My Nix Configuration


Changed files
+10945 -9193
+7 -6
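--- a/.envrc
+++ b/.envrc
@@ -1,9 +1,10 @@
-if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
-source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
+if ! has nix_direnv_version || ! nix_direnv_version 3.1.0; then
+source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.1.0/direnvrc" "sha256-yMJ2OVMzrFaDPn7q8nCBZFRYpL/f0RcHzhmw/i6btJM="
 fi
-export NH_FLAKE=$(pwd)
+
 export NH_NOM=1
+export NH_LOG=nh=info
+NH_FLAKE=$(pwd)
+export NH_FLAKE
 
-if [[ $(hostname) == "zaphod" ]]; then
-use flake . --accept-flake-config
-fi
+use flake . --accept-flake-config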
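Review bot: The last added line runs `use flake . --accept-flake-config` on every machine now that the hostname guard is gone, so anyone who runs `direnv allow` in a checkout accepts whatever `nixConfig` the flake declares (substituters, trusted public keys and similar settings) without a prompt. Consider dropping the flag here, `use flake .`, and letting each user opt in through their own Nix configuration. If the flag stays, a comment above it would help, for example `# --accept-flake-config trusts the nixConfig in flake.nix; review it before running direnv allow`.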
+31
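--- a/.nvim.lua
+++ b/.nvim.lua
@@ -0,0 +1,31 @@
+local nvim_lsp = require("lspconfig")
+nvim_lsp.nixd.setup({
+cmd = { "nixd" },
+settings = {
+nixd = {
+nixpkgs = {
+expr = "import <nixpkgs> { }",
+},
+formatting = {
+command = { "treefmt" },
+},
+options = {
+nixos = {
+expr = "(builtins.getFlake (builtins.toString ./.)).nixosConfigurations.zaphod.options",
+},
+home_manager = {
+expr = "(builtins.getFlake (builtins.toString ./.)).nixosConfigurations.zaphod.options.home-manager.users.type.getSubOptions []",
+},
+flake_parts = {
+expr = "(builtins.getFlake (builtins.toString ./.)).debug.options",
+},
+flake_parts_perSystem = {
+expr = "(builtins.getFlake (builtins.toString ./.)).currentSystem.options",
+},
+my_modules = {
+exper = "(pkgs.lib.evalModules { modules = (builtins.getFlake (builtins.toString ./.)).nixosModules; }).options",
+},
+},
+},
+},
+})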
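Review bot: The `my_modules` entry at new line 26 spells its key `exper`, while every other option set in this table uses `expr`, so nixd will presumably never see this expression; rename the key to `expr`. Separately, the string refers to `pkgs` without binding it and passes `nixosModules` (normally an attribute set) where `evalModules` takes a list of modules, so it may still fail to evaluate after the rename and is worth testing. Note also that a project-local `.nvim.lua` only runs when the editor is configured to load and trust it, and that these expressions evaluate the flake in the working directory.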
+1
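--- a/.shellcheckrc
+++ b/.shellcheckrc
@@ -0,0 +1 @@
+disable=SC2148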
+23
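--- a/.zed/settings.json
+++ b/.zed/settings.json
@@ -0,0 +1,23 @@
+// Folder-specific settings
+//
+// For a full list of overridable settings, and general information on folder-specific settings,
+// see the documentation: https://zed.dev/docs/configuring-zed#settings-files
+{
+"lsp": {
+"nixd": {
+"settings": {
+"options": {
+"nixos": {
+"expr": "(builtins.getFlake (builtins.toString ./.)).nixosConfigurations.zaphod.options"
+},
+"home-manager": {
+"expr": "(builtins.getFlake (builtins.toString ./.)).nixosConfigurations.zaphod.options.home-manager.users.type.getSubOptions []"
+},
+"flake-parts": {
+"expr": "(builtins.getFlake (builtins.toString ./.)).debug.options"
+}
+}
+}
+}
+}
+}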
+4 -2
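--- a/Justfile
+++ b/Justfile
@@ -2,7 +2,9 @@
 alias s := switch
 
 build:
-nh os build . --verbose -- --show-trace --accept-flake-config
+nixos-rebuild-ng build --flake . --accept-flake-config --verbose --show-trace \
+--max-jobs 3 --cores 6 \
+&& nvd diff /run/current-system result
 
 switch:
-nh os switch . --verbose -- --show-trace --accept-flake-config
+nixos-rebuild-ng switch --flake . --accept-flake-config --verbose --show-trace --sudo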
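Review bot: The `build` recipe pins `--max-jobs 3 --cores 6`, but the `switch` recipe on the last added line passes neither, so a `just switch` without a prior `just build` builds with the daemon's default limits. The numbers also look specific to one machine, although the same Justfile serves every host. Consider one shared variable, `build_flags := "--max-jobs 3 --cores 6"`, referenced as `{{build_flags}}` in both recipes. The section starts at line 2 of the file, so line 1 is not visible here.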
+30 -18
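--- a/README.md
+++ b/README.md
@@ -1,31 +1,43 @@
 # PyroConf, a custom Nix config
 
 ## No Place Like ~
-This is PyroNet's (relatively) production-grade NixOS config repo. It contains configurations for 3 different machines, as well as `home-manager` configurations.
 
-I try to keep the configuration organized. All home-manager related items go in `/home`, host configurations go in `/hosts`, and custom packages are in `/pkgs`, among other folders.
+This is PyroNet's (relatively) production-grade NixOS config repo. It contains configurations for 3 different machines,
+as well as `home-manager` configurations.
 
-My machines serve production infra for *.pyrox.dev domains. There are a few exceptions:
-* [My blog](https://blog.pyrox.dev), and the [root domain](https://pyrox.dev) which are served by [OMG.LOL](https://omg.lol).
-I highly recommend their services, as you get a great domain name at a company that cares about you. If you do sign up, consider using [my referral link](https://omg.lol?refer=py), as I get 3 months of service credit if you sign up through it.
+I try to keep the configuration organized. All home-manager related items go in `/home`, host configurations go in
+`/hosts`, and custom packages are in `/pkgs`, among other folders.
+
+My machines serve production infra for \*.pyrox.dev domains. There are a few exceptions:
+
+- [My blog](https://blog.pyrox.dev), and the [root domain](https://pyrox.dev) which are served by
+[OMG.LOL](https://omg.lol). I highly recommend their services, as you get a great domain name at a company that cares
+about you. If you do sign up, consider using [my referral link](https://omg.lol?refer=py), as I get 3 months of
+service credit if you sign up through it.
 
 There are some services I run that many homelabs do not. They are:
-* Authoritative DNS for my domains, run on `prefect`.
-* A Tailscale tunnel from `marvin` to `prefect` which allows me to run services on `marvin` while having them be externally accessible.
-* Email services for my domains, also run on `prefect`, with all email data backed up hourly to `marvin`, ensuring data reliability.
-* Connections to the [DN42](https://dn42.us) network, run on `prefect`.
+
+- Authoritative DNS for my domains, run on `prefect`.
+- A Tailscale tunnel from `marvin` to `prefect` which allows me to run services on `marvin` while having them be
+externally accessible.
+- Email services for my domains, also run on `prefect`, with all email data backed up hourly to `marvin`, ensuring data
+reliability.
+- Connections to the [DN42](https://dn42.us) network, run on `prefect`.
 
 I also run many typical homelab services, such as:
-* [Vaultwarden](https://github.com/danigarcia/vaultwarden) for passwords
-* [Jellyfin](https://jellyfin.org) for media
-* [Authentik](https://goauthentik.io) for central auth
-* And many more
+
+- [Vaultwarden](https://github.com/danigarcia/vaultwarden) for passwords
+- [Jellyfin](https://jellyfin.org) for media
+- [Authentik](https://goauthentik.io) for central auth
+- And many more
 
 # Contact
-If you have any questions about any of the services I run, or would like to reach out, my contact info is on my profile [here](https://pyrox.dev)
+
+If you have any questions about any of the services I run, or would like to reach out, my contact info is on my profile
+[here](https://pyrox.dev)
 
 # License
-Copyright (c) 2023 Pyrox and PyroNet. All rights reserved.
-This Source Code Form is subject to the terms of the Mozilla Public
-License, v. 2.0. If a copy of the MPL was not distributed with this
-file, You can obtain one at <http://mozilla.org/MPL/2.0/>.
+
+Copyright (c) 2023 Pyrox and PyroNet. All rights reserved. This Source Code Form is subject to the terms of the Mozilla
+Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at
+<http://mozilla.org/MPL/2.0/>.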
-4
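--- a/TODO.md
+++ b/TODO.md
@@ -15,13 +15,9 @@
 
 - [ ] Add Attic and use as an internal binary cache
 - [ ] https://docs.attic.rs/
-- [ ] Switch Authentik from Docker to Authentik-nix
-- https://github.com/nix-community/authentik-nix
 - [ ] Move all Docker containers to using native versions of databases, redis, etc.
 - Ensures higher performance and reduces the number of running containers.
 - https://github.com/felschr/nixos-config/blob/main/services/immich.nix for an example of how to do it
-- [ ] Add Archivebox service(needs custom module)
-- [ ] Add Immich service
 
 ## Zaphod
 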
-2
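--- a/checks/deploy/default.nix
+++ b/checks/deploy/default.nix
@@ -1,2 +0,0 @@
-{ inputs, ... }:
-builtins.mapAttrs (_: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib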
+22
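--- a/devShells/default/default.nix
+++ b/devShells/default/default.nix
@@ -0,0 +1,22 @@
+{
+pkgs,
+...
+}:
+pkgs.mkShellNoCC {
+packages = [
+# keep-sorted start
+pkgs.deadnix
+pkgs.just
+pkgs.nil
+pkgs.nix-output-monitor
+pkgs.nix-tree
+pkgs.nix-update
+pkgs.nixd
+pkgs.nixfmt-rfc-style
+pkgs.nixos-rebuild-ng
+pkgs.nvd
+pkgs.statix
+pkgs.tokei
+# keep-sorted endd
+];
+}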
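Review bot: The closing marker at new line 20 reads `# keep-sorted endd`, which keep-sorted will not match against the `# keep-sorted start` on line 7, so the block is either reported as unterminated or left unsorted. It should read `# keep-sorted end`. A short comment above `pkgs.mkShellNoCC` saying that this is the shell loaded by `use flake` in `.envrc` would also help readers.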
+9
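--- a/devShells/default.nix
+++ b/devShells/default.nix
@@ -0,0 +1,9 @@
+_: {
+perSystem =
+{ pkgs, ... }:
+{
+devShells = {
+default = pkgs.callPackage ./default { };
+};
+};
+}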
+398 -525
flake.lock
··· 1 1 { 2 2 "nodes": { 3 + "actor-typeahead-src": { 4 + "flake": false, 5 + "locked": { 6 + "lastModified": 1762835797, 7 + "narHash": "sha256-heizoWUKDdar6ymfZTnj3ytcEv/L4d4fzSmtr0HlXsQ=", 8 + "ref": "refs/heads/main", 9 + "rev": "677fe7f743050a4e7f09d4a6f87bbf1325a06f6b", 10 + "revCount": 6, 11 + "type": "git", 12 + "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead" 13 + }, 14 + "original": { 15 + "type": "git", 16 + "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead" 17 + } 18 + }, 3 19 "agenix": { 4 20 "inputs": { 5 21 "darwin": "darwin", ··· 9 25 "nixpkgs": [ 10 26 "nixpkgs" 11 27 ], 12 - "systems": [ 13 - "systems" 14 - ] 28 + "systems": "systems" 15 29 }, 16 30 "locked": { 17 - "lastModified": 1736955230, 18 - "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", 31 + "lastModified": 1762618334, 32 + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", 19 33 "owner": "ryantm", 20 34 "repo": "agenix", 21 - "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", 35 + "rev": "fcdea223397448d35d9b31f798479227e80183f6", 22 36 "type": "github" 23 37 }, 24 38 "original": { ··· 27 41 "type": "github" 28 42 } 29 43 }, 30 - "authentik": { 44 + "bird": { 31 45 "inputs": { 32 - "authentik-src": "authentik-src", 33 - "flake-compat": [ 34 - "flake-compat" 35 - ], 46 + "flake-utils": "flake-utils", 47 + "nixpkgs": [ 48 + "dn42", 49 + "nixpkgs" 50 + ] 51 + }, 52 + "locked": { 53 + "lastModified": 1757884119, 54 + "narHash": "sha256-RF0Em7PjDRaQ5cBFgc3fL22qgDVbv2HoVW1TDRaaSNo=", 55 + "owner": "NuschtOS", 56 + "repo": "bird.nix", 57 + "rev": "f8d18c2c8eebd477987001a9c0af50a9ca7909e5", 58 + "type": "github" 59 + }, 60 + "original": { 61 + "owner": "NuschtOS", 62 + "repo": "bird.nix", 63 + "type": "github" 64 + } 65 + }, 66 + "buildbot-nix": { 67 + "inputs": { 36 68 "flake-parts": [ 37 69 "flake-parts" 38 70 ], 39 - "flake-utils": [ 40 - "flake-utils" 41 - ], 42 - "napalm": "napalm", 71 + "hercules-ci-effects": "hercules-ci-effects", 
43 72 "nixpkgs": [ 44 73 "nixpkgs" 45 74 ], 46 - "poetry2nix": "poetry2nix", 47 - "systems": "systems" 75 + "treefmt-nix": [] 48 76 }, 49 77 "locked": { 50 - "lastModified": 1744375272, 51 - "narHash": "sha256-xvWbdTctLu5YWgcp+lNTh51GAY3vB2XEXUFKRMJUiCM=", 78 + "lastModified": 1763946641, 79 + "narHash": "sha256-kPP7k2b+Dkd91yJO01y3l1F0t+Mqvv8+FrPfjcCwszg=", 52 80 "owner": "nix-community", 53 - "repo": "authentik-nix", 54 - "rev": "105b3b6c004ce00d1d3c7a88669bea4aadfd4580", 81 + "repo": "buildbot-nix", 82 + "rev": "cd32d1c420320383bfcc80c1b0b402b6a7eccc23", 55 83 "type": "github" 56 84 }, 57 85 "original": { 58 86 "owner": "nix-community", 59 - "repo": "authentik-nix", 87 + "repo": "buildbot-nix", 60 88 "type": "github" 61 89 } 62 90 }, 63 - "authentik-src": { 64 - "flake": false, 91 + "caelestia": { 92 + "inputs": { 93 + "caelestia-cli": "caelestia-cli", 94 + "nixpkgs": [ 95 + "nixpkgs" 96 + ], 97 + "quickshell": [ 98 + "quickshell" 99 + ] 100 + }, 65 101 "locked": { 66 - "lastModified": 1744135136, 67 - "narHash": "sha256-7wvoCRhLipX4qzrb/ctsozG565yckx+moxiF6vRo84I=", 68 - "owner": "goauthentik", 69 - "repo": "authentik", 70 - "rev": "74eab55c615b156e4191ee98dc789e2d58c016f9", 102 + "lastModified": 1764466211, 103 + "narHash": "sha256-rBK+usqfAP9ZuEthw9wMCwTKQgKUMmziuzrrkpDZdzY=", 104 + "owner": "caelestia-dots", 105 + "repo": "shell", 106 + "rev": "40813e520582c5df11f6d4c870a31900fe171cce", 71 107 "type": "github" 72 108 }, 73 109 "original": { 74 - "owner": "goauthentik", 75 - "ref": "version/2025.2.4", 76 - "repo": "authentik", 110 + "owner": "caelestia-dots", 111 + "repo": "shell", 77 112 "type": "github" 78 113 } 79 114 }, 80 - "blobs": { 81 - "flake": false, 82 - "locked": { 83 - "lastModified": 1604995301, 84 - "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=", 85 - "owner": "simple-nixos-mailserver", 86 - "repo": "blobs", 87 - "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265", 88 - "type": "gitlab" 89 - }, 90 - "original": { 91 - "owner": 
"simple-nixos-mailserver", 92 - "repo": "blobs", 93 - "type": "gitlab" 94 - } 95 - }, 96 - "buildbot-nix": { 115 + "caelestia-cli": { 97 116 "inputs": { 98 - "flake-parts": [ 99 - "flake-parts" 117 + "caelestia-shell": [ 118 + "caelestia" 100 119 ], 101 - "hercules-ci-effects": "hercules-ci-effects", 102 120 "nixpkgs": [ 121 + "caelestia", 103 122 "nixpkgs" 104 - ], 105 - "treefmt-nix": "treefmt-nix_2" 123 + ] 106 124 }, 107 125 "locked": { 108 - "lastModified": 1744289588, 109 - "narHash": "sha256-xzYebbAH13K6pK/Z+Vvu/uY52NkTkOs/o7PEAeAx5Yg=", 110 - "owner": "Mic92", 111 - "repo": "buildbot-nix", 112 - "rev": "8a50a4bcf8090c156d38ae96a57ded65f1341ac6", 126 + "lastModified": 1764381410, 127 + "narHash": "sha256-WR/oQQjveFqQxo8oHngZuOVgBQINDgPe+lCXLeNhAAg=", 128 + "owner": "caelestia-dots", 129 + "repo": "cli", 130 + "rev": "ed12d4cb82600872a82feb577711be1148c7af35", 113 131 "type": "github" 114 132 }, 115 133 "original": { 116 - "owner": "Mic92", 117 - "repo": "buildbot-nix", 134 + "owner": "caelestia-dots", 135 + "repo": "cli", 118 136 "type": "github" 119 137 } 120 138 }, ··· 123 141 "nixpkgs": "nixpkgs" 124 142 }, 125 143 "locked": { 126 - "lastModified": 1744447794, 127 - "narHash": "sha256-z5uK5BDmFg0L/0EW2XYLGr39FbQeXyNVnIEhkZrG8+Q=", 144 + "lastModified": 1764325801, 145 + "narHash": "sha256-LQ7tsrXs1wuB6KBwUctL3JlUsG/FWI2pCI6NkoO52dk=", 128 146 "owner": "catppuccin", 129 147 "repo": "nix", 130 - "rev": "c44fe73ed8e5d5809eded7cc6156ca9c40044e42", 148 + "rev": "a696fed6b9b6aa89ef495842cdca3fc2a7cef0de", 131 149 "type": "github" 132 150 }, 133 151 "original": { ··· 144 162 ] 145 163 }, 146 164 "locked": { 147 - "lastModified": 1700795494, 148 - "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", 165 + "lastModified": 1744478979, 166 + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", 149 167 "owner": "lnl7", 150 168 "repo": "nix-darwin", 151 - "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", 169 + "rev": 
"43975d782b418ebf4969e9ccba82466728c2851b", 152 170 "type": "github" 153 171 }, 154 172 "original": { ··· 158 176 "type": "github" 159 177 } 160 178 }, 161 - "deploy-rs": { 179 + "dgop": { 162 180 "inputs": { 163 - "flake-compat": [ 164 - "flake-compat" 165 - ], 166 181 "nixpkgs": [ 182 + "dms", 167 183 "nixpkgs" 168 - ], 169 - "utils": [ 170 - "flake-utils" 171 184 ] 172 185 }, 173 186 "locked": { 174 - "lastModified": 1727447169, 175 - "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", 176 - "owner": "serokell", 177 - "repo": "deploy-rs", 178 - "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", 187 + "lastModified": 1762435535, 188 + "narHash": "sha256-QhzRn7pYN35IFpKjjxJAj3GPJECuC+VLhoGem3ezycc=", 189 + "owner": "AvengeMedia", 190 + "repo": "dgop", 191 + "rev": "6cf638dde818f9f8a2e26d0243179c43cb3458d7", 179 192 "type": "github" 180 193 }, 181 194 "original": { 182 - "owner": "serokell", 183 - "repo": "deploy-rs", 195 + "owner": "AvengeMedia", 196 + "repo": "dgop", 184 197 "type": "github" 185 198 } 186 199 }, 187 - "devshell": { 200 + "dms": { 188 201 "inputs": { 202 + "dgop": "dgop", 189 203 "nixpkgs": [ 190 - "topology", 191 204 "nixpkgs" 192 205 ] 193 206 }, 194 207 "locked": { 195 - "lastModified": 1728330715, 196 - "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", 197 - "owner": "numtide", 198 - "repo": "devshell", 199 - "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", 208 + "lastModified": 1764553800, 209 + "narHash": "sha256-kHlx3E3K2UNWI1Hpbyl5zieoOVevZfwz8P/OcyViDHY=", 210 + "owner": "AvengeMedia", 211 + "repo": "DankMaterialShell", 212 + "rev": "7959a795753d9f646cfb9e21cfb778adf7e5c933", 213 + "type": "github" 214 + }, 215 + "original": { 216 + "owner": "AvengeMedia", 217 + "repo": "DankMaterialShell", 218 + "type": "github" 219 + } 220 + }, 221 + "dms-plugins": { 222 + "flake": false, 223 + "locked": { 224 + "lastModified": 1764085668, 225 + "narHash": "sha256-KtOu12NVLdyho9T4EXJaReNhFO98nAXpemkb6yeOvwE=", 226 + 
"owner": "AvengeMedia", 227 + "repo": "dms-plugins", 228 + "rev": "3bc66f186a8184cb8eca5fdfc0699cb4a828cd90", 229 + "type": "github" 230 + }, 231 + "original": { 232 + "owner": "AvengeMedia", 233 + "repo": "dms-plugins", 234 + "type": "github" 235 + } 236 + }, 237 + "dms-power-usage": { 238 + "flake": false, 239 + "locked": { 240 + "lastModified": 1760429135, 241 + "narHash": "sha256-M/H4nlAzUFrxZ01ldaR/YH1hqVN4vlBrkaCUqjtMaTM=", 242 + "owner": "Daniel-42-z", 243 + "repo": "dms-power-usage", 244 + "rev": "3f75b651d90210c6f9442a099cf14262ac47750d", 200 245 "type": "github" 201 246 }, 202 247 "original": { 203 - "owner": "numtide", 204 - "repo": "devshell", 248 + "owner": "Daniel-42-z", 249 + "repo": "dms-power-usage", 205 250 "type": "github" 206 251 } 207 252 }, 208 - "dns": { 253 + "dms-wp-shuffler": { 254 + "flake": false, 255 + "locked": { 256 + "lastModified": 1760657995, 257 + "narHash": "sha256-71kZLdVZmWMG+sgpbPHH8RFGmvLWve9NNTpZNJXrRd4=", 258 + "owner": "Daniel-42-z", 259 + "repo": "dms-wallpaper-shuffler", 260 + "rev": "cc459906990e562d3a332bd5c6869e8f5af1ee52", 261 + "type": "github" 262 + }, 263 + "original": { 264 + "owner": "Daniel-42-z", 265 + "repo": "dms-wallpaper-shuffler", 266 + "type": "github" 267 + } 268 + }, 269 + "dn42": { 209 270 "inputs": { 210 - "flake-utils": [ 211 - "flake-utils" 212 - ], 271 + "bird": "bird", 213 272 "nixpkgs": [ 214 273 "nixpkgs" 215 274 ] 216 275 }, 217 276 "locked": { 218 - "lastModified": 1737653493, 219 - "narHash": "sha256-qTbv8Pm9WWF63M5Fj0Od9E54/lsbMSQUBHw/s30eFok=", 220 - "owner": "nix-community", 221 - "repo": "dns.nix", 222 - "rev": "96e548ae8bd44883afc5bddb9dacd0502542276d", 277 + "lastModified": 1764646680, 278 + "narHash": "sha256-HEVzGL23bev8CuZXbLgDZRWy+mD/qPZhRBpjag7G/dU=", 279 + "owner": "pyrox0", 280 + "repo": "dn43.nix", 281 + "rev": "c8b68602cf1ef696e6a9f9c25e8c177d4101331b", 223 282 "type": "github" 224 283 }, 225 284 "original": { 226 - "owner": "nix-community", 227 - "repo": "dns.nix", 285 + 
"owner": "pyrox0", 286 + "repo": "dn43.nix", 287 + "type": "github" 288 + } 289 + }, 290 + "easy-hosts": { 291 + "locked": { 292 + "lastModified": 1755470564, 293 + "narHash": "sha256-KB1ZryVDoQcbIsItOf4WtxkHhh3ppj+XwMpSnt/2QHc=", 294 + "owner": "tgirlcloud", 295 + "repo": "easy-hosts", 296 + "rev": "d0422bc7b3db26268982aa15d07e60370e76ee1d", 297 + "type": "github" 298 + }, 299 + "original": { 300 + "owner": "tgirlcloud", 301 + "repo": "easy-hosts", 228 302 "type": "github" 229 303 } 230 304 }, 231 305 "flake-compat": { 232 306 "locked": { 233 - "lastModified": 1733328505, 234 - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", 307 + "lastModified": 1761588595, 308 + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", 235 309 "owner": "edolstra", 236 310 "repo": "flake-compat", 237 - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", 311 + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", 238 312 "type": "github" 239 313 }, 240 314 "original": { ··· 246 320 "flake-compat_2": { 247 321 "flake": false, 248 322 "locked": { 249 - "lastModified": 1696426674, 250 - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", 251 - "owner": "edolstra", 252 - "repo": "flake-compat", 253 - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", 254 - "type": "github" 323 + "lastModified": 1751685974, 324 + "narHash": "sha256-NKw96t+BgHIYzHUjkTK95FqYRVKB8DHpVhefWSz/kTw=", 325 + "rev": "549f2762aebeff29a2e5ece7a7dc0f955281a1d1", 326 + "type": "tarball", 327 + "url": "https://git.lix.systems/api/v1/repos/lix-project/flake-compat/archive/549f2762aebeff29a2e5ece7a7dc0f955281a1d1.tar.gz?rev=549f2762aebeff29a2e5ece7a7dc0f955281a1d1" 255 328 }, 256 329 "original": { 257 - "owner": "edolstra", 258 - "repo": "flake-compat", 259 - "type": "github" 330 + "type": "tarball", 331 + "url": "https://git.lix.systems/lix-project/flake-compat/archive/main.tar.gz" 260 332 } 261 333 }, 262 334 "flake-parts": { 263 335 "inputs": { 264 - "nixpkgs-lib": [ 265 - 
"nixpkgs-lib" 266 - ] 336 + "nixpkgs-lib": "nixpkgs-lib" 267 337 }, 268 338 "locked": { 269 - "lastModified": 1743550720, 270 - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", 339 + "lastModified": 1763759067, 340 + "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=", 271 341 "owner": "hercules-ci", 272 342 "repo": "flake-parts", 273 - "rev": "c621e8422220273271f52058f618c94e405bb0f5", 343 + "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0", 274 344 "type": "github" 275 345 }, 276 346 "original": { ··· 279 349 "type": "github" 280 350 } 281 351 }, 282 - "flake-root": { 283 - "locked": { 284 - "lastModified": 1723604017, 285 - "narHash": "sha256-rBtQ8gg+Dn4Sx/s+pvjdq3CB2wQNzx9XGFq/JVGCB6k=", 286 - "owner": "srid", 287 - "repo": "flake-root", 288 - "rev": "b759a56851e10cb13f6b8e5698af7b59c44be26e", 289 - "type": "github" 290 - }, 291 - "original": { 292 - "owner": "srid", 293 - "repo": "flake-root", 294 - "type": "github" 295 - } 296 - }, 297 352 "flake-utils": { 298 353 "inputs": { 299 - "systems": [ 300 - "systems" 301 - ] 354 + "systems": "systems_2" 302 355 }, 303 356 "locked": { 304 357 "lastModified": 1731533236, ··· 314 367 "type": "github" 315 368 } 316 369 }, 317 - "flake-utils-plus": { 370 + "flake-utils_2": { 318 371 "inputs": { 319 - "flake-utils": "flake-utils_2" 372 + "systems": "systems_3" 320 373 }, 321 374 "locked": { 322 - "lastModified": 1715533576, 323 - "narHash": "sha256-fT4ppWeCJ0uR300EH3i7kmgRZnAVxrH+XtK09jQWihk=", 324 - "owner": "gytis-ivaskevicius", 325 - "repo": "flake-utils-plus", 326 - "rev": "3542fe9126dc492e53ddd252bb0260fe035f2c0f", 375 + "lastModified": 1731533236, 376 + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", 377 + "owner": "numtide", 378 + "repo": "flake-utils", 379 + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", 327 380 "type": "github" 328 381 }, 329 382 "original": { 330 - "owner": "gytis-ivaskevicius", 331 - "repo": "flake-utils-plus", 332 - "rev": 
"3542fe9126dc492e53ddd252bb0260fe035f2c0f", 383 + "owner": "numtide", 384 + "repo": "flake-utils", 333 385 "type": "github" 334 386 } 335 387 }, 336 - "flake-utils_2": { 388 + "flake-utils_3": { 337 389 "inputs": { 338 - "systems": "systems_2" 390 + "systems": "systems_5" 339 391 }, 340 392 "locked": { 341 393 "lastModified": 1694529238, ··· 351 403 "type": "github" 352 404 } 353 405 }, 354 - "gitignore": { 406 + "golink": { 355 407 "inputs": { 356 408 "nixpkgs": [ 357 - "topology", 358 - "pre-commit-hooks", 359 409 "nixpkgs" 360 - ] 410 + ], 411 + "systems": "systems_4" 361 412 }, 362 413 "locked": { 363 - "lastModified": 1709087332, 364 - "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", 365 - "owner": "hercules-ci", 366 - "repo": "gitignore.nix", 367 - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", 414 + "lastModified": 1764170522, 415 + "narHash": "sha256-4c9jCOfkKNRHJLXgOIcVcNSaw/XaiVaqesaLJn86wGA=", 416 + "owner": "tailscale", 417 + "repo": "golink", 418 + "rev": "6821994de926c565d3ef9fbf3cb0e0fcb780f4be", 368 419 "type": "github" 369 420 }, 370 421 "original": { 371 - "owner": "hercules-ci", 372 - "repo": "gitignore.nix", 422 + "owner": "tailscale", 423 + "repo": "golink", 373 424 "type": "github" 374 425 } 375 426 }, 376 - "golink": { 427 + "gomod2nix": { 377 428 "inputs": { 429 + "flake-utils": "flake-utils_3", 378 430 "nixpkgs": [ 431 + "tangled", 379 432 "nixpkgs" 380 - ], 381 - "parts": [ 382 - "flake-parts" 383 - ], 384 - "systems": [ 385 - "systems" 386 433 ] 387 434 }, 388 435 "locked": { 389 - "lastModified": 1744133121, 390 - "narHash": "sha256-SBhJUjmvM7fIUj8bhJx5hljdIm9BJ8q/wYBD5GRJwNA=", 391 - "owner": "tailscale", 392 - "repo": "golink", 393 - "rev": "4112ebe50fc8751bcd5342ffa2da720fa8aba38c", 436 + "lastModified": 1754078208, 437 + "narHash": "sha256-YVoIFDCDpYuU3riaDEJ3xiGdPOtsx4sR5eTzHTytPV8=", 438 + "owner": "nix-community", 439 + "repo": "gomod2nix", 440 + "rev": "7f963246a71626c7fc70b431a315c4388a0c95cf", 394 441 
"type": "github" 395 442 }, 396 443 "original": { 397 - "owner": "tailscale", 398 - "repo": "golink", 444 + "owner": "nix-community", 445 + "repo": "gomod2nix", 399 446 "type": "github" 400 447 } 401 448 }, 402 449 "hardware": { 403 450 "locked": { 404 - "lastModified": 1744366945, 405 - "narHash": "sha256-OuLhysErPHl53BBifhesrRumJNhrlSgQDfYOTXfgIMg=", 451 + "lastModified": 1764440730, 452 + "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=", 406 453 "owner": "nixos", 407 454 "repo": "nixos-hardware", 408 - "rev": "1fe3cc2bc5d2dc9c81cb4e63d2f67c1543340df1", 455 + "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3", 409 456 "type": "github" 410 457 }, 411 458 "original": { ··· 426 473 ] 427 474 }, 428 475 "locked": { 429 - "lastModified": 1742014779, 430 - "narHash": "sha256-I6fG1zrfdLFcp/imGZElig0BJO3YU0QEXLgvwWoOpJ8=", 476 + "lastModified": 1758022363, 477 + "narHash": "sha256-ENUhCRWgSX4ni751HieNuQoq06dJvApV/Nm89kh+/A0=", 431 478 "owner": "hercules-ci", 432 479 "repo": "hercules-ci-effects", 433 - "rev": "524637ef84c177661690b924bf64a1ce18072a2c", 480 + "rev": "1a3667d33e247ad35ca250698d63f49a5453d824", 434 481 "type": "github" 435 482 }, 436 483 "original": { ··· 446 493 ] 447 494 }, 448 495 "locked": { 449 - "lastModified": 1744498625, 450 - "narHash": "sha256-pL52uCt9CUoTTmysGG91c2FeU7XUvpB7Cep6yon2vDk=", 496 + "lastModified": 1764544324, 497 + "narHash": "sha256-GVBGjO7UsmzLrlOJV8NlKSxukHaHencrJqWkCA6FkqI=", 451 498 "owner": "nix-community", 452 499 "repo": "home-manager", 453 - "rev": "db56335ca8942d86f2200664acdbd5b9212b26ad", 500 + "rev": "e4e25a8c310fa45f2a8339c7972dc43d2845a612", 454 501 "type": "github" 455 502 }, 456 503 "original": { ··· 459 506 "type": "github" 460 507 } 461 508 }, 462 - "iceshrimp": { 463 - "inputs": { 464 - "nixpkgs": [ 465 - "nixpkgs" 466 - ] 467 - }, 509 + "htmx-src": { 510 + "flake": false, 468 511 "locked": { 469 - "lastModified": 1721338360, 470 - "narHash": "sha256-1CEhakLtPq+Lqo+p40wo00hkewmyzPAvjBr8ah6Faqk=", 
471 - "ref": "refs/heads/dev", 472 - "rev": "98c3678cfbcea5e750a5947394d35a73ae72634a", 473 - "revCount": 48, 474 - "type": "git", 475 - "url": "https://iceshrimp.dev/pyrox/packaging" 512 + "narHash": "sha256-nm6avZuEBg67SSyyZUhjpXVNstHHgUxrtBHqJgowU08=", 513 + "type": "file", 514 + "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js" 476 515 }, 477 516 "original": { 478 - "type": "git", 479 - "url": "https://iceshrimp.dev/pyrox/packaging" 517 + "type": "file", 518 + "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js" 480 519 } 481 520 }, 482 - "mailserver": { 483 - "inputs": { 484 - "blobs": "blobs", 485 - "flake-compat": [ 486 - "flake-compat" 487 - ], 488 - "nixpkgs": [ 489 - "nixpkgs" 490 - ], 491 - "nixpkgs-24_11": "nixpkgs-24_11" 492 - }, 521 + "htmx-ws-src": { 522 + "flake": false, 493 523 "locked": { 494 - "lastModified": 1742413977, 495 - "narHash": "sha256-NkhM9GVu3HL+MiXtGD0TjuPCQ4GFVJPBZ8KyI2cFDGU=", 496 - "owner": "simple-nixos-mailserver", 497 - "repo": "nixos-mailserver", 498 - "rev": "b4fbffe79c00f19be94b86b4144ff67541613659", 499 - "type": "gitlab" 524 + "narHash": "sha256-2fg6KyEJoO24q0fQqbz9RMaYNPQrMwpZh29tkSqdqGY=", 525 + "type": "file", 526 + "url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2" 500 527 }, 501 528 "original": { 502 - "owner": "simple-nixos-mailserver", 503 - "ref": "master", 504 - "repo": "nixos-mailserver", 505 - "type": "gitlab" 529 + "type": "file", 530 + "url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2" 506 531 } 507 532 }, 508 - "my-pkgs": { 509 - "inputs": { 510 - "nixpkgs": [ 511 - "nixpkgs" 512 - ] 513 - }, 533 + "ibm-plex-mono-src": { 534 + "flake": false, 514 535 "locked": { 515 - "lastModified": 1718762298, 516 - "narHash": "sha256-HU73BsUdmpYn6SMgs+4Zpj1fPA94H0CAC2pYhIxqUoY=", 517 - "ref": "refs/heads/main", 518 - "rev": "1aa7198174b166f6f3153a69388cc4f650471750", 519 - "revCount": 13, 520 - "type": "git", 521 - "url": "https://git.pyrox.dev/pyrox/pkgs" 536 + "lastModified": 1731402384, 537 + 
"narHash": "sha256-OwUmrPfEehLDz0fl2ChYLK8FQM2p0G1+EMrGsYEq+6g=", 538 + "type": "tarball", 539 + "url": "https://github.com/IBM/plex/releases/download/@ibm/plex-mono@1.1.0/ibm-plex-mono.zip" 522 540 }, 523 541 "original": { 524 - "type": "git", 525 - "url": "https://git.pyrox.dev/pyrox/pkgs" 542 + "type": "tarball", 543 + "url": "https://github.com/IBM/plex/releases/download/@ibm/plex-mono@1.1.0/ibm-plex-mono.zip" 526 544 } 527 545 }, 528 - "napalm": { 529 - "inputs": { 530 - "flake-utils": [ 531 - "authentik", 532 - "flake-utils" 533 - ], 534 - "nixpkgs": [ 535 - "authentik", 536 - "nixpkgs" 537 - ] 538 - }, 546 + "indigo": { 547 + "flake": false, 539 548 "locked": { 540 - "lastModified": 1725806412, 541 - "narHash": "sha256-lGZjkjds0p924QEhm/r0BhAxbHBJE1xMOldB/HmQH04=", 542 - "owner": "willibutz", 543 - "repo": "napalm", 544 - "rev": "b492440d9e64ae20736d3bec5c7715ffcbde83f5", 549 + "lastModified": 1753693716, 550 + "narHash": "sha256-DMIKnCJRODQXEHUxA+7mLzRALmnZhkkbHlFT2rCQYrE=", 551 + "owner": "oppiliappan", 552 + "repo": "indigo", 553 + "rev": "5f170569da9360f57add450a278d73538092d8ca", 545 554 "type": "github" 546 555 }, 547 556 "original": { 548 - "owner": "willibutz", 549 - "ref": "avoid-foldl-stack-overflow", 550 - "repo": "napalm", 557 + "owner": "oppiliappan", 558 + "repo": "indigo", 551 559 "type": "github" 552 560 } 553 561 }, 554 - "nh": { 555 - "inputs": { 556 - "nixpkgs": [ 557 - "nixpkgs" 558 - ] 559 - }, 562 + "inter-fonts-src": { 563 + "flake": false, 560 564 "locked": { 561 - "lastModified": 1743682999, 562 - "narHash": "sha256-bg+aAN8K90r3m/I+xXiXG0gawpbkshwlk93wxUN7KEk=", 563 - "owner": "viperML", 564 - "repo": "nh", 565 - "rev": "9e9a4590b38b62b28f07a1fae973ce7b6ca0687a", 566 - "type": "github" 565 + "lastModified": 1731687360, 566 + "narHash": "sha256-5vdKKvHAeZi6igrfpbOdhZlDX2/5+UvzlnCQV6DdqoQ=", 567 + "type": "tarball", 568 + "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip" 567 569 }, 568 570 "original": { 569 - 
"owner": "viperML", 570 - "repo": "nh", 571 - "type": "github" 571 + "type": "tarball", 572 + "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip" 572 573 } 573 574 }, 574 - "nix-github-actions": { 575 - "inputs": { 576 - "nixpkgs": [ 577 - "authentik", 578 - "poetry2nix", 579 - "nixpkgs" 580 - ] 581 - }, 575 + "lucide-src": { 576 + "flake": false, 582 577 "locked": { 583 - "lastModified": 1729742964, 584 - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", 585 - "owner": "nix-community", 586 - "repo": "nix-github-actions", 587 - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", 588 - "type": "github" 578 + "lastModified": 1754044466, 579 + "narHash": "sha256-+exBR2OToB1iv7ZQI2S4B0lXA/QRvC9n6U99UxGpJGs=", 580 + "type": "tarball", 581 + "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip" 589 582 }, 590 583 "original": { 591 - "owner": "nix-community", 592 - "repo": "nix-github-actions", 593 - "type": "github" 584 + "type": "tarball", 585 + "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip" 594 586 } 595 587 }, 596 - "nix-index": { 588 + "my-pkgs": { 597 589 "inputs": { 598 - "flake-compat": [ 599 - "flake-compat" 600 - ], 601 590 "nixpkgs": [ 602 591 "nixpkgs" 603 592 ] 604 593 }, 605 594 "locked": { 606 - "lastModified": 1742833817, 607 - "narHash": "sha256-HuZVkVH7NCbI1KgQlS67Jq0FcUBc29DQz7n9CqHJEvc=", 608 - "owner": "nix-community", 609 - "repo": "nix-index", 610 - "rev": "03b861752c32141db8c3f923f51f733ad1f42e43", 611 - "type": "github" 595 + "lastModified": 1718762298, 596 + "narHash": "sha256-HU73BsUdmpYn6SMgs+4Zpj1fPA94H0CAC2pYhIxqUoY=", 597 + "ref": "refs/heads/main", 598 + "rev": "1aa7198174b166f6f3153a69388cc4f650471750", 599 + "revCount": 13, 600 + "type": "git", 601 + "url": "https://git.pyrox.dev/pyrox/pkgs" 612 602 }, 613 603 "original": { 614 - "owner": "nix-community", 615 - "repo": "nix-index", 616 - "type": "github" 
604 + "type": "git", 605 + "url": "https://git.pyrox.dev/pyrox/pkgs" 617 606 } 618 607 }, 619 608 "nix-index-database": { ··· 623 612 ] 624 613 }, 625 614 "locked": { 626 - "lastModified": 1743911143, 627 - "narHash": "sha256-4j4JPwr0TXHH4ZyorXN5yIcmqIQr0WYacsuPA4ktONo=", 615 + "lastModified": 1764475780, 616 + "narHash": "sha256-77jL5H5x51ksLiOUDjY0ZK8e2T4ZXLhj3ap8ETvknWI=", 628 617 "owner": "Mic92", 629 618 "repo": "nix-index-database", 630 - "rev": "a36f6a7148aec2c77d78e4466215cceb2f5f4bfb", 619 + "rev": "5a3ff8c1a09003f399f43d5742d893c0b1ab8af0", 631 620 "type": "github" 632 621 }, 633 622 "original": { ··· 636 625 "type": "github" 637 626 } 638 627 }, 639 - "nix-search": { 640 - "inputs": { 641 - "flake-compat": [ 642 - "flake-compat" 643 - ], 644 - "flake-utils": [ 645 - "flake-utils" 646 - ], 647 - "nixpkgs": [ 648 - "nixpkgs" 649 - ] 650 - }, 651 - "locked": { 652 - "lastModified": 1741306118, 653 - "narHash": "sha256-699XDyrMhx0nSI2z/WRhTsJhiiMt4WqaPx8//cPiBGY=", 654 - "owner": "diamondburned", 655 - "repo": "nix-search", 656 - "rev": "7dcd7b9ae3ec59b7a8ee61371157f83e6bd87b89", 657 - "type": "github" 658 - }, 659 - "original": { 660 - "owner": "diamondburned", 661 - "repo": "nix-search", 662 - "type": "github" 663 - } 664 - }, 665 - "nixd": { 666 - "inputs": { 667 - "flake-parts": [ 668 - "flake-parts" 669 - ], 670 - "flake-root": "flake-root", 671 - "nixpkgs": [ 672 - "nixpkgs" 673 - ], 674 - "treefmt-nix": "treefmt-nix_3" 675 - }, 676 - "locked": { 677 - "lastModified": 1744423808, 678 - "narHash": "sha256-DiivRNDj39u86uUilkmbgbx2c1NqWVQ3fxw6fFfVO14=", 679 - "owner": "nix-community", 680 - "repo": "nixd", 681 - "rev": "3aa27fde1edcf7b126c70a62aad05d120209363c", 682 - "type": "github" 683 - }, 684 - "original": { 685 - "owner": "nix-community", 686 - "repo": "nixd", 687 - "type": "github" 688 - } 689 - }, 690 628 "nixpkgs": { 691 629 "locked": { 692 - "lastModified": 1744098102, 693 - "narHash": "sha256-tzCdyIJj9AjysC3OuKA+tMD/kDEDAF9mICPDU7ix0JA=", 630 + 
"lastModified": 1763966396, 631 + "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=", 694 632 "owner": "NixOS", 695 633 "repo": "nixpkgs", 696 - "rev": "c8cd81426f45942bb2906d5ed2fe21d2f19d95b7", 634 + "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a", 697 635 "type": "github" 698 636 }, 699 637 "original": { ··· 703 641 "type": "github" 704 642 } 705 643 }, 706 - "nixpkgs-24_11": { 707 - "locked": { 708 - "lastModified": 1734083684, 709 - "narHash": "sha256-5fNndbndxSx5d+C/D0p/VF32xDiJCJzyOqorOYW4JEo=", 710 - "owner": "NixOS", 711 - "repo": "nixpkgs", 712 - "rev": "314e12ba369ccdb9b352a4db26ff419f7c49fa84", 713 - "type": "github" 714 - }, 715 - "original": { 716 - "id": "nixpkgs", 717 - "ref": "nixos-24.11", 718 - "type": "indirect" 719 - } 720 - }, 721 644 "nixpkgs-lib": { 722 645 "locked": { 723 - "lastModified": 1744511788, 724 - "narHash": "sha256-5PVswSsunWhzi6mBwOvuCCUBK+ggcB/idSWCaXvVvr8=", 646 + "lastModified": 1761765539, 647 + "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=", 725 648 "owner": "nix-community", 726 649 "repo": "nixpkgs.lib", 727 - "rev": "022a1e186f42079dba4f00376697158e068abd79", 650 + "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc", 728 651 "type": "github" 729 652 }, 730 653 "original": { ··· 733 656 "type": "github" 734 657 } 735 658 }, 736 - "nixpkgs_2": { 659 + "nixpkgs-stalwart-fix": { 737 660 "locked": { 738 - "lastModified": 1744502386, 739 - "narHash": "sha256-QAd1L37eU7ktL2WeLLLTmI6P9moz9+a/ONO8qNBYJgM=", 740 - "owner": "nixos", 661 + "lastModified": 1762728499, 662 + "narHash": "sha256-XtT/8ID3gz9RGk8ITBnktmodq5/ZG6tF60XSfuKSmro=", 663 + "owner": "pyrox0", 741 664 "repo": "nixpkgs", 742 - "rev": "f6db44a8daa59c40ae41ba6e5823ec77fe0d2124", 665 + "rev": "b5178ff139339638e98a1e5833add22b047f96d0", 743 666 "type": "github" 744 667 }, 745 668 "original": { 746 - "owner": "nixos", 747 - "ref": "nixpkgs-unstable", 669 + "owner": "pyrox0", 670 + "ref": "fix/stalwart-module", 748 671 "repo": "nixpkgs", 
749 672 "type": "github" 750 673 } 751 674 }, 752 - "poetry2nix": { 753 - "inputs": { 754 - "flake-utils": [ 755 - "authentik", 756 - "flake-utils" 757 - ], 758 - "nix-github-actions": "nix-github-actions", 759 - "nixpkgs": [ 760 - "authentik", 761 - "nixpkgs" 762 - ], 763 - "systems": [ 764 - "authentik", 765 - "systems" 766 - ], 767 - "treefmt-nix": "treefmt-nix" 675 + "nixpkgs_2": { 676 + "locked": { 677 + "lastModified": 1764527385, 678 + "narHash": "sha256-gpwyCnyi2or0InBXe+4I9YeED3Uly3EGH58qvVnchBY=", 679 + "rev": "23258e03aaa49b3a68597e3e50eb0cbce7e42e9d", 680 + "type": "tarball", 681 + "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre904683.23258e03aaa4/nixexprs.tar.xz" 768 682 }, 683 + "original": { 684 + "type": "tarball", 685 + "url": "https://nixpkgs.dev/channel/nixpkgs-unstable" 686 + } 687 + }, 688 + "nixpkgs_3": { 769 689 "locked": { 770 - "lastModified": 1743690424, 771 - "narHash": "sha256-cX98bUuKuihOaRp8dNV1Mq7u6/CQZWTPth2IJPATBXc=", 772 - "owner": "nix-community", 773 - "repo": "poetry2nix", 774 - "rev": "ce2369db77f45688172384bbeb962bc6c2ea6f94", 690 + "lastModified": 1751984180, 691 + "narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=", 692 + "owner": "nixos", 693 + "repo": "nixpkgs", 694 + "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0", 775 695 "type": "github" 776 696 }, 777 697 "original": { 778 - "owner": "nix-community", 779 - "repo": "poetry2nix", 698 + "owner": "nixos", 699 + "ref": "nixos-unstable", 700 + "repo": "nixpkgs", 780 701 "type": "github" 781 702 } 782 703 }, 783 - "pre-commit-hooks": { 704 + "quickshell": { 784 705 "inputs": { 785 - "flake-compat": "flake-compat_2", 786 - "gitignore": "gitignore", 787 706 "nixpkgs": [ 788 - "topology", 789 - "nixpkgs" 790 - ], 791 - "nixpkgs-stable": [ 792 - "topology", 793 707 "nixpkgs" 794 708 ] 795 709 }, 796 710 "locked": { 797 - "lastModified": 1730797577, 798 - "narHash": "sha256-SrID5yVpyUfknUTGWgYkTyvdr9J1LxUym4om3SVGPkg=", 799 - "owner": "cachix", 800 - 
"repo": "pre-commit-hooks.nix", 801 - "rev": "1864030ed24a2b8b4e4d386a5eeaf0c5369e50a9", 711 + "lastModified": 1764482797, 712 + "narHash": "sha256-ynV90KoBrPe38YFlKAHtPFk4Ee3IANUsIFGxRaq7H/s=", 713 + "owner": "quickshell-mirror", 714 + "repo": "quickshell", 715 + "rev": "d24e8e9736287d01ee73ef9d573d2bc316a62d5c", 802 716 "type": "github" 803 717 }, 804 718 "original": { 805 - "owner": "cachix", 806 - "repo": "pre-commit-hooks.nix", 719 + "owner": "quickshell-mirror", 720 + "repo": "quickshell", 807 721 "type": "github" 808 722 } 809 723 }, 810 724 "root": { 811 725 "inputs": { 812 726 "agenix": "agenix", 813 - "authentik": "authentik", 814 727 "buildbot-nix": "buildbot-nix", 728 + "caelestia": "caelestia", 815 729 "ctp": "ctp", 816 - "deploy-rs": "deploy-rs", 817 - "dns": "dns", 730 + "dms": "dms", 731 + "dms-plugins": "dms-plugins", 732 + "dms-power-usage": "dms-power-usage", 733 + "dms-wp-shuffler": "dms-wp-shuffler", 734 + "dn42": "dn42", 735 + "easy-hosts": "easy-hosts", 818 736 "flake-compat": "flake-compat", 819 737 "flake-parts": "flake-parts", 820 - "flake-utils": "flake-utils", 738 + "flake-utils": "flake-utils_2", 821 739 "golink": "golink", 822 740 "hardware": "hardware", 823 741 "home-manager": "home-manager", 824 - "iceshrimp": "iceshrimp", 825 - "mailserver": "mailserver", 826 742 "my-pkgs": "my-pkgs", 827 - "nh": "nh", 828 - "nix-index": "nix-index", 829 743 "nix-index-database": "nix-index-database", 830 - "nix-search": "nix-search", 831 - "nixd": "nixd", 832 744 "nixpkgs": "nixpkgs_2", 833 - "nixpkgs-lib": "nixpkgs-lib", 834 - "snowfall-lib": "snowfall-lib", 835 - "stable": "stable", 836 - "systems": "systems_3", 837 - "topology": "topology" 745 + "nixpkgs-stalwart-fix": "nixpkgs-stalwart-fix", 746 + "quickshell": "quickshell", 747 + "tangled": "tangled", 748 + "treefmt-nix": "treefmt-nix" 838 749 } 839 750 }, 840 - "snowfall-lib": { 841 - "inputs": { 842 - "flake-compat": [ 843 - "flake-compat" 844 - ], 845 - "flake-utils-plus": 
"flake-utils-plus", 846 - "nixpkgs": [ 847 - "nixpkgs" 848 - ] 849 - }, 751 + "sqlite-lib-src": { 752 + "flake": false, 850 753 "locked": { 851 - "lastModified": 1736130495, 852 - "narHash": "sha256-4i9nAJEZFv7vZMmrE0YG55I3Ggrtfo5/T07JEpEZ/RM=", 853 - "owner": "snowfallorg", 854 - "repo": "lib", 855 - "rev": "02d941739f98a09e81f3d2d9b3ab08918958beac", 856 - "type": "github" 857 - }, 858 - "original": { 859 - "owner": "snowfallorg", 860 - "repo": "lib", 861 - "type": "github" 862 - } 863 - }, 864 - "stable": { 865 - "locked": { 866 - "lastModified": 1735563628, 867 - "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", 868 - "owner": "nixos", 869 - "repo": "nixpkgs", 870 - "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", 871 - "type": "github" 754 + "lastModified": 1706631843, 755 + "narHash": "sha256-bJoMjirsBjm2Qk9KPiy3yV3+8b/POlYe76/FQbciHro=", 756 + "type": "tarball", 757 + "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip" 872 758 }, 873 759 "original": { 874 - "owner": "nixos", 875 - "ref": "nixos-24.05", 876 - "repo": "nixpkgs", 877 - "type": "github" 760 + "type": "tarball", 761 + "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip" 878 762 } 879 763 }, 880 764 "systems": { 881 765 "locked": { 882 - "lastModified": 1689347949, 883 - "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=", 766 + "lastModified": 1681028828, 767 + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 884 768 "owner": "nix-systems", 885 - "repo": "default-linux", 886 - "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68", 769 + "repo": "default", 770 + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 887 771 "type": "github" 888 772 }, 889 773 "original": { 890 774 "owner": "nix-systems", 891 - "repo": "default-linux", 775 + "repo": "default", 892 776 "type": "github" 893 777 } 894 778 }, ··· 922 806 "type": "github" 923 807 } 924 808 }, 925 - "topology": { 926 - "inputs": { 927 - "devshell": "devshell", 928 - 
"flake-utils": [ 929 - "flake-utils" 930 - ], 931 - "nixpkgs": [ 932 - "nixpkgs" 933 - ], 934 - "pre-commit-hooks": "pre-commit-hooks" 935 - }, 809 + "systems_4": { 936 810 "locked": { 937 - "lastModified": 1744142264, 938 - "narHash": "sha256-h5KyodobZm8dx/HSNN+basgdmjxrQxudjrss4gAQpZk=", 939 - "owner": "oddlama", 940 - "repo": "nix-topology", 941 - "rev": "f49121cbbf4a86c560638ade406d99ee58deb7aa", 811 + "lastModified": 1681028828, 812 + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 813 + "owner": "nix-systems", 814 + "repo": "default", 815 + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 942 816 "type": "github" 943 817 }, 944 818 "original": { 945 - "owner": "oddlama", 946 - "repo": "nix-topology", 819 + "owner": "nix-systems", 820 + "repo": "default", 947 821 "type": "github" 948 822 } 949 823 }, 950 - "treefmt-nix": { 951 - "inputs": { 952 - "nixpkgs": [ 953 - "authentik", 954 - "poetry2nix", 955 - "nixpkgs" 956 - ] 957 - }, 824 + "systems_5": { 958 825 "locked": { 959 - "lastModified": 1730120726, 960 - "narHash": "sha256-LqHYIxMrl/1p3/kvm2ir925tZ8DkI0KA10djk8wecSk=", 961 - "owner": "numtide", 962 - "repo": "treefmt-nix", 963 - "rev": "9ef337e492a5555d8e17a51c911ff1f02635be15", 826 + "lastModified": 1681028828, 827 + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 828 + "owner": "nix-systems", 829 + "repo": "default", 830 + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 964 831 "type": "github" 965 832 }, 966 833 "original": { 967 - "owner": "numtide", 968 - "repo": "treefmt-nix", 834 + "owner": "nix-systems", 835 + "repo": "default", 969 836 "type": "github" 970 837 } 971 838 }, 972 - "treefmt-nix_2": { 839 + "tangled": { 973 840 "inputs": { 974 - "nixpkgs": [ 975 - "buildbot-nix", 976 - "nixpkgs" 977 - ] 841 + "actor-typeahead-src": "actor-typeahead-src", 842 + "flake-compat": "flake-compat_2", 843 + "gomod2nix": "gomod2nix", 844 + "htmx-src": "htmx-src", 845 + "htmx-ws-src": "htmx-ws-src", 846 + 
"ibm-plex-mono-src": "ibm-plex-mono-src", 847 + "indigo": "indigo", 848 + "inter-fonts-src": "inter-fonts-src", 849 + "lucide-src": "lucide-src", 850 + "nixpkgs": "nixpkgs_3", 851 + "sqlite-lib-src": "sqlite-lib-src" 978 852 }, 979 853 "locked": { 980 - "lastModified": 1743748085, 981 - "narHash": "sha256-uhjnlaVTWo5iD3LXics1rp9gaKgDRQj6660+gbUU3cE=", 982 - "owner": "numtide", 983 - "repo": "treefmt-nix", 984 - "rev": "815e4121d6a5d504c0f96e5be2dd7f871e4fd99d", 985 - "type": "github" 854 + "lastModified": 1764494836, 855 + "narHash": "sha256-u1i7aMo0fTQ6WVdOZhG2fo/gEx2Fq8+3URmuqEBZGWI=", 856 + "ref": "refs/heads/master", 857 + "rev": "d37f774fb8c60aa2bd0cb965c9884457d0afb660", 858 + "revCount": 1689, 859 + "type": "git", 860 + "url": "https://tangled.org/@tangled.org/core" 986 861 }, 987 862 "original": { 988 - "owner": "numtide", 989 - "repo": "treefmt-nix", 990 - "type": "github" 863 + "type": "git", 864 + "url": "https://tangled.org/@tangled.org/core" 991 865 } 992 866 }, 993 - "treefmt-nix_3": { 867 + "treefmt-nix": { 994 868 "inputs": { 995 869 "nixpkgs": [ 996 - "nixd", 997 870 "nixpkgs" 998 871 ] 999 872 }, 1000 873 "locked": { 1001 - "lastModified": 1734704479, 1002 - "narHash": "sha256-MMi74+WckoyEWBRcg/oaGRvXC9BVVxDZNRMpL+72wBI=", 874 + "lastModified": 1762938485, 875 + "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=", 1003 876 "owner": "numtide", 1004 877 "repo": "treefmt-nix", 1005 - "rev": "65712f5af67234dad91a5a4baee986a8b62dbf8f", 878 + "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4", 1006 879 "type": "github" 1007 880 }, 1008 881 "original": {
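--- a/flake.nix
+++ b/flake.nix
@@ -4,19 +4,11 @@
 substitute = "true";
 extra-substituters = [
 "https://cache.nixos.org"
-"https://crane.cachix.org"
-"https://isabelroses.cachix.org"
 "https://nix-community.cachix.org"
-"https://nixpkgs-wayland.cachix.org"
-"https://viperml.cachix.org"
 ];
 trusted-public-keys = [
 "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-"crane.cachix.org-1:8Scfpmn9w+hGdXH/Q9tTLiYAE/2dnJYRJP7kl80GuRk="
-"isabelroses.cachix.org-1:mXdV/CMcPDaiTmkQ7/4+MzChpOe6Cb97njKmBQQmLPM="
 "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
-"viperml.cachix.org-1:qZhKBMTfmcLL+OG6fj/hzsMEedgKvZVFRRAhq7j8Vh8="
 ];
 cores = 0;
 max-jobs = 2;
@@ -25,69 +17,63 @@
 description = "PyroNet machines and services";
 
 inputs = {
-snowfall-lib = {
-url = "github:snowfallorg/lib";
-inputs.nixpkgs.follows = "nixpkgs";
-inputs.flake-compat.follows = "flake-compat";
-};
-nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
-stable.url = "github:nixos/nixpkgs/nixos-24.05";
-# Overrides
-flake-compat.url = "github:edolstra/flake-compat";
-systems.url = "github:nix-systems/default";
 flake-parts = {
 url = "github:hercules-ci/flake-parts";
-inputs.nixpkgs-lib.follows = "nixpkgs-lib";
 };
+nixpkgs.url = "https://nixpkgs.dev/channel/nixpkgs-unstable";
+nixpkgs-stalwart-fix.url = "github:pyrox0/nixpkgs/fix/stalwart-module";
+# Overrides
+flake-compat.url = "github:edolstra/flake-compat";
 flake-utils = {
 url = "github:numtide/flake-utils";
-inputs.systems.follows = "systems";
 };
-nixpkgs-lib.url = "github:nix-community/nixpkgs.lib";
 
 # Inputs
 agenix = {
 url = "github:ryantm/agenix";
 inputs = {
 nixpkgs.follows = "nixpkgs";
-systems.follows = "systems";
 home-manager.follows = "home-manager";
 };
 };
-authentik = {
-url = "github:nix-community/authentik-nix";
-inputs = {
-flake-utils.follows = "flake-utils";
-flake-parts.follows = "flake-parts";
-flake-compat.follows = "flake-compat";
-nixpkgs.follows = "nixpkgs";
-};
-};
 buildbot-nix = {
-url = "github:Mic92/buildbot-nix";
+url = "github:nix-community/buildbot-nix";
 inputs.nixpkgs.follows = "nixpkgs";
 inputs.flake-parts.follows = "flake-parts";
+inputs.treefmt-nix.follows = "";
+};
+caelestia = {
+url = "github:caelestia-dots/shell";
+inputs.nixpkgs.follows = "nixpkgs";
+inputs.quickshell.follows = "quickshell";
 };
 ctp = {
 url = "github:catppuccin/nix";
 };
-deploy-rs = {
-url = "github:serokell/deploy-rs";
-inputs = {
-nixpkgs.follows = "nixpkgs";
-utils.follows = "flake-utils";
-flake-compat.follows = "flake-compat";
-};
+dn42 = {
+url = "github:pyrox0/dn43.nix";
+inputs.nixpkgs.follows = "nixpkgs";
 };
-dns = {
-url = "github:nix-community/dns.nix";
-inputs.flake-utils.follows = "flake-utils";
+dms = {
+url = "github:AvengeMedia/DankMaterialShell";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+# DMS Plugins
+dms-wp-shuffler = {
+url = "github:Daniel-42-z/dms-wallpaper-shuffler";
+flake = false;
+};
+dms-power-usage = {
+url = "github:Daniel-42-z/dms-power-usage";
+flake = false;
+};
+dms-plugins = {
+url = "github:AvengeMedia/dms-plugins";
+flake = false;
+};
+easy-hosts.url = "github:tgirlcloud/easy-hosts";
 golink = {
 url = "github:tailscale/golink";
-inputs.parts.follows = "flake-parts";
-inputs.systems.follows = "systems";
 inputs.nixpkgs.follows = "nixpkgs";
 };
 hardware = {
@@ -97,37 +83,6 @@
 url = "github:nix-community/home-manager";
 inputs.nixpkgs.follows = "nixpkgs";
 };
-iceshrimp = {
-url = "git+https://iceshrimp.dev/pyrox/packaging";
-inputs.nixpkgs.follows = "nixpkgs";
-};
-mailserver = {
-url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
-inputs = {
-flake-compat.follows = "flake-compat";
-nixpkgs.follows = "nixpkgs";
-};
-};
-nix-search = {
-url = "github:diamondburned/nix-search";
-inputs.nixpkgs.follows = "nixpkgs";
-inputs.flake-utils.follows = "flake-utils";
-inputs.flake-compat.follows = "flake-compat";
-};
-nh = {
-url = "github:viperML/nh";
-inputs.nixpkgs.follows = "nixpkgs";
-};
-nixd = {
-url = "github:nix-community/nixd";
-inputs.nixpkgs.follows = "nixpkgs";
-inputs.flake-parts.follows = "flake-parts";
-};
-nix-index = {
-url = "github:nix-community/nix-index";
-inputs.flake-compat.follows = "flake-compat";
-inputs.nixpkgs.follows = "nixpkgs";
-};
 nix-index-database = {
 url = "github:Mic92/nix-index-database";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -136,110 +91,89 @@
 url = "git+https://git.pyrox.dev/pyrox/pkgs";
 inputs.nixpkgs.follows = "nixpkgs";
 };
-topology = {
-url = "github:oddlama/nix-topology";
+quickshell = {
+url = "github:quickshell-mirror/quickshell";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+tangled = {
+url = "git+https://tangled.org/@tangled.org/core";
+};
+treefmt-nix = {
+url = "github:numtide/treefmt-nix";
 inputs.nixpkgs.follows = "nixpkgs";
-inputs.flake-utils.follows = "flake-utils";
 };
 };
 
 outputs =
-inputs@{ self, ... }:
-let
-lib = inputs.snowfall-lib.mkLib {
-inherit inputs;
-src = ./.;
-snowfall = {
-meta = {
-name = "pyronet";
-title = "PyroNet Config";
-};
-namespace = "py";
-};
-};
-overlays = [
-self.overlays.pyronet-packages
-self.overlays.nix-index
-self.overlays.sway-unwrapped
-inputs.golink.overlays.default
-inputs.nixd.overlays.default
-inputs.topology.overlays.default
+inputs:
+inputs.flake-parts.lib.mkFlake { inherit inputs; } {
+# Systems we want to build for
+systems = [
+"x86_64-linux"
 ];
-in
-lib.mkFlake {
-# Nixpkgs configuration
-channels-config = {
-allowUnfree = true;
-};
 
-# Overlays for Nixpkgs.
-inherit overlays;
-
-# Home-manager configurations
-homes = {
-# Default modules for all homes
-modules = with inputs; [
-nix-index-database.hmModules.nix-index
-ctp.homeModules.catppuccin
-];
-};
-
-# NixOS Configurations
-systems = {
-# Modules for all systems
-modules.nixos = with inputs; [
-agenix.nixosModules.default
-buildbot-nix.nixosModules.buildbot-worker
-ctp.nixosModules.catppuccin
-topology.nixosModules.default
-];
-hosts = {
-# Zaphod, my personal Framework 16 laptop
-zaphod.modules = with inputs; [ hardware.nixosModules.framework-16-7040-amd ];
-
-# Prefect, my main VPS
-prefect.modules = with inputs; [ mailserver.nixosModule ];
+# Flake modules
+imports = [
+inputs.easy-hosts.flakeModule
+inputs.home-manager.flakeModules.home-manager
+inputs.treefmt-nix.flakeModule
+./packages.nix
+./lib
+./overlays
+./devShells
+./nixosModules
+./homeModules
+./templates
+./hosts
+];
 
-# Marvin, my main homelab machine
-marvin.modules = with inputs; [
-authentik.nixosModules.default
-buildbot-nix.nixosModules.buildbot-master
-golink.nixosModules.default
-iceshrimp.nixosModules.default
-];
-};
-};
-templates = {
-uv.description = "Python template flake that uses uv";
-};
+# # Flake attributes
+# flake = {
+#
+# };
 
-outputs-builder = channels: {
-# Define default packages to use everywhere
-packages = {
-nvim = channels.nixpkgs.neovim-unwrapped;
-customGit = channels.nixpkgs.git.override {
-withLibsecret = true;
-withSsh = true;
-perlSupport = false;
-osxkeychainSupport = false;
-guiSupport = false;
-svnSupport = false;
+# Per-system stuff
+perSystem =
+{
+system,
+...
+}:
+{
+_module.args.pkgs = import inputs.nixpkgs {
+inherit system;
+overlays = [
+inputs.self.overlays.openssh-fixperms
+inputs.golink.overlays.default
+];
+config = {
+allowUnfree = true;
+};
 };
-};
-formatter = channels.nixpkgs.nixfmt-rfc-style;
-
-};
-deploy = lib.mkDeploy { inherit (inputs) self; };
-topology = import inputs.topology {
-pkgs = import inputs.nixpkgs {
-inherit overlays;
-system = "x86_64-linux";
+treefmt = {
+programs = {
+deadnix = {
+enable = true;
+no-underscore = true;
+};
+jsonfmt.enable = true;
+jsonfmt.excludes = [ ".zed/settings.json" ];
+just.enable = true;
+keep-sorted.enable = true;
+mdformat.enable = true;
+mdformat.settings.wrap = 120;
+nixf-diagnose.enable = true;
+nixfmt.enable = true;
+nixfmt.indent = 2;
+nixfmt.width = 120;
+shellcheck.enable = true;
+statix.enable = true;
+stylua.enable = true;
+taplo.enable = true;
+yamlfmt.enable = true;
+};
+};
 };
-modules = [
-./topology.nix
-{ nixosConfigurations = self.nixosConfigurations; }
-];
-};
-
+# Enable debugging for nixd
+debug = true;
 };
 }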
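Review bot: The new `nixpkgs.url = "https://nixpkgs.dev/channel/nixpkgs-unstable";` makes every `nix flake update` follow whatever that host redirects to, where the removed `github:nixos/nixpkgs/nixpkgs-unstable` fetched from the upstream repository directly. The `nixpkgs_2` lock entry on this page resolves it to a releases.nixos.org tarball with a `narHash`, so builds from the committed lock stay pinned, but the locked `url` should be checked in the flake.lock diff on each update. If the indirection is deliberate, a comment above the line such as `# redirects to releases.nixos.org; verify the locked url after every update` would record that. Separately, the `dn42` input points at `github:pyrox0/dn43.nix`, which may be a typo worth confirming.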
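--- a/homeModules/all-modules.nix
+++ b/homeModules/all-modules.nix
@@ -0,0 +1,17 @@
+{ inputs, ... }:
+{
+imports = [
+inputs.self.homeModules.profiles
+inputs.self.homeModules.programs
+inputs.self.homeModules.scripts
+inputs.self.homeModules.services
+inputs.self.homeModules.theming
+inputs.self.homeModules.wayland
+inputs.self.homeModules.xdg
+
+inputs.nix-index-database.homeModules.nix-index
+inputs.ctp.homeModules.catppuccin
+inputs.caelestia.homeManagerModules.default
+inputs.dms.homeModules.dankMaterialShell.default
+];
+}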
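--- a/homeModules/default.nix
+++ b/homeModules/default.nix
@@ -0,0 +1,17 @@
+{
+inputs,
+flake-parts-lib,
+...
+}:
+{
+flake.homeModules = {
+wayland = import ./wayland;
+xdg = import ./xdg;
+programs = import ./programs;
+services = import ./services;
+scripts = import ./scripts;
+theming = import ./theming;
+profiles = import ./profiles;
+allModules = flake-parts-lib.importApply ./all-modules.nix { inherit inputs; };
+};
+}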
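--- a/homeModules/profiles/base/default.nix
+++ b/homeModules/profiles/base/default.nix
@@ -0,0 +1,24 @@
+{
+config,
+lib,
+...
+}:
+
+let
+cfg = config.py.profiles.base;
+in
+{
+options.py.profiles.base.enable = lib.mkEnableOption "Base Home Profile";
+config = lib.mkIf cfg.enable {
+home.stateVersion = "26.05";
+home.language = {
+base = "en_US.utf8";
+};
+manual = {
+manpages.enable = false;
+html.enable = false;
+json.enable = false;
+};
+programs.man.enable = false;
+};
+}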
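Review bot: `home.stateVersion = "26.05";` is set once in the shared base profile, so every home that enables it gets the same value regardless of the release that home was first activated on. Home Manager uses this value to select backwards-incompatible defaults, so an existing home that previously carried an older value would presumably change behaviour on the next switch (the per-home files are not visible in this section). Writing `home.stateVersion = lib.mkDefault "26.05";` here and pinning the real value in each home's own configuration keeps existing homes stable.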
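--- a/homeModules/profiles/cli/default.nix
+++ b/homeModules/profiles/cli/default.nix
@@ -0,0 +1,68 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+let
+inherit (lib) mkDefault mkEnableOption;
+cfg = config.py.profiles.cli;
+in
+{
+options.py.profiles.cli.enable = mkEnableOption "CLI Profile";
+config = lib.mkIf cfg.enable {
+py.profiles.base.enable = true;
+py.programs = {
+bat.enable = mkDefault true;
+direnv.enable = mkDefault true;
+fish.enable = mkDefault true;
+fzf.enable = mkDefault true;
+git = {
+enable = mkDefault true;
+gh.enable = mkDefault true;
+lazygit.enable = mkDefault true;
+};
+gpg.enable = mkDefault true;
+helix.enable = mkDefault true;
+nix-index.enable = mkDefault true;
+nushell.enable = mkDefault true;
+pandoc.enable = mkDefault true;
+ssh.enable = mkDefault true;
+starship.enable = mkDefault true;
+wakatime.enable = mkDefault true;
+zoxide.enable = mkDefault true;
+};
+catppuccin = {
+btop.enable = true;
+glamour.enable = true;
+};
+programs = {
+eza = {
+enable = true;
+icons = "auto";
+git = true;
+enableBashIntegration = false;
+enableIonIntegration = false;
+};
+btop = {
+enable = true;
+};
+};
+xdg.configFile = {
+"rbw/config.json".source = ./rbw-config.json;
+};
+home.packages = with pkgs; [
+btrfs-progs
+fd
+fzf
+glow
+gnupg
+nix-search
+pinentry-qt
+rbw
+rsync
+xdg-utils
+yt-dlp
+];
+};
+}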
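Review bot: The `home.packages` list and the `"rbw/config.json".source` link are unconditional, unlike the `py.programs.*` toggles above them that use `mkDefault`, so a home enabling this profile cannot opt out of `rbw`, `pinentry-qt` or `yt-dlp` without `mkForce`. The server profile added in this same change sets `py.profiles.cli.enable = true`, so server homes would also carry the password-manager client, its vault configuration and a Qt pinentry, and get `wakatime.enable` defaulted on. Moving the workstation-oriented entries (`rbw`, `pinentry-qt`, `yt-dlp`, the rbw config link) into the gui or desktop profile, or behind their own `py.programs` option, would keep the server footprint to what a server needs.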
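--- a/homeModules/profiles/cli/rbw-config.json
+++ b/homeModules/profiles/cli/rbw-config.json
@@ -0,0 +1,7 @@
+{
+"email": "pyrox@pyrox.dev",
+"base_url": "https://bw.pyrox.dev",
+"identity_url": null,
+"lock_timeout": 3600,
+"pinentry": "pinentry"
+}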
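--- a/homeModules/profiles/default.nix
+++ b/homeModules/profiles/default.nix
@@ -0,0 +1,10 @@
+{
+imports = [
+./base/default.nix
+./cli/default.nix
+./desktop/default.nix
+./development/default.nix
+./gui/default.nix
+./server/default.nix
+];
+}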
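--- a/homeModules/profiles/desktop/default.nix
+++ b/homeModules/profiles/desktop/default.nix
@@ -0,0 +1,76 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+let
+cfg = config.py.profiles.desktop;
+inherit (cfg) shell;
+inherit (lib) mkIf mkDefault mkEnableOption;
+
+mkShellOption =
+name: var:
+lib.mkOption {
+type = lib.types.bool;
+default = if (shell == var) then true else false;
+description = "Enable ${name}";
+readOnly = true;
+visible = false;
+internal = true;
+};
+in
+{
+options.py.profiles.desktop = {
+enable = mkEnableOption "Desktop Config";
+shell = lib.mkOption {
+type = lib.types.enum [
+"caelestia"
+"dms"
+];
+default = "caelestia";
+description = "The desktop shell to use in the graphical environment";
+};
+caelestia = mkShellOption "Caelestia shell" "caelestia";
+dms = mkShellOption "DMS" "dms";
+};
+config = mkIf cfg.enable {
+py.profiles.base.enable = true;
+py.profiles.cli.enable = true;
+py.profiles.gui.enable = true;
+py.profiles.development.enable = true;
+programs.mpv = {
+enable = mkDefault true;
+scripts = with pkgs.mpvScripts; [
+videoclip
+mpris
+modernz
+thumbfast
+];
+config = {
+osc = false;
+keep-open = true;
+};
+scriptOpts = {
+modernz.greenandgrumpy = true;
+videoclip.preset = "medium";
+videoclip.video_folder_path = "~/Videos/mpv-clips/";
+videoclip.video_width = 1920;
+videoclip.video_height = 1080;
+};
+};
+home.packages = with pkgs; [
+archipelago
+brightnessctl
+clipman
+dex
+keepassxc
+playerctl
+poptracker
+thunderbird
+wl-clipboard
+zotero
+];
+services.easyeffects.enable = mkDefault true;
+};
+}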
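Review bot: In `mkShellOption`, `default = if (shell == var) then true else false;` restates a boolean and can be written `default = shell == var;`. The helper also has no comment saying that `caelestia` and `dms` are read-only flags derived from `shell`, which a reader only learns from `readOnly = true` and `internal = true`; a line such as `# Derived, read-only flag: true when cfg.shell selects this shell` above it would make the intent explicit.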
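--- a/homeModules/profiles/development/default.nix
+++ b/homeModules/profiles/development/default.nix
@@ -0,0 +1,25 @@
+{
+pkgs,
+config,
+lib,
+...
+}:
+let
+customPython = pkgs.python313.withPackages (ps: [ ps.pip ]);
+cfg = config.py.profiles.development;
+in
+{
+options.py.profiles.development.enable = lib.mkEnableOption "Development Profile";
+config = lib.mkIf cfg.enable {
+py.programs = {
+neovim.enable = true;
+};
+home.packages = with pkgs; [
+any-nix-shell
+customPython
+editorconfig-core-c
+nil
+nixd
+];
+};
+}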
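Review bot: `neovim.enable = true;` is set at normal priority, while the cli and gui profiles in this change set their program toggles with `mkDefault`, so a home that enables this profile cannot turn neovim off without `mkForce`. For consistency with the sibling profiles the line could read `neovim.enable = lib.mkDefault true;`.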
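--- a/homeModules/profiles/gui/default.nix
+++ b/homeModules/profiles/gui/default.nix
@@ -0,0 +1,47 @@
+{
+pkgs,
+lib,
+osConfig,
+config,
+...
+}:
+let
+inherit (lib) mkDefault mkEnableOption;
+cfg = config.py.profiles.gui;
+in
+{
+options.py.profiles.gui.enable = mkEnableOption "GUI Profile";
+config = lib.mkIf cfg.enable {
+py = {
+programs = {
+chromium.enable = mkDefault true;
+firefox.enable = mkDefault true;
+ghostty.enable = mkDefault true;
+kitty.enable = mkDefault false;
+obs.enable = mkDefault true;
+vscodium.enable = mkDefault false;
+zed-editor.enable = mkDefault true;
+};
+services = {
+gpg-agent.enable = mkDefault true;
+kdeconnect.enable = mkDefault true;
+syncthing.enable = mkDefault false;
+};
+};
+home.packages = with pkgs; [
+chatterino2
+equibop
+krita
+libappindicator
+libappindicator-gtk3
+prismlauncher
+pwvucontrol
+hyprshot
+satty
+ueberzug
+(olympus.overrideAttrs (_: {
+celesteWrapper = osConfig.programs.steam.package.run;
+}))
+];
+};
+}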
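Review bot: The `olympus` override reads `osConfig.programs.steam.package.run` unconditionally, so the gui profile depends on the NixOS-level configuration being passed into Home Manager and on the NixOS `programs.steam` options being present. A home evaluated without a NixOS host (a standalone home configuration) would presumably fail here; whether that applies depends on how the homes in this repository are built, which this section does not show. At minimum a comment such as `# needs Home Manager as a NixOS module: osConfig supplies the Steam run wrapper` above the override would document the requirement, and moving the override behind its own option would let non-Steam hosts enable the profile.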
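--- a/homeModules/profiles/server/default.nix
+++ b/homeModules/profiles/server/default.nix
@@ -0,0 +1,15 @@
+{
+lib,
+config,
+...
+}:
+let
+cfg = config.py.profiles.server;
+in
+{
+options.py.profiles.server.enable = lib.mkEnableOption "Server Profile";
+config = lib.mkIf cfg.enable {
+py.profiles.base.enable = true;
+py.profiles.cli.enable = true;
+};
+}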
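--- a/homeModules/programs/caelestia/caelestia-cli.json
+++ b/homeModules/programs/caelestia/caelestia-cli.json
@@ -0,0 +1,50 @@
+{
+"record": {
+"extraArgs": []
+},
+"theme": {
+"enableTerm": false,
+"enableHypr": false,
+"enableDiscord": false,
+"enableSpicetify": false,
+"enableFuzzel": false,
+"enableBtop": true,
+"enableGtk": false,
+"enableQt": false
+},
+"toggles": {
+"discord": {
+"discord": {
+"enable": true,
+"match": [
+{
+"class": "equibop"
+}
+],
+"command": [
+"equibop"
+],
+"move": true
+}
+},
+"sysmon": {
+"btop": {
+"enable": true,
+"match": [
+{
+"class": "btop",
+"title": "btop",
+"workspace": {
+"name": "special:sysmon"
+}
+}
+],
+"command": [
+"ghostty",
+"-e",
+"btop"
+]
+}
+}
+}
+}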
+364
homeModules/programs/caelestia/caelestia-shell.json
··· 1 + { 2 + "appearance": { 3 + "anim": { 4 + "durations": { 5 + "scale": 0.5 6 + } 7 + }, 8 + "font": { 9 + "family": { 10 + "clock": "Inter", 11 + "material": "Material Symbols Rounded", 12 + "mono": "BlexMono Nerd Font", 13 + "sans": "Inter" 14 + }, 15 + "size": { 16 + "scale": 1.1 17 + } 18 + }, 19 + "padding": { 20 + "scale": 1 21 + }, 22 + "rounding": { 23 + "scale": 0 24 + }, 25 + "spacing": { 26 + "scale": 0.5 27 + }, 28 + "transparency": { 29 + "base": 0.85, 30 + "enabled": false, 31 + "layers": 0.4 32 + } 33 + }, 34 + "background": { 35 + "desktopClock": { 36 + "enabled": false 37 + }, 38 + "enabled": true, 39 + "visualiser": { 40 + "autoHide": true, 41 + "enabled": false, 42 + "rounding": 1, 43 + "spacing": 1 44 + } 45 + }, 46 + "bar": { 47 + "clock": { 48 + "showIcon": false 49 + }, 50 + "dragThreshold": 20, 51 + "entries": [ 52 + { 53 + "enabled": true, 54 + "id": "workspaces" 55 + }, 56 + { 57 + "enabled": true, 58 + "id": "spacer" 59 + }, 60 + { 61 + "enabled": false, 62 + "id": "activeWindow" 63 + }, 64 + { 65 + "enabled": true, 66 + "id": "spacer" 67 + }, 68 + { 69 + "enabled": true, 70 + "id": "clock" 71 + }, 72 + { 73 + "enabled": true, 74 + "id": "statusIcons" 75 + }, 76 + { 77 + "enabled": true, 78 + "id": "tray" 79 + }, 80 + { 81 + "enabled": true, 82 + "id": "power" 83 + } 84 + ], 85 + "persistent": true, 86 + "scrollActions": { 87 + "brightness": false, 88 + "volume": false, 89 + "workspaces": false 90 + }, 91 + "showOnHover": true, 92 + "status": { 93 + "showAudio": true, 94 + "showBattery": true, 95 + "showBluetooth": true, 96 + "showKbLayout": false, 97 + "showLockStatus": true, 98 + "showMicrophone": false, 99 + "showNetwork": true 100 + }, 101 + "tray": { 102 + "background": true, 103 + "compact": false, 104 + "iconSubs": [], 105 + "recolour": true 106 + }, 107 + "workspaces": { 108 + "activeIndicator": true, 109 + "activeLabel": "", 110 + "activeTrail": false, 111 + "label": " ", 112 + "occupiedBg": false, 113 + "occupiedLabel": "", 
114 + "perMonitorWorkspaces": true, 115 + "showWindows": true, 116 + "shown": 5 117 + } 118 + }, 119 + "border": { 120 + "rounding": 0, 121 + "thickness": 10 122 + }, 123 + "dashboard": { 124 + "dragThreshold": 50, 125 + "enabled": true, 126 + "mediaUpdateInterval": 500, 127 + "showOnHover": true 128 + }, 129 + "general": { 130 + "apps": { 131 + "audio": [ 132 + "pwvucontrol" 133 + ], 134 + "explorer": [ 135 + "thunar" 136 + ], 137 + "playback": [ 138 + "mpv" 139 + ], 140 + "terminal": [ 141 + "ghostty" 142 + ] 143 + }, 144 + "battery": { 145 + "criticalLevel": 3, 146 + "warnLevels": [ 147 + { 148 + "icon": "battery_android_frame_2", 149 + "level": 20, 150 + "message": "You might want to plug in a charger", 151 + "title": "Low battery" 152 + }, 153 + { 154 + "icon": "battery_android_frame_1", 155 + "level": 10, 156 + "message": "You should probably plug in a charger <b>now</b>", 157 + "title": "Did you see the previous message?" 158 + }, 159 + { 160 + "critical": true, 161 + "icon": "battery_android_alert", 162 + "level": 5, 163 + "message": "PLUG THE CHARGER RIGHT NOW!!", 164 + "title": "Critical battery level" 165 + } 166 + ] 167 + }, 168 + "idle": { 169 + "inhibitWhenAudio": false, 170 + "lockBeforeSleep": false, 171 + "timeouts": [] 172 + } 173 + }, 174 + "launcher": { 175 + "actionPrefix": ">", 176 + "actions": [ 177 + { 178 + "command": [ 179 + "autocomplete", 180 + "calc" 181 + ], 182 + "dangerous": false, 183 + "description": "Do simple math equations (powered by Qalc)", 184 + "enabled": true, 185 + "icon": "calculate", 186 + "name": "Calculator" 187 + }, 188 + { 189 + "name": "Wallpaper", 190 + "icon": "image", 191 + "description": "Change the current wallpaper", 192 + "command": [ 193 + "autocomplete", 194 + "wallpaper" 195 + ], 196 + "enabled": true, 197 + "dangerous": false 198 + }, 199 + { 200 + "name": "Random", 201 + "icon": "casino", 202 + "description": "Switch to a random wallpaper", 203 + "command": [ 204 + "caelestia", 205 + "wallpaper", 206 + 
"-r" 207 + ], 208 + "enabled": true, 209 + "dangerous": false 210 + }, 211 + { 212 + "command": [ 213 + "systemctl", 214 + "poweroff" 215 + ], 216 + "dangerous": true, 217 + "description": "Shutdown the system", 218 + "enabled": true, 219 + "icon": "power_settings_new", 220 + "name": "Shutdown" 221 + }, 222 + { 223 + "command": [ 224 + "systemctl", 225 + "reboot" 226 + ], 227 + "dangerous": true, 228 + "description": "Reboot the system", 229 + "enabled": true, 230 + "icon": "cached", 231 + "name": "Reboot" 232 + }, 233 + { 234 + "command": [ 235 + "loginctl", 236 + "terminate-user", 237 + "" 238 + ], 239 + "dangerous": true, 240 + "description": "Log out of the current session", 241 + "enabled": true, 242 + "icon": "exit_to_app", 243 + "name": "Logout" 244 + }, 245 + { 246 + "command": [ 247 + "loginctl", 248 + "lock-session" 249 + ], 250 + "dangerous": false, 251 + "description": "Lock the current session", 252 + "enabled": true, 253 + "icon": "lock", 254 + "name": "Lock" 255 + }, 256 + { 257 + "command": [ 258 + "systemctl", 259 + "suspend" 260 + ], 261 + "dangerous": false, 262 + "description": "Suspend", 263 + "enabled": true, 264 + "icon": "bedtime", 265 + "name": "Sleep" 266 + } 267 + ], 268 + "dragThreshold": 50, 269 + "enableDangerousActions": false, 270 + "hiddenApps": [], 271 + "maxShown": 7, 272 + "maxWallpapers": 9, 273 + "showOnHover": false, 274 + "specialPrefix": "@", 275 + "useFuzzy": { 276 + "actions": false, 277 + "apps": true, 278 + "schemes": false, 279 + "variants": false, 280 + "wallpapers": false 281 + }, 282 + "vimKeybinds": true 283 + }, 284 + "lock": { 285 + "recolourLogo": false, 286 + "enableFprint": false 287 + }, 288 + "notifs": { 289 + "actionOnClick": true, 290 + "clearThreshold": 0.3, 291 + "defaultExpireTimeout": 5000, 292 + "expandThreshold": 20, 293 + "expire": true 294 + }, 295 + "osd": { 296 + "enableBrightness": true, 297 + "enableMicrophone": false, 298 + "enabled": true, 299 + "hideDelay": 2000 300 + }, 301 + "paths": { 302 
+ "mediaGif": "", 303 + "sessionGif": "", 304 + "wallpaperDir": "~/bgs/wallpapers" 305 + }, 306 + "services": { 307 + "audioIncrement": 0.1, 308 + "defaultPlayer": "Spotify", 309 + "gpuType": "", 310 + "playerAliases": [ 311 + { 312 + "from": "Mozilla firefox", 313 + "to": "Firefox" 314 + } 315 + ], 316 + "smartScheme": false, 317 + "useFahrenheit": true, 318 + "useTwelveHourClock": false, 319 + "visualiserBars": 0, 320 + "weatherLocation": "Norfolk+Virginia" 321 + }, 322 + "session": { 323 + "commands": { 324 + "hibernate": [ 325 + "systemctl", 326 + "suspend" 327 + ], 328 + "logout": [ 329 + "loginctl", 330 + "terminate-user" 331 + ], 332 + "reboot": [ 333 + "systemctl", 334 + "reboot" 335 + ], 336 + "shutdown": [ 337 + "systemctl", 338 + "poweroff" 339 + ] 340 + }, 341 + "dragThreshold": 30, 342 + "enabled": true, 343 + "vimKeybinds": true 344 + }, 345 + "sidebar": { 346 + "dragThreshold": 80, 347 + "enabled": true 348 + }, 349 + "utilities": { 350 + "enabled": true, 351 + "maxToasts": 4, 352 + "toasts": { 353 + "audioInputChanged": true, 354 + "audioOutputChanged": true, 355 + "capsLockChanged": true, 356 + "chargingChanged": true, 357 + "configLoaded": true, 358 + "dndChanged": true, 359 + "gameModeChanged": true, 360 + "numLockChanged": true, 361 + "nowPlaying": true 362 + } 363 + } 364 + }
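--- a/homeModules/programs/caelestia/default.nix
+++ b/homeModules/programs/caelestia/default.nix
@@ -0,0 +1,23 @@
+{
+config,
+lib,
+...
+}:
+let
+cfg = config.py.profiles.desktop.caelestia;
+en = config.py.profiles.desktop.enable;
+in
+{
+config = lib.mkIf (cfg && en) {
+programs.caelestia = {
+enable = true;
+settings = builtins.fromJSON (builtins.readFile ./caelestia-shell.json);
+systemd = {
+enable = true;
+target = "graphical-session.target";
+};
+cli.enable = true;
+cli.settings = builtins.fromJSON (builtins.readFile ./caelestia-cli.json);
+};
+};
+}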
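--- a/homeModules/programs/chromium/default.nix
+++ b/homeModules/programs/chromium/default.nix
@@ -0,0 +1,18 @@
+{
+pkgs,
+config,
+lib,
+...
+}:
+let
+cfg = config.py.programs.chromium;
+in
+{
+options.py.programs.chromium.enable = lib.mkEnableOption "Chromium";
+
+config.programs.chromium = lib.mkIf cfg.enable {
+enable = true;
+package = pkgs.ungoogled-chromium;
+dictionaries = [ pkgs.hunspellDictsChromium.en_US ];
+};
+}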
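--- a/homeModules/programs/default.nix
+++ b/homeModules/programs/default.nix
@@ -0,0 +1,23 @@
+{
+imports = [
+# keep-sorted start
+./caelestia
+./chromium
+./dms
+./firefox
+./fish
+./ghostty
+./git
+./gpg
+./helix
+./kitty
+./misc-programs
+./neovim
+./nushell
+./ssh
+./starship
+./vscodium
+./zed-editor
+# keep-sorted end
+];
+}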
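--- a/homeModules/programs/dms/default.nix
+++ b/homeModules/programs/dms/default.nix
@@ -0,0 +1,20 @@
+{
+config,
+lib,
+...
+}:
+let
+cfg = config.py.profiles.desktop.dms;
+en = config.py.profiles.desktop.enable;
+in
+{
+config = lib.mkIf (cfg && en) {
+programs.dankMaterialShell = {
+enable = true;
+enableDynamicTheming = false;
+enableAudioWavelength = false;
+enableCalendarEvents = false;
+enableSystemSound = false;
+};
+};
+}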
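--- a/homeModules/programs/firefox/default.nix
+++ b/homeModules/programs/firefox/default.nix
@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+let
+cfg = config.py.programs.firefox;
+in
+{
+options.py.programs.firefox = {
+enable = lib.mkEnableOption "Firefox configuration";
+};
+config = lib.mkIf cfg.enable {
+programs.firefox = {
+inherit (cfg) enable;
+package = null;
+profiles = {
+default = {
+id = 0;
+isDefault = true;
+name = "Default";
+};
+acc_testing = {
+id = 1;
+isDefault = false;
+name = "Accessibility Testing";
+};
+};
+};
+};
+}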
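--- a/homeModules/programs/fish/default.nix
+++ b/homeModules/programs/fish/default.nix
@@ -0,0 +1,44 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+let
+inherit (lib) mkEnableOption mkIf;
+cfg = config.py.programs.fish;
+in
+{
+options.py.programs.fish.enable = mkEnableOption "fish shell";
+config.catppuccin.fish.enable = cfg.enable;
+config.programs.fish = mkIf cfg.enable {
+enable = true;
+shellAliases = {
+"lg" = "lazygit";
+"cat" = "bat";
+"gls" = "eza -lah@ --icons --git --git-ignore --no-user";
+"ls" = "eza --icons -a";
+"ll" = "eza --icons -lah@";
+"lt" = "eza --icons --tree -a";
+"dig" = "doggo";
+"nt" = "nixpkgs-track";
+};
+shellInit = ''
+set -x GPG_TTY (tty)
+set -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket)
+gpgconf --launch gpg-agent
+'';
+
+interactiveShellInit = ''
+fzf_configure_bindings --directory=\cf --git_log=\cl --git_status=\cg \
+--history=\cr --variables=\cv --processes=\cp
+'';
+
+plugins = [
+{
+inherit (pkgs.fishPlugins.fzf-fish) src;
+name = "fzf-fish";
+}
+];
+};
+}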
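Review bot: `shellInit` is sourced by every fish process, interactive or not, so `set -x GPG_TTY (tty)` runs where there is no terminal and `gpgconf --launch gpg-agent` is started from scripts as well; these three lines belong in `interactiveShellInit`, or behind `if status is-interactive`. The unconditional `set -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket)` also replaces any agent socket already present in the environment, which deserves a comment if it is intended, e.g. `# always use gpg-agent's SSH socket, even over an existing SSH_AUTH_SOCK`.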
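--- a/homeModules/programs/ghostty/default.nix
+++ b/homeModules/programs/ghostty/default.nix
@@ -0,0 +1,20 @@
+{
+lib,
+config,
+...
+}:
+let
+cfg = config.py.programs.ghostty;
+in
+{
+options.py.programs.ghostty.enable = lib.mkEnableOption "ghostty";
+config.catppuccin.ghostty.enable = cfg.enable;
+config.programs.ghostty = lib.mkIf cfg.enable {
+enable = true;
+enableFishIntegration = true;
+installBatSyntax = true;
+enableBashIntegration = true;
+enableZshIntegration = false;
+settings = import ./settings.nix;
+};
+}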
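--- a/homeModules/programs/ghostty/settings.nix
+++ b/homeModules/programs/ghostty/settings.nix
@@ -0,0 +1,19 @@
+{
+font-family = "IBM Plex Mono";
+font-family-bold = "IBM Plex Mono Bold";
+font-family-italic = "IBM Plex Mono Italic";
+font-family-bold-italic = "IBM Plex Mono Bold Italic";
+font-size = 14;
+
+cursor-style = "block";
+
+window-decoration = false;
+window-inherit-working-directory = false;
+
+clipboard-read = "allow";
+clipboard-write = "allow";
+clipboard-paste-protection = true;
+
+shell-integration-features = "cursor,sudo,title";
+auto-update = "off";
+}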
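Review bot: `clipboard-read = "allow"` on line 13 lets any program writing to the terminal, including output from a remote SSH session, request the local clipboard contents through OSC 52 without a prompt. Ghostty also accepts `ask` for this option, so `clipboard-read = "ask";` keeps the feature while requiring confirmation. `clipboard-paste-protection = true` only guards pastes, not reads. If `allow` is deliberate, a one-line comment saying which workflow needs it would help the next reader.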
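--- a/homeModules/programs/git/default.nix
+++ b/homeModules/programs/git/default.nix
@@ -0,0 +1,106 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+let
+cfg = config.py.programs.git;
+in
+{
+options.py.programs.git = {
+enable = lib.mkEnableOption "git configuration";
+lazygit.enable = lib.mkEnableOption "lazygit configuration";
+gh.enable = lib.mkEnableOption "gh configuration";
+};
+config = {
+catppuccin = {
+lazygit.enable = cfg.lazygit.enable;
+};
+programs = {
+git = lib.mkIf cfg.enable {
+enable = true;
+package = pkgs.git;
+settings = {
+branch.sort = "-committerdate";
+column.ui = "auto";
+core.editor = lib.getExe pkgs.neovim;
+"credential \"https://git.pyrox.dev\"".username = "pyrox";
+credential.helper = "rbw";
+diff = {
+algorithm = "histogram";
+colorMoved = "plain";
+mnemonicPrefix = true;
+renames = true;
+};
+fetch = {
+all = true;
+prune = true;
+pruneTags = true;
+};
+gpg.ssh.allowedSignersFile = "~/.ssh/authorized_signatures";
+init.defaultBranch = "main";
+pull.rebase = false;
+push = {
+autoSetupRemote = true;
+followTags = true;
+};
+rebase.updateRefs = true;
+tag.sort = "version:refname";
+lfs = {
+enable = true;
+skipSmudge = false;
+};
+user = {
+email = "pyrox@pyrox.dev";
+name = "dish";
+};
+signing = {
+key = "~/.ssh/main.pub";
+format = "ssh";
+signByDefault = true;
+};
+};
+};
+delta = {
+enable = true;
+options.line-numbers = true;
+enableGitIntegration = true;
+};
+mergiraf = lib.mkIf cfg.enable {
+enable = true;
+};
+lazygit = lib.mkIf cfg.lazygit.enable {
+enable = true;
+settings = {
+gui = {
+nerdFontsVersion = "3";
+showRandomTip = false;
+theme.selectedLineBgColor = [ "default" ];
+};
+git.pagers = [
+{
+pager = "${lib.getExe pkgs.delta} --dark --paging=never";
+colorArg = "always";
+}
+];
+services = {
+"git.pyrox.dev" = "gitea:git.pyrox.dev";
+"git.dn42.dev" = "gitea:git.dn42.dev";
+"codeberg.org" = "gitea:codeberg.org";
+};
+};
+};
+gh = lib.mkIf cfg.gh.enable {
+enable = true;
+gitCredentialHelper.enable = true;
+settings = {
+editor = lib.getExe pkgs.neovim;
+git_protocol = "https";
+browser = lib.mkIf config.py.profiles.gui.enable pkgs.firefox;
+prompt = "enabled";
+};
+};
+};
+};
+}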
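Review bot: The `signing = { key; format; signByDefault; }` block (lines 58-62) and `lfs = { enable; skipSmudge; }` (lines 50-53) sit inside `settings`, which as far as I can tell is written out as raw git config. Git reads `user.signingKey`, `gpg.format` and `commit.gpgSign`, not a `[signing]` section, so commits may silently go unsigned even though `signByDefault = true` is set. If these were meant as the Home Manager options, they belong one level up, beside `settings`, as `programs.git.signing` and `programs.git.lfs.enable`. After a rebuild, `git config --show-origin --get commit.gpgsign` would confirm which one took effect. Separately, `delta` on lines 65-69 is enabled regardless of `cfg.enable`, unlike `git` and `mergiraf`.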
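--- a/homeModules/programs/gpg/default.nix
+++ b/homeModules/programs/gpg/default.nix
@@ -0,0 +1,49 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+let
+cfg = config.py.programs.gpg;
+in
+{
+options.py.programs.gpg.enable = lib.mkEnableOption "gpg";
+config.programs.gpg = lib.mkIf cfg.enable {
+enable = true;
+settings = {
+personal-cipher-preferences = "AES256 AES192 AES";
+personal-digest-preferences = "SHA512 SHA384 SHA256";
+personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
+default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
+cert-digest-algo = "SHA512";
+s2k-digest-algo = "SHA512";
+s2k-cipher-algo = "AES256";
+charset = "utf-8";
+fixed-list-mode = true;
+no-comments = true;
+no-emit-version = true;
+no-greeting = true;
+keyid-format = "0xlong";
+list-options = "show-uid-validity";
+verify-options = "show-uid-validity";
+with-fingerprint = true;
+with-key-origin = true;
+require-cross-certification = true;
+no-symkey-cache = true;
+use-agent = true;
+throw-keyids = true;
+default-key = "0xFE1D8A7D620C611F";
+trusted-key = "0xFE1D8A7D620C611F";
+keyserver = "hkps://keys.openpgp.org";
+};
+scdaemonSettings = {
+card-timeout = "60";
+pcsc-shared = true;
+# shared-access = true;
+disable-ccid = true;
+pcsc-driver = "${pkgs.pcsclite.out}/lib/libpcsclite.so";
+reader-port = "Yubico Yubi";
+};
+};
+}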
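Review bot: `trusted-key = "0xFE1D8A7D620C611F"` on line 37 grants ultimate trust to whichever key in the keyring matches that 64-bit ID, and GnuPG's documentation asks for the full fingerprint here, keeping long key IDs only for compatibility. Pinning both entries by fingerprint removes the dependence on a truncated identifier: `trusted-key = "<FULL_40_HEX_FINGERPRINT>";` and the same for `default-key`. GnuPG also documents `keyserver` in gpg.conf (line 38) as deprecated in favour of dirmngr's configuration, so a comment noting that it is kept deliberately, or moving it, would avoid confusion later.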
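--- a/homeModules/programs/helix/default.nix
+++ b/homeModules/programs/helix/default.nix
@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+let
+cfg = config.py.programs.helix;
+in
+{
+options.py.programs.helix.enable = lib.mkEnableOption "helix editor";
+config.catppuccin.helix = {
+inherit (cfg) enable;
+useItalics = cfg.enable;
+};
+config.programs.helix = lib.mkIf cfg.enable {
+enable = true;
+settings = import ./settings.nix;
+};
+}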
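--- a/homeModules/programs/helix/settings.nix
+++ b/homeModules/programs/helix/settings.nix
@@ -0,0 +1,25 @@
+{
+editor = {
+line-number = "absolute";
+mouse = false;
+auto-save = true;
+true-color = true;
+bufferline = "multiple";
+cursor-shape = {
+normal = "block";
+insert = "bar";
+select = "underline";
+};
+lsp = {
+display-messages = true;
+auto-signature-help = true;
+display-signature-help-docs = true;
+};
+whitespace.render = {
+space = "none";
+tab = "all";
+newline = "all";
+};
+indent-guides.render = true;
+};
+}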
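--- a/homeModules/programs/kitty/default.nix
+++ b/homeModules/programs/kitty/default.nix
@@ -0,0 +1,14 @@
+{ lib, config, ... }:
+let
+cfg = config.py.programs.kitty;
+in
+{
+options.py.programs.kitty.enable = lib.mkEnableOption "kitty";
+config.catppuccin.kitty.enable = cfg.enable;
+config.programs.kitty = lib.mkIf cfg.enable {
+enable = true;
+font.name = "BlexMono Nerd Font";
+font.size = 14;
+settings = import ./settings.nix;
+};
+}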
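--- a/homeModules/programs/kitty/settings.nix
+++ b/homeModules/programs/kitty/settings.nix
@@ -0,0 +1,41 @@
+{
+# Font settings
+bold_font = "BlexMono Nerd Font Bold";
+italic_font = "BlexMono Nerd Font Italic";
+bold_italic_font = "BlexMono Nerd Font Bold Italic";
+# Cursor Settings
+scrollback_lines = 10000;
+wheel_scroll_multiplier = 3;
+touch_scroll_multiplier = 2;
+scrollback_pager = "page";
+cursor_shape = "block";
+# Mouse settings
+mouse_hide_wait = "0.5";
+open_url_with = "default";
+strip_trailing_spaces = "smart";
+focus_follows_mouse = true;
+# Perf settings
+repaint_delay = 16;
+sync_to_monitor = true;
+# Terminal Bell settings
+enable_audio_bell = false;
+# Window settings
+hide_window_decorations = true;
+# Tab Bar settings
+tab_bar_edge = "bottom";
+tab_bar_margin_width = 0;
+tab_bar_margin_height = "0 0";
+tab_bar_style = "powerline";
+tab_bar_min_tabs = 2;
+
+shell = "fish";
+editor = "nvim";
+allow_remote_control = "socket-only";
+listen_on = "unix:/tmp/mykitty";
+update_check_interval = 0;
+allow_hyperlinks = true;
+shell_integration = "no-cursor";
+term = "xterm-kitty";
+remember_window_size = "no";
+linux_display_server = "wayland";
+}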
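Review bot: `listen_on = "unix:/tmp/mykitty"` on line 34 places the remote-control socket under a predictable name in the shared, world-writable `/tmp`. With `allow_remote_control = "socket-only"`, whoever can reach that socket can drive the terminal, so its location and permissions matter. The kitty documentation says environment variables are expanded in `listen_on`, so the per-user runtime directory is a better home: `listen_on = "unix:$XDG_RUNTIME_DIR/kitty";`. If nothing uses remote control, `allow_remote_control = "no";` is the simpler setting. The "Cursor Settings" comment on line 6 actually heads the scrollback options, which is worth correcting while here.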
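--- a/homeModules/programs/misc-programs/default.nix
+++ b/homeModules/programs/misc-programs/default.nix
@@ -0,0 +1,78 @@
+{
+config,
+lib,
+pkgs,
+...
+}:
+let
+cfg = config.py.programs;
+inherit (lib) mkEnableOption mkIf;
+in
+{
+options.py.programs = {
+bat.enable = mkEnableOption "bat";
+direnv.enable = mkEnableOption "direnv";
+fzf.enable = mkEnableOption "fzf";
+nix-index.enable = mkEnableOption "nix-index";
+obs.enable = mkEnableOption "OBS Studio";
+pandoc.enable = mkEnableOption "pandoc";
+wakatime.enable = mkEnableOption "wakatime";
+zoxide.enable = mkEnableOption "zoxide";
+};
+config = {
+catppuccin = {
+bat.enable = cfg.bat.enable;
+fzf.enable = cfg.fzf.enable;
+obs.enable = cfg.obs.enable;
+};
+programs = {
+bat = mkIf cfg.bat.enable {
+enable = true;
+};
+direnv = mkIf cfg.direnv.enable {
+enable = true;
+enableBashIntegration = true;
+enableNushellIntegration = true;
+enableZshIntegration = true;
+nix-direnv.enable = true;
+stdlib = builtins.readFile ./direnv-stdlib.sh;
+};
+fzf = mkIf cfg.fzf.enable {
+enable = true;
+enableBashIntegration = true;
+enableZshIntegration = true;
+};
+nix-index = mkIf cfg.nix-index.enable {
+enable = true;
+enableBashIntegration = true;
+enableFishIntegration = true;
+enableZshIntegration = true;
+};
+obs-studio = mkIf cfg.obs.enable {
+enable = true;
+plugins = with pkgs.obs-studio-plugins; [
+obs-text-pthread
+obs-backgroundremoval
+input-overlay
+obs-tuna
+obs-pipewire-audio-capture
+obs-vkcapture
+wlrobs
+];
+};
+pandoc = mkIf cfg.pandoc.enable { enable = true; };
+zoxide = mkIf cfg.zoxide.enable {
+enable = true;
+enableBashIntegration = true;
+enableFishIntegration = true;
+enableZshIntegration = true;
+};
+};
+home = {
+packages = mkIf cfg.wakatime.enable [ pkgs.wakatime-cli ];
+sessionVariables = {
+WAKATIME_HOME = "${config.xdg.configHome}/wakatime";
+};
+};
+};
+}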
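--- a/homeModules/programs/misc-programs/direnv-stdlib.sh
+++ b/homeModules/programs/misc-programs/direnv-stdlib.sh
@@ -0,0 +1,26 @@
+layout_poetry() {
+PYPROJECT_TOML="\$\{PYPROJECT_TOML:-pyproject.toml}"
+if [[ ! -f "$PYPROJECT_TOML" ]]; then
+log_status "No pyproject.toml found. Executing \`poetry init\` to create a \`$PYPROJECT_TOML\` first."
+poetry init
+fi
+
+if [[ -d ".venv" ]]; then
+VIRTUAL_ENV="$(pwd)/.venv"
+else
+VIRTUAL_ENV=$(
+poetry env info --path 2>/dev/null
+true
+)
+fi
+
+if [[ -z $VIRTUAL_ENV || ! -d $VIRTUAL_ENV ]]; then
+log_status "No virtual environment exists. Executing \`poetry install\` to create one."
+poetry install
+VIRTUAL_ENV=$(poetry env info --path)
+fi
+
+PATH_add "$VIRTUAL_ENV/bin"
+export POETRY_ACTIVE=1
+export VIRTUAL_ENV
+}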
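Review bot: Line 2 still carries Nix-string escapes (`\$\{`), but misc-programs/default.nix loads this file with `builtins.readFile`, which hands the bytes to direnv unchanged. Bash therefore sets `PYPROJECT_TOML` to the literal text `$\{PYPROJECT_TOML:-pyproject.toml}`, the `-f` test on line 3 never finds a file, and `poetry init` runs on every `layout poetry`, even in a project that already has a pyproject.toml. The plain parameter expansion is what is wanted: `PYPROJECT_TOML="${PYPROJECT_TOML:-pyproject.toml}"`.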
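--- a/homeModules/programs/neovim/default.nix
+++ b/homeModules/programs/neovim/default.nix
@@ -0,0 +1,35 @@
+{
+pkgs,
+config,
+lib,
+...
+}:
+let
+cfg = config.py.programs.neovim;
+in
+{
+options.py.programs.neovim.enable = lib.mkEnableOption "Neovim Configuration";
+
+config.programs.neovim = lib.mkIf cfg.enable {
+enable = true;
+viAlias = true;
+vimAlias = true;
+vimdiffAlias = true;
+withRuby = false;
+withNodeJs = false;
+withPython3 = false;
+extraPackages = [
+pkgs.bottom
+pkgs.fd
+pkgs.gcc
+pkgs.go
+pkgs.nodejs
+# ]
+# ++ lib.optionals config.py.profiles.gui.enable [
+# pkgs.ffmpegthumbnailer
+# pkgs.fontpreview
+# pkgs.poppler
+# pkgs.ueberzug
+];
+};
+}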
+369
homeModules/programs/nushell/config.nu
··· 1 + source ~/.zoxide.nu 2 + source ~/.cache/starship/init.nu 3 + 4 + source /home/thehedgehog/.cache/starship/init.nu 5 + 6 + let-env config = ($env | default {} config).config 7 + let-env config = ($env.config | default {} hooks) 8 + let-env config = ($env.config | update hooks ($env.config.hooks | default [] pre_prompt)) 9 + let-env config = ($env.config | update hooks.pre_prompt ($env.config.hooks.pre_prompt | append { 10 + code: " 11 + let direnv = (direnv export json | from json) 12 + let direnv = if ($direnv | length) == 1 { $direnv } else { {} } 13 + $direnv | load-env 14 + " 15 + })) 16 + 17 + let-env config = { 18 + ls: { 19 + use_ls_colors: true # use the LS_COLORS environment variable to colorize output 20 + clickable_links: true # enable or disable clickable links. Your terminal has to support links. 21 + } 22 + rm: { 23 + always_trash: false # always act as if -t was given. Can be overridden with -p 24 + } 25 + cd: { 26 + abbreviations: false # allows `cd s/o/f` to expand to `cd some/other/folder` 27 + } 28 + table: { 29 + mode: rounded # basic, compact, compact_double, light, thin, with_love, rounded, reinforced, heavy, none, other 30 + index_mode: always # "always" show indexes, "never" show indexes, "auto" = show indexes when a table has "index" column 31 + trim: { 32 + methodology: wrapping # wrapping or truncating 33 + wrapping_try_keep_words: true # A strategy used by the 'wrapping' methodology 34 + truncating_suffix: "..." 
# A suffix used by the 'truncating' methodology 35 + } 36 + } 37 + 38 + explore: { 39 + help_banner: true 40 + exit_esc: true 41 + 42 + command_bar_text: '#C4C9C6' 43 + # command_bar: {fg: '#C4C9C6' bg: '#223311' } 44 + 45 + status_bar_background: {fg: '#1D1F21' bg: '#C4C9C6' } 46 + # status_bar_text: {fg: '#C4C9C6' bg: '#223311' } 47 + 48 + highlight: {bg: 'yellow' fg: 'black' } 49 + 50 + status: { 51 + # warn: {bg: 'yellow', fg: 'blue'} 52 + # error: {bg: 'yellow', fg: 'blue'} 53 + # info: {bg: 'yellow', fg: 'blue'} 54 + } 55 + 56 + try: { 57 + # border_color: 'red' 58 + # highlighted_color: 'blue' 59 + 60 + # reactive: false 61 + } 62 + 63 + table: { 64 + split_line: '#404040' 65 + 66 + cursor: true 67 + 68 + line_index: true 69 + line_shift: true 70 + line_head_top: true 71 + line_head_bottom: true 72 + 73 + show_head: true 74 + show_index: true 75 + 76 + # selected_cell: {fg: 'white', bg: '#777777'} 77 + # selected_row: {fg: 'yellow', bg: '#C1C2A3'} 78 + # selected_column: blue 79 + 80 + # padding_column_right: 2 81 + # padding_column_left: 2 82 + 83 + # padding_index_left: 2 84 + # padding_index_right: 1 85 + } 86 + 87 + config: { 88 + cursor_color: {bg: 'yellow' fg: 'black' } 89 + 90 + # border_color: white 91 + # list_color: green 92 + } 93 + } 94 + 95 + history: { 96 + max_size: 10000 # Session has to be reloaded for this to take effect 97 + sync_on_enter: true # Enable to share history between multiple sessions, else you have to close the session to write history to file 98 + file_format: "plaintext" # "sqlite" or "plaintext" 99 + } 100 + completions: { 101 + case_sensitive: false # set to true to enable case-sensitive completions 102 + quick: true # set this to false to prevent auto-selecting completions when only one remains 103 + partial: true # set this to false to prevent partial filling of the prompt 104 + algorithm: "prefix" # prefix or fuzzy 105 + external: { 106 + enable: true # set to false to prevent nushell looking into $env.PATH to find more 
suggestions, `false` recommended for WSL users as this look up my be very slow 107 + max_results: 100 # setting it lower can improve completion performance at the cost of omitting some options 108 + completer: null # check 'carapace_completer' above as an example 109 + } 110 + } 111 + filesize: { 112 + metric: true # true => KB, MB, GB (ISO standard), false => KiB, MiB, GiB (Windows standard) 113 + format: "auto" # b, kb, kib, mb, mib, gb, gib, tb, tib, pb, pib, eb, eib, zb, zib, auto 114 + } 115 + cursor_shape: { 116 + emacs: line # block, underscore, line (line is the default) 117 + vi_insert: block # block, underscore, line (block is the default) 118 + vi_normal: underscore # block, underscore, line (underscore is the default) 119 + } 120 + color_config: $dark_theme # if you want a light theme, replace `$dark_theme` to `$light_theme` 121 + use_grid_icons: true 122 + footer_mode: "25" # always, never, number_of_rows, auto 123 + float_precision: 2 # the precision for displaying floats in tables 124 + # buffer_editor: "emacs" # command that will be used to edit the current line buffer with ctrl+o, if unset fallback to $env.EDITOR and $env.VISUAL 125 + use_ansi_coloring: true 126 + edit_mode: emacs # emacs, vi 127 + shell_integration: true # enables terminal markers and a workaround to arrow keys stop working issue 128 + # true or false to enable or disable the welcome banner at startup 129 + show_banner: true 130 + render_right_prompt_on_last_line: false # true or false to enable or disable right prompt to be rendered on last line of the prompt. 
131 + 132 + hooks: { 133 + pre_prompt: [{ 134 + null # replace with source code to run before the prompt is shown 135 + }] 136 + pre_execution: [{ 137 + null # replace with source code to run before the repl input is run 138 + }] 139 + env_change: { 140 + PWD: [{|before, after| 141 + null # replace with source code to run if the PWD environment is different since the last repl input 142 + }] 143 + } 144 + display_output: { 145 + if (term size).columns >= 100 { table -e } else { table } 146 + } 147 + } 148 + menus: [ 149 + # Configuration for default nushell menus 150 + # Note the lack of source parameter 151 + { 152 + name: completion_menu 153 + only_buffer_difference: false 154 + marker: "| " 155 + type: { 156 + layout: columnar 157 + columns: 4 158 + col_width: 20 # Optional value. If missing all the screen width is used to calculate column width 159 + col_padding: 2 160 + } 161 + style: { 162 + text: green 163 + selected_text: green_reverse 164 + description_text: yellow 165 + } 166 + } 167 + { 168 + name: history_menu 169 + only_buffer_difference: true 170 + marker: "? " 171 + type: { 172 + layout: list 173 + page_size: 10 174 + } 175 + style: { 176 + text: green 177 + selected_text: green_reverse 178 + description_text: yellow 179 + } 180 + } 181 + { 182 + name: help_menu 183 + only_buffer_difference: true 184 + marker: "? " 185 + type: { 186 + layout: description 187 + columns: 4 188 + col_width: 20 # Optional value. 
If missing all the screen width is used to calculate column width 189 + col_padding: 2 190 + selection_rows: 4 191 + description_rows: 10 192 + } 193 + style: { 194 + text: green 195 + selected_text: green_reverse 196 + description_text: yellow 197 + } 198 + } 199 + # Example of extra menus created using a nushell source 200 + # Use the source field to create a list of records that populates 201 + # the menu 202 + { 203 + name: commands_menu 204 + only_buffer_difference: false 205 + marker: "# " 206 + type: { 207 + layout: columnar 208 + columns: 4 209 + col_width: 20 210 + col_padding: 2 211 + } 212 + style: { 213 + text: green 214 + selected_text: green_reverse 215 + description_text: yellow 216 + } 217 + source: { |buffer, position| 218 + $nu.scope.commands 219 + | where name =~ $buffer 220 + | each { |it| {value: $it.name description: $it.usage} } 221 + } 222 + } 223 + { 224 + name: vars_menu 225 + only_buffer_difference: true 226 + marker: "# " 227 + type: { 228 + layout: list 229 + page_size: 10 230 + } 231 + style: { 232 + text: green 233 + selected_text: green_reverse 234 + description_text: yellow 235 + } 236 + source: { |buffer, position| 237 + $nu.scope.vars 238 + | where name =~ $buffer 239 + | sort-by name 240 + | each { |it| {value: $it.name description: $it.type} } 241 + } 242 + } 243 + { 244 + name: commands_with_description 245 + only_buffer_difference: true 246 + marker: "# " 247 + type: { 248 + layout: description 249 + columns: 4 250 + col_width: 20 251 + col_padding: 2 252 + selection_rows: 4 253 + description_rows: 10 254 + } 255 + style: { 256 + text: green 257 + selected_text: green_reverse 258 + description_text: yellow 259 + } 260 + source: { |buffer, position| 261 + $nu.scope.commands 262 + | where name =~ $buffer 263 + | each { |it| {value: $it.name description: $it.usage} } 264 + } 265 + } 266 + ] 267 + keybindings: [ 268 + { 269 + name: completion_menu 270 + modifier: none 271 + keycode: tab 272 + mode: [emacs vi_normal vi_insert] 273 
+ event: { 274 + until: [ 275 + { send: menu name: completion_menu } 276 + { send: menunext } 277 + ] 278 + } 279 + } 280 + { 281 + name: completion_previous 282 + modifier: shift 283 + keycode: backtab 284 + mode: [emacs, vi_normal, vi_insert] # Note: You can add the same keybinding to all modes by using a list 285 + event: { send: menuprevious } 286 + } 287 + { 288 + name: history_menu 289 + modifier: control 290 + keycode: char_r 291 + mode: emacs 292 + event: { send: menu name: history_menu } 293 + } 294 + { 295 + name: next_page 296 + modifier: control 297 + keycode: char_x 298 + mode: emacs 299 + event: { send: menupagenext } 300 + } 301 + { 302 + name: undo_or_previous_page 303 + modifier: control 304 + keycode: char_z 305 + mode: emacs 306 + event: { 307 + until: [ 308 + { send: menupageprevious } 309 + { edit: undo } 310 + ] 311 + } 312 + } 313 + { 314 + name: yank 315 + modifier: control 316 + keycode: char_y 317 + mode: emacs 318 + event: { 319 + until: [ 320 + {edit: pastecutbufferafter} 321 + ] 322 + } 323 + } 324 + { 325 + name: unix-line-discard 326 + modifier: control 327 + keycode: char_u 328 + mode: [emacs, vi_normal, vi_insert] 329 + event: { 330 + until: [ 331 + {edit: cutfromlinestart} 332 + ] 333 + } 334 + } 335 + { 336 + name: kill-line 337 + modifier: control 338 + keycode: char_k 339 + mode: [emacs, vi_normal, vi_insert] 340 + event: { 341 + until: [ 342 + {edit: cuttolineend} 343 + ] 344 + } 345 + } 346 + # Keybindings used to trigger the user defined menus 347 + { 348 + name: commands_menu 349 + modifier: control 350 + keycode: char_t 351 + mode: [emacs, vi_normal, vi_insert] 352 + event: { send: menu name: commands_menu } 353 + } 354 + { 355 + name: vars_menu 356 + modifier: alt 357 + keycode: char_o 358 + mode: [emacs, vi_normal, vi_insert] 359 + event: { send: menu name: vars_menu } 360 + } 361 + { 362 + name: commands_with_description 363 + modifier: control 364 + keycode: char_s 365 + mode: [emacs, vi_normal, vi_insert] 366 + event: 
{ send: menu name: commands_with_description } 367 + } 368 + ] 369 + }
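Review bot: The direnv `pre_prompt` hook appended on lines 6-15 is discarded by the second `let-env config = { ... }` starting on line 17, which replaces the whole record and sets `hooks.pre_prompt` to a `null` placeholder closure, so direnv environments would not be loaded in nushell. Defining the full record first and appending the hook afterwards, or placing the direnv closure directly in the `pre_prompt` list on line 133, keeps it. Line 4 sources `/home/thehedgehog/.cache/starship/init.nu` by absolute path although line 2 already sources the `~` form, which breaks for any other account this module is applied to. `$dark_theme` on line 120 is not defined anywhere in this file, so it presumably relies on a definition that is no longer present.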
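--- a/homeModules/programs/nushell/default.nix
+++ b/homeModules/programs/nushell/default.nix
@@ -0,0 +1,12 @@
+{ config, lib, ... }:
+let
+cfg = config.py.programs.nushell;
+in
+{
+options.py.programs.nushell.enable = lib.mkEnableOption "Nushell";
+config.programs.nushell = lib.mkIf cfg.enable {
+enable = true;
+configFile.source = ./config.nu;
+envFile.source = ./env.nu;
+};
+}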
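--- a/homeModules/programs/nushell/env.nu
+++ b/homeModules/programs/nushell/env.nu
@@ -0,0 +1,9 @@
+zoxide init nushell --hook prompt | save ~/.zoxide.nu
+mkdir ~/.cache/starship
+starship init nu | save ~/.cache/starship/init.nu
+
+let starship_cache = "/home/thehedgehog/.cache/starship"
+if not ($starship_cache | path exists) {
+mkdir $starship_cache
+}
+/etc/profiles/per-user/thehedgehog/bin/starship init nu | save --force /home/thehedgehog/.cache/starship/init.nu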
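Review bot: Lines 5-9 hard-code `/home/thehedgehog` and `/etc/profiles/per-user/thehedgehog/bin/starship`, repeating what lines 2-3 already do through `~`; under any other account the `mkdir` and `save` either fail or target another user's home. Because config.nu then `source`s the generated script, the location should follow the current user, e.g. `let starship_cache = ($env.HOME | path join ".cache" "starship")`, with the duplicate block dropped. Lines 1 and 3 call `save` without `--force` while line 9 uses it; on nushell versions that refuse to overwrite an existing file, this would presumably error on every start after the first.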
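--- a/homeModules/programs/ssh/backup.pub
+++ b/homeModules/programs/ssh/backup.pub
@@ -0,0 +1,1 @@
+ssh-rsa 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 993390@993390-student-FVFD26HVJ1WK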
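--- a/homeModules/programs/ssh/default.nix
+++ b/homeModules/programs/ssh/default.nix
@@ -0,0 +1,57 @@
+{ lib, config, ... }:
+let
+cfg = config.py.programs.ssh;
+in
+{
+options.py.programs.ssh.enable = lib.mkEnableOption "ssh";
+config = lib.mkIf cfg.enable {
+programs.ssh = {
+enable = true;
+enableDefaultConfig = false;
+matchBlocks = {
+"*" = {
+forwardAgent = false;
+addKeysToAgent = "no";
+serverAliveInterval = 0;
+serverAliveCountMax = 3;
+hashKnownHosts = false;
+userKnownHostsFile = "~/.ssh/known_hosts";
+controlMaster = "no";
+controlPath = "~/.ssh/master-%r@%n:%p";
+controlPersist = "no";
+compression = true;
+};
+"marvin" = {
+hostname = "100.123.15.72";
+user = "thehedgehog";
+port = 22;
+extraOptions = {
+"IdentitiesOnly" = "no";
+"PreferredAuthentications" = "publickey";
+};
+};
+"prefect" = {
+hostname = "100.93.63.54";
+user = "thehedgehog";
+port = 22;
+extraOptions = {
+"IdentitiesOnly" = "no";
+"PreferredAuthentications" = "publickey";
+};
+};
+"botw" = {
+hostname = "bandit.labs.overthewire.org";
+port = 2220;
+sendEnv = [
+"WECHALLUSER"
+"WECHALLTOKEN"
+];
+};
+};
+extraOptionOverrides = {
+"Match" = ''host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye"'';
+};
+};
+home.file.".ssh/authorized_signatures".text = import ./ssh-auth-signers.nix;
+};
+}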
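Review bot: `home.file.".ssh/authorized_signatures"` on line 55 is created only when `py.programs.ssh.enable` is set, while git/default.nix points `gpg.ssh.allowedSignersFile` at the same path under `py.programs.git.enable`. With git enabled and ssh disabled the allowed-signers file is missing and signature verification has nothing to check against. Either move that line into the git module or record the dependency in a comment. The `Match` override on line 52 executes `gpg-connect-agent` on every ssh invocation, so a short comment such as `# refresh gpg-agent's TTY so pinentry appears in the current terminal` would explain why it is there.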
+7
homeModules/programs/ssh/ssh-auth-signers.nix
··· 1 + '' 2 + hedgehog@mrhedgehog.xyz ssh-rsa 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 3 + hedgehog@mrhedgehog.xyz ssh-rsa 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 4 + me@thehedgehog.me ssh-rsa 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 5 + me@thehedgehog.me ssh-rsa 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 6 + me@thehedgehog.me ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK97n2SgV/U1mLzxcaEDl85iF5D3jm7xboZ+S01+CbM/8zxVoWyjVHCqTwDcrLwP0c5Z51BNj7U0UkGIgR4zTSM= 7 + ''
+1
homeModules/programs/ssh/yubikey-back.pub
··· 1 + ssh-rsa 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 cardno:15 567 372
+1
homeModules/programs/ssh/yubikey-main.pub
··· 1 + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746
+1
homeModules/programs/ssh/yubikey-new.pub
··· 1 + ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK97n2SgV/U1mLzxcaEDl85iF5D3jm7xboZ+S01+CbM/8zxVoWyjVHCqTwDcrLwP0c5Z51BNj7U0UkGIgR4zTSM=
+15
homeModules/programs/starship/default.nix
··· 1 + { lib, config, ... }: 2 + let 3 + cfg = config.py.programs.starship; 4 + in 5 + { 6 + options.py.programs.starship.enable = lib.mkEnableOption "starship"; 7 + config.catppuccin.starship.enable = false; 8 + config.programs.starship = lib.mkIf cfg.enable { 9 + enable = true; 10 + enableFishIntegration = true; 11 + enableBashIntegration = true; 12 + enableZshIntegration = true; 13 + settings = import ./settings.nix { inherit lib; }; 14 + }; 15 + }
+104
homeModules/programs/starship/settings.nix
··· 1 + { lib }: 2 + { 3 + format = lib.concatStrings [ 4 + "$hostname" 5 + "$directory" 6 + "$python" 7 + "$deno" 8 + "$nodejs" 9 + "$lua" 10 + "$git_branch" 11 + "$git_status" 12 + "$battery" 13 + "$shlvl" 14 + "$character" 15 + ]; 16 + right_format = lib.concatStrings [ "$nix_shell" ]; 17 + 18 + directory = { 19 + read_only = " "; 20 + }; 21 + git_branch = { 22 + symbol = " "; 23 + format = "(\\[[$symbol$branch]($style)\\])"; 24 + }; 25 + git_status = { 26 + format = "(\\[[$all_status$ahead_behind]($style)\\])"; 27 + }; 28 + deno = { 29 + symbol = " "; 30 + format = "(\\[[$symbol($version)]($style)\\])"; 31 + }; 32 + nodejs = { 33 + format = "(\\[[$symbol($version)]($style)\\])"; 34 + detect_files = [ 35 + "package.json" 36 + ".node-version" 37 + ".nvmrc" 38 + "!deno.json" 39 + "!deno.lock" 40 + ]; 41 + }; 42 + lua = { 43 + symbol = " "; 44 + format = "(\\[[$symbol($version)]($style)\\])"; 45 + }; 46 + package = { 47 + symbol = "󰏖 "; 48 + format = "(\\[[$symbol$version]($style)\\])"; 49 + }; 50 + python = { 51 + symbol = " "; 52 + pyenv_version_name = false; 53 + version_format = "v$major.$minor"; 54 + format = "(\\[[$symbol($version)($virtualenv)]($style)\\])"; 55 + }; 56 + shlvl = { 57 + symbol = " "; 58 + format = "(\\[[$symbol$shlvl]($style)\\])"; 59 + }; 60 + nix_shell = { 61 + symbol = " "; 62 + format = "(\\[[$symbol($name)]($style)\\])"; 63 + }; 64 + aws.disabled = true; 65 + conda.disabled = true; 66 + crystal.disabled = true; 67 + dart.disabled = true; 68 + docker_context.disabled = true; 69 + dotnet.disabled = true; 70 + elixir.disabled = true; 71 + elm.disabled = true; 72 + env_var.disabled = true; 73 + erlang.disabled = true; 74 + gcloud.disabled = true; 75 + golang.disabled = true; 76 + helm.disabled = true; 77 + java.disabled = true; 78 + jobs.disabled = true; 79 + julia.disabled = true; 80 + kotlin.disabled = true; 81 + kubernetes.disabled = true; 82 + memory_usage.disabled = true; 83 + hg_branch.disabled = true; 84 + nim.disabled = true; 
85 + ocaml.disabled = true; 86 + openstack.disabled = true; 87 + perl.disabled = true; 88 + php.disabled = true; 89 + purescript.disabled = true; 90 + rlang.disabled = true; 91 + red.disabled = true; 92 + ruby.disabled = true; 93 + rust.disabled = true; 94 + scala.disabled = true; 95 + singularity.disabled = true; 96 + swift.disabled = true; 97 + terraform.disabled = true; 98 + time.disabled = true; 99 + username.disabled = true; 100 + vagrant.disabled = true; 101 + vlang.disabled = true; 102 + vcsh.disabled = true; 103 + zig.disabled = true; 104 + }
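--- a/homeModules/programs/vscodium/default.nix
+++ b/homeModules/programs/vscodium/default.nix
@@ -0,0 +1,54 @@
+{
+pkgs,
+lib,
+config,
+...
+}:
+let
+cfg = config.py.programs.vscodium;
+in
+{
+options.py.programs.vscodium.enable = lib.mkEnableOption "VSCodium";
+config.programs.vscode = lib.mkIf cfg.enable {
+enable = true;
+package = pkgs.vscode;
+profiles.default.userSettings = {
+"biome.lspBin" = "";
+"breadcrumbs.enabled" = false;
+"editor.formatOnPaste" = true;
+"editor.formatOnSave" = true;
+"editor.formatOnSaveMode" = "file";
+"editor.formatOnType" = true;
+"editor.fontSize" = 15;
+"editor.fontFamily" = "'IBM Plex Mono', 'monospace', monospace";
+"editor.minimap.enabled" = false;
+"explorer.confirmDelete" = false;
+"explorer.confirmDragAndDrop" = false;
+"extensions.autoCheckUpdates" = false;
+"extensions.autoUpdate" = false;
+"extensions.closeExtensionDetailsOnViewChange" = true;
+"extensions.ignoreRecommendations" = true;
+"npm.keybindingsChangedWarningShown" = true;
+"ruff.nativeServer" = true;
+"ruff.showNotifications" = "onError";
+"nix.enableLanguageServer" = true;
+"nix.serverPath" = lib.getExe pkgs.nixd;
+"[nix]" = {
+"editor.defaultFormatter" = "brettm12345.nixfmt-vscode";
+};
+"python.analysis.autoImportCompletions" = true;
+"python.analysis.autoSearchPaths" = true;
+"python.analysis.completeFunctionParens" = true;
+"python.experiments.enabled" = false;
+"python.languageServer" = "Pylance";
+"telemetry.telemetryLevel" = "off";
+"terminal.external.linuxExec" = "ghostty";
+"update.mode" = "none";
+"update.showReleaseNotes" = false;
+"workbench.colorTheme" = "Catppuccin Mocha";
+"workbench.iconTheme" = "catppuccin-mocha";
+"vscode-neovim.neovimExecutablePaths.linux" = lib.getExe pkgs.neovim;
+"python.formatting.provider" = "black";
+};
+};
+}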
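Review bot: The option is declared as `py.programs.vscodium` with the description "VSCodium", but file line 14 sets `package = pkgs.vscode;`, so enabling the module installs Microsoft's unfree build rather than the community one the name promises. If VSCodium is intended, use `package = pkgs.vscodium;`; `"python.languageServer" = "Pylance"` would then need replacing, because Pylance is licensed for Microsoft builds only. If the Microsoft build is deliberate, rename the option or add `# pkgs.vscode on purpose: Pylance requires the Microsoft build` so the mismatch is not read as a mistake.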
+36
homeModules/programs/zed-editor/default.nix
··· 1 + { 2 + pkgs, 3 + lib, 4 + config, 5 + ... 6 + }: 7 + let 8 + cfg = config.py.programs.zed-editor; 9 + in 10 + { 11 + options.py.programs.zed-editor.enable = lib.mkEnableOption "Zed Editor"; 12 + config.programs.zed-editor = lib.mkIf cfg.enable { 13 + enable = true; 14 + package = pkgs.zed-editor.fhsWithPackages (pkgs: [ 15 + pkgs.zlib 16 + pkgs.openssl 17 + pkgs.openssh-patched 18 + pkgs.kdePackages.qtdeclarative 19 + ]); 20 + userSettings = import ./settings.nix; 21 + extensions = [ 22 + "catppuccin" 23 + "catppuccin-icons" 24 + "git-firefly" 25 + "nix" 26 + "ruff" 27 + "fish" 28 + "just" 29 + "discord-presence" 30 + "wakatime" 31 + "mermaid" 32 + "caddyfile" 33 + "vento" 34 + ]; 35 + }; 36 + }
+100
homeModules/programs/zed-editor/settings.nix
··· 1 + { 2 + auto_update = false; 3 + buffer_font_family = "BlexMono Nerd Font"; 4 + buffer_font_size = 15; 5 + disable_ai = true; 6 + git_panel.button = true; 7 + load_direnv = "direct"; 8 + lsp.deno.settings.deno.enable = true; 9 + relative_line_numbers = true; 10 + show_edit_predictions = false; 11 + soft_wrap = "none"; 12 + terminal.dock = "bottom"; 13 + theme = "Catppuccin Mocha"; 14 + ui_font_family = "Inter"; 15 + ui_font_size = 15; 16 + vim_mode = true; 17 + wrap_guides = [ 100 ]; 18 + 19 + icon_theme = { 20 + mode = "dark"; 21 + dark = "Catppuccin Mocha"; 22 + light = "Catppuccin Mocha"; 23 + }; 24 + 25 + inlay_hints = { 26 + enabled = true; 27 + edit_debounce_ms = 500; 28 + }; 29 + 30 + languages = { 31 + Nix = { 32 + formatter.external = { 33 + command = "nixfmt"; 34 + arguments = [ 35 + "--quiet" 36 + "--filename" 37 + "{buffer_path}" 38 + "--" 39 + ]; 40 + }; 41 + }; 42 + TypeScript = { 43 + enable_language_server = true; 44 + language_servers = [ 45 + "deno" 46 + "!typescript-language-server" 47 + "!vtsls" 48 + "!eslint" 49 + ]; 50 + formatter = "language_server"; 51 + prettier.allowed = false; 52 + }; 53 + Vento = { 54 + enable_language_server = true; 55 + language_servers = [ 56 + "vscode-html-language-server" 57 + "tailwindcss-language-server" 58 + ]; 59 + format_on_save = "on"; 60 + formatter.external = { 61 + command = "deno"; 62 + arguments = [ 63 + "task" 64 + "fmt" 65 + "--stdin" 66 + "{buffer_path}" 67 + ]; 68 + }; 69 + }; 70 + }; 71 + 72 + lsp = { 73 + tailwindcss-language-server = { 74 + settings = { 75 + includeLanguages = { 76 + "vento" = "html"; 77 + "*.vto" = "html"; 78 + }; 79 + experimental = { 80 + classRegex = [ 81 + "class=\"([^\"]*)" 82 + "class={\"([^\"}]*)" 83 + "class=format!({\"([^\"}]*)" 84 + ]; 85 + }; 86 + }; 87 + }; 88 + }; 89 + 90 + tabs = { 91 + file_icons = true; 92 + git_status = true; 93 + show_diagnostics = "errors"; 94 + }; 95 + 96 + telemetry = { 97 + metrics = false; 98 + diagnostics = false; 99 + }; 100 + }
+1
homeModules/scripts/default.nix
··· 1 + _: { }
+7
homeModules/services/default.nix
··· 1 + { 2 + imports = [ 3 + ./gpg-agent 4 + ./kdeconnect 5 + ./syncthing 6 + ]; 7 + }
+24
homeModules/services/gpg-agent/default.nix
··· 1 + { lib, config, ... }: 2 + let 3 + cfg = config.py.services.gpg-agent; 4 + in 5 + { 6 + options.py.services.gpg-agent.enable = lib.mkEnableOption "gpg-agent"; 7 + config.services.gpg-agent = lib.mkIf cfg.enable { 8 + enable = true; 9 + enableExtraSocket = true; 10 + enableScDaemon = true; 11 + enableSshSupport = true; 12 + defaultCacheTtl = 600; 13 + maxCacheTtl = 600; 14 + sshKeys = [ 15 + # My Normal GPG Key(Authentication Subkey) 16 + "485329FEF73C42C6C42879F66C8B971F3FD4A132" 17 + "CFEFCD08CFE6F0849F32ABC9C5CF3158A2FE1392" 18 + ]; 19 + extraConfig = '' 20 + ttyname $GPG_TTY 21 + max-cache-ttl-ssh 600 22 + ''; 23 + }; 24 + }
+11
homeModules/services/kdeconnect/default.nix
··· 1 + { lib, config, ... }: 2 + let 3 + cfg = config.py.services.kdeconnect; 4 + in 5 + { 6 + options.py.services.kdeconnect.enable = lib.mkEnableOption "KDEConnect"; 7 + config.services.kdeconnect = lib.mkIf cfg.enable { 8 + enable = true; 9 + indicator = true; 10 + }; 11 + }
+11
homeModules/services/syncthing/default.nix
··· 1 + { lib, config, ... }: 2 + let 3 + cfg = config.py.services.syncthing; 4 + in 5 + { 6 + options.py.services.syncthing.enable = lib.mkEnableOption "Syncthing"; 7 + config.services.syncthing = lib.mkIf cfg.enable { 8 + enable = true; 9 + tray.enable = true; 10 + }; 11 + }
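--- a/homeModules/theming/default.nix
+++ b/homeModules/theming/default.nix
@@ -0,0 +1,46 @@
+{
+pkgs,
+config,
+lib,
+...
+}:
+let
+pro = config.py.profiles;
+inherit (lib) mkDefault mkIf;
+in
+{
+catppuccin = {
+flavor = "mocha";
+accent = "blue";
+};
+home.pointerCursor = mkIf pro.gui.enable {
+package = pkgs.catppuccin-cursors.mochaBlue;
+name = "catppuccin-mocha-blue-cursors";
+gtk.enable = true;
+hyprcursor.enable = true;
+};
+gtk = mkIf pro.gui.enable {
+enable = true;
+theme = mkDefault {
+name = "Colloid-Dark-Compact-Catppuccin";
+package = pkgs.colloid-gtk-theme.override {
+tweaks = [
+"catppuccin"
+"black"
+];
+colorVariants = [ "dark" ];
+sizeVariants = [ "compact" ];
+themeVariants = [ "default" ];
+};
+};
+font = {
+name = "IBM Plex Mono";
+size = 14;
+};
+gtk3.bookmarks = [ "file:///${config.home.homeDirectory}/Downloads" ];
+iconTheme = mkIf pro.gui.enable {
+package = mkDefault pkgs.colloid-icon-theme;
+name = "Colloid-Dark";
+};
+};
+}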
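Review bot: The bookmark on file line 40 is built as `"file:///${config.home.homeDirectory}/Downloads"`, and since `home.homeDirectory` is normally an absolute path the result has four slashes (`file:////home/...`). Writing it as `"file://${config.home.homeDirectory}/Downloads"` gives the conventional three-slash form. The `mkIf pro.gui.enable` on `iconTheme` (file line 41) is also redundant, because the enclosing `gtk` attribute set is already guarded by the same condition.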
+32
homeModules/wayland/default.nix
··· 1 + { 2 + pkgs, 3 + config, 4 + osConfig, 5 + lib, 6 + ... 7 + }: 8 + let 9 + c = osConfig.py.programs.hyprland; 10 + in 11 + { 12 + imports = [ 13 + ./services.nix 14 + ./hypridle.nix 15 + ]; 16 + config = { 17 + catppuccin.hyprland.enable = c.enable; 18 + wayland.windowManager.hyprland = { 19 + inherit (c) enable; 20 + # Per https://nix-community.github.io/home-manager/options.xhtml#opt-wayland.windowManager.hyprland.package 21 + package = null; 22 + systemd = { 23 + enable = true; 24 + enableXdgAutostart = true; 25 + }; 26 + settings = import ./settings.nix { inherit lib config; }; 27 + plugins = [ 28 + pkgs.hyprlandPlugins.hy3 29 + ]; 30 + }; 31 + }; 32 + }
+11
homeModules/wayland/env.nix
··· 1 + { 2 + env = [ 3 + "WLR_NO_HARDWARE_CURSORS, 1" 4 + "WLR_RENDERER_ALLOW_SOFTWARE, 1" 5 + "NIXOS_OZONE_WL, 1" 6 + "XDG_SESSION_TYPE, wayland" 7 + "QT_QPA_PLATFORM, wayland" 8 + "XDG_CURRENT_DESKTOP, Hyprland" 9 + "XDG_SESSION_DESKTOP, Hyprland" 10 + ]; 11 + }
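--- a/homeModules/wayland/hypridle.nix
+++ b/homeModules/wayland/hypridle.nix
@@ -0,0 +1,36 @@
+{
+config,
+lib,
+...
+}:
+let
+cfg = config.wayland.windowManager.hyprland;
+in
+{
+config.services.hypridle = lib.mkIf cfg.enable {
+enable = true;
+settings = {
+general = {
+lock_cmd = "loginctl lock-session";
+# before_sleep_cmd = "loginctl lock-session";
+after_sleep_cmd = "hyprctl dispatch dpms on";
+inhibit_sleep = 3;
+};
+listener = [
+{
+timeout = 420;
+on-timeout = "loginctl lock-session";
+}
+{
+timeout = 600;
+on-timeout = "hyprctl dispatch dpms off";
+on-resume = "hyprctl dispatch dpms on";
+}
+{
+timeout = 900;
+on-timeout = "systemctl resume";
+}
+];
+};
+};
+}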
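Review bot: The 900-second listener runs `systemctl resume`, which is not a systemctl verb, so the command fails and the machine never suspends on idle; `on-timeout = "systemctl suspend";` is presumably what was meant. With `before_sleep_cmd` commented out on file line 15, a suspend triggered before the 420-second lock listener fires (lid close, power key) depends entirely on `inhibit_sleep = 3` and the desktop shell to get the session locked first. It is worth confirming on the laptop that resume always lands on a lock screen, or restoring `before_sleep_cmd = "loginctl lock-session";`.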
+110
homeModules/wayland/keybindings.nix
··· 1 + { lib, shell }: 2 + { 3 + "$mod" = "SUPER"; 4 + "$satty" = "satty -f -"; 5 + 6 + binde = [ 7 + # Media binds that can be held and repeated 8 + ", XF86MonBrightnessDown, exec, brightnessctl set 5%-" 9 + ", XF86MonBrightnessUp, exec, brightnessctl set +5%" 10 + ", XF86AudioRaiseVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+" 11 + ", XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-" 12 + ]; 13 + 14 + bind = [ 15 + "SUPER_SHIFT, F, exec, MOZ_DISABLE_RDD_SANDBOX=1 firefox" 16 + "$mod, Return, exec, ghostty" 17 + "SUPER_SHIFT, E, exit" 18 + 19 + # Media Binds 20 + ", XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle" 21 + ", XF86AudioMicMute, exec, wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle" 22 + ", XF86AudioPlay, exec, playerctl play-pause" 23 + ", XF86AudioNext, exec, playerctl next" 24 + ", XF86AudioPrev, exec, playerctl previous" 25 + 26 + # Workspace binds 27 + "$mod, 1, workspace, 01" 28 + "SUPER_SHIFT, 1, hy3:movetoworkspace, 01" 29 + "$mod, 2, workspace, 02" 30 + "SUPER_SHIFT, 2, hy3:movetoworkspace, 02" 31 + "$mod, 3, workspace, 03" 32 + "SUPER_SHIFT, 3, hy3:movetoworkspace, 03" 33 + "$mod, 4, workspace, 04" 34 + "SUPER_SHIFT, 4, hy3:movetoworkspace, 04" 35 + "$mod, 5, workspace, 05" 36 + "SUPER_SHIFT, 5, hy3:movetoworkspace, 05" 37 + "$mod, 6, workspace, 06" 38 + "SUPER_SHIFT, 6, hy3:movetoworkspace, 06" 39 + "$mod, 7, workspace, 07" 40 + "SUPER_SHIFT, 7, hy3:movetoworkspace, 07" 41 + "$mod, 8, workspace, 08" 42 + "SUPER_SHIFT, 8, hy3:movetoworkspace, 08" 43 + "$mod, 9, workspace, 09" 44 + "SUPER_SHIFT, 9, hy3:movetoworkspace, 09" 45 + "$mod, 0, workspace, 10" 46 + "SUPER_SHIFT, 0, hy3:movetoworkspace, 10" 47 + # Scratchpad 48 + "SUPER_SHIFT, -, hy3:movetoworkspace, special:default" 49 + "$mod, -, togglespecialworkspace, default" 50 + 51 + # Window Management 52 + "SUPER_SHIFT, Up, hy3:movewindow, up, once, visible" 53 + "SUPER_SHIFT, K, hy3:movewindow, up, once, visible" 54 + "$mod, Up, hy3:movefocus, up, 
visible, warp" 55 + "$mod, K, hy3:movefocus, up, visible, warp" 56 + 57 + "SUPER_SHIFT, Right, hy3:movewindow, right, once, visible" 58 + "SUPER_SHIFT, L, hy3:movewindow, right, once, visible" 59 + "$mod, Right, hy3:movefocus, right, visible, warp" 60 + "$mod, L, hy3:movefocus, right, visible, warp" 61 + 62 + "SUPER_SHIFT, Left, hy3:movewindow, left, once, visible" 63 + "SUPER_SHIFT, H, hy3:movewindow, left, once, visible" 64 + "$mod, Left, hy3:movefocus, left, visible, warp" 65 + "$mod, H, hy3:movefocus, left, visible, warp" 66 + 67 + "SUPER_SHIFT, Down, hy3:movewindow, down, once, visible" 68 + "SUPER_SHIFT, J, hy3:movewindow, down, once, visible" 69 + "$mod, Down, hy3:movefocus, down, visible, warp" 70 + "$mod, J, hy3:movefocus, down, visible, warp" 71 + 72 + "SUPER_SHIFT, Q, killactive" 73 + "$mod, F, fullscreen, 0" 74 + # Super-(literal equals) 75 + "$mod, code:21, hy3:togglefocuslayer" 76 + # Super-(literal plus) 77 + "SUPER_SHIFT, code:21, togglefloating, active" 78 + 79 + # Screenshots 80 + "SHIFT, F3, exec, hyprshot -m output --raw -z -s | $satty" 81 + "SHIFT, F4, exec, hyprshot -m region --raw -z -s | $satty" 82 + ] 83 + ++ lib.optionals (shell == "caelestia") [ 84 + "$mod, X, global, caelestia:session" 85 + ", XF86PowerOff , global, caelestia:session" 86 + "$mod, Space, global, caelestia:launcher" 87 + ] 88 + ++ lib.optionals (shell == "dms") [ 89 + "$mod, X, exec, dms ipc call powermenu toggle" 90 + ", XF86PowerOff ,exec, dms ipc call powermenu toggle" 91 + "SUPER_SHIFT, X, exec, dms ipc call lock lock" 92 + "$mod, Space, exec, dms ipc call spotlight toggle" 93 + ]; 94 + 95 + bindm = [ 96 + "$mod, mouse:272, movewindow" 97 + ]; 98 + 99 + # Unbind a bunch of default keybinds 100 + unbind = [ 101 + "$mod, C" 102 + "$mod, E" 103 + "$mod, J" 104 + "$mod, M" 105 + "$mod, P" 106 + "$mod, Q" 107 + "$mod, R" 108 + "$mod, V" 109 + ]; 110 + }
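Review bot: The Firefox bind on file line 15 starts the browser with `MOZ_DISABLE_RDD_SANDBOX=1`, which turns off the sandbox around Firefox's media-decoder (RDD) process, the component that parses untrusted audio and video from the web. This variable is usually set as a hardware-decoding workaround; if that is the reason here, record it next to the bind, e.g. `# RDD sandbox off for hardware video decode on <driver>; re-test after Firefox updates`, so the exception can be dropped once it is no longer needed. Firefox started through the `firefox.desktop` handlers in `homeModules/xdg/default.nix` does not inherit the variable, so the setting currently applies on one launch path only.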
+8
homeModules/wayland/monitors.nix
··· 1 + { 2 + monitor = [ 3 + "eDP-1, 2560x1600@165, 0x0, 1, vrr, 1" 4 + "desc:Acer Technologies SA241Y 0x1497CF17, preferred, 2560x0, 1" 5 + # Fallback for random monitors 6 + ", preferred, auto, 1" 7 + ]; 8 + }
+7
homeModules/wayland/plugins.nix
··· 1 + { 2 + plugin = { 3 + hy3 = { 4 + no_gaps_when_only = 1; 5 + }; 6 + }; 7 + }
+10
homeModules/wayland/services.nix
··· 1 + { 2 + config, 3 + ... 4 + }: 5 + let 6 + cfg = config.wayland.windowManager.hyprland; 7 + in 8 + { 9 + services.hyprpolkitagent.enable = cfg.enable; 10 + }
+25
homeModules/wayland/settings.nix
··· 1 + { config, lib, ... }: 2 + let 3 + inherit (config.py.profiles.desktop) shell; 4 + keybinds = import ./keybindings.nix { inherit lib shell; }; 5 + monitors = import ./monitors.nix; 6 + variables = import ./variables.nix; 7 + plugins = import ./plugins.nix; 8 + env = import ./env.nix; 9 + windowrules = import ./windowrules.nix; 10 + in 11 + { 12 + animation = [ 13 + "global, 1, 4, default" 14 + ]; 15 + exec-once = lib.optionals (shell == "dms") [ 16 + "dms run" 17 + "bash -c \"wl-paste --watch cliphist store &\"" 18 + ]; 19 + } 20 + // keybinds 21 + // monitors 22 + // variables 23 + // plugins 24 + // env 25 + // windowrules
+35
homeModules/wayland/variables.nix
··· 1 + # https://wiki.hypr.land/Configuring/Variables 2 + { 3 + general = { 4 + gaps_in = 1; 5 + gaps_out = 10; 6 + layout = "hy3"; 7 + resize_on_border = true; 8 + }; 9 + decoration = { 10 + blur.enabled = false; 11 + shadow.enabled = false; 12 + }; 13 + misc = { 14 + disable_hyprland_logo = true; 15 + disable_splash_rendering = true; 16 + font_family = "Inter"; 17 + mouse_move_focuses_monitor = true; 18 + }; 19 + input = { 20 + kb_options = "caps:escape"; 21 + repeat_delay = 300; 22 + touchpad = { 23 + scroll_factor = 1.5; 24 + tap_button_map = "lmr"; 25 + tap-and-drag = false; 26 + }; 27 + }; 28 + cursor = { 29 + hotspot_padding = 2; 30 + }; 31 + ecosystem = { 32 + no_update_news = true; 33 + no_donation_nag = true; 34 + }; 35 + }
+7
homeModules/wayland/windowrules.nix
··· 1 + { 2 + windowrule = [ 3 + "immediate, content game, title:Celeste" 4 + "tile, title:Melvor Idle" 5 + "immediate, content game, fullscreen, monitor DP-2, class:steam_app_49520, initialClass:steam_app_49520" 6 + ]; 7 + }
+128
homeModules/xdg/default.nix
··· 1 + { 2 + config, 3 + lib, 4 + pkgs, 5 + ... 6 + }: 7 + let 8 + homeDir = config.home.homeDirectory; 9 + pro = config.py.profiles; 10 + in 11 + { 12 + xdg = { 13 + enable = true; 14 + mime.enable = lib.mkIf pro.gui.enable true; 15 + configHome = lib.mkForce "${homeDir}/.config"; 16 + dataHome = lib.mkForce "${homeDir}/.local/share"; 17 + portal = lib.mkIf pro.gui.enable { 18 + enable = true; 19 + xdgOpenUsePortal = true; 20 + extraPortals = [ 21 + pkgs.xdg-desktop-portal-gtk 22 + ]; 23 + config = { 24 + common = { 25 + default = [ 26 + "hyprland" 27 + "gtk" 28 + ]; 29 + "org.freedesktop.impl.portal.FileChooser" = [ "gtk" ]; 30 + }; 31 + }; 32 + }; 33 + mimeApps = lib.mkIf pro.gui.enable { 34 + enable = true; 35 + associations.added = { 36 + "application/pdf" = [ "firefox.desktop" ]; 37 + "application/rdf+xml" = [ "firefox.desktop" ]; 38 + "application/rss+xml" = [ "firefox.desktop" ]; 39 + "application/xhtml+xml" = [ "firefox.desktop" ]; 40 + "application/xhtml_xml" = [ "firefox.desktop" ]; 41 + "application/xml" = [ "firefox.desktop" ]; 42 + "image/gif" = [ 43 + "viewnior.desktop" 44 + "firefox.desktop" 45 + ]; 46 + "image/jpeg" = [ 47 + "viewnior.desktop" 48 + "firefox.desktop" 49 + ]; 50 + "image/png" = [ 51 + "viewnior.desktop" 52 + "firefox.desktop" 53 + ]; 54 + "image/webp" = [ 55 + "viewnior.desktop" 56 + "firefox.desktop" 57 + ]; 58 + "text/html" = [ "firefox.desktop" ]; 59 + "text/xml" = [ "firefox.desktop" ]; 60 + "x-scheme-handler/http" = [ "firefox.desktop" ]; 61 + "x-scheme-handler/https" = [ "firefox.desktop" ]; 62 + "x-scheme-handler/about" = [ "firefox.desktop" ]; 63 + "x-scheme-handler/unknown" = [ "firefox.desktop" ]; 64 + "x-scheme-handler/mailto" = [ 65 + "thunderbird.desktop" 66 + "firefox.desktop" 67 + ]; 68 + "x-scheme-handler/webcal" = [ 69 + "firefox.desktop" 70 + "thunderbird.desktop" 71 + ]; 72 + }; 73 + defaultApplications = { 74 + "application/pdf" = [ "firefox.desktop" ]; 75 + "application/rdf+xml" = [ "firefox.desktop" ]; 76 + 
"application/rss+xml" = [ "firefox.desktop" ]; 77 + "application/xhtml+xml" = [ "firefox.desktop" ]; 78 + "application/xhtml_xml" = [ "firefox.desktop" ]; 79 + "application/xml" = [ "firefox.desktop" ]; 80 + "image/gif" = [ 81 + "viewnior.desktop" 82 + "firefox.desktop" 83 + ]; 84 + "image/jpeg" = [ 85 + "viewnior.desktop" 86 + "firefox.desktop" 87 + ]; 88 + "image/png" = [ 89 + "viewnior.desktop" 90 + "firefox.desktop" 91 + ]; 92 + "image/webp" = [ 93 + "viewnior.desktop" 94 + "firefox.desktop" 95 + ]; 96 + "text/html" = [ "firefox.desktop" ]; 97 + "text/xml" = [ "firefox.desktop" ]; 98 + "x-scheme-handler/http" = [ "firefox.desktop" ]; 99 + "x-scheme-handler/https" = [ "firefox.desktop" ]; 100 + "x-scheme-handler/about" = [ "firefox.desktop" ]; 101 + "x-scheme-handler/unknown" = [ "firefox.desktop" ]; 102 + "x-scheme-handler/mailto" = [ 103 + "thunderbird.desktop" 104 + "firefox.desktop" 105 + ]; 106 + "x-scheme-handler/webcal" = [ 107 + "firefox.desktop" 108 + "thunderbird.desktop" 109 + ]; 110 + "x-scheme-handler/steam" = [ 111 + "steam-native.desktop" 112 + "steam.desktop" 113 + ]; 114 + "x-scheme-handler/steamlink" = [ 115 + "steam-native.desktop" 116 + "steam.desktop" 117 + ]; 118 + }; 119 + }; 120 + userDirs = { 121 + enable = true; 122 + createDirectories = true; 123 + music = "$HOME/music"; 124 + publicShare = "$HOME/.xdg/share"; 125 + templates = "$HOME/.xdg/templates"; 126 + }; 127 + }; 128 + }
-8
homes/x86_64-linux/pyrox@marvin/default.nix
··· 1 - { 2 - snowfallorg.user = { 3 - enable = true; 4 - }; 5 - py = { 6 - profiles.server.enable = true; 7 - }; 8 - }
-8
homes/x86_64-linux/pyrox@prefect/default.nix
··· 1 - { 2 - snowfallorg.user = { 3 - enable = true; 4 - }; 5 - py = { 6 - profiles.server.enable = true; 7 - }; 8 - }
-8
homes/x86_64-linux/pyrox@thought/default.nix
··· 1 - { 2 - snowfallorg.user = { 3 - enable = true; 4 - }; 5 - py = { 6 - profiles.server.enable = true; 7 - }; 8 - }
-55
homes/x86_64-linux/pyrox@zaphod/default.nix
··· 1 - { 2 - pkgs, 3 - ... 4 - }: 5 - { 6 - imports = [ 7 - ./files/pamKeys.nix 8 - ./files/distrobox-config.nix 9 - ]; 10 - snowfallorg.user = { 11 - enable = true; 12 - }; 13 - home.packages = [ 14 - pkgs.mindustry 15 - ]; 16 - py = { 17 - profiles.desktop.enable = true; 18 - }; 19 - py.services.kanshi.settings = [ 20 - { 21 - profile = { 22 - name = "laptop-only"; 23 - outputs = [ 24 - { 25 - criteria = "eDP-1"; 26 - status = "enable"; 27 - scale = 1.2; 28 - position = "0,0"; 29 - adaptiveSync = true; 30 - } 31 - ]; 32 - }; 33 - } 34 - { 35 - profile = { 36 - name = "office"; 37 - outputs = [ 38 - { 39 - criteria = "eDP-1"; 40 - status = "enable"; 41 - scale = 1.2; 42 - position = "0,0"; 43 - adaptiveSync = true; 44 - } 45 - { 46 - criteria = "Acer Technologies SA241Y 0x1497CF17"; 47 - status = "enable"; 48 - scale = 1.0; 49 - position = "2160,0"; 50 - } 51 - ]; 52 - }; 53 - } 54 - ]; 55 - }
-7
homes/x86_64-linux/pyrox@zaphod/files/distrobox-config.nix
··· 1 - { 2 - xdg.configFile."distrobox/distrobox.conf" = { 3 - text = '' 4 - distrobox_sudo_program="doas" 5 - ''; 6 - }; 7 - }
-5
homes/x86_64-linux/pyrox@zaphod/files/pamKeys.nix
··· 1 - { 2 - xdg.configFile."Yubico/u2f_keys".text = '' 3 - thehedgehog:iC1dk7d+DYFX60wpkDlWdwNpkRLXmML7iDjxh4TRXe8OhsAb2pgKiY6tVLHeZIK3WOVA1DuWU8rWlHdma3eqJg==,NdBJTVCvOamU35ad3fJRv6A6YZQIYrojcVk9a8WYMVvTtKO+xyIeBvunlidHv4Zb0rYrOvK6u7Gb4N5x6T6FIQ==,es256,+presence:juWx2IphhNuHZHiv8nG3i2WWTyR5A+CWp5iHz2AmE7aj3b3rgj85Gl1PMpmZlvlwDgbCP+dlcP5PPzTFloB3Ow==,FEXBkP0PzZSURoIbLuGiRRHFIcSiqEz/ieNPRqRY/hqLJ4AsvGwJ1xdIX7F8qAQuMSp8m7usuBLS4u+4FGg3Ng==,es256,+presence 4 - ''; 5 - }
-8
homes/x86_64-linux/thehedgehog@marvin/default.nix
··· 1 - { 2 - snowfallorg.user = { 3 - enable = true; 4 - }; 5 - py = { 6 - profiles.server.enable = true; 7 - }; 8 - }
-8
homes/x86_64-linux/thehedgehog@prefect/default.nix
··· 1 - { 2 - snowfallorg.user = { 3 - enable = true; 4 - }; 5 - py = { 6 - profiles.server.enable = true; 7 - }; 8 - }
-8
homes/x86_64-linux/thehedgehog@thought/default.nix
··· 1 - { 2 - snowfallorg.user = { 3 - enable = true; 4 - }; 5 - py = { 6 - profiles.server.enable = true; 7 - }; 8 - }
-50
homes/x86_64-linux/thehedgehog@zaphod/default.nix
··· 1 - { 2 - pkgs, 3 - ... 4 - }: 5 - { 6 - snowfallorg.user = { 7 - enable = true; 8 - }; 9 - home.packages = [ 10 - pkgs.mindustry 11 - pkgs.signal-desktop-source 12 - ]; 13 - py.profiles.desktop.enable = true; 14 - py.services.kanshi.settings = [ 15 - { 16 - profile = { 17 - name = "laptop-only"; 18 - outputs = [ 19 - { 20 - criteria = "eDP-1"; 21 - status = "enable"; 22 - scale = 1.2; 23 - position = "0,0"; 24 - adaptiveSync = true; 25 - } 26 - ]; 27 - }; 28 - } 29 - { 30 - profile = { 31 - name = "office"; 32 - outputs = [ 33 - { 34 - criteria = "eDP-1"; 35 - status = "enable"; 36 - scale = 1.2; 37 - position = "0,0"; 38 - adaptiveSync = true; 39 - } 40 - { 41 - criteria = "Acer Technologies SA241Y 0x1497CF17"; 42 - status = "enable"; 43 - scale = 1.0; 44 - position = "2160,0"; 45 - } 46 - ]; 47 - }; 48 - } 49 - ]; 50 - }
+69
hosts/default.nix
··· 1 + { inputs, ... }: 2 + { 3 + easy-hosts = { 4 + shared = { 5 + modules = [ 6 + inputs.agenix.nixosModules.default 7 + inputs.ctp.nixosModules.catppuccin 8 + inputs.home-manager.nixosModules.home-manager 9 + inputs.self.nixosModules.chromium 10 + inputs.self.nixosModules.defaultConfig 11 + inputs.self.nixosModules.defaultUsers 12 + inputs.self.nixosModules.firefox 13 + inputs.self.nixosModules.hyprland 14 + inputs.self.nixosModules.forgejo-runner 15 + inputs.self.nixosModules.hm-pyrox 16 + inputs.self.nixosModules.hm-thehedgehog 17 + inputs.self.nixosModules.miscPrograms 18 + inputs.self.nixosModules.neovim 19 + inputs.self.nixosModules.profiles 20 + inputs.self.nixosModules.scrutiny 21 + ]; 22 + }; 23 + path = ./.; 24 + hosts = { 25 + marvin = { 26 + deployable = true; 27 + tags = [ 28 + "server" 29 + "home" 30 + ]; 31 + modules = [ 32 + inputs.golink.nixosModules.default 33 + inputs.tangled.nixosModules.knot 34 + inputs.tangled.nixosModules.spindle 35 + ]; 36 + }; 37 + prefect = { 38 + deployable = true; 39 + tags = [ 40 + "server" 41 + "vps" 42 + ]; 43 + modules = [ 44 + inputs.dn42.nixosModules.default 45 + ]; 46 + }; 47 + thought = { 48 + deployable = true; 49 + tags = [ 50 + "server" 51 + "vps" 52 + ]; 53 + }; 54 + zaphod = { 55 + deployable = true; 56 + tags = [ "laptop" ]; 57 + modules = [ 58 + inputs.hardware.nixosModules.framework-16-7040-amd 59 + inputs.self.nixosModules.hm-pyrox-zaphod 60 + inputs.self.nixosModules.hm-thehedgehog-zaphod 61 + { 62 + home-manager.useGlobalPkgs = true; 63 + home-manager.useUserPackages = true; 64 + } 65 + ]; 66 + }; 67 + }; 68 + }; 69 + }
+58
hosts/marvin/bootloader.nix
··· 1 + { pkgs, ... }: 2 + let 3 + fileSystems = { 4 + btrfs = true; 5 + ext4 = true; 6 + vfat = true; 7 + zfs = true; 8 + }; 9 + in 10 + { 11 + boot = { 12 + extraModulePackages = [ ]; 13 + kernelModules = [ "kvm-amd" ]; 14 + kernelPackages = pkgs.linuxPackages_6_1; 15 + kernelParams = [ "nohibernate" ]; 16 + supportedFilesystems = fileSystems; 17 + zfs.devNodes = "/dev/"; 18 + 19 + # Initrd config 20 + initrd = { 21 + availableKernelModules = [ 22 + "xhci_pci" 23 + "ahci" 24 + "nvme" 25 + "usbhid" 26 + "usb_storage" 27 + "sd_mod" 28 + ]; 29 + supportedFilesystems = fileSystems; 30 + kernelModules = [ ]; 31 + }; 32 + 33 + # Systemd-boot config 34 + loader = { 35 + systemd-boot.enable = true; 36 + systemd-boot.configurationLimit = 5; 37 + efi = { 38 + canTouchEfiVariables = true; 39 + efiSysMountPoint = "/boot/efi"; 40 + }; 41 + }; 42 + 43 + kernel.sysctl = { 44 + "net.ipv4.ip_forward" = 1; 45 + "net.ipv6.conf.all.forwarding" = 1; 46 + }; 47 + 48 + # ZFS Config 49 + # I use ZFS as my bulk data storage 50 + # zfs = { 51 + # enabled = true; 52 + # }; 53 + }; 54 + # ZFS mount stuff 55 + services.udev.extraRules = '' 56 + ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none" 57 + ''; 58 + }
+82
hosts/marvin/default.nix
··· 1 + { ... }: 2 + { 3 + imports = [ 4 + # Machine-specific configurations. 5 + ./bootloader.nix 6 + ./firewall.nix 7 + ./networking.nix 8 + ./hardware.nix 9 + 10 + # Running Services 11 + # keep-sorted start 12 + ./services/anubis.nix 13 + ./services/avahi.nix 14 + ./services/bots.nix 15 + ./services/deemix.nix 16 + ./services/gdq-cals.nix 17 + ./services/git.nix 18 + ./services/golink.nix 19 + ./services/grafana.nix 20 + ./services/immich.nix 21 + ./services/jellyfin.nix 22 + ./services/matrix.nix 23 + ./services/miniflux.nix 24 + ./services/nextcloud 25 + ./services/nginx.nix 26 + ./services/pinchflat.nix 27 + ./services/planka.nix 28 + ./services/pocket-id.nix 29 + ./services/podman.nix 30 + ./services/postgres.nix 31 + ./services/prometheus.nix 32 + ./services/scrutiny.nix 33 + ./services/syncthing.nix 34 + ./services/tailscale.nix 35 + ./services/tangled.nix 36 + ./services/vaultwarden.nix 37 + ./services/zfs.nix 38 + # keep-sorted end 39 + ]; 40 + nix.settings.max-jobs = 12; 41 + networking = { 42 + networkmanager = { 43 + enable = true; 44 + }; 45 + wireless = { 46 + enable = false; 47 + }; 48 + }; 49 + fileSystems = { 50 + "/" = { 51 + fsType = "btrfs"; 52 + device = "/dev/disk/by-uuid/f15e4072-80dc-414e-a1fc-158ea441aebd"; 53 + # options = [ "subvol=@" ]; 54 + }; 55 + "/boot/efi" = { 56 + fsType = "vfat"; 57 + device = "/dev/disk/by-uuid/EE05-66B4"; 58 + }; 59 + "/var" = { 60 + fsType = "zfs"; 61 + device = "tank/var"; 62 + options = [ "zfsutil" ]; 63 + }; 64 + "/var/log/journal" = { 65 + fsType = "zfs"; 66 + device = "tank/var/log/journal"; 67 + options = [ "zfsutil" ]; 68 + }; 69 + }; 70 + swapDevices = [ { device = "/dev/disk/by-uuid/e69409bc-9cf0-4795-8620-33a021a4b729"; } ]; 71 + users.groups.misc.gid = 1000; 72 + time.timeZone = "America/New_York"; 73 + py = { 74 + profiles.server.enable = true; 75 + users.default.enable = true; 76 + programs = { 77 + fish.enable = true; 78 + neovim.enable = true; 79 + }; 80 + }; 81 + services.pulseaudio.enable = 
false; 82 + }
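--- a/hosts/marvin/firewall.nix
+++ b/hosts/marvin/firewall.nix
@@ -0,0 +1,18 @@
+{
+networking.firewall = {
+allowedTCPPorts = [
+80
+443
+6912
+34197
+];
+allowedUDPPorts = [
+4367
+34197
+];
+trustedInterfaces = [
+"tailscale0"
+"wg0"
+];
+};
+}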
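Review bot: `trustedInterfaces = [ "tailscale0" "wg0" ]` exempts all traffic arriving on those interfaces from the firewall, so every service imported in `hosts/marvin/default.nix` that listens on all addresses is reachable by any tailnet or WireGuard peer. Access control then rests on the Tailscale ACLs and the `wg0` peer list, neither of which is visible in this change. If only some services should be reachable that way, list them per interface with `interfaces."tailscale0".allowedTCPPorts = [ ... ];` instead of trusting the interface. The public ports 6912, 34197 and 4367 carry no comment; a short `# <service>` beside each would let the list be audited against what actually runs.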
+12
hosts/marvin/hardware.nix
··· 1 + { 2 + hardware = { 3 + enableAllFirmware = true; 4 + enableRedistributableFirmware = true; 5 + bluetooth.enable = false; 6 + bumblebee.enable = false; 7 + ckb-next.enable = false; 8 + cpu.amd.updateMicrocode = true; 9 + gpgSmartcards.enable = true; 10 + graphics.enable = true; 11 + }; 12 + }
+35
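--- a/hosts/marvin/networking.nix
+++ b/hosts/marvin/networking.nix
@@ -0,0 +1,35 @@
+{ lib, pkgs, ... }:
+{
+networking = {
+hostName = "marvin";
+hostId = "5711215d";
+enableIPv6 = true;
+useDHCP = lib.mkDefault true;
+interfaces = {
+enp42s0.useDHCP = lib.mkDefault true;
+wlp41s0.useDHCP = lib.mkDefault true;
+};
+networkmanager = {
+enable = true;
+};
+wireless.enable = false;
+
+# Enable NAT for containers
+nat = {
+enable = true;
+internalInterfaces = [ "ve-+" ];
+externalInterface = "wlp41s0";
+# Lazy IPv6 connectivity for the container
+enableIPv6 = true;
+};
+};
+systemd.services.wpa_supplicant.environment.OPENSSL_CONF = pkgs.writeText "openssl.cnf" ''
+openssl_conf = openssl_init
+[openssl_init]
+ssl_conf = ssl_sect
+[ssl_sect]
+system_default = system_default_sect
+[system_default_sect]
+Options = UnsafeLegacyRenegotiation
+'';
+}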
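Review bot: The `OPENSSL_CONF` override at the end of the file enables `UnsafeLegacyRenegotiation` for wpa_supplicant with no comment saying which network needs it. This weakens TLS for every EAP handshake the supplicant performs, not just the one that presumably required it. Add a comment above the assignment naming the network and the removal condition, e.g. `# <network name> RADIUS server lacks secure renegotiation; drop once it is fixed`. Since `wireless.enable = false` is set in the same file, also confirm that the `wpa_supplicant` unit this targets is the one NetworkManager actually starts.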
+28
hosts/marvin/services/anubis.nix
··· 1 + { 2 + config, 3 + self', 4 + ... 5 + }: 6 + { 7 + config = { 8 + services.anubis.defaultOptions = { 9 + enable = true; 10 + extraFlags = [ "-metrics-bind \"\"" ]; 11 + settings = { 12 + BIND_NETWORK = "tcp"; 13 + METRICS_BIND_NETWORK = "tcp"; 14 + SERVE_ROBOTS_TXT = true; 15 + COOKIE_DOMAIN = ".pyrox.dev"; 16 + ED25519_PRIVATE_KEY_HEX_FILE = config.age.secrets.anubis-key.path; 17 + OG_PASSTHROUGH = true; 18 + OG_CACHE_CONSIDER_HOST = true; 19 + POLICY_FNAME = "${self'.packages.anubis-files}/policies/default.yaml"; 20 + }; 21 + }; 22 + age.secrets.anubis-key = { 23 + file = ./secrets/anubis-key.age; 24 + owner = "anubis"; 25 + group = "anubis"; 26 + }; 27 + }; 28 + }
+10
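--- a/hosts/marvin/services/avahi.nix
+++ b/hosts/marvin/services/avahi.nix
@@ -0,0 +1,10 @@
+{
+services.avahi = {
+enable = true;
+publish = {
+enable = true;
+addresses = true;
+workstation = true;
+};
+};
+}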
+46
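--- a/hosts/marvin/services/bots.nix
+++ b/hosts/marvin/services/bots.nix
@@ -0,0 +1,46 @@
+{ pkgs, ... }:
+{
+systemd.services = {
+io-bot = {
+enable = false;
+wantedBy = [ "multi-user.target" ];
+after = [
+"network.target"
+"io-bot-lavalink.service"
+];
+description = "I/O, my personal bot";
+path = [ pkgs.python311 ];
+serviceConfig = {
+ExecStart = "${pkgs.bash}/bin/bash start.sh";
+Restart = "always";
+RestartSec = 3;
+WorkingDirectory = "/home/thehedgehog/io-py";
+};
+};
+io-bot-lavalink = {
+enable = false;
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+description = "Lavalink server for I/O";
+serviceConfig = {
+ExecStart = "${pkgs.openjdk17_headless}/bin/java -jar ../Lavalink.jar";
+Restart = "always";
+RestartSec = 3;
+WorkingDirectory = "/home/thehedgehog/io-py/config";
+};
+};
+misc-bot = {
+enable = false;
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+description = "Random Bot 1";
+path = [ pkgs.python311 ];
+serviceConfig = {
+ExecStart = "${pkgs.bash}/bin/bash start.sh";
+Restart = "always";
+RestartSec = 3;
+WorkingDirectory = "/home/thehedgehog/bots/bot1";
+};
+};
+};
+}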
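Review bot: None of the three units sets `User`, so if any is switched to `enable = true` it runs as root. Each one executes `start.sh` or `Lavalink.jar` from a directory under /home/thehedgehog, so whoever can write to that home directory decides what root runs. Add `User = "thehedgehog";` and `Group = "users";` to each `serviceConfig`, as the `gdq-calendars` unit in this commit already does. A dedicated system user with the code outside /home would be cleaner still.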
+53
hosts/marvin/services/buildbot.nix
··· 1 + { config, self, ... }: 2 + let 3 + as = config.age.secrets; 4 + d = self.lib.data.services.buildbot; 5 + g = self.lib.data.services.git; 6 + bbSecret = { 7 + owner = "buildbot"; 8 + group = "buildbot"; 9 + }; 10 + in 11 + { 12 + services = { 13 + buildbot-nix.master = { 14 + enable = true; 15 + dbUrl = "postgresql://buildbot@localhost/buildbot"; 16 + workersFile = as.buildbot-workers.path; 17 + authBackend = "gitea"; 18 + gitea = { 19 + enable = true; 20 + tokenFile = as.buildbot-gitea-token.path; 21 + oauthSecretFile = as.buildbot-oauth-secret.path; 22 + instanceUrl = g.extUrl; 23 + oauthId = "2bfd5c46-43a7-4d98-b443-9176dc0a9452"; 24 + topic = "buildbot-enable"; 25 + }; 26 + admins = [ "pyrox" ]; 27 + domain = d.extUrl; 28 + useHttps = true; 29 + }; 30 + postgresql = { 31 + ensureUsers = [ 32 + { 33 + name = "buildbot"; 34 + ensureDBOwnership = true; 35 + ensureClauses.login = true; 36 + } 37 + ]; 38 + ensureDatabases = [ "buildbot" ]; 39 + }; 40 + buildbot-master.port = 6915; 41 + }; 42 + age.secrets = { 43 + buildbot-gitea-token = bbSecret // { 44 + file = ./secrets/buildbot-gitea-token.age; 45 + }; 46 + buildbot-oauth-secret = bbSecret // { 47 + file = ./secrets/buildbot-oauth-secret.age; 48 + }; 49 + buildbot-workers = bbSecret // { 50 + file = ./secrets/buildbot-workers.age; 51 + }; 52 + }; 53 + }
+21
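--- a/hosts/marvin/services/deemix.nix
+++ b/hosts/marvin/services/deemix.nix
@@ -0,0 +1,21 @@
+{ self, ... }:
+let
+d = self.lib.data.services.deemix;
+in
+{
+virtualisation.oci-containers.containers.deemix = {
+image = "ghcr.io/bambanah/deemix:latest";
+volumes = [
+"/var/lib/deemix:/config"
+"/var/lib/music:/downloads"
+];
+ports = [ "${toString d.port}:6595" ];
+environment = {
+PUID = "1000";
+PGID = "1000";
+UMASK_SET = "022";
+DEEMIX_SINGLE_USER = "true";
+DISABLE_OWNERSHIP_CHECK = "true";
+};
+};
+}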
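Review bot: `image = "ghcr.io/bambanah/deemix:latest"` is a mutable tag, so each pull can bring in different code with no change in this repository; pin it by digest, e.g. `image = "ghcr.io/bambanah/deemix@sha256:<digest>";`. The `ytdlp-bgutil-provider` container in pinchflat.nix has no tag at all and needs the same treatment. Both containers also publish ports without a host address (`"${toString d.port}:6595"` and `"4416:4416"`). With the docker backend selected in podman.nix, published ports are normally reachable on every interface regardless of `networking.firewall`. Prefix the address the consumer actually uses, e.g. `"127.0.0.1:4416:4416"` for the local provider.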
+38
hosts/marvin/services/gdq-cals.nix
··· 1 + { 2 + lib, 3 + pkgs, 4 + ... 5 + }: 6 + let 7 + pyWithLibs = pkgs.python312.withPackages (ps: [ 8 + ps.pytz 9 + ps.icalendar 10 + ps.requests 11 + ps.google-auth-oauthlib 12 + ps.google-api-python-client 13 + ]); 14 + in 15 + { 16 + config.systemd = { 17 + services.gdq-calendars = { 18 + wantedBy = [ "multi-user.target" ]; 19 + description = "GDQ Calendar Updater"; 20 + path = [ pyWithLibs ]; 21 + serviceConfig = { 22 + ExecStart = "${lib.getExe pyWithLibs} gdq_cal_ics_exporter.py --fatales --gcal --disable_general"; 23 + Type = "oneshot"; 24 + WorkingDirectory = "/home/thehedgehog/gdq-cals/"; 25 + User = "thehedgehog"; 26 + Group = "users"; 27 + RemainAfterExit = true; 28 + }; 29 + }; 30 + timers.gdq-calendars = { 31 + wantedBy = [ "timers.target" ]; 32 + timerConfig = { 33 + OnCalendar = "*-*-* 00/2:00:00"; 34 + Unit = "gdq-calendars.service"; 35 + }; 36 + }; 37 + }; 38 + }
+166
hosts/marvin/services/git.nix
··· 1 + { 2 + config, 3 + lib, 4 + pkgs, 5 + self', 6 + self, 7 + ... 8 + }: 9 + let 10 + cfg = config.services.forgejo.settings; 11 + age = config.age.secrets; 12 + 13 + forgejoSecret = { 14 + owner = "forgejo"; 15 + group = "forgejo"; 16 + }; 17 + 18 + d = self.lib.data.services.git; 19 + in 20 + { 21 + catppuccin.forgejo.enable = true; 22 + py.services.forgejo-runner = { 23 + enable = true; 24 + tokenFile = age.forgejo-default-runner-token.path; 25 + }; 26 + services.forgejo = { 27 + enable = true; 28 + package = pkgs.forgejo; 29 + lfs.enable = true; 30 + database = { 31 + type = "postgres"; 32 + createDatabase = true; 33 + passwordFile = age.forgejo-db-pw.path; 34 + }; 35 + secrets = { 36 + mailer.PASSWD = age.forgejo-mail-pw.path; 37 + security.SECRET_KEY = lib.mkForce age.forgejo-secret-key.path; 38 + security.INTERNAL_TOKEN = lib.mkForce age.forgejo-internal-token.path; 39 + oauth2.JWT_SECRET = lib.mkForce age.forgejo-oauth2-jwt-secret.path; 40 + server.LFS_JWT_SECRET = lib.mkForce age.forgejo-lfs-jwt-secret.path; 41 + }; 42 + settings = { 43 + DEFAULT = { 44 + APP_NAME = "dishNet Git"; 45 + RUN_MODE = "prod"; 46 + }; 47 + attachment = { 48 + MAX_SIZE = 200; 49 + }; 50 + log.LOGGER_ROUTER_MODE = ""; 51 + mailer = { 52 + ENABLED = true; 53 + FROM = "dishNet Git <git@pyrox.dev>"; 54 + PROTOCOL = "smtps"; 55 + SMTP_ADDR = "mail.pyrox.dev"; 56 + SMTP_PORT = 465; 57 + USER = "git@pyrox.dev"; 58 + }; 59 + picture = { 60 + ENABLE_FEDERATED_AVATAR = true; 61 + }; 62 + ui = { 63 + DEFAULT_SHOW_FULL_NAME = true; 64 + USE_SERVICE_WORKER = true; 65 + SHOW_USER_EMAIL = false; 66 + }; 67 + "ui.meta" = { 68 + AUTHOR = "dish"; 69 + DESCRIPTION = "dishNet Git Services"; 70 + }; 71 + metrics = { 72 + ENABLED = true; 73 + }; 74 + server = { 75 + DISABLE_SSH = true; 76 + DOMAIN = d.extUrl; 77 + HTTP_PORT = d.port; 78 + ROOT_URL = "https://${cfg.server.DOMAIN}"; 79 + LFS_START_SERVER = true; 80 + }; 81 + # 82 + indexer = { 83 + # Enable issue indexing 84 + ISSUE_INDEXER_TYPE = 
"bleve"; 85 + ISSUE_INDEXER_PATH = "indexers/issues.bleve"; 86 + # Enable repo indexing 87 + REPO_INDEXER_ENABLED = true; 88 + REPO_INDEXER_REPO_TYPES = "sources,forks"; 89 + REPO_INDEXER_TYPE = "bleve"; 90 + REPO_INDEXER_PATH = "indexers/repos.bleve"; 91 + }; 92 + session = { 93 + PROVIDER = "db"; 94 + COOKIE_SECURE = true; 95 + COOKIE_NAME = "pyrogit-session"; 96 + DOMAIN = d.extUrl; 97 + # Sessions last for 1 week 98 + GC_INTERVAL_TIME = 86400 * 7; 99 + SESSION_LIFE_TIME = 86400 * 7; 100 + }; 101 + service = { 102 + DISABLE_REGISTRATION = true; 103 + AUTO_WATCH_NEW_REPOS = false; 104 + }; 105 + security = { 106 + INSTALL_LOCK = true; 107 + COOKIE_USERNAME = "pyrogit-user"; 108 + COOKIE_REMEMBER_NAME = "pyrogit-auth"; 109 + MIN_PASSWORD_LENGTH = 10; 110 + PASSWORD_COMPLEXITY = "lower,upper,digit,spec"; 111 + PASSWORD_HASH_ALGO = "argon2"; 112 + PASSWORD_CHECK_PWN = true; 113 + ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true; 114 + # Only allow reverse proxies from Tailscale tailnet 115 + REVERSE_PROXY_TRUSTED_PROXIES = "10.64.0.0/10"; 116 + }; 117 + actions = { 118 + ENABLED = true; 119 + }; 120 + }; 121 + }; 122 + age.secrets = lib.mkIf config.services.forgejo.enable { 123 + forgejo-db-pw = forgejoSecret // { 124 + file = ./secrets/forgejo/db-pw.age; 125 + }; 126 + forgejo-mail-pw = forgejoSecret // { 127 + file = ./secrets/forgejo/mail-pw.age; 128 + }; 129 + forgejo-aux-docs-runner-token = forgejoSecret // { 130 + file = ./secrets/forgejo/aux-docs-runner-token.age; 131 + }; 132 + forgejo-default-runner-token = forgejoSecret // { 133 + file = ./secrets/forgejo/default-runner-token.age; 134 + }; 135 + forgejo-gitgay-runner-token = forgejoSecret // { 136 + file = ./secrets/forgejo/gitgay-runner-token.age; 137 + }; 138 + forgejo-internal-token = forgejoSecret // { 139 + file = ./secrets/forgejo/internal-token.age; 140 + }; 141 + forgejo-oauth2-jwt-secret = forgejoSecret // { 142 + file = ./secrets/forgejo/oauth2-jwt-secret.age; 143 + }; 144 + forgejo-lfs-jwt-secret 
= forgejoSecret // { 145 + file = ./secrets/forgejo/lfs-jwt-secret.age; 146 + }; 147 + forgejo-secret-key = forgejoSecret // { 148 + file = ./secrets/forgejo/secret-key.age; 149 + }; 150 + }; 151 + services.anubis.instances.forgejo = lib.mkIf config.services.forgejo.enable { 152 + settings = { 153 + BIND = ":${toString d.anubis}"; 154 + POLICY_FNAME = "${self'.packages.anubis-files}/policies/forgejo.yaml"; 155 + TARGET = "http://localhost:${toString d.port}"; 156 + }; 157 + }; 158 + services.prometheus.scrapeConfigs = lib.mkIf config.services.forgejo.enable [ 159 + { 160 + job_name = "forgejo"; 161 + static_configs = [ 162 + { targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ]; } 163 + ]; 164 + } 165 + ]; 166 + }
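Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = "10.64.0.0/10"` under `security` does not match its own comment: Tailscale addresses come from 100.64.0.0/10, which is what `trusted_proxies` in the Nextcloud config of this commit uses. As written, Forgejo accepts forwarded-client headers from 10.64.0.0–10.127.255.255 and not from the tailnet proxy. Change it to `REVERSE_PROXY_TRUSTED_PROXIES = "100.64.0.0/10";`, or narrow it to the proxy host's own tailnet address if only one host forwards traffic. `metrics.ENABLED = true` is set without a metrics token in this file, so check whether `/metrics` is reachable through the public proxy.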
+5
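--- a/hosts/marvin/services/golink.nix
+++ b/hosts/marvin/services/golink.nix
@@ -0,0 +1,5 @@
+{
+services.golink = {
+enable = true;
+};
+}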
+69
hosts/marvin/services/grafana.nix
··· 1 + { 2 + config, 3 + self', 4 + self, 5 + ... 6 + }: 7 + let 8 + d = self.lib.data.services.grafana; 9 + a = self.lib.data.services.authentik; 10 + in 11 + { 12 + services.grafana = { 13 + enable = true; 14 + settings = { 15 + analytics.reporting_enable = false; 16 + "auth.generic_oauth" = { 17 + name = "central"; 18 + icon = "signin"; 19 + enabled = "true"; 20 + client_id = "89f4607cf446a777a6b25ebde8731cdcb80b04c1"; 21 + client_secret = "89eccaa8a31104c218df5cfe37c87f0ea0bbddcd1571bddb7f7fbf5a09045efd59c61f1caaa79483ad59aac2c19488b254acdaced47e66a6505865a14a63ac4a"; 22 + auth_url = "https://${a.extUrl}/application/o/authorize/"; 23 + token_url = "https://${a.extUrl}/application/o/token/"; 24 + api_url = "https://${a.extUrl}/application/o/userinfo/"; 25 + scopes = "openid profile email"; 26 + }; 27 + "auth" = { 28 + signout_redirect_url = "https://${a.extUrl}/if/session-end/stathog/"; 29 + disableLoginForm = true; 30 + }; 31 + security = { 32 + admin_user = "pyrox"; 33 + admin_password = "$__file{${config.age.secrets.grafana-admin.path}}"; 34 + }; 35 + server = { 36 + root_url = "https://${d.extUrl}"; 37 + domain = d.extUrl; 38 + http_port = d.port; 39 + http_addr = "0.0.0.0"; 40 + }; 41 + smtp = { 42 + enabled = true; 43 + user = "grafana@pyrox.dev"; 44 + from_address = "grafana@pyrox.dev"; 45 + host = "mail.pyrox.dev:465"; 46 + password = "$__file{${config.age.secrets.grafana-smtp-password.path}}"; 47 + }; 48 + }; 49 + }; 50 + age.secrets = { 51 + grafana-admin = { 52 + file = ./secrets/grafana-admin-password.age; 53 + owner = "grafana"; 54 + group = "grafana"; 55 + }; 56 + grafana-smtp-password = { 57 + file = ./secrets/grafana-smtp-password.age; 58 + owner = "grafana"; 59 + group = "grafana"; 60 + }; 61 + }; 62 + services.anubis.instances.grafana = { 63 + settings = { 64 + BIND = ":${toString d.anubis}"; 65 + POLICY_FNAME = "${self'.packages.anubis-files}/policies/default.yaml"; 66 + TARGET = "http://localhost:${toString d.port}"; 67 + }; 68 + }; 69 + }
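Review bot: `client_secret` in `"auth.generic_oauth"` is a literal in the file, so it is in the repository history and is copied world-readable into the Nix store. The admin and SMTP passwords a few lines below already go through agenix with `$__file{...}`. Treat the value as exposed: rotate it at the identity provider and load the new one the same way, e.g. `client_secret = "$__file{${config.age.secrets.grafana-oauth-secret.path}}";`, with a matching `age.secrets` entry owned by `grafana` (the secret name is a suggestion). Separately, `http_addr = "0.0.0.0"` exposes Grafana's raw port beside its Anubis instance; bind to `127.0.0.1` unless a remote host must reach it directly.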
+223
hosts/marvin/services/immich-config.json
··· 1 + { 2 + "backup": { 3 + "database": { 4 + "cronExpression": "0 02 * * *", 5 + "enabled": true, 6 + "keepLastAmount": 14 7 + } 8 + }, 9 + "ffmpeg": { 10 + "accel": "vaapi", 11 + "accelDecode": true, 12 + "acceptedAudioCodecs": ["aac", "mp3", "libopus"], 13 + "acceptedContainers": ["mov", "ogg", "webm"], 14 + "acceptedVideoCodecs": ["h264"], 15 + "bframes": -1, 16 + "cqMode": "auto", 17 + "crf": 23, 18 + "gopSize": 0, 19 + "maxBitrate": "0", 20 + "preferredHwDevice": "auto", 21 + "preset": "veryfast", 22 + "refs": 0, 23 + "targetAudioCodec": "aac", 24 + "targetResolution": "720", 25 + "targetVideoCodec": "h264", 26 + "temporalAQ": false, 27 + "threads": 0, 28 + "tonemap": "hable", 29 + "transcode": "required", 30 + "twoPass": false 31 + }, 32 + "image": { 33 + "colorspace": "p3", 34 + "extractEmbedded": false, 35 + "fullsize": { 36 + "enabled": false, 37 + "format": "jpeg", 38 + "quality": 80 39 + }, 40 + "preview": { 41 + "format": "jpeg", 42 + "quality": 80, 43 + "size": 1440 44 + }, 45 + "thumbnail": { 46 + "format": "webp", 47 + "quality": 80, 48 + "size": 250 49 + } 50 + }, 51 + "job": { 52 + "backgroundTask": { 53 + "concurrency": 5 54 + }, 55 + "faceDetection": { 56 + "concurrency": 2 57 + }, 58 + "library": { 59 + "concurrency": 5 60 + }, 61 + "metadataExtraction": { 62 + "concurrency": 5 63 + }, 64 + "migration": { 65 + "concurrency": 5 66 + }, 67 + "notifications": { 68 + "concurrency": 5 69 + }, 70 + "ocr": { 71 + "concurrency": 1 72 + }, 73 + "search": { 74 + "concurrency": 5 75 + }, 76 + "sidecar": { 77 + "concurrency": 5 78 + }, 79 + "smartSearch": { 80 + "concurrency": 2 81 + }, 82 + "thumbnailGeneration": { 83 + "concurrency": 3 84 + }, 85 + "videoConversion": { 86 + "concurrency": 1 87 + }, 88 + "workflow": { 89 + "concurrency": 5 90 + } 91 + }, 92 + "library": { 93 + "scan": { 94 + "cronExpression": "0 0 * * *", 95 + "enabled": true 96 + }, 97 + "watch": { 98 + "enabled": false 99 + } 100 + }, 101 + "logging": { 102 + "enabled": true, 103 + 
"level": "log" 104 + }, 105 + "machineLearning": { 106 + "availabilityChecks": { 107 + "enabled": true, 108 + "interval": 30000, 109 + "timeout": 2000 110 + }, 111 + "clip": { 112 + "enabled": true, 113 + "modelName": "ViT-B-16-SigLIP2__webli" 114 + }, 115 + "duplicateDetection": { 116 + "enabled": true, 117 + "maxDistance": 0.01 118 + }, 119 + "enabled": true, 120 + "facialRecognition": { 121 + "enabled": true, 122 + "maxDistance": 0.5, 123 + "minFaces": 7, 124 + "minScore": 0.7, 125 + "modelName": "buffalo_l" 126 + }, 127 + "ocr": { 128 + "enabled": true, 129 + "maxResolution": 736, 130 + "minDetectionScore": 0.5, 131 + "minRecognitionScore": 0.8, 132 + "modelName": "EN__PP-OCRv5_mobile" 133 + }, 134 + "urls": ["http://localhost:3003"] 135 + }, 136 + "map": { 137 + "darkStyle": "https://tiles.immich.cloud/v1/style/dark.json", 138 + "enabled": true, 139 + "lightStyle": "https://tiles.immich.cloud/v1/style/light.json" 140 + }, 141 + "metadata": { 142 + "faces": { 143 + "import": false 144 + } 145 + }, 146 + "newVersionCheck": { 147 + "enabled": false 148 + }, 149 + "nightlyTasks": { 150 + "clusterNewFaces": true, 151 + "databaseCleanup": true, 152 + "generateMemories": true, 153 + "missingThumbnails": true, 154 + "startTime": "00:00", 155 + "syncQuotaUsage": true 156 + }, 157 + "notifications": { 158 + "smtp": { 159 + "enabled": true, 160 + "from": "dishNet Photos <immich@pyrox.dev>", 161 + "replyTo": "", 162 + "transport": { 163 + "host": "mail.pyrox.dev", 164 + "ignoreCert": false, 165 + "port": 25, 166 + "secure": true, 167 + "username": "immich@pyrox.dev" 168 + } 169 + } 170 + }, 171 + "oauth": { 172 + "autoLaunch": false, 173 + "autoRegister": true, 174 + "buttonText": "Login with Pocket-ID", 175 + "clientId": "f1312240-d9fc-4336-aca6-b98316867848", 176 + "defaultStorageQuota": null, 177 + "enabled": true, 178 + "issuerUrl": "https://auth.pyrox.dev", 179 + "mobileOverrideEnabled": false, 180 + "mobileRedirectUri": "", 181 + "profileSigningAlgorithm": "none", 
182 + "roleClaim": "immich_role", 183 + "scope": "openid email profile immich_role", 184 + "signingAlgorithm": "RS256", 185 + "storageLabelClaim": "preferred_username", 186 + "storageQuotaClaim": "immich_quota", 187 + "timeout": 30000, 188 + "tokenEndpointAuthMethod": "client_secret_post" 189 + }, 190 + "passwordLogin": { 191 + "enabled": true 192 + }, 193 + "reverseGeocoding": { 194 + "enabled": true 195 + }, 196 + "server": { 197 + "externalDomain": "https://img.pyrox.dev", 198 + "loginPageMessage": "", 199 + "publicUsers": true 200 + }, 201 + "storageTemplate": { 202 + "enabled": false, 203 + "hashVerificationEnabled": true, 204 + "template": "{{y}}/{{y}}-{{MM}}-{{dd}}/{{filename}}" 205 + }, 206 + "templates": { 207 + "email": { 208 + "albumInviteTemplate": "", 209 + "albumUpdateTemplate": "", 210 + "welcomeTemplate": "" 211 + } 212 + }, 213 + "theme": { 214 + "customCss": "" 215 + }, 216 + "trash": { 217 + "days": 30, 218 + "enabled": true 219 + }, 220 + "user": { 221 + "deleteDelay": 7 222 + } 223 + }
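Review bot: `"port": 25` with `"secure": true` under `notifications.smtp.transport` is an unusual pairing; the other services in this commit reach mail.pyrox.dev on 465 with implicit TLS. If `secure` means TLS-on-connect here, delivery on port 25 will most likely fail, and `"port": 465` would match the rest; verify against the mail server. `passwordLogin.enabled` also stays `true` alongside OAuth with `autoRegister`, so local passwords remain a second way in. Set it to `false` once Pocket-ID login is confirmed, if that is not wanted.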
+51
hosts/marvin/services/immich.nix
··· 1 + { 2 + self, 3 + config, 4 + lib, 5 + ... 6 + }: 7 + let 8 + d = self.lib.data.services.immich; 9 + in 10 + { 11 + services = { 12 + immich = { 13 + inherit (d) port; 14 + enable = true; 15 + host = "0.0.0.0"; 16 + redis.enable = true; 17 + mediaLocation = "/var/media/photos/"; 18 + accelerationDevices = [ "/dev/dri/renderD128" ]; 19 + settings = lib.recursiveUpdate (builtins.fromJSON (builtins.readFile ./immich-config.json)) { 20 + oauth.clientSecret._secret = config.age.secrets.immich-oauth-secret.path; 21 + notifications.smtp.transport.password._secret = config.age.secrets.immich-mail-pw.path; 22 + server.externalDomain = "https://${d.extUrl}"; 23 + }; 24 + }; 25 + immich-public-proxy = { 26 + enable = true; 27 + port = d.pubProxy; 28 + immichUrl = "http://localhost:${toString d.port}"; 29 + settings.ipp = { 30 + downloadedFilename = 1; 31 + }; 32 + }; 33 + }; 34 + systemd.services.immich-public-proxy.environment.PUBLIC_BASE_URL = "https://${d.extUrl}"; 35 + users.users.immich.extraGroups = [ 36 + "video" 37 + "render" 38 + ]; 39 + age.secrets = { 40 + immich-oauth-secret = { 41 + file = ./secrets/immich/oauth-secret.age; 42 + owner = "immich"; 43 + group = "immich"; 44 + }; 45 + immich-mail-pw = { 46 + file = ./secrets/immich/mail-pw.age; 47 + owner = "immich"; 48 + group = "immich"; 49 + }; 50 + }; 51 + }
+71
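--- a/hosts/marvin/services/jellyfin.nix
+++ b/hosts/marvin/services/jellyfin.nix
@@ -0,0 +1,71 @@
+{
+lib,
+config,
+self',
+...
+}:
+let
+cfg = config.services.jellyfin;
+in
+{
+services.jellyfin = {
+enable = true;
+};
+users.users.jellyfin.extraGroups = [
+"input"
+"render"
+"video"
+];
+networking.firewall.allowedUDPPorts = [
+1900
+7359
+];
+services.prometheus.scrapeConfigs = lib.mkIf cfg.enable [
+{
+job_name = "jellyfin_server";
+static_configs = [ { targets = [ "127.0.0.1:8096" ]; } ];
+}
+{
+job_name = "jellyfin";
+static_configs = [ { targets = [ "127.0.0.1:30103" ]; } ];
+}
+];
+systemd.services.jellyfin-exporter = lib.mkIf cfg.enable {
+enable = true;
+wantedBy = [ "multi-user.target" ];
+after = [
+"network.target"
+"jellyfin.service"
+];
+description = "Jellyfin Metrics Exporter for Prometheus";
+serviceConfig = {
+ExecStart = "${lib.getExe self'.packages.jellyfin-exporter} @${config.age.secrets.jellyfin-exporter-config.path}";
+ReadOnlyPaths = [ config.age.secrets.jellyfin-exporter-config.path ];
+Restart = "always";
+DynamicUser = true;
+User = "jellyfin-exporter";
+Group = "jellyfin-exporter";
+StateDirectory = "jellyfin-exporter";
+CacheDirectory = "stalwart-mail";
+
+# Hardening
+MemoryDenyWriteExecute = true;
+PrivateDevices = true;
+PrivateTmp = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHome = true;
+ProtectHostname = true;
+ProtectKernelLogs = true;
+ProtectKernelModules = true;
+ProtectKernelTunables = true;
+RestrictNamespaces = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+};
+};
+age.secrets.jellyfin-exporter-config = lib.mkIf cfg.enable {
+file = ./secrets/jellyfin-exporter-config.age;
+mode = "444";
+};
+}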
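Review bot: `mode = "444"` on `age.secrets.jellyfin-exporter-config` makes the decrypted file readable by every local user, presumably to work around `DynamicUser = true`. Passing it as a systemd credential keeps the secret root-only: add `LoadCredential = "config:${config.age.secrets.jellyfin-exporter-config.path}";`, point `ExecStart` at `@%d/config`, and drop `mode`. `CacheDirectory = "stalwart-mail"` looks copied from another unit and should probably be `"jellyfin-exporter"`. The hardening list also omits `NoNewPrivileges` and `RestrictAddressFamilies`, both of which the planka units in this commit set.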
+53
hosts/marvin/services/matrix.nix
··· 1 + { 2 + self, 3 + ... 4 + }: 5 + let 6 + d = self.lib.data.services.matrix-server; 7 + in 8 + { 9 + services.matrix-conduit = { 10 + enable = true; 11 + 12 + settings.global = { 13 + inherit (d) port; 14 + server_name = "pyrox.dev"; 15 + max_request_size = 1024 * 1024 * 50; 16 + allow_registration = false; 17 + allow_federation = true; 18 + allow_check_for_updates = false; 19 + trusted_servers = [ 20 + "matrix.org" 21 + "vector.im" 22 + "catgirl.cloud" 23 + "nixos.org" 24 + ]; 25 + address = "0.0.0.0"; 26 + well_known = { 27 + client = "https://${d.extUrl}"; 28 + server = "${d.extUrl}:443"; 29 + }; 30 + media = { 31 + backend = "filesystem"; 32 + directory_structure = { 33 + depth = 2; 34 + length = 3; 35 + }; 36 + retention = [ 37 + { 38 + space = "100G"; 39 + } 40 + { 41 + scope = "remote"; 42 + accessed = "30d"; 43 + created = "90d"; 44 + } 45 + { 46 + scope = "thumbnail"; 47 + space = "1G"; 48 + } 49 + ]; 50 + }; 51 + }; 52 + }; 53 + }
+38
hosts/marvin/services/miniflux.nix
··· 1 + { 2 + config, 3 + self, 4 + ... 5 + }: 6 + let 7 + d = self.lib.data.services.miniflux; 8 + in 9 + { 10 + services.miniflux = { 11 + enable = true; 12 + config = { 13 + PORT = d.port; 14 + FETCH_YOUTUBE_WATCH_TIME = 1; 15 + BASE_URL = "https://${d.extUrl}"; 16 + CREATE_ADMIN = 1; 17 + WEBAUTHN = 1; 18 + WORKER_POOL_SIZE = 5; 19 + }; 20 + adminCredentialsFile = config.age.secrets.miniflux-admin.path; 21 + }; 22 + users.users.miniflux.isSystemUser = true; 23 + users.users.miniflux.group = "miniflux"; 24 + users.groups.miniflux = { }; 25 + age.secrets = { 26 + miniflux-admin = { 27 + file = ./secrets/miniflux-admin.age; 28 + owner = "miniflux"; 29 + group = "miniflux"; 30 + }; 31 + }; 32 + services.anubis.instances.miniflux = { 33 + settings = { 34 + BIND = ":${toString d.anubis}"; 35 + TARGET = "http://localhost:${toString d.port}"; 36 + }; 37 + }; 38 + }
+112
hosts/marvin/services/nextcloud/default.nix
··· 1 + { 2 + config, 3 + pkgs, 4 + lib, 5 + self', 6 + self, 7 + ... 8 + }: 9 + let 10 + d = self.lib.data.services.nextcloud; 11 + i = self.lib.data.services.nextcloud-imaginary; 12 + in 13 + { 14 + imports = [ 15 + ./office.nix 16 + ./imaginary.nix 17 + ]; 18 + services.nextcloud = { 19 + enable = true; 20 + package = pkgs.nextcloud32; 21 + phpPackage = lib.mkForce pkgs.php82; 22 + appstoreEnable = true; 23 + caching.redis = true; 24 + # Enable Webfinger 25 + webfinger = true; 26 + # Any additional PHP Extensions we need 27 + phpExtraExtensions = all: [ 28 + all.pdlib 29 + all.bz2 30 + ]; 31 + config = { 32 + adminpassFile = config.age.secrets.nextcloud-admin-pw.path; 33 + adminuser = "pyrox"; 34 + dbtype = "pgsql"; 35 + }; 36 + settings = { 37 + default_phone_region = "US"; 38 + overwriteprotocol = "https"; 39 + trusted_proxies = [ "100.64.0.0/10" ]; 40 + # Preview Settings 41 + "preview_imaginary_url" = "http://localhost:${builtins.toString i.port}"; 42 + "preview_format" = "webp"; 43 + "preview_ffmpeg_path" = "${pkgs.ffmpeg-headless}/bin/ffmpeg"; 44 + "enabledPreviewProviders" = [ 45 + "OC\\Preview\\Font" 46 + "OC\\Preview\\Krita" 47 + "OC\\Preview\\MP3" 48 + "OC\\Preview\\MarkDown" 49 + "OC\\Preview\\MSOfficeDoc" 50 + "OC\\Preview\\OpenDocument" 51 + "OC\\Preview\\TXT" 52 + "OC\\Preview\\Imaginary" 53 + ]; 54 + # Memories Configuration 55 + "memories.exiftool" = "${pkgs.exiftool}/bin/exiftool"; 56 + "memories.exiftool_no_local" = true; 57 + # # Index Everything 58 + "memories.index.mode" = "1"; 59 + # # GIS Data in Postgres 60 + "memories.gis_type" = 2; 61 + # # Transcoding 62 + "memories.vod.disable" = false; 63 + "memories.vod.vaapi" = true; 64 + "memories.vod.nvenc" = false; 65 + "memories.vod.use_gop_size" = false; # NVENV-only 66 + "memories.vod.ffmpeg" = "${pkgs.ffmpeg-headless}/bin/ffmpeg"; 67 + "memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe"; 68 + "memories.vod.path" = "/var/lib/nextcloud/store-apps/memories/bin-ext/go-vod-amd64"; 69 + 
"memories.vod.external" = false; 70 + 71 + # Recognize Options 72 + "node_binary" = "${pkgs.nodejs_20}/bin/node"; 73 + "tensorflow.cores" = 6; 74 + "tensorflow.gpu" = false; 75 + "musicnn.enabled" = false; 76 + "movinet.enabled" = false; 77 + "faces.enable" = true; 78 + "imagenet.enabled" = true; 79 + "landmarks.enabled" = true; 80 + }; 81 + phpOptions = { 82 + "opcache.interned_strings_buffer" = "32"; 83 + "opcache.jit" = "1255"; 84 + "opcache.jit_buffer_size" = "256M"; 85 + "opcache.save_comments" = "1"; 86 + "opcache.validate_timestamps" = "0"; 87 + }; 88 + poolSettings = { 89 + "pm" = "dynamic"; 90 + "pm.max_children" = 43; 91 + "pm.start_servers" = 10; 92 + "pm.min_spare_servers" = 10; 93 + "pm.max_spare_servers" = 32; 94 + "pm.max_requests" = 500; 95 + }; 96 + configureRedis = true; 97 + database.createLocally = true; 98 + hostName = d.extUrl; 99 + }; 100 + age.secrets.nextcloud-admin-pw = { 101 + file = ./nextcloud-admin-pw.age; 102 + owner = "nextcloud"; 103 + group = "nextcloud"; 104 + }; 105 + services.anubis.instances.nextcloud = { 106 + settings = { 107 + BIND = ":${toString d.anubis}"; 108 + POLICY_FNAME = "${self'.packages.anubis-files}/policies/nextcloud.yaml"; 109 + TARGET = "http://localhost:${toString d.port}"; 110 + }; 111 + }; 112 + }
+13
hosts/marvin/services/nextcloud/imaginary.nix
··· 1 + { self, ... }: 2 + let 3 + d = self.lib.data.services.nextcloud-imaginary; 4 + in 5 + { 6 + services.imaginary = { 7 + inherit (d) port; 8 + enable = true; 9 + address = "localhost"; 10 + settings.return-size = true; 11 + settings.disable-endpoints = "form"; 12 + }; 13 + }
+21
hosts/marvin/services/nextcloud/nextcloud-admin-pw.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA f3m5ux9oJxmPDheJ82b171yuc+2/YfPklKOi9+TRqAk 3 + QlVi9vN0mFBwa4lGeWgHhy7xeGmzv87lHy1teE4Ju38 4 + -> ssh-rsa fFaiTA 5 + OE+aFl2tmjMJOOtfhoVGOnWmF64OqGQ21FuhcCaDz+K05lmO4F+6q0dblr/8gOD/ 6 + aUX7qKNS6/ylBn1sjdWs6LKEFSfQQmPD26MDAFciDRMR5GCylKQzVN+ZVFjS36tr 7 + tWl1wiuGlK25szMdPMTfH2mUd2RpyceGirTFXbDppBQvlboivVV51FVgHQJUmell 8 + ak4dXDNvlSX/Q2VfIrfr6LurJrPPpJ8phgD/yqvwoEr1DhbrtdBJWHLnP7GlAi9D 9 + WexmhyWALCbfJjpPTKBumGmFFzCf5FvEhw4WW3wSkK+RwoyPDq+f5JyM0mEUNgjM 10 + tI5cbyaZ+FuoZgwouSLPU1zSaE5DCucRrWoMLw/F/1rXZl6aXmiX+sJYhwTOnfvS 11 + UxEs+7i+E/+yPP0otfoEeU7fSUQgkVcfDwwCF95vvSoX2ZeocU3IaosovmQNHiQk 12 + VNR2z8WZx7y5bBxxxMuA9sKwhDbqpS+O7Yr34PSO2aZMvctfJZMFHOGO3LWtCMOo 13 + /EtZSwtTL1P3z7ZVr9SpBOT1Cp5f6JhM8fRwcv/+cssWrv031LDpX7R2lUXd0E9/ 14 + b8ZI6NotJfXicqf1qS91GYttz9FpXKSTx+wc28eEQNoHdE9vJydYd8p/FfsPNnbo 15 + E7kEz0KgTTIC0lfRN5/CKHJ3urAN47UCzBkht/gArHM 16 + -> ssh-ed25519 wpmdHA miwIKKntwHzAVfbSs0wQyxEuiPGS4OPisTtLkasNaHE 17 + psG8Q1MCrd2cuHNFhBoJlHTUA8Rk2alsRahoaTaZ96I 18 + -> f-grease Q=!6H\ CBdSy[)u 19 + sOGvXIX7dyTl5tFUlDOfuXyR5KrAFTehzsMhjUiqFD/N 20 + --- 6GHjrSO/f/nkqePu2iFESH76n7G1KPN6F+xp6ChHPec 21 + ��!��c�8i^����lκ�l>�E|o�q��T�[9��V�I�J^}�� � O{:5�> ��Sb����J�p�
+29
hosts/marvin/services/nextcloud/office.nix
··· 1 + { self', self, ... }: 2 + let 3 + d = self.lib.data.services.nextcloud-office; 4 + in 5 + { 6 + services.collabora-online = { 7 + enable = true; 8 + inherit (d) port; 9 + settings = { 10 + ssl.enable = false; 11 + ssl.termination = true; 12 + }; 13 + aliasGroups = [ 14 + { 15 + host = "https://office.pyrox.dev:443"; 16 + } 17 + { 18 + host = "https://cloud.pyrox.dev:443"; 19 + } 20 + ]; 21 + }; 22 + services.anubis.instances.nextcloud-office = { 23 + settings = { 24 + BIND = ":${toString d.anubis}"; 25 + POLICY_FNAME = "${self'.packages.anubis-files}/policies/nextcloud-office.yaml"; 26 + TARGET = "http://localhost:${toString d.port}"; 27 + }; 28 + }; 29 + }
+18
hosts/marvin/services/nginx.nix
··· 1 + { self, ... }: 2 + let 3 + n = self.lib.data.services.nextcloud; 4 + in 5 + { 6 + services.nginx = { 7 + virtualHosts = { 8 + "${n.extUrl}" = { 9 + listen = [ 10 + { 11 + inherit (n) port; 12 + addr = "0.0.0.0"; 13 + } 14 + ]; 15 + }; 16 + }; 17 + }; 18 + }
+48
hosts/marvin/services/pinchflat.nix
··· 1 + { 2 + config, 3 + lib, 4 + self, 5 + ... 6 + }: 7 + let 8 + cfg = config.services.pinchflat; 9 + age = config.age.secrets; 10 + d = self.lib.data.services.pinchflat; 11 + in 12 + { 13 + services.pinchflat = { 14 + enable = true; 15 + inherit (d) port; 16 + secretsFile = age.pinchflat-secrets.path; 17 + mediaDir = "/var/media/youtube"; 18 + extraConfig = { 19 + YT_DLP_WORKER_CONCURRENCY = 2; 20 + }; 21 + }; 22 + systemd.services.pinchflat = lib.mkIf cfg.enable { 23 + serviceConfig = { 24 + DynamicUser = lib.mkForce false; 25 + User = lib.mkForce "pinchflat"; 26 + Group = lib.mkForce "pinchflat"; 27 + }; 28 + }; 29 + users.users.pinchflat = lib.mkIf cfg.enable { 30 + isSystemUser = true; 31 + group = "pinchflat"; 32 + }; 33 + users.groups.pinchflat = lib.mkIf cfg.enable { }; 34 + age.secrets = lib.mkIf cfg.enable { 35 + pinchflat-secrets = { 36 + owner = "pinchflat"; 37 + group = "pinchflat"; 38 + file = ./secrets/pinchflat-secrets.age; 39 + }; 40 + }; 41 + # BGUtil Docker Container for yt-dlp 42 + virtualisation.oci-containers.containers.ytdlp-bgutil-provider = lib.mkIf cfg.enable { 43 + image = "brainicism/bgutil-ytdlp-pot-provider"; 44 + ports = [ 45 + "4416:4416" 46 + ]; 47 + }; 48 + }
+122
hosts/marvin/services/planka.nix
··· 1 + { 2 + lib, 3 + config, 4 + self, 5 + self', 6 + pkgs, 7 + ... 8 + }: 9 + let 10 + d = self.lib.data.services.planka; 11 + 12 + commonServiceConfig = { 13 + EnvironmentFile = config.age.secrets.planka-env.path; 14 + StateDirectory = "planka"; 15 + WorkingDirectory = "/var/lib/planka"; 16 + User = "planka"; 17 + Group = "planka"; 18 + 19 + # Hardening 20 + LockPersonality = true; 21 + NoNewPrivileges = true; 22 + PrivateDevices = true; 23 + PrivateMounts = true; 24 + PrivateTmp = true; 25 + PrivateUsers = true; 26 + ProtectClock = true; 27 + ProtectControlGroups = true; 28 + ProtectHome = true; 29 + ProtectHostname = true; 30 + ProtectKernelLogs = true; 31 + ProtectKernelModules = true; 32 + ProtectKernelTunables = true; 33 + ProtectProc = "invisible"; 34 + RemoveIPC = true; 35 + RestrictRealtime = true; 36 + RestrictSUIDSGID = true; 37 + UMask = "0660"; 38 + RestrictAddressFamilies = [ 39 + "AF_UNIX" 40 + "AF_INET" 41 + "AF_INET6" 42 + ]; 43 + }; 44 + in 45 + { 46 + systemd = { 47 + tmpfiles.settings = { 48 + "10-planka"."/var/lib/planka".d = { 49 + group = "planka"; 50 + user = "planka"; 51 + mode = "0755"; 52 + }; 53 + }; 54 + services = { 55 + planka-init-db = { 56 + wantedBy = [ "multi-user.target" ]; 57 + after = [ "postgres.target" ]; 58 + description = "Planka Kanban Database Init Script"; 59 + path = [ 60 + pkgs.nodejs 61 + ]; 62 + script = '' 63 + if [ ! 
-f /var/lib/planka/db-init-ran ]; then 64 + node run ${self'.packages.planka}/lib/node_modules/planka/db/init.js && \ 65 + touch /var/lib/planka/db-init-ran 66 + fi 67 + ''; 68 + serviceConfig = commonServiceConfig // { 69 + Type = "oneshot"; 70 + SyslogIdentifier = "planka-init-db"; 71 + }; 72 + }; 73 + planka-server = { 74 + after = [ "planka-init-db.service" ]; 75 + wantedBy = [ "multi-user.target" ]; 76 + description = "Planka Kanban Server"; 77 + documentation = [ "https://docs.planka.cloud" ]; 78 + environment = { 79 + DATABASE_URL = "postgresql://%2Frun%2Fpostgresql/planka"; 80 + DEFAULT_ADMIN_EMAIL = "pyrox@pyrox.dev"; 81 + DEFAULT_ADMIN_USERNAME = "pyrox"; 82 + TRUST_PROXY = "true"; 83 + DEFAULT_LANGUAGE = "en-US"; 84 + BASE_URL = "https://${d.extUrl}"; 85 + NODE_ENV = "production"; 86 + }; 87 + serviceConfig = commonServiceConfig // { 88 + Type = "simple"; 89 + ExecStart = "${lib.getExe self'.packages.planka} --port ${toString d.port}"; 90 + SyslogIdentifier = "planka"; 91 + }; 92 + }; 93 + }; 94 + }; 95 + users.users.planka = { 96 + isSystemUser = true; 97 + group = "planka"; 98 + }; 99 + users.groups.planka = { }; 100 + services.postgresql = { 101 + ensureUsers = [ 102 + { 103 + name = "planka"; 104 + ensureDBOwnership = true; 105 + ensureClauses.login = true; 106 + } 107 + ]; 108 + ensureDatabases = [ "planka" ]; 109 + }; 110 + age.secrets.planka-env = { 111 + file = ./secrets/planka-env.age; 112 + owner = "planka"; 113 + group = "planka"; 114 + }; 115 + services.anubis.instances.planka = { 116 + settings = { 117 + COOKIE_DOMAIN = ".cs2a.club"; 118 + BIND = ":${toString d.anubis}"; 119 + TARGET = "http://localhost:${toString d.port}"; 120 + }; 121 + }; 122 + }
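Review bot: `UMask = "0660"` in `commonServiceConfig` is a mask of permission bits to clear, not a file mode. Files the services create lose owner and group read/write and keep the `other` bits, the opposite of what 0660 suggests. For owner and group access only, use `UMask = "0007";`, or `"0077"` for owner only. Separately, `after = [ "postgres.target" ]` on `planka-init-db` probably names no existing unit, since the commented-out text in postgres.nix refers to `postgresql.service`; the ordering may be a no-op. `node run …/init.js` in the script also looks like it would treat `run` as the script path, so confirm the init step really executes.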
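--- a/hosts/marvin/services/pocket-id.nix
+++ b/hosts/marvin/services/pocket-id.nix
@@ -0,0 +1,49 @@
+{
+  config,
+  self,
+  ...
+}:
+let
+  d = self.lib.data.services.pocket-id;
+in
+{
+  services.pocket-id = {
+    enable = true;
+    environmentFile = config.age.secrets.pocket-id-secrets.path;
+    settings = {
+      APP_URL = "https://${d.extUrl}";
+      TRUST_PROXY = true;
+      UPDATE_CHECK_DISABLED = true;
+      PORT = d.port;
+
+      # Frontend Config
+      UI_CONFIG_DISABLED = true;
+      APP_NAME = "dishNet Auth";
+      SESSION_DURATION = 120;
+      EMAILS_VERIFIED = true;
+      ALLOW_OWN_ACCOUNT_EDIT = true;
+      DISABLE_ANIMATIONS = true;
+      SMTP_HOST = "mail.pyrox.dev";
+      SMTP_PORT = 465;
+      SMTP_FROM = "auth@pyrox.dev";
+      SMTP_USER = "auth@pyrox.dev";
+      SMTP_TLS = "tls";
+      SMTP_SKIP_CERT_VERIFY = false;
+      LDAP_ENABLED = false;
+    };
+  };
+
+  age.secrets.pocket-id-secrets = {
+    file = ./secrets/pocket-id-secrets.age;
+    owner = "pocket-id";
+    group = "pocket-id";
+  };
+  services.anubis.instances = {
+    pocket-id = {
+      settings = {
+        BIND = ":${toString d.anubis}";
+        TARGET = "http://localhost:${toString d.port}";
+      };
+    };
+  };
+}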
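Review bot: `EMAILS_VERIFIED = true` combined with `ALLOW_OWN_ACCOUNT_EDIT = true` in `settings` means a user can change their own address and, as far as I understand the setting, have it reported to clients as verified without any confirmation step. Any relying party that links accounts on the email claim would then trust an address nobody checked; whether the clients behind this instance do that is not visible here and should be confirmed. Either set `EMAILS_VERIFIED = false;` so the claim is not asserted, or `ALLOW_OWN_ACCOUNT_EDIT = false;` so only an administrator can change addresses. `TRUST_PROXY = true` also deserves a short comment stating that the service port is reachable only through the Anubis instance and the reverse proxy, since forwarded client addresses are otherwise spoofable.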
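--- a/hosts/marvin/services/podman.nix
+++ b/hosts/marvin/services/podman.nix
@@ -0,0 +1,16 @@
+{
+  virtualisation = {
+    oci-containers.backend = "docker";
+    docker = {
+      enable = true;
+      storageDriver = "zfs";
+      autoPrune.enable = true;
+      liveRestore = true;
+      daemon.settings = {
+        experimental = true;
+        ip6tables = true;
+        fixed-cidr-v6 = "2001:db8:1::/64";
+      };
+    };
+  };
+}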
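Review bot: `fixed-cidr-v6 = "2001:db8:1::/64"` assigns containers addresses from the IPv6 documentation prefix, which is reserved for examples rather than deployment and is often dropped by filters. A locally generated ULA range is the usual choice, e.g. `fixed-cidr-v6 = "fd00:<site-id>::/64";` (placeholder value). The file is named podman.nix but configures `virtualisation.docker` and sets the OCI backend to `"docker"`, so a one-line header comment explaining the name would help. `experimental = true` should carry a comment naming the daemon feature that needs it, so it can be removed once that feature is stable.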
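--- a/hosts/marvin/services/postgres.nix
+++ b/hosts/marvin/services/postgres.nix
@@ -0,0 +1,50 @@
+{ pkgs, ... }:
+# let
+# cfg = config.services.postgresql;
+# in
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_16;
+    enableJIT = true;
+    # Settings taken from [PGTune](https://pgtune.leopard.in.ua/)
+    settings = {
+      max_connections = "300";
+      shared_buffers = "2GB";
+      effective_cache_size = "6GB";
+      maintenance_work_mem = "512MB";
+      checkpoint_completion_target = 0.9;
+      wal_buffers = "16MB";
+      default_statistics_target = 100;
+      random_page_cost = 4;
+      effective_io_concurrency = 2;
+      work_mem = "2621kB";
+      huge_pages = "off";
+      min_wal_size = "1GB";
+      max_wal_size = "4GB";
+      max_worker_processes = 8;
+      max_parallel_workers_per_gather = 4;
+      max_parallel_workers = 8;
+      max_parallel_maintenance_workers = 4;
+    };
+  };
+  # systemd.timers.pg-autovacuum = {
+  # description = "Timer for Postgres Autovacuum";
+  # timerConfig = {
+  # OnCalendar = "*-*-* 01:00:00";
+  # Unit = "pg-autovacuum.service";
+  # };
+  # };
+  # systemd.services.pg-autovacuum = {
+  # description = "Vacuum all Postgres databases.";
+  # requisite = [ "postgresql.service" ]; 
+  # wantedBy = [ "multi-user.target" ];
+  # serviceConfig = {
+  # Type = "oneshot";
+  # User = "postgres";
+  # Group = "postgres";
+  # SyslogIdentifier = "pg-autovacuum";
+  # ExecStart = "${cfg.package}/bin/vacuumdb --all --echo --jobs=6 --parallel=5 --analyze --verbose";
+  # };
+  # };
+}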
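Review bot: The commented-out `let … in` header and the whole `pg-autovacuum` timer and service arrive as dead text in a newly added file. Either delete them (history keeps the old version) or put one line above them saying why they are parked and what would bring them back. The PGTune comment over `settings` would be more useful if it recorded the inputs, e.g. `# PGTune inputs: <RAM>, <CPU count>, <storage type>, <workload>` (placeholders), so the numbers can be regenerated when the hardware changes. `max_connections = "300"` is the only numeric setting written as a string; `max_connections = 300;` matches its neighbours.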
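--- a/hosts/marvin/services/prometheus.nix
+++ b/hosts/marvin/services/prometheus.nix
@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+  services.prometheus = {
+    enable = true;
+    port = 6999;
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = [ "systemd" ];
+        port = 6998;
+      };
+    };
+    scrapeConfigs = [
+      {
+        job_name = "marvin";
+        static_configs = [
+          { targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
+        ];
+      }
+      {
+        job_name = "prometheus";
+        static_configs = [ { targets = [ "127.0.0.1:6999" ]; } ];
+      }
+    ];
+  };
+}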
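Review bot: Neither `services.prometheus` nor `exporters.node` sets `listenAddress`, and as far as I know both NixOS modules default to all interfaces, although the only scrape targets in this file are on `127.0.0.1`. Prometheus and the node exporter serve their data without authentication, so any interface the firewall trusts (tailscale.nix in this same change trusts `tailscale0`) can read host metrics and the query API. Add `listenAddress = "127.0.0.1";` to both blocks unless remote access is intended, and say so in a comment if it is. The second job repeats the literal port; `"127.0.0.1:${toString config.services.prometheus.port}"` would keep it in step with `port = 6999;` the way the first job already does for the exporter.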
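--- a/hosts/marvin/services/scrutiny.nix
+++ b/hosts/marvin/services/scrutiny.nix
@@ -0,0 +1,32 @@
+{ self, ... }:
+let
+  d = self.lib.data.services.scrutiny;
+in
+{
+  services.scrutiny = {
+    enable = true;
+    influxdb.enable = true;
+    settings = {
+      web = {
+        listen = {
+          inherit (d) port;
+        };
+        influxdb.tls.insecure_skip_verify = true;
+      };
+    };
+    collector = {
+      enable = true;
+      settings = {
+        api.endpoint = "http://localhost:${toString d.port}";
+        devices = [
+          {
+            device = "/dev/sdb";
+            commands = {
+              metrics_smart_args = "-xv 188,raw16 --xall --json -T permissive";
+            };
+          }
+        ];
+      };
+    };
+  };
+}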
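Review bot: `influxdb.tls.insecure_skip_verify = true` under `settings.web` switches off certificate verification for the InfluxDB connection. With `influxdb.enable = true` the database is presumably the local instance, so the flag buys nothing today and would silently accept any certificate if the endpoint were ever moved off-host. Drop the line, or keep it with a comment such as `# local InfluxDB only; remove before pointing at a remote endpoint`. The `-T permissive` in `metrics_smart_args` also relaxes smartctl's error handling for `/dev/sdb`; a short comment naming the drive quirk it works around would tell the next reader whether it is still needed.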
+20
hosts/marvin/services/secrets/anubis-key.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA 0nhVhc10cQVe6R565JAHib/nXjCJz30CkP8stgrr2H8 3 + UZvBZgQSA0RJoXhgub7bvONXH7Tr4fyLngYaeV0RaiI 4 + -> ssh-rsa fFaiTA 5 + KTErOmc2adbOX4BDCpbGCSxi2P507OhPJygCguq32e8MpEQtUQM39ryS24z2iPko 6 + JefAkJDFz7MnF3FrlsQhs0Tn68XFKWNU6/qcduWsrn0mFkF+UTWylg4LifOmfaxh 7 + iGUkUzSsneZHpnJRYX7nI2e2dV6FD++Dm2fOjyBQpOZemas3qb8jM4t8SbtUCkOB 8 + tarqwI3R60xdwlv4UnoIQgnALdKkQ/2p/tBSQV2i47iCMo2ksHC57Q8FqfsMBRbF 9 + 1QPfvaSKS+85mkkew9qhGCTiI9CTPMJ1LytFPrN7hYvwWJEdqBXQplaGnK/Z3v6A 10 + riKcb2z7uB5fL37DmEtESejxMVdo8AeJRhBKWNf065wve5UjvVE3NNver/F+aiOW 11 + nhPZPD5uwv8G4Bu5jStBSeceqkwdxqagnqWE4HqNB/MUshOehEbjdSHVxcNslsu+ 12 + ay4lCudcIbWUgfD3fTQO8sVBral6Z42DgZ1DDgzDGzw4CAw2s7iu1gVL19yr+KkZ 13 + L1sLVdTKAKEvTMsmDLtC8hEnU5LzOhw/+6zu+jCEpiAM1tdLiZXAbXtX70qfFoG0 14 + vdrmNxkKMqeBQ6mOIx2HtIGfZaEZac9psbT71aU8g0oHa0GVIoj/6s13kOxDe4V7 15 + SyKVhTN/uRSzePWyjNtikK4A8I2+A1wh705hBo11cq0 16 + -> ssh-ed25519 wpmdHA Zr0B8acivkr2BMIZhSUWzkXKlGi1JFQESG6/WQ279is 17 + wyCREE9Va/xD+Fyjn+iYDvXNNHs3Jasz7CZ7jVuRmC0 18 + --- riW/wZBclVd4FZPODjzrhFo3UoMSsvMp257fOv86tRg 19 + ]� 20 + 0���c��Q,��*$���L�Z��1"L&�d}%a ��c3�B�.�'���tKƖď-]*t����L��B%�8S���F���N����/�.a��
+23
hosts/marvin/services/secrets/authentik-env.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA Mq6LpVWnock3MlBHyxTdIz0MRgayV1DmPc7G0YUYmno 3 + Hjhpy+AkQ12MPP5/nFdfCbUYjlB7urYgodmNH3MYQys 4 + -> ssh-rsa fFaiTA 5 + nUWzhFls8eejZQcIvXT1OQcoLCUPs/xkrGmJZ9nYsimIg9O1SvSvsksTzpF+kPxb 6 + FSm0mpN5LSI5qIWkTVCARSygCXh5oW7O5BteIEslfZQ2mBWWfUIUfXjxgyMR5YNI 7 + WuMQ5NLag3uulDKFm7nX/MW9MdF5TQqsp2waDxZR8twErIHXxyYV7L50OpgHXshN 8 + YF+MQ44G8CpKfnMlJT2LqYdcwtCD5CbPyyJVGzPtKXXMCO90ep7kgsdAtwRzRQ/A 9 + pOm1kN0E4OtOCCTuUEu9KcTjREFEzVdNDo+sK1aTxZVgDMT5Q+1MW8LMAjxJkJaH 10 + EhgiwzOB1wuKNJmT3oTHxCZeXebEZVIgzrM0d8G/ZpRezMhPQuVhPNwTuSTS6Nmu 11 + UoLpGd836qa4wRiCnyw2wv5NWC9dk9egXGmpJP0WuYkm977nV8rNPD6Y0yo1zdXN 12 + bR11U5nGhNmKaZR7JuF4uXnscDwuLjezTqbnfWLnWWfsPchUdwxSLkBWfxOt9Bwb 13 + UXXRCXmP1G7G76L8Lq4px5w9cuOf1m40aIRFDAQvsU8lcjNh+x6Hlrs6e6JLpTIU 14 + hSm9RNis+NfC4eUTbBzvHQJl5pOcc4qGDhRfZHHHgFviGtDRNnCX8Qti0s55z5xj 15 + 92YLwusKCLsY/qfUMGxR6xJOH+qF1slnKJUze6Fm+3A 16 + -> ssh-ed25519 wpmdHA y8GnMn9T4Pd/luf2iFGLgwiH2+28omDf+koJjTnjHjY 17 + bhwyh4cWPs0/WaDEAV6tQ9VT8Rwg+54O48IXDlp3WnM 18 + -> zEWmG,-grease 19 + RnR4Sk7VgVxA 20 + --- rw5rtJ/Nk3pe6NIho1qUG8THDMN/gyC82qDL9WF+1ec 21 + �as����Dp��c�´���i�x�AQ>�w��o�bI 0�X����Za�AH#���0�|����HR5�������S��G���9Y��{��ּ_"������r4?x՚5�tG�F|�&�gXC�\9�P 22 + y�K�`����LeS` !��21�����U1��S�?�X1[�7Qӫ��D�!�>���XǍ�)mH��#[�C�r�4����9σb 23 + lf �K_PB���$�X�n��(V�Q����u�?ix�z��I��Zܘ
+20
hosts/marvin/services/secrets/buildbot/gitea-token.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA sXjW2SR1XZX72GNOub2LDOyPErSL1frz/6h1/PCpYQc 3 + C1S5xYK8e0wjxXUo3Fv1Bly/KexFni/vUVQXvTOaYjM 4 + -> ssh-rsa fFaiTA 5 + hp5tbxse6zTj3F9+cURU7l1wgQ7xPqetn//fPbeAWgOaE6mV5AgKmul7rHEL9IIH 6 + aFTvalTWR/KnFznYtlW/k8NJ8kxsO8xF+E5TzFnJHoJ1kcnxzx470m/erc928n48 7 + XcqN+XT2OS7xxH8i4v+pTqsCniK5oKpUbXujFBDdLQzHr6PfudD7KflSDklIdYEB 8 + Hcd1wPtnOwD7lPPrH4MIVNcAsZdc1gdieWI6WAyYhwyCGkHx+AAtbGBGIRxpM6eA 9 + /iau2CyIL3NoQO5ahuocI3j6JZg/rjf8CrB6BOcjST63xxJOtb/Z1vCDMN8IL7h5 10 + BC/W0jeLSWG6j/HtGXQHcBuuCe9X6ghNxHjJnXTlW5gyy/5fkfg1VwH1GH7LSgr3 11 + tULl2deCUc13COd+c74wPl1tndaCFou3syWQI1+g6cxafdjNeC4toQVVTjiWKArW 12 + 9FxAfmOHRqkren+G68rV3r9HUwiik5yfFj3i0ReiSJOs+PnFdwiia+qEyEU6c+RA 13 + ZKm02DA0xdIKvWRhBcV3LfXa59gM/fqHY7fPOr764UE8G3OxhU41YokRxSF2Amjr 14 + SrrTdd9ifydgm/6QOezR/rGdIPednZGw7AifVDtzStqfeK2N/1UptXmRTqJxNKDl 15 + HqChILGJP+4oQ9C40DBJKqoDoQ4cgdABf+cVvum4Vuo 16 + -> ssh-ed25519 wpmdHA ihAY2EmeXBKtEYivtyxIM4f9DT8l4r+fB1aZq+/bBjI 17 + cTxIJd2UpHpk6+kRC6kYnkWpk5vNOKN3KaTObI2yK60 18 + --- wb5Zy32SMDk6XSAwzGDLz1fHZkTmFQRJu3UdOSO6ALs 19 + �6�3 20 + ��x�p�(SFx��9%�l�`��mNy�i'��?i�������@Nw��ϖ�Xh\ơ� �A�X�{�
hosts/marvin/services/secrets/buildbot/oauth-secret.age

This is a binary file and will not be displayed.

+19
hosts/marvin/services/secrets/buildbot/worker-password.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA gwCfKQU/RuO5wvWJt+BNo9vMIH4cQNKC4YBo4zgeM00 3 + 568cl7NUSUNWPCF3SL8SSqsyV3qqKmM4CoqmQ+yynUs 4 + -> ssh-rsa fFaiTA 5 + xa/L5kqpE+MAOnbQFeOi4u53k9RdTz7di+bFiDwkUMoxPwKKWmT6DejEq2JmqcL6 6 + adkNyc7sS9mfyoCC55WttpC1VBtyCtWCvJIuG8vtO11RsBfA6GvHLG4uuuHRGEqQ 7 + i9IGIVBIUdCT+q4Eu8zV5hVEdbuufDGTbp1Ye2MZszl99XE3FKBgBNMfMyYL4fO4 8 + +GE6kuTMdgwlI1CKFlQH5cZSMwGtm1ElTZcwd0Zl1Zu/5Y4mKwJ78RLtdmoIpYW/ 9 + 8TnvuH1uD6PFZQ6f0RDxNnEnyZuAezTx16tjFfTuoI1/lyvq6t6et/f9TysKTnZZ 10 + W0PSBFvTaxE1IKaO/PRynd9ZrBbLgk8pibCP6HgM8ev1Gbl4vLjq/0t+t0PEVquH 11 + y0MXvO6OvjGs89JS9/AYbBAsFxmD/FcKGm857fKFqE2a+SguX0oTBbjNx/PG0rAm 12 + RTx9CR2wCUhTq5KheRmL+Ik/T/Yv4QuDid6p93PHcwJ2YUqXPyMEuTyv/nhjSEGa 13 + v3GX7sIQh0aC0LSHF0ielfyxjvAXysNKiIZaN+DU0tGTgKW/QvMOnUKB4X3EZCHu 14 + yMGgV1vR+pVTLx7xoAyjPL9DQC9ezMlSs5gcZVEV3NLRndz5Es2SAgg7r0mXy5fg 15 + PZz7XVriGa+2JhcAnDbFWgFjqwI7r5MSTpq8Sl9FZ8E 16 + -> ssh-ed25519 wpmdHA wfideEEHVJwKpYxqET5LDOE859htEZIpg1UxKIGSayM 17 + V5vr78i22cOHPS8+ZFluqMDfH9D3vzkHQ51Oos+MWq0 18 + --- ltXrwcgDWjvOiOkbNmi8MAUtgcevsUKA2ooV7UyB03s 19 + �� ������U���������q���{l���˓��<��=r��Žv�ݸ�H���Z��V��
+21
hosts/marvin/services/secrets/buildbot/workers.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA NyjUU036+HYwviv9FB7Onyl3YYScNe/vLXpAYnbbJxU 3 + pecvax2BSVOYEgCHxoQyWTRzBRpq8N2ertX0QAw600Y 4 + -> ssh-rsa fFaiTA 5 + Tdwy6FqSqpMxc7x/Ygwiz8ssPwug7sk1BZ0QghMZkoO8KPJwldUcYfsgQxklzisx 6 + JuMDTBacCxN6/RnIfvcagtYZ2NeKsGkhk6KZ1QtcDt9oWrLD9KQBs/YlBmkJGE3L 7 + SqAcQX9AybGQ+ODS8ZbXR7WTcCy0I85Jiy60QYRfkX5lElL0BAbbuphn6xtm0dt7 8 + YuArYTndGI1KOgcnDCia8Az84vzjIh/Cp4AGthmhAOQP2R1k94LI8p1639RqlrkT 9 + XAdsglg344l7ki2Eib4pPADDmhKttrJ/79DTK0X+1757PaUyxMif55WIrxQLzE2s 10 + QHhwj1pka1HynIGy87cwILAlvqWNFUQ9lTbfMNfTLMBEJ7hH/HB6Adpmr0CVhKKG 11 + B3WfC9l3v/15owcb3qLeP/dkaarjHbTM4FafOLkjrhdEgYCEGK/ls3vx0Deq4x39 12 + G3WO/fclUQyjcO/g17i9yyfmuupL11Juk8xRyaU5fzi5O7gtGnPlLxhBqXE1s9Xa 13 + FzSSBHztAYAT7D7wodoE+LsTAajRoMQnTkFuP0pvO81C8z7dMXVckYvPco8dTbHY 14 + wujBpw+h//2oIfWxgM6lzZGKny+VsbFSVDz3JURCeWUaFpjdDHzkk7fd+fXAdhcx 15 + Wh25XuYYKvr1SOjo1ux9hAgbH/KAGKy9hoXzpbs6q6I 16 + -> ssh-ed25519 wpmdHA iO+7sYjfsEVkwxtiRMgi/5liBd5I56Cl3nIo5fFe6gc 17 + Rhez8a+eG9D4kV6I3R7eRdEty3dVyYybBCsDoD3gy8Q 18 + --- W7rtaU3i9bkD3+2PKJbOeDK8AlFhpW0t3Lp6MeJ7RiQ 19 + ��� 20 + .I�s ��q^hA���Ch�D��s��������|����8[�%xX�n+�Qb�#f�gUL�C�c9p������RgBd9e%'Y8�F��gկ~�15�D���d�K��C�c>���w 21 + tP(�cr�����p7
hosts/marvin/services/secrets/forgejo/aux-docs-runner-token.age

This is a binary file and will not be displayed.

+21
hosts/marvin/services/secrets/forgejo/db-pw.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA 2iR3dpVJpZQc8SpHKJMDdoFgRQ3SdR+1Z6MJNOXBYRA 3 + gN/aJwxHXwAH+UPyVG3C0iwNyitvqleasEId230Ta5I 4 + -> ssh-rsa fFaiTA 5 + o1krn+dfavUdLS/kL1jr0fzPdM9U8r22e2HXUyB8Cjg8K39QNR0tIUnJOeDh+ySk 6 + 5mnA2fIhCc8TDmxViSVelV34xPBJUE97Uv4ny8d33oAM/h+Z9lUVkNYqBQIvy/7A 7 + VbXPr4exw09vIKqMII8r7Jk84h/W/+FNCOD0eD/hoIEihkEKmTlGaKnDrIukWK5u 8 + 3oohSQ8vjz57NjyNAVMpqBR+N/kgix7Qn2nWie0Y+8a6Oe09KGv8o4NSvMsoF36g 9 + ZoahpTkWqN5kEMciduo4bGUPO0WlKS8JtmpgZnOB9s0BN1xHqGyFheh2lkprW8m7 10 + 5RsnmjveQ5W/YOjQwfZcyx7MzWGu/tdAOa24ZxDMoVuz6p1fVYNmVx5roj8ddU8M 11 + Zf4LIRyq+p0reWEZyx4kGM9KO3e3uBdjEcd1hN8c11Nuhq8sQWtCzZIfXUpbWFsc 12 + tFdKrAkxnrCjFbwkBLj9KRrstJ2U9kvQPjv/TLUu3nfZvQrT3r6La7nh43yJVFbO 13 + BEKiebbMKZ/uXpat9ysBblaDSDLgFq9bG+fKaDCurK8xLeihEmUUto3+zJ2ju0xN 14 + 9/5y4wvaHp2ubn2garimQA5SL/MXviroM3Ihis1QXh/EjCqUAsNDWuxj4yGq7KjH 15 + pyJh4POTwFwa1+dieajao44dXbjR8agomTDNsFcvciw 16 + -> ssh-ed25519 wpmdHA Yn2SflGKXRy8gFw49DgIgYgQ4wW8E2DGGI7dB08Fp3g 17 + h+CktGIMZuh8mRJawXRRNrN6ekc96ET5vIHEE+560R0 18 + -> VEh-grease \tZ(& 19 + sarIr7CdltfkDsPGC746Bj2bSi4JYbJyJyqFIY6mTlr89qhx+Q 20 + --- Oogb2JMBAeU5WMAOhFDuLMUwj6Y3yGjn4FDAJ8IsNTo 21 + �oi�KAe�+���i��\��*����:��� �c�6��(�1�����敽#�Stq���y�/�T�� h�|
+20
hosts/marvin/services/secrets/forgejo/default-runner-token.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA wAo/lrx6N+r+RDRkW+diss7p9GXRuBKJ8X3m9SqsUms 3 + j7n9oR9u1XkSPikdXm7ck0nOlt1QOJ1ZBGcU/b+kgr4 4 + -> ssh-rsa fFaiTA 5 + jP6zvnCemRTSeHZzkwCQw4ISRuQVNwPRDVr1zqPlx19z7s+c5NSH2k+ryjgbVWkc 6 + EoP+SMR2sguwhi6SvKNvFZOp4+oAu4ATWGCvjTiqD+iNj0IR9pd+TMIVD6g117eM 7 + 0W2LQN+Yw9tDpT5vX4RSR+Vs9rvWkNgZI58Rib4DprRP9lcD4hjpUyFWLnjsm/PV 8 + 4YGMyt9CCQWT4UuEj8PZGK/l1uQRNIoXlHj83Ewl7WNhlO7I08kSDKke39VkIiXj 9 + 55FOLCIq8rgT8mUsBqr2EJRzS9hJpKIytYdhLmTdAMdpfXWvjDTVAKIYO7DnAWdk 10 + uU+ORVOfKEYjD4uuYODhS/n2U6USwNF/R2E6JB806LOglASacw7o9h2oTXEpiW8u 11 + KJq3VkmnhaE9h7SOkBISlGC+y9MDm0Lv07P0hHBr1j+oaeVehMst9HO8S2ngVp6H 12 + 0ZjokI6JpExinFn+UDoocXUK9s33Hvzg/q672JmgIos56wmCtFX7A/ba2isKpajp 13 + WIQMgvQEVxaUBpbRQTjj5SNGVRMns2cJWWpvinyjLMWRj8J+0OEzOLyrvnCpZZw1 14 + DS+ffnwCd/7t3zxnyyl+xeRVD0tq7Dd1X4oxmSNDEHKcNKhjsDnIEd1y/tcTsUUN 15 + X9GDhHLFLoS3BxBydkJ6dSH9knlE5KZAc3wKtjw+AQA 16 + -> ssh-ed25519 wpmdHA hgNiJmcUepbnNwU+8zcRC7xlhou25Uv3mKO7L36RlQA 17 + 1uSnVNpcQTGhYw+L02JQSd1PUrC6t6Dh4QI+eXbr8NI 18 + --- H3xuoJ0qmwWqAJoiY8nFXbTOpOeEcKcr2zc6CozBFtU 19 + W���S���2��+jz[�귐��P1�>��b�R�J�-�� 20 + &�jm^���E ~��37ܢ6���/�$�ÒH>9p� ,
+19
hosts/marvin/services/secrets/forgejo/gitgay-runner-token.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA NtvHYtlP2R1/ySw+0gQk8q1QJcujtjMK9h8BXTLnpFU 3 + 5+iRMI+OvjQMSR8TkEO5QXFp0u6De3EVtmt+OttYLAw 4 + -> ssh-rsa fFaiTA 5 + MiYovathZe/ZO/NvHsRTFaAlj8GsHgBcbVkkV9MDoYhacdomegj+J2nQks/j+TbP 6 + zU9BSBMSyzWrYuCi15kISyk962mSc7Gte4nwJvUUiZdWq/Vm2dSLyV57EHBgSXl/ 7 + C9DHnS78OgTDn8YeeRviLkJ87LEEPF9yGG2z/YN4i53Cuy8UDQagdpFG4dWjGnQn 8 + hImg4bI99h1coaCf8PfsuLsdumbR6y12rdW0A5cEyhfDoodV9hILGuP9KCtUXNxO 9 + BrxDlpVC5CjUZ1xcz1qgQA8QvKbl7qVitxmr5+1pHwtscaiTufOs4MI+ZxCKwOhJ 10 + VPiy01TesPHR9oua/7Ap4dBOTpKRPb8GyaCVyRvkb4cVIlQNgIYuL3pkB3KOM3Ct 11 + VhvXVgXxB6Gb78gJkBy/uwmnSybfnzjv1z+yA9f8VFBzt+i2kDq8/37Tng9DSVGj 12 + 4yS67uYQkT5+OVrcjNwBd3NAguVNNg1PEsIE8SvnLXRmI79gjiMdlmZFTsAl2EZN 13 + 2CMUaR9r0O88xhEf7FKQ9CUjZjfZvyhHPaJXADfducaVhB56RCIf3jwtsdFnTzzZ 14 + UMIYJ57Pe8m0ESjzp/8+6wH4MPaMULSJhxnpUJW5y5qqnpvRo1dQiPRkW3Xxjh3H 15 + 2ulClJg8m7Tqj/nASJFZkqI7PUxjnAteEUcY2WBRtMA 16 + -> ssh-ed25519 wpmdHA OYK95VOo8jFn31+P4keeW0eJco7PKVE82NQL0U+0f1I 17 + D7O1m8QTLBARYjzUJBBX18Ko62iu7ETDD/CJHptTBf8 18 + --- ku5u3TkIGQvE212JtizdwVoz4B0Jx3wvvPrGFfvihGg 19 + �gL�y+72.O\A�,U&z����y +�Y��OB=�#� �=/���}�@W�xx���� \'��~�x.����5?�X�
hosts/marvin/services/secrets/forgejo/internal-token.age

This is a binary file and will not be displayed.

hosts/marvin/services/secrets/forgejo/lfs-jwt-secret.age

This is a binary file and will not be displayed.

+22
hosts/marvin/services/secrets/forgejo/mail-pw.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA QbfTwmaq7Y7u8CL4KBCcGrCyT4b1lGky7FH11QCTvmk 3 + IdVtZ+2EyxvRLVXUTiiLPfAcKdkfY34MZrzn7SSl9eg 4 + -> ssh-rsa fFaiTA 5 + XfTTdTEAls+Qtl2WYcHCaKd+vE4eZaY5Rh1llYAfeAxBsmgq4vmSS1UFkPD5HUMl 6 + 9dkHZuEYyySdhOM7RFICYpwbWAdSybs08dFI4rjpYiU0ZuT54aDmvTtioVIIVvn+ 7 + E9YEphsIO4jbqTDEk0lgBNs622vlJ/d6xV6Loc15ZFYxyqteXTTpQii2Jpzh010b 8 + PW+LlzSChr4yMZWRqKQV2QcHQD699L3p4X5eleuUkMh1N+mM0U0RlDPnRzDx+10L 9 + yMZxyRjWs+u2mo1SuNrgzn14D9SewJXbhYvc+KcigTWhQymr4XHDCPguB4UExonu 10 + /JodLIpjVA4ZlTQV56jjMgOXDE5bk+TpHMULn2mxxXFxtDPzvamOjnjTNS9b6PVF 11 + /JHcRgHpoY4Z6KgQN4cR7naj23pco/k8DbI2f7TYTXTHxSl1wfLbaTwdtEpnuO4F 12 + D+sNXQC1wI5Kr0fQV6l1NwtPI1De2NbR4S8SKKJRDk+xdhnmiD3qawy+I5D2e8Ri 13 + JLkzUn4xeQgSLibXrDWJI++JCnc0le2OgdZ/uJd5feJJaSr8ISRW2Rhvq168bamf 14 + tTPFVG6V0YRC/oGgytT2TOtqrx9+Ewf2TN2BUdlckUp3k1L6JiZJg3Tnps8RaCvo 15 + wfsGS1ZKcadS6dQyfAKe7vr9Q/dEVYoOR0SIstLae6o 16 + -> ssh-ed25519 wpmdHA L3dLS8TuV+mkf9lT3ChtIvLxciLJIHhPdUFz8dcoe3I 17 + tpSkZkQ3yidTctaAk3yzye/DJiUYBeHvJBu7JDVsCqk 18 + -> 4-nZ-grease @h[XP&o 19 + g+aR0SZXoWycWqRgm2Ry00EJ29VWxfzDI3UmPg 20 + --- SlVpGEGQXxhp7CUE1f+LoX4rGtOONFm1SSq/gwGITpk 21 + \�;^_��T�p�R��21f��v̵]���O(��L���5X��ol&�����$ 22 + ��y���l^��"��V�c~
+19
hosts/marvin/services/secrets/forgejo/oauth2-jwt-secret.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA yaO0bR/AMXXrY7ZqH9GlFFFNSYtd3YdIaZHeBkmAV2Y 3 + emQoXCiHu59lqhMo6+6RZcjykzCFgQL//LeMoMf42m0 4 + -> ssh-rsa fFaiTA 5 + vUrw2prvE5tBUMfKD/VtBYzoCz+OholrDVO4/8gvKWcUVBls1wjDHH3DXR68YRTt 6 + Kxxv/Nzi4aHOdwBgF/UQ4FkFE8Lq13N8upgVhUph6ryFI77bEZ30EJdI9bSNEPiD 7 + L75lnD/oqvALZviQGypX+phllyc/vihJuWF7wHEkNzowLYSfoYv0SoZYUym9nORG 8 + aRyw936NP1GGhOgnoqCfl/AJqE48nXlhK9SfJ/8xTfHrEgeT5e5lid6s9Uw0j/m0 9 + ZXA/ut6yoLS4+SgbOJR1RosiMav55+DGOVJ4PgK8s7hhzxyUTPqtoSPiQoLzjvqW 10 + vp4IY3DMSqPEsb7rbHn2eIfnaGqFof7x4HbG/ablKRQtx13DTJ0m2MKDubH2RWQT 11 + MZGiqA+h4jVShLBY8zX0l596K3eFdJqxZyxU5rzP5ahgS2JKaaaEarPdHXuZ1P+U 12 + NSGZ1O8hW0GQ6lyeTjyGA+ZwjWk+CBZFj4iaTGi9tnMLeF9GctVcNrSTNVxlUmek 13 + rBIfb5QXA8zuTJWbxcEjrFJb9dmjC7Sd9EtCfIRh6VQBXlClBQgSOZVqH6RBhJ51 14 + iRL9Po2Xrb/Y08w+BrCqdecfeDU027E/Ds2uSdoSK2OMJ6ZNaz3RER4HXitltPA+ 15 + gN3W5et8lD9DIW+cc1wj2MyitEFZh9pJ7C+uB6YF81Y 16 + -> ssh-ed25519 wpmdHA w2zM2j5IAfn51aylYdRUz8WCuv7FkumpxepsfqS//W0 17 + gVcYqjAA4ULVcSmS7BVRqF8kfWHbtjlX3659+CGQbME 18 + --- 1L+ACPbJPa2Y3wxSGr/7CBTPYXIOxOHynEhlUZGLgzw 19 + ��jq�uz�P3� "�}ܬĩ�W/距���ߎ+�΀q���*}�a��6��I,5<sB�m�{J�%(��a�A���
+19
hosts/marvin/services/secrets/forgejo/secret-key.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA 2bKuQvw8O9MVoEjaS212yLxAjIcnoT9K1XfZ+WDUsQI 3 + sA0hNHX+vfLlM0WORLnrxMbHsqwNoqCrSTCY7iIBtmY 4 + -> ssh-rsa fFaiTA 5 + qIb+f5jyeTmKqW/ylUBcQH5tz0/0SM/ovGWkr1xiloqieANaMEdMTiQRYNrMpOtl 6 + HUn4YjLZ7RqlOUBvRWJkMsSaj2gnPCUBnnNh2exCG/rLWnbL2OfC3yFAcfFKSAc+ 7 + f/jiudo0PmSStP8o8S/Q+k74cxbg1ic/eMfX4hdHCxliI7privKtxOSz3yiuW2Tq 8 + ZOMKQ/YF3rqMD/O0jdUFu1OzdCuBj+GtpPrJGR5NJmeQJw8wM9Zk4ZMpW6MkOPij 9 + tK5URdwX15dDTC8woUCwvFdVKTd7+VV0E5p2y2ooIr9SNFOyK6ehwINIpoPvoQKn 10 + SgObyRUc4jksyPirl0r+1h2bFuJdWY/JhPb5pyeSZpI4VybZwWY0RpYgWtMNUJ3j 11 + 4YJ22pKKtkH0NXsWhwzG8Tmv7S0kDsZS+yD3vMD/mkAnlSt5cK0MnMXpqxfS0PWM 12 + lhk7iD/ne29yCvl3aWTfJF2Uc7gi2gcHZ9WscS07ysWD2kBkQAsMBohSNPP+sE9C 13 + qH8BFrlFBJs1K95jmnbtIprA9k7S0P9ahqnCh4B1PmNP7dWvVDjWeknrij3p4Vuo 14 + GibCDtFWrbO37Aksefs0AF2wGQmaHRHtAhdL2Ieh/v5yP1HMcMTpYvTFqw04AnRq 15 + C5Qj3pd89I2Zxfu71X8UuNqXFaDt7FTVPqQXA/QXmi4 16 + -> ssh-ed25519 wpmdHA bOhWTK7ltgJA9tVCQn/Has4cqeiGkLukCtV6ns2xgmg 17 + m18TCv820K+AhM3DsTG14LXWSSJ2Q0agwW/67B2cv7s 18 + --- RDzTUIZVWDsM2snL8JjZNi7JR3+uDVBqCpcXQwq5ics 19 + %-�t�'=*єNzW2�N��v�*��3��Ew�-������9yMg�Ğ��p/�OQ��I@},��VZy�ꧣUQ"���q��9moی�����g�to�
+23
hosts/marvin/services/secrets/grafana-admin-password.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA XeXuqrum348P3vNXQH2ikpZfSIiLeJWejxY3tgGv+2g 3 + C40Ha7mJHes78csqAtgEBOMrVhZ84jR2MIw96o6xlKg 4 + -> ssh-rsa fFaiTA 5 + gMFfSu49RZeKk9Gj2jhdeG+Yvais/e8Xfw/7Vysgv5a9aZrNcduGcaVV36jYogMG 6 + D5nC5LqFDlvYKrfJDeQ5JKoYb6SJQ027qopoithQPMSRAIc4Ke6EwkIGPkH8a/R6 7 + +WgfUlaFiacOqRmNB2ObQvQvyKQt4EPihkqt76b2gGoz3e+lS6SS6pT2UUqHbV6d 8 + BqBgzc68YWS0IZPtyMcLNFL/TpGH3y0sf335ypuytiEHMmH9qN39h33rFRYB7gdB 9 + nGuKZ0nhqn3VQUWAiSWJW46+oGF78bsFRgnPvMVqc4TQaiXLG/Qv1jVEgBU/GSHC 10 + GbrE7fgBMMN2noX7zQ7NdBbOZF9J4gVm031lo3mpI4GlaO7G24EUTdG8JmP2cTcZ 11 + Q4iiiiZaOxWWhJ9ObDYr2clvm8P3TLqE6C77yzlA1QMo957rr4RO3HHDgfn/Ge6n 12 + gx30M/SCLKvCeyZTmRWHULlzlsr8MShENJf/zeKdbnNaMacofXgwL+mCe8bWHcrQ 13 + OfPmXBHa4UPb7zbESOaNgbYhCzjNEhqcXKn2AXbWcNJGImyOf0PievCBPGo/B013 14 + VETrs8gd1ud8GplsT8b0XMmAJDrJSPSJC7ieyjBFGU+dWucwtUtw3VajqMjklAZO 15 + 6gWo+ybtXA473LFpzu4MVA0Zr1nwaYajJDMsygfVVos 16 + -> ssh-ed25519 wpmdHA hqXiyptEBUhTluqATQtTHNjpQMsEWGweLZBM0vNr+0Q 17 + sSUev74dcNmHWZZF4l0iJjgEH+zX3pJ+1d88cZFU1QA 18 + -> W-grease dB_Ln,<Q 8OG= 19 + mn5NEEyg97gp+G6d9APe+CT+9uqp68TCOpqqwOYMk2BZwpVqmTysx1r595h66ShQ 20 + 4fDWVuM9W8k+nr7tuV1jSRtA/XH0NhwxgwM 21 + --- uqf0oP6H6UKtTSOO2W5kZtxmF3loWg9vD1tVqn442PQ 22 + ����ц�-��^W� ���� �qv�UP'w�=��N�7���;n��� 23 + ,a�%5�'һRTz��u]��P,
hosts/marvin/services/secrets/grafana-smtp-password.age

This is a binary file and will not be displayed.

+19
hosts/marvin/services/secrets/immich/mail-pw.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA 3PVJMF6BgxuDxN9NAEYqcZaYEUhK9TB5XprRyW13Kx0 3 + AIQQG+4/9SVPcfq9ZtL/JsWDmLvW03UiAJaJ1nHSckQ 4 + -> ssh-rsa fFaiTA 5 + ZPBI1w2a48Md+Rt92ssVcfxN26zTLCEalT+jG8SJBv07ouOzd4ibPq65m6uOQU/+ 6 + EEgHe23fGsPP4oISWDUgVFxesLA3wjsTWmbVrkrBzGQNeNnevIRMcJu7vWDtby/+ 7 + dVxPQIoXH0jPlcDQCm2lwOGD+du+Nb4PnVseRPDaXRypKKmx+J057FQemYBk4OWx 8 + yUfbKV2gHHcuRTVUQG6XAQwWvhh4e25fyc+MzKZNPUK4c/SVibjAsUH+Edd+NaV5 9 + yxku5k4TFZkU69sl2zCdgWfYVTowTGYGyf4Kf+I/kl9m13zIk9vRpocgt4APaJnv 10 + p+KxJvbYRiprWl+IzZg6TwXY5mA1IbvlppR4aak1pwaIE76CgF5mGNDGkviGndtP 11 + +eCMIocp6lk2U0dJEYkBtmjNbxFh3dxOcirgdNDypYPlZTSGvSRGhpL4nUJRsR+l 12 + A7rJ5aHH2B4Vi93zgSV0PWiWSA7899bzgN1kQKKIgYln6Tl8UxQSNt5L3L4VajuW 13 + 3UqCltyGWt/926BMS+GrDZSWCEtVsDs5XQqDKEx6D+iviHZJXniI+RhH/eM7FLjp 14 + iXgCRkBIALo2lOiScpr2rtfGDViq3Nh64cIslEPiewjVFTCxkxH+LuQ1stukrNki 15 + IF0+pZ65rgatMAdnZRFXfRxmywKD99z4WRHAxvYloXc 16 + -> ssh-ed25519 wpmdHA SQlzD3yqbnoF0JHqPFFDUugbm8jlBsdntLzF/WlJbjo 17 + FggpB1k5xbq62QNlwkocwjiWhEqNjHAxR/GwoPhXbC8 18 + --- 1g4f2OQbS5iXm/cqBamEWuapvZHorxfX7wHizfPcYsc 19 + �z�92�LN=9���$O���fP���E���~�.��}7�eڰq��y�N�I�L����"%�V�lz'�أ�
+19
hosts/marvin/services/secrets/immich/oauth-secret.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA 4osfKV5/wFT7mCdc4TjP7pJHdD8wzV7VKKiBSGRqImk 3 + wU6RSxJh8SBbXbiwCl4lXD/m1THoAg5n1Y7pyKFPiec 4 + -> ssh-rsa fFaiTA 5 + RTHaBLsBWbDEmY80LktVL/C6CeFinLm3/4t/hoWmbzLLoElBL86EGVdrE5ovjUYl 6 + j5+ZacmqahwjCtF/ZGBt8MFkWOK9u90YDfLp+kb2ILVy/E+CcQ3xPpH9bf83pPl/ 7 + aZmttaRlhnhSDYVXB0lHx3u/cCrYhTf6TjEoVGZ/XrLW0BRmO6GSwcmTrachZzdJ 8 + je+pf2ug//mnAJR0y4MxjGlNPD/Vaj/UiaFQjPT+7ZvUUSkbv/QpPqyhhosFA11e 9 + 1EGp21ppwUnJSNdYh2vulpQGurB5bPlv6Y8FpcFKivq/qKmA4ydyER3NcCca5Ly+ 10 + 01jQ1HRqWylYJj7K4hnxSjnNlOXCrJATuPJYoNdt2U1DnolUAqL6JIP/qNmYx8Fb 11 + ZrfFINBmPsNc9XJn14T4J+VB6e68ODBOvZdbzoBQOWAObnP5OH+zLYCB3II+aLPp 12 + Zo5WsNBBdZih4EbO0Y9PNWBjyCzxqs7zXPg1PjjDVHN/tIpSGnqoCqCPGuePhgRV 13 + h1gnP/lqOW2U1oL004hi3etsUsk3kXHjr35GXMVBeay+3uGXkZqhNYYSluQnJSrs 14 + rzahZZ8/q0FDdlUixWHb2uQjL1XMTqUcw8wPsUak8shkx8s7GPKNxtEKFcK46jk4 15 + ac9TCyee4HzPC/SWkLGFl0bt9s9lGTBSNQrVzogY/sg 16 + -> ssh-ed25519 wpmdHA C6npqn5aqimGJlo+UlvYOoqXSu/hW1JVNAmBPP1Vvjk 17 + gWzXqL92jI83iqSr3dydJo+UAz5OGBo6kw6QC4KRWgM 18 + --- ltHFDmeAbJsQtyY4CKFEz8OGAkPkue/8upHNOOQgn5I 19 + ��O�ӌ#&`���P�IZ�#�[��+�tdeG�ui�����?n"��(��b� ]s� y줔���
+19
hosts/marvin/services/secrets/jellyfin-exporter-config.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA TYkyDIP1q7bJrSI0YsLBg1F78NF0AnWGTDBL5EdkexI 3 + wPDeCC6nUE2Y0xzepEc3p5DM4W5VmXgoUQ7Lxe7pEf4 4 + -> ssh-rsa fFaiTA 5 + OAT8CyT8DHsr5gkiqhaP5eg//9BAiIGFbiYtr3Wyj3gRv91qsjtRh+MKggqysSPk 6 + EN0z7NeoVujFe1mF3/dIFrQD5rcyVSomOnGytmL6R1aSDP677S0JoXUi1RaYfyYq 7 + NE59VXK27kCTwsnsD3F2Aish+xmYvBTmUSHDXU/DtKGRB7vgqRSBlMUC9nHCKYvn 8 + 9dBC7gzikMRBNJ7ciOLfB1m7cR3A31gw+4OpUYqlLXCvfdCuh5QPhToy4VDPFZOq 9 + 5C4upvtK1qcyy8ZBLL1mwfLpP79t9NIHZnbg0q5fNwSqUkmGfV+mAJHKH5bZMbxB 10 + 5soPF9yV3mXqXbhl4xEhOMVd50LJwE8t/CyWqkLmZ8CmQ1UovsI4qIDEXP3tLSmC 11 + PAT/RYqw84Pzb7Yd8RYELWnbWR/4BbzjkR5rbj7sklSo55be+A0N5YoWuU1ApBR8 12 + 8LKCKJMzaWnfHS6WNeMNHHP+j7SlBlKnqJWjbjfURJG1HyRx8TIJZ40jZUzfeFG1 13 + W4U0RFQZ83d6vz4MBLa9Fk0ms6NyJoO+Rgh0Wl45tritHtkkwYWyxxPL2yPivQ/w 14 + NDtBn08eliJzxhAGz0pAHETU8aHgNkLAXbMGku9U/hDaQ4XjGH3np6WOjwnCxJ0W 15 + W7ChuMLXcD7CopjGkJSwTUQB3W1McVLQ34yfD7ZroJM 16 + -> ssh-ed25519 wpmdHA JpxYf1dtrdlZEx4E8Su0scbGteAREMlKJ3OHfqDWyRc 17 + /ZVDz4HSKPT6OyeryIEkfplDLN2XIWm0b4ncg/xezfs 18 + --- oY4WmthKy5Ytp1j3hd81DRGFW1A2818Wr9pYmc14hRU 19 + �;�2����}�O3h�u5�� ��缻�N��s}oVU���@��嬝��L�at��8�x��P�R��d�Rx{3�b��?o����x8`��V ܬ�"*����e�� #NV��?� ��aP��N��Iɥ�j��S��y3�i����hgп\�D�b��1;��\A<d��f9����A�g�J4؞��R����'תs�COCs� ���ŒN�v�"��vk>8,�DR���
hosts/marvin/services/secrets/miniflux-admin.age

This is a binary file and will not be displayed.

+24
hosts/marvin/services/secrets/minio-root.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA mgvSF87cU7AZU7wodayiSUZAKkAkwqSrtjhqa4Pykl4 3 + eFNRjsChXz5ij9uOJvf+mJIE5zd6pwKJie7UKmwl5bE 4 + -> ssh-rsa fFaiTA 5 + NcGWHG9CTQ1Gpje+gsMrVlp1qc8w9NW+Onvv8WhaI+IFVEcUD85fvgPaO2jI88jK 6 + TXyPk9RanxiCupk7dF9OXqMprOHexss+h9SSl1AN+4V0Ob/H0r63de0Uuro70t/4 7 + /4FP8t5AE/aoFGdw6CeGyhOYjoLo6YRZAq4fYO0vvitFdcbWVm99OFbO3WfoxNZB 8 + TgUJ2ELV1mRfPKe3QwHYLztKcyxN4CArjNjQvjQbLXS2Hbu3I4f4qIdKPwGVC1HE 9 + Q0c9veAaffaAGgbNUyohDjN4I4jEzkRhTlRN4LNQmOUNLBorWu9ml+IyCnsg2Q+a 10 + nIyp6OvE7t0qElPv7H4m7krBP6WsSXLhUkCd75VgWEgJRqsLz7p8XyUpb/EhPmql 11 + CQy8gcAnsvNjYzC0xpZKsxN37dRvmTmQkWd3E1w4XDwHoh8EMdVXFkTAIZ3IZabZ 12 + 4MSkwhtgTBMiQvWMxIPN9fgsd6t1GawDsH+uN0tPpBslerlF17bszmdSdVYpYZBN 13 + Z2YE9z13vbL3eHvp83fp7n7Ale8sFd6FQ6VpbAa0xHiwYV0WooUHymhcG2W8Lcq9 14 + 5w9LJSaV7HMxjc0nUBloxsOF6ODcrOsfNo1VXe1vnbDAwhDqpcwaylxUoh3zpXHW 15 + XBEIzqVG3qC3ACD/xqCy27DkomgKXCG9eJvirAiQ2Uk 16 + -> ssh-ed25519 wpmdHA xWldzzokOiLqGXnhbDz+xpHYeqkV0ZNuQJqGp1h28VQ 17 + i2/gdjHevsacZhuSDeABMAKEbU0U00U0TQWSHDS82ws 18 + -> \G-grease v0 "."c0,-f Y3. 19 + MpzHrbDONd6D0zPzvCfz/ycI8sKBIP20soAtSN7EucFLN6BCbb13KT1BOh/Yvg5o 20 + +52Mlpg3p0KAdZFYp9Siqmcrb8GEEZ/8lqKu/n8TyD1BWe+eWq2PfbrhCtgqvMlR 21 + Dg 22 + --- lLxTWRzSaZ/GAzAmD88c//dzNqT4UDZQb4szP7MgCGY 23 + +�P��������q�f =Yc��,)��F�P�9�.���� �Z<��ɟF�c,�q���o��Y �>������\�l��z��2ϯ���_s���z��&_�B��q<�J����+0h�_��W 24 +
hosts/marvin/services/secrets/nix-serve-priv.age

This is a binary file and will not be displayed.

hosts/marvin/services/secrets/pinchflat-secrets.age

This is a binary file and will not be displayed.

hosts/marvin/services/secrets/planka-env.age

This is a binary file and will not be displayed.

hosts/marvin/services/secrets/pocket-id-secrets.age

This is a binary file and will not be displayed.

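--- a/hosts/marvin/services/secrets/secrets.nix
+++ b/hosts/marvin/services/secrets/secrets.nix
@@ -0,0 +1,43 @@
+let
+  ssh-new = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxOg9nOtfbedq9AlnXNVUfyU8Mwfj4IB7HX/4VoWeXP";
+  yubi-back = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTVGi3PItsbUhFgnFZlqo1iUggL4npMg94+9FsyhEPfShcQwJK2/jJzjv5S9KPuk3cY7aoqyVFLbnasSBZPXmscJmOiVNvtWvHoC3QPXvf3IAcVZ5KOLpY2NJlPx/pAb31C6ewtg8v3VlyhL4zEp6M+AGwXX51tFDh2GnYD+7SNF+aMhKCrX63syAhgPy3F8mZ2RIDLAu+lsYlwdpWRkSEv9kcjX/6+3QgUWjfPBaKEeYID22ihSuj7+AiuAt0gM4q0TY/Hpcx+qDLonrIuBnm1hMZDgbv//D0sHIUxJQkGTKTEbkZxoh0Qri7UV/V6l3mETaG40deuemMU7RFY7Khl8RajNZ+9z0FdquS/HCt8+fYQk6eLneJrMIQ1bI4awrtblG3P2Yf2QUu+H3kfCQe44R3WjUugTbNtumVgyQBzl2dzlIVn1pZBeyZy70XCgbaFKkDR8Y/qZiUoZ0afP3vTOXhkn5UBfutTKwUiSGh3S8Ge5YhNgKHWE2eQp1ckEm0IMJV/q5Nsw/yBBXj/kfD8ekz96LQ+gP5JFLq4EaipXI7FM4aZNOBUZU1l/sCEuq7m997nrBucTKqGm7Ho3rq7bgdj4f6GyUJXSMOM1cN61LLrRumZGGTH8WghVL7ligxZyNFcQoudR8jfpf4mrgRxipQOe1A2umvuufMr+l/bw==";
+  marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP60B1IOdfJRrDcCKajMV8YJNC01gSsccZi3DKHlS6YJ";
+  marvinDefault = [
+    marvin
+    yubi-back
+    ssh-new
+  ];
+in
+{
+  "anubis-key.age".publicKeys = marvinDefault;
+  "authentik-env.age".publicKeys = marvinDefault;
+  # "buildbot/gitea-token.age".publicKeys = marvinDefault;
+  # "buildbot/oauth-secret.age".publicKeys = marvinDefault;
+  # "buildbot/worker-password.age".publicKeys = marvinDefault;
+  # "buildbot/workers.age".publicKeys = marvinDefault;
+  "forgejo/aux-docs-runner-token.age".publicKeys = marvinDefault;
+  "forgejo/db-pw.age".publicKeys = marvinDefault;
+  "forgejo/default-runner-token.age".publicKeys = marvinDefault;
+  "forgejo/gitgay-runner-token.age".publicKeys = marvinDefault;
+  "forgejo/internal-token.age".publicKeys = marvinDefault;
+  "forgejo/lfs-jwt-secret.age".publicKeys = marvinDefault;
+  "forgejo/mail-pw.age".publicKeys = marvinDefault;
+  "forgejo/oauth2-jwt-secret.age".publicKeys = marvinDefault;
+  "forgejo/secret-key.age".publicKeys = marvinDefault;
+  "golink-authkey.age".publicKeys = marvinDefault;
+  "grafana-admin-password.age".publicKeys = marvinDefault;
+  "grafana-smtp-password.age".publicKeys = marvinDefault;
+  "immich/oauth-secret.age".publicKeys = marvinDefault;
+  "immich/mail-pw.age".publicKeys = marvinDefault;
+  "jellyfin-exporter-config.age".publicKeys = marvinDefault;
+  "minio-root.age".publicKeys = marvinDefault;
+  "miniflux-admin.age".publicKeys = marvinDefault;
+  "../nextcloud/nextcloud-admin-pw.age".publicKeys = marvinDefault;
+  "nix-serve-priv.age".publicKeys = marvinDefault;
+  "pinchflat-secrets.age".publicKeys = marvinDefault;
+  "planka-env.age".publicKeys = marvinDefault;
+  "pocket-id-secrets.age".publicKeys = marvinDefault;
+  "vaultwarden-vars.age".publicKeys = marvinDefault;
+  "vaultwarden-pgpass.age".publicKeys = marvinDefault;
+  "webmentiond-env.age".publicKeys = marvinDefault;
+}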
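Review bot: The rule set does not match the encrypted files that sit next to it: the four `buildbot/*.age` rules are commented out although those files are added in this same change, and `thehedgehog-key.age` and `thehedgehog-pem.age` are listed as changed in this directory with no rule at all. A file without a `publicKeys` entry is skipped when secrets are re-encrypted from this rule set, so after rotating or retiring one of the three recipient keys those blobs would stay decryptable by the old key. Either delete the unused `.age` files from the tree or restore their rules, and add rules for the two `thehedgehog-*` files if they are still in use. `"golink-authkey.age"` has a rule but no matching file is visible in this listing; that may simply be unchanged, but is worth checking. A comment above `marvinDefault` stating which key is the host key and which are operator keys would make later rotation less error-prone.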
hosts/marvin/services/secrets/thehedgehog-key.age

This is a binary file and will not be displayed.

hosts/marvin/services/secrets/thehedgehog-pem.age

This is a binary file and will not be displayed.

+20
hosts/marvin/services/secrets/vaultwarden-pgpass.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 iqBxIA MmMZMGXNjC0521Tc/YRvAc4uV6Mj14Hrncf05PEEEns 3 + 3gv8ZFgFx8CHTRelKT4AOGdNTnTtNsJqOCoynmzuOWI 4 + -> ssh-rsa fFaiTA 5 + Uy93t1IeeIHUwzKCA6m00kl58Z7Uyzsx08CFF2trLruf3iB6+mk703K6QMkrBUHR 6 + awSxL8TOLlRwV/h/ckFfTMlltPYcs49s1NV5BhqRSFQJpFOWtoh2RH+6HpZt7lVv 7 + 8rS2lnlrsm+s+oragwMPMtjLbN5llH3NiZ4V8C2bksKllxAYZJ98rT+kFB+k1BGI 8 + o8GcP7Z4+SyEyr4NZBo7pIdpyPYIvhw2MQUSM80Hs30IKGkvBuybDefYY7tSSCZ8 9 + puFY2uGI0tLcX9PCT73M7NRCO4Z9lgQgixDrLerDl4pwLd+6p5UHBk9DdmcxyX3f 10 + hYC75XcIMOKJfnSUd/maMzx7xgCHtGRuGTp2sHccC5pkjlhI7S8e6Exae66UjXYC 11 + 5AAA18m8Vzjcck0WiEE7XsZMCwYuKLg53wzsyhPLsHOTiu7BqRg8S/pmArY2SOa+ 12 + DfQE/fjpljGeKC9mDfyLe4+lyGQ1lUCzASacd1kG5iWS2NM0KDEG/iUTsurfY2gI 13 + 5v76P3r5iV6jQUGpwScH5XgaekbqC/Xp58p9JbNmPeD5q10ORPggJov4BmqZlX/c 14 + Zf2ImTzmECdFRRpcQHZEd/XpR2BfEXCfeLKJiwjYEYKYchD0eWOC7LUnb3+n1Ce+ 15 + XtlEs77kAkY1SfZyBv9AkP0FXUrfh7VLMeAh2cIsNzw 16 + -> ssh-ed25519 wpmdHA tjOcqTNJbYxD3s9DqfIHUHdw0xqtkWjMou7lPrANHEA 17 + s+9wASJ94ILA0SZYCrHO877yLLs+rZApqrJGi3sBznI 18 + --- CM35xl4mV3DtEYw5Fhzjpj79v4twt09X+weM5EoNkGw 19 + ��M�y&�q��p{p�W>û`A��@��L��/�@����:P���߿u�Nڏ&��^v��0�*/�u�q[�<�M<6J�W� �����9��~c��v�z 20 + k>���ˊ �I�
hosts/marvin/services/secrets/vaultwarden-vars.age

This is a binary file and will not be displayed.

hosts/marvin/services/secrets/webmentiond-env.age

This is a binary file and will not be displayed.

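--- a/hosts/marvin/services/syncthing.nix
+++ b/hosts/marvin/services/syncthing.nix
@@ -0,0 +1,15 @@
+{
+  services.syncthing = {
+    enable = false;
+    guiAddress = "0.0.0.0:8384";
+  };
+  # Open The Ports!
+  networking.firewall.allowedTCPPorts = [
+    8384
+    22000
+  ];
+  networking.firewall.allowedUDPPorts = [
+    22000
+    21027
+  ];
+}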
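Review bot: The two `networking.firewall` lists are applied unconditionally even though `services.syncthing.enable = false`, so the host keeps four ports open for a service that is not running, and whatever later binds them is reachable from outside. Port 8384 is the Syncthing GUI, which `guiAddress = "0.0.0.0:8384"` would put on every interface as soon as the service is enabled. Prefer `guiAddress = "127.0.0.1:8384";` with access through a tunnel or proxy, and replace the hand-written lists with `openDefaultPorts = true;` inside `services.syncthing`, which covers the sync and discovery ports only and takes effect only when the service is enabled. If the lists stay, wrap them in `lib.mkIf config.services.syncthing.enable`, which needs the file to take `{ config, lib, ... }:`.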
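--- a/hosts/marvin/services/tailscale.nix
+++ b/hosts/marvin/services/tailscale.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+{
+  services.tailscale = {
+    enable = true;
+    permitCertUid = "962";
+  };
+  networking.firewall = {
+    trustedInterfaces = [ "tailscale0" ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+    checkReversePath = "loose";
+  };
+}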
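Review bot: `permitCertUid = "962"` grants access to the node's Tailscale TLS certificates to a bare numeric UID, with nothing saying which account that is. System UIDs are not guaranteed to be the same after a reinstall or on another host, so the number could end up naming a different service; the option also accepts a user name, e.g. `permitCertUid = "<service-user>";` (placeholder for the intended account). `trustedInterfaces = [ "tailscale0" ]` exempts the whole tailnet from the host firewall, so every listener bound to `0.0.0.0` elsewhere in this configuration is reachable by every tailnet peer. If that is intended, add a comment saying tailnet ACLs are the control being relied on; otherwise open the needed ports per interface instead.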
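--- a/hosts/marvin/services/tangled.nix
+++ b/hosts/marvin/services/tangled.nix
@@ -0,0 +1,44 @@
+{
+  config,
+  lib,
+  self,
+  ...
+}:
+let
+  cfg = config.services.tangled.knot;
+  dk = self.lib.data.services.tangled-knot;
+  ds = self.lib.data.services.tangled-spindle;
+in
+{
+  services = {
+    tangled = {
+      knot = {
+        enable = true;
+        gitUser = "git";
+        stateDir = "/var/lib/tangled-knot";
+        repo.scanPath = "${cfg.stateDir}/repos";
+        server = {
+          listenAddr = "0.0.0.0:${toString dk.port}";
+          hostname = dk.extUrl;
+          internalListenAddr = "127.0.0.1:${toString dk.intListenPort}";
+          owner = "did:plc:5cqzysioqzttihsnbsaxrggu";
+        };
+      };
+      spindle = {
+        enable = true;
+        server = {
+          listenAddr = "0.0.0.0:${toString ds.port}";
+          hostname = ds.extUrl;
+          owner = "did:plc:5cqzysioqzttihsnbsaxrggu";
+        };
+        pipelines.workflowTimeout = "10m";
+      };
+    };
+    openssh = {
+      enable = lib.mkForce cfg.enable;
+      ports = [ 2222 ];
+      settings.AllowUsers = [ "git" ];
+      settings.AllowGroups = [ "git" ];
+    };
+  };
+}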
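Review bot: The `openssh` block reconfigures the host's sshd as a whole, not just access for the knot: `settings.AllowUsers = [ "git" ]` and `settings.AllowGroups = [ "git" ]` reject every other account, and `enable = lib.mkForce cfg.enable` overrides whatever the base configuration sets. If administration or deployment of this machine goes over SSH as another user (not visible from here), this change locks it out. If git-only access is intended, say so in a comment and keep one of the two directives, since a login has to satisfy both. The knot and spindle `listenAddr` values bind `0.0.0.0` although both have an external hostname; if a reverse proxy fronts them, `127.0.0.1` keeps the proxy as the only path in. The owner DID is written twice and could be one `let` binding.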
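--- a/hosts/marvin/services/vaultwarden.nix
+++ b/hosts/marvin/services/vaultwarden.nix
@@ -0,0 +1,101 @@
+{
+config,
+self,
+self',
+...
+}:
+let
+
+d = self.lib.data.services.vaultwarden;
+
+vaultwardenSecret = {
+owner = "vaultwarden";
+group = "vaultwarden";
+};
+in
+{
+services.vaultwarden = {
+enable = true;
+dbBackend = "postgresql";
+config = {
+# Web Server Settings
+domain = "https://${d.extUrl}";
+rocketAddress = "0.0.0.0";
+rocketCliColors = false;
+rocketPort = d.port;
+reloadTemplates = false;
+logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";
+# # Ratelimiting
+loginRatelimitSeconds = 60;
+loginRatelimitMaxBurst = 10;
+adminRatelimitSeconds = 120;
+adminRatelimitMaxBurst = 2;
+adminSessionLifetime = 10;
+
+# Logging
+useSyslog = true;
+extendedLogging = true;
+
+# Features
+sendsAllowed = true;
+emailChangeAllowed = true;
+emergencyAccessAllowed = true;
+
+# Invitations
+invitationsAllowed = true;
+invitationOrgName = "dishNet Vault";
+invitationExpirationHours = 168;
+
+# Database
+databaseUrl = "postgresql://localhost:5432/vaultwarden";
+
+# Signups
+signupsAllowed = false;
+signupsVerify = true;
+signupsDomainWhitelist = "pyrox.dev";
+
+# Passwords
+# # 1 Mil hash iterations by default
+passwordIterations = 1000000;
+passwordHintsAllowed = true;
+showPasswordHint = true;
+
+# Mail
+smtpFrom = "vault@pyrox.dev";
+smtpFromName = "dishNet Vault <vault@pyrox.dev>";
+smtpUsername = "vault@pyrox.dev";
+smtpSecurity = "force_tls";
+smtpPort = 465;
+smtpHost = "mail.pyrox.dev";
+smtpAuthMechanism = "Login";
+smtpTimeout = 20;
+smtpEmbedImages = true;
+useSendmail = false;
+
+# Authentication
+incomplete2faTimeLimit = 5;
+# # Email 2FA
+emailExpirationTime = 180;
+emailTokenSize = 7;
+requireDeviceEmail = true;
+
+# Misc Settings
+trashAutoDeleteDays = 14;
+};
+environmentFile = config.age.secrets.vaultwarden-vars.path;
+};
+systemd.services.vaultwarden.environment.PGPASSFILE = config.age.secrets.vaultwarden-pgpass.path;
+age.secrets.vaultwarden-vars = vaultwardenSecret // {
+file = ./secrets/vaultwarden-vars.age;
+};
+age.secrets.vaultwarden-pgpass = vaultwardenSecret // {
+file = ./secrets/vaultwarden-pgpass.age;
+};
+services.anubis.instances.vaultwarden = {
+settings = {
+BIND = ":${toString d.anubis}";
+POLICY_FNAME = "${self'.packages.anubis-files}/policies/vaultwarden.yaml";
+TARGET = "http://localhost:${toString d.port}";
+};
+};
+}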
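Review bot: `showPasswordHint = true` on line 61 makes Vaultwarden show a user's password hint in the web UI to anyone who submits that user's e-mail address, without authentication. SMTP is configured in this same block, so the hint can be mailed to the account owner instead; `showPasswordHint = false;` is the safer setting. Also, `rocketAddress = "0.0.0.0"` on line 23 leaves the backend reachable directly on `d.port`, although the Anubis instance at the end of the file only targets `http://localhost`. Setting `rocketAddress = "127.0.0.1";` would keep clients from bypassing the Anubis policy.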
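--- a/hosts/marvin/services/zfs.nix
+++ b/hosts/marvin/services/zfs.nix
@@ -0,0 +1,8 @@
+{
+services.zfs = {
+trim.enable = true;
+autoScrub.enable = true;
+autoScrub.pools = [ "tank" ];
+autoSnapshot.enable = true;
+};
+}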
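--- a/hosts/prefect/bootloader.nix
+++ b/hosts/prefect/bootloader.nix
@@ -0,0 +1,44 @@
+{ pkgs, modulesPath, ... }:
+let
+fileSystems = {
+btrfs = true;
+ext4 = true;
+vfat = true;
+zfs = true;
+};
+in
+{
+imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+boot = {
+zfs.devNodes = "/dev/";
+loader = {
+grub.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_21170924";
+grub.enable = true;
+};
+initrd = {
+availableKernelModules = [
+"ata_piix"
+"uhci_hcd"
+"xen_blkfront"
+"ahci"
+"xhci_pci"
+"virtio_pci"
+"sd_mod"
+"sr_mod"
+];
+kernelModules = [ "nvme" ];
+supportedFilesystems = fileSystems;
+};
+supportedFilesystems = fileSystems;
+kernelPackages = pkgs.linuxPackages_6_1;
+kernel.sysctl = {
+"net.ipv4.ip_forward" = true;
+"net.ipv6.conf.all.forwarding" = true;
+"net.ipv4.conf.default.rp_filter" = false;
+"net.ipv4.conf.all.rp_filter" = false;
+};
+};
+services.udev.extraRules = ''
+ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none"
+'';
+}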
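Review bot: The `kernel.sysctl` block (lines 34-39) turns off `rp_filter` for all interfaces, the public one included, and gives no reason, so source-address validation is left entirely to the nftables side. If asymmetric dn42 routing is the reason, say so with a comment such as `# dn42 paths are asymmetric; strict rp_filter drops valid return traffic`. Also confirm that `networking.firewall.checkReversePath` is set deliberately for this host, since firewall.nix in this change does not set it.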
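--- a/hosts/prefect/default.nix
+++ b/hosts/prefect/default.nix
@@ -0,0 +1,56 @@
+{
+pkgs,
+inputs,
+...
+}:
+{
+disabledModules = [
+"services/mail/stalwart-mail.nix"
+];
+imports = [
+"${inputs.nixpkgs-stalwart-fix}/nixos/modules/services/mail/stalwart-mail.nix"
+# Machine-specific configurations.
+./bootloader.nix
+./firewall.nix
+./networking.nix
+./hardware.nix
+./packages.nix
+
+# DN42 Services
+./dn42/default.nix
+
+# Running Services
+./services/acme.nix
+./services/caddy.nix
+./services/fail2ban.nix
+./services/mailserver
+./services/prometheus.nix
+./services/secrets.nix
+./services/tailscale.nix
+];
+fileSystems = {
+"/" = {
+fsType = "ext4";
+device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_21170924-part1";
+};
+};
+
+nix.settings.max-jobs = 2;
+nix.settings.cores = 2;
+
+programs.fish.enable = true;
+programs.fish.interactiveShellInit = ''
+${pkgs.direnv}/bin/direnv hook fish | source
+'';
+py = {
+profiles.server.enable = true;
+users.default.enable = true;
+programs = {
+fish.enable = true;
+neovim.enable = true;
+};
+services.scrutiny.collector.enable = false;
+};
+security.tpm2.enable = false;
+security.tpm2.abrmd.enable = false;
+}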
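--- a/hosts/prefect/dn42/default.nix
+++ b/hosts/prefect/dn42/default.nix
@@ -0,0 +1,67 @@
+{ pkgs, config, ... }:
+let
+cfg42 = config.dn42;
+in
+{
+imports = [
+./peers
+];
+networking = {
+interfaces.lo = {
+ipv4.addresses = [
+{
+address = "172.20.43.96";
+prefixLength = 32;
+}
+];
+ipv6.addresses = [
+{
+address = "fd21:1500:66b0::1";
+prefixLength = 128;
+}
+{
+address = "fe80::1";
+prefixLength = 128;
+}
+];
+};
+};
+
+environment.systemPackages = with pkgs; [
+dnsutils
+mtr
+tcpdump
+wireguard-tools
+];
+dn42 = {
+enable = true;
+# ASN corresponding to DN42 PYRONET
+as = 4242422459;
+# Communities config
+# https://dn42.dev/howto/BGP-communities
+region = 42;
+country = 1840;
+routerId = cfg42.addr.v4;
+# Primary IP Addresses
+addr = {
+v4 = "172.20.43.96";
+v6 = "fd21:1500:66b0::1";
+};
+# Owned IP Ranges
+nets = {
+v4 = [ "172.20.43.96/27" ];
+v6 = [ "fd21:1500:66b0::/48" ];
+};
+# Enable StayRTR
+# https://github.com/bgp/stayrtr
+stayrtr.enable = true;
+# Peer with GRC
+# https://dn42.dev/services/Route-Collector
+collector.enable = true;
+
+wg.tunnelDefaults = {
+privateKeyFile = "/run/agenix/dn42-privkey";
+localAddrs.v4 = cfg42.addr.v4;
+};
+};
+}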
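Review bot: `privateKeyFile = "/run/agenix/dn42-privkey"` on line 63 hard-codes the agenix runtime path, whereas the other service files in this change read secrets through `config.age.secrets.<name>.path`. With `privateKeyFile = config.age.secrets.dn42-privkey.path;`, evaluation fails if the secret is not declared, and the path follows any change to the secrets directory. The declaration of `dn42-privkey` is not visible in this file, so confirm it exists and that its owner and mode restrict the key to the WireGuard setup.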
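--- a/hosts/prefect/dn42/peers/bandura.nix
+++ b/hosts/prefect/dn42/peers/bandura.nix
@@ -0,0 +1,25 @@
+{ dn42Types, ... }:
+{
+config.dn42 = {
+peers.bandura = {
+as = 4242422923;
+addr.v6 = "fe80::2926";
+interface = "wg42_bandura";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = "fe80::11";
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."55ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.bandura = {
+listenPort = 44923;
+peerPubKey = "xPW1/cWYDkk/IAss1GbdwVMW7fzKtyHA+qrfCriOB2k=";
+peerEndpoint = "aurora.mk16.de:52459";
+peerAddrs.v6 = "fe80::2926";
+localAddrs.v6 = "fe80::11";
+};
+};
+}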
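--- a/hosts/prefect/dn42/peers/catgirls.nix
+++ b/hosts/prefect/dn42/peers/catgirls.nix
@@ -0,0 +1,26 @@
+{ dn42Types, ... }:
+{
+config.dn42 = {
+peers.catgirls = {
+as = 4242421411;
+addr.v6 = "fe80::2189:124";
+interface = "wg42_catgirls";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = "fe80::111";
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."148ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.catgirls = {
+enable = false;
+listenPort = 43411;
+peerPubKey = "";
+peerEndpoint = "";
+peerAddrs.v6 = "fe80::111";
+localAddrs.v6 = "fe80::7";
+};
+};
+}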
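--- a/hosts/prefect/dn42/peers/chrismoos.nix
+++ b/hosts/prefect/dn42/peers/chrismoos.nix
@@ -0,0 +1,26 @@
+{ dn42Types, ... }:
+{
+config.dn42 = {
+peers.chrismoos = {
+as = 4242421588;
+addr.v6 = "fe80::1588";
+interface = "wg42_chrismoos";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = "fe80::100";
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."2.7ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.chrismoos = {
+listenPort = 43588;
+peerPubKey = "itmJ4Z8V1aNN368P6kMzuQM+GdzWbBKZjJiXrgSeGlw=";
+peerEndpoint = "us-qas01.dn42.tech9.io:58768";
+peerAddrs.v4 = "172.20.16.143";
+peerAddrs.v6 = "fe80::1588";
+localAddrs.v6 = "fe80::100";
+};
+};
+}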
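--- a/hosts/prefect/dn42/peers/darkpoint.nix
+++ b/hosts/prefect/dn42/peers/darkpoint.nix
@@ -0,0 +1,29 @@
+{ dn42Types, ... }:
+let
+peerv6 = "fe80::150";
+localv6 = "fe80::113";
+in
+{
+config.dn42 = {
+peers.darkpoint = {
+as = 4242420150;
+addr.v6 = peerv6;
+interface = "wg42_darkpoint";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = localv6;
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."2.7ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.darkpoint = {
+listenPort = 42150;
+peerPubKey = "1o0XfQvBM1gqknqzfuOnVmf2RjRTHuyMZYNipSSb2TQ=";
+peerEndpoint = "iad.darkpoint.xyz:22459";
+peerAddrs.v6 = peerv6;
+localAddrs.v6 = localv6;
+};
+};
+}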
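--- a/hosts/prefect/dn42/peers/default.nix
+++ b/hosts/prefect/dn42/peers/default.nix
@@ -0,0 +1,23 @@
+_:
+let
+dn42Types = import ../types.nix;
+in
+{
+# Port numbers are 42000 + `last 4 digits of ASN`
+imports = [
+# keep-sorted start
+(import ./bandura.nix { inherit dn42Types; })
+# (import ./catgirls.nix { inherit dn42Types; })
+(import ./chrismoos.nix { inherit dn42Types; })
+(import ./darkpoint.nix { inherit dn42Types; })
+(import ./iedon.nix { inherit dn42Types; })
+(import ./kioubit.nix { inherit dn42Types; })
+(import ./lare.nix { inherit dn42Types; })
+(import ./potato.nix { inherit dn42Types; })
+(import ./prefixlabs.nix { inherit dn42Types; })
+(import ./routedbits.nix { inherit dn42Types; })
+(import ./sunnet.nix { inherit dn42Types; })
+(import ./uffsalot.nix { inherit dn42Types; })
+# keep-sorted end
+];
+}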
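--- a/hosts/prefect/dn42/peers/iedon.nix
+++ b/hosts/prefect/dn42/peers/iedon.nix
@@ -0,0 +1,26 @@
+{ dn42Types, ... }:
+{
+config.dn42 = {
+peers.iedon = {
+as = 4242422189;
+addr.v6 = "fe80::2189:124";
+interface = "wg42_iedon";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = "fe80::6";
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."20ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.iedon = {
+listenPort = 44198;
+peerPubKey = "2Wmv10a9eVSni9nfZ7YPsyl3ZC5z7vHq0sTZGgk5WGo=";
+peerEndpoint = "us-nyc.dn42.iedon.net:48883";
+peerAddrs.v4 = "172.23.91.124";
+peerAddrs.v6 = "fe80::2189:124";
+localAddrs.v6 = "fe80::6";
+};
+};
+}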
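Review bot: `listenPort = 44198` on line 18 does not follow the rule stated in peers/default.nix, "Port numbers are 42000 + `last 4 digits of ASN`". AS 4242422189 gives 44189, and every other peer file in this change matches the rule. If the digits were transposed, the port the peer dials will not match this listener; change it to `listenPort = 44189;`, or add a comment that the deviation was agreed with the peer.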
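--- a/hosts/prefect/dn42/peers/kioubit.nix
+++ b/hosts/prefect/dn42/peers/kioubit.nix
@@ -0,0 +1,27 @@
+{ dn42Types, ... }:
+{
+config.dn42 = {
+peers.kioubit = {
+as = 4242423914;
+addr.v6 = "fe80::ade0";
+interface = "wg42_kioubit";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = "fe80::ade1";
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."7.3ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.kioubit = {
+listenPort = 45914;
+peerPubKey = "6Cylr9h1xFduAO+5nyXhFI1XJ0+Sw9jCpCDvcqErF1s=";
+peerEndpoint = "us2.g-load.eu:22459";
+peerAddrs.v4 = "172.20.53.98";
+peerAddrs.v6 = "fe80::ade0";
+localAddrs.v4 = "192.168.220.70";
+localAddrs.v6 = "fe80::ade1";
+};
+};
+}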
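--- a/hosts/prefect/dn42/peers/lare.nix
+++ b/hosts/prefect/dn42/peers/lare.nix
@@ -0,0 +1,25 @@
+{ dn42Types, ... }:
+{
+config.dn42 = {
+peers.lare = {
+as = 4242423035;
+addr.v6 = "fe80::3035:137";
+interface = "wg42_lare";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = "fe80::112";
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."20ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.lare = {
+listenPort = 45035;
+peerPubKey = "AREskFoxP2cd6DXoJ7druDsiWKX+8TwrkQqfi4JxRRw=";
+peerEndpoint = "use2.dn42.lare.cc:22459";
+peerAddrs.v6 = "fe80::3035:137";
+localAddrs.v6 = "fe80::112";
+};
+};
+}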
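--- a/hosts/prefect/dn42/peers/potato.nix
+++ b/hosts/prefect/dn42/peers/potato.nix
@@ -0,0 +1,26 @@
+{ dn42Types, ... }:
+{
+config.dn42 = {
+peers.potato = {
+as = 4242421816;
+addr.v6 = "fe80::1816";
+interface = "wg42_potato";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = "fe80::111";
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."148ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.potato = {
+enable = false;
+listenPort = 43816;
+peerPubKey = "LUwqKS6QrCPv510Pwt1eAIiHACYDsbMjrkrbGTJfviU=";
+peerEndpoint = "las.node.potat0.cc:22459";
+peerAddrs.v6 = "fe80::1816";
+localAddrs.v6 = "fe80::9";
+};
+};
+}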
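Review bot: `srcAddr.v6 = "fe80::111"` on line 10 does not match the tunnel's `localAddrs.v6 = "fe80::9"` on line 23, whereas the two values are the same in the other imported peer files of this change. If the tunnel is re-enabled as written, the BGP session would presumably source from an address that is not on `wg42_potato`; set both to the same link-local address. The `peers.potato` entry also stays defined while the tunnel has `enable = false`, so check that the dn42 module tolerates a peer whose interface is absent.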
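--- a/hosts/prefect/dn42/peers/prefixlabs.nix
+++ b/hosts/prefect/dn42/peers/prefixlabs.nix
@@ -0,0 +1,26 @@
+{ dn42Types, ... }:
+{
+config.dn42 = {
+peers.prefixlabs = {
+as = 4242421240;
+addr.v6 = "fe80::1240:2";
+interface = "wg42_prefixlabs";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = "fe80::240";
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."7.3ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.prefixlabs = {
+listenPort = 43240;
+peerPubKey = "uRYzFGi+/B6pD0FR2SW3G/OzC5LPJXePNIt0s+nJfW0=";
+peerEndpoint = "us-01.prefixlabs.net:22459";
+peerAddrs.v4 = "172.20.209.11";
+peerAddrs.v6 = "fe80::1240:2";
+localAddrs.v6 = "fe80::240";
+};
+};
+}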
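--- a/hosts/prefect/dn42/peers/routedbits.nix
+++ b/hosts/prefect/dn42/peers/routedbits.nix
@@ -0,0 +1,26 @@
+{ dn42Types, ... }:
+{
+config.dn42 = {
+peers.routedbits = {
+as = 4242420207;
+addr.v6 = "fe80::207";
+interface = "wg42_routedbits";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = "fe80::5";
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."2.7ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.routedbits = {
+listenPort = 42207;
+peerPubKey = "/RLM4EcF8b7FKKcxnvHIYyDoES59HXIBqhKEWt4yRy0=";
+peerEndpoint = "router.iad1.routedbits.com:52459";
+peerAddrs.v4 = "172.20.19.73";
+peerAddrs.v6 = "fe80::207";
+localAddrs.v6 = "fe80::5";
+};
+};
+}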
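--- a/hosts/prefect/dn42/peers/sunnet.nix
+++ b/hosts/prefect/dn42/peers/sunnet.nix
@@ -0,0 +1,26 @@
+{ dn42Types, ... }:
+{
+config.dn42 = {
+peers.sunnet = {
+as = 4242423088;
+addr.v6 = "fe80::3088:193";
+interface = "wg42_sunnet";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = "fe80::abcd";
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."148ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.sunnet = {
+listenPort = 45088;
+peerPubKey = "QSAeFPotqFpF6fFe3CMrMjrpS5AL54AxWY2w1+Ot2Bo=";
+peerEndpoint = "lax1-us.dn42.6700.cc:22459";
+peerAddrs.v4 = "172.21.100.193";
+peerAddrs.v6 = "fe80::3088:193";
+localAddrs.v6 = "fe80::abcd";
+};
+};
+}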
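--- a/hosts/prefect/dn42/peers/uffsalot.nix
+++ b/hosts/prefect/dn42/peers/uffsalot.nix
@@ -0,0 +1,26 @@
+{ dn42Types, ... }:
+{
+config.dn42 = {
+peers.uffsalot = {
+as = 4242420780;
+addr.v6 = "fe80::780";
+interface = "wg42_uffsalot";
+extendedNextHop = true;
+# My side
+srcAddr.v6 = "fe80::10";
+# Communities
+crypto = dn42Types.crypto.safePFS;
+latency = dn42Types.latency."148ms";
+bandwidth = dn42Types.bandwidth."1000mb";
+transit = true;
+};
+wg.tunnels.uffsalot = {
+listenPort = 42780;
+peerPubKey = "7V65FxvD9AQetyUr0qSiu+ik8samB4Atrw2ekvC0xQM=";
+peerEndpoint = "dn42-de-fra4.brand-web.net:42459";
+peerAddrs.v4 = "172.20.191.129";
+peerAddrs.v6 = "fe80::780";
+localAddrs.v6 = "fe80::10";
+};
+};
+}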
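--- a/hosts/prefect/dn42/types.nix
+++ b/hosts/prefect/dn42/types.nix
@@ -0,0 +1,63 @@
+# DN42 Community Standard BGP Communities
+# See main lists here: https://dn42.dev/howto/BGP-communities
+{
+latency = {
+"2.7ms" = 1;
+"7.3ms" = 2;
+"20ms" = 3;
+"55ms" = 4;
+"148ms" = 5;
+"403ms" = 6;
+"1097ms" = 7;
+"2981ms" = 8;
+"gt2981" = 9;
+};
+bandwidth = {
+"0.1mb" = 21;
+"1mb" = 22;
+"10mb" = 23;
+"100mb" = 24;
+"1000mb" = 25;
+};
+crypto = {
+unencrypted = 31;
+unsafeVPN = 32;
+safeNoPFS = 33;
+safePFS = 34;
+};
+region = {
+europe = 41;
+northAmericaEast = 42;
+northAmericaCentral = 43;
+northAmericaWest = 44;
+centralAmerica = 45;
+southAmericaEast = 46;
+southAmericaWest = 47;
+africaNorth = 48;
+africaSouth = 49;
+asiaSouth = 50;
+asiaSouthEast = 51;
+asiaEast = 52;
+pacificOceania = 53;
+antarctica = 54;
+asiaNorth = 55;
+asiaWest = 56;
+centralAsia = 57;
+};
+country = {
+canada = 1124;
+china = 1156;
+taiwan = 1158;
+france = 1250;
+germany = 1276;
+hongKong = 1344;
+japan = 1392;
+netherlands = 1528;
+norway = 1578;
+russianFederation = 1643;
+singapore = 1702;
+switzerland = 1756;
+unitedKingdom = 1826;
+unitedStatesOfAmerica = 1840;
+};
+}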
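--- a/hosts/prefect/firewall.nix
+++ b/hosts/prefect/firewall.nix
@@ -0,0 +1,44 @@
+{
+# Enable using nftables instead of iptables
+networking.nftables.enable = true;
+networking.firewall = {
+enable = true;
+allowedTCPPorts = [
+25
+80
+143
+179
+389
+443
+465
+587
+636
+993
+4130
+4190
+6900
+8000
+];
+allowedUDPPorts = [
+80
+636
+4367
+6900
+34197
+];
+allowedUDPPortRanges = [
+{
+from = 42000;
+to = 52000;
+}
+];
+trustedInterfaces = [
+"wg0"
+];
+extraForwardRules = ''
+meta iifname "wg42_*" meta oifname "wg42_*" accept
+meta iifname tailscale0 meta oifname "wg42_*" accept
+meta iifname "wg42_*" meta oifname tailscale0 tcp dport 22 accept
+'';
+};
+}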
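Review bot: `extraForwardRules` (lines 38-42) is, as far as I know, only rendered into the nftables ruleset when `networking.firewall.filterForward` is enabled, and this file does not set it. Unless another module does, the three forward rules are inert and forwarding between interfaces is unfiltered, because bootloader.nix switches `ip_forward` on. Add `filterForward = true;` next to `enable = true;` so the forward chain defaults to drop. It is also worth confirming that the third rule, which admits traffic from any `wg42_*` peer to TCP 22 behind `tailscale0`, is intended. `allowedUDPPortRanges` opens 42000-52000 for about a dozen tunnels, so listing the tunnel ports individually would shrink the exposed surface.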
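--- a/hosts/prefect/hardware.nix
+++ b/hosts/prefect/hardware.nix
@@ -0,0 +1 @@
+{ zramSwap.enable = true; }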
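--- a/hosts/prefect/networking.nix
+++ b/hosts/prefect/networking.nix
@@ -0,0 +1,35 @@
+{ lib, ... }:
+{
+networking = {
+hostName = "prefect";
+hostId = "496e5e96";
+nameservers = lib.mkForce [
+"172.20.0.53"
+"172.23.0.53"
+"fd42:d42:d42:53::1"
+"fd42:d42:d42:54::1"
+"2a01:4ff:ff00::add:2"
+"2a01:4ff:ff00::add:1"
+"185.12.64.1"
+"185.12.64.2"
+"100.123.15.72"
+];
+resolvconf.enable = false;
+resolvconf.extraConfig = ''
+name_servers="172.20.0.53 172.23.0.53 fd42:d42:d42:53::1 fd42:d42:d42:54::1 2a01:4ff:ff00::add:2 2a01:4ff:ff00::add:1 185.12.64.1 185.12.64.2 100.64.0.3 45.11.45.11"
+# name_servers="100.64.0.3"
+'';
+interfaces.enp1s0 = {
+ipv6.addresses = [
+{
+address = "2a01:4ff:f0:98bf::1";
+prefixLength = 64;
+}
+];
+};
+defaultGateway6 = {
+address = "fe80::1";
+interface = "enp1s0";
+};
+};
+}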
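Review bot: `resolvconf.extraConfig` (lines 18-21) presumably has no effect because `resolvconf.enable = false` on the line above. Its server list has also drifted from `nameservers`: it ends in `100.64.0.3 45.11.45.11` where the list above ends in `100.123.15.72`. Remove the dead block or re-enable resolvconf so there is a single source of truth. Assuming the `nameservers` list ends up in /etc/resolv.conf as written, glibc consults only the first three entries, so every lookup on this host goes to the dn42 resolvers and the later entries are never tried. For a host that default.nix sets up as a mail server, put the resolvers you trust for public names first, or run a local resolver that forwards only dn42 zones to the dn42 servers.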
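--- a/hosts/prefect/packages.nix
+++ b/hosts/prefect/packages.nix
@@ -0,0 +1,4 @@
+{ pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [ direnv ];
+}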
+19
hosts/prefect/secrets/acme-creds.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 LcWOqQ W9y79zRYtD++Eh6rHy123fXPpbjF/VKym6yKbiJdeko 3 + RblRsoHs16Zi2sG3wqdcW60hRUWG2QQQS/Rvro5fPlk 4 + -> ssh-rsa fFaiTA 5 + gfo7VZ2QjUSHTSuY5fL9clW/RwnMLbFEBcM6tGwXdaJBtnGJiK3TE/haiX078y9l 6 + Yw8qA04rQ0d4PSN2aUvLhbj1la8WfkutwZM1E4otuiI0waPLVBK7lyImSucMJVRW 7 + ZyYJuRUNAbyGZcj6qrbTPOK2qv4NORbVNJrXA5utUOn7+SimpifUcN60mSY1LTXG 8 + AmWa+qo7iWTkSngEG+ZaqnCqKRBGn9j3b9h925ah13PKaP9Y1g3L2EtSj/Z0BMPS 9 + PGTuObBgc1a+mQswcDY1tLq2gdohPAoRV/6djRdL7cnkVK3gcrPq+qca6Vy4xV1N 10 + w1IPPb4TTEPuTdqJRHQ/56b3QK9+ahpDUQMfUGcJ7nQeVqYksu8fbEhkCNTW2nK7 11 + Z+XC9BbksI/xlIC0t7HjMf99c2rLxbBY3lkh8EiH3vlCEURAqbAw4yRjSeUU24SP 12 + ieEI3fFp1ShFxVKQ15mcICGD6bCK55S7lk6RFYMsPFn+gaNWpy1k6KPPom6Bw0pf 13 + uHQ2Mc8eTPe6pmeLkV133TIvf5fWZTpOaw9fV9DLyggd04yTYsfbn2g7TBEC/PaK 14 + 9UjuxtlyZOLWzvoa6leKhqJDhJnQcYKSXGczjMtWzwwdhDlK7gM84uSw/NHjc/uP 15 + mswdQXpTIZ3AawGtgJy1hx0gxOBNNTJTu3T0kR2TP9E 16 + -> ssh-ed25519 wpmdHA QHgeXP4+KHH7z+oNDoJiQx2W5rywdt8ufTFqMKJSAg4 17 + 8Ws80AAf/4LYBu+BIxFaCf5+X6STrurg2Oel8wQ4LVI 18 + --- gtLhAHFMWYrIqO7DB2HyBXvh3rFaTY9T99R/1Nn8Jq0 19 + (�h�=gx��:�d9�y��^c�m���2b��$�� K�M3:�f*�VH�8�h���9��!� i�U����k?��
+19
hosts/prefect/secrets/dn42-peerfinder-uuid.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 LcWOqQ kBcl/7oOU9vxw5FShoRs1rLr2+8ax3O28SA8iqme1kI 3 + dxRn2Ty/FmzLURNoJTVz8Xf49Xb6+93ThfkebsF7qrE 4 + -> ssh-rsa fFaiTA 5 + qdSIS9RJua3Z/MMrLrbtwMYApTD981CJbHiiRlgdQEPfW8Dl1ghPSv9MS9hI2xb+ 6 + KCU6BTW9gxYYXvg2iG2b/VrU5zOLllop7C9e9+ks8G7hVqDEC/PAG2Jru8IhUjgR 7 + sDXE/UDOCgvwGm9ykd+h6fndFGGy412C5XraYKOx3RFCyWZPo3r+V4di04t49IQG 8 + A58opz3cIALRbCg8w0GcQprdI7qvr2pX8xfwPdsOk0MOr6i/4s8V1KJhFG5rT9e1 9 + hOAEpLXTl6rtHKA12GfgMokS4D5da7Eae7P7MQcu+CMRCRFdtaRwAXCsmyy0Nixu 10 + Pk06ewkhXDRfsZG8Vjr1akyZMAP0V7b2IzlCFfmZ55V7SqkjQp5p/ewD9W0H7nfU 11 + xI3tS2k0JgX/lyP2QOkNvRv1bR/pFjrkN0xWXe333NL96XibTuSC1yWaXxll8eXv 12 + EkuZK10FMqLBZv2QTiZgjEltxFJTLUD+A1cNqSIYzOaTcj862drejkSUqDmhvjBR 13 + 9cOLfvxcJ65SPP2FfcA8u7FulWPeUa1WI1Rr8hMECQ1wVQG7vz617se+2Sm6W60G 14 + ZwihmOzAE2UbG60msdkhl5/P/oL2kprupZ3XZfSeBrcsexvbMqHxWdfXryO7NveG 15 + TqjwROdJ6JvJgKvukpll5fppjhiQlPs6wJpDNxqR+UE 16 + -> ssh-ed25519 wpmdHA gm6QPnESX+3cUNK1cn4pGYufAIlpGM456PE9HoKqejY 17 + E98aiJNwJ4xzoAWu7a2s757zaK8qXo+l+Jv8xFMg430 18 + --- nsAD74FL+Wqkye1GO6/ZQ9MViWxCE0wRjKmcJsf27lE 19 + P\ɸju�}qP^�g+�n��m���W�g� � 1�+�Ԕ���T�M�ߤ������b��(���4�Y5��
+19
hosts/prefect/secrets/dn42-privkey.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 LcWOqQ B+/jn8M0138SSUaT13FksSgPgm4Na6S28UceeqJH4w4 3 + VA055+VxxIEKeADY7V6ov4xplN54LjnqqzpKPcHd/yI 4 + -> ssh-rsa fFaiTA 5 + SJQN8/1W+RoGGy07BuHPUbSAqpSd6n0/BreSlD07a2WXqhwap/NK2KUd5CODrSXm 6 + upjycEsVm7hE+qgSTYDH7kXHPvAqdns3BnKVer4404dIoTgO0mGO5xhkkZb8vSFT 7 + x0mUgfEzHc6jJFZ94KTbaajbIVxyoXtdFOIRZ7XgzxUNDpVaK+zI0C5KCph027vv 8 + V4FmK+4lSbhXJkZDdk7Qsogm5i9piwz7ibIYqVU8SkdA9Ogp6a4BySIgaYObakEd 9 + ZuYGOFnw04Fcepqtf+NiigWDt4RpIXBC3ePQ/TrmriC5gaByFNPgasJ/GiKmtZs9 10 + oBYfB7jlyQ+FZ9FCWt06MC2sZJRWLYVClLGYOMc5zi78U9Q4fs0MjRfs6PSJYk0G 11 + fgHo7KDLBEnVWluzTVPhMsKmWhTpFu+aYWQ7VE0Qfc1uolJH1TmsKaZ0y32Ewnry 12 + YfqwPBCaFUN2uuWmBsiMuKBFQ55ky948kqSfD+GJkCrN5TwS5ZZwFWpkHdKGbL8e 13 + geTvZaD9UB48oV0Ad9vnNWuu/Nfr64XnYOXKNt9ezAR9nmUEh+tHbwC2x3xBjyn7 14 + Oy1JjH4hRwK8L9d5hrtKIP9gWIIUFjEsi1vcgnKm9nieInGnHd2zsUxH3JbqRggl 15 + Ul7e/oZcILBQ8+Jgz6CFvKMUFztLtndZrVdM14rVR0g 16 + -> ssh-ed25519 wpmdHA p5t4c9VAcYR3gV+nwKgJmqEA5e5NLlTHuSYudGgtkGA 17 + RRxMP1ONcrJCZl7b/nTli+cPPaSpk9+BHN2ZZFNNHWI 18 + --- /EK83atFakXmrSbmNXdshl6JcCqq4ReYGA+JrHTh8jY 19 + �A��{f�.ydcv�zx����0�!�"fn� i$.����|C��'��������0^�F���?�&�Ks��T�ȡ�{ІO
+19
hosts/prefect/secrets/headscale-oidc-secret.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 LcWOqQ 9WEpxu36UKkp8wETOX7Bzbe7RbIr2k+iUh6iqlYt1AI 3 + w4g2hxFzUFsOynUUrwtQBwVJtIFiRqQYPUzKwCwEKL0 4 + -> ssh-rsa fFaiTA 5 + E0MNb/JGvaAlGYw9C0dC5mKybhNAyuYj2+s0w8+aQ1p/OH7bDacXJbEF5JSyA8oO 6 + pd/c44QCQRIFFrnEOddvYsUsq3d8x1Hxs4LUMXF2XMmtljBiFSPZ2u/NFljmY/i0 7 + 3/ppVQWlmFEMbk/tFb70sw6yVg+ZQN3+K1VQnLSpqm/v9WyruPYUCwRx2O8Zfy/E 8 + 0LiFqnSGcxMPCNQ2BQFTDXqXA0wjasKb+sDbqzki9Uxok6VmCCQ5xfPmv+L2V1PY 9 + VgNUOPx9Vfo4iuuQAt4RMdlSQbG/xTja57TDVsjGXi+vDDJGfX5kJLunjuFWBP8Q 10 + A+KPPl+PB9+Hqnzxwbz6r1lRCX/GIUtVcddWE7o/4rkVXIGPwWOg5hD/fLPNnu1E 11 + 3iqhA+Hs1uMeqr8fGLSR4B9kNBPqqJUIqrg+bbsUpxo0qtYdHgvSECY38dE/kHVh 12 + LNbJ2XqGf065UjzRvNLWsrLEUZPpAB32MxBt7PG2Lrd/OmjdVf4PVyyYn7icmaSj 13 + zYE2MI7qQb8VUpsGttggYmhltxx6I0/fUMLkXZuWTtzDQdjrrGu5crCmveVyXWfT 14 + f1YzefQ/wEGasTJbH6MSyWqanl4D5BGVVtXcNQluDpCxI3EYX8VI9zRfMHrNXsEc 15 + rNjUM+Nm4KSubFScMDRReiVszZXyf4rTVWEXmmVcJeI 16 + -> ssh-ed25519 wpmdHA qtkvqOY/HL1dHuJB11jppDBAJiwGS7FcEV/Zz1BQ4lg 17 + YsTTYNL2KrMEuuKTNLYq2Rx1Ic76Bd2LzAvLeRqdFYQ 18 + --- iUSmUHHGyMQENZOuZzSfivf7LTeLd2wh5B4DeApwpcA 19 + ���)���NWv�ӘԐ|κ$(`1�ӟ%t�' ��ް�M�lԧ�Pr�ͬ Ԓ����I� ��h�W!������)N�Xz +r,���;�1SuJ_��@k_C�ߝvvyǵ����r{�z�pK�� �ڝ���t9h\t^�i0c7����ax�����q1
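--- a/hosts/prefect/secrets/secrets.nix
+++ b/hosts/prefect/secrets/secrets.nix
@@ -0,0 +1,21 @@
+let
+yubi-back = "ssh-rsa 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";
+prefect = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP532AB5mkNvE29MkDDY8HEf8ZdktGWiI0PzLrvbmLQe";
+ssh-new = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxOg9nOtfbedq9AlnXNVUfyU8Mwfj4IB7HX/4VoWeXP";
+default = [
+prefect
+yubi-back
+ssh-new
+];
+in
+{
+"headscale-oidc-secret.age".publicKeys = default;
+"dn42-privkey.age".publicKeys = default;
+"dn42-peerfinder-uuid.age".publicKeys = default;
+"wireguard-priv-key.age".publicKeys = default;
+"acme-creds.age".publicKeys = default;
+"stalwart-secret-rsa.age".publicKeys = default;
+"stalwart-secret-ed25519.age".publicKeys = default;
+"stalwart-desec-token.age".publicKeys = default;
+"stalwart-fallback-admin-pw.age".publicKeys = default;
+}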
+20
hosts/prefect/secrets/stalwart-desec-token.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 LcWOqQ jGFXEJomNDBCR77u3stHaHCWq/VAkUrixdxvF07330o 3 + 05GhqYBL8QFz8a8GRHJ3h8bL1puZYfPE/leeHbXNw3o 4 + -> ssh-rsa fFaiTA 5 + J1BWit5DxgYimZRyMycqN55IBNcCyRx6yFmtE4si04OkBniECA+3XVYeB2U+kTIs 6 + aEsnW5X4yl1X/+ZBKSUdR/h87IO679xuwn6dgxbkkQSYKbiSPXXv9KMxj4rc9O7D 7 + PcCvl2PFHjp2x2K0EqAeOmAleSVaCoCkimKF1lLg3Wv6YMeFmbdQMPfycLLFtB6A 8 + AljWA8MgRYdhKBmx7fX9iVnnslHgEFjjYp9tlHAORFEcxt5qoldlJcz65IqpkDCk 9 + lnFFV1Ve3jAGl/OKJ9DH7PjHtYBrYfR3wTtEYIoTRtLqsrRjVvkDYUKHsaqNwv8C 10 + 8Um91XpIyYkhxPWzwU5Btd99N+dG2dpCVd8Qe2oNjotOsHHjmZGIQOCr6i3kDEVZ 11 + KMSDD27fE1SWIGvvwmLefW5Z4rE1MTqZqKx+qMjd2LRZwXls3DgBfSrNRjGW7s3u 12 + bnV3t4Cp+iwmXJjpGm+mLeeaO/TdPEfcT6++rzuDvFABmG46ZogVDd1bkuI4Ls0D 13 + N0sMNUSYc1qKXIjYyMskQwmc4yhFPFwnRaHrLuNq9c0oLu/Wwq9S53J7EdnA+ZQ0 14 + RYx3BzQwOdzqDc9gZIHwJ30pBa0CxXOWyYNk/zg4v0rr/F7PCkgpHJO+CrtYTxuf 15 + 6cJJJJ2fcxNzofRwZyPIX1k5IFqzIcr+Tv1GXgIO5CU 16 + -> ssh-ed25519 wpmdHA bf+e7LA2JpY4ln+kWFhL69zcIIoVVyiK+XeLZhukowg 17 + HAG4AS/CScv8dbnskAE3ibxNuPwtoNAeF78HbabawFg 18 + --- d+QudebUDJm/84Gb2yn3lZLzCZpbBz39AqYhGRIvx5w 19 + �"���_�*� L�S���!o�R 20 + {���� ˳��d��8�p˃O���4��"��Ӊ�
+20
hosts/prefect/secrets/stalwart-fallback-admin-pw.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 LcWOqQ 7togPtzcJXZIAe+97CEtOpKYvKcXdMPZN1ZXaDtiF2M 3 + bx4Slxv+LPXPTyjRbl/1fme4nEO2aY9pF6J5ww7k2gQ 4 + -> ssh-rsa fFaiTA 5 + I9AeATPIo5M+Tqd0lbLs37jGa/I/m6C56/vVdVd2r2kH8FobbhFXkypmBfZjleNB 6 + FqP4Jn12IAWACTY9LEoSrhaeABpdZAUE6Vt+hqYDOc8UL5WuTekVUCW+Sw2EJbnl 7 + oyBBcTRSuSd3OEO3Q4hp5SmHiGUkL7eDfEdXMXe7fnYEIfJoYu6Op1bLoTK7Tiuz 8 + g5c7a9kgxcD73ynfeRz0kQM/AXbEXrtu0Wr7CH9ZWWmCkkhcpNnS7CRtTb5Qhk4L 9 + oTVn+Rs6Mgv395pmV0Ou3fqkys3+t7PdO+tHDtlMNqORn3KaQuPLAWjgBCG1408T 10 + iGpbkqdoGb3VpBUfw/dWISPrDZsJGcLOFULHX76JKIGQXV/UG8zNlS5lddo7zY7T 11 + mh8tBqZrj9MWOwkG0nDDV87sEFOqFfj4gclEF5GRE55Sypog6oRZLTVjvH636E+2 12 + mztdPJyhUzMtvhQQfvftG+AwxhNGt4SRdMd7O+QeYSWmqykTlZx7nF73BBeYP0JC 13 + xSmVsdxuS3aur2HcogCSICo2+jGGoP33FOYnpzVY/Y67B4tunfL1ItfmbGeKVwG0 14 + f9sm6meYvRw9JvAdBcqFILOxPvg/P2VARaf5fDpZP6MmRTWkl9FH2J1Wp9m7ZMi3 15 + m8RAfpH7l5U/vVcbLYUaL5w0e4cNeHBQSbn/AhqCeFQ 16 + -> ssh-ed25519 wpmdHA rPRuQwrporOZbD6kpZwGZbZoEYNvG7E+t1zDolmwmzE 17 + CtTiaRwa+S+vn1wrUjkZWatUkLcvXVPQDbsvtwdT7X4 18 + --- xDaJBT4M3JZNN0aABAp9QnPw7rsl/D9/SRIz0aHEGRE 19 + ��?�%*�N��������"h#_E��:c&��f�d�r�� 20 + ���J<Ci����X��g�;�ҏ� f�\^����Y�q�+��S�{ =܀a� �L�ն�������Vt�n�����EXu�hݿZ0�׎�����u��+ޖ���
hosts/prefect/secrets/stalwart-secret-ed25519.age

This is a binary file and will not be displayed.

hosts/prefect/secrets/stalwart-secret-rsa.age

This is a binary file and will not be displayed.

+19
hosts/prefect/secrets/wireguard-priv-key.age
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 LcWOqQ BTHdUq7iDGg8yOCg1pEWJS/eoz3xpLDuxhDEMPwoDXg 3 + AMzM5h6v1fBKP1AwKuzTztmlSDhzs03z9XF0zWJEh0M 4 + -> ssh-rsa fFaiTA 5 + mgOVWNlEMvC0gJPDlTu+hHRzwUM4g7tI0a3R5+ta6SHvRPA0hWmvMZTv3xAwBep+ 6 + eKv/OWBizVdCV8EGnWx+GPIZ7yOWTp0SeXhMoZGDZaxZN3TAH2ZE1G80GUSlw1Xa 7 + +tRp0ct0VFj3kgcc8TK+csVXXdkQKkY7IPv6dTUktxlsNvcL8NtpIOU91w5lRfKz 8 + 9A1CMtMv0rYUuw7tlim4QKqxhR39d7ZWlOH0h/EKwuHosNOqotmYgDLnGfMcbksU 9 + nu4tvHI3aTc/BUbJEkR0Kh9v7i3E05wv5JquSqTmtixbyLbHnA7KvXgqhETyGMr4 10 + OJKB6lMJzhEyzNtb4wfe3TRmf2qT8ps7lDA4a2836b2dCnd7oBVYByCgLK74zXzn 11 + 1TMIdStHNK/G7q3VBw7XmRbHZvu/OTiYz54KVWvT3MAHz2UmlFdOXNWm8HqCqkkQ 12 + 6JdRZ/PCwWpXrrlC5A5s1FICOjTbtL4KbiMfSOGq5LdoZ7m2txl6gUXuvwB51Tdy 13 + lc9ry4IGAvs0XXOaKXR+5zy/+s2JwfRbTS1AzRrthDx0VhDp+WhsjW60A3RVG3Gz 14 + 3fTuTNUBqBWEoVWtdFRL2JeJL7znmfSJFjjpkOGB9KcMz3ioYp30Pjt4m8bM1UhT 15 + zuCHYb8jkX8CSgkp0EbPBQ3OORt8NGx6mVqiuWQjJmI 16 + -> ssh-ed25519 wpmdHA u5AgCOwHFFFWdH2Tw0duMd07wLEoa8kc2hFrC/i8pFQ 17 + 1tq9YV8UTXwxt7XQ9xMTBr9Hn9VWMvsyQ8BJImx+VZk 18 + --- ZEQB6NqhPqOHbdiwnzdRNi8WNd5+tP/78Lub739rbOg 19 + ��sr�R�[��V�㹒U������g%l�$�,ⵖ���C������ ��l3`ˆ���J&��p=���C`
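--- a/hosts/prefect/services/acme.nix
+++ b/hosts/prefect/services/acme.nix
@@ -0,0 +1,33 @@
+{ config, ... }:
+{
+security.acme = {
+acceptTerms = true;
+certs."pyroxdev-mail" = {
+domain = "mail.pyrox.dev";
+extraDomainNames = [
+"dav.pyrox.dev"
+"mta-sts.pyrox.dev"
+"autoconfig.pyrox.dev"
+"autodiscover.pyrox.dev"
+];
+reloadServices = [ "stalwart-mail" ];
+};
+defaults = {
+# LE Production Server
+server = "https://acme-v02.api.letsencrypt.org/directory";
+email = "pyrox@pyrox.dev";
+# For DNS Challenges, use DeSec(my provider)
+dnsProvider = "desec";
+# Enable DNS Propagation checks(ensure DNS records exist before requesting certs)
+dnsPropagationCheck = true;
+dnsResolver = "9.9.9.9:53";
+# Agenix-encrypted credentials for ACME
+credentialsFile = config.age.secrets.acme-creds.path;
+};
+};
+age.secrets.acme-creds = {
+file = ../secrets/acme-creds.age;
+owner = "acme";
+group = "acme";
+};
+}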
+374
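--- a/hosts/prefect/services/caddy.nix
+++ b/hosts/prefect/services/caddy.nix
@@ -0,0 +1,374 @@
+{ pkgs, self, ... }:
+let
+pns = self.lib.data.services;
+inherit (self.lib.data) mail;
+marvin = "http://${self.lib.data.hosts.marvin.ts.ip4}";
+marvinIP = self.lib.data.hosts.marvin.ts.ip4;
+inherit (self.lib.data) tsNet;
+in
+{
+services.caddy = {
+enable = true;
+package = pkgs.caddy.withPlugins {
+plugins = [
+"github.com/caddy-dns/desec@v1.0.1"
+"github.com/greenpau/caddy-security@v1.1.31"
+"github.com/tailscale/caddy-tailscale@v0.0.0-20251016213337-01d084e119cb"
+"github.com/mholt/caddy-l4@v0.0.0-20251001194302-2e3e6cf60b25"
+"github.com/mohammed90/caddy-git-fs@v0.0.0-20240805164056-529acecd1830"
+];
+hash = "sha256-kvChIK67UKn5vMFMcLszSl5AfW1BNHTRm1aXX5t5Wyc=";
+};
+email = "pyrox@pyrox.dev";
+virtualHosts = {
+"mail.pyrox.dev" = { };
+# Redirect old domains -> pyrox.dev
+"blog.pyrox.dev" = {
+serverAliases = [
+"www.pyrox.dev"
+"thehedgehog.me"
+];
+extraConfig = ''
+redir https://pyrox.dev{uri} permanent
+'';
+};
+"pyrox.dev" = {
+extraConfig = ''
+route {
+header /.well-known/matrix/* Access-Control-Allow-Origin *
+reverse_proxy /.well-known/matrix/* http://100.123.15.72:6922
+redir /.well-known/carddav https://cloud.pyrox.dev/.well-known/carddav temporary
+redir /.well-known/caldav https://cloud.pyrox.dev/.well-known/caldav temporary
+header /.well-known/openpgpkey/* Access-Control-Allow-Origin *
+header /.well-known/openpgpkey/hu/* application/octet-stream
+respond /.well-known/openpgpkey/*/policy 200
+header /.well-known/fursona Content-Type application/json
+header {
+X-Content-Type-Options nosniff
+Permissions-Policy accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), unload=(),
++Permissions-Policy display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(),
++Permissions-Policy gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(),
++Permissions-Policy payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(),
++Permissions-Policy sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(),
++Permissions-Policy clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=()
+X-Frame-Options SAMEORIGIN
+Referrer-Policy origin
+-Server
+}
+file_server {
+fs blog-repo
+hide .git
+precompressed br gzip
+}
+}
+'';
+};
+
+# Authentication
+${pns.pocket-id.extUrl} = {
+extraConfig = ''
+reverse_proxy ${marvin}:${toString pns.pocket-id.port}
+'';
+};
+
+# Vaultwarden
+${pns.vaultwarden.extUrl} = {
+extraConfig = ''
+header / {
+Strict-Transport-Security "max-age=31536000;"
+X-XSS-Protection "0"
+X-Frame-Options "DENY"
+X-Robots-Tag "noindex, nofollow"
+X-Content-Type-Options "nosniff"
+-Server
+-X-Powered-By
+-Last-Modified
+}
+reverse_proxy ${marvin}:${toString pns.vaultwarden.anubis} {
+header_up X-Real-IP {remote_host}
+header_up X-Http-Version {http.request.proto}
+}
+'';
+};
+
+# Cinny + Conduit
+${pns.matrix-server.extUrl} = {
+extraConfig = ''
+handle /_matrix/* {
+reverse_proxy ${marvin}:${toString pns.matrix-server.port}
+}
+handle {
+root * /var/www/cinny/dist/
+try_files {path} / index.html
+file_server
+}
+'';
+};
+# Jellyfin
+${pns.jellyfin.extUrl} = {
+extraConfig = ''
+@blocked not remote_ip 100.64.0.0/10 private_ranges
+reverse_proxy ${marvin}:${toString pns.jellyfin.port}
+handle /metrics* {
+respond @blocked "Access Denied" 403
+}
+'';
+};
+
+# Yourmother.website
+"yourmother.website" = {
+extraConfig = ''
+header Content-Type text/html
+respond 200 {
+body `<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Refresh" content="0; url=https://youtube.com/watch?v=oHg5SJYRHA0" />
+</head>
+</html>`
+}
+'';
+};
+
+# OpenPGP WKD stuff
+"openpgpkey.pyrox.dev" = {
+serverAliases = [ "openpgpkey.thehedgehog.me" ];
+extraConfig = ''
+respond /.well-known/openpgpkey/{labels.1}.{labels.0}/policy 200
+header Access-Control-Allow-Origin *
+header /.well-known/openpgpkey/{labels.1}.{labels.0}/hu/* Content-Type application/octet-stream
+file_server {
+fs blog-repo
+}
+'';
+};
+
+# Metrics
+":6899" = {
+extraConfig = ''
+metrics /metrics
+'';
+};
+# SIMPLE HOSTS
+
+# Forgejo
+${pns.git.extUrl} = {
+extraConfig = ''
+reverse_proxy ${marvin}:${toString pns.git.anubis} {
+header_up X-Real-Ip {remote_host}
+header_up X-Http-Version {http.request.proto}
+}
+'';
+};
+
+# Grafana
+${pns.grafana.extUrl} = {
+extraConfig = ''
+reverse_proxy ${marvin}:${toString pns.grafana.anubis} {
+header_up X-Real-Ip {remote_host}
+header_up X-Http-Version {http.request.proto}
+}
+'';
+};
+
+# Miniflux
+${pns.miniflux.extUrl} = {
+extraConfig = ''
+reverse_proxy ${marvin}:${toString pns.miniflux.anubis} {
+header_up X-Real-Ip {remote_host}
+header_up X-Http-Version {http.request.proto}
+}
+'';
+};
+
+# Nextcloud
+${pns.nextcloud.extUrl} = {
+extraConfig = ''
+reverse_proxy ${marvin}:${toString pns.nextcloud.anubis} {
+header_up X-Real-Ip {remote_host}
+header_up X-Http-Version {http.request.proto}
+}
+'';
+};
+
+# Nextcloud-Office(Collabora)
+${pns.nextcloud-office.extUrl} = {
+extraConfig = ''
+reverse_proxy ${marvin}:${toString pns.nextcloud-office.anubis} {
+header_up X-Real-Ip {remote_host}
+header_up X-Http-Version {http.request.proto}
+}
+'';
+};
+
+# Planka
+${pns.planka.extUrl} = {
+extraConfig = ''
+reverse_proxy ${marvin}:${toString pns.planka.anubis} {
+header_up X-Real-Ip {remote_host}
+header_up X-Http-Version {http.request.proto}
+}
+'';
+};
+
+# Immich
+${pns.immich.extUrl} = {
+extraConfig = ''
+@public path /share /share/*
+handle @public {
+reverse_proxy ${marvin}:${toString pns.immich.pubProxy}
+}
+reverse_proxy ${marvin}:${toString pns.immich.port}
+'';
+};
+
+# Tangled Services
+${pns.tangled-knot.extUrl} = {
+extraConfig = ''
+reverse_proxy ${marvin}:${toString pns.tangled-knot.port}
+'';
+};
+${pns.tangled-spindle.extUrl} = {
+extraConfig = ''
+reverse_proxy ${marvin}:${toString pns.tangled-spindle.port}
+'';
+};
+
+# Simple Tailscale Hosts
+
+# Deemix
+"${pns.deemix.tsHost}.${tsNet}" = {
+extraConfig = ''
+bind tailscale/${pns.deemix.tsHost}
+tailscale_auth
+reverse_proxy ${marvin}:${toString pns.deemix.port}
+'';
+};
+# Pinchflat
+"${pns.pinchflat.tsHost}.${tsNet}" = {
+extraConfig = ''
+bind tailscale/${pns.pinchflat.tsHost}
+tailscale_auth
+reverse_proxy ${marvin}:${toString pns.pinchflat.port}
+'';
+};
+
+"http://mail.pyrox.dev" = {
+serverAliases = [
+"http://mta-sts.pyrox.dev"
+"http://autodiscover.pyrox.dev"
+"http://autoconfig.pyrox.dev"
+"http://dav.pyrox.dev"
+];
+extraConfig = ''
+reverse_proxy 127.0.0.1:${toString mail.intHTTP} {
+transport http {
+proxy_protocol v2
+}
+}
+
+'';
+};
+};
+# Mail Config
+globalConfig = ''
+filesystem blog-repo git ${marvin}:${toString pns.git.port}/pyrox/new-blog {
+ref refs/heads/pages
+refresh_period 10m
+}
+servers :80 {
+listener_wrappers {
+layer4 {
+@maildomains http host mail.pyrox.dev mta-sts.pyrox.dev autoconfig.pyrox.dev autodiscover.pyrox.dev dav.pyrox.dev
+route @maildomains {
+subroute {
+@a http
+route @a {
+proxy {
+proxy_protocol v2
+upstream 127.0.0.1:${toString mail.intHTTP}
+}
+}
+}
+}
+}
+http_redirect
+}
+}
+servers :443 {
+listener_wrappers {
+layer4 {
+@maildomains tls sni mail.pyrox.dev mta-sts.pyrox.dev autoconfig.pyrox.dev autodiscover.pyrox.dev dav.pyrox.dev
+route @maildomains {
+proxy {
+proxy_protocol v2
+upstream 127.0.0.1:${toString mail.intHTTPS}
+}
+}
+}
+tls
+}
+}
+layer4 {
+:22 {
+@a ssh
+route @a {
+proxy {
+upstream ${marvinIP}:2222
+}
+}
+}
+:25 {
+route {
+proxy {
+proxy_protocol v2
+upstream 127.0.0.1:40025
+}
+}
+}
+:143 {
+route {
+proxy {
+proxy_protocol v2
+upstream 127.0.0.1:${toString mail.intIMAP}
+}
+}
+}
+:465 {
+route {
+proxy {
+proxy_protocol v2
+upstream 127.0.0.1:${toString mail.intSMTPS}
+}
+}
+}
+:587 {
+route {
+proxy {
+proxy_protocol v2
+upstream 127.0.0.1:${toString mail.intSMTP}
+}
+}
+}
+:993 {
+route {
+proxy {
+proxy_protocol v2
+upstream 127.0.0.1:${toString mail.intIMAPS}
+}
+}
+}
+:4190 {
+route {
+proxy {
+proxy_protocol v2
+upstream 127.0.0.1:${toString mail.intManageSieve}
+}
+}
+}
+}
+'';
+};
+systemd.services.caddy.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
+systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";
+}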
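Review bot: In the Vaultwarden site the security headers are scoped with `header / {`, and in Caddy v2 a path matcher without a wildcard is an exact match, so HSTS, `X-Frame-Options` and the others are set only on requests for `/` itself; `header {` applies them to every response. In the `pyrox.dev` site, `header /.well-known/openpgpkey/hu/* application/octet-stream` is missing the field name; the `openpgpkey.pyrox.dev` site shows the intended form, `header /.well-known/openpgpkey/hu/* Content-Type application/octet-stream`. The `:6899` metrics site has no `bind`, so whether `/metrics` is reachable from outside depends on the firewall; since the Prometheus job in this change scrapes `127.0.0.1:6899`, adding `bind 127.0.0.1` would pin it to loopback.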
+38
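--- a/hosts/prefect/services/fail2ban.nix
+++ b/hosts/prefect/services/fail2ban.nix
@@ -0,0 +1,38 @@
+{
+services.fail2ban = {
+enable = true;
+maxretry = 5;
+ignoreIP = [
+"4349:3909:beef::/48"
+"100.64.0.0/10"
+"127.0.0.0/8"
+"10.0.0.0/8"
+"172.16.0.0/12"
+"192.168.0.0/16"
+];
+jails = {
+postfix = {
+filter = "postfix";
+settings = {
+action = "nftables";
+port = "143,993";
+};
+};
+dovecot = {
+filter = "dovecot";
+settings = {
+action = "nftables";
+port = "25,465,587";
+};
+};
+# I don't use SSHd right now, but if I do, re-enable this.
+# sshd = {
+# filter = "sshd";
+# settings = {
+# action = "nftables";
+# port = "22";
+# };
+# };
+};
+};
+}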
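Review bot: The `port` values of the two jails look swapped: the `postfix` jail bans on `143,993` (IMAP) and the `dovecot` jail on `25,465,587` (SMTP), so a ban triggered by SMTP abuse leaves the SMTP ports open to that address, and the other way round. Proposed: `port = "25,465,587";` under `postfix` and `port = "143,993";` under `dovecot`. The mail server configured elsewhere in this change is Stalwart, so it is worth confirming that the `postfix` and `dovecot` filters match a log this host actually writes; if they do not, neither jail ever fires.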
+73
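--- a/hosts/prefect/services/headscale.nix
+++ b/hosts/prefect/services/headscale.nix
@@ -0,0 +1,73 @@
+# Headscale is a tailscale-compatible control plane that you can use with all of the clients.
+{
+services.headscale = {
+enable = true;
+port = 6900;
+# Set so that anything can access this. Default is localhost only, which is useless
+address = "0.0.0.0";
+# Server URL is the FQDN of this server
+serverUrl = "https://vpn.thehedgehog.me:6900";
+dns = {
+# All domains are .hog domains internally
+baseDomain = "hog";
+# Enable MagicDNS
+# See https://tailscale.com/kb/1081/magicdns/ for more details
+magicDns = true;
+# I inject DNS.sb as my secondary nameserver, and my adblocking server as primary.
+nameservers = [ "45.11.45.11" ];
+# Domains to inject, so I can type "media/" into my search bar and go to "media.main.hog"
+# You can't tell headscale to not create a namespace, so this is the best that I can do
+domains = [ "main.hog" ];
+};
+# Automatic TLS
+tls = {
+letsencrypt = {
+# Set up automatic Let's Encrypt cert pulls
+hostname = "vpn.thehedgehog.me";
+};
+};
+# Disabled since if this goes down, then it's a pain to reconnect to auth
+# OIDC configuration, so I can have my beloved SSO.
+# openIdConnect = {
+# # Issuer is HedgeCloud auth, my private auth server
+# issuer = "https://auth.thehedgehog.me/application/o/hedgevpn/";
+# # All people get assigned to the "main" namespace
+# domainMap = {
+# ".*" = "main";
+# };
+# # Set client ID for OIDC
+# clientId = "25066b6b1e72718186f8c0dc20f7892951834b6e";
+# # Client Secret is in this file
+# clientSecretFile = "/run/agenix/headscale-oidc-secret";
+# };
+# Misc settings that aren't set in the above sections
+settings = {
+# Set challenge type, forwarded by Caddy
+tls_letsencrypt_challenge_type = "HTTP-01";
+# oidc.strip_email_domain = true;
+# NixOS handles our updates
+disable_check_updates = true;
+ip_prefixes = [
+"4349:3909:beef::/48"
+"100.64.0.0/10"
+];
+derp = {
+server = {
+enabled = true;
+region_id = 969;
+region_code = "internal";
+region_name = "Internal DERP";
+stun_listen_addr = "0.0.0.0:6869";
+};
+};
+};
+};
+systemd.services.headscale.serviceConfig.CapabilityBoundingSet = [
+"CAP_CHOWN"
+"CAP_NET_BIND_SERVICE"
+];
+systemd.services.headscale.serviceConfig.AmbientCapabilities = [
+"CAP_CHOWN"
+"CAP_NET_BIND_SERVICE"
+];
+}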
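Review bot: `AmbientCapabilities` at the end of the file hands the headscale process `CAP_CHOWN` and `CAP_NET_BIND_SERVICE` with no comment saying what needs them. The configured listeners are on 6900 and 6869, both unprivileged, so `CAP_NET_BIND_SERVICE` looks necessary only if the Let's Encrypt HTTP-01 listener binds a low port, and nothing visible here requires `CAP_CHOWN` at runtime. Either drop what is unused or record the reason, e.g. `# CAP_NET_BIND_SERVICE: ACME HTTP-01 listener on :80`. Separately, the comment above `nameservers` describes a primary and a secondary server while the list holds a single address.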
+21
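--- a/hosts/prefect/services/mailserver/acme.nix
+++ b/hosts/prefect/services/mailserver/acme.nix
@@ -0,0 +1,21 @@
+# ACME for certs, using TLS-ALPN-01 Challenges(one fewer ports open)
+# https://stalw.art/docs/server/tls/acme/configuration
+{ cfg, sec }:
+{
+letsencrypt = {
+directory = "https://acme-staging-v02.api.letsencrypt.org/directory";
+challenge = "dns-01";
+contact = [ "pyrox@pyrox.dev" ];
+domains = [
+"mail.pyrox.dev"
+"mta-sts.pyrox.dev"
+"autoconfig.pyrox.dev"
+"autodiscover.pyrox.dev"
+];
+cache = "${cfg.dataDir}/acme/certs";
+renew-before = "30d";
+default = true;
+provider = "desec";
+secret = "%{file:${sec.stalwart-desec-token.path}}%";
+};
+}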
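Review bot: The header comment says TLS-ALPN-01, but the block sets `challenge = "dns-01"` with `provider = "desec"`, and `directory` points at the Let's Encrypt staging endpoint, whose certificates clients do not trust. The import of this file is commented out in `mailserver/default.nix`, so it has no effect today, but re-enabling it as written would make the server present staging certificates. Proposed header: `# ACME via DNS-01 (deSEC); staging directory, switch to production before enabling`.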
+21
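--- a/hosts/prefect/services/mailserver/auth.nix
+++ b/hosts/prefect/services/mailserver/auth.nix
@@ -0,0 +1,21 @@
+{ ifThen, otherwise }:
+let
+relVer = [
+(ifThen "protocol = 'smtp'" "relaxed")
+(otherwise "disable")
+];
+in
+{
+dkim = {
+sign = [
+(ifThen "sender_domain = 'pyrox.dev'" "['rsa', 'ed25519']")
+(otherwise false)
+];
+};
+spf.verify.ehlo = relVer;
+spf.verify.mail-from = relVer;
+dmarc.verify = relVer;
+iprev.verify = relVer;
+arc.seal = "'ed25519'";
+arc.verify = "relaxed";
+}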
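Review bot: `relVer` decides how SPF, DMARC and iprev are verified, but nothing says what the name stands for, and unlike the sibling files this one has no header comment. Proposed comment above the binding: `# Verify in relaxed mode on SMTP sessions; disabled for every other protocol`. A one-line file header naming the section (message authentication: DKIM, SPF, DMARC, iprev, ARC) would match the other mailserver files.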
+25
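--- a/hosts/prefect/services/mailserver/auto-ban.nix
+++ b/hosts/prefect/services/mailserver/auto-ban.nix
@@ -0,0 +1,25 @@
+# Strict Auto-ban
+# https://stalw.art/docs/server/auto-ban
+{
+auth.rate = "15/1d";
+abuse.rate = "15/1d";
+loiter.rate = "15/1d";
+scan = {
+rate = "20/1d";
+paths = [
+"*.php*"
+"*.cgi*"
+"*.asp*"
+"*/wp-*"
+"*/php*"
+"*/cgi-bin*"
+"*xmlrpc*"
+"*../*"
+"*/..*"
+"*joomla*"
+"*wordpress*"
+"*drupal*"
+"/.git*"
+];
+};
+}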
+25
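--- a/hosts/prefect/services/mailserver/calendar.nix
+++ b/hosts/prefect/services/mailserver/calendar.nix
@@ -0,0 +1,25 @@
+# Calendar settings
+# https://stalw.art/docs/collaboration/calendar
+{
+max-recurrence-expansions = 2048;
+# 512 KiB
+max-size = 524288;
+max-attendees-per-instance = 20;
+default.href-name = "default";
+default.display-name = "Personal";
+# Scheduling
+# https://stalw.art/docs/collaboration/scheduling
+scheduling.enable = true;
+# 1 MiB
+scheduling.inbound.max-size = 1048576;
+scheduling.outbound.max-recipients = 100;
+scheduling.inbox.auto-expunge = "30d";
+scheduling.http-rsvp.enable = true;
+scheduling.http-rsvp.expiration = "7d";
+# Notifications
+# https://stalw.art/docs/collaboration/notifications
+alarms.enable = true;
+alarms.minimum-interval = "1h";
+alarms.from.name = "PyroNet Calendars";
+alarms.from.email = "calendar-notifs@pyrox.dev";
+}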
+216
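--- a/hosts/prefect/services/mailserver/default.nix
+++ b/hosts/prefect/services/mailserver/default.nix
@@ -0,0 +1,216 @@
+{
+config,
+lib,
+self,
+...
+}:
+let
+d = self.lib.data.mail;
+cfg = config.services.stalwart-mail;
+sec = config.age.secrets;
+credsDir = "/run/credentials/stalwart-mail.service";
+certDir = config.security.acme.certs."pyroxdev-mail".directory;
+isAuthenticated = d: {
+"if" = "!is_empty(authenticated_as)";
+"then" = d;
+};
+otherwise = d: {
+"else" = d;
+};
+ifThen = f: d: {
+"if" = f;
+"then" = d;
+};
+smSecret = {
+owner = "stalwart-mail";
+group = "stalwart-mail";
+};
+in
+{
+services.stalwart-mail = {
+credentials = {
+cert = "${certDir}/cert.pem";
+key = "${certDir}/key.pem";
+};
+enable = true;
+dataDir = "/var/lib/stalwart";
+settings = {
+tracer.stdout.level = "info";
+authentication.fallback-admin = {
+user = "fallback";
+secret = "%{file:${sec.stalwart-fallback-admin-pw.path}}%";
+};
+config = {
+local-keys = [
+"asn.*"
+"auth.*"
+"authentication.*"
+"auto-ban.*"
+"calendar.*"
+"certificate.*"
+"changes.*"
+"cluster.*"
+"config.*"
+"contacts.*"
+"directory.*"
+"http.*"
+"imap.*"
+"jmap.*"
+"queue.*"
+"report.*"
+"resolver.*"
+"server.*"
+"session.*"
+"signature.*"
+"storage.*"
+"store.*"
+"tracer.*"
+"webadmin.*"
+"form.*"
+"email.*"
+"spam-filter.*"
+];
+};
+certificate = {
+default = {
+default = true;
+cert = "%{file:${credsDir}/cert}%";
+private-key = "%{file:${credsDir}/key}%";
+subjects = [
+"dav.pyrox.dev"
+"mail.pyrox.dev"
+"mta-sts.pyrox.dev"
+"autoconfig.pyrox.dev"
+"autodiscover.pyrox.dev"
+];
+};
+};
+server = import ./server.nix { inherit d; };
+# Use NixOS-generated certs now, since stalwart can't do it on its own
+# (DeSec API Errors abound)
+# acme = import ./acme.nix { inherit cfg sec; };
+# HTTP Configuration
+# https://stalw.art/docs/http/overview
+http = {
+url = "'https://${d.extUrl}'";
+hsts = true;
+rate-limit = {
+account = "10000/1m";
+};
+};
+# Disable HTTP Forms submission
+# https://stalw.art/docs/http/form-submission
+form.enable = false;
+# DKIM Signatures
+signature = import ./signature.nix { inherit sec; };
+# Storage Settings
+# https://stalw.art/docs/storage/overview
+store = {
+data = {
+type = "rocksdb";
+path = "${cfg.dataDir}/db";
+purge.frequency = "0 3 *";
+};
+blob = {
+type = "fs";
+path = "${cfg.dataDir}/blobs";
+depth = 2;
+compression = "lz4";
+purge.frequency = "0 4 *";
+};
+db.path = "${cfg.dataDir}/db2";
+};
+storage = {
+data = "data";
+blob = "blob";
+fts = "data";
+lookup = "data";
+directory = "default";
+};
+directory = {
+default = {
+type = "internal";
+store = "data";
+};
+};
+# ASN/GeoIP Lookups
+# https://stalw.art/docs/server/asn
+asn = {
+type = "dns";
+separator = "|";
+zone.ipv4 = "origin.asn.cymru.com";
+zone.ipv6 = "origin6.asn.cymru.com";
+index.asn = 0;
+index.asn-name = 1;
+index.country = 2;
+};
+auto-ban = import ./auto-ban.nix;
+# JMAP Settings
+# https://stalw.art/docs/email/jmap
+jmap = {
+mailbox.max-depth = 10;
+mailbox.max-name-length = 255;
+# 50 MB
+email.max-attachment-size = 50 * 1000 * 1000;
+# 75 MB
+email.max-size = 75 * 1000 * 1000;
+email.parse.max-items = 10;
+};
+imap = import ./imap.nix;
+# Maintainance
+# https://stalw.art/docs/email/maintenance
+email.auto-expunge = "180d";
+changes.max-history = 10000;
+session = import ./session.nix { inherit isAuthenticated otherwise ifThen; };
+queue = import ./queue.nix { inherit d ifThen otherwise; };
+# DNS Settings
+# https://stalw.art/docs/mta/outbound/dns
+resolver = {
+custom = [
+"tls://dns11.quad9.net"
+"tcp://1.1.1.1"
+];
+concurrency = 2;
+preserve-intermediates = true;
+timeout = "5s";
+attempts = 3;
+edns = true;
+};
+report = import ./report.nix { inherit d; };
+calendar = import ./calendar.nix;
+# Authentication
+auth = import ./auth.nix { inherit ifThen otherwise; };
+# Contacts
+# https://stalw.art/docs/collaboration/contact
+contacts = {
+# 512 KiB
+max-size = 524288;
+default.href-name = "default";
+default.display-name = "Contacts";
+};
+# Spam Filtering
+# https://stalw.art/docs/spamfilter/overview
+spam-filter = {
+card-is-ham = true;
+};
+};
+};
+systemd.services.stalwart-mail.serviceConfig = {
+Restart = lib.mkForce "always";
+RestartSec = lib.mkForce 1;
+};
+age.secrets = {
+stalwart-secret-rsa = smSecret // {
+file = ../../secrets/stalwart-secret-rsa.age;
+};
+stalwart-secret-ed25519 = smSecret // {
+file = ../../secrets/stalwart-secret-ed25519.age;
+};
+stalwart-desec-token = smSecret // {
+file = ../../secrets/stalwart-desec-token.age;
+};
+stalwart-fallback-admin-pw = smSecret // {
+file = ../../secrets/stalwart-fallback-admin-pw.age;
+};
+};
+}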
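Review bot: `resolver.custom` mixes an encrypted upstream (`tls://dns11.quad9.net`) with a plaintext one (`tcp://1.1.1.1`), so MX and TLSA lookups answered by the second server can be observed or altered on path; that matters because `queue.nix` sets `dane = "optional"`, and DANE is only as good as the DNS answers behind it. If the resolver accepts it, `"tls://1.1.1.1"` puts both upstreams on the same footing. `stalwart-desec-token` is still declared under `age.secrets` although its only visible consumer, `acme.nix`, is commented out. The helper lambdas `isAuthenticated`, `otherwise` and `ifThen` take a parameter named `d` that shadows the `d = self.lib.data.mail` binding; a different parameter name such as `v` avoids the confusion.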
+42
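--- a/hosts/prefect/services/mailserver/imap.nix
+++ b/hosts/prefect/services/mailserver/imap.nix
@@ -0,0 +1,42 @@
+# https://stalw.art/docs/email/imap
+{
+# 50 MiB
+request.max-size = 52428800;
+auth.max-failures = 3;
+auth.allow-plain-text = false;
+folders =
+let
+folder = {
+create = true;
+subscribe = true;
+};
+in
+{
+inbox = folder // {
+name = "Inbox";
+};
+drafts = folder // {
+name = "Drafts";
+};
+sent = folder // {
+name = "Sent";
+};
+trash = folder // {
+name = "Trash";
+};
+archive = folder // {
+name = "Archive";
+};
+junk = folder // {
+name = "Junk";
+};
+shared = {
+name = "Shared Folders";
+create = true;
+subscribe = false;
+};
+};
+timeout.authenticated = "30m";
+timeout.anonymous = "1m";
+timeout.idle = "30m";
+}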
+97
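--- a/hosts/prefect/services/mailserver/queue.nix
+++ b/hosts/prefect/services/mailserver/queue.nix
@@ -0,0 +1,97 @@
+{
+d,
+ifThen,
+otherwise,
+}:
+# Queue Management
+# https://stalw.art/docs/mta/outbound/overview
+{
+# Virtual Queues
+# https://stalw.art/docs/mta/outbound/queue
+virtual.default.threads-per-node = 100;
+virtual.admin.threads-per-node = 10;
+virtual.local.threads-per-node = 100;
+# Schedules
+# https://stalw.art/docs/mta/outbound/schedule
+schedule =
+let
+queue = {
+retry = [
+"1m"
+"2m"
+"5m"
+"10m"
+"15m"
+"30m"
+"1h"
+"2h"
+];
+notify = [
+"1d"
+"3d"
+];
+max-attempts = 15;
+};
+in
+{
+default = queue // {
+queue-name = "default";
+};
+admin = queue // {
+queue-name = "admin";
+};
+local = queue // {
+queue-name = "local";
+};
+};
+# Routes
+# https://stalw.art/docs/mta/outbound/routing
+route = {
+local.type = "local";
+remote = {
+type = "mx";
+ip-lookup = "ipv6_then_ipv4";
+tls.implicit = false;
+tls.allow-invalid-certs = false;
+};
+};
+# Strategies
+# https://stalw.art/docs/mta/outbound/strategy
+strategy = {
+schedule = [
+(ifThen "is_local_domain('', rcpt_domain)" "'local'")
+(ifThen "source = 'dsn'" "'admin'")
+(ifThen "source = 'report'" "'admin'")
+(ifThen "source = 'autogenerated'" "'admin'")
+(otherwise "'default'")
+];
+route = [
+(ifThen "is_local_domain('', rcpt_domain)" "'local'")
+(otherwise "'remote'")
+];
+connection = "'default'";
+tls = "'default'";
+};
+# Remote Connection
+# https://stalw.art/docs/mta/outbound/connection
+connection.default = {
+ehlo-hostname = d.extUrl;
+source-ips = d.extIPs;
+timeout = {
+connect = "3m";
+greeting = "3m";
+ehlo = "3m";
+mail-from = "3m";
+rcpt-to = "3m";
+data = "10m";
+};
+};
+tls.default = {
+dane = "optional";
+mta-sts = "optional";
+starttls = "optional";
+allow-invalid-certs = false;
+timeout.tls = "3m";
+timeout.mta-sts = "3m";
+};
+}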
+64
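--- a/hosts/prefect/services/mailserver/report.nix
+++ b/hosts/prefect/services/mailserver/report.nix
@@ -0,0 +1,64 @@
+{ d }:
+# Reports
+# https://stalw.art/docs/mta/reports/overview
+{
+domain = "pyrox.dev";
+submitter = "'${d.extUrl}'";
+analysis = {
+addresses = [
+"dmarc@"
+"reports@"
+"spf@"
+"dkim@"
+"abuse@"
+];
+forward = true;
+store = "30d";
+};
+dsn = {
+from-name = "'PyroNet Mail'";
+from-address = "'mail@pyrox.dev'";
+sign = "['rsa', 'ed25519']";
+};
+dkim = {
+from-name = "'PyroNet Mail Reports'";
+from-address = "'noreply-dkim@pyrox.dev'";
+subject = "'DKIM Authentication Failure Report'";
+sign = "['rsa', 'ed25519']";
+send = "1/1d";
+};
+spf = {
+from-name = "'PyroNet Mail Reports'";
+from-address = "'noreply-spf@pyrox.dev'";
+subject = "'SPF Authentication Failure Report'";
+sign = "['rsa', 'ed25519']";
+send = "1/1d";
+};
+dmarc = {
+from-name = "'PyroNet Mail Reports'";
+from-address = "'noreply-dmarc@pyrox.dev'";
+subject = "'DMARC Authentication Failure Report'";
+sign = "['rsa', 'ed25519']";
+send = "1/1d";
+aggregate = {
+from-name = "'DMARC Report'";
+from-address = "'noreply-dmarc@pyrox.dev'";
+org-name = "'PyroNet Mail'";
+contact-info = "'pyrox@pyrox.dev'";
+send = "daily";
+# 25 MiB
+max-size = 26214400;
+sign = "['rsa', 'ed25519']";
+};
+};
+tls.aggregate = {
+from-name = "'PyroNet Mail Reports'";
+from-address = "'noreply-tls@pyrox.dev'";
+org-name = "'PyroNet Mail'";
+contact-info = "'pyrox@pyrox.dev'";
+send = "daily";
+# 25 MiB
+max-size = 26214400;
+sign = "['rsa', 'ed25519']";
+};
+}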
+69
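--- a/hosts/prefect/services/mailserver/server.nix
+++ b/hosts/prefect/services/mailserver/server.nix
@@ -0,0 +1,69 @@
+{ d }:
+{
+hostname = d.extUrl;
+# TLS
+# https://stalw.art/docs/server/tls/overview
+tls = {
+enable = true;
+implicit = false;
+ignore-client-order = true;
+};
+# Listeners
+# https://stalw.art/docs/server/listener
+listener = {
+smtp = {
+bind = [
+"[::]:${toString d.intSMTP}"
+"[::]:40025"
+];
+protocol = "smtp";
+# Explicit TLS
+tls.implicit = false;
+};
+smtps = {
+bind = "[::]:${toString d.intSMTPS}";
+protocol = "smtp";
+# Implicit TLS
+tls.implicit = true;
+};
+imap = {
+bind = "[::]:${toString d.intIMAP}";
+protocol = "imap";
+# Explicit TLS
+tls.implicit = false;
+};
+imaps = {
+bind = "[::]:${toString d.intIMAPS}";
+protocol = "imap";
+# Implicit TLS
+tls.implicit = true;
+};
+managesieve = {
+bind = "[::]:${toString d.intManageSieve}";
+protocol = "managesieve";
+# Explicit TLS
+tls.implicit = false;
+};
+https = {
+bind = "[::]:${toString d.intHTTPS}";
+protocol = "http";
+# Implicit TLS
+tls.implicit = true;
+};
+http = {
+bind = "[::]:${toString d.intHTTP}";
+protocol = "http";
+# Implicit TLS
+tls.implicit = false;
+};
+};
+# Proxy Protocol from Caddy
+# Only accepts proxy protocol from Tailscale IP Ranges
+# https://tailscale.com/kb/1015/100.x-addresses
+# https://tailscale.com/kb/1033/ip-and-dns-addresses
+proxy.trusted-networks = [
+"fd7a:115c:a1e0::/48"
+"100.64.0.0/10"
+"127.0.0.1/8"
+];
+}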
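Review bot: `proxy.trusted-networks` is wider than its comment says and than the visible topology needs: the comment promises Tailscale ranges only, the list also contains loopback, and the Caddy `layer4` proxies for the mail ports in this change all connect to `127.0.0.1`. Every listener binds `[::]`, so any peer in `100.64.0.0/10` or `fd7a:115c:a1e0::/48` that can reach these ports may send a PROXY header and choose the client address that auto-ban and the other address-based checks will see. If Caddy on this host is the only proxy, `proxy.trusted-networks = [ "127.0.0.0/8" ];` is enough (the current `127.0.0.1/8` also has host bits set). The `http` listener is commented `# Implicit TLS` while it sets `tls.implicit = false`.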
+63
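--- a/hosts/prefect/services/mailserver/session.nix
+++ b/hosts/prefect/services/mailserver/session.nix
@@ -0,0 +1,63 @@
+{
+isAuthenticated,
+otherwise,
+ifThen,
+}:
+# MTA Settings
+# https://stalw.art/docs/mta/overview
+{
+# Inbound
+# https://stalw.art/docs/mta/inbound/overview
+# # EHLO Stage
+# # https://stalw.art/docs/mta/inbound/ehlo
+ehlo = {
+require = true;
+reject-non-fqdn = [
+(ifThen "protocol = 'smtp'" true)
+(otherwise false)
+];
+};
+# # RCPT Stage
+# # https://stalw.art/docs/mta/inbound/rcpt
+rcpt = {
+relay = [
+(isAuthenticated true)
+(otherwise false)
+];
+subaddressing = true;
+};
+auth = {
+mechanisms = [
+(ifThen "local_port != 40025 && is_tls" "[plain, login, oauthbearer, xoauth2]")
+(ifThen "local_port != 40025" "[oauthbearer, xoauth2]")
+(otherwise false)
+];
+directory = "'default'";
+require = [
+(ifThen "local_port != 40025" true)
+(otherwise false)
+];
+must-match-sender = true;
+};
+extensions =
+let
+ifAuthed = [
+(isAuthenticated true)
+(otherwise false)
+];
+in
+{
+pipelining = true;
+chunking = true;
+requiretls = true;
+no-soliciting = "";
+dsn = ifAuthed;
+deliver-by = [
+(isAuthenticated "15d")
+(otherwise false)
+];
+mt-priority = false;
+vrfy = ifAuthed;
+expn = ifAuthed;
+};
+}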
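Review bot: The second `auth.mechanisms` rule offers `[oauthbearer, xoauth2]` on any session that is not on port 40025 and is not TLS, so a client that authenticates before STARTTLS sends a bearer token in clear text. Changing that rule to `(ifThen "local_port != 40025" false)`, or removing it so that `(otherwise false)` applies, limits authentication to TLS sessions. The port 40025 is written out three times in this file and again in `server.nix` and `caddy.nix`; a named value beside the other `mail.*` ports would keep them in step.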
+42
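--- a/hosts/prefect/services/mailserver/signature.nix
+++ b/hosts/prefect/services/mailserver/signature.nix
@@ -0,0 +1,42 @@
+{ sec }:
+let
+headers = [
+"From"
+"To"
+"Cc"
+"Date"
+"Subject"
+"Message-ID"
+"Organization"
+"MIME-Version"
+"Content-Type"
+"In-Reply-To"
+"References"
+"List-Id"
+"User-Agent"
+"Thread-Topic"
+"Thread-Index"
+];
+in
+{
+rsa = {
+inherit headers;
+private-key = "%{file:${sec.stalwart-secret-rsa.path}}%";
+domain = "pyrox.dev";
+selector = "rsa-default";
+algorithm = "rsa-sha256";
+canonicalization = "relaxed/relaxed";
+expire = "10d";
+report = true;
+};
+ed25519 = {
+inherit headers;
+private-key = "%{file:${sec.stalwart-secret-ed25519.path}}%";
+domain = "pyrox.dev";
+selector = "default";
+algorithm = "ed25519-sha256";
+canonicalization = "relaxed/relaxed";
+expire = "10d";
+report = true;
+};
+}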
+158
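--- a/hosts/prefect/services/named.conf
+++ b/hosts/prefect/services/named.conf
@@ -0,0 +1,158 @@
+include "/etc/bind/rndc.key";
+controls {
+inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
+};
+
+acl cachenetworks { 127.0.0.0/24; };
+acl dn42-dns { 172.20.129.2; 172.20.1.255; 172.22.76.110; 172.20.14.33; };
+
+options {
+directory "/run/named";
+pid-file "/run/named/named.pid";
+
+# Server Identity
+version "420.69";
+server-id "zaphod";
+hostname "zaphod";
+
+# Enable DNSSEC
+dnssec-validation no;
+
+# Only listen to local addresses
+listen-on { 127.0.0.1; };
+listen-on-v6 { ::1; };
+allow-query { any; };
+# disable the integrated handling of RFC1918 and non-assigned IPv6 space reverse dns
+empty-zones-enable no;
+validate-except {
+# DN42 Zones
+"dn42";
+"20.172.in-addr.arpa";
+"21.172.in-addr.arpa";
+"22.172.in-addr.arpa";
+"23.172.in-addr.arpa";
+"10.in-addr.arpa";
+"d.f.ip6.arpa";
+# ChaosVPN Zones
+"hack";
+"31.172.in-addr.arpa";
+"100.10.in-addr.arpa";
+"101.10.in-addr.arpa";
+"102.10.in-addr.arpa";
+"103.10.in-addr.arpa";
+
+# NeoNetwork Zones
+"neo";
+"127.10.in-addr.arpa";
+"7.2.1.0.0.1.d.f.ip6.arpa";
+};
+
+# Recursion settings
+recursion yes;
+allow-recursion { any; };
+allow-recursion-on { any; };
+allow-query-cache { any; };
+allow-query-cache-on { any; };
+prefetch 10;
+};
+
+# DN42 Zones
+zone "dn42" {
+type forward;
+forward only;
+forwarders { 172.20.0.53; 172.23.0.53; };
+};
+zone "20.172.in-addr.arpa" {
+type forward;
+forward only;
+forwarders { 172.20.0.53; 172.23.0.53; };
+};
+zone "21.172.in-addr.arpa" {
+type forward;
+forward only;
+forwarders { 172.20.0.53; 172.23.0.53; };
+};
+zone "22.172.in-addr.arpa" {
+type forward;
+forward only;
+forwarders { 172.20.0.53; 172.23.0.53; };
+};
+zone "23.172.in-addr.arpa" {
+type forward;
+forward only;
+forwarders { 172.20.0.53; 172.23.0.53; };
+};
+zone "10.in-addr.arpa" {
+type forward;
+forward only;
+forwarders { 172.20.0.53; 172.23.0.53; };
+};
+zone "d.f.ip6.arpa" {
+type forward;
+forward only;
+forwarders { 172.20.0.53; 172.23.0.53; };
+};
+
+# ChaosVPN Zones
+zone "hack" {
+type forward;
+forward only;
+forwarders { 172.31.0.5; 172.31.255.53; };
+};
+zone "31.172.in-addr.arpa" {
+type forward;
+forward only;
+forwarders { 172.31.0.5; 172.31.255.53; };
+};
+zone "100.10.in-addr.arpa" {
+type forward;
+forward only;
+forwarders { 172.31.0.5; 172.31.255.53; };
+};
+zone "101.10.in-addr.arpa" {
+type forward;
+forward only;
+forwarders { 172.31.0.5; 172.31.255.53; };
+};
+zone "102.10.in-addr.arpa" {
+type forward;
+forward only;
+forwarders { 172.31.0.5; 172.31.255.53; };
+};
+zone "103.10.in-addr.arpa" {
+type forward;
+forward only;
+forwarders { 172.31.0.5; 172.31.255.53; };
+};
+
+# NeoNetwork
+zone "neo" {
+type forward;
+forward only;
+forwarders { 10.127.255.53; };
+};
+zone "127.10.in-addr.arpa" {
+type forward;
+forward only;
+forwarders { 10.127.255.53; };
+};
+zone "7.2.1.0.0.1.d.f.ip6.arpa" {
+type forward;
+forward only;
+forwarders { 10.127.255.53; };
+};
+
+zone "crxn" {
+type forward;
+forward only;
+forwarders { fd92:58b6:2b2::5353; };
+};
+# Fallback root zone
+zone "." {
+type forward;
+forward only;
+forwarders { 100.123.15.72; 9.9.9.9; };
+};
+
+
+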
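Review bot: The comment `# Enable DNSSEC` sits above `dnssec-validation no;`, which turns validation off for everything, including the public names the `"."` zone forwards to `9.9.9.9`, and leaves the `validate-except` list with nothing to do. `dnssec-validation auto;` together with the existing `validate-except` entries would validate public answers while leaving the dn42, ChaosVPN and NeoNetwork zones alone (`crxn` would need adding to the list). `allow-recursion { any; }` and `allow-query-cache { any; }` are harmless only while `listen-on` stays on loopback; the `cachenetworks` ACL is defined but never used, and `allow-recursion { cachenetworks; };` would keep the resolver closed if the listen address ever changes. `server-id` and `hostname` say `zaphod` although the file lives under `hosts/prefect`.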
+37
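--- a/hosts/prefect/services/prometheus.nix
+++ b/hosts/prefect/services/prometheus.nix
@@ -0,0 +1,37 @@
+{ config, ... }:
+{
+services.prometheus = {
+enable = true;
+port = 6999;
+exporters = {
+node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+port = 6998;
+};
+bird = {
+enable = true;
+};
+};
+scrapeConfigs = [
+{
+job_name = "prefect";
+static_configs = [
+{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
+];
+}
+{
+job_name = "caddy";
+static_configs = [ { targets = [ "127.0.0.1:6899" ]; } ];
+}
+{
+job_name = "bird";
+static_configs = [ { targets = [ "127.0.0.1:9324" ]; } ];
+}
+{
+job_name = "prometheus";
+static_configs = [ { targets = [ "127.0.0.1:6999" ]; } ];
+}
+];
+};
+}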
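Review bot: Neither Prometheus (6999) nor the node exporter (6998) sets a listen address, so both presumably bind every interface even though all four scrape jobs target `127.0.0.1`. If nothing off-host reads them, `listenAddress = "127.0.0.1";` on `services.prometheus` and on `exporters.node` pins them to loopback. The `bird` and `prometheus` targets hard-code `9324` and `6999`; the `prefect` job already shows the pattern to follow, `config.services.prometheus.exporters.node.port`.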
+22
hosts/prefect/services/secrets.nix
··· 1 + { 2 + config.age.secrets = { 3 + # headscale-oidc-secret = { 4 + # file = ../secrets/headscale-oidc-secret.age; 5 + # path = "/run/agenix/headscale-oidc-secret"; 6 + # owner = "headscale"; 7 + # group = "headscale"; 8 + # }; 9 + dn42-privkey = { 10 + file = ../secrets/dn42-privkey.age; 11 + path = "/run/agenix/dn42-privkey"; 12 + }; 13 + dn42-peerfinder-uuid = { 14 + file = ../secrets/dn42-peerfinder-uuid.age; 15 + path = "/run/agenix/dn42-peerfinder-uuid"; 16 + }; 17 + wireguard-priv-key = { 18 + file = ../secrets/wireguard-priv-key.age; 19 + path = "/run/agenix/wireguard-priv-key"; 20 + }; 21 + }; 22 + }
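--- a/hosts/prefect/services/tailscale.nix
+++ b/hosts/prefect/services/tailscale.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+services.tailscale = {
+enable = true;
+};
+networking.firewall = {
+trustedInterfaces = [ "tailscale0" ];
+allowedUDPPorts = [ config.services.tailscale.port ];
+};
+}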
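Review bot: `trustedInterfaces = [ "tailscale0" ]` bypasses the host firewall for everything arriving over the tailnet, so every listening service on this machine, including the Prometheus server and exporters added in the same change, is reachable from any tailnet node unless Tailscale ACLs restrict it. If that is intended, a comment such as `# tailnet is trusted; access is restricted by Tailscale ACLs` would record where the control lives. Otherwise the needed ports can be listed under `networking.firewall.interfaces.tailscale0.allowedTCPPorts` instead. hosts/thought/services/tailscale.nix carries the same setting.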
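--- a/hosts/thought/bootloader.nix
+++ b/hosts/thought/bootloader.nix
@@ -0,0 +1,39 @@
+{ pkgs, modulesPath, ... }:
+let
+fileSystems = {
+btrfs = true;
+ext4 = true;
+vfat = true;
+};
+in
+{
+imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+boot = {
+loader = {
+grub.device = "/dev/sda";
+grub.enable = true;
+};
+initrd = {
+availableKernelModules = [
+"ata_piix"
+"uhci_hcd"
+"xen_blkfront"
+"ahci"
+"xhci_pci"
+"virtio_pci"
+"sd_mod"
+"sr_mod"
+];
+kernelModules = [ "nvme" ];
+supportedFilesystems = fileSystems;
+};
+supportedFilesystems = fileSystems;
+kernelPackages = pkgs.linuxPackages_latest;
+kernel.sysctl = {
+"net.ipv4.ip_forward" = 1;
+"net.ipv6.conf.all.forwarding" = 1;
+"net.ipv4.conf.default.rp_filter" = 0;
+"net.ipv4.conf.all.rp_filter" = 0;
+};
+};
+}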
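Review bot: The `kernel.sysctl` block switches reverse-path filtering fully off (`rp_filter = 0` for both `all` and `default`) on a host that also enables IPv4 and IPv6 forwarding, so packets with spoofed source addresses are routed without any kernel check. Asymmetric routing, which is presumably the reason given the dn42 rules in firewall.nix, normally only needs loose mode: `"net.ipv4.conf.all.rp_filter" = 2;` and the same for `default` keep a source-reachability test and would match the `checkReversePath = "loose"` set in services/tailscale.nix. If `0` really is required, a comment naming the interfaces that need it would make the exception reviewable.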
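--- a/hosts/thought/default.nix
+++ b/hosts/thought/default.nix
@@ -0,0 +1,35 @@
+{ pkgs, system, ... }:
+{
+imports = [
+# Machine-specific configurations.
+./bootloader.nix
+./firewall.nix
+./networking.nix
+./hardware.nix
+./packages.nix
+
+# Running Services
+./services/prometheus.nix
+./services/tailscale.nix
+];
+nixpkgs.hostPlatform.system = system;
+py = {
+profiles.server.enable = true;
+users.default.enable = true;
+programs = {
+fish.enable = true;
+neovim.enable = true;
+};
+};
+fileSystems = {
+"/" = {
+fsType = "ext4";
+device = "/dev/sda1";
+};
+};
+
+programs.fish.enable = true;
+programs.fish.interactiveShellInit = ''
+${pkgs.direnv}/bin/direnv hook fish | source
+'';
+}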
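Review bot: The root filesystem is declared here as ext4 on `/dev/sda1`, but hosts/thought/disks.nix in the same change describes a GPT disk with a 1M `EF02` BIOS-boot partition and a btrfs root, and disks.nix is not in this `imports` list. If the disko layout is what the machine was installed with, `/dev/sda1` would most likely be the BIOS-boot partition and the root would fail to mount. Either import the disko module and drop this `fileSystems` block, or remove disks.nix so the two cannot drift. A `/dev/disk/by-id` or by-uuid path would also survive device reordering better than `/dev/sda1`.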
+25
hosts/thought/disks.nix
··· 1 + { 2 + disko.devices.disk = { 3 + main = { 4 + type = "disk"; 5 + device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_33656227"; 6 + content = { 7 + type = "gpt"; 8 + partitions = { 9 + boot = { 10 + size = "1M"; 11 + type = "EF02"; 12 + }; 13 + root = { 14 + size = "100%"; 15 + content = { 16 + type = "filesystem"; 17 + format = "btrfs"; 18 + mountpoint = "/"; 19 + }; 20 + }; 21 + }; 22 + }; 23 + }; 24 + }; 25 + }
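--- a/hosts/thought/firewall.nix
+++ b/hosts/thought/firewall.nix
@@ -0,0 +1,46 @@
+{
+networking.firewall = {
+enable = true;
+allowedTCPPorts = [ 8000 ];
+allowedUDPPorts = [ 34197 ];
+};
+services.ferm = {
+enable = true;
+config = ''
+domain ip table filter chain INPUT proto icmp ACCEPT;
+domain ip6 table filter chain INPUT proto (ipv6-icmp icmp) ACCEPT;
+domain (ip ip6) table filter {
+chain INPUT {
+policy DROP;
+interface lo ACCEPT;
+interface tailscale0 ACCEPT;
+interface wg42_+ ACCEPT;
+interface wg0 ACCEPT;
+proto tcp dport (22 25 53 80 143 389 443 465 587 636 993 4190 6900 8000 http https 34197) ACCEPT;
+proto udp dport (22 25 53 480:510 636 4367 6900 8000 34197) ACCEPT;
+proto tcp dport (179) ACCEPT;
+# dns
+proto (udp tcp) dport domain ACCEPT;
+mod state state (INVALID) DROP;
+mod state state (ESTABLISHED RELATED) ACCEPT;
+}
+chain OUTPUT {
+policy ACCEPT;
+}
+chain FORWARD {
+policy DROP;
+# allow intern routing and dn42 forwarding
+interface wg42_+ outerface wg42_+ ACCEPT;
+interface tailscale0 outerface tailscale0 ACCEPT;
+interface tailscale0 outerface wg42_+ ACCEPT;
+# but dn42 -> intern only with execptions
+interface wg42_+ outerface tailscale0 {
+proto (ipv6-icmp icmp) ACCEPT; # Allow SSH Access from dn42 to devices behind tailscale0 Interfaces
+proto tcp dport (ssh) ACCEPT;
+mod state state (ESTABLISHED) ACCEPT;
+}
+}
+}
+'';
+};
+}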
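Review bot: In the ferm INPUT chain, `interface wg42_+ ACCEPT;` and `interface wg0 ACCEPT;` accept everything arriving over the WireGuard tunnels (the FORWARD comments call the wg42 ones dn42), so any peer can reach every local listener, including the Prometheus server and exporters on 6999/6998, which bind all addresses unless told otherwise. Narrowing the peering rule to what the tunnels need, for example `interface wg42_+ proto tcp dport (179) ACCEPT;`, closes that. The two `mod state` rules should also move to the top of the chain, since an INVALID packet aimed at an open port is currently accepted before the DROP is reached. The port lists (389/636, the mail ports, UDP 22/25) look inherited from another host, given that default.nix imports only the Prometheus and Tailscale services, and `networking.firewall.enable = true` alongside `services.ferm.enable = true` leaves two rule generators writing the same tables, so it is worth confirming which ruleset ends up loaded.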
+1
hosts/thought/hardware.nix
··· 1 + { zramSwap.enable = true; }
+22
hosts/thought/networking.nix
··· 1 + { lib, ... }: 2 + { 3 + networking = { 4 + hostName = "thought"; 5 + hostId = "1e22528e"; 6 + useDHCP = false; 7 + nameservers = lib.mkForce [ ]; 8 + resolvconf.enable = false; 9 + interfaces.enp1s0 = { 10 + ipv6.addresses = [ 11 + { 12 + address = "2a01:4ff:1f0:c98a::1"; 13 + prefixLength = 64; 14 + } 15 + ]; 16 + }; 17 + defaultGateway6 = { 18 + address = "fe80::1"; 19 + interface = "enp1s0"; 20 + }; 21 + }; 22 + }
+4
hosts/thought/packages.nix
··· 1 + { pkgs, ... }: 2 + { 3 + environment.systemPackages = with pkgs; [ direnv ]; 4 + }
+4
hosts/thought/secrets/secrets.nix
··· 1 + { 2 + imports = [ ../../common/secrets/secrets.nix ]; 3 + # "headscale-oidc-secret.age".publicKeys = [ prefect yubi-main yubi-back ]; 4 + }
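--- a/hosts/thought/services/prometheus.nix
+++ b/hosts/thought/services/prometheus.nix
@@ -0,0 +1,37 @@
+{ config, ... }:
+{
+services.prometheus = {
+enable = true;
+port = 6999;
+exporters = {
+node = {
+enable = true;
+enabledCollectors = [ "systemd" ];
+port = 6998;
+};
+bird = {
+enable = true;
+};
+};
+scrapeConfigs = [
+{
+job_name = "prefect";
+static_configs = [
+{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
+];
+}
+{
+job_name = "caddy";
+static_configs = [ { targets = [ "127.0.0.1:6899" ]; } ];
+}
+{
+job_name = "bird";
+static_configs = [ { targets = [ "127.0.0.1:9324" ]; } ];
+}
+{
+job_name = "prometheus";
+static_configs = [ { targets = [ "127.0.0.1:6999" ]; } ];
+}
+];
+};
+}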
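Review bot: The node-exporter job on thought is still labelled `job_name = "prefect"`, because this file is a verbatim copy of hosts/prefect/services/prometheus.nix, so metrics from the two hosts cannot be told apart by job once they are aggregated. It also scrapes `caddy` (6899) and `bird` (9324) and enables the bird exporter, although hosts/thought/default.nix imports only the Prometheus and Tailscale service modules, so those targets would presumably be permanently down. Suggest `job_name = "thought";` and dropping the jobs and exporter for services this host does not run.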
+11
hosts/thought/services/tailscale.nix
··· 1 + { config, ... }: 2 + { 3 + services.tailscale = { 4 + enable = true; 5 + }; 6 + networking.firewall = { 7 + trustedInterfaces = [ "tailscale0" ]; 8 + allowedUDPPorts = [ config.services.tailscale.port ]; 9 + checkReversePath = "loose"; 10 + }; 11 + }
+52
hosts/zaphod/bootloader.nix
··· 1 + { pkgs, config, ... }: 2 + let 3 + fileSystems = { 4 + btrfs = true; 5 + ext4 = true; 6 + vfat = true; 7 + ntfs = true; 8 + }; 9 + in 10 + { 11 + boot = { 12 + kernelParams = [ 13 + "amdgpu.dcdebugmask=0x410" 14 + ]; 15 + bootspec.enable = true; 16 + kernelPackages = pkgs.linuxPackages_latest; 17 + extraModulePackages = with config.boot.kernelPackages; [ 18 + v4l2loopback 19 + framework-laptop-kmod 20 + ]; 21 + kernelModules = [ 22 + "v4l2loopback" 23 + "btusb" 24 + "cros_ec" 25 + "cros_ec_lpcs" 26 + ]; 27 + supportedFilesystems = fileSystems; 28 + initrd = { 29 + enable = true; 30 + network.enable = false; 31 + availableKernelModules = [ 32 + "xhci_pci" 33 + "thunderbolt" 34 + "nvme" 35 + "usb_storage" 36 + "usbhid" 37 + "sd_mod" 38 + ]; 39 + kernelModules = [ ]; 40 + }; 41 + loader = { 42 + systemd-boot = { 43 + enable = true; 44 + configurationLimit = 5; 45 + }; 46 + efi.canTouchEfiVariables = true; 47 + }; 48 + plymouth.enable = true; 49 + plymouth.font = "${pkgs.ibm-plex}/share/fonts/opentype/IBMPlexMono-Regular.otf"; 50 + }; 51 + catppuccin.plymouth.enable = true; 52 + }
+22
hosts/zaphod/console.nix
··· 1 + { 2 + console = { 3 + colors = [ 4 + "1a1b26" 5 + "f7768e" 6 + "73daca" 7 + "e0af68" 8 + "7aa2f7" 9 + "bb9af7" 10 + "7dcfff" 11 + "c0caf5" 12 + "565f89" 13 + "f7768e" 14 + "73daca" 15 + "e0af68" 16 + "7aa2f7" 17 + "bb9af7" 18 + "7dcfff" 19 + "c0caf5" 20 + ]; 21 + }; 22 + }
+57
hosts/zaphod/default.nix
··· 1 + { ... }: 2 + { 3 + imports = [ 4 + # Machine specific configs 5 + ./bootloader.nix 6 + ./console.nix 7 + ./fonts.nix 8 + ./hardware.nix 9 + # ./kde.nix 10 + ./networking.nix 11 + ./misc.nix 12 + ./packages.nix 13 + ./power.nix 14 + 15 + # Security 16 + ./security/modules.nix 17 + 18 + # Services 19 + ./services/modules.nix 20 + 21 + # Machine-specific programs. 22 + ./programs/ssh.nix 23 + ./programs/zsh.nix 24 + 25 + # Agenix secrets 26 + # ./secret-files.nix 27 + ]; 28 + py = { 29 + profiles.gui.enable = true; 30 + users.default.enable = true; 31 + programs = { 32 + appimage.enable = true; 33 + chromium.enable = true; 34 + dconf.enable = true; 35 + firefox.enable = true; 36 + fish.enable = true; 37 + hyprland.enable = true; 38 + less.enable = true; 39 + neovim.enable = true; 40 + noisetorch.enable = true; 41 + steam.enable = true; 42 + wireshark.enable = true; 43 + }; 44 + }; 45 + 46 + fileSystems = { 47 + "/" = { 48 + fsType = "btrfs"; 49 + device = "/dev/disk/by-uuid/dce547b5-71db-4b80-a029-370c4b7765ab"; 50 + }; 51 + "/boot" = { 52 + fsType = "vfat"; 53 + device = "/dev/disk/by-uuid/2F06-FA92"; 54 + }; 55 + }; 56 + swapDevices = [ { device = "/dev/disk/by-uuid/5f64b6ad-f471-4c6f-8536-59f581e16827"; } ]; 57 + }
+24
hosts/zaphod/fonts.nix
··· 1 + { pkgs, lib, ... }: 2 + { 3 + fonts = { 4 + fontDir.enable = true; 5 + fontconfig = { 6 + enable = lib.mkForce true; 7 + defaultFonts = { 8 + serif = [ "IBM Plex Serif" ]; 9 + sansSerif = [ "IBM Plex Sans" ]; 10 + monospace = [ 11 + "IBM Plex Mono" 12 + "FiraCode Nerd Font Mono" 13 + ]; 14 + emoji = [ "JoyPixels" ]; 15 + }; 16 + }; 17 + packages = with pkgs; [ 18 + ibm-plex 19 + nerd-fonts.blex-mono 20 + nerd-fonts.symbols-only 21 + inter 22 + ]; 23 + }; 24 + }
+40
hosts/zaphod/hardware.nix
··· 1 + { pkgs, ... }: 2 + { 3 + hardware = { 4 + enableAllFirmware = false; 5 + enableRedistributableFirmware = false; 6 + firmware = [ 7 + pkgs.linux-firmware 8 + pkgs.alsa-firmware 9 + pkgs.sof-firmware 10 + ]; 11 + bluetooth = { 12 + enable = true; 13 + hsphfpd.enable = false; 14 + powerOnBoot = true; 15 + }; 16 + gpgSmartcards.enable = true; 17 + amdgpu = { 18 + opencl.enable = false; 19 + initrd.enable = true; 20 + }; 21 + graphics = { 22 + enable = true; 23 + extraPackages = [ 24 + pkgs.gamescope 25 + pkgs.mangohud 26 + ]; 27 + extraPackages32 = [ 28 + pkgs.pkgsi686Linux.mangohud 29 + ]; 30 + }; 31 + wirelessRegulatoryDatabase = true; 32 + framework.enableKmod = false; 33 + keyboard.qmk.enable = true; 34 + keyboard.qmk.keychronSupport = true; 35 + }; 36 + services.udev.packages = [ 37 + pkgs.qmk-udev-rules 38 + pkgs.logitech-udev-rules 39 + ]; 40 + }
+20
hosts/zaphod/kde.nix
··· 1 + { 2 + services.xserver = { 3 + enable = false; 4 + displayManager = { 5 + sddm.enable = false; 6 + defaultSession = "plasmawayland"; 7 + }; 8 + desktopManager.plasma5 = { 9 + enable = false; 10 + phononBackend = "vlc"; 11 + runUsingSystemd = true; 12 + useQtScaling = true; 13 + }; 14 + }; 15 + qt = { 16 + enable = true; 17 + platformTheme = "kde"; 18 + style = "cleanlooks"; 19 + }; 20 + }
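--- a/hosts/zaphod/misc.nix
+++ b/hosts/zaphod/misc.nix
@@ -0,0 +1,59 @@
+{ lib, pkgs, ... }:
+{
+documentation = {
+enable = false;
+doc.enable = false;
+man = {
+enable = false;
+generateCaches = false;
+mandoc.enable = true;
+};
+nixos.enable = false;
+};
+environment = {
+homeBinInPath = true;
+localBinInPath = true;
+};
+services.openssh.settings.PermitRootLogin = lib.mkForce "yes";
+time.timeZone = "America/New_York";
+#
+# systemd.tmpfiles.rules = ["L+ /lib64 - - - - /run/current-system/sw/lib64"];
+
+virtualisation.virtualbox = {
+host.enable = false;
+host.enableExtensionPack = false;
+guest = {
+enable = false;
+clipboard = true;
+seamless = false;
+dragAndDrop = true;
+};
+};
+# Enable Virt-manager
+virtualisation.libvirtd.enable = false;
+programs.dconf.enable = true;
+# environment.systemPackages = with pkgs; [virt-manager];
+
+users.extraGroups.vboxusers.members = [
+"thehedgehog"
+"pyrox"
+];
+# users.extraGroups.libvirtd.members = ["thehedgehog" "pyrox"];
+xdg.portal.xdgOpenUsePortal = true;
+
+# Nix-LD
+programs.nix-ld.enable = true;
+
+programs.steam.extraPackages = [
+pkgs.pixman
+];
+
+services.upower = {
+enable = true;
+percentageLow = 30;
+percentageCritical = 15;
+};
+
+# For caelestia screen recording
+programs.gpu-screen-recorder.enable = true;
+}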
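Review bot: `services.openssh.settings.PermitRootLogin = lib.mkForce "yes";` overrides any stricter value a shared profile sets and lets root log in over SSH with a password whenever sshd is enabled on this laptop. hosts/zaphod/services/ssh.nix in the same change holds only a commented-out block that used `prohibit-password`, so the forced `"yes"` looks like a leftover. `lib.mkForce "prohibit-password"` or `"no"` would be the safer value, or the line can be removed if sshd is not meant to run here. Separately, `users.extraGroups.vboxusers.members` still grants group membership while `virtualisation.virtualbox.host.enable` is `false`.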
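--- a/hosts/zaphod/networking.nix
+++ b/hosts/zaphod/networking.nix
@@ -0,0 +1,51 @@
+{ lib, pkgs, ... }:
+{
+networking = {
+enableB43Firmware = false;
+enableIPv6 = true;
+hostId = "28c6bad2";
+hostName = "zaphod";
+usePredictableInterfaceNames = lib.mkDefault true;
+# Interface config
+interfaces.wlp1s0.useDHCP = lib.mkDefault true;
+# Enable NetworkManager and disable wpa_supplicant
+networkmanager = {
+enable = true;
+dns = lib.mkForce "default";
+wifi.powersave = true;
+};
+wireless = {
+enable = false;
+};
+
+# Tailscale fix(not needed, but recommended)
+firewall.checkReversePath = "loose";
+
+# DNS Servers
+# Only use local resolver
+nameservers = lib.mkForce [ ];
+
+resolvconf.enable = false;
+};
+services.resolved = {
+enable = false;
+llmnr = "true";
+fallbackDns = [ "158.59.252.11" ];
+extraConfig = ''
+MulticastDNS=true
+'';
+};
+systemd.services.wpa_supplicant.environment.OPENSSL_CONF = pkgs.writeText "openssl.cnf" ''
+openssl_conf = openssl_init
+[openssl_init]
+ssl_conf = ssl_sect
+[ssl_sect]
+system_default = system_default_sect
+[system_default_sect]
+Options = UnsafeLegacyRenegotiation
+'';
+services.mullvad-vpn = {
+enable = false;
+package = pkgs.mullvad-vpn;
+};
+}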
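Review bot: The `OPENSSL_CONF` override makes `Options = UnsafeLegacyRenegotiation` the system default for wpa_supplicant, which re-enables TLS renegotiation without RFC 5746 protection for every EAP/TLS network the machine joins, not only the one that presumably needs it. A comment naming that network and the reason, for example `# <network name>: RADIUS server lacks secure renegotiation; remove once fixed`, would make the exception reviewable and removable. The `services.resolved` block also sets `llmnr = "true"` and `MulticastDNS=true` while `enable = false`; if resolved is switched on later, those settings make the host answer and trust link-local name queries, so they are better dropped or chosen deliberately at that point.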
+23
hosts/zaphod/packages.nix
··· 1 + { 2 + pkgs, 3 + inputs', 4 + ... 5 + }: 6 + { 7 + environment.systemPackages = [ 8 + inputs'.agenix.packages.default 9 + pkgs.file 10 + pkgs.gnupg 11 + pkgs.libappindicator 12 + pkgs.kdePackages.kdenlive 13 + pkgs.libappindicator-gtk3 14 + pkgs.nixpkgs-track 15 + pkgs.pmutils 16 + pkgs.qbittorrent 17 + pkgs.steam-run 18 + # Tools for working with Framework computers 19 + pkgs.framework-tool-tui 20 + pkgs.fw-ectool 21 + pkgs.framework-tool 22 + ]; 23 + }
+1
hosts/zaphod/power.nix
··· 1 + { powerManagement.enable = true; }
+10
hosts/zaphod/programs/gnupg.nix
··· 1 + { 2 + programs.gnupg = { 3 + agent = { 4 + enable = true; 5 + enableSSHSupport = true; 6 + enableBrowserSocket = true; 7 + }; 8 + dirmngr.enable = true; 9 + }; 10 + }
+6
hosts/zaphod/programs/ssh.nix
··· 1 + { 2 + programs.ssh = { 3 + enableAskPassword = false; 4 + forwardX11 = false; 5 + }; 6 + }
+13
hosts/zaphod/programs/zsh.nix
··· 1 + { 2 + programs.zsh = { 3 + enable = true; 4 + enableBashCompletion = true; 5 + enableCompletion = true; 6 + enableGlobalCompInit = true; 7 + autosuggestions.enable = true; 8 + autosuggestions.async = true; 9 + histSize = 10000; 10 + syntaxHighlighting.enable = true; 11 + vteIntegration = true; 12 + }; 13 + }
+8
hosts/zaphod/secret-files.nix
··· 1 + { 2 + config.age.secrets = { 3 + wg-privkey = { 4 + file = ./secrets/wg-privkey.age; 5 + path = "/run/agenix/wg-privkey"; 6 + }; 7 + }; 8 + }
+12
hosts/zaphod/secrets/secrets.nix
··· 1 + let 2 + yubi-back = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTVGi3PItsbUhFgnFZlqo1iUggL4npMg94+9FsyhEPfShcQwJK2/jJzjv5S9KPuk3cY7aoqyVFLbnasSBZPXmscJmOiVNvtWvHoC3QPXvf3IAcVZ5KOLpY2NJlPx/pAb31C6ewtg8v3VlyhL4zEp6M+AGwXX51tFDh2GnYD+7SNF+aMhKCrX63syAhgPy3F8mZ2RIDLAu+lsYlwdpWRkSEv9kcjX/6+3QgUWjfPBaKEeYID22ihSuj7+AiuAt0gM4q0TY/Hpcx+qDLonrIuBnm1hMZDgbv//D0sHIUxJQkGTKTEbkZxoh0Qri7UV/V6l3mETaG40deuemMU7RFY7Khl8RajNZ+9z0FdquS/HCt8+fYQk6eLneJrMIQ1bI4awrtblG3P2Yf2QUu+H3kfCQe44R3WjUugTbNtumVgyQBzl2dzlIVn1pZBeyZy70XCgbaFKkDR8Y/qZiUoZ0afP3vTOXhkn5UBfutTKwUiSGh3S8Ge5YhNgKHWE2eQp1ckEm0IMJV/q5Nsw/yBBXj/kfD8ekz96LQ+gP5JFLq4EaipXI7FM4aZNOBUZU1l/sCEuq7m997nrBucTKqGm7Ho3rq7bgdj4f6GyUJXSMOM1cN61LLrRumZGGTH8WghVL7ligxZyNFcQoudR8jfpf4mrgRxipQOe1A2umvuufMr+l/bw=="; 3 + yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746"; 4 + backup = "ssh-rsa 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"; 5 + in 6 + { 7 + "wg-privkey.age".publicKeys = [ 8 + yubi-back 9 + yubi-main 10 + backup 11 + ]; 12 + }
hosts/zaphod/secrets/wg-privkey.age

This is a binary file and will not be displayed.

+6
hosts/zaphod/security/modules.nix
··· 1 + { 2 + imports = [ ./pam.nix ]; 3 + security = { 4 + protectKernelImage = true; 5 + }; 6 + }
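--- a/hosts/zaphod/security/pam.nix
+++ b/hosts/zaphod/security/pam.nix
@@ -0,0 +1,9 @@
+{
+security.pam = {
+p11.enable = false;
+p11.control = "sufficient";
+u2f.enable = true;
+u2f.settings.cue = true;
+sshAgentAuth.enable = false;
+};
+}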
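Review bot: `u2f.enable = true` is added without `u2f.control`, and the NixOS default for that option is `"sufficient"`, so touching an enrolled key authenticates on its own and the password is never requested. If the key is meant as a second factor rather than a password replacement, set `u2f.control = "required";`; if single-factor login is the intent, a one-line comment saying so would help the next reader. `p11.control = "sufficient"` has no effect while `p11.enable = false` and could be dropped.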
+6
hosts/zaphod/services/avahi.nix
··· 1 + { 2 + services.avahi = { 3 + enable = true; 4 + nssmdns4 = true; 5 + }; 6 + }
+20
hosts/zaphod/services/docker.nix
··· 1 + { pkgs, ... }: 2 + let 3 + betterDocker = pkgs.docker.override { 4 + buildxSupport = false; 5 + composeSupport = false; 6 + sbomSupport = false; 7 + }; 8 + in 9 + { 10 + virtualisation.docker = { 11 + enable = true; 12 + package = betterDocker; 13 + rootless = { 14 + enable = false; 15 + package = betterDocker; 16 + setSocketVariable = true; 17 + }; 18 + storageDriver = "btrfs"; 19 + }; 20 + }
+4
hosts/zaphod/services/flatpak.nix
··· 1 + { 2 + services.flatpak.enable = true; 3 + xdg.portal.enable = true; 4 + }
+8
hosts/zaphod/services/fprintd.nix
··· 1 + { pkgs, ... }: 2 + { 3 + services.fprintd = { 4 + enable = false; 5 + tod.enable = false; 6 + tod.driver = pkgs.libfprint-2-tod1-goodix; 7 + }; 8 + }
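--- a/hosts/zaphod/services/fwupd.nix
+++ b/hosts/zaphod/services/fwupd.nix
@@ -0,0 +1,9 @@
+{
+services.fwupd = {
+enable = true;
+extraRemotes = [ "lvfs-testing" ];
+uefiCapsuleSettings = {
+"DisableCapsuleUpdateOnDisk" = true;
+};
+};
+}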
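Review bot: `extraRemotes = [ "lvfs-testing" ]` subscribes this machine to the LVFS testing remote, so fwupd will offer firmware that vendors have not yet promoted to stable. If the remote is needed for one specific device update, a comment naming that device would show when it can be removed again. Otherwise leaving `extraRemotes` unset keeps firmware on the stable channel.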
+10
hosts/zaphod/services/greeter.nix
··· 1 + { 2 + services.displayManager.ly = { 3 + enable = true; 4 + x11Support = false; 5 + settings = { 6 + clear_password = true; 7 + hide_version_string = true; 8 + }; 9 + }; 10 + }
+13
hosts/zaphod/services/kmscon.nix
··· 1 + { pkgs, ... }: 2 + { 3 + services.kmscon = { 4 + enable = true; 5 + hwRender = true; 6 + fonts = [ 7 + { 8 + name = "BlexMono Nerd Font"; 9 + package = pkgs.nerd-fonts.blex-mono; 10 + } 11 + ]; 12 + }; 13 + }
+18
hosts/zaphod/services/misc.nix
··· 1 + { config, lib, ... }: 2 + { 3 + services = { 4 + blueman.enable = false; 5 + fstrim.enable = lib.mkDefault true; 6 + tlp.enable = lib.mkDefault ( 7 + (lib.versionOlder (lib.versions.majorMinor lib.version) "21.05") || !config.services.power-profiles-daemon.enable 8 + ); 9 + libinput.enable = lib.mkDefault true; 10 + logind.settings.Login = { 11 + HandlePowerKey = "ignore"; 12 + HandlePowerKeyLongPress = "ignore"; 13 + HandleLidSwitch = "ignore"; 14 + HandleLidSwitchExternalPower = "ignore"; 15 + HandleLidSwitchDocked = "ignore"; 16 + }; 17 + }; 18 + }
+17
hosts/zaphod/services/modules.nix
··· 1 + { 2 + imports = [ 3 + ./avahi.nix 4 + ./docker.nix 5 + ./flatpak.nix 6 + ./fprintd.nix 7 + ./fwupd.nix 8 + ./greeter.nix 9 + ./kmscon.nix 10 + ./misc.nix 11 + ./packagekit.nix 12 + ./pcscd.nix 13 + ./pipewire.nix 14 + ./ssh.nix 15 + ./tailscale.nix 16 + ]; 17 + }
+5
hosts/zaphod/services/packagekit.nix
··· 1 + { 2 + services = { 3 + packagekit.enable = false; 4 + }; 5 + }
+5
hosts/zaphod/services/pcscd.nix
··· 1 + { 2 + services.pcscd = { 3 + enable = true; 4 + }; 5 + }
+12
hosts/zaphod/services/pipewire.nix
··· 1 + { 2 + services.pipewire = { 3 + enable = true; 4 + alsa.enable = true; 5 + alsa.support32Bit = true; 6 + audio.enable = true; 7 + jack.enable = true; 8 + pulse.enable = true; 9 + wireplumber.enable = true; 10 + }; 11 + security.rtkit.enable = true; 12 + }
+6
hosts/zaphod/services/ssh.nix
··· 1 + { 2 + # services.openssh = { 3 + # enable = true; 4 + # permitRootLogin = "prohibit-password"; 5 + # }; 6 + }
+5
hosts/zaphod/services/tailscale.nix
··· 1 + { 2 + services.tailscale = { 3 + enable = true; 4 + }; 5 + }
+4 -3
lib/data/default.nix
··· 1 1 { 2 - data.hosts = builtins.fromTOML (builtins.readFile ./hosts.toml); 3 - data.services = builtins.fromTOML (builtins.readFile ./services.toml); 4 - data.tsNet = "coelacanth-dragon.ts.net"; 2 + hosts = builtins.fromTOML (builtins.readFile ./hosts.toml); 3 + services = builtins.fromTOML (builtins.readFile ./services.toml); 4 + mail = builtins.fromTOML (builtins.readFile ./mail.toml); 5 + tsNet = "coelacanth-dragon.ts.net"; 5 6 }
+10
lib/data/mail.toml
··· 1 + extUrl = "mail.pyrox.dev" 2 + extIPs = ["5.161.140.5", "2a01:4ff:f0:98bf:0:0:0:1"] 3 + # internal port is 40k+real mail port 4 + intSMTP = 40587 5 + intSMTPS = 40465 6 + intIMAP = 40143 7 + intIMAPS = 40993 8 + intManageSieve = 44190 9 + intHTTPS = 40443 10 + intHTTP = 40080
+48 -2
lib/data/services.toml
··· 1 1 # Schema: 2 2 # port: what port the service uses internally, int 3 3 # host: What host the service runs on 4 - # extUrl: if needed, the externally accessible domain name of the service 4 + # extUrl: (optional) the externally accessible domain name of the service 5 + # anubis: What port the anubis service for this domain will use, int 6 + # tsHost: (optional) What Tailscale host this service will run on, for services only available via Tailscale. 7 + # # Should only be set if this is available externally, if at all, since TS-only services aren't able to be scraped. 8 + # Current lowest unassigned port: 6938 5 9 [authentik] 6 10 port = 6908 7 11 host = "marvin" 8 12 extUrl = "auth.pyrox.dev" 13 + anubis = 8401 9 14 10 15 [buildbot-server] 11 16 port = 6915 ··· 27 32 port = 6904 28 33 host = "marvin" 29 34 extUrl = "git.pyrox.dev" 35 + anubis = 8402 30 36 31 37 [grafana] 32 38 port = 6914 33 39 host = "marvin" 34 40 extUrl = "stats.pyrox.dev" 41 + anubis = 8403 35 42 36 43 [iceshrimp] 37 44 port = 6923 38 45 host = "marvin" 39 46 extUrl = "soc.pyrox.dev" 40 47 48 + [immich] 49 + port = 6936 50 + host = "marvin" 51 + extUrl = "img.pyrox.dev" 52 + pubProxy = 6937 53 + 41 54 [jellyfin] 42 55 port = 8096 43 56 host = "marvin" 44 57 extUrl = "media.pyrox.dev" 58 + anubis = 8404 59 + exporter = 30103 45 60 46 61 [matrix-server] 47 62 port = 6922 ··· 52 67 port = 6903 53 68 host = "marvin" 54 69 extUrl = "rss.pyrox.dev" 70 + anubis = 8405 55 71 56 72 [nextcloud] 57 73 port = 6926 58 74 host = "marvin" 59 75 extUrl = "cloud.pyrox.dev" 76 + anubis = 8406 60 77 61 78 [nextcloud-imaginary] 62 79 port = 6928 ··· 66 83 port = 6927 67 84 host = "marvin" 68 85 extUrl = "office.pyrox.dev" 86 + anubis = 8407 69 87 70 88 [pinchflat] 71 89 port = 6930 72 90 host = "marvin" 73 91 tsHost = "yt" 74 92 93 + [pingvin-share] 94 + port = 6933 95 + host = "marvin" 96 + extUrl = "share.pyrox.dev" 97 + anubis = 8410 98 + be-port = 30104 99 + be-anubis = 30105 100 + 75 101 [planka] 76 102 
port = 6929 77 103 host = "marvin" 78 104 extUrl = "plan.cs2a.club" 105 + anubis = 8408 79 106 80 107 [prosody] 81 108 host = "marvin" 82 109 extUrl = "xmpp.pyrox.dev" 83 110 111 + [pocket-id] 112 + port = 6932 113 + host = "marvin" 114 + extUrl = "auth.pyrox.dev" 115 + anubis = 8401 116 + 84 117 [redlib] 85 118 port = 6901 86 119 host = "marvin" 87 - extUrl = "reddit.pyrox.dev" 120 + tsHost = "reddit" 88 121 89 122 [scrutiny] 90 123 port = 6931 91 124 host = "marvin" 92 125 tsHost = "scrutiny" 93 126 127 + [tangled-knot] 128 + port = 6934 129 + host = "marvin" 130 + extUrl = "knot.pyrox.dev" 131 + intListenPort = 30106 132 + 133 + [tangled-spindle] 134 + port = 6935 135 + host = "marvin" 136 + extUrl = "spindle.pyrox.dev" 137 + 138 + 94 139 [vaultwarden] 95 140 port = 6912 96 141 host = "marvin" 97 142 extUrl = "bw.pyrox.dev" 143 + anubis = 8409 98 144 99 145 [webmentiond] 100 146 port = 6925
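Review bot: The new `[pocket-id]` table reuses both `extUrl = "auth.pyrox.dev"` and `anubis = 8401` from `[authentik]`, which this change also annotates with `anubis = 8401`. If both services are deployed at once, two Anubis instances would try to bind the same port and the reverse proxy would have two upstreams for one hostname, which is not something to leave ambiguous on the authentication endpoint. If pocket-id is replacing authentik, removing the `[authentik]` table (or its `extUrl` and `anubis` keys) in the same change avoids that; otherwise assign the next free port after 8410. The new keys `pubProxy`, `exporter`, `be-port`, `be-anubis` and `intListenPort` are also missing from the schema comment at the top of the file.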
+5
lib/default.nix
··· 1 + _: { 2 + flake = { 3 + lib.data = import ./data; 4 + }; 5 + }
+1 -1
lib/deploy/default.nix
··· 8 8 let 9 9 inherit (inputs) deploy-rs; 10 10 in 11 - rec { 11 + { 12 12 ## Create deployment configuration for use with deploy-rs. 13 13 ## 14 14 ## ```nix
-24
modules/home/profiles/base/default.nix
··· 1 - { 2 - config, 3 - lib, 4 - ... 5 - }: 6 - let 7 - cfg = config.py.profiles.base; 8 - in 9 - { 10 - options.py.profiles.base.enable = lib.mkEnableOption "Base Home Profile"; 11 - config = lib.mkIf cfg.enable { 12 - programs.home-manager.enable = true; 13 - home.stateVersion = "25.05"; 14 - home.language = { 15 - base = "en_US.utf8"; 16 - }; 17 - manual = { 18 - manpages.enable = false; 19 - html.enable = false; 20 - json.enable = false; 21 - }; 22 - programs.man.enable = false; 23 - }; 24 - }
-69
modules/home/profiles/cli/default.nix
··· 1 - { 2 - pkgs, 3 - lib, 4 - config, 5 - inputs, 6 - system, 7 - ... 8 - }: 9 - let 10 - cfg = config.py.profiles.cli; 11 - inherit (lib) mkEnableOption mkDefault mkIf; 12 - in 13 - { 14 - options.py.profiles.cli.enable = mkEnableOption "CLI Profile"; 15 - config = mkIf cfg.enable { 16 - py.programs = { 17 - bat.enable = mkDefault true; 18 - direnv.enable = mkDefault true; 19 - fish.enable = mkDefault true; 20 - fzf.enable = mkDefault true; 21 - git = { 22 - enable = mkDefault true; 23 - gh.enable = mkDefault true; 24 - lazygit.enable = mkDefault true; 25 - }; 26 - gpg.enable = mkDefault true; 27 - helix.enable = mkDefault true; 28 - nix-index.enable = mkDefault true; 29 - nushell.enable = mkDefault true; 30 - pandoc.enable = mkDefault true; 31 - ssh.enable = mkDefault true; 32 - starship.enable = mkDefault true; 33 - wakatime.enable = mkDefault true; 34 - zoxide.enable = mkDefault true; 35 - }; 36 - catppuccin = { 37 - btop.enable = true; 38 - glamour.enable = true; 39 - }; 40 - programs = { 41 - eza = { 42 - enable = true; 43 - icons = "auto"; 44 - git = true; 45 - enableBashIntegration = false; 46 - enableIonIntegration = false; 47 - }; 48 - btop = { 49 - enable = true; 50 - }; 51 - }; 52 - xdg.configFile = { 53 - "rbw/config.json".source = ./rbw-config.json; 54 - }; 55 - home.packages = with pkgs; [ 56 - btrfs-progs 57 - fd 58 - fzf 59 - glow 60 - gnupg 61 - pinentry 62 - rbw 63 - rsync 64 - xdg-utils 65 - yt-dlp 66 - inputs.nix-search.packages.${system}.default 67 - ]; 68 - }; 69 - }
-1
modules/home/profiles/cli/rbw-config.json
··· 1 - {"email":"pyrox@pyrox.dev","base_url":"https://bw.pyrox.dev","identity_url":null,"lock_timeout":3600,"pinentry":"pinentry"}
-38
modules/home/profiles/desktop/default.nix
··· 1 - { 2 - pkgs, 3 - config, 4 - lib, 5 - ... 6 - }: 7 - let 8 - cfg = config.py.profiles.desktop; 9 - inherit (lib) mkIf mkDefault mkEnableOption; 10 - in 11 - { 12 - options.py.profiles.desktop.enable = mkEnableOption "Desktop Config"; 13 - config = mkIf cfg.enable { 14 - py.profiles = { 15 - base.enable = mkDefault true; 16 - cli.enable = mkDefault true; 17 - gui.enable = mkDefault true; 18 - development.enable = mkDefault true; 19 - }; 20 - programs.mpv.enable = mkDefault true; 21 - home.packages = with pkgs; [ 22 - archipelago 23 - brightnessctl 24 - clipman 25 - dex 26 - fractal 27 - keepassxc 28 - newsflash 29 - playerctl 30 - poptracker 31 - thunderbird 32 - wlogout 33 - wl-clipboard 34 - zotero 35 - ]; 36 - services.easyeffects.enable = mkDefault true; 37 - }; 38 - }
-25
modules/home/profiles/development/default.nix
··· 1 - { 2 - pkgs, 3 - lib, 4 - config, 5 - ... 6 - }: 7 - let 8 - customPython = pkgs.python313.withPackages (ps: [ ps.pip ]); 9 - cfg = config.py.profiles.development; 10 - in 11 - { 12 - options.py.profiles.development.enable = lib.mkEnableOption "Development Profile"; 13 - config = lib.mkIf cfg.enable { 14 - py.programs = { 15 - neovim.enable = true; 16 - }; 17 - home.packages = with pkgs; [ 18 - any-nix-shell 19 - customPython 20 - editorconfig-core-c 21 - nil 22 - nixd 23 - ]; 24 - }; 25 - }
-55
modules/home/profiles/gui/default.nix
··· 1 - { 2 - pkgs, 3 - lib, 4 - config, 5 - ... 6 - }: 7 - let 8 - cfg = config.py.profiles.gui; 9 - inherit (lib) mkEnableOption mkIf mkDefault; 10 - in 11 - { 12 - options.py.profiles.gui.enable = mkEnableOption "GUI Profile"; 13 - config = mkIf cfg.enable { 14 - home.sessionVariables = { 15 - XDG_CURRENT_DESKTOP = "sway"; 16 - }; 17 - py = { 18 - gui.enable = true; 19 - programs = { 20 - chromium.enable = mkDefault true; 21 - firefox.enable = mkDefault true; 22 - ghostty.enable = mkDefault true; 23 - kitty.enable = mkDefault false; 24 - obs.enable = mkDefault true; 25 - vscodium.enable = mkDefault false; 26 - wlogout.enable = mkDefault true; 27 - zed-editor.enable = mkDefault true; 28 - }; 29 - services = { 30 - gpg-agent.enable = mkDefault true; 31 - kanshi.enable = mkDefault true; 32 - kdeconnect.enable = mkDefault true; 33 - mako.enable = mkDefault true; 34 - swayidle.enable = mkDefault true; 35 - syncthing.enable = mkDefault false; 36 - }; 37 - }; 38 - home.packages = with pkgs; [ 39 - chatterino2 40 - equibop 41 - grim 42 - krita 43 - libappindicator 44 - libappindicator-gtk3 45 - lutris 46 - prismlauncher 47 - pwvucontrol 48 - py.olympus 49 - satty 50 - slurp 51 - sway-launcher-desktop 52 - ueberzug 53 - ]; 54 - }; 55 - }
-13
modules/home/profiles/server/default.nix
··· 1 - { lib, config, ... }: 2 - let 3 - cfg = config.py.profiles.server; 4 - in 5 - { 6 - options.py.profiles.server.enable = lib.mkEnableOption "Server Profile"; 7 - config = lib.mkIf cfg.enable { 8 - py.profiles = { 9 - base.enable = lib.mkDefault true; 10 - cli.enable = lib.mkDefault true; 11 - }; 12 - }; 13 - }
-18
modules/home/programs/chromium/default.nix
··· 1 - { 2 - pkgs, 3 - config, 4 - lib, 5 - ... 6 - }: 7 - let 8 - cfg = config.py.programs.chromium; 9 - in 10 - { 11 - options.py.programs.chromium.enable = lib.mkEnableOption "Chromium"; 12 - 13 - config.programs.chromium = lib.mkIf cfg.enable { 14 - enable = true; 15 - package = pkgs.ungoogled-chromium; 16 - dictionaries = [ pkgs.hunspellDictsChromium.en_US ]; 17 - }; 18 - }
-22
modules/home/programs/firefox/default.nix
··· 1 - { config, lib, ... }: 2 - let 3 - cfg = config.py.programs.firefox; 4 - in 5 - { 6 - options.py.programs.firefox = { 7 - enable = lib.mkEnableOption "Firefox configuration"; 8 - }; 9 - config = lib.mkIf cfg.enable { 10 - programs.firefox = { 11 - inherit (cfg) enable; 12 - package = null; 13 - profiles = { 14 - default = { 15 - id = 0; 16 - isDefault = true; 17 - name = "Default"; 18 - }; 19 - }; 20 - }; 21 - }; 22 - }
-44
modules/home/programs/fish/default.nix
··· 1 - { 2 - pkgs, 3 - lib, 4 - config, 5 - ... 6 - }: 7 - let 8 - inherit (lib) mkEnableOption mkIf; 9 - cfg = config.py.programs.fish; 10 - in 11 - { 12 - options.py.programs.fish.enable = mkEnableOption "fish shell"; 13 - config.catppuccin.fish.enable = cfg.enable; 14 - config.programs.fish = mkIf cfg.enable { 15 - enable = true; 16 - shellAliases = { 17 - "lg" = "lazygit"; 18 - "cat" = "bat"; 19 - "gls" = "eza -lah@ --icons --git --git-ignore --no-user"; 20 - "ls" = "eza --icons -a"; 21 - "ll" = "eza --icons -lah@"; 22 - "lt" = "eza --icons --tree -a"; 23 - "dig" = "doggo"; 24 - "nt" = "nixpkgs-track"; 25 - }; 26 - shellInit = '' 27 - set -x GPG_TTY (tty) 28 - set -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket) 29 - gpgconf --launch gpg-agent 30 - ''; 31 - 32 - interactiveShellInit = '' 33 - fzf_configure_bindings --directory=\cf --git_log=\cl --git_status=\cg \ 34 - --history=\cr --variables=\cv --processes=\cp 35 - ''; 36 - 37 - plugins = [ 38 - { 39 - inherit (pkgs.fishPlugins.fzf-fish) src; 40 - name = "fzf-fish"; 41 - } 42 - ]; 43 - }; 44 - }
-16
modules/home/programs/ghostty/default.nix
··· 1 - { lib, config, ... }: 2 - let 3 - cfg = config.py.programs.ghostty; 4 - in 5 - { 6 - options.py.programs.ghostty.enable = lib.mkEnableOption "ghostty"; 7 - config.catppuccin.ghostty.enable = cfg.enable; 8 - config.programs.ghostty = lib.mkIf cfg.enable { 9 - enable = true; 10 - enableFishIntegration = true; 11 - installBatSyntax = true; 12 - enableBashIntegration = true; 13 - enableZshIntegration = false; 14 - settings = import ./settings.nix; 15 - }; 16 - }
-18
modules/home/programs/ghostty/settings.nix
··· 1 - { 2 - font-family = "BlexMono Nerd Font"; 3 - font-family-bold = "BlexMono Nerd Font Bold"; 4 - font-family-italic = "BlexMono Nerd Font Italic"; 5 - font-family-bold-italic = "BlexMono Nerd Font Bold Italic"; 6 - font-size = 14; 7 - font-codepoint-map = "U+E000-U+E00A,U+E0A0-U+E0A3,U+E0B0-U+E0C8,U+E0CA,U+E0CC-U+E0D7,U+E200-U+E2A9,U+E300-U+E3E3,U+E5FA-U+E6B7,U+E700-U+E8EF,U+EA60-U+EC1E,U+ED00-U+F2FF,U+EE00-U+EE0B,U+F300-U+F381,U+F400-U+F533,U+F0001-U+F1AF0=Symbols Nerd Font"; 8 - 9 - cursor-style = "block"; 10 - window-decoration = false; 11 - 12 - clipboard-read = "allow"; 13 - clipboard-write = "allow"; 14 - clipboard-paste-protection = true; 15 - 16 - shell-integration-features = "cursor,sudo,title"; 17 - auto-update = "off"; 18 - }
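--- a/modules/home/programs/git/default.nix
+++ b/modules/home/programs/git/default.nix
@@ -1,128 +0,0 @@
-{
-pkgs,
-lib,
-config,
-...
-}:
-let
-cfg = config.py.programs.git;
-in
-{
-options.py.programs.git = {
-enable = lib.mkEnableOption "git configuration";
-lazygit.enable = lib.mkEnableOption "lazygit configuration";
-gh.enable = lib.mkEnableOption "gh configuration";
-};
-config = {
-catppuccin = {
-lazygit.enable = cfg.lazygit.enable;
-};
-programs = {
-git = lib.mkIf cfg.enable {
-enable = true;
-package = pkgs.py.customGit;
-aliases = {
-a = "add -p";
-co = "checkout";
-cob = "checkout -b";
-f = "fetch -p";
-c = "commit";
-p = "push";
-ba = "branch -a";
-bd = "branch -d";
-bD = "branch -D";
-d = "diff";
-dc = "diff --cached";
-ds = "diff --staged";
-r = "restore";
-rs = "restore --staged";
-st = "status -sb";
-# reset
-soft = "reset --soft";
-hard = "reset --hard";
-s1ft = "soft HEAD~1";
-h1rd = "hard HEAD~1";
-# logging
-lg = "log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";
-plog = "log --graph --pretty='format:%C(red)%d%C(reset) %C(yellow)%h%C(reset) %ar %C(green)%aN%C(reset) %s'";
-tlog = "log --stat --since='1 Day Ago' --graph --pretty=oneline --abbrev-commit --date=relative";
-rank = "shortlog -sn --no-merges";
-# delete merged branches
-bdm = "!git branch --merged | grep -v '*' | xargs -n 1 git branch -d";
-wt = "worktree";
-};
-delta = {
-enable = true;
-options.line-numbers = true;
-};
-extraConfig = {
-branch.sort = "-committerdate";
-column.ui = "auto";
-core.editor = lib.getExe pkgs.py.nvim;
-"credential \"https://git.pyrox.dev\"".username = "pyrox";
-credential.helper = "rbw";
-diff = {
-algorithm = "histogram";
-colorMoved = "plain";
-mnemonicPrefix = true;
-renames = true;
-};
-fetch = {
-all = true;
-prune = true;
-pruneTags = true;
-};
-gpg.ssh.allowedSignersFile = "~/.ssh/authorized_signatures";
-init.defaultBranch = "main";
-pull.rebase = false;
-push = {
-autoSetupRemote = true;
-followTags = true;
-};
-rebase.updateRefs = true;
-tag.sort = "version:refname";
-};
-lfs = {
-enable = true;
-skipSmudge = false;
-};
-signing = {
-key = "~/.ssh/main.pub";
-format = "ssh";
-signByDefault = true;
-};
-userEmail = "pyrox@pyrox.dev";
-userName = "dish";
-};
-lazygit = lib.mkIf cfg.lazygit.enable {
-enable = true;
-settings = {
-gui = {
-nerdFontsVersion = "3";
-showRandomTip = false;
-theme.selectedLineBgColor = [ "default" ];
-};
-git.paging = {
-pager = "${lib.getExe pkgs.delta} --dark --paging=never";
-colorArg = "always";
-};
-services = {
-"git.pyrox.dev" = "gitea:git.pyrox.dev";
-"git.dn42.dev" = "gitea:git.dn42.dev";
-"codeberg.org" = "gitea:codeberg.org";
-};
-};
-};
-gh = lib.mkIf cfg.gh.enable {
-enable = true;
-gitCredentialHelper.enable = true;
-settings = {
-editor = lib.getExe pkgs.py.nvim;
-git_protocol = "https";
-browser = lib.mkIf config.py.gui.enable pkgs.firefox;
-prompt = "enabled";
-};
-};
-};
-};
-}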
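--- a/modules/home/programs/gpg/default.nix
+++ b/modules/home/programs/gpg/default.nix
@@ -1,49 +0,0 @@
-{
-pkgs,
-lib,
-config,
-...
-}:
-let
-cfg = config.py.programs.gpg;
-in
-{
-options.py.programs.gpg.enable = lib.mkEnableOption "gpg";
-config.programs.gpg = lib.mkIf cfg.enable {
-enable = true;
-settings = {
-personal-cipher-preferences = "AES256 AES192 AES";
-personal-digest-preferences = "SHA512 SHA384 SHA256";
-personal-compress-preferences = "ZLIB BZIP2 ZIP Uncompressed";
-default-preference-list = "SHA512 SHA384 SHA256 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed";
-cert-digest-algo = "SHA512";
-s2k-digest-algo = "SHA512";
-s2k-cipher-algo = "AES256";
-charset = "utf-8";
-fixed-list-mode = true;
-no-comments = true;
-no-emit-version = true;
-no-greeting = true;
-keyid-format = "0xlong";
-list-options = "show-uid-validity";
-verify-options = "show-uid-validity";
-with-fingerprint = true;
-with-key-origin = true;
-require-cross-certification = true;
-no-symkey-cache = true;
-use-agent = true;
-throw-keyids = true;
-default-key = "0xFE1D8A7D620C611F";
-trusted-key = "0xFE1D8A7D620C611F";
-keyserver = "hkps://keys.openpgp.org";
-};
-scdaemonSettings = {
-card-timeout = "60";
-pcsc-shared = true;
-# shared-access = true;
-disable-ccid = true;
-pcsc-driver = "${pkgs.pcsclite.out}/lib/libpcsclite.so";
-reader-port = "Yubico Yubi";
-};
-};
-}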
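--- a/modules/home/programs/helix/default.nix
+++ b/modules/home/programs/helix/default.nix
@@ -1,15 +0,0 @@
-{ config, lib, ... }:
-let
-cfg = config.py.programs.helix;
-in
-{
-options.py.programs.helix.enable = lib.mkEnableOption "helix editor";
-config.catppuccin.helix = {
-enable = cfg.enable;
-useItalics = cfg.enable;
-};
-config.programs.helix = lib.mkIf cfg.enable {
-enable = true;
-settings = import ./settings.nix;
-};
-}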
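--- a/modules/home/programs/helix/settings.nix
+++ b/modules/home/programs/helix/settings.nix
@@ -1,25 +0,0 @@
-{
-editor = {
-line-number = "absolute";
-mouse = false;
-auto-save = true;
-true-color = true;
-bufferline = "multiple";
-cursor-shape = {
-normal = "block";
-insert = "bar";
-select = "underline";
-};
-lsp = {
-display-messages = true;
-auto-signature-help = true;
-display-signature-help-docs = true;
-};
-whitespace.render = {
-space = "none";
-tab = "all";
-newline = "all";
-};
-indent-guides.render = true;
-};
-}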
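--- a/modules/home/programs/kitty/default.nix
+++ b/modules/home/programs/kitty/default.nix
@@ -1,14 +0,0 @@
-{ lib, config, ... }:
-let
-cfg = config.py.programs.kitty;
-in
-{
-options.py.programs.kitty.enable = lib.mkEnableOption "kitty";
-config.catppuccin.kitty.enable = cfg.enable;
-config.programs.kitty = lib.mkIf cfg.enable {
-enable = true;
-font.name = "BlexMono Nerd Font";
-font.size = 14;
-settings = import ./settings.nix;
-};
-}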
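--- a/modules/home/programs/kitty/settings.nix
+++ b/modules/home/programs/kitty/settings.nix
@@ -1,41 +0,0 @@
-{
-# Font settings
-bold_font = "BlexMono Nerd Font Bold";
-italic_font = "BlexMono Nerd Font Italic";
-bold_italic_font = "BlexMono Nerd Font Bold Italic";
-# Cursor Settings
-scrollback_lines = 10000;
-wheel_scroll_multiplier = 3;
-touch_scroll_multiplier = 2;
-scrollback_pager = "page";
-cursor_shape = "block";
-# Mouse settings
-mouse_hide_wait = "0.5";
-open_url_with = "default";
-strip_trailing_spaces = "smart";
-focus_follows_mouse = true;
-# Perf settings
-repaint_delay = 16;
-sync_to_monitor = true;
-# Terminal Bell settings
-enable_audio_bell = false;
-# Window settings
-hide_window_decorations = true;
-# Tab Bar settings
-tab_bar_edge = "bottom";
-tab_bar_margin_width = 0;
-tab_bar_margin_height = "0 0";
-tab_bar_style = "powerline";
-tab_bar_min_tabs = 2;
-
-shell = "fish";
-editor = "nvim";
-allow_remote_control = "socket-only";
-listen_on = "unix:/tmp/mykitty";
-update_check_interval = 0;
-allow_hyperlinks = true;
-shell_integration = "no-cursor";
-term = "xterm-kitty";
-remember_window_size = "no";
-linux_display_server = "wayland";
-}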
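--- a/modules/home/programs/misc-programs/default.nix
+++ b/modules/home/programs/misc-programs/default.nix
@@ -1,78 +0,0 @@
-{
-config,
-lib,
-pkgs,
-...
-}:
-let
-cfg = config.py.programs;
-inherit (lib) mkEnableOption mkIf;
-in
-{
-options.py.programs = {
-bat.enable = mkEnableOption "bat";
-direnv.enable = mkEnableOption "direnv";
-fzf.enable = mkEnableOption "fzf";
-nix-index.enable = mkEnableOption "nix-index";
-obs.enable = mkEnableOption "OBS Studio";
-pandoc.enable = mkEnableOption "pandoc";
-wakatime.enable = mkEnableOption "wakatime";
-zoxide.enable = mkEnableOption "zoxide";
-};
-config = {
-catppuccin = {
-bat.enable = cfg.bat.enable;
-fzf.enable = cfg.fzf.enable;
-obs.enable = cfg.obs.enable;
-};
-programs = {
-bat = mkIf cfg.bat.enable {
-enable = true;
-};
-direnv = mkIf cfg.direnv.enable {
-enable = true;
-enableBashIntegration = true;
-enableNushellIntegration = true;
-enableZshIntegration = true;
-nix-direnv.enable = true;
-stdlib = builtins.readFile ./direnv-stdlib.sh;
-};
-fzf = mkIf cfg.fzf.enable {
-enable = true;
-enableBashIntegration = true;
-enableZshIntegration = true;
-};
-nix-index = mkIf cfg.nix-index.enable {
-enable = true;
-enableBashIntegration = true;
-enableFishIntegration = true;
-enableZshIntegration = true;
-};
-obs-studio = mkIf cfg.obs.enable {
-enable = true;
-plugins = with pkgs.obs-studio-plugins; [
-obs-text-pthread
-obs-backgroundremoval
-input-overlay
-obs-tuna
-obs-pipewire-audio-capture
-obs-vkcapture
-wlrobs
-];
-};
-pandoc = mkIf cfg.pandoc.enable { enable = true; };
-zoxide = mkIf cfg.zoxide.enable {
-enable = true;
-enableBashIntegration = true;
-enableFishIntegration = true;
-enableZshIntegration = true;
-};
-};
-home = {
-packages = mkIf cfg.wakatime.enable [ pkgs.wakatime ];
-sessionVariables = {
-WAKATIME_HOME = "${config.xdg.configHome}/wakatime";
-};
-};
-};
-}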
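--- a/modules/home/programs/misc-programs/direnv-stdlib.sh
+++ b/modules/home/programs/misc-programs/direnv-stdlib.sh
@@ -1,26 +0,0 @@
-layout_poetry() {
-PYPROJECT_TOML="\$\{PYPROJECT_TOML:-pyproject.toml}"
-if [[ ! -f "$PYPROJECT_TOML" ]]; then
-log_status "No pyproject.toml found. Executing \`poetry init\` to create a \`$PYPROJECT_TOML\` first."
-poetry init
-fi
-
-if [[ -d ".venv" ]]; then
-VIRTUAL_ENV="$(pwd)/.venv"
-else
-VIRTUAL_ENV=$(
-poetry env info --path 2>/dev/null
-true
-)
-fi
-
-if [[ -z $VIRTUAL_ENV || ! -d $VIRTUAL_ENV ]]; then
-log_status "No virtual environment exists. Executing \`poetry install\` to create one."
-poetry install
-VIRTUAL_ENV=$(poetry env info --path)
-fi
-
-PATH_add "$VIRTUAL_ENV/bin"
-export POETRY_ACTIVE=1
-export VIRTUAL_ENV
-}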
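--- a/modules/home/programs/neovim/default.nix
+++ b/modules/home/programs/neovim/default.nix
@@ -1,37 +0,0 @@
-{
-pkgs,
-config,
-lib,
-...
-}:
-let
-cfg = config.py.programs.neovim;
-in
-{
-options.py.programs.neovim.enable = lib.mkEnableOption "Neovim Configuration";
-
-config.programs.neovim = lib.mkIf cfg.enable {
-enable = true;
-package = pkgs.py.nvim;
-viAlias = true;
-vimAlias = true;
-vimdiffAlias = true;
-withRuby = false;
-withNodeJs = false;
-withPython3 = false;
-extraPackages =
-[
-pkgs.bottom
-pkgs.fd
-pkgs.gcc
-pkgs.go
-pkgs.nodejs
-]
-++ lib.optionals config.py.profiles.gui.enable [
-pkgs.ffmpegthumbnailer
-pkgs.fontpreview
-pkgs.poppler
-pkgs.ueberzug
-];
-};
-}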
-369
modules/home/programs/nushell/config.nu
··· 1 - source ~/.zoxide.nu 2 - source ~/.cache/starship/init.nu 3 - 4 - source /home/thehedgehog/.cache/starship/init.nu 5 - 6 - let-env config = ($env | default {} config).config 7 - let-env config = ($env.config | default {} hooks) 8 - let-env config = ($env.config | update hooks ($env.config.hooks | default [] pre_prompt)) 9 - let-env config = ($env.config | update hooks.pre_prompt ($env.config.hooks.pre_prompt | append { 10 - code: " 11 - let direnv = (direnv export json | from json) 12 - let direnv = if ($direnv | length) == 1 { $direnv } else { {} } 13 - $direnv | load-env 14 - " 15 - })) 16 - 17 - let-env config = { 18 - ls: { 19 - use_ls_colors: true # use the LS_COLORS environment variable to colorize output 20 - clickable_links: true # enable or disable clickable links. Your terminal has to support links. 21 - } 22 - rm: { 23 - always_trash: false # always act as if -t was given. Can be overridden with -p 24 - } 25 - cd: { 26 - abbreviations: false # allows `cd s/o/f` to expand to `cd some/other/folder` 27 - } 28 - table: { 29 - mode: rounded # basic, compact, compact_double, light, thin, with_love, rounded, reinforced, heavy, none, other 30 - index_mode: always # "always" show indexes, "never" show indexes, "auto" = show indexes when a table has "index" column 31 - trim: { 32 - methodology: wrapping # wrapping or truncating 33 - wrapping_try_keep_words: true # A strategy used by the 'wrapping' methodology 34 - truncating_suffix: "..." 
# A suffix used by the 'truncating' methodology 35 - } 36 - } 37 - 38 - explore: { 39 - help_banner: true 40 - exit_esc: true 41 - 42 - command_bar_text: '#C4C9C6' 43 - # command_bar: {fg: '#C4C9C6' bg: '#223311' } 44 - 45 - status_bar_background: {fg: '#1D1F21' bg: '#C4C9C6' } 46 - # status_bar_text: {fg: '#C4C9C6' bg: '#223311' } 47 - 48 - highlight: {bg: 'yellow' fg: 'black' } 49 - 50 - status: { 51 - # warn: {bg: 'yellow', fg: 'blue'} 52 - # error: {bg: 'yellow', fg: 'blue'} 53 - # info: {bg: 'yellow', fg: 'blue'} 54 - } 55 - 56 - try: { 57 - # border_color: 'red' 58 - # highlighted_color: 'blue' 59 - 60 - # reactive: false 61 - } 62 - 63 - table: { 64 - split_line: '#404040' 65 - 66 - cursor: true 67 - 68 - line_index: true 69 - line_shift: true 70 - line_head_top: true 71 - line_head_bottom: true 72 - 73 - show_head: true 74 - show_index: true 75 - 76 - # selected_cell: {fg: 'white', bg: '#777777'} 77 - # selected_row: {fg: 'yellow', bg: '#C1C2A3'} 78 - # selected_column: blue 79 - 80 - # padding_column_right: 2 81 - # padding_column_left: 2 82 - 83 - # padding_index_left: 2 84 - # padding_index_right: 1 85 - } 86 - 87 - config: { 88 - cursor_color: {bg: 'yellow' fg: 'black' } 89 - 90 - # border_color: white 91 - # list_color: green 92 - } 93 - } 94 - 95 - history: { 96 - max_size: 10000 # Session has to be reloaded for this to take effect 97 - sync_on_enter: true # Enable to share history between multiple sessions, else you have to close the session to write history to file 98 - file_format: "plaintext" # "sqlite" or "plaintext" 99 - } 100 - completions: { 101 - case_sensitive: false # set to true to enable case-sensitive completions 102 - quick: true # set this to false to prevent auto-selecting completions when only one remains 103 - partial: true # set this to false to prevent partial filling of the prompt 104 - algorithm: "prefix" # prefix or fuzzy 105 - external: { 106 - enable: true # set to false to prevent nushell looking into $env.PATH to find more 
suggestions, `false` recommended for WSL users as this look up my be very slow 107 - max_results: 100 # setting it lower can improve completion performance at the cost of omitting some options 108 - completer: null # check 'carapace_completer' above as an example 109 - } 110 - } 111 - filesize: { 112 - metric: true # true => KB, MB, GB (ISO standard), false => KiB, MiB, GiB (Windows standard) 113 - format: "auto" # b, kb, kib, mb, mib, gb, gib, tb, tib, pb, pib, eb, eib, zb, zib, auto 114 - } 115 - cursor_shape: { 116 - emacs: line # block, underscore, line (line is the default) 117 - vi_insert: block # block, underscore, line (block is the default) 118 - vi_normal: underscore # block, underscore, line (underscore is the default) 119 - } 120 - color_config: $dark_theme # if you want a light theme, replace `$dark_theme` to `$light_theme` 121 - use_grid_icons: true 122 - footer_mode: "25" # always, never, number_of_rows, auto 123 - float_precision: 2 # the precision for displaying floats in tables 124 - # buffer_editor: "emacs" # command that will be used to edit the current line buffer with ctrl+o, if unset fallback to $env.EDITOR and $env.VISUAL 125 - use_ansi_coloring: true 126 - edit_mode: emacs # emacs, vi 127 - shell_integration: true # enables terminal markers and a workaround to arrow keys stop working issue 128 - # true or false to enable or disable the welcome banner at startup 129 - show_banner: true 130 - render_right_prompt_on_last_line: false # true or false to enable or disable right prompt to be rendered on last line of the prompt. 
131 - 132 - hooks: { 133 - pre_prompt: [{ 134 - null # replace with source code to run before the prompt is shown 135 - }] 136 - pre_execution: [{ 137 - null # replace with source code to run before the repl input is run 138 - }] 139 - env_change: { 140 - PWD: [{|before, after| 141 - null # replace with source code to run if the PWD environment is different since the last repl input 142 - }] 143 - } 144 - display_output: { 145 - if (term size).columns >= 100 { table -e } else { table } 146 - } 147 - } 148 - menus: [ 149 - # Configuration for default nushell menus 150 - # Note the lack of source parameter 151 - { 152 - name: completion_menu 153 - only_buffer_difference: false 154 - marker: "| " 155 - type: { 156 - layout: columnar 157 - columns: 4 158 - col_width: 20 # Optional value. If missing all the screen width is used to calculate column width 159 - col_padding: 2 160 - } 161 - style: { 162 - text: green 163 - selected_text: green_reverse 164 - description_text: yellow 165 - } 166 - } 167 - { 168 - name: history_menu 169 - only_buffer_difference: true 170 - marker: "? " 171 - type: { 172 - layout: list 173 - page_size: 10 174 - } 175 - style: { 176 - text: green 177 - selected_text: green_reverse 178 - description_text: yellow 179 - } 180 - } 181 - { 182 - name: help_menu 183 - only_buffer_difference: true 184 - marker: "? " 185 - type: { 186 - layout: description 187 - columns: 4 188 - col_width: 20 # Optional value. 
If missing all the screen width is used to calculate column width 189 - col_padding: 2 190 - selection_rows: 4 191 - description_rows: 10 192 - } 193 - style: { 194 - text: green 195 - selected_text: green_reverse 196 - description_text: yellow 197 - } 198 - } 199 - # Example of extra menus created using a nushell source 200 - # Use the source field to create a list of records that populates 201 - # the menu 202 - { 203 - name: commands_menu 204 - only_buffer_difference: false 205 - marker: "# " 206 - type: { 207 - layout: columnar 208 - columns: 4 209 - col_width: 20 210 - col_padding: 2 211 - } 212 - style: { 213 - text: green 214 - selected_text: green_reverse 215 - description_text: yellow 216 - } 217 - source: { |buffer, position| 218 - $nu.scope.commands 219 - | where name =~ $buffer 220 - | each { |it| {value: $it.name description: $it.usage} } 221 - } 222 - } 223 - { 224 - name: vars_menu 225 - only_buffer_difference: true 226 - marker: "# " 227 - type: { 228 - layout: list 229 - page_size: 10 230 - } 231 - style: { 232 - text: green 233 - selected_text: green_reverse 234 - description_text: yellow 235 - } 236 - source: { |buffer, position| 237 - $nu.scope.vars 238 - | where name =~ $buffer 239 - | sort-by name 240 - | each { |it| {value: $it.name description: $it.type} } 241 - } 242 - } 243 - { 244 - name: commands_with_description 245 - only_buffer_difference: true 246 - marker: "# " 247 - type: { 248 - layout: description 249 - columns: 4 250 - col_width: 20 251 - col_padding: 2 252 - selection_rows: 4 253 - description_rows: 10 254 - } 255 - style: { 256 - text: green 257 - selected_text: green_reverse 258 - description_text: yellow 259 - } 260 - source: { |buffer, position| 261 - $nu.scope.commands 262 - | where name =~ $buffer 263 - | each { |it| {value: $it.name description: $it.usage} } 264 - } 265 - } 266 - ] 267 - keybindings: [ 268 - { 269 - name: completion_menu 270 - modifier: none 271 - keycode: tab 272 - mode: [emacs vi_normal vi_insert] 273 
- event: { 274 - until: [ 275 - { send: menu name: completion_menu } 276 - { send: menunext } 277 - ] 278 - } 279 - } 280 - { 281 - name: completion_previous 282 - modifier: shift 283 - keycode: backtab 284 - mode: [emacs, vi_normal, vi_insert] # Note: You can add the same keybinding to all modes by using a list 285 - event: { send: menuprevious } 286 - } 287 - { 288 - name: history_menu 289 - modifier: control 290 - keycode: char_r 291 - mode: emacs 292 - event: { send: menu name: history_menu } 293 - } 294 - { 295 - name: next_page 296 - modifier: control 297 - keycode: char_x 298 - mode: emacs 299 - event: { send: menupagenext } 300 - } 301 - { 302 - name: undo_or_previous_page 303 - modifier: control 304 - keycode: char_z 305 - mode: emacs 306 - event: { 307 - until: [ 308 - { send: menupageprevious } 309 - { edit: undo } 310 - ] 311 - } 312 - } 313 - { 314 - name: yank 315 - modifier: control 316 - keycode: char_y 317 - mode: emacs 318 - event: { 319 - until: [ 320 - {edit: pastecutbufferafter} 321 - ] 322 - } 323 - } 324 - { 325 - name: unix-line-discard 326 - modifier: control 327 - keycode: char_u 328 - mode: [emacs, vi_normal, vi_insert] 329 - event: { 330 - until: [ 331 - {edit: cutfromlinestart} 332 - ] 333 - } 334 - } 335 - { 336 - name: kill-line 337 - modifier: control 338 - keycode: char_k 339 - mode: [emacs, vi_normal, vi_insert] 340 - event: { 341 - until: [ 342 - {edit: cuttolineend} 343 - ] 344 - } 345 - } 346 - # Keybindings used to trigger the user defined menus 347 - { 348 - name: commands_menu 349 - modifier: control 350 - keycode: char_t 351 - mode: [emacs, vi_normal, vi_insert] 352 - event: { send: menu name: commands_menu } 353 - } 354 - { 355 - name: vars_menu 356 - modifier: alt 357 - keycode: char_o 358 - mode: [emacs, vi_normal, vi_insert] 359 - event: { send: menu name: vars_menu } 360 - } 361 - { 362 - name: commands_with_description 363 - modifier: control 364 - keycode: char_s 365 - mode: [emacs, vi_normal, vi_insert] 366 - event: 
{ send: menu name: commands_with_description } 367 - } 368 - ] 369 - }
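--- a/modules/home/programs/nushell/default.nix
+++ b/modules/home/programs/nushell/default.nix
@@ -1,12 +0,0 @@
-{ config, lib, ... }:
-let
-cfg = config.py.programs.nushell;
-in
-{
-options.py.programs.nushell.enable = lib.mkEnableOption "Nushell";
-config.programs.nushell = lib.mkIf cfg.enable {
-enable = true;
-configFile.source = ./config.nu;
-envFile.source = ./env.nu;
-};
-}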
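--- a/modules/home/programs/nushell/env.nu
+++ b/modules/home/programs/nushell/env.nu
@@ -1,9 +0,0 @@
-zoxide init nushell --hook prompt | save ~/.zoxide.nu
-mkdir ~/.cache/starship
-starship init nu | save ~/.cache/starship/init.nu
-
-let starship_cache = "/home/thehedgehog/.cache/starship"
-if not ($starship_cache | path exists) {
-mkdir $starship_cache
-}
-/etc/profiles/per-user/thehedgehog/bin/starship init nu | save --force /home/thehedgehog/.cache/starship/init.nu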
-1
modules/home/programs/ssh/backup.pub
··· 1 - ssh-rsa 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 993390@993390-student-FVFD26HVJ1WK
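--- a/modules/home/programs/ssh/default.nix
+++ b/modules/home/programs/ssh/default.nix
@@ -1,45 +0,0 @@
-{ lib, config, ... }:
-let
-cfg = config.py.programs.ssh;
-in
-{
-options.py.programs.ssh.enable = lib.mkEnableOption "ssh";
-config = lib.mkIf cfg.enable {
-programs.ssh = {
-enable = true;
-compression = true;
-matchBlocks = {
-"marvin" = {
-hostname = "100.123.15.72";
-user = "thehedgehog";
-port = 22;
-extraOptions = {
-"IdentitiesOnly" = "no";
-"PreferredAuthentications" = "publickey";
-};
-};
-"prefect" = {
-hostname = "100.93.63.54";
-user = "thehedgehog";
-port = 22;
-extraOptions = {
-"IdentitiesOnly" = "no";
-"PreferredAuthentications" = "publickey";
-};
-};
-"botw" = {
-hostname = "bandit.labs.overthewire.org";
-port = 2220;
-sendEnv = [
-"WECHALLUSER"
-"WECHALLTOKEN"
-];
-};
-};
-extraOptionOverrides = {
-"Match" = ''host * exec "gpg-connect-agent UPDATESTARTUPTTY /bye"'';
-};
-};
-home.file.".ssh/authorized_signatures".text = import ./ssh-auth-signers.nix;
-};
-}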
-7
modules/home/programs/ssh/ssh-auth-signers.nix
··· 1 - '' 2 - hedgehog@mrhedgehog.xyz ssh-rsa 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 3 - hedgehog@mrhedgehog.xyz ssh-rsa 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 4 - me@thehedgehog.me ssh-rsa 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 5 - me@thehedgehog.me ssh-rsa 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 6 - me@thehedgehog.me ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK97n2SgV/U1mLzxcaEDl85iF5D3jm7xboZ+S01+CbM/8zxVoWyjVHCqTwDcrLwP0c5Z51BNj7U0UkGIgR4zTSM= 7 - ''
-1
modules/home/programs/ssh/yubikey-back.pub
··· 1 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTVGi3PItsbUhFgnFZlqo1iUggL4npMg94+9FsyhEPfShcQwJK2/jJzjv5S9KPuk3cY7aoqyVFLbnasSBZPXmscJmOiVNvtWvHoC3QPXvf3IAcVZ5KOLpY2NJlPx/pAb31C6ewtg8v3VlyhL4zEp6M+AGwXX51tFDh2GnYD+7SNF+aMhKCrX63syAhgPy3F8mZ2RIDLAu+lsYlwdpWRkSEv9kcjX/6+3QgUWjfPBaKEeYID22ihSuj7+AiuAt0gM4q0TY/Hpcx+qDLonrIuBnm1hMZDgbv//D0sHIUxJQkGTKTEbkZxoh0Qri7UV/V6l3mETaG40deuemMU7RFY7Khl8RajNZ+9z0FdquS/HCt8+fYQk6eLneJrMIQ1bI4awrtblG3P2Yf2QUu+H3kfCQe44R3WjUugTbNtumVgyQBzl2dzlIVn1pZBeyZy70XCgbaFKkDR8Y/qZiUoZ0afP3vTOXhkn5UBfutTKwUiSGh3S8Ge5YhNgKHWE2eQp1ckEm0IMJV/q5Nsw/yBBXj/kfD8ekz96LQ+gP5JFLq4EaipXI7FM4aZNOBUZU1l/sCEuq7m997nrBucTKqGm7Ho3rq7bgdj4f6GyUJXSMOM1cN61LLrRumZGGTH8WghVL7ligxZyNFcQoudR8jfpf4mrgRxipQOe1A2umvuufMr+l/bw== cardno:15 567 372
-1
modules/home/programs/ssh/yubikey-main.pub
··· 1 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746
-1
modules/home/programs/ssh/yubikey-new.pub
··· 1 - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK97n2SgV/U1mLzxcaEDl85iF5D3jm7xboZ+S01+CbM/8zxVoWyjVHCqTwDcrLwP0c5Z51BNj7U0UkGIgR4zTSM=
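--- a/modules/home/programs/starship/default.nix
+++ b/modules/home/programs/starship/default.nix
@@ -1,15 +0,0 @@
-{ lib, config, ... }:
-let
-cfg = config.py.programs.starship;
-in
-{
-options.py.programs.starship.enable = lib.mkEnableOption "starship";
-config.catppuccin.starship.enable = false;
-config.programs.starship = lib.mkIf cfg.enable {
-enable = true;
-enableFishIntegration = true;
-enableBashIntegration = true;
-enableZshIntegration = true;
-settings = import ./settings.nix { inherit lib; };
-};
-}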
-104
modules/home/programs/starship/settings.nix
··· 1 - { lib }: 2 - { 3 - format = lib.concatStrings [ 4 - "$hostname" 5 - "$directory" 6 - "$python" 7 - "$deno" 8 - "$nodejs" 9 - "$lua" 10 - "$git_branch" 11 - "$git_status" 12 - "$battery" 13 - "$shlvl" 14 - "$character" 15 - ]; 16 - right_format = lib.concatStrings [ "$nix_shell" ]; 17 - 18 - directory = { 19 - read_only = " "; 20 - }; 21 - git_branch = { 22 - symbol = " "; 23 - format = "(\\[[$symbol$branch]($style)\\])"; 24 - }; 25 - git_status = { 26 - format = "(\\[[$all_status$ahead_behind]($style)\\])"; 27 - }; 28 - deno = { 29 - symbol = " "; 30 - format = "(\\[[$symbol($version)]($style)\\])"; 31 - }; 32 - nodejs = { 33 - format = "(\\[[$symbol($version)]($style)\\])"; 34 - detect_files = [ 35 - "package.json" 36 - ".node-version" 37 - ".nvmrc" 38 - "!deno.json" 39 - "!deno.lock" 40 - ]; 41 - }; 42 - lua = { 43 - symbol = " "; 44 - format = "(\\[[$symbol($version)]($style)\\])"; 45 - }; 46 - package = { 47 - symbol = "󰏖 "; 48 - format = "(\\[[$symbol$version]($style)\\])"; 49 - }; 50 - python = { 51 - symbol = " "; 52 - pyenv_version_name = false; 53 - version_format = "v$major.$minor"; 54 - format = "(\\[[$symbol($version)($virtualenv)]($style)\\])"; 55 - }; 56 - shlvl = { 57 - symbol = " "; 58 - format = "(\\[[$symbol$shlvl]($style)\\])"; 59 - }; 60 - nix_shell = { 61 - symbol = " "; 62 - format = "(\\[[$symbol($name)]($style)\\])"; 63 - }; 64 - aws.disabled = true; 65 - conda.disabled = true; 66 - crystal.disabled = true; 67 - dart.disabled = true; 68 - docker_context.disabled = true; 69 - dotnet.disabled = true; 70 - elixir.disabled = true; 71 - elm.disabled = true; 72 - env_var.disabled = true; 73 - erlang.disabled = true; 74 - gcloud.disabled = true; 75 - golang.disabled = true; 76 - helm.disabled = true; 77 - java.disabled = true; 78 - jobs.disabled = true; 79 - julia.disabled = true; 80 - kotlin.disabled = true; 81 - kubernetes.disabled = true; 82 - memory_usage.disabled = true; 83 - hg_branch.disabled = true; 84 - nim.disabled = true; 
85 - ocaml.disabled = true; 86 - openstack.disabled = true; 87 - perl.disabled = true; 88 - php.disabled = true; 89 - purescript.disabled = true; 90 - rlang.disabled = true; 91 - red.disabled = true; 92 - ruby.disabled = true; 93 - rust.disabled = true; 94 - scala.disabled = true; 95 - singularity.disabled = true; 96 - swift.disabled = true; 97 - terraform.disabled = true; 98 - time.disabled = true; 99 - username.disabled = true; 100 - vagrant.disabled = true; 101 - vlang.disabled = true; 102 - vcsh.disabled = true; 103 - zig.disabled = true; 104 - }
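--- a/modules/home/programs/vscodium/default.nix
+++ b/modules/home/programs/vscodium/default.nix
@@ -1,54 +0,0 @@
-{
-pkgs,
-lib,
-config,
-...
-}:
-let
-cfg = config.py.programs.vscodium;
-in
-{
-options.py.programs.vscodium.enable = lib.mkEnableOption "VSCodium";
-config.programs.vscode = lib.mkIf cfg.enable {
-enable = true;
-package = pkgs.vscode;
-profiles.default.userSettings = {
-"biome.lspBin" = "";
-"breadcrumbs.enabled" = false;
-"editor.formatOnPaste" = true;
-"editor.formatOnSave" = true;
-"editor.formatOnSaveMode" = "file";
-"editor.formatOnType" = true;
-"editor.fontSize" = 15;
-"editor.fontFamily" = "'IBM Plex Mono', 'monospace', monospace";
-"editor.minimap.enabled" = false;
-"explorer.confirmDelete" = false;
-"explorer.confirmDragAndDrop" = false;
-"extensions.autoCheckUpdates" = false;
-"extensions.autoUpdate" = false;
-"extensions.closeExtensionDetailsOnViewChange" = true;
-"extensions.ignoreRecommendations" = true;
-"npm.keybindingsChangedWarningShown" = true;
-"ruff.nativeServer" = true;
-"ruff.showNotifications" = "onError";
-"nix.enableLanguageServer" = true;
-"nix.serverPath" = lib.getExe pkgs.nixd;
-"[nix]" = {
-"editor.defaultFormatter" = "brettm12345.nixfmt-vscode";
-};
-"python.analysis.autoImportCompletions" = true;
-"python.analysis.autoSearchPaths" = true;
-"python.analysis.completeFunctionParens" = true;
-"python.experiments.enabled" = false;
-"python.languageServer" = "Pylance";
-"telemetry.telemetryLevel" = "off";
-"terminal.external.linuxExec" = "ghostty";
-"update.mode" = "none";
-"update.showReleaseNotes" = false;
-"workbench.colorTheme" = "Catppuccin Mocha";
-"workbench.iconTheme" = "catppuccin-mocha";
-"vscode-neovim.neovimExecutablePaths.linux" = lib.getExe pkgs.py.nvim;
-"python.formatting.provider" = "black";
-};
-};
-}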
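--- a/modules/home/programs/wlogout/default.nix
+++ b/modules/home/programs/wlogout/default.nix
@@ -1,55 +0,0 @@
-{
-pkgs,
-config,
-lib,
-...
-}:
-let
-cfg = config.py.programs.wlogout;
-pkg = config.programs.wlogout.package;
-in
-{
-options.py.programs.wlogout.enable = lib.mkEnableOption "wlogout";
-config.programs.wlogout = lib.mkIf cfg.enable {
-enable = true;
-style = import ./style.nix { inherit pkg; };
-layout = [
-{
-label = "hibernate";
-action = "systemctl hibernate";
-text = "Hibernate";
-keybind = "h";
-}
-{
-label = "reboot";
-action = "systemctl reboot";
-text = "Reboot";
-keybind = "r";
-}
-{
-label = "suspend";
-action = "systemctl suspend";
-text = "Suspend";
-keybind = "u";
-}
-{
-label = "suspend-then-hibernate";
-action = "systemctl suspend-then-hibernate";
-text = "Supend then Hibernate";
-keybind = "p";
-}
-{
-label = "lock";
-action = "${pkgs.swaylock-effects}/bin/swaylock";
-text = "Lock";
-keybind = "l";
-}
-{
-label = "shutdown";
-action = "systemctl poweroff";
-text = "Shutdown";
-keybind = "s";
-}
-];
-};
-}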
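--- a/modules/home/programs/wlogout/style.nix
+++ b/modules/home/programs/wlogout/style.nix
@@ -1,52 +0,0 @@
-{ pkg, ... }:
-let
-icon-path = "${pkg}/share/wlogout/icons";
-in
-''
-* {
-background-image: none;
-}
-window {
-background-image: image(url("/home/thehedgehog/bgs/ctp-waves.png"), url("/home/thehedgehog/bgs/ctp-waves.png"));
-background-size: cover;
-}
-button {
-color: #cdd6f4;
-background-color: #11111b;
-border: none;
-border-color: #6c7086;
-background-repeat: no-repeat;
-background-position: center;
-background-size: 25%;
-}
-
-button:focus, button:active, button:hover {
-background-color: #1e1e2e;
-outline-style: none;
-border:none;
-}
-
-#lock {
-background-image: image(url("${icon-path}/lock.png"), url("${icon-path}/lock.png"));
-}
-
-#suspend-then-hibernate {
-background-image: image(url("${icon-path}/suspend.png"), url("${icon-path}/suspend.png"));
-}
-
-#suspend {
-background-image: image(url("${icon-path}/suspend.png"), url("${icon-path}/suspend.png"));
-}
-
-#hibernate {
-background-image: image(url("${icon-path}/hibernate.png"), url("${icon-path}/hibernate.png"));
-}
-
-#shutdown {
-background-image: image(url("${icon-path}/shutdown.png"), url("${icon-path}/shutdown.png"));
-}
-
-#reboot {
-background-image: image(url("${icon-path}/reboot.png"), url("${icon-path}/reboot.png"));
-}
-''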
-34
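--- a/modules/home/programs/zed-editor/default.nix
+++ b/modules/home/programs/zed-editor/default.nix
@@ -1,34 +0,0 @@
-{
-pkgs,
-lib,
-config,
-...
-}:
-let
-cfg = config.py.programs.zed-editor;
-in
-{
-options.py.programs.zed-editor.enable = lib.mkEnableOption "Zed Editor";
-config.programs.zed-editor = lib.mkIf cfg.enable {
-enable = true;
-package = pkgs.zed-editor.fhsWithPackages (pkgs: [
-pkgs.zlib
-pkgs.openssl
-]);
-userSettings = import ./settings.nix;
-extensions = [
-"catppuccin"
-"catppuccin-icons"
-"git-firefly"
-"nix"
-"ruff"
-"fish"
-"just"
-"discord-presence"
-"wakatime"
-"mermaid"
-"caddyfile"
-"vento"
-];
-};
-}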
-110
modules/home/programs/zed-editor/settings.nix
··· 1 - { 2 - auto_update = false; 3 - buffer_font_family = "BlexMono Nerd Font"; 4 - buffer_font_size = 15; 5 - git_panel.button = true; 6 - load_direnv = "direct"; 7 - lsp.deno.settings.deno.enable = true; 8 - relative_line_numbers = true; 9 - show_edit_predictions = false; 10 - soft_wrap = "none"; 11 - terminal.dock = "bottom"; 12 - theme = "Catppuccin Mocha"; 13 - ui_font_family = "Inter"; 14 - ui_font_size = 15; 15 - vim_mode = true; 16 - wrap_guides = [ 100 ]; 17 - 18 - assistant = { 19 - enabled = false; 20 - button = false; 21 - version = "2"; 22 - }; 23 - 24 - features = { 25 - copilot = false; 26 - edit_prediction_provider = "none"; 27 - }; 28 - 29 - icon_theme = { 30 - mode = "dark"; 31 - dark = "Catppuccin Mocha"; 32 - light = "Catppuccin Mocha"; 33 - }; 34 - 35 - inlay_hints = { 36 - enabled = true; 37 - edit_debounce_ms = 500; 38 - }; 39 - 40 - languages = { 41 - Nix = { 42 - formatter.external = { 43 - command = "nixfmt"; 44 - arguments = [ 45 - "--quiet" 46 - "--filename" 47 - "{buffer_path}" 48 - "--" 49 - ]; 50 - }; 51 - }; 52 - TypeScript = { 53 - enable_language_server = true; 54 - language_servers = [ 55 - "deno" 56 - "!typescript-language-server" 57 - "!vtsls" 58 - "!eslint" 59 - ]; 60 - formatter = "language_server"; 61 - prettier.allowed = false; 62 - }; 63 - Vento = { 64 - enable_language_server = true; 65 - language_servers = [ 66 - "vscode-html-language-server" 67 - "tailwindcss-language-server" 68 - ]; 69 - format_on_save = "on"; 70 - formatter.external = { 71 - command = "deno"; 72 - arguments = [ 73 - "task" 74 - "fmt" 75 - "--stdin" 76 - "{buffer_path}" 77 - ]; 78 - }; 79 - }; 80 - }; 81 - 82 - lsp = { 83 - tailwindcss-language-server = { 84 - settings = { 85 - includeLanguages = { 86 - "vento" = "html"; 87 - "*.vto" = "html"; 88 - }; 89 - experimental = { 90 - classRegex = [ 91 - "class=\"([^\"]*)" 92 - "class={\"([^\"}]*)" 93 - "class=format!({\"([^\"}]*)" 94 - ]; 95 - }; 96 - }; 97 - }; 98 - }; 99 - 100 - tabs = { 101 - file_icons 
= true; 102 - git_status = true; 103 - show_diagnostics = "errors"; 104 - }; 105 - 106 - telemetry = { 107 - metrics = false; 108 - diagnostics = false; 109 - }; 110 - }
-1
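--- a/modules/home/scripts/default.nix
+++ b/modules/home/scripts/default.nix
@@ -1 +0,0 @@
-_: { }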
-24
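--- a/modules/home/services/gpg-agent/default.nix
+++ b/modules/home/services/gpg-agent/default.nix
@@ -1,24 +0,0 @@
-{ lib, config, ... }:
-let
-cfg = config.py.services.gpg-agent;
-in
-{
-options.py.services.gpg-agent.enable = lib.mkEnableOption "gpg-agent";
-config.services.gpg-agent = lib.mkIf cfg.enable {
-enable = true;
-enableExtraSocket = true;
-enableScDaemon = true;
-enableSshSupport = true;
-defaultCacheTtl = 600;
-maxCacheTtl = 600;
-sshKeys = [
-# My Normal GPG Key(Authentication Subkey)
-"485329FEF73C42C6C42879F66C8B971F3FD4A132"
-"CFEFCD08CFE6F0849F32ABC9C5CF3158A2FE1392"
-];
-extraConfig = ''
-ttyname $GPG_TTY
-max-cache-ttl-ssh 600
-'';
-};
-}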
-18
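--- a/modules/home/services/kanshi/default.nix
+++ b/modules/home/services/kanshi/default.nix
@@ -1,18 +0,0 @@
-{ config, lib, ... }:
-let
-cfg = config.py.services.kanshi;
-in
-{
-options.py.services.kanshi = {
-enable = lib.mkEnableOption "kanshi";
-settings = lib.mkOption {
-type = lib.types.listOf lib.types.attrs;
-default = [ ];
-description = "The value of `config.services.kanshi.settings`.";
-};
-};
-config.services.kanshi = lib.mkIf cfg.enable {
-enable = true;
-inherit (cfg) settings;
-};
-}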
-11
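--- a/modules/home/services/kdeconnect/default.nix
+++ b/modules/home/services/kdeconnect/default.nix
@@ -1,11 +0,0 @@
-{ lib, config, ... }:
-let
-cfg = config.py.services.kdeconnect;
-in
-{
-options.py.services.kdeconnect.enable = lib.mkEnableOption "KDEConnect";
-config.services.kdeconnect = lib.mkIf cfg.enable {
-enable = true;
-indicator = true;
-};
-}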
-27
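--- a/modules/home/services/mako/default.nix
+++ b/modules/home/services/mako/default.nix
@@ -1,27 +0,0 @@
-{ lib, config, ... }:
-let
-cfg = config.py.services.mako;
-in
-{
-options.py.services.mako.enable = lib.mkEnableOption "mako";
-# avoid IFD
-config.catppuccin.mako.enable = false;
-config.services.mako = lib.mkIf cfg.enable {
-enable = true;
-actions = true;
-defaultTimeout = 10000;
-font = "IBM Plex Sans 14pt";
-icons = true;
-layer = "overlay";
-
-# Vendored Catppuccin Theme(avoids IFD)
-backgroundColor = "#1e1e2e";
-textColor = "#cdd6f4";
-borderColor = "#89b4fa";
-progressColor = "over #313244";
-extraConfig = ''
-[urgency=high]
-border-color=#fab387
-'';
-};
-}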
-31
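--- a/modules/home/services/swayidle/default.nix
+++ b/modules/home/services/swayidle/default.nix
@@ -1,31 +0,0 @@
-{
-pkgs,
-config,
-lib,
-...
-}:
-let
-cfg = config.py.services.swayidle;
-in
-{
-options.py.services.swayidle.enable = lib.mkEnableOption "swayidle";
-config.services.swayidle = lib.mkIf cfg.enable {
-enable = true;
-events = [
-{
-event = "lock";
-command = "${pkgs.swaylock}/bin/swaylock -C ~/.config/swaylock/config";
-}
-{
-event = "after-resume";
-command = ''swaymsg "output * dpms on"'';
-}
-];
-timeouts = [
-{
-timeout = 180;
-command = "${pkgs.swaylock}/bin/swaylock -C ~/.config/swaylock/config";
-}
-];
-};
-}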
-11
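--- a/modules/home/services/syncthing/default.nix
+++ b/modules/home/services/syncthing/default.nix
@@ -1,11 +0,0 @@
-{ lib, config, ... }:
-let
-cfg = config.py.services.syncthing;
-in
-{
-options.py.services.syncthing.enable = lib.mkEnableOption "Syncthing";
-config.services.syncthing = lib.mkIf cfg.enable {
-enable = true;
-tray.enable = true;
-};
-}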
-44
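--- a/modules/home/theming/default.nix
+++ b/modules/home/theming/default.nix
@@ -1,44 +0,0 @@
-{
-pkgs,
-config,
-lib,
-...
-}:
-let
-pro = config.py.profiles;
-in
-{
-catppuccin = {
-flavor = "mocha";
-accent = "blue";
-};
-home.pointerCursor = lib.mkIf pro.gui.enable {
-package = pkgs.catppuccin-cursors.mochaBlue;
-name = "Catppuccin-Mocha-Blue";
-gtk.enable = true;
-};
-gtk = lib.mkIf pro.gui.enable {
-enable = true;
-theme = {
-name = "Colloid-Dark-Compact-Catppuccin";
-package = pkgs.colloid-gtk-theme.override {
-tweaks = [
-"catppuccin"
-"black"
-];
-colorVariants = [ "dark" ];
-sizeVariants = [ "compact" ];
-themeVariants = [ "default" ];
-};
-};
-font = {
-name = "IBM Plex Mono";
-size = 14;
-};
-gtk3.bookmarks = [ "file:///${config.home.homeDirectory}/Downloads" ];
-iconTheme = {
-package = pkgs.colloid-icon-theme;
-name = "Colloid-Dark";
-};
-};
-}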
-8
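--- a/modules/home/wayland/default.nix
+++ b/modules/home/wayland/default.nix
@@ -1,8 +0,0 @@
-{
-imports = [
-./sway.nix
-./keybindings.nix
-./waybar.nix
-./swaylock.nix
-];
-}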
-45
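--- a/modules/home/wayland/keybindings.nix
+++ b/modules/home/wayland/keybindings.nix
@@ -1,45 +0,0 @@
-{ config, lib, ... }:
-let
-inherit (config.wayland.windowManager.sway.config) menu;
-mod = config.wayland.windowManager.sway.config.modifier;
-term = config.wayland.windowManager.sway.config.terminal;
-grim = "grim -g";
-slurp-screen = "\"$(slurp -c -b '#1e1e2e80' -o -r)\" -";
-slurp-box = "\"$(slurp -c '#f38ba8ff' -b '#1e1e2e80' -w 1 -d -F 'IBM Plex Mono')\" -";
-satty = "satty -f -";
-cfg = config.py.gui;
-in
-{
-config.wayland.windowManager.sway.config.keybindings = lib.mkIf cfg.enable (
-lib.mkOptionDefault {
-"${mod}+d" = "${menu}";
-"${mod}+Shift+F" = "exec MOZ_DISABLE_RDD_SANDBOX=1 firefox";
-"${mod}+Return" = "exec ${term}";
-"${mod}+x" = "exec wlogout";
-"${mod}+s" = null;
-"${mod}+w" = null;
-"XF86MonBrightnessDown" = "exec brightnessctl set 5%-";
-"XF86MonBrightnessUp" = "exec brightnessctl set +5%";
-"XF86AudioRaiseVolume" = "exec wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+";
-"XF86AudioLowerVolume" = "exec wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-";
-"XF86AudioMute" = "exec wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle";
-"XF86AudioMicMute" = "exec wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle";
-"XF86AudioPlay" = "exec playerctl play-pause";
-"XF86AudioNext" = "exec playerctl next";
-"XF86AudioPrev" = "exec playerctl previous";
-"Shift+F3" = "exec ${grim} ${slurp-screen} | ${satty}";
-"Shift+F4" = "exec ${grim} ${slurp-box} | ${satty}";
-"${mod}+Shift+1" = "move container to workspace number 1";
-"${mod}+Shift+2" = "move container to workspace number 2";
-"${mod}+Shift+3" = "move container to workspace number 3";
-"${mod}+Shift+4" = "move container to workspace number 4";
-"${mod}+Shift+5" = "move container to workspace number 5";
-"${mod}+Shift+6" = "move container to workspace number 6";
-"${mod}+Shift+7" = "move container to workspace number 7";
-"${mod}+Shift+8" = "move container to workspace number 8";
-"${mod}+Shift+9" = "move container to workspace number 9";
-"${mod}+Shift+0" = "move container to workspace number 10";
-"${mod}+0" = "workspace number 10";
-}
-);
-}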
-162
modules/home/wayland/sway.nix
··· 1 - { 2 - pkgs, 3 - config, 4 - lib, 5 - ... 6 - }: 7 - let 8 - term = config.wayland.windowManager.sway.config.terminal; 9 - homeDir = config.home.homeDirectory; 10 - cfg = config.py.gui; 11 - in 12 - { 13 - options.py.gui = { 14 - enable = lib.mkEnableOption "GUI Configuration"; 15 - }; 16 - config = lib.mkIf cfg.enable { 17 - catppuccin = { 18 - sway.enable = true; 19 - }; 20 - home.sessionVariables = { 21 - XDG_CURRENT_DESKTOP = "sway"; 22 - }; 23 - wayland.windowManager.sway = { 24 - enable = lib.mkDefault true; 25 - package = null; 26 - # nix-community/home-manager/issues/5311 27 - checkConfig = false; 28 - wrapperFeatures.base = true; 29 - wrapperFeatures.gtk = true; 30 - extraConfig = '' 31 - default_border pixel 32 - focus_on_window_activation smart 33 - ''; 34 - systemd = { 35 - enable = true; 36 - xdgAutostart = true; 37 - }; 38 - config = { 39 - terminal = lib.getExe pkgs.ghostty; 40 - menu = "exec ${term} --class=py.floating --window-height=20 --window-width=12 --font-size=14 -e ${pkgs.sway-launcher-desktop}/bin/sway-launcher-desktop"; 41 - modifier = "Mod4"; 42 - bars = [ { command = "true"; } ]; 43 - focus = { 44 - followMouse = true; 45 - mouseWarping = true; 46 - newWindow = "smart"; 47 - }; 48 - fonts = { 49 - names = [ "IBM Plex Sans" ]; 50 - style = "Regular"; 51 - size = 12.0; 52 - }; 53 - gaps = { 54 - inner = 1; 55 - outer = 1; 56 - smartBorders = "on"; 57 - smartGaps = false; 58 - }; 59 - input = { 60 - "type:keyboard" = { 61 - xkb_options = "caps:escape"; 62 - }; 63 - "type:mouse" = { 64 - accel_profile = "flat"; 65 - }; 66 - "type:touchpad" = { 67 - accel_profile = "adaptive"; 68 - scroll_factor = "1.5"; 69 - tap = "enabled"; 70 - }; 71 - }; 72 - modes = { 73 - resize = { 74 - Escape = "mode default"; 75 - Return = "mode default"; 76 - Up = "resize shrink height 10 px"; 77 - Down = "resize grow height 10 px"; 78 - Left = "resize shrink width 10 px"; 79 - Right = "resize grow width 10 px"; 80 - h = "resize shrink width 10 px"; 81 - j = 
"resize grow height 10 px"; 82 - k = "resize shrink height 10 px"; 83 - l = "resize grow width 10 px"; 84 - }; 85 - }; 86 - output = { 87 - eDP-1 = { 88 - scale = "1.2"; 89 - }; 90 - "*" = { 91 - bg = "${homeDir}/bgs/xenia-hangout-mocha.png fill"; 92 - }; 93 - }; 94 - startup = [ 95 - { command = "${pkgs.dex}/bin/dex -a"; } 96 - { command = "${homeDir}/scripts/unfuck-xdg-portals.fish"; } 97 - { command = "wl-paste -t text --watch clipman store --no-persist"; } 98 - ]; 99 - window = { 100 - commands = [ 101 - { 102 - command = "inhibit_idle fullscreen"; 103 - criteria = { 104 - class = "Chromium|zoom|Firefox"; 105 - }; 106 - } 107 - { 108 - command = "floating enable, sticky enable, resize set 20 ppt 40 ppt, border pixel 4"; 109 - criteria = { 110 - app_id = "^py.floating$"; 111 - }; 112 - } 113 - { 114 - command = "resize set 20 ppt"; 115 - criteria = { 116 - title = "Mumble PTT"; 117 - }; 118 - } 119 - ]; 120 - }; 121 - colors = { 122 - background = "$base"; 123 - focused = { 124 - border = "$pink"; 125 - background = "$base"; 126 - text = "$text"; 127 - indicator = "$rosewater"; 128 - childBorder = "$pink"; 129 - }; 130 - focusedInactive = { 131 - border = "$mauve"; 132 - background = "$base"; 133 - text = "$text"; 134 - indicator = "$rosewater"; 135 - childBorder = "$mauve"; 136 - }; 137 - unfocused = { 138 - border = "$mauve"; 139 - background = "$base"; 140 - text = "$text"; 141 - indicator = "$rosewater"; 142 - childBorder = "$mauve"; 143 - }; 144 - urgent = { 145 - border = "$peach"; 146 - background = "$base"; 147 - text = "$peach"; 148 - indicator = "$overlay0"; 149 - childBorder = "$peach"; 150 - }; 151 - placeholder = { 152 - border = "$overlay0"; 153 - background = "$base"; 154 - text = "$text"; 155 - indicator = "$overlay0"; 156 - childBorder = "$overlay0"; 157 - }; 158 - }; 159 - }; 160 - }; 161 - }; 162 - }
-61
modules/home/wayland/swaylock.nix
··· 1 - { lib, config, ... }: 2 - let 3 - cfg = config.py.gui; 4 - in 5 - { 6 - catppuccin = { 7 - swaylock.enable = false; 8 - }; 9 - programs.swaylock = lib.mkIf cfg.enable { 10 - enable = lib.mkDefault true; 11 - settings = { 12 - daemonize = true; 13 - image = "/home/thehedgehog/bgs/ctp-waves.png"; 14 - scaling = "fill"; 15 - line-uses-ring = true; 16 - ignore-empty-password = true; 17 - clock = true; 18 - timestr = "%T"; 19 - effect-blur = "5x5"; 20 - 21 - font = "IBM Plex Sans"; 22 - font-size = 20; 23 - 24 - indicator = true; 25 - indicator-idle-visible = true; 26 - indicator-radius = 100; 27 - indicator-thickness = 5; 28 - 29 - # Catppuccin Theme(avoid IFD by vendoring it in here) 30 - color = "1e1e2e"; 31 - bs-hl-color = "f5e0dc"; 32 - caps-lock-bs-hl-color = "f5e0dc"; 33 - caps-lock-key-hl-color = "a6e3a1"; 34 - inside-color = "00000000"; 35 - inside-clear-color = "00000000"; 36 - inside-caps-lock-color = "00000000"; 37 - inside-ver-color = "00000000"; 38 - inside-wrong-color = "00000000"; 39 - key-hl-color = "a6e3a1"; 40 - layout-bg-color = "00000000"; 41 - layout-border-color = "00000000"; 42 - layout-text-color = "cdd6f4"; 43 - line-color = "00000000"; 44 - line-clear-color = "00000000"; 45 - line-caps-lock-color = "00000000"; 46 - line-ver-color = "00000000"; 47 - line-wrong-color = "00000000"; 48 - ring-color = "b4befe"; 49 - ring-clear-color = "f5e0dc"; 50 - ring-caps-lock-color = "fab387"; 51 - ring-ver-color = "89b4fa"; 52 - ring-wrong-color = "eba0ac"; 53 - separator-color = "00000000"; 54 - text-color = "cdd6f4"; 55 - text-clear-color = "f5e0dc"; 56 - text-caps-lock-color = "fab387"; 57 - text-ver-color = "89b4fa"; 58 - text-wrong-color = "eba0ac"; 59 - }; 60 - }; 61 - }
-37
modules/home/wayland/waybar-mocha.css
··· 1 - /* 2 - * 3 - * Catppuccin Mocha palette 4 - * Maintainer: rubyowo 5 - * 6 - */ 7 - 8 - @define-color base #1e1e2e; 9 - @define-color mantle #181825; 10 - @define-color crust #11111b; 11 - 12 - @define-color text #cdd6f4; 13 - @define-color subtext0 #a6adc8; 14 - @define-color subtext1 #bac2de; 15 - 16 - @define-color surface0 #313244; 17 - @define-color surface1 #45475a; 18 - @define-color surface2 #585b70; 19 - 20 - @define-color overlay0 #6c7086; 21 - @define-color overlay1 #7f849c; 22 - @define-color overlay2 #9399b2; 23 - 24 - @define-color blue #89b4fa; 25 - @define-color lavender #b4befe; 26 - @define-color sapphire #74c7ec; 27 - @define-color sky #89dceb; 28 - @define-color teal #94e2d5; 29 - @define-color green #a6e3a1; 30 - @define-color yellow #f9e2af; 31 - @define-color peach #fab387; 32 - @define-color maroon #eba0ac; 33 - @define-color red #f38ba8; 34 - @define-color mauve #cba6f7; 35 - @define-color pink #f5c2e7; 36 - @define-color flamingo #f2cdcd; 37 - @define-color rosewater #f5e0dc;
-128
modules/home/wayland/waybar-style.css
··· 1 - @import "mocha.css"; 2 - #waybar { 3 - font-family: 4 - BlexMono Nerd Font, 5 - sans-serif; 6 - font-size: 16px; 7 - } 8 - 9 - #window { 10 - padding: 0 4px; 11 - } 12 - 13 - .modules-center { 14 - padding-right: 20px; 15 - } 16 - 17 - window#waybar { 18 - border: none; 19 - border-radius: 0; 20 - box-shadow: none; 21 - text-shadow: none; 22 - transition-duration: 0s; 23 - color: @text; 24 - background: @base; 25 - } 26 - 27 - #workspaces { 28 - margin: 0 5px; 29 - } 30 - 31 - #workspaces button { 32 - padding: 0 8px; 33 - color: @text; 34 - border-bottom: 2px solid @subtext0; 35 - border-radius: 0px; 36 - min-width: 25px; 37 - margin-right: 8px; 38 - } 39 - 40 - #workspaces button.visible { 41 - color: @subtext0; 42 - } 43 - 44 - #workspaces button.focused { 45 - border-bottom: 3px solid @mauve; 46 - font-weight: bold; 47 - } 48 - 49 - #workspaces button.urgent { 50 - border: 2px solid @red; 51 - } 52 - 53 - #workspaces button:hover { 54 - border-color: @blue; 55 - color: @blue; 56 - } 57 - 58 - /* Repeat style here to ensure properties are overwritten as there's no !important and button:hover above resets the colour */ 59 - 60 - #workspaces button.focused { 61 - color: @subtext0; 62 - } 63 - #workspaces button.focused:hover { 64 - color: @text; 65 - } 66 - 67 - #tray, 68 - #mode, 69 - #battery, 70 - #temperature, 71 - #cpu, 72 - #memory, 73 - #network, 74 - #wireplumber, 75 - #clock, 76 - #idle_inhibitor, 77 - #sway-language, 78 - #backlight { 79 - padding: 2px 8px; 80 - margin: 2px 5px; 81 - color: @text; 82 - } 83 - 84 - #mode:hover, 85 - #battery:hover, 86 - #temperature:hover, 87 - #cpu:hover, 88 - #memory:hover, 89 - #network:hover, 90 - #wireplumber:hover, 91 - #clock:hover, 92 - #idle_inhibitor:hover, 93 - #sway-language:hover, 94 - #backlight:hover { 95 - background-color: @subtext1; 96 - color: @base; 97 - } 98 - 99 - #clock { 100 - font-weight: bold; 101 - } 102 - 103 - #battery.warning { 104 - color: @yellow; 105 - } 106 - 107 - 
#battery.critical { 108 - color: @red; 109 - } 110 - 111 - #battery.charging, 112 - #battery.full { 113 - color: @green; 114 - } 115 - 116 - #battery.warning:hover, 117 - #battery.critical:hover, 118 - #battery.charging:hover, 119 - #battery.full:hover { 120 - color: @base; 121 - } 122 - 123 - @keyframes blink { 124 - to { 125 - background-color: #ffffff; 126 - color: black; 127 - } 128 - }
-171
modules/home/wayland/waybar.nix
··· 1 - { 2 - pkgs, 3 - lib, 4 - config, 5 - ... 6 - }: 7 - let 8 - cfg = config.py.gui; 9 - in 10 - { 11 - config = { 12 - xdg.configFile."waybar/mocha.css" = lib.mkIf cfg.enable { 13 - source = ./waybar-mocha.css; 14 - recursive = false; 15 - }; 16 - catppuccin.waybar.enable = false; 17 - programs.waybar = lib.mkIf cfg.enable { 18 - enable = lib.mkDefault true; 19 - systemd.enable = true; 20 - systemd.target = "sway-session.target"; 21 - style = ./waybar-style.css; 22 - settings = { 23 - mainBar = { 24 - layer = "top"; 25 - position = "top"; 26 - height = 32; 27 - modules-left = [ 28 - "sway/workspaces" 29 - "sway/mode" 30 - ]; 31 - modules-center = [ "mpris" ]; 32 - modules-right = [ 33 - "idle_inhibitor" 34 - "wireplumber" 35 - "network" 36 - "temperature" 37 - "backlight" 38 - "battery" 39 - "clock" 40 - "tray" 41 - ]; 42 - "sway/workspaces" = { 43 - disable-scroll = true; 44 - enable-bar-scroll = false; 45 - active-only = false; 46 - all-outputs = false; 47 - format = "{icon}"; 48 - }; 49 - "idle_inhibitor" = { 50 - format = "{icon} "; 51 - format-icons = { 52 - "activated" = ""; 53 - "deactivated" = ""; 54 - }; 55 - }; 56 - "tray" = { 57 - icon-size = 25; 58 - spacing = 12; 59 - }; 60 - "clock" = { 61 - tooltip-format = "<tt><small>{calendar}</small></tt>"; 62 - format = " {:%H:%M:%S}"; 63 - format-alt = "{%d %b %Y}"; 64 - interval = 1; 65 - calendar = { 66 - format = { 67 - today = "<span color='#89b4fa'><b><u>{}</u></b></span>"; 68 - }; 69 - }; 70 - }; 71 - "cpu" = { 72 - format = " {usage}%"; 73 - interval = 5; 74 - tooltip = false; 75 - }; 76 - "memory" = { 77 - format = " {}%"; 78 - }; 79 - "temperature" = { 80 - critical-threshold = 80; 81 - format = "{icon} {temperatureC}°C"; 82 - format-icons = [ 83 - "" 84 - "" 85 - "" 86 - "" 87 - "" 88 - ]; 89 - }; 90 - "backlight" = { 91 - format = "{icon} {percent}%"; 92 - format-icons = [ 93 - "󰃚" 94 - "󰃛" 95 - "󰃜" 96 - "󰃝" 97 - "󰃞" 98 - "󰃟" 99 - "󰃠" 100 - ]; 101 - }; 102 - "battery" = { 103 - states 
= { 104 - good = 65; 105 - warning = 30; 106 - critical = 15; 107 - }; 108 - full-at = 80; 109 - format = "{icon} {capacity}%"; 110 - format-charging = "󰂄 {capacity}%"; 111 - format-plugged = " {capacity}%"; 112 - format-alt = "{icon} {time}"; 113 - format-icons = [ 114 - "󰂎" 115 - "󰁺" 116 - "󰁻" 117 - "󰁼" 118 - "󰁽" 119 - "󰁾" 120 - "󰁿" 121 - "󰂀" 122 - "󰂁" 123 - "󰂂" 124 - "󰁹" 125 - ]; 126 - }; 127 - "network" = { 128 - format-wifi = "<big></big> {essid}"; 129 - format-ethernet = "󰈀 {ifname}: {ipaddr}/{cidr}"; 130 - format-linked = "󰄡 {ifname} (No IP)"; 131 - format-disconnected = "⚠ Disconnected!"; 132 - format-alt = "{ifname}: {ipaddr}/{cidr}"; 133 - on-click = lib.getExe pkgs.networkmanagerapplet; 134 - }; 135 - "wireplumber" = { 136 - format = "{icon} {volume}%"; 137 - format-muted = "󰝟"; 138 - format-icons = [ 139 - "" 140 - "" 141 - "" 142 - ]; 143 - states = { 144 - low = 15; 145 - med = 40; 146 - high = 60; 147 - }; 148 - scroll-step = 5; 149 - on-click = lib.getExe pkgs.pwvucontrol; 150 - }; 151 - mpris = { 152 - format = "{status_icon} {dynamic}"; 153 - max-length = 100; 154 - format-paused = "{status_icon} <i>{dynamic}</i>"; 155 - dynamic-order = [ 156 - "artist" 157 - "title" 158 - ]; 159 - status-icons = { 160 - playing = ""; 161 - paused = ""; 162 - }; 163 - player-icons = { 164 - firefox = "󰈹"; 165 - }; 166 - }; 167 - }; 168 - }; 169 - }; 170 - }; 171 - }
-127
modules/home/xdg/default.nix
··· 1 - { 2 - config, 3 - lib, 4 - pkgs, 5 - ... 6 - }: 7 - let 8 - homeDir = config.home.homeDirectory; 9 - pro = config.py.profiles; 10 - in 11 - { 12 - xdg = { 13 - enable = true; 14 - mime.enable = lib.mkIf pro.gui.enable true; 15 - configHome = lib.mkForce "${homeDir}/.config"; 16 - dataHome = lib.mkForce "${homeDir}/.local/share"; 17 - portal = lib.mkIf pro.gui.enable { 18 - enable = true; 19 - xdgOpenUsePortal = true; 20 - extraPortals = [ 21 - pkgs.xdg-desktop-portal-gtk 22 - pkgs.xdg-desktop-portal-wlr 23 - ]; 24 - config = { 25 - common = { 26 - default = [ "gtk" ]; 27 - "org.freedesktop.impl.portal.Screenshot" = [ "wlr" ]; 28 - "org.freedesktop.impl.portal.ScreenCast" = [ "wlr" ]; 29 - }; 30 - }; 31 - }; 32 - mimeApps = lib.mkIf pro.gui.enable { 33 - enable = true; 34 - associations.added = { 35 - "application/pdf" = [ "firefox.desktop" ]; 36 - "application/rdf+xml" = [ "firefox.desktop" ]; 37 - "application/rss+xml" = [ "firefox.desktop" ]; 38 - "application/xhtml+xml" = [ "firefox.desktop" ]; 39 - "application/xhtml_xml" = [ "firefox.desktop" ]; 40 - "application/xml" = [ "firefox.desktop" ]; 41 - "image/gif" = [ 42 - "viewnior.desktop" 43 - "firefox.desktop" 44 - ]; 45 - "image/jpeg" = [ 46 - "viewnior.desktop" 47 - "firefox.desktop" 48 - ]; 49 - "image/png" = [ 50 - "viewnior.desktop" 51 - "firefox.desktop" 52 - ]; 53 - "image/webp" = [ 54 - "viewnior.desktop" 55 - "firefox.desktop" 56 - ]; 57 - "text/html" = [ "firefox.desktop" ]; 58 - "text/xml" = [ "firefox.desktop" ]; 59 - "x-scheme-handler/http" = [ "firefox.desktop" ]; 60 - "x-scheme-handler/https" = [ "firefox.desktop" ]; 61 - "x-scheme-handler/about" = [ "firefox.desktop" ]; 62 - "x-scheme-handler/unknown" = [ "firefox.desktop" ]; 63 - "x-scheme-handler/mailto" = [ 64 - "thunderbird.desktop" 65 - "firefox.desktop" 66 - ]; 67 - "x-scheme-handler/webcal" = [ 68 - "firefox.desktop" 69 - "thunderbird.desktop" 70 - ]; 71 - }; 72 - defaultApplications = { 73 - "application/pdf" = [ 
"firefox.desktop" ]; 74 - "application/rdf+xml" = [ "firefox.desktop" ]; 75 - "application/rss+xml" = [ "firefox.desktop" ]; 76 - "application/xhtml+xml" = [ "firefox.desktop" ]; 77 - "application/xhtml_xml" = [ "firefox.desktop" ]; 78 - "application/xml" = [ "firefox.desktop" ]; 79 - "image/gif" = [ 80 - "viewnior.desktop" 81 - "firefox.desktop" 82 - ]; 83 - "image/jpeg" = [ 84 - "viewnior.desktop" 85 - "firefox.desktop" 86 - ]; 87 - "image/png" = [ 88 - "viewnior.desktop" 89 - "firefox.desktop" 90 - ]; 91 - "image/webp" = [ 92 - "viewnior.desktop" 93 - "firefox.desktop" 94 - ]; 95 - "text/html" = [ "firefox.desktop" ]; 96 - "text/xml" = [ "firefox.desktop" ]; 97 - "x-scheme-handler/http" = [ "firefox.desktop" ]; 98 - "x-scheme-handler/https" = [ "firefox.desktop" ]; 99 - "x-scheme-handler/about" = [ "firefox.desktop" ]; 100 - "x-scheme-handler/unknown" = [ "firefox.desktop" ]; 101 - "x-scheme-handler/mailto" = [ 102 - "thunderbird.desktop" 103 - "firefox.desktop" 104 - ]; 105 - "x-scheme-handler/webcal" = [ 106 - "firefox.desktop" 107 - "thunderbird.desktop" 108 - ]; 109 - "x-scheme-handler/steam" = [ 110 - "steam-native.desktop" 111 - "steam.desktop" 112 - ]; 113 - "x-scheme-handler/steamlink" = [ 114 - "steam-native.desktop" 115 - "steam.desktop" 116 - ]; 117 - }; 118 - }; 119 - userDirs = { 120 - enable = true; 121 - createDirectories = true; 122 - music = "$HOME/music"; 123 - publicShare = "$HOME/.xdg/share"; 124 - templates = "$HOME/.xdg/templates"; 125 - }; 126 - }; 127 - }
-73
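--- a/modules/nixos/default-config/bootloader.nix
+++ b/modules/nixos/default-config/bootloader.nix
@@ -1,73 +0,0 @@
-{
-boot = {
-tmp.cleanOnBoot = true;
-# Disable unused kernel modules
-# https://madaidans-insecurities.github.io/guides/linux-hardening.html?#kasr-kernel-modules
-blacklistedKernelModules = [
-# Obscure network protocols
-"af_802154"
-"appletalk"
-"atm"
-"ax25"
-"can"
-"dccp"
-"decnet"
-"econet"
-"ipx"
-"n-hdlc"
-"netrom"
-"p8022"
-"p8023"
-"psnap"
-"rds"
-"rose"
-"sctp"
-"tipc"
-"x25"
-# Old or rare or insufficiently audited filesystems
-# or ones I just don't want loaded
-"adfs"
-"affs"
-"befs"
-"bfs"
-"cramfs"
-"efs"
-"erofs"
-"f2fs"
-"freevxfs"
-"hfs"
-"hfsplus"
-"hpfs"
-"jffs2"
-"jfs"
-"minix"
-"nilfs2"
-"ntfs"
-"ocfs2"
-"omfs"
-"orangefs"
-"qnx4"
-"qnx6"
-"reiserfs"
-"sysv"
-"ubifs"
-"ufs"
-# Network filesystems - I don't use these
-"gfs2"
-"nfs"
-"nfsv3"
-"nfsv4"
-# Vivid driver
-# Only used for testing purposes, has caused security issues. Disable.
-"vivid"
-];
-
-kernelParams = [
-# Page allocator randomization
-# Should hardon and improve performance
-"page_alloc.shuffle=1"
-# Disable debugfs - not needed
-"debugfs=off"
-];
-};
-}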
-24
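--- a/modules/nixos/default-config/default.nix
+++ b/modules/nixos/default-config/default.nix
@@ -1,24 +0,0 @@
-{ pkgs, ... }:
-{
-imports = [
-./bootloader.nix
-./networking.nix
-./nixConfig.nix
-./nixpkgsConfig.nix
-./packages.nix
-./programs
-./root.nix
-./security.nix
-./services
-./ssh.nix
-./users.nix
-];
-system.stateVersion = "25.05";
-system.disableInstallerTools = true;
-nix.package = pkgs.nixVersions.stable;
-catppuccin = {
-flavor = "mocha";
-accent = "mauve";
-tty.enable = true;
-};
-}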
-38
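--- a/modules/nixos/default-config/networking.nix
+++ b/modules/nixos/default-config/networking.nix
@@ -1,38 +0,0 @@
-{ pkgs, lib, ... }:
-{
-networking = {
-networkmanager.plugins = lib.mkForce [ pkgs.networkmanager-openvpn ];
-nameservers = [
-"9.9.9.9"
-"fd42:d42:d42:53::1"
-"fd42:d42:d42:54::1"
-"172.23.0.53"
-"172.20.0.53"
-];
-timeServers = [
-"0.pool.ntp.org"
-"1.pool.ntp.org"
-"2.pool.ntp.org"
-"3.pool.ntp.org"
-];
-resolvconf.extraConfig = ''
-name_servers="9.9.9.9 fd42:d42:d42:53::1 fd42:d42:d42:54::1 172.23.0.53 172.20.0.53"
-'';
-};
-boot.kernel.sysctl = {
-# Disable ICMP Redirects
-# https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
-"net.ipv4.conf.all.accept_redirects" = 0;
-"net.ipv4.conf.default.accept_redirects" = 0;
-"net.ipv4.conf.all.secure_redirects" = 0;
-"net.ipv4.conf.default.secure_redirects" = 0;
-"net.ipv6.conf.all.accept_redirects" = 0;
-"net.ipv6.conf.default.accept_redirects" = 0;
-};
-# Disable *-wait-online services as they block rebuilds often.
-# https://github.com/NixOS/nixpkgs/issues/180175
-systemd.services = {
-NetworkManager-wait-online.enable = lib.mkForce false;
-systemd-networkd-wait-online.enable = lib.mkForce false;
-};
-}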
-102
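--- a/modules/nixos/default-config/nixConfig.nix
+++ b/modules/nixos/default-config/nixConfig.nix
@@ -1,102 +0,0 @@
-{
-pkgs,
-lib,
-inputs,
-...
-}:
-let
-userList = [
-"root"
-"thehedgehog"
-"pyrox"
-];
-flakeInputs = lib.filterAttrs (name: value: (value ? outputs) && (name != "self")) inputs;
-in
-{
-nix = {
-enable = true;
-# We use `nh.clean` instead, so this is disabled
-gc.automatic = false;
-registry = lib.mapAttrs (_: v: { flake = v; }) flakeInputs;
-settings = {
-# Don't auto-accept flake-defined nix settings, they're a CVE waiting to happen.
-accept-flake-config = false;
-# Allow these users to access the daemon
-allowed-users = userList;
-# No pre-defined nixbld users
-auto-allocate-uids = true;
-# Always optimize the store
-auto-optimise-store = true;
-# Compress build logs to save space
-compress-build-log = true;
-# Use all available cores to build
-cores = 0;
-experimental-features = [
-# Use auto-generated uids instead of users in the nixbld group
-"auto-allocate-uids"
-# Can allow saving space in the store by content-addressing instead of input-addressing derivations
-"ca-derivations"
-# Build inside cgroups
-"cgroups"
-# Duh
-"flakes"
-# Nix3 CLI
-"nix-command"
-# Disallow URL Literals as they are deprecated
-"no-url-literals"
-# Allow Nix to call itself
-"recursive-nix"
-];
-# Build from source if substitution fails
-fallback = true;
-# Write an empty flake registry
-flake-registry = pkgs.writers.writeJSON "registry-empty.json" {
-flakes = [ ];
-version = 2;
-};
-# allow keeping direnv gc roots
-keep-derivations = true;
-# Keep going even if a build fails, so that all possible succeeding builds do
-keep-going = true;
-# More direnv gc root stuff
-keep-outputs = true;
-# Show fewer log lines from failed builds since I get them from nh
-log-lines = 10;
-# Extra system features
-system-features = [
-"big-parallel"
-"kvm"
-"nixos-test"
-"recursive-nix"
-];
-# The pubkeys of the below substituters
-trusted-public-keys = [
-"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-"crane.cachix.org-1:8Scfpmn9w+hGdXH/Q9tTLiYAE/2dnJYRJP7kl80GuRk="
-"isabelroses.cachix.org-1:mXdV/CMcPDaiTmkQ7/4+MzChpOe6Cb97njKmBQQmLPM="
-"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
-"viperml.cachix.org-1:qZhKBMTfmcLL+OG6fj/hzsMEedgKvZVFRRAhq7j8Vh8="
-];
-# Extra substituters
-trusted-substituters = [
-"https://cache.nixos.org"
-"https://crane.cachix.org"
-"https://isabelroses.cachix.org"
-"https://nix-community.cachix.org"
-"https://nixpkgs-wayland.cachix.org"
-"https://viperml.cachix.org"
-];
-# These users have additional daemon rights
-trusted-users = userList;
-# Use cgroups for building
-use-cgroups = true;
-# Allow use of the registry
-use-registries = true;
-# XDG base dirs to avoid cluttering $HOME
-use-xdg-base-directories = true;
-# I almost always work in a dirty tree, I know it's dirty
-warn-dirty = false;
-};
-};
-}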
-7
modules/nixos/default-config/nixpkgsConfig.nix
··· 1 - { 2 - nixpkgs = { 3 - config = { 4 - allowUnfree = true; 5 - }; 6 - }; 7 - }
-19
modules/nixos/default-config/packages.nix
··· 1 - { pkgs, ... }: 2 - { 3 - environment.systemPackages = with pkgs; [ 4 - direnv 5 - doggo 6 - fzf 7 - ghostty.terminfo 8 - lazygit 9 - nix-output-monitor 10 - pciutils 11 - py.customGit 12 - ripgrep 13 - tailscale 14 - unrar 15 - unzip 16 - zip 17 - usbutils 18 - ]; 19 - }
-7
modules/nixos/default-config/programs/default.nix
··· 1 - { 2 - imports = [ 3 - ./ssh.nix 4 - ./nh.nix 5 - ]; 6 - programs.fish.enable = true; 7 - }
-9
modules/nixos/default-config/programs/nh.nix
··· 1 - { inputs, ... }: 2 - { 3 - programs.nh = { 4 - enable = true; 5 - package = inputs.nh.packages.x86_64-linux.default; 6 - clean.enable = true; 7 - clean.extraArgs = "-k 5"; 8 - }; 9 - }
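--- a/modules/nixos/default-config/programs/ssh.nix
+++ b/modules/nixos/default-config/programs/ssh.nix
@@ -1,35 +0,0 @@
-{
-programs.ssh = {
-ciphers = [
-"chacha20-poly1305@openssh.com"
-"aes256-gcm@openssh.com"
-"aes128-gcm@openssh.com"
-"aes256-ctr"
-"aes192-ctr"
-"aes128-ctr"
-];
-macs = [
-"umac-128-etm@openssh.com"
-"hmac-sha2-256-etm@openssh.com"
-"hmac-sha2-512-etm@openssh.com"
-];
-kexAlgorithms = [
-# Experimental, disabled for now.
-# "sntrup761x25519-sha512@openssh.com"
-"curve25519-sha256"
-"curve25519-sha256@libssh.org"
-# Disabled for being 2048-bit
-# "diffie-hellman-group-exchange-sha256"
-];
-hostKeyAlgorithms = [
-"ssh-ed25519-cert-v01@openssh.com"
-"sk-ssh-ed25519-cert-v01@openssh.com"
-"rsa-sha2-512-cert-v01@openssh.com"
-"rsa-sha2-256-cert-v01@openssh.com"
-"ssh-ed25519"
-"sk-ssh-ed25519@openssh.com"
-"rsa-sha2-512"
-"rsa-sha2-256"
-];
-};
-}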
-8
modules/nixos/default-config/root.nix
··· 1 - { 2 - users.users.root = { 3 - openssh.authorizedKeys.keys = [ 4 - "ssh-rsa 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" 5 - "ssh-rsa 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" 6 - ]; 7 - }; 8 - }
modules/nixos/default-config/secrets/powerdns-secrets.age

This is a binary file and will not be displayed.

-22
modules/nixos/default-config/secrets/secrets.nix
··· 1 - let 2 - prefect = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP532AB5mkNvE29MkDDY8HEf8ZdktGWiI0PzLrvbmLQe"; 3 - thought = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGkJcLykggEp427h2IywoiR74Yl3N+FU6Pwx9ZFQ3vjq"; 4 - yubi-back = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTVGi3PItsbUhFgnFZlqo1iUggL4npMg94+9FsyhEPfShcQwJK2/jJzjv5S9KPuk3cY7aoqyVFLbnasSBZPXmscJmOiVNvtWvHoC3QPXvf3IAcVZ5KOLpY2NJlPx/pAb31C6ewtg8v3VlyhL4zEp6M+AGwXX51tFDh2GnYD+7SNF+aMhKCrX63syAhgPy3F8mZ2RIDLAu+lsYlwdpWRkSEv9kcjX/6+3QgUWjfPBaKEeYID22ihSuj7+AiuAt0gM4q0TY/Hpcx+qDLonrIuBnm1hMZDgbv//D0sHIUxJQkGTKTEbkZxoh0Qri7UV/V6l3mETaG40deuemMU7RFY7Khl8RajNZ+9z0FdquS/HCt8+fYQk6eLneJrMIQ1bI4awrtblG3P2Yf2QUu+H3kfCQe44R3WjUugTbNtumVgyQBzl2dzlIVn1pZBeyZy70XCgbaFKkDR8Y/qZiUoZ0afP3vTOXhkn5UBfutTKwUiSGh3S8Ge5YhNgKHWE2eQp1ckEm0IMJV/q5Nsw/yBBXj/kfD8ekz96LQ+gP5JFLq4EaipXI7FM4aZNOBUZU1l/sCEuq7m997nrBucTKqGm7Ho3rq7bgdj4f6GyUJXSMOM1cN61LLrRumZGGTH8WghVL7ligxZyNFcQoudR8jfpf4mrgRxipQOe1A2umvuufMr+l/bw=="; 5 - yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746"; 6 - backup = "ssh-rsa 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"; 7 - marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP60B1IOdfJRrDcCKajMV8YJNC01gSsccZi3DKHlS6YJ"; 8 - servers = [ 9 - prefect 10 - thought 11 - marvin 12 - ]; 13 - personal = [ 14 - yubi-back 15 - yubi-main 16 - backup 17 - ]; 18 - all-keys = servers ++ personal; 19 - in 20 - { 21 - "powerdns-secrets.age".publicKeys = all-keys; 22 - }
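--- a/modules/nixos/default-config/security.nix
+++ b/modules/nixos/default-config/security.nix
@@ -1,35 +0,0 @@
-{ pkgs, ... }:
-{
-# Everything should use doas instead of sudo
-# Sudo is kept enabled for tools that ~can't~ won't use doas.
-security = {
-doas = {
-enable = true;
-wheelNeedsPassword = false;
-};
-# Needed for nixos-rebuild to work properly
-sudo.enable = true;
-
-# TPM configuration
-tpm2 = {
-enable = true;
-abrmd.enable = true;
-applyUdevRules = true;
-pkcs11.enable = false;
-};
-
-# Set up extra certificates for DN42 specifically
-pki.certificateFiles = [
-(pkgs.fetchurl {
-url = "https://dn42.burble.com/burble-dn42-ca.pem";
-name = "burble-dn42-ca.pem";
-sha256 = "0wcrjkiav018bpl87583g0v60clx3jg3wfyf8d9h8zdkwcb16b2g";
-})
-(pkgs.fetchurl {
-url = "https://aur.archlinux.org/cgit/aur.git/plain/dn42.crt?h=ca-certificates-dn42&id=646f7effb290adf25c7e9fea3b41bf055522ba29";
-name = "dn42.crt";
-sha256 = "sha256-wsMeC9/tlppSNZGrqfZFLAjv3AMj1KwIAWeh2XBpiYs=";
-})
-];
-};
-}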
-6
modules/nixos/default-config/services/default.nix
··· 1 - { 2 - imports = [ 3 - ./ntp.nix 4 - ./tailscale.nix 5 - ]; 6 - }
-5
modules/nixos/default-config/services/ntp.nix
··· 1 - { 2 - services.ntp = { 3 - enable = true; 4 - }; 5 - }
-5
modules/nixos/default-config/services/tailscale.nix
··· 1 - { 2 - services.tailscale = { 3 - enable = true; 4 - }; 5 - }
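--- a/modules/nixos/default-config/ssh.nix
+++ b/modules/nixos/default-config/ssh.nix
@@ -1,34 +0,0 @@
-{
-age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-services.openssh = {
-enable = false;
-allowSFTP = false;
-settings = {
-PermitRootLogin = "prohibit-password";
-PasswordAuthentication = false;
-KbdInteractiveAuthentication = false;
-KexAlgorithms = [
-# Experimental, disabled for now.
-# "sntrup761x25519-sha512@openssh.com"
-"curve25519-sha256"
-"curve25519-sha256@libssh.org"
-# Disabled for being 2048-bit
-# "diffie-hellman-group-exchange-sha256"
-];
-Ciphers = [
-"chacha20-poly1305@openssh.com"
-"aes256-gcm@openssh.com"
-"aes128-gcm@openssh.com"
-"aes256-ctr"
-"aes192-ctr"
-"aes128-ctr"
-];
-Macs = [
-"hmac-sha2-512-etm@openssh.com"
-"hmac-sha2-256-etm@openssh.com"
-"umac-128-etm@openssh.com"
-];
-};
-};
-networking.firewall.allowedTCPPorts = [ 22 ];
-}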
-15
modules/nixos/default-config/users.nix
··· 1 - { lib, ... }: 2 - { 3 - users.users = { 4 - pyrox = lib.mkDefault { 5 - isNormalUser = true; 6 - description = lib.mkDefault "Pyrox"; 7 - extraGroups = [ 8 - "networkmanager" 9 - "wheel" 10 - "input" 11 - "wireshark" 12 - ]; 13 - }; 14 - }; 15 - }
-1
modules/nixos/default-users/backup.pub
··· 1 - ssh-rsa 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 993390@993390-student-FVFD26HVJ1WK
-72
modules/nixos/default-users/default.nix
··· 1 - { 2 - pkgs, 3 - config, 4 - lib, 5 - ... 6 - }: 7 - let 8 - cfg = config.py.users.default; 9 - in 10 - { 11 - options.py.users.default.enable = lib.mkEnableOption "Default PyroNet Users"; 12 - options.py.user.name = lib.mkOption { 13 - type = lib.types.str; 14 - default = "thehedgehog"; 15 - description = "User for deploy-rs deployments."; 16 - }; 17 - 18 - config = lib.mkIf cfg.enable { 19 - users.users.pyrox = { 20 - description = "Pyrox"; 21 - isNormalUser = true; 22 - extraGroups = [ 23 - "adbusers" 24 - "wheel" 25 - "networkmanager" 26 - "video" 27 - "docker" 28 - "wireshark" 29 - "input" 30 - ]; 31 - hashedPassword = "$6$6EtuZhVOJdfI9DYP$1Qnd7R8qdN.E5yE2kDQCNg2zgJ5cIjNBKsIW/qJgb8wcKlUpIoVg/fEKvBkAgCiLyojVG2kzfu4J9LR8rA8a2/"; 32 - shell = pkgs.fish; 33 - openssh = { 34 - authorizedKeys = { 35 - keyFiles = [ 36 - ./yubikey-new.pub 37 - ./yubikey-main.pub 38 - ./yubikey-back.pub 39 - ./backup.pub 40 - ]; 41 - keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP532AB5mkNvE29MkDDY8HEf8ZdktGWiI0PzLrvbmLQe" ]; 42 - }; 43 - }; 44 - }; 45 - users.users.thehedgehog = { 46 - description = "The Hedgehog"; 47 - isNormalUser = true; 48 - extraGroups = [ 49 - "adbusers" 50 - "wheel" 51 - "networkmanager" 52 - "video" 53 - "docker" 54 - "wireshark" 55 - "input" 56 - ]; 57 - hashedPassword = "$6$6EtuZhVOJdfI9DYP$1Qnd7R8qdN.E5yE2kDQCNg2zgJ5cIjNBKsIW/qJgb8wcKlUpIoVg/fEKvBkAgCiLyojVG2kzfu4J9LR8rA8a2/"; 58 - shell = pkgs.fish; 59 - openssh = { 60 - authorizedKeys = { 61 - keyFiles = [ 62 - ./yubikey-new.pub 63 - ./yubikey-main.pub 64 - ./yubikey-back.pub 65 - ./backup.pub 66 - ]; 67 - keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP532AB5mkNvE29MkDDY8HEf8ZdktGWiI0PzLrvbmLQe" ]; 68 - }; 69 - }; 70 - }; 71 - }; 72 - }
-1
modules/nixos/default-users/yubikey-back.pub
··· 1 - ssh-rsa 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 cardno:15 567 372
-1
modules/nixos/default-users/yubikey-main.pub
··· 1 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746
-1
modules/nixos/default-users/yubikey-new.pub
··· 1 - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK97n2SgV/U1mLzxcaEDl85iF5D3jm7xboZ+S01+CbM/8zxVoWyjVHCqTwDcrLwP0c5Z51BNj7U0UkGIgR4zTSM=
-20
modules/nixos/profiles/default.nix
··· 1 - { config, lib, ... }: 2 - let 3 - cfg = config.py.profiles; 4 - in 5 - { 6 - options.py.profiles = { 7 - base.enable = lib.mkEnableOption "Base Profile"; 8 - cli.enable = lib.mkEnableOption "CLI Profile"; 9 - development.enable = lib.mkEnableOption "Development Profile"; 10 - graphical.enable = lib.mkEnableOption "Graphical Profile"; 11 - server.enable = lib.mkEnableOption "Server Profile"; 12 - }; 13 - config = { 14 - py.profiles = { 15 - base.enable = lib.mkDefault true; 16 - cli.enable = lib.mkDefault true; 17 - development.enable = lib.mkDefault cfg.graphical.enable; 18 - }; 19 - }; 20 - }
-16
modules/nixos/programs/chromium/default.nix
··· 1 - { config, lib, ... }: 2 - let 3 - cfg = config.py.programs.chromium; 4 - in 5 - { 6 - options.py.programs.chromium.enable = lib.mkEnableOption "Chromium"; 7 - 8 - config = lib.mkIf cfg.enable { 9 - programs.chromium = { 10 - enable = true; 11 - defaultSearchProviderEnabled = true; 12 - defaultSearchProviderSearchURL = "https://kagi.com/search?q={searchTerms}"; 13 - extraOpts = import ./extraOpts.nix; 14 - }; 15 - }; 16 - }
-82
modules/nixos/programs/chromium/extraOpts.nix
··· 1 - { 2 - AbusiveExperienceInterventionEnforce = false; 3 - AccessCodeCastEnabled = false; 4 - AdsSettingForIntrusiveAdsSites = 2; 5 - AllowDeletingBrowserHistory = true; 6 - AllowDinosaurEasterEgg = true; 7 - AllowFileSelectionDialogs = true; 8 - AllowSystemNotifications = true; 9 - AudioCaptureAllowed = true; 10 - AudioSandboxEnabled = true; 11 - AutofillAddressEnabled = false; 12 - AutofillCreditCardEnabled = false; 13 - AutoplayAllowed = false; 14 - BackgroundModeEnabled = false; 15 - BookmarkBarEnabled = false; 16 - BrowserLabsEnabled = true; 17 - BrowserSignin = 0; 18 - BuiltInDnsClientEnabled = false; 19 - ChromeVariations = 2; 20 - ClickToCallEnabled = false; 21 - ClientCertificateManagementAllowed = 0; 22 - CloudExtensionRequestEnabled = false; 23 - CloudProfileReportingEnabled = false; 24 - CloudReportingEnabled = false; 25 - CommandLineFlagSecurityWarningsEnabled = false; 26 - ComponentUpdatesEnabled = false; 27 - ContextualSearchEnabled = false; 28 - DNSInterceptionChecksEnabled = false; 29 - DataLeakPreventionReportingEnabled = false; 30 - DefaultBrowserSettingEnabled = false; 31 - DefaultClipboardSetting = 3; 32 - DefaultFileSystemReadGuardSetting = 3; 33 - DefaultFileSystemWriteGuardSetting = 3; 34 - DefaultGeolocationSetting = 3; 35 - DefaultImagesSetting = 1; 36 - DefaultInsecureContentSetting = 3; 37 - DefaultNotificationsSetting = 2; 38 - DefaultSensorsSetting = 2; 39 - DefaultSerialGuardSetting = 2; 40 - DefaultWebBluetoothGuardSetting = 3; 41 - DefaultWebHidGuardSetting = 3; 42 - DefaultWebUsbGuardSetting = 3; 43 - DefaultWindowPlacementSetting = 3; 44 - DesktopSharingHubEnabled = false; 45 - DeveloperToolsAvailability = 1; 46 - DevToolsGenAiSettings = 2; 47 - GenAILocalFoundationalModelSettings = 1; 48 - HelpMeWriteSettings = 2; 49 - TabOrganizerSettings = 2; 50 - CreateThemesSettings = 2; 51 - Disable3DAPIs = false; 52 - DisableScreenshots = false; 53 - EditBookmarksEnabled = true; 54 - EnableMediaRouter = false; 55 - 
ForceGoogleSafeSearch = false; 56 - ForceYouTubeRestrict = 0; 57 - FullscreenAllowed = true; 58 - HardwareAccelerationModeEnabled = true; 59 - HeadlessMode = 1; 60 - HideWebStoreIcon = true; 61 - HttpsOnlyMode = "allowed"; 62 - ImportAutofillFormData = false; 63 - ImportBookmarks = false; 64 - ImportHistory = false; 65 - ImportHomepage = false; 66 - ImportSavedPasswords = false; 67 - ImportSearchEngine = false; 68 - IncognitoModeAvailability = 0; 69 - InsecureFormsWarningsEnabled = false; 70 - LensRegionSearchEnabled = false; 71 - MediaRecommendationsEnabled = false; 72 - MetricsReportingEnabled = false; 73 - NTPCardsVisible = false; 74 - NetworkPredictionOptions = 2; 75 - PasswordDismissCompromisedAlertEnabled = false; 76 - PasswordLeakDetectionEnabled = false; 77 - PasswordManagerEnabled = false; 78 - PaymentMethodQueryEnabled = false; 79 - ShowCastIconInToolbar = false; 80 - SyncDisabled = true; 81 - SystemUse24HourClock = true; 82 - }
-28
modules/nixos/programs/firefox/default.nix
··· 1 - { 2 - config, 3 - lib, 4 - pkgs, 5 - ... 6 - }: 7 - let 8 - cfg = config.py.programs.firefox; 9 - in 10 - { 11 - options.py.programs.firefox = { 12 - enable = lib.mkEnableOption "Firefox configuration"; 13 - }; 14 - 15 - config = lib.mkIf cfg.enable { 16 - programs.firefox = { 17 - enable = true; 18 - package = pkgs.firefox; 19 - wrapperConfig.cfg = { 20 - smartcardSupport = true; 21 - pipewireSupport = true; 22 - ffmpegSupport = true; 23 - }; 24 - policies = import ./policies.nix; 25 - preferences = import ./extraPrefs.nix; 26 - }; 27 - }; 28 - }
-70
modules/nixos/programs/firefox/extensions.nix
··· 1 - let 2 - mkAMO = short: { 3 - installation_mode = "force_installed"; 4 - install_url = "https://addons.mozilla.org/firefox/downloads/latest/${short}/latest.xpi"; 5 - }; 6 - in 7 - { 8 - # Addons from AMO 9 - "{1be309c5-3e4f-4b99-927d-bb500eb4fa88}" = mkAMO "augmented-steam"; 10 - "{446900e4-71c2-419f-a6a7-df9c091e268b}" = mkAMO "bitwarden-password-manager" // { 11 - default_area = "navbar"; 12 - }; 13 - "{bbb880ce-43c9-47ae-b746-c3e0096c5b76}" = mkAMO "catppuccin-gh-file-explorer"; 14 - "{74145f27-f039-47ce-a470-a662b129930a}" = mkAMO "clearurls"; 15 - "gdpr@cavi.au.dk" = mkAMO "consent-o-matic"; 16 - "{5cce4ab5-3d47-41b9-af5e-8203eea05245}" = mkAMO "control-panel-for-twitter"; 17 - "CookieAutoDelete@kennydo.com" = mkAMO "cookie-autodelete"; 18 - "addon@darkreader.org" = mkAMO "darkreader" // { 19 - default_area = "navbar"; 20 - }; 21 - "DontFuckWithPaste@raim.ist" = mkAMO "don-t-fuck-with-paste"; 22 - "{72bd91c9-3dc5-40a8-9b10-dec633c0873f}" = mkAMO "enhanced-github"; 23 - "headereditor-amo@addon.firefoxcn.net" = mkAMO "header-editor"; 24 - "{cb31ec5d-c49a-4e5a-b240-16c767444f62}" = mkAMO "indie-wiki-buddy"; 25 - "idcac-pub@guus.ninja" = mkAMO "istilldontcareaboutcookies"; 26 - "search@kagi.com" = mkAMO "kagi-search-for-firefox"; 27 - "7esoorv3@alefvanoon.anonaddy.me" = mkAMO "libredirect" // { 28 - default_area = "navbar"; 29 - }; 30 - "github-forks-addon@musicallyut.in" = mkAMO "lovely-forks"; 31 - "firefox-addon@pronoundb.org" = mkAMO "pronoundb"; 32 - "{30280527-c46c-4e03-bb16-2e3ed94fa57c}" = mkAMO "protondb-for-steam"; 33 - "redirector@einaregilsson.com" = mkAMO "redirector"; 34 - "{a4c4eda4-fb84-4a84-b4a1-f7c1cbf2a1ad}" = mkAMO "refined-github-"; 35 - "{762f9885-5a13-4abd-9c77-433dcd38b8fd}" = mkAMO "return-youtube-dislikes"; 36 - "{48748554-4c01-49e8-94af-79662bf34d50}" = mkAMO "privacy-pass"; 37 - "sponsorBlocker@ajay.app" = mkAMO "sponsorblock"; 38 - "firefox-extension@steamdb.info" = mkAMO "steam-database"; 39 - 
"{7a7a4a92-a2a0-41d1-9fd7-1e92480d612d}" = mkAMO "styl-us" // { 40 - default_area = "navbar"; 41 - }; 42 - "jid0-3GUEt1r69sQNSrca5p8kx9Ezc3U@jetpack" = mkAMO "terms-of-service-didnt-read"; 43 - "{76ef94a4-e3d0-4c6f-961a-d38a429a332b}" = mkAMO "ttv-lol-pro"; 44 - "uBlock0@raymondhill.net" = mkAMO "ublock-origin" // { 45 - default_area = "navbar"; 46 - }; 47 - "{799c0914-748b-41df-a25c-22d008f9e83f}" = mkAMO "web-scrobbler" // { 48 - default_area = "navbar"; 49 - }; 50 - "yeah@dimden.dev" = mkAMO "yeah-for-twitter"; 51 - # Official Mozilla Extensions 52 - # Still downloaded from AMO 53 - "@contain-facebook" = mkAMO "facebook-container"; 54 - "FirefoxColor@mozilla.com" = mkAMO "firefox-color"; 55 - "firefox-translations-addon@mozilla.org" = mkAMO "firefox-translations"; 56 - "@testpilot-containers" = mkAMO "multi-account-containers"; 57 - # External Addons 58 - "frankerfacez@frankerfacez.com" = { 59 - installation_mode = "force_installed"; 60 - install_url = "https://cdn.frankerfacez.com/script/frankerfacez-4.0-an+fx.xpi"; 61 - }; 62 - "magnolia@12.34" = { 63 - installation_mode = "force_installed"; 64 - install_url = "https://github.com/bpc-clone/bpc_updates/releases/download/latest/bypass_paywalls_clean-latest.xpi"; 65 - }; 66 - "zotero@chnm.gmu.edu" = { 67 - installation_mode = "force_installed"; 68 - install_url = "https://www.zotero.org/download/connector/dl?browser=firefox"; 69 - }; 70 - }
-172
modules/nixos/programs/firefox/extraPrefs.nix
··· 1 - { 2 - "accessibility.typeaheadfind.flashBar" = 0; 3 - "app.normandy.api_url" = ""; 4 - "app.normandy.enabled" = false; 5 - "app.normandy.first_run" = false; 6 - "app.shield.optoutstudies.enabled" = false; 7 - "app.update.auto" = false; 8 - "app.update.backgroundErrors" = 1; 9 - "app.update.disable_button.showUpdateHistory" = false; 10 - "beacon.enabled" = false; 11 - "browser.aboutConfig.showWarning" = false; 12 - "browser.bookmarks.addedImportButton" = true; 13 - "browser.contentblocking.report.hide_vpn_banner" = true; 14 - "browser.contentblocking.report.lockwise.enabled" = false; 15 - "browser.contentblocking.report.show_mobile_app" = false; 16 - "browser.contentblocking.report.social.url" = ""; 17 - "browser.formfill.enable" = false; 18 - "browser.laterrun.bookkeeping.profileCreationTime" = 0; 19 - "browser.laterrun.bookkeeping.sessionCount" = 0; 20 - "browser.newtabpage.activity-stream.discoverystream.enabled" = false; 21 - "browser.newtabpage.activity-stream.discoverystream.endpointSpocsClear" = ""; 22 - "browser.newtabpage.activity-stream.discoverystream.endpoints" = ""; 23 - "browser.newtabpage.activity-stream.discoverystream.personalization.enabled" = false; 24 - "browser.newtabpage.activity-stream.discoverystream.readTime.enabled" = false; 25 - "browser.newtabpage.activity-stream.discoverystream.rec.impressions" = "{}"; 26 - "browser.newtabpage.activity-stream.discoverystream.recentSaves.enabled" = false; 27 - "browser.newtabpage.activity-stream.discoverystream.saveToPocketCard.enabled" = false; 28 - "browser.newtabpage.activity-stream.discoverystream.sendToPocket.enabled" = false; 29 - "browser.newtabpage.activity-stream.discoverystream.spoc.impressions" = "{}"; 30 - "browser.newtabpage.activity-stream.feeds.recommendationprovider" = false; 31 - "browser.newtabpage.activity-stream.feeds.telemetry" = false; 32 - "browser.newtabpage.activity-stream.impressionId" = "{}"; 33 - "browser.newtabpage.activity-stream.section.highlights.includePocket" = 
false; 34 - "browser.newtabpage.activity-stream.telemetry" = false; 35 - "browser.newtabpage.activity-stream.telemetry.structuredIngestion.endpoint" = ""; 36 - "browser.newtabpage.activity-stream.telemetry.ut.events" = false; 37 - "browser.partnerlink.attributionURL" = ""; 38 - "browser.partnerlink.campaign.topsites" = ""; 39 - "browser.ping-centre.telemetry" = false; 40 - "browser.places.importBookmarksHTML" = false; 41 - "browser.pocket.enabled" = false; 42 - "browser.safebrowsing.downloads.enabled" = false; 43 - "browser.safebrowsing.downloads.remote.block_dangerous" = false; 44 - "browser.safebrowsing.downloads.remote.block_dangerous_host" = false; 45 - "browser.safebrowsing.downloads.remote.block_potentially_unwanted" = false; 46 - "browser.safebrowsing.downloads.remote.block_uncommon" = false; 47 - "browser.safebrowsing.downloads.remote.enabled" = false; 48 - "browser.safebrowsing.downloads.remote.url" = ""; 49 - "browser.safebrowsing.malware.enabled" = false; 50 - "browser.safebrowsing.phishing.enabled" = false; 51 - # Disable safebrowsing shit 52 - "browser.safebrowsing.provider.google.advisoryURL" = ""; 53 - "browser.safebrowsing.provider.google.gethashURL" = ""; 54 - "browser.safebrowsing.provider.google.reportURL" = ""; 55 - "browser.safebrowsing.provider.google.updateURL" = ""; 56 - "browser.safebrowsing.provider.google4.advisoryURL" = ""; 57 - "browser.safebrowsing.provider.google4.dataSharingURL" = ""; 58 - "browser.safebrowsing.provider.google4.gethashURL" = ""; 59 - "browser.safebrowsing.provider.google4.lists" = ""; 60 - "browser.safebrowsing.provider.google4.reportURL" = ""; 61 - "browser.safebrowsing.provider.google4.updateURL" = ""; 62 - "browser.safebrowsing.provider.mozilla.gethashURL" = ""; 63 - "browser.safebrowsing.provider.mozilla.lastupdatetime" = ""; 64 - "browser.safebrowsing.provider.mozilla.lists" = ""; 65 - "browser.safebrowsing.provider.mozilla.lists.base" = ""; 66 - "browser.safebrowsing.provider.mozilla.lists.content" = ""; 67 - 
"browser.safebrowsing.provider.mozilla.nextupdatetime" = ""; 68 - "browser.safebrowsing.provider.mozilla.updateURL" = ""; 69 - "browser.search.serpEventTelemetry.enabled" = false; 70 - "browser.send_pings" = false; 71 - "browser.tabs.warnOnClose" = true; 72 - # Disable useless suggestions 73 - "browser.urlbar.suggest.addons" = false; 74 - "browser.urlbar.suggest.bookmark" = true; 75 - "browser.urlbar.suggest.calculator" = true; 76 - "browser.urlbar.suggest.clipboard" = false; 77 - "browser.urlbar.suggest.engines" = false; 78 - "browser.urlbar.suggest.history" = true; 79 - "browser.urlbar.suggest.mdn" = false; 80 - "browser.urlbar.suggest.openpage" = true; 81 - "browser.urlbar.suggest.pocket" = false; 82 - "browser.urlbar.suggest.quicksuggest.nonsponsored" = false; 83 - "browser.urlbar.suggest.quicksuggest.sponsored" = false; 84 - "browser.urlbar.suggest.topsites" = false; 85 - "browser.urlbar.suggest.trending" = false; 86 - "browser.urlbar.suggest.weather" = false; 87 - # Disable sensors 88 - "device.sensors.ambientLight.enabled" = false; 89 - "device.sensors.enabled" = false; 90 - "device.sensors.motion.enabled" = false; 91 - "device.sensors.orientation.enabled" = false; 92 - "device.sensors.proximity.enabled" = false; 93 - "device.sensors.test.events" = false; 94 - "devtools.chrome.enabled" = true; 95 - "doh-rollout.uri" = ""; 96 - "dom.battery.enabled" = false; 97 - "dom.event.clipboardevents.enabled" = false; 98 - "dom.security.unexpected_system_load_telemetry_enabled" = false; 99 - "dom.webgpu.enabled" = true; 100 - "extensions.formautofill.addresses.enabled" = false; 101 - "extensions.formautofill.creditCards.enabled" = false; 102 - "extensions.htmlaboutaddons.recommendations.enabled" = false; 103 - # Disable Pocket 104 - "extensions.pocket.enabled" = false; 105 - "extensions.pocket.showHome" = false; 106 - "extensions.pocket.site" = ""; 107 - "extensions.recommendations.privacyPolicyUrl" = ""; 108 - "extensions.recommendations.themeRecommendationUrl" = ""; 
109 - "extensions.ui.dictionary.hidden" = true; 110 - "extensions.update.autoUpdateDefault" = false; 111 - "extensions.webextensions.restrictedDomains" = ""; 112 - "privacy.clearOnShutdown.downloads" = true; 113 - "privacy.donottrackheader.enabled" = false; 114 - "privacy.resistFingerprinting.block_mozAddonManager" = true; 115 - "remote.prefs.recommended" = false; 116 - "services.settings.server" = ""; 117 - "signon.autofillForms" = false; 118 - "signon.generation.enabled" = false; 119 - "signon.management.page.breach-alerts.enabled" = false; 120 - "toolkit.legacyUserProfileCustomizations.stylesheets" = true; 121 - "ui.systemUsesDarkTheme" = 1; 122 - "webgl.force-enabled" = true; 123 - "xpinstall.signatures.required" = false; 124 - # Disable telemetry stuff 125 - # Already disabled in policies, but better safe than sorry. 126 - "browser.urlbar.eventTelemetry.enabled" = false; 127 - "browser.urlbar.quicksuggest.dataCollection.enabled" = false; 128 - "datareporting.healthreport.infoURL" = ""; 129 - "datareporting.policy.firstRunURL" = ""; 130 - "security.app_menu.recordEventTelemetry" = false; 131 - "security.certerrors.recordEventTelemetry" = false; 132 - "security.identitypopup.recordEventTelemetry" = false; 133 - "security.protectionspopup.recordEventTelemetry" = false; 134 - "network.trr.confirmation_telemetry_enabled" = false; 135 - "privacy.trackingprotection.origin_telemetry.enabled" = false; 136 - "toolkit.telemetry.bhrPing.enabled" = false; 137 - "toolkit.telemetry.cachedClientID" = ""; 138 - "toolkit.telemetry.dap_enabled" = false; 139 - "toolkit.telemetry.dap_helper" = ""; 140 - "toolkit.telemetry.dap_leader" = ""; 141 - "toolkit.telemetry.dap_task1_enabled" = false; 142 - "toolkit.telemetry.debugSlowSql" = false; 143 - "toolkit.telemetry.firstShutdownPing.enabled" = false; 144 - "toolkit.telemetry.geckoview.streaming" = false; 145 - "toolkit.telemetry.newProfilePing.enabled" = false; 146 - "toolkit.telemetry.pioneer-new-studies-available" = false; 147 - 
"toolkit.telemetry.previousBuildID" = ""; 148 - "toolkit.telemetry.reportingpolicy.firstRun" = ""; 149 - "toolkit.telemetry.server" = ""; 150 - "toolkit.telemetry.server_owner" = ""; 151 - "toolkit.telemetry.shutdownPingSender.backgroundtask.enabled" = false; 152 - "toolkit.telemetry.shutdownPingSender.enabled" = false; 153 - "toolkit.telemetry.shutdownPingSender.enabledFirstSession" = false; 154 - "toolkit.telemetry.testing.overrideProductsCheck" = false; 155 - "toolkit.telemetry.unified" = false; 156 - "toolkit.telemetry.updatePing.enabled" = ""; 157 - # FastFox 158 - "media.memory_cache_max_size" = 65536; 159 - "browser.cache.jsbc_compression_level" = 3; 160 - "image.mem.decode_bytes_at_a_time" = 32768; 161 - "network.http.max-connections" = 1800; 162 - "network.http.max-persistent-connections-per-server" = 10; 163 - "network.http.max-urgent-start-excessive-connections-per-host" = 5; 164 - "network.dns.max_high_priority_threads" = 8; 165 - "network.ssl_tokens_cache_capacity" = 10240; 166 - "network.dns.disablePrefetch" = true; 167 - "browser.places.speculativeConnect.enabled" = false; 168 - "browser.urlbar.speculativeConnect.enabled" = false; 169 - 170 - # Other Tweaks 171 - "security.fileuri.strict_origin_policy" = false; 172 - }
-66
modules/nixos/programs/firefox/policies.nix
··· 1 - { 2 - AppAutoUpdate = false; 3 - AutofillAddressEnabled = false; 4 - AutofillCreditCardEnabled = false; 5 - BackgroundAppUpdate = false; 6 - DisableAppUpdate = true; 7 - DisableBuiltinPDFViewer = false; 8 - DisableFirefoxAccounts = true; 9 - DisableFirefoxStudies = true; 10 - DisableMasterPasswordCreation = true; 11 - DisablePocket = true; 12 - DisableSetDesktopBackground = true; 13 - DisableTelemetry = true; 14 - DNSOverHTTPS = { 15 - Enabled = false; 16 - ProviderURL = "https://dns.nextdns.io/36e7f7"; 17 - Locked = true; 18 - }; 19 - DontCheckDefaultBrowser = true; 20 - ExtensionSettings = import ./extensions.nix; 21 - ExtensionUpdate = true; 22 - FirefoxHome = { 23 - Search = true; 24 - TopSites = false; 25 - SponsoredTopSites = false; 26 - Highlights = false; 27 - Pocket = false; 28 - SponsoredPocket = false; 29 - Snippets = false; 30 - Locked = true; 31 - }; 32 - FirefoxSuggest = { 33 - WebSuggestions = false; 34 - SponsoredSuggestions = false; 35 - ImproveSuggest = false; 36 - Locked = true; 37 - }; 38 - HardwareAcceleration = true; 39 - Homepage = { 40 - URL = "about:blank"; 41 - Locked = true; 42 - StartPage = "previous-session"; 43 - }; 44 - ManualAppUpdateOnly = true; 45 - OfferToSaveLogins = false; 46 - OfferToSaveLoginsDefault = false; 47 - OverrideFirstRunPage = ""; 48 - OverridePostUpdatePage = ""; 49 - PasswordManagerEnabled = false; 50 - PDFjs = { 51 - Enabled = true; 52 - EnablePermissions = false; 53 - }; 54 - PrintingEnabled = true; 55 - SearchBar = "unified"; 56 - ShowHomeButton = false; 57 - UserMessaging = { 58 - WhatsNew = false; 59 - ExtensionRecommendations = false; 60 - FeatureRecommendations = false; 61 - UrlbarInterventions = false; 62 - SkipOnboarding = false; 63 - MoreFromMozilla = false; 64 - Locked = true; 65 - }; 66 - }
-28
modules/nixos/programs/misc/default.nix
··· 1 - { config, lib, ... }: 2 - let 3 - cfg = config.py.programs; 4 - inherit (lib) mkEnableOption mkIf; 5 - in 6 - { 7 - options.py.programs = { 8 - appimage.enable = mkEnableOption "Appimage"; 9 - dconf.enable = mkEnableOption "dconf"; 10 - fish.enable = mkEnableOption "fish shell"; 11 - less.enable = mkEnableOption "less"; 12 - noisetorch.enable = mkEnableOption "NoiseTorch"; 13 - steam.enable = mkEnableOption "Steam"; 14 - wireshark.enable = mkEnableOption "Wireshark"; 15 - }; 16 - config.programs = { 17 - appimage = mkIf cfg.appimage.enable { 18 - enable = true; 19 - binfmt = true; 20 - }; 21 - dconf.enable = mkIf cfg.dconf.enable true; 22 - fish.enable = mkIf cfg.fish.enable true; 23 - less.enable = mkIf cfg.less.enable true; 24 - noisetorch.enable = mkIf cfg.noisetorch.enable true; 25 - steam.enable = mkIf cfg.steam.enable true; 26 - wireshark.enable = mkIf cfg.wireshark.enable true; 27 - }; 28 - }
-23
modules/nixos/programs/neovim/default.nix
··· 1 - { 2 - pkgs, 3 - lib, 4 - config, 5 - ... 6 - }: 7 - let 8 - cfg = config.py.programs.neovim; 9 - in 10 - { 11 - options.py.programs.neovim.enable = lib.mkEnableOption "Neovim configuration"; 12 - 13 - config.programs.neovim = lib.mkIf cfg.enable { 14 - enable = true; 15 - package = pkgs.py.nvim; 16 - defaultEditor = true; 17 - viAlias = true; 18 - vimAlias = true; 19 - withRuby = false; 20 - withNodeJs = false; 21 - withPython3 = false; 22 - }; 23 - }
-20
modules/nixos/services/buildbot/default.nix
··· 1 - { config, lib, ... }: 2 - let 3 - cfg = config.py.services.buildbot.worker; 4 - in 5 - { 6 - options.py.services.buildbot.worker = { 7 - enable = lib.mkEnableOption "buildbot worker"; 8 - passwordFile = lib.mkOption { 9 - type = lib.types.path; 10 - description = "Password file for the worker"; 11 - default = null; 12 - }; 13 - }; 14 - config.services.buildbot-nix.worker = lib.mkIf cfg.enable { 15 - enable = true; 16 - name = config.networking.hostName; 17 - masterUrl = "tcp:host=marvin:port=6915"; 18 - workerPasswordFile = cfg.passwordFile; 19 - }; 20 - }
-61
modules/nixos/services/forgejo-runner/default.nix
··· 1 - { 2 - pkgs, 3 - config, 4 - lib, 5 - ... 6 - }: 7 - let 8 - runnerBase = { 9 - enable = true; 10 - url = "https://git.pyrox.dev"; 11 - labels = [ 12 - "default:docker://git.pyrox.dev/pyrox/flake-base:latest" 13 - "nodejs:docker://node:20" 14 - "nodejs-alpine:docker://node:20-alpine" 15 - "nodejs-lts:docker://node:20" 16 - "nodejs-lts:docker://node:20-alpine" 17 - "nodejs-latest:docker://node:21" 18 - "nodejs-latest-alpine:docker://node:21-alpine" 19 - "alpine:docker://alpine:3.19" 20 - ]; 21 - settings = { 22 - log.level = "info"; 23 - runner = { 24 - insecure = false; 25 - capacity = 4; 26 - }; 27 - cache = { 28 - enabled = true; 29 - dir = "/var/lib/forgejo/runners/cache/"; 30 - host = ""; 31 - port = 0; 32 - }; 33 - container = { 34 - # Automatically create a network for containers 35 - network = ""; 36 - enable_ipv6 = false; 37 - }; 38 - }; 39 - }; 40 - cfg = config.py.services.forgejo-runner; 41 - in 42 - { 43 - options.py.services.forgejo-runner = { 44 - enable = lib.mkEnableOption "Forgejo Actions Runner configuration"; 45 - tokenFile = lib.mkOption { 46 - type = lib.types.path; 47 - description = "Token for default runner"; 48 - example = /path/to/token/file; 49 - }; 50 - }; 51 - 52 - config.services.gitea-actions-runner = lib.mkIf cfg.enable { 53 - package = pkgs.forgejo-actions-runner; 54 - instances = { 55 - "${config.networking.hostName}-default" = runnerBase // { 56 - inherit (cfg) tokenFile; 57 - name = "${config.networking.hostName}"; 58 - }; 59 - }; 60 - }; 61 - }
-28
modules/nixos/services/scrutiny/default.nix
··· 1 - { 2 - config, 3 - lib, 4 - ... 5 - }: 6 - let 7 - cfg = config.py.services.scrutiny.collector; 8 - apiUrl = "https://marvin.${lib.py.data.tsNet}:${toString lib.py.data.services.scrutiny.port}"; 9 - in 10 - { 11 - options.py.services.scrutiny = { 12 - collector = { 13 - enable = lib.mkEnableOption "Scrutiny Collector"; 14 - extraSettings = lib.mkOption { 15 - type = lib.types.attrs; 16 - description = "Extra settings to merge to the default scrutiny collector options"; 17 - default = { }; 18 - }; 19 - }; 20 - }; 21 - config.services.scrutiny.collector = lib.mkIf cfg.enable { 22 - enable = true; 23 - settings = { 24 - host.id = config.networking.hostName; 25 - api.endpoint = apiUrl; 26 - } // cfg.extraSettings; 27 - }; 28 - }
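--- a/nixosModules/default-config/bootloader.nix
+++ b/nixosModules/default-config/bootloader.nix
@@ -0,0 +1,74 @@
+{
+boot = {
+tmp.cleanOnBoot = true;
+# Disable unused kernel modules
+# https://madaidans-insecurities.github.io/guides/linux-hardening.html?#kasr-kernel-modules
+blacklistedKernelModules = [
+# Obscure network protocols
+"af_802154"
+"appletalk"
+"atm"
+"ax25"
+"can"
+"dccp"
+"decnet"
+"econet"
+"ipx"
+"n-hdlc"
+"netrom"
+"p8022"
+"p8023"
+"psnap"
+"rds"
+"rose"
+"sctp"
+"tipc"
+"x25"
+# Old or rare or insufficiently audited filesystems
+# or ones I just don't want loaded
+"adfs"
+"affs"
+"befs"
+"bfs"
+"cramfs"
+"efs"
+"erofs"
+"f2fs"
+"freevxfs"
+"hfs"
+"hfsplus"
+"hpfs"
+"jffs2"
+"jfs"
+"minix"
+"nilfs2"
+"ntfs"
+"ocfs2"
+"omfs"
+"orangefs"
+"qnx4"
+"qnx6"
+"reiserfs"
+"sysv"
+"ubifs"
+"ufs"
+# Network filesystems - I don't use these
+"gfs2"
+"nfs"
+"nfsv3"
+"nfsv4"
+# Vivid driver
+# Only used for testing purposes, has caused security issues. Disable.
+"vivid"
+];
+
+kernelParams = [
+# Page allocator randomization
+# Should hardon and improve performance
+"page_alloc.shuffle=1"
+];
+# Don't use either of these so disable them
+kexec.enable = false;
+bcache.enable = false;
+};
+}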
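Review bot: `blacklistedKernelModules` only produces modprobe `blacklist` entries, which stop alias-based autoloading but still let a module be loaded by an explicit `modprobe <name>` or as a dependency of another module. The guide linked in the comment uses `install` overrides for this reason; the NixOS equivalent is lines such as `install dccp ${pkgs.coreutils}/bin/false` in `boot.extraModprobeConfig` (with `pkgs` added to the module arguments) for the modules that must never load. As far as I can tell `kexec.enable = false` only affects the kexec tooling and leaves the syscall available; `security.protectKernelImage = true;` is the option that disables it. The comment above `page_alloc.shuffle=1` has a typo, "hardon" should read "harden".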
+37
nixosModules/default-config/default.nix
··· 1 + { lib, ... }: 2 + { 3 + imports = [ 4 + ./bootloader.nix 5 + ./networking.nix 6 + ./nixConfig.nix 7 + ./nixpkgsConfig.nix 8 + ./packages.nix 9 + ./programs 10 + ./root.nix 11 + ./security.nix 12 + ./services 13 + ./ssh.nix 14 + ./users.nix 15 + ]; 16 + system = { 17 + stateVersion = "26.05"; 18 + disableInstallerTools = true; 19 + tools.nixos-rebuild.enable = true; 20 + }; 21 + catppuccin = { 22 + flavor = "mocha"; 23 + accent = "mauve"; 24 + tty.enable = true; 25 + }; 26 + documentation = { 27 + enable = lib.mkDefault false; 28 + man.enable = lib.mkDefault false; 29 + man.man-db.enable = lib.mkDefault false; 30 + man.generateCaches = lib.mkDefault false; 31 + man.mandoc.enable = lib.mkDefault false; 32 + doc.enable = lib.mkDefault false; 33 + nixos.enable = false; 34 + dev.enable = false; 35 + info.enable = false; 36 + }; 37 + }
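--- a/nixosModules/default-config/networking.nix
+++ b/nixosModules/default-config/networking.nix
@@ -0,0 +1,38 @@
+{ pkgs, lib, ... }:
+{
+networking = {
+networkmanager.plugins = lib.mkForce [ pkgs.networkmanager-openvpn ];
+nameservers = [
+"9.9.9.9"
+"fd42:d42:d42:53::1"
+"fd42:d42:d42:54::1"
+"172.23.0.53"
+"172.20.0.53"
+];
+timeServers = [
+"0.pool.ntp.org"
+"1.pool.ntp.org"
+"2.pool.ntp.org"
+"3.pool.ntp.org"
+];
+resolvconf.extraConfig = ''
+name_servers="9.9.9.9 fd42:d42:d42:53::1 fd42:d42:d42:54::1 172.23.0.53 172.20.0.53"
+'';
+};
+boot.kernel.sysctl = {
+# Disable ICMP Redirects
+# https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
+"net.ipv4.conf.all.accept_redirects" = 0;
+"net.ipv4.conf.default.accept_redirects" = 0;
+"net.ipv4.conf.all.secure_redirects" = 0;
+"net.ipv4.conf.default.secure_redirects" = 0;
+"net.ipv6.conf.all.accept_redirects" = 0;
+"net.ipv6.conf.default.accept_redirects" = 0;
+};
+# Disable *-wait-online services as they block rebuilds often.
+# https://github.com/NixOS/nixpkgs/issues/180175
+systemd.services = {
+NetworkManager-wait-online.enable = lib.mkForce false;
+systemd-networkd-wait-online.enable = lib.mkForce false;
+};
+}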
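Review bot: The sysctl block under "Disable ICMP Redirects" stops the host accepting redirects but leaves sending them at the kernel default. Unless a host is meant to emit them, adding `"net.ipv4.conf.all.send_redirects" = 0;` and `"net.ipv4.conf.default.send_redirects" = 0;` completes what the comment describes. Separately, the resolver list is written twice, once in `nameservers` and once as a literal string in `resolvconf.extraConfig`, so an edit to one can leave the other pointing at the old servers. Building the string from `config.networking.nameservers` with `lib.concatStringsSep " "` (and `config` added to the arguments) keeps the two in step.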
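--- a/nixosModules/default-config/nixConfig.nix
+++ b/nixosModules/default-config/nixConfig.nix
@@ -0,0 +1,91 @@
+{
+pkgs,
+lib,
+inputs,
+...
+}:
+let
+userList = [
+"root"
+"thehedgehog"
+"pyrox"
+];
+flakeInputs = lib.filterAttrs (name: value: (value ? outputs) && (name != "self")) inputs;
+in
+{
+nix = {
+enable = true;
+gc.automatic = true;
+registry = lib.mapAttrs (_: v: { flake = v; }) flakeInputs;
+settings = {
+# Don't auto-accept flake-defined nix settings, they're a CVE waiting to happen.
+accept-flake-config = false;
+# Allow these users to access the daemon
+allowed-users = userList;
+# No pre-defined nixbld users
+auto-allocate-uids = true;
+# Always optimize the store
+auto-optimise-store = true;
+# Compress build logs to save space
+compress-build-log = true;
+# Use all available cores to build
+cores = lib.mkDefault 8;
+experimental-features = [
+# Use auto-generated uids instead of users in the nixbld group
+"auto-allocate-uids"
+# Can allow saving space in the store by content-addressing instead of input-addressing derivations
+"ca-derivations"
+# Build inside cgroups
+"cgroups"
+# Duh
+"flakes"
+# Nix3 CLI
+"nix-command"
+# Disallow URL Literals as they are deprecated
+"no-url-literals"
+];
+# Build from source if substitution fails
+fallback = true;
+# Write an empty flake registry
+flake-registry = pkgs.writers.writeJSON "registry-empty.json" {
+flakes = [ ];
+version = 2;
+};
+# allow keeping direnv gc roots
+keep-derivations = true;
+# Keep going even if a build fails, so that all possible succeeding builds do
+keep-going = true;
+# More direnv gc root stuff
+keep-outputs = true;
+log-lines = 20;
+# Limit the max amount of builds
+max-jobs = lib.mkDefault 4;
+# Extra system features
+system-features = [
+"big-parallel"
+"kvm"
+"nixos-test"
+];
+# The pubkeys of the below substituters
+trusted-public-keys = [
+"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+];
+# Extra substituters
+trusted-substituters = [
+"https://cache.nixos.org"
+"https://nix-community.cachix.org"
+];
+# These users have additional daemon rights
+trusted-users = userList;
+# Use cgroups for building
+use-cgroups = true;
+# Allow use of the registry
+use-registries = true;
+# XDG base dirs to avoid cluttering $HOME
+use-xdg-base-directories = true;
+# I almost always work in a dirty tree, I know it's dirty
+warn-dirty = false;
+};
+};
+}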
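Review bot: `trusted-users = userList` gives the two login accounts the same daemon rights as root, and a trusted user can override daemon settings per invocation (extra substituters, unsigned paths, `--accept-flake-config`), so `accept-flake-config = false` above does not bind them. The `.envrc` changed in this same commit already passes `--accept-flake-config`, which is the path the comment calls a CVE waiting to happen. I would keep `allowed-users = userList;` and narrow the other line to `trusted-users = [ "root" ];`. Also, `trusted-substituters` only lists caches an untrusted user may opt into; if the nix-community cache is meant to be used by default it belongs in `substituters`.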
+17
nixosModules/default-config/nixpkgsConfig.nix
··· 1 + { 2 + inputs, 3 + ... 4 + }: 5 + { 6 + nixpkgs = { 7 + overlays = [ 8 + inputs.self.overlays.openssh-fixperms 9 + inputs.self.overlays.hy3-fixes 10 + inputs.golink.overlays.default 11 + inputs.quickshell.overlays.default 12 + ]; 13 + config = { 14 + allowUnfree = true; 15 + }; 16 + }; 17 + }
+19
nixosModules/default-config/packages.nix
··· 1 + { pkgs, ... }: 2 + { 3 + environment.systemPackages = with pkgs; [ 4 + direnv 5 + doggo 6 + fzf 7 + ghostty.terminfo 8 + lazygit 9 + nix-output-monitor 10 + pciutils 11 + git 12 + ripgrep 13 + tailscale 14 + unrar 15 + unzip 16 + zip 17 + usbutils 18 + ]; 19 + }
+6
nixosModules/default-config/programs/default.nix
··· 1 + { 2 + imports = [ 3 + ./ssh.nix 4 + ]; 5 + programs.fish.enable = true; 6 + }
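--- a/nixosModules/default-config/programs/ssh.nix
+++ b/nixosModules/default-config/programs/ssh.nix
@@ -0,0 +1,35 @@
+{
+programs.ssh = {
+ciphers = [
+"chacha20-poly1305@openssh.com"
+"aes256-gcm@openssh.com"
+"aes128-gcm@openssh.com"
+"aes256-ctr"
+"aes192-ctr"
+"aes128-ctr"
+];
+macs = [
+"umac-128-etm@openssh.com"
+"hmac-sha2-256-etm@openssh.com"
+"hmac-sha2-512-etm@openssh.com"
+];
+kexAlgorithms = [
+# Experimental, disabled for now.
+# "sntrup761x25519-sha512@openssh.com"
+"curve25519-sha256"
+"curve25519-sha256@libssh.org"
+# Disabled for being 2048-bit
+# "diffie-hellman-group-exchange-sha256"
+];
+hostKeyAlgorithms = [
+"ssh-ed25519-cert-v01@openssh.com"
+"sk-ssh-ed25519-cert-v01@openssh.com"
+"rsa-sha2-512-cert-v01@openssh.com"
+"rsa-sha2-256-cert-v01@openssh.com"
+"ssh-ed25519"
+"sk-ssh-ed25519@openssh.com"
+"rsa-sha2-512"
+"rsa-sha2-256"
+];
+};
+}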
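Review bot: The `kexAlgorithms` list leaves `"sntrup761x25519-sha512@openssh.com"` commented out as experimental, but that hybrid has been OpenSSH's default key exchange since 9.0. Pinning to the two curve25519 names therefore removes the post-quantum hybrid rather than avoiding an experiment. Un-commenting it as the first entry keeps curve25519 as the fallback. The same commented-out entry appears under `KexAlgorithms` in nixosModules/default-config/ssh.nix. The cipher, MAC and KEX lists are also kept separately in those two files, with the MACs in a different order, so a shared `let` binding would stop client and server policy drifting apart.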
+8
nixosModules/default-config/root.nix
··· 1 + { 2 + users.users.root = { 3 + openssh.authorizedKeys.keys = [ 4 + "ssh-rsa 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" 5 + "ssh-rsa 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" 6 + ]; 7 + }; 8 + }
nixosModules/default-config/secrets/powerdns-secrets.age

This is a binary file and will not be displayed.

+22
nixosModules/default-config/secrets/secrets.nix
··· 1 + let 2 + prefect = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP532AB5mkNvE29MkDDY8HEf8ZdktGWiI0PzLrvbmLQe"; 3 + thought = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGkJcLykggEp427h2IywoiR74Yl3N+FU6Pwx9ZFQ3vjq"; 4 + yubi-back = "ssh-rsa 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"; 5 + yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746"; 6 + backup = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyTiGctsHaTUlRJn2XQ/745dD0UWGWO8W0en8J5rf7BLI8lL/hPUmbNt45vC5754LXcBjnp1t/1FNgiGhvNZIWJpC+elBmhyMhg8z1exRZPD+as7XaH7scnij2vSbSphQFUqH433ggAGe77x5bc7wKFp9n7vj8G1u0JJxMEe1M7kNFY0+ShNtaHna3LxiQOVcW7qVlNKZP8Ol1V7kZLblRADCJMTYOXDIbktA8bbGRfGhbNjJGkL665qz36haYwb2i6A4sC7Y583N8ro8hIDG/ByJqwbl/Sz4rSxkT6G4+OdBvS6sa7TovNXHjmQCculMIltdog7UhgyBsim1sTzxAen3YyFRi1Cz/kLM0oH39m/W4IoMvJcNZCJ3ItLgy+lEVMd87jVOqfuq/hyjHVI0wJtU2Si2HTxv7aKL8gPzqXwbNH+nhkhlQ0ZH8zKVBunOgLDgsmGIky5X/T3bpWZpIoFkOR7AYrId/5dOeGM3pHhHb6woZ3SRubZ43Ah/VdJM="; 7 + marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP60B1IOdfJRrDcCKajMV8YJNC01gSsccZi3DKHlS6YJ"; 8 + servers = [ 9 + prefect 10 + thought 11 + marvin 12 + ]; 13 + personal = [ 14 + yubi-back 15 + yubi-main 16 + backup 17 + ]; 18 + all-keys = servers ++ personal; 19 + in 20 + { 21 + "powerdns-secrets.age".publicKeys = all-keys; 22 + }
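Review bot: `"powerdns-secrets.age".publicKeys = all-keys` makes the PowerDNS secret decryptable by every server host key plus all three personal keys. If only one host runs PowerDNS (not visible here), listing that host with `personal` follows least privilege, e.g. `"powerdns-secrets.age".publicKeys = [ <powerdns-host> ] ++ personal;`. Narrowing the list only takes effect once the file is rekeyed. Copies encrypted to the old recipients stay decryptable from git history, so rotating the secret itself is part of the change.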
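--- a/nixosModules/default-config/security.nix
+++ b/nixosModules/default-config/security.nix
@@ -0,0 +1,38 @@
+{ pkgs, lib, ... }:
+let
+inherit (lib) mkDefault;
+in
+{
+# Everything should use doas instead of sudo
+# Sudo is kept enabled for tools that ~can't~ won't use doas.
+security = {
+doas = {
+enable = true;
+wheelNeedsPassword = false;
+};
+# Needed for nixos-rebuild to work properly
+sudo.enable = true;
+
+# TPM configuration
+tpm2 = {
+enable = mkDefault true;
+abrmd.enable = mkDefault true;
+applyUdevRules = mkDefault true;
+pkcs11.enable = mkDefault false;
+};
+
+# Set up extra certificates for DN42 specifically
+pki.certificateFiles = [
+(pkgs.fetchurl {
+url = "https://dn42.burble.com/burble-dn42-ca.pem";
+name = "burble-dn42-ca.pem";
+sha256 = "0wcrjkiav018bpl87583g0v60clx3jg3wfyf8d9h8zdkwcb16b2g";
+})
+(pkgs.fetchurl {
+url = "https://aur.archlinux.org/cgit/aur.git/plain/dn42.crt?h=ca-certificates-dn42&id=646f7effb290adf25c7e9fea3b41bf055522ba29";
+name = "dn42.crt";
+sha256 = "sha256-wsMeC9/tlppSNZGrqfZFLAjv3AMj1KwIAWeh2XBpiYs=";
+})
+];
+};
+}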
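Review bot: `doas.wheelNeedsPassword = false` gives every wheel member root with no re-authentication, so any process running as `pyrox` or `thehedgehog` (both placed in wheel elsewhere in this change) is one `doas` call away from root. If the aim is convenience, `wheelNeedsPassword = true;` plus a `security.doas.extraRules` entry with `persist = true;` limits the prompt to once per session. The two `pki.certificateFiles` entries are hash-pinned, which is good, but they are added to the system-wide trust store. Unless those CAs carry name constraints limiting them to dn42 names, which is worth checking on the certificates themselves, they are also trusted to sign for any public hostname.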
+12
nixosModules/default-config/services/default.nix
··· 1 + { 2 + imports = [ 3 + ./ntp.nix 4 + ./tailscale.nix 5 + ]; 6 + services = { 7 + # Perlless user management 8 + userborn = { 9 + enable = true; 10 + }; 11 + }; 12 + }
+5
nixosModules/default-config/services/ntp.nix
··· 1 + { 2 + services.ntp = { 3 + enable = true; 4 + }; 5 + }
+5
nixosModules/default-config/services/tailscale.nix
··· 1 + { 2 + services.tailscale = { 3 + enable = true; 4 + }; 5 + }
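--- a/nixosModules/default-config/ssh.nix
+++ b/nixosModules/default-config/ssh.nix
@@ -0,0 +1,34 @@
+{
+age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+services.openssh = {
+enable = false;
+allowSFTP = false;
+settings = {
+PermitRootLogin = "prohibit-password";
+PasswordAuthentication = false;
+KbdInteractiveAuthentication = false;
+KexAlgorithms = [
+# Experimental, disabled for now.
+# "sntrup761x25519-sha512@openssh.com"
+"curve25519-sha256"
+"curve25519-sha256@libssh.org"
+# Disabled for being 2048-bit
+# "diffie-hellman-group-exchange-sha256"
+];
+Ciphers = [
+"chacha20-poly1305@openssh.com"
+"aes256-gcm@openssh.com"
+"aes128-gcm@openssh.com"
+"aes256-ctr"
+"aes192-ctr"
+"aes128-ctr"
+];
+Macs = [
+"hmac-sha2-512-etm@openssh.com"
+"hmac-sha2-256-etm@openssh.com"
+"umac-128-etm@openssh.com"
+];
+};
+};
+networking.firewall.allowedTCPPorts = [ 22 ];
+}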
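Review bot: `networking.firewall.allowedTCPPorts = [ 22 ];` opens the port unconditionally while `services.openssh.enable` is `false` in the same file, so a host that never turns sshd on still exposes 22 to whatever else binds it. `services.openssh.openFirewall` already opens the port when the service is enabled, so the line can be dropped. Alternatively write it as `networking.firewall.allowedTCPPorts = lib.mkIf config.services.openssh.enable [ 22 ];` with `config` and `lib` added as arguments. `age.identityPaths` points at the sshd host key, which is normally generated by the sshd service, so on a host that leaves openssh disabled the key may not exist and secrets would fail to decrypt, which is worth confirming.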
+15
nixosModules/default-config/users.nix
··· 1 + { lib, ... }: 2 + { 3 + users.users = { 4 + pyrox = lib.mkDefault { 5 + isNormalUser = true; 6 + description = lib.mkDefault "Pyrox"; 7 + extraGroups = [ 8 + "networkmanager" 9 + "wheel" 10 + "input" 11 + "wireshark" 12 + ]; 13 + }; 14 + }; 15 + }
+1
nixosModules/default-users/backup.pub
··· 1 + ssh-rsa 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 993390@993390-student-FVFD26HVJ1WK
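--- a/nixosModules/default-users/default.nix
+++ b/nixosModules/default-users/default.nix
@@ -0,0 +1,72 @@
+{
+pkgs,
+config,
+lib,
+...
+}:
+let
+cfg = config.py.users.default;
+in
+{
+options.py.users.default.enable = lib.mkEnableOption "Default PyroNet Users";
+options.py.user.name = lib.mkOption {
+type = lib.types.str;
+default = "thehedgehog";
+description = "User for deploy-rs deployments.";
+};
+
+config = lib.mkIf cfg.enable {
+users.users.pyrox = {
+description = "Pyrox";
+isNormalUser = true;
+extraGroups = [
+"adbusers"
+"wheel"
+"networkmanager"
+"video"
+"docker"
+"wireshark"
+"input"
+];
+hashedPassword = "$y$j9T$Lwu/kwfIYVH6ApPNFv5TL.$xXtWoVxOKDW0xQtw7yf2JGWP3JI6r9WIqV19W0/zrg5";
+shell = pkgs.fish;
+openssh = {
+authorizedKeys = {
+keyFiles = [
+./yubikey-new.pub
+./yubikey-main.pub
+./yubikey-back.pub
+./backup.pub
+];
+keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP532AB5mkNvE29MkDDY8HEf8ZdktGWiI0PzLrvbmLQe" ];
+};
+};
+};
+users.users.thehedgehog = {
+description = "The Hedgehog";
+isNormalUser = true;
+extraGroups = [
+"adbusers"
+"wheel"
+"networkmanager"
+"video"
+"docker"
+"wireshark"
+"input"
+];
+hashedPassword = "$y$j9T$Lwu/kwfIYVH6ApPNFv5TL.$xXtWoVxOKDW0xQtw7yf2JGWP3JI6r9WIqV19W0/zrg5";
+shell = pkgs.fish;
+openssh = {
+authorizedKeys = {
+keyFiles = [
+./yubikey-new.pub
+./yubikey-main.pub
+./yubikey-back.pub
+./backup.pub
+];
+keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP532AB5mkNvE29MkDDY8HEf8ZdktGWiI0PzLrvbmLQe" ];
+};
+};
+};
+};
+}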
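Review bot: `hashedPassword` is committed inline for both accounts, so the hash is readable from the repository and from the world-readable Nix store and can be guessed offline. `hashedPasswordFile = config.age.secrets.<user-password>.path;` with an agenix secret keeps it out of both, and the two accounts currently share one hash. The inline `keys` entry is the same string that default-config/secrets/secrets.nix binds to `prefect` in its `servers` list. If that is prefect's host key, whoever can read it on prefect can log in as a wheel user on every host enabling this module. Both user blocks are otherwise identical, so a small `mkUser` helper in the `let` would keep group and key lists from diverging.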
+1
nixosModules/default-users/yubikey-back.pub
··· 1 + ssh-rsa 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 cardno:15 567 372
+1
nixosModules/default-users/yubikey-main.pub
··· 1 + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746
+1
nixosModules/default-users/yubikey-new.pub
··· 1 + ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK97n2SgV/U1mLzxcaEDl85iF5D3jm7xboZ+S01+CbM/8zxVoWyjVHCqTwDcrLwP0c5Z51BNj7U0UkGIgR4zTSM=
+27
nixosModules/default.nix
··· 1 + _: { 2 + flake.nixosModules = { 3 + # Top-level 4 + defaultConfig = import ./default-config; 5 + defaultUsers = import ./default-users; 6 + profiles = import ./profiles; 7 + 8 + dn42Wireguard = import ./dn42Wireguard; 9 + 10 + # Programs 11 + chromium = import ./programs/chromium; 12 + firefox = import ./programs/firefox; 13 + hyprland = import ./programs/hyprland; 14 + miscPrograms = import ./programs/misc; 15 + neovim = import ./programs/neovim; 16 + 17 + # Services 18 + buildbot = import ./services/buildbot; 19 + forgejo-runner = import ./services/forgejo-runner; 20 + scrutiny = import ./services/scrutiny; 21 + 22 + hm-pyrox = import ./homes/pyrox; 23 + hm-thehedgehog = import ./homes/thehedgehog; 24 + hm-pyrox-zaphod = import ./homes/pyrox-zaphod; 25 + hm-thehedgehog-zaphod = import ./homes/thehedgehog-zaphod; 26 + }; 27 + }
+125
nixosModules/dn42Wireguard/default.nix
··· 1 + { 2 + config, 3 + lib, 4 + pkgs, 5 + ... 6 + }: 7 + let 8 + inherit (lib) types; 9 + cfg = config.networking.dn42.wg; 10 + 11 + tunnelDef = { 12 + options = { 13 + enable = lib.mkOption { 14 + description = "Whether to enable this wireguard tunnel"; 15 + type = types.bool; 16 + default = true; 17 + example = false; 18 + }; 19 + listenPort = lib.mkOption { 20 + description = "The port this tunnel listens on"; 21 + type = types.port; 22 + example = 42000; 23 + }; 24 + privateKeyFile = lib.mkOption { 25 + description = "Path to the tunnel's private key"; 26 + type = types.nullOr types.path; 27 + example = "/path/to/private/key"; 28 + default = null; 29 + }; 30 + peerPubKey = lib.mkOption { 31 + description = "Public key of the peer you're connecting to"; 32 + type = types.str; 33 + example = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg="; 34 + }; 35 + peerEndpoint = lib.mkOption { 36 + description = "The endpoint of the peer you're connecting to"; 37 + type = types.str; 38 + example = "example.com:42000"; 39 + }; 40 + peerAddrs = { 41 + v4 = lib.mkOption { 42 + description = "The peer IPv4 address to connect to in the tunnel"; 43 + type = types.nullOr types.str; 44 + example = "192.168.1.1"; 45 + default = null; 46 + }; 47 + v6 = lib.mkOption { 48 + description = "The peer IPv6 address to connect to in the tunnel"; 49 + type = types.nullOr types.str; 50 + example = "fe80::42"; 51 + default = null; 52 + }; 53 + }; 54 + localAddrs = { 55 + v4 = lib.mkOption { 56 + description = "The local IPv4 address to listen on in the tunnel"; 57 + type = types.nullOr types.str; 58 + example = "192.168.1.1"; 59 + default = null; 60 + }; 61 + v6 = lib.mkOption { 62 + description = "The local IPv6 address to listen on in the tunnel"; 63 + type = types.nullOr types.str; 64 + example = "fe80::42"; 65 + default = null; 66 + }; 67 + }; 68 + }; 69 + }; 70 + in 71 + { 72 + options.networking.dn42.wg = { 73 + tunnelDefaults = lib.mkOption { 74 + description = "The default settings to 
apply to all tunnels"; 75 + type = types.submodule tunnelDef; 76 + }; 77 + tunnels = lib.mkOption { 78 + description = "DN42 WireGuard tunnels configuration"; 79 + type = types.attrsOf (types.submodule tunnelDef); 80 + }; 81 + }; 82 + config.networking = { 83 + wireguard.interfaces = lib.mapAttrs' ( 84 + name: value: 85 + let 86 + # Merge defaults with tunnel config, right side has priority 87 + # so tunnel config overrides defaults 88 + fc = cfg.tunnelDefaults // (lib.filterAttrs (_: v: v != null) value); 89 + in 90 + lib.nameValuePair "wg42_${name}" { 91 + inherit (fc) listenPort privateKeyFile; 92 + allowedIPsAsRoutes = false; 93 + peers = [ 94 + { 95 + endpoint = fc.peerEndpoint; 96 + publicKey = fc.peerPubKey; 97 + allowedIPs = [ 98 + "0.0.0.0/0" 99 + "::/0" 100 + ]; 101 + dynamicEndpointRefreshSeconds = 5; 102 + persistentKeepalive = 15; 103 + } 104 + ]; 105 + postSetup = '' 106 + ${lib.optionalString ( 107 + fc.peerAddrs.v4 != null && fc.localAddrs.v4 != null 108 + ) "${pkgs.iproute2}/bin/ip addr add ${fc.localAddrs.v4} peer ${fc.peerAddrs.v4} dev wg42_${name}"} 109 + ${lib.optionalString ( 110 + fc.peerAddrs.v6 != null && fc.localAddrs.v6 != null 111 + ) "${pkgs.iproute2}/bin/ip addr add ${fc.localAddrs.v6} peer ${fc.peerAddrs.v6} dev wg42_${name}"} 112 + ''; 113 + } 114 + ) (lib.filterAttrs (_: v: v.enable) cfg.tunnels); 115 + firewall = { 116 + trustedInterfaces = lib.mapAttrsToList (name: _: "wg42_" + name) (lib.filterAttrs (_: v: v.enable) cfg.tunnels); 117 + checkReversePath = false; 118 + extraInputRules = '' 119 + ip saddr 172.20.0.0/14 accept 120 + ip6 saddr fd00::/8 accept 121 + ip6 saddr fe80::/64 accept 122 + ''; 123 + }; 124 + }; 125 + }
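Review bot: The `firewall` block is set unconditionally and its `extraInputRules` match on source address only. Every host importing this module therefore accepts `172.20.0.0/14`, `fd00::/8` and `fe80::/64` on all interfaces, with `checkReversePath = false`, even when `cfg.tunnels` is empty. Tunnel traffic is already covered by `trustedInterfaces`, so the rules mainly widen what non-tunnel interfaces accept, and `fd00::/8` is the whole ULA space rather than only dn42. Scoping the rules to the tunnels, e.g. `iifname "wg42_*" ip saddr 172.20.0.0/14 accept`, or wrapping the firewall settings in `lib.mkIf (cfg.tunnels != { })`, keeps the exception to dn42 peers. Separately, `cfg.tunnelDefaults // ...` is a shallow merge and `peerAddrs`/`localAddrs` are attribute sets that are never null, so a tunnel's address sets always replace the defaults wholesale.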
+18
nixosModules/homes/pyrox/default.nix
··· 1 + { 2 + lib, 3 + inputs, 4 + ... 5 + }: 6 + { 7 + home-manager.users.pyrox = { 8 + imports = [ 9 + inputs.self.homeModules.allModules 10 + { 11 + home.username = "pyrox"; 12 + home.stateVersion = "26.05"; 13 + py.profiles.server.enable = lib.mkDefault true; 14 + py.profiles.desktop.enable = lib.mkDefault false; 15 + } 16 + ]; 17 + }; 18 + }
+16
nixosModules/homes/pyrox-zaphod/default.nix
··· 1 + { 2 + pkgs, 3 + ... 4 + }: 5 + { 6 + home-manager.users.pyrox = { 7 + imports = [ 8 + ./files/pamKeys.nix 9 + ./files/distrobox-config.nix 10 + ]; 11 + home.packages = [ 12 + pkgs.mindustry 13 + ]; 14 + py.profiles.desktop.enable = true; 15 + }; 16 + }
+7
nixosModules/homes/pyrox-zaphod/files/distrobox-config.nix
··· 1 + { 2 + xdg.configFile."distrobox/distrobox.conf" = { 3 + text = '' 4 + distrobox_sudo_program="doas" 5 + ''; 6 + }; 7 + }
+5
nixosModules/homes/pyrox-zaphod/files/pamKeys.nix
··· 1 + { 2 + xdg.configFile."Yubico/u2f_keys".text = '' 3 + thehedgehog:iC1dk7d+DYFX60wpkDlWdwNpkRLXmML7iDjxh4TRXe8OhsAb2pgKiY6tVLHeZIK3WOVA1DuWU8rWlHdma3eqJg==,NdBJTVCvOamU35ad3fJRv6A6YZQIYrojcVk9a8WYMVvTtKO+xyIeBvunlidHv4Zb0rYrOvK6u7Gb4N5x6T6FIQ==,es256,+presence:juWx2IphhNuHZHiv8nG3i2WWTyR5A+CWp5iHz2AmE7aj3b3rgj85Gl1PMpmZlvlwDgbCP+dlcP5PPzTFloB3Ow==,FEXBkP0PzZSURoIbLuGiRRHFIcSiqEz/ieNPRqRY/hqLJ4AsvGwJ1xdIX7F8qAQuMSp8m7usuBLS4u+4FGg3Ng==,es256,+presence 4 + ''; 5 + }
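Review bot: The `u2f_keys` entry is keyed to `thehedgehog`, but this file is imported under `home-manager.users.pyrox` in nixosModules/homes/pyrox-zaphod/default.nix, so it lands in pyrox's config directory with no line for pyrox. pam_u2f looks up the authenticating user's name in the mapping file. Depending on PAM options not visible here (for example `nouserok`), pyrox would either fail the U2F step or skip it silently. Either change the prefix to `pyrox:` or import the file under the account it names.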
+18
nixosModules/homes/thehedgehog/default.nix
··· 1 + { 2 + lib, 3 + inputs, 4 + ... 5 + }: 6 + { 7 + home-manager.users.thehedgehog = { 8 + imports = [ 9 + inputs.self.homeModules.allModules 10 + { 11 + home.username = "thehedgehog"; 12 + home.stateVersion = "26.05"; 13 + py.profiles.server.enable = lib.mkDefault true; 14 + py.profiles.desktop.enable = lib.mkDefault false; 15 + } 16 + ]; 17 + }; 18 + }
+34
nixosModules/homes/thehedgehog-zaphod/default.nix
··· 1 + { 2 + pkgs, 3 + lib, 4 + inputs, 5 + self', 6 + ... 7 + }: 8 + let 9 + shell = "caelestia"; 10 + in 11 + { 12 + home-manager.users.thehedgehog = { 13 + home.packages = [ 14 + pkgs.mindustry 15 + pkgs.signal-desktop 16 + self'.packages.glide-browser-bin 17 + ]; 18 + home.sessionVariables = { 19 + QT_QPA_PLATFORM = "wayland;xcb"; 20 + GDK_BACKEND = "wayland,x11,*"; 21 + NIXOS_OZONE_WL = "1"; 22 + }; 23 + py.profiles.desktop = { 24 + inherit shell; 25 + enable = true; 26 + }; 27 + programs.dankMaterialShell.plugins = lib.mkIf (shell == "dms") { 28 + dms-wallpaper-shuffler.src = inputs.dms-wp-shuffler; 29 + dms-power-usage.src = inputs.dms-power-usage; 30 + DankPomodoroTimer.src = "${inputs.dms-plugins}/DankPomodoroTimer"; 31 + DankBatteryAlerts.src = "${inputs.dms-plugins}/DankBatteryAlerts"; 32 + }; 33 + }; 34 + }
+20
nixosModules/profiles/default.nix
··· 1 + { config, lib, ... }: 2 + let 3 + cfg = config.py.profiles; 4 + in 5 + { 6 + options.py.profiles = { 7 + base.enable = lib.mkEnableOption "Base Profile"; 8 + cli.enable = lib.mkEnableOption "CLI Profile"; 9 + development.enable = lib.mkEnableOption "Development Profile"; 10 + gui.enable = lib.mkEnableOption "GUI Profile"; 11 + server.enable = lib.mkEnableOption "Server Profile"; 12 + }; 13 + config = { 14 + py.profiles = { 15 + base.enable = lib.mkDefault true; 16 + cli.enable = lib.mkDefault true; 17 + development.enable = lib.mkDefault cfg.gui.enable; 18 + }; 19 + }; 20 + }
+16
nixosModules/programs/chromium/default.nix
··· 1 + { config, lib, ... }: 2 + let 3 + cfg = config.py.programs.chromium; 4 + in 5 + { 6 + options.py.programs.chromium.enable = lib.mkEnableOption "Chromium"; 7 + 8 + config = lib.mkIf cfg.enable { 9 + programs.chromium = { 10 + enable = true; 11 + defaultSearchProviderEnabled = true; 12 + defaultSearchProviderSearchURL = "https://kagi.com/search?q={searchTerms}"; 13 + extraOpts = import ./extraOpts.nix; 14 + }; 15 + }; 16 + }
+82
nixosModules/programs/chromium/extraOpts.nix
··· 1 + { 2 + AbusiveExperienceInterventionEnforce = false; 3 + AccessCodeCastEnabled = false; 4 + AdsSettingForIntrusiveAdsSites = 2; 5 + AllowDeletingBrowserHistory = true; 6 + AllowDinosaurEasterEgg = true; 7 + AllowFileSelectionDialogs = true; 8 + AllowSystemNotifications = true; 9 + AudioCaptureAllowed = true; 10 + AudioSandboxEnabled = true; 11 + AutofillAddressEnabled = false; 12 + AutofillCreditCardEnabled = false; 13 + AutoplayAllowed = false; 14 + BackgroundModeEnabled = false; 15 + BookmarkBarEnabled = false; 16 + BrowserLabsEnabled = true; 17 + BrowserSignin = 0; 18 + BuiltInDnsClientEnabled = false; 19 + ChromeVariations = 2; 20 + ClickToCallEnabled = false; 21 + ClientCertificateManagementAllowed = 0; 22 + CloudExtensionRequestEnabled = false; 23 + CloudProfileReportingEnabled = false; 24 + CloudReportingEnabled = false; 25 + CommandLineFlagSecurityWarningsEnabled = false; 26 + ComponentUpdatesEnabled = false; 27 + ContextualSearchEnabled = false; 28 + DNSInterceptionChecksEnabled = false; 29 + DataLeakPreventionReportingEnabled = false; 30 + DefaultBrowserSettingEnabled = false; 31 + DefaultClipboardSetting = 3; 32 + DefaultFileSystemReadGuardSetting = 3; 33 + DefaultFileSystemWriteGuardSetting = 3; 34 + DefaultGeolocationSetting = 3; 35 + DefaultImagesSetting = 1; 36 + DefaultInsecureContentSetting = 3; 37 + DefaultNotificationsSetting = 2; 38 + DefaultSensorsSetting = 2; 39 + DefaultSerialGuardSetting = 2; 40 + DefaultWebBluetoothGuardSetting = 3; 41 + DefaultWebHidGuardSetting = 3; 42 + DefaultWebUsbGuardSetting = 3; 43 + DefaultWindowPlacementSetting = 3; 44 + DesktopSharingHubEnabled = false; 45 + DeveloperToolsAvailability = 1; 46 + DevToolsGenAiSettings = 2; 47 + GenAILocalFoundationalModelSettings = 1; 48 + HelpMeWriteSettings = 2; 49 + TabOrganizerSettings = 2; 50 + CreateThemesSettings = 2; 51 + Disable3DAPIs = false; 52 + DisableScreenshots = false; 53 + EditBookmarksEnabled = true; 54 + EnableMediaRouter = false; 55 + 
ForceGoogleSafeSearch = false; 56 + ForceYouTubeRestrict = 0; 57 + FullscreenAllowed = true; 58 + HardwareAccelerationModeEnabled = true; 59 + HeadlessMode = 1; 60 + HideWebStoreIcon = true; 61 + HttpsOnlyMode = "allowed"; 62 + ImportAutofillFormData = false; 63 + ImportBookmarks = false; 64 + ImportHistory = false; 65 + ImportHomepage = false; 66 + ImportSavedPasswords = false; 67 + ImportSearchEngine = false; 68 + IncognitoModeAvailability = 0; 69 + InsecureFormsWarningsEnabled = false; 70 + LensRegionSearchEnabled = false; 71 + MediaRecommendationsEnabled = false; 72 + MetricsReportingEnabled = false; 73 + NTPCardsVisible = false; 74 + NetworkPredictionOptions = 2; 75 + PasswordDismissCompromisedAlertEnabled = false; 76 + PasswordLeakDetectionEnabled = false; 77 + PasswordManagerEnabled = false; 78 + PaymentMethodQueryEnabled = false; 79 + ShowCastIconInToolbar = false; 80 + SyncDisabled = true; 81 + SystemUse24HourClock = true; 82 + }
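Review bot: `InsecureFormsWarningsEnabled = false` and `CommandLineFlagSecurityWarningsEnabled = false` turn off warnings that are purely local UI, so they give up protection without any privacy gain; I would drop both lines or set them to `true`. `HttpsOnlyMode = "allowed"` only leaves the setting user-selectable, whereas `HttpsOnlyMode = "force_enabled";` would enforce it. The file has no comments, and policies with numeric values (`DefaultInsecureContentSetting = 3`, `DeveloperToolsAvailability = 1`) would be easier to audit with a short note on what each value means.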
+28
nixosModules/programs/firefox/default.nix
··· 1 + { 2 + config, 3 + lib, 4 + pkgs, 5 + ... 6 + }: 7 + let 8 + cfg = config.py.programs.firefox; 9 + in 10 + { 11 + options.py.programs.firefox = { 12 + enable = lib.mkEnableOption "Firefox configuration"; 13 + }; 14 + 15 + config = lib.mkIf cfg.enable { 16 + programs.firefox = { 17 + enable = true; 18 + package = pkgs.firefox; 19 + wrapperConfig.cfg = { 20 + smartcardSupport = true; 21 + pipewireSupport = true; 22 + ffmpegSupport = true; 23 + }; 24 + policies = import ./policies.nix; 25 + preferences = import ./extraPrefs.nix; 26 + }; 27 + }; 28 + }
+68
nixosModules/programs/firefox/extensions.nix
··· 1 + let 2 + mkAMO = short: { 3 + installation_mode = "force_installed"; 4 + install_url = "https://addons.mozilla.org/firefox/downloads/latest/${short}/latest.xpi"; 5 + }; 6 + in 7 + { 8 + # Addons from AMO 9 + "{1be309c5-3e4f-4b99-927d-bb500eb4fa88}" = mkAMO "augmented-steam"; 10 + "{446900e4-71c2-419f-a6a7-df9c091e268b}" = mkAMO "bitwarden-password-manager" // { 11 + default_area = "navbar"; 12 + }; 13 + "{bbb880ce-43c9-47ae-b746-c3e0096c5b76}" = mkAMO "catppuccin-gh-file-explorer"; 14 + "{74145f27-f039-47ce-a470-a662b129930a}" = mkAMO "clearurls"; 15 + "gdpr@cavi.au.dk" = mkAMO "consent-o-matic"; 16 + "{5cce4ab5-3d47-41b9-af5e-8203eea05245}" = mkAMO "control-panel-for-twitter"; 17 + "CookieAutoDelete@kennydo.com" = mkAMO "cookie-autodelete"; 18 + "addon@darkreader.org" = mkAMO "darkreader" // { 19 + default_area = "navbar"; 20 + }; 21 + "DontFuckWithPaste@raim.ist" = mkAMO "don-t-fuck-with-paste"; 22 + "{72bd91c9-3dc5-40a8-9b10-dec633c0873f}" = mkAMO "enhanced-github"; 23 + "headereditor-amo@addon.firefoxcn.net" = mkAMO "header-editor"; 24 + "{cb31ec5d-c49a-4e5a-b240-16c767444f62}" = mkAMO "indie-wiki-buddy"; 25 + "idcac-pub@guus.ninja" = mkAMO "istilldontcareaboutcookies"; 26 + "search@kagi.com" = mkAMO "kagi-search-for-firefox"; 27 + "7esoorv3@alefvanoon.anonaddy.me" = mkAMO "libredirect" // { 28 + default_area = "navbar"; 29 + }; 30 + "github-forks-addon@musicallyut.in" = mkAMO "lovely-forks"; 31 + "firefox-addon@pronoundb.org" = mkAMO "pronoundb"; 32 + "{30280527-c46c-4e03-bb16-2e3ed94fa57c}" = mkAMO "protondb-for-steam"; 33 + "redirector@einaregilsson.com" = mkAMO "redirector"; 34 + "{a4c4eda4-fb84-4a84-b4a1-f7c1cbf2a1ad}" = mkAMO "refined-github-"; 35 + "sponsorBlocker@ajay.app" = mkAMO "sponsorblock"; 36 + "firefox-extension@steamdb.info" = mkAMO "steam-database"; 37 + "{7a7a4a92-a2a0-41d1-9fd7-1e92480d612d}" = mkAMO "styl-us" // { 38 + default_area = "navbar"; 39 + }; 40 + "jid0-3GUEt1r69sQNSrca5p8kx9Ezc3U@jetpack" = mkAMO 
"terms-of-service-didnt-read"; 41 + "{76ef94a4-e3d0-4c6f-961a-d38a429a332b}" = mkAMO "ttv-lol-pro"; 42 + "uBlock0@raymondhill.net" = mkAMO "ublock-origin" // { 43 + default_area = "navbar"; 44 + }; 45 + "{799c0914-748b-41df-a25c-22d008f9e83f}" = mkAMO "web-scrobbler" // { 46 + default_area = "navbar"; 47 + }; 48 + "yeah@dimden.dev" = mkAMO "yeah-for-twitter"; 49 + # Official Mozilla Extensions 50 + # Still downloaded from AMO 51 + "@contain-facebook" = mkAMO "facebook-container"; 52 + "FirefoxColor@mozilla.com" = mkAMO "firefox-color"; 53 + "firefox-translations-addon@mozilla.org" = mkAMO "firefox-translations"; 54 + "@testpilot-containers" = mkAMO "multi-account-containers"; 55 + # External Addons 56 + "frankerfacez@frankerfacez.com" = { 57 + installation_mode = "force_installed"; 58 + install_url = "https://cdn.frankerfacez.com/script/frankerfacez-4.0-an+fx.xpi"; 59 + }; 60 + "magnolia@12.34" = { 61 + installation_mode = "force_installed"; 62 + install_url = "https://github.com/bpc-clone/bpc_updates/releases/download/latest/bypass_paywalls_clean-latest.xpi"; 63 + }; 64 + "zotero@chnm.gmu.edu" = { 65 + installation_mode = "force_installed"; 66 + install_url = "https://www.zotero.org/download/connector/dl?browser=firefox"; 67 + }; 68 + }
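Review bot: Every entry is `force_installed` from an unpinned URL, so whatever the remote serves at the next update check is installed without a prompt and cannot be disabled by the user. For the `mkAMO` entries that goes through addons.mozilla.org, but the three external entries (`frankerfacez@frankerfacez.com`, `magnolia@12.34`, `zotero@chnm.gmu.edu`) pull from a vendor CDN, a GitHub release tagged `latest` and a download endpoint outside the AMO listing. For those three I would pin a versioned URL where one exists and use `installation_mode = "normal_installed";` so they can be switched off if an update misbehaves. A comment on each external entry saying why it is not taken from AMO would help the next audit.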
+172
nixosModules/programs/firefox/extraPrefs.nix
··· 1 + { 2 + "accessibility.typeaheadfind.flashBar" = 0; 3 + "app.normandy.api_url" = ""; 4 + "app.normandy.enabled" = false; 5 + "app.normandy.first_run" = false; 6 + "app.shield.optoutstudies.enabled" = false; 7 + "app.update.auto" = false; 8 + "app.update.backgroundErrors" = 1; 9 + "app.update.disable_button.showUpdateHistory" = false; 10 + "beacon.enabled" = false; 11 + "browser.aboutConfig.showWarning" = false; 12 + "browser.bookmarks.addedImportButton" = true; 13 + "browser.contentblocking.report.hide_vpn_banner" = true; 14 + "browser.contentblocking.report.lockwise.enabled" = false; 15 + "browser.contentblocking.report.show_mobile_app" = false; 16 + "browser.contentblocking.report.social.url" = ""; 17 + "browser.formfill.enable" = false; 18 + "browser.laterrun.bookkeeping.profileCreationTime" = 0; 19 + "browser.laterrun.bookkeeping.sessionCount" = 0; 20 + "browser.newtabpage.activity-stream.discoverystream.enabled" = false; 21 + "browser.newtabpage.activity-stream.discoverystream.endpointSpocsClear" = ""; 22 + "browser.newtabpage.activity-stream.discoverystream.endpoints" = ""; 23 + "browser.newtabpage.activity-stream.discoverystream.personalization.enabled" = false; 24 + "browser.newtabpage.activity-stream.discoverystream.readTime.enabled" = false; 25 + "browser.newtabpage.activity-stream.discoverystream.rec.impressions" = "{}"; 26 + "browser.newtabpage.activity-stream.discoverystream.recentSaves.enabled" = false; 27 + "browser.newtabpage.activity-stream.discoverystream.saveToPocketCard.enabled" = false; 28 + "browser.newtabpage.activity-stream.discoverystream.sendToPocket.enabled" = false; 29 + "browser.newtabpage.activity-stream.discoverystream.spoc.impressions" = "{}"; 30 + "browser.newtabpage.activity-stream.feeds.recommendationprovider" = false; 31 + "browser.newtabpage.activity-stream.feeds.telemetry" = false; 32 + "browser.newtabpage.activity-stream.impressionId" = "{}"; 33 + "browser.newtabpage.activity-stream.section.highlights.includePocket" = 
false; 34 + "browser.newtabpage.activity-stream.telemetry" = false; 35 + "browser.newtabpage.activity-stream.telemetry.structuredIngestion.endpoint" = ""; 36 + "browser.newtabpage.activity-stream.telemetry.ut.events" = false; 37 + "browser.partnerlink.attributionURL" = ""; 38 + "browser.partnerlink.campaign.topsites" = ""; 39 + "browser.ping-centre.telemetry" = false; 40 + "browser.places.importBookmarksHTML" = false; 41 + "browser.pocket.enabled" = false; 42 + "browser.safebrowsing.downloads.enabled" = false; 43 + "browser.safebrowsing.downloads.remote.block_dangerous" = false; 44 + "browser.safebrowsing.downloads.remote.block_dangerous_host" = false; 45 + "browser.safebrowsing.downloads.remote.block_potentially_unwanted" = false; 46 + "browser.safebrowsing.downloads.remote.block_uncommon" = false; 47 + "browser.safebrowsing.downloads.remote.enabled" = false; 48 + "browser.safebrowsing.downloads.remote.url" = ""; 49 + "browser.safebrowsing.malware.enabled" = false; 50 + "browser.safebrowsing.phishing.enabled" = false; 51 + # Disable safebrowsing shit 52 + "browser.safebrowsing.provider.google.advisoryURL" = ""; 53 + "browser.safebrowsing.provider.google.gethashURL" = ""; 54 + "browser.safebrowsing.provider.google.reportURL" = ""; 55 + "browser.safebrowsing.provider.google.updateURL" = ""; 56 + "browser.safebrowsing.provider.google4.advisoryURL" = ""; 57 + "browser.safebrowsing.provider.google4.dataSharingURL" = ""; 58 + "browser.safebrowsing.provider.google4.gethashURL" = ""; 59 + "browser.safebrowsing.provider.google4.lists" = ""; 60 + "browser.safebrowsing.provider.google4.reportURL" = ""; 61 + "browser.safebrowsing.provider.google4.updateURL" = ""; 62 + "browser.safebrowsing.provider.mozilla.gethashURL" = ""; 63 + "browser.safebrowsing.provider.mozilla.lastupdatetime" = ""; 64 + "browser.safebrowsing.provider.mozilla.lists" = ""; 65 + "browser.safebrowsing.provider.mozilla.lists.base" = ""; 66 + "browser.safebrowsing.provider.mozilla.lists.content" = ""; 67 + 
"browser.safebrowsing.provider.mozilla.nextupdatetime" = ""; 68 + "browser.safebrowsing.provider.mozilla.updateURL" = ""; 69 + "browser.search.serpEventTelemetry.enabled" = false; 70 + "browser.send_pings" = false; 71 + "browser.tabs.warnOnClose" = true; 72 + # Disable useless suggestions 73 + "browser.urlbar.suggest.addons" = false; 74 + "browser.urlbar.suggest.bookmark" = true; 75 + "browser.urlbar.suggest.calculator" = true; 76 + "browser.urlbar.suggest.clipboard" = false; 77 + "browser.urlbar.suggest.engines" = false; 78 + "browser.urlbar.suggest.history" = true; 79 + "browser.urlbar.suggest.mdn" = false; 80 + "browser.urlbar.suggest.openpage" = true; 81 + "browser.urlbar.suggest.pocket" = false; 82 + "browser.urlbar.suggest.quicksuggest.nonsponsored" = false; 83 + "browser.urlbar.suggest.quicksuggest.sponsored" = false; 84 + "browser.urlbar.suggest.topsites" = false; 85 + "browser.urlbar.suggest.trending" = false; 86 + "browser.urlbar.suggest.weather" = false; 87 + # Disable sensors 88 + "device.sensors.ambientLight.enabled" = false; 89 + "device.sensors.enabled" = false; 90 + "device.sensors.motion.enabled" = false; 91 + "device.sensors.orientation.enabled" = false; 92 + "device.sensors.proximity.enabled" = false; 93 + "device.sensors.test.events" = false; 94 + "devtools.chrome.enabled" = true; 95 + "doh-rollout.uri" = ""; 96 + "dom.battery.enabled" = false; 97 + "dom.event.clipboardevents.enabled" = false; 98 + "dom.security.unexpected_system_load_telemetry_enabled" = false; 99 + "dom.webgpu.enabled" = true; 100 + "extensions.formautofill.addresses.enabled" = false; 101 + "extensions.formautofill.creditCards.enabled" = false; 102 + "extensions.htmlaboutaddons.recommendations.enabled" = false; 103 + # Disable Pocket 104 + "extensions.pocket.enabled" = false; 105 + "extensions.pocket.showHome" = false; 106 + "extensions.pocket.site" = ""; 107 + "extensions.recommendations.privacyPolicyUrl" = ""; 108 + "extensions.recommendations.themeRecommendationUrl" = ""; 
109 + "extensions.ui.dictionary.hidden" = true; 110 + "extensions.update.autoUpdateDefault" = false; 111 + "extensions.webextensions.restrictedDomains" = ""; 112 + "privacy.clearOnShutdown.downloads" = true; 113 + "privacy.donottrackheader.enabled" = false; 114 + "privacy.resistFingerprinting.block_mozAddonManager" = true; 115 + "remote.prefs.recommended" = false; 116 + "services.settings.server" = ""; 117 + "signon.autofillForms" = false; 118 + "signon.generation.enabled" = false; 119 + "signon.management.page.breach-alerts.enabled" = false; 120 + "toolkit.legacyUserProfileCustomizations.stylesheets" = true; 121 + "ui.systemUsesDarkTheme" = 1; 122 + "webgl.force-enabled" = true; 123 + "xpinstall.signatures.required" = false; 124 + # Disable telemetry stuff 125 + # Already disabled in policies, but better safe than sorry. 126 + "browser.urlbar.eventTelemetry.enabled" = false; 127 + "browser.urlbar.quicksuggest.dataCollection.enabled" = false; 128 + "datareporting.healthreport.infoURL" = ""; 129 + "datareporting.policy.firstRunURL" = ""; 130 + "security.app_menu.recordEventTelemetry" = false; 131 + "security.certerrors.recordEventTelemetry" = false; 132 + "security.identitypopup.recordEventTelemetry" = false; 133 + "security.protectionspopup.recordEventTelemetry" = false; 134 + "network.trr.confirmation_telemetry_enabled" = false; 135 + "privacy.trackingprotection.origin_telemetry.enabled" = false; 136 + "toolkit.telemetry.bhrPing.enabled" = false; 137 + "toolkit.telemetry.cachedClientID" = ""; 138 + "toolkit.telemetry.dap_enabled" = false; 139 + "toolkit.telemetry.dap_helper" = ""; 140 + "toolkit.telemetry.dap_leader" = ""; 141 + "toolkit.telemetry.dap_task1_enabled" = false; 142 + "toolkit.telemetry.debugSlowSql" = false; 143 + "toolkit.telemetry.firstShutdownPing.enabled" = false; 144 + "toolkit.telemetry.geckoview.streaming" = false; 145 + "toolkit.telemetry.newProfilePing.enabled" = false; 146 + "toolkit.telemetry.pioneer-new-studies-available" = false; 147 + 
"toolkit.telemetry.previousBuildID" = ""; 148 + "toolkit.telemetry.reportingpolicy.firstRun" = ""; 149 + "toolkit.telemetry.server" = ""; 150 + "toolkit.telemetry.server_owner" = ""; 151 + "toolkit.telemetry.shutdownPingSender.backgroundtask.enabled" = false; 152 + "toolkit.telemetry.shutdownPingSender.enabled" = false; 153 + "toolkit.telemetry.shutdownPingSender.enabledFirstSession" = false; 154 + "toolkit.telemetry.testing.overrideProductsCheck" = false; 155 + "toolkit.telemetry.unified" = false; 156 + "toolkit.telemetry.updatePing.enabled" = ""; 157 + # FastFox 158 + "media.memory_cache_max_size" = 65536; 159 + "browser.cache.jsbc_compression_level" = 3; 160 + "image.mem.decode_bytes_at_a_time" = 32768; 161 + "network.http.max-connections" = 1800; 162 + "network.http.max-persistent-connections-per-server" = 10; 163 + "network.http.max-urgent-start-excessive-connections-per-host" = 5; 164 + "network.dns.max_high_priority_threads" = 8; 165 + "network.ssl_tokens_cache_capacity" = 10240; 166 + "network.dns.disablePrefetch" = true; 167 + "browser.places.speculativeConnect.enabled" = false; 168 + "browser.urlbar.speculativeConnect.enabled" = false; 169 + 170 + # Other Tweaks 171 + "security.fileuri.strict_origin_policy" = false; 172 + }
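Review bot: `"xpinstall.signatures.required" = false` together with `"extensions.webextensions.restrictedDomains" = ""` removes two add-on safeguards at once: unsigned extensions become installable on builds that honour the pref, and extensions are no longer kept off the domains Firefox normally restricts. The same file switches off every `browser.safebrowsing.*` check and sets `"services.settings.server" = ""`, which as far as I know also cuts the channel that delivers add-on blocklist and certificate-revocation data, so no backstop is left. I would drop the two extension prefs unless a specific unsigned add-on needs them, and add a comment on `"security.fileuri.strict_origin_policy" = false` naming the local workflow that requires it. Separately, `"toolkit.telemetry.updatePing.enabled" = ""` assigns a string where the neighbouring `*.enabled` prefs use a boolean; `false` looks intended.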
+66
nixosModules/programs/firefox/policies.nix
··· 1 + { 2 + AppAutoUpdate = false; 3 + AutofillAddressEnabled = false; 4 + AutofillCreditCardEnabled = false; 5 + BackgroundAppUpdate = false; 6 + DisableAppUpdate = true; 7 + DisableBuiltinPDFViewer = false; 8 + DisableFirefoxAccounts = true; 9 + DisableFirefoxStudies = true; 10 + DisableMasterPasswordCreation = true; 11 + DisablePocket = true; 12 + DisableSetDesktopBackground = true; 13 + DisableTelemetry = true; 14 + DNSOverHTTPS = { 15 + Enabled = false; 16 + ProviderURL = "https://dns.nextdns.io/36e7f7"; 17 + Locked = true; 18 + }; 19 + DontCheckDefaultBrowser = true; 20 + ExtensionSettings = import ./extensions.nix; 21 + ExtensionUpdate = true; 22 + FirefoxHome = { 23 + Search = true; 24 + TopSites = false; 25 + SponsoredTopSites = false; 26 + Highlights = false; 27 + Pocket = false; 28 + SponsoredPocket = false; 29 + Snippets = false; 30 + Locked = true; 31 + }; 32 + FirefoxSuggest = { 33 + WebSuggestions = false; 34 + SponsoredSuggestions = false; 35 + ImproveSuggest = false; 36 + Locked = true; 37 + }; 38 + HardwareAcceleration = true; 39 + Homepage = { 40 + URL = "about:blank"; 41 + Locked = true; 42 + StartPage = "previous-session"; 43 + }; 44 + ManualAppUpdateOnly = true; 45 + OfferToSaveLogins = false; 46 + OfferToSaveLoginsDefault = false; 47 + OverrideFirstRunPage = ""; 48 + OverridePostUpdatePage = ""; 49 + PasswordManagerEnabled = false; 50 + PDFjs = { 51 + Enabled = true; 52 + EnablePermissions = false; 53 + }; 54 + PrintingEnabled = true; 55 + SearchBar = "unified"; 56 + ShowHomeButton = false; 57 + UserMessaging = { 58 + WhatsNew = false; 59 + ExtensionRecommendations = false; 60 + FeatureRecommendations = false; 61 + UrlbarInterventions = false; 62 + SkipOnboarding = false; 63 + MoreFromMozilla = false; 64 + Locked = true; 65 + }; 66 + }
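Review bot: `DNSOverHTTPS` is set to `Enabled = false` with `Locked = true`, so DoH is forced off and `ProviderURL` is never used, yet the URL still publishes what looks like a personal NextDNS profile ID in the repository. Either set `Enabled = true;` if encrypted DNS through that resolver is intended, or remove the `ProviderURL` line. Also, `ExtensionUpdate = true;` here disagrees with `"extensions.update.autoUpdateDefault" = false` in extraPrefs.nix; a comment saying which of the two is meant to win would help.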
+19
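--- a/nixosModules/programs/hyprland/default.nix
+++ b/nixosModules/programs/hyprland/default.nix
@@ -0,0 +1,19 @@
+{
+config,
+lib,
+...
+}:
+let
+cfg = config.py.programs.hyprland;
+in
+{
+options = {
+py.programs.hyprland.enable = lib.mkEnableOption "Hyprland";
+};
+config = lib.mkIf cfg.enable {
+programs.hyprland = {
+enable = true;
+xwayland.enable = true;
+};
+};
+}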
+46
nixosModules/programs/misc/default.nix
··· 1 + { 2 + config, 3 + lib, 4 + pkgs, 5 + ... 6 + }: 7 + let 8 + cfg = config.py.programs; 9 + inherit (lib) mkEnableOption mkIf; 10 + in 11 + { 12 + options.py.programs = { 13 + appimage.enable = mkEnableOption "Appimage"; 14 + dconf.enable = mkEnableOption "dconf"; 15 + fish.enable = mkEnableOption "fish shell"; 16 + less.enable = mkEnableOption "less"; 17 + noisetorch.enable = mkEnableOption "NoiseTorch"; 18 + steam.enable = mkEnableOption "Steam"; 19 + wireshark.enable = mkEnableOption "Wireshark"; 20 + }; 21 + config = { 22 + programs = { 23 + appimage = mkIf cfg.appimage.enable { 24 + enable = true; 25 + binfmt = true; 26 + }; 27 + dconf.enable = mkIf cfg.dconf.enable true; 28 + fish.enable = mkIf cfg.fish.enable true; 29 + less.enable = mkIf cfg.less.enable true; 30 + noisetorch.enable = mkIf cfg.noisetorch.enable true; 31 + steam = mkIf cfg.steam.enable { 32 + enable = true; 33 + protontricks.enable = true; 34 + gamescopeSession.enable = true; 35 + extraCompatPackages = with pkgs; [ 36 + steamtinkerlaunch 37 + ]; 38 + }; 39 + wireshark.enable = mkIf cfg.wireshark.enable true; 40 + }; 41 + environment.systemPackages = lib.optionals cfg.steam.enable [ 42 + pkgs.steamtinkerlaunch 43 + pkgs.protonplus 44 + ]; 45 + }; 46 + }
+21
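--- a/nixosModules/programs/neovim/default.nix
+++ b/nixosModules/programs/neovim/default.nix
@@ -0,0 +1,21 @@
+{
+lib,
+config,
+...
+}:
+let
+cfg = config.py.programs.neovim;
+in
+{
+options.py.programs.neovim.enable = lib.mkEnableOption "Neovim configuration";
+
+config.programs.neovim = lib.mkIf cfg.enable {
+enable = true;
+defaultEditor = true;
+viAlias = true;
+vimAlias = true;
+withRuby = false;
+withNodeJs = false;
+withPython3 = false;
+};
+}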
+20
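--- a/nixosModules/services/buildbot/default.nix
+++ b/nixosModules/services/buildbot/default.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+let
+cfg = config.py.services.buildbot.worker;
+in
+{
+options.py.services.buildbot.worker = {
+enable = lib.mkEnableOption "buildbot worker";
+passwordFile = lib.mkOption {
+type = lib.types.path;
+description = "Password file for the worker";
+default = null;
+};
+};
+config.services.buildbot-nix.worker = lib.mkIf cfg.enable {
+enable = true;
+name = config.networking.hostName;
+masterUrl = "tcp:host=marvin:port=6915";
+workerPasswordFile = cfg.passwordFile;
+};
+}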
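Review bot: `passwordFile` is declared as `lib.types.path` with `default = null;`, and `null` is not a valid value for that type, so enabling the worker without setting the option fails with a type error rather than a clear message. Use `type = lib.types.nullOr lib.types.path;` or drop the default so the option is simply required. A second concern is shared with `tokenFile` in nixosModules/services/forgejo-runner/default.nix, whose `example = /path/to/token/file;` is an unquoted Nix path: a path literal may be copied into the world-readable Nix store when it is coerced to a string. The description and example should therefore steer callers to a quoted runtime path such as `"/run/secrets/<name>"` (placeholder).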
+59
nixosModules/services/forgejo-runner/default.nix
··· 1 + { 2 + pkgs, 3 + config, 4 + lib, 5 + ... 6 + }: 7 + let 8 + runnerBase = { 9 + enable = true; 10 + url = "https://git.pyrox.dev"; 11 + labels = [ 12 + "default:docker://git.pyrox.dev/pyrox/flake-base:latest" 13 + "nodejs:docker://node:20" 14 + "nodejs-alpine:docker://node:20-alpine" 15 + "nodejs-lts:docker://node:20" 16 + "nodejs-lts:docker://node:20-alpine" 17 + "nodejs-latest:docker://node:21" 18 + "nodejs-latest-alpine:docker://node:21-alpine" 19 + "alpine:docker://alpine:3.19" 20 + ]; 21 + settings = { 22 + log.level = "info"; 23 + runner = { 24 + insecure = false; 25 + capacity = 4; 26 + }; 27 + cache = { 28 + enabled = true; 29 + port = 0; 30 + }; 31 + container = { 32 + # Automatically create a network for containers 33 + network = ""; 34 + enable_ipv6 = false; 35 + }; 36 + }; 37 + }; 38 + cfg = config.py.services.forgejo-runner; 39 + in 40 + { 41 + options.py.services.forgejo-runner = { 42 + enable = lib.mkEnableOption "Forgejo Actions Runner configuration"; 43 + tokenFile = lib.mkOption { 44 + type = lib.types.path; 45 + description = "Token for default runner"; 46 + example = /path/to/token/file; 47 + }; 48 + }; 49 + 50 + config.services.gitea-actions-runner = lib.mkIf cfg.enable { 51 + package = pkgs.forgejo-runner; 52 + instances = { 53 + "${config.networking.hostName}-default" = runnerBase // { 54 + inherit (cfg) tokenFile; 55 + name = "${config.networking.hostName}"; 56 + }; 57 + }; 58 + }; 59 + }
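Review bot: The runner `labels` map jobs to container images by mutable tag (`flake-base:latest`, `node:20`, `node:21-alpine`, `alpine:3.19`), so the code CI executes can change without any change in this repository. If the runner accepts digest references, pinning them, e.g. `"alpine:docker://alpine:3.19@sha256:<digest>"` (placeholder digest), makes an image update an explicit, reviewable change. `nodejs-lts` is also defined twice with different images, and which one wins is not visible from here; the second entry looks like it was meant to be `nodejs-lts-alpine`.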
+30
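--- a/nixosModules/services/scrutiny/default.nix
+++ b/nixosModules/services/scrutiny/default.nix
@@ -0,0 +1,30 @@
+{
+config,
+lib,
+self,
+...
+}:
+let
+cfg = config.py.services.scrutiny.collector;
+apiUrl = "https://marvin.${self.lib.data.tsNet}:${toString self.lib.data.services.scrutiny.port}";
+in
+{
+options.py.services.scrutiny = {
+collector = {
+enable = lib.mkEnableOption "Scrutiny Collector";
+extraSettings = lib.mkOption {
+type = lib.types.attrs;
+description = "Extra settings to merge to the default scrutiny collector options";
+default = { };
+};
+};
+};
+config.services.scrutiny.collector = lib.mkIf cfg.enable {
+enable = true;
+settings = {
+host.id = config.networking.hostName;
+api.endpoint = apiUrl;
+}
+// cfg.extraSettings;
+};
+}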
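Review bot: `// cfg.extraSettings` is a shallow merge, so an `extraSettings` that sets anything under `host` or `api` replaces the whole sub-attrset and silently drops `host.id` or `api.endpoint`. Writing `settings = lib.recursiveUpdate { host.id = config.networking.hostName; api.endpoint = apiUrl; } cfg.extraSettings;` keeps the defaults unless the caller overrides that exact key. `lib.types.attrs` has the same shallow behaviour when the option is defined in more than one module, so the option description should say how values are merged.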
+4
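--- a/optnix.toml
+++ b/optnix.toml
@@ -0,0 +1,4 @@
+[scopes.flake-parts]
+description = "flake-parts config"
+options-list-cmd = "nix eval --json .#debug.options-doc"
+evaluator = "nix eval .#debug.config.{{ .Option }}"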
+1 -1
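--- a/overlays/cinny/default.nix
+++ b/overlays/cinny/default.nix
@@ -1,4 +1,4 @@
-_: final: prev: {
+_: _final: prev: {
 cinny-unwrapped = prev.cinny-unwrapped.overrideAttrs (old: {
 patches = (old.patches or [ ]) ++ [ ./nix-commands.patch ];
 });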
+7
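--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -0,0 +1,7 @@
+{
+flake.overlays = {
+cinny = import ./cinny;
+openssh-fixperms = import ./openssh-fixperms;
+hy3-fixes = import ./hy3-fixes;
+};
+}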
+12
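--- a/overlays/hy3-fixes/default.nix
+++ b/overlays/hy3-fixes/default.nix
@@ -0,0 +1,12 @@
+_final: prev: {
+hyprlandPlugins = prev.hyprlandPlugins // {
+hy3 = prev.hyprlandPlugins.hy3.overrideAttrs (old: {
+patches = (old.patches or [ ]) ++ [
+(prev.fetchpatch {
+url = "https://github.com/outfoxxed/hy3/commit/8a3f46a40984e74094f71b5bd38df3dbe5daa97f.patch?full_index=1";
+hash = "sha256-zNGCMcidRx7zV3mnlQT4EjA36g7MeBf6A9gyvITeZ4c=";
+})
+];
+});
+};
+}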
-2
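--- a/overlays/nix-index/default.nix
+++ b/overlays/nix-index/default.nix
@@ -1,2 +0,0 @@
-# deadnix: skip
-{ inputs, ... }: final: prev: { inherit (inputs.nix-index.packages.${prev.system}) nix-index; }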
+6
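--- a/overlays/openssh-fixperms/default.nix
+++ b/overlays/openssh-fixperms/default.nix
@@ -0,0 +1,6 @@
+_final: prev: {
+openssh-patched = prev.openssh.overrideAttrs (old: {
+patches = (old.patches or [ ]) ++ [ ./permfix.patch ];
+doCheck = false;
+});
+}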
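Review bot: `doCheck = false;` turns off the OpenSSH test suite for the one build in this repository that carries a local source patch, which is the build that most needs it. If a test fails because ./permfix.patch disables the config permission check, record that with a comment such as `# tests disabled: <reason>` (placeholder reason), or skip only the affected test. A comment stating why the patched package exists and which hosts use `openssh-patched` would also help the next reviewer.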
+13
overlays/openssh-fixperms/permfix.patch
··· 1 + diff --git a/readconf.h b/readconf.h 2 + index ded13c9..94f489e 100644 3 + --- a/readconf.h 4 + +++ b/readconf.h 5 + @@ -213,7 +213,7 @@ typedef struct { 6 + #define SESSION_TYPE_SUBSYSTEM 1 7 + #define SESSION_TYPE_DEFAULT 2 8 + 9 + -#define SSHCONF_CHECKPERM 1 /* check permissions on config file */ 10 + +#define SSHCONF_CHECKPERM 0 /* check permissions on config file */ 11 + #define SSHCONF_USERCONF 2 /* user provided config file not system */ 12 + #define SSHCONF_FINAL 4 /* Final pass over config, after canon. */ 13 + #define SSHCONF_NEVERMATCH 8 /* Match/Host never matches; internal only */
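Review bot: Redefining `SSHCONF_CHECKPERM` as `0` does more than relax one check: the neighbouring flags are the bit values 2, 4 and 8, so any `flags & SSHCONF_CHECKPERM` test in the client becomes constant false and the owner/permission check on the user's config file is presumably never performed. A config file writable by another account would then be accepted silently, even though that file controls how the client connects. The comment `/* check permissions on config file */` is left on a value that now disables the check, which is misleading. If the underlying problem is that the managed `~/.ssh/config` has unexpected ownership or mode, correcting that at activation time would keep the check; at minimum the patch should carry a comment explaining the trade-off.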
-15
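--- a/overlays/sway-unwrapped/default.nix
+++ b/overlays/sway-unwrapped/default.nix
@@ -1,15 +0,0 @@
-# deadnix: skip
-_:
-# deadnix: skip
-final: prev:
-let
-inherit (prev.lib.strings) mesonOption mesonEnable;
-in
-{
-sway-unwrapped = prev.sway-unwrapped.overrideAttrs {
-mesonFlags = [
-(mesonOption "sd-bus-provider" "libsystemd")
-(mesonEnable "tray" true)
-];
-};
-}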
+20
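--- a/packages/anubis-files/package.nix
+++ b/packages/anubis-files/package.nix
@@ -0,0 +1,20 @@
+{
+stdenv,
+...
+}:
+stdenv.mkDerivation {
+pname = "pyronet-anubis-files";
+version = "1.0.0";
+
+src = ./src;
+
+buildPhase = ''
+substituteInPlace policies/*.yaml \
+--replace-fail "CUSTOM" $out
+'';
+
+installPhase = ''
+mkdir $out
+cp -r * $out/
+'';
+}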
+56
packages/anubis-files/src/policies/default.yaml
··· 1 + bots: 2 + - import: CUSTOM/policies/meta/base.yaml 3 + dnsbl: false 4 + openGraph: 5 + enabled: true 6 + considerHost: false 7 + ttl: 24h 8 + status_codes: 9 + CHALLENGE: 200 10 + DENY: 200 11 + thresholds: 12 + - name: minimal-suspicion 13 + expression: weight <= 0 14 + action: ALLOW 15 + - name: mild-suspicion 16 + expression: 17 + all: 18 + - weight > 0 19 + - weight < 10 20 + action: CHALLENGE 21 + challenge: 22 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh 23 + algorithm: metarefresh 24 + difficulty: 1 25 + report_as: 1 26 + - name: moderate-suspicion 27 + expression: 28 + all: 29 + - weight >= 10 30 + - weight < 20 31 + action: CHALLENGE 32 + challenge: 33 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 34 + algorithm: fast 35 + difficulty: 2 # two leading zeros, very fast for most clients 36 + report_as: 2 37 + - name: mild-proof-of-work 38 + expression: 39 + all: 40 + - weight >= 20 41 + - weight < 30 42 + action: CHALLENGE 43 + challenge: 44 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 45 + algorithm: fast 46 + difficulty: 4 47 + report_as: 4 48 + # For clients that are browser like and have gained many points from custom rules 49 + - name: extreme-suspicion 50 + expression: weight >= 30 51 + action: CHALLENGE 52 + challenge: 53 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 54 + algorithm: fast 55 + difficulty: 6 56 + report_as: 5
+64
packages/anubis-files/src/policies/forgejo.yaml
··· 1 + bots: 2 + - import: CUSTOM/policies/meta/base.yaml 3 + - import: (data)/clients/git.yaml 4 + - import: (data)/apps/gitea-rss-feeds.yaml 5 + 6 + # Allow forgejo runner connections from localhost and tailscale 7 + - name: forgejo-runner 8 + user_agent_regex: connect-go 9 + action: ALLOW 10 + 11 + dnsbl: false 12 + openGraph: 13 + enabled: true 14 + considerHost: false 15 + ttl: 24h 16 + status_codes: 17 + CHALLENGE: 200 18 + DENY: 200 19 + thresholds: 20 + - name: minimal-suspicion 21 + expression: weight <= 0 22 + action: ALLOW 23 + - name: mild-suspicion 24 + expression: 25 + all: 26 + - weight > 0 27 + - weight < 10 28 + action: CHALLENGE 29 + challenge: 30 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh 31 + algorithm: metarefresh 32 + difficulty: 1 33 + report_as: 1 34 + - name: moderate-suspicion 35 + expression: 36 + all: 37 + - weight >= 10 38 + - weight < 20 39 + action: CHALLENGE 40 + challenge: 41 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 42 + algorithm: fast 43 + difficulty: 2 # two leading zeros, very fast for most clients 44 + report_as: 2 45 + - name: mild-proof-of-work 46 + expression: 47 + all: 48 + - weight >= 20 49 + - weight < 30 50 + action: CHALLENGE 51 + challenge: 52 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 53 + algorithm: fast 54 + difficulty: 4 55 + report_as: 4 56 + # For clients that are browser like and have gained many points from custom rules 57 + - name: extreme-suspicion 58 + expression: weight >= 30 59 + action: CHALLENGE 60 + challenge: 61 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 62 + algorithm: fast 63 + difficulty: 6 64 + report_as: 5
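Review bot: The `forgejo-runner` rule is commented as allowing connections "from localhost and tailscale", but it matches only `user_agent_regex: connect-go`, a header any client can send, so every request carrying that User-Agent skips the challenges. Add an address constraint to the rule, e.g. `remote_addresses: ["127.0.0.0/8", "<tailnet CIDR>"]` (placeholder), so the rule does what its comment says. The same User-Agent-only ALLOW pattern appears in `allow-nextcloud-server` (nextcloud-office.yaml) and in `allow-android-apps` and `allow-thunderbird-filelink` (nextcloud.yaml). Those serve client apps on arbitrary networks, so there it is a trade-off that deserves a comment rather than a fix.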
+54
packages/anubis-files/src/policies/meta/base.yaml
··· 1 + # keep-sorted start 2 + - import: (data)/bots/_deny-pathological.yaml 3 + - import: (data)/bots/aggressive-brazilian-scrapers.yaml 4 + - import: (data)/clients/x-firefox-ai.yaml 5 + - import: (data)/common/keep-internet-working.yaml 6 + - import: (data)/common/rfc-violations.yaml 7 + - import: (data)/crawlers/_allow-good.yaml 8 + - import: (data)/meta/ai-block-aggressive.yaml 9 + # keep-sorted end 10 + - name: realistic-browser-catchall 11 + expression: 12 + all: 13 + - '"User-Agent" in headers' 14 + - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )' 15 + - '"Accept" in headers' 16 + - '"Sec-Fetch-Dest" in headers' 17 + - '"Sec-Fetch-Mode" in headers' 18 + - '"Sec-Fetch-Site" in headers' 19 + - '"Accept-Encoding" in headers' 20 + - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )' 21 + - '"Accept-Language" in headers' 22 + action: WEIGH 23 + weight: 24 + adjust: -10 25 + # The Upgrade-Insecure-Requests header is typically sent by browsers, but not always 26 + - name: upgrade-insecure-requests 27 + expression: '"Upgrade-Insecure-Requests" in headers' 28 + action: WEIGH 29 + weight: 30 + adjust: -2 31 + # Chrome should behave like Chrome 32 + - name: chrome-is-proper 33 + expression: 34 + all: 35 + - userAgent.contains("Chrome") 36 + - '"Sec-Ch-Ua" in headers' 37 + - 'headers["Sec-Ch-Ua"].contains("Chromium")' 38 + - '"Sec-Ch-Ua-Mobile" in headers' 39 + - '"Sec-Ch-Ua-Platform" in headers' 40 + action: WEIGH 41 + weight: 42 + adjust: -5 43 + - name: should-have-accept 44 + expression: '!("Accept" in headers)' 45 + action: WEIGH 46 + weight: 47 + adjust: 5 48 + # Generic catchall rule 49 + - name: generic-browser 50 + user_agent_regex: >- 51 + Mozilla|Opera|Chrome|Chromium 52 + action: WEIGH 53 + weight: 54 + adjust: 10
packages/anubis-files/src/policies/meta/openGraph.yaml

This is a binary file and will not be displayed.

+56
packages/anubis-files/src/policies/nextcloud-office.yaml
··· 1 + bots: 2 + - import: CUSTOM/policies/meta/base.yaml 3 + # Allow requests from the nextcloud server to bypass checks 4 + - name: allow-nextcloud-server 5 + user_agent_regex: ^Nextcloud Server / richdocuments$ 6 + action: ALLOW 7 + dnsbl: false 8 + status_codes: 9 + CHALLENGE: 200 10 + DENY: 200 11 + thresholds: 12 + - name: minimal-suspicion 13 + expression: weight <= 0 14 + action: ALLOW 15 + - name: mild-suspicion 16 + expression: 17 + all: 18 + - weight > 0 19 + - weight < 10 20 + action: CHALLENGE 21 + challenge: 22 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh 23 + algorithm: metarefresh 24 + difficulty: 1 25 + report_as: 1 26 + - name: moderate-suspicion 27 + expression: 28 + all: 29 + - weight >= 10 30 + - weight < 20 31 + action: CHALLENGE 32 + challenge: 33 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 34 + algorithm: fast 35 + difficulty: 2 # two leading zeros, very fast for most clients 36 + report_as: 2 37 + - name: mild-proof-of-work 38 + expression: 39 + all: 40 + - weight >= 20 41 + - weight < 30 42 + action: CHALLENGE 43 + challenge: 44 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 45 + algorithm: fast 46 + difficulty: 4 47 + report_as: 4 48 + # For clients that are browser like and have gained many points from custom rules 49 + - name: extreme-suspicion 50 + expression: weight >= 30 51 + action: CHALLENGE 52 + challenge: 53 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 54 + algorithm: fast 55 + difficulty: 6 56 + report_as: 5
+88
packages/anubis-files/src/policies/nextcloud.yaml
··· 1 + bots: 2 + - import: CUSTOM/policies/meta/base.yaml 3 + # Allow android apps that I use 4 + - name: allow-android-apps 5 + user_agent_regex: Nextcloud-android|DAVx5|ICSx5 6 + action: ALLOW 7 + # Allow the Thunderbird Filelink app 8 + - name: allow-thunderbird-filelink 9 + user_agent_regex: ^Filelink for \*cloud.*$ 10 + action: ALLOW 11 + # Allow anyone accessing the **authenticated** DAV endpoint. 12 + - name: allow-dav 13 + path_regex: ^/remote.php/dav/.*$ 14 + action: ALLOW 15 + # Allow public shares so that I can more easily send them 16 + - name: allow-public-shares 17 + path_regex: ^/s/.*$ 18 + action: ALLOW 19 + # Allow clients to load assets to not break public shares 20 + - name: allow-assets 21 + action: ALLOW 22 + expression: 23 + any: 24 + # Dist files from nextcloud core 25 + - 'path.startsWith("/dist/")' 26 + # Core Nextcloud files 27 + - 'path.startsWith("/js/core")' 28 + - 'path.startsWith("/core/css/")' 29 + # Viewer app files 30 + - 'path.startsWith("/apps/viewer")' 31 + # Theme CSS 32 + - 'path.startsWith("/apps/theming/")' 33 + # Public DAV endpoint 34 + - 'path.startsWith("/public.php/dav/files/")' 35 + dnsbl: false 36 + openGraph: 37 + enabled: true 38 + considerHost: false 39 + ttl: 24h 40 + status_codes: 41 + CHALLENGE: 200 42 + DENY: 200 43 + thresholds: 44 + - name: minimal-suspicion 45 + expression: weight <= 0 46 + action: ALLOW 47 + - name: mild-suspicion 48 + expression: 49 + all: 50 + - weight > 0 51 + - weight < 10 52 + action: CHALLENGE 53 + challenge: 54 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh 55 + algorithm: metarefresh 56 + difficulty: 1 57 + report_as: 1 58 + - name: moderate-suspicion 59 + expression: 60 + all: 61 + - weight >= 10 62 + - weight < 20 63 + action: CHALLENGE 64 + challenge: 65 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 66 + algorithm: fast 67 + difficulty: 2 # two leading zeros, very fast for most clients 68 + report_as: 2 69 + - 
name: mild-proof-of-work 70 + expression: 71 + all: 72 + - weight >= 20 73 + - weight < 30 74 + action: CHALLENGE 75 + challenge: 76 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 77 + algorithm: fast 78 + difficulty: 4 79 + report_as: 4 80 + # For clients that are browser like and have gained many points from custom rules 81 + - name: extreme-suspicion 82 + expression: weight >= 30 83 + action: CHALLENGE 84 + challenge: 85 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 86 + algorithm: fast 87 + difficulty: 6 88 + report_as: 5
+63
packages/anubis-files/src/policies/vaultwarden.yaml
··· 1 + bots: 2 + - import: CUSTOM/policies/meta/base.yaml 3 + # Allow bitwarden apps 4 + - name: allow-bitwarden-mobile 5 + user_agent_regex: Bitwarden_Mobile 6 + action: ALLOW 7 + - name: allow-bitwarden-webext 8 + user_agent_regex: Mozilla 9 + action: ALLOW 10 + dnsbl: false 11 + openGraph: 12 + enabled: true 13 + considerHost: false 14 + ttl: 24h 15 + status_codes: 16 + CHALLENGE: 200 17 + DENY: 200 18 + thresholds: 19 + - name: minimal-suspicion 20 + expression: weight <= 0 21 + action: ALLOW 22 + - name: mild-suspicion 23 + expression: 24 + all: 25 + - weight > 0 26 + - weight < 10 27 + action: CHALLENGE 28 + challenge: 29 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh 30 + algorithm: metarefresh 31 + difficulty: 1 32 + report_as: 1 33 + - name: moderate-suspicion 34 + expression: 35 + all: 36 + - weight >= 10 37 + - weight < 20 38 + action: CHALLENGE 39 + challenge: 40 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 41 + algorithm: fast 42 + difficulty: 2 # two leading zeros, very fast for most clients 43 + report_as: 2 44 + - name: mild-proof-of-work 45 + expression: 46 + all: 47 + - weight >= 20 48 + - weight < 30 49 + action: CHALLENGE 50 + challenge: 51 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 52 + algorithm: fast 53 + difficulty: 4 54 + report_as: 4 55 + # For clients that are browser like and have gained many points from custom rules 56 + - name: extreme-suspicion 57 + expression: weight >= 30 58 + action: CHALLENGE 59 + challenge: 60 + # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work 61 + algorithm: fast 62 + difficulty: 6 63 + report_as: 5
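Review bot: `allow-bitwarden-webext` uses `user_agent_regex: Mozilla` with `action: ALLOW`, and nearly every browser, plus most automated clients that imitate one, sends a User-Agent containing `Mozilla`, so this rule presumably lets almost all traffic through before the weight thresholds below are consulted. The imported base.yaml adds weight for the same pattern (`generic-browser`, `adjust: 10`), which this rule makes moot. Narrow the match to something specific to the extension, for example a `path_regex` limited to the API paths it calls or a stricter User-Agent pattern, or delete the rule and let the thresholds decide.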
+26
packages/bgutil-pot-server/librusty_v8.nix
··· 1 + # COPIED FROM nixpkgs/pkgs/by-name/router 2 + { 3 + lib, 4 + stdenv, 5 + fetchurl, 6 + }: 7 + 8 + let 9 + fetch_librusty_v8 = 10 + args: 11 + fetchurl { 12 + name = "librusty_v8-${args.version}"; 13 + url = "https://github.com/denoland/rusty_v8/releases/download/v${args.version}/librusty_v8_release_${stdenv.hostPlatform.rust.rustcTarget}.a"; 14 + sha256 = args.shas.${stdenv.hostPlatform.system}; 15 + meta = { 16 + inherit (args) version; 17 + sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; 18 + }; 19 + }; 20 + in 21 + fetch_librusty_v8 { 22 + version = "130.0.7"; 23 + shas = { 24 + x86_64-linux = "sha256-pkdsuU6bAkcIHEZUJOt5PXdzK424CEgTLXjLtQ80t10="; 25 + }; 26 + }
+49
packages/bgutil-pot-server/package.nix
··· 1 + { 2 + lib, 3 + callPackage, 4 + rustPlatform, 5 + fetchFromGitHub, 6 + pkg-config, 7 + openssl, 8 + _experimental-update-script-combinators, 9 + nix-update-script, 10 + }: 11 + rustPlatform.buildRustPackage (finalAttrs: { 12 + pname = "bgutil-pot-server"; 13 + version = "0.6.0"; 14 + 15 + src = fetchFromGitHub { 16 + owner = "jim60105"; 17 + repo = "bgutil-ytdlp-pot-provider-rs"; 18 + tag = "v${finalAttrs.version}"; 19 + hash = "sha256-kEu5WqOymH8yAyMhGKtVPOq3qlTRpFU/FO71uWEX/e8="; 20 + }; 21 + 22 + cargoHash = "sha256-fJZeyIsFUfpWeC1MWsU1hANb6cqC9xHQOnhcohEMTeM="; 23 + 24 + nativeBuildInputs = [ 25 + pkg-config 26 + ]; 27 + 28 + buildInputs = [ 29 + openssl 30 + ]; 31 + 32 + env.RUSTY_V8_ARCHIVE = callPackage ./librusty_v8.nix { }; 33 + 34 + doCheck = false; 35 + 36 + passthru.updateScript = _experimental-update-script-combinators.sequence [ 37 + (nix-update-script { }) 38 + ./update-librusty.sh 39 + ]; 40 + 41 + meta = { 42 + changelog = "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs/releases/tag/v${finalAttrs.version}"; 43 + description = "Proof-of-origin token provider plugin for yt-dlp in Rust"; 44 + homepage = "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs"; 45 + license = lib.licenses.gpl3Plus; 46 + maintainers = with lib.maintainers; [ pyrox0 ]; 47 + mainProgram = "bgutil-pot"; 48 + }; 49 + })
+45
packages/bgutil-pot-server/update-librusty.sh
··· 1 + #!/usr/bin/env nix-shell 2 + #!nix-shell -i bash -p gnugrep gnused nix jq 3 + # shellcheck shell=bash 4 + # COPIED FROM nixpkgs/pkgs/by-name/wi/windmill 5 + 6 + set -eu -o pipefail 7 + 8 + echo "librusty_v8: UPDATING" 9 + 10 + BGUTIL_LATEST_VERSION=$(curl ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} --silent --fail --location "https://api.github.com/repos/jim60105/bgutil-ytdlp-pot-provider-rs/releases/latest" | jq --raw-output .tag_name) 11 + CARGO_LOCK=$(curl ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} --silent --fail --location "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs/raw/$BGUTIL_LATEST_VERSION/Cargo.lock") 12 + 13 + PACKAGE_DIR=$(dirname "$(readlink --canonicalize-existing "${BASH_SOURCE[0]}")") 14 + OUTPUT_FILE="$PACKAGE_DIR/librusty_v8.nix" 15 + NEW_VERSION=$(echo "$CARGO_LOCK" | grep --after-context 5 'name = "v8"' | grep 'version =' | sed -E 's/version = "//;s/"//') 16 + 17 + CURRENT_VERSION="" 18 + if [ -f "$OUTPUT_FILE" ]; then 19 + CURRENT_VERSION="$(grep 'version =' "$OUTPUT_FILE" | sed -E 's/version = "//;s/"//')" 20 + fi 21 + 22 + if [ "$CURRENT_VERSION" == "$NEW_VERSION" ]; then 23 + echo "No update needed, $CURRENT_VERSION is already latest" 24 + exit 0 25 + fi 26 + 27 + x86Hash="$(nix-prefetch-url --type sha256 https://github.com/denoland/rusty_v8/releases/download/v"$NEW_V")" 28 + TEMP_FILE="$OUTPUT_FILE.tmp" 29 + cat >"$TEMP_FILE" <<EOF 30 + # COPIED FROM nixpkgs/pkgs/by-name/wi/windmill 31 + # auto-generated file -- DO NOT EDIT! 32 + { fetchLibrustyV8 }: 33 + 34 + fetchLibrustyV8 { 35 + version = "$NEW_VERSION"; 36 + shas = { 37 + # NOTE; Follows supported platforms of package (see meta.platforms attribute)! 38 + x86_64-linux = "$(nix hash convert --hash-algo sha256 --from nix32 "$x86Hash")"; 39 + }; 40 + } 41 + EOF 42 + 43 + mv "$TEMP_FILE" "$OUTPUT_FILE" 44 + 45 + echo "librusty_v8: UPDATE DONE"
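Review bot: The `nix-prefetch-url` line expands `"$NEW_V"`, which is never assigned (the variable defined above is `NEW_VERSION`), so under `set -u` the script aborts whenever an update is actually needed; the URL also stops at the release tag and names no artifact. Going by the URL built in librusty_v8.nix, it should end in `/download/v$NEW_VERSION/librusty_v8_release_x86_64-unknown-linux-gnu.a`. The heredoc then writes a `{ fetchLibrustyV8 }:` file, which does not match the hand-written librusty_v8.nix in this package (`{ lib, stdenv, fetchurl }:`) and would not evaluate under `callPackage ./librusty_v8.nix { }` in package.nix. `curl` is used but missing from the `nix-shell -p` list.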
-24
packages/doc2dash/default.nix
··· 1 - { 2 - fetchFromGitHub, 3 - python3Packages, 4 - }: python3Packages.buildPythonApplication rec { 5 - pname = "doc2dash"; 6 - version = "3.1.0"; 7 - pyproject = true; 8 - 9 - src = fetchFromGitHub { 10 - owner = "hynek"; 11 - repo = "doc2dash"; 12 - rev = version; 13 - hash = "sha256-u6K+BDc9tUxq4kCekTaqQLtNN/OLVc3rh14sVSfPtoQ="; 14 - }; 15 - 16 - build-system = with python3Packages; [ hatchling hatch-vcs hatch-fancy-pypi-readme]; 17 - 18 - dependencies = with python3Packages; [attrs beautifulsoup4 click rich]; 19 - 20 - nativeCheckInputs = with python3Packages; [ 21 - pytestCheckHook 22 - pytest-cov-stub 23 - ]; 24 - }
+34
packages/doc2dash/package.nix
··· 1 + { 2 + fetchFromGitHub, 3 + python3Packages, 4 + }: 5 + python3Packages.buildPythonApplication rec { 6 + pname = "doc2dash"; 7 + version = "3.1.0"; 8 + pyproject = true; 9 + 10 + src = fetchFromGitHub { 11 + owner = "hynek"; 12 + repo = "doc2dash"; 13 + rev = version; 14 + hash = "sha256-u6K+BDc9tUxq4kCekTaqQLtNN/OLVc3rh14sVSfPtoQ="; 15 + }; 16 + 17 + build-system = with python3Packages; [ 18 + hatchling 19 + hatch-vcs 20 + hatch-fancy-pypi-readme 21 + ]; 22 + 23 + dependencies = with python3Packages; [ 24 + attrs 25 + beautifulsoup4 26 + click 27 + rich 28 + ]; 29 + 30 + nativeCheckInputs = with python3Packages; [ 31 + pytestCheckHook 32 + pytest-cov-stub 33 + ]; 34 + }
+147
packages/glide-browser-bin/package.nix
··· 1 + { 2 + lib, 3 + stdenv, 4 + fetchurl, 5 + # keep-sorted start 6 + adwaita-icon-theme, 7 + alsa-lib, 8 + autoPatchelfHook, 9 + copyDesktopItems, 10 + curl, 11 + dbus-glib, 12 + gtk3, 13 + hicolor-icon-theme, 14 + libXtst, 15 + libva, 16 + makeBinaryWrapper, 17 + makeDesktopItem, 18 + patchelfUnstable, 19 + pciutils, 20 + pipewire, 21 + wrapGAppsHook3, 22 + # keep-sorted end 23 + nix-update-script, 24 + ... 25 + }: 26 + stdenv.mkDerivation (finalAttrs: { 27 + pname = "glide-browser"; 28 + version = "0.1.55a"; 29 + 30 + src = fetchurl { 31 + url = "https://github.com/glide-browser/glide/releases/download/${finalAttrs.version}/glide.linux-x86_64.tar.xz"; 32 + hash = "sha256-mjk8KmB/T5ZpB9AMQw1mtb9VbMXVX2VV4N+hWpWkSYI="; 33 + }; 34 + 35 + nativeBuildInputs = [ 36 + # keep-sorted start 37 + autoPatchelfHook 38 + copyDesktopItems 39 + makeBinaryWrapper 40 + patchelfUnstable 41 + wrapGAppsHook3 42 + # keep-sorted end 43 + ]; 44 + 45 + buildInputs = [ 46 + # keep-sorted start 47 + adwaita-icon-theme 48 + alsa-lib 49 + dbus-glib 50 + gtk3 51 + hicolor-icon-theme 52 + libXtst 53 + # keep-sorted end 54 + ]; 55 + 56 + runtimeDependencies = [ 57 + # keep-sorted start 58 + curl 59 + libva.out 60 + pciutils 61 + # keep-sorted end 62 + ]; 63 + 64 + appendRunpaths = [ "${pipewire}/lib" ]; 65 + 66 + # Firefox uses "relrhack" to manually process relocations from a fixed offset 67 + patchelfFlags = [ "--no-clobber-old-sections" ]; 68 + 69 + installPhase = '' 70 + runHook preInstall 71 + 72 + mkdir -p $out/bin $out/share/icons/hicolor/ $out/lib/glide-browser-bin-${finalAttrs.version} 73 + cp -t $out/lib/glide-browser-bin-${finalAttrs.version} -r * 74 + chmod +x $out/lib/glide-browser-bin-${finalAttrs.version}/glide 75 + iconDir=$out/share/icons/hicolor 76 + browserIcons=$out/lib/glide-browser-bin-${finalAttrs.version}/browser/chrome/icons/default 77 + 78 + for i in 16 32 48 64 128; do 79 + iconSizeDir="$iconDir/''${i}x$i/apps" 80 + mkdir -p $iconSizeDir 81 + cp 
$browserIcons/default$i.png $iconSizeDir/glide-browser.png 82 + done 83 + 84 + 85 + ln -s $out/lib/glide-browser-bin-${finalAttrs.version}/glide $out/bin/glide 86 + ln -s $out/bin/glide $out/bin/glide-browser 87 + 88 + runHook postInstall 89 + ''; 90 + 91 + desktopItems = [ 92 + (makeDesktopItem { 93 + name = "glide-browser-bin"; 94 + exec = "glide-browser --name glide-browser %U"; 95 + icon = "glide-browser"; 96 + desktopName = "Glide Browser"; 97 + genericName = "Web Browser"; 98 + terminal = false; 99 + startupNotify = true; 100 + startupWMClass = "glide-browser"; 101 + categories = [ 102 + "Network" 103 + "WebBrowser" 104 + ]; 105 + mimeTypes = [ 106 + "text/html" 107 + "text/xml" 108 + "application/xhtml+xml" 109 + "application/vnd.mozilla.xul+xml" 110 + "x-scheme-handler/http" 111 + "x-scheme-handler/https" 112 + ]; 113 + actions = { 114 + new-window = { 115 + name = "New Window"; 116 + exec = "glide-browser --new-window %U"; 117 + }; 118 + new-private-window = { 119 + name = "New Private Window"; 120 + exec = "glide-browser --private-window %U"; 121 + }; 122 + profile-manager-window = { 123 + name = "Profile Manager"; 124 + exec = "glide-browser --ProfileManager"; 125 + }; 126 + }; 127 + }) 128 + ]; 129 + 130 + passthru.updateScript = nix-update-script { 131 + extraArgs = [ 132 + "--url" 133 + "https://github.com/glide-browser/glide" 134 + ]; 135 + }; 136 + 137 + meta = { 138 + changelog = "https://glide-browser.app/changelog#${finalAttrs.version}"; 139 + description = "Extensible and keyboard-focused web browser, based on Firefox (binary package)"; 140 + homepage = "https://glide-browser.app/"; 141 + license = lib.licenses.mpl20; 142 + sourceProvenance = [ lib.sourceTypes.binaryNativeCode ]; 143 + platforms = [ "x86_64-linux" ]; 144 + maintainers = with lib.maintainers; [ pyrox0 ]; 145 + mainProgram = "glide-browser"; 146 + }; 147 + })
+34
packages/jellyfin-exporter/package.nix
··· 1 + { 2 + lib, 3 + buildGoModule, 4 + fetchFromGitHub, 5 + ... 6 + }: 7 + buildGoModule (finalAttrs: { 8 + pname = "jellyfin-exporter"; 9 + version = "1.3.9"; 10 + 11 + src = fetchFromGitHub { 12 + owner = "rebelcore"; 13 + repo = "jellyfin_exporter"; 14 + tag = "v${finalAttrs.version}"; 15 + hash = "sha256-oHPzdV+Fe7XmSyRWm5jh7oGqlY9uyLy7u9tCTlkfhQk="; 16 + }; 17 + 18 + # We need to patch the tests since we don't move the binary to `$GOPATH/bin`, but to `$out/bin` instead. 19 + postPatch = '' 20 + substituteInPlace jellyfin_exporter_test.go \ 21 + --replace-fail "GOPATH" "out" 22 + ''; 23 + 24 + vendorHash = "sha256-Z3XM4vTsm5R/Me1jR9oqLcWqmEn1bd653UNvDKLM80g="; 25 + 26 + meta = { 27 + changelog = "https://github.com/rebelcore/jellyfin_exporter/blob/v${finalAttrs.version}/CHANGELOG.md"; 28 + description = "Jellyfin Media System metrics exporter for prometheus"; 29 + homepage = "https://github.com/rebelcore/jellyfin_exporter"; 30 + license = lib.licenses.asl20; 31 + maintainers = with lib.maintainers; [ pyrox0 ]; 32 + mainProgram = "jellyfin_exporter"; 33 + }; 34 + })
-45
packages/olympus/default.nix
··· 1 - { pkgs }: 2 - let 3 - olympus = pkgs.stdenv.mkDerivation rec { 4 - pname = "olympus"; 5 - version = "4238"; 6 - 7 - # https://everestapi.github.io/ 8 - src = pkgs.fetchzip { 9 - url = "https://dev.azure.com/EverestAPI/Olympus/_apis/build/builds/${version}/artifacts?artifactName=linux.main&$format=zip#linux.main.zip"; 10 - hash = "sha256-KWDr4KsF23iDWA9h/r+cnpDIKKwCVVOfuh6sjvXSnII="; 11 - }; 12 - 13 - buildInputs = [ pkgs.unzip ]; 14 - installPhase = '' 15 - mkdir -p "$out/opt/olympus/" 16 - mv dist.zip "$out/opt/olympus/" && cd "$out/opt/olympus/" 17 - 18 - unzip dist.zip && rm dist.zip 19 - mkdir $out && echo XDG_DATA_HOME=$out 20 - 21 - echo y | XDG_DATA_HOME="$out/share/" bash install.sh 22 - sed -i "/ldconfig/d" ./love 23 - sed -i "s/Exec=.*/Exec=olympus %u/g" ../../share/applications/Olympus.desktop 24 - ''; 25 - }; 26 - in 27 - pkgs.buildFHSEnv { 28 - name = "olympus"; 29 - runScript = "${olympus}/opt/olympus/olympus"; 30 - targetPkgs = pkgs: [ 31 - pkgs.freetype 32 - pkgs.zlib 33 - pkgs.SDL2 34 - pkgs.curl 35 - pkgs.libpulseaudio 36 - pkgs.gtk3 37 - pkgs.glib 38 - pkgs.libGL 39 - pkgs.libdrm 40 - ]; 41 - 42 - # https://github.com/EverestAPI/Olympus/blob/main/lib-linux/olympus.desktop 43 - # https://stackoverflow.com/questions/8822097/how-to-replace-a-whole-line-with-sed 44 - extraInstallCommands = ''cp -r "${olympus}/share/" $out''; 45 - }
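--- a/packages/pingvin-share-config/package.nix
+++ b/packages/pingvin-share-config/package.nix
@@ -0,0 +1,19 @@
+{
+pkgs,
+stdenv,
+settings ? { },
+...
+}:
+let
+format = pkgs.formats.yaml { };
+file = format.generate "config.yaml" settings;
+in
+stdenv.mkDerivation {
+pname = "pingvin-share-config";
+version = "1.0.0";
+
+installPhase = ''
+mkdir $out
+cp ${file} $out/config.yaml
+'';
+}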
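Review bot: `stdenv.mkDerivation` is called here without `src`, and the default unpack phase stops with an error when neither `src` nor `srcs` is set, so `installPhase` is never reached; add `dontUnpack = true;` next to `version`. Since `settings` is rendered by `format.generate` into the Nix store, which every local user can read, I would also add a comment such as `# settings end up world-readable in /nix/store: keep credentials out and inject them at runtime`. The `mkdir`/`cp` pair could be wrapped in `runHook preInstall` / `runHook postInstall`, as the other packages in this commit do.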
+138
packages/planka/package.nix
··· 1 + { 2 + lib, 3 + stdenv, 4 + fetchFromGitHub, 5 + fetchNpmDeps, 6 + nix-update-script, 7 + npmHooks, 8 + dart-sass, 9 + nodejs, 10 + python3, 11 + }: 12 + let 13 + version = "2.0.0-rc.4"; 14 + src = fetchFromGitHub { 15 + owner = "plankanban"; 16 + repo = "planka"; 17 + tag = "v${version}"; 18 + hash = "sha256-RUOIOXrpoNGxoKwUlgkPsk4kTnA95E+iwYIjBzSBoTA="; 19 + }; 20 + meta = { 21 + description = "Kanban-style project mastering tool for everyone"; 22 + homepage = "https://docs.planka.cloud/"; 23 + license = { 24 + fullName = "Planka Community License"; 25 + url = "https://github.com/plankanban/planka/blob/master/LICENSE.md"; 26 + free = false; 27 + redistributable = true; 28 + }; 29 + maintainers = with lib.maintainers; [ pyrox0 ]; 30 + }; 31 + 32 + frontend = stdenv.mkDerivation (finalAttrs: { 33 + pname = "planka-frontend"; 34 + inherit version src meta; 35 + 36 + sourceRoot = "${finalAttrs.src.name}/client"; 37 + 38 + npmDeps = fetchNpmDeps { 39 + inherit (finalAttrs) src sourceRoot; 40 + hash = "sha256-XtVwO8253XBVtG0jrikeVr1yaS1PpphCbN5B6jz54qc="; 41 + }; 42 + 43 + npmFlags = [ 44 + "--ignore-scripts" 45 + ]; 46 + 47 + nativeBuildInputs = [ 48 + npmHooks.npmConfigHook 49 + nodejs 50 + dart-sass 51 + ]; 52 + 53 + buildPhase = '' 54 + runHook preBuild 55 + 56 + npx patch-package 57 + 58 + # Replace dart path in sass-embedded since node_modules doesn't have the native binary 59 + substituteInPlace node_modules/sass-embedded/dist/lib/src/compiler-path.js \ 60 + --replace-fail 'compilerCommand = (() => {' 'compilerCommand = (() => { return ["${lib.getExe dart-sass}"];' 61 + 62 + npm run build 63 + 64 + runHook postBuild 65 + ''; 66 + 67 + installPhase = '' 68 + runHook preInstall 69 + 70 + mkdir $out/ 71 + mv dist $out/dist 72 + 73 + runHook postInstall 74 + ''; 75 + }); 76 + 77 + serverPython = python3.withPackages (ps: [ ps.apprise ]); 78 + in 79 + stdenv.mkDerivation (finalAttrs: { 80 + pname = "planka"; 81 + inherit version src; 82 + 83 + sourceRoot = 
"${finalAttrs.src.name}/server"; 84 + 85 + npmDeps = fetchNpmDeps { 86 + inherit (finalAttrs) src sourceRoot; 87 + hash = "sha256-yW9uzPALGdPrrUV129ToXayLyeLbAK9mCl2emCPYUdc="; 88 + }; 89 + 90 + npmFlags = [ "--ignore-scripts" ]; 91 + 92 + nativeBuildInputs = [ 93 + npmHooks.npmConfigHook 94 + nodejs 95 + ]; 96 + 97 + buildInputs = [ 98 + serverPython 99 + nodejs 100 + ]; 101 + 102 + preBuild = '' 103 + # Patch notifs helper to use nixpkgs' python 104 + substituteInPlace api/helpers/utils/send-notifications.js \ 105 + --replace-fail '(`$' '(`' \ 106 + --replace-fail "{sails.config.appPath}/.venv/bin/python3" "${lib.getExe serverPython}" 107 + ''; 108 + 109 + buildPhase = '' 110 + runHook preBuild 111 + 112 + npx patch-package 113 + 114 + runHook postBuild 115 + ''; 116 + 117 + installPhase = '' 118 + runHook preInstall 119 + 120 + npm prune --omit=dev --no-save $npmFlags "$${npmFlagsArray[@]}" 121 + find node_modules -maxdepth 1 -type d -empty -delete 122 + 123 + mkdir -p $out/lib/node_modules/planka 124 + mkdir $out/bin 125 + mv * $out/lib/node_modules/planka 126 + cp -t $out/lib/node_modules/planka/public -r ${frontend}/dist/* 127 + cp ${frontend}/dist/index.html $out/lib/node_modules/planka/views/index.html 128 + 129 + ln -s $out/lib/node_modules/planka/start.sh $out/bin/planka 130 + 131 + runHook postInstall 132 + ''; 133 + 134 + passthru.updateScript = nix-update-script { extraArgs = [ "--version=unstable" ]; }; 135 + meta = meta // { 136 + mainProgram = "planka"; 137 + }; 138 + })
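Review bot: In the server derivation's `installPhase`, `"$${npmFlagsArray[@]}"` is probably not what was meant: Nix leaves `$${` as literal text, so bash sees `$$` (the shell's PID) followed by the literal `{npmFlagsArray[@]}` and hands that string to `npm prune`. Inside an indented string the escape is `''${npmFlagsArray[@]}`, the form the glide-browser package in this commit already uses for `''${i}`; since `npmFlagsArray` is never set in this file, dropping the argument would also work. I have not run the build, so please confirm against a build log.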
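--- a/packages.nix
+++ b/packages.nix
@@ -0,0 +1,26 @@
+{
+perSystem =
+{
+pkgs,
+lib,
+...
+}:
+let
+packages = lib.packagesFromDirectoryRecursive {
+inherit (pkgs) callPackage;
+directory = ./packages;
+};
+in
+{
+legacyPackages = packages;
+packages = lib.filterAttrs (
+_: pkg:
+let
+isDerivation = lib.isDerivation pkg;
+availableOnHost = lib.meta.availableOn pkgs.stdenv.hostPlatform pkg;
+isBroken = pkg.meta.broken or false;
+in
+isDerivation && !isBroken && availableOnHost
+) packages;
+};
+}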
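Review bot: The filter behind `packages` has no comment saying what it drops and why, which matters because `legacyPackages` and `packages` now differ silently. I would put `# packages: only top-level derivations that are not marked broken and are available on the host platform; everything else stays reachable through legacyPackages` above the `lib.filterAttrs` call. The predicate does not look at `meta.license`, so the planka package added in this commit (declared with `free = false`) stays in `packages`; whether that evaluates depends on the nixpkgs config, which is not visible here.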
-15
shells/default/default.nix
··· 1 - { 2 - pkgs, 3 - ... 4 - }: 5 - pkgs.mkShellNoCC { 6 - packages = [ 7 - pkgs.deadnix 8 - pkgs.just 9 - pkgs.nil 10 - pkgs.nix-tree 11 - pkgs.nixd 12 - pkgs.nixfmt-rfc-style 13 - pkgs.statix 14 - ]; 15 - }
-58
systems/x86_64-linux/marvin/bootloader.nix
··· 1 - { pkgs, ... }: 2 - let 3 - fileSystems = { 4 - btrfs = true; 5 - ext4 = true; 6 - vfat = true; 7 - zfs = true; 8 - }; 9 - in 10 - { 11 - boot = { 12 - extraModulePackages = [ ]; 13 - kernelModules = [ "kvm-amd" ]; 14 - kernelPackages = pkgs.linuxPackages_6_1; 15 - kernelParams = [ "nohibernate" ]; 16 - supportedFilesystems = fileSystems; 17 - zfs.devNodes = "/dev/"; 18 - 19 - # Initrd config 20 - initrd = { 21 - availableKernelModules = [ 22 - "xhci_pci" 23 - "ahci" 24 - "nvme" 25 - "usbhid" 26 - "usb_storage" 27 - "sd_mod" 28 - ]; 29 - supportedFilesystems = fileSystems; 30 - kernelModules = [ ]; 31 - }; 32 - 33 - # Systemd-boot config 34 - loader = { 35 - systemd-boot.enable = true; 36 - systemd-boot.configurationLimit = 5; 37 - efi = { 38 - canTouchEfiVariables = true; 39 - efiSysMountPoint = "/boot/efi"; 40 - }; 41 - }; 42 - 43 - kernel.sysctl = { 44 - "net.ipv4.ip_forward" = 1; 45 - "net.ipv6.conf.all.forwarding" = 1; 46 - }; 47 - 48 - # ZFS Config 49 - # I use ZFS as my bulk data storage 50 - # zfs = { 51 - # enabled = true; 52 - # }; 53 - }; 54 - # ZFS mount stuff 55 - services.udev.extraRules = '' 56 - ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none" 57 - ''; 58 - }
-78
systems/x86_64-linux/marvin/default.nix
··· 1 - { system, ... }: 2 - { 3 - imports = [ 4 - # Machine-specific configurations. 5 - ./bootloader.nix 6 - ./firewall.nix 7 - ./networking.nix 8 - ./hardware.nix 9 - 10 - # Running Services 11 - ./services/authentik.nix 12 - ./services/avahi.nix 13 - ./services/bots.nix 14 - ./services/deemix.nix 15 - ./services/git.nix 16 - ./services/golink.nix 17 - ./services/grafana.nix 18 - ./services/iceshrimp.nix 19 - ./services/jellyfin.nix 20 - ./services/matrix.nix 21 - ./services/miniflux.nix 22 - ./services/nginx.nix 23 - ./services/nextcloud 24 - ./services/pinchflat.nix 25 - ./services/planka.nix 26 - ./services/podman.nix 27 - ./services/postgres.nix 28 - ./services/prometheus.nix 29 - # ./services/redlib.nix 30 - ./services/scrutiny.nix 31 - ./services/syncthing.nix 32 - ./services/tailscale.nix 33 - ./services/vaultwarden.nix 34 - ./services/zfs.nix 35 - ]; 36 - nix.settings.max-jobs = 12; 37 - nixpkgs.hostPlatform.system = system; 38 - networking = { 39 - networkmanager = { 40 - enable = true; 41 - }; 42 - wireless = { 43 - enable = false; 44 - }; 45 - }; 46 - fileSystems = { 47 - "/" = { 48 - fsType = "btrfs"; 49 - device = "/dev/disk/by-uuid/f15e4072-80dc-414e-a1fc-158ea441aebd"; 50 - # options = [ "subvol=@" ]; 51 - }; 52 - "/boot/efi" = { 53 - fsType = "vfat"; 54 - device = "/dev/disk/by-uuid/EE05-66B4"; 55 - }; 56 - "/var" = { 57 - fsType = "zfs"; 58 - device = "tank/var"; 59 - options = [ "zfsutil" ]; 60 - }; 61 - "/var/log/journal" = { 62 - fsType = "zfs"; 63 - device = "tank/var/log/journal"; 64 - options = [ "zfsutil" ]; 65 - }; 66 - }; 67 - swapDevices = [ { device = "/dev/disk/by-uuid/e69409bc-9cf0-4795-8620-33a021a4b729"; } ]; 68 - users.groups.misc.gid = 1000; 69 - time.timeZone = "America/New_York"; 70 - py = { 71 - users.default.enable = true; 72 - programs = { 73 - fish.enable = true; 74 - neovim.enable = true; 75 - }; 76 - }; 77 - services.pulseaudio.enable = false; 78 - }
-18
systems/x86_64-linux/marvin/firewall.nix
··· 1 - { 2 - networking.firewall = { 3 - allowedTCPPorts = [ 4 - 80 5 - 443 6 - 6912 7 - 34197 8 - ]; 9 - allowedUDPPorts = [ 10 - 4367 11 - 34197 12 - ]; 13 - trustedInterfaces = [ 14 - "tailscale0" 15 - "wg0" 16 - ]; 17 - }; 18 - }
-12
systems/x86_64-linux/marvin/hardware.nix
··· 1 - { 2 - hardware = { 3 - enableAllFirmware = true; 4 - enableRedistributableFirmware = true; 5 - bluetooth.enable = false; 6 - bumblebee.enable = false; 7 - ckb-next.enable = false; 8 - cpu.amd.updateMicrocode = true; 9 - gpgSmartcards.enable = true; 10 - graphics.enable = false; 11 - }; 12 - }
-35
systems/x86_64-linux/marvin/networking.nix
··· 1 - { lib, pkgs, ... }: 2 - { 3 - networking = { 4 - hostName = "marvin"; 5 - hostId = "5711215d"; 6 - enableIPv6 = true; 7 - useDHCP = lib.mkDefault true; 8 - interfaces = { 9 - enp42s0.useDHCP = lib.mkDefault true; 10 - wlp41s0.useDHCP = lib.mkDefault true; 11 - }; 12 - networkmanager = { 13 - enable = true; 14 - }; 15 - wireless.enable = false; 16 - 17 - # Enable NAT for containers 18 - nat = { 19 - enable = true; 20 - internalInterfaces = [ "ve-+" ]; 21 - externalInterface = "wlp41s0"; 22 - # Lazy IPv6 connectivity for the container 23 - enableIPv6 = true; 24 - }; 25 - }; 26 - systemd.services.wpa_supplicant.environment.OPENSSL_CONF = pkgs.writeText "openssl.cnf" '' 27 - openssl_conf = openssl_init 28 - [openssl_init] 29 - ssl_conf = ssl_sect 30 - [ssl_sect] 31 - system_default = system_default_sect 32 - [system_default_sect] 33 - Options = UnsafeLegacyRenegotiation 34 - ''; 35 - }
-88
systems/x86_64-linux/marvin/services/authentik.nix
··· 1 - { config, lib, ... }: 2 - let 3 - d = lib.py.data.services.authentik; 4 - in 5 - { 6 - virtualisation.oci-containers.containers = 7 - let 8 - authentikVersion = "2024.10"; 9 - base = { 10 - environmentFiles = [ config.age.secrets.authentik-env.path ]; 11 - extraOptions = [ "--network=authentik" ]; 12 - }; 13 - authentikBase = base // { 14 - image = "ghcr.io/goauthentik/server:${authentikVersion}"; 15 - environment = { 16 - AUTHENTIK_REDIS__HOST = "authentik-redict"; 17 - 18 - # Postgres Settings 19 - AUTHENTIK_POSTGRESQL__HOST = "authentik-db"; 20 - AUTHENTIK_POSTGRESQL__PORT = "5432"; 21 - AUTHENTIK_POSTGRESQL__USER = "authentik"; 22 - AUTHENTIK_POSTGRESQL__NAME = "authentik"; 23 - AUTHENTIK_POSTGRESQL__PASSWORD = "\${PG_PASS}"; 24 - 25 - # Disable error reporting 26 - AUTHENTIK_ERROR_REPORTING__ENABLED = "false"; 27 - 28 - # Avatars are an attribute based on an uploaded file 29 - AUTHENTIK_AVATARS = "attributes.user.avatar"; 30 - 31 - # Email Settings 32 - AUTHENTIK_EMAIL__HOST = "mail.pyrox.dev"; 33 - AUTHENTIK_EMAIL__USERNAME = "auth@pyrox.dev"; 34 - AUTHENTIK_EMAIL__PORT = "465"; 35 - AUTHENTIK_EMAIL__USE_TLS = "true"; 36 - AUTHENTIK_EMAIL__FROM = "PyroServ Auth <auth@pyrox.dev>"; 37 - }; 38 - }; 39 - authentikVols = [ 40 - "/var/lib/authentik/media:/media" 41 - "/var/lib/authentik/templates:/templates" 42 - ]; 43 - in 44 - { 45 - authentik-db = base // { 46 - image = "postgres:12-alpine"; 47 - volumes = [ "/var/lib/authentik/db_12:/var/lib/postgresql/data" ]; 48 - environment = { 49 - POSTGRES_PASSWORD = "\${PG_PASS}"; 50 - POSTGRES_USER = "authentik"; 51 - POSTGRES_DB = "authentik"; 52 - }; 53 - }; 54 - authentik-redict = { 55 - image = "registry.redict.io/redict:alpine"; 56 - extraOptions = [ "--network=authentik" ]; 57 - }; 58 - authentik-server = authentikBase // { 59 - cmd = [ "server" ]; 60 - ports = [ 61 - "${toString d.port}:9000" 62 - "6943:9443" 63 - "9301:9300" 64 - ]; 65 - volumes = authentikVols ++ [ 
"/var/lib/authentik/custom.css:/web/dist/custom.css" ]; 66 - }; 67 - authentik-worker = authentikBase // { 68 - cmd = [ "worker" ]; 69 - volumes = authentikVols ++ [ "/var/lib/authentik/certs:/certs" ]; 70 - }; 71 - authentik-ldap = base // { 72 - image = "ghcr.io/goauthentik/ldap:${authentikVersion}"; 73 - ports = [ 74 - "389:3389" 75 - "636:6636" 76 - ]; 77 - environment = { 78 - AUTHENTIK_HOST = "https://${d.extUrl}"; 79 - AUTHENTIK_INSECURE = "false"; 80 - }; 81 - }; 82 - }; 83 - age.secrets.authentik-env = { 84 - file = ./secrets/authentik-env.age; 85 - owner = "thehedgehog"; 86 - group = "misc"; 87 - }; 88 - }
-10
systems/x86_64-linux/marvin/services/avahi.nix
··· 1 - { 2 - services.avahi = { 3 - enable = true; 4 - publish = { 5 - enable = true; 6 - addresses = true; 7 - workstation = true; 8 - }; 9 - }; 10 - }
-5
systems/x86_64-linux/marvin/services/bookstack.nix
··· 1 - { 2 - services.bookstack = { 3 - enable = true; 4 - }; 5 - }
-46
systems/x86_64-linux/marvin/services/bots.nix
··· 1 - { pkgs, ... }: 2 - { 3 - systemd.services = { 4 - io-bot = { 5 - enable = false; 6 - wantedBy = [ "multi-user.target" ]; 7 - after = [ 8 - "network.target" 9 - "io-bot-lavalink.service" 10 - ]; 11 - description = "I/O, my personal bot"; 12 - path = [ pkgs.python311 ]; 13 - serviceConfig = { 14 - ExecStart = "${pkgs.bash}/bin/bash start.sh"; 15 - Restart = "always"; 16 - RestartSec = 3; 17 - WorkingDirectory = "/home/thehedgehog/io-py"; 18 - }; 19 - }; 20 - io-bot-lavalink = { 21 - enable = false; 22 - wantedBy = [ "multi-user.target" ]; 23 - after = [ "network.target" ]; 24 - description = "Lavalink server for I/O"; 25 - serviceConfig = { 26 - ExecStart = "${pkgs.openjdk17_headless}/bin/java -jar ../Lavalink.jar"; 27 - Restart = "always"; 28 - RestartSec = 3; 29 - WorkingDirectory = "/home/thehedgehog/io-py/config"; 30 - }; 31 - }; 32 - misc-bot = { 33 - enable = false; 34 - wantedBy = [ "multi-user.target" ]; 35 - after = [ "network.target" ]; 36 - description = "Random Bot 1"; 37 - path = [ pkgs.python311 ]; 38 - serviceConfig = { 39 - ExecStart = "${pkgs.bash}/bin/bash start.sh"; 40 - Restart = "always"; 41 - RestartSec = 3; 42 - WorkingDirectory = "/home/thehedgehog/bots/bot1"; 43 - }; 44 - }; 45 - }; 46 - }
-53
systems/x86_64-linux/marvin/services/buildbot.nix
··· 1 - { config, lib, ... }: 2 - let 3 - as = config.age.secrets; 4 - d = lib.py.data.services.buildbot; 5 - g = lib.py.data.services.git; 6 - bbSecret = { 7 - owner = "buildbot"; 8 - group = "buildbot"; 9 - }; 10 - in 11 - { 12 - services = { 13 - buildbot-nix.master = { 14 - enable = true; 15 - dbUrl = "postgresql://buildbot@localhost/buildbot"; 16 - workersFile = as.buildbot-workers.path; 17 - authBackend = "gitea"; 18 - gitea = { 19 - enable = true; 20 - tokenFile = as.buildbot-gitea-token.path; 21 - oauthSecretFile = as.buildbot-oauth-secret.path; 22 - instanceUrl = g.extUrl; 23 - oauthId = "2bfd5c46-43a7-4d98-b443-9176dc0a9452"; 24 - topic = "buildbot-enable"; 25 - }; 26 - admins = [ "pyrox" ]; 27 - domain = d.extUrl; 28 - useHttps = true; 29 - }; 30 - postgresql = { 31 - ensureUsers = [ 32 - { 33 - name = "buildbot"; 34 - ensureDBOwnership = true; 35 - ensureClauses.login = true; 36 - } 37 - ]; 38 - ensureDatabases = [ "buildbot" ]; 39 - }; 40 - buildbot-master.port = 6915; 41 - }; 42 - age.secrets = { 43 - buildbot-gitea-token = bbSecret // { 44 - file = ./secrets/buildbot-gitea-token.age; 45 - }; 46 - buildbot-oauth-secret = bbSecret // { 47 - file = ./secrets/buildbot-oauth-secret.age; 48 - }; 49 - buildbot-workers = bbSecret // { 50 - file = ./secrets/buildbot-workers.age; 51 - }; 52 - }; 53 - }
-21
systems/x86_64-linux/marvin/services/deemix.nix
··· 1 - { data, lib, ... }: 2 - let 3 - d = lib.py.data.services.deemix; 4 - in 5 - { 6 - virtualisation.oci-containers.containers.deemix = { 7 - image = "registry.gitlab.com/bockiii/deemix-docker"; 8 - volumes = [ 9 - "/var/lib/deemix:/config" 10 - "/var/lib/music:/downloads" 11 - ]; 12 - ports = [ "${toString d.port}:6595" ]; 13 - environment = { 14 - PUID = "1000"; 15 - PGID = "1000"; 16 - UMASK_SET = "022"; 17 - DEEMIX_SINGLE_USER = "true"; 18 - DISABLE_OWNERSHIP_CHECK = "true"; 19 - }; 20 - }; 21 - }
-149
systems/x86_64-linux/marvin/services/git.nix
··· 1 - { 2 - config, 3 - lib, 4 - pkgs, 5 - ... 6 - }: 7 - let 8 - cfg = config.services.forgejo.settings; 9 - age = config.age.secrets; 10 - 11 - forgejoSecret = { 12 - owner = "forgejo"; 13 - group = "forgejo"; 14 - }; 15 - 16 - d = lib.py.data.services.git; 17 - in 18 - { 19 - catppuccin.forgejo.enable = true; 20 - py.services.forgejo-runner = { 21 - enable = true; 22 - tokenFile = age.forgejo-default-runner-token.path; 23 - }; 24 - services.forgejo = { 25 - enable = true; 26 - package = pkgs.forgejo; 27 - lfs.enable = true; 28 - database = { 29 - type = "postgres"; 30 - createDatabase = true; 31 - passwordFile = age.forgejo-db-pw.path; 32 - }; 33 - secrets = { 34 - mailer.PASSWD = age.forgejo-mail-pw.path; 35 - security.SECRET_KEY = lib.mkForce age.forgejo-secret-key.path; 36 - security.INTERNAL_TOKEN = lib.mkForce age.forgejo-internal-token.path; 37 - oauth2.JWT_SECRET = lib.mkForce age.forgejo-oauth2-jwt-secret.path; 38 - server.LFS_JWT_SECRET = lib.mkForce age.forgejo-lfs-jwt-secret.path; 39 - }; 40 - settings = { 41 - DEFAULT = { 42 - APP_NAME = "PyroNet Git"; 43 - RUN_MODE = "prod"; 44 - }; 45 - attachment = { 46 - MAX_SIZE = 200; 47 - }; 48 - log."logger.router.MODE" = ""; 49 - mailer = { 50 - ENABLED = true; 51 - FROM = "PyroNet Git <git@pyrox.dev>"; 52 - PROTOCOL = "smtps"; 53 - SMTP_ADDR = "mail.pyrox.dev"; 54 - SMTP_PORT = 465; 55 - USER = "git@pyrox.dev"; 56 - }; 57 - picture = { 58 - ENABLE_FEDERATED_AVATAR = true; 59 - }; 60 - ui = { 61 - DEFAULT_SHOW_FULL_NAME = true; 62 - USE_SERVICE_WORKER = true; 63 - SHOW_USER_EMAIL = false; 64 - }; 65 - "ui.meta" = { 66 - AUTHOR = "dish"; 67 - DESCRIPTION = "PyroNet Git Services"; 68 - }; 69 - metrics = { 70 - ENABLED = true; 71 - }; 72 - server = { 73 - DISABLE_SSH = true; 74 - DOMAIN = d.extUrl; 75 - HTTP_PORT = d.port; 76 - ROOT_URL = "https://${cfg.server.DOMAIN}"; 77 - LFS_START_SERVER = true; 78 - }; 79 - # 80 - indexer = { 81 - # Enable issue indexing 82 - ISSUE_INDEXER_TYPE = "bleve"; 83 - 
ISSUE_INDEXER_PATH = "indexers/issues.bleve"; 84 - # Enable repo indexing 85 - REPO_INDEXER_ENABLED = true; 86 - REPO_INDEXER_REPO_TYPES = "sources,forks,templates,mirrors"; 87 - REPO_INDEXER_TYPE = "bleve"; 88 - REPO_INDEXER_PATH = "indexers/repos.bleve"; 89 - }; 90 - session = { 91 - PROVIDER = "db"; 92 - COOKIE_SECURE = true; 93 - COOKIE_NAME = "pyrogit-session"; 94 - DOMAIN = d.extUrl; 95 - # Sessions last for 1 week 96 - GC_INTERVAL_TIME = 86400 * 7; 97 - SESSION_LIFE_TIME = 86400 * 7; 98 - }; 99 - service = { 100 - DISABLE_REGISTRATION = true; 101 - AUTO_WATCH_NEW_REPOS = false; 102 - }; 103 - security = { 104 - INSTALL_LOCK = true; 105 - COOKIE_USERNAME = "pyrogit-user"; 106 - COOKIE_REMEMBER_NAME = "pyrogit-auth"; 107 - MIN_PASSWORD_LENGTH = 10; 108 - PASSWORD_COMPLEXITY = "lower,upper,digit,spec"; 109 - PASSWORD_HASH_ALGO = "argon2"; 110 - PASSWORD_CHECK_PWN = true; 111 - ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true; 112 - # Only allow reverse proxies from Tailscale tailnet 113 - REVERSE_PROXY_TRUSTED_PROXIES = "10.64.0.0/10"; 114 - }; 115 - actions = { 116 - ENABLED = true; 117 - }; 118 - }; 119 - }; 120 - age.secrets = { 121 - forgejo-db-pw = forgejoSecret // { 122 - file = ./secrets/forgejo-db-pw.age; 123 - }; 124 - forgejo-mail-pw = forgejoSecret // { 125 - file = ./secrets/forgejo-mail-pw.age; 126 - }; 127 - forgejo-aux-docs-runner-token = forgejoSecret // { 128 - file = ./secrets/forgejo-aux-docs-runner-token.age; 129 - }; 130 - forgejo-default-runner-token = forgejoSecret // { 131 - file = ./secrets/forgejo-default-runner-token.age; 132 - }; 133 - forgejo-gitgay-runner-token = forgejoSecret // { 134 - file = ./secrets/forgejo-gitgay-runner-token.age; 135 - }; 136 - forgejo-internal-token = forgejoSecret // { 137 - file = ./secrets/forgejo-internal-token.age; 138 - }; 139 - forgejo-oauth2-jwt-secret = forgejoSecret // { 140 - file = ./secrets/forgejo-oauth2-jwt-secret.age; 141 - }; 142 - forgejo-lfs-jwt-secret = forgejoSecret // { 143 - file = 
./secrets/forgejo-lfs-jwt-secret.age; 144 - }; 145 - forgejo-secret-key = forgejoSecret // { 146 - file = ./secrets/forgejo-secret-key.age; 147 - }; 148 - }; 149 - }
-12
systems/x86_64-linux/marvin/services/golink.nix
··· 1 - { 2 - services.golink = { 3 - enable = true; 4 - tailscaleAuthKeyFile = /run/agenix/golink-authkey; 5 - }; 6 - age.secrets.golink-authkey = { 7 - file = ./secrets/golink-authkey.age; 8 - path = "/run/agenix/golink-authkey"; 9 - owner = "golink"; 10 - group = "golink"; 11 - }; 12 - }
-57
systems/x86_64-linux/marvin/services/grafana.nix
··· 1 - { config, lib, ... }: 2 - let 3 - d = lib.py.data.services.grafana; 4 - a = lib.py.data.services.authentik; 5 - in 6 - { 7 - services.grafana = { 8 - enable = true; 9 - settings = { 10 - analytics.reporting_enable = false; 11 - "auth.generic_oauth" = { 12 - name = "central"; 13 - icon = "signin"; 14 - enabled = "true"; 15 - client_id = "89f4607cf446a777a6b25ebde8731cdcb80b04c1"; 16 - client_secret = "89eccaa8a31104c218df5cfe37c87f0ea0bbddcd1571bddb7f7fbf5a09045efd59c61f1caaa79483ad59aac2c19488b254acdaced47e66a6505865a14a63ac4a"; 17 - auth_url = "https://${a.extUrl}/application/o/authorize/"; 18 - token_url = "https://${a.extUrl}/application/o/token/"; 19 - api_url = "https://${a.extUrl}/application/o/userinfo/"; 20 - scopes = "openid profile email"; 21 - }; 22 - "auth" = { 23 - signout_redirect_url = "https://${a.extUrl}/if/session-end/stathog/"; 24 - disableLoginForm = true; 25 - }; 26 - security = { 27 - admin_user = "pyrox"; 28 - admin_password = "$__file{${config.age.secrets.grafana-admin.path}}"; 29 - }; 30 - server = { 31 - root_url = "https://${d.extUrl}"; 32 - domain = d.extUrl; 33 - http_port = d.port; 34 - http_addr = "0.0.0.0"; 35 - }; 36 - smtp = { 37 - enabled = true; 38 - user = "grafana@thehedgehog.me"; 39 - from_address = "grafana@thehedgehog.me"; 40 - host = "smtp.migadu.com:465"; 41 - password = "$__file{${config.age.secrets.grafana-smtp-password.path}}"; 42 - }; 43 - }; 44 - }; 45 - age.secrets = { 46 - grafana-admin = { 47 - file = ./secrets/grafana-admin-password.age; 48 - owner = "grafana"; 49 - group = "grafana"; 50 - }; 51 - grafana-smtp-password = { 52 - file = ./secrets/grafana-smtp-password.age; 53 - owner = "grafana"; 54 - group = "grafana"; 55 - }; 56 - }; 57 - }
-96
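--- a/systems/x86_64-linux/marvin/services/iceshrimp.nix
+++ b/systems/x86_64-linux/marvin/services/iceshrimp.nix
@@ -1,96 +0,0 @@
-{
-config,
-inputs,
-pkgs,
-lib,
-...
-}:
-let
-
-d = lib.py.data.services.iceshrimp;
-
-package = inputs.iceshrimp.packages.x86_64-linux.iceshrimp-pre.overrideAttrs rec {
-version = "2023.12.8-pyrox1";
-src = pkgs.fetchgit {
-url = "https://iceshrimp.dev/pyrox/iceshrimp";
-hash = "sha256-hxZ3rVVAiAMFAYhZ2o+WhlMuhjbt5EyHKOl1VyyL5RA=";
-rev = "v${version}";
-fetchLFS = true;
-deepClone = false;
-};
-patches = [ ];
-};
-in
-{
-services.iceshrimp = {
-inherit package;
-enable = false;
-secretConfig = config.age.secrets.iceshrimp-secret-config.path;
-dbPasswordFile = config.age.secrets.iceshrimp-db-password.path;
-createDb = true;
-configureNginx.enable = false;
-settings = {
-inherit (d) port;
-url = "https://${d.extUrl}";
-accountDomain = "pyrox.dev";
-redis.port = 6997;
-maxNoteLength = 16384;
-maxCaptionLength = 8192;
-clusterLimit = 4;
-deliverJobConcurrency = 192;
-inboxJobConcurrency = 32;
-deliverJobPerSec = 256;
-inboxJobPerSec = 32;
-outgoingAddressFamily = "dual";
-# See the withdrawal patches for obliterate info
-enableObliterate = true;
-obliterateJobPerSec = 16;
-obliterateJobMaxAttempts = 3;
-mediaCleanup = {
-cron = true;
-maxAgeDays = 30;
-cleanAvatars = true;
-cleanHeaders = true;
-};
-htmlCache = {
-ttl = "6h";
-prewarm = true;
-dbFallback = true;
-};
-wordMuteCache.ttl = "24h";
-isManagedHosting = true;
-email = {
-managed = true;
-address = "social@pyrox.dev";
-host = "mail.pyrox.dev";
-port = 465;
-user = "social@pyrox.dev";
-useImplicitSslTls = true;
-};
-objectStorage = {
-managed = true;
-baseUrl = "https://pool.jortage.com/socialpyroxdev";
-bucket = "socialpyroxdev";
-prefix = "mkmedia";
-endpoint = "pool-api.jortage.com";
-region = "jort";
-useSsl = true;
-connnectOverProxy = false;
-setPublicReadOnUpload = false;
-s3ForcePathStyle = true;
-};
-};
-};
-age.secrets = {
-iceshrimp-secret-config = {
-inherit (config.services.iceshrimp) group;
-file = ./secrets/iceshrimp-secret-config.age;
-owner = config.services.iceshrimp.user;
-};
-iceshrimp-db-password = {
-file = ./secrets/iceshrimp-db-password.age;
-owner = "postgres";
-group = "postgres";
-};
-};
-}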
-9
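--- a/systems/x86_64-linux/marvin/services/jellyfin.nix
+++ b/systems/x86_64-linux/marvin/services/jellyfin.nix
@@ -1,9 +0,0 @@
-{
-services.jellyfin = {
-enable = true;
-};
-networking.firewall.allowedUDPPorts = [
-1900
-7359
-];
-}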
-29
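--- a/systems/x86_64-linux/marvin/services/matrix.nix
+++ b/systems/x86_64-linux/marvin/services/matrix.nix
@@ -1,29 +0,0 @@
-{
-lib,
-...
-}:
-let
-d = lib.py.data.services.matrix-server;
-in
-{
-services.matrix-conduit = {
-enable = true;
-
-settings.global = {
-inherit (d) port;
-server_name = "pyrox.dev";
-max_request_size = 1024 * 1024 * 50;
-allow_registration = false;
-allow_federation = true;
-allow_check_for_updates = false;
-trusted_servers = [
-"matrix.org"
-"vector.im"
-"catgirl.cloud"
-];
-address = "0.0.0.0";
-well_known_client = "https://${d.extUrl}";
-well_known_server = "${d.extUrl}:443";
-};
-};
-}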
-26
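--- a/systems/x86_64-linux/marvin/services/miniflux.nix
+++ b/systems/x86_64-linux/marvin/services/miniflux.nix
@@ -1,26 +0,0 @@
-{config, lib, ...}: let
-d = lib.py.data.services.miniflux;
-in {
-services.miniflux = {
-enable = true;
-config = {
-PORT = d.port;
-FETCH_YOUTUBE_WATCH_TIME = 1;
-BASE_URL = "https://${d.extUrl}";
-CREATE_ADMIN = 1;
-WEBAUTHN = 1;
-WORKER_POOL_SIZE = 5;
-};
-adminCredentialsFile = config.age.secrets.miniflux-admin.path;
-};
-users.users.miniflux.isSystemUser = true;
-users.users.miniflux.group = "miniflux";
-users.groups.miniflux = {};
-age.secrets = {
-miniflux-admin = {
-file = ./secrets/miniflux-admin.age;
-owner = "miniflux";
-group = "miniflux";
-};
-};
-}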
-11
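--- a/systems/x86_64-linux/marvin/services/minio.nix
+++ b/systems/x86_64-linux/marvin/services/minio.nix
@@ -1,11 +0,0 @@
-{ config, ... }:
-{
-services.minio = {
-enable = true;
-region = "us-east-1";
-browser = true;
-listenAddress = ":6990";
-consoleAddress = ":6991";
-rootCredentialsFile = config.age.secrets.minio-root.path;
-};
-}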
-104
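--- a/systems/x86_64-linux/marvin/services/nextcloud/default.nix
+++ b/systems/x86_64-linux/marvin/services/nextcloud/default.nix
@@ -1,104 +0,0 @@
-{
-config,
-pkgs,
-lib,
-...
-}:
-let
-d = lib.py.data.services.nextcloud;
-i = lib.py.data.services.nextcloud-imaginary;
-in
-{
-imports = [
-./office.nix
-./imaginary.nix
-];
-services.nextcloud = {
-enable = true;
-package = pkgs.nextcloud31;
-phpPackage = lib.mkForce pkgs.php82;
-appstoreEnable = true;
-caching.redis = true;
-# Enable Webfinger
-webfinger = true;
-# Any additional PHP Extensions we need
-phpExtraExtensions = all: [
-all.pdlib
-all.bz2
-];
-config = {
-adminpassFile = config.age.secrets.nextcloud-admin-pw.path;
-adminuser = "pyrox";
-dbtype = "pgsql";
-};
-settings = {
-default_phone_region = "US";
-overwriteprotocol = "https";
-trusted_proxies = [ "100.64.0.0/10" ];
-# Preview Settings
-"preview_imaginary_url" = "http://localhost:${builtins.toString i.port}";
-"preview_format" = "webp";
-"preview_ffmpeg_path" = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
-"enabledPreviewProviders" = [
-"OC\\Preview\\Font"
-"OC\\Preview\\Krita"
-"OC\\Preview\\MP3"
-"OC\\Preview\\MarkDown"
-"OC\\Preview\\MSOfficeDoc"
-"OC\\Preview\\OpenDocument"
-"OC\\Preview\\TXT"
-"OC\\Preview\\Imaginary"
-];
-# Memories Configuration
-"memories.exiftool" = "${pkgs.exiftool}/bin/exiftool";
-"memories.exiftool_no_local" = true;
-# # Index Everything
-"memories.index.mode" = 1;
-# # GIS Data in Postgres
-"memories.gis_type" = 2;
-# # Transcoding
-"memories.vod.disable" = false;
-"memories.vod.vaapi" = true;
-"memories.vod.nvenc" = false;
-"memories.vod.use_gop_size" = false; # NVENV-only
-"memories.vod.ffmpeg" = "${pkgs.ffmpeg-headless}/bin/ffmpeg";
-"memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
-"memories.vod.path" = "/var/lib/nextcloud/store-apps/memories/bin-ext/go-vod-amd64";
-"memories.vod.external" = false;
-
-# Recognize Options
-"node_binary" = "${pkgs.nodejs_20}/bin/node";
-"tensorflow.cores" = 6;
-"tensorflow.gpu" = false;
-"musicnn.enabled" = false;
-"movinet.enabled" = false;
-"faces.enable" = true;
-"imagenet.enabled" = true;
-"landmarks.enabled" = true;
-};
-phpOptions = {
-"opcache.interned_strings_buffer" = "32";
-"opcache.jit" = "1255";
-"opcache.jit_buffer_size" = "256M";
-"opcache.save_comments" = "1";
-"opcache.validate_timestamps" = "0";
-};
-poolSettings = {
-"pm" = "dynamic";
-"pm.max_children" = 43;
-"pm.start_servers" = 10;
-"pm.min_spare_servers" = 10;
-"pm.max_spare_servers" = 32;
-"pm.max_requests" = 500;
-};
-configureRedis = true;
-database.createLocally = true;
-hostName = d.extUrl;
-nginx.recommendedHttpHeaders = true;
-};
-age.secrets.nextcloud-admin-pw = {
-file = ./nextcloud-admin-pw.age;
-owner = "nextcloud";
-group = "nextcloud";
-};
-}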
-13
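--- a/systems/x86_64-linux/marvin/services/nextcloud/imaginary.nix
+++ b/systems/x86_64-linux/marvin/services/nextcloud/imaginary.nix
@@ -1,13 +0,0 @@
-{ lib, ... }:
-let
-d = lib.py.data.services.nextcloud-imaginary;
-in
-{
-services.imaginary = {
-inherit (d) port;
-enable = true;
-address = "localhost";
-settings.return-size = true;
-settings.disable-endpoints = "form";
-};
-}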
-21
systems/x86_64-linux/marvin/services/nextcloud/nextcloud-admin-pw.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA f3m5ux9oJxmPDheJ82b171yuc+2/YfPklKOi9+TRqAk 3 - QlVi9vN0mFBwa4lGeWgHhy7xeGmzv87lHy1teE4Ju38 4 - -> ssh-rsa fFaiTA 5 - OE+aFl2tmjMJOOtfhoVGOnWmF64OqGQ21FuhcCaDz+K05lmO4F+6q0dblr/8gOD/ 6 - aUX7qKNS6/ylBn1sjdWs6LKEFSfQQmPD26MDAFciDRMR5GCylKQzVN+ZVFjS36tr 7 - tWl1wiuGlK25szMdPMTfH2mUd2RpyceGirTFXbDppBQvlboivVV51FVgHQJUmell 8 - ak4dXDNvlSX/Q2VfIrfr6LurJrPPpJ8phgD/yqvwoEr1DhbrtdBJWHLnP7GlAi9D 9 - WexmhyWALCbfJjpPTKBumGmFFzCf5FvEhw4WW3wSkK+RwoyPDq+f5JyM0mEUNgjM 10 - tI5cbyaZ+FuoZgwouSLPU1zSaE5DCucRrWoMLw/F/1rXZl6aXmiX+sJYhwTOnfvS 11 - UxEs+7i+E/+yPP0otfoEeU7fSUQgkVcfDwwCF95vvSoX2ZeocU3IaosovmQNHiQk 12 - VNR2z8WZx7y5bBxxxMuA9sKwhDbqpS+O7Yr34PSO2aZMvctfJZMFHOGO3LWtCMOo 13 - /EtZSwtTL1P3z7ZVr9SpBOT1Cp5f6JhM8fRwcv/+cssWrv031LDpX7R2lUXd0E9/ 14 - b8ZI6NotJfXicqf1qS91GYttz9FpXKSTx+wc28eEQNoHdE9vJydYd8p/FfsPNnbo 15 - E7kEz0KgTTIC0lfRN5/CKHJ3urAN47UCzBkht/gArHM 16 - -> ssh-ed25519 wpmdHA miwIKKntwHzAVfbSs0wQyxEuiPGS4OPisTtLkasNaHE 17 - psG8Q1MCrd2cuHNFhBoJlHTUA8Rk2alsRahoaTaZ96I 18 - -> f-grease Q=!6H\ CBdSy[)u 19 - sOGvXIX7dyTl5tFUlDOfuXyR5KrAFTehzsMhjUiqFD/N 20 - --- 6GHjrSO/f/nkqePu2iFESH76n7G1KPN6F+xp6ChHPec 21 - ��!��c�8i^����lκ�l>�E|o�q��T�[9��V�I�J^}�� � O{:5�> ��Sb����J�p�
-22
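--- a/systems/x86_64-linux/marvin/services/nextcloud/office.nix
+++ b/systems/x86_64-linux/marvin/services/nextcloud/office.nix
@@ -1,22 +0,0 @@
-{ lib, ... }:
-let
-d = lib.py.data.services.nextcloud-office;
-in
-{
-services.collabora-online = {
-enable = true;
-port = d.port;
-settings = {
-ssl.enable = false;
-ssl.termination = true;
-};
-aliasGroups = [
-{
-host = "https://office.pyrox.dev:443";
-}
-{
-host = "https://cloud.pyrox.dev:443";
-}
-];
-};
-}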
-18
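--- a/systems/x86_64-linux/marvin/services/nginx.nix
+++ b/systems/x86_64-linux/marvin/services/nginx.nix
@@ -1,18 +0,0 @@
-{ lib, ... }:
-let
-n = lib.py.data.services.nextcloud;
-in
-{
-services.nginx = {
-virtualHosts = {
-"${n.extUrl}" = {
-listen = [
-{
-inherit (n) port;
-addr = "0.0.0.0";
-}
-];
-};
-};
-};
-}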
-43
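--- a/systems/x86_64-linux/marvin/services/pinchflat.nix
+++ b/systems/x86_64-linux/marvin/services/pinchflat.nix
@@ -1,43 +0,0 @@
-{ config, lib, ... }:
-let
-cfg = config.services.pinchflat;
-age = config.age.secrets;
-d = lib.py.data.services.pinchflat;
-in
-{
-services.pinchflat = {
-enable = true;
-port = d.port;
-secretsFile = age.pinchflat-secrets.path;
-mediaDir = "/var/lib/youtube";
-extraConfig = {
-YT_DLP_WORKER_CONCURRENCY = 2;
-};
-};
-systemd.services.pinchflat = lib.mkIf cfg.enable {
-serviceConfig = {
-DynamicUser = lib.mkForce false;
-User = lib.mkForce "pinchflat";
-Group = lib.mkForce "pinchflat";
-};
-};
-users.users.pinchflat = lib.mkIf cfg.enable {
-isSystemUser = true;
-group = "pinchflat";
-};
-users.groups.pinchflat = lib.mkIf cfg.enable { };
-age.secrets = lib.mkIf cfg.enable {
-pinchflat-secrets = {
-owner = "pinchflat";
-group = "pinchflat";
-file = ./secrets/pinchflat-secrets.age;
-};
-};
-# BGUtil Docker Container for yt-dlp
-virtualisation.oci-containers.containers.ytdlp-bgutil-provider = lib.mkIf cfg.enable {
-image = "brainicism/bgutil-ytdlp-pot-provider";
-ports = [
-"4416:4416"
-];
-};
-}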
-42
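--- a/systems/x86_64-linux/marvin/services/planka.nix
+++ b/systems/x86_64-linux/marvin/services/planka.nix
@@ -1,42 +0,0 @@
-{ config, lib, ... }:
-let
-dataDir = "/var/lib/planka";
-d = lib.py.data.services.planka;
-in
-{
-virtualisation.oci-containers.containers = {
-planka-server = {
-image = "ghcr.io/plankanban/planka:latest";
-ports = [ "${toString d.port}:1337" ];
-environment = {
-BASE_URL = "https://${d.extUrl}";
-DATABASE_URL = "postgresql://planka@planka-db/planka";
-# Default Admin
-DEFAULT_ADMIN_EMAIL = "pyrox@pyrox.dev";
-DEFAULT_ADMIN_USERNAME = "pyrox";
-};
-environmentFiles = [ config.age.secrets.planka-env.path ];
-volumes = [
-"${dataDir}/user-avatars:/app/public/user-avatars"
-"${dataDir}/project-background-images:/app/public/project-background-images"
-"${dataDir}/attachments:/app/private/attachments"
-];
-extraOptions = [ "--network=planka" ];
-};
-planka-db = {
-image = "postgres:16-alpine";
-volumes = [ "${dataDir}/db:/var/lib/postgresql/data" ];
-environment = {
-POSTGRES_USER = "planka";
-POSTGRES_DB = "planka";
-POSTGRES_HOST_AUTH_METHOD = "trust";
-};
-extraOptions = [ "--network=planka" ];
-};
-};
-age.secrets.planka-env = {
-file = ./secrets/planka-env.age;
-owner = "thehedgehog";
-group = "misc";
-};
-}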
-16
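--- a/systems/x86_64-linux/marvin/services/podman.nix
+++ b/systems/x86_64-linux/marvin/services/podman.nix
@@ -1,16 +0,0 @@
-{
-virtualisation = {
-oci-containers.backend = "docker";
-docker = {
-enable = true;
-storageDriver = "zfs";
-autoPrune.enable = true;
-liveRestore = true;
-daemon.settings = {
-experimental = true;
-ip6tables = true;
-fixed-cidr-v6 = "2001:db8:1::/64";
-};
-};
-};
-}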
-50
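--- a/systems/x86_64-linux/marvin/services/postgres.nix
+++ b/systems/x86_64-linux/marvin/services/postgres.nix
@@ -1,50 +0,0 @@
-{ pkgs, config, ... }:
-let
-cfg = config.services.postgresql;
-in
-{
-services.postgresql = {
-enable = true;
-package = pkgs.postgresql_16;
-enableJIT = true;
-# Settings taken from [PGTune](https://pgtune.leopard.in.ua/)
-settings = {
-max_connections = "300";
-shared_buffers = "2GB";
-effective_cache_size = "6GB";
-maintenance_work_mem = "512MB";
-checkpoint_completion_target = 0.9;
-wal_buffers = "16MB";
-default_statistics_target = 100;
-random_page_cost = 4;
-effective_io_concurrency = 2;
-work_mem = "2621kB";
-huge_pages = "off";
-min_wal_size = "1GB";
-max_wal_size = "4GB";
-max_worker_processes = 8;
-max_parallel_workers_per_gather = 4;
-max_parallel_workers = 8;
-max_parallel_maintenance_workers = 4;
-};
-};
-systemd.timers.pg-autovacuum = {
-description = "Timer for Postgres Autovacuum";
-timerConfig = {
-OnCalendar = "*-*-* 01:00:00";
-Unit = "pg-autovacuum.service";
-};
-};
-systemd.services.pg-autovacuum = {
-description = "Vacuum all Postgres databases.";
-requisite = [ "postgresql.service" ];
-wantedBy = [ "multi-user.target" ];
-serviceConfig = {
-Type = "oneshot";
-User = "postgres";
-Group = "postgres";
-SyslogIdentifier = "pg-autovacuum";
-ExecStart = "${cfg.package}/bin/vacuumdb --all --echo --jobs=6 --parallel=5 --analyze --verbose";
-};
-};
-}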
-40
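--- a/systems/x86_64-linux/marvin/services/prometheus.nix
+++ b/systems/x86_64-linux/marvin/services/prometheus.nix
@@ -1,40 +0,0 @@
-{ config, ... }:
-{
-services.prometheus = {
-enable = true;
-port = 6999;
-exporters = {
-node = {
-enable = true;
-enabledCollectors = [ "systemd" ];
-port = 6998;
-};
-};
-scrapeConfigs = [
-{
-job_name = "marvin";
-static_configs = [
-{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
-];
-}
-{
-job_name = "gitea";
-static_configs = [
-{ targets = [ "127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}" ]; }
-];
-}
-{
-job_name = "jellyfin";
-static_configs = [ { targets = [ "127.0.0.1:8096" ]; } ];
-}
-{
-job_name = "authentik";
-static_configs = [ { targets = [ "127.0.0.1:9301" ]; } ];
-}
-{
-job_name = "prometheus";
-static_configs = [ { targets = [ "127.0.0.1:6999" ]; } ];
-}
-];
-};
-}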
-14
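--- a/systems/x86_64-linux/marvin/services/prosody.nix
+++ b/systems/x86_64-linux/marvin/services/prosody.nix
@@ -1,14 +0,0 @@
-{
-# deadnix: skip
-config,
-# deadnix: skip
-pkgs,
-# deadnix: skip
-lib,
-...
-}:
-{
-services.prosody = {
-enable = true;
-};
-}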
-12
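--- a/systems/x86_64-linux/marvin/services/redlib.nix
+++ b/systems/x86_64-linux/marvin/services/redlib.nix
@@ -1,12 +0,0 @@
-{ pkgs, lib, ... }:
-let
-d = lib.py.data.services.redlib;
-in
-{
-services.libreddit = {
-inherit (d) port;
-enable = true;
-package = pkgs.redlib;
-openFirewall = false;
-};
-}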
-32
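--- a/systems/x86_64-linux/marvin/services/scrutiny.nix
+++ b/systems/x86_64-linux/marvin/services/scrutiny.nix
@@ -1,32 +0,0 @@
-{ config, lib, ... }:
-let
-d = lib.py.data.services.scrutiny;
-in
-{
-services.scrutiny = {
-enable = true;
-influxdb.enable = true;
-settings = {
-web = {
-listen = {
-port = d.port;
-};
-influxdb.tls.insecure_skip_verify = true;
-};
-};
-collector = {
-enable = true;
-settings = {
-api.endpoint = "http://localhost:${toString d.port}";
-devices = [
-{
-device = "/dev/sdb";
-commands = {
-metrics_smart_args = "-xv 188,raw16 --xall --json -T permissive";
-};
-}
-];
-};
-};
-};
-}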
-23
systems/x86_64-linux/marvin/services/secrets/authentik-env.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA Mq6LpVWnock3MlBHyxTdIz0MRgayV1DmPc7G0YUYmno 3 - Hjhpy+AkQ12MPP5/nFdfCbUYjlB7urYgodmNH3MYQys 4 - -> ssh-rsa fFaiTA 5 - nUWzhFls8eejZQcIvXT1OQcoLCUPs/xkrGmJZ9nYsimIg9O1SvSvsksTzpF+kPxb 6 - FSm0mpN5LSI5qIWkTVCARSygCXh5oW7O5BteIEslfZQ2mBWWfUIUfXjxgyMR5YNI 7 - WuMQ5NLag3uulDKFm7nX/MW9MdF5TQqsp2waDxZR8twErIHXxyYV7L50OpgHXshN 8 - YF+MQ44G8CpKfnMlJT2LqYdcwtCD5CbPyyJVGzPtKXXMCO90ep7kgsdAtwRzRQ/A 9 - pOm1kN0E4OtOCCTuUEu9KcTjREFEzVdNDo+sK1aTxZVgDMT5Q+1MW8LMAjxJkJaH 10 - EhgiwzOB1wuKNJmT3oTHxCZeXebEZVIgzrM0d8G/ZpRezMhPQuVhPNwTuSTS6Nmu 11 - UoLpGd836qa4wRiCnyw2wv5NWC9dk9egXGmpJP0WuYkm977nV8rNPD6Y0yo1zdXN 12 - bR11U5nGhNmKaZR7JuF4uXnscDwuLjezTqbnfWLnWWfsPchUdwxSLkBWfxOt9Bwb 13 - UXXRCXmP1G7G76L8Lq4px5w9cuOf1m40aIRFDAQvsU8lcjNh+x6Hlrs6e6JLpTIU 14 - hSm9RNis+NfC4eUTbBzvHQJl5pOcc4qGDhRfZHHHgFviGtDRNnCX8Qti0s55z5xj 15 - 92YLwusKCLsY/qfUMGxR6xJOH+qF1slnKJUze6Fm+3A 16 - -> ssh-ed25519 wpmdHA y8GnMn9T4Pd/luf2iFGLgwiH2+28omDf+koJjTnjHjY 17 - bhwyh4cWPs0/WaDEAV6tQ9VT8Rwg+54O48IXDlp3WnM 18 - -> zEWmG,-grease 19 - RnR4Sk7VgVxA 20 - --- rw5rtJ/Nk3pe6NIho1qUG8THDMN/gyC82qDL9WF+1ec 21 - �as����Dp��c�´���i�x�AQ>�w��o�bI 0�X����Za�AH#���0�|����HR5�������S��G���9Y��{��ּ_"������r4?x՚5�tG�F|�&�gXC�\9�P 22 - y�K�`����LeS` !��21�����U1��S�?�X1[�7Qӫ��D�!�>���XǍ�)mH��#[�C�r�4����9σb 23 - lf �K_PB���$�X�n��(V�Q����u�?ix�z��I��Zܘ
-20
systems/x86_64-linux/marvin/services/secrets/buildbot-gitea-token.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA sXjW2SR1XZX72GNOub2LDOyPErSL1frz/6h1/PCpYQc 3 - C1S5xYK8e0wjxXUo3Fv1Bly/KexFni/vUVQXvTOaYjM 4 - -> ssh-rsa fFaiTA 5 - hp5tbxse6zTj3F9+cURU7l1wgQ7xPqetn//fPbeAWgOaE6mV5AgKmul7rHEL9IIH 6 - aFTvalTWR/KnFznYtlW/k8NJ8kxsO8xF+E5TzFnJHoJ1kcnxzx470m/erc928n48 7 - XcqN+XT2OS7xxH8i4v+pTqsCniK5oKpUbXujFBDdLQzHr6PfudD7KflSDklIdYEB 8 - Hcd1wPtnOwD7lPPrH4MIVNcAsZdc1gdieWI6WAyYhwyCGkHx+AAtbGBGIRxpM6eA 9 - /iau2CyIL3NoQO5ahuocI3j6JZg/rjf8CrB6BOcjST63xxJOtb/Z1vCDMN8IL7h5 10 - BC/W0jeLSWG6j/HtGXQHcBuuCe9X6ghNxHjJnXTlW5gyy/5fkfg1VwH1GH7LSgr3 11 - tULl2deCUc13COd+c74wPl1tndaCFou3syWQI1+g6cxafdjNeC4toQVVTjiWKArW 12 - 9FxAfmOHRqkren+G68rV3r9HUwiik5yfFj3i0ReiSJOs+PnFdwiia+qEyEU6c+RA 13 - ZKm02DA0xdIKvWRhBcV3LfXa59gM/fqHY7fPOr764UE8G3OxhU41YokRxSF2Amjr 14 - SrrTdd9ifydgm/6QOezR/rGdIPednZGw7AifVDtzStqfeK2N/1UptXmRTqJxNKDl 15 - HqChILGJP+4oQ9C40DBJKqoDoQ4cgdABf+cVvum4Vuo 16 - -> ssh-ed25519 wpmdHA ihAY2EmeXBKtEYivtyxIM4f9DT8l4r+fB1aZq+/bBjI 17 - cTxIJd2UpHpk6+kRC6kYnkWpk5vNOKN3KaTObI2yK60 18 - --- wb5Zy32SMDk6XSAwzGDLz1fHZkTmFQRJu3UdOSO6ALs 19 - �6�3 20 - ��x�p�(SFx��9%�l�`��mNy�i'��?i�������@Nw��ϖ�Xh\ơ� �A�X�{�
systems/x86_64-linux/marvin/services/secrets/buildbot-oauth-secret.age

This is a binary file and will not be displayed.

-19
systems/x86_64-linux/marvin/services/secrets/buildbot-worker-password.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA gwCfKQU/RuO5wvWJt+BNo9vMIH4cQNKC4YBo4zgeM00 3 - 568cl7NUSUNWPCF3SL8SSqsyV3qqKmM4CoqmQ+yynUs 4 - -> ssh-rsa fFaiTA 5 - xa/L5kqpE+MAOnbQFeOi4u53k9RdTz7di+bFiDwkUMoxPwKKWmT6DejEq2JmqcL6 6 - adkNyc7sS9mfyoCC55WttpC1VBtyCtWCvJIuG8vtO11RsBfA6GvHLG4uuuHRGEqQ 7 - i9IGIVBIUdCT+q4Eu8zV5hVEdbuufDGTbp1Ye2MZszl99XE3FKBgBNMfMyYL4fO4 8 - +GE6kuTMdgwlI1CKFlQH5cZSMwGtm1ElTZcwd0Zl1Zu/5Y4mKwJ78RLtdmoIpYW/ 9 - 8TnvuH1uD6PFZQ6f0RDxNnEnyZuAezTx16tjFfTuoI1/lyvq6t6et/f9TysKTnZZ 10 - W0PSBFvTaxE1IKaO/PRynd9ZrBbLgk8pibCP6HgM8ev1Gbl4vLjq/0t+t0PEVquH 11 - y0MXvO6OvjGs89JS9/AYbBAsFxmD/FcKGm857fKFqE2a+SguX0oTBbjNx/PG0rAm 12 - RTx9CR2wCUhTq5KheRmL+Ik/T/Yv4QuDid6p93PHcwJ2YUqXPyMEuTyv/nhjSEGa 13 - v3GX7sIQh0aC0LSHF0ielfyxjvAXysNKiIZaN+DU0tGTgKW/QvMOnUKB4X3EZCHu 14 - yMGgV1vR+pVTLx7xoAyjPL9DQC9ezMlSs5gcZVEV3NLRndz5Es2SAgg7r0mXy5fg 15 - PZz7XVriGa+2JhcAnDbFWgFjqwI7r5MSTpq8Sl9FZ8E 16 - -> ssh-ed25519 wpmdHA wfideEEHVJwKpYxqET5LDOE859htEZIpg1UxKIGSayM 17 - V5vr78i22cOHPS8+ZFluqMDfH9D3vzkHQ51Oos+MWq0 18 - --- ltXrwcgDWjvOiOkbNmi8MAUtgcevsUKA2ooV7UyB03s 19 - �� ������U���������q���{l���˓��<��=r��Žv�ݸ�H���Z��V��
-21
systems/x86_64-linux/marvin/services/secrets/buildbot-workers.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA NyjUU036+HYwviv9FB7Onyl3YYScNe/vLXpAYnbbJxU 3 - pecvax2BSVOYEgCHxoQyWTRzBRpq8N2ertX0QAw600Y 4 - -> ssh-rsa fFaiTA 5 - Tdwy6FqSqpMxc7x/Ygwiz8ssPwug7sk1BZ0QghMZkoO8KPJwldUcYfsgQxklzisx 6 - JuMDTBacCxN6/RnIfvcagtYZ2NeKsGkhk6KZ1QtcDt9oWrLD9KQBs/YlBmkJGE3L 7 - SqAcQX9AybGQ+ODS8ZbXR7WTcCy0I85Jiy60QYRfkX5lElL0BAbbuphn6xtm0dt7 8 - YuArYTndGI1KOgcnDCia8Az84vzjIh/Cp4AGthmhAOQP2R1k94LI8p1639RqlrkT 9 - XAdsglg344l7ki2Eib4pPADDmhKttrJ/79DTK0X+1757PaUyxMif55WIrxQLzE2s 10 - QHhwj1pka1HynIGy87cwILAlvqWNFUQ9lTbfMNfTLMBEJ7hH/HB6Adpmr0CVhKKG 11 - B3WfC9l3v/15owcb3qLeP/dkaarjHbTM4FafOLkjrhdEgYCEGK/ls3vx0Deq4x39 12 - G3WO/fclUQyjcO/g17i9yyfmuupL11Juk8xRyaU5fzi5O7gtGnPlLxhBqXE1s9Xa 13 - FzSSBHztAYAT7D7wodoE+LsTAajRoMQnTkFuP0pvO81C8z7dMXVckYvPco8dTbHY 14 - wujBpw+h//2oIfWxgM6lzZGKny+VsbFSVDz3JURCeWUaFpjdDHzkk7fd+fXAdhcx 15 - Wh25XuYYKvr1SOjo1ux9hAgbH/KAGKy9hoXzpbs6q6I 16 - -> ssh-ed25519 wpmdHA iO+7sYjfsEVkwxtiRMgi/5liBd5I56Cl3nIo5fFe6gc 17 - Rhez8a+eG9D4kV6I3R7eRdEty3dVyYybBCsDoD3gy8Q 18 - --- W7rtaU3i9bkD3+2PKJbOeDK8AlFhpW0t3Lp6MeJ7RiQ 19 - ��� 20 - .I�s ��q^hA���Ch�D��s��������|����8[�%xX�n+�Qb�#f�gUL�C�c9p������RgBd9e%'Y8�F��gկ~�15�D���d�K��C�c>���w 21 - tP(�cr�����p7
systems/x86_64-linux/marvin/services/secrets/forgejo-aux-docs-runner-token.age

This is a binary file and will not be displayed.

-21
systems/x86_64-linux/marvin/services/secrets/forgejo-db-pw.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA 2iR3dpVJpZQc8SpHKJMDdoFgRQ3SdR+1Z6MJNOXBYRA 3 - gN/aJwxHXwAH+UPyVG3C0iwNyitvqleasEId230Ta5I 4 - -> ssh-rsa fFaiTA 5 - o1krn+dfavUdLS/kL1jr0fzPdM9U8r22e2HXUyB8Cjg8K39QNR0tIUnJOeDh+ySk 6 - 5mnA2fIhCc8TDmxViSVelV34xPBJUE97Uv4ny8d33oAM/h+Z9lUVkNYqBQIvy/7A 7 - VbXPr4exw09vIKqMII8r7Jk84h/W/+FNCOD0eD/hoIEihkEKmTlGaKnDrIukWK5u 8 - 3oohSQ8vjz57NjyNAVMpqBR+N/kgix7Qn2nWie0Y+8a6Oe09KGv8o4NSvMsoF36g 9 - ZoahpTkWqN5kEMciduo4bGUPO0WlKS8JtmpgZnOB9s0BN1xHqGyFheh2lkprW8m7 10 - 5RsnmjveQ5W/YOjQwfZcyx7MzWGu/tdAOa24ZxDMoVuz6p1fVYNmVx5roj8ddU8M 11 - Zf4LIRyq+p0reWEZyx4kGM9KO3e3uBdjEcd1hN8c11Nuhq8sQWtCzZIfXUpbWFsc 12 - tFdKrAkxnrCjFbwkBLj9KRrstJ2U9kvQPjv/TLUu3nfZvQrT3r6La7nh43yJVFbO 13 - BEKiebbMKZ/uXpat9ysBblaDSDLgFq9bG+fKaDCurK8xLeihEmUUto3+zJ2ju0xN 14 - 9/5y4wvaHp2ubn2garimQA5SL/MXviroM3Ihis1QXh/EjCqUAsNDWuxj4yGq7KjH 15 - pyJh4POTwFwa1+dieajao44dXbjR8agomTDNsFcvciw 16 - -> ssh-ed25519 wpmdHA Yn2SflGKXRy8gFw49DgIgYgQ4wW8E2DGGI7dB08Fp3g 17 - h+CktGIMZuh8mRJawXRRNrN6ekc96ET5vIHEE+560R0 18 - -> VEh-grease \tZ(& 19 - sarIr7CdltfkDsPGC746Bj2bSi4JYbJyJyqFIY6mTlr89qhx+Q 20 - --- Oogb2JMBAeU5WMAOhFDuLMUwj6Y3yGjn4FDAJ8IsNTo 21 - �oi�KAe�+���i��\��*����:��� �c�6��(�1�����敽#�Stq���y�/�T�� h�|
-20
systems/x86_64-linux/marvin/services/secrets/forgejo-default-runner-token.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA wAo/lrx6N+r+RDRkW+diss7p9GXRuBKJ8X3m9SqsUms 3 - j7n9oR9u1XkSPikdXm7ck0nOlt1QOJ1ZBGcU/b+kgr4 4 - -> ssh-rsa fFaiTA 5 - jP6zvnCemRTSeHZzkwCQw4ISRuQVNwPRDVr1zqPlx19z7s+c5NSH2k+ryjgbVWkc 6 - EoP+SMR2sguwhi6SvKNvFZOp4+oAu4ATWGCvjTiqD+iNj0IR9pd+TMIVD6g117eM 7 - 0W2LQN+Yw9tDpT5vX4RSR+Vs9rvWkNgZI58Rib4DprRP9lcD4hjpUyFWLnjsm/PV 8 - 4YGMyt9CCQWT4UuEj8PZGK/l1uQRNIoXlHj83Ewl7WNhlO7I08kSDKke39VkIiXj 9 - 55FOLCIq8rgT8mUsBqr2EJRzS9hJpKIytYdhLmTdAMdpfXWvjDTVAKIYO7DnAWdk 10 - uU+ORVOfKEYjD4uuYODhS/n2U6USwNF/R2E6JB806LOglASacw7o9h2oTXEpiW8u 11 - KJq3VkmnhaE9h7SOkBISlGC+y9MDm0Lv07P0hHBr1j+oaeVehMst9HO8S2ngVp6H 12 - 0ZjokI6JpExinFn+UDoocXUK9s33Hvzg/q672JmgIos56wmCtFX7A/ba2isKpajp 13 - WIQMgvQEVxaUBpbRQTjj5SNGVRMns2cJWWpvinyjLMWRj8J+0OEzOLyrvnCpZZw1 14 - DS+ffnwCd/7t3zxnyyl+xeRVD0tq7Dd1X4oxmSNDEHKcNKhjsDnIEd1y/tcTsUUN 15 - X9GDhHLFLoS3BxBydkJ6dSH9knlE5KZAc3wKtjw+AQA 16 - -> ssh-ed25519 wpmdHA hgNiJmcUepbnNwU+8zcRC7xlhou25Uv3mKO7L36RlQA 17 - 1uSnVNpcQTGhYw+L02JQSd1PUrC6t6Dh4QI+eXbr8NI 18 - --- H3xuoJ0qmwWqAJoiY8nFXbTOpOeEcKcr2zc6CozBFtU 19 - W���S���2��+jz[�귐��P1�>��b�R�J�-�� 20 - &�jm^���E ~��37ܢ6���/�$�ÒH>9p� ,
-19
systems/x86_64-linux/marvin/services/secrets/forgejo-gitgay-runner-token.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA NtvHYtlP2R1/ySw+0gQk8q1QJcujtjMK9h8BXTLnpFU 3 - 5+iRMI+OvjQMSR8TkEO5QXFp0u6De3EVtmt+OttYLAw 4 - -> ssh-rsa fFaiTA 5 - MiYovathZe/ZO/NvHsRTFaAlj8GsHgBcbVkkV9MDoYhacdomegj+J2nQks/j+TbP 6 - zU9BSBMSyzWrYuCi15kISyk962mSc7Gte4nwJvUUiZdWq/Vm2dSLyV57EHBgSXl/ 7 - C9DHnS78OgTDn8YeeRviLkJ87LEEPF9yGG2z/YN4i53Cuy8UDQagdpFG4dWjGnQn 8 - hImg4bI99h1coaCf8PfsuLsdumbR6y12rdW0A5cEyhfDoodV9hILGuP9KCtUXNxO 9 - BrxDlpVC5CjUZ1xcz1qgQA8QvKbl7qVitxmr5+1pHwtscaiTufOs4MI+ZxCKwOhJ 10 - VPiy01TesPHR9oua/7Ap4dBOTpKRPb8GyaCVyRvkb4cVIlQNgIYuL3pkB3KOM3Ct 11 - VhvXVgXxB6Gb78gJkBy/uwmnSybfnzjv1z+yA9f8VFBzt+i2kDq8/37Tng9DSVGj 12 - 4yS67uYQkT5+OVrcjNwBd3NAguVNNg1PEsIE8SvnLXRmI79gjiMdlmZFTsAl2EZN 13 - 2CMUaR9r0O88xhEf7FKQ9CUjZjfZvyhHPaJXADfducaVhB56RCIf3jwtsdFnTzzZ 14 - UMIYJ57Pe8m0ESjzp/8+6wH4MPaMULSJhxnpUJW5y5qqnpvRo1dQiPRkW3Xxjh3H 15 - 2ulClJg8m7Tqj/nASJFZkqI7PUxjnAteEUcY2WBRtMA 16 - -> ssh-ed25519 wpmdHA OYK95VOo8jFn31+P4keeW0eJco7PKVE82NQL0U+0f1I 17 - D7O1m8QTLBARYjzUJBBX18Ko62iu7ETDD/CJHptTBf8 18 - --- ku5u3TkIGQvE212JtizdwVoz4B0Jx3wvvPrGFfvihGg 19 - �gL�y+72.O\A�,U&z����y +�Y��OB=�#� �=/���}�@W�xx���� \'��~�x.����5?�X�
systems/x86_64-linux/marvin/services/secrets/forgejo-internal-token.age

This is a binary file and will not be displayed.

systems/x86_64-linux/marvin/services/secrets/forgejo-lfs-jwt-secret.age

This is a binary file and will not be displayed.

-22
systems/x86_64-linux/marvin/services/secrets/forgejo-mail-pw.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA QbfTwmaq7Y7u8CL4KBCcGrCyT4b1lGky7FH11QCTvmk 3 - IdVtZ+2EyxvRLVXUTiiLPfAcKdkfY34MZrzn7SSl9eg 4 - -> ssh-rsa fFaiTA 5 - XfTTdTEAls+Qtl2WYcHCaKd+vE4eZaY5Rh1llYAfeAxBsmgq4vmSS1UFkPD5HUMl 6 - 9dkHZuEYyySdhOM7RFICYpwbWAdSybs08dFI4rjpYiU0ZuT54aDmvTtioVIIVvn+ 7 - E9YEphsIO4jbqTDEk0lgBNs622vlJ/d6xV6Loc15ZFYxyqteXTTpQii2Jpzh010b 8 - PW+LlzSChr4yMZWRqKQV2QcHQD699L3p4X5eleuUkMh1N+mM0U0RlDPnRzDx+10L 9 - yMZxyRjWs+u2mo1SuNrgzn14D9SewJXbhYvc+KcigTWhQymr4XHDCPguB4UExonu 10 - /JodLIpjVA4ZlTQV56jjMgOXDE5bk+TpHMULn2mxxXFxtDPzvamOjnjTNS9b6PVF 11 - /JHcRgHpoY4Z6KgQN4cR7naj23pco/k8DbI2f7TYTXTHxSl1wfLbaTwdtEpnuO4F 12 - D+sNXQC1wI5Kr0fQV6l1NwtPI1De2NbR4S8SKKJRDk+xdhnmiD3qawy+I5D2e8Ri 13 - JLkzUn4xeQgSLibXrDWJI++JCnc0le2OgdZ/uJd5feJJaSr8ISRW2Rhvq168bamf 14 - tTPFVG6V0YRC/oGgytT2TOtqrx9+Ewf2TN2BUdlckUp3k1L6JiZJg3Tnps8RaCvo 15 - wfsGS1ZKcadS6dQyfAKe7vr9Q/dEVYoOR0SIstLae6o 16 - -> ssh-ed25519 wpmdHA L3dLS8TuV+mkf9lT3ChtIvLxciLJIHhPdUFz8dcoe3I 17 - tpSkZkQ3yidTctaAk3yzye/DJiUYBeHvJBu7JDVsCqk 18 - -> 4-nZ-grease @h[XP&o 19 - g+aR0SZXoWycWqRgm2Ry00EJ29VWxfzDI3UmPg 20 - --- SlVpGEGQXxhp7CUE1f+LoX4rGtOONFm1SSq/gwGITpk 21 - \�;^_��T�p�R��21f��v̵]���O(��L���5X��ol&�����$ 22 - ��y���l^��"��V�c~
-19
systems/x86_64-linux/marvin/services/secrets/forgejo-oauth2-jwt-secret.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA yaO0bR/AMXXrY7ZqH9GlFFFNSYtd3YdIaZHeBkmAV2Y 3 - emQoXCiHu59lqhMo6+6RZcjykzCFgQL//LeMoMf42m0 4 - -> ssh-rsa fFaiTA 5 - vUrw2prvE5tBUMfKD/VtBYzoCz+OholrDVO4/8gvKWcUVBls1wjDHH3DXR68YRTt 6 - Kxxv/Nzi4aHOdwBgF/UQ4FkFE8Lq13N8upgVhUph6ryFI77bEZ30EJdI9bSNEPiD 7 - L75lnD/oqvALZviQGypX+phllyc/vihJuWF7wHEkNzowLYSfoYv0SoZYUym9nORG 8 - aRyw936NP1GGhOgnoqCfl/AJqE48nXlhK9SfJ/8xTfHrEgeT5e5lid6s9Uw0j/m0 9 - ZXA/ut6yoLS4+SgbOJR1RosiMav55+DGOVJ4PgK8s7hhzxyUTPqtoSPiQoLzjvqW 10 - vp4IY3DMSqPEsb7rbHn2eIfnaGqFof7x4HbG/ablKRQtx13DTJ0m2MKDubH2RWQT 11 - MZGiqA+h4jVShLBY8zX0l596K3eFdJqxZyxU5rzP5ahgS2JKaaaEarPdHXuZ1P+U 12 - NSGZ1O8hW0GQ6lyeTjyGA+ZwjWk+CBZFj4iaTGi9tnMLeF9GctVcNrSTNVxlUmek 13 - rBIfb5QXA8zuTJWbxcEjrFJb9dmjC7Sd9EtCfIRh6VQBXlClBQgSOZVqH6RBhJ51 14 - iRL9Po2Xrb/Y08w+BrCqdecfeDU027E/Ds2uSdoSK2OMJ6ZNaz3RER4HXitltPA+ 15 - gN3W5et8lD9DIW+cc1wj2MyitEFZh9pJ7C+uB6YF81Y 16 - -> ssh-ed25519 wpmdHA w2zM2j5IAfn51aylYdRUz8WCuv7FkumpxepsfqS//W0 17 - gVcYqjAA4ULVcSmS7BVRqF8kfWHbtjlX3659+CGQbME 18 - --- 1L+ACPbJPa2Y3wxSGr/7CBTPYXIOxOHynEhlUZGLgzw 19 - ��jq�uz�P3� "�}ܬĩ�W/距���ߎ+�΀q���*}�a��6��I,5<sB�m�{J�%(��a�A���
-19
systems/x86_64-linux/marvin/services/secrets/forgejo-secret-key.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA 2bKuQvw8O9MVoEjaS212yLxAjIcnoT9K1XfZ+WDUsQI 3 - sA0hNHX+vfLlM0WORLnrxMbHsqwNoqCrSTCY7iIBtmY 4 - -> ssh-rsa fFaiTA 5 - qIb+f5jyeTmKqW/ylUBcQH5tz0/0SM/ovGWkr1xiloqieANaMEdMTiQRYNrMpOtl 6 - HUn4YjLZ7RqlOUBvRWJkMsSaj2gnPCUBnnNh2exCG/rLWnbL2OfC3yFAcfFKSAc+ 7 - f/jiudo0PmSStP8o8S/Q+k74cxbg1ic/eMfX4hdHCxliI7privKtxOSz3yiuW2Tq 8 - ZOMKQ/YF3rqMD/O0jdUFu1OzdCuBj+GtpPrJGR5NJmeQJw8wM9Zk4ZMpW6MkOPij 9 - tK5URdwX15dDTC8woUCwvFdVKTd7+VV0E5p2y2ooIr9SNFOyK6ehwINIpoPvoQKn 10 - SgObyRUc4jksyPirl0r+1h2bFuJdWY/JhPb5pyeSZpI4VybZwWY0RpYgWtMNUJ3j 11 - 4YJ22pKKtkH0NXsWhwzG8Tmv7S0kDsZS+yD3vMD/mkAnlSt5cK0MnMXpqxfS0PWM 12 - lhk7iD/ne29yCvl3aWTfJF2Uc7gi2gcHZ9WscS07ysWD2kBkQAsMBohSNPP+sE9C 13 - qH8BFrlFBJs1K95jmnbtIprA9k7S0P9ahqnCh4B1PmNP7dWvVDjWeknrij3p4Vuo 14 - GibCDtFWrbO37Aksefs0AF2wGQmaHRHtAhdL2Ieh/v5yP1HMcMTpYvTFqw04AnRq 15 - C5Qj3pd89I2Zxfu71X8UuNqXFaDt7FTVPqQXA/QXmi4 16 - -> ssh-ed25519 wpmdHA bOhWTK7ltgJA9tVCQn/Has4cqeiGkLukCtV6ns2xgmg 17 - m18TCv820K+AhM3DsTG14LXWSSJ2Q0agwW/67B2cv7s 18 - --- RDzTUIZVWDsM2snL8JjZNi7JR3+uDVBqCpcXQwq5ics 19 - %-�t�'=*єNzW2�N��v�*��3��Ew�-������9yMg�Ğ��p/�OQ��I@},��VZy�ꧣUQ"���q��9moی�����g�to�
-23
systems/x86_64-linux/marvin/services/secrets/grafana-admin-password.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA XeXuqrum348P3vNXQH2ikpZfSIiLeJWejxY3tgGv+2g 3 - C40Ha7mJHes78csqAtgEBOMrVhZ84jR2MIw96o6xlKg 4 - -> ssh-rsa fFaiTA 5 - gMFfSu49RZeKk9Gj2jhdeG+Yvais/e8Xfw/7Vysgv5a9aZrNcduGcaVV36jYogMG 6 - D5nC5LqFDlvYKrfJDeQ5JKoYb6SJQ027qopoithQPMSRAIc4Ke6EwkIGPkH8a/R6 7 - +WgfUlaFiacOqRmNB2ObQvQvyKQt4EPihkqt76b2gGoz3e+lS6SS6pT2UUqHbV6d 8 - BqBgzc68YWS0IZPtyMcLNFL/TpGH3y0sf335ypuytiEHMmH9qN39h33rFRYB7gdB 9 - nGuKZ0nhqn3VQUWAiSWJW46+oGF78bsFRgnPvMVqc4TQaiXLG/Qv1jVEgBU/GSHC 10 - GbrE7fgBMMN2noX7zQ7NdBbOZF9J4gVm031lo3mpI4GlaO7G24EUTdG8JmP2cTcZ 11 - Q4iiiiZaOxWWhJ9ObDYr2clvm8P3TLqE6C77yzlA1QMo957rr4RO3HHDgfn/Ge6n 12 - gx30M/SCLKvCeyZTmRWHULlzlsr8MShENJf/zeKdbnNaMacofXgwL+mCe8bWHcrQ 13 - OfPmXBHa4UPb7zbESOaNgbYhCzjNEhqcXKn2AXbWcNJGImyOf0PievCBPGo/B013 14 - VETrs8gd1ud8GplsT8b0XMmAJDrJSPSJC7ieyjBFGU+dWucwtUtw3VajqMjklAZO 15 - 6gWo+ybtXA473LFpzu4MVA0Zr1nwaYajJDMsygfVVos 16 - -> ssh-ed25519 wpmdHA hqXiyptEBUhTluqATQtTHNjpQMsEWGweLZBM0vNr+0Q 17 - sSUev74dcNmHWZZF4l0iJjgEH+zX3pJ+1d88cZFU1QA 18 - -> W-grease dB_Ln,<Q 8OG= 19 - mn5NEEyg97gp+G6d9APe+CT+9uqp68TCOpqqwOYMk2BZwpVqmTysx1r595h66ShQ 20 - 4fDWVuM9W8k+nr7tuV1jSRtA/XH0NhwxgwM 21 - --- uqf0oP6H6UKtTSOO2W5kZtxmF3loWg9vD1tVqn442PQ 22 - ����ц�-��^W� ���� �qv�UP'w�=��N�7���;n��� 23 - ,a�%5�'һRTz��u]��P,
systems/x86_64-linux/marvin/services/secrets/grafana-smtp-password.age

This is a binary file and will not be displayed.

-23
systems/x86_64-linux/marvin/services/secrets/iceshrimp-db-password.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA g+DkjSGDd+i/sdqRCuU2I2Qzmq4Q+FI7wSyfkdM9q0Q 3 - cG52xAS/VPjCNgHdky0/jbMvF5tF+cB8BxFNCHYlf2s 4 - -> ssh-rsa fFaiTA 5 - r5mQer6QBi+HdSS16OLHfv/oh0hbug5drdX/BuQHMORogiDfHEM03K6pmg9064Ep 6 - CJgl6z3IS9hlLX7cSq2kVSvP9gk+l5AmI+pMZkJyT9ED43g6wtRI7yiy1ALO0rqB 7 - z/CPaoLkFNFlt7sDg5rijAB+t6DNAxULfFj8KR3b+NvGrrW6Vbaio+T5mg1A2PTd 8 - 60eEfuqdn9dHVI82FQFmai1LwoyButrUNn3UiP8aIdvFUueixcqsAXSK1zjPJZ5B 9 - VeAkshwhB9+HKMH1cyRa6LUbzJYxAQBhkgTFqS/r64h3ZAYHTc0lY44VtVhbnEQI 10 - 76PBEOcQXXjvPR6yvbcVZfpqCkqfo9hb7wogPfJiRMjKM/qlpR19KOf21T0hsV6q 11 - b7nYf01yBscx6GKXREkZoxgpo6iLLzVQqU5SzQgs7nxW089JdJ62WoZvJwTxv2G8 12 - AdzImnsw73q55MgOYtv/A3hGM8O1Jw4Q4UfMSS43xB+cuvtlEmSqi5mFh0gPbqQR 13 - LN8+OcDLz0SR8U6xHj9ufXfhHc4nwO8iZpzav5nZXMEb3Gmva3k8U+nnmuPKqsrL 14 - VxFmGNxqmWPfxO0FJC/cxLKME/Lj2MU9r6KT8RQ00BjHUfoDgbFzHVLqIEbIE+Vr 15 - /Glcmz/Ecrt3kTwfAhEDpj6g0XVNHt7HA+r4SDWjI00 16 - -> ssh-ed25519 wpmdHA LUF/UncaQTEMQepVAhEqFm345dICeW3d3QGhiflTSH8 17 - ImxpR4innOw1jMSF4gvmOGRDl0BzqAhOyz+GFstsJG4 18 - -> Cg-grease k7q9 19 - MLRf60C4nbEc9XHo26cg7UYySbZtOMP2kZtZmvLiS1XFeIqQaR0RgRcUOoTblYzo 20 - KQ 21 - --- PV6HHY8kDdpFcgNu83K/cwz4qQCW38jcHkTOkCunxrk 22 - �*ǜ�lq��^��fʀ���l�� R��C}Մ�ɧ���F�ĩ�&�~h� 23 - ̟�r��6ʞac,����lc� >
systems/x86_64-linux/marvin/services/secrets/iceshrimp-secret-config.age

This is a binary file and will not be displayed.

systems/x86_64-linux/marvin/services/secrets/miniflux-admin.age

This is a binary file and will not be displayed.

-24
systems/x86_64-linux/marvin/services/secrets/minio-root.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA mgvSF87cU7AZU7wodayiSUZAKkAkwqSrtjhqa4Pykl4 3 - eFNRjsChXz5ij9uOJvf+mJIE5zd6pwKJie7UKmwl5bE 4 - -> ssh-rsa fFaiTA 5 - NcGWHG9CTQ1Gpje+gsMrVlp1qc8w9NW+Onvv8WhaI+IFVEcUD85fvgPaO2jI88jK 6 - TXyPk9RanxiCupk7dF9OXqMprOHexss+h9SSl1AN+4V0Ob/H0r63de0Uuro70t/4 7 - /4FP8t5AE/aoFGdw6CeGyhOYjoLo6YRZAq4fYO0vvitFdcbWVm99OFbO3WfoxNZB 8 - TgUJ2ELV1mRfPKe3QwHYLztKcyxN4CArjNjQvjQbLXS2Hbu3I4f4qIdKPwGVC1HE 9 - Q0c9veAaffaAGgbNUyohDjN4I4jEzkRhTlRN4LNQmOUNLBorWu9ml+IyCnsg2Q+a 10 - nIyp6OvE7t0qElPv7H4m7krBP6WsSXLhUkCd75VgWEgJRqsLz7p8XyUpb/EhPmql 11 - CQy8gcAnsvNjYzC0xpZKsxN37dRvmTmQkWd3E1w4XDwHoh8EMdVXFkTAIZ3IZabZ 12 - 4MSkwhtgTBMiQvWMxIPN9fgsd6t1GawDsH+uN0tPpBslerlF17bszmdSdVYpYZBN 13 - Z2YE9z13vbL3eHvp83fp7n7Ale8sFd6FQ6VpbAa0xHiwYV0WooUHymhcG2W8Lcq9 14 - 5w9LJSaV7HMxjc0nUBloxsOF6ODcrOsfNo1VXe1vnbDAwhDqpcwaylxUoh3zpXHW 15 - XBEIzqVG3qC3ACD/xqCy27DkomgKXCG9eJvirAiQ2Uk 16 - -> ssh-ed25519 wpmdHA xWldzzokOiLqGXnhbDz+xpHYeqkV0ZNuQJqGp1h28VQ 17 - i2/gdjHevsacZhuSDeABMAKEbU0U00U0TQWSHDS82ws 18 - -> \G-grease v0 "."c0,-f Y3. 19 - MpzHrbDONd6D0zPzvCfz/ycI8sKBIP20soAtSN7EucFLN6BCbb13KT1BOh/Yvg5o 20 - +52Mlpg3p0KAdZFYp9Siqmcrb8GEEZ/8lqKu/n8TyD1BWe+eWq2PfbrhCtgqvMlR 21 - Dg 22 - --- lLxTWRzSaZ/GAzAmD88c//dzNqT4UDZQb4szP7MgCGY 23 - +�P��������q�f =Yc��,)��F�P�9�.���� �Z<��ɟF�c,�q���o��Y �>������\�l��z��2ϯ���_s���z��&_�B��q<�J����+0h�_��W 24 -
systems/x86_64-linux/marvin/services/secrets/nix-serve-priv.age

This is a binary file and will not be displayed.

systems/x86_64-linux/marvin/services/secrets/pinchflat-secrets.age

This is a binary file and will not be displayed.

systems/x86_64-linux/marvin/services/secrets/planka-env.age

This is a binary file and will not be displayed.

-40
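--- a/systems/x86_64-linux/marvin/services/secrets/secrets.nix
+++ b/systems/x86_64-linux/marvin/services/secrets/secrets.nix
@@ -1,40 +0,0 @@
-let
-ssh-new = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxOg9nOtfbedq9AlnXNVUfyU8Mwfj4IB7HX/4VoWeXP";
-yubi-back = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTVGi3PItsbUhFgnFZlqo1iUggL4npMg94+9FsyhEPfShcQwJK2/jJzjv5S9KPuk3cY7aoqyVFLbnasSBZPXmscJmOiVNvtWvHoC3QPXvf3IAcVZ5KOLpY2NJlPx/pAb31C6ewtg8v3VlyhL4zEp6M+AGwXX51tFDh2GnYD+7SNF+aMhKCrX63syAhgPy3F8mZ2RIDLAu+lsYlwdpWRkSEv9kcjX/6+3QgUWjfPBaKEeYID22ihSuj7+AiuAt0gM4q0TY/Hpcx+qDLonrIuBnm1hMZDgbv//D0sHIUxJQkGTKTEbkZxoh0Qri7UV/V6l3mETaG40deuemMU7RFY7Khl8RajNZ+9z0FdquS/HCt8+fYQk6eLneJrMIQ1bI4awrtblG3P2Yf2QUu+H3kfCQe44R3WjUugTbNtumVgyQBzl2dzlIVn1pZBeyZy70XCgbaFKkDR8Y/qZiUoZ0afP3vTOXhkn5UBfutTKwUiSGh3S8Ge5YhNgKHWE2eQp1ckEm0IMJV/q5Nsw/yBBXj/kfD8ekz96LQ+gP5JFLq4EaipXI7FM4aZNOBUZU1l/sCEuq7m997nrBucTKqGm7Ho3rq7bgdj4f6GyUJXSMOM1cN61LLrRumZGGTH8WghVL7ligxZyNFcQoudR8jfpf4mrgRxipQOe1A2umvuufMr+l/bw==";
-marvin = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP60B1IOdfJRrDcCKajMV8YJNC01gSsccZi3DKHlS6YJ";
-marvinDefault = [
-marvin
-yubi-back
-ssh-new
-];
-in
-{
-"authentik-env.age".publicKeys = marvinDefault;
-"buildbot-worker-password.age".publicKeys = marvinDefault;
-"buildbot-gitea-token.age".publicKeys = marvinDefault;
-"buildbot-oauth-secret.age".publicKeys = marvinDefault;
-"buildbot-workers.age".publicKeys = marvinDefault;
-"forgejo-db-pw.age".publicKeys = marvinDefault;
-"forgejo-mail-pw.age".publicKeys = marvinDefault;
-"forgejo-aux-docs-runner-token.age".publicKeys = marvinDefault;
-"forgejo-default-runner-token.age".publicKeys = marvinDefault;
-"forgejo-gitgay-runner-token.age".publicKeys = marvinDefault;
-"forgejo-internal-token.age".publicKeys = marvinDefault;
-"forgejo-lfs-jwt-secret.age".publicKeys = marvinDefault;
-"forgejo-oauth2-jwt-secret.age".publicKeys = marvinDefault;
-"forgejo-secret-key.age".publicKeys = marvinDefault;
-"golink-authkey.age".publicKeys = marvinDefault;
-"grafana-admin-password.age".publicKeys = marvinDefault;
-"grafana-smtp-password.age".publicKeys = marvinDefault;
-"iceshrimp-secret-config.age".publicKeys = marvinDefault;
-"iceshrimp-db-password.age".publicKeys = marvinDefault;
-"minio-root.age".publicKeys = marvinDefault;
-"miniflux-admin.age".publicKeys = marvinDefault;
-"../nextcloud/nextcloud-admin-pw.age".publicKeys = marvinDefault;
-"nix-serve-priv.age".publicKeys = marvinDefault;
-"pinchflat-secrets.age".publicKeys = marvinDefault;
-"planka-env.age".publicKeys = marvinDefault;
-"vaultwarden-vars.age".publicKeys = marvinDefault;
-"vaultwarden-pgpass.age".publicKeys = marvinDefault;
-"webmentiond-env.age".publicKeys = marvinDefault;
-}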
systems/x86_64-linux/marvin/services/secrets/thehedgehog-key.age

This is a binary file and will not be displayed.

systems/x86_64-linux/marvin/services/secrets/thehedgehog-pem.age

This is a binary file and will not be displayed.

-20
systems/x86_64-linux/marvin/services/secrets/vaultwarden-pgpass.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 iqBxIA MmMZMGXNjC0521Tc/YRvAc4uV6Mj14Hrncf05PEEEns 3 - 3gv8ZFgFx8CHTRelKT4AOGdNTnTtNsJqOCoynmzuOWI 4 - -> ssh-rsa fFaiTA 5 - Uy93t1IeeIHUwzKCA6m00kl58Z7Uyzsx08CFF2trLruf3iB6+mk703K6QMkrBUHR 6 - awSxL8TOLlRwV/h/ckFfTMlltPYcs49s1NV5BhqRSFQJpFOWtoh2RH+6HpZt7lVv 7 - 8rS2lnlrsm+s+oragwMPMtjLbN5llH3NiZ4V8C2bksKllxAYZJ98rT+kFB+k1BGI 8 - o8GcP7Z4+SyEyr4NZBo7pIdpyPYIvhw2MQUSM80Hs30IKGkvBuybDefYY7tSSCZ8 9 - puFY2uGI0tLcX9PCT73M7NRCO4Z9lgQgixDrLerDl4pwLd+6p5UHBk9DdmcxyX3f 10 - hYC75XcIMOKJfnSUd/maMzx7xgCHtGRuGTp2sHccC5pkjlhI7S8e6Exae66UjXYC 11 - 5AAA18m8Vzjcck0WiEE7XsZMCwYuKLg53wzsyhPLsHOTiu7BqRg8S/pmArY2SOa+ 12 - DfQE/fjpljGeKC9mDfyLe4+lyGQ1lUCzASacd1kG5iWS2NM0KDEG/iUTsurfY2gI 13 - 5v76P3r5iV6jQUGpwScH5XgaekbqC/Xp58p9JbNmPeD5q10ORPggJov4BmqZlX/c 14 - Zf2ImTzmECdFRRpcQHZEd/XpR2BfEXCfeLKJiwjYEYKYchD0eWOC7LUnb3+n1Ce+ 15 - XtlEs77kAkY1SfZyBv9AkP0FXUrfh7VLMeAh2cIsNzw 16 - -> ssh-ed25519 wpmdHA tjOcqTNJbYxD3s9DqfIHUHdw0xqtkWjMou7lPrANHEA 17 - s+9wASJ94ILA0SZYCrHO877yLLs+rZApqrJGi3sBznI 18 - --- CM35xl4mV3DtEYw5Fhzjpj79v4twt09X+weM5EoNkGw 19 - ��M�y&�q��p{p�W>û`A��@��L��/�@����:P���߿u�Nڏ&��^v��0�*/�u�q[�<�M<6J�W� �����9��~c��v�z 20 - k>���ˊ �I�
systems/x86_64-linux/marvin/services/secrets/vaultwarden-vars.age

This is a binary file and will not be displayed.

systems/x86_64-linux/marvin/services/secrets/webmentiond-env.age

This is a binary file and will not be displayed.

-15
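--- a/systems/x86_64-linux/marvin/services/syncthing.nix
+++ b/systems/x86_64-linux/marvin/services/syncthing.nix
@@ -1,15 +0,0 @@
-{
-services.syncthing = {
-enable = false;
-guiAddress = "0.0.0.0:8384";
-};
-# Open The Ports!
-networking.firewall.allowedTCPPorts = [
-8384
-22000
-];
-networking.firewall.allowedUDPPorts = [
-22000
-21027
-];
-}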
-12
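--- a/systems/x86_64-linux/marvin/services/tailscale.nix
+++ b/systems/x86_64-linux/marvin/services/tailscale.nix
@@ -1,12 +0,0 @@
-{ config, ... }:
-{
-services.tailscale = {
-enable = true;
-permitCertUid = "962";
-};
-networking.firewall = {
-trustedInterfaces = [ "tailscale0" ];
-allowedUDPPorts = [ config.services.tailscale.port ];
-checkReversePath = "loose";
-};
-}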
-118
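--- a/systems/x86_64-linux/marvin/services/vaultwarden.nix
+++ b/systems/x86_64-linux/marvin/services/vaultwarden.nix
@@ -1,118 +0,0 @@
-{
-pkgs,
-config,
-lib,
-...
-}:
-let
-
-d = lib.py.data.services.vaultwarden;
-
-vaultwardenSecret = {
-owner = "vaultwarden";
-group = "vaultwarden";
-};
-in
-{
-services.vaultwarden = {
-enable = true;
-dbBackend = "postgresql";
-webVaultPackage = pkgs.vaultwarden-vault;
-config = {
-# Web Server Settings
-domain = "https://${d.extUrl}";
-webVaultFolder = "${pkgs.vaultwarden-vault}/share/vaultwarden/vault";
-rocketAddress = "0.0.0.0";
-rocketCliColors = false;
-rocketPort = d.port;
-websocketEnabled = true;
-ipHeader = "X-Real-IP";
-reloadTemplates = false;
-logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";
-# # Ratelimiting
-loginRatelimitSeconds = 60;
-loginRatelimitMaxBurst = 10;
-adminRatelimitSeconds = 120;
-adminRatelimitMaxBurst = 2;
-adminSessionLifetime = 10;
-
-# Logging
-useSyslog = true;
-logLevel = "info";
-extendedLogging = true;
-
-# Features
-sendsAllowed = true;
-emailChangeAllowed = true;
-emergencyAccessAllowed = true;
-
-# Invitations
-invitationsAllowed = true;
-invitationOrgName = "PyroNet Vault";
-invitationExpirationHours = 168;
-
-# Database
-databaseUrl = "postgresql://localhost:5432/vaultwarden";
-
-# Signups
-signupsAllowed = false;
-signupsVerify = true;
-signupsVerifyResendTime = 3600;
-signupsVerifyResendLimit = 5;
-signupsDomainWhitelist = "pyrox.dev";
-
-# Passwords
-# # 1 Mil hash iterations by default
-passwordIterations = 1000000;
-passwordHintsAllowed = true;
-showPasswordHint = true;
-
-# Mail
-smtpFrom = "vault@pyrox.dev";
-smtpFromName = "PyroNet Vault <vault@pyrox.dev>";
-smtpUsername = "vault@pyrox.dev";
-smtpSecurity = "force_tls";
-smtpPort = 465;
-smtpHost = "mail.pyrox.dev";
-smtpAuthMechanism = "Login";
-smtpTimeout = 20;
-smtpEmbedImages = true;
-useSendmail = false;
-smtpDebug = false;
-smtpAcceptInvalidCerts = false;
-smtpAcceptInvalidHostnames = false;
-
-# Authentication
-authenticatorDisableTimeDrift = false;
-disable2faRemember = false;
-incomplete2faTimeLimit = 5;
-# # Email 2FA
-emailAttemptsLimit = 3;
-emailExpirationTime = 180;
-emailTokenSize = 7;
-requireDeviceEmail = true;
-
-# Icons
-disableIconDownload = false;
-iconService = "internal";
-iconRedirectCode = 302;
-iconDownloadTimeout = 10;
-iconBlacklistNonGlobalIps = true;
-# # 30 Day TTL
-iconCacheTtl = 30 * 24 * 60 * 60;
-iconCacheNegttl = 30 * 24 * 60 * 60;
-
-# Misc Settings
-trashAutoDeleteDays = 14;
-};
-environmentFile = config.age.secrets.vaultwarden-vars.path;
-};
-systemd.services.vaultwarden.environment.PGPASSFILE = config.age.secrets.vaultwarden-pgpass.path;
-environment.systemPackages = with pkgs; [ vaultwarden-vault ];
-age.secrets.vaultwarden-vars = vaultwardenSecret // {
-file = ./secrets/vaultwarden-vars.age;
-};
-age.secrets.vaultwarden-pgpass = vaultwardenSecret // {
-file = ./secrets/vaultwarden-pgpass.age;
-};
-}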
-23
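--- a/systems/x86_64-linux/marvin/services/webmentiond.nix
+++ b/systems/x86_64-linux/marvin/services/webmentiond.nix
@@ -1,23 +0,0 @@
-{ config, lib, ... }:
-let
-d = lib.py.data.services.webmentiond;
-p = toString d.port;
-in
-{
-virtualisation.oci-containers.containers.webmentiond = {
-image = "zerok/webmentiond:latest";
-volumes = [ "/var/lib/webmentiond:/data" ];
-environmentFiles = [ config.age.secrets.webmentiond-env.path ];
-ports = [ "${p}:${p}" ];
-cmd = [
-"--addr 0.0.0.0:${p}"
-"--public-url https://${d.extUrl}"
-"--auth-admin-emails pyrox@pyrox.dev"
-];
-};
-config.age.secrets = {
-webmentiond-env.path = ./secrets/webmentiond-env.age;
-owner = "thehedgehog";
-group = "misc";
-};
-}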
-8
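--- a/systems/x86_64-linux/marvin/services/zfs.nix
+++ b/systems/x86_64-linux/marvin/services/zfs.nix
@@ -1,8 +0,0 @@
-{
-services.zfs = {
-trim.enable = true;
-autoScrub.enable = true;
-autoScrub.pools = [ "tank" ];
-autoSnapshot.enable = true;
-};
-}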
-44
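--- a/systems/x86_64-linux/prefect/bootloader.nix
+++ b/systems/x86_64-linux/prefect/bootloader.nix
@@ -1,44 +0,0 @@
-{ pkgs, modulesPath, ... }:
-let
-fileSystems = {
-btrfs = true;
-ext4 = true;
-vfat = true;
-zfs = true;
-};
-in
-{
-imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-boot = {
-zfs.devNodes = "/dev/";
-loader = {
-grub.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_21170924";
-grub.enable = true;
-};
-initrd = {
-availableKernelModules = [
-"ata_piix"
-"uhci_hcd"
-"xen_blkfront"
-"ahci"
-"xhci_pci"
-"virtio_pci"
-"sd_mod"
-"sr_mod"
-];
-kernelModules = [ "nvme" ];
-supportedFilesystems = fileSystems;
-};
-supportedFilesystems = fileSystems;
-kernelPackages = pkgs.linuxPackages_6_1;
-kernel.sysctl = {
-"net.ipv4.ip_forward" = 1;
-"net.ipv6.conf.all.forwarding" = 1;
-"net.ipv4.conf.default.rp_filter" = 0;
-"net.ipv4.conf.all.rp_filter" = 0;
-};
-};
-services.udev.extraRules = ''
-ACTION=="add|change", KERNEL=="sd[a-z]*[0-9]*|mmcblk[0-9]*p[0-9]*|nvme[0-9]*n[0-9]*p[0-9]*", ENV{ID_FS_TYPE}=="zfs_member", ATTR{../queue/scheduler}="none"
-'';
-}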
-49
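--- a/systems/x86_64-linux/prefect/default.nix
+++ b/systems/x86_64-linux/prefect/default.nix
@@ -1,49 +0,0 @@
-{ pkgs, system, ... }:
-{
-imports = [
-# Machine-specific configurations.
-./bootloader.nix
-./firewall.nix
-./networking.nix
-./hardware.nix
-./packages.nix
-
-# DN42 Services
-./dn42/default.nix
-
-# Running Services
-# ./services/acme.nix
-./services/blog-update.nix
-./services/caddy.nix
-# ./services/dn42-peerfinder.nix
-./services/fail2ban.nix
-# ./services/headscale.nix
-./services/mailserver
-# ./services/netdata.nix
-./services/nginx
-./services/prometheus.nix
-./services/secrets.nix
-./services/tailscale.nix
-# ./services/zerotier.nix
-];
-nixpkgs.hostPlatform.system = system;
-fileSystems = {
-"/" = {
-fsType = "ext4";
-device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_21170924-part1";
-};
-};
-
-programs.fish.enable = true;
-programs.fish.interactiveShellInit = ''
-${pkgs.direnv}/bin/direnv hook fish | source
-'';
-py = {
-users.default.enable = true;
-programs = {
-fish.enable = true;
-neovim.enable = true;
-};
-services.scrutiny.collector.enable = true;
-};
-}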
-109
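--- a/systems/x86_64-linux/prefect/dn42/bgp.nix
+++ b/systems/x86_64-linux/prefect/dn42/bgp.nix
@@ -1,109 +0,0 @@
-_: {
-sessions = [
-# Chrismoos
-{
-multi = true;
-multihop = false;
-gracefulRestart = true;
-name = "chrismoos";
-neigh = "fe80::1588%wg42_chris";
-as = "4242421588";
-link = "1";
-}
-# Kioubit
-{
-multi = true;
-multihop = false;
-gracefulRestart = true;
-name = "kioubit";
-neigh = "fe80::ade0%wg42_kioubit";
-as = "4242423914";
-link = "3";
-}
-# IEDON
-{
-multi = true;
-multihop = false;
-gracefulRestart = true;
-name = "ideon";
-neigh = "fe80::2189:e8%wg42_iedon";
-as = "4242422189";
-link = "5";
-}
-# SUNNET
-{
-multi = true;
-multihop = false;
-gracefulRestart = true;
-name = "sunnet";
-neigh = "fe80::3088:193%wg42_sunnet";
-as = "4242423088";
-link = "3";
-}
-# C4TG1RL5
-{
-multi = true;
-multihop = false;
-gracefulRestart = true;
-name = "c4tg1rl5";
-neigh = "fe80::4242%wg42_catgirls";
-as = "4242421411";
-link = "6";
-}
-# Potat0
-{
-multi = true;
-multihop = false;
-gracefulRestart = true;
-name = "potato";
-neigh = "fe80::1816%wg42_potato";
-as = "4242421816";
-link = "2";
-}
-# Uffsalot-v6
-{
-multi = false;
-v4 = false;
-v6 = true;
-multihop = false;
-gracefulRestart = true;
-name = "uffsalot_v6";
-neigh = "fe80::780%wg42_uffsalot";
-as = "4242420780";
-link = "5";
-}
-# Uffsalot-v6
-{
-multi = false;
-v4 = true;
-v6 = false;
-multihop = false;
-gracefulRestart = true;
-name = "uffsalot_v4";
-neigh = "172.20.191.129";
-as = "4242420780";
-link = "5";
-}
-# Bandura
-{
-multi = true;
-multihop = false;
-gracefulRestart = true;
-name = "bandura";
-neigh = "fe80::2926%wg42_bandura";
-as = "4242422923";
-link = "4";
-}
-# Bluemedia
-{
-multi = true;
-multihop = false;
-gracefulRestart = true;
-name = "bluemedia";
-neigh = "fe80::42:3343:20:1%wg42_bluemedia";
-as = "4242423343";
-link = "5";
-}
-];
-extraConfig = "";
-}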
-315
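--- a/systems/x86_64-linux/prefect/dn42/bird.conf
+++ b/systems/x86_64-linux/prefect/dn42/bird.conf
@@ -1,315 +0,0 @@
-log stderr all;
-debug protocols all;
-timeformat protocol iso long;
-################################################
-# Variable header #
-################################################
-
-define OWNAS = 4242422459;
-define OWNIP = 172.20.43.96;
-define OWNIPv6 = fd21:1500:66b0::1;
-define OWNNET = 172.20.43.96/27;
-define OWNNETv6 = fd21:1500:66b0::/48;
-define OWNNETSET = [172.20.43.96/29+];
-define OWNNETSETv6 = [fd21:1500:66b0::/48+];
-define DN42_REGION = 42;
-
-################################################
-# Header end #
-################################################
-
-router id OWNIP;
-
-protocol device {
-scan time 10;
-}
-
-/*
-* Utility functions
-*/
-
-function is_self_net() {
-return net ~ OWNNETSET;
-}
-
-function is_self_net_v6() {
-return net ~ OWNNETSETv6;
-}
-
-function is_valid_network() {
-return net ~ [
-172.20.0.0/14{21,29}, # dn42
-172.20.0.0/24{28,32}, # dn42 Anycast
-172.21.0.0/24{28,32}, # dn42 Anycast
-172.22.0.0/24{28,32}, # dn42 Anycast
-172.23.0.0/24{28,32}, # dn42 Anycast
-172.31.0.0/16+, # ChaosVPN
-10.100.0.0/14+, # ChaosVPN
-10.127.0.0/16{16,32}, # neonetwork
-10.0.0.0/8{15,24} # Freifunk.net
-];
-}
-
-roa4 table dn42_roa;
-roa6 table dn42_roa_v6;
-
-protocol static {
-roa4 { table dn42_roa; };
-include "/etc/bird/roa_dn42.conf";
-};
-
-protocol static {
-roa6 { table dn42_roa_v6; };
-include "/etc/bird/roa_dn42_v6.conf";
-};
-
-function is_valid_network_v6() {
-return net ~ [
-fd00::/8{44,64} # ULA address space as per RFC 4193
-];
-}
-
-protocol kernel {
-scan time 20;
-
-ipv6 {
-import none;
-export filter {
-if source = RTS_STATIC then reject;
-krt_prefsrc = OWNIPv6;
-accept;
-};
-};
-};
-
-protocol kernel {
-scan time 20;
-ipv4 {
-import none;
-export filter {
-if source = RTS_STATIC then reject;
-krt_prefsrc = OWNIP;
-accept;
-};
-};
-}
-
-protocol static {
-route OWNNET reject;
-
-ipv4 {
-import all;
-export none;
-};
-}
-
-protocol static {
-route OWNNETv6 reject;
-
-ipv6 {
-import all;
-export none;
-};
-}
-
-template bgp dnpeers {
-local as OWNAS;
-path metric 1;
-}
-
-protocol ospf v3 {
-ipv4 {
-export filter {
-if source = RTS_STATIC || source = RTS_BGP then reject;
-accept;
-};
-};
-
-area 0 {
-interface "lo" {
-stub;
-};
-
-interface "ospf_*"{
-type pointopoint;
-};
-};
-}
-
-protocol ospf v3 {
-ipv6 {
-export filter {
-if source = RTS_STATIC || source = RTS_BGP then reject;
-accept;
-};
-};
-
-area 0 {
-interface "lo" {
-stub;
-};
-
-interface "ospf_*" {
-type pointopoint;
-};
-
-};
-}
-
-
-function update_latency(int link_latency) {
-bgp_community.add((64511, link_latency));
-if (64511, 9) ~ bgp_community then { bgp_community.delete([(64511, 1..8)]); return 9; }
-else if (64511, 8) ~ bgp_community then { bgp_community.delete([(64511, 1..7)]); return 8; }
-else if (64511, 7) ~ bgp_community then { bgp_community.delete([(64511, 1..6)]); return 7; }
-else if (64511, 6) ~ bgp_community then { bgp_community.delete([(64511, 1..5)]); return 6; }
-else if (64511, 5) ~ bgp_community then { bgp_community.delete([(64511, 1..4)]); return 5; }
-else if (64511, 4) ~ bgp_community then { bgp_community.delete([(64511, 1..3)]); return 4; }
-else if (64511, 3) ~ bgp_community then { bgp_community.delete([(64511, 1..2)]); return 3; }
-else if (64511, 2) ~ bgp_community then { bgp_community.delete([(64511, 1..1)]); return 2; }
-else return 1;
-}
-
-function update_bandwidth(int link_bandwidth) {
-bgp_community.add((64511, link_bandwidth));
-if (64511, 21) ~ bgp_community then { bgp_community.delete([(64511, 22..29)]); return 21; }
-else if (64511, 22) ~ bgp_community then { bgp_community.delete([(64511, 23..29)]); return 22; }
-else if (64511, 23) ~ bgp_community then { bgp_community.delete([(64511, 24..29)]); return 23; }
-else if (64511, 24) ~ bgp_community then { bgp_community.delete([(64511, 25..29)]); return 24; }
-else if (64511, 25) ~ bgp_community then { bgp_community.delete([(64511, 26..29)]); return 25; }
-else if (64511, 26) ~ bgp_community then { bgp_community.delete([(64511, 27..29)]); return 26; }
-else if (64511, 27) ~ bgp_community then { bgp_community.delete([(64511, 28..29)]); return 27; }
-else if (64511, 28) ~ bgp_community then { bgp_community.delete([(64511, 29..29)]); return 28; }
-else return 29;
-}
-
-function update_crypto(int link_crypto) {
-bgp_community.add((64511, link_crypto));
-if (64511, 31) ~ bgp_community then { bgp_community.delete([(64511, 32..34)]); return 31; }
-else if (64511, 32) ~ bgp_community then { bgp_community.delete([(64511, 33..34)]); return 32; }
-else if (64511, 33) ~ bgp_community then { bgp_community.delete([(64511, 34..34)]); return 33; }
-else return 34;
-}
-
-function get_region() {
-if (64511, 41) ~ bgp_community then { return 41; }
-else if (64511, 42) ~ bgp_community then { return 42; }
-else if (64511, 43) ~ bgp_community then { return 43; }
-else if (64511, 44) ~ bgp_community then { return 44; }
-else if (64511, 45) ~ bgp_community then { return 45; }
-else if (64511, 46) ~ bgp_community then { return 46; }
-else if (64511, 47) ~ bgp_community then { return 47; }
-else if (64511, 48) ~ bgp_community then { return 48; }
-else if (64511, 49) ~ bgp_community then { return 49; }
-else if (64511, 50) ~ bgp_community then { return 50; }
-else if (64511, 51) ~ bgp_community then { return 51; }
-else if (64511, 52) ~ bgp_community then { return 52; }
-else if (64511, 53) ~ bgp_community then { return 53; }
-else return DN42_REGION;
-}
-
-
-function calculate_local_pref(int dn42_latency)
-int pref;
-{
-pref = 100;
-if (is_self_net() || is_self_net_v6()) then {
-pref = 2000;
-}
-else if (bgp_path.len = 1) then {
-pref = 1000;
-}
-else if (DN42_REGION = get_region()) then {
-pref= 500;
-}
-else {
-if (DN42_REGION > get_region()) then {
-pref = 500 - ((DN42_REGION - get_region()) * 10);
-}
-else {
-pref = 500 - ((get_region() - DN42_REGION) * 10);
-}
-}
-pref = pref - 10*dn42_latency - 10* bgp_path.len;
-if pref > 2000 then {
-pref = 10;
-}
-return pref;
-}
-
-function update_flags(int link_latency; int link_bandwidth; int link_crypto)
-int dn42_latency;
-int dn42_bandwidth;
-int dn42_crypto;
-{
-dn42_latency = update_latency(link_latency);
-dn42_bandwidth = update_bandwidth(link_bandwidth) - 20;
-dn42_crypto = update_crypto(link_crypto) - 30;
-if dn42_bandwidth > 5 then dn42_bandwidth = 5;
-bgp_local_pref = calculate_local_pref(dn42_latency);
-return true;
-}
-
-
-function dn42_import_filter(int link_latency; int link_bandwidth; int link_crypto) {
-if (is_valid_network() && !is_self_net()) || (is_valid_network_v6() && !is_self_net_v6()) then {
-if roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID && roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID then {
-print "[dn42] Import : ROA check failed for ", net, " ASN ", bgp_path.last, " on ", proto;
-reject;
-}
-update_flags(link_latency, link_bandwidth, link_crypto);
-if (65535, 666) ~ bgp_community then dest = RTD_BLACKHOLE;
-accept;
-}
-print "[dn42] Import : Invalid Network for ", net, " ASN ", bgp_path.last, " on ", proto;
-reject;
-}
-
-function dn42_export_filter(int link_latency; int link_bandwith; int link_crypto) {
-if is_valid_network() || is_valid_network_v6() then {
-# if roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID && roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID then {
-# print "[dn42] Export : ROA check failed for ", net, " ASN ", bgp_path.last, " on ", proto;
-# reject;
-# }
-if source = RTS_STATIC then bgp_community.add((64511, DN42_REGION));
-update_flags(link_latency, link_bandwith, link_crypto);
-accept;
-}
-reject;
-}
-
-protocol bgp route_collector from dnpeers {
-neighbor fd42:4242:2601:ac12::1 as 4242422602;
-multihop;
-ipv4 {
-# export all available paths to the collector
-add paths tx;
-
-# import/export filters
-import none;
-export filter {
-# export all valid routes
-if ( is_valid_network() && source ~ [ RTS_STATIC, RTS_BGP ] )
-then {
-accept;
-}
-reject;
-};
-};
-
-ipv6 {
-# export all available paths to the collector
-add paths tx;
-
-# import/export filters
-import none;
-export filter {
-# export all valid routes
-if ( is_valid_network_v6() && source ~ [ RTS_STATIC, RTS_BGP ] )
-then {
-accept;
-}
-reject;
-};
-};
-}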
-31
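--- a/systems/x86_64-linux/prefect/dn42/default.nix
+++ b/systems/x86_64-linux/prefect/dn42/default.nix
@@ -1,31 +0,0 @@
-{ pkgs, ... }:
-{
-imports = [
-./services.nix
-./wireguard.nix
-];
-networking.interfaces.lo = {
-ipv4.addresses = [
-{
-address = "172.20.43.96";
-prefixLength = 32;
-}
-];
-ipv6.addresses = [
-{
-address = "fd21:1500:66b0::1";
-prefixLength = 128;
-}
-{
-address = "fe80::1";
-prefixLength = 128;
-}
-];
-};
-environment.systemPackages = with pkgs; [
-dnsutils
-mtr
-tcpdump
-wireguard-tools
-];
-}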
-71
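--- a/systems/x86_64-linux/prefect/dn42/services.nix
+++ b/systems/x86_64-linux/prefect/dn42/services.nix
@@ -1,71 +0,0 @@
-{ pkgs, lib, ... }:
-let
-script = pkgs.writeShellScriptBin "update-roa" ''
-mkdir -p /etc/bird/
-${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
-${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf
-${pkgs.bird2}/bin/birdc c
-${pkgs.bird2}/bin/birdc reload in all
-'';
-bgp = import ./bgp.nix { };
-in
-{
-systemd = {
-timers.dn42-roa = {
-description = "Trigger a ROA table update";
-
-timerConfig = {
-OnBootSec = "5m";
-OnUnitInactiveSec = "1h";
-Unit = "dn42-roa.service";
-};
-
-wantedBy = [ "timers.target" ];
-before = [ "bird.service" ];
-};
-services = {
-dn42-roa = {
-after = [ "network.target" ];
-description = "DN42 ROA Updated";
-unitConfig = {
-Type = "one-shot";
-};
-serviceConfig = {
-ExecStart = "${script}/bin/update-roa";
-};
-};
-};
-};
-
-services = {
-bird = {
-enable = true;
-package = pkgs.bird2;
-checkConfig = false;
-config =
-builtins.readFile ./bird.conf
-+ lib.concatStrings (
-builtins.map (
-x:
-"\n protocol bgp ${x.name} from dnpeers {\n ${
-if x.multihop then "multihop;" else ""
-}\n ${
-if x.gracefulRestart then "graceful restart on;" else ""
-}\n neighbor ${x.neigh} as ${x.as};\n ${
-if x.multi || x.v4 then
-"\n ipv4 {\n extended next hop on;\n import where dn42_import_filter(${x.link},25,34);\n export where dn42_export_filter(${x.link},25,34);\n import keep filtered;\n };\n "
-else
-""
-}\n ${
-if x.multi || x.v6 then
-"\n ipv6 {\n extended next hop on;\n import where dn42_import_filter(${x.link},25,34);\n export where dn42_export_filter(${x.link},25,34);\n import keep filtered;\n };\n "
-else
-""
-}\n }\n "
-) bgp.sessions
-)
-+ bgp.extraConfig;
-};
-};
-users.users.thehedgehog.extraGroups = [ "bird2" ];
-}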
-86
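--- a/systems/x86_64-linux/prefect/dn42/tunnels.nix
+++ b/systems/x86_64-linux/prefect/dn42/tunnels.nix
@@ -1,86 +0,0 @@
-{ tunnel, ... }:
-let
-# deadnix: skip
-defaultPubKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";
-defaultPrivKeyFile = "/run/agenix/dn42-privkey";
-defaultLocalIPv4 = "172.20.43.96";
-in
-{
-wg42_chris =
-# Ports 485-486 available
-
-tunnel 487 defaultPrivKeyFile "itmJ4Z8V1aNN368P6kMzuQM+GdzWbBKZjJiXrgSeGlw=" defaultLocalIPv4
-"fe80::100"
-"us-qas01.dn42.tech9.io:52322"
-"wg42_chris"
-"172.20.16.143"
-"fe80::1588";
-
-wg42_kioubit =
-tunnel 488 defaultPrivKeyFile "6Cylr9h1xFduAO+5nyXhFI1XJ0+Sw9jCpCDvcqErF1s=" defaultLocalIPv4
-"fe80::3"
-"us2.g-load.eu:22459"
-"wg42_kioubit"
-"172.20.53.98"
-"fe80::ade0";
-
-# Ports 489-490 available
-
-wg42_iedon =
-tunnel 491 defaultPrivKeyFile "Sz0UhewjDk2yRKI0QL9rB+5daWpXFVlbbz9cLfVVLn4=" defaultLocalIPv4
-"fe80::6"
-"us-sjc.dn42.kuu.moe:35470"
-"wg42_iedon"
-"172.23.91.117"
-"fe80::2189:e8";
-
-wg42_sunnet =
-tunnel 492 defaultPrivKeyFile "QSAeFPotqFpF6fFe3CMrMjrpS5AL54AxWY2w1+Ot2Bo=" defaultLocalIPv4
-"fe80::abcd"
-"v6.lax1-us.dn42.6700.cc:22459"
-"wg42_sunnet"
-"172.21.100.193"
-"fe80::3088:193";
-
-wg42_catgirls =
-tunnel 493 defaultPrivKeyFile "jo8eAfY8LeA4FAEJ4laYYMNkMd4z3oO/zN5DN0Mo+RQ=" defaultLocalIPv4
-"fe80::7"
-"karx.xyz:22459"
-"wg42_catgirls"
-""
-"fe80::4242";
-
-# Port 494 Available
-
-wg42_potato =
-tunnel 495 defaultPrivKeyFile "LUwqKS6QrCPv510Pwt1eAIiHACYDsbMjrkrbGTJfviU=" defaultLocalIPv4
-"fe80::9"
-"las.node.potat0.cc:22459"
-"wg42_potato"
-""
-"fe80::1816";
-
-wg42_uffsalot =
-tunnel 496 defaultPrivKeyFile "7V65FxvD9AQetyUr0qSiu+ik8samB4Atrw2ekvC0xQM=" defaultLocalIPv4
-"fe80::10"
-"dn42-de-fra4.brand-web.net:42459"
-"wg42_uffsalot"
-"172.20.191.129"
-"fe80::780";
-
-wg42_bandura =
-tunnel 497 defaultPrivKeyFile "xPW1/cWYDkk/IAss1GbdwVMW7fzKtyHA+qrfCriOB2k=" defaultLocalIPv4
-"fe80::11"
-"aurora.mk16.de:52459"
-"wg42_bandura"
-""
-"fe80::2926";
-
-wg42_bluemedia =
-tunnel 498 defaultPrivKeyFile "7HNg2+uMI2WfntN+WlMnlTDG6xra/Dusee82cuXWMBY=" defaultLocalIPv4
-"fe80::12"
-"de-fra01.dn42.bluemedia.dev:22459"
-"wg42_bluemedia"
-"172.22.167.82"
-"fe80::42:3343:20:1";
-}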
-59
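--- a/systems/x86_64-linux/prefect/dn42/wireguard.nix
+++ b/systems/x86_64-linux/prefect/dn42/wireguard.nix
@@ -1,59 +0,0 @@
-{ pkgs, lib, ... }:
-let
-defaultLocalIPv4 = "172.20.43.96/32";
-defaultLocalIPv6 = "fe80::1/64";
-privKeyFile = "/run/agenix/dn42-privkey";
-# deadnix: skip
-defaultPubKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";
-in
-{
-environment.systemPackages = [ pkgs.wireguard-tools ];
-
-networking.wireguard.interfaces = import ./tunnels.nix rec {
-customTunnel =
-listenPort: privKeyFile: peerPubKey: endpoint: name: peerIPv4: peerIPv6: localIPv4: localIPv6: isOspf: {
-inherit listenPort;
-privateKeyFile = privKeyFile;
-allowedIPsAsRoutes = false;
-peers = [
-{
-inherit endpoint;
-publicKey = peerPubKey;
-allowedIPs = [
-"0.0.0.0/0"
-"::/0"
-];
-dynamicEndpointRefreshSeconds = 5;
-persistentKeepalive = 15;
-}
-];
-postSetup =
-''
-${
-if peerIPv4 != "" then
-"${pkgs.iproute2}/bin/ip addr add ${localIPv4} peer ${peerIPv4} dev ${name}"
-else
-""
-}
-${
-if peerIPv6 != "" then
-"${pkgs.iproute2}/bin/ip -6 addr add ${localIPv6} peer ${peerIPv6} dev ${name}"
-else
-""
-}
-''
-+ lib.optionalString isOspf "${pkgs.iproute2}/bin/ip -6 addr add ${defaultLocalIPv6} dev ${name}";
-};
-# deadnix: skip
-tunnel =
-listenPort: privKey: peerPubKey: localIPv4: localIPv6: endpoint: name: peerIPv4: peerIPv6:
-customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4 peerIPv6 localIPv4 localIPv6
-false;
-# deadnix: skip
-ospf =
-listenPort: privKey: peerPubKey: endpoint: name: peerIPv4: peerIPv6: ULAIPv6:
-customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4 peerIPv6 defaultLocalIPv4
-ULAIPv6
-true;
-};
-}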
-56
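--- a/systems/x86_64-linux/prefect/firewall.nix
+++ b/systems/x86_64-linux/prefect/firewall.nix
@@ -1,56 +0,0 @@
-{
-# Enable using nftables instead of iptables
-networking.nftables.enable = true;
-networking.firewall = {
-enable = true;
-allowedTCPPorts = [
-80
-143
-179
-389
-443
-465
-587
-636
-993
-4130
-6900
-8000
-];
-allowedUDPPorts = [
-636
-4367
-6900
-34197
-];
-allowedUDPPortRanges = [
-{
-from = 480;
-to = 510;
-}
-];
-trustedInterfaces = [
-"tailscale0"
-"wg0"
-
-# DN42 Interfaces
-"wg42_bandura"
-"wg42_bluemedia"
-"wg42_catgirls"
-"wg42_chris"
-"wg42_iedon"
-"wg42_kioubit"
-"wg42_liki"
-"wg42_lutoma"
-"wg42_potato"
-"wg42_sunnet"
-"wg42_uffsalot"
-"wg42_usman"
-];
-extraForwardRules = ''
-meta iifname "wg42_*" meta oifname "wg42_*" accept
-meta iifname tailscale0 meta oifname "wg42_*" accept
-meta iifname "wg42_*" meta oifname tailscale0 tcp dport 22 accept
-'';
-};
-}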
-1
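--- a/systems/x86_64-linux/prefect/hardware.nix
+++ b/systems/x86_64-linux/prefect/hardware.nix
@@ -1,1 +0,0 @@
-{ zramSwap.enable = true; }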
-35
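--- a/systems/x86_64-linux/prefect/networking.nix
+++ b/systems/x86_64-linux/prefect/networking.nix
@@ -1,35 +0,0 @@
-{ lib, ... }:
-{
-networking = {
-hostName = "prefect";
-hostId = "496e5e96";
-nameservers = lib.mkForce [
-"172.20.0.53"
-"172.23.0.53"
-"fd42:d42:d42:53::1"
-"fd42:d42:d42:54::1"
-"2a01:4ff:ff00::add:2"
-"2a01:4ff:ff00::add:1"
-"185.12.64.1"
-"185.12.64.2"
-"100.123.15.72"
-];
-resolvconf.enable = false;
-resolvconf.extraConfig = ''
-name_servers="172.20.0.53 172.23.0.53 fd42:d42:d42:53::1 fd42:d42:d42:54::1 2a01:4ff:ff00::add:2 2a01:4ff:ff00::add:1 185.12.64.1 185.12.64.2 100.64.0.3 45.11.45.11"
-# name_servers="100.64.0.3"
-'';
-interfaces.enp1s0 = {
-ipv6.addresses = [
-{
-address = "2a01:4ff:f0:98bf::1";
-prefixLength = 64;
-}
-];
-};
-defaultGateway6 = {
-address = "fe80::1";
-interface = "enp1s0";
-};
-};
-}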
-4
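--- a/systems/x86_64-linux/prefect/packages.nix
+++ b/systems/x86_64-linux/prefect/packages.nix
@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-{
-environment.systemPackages = with pkgs; [ direnv ];
-}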
systems/x86_64-linux/prefect/secrets/acme-creds.age

This is a binary file and will not be displayed.

-22
systems/x86_64-linux/prefect/secrets/dn42-peerfinder-uuid.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 LcWOqQ lCXo2TQBEAvr7KhmVvvbwjN83hnL+5UcpStdcjqv60g 3 - nDAEHj5Sjvm3OKeu/sGKp+/2ev9xRzNt7nKEQF4mXKc 4 - -> ssh-ed25519 ihSg8g a5yUPLIjgg66GHD2e786WRLBw4WM/uS9sgNpfB12h3A 5 - z9i6/l6PuvvpectHTX8Pukk32IWs1fxW9PeEsKwJi6o 6 - -> ssh-rsa fFaiTA 7 - DQCJr2/nQoGFk0D/0V6BF8n+q1l8EQoxPIxW0UpiGMaXo4XyquW7ml+NReZLZlbX 8 - Mn6YZ34OVX5G9iyopbFxwrXlKynFkVMOHBSdZLUMA0jcACB8NjyXOd6Xul47mgXO 9 - gfPnDctyz5koORMkBDIXVq0nFz/JcjtoZw+Dt+4xF9S5YpL85c1c0mNBk11KZ5lk 10 - +m1fQYeH9VvVGd85f5w3ar8boKOr9bzWemBezlA1kYWuepvNj02TmM7BTidujvSW 11 - i3aaJz9x0I8YYP8A97sUiHqoOile9iEwgxmR+jIbAayGoA/psHuWhoZEc6vCpmO1 12 - J/EUc3XVeNi65XsTNHnp9Am+R6v0oHELy7ZTb6ZmFvcI+YiCOK9Z6Uu/s9HADXdg 13 - HStH8rnWprr+OOhJCKsG+sER9yeVEHxasnYp19RWiQfey/uRZ0c8pgNHl6gL/dP5 14 - liGO2S1z5XutLHtano4KqMrLuhx0Q3LMwCCYqwh8Im8Ys99ybhqwsIiswcp2reO/ 15 - eAf5JqsMSAV2RF9FPbaje5iIjguot5b/hW3oHqyolxx4YW71paPT0XY5jxAdX8uB 16 - 78Ix6hfb/VuWYX9bbwWOd+m9LGWmMXlcXaq/0sP4vtyTFtwx4YUhNDgAFZS9SQN0 17 - Qn86PhoH7v+u3UL8KaRqyGdtPMHBu5dSLk4rstagMww 18 - -> 7{1=-grease 19 - aCyD1f3xk2/qELFbODbpIM/Dc4bsllly+tqxNS2UGdGF9QKUd3q3qGZ+J/OAwo6U 20 - sOXwmgGsvUWTuZKkOiq8dZAAJBMI+gm7F887iIziTM7c70nDZgM4ZJw 21 - --- Deear164Z0UavR1aoVnqYOKLN1JSbzTWP0e1aAB2UyQ 22 - �kv<���c��F���߶��i����-��ql�7V�+CMbm�/�*�vy���KO��t�f���H/�
-21
systems/x86_64-linux/prefect/secrets/dn42-privkey.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 LcWOqQ 2p/ECOGBMuvZJOXwJbUaGNYqscmr71TA3DkWzjjBr24 3 - 6PSCl0C856tR1awTfzINwvRzMiYnj22Me6rLn7/MxIg 4 - -> ssh-ed25519 ihSg8g MjXixI0aAR7c9QawSq82iQhvdN3ymq/DgydGfS6Hqxs 5 - LL2aqkMnudIef3LrUj64bnQNnX2OuNYU7fSwiDy9GUc 6 - -> ssh-rsa fFaiTA 7 - c2QK8KSL9TLDT4WtkxN/uM7Qr0IV046TvIUMH+AEuM2/6n+na1vWDMSAN0peVADE 8 - e1lDmEPQZhXJJivm4QiZGIHMRqQlLIsxVIFc/x8UERrEKbZFx2ixRedjLZIggx98 9 - ran0p0B5hYujepGGnEeTdN57fGOMwUm7cjt8lt+NNFxNYAPpAp9HWgNl/zEnUfIJ 10 - jva09tcxel3UOo+pKXU9ABZwdEJulKQh0LWby7oIR7VSSTaazlS78jSPFtGb4usB 11 - evHs3tM2bEOHmzyjhkpoP4mOpKhT17kAZW/79GyngPRFo/KzLLXMdvHP7WA/BHuk 12 - Au4elgb/PPyknzq0l/Bdona0JQMLiqU7VKRhWVhd/hfk1ebryhDFUFdd3DCQIYMu 13 - FZPaBPWv97C2wuCI9x0MCojrg4YZ8vg7MzIqcjoRliOSQzzbtwLbHSbqABF24kvD 14 - qSu7MNzOkA268meCoKq4Zwq/7/iBx2Y7kU60QOtcF5wr8h8ItxCoIsFY4du+eGsu 15 - KMlmyATiQQSlLPV0XYbVfXj+QqFUT6uaL8+pcihxf89Z18dDr0faFBJdCMzg0oQU 16 - cC0Fger4mdesMCzTwwiQKDgmr4VEY8FEKVYJKEyvNmAMgQ4ffu1ayDwvCKT7J6Cl 17 - MWFJd/Uu3FwQW4js06xesk6gFapRho6pX1bW3O30GAw 18 - -> Y8W~90-grease 19 - rMjbbRProIOJp5bL7fpF3LcUpd15dRntintI6J4wQ5UUcteGWsu/XQeHdAw 20 - --- ZbmVkB97YWXL+/wk1XWkkcjFWTlppeJVKfT0f5SAhRE 21 - �D�;��}�P���S��_�\�x�j�T3�Ex�?=��ē�Uo��xնPS��K#�������/�r�$�Q��s"~c
-23
systems/x86_64-linux/prefect/secrets/headscale-oidc-secret.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 LcWOqQ /qbLa3wYnzmIzStlN1bkWacoEu10eYMK+QuqiQG40yU 3 - RF5tvyMowBrPbJ/GwkAEcC4CZAIJO03IxVTzXoP4UW4 4 - -> ssh-ed25519 ihSg8g G0//nDlcriBk3ZD0eYSz5fLniG3QtTI+7lOVJRuSkAI 5 - GIgnujrTlNpP5sKN83+jcLbKldDFRD8raGc0NFiSGGk 6 - -> ssh-rsa fFaiTA 7 - MTceua+C/2xtv7AhC1Z5JfNGDRQgewr7cgLI3cJ1LVZ2MvE7d8mGhrXcB5ZTj3Ew 8 - +hdNloFxvIqFH9SGvwyOUuyCHdvWnBbgo/jQMSHCfIjrzWAiW//jDuYoVpQDAAkj 9 - PUbIEwxsKOcxVovYXI8Km0xlJipAfYb947nmSX4fEvopqSv8CcDSMKuMarmsk28C 10 - NKBzpduYZO5EtrzyxEjxF3gsM19Eak/kdwYNBqpAfSy83gm62qcXnlYOO9qyQfY+ 11 - lG0fRwI4bj0s9CGUuovOkqX1htPT6paAJauXfz76Z+I2+EU0mzxTj3Cbw33DXrY6 12 - ygtbQcx16442q9NT6MubPPQLhneu3iTLkFjYp/tyRi3SaYJq0Xq00kvcS3Fa33yh 13 - uOxSm1zRp808oamRMvjaeT5dK0dCqCH3w90er3qUQDPjr1l5PQk38QkNIDKew+V9 14 - 6wjIAhELdSNiiIHdzrsps9NzcuGYiq22VsIbdMP33dHRHUVfg9BTKZ+b0D9PKIeW 15 - IWZP9JgZ3n1oTLEz8JA6zLoIOCNEA/UxXJQt+rOC4Iab61tM8nc78YvDU/JI3Q5y 16 - cRneNiR8ajPy3JHDtf8seplSP8iOQuGUzQOjReaXRKoZAiJqOZfVAAfnWAWbtKEC 17 - 01YBxhcUqi5lTo+MLdfGDU+JGnkwJY2WY5JpsFRMR+I 18 - -> ]Wd5-grease A8@{\ D" ip5n1A 6O$*i 19 - FdMZg+d1pT6zi7iuAYoSZTh/qNszRzmWTPiuVStOAKxKCZ9s38w2BDdM8hnPywkB 20 - kp/IkIP4DdcstuTjjXeA8Iq0au1HXV7lv6bhsaRxUQ 21 - --- /HHMIZdum4T0wQ1w2Uxk+p2uLdohkg6sSsQ3VRWDjvo 22 - ��*ԏ��g�pg��h�X� ?H�� Vo 23 - ���;��$Q��!I@�Α��,[�@���c����Ű �߅�lܲB� NeˎY���O�����q�,�=h�n7"��>�y�[�=O�~^{�fʷa���}sV�o<�at��|]�T$�ϱ� , �w�Q
-35
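--- a/systems/x86_64-linux/prefect/secrets/secrets.nix
+++ b/systems/x86_64-linux/prefect/secrets/secrets.nix
@@ -1,35 +0,0 @@
-let
-yubi-back = "ssh-rsa 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";
-yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746";
-# deadnix: skip
-backup = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyTiGctsHaTUlRJn2XQ/745dD0UWGWO8W0en8J5rf7BLI8lL/hPUmbNt45vC5754LXcBjnp1t/1FNgiGhvNZIWJpC+elBmhyMhg8z1exRZPD+as7XaH7scnij2vSbSphQFUqH433ggAGe77x5bc7wKFp9n7vj8G1u0JJxMEe1M7kNFY0+ShNtaHna3LxiQOVcW7qVlNKZP8Ol1V7kZLblRADCJMTYOXDIbktA8bbGRfGhbNjJGkL665qz36haYwb2i6A4sC7Y583N8ro8hIDG/ByJqwbl/Sz4rSxkT6G4+OdBvS6sa7TovNXHjmQCculMIltdog7UhgyBsim1sTzxAen3YyFRi1Cz/kLM0oH39m/W4IoMvJcNZCJ3ItLgy+lEVMd87jVOqfuq/hyjHVI0wJtU2Si2HTxv7aKL8gPzqXwbNH+nhkhlQ0ZH8zKVBunOgLDgsmGIky5X/T3bpWZpIoFkOR7AYrId/5dOeGM3pHhHb6woZ3SRubZ43Ah/VdJM=";
-prefect = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP532AB5mkNvE29MkDDY8HEf8ZdktGWiI0PzLrvbmLQe";
-in
-{
-imports = [ ../../common/secrets/secrets.nix ];
-"headscale-oidc-secret.age".publicKeys = [
-prefect
-yubi-main
-yubi-back
-];
-"dn42-privkey.age".publicKeys = [
-prefect
-yubi-main
-yubi-back
-];
-"dn42-peerfinder-uuid.age".publicKeys = [
-prefect
-yubi-main
-yubi-back
-];
-"wireguard-priv-key.age".publicKeys = [
-prefect
-yubi-main
-yubi-back
-];
-"acme-creds.age".publicKeys = [
-prefect
-yubi-main
-yubi-back
-];
-}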
-22
systems/x86_64-linux/prefect/secrets/wireguard-priv-key.age
··· 1 - age-encryption.org/v1 2 - -> ssh-ed25519 LcWOqQ g84V98MwKjOCCuR5Rtg+gkLlqFolPYg3LV39a5tZGUI 3 - h/UWIu+BTynxqpNQ6/Bd/b3It/YQ62dDZE+EG939kZU 4 - -> ssh-ed25519 ihSg8g X1E3eKRhjuYNxFysUvqVmYhOXTq8caTiBELvon2S6Rw 5 - tp/90DAk5j3C8FC9xDLnZrFYehYr7LUgNEt1wv35uJo 6 - -> ssh-rsa fFaiTA 7 - vdTyDtO1BW6AqZKXqYuD2+LSrItuTQ7V621EQztUNRH5Xqnvmu+iBrWrp0N+mskj 8 - CXnOvTmljRKVZeYrL7klVrMm9injKnm/RE7xXFGH0r3RACCZBAM8RBeTP+2uaY3k 9 - 80h7lFdGbaYr7Cll4GFrE7yu4U3ppEz64miTm9flPSqbYWhx95KErzDrqHjpX/Z2 10 - DUUPElZoOROSItMhFIJrTjpvSphZl/iaQvXNN4Iyyo4/jJuTEfyjjSdJxoZFDTuA 11 - A9MDAe8ntpv//fCVmf5Fl0n/Z3ZGZUiuxfLKmoNk1YiU/iZHKYjqgNvqUjcBMKdL 12 - 0kH0TEONYpXnJRRPZ1WdpPaAZRdAv8vDRbBImAmswKRp86JV6l1FKmiyJ+f26Szx 13 - C+tUpSA99To7Qu5sd3f1FZvyO7uYxKaRXTVGz31GjaLfTVqoz//SANDTex6fbhrh 14 - T6MQQpN8qA0iGzl8oIGoA4yAcvOTRyDhYFQ7Pl4e5RxfYg+LSf7aHFTcqBW3W+R/ 15 - 8ZgV8uMVVqPHaE7ALmd/Ohwf5/ijk7fpkhcUQrZW7Phh+q1i/RwgM27C+/9Ci+Y/ 16 - Lld9c5brVFpr2zc4nky9SSEgn5LX3WQ+NBcI/7p2oqf10L9rXQg70nkrnc484V4I 17 - H/ijJorqeqpF5APsS7PQvFaq4pM6KNEPkBJXvSmRDfM 18 - -> U-grease K/ {M?A uT &Znu 19 - HQXShu9SFsh/px2FbJYOujtCUFuADqncNSrabK336xrvF0DatA7g0JIdK+sL/gBE 20 - OGTuNwJO6VYm0AHh9UK/3K1gCqrvge3s/E5/FoDPUkcdnw 21 - --- FA4ZAcsL7emSCKvfVXZPp0lSxto1VXJxRYRVqm6jBjY 22 - � ��07���ܼ`�H}Ž��k�R�������\�'m���-�Rk�]Z��"0ʎ����r�H��+�� �H�y–#
-23
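--- a/systems/x86_64-linux/prefect/services/acme.nix
+++ b/systems/x86_64-linux/prefect/services/acme.nix
@@ -1,23 +0,0 @@
-{ config, ... }:
-{
-security.acme = {
-certs."pyrox.dev" = {
-domain = "*.pyrox.dev";
-};
-defaults = {
-# LE Production Server
-server = "https://acme-v02.api.letsencrypt.org/directory";
-# use EC-384 instead of the default, EC-256
-keyType = "ec384";
-email = "pyrox@pyrox.dev";
-# Enable OSCP Must-Staple(see https://blog.apnic.net/2019/01/15/is-the-web-ready-for-ocsp-must-staple/ )
-ocspMustStaple = true;
-# For DNS Challenges, use ClouDNS(my provider)
-dnsProvider = "cloudns";
-# Enable DNS Propagation checks(ensure DNS records exist before requesting certs)
-dnsPropagationCheck = true;
-# Agenix-encrypted credentials for ClouDNS
-credentialsFile = config.age.secrets.acme-creds.path;
-};
-};
-}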
-30
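--- a/systems/x86_64-linux/prefect/services/blog-update.nix
+++ b/systems/x86_64-linux/prefect/services/blog-update.nix
@@ -1,30 +0,0 @@
-{ pkgs, lib, ... }:
-{
-systemd.timers.blog-update = {
-enable = true;
-after = [ "network.target" ];
-wantedBy = [ "multi-user.target" ];
-description = "Blog Update Timer";
-timerConfig = {
-Unit = "blog-update.service";
-OnUnitActiveSec = 300;
-};
-};
-
-systemd.services.blog-update = {
-enable = true;
-wantedBy = [ "multi-user.target" ];
-description = "Blog Update Service";
-path = [
-"${pkgs.git}"
-];
-serviceConfig = {
-WorkingDirectory = "/var/www/blog";
-User = "caddy";
-Group = "caddy";
-Type = "oneshot";
-ExecStartPre = "${lib.getExe pkgs.git} fetch origin pages";
-ExecStart = "${lib.getExe pkgs.git} reset --hard origin/pages";
-};
-};
-}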
-5
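--- a/systems/x86_64-linux/prefect/services/blog-update.sh
+++ b/systems/x86_64-linux/prefect/services/blog-update.sh
@@ -1,5 +0,0 @@
-node scripts/precommit.js
-node scripts/predeploy.js
-hugo -d out
-cp -fvr out/ /var/www/blog/
-exit 0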
-234
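--- a/systems/x86_64-linux/prefect/services/caddy.nix
+++ b/systems/x86_64-linux/prefect/services/caddy.nix
@@ -1,234 +0,0 @@
-{ pkgs, lib, ... }:
-let
-pns = lib.py.data.services;
-marvin = lib.py.data.hosts.marvin.ts.ip4;
-tsNet = lib.py.data.tsNet;
-reverseProxyToMarvin = port: ts: {
-extraConfig = ''
-reverse_proxy http://${marvin}:${toString port}
-${if ts then "tailscale_auth" else ""}
-'';
-};
-in
-{
-services.caddy = {
-enable = true;
-package = pkgs.caddy.withPlugins {
-plugins = [
-"github.com/caddy-dns/desec@v0.0.0-20240526070323-822a6a2014b2"
-"github.com/greenpau/caddy-security@v1.1.31"
-"github.com/tailscale/caddy-tailscale@v0.0.0-20250207163903-69a970c84556"
-];
-hash = "sha256-rvPZ/Lomx40tvlqqhUBIG9wCHJorN2FGus7gtO7ob/0=";
-};
-email = "pyrox@pyrox.dev";
-virtualHosts = {
-# Just get TLS certs for mailserver
-"mail.pyrox.dev" = { };
-# Redirect old domains -> pyrox.dev
-"blog.pyrox.dev" = {
-serverAliases = [
-"www.pyrox.dev"
-"thehedgehog.me"
-];
-extraConfig = ''
-redir https://pyrox.dev{uri} permanent
-'';
-};
-"pyrox.dev" = {
-extraConfig = ''
-route {
-header /.well-known/matrix/* Access-Control-Allow-Origin *
-reverse_proxy /.well-known/matrix/* http://100.123.15.72:6922
-redir /.well-known/carddav https://cloud.pyrox.dev/.well-known/carddav temporary
-redir /.well-known/caldav https://cloud.pyrox.dev/.well-known/caldav temporary
-header /.well-known/openpgpkey/* Access-Control-Allow-Origin *
-header /.well-known/openpgpkey/hu/* application/octet-stream
-respond /.well-known/openpgpkey/*/policy 200
-header /.well-known/fursona Content-Type application/json
-header {
-X-Content-Type-Options nosniff
-Permissions-Policy accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), unload=(),
-+Permissions-Policy display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(),
-+Permissions-Policy gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(),
-+Permissions-Policy payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(),
-+Permissions-Policy sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(),
-+Permissions-Policy clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=()
-X-Frame-Options SAMEORIGIN
-Referrer-Policy origin
--Server
-}
-file_server {
-root /var/www/blog
-hide .git
-precompressed br gzip
-}
-}
-'';
-};
-
-# Authentik
-"${pns.authentik.extUrl}:443" = reverseProxyToMarvin pns.authentik.port false;
-"${pns.authentik.extUrl}:80" = reverseProxyToMarvin pns.authentik.port false;
-"http://${pns.authentik.extUrl}:389" = reverseProxyToMarvin 389 false;
-"${pns.authentik.extUrl}:636" = reverseProxyToMarvin 636 false;
-
-# Vaultwarden
-${pns.vaultwarden.extUrl} = {
-extraConfig = ''
-header / {
-Strict-Transport-Security "max-age=31536000;"
-X-XSS-Protection "0"
-X-Frame-Options "DENY"
-X-Robots-Tag "noindex, nofollow"
-X-Content-Type-Options "nosniff"
--Server
--X-Powered-By
--Last-Modified
-}
-reverse_proxy ${marvin}:${toString pns.vaultwarden.port} {
-header_up X-Real-IP {remote_host}
-}
-'';
-};
-
-# Cinny + Conduit
-${pns.matrix-server.extUrl} = {
-extraConfig = ''
-handle /_matrix/* {
-reverse_proxy http://${marvin}:${toString pns.matrix-server.port}
-}
-handle {
-root * /var/www/cinny/dist/
-try_files {path} / index.html
-file_server
-}
-'';
-};
-# Jellyfin
-${pns.jellyfin.extUrl} = {
-extraConfig = ''
-@blocked not remote_ip 100.64.0.0/10 private_ranges
-reverse_proxy http://${marvin}:${toString pns.jellyfin.port}
-handle /metrics* {
-respond @blocked "Access Denied" 403
-}
-'';
-};
-
-# MTA-STS Setup for mailserver
-"mta-sts.pyrox.dev" = {
-extraConfig = ''
-header Content-Type text/plain; charset=utf-8
-respond /.well-known/mta-sts.txt <<END
-version: STSv1
-mode: enforce
-mx: mail.pyrox.dev
-mx:mail2.pyrox.dev
-max_age: 2419200
-END 200
-'';
-};
-
-# Yourmother.website
-"yourmother.website" = {
-extraConfig = ''
-header Content-Type text/html
-respond 200 {
-body `<!DOCTYPE html>
-<html>
-<head>
-<meta http-equiv="Refresh" content="0; url=https://youtube.com/watch?v=oHg5SJYRHA0" />
-</head>
-</html>`
-}
-'';
-};
-
-# OpenPGP WKD stuff
-"openpgpkey.pyrox.dev" = {
-serverAliases = [ "openpgpkey.thehedgehog.me" ];
-extraConfig = ''
-respond /.well-known/openpgpkey/{labels.1}.{labels.0}/policy 200
-header Access-Control-Allow-Origin *
-header /.well-known/openpgpkey/{labels.1}.{labels.0}/hu/* Content-Type application/octet-stream
-file_server {
-root /var/www/blog/
-}
-'';
-};
-
-# Metrics
-":6899" = {
-extraConfig = ''
-metrics /metrics
-'';
-};
-# SIMPLE HOSTS
-
-# Forgejo
-${pns.git.extUrl} = {
-extraConfig = ''
-reverse_proxy http://${marvin}:${toString pns.git.port}
-'';
-};
-
-# Grafana
-${pns.grafana.extUrl} = {
-extraConfig = ''
-reverse_proxy http://${marvin}:${toString pns.grafana.port}
-'';
-};
-
-# Miniflux
-${pns.miniflux.extUrl} = {
-extraConfig = ''
-reverse_proxy http://${marvin}:${toString pns.miniflux.port}
-'';
-};
-
-# Nextcloud
-${pns.nextcloud.extUrl} = {
-extraConfig = ''
-reverse_proxy http://${marvin}:${toString pns.nextcloud.port}
-'';
-};
-
-# Nextcloud-Office(Collabora)
-${pns.nextcloud-office.extUrl} = {
-extraConfig = ''
-reverse_proxy http://${marvin}:${toString pns.nextcloud-office.port}
-'';
-};
-
-# Planka
-${pns.planka.extUrl} = {
-extraConfig = ''
-reverse_proxy http://${marvin}:${toString pns.planka.port}
-'';
-};
-
-# Simple Tailscale Hosts
-
-# Deemix
-"${pns.deemix.tsHost}.${tsNet}" = {
-extraConfig = ''
-bind tailscale/${pns.deemix.tsHost}
-tailscale_auth
-reverse_proxy http://${marvin}:${toString pns.deemix.port}
-'';
-};
-# Pinchflat
-"${pns.pinchflat.tsHost}.${tsNet}" = {
-extraConfig = ''
-bind tailscale/${pns.pinchflat.tsHost}
-tailscale_auth
-reverse_proxy http://${marvin}:${toString pns.pinchflat.port}
-'';
-};
-
-};
-};
-systemd.services.caddy.serviceConfig.CapabilityBoundingSet = "CAP_NET_BIND_SERVICE";
-systemd.services.caddy.serviceConfig.AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-}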
-4
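--- a/systems/x86_64-linux/prefect/services/dn42-peerfinder.nix
+++ b/systems/x86_64-linux/prefect/services/dn42-peerfinder.nix
@@ -1,4 +0,0 @@
-{ config, ... }:
-{
-config.py.services.dn42-pingfinder.uuidFile = config.age.secrets.dn42-peerfinder-uuid.path;
-}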
-38
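--- a/systems/x86_64-linux/prefect/services/fail2ban.nix
+++ b/systems/x86_64-linux/prefect/services/fail2ban.nix
@@ -1,38 +0,0 @@
-{
-services.fail2ban = {
-enable = true;
-maxretry = 5;
-ignoreIP = [
-"4349:3909:beef::/48"
-"100.64.0.0/10"
-"127.0.0.0/8"
-"10.0.0.0/8"
-"172.16.0.0/12"
-"192.168.0.0/16"
-];
-jails = {
-postfix = {
-filter = "postfix";
-settings = {
-action = "nftables";
-port = "143,993";
-};
-};
-dovecot = {
-filter = "dovecot";
-settings = {
-action = "nftables";
-port = "25,465,587";
-};
-};
-# I don't use SSHd right now, but if I do, re-enable this.
-# sshd = {
-# filter = "sshd";
-# settings = {
-# action = "nftables";
-# port = "22";
-# };
-# };
-};
-};
-}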
-73
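--- a/systems/x86_64-linux/prefect/services/headscale.nix
+++ b/systems/x86_64-linux/prefect/services/headscale.nix
@@ -1,73 +0,0 @@
-# Headscale is a tailscale-compatible control plane that you can use with all of the clients.
-{
-services.headscale = {
-enable = true;
-port = 6900;
-# Set so that anything can access this. Default is localhost only, which is useless
-address = "0.0.0.0";
-# Server URL is the FQDN of this server
-serverUrl = "https://vpn.thehedgehog.me:6900";
-dns = {
-# All domains are .hog domains internally
-baseDomain = "hog";
-# Enable MagicDNS
-# See https://tailscale.com/kb/1081/magicdns/ for more details
-magicDns = true;
-# I inject DNS.sb as my secondary nameserver, and my adblocking server as primary.
-nameservers = [ "45.11.45.11" ];
-# Domains to inject, so I can type "media/" into my search bar and go to "media.main.hog"
-# You can't tell headscale to not create a namespace, so this is the best that I can do
-domains = [ "main.hog" ];
-};
-# Automatic TLS
-tls = {
-letsencrypt = {
-# Set up automatic Let's Encrypt cert pulls
-hostname = "vpn.thehedgehog.me";
-};
-};
-# Disabled since if this goes down, then it's a pain to reconnect to auth
-# OIDC configuration, so I can have my beloved SSO.
-# openIdConnect = {
-# # Issuer is HedgeCloud auth, my private auth server
-# issuer = "https://auth.thehedgehog.me/application/o/hedgevpn/";
-# # All people get assigned to the "main" namespace
-# domainMap = {
-# ".*" = "main";
-# };
-# # Set client ID for OIDC
-# clientId = "25066b6b1e72718186f8c0dc20f7892951834b6e";
-# # Client Secret is in this file
-# clientSecretFile = "/run/agenix/headscale-oidc-secret";
-# };
-# Misc settings that aren't set in the above sections
-settings = {
-# Set challenge type, forwarded by Caddy
-tls_letsencrypt_challenge_type = "HTTP-01";
-# oidc.strip_email_domain = true;
-# NixOS handles our updates
-disable_check_updates = true;
-ip_prefixes = [
-"4349:3909:beef::/48"
-"100.64.0.0/10"
-];
-derp = {
-server = {
-enabled = true;
-region_id = 969;
-region_code = "internal";
-region_name = "Internal DERP";
-stun_listen_addr = "0.0.0.0:6869";
-};
-};
-};
-};
-systemd.services.headscale.serviceConfig.CapabilityBoundingSet = [
-"CAP_CHOWN"
-"CAP_NET_BIND_SERVICE"
-];
-systemd.services.headscale.serviceConfig.AmbientCapabilities = [
-"CAP_CHOWN"
-"CAP_NET_BIND_SERVICE"
-];
-}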
-127
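--- a/systems/x86_64-linux/prefect/services/mailserver/default.nix
+++ b/systems/x86_64-linux/prefect/services/mailserver/default.nix
@@ -1,127 +0,0 @@
-{ lib, pkgs, ... }:
-{
-imports = [
-./logins.nix
-./monitoring.nix
-./overrides.nix
-];
-mailserver = {
-enable = true;
-fqdn = "mail.pyrox.dev";
-openFirewall = true;
-
-# All domains this server runs email for
-domains = [ "pyrox.dev" ];
-
-# Enable STARTTLS
-enableImap = true;
-enableSubmission = true;
-
-# Disable POP3, I don't use it and neither should you
-enablePop3 = false;
-enablePop3Ssl = false;
-
-# Enable ManageSieve so that we don't need to change the config to update sieves
-enableManageSieve = true;
-
-# Set directories for services
-mailDirectory = "/srv/mail/vmail";
-sieveDirectory = "/srv/mail/sieve";
-indexDir = "/var/lib/dovecot/indices";
-dkimKeyDirectory = "/srv/mail/dkim";
-
-# Set all no-reply addresses
-rejectRecipients = [
-"no-reply@pyrox.dev"
-"dmarc-noreply@pyrox.dev"
-];
-
-# DKIM Settings
-dkimBodyCanonicalization = "relaxed";
-dkimHeaderCanonicalization = "relaxed";
-dkimKeyBits = 4096;
-dkimSelector = "mail";
-dkimSigning = true;
-
-# DMARC Settings
-dmarcReporting = {
-enable = true;
-domain = "pyrox.dev";
-localpart = "dmarc-noreply";
-fromName = "PyroNet Mail DMARC Service";
-organizationName = "PyroNet Mail";
-};
-
-# Mailboxes for all users
-mailboxes = {
-Drafts = {
-auto = "subscribe";
-specialUse = "Drafts";
-};
-Junk = {
-auto = "subscribe";
-specialUse = "Junk";
-};
-Sent = {
-auto = "subscribe";
-specialUse = "Sent";
-};
-Trash = {
-auto = "subscribe";
-specialUse = "Trash";
-};
-};
-
-# Full-Text-Search Settings
-fullTextSearch = {
-enable = true;
-autoIndex = true;
-enforced = "body";
-maintenance = {
-enable = true;
-onCalendar = "daily";
-randomizedDelaySec = 1000;
-};
-memoryLimit = 2048;
-minSize = 3;
-};
-
-# Certificate Settings
-certificateScheme = "manual";
-certificateFile = "/var/lib/mail/mail.crt";
-keyFile = "/var/lib/mail/mail.key";
-};
-
-services.opendkim = {
-user = lib.mkForce "virtualMail";
-group = lib.mkForce "virtualMail";
-};
-
-# Copy mail certs every month so that they don't expire
-systemd = {
-timers."copy-mail-certs" = {
-wantedBy = [ "timers.target" ];
-timerConfig = {
-OnBootSec = "5m";
-OnCalendar = "daily";
-Unit = "copy-mail-certs.service";
-};
-};
-
-services."copy-mail-certs" = {
-script = ''
-set -eu
-cp -fvr /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.pyrox.dev/mail.pyrox.dev.crt /var/lib/mail/mail.crt
-chmod a+r /var/lib/mail/mail.crt
-cp -fvr /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.pyrox.dev/mail.pyrox.dev.key /var/lib/mail/mail.key
-chmod a+r /var/lib/mail/mail.key
-chown -hR virtualMail:virtualMail /var/lib/mail/
-'';
-serviceConfig = {
-Type = "oneshot";
-User = "root";
-};
-};
-};
-
-}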
-37
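--- a/systems/x86_64-linux/prefect/services/mailserver/logins.nix
+++ b/systems/x86_64-linux/prefect/services/mailserver/logins.nix
@@ -1,37 +0,0 @@
-{
-mailserver.loginAccounts = {
-"pyrox@pyrox.dev" = {
-hashedPassword = "$2b$05$8k04quBe6adg8d1yznEp3uNYM54MOVJTwDGIWvzocQFoWbmcCvebC";
-aliases = [
-"pyrox"
-"postmaster@pyrox.dev"
-"abuse@pyrox.dev"
-"domains@pyrox.dev"
-];
-};
-"social@pyrox.dev" = {
-hashedPassword = "$2b$05$kFDeXvSKU9oXuQXlitA7v.kkbzgCDTrm4O3Nb1kifPe7yAR7.KimO";
-sendOnly = true;
-};
-"auth@pyrox.dev" = {
-hashedPassword = "$2b$05$O049hbSwRJ5VYeAA8lLR4e6.fqVWf4PotgIUAO356j5K.OoGH5PF.";
-sendOnly = true;
-};
-"vault@pyrox.dev" = {
-hashedPassword = "$2b$05$MHo03BG3AVpBh4NE97zQ8.gTPx2sCoa6Jsw.DRxHBOBaKZ8DbfPrS";
-sendOnly = true;
-};
-"library@pyrox.dev" = {
-hashedPassword = "$2b$05$IHsSbEla8KL4gwExvFECFuuoP0ESk66K29R.vawTpbxEpuw1ahii.";
-sendOnly = true;
-};
-"cloud@pyrox.dev" = {
-hashedPassword = "$2b$05$kmbsJ2X3Y2l0KYO8jjy1SOJP29coEeKFaMqU6qvRzz/dLJp78CAk6";
-sendOnly = true;
-};
-"git@pyrox.dev" = {
-hashedPassword = "$2b$05$uZoLVdCo48rLVBFdG0.UXua8a.84w1PzmLYOpJ1qTNo25KCdQlflm";
-sendOnly = true;
-};
-};
-}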
-46
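--- a/systems/x86_64-linux/prefect/services/mailserver/monitoring.nix
+++ b/systems/x86_64-linux/prefect/services/mailserver/monitoring.nix
@@ -1,46 +0,0 @@
-{ config, pkgs, ... }:
-# let
-# cfg = config.mailserver;
-# in
-{
-mailserver.monitoring = {
-enable = true;
-alertAddress = "pyrox@pyrox.dev";
-config = ''
-set daemon 120 with start delay 60
-set mailserver
-localhost
-set alert ${config.mailserver.monitoring.alertAddress}
-
-set httpd port 2812 and use address localhost
-allow localhost
-allow admin:obwjoawijerfoijsiwfj29jf2f2jd
-
-check filesystem root with path /
-if space usage > 80% then alert
-if inode usage > 80% then alert
-
-check system $HOST
-if cpu usage > 95% for 10 cycles then alert
-if memory usage > 75% for 5 cycles then alert
-if swap usage > 20% for 10 cycles then alert
-if loadavg (1min) > 90 for 15 cycles then alert
-if loadavg (5min) > 80 for 10 cycles then alert
-if loadavg (15min) > 70 for 8 cycles then alert
-
-check process postfix with pidfile /var/lib/postfix/queue/pid/master.pid
-start program = "${pkgs.systemd}/bin/systemctl start postfix"
-stop program = "${pkgs.systemd}/bin/systemctl stop postfix"
-if failed port 25 protocol smtp for 5 cycles then restart
-
-check process dovecot with pidfile /var/run/dovecot2/master.pid
-start program = "${pkgs.systemd}/bin/systemctl start dovecot2"
-stop program = "${pkgs.systemd}/bin/systemctl stop dovecot2"
-if failed host ${config.mailserver.fqdn} port 993 type tcpssl sslauto protocol imap for 5 cycles then restart
-
-check process rspamd with matching "rspamd: main process"
-start program = "${pkgs.systemd}/bin/systemctl start rspamd"
-stop program = "${pkgs.systemd}/bin/systemctl stop rspamd"
-'';
-};
-}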
-21
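--- a/systems/x86_64-linux/prefect/services/mailserver/overrides.nix
+++ b/systems/x86_64-linux/prefect/services/mailserver/overrides.nix
@@ -1,21 +0,0 @@
-{ lib, ... }:
-let
-inherit (lib) mkForce;
-tlsProtocols = ">=TLSv1.2";
-excludeCiphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, AES128-SHA, AES256-SHA";
-in
-{
-services.postfix.config = {
-# only support TLS 1.3/1.2
-smtpd_tls_protocols = mkForce tlsProtocols;
-smtp_tls_protocols = mkForce tlsProtocols;
-smtpd_tls_mandatory_protocols = mkForce tlsProtocols;
-smtp_tls_mandatory_protocols = mkForce tlsProtocols;
-
-# Exclude insecure ciphers
-smtpd_tls_mandatory_exclude_ciphers = mkForce excludeCiphers;
-smtpd_tls_exclude_ciphers = mkForce excludeCiphers;
-smtp_tls_mandatory_exclude_ciphers = mkForce excludeCiphers;
-smtp_tls_exclude_ciphers = mkForce excludeCiphers;
-};
-}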
-158
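--- a/systems/x86_64-linux/prefect/services/named.conf
+++ b/systems/x86_64-linux/prefect/services/named.conf
@@ -1,158 +0,0 @@
-include "/etc/bind/rndc.key";
-controls {
-inet 127.0.0.1 allow {localhost;} keys {"rndc-key";};
-};
-
-acl cachenetworks { 127.0.0.0/24; };
-acl dn42-dns { 172.20.129.2; 172.20.1.255; 172.22.76.110; 172.20.14.33; };
-
-options {
-directory "/run/named";
-pid-file "/run/named/named.pid";
-
-# Server Identity
-version "420.69";
-server-id "zaphod";
-hostname "zaphod";
-
-# Enable DNSSEC
-dnssec-validation no;
-
-# Only listen to local addresses
-listen-on { 127.0.0.1; };
-listen-on-v6 { ::1; };
-allow-query { any; };
-# disable the integrated handling of RFC1918 and non-assigned IPv6 space reverse dns
-empty-zones-enable no;
-validate-except {
-# DN42 Zones
-"dn42";
-"20.172.in-addr.arpa";
-"21.172.in-addr.arpa";
-"22.172.in-addr.arpa";
-"23.172.in-addr.arpa";
-"10.in-addr.arpa";
-"d.f.ip6.arpa";
-# ChaosVPN Zones
-"hack";
-"31.172.in-addr.arpa";
-"100.10.in-addr.arpa";
-"101.10.in-addr.arpa";
-"102.10.in-addr.arpa";
-"103.10.in-addr.arpa";
-
-# NeoNetwork Zones
-"neo";
-"127.10.in-addr.arpa";
-"7.2.1.0.0.1.d.f.ip6.arpa";
-};
-
-# Recursion settings
-recursion yes;
-allow-recursion { any; };
-allow-recursion-on { any; };
-allow-query-cache { any; };
-allow-query-cache-on { any; };
-prefetch 10;
-};
-
-# DN42 Zones
-zone "dn42" {
-type forward;
-forward only;
-forwarders { 172.20.0.53; 172.23.0.53; };
-};
-zone "20.172.in-addr.arpa" {
-type forward;
-forward only;
-forwarders { 172.20.0.53; 172.23.0.53; };
-};
-zone "21.172.in-addr.arpa" {
-type forward;
-forward only;
-forwarders { 172.20.0.53; 172.23.0.53; };
-};
-zone "22.172.in-addr.arpa" {
-type forward;
-forward only;
-forwarders { 172.20.0.53; 172.23.0.53; };
-};
-zone "23.172.in-addr.arpa" {
-type forward;
-forward only;
-forwarders { 172.20.0.53; 172.23.0.53; };
-};
-zone "10.in-addr.arpa" {
-type forward;
-forward only;
-forwarders { 172.20.0.53; 172.23.0.53; };
-};
-zone "d.f.ip6.arpa" {
-type forward;
-forward only;
-forwarders { 172.20.0.53; 172.23.0.53; };
-};
-
-# ChaosVPN Zones
-zone "hack" {
-type forward;
-forward only;
-forwarders { 172.31.0.5; 172.31.255.53; };
-};
-zone "31.172.in-addr.arpa" {
-type forward;
-forward only;
-forwarders { 172.31.0.5; 172.31.255.53; };
-};
-zone "100.10.in-addr.arpa" {
-type forward;
-forward only;
-forwarders { 172.31.0.5; 172.31.255.53; };
-};
-zone "101.10.in-addr.arpa" {
-type forward;
-forward only;
-forwarders { 172.31.0.5; 172.31.255.53; };
-};
-zone "102.10.in-addr.arpa" {
-type forward;
-forward only;
-forwarders { 172.31.0.5; 172.31.255.53; };
-};
-zone "103.10.in-addr.arpa" {
-type forward;
-forward only;
-forwarders { 172.31.0.5; 172.31.255.53; };
-};
-
-# NeoNetwork
-zone "neo" {
-type forward;
-forward only;
-forwarders { 10.127.255.53; };
-};
-zone "127.10.in-addr.arpa" {
-type forward;
-forward only;
-forwarders { 10.127.255.53; };
-};
-zone "7.2.1.0.0.1.d.f.ip6.arpa" {
-type forward;
-forward only;
-forwarders { 10.127.255.53; };
-};
-
-zone "crxn" {
-type forward;
-forward only;
-forwarders { fd92:58b6:2b2::5353; };
-};
-# Fallback root zone
-zone "." {
-type forward;
-forward only;
-forwarders { 100.123.15.72; 9.9.9.9; };
-};
-
-
-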
-7
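--- a/systems/x86_64-linux/prefect/services/netdata.nix
+++ b/systems/x86_64-linux/prefect/services/netdata.nix
@@ -1,7 +0,0 @@
-{
-services.netdata = {
-enable = true;
-python.enable = true;
-enableAnalyticsReporting = false;
-};
-}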
-38
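--- a/systems/x86_64-linux/prefect/services/nginx/default.nix
+++ b/systems/x86_64-linux/prefect/services/nginx/default.nix
@@ -1,38 +0,0 @@
-{ lib, ... }:
-{
-services.nginx = {
-enable = true;
-additionalModules = [ ];
-recommendedOptimisation = true;
-recommendedTlsSettings = true;
-recommendedGzipSettings = true;
-recommendedProxySettings = true;
-virtualHosts = lib.mkForce { };
-streamConfig = ''
-server {
-listen 34197 udp;
-proxy_pass 100.123.15.72:34197;
-proxy_responses 0;
-}
-'';
-appendHttpConfig = ''
-# Add X-Frame-Options to prevent clickjacking
-add_header X-Frame-Options SAMEORIGIN;
-
-# Prevent mime type sniffing
-add_header X-Content-Type-Options nosniff;
-
-# Never send Referer header
-add_header Referrer-Policy no-referrer;
-
-# Require CORS or CORP headers for cross-origin resources
-add_header Cross-Origin-Embedder-Policy require-corp;
-
-# Keep our own Browsing Context Group
-add_header Cross-Origin-Opener-Policy same-origin;
-
-# Sites that require CORP will not load my assets
-add_header Cross-Origin-Resource-Policy same-origin;
-'';
-};
-}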
-1
systems/x86_64-linux/prefect/services/nginx/pyrox.dev.nix
··· 1 - { }
-37
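--- a/systems/x86_64-linux/prefect/services/prometheus.nix
+++ b/systems/x86_64-linux/prefect/services/prometheus.nix
@@ -1,37 +0,0 @@
-{ config, ... }:
-{
-services.prometheus = {
-enable = true;
-port = 6999;
-exporters = {
-node = {
-enable = true;
-enabledCollectors = [ "systemd" ];
-port = 6998;
-};
-bird = {
-enable = true;
-};
-};
-scrapeConfigs = [
-{
-job_name = "prefect";
-static_configs = [
-{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
-];
-}
-{
-job_name = "caddy";
-static_configs = [ { targets = [ "127.0.0.1:6899" ]; } ];
-}
-{
-job_name = "bird";
-static_configs = [ { targets = [ "127.0.0.1:9324" ]; } ];
-}
-{
-job_name = "prometheus";
-static_configs = [ { targets = [ "127.0.0.1:6999" ]; } ];
-}
-];
-};
-}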
-26
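--- a/systems/x86_64-linux/prefect/services/secrets.nix
+++ b/systems/x86_64-linux/prefect/services/secrets.nix
@@ -1,26 +0,0 @@
-{
-config.age.secrets = {
-# headscale-oidc-secret = {
-# file = ../secrets/headscale-oidc-secret.age;
-# path = "/run/agenix/headscale-oidc-secret";
-# owner = "headscale";
-# group = "headscale";
-# };
-dn42-privkey = {
-file = ../secrets/dn42-privkey.age;
-path = "/run/agenix/dn42-privkey";
-};
-dn42-peerfinder-uuid = {
-file = ../secrets/dn42-peerfinder-uuid.age;
-path = "/run/agenix/dn42-peerfinder-uuid";
-};
-wireguard-priv-key = {
-file = ../secrets/wireguard-priv-key.age;
-path = "/run/agenix/wireguard-priv-key";
-};
-acme-creds = {
-file = ../secrets/acme-creds.age;
-group = "acme";
-};
-};
-}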
-11
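--- a/systems/x86_64-linux/prefect/services/tailscale.nix
+++ b/systems/x86_64-linux/prefect/services/tailscale.nix
@@ -1,11 +0,0 @@
-{ config, ... }:
-{
-services.tailscale = {
-enable = true;
-};
-networking.firewall = {
-trustedInterfaces = [ "tailscale0" ];
-allowedUDPPorts = [ config.services.tailscale.port ];
-checkReversePath = "loose";
-};
-}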
-6
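--- a/systems/x86_64-linux/prefect/services/zerotier.nix
+++ b/systems/x86_64-linux/prefect/services/zerotier.nix
@@ -1,6 +0,0 @@
-{
-services.zerotierone = {
-enable = true;
-joinNetworks = [ "a84ac5c10a3b1d69" ];
-};
-}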
-39
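--- a/systems/x86_64-linux/thought/bootloader.nix
+++ b/systems/x86_64-linux/thought/bootloader.nix
@@ -1,39 +0,0 @@
-{ pkgs, modulesPath, ... }:
-let
-fileSystems = {
-btrfs = true;
-ext4 = true;
-vfat = true;
-};
-in
-{
-imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-boot = {
-loader = {
-grub.device = "/dev/sda";
-grub.enable = true;
-};
-initrd = {
-availableKernelModules = [
-"ata_piix"
-"uhci_hcd"
-"xen_blkfront"
-"ahci"
-"xhci_pci"
-"virtio_pci"
-"sd_mod"
-"sr_mod"
-];
-kernelModules = [ "nvme" ];
-supportedFilesystems = fileSystems;
-};
-supportedFilesystems = fileSystems;
-kernelPackages = pkgs.linuxPackages_latest;
-kernel.sysctl = {
-"net.ipv4.ip_forward" = 1;
-"net.ipv6.conf.all.forwarding" = 1;
-"net.ipv4.conf.default.rp_filter" = 0;
-"net.ipv4.conf.all.rp_filter" = 0;
-};
-};
-}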
-34
systems/x86_64-linux/thought/default.nix
··· 1 - { pkgs, system, ... }: 2 - { 3 - imports = [ 4 - # Machine-specific configurations. 5 - ./bootloader.nix 6 - ./firewall.nix 7 - ./networking.nix 8 - ./hardware.nix 9 - ./packages.nix 10 - 11 - # Running Services 12 - ./services/prometheus.nix 13 - ./services/tailscale.nix 14 - ]; 15 - nixpkgs.hostPlatform.system = system; 16 - py = { 17 - users.default.enable = true; 18 - programs = { 19 - fish.enable = true; 20 - neovim.enable = true; 21 - }; 22 - }; 23 - fileSystems = { 24 - "/" = { 25 - fsType = "ext4"; 26 - device = "/dev/sda1"; 27 - }; 28 - }; 29 - 30 - programs.fish.enable = true; 31 - programs.fish.interactiveShellInit = '' 32 - ${pkgs.direnv}/bin/direnv hook fish | source 33 - ''; 34 - }
-25
systems/x86_64-linux/thought/disks.nix
··· 1 - { 2 - disko.devices.disk = { 3 - main = { 4 - type = "disk"; 5 - device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_33656227"; 6 - content = { 7 - type = "gpt"; 8 - partitions = { 9 - boot = { 10 - size = "1M"; 11 - type = "EF02"; 12 - }; 13 - root = { 14 - size = "100%"; 15 - content = { 16 - type = "filesystem"; 17 - format = "btrfs"; 18 - mountpoint = "/"; 19 - }; 20 - }; 21 - }; 22 - }; 23 - }; 24 - }; 25 - }
-46
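--- a/systems/x86_64-linux/thought/firewall.nix
+++ b/systems/x86_64-linux/thought/firewall.nix
@@ -1,46 +0,0 @@
-{
-networking.firewall = {
-enable = true;
-allowedTCPPorts = [ 8000 ];
-allowedUDPPorts = [ 34197 ];
-};
-services.ferm = {
-enable = true;
-config = ''
-domain ip table filter chain INPUT proto icmp ACCEPT;
-domain ip6 table filter chain INPUT proto (ipv6-icmp icmp) ACCEPT;
-domain (ip ip6) table filter {
-chain INPUT {
-policy DROP;
-interface lo ACCEPT;
-interface tailscale0 ACCEPT;
-interface wg42_+ ACCEPT;
-interface wg0 ACCEPT;
-proto tcp dport (22 25 53 80 143 389 443 465 587 636 993 4190 6900 8000 http https 34197) ACCEPT;
-proto udp dport (22 25 53 480:510 636 4367 6900 8000 34197) ACCEPT;
-proto tcp dport (179) ACCEPT;
-# dns
-proto (udp tcp) dport domain ACCEPT;
-mod state state (INVALID) DROP;
-mod state state (ESTABLISHED RELATED) ACCEPT;
-}
-chain OUTPUT {
-policy ACCEPT;
-}
-chain FORWARD {
-policy DROP;
-# allow intern routing and dn42 forwarding
-interface wg42_+ outerface wg42_+ ACCEPT;
-interface tailscale0 outerface tailscale0 ACCEPT;
-interface tailscale0 outerface wg42_+ ACCEPT;
-# but dn42 -> intern only with execptions
-interface wg42_+ outerface tailscale0 {
-proto (ipv6-icmp icmp) ACCEPT; # Allow SSH Access from dn42 to devices behind tailscale0 Interfaces
-proto tcp dport (ssh) ACCEPT;
-mod state state (ESTABLISHED) ACCEPT;
-}
-}
-}
-'';
-};
-}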
-1
systems/x86_64-linux/thought/hardware.nix
··· 1 - { zramSwap.enable = true; }
-22
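--- a/systems/x86_64-linux/thought/networking.nix
+++ b/systems/x86_64-linux/thought/networking.nix
@@ -1,22 +0,0 @@
-{ lib, ... }:
-{
-networking = {
-hostName = "thought";
-hostId = "1e22528e";
-useDHCP = false;
-nameservers = lib.mkForce [ ];
-resolvconf.enable = false;
-interfaces.enp1s0 = {
-ipv6.addresses = [
-{
-address = "2a01:4ff:1f0:c98a::1";
-prefixLength = 64;
-}
-];
-};
-defaultGateway6 = {
-address = "fe80::1";
-interface = "enp1s0";
-};
-};
-}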
-4
systems/x86_64-linux/thought/packages.nix
··· 1 - { pkgs, ... }: 2 - { 3 - environment.systemPackages = with pkgs; [ direnv ]; 4 - }
-14
systems/x86_64-linux/thought/secrets/secrets.nix
··· 1 - let 2 - # deadnix: skip 3 - yubi-back = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTVGi3PItsbUhFgnFZlqo1iUggL4npMg94+9FsyhEPfShcQwJK2/jJzjv5S9KPuk3cY7aoqyVFLbnasSBZPXmscJmOiVNvtWvHoC3QPXvf3IAcVZ5KOLpY2NJlPx/pAb31C6ewtg8v3VlyhL4zEp6M+AGwXX51tFDh2GnYD+7SNF+aMhKCrX63syAhgPy3F8mZ2RIDLAu+lsYlwdpWRkSEv9kcjX/6+3QgUWjfPBaKEeYID22ihSuj7+AiuAt0gM4q0TY/Hpcx+qDLonrIuBnm1hMZDgbv//D0sHIUxJQkGTKTEbkZxoh0Qri7UV/V6l3mETaG40deuemMU7RFY7Khl8RajNZ+9z0FdquS/HCt8+fYQk6eLneJrMIQ1bI4awrtblG3P2Yf2QUu+H3kfCQe44R3WjUugTbNtumVgyQBzl2dzlIVn1pZBeyZy70XCgbaFKkDR8Y/qZiUoZ0afP3vTOXhkn5UBfutTKwUiSGh3S8Ge5YhNgKHWE2eQp1ckEm0IMJV/q5Nsw/yBBXj/kfD8ekz96LQ+gP5JFLq4EaipXI7FM4aZNOBUZU1l/sCEuq7m997nrBucTKqGm7Ho3rq7bgdj4f6GyUJXSMOM1cN61LLrRumZGGTH8WghVL7ligxZyNFcQoudR8jfpf4mrgRxipQOe1A2umvuufMr+l/bw=="; 4 - # deadnix: skip 5 - yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746"; 6 - # deadnix: skip 7 - backup = "ssh-rsa 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"; 8 - # deadnix: skip 9 - thought = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGkJcLykggEp427h2IywoiR74Yl3N+FU6Pwx9ZFQ3vjq"; 10 - in 11 - { 12 - imports = [ ../../common/secrets/secrets.nix ]; 13 - # "headscale-oidc-secret.age".publicKeys = [ prefect yubi-main yubi-back ]; 14 - }
-37
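--- a/systems/x86_64-linux/thought/services/prometheus.nix
+++ b/systems/x86_64-linux/thought/services/prometheus.nix
@@ -1,37 +0,0 @@
-{ config, ... }:
-{
-services.prometheus = {
-enable = true;
-port = 6999;
-exporters = {
-node = {
-enable = true;
-enabledCollectors = [ "systemd" ];
-port = 6998;
-};
-bird = {
-enable = true;
-};
-};
-scrapeConfigs = [
-{
-job_name = "prefect";
-static_configs = [
-{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
-];
-}
-{
-job_name = "caddy";
-static_configs = [ { targets = [ "127.0.0.1:6899" ]; } ];
-}
-{
-job_name = "bird";
-static_configs = [ { targets = [ "127.0.0.1:9324" ]; } ];
-}
-{
-job_name = "prometheus";
-static_configs = [ { targets = [ "127.0.0.1:6999" ]; } ];
-}
-];
-};
-}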
-11
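--- a/systems/x86_64-linux/thought/services/tailscale.nix
+++ b/systems/x86_64-linux/thought/services/tailscale.nix
@@ -1,11 +0,0 @@
-{ config, ... }:
-{
-services.tailscale = {
-enable = true;
-};
-networking.firewall = {
-trustedInterfaces = [ "tailscale0" ];
-allowedUDPPorts = [ config.services.tailscale.port ];
-checkReversePath = "loose";
-};
-}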
-45
systems/x86_64-linux/zaphod/bootloader.nix
··· 1 - { pkgs, ... }: 2 - let 3 - fileSystems = { 4 - btrfs = true; 5 - ext4 = true; 6 - vfat = true; 7 - }; 8 - in 9 - { 10 - boot = { 11 - kernelParams = [ 12 - "amdgpu.dcdebugmask=0x410" 13 - ]; 14 - bootspec.enable = true; 15 - kernelPackages = pkgs.linuxPackages_latest; 16 - extraModulePackages = with pkgs.linuxPackages_latest; [ v4l2loopback ]; 17 - kernelModules = [ 18 - "v4l2loopback" 19 - "kvm-amd" 20 - "btusb" 21 - ]; 22 - supportedFilesystems = fileSystems; 23 - initrd = { 24 - enable = true; 25 - network.enable = false; 26 - availableKernelModules = [ 27 - "xhci_pci" 28 - "thunderbolt" 29 - "nvme" 30 - "usb_storage" 31 - "usbhid" 32 - "sd_mod" 33 - ]; 34 - kernelModules = [ ]; 35 - }; 36 - loader = { 37 - systemd-boot = { 38 - enable = true; 39 - configurationLimit = 5; 40 - }; 41 - efi.canTouchEfiVariables = true; 42 - }; 43 - plymouth.enable = true; 44 - }; 45 - }
-22
systems/x86_64-linux/zaphod/console.nix
··· 1 - { 2 - console = { 3 - colors = [ 4 - "1a1b26" 5 - "f7768e" 6 - "73daca" 7 - "e0af68" 8 - "7aa2f7" 9 - "bb9af7" 10 - "7dcfff" 11 - "c0caf5" 12 - "565f89" 13 - "f7768e" 14 - "73daca" 15 - "e0af68" 16 - "7aa2f7" 17 - "bb9af7" 18 - "7dcfff" 19 - "c0caf5" 20 - ]; 21 - }; 22 - }
-57
systems/x86_64-linux/zaphod/default.nix
··· 1 - { system, ... }: 2 - { 3 - imports = [ 4 - # Machine specific configs 5 - ./bootloader.nix 6 - ./console.nix 7 - ./fonts.nix 8 - ./hardware.nix 9 - # ./kde.nix 10 - ./networking.nix 11 - ./misc.nix 12 - ./packages.nix 13 - ./power.nix 14 - 15 - # Security 16 - ./security/modules.nix 17 - 18 - # Services 19 - ./services/modules.nix 20 - 21 - # Machine-specific programs. 22 - ./programs/ssh.nix 23 - ./programs/sway.nix 24 - ./programs/zsh.nix 25 - 26 - # Agenix secrets 27 - # ./secret-files.nix 28 - ]; 29 - nixpkgs.hostPlatform.system = system; 30 - py = { 31 - users.default.enable = true; 32 - programs = { 33 - appimage.enable = true; 34 - chromium.enable = true; 35 - dconf.enable = true; 36 - firefox.enable = true; 37 - fish.enable = true; 38 - less.enable = true; 39 - neovim.enable = true; 40 - noisetorch.enable = true; 41 - steam.enable = true; 42 - wireshark.enable = true; 43 - }; 44 - }; 45 - 46 - fileSystems = { 47 - "/" = { 48 - fsType = "btrfs"; 49 - device = "/dev/disk/by-uuid/dce547b5-71db-4b80-a029-370c4b7765ab"; 50 - }; 51 - "/boot" = { 52 - fsType = "vfat"; 53 - device = "/dev/disk/by-uuid/2F06-FA92"; 54 - }; 55 - }; 56 - swapDevices = [ { device = "/dev/disk/by-uuid/5f64b6ad-f471-4c6f-8536-59f581e16827"; } ]; 57 - }
-24
systems/x86_64-linux/zaphod/fonts.nix
··· 1 - { pkgs, lib, ... }: 2 - { 3 - fonts = { 4 - fontDir.enable = true; 5 - fontconfig = { 6 - enable = lib.mkForce true; 7 - defaultFonts = { 8 - serif = [ "IBM Plex Serif" ]; 9 - sansSerif = [ "IBM Plex Sans" ]; 10 - monospace = [ 11 - "IBM Plex Mono" 12 - "FiraCode Nerd Font Mono" 13 - ]; 14 - emoji = [ "JoyPixels" ]; 15 - }; 16 - }; 17 - packages = with pkgs; [ 18 - ibm-plex 19 - nerd-fonts.blex-mono 20 - nerd-fonts.symbols-only 21 - inter 22 - ]; 23 - }; 24 - }
-41
systems/x86_64-linux/zaphod/hardware.nix
··· 1 - { pkgs, ... }: 2 - { 3 - hardware = { 4 - enableAllFirmware = true; 5 - enableRedistributableFirmware = true; 6 - bluetooth = { 7 - enable = true; 8 - hsphfpd.enable = false; 9 - powerOnBoot = true; 10 - }; 11 - brillo.enable = true; 12 - deviceTree.enable = false; 13 - gpgSmartcards.enable = true; 14 - graphics = { 15 - enable = true; 16 - extraPackages = [ 17 - pkgs.gamescope 18 - pkgs.mangohud 19 - ]; 20 - extraPackages32 = [ 21 - pkgs.pkgsi686Linux.mangohud 22 - ]; 23 - }; 24 - sensor = { 25 - hddtemp = { 26 - enable = true; 27 - drives = [ "/dev/disk/by-id/nvme-CT2000P2SSD8_2128E5B6F934" ]; 28 - unit = "F"; 29 - }; 30 - }; 31 - wirelessRegulatoryDatabase = true; 32 - }; 33 - services.udev.packages = [ 34 - pkgs.qmk-udev-rules 35 - pkgs.logitech-udev-rules 36 - ]; 37 - hardware.amdgpu = { 38 - opencl.enable = false; 39 - initrd.enable = true; 40 - }; 41 - }
-20
systems/x86_64-linux/zaphod/kde.nix
··· 1 - { 2 - services.xserver = { 3 - enable = false; 4 - displayManager = { 5 - sddm.enable = false; 6 - defaultSession = "plasmawayland"; 7 - }; 8 - desktopManager.plasma5 = { 9 - enable = false; 10 - phononBackend = "vlc"; 11 - runUsingSystemd = true; 12 - useQtScaling = true; 13 - }; 14 - }; 15 - qt = { 16 - enable = true; 17 - platformTheme = "kde"; 18 - style = "cleanlooks"; 19 - }; 20 - }
-57
systems/x86_64-linux/zaphod/misc.nix
··· 1 - { lib, pkgs, ... }: 2 - { 3 - documentation = { 4 - enable = true; 5 - doc.enable = false; 6 - man = { 7 - enable = true; 8 - generateCaches = false; 9 - man-db.enable = false; 10 - mandoc.enable = true; 11 - }; 12 - nixos.enable = false; 13 - }; 14 - environment = { 15 - homeBinInPath = true; 16 - localBinInPath = true; 17 - }; 18 - services.openssh.settings.PermitRootLogin = lib.mkForce "yes"; 19 - time.timeZone = "America/New_York"; 20 - # 21 - # systemd.tmpfiles.rules = ["L+ /lib64 - - - - /run/current-system/sw/lib64"]; 22 - 23 - virtualisation.virtualbox = { 24 - host.enable = true; 25 - host.enableExtensionPack = false; 26 - guest = { 27 - enable = false; 28 - clipboard = true; 29 - seamless = false; 30 - dragAndDrop = true; 31 - }; 32 - }; 33 - # Enable Virt-manager 34 - virtualisation.libvirtd.enable = false; 35 - programs.dconf.enable = true; 36 - # environment.systemPackages = with pkgs; [virt-manager]; 37 - 38 - users.extraGroups.vboxusers.members = [ 39 - "thehedgehog" 40 - "pyrox" 41 - ]; 42 - # users.extraGroups.libvirtd.members = ["thehedgehog" "pyrox"]; 43 - # xdg.portal.extraPortals = [ 44 - # pkgs.xdg-desktop-portal-gtk 45 - # ]; 46 - xdg.portal.wlr.enable = true; 47 - xdg.portal.xdgOpenUsePortal = true; 48 - 49 - users.users.root.hashedPassword = "$6$6EtuZhVOJdfI9DYP$1Qnd7R8qdN.E5yE2kDQCNg2zgJ5cIjNBKsIW/qJgb8wcKlUpIoVg/fEKvBkAgCiLyojVG2kzfu4J9LR8rA8a2/"; 50 - 51 - # Nix-LD 52 - programs.nix-ld.enable = true; 53 - 54 - programs.steam.extraPackages = [ 55 - pkgs.pixman 56 - ]; 57 - }
-51
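--- a/systems/x86_64-linux/zaphod/networking.nix
+++ b/systems/x86_64-linux/zaphod/networking.nix
@@ -1,51 +0,0 @@
-{ lib, pkgs, ... }:
-{
-networking = {
-enableB43Firmware = false;
-enableIPv6 = true;
-hostId = "28c6bad2";
-hostName = "zaphod";
-usePredictableInterfaceNames = lib.mkDefault true;
-# Interface config
-interfaces.wlp1s0.useDHCP = lib.mkDefault true;
-# Enable NetworkManager and disable wpa_supplicant
-networkmanager = {
-enable = true;
-dns = lib.mkForce "default";
-wifi.powersave = true;
-};
-wireless = {
-enable = false;
-};
-
-# Tailscale fix(not needed, but recommended)
-firewall.checkReversePath = "loose";
-
-# DNS Servers
-# Only use local resolver
-nameservers = lib.mkForce [ ];
-
-resolvconf.enable = false;
-};
-services.resolved = {
-enable = false;
-llmnr = "true";
-fallbackDns = [ "158.59.252.11" ];
-extraConfig = ''
-MulticastDNS=true
-'';
-};
-systemd.services.wpa_supplicant.environment.OPENSSL_CONF = pkgs.writeText "openssl.cnf" ''
-openssl_conf = openssl_init
-[openssl_init]
-ssl_conf = ssl_sect
-[ssl_sect]
-system_default = system_default_sect
-[system_default_sect]
-Options = UnsafeLegacyRenegotiation
-'';
-services.mullvad-vpn = {
-enable = true;
-package = pkgs.mullvad-vpn;
-};
-}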
-35
systems/x86_64-linux/zaphod/packages.nix
··· 1 - { 2 - pkgs, 3 - inputs, 4 - ... 5 - }: 6 - { 7 - environment.systemPackages = [ 8 - inputs.agenix.packages.${pkgs.system}.default 9 - pkgs.android-tools 10 - pkgs.clinfo 11 - pkgs.deadnix 12 - pkgs.file 13 - pkgs.gamescope 14 - pkgs.gnupg 15 - pkgs.hibernate 16 - pkgs.goverlay 17 - pkgs.libappindicator 18 - pkgs.kdePackages.kdenlive 19 - pkgs.libappindicator-gtk3 20 - pkgs.mangohud 21 - pkgs.networkmanagerapplet 22 - pkgs.nixpkgs-track 23 - pkgs.pipewire.jack 24 - pkgs.pmutils 25 - pkgs.qbittorrent 26 - pkgs.sbctl 27 - pkgs.scrcpy 28 - pkgs.statix 29 - pkgs.steam-run 30 - pkgs.libva-utils 31 - pkgs.v4l-utils 32 - pkgs.vdpauinfo 33 - pkgs.py.doc2dash 34 - ]; 35 - }
-1
systems/x86_64-linux/zaphod/power.nix
··· 1 - { powerManagement.enable = true; }
-10
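--- a/systems/x86_64-linux/zaphod/programs/gnupg.nix
+++ b/systems/x86_64-linux/zaphod/programs/gnupg.nix
@@ -1,10 +0,0 @@
-{
-programs.gnupg = {
-agent = {
-enable = true;
-enableSSHSupport = true;
-enableBrowserSocket = true;
-};
-dirmngr.enable = true;
-};
-}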
-6
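--- a/systems/x86_64-linux/zaphod/programs/ssh.nix
+++ b/systems/x86_64-linux/zaphod/programs/ssh.nix
@@ -1,6 +0,0 @@
-{
-programs.ssh = {
-enableAskPassword = false;
-forwardX11 = false;
-};
-}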
-12
systems/x86_64-linux/zaphod/programs/sway.nix
··· 1 - { pkgs, ... }: 2 - { 3 - programs.sway = { 4 - enable = true; 5 - extraPackages = with pkgs; [ 6 - swaylock-effects 7 - swayidle 8 - ]; 9 - wrapperFeatures.base = true; 10 - wrapperFeatures.gtk = true; 11 - }; 12 - }
-13
systems/x86_64-linux/zaphod/programs/zsh.nix
··· 1 - { 2 - programs.zsh = { 3 - enable = true; 4 - enableBashCompletion = true; 5 - enableCompletion = true; 6 - enableGlobalCompInit = true; 7 - autosuggestions.enable = true; 8 - autosuggestions.async = true; 9 - histSize = 10000; 10 - syntaxHighlighting.enable = true; 11 - vteIntegration = true; 12 - }; 13 - }
-8
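--- a/systems/x86_64-linux/zaphod/secret-files.nix
+++ b/systems/x86_64-linux/zaphod/secret-files.nix
@@ -1,8 +0,0 @@
-{
-config.age.secrets = {
-wg-privkey = {
-file = ./secrets/wg-privkey.age;
-path = "/run/agenix/wg-privkey";
-};
-};
-}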
-12
systems/x86_64-linux/zaphod/secrets/secrets.nix
··· 1 - let 2 - yubi-back = "ssh-rsa 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"; 3 - yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746"; 4 - backup = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyTiGctsHaTUlRJn2XQ/745dD0UWGWO8W0en8J5rf7BLI8lL/hPUmbNt45vC5754LXcBjnp1t/1FNgiGhvNZIWJpC+elBmhyMhg8z1exRZPD+as7XaH7scnij2vSbSphQFUqH433ggAGe77x5bc7wKFp9n7vj8G1u0JJxMEe1M7kNFY0+ShNtaHna3LxiQOVcW7qVlNKZP8Ol1V7kZLblRADCJMTYOXDIbktA8bbGRfGhbNjJGkL665qz36haYwb2i6A4sC7Y583N8ro8hIDG/ByJqwbl/Sz4rSxkT6G4+OdBvS6sa7TovNXHjmQCculMIltdog7UhgyBsim1sTzxAen3YyFRi1Cz/kLM0oH39m/W4IoMvJcNZCJ3ItLgy+lEVMd87jVOqfuq/hyjHVI0wJtU2Si2HTxv7aKL8gPzqXwbNH+nhkhlQ0ZH8zKVBunOgLDgsmGIky5X/T3bpWZpIoFkOR7AYrId/5dOeGM3pHhHb6woZ3SRubZ43Ah/VdJM="; 5 - in 6 - { 7 - "wg-privkey.age".publicKeys = [ 8 - yubi-back 9 - yubi-main 10 - backup 11 - ]; 12 - }
systems/x86_64-linux/zaphod/secrets/wg-privkey.age

This is a binary file and will not be displayed.

-6
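--- a/systems/x86_64-linux/zaphod/security/modules.nix
+++ b/systems/x86_64-linux/zaphod/security/modules.nix
@@ -1,6 +0,0 @@
-{
-imports = [ ./pam.nix ];
-security = {
-protectKernelImage = true;
-};
-}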
-9
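--- a/systems/x86_64-linux/zaphod/security/pam.nix
+++ b/systems/x86_64-linux/zaphod/security/pam.nix
@@ -1,9 +0,0 @@
-{
-security.pam = {
-p11.enable = false;
-p11.control = "sufficient";
-u2f.enable = true;
-u2f.settings.cue = true;
-sshAgentAuth.enable = false;
-};
-}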
-6
systems/x86_64-linux/zaphod/services/avahi.nix
··· 1 - { 2 - services.avahi = { 3 - enable = true; 4 - nssmdns4 = true; 5 - }; 6 - }
-20
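--- a/systems/x86_64-linux/zaphod/services/docker.nix
+++ b/systems/x86_64-linux/zaphod/services/docker.nix
@@ -1,20 +0,0 @@
-{ pkgs, ... }:
-let
-betterDocker = pkgs.docker.override {
-buildxSupport = false;
-composeSupport = false;
-sbomSupport = false;
-};
-in
-{
-virtualisation.docker = {
-enable = false;
-package = betterDocker;
-rootless = {
-enable = true;
-package = betterDocker;
-setSocketVariable = true;
-};
-storageDriver = "btrfs";
-};
-}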
-4
systems/x86_64-linux/zaphod/services/flatpak.nix
··· 1 - { 2 - services.flatpak.enable = true; 3 - xdg.portal.enable = true; 4 - }
-8
systems/x86_64-linux/zaphod/services/fprintd.nix
··· 1 - { pkgs, ... }: 2 - { 3 - services.fprintd = { 4 - enable = true; 5 - tod.enable = false; 6 - tod.driver = pkgs.libfprint-2-tod1-goodix; 7 - }; 8 - }
-9
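--- a/systems/x86_64-linux/zaphod/services/fwupd.nix
+++ b/systems/x86_64-linux/zaphod/services/fwupd.nix
@@ -1,9 +0,0 @@
-{
-services.fwupd = {
-enable = true;
-extraRemotes = [ "lvfs-testing" ];
-uefiCapsuleSettings = {
-"DisableCapsuleUpdateOnDisk" = true;
-};
-};
-}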
-12
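--- a/systems/x86_64-linux/zaphod/services/greetd.nix
+++ b/systems/x86_64-linux/zaphod/services/greetd.nix
@@ -1,12 +0,0 @@
-{ pkgs, ... }:
-{
-services.greetd = {
-enable = true;
-settings = {
-default_session = {
-command = "${pkgs.greetd.tuigreet}/bin/tuigreet --time --cmd 'sway -c /home/thehedgehog/.config/sway/config'";
-user = "greeter";
-};
-};
-};
-}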
-13
systems/x86_64-linux/zaphod/services/kmscon.nix
··· 1 - { pkgs, ... }: 2 - { 3 - services.kmscon = { 4 - enable = true; 5 - hwRender = true; 6 - fonts = [ 7 - { 8 - name = "BlexMono Nerd Font"; 9 - package = pkgs.nerd-fonts.blex-mono; 10 - } 11 - ]; 12 - }; 13 - }
-12
systems/x86_64-linux/zaphod/services/misc.nix
··· 1 - { config, lib, ... }: 2 - { 3 - services = { 4 - blueman.enable = true; 5 - fstrim.enable = lib.mkDefault true; 6 - tlp.enable = lib.mkDefault ( 7 - (lib.versionOlder (lib.versions.majorMinor lib.version) "21.05") 8 - || !config.services.power-profiles-daemon.enable 9 - ); 10 - libinput.enable = lib.mkDefault true; 11 - }; 12 - }
-17
systems/x86_64-linux/zaphod/services/modules.nix
··· 1 - { 2 - imports = [ 3 - ./avahi.nix 4 - ./docker.nix 5 - ./flatpak.nix 6 - ./fprintd.nix 7 - ./fwupd.nix 8 - ./greetd.nix 9 - ./kmscon.nix 10 - ./misc.nix 11 - ./packagekit.nix 12 - ./pcscd.nix 13 - ./pipewire.nix 14 - ./ssh.nix 15 - ./tailscale.nix 16 - ]; 17 - }
-5
systems/x86_64-linux/zaphod/services/packagekit.nix
··· 1 - { 2 - services = { 3 - packagekit.enable = false; 4 - }; 5 - }
-5
systems/x86_64-linux/zaphod/services/pcscd.nix
··· 1 - { 2 - services.pcscd = { 3 - enable = true; 4 - }; 5 - }
-12
systems/x86_64-linux/zaphod/services/pipewire.nix
··· 1 - { 2 - services.pipewire = { 3 - enable = true; 4 - alsa.enable = true; 5 - alsa.support32Bit = true; 6 - audio.enable = true; 7 - jack.enable = true; 8 - pulse.enable = true; 9 - wireplumber.enable = true; 10 - }; 11 - security.rtkit.enable = true; 12 - }
-6
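--- a/systems/x86_64-linux/zaphod/services/ssh.nix
+++ b/systems/x86_64-linux/zaphod/services/ssh.nix
@@ -1,6 +0,0 @@
-{
-# services.openssh = {
-# enable = true;
-# permitRootLogin = "prohibit-password";
-# };
-}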
-5
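--- a/systems/x86_64-linux/zaphod/services/tailscale.nix
+++ b/systems/x86_64-linux/zaphod/services/tailscale.nix
@@ -1,5 +0,0 @@
-{
-services.tailscale = {
-enable = true;
-};
-}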
+15
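--- a/templates/default.nix
+++ b/templates/default.nix
@@ -0,0 +1,15 @@
+{
+self,
+...
+}:
+{
+flake = {
+templates = {
+uv = {
+path = ./uv;
+description = "uv project template";
+};
+};
+defaultTemplate = self.templates.uv;
+};
+}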
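Review bot: `defaultTemplate = self.templates.uv;` near the end of the new file uses the legacy flake output name. Nix renamed it to `templates.default` in 2.7, and newer releases warn about the old attribute during `nix flake check`. Declaring the default inside the existing `templates` set, `default = self.templates.uv;`, and dropping the `defaultTemplate` line keeps `nix flake init` resolving the same template without the warning. The `./uv` directory that `path` points to is not visible in this section, so check that it is added in the same change.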
-78
topology.nix
··· 1 - { config, ... }: 2 - let 3 - inherit (config.lib.topology) mkInternet mkConnection; 4 - mkTS = addresses: { 5 - inherit addresses; 6 - network = "tailscale"; 7 - virtual = true; 8 - }; 9 - in 10 - { 11 - topology = { 12 - 13 - }; 14 - nodes.internet = mkInternet { 15 - connections = [ 16 - (mkConnection "marvin" "wlp41s0") 17 - (mkConnection "prefect" "enp1s0") 18 - (mkConnection "thought" "enp1s0") 19 - (mkConnection "zaphod" "wlp1s0") 20 - ]; 21 - }; 22 - networks.tailscale = { 23 - name = "Tailscale"; 24 - cidrv4 = "100.64.0.0/10"; 25 - cidrv6 = "fd7a:115c:a1e0::/96"; 26 - }; 27 - nodes = { 28 - marvin = { 29 - interfaces.enp42s0 = { 30 - renderer.hidePhysicalConnections = true; 31 - }; 32 - interfaces.tailscale0 = 33 - mkTS [ 34 - "100.123.15.72" 35 - "\n" 36 - "fd7a:115c:a1e0:ab12:4843:cd96:627b:f48" 37 - ] 38 - // { 39 - physicalConnections = [ 40 - (mkConnection "prefect" "tailscale0") 41 - (mkConnection "marvin" "tailscale0") 42 - ]; 43 - }; 44 - }; 45 - zaphod = { 46 - interfaces = { 47 - vboxnet0.virtual = true; 48 - tailscale0 = 49 - mkTS [ 50 - "100.125.9.36" 51 - "" 52 - "fd7a:115c:a1e0:ab12:4843:cd96:627d:924" 53 - ] 54 - // { 55 - physicalConnections = [ 56 - (mkConnection "prefect" "tailscale0") 57 - (mkConnection "marvin" "tailscale0") 58 - ]; 59 - }; 60 - }; 61 - }; 62 - prefect = { 63 - interfaces.tailscale0 = 64 - mkTS [ 65 - "100.93.63.54" 66 - "\n" 67 - "fd7a:115c:a1e0:ab12:4843:cd96:625d:3f36" 68 - ] 69 - // { 70 - physicalConnections = [ 71 - (mkConnection "marvin" "tailscale0") 72 - (mkConnection "zaphod" "tailscale0") 73 - ]; 74 - }; 75 - }; 76 - thought = { }; 77 - }; 78 - }