pyrox.dev / nix
My Nix Configuration
fork atom

Compare changes

Choose any two refs to compare.

options
unified split
Changed files
+575 -135
TODO.md
devShells
default
default.nix
flake.lock
hosts
marvin
services
git.nix
grafana.nix
immich-config.json
immich.nix
planka.nix
secrets
iceshrimp-db-password.age
iceshrimp-secret-config.age
immich
mail-pw.age
oauth-secret.age
pingvin-secrets.age
secrets.nix
vaultwarden.nix
prefect
dn42
default.nix
peers
default.nix
prefixlabs.nix
services
caddy.nix
nixosModules
services
forgejo-runner
default.nix
packages
anubis-files
src
policies
forgejo.yaml
bgutil-pot-server
librusty_v8.nix
package.nix
update-librusty.sh
glide-browser-bin
package.nix
planka
package.nix
-2
TODO.md 
···

       
18

       
18

       
 

       
- [ ] Move all Docker containers to using native versions of databases, redis, etc.


     

       
19

       
19

       
 

       
  - Ensures higher performance and reduces the number of running containers.


     

       
20

       
20

       
 

       
  - https://github.com/felschr/nixos-config/blob/main/services/immich.nix for an example of how to do it


     

       
21

       

       
-

       
- [ ] Add Archivebox service(needs custom module)


     

       
22

       

       
-

       
- [ ] Add Immich service


     

       
23

       
21

       
 

       



     

       
24

       
22

       
 

       
## Zaphod


     

       
25

       
23
+7 -3
devShells/default/default.nix 
···

       
4

       
4

       
 

       
}:


     

       
5

       
5

       
 

       
pkgs.mkShellNoCC {


     

       
6

       
6

       
 

       
  packages = [


     

       

       
7

       
+

       
    # keep-sorted start


     

       
7

       
8

       
 

       
    pkgs.deadnix


     

       
8

       
9

       
 

       
    pkgs.just


     

       
9

       
10

       
 

       
    pkgs.nil


     

       

       
11

       
+

       
    pkgs.nix-output-monitor


     

       
10

       
12

       
 

       
    pkgs.nix-tree


     

       

       
13

       
+

       
    pkgs.nix-update


     

       
11

       
14

       
 

       
    pkgs.nixd


     

       
12

       

       
-

       
    pkgs.nix-output-monitor


     

       
13

       
15

       
 

       
    pkgs.nixfmt-rfc-style


     

       
14

       

       
-

       
    pkgs.statix


     

       

       
16

       
+

       
    pkgs.nixos-rebuild-ng


     

       
15

       
17

       
 

       
    pkgs.nvd


     

       
16

       

       
-

       
    pkgs.nixos-rebuild-ng


     

       

       
18

       
+

       
    pkgs.statix


     

       

       
19

       
+

       
    pkgs.tokei


     

       

       
20

       
+

       
    # keep-sorted endd


     

       
17

       
21

       
 

       
  ];


     

       
18

       
22

       
 

       
}
+3 -3
flake.lock 
···

       
274

       
274

       
 

       
        ]


     

       
275

       
275

       
 

       
      },


     

       
276

       
276

       
 

       
      "locked": {


     

       
277

       

       
-

       
        "lastModified": 1764119541,


     

       
278

       

       
-

       
        "narHash": "sha256-WmrejR45x4oFf3g3kJFi3jPhoQ9h8oaAGiIAb8ulZcw=",


     

       

       
277

       
+

       
        "lastModified": 1764646680,


     

       

       
278

       
+

       
        "narHash": "sha256-HEVzGL23bev8CuZXbLgDZRWy+mD/qPZhRBpjag7G/dU=",


     

       
279

       
279

       
 

       
        "owner": "pyrox0",


     

       
280

       
280

       
 

       
        "repo": "dn43.nix",


     

       
281

       

       
-

       
        "rev": "afdab3ea9e7ef9c4472143e63941cd7bdd5d1c77",


     

       

       
281

       
+

       
        "rev": "c8b68602cf1ef696e6a9f9c25e8c177d4101331b",


     

       
282

       
282

       
 

       
        "type": "github"


     

       
283

       
283

       
 

       
      },


     

       
284

       
284

       
 

       
      "original": {
+5 -5
hosts/marvin/services/git.nix 
···

       
41

       
41

       
 

       
    };


     

       
42

       
42

       
 

       
    settings = {


     

       
43

       
43

       
 

       
      DEFAULT = {


     

       
44

       

       
-

       
        APP_NAME = "PyroNet Git";


     

       

       
44

       
+

       
        APP_NAME = "dishNet Git";


     

       
45

       
45

       
 

       
        RUN_MODE = "prod";


     

       
46

       
46

       
 

       
      };


     

       
47

       
47

       
 

       
      attachment = {


     

       
48

       
48

       
 

       
        MAX_SIZE = 200;


     

       
49

       
49

       
 

       
      };


     

       
50

       

       
-

       
      log."logger.router.MODE" = "";


     

       

       
50

       
+

       
      log.LOGGER_ROUTER_MODE = "";


     

       
51

       
51

       
 

       
      mailer = {


     

       
52

       
52

       
 

       
        ENABLED = true;


     

       
53

       

       
-

       
        FROM = "PyroNet Git <git@pyrox.dev>";


     

       

       
53

       
+

       
        FROM = "dishNet Git <git@pyrox.dev>";


     

       
54

       
54

       
 

       
        PROTOCOL = "smtps";


     

       
55

       
55

       
 

       
        SMTP_ADDR = "mail.pyrox.dev";


     

       
56

       
56

       
 

       
        SMTP_PORT = 465;


     
···

       
66

       
66

       
 

       
      };


     

       
67

       
67

       
 

       
      "ui.meta" = {


     

       
68

       
68

       
 

       
        AUTHOR = "dish";


     

       
69

       

       
-

       
        DESCRIPTION = "PyroNet Git Services";


     

       

       
69

       
+

       
        DESCRIPTION = "dishNet Git Services";


     

       
70

       
70

       
 

       
      };


     

       
71

       
71

       
 

       
      metrics = {


     

       
72

       
72

       
 

       
        ENABLED = true;


     
···

       
85

       
85

       
 

       
        ISSUE_INDEXER_PATH = "indexers/issues.bleve";


     

       
86

       
86

       
 

       
        # Enable repo indexing


     

       
87

       
87

       
 

       
        REPO_INDEXER_ENABLED = true;


     

       
88

       

       
-

       
        REPO_INDEXER_REPO_TYPES = "sources,forks,templates,mirrors";


     

       

       
88

       
+

       
        REPO_INDEXER_REPO_TYPES = "sources,forks";


     

       
89

       
89

       
 

       
        REPO_INDEXER_TYPE = "bleve";


     

       
90

       
90

       
 

       
        REPO_INDEXER_PATH = "indexers/repos.bleve";


     

       
91

       
91

       
 

       
      };
+3 -3
hosts/marvin/services/grafana.nix 
···

       
40

       
40

       
 

       
      };


     

       
41

       
41

       
 

       
      smtp = {


     

       
42

       
42

       
 

       
        enabled = true;


     

       
43

       

       
-

       
        user = "grafana@thehedgehog.me";


     

       
44

       

       
-

       
        from_address = "grafana@thehedgehog.me";


     

       
45

       

       
-

       
        host = "smtp.migadu.com:465";


     

       

       
43

       
+

       
        user = "grafana@pyrox.dev";


     

       

       
44

       
+

       
        from_address = "grafana@pyrox.dev";


     

       

       
45

       
+

       
        host = "mail.pyrox.dev:465";


     

       
46

       
46

       
 

       
        password = "$__file{${config.age.secrets.grafana-smtp-password.path}}";


     

       
47

       
47

       
 

       
      };


     

       
48

       
48

       
 

       
    };
+223
hosts/marvin/services/immich-config.json 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  "backup": {


     

       

       
3

       
+

       
    "database": {


     

       

       
4

       
+

       
      "cronExpression": "0 02 * * *",


     

       

       
5

       
+

       
      "enabled": true,


     

       

       
6

       
+

       
      "keepLastAmount": 14


     

       

       
7

       
+

       
    }


     

       

       
8

       
+

       
  },


     

       

       
9

       
+

       
  "ffmpeg": {


     

       

       
10

       
+

       
    "accel": "vaapi",


     

       

       
11

       
+

       
    "accelDecode": true,


     

       

       
12

       
+

       
    "acceptedAudioCodecs": ["aac", "mp3", "libopus"],


     

       

       
13

       
+

       
    "acceptedContainers": ["mov", "ogg", "webm"],


     

       

       
14

       
+

       
    "acceptedVideoCodecs": ["h264"],


     

       

       
15

       
+

       
    "bframes": -1,


     

       

       
16

       
+

       
    "cqMode": "auto",


     

       

       
17

       
+

       
    "crf": 23,


     

       

       
18

       
+

       
    "gopSize": 0,


     

       

       
19

       
+

       
    "maxBitrate": "0",


     

       

       
20

       
+

       
    "preferredHwDevice": "auto",


     

       

       
21

       
+

       
    "preset": "veryfast",


     

       

       
22

       
+

       
    "refs": 0,


     

       

       
23

       
+

       
    "targetAudioCodec": "aac",


     

       

       
24

       
+

       
    "targetResolution": "720",


     

       

       
25

       
+

       
    "targetVideoCodec": "h264",


     

       

       
26

       
+

       
    "temporalAQ": false,


     

       

       
27

       
+

       
    "threads": 0,


     

       

       
28

       
+

       
    "tonemap": "hable",


     

       

       
29

       
+

       
    "transcode": "required",


     

       

       
30

       
+

       
    "twoPass": false


     

       

       
31

       
+

       
  },


     

       

       
32

       
+

       
  "image": {


     

       

       
33

       
+

       
    "colorspace": "p3",


     

       

       
34

       
+

       
    "extractEmbedded": false,


     

       

       
35

       
+

       
    "fullsize": {


     

       

       
36

       
+

       
      "enabled": false,


     

       

       
37

       
+

       
      "format": "jpeg",


     

       

       
38

       
+

       
      "quality": 80


     

       

       
39

       
+

       
    },


     

       

       
40

       
+

       
    "preview": {


     

       

       
41

       
+

       
      "format": "jpeg",


     

       

       
42

       
+

       
      "quality": 80,


     

       

       
43

       
+

       
      "size": 1440


     

       

       
44

       
+

       
    },


     

       

       
45

       
+

       
    "thumbnail": {


     

       

       
46

       
+

       
      "format": "webp",


     

       

       
47

       
+

       
      "quality": 80,


     

       

       
48

       
+

       
      "size": 250


     

       

       
49

       
+

       
    }


     

       

       
50

       
+

       
  },


     

       

       
51

       
+

       
  "job": {


     

       

       
52

       
+

       
    "backgroundTask": {


     

       

       
53

       
+

       
      "concurrency": 5


     

       

       
54

       
+

       
    },


     

       

       
55

       
+

       
    "faceDetection": {


     

       

       
56

       
+

       
      "concurrency": 2


     

       

       
57

       
+

       
    },


     

       

       
58

       
+

       
    "library": {


     

       

       
59

       
+

       
      "concurrency": 5


     

       

       
60

       
+

       
    },


     

       

       
61

       
+

       
    "metadataExtraction": {


     

       

       
62

       
+

       
      "concurrency": 5


     

       

       
63

       
+

       
    },


     

       

       
64

       
+

       
    "migration": {


     

       

       
65

       
+

       
      "concurrency": 5


     

       

       
66

       
+

       
    },


     

       

       
67

       
+

       
    "notifications": {


     

       

       
68

       
+

       
      "concurrency": 5


     

       

       
69

       
+

       
    },


     

       

       
70

       
+

       
    "ocr": {


     

       

       
71

       
+

       
      "concurrency": 1


     

       

       
72

       
+

       
    },


     

       

       
73

       
+

       
    "search": {


     

       

       
74

       
+

       
      "concurrency": 5


     

       

       
75

       
+

       
    },


     

       

       
76

       
+

       
    "sidecar": {


     

       

       
77

       
+

       
      "concurrency": 5


     

       

       
78

       
+

       
    },


     

       

       
79

       
+

       
    "smartSearch": {


     

       

       
80

       
+

       
      "concurrency": 2


     

       

       
81

       
+

       
    },


     

       

       
82

       
+

       
    "thumbnailGeneration": {


     

       

       
83

       
+

       
      "concurrency": 3


     

       

       
84

       
+

       
    },


     

       

       
85

       
+

       
    "videoConversion": {


     

       

       
86

       
+

       
      "concurrency": 1


     

       

       
87

       
+

       
    },


     

       

       
88

       
+

       
    "workflow": {


     

       

       
89

       
+

       
      "concurrency": 5


     

       

       
90

       
+

       
    }


     

       

       
91

       
+

       
  },


     

       

       
92

       
+

       
  "library": {


     

       

       
93

       
+

       
    "scan": {


     

       

       
94

       
+

       
      "cronExpression": "0 0 * * *",


     

       

       
95

       
+

       
      "enabled": true


     

       

       
96

       
+

       
    },


     

       

       
97

       
+

       
    "watch": {


     

       

       
98

       
+

       
      "enabled": false


     

       

       
99

       
+

       
    }


     

       

       
100

       
+

       
  },


     

       

       
101

       
+

       
  "logging": {


     

       

       
102

       
+

       
    "enabled": true,


     

       

       
103

       
+

       
    "level": "log"


     

       

       
104

       
+

       
  },


     

       

       
105

       
+

       
  "machineLearning": {


     

       

       
106

       
+

       
    "availabilityChecks": {


     

       

       
107

       
+

       
      "enabled": true,


     

       

       
108

       
+

       
      "interval": 30000,


     

       

       
109

       
+

       
      "timeout": 2000


     

       

       
110

       
+

       
    },


     

       

       
111

       
+

       
    "clip": {


     

       

       
112

       
+

       
      "enabled": true,


     

       

       
113

       
+

       
      "modelName": "ViT-B-16-SigLIP2__webli"


     

       

       
114

       
+

       
    },


     

       

       
115

       
+

       
    "duplicateDetection": {


     

       

       
116

       
+

       
      "enabled": true,


     

       

       
117

       
+

       
      "maxDistance": 0.01


     

       

       
118

       
+

       
    },


     

       

       
119

       
+

       
    "enabled": true,


     

       

       
120

       
+

       
    "facialRecognition": {


     

       

       
121

       
+

       
      "enabled": true,


     

       

       
122

       
+

       
      "maxDistance": 0.5,


     

       

       
123

       
+

       
      "minFaces": 7,


     

       

       
124

       
+

       
      "minScore": 0.7,


     

       

       
125

       
+

       
      "modelName": "buffalo_l"


     

       

       
126

       
+

       
    },


     

       

       
127

       
+

       
    "ocr": {


     

       

       
128

       
+

       
      "enabled": true,


     

       

       
129

       
+

       
      "maxResolution": 736,


     

       

       
130

       
+

       
      "minDetectionScore": 0.5,


     

       

       
131

       
+

       
      "minRecognitionScore": 0.8,


     

       

       
132

       
+

       
      "modelName": "EN__PP-OCRv5_mobile"


     

       

       
133

       
+

       
    },


     

       

       
134

       
+

       
    "urls": ["http://localhost:3003"]


     

       

       
135

       
+

       
  },


     

       

       
136

       
+

       
  "map": {


     

       

       
137

       
+

       
    "darkStyle": "https://tiles.immich.cloud/v1/style/dark.json",


     

       

       
138

       
+

       
    "enabled": true,


     

       

       
139

       
+

       
    "lightStyle": "https://tiles.immich.cloud/v1/style/light.json"


     

       

       
140

       
+

       
  },


     

       

       
141

       
+

       
  "metadata": {


     

       

       
142

       
+

       
    "faces": {


     

       

       
143

       
+

       
      "import": false


     

       

       
144

       
+

       
    }


     

       

       
145

       
+

       
  },


     

       

       
146

       
+

       
  "newVersionCheck": {


     

       

       
147

       
+

       
    "enabled": false


     

       

       
148

       
+

       
  },


     

       

       
149

       
+

       
  "nightlyTasks": {


     

       

       
150

       
+

       
    "clusterNewFaces": true,


     

       

       
151

       
+

       
    "databaseCleanup": true,


     

       

       
152

       
+

       
    "generateMemories": true,


     

       

       
153

       
+

       
    "missingThumbnails": true,


     

       

       
154

       
+

       
    "startTime": "00:00",


     

       

       
155

       
+

       
    "syncQuotaUsage": true


     

       

       
156

       
+

       
  },


     

       

       
157

       
+

       
  "notifications": {


     

       

       
158

       
+

       
    "smtp": {


     

       

       
159

       
+

       
      "enabled": true,


     

       

       
160

       
+

       
      "from": "dishNet Photos <immich@pyrox.dev>",


     

       

       
161

       
+

       
      "replyTo": "",


     

       

       
162

       
+

       
      "transport": {


     

       

       
163

       
+

       
        "host": "mail.pyrox.dev",


     

       

       
164

       
+

       
        "ignoreCert": false,


     

       

       
165

       
+

       
        "port": 25,


     

       

       
166

       
+

       
        "secure": true,


     

       

       
167

       
+

       
        "username": "immich@pyrox.dev"


     

       

       
168

       
+

       
      }


     

       

       
169

       
+

       
    }


     

       

       
170

       
+

       
  },


     

       

       
171

       
+

       
  "oauth": {


     

       

       
172

       
+

       
    "autoLaunch": false,


     

       

       
173

       
+

       
    "autoRegister": true,


     

       

       
174

       
+

       
    "buttonText": "Login with Pocket-ID",


     

       

       
175

       
+

       
    "clientId": "f1312240-d9fc-4336-aca6-b98316867848",


     

       

       
176

       
+

       
    "defaultStorageQuota": null,


     

       

       
177

       
+

       
    "enabled": true,


     

       

       
178

       
+

       
    "issuerUrl": "https://auth.pyrox.dev",


     

       

       
179

       
+

       
    "mobileOverrideEnabled": false,


     

       

       
180

       
+

       
    "mobileRedirectUri": "",


     

       

       
181

       
+

       
    "profileSigningAlgorithm": "none",


     

       

       
182

       
+

       
    "roleClaim": "immich_role",


     

       

       
183

       
+

       
    "scope": "openid email profile immich_role",


     

       

       
184

       
+

       
    "signingAlgorithm": "RS256",


     

       

       
185

       
+

       
    "storageLabelClaim": "preferred_username",


     

       

       
186

       
+

       
    "storageQuotaClaim": "immich_quota",


     

       

       
187

       
+

       
    "timeout": 30000,


     

       

       
188

       
+

       
    "tokenEndpointAuthMethod": "client_secret_post"


     

       

       
189

       
+

       
  },


     

       

       
190

       
+

       
  "passwordLogin": {


     

       

       
191

       
+

       
    "enabled": true


     

       

       
192

       
+

       
  },


     

       

       
193

       
+

       
  "reverseGeocoding": {


     

       

       
194

       
+

       
    "enabled": true


     

       

       
195

       
+

       
  },


     

       

       
196

       
+

       
  "server": {


     

       

       
197

       
+

       
    "externalDomain": "https://img.pyrox.dev",


     

       

       
198

       
+

       
    "loginPageMessage": "",


     

       

       
199

       
+

       
    "publicUsers": true


     

       

       
200

       
+

       
  },


     

       

       
201

       
+

       
  "storageTemplate": {


     

       

       
202

       
+

       
    "enabled": false,


     

       

       
203

       
+

       
    "hashVerificationEnabled": true,


     

       

       
204

       
+

       
    "template": "{{y}}/{{y}}-{{MM}}-{{dd}}/{{filename}}"


     

       

       
205

       
+

       
  },


     

       

       
206

       
+

       
  "templates": {


     

       

       
207

       
+

       
    "email": {


     

       

       
208

       
+

       
      "albumInviteTemplate": "",


     

       

       
209

       
+

       
      "albumUpdateTemplate": "",


     

       

       
210

       
+

       
      "welcomeTemplate": ""


     

       

       
211

       
+

       
    }


     

       

       
212

       
+

       
  },


     

       

       
213

       
+

       
  "theme": {


     

       

       
214

       
+

       
    "customCss": ""


     

       

       
215

       
+

       
  },


     

       

       
216

       
+

       
  "trash": {


     

       

       
217

       
+

       
    "days": 30,


     

       

       
218

       
+

       
    "enabled": true


     

       

       
219

       
+

       
  },


     

       

       
220

       
+

       
  "user": {


     

       

       
221

       
+

       
    "deleteDelay": 7


     

       

       
222

       
+

       
  }


     

       

       
223

       
+

       
}
+25 -3
hosts/marvin/services/immich.nix 
···

       
1

       

       
-

       
{ self, config, ... }:


     

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  self,


     

       

       
3

       
+

       
  config,


     

       

       
4

       
+

       
  lib,


     

       

       
5

       
+

       
  ...


     

       

       
6

       
+

       
}:


     

       
2

       
7

       
 

       
let


     

       
3

       
8

       
 

       
  d = self.lib.data.services.immich;


     

       
4

       
9

       
 

       
in


     
···

       
11

       
16

       
 

       
      redis.enable = true;


     

       
12

       
17

       
 

       
      mediaLocation = "/var/media/photos/";


     

       
13

       
18

       
 

       
      accelerationDevices = [ "/dev/dri/renderD128" ];


     

       
14

       

       
-

       
      settings = null;


     

       

       
19

       
+

       
      settings = lib.recursiveUpdate (builtins.fromJSON (builtins.readFile ./immich-config.json)) {


     

       

       
20

       
+

       
        oauth.clientSecret._secret = config.age.secrets.immich-oauth-secret.path;


     

       

       
21

       
+

       
        notifications.smtp.transport.password._secret = config.age.secrets.immich-mail-pw.path;


     

       

       
22

       
+

       
        server.externalDomain = "https://${d.extUrl}";


     

       

       
23

       
+

       
      };


     

       
15

       
24

       
 

       
    };


     

       
16

       
25

       
 

       
    immich-public-proxy = {


     

       
17

       
26

       
 

       
      enable = true;


     

       
18

       
27

       
 

       
      port = d.pubProxy;


     

       
19

       

       
-

       
      immichUrl = "localhost:${toString d.port}";


     

       

       
28

       
+

       
      immichUrl = "http://localhost:${toString d.port}";


     

       
20

       
29

       
 

       
      settings.ipp = {


     

       
21

       
30

       
 

       
        downloadedFilename = 1;


     

       
22

       
31

       
 

       
      };


     

       
23

       
32

       
 

       
    };


     

       
24

       
33

       
 

       
  };


     

       

       
34

       
+

       
  systemd.services.immich-public-proxy.environment.PUBLIC_BASE_URL = "https://${d.extUrl}";


     

       
25

       
35

       
 

       
  users.users.immich.extraGroups = [


     

       
26

       
36

       
 

       
    "video"


     

       
27

       
37

       
 

       
    "render"


     

       
28

       
38

       
 

       
  ];


     

       

       
39

       
+

       
  age.secrets = {


     

       

       
40

       
+

       
    immich-oauth-secret = {


     

       

       
41

       
+

       
      file = ./secrets/immich/oauth-secret.age;


     

       

       
42

       
+

       
      owner = "immich";


     

       

       
43

       
+

       
      group = "immich";


     

       

       
44

       
+

       
    };


     

       

       
45

       
+

       
    immich-mail-pw = {


     

       

       
46

       
+

       
      file = ./secrets/immich/mail-pw.age;


     

       

       
47

       
+

       
      owner = "immich";


     

       

       
48

       
+

       
      group = "immich";


     

       

       
49

       
+

       
    };


     

       

       
50

       
+

       
  };


     

       
29

       
51

       
 

       
}
+97 -32
hosts/marvin/services/planka.nix 
···

       
1

       
1

       
 

       
{


     

       

       
2

       
+

       
  lib,


     

       
2

       
3

       
 

       
  config,


     

       
3

       
4

       
 

       
  self,


     

       

       
5

       
+

       
  self',


     

       

       
6

       
+

       
  pkgs,


     

       
4

       
7

       
 

       
  ...


     

       
5

       
8

       
 

       
}:


     

       
6

       
9

       
 

       
let


     

       
7

       

       
-

       
  dataDir = "/var/lib/planka";


     

       
8

       
10

       
 

       
  d = self.lib.data.services.planka;


     

       

       
11

       
+

       



     

       

       
12

       
+

       
  commonServiceConfig = {


     

       

       
13

       
+

       
    EnvironmentFile = config.age.secrets.planka-env.path;


     

       

       
14

       
+

       
    StateDirectory = "planka";


     

       

       
15

       
+

       
    WorkingDirectory = "/var/lib/planka";


     

       

       
16

       
+

       
    User = "planka";


     

       

       
17

       
+

       
    Group = "planka";


     

       

       
18

       
+

       



     

       

       
19

       
+

       
    # Hardening


     

       

       
20

       
+

       
    LockPersonality = true;


     

       

       
21

       
+

       
    NoNewPrivileges = true;


     

       

       
22

       
+

       
    PrivateDevices = true;


     

       

       
23

       
+

       
    PrivateMounts = true;


     

       

       
24

       
+

       
    PrivateTmp = true;


     

       

       
25

       
+

       
    PrivateUsers = true;


     

       

       
26

       
+

       
    ProtectClock = true;


     

       

       
27

       
+

       
    ProtectControlGroups = true;


     

       

       
28

       
+

       
    ProtectHome = true;


     

       

       
29

       
+

       
    ProtectHostname = true;


     

       

       
30

       
+

       
    ProtectKernelLogs = true;


     

       

       
31

       
+

       
    ProtectKernelModules = true;


     

       

       
32

       
+

       
    ProtectKernelTunables = true;


     

       

       
33

       
+

       
    ProtectProc = "invisible";


     

       

       
34

       
+

       
    RemoveIPC = true;


     

       

       
35

       
+

       
    RestrictRealtime = true;


     

       

       
36

       
+

       
    RestrictSUIDSGID = true;


     

       

       
37

       
+

       
    UMask = "0660";


     

       

       
38

       
+

       
    RestrictAddressFamilies = [


     

       

       
39

       
+

       
      "AF_UNIX"


     

       

       
40

       
+

       
      "AF_INET"


     

       

       
41

       
+

       
      "AF_INET6"


     

       

       
42

       
+

       
    ];


     

       

       
43

       
+

       
  };


     

       
9

       
44

       
 

       
in


     

       
10

       
45

       
 

       
{


     

       
11

       

       
-

       
  virtualisation.oci-containers.containers = {


     

       
12

       

       
-

       
    planka-server = {


     

       
13

       

       
-

       
      image = "ghcr.io/plankanban/planka:2.0.0-rc.4";


     

       
14

       

       
-

       
      ports = [ "${toString d.port}:1337" ];


     

       
15

       

       
-

       
      environment = {


     

       
16

       

       
-

       
        BASE_URL = "https://${d.extUrl}";


     

       
17

       

       
-

       
        DATABASE_URL = "postgresql://planka@planka-db/planka";


     

       
18

       

       
-

       
        # Default Admin


     

       
19

       

       
-

       
        DEFAULT_ADMIN_EMAIL = "pyrox@pyrox.dev";


     

       
20

       

       
-

       
        DEFAULT_ADMIN_USERNAME = "pyrox";


     

       
21

       

       
-

       
        TRUST_PROXY = "true";


     

       
22

       

       
-

       
        DEFAULT_LANGUAGE = "en-US";


     

       

       
46

       
+

       
  systemd = {


     

       

       
47

       
+

       
    tmpfiles.settings = {


     

       

       
48

       
+

       
      "10-planka"."/var/lib/planka".d = {


     

       

       
49

       
+

       
        group = "planka";


     

       

       
50

       
+

       
        user = "planka";


     

       

       
51

       
+

       
        mode = "0755";


     

       
23

       
52

       
 

       
      };


     

       
24

       

       
-

       
      environmentFiles = [ config.age.secrets.planka-env.path ];


     

       
25

       

       
-

       
      volumes = [


     

       
26

       

       
-

       
        "${dataDir}/user-avatars:/app/public/user-avatars"


     

       
27

       

       
-

       
        "${dataDir}/project-background-images:/app/public/project-background-images"


     

       
28

       

       
-

       
        "${dataDir}/attachments:/app/private/attachments"


     

       
29

       

       
-

       
        "${dataDir}/favicons:/app/public/favicons"


     

       
30

       

       
-

       
        "${dataDir}/background-images:/app/public/background-images"


     

       
31

       

       
-

       
      ];


     

       
32

       

       
-

       
      extraOptions = [ "--network=planka" ];


     

       
33

       
53

       
 

       
    };


     

       
34

       

       
-

       
    planka-db = {


     

       
35

       

       
-

       
      image = "postgres:16-alpine";


     

       
36

       

       
-

       
      volumes = [ "${dataDir}/db:/var/lib/postgresql/data" ];


     

       
37

       

       
-

       
      environment = {


     

       
38

       

       
-

       
        POSTGRES_USER = "planka";


     

       
39

       

       
-

       
        POSTGRES_DB = "planka";


     

       
40

       

       
-

       
        POSTGRES_HOST_AUTH_METHOD = "trust";


     

       

       
54

       
+

       
    services = {


     

       

       
55

       
+

       
      planka-init-db = {


     

       

       
56

       
+

       
        wantedBy = [ "multi-user.target" ];


     

       

       
57

       
+

       
        after = [ "postgres.target" ];


     

       

       
58

       
+

       
        description = "Planka Kanban Database Init Script";


     

       

       
59

       
+

       
        path = [


     

       

       
60

       
+

       
          pkgs.nodejs


     

       

       
61

       
+

       
        ];


     

       

       
62

       
+

       
        script = ''


     

       

       
63

       
+

       
          if [ ! -f /var/lib/planka/db-init-ran ]; then


     

       

       
64

       
+

       
            node run ${self'.packages.planka}/lib/node_modules/planka/db/init.js && \


     

       

       
65

       
+

       
            touch /var/lib/planka/db-init-ran


     

       

       
66

       
+

       
          fi


     

       

       
67

       
+

       
        '';


     

       

       
68

       
+

       
        serviceConfig = commonServiceConfig // {


     

       

       
69

       
+

       
          Type = "oneshot";


     

       

       
70

       
+

       
          SyslogIdentifier = "planka-init-db";


     

       

       
71

       
+

       
        };


     

       
41

       
72

       
 

       
      };


     

       
42

       

       
-

       
      extraOptions = [ "--network=planka" ];


     

       

       
73

       
+

       
      planka-server = {


     

       

       
74

       
+

       
        after = [ "planka-init-db.service" ];


     

       

       
75

       
+

       
        wantedBy = [ "multi-user.target" ];


     

       

       
76

       
+

       
        description = "Planka Kanban Server";


     

       

       
77

       
+

       
        documentation = [ "https://docs.planka.cloud" ];


     

       

       
78

       
+

       
        environment = {


     

       

       
79

       
+

       
          DATABASE_URL = "postgresql://%2Frun%2Fpostgresql/planka";


     

       

       
80

       
+

       
          DEFAULT_ADMIN_EMAIL = "pyrox@pyrox.dev";


     

       

       
81

       
+

       
          DEFAULT_ADMIN_USERNAME = "pyrox";


     

       

       
82

       
+

       
          TRUST_PROXY = "true";


     

       

       
83

       
+

       
          DEFAULT_LANGUAGE = "en-US";


     

       

       
84

       
+

       
          BASE_URL = "https://${d.extUrl}";


     

       

       
85

       
+

       
          NODE_ENV = "production";


     

       

       
86

       
+

       
        };


     

       

       
87

       
+

       
        serviceConfig = commonServiceConfig // {


     

       

       
88

       
+

       
          Type = "simple";


     

       

       
89

       
+

       
          ExecStart = "${lib.getExe self'.packages.planka} --port ${toString d.port}";


     

       

       
90

       
+

       
          SyslogIdentifier = "planka";


     

       

       
91

       
+

       
        };


     

       

       
92

       
+

       
      };


     

       
43

       
93

       
 

       
    };


     

       
44

       
94

       
 

       
  };


     

       

       
95

       
+

       
  users.users.planka = {


     

       

       
96

       
+

       
    isSystemUser = true;


     

       

       
97

       
+

       
    group = "planka";


     

       

       
98

       
+

       
  };


     

       

       
99

       
+

       
  users.groups.planka = { };


     

       

       
100

       
+

       
  services.postgresql = {


     

       

       
101

       
+

       
    ensureUsers = [


     

       

       
102

       
+

       
      {


     

       

       
103

       
+

       
        name = "planka";


     

       

       
104

       
+

       
        ensureDBOwnership = true;


     

       

       
105

       
+

       
        ensureClauses.login = true;


     

       

       
106

       
+

       
      }


     

       

       
107

       
+

       
    ];


     

       

       
108

       
+

       
    ensureDatabases = [ "planka" ];


     

       

       
109

       
+

       
  };


     

       
45

       
110

       
 

       
  age.secrets.planka-env = {


     

       
46

       
111

       
 

       
    file = ./secrets/planka-env.age;


     

       
47

       

       
-

       
    owner = "thehedgehog";


     

       
48

       

       
-

       
    group = "misc";


     

       

       
112

       
+

       
    owner = "planka";


     

       

       
113

       
+

       
    group = "planka";


     

       
49

       
114

       
 

       
  };


     

       
50

       
115

       
 

       
  services.anubis.instances.planka = {


     

       
51

       
116

       
 

       
    settings = {
-23
hosts/marvin/services/secrets/iceshrimp-db-password.age 
···

       
1

       

       
-

       
age-encryption.org/v1


     

       
2

       

       
-

       
-> ssh-ed25519 iqBxIA g+DkjSGDd+i/sdqRCuU2I2Qzmq4Q+FI7wSyfkdM9q0Q


     

       
3

       

       
-

       
cG52xAS/VPjCNgHdky0/jbMvF5tF+cB8BxFNCHYlf2s


     

       
4

       

       
-

       
-> ssh-rsa fFaiTA


     

       
5

       

       
-

       
r5mQer6QBi+HdSS16OLHfv/oh0hbug5drdX/BuQHMORogiDfHEM03K6pmg9064Ep


     

       
6

       

       
-

       
CJgl6z3IS9hlLX7cSq2kVSvP9gk+l5AmI+pMZkJyT9ED43g6wtRI7yiy1ALO0rqB


     

       
7

       

       
-

       
z/CPaoLkFNFlt7sDg5rijAB+t6DNAxULfFj8KR3b+NvGrrW6Vbaio+T5mg1A2PTd


     

       
8

       

       
-

       
60eEfuqdn9dHVI82FQFmai1LwoyButrUNn3UiP8aIdvFUueixcqsAXSK1zjPJZ5B


     

       
9

       

       
-

       
VeAkshwhB9+HKMH1cyRa6LUbzJYxAQBhkgTFqS/r64h3ZAYHTc0lY44VtVhbnEQI


     

       
10

       

       
-

       
76PBEOcQXXjvPR6yvbcVZfpqCkqfo9hb7wogPfJiRMjKM/qlpR19KOf21T0hsV6q


     

       
11

       

       
-

       
b7nYf01yBscx6GKXREkZoxgpo6iLLzVQqU5SzQgs7nxW089JdJ62WoZvJwTxv2G8


     

       
12

       

       
-

       
AdzImnsw73q55MgOYtv/A3hGM8O1Jw4Q4UfMSS43xB+cuvtlEmSqi5mFh0gPbqQR


     

       
13

       

       
-

       
LN8+OcDLz0SR8U6xHj9ufXfhHc4nwO8iZpzav5nZXMEb3Gmva3k8U+nnmuPKqsrL


     

       
14

       

       
-

       
VxFmGNxqmWPfxO0FJC/cxLKME/Lj2MU9r6KT8RQ00BjHUfoDgbFzHVLqIEbIE+Vr


     

       
15

       

       
-

       
/Glcmz/Ecrt3kTwfAhEDpj6g0XVNHt7HA+r4SDWjI00


     

       
16

       

       
-

       
-> ssh-ed25519 wpmdHA LUF/UncaQTEMQepVAhEqFm345dICeW3d3QGhiflTSH8


     

       
17

       

       
-

       
ImxpR4innOw1jMSF4gvmOGRDl0BzqAhOyz+GFstsJG4


     

       
18

       

       
-

       
-> Cg-grease k7q9


     

       
19

       

       
-

       
MLRf60C4nbEc9XHo26cg7UYySbZtOMP2kZtZmvLiS1XFeIqQaR0RgRcUOoTblYzo


     

       
20

       

       
-

       
KQ


     

       
21

       

       
-

       
--- PV6HHY8kDdpFcgNu83K/cwz4qQCW38jcHkTOkCunxrk


     

       
22

       

       
-

       
�*ǜ�lq��^��fʀ���l�� R��C}Մ�ɧ���F�ĩ�&�~h�


     

       
23

       

       
-

       
̟�r��6ʞac,����lc�
>
hosts/marvin/services/secrets/iceshrimp-secret-config.age

This is a binary file and will not be displayed.

+19
hosts/marvin/services/secrets/immich/mail-pw.age 
···

       

       
1

       
+

       
age-encryption.org/v1


     

       

       
2

       
+

       
-> ssh-ed25519 iqBxIA 3PVJMF6BgxuDxN9NAEYqcZaYEUhK9TB5XprRyW13Kx0


     

       

       
3

       
+

       
AIQQG+4/9SVPcfq9ZtL/JsWDmLvW03UiAJaJ1nHSckQ


     

       

       
4

       
+

       
-> ssh-rsa fFaiTA


     

       

       
5

       
+

       
ZPBI1w2a48Md+Rt92ssVcfxN26zTLCEalT+jG8SJBv07ouOzd4ibPq65m6uOQU/+


     

       

       
6

       
+

       
EEgHe23fGsPP4oISWDUgVFxesLA3wjsTWmbVrkrBzGQNeNnevIRMcJu7vWDtby/+


     

       

       
7

       
+

       
dVxPQIoXH0jPlcDQCm2lwOGD+du+Nb4PnVseRPDaXRypKKmx+J057FQemYBk4OWx


     

       

       
8

       
+

       
yUfbKV2gHHcuRTVUQG6XAQwWvhh4e25fyc+MzKZNPUK4c/SVibjAsUH+Edd+NaV5


     

       

       
9

       
+

       
yxku5k4TFZkU69sl2zCdgWfYVTowTGYGyf4Kf+I/kl9m13zIk9vRpocgt4APaJnv


     

       

       
10

       
+

       
p+KxJvbYRiprWl+IzZg6TwXY5mA1IbvlppR4aak1pwaIE76CgF5mGNDGkviGndtP


     

       

       
11

       
+

       
+eCMIocp6lk2U0dJEYkBtmjNbxFh3dxOcirgdNDypYPlZTSGvSRGhpL4nUJRsR+l


     

       

       
12

       
+

       
A7rJ5aHH2B4Vi93zgSV0PWiWSA7899bzgN1kQKKIgYln6Tl8UxQSNt5L3L4VajuW


     

       

       
13

       
+

       
3UqCltyGWt/926BMS+GrDZSWCEtVsDs5XQqDKEx6D+iviHZJXniI+RhH/eM7FLjp


     

       

       
14

       
+

       
iXgCRkBIALo2lOiScpr2rtfGDViq3Nh64cIslEPiewjVFTCxkxH+LuQ1stukrNki


     

       

       
15

       
+

       
IF0+pZ65rgatMAdnZRFXfRxmywKD99z4WRHAxvYloXc


     

       

       
16

       
+

       
-> ssh-ed25519 wpmdHA SQlzD3yqbnoF0JHqPFFDUugbm8jlBsdntLzF/WlJbjo


     

       

       
17

       
+

       
FggpB1k5xbq62QNlwkocwjiWhEqNjHAxR/GwoPhXbC8


     

       

       
18

       
+

       
--- 1g4f2OQbS5iXm/cqBamEWuapvZHorxfX7wHizfPcYsc


     

       

       
19

       
+

       
�z�92�LN=9���$O���fP���E���~�.��}7�eڰq��y�N�I�L����"%�V�lz'�أ�
+19
hosts/marvin/services/secrets/immich/oauth-secret.age 
···

       

       
1

       
+

       
age-encryption.org/v1


     

       

       
2

       
+

       
-> ssh-ed25519 iqBxIA 4osfKV5/wFT7mCdc4TjP7pJHdD8wzV7VKKiBSGRqImk


     

       

       
3

       
+

       
wU6RSxJh8SBbXbiwCl4lXD/m1THoAg5n1Y7pyKFPiec


     

       

       
4

       
+

       
-> ssh-rsa fFaiTA


     

       

       
5

       
+

       
RTHaBLsBWbDEmY80LktVL/C6CeFinLm3/4t/hoWmbzLLoElBL86EGVdrE5ovjUYl


     

       

       
6

       
+

       
j5+ZacmqahwjCtF/ZGBt8MFkWOK9u90YDfLp+kb2ILVy/E+CcQ3xPpH9bf83pPl/


     

       

       
7

       
+

       
aZmttaRlhnhSDYVXB0lHx3u/cCrYhTf6TjEoVGZ/XrLW0BRmO6GSwcmTrachZzdJ


     

       

       
8

       
+

       
je+pf2ug//mnAJR0y4MxjGlNPD/Vaj/UiaFQjPT+7ZvUUSkbv/QpPqyhhosFA11e


     

       

       
9

       
+

       
1EGp21ppwUnJSNdYh2vulpQGurB5bPlv6Y8FpcFKivq/qKmA4ydyER3NcCca5Ly+


     

       

       
10

       
+

       
01jQ1HRqWylYJj7K4hnxSjnNlOXCrJATuPJYoNdt2U1DnolUAqL6JIP/qNmYx8Fb


     

       

       
11

       
+

       
ZrfFINBmPsNc9XJn14T4J+VB6e68ODBOvZdbzoBQOWAObnP5OH+zLYCB3II+aLPp


     

       

       
12

       
+

       
Zo5WsNBBdZih4EbO0Y9PNWBjyCzxqs7zXPg1PjjDVHN/tIpSGnqoCqCPGuePhgRV


     

       

       
13

       
+

       
h1gnP/lqOW2U1oL004hi3etsUsk3kXHjr35GXMVBeay+3uGXkZqhNYYSluQnJSrs


     

       

       
14

       
+

       
rzahZZ8/q0FDdlUixWHb2uQjL1XMTqUcw8wPsUak8shkx8s7GPKNxtEKFcK46jk4


     

       

       
15

       
+

       
ac9TCyee4HzPC/SWkLGFl0bt9s9lGTBSNQrVzogY/sg


     

       

       
16

       
+

       
-> ssh-ed25519 wpmdHA C6npqn5aqimGJlo+UlvYOoqXSu/hW1JVNAmBPP1Vvjk


     

       

       
17

       
+

       
gWzXqL92jI83iqSr3dydJo+UAz5OGBo6kw6QC4KRWgM


     

       

       
18

       
+

       
--- ltHFDmeAbJsQtyY4CKFEz8OGAkPkue/8upHNOOQgn5I


     

       

       
19

       
+

       
��O�ӌ#&`���P�IZ�#�[��+�tdeG�ui�����?n"��(��b� ]s�	y줔���
-20
hosts/marvin/services/secrets/pingvin-secrets.age 
···

       
1

       

       
-

       
age-encryption.org/v1


     

       
2

       

       
-

       
-> ssh-ed25519 iqBxIA HdZwcvp9cLpqrUp0M7sK7ipTslMxK0EYqFfS8xtYeDk


     

       
3

       

       
-

       
Ud7ismLtRG4RlugV3P5wRNjRe8HcJW0rAz/adadWCNc


     

       
4

       

       
-

       
-> ssh-rsa fFaiTA


     

       
5

       

       
-

       
KwjETLhUBpq8Hfp41rg3++syweOB+yNIIdd0KeS2YjxjbDfgwzRVoM+wlB/C3b4X


     

       
6

       

       
-

       
W0561y9+wsnB5A6k/peXLASfVodw30vI9LdW+nHejQr9v/UooXPztoJNrfgaKUow


     

       
7

       

       
-

       
PsLbLUj+M8Y4i22GRKrY6rrCfJk8F4a+2b0PzDc1EqUcZOjMV7aE+fQ4U7+FD1jv


     

       
8

       

       
-

       
xGmrKNRXNUL1j5GpPAi7E7YXuGj2SxjZOiisKqyep5KTEFyIJ04lrN/rtbi2vkEJ


     

       
9

       

       
-

       
ejAFg2jIvxAWiEzEUbjOLFzeIdpb8pPqQJ3OUF4U0crT/r5dxmJKxB0J7ktS6eEY


     

       
10

       

       
-

       
NZ4/CtY/kLXjo9sWc6G2UtWAm+myXKsxETxFtp/RQ6LXMjS+3xbzGvkAoY/fzVMt


     

       
11

       

       
-

       
zLGdOV0X/paLb1jGl9CHkflq7qrpkdgqc6I5nmsOCRLHrsiVWLaCVCvu2T1fpjCh


     

       
12

       

       
-

       
tP+Mwdjv5ONXduoGUOxjCT8IVv7ceTt93S/9cZakpDIFJ38I1XymrjuFLfbhLMVK


     

       
13

       

       
-

       
VMfo9cLhWyz2/DAKA4gKnmagUhnYO2vdNBzzM9dg0/ysrLoX71ujEcxB0tx21pkE


     

       
14

       

       
-

       
eB3LEfFH94Izzn9crNJ1YMUFCpFayedN2uQjv89LN2oHx+mUKemXCdl+AV2sLP7P


     

       
15

       

       
-

       
pi4/UDjKOcIeK8cSvqJtsemjUn7QJdOamH4/IpgFh5o


     

       
16

       

       
-

       
-> ssh-ed25519 wpmdHA X+4vtGSjMeIuSearcEfYA8Mv5kmghhItcE1n5BPWLSo


     

       
17

       

       
-

       
uYkj1VkPXs8mJu99J4GFth6LyqhWymEH5fsN0+5TDsw


     

       
18

       

       
-

       
--- Ql8rRuZH0kS1eDQ9EYB7mW+GvcHtjXcW/Wu1ZGhjpKI


     

       
19

       

       
-

       
虌d0dj̭�ھ�f����� g�D�+�q��W��d������%5��1�?�U��)�tܫ��[


     

       
20

       

       
-

       
S�DV�+��U�".� q�i�,g{}#y�@���3O/M~��CЎBV�š� }�=����*#�7�?Q��
+2 -3
hosts/marvin/services/secrets/secrets.nix 
···

       
27

       
27

       
 

       
  "golink-authkey.age".publicKeys = marvinDefault;


     

       
28

       
28

       
 

       
  "grafana-admin-password.age".publicKeys = marvinDefault;


     

       
29

       
29

       
 

       
  "grafana-smtp-password.age".publicKeys = marvinDefault;


     

       
30

       

       
-

       
  "iceshrimp-secret-config.age".publicKeys = marvinDefault;


     

       
31

       

       
-

       
  "iceshrimp-db-password.age".publicKeys = marvinDefault;


     

       

       
30

       
+

       
  "immich/oauth-secret.age".publicKeys = marvinDefault;


     

       

       
31

       
+

       
  "immich/mail-pw.age".publicKeys = marvinDefault;


     

       
32

       
32

       
 

       
  "jellyfin-exporter-config.age".publicKeys = marvinDefault;


     

       
33

       
33

       
 

       
  "minio-root.age".publicKeys = marvinDefault;


     

       
34

       
34

       
 

       
  "miniflux-admin.age".publicKeys = marvinDefault;


     

       
35

       
35

       
 

       
  "../nextcloud/nextcloud-admin-pw.age".publicKeys = marvinDefault;


     

       
36

       
36

       
 

       
  "nix-serve-priv.age".publicKeys = marvinDefault;


     

       
37

       
37

       
 

       
  "pinchflat-secrets.age".publicKeys = marvinDefault;


     

       
38

       

       
-

       
  "pingvin-secrets.age".publicKeys = marvinDefault;


     

       
39

       
38

       
 

       
  "planka-env.age".publicKeys = marvinDefault;


     

       
40

       
39

       
 

       
  "pocket-id-secrets.age".publicKeys = marvinDefault;


     

       
41

       
40

       
 

       
  "vaultwarden-vars.age".publicKeys = marvinDefault;
+2 -23
hosts/marvin/services/vaultwarden.nix 
···

       
23

       
23

       
 

       
      rocketAddress = "0.0.0.0";


     

       
24

       
24

       
 

       
      rocketCliColors = false;


     

       
25

       
25

       
 

       
      rocketPort = d.port;


     

       
26

       

       
-

       
      websocketEnabled = true;


     

       
27

       

       
-

       
      ipHeader = "X-Real-IP";


     

       
28

       
26

       
 

       
      reloadTemplates = false;


     

       
29

       
27

       
 

       
      logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";


     

       
30

       
28

       
 

       
      # # Ratelimiting


     
···

       
36

       
34

       
 

       



     

       
37

       
35

       
 

       
      # Logging


     

       
38

       
36

       
 

       
      useSyslog = true;


     

       
39

       

       
-

       
      logLevel = "info";


     

       
40

       
37

       
 

       
      extendedLogging = true;


     

       
41

       
38

       
 

       



     

       
42

       
39

       
 

       
      # Features


     
···

       
46

       
43

       
 

       



     

       
47

       
44

       
 

       
      # Invitations


     

       
48

       
45

       
 

       
      invitationsAllowed = true;


     

       
49

       

       
-

       
      invitationOrgName = "PyroNet Vault";


     

       

       
46

       
+

       
      invitationOrgName = "dishNet Vault";


     

       
50

       
47

       
 

       
      invitationExpirationHours = 168;


     

       
51

       
48

       
 

       



     

       
52

       
49

       
 

       
      # Database


     
···

       
55

       
52

       
 

       
      # Signups


     

       
56

       
53

       
 

       
      signupsAllowed = false;


     

       
57

       
54

       
 

       
      signupsVerify = true;


     

       
58

       

       
-

       
      signupsVerifyResendTime = 3600;


     

       
59

       

       
-

       
      signupsVerifyResendLimit = 5;


     

       
60

       
55

       
 

       
      signupsDomainWhitelist = "pyrox.dev";


     

       
61

       
56

       
 

       



     

       
62

       
57

       
 

       
      # Passwords


     
···

       
67

       
62

       
 

       



     

       
68

       
63

       
 

       
      # Mail


     

       
69

       
64

       
 

       
      smtpFrom = "vault@pyrox.dev";


     

       
70

       

       
-

       
      smtpFromName = "PyroNet Vault <vault@pyrox.dev>";


     

       

       
65

       
+

       
      smtpFromName = "dishNet Vault <vault@pyrox.dev>";


     

       
71

       
66

       
 

       
      smtpUsername = "vault@pyrox.dev";


     

       
72

       
67

       
 

       
      smtpSecurity = "force_tls";


     

       
73

       
68

       
 

       
      smtpPort = 465;


     
···

       
76

       
71

       
 

       
      smtpTimeout = 20;


     

       
77

       
72

       
 

       
      smtpEmbedImages = true;


     

       
78

       
73

       
 

       
      useSendmail = false;


     

       
79

       

       
-

       
      smtpDebug = false;


     

       
80

       

       
-

       
      smtpAcceptInvalidCerts = false;


     

       
81

       

       
-

       
      smtpAcceptInvalidHostnames = false;


     

       
82

       
74

       
 

       



     

       
83

       
75

       
 

       
      # Authentication


     

       
84

       

       
-

       
      authenticatorDisableTimeDrift = false;


     

       
85

       

       
-

       
      disable2faRemember = false;


     

       
86

       
76

       
 

       
      incomplete2faTimeLimit = 5;


     

       
87

       
77

       
 

       
      # # Email 2FA


     

       
88

       

       
-

       
      emailAttemptsLimit = 3;


     

       
89

       
78

       
 

       
      emailExpirationTime = 180;


     

       
90

       
79

       
 

       
      emailTokenSize = 7;


     

       
91

       
80

       
 

       
      requireDeviceEmail = true;


     

       
92

       

       
-

       



     

       
93

       

       
-

       
      # Icons


     

       
94

       

       
-

       
      disableIconDownload = false;


     

       
95

       

       
-

       
      iconService = "internal";


     

       
96

       

       
-

       
      iconRedirectCode = 302;


     

       
97

       

       
-

       
      iconDownloadTimeout = 10;


     

       
98

       

       
-

       
      iconBlacklistNonGlobalIps = true;


     

       
99

       

       
-

       
      # # 30 Day TTL


     

       
100

       

       
-

       
      iconCacheTtl = 30 * 24 * 60 * 60;


     

       
101

       

       
-

       
      iconCacheNegttl = 30 * 24 * 60 * 60;


     

       
102

       
81

       
 

       



     

       
103

       
82

       
 

       
      # Misc Settings


     

       
104

       
83

       
 

       
      trashAutoDeleteDays = 14;
+4 -1
hosts/prefect/dn42/default.nix 
···

       
52

       
52

       
 

       
      v4 = [ "172.20.43.96/27" ];


     

       
53

       
53

       
 

       
      v6 = [ "fd21:1500:66b0::/48" ];


     

       
54

       
54

       
 

       
    };


     

       
55

       

       
-

       



     

       
56

       
55

       
 

       
    # Enable StayRTR


     

       
57

       
56

       
 

       
    # https://github.com/bgp/stayrtr


     

       
58

       
57

       
 

       
    stayrtr.enable = true;


     

       

       
58

       
+

       
    # Peer with GRC


     

       

       
59

       
+

       
    # https://dn42.dev/services/Route-Collector


     

       

       
60

       
+

       
    collector.enable = true;


     

       

       
61

       
+

       



     

       
59

       
62

       
 

       
    wg.tunnelDefaults = {


     

       
60

       
63

       
 

       
      privateKeyFile = "/run/agenix/dn42-privkey";


     

       
61

       
64

       
 

       
      localAddrs.v4 = cfg42.addr.v4;
+1
hosts/prefect/dn42/peers/default.nix 
···

       
14

       
14

       
 

       
    (import ./kioubit.nix { inherit dn42Types; })


     

       
15

       
15

       
 

       
    (import ./lare.nix { inherit dn42Types; })


     

       
16

       
16

       
 

       
    (import ./potato.nix { inherit dn42Types; })


     

       

       
17

       
+

       
    (import ./prefixlabs.nix { inherit dn42Types; })


     

       
17

       
18

       
 

       
    (import ./routedbits.nix { inherit dn42Types; })


     

       
18

       
19

       
 

       
    (import ./sunnet.nix { inherit dn42Types; })


     

       
19

       
20

       
 

       
    (import ./uffsalot.nix { inherit dn42Types; })
+26
hosts/prefect/dn42/peers/prefixlabs.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.prefixlabs = {


     

       

       
5

       
+

       
      as = 4242421240;


     

       

       
6

       
+

       
      addr.v6 = "fe80::1240:2";


     

       

       
7

       
+

       
      interface = "wg42_prefixlabs";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::240";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."7.3ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.prefixlabs = {


     

       

       
18

       
+

       
      listenPort = 43240;


     

       

       
19

       
+

       
      peerPubKey = "uRYzFGi+/B6pD0FR2SW3G/OzC5LPJXePNIt0s+nJfW0=";


     

       

       
20

       
+

       
      peerEndpoint = "us-01.prefixlabs.net:22459";


     

       

       
21

       
+

       
      peerAddrs.v4 = "172.20.209.11";


     

       

       
22

       
+

       
      peerAddrs.v6 = "fe80::1240:2";


     

       

       
23

       
+

       
      localAddrs.v6 = "fe80::240";


     

       

       
24

       
+

       
    };


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
+7 -9
hosts/prefect/services/caddy.nix 
···

       
211

       
211

       
 

       
        '';


     

       
212

       
212

       
 

       
      };


     

       
213

       
213

       
 

       



     

       
214

       

       
-

       
      # Pingvin Share


     

       
215

       

       
-

       
      ${pns.pingvin-share.extUrl} = {


     

       

       
214

       
+

       
      # Immich


     

       

       
215

       
+

       
      ${pns.immich.extUrl} = {


     

       
216

       
216

       
 

       
        extraConfig = ''


     

       
217

       

       
-

       
          reverse_proxy /api/* ${marvin}:${toString pns.pingvin-share.be-anubis} {


     

       
218

       

       
-

       
            header_up X-Real-IP {remote_host}


     

       
219

       

       
-

       
            header_up X-Http-Version {http.request.proto}


     

       
220

       

       
-

       
          }


     

       
221

       

       
-

       
          reverse_proxy /* ${marvin}:${toString pns.pingvin-share.anubis} {


     

       
222

       

       
-

       
            header_up X-Real-IP {remote_host}


     

       
223

       

       
-

       
            header_up X-Http-Version {http.request.proto}


     

       

       
217

       
+

       
          @public path /share /share/*


     

       

       
218

       
+

       
          handle @public {


     

       

       
219

       
+

       
            reverse_proxy ${marvin}:${toString pns.immich.pubProxy}


     

       
224

       
220

       
 

       
          }


     

       

       
221

       
+

       
          reverse_proxy ${marvin}:${toString pns.immich.port}


     

       
225

       
222

       
 

       
        '';


     

       
226

       
223

       
 

       
      };


     

       

       
224

       
+

       



     

       
227

       
225

       
 

       
      # Tangled Services


     

       
228

       
226

       
 

       
      ${pns.tangled-knot.extUrl} = {


     

       
229

       
227

       
 

       
        extraConfig = ''
-2
nixosModules/services/forgejo-runner/default.nix 
···

       
26

       
26

       
 

       
      };


     

       
27

       
27

       
 

       
      cache = {


     

       
28

       
28

       
 

       
        enabled = true;


     

       
29

       

       
-

       
        dir = "/var/lib/forgejo/runners/cache/";


     

       
30

       

       
-

       
        host = "";


     

       
31

       
29

       
 

       
        port = 0;


     

       
32

       
30

       
 

       
      };


     

       
33

       
31

       
 

       
      container = {
+6
packages/anubis-files/src/policies/forgejo.yaml 
···

       
2

       
2

       
 

       
  - import: CUSTOM/policies/meta/base.yaml


     

       
3

       
3

       
 

       
  - import: (data)/clients/git.yaml


     

       
4

       
4

       
 

       
  - import: (data)/apps/gitea-rss-feeds.yaml


     

       

       
5

       
+

       



     

       

       
6

       
+

       
  # Allow forgejo runner connections from localhost and tailscale


     

       

       
7

       
+

       
  - name: forgejo-runner


     

       

       
8

       
+

       
    user_agent_regex: connect-go


     

       

       
9

       
+

       
    action: ALLOW


     

       

       
10

       
+

       



     

       
5

       
11

       
 

       
dnsbl: false


     

       
6

       
12

       
 

       
openGraph:


     

       
7

       
13

       
 

       
  enabled: true
+26
packages/bgutil-pot-server/librusty_v8.nix 
···

       

       
1

       
+

       
# COPIED FROM nixpkgs/pkgs/by-name/router


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  lib,


     

       

       
4

       
+

       
  stdenv,


     

       

       
5

       
+

       
  fetchurl,


     

       

       
6

       
+

       
}:


     

       

       
7

       
+

       



     

       

       
8

       
+

       
let


     

       

       
9

       
+

       
  fetch_librusty_v8 =


     

       

       
10

       
+

       
    args:


     

       

       
11

       
+

       
    fetchurl {


     

       

       
12

       
+

       
      name = "librusty_v8-${args.version}";


     

       

       
13

       
+

       
      url = "https://github.com/denoland/rusty_v8/releases/download/v${args.version}/librusty_v8_release_${stdenv.hostPlatform.rust.rustcTarget}.a";


     

       

       
14

       
+

       
      sha256 = args.shas.${stdenv.hostPlatform.system};


     

       

       
15

       
+

       
      meta = {


     

       

       
16

       
+

       
        inherit (args) version;


     

       

       
17

       
+

       
        sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];


     

       

       
18

       
+

       
      };


     

       

       
19

       
+

       
    };


     

       

       
20

       
+

       
in


     

       

       
21

       
+

       
fetch_librusty_v8 {


     

       

       
22

       
+

       
  version = "130.0.7";


     

       

       
23

       
+

       
  shas = {


     

       

       
24

       
+

       
    x86_64-linux = "sha256-pkdsuU6bAkcIHEZUJOt5PXdzK424CEgTLXjLtQ80t10=";


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
+49
packages/bgutil-pot-server/package.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  lib,


     

       

       
3

       
+

       
  callPackage,


     

       

       
4

       
+

       
  rustPlatform,


     

       

       
5

       
+

       
  fetchFromGitHub,


     

       

       
6

       
+

       
  pkg-config,


     

       

       
7

       
+

       
  openssl,


     

       

       
8

       
+

       
  _experimental-update-script-combinators,


     

       

       
9

       
+

       
  nix-update-script,


     

       

       
10

       
+

       
}:


     

       

       
11

       
+

       
rustPlatform.buildRustPackage (finalAttrs: {


     

       

       
12

       
+

       
  pname = "bgutil-pot-server";


     

       

       
13

       
+

       
  version = "0.6.0";


     

       

       
14

       
+

       



     

       

       
15

       
+

       
  src = fetchFromGitHub {


     

       

       
16

       
+

       
    owner = "jim60105";


     

       

       
17

       
+

       
    repo = "bgutil-ytdlp-pot-provider-rs";


     

       

       
18

       
+

       
    tag = "v${finalAttrs.version}";


     

       

       
19

       
+

       
    hash = "sha256-kEu5WqOymH8yAyMhGKtVPOq3qlTRpFU/FO71uWEX/e8=";


     

       

       
20

       
+

       
  };


     

       

       
21

       
+

       



     

       

       
22

       
+

       
  cargoHash = "sha256-fJZeyIsFUfpWeC1MWsU1hANb6cqC9xHQOnhcohEMTeM=";


     

       

       
23

       
+

       



     

       

       
24

       
+

       
  nativeBuildInputs = [


     

       

       
25

       
+

       
    pkg-config


     

       

       
26

       
+

       
  ];


     

       

       
27

       
+

       



     

       

       
28

       
+

       
  buildInputs = [


     

       

       
29

       
+

       
    openssl


     

       

       
30

       
+

       
  ];


     

       

       
31

       
+

       



     

       

       
32

       
+

       
  env.RUSTY_V8_ARCHIVE = callPackage ./librusty_v8.nix { };


     

       

       
33

       
+

       



     

       

       
34

       
+

       
  doCheck = false;


     

       

       
35

       
+

       



     

       

       
36

       
+

       
  passthru.updateScript = _experimental-update-script-combinators.sequence [


     

       

       
37

       
+

       
    (nix-update-script { })


     

       

       
38

       
+

       
    ./update-librusty.sh


     

       

       
39

       
+

       
  ];


     

       

       
40

       
+

       



     

       

       
41

       
+

       
  meta = {


     

       

       
42

       
+

       
    changelog = "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs/releases/tag/v${finalAttrs.version}";


     

       

       
43

       
+

       
    description = "Proof-of-origin token provider plugin for yt-dlp in Rust";


     

       

       
44

       
+

       
    homepage = "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs";


     

       

       
45

       
+

       
    license = lib.licenses.gpl3Plus;


     

       

       
46

       
+

       
    maintainers = with lib.maintainers; [ pyrox0 ];


     

       

       
47

       
+

       
    mainProgram = "bgutil-pot";


     

       

       
48

       
+

       
  };


     

       

       
49

       
+

       
})
+45
packages/bgutil-pot-server/update-librusty.sh 
···

       

       
1

       
+

       
#!/usr/bin/env nix-shell


     

       

       
2

       
+

       
#!nix-shell -i bash -p gnugrep gnused nix jq


     

       

       
3

       
+

       
# shellcheck shell=bash


     

       

       
4

       
+

       
# COPIED FROM nixpkgs/pkgs/by-name/wi/windmill


     

       

       
5

       
+

       



     

       

       
6

       
+

       
set -eu -o pipefail


     

       

       
7

       
+

       



     

       

       
8

       
+

       
echo "librusty_v8: UPDATING"


     

       

       
9

       
+

       



     

       

       
10

       
+

       
BGUTIL_LATEST_VERSION=$(curl ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} --silent --fail --location "https://api.github.com/repos/jim60105/bgutil-ytdlp-pot-provider-rs/releases/latest" | jq --raw-output .tag_name)


     

       

       
11

       
+

       
CARGO_LOCK=$(curl ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} --silent --fail --location "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs/raw/$BGUTIL_LATEST_VERSION/Cargo.lock")


     

       

       
12

       
+

       



     

       

       
13

       
+

       
PACKAGE_DIR=$(dirname "$(readlink --canonicalize-existing "${BASH_SOURCE[0]}")")


     

       

       
14

       
+

       
OUTPUT_FILE="$PACKAGE_DIR/librusty_v8.nix"


     

       

       
15

       
+

       
NEW_VERSION=$(echo "$CARGO_LOCK" | grep --after-context 5 'name = "v8"' | grep 'version =' | sed -E 's/version = "//;s/"//')


     

       

       
16

       
+

       



     

       

       
17

       
+

       
CURRENT_VERSION=""


     

       

       
18

       
+

       
if [ -f "$OUTPUT_FILE" ]; then


     

       

       
19

       
+

       
  CURRENT_VERSION="$(grep 'version =' "$OUTPUT_FILE" | sed -E 's/version = "//;s/"//')"


     

       

       
20

       
+

       
fi


     

       

       
21

       
+

       



     

       

       
22

       
+

       
if [ "$CURRENT_VERSION" == "$NEW_VERSION" ]; then


     

       

       
23

       
+

       
  echo "No update needed, $CURRENT_VERSION is already latest"


     

       

       
24

       
+

       
  exit 0


     

       

       
25

       
+

       
fi


     

       

       
26

       
+

       



     

       

       
27

       
+

       
x86Hash="$(nix-prefetch-url --type sha256 https://github.com/denoland/rusty_v8/releases/download/v"$NEW_V")"


     

       

       
28

       
+

       
TEMP_FILE="$OUTPUT_FILE.tmp"


     

       

       
29

       
+

       
cat >"$TEMP_FILE" <<EOF


     

       

       
30

       
+

       
# COPIED FROM nixpkgs/pkgs/by-name/wi/windmill


     

       

       
31

       
+

       
# auto-generated file -- DO NOT EDIT!


     

       

       
32

       
+

       
{ fetchLibrustyV8 }:


     

       

       
33

       
+

       



     

       

       
34

       
+

       
fetchLibrustyV8 {


     

       

       
35

       
+

       
  version = "$NEW_VERSION";


     

       

       
36

       
+

       
  shas = {


     

       

       
37

       
+

       
    # NOTE; Follows supported platforms of package (see meta.platforms attribute)!


     

       

       
38

       
+

       
    x86_64-linux = "$(nix hash convert --hash-algo sha256 --from nix32 "$x86Hash")";


     

       

       
39

       
+

       
  };


     

       

       
40

       
+

       
}


     

       

       
41

       
+

       
EOF


     

       

       
42

       
+

       



     

       

       
43

       
+

       
mv "$TEMP_FILE" "$OUTPUT_FILE"


     

       

       
44

       
+

       



     

       

       
45

       
+

       
echo "librusty_v8: UPDATE DONE"
+2 -2
packages/glide-browser-bin/package.nix 
···

       
25

       
25

       
 

       
}:


     

       
26

       
26

       
 

       
stdenv.mkDerivation (finalAttrs: {


     

       
27

       
27

       
 

       
  pname = "glide-browser";


     

       
28

       

       
-

       
  version = "0.1.54a";


     

       

       
28

       
+

       
  version = "0.1.55a";


     

       
29

       
29

       
 

       



     

       
30

       
30

       
 

       
  src = fetchurl {


     

       
31

       
31

       
 

       
    url = "https://github.com/glide-browser/glide/releases/download/${finalAttrs.version}/glide.linux-x86_64.tar.xz";


     

       
32

       

       
-

       
    hash = "sha256-Rw85b+9eaiM9szWpYZiF7FqJY7OpliOwt09/c8UWlGk=";


     

       

       
32

       
+

       
    hash = "sha256-mjk8KmB/T5ZpB9AMQw1mtb9VbMXVX2VV4N+hWpWkSYI=";


     

       
33

       
33

       
 

       
  };


     

       
34

       
34

       
 

       



     

       
35

       
35

       
 

       
  nativeBuildInputs = [
+4 -1
packages/planka/package.nix 
···

       
78

       
78

       
 

       
in


     

       
79

       
79

       
 

       
stdenv.mkDerivation (finalAttrs: {


     

       
80

       
80

       
 

       
  pname = "planka";


     

       
81

       

       
-

       
  inherit version src meta;


     

       

       
81

       
+

       
  inherit version src;


     

       
82

       
82

       
 

       



     

       
83

       
83

       
 

       
  sourceRoot = "${finalAttrs.src.name}/server";


     

       
84

       
84

       
 

       



     
···

       
132

       
132

       
 

       
  '';


     

       
133

       
133

       
 

       



     

       
134

       
134

       
 

       
  passthru.updateScript = nix-update-script { extraArgs = [ "--version=unstable" ]; };


     

       

       
135

       
+

       
  meta = meta // {


     

       

       
136

       
+

       
    mainProgram = "planka";


     

       

       
137

       
+

       
  };


     

       
135

       
138

       
 

       
})