pyrox.dev / nix
My Nix Configuration
fork atom

Compare changes

Choose any two refs to compare.

options
unified split
Changed files
+4002 -5194
.envrc
.nvim.lua
.shellcheckrc
Justfile
MIGRATE.md
README.md
TODO.md
devShells
default
default.nix
default.nix
flake.lock
flake.nix
homeModules
all-modules.nix
default.nix
profiles
base
default.nix
cli
default.nix
rbw-config.json
desktop
default.nix
gui
default.nix
programs
caelestia
caelestia-cli.json
caelestia-shell.json
default.nix
default.nix
dms
default.nix
git
default.nix
helix
default.nix
misc-programs
default.nix
neovim
default.nix
onagre
default.nix
ssh
default.nix
wlogout
default.nix
style.nix
zed-editor
settings.nix
services
default.nix
kanshi
default.nix
mako
default.nix
swayidle
default.nix
vicinae
default.nix
wayland
default.nix
env.nix
hypridle.nix
hyprland
default.nix
env.nix
hypridle.nix
hyprlock.nix
hyprpanel.nix
keybindings.nix
monitors.nix
plugins.nix
services.nix
settings.nix
variables.nix
windowrules.nix
keybindings.nix
monitors.nix
plugins.nix
services.nix
settings.nix
sway.nix
swaylock.nix
variables.nix
waybar-mocha.css
waybar-style.css
waybar.nix
windowrules.nix
xdg
default.nix
hosts
default.nix
marvin
default.nix
services
anubis.nix
authentik.nix
bookstack.nix
gdq-cals.nix
git.nix
golink.nix
grafana.nix
iceshrimp.nix
immich-config.json
immich.nix
miniflux.nix
minio.nix
nextcloud
default.nix
office.nix
pinchflat.nix
pingvin-share.nix
planka.nix
pocket-id.nix
postgres.nix
prosody.nix
redlib.nix
scrutiny.nix
secrets
iceshrimp-db-password.age
iceshrimp-secret-config.age
immich
mail-pw.age
oauth-secret.age
pingvin-secrets.age
secrets.nix
tangled.nix
vaultwarden.nix
webmentiond.nix
prefect
bootloader.nix
default.nix
dn42
bgp.nix
bird.conf
default.nix
peers
bandura.nix
catgirls.nix
chrismoos.nix
darkpoint.nix
default.nix
iedon.nix
kioubit.nix
lare.nix
potato.nix
prefixlabs.nix
routedbits.nix
sunnet.nix
uffsalot.nix
services.nix
tunnels.nix
types.nix
wireguard.nix
firewall.nix
secrets
secrets.nix
services
blog-update.nix
blog-update.sh
caddy.nix
dn42-peerfinder.nix
mailserver
acme.nix
auth.nix
auto-ban.nix
calendar.nix
default.nix
imap.nix
logins.nix
monitoring.nix
overrides.nix
queue.nix
report.nix
server.nix
session.nix
signature.nix
stalwart
acme.nix
auth.nix
auto-ban.nix
calendar.nix
default.nix
imap.nix
queue.nix
report.nix
server.nix
session.nix
signature.nix
netdata.nix
nginx
default.nix
pyrox.dev.nix
tailscale.nix
zerotier.nix
thought
secrets
secrets.nix
zaphod
bootloader.nix
default.nix
hardware.nix
misc.nix
packages.nix
programs
sway.nix
services
fprintd.nix
misc.nix
img.png
lib
data
services.toml
default.nix
deploy
default.nix
nixosModules
default-config
bootloader.nix
default.nix
nixConfig.nix
nixpkgsConfig.nix
programs
default.nix
nh.nix
security.nix
services
default.nix
default-users
default.nix
default.nix
dn42Wireguard
default.nix
homes
pyrox
default.nix
pyrox-zaphod
default.nix
thehedgehog
default.nix
thehedgehog-zaphod
default.nix
programs
firefox
extensions.nix
hyprland
default.nix
misc
default.nix
neovim
default.nix
services
forgejo-runner
default.nix
optnix.toml
overlays
cinny
default.nix
default.nix
hy3-fixes
default.nix
nix-index
default.nix
openssh-fixperms
default.nix
packages
anubis-files
default.nix
package.nix
src
policies
default.yaml
forgejo.yaml
grafana.yaml
meta
base.yaml
openGraph.yaml
miniflux.yaml
nextcloud-office.yaml
nextcloud.yaml
pingvin-share.yaml
planka.yaml
pocket-id.yaml
vaultwarden.yaml
rules
block
alibaba-cloud.yaml
challenge
generic-browser.yaml
bgutil-pot-server
librusty_v8.nix
package.nix
update-librusty.sh
default.nix
doc2dash
default.nix
package.nix
glide-browser-bin
package.nix
jellyfin-exporter
default.nix
package.nix
pingvin-share-config
default.nix
package.nix
planka
package.nix
packages.nix
+6 -6
.envrc 
···

       
1

       

       
-

       
if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then


     

       
2

       

       
-

       
  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="


     

       

       
1

       
+

       
if ! has nix_direnv_version || ! nix_direnv_version 3.1.0; then


     

       

       
2

       
+

       
  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.1.0/direnvrc" "sha256-yMJ2OVMzrFaDPn7q8nCBZFRYpL/f0RcHzhmw/i6btJM="


     

       
3

       
3

       
 

       
fi


     

       

       
4

       
+

       



     

       
4

       
5

       
 

       
export NH_NOM=1


     

       
5

       
6

       
 

       
export NH_LOG=nh=info


     

       
6

       

       
-

       
export NH_FLAKE=$(pwd)


     

       

       
7

       
+

       
NH_FLAKE=$(pwd)


     

       

       
8

       
+

       
export NH_FLAKE


     

       
7

       
9

       
 

       



     

       
8

       

       
-

       
if [[ $(hostname) == "zaphod" ]]; then


     

       
9

       

       
-

       
  use flake . --accept-flake-config


     

       
10

       

       
-

       
fi


     

       

       
10

       
+

       
use flake . --accept-flake-config
+31
.nvim.lua 
···

       

       
1

       
+

       
local nvim_lsp = require("lspconfig")


     

       

       
2

       
+

       
nvim_lsp.nixd.setup({


     

       

       
3

       
+

       
  cmd = { "nixd" },


     

       

       
4

       
+

       
  settings = {


     

       

       
5

       
+

       
    nixd = {


     

       

       
6

       
+

       
      nixpkgs = {


     

       

       
7

       
+

       
        expr = "import <nixpkgs> { }",


     

       

       
8

       
+

       
      },


     

       

       
9

       
+

       
      formatting = {


     

       

       
10

       
+

       
        command = { "treefmt" },


     

       

       
11

       
+

       
      },


     

       

       
12

       
+

       
      options = {


     

       

       
13

       
+

       
        nixos = {


     

       

       
14

       
+

       
          expr = "(builtins.getFlake (builtins.toString ./.)).nixosConfigurations.zaphod.options",


     

       

       
15

       
+

       
        },


     

       

       
16

       
+

       
        home_manager = {


     

       

       
17

       
+

       
          expr = "(builtins.getFlake (builtins.toString ./.)).nixosConfigurations.zaphod.options.home-manager.users.type.getSubOptions []",


     

       

       
18

       
+

       
        },


     

       

       
19

       
+

       
        flake_parts = {


     

       

       
20

       
+

       
          expr = "(builtins.getFlake (builtins.toString ./.)).debug.options",


     

       

       
21

       
+

       
        },


     

       

       
22

       
+

       
        flake_parts_perSystem = {


     

       

       
23

       
+

       
          expr = "(builtins.getFlake (builtins.toString ./.)).currentSystem.options",


     

       

       
24

       
+

       
        },


     

       

       
25

       
+

       
        my_modules = {


     

       

       
26

       
+

       
          exper = "(pkgs.lib.evalModules { modules = (builtins.getFlake (builtins.toString ./.)).nixosModules; }).options",


     

       

       
27

       
+

       
        },


     

       

       
28

       
+

       
      },


     

       

       
29

       
+

       
    },


     

       

       
30

       
+

       
  },


     

       

       
31

       
+

       
})
+1
.shellcheckrc 
···

       

       
1

       
+

       
disable=SC2148
+4 -2
Justfile 
···

       
2

       
2

       
 

       
alias s := switch


     

       
3

       
3

       
 

       



     

       
4

       
4

       
 

       
build:


     

       
5

       

       
-

       
  nh os build . --verbose -- --show-trace --accept-flake-config


     

       

       
5

       
+

       
    nixos-rebuild-ng build --flake . --accept-flake-config --verbose --show-trace \


     

       

       
6

       
+

       
      --max-jobs 3 --cores 6 \


     

       

       
7

       
+

       
    && nvd diff /run/current-system result


     

       
6

       
8

       
 

       



     

       
7

       
9

       
 

       
switch:


     

       
8

       

       
-

       
  nh os switch . --verbose -- --show-trace --accept-flake-config


     

       

       
10

       
+

       
    nixos-rebuild-ng switch --flake . --accept-flake-config --verbose --show-trace --sudo
-6
MIGRATE.md 
···

       
1

       

       
-

       
- [ ] easy-hosts


     

       
2

       

       
-

       
- [ ] HM Configs


     

       
3

       

       
-

       
- [x] modules


     

       
4

       

       
-

       
- [x] packages


     

       
5

       

       
-

       
- [x] devShells


     

       
6

       

       
-

       
- [x] overlays
+30 -18
README.md 
···

       
1

       
1

       
 

       
# PyroConf, a custom Nix config


     

       
2

       
2

       
 

       



     

       
3

       
3

       
 

       
## No Place Like ~


     

       
4

       

       
-

       
This is PyroNet's (relatively) production-grade NixOS config repo. It contains configurations for 3 different machines, as well as `home-manager` configurations.


     

       
5

       
4

       
 

       



     

       
6

       

       
-

       
I try to keep the configuration organized. All home-manager related items go in `/home`, host configurations go in `/hosts`, and custom packages are in `/pkgs`, among other folders.


     

       

       
5

       
+

       
This is PyroNet's (relatively) production-grade NixOS config repo. It contains configurations for 3 different machines,


     

       

       
6

       
+

       
as well as `home-manager` configurations.


     

       
7

       
7

       
 

       



     

       
8

       

       
-

       
My machines serve production infra for *.pyrox.dev domains. There are a few exceptions:


     

       
9

       

       
-

       
* [My blog](https://blog.pyrox.dev), and the [root domain](https://pyrox.dev) which are served by [OMG.LOL](https://omg.lol).


     

       
10

       

       
-

       
I highly recommend their services, as you get a great domain name at a company that cares about you. If you do sign up, consider using [my referral link](https://omg.lol?refer=py), as I get 3 months of service credit if you sign up through it.


     

       

       
8

       
+

       
I try to keep the configuration organized. All home-manager related items go in `/home`, host configurations go in


     

       

       
9

       
+

       
`/hosts`, and custom packages are in `/pkgs`, among other folders.


     

       

       
10

       
+

       



     

       

       
11

       
+

       
My machines serve production infra for \*.pyrox.dev domains. There are a few exceptions:


     

       

       
12

       
+

       



     

       

       
13

       
+

       
- [My blog](https://blog.pyrox.dev), and the [root domain](https://pyrox.dev) which are served by


     

       

       
14

       
+

       
  [OMG.LOL](https://omg.lol). I highly recommend their services, as you get a great domain name at a company that cares


     

       

       
15

       
+

       
  about you. If you do sign up, consider using [my referral link](https://omg.lol?refer=py), as I get 3 months of


     

       

       
16

       
+

       
  service credit if you sign up through it.


     

       
11

       
17

       
 

       



     

       
12

       
18

       
 

       
There are some services I run that many homelabs do not. They are:


     

       
13

       

       
-

       
* Authoritative DNS for my domains, run on `prefect`.


     

       
14

       

       
-

       
* A Tailscale tunnel from `marvin` to `prefect` which allows me to run services on `marvin` while having them be externally accessible.


     

       
15

       

       
-

       
* Email services for my domains, also run on `prefect`, with all email data backed up hourly to `marvin`, ensuring data reliability.


     

       
16

       

       
-

       
* Connections to the [DN42](https://dn42.us) network, run on `prefect`.


     

       

       
19

       
+

       



     

       

       
20

       
+

       
- Authoritative DNS for my domains, run on `prefect`.


     

       

       
21

       
+

       
- A Tailscale tunnel from `marvin` to `prefect` which allows me to run services on `marvin` while having them be


     

       

       
22

       
+

       
  externally accessible.


     

       

       
23

       
+

       
- Email services for my domains, also run on `prefect`, with all email data backed up hourly to `marvin`, ensuring data


     

       

       
24

       
+

       
  reliability.


     

       

       
25

       
+

       
- Connections to the [DN42](https://dn42.us) network, run on `prefect`.


     

       
17

       
26

       
 

       



     

       
18

       
27

       
 

       
I also run many typical homelab services, such as:


     

       
19

       

       
-

       
* [Vaultwarden](https://github.com/danigarcia/vaultwarden) for passwords


     

       
20

       

       
-

       
* [Jellyfin](https://jellyfin.org) for media


     

       
21

       

       
-

       
* [Authentik](https://goauthentik.io) for central auth


     

       
22

       

       
-

       
* And many more


     

       

       
28

       
+

       



     

       

       
29

       
+

       
- [Vaultwarden](https://github.com/danigarcia/vaultwarden) for passwords


     

       

       
30

       
+

       
- [Jellyfin](https://jellyfin.org) for media


     

       

       
31

       
+

       
- [Authentik](https://goauthentik.io) for central auth


     

       

       
32

       
+

       
- And many more


     

       
23

       
33

       
 

       



     

       
24

       
34

       
 

       
# Contact


     

       
25

       

       
-

       
If you have any questions about any of the services I run, or would like to reach out, my contact info is on my profile [here](https://pyrox.dev)


     

       

       
35

       
+

       



     

       

       
36

       
+

       
If you have any questions about any of the services I run, or would like to reach out, my contact info is on my profile


     

       

       
37

       
+

       
[here](https://pyrox.dev)


     

       
26

       
38

       
 

       



     

       
27

       
39

       
 

       
# License


     

       
28

       

       
-

       
Copyright (c) 2023 Pyrox and PyroNet. All rights reserved.


     

       
29

       

       
-

       
This Source Code Form is subject to the terms of the Mozilla Public


     

       
30

       

       
-

       
License, v. 2.0. If a copy of the MPL was not distributed with this


     

       
31

       

       
-

       
file, You can obtain one at <http://mozilla.org/MPL/2.0/>.


     

       

       
40

       
+

       



     

       

       
41

       
+

       
Copyright (c) 2023 Pyrox and PyroNet. All rights reserved. This Source Code Form is subject to the terms of the Mozilla


     

       

       
42

       
+

       
Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at


     

       

       
43

       
+

       
<http://mozilla.org/MPL/2.0/>.
-2
TODO.md 
···

       
18

       
18

       
 

       
- [ ] Move all Docker containers to using native versions of databases, redis, etc.


     

       
19

       
19

       
 

       
  - Ensures higher performance and reduces the number of running containers.


     

       
20

       
20

       
 

       
  - https://github.com/felschr/nixos-config/blob/main/services/immich.nix for an example of how to do it


     

       
21

       

       
-

       
- [ ] Add Archivebox service(needs custom module)


     

       
22

       

       
-

       
- [ ] Add Immich service


     

       
23

       
21

       
 

       



     

       
24

       
22

       
 

       
## Zaphod


     

       
25

       
23
+7
devShells/default/default.nix 
···

       
4

       
4

       
 

       
}:


     

       
5

       
5

       
 

       
pkgs.mkShellNoCC {


     

       
6

       
6

       
 

       
  packages = [


     

       

       
7

       
+

       
    # keep-sorted start


     

       
7

       
8

       
 

       
    pkgs.deadnix


     

       
8

       
9

       
 

       
    pkgs.just


     

       
9

       
10

       
 

       
    pkgs.nil


     

       

       
11

       
+

       
    pkgs.nix-output-monitor


     

       
10

       
12

       
 

       
    pkgs.nix-tree


     

       

       
13

       
+

       
    pkgs.nix-update


     

       
11

       
14

       
 

       
    pkgs.nixd


     

       
12

       
15

       
 

       
    pkgs.nixfmt-rfc-style


     

       

       
16

       
+

       
    pkgs.nixos-rebuild-ng


     

       

       
17

       
+

       
    pkgs.nvd


     

       
13

       
18

       
 

       
    pkgs.statix


     

       

       
19

       
+

       
    pkgs.tokei


     

       

       
20

       
+

       
    # keep-sorted endd


     

       
14

       
21

       
 

       
  ];


     

       
15

       
22

       
 

       
}
+1 -4
devShells/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  ...


     

       
3

       

       
-

       
}:


     

       
4

       

       
-

       
{


     

       

       
1

       
+

       
_: {


     

       
5

       
2

       
 

       
  perSystem =


     

       
6

       
3

       
 

       
    { pkgs, ... }:


     

       
7

       
4

       
 

       
    {
+267 -349
flake.lock 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  "nodes": {


     

       

       
3

       
+

       
    "actor-typeahead-src": {


     

       

       
4

       
+

       
      "flake": false,


     

       

       
5

       
+

       
      "locked": {


     

       

       
6

       
+

       
        "lastModified": 1762835797,


     

       

       
7

       
+

       
        "narHash": "sha256-heizoWUKDdar6ymfZTnj3ytcEv/L4d4fzSmtr0HlXsQ=",


     

       

       
8

       
+

       
        "ref": "refs/heads/main",


     

       

       
9

       
+

       
        "rev": "677fe7f743050a4e7f09d4a6f87bbf1325a06f6b",


     

       

       
10

       
+

       
        "revCount": 6,


     

       

       
11

       
+

       
        "type": "git",


     

       

       
12

       
+

       
        "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead"


     

       

       
13

       
+

       
      },


     

       

       
14

       
+

       
      "original": {


     

       

       
15

       
+

       
        "type": "git",


     

       

       
16

       
+

       
        "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead"


     

       

       
17

       
+

       
      }


     

       

       
18

       
+

       
    },


     

       
3

       
19

       
 

       
    "agenix": {


     

       
4

       
20

       
 

       
      "inputs": {


     

       
5

       
21

       
 

       
        "darwin": "darwin",


     
···

       
9

       
25

       
 

       
        "nixpkgs": [


     

       
10

       
26

       
 

       
          "nixpkgs"


     

       
11

       
27

       
 

       
        ],


     

       
12

       

       
-

       
        "systems": [


     

       
13

       

       
-

       
          "systems"


     

       
14

       

       
-

       
        ]


     

       

       
28

       
+

       
        "systems": "systems"


     

       
15

       
29

       
 

       
      },


     

       
16

       
30

       
 

       
      "locked": {


     

       
17

       

       
-

       
        "lastModified": 1754433428,


     

       
18

       

       
-

       
        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",


     

       

       
31

       
+

       
        "lastModified": 1762618334,


     

       

       
32

       
+

       
        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",


     

       
19

       
33

       
 

       
        "owner": "ryantm",


     

       
20

       
34

       
 

       
        "repo": "agenix",


     

       
21

       

       
-

       
        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",


     

       

       
35

       
+

       
        "rev": "fcdea223397448d35d9b31f798479227e80183f6",


     

       
22

       
36

       
 

       
        "type": "github"


     

       
23

       
37

       
 

       
      },


     

       
24

       
38

       
 

       
      "original": {


     
···

       
27

       
41

       
 

       
        "type": "github"


     

       
28

       
42

       
 

       
      }


     

       
29

       
43

       
 

       
    },


     

       
30

       

       
-

       
    "blobs": {


     

       
31

       

       
-

       
      "flake": false,


     

       

       
44

       
+

       
    "bird": {


     

       

       
45

       
+

       
      "inputs": {


     

       

       
46

       
+

       
        "flake-utils": "flake-utils",


     

       

       
47

       
+

       
        "nixpkgs": [


     

       

       
48

       
+

       
          "dn42",


     

       

       
49

       
+

       
          "nixpkgs"


     

       

       
50

       
+

       
        ]


     

       

       
51

       
+

       
      },


     

       
32

       
52

       
 

       
      "locked": {


     

       
33

       

       
-

       
        "lastModified": 1604995301,


     

       
34

       

       
-

       
        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",


     

       
35

       

       
-

       
        "owner": "simple-nixos-mailserver",


     

       
36

       

       
-

       
        "repo": "blobs",


     

       
37

       

       
-

       
        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",


     

       
38

       

       
-

       
        "type": "gitlab"


     

       

       
53

       
+

       
        "lastModified": 1757884119,


     

       

       
54

       
+

       
        "narHash": "sha256-RF0Em7PjDRaQ5cBFgc3fL22qgDVbv2HoVW1TDRaaSNo=",


     

       

       
55

       
+

       
        "owner": "NuschtOS",


     

       

       
56

       
+

       
        "repo": "bird.nix",


     

       

       
57

       
+

       
        "rev": "f8d18c2c8eebd477987001a9c0af50a9ca7909e5",


     

       

       
58

       
+

       
        "type": "github"


     

       
39

       
59

       
 

       
      },


     

       
40

       
60

       
 

       
      "original": {


     

       
41

       

       
-

       
        "owner": "simple-nixos-mailserver",


     

       
42

       

       
-

       
        "repo": "blobs",


     

       
43

       

       
-

       
        "type": "gitlab"


     

       

       
61

       
+

       
        "owner": "NuschtOS",


     

       

       
62

       
+

       
        "repo": "bird.nix",


     

       

       
63

       
+

       
        "type": "github"


     

       
44

       
64

       
 

       
      }


     

       
45

       
65

       
 

       
    },


     

       
46

       
66

       
 

       
    "buildbot-nix": {


     
···

       
55

       
75

       
 

       
        "treefmt-nix": []


     

       
56

       
76

       
 

       
      },


     

       
57

       
77

       
 

       
      "locked": {


     

       
58

       

       
-

       
        "lastModified": 1758897213,


     

       
59

       

       
-

       
        "narHash": "sha256-pLZgNsmCMhTWd8aRuGkK23ik5nclpIn1flnURKH6QjI=",


     

       

       
78

       
+

       
        "lastModified": 1763946641,


     

       

       
79

       
+

       
        "narHash": "sha256-kPP7k2b+Dkd91yJO01y3l1F0t+Mqvv8+FrPfjcCwszg=",


     

       
60

       
80

       
 

       
        "owner": "nix-community",


     

       
61

       
81

       
 

       
        "repo": "buildbot-nix",


     

       
62

       

       
-

       
        "rev": "985d069a2a45cf4a571a4346107671adc2bd2a16",


     

       

       
82

       
+

       
        "rev": "cd32d1c420320383bfcc80c1b0b402b6a7eccc23",


     

       
63

       
83

       
 

       
        "type": "github"


     

       
64

       
84

       
 

       
      },


     

       
65

       
85

       
 

       
      "original": {


     
···

       
68

       
88

       
 

       
        "type": "github"


     

       
69

       
89

       
 

       
      }


     

       
70

       
90

       
 

       
    },


     

       

       
91

       
+

       
    "caelestia": {


     

       

       
92

       
+

       
      "inputs": {


     

       

       
93

       
+

       
        "caelestia-cli": "caelestia-cli",


     

       

       
94

       
+

       
        "nixpkgs": [


     

       

       
95

       
+

       
          "nixpkgs"


     

       

       
96

       
+

       
        ],


     

       

       
97

       
+

       
        "quickshell": [


     

       

       
98

       
+

       
          "quickshell"


     

       

       
99

       
+

       
        ]


     

       

       
100

       
+

       
      },


     

       

       
101

       
+

       
      "locked": {


     

       

       
102

       
+

       
        "lastModified": 1764466211,


     

       

       
103

       
+

       
        "narHash": "sha256-rBK+usqfAP9ZuEthw9wMCwTKQgKUMmziuzrrkpDZdzY=",


     

       

       
104

       
+

       
        "owner": "caelestia-dots",


     

       

       
105

       
+

       
        "repo": "shell",


     

       

       
106

       
+

       
        "rev": "40813e520582c5df11f6d4c870a31900fe171cce",


     

       

       
107

       
+

       
        "type": "github"


     

       

       
108

       
+

       
      },


     

       

       
109

       
+

       
      "original": {


     

       

       
110

       
+

       
        "owner": "caelestia-dots",


     

       

       
111

       
+

       
        "repo": "shell",


     

       

       
112

       
+

       
        "type": "github"


     

       

       
113

       
+

       
      }


     

       

       
114

       
+

       
    },


     

       

       
115

       
+

       
    "caelestia-cli": {


     

       

       
116

       
+

       
      "inputs": {


     

       

       
117

       
+

       
        "caelestia-shell": [


     

       

       
118

       
+

       
          "caelestia"


     

       

       
119

       
+

       
        ],


     

       

       
120

       
+

       
        "nixpkgs": [


     

       

       
121

       
+

       
          "caelestia",


     

       

       
122

       
+

       
          "nixpkgs"


     

       

       
123

       
+

       
        ]


     

       

       
124

       
+

       
      },


     

       

       
125

       
+

       
      "locked": {


     

       

       
126

       
+

       
        "lastModified": 1764381410,


     

       

       
127

       
+

       
        "narHash": "sha256-WR/oQQjveFqQxo8oHngZuOVgBQINDgPe+lCXLeNhAAg=",


     

       

       
128

       
+

       
        "owner": "caelestia-dots",


     

       

       
129

       
+

       
        "repo": "cli",


     

       

       
130

       
+

       
        "rev": "ed12d4cb82600872a82feb577711be1148c7af35",


     

       

       
131

       
+

       
        "type": "github"


     

       

       
132

       
+

       
      },


     

       

       
133

       
+

       
      "original": {


     

       

       
134

       
+

       
        "owner": "caelestia-dots",


     

       

       
135

       
+

       
        "repo": "cli",


     

       

       
136

       
+

       
        "type": "github"


     

       

       
137

       
+

       
      }


     

       

       
138

       
+

       
    },


     

       
71

       
139

       
 

       
    "ctp": {


     

       
72

       
140

       
 

       
      "inputs": {


     

       
73

       
141

       
 

       
        "nixpkgs": "nixpkgs"


     

       
74

       
142

       
 

       
      },


     

       
75

       
143

       
 

       
      "locked": {


     

       
76

       

       
-

       
        "lastModified": 1759572023,


     

       
77

       

       
-

       
        "narHash": "sha256-2fzYq/m2PXie5WZO5LhyiZrTIUdUFp1SCLZAwvPL5xo=",


     

       

       
144

       
+

       
        "lastModified": 1764325801,


     

       

       
145

       
+

       
        "narHash": "sha256-LQ7tsrXs1wuB6KBwUctL3JlUsG/FWI2pCI6NkoO52dk=",


     

       
78

       
146

       
 

       
        "owner": "catppuccin",


     

       
79

       
147

       
 

       
        "repo": "nix",


     

       
80

       

       
-

       
        "rev": "eeada12912d80d04733383d231a9d66172858718",


     

       

       
148

       
+

       
        "rev": "a696fed6b9b6aa89ef495842cdca3fc2a7cef0de",


     

       
81

       
149

       
 

       
        "type": "github"


     

       
82

       
150

       
 

       
      },


     

       
83

       
151

       
 

       
      "original": {


     
···

       
108

       
176

       
 

       
        "type": "github"


     

       
109

       
177

       
 

       
      }


     

       
110

       
178

       
 

       
    },


     

       
111

       

       
-

       
    "determinate": {


     

       

       
179

       
+

       
    "dgop": {


     

       
112

       
180

       
 

       
      "inputs": {


     

       
113

       

       
-

       
        "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",


     

       
114

       

       
-

       
        "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",


     

       
115

       

       
-

       
        "determinate-nixd-x86_64-darwin": [


     

       
116

       

       
-

       
          "determinate",


     

       
117

       

       
-

       
          "determinate-nixd-aarch64-darwin"


     

       
118

       

       
-

       
        ],


     

       
119

       

       
-

       
        "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",


     

       
120

       

       
-

       
        "nix": [


     

       
121

       

       
-

       
          "dix"


     

       
122

       

       
-

       
        ],


     

       
123

       
181

       
 

       
        "nixpkgs": [


     

       

       
182

       
+

       
          "dms",


     

       
124

       
183

       
 

       
          "nixpkgs"


     

       
125

       
184

       
 

       
        ]


     

       
126

       
185

       
 

       
      },


     

       
127

       
186

       
 

       
      "locked": {


     

       
128

       

       
-

       
        "lastModified": 1757699119,


     

       
129

       

       
-

       
        "narHash": "sha256-iOOoVdrkcyk95Xg68TuPeAwpz+v80mgZCqil0jpPZuY=",


     

       
130

       

       
-

       
        "owner": "DeterminateSystems",


     

       
131

       

       
-

       
        "repo": "determinate",


     

       
132

       

       
-

       
        "rev": "1e16c8f8a44573bb0648c76b6c98352436f5171e",


     

       

       
187

       
+

       
        "lastModified": 1762435535,


     

       

       
188

       
+

       
        "narHash": "sha256-QhzRn7pYN35IFpKjjxJAj3GPJECuC+VLhoGem3ezycc=",


     

       

       
189

       
+

       
        "owner": "AvengeMedia",


     

       

       
190

       
+

       
        "repo": "dgop",


     

       

       
191

       
+

       
        "rev": "6cf638dde818f9f8a2e26d0243179c43cb3458d7",


     

       
133

       
192

       
 

       
        "type": "github"


     

       
134

       
193

       
 

       
      },


     

       
135

       
194

       
 

       
      "original": {


     

       
136

       

       
-

       
        "owner": "DeterminateSystems",


     

       
137

       

       
-

       
        "repo": "determinate",


     

       

       
195

       
+

       
        "owner": "AvengeMedia",


     

       

       
196

       
+

       
        "repo": "dgop",


     

       
138

       
197

       
 

       
        "type": "github"


     

       
139

       
198

       
 

       
      }


     

       
140

       
199

       
 

       
    },


     

       
141

       

       
-

       
    "determinate-nixd-aarch64-darwin": {


     

       
142

       

       
-

       
      "flake": false,


     

       

       
200

       
+

       
    "dms": {


     

       

       
201

       
+

       
      "inputs": {


     

       

       
202

       
+

       
        "dgop": "dgop",


     

       

       
203

       
+

       
        "nixpkgs": [


     

       

       
204

       
+

       
          "nixpkgs"


     

       

       
205

       
+

       
        ]


     

       

       
206

       
+

       
      },


     

       
143

       
207

       
 

       
      "locked": {


     

       
144

       

       
-

       
        "narHash": "sha256-q1tqDvmfjDgLk/wbYf4pRhyHDS94iY85Q79FPBtcv7g=",


     

       
145

       

       
-

       
        "type": "file",


     

       
146

       

       
-

       
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/macOS"


     

       

       
208

       
+

       
        "lastModified": 1764553800,


     

       

       
209

       
+

       
        "narHash": "sha256-kHlx3E3K2UNWI1Hpbyl5zieoOVevZfwz8P/OcyViDHY=",


     

       

       
210

       
+

       
        "owner": "AvengeMedia",


     

       

       
211

       
+

       
        "repo": "DankMaterialShell",


     

       

       
212

       
+

       
        "rev": "7959a795753d9f646cfb9e21cfb778adf7e5c933",


     

       

       
213

       
+

       
        "type": "github"


     

       
147

       
214

       
 

       
      },


     

       
148

       
215

       
 

       
      "original": {


     

       
149

       

       
-

       
        "type": "file",


     

       
150

       

       
-

       
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/macOS"


     

       

       
216

       
+

       
        "owner": "AvengeMedia",


     

       

       
217

       
+

       
        "repo": "DankMaterialShell",


     

       

       
218

       
+

       
        "type": "github"


     

       
151

       
219

       
 

       
      }


     

       
152

       
220

       
 

       
    },


     

       
153

       

       
-

       
    "determinate-nixd-aarch64-linux": {


     

       

       
221

       
+

       
    "dms-plugins": {


     

       
154

       
222

       
 

       
      "flake": false,


     

       
155

       
223

       
 

       
      "locked": {


     

       
156

       

       
-

       
        "narHash": "sha256-E1vGfcQ5dqtRG9EDP6eOQWCnCIRB2XFkFBp2C4FgQ8c=",


     

       
157

       

       
-

       
        "type": "file",


     

       
158

       

       
-

       
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/aarch64-linux"


     

       

       
224

       
+

       
        "lastModified": 1764085668,


     

       

       
225

       
+

       
        "narHash": "sha256-KtOu12NVLdyho9T4EXJaReNhFO98nAXpemkb6yeOvwE=",


     

       

       
226

       
+

       
        "owner": "AvengeMedia",


     

       

       
227

       
+

       
        "repo": "dms-plugins",


     

       

       
228

       
+

       
        "rev": "3bc66f186a8184cb8eca5fdfc0699cb4a828cd90",


     

       

       
229

       
+

       
        "type": "github"


     

       
159

       
230

       
 

       
      },


     

       
160

       
231

       
 

       
      "original": {


     

       
161

       

       
-

       
        "type": "file",


     

       
162

       

       
-

       
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/aarch64-linux"


     

       

       
232

       
+

       
        "owner": "AvengeMedia",


     

       

       
233

       
+

       
        "repo": "dms-plugins",


     

       

       
234

       
+

       
        "type": "github"


     

       
163

       
235

       
 

       
      }


     

       
164

       
236

       
 

       
    },


     

       
165

       

       
-

       
    "determinate-nixd-x86_64-linux": {


     

       

       
237

       
+

       
    "dms-power-usage": {


     

       
166

       
238

       
 

       
      "flake": false,


     

       
167

       
239

       
 

       
      "locked": {


     

       
168

       

       
-

       
        "narHash": "sha256-GtxtkI0cOC2A30Xw6gCDTN7JxN1zJGh7/eIXr6AlTSA=",


     

       
169

       

       
-

       
        "type": "file",


     

       
170

       

       
-

       
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/x86_64-linux"


     

       

       
240

       
+

       
        "lastModified": 1760429135,


     

       

       
241

       
+

       
        "narHash": "sha256-M/H4nlAzUFrxZ01ldaR/YH1hqVN4vlBrkaCUqjtMaTM=",


     

       

       
242

       
+

       
        "owner": "Daniel-42-z",


     

       

       
243

       
+

       
        "repo": "dms-power-usage",


     

       

       
244

       
+

       
        "rev": "3f75b651d90210c6f9442a099cf14262ac47750d",


     

       

       
245

       
+

       
        "type": "github"


     

       
171

       
246

       
 

       
      },


     

       
172

       
247

       
 

       
      "original": {


     

       
173

       

       
-

       
        "type": "file",


     

       
174

       

       
-

       
        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.11.2/x86_64-linux"


     

       

       
248

       
+

       
        "owner": "Daniel-42-z",


     

       

       
249

       
+

       
        "repo": "dms-power-usage",


     

       

       
250

       
+

       
        "type": "github"


     

       
175

       
251

       
 

       
      }


     

       
176

       
252

       
 

       
    },


     

       
177

       

       
-

       
    "dix": {


     

       
178

       

       
-

       
      "inputs": {


     

       
179

       

       
-

       
        "flake-parts": [],


     

       
180

       

       
-

       
        "git-hooks-nix": [],


     

       
181

       

       
-

       
        "nixpkgs": [


     

       
182

       

       
-

       
          "nixpkgs"


     

       
183

       

       
-

       
        ],


     

       
184

       

       
-

       
        "nixpkgs-23-11": [],


     

       
185

       

       
-

       
        "nixpkgs-regression": []


     

       
186

       

       
-

       
      },


     

       

       
253

       
+

       
    "dms-wp-shuffler": {


     

       

       
254

       
+

       
      "flake": false,


     

       
187

       
255

       
 

       
      "locked": {


     

       
188

       

       
-

       
        "lastModified": 1757694985,


     

       
189

       

       
-

       
        "narHash": "sha256-3Ia+y7Hbwnzcuf1hyuVnFtbnSR6ErQeFjemHdVxjCNE=",


     

       
190

       

       
-

       
        "rev": "766f43aa6acb1b3578db488c19fbbedf04ed9f24",


     

       
191

       

       
-

       
        "revCount": 22340,


     

       
192

       

       
-

       
        "type": "tarball",


     

       
193

       

       
-

       
        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.11.2/01993ee9-f8e7-7b80-80df-ec0a20a32514/source.tar.gz"


     

       

       
256

       
+

       
        "lastModified": 1760657995,


     

       

       
257

       
+

       
        "narHash": "sha256-71kZLdVZmWMG+sgpbPHH8RFGmvLWve9NNTpZNJXrRd4=",


     

       

       
258

       
+

       
        "owner": "Daniel-42-z",


     

       

       
259

       
+

       
        "repo": "dms-wallpaper-shuffler",


     

       

       
260

       
+

       
        "rev": "cc459906990e562d3a332bd5c6869e8f5af1ee52",


     

       

       
261

       
+

       
        "type": "github"


     

       
194

       
262

       
 

       
      },


     

       
195

       
263

       
 

       
      "original": {


     

       
196

       

       
-

       
        "type": "tarball",


     

       
197

       

       
-

       
        "url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"


     

       

       
264

       
+

       
        "owner": "Daniel-42-z",


     

       

       
265

       
+

       
        "repo": "dms-wallpaper-shuffler",


     

       

       
266

       
+

       
        "type": "github"


     

       
198

       
267

       
 

       
      }


     

       
199

       
268

       
 

       
    },


     

       
200

       

       
-

       
    "dns": {


     

       

       
269

       
+

       
    "dn42": {


     

       
201

       
270

       
 

       
      "inputs": {


     

       
202

       

       
-

       
        "flake-utils": [


     

       
203

       

       
-

       
          "flake-utils"


     

       
204

       

       
-

       
        ],


     

       

       
271

       
+

       
        "bird": "bird",


     

       
205

       
272

       
 

       
        "nixpkgs": [


     

       
206

       
273

       
 

       
          "nixpkgs"


     

       
207

       
274

       
 

       
        ]


     

       
208

       
275

       
 

       
      },


     

       
209

       
276

       
 

       
      "locked": {


     

       
210

       

       
-

       
        "lastModified": 1759510210,


     

       
211

       

       
-

       
        "narHash": "sha256-rR3BuhcSyQ3bQ0rS14I53O7gWzlPEs15skl1TWx+TeI=",


     

       
212

       

       
-

       
        "owner": "nix-community",


     

       
213

       

       
-

       
        "repo": "dns.nix",


     

       
214

       

       
-

       
        "rev": "f3cb11f642d4fa6224e2b1ddfd2c3ba42e9ffea2",


     

       

       
277

       
+

       
        "lastModified": 1764646680,


     

       

       
278

       
+

       
        "narHash": "sha256-HEVzGL23bev8CuZXbLgDZRWy+mD/qPZhRBpjag7G/dU=",


     

       

       
279

       
+

       
        "owner": "pyrox0",


     

       

       
280

       
+

       
        "repo": "dn43.nix",


     

       

       
281

       
+

       
        "rev": "c8b68602cf1ef696e6a9f9c25e8c177d4101331b",


     

       
215

       
282

       
 

       
        "type": "github"


     

       
216

       
283

       
 

       
      },


     

       
217

       
284

       
 

       
      "original": {


     

       
218

       

       
-

       
        "owner": "nix-community",


     

       
219

       

       
-

       
        "repo": "dns.nix",


     

       

       
285

       
+

       
        "owner": "pyrox0",


     

       

       
286

       
+

       
        "repo": "dn43.nix",


     

       
220

       
287

       
 

       
        "type": "github"


     

       
221

       
288

       
 

       
      }


     

       
222

       
289

       
 

       
    },


     
···

       
237

       
304

       
 

       
    },


     

       
238

       
305

       
 

       
    "flake-compat": {


     

       
239

       
306

       
 

       
      "locked": {


     

       
240

       

       
-

       
        "lastModified": 1747046372,


     

       
241

       

       
-

       
        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",


     

       

       
307

       
+

       
        "lastModified": 1761588595,


     

       

       
308

       
+

       
        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",


     

       
242

       
309

       
 

       
        "owner": "edolstra",


     

       
243

       
310

       
 

       
        "repo": "flake-compat",


     

       
244

       

       
-

       
        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",


     

       

       
311

       
+

       
        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",


     

       
245

       
312

       
 

       
        "type": "github"


     

       
246

       
313

       
 

       
      },


     

       
247

       
314

       
 

       
      "original": {


     
···

       
266

       
333

       
 

       
    },


     

       
267

       
334

       
 

       
    "flake-parts": {


     

       
268

       
335

       
 

       
      "inputs": {


     

       
269

       

       
-

       
        "nixpkgs-lib": [


     

       
270

       

       
-

       
          "nixpkgs-lib"


     

       
271

       

       
-

       
        ]


     

       

       
336

       
+

       
        "nixpkgs-lib": "nixpkgs-lib"


     

       
272

       
337

       
 

       
      },


     

       
273

       
338

       
 

       
      "locked": {


     

       
274

       

       
-

       
        "lastModified": 1759362264,


     

       
275

       

       
-

       
        "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=",


     

       

       
339

       
+

       
        "lastModified": 1763759067,


     

       

       
340

       
+

       
        "narHash": "sha256-LlLt2Jo/gMNYAwOgdRQBrsRoOz7BPRkzvNaI/fzXi2Q=",


     

       
276

       
341

       
 

       
        "owner": "hercules-ci",


     

       
277

       
342

       
 

       
        "repo": "flake-parts",


     

       
278

       

       
-

       
        "rev": "758cf7296bee11f1706a574c77d072b8a7baa881",


     

       

       
343

       
+

       
        "rev": "2cccadc7357c0ba201788ae99c4dfa90728ef5e0",


     

       
279

       
344

       
 

       
        "type": "github"


     

       
280

       
345

       
 

       
      },


     

       
281

       
346

       
 

       
      "original": {


     
···

       
286

       
351

       
 

       
    },


     

       
287

       
352

       
 

       
    "flake-utils": {


     

       
288

       
353

       
 

       
      "inputs": {


     

       
289

       

       
-

       
        "systems": [


     

       
290

       

       
-

       
          "systems"


     

       
291

       

       
-

       
        ]


     

       

       
354

       
+

       
        "systems": "systems_2"


     

       
292

       
355

       
 

       
      },


     

       
293

       
356

       
 

       
      "locked": {


     

       
294

       
357

       
 

       
        "lastModified": 1731533236,


     
···

       
306

       
369

       
 

       
    },


     

       
307

       
370

       
 

       
    "flake-utils_2": {


     

       
308

       
371

       
 

       
      "inputs": {


     

       
309

       

       
-

       
        "systems": "systems_2"


     

       

       
372

       
+

       
        "systems": "systems_3"


     

       
310

       
373

       
 

       
      },


     

       
311

       
374

       
 

       
      "locked": {


     

       
312

       

       
-

       
        "lastModified": 1694529238,


     

       
313

       

       
-

       
        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",


     

       

       
375

       
+

       
        "lastModified": 1731533236,


     

       

       
376

       
+

       
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",


     

       
314

       
377

       
 

       
        "owner": "numtide",


     

       
315

       
378

       
 

       
        "repo": "flake-utils",


     

       
316

       

       
-

       
        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",


     

       

       
379

       
+

       
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",


     

       
317

       
380

       
 

       
        "type": "github"


     

       
318

       
381

       
 

       
      },


     

       
319

       
382

       
 

       
      "original": {


     
···

       
324

       
387

       
 

       
    },


     

       
325

       
388

       
 

       
    "flake-utils_3": {


     

       
326

       
389

       
 

       
      "inputs": {


     

       
327

       

       
-

       
        "systems": "systems_3"


     

       

       
390

       
+

       
        "systems": "systems_5"


     

       
328

       
391

       
 

       
      },


     

       
329

       
392

       
 

       
      "locked": {


     

       
330

       

       
-

       
        "lastModified": 1731533236,


     

       
331

       

       
-

       
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",


     

       

       
393

       
+

       
        "lastModified": 1694529238,


     

       

       
394

       
+

       
        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",


     

       
332

       
395

       
 

       
        "owner": "numtide",


     

       
333

       
396

       
 

       
        "repo": "flake-utils",


     

       
334

       

       
-

       
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",


     

       

       
397

       
+

       
        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",


     

       
335

       
398

       
 

       
        "type": "github"


     

       
336

       
399

       
 

       
      },


     

       
337

       
400

       
 

       
      "original": {


     
···

       
340

       
403

       
 

       
        "type": "github"


     

       
341

       
404

       
 

       
      }


     

       
342

       
405

       
 

       
    },


     

       
343

       

       
-

       
    "git-hooks": {


     

       
344

       

       
-

       
      "inputs": {


     

       
345

       

       
-

       
        "flake-compat": [


     

       
346

       

       
-

       
          "mailserver",


     

       
347

       

       
-

       
          "flake-compat"


     

       
348

       

       
-

       
        ],


     

       
349

       

       
-

       
        "gitignore": "gitignore",


     

       
350

       

       
-

       
        "nixpkgs": [


     

       
351

       

       
-

       
          "mailserver",


     

       
352

       

       
-

       
          "nixpkgs"


     

       
353

       

       
-

       
        ]


     

       
354

       

       
-

       
      },


     

       
355

       

       
-

       
      "locked": {


     

       
356

       

       
-

       
        "lastModified": 1758108966,


     

       
357

       

       
-

       
        "narHash": "sha256-ytw7ROXaWZ7OfwHrQ9xvjpUWeGVm86pwnEd1QhzawIo=",


     

       
358

       

       
-

       
        "owner": "cachix",


     

       
359

       

       
-

       
        "repo": "git-hooks.nix",


     

       
360

       

       
-

       
        "rev": "54df955a695a84cd47d4a43e08e1feaf90b1fd9b",


     

       
361

       

       
-

       
        "type": "github"


     

       
362

       

       
-

       
      },


     

       
363

       

       
-

       
      "original": {


     

       
364

       

       
-

       
        "owner": "cachix",


     

       
365

       

       
-

       
        "repo": "git-hooks.nix",


     

       
366

       

       
-

       
        "type": "github"


     

       
367

       

       
-

       
      }


     

       
368

       

       
-

       
    },


     

       
369

       

       
-

       
    "gitignore": {


     

       
370

       

       
-

       
      "inputs": {


     

       
371

       

       
-

       
        "nixpkgs": [


     

       
372

       

       
-

       
          "mailserver",


     

       
373

       

       
-

       
          "git-hooks",


     

       
374

       

       
-

       
          "nixpkgs"


     

       
375

       

       
-

       
        ]


     

       
376

       

       
-

       
      },


     

       
377

       

       
-

       
      "locked": {


     

       
378

       

       
-

       
        "lastModified": 1709087332,


     

       
379

       

       
-

       
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",


     

       
380

       

       
-

       
        "owner": "hercules-ci",


     

       
381

       

       
-

       
        "repo": "gitignore.nix",


     

       
382

       

       
-

       
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",


     

       
383

       

       
-

       
        "type": "github"


     

       
384

       

       
-

       
      },


     

       
385

       

       
-

       
      "original": {


     

       
386

       

       
-

       
        "owner": "hercules-ci",


     

       
387

       

       
-

       
        "repo": "gitignore.nix",


     

       
388

       

       
-

       
        "type": "github"


     

       
389

       

       
-

       
      }


     

       
390

       

       
-

       
    },


     

       
391

       
406

       
 

       
    "golink": {


     

       
392

       
407

       
 

       
      "inputs": {


     

       
393

       
408

       
 

       
        "nixpkgs": [


     

       
394

       
409

       
 

       
          "nixpkgs"


     

       
395

       
410

       
 

       
        ],


     

       
396

       

       
-

       
        "systems": [


     

       
397

       

       
-

       
          "systems"


     

       
398

       

       
-

       
        ]


     

       

       
411

       
+

       
        "systems": "systems_4"


     

       
399

       
412

       
 

       
      },


     

       
400

       
413

       
 

       
      "locked": {


     

       
401

       

       
-

       
        "lastModified": 1757610027,


     

       
402

       

       
-

       
        "narHash": "sha256-EYc0BuEchmltffjrQaT3O8HDBWf4gaK9ejAkriFToTM=",


     

       

       
414

       
+

       
        "lastModified": 1764170522,


     

       

       
415

       
+

       
        "narHash": "sha256-4c9jCOfkKNRHJLXgOIcVcNSaw/XaiVaqesaLJn86wGA=",


     

       
403

       
416

       
 

       
        "owner": "tailscale",


     

       
404

       
417

       
 

       
        "repo": "golink",


     

       
405

       

       
-

       
        "rev": "e33c1c26e134a3f1ee61233d4108c4e7bb5530b5",


     

       

       
418

       
+

       
        "rev": "6821994de926c565d3ef9fbf3cb0e0fcb780f4be",


     

       
406

       
419

       
 

       
        "type": "github"


     

       
407

       
420

       
 

       
      },


     

       
408

       
421

       
 

       
      "original": {


     
···

       
413

       
426

       
 

       
    },


     

       
414

       
427

       
 

       
    "gomod2nix": {


     

       
415

       
428

       
 

       
      "inputs": {


     

       
416

       

       
-

       
        "flake-utils": "flake-utils_2",


     

       

       
429

       
+

       
        "flake-utils": "flake-utils_3",


     

       
417

       
430

       
 

       
        "nixpkgs": [


     

       
418

       
431

       
 

       
          "tangled",


     

       
419

       
432

       
 

       
          "nixpkgs"


     
···

       
435

       
448

       
 

       
    },


     

       
436

       
449

       
 

       
    "hardware": {


     

       
437

       
450

       
 

       
      "locked": {


     

       
438

       

       
-

       
        "lastModified": 1759582739,


     

       
439

       

       
-

       
        "narHash": "sha256-spZegilADH0q5OngM86u6NmXxduCNv5eX9vCiUPhOYc=",


     

       

       
451

       
+

       
        "lastModified": 1764440730,


     

       

       
452

       
+

       
        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",


     

       
440

       
453

       
 

       
        "owner": "nixos",


     

       
441

       
454

       
 

       
        "repo": "nixos-hardware",


     

       
442

       

       
-

       
        "rev": "3441b5242af7577230a78ffb03542add264179ab",


     

       

       
455

       
+

       
        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",


     

       
443

       
456

       
 

       
        "type": "github"


     

       
444

       
457

       
 

       
      },


     

       
445

       
458

       
 

       
      "original": {


     
···

       
480

       
493

       
 

       
        ]


     

       
481

       
494

       
 

       
      },


     

       
482

       
495

       
 

       
      "locked": {


     

       
483

       

       
-

       
        "lastModified": 1759853171,


     

       
484

       

       
-

       
        "narHash": "sha256-uqbhyXtqMbYIiMqVqUhNdSuh9AEEkiasoK3mIPIVRhk=",


     

       

       
496

       
+

       
        "lastModified": 1764544324,


     

       

       
497

       
+

       
        "narHash": "sha256-GVBGjO7UsmzLrlOJV8NlKSxukHaHencrJqWkCA6FkqI=",


     

       
485

       
498

       
 

       
        "owner": "nix-community",


     

       
486

       
499

       
 

       
        "repo": "home-manager",


     

       
487

       

       
-

       
        "rev": "1a09eb84fa9e33748432a5253102d01251f72d6d",


     

       

       
500

       
+

       
        "rev": "e4e25a8c310fa45f2a8339c7972dc43d2845a612",


     

       
488

       
501

       
 

       
        "type": "github"


     

       
489

       
502

       
 

       
      },


     

       
490

       
503

       
 

       
      "original": {


     
···

       
530

       
543

       
 

       
        "url": "https://github.com/IBM/plex/releases/download/@ibm/plex-mono@1.1.0/ibm-plex-mono.zip"


     

       
531

       
544

       
 

       
      }


     

       
532

       
545

       
 

       
    },


     

       
533

       

       
-

       
    "iceshrimp": {


     

       
534

       

       
-

       
      "inputs": {


     

       
535

       

       
-

       
        "nixpkgs": [


     

       
536

       

       
-

       
          "nixpkgs"


     

       
537

       

       
-

       
        ]


     

       
538

       

       
-

       
      },


     

       
539

       

       
-

       
      "locked": {


     

       
540

       

       
-

       
        "lastModified": 1721338360,


     

       
541

       

       
-

       
        "narHash": "sha256-1CEhakLtPq+Lqo+p40wo00hkewmyzPAvjBr8ah6Faqk=",


     

       
542

       

       
-

       
        "ref": "refs/heads/dev",


     

       
543

       

       
-

       
        "rev": "98c3678cfbcea5e750a5947394d35a73ae72634a",


     

       
544

       

       
-

       
        "revCount": 48,


     

       
545

       

       
-

       
        "type": "git",


     

       
546

       

       
-

       
        "url": "https://iceshrimp.dev/pyrox/packaging"


     

       
547

       

       
-

       
      },


     

       
548

       

       
-

       
      "original": {


     

       
549

       

       
-

       
        "type": "git",


     

       
550

       

       
-

       
        "url": "https://iceshrimp.dev/pyrox/packaging"


     

       
551

       

       
-

       
      }


     

       
552

       

       
-

       
    },


     

       
553

       
546

       
 

       
    "indigo": {


     

       
554

       
547

       
 

       
      "flake": false,


     

       
555

       
548

       
 

       
      "locked": {


     
···

       
592

       
585

       
 

       
        "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip"


     

       
593

       
586

       
 

       
      }


     

       
594

       
587

       
 

       
    },


     

       
595

       

       
-

       
    "mailserver": {


     

       
596

       

       
-

       
      "inputs": {


     

       
597

       

       
-

       
        "blobs": "blobs",


     

       
598

       

       
-

       
        "flake-compat": [


     

       
599

       

       
-

       
          "flake-compat"


     

       
600

       

       
-

       
        ],


     

       
601

       

       
-

       
        "git-hooks": "git-hooks",


     

       
602

       

       
-

       
        "nixpkgs": [


     

       
603

       

       
-

       
          "nixpkgs"


     

       
604

       

       
-

       
        ],


     

       
605

       

       
-

       
        "nixpkgs-25_05": "nixpkgs-25_05"


     

       
606

       

       
-

       
      },


     

       
607

       

       
-

       
      "locked": {


     

       
608

       

       
-

       
        "lastModified": 1759489698,


     

       
609

       

       
-

       
        "narHash": "sha256-2lT2i5ha23I2vrolEaBaAS/63ChgZPh181Awt6q1bDY=",


     

       
610

       

       
-

       
        "owner": "simple-nixos-mailserver",


     

       
611

       

       
-

       
        "repo": "nixos-mailserver",


     

       
612

       

       
-

       
        "rev": "6005d88bed7a5418f9772b4058a73cd0fd1e69a1",


     

       
613

       

       
-

       
        "type": "gitlab"


     

       
614

       

       
-

       
      },


     

       
615

       

       
-

       
      "original": {


     

       
616

       

       
-

       
        "owner": "simple-nixos-mailserver",


     

       
617

       

       
-

       
        "ref": "master",


     

       
618

       

       
-

       
        "repo": "nixos-mailserver",


     

       
619

       

       
-

       
        "type": "gitlab"


     

       
620

       

       
-

       
      }


     

       
621

       

       
-

       
    },


     

       
622

       
588

       
 

       
    "my-pkgs": {


     

       
623

       
589

       
 

       
      "inputs": {


     

       
624

       
590

       
 

       
        "nixpkgs": [


     
···

       
639

       
605

       
 

       
        "url": "https://git.pyrox.dev/pyrox/pkgs"


     

       
640

       
606

       
 

       
      }


     

       
641

       
607

       
 

       
    },


     

       
642

       

       
-

       
    "nix-index": {


     

       
643

       

       
-

       
      "inputs": {


     

       
644

       

       
-

       
        "flake-compat": [


     

       
645

       

       
-

       
          "flake-compat"


     

       
646

       

       
-

       
        ],


     

       
647

       

       
-

       
        "nixpkgs": [


     

       
648

       

       
-

       
          "nixpkgs"


     

       
649

       

       
-

       
        ]


     

       
650

       

       
-

       
      },


     

       
651

       

       
-

       
      "locked": {


     

       
652

       

       
-

       
        "lastModified": 1756113554,


     

       
653

       

       
-

       
        "narHash": "sha256-fFDr5BYisjkEFSgf+dGJTuhMUaH0aVE6Qy3Ql2EOJ2I=",


     

       
654

       

       
-

       
        "owner": "nix-community",


     

       
655

       

       
-

       
        "repo": "nix-index",


     

       
656

       

       
-

       
        "rev": "0fc38040a22a08052103d0fbbafd67ac54165f2b",


     

       
657

       

       
-

       
        "type": "github"


     

       
658

       

       
-

       
      },


     

       
659

       

       
-

       
      "original": {


     

       
660

       

       
-

       
        "owner": "nix-community",


     

       
661

       

       
-

       
        "repo": "nix-index",


     

       
662

       

       
-

       
        "type": "github"


     

       
663

       

       
-

       
      }


     

       
664

       

       
-

       
    },


     

       
665

       
608

       
 

       
    "nix-index-database": {


     

       
666

       
609

       
 

       
      "inputs": {


     

       
667

       
610

       
 

       
        "nixpkgs": [


     
···

       
669

       
612

       
 

       
        ]


     

       
670

       
613

       
 

       
      },


     

       
671

       
614

       
 

       
      "locked": {


     

       
672

       

       
-

       
        "lastModified": 1759637156,


     

       
673

       

       
-

       
        "narHash": "sha256-8NI1SqntLfKl6Q0Luemc3aIboezSJElofUrqipF5g78=",


     

       

       
615

       
+

       
        "lastModified": 1764475780,


     

       

       
616

       
+

       
        "narHash": "sha256-77jL5H5x51ksLiOUDjY0ZK8e2T4ZXLhj3ap8ETvknWI=",


     

       
674

       
617

       
 

       
        "owner": "Mic92",


     

       
675

       
618

       
 

       
        "repo": "nix-index-database",


     

       
676

       

       
-

       
        "rev": "0ca69684091aa3a6b1fe994c4afeff305b15e915",


     

       

       
619

       
+

       
        "rev": "5a3ff8c1a09003f399f43d5742d893c0b1ab8af0",


     

       
677

       
620

       
 

       
        "type": "github"


     

       
678

       
621

       
 

       
      },


     

       
679

       
622

       
 

       
      "original": {


     
···

       
682

       
625

       
 

       
        "type": "github"


     

       
683

       
626

       
 

       
      }


     

       
684

       
627

       
 

       
    },


     

       
685

       

       
-

       
    "nix-search": {


     

       
686

       

       
-

       
      "inputs": {


     

       
687

       

       
-

       
        "flake-compat": [


     

       
688

       

       
-

       
          "flake-compat"


     

       
689

       

       
-

       
        ],


     

       
690

       

       
-

       
        "flake-utils": [


     

       
691

       

       
-

       
          "flake-utils"


     

       
692

       

       
-

       
        ],


     

       
693

       

       
-

       
        "nixpkgs": [


     

       
694

       

       
-

       
          "nixpkgs"


     

       
695

       

       
-

       
        ]


     

       
696

       

       
-

       
      },


     

       
697

       

       
-

       
      "locked": {


     

       
698

       

       
-

       
        "lastModified": 1741306118,


     

       
699

       

       
-

       
        "narHash": "sha256-699XDyrMhx0nSI2z/WRhTsJhiiMt4WqaPx8//cPiBGY=",


     

       
700

       

       
-

       
        "owner": "diamondburned",


     

       
701

       

       
-

       
        "repo": "nix-search",


     

       
702

       

       
-

       
        "rev": "7dcd7b9ae3ec59b7a8ee61371157f83e6bd87b89",


     

       
703

       

       
-

       
        "type": "github"


     

       
704

       

       
-

       
      },


     

       
705

       

       
-

       
      "original": {


     

       
706

       

       
-

       
        "owner": "diamondburned",


     

       
707

       

       
-

       
        "repo": "nix-search",


     

       
708

       

       
-

       
        "type": "github"


     

       
709

       

       
-

       
      }


     

       
710

       

       
-

       
    },


     

       
711

       
628

       
 

       
    "nixpkgs": {


     

       
712

       
629

       
 

       
      "locked": {


     

       
713

       

       
-

       
        "lastModified": 1759381078,


     

       
714

       

       
-

       
        "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",


     

       

       
630

       
+

       
        "lastModified": 1763966396,


     

       

       
631

       
+

       
        "narHash": "sha256-6eeL1YPcY1MV3DDStIDIdy/zZCDKgHdkCmsrLJFiZf0=",


     

       
715

       
632

       
 

       
        "owner": "NixOS",


     

       
716

       
633

       
 

       
        "repo": "nixpkgs",


     

       
717

       

       
-

       
        "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",


     

       

       
634

       
+

       
        "rev": "5ae3b07d8d6527c42f17c876e404993199144b6a",


     

       
718

       
635

       
 

       
        "type": "github"


     

       
719

       
636

       
 

       
      },


     

       
720

       
637

       
 

       
      "original": {


     
···

       
724

       
641

       
 

       
        "type": "github"


     

       
725

       
642

       
 

       
      }


     

       
726

       
643

       
 

       
    },


     

       
727

       

       
-

       
    "nixpkgs-25_05": {


     

       
728

       

       
-

       
      "locked": {


     

       
729

       

       
-

       
        "lastModified": 1759143472,


     

       
730

       

       
-

       
        "narHash": "sha256-TvODmeR2W7yX/JmOCmP+lAFNkTT7hAxYcF3Kz8SZV3w=",


     

       
731

       

       
-

       
        "owner": "NixOS",


     

       
732

       

       
-

       
        "repo": "nixpkgs",


     

       
733

       

       
-

       
        "rev": "5ed4e25ab58fd4c028b59d5611e14ea64de51d23",


     

       
734

       

       
-

       
        "type": "github"


     

       
735

       

       
-

       
      },


     

       
736

       

       
-

       
      "original": {


     

       
737

       

       
-

       
        "owner": "NixOS",


     

       
738

       

       
-

       
        "ref": "nixos-25.05",


     

       
739

       

       
-

       
        "repo": "nixpkgs",


     

       
740

       

       
-

       
        "type": "github"


     

       
741

       

       
-

       
      }


     

       
742

       

       
-

       
    },


     

       
743

       
644

       
 

       
    "nixpkgs-lib": {


     

       
744

       
645

       
 

       
      "locked": {


     

       
745

       

       
-

       
        "lastModified": 1754788789,


     

       
746

       

       
-

       
        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",


     

       

       
646

       
+

       
        "lastModified": 1761765539,


     

       

       
647

       
+

       
        "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=",


     

       
747

       
648

       
 

       
        "owner": "nix-community",


     

       
748

       
649

       
 

       
        "repo": "nixpkgs.lib",


     

       
749

       

       
-

       
        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",


     

       

       
650

       
+

       
        "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc",


     

       
750

       
651

       
 

       
        "type": "github"


     

       
751

       
652

       
 

       
      },


     

       
752

       
653

       
 

       
      "original": {


     
···

       
757

       
658

       
 

       
    },


     

       
758

       
659

       
 

       
    "nixpkgs-stalwart-fix": {


     

       
759

       
660

       
 

       
      "locked": {


     

       
760

       

       
-

       
        "lastModified": 1755293787,


     

       
761

       

       
-

       
        "narHash": "sha256-L+msFwg9jXAj4JmDFQF9BIg2kQhgUzexVmDYePfKMW8=",


     

       

       
661

       
+

       
        "lastModified": 1762728499,


     

       

       
662

       
+

       
        "narHash": "sha256-XtT/8ID3gz9RGk8ITBnktmodq5/ZG6tF60XSfuKSmro=",


     

       
762

       
663

       
 

       
        "owner": "pyrox0",


     

       
763

       
664

       
 

       
        "repo": "nixpkgs",


     

       
764

       

       
-

       
        "rev": "52f6d43ca3db097cde5d0bfb30db0af5bdf41103",


     

       

       
665

       
+

       
        "rev": "b5178ff139339638e98a1e5833add22b047f96d0",


     

       
765

       
666

       
 

       
        "type": "github"


     

       
766

       
667

       
 

       
      },


     

       
767

       
668

       
 

       
      "original": {


     
···

       
773

       
674

       
 

       
    },


     

       
774

       
675

       
 

       
    "nixpkgs_2": {


     

       
775

       
676

       
 

       
      "locked": {


     

       
776

       

       
-

       
        "lastModified": 315532800,


     

       
777

       

       
-

       
        "narHash": "sha256-K9s0wLYHHR9syJV2Ii28kDT65NeT5EI8vH56/CKm924=",


     

       
778

       

       
-

       
        "rev": "8b5c9dd8856f0c0cf46cc91f2c21c106a9d42e25",


     

       

       
677

       
+

       
        "lastModified": 1764527385,


     

       

       
678

       
+

       
        "narHash": "sha256-gpwyCnyi2or0InBXe+4I9YeED3Uly3EGH58qvVnchBY=",


     

       

       
679

       
+

       
        "rev": "23258e03aaa49b3a68597e3e50eb0cbce7e42e9d",


     

       
779

       
680

       
 

       
        "type": "tarball",


     

       
780

       

       
-

       
        "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre874129.8b5c9dd8856f/nixexprs.tar.xz"


     

       

       
681

       
+

       
        "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre904683.23258e03aaa4/nixexprs.tar.xz"


     

       
781

       
682

       
 

       
      },


     

       
782

       
683

       
 

       
      "original": {


     

       
783

       
684

       
 

       
        "type": "tarball",


     
···

       
800

       
701

       
 

       
        "type": "github"


     

       
801

       
702

       
 

       
      }


     

       
802

       
703

       
 

       
    },


     

       
803

       

       
-

       
    "nixpkgs_4": {


     

       

       
704

       
+

       
    "quickshell": {


     

       

       
705

       
+

       
      "inputs": {


     

       

       
706

       
+

       
        "nixpkgs": [


     

       

       
707

       
+

       
          "nixpkgs"


     

       

       
708

       
+

       
        ]


     

       

       
709

       
+

       
      },


     

       
804

       
710

       
 

       
      "locked": {


     

       
805

       

       
-

       
        "lastModified": 1759036355,


     

       
806

       

       
-

       
        "narHash": "sha256-0m27AKv6ka+q270dw48KflE0LwQYrO7Fm4/2//KCVWg=",


     

       
807

       

       
-

       
        "owner": "nixos",


     

       
808

       

       
-

       
        "repo": "nixpkgs",


     

       
809

       

       
-

       
        "rev": "e9f00bd893984bc8ce46c895c3bf7cac95331127",


     

       

       
711

       
+

       
        "lastModified": 1764482797,


     

       

       
712

       
+

       
        "narHash": "sha256-ynV90KoBrPe38YFlKAHtPFk4Ee3IANUsIFGxRaq7H/s=",


     

       

       
713

       
+

       
        "owner": "quickshell-mirror",


     

       

       
714

       
+

       
        "repo": "quickshell",


     

       

       
715

       
+

       
        "rev": "d24e8e9736287d01ee73ef9d573d2bc316a62d5c",


     

       
810

       
716

       
 

       
        "type": "github"


     

       
811

       
717

       
 

       
      },


     

       
812

       
718

       
 

       
      "original": {


     

       
813

       

       
-

       
        "owner": "nixos",


     

       
814

       

       
-

       
        "ref": "nixos-unstable",


     

       
815

       

       
-

       
        "repo": "nixpkgs",


     

       

       
719

       
+

       
        "owner": "quickshell-mirror",


     

       

       
720

       
+

       
        "repo": "quickshell",


     

       
816

       
721

       
 

       
        "type": "github"


     

       
817

       
722

       
 

       
      }


     

       
818

       
723

       
 

       
    },


     
···

       
820

       
725

       
 

       
      "inputs": {


     

       
821

       
726

       
 

       
        "agenix": "agenix",


     

       
822

       
727

       
 

       
        "buildbot-nix": "buildbot-nix",


     

       

       
728

       
+

       
        "caelestia": "caelestia",


     

       
823

       
729

       
 

       
        "ctp": "ctp",


     

       
824

       

       
-

       
        "determinate": "determinate",


     

       
825

       

       
-

       
        "dix": "dix",


     

       
826

       

       
-

       
        "dns": "dns",


     

       

       
730

       
+

       
        "dms": "dms",


     

       

       
731

       
+

       
        "dms-plugins": "dms-plugins",


     

       

       
732

       
+

       
        "dms-power-usage": "dms-power-usage",


     

       

       
733

       
+

       
        "dms-wp-shuffler": "dms-wp-shuffler",


     

       

       
734

       
+

       
        "dn42": "dn42",


     

       
827

       
735

       
 

       
        "easy-hosts": "easy-hosts",


     

       
828

       
736

       
 

       
        "flake-compat": "flake-compat",


     

       
829

       
737

       
 

       
        "flake-parts": "flake-parts",


     

       
830

       

       
-

       
        "flake-utils": "flake-utils",


     

       

       
738

       
+

       
        "flake-utils": "flake-utils_2",


     

       
831

       
739

       
 

       
        "golink": "golink",


     

       
832

       
740

       
 

       
        "hardware": "hardware",


     

       
833

       
741

       
 

       
        "home-manager": "home-manager",


     

       
834

       

       
-

       
        "iceshrimp": "iceshrimp",


     

       
835

       

       
-

       
        "mailserver": "mailserver",


     

       
836

       
742

       
 

       
        "my-pkgs": "my-pkgs",


     

       
837

       

       
-

       
        "nix-index": "nix-index",


     

       
838

       
743

       
 

       
        "nix-index-database": "nix-index-database",


     

       
839

       

       
-

       
        "nix-search": "nix-search",


     

       
840

       
744

       
 

       
        "nixpkgs": "nixpkgs_2",


     

       
841

       

       
-

       
        "nixpkgs-lib": "nixpkgs-lib",


     

       
842

       
745

       
 

       
        "nixpkgs-stalwart-fix": "nixpkgs-stalwart-fix",


     

       
843

       

       
-

       
        "stable": "stable",


     

       
844

       

       
-

       
        "systems": "systems",


     

       

       
746

       
+

       
        "quickshell": "quickshell",


     

       
845

       
747

       
 

       
        "tangled": "tangled",


     

       
846

       

       
-

       
        "vicinae": "vicinae"


     

       

       
748

       
+

       
        "treefmt-nix": "treefmt-nix"


     

       
847

       
749

       
 

       
      }


     

       
848

       
750

       
 

       
    },


     

       
849

       
751

       
 

       
    "sqlite-lib-src": {


     
···

       
857

       
759

       
 

       
      "original": {


     

       
858

       
760

       
 

       
        "type": "tarball",


     

       
859

       
761

       
 

       
        "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip"


     

       
860

       

       
-

       
      }


     

       
861

       

       
-

       
    },


     

       
862

       

       
-

       
    "stable": {


     

       
863

       

       
-

       
      "locked": {


     

       
864

       

       
-

       
        "lastModified": 1735563628,


     

       
865

       

       
-

       
        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",


     

       
866

       

       
-

       
        "owner": "nixos",


     

       
867

       

       
-

       
        "repo": "nixpkgs",


     

       
868

       

       
-

       
        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",


     

       
869

       

       
-

       
        "type": "github"


     

       
870

       

       
-

       
      },


     

       
871

       

       
-

       
      "original": {


     

       
872

       

       
-

       
        "owner": "nixos",


     

       
873

       

       
-

       
        "ref": "nixos-24.05",


     

       
874

       

       
-

       
        "repo": "nixpkgs",


     

       
875

       

       
-

       
        "type": "github"


     

       
876

       
762

       
 

       
      }


     

       
877

       
763

       
 

       
    },


     

       
878

       
764

       
 

       
    "systems": {


     
···

       
920

       
806

       
 

       
        "type": "github"


     

       
921

       
807

       
 

       
      }


     

       
922

       
808

       
 

       
    },


     

       

       
809

       
+

       
    "systems_4": {


     

       

       
810

       
+

       
      "locked": {


     

       

       
811

       
+

       
        "lastModified": 1681028828,


     

       

       
812

       
+

       
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",


     

       

       
813

       
+

       
        "owner": "nix-systems",


     

       

       
814

       
+

       
        "repo": "default",


     

       

       
815

       
+

       
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",


     

       

       
816

       
+

       
        "type": "github"


     

       

       
817

       
+

       
      },


     

       

       
818

       
+

       
      "original": {


     

       

       
819

       
+

       
        "owner": "nix-systems",


     

       

       
820

       
+

       
        "repo": "default",


     

       

       
821

       
+

       
        "type": "github"


     

       

       
822

       
+

       
      }


     

       

       
823

       
+

       
    },


     

       

       
824

       
+

       
    "systems_5": {


     

       

       
825

       
+

       
      "locked": {


     

       

       
826

       
+

       
        "lastModified": 1681028828,


     

       

       
827

       
+

       
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",


     

       

       
828

       
+

       
        "owner": "nix-systems",


     

       

       
829

       
+

       
        "repo": "default",


     

       

       
830

       
+

       
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",


     

       

       
831

       
+

       
        "type": "github"


     

       

       
832

       
+

       
      },


     

       

       
833

       
+

       
      "original": {


     

       

       
834

       
+

       
        "owner": "nix-systems",


     

       

       
835

       
+

       
        "repo": "default",


     

       

       
836

       
+

       
        "type": "github"


     

       

       
837

       
+

       
      }


     

       

       
838

       
+

       
    },


     

       
923

       
839

       
 

       
    "tangled": {


     

       
924

       
840

       
 

       
      "inputs": {


     

       

       
841

       
+

       
        "actor-typeahead-src": "actor-typeahead-src",


     

       
925

       
842

       
 

       
        "flake-compat": "flake-compat_2",


     

       
926

       
843

       
 

       
        "gomod2nix": "gomod2nix",


     

       
927

       
844

       
 

       
        "htmx-src": "htmx-src",


     
···

       
934

       
851

       
 

       
        "sqlite-lib-src": "sqlite-lib-src"


     

       
935

       
852

       
 

       
      },


     

       
936

       
853

       
 

       
      "locked": {


     

       
937

       

       
-

       
        "lastModified": 1759933847,


     

       
938

       

       
-

       
        "narHash": "sha256-lLyX1f4fSG1IYsjcsUKKCAOHpa3ZTFexJMRc/0K2g3c=",


     

       

       
854

       
+

       
        "lastModified": 1764494836,


     

       

       
855

       
+

       
        "narHash": "sha256-u1i7aMo0fTQ6WVdOZhG2fo/gEx2Fq8+3URmuqEBZGWI=",


     

       
939

       
856

       
 

       
        "ref": "refs/heads/master",


     

       
940

       

       
-

       
        "rev": "eaa11ecb2112c90113a8ee49a8aa05be327b13ad",


     

       
941

       

       
-

       
        "revCount": 1508,


     

       

       
857

       
+

       
        "rev": "d37f774fb8c60aa2bd0cb965c9884457d0afb660",


     

       

       
858

       
+

       
        "revCount": 1689,


     

       
942

       
859

       
 

       
        "type": "git",


     

       
943

       
860

       
 

       
        "url": "https://tangled.org/@tangled.org/core"


     

       
944

       
861

       
 

       
      },


     
···

       
947

       
864

       
 

       
        "url": "https://tangled.org/@tangled.org/core"


     

       
948

       
865

       
 

       
      }


     

       
949

       
866

       
 

       
    },


     

       
950

       

       
-

       
    "vicinae": {


     

       

       
867

       
+

       
    "treefmt-nix": {


     

       
951

       
868

       
 

       
      "inputs": {


     

       
952

       

       
-

       
        "flake-utils": "flake-utils_3",


     

       
953

       

       
-

       
        "nixpkgs": "nixpkgs_4"


     

       

       
869

       
+

       
        "nixpkgs": [


     

       

       
870

       
+

       
          "nixpkgs"


     

       

       
871

       
+

       
        ]


     

       
954

       
872

       
 

       
      },


     

       
955

       
873

       
 

       
      "locked": {


     

       
956

       

       
-

       
        "lastModified": 1759965448,


     

       
957

       

       
-

       
        "narHash": "sha256-A6P8tBlWhUo6lJA/9ku9hjhzs1NlPDs4f8V/qlqf1dQ=",


     

       
958

       

       
-

       
        "owner": "vicinaehq",


     

       
959

       

       
-

       
        "repo": "vicinae",


     

       
960

       

       
-

       
        "rev": "b1f24c7c077b7f55fea25547267ea0489ca1dbb5",


     

       

       
874

       
+

       
        "lastModified": 1762938485,


     

       

       
875

       
+

       
        "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=",


     

       

       
876

       
+

       
        "owner": "numtide",


     

       

       
877

       
+

       
        "repo": "treefmt-nix",


     

       

       
878

       
+

       
        "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4",


     

       
961

       
879

       
 

       
        "type": "github"


     

       
962

       
880

       
 

       
      },


     

       
963

       
881

       
 

       
      "original": {


     

       
964

       

       
-

       
        "owner": "vicinaehq",


     

       
965

       

       
-

       
        "repo": "vicinae",


     

       

       
882

       
+

       
        "owner": "numtide",


     

       

       
883

       
+

       
        "repo": "treefmt-nix",


     

       
966

       
884

       
 

       
        "type": "github"


     

       
967

       
885

       
 

       
      }


     

       
968

       
886

       
 

       
    }
+55 -59
flake.nix 
···

       
5

       
5

       
 

       
    extra-substituters = [


     

       
6

       
6

       
 

       
      "https://cache.nixos.org"


     

       
7

       
7

       
 

       
      "https://nix-community.cachix.org"


     

       
8

       

       
-

       
      "https://install.determinate.systems"


     

       
9

       

       
-

       
      "https://vicinae.cachix.org"


     

       
10

       
8

       
 

       
    ];


     

       
11

       
9

       
 

       
    trusted-public-keys = [


     

       
12

       
10

       
 

       
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="


     

       
13

       
11

       
 

       
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="


     

       
14

       

       
-

       
      "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="


     

       
15

       

       
-

       
      "vicinae.cachix.org-1:1kDrfienkGHPYbkpNj1mWTr7Fm1+zcenzgTizIcI3oc="


     

       
16

       
12

       
 

       
    ];


     

       
17

       
13

       
 

       
    cores = 0;


     

       
18

       
14

       
 

       
    max-jobs = 2;


     
···

       
23

       
19

       
 

       
  inputs = {


     

       
24

       
20

       
 

       
    flake-parts = {


     

       
25

       
21

       
 

       
      url = "github:hercules-ci/flake-parts";


     

       
26

       

       
-

       
      inputs.nixpkgs-lib.follows = "nixpkgs-lib";


     

       
27

       
22

       
 

       
    };


     

       
28

       
23

       
 

       
    nixpkgs.url = "https://nixpkgs.dev/channel/nixpkgs-unstable";


     

       
29

       
24

       
 

       
    nixpkgs-stalwart-fix.url = "github:pyrox0/nixpkgs/fix/stalwart-module";


     

       
30

       

       
-

       
    stable.url = "github:nixos/nixpkgs/nixos-24.05";


     

       
31

       
25

       
 

       
    # Overrides


     

       
32

       
26

       
 

       
    flake-compat.url = "github:edolstra/flake-compat";


     

       
33

       

       
-

       
    systems.url = "github:nix-systems/default";


     

       
34

       
27

       
 

       
    flake-utils = {


     

       
35

       
28

       
 

       
      url = "github:numtide/flake-utils";


     

       
36

       

       
-

       
      inputs.systems.follows = "systems";


     

       
37

       
29

       
 

       
    };


     

       
38

       

       
-

       
    nixpkgs-lib.url = "github:nix-community/nixpkgs.lib";


     

       
39

       
30

       
 

       



     

       
40

       
31

       
 

       
    # Inputs


     

       
41

       
32

       
 

       
    agenix = {


     

       
42

       
33

       
 

       
      url = "github:ryantm/agenix";


     

       
43

       
34

       
 

       
      inputs = {


     

       
44

       
35

       
 

       
        nixpkgs.follows = "nixpkgs";


     

       
45

       

       
-

       
        systems.follows = "systems";


     

       
46

       
36

       
 

       
        home-manager.follows = "home-manager";


     

       
47

       
37

       
 

       
      };


     

       
48

       
38

       
 

       
    };


     
···

       
51

       
41

       
 

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       
52

       
42

       
 

       
      inputs.flake-parts.follows = "flake-parts";


     

       
53

       
43

       
 

       
      inputs.treefmt-nix.follows = "";


     

       

       
44

       
+

       
    };


     

       

       
45

       
+

       
    caelestia = {


     

       

       
46

       
+

       
      url = "github:caelestia-dots/shell";


     

       

       
47

       
+

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       

       
48

       
+

       
      inputs.quickshell.follows = "quickshell";


     

       
54

       
49

       
 

       
    };


     

       
55

       
50

       
 

       
    ctp = {


     

       
56

       
51

       
 

       
      url = "github:catppuccin/nix";


     

       
57

       
52

       
 

       
    };


     

       
58

       

       
-

       
    dix = {


     

       
59

       

       
-

       
      url = "https://flakehub.com/f/DeterminateSystems/nix-src/*";


     

       
60

       

       
-

       
      inputs = {


     

       
61

       

       
-

       
        nixpkgs.follows = "nixpkgs";


     

       
62

       

       
-

       
        nixpkgs-regression.follows = "";


     

       
63

       

       
-

       
        nixpkgs-23-11.follows = "";


     

       
64

       

       
-

       



     

       
65

       

       
-

       
        flake-parts.follows = "";


     

       
66

       

       
-

       
        git-hooks-nix.follows = "";


     

       
67

       

       
-

       
      };


     

       

       
53

       
+

       
    dn42 = {


     

       

       
54

       
+

       
      url = "github:pyrox0/dn43.nix";


     

       

       
55

       
+

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       

       
56

       
+

       
    };


     

       

       
57

       
+

       
    dms = {


     

       

       
58

       
+

       
      url = "github:AvengeMedia/DankMaterialShell";


     

       

       
59

       
+

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       

       
60

       
+

       
    };


     

       

       
61

       
+

       
    # DMS Plugins


     

       

       
62

       
+

       
    dms-wp-shuffler = {


     

       

       
63

       
+

       
      url = "github:Daniel-42-z/dms-wallpaper-shuffler";


     

       

       
64

       
+

       
      flake = false;


     

       
68

       
65

       
 

       
    };


     

       
69

       

       
-

       
    determinate = {


     

       
70

       

       
-

       
      url = "github:DeterminateSystems/determinate";


     

       
71

       

       
-

       
      inputs = {


     

       
72

       

       
-

       
        nixpkgs.follows = "nixpkgs";


     

       
73

       

       
-

       
        nix.follows = "dix";


     

       
74

       

       
-

       
      };


     

       

       
66

       
+

       
    dms-power-usage = {


     

       

       
67

       
+

       
      url = "github:Daniel-42-z/dms-power-usage";


     

       

       
68

       
+

       
      flake = false;


     

       
75

       
69

       
 

       
    };


     

       
76

       

       
-

       
    dns = {


     

       
77

       

       
-

       
      url = "github:nix-community/dns.nix";


     

       
78

       

       
-

       
      inputs.flake-utils.follows = "flake-utils";


     

       
79

       

       
-

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       

       
70

       
+

       
    dms-plugins = {


     

       

       
71

       
+

       
      url = "github:AvengeMedia/dms-plugins";


     

       

       
72

       
+

       
      flake = false;


     

       
80

       
73

       
 

       
    };


     

       
81

       
74

       
 

       
    easy-hosts.url = "github:tgirlcloud/easy-hosts";


     

       
82

       
75

       
 

       
    golink = {


     

       
83

       
76

       
 

       
      url = "github:tailscale/golink";


     

       
84

       

       
-

       
      inputs.systems.follows = "systems";


     

       
85

       
77

       
 

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       
86

       
78

       
 

       
    };


     

       
87

       
79

       
 

       
    hardware = {


     
···

       
91

       
83

       
 

       
      url = "github:nix-community/home-manager";


     

       
92

       
84

       
 

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       
93

       
85

       
 

       
    };


     

       
94

       

       
-

       
    iceshrimp = {


     

       
95

       

       
-

       
      url = "git+https://iceshrimp.dev/pyrox/packaging";


     

       
96

       

       
-

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       
97

       

       
-

       
    };


     

       
98

       

       
-

       
    mailserver = {


     

       
99

       

       
-

       
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";


     

       
100

       

       
-

       
      inputs = {


     

       
101

       

       
-

       
        flake-compat.follows = "flake-compat";


     

       
102

       

       
-

       
        nixpkgs.follows = "nixpkgs";


     

       
103

       

       
-

       
      };


     

       
104

       

       
-

       
    };


     

       
105

       

       
-

       
    nix-search = {


     

       
106

       

       
-

       
      url = "github:diamondburned/nix-search";


     

       
107

       

       
-

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       
108

       

       
-

       
      inputs.flake-utils.follows = "flake-utils";


     

       
109

       

       
-

       
      inputs.flake-compat.follows = "flake-compat";


     

       
110

       

       
-

       
    };


     

       
111

       

       
-

       
    nix-index = {


     

       
112

       

       
-

       
      url = "github:nix-community/nix-index";


     

       
113

       

       
-

       
      inputs.flake-compat.follows = "flake-compat";


     

       
114

       

       
-

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       
115

       

       
-

       
    };


     

       
116

       
86

       
 

       
    nix-index-database = {


     

       
117

       
87

       
 

       
      url = "github:Mic92/nix-index-database";


     

       
118

       
88

       
 

       
      inputs.nixpkgs.follows = "nixpkgs";


     
···

       
121

       
91

       
 

       
      url = "git+https://git.pyrox.dev/pyrox/pkgs";


     

       
122

       
92

       
 

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       
123

       
93

       
 

       
    };


     

       
124

       

       
-

       
    vicinae = {


     

       
125

       

       
-

       
      url = "github:vicinaehq/vicinae";


     

       

       
94

       
+

       
    quickshell = {


     

       

       
95

       
+

       
      url = "github:quickshell-mirror/quickshell";


     

       

       
96

       
+

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       
126

       
97

       
 

       
    };


     

       
127

       
98

       
 

       
    tangled = {


     

       
128

       
99

       
 

       
      url = "git+https://tangled.org/@tangled.org/core";


     

       

       
100

       
+

       
    };


     

       

       
101

       
+

       
    treefmt-nix = {


     

       

       
102

       
+

       
      url = "github:numtide/treefmt-nix";


     

       

       
103

       
+

       
      inputs.nixpkgs.follows = "nixpkgs";


     

       
129

       
104

       
 

       
    };


     

       
130

       
105

       
 

       
  };


     

       
131

       
106

       
 

       



     
···

       
141

       
116

       
 

       
      imports = [


     

       
142

       
117

       
 

       
        inputs.easy-hosts.flakeModule


     

       
143

       
118

       
 

       
        inputs.home-manager.flakeModules.home-manager


     

       
144

       

       
-

       
        ./packages


     

       

       
119

       
+

       
        inputs.treefmt-nix.flakeModule


     

       

       
120

       
+

       
        ./packages.nix


     

       
145

       
121

       
 

       
        ./lib


     

       
146

       
122

       
 

       
        ./overlays


     

       
147

       
123

       
 

       
        ./devShells


     
···

       
159

       
135

       
 

       
      # Per-system stuff


     

       
160

       
136

       
 

       
      perSystem =


     

       
161

       
137

       
 

       
        {


     

       
162

       

       
-

       
          pkgs,


     

       
163

       
138

       
 

       
          system,


     

       
164

       
139

       
 

       
          ...


     

       
165

       
140

       
 

       
        }:


     
···

       
167

       
142

       
 

       
          _module.args.pkgs = import inputs.nixpkgs {


     

       
168

       
143

       
 

       
            inherit system;


     

       
169

       
144

       
 

       
            overlays = [


     

       
170

       

       
-

       
              # inputs.self.overlays.pyronet-packages


     

       
171

       
145

       
 

       
              inputs.self.overlays.openssh-fixperms


     

       
172

       
146

       
 

       
              inputs.golink.overlays.default


     

       
173

       
147

       
 

       
            ];


     
···

       
175

       
149

       
 

       
              allowUnfree = true;


     

       
176

       
150

       
 

       
            };


     

       
177

       
151

       
 

       
          };


     

       
178

       

       
-

       
          formatter = pkgs.nixfmt;


     

       

       
152

       
+

       
          treefmt = {


     

       

       
153

       
+

       
            programs = {


     

       

       
154

       
+

       
              deadnix = {


     

       

       
155

       
+

       
                enable = true;


     

       

       
156

       
+

       
                no-underscore = true;


     

       

       
157

       
+

       
              };


     

       

       
158

       
+

       
              jsonfmt.enable = true;


     

       

       
159

       
+

       
              jsonfmt.excludes = [ ".zed/settings.json" ];


     

       

       
160

       
+

       
              just.enable = true;


     

       

       
161

       
+

       
              keep-sorted.enable = true;


     

       

       
162

       
+

       
              mdformat.enable = true;


     

       

       
163

       
+

       
              mdformat.settings.wrap = 120;


     

       

       
164

       
+

       
              nixf-diagnose.enable = true;


     

       

       
165

       
+

       
              nixfmt.enable = true;


     

       

       
166

       
+

       
              nixfmt.indent = 2;


     

       

       
167

       
+

       
              nixfmt.width = 120;


     

       

       
168

       
+

       
              shellcheck.enable = true;


     

       

       
169

       
+

       
              statix.enable = true;


     

       

       
170

       
+

       
              stylua.enable = true;


     

       

       
171

       
+

       
              taplo.enable = true;


     

       

       
172

       
+

       
              yamlfmt.enable = true;


     

       

       
173

       
+

       
            };


     

       

       
174

       
+

       
          };


     

       
179

       
175

       
 

       
        };


     

       
180

       
176

       
 

       
      # Enable debugging for nixd


     

       
181

       
177

       
 

       
      debug = true;
+2 -1
homeModules/all-modules.nix 
···

       
11

       
11

       
 

       



     

       
12

       
12

       
 

       
    inputs.nix-index-database.homeModules.nix-index


     

       
13

       
13

       
 

       
    inputs.ctp.homeModules.catppuccin


     

       
14

       

       
-

       
    inputs.vicinae.homeManagerModules.default


     

       

       
14

       
+

       
    inputs.caelestia.homeManagerModules.default


     

       

       
15

       
+

       
    inputs.dms.homeModules.dankMaterialShell.default


     

       
15

       
16

       
 

       
  ];


     

       
16

       
17

       
 

       
}
+5 -1
homeModules/default.nix 
···

       
1

       

       
-

       
{ inputs, flake-parts-lib, ... }:


     

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  inputs,


     

       

       
3

       
+

       
  flake-parts-lib,


     

       

       
4

       
+

       
  ...


     

       

       
5

       
+

       
}:


     

       
2

       
6

       
 

       
{


     

       
3

       
7

       
 

       
  flake.homeModules = {


     

       
4

       
8

       
 

       
    wayland = import ./wayland;
+1 -1
homeModules/profiles/base/default.nix 
···

       
10

       
10

       
 

       
{


     

       
11

       
11

       
 

       
  options.py.profiles.base.enable = lib.mkEnableOption "Base Home Profile";


     

       
12

       
12

       
 

       
  config = lib.mkIf cfg.enable {


     

       
13

       

       
-

       
    home.stateVersion = "25.11";


     

       

       
13

       
+

       
    home.stateVersion = "26.05";


     

       
14

       
14

       
 

       
    home.language = {


     

       
15

       
15

       
 

       
      base = "en_US.utf8";


     

       
16

       
16

       
 

       
    };
+1 -1
homeModules/profiles/cli/default.nix 
···

       
58

       
58

       
 

       
      glow


     

       
59

       
59

       
 

       
      gnupg


     

       
60

       
60

       
 

       
      nix-search


     

       
61

       

       
-

       
      pinentry


     

       

       
61

       
+

       
      pinentry-qt


     

       
62

       
62

       
 

       
      rbw


     

       
63

       
63

       
 

       
      rsync


     

       
64

       
64

       
 

       
      xdg-utils
+7 -1
homeModules/profiles/cli/rbw-config.json 
···

       
1

       

       
-

       
{"email":"pyrox@pyrox.dev","base_url":"https://bw.pyrox.dev","identity_url":null,"lock_timeout":3600,"pinentry":"pinentry"}


     

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  "email": "pyrox@pyrox.dev",


     

       

       
3

       
+

       
  "base_url": "https://bw.pyrox.dev",


     

       

       
4

       
+

       
  "identity_url": null,


     

       

       
5

       
+

       
  "lock_timeout": 3600,


     

       

       
6

       
+

       
  "pinentry": "pinentry"


     

       

       
7

       
+

       
}
+25 -2
homeModules/profiles/desktop/default.nix 
···

       
6

       
6

       
 

       
}:


     

       
7

       
7

       
 

       
let


     

       
8

       
8

       
 

       
  cfg = config.py.profiles.desktop;


     

       

       
9

       
+

       
  inherit (cfg) shell;


     

       
9

       
10

       
 

       
  inherit (lib) mkIf mkDefault mkEnableOption;


     

       

       
11

       
+

       



     

       

       
12

       
+

       
  mkShellOption =


     

       

       
13

       
+

       
    name: var:


     

       

       
14

       
+

       
    lib.mkOption {


     

       

       
15

       
+

       
      type = lib.types.bool;


     

       

       
16

       
+

       
      default = if (shell == var) then true else false;


     

       

       
17

       
+

       
      description = "Enable ${name}";


     

       

       
18

       
+

       
      readOnly = true;


     

       

       
19

       
+

       
      visible = false;


     

       

       
20

       
+

       
      internal = true;


     

       

       
21

       
+

       
    };


     

       
10

       
22

       
 

       
in


     

       
11

       
23

       
 

       
{


     

       
12

       

       
-

       
  options.py.profiles.desktop.enable = mkEnableOption "Desktop Config";


     

       

       
24

       
+

       
  options.py.profiles.desktop = {


     

       

       
25

       
+

       
    enable = mkEnableOption "Desktop Config";


     

       

       
26

       
+

       
    shell = lib.mkOption {


     

       

       
27

       
+

       
      type = lib.types.enum [


     

       

       
28

       
+

       
        "caelestia"


     

       

       
29

       
+

       
        "dms"


     

       

       
30

       
+

       
      ];


     

       

       
31

       
+

       
      default = "caelestia";


     

       

       
32

       
+

       
      description = "The desktop shell to use in the graphical environment";


     

       

       
33

       
+

       
    };


     

       

       
34

       
+

       
    caelestia = mkShellOption "Caelestia shell" "caelestia";


     

       

       
35

       
+

       
    dms = mkShellOption "DMS" "dms";


     

       

       
36

       
+

       
  };


     

       
13

       
37

       
 

       
  config = mkIf cfg.enable {


     

       
14

       
38

       
 

       
    py.profiles.base.enable = true;


     

       
15

       
39

       
 

       
    py.profiles.cli.enable = true;


     
···

       
44

       
68

       
 

       
      playerctl


     

       
45

       
69

       
 

       
      poptracker


     

       
46

       
70

       
 

       
      thunderbird


     

       
47

       

       
-

       
      wlogout


     

       
48

       
71

       
 

       
      wl-clipboard


     

       
49

       
72

       
 

       
      zotero


     

       
50

       
73

       
 

       
    ];
-7
homeModules/profiles/gui/default.nix 
···

       
19

       
19

       
 

       
        ghostty.enable = mkDefault true;


     

       
20

       
20

       
 

       
        kitty.enable = mkDefault false;


     

       
21

       
21

       
 

       
        obs.enable = mkDefault true;


     

       
22

       

       
-

       
        onagre.enable = mkDefault true;


     

       
23

       
22

       
 

       
        vscodium.enable = mkDefault false;


     

       
24

       

       
-

       
        wlogout.enable = mkDefault true;


     

       
25

       
23

       
 

       
        zed-editor.enable = mkDefault true;


     

       
26

       
24

       
 

       
      };


     

       
27

       
25

       
 

       
      services = {


     

       
28

       
26

       
 

       
        gpg-agent.enable = mkDefault true;


     

       
29

       

       
-

       
        kanshi.enable = mkDefault false;


     

       
30

       
27

       
 

       
        kdeconnect.enable = mkDefault true;


     

       
31

       

       
-

       
        mako.enable = mkDefault false;


     

       
32

       

       
-

       
        vicinae.enable = mkDefault true;


     

       
33

       

       
-

       
        swayidle.enable = mkDefault true;


     

       
34

       
28

       
 

       
        syncthing.enable = mkDefault false;


     

       
35

       
29

       
 

       
      };


     

       
36

       
30

       
 

       
    };


     
···

       
40

       
34

       
 

       
      krita


     

       
41

       
35

       
 

       
      libappindicator


     

       
42

       
36

       
 

       
      libappindicator-gtk3


     

       
43

       

       
-

       
      lutris


     

       
44

       
37

       
 

       
      prismlauncher


     

       
45

       
38

       
 

       
      pwvucontrol


     

       
46

       
39

       
 

       
      hyprshot
+50
homeModules/programs/caelestia/caelestia-cli.json 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  "record": {


     

       

       
3

       
+

       
    "extraArgs": []


     

       

       
4

       
+

       
  },


     

       

       
5

       
+

       
  "theme": {


     

       

       
6

       
+

       
    "enableTerm": false,


     

       

       
7

       
+

       
    "enableHypr": false,


     

       

       
8

       
+

       
    "enableDiscord": false,


     

       

       
9

       
+

       
    "enableSpicetify": false,


     

       

       
10

       
+

       
    "enableFuzzel": false,


     

       

       
11

       
+

       
    "enableBtop": true,


     

       

       
12

       
+

       
    "enableGtk": false,


     

       

       
13

       
+

       
    "enableQt": false


     

       

       
14

       
+

       
  },


     

       

       
15

       
+

       
  "toggles": {


     

       

       
16

       
+

       
    "discord": {


     

       

       
17

       
+

       
      "discord": {


     

       

       
18

       
+

       
        "enable": true,


     

       

       
19

       
+

       
        "match": [


     

       

       
20

       
+

       
          {


     

       

       
21

       
+

       
            "class": "equibop"


     

       

       
22

       
+

       
          }


     

       

       
23

       
+

       
        ],


     

       

       
24

       
+

       
        "command": [


     

       

       
25

       
+

       
          "equibop"


     

       

       
26

       
+

       
        ],


     

       

       
27

       
+

       
        "move": true


     

       

       
28

       
+

       
      }


     

       

       
29

       
+

       
    },


     

       

       
30

       
+

       
    "sysmon": {


     

       

       
31

       
+

       
      "btop": {


     

       

       
32

       
+

       
        "enable": true,


     

       

       
33

       
+

       
        "match": [


     

       

       
34

       
+

       
          {


     

       

       
35

       
+

       
            "class": "btop",


     

       

       
36

       
+

       
            "title": "btop",


     

       

       
37

       
+

       
            "workspace": {


     

       

       
38

       
+

       
              "name": "special:sysmon"


     

       

       
39

       
+

       
            }


     

       

       
40

       
+

       
          }


     

       

       
41

       
+

       
        ],


     

       

       
42

       
+

       
        "command": [


     

       

       
43

       
+

       
          "ghostty",


     

       

       
44

       
+

       
          "-e",


     

       

       
45

       
+

       
          "btop"


     

       

       
46

       
+

       
        ]


     

       

       
47

       
+

       
      }


     

       

       
48

       
+

       
    }


     

       

       
49

       
+

       
  }


     

       

       
50

       
+

       
}
+364
homeModules/programs/caelestia/caelestia-shell.json 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  "appearance": {


     

       

       
3

       
+

       
    "anim": {


     

       

       
4

       
+

       
      "durations": {


     

       

       
5

       
+

       
        "scale": 0.5


     

       

       
6

       
+

       
      }


     

       

       
7

       
+

       
    },


     

       

       
8

       
+

       
    "font": {


     

       

       
9

       
+

       
      "family": {


     

       

       
10

       
+

       
        "clock": "Inter",


     

       

       
11

       
+

       
        "material": "Material Symbols Rounded",


     

       

       
12

       
+

       
        "mono": "BlexMono Nerd Font",


     

       

       
13

       
+

       
        "sans": "Inter"


     

       

       
14

       
+

       
      },


     

       

       
15

       
+

       
      "size": {


     

       

       
16

       
+

       
        "scale": 1.1


     

       

       
17

       
+

       
      }


     

       

       
18

       
+

       
    },


     

       

       
19

       
+

       
    "padding": {


     

       

       
20

       
+

       
      "scale": 1


     

       

       
21

       
+

       
    },


     

       

       
22

       
+

       
    "rounding": {


     

       

       
23

       
+

       
      "scale": 0


     

       

       
24

       
+

       
    },


     

       

       
25

       
+

       
    "spacing": {


     

       

       
26

       
+

       
      "scale": 0.5


     

       

       
27

       
+

       
    },


     

       

       
28

       
+

       
    "transparency": {


     

       

       
29

       
+

       
      "base": 0.85,


     

       

       
30

       
+

       
      "enabled": false,


     

       

       
31

       
+

       
      "layers": 0.4


     

       

       
32

       
+

       
    }


     

       

       
33

       
+

       
  },


     

       

       
34

       
+

       
  "background": {


     

       

       
35

       
+

       
    "desktopClock": {


     

       

       
36

       
+

       
      "enabled": false


     

       

       
37

       
+

       
    },


     

       

       
38

       
+

       
    "enabled": true,


     

       

       
39

       
+

       
    "visualiser": {


     

       

       
40

       
+

       
      "autoHide": true,


     

       

       
41

       
+

       
      "enabled": false,


     

       

       
42

       
+

       
      "rounding": 1,


     

       

       
43

       
+

       
      "spacing": 1


     

       

       
44

       
+

       
    }


     

       

       
45

       
+

       
  },


     

       

       
46

       
+

       
  "bar": {


     

       

       
47

       
+

       
    "clock": {


     

       

       
48

       
+

       
      "showIcon": false


     

       

       
49

       
+

       
    },


     

       

       
50

       
+

       
    "dragThreshold": 20,


     

       

       
51

       
+

       
    "entries": [


     

       

       
52

       
+

       
      {


     

       

       
53

       
+

       
        "enabled": true,


     

       

       
54

       
+

       
        "id": "workspaces"


     

       

       
55

       
+

       
      },


     

       

       
56

       
+

       
      {


     

       

       
57

       
+

       
        "enabled": true,


     

       

       
58

       
+

       
        "id": "spacer"


     

       

       
59

       
+

       
      },


     

       

       
60

       
+

       
      {


     

       

       
61

       
+

       
        "enabled": false,


     

       

       
62

       
+

       
        "id": "activeWindow"


     

       

       
63

       
+

       
      },


     

       

       
64

       
+

       
      {


     

       

       
65

       
+

       
        "enabled": true,


     

       

       
66

       
+

       
        "id": "spacer"


     

       

       
67

       
+

       
      },


     

       

       
68

       
+

       
      {


     

       

       
69

       
+

       
        "enabled": true,


     

       

       
70

       
+

       
        "id": "clock"


     

       

       
71

       
+

       
      },


     

       

       
72

       
+

       
      {


     

       

       
73

       
+

       
        "enabled": true,


     

       

       
74

       
+

       
        "id": "statusIcons"


     

       

       
75

       
+

       
      },


     

       

       
76

       
+

       
      {


     

       

       
77

       
+

       
        "enabled": true,


     

       

       
78

       
+

       
        "id": "tray"


     

       

       
79

       
+

       
      },


     

       

       
80

       
+

       
      {


     

       

       
81

       
+

       
        "enabled": true,


     

       

       
82

       
+

       
        "id": "power"


     

       

       
83

       
+

       
      }


     

       

       
84

       
+

       
    ],


     

       

       
85

       
+

       
    "persistent": true,


     

       

       
86

       
+

       
    "scrollActions": {


     

       

       
87

       
+

       
      "brightness": false,


     

       

       
88

       
+

       
      "volume": false,


     

       

       
89

       
+

       
      "workspaces": false


     

       

       
90

       
+

       
    },


     

       

       
91

       
+

       
    "showOnHover": true,


     

       

       
92

       
+

       
    "status": {


     

       

       
93

       
+

       
      "showAudio": true,


     

       

       
94

       
+

       
      "showBattery": true,


     

       

       
95

       
+

       
      "showBluetooth": true,


     

       

       
96

       
+

       
      "showKbLayout": false,


     

       

       
97

       
+

       
      "showLockStatus": true,


     

       

       
98

       
+

       
      "showMicrophone": false,


     

       

       
99

       
+

       
      "showNetwork": true


     

       

       
100

       
+

       
    },


     

       

       
101

       
+

       
    "tray": {


     

       

       
102

       
+

       
      "background": true,


     

       

       
103

       
+

       
      "compact": false,


     

       

       
104

       
+

       
      "iconSubs": [],


     

       

       
105

       
+

       
      "recolour": true


     

       

       
106

       
+

       
    },


     

       

       
107

       
+

       
    "workspaces": {


     

       

       
108

       
+

       
      "activeIndicator": true,


     

       

       
109

       
+

       
      "activeLabel": "",


     

       

       
110

       
+

       
      "activeTrail": false,


     

       

       
111

       
+

       
      "label": "  ",


     

       

       
112

       
+

       
      "occupiedBg": false,


     

       

       
113

       
+

       
      "occupiedLabel": "",


     

       

       
114

       
+

       
      "perMonitorWorkspaces": true,


     

       

       
115

       
+

       
      "showWindows": true,


     

       

       
116

       
+

       
      "shown": 5


     

       

       
117

       
+

       
    }


     

       

       
118

       
+

       
  },


     

       

       
119

       
+

       
  "border": {


     

       

       
120

       
+

       
    "rounding": 0,


     

       

       
121

       
+

       
    "thickness": 10


     

       

       
122

       
+

       
  },


     

       

       
123

       
+

       
  "dashboard": {


     

       

       
124

       
+

       
    "dragThreshold": 50,


     

       

       
125

       
+

       
    "enabled": true,


     

       

       
126

       
+

       
    "mediaUpdateInterval": 500,


     

       

       
127

       
+

       
    "showOnHover": true


     

       

       
128

       
+

       
  },


     

       

       
129

       
+

       
  "general": {


     

       

       
130

       
+

       
    "apps": {


     

       

       
131

       
+

       
      "audio": [


     

       

       
132

       
+

       
        "pwvucontrol"


     

       

       
133

       
+

       
      ],


     

       

       
134

       
+

       
      "explorer": [


     

       

       
135

       
+

       
        "thunar"


     

       

       
136

       
+

       
      ],


     

       

       
137

       
+

       
      "playback": [


     

       

       
138

       
+

       
        "mpv"


     

       

       
139

       
+

       
      ],


     

       

       
140

       
+

       
      "terminal": [


     

       

       
141

       
+

       
        "ghostty"


     

       

       
142

       
+

       
      ]


     

       

       
143

       
+

       
    },


     

       

       
144

       
+

       
    "battery": {


     

       

       
145

       
+

       
      "criticalLevel": 3,


     

       

       
146

       
+

       
      "warnLevels": [


     

       

       
147

       
+

       
        {


     

       

       
148

       
+

       
          "icon": "battery_android_frame_2",


     

       

       
149

       
+

       
          "level": 20,


     

       

       
150

       
+

       
          "message": "You might want to plug in a charger",


     

       

       
151

       
+

       
          "title": "Low battery"


     

       

       
152

       
+

       
        },


     

       

       
153

       
+

       
        {


     

       

       
154

       
+

       
          "icon": "battery_android_frame_1",


     

       

       
155

       
+

       
          "level": 10,


     

       

       
156

       
+

       
          "message": "You should probably plug in a charger <b>now</b>",


     

       

       
157

       
+

       
          "title": "Did you see the previous message?"


     

       

       
158

       
+

       
        },


     

       

       
159

       
+

       
        {


     

       

       
160

       
+

       
          "critical": true,


     

       

       
161

       
+

       
          "icon": "battery_android_alert",


     

       

       
162

       
+

       
          "level": 5,


     

       

       
163

       
+

       
          "message": "PLUG THE CHARGER RIGHT NOW!!",


     

       

       
164

       
+

       
          "title": "Critical battery level"


     

       

       
165

       
+

       
        }


     

       

       
166

       
+

       
      ]


     

       

       
167

       
+

       
    },


     

       

       
168

       
+

       
    "idle": {


     

       

       
169

       
+

       
      "inhibitWhenAudio": false,


     

       

       
170

       
+

       
      "lockBeforeSleep": false,


     

       

       
171

       
+

       
      "timeouts": []


     

       

       
172

       
+

       
    }


     

       

       
173

       
+

       
  },


     

       

       
174

       
+

       
  "launcher": {


     

       

       
175

       
+

       
    "actionPrefix": ">",


     

       

       
176

       
+

       
    "actions": [


     

       

       
177

       
+

       
      {


     

       

       
178

       
+

       
        "command": [


     

       

       
179

       
+

       
          "autocomplete",


     

       

       
180

       
+

       
          "calc"


     

       

       
181

       
+

       
        ],


     

       

       
182

       
+

       
        "dangerous": false,


     

       

       
183

       
+

       
        "description": "Do simple math equations (powered by Qalc)",


     

       

       
184

       
+

       
        "enabled": true,


     

       

       
185

       
+

       
        "icon": "calculate",


     

       

       
186

       
+

       
        "name": "Calculator"


     

       

       
187

       
+

       
      },


     

       

       
188

       
+

       
      {


     

       

       
189

       
+

       
        "name": "Wallpaper",


     

       

       
190

       
+

       
        "icon": "image",


     

       

       
191

       
+

       
        "description": "Change the current wallpaper",


     

       

       
192

       
+

       
        "command": [


     

       

       
193

       
+

       
          "autocomplete",


     

       

       
194

       
+

       
          "wallpaper"


     

       

       
195

       
+

       
        ],


     

       

       
196

       
+

       
        "enabled": true,


     

       

       
197

       
+

       
        "dangerous": false


     

       

       
198

       
+

       
      },


     

       

       
199

       
+

       
      {


     

       

       
200

       
+

       
        "name": "Random",


     

       

       
201

       
+

       
        "icon": "casino",


     

       

       
202

       
+

       
        "description": "Switch to a random wallpaper",


     

       

       
203

       
+

       
        "command": [


     

       

       
204

       
+

       
          "caelestia",


     

       

       
205

       
+

       
          "wallpaper",


     

       

       
206

       
+

       
          "-r"


     

       

       
207

       
+

       
        ],


     

       

       
208

       
+

       
        "enabled": true,


     

       

       
209

       
+

       
        "dangerous": false


     

       

       
210

       
+

       
      },


     

       

       
211

       
+

       
      {


     

       

       
212

       
+

       
        "command": [


     

       

       
213

       
+

       
          "systemctl",


     

       

       
214

       
+

       
          "poweroff"


     

       

       
215

       
+

       
        ],


     

       

       
216

       
+

       
        "dangerous": true,


     

       

       
217

       
+

       
        "description": "Shutdown the system",


     

       

       
218

       
+

       
        "enabled": true,


     

       

       
219

       
+

       
        "icon": "power_settings_new",


     

       

       
220

       
+

       
        "name": "Shutdown"


     

       

       
221

       
+

       
      },


     

       

       
222

       
+

       
      {


     

       

       
223

       
+

       
        "command": [


     

       

       
224

       
+

       
          "systemctl",


     

       

       
225

       
+

       
          "reboot"


     

       

       
226

       
+

       
        ],


     

       

       
227

       
+

       
        "dangerous": true,


     

       

       
228

       
+

       
        "description": "Reboot the system",


     

       

       
229

       
+

       
        "enabled": true,


     

       

       
230

       
+

       
        "icon": "cached",


     

       

       
231

       
+

       
        "name": "Reboot"


     

       

       
232

       
+

       
      },


     

       

       
233

       
+

       
      {


     

       

       
234

       
+

       
        "command": [


     

       

       
235

       
+

       
          "loginctl",


     

       

       
236

       
+

       
          "terminate-user",


     

       

       
237

       
+

       
          ""


     

       

       
238

       
+

       
        ],


     

       

       
239

       
+

       
        "dangerous": true,


     

       

       
240

       
+

       
        "description": "Log out of the current session",


     

       

       
241

       
+

       
        "enabled": true,


     

       

       
242

       
+

       
        "icon": "exit_to_app",


     

       

       
243

       
+

       
        "name": "Logout"


     

       

       
244

       
+

       
      },


     

       

       
245

       
+

       
      {


     

       

       
246

       
+

       
        "command": [


     

       

       
247

       
+

       
          "loginctl",


     

       

       
248

       
+

       
          "lock-session"


     

       

       
249

       
+

       
        ],


     

       

       
250

       
+

       
        "dangerous": false,


     

       

       
251

       
+

       
        "description": "Lock the current session",


     

       

       
252

       
+

       
        "enabled": true,


     

       

       
253

       
+

       
        "icon": "lock",


     

       

       
254

       
+

       
        "name": "Lock"


     

       

       
255

       
+

       
      },


     

       

       
256

       
+

       
      {


     

       

       
257

       
+

       
        "command": [


     

       

       
258

       
+

       
          "systemctl",


     

       

       
259

       
+

       
          "suspend"


     

       

       
260

       
+

       
        ],


     

       

       
261

       
+

       
        "dangerous": false,


     

       

       
262

       
+

       
        "description": "Suspend",


     

       

       
263

       
+

       
        "enabled": true,


     

       

       
264

       
+

       
        "icon": "bedtime",


     

       

       
265

       
+

       
        "name": "Sleep"


     

       

       
266

       
+

       
      }


     

       

       
267

       
+

       
    ],


     

       

       
268

       
+

       
    "dragThreshold": 50,


     

       

       
269

       
+

       
    "enableDangerousActions": false,


     

       

       
270

       
+

       
    "hiddenApps": [],


     

       

       
271

       
+

       
    "maxShown": 7,


     

       

       
272

       
+

       
    "maxWallpapers": 9,


     

       

       
273

       
+

       
    "showOnHover": false,


     

       

       
274

       
+

       
    "specialPrefix": "@",


     

       

       
275

       
+

       
    "useFuzzy": {


     

       

       
276

       
+

       
      "actions": false,


     

       

       
277

       
+

       
      "apps": true,


     

       

       
278

       
+

       
      "schemes": false,


     

       

       
279

       
+

       
      "variants": false,


     

       

       
280

       
+

       
      "wallpapers": false


     

       

       
281

       
+

       
    },


     

       

       
282

       
+

       
    "vimKeybinds": true


     

       

       
283

       
+

       
  },


     

       

       
284

       
+

       
  "lock": {


     

       

       
285

       
+

       
    "recolourLogo": false,


     

       

       
286

       
+

       
    "enableFprint": false


     

       

       
287

       
+

       
  },


     

       

       
288

       
+

       
  "notifs": {


     

       

       
289

       
+

       
    "actionOnClick": true,


     

       

       
290

       
+

       
    "clearThreshold": 0.3,


     

       

       
291

       
+

       
    "defaultExpireTimeout": 5000,


     

       

       
292

       
+

       
    "expandThreshold": 20,


     

       

       
293

       
+

       
    "expire": true


     

       

       
294

       
+

       
  },


     

       

       
295

       
+

       
  "osd": {


     

       

       
296

       
+

       
    "enableBrightness": true,


     

       

       
297

       
+

       
    "enableMicrophone": false,


     

       

       
298

       
+

       
    "enabled": true,


     

       

       
299

       
+

       
    "hideDelay": 2000


     

       

       
300

       
+

       
  },


     

       

       
301

       
+

       
  "paths": {


     

       

       
302

       
+

       
    "mediaGif": "",


     

       

       
303

       
+

       
    "sessionGif": "",


     

       

       
304

       
+

       
    "wallpaperDir": "~/bgs/wallpapers"


     

       

       
305

       
+

       
  },


     

       

       
306

       
+

       
  "services": {


     

       

       
307

       
+

       
    "audioIncrement": 0.1,


     

       

       
308

       
+

       
    "defaultPlayer": "Spotify",


     

       

       
309

       
+

       
    "gpuType": "",


     

       

       
310

       
+

       
    "playerAliases": [


     

       

       
311

       
+

       
      {


     

       

       
312

       
+

       
        "from": "Mozilla firefox",


     

       

       
313

       
+

       
        "to": "Firefox"


     

       

       
314

       
+

       
      }


     

       

       
315

       
+

       
    ],


     

       

       
316

       
+

       
    "smartScheme": false,


     

       

       
317

       
+

       
    "useFahrenheit": true,


     

       

       
318

       
+

       
    "useTwelveHourClock": false,


     

       

       
319

       
+

       
    "visualiserBars": 0,


     

       

       
320

       
+

       
    "weatherLocation": "Norfolk+Virginia"


     

       

       
321

       
+

       
  },


     

       

       
322

       
+

       
  "session": {


     

       

       
323

       
+

       
    "commands": {


     

       

       
324

       
+

       
      "hibernate": [


     

       

       
325

       
+

       
        "systemctl",


     

       

       
326

       
+

       
        "suspend"


     

       

       
327

       
+

       
      ],


     

       

       
328

       
+

       
      "logout": [


     

       

       
329

       
+

       
        "loginctl",


     

       

       
330

       
+

       
        "terminate-user"


     

       

       
331

       
+

       
      ],


     

       

       
332

       
+

       
      "reboot": [


     

       

       
333

       
+

       
        "systemctl",


     

       

       
334

       
+

       
        "reboot"


     

       

       
335

       
+

       
      ],


     

       

       
336

       
+

       
      "shutdown": [


     

       

       
337

       
+

       
        "systemctl",


     

       

       
338

       
+

       
        "poweroff"


     

       

       
339

       
+

       
      ]


     

       

       
340

       
+

       
    },


     

       

       
341

       
+

       
    "dragThreshold": 30,


     

       

       
342

       
+

       
    "enabled": true,


     

       

       
343

       
+

       
    "vimKeybinds": true


     

       

       
344

       
+

       
  },


     

       

       
345

       
+

       
  "sidebar": {


     

       

       
346

       
+

       
    "dragThreshold": 80,


     

       

       
347

       
+

       
    "enabled": true


     

       

       
348

       
+

       
  },


     

       

       
349

       
+

       
  "utilities": {


     

       

       
350

       
+

       
    "enabled": true,


     

       

       
351

       
+

       
    "maxToasts": 4,


     

       

       
352

       
+

       
    "toasts": {


     

       

       
353

       
+

       
      "audioInputChanged": true,


     

       

       
354

       
+

       
      "audioOutputChanged": true,


     

       

       
355

       
+

       
      "capsLockChanged": true,


     

       

       
356

       
+

       
      "chargingChanged": true,


     

       

       
357

       
+

       
      "configLoaded": true,


     

       

       
358

       
+

       
      "dndChanged": true,


     

       

       
359

       
+

       
      "gameModeChanged": true,


     

       

       
360

       
+

       
      "numLockChanged": true,


     

       

       
361

       
+

       
      "nowPlaying": true


     

       

       
362

       
+

       
    }


     

       

       
363

       
+

       
  }


     

       

       
364

       
+

       
}
+23
homeModules/programs/caelestia/default.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  config,


     

       

       
3

       
+

       
  lib,


     

       

       
4

       
+

       
  ...


     

       

       
5

       
+

       
}:


     

       

       
6

       
+

       
let


     

       

       
7

       
+

       
  cfg = config.py.profiles.desktop.caelestia;


     

       

       
8

       
+

       
  en = config.py.profiles.desktop.enable;


     

       

       
9

       
+

       
in


     

       

       
10

       
+

       
{


     

       

       
11

       
+

       
  config = lib.mkIf (cfg && en) {


     

       

       
12

       
+

       
    programs.caelestia = {


     

       

       
13

       
+

       
      enable = true;


     

       

       
14

       
+

       
      settings = builtins.fromJSON (builtins.readFile ./caelestia-shell.json);


     

       

       
15

       
+

       
      systemd = {


     

       

       
16

       
+

       
        enable = true;


     

       

       
17

       
+

       
        target = "graphical-session.target";


     

       

       
18

       
+

       
      };


     

       

       
19

       
+

       
      cli.enable = true;


     

       

       
20

       
+

       
      cli.settings = builtins.fromJSON (builtins.readFile ./caelestia-cli.json);


     

       

       
21

       
+

       
    };


     

       

       
22

       
+

       
  };


     

       

       
23

       
+

       
}
+4 -2
homeModules/programs/default.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  imports = [


     

       

       
3

       
+

       
    # keep-sorted start


     

       

       
4

       
+

       
    ./caelestia


     

       
3

       
5

       
 

       
    ./chromium


     

       

       
6

       
+

       
    ./dms


     

       
4

       
7

       
 

       
    ./firefox


     

       
5

       
8

       
 

       
    ./fish


     

       
6

       
9

       
 

       
    ./ghostty


     
···

       
11

       
14

       
 

       
    ./misc-programs


     

       
12

       
15

       
 

       
    ./neovim


     

       
13

       
16

       
 

       
    ./nushell


     

       
14

       

       
-

       
    ./onagre


     

       
15

       
17

       
 

       
    ./ssh


     

       
16

       
18

       
 

       
    ./starship


     

       
17

       
19

       
 

       
    ./vscodium


     

       
18

       

       
-

       
    ./wlogout


     

       
19

       
20

       
 

       
    ./zed-editor


     

       

       
21

       
+

       
    # keep-sorted end


     

       
20

       
22

       
 

       
  ];


     

       
21

       
23

       
 

       
}
+20
homeModules/programs/dms/default.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  config,


     

       

       
3

       
+

       
  lib,


     

       

       
4

       
+

       
  ...


     

       

       
5

       
+

       
}:


     

       

       
6

       
+

       
let


     

       

       
7

       
+

       
  cfg = config.py.profiles.desktop.dms;


     

       

       
8

       
+

       
  en = config.py.profiles.desktop.enable;


     

       

       
9

       
+

       
in


     

       

       
10

       
+

       
{


     

       

       
11

       
+

       
  config = lib.mkIf (cfg && en) {


     

       

       
12

       
+

       
    programs.dankMaterialShell = {


     

       

       
13

       
+

       
      enable = true;


     

       

       
14

       
+

       
      enableDynamicTheming = false;


     

       

       
15

       
+

       
      enableAudioWavelength = false;


     

       

       
16

       
+

       
      enableCalendarEvents = false;


     

       

       
17

       
+

       
      enableSystemSound = false;


     

       

       
18

       
+

       
    };


     

       

       
19

       
+

       
  };


     

       

       
20

       
+

       
}
+28 -50
homeModules/programs/git/default.nix 
···

       
21

       
21

       
 

       
      git = lib.mkIf cfg.enable {


     

       
22

       
22

       
 

       
        enable = true;


     

       
23

       
23

       
 

       
        package = pkgs.git;


     

       
24

       

       
-

       
        aliases = {


     

       
25

       

       
-

       
          a = "add -p";


     

       
26

       

       
-

       
          co = "checkout";


     

       
27

       

       
-

       
          cob = "checkout -b";


     

       
28

       

       
-

       
          f = "fetch -p";


     

       
29

       

       
-

       
          c = "commit";


     

       
30

       

       
-

       
          p = "push";


     

       
31

       

       
-

       
          ba = "branch -a";


     

       
32

       

       
-

       
          bd = "branch -d";


     

       
33

       

       
-

       
          bD = "branch -D";


     

       
34

       

       
-

       
          d = "diff";


     

       
35

       

       
-

       
          dc = "diff --cached";


     

       
36

       

       
-

       
          ds = "diff --staged";


     

       
37

       

       
-

       
          r = "restore";


     

       
38

       

       
-

       
          rs = "restore --staged";


     

       
39

       

       
-

       
          st = "status -sb";


     

       
40

       

       
-

       
          # reset


     

       
41

       

       
-

       
          soft = "reset --soft";


     

       
42

       

       
-

       
          hard = "reset --hard";


     

       
43

       

       
-

       
          s1ft = "soft HEAD~1";


     

       
44

       

       
-

       
          h1rd = "hard HEAD~1";


     

       
45

       

       
-

       
          # logging


     

       
46

       

       
-

       
          lg = "log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit";


     

       
47

       

       
-

       
          plog = "log --graph --pretty='format:%C(red)%d%C(reset) %C(yellow)%h%C(reset) %ar %C(green)%aN%C(reset) %s'";


     

       
48

       

       
-

       
          tlog = "log --stat --since='1 Day Ago' --graph --pretty=oneline --abbrev-commit --date=relative";


     

       
49

       

       
-

       
          rank = "shortlog -sn --no-merges";


     

       
50

       

       
-

       
          # delete merged branches


     

       
51

       

       
-

       
          bdm = "!git branch --merged | grep -v '*' | xargs -n 1 git branch -d";


     

       
52

       

       
-

       
          wt = "worktree";


     

       
53

       

       
-

       
        };


     

       
54

       

       
-

       
        delta = {


     

       
55

       

       
-

       
          enable = true;


     

       
56

       

       
-

       
          options.line-numbers = true;


     

       
57

       

       
-

       
        };


     

       
58

       

       
-

       
        extraConfig = {


     

       

       
24

       
+

       
        settings = {


     

       
59

       
25

       
 

       
          branch.sort = "-committerdate";


     

       
60

       
26

       
 

       
          column.ui = "auto";


     

       
61

       
27

       
 

       
          core.editor = lib.getExe pkgs.neovim;


     
···

       
81

       
47

       
 

       
          };


     

       
82

       
48

       
 

       
          rebase.updateRefs = true;


     

       
83

       
49

       
 

       
          tag.sort = "version:refname";


     

       
84

       

       
-

       
        };


     

       
85

       

       
-

       
        lfs = {


     

       
86

       

       
-

       
          enable = true;


     

       
87

       

       
-

       
          skipSmudge = false;


     

       

       
50

       
+

       
          lfs = {


     

       

       
51

       
+

       
            enable = true;


     

       

       
52

       
+

       
            skipSmudge = false;


     

       

       
53

       
+

       
          };


     

       

       
54

       
+

       
          user = {


     

       

       
55

       
+

       
            email = "pyrox@pyrox.dev";


     

       

       
56

       
+

       
            name = "dish";


     

       

       
57

       
+

       
          };


     

       

       
58

       
+

       
          signing = {


     

       

       
59

       
+

       
            key = "~/.ssh/main.pub";


     

       

       
60

       
+

       
            format = "ssh";


     

       

       
61

       
+

       
            signByDefault = true;


     

       

       
62

       
+

       
          };


     

       
88

       
63

       
 

       
        };


     

       
89

       

       
-

       
        signing = {


     

       
90

       

       
-

       
          key = "~/.ssh/main.pub";


     

       
91

       

       
-

       
          format = "ssh";


     

       
92

       

       
-

       
          signByDefault = true;


     

       
93

       

       
-

       
        };


     

       
94

       

       
-

       
        userEmail = "pyrox@pyrox.dev";


     

       
95

       

       
-

       
        userName = "dish";


     

       

       
64

       
+

       
      };


     

       

       
65

       
+

       
      delta = {


     

       

       
66

       
+

       
        enable = true;


     

       

       
67

       
+

       
        options.line-numbers = true;


     

       

       
68

       
+

       
        enableGitIntegration = true;


     

       

       
69

       
+

       
      };


     

       

       
70

       
+

       
      mergiraf = lib.mkIf cfg.enable {


     

       

       
71

       
+

       
        enable = true;


     

       
96

       
72

       
 

       
      };


     

       
97

       
73

       
 

       
      lazygit = lib.mkIf cfg.lazygit.enable {


     

       
98

       
74

       
 

       
        enable = true;


     
···

       
102

       
78

       
 

       
            showRandomTip = false;


     

       
103

       
79

       
 

       
            theme.selectedLineBgColor = [ "default" ];


     

       
104

       
80

       
 

       
          };


     

       
105

       

       
-

       
          git.paging = {


     

       
106

       

       
-

       
            pager = "${lib.getExe pkgs.delta} --dark --paging=never";


     

       
107

       

       
-

       
            colorArg = "always";


     

       
108

       

       
-

       
          };


     

       

       
81

       
+

       
          git.pagers = [


     

       

       
82

       
+

       
            {


     

       

       
83

       
+

       
              pager = "${lib.getExe pkgs.delta} --dark --paging=never";


     

       

       
84

       
+

       
              colorArg = "always";


     

       

       
85

       
+

       
            }


     

       

       
86

       
+

       
          ];


     

       
109

       
87

       
 

       
          services = {


     

       
110

       
88

       
 

       
            "git.pyrox.dev" = "gitea:git.pyrox.dev";


     

       
111

       
89

       
 

       
            "git.dn42.dev" = "gitea:git.dn42.dev";
+1 -1
homeModules/programs/helix/default.nix 
···

       
5

       
5

       
 

       
{


     

       
6

       
6

       
 

       
  options.py.programs.helix.enable = lib.mkEnableOption "helix editor";


     

       
7

       
7

       
 

       
  config.catppuccin.helix = {


     

       
8

       

       
-

       
    enable = cfg.enable;


     

       

       
8

       
+

       
    inherit (cfg) enable;


     

       
9

       
9

       
 

       
    useItalics = cfg.enable;


     

       
10

       
10

       
 

       
  };


     

       
11

       
11

       
 

       
  config.programs.helix = lib.mkIf cfg.enable {
+1 -1
homeModules/programs/misc-programs/default.nix 
···

       
69

       
69

       
 

       
      };


     

       
70

       
70

       
 

       
    };


     

       
71

       
71

       
 

       
    home = {


     

       
72

       

       
-

       
      packages = mkIf cfg.wakatime.enable [ pkgs.wakatime ];


     

       

       
72

       
+

       
      packages = mkIf cfg.wakatime.enable [ pkgs.wakatime-cli ];


     

       
73

       
73

       
 

       
      sessionVariables = {


     

       
74

       
74

       
 

       
        WAKATIME_HOME = "${config.xdg.configHome}/wakatime";


     

       
75

       
75

       
 

       
      };
+6 -6
homeModules/programs/neovim/default.nix 
···

       
24

       
24

       
 

       
      pkgs.gcc


     

       
25

       
25

       
 

       
      pkgs.go


     

       
26

       
26

       
 

       
      pkgs.nodejs


     

       
27

       

       
-

       
    ]


     

       
28

       

       
-

       
    ++ lib.optionals config.py.profiles.gui.enable [


     

       
29

       

       
-

       
      pkgs.ffmpegthumbnailer


     

       
30

       

       
-

       
      pkgs.fontpreview


     

       
31

       

       
-

       
      pkgs.poppler


     

       
32

       

       
-

       
      pkgs.ueberzug


     

       

       
27

       
+

       
      # ]


     

       

       
28

       
+

       
      # ++ lib.optionals config.py.profiles.gui.enable [


     

       

       
29

       
+

       
      #   pkgs.ffmpegthumbnailer


     

       

       
30

       
+

       
      #   pkgs.fontpreview


     

       

       
31

       
+

       
      #   pkgs.poppler


     

       

       
32

       
+

       
      #   pkgs.ueberzug


     

       
33

       
33

       
 

       
    ];


     

       
34

       
34

       
 

       
  };


     

       
35

       
35

       
 

       
}
-13
homeModules/programs/onagre/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  lib,


     

       
3

       

       
-

       
  config,


     

       
4

       

       
-

       
  pkgs,


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}:


     

       
7

       

       
-

       
let


     

       
8

       

       
-

       
  cfg = config.py.programs.onagre;


     

       
9

       

       
-

       
in


     

       
10

       

       
-

       
{


     

       
11

       

       
-

       
  options.py.programs.onagre.enable = lib.mkEnableOption "onagre";


     

       
12

       

       
-

       
  config.home.packages = lib.mkIf cfg.enable [ pkgs.onagre ];


     

       
13

       

       
-

       
}
+13 -1
homeModules/programs/ssh/default.nix 
···

       
7

       
7

       
 

       
  config = lib.mkIf cfg.enable {


     

       
8

       
8

       
 

       
    programs.ssh = {


     

       
9

       
9

       
 

       
      enable = true;


     

       
10

       

       
-

       
      compression = true;


     

       

       
10

       
+

       
      enableDefaultConfig = false;


     

       
11

       
11

       
 

       
      matchBlocks = {


     

       

       
12

       
+

       
        "*" = {


     

       

       
13

       
+

       
          forwardAgent = false;


     

       

       
14

       
+

       
          addKeysToAgent = "no";


     

       

       
15

       
+

       
          serverAliveInterval = 0;


     

       

       
16

       
+

       
          serverAliveCountMax = 3;


     

       

       
17

       
+

       
          hashKnownHosts = false;


     

       

       
18

       
+

       
          userKnownHostsFile = "~/.ssh/known_hosts";


     

       

       
19

       
+

       
          controlMaster = "no";


     

       

       
20

       
+

       
          controlPath = "~/.ssh/master-%r@%n:%p";


     

       

       
21

       
+

       
          controlPersist = "no";


     

       

       
22

       
+

       
          compression = true;


     

       

       
23

       
+

       
        };


     

       
12

       
24

       
 

       
        "marvin" = {


     

       
13

       
25

       
 

       
          hostname = "100.123.15.72";


     

       
14

       
26

       
 

       
          user = "thehedgehog";
-55
homeModules/programs/wlogout/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  pkgs,


     

       
3

       

       
-

       
  config,


     

       
4

       

       
-

       
  lib,


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}:


     

       
7

       

       
-

       
let


     

       
8

       

       
-

       
  cfg = config.py.programs.wlogout;


     

       
9

       

       
-

       
  pkg = config.programs.wlogout.package;


     

       
10

       

       
-

       
in


     

       
11

       

       
-

       
{


     

       
12

       

       
-

       
  options.py.programs.wlogout.enable = lib.mkEnableOption "wlogout";


     

       
13

       

       
-

       
  config.programs.wlogout = lib.mkIf cfg.enable {


     

       
14

       

       
-

       
    enable = true;


     

       
15

       

       
-

       
    style = import ./style.nix { inherit pkg; };


     

       
16

       

       
-

       
    layout = [


     

       
17

       

       
-

       
      {


     

       
18

       

       
-

       
        label = "hibernate";


     

       
19

       

       
-

       
        action = "systemctl hibernate";


     

       
20

       

       
-

       
        text = "Hibernate";


     

       
21

       

       
-

       
        keybind = "h";


     

       
22

       

       
-

       
      }


     

       
23

       

       
-

       
      {


     

       
24

       

       
-

       
        label = "reboot";


     

       
25

       

       
-

       
        action = "systemctl reboot";


     

       
26

       

       
-

       
        text = "Reboot";


     

       
27

       

       
-

       
        keybind = "r";


     

       
28

       

       
-

       
      }


     

       
29

       

       
-

       
      {


     

       
30

       

       
-

       
        label = "suspend";


     

       
31

       

       
-

       
        action = "systemctl suspend";


     

       
32

       

       
-

       
        text = "Suspend";


     

       
33

       

       
-

       
        keybind = "u";


     

       
34

       

       
-

       
      }


     

       
35

       

       
-

       
      {


     

       
36

       

       
-

       
        label = "suspend-then-hibernate";


     

       
37

       

       
-

       
        action = "systemctl suspend-then-hibernate";


     

       
38

       

       
-

       
        text = "Supend then Hibernate";


     

       
39

       

       
-

       
        keybind = "p";


     

       
40

       

       
-

       
      }


     

       
41

       

       
-

       
      {


     

       
42

       

       
-

       
        label = "lock";


     

       
43

       

       
-

       
        action = "hyprlock";


     

       
44

       

       
-

       
        text = "Lock";


     

       
45

       

       
-

       
        keybind = "l";


     

       
46

       

       
-

       
      }


     

       
47

       

       
-

       
      {


     

       
48

       

       
-

       
        label = "shutdown";


     

       
49

       

       
-

       
        action = "systemctl poweroff";


     

       
50

       

       
-

       
        text = "Shutdown";


     

       
51

       

       
-

       
        keybind = "s";


     

       
52

       

       
-

       
      }


     

       
53

       

       
-

       
    ];


     

       
54

       

       
-

       
  };


     

       
55

       

       
-

       
}
-52
homeModules/programs/wlogout/style.nix 
···

       
1

       

       
-

       
{ pkg, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  icon-path = "${pkg}/share/wlogout/icons";


     

       
4

       

       
-

       
in


     

       
5

       

       
-

       
''


     

       
6

       

       
-

       
  * {


     

       
7

       

       
-

       
  	background-image: none;


     

       
8

       

       
-

       
  }


     

       
9

       

       
-

       
  window {


     

       
10

       

       
-

       
  	background-image: image(url("/home/thehedgehog/bgs/wallpapers/xenia/chimmie_valentine_xenia.png"), url("/home/thehedgehog/bgs/wallpapers/xenia/chimmie_valentine_xenia.png"));


     

       
11

       

       
-

       
    background-size: cover;


     

       
12

       

       
-

       
  }


     

       
13

       

       
-

       
  button {


     

       
14

       

       
-

       
    color: #cdd6f4;


     

       
15

       

       
-

       
  	background-color: #11111b;


     

       
16

       

       
-

       
    border: none;


     

       
17

       

       
-

       
    border-color: #6c7086;


     

       
18

       

       
-

       
  	background-repeat: no-repeat;


     

       
19

       

       
-

       
  	background-position: center;


     

       
20

       

       
-

       
  	background-size: 25%;


     

       
21

       

       
-

       
  }


     

       
22

       

       
-

       



     

       
23

       

       
-

       
  button:focus, button:active, button:hover {


     

       
24

       

       
-

       
  	background-color: #1e1e2e;


     

       
25

       

       
-

       
  	outline-style: none;


     

       
26

       

       
-

       
    border:none;


     

       
27

       

       
-

       
  }


     

       
28

       

       
-

       



     

       
29

       

       
-

       
  #lock {


     

       
30

       

       
-

       
      background-image: image(url("${icon-path}/lock.png"), url("${icon-path}/lock.png"));


     

       
31

       

       
-

       
  }


     

       
32

       

       
-

       



     

       
33

       

       
-

       
  #suspend-then-hibernate {


     

       
34

       

       
-

       
      background-image: image(url("${icon-path}/suspend.png"), url("${icon-path}/suspend.png"));


     

       
35

       

       
-

       
  }


     

       
36

       

       
-

       



     

       
37

       

       
-

       
  #suspend {


     

       
38

       

       
-

       
      background-image: image(url("${icon-path}/suspend.png"), url("${icon-path}/suspend.png"));


     

       
39

       

       
-

       
  }


     

       
40

       

       
-

       



     

       
41

       

       
-

       
  #hibernate {


     

       
42

       

       
-

       
      background-image: image(url("${icon-path}/hibernate.png"), url("${icon-path}/hibernate.png"));


     

       
43

       

       
-

       
  }


     

       
44

       

       
-

       



     

       
45

       

       
-

       
  #shutdown {


     

       
46

       

       
-

       
      background-image: image(url("${icon-path}/shutdown.png"), url("${icon-path}/shutdown.png"));


     

       
47

       

       
-

       
  }


     

       
48

       

       
-

       



     

       
49

       

       
-

       
  #reboot {


     

       
50

       

       
-

       
      background-image: image(url("${icon-path}/reboot.png"), url("${icon-path}/reboot.png"));


     

       
51

       

       
-

       
  }


     

       
52

       

       
-

       
''
+1 -11
homeModules/programs/zed-editor/settings.nix 
···

       
2

       
2

       
 

       
  auto_update = false;


     

       
3

       
3

       
 

       
  buffer_font_family = "BlexMono Nerd Font";


     

       
4

       
4

       
 

       
  buffer_font_size = 15;


     

       

       
5

       
+

       
  disable_ai = true;


     

       
5

       
6

       
 

       
  git_panel.button = true;


     

       
6

       
7

       
 

       
  load_direnv = "direct";


     

       
7

       
8

       
 

       
  lsp.deno.settings.deno.enable = true;


     
···

       
14

       
15

       
 

       
  ui_font_size = 15;


     

       
15

       
16

       
 

       
  vim_mode = true;


     

       
16

       
17

       
 

       
  wrap_guides = [ 100 ];


     

       
17

       

       
-

       



     

       
18

       

       
-

       
  assistant = {


     

       
19

       

       
-

       
    enabled = false;


     

       
20

       

       
-

       
    button = false;


     

       
21

       

       
-

       
    version = "2";


     

       
22

       

       
-

       
  };


     

       
23

       

       
-

       



     

       
24

       

       
-

       
  features = {


     

       
25

       

       
-

       
    copilot = false;


     

       
26

       

       
-

       
    edit_prediction_provider = "none";


     

       
27

       

       
-

       
  };


     

       
28

       
18

       
 

       



     

       
29

       
19

       
 

       
  icon_theme = {


     

       
30

       
20

       
 

       
    mode = "dark";
-4
homeModules/services/default.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  imports = [


     

       
3

       
3

       
 

       
    ./gpg-agent


     

       
4

       

       
-

       
    ./kanshi


     

       
5

       
4

       
 

       
    ./kdeconnect


     

       
6

       

       
-

       
    ./mako


     

       
7

       

       
-

       
    ./swayidle


     

       
8

       
5

       
 

       
    ./syncthing


     

       
9

       

       
-

       
    ./vicinae


     

       
10

       
6

       
 

       
  ];


     

       
11

       
7

       
 

       
}
-18
homeModules/services/kanshi/default.nix 
···

       
1

       

       
-

       
{ config, lib, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  cfg = config.py.services.kanshi;


     

       
4

       

       
-

       
in


     

       
5

       

       
-

       
{


     

       
6

       

       
-

       
  options.py.services.kanshi = {


     

       
7

       

       
-

       
    enable = lib.mkEnableOption "kanshi";


     

       
8

       

       
-

       
    settings = lib.mkOption {


     

       
9

       

       
-

       
      type = lib.types.listOf lib.types.attrs;


     

       
10

       

       
-

       
      default = [ ];


     

       
11

       

       
-

       
      description = "The value of `config.services.kanshi.settings`.";


     

       
12

       

       
-

       
    };


     

       
13

       

       
-

       
  };


     

       
14

       

       
-

       
  config.services.kanshi = lib.mkIf cfg.enable {


     

       
15

       

       
-

       
    enable = true;


     

       
16

       

       
-

       
    inherit (cfg) settings;


     

       
17

       

       
-

       
  };


     

       
18

       

       
-

       
}
-31
homeModules/services/mako/default.nix 
···

       
1

       

       
-

       
{ lib, config, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  cfg = config.py.services.mako;


     

       
4

       

       
-

       
  hl = config.wayland.windowManager.hyprland;


     

       
5

       

       
-

       
in


     

       
6

       

       
-

       
{


     

       
7

       

       
-

       
  options.py.services.mako.enable = lib.mkEnableOption "mako";


     

       
8

       

       
-

       
  # avoid IFD


     

       
9

       

       
-

       
  config.catppuccin.mako.enable = false;


     

       
10

       

       
-

       
  # Hyprpanel with hyprland uses its own notification daemon


     

       
11

       

       
-

       
  config.services.mako = lib.mkIf (cfg.enable && !hl.enable) {


     

       
12

       

       
-

       
    enable = true;


     

       
13

       

       
-

       



     

       
14

       

       
-

       
    settings = {


     

       
15

       

       
-

       
      font = "IBM Plex Sans 14pt";


     

       
16

       

       
-

       
      # Vendored Catppuccin Theme(avoids IFD)


     

       
17

       

       
-

       
      background-color = "#1e1e2e";


     

       
18

       

       
-

       
      text-color = "#cdd6f4";


     

       
19

       

       
-

       
      border-color = "#89b4fa";


     

       
20

       

       
-

       
      progress-color = "over #313244";


     

       
21

       

       
-

       



     

       
22

       

       
-

       
      actions = 1;


     

       
23

       

       
-

       
      default-timeout = 10000;


     

       
24

       

       
-

       
      icons = 1;


     

       
25

       

       
-

       
      layer = "overlay";


     

       
26

       

       
-

       
      "urgency=high" = {


     

       
27

       

       
-

       
        border-color = "#fab387";


     

       
28

       

       
-

       
      };


     

       
29

       

       
-

       
    };


     

       
30

       

       
-

       
  };


     

       
31

       

       
-

       
}
-35
homeModules/services/swayidle/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  pkgs,


     

       
3

       

       
-

       
  config,


     

       
4

       

       
-

       
  lib,


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}:


     

       
7

       

       
-

       
let


     

       
8

       

       
-

       
  cfg = config.py.services.swayidle;


     

       
9

       

       
-

       
in


     

       
10

       

       
-

       
{


     

       
11

       

       
-

       
  options.py.services.swayidle.enable = lib.mkEnableOption "swayidle";


     

       
12

       

       
-

       
  config.services.swayidle = lib.mkIf cfg.enable {


     

       
13

       

       
-

       
    enable = false;


     

       
14

       

       
-

       
    events = [


     

       
15

       

       
-

       
      {


     

       
16

       

       
-

       
        event = "lock";


     

       
17

       

       
-

       
        command = "lock";


     

       
18

       

       
-

       
      }


     

       
19

       

       
-

       
      {


     

       
20

       

       
-

       
        event = "before-sleep";


     

       
21

       

       
-

       
        command = lib.getExe pkgs.swaylock-effects;


     

       
22

       

       
-

       
      }


     

       
23

       

       
-

       
      {


     

       
24

       

       
-

       
        event = "after-resume";


     

       
25

       

       
-

       
        command = ''swaymsg "output * dpms on"'';


     

       
26

       

       
-

       
      }


     

       
27

       

       
-

       
    ];


     

       
28

       

       
-

       
    timeouts = [


     

       
29

       

       
-

       
      {


     

       
30

       

       
-

       
        timeout = 300;


     

       
31

       

       
-

       
        command = lib.getExe pkgs.swaylock-effects;


     

       
32

       

       
-

       
      }


     

       
33

       

       
-

       
    ];


     

       
34

       

       
-

       
  };


     

       
35

       

       
-

       
}
-15
homeModules/services/vicinae/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  config,


     

       
3

       

       
-

       
  lib,


     

       
4

       

       
-

       
  ...


     

       
5

       

       
-

       
}:


     

       
6

       

       
-

       
let


     

       
7

       

       
-

       
  cfg = config.py.services.vicinae;


     

       
8

       

       
-

       
in


     

       
9

       

       
-

       
{


     

       
10

       

       
-

       
  options.py.services.vicinae.enable = lib.mkEnableOption "Vicinae";


     

       
11

       

       
-

       
  config.services.vicinae = lib.mkIf cfg.enable {


     

       
12

       

       
-

       
    enable = true;


     

       
13

       

       
-

       
    autoStart = true;


     

       
14

       

       
-

       
  };


     

       
15

       

       
-

       
}
+28 -5
homeModules/wayland/default.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  pkgs,


     

       

       
3

       
+

       
  config,


     

       

       
4

       
+

       
  osConfig,


     

       

       
5

       
+

       
  lib,


     

       

       
6

       
+

       
  ...


     

       

       
7

       
+

       
}:


     

       

       
8

       
+

       
let


     

       

       
9

       
+

       
  c = osConfig.py.programs.hyprland;


     

       

       
10

       
+

       
in


     

       
1

       
11

       
 

       
{


     

       
2

       
12

       
 

       
  imports = [


     

       
3

       

       
-

       
    ./sway.nix


     

       
4

       

       
-

       
    ./keybindings.nix


     

       
5

       

       
-

       
    ./waybar.nix


     

       
6

       

       
-

       
    ./swaylock.nix


     

       
7

       

       
-

       
    ./hyprland


     

       

       
13

       
+

       
    ./services.nix


     

       

       
14

       
+

       
    ./hypridle.nix


     

       
8

       
15

       
 

       
  ];


     

       

       
16

       
+

       
  config = {


     

       

       
17

       
+

       
    catppuccin.hyprland.enable = c.enable;


     

       

       
18

       
+

       
    wayland.windowManager.hyprland = {


     

       

       
19

       
+

       
      inherit (c) enable;


     

       

       
20

       
+

       
      # Per https://nix-community.github.io/home-manager/options.xhtml#opt-wayland.windowManager.hyprland.package


     

       

       
21

       
+

       
      package = null;


     

       

       
22

       
+

       
      systemd = {


     

       

       
23

       
+

       
        enable = true;


     

       

       
24

       
+

       
        enableXdgAutostart = true;


     

       

       
25

       
+

       
      };


     

       

       
26

       
+

       
      settings = import ./settings.nix { inherit lib config; };


     

       

       
27

       
+

       
      plugins = [


     

       

       
28

       
+

       
        pkgs.hyprlandPlugins.hy3


     

       

       
29

       
+

       
      ];


     

       

       
30

       
+

       
    };


     

       

       
31

       
+

       
  };


     

       
9

       
32

       
 

       
}
+11
homeModules/wayland/env.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  env = [


     

       

       
3

       
+

       
    "WLR_NO_HARDWARE_CURSORS, 1"


     

       

       
4

       
+

       
    "WLR_RENDERER_ALLOW_SOFTWARE, 1"


     

       

       
5

       
+

       
    "NIXOS_OZONE_WL, 1"


     

       

       
6

       
+

       
    "XDG_SESSION_TYPE, wayland"


     

       

       
7

       
+

       
    "QT_QPA_PLATFORM, wayland"


     

       

       
8

       
+

       
    "XDG_CURRENT_DESKTOP, Hyprland"


     

       

       
9

       
+

       
    "XDG_SESSION_DESKTOP, Hyprland"


     

       

       
10

       
+

       
  ];


     

       

       
11

       
+

       
}
+36
homeModules/wayland/hypridle.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  config,


     

       

       
3

       
+

       
  lib,


     

       

       
4

       
+

       
  ...


     

       

       
5

       
+

       
}:


     

       

       
6

       
+

       
let


     

       

       
7

       
+

       
  cfg = config.wayland.windowManager.hyprland;


     

       

       
8

       
+

       
in


     

       

       
9

       
+

       
{


     

       

       
10

       
+

       
  config.services.hypridle = lib.mkIf cfg.enable {


     

       

       
11

       
+

       
    enable = true;


     

       

       
12

       
+

       
    settings = {


     

       

       
13

       
+

       
      general = {


     

       

       
14

       
+

       
        lock_cmd = "loginctl lock-session";


     

       

       
15

       
+

       
        # before_sleep_cmd = "loginctl lock-session";


     

       

       
16

       
+

       
        after_sleep_cmd = "hyprctl dispatch dpms on";


     

       

       
17

       
+

       
        inhibit_sleep = 3;


     

       

       
18

       
+

       
      };


     

       

       
19

       
+

       
      listener = [


     

       

       
20

       
+

       
        {


     

       

       
21

       
+

       
          timeout = 420;


     

       

       
22

       
+

       
          on-timeout = "loginctl lock-session";


     

       

       
23

       
+

       
        }


     

       

       
24

       
+

       
        {


     

       

       
25

       
+

       
          timeout = 600;


     

       

       
26

       
+

       
          on-timeout = "hyprctl dispatch dpms off";


     

       

       
27

       
+

       
          on-resume = "hyprctl dispatch dpms on";


     

       

       
28

       
+

       
        }


     

       

       
29

       
+

       
        {


     

       

       
30

       
+

       
          timeout = 900;


     

       

       
31

       
+

       
          on-timeout = "systemctl resume";


     

       

       
32

       
+

       
        }


     

       

       
33

       
+

       
      ];


     

       

       
34

       
+

       
    };


     

       

       
35

       
+

       
  };


     

       

       
36

       
+

       
}
-35
homeModules/wayland/hyprland/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  pkgs,


     

       
3

       

       
-

       
  config,


     

       
4

       

       
-

       
  osConfig,


     

       
5

       

       
-

       
  lib,


     

       
6

       

       
-

       
  ...


     

       
7

       

       
-

       
}:


     

       
8

       

       
-

       
let


     

       
9

       

       
-

       
  c = osConfig.py.programs.hyprland;


     

       
10

       

       
-

       
  cfg = config.wayland.windowManager.hyprland;


     

       
11

       

       
-

       
in


     

       
12

       

       
-

       
{


     

       
13

       

       
-

       
  imports = [


     

       
14

       

       
-

       
    ./hyprpanel.nix


     

       
15

       

       
-

       
    ./services.nix


     

       
16

       

       
-

       
    ./hypridle.nix


     

       
17

       

       
-

       
    ./hyprlock.nix


     

       
18

       

       
-

       
  ];


     

       
19

       

       
-

       
  config = {


     

       
20

       

       
-

       
    catppuccin.hyprland.enable = c.enable;


     

       
21

       

       
-

       
    wayland.windowManager.hyprland = {


     

       
22

       

       
-

       
      enable = c.enable;


     

       
23

       

       
-

       
      # Per https://nix-community.github.io/home-manager/options.xhtml#opt-wayland.windowManager.hyprland.package


     

       
24

       

       
-

       
      package = null;


     

       
25

       

       
-

       
      systemd = {


     

       
26

       

       
-

       
        enable = true;


     

       
27

       

       
-

       
        enableXdgAutostart = true;


     

       
28

       

       
-

       
      };


     

       
29

       

       
-

       
      settings = import ./settings.nix;


     

       
30

       

       
-

       
      plugins = [


     

       
31

       

       
-

       
        pkgs.hyprlandPlugins.hy3


     

       
32

       

       
-

       
      ];


     

       
33

       

       
-

       
    };


     

       
34

       

       
-

       
  };


     

       
35

       

       
-

       
}
-9
homeModules/wayland/hyprland/env.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  env = [


     

       
3

       

       
-

       
    "WLR_NO_HARDWARE_CURSORS, 1"


     

       
4

       

       
-

       
    "WLR_RENDERER_ALLOW_SOFTWARE, 1"


     

       
5

       

       
-

       
    "NIXOS_OZONE_WL, 1"


     

       
6

       

       
-

       
    "XDG_SESSION_TYPE, wayland"


     

       
7

       

       
-

       
    "QT_QPA_PLATFORM, wayland"


     

       
8

       

       
-

       
  ];


     

       
9

       

       
-

       
}
-18
homeModules/wayland/hyprland/hypridle.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  config,


     

       
3

       

       
-

       
  lib,


     

       
4

       

       
-

       
  ...


     

       
5

       

       
-

       
}:


     

       
6

       

       
-

       
let


     

       
7

       

       
-

       
  cfg = config.wayland.windowManager.hyprland;


     

       
8

       

       
-

       
in


     

       
9

       

       
-

       
{


     

       
10

       

       
-

       
  config.services.hypridle = lib.mkIf cfg.enable {


     

       
11

       

       
-

       
    enable = false;


     

       
12

       

       
-

       
    settings = {


     

       
13

       

       
-

       
      general = {


     

       
14

       

       
-

       
        lock_cmd = "hyprlock";


     

       
15

       

       
-

       
      };


     

       
16

       

       
-

       
    };


     

       
17

       

       
-

       
  };


     

       
18

       

       
-

       
}
-93
homeModules/wayland/hyprland/hyprlock.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  config,


     

       
3

       

       
-

       
  lib,


     

       
4

       

       
-

       
  ...


     

       
5

       

       
-

       
}:


     

       
6

       

       
-

       
let


     

       
7

       

       
-

       
  cfg = config.wayland.windowManager.hyprland;


     

       
8

       

       
-

       
in


     

       
9

       

       
-

       
{


     

       
10

       

       
-

       
  config.catppuccin.hyprlock.enable = cfg.enable;


     

       
11

       

       
-

       
  config.catppuccin.hyprlock.useDefaultConfig = false;


     

       
12

       

       
-

       
  config.programs.hyprlock = lib.mkIf cfg.enable {


     

       
13

       

       
-

       
    enable = true;


     

       
14

       

       
-

       
    settings = {


     

       
15

       

       
-

       
      general = {


     

       
16

       

       
-

       
        hide_cursor = true;


     

       
17

       

       
-

       
        immediate_render = true;


     

       
18

       

       
-

       
        text_trim = true;


     

       
19

       

       
-

       
      };


     

       
20

       

       
-

       
    };


     

       
21

       

       
-

       
    extraConfig = ''


     

       
22

       

       
-

       
      $accent = $mauve


     

       
23

       

       
-

       
      $accentAlpha = $mauveAlpha


     

       
24

       

       
-

       
      $font = Blex Mono Nerd Font


     

       
25

       

       
-

       



     

       
26

       

       
-

       
      # BACKGROUND


     

       
27

       

       
-

       
      background {


     

       
28

       

       
-

       
        monitor =


     

       
29

       

       
-

       
        path = $HOME/bgs/wallpapers/xenia/chimmie_valentine_xenia.png


     

       
30

       

       
-

       
        blur_passes = 1


     

       
31

       

       
-

       
        color = $base


     

       
32

       

       
-

       
      }


     

       
33

       

       
-

       



     

       
34

       

       
-

       
      # TIME


     

       
35

       

       
-

       
      label {


     

       
36

       

       
-

       
        monitor =


     

       
37

       

       
-

       
        text = $TIME


     

       
38

       

       
-

       
        color = $text


     

       
39

       

       
-

       
        font_size = 90


     

       
40

       

       
-

       
        font_family = $font


     

       
41

       

       
-

       
        position = -30, 0


     

       
42

       

       
-

       
        halign = right


     

       
43

       

       
-

       
        valign = top


     

       
44

       

       
-

       
      }


     

       
45

       

       
-

       



     

       
46

       

       
-

       
      # DATE


     

       
47

       

       
-

       
      label {


     

       
48

       

       
-

       
        monitor =


     

       
49

       

       
-

       
        text = cmd[update:43200000] date +"%A, %d %B %Y"


     

       
50

       

       
-

       
        color = $text


     

       
51

       

       
-

       
        font_size = 25


     

       
52

       

       
-

       
        font_family = $font


     

       
53

       

       
-

       
        position = -30, -150


     

       
54

       

       
-

       
        halign = right


     

       
55

       

       
-

       
        valign = top


     

       
56

       

       
-

       
      }


     

       
57

       

       
-

       



     

       
58

       

       
-

       
      # USER AVATAR


     

       
59

       

       
-

       
      image {


     

       
60

       

       
-

       
        monitor =


     

       
61

       

       
-

       
        path = $HOME/.face


     

       
62

       

       
-

       
        size = 100


     

       
63

       

       
-

       
        border_color = $accent


     

       
64

       

       
-

       
        position = 0, 75


     

       
65

       

       
-

       
        halign = center


     

       
66

       

       
-

       
        valign = center


     

       
67

       

       
-

       
      }


     

       
68

       

       
-

       



     

       
69

       

       
-

       
      # INPUT FIELD


     

       
70

       

       
-

       
      input-field {


     

       
71

       

       
-

       
        monitor =


     

       
72

       

       
-

       
        size = 300, 60


     

       
73

       

       
-

       
        outline_thickness = 4


     

       
74

       

       
-

       
        dots_size = 0.2


     

       
75

       

       
-

       
        dots_spacing = 0.2


     

       
76

       

       
-

       
        dots_center = true


     

       
77

       

       
-

       
        outer_color = $accent


     

       
78

       

       
-

       
        inner_color = $surface0


     

       
79

       

       
-

       
        font_color = $text


     

       
80

       

       
-

       
        fade_on_empty = false


     

       
81

       

       
-

       
        placeholder_text = <span foreground="##$textAlpha"><i>󰌾 Logged in as </i><span foreground="##$accentAlpha">$USER</span></span>


     

       
82

       

       
-

       
        hide_input = false


     

       
83

       

       
-

       
        check_color = $accent


     

       
84

       

       
-

       
        fail_color = $red


     

       
85

       

       
-

       
        fail_text = <i>$FAIL <b>($ATTEMPTS)</b></i>


     

       
86

       

       
-

       
        capslock_color = $yellow


     

       
87

       

       
-

       
        position = 0, -47


     

       
88

       

       
-

       
        halign = center


     

       
89

       

       
-

       
        valign = center


     

       
90

       

       
-

       
      }


     

       
91

       

       
-

       
    '';


     

       
92

       

       
-

       
  };


     

       
93

       

       
-

       
}
-14
homeModules/wayland/hyprland/hyprpanel.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  config,


     

       
3

       

       
-

       
  lib,


     

       
4

       

       
-

       
  ...


     

       
5

       

       
-

       
}:


     

       
6

       

       
-

       
let


     

       
7

       

       
-

       
  cfg = config.wayland.windowManager.hyprland;


     

       
8

       

       
-

       
in


     

       
9

       

       
-

       
{


     

       
10

       

       
-

       
  programs.hyprpanel = lib.mkIf cfg.enable {


     

       
11

       

       
-

       
    enable = true;


     

       
12

       

       
-

       
    systemd.enable = true;


     

       
13

       

       
-

       
  };


     

       
14

       

       
-

       
}
-98
homeModules/wayland/hyprland/keybindings.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  "$mod" = "SUPER";


     

       
3

       

       
-

       
  "$satty" = "satty -f -";


     

       
4

       

       
-

       



     

       
5

       

       
-

       
  binde = [


     

       
6

       

       
-

       
    # Media binds that can be held and repeated


     

       
7

       

       
-

       
    ", XF86MonBrightnessDown, exec, brightnessctl set 5%-"


     

       
8

       

       
-

       
    ", XF86MonBrightnessUp, exec, brightnessctl set +5%"


     

       
9

       

       
-

       
    ", XF86AudioRaiseVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+"


     

       
10

       

       
-

       
    ", XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"


     

       
11

       

       
-

       
  ];


     

       
12

       

       
-

       



     

       
13

       

       
-

       
  bind = [


     

       
14

       

       
-

       
    "SUPER_SHIFT, F, exec, MOZ_DISABLE_RDD_SANDBOX=1 firefox"


     

       
15

       

       
-

       
    "$mod, Return, exec, ghostty"


     

       
16

       

       
-

       
    "$mod, X, exec, wlogout"


     

       
17

       

       
-

       
    "$mod, D, exec, vicinae toggle"


     

       
18

       

       
-

       
    "SUPER_SHIFT, E, exit"


     

       
19

       

       
-

       



     

       
20

       

       
-

       
    # Media Binds


     

       
21

       

       
-

       
    ", XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"


     

       
22

       

       
-

       
    ", XF86AudioMicMute, exec, wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"


     

       
23

       

       
-

       
    ", XF86AudioPlay, exec, playerctl play-pause"


     

       
24

       

       
-

       
    ", XF86AudioNext, exec, playerctl next"


     

       
25

       

       
-

       
    ", XF86AudioPrev, exec, playerctl previous"


     

       
26

       

       
-

       



     

       
27

       

       
-

       
    # Workspace binds


     

       
28

       

       
-

       
    "$mod, 1, workspace, 01"


     

       
29

       

       
-

       
    "SUPER_SHIFT, 1, hy3:movetoworkspace, 01, follow, warp"


     

       
30

       

       
-

       
    "$mod, 2, workspace, 02"


     

       
31

       

       
-

       
    "SUPER_SHIFT, 2, hy3:movetoworkspace, 02, follow, warp"


     

       
32

       

       
-

       
    "$mod, 3, workspace, 03"


     

       
33

       

       
-

       
    "SUPER_SHIFT, 3, hy3:movetoworkspace, 03, follow, warp"


     

       
34

       

       
-

       
    "$mod, 4, workspace, 04"


     

       
35

       

       
-

       
    "SUPER_SHIFT, 4, hy3:movetoworkspace, 04, follow, warp"


     

       
36

       

       
-

       
    "$mod, 5, workspace, 05"


     

       
37

       

       
-

       
    "SUPER_SHIFT, 5, hy3:movetoworkspace, 05, follow, warp"


     

       
38

       

       
-

       
    "$mod, 6, workspace, 06"


     

       
39

       

       
-

       
    "SUPER_SHIFT, 6, hy3:movetoworkspace, 06, follow, warp"


     

       
40

       

       
-

       
    "$mod, 7, workspace, 07"


     

       
41

       

       
-

       
    "SUPER_SHIFT, 7, hy3:movetoworkspace, 07, follow, warp"


     

       
42

       

       
-

       
    "$mod, 8, workspace, 08"


     

       
43

       

       
-

       
    "SUPER_SHIFT, 8, hy3:movetoworkspace, 08, follow, warp"


     

       
44

       

       
-

       
    "$mod, 9, workspace, 09"


     

       
45

       

       
-

       
    "SUPER_SHIFT, 9, hy3:movetoworkspace, 09, follow, warp"


     

       
46

       

       
-

       
    "$mod, 0, workspace, 10"


     

       
47

       

       
-

       
    "SUPER_SHIFT, 0, hy3:movetoworkspace, 10, follow, warp"


     

       
48

       

       
-

       
    # Scratchpad


     

       
49

       

       
-

       
    "SUPER_SHIFT, -, movetoworkspace, special"


     

       
50

       

       
-

       
    "$mod, -, togglespecialworkspace"


     

       
51

       

       
-

       



     

       
52

       

       
-

       
    # Window Management


     

       
53

       

       
-

       
    "SUPER_SHIFT, Up, hy3:movewindow, up, once, visible"


     

       
54

       

       
-

       
    "SUPER_SHIFT, K, hy3:movewindow, up, once, visible"


     

       
55

       

       
-

       
    "$mod, Up, hy3:movefocus, up, visible, warp"


     

       
56

       

       
-

       
    "$mod, K, hy3:movefocus, up, visible, warp"


     

       
57

       

       
-

       



     

       
58

       

       
-

       
    "SUPER_SHIFT, Right, hy3:movewindow, right, once, visible"


     

       
59

       

       
-

       
    "SUPER_SHIFT, L, hy3:movewindow, right, once, visible"


     

       
60

       

       
-

       
    "$mod, Right, hy3:movefocus, right, visible, warp"


     

       
61

       

       
-

       
    "$mod, L, hy3:movefocus, right, visible, warp"


     

       
62

       

       
-

       



     

       
63

       

       
-

       
    "SUPER_SHIFT, Left, hy3:movewindow, left, once, visible"


     

       
64

       

       
-

       
    "SUPER_SHIFT, H, hy3:movewindow, left, once, visible"


     

       
65

       

       
-

       
    "$mod, Left, hy3:movefocus, left, visible, warp"


     

       
66

       

       
-

       
    "$mod, H, hy3:movefocus, left, visible, warp"


     

       
67

       

       
-

       



     

       
68

       

       
-

       
    "SUPER_SHIFT, Down, hy3:movewindow, down, once, visible"


     

       
69

       

       
-

       
    "SUPER_SHIFT, J, hy3:movewindow, down, once, visible"


     

       
70

       

       
-

       
    "$mod, Down, hy3:movefocus, down, visible, warp"


     

       
71

       

       
-

       
    "$mod, J, hy3:movefocus, down, visible, warp"


     

       
72

       

       
-

       



     

       
73

       

       
-

       
    "SUPER_SHIFT, Q, killactive"


     

       
74

       

       
-

       
    "$mod, F, fullscreen, 0"


     

       
75

       

       
-

       
    "$mod, Space, hy3:togglefocuslayer"


     

       
76

       

       
-

       
    "SUPER_SHIFT, Space, togglefloating, active"


     

       
77

       

       
-

       



     

       
78

       

       
-

       
    # Screenshots


     

       
79

       

       
-

       
    "SHIFT, F3, exec, hyprshot -m output --raw -z -s | $satty"


     

       
80

       

       
-

       
    "SHIFT, F4, exec, hyprshot -m region --raw -z -s | $satty"


     

       
81

       

       
-

       
  ];


     

       
82

       

       
-

       



     

       
83

       

       
-

       
  bindm = [


     

       
84

       

       
-

       
    "$mod, mouse:272, movewindow"


     

       
85

       

       
-

       
  ];


     

       
86

       

       
-

       



     

       
87

       

       
-

       
  # Unbind a bunch of default keybinds


     

       
88

       

       
-

       
  unbind = [


     

       
89

       

       
-

       
    "$mod, C"


     

       
90

       

       
-

       
    "$mod, E"


     

       
91

       

       
-

       
    "$mod, J"


     

       
92

       

       
-

       
    "$mod, M"


     

       
93

       

       
-

       
    "$mod, P"


     

       
94

       

       
-

       
    "$mod, Q"


     

       
95

       

       
-

       
    "$mod, R"


     

       
96

       

       
-

       
    "$mod, V"


     

       
97

       

       
-

       
  ];


     

       
98

       

       
-

       
}
-8
homeModules/wayland/hyprland/monitors.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  monitor = [


     

       
3

       

       
-

       
    "eDP-1, 2560x1600@165, 0x0, 1, vrr, 1"


     

       
4

       

       
-

       
    "desc:Acer Technologies SA241Y 0x1497CF17, preferred, 2560x0, 1"


     

       
5

       

       
-

       
    # Fallback for random monitors


     

       
6

       

       
-

       
    ", preferred, auto, 1"


     

       
7

       

       
-

       
  ];


     

       
8

       

       
-

       
}
-7
homeModules/wayland/hyprland/plugins.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  plugin = {


     

       
3

       

       
-

       
    hy3 = {


     

       
4

       

       
-

       
      no_gaps_when_only = 1;


     

       
5

       

       
-

       
    };


     

       
6

       

       
-

       
  };


     

       
7

       

       
-

       
}
-10
homeModules/wayland/hyprland/services.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  config,


     

       
3

       

       
-

       
  ...


     

       
4

       

       
-

       
}:


     

       
5

       

       
-

       
let


     

       
6

       

       
-

       
  cfg = config.wayland.windowManager.hyprland;


     

       
7

       

       
-

       
in


     

       
8

       

       
-

       
{


     

       
9

       

       
-

       
  services.hyprpolkitagent.enable = cfg.enable;


     

       
10

       

       
-

       
}
-22
homeModules/wayland/hyprland/settings.nix 
···

       
1

       

       
-

       
let


     

       
2

       

       
-

       
  keybinds = import ./keybindings.nix;


     

       
3

       

       
-

       
  monitors = import ./monitors.nix;


     

       
4

       

       
-

       
  variables = import ./variables.nix;


     

       
5

       

       
-

       
  plugins = import ./plugins.nix;


     

       
6

       

       
-

       
  env = import ./env.nix;


     

       
7

       

       
-

       
  windowrules = import ./windowrules.nix;


     

       
8

       

       
-

       
in


     

       
9

       

       
-

       
{


     

       
10

       

       
-

       
  exec-once = [


     

       
11

       

       
-

       
    "hyprpanel"


     

       
12

       

       
-

       
  ];


     

       
13

       

       
-

       
  animation = [


     

       
14

       

       
-

       
    "global, 1, 4, default"


     

       
15

       

       
-

       
  ];


     

       
16

       

       
-

       
}


     

       
17

       

       
-

       
// keybinds


     

       
18

       

       
-

       
// monitors


     

       
19

       

       
-

       
// variables


     

       
20

       

       
-

       
// plugins


     

       
21

       

       
-

       
// env


     

       
22

       

       
-

       
// windowrules
-33
homeModules/wayland/hyprland/variables.nix 
···

       
1

       

       
-

       
# https://wiki.hypr.land/Configuring/Variables


     

       
2

       

       
-

       
{


     

       
3

       

       
-

       
  general = {


     

       
4

       

       
-

       
    gaps_in = 1;


     

       
5

       

       
-

       
    gaps_out = 1;


     

       
6

       

       
-

       
    gaps_workspaces = 80;


     

       
7

       

       
-

       
    layout = "hy3";


     

       
8

       

       
-

       
    resize_on_border = true;


     

       
9

       

       
-

       
  };


     

       
10

       

       
-

       
  decoration = {


     

       
11

       

       
-

       
    blur.enabled = false;


     

       
12

       

       
-

       
    shadow.enabled = false;


     

       
13

       

       
-

       
  };


     

       
14

       

       
-

       
  misc = {


     

       
15

       

       
-

       
    disable_hyprland_logo = true;


     

       
16

       

       
-

       
    disable_splash_rendering = true;


     

       
17

       

       
-

       
    font_family = "Inter";


     

       
18

       

       
-

       
    mouse_move_focuses_monitor = true;


     

       
19

       

       
-

       
  };


     

       
20

       

       
-

       
  input = {


     

       
21

       

       
-

       
    kb_options = "caps:escape";


     

       
22

       

       
-

       
    repeat_delay = 300;


     

       
23

       

       
-

       
    touchpad = {


     

       
24

       

       
-

       
      scroll_factor = 1.5;


     

       
25

       

       
-

       
      tap_button_map = "lmr";


     

       
26

       

       
-

       
      tap-and-drag = false;


     

       
27

       

       
-

       
    };


     

       
28

       

       
-

       
  };


     

       
29

       

       
-

       
  ecosystem = {


     

       
30

       

       
-

       
    no_update_news = true;


     

       
31

       

       
-

       
    no_donation_nag = true;


     

       
32

       

       
-

       
  };


     

       
33

       

       
-

       
}
-6
homeModules/wayland/hyprland/windowrules.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  windowrule = [


     

       
3

       

       
-

       
    "immediate, content game, title:Celeste"


     

       
4

       

       
-

       
    "tile, title:Melvor Idle"


     

       
5

       

       
-

       
  ];


     

       
6

       

       
-

       
}
+108 -43
homeModules/wayland/keybindings.nix 
···

       
1

       

       
-

       
{ config, lib, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  inherit (config.wayland.windowManager.sway.config) menu;


     

       
4

       

       
-

       
  mod = config.wayland.windowManager.sway.config.modifier;


     

       
5

       

       
-

       
  term = config.wayland.windowManager.sway.config.terminal;


     

       
6

       

       
-

       
  grim = "grim -g";


     

       
7

       

       
-

       
  slurp-screen = "\"$(slurp -c -b '#1e1e2e80' -o -r)\" -";


     

       
8

       

       
-

       
  slurp-box = "\"$(slurp -c '#f38ba8ff' -b '#1e1e2e80' -w 1 -d -F 'IBM Plex Mono')\" -";


     

       
9

       

       
-

       
  satty = "satty -f -";


     

       
10

       

       
-

       
  cfg = config.py.profiles.gui;


     

       
11

       

       
-

       
in


     

       

       
1

       
+

       
{ lib, shell }:


     

       
12

       
2

       
 

       
{


     

       
13

       

       
-

       
  config.wayland.windowManager.sway.config.keybindings = lib.mkIf cfg.enable (


     

       
14

       

       
-

       
    lib.mkOptionDefault {


     

       
15

       

       
-

       
      "${mod}+d" = "${menu}";


     

       
16

       

       
-

       
      "${mod}+Shift+F" = "exec MOZ_DISABLE_RDD_SANDBOX=1 firefox";


     

       
17

       

       
-

       
      "${mod}+Return" = "exec ${term}";


     

       
18

       

       
-

       
      "${mod}+x" = "exec wlogout";


     

       
19

       

       
-

       
      "${mod}+s" = null;


     

       
20

       

       
-

       
      "${mod}+w" = null;


     

       
21

       

       
-

       
      "XF86MonBrightnessDown" = "exec brightnessctl set 5%-";


     

       
22

       

       
-

       
      "XF86MonBrightnessUp" = "exec brightnessctl set +5%";


     

       
23

       

       
-

       
      "XF86AudioRaiseVolume" = "exec wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+";


     

       
24

       

       
-

       
      "XF86AudioLowerVolume" = "exec wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-";


     

       
25

       

       
-

       
      "XF86AudioMute" = "exec wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle";


     

       
26

       

       
-

       
      "XF86AudioMicMute" = "exec wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle";


     

       
27

       

       
-

       
      "XF86AudioPlay" = "exec playerctl play-pause";


     

       
28

       

       
-

       
      "XF86AudioNext" = "exec playerctl next";


     

       
29

       

       
-

       
      "XF86AudioPrev" = "exec playerctl previous";


     

       
30

       

       
-

       
      "Shift+F3" = "exec ${grim} ${slurp-screen} | ${satty}";


     

       
31

       

       
-

       
      "Shift+F4" = "exec ${grim} ${slurp-box} | ${satty}";


     

       
32

       

       
-

       
      "${mod}+Shift+1" = "move container to workspace number 1";


     

       
33

       

       
-

       
      "${mod}+Shift+2" = "move container to workspace number 2";


     

       
34

       

       
-

       
      "${mod}+Shift+3" = "move container to workspace number 3";


     

       
35

       

       
-

       
      "${mod}+Shift+4" = "move container to workspace number 4";


     

       
36

       

       
-

       
      "${mod}+Shift+5" = "move container to workspace number 5";


     

       
37

       

       
-

       
      "${mod}+Shift+6" = "move container to workspace number 6";


     

       
38

       

       
-

       
      "${mod}+Shift+7" = "move container to workspace number 7";


     

       
39

       

       
-

       
      "${mod}+Shift+8" = "move container to workspace number 8";


     

       
40

       

       
-

       
      "${mod}+Shift+9" = "move container to workspace number 9";


     

       
41

       

       
-

       
      "${mod}+Shift+0" = "move container to workspace number 10";


     

       
42

       

       
-

       
      "${mod}+0" = "workspace number 10";


     

       
43

       

       
-

       
    }


     

       
44

       

       
-

       
  );


     

       

       
3

       
+

       
  "$mod" = "SUPER";


     

       

       
4

       
+

       
  "$satty" = "satty -f -";


     

       

       
5

       
+

       



     

       

       
6

       
+

       
  binde = [


     

       

       
7

       
+

       
    # Media binds that can be held and repeated


     

       

       
8

       
+

       
    ", XF86MonBrightnessDown, exec, brightnessctl set 5%-"


     

       

       
9

       
+

       
    ", XF86MonBrightnessUp, exec, brightnessctl set +5%"


     

       

       
10

       
+

       
    ", XF86AudioRaiseVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+"


     

       

       
11

       
+

       
    ", XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"


     

       

       
12

       
+

       
  ];


     

       

       
13

       
+

       



     

       

       
14

       
+

       
  bind = [


     

       

       
15

       
+

       
    "SUPER_SHIFT, F, exec, MOZ_DISABLE_RDD_SANDBOX=1 firefox"


     

       

       
16

       
+

       
    "$mod, Return, exec, ghostty"


     

       

       
17

       
+

       
    "SUPER_SHIFT, E, exit"


     

       

       
18

       
+

       



     

       

       
19

       
+

       
    # Media Binds


     

       

       
20

       
+

       
    ", XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"


     

       

       
21

       
+

       
    ", XF86AudioMicMute, exec, wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"


     

       

       
22

       
+

       
    ", XF86AudioPlay, exec, playerctl play-pause"


     

       

       
23

       
+

       
    ", XF86AudioNext, exec, playerctl next"


     

       

       
24

       
+

       
    ", XF86AudioPrev, exec, playerctl previous"


     

       

       
25

       
+

       



     

       

       
26

       
+

       
    # Workspace binds


     

       

       
27

       
+

       
    "$mod, 1, workspace, 01"


     

       

       
28

       
+

       
    "SUPER_SHIFT, 1, hy3:movetoworkspace, 01"


     

       

       
29

       
+

       
    "$mod, 2, workspace, 02"


     

       

       
30

       
+

       
    "SUPER_SHIFT, 2, hy3:movetoworkspace, 02"


     

       

       
31

       
+

       
    "$mod, 3, workspace, 03"


     

       

       
32

       
+

       
    "SUPER_SHIFT, 3, hy3:movetoworkspace, 03"


     

       

       
33

       
+

       
    "$mod, 4, workspace, 04"


     

       

       
34

       
+

       
    "SUPER_SHIFT, 4, hy3:movetoworkspace, 04"


     

       

       
35

       
+

       
    "$mod, 5, workspace, 05"


     

       

       
36

       
+

       
    "SUPER_SHIFT, 5, hy3:movetoworkspace, 05"


     

       

       
37

       
+

       
    "$mod, 6, workspace, 06"


     

       

       
38

       
+

       
    "SUPER_SHIFT, 6, hy3:movetoworkspace, 06"


     

       

       
39

       
+

       
    "$mod, 7, workspace, 07"


     

       

       
40

       
+

       
    "SUPER_SHIFT, 7, hy3:movetoworkspace, 07"


     

       

       
41

       
+

       
    "$mod, 8, workspace, 08"


     

       

       
42

       
+

       
    "SUPER_SHIFT, 8, hy3:movetoworkspace, 08"


     

       

       
43

       
+

       
    "$mod, 9, workspace, 09"


     

       

       
44

       
+

       
    "SUPER_SHIFT, 9, hy3:movetoworkspace, 09"


     

       

       
45

       
+

       
    "$mod, 0, workspace, 10"


     

       

       
46

       
+

       
    "SUPER_SHIFT, 0, hy3:movetoworkspace, 10"


     

       

       
47

       
+

       
    # Scratchpad


     

       

       
48

       
+

       
    "SUPER_SHIFT, -, hy3:movetoworkspace, special:default"


     

       

       
49

       
+

       
    "$mod, -, togglespecialworkspace, default"


     

       

       
50

       
+

       



     

       

       
51

       
+

       
    # Window Management


     

       

       
52

       
+

       
    "SUPER_SHIFT, Up, hy3:movewindow, up, once, visible"


     

       

       
53

       
+

       
    "SUPER_SHIFT, K, hy3:movewindow, up, once, visible"


     

       

       
54

       
+

       
    "$mod, Up, hy3:movefocus, up, visible, warp"


     

       

       
55

       
+

       
    "$mod, K, hy3:movefocus, up, visible, warp"


     

       

       
56

       
+

       



     

       

       
57

       
+

       
    "SUPER_SHIFT, Right, hy3:movewindow, right, once, visible"


     

       

       
58

       
+

       
    "SUPER_SHIFT, L, hy3:movewindow, right, once, visible"


     

       

       
59

       
+

       
    "$mod, Right, hy3:movefocus, right, visible, warp"


     

       

       
60

       
+

       
    "$mod, L, hy3:movefocus, right, visible, warp"


     

       

       
61

       
+

       



     

       

       
62

       
+

       
    "SUPER_SHIFT, Left, hy3:movewindow, left, once, visible"


     

       

       
63

       
+

       
    "SUPER_SHIFT, H, hy3:movewindow, left, once, visible"


     

       

       
64

       
+

       
    "$mod, Left, hy3:movefocus, left, visible, warp"


     

       

       
65

       
+

       
    "$mod, H, hy3:movefocus, left, visible, warp"


     

       

       
66

       
+

       



     

       

       
67

       
+

       
    "SUPER_SHIFT, Down, hy3:movewindow, down, once, visible"


     

       

       
68

       
+

       
    "SUPER_SHIFT, J, hy3:movewindow, down, once, visible"


     

       

       
69

       
+

       
    "$mod, Down, hy3:movefocus, down, visible, warp"


     

       

       
70

       
+

       
    "$mod, J, hy3:movefocus, down, visible, warp"


     

       

       
71

       
+

       



     

       

       
72

       
+

       
    "SUPER_SHIFT, Q, killactive"


     

       

       
73

       
+

       
    "$mod, F, fullscreen, 0"


     

       

       
74

       
+

       
    # Super-(literal equals)


     

       

       
75

       
+

       
    "$mod, code:21, hy3:togglefocuslayer"


     

       

       
76

       
+

       
    # Super-(literal plus)


     

       

       
77

       
+

       
    "SUPER_SHIFT, code:21, togglefloating, active"


     

       

       
78

       
+

       



     

       

       
79

       
+

       
    # Screenshots


     

       

       
80

       
+

       
    "SHIFT, F3, exec, hyprshot -m output --raw -z -s | $satty"


     

       

       
81

       
+

       
    "SHIFT, F4, exec, hyprshot -m region --raw -z -s | $satty"


     

       

       
82

       
+

       
  ]


     

       

       
83

       
+

       
  ++ lib.optionals (shell == "caelestia") [


     

       

       
84

       
+

       
    "$mod, X, global, caelestia:session"


     

       

       
85

       
+

       
    ", XF86PowerOff , global, caelestia:session"


     

       

       
86

       
+

       
    "$mod, Space, global, caelestia:launcher"


     

       

       
87

       
+

       
  ]


     

       

       
88

       
+

       
  ++ lib.optionals (shell == "dms") [


     

       

       
89

       
+

       
    "$mod, X, exec, dms ipc call powermenu toggle"


     

       

       
90

       
+

       
    ", XF86PowerOff ,exec, dms ipc call powermenu toggle"


     

       

       
91

       
+

       
    "SUPER_SHIFT, X, exec, dms ipc call lock lock"


     

       

       
92

       
+

       
    "$mod, Space, exec, dms ipc call spotlight toggle"


     

       

       
93

       
+

       
  ];


     

       

       
94

       
+

       



     

       

       
95

       
+

       
  bindm = [


     

       

       
96

       
+

       
    "$mod, mouse:272, movewindow"


     

       

       
97

       
+

       
  ];


     

       

       
98

       
+

       



     

       

       
99

       
+

       
  # Unbind a bunch of default keybinds


     

       

       
100

       
+

       
  unbind = [


     

       

       
101

       
+

       
    "$mod, C"


     

       

       
102

       
+

       
    "$mod, E"


     

       

       
103

       
+

       
    "$mod, J"


     

       

       
104

       
+

       
    "$mod, M"


     

       

       
105

       
+

       
    "$mod, P"


     

       

       
106

       
+

       
    "$mod, Q"


     

       

       
107

       
+

       
    "$mod, R"


     

       

       
108

       
+

       
    "$mod, V"


     

       

       
109

       
+

       
  ];


     

       
45

       
110

       
 

       
}
+8
homeModules/wayland/monitors.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  monitor = [


     

       

       
3

       
+

       
    "eDP-1, 2560x1600@165, 0x0, 1, vrr, 1"


     

       

       
4

       
+

       
    "desc:Acer Technologies SA241Y 0x1497CF17, preferred, 2560x0, 1"


     

       

       
5

       
+

       
    # Fallback for random monitors


     

       

       
6

       
+

       
    ", preferred, auto, 1"


     

       

       
7

       
+

       
  ];


     

       

       
8

       
+

       
}
+7
homeModules/wayland/plugins.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  plugin = {


     

       

       
3

       
+

       
    hy3 = {


     

       

       
4

       
+

       
      no_gaps_when_only = 1;


     

       

       
5

       
+

       
    };


     

       

       
6

       
+

       
  };


     

       

       
7

       
+

       
}
+10
homeModules/wayland/services.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  config,


     

       

       
3

       
+

       
  ...


     

       

       
4

       
+

       
}:


     

       

       
5

       
+

       
let


     

       

       
6

       
+

       
  cfg = config.wayland.windowManager.hyprland;


     

       

       
7

       
+

       
in


     

       

       
8

       
+

       
{


     

       

       
9

       
+

       
  services.hyprpolkitagent.enable = cfg.enable;


     

       

       
10

       
+

       
}
+25
homeModules/wayland/settings.nix 
···

       

       
1

       
+

       
{ config, lib, ... }:


     

       

       
2

       
+

       
let


     

       

       
3

       
+

       
  inherit (config.py.profiles.desktop) shell;


     

       

       
4

       
+

       
  keybinds = import ./keybindings.nix { inherit lib shell; };


     

       

       
5

       
+

       
  monitors = import ./monitors.nix;


     

       

       
6

       
+

       
  variables = import ./variables.nix;


     

       

       
7

       
+

       
  plugins = import ./plugins.nix;


     

       

       
8

       
+

       
  env = import ./env.nix;


     

       

       
9

       
+

       
  windowrules = import ./windowrules.nix;


     

       

       
10

       
+

       
in


     

       

       
11

       
+

       
{


     

       

       
12

       
+

       
  animation = [


     

       

       
13

       
+

       
    "global, 1, 4, default"


     

       

       
14

       
+

       
  ];


     

       

       
15

       
+

       
  exec-once = lib.optionals (shell == "dms") [


     

       

       
16

       
+

       
    "dms run"


     

       

       
17

       
+

       
    "bash -c \"wl-paste --watch cliphist store &\""


     

       

       
18

       
+

       
  ];


     

       

       
19

       
+

       
}


     

       

       
20

       
+

       
// keybinds


     

       

       
21

       
+

       
// monitors


     

       

       
22

       
+

       
// variables


     

       

       
23

       
+

       
// plugins


     

       

       
24

       
+

       
// env


     

       

       
25

       
+

       
// windowrules
-156
homeModules/wayland/sway.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  pkgs,


     

       
3

       

       
-

       
  config,


     

       
4

       

       
-

       
  lib,


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}:


     

       
7

       

       
-

       
let


     

       
8

       

       
-

       
  term = config.wayland.windowManager.sway.config.terminal;


     

       
9

       

       
-

       
  homeDir = config.home.homeDirectory;


     

       
10

       

       
-

       
  cfg = config.py.profiles.gui;


     

       
11

       

       
-

       
in


     

       
12

       

       
-

       
{


     

       
13

       

       
-

       
  config = lib.mkIf cfg.enable {


     

       
14

       

       
-

       
    catppuccin = {


     

       
15

       

       
-

       
      sway.enable = true;


     

       
16

       

       
-

       
    };


     

       
17

       

       
-

       
    home.sessionVariables = {


     

       
18

       

       
-

       
      XDG_CURRENT_DESKTOP = "sway";


     

       
19

       

       
-

       
    };


     

       
20

       

       
-

       
    wayland.windowManager.sway = {


     

       
21

       

       
-

       
      enable = lib.mkDefault true;


     

       
22

       

       
-

       
      package = null;


     

       
23

       

       
-

       
      # nix-community/home-manager/issues/5311


     

       
24

       

       
-

       
      checkConfig = false;


     

       
25

       

       
-

       
      wrapperFeatures.base = true;


     

       
26

       

       
-

       
      wrapperFeatures.gtk = true;


     

       
27

       

       
-

       
      extraConfig = ''


     

       
28

       

       
-

       
        default_border pixel


     

       
29

       

       
-

       
        focus_on_window_activation smart


     

       
30

       

       
-

       
      '';


     

       
31

       

       
-

       
      systemd = {


     

       
32

       

       
-

       
        enable = true;


     

       
33

       

       
-

       
        xdgAutostart = true;


     

       
34

       

       
-

       
      };


     

       
35

       

       
-

       
      config = {


     

       
36

       

       
-

       
        terminal = lib.getExe pkgs.ghostty;


     

       
37

       

       
-

       
        menu = "exec ${lib.getExe pkgs.onagre}";


     

       
38

       

       
-

       
        modifier = "Mod4";


     

       
39

       

       
-

       
        bars = [ { command = "true"; } ];


     

       
40

       

       
-

       
        focus = {


     

       
41

       

       
-

       
          followMouse = true;


     

       
42

       

       
-

       
          mouseWarping = true;


     

       
43

       

       
-

       
          newWindow = "smart";


     

       
44

       

       
-

       
        };


     

       
45

       

       
-

       
        fonts = {


     

       
46

       

       
-

       
          names = [ "Inter" ];


     

       
47

       

       
-

       
          style = "Regular";


     

       
48

       

       
-

       
          size = 12.0;


     

       
49

       

       
-

       
        };


     

       
50

       

       
-

       
        gaps = {


     

       
51

       

       
-

       
          inner = 1;


     

       
52

       

       
-

       
          outer = 1;


     

       
53

       

       
-

       
          smartBorders = "on";


     

       
54

       

       
-

       
          smartGaps = false;


     

       
55

       

       
-

       
        };


     

       
56

       

       
-

       
        input = {


     

       
57

       

       
-

       
          "type:keyboard" = {


     

       
58

       

       
-

       
            xkb_options = "caps:escape";


     

       
59

       

       
-

       
          };


     

       
60

       

       
-

       
          "type:mouse" = {


     

       
61

       

       
-

       
            accel_profile = "flat";


     

       
62

       

       
-

       
          };


     

       
63

       

       
-

       
          "type:touchpad" = {


     

       
64

       

       
-

       
            accel_profile = "adaptive";


     

       
65

       

       
-

       
            scroll_factor = "1.5";


     

       
66

       

       
-

       
            tap = "enabled";


     

       
67

       

       
-

       
          };


     

       
68

       

       
-

       
        };


     

       
69

       

       
-

       
        modes = {


     

       
70

       

       
-

       
          resize = {


     

       
71

       

       
-

       
            Escape = "mode default";


     

       
72

       

       
-

       
            Return = "mode default";


     

       
73

       

       
-

       
            Up = "resize shrink height 10 px";


     

       
74

       

       
-

       
            Down = "resize grow height 10 px";


     

       
75

       

       
-

       
            Left = "resize shrink width 10 px";


     

       
76

       

       
-

       
            Right = "resize grow width 10 px";


     

       
77

       

       
-

       
            h = "resize shrink width 10 px";


     

       
78

       

       
-

       
            j = "resize grow height 10 px";


     

       
79

       

       
-

       
            k = "resize shrink height 10 px";


     

       
80

       

       
-

       
            l = "resize grow width 10 px";


     

       
81

       

       
-

       
          };


     

       
82

       

       
-

       
        };


     

       
83

       

       
-

       
        output = {


     

       
84

       

       
-

       
          eDP-1 = {


     

       
85

       

       
-

       
            scale = "1.2";


     

       
86

       

       
-

       
          };


     

       
87

       

       
-

       
        };


     

       
88

       

       
-

       
        startup = [


     

       
89

       

       
-

       
          { command = "${pkgs.dex}/bin/dex -a"; }


     

       
90

       

       
-

       
          { command = "${homeDir}/scripts/unfuck-xdg-portals.fish"; }


     

       
91

       

       
-

       
          { command = "wl-paste -t text --watch clipman store --no-persist"; }


     

       
92

       

       
-

       
        ];


     

       
93

       

       
-

       
        window = {


     

       
94

       

       
-

       
          commands = [


     

       
95

       

       
-

       
            {


     

       
96

       

       
-

       
              command = "inhibit_idle fullscreen";


     

       
97

       

       
-

       
              criteria = {


     

       
98

       

       
-

       
                class = "Chromium|zoom|Firefox";


     

       
99

       

       
-

       
              };


     

       
100

       

       
-

       
            }


     

       
101

       

       
-

       
            {


     

       
102

       

       
-

       
              command = "floating enable, sticky enable, resize set 20 ppt 40 ppt, border pixel 4";


     

       
103

       

       
-

       
              criteria = {


     

       
104

       

       
-

       
                app_id = "^py.floating$";


     

       
105

       

       
-

       
              };


     

       
106

       

       
-

       
            }


     

       
107

       

       
-

       
            {


     

       
108

       

       
-

       
              command = "resize set 20 ppt";


     

       
109

       

       
-

       
              criteria = {


     

       
110

       

       
-

       
                title = "Mumble PTT";


     

       
111

       

       
-

       
              };


     

       
112

       

       
-

       
            }


     

       
113

       

       
-

       
          ];


     

       
114

       

       
-

       
        };


     

       
115

       

       
-

       
        colors = {


     

       
116

       

       
-

       
          background = "$base";


     

       
117

       

       
-

       
          focused = {


     

       
118

       

       
-

       
            border = "$pink";


     

       
119

       

       
-

       
            background = "$base";


     

       
120

       

       
-

       
            text = "$text";


     

       
121

       

       
-

       
            indicator = "$rosewater";


     

       
122

       

       
-

       
            childBorder = "$pink";


     

       
123

       

       
-

       
          };


     

       
124

       

       
-

       
          focusedInactive = {


     

       
125

       

       
-

       
            border = "$mauve";


     

       
126

       

       
-

       
            background = "$base";


     

       
127

       

       
-

       
            text = "$text";


     

       
128

       

       
-

       
            indicator = "$rosewater";


     

       
129

       

       
-

       
            childBorder = "$mauve";


     

       
130

       

       
-

       
          };


     

       
131

       

       
-

       
          unfocused = {


     

       
132

       

       
-

       
            border = "$mauve";


     

       
133

       

       
-

       
            background = "$base";


     

       
134

       

       
-

       
            text = "$text";


     

       
135

       

       
-

       
            indicator = "$rosewater";


     

       
136

       

       
-

       
            childBorder = "$mauve";


     

       
137

       

       
-

       
          };


     

       
138

       

       
-

       
          urgent = {


     

       
139

       

       
-

       
            border = "$peach";


     

       
140

       

       
-

       
            background = "$base";


     

       
141

       

       
-

       
            text = "$peach";


     

       
142

       

       
-

       
            indicator = "$overlay0";


     

       
143

       

       
-

       
            childBorder = "$peach";


     

       
144

       

       
-

       
          };


     

       
145

       

       
-

       
          placeholder = {


     

       
146

       

       
-

       
            border = "$overlay0";


     

       
147

       

       
-

       
            background = "$base";


     

       
148

       

       
-

       
            text = "$text";


     

       
149

       

       
-

       
            indicator = "$overlay0";


     

       
150

       

       
-

       
            childBorder = "$overlay0";


     

       
151

       

       
-

       
          };


     

       
152

       

       
-

       
        };


     

       
153

       

       
-

       
      };


     

       
154

       

       
-

       
    };


     

       
155

       

       
-

       
  };


     

       
156

       

       
-

       
}
-67
homeModules/wayland/swaylock.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  lib,


     

       
3

       

       
-

       
  config,


     

       
4

       

       
-

       
  pkgs,


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}:


     

       
7

       

       
-

       
let


     

       
8

       

       
-

       
  cfg = config.py.profiles.gui;


     

       
9

       

       
-

       
in


     

       
10

       

       
-

       
{


     

       
11

       

       
-

       
  catppuccin = {


     

       
12

       

       
-

       
    swaylock.enable = false;


     

       
13

       

       
-

       
  };


     

       
14

       

       
-

       
  programs.swaylock = lib.mkIf cfg.enable {


     

       
15

       

       
-

       
    enable = lib.mkDefault true;


     

       
16

       

       
-

       
    package = pkgs.swaylock-effects;


     

       
17

       

       
-

       
    settings = {


     

       
18

       

       
-

       
      daemonize = true;


     

       
19

       

       
-

       
      image = "/home/thehedgehog/bgs/ctp-waves.png";


     

       
20

       

       
-

       
      scaling = "fill";


     

       
21

       

       
-

       
      line-uses-ring = true;


     

       
22

       

       
-

       
      ignore-empty-password = true;


     

       
23

       

       
-

       
      clock = true;


     

       
24

       

       
-

       
      timestr = "%T";


     

       
25

       

       
-

       
      effect-blur = "5x5";


     

       
26

       

       
-

       



     

       
27

       

       
-

       
      font = "IBM Plex Sans";


     

       
28

       

       
-

       
      font-size = 20;


     

       
29

       

       
-

       



     

       
30

       

       
-

       
      indicator = true;


     

       
31

       

       
-

       
      indicator-idle-visible = true;


     

       
32

       

       
-

       
      indicator-radius = 100;


     

       
33

       

       
-

       
      indicator-thickness = 5;


     

       
34

       

       
-

       



     

       
35

       

       
-

       
      # Catppuccin Theme(avoid IFD by vendoring it in here)


     

       
36

       

       
-

       
      color = "1e1e2e";


     

       
37

       

       
-

       
      bs-hl-color = "f5e0dc";


     

       
38

       

       
-

       
      caps-lock-bs-hl-color = "f5e0dc";


     

       
39

       

       
-

       
      caps-lock-key-hl-color = "a6e3a1";


     

       
40

       

       
-

       
      inside-color = "00000000";


     

       
41

       

       
-

       
      inside-clear-color = "00000000";


     

       
42

       

       
-

       
      inside-caps-lock-color = "00000000";


     

       
43

       

       
-

       
      inside-ver-color = "00000000";


     

       
44

       

       
-

       
      inside-wrong-color = "00000000";


     

       
45

       

       
-

       
      key-hl-color = "a6e3a1";


     

       
46

       

       
-

       
      layout-bg-color = "00000000";


     

       
47

       

       
-

       
      layout-border-color = "00000000";


     

       
48

       

       
-

       
      layout-text-color = "cdd6f4";


     

       
49

       

       
-

       
      line-color = "00000000";


     

       
50

       

       
-

       
      line-clear-color = "00000000";


     

       
51

       

       
-

       
      line-caps-lock-color = "00000000";


     

       
52

       

       
-

       
      line-ver-color = "00000000";


     

       
53

       

       
-

       
      line-wrong-color = "00000000";


     

       
54

       

       
-

       
      ring-color = "b4befe";


     

       
55

       

       
-

       
      ring-clear-color = "f5e0dc";


     

       
56

       

       
-

       
      ring-caps-lock-color = "fab387";


     

       
57

       

       
-

       
      ring-ver-color = "89b4fa";


     

       
58

       

       
-

       
      ring-wrong-color = "eba0ac";


     

       
59

       

       
-

       
      separator-color = "00000000";


     

       
60

       

       
-

       
      text-color = "cdd6f4";


     

       
61

       

       
-

       
      text-clear-color = "f5e0dc";


     

       
62

       

       
-

       
      text-caps-lock-color = "fab387";


     

       
63

       

       
-

       
      text-ver-color = "89b4fa";


     

       
64

       

       
-

       
      text-wrong-color = "eba0ac";


     

       
65

       

       
-

       
    };


     

       
66

       

       
-

       
  };


     

       
67

       

       
-

       
}
+35
homeModules/wayland/variables.nix 
···

       

       
1

       
+

       
# https://wiki.hypr.land/Configuring/Variables


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  general = {


     

       

       
4

       
+

       
    gaps_in = 1;


     

       

       
5

       
+

       
    gaps_out = 10;


     

       

       
6

       
+

       
    layout = "hy3";


     

       

       
7

       
+

       
    resize_on_border = true;


     

       

       
8

       
+

       
  };


     

       

       
9

       
+

       
  decoration = {


     

       

       
10

       
+

       
    blur.enabled = false;


     

       

       
11

       
+

       
    shadow.enabled = false;


     

       

       
12

       
+

       
  };


     

       

       
13

       
+

       
  misc = {


     

       

       
14

       
+

       
    disable_hyprland_logo = true;


     

       

       
15

       
+

       
    disable_splash_rendering = true;


     

       

       
16

       
+

       
    font_family = "Inter";


     

       

       
17

       
+

       
    mouse_move_focuses_monitor = true;


     

       

       
18

       
+

       
  };


     

       

       
19

       
+

       
  input = {


     

       

       
20

       
+

       
    kb_options = "caps:escape";


     

       

       
21

       
+

       
    repeat_delay = 300;


     

       

       
22

       
+

       
    touchpad = {


     

       

       
23

       
+

       
      scroll_factor = 1.5;


     

       

       
24

       
+

       
      tap_button_map = "lmr";


     

       

       
25

       
+

       
      tap-and-drag = false;


     

       

       
26

       
+

       
    };


     

       

       
27

       
+

       
  };


     

       

       
28

       
+

       
  cursor = {


     

       

       
29

       
+

       
    hotspot_padding = 2;


     

       

       
30

       
+

       
  };


     

       

       
31

       
+

       
  ecosystem = {


     

       

       
32

       
+

       
    no_update_news = true;


     

       

       
33

       
+

       
    no_donation_nag = true;


     

       

       
34

       
+

       
  };


     

       

       
35

       
+

       
}
-37
homeModules/wayland/waybar-mocha.css 
···

       
1

       

       
-

       
/*


     

       
2

       

       
-

       
*


     

       
3

       

       
-

       
* Catppuccin Mocha palette


     

       
4

       

       
-

       
* Maintainer: rubyowo


     

       
5

       

       
-

       
*


     

       
6

       

       
-

       
*/


     

       
7

       

       
-

       



     

       
8

       

       
-

       
@define-color base   #1e1e2e;


     

       
9

       

       
-

       
@define-color mantle #181825;


     

       
10

       

       
-

       
@define-color crust  #11111b;


     

       
11

       

       
-

       



     

       
12

       

       
-

       
@define-color text     #cdd6f4;


     

       
13

       

       
-

       
@define-color subtext0 #a6adc8;


     

       
14

       

       
-

       
@define-color subtext1 #bac2de;


     

       
15

       

       
-

       



     

       
16

       

       
-

       
@define-color surface0 #313244;


     

       
17

       

       
-

       
@define-color surface1 #45475a;


     

       
18

       

       
-

       
@define-color surface2 #585b70;


     

       
19

       

       
-

       



     

       
20

       

       
-

       
@define-color overlay0 #6c7086;


     

       
21

       

       
-

       
@define-color overlay1 #7f849c;


     

       
22

       

       
-

       
@define-color overlay2 #9399b2;


     

       
23

       

       
-

       



     

       
24

       

       
-

       
@define-color blue      #89b4fa;


     

       
25

       

       
-

       
@define-color lavender  #b4befe;


     

       
26

       

       
-

       
@define-color sapphire  #74c7ec;


     

       
27

       

       
-

       
@define-color sky       #89dceb;


     

       
28

       

       
-

       
@define-color teal      #94e2d5;


     

       
29

       

       
-

       
@define-color green     #a6e3a1;


     

       
30

       

       
-

       
@define-color yellow    #f9e2af;


     

       
31

       

       
-

       
@define-color peach     #fab387;


     

       
32

       

       
-

       
@define-color maroon    #eba0ac;


     

       
33

       

       
-

       
@define-color red       #f38ba8;


     

       
34

       

       
-

       
@define-color mauve     #cba6f7;


     

       
35

       

       
-

       
@define-color pink      #f5c2e7;


     

       
36

       

       
-

       
@define-color flamingo  #f2cdcd;


     

       
37

       

       
-

       
@define-color rosewater #f5e0dc;
-128
homeModules/wayland/waybar-style.css 
···

       
1

       

       
-

       
@import "mocha.css";


     

       
2

       

       
-

       
#waybar {


     

       
3

       

       
-

       
  font-family:


     

       
4

       

       
-

       
    BlexMono Nerd Font,


     

       
5

       

       
-

       
    sans-serif;


     

       
6

       

       
-

       
  font-size: 16px;


     

       
7

       

       
-

       
}


     

       
8

       

       
-

       



     

       
9

       

       
-

       
#window {


     

       
10

       

       
-

       
  padding: 0 4px;


     

       
11

       

       
-

       
}


     

       
12

       

       
-

       



     

       
13

       

       
-

       
.modules-center {


     

       
14

       

       
-

       
  padding-right: 20px;


     

       
15

       

       
-

       
}


     

       
16

       

       
-

       



     

       
17

       

       
-

       
window#waybar {


     

       
18

       

       
-

       
  border: none;


     

       
19

       

       
-

       
  border-radius: 0;


     

       
20

       

       
-

       
  box-shadow: none;


     

       
21

       

       
-

       
  text-shadow: none;


     

       
22

       

       
-

       
  transition-duration: 0s;


     

       
23

       

       
-

       
  color: @text;


     

       
24

       

       
-

       
  background: @base;


     

       
25

       

       
-

       
}


     

       
26

       

       
-

       



     

       
27

       

       
-

       
#workspaces {


     

       
28

       

       
-

       
  margin: 0 5px;


     

       
29

       

       
-

       
}


     

       
30

       

       
-

       



     

       
31

       

       
-

       
#workspaces button {


     

       
32

       

       
-

       
  padding: 0 8px;


     

       
33

       

       
-

       
  color: @text;


     

       
34

       

       
-

       
  border-bottom: 2px solid @subtext0;


     

       
35

       

       
-

       
  border-radius: 0px;


     

       
36

       

       
-

       
  min-width: 25px;


     

       
37

       

       
-

       
  margin-right: 8px;


     

       
38

       

       
-

       
}


     

       
39

       

       
-

       



     

       
40

       

       
-

       
#workspaces button.visible {


     

       
41

       

       
-

       
  color: @subtext0;


     

       
42

       

       
-

       
}


     

       
43

       

       
-

       



     

       
44

       

       
-

       
#workspaces button.focused {


     

       
45

       

       
-

       
  border-bottom: 3px solid @mauve;


     

       
46

       

       
-

       
  font-weight: bold;


     

       
47

       

       
-

       
}


     

       
48

       

       
-

       



     

       
49

       

       
-

       
#workspaces button.urgent {


     

       
50

       

       
-

       
  border: 2px solid @red;


     

       
51

       

       
-

       
}


     

       
52

       

       
-

       



     

       
53

       

       
-

       
#workspaces button:hover {


     

       
54

       

       
-

       
  border-color: @blue;


     

       
55

       

       
-

       
  color: @blue;


     

       
56

       

       
-

       
}


     

       
57

       

       
-

       



     

       
58

       

       
-

       
/* Repeat style here to ensure properties are overwritten as there's no !important and button:hover above resets the colour */


     

       
59

       

       
-

       



     

       
60

       

       
-

       
#workspaces button.focused {


     

       
61

       

       
-

       
  color: @subtext0;


     

       
62

       

       
-

       
}


     

       
63

       

       
-

       
#workspaces button.focused:hover {


     

       
64

       

       
-

       
  color: @text;


     

       
65

       

       
-

       
}


     

       
66

       

       
-

       



     

       
67

       

       
-

       
#tray,


     

       
68

       

       
-

       
#mode,


     

       
69

       

       
-

       
#battery,


     

       
70

       

       
-

       
#temperature,


     

       
71

       

       
-

       
#cpu,


     

       
72

       

       
-

       
#memory,


     

       
73

       

       
-

       
#network,


     

       
74

       

       
-

       
#wireplumber,


     

       
75

       

       
-

       
#clock,


     

       
76

       

       
-

       
#idle_inhibitor,


     

       
77

       

       
-

       
#sway-language,


     

       
78

       

       
-

       
#backlight {


     

       
79

       

       
-

       
  padding: 2px 8px;


     

       
80

       

       
-

       
  margin: 2px 5px;


     

       
81

       

       
-

       
  color: @text;


     

       
82

       

       
-

       
}


     

       
83

       

       
-

       



     

       
84

       

       
-

       
#mode:hover,


     

       
85

       

       
-

       
#battery:hover,


     

       
86

       

       
-

       
#temperature:hover,


     

       
87

       

       
-

       
#cpu:hover,


     

       
88

       

       
-

       
#memory:hover,


     

       
89

       

       
-

       
#network:hover,


     

       
90

       

       
-

       
#wireplumber:hover,


     

       
91

       

       
-

       
#clock:hover,


     

       
92

       

       
-

       
#idle_inhibitor:hover,


     

       
93

       

       
-

       
#sway-language:hover,


     

       
94

       

       
-

       
#backlight:hover {


     

       
95

       

       
-

       
  background-color: @subtext1;


     

       
96

       

       
-

       
  color: @base;


     

       
97

       

       
-

       
}


     

       
98

       

       
-

       



     

       
99

       

       
-

       
#clock {


     

       
100

       

       
-

       
  font-weight: bold;


     

       
101

       

       
-

       
}


     

       
102

       

       
-

       



     

       
103

       

       
-

       
#battery.warning {


     

       
104

       

       
-

       
  color: @yellow;


     

       
105

       

       
-

       
}


     

       
106

       

       
-

       



     

       
107

       

       
-

       
#battery.critical {


     

       
108

       

       
-

       
  color: @red;


     

       
109

       

       
-

       
}


     

       
110

       

       
-

       



     

       
111

       

       
-

       
#battery.charging,


     

       
112

       

       
-

       
#battery.full {


     

       
113

       

       
-

       
  color: @green;


     

       
114

       

       
-

       
}


     

       
115

       

       
-

       



     

       
116

       

       
-

       
#battery.warning:hover,


     

       
117

       

       
-

       
#battery.critical:hover,


     

       
118

       

       
-

       
#battery.charging:hover,


     

       
119

       

       
-

       
#battery.full:hover {


     

       
120

       

       
-

       
  color: @base;


     

       
121

       

       
-

       
}


     

       
122

       

       
-

       



     

       
123

       

       
-

       
@keyframes blink {


     

       
124

       

       
-

       
  to {


     

       
125

       

       
-

       
    background-color: #ffffff;


     

       
126

       

       
-

       
    color: black;


     

       
127

       

       
-

       
  }


     

       
128

       

       
-

       
}
-172
homeModules/wayland/waybar.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  pkgs,


     

       
3

       

       
-

       
  lib,


     

       
4

       

       
-

       
  config,


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}:


     

       
7

       

       
-

       
let


     

       
8

       

       
-

       
  cfg = config.py.profiles.gui;


     

       
9

       

       
-

       
  sway = config.wayland.windowManager.sway;


     

       
10

       

       
-

       
in


     

       
11

       

       
-

       
{


     

       
12

       

       
-

       
  config = {


     

       
13

       

       
-

       
    xdg.configFile."waybar/mocha.css" = lib.mkIf (cfg.enable && sway.enable) {


     

       
14

       

       
-

       
      source = ./waybar-mocha.css;


     

       
15

       

       
-

       
      recursive = false;


     

       
16

       

       
-

       
    };


     

       
17

       

       
-

       
    catppuccin.waybar.enable = false;


     

       
18

       

       
-

       
    programs.waybar = lib.mkIf (cfg.enable && sway.enable) {


     

       
19

       

       
-

       
      enable = lib.mkDefault false;


     

       
20

       

       
-

       
      systemd.enable = true;


     

       
21

       

       
-

       
      systemd.target = "sway-session.target";


     

       
22

       

       
-

       
      style = ./waybar-style.css;


     

       
23

       

       
-

       
      settings = {


     

       
24

       

       
-

       
        mainBar = {


     

       
25

       

       
-

       
          layer = "top";


     

       
26

       

       
-

       
          position = "top";


     

       
27

       

       
-

       
          height = 32;


     

       
28

       

       
-

       
          modules-left = [


     

       
29

       

       
-

       
            "sway/workspaces"


     

       
30

       

       
-

       
            "sway/mode"


     

       
31

       

       
-

       
          ];


     

       
32

       

       
-

       
          modules-center = [ "mpris" ];


     

       
33

       

       
-

       
          modules-right = [


     

       
34

       

       
-

       
            "idle_inhibitor"


     

       
35

       

       
-

       
            "wireplumber"


     

       
36

       

       
-

       
            "network"


     

       
37

       

       
-

       
            "temperature"


     

       
38

       

       
-

       
            "backlight"


     

       
39

       

       
-

       
            "battery"


     

       
40

       

       
-

       
            "clock"


     

       
41

       

       
-

       
            "tray"


     

       
42

       

       
-

       
          ];


     

       
43

       

       
-

       
          "sway/workspaces" = {


     

       
44

       

       
-

       
            disable-scroll = true;


     

       
45

       

       
-

       
            enable-bar-scroll = false;


     

       
46

       

       
-

       
            active-only = false;


     

       
47

       

       
-

       
            all-outputs = false;


     

       
48

       

       
-

       
            format = "{icon}";


     

       
49

       

       
-

       
          };


     

       
50

       

       
-

       
          "idle_inhibitor" = {


     

       
51

       

       
-

       
            format = "{icon} ";


     

       
52

       

       
-

       
            format-icons = {


     

       
53

       

       
-

       
              "activated" = "";


     

       
54

       

       
-

       
              "deactivated" = "";


     

       
55

       

       
-

       
            };


     

       
56

       

       
-

       
          };


     

       
57

       

       
-

       
          "tray" = {


     

       
58

       

       
-

       
            icon-size = 25;


     

       
59

       

       
-

       
            spacing = 12;


     

       
60

       

       
-

       
          };


     

       
61

       

       
-

       
          "clock" = {


     

       
62

       

       
-

       
            tooltip-format = "<tt><small>{calendar}</small></tt>";


     

       
63

       

       
-

       
            format = " {:%H:%M:%S}";


     

       
64

       

       
-

       
            format-alt = "{%d %b %Y}";


     

       
65

       

       
-

       
            interval = 1;


     

       
66

       

       
-

       
            calendar = {


     

       
67

       

       
-

       
              format = {


     

       
68

       

       
-

       
                today = "<span color='#89b4fa'><b><u>{}</u></b></span>";


     

       
69

       

       
-

       
              };


     

       
70

       

       
-

       
            };


     

       
71

       

       
-

       
          };


     

       
72

       

       
-

       
          "cpu" = {


     

       
73

       

       
-

       
            format = " {usage}%";


     

       
74

       

       
-

       
            interval = 5;


     

       
75

       

       
-

       
            tooltip = false;


     

       
76

       

       
-

       
          };


     

       
77

       

       
-

       
          "memory" = {


     

       
78

       

       
-

       
            format = " {}%";


     

       
79

       

       
-

       
          };


     

       
80

       

       
-

       
          "temperature" = {


     

       
81

       

       
-

       
            critical-threshold = 80;


     

       
82

       

       
-

       
            format = "{icon} {temperatureC}°C";


     

       
83

       

       
-

       
            format-icons = [


     

       
84

       

       
-

       
              ""


     

       
85

       

       
-

       
              ""


     

       
86

       

       
-

       
              ""


     

       
87

       

       
-

       
              ""


     

       
88

       

       
-

       
              ""


     

       
89

       

       
-

       
            ];


     

       
90

       

       
-

       
          };


     

       
91

       

       
-

       
          "backlight" = {


     

       
92

       

       
-

       
            format = "{icon} {percent}%";


     

       
93

       

       
-

       
            format-icons = [


     

       
94

       

       
-

       
              "󰃚"


     

       
95

       

       
-

       
              "󰃛"


     

       
96

       

       
-

       
              "󰃜"


     

       
97

       

       
-

       
              "󰃝"


     

       
98

       

       
-

       
              "󰃞"


     

       
99

       

       
-

       
              "󰃟"


     

       
100

       

       
-

       
              "󰃠"


     

       
101

       

       
-

       
            ];


     

       
102

       

       
-

       
          };


     

       
103

       

       
-

       
          "battery" = {


     

       
104

       

       
-

       
            states = {


     

       
105

       

       
-

       
              good = 65;


     

       
106

       

       
-

       
              warning = 30;


     

       
107

       

       
-

       
              critical = 15;


     

       
108

       

       
-

       
            };


     

       
109

       

       
-

       
            full-at = 80;


     

       
110

       

       
-

       
            format = "{icon} {capacity}%";


     

       
111

       

       
-

       
            format-charging = "󰂄 {capacity}%";


     

       
112

       

       
-

       
            format-plugged = " {capacity}%";


     

       
113

       

       
-

       
            format-alt = "{icon} {time}";


     

       
114

       

       
-

       
            format-icons = [


     

       
115

       

       
-

       
              "󰂎"


     

       
116

       

       
-

       
              "󰁺"


     

       
117

       

       
-

       
              "󰁻"


     

       
118

       

       
-

       
              "󰁼"


     

       
119

       

       
-

       
              "󰁽"


     

       
120

       

       
-

       
              "󰁾"


     

       
121

       

       
-

       
              "󰁿"


     

       
122

       

       
-

       
              "󰂀"


     

       
123

       

       
-

       
              "󰂁"


     

       
124

       

       
-

       
              "󰂂"


     

       
125

       

       
-

       
              "󰁹"


     

       
126

       

       
-

       
            ];


     

       
127

       

       
-

       
          };


     

       
128

       

       
-

       
          "network" = {


     

       
129

       

       
-

       
            format-wifi = "<big></big>  {essid}";


     

       
130

       

       
-

       
            format-ethernet = "󰈀 {ifname}: {ipaddr}/{cidr}";


     

       
131

       

       
-

       
            format-linked = "󰄡 {ifname} (No IP)";


     

       
132

       

       
-

       
            format-disconnected = "⚠ Disconnected!";


     

       
133

       

       
-

       
            format-alt = "{ifname}: {ipaddr}/{cidr}";


     

       
134

       

       
-

       
            on-click = lib.getExe pkgs.networkmanagerapplet;


     

       
135

       

       
-

       
          };


     

       
136

       

       
-

       
          "wireplumber" = {


     

       
137

       

       
-

       
            format = "{icon} {volume}%";


     

       
138

       

       
-

       
            format-muted = "󰝟";


     

       
139

       

       
-

       
            format-icons = [


     

       
140

       

       
-

       
              ""


     

       
141

       

       
-

       
              ""


     

       
142

       

       
-

       
              ""


     

       
143

       

       
-

       
            ];


     

       
144

       

       
-

       
            states = {


     

       
145

       

       
-

       
              low = 15;


     

       
146

       

       
-

       
              med = 40;


     

       
147

       

       
-

       
              high = 60;


     

       
148

       

       
-

       
            };


     

       
149

       

       
-

       
            scroll-step = 5;


     

       
150

       

       
-

       
            on-click = lib.getExe pkgs.pwvucontrol;


     

       
151

       

       
-

       
          };


     

       
152

       

       
-

       
          mpris = {


     

       
153

       

       
-

       
            format = "{status_icon} {dynamic}";


     

       
154

       

       
-

       
            max-length = 100;


     

       
155

       

       
-

       
            format-paused = "{status_icon} <i>{dynamic}</i>";


     

       
156

       

       
-

       
            dynamic-order = [


     

       
157

       

       
-

       
              "artist"


     

       
158

       

       
-

       
              "title"


     

       
159

       

       
-

       
            ];


     

       
160

       

       
-

       
            status-icons = {


     

       
161

       

       
-

       
              playing = "";


     

       
162

       

       
-

       
              paused = "";


     

       
163

       

       
-

       
            };


     

       
164

       

       
-

       
            player-icons = {


     

       
165

       

       
-

       
              firefox = "󰈹";


     

       
166

       

       
-

       
            };


     

       
167

       

       
-

       
          };


     

       
168

       

       
-

       
        };


     

       
169

       

       
-

       
      };


     

       
170

       

       
-

       
    };


     

       
171

       

       
-

       
  };


     

       
172

       

       
-

       
}
+7
homeModules/wayland/windowrules.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  windowrule = [


     

       

       
3

       
+

       
    "immediate, content game, title:Celeste"


     

       

       
4

       
+

       
    "tile, title:Melvor Idle"


     

       

       
5

       
+

       
    "immediate, content game, fullscreen, monitor DP-2, class:steam_app_49520, initialClass:steam_app_49520"


     

       

       
6

       
+

       
  ];


     

       

       
7

       
+

       
}
+5 -4
homeModules/xdg/default.nix 
···

       
19

       
19

       
 

       
      xdgOpenUsePortal = true;


     

       
20

       
20

       
 

       
      extraPortals = [


     

       
21

       
21

       
 

       
        pkgs.xdg-desktop-portal-gtk


     

       
22

       

       
-

       
        pkgs.xdg-desktop-portal-wlr


     

       
23

       
22

       
 

       
      ];


     

       
24

       
23

       
 

       
      config = {


     

       
25

       
24

       
 

       
        common = {


     

       
26

       

       
-

       
          default = [ "gtk" ];


     

       
27

       

       
-

       
          "org.freedesktop.impl.portal.Screenshot" = [ "wlr" ];


     

       
28

       

       
-

       
          "org.freedesktop.impl.portal.ScreenCast" = [ "wlr" ];


     

       

       
25

       
+

       
          default = [


     

       

       
26

       
+

       
            "hyprland"


     

       

       
27

       
+

       
            "gtk"


     

       

       
28

       
+

       
          ];


     

       

       
29

       
+

       
          "org.freedesktop.impl.portal.FileChooser" = [ "gtk" ];


     

       
29

       
30

       
 

       
        };


     

       
30

       
31

       
 

       
      };


     

       
31

       
32

       
 

       
    };
+1 -2
hosts/default.nix 
···

       
5

       
5

       
 

       
      modules = [


     

       
6

       
6

       
 

       
        inputs.agenix.nixosModules.default


     

       
7

       
7

       
 

       
        inputs.ctp.nixosModules.catppuccin


     

       
8

       

       
-

       
        inputs.determinate.nixosModules.default


     

       
9

       
8

       
 

       
        inputs.home-manager.nixosModules.home-manager


     

       
10

       
9

       
 

       
        inputs.self.nixosModules.chromium


     

       
11

       
10

       
 

       
        inputs.self.nixosModules.defaultConfig


     
···

       
42

       
41

       
 

       
          "vps"


     

       
43

       
42

       
 

       
        ];


     

       
44

       
43

       
 

       
        modules = [


     

       
45

       

       
-

       
          inputs.mailserver.nixosModule


     

       

       
44

       
+

       
          inputs.dn42.nixosModules.default


     

       
46

       
45

       
 

       
        ];


     

       
47

       
46

       
 

       
      };


     

       
48

       
47

       
 

       
      thought = {
+4 -5
hosts/marvin/default.nix 
···

       
8

       
8

       
 

       
    ./hardware.nix


     

       
9

       
9

       
 

       



     

       
10

       
10

       
 

       
    # Running Services


     

       

       
11

       
+

       
    # keep-sorted start


     

       
11

       
12

       
 

       
    ./services/anubis.nix


     

       
12

       

       
-

       
    # ./services/authentik.nix


     

       
13

       
13

       
 

       
    ./services/avahi.nix


     

       
14

       
14

       
 

       
    ./services/bots.nix


     

       
15

       
15

       
 

       
    ./services/deemix.nix


     
···

       
17

       
17

       
 

       
    ./services/git.nix


     

       
18

       
18

       
 

       
    ./services/golink.nix


     

       
19

       
19

       
 

       
    ./services/grafana.nix


     

       
20

       

       
-

       
    # ./services/iceshrimp.nix


     

       

       
20

       
+

       
    ./services/immich.nix


     

       
21

       
21

       
 

       
    ./services/jellyfin.nix


     

       
22

       
22

       
 

       
    ./services/matrix.nix


     

       
23

       
23

       
 

       
    ./services/miniflux.nix


     

       

       
24

       
+

       
    ./services/nextcloud


     

       
24

       
25

       
 

       
    ./services/nginx.nix


     

       
25

       

       
-

       
    ./services/nextcloud


     

       
26

       
26

       
 

       
    ./services/pinchflat.nix


     

       
27

       

       
-

       
    ./services/pingvin-share.nix


     

       
28

       
27

       
 

       
    ./services/planka.nix


     

       
29

       
28

       
 

       
    ./services/pocket-id.nix


     

       
30

       
29

       
 

       
    ./services/podman.nix


     

       
31

       
30

       
 

       
    ./services/postgres.nix


     

       
32

       
31

       
 

       
    ./services/prometheus.nix


     

       
33

       

       
-

       
    # ./services/redlib.nix


     

       
34

       
32

       
 

       
    ./services/scrutiny.nix


     

       
35

       
33

       
 

       
    ./services/syncthing.nix


     

       
36

       
34

       
 

       
    ./services/tailscale.nix


     

       
37

       
35

       
 

       
    ./services/tangled.nix


     

       
38

       
36

       
 

       
    ./services/vaultwarden.nix


     

       
39

       
37

       
 

       
    ./services/zfs.nix


     

       

       
38

       
+

       
    # keep-sorted end


     

       
40

       
39

       
 

       
  ];


     

       
41

       
40

       
 

       
  nix.settings.max-jobs = 12;


     

       
42

       
41

       
 

       
  networking = {
+3
hosts/marvin/services/anubis.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  config,


     

       

       
3

       
+

       
  self',


     

       
3

       
4

       
 

       
  ...


     

       
4

       
5

       
 

       
}:


     

       
5

       
6

       
 

       
{


     
···

       
9

       
10

       
 

       
      extraFlags = [ "-metrics-bind \"\"" ];


     

       
10

       
11

       
 

       
      settings = {


     

       
11

       
12

       
 

       
        BIND_NETWORK = "tcp";


     

       

       
13

       
+

       
        METRICS_BIND_NETWORK = "tcp";


     

       
12

       
14

       
 

       
        SERVE_ROBOTS_TXT = true;


     

       
13

       
15

       
 

       
        COOKIE_DOMAIN = ".pyrox.dev";


     

       
14

       
16

       
 

       
        ED25519_PRIVATE_KEY_HEX_FILE = config.age.secrets.anubis-key.path;


     

       
15

       
17

       
 

       
        OG_PASSTHROUGH = true;


     

       
16

       
18

       
 

       
        OG_CACHE_CONSIDER_HOST = true;


     

       

       
19

       
+

       
        POLICY_FNAME = "${self'.packages.anubis-files}/policies/default.yaml";


     

       
17

       
20

       
 

       
      };


     

       
18

       
21

       
 

       
    };


     

       
19

       
22

       
 

       
    age.secrets.anubis-key = {
-92
hosts/marvin/services/authentik.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  config,


     

       
3

       

       
-

       
  self,


     

       
4

       

       
-

       
  ...


     

       
5

       

       
-

       
}:


     

       
6

       

       
-

       
let


     

       
7

       

       
-

       
  d = self.lib.data.services.authentik;


     

       
8

       

       
-

       
in


     

       
9

       

       
-

       
{


     

       
10

       

       
-

       
  virtualisation.oci-containers.containers =


     

       
11

       

       
-

       
    let


     

       
12

       

       
-

       
      authentikVersion = "2025.4";


     

       
13

       

       
-

       
      base = {


     

       
14

       

       
-

       
        environmentFiles = [ config.age.secrets.authentik-env.path ];


     

       
15

       

       
-

       
        extraOptions = [ "--network=authentik" ];


     

       
16

       

       
-

       
      };


     

       
17

       

       
-

       
      authentikBase = base // {


     

       
18

       

       
-

       
        image = "ghcr.io/goauthentik/server:${authentikVersion}";


     

       
19

       

       
-

       
        environment = {


     

       
20

       

       
-

       
          AUTHENTIK_REDIS__HOST = "authentik-redict";


     

       
21

       

       
-

       



     

       
22

       

       
-

       
          # Postgres Settings


     

       
23

       

       
-

       
          AUTHENTIK_POSTGRESQL__HOST = "authentik-db";


     

       
24

       

       
-

       
          AUTHENTIK_POSTGRESQL__PORT = "5432";


     

       
25

       

       
-

       
          AUTHENTIK_POSTGRESQL__USER = "authentik";


     

       
26

       

       
-

       
          AUTHENTIK_POSTGRESQL__NAME = "authentik";


     

       
27

       

       
-

       
          AUTHENTIK_POSTGRESQL__PASSWORD = "\${PG_PASS}";


     

       
28

       

       
-

       



     

       
29

       

       
-

       
          # Disable error reporting


     

       
30

       

       
-

       
          AUTHENTIK_ERROR_REPORTING__ENABLED = "false";


     

       
31

       

       
-

       



     

       
32

       

       
-

       
          # Avatars are an attribute based on an uploaded file


     

       
33

       

       
-

       
          AUTHENTIK_AVATARS = "attributes.user.avatar";


     

       
34

       

       
-

       



     

       
35

       

       
-

       
          # Email Settings


     

       
36

       

       
-

       
          AUTHENTIK_EMAIL__HOST = "mail.pyrox.dev";


     

       
37

       

       
-

       
          AUTHENTIK_EMAIL__USERNAME = "auth@pyrox.dev";


     

       
38

       

       
-

       
          AUTHENTIK_EMAIL__PORT = "465";


     

       
39

       

       
-

       
          AUTHENTIK_EMAIL__USE_TLS = "true";


     

       
40

       

       
-

       
          AUTHENTIK_EMAIL__FROM = "PyroServ Auth <auth@pyrox.dev>";


     

       
41

       

       
-

       
        };


     

       
42

       

       
-

       
      };


     

       
43

       

       
-

       
      authentikVols = [


     

       
44

       

       
-

       
        "/var/lib/authentik/media:/media"


     

       
45

       

       
-

       
        "/var/lib/authentik/templates:/templates"


     

       
46

       

       
-

       
      ];


     

       
47

       

       
-

       
    in


     

       
48

       

       
-

       
    {


     

       
49

       

       
-

       
      authentik-db = base // {


     

       
50

       

       
-

       
        image = "postgres:17-alpine";


     

       
51

       

       
-

       
        volumes = [ "/var/lib/authentik/db:/var/lib/postgresql/data" ];


     

       
52

       

       
-

       
        environment = {


     

       
53

       

       
-

       
          POSTGRES_PASSWORD = "\${PG_PASS}";


     

       
54

       

       
-

       
          POSTGRES_USER = "authentik";


     

       
55

       

       
-

       
          POSTGRES_DB = "authentik";


     

       
56

       

       
-

       
        };


     

       
57

       

       
-

       
      };


     

       
58

       

       
-

       
      authentik-redict = {


     

       
59

       

       
-

       
        image = "registry.redict.io/redict:alpine";


     

       
60

       

       
-

       
        extraOptions = [ "--network=authentik" ];


     

       
61

       

       
-

       
      };


     

       
62

       

       
-

       
      authentik-server = authentikBase // {


     

       
63

       

       
-

       
        cmd = [ "server" ];


     

       
64

       

       
-

       
        ports = [


     

       
65

       

       
-

       
          "${toString d.port}:9000"


     

       
66

       

       
-

       
          "6943:9443"


     

       
67

       

       
-

       
          "9301:9300"


     

       
68

       

       
-

       
        ];


     

       
69

       

       
-

       
        volumes = authentikVols ++ [ "/var/lib/authentik/custom.css:/web/dist/custom.css" ];


     

       
70

       

       
-

       
      };


     

       
71

       

       
-

       
      authentik-worker = authentikBase // {


     

       
72

       

       
-

       
        cmd = [ "worker" ];


     

       
73

       

       
-

       
        volumes = authentikVols ++ [ "/var/lib/authentik/certs:/certs" ];


     

       
74

       

       
-

       
      };


     

       
75

       

       
-

       
      authentik-ldap = base // {


     

       
76

       

       
-

       
        image = "ghcr.io/goauthentik/ldap:${authentikVersion}";


     

       
77

       

       
-

       
        ports = [


     

       
78

       

       
-

       
          "389:3389"


     

       
79

       

       
-

       
          "636:6636"


     

       
80

       

       
-

       
        ];


     

       
81

       

       
-

       
        environment = {


     

       
82

       

       
-

       
          AUTHENTIK_HOST = "https://${d.extUrl}";


     

       
83

       

       
-

       
          AUTHENTIK_INSECURE = "false";


     

       
84

       

       
-

       
        };


     

       
85

       

       
-

       
      };


     

       
86

       

       
-

       
    };


     

       
87

       

       
-

       
  age.secrets.authentik-env = {


     

       
88

       

       
-

       
    file = ./secrets/authentik-env.age;


     

       
89

       

       
-

       
    owner = "thehedgehog";


     

       
90

       

       
-

       
    group = "misc";


     

       
91

       

       
-

       
  };


     

       
92

       

       
-

       
}
-5
hosts/marvin/services/bookstack.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  services.bookstack = {


     

       
3

       

       
-

       
    enable = true;


     

       
4

       

       
-

       
  };


     

       
5

       

       
-

       
}
+1 -1
hosts/marvin/services/gdq-cals.nix 
···

       
19

       
19

       
 

       
      description = "GDQ Calendar Updater";


     

       
20

       
20

       
 

       
      path = [ pyWithLibs ];


     

       
21

       
21

       
 

       
      serviceConfig = {


     

       
22

       

       
-

       
        ExecStart = "${lib.getExe pyWithLibs} gdq_cal_ics_exporter.py --id 56 --fatales --gcal";


     

       

       
22

       
+

       
        ExecStart = "${lib.getExe pyWithLibs} gdq_cal_ics_exporter.py --fatales --gcal --disable_general";


     

       
23

       
23

       
 

       
        Type = "oneshot";


     

       
24

       
24

       
 

       
        WorkingDirectory = "/home/thehedgehog/gdq-cals/";


     

       
25

       
25

       
 

       
        User = "thehedgehog";
+5 -5
hosts/marvin/services/git.nix 
···

       
41

       
41

       
 

       
    };


     

       
42

       
42

       
 

       
    settings = {


     

       
43

       
43

       
 

       
      DEFAULT = {


     

       
44

       

       
-

       
        APP_NAME = "PyroNet Git";


     

       

       
44

       
+

       
        APP_NAME = "dishNet Git";


     

       
45

       
45

       
 

       
        RUN_MODE = "prod";


     

       
46

       
46

       
 

       
      };


     

       
47

       
47

       
 

       
      attachment = {


     

       
48

       
48

       
 

       
        MAX_SIZE = 200;


     

       
49

       
49

       
 

       
      };


     

       
50

       

       
-

       
      log."logger.router.MODE" = "";


     

       

       
50

       
+

       
      log.LOGGER_ROUTER_MODE = "";


     

       
51

       
51

       
 

       
      mailer = {


     

       
52

       
52

       
 

       
        ENABLED = true;


     

       
53

       

       
-

       
        FROM = "PyroNet Git <git@pyrox.dev>";


     

       

       
53

       
+

       
        FROM = "dishNet Git <git@pyrox.dev>";


     

       
54

       
54

       
 

       
        PROTOCOL = "smtps";


     

       
55

       
55

       
 

       
        SMTP_ADDR = "mail.pyrox.dev";


     

       
56

       
56

       
 

       
        SMTP_PORT = 465;


     
···

       
66

       
66

       
 

       
      };


     

       
67

       
67

       
 

       
      "ui.meta" = {


     

       
68

       
68

       
 

       
        AUTHOR = "dish";


     

       
69

       

       
-

       
        DESCRIPTION = "PyroNet Git Services";


     

       

       
69

       
+

       
        DESCRIPTION = "dishNet Git Services";


     

       
70

       
70

       
 

       
      };


     

       
71

       
71

       
 

       
      metrics = {


     

       
72

       
72

       
 

       
        ENABLED = true;


     
···

       
85

       
85

       
 

       
        ISSUE_INDEXER_PATH = "indexers/issues.bleve";


     

       
86

       
86

       
 

       
        # Enable repo indexing


     

       
87

       
87

       
 

       
        REPO_INDEXER_ENABLED = true;


     

       
88

       

       
-

       
        REPO_INDEXER_REPO_TYPES = "sources,forks,templates,mirrors";


     

       

       
88

       
+

       
        REPO_INDEXER_REPO_TYPES = "sources,forks";


     

       
89

       
89

       
 

       
        REPO_INDEXER_TYPE = "bleve";


     

       
90

       
90

       
 

       
        REPO_INDEXER_PATH = "indexers/repos.bleve";


     

       
91

       
91

       
 

       
      };
-7
hosts/marvin/services/golink.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  services.golink = {


     

       
3

       
3

       
 

       
    enable = true;


     

       
4

       

       
-

       
    tailscaleAuthKeyFile = /run/agenix/golink-authkey;


     

       
5

       

       
-

       
  };


     

       
6

       

       
-

       
  age.secrets.golink-authkey = {


     

       
7

       

       
-

       
    file = ./secrets/golink-authkey.age;


     

       
8

       

       
-

       
    path = "/run/agenix/golink-authkey";


     

       
9

       

       
-

       
    owner = "golink";


     

       
10

       

       
-

       
    group = "golink";


     

       
11

       
4

       
 

       
  };


     

       
12

       
5

       
 

       
}
+4 -4
hosts/marvin/services/grafana.nix 
···

       
40

       
40

       
 

       
      };


     

       
41

       
41

       
 

       
      smtp = {


     

       
42

       
42

       
 

       
        enabled = true;


     

       
43

       

       
-

       
        user = "grafana@thehedgehog.me";


     

       
44

       

       
-

       
        from_address = "grafana@thehedgehog.me";


     

       
45

       

       
-

       
        host = "smtp.migadu.com:465";


     

       

       
43

       
+

       
        user = "grafana@pyrox.dev";


     

       

       
44

       
+

       
        from_address = "grafana@pyrox.dev";


     

       

       
45

       
+

       
        host = "mail.pyrox.dev:465";


     

       
46

       
46

       
 

       
        password = "$__file{${config.age.secrets.grafana-smtp-password.path}}";


     

       
47

       
47

       
 

       
      };


     

       
48

       
48

       
 

       
    };


     
···

       
62

       
62

       
 

       
  services.anubis.instances.grafana = {


     

       
63

       
63

       
 

       
    settings = {


     

       
64

       
64

       
 

       
      BIND = ":${toString d.anubis}";


     

       
65

       

       
-

       
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/grafana.yaml";


     

       

       
65

       
+

       
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/default.yaml";


     

       
66

       
66

       
 

       
      TARGET = "http://localhost:${toString d.port}";


     

       
67

       
67

       
 

       
    };


     

       
68

       
68

       
 

       
  };
-97
hosts/marvin/services/iceshrimp.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  config,


     

       
3

       

       
-

       
  inputs,


     

       
4

       

       
-

       
  pkgs,


     

       
5

       

       
-

       
  lib,


     

       
6

       

       
-

       
  self,


     

       
7

       

       
-

       
  ...


     

       
8

       

       
-

       
}:


     

       
9

       

       
-

       
let


     

       
10

       

       
-

       



     

       
11

       

       
-

       
  d = self.lib.data.services.iceshrimp;


     

       
12

       

       
-

       



     

       
13

       

       
-

       
  package = inputs.iceshrimp.packages.x86_64-linux.iceshrimp-pre.overrideAttrs rec {


     

       
14

       

       
-

       
    version = "2023.12.8-pyrox1";


     

       
15

       

       
-

       
    src = pkgs.fetchgit {


     

       
16

       

       
-

       
      url = "https://iceshrimp.dev/pyrox/iceshrimp";


     

       
17

       

       
-

       
      hash = "sha256-hxZ3rVVAiAMFAYhZ2o+WhlMuhjbt5EyHKOl1VyyL5RA=";


     

       
18

       

       
-

       
      rev = "v${version}";


     

       
19

       

       
-

       
      fetchLFS = true;


     

       
20

       

       
-

       
      deepClone = false;


     

       
21

       

       
-

       
    };


     

       
22

       

       
-

       
    patches = [ ];


     

       
23

       

       
-

       
  };


     

       
24

       

       
-

       
in


     

       
25

       

       
-

       
{


     

       
26

       

       
-

       
  services.iceshrimp = {


     

       
27

       

       
-

       
    inherit package;


     

       
28

       

       
-

       
    enable = false;


     

       
29

       

       
-

       
    secretConfig = config.age.secrets.iceshrimp-secret-config.path;


     

       
30

       

       
-

       
    dbPasswordFile = config.age.secrets.iceshrimp-db-password.path;


     

       
31

       

       
-

       
    createDb = true;


     

       
32

       

       
-

       
    configureNginx.enable = false;


     

       
33

       

       
-

       
    settings = {


     

       
34

       

       
-

       
      inherit (d) port;


     

       
35

       

       
-

       
      url = "https://${d.extUrl}";


     

       
36

       

       
-

       
      accountDomain = "pyrox.dev";


     

       
37

       

       
-

       
      redis.port = 6997;


     

       
38

       

       
-

       
      maxNoteLength = 16384;


     

       
39

       

       
-

       
      maxCaptionLength = 8192;


     

       
40

       

       
-

       
      clusterLimit = 4;


     

       
41

       

       
-

       
      deliverJobConcurrency = 192;


     

       
42

       

       
-

       
      inboxJobConcurrency = 32;


     

       
43

       

       
-

       
      deliverJobPerSec = 256;


     

       
44

       

       
-

       
      inboxJobPerSec = 32;


     

       
45

       

       
-

       
      outgoingAddressFamily = "dual";


     

       
46

       

       
-

       
      # See the withdrawal patches for obliterate info


     

       
47

       

       
-

       
      enableObliterate = true;


     

       
48

       

       
-

       
      obliterateJobPerSec = 16;


     

       
49

       

       
-

       
      obliterateJobMaxAttempts = 3;


     

       
50

       

       
-

       
      mediaCleanup = {


     

       
51

       

       
-

       
        cron = true;


     

       
52

       

       
-

       
        maxAgeDays = 30;


     

       
53

       

       
-

       
        cleanAvatars = true;


     

       
54

       

       
-

       
        cleanHeaders = true;


     

       
55

       

       
-

       
      };


     

       
56

       

       
-

       
      htmlCache = {


     

       
57

       

       
-

       
        ttl = "6h";


     

       
58

       

       
-

       
        prewarm = true;


     

       
59

       

       
-

       
        dbFallback = true;


     

       
60

       

       
-

       
      };


     

       
61

       

       
-

       
      wordMuteCache.ttl = "24h";


     

       
62

       

       
-

       
      isManagedHosting = true;


     

       
63

       

       
-

       
      email = {


     

       
64

       

       
-

       
        managed = true;


     

       
65

       

       
-

       
        address = "social@pyrox.dev";


     

       
66

       

       
-

       
        host = "mail.pyrox.dev";


     

       
67

       

       
-

       
        port = 465;


     

       
68

       

       
-

       
        user = "social@pyrox.dev";


     

       
69

       

       
-

       
        useImplicitSslTls = true;


     

       
70

       

       
-

       
      };


     

       
71

       

       
-

       
      objectStorage = {


     

       
72

       

       
-

       
        managed = true;


     

       
73

       

       
-

       
        baseUrl = "https://pool.jortage.com/socialpyroxdev";


     

       
74

       

       
-

       
        bucket = "socialpyroxdev";


     

       
75

       

       
-

       
        prefix = "mkmedia";


     

       
76

       

       
-

       
        endpoint = "pool-api.jortage.com";


     

       
77

       

       
-

       
        region = "jort";


     

       
78

       

       
-

       
        useSsl = true;


     

       
79

       

       
-

       
        connnectOverProxy = false;


     

       
80

       

       
-

       
        setPublicReadOnUpload = false;


     

       
81

       

       
-

       
        s3ForcePathStyle = true;


     

       
82

       

       
-

       
      };


     

       
83

       

       
-

       
    };


     

       
84

       

       
-

       
  };


     

       
85

       

       
-

       
  age.secrets = lib.mkIf config.services.iceshrimp.enable {


     

       
86

       

       
-

       
    iceshrimp-secret-config = {


     

       
87

       

       
-

       
      inherit (config.services.iceshrimp) group;


     

       
88

       

       
-

       
      file = ./secrets/iceshrimp-secret-config.age;


     

       
89

       

       
-

       
      owner = config.services.iceshrimp.user;


     

       
90

       

       
-

       
    };


     

       
91

       

       
-

       
    iceshrimp-db-password = {


     

       
92

       

       
-

       
      file = ./secrets/iceshrimp-db-password.age;


     

       
93

       

       
-

       
      owner = "postgres";


     

       
94

       

       
-

       
      group = "postgres";


     

       
95

       

       
-

       
    };


     

       
96

       

       
-

       
  };


     

       
97

       

       
-

       
}
+223
hosts/marvin/services/immich-config.json 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  "backup": {


     

       

       
3

       
+

       
    "database": {


     

       

       
4

       
+

       
      "cronExpression": "0 02 * * *",


     

       

       
5

       
+

       
      "enabled": true,


     

       

       
6

       
+

       
      "keepLastAmount": 14


     

       

       
7

       
+

       
    }


     

       

       
8

       
+

       
  },


     

       

       
9

       
+

       
  "ffmpeg": {


     

       

       
10

       
+

       
    "accel": "vaapi",


     

       

       
11

       
+

       
    "accelDecode": true,


     

       

       
12

       
+

       
    "acceptedAudioCodecs": ["aac", "mp3", "libopus"],


     

       

       
13

       
+

       
    "acceptedContainers": ["mov", "ogg", "webm"],


     

       

       
14

       
+

       
    "acceptedVideoCodecs": ["h264"],


     

       

       
15

       
+

       
    "bframes": -1,


     

       

       
16

       
+

       
    "cqMode": "auto",


     

       

       
17

       
+

       
    "crf": 23,


     

       

       
18

       
+

       
    "gopSize": 0,


     

       

       
19

       
+

       
    "maxBitrate": "0",


     

       

       
20

       
+

       
    "preferredHwDevice": "auto",


     

       

       
21

       
+

       
    "preset": "veryfast",


     

       

       
22

       
+

       
    "refs": 0,


     

       

       
23

       
+

       
    "targetAudioCodec": "aac",


     

       

       
24

       
+

       
    "targetResolution": "720",


     

       

       
25

       
+

       
    "targetVideoCodec": "h264",


     

       

       
26

       
+

       
    "temporalAQ": false,


     

       

       
27

       
+

       
    "threads": 0,


     

       

       
28

       
+

       
    "tonemap": "hable",


     

       

       
29

       
+

       
    "transcode": "required",


     

       

       
30

       
+

       
    "twoPass": false


     

       

       
31

       
+

       
  },


     

       

       
32

       
+

       
  "image": {


     

       

       
33

       
+

       
    "colorspace": "p3",


     

       

       
34

       
+

       
    "extractEmbedded": false,


     

       

       
35

       
+

       
    "fullsize": {


     

       

       
36

       
+

       
      "enabled": false,


     

       

       
37

       
+

       
      "format": "jpeg",


     

       

       
38

       
+

       
      "quality": 80


     

       

       
39

       
+

       
    },


     

       

       
40

       
+

       
    "preview": {


     

       

       
41

       
+

       
      "format": "jpeg",


     

       

       
42

       
+

       
      "quality": 80,


     

       

       
43

       
+

       
      "size": 1440


     

       

       
44

       
+

       
    },


     

       

       
45

       
+

       
    "thumbnail": {


     

       

       
46

       
+

       
      "format": "webp",


     

       

       
47

       
+

       
      "quality": 80,


     

       

       
48

       
+

       
      "size": 250


     

       

       
49

       
+

       
    }


     

       

       
50

       
+

       
  },


     

       

       
51

       
+

       
  "job": {


     

       

       
52

       
+

       
    "backgroundTask": {


     

       

       
53

       
+

       
      "concurrency": 5


     

       

       
54

       
+

       
    },


     

       

       
55

       
+

       
    "faceDetection": {


     

       

       
56

       
+

       
      "concurrency": 2


     

       

       
57

       
+

       
    },


     

       

       
58

       
+

       
    "library": {


     

       

       
59

       
+

       
      "concurrency": 5


     

       

       
60

       
+

       
    },


     

       

       
61

       
+

       
    "metadataExtraction": {


     

       

       
62

       
+

       
      "concurrency": 5


     

       

       
63

       
+

       
    },


     

       

       
64

       
+

       
    "migration": {


     

       

       
65

       
+

       
      "concurrency": 5


     

       

       
66

       
+

       
    },


     

       

       
67

       
+

       
    "notifications": {


     

       

       
68

       
+

       
      "concurrency": 5


     

       

       
69

       
+

       
    },


     

       

       
70

       
+

       
    "ocr": {


     

       

       
71

       
+

       
      "concurrency": 1


     

       

       
72

       
+

       
    },


     

       

       
73

       
+

       
    "search": {


     

       

       
74

       
+

       
      "concurrency": 5


     

       

       
75

       
+

       
    },


     

       

       
76

       
+

       
    "sidecar": {


     

       

       
77

       
+

       
      "concurrency": 5


     

       

       
78

       
+

       
    },


     

       

       
79

       
+

       
    "smartSearch": {


     

       

       
80

       
+

       
      "concurrency": 2


     

       

       
81

       
+

       
    },


     

       

       
82

       
+

       
    "thumbnailGeneration": {


     

       

       
83

       
+

       
      "concurrency": 3


     

       

       
84

       
+

       
    },


     

       

       
85

       
+

       
    "videoConversion": {


     

       

       
86

       
+

       
      "concurrency": 1


     

       

       
87

       
+

       
    },


     

       

       
88

       
+

       
    "workflow": {


     

       

       
89

       
+

       
      "concurrency": 5


     

       

       
90

       
+

       
    }


     

       

       
91

       
+

       
  },


     

       

       
92

       
+

       
  "library": {


     

       

       
93

       
+

       
    "scan": {


     

       

       
94

       
+

       
      "cronExpression": "0 0 * * *",


     

       

       
95

       
+

       
      "enabled": true


     

       

       
96

       
+

       
    },


     

       

       
97

       
+

       
    "watch": {


     

       

       
98

       
+

       
      "enabled": false


     

       

       
99

       
+

       
    }


     

       

       
100

       
+

       
  },


     

       

       
101

       
+

       
  "logging": {


     

       

       
102

       
+

       
    "enabled": true,


     

       

       
103

       
+

       
    "level": "log"


     

       

       
104

       
+

       
  },


     

       

       
105

       
+

       
  "machineLearning": {


     

       

       
106

       
+

       
    "availabilityChecks": {


     

       

       
107

       
+

       
      "enabled": true,


     

       

       
108

       
+

       
      "interval": 30000,


     

       

       
109

       
+

       
      "timeout": 2000


     

       

       
110

       
+

       
    },


     

       

       
111

       
+

       
    "clip": {


     

       

       
112

       
+

       
      "enabled": true,


     

       

       
113

       
+

       
      "modelName": "ViT-B-16-SigLIP2__webli"


     

       

       
114

       
+

       
    },


     

       

       
115

       
+

       
    "duplicateDetection": {


     

       

       
116

       
+

       
      "enabled": true,


     

       

       
117

       
+

       
      "maxDistance": 0.01


     

       

       
118

       
+

       
    },


     

       

       
119

       
+

       
    "enabled": true,


     

       

       
120

       
+

       
    "facialRecognition": {


     

       

       
121

       
+

       
      "enabled": true,


     

       

       
122

       
+

       
      "maxDistance": 0.5,


     

       

       
123

       
+

       
      "minFaces": 7,


     

       

       
124

       
+

       
      "minScore": 0.7,


     

       

       
125

       
+

       
      "modelName": "buffalo_l"


     

       

       
126

       
+

       
    },


     

       

       
127

       
+

       
    "ocr": {


     

       

       
128

       
+

       
      "enabled": true,


     

       

       
129

       
+

       
      "maxResolution": 736,


     

       

       
130

       
+

       
      "minDetectionScore": 0.5,


     

       

       
131

       
+

       
      "minRecognitionScore": 0.8,


     

       

       
132

       
+

       
      "modelName": "EN__PP-OCRv5_mobile"


     

       

       
133

       
+

       
    },


     

       

       
134

       
+

       
    "urls": ["http://localhost:3003"]


     

       

       
135

       
+

       
  },


     

       

       
136

       
+

       
  "map": {


     

       

       
137

       
+

       
    "darkStyle": "https://tiles.immich.cloud/v1/style/dark.json",


     

       

       
138

       
+

       
    "enabled": true,


     

       

       
139

       
+

       
    "lightStyle": "https://tiles.immich.cloud/v1/style/light.json"


     

       

       
140

       
+

       
  },


     

       

       
141

       
+

       
  "metadata": {


     

       

       
142

       
+

       
    "faces": {


     

       

       
143

       
+

       
      "import": false


     

       

       
144

       
+

       
    }


     

       

       
145

       
+

       
  },


     

       

       
146

       
+

       
  "newVersionCheck": {


     

       

       
147

       
+

       
    "enabled": false


     

       

       
148

       
+

       
  },


     

       

       
149

       
+

       
  "nightlyTasks": {


     

       

       
150

       
+

       
    "clusterNewFaces": true,


     

       

       
151

       
+

       
    "databaseCleanup": true,


     

       

       
152

       
+

       
    "generateMemories": true,


     

       

       
153

       
+

       
    "missingThumbnails": true,


     

       

       
154

       
+

       
    "startTime": "00:00",


     

       

       
155

       
+

       
    "syncQuotaUsage": true


     

       

       
156

       
+

       
  },


     

       

       
157

       
+

       
  "notifications": {


     

       

       
158

       
+

       
    "smtp": {


     

       

       
159

       
+

       
      "enabled": true,


     

       

       
160

       
+

       
      "from": "dishNet Photos <immich@pyrox.dev>",


     

       

       
161

       
+

       
      "replyTo": "",


     

       

       
162

       
+

       
      "transport": {


     

       

       
163

       
+

       
        "host": "mail.pyrox.dev",


     

       

       
164

       
+

       
        "ignoreCert": false,


     

       

       
165

       
+

       
        "port": 25,


     

       

       
166

       
+

       
        "secure": true,


     

       

       
167

       
+

       
        "username": "immich@pyrox.dev"


     

       

       
168

       
+

       
      }


     

       

       
169

       
+

       
    }


     

       

       
170

       
+

       
  },


     

       

       
171

       
+

       
  "oauth": {


     

       

       
172

       
+

       
    "autoLaunch": false,


     

       

       
173

       
+

       
    "autoRegister": true,


     

       

       
174

       
+

       
    "buttonText": "Login with Pocket-ID",


     

       

       
175

       
+

       
    "clientId": "f1312240-d9fc-4336-aca6-b98316867848",


     

       

       
176

       
+

       
    "defaultStorageQuota": null,


     

       

       
177

       
+

       
    "enabled": true,


     

       

       
178

       
+

       
    "issuerUrl": "https://auth.pyrox.dev",


     

       

       
179

       
+

       
    "mobileOverrideEnabled": false,


     

       

       
180

       
+

       
    "mobileRedirectUri": "",


     

       

       
181

       
+

       
    "profileSigningAlgorithm": "none",


     

       

       
182

       
+

       
    "roleClaim": "immich_role",


     

       

       
183

       
+

       
    "scope": "openid email profile immich_role",


     

       

       
184

       
+

       
    "signingAlgorithm": "RS256",


     

       

       
185

       
+

       
    "storageLabelClaim": "preferred_username",


     

       

       
186

       
+

       
    "storageQuotaClaim": "immich_quota",


     

       

       
187

       
+

       
    "timeout": 30000,


     

       

       
188

       
+

       
    "tokenEndpointAuthMethod": "client_secret_post"


     

       

       
189

       
+

       
  },


     

       

       
190

       
+

       
  "passwordLogin": {


     

       

       
191

       
+

       
    "enabled": true


     

       

       
192

       
+

       
  },


     

       

       
193

       
+

       
  "reverseGeocoding": {


     

       

       
194

       
+

       
    "enabled": true


     

       

       
195

       
+

       
  },


     

       

       
196

       
+

       
  "server": {


     

       

       
197

       
+

       
    "externalDomain": "https://img.pyrox.dev",


     

       

       
198

       
+

       
    "loginPageMessage": "",


     

       

       
199

       
+

       
    "publicUsers": true


     

       

       
200

       
+

       
  },


     

       

       
201

       
+

       
  "storageTemplate": {


     

       

       
202

       
+

       
    "enabled": false,


     

       

       
203

       
+

       
    "hashVerificationEnabled": true,


     

       

       
204

       
+

       
    "template": "{{y}}/{{y}}-{{MM}}-{{dd}}/{{filename}}"


     

       

       
205

       
+

       
  },


     

       

       
206

       
+

       
  "templates": {


     

       

       
207

       
+

       
    "email": {


     

       

       
208

       
+

       
      "albumInviteTemplate": "",


     

       

       
209

       
+

       
      "albumUpdateTemplate": "",


     

       

       
210

       
+

       
      "welcomeTemplate": ""


     

       

       
211

       
+

       
    }


     

       

       
212

       
+

       
  },


     

       

       
213

       
+

       
  "theme": {


     

       

       
214

       
+

       
    "customCss": ""


     

       

       
215

       
+

       
  },


     

       

       
216

       
+

       
  "trash": {


     

       

       
217

       
+

       
    "days": 30,


     

       

       
218

       
+

       
    "enabled": true


     

       

       
219

       
+

       
  },


     

       

       
220

       
+

       
  "user": {


     

       

       
221

       
+

       
    "deleteDelay": 7


     

       

       
222

       
+

       
  }


     

       

       
223

       
+

       
}
+51
hosts/marvin/services/immich.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  self,


     

       

       
3

       
+

       
  config,


     

       

       
4

       
+

       
  lib,


     

       

       
5

       
+

       
  ...


     

       

       
6

       
+

       
}:


     

       

       
7

       
+

       
let


     

       

       
8

       
+

       
  d = self.lib.data.services.immich;


     

       

       
9

       
+

       
in


     

       

       
10

       
+

       
{


     

       

       
11

       
+

       
  services = {


     

       

       
12

       
+

       
    immich = {


     

       

       
13

       
+

       
      inherit (d) port;


     

       

       
14

       
+

       
      enable = true;


     

       

       
15

       
+

       
      host = "0.0.0.0";


     

       

       
16

       
+

       
      redis.enable = true;


     

       

       
17

       
+

       
      mediaLocation = "/var/media/photos/";


     

       

       
18

       
+

       
      accelerationDevices = [ "/dev/dri/renderD128" ];


     

       

       
19

       
+

       
      settings = lib.recursiveUpdate (builtins.fromJSON (builtins.readFile ./immich-config.json)) {


     

       

       
20

       
+

       
        oauth.clientSecret._secret = config.age.secrets.immich-oauth-secret.path;


     

       

       
21

       
+

       
        notifications.smtp.transport.password._secret = config.age.secrets.immich-mail-pw.path;


     

       

       
22

       
+

       
        server.externalDomain = "https://${d.extUrl}";


     

       

       
23

       
+

       
      };


     

       

       
24

       
+

       
    };


     

       

       
25

       
+

       
    immich-public-proxy = {


     

       

       
26

       
+

       
      enable = true;


     

       

       
27

       
+

       
      port = d.pubProxy;


     

       

       
28

       
+

       
      immichUrl = "http://localhost:${toString d.port}";


     

       

       
29

       
+

       
      settings.ipp = {


     

       

       
30

       
+

       
        downloadedFilename = 1;


     

       

       
31

       
+

       
      };


     

       

       
32

       
+

       
    };


     

       

       
33

       
+

       
  };


     

       

       
34

       
+

       
  systemd.services.immich-public-proxy.environment.PUBLIC_BASE_URL = "https://${d.extUrl}";


     

       

       
35

       
+

       
  users.users.immich.extraGroups = [


     

       

       
36

       
+

       
    "video"


     

       

       
37

       
+

       
    "render"


     

       

       
38

       
+

       
  ];


     

       

       
39

       
+

       
  age.secrets = {


     

       

       
40

       
+

       
    immich-oauth-secret = {


     

       

       
41

       
+

       
      file = ./secrets/immich/oauth-secret.age;


     

       

       
42

       
+

       
      owner = "immich";


     

       

       
43

       
+

       
      group = "immich";


     

       

       
44

       
+

       
    };


     

       

       
45

       
+

       
    immich-mail-pw = {


     

       

       
46

       
+

       
      file = ./secrets/immich/mail-pw.age;


     

       

       
47

       
+

       
      owner = "immich";


     

       

       
48

       
+

       
      group = "immich";


     

       

       
49

       
+

       
    };


     

       

       
50

       
+

       
  };


     

       

       
51

       
+

       
}
-2
hosts/marvin/services/miniflux.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  config,


     

       
3

       

       
-

       
  self',


     

       
4

       
3

       
 

       
  self,


     

       
5

       
4

       
 

       
  ...


     

       
6

       
5

       
 

       
}:


     
···

       
33

       
32

       
 

       
  services.anubis.instances.miniflux = {


     

       
34

       
33

       
 

       
    settings = {


     

       
35

       
34

       
 

       
      BIND = ":${toString d.anubis}";


     

       
36

       

       
-

       
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/miniflux.yaml";


     

       
37

       
35

       
 

       
      TARGET = "http://localhost:${toString d.port}";


     

       
38

       
36

       
 

       
    };


     

       
39

       
37

       
 

       
  };
-11
hosts/marvin/services/minio.nix 
···

       
1

       

       
-

       
{ config, ... }:


     

       
2

       

       
-

       
{


     

       
3

       

       
-

       
  services.minio = {


     

       
4

       

       
-

       
    enable = true;


     

       
5

       

       
-

       
    region = "us-east-1";


     

       
6

       

       
-

       
    browser = true;


     

       
7

       

       
-

       
    listenAddress = ":6990";


     

       
8

       

       
-

       
    consoleAddress = ":6991";


     

       
9

       

       
-

       
    rootCredentialsFile = config.age.secrets.minio-root.path;


     

       
10

       

       
-

       
  };


     

       
11

       

       
-

       
}
+1 -2
hosts/marvin/services/nextcloud/default.nix 
···

       
17

       
17

       
 

       
  ];


     

       
18

       
18

       
 

       
  services.nextcloud = {


     

       
19

       
19

       
 

       
    enable = true;


     

       
20

       

       
-

       
    package = pkgs.nextcloud31;


     

       

       
20

       
+

       
    package = pkgs.nextcloud32;


     

       
21

       
21

       
 

       
    phpPackage = lib.mkForce pkgs.php82;


     

       
22

       
22

       
 

       
    appstoreEnable = true;


     

       
23

       
23

       
 

       
    caching.redis = true;


     
···

       
96

       
96

       
 

       
    configureRedis = true;


     

       
97

       
97

       
 

       
    database.createLocally = true;


     

       
98

       
98

       
 

       
    hostName = d.extUrl;


     

       
99

       

       
-

       
    nginx.recommendedHttpHeaders = true;


     

       
100

       
99

       
 

       
  };


     

       
101

       
100

       
 

       
  age.secrets.nextcloud-admin-pw = {


     

       
102

       
101

       
 

       
    file = ./nextcloud-admin-pw.age;
+1 -1
hosts/marvin/services/nextcloud/office.nix 
···

       
5

       
5

       
 

       
{


     

       
6

       
6

       
 

       
  services.collabora-online = {


     

       
7

       
7

       
 

       
    enable = true;


     

       
8

       

       
-

       
    port = d.port;


     

       

       
8

       
+

       
    inherit (d) port;


     

       
9

       
9

       
 

       
    settings = {


     

       
10

       
10

       
 

       
      ssl.enable = false;


     

       
11

       
11

       
 

       
      ssl.termination = true;
+1 -1
hosts/marvin/services/pinchflat.nix 
···

       
12

       
12

       
 

       
{


     

       
13

       
13

       
 

       
  services.pinchflat = {


     

       
14

       
14

       
 

       
    enable = true;


     

       
15

       

       
-

       
    port = d.port;


     

       

       
15

       
+

       
    inherit (d) port;


     

       
16

       
16

       
 

       
    secretsFile = age.pinchflat-secrets.path;


     

       
17

       
17

       
 

       
    mediaDir = "/var/media/youtube";


     

       
18

       
18

       
 

       
    extraConfig = {
-130
hosts/marvin/services/pingvin-share.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  config,


     

       
3

       

       
-

       
  pkgs,


     

       
4

       

       
-

       
  self',


     

       
5

       

       
-

       
  self,


     

       
6

       

       
-

       
  ...


     

       
7

       

       
-

       
}:


     

       
8

       

       
-

       
let


     

       
9

       

       
-

       
  d = self.lib.data.services.pingvin-share;


     

       
10

       

       
-

       
  cfg = config.services.pingvin-share;


     

       
11

       

       
-

       
  configFormat = pkgs.formats.yaml { };


     

       
12

       

       
-

       
  configFile = configFormat.generate "config.yaml" {


     

       
13

       

       
-

       
    general = {


     

       
14

       

       
-

       
      appName = "dishNet Share";


     

       
15

       

       
-

       
      appUrl = "https://share.pyrox.dev";


     

       
16

       

       
-

       
      secureCookies = "true";


     

       
17

       

       
-

       
      showHomePage = "false";


     

       
18

       

       
-

       
    };


     

       
19

       

       
-

       
    share = {


     

       
20

       

       
-

       
      allowRegistration = "false";


     

       
21

       

       
-

       
      allowUnauthenticatedShares = "false";


     

       
22

       

       
-

       
      maxSize = "10000000000";


     

       
23

       

       
-

       
    };


     

       
24

       

       
-

       
    email.enableShareEmailRecipients = "true";


     

       
25

       

       
-

       
    smtp = {


     

       
26

       

       
-

       
      enabled = "true";


     

       
27

       

       
-

       
      host = "mail.pyrox.dev";


     

       
28

       

       
-

       
      port = "465";


     

       
29

       

       
-

       
      email = "share@pyrox.dev";


     

       
30

       

       
-

       
      username = "share@pyrox.dev";


     

       
31

       

       
-

       
      password = "SMTP_PASSWORD";


     

       
32

       

       
-

       
    };


     

       
33

       

       
-

       
    ldap.enabled = "false";


     

       
34

       

       
-

       
    legal.enabled = "false";


     

       
35

       

       
-

       
    s3.enabled = "false";


     

       
36

       

       
-

       
    oauth = {


     

       
37

       

       
-

       
      ignoreTotp = "true";


     

       
38

       

       
-

       
      oidc-enabled = "true";


     

       
39

       

       
-

       
      oidc-clientSecret = "CLIENT_SECRET";


     

       
40

       

       
-

       
      oidc-clientId = "d83006a6-9b08-47eb-af56-418065db09b5";


     

       
41

       

       
-

       
      oidc-discoveryUri = "https://auth.pyrox.dev/.well-known/openid-configuration";


     

       
42

       

       
-

       
      oidc-signOut = "false";


     

       
43

       

       
-

       
      oidc-scope = "openid email profile groups";


     

       
44

       

       
-

       
      oidc-rolePath = "groups";


     

       
45

       

       
-

       
      oidc-roleAdminAccess = "admins";


     

       
46

       

       
-

       
    };


     

       
47

       

       
-

       
    initUser.enabled = false;


     

       
48

       

       
-

       
  };


     

       
49

       

       
-

       
in


     

       
50

       

       
-

       
{


     

       
51

       

       
-

       
  virtualisation.oci-containers.containers = {


     

       
52

       

       
-

       
    pingvin-share-server = {


     

       
53

       

       
-

       
      image = "ghcr.io/stonith404/pingvin-share:latest";


     

       
54

       

       
-

       
      ports = [


     

       
55

       

       
-

       
        "${toString d.port}:3000"


     

       
56

       

       
-

       
        "${toString d.be-port}:8080"


     

       
57

       

       
-

       
      ];


     

       
58

       

       
-

       
      volumes = [


     

       
59

       

       
-

       
        "/var/lib/pingvin-share/data:/opt/app/backend/data"


     

       
60

       

       
-

       
        "/var/lib/pingvin-share/data/images:/opt/app/frontend/public/img"


     

       
61

       

       
-

       
        "/var/lib/pingvin-share/config.yaml:/opt/app/config.yaml"


     

       
62

       

       
-

       
      ];


     

       
63

       

       
-

       
      environment = {


     

       
64

       

       
-

       
        API_URL = "https://share.pyrox.dev";


     

       
65

       

       
-

       
        PUID = "962";


     

       
66

       

       
-

       
        PGID = "959";


     

       
67

       

       
-

       
      };


     

       
68

       

       
-

       
    };


     

       
69

       

       
-

       
  };


     

       
70

       

       
-

       
  users.users.pingvin = {


     

       
71

       

       
-

       
    uid = 962;


     

       
72

       

       
-

       
    group = cfg.group;


     

       
73

       

       
-

       
    isSystemUser = true;


     

       
74

       

       
-

       
  };


     

       
75

       

       
-

       
  users.groups.pingvin = {


     

       
76

       

       
-

       
    gid = 959;


     

       
77

       

       
-

       
  };


     

       
78

       

       
-

       



     

       
79

       

       
-

       
  services = {


     

       
80

       

       
-

       
    pingvin-share = {


     

       
81

       

       
-

       
      enable = false;


     

       
82

       

       
-

       
      backend.port = d.be-port;


     

       
83

       

       
-

       
      frontend.port = d.port;


     

       
84

       

       
-

       
      hostname = "share.pyrox.dev";


     

       
85

       

       
-

       
      https = true;


     

       
86

       

       
-

       
    };


     

       
87

       

       
-

       
    anubis.instances = {


     

       
88

       

       
-

       
      pingvin-share-be = {


     

       
89

       

       
-

       
        settings = {


     

       
90

       

       
-

       
          BIND = ":${toString d.be-anubis}";


     

       
91

       

       
-

       
          POLICY_FNAME = "${self'.packages.anubis-files}/policies/pingvin-share.yaml";


     

       
92

       

       
-

       
          TARGET = "http://localhost:${toString d.be-port}";


     

       
93

       

       
-

       
        };


     

       
94

       

       
-

       
      };


     

       
95

       

       
-

       
      pingvin-share-fe = {


     

       
96

       

       
-

       
        settings = {


     

       
97

       

       
-

       
          BIND = ":${toString d.anubis}";


     

       
98

       

       
-

       
          POLICY_FNAME = "${self'.packages.anubis-files}/policies/pingvin-share.yaml";


     

       
99

       

       
-

       
          TARGET = "http://localhost:${toString d.port}";


     

       
100

       

       
-

       
        };


     

       
101

       

       
-

       
      };


     

       
102

       

       
-

       
    };


     

       
103

       

       
-

       
  };


     

       
104

       

       
-

       
  systemd.services.init-pingvin-config = {


     

       
105

       

       
-

       
    enable = true;


     

       
106

       

       
-

       
    description = "Pingvin Share configuration setup";


     

       
107

       

       
-

       
    wantedBy = [ "multi-user.target" ];


     

       
108

       

       
-

       
    before = [


     

       
109

       

       
-

       
      "docker-pingvin-share-server.service"


     

       
110

       

       
-

       
    ];


     

       
111

       

       
-

       
    path = [ pkgs.gnused ];


     

       
112

       

       
-

       
    script = ''


     

       
113

       

       
-

       
      rm ${cfg.dataDir}/config.yaml


     

       
114

       

       
-

       
      cp ${configFile} ${cfg.dataDir}/config.yaml


     

       
115

       

       
-

       
      sed -i "s/SMTP_PASSWORD/\"$SMTP_PASSWORD\"/" ${cfg.dataDir}/config.yaml


     

       
116

       

       
-

       
      sed -i "s/CLIENT_SECRET/\"$CLIENT_SECRET\"/" ${cfg.dataDir}/config.yaml


     

       
117

       

       
-

       
    '';


     

       
118

       

       
-

       
    serviceConfig = {


     

       
119

       

       
-

       
      EnvironmentFile = config.age.secrets.pingvin-secrets.path;


     

       
120

       

       
-

       
      User = cfg.user;


     

       
121

       

       
-

       
      Group = cfg.group;


     

       
122

       

       
-

       
      ReadWritePaths = [ "${cfg.dataDir}" ];


     

       
123

       

       
-

       
    };


     

       
124

       

       
-

       
  };


     

       
125

       

       
-

       
  age.secrets.pingvin-secrets = {


     

       
126

       

       
-

       
    file = ./secrets/pingvin-secrets.age;


     

       
127

       

       
-

       
    owner = cfg.user;


     

       
128

       

       
-

       
    group = cfg.group;


     

       
129

       

       
-

       
  };


     

       
130

       

       
-

       
}
+97 -30
hosts/marvin/services/planka.nix 
···

       
1

       
1

       
 

       
{


     

       

       
2

       
+

       
  lib,


     

       
2

       
3

       
 

       
  config,


     

       
3

       

       
-

       
  self',


     

       
4

       
4

       
 

       
  self,


     

       

       
5

       
+

       
  self',


     

       

       
6

       
+

       
  pkgs,


     

       
5

       
7

       
 

       
  ...


     

       
6

       
8

       
 

       
}:


     

       
7

       
9

       
 

       
let


     

       
8

       

       
-

       
  dataDir = "/var/lib/planka";


     

       
9

       
10

       
 

       
  d = self.lib.data.services.planka;


     

       

       
11

       
+

       



     

       

       
12

       
+

       
  commonServiceConfig = {


     

       

       
13

       
+

       
    EnvironmentFile = config.age.secrets.planka-env.path;


     

       

       
14

       
+

       
    StateDirectory = "planka";


     

       

       
15

       
+

       
    WorkingDirectory = "/var/lib/planka";


     

       

       
16

       
+

       
    User = "planka";


     

       

       
17

       
+

       
    Group = "planka";


     

       

       
18

       
+

       



     

       

       
19

       
+

       
    # Hardening


     

       

       
20

       
+

       
    LockPersonality = true;


     

       

       
21

       
+

       
    NoNewPrivileges = true;


     

       

       
22

       
+

       
    PrivateDevices = true;


     

       

       
23

       
+

       
    PrivateMounts = true;


     

       

       
24

       
+

       
    PrivateTmp = true;


     

       

       
25

       
+

       
    PrivateUsers = true;


     

       

       
26

       
+

       
    ProtectClock = true;


     

       

       
27

       
+

       
    ProtectControlGroups = true;


     

       

       
28

       
+

       
    ProtectHome = true;


     

       

       
29

       
+

       
    ProtectHostname = true;


     

       

       
30

       
+

       
    ProtectKernelLogs = true;


     

       

       
31

       
+

       
    ProtectKernelModules = true;


     

       

       
32

       
+

       
    ProtectKernelTunables = true;


     

       

       
33

       
+

       
    ProtectProc = "invisible";


     

       

       
34

       
+

       
    RemoveIPC = true;


     

       

       
35

       
+

       
    RestrictRealtime = true;


     

       

       
36

       
+

       
    RestrictSUIDSGID = true;


     

       

       
37

       
+

       
    UMask = "0660";


     

       

       
38

       
+

       
    RestrictAddressFamilies = [


     

       

       
39

       
+

       
      "AF_UNIX"


     

       

       
40

       
+

       
      "AF_INET"


     

       

       
41

       
+

       
      "AF_INET6"


     

       

       
42

       
+

       
    ];


     

       

       
43

       
+

       
  };


     

       
10

       
44

       
 

       
in


     

       
11

       
45

       
 

       
{


     

       
12

       

       
-

       
  virtualisation.oci-containers.containers = {


     

       
13

       

       
-

       
    planka-server = {


     

       
14

       

       
-

       
      image = "ghcr.io/plankanban/planka:latest";


     

       
15

       

       
-

       
      ports = [ "${toString d.port}:1337" ];


     

       
16

       

       
-

       
      environment = {


     

       
17

       

       
-

       
        BASE_URL = "https://${d.extUrl}";


     

       
18

       

       
-

       
        DATABASE_URL = "postgresql://planka@planka-db/planka";


     

       
19

       

       
-

       
        # Default Admin


     

       
20

       

       
-

       
        DEFAULT_ADMIN_EMAIL = "pyrox@pyrox.dev";


     

       
21

       

       
-

       
        DEFAULT_ADMIN_USERNAME = "pyrox";


     

       

       
46

       
+

       
  systemd = {


     

       

       
47

       
+

       
    tmpfiles.settings = {


     

       

       
48

       
+

       
      "10-planka"."/var/lib/planka".d = {


     

       

       
49

       
+

       
        group = "planka";


     

       

       
50

       
+

       
        user = "planka";


     

       

       
51

       
+

       
        mode = "0755";


     

       
22

       
52

       
 

       
      };


     

       
23

       

       
-

       
      environmentFiles = [ config.age.secrets.planka-env.path ];


     

       
24

       

       
-

       
      volumes = [


     

       
25

       

       
-

       
        "${dataDir}/user-avatars:/app/public/user-avatars"


     

       
26

       

       
-

       
        "${dataDir}/project-background-images:/app/public/project-background-images"


     

       
27

       

       
-

       
        "${dataDir}/attachments:/app/private/attachments"


     

       
28

       

       
-

       
      ];


     

       
29

       

       
-

       
      extraOptions = [ "--network=planka" ];


     

       
30

       
53

       
 

       
    };


     

       
31

       

       
-

       
    planka-db = {


     

       
32

       

       
-

       
      image = "postgres:16-alpine";


     

       
33

       

       
-

       
      volumes = [ "${dataDir}/db:/var/lib/postgresql/data" ];


     

       
34

       

       
-

       
      environment = {


     

       
35

       

       
-

       
        POSTGRES_USER = "planka";


     

       
36

       

       
-

       
        POSTGRES_DB = "planka";


     

       
37

       

       
-

       
        POSTGRES_HOST_AUTH_METHOD = "trust";


     

       

       
54

       
+

       
    services = {


     

       

       
55

       
+

       
      planka-init-db = {


     

       

       
56

       
+

       
        wantedBy = [ "multi-user.target" ];


     

       

       
57

       
+

       
        after = [ "postgres.target" ];


     

       

       
58

       
+

       
        description = "Planka Kanban Database Init Script";


     

       

       
59

       
+

       
        path = [


     

       

       
60

       
+

       
          pkgs.nodejs


     

       

       
61

       
+

       
        ];


     

       

       
62

       
+

       
        script = ''


     

       

       
63

       
+

       
          if [ ! -f /var/lib/planka/db-init-ran ]; then


     

       

       
64

       
+

       
            node run ${self'.packages.planka}/lib/node_modules/planka/db/init.js && \


     

       

       
65

       
+

       
            touch /var/lib/planka/db-init-ran


     

       

       
66

       
+

       
          fi


     

       

       
67

       
+

       
        '';


     

       

       
68

       
+

       
        serviceConfig = commonServiceConfig // {


     

       

       
69

       
+

       
          Type = "oneshot";


     

       

       
70

       
+

       
          SyslogIdentifier = "planka-init-db";


     

       

       
71

       
+

       
        };


     

       

       
72

       
+

       
      };


     

       

       
73

       
+

       
      planka-server = {


     

       

       
74

       
+

       
        after = [ "planka-init-db.service" ];


     

       

       
75

       
+

       
        wantedBy = [ "multi-user.target" ];


     

       

       
76

       
+

       
        description = "Planka Kanban Server";


     

       

       
77

       
+

       
        documentation = [ "https://docs.planka.cloud" ];


     

       

       
78

       
+

       
        environment = {


     

       

       
79

       
+

       
          DATABASE_URL = "postgresql://%2Frun%2Fpostgresql/planka";


     

       

       
80

       
+

       
          DEFAULT_ADMIN_EMAIL = "pyrox@pyrox.dev";


     

       

       
81

       
+

       
          DEFAULT_ADMIN_USERNAME = "pyrox";


     

       

       
82

       
+

       
          TRUST_PROXY = "true";


     

       

       
83

       
+

       
          DEFAULT_LANGUAGE = "en-US";


     

       

       
84

       
+

       
          BASE_URL = "https://${d.extUrl}";


     

       

       
85

       
+

       
          NODE_ENV = "production";


     

       

       
86

       
+

       
        };


     

       

       
87

       
+

       
        serviceConfig = commonServiceConfig // {


     

       

       
88

       
+

       
          Type = "simple";


     

       

       
89

       
+

       
          ExecStart = "${lib.getExe self'.packages.planka} --port ${toString d.port}";


     

       

       
90

       
+

       
          SyslogIdentifier = "planka";


     

       

       
91

       
+

       
        };


     

       
38

       
92

       
 

       
      };


     

       
39

       

       
-

       
      extraOptions = [ "--network=planka" ];


     

       
40

       
93

       
 

       
    };


     

       
41

       
94

       
 

       
  };


     

       

       
95

       
+

       
  users.users.planka = {


     

       

       
96

       
+

       
    isSystemUser = true;


     

       

       
97

       
+

       
    group = "planka";


     

       

       
98

       
+

       
  };


     

       

       
99

       
+

       
  users.groups.planka = { };


     

       

       
100

       
+

       
  services.postgresql = {


     

       

       
101

       
+

       
    ensureUsers = [


     

       

       
102

       
+

       
      {


     

       

       
103

       
+

       
        name = "planka";


     

       

       
104

       
+

       
        ensureDBOwnership = true;


     

       

       
105

       
+

       
        ensureClauses.login = true;


     

       

       
106

       
+

       
      }


     

       

       
107

       
+

       
    ];


     

       

       
108

       
+

       
    ensureDatabases = [ "planka" ];


     

       

       
109

       
+

       
  };


     

       
42

       
110

       
 

       
  age.secrets.planka-env = {


     

       
43

       
111

       
 

       
    file = ./secrets/planka-env.age;


     

       
44

       

       
-

       
    owner = "thehedgehog";


     

       
45

       

       
-

       
    group = "misc";


     

       

       
112

       
+

       
    owner = "planka";


     

       

       
113

       
+

       
    group = "planka";


     

       
46

       
114

       
 

       
  };


     

       
47

       
115

       
 

       
  services.anubis.instances.planka = {


     

       
48

       
116

       
 

       
    settings = {


     

       
49

       
117

       
 

       
      COOKIE_DOMAIN = ".cs2a.club";


     

       
50

       
118

       
 

       
      BIND = ":${toString d.anubis}";


     

       
51

       

       
-

       
      POLICY_FNAME = "${self'.packages.anubis-files}/policies/planka.yaml";


     

       
52

       
119

       
 

       
      TARGET = "http://localhost:${toString d.port}";


     

       
53

       
120

       
 

       
    };


     

       
54

       
121

       
 

       
  };
-2
hosts/marvin/services/pocket-id.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  config,


     

       
3

       

       
-

       
  self',


     

       
4

       
3

       
 

       
  self,


     

       
5

       
4

       
 

       
  ...


     

       
6

       
5

       
 

       
}:


     
···

       
43

       
42

       
 

       
    pocket-id = {


     

       
44

       
43

       
 

       
      settings = {


     

       
45

       
44

       
 

       
        BIND = ":${toString d.anubis}";


     

       
46

       

       
-

       
        POLICY_FNAME = "${self'.packages.anubis-files}/policies/pocket-id.yaml";


     

       
47

       
45

       
 

       
        TARGET = "http://localhost:${toString d.port}";


     

       
48

       
46

       
 

       
      };


     

       
49

       
47

       
 

       
    };
+23 -23
hosts/marvin/services/postgres.nix 
···

       
1

       

       
-

       
{ pkgs, config, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  cfg = config.services.postgresql;


     

       
4

       

       
-

       
in


     

       

       
1

       
+

       
{ pkgs, ... }:


     

       

       
2

       
+

       
# let


     

       

       
3

       
+

       
#   cfg = config.services.postgresql;


     

       

       
4

       
+

       
# in


     

       
5

       
5

       
 

       
{


     

       
6

       
6

       
 

       
  services.postgresql = {


     

       
7

       
7

       
 

       
    enable = true;


     
···

       
28

       
28

       
 

       
      max_parallel_maintenance_workers = 4;


     

       
29

       
29

       
 

       
    };


     

       
30

       
30

       
 

       
  };


     

       
31

       

       
-

       
  systemd.timers.pg-autovacuum = {


     

       
32

       

       
-

       
    description = "Timer for Postgres Autovacuum";


     

       
33

       

       
-

       
    timerConfig = {


     

       
34

       

       
-

       
      OnCalendar = "*-*-* 01:00:00";


     

       
35

       

       
-

       
      Unit = "pg-autovacuum.service";


     

       
36

       

       
-

       
    };


     

       
37

       

       
-

       
  };


     

       
38

       

       
-

       
  systemd.services.pg-autovacuum = {


     

       
39

       

       
-

       
    description = "Vacuum all Postgres databases.";


     

       
40

       

       
-

       
    requisite = [ "postgresql.service" ];


     

       
41

       

       
-

       
    wantedBy = [ "multi-user.target" ];


     

       
42

       

       
-

       
    serviceConfig = {


     

       
43

       

       
-

       
      Type = "oneshot";


     

       
44

       

       
-

       
      User = "postgres";


     

       
45

       

       
-

       
      Group = "postgres";


     

       
46

       

       
-

       
      SyslogIdentifier = "pg-autovacuum";


     

       
47

       

       
-

       
      ExecStart = "${cfg.package}/bin/vacuumdb --all --echo --jobs=6 --parallel=5 --analyze --verbose";


     

       
48

       

       
-

       
    };


     

       
49

       

       
-

       
  };


     

       

       
31

       
+

       
  # systemd.timers.pg-autovacuum = {


     

       

       
32

       
+

       
  #   description = "Timer for Postgres Autovacuum";


     

       

       
33

       
+

       
  #   timerConfig = {


     

       

       
34

       
+

       
  #     OnCalendar = "*-*-* 01:00:00";


     

       

       
35

       
+

       
  #     Unit = "pg-autovacuum.service";


     

       

       
36

       
+

       
  #   };


     

       

       
37

       
+

       
  # };


     

       

       
38

       
+

       
  # systemd.services.pg-autovacuum = {


     

       

       
39

       
+

       
  #   description = "Vacuum all Postgres databases.";


     

       

       
40

       
+

       
  #   requisite = [ "postgresql.service" ];


     

       

       
41

       
+

       
  #   wantedBy = [ "multi-user.target" ];


     

       

       
42

       
+

       
  #   serviceConfig = {


     

       

       
43

       
+

       
  #     Type = "oneshot";


     

       

       
44

       
+

       
  #     User = "postgres";


     

       

       
45

       
+

       
  #     Group = "postgres";


     

       

       
46

       
+

       
  #     SyslogIdentifier = "pg-autovacuum";


     

       

       
47

       
+

       
  #     ExecStart = "${cfg.package}/bin/vacuumdb --all --echo --jobs=6 --parallel=5 --analyze --verbose";


     

       

       
48

       
+

       
  #   };


     

       

       
49

       
+

       
  # };


     

       
50

       
50

       
 

       
}
-14
hosts/marvin/services/prosody.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  # deadnix: skip


     

       
3

       

       
-

       
  config,


     

       
4

       

       
-

       
  # deadnix: skip


     

       
5

       

       
-

       
  pkgs,


     

       
6

       

       
-

       
  # deadnix: skip


     

       
7

       

       
-

       
  lib,


     

       
8

       

       
-

       
  ...


     

       
9

       

       
-

       
}:


     

       
10

       

       
-

       
{


     

       
11

       

       
-

       
  services.prosody = {


     

       
12

       

       
-

       
    enable = true;


     

       
13

       

       
-

       
  };


     

       
14

       

       
-

       
}
-12
hosts/marvin/services/redlib.nix 
···

       
1

       

       
-

       
{ pkgs, self, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  d = self.lib.data.services.redlib;


     

       
4

       

       
-

       
in


     

       
5

       

       
-

       
{


     

       
6

       

       
-

       
  services.libreddit = {


     

       
7

       

       
-

       
    inherit (d) port;


     

       
8

       

       
-

       
    enable = true;


     

       
9

       

       
-

       
    package = pkgs.redlib;


     

       
10

       

       
-

       
    openFirewall = false;


     

       
11

       

       
-

       
  };


     

       
12

       

       
-

       
}
+1 -1
hosts/marvin/services/scrutiny.nix 
···

       
9

       
9

       
 

       
    settings = {


     

       
10

       
10

       
 

       
      web = {


     

       
11

       
11

       
 

       
        listen = {


     

       
12

       

       
-

       
          port = d.port;


     

       

       
12

       
+

       
          inherit (d) port;


     

       
13

       
13

       
 

       
        };


     

       
14

       
14

       
 

       
        influxdb.tls.insecure_skip_verify = true;


     

       
15

       
15

       
 

       
      };
-23
hosts/marvin/services/secrets/iceshrimp-db-password.age 
···

       
1

       

       
-

       
age-encryption.org/v1


     

       
2

       

       
-

       
-> ssh-ed25519 iqBxIA g+DkjSGDd+i/sdqRCuU2I2Qzmq4Q+FI7wSyfkdM9q0Q


     

       
3

       

       
-

       
cG52xAS/VPjCNgHdky0/jbMvF5tF+cB8BxFNCHYlf2s


     

       
4

       

       
-

       
-> ssh-rsa fFaiTA


     

       
5

       

       
-

       
r5mQer6QBi+HdSS16OLHfv/oh0hbug5drdX/BuQHMORogiDfHEM03K6pmg9064Ep


     

       
6

       

       
-

       
CJgl6z3IS9hlLX7cSq2kVSvP9gk+l5AmI+pMZkJyT9ED43g6wtRI7yiy1ALO0rqB


     

       
7

       

       
-

       
z/CPaoLkFNFlt7sDg5rijAB+t6DNAxULfFj8KR3b+NvGrrW6Vbaio+T5mg1A2PTd


     

       
8

       

       
-

       
60eEfuqdn9dHVI82FQFmai1LwoyButrUNn3UiP8aIdvFUueixcqsAXSK1zjPJZ5B


     

       
9

       

       
-

       
VeAkshwhB9+HKMH1cyRa6LUbzJYxAQBhkgTFqS/r64h3ZAYHTc0lY44VtVhbnEQI


     

       
10

       

       
-

       
76PBEOcQXXjvPR6yvbcVZfpqCkqfo9hb7wogPfJiRMjKM/qlpR19KOf21T0hsV6q


     

       
11

       

       
-

       
b7nYf01yBscx6GKXREkZoxgpo6iLLzVQqU5SzQgs7nxW089JdJ62WoZvJwTxv2G8


     

       
12

       

       
-

       
AdzImnsw73q55MgOYtv/A3hGM8O1Jw4Q4UfMSS43xB+cuvtlEmSqi5mFh0gPbqQR


     

       
13

       

       
-

       
LN8+OcDLz0SR8U6xHj9ufXfhHc4nwO8iZpzav5nZXMEb3Gmva3k8U+nnmuPKqsrL


     

       
14

       

       
-

       
VxFmGNxqmWPfxO0FJC/cxLKME/Lj2MU9r6KT8RQ00BjHUfoDgbFzHVLqIEbIE+Vr


     

       
15

       

       
-

       
/Glcmz/Ecrt3kTwfAhEDpj6g0XVNHt7HA+r4SDWjI00


     

       
16

       

       
-

       
-> ssh-ed25519 wpmdHA LUF/UncaQTEMQepVAhEqFm345dICeW3d3QGhiflTSH8


     

       
17

       

       
-

       
ImxpR4innOw1jMSF4gvmOGRDl0BzqAhOyz+GFstsJG4


     

       
18

       

       
-

       
-> Cg-grease k7q9


     

       
19

       

       
-

       
MLRf60C4nbEc9XHo26cg7UYySbZtOMP2kZtZmvLiS1XFeIqQaR0RgRcUOoTblYzo


     

       
20

       

       
-

       
KQ


     

       
21

       

       
-

       
--- PV6HHY8kDdpFcgNu83K/cwz4qQCW38jcHkTOkCunxrk


     

       
22

       

       
-

       
�*ǜ�lq��^��fʀ���l�� R��C}Մ�ɧ���F�ĩ�&�~h�


     

       
23

       

       
-

       
̟�r��6ʞac,����lc�
>
hosts/marvin/services/secrets/iceshrimp-secret-config.age

This is a binary file and will not be displayed.

+19
hosts/marvin/services/secrets/immich/mail-pw.age 
···

       

       
1

       
+

       
age-encryption.org/v1


     

       

       
2

       
+

       
-> ssh-ed25519 iqBxIA 3PVJMF6BgxuDxN9NAEYqcZaYEUhK9TB5XprRyW13Kx0


     

       

       
3

       
+

       
AIQQG+4/9SVPcfq9ZtL/JsWDmLvW03UiAJaJ1nHSckQ


     

       

       
4

       
+

       
-> ssh-rsa fFaiTA


     

       

       
5

       
+

       
ZPBI1w2a48Md+Rt92ssVcfxN26zTLCEalT+jG8SJBv07ouOzd4ibPq65m6uOQU/+


     

       

       
6

       
+

       
EEgHe23fGsPP4oISWDUgVFxesLA3wjsTWmbVrkrBzGQNeNnevIRMcJu7vWDtby/+


     

       

       
7

       
+

       
dVxPQIoXH0jPlcDQCm2lwOGD+du+Nb4PnVseRPDaXRypKKmx+J057FQemYBk4OWx


     

       

       
8

       
+

       
yUfbKV2gHHcuRTVUQG6XAQwWvhh4e25fyc+MzKZNPUK4c/SVibjAsUH+Edd+NaV5


     

       

       
9

       
+

       
yxku5k4TFZkU69sl2zCdgWfYVTowTGYGyf4Kf+I/kl9m13zIk9vRpocgt4APaJnv


     

       

       
10

       
+

       
p+KxJvbYRiprWl+IzZg6TwXY5mA1IbvlppR4aak1pwaIE76CgF5mGNDGkviGndtP


     

       

       
11

       
+

       
+eCMIocp6lk2U0dJEYkBtmjNbxFh3dxOcirgdNDypYPlZTSGvSRGhpL4nUJRsR+l


     

       

       
12

       
+

       
A7rJ5aHH2B4Vi93zgSV0PWiWSA7899bzgN1kQKKIgYln6Tl8UxQSNt5L3L4VajuW


     

       

       
13

       
+

       
3UqCltyGWt/926BMS+GrDZSWCEtVsDs5XQqDKEx6D+iviHZJXniI+RhH/eM7FLjp


     

       

       
14

       
+

       
iXgCRkBIALo2lOiScpr2rtfGDViq3Nh64cIslEPiewjVFTCxkxH+LuQ1stukrNki


     

       

       
15

       
+

       
IF0+pZ65rgatMAdnZRFXfRxmywKD99z4WRHAxvYloXc


     

       

       
16

       
+

       
-> ssh-ed25519 wpmdHA SQlzD3yqbnoF0JHqPFFDUugbm8jlBsdntLzF/WlJbjo


     

       

       
17

       
+

       
FggpB1k5xbq62QNlwkocwjiWhEqNjHAxR/GwoPhXbC8


     

       

       
18

       
+

       
--- 1g4f2OQbS5iXm/cqBamEWuapvZHorxfX7wHizfPcYsc


     

       

       
19

       
+

       
�z�92�LN=9���$O���fP���E���~�.��}7�eڰq��y�N�I�L����"%�V�lz'�أ�
+19
hosts/marvin/services/secrets/immich/oauth-secret.age 
···

       

       
1

       
+

       
age-encryption.org/v1


     

       

       
2

       
+

       
-> ssh-ed25519 iqBxIA 4osfKV5/wFT7mCdc4TjP7pJHdD8wzV7VKKiBSGRqImk


     

       

       
3

       
+

       
wU6RSxJh8SBbXbiwCl4lXD/m1THoAg5n1Y7pyKFPiec


     

       

       
4

       
+

       
-> ssh-rsa fFaiTA


     

       

       
5

       
+

       
RTHaBLsBWbDEmY80LktVL/C6CeFinLm3/4t/hoWmbzLLoElBL86EGVdrE5ovjUYl


     

       

       
6

       
+

       
j5+ZacmqahwjCtF/ZGBt8MFkWOK9u90YDfLp+kb2ILVy/E+CcQ3xPpH9bf83pPl/


     

       

       
7

       
+

       
aZmttaRlhnhSDYVXB0lHx3u/cCrYhTf6TjEoVGZ/XrLW0BRmO6GSwcmTrachZzdJ


     

       

       
8

       
+

       
je+pf2ug//mnAJR0y4MxjGlNPD/Vaj/UiaFQjPT+7ZvUUSkbv/QpPqyhhosFA11e


     

       

       
9

       
+

       
1EGp21ppwUnJSNdYh2vulpQGurB5bPlv6Y8FpcFKivq/qKmA4ydyER3NcCca5Ly+


     

       

       
10

       
+

       
01jQ1HRqWylYJj7K4hnxSjnNlOXCrJATuPJYoNdt2U1DnolUAqL6JIP/qNmYx8Fb


     

       

       
11

       
+

       
ZrfFINBmPsNc9XJn14T4J+VB6e68ODBOvZdbzoBQOWAObnP5OH+zLYCB3II+aLPp


     

       

       
12

       
+

       
Zo5WsNBBdZih4EbO0Y9PNWBjyCzxqs7zXPg1PjjDVHN/tIpSGnqoCqCPGuePhgRV


     

       

       
13

       
+

       
h1gnP/lqOW2U1oL004hi3etsUsk3kXHjr35GXMVBeay+3uGXkZqhNYYSluQnJSrs


     

       

       
14

       
+

       
rzahZZ8/q0FDdlUixWHb2uQjL1XMTqUcw8wPsUak8shkx8s7GPKNxtEKFcK46jk4


     

       

       
15

       
+

       
ac9TCyee4HzPC/SWkLGFl0bt9s9lGTBSNQrVzogY/sg


     

       

       
16

       
+

       
-> ssh-ed25519 wpmdHA C6npqn5aqimGJlo+UlvYOoqXSu/hW1JVNAmBPP1Vvjk


     

       

       
17

       
+

       
gWzXqL92jI83iqSr3dydJo+UAz5OGBo6kw6QC4KRWgM


     

       

       
18

       
+

       
--- ltHFDmeAbJsQtyY4CKFEz8OGAkPkue/8upHNOOQgn5I


     

       

       
19

       
+

       
��O�ӌ#&`���P�IZ�#�[��+�tdeG�ui�����?n"��(��b� ]s�	y줔���
-20
hosts/marvin/services/secrets/pingvin-secrets.age 
···

       
1

       

       
-

       
age-encryption.org/v1


     

       
2

       

       
-

       
-> ssh-ed25519 iqBxIA HdZwcvp9cLpqrUp0M7sK7ipTslMxK0EYqFfS8xtYeDk


     

       
3

       

       
-

       
Ud7ismLtRG4RlugV3P5wRNjRe8HcJW0rAz/adadWCNc


     

       
4

       

       
-

       
-> ssh-rsa fFaiTA


     

       
5

       

       
-

       
KwjETLhUBpq8Hfp41rg3++syweOB+yNIIdd0KeS2YjxjbDfgwzRVoM+wlB/C3b4X


     

       
6

       

       
-

       
W0561y9+wsnB5A6k/peXLASfVodw30vI9LdW+nHejQr9v/UooXPztoJNrfgaKUow


     

       
7

       

       
-

       
PsLbLUj+M8Y4i22GRKrY6rrCfJk8F4a+2b0PzDc1EqUcZOjMV7aE+fQ4U7+FD1jv


     

       
8

       

       
-

       
xGmrKNRXNUL1j5GpPAi7E7YXuGj2SxjZOiisKqyep5KTEFyIJ04lrN/rtbi2vkEJ


     

       
9

       

       
-

       
ejAFg2jIvxAWiEzEUbjOLFzeIdpb8pPqQJ3OUF4U0crT/r5dxmJKxB0J7ktS6eEY


     

       
10

       

       
-

       
NZ4/CtY/kLXjo9sWc6G2UtWAm+myXKsxETxFtp/RQ6LXMjS+3xbzGvkAoY/fzVMt


     

       
11

       

       
-

       
zLGdOV0X/paLb1jGl9CHkflq7qrpkdgqc6I5nmsOCRLHrsiVWLaCVCvu2T1fpjCh


     

       
12

       

       
-

       
tP+Mwdjv5ONXduoGUOxjCT8IVv7ceTt93S/9cZakpDIFJ38I1XymrjuFLfbhLMVK


     

       
13

       

       
-

       
VMfo9cLhWyz2/DAKA4gKnmagUhnYO2vdNBzzM9dg0/ysrLoX71ujEcxB0tx21pkE


     

       
14

       

       
-

       
eB3LEfFH94Izzn9crNJ1YMUFCpFayedN2uQjv89LN2oHx+mUKemXCdl+AV2sLP7P


     

       
15

       

       
-

       
pi4/UDjKOcIeK8cSvqJtsemjUn7QJdOamH4/IpgFh5o


     

       
16

       

       
-

       
-> ssh-ed25519 wpmdHA X+4vtGSjMeIuSearcEfYA8Mv5kmghhItcE1n5BPWLSo


     

       
17

       

       
-

       
uYkj1VkPXs8mJu99J4GFth6LyqhWymEH5fsN0+5TDsw


     

       
18

       

       
-

       
--- Ql8rRuZH0kS1eDQ9EYB7mW+GvcHtjXcW/Wu1ZGhjpKI


     

       
19

       

       
-

       
虌d0dj̭�ھ�f����� g�D�+�q��W��d������%5��1�?�U��)�tܫ��[


     

       
20

       

       
-

       
S�DV�+��U�".� q�i�,g{}#y�@���3O/M~��CЎBV�š� }�=����*#�7�?Q��
+2 -3
hosts/marvin/services/secrets/secrets.nix 
···

       
27

       
27

       
 

       
  "golink-authkey.age".publicKeys = marvinDefault;


     

       
28

       
28

       
 

       
  "grafana-admin-password.age".publicKeys = marvinDefault;


     

       
29

       
29

       
 

       
  "grafana-smtp-password.age".publicKeys = marvinDefault;


     

       
30

       

       
-

       
  "iceshrimp-secret-config.age".publicKeys = marvinDefault;


     

       
31

       

       
-

       
  "iceshrimp-db-password.age".publicKeys = marvinDefault;


     

       

       
30

       
+

       
  "immich/oauth-secret.age".publicKeys = marvinDefault;


     

       

       
31

       
+

       
  "immich/mail-pw.age".publicKeys = marvinDefault;


     

       
32

       
32

       
 

       
  "jellyfin-exporter-config.age".publicKeys = marvinDefault;


     

       
33

       
33

       
 

       
  "minio-root.age".publicKeys = marvinDefault;


     

       
34

       
34

       
 

       
  "miniflux-admin.age".publicKeys = marvinDefault;


     

       
35

       
35

       
 

       
  "../nextcloud/nextcloud-admin-pw.age".publicKeys = marvinDefault;


     

       
36

       
36

       
 

       
  "nix-serve-priv.age".publicKeys = marvinDefault;


     

       
37

       
37

       
 

       
  "pinchflat-secrets.age".publicKeys = marvinDefault;


     

       
38

       

       
-

       
  "pingvin-secrets.age".publicKeys = marvinDefault;


     

       
39

       
38

       
 

       
  "planka-env.age".publicKeys = marvinDefault;


     

       
40

       
39

       
 

       
  "pocket-id-secrets.age".publicKeys = marvinDefault;


     

       
41

       
40

       
 

       
  "vaultwarden-vars.age".publicKeys = marvinDefault;
+27 -23
hosts/marvin/services/tangled.nix 
···

       
5

       
5

       
 

       
  ...


     

       
6

       
6

       
 

       
}:


     

       
7

       
7

       
 

       
let


     

       
8

       

       
-

       
  cfg = config.services.tangled-knot;


     

       

       
8

       
+

       
  cfg = config.services.tangled.knot;


     

       
9

       
9

       
 

       
  dk = self.lib.data.services.tangled-knot;


     

       
10

       
10

       
 

       
  ds = self.lib.data.services.tangled-spindle;


     

       
11

       
11

       
 

       
in


     

       
12

       
12

       
 

       
{


     

       
13

       
13

       
 

       
  services = {


     

       
14

       

       
-

       
    tangled-knot = {


     

       
15

       

       
-

       
      enable = true;


     

       
16

       

       
-

       
      gitUser = "git";


     

       
17

       

       
-

       
      stateDir = "/var/lib/tangled-knot";


     

       
18

       

       
-

       
      repo.scanPath = "${cfg.stateDir}/repos";


     

       
19

       

       
-

       
      server = {


     

       
20

       

       
-

       
        listenAddr = "0.0.0.0:${toString dk.port}";


     

       
21

       

       
-

       
        hostname = dk.extUrl;


     

       
22

       

       
-

       
        internalListenAddr = "127.0.0.1:${toString dk.intListenPort}";


     

       
23

       

       
-

       
        owner = "did:plc:5cqzysioqzttihsnbsaxrggu";


     

       

       
14

       
+

       
    tangled = {


     

       

       
15

       
+

       
      knot = {


     

       

       
16

       
+

       
        enable = true;


     

       

       
17

       
+

       
        gitUser = "git";


     

       

       
18

       
+

       
        stateDir = "/var/lib/tangled-knot";


     

       

       
19

       
+

       
        repo.scanPath = "${cfg.stateDir}/repos";


     

       

       
20

       
+

       
        server = {


     

       

       
21

       
+

       
          listenAddr = "0.0.0.0:${toString dk.port}";


     

       

       
22

       
+

       
          hostname = dk.extUrl;


     

       

       
23

       
+

       
          internalListenAddr = "127.0.0.1:${toString dk.intListenPort}";


     

       

       
24

       
+

       
          owner = "did:plc:5cqzysioqzttihsnbsaxrggu";


     

       

       
25

       
+

       
        };


     

       
24

       
26

       
 

       
      };


     

       
25

       

       
-

       
    };


     

       
26

       

       
-

       
    tangled-spindle = {


     

       
27

       

       
-

       
      enable = true;


     

       
28

       

       
-

       
      server = {


     

       
29

       

       
-

       
        listenAddr = "0.0.0.0:${toString ds.port}";


     

       
30

       

       
-

       
        hostname = ds.extUrl;


     

       
31

       

       
-

       
        owner = "did:plc:5cqzysioqzttihsnbsaxrggu";


     

       

       
27

       
+

       
      spindle = {


     

       

       
28

       
+

       
        enable = true;


     

       

       
29

       
+

       
        server = {


     

       

       
30

       
+

       
          listenAddr = "0.0.0.0:${toString ds.port}";


     

       

       
31

       
+

       
          hostname = ds.extUrl;


     

       

       
32

       
+

       
          owner = "did:plc:5cqzysioqzttihsnbsaxrggu";


     

       

       
33

       
+

       
        };


     

       

       
34

       
+

       
        pipelines.workflowTimeout = "10m";


     

       
32

       
35

       
 

       
      };


     

       
33

       

       
-

       
      pipelines.workflowTimeout = "10m";


     

       
34

       
36

       
 

       
    };


     

       
35

       

       
-

       
    openssh.enable = lib.mkForce cfg.enable;


     

       
36

       

       
-

       
    openssh.ports = [ 2222 ];


     

       
37

       

       
-

       
    openssh.settings.AllowUsers = [ "git" ];


     

       
38

       

       
-

       
    openssh.settings.AllowGroups = [ "git" ];


     

       

       
37

       
+

       
    openssh = {


     

       

       
38

       
+

       
      enable = lib.mkForce cfg.enable;


     

       

       
39

       
+

       
      ports = [ 2222 ];


     

       

       
40

       
+

       
      settings.AllowUsers = [ "git" ];


     

       

       
41

       
+

       
      settings.AllowGroups = [ "git" ];


     

       

       
42

       
+

       
    };


     

       
39

       
43

       
 

       
  };


     

       
40

       
44

       
 

       
}
+2 -27
hosts/marvin/services/vaultwarden.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       

       
-

       
  pkgs,


     

       
3

       
2

       
 

       
  config,


     

       
4

       
3

       
 

       
  self,


     

       
5

       
4

       
 

       
  self',


     
···

       
18

       
17

       
 

       
  services.vaultwarden = {


     

       
19

       
18

       
 

       
    enable = true;


     

       
20

       
19

       
 

       
    dbBackend = "postgresql";


     

       
21

       

       
-

       
    webVaultPackage = pkgs.vaultwarden-vault;


     

       
22

       
20

       
 

       
    config = {


     

       
23

       
21

       
 

       
      # Web Server Settings


     

       
24

       
22

       
 

       
      domain = "https://${d.extUrl}";


     

       
25

       

       
-

       
      webVaultFolder = "${pkgs.vaultwarden-vault}/share/vaultwarden/vault";


     

       
26

       
23

       
 

       
      rocketAddress = "0.0.0.0";


     

       
27

       
24

       
 

       
      rocketCliColors = false;


     

       
28

       
25

       
 

       
      rocketPort = d.port;


     

       
29

       

       
-

       
      websocketEnabled = true;


     

       
30

       

       
-

       
      ipHeader = "X-Real-IP";


     

       
31

       
26

       
 

       
      reloadTemplates = false;


     

       
32

       
27

       
 

       
      logTimestampFormat = "%Y-%m-%d %H:%M:%S.%3f";


     

       
33

       
28

       
 

       
      # # Ratelimiting


     
···

       
39

       
34

       
 

       



     

       
40

       
35

       
 

       
      # Logging


     

       
41

       
36

       
 

       
      useSyslog = true;


     

       
42

       

       
-

       
      logLevel = "info";


     

       
43

       
37

       
 

       
      extendedLogging = true;


     

       
44

       
38

       
 

       



     

       
45

       
39

       
 

       
      # Features


     
···

       
49

       
43

       
 

       



     

       
50

       
44

       
 

       
      # Invitations


     

       
51

       
45

       
 

       
      invitationsAllowed = true;


     

       
52

       

       
-

       
      invitationOrgName = "PyroNet Vault";


     

       

       
46

       
+

       
      invitationOrgName = "dishNet Vault";


     

       
53

       
47

       
 

       
      invitationExpirationHours = 168;


     

       
54

       
48

       
 

       



     

       
55

       
49

       
 

       
      # Database


     
···

       
58

       
52

       
 

       
      # Signups


     

       
59

       
53

       
 

       
      signupsAllowed = false;


     

       
60

       
54

       
 

       
      signupsVerify = true;


     

       
61

       

       
-

       
      signupsVerifyResendTime = 3600;


     

       
62

       

       
-

       
      signupsVerifyResendLimit = 5;


     

       
63

       
55

       
 

       
      signupsDomainWhitelist = "pyrox.dev";


     

       
64

       
56

       
 

       



     

       
65

       
57

       
 

       
      # Passwords


     
···

       
70

       
62

       
 

       



     

       
71

       
63

       
 

       
      # Mail


     

       
72

       
64

       
 

       
      smtpFrom = "vault@pyrox.dev";


     

       
73

       

       
-

       
      smtpFromName = "PyroNet Vault <vault@pyrox.dev>";


     

       

       
65

       
+

       
      smtpFromName = "dishNet Vault <vault@pyrox.dev>";


     

       
74

       
66

       
 

       
      smtpUsername = "vault@pyrox.dev";


     

       
75

       
67

       
 

       
      smtpSecurity = "force_tls";


     

       
76

       
68

       
 

       
      smtpPort = 465;


     
···

       
79

       
71

       
 

       
      smtpTimeout = 20;


     

       
80

       
72

       
 

       
      smtpEmbedImages = true;


     

       
81

       
73

       
 

       
      useSendmail = false;


     

       
82

       

       
-

       
      smtpDebug = false;


     

       
83

       

       
-

       
      smtpAcceptInvalidCerts = false;


     

       
84

       

       
-

       
      smtpAcceptInvalidHostnames = false;


     

       
85

       
74

       
 

       



     

       
86

       
75

       
 

       
      # Authentication


     

       
87

       

       
-

       
      authenticatorDisableTimeDrift = false;


     

       
88

       

       
-

       
      disable2faRemember = false;


     

       
89

       
76

       
 

       
      incomplete2faTimeLimit = 5;


     

       
90

       
77

       
 

       
      # # Email 2FA


     

       
91

       

       
-

       
      emailAttemptsLimit = 3;


     

       
92

       
78

       
 

       
      emailExpirationTime = 180;


     

       
93

       
79

       
 

       
      emailTokenSize = 7;


     

       
94

       
80

       
 

       
      requireDeviceEmail = true;


     

       
95

       
81

       
 

       



     

       
96

       

       
-

       
      # Icons


     

       
97

       

       
-

       
      disableIconDownload = false;


     

       
98

       

       
-

       
      iconService = "internal";


     

       
99

       

       
-

       
      iconRedirectCode = 302;


     

       
100

       

       
-

       
      iconDownloadTimeout = 10;


     

       
101

       

       
-

       
      iconBlacklistNonGlobalIps = true;


     

       
102

       

       
-

       
      # # 30 Day TTL


     

       
103

       

       
-

       
      iconCacheTtl = 30 * 24 * 60 * 60;


     

       
104

       

       
-

       
      iconCacheNegttl = 30 * 24 * 60 * 60;


     

       
105

       

       
-

       



     

       
106

       
82

       
 

       
      # Misc Settings


     

       
107

       
83

       
 

       
      trashAutoDeleteDays = 14;


     

       
108

       
84

       
 

       
    };


     

       
109

       
85

       
 

       
    environmentFile = config.age.secrets.vaultwarden-vars.path;


     

       
110

       
86

       
 

       
  };


     

       
111

       
87

       
 

       
  systemd.services.vaultwarden.environment.PGPASSFILE = config.age.secrets.vaultwarden-pgpass.path;


     

       
112

       

       
-

       
  environment.systemPackages = with pkgs; [ vaultwarden-vault ];


     

       
113

       
88

       
 

       
  age.secrets.vaultwarden-vars = vaultwardenSecret // {


     

       
114

       
89

       
 

       
    file = ./secrets/vaultwarden-vars.age;


     

       
115

       
90

       
 

       
  };
-23
hosts/marvin/services/webmentiond.nix 
···

       
1

       

       
-

       
{ config, self, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  d = self.lib.data.services.webmentiond;


     

       
4

       

       
-

       
  p = toString d.port;


     

       
5

       

       
-

       
in


     

       
6

       

       
-

       
{


     

       
7

       

       
-

       
  virtualisation.oci-containers.containers.webmentiond = {


     

       
8

       

       
-

       
    image = "zerok/webmentiond:latest";


     

       
9

       

       
-

       
    volumes = [ "/var/lib/webmentiond:/data" ];


     

       
10

       

       
-

       
    environmentFiles = [ config.age.secrets.webmentiond-env.path ];


     

       
11

       

       
-

       
    ports = [ "${p}:${p}" ];


     

       
12

       

       
-

       
    cmd = [


     

       
13

       

       
-

       
      "--addr 0.0.0.0:${p}"


     

       
14

       

       
-

       
      "--public-url https://${d.extUrl}"


     

       
15

       

       
-

       
      "--auth-admin-emails pyrox@pyrox.dev"


     

       
16

       

       
-

       
    ];


     

       
17

       

       
-

       
  };


     

       
18

       

       
-

       
  config.age.secrets = {


     

       
19

       

       
-

       
    webmentiond-env.path = ./secrets/webmentiond-env.age;


     

       
20

       

       
-

       
    owner = "thehedgehog";


     

       
21

       

       
-

       
    group = "misc";


     

       
22

       

       
-

       
  };


     

       
23

       

       
-

       
}
+4 -4
hosts/prefect/bootloader.nix 
···

       
32

       
32

       
 

       
    supportedFilesystems = fileSystems;


     

       
33

       
33

       
 

       
    kernelPackages = pkgs.linuxPackages_6_1;


     

       
34

       
34

       
 

       
    kernel.sysctl = {


     

       
35

       

       
-

       
      "net.ipv4.ip_forward" = 1;


     

       
36

       

       
-

       
      "net.ipv6.conf.all.forwarding" = 1;


     

       
37

       

       
-

       
      "net.ipv4.conf.default.rp_filter" = 0;


     

       
38

       

       
-

       
      "net.ipv4.conf.all.rp_filter" = 0;


     

       

       
35

       
+

       
      "net.ipv4.ip_forward" = true;


     

       

       
36

       
+

       
      "net.ipv6.conf.all.forwarding" = true;


     

       

       
37

       
+

       
      "net.ipv4.conf.default.rp_filter" = false;


     

       

       
38

       
+

       
      "net.ipv4.conf.all.rp_filter" = false;


     

       
39

       
39

       
 

       
    };


     

       
40

       
40

       
 

       
  };


     

       
41

       
41

       
 

       
  services.udev.extraRules = ''
+2 -8
hosts/prefect/default.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  pkgs,


     

       
3

       

       
-

       
  system,


     

       
4

       
3

       
 

       
  inputs,


     

       
5

       
4

       
 

       
  ...


     

       
6

       
5

       
 

       
}:


     
···

       
22

       
21

       
 

       



     

       
23

       
22

       
 

       
    # Running Services


     

       
24

       
23

       
 

       
    ./services/acme.nix


     

       
25

       

       
-

       
    # ./services/blog-update.nix


     

       
26

       
24

       
 

       
    ./services/caddy.nix


     

       
27

       

       
-

       
    # ./services/dn42-peerfinder.nix


     

       
28

       
25

       
 

       
    ./services/fail2ban.nix


     

       
29

       

       
-

       
    # ./services/headscale.nix


     

       
30

       
26

       
 

       
    ./services/mailserver


     

       
31

       

       
-

       
    ./services/mailserver/stalwart


     

       
32

       

       
-

       
    # ./services/netdata.nix


     

       
33

       

       
-

       
    # ./services/nginx


     

       
34

       
27

       
 

       
    ./services/prometheus.nix


     

       
35

       
28

       
 

       
    ./services/secrets.nix


     

       
36

       
29

       
 

       
    ./services/tailscale.nix


     

       
37

       

       
-

       
    # ./services/zerotier.nix


     

       
38

       
30

       
 

       
  ];


     

       
39

       
31

       
 

       
  fileSystems = {


     

       
40

       
32

       
 

       
    "/" = {


     
···

       
59

       
51

       
 

       
    };


     

       
60

       
52

       
 

       
    services.scrutiny.collector.enable = false;


     

       
61

       
53

       
 

       
  };


     

       

       
54

       
+

       
  security.tpm2.enable = false;


     

       

       
55

       
+

       
  security.tpm2.abrmd.enable = false;


     

       
62

       
56

       
 

       
}
-109
hosts/prefect/dn42/bgp.nix 
···

       
1

       

       
-

       
_: {


     

       
2

       

       
-

       
  sessions = [


     

       
3

       

       
-

       
    # Chrismoos


     

       
4

       

       
-

       
    {


     

       
5

       

       
-

       
      multi = true;


     

       
6

       

       
-

       
      multihop = false;


     

       
7

       

       
-

       
      gracefulRestart = true;


     

       
8

       

       
-

       
      name = "chrismoos";


     

       
9

       

       
-

       
      neigh = "fe80::1588%wg42_chris";


     

       
10

       

       
-

       
      as = "4242421588";


     

       
11

       

       
-

       
      link = "1";


     

       
12

       

       
-

       
    }


     

       
13

       

       
-

       
    # Kioubit


     

       
14

       

       
-

       
    {


     

       
15

       

       
-

       
      multi = true;


     

       
16

       

       
-

       
      multihop = false;


     

       
17

       

       
-

       
      gracefulRestart = true;


     

       
18

       

       
-

       
      name = "kioubit";


     

       
19

       

       
-

       
      neigh = "fe80::ade0%wg42_kioubit";


     

       
20

       

       
-

       
      as = "4242423914";


     

       
21

       

       
-

       
      link = "3";


     

       
22

       

       
-

       
    }


     

       
23

       

       
-

       
    # IEDON


     

       
24

       

       
-

       
    {


     

       
25

       

       
-

       
      multi = true;


     

       
26

       

       
-

       
      multihop = false;


     

       
27

       

       
-

       
      gracefulRestart = true;


     

       
28

       

       
-

       
      name = "ideon";


     

       
29

       

       
-

       
      neigh = "fe80::2189:e8%wg42_iedon";


     

       
30

       

       
-

       
      as = "4242422189";


     

       
31

       

       
-

       
      link = "5";


     

       
32

       

       
-

       
    }


     

       
33

       

       
-

       
    # SUNNET


     

       
34

       

       
-

       
    {


     

       
35

       

       
-

       
      multi = true;


     

       
36

       

       
-

       
      multihop = false;


     

       
37

       

       
-

       
      gracefulRestart = true;


     

       
38

       

       
-

       
      name = "sunnet";


     

       
39

       

       
-

       
      neigh = "fe80::3088:193%wg42_sunnet";


     

       
40

       

       
-

       
      as = "4242423088";


     

       
41

       

       
-

       
      link = "3";


     

       
42

       

       
-

       
    }


     

       
43

       

       
-

       
    # C4TG1RL5


     

       
44

       

       
-

       
    {


     

       
45

       

       
-

       
      multi = true;


     

       
46

       

       
-

       
      multihop = false;


     

       
47

       

       
-

       
      gracefulRestart = true;


     

       
48

       

       
-

       
      name = "c4tg1rl5";


     

       
49

       

       
-

       
      neigh = "fe80::4242%wg42_catgirls";


     

       
50

       

       
-

       
      as = "4242421411";


     

       
51

       

       
-

       
      link = "6";


     

       
52

       

       
-

       
    }


     

       
53

       

       
-

       
    # Potat0


     

       
54

       

       
-

       
    {


     

       
55

       

       
-

       
      multi = true;


     

       
56

       

       
-

       
      multihop = false;


     

       
57

       

       
-

       
      gracefulRestart = true;


     

       
58

       

       
-

       
      name = "potato";


     

       
59

       

       
-

       
      neigh = "fe80::1816%wg42_potato";


     

       
60

       

       
-

       
      as = "4242421816";


     

       
61

       

       
-

       
      link = "2";


     

       
62

       

       
-

       
    }


     

       
63

       

       
-

       
    # Uffsalot-v6


     

       
64

       

       
-

       
    {


     

       
65

       

       
-

       
      multi = false;


     

       
66

       

       
-

       
      v4 = false;


     

       
67

       

       
-

       
      v6 = true;


     

       
68

       

       
-

       
      multihop = false;


     

       
69

       

       
-

       
      gracefulRestart = true;


     

       
70

       

       
-

       
      name = "uffsalot_v6";


     

       
71

       

       
-

       
      neigh = "fe80::780%wg42_uffsalot";


     

       
72

       

       
-

       
      as = "4242420780";


     

       
73

       

       
-

       
      link = "5";


     

       
74

       

       
-

       
    }


     

       
75

       

       
-

       
    # Uffsalot-v6


     

       
76

       

       
-

       
    {


     

       
77

       

       
-

       
      multi = false;


     

       
78

       

       
-

       
      v4 = true;


     

       
79

       

       
-

       
      v6 = false;


     

       
80

       

       
-

       
      multihop = false;


     

       
81

       

       
-

       
      gracefulRestart = true;


     

       
82

       

       
-

       
      name = "uffsalot_v4";


     

       
83

       

       
-

       
      neigh = "172.20.191.129";


     

       
84

       

       
-

       
      as = "4242420780";


     

       
85

       

       
-

       
      link = "5";


     

       
86

       

       
-

       
    }


     

       
87

       

       
-

       
    # Bandura


     

       
88

       

       
-

       
    {


     

       
89

       

       
-

       
      multi = true;


     

       
90

       

       
-

       
      multihop = false;


     

       
91

       

       
-

       
      gracefulRestart = true;


     

       
92

       

       
-

       
      name = "bandura";


     

       
93

       

       
-

       
      neigh = "fe80::2926%wg42_bandura";


     

       
94

       

       
-

       
      as = "4242422923";


     

       
95

       

       
-

       
      link = "4";


     

       
96

       

       
-

       
    }


     

       
97

       

       
-

       
    # Bluemedia


     

       
98

       

       
-

       
    {


     

       
99

       

       
-

       
      multi = true;


     

       
100

       

       
-

       
      multihop = false;


     

       
101

       

       
-

       
      gracefulRestart = true;


     

       
102

       

       
-

       
      name = "bluemedia";


     

       
103

       

       
-

       
      neigh = "fe80::42:3343:20:1%wg42_bluemedia";


     

       
104

       

       
-

       
      as = "4242423343";


     

       
105

       

       
-

       
      link = "5";


     

       
106

       

       
-

       
    }


     

       
107

       

       
-

       
  ];


     

       
108

       

       
-

       
  extraConfig = "";


     

       
109

       

       
-

       
}
-315
hosts/prefect/dn42/bird.conf 
···

       
1

       

       
-

       
log stderr all;


     

       
2

       

       
-

       
debug protocols all;


     

       
3

       

       
-

       
timeformat protocol iso long;


     

       
4

       

       
-

       
################################################


     

       
5

       

       
-

       
#               Variable header                #


     

       
6

       

       
-

       
################################################


     

       
7

       

       
-

       



     

       
8

       

       
-

       
define OWNAS =  4242422459;


     

       
9

       

       
-

       
define OWNIP =  172.20.43.96;


     

       
10

       

       
-

       
define OWNIPv6 = fd21:1500:66b0::1;


     

       
11

       

       
-

       
define OWNNET = 172.20.43.96/27;


     

       
12

       

       
-

       
define OWNNETv6 = fd21:1500:66b0::/48;


     

       
13

       

       
-

       
define OWNNETSET = [172.20.43.96/29+];


     

       
14

       

       
-

       
define OWNNETSETv6 = [fd21:1500:66b0::/48+];


     

       
15

       

       
-

       
define DN42_REGION = 42;


     

       
16

       

       
-

       



     

       
17

       

       
-

       
################################################


     

       
18

       

       
-

       
#                 Header end                   #


     

       
19

       

       
-

       
################################################


     

       
20

       

       
-

       



     

       
21

       

       
-

       
router id OWNIP;


     

       
22

       

       
-

       



     

       
23

       

       
-

       
protocol device {


     

       
24

       

       
-

       
    scan time 10;


     

       
25

       

       
-

       
}


     

       
26

       

       
-

       



     

       
27

       

       
-

       
/*


     

       
28

       

       
-

       
 *  Utility functions


     

       
29

       

       
-

       
 */


     

       
30

       

       
-

       



     

       
31

       

       
-

       
function is_self_net() {


     

       
32

       

       
-

       
  return net ~ OWNNETSET;


     

       
33

       

       
-

       
}


     

       
34

       

       
-

       



     

       
35

       

       
-

       
function is_self_net_v6() {


     

       
36

       

       
-

       
  return net ~ OWNNETSETv6;


     

       
37

       

       
-

       
}


     

       
38

       

       
-

       



     

       
39

       

       
-

       
function is_valid_network() {


     

       
40

       

       
-

       
  return net ~ [


     

       
41

       

       
-

       
    172.20.0.0/14{21,29}, # dn42


     

       
42

       

       
-

       
    172.20.0.0/24{28,32}, # dn42 Anycast


     

       
43

       

       
-

       
    172.21.0.0/24{28,32}, # dn42 Anycast


     

       
44

       

       
-

       
    172.22.0.0/24{28,32}, # dn42 Anycast


     

       
45

       

       
-

       
    172.23.0.0/24{28,32}, # dn42 Anycast


     

       
46

       

       
-

       
    172.31.0.0/16+,       # ChaosVPN


     

       
47

       

       
-

       
    10.100.0.0/14+,       # ChaosVPN


     

       
48

       

       
-

       
    10.127.0.0/16{16,32}, # neonetwork


     

       
49

       

       
-

       
    10.0.0.0/8{15,24}     # Freifunk.net


     

       
50

       

       
-

       
  ];


     

       
51

       

       
-

       
}


     

       
52

       

       
-

       



     

       
53

       

       
-

       
roa4 table dn42_roa;


     

       
54

       

       
-

       
roa6 table dn42_roa_v6;


     

       
55

       

       
-

       



     

       
56

       

       
-

       
protocol static {


     

       
57

       

       
-

       
    roa4 { table dn42_roa; };


     

       
58

       

       
-

       
    include "/etc/bird/roa_dn42.conf";


     

       
59

       

       
-

       
};


     

       
60

       

       
-

       



     

       
61

       

       
-

       
protocol static {


     

       
62

       

       
-

       
    roa6 { table dn42_roa_v6; };


     

       
63

       

       
-

       
    include "/etc/bird/roa_dn42_v6.conf";


     

       
64

       

       
-

       
};


     

       
65

       

       
-

       



     

       
66

       

       
-

       
function is_valid_network_v6() {


     

       
67

       

       
-

       
  return net ~ [


     

       
68

       

       
-

       
    fd00::/8{44,64} # ULA address space as per RFC 4193


     

       
69

       

       
-

       
  ];


     

       
70

       

       
-

       
}


     

       
71

       

       
-

       



     

       
72

       

       
-

       
protocol kernel {


     

       
73

       

       
-

       
    scan time 20;


     

       
74

       

       
-

       



     

       
75

       

       
-

       
    ipv6 {


     

       
76

       

       
-

       
        import none;


     

       
77

       

       
-

       
        export filter {


     

       
78

       

       
-

       
            if source = RTS_STATIC then reject;


     

       
79

       

       
-

       
            krt_prefsrc = OWNIPv6;


     

       
80

       

       
-

       
            accept;


     

       
81

       

       
-

       
        };


     

       
82

       

       
-

       
    };


     

       
83

       

       
-

       
};


     

       
84

       

       
-

       



     

       
85

       

       
-

       
protocol kernel {


     

       
86

       

       
-

       
    scan time 20;


     

       
87

       

       
-

       
    ipv4 {


     

       
88

       

       
-

       
        import none;


     

       
89

       

       
-

       
        export filter {


     

       
90

       

       
-

       
            if source = RTS_STATIC then reject;


     

       
91

       

       
-

       
            krt_prefsrc = OWNIP;


     

       
92

       

       
-

       
            accept;


     

       
93

       

       
-

       
        };


     

       
94

       

       
-

       
    };


     

       
95

       

       
-

       
}


     

       
96

       

       
-

       



     

       
97

       

       
-

       
protocol static {


     

       
98

       

       
-

       
    route OWNNET reject;


     

       
99

       

       
-

       



     

       
100

       

       
-

       
    ipv4 {


     

       
101

       

       
-

       
        import all;


     

       
102

       

       
-

       
        export none;


     

       
103

       

       
-

       
    };


     

       
104

       

       
-

       
}


     

       
105

       

       
-

       



     

       
106

       

       
-

       
protocol static {


     

       
107

       

       
-

       
    route OWNNETv6 reject;


     

       
108

       

       
-

       



     

       
109

       

       
-

       
    ipv6 {


     

       
110

       

       
-

       
        import all;


     

       
111

       

       
-

       
        export none;


     

       
112

       

       
-

       
    };


     

       
113

       

       
-

       
}


     

       
114

       

       
-

       



     

       
115

       

       
-

       
template bgp dnpeers {


     

       
116

       

       
-

       
    local as OWNAS;


     

       
117

       

       
-

       
    path metric 1;


     

       
118

       

       
-

       
}


     

       
119

       

       
-

       



     

       
120

       

       
-

       
protocol ospf v3 {


     

       
121

       

       
-

       
        ipv4 {


     

       
122

       

       
-

       
                export filter {


     

       
123

       

       
-

       
                        if source = RTS_STATIC || source = RTS_BGP then reject;


     

       
124

       

       
-

       
                        accept;


     

       
125

       

       
-

       
                };


     

       
126

       

       
-

       
        };


     

       
127

       

       
-

       



     

       
128

       

       
-

       
        area 0 {


     

       
129

       

       
-

       
                interface "lo" {


     

       
130

       

       
-

       
                        stub;


     

       
131

       

       
-

       
                };


     

       
132

       

       
-

       



     

       
133

       

       
-

       
                interface "ospf_*"{


     

       
134

       

       
-

       
            		type pointopoint;


     

       
135

       

       
-

       
                };


     

       
136

       

       
-

       
        };


     

       
137

       

       
-

       
}


     

       
138

       

       
-

       



     

       
139

       

       
-

       
protocol ospf v3 {


     

       
140

       

       
-

       
        ipv6 {


     

       
141

       

       
-

       
                export filter {


     

       
142

       

       
-

       
                        if source = RTS_STATIC || source = RTS_BGP then reject;


     

       
143

       

       
-

       
                        accept;


     

       
144

       

       
-

       
                };


     

       
145

       

       
-

       
        };


     

       
146

       

       
-

       



     

       
147

       

       
-

       
        area 0 {


     

       
148

       

       
-

       
                interface "lo" {


     

       
149

       

       
-

       
                        stub;


     

       
150

       

       
-

       
                };


     

       
151

       

       
-

       



     

       
152

       

       
-

       
                interface "ospf_*" {


     

       
153

       

       
-

       
                        type pointopoint;


     

       
154

       

       
-

       
                };


     

       
155

       

       
-

       



     

       
156

       

       
-

       
        };


     

       
157

       

       
-

       
}


     

       
158

       

       
-

       



     

       
159

       

       
-

       



     

       
160

       

       
-

       
function update_latency(int link_latency) {


     

       
161

       

       
-

       
  bgp_community.add((64511, link_latency));


     

       
162

       

       
-

       
       if (64511, 9) ~ bgp_community then { bgp_community.delete([(64511, 1..8)]); return 9; }


     

       
163

       

       
-

       
  else if (64511, 8) ~ bgp_community then { bgp_community.delete([(64511, 1..7)]); return 8; }


     

       
164

       

       
-

       
  else if (64511, 7) ~ bgp_community then { bgp_community.delete([(64511, 1..6)]); return 7; }


     

       
165

       

       
-

       
  else if (64511, 6) ~ bgp_community then { bgp_community.delete([(64511, 1..5)]); return 6; }


     

       
166

       

       
-

       
  else if (64511, 5) ~ bgp_community then { bgp_community.delete([(64511, 1..4)]); return 5; }


     

       
167

       

       
-

       
  else if (64511, 4) ~ bgp_community then { bgp_community.delete([(64511, 1..3)]); return 4; }


     

       
168

       

       
-

       
  else if (64511, 3) ~ bgp_community then { bgp_community.delete([(64511, 1..2)]); return 3; }


     

       
169

       

       
-

       
  else if (64511, 2) ~ bgp_community then { bgp_community.delete([(64511, 1..1)]); return 2; }


     

       
170

       

       
-

       
  else return 1;


     

       
171

       

       
-

       
}


     

       
172

       

       
-

       



     

       
173

       

       
-

       
function update_bandwidth(int link_bandwidth) {


     

       
174

       

       
-

       
  bgp_community.add((64511, link_bandwidth));


     

       
175

       

       
-

       
       if (64511, 21) ~ bgp_community then { bgp_community.delete([(64511, 22..29)]); return 21; }


     

       
176

       

       
-

       
  else if (64511, 22) ~ bgp_community then { bgp_community.delete([(64511, 23..29)]); return 22; }


     

       
177

       

       
-

       
  else if (64511, 23) ~ bgp_community then { bgp_community.delete([(64511, 24..29)]); return 23; }


     

       
178

       

       
-

       
  else if (64511, 24) ~ bgp_community then { bgp_community.delete([(64511, 25..29)]); return 24; }


     

       
179

       

       
-

       
  else if (64511, 25) ~ bgp_community then { bgp_community.delete([(64511, 26..29)]); return 25; }


     

       
180

       

       
-

       
  else if (64511, 26) ~ bgp_community then { bgp_community.delete([(64511, 27..29)]); return 26; }


     

       
181

       

       
-

       
  else if (64511, 27) ~ bgp_community then { bgp_community.delete([(64511, 28..29)]); return 27; }


     

       
182

       

       
-

       
  else if (64511, 28) ~ bgp_community then { bgp_community.delete([(64511, 29..29)]); return 28; }


     

       
183

       

       
-

       
  else return 29;


     

       
184

       

       
-

       
}


     

       
185

       

       
-

       



     

       
186

       

       
-

       
function update_crypto(int link_crypto) {


     

       
187

       

       
-

       
  bgp_community.add((64511, link_crypto));


     

       
188

       

       
-

       
       if (64511, 31) ~ bgp_community then { bgp_community.delete([(64511, 32..34)]); return 31; }


     

       
189

       

       
-

       
  else if (64511, 32) ~ bgp_community then { bgp_community.delete([(64511, 33..34)]); return 32; }


     

       
190

       

       
-

       
  else if (64511, 33) ~ bgp_community then { bgp_community.delete([(64511, 34..34)]); return 33; }


     

       
191

       

       
-

       
  else return 34;


     

       
192

       

       
-

       
}


     

       
193

       

       
-

       



     

       
194

       

       
-

       
function get_region() {


     

       
195

       

       
-

       
if (64511, 41) ~ bgp_community then { return 41; }


     

       
196

       

       
-

       
else if (64511, 42) ~ bgp_community then { return 42; }


     

       
197

       

       
-

       
else if (64511, 43) ~ bgp_community then { return 43; }


     

       
198

       

       
-

       
else if (64511, 44) ~ bgp_community then { return 44; }


     

       
199

       

       
-

       
else if (64511, 45) ~ bgp_community then { return 45; }


     

       
200

       

       
-

       
else if (64511, 46) ~ bgp_community then { return 46; }


     

       
201

       

       
-

       
else if (64511, 47) ~ bgp_community then { return 47; }


     

       
202

       

       
-

       
else if (64511, 48) ~ bgp_community then { return 48; }


     

       
203

       

       
-

       
else if (64511, 49) ~ bgp_community then { return 49; }


     

       
204

       

       
-

       
else if (64511, 50) ~ bgp_community then { return 50; }


     

       
205

       

       
-

       
else if (64511, 51) ~ bgp_community then { return 51; }


     

       
206

       

       
-

       
else if (64511, 52) ~ bgp_community then { return 52; }


     

       
207

       

       
-

       
else if (64511, 53) ~ bgp_community then { return 53; }


     

       
208

       

       
-

       
else return DN42_REGION;


     

       
209

       

       
-

       
}


     

       
210

       

       
-

       



     

       
211

       

       
-

       



     

       
212

       

       
-

       
function calculate_local_pref(int dn42_latency)


     

       
213

       

       
-

       
int pref;


     

       
214

       

       
-

       
{


     

       
215

       

       
-

       
        pref = 100;


     

       
216

       

       
-

       
        if (is_self_net() || is_self_net_v6()) then {


     

       
217

       

       
-

       
                        pref = 2000;


     

       
218

       

       
-

       
        }


     

       
219

       

       
-

       
        else if (bgp_path.len = 1) then {


     

       
220

       

       
-

       
                pref = 1000;


     

       
221

       

       
-

       
        }


     

       
222

       

       
-

       
        else if (DN42_REGION = get_region()) then {


     

       
223

       

       
-

       
                pref= 500;


     

       
224

       

       
-

       
        }


     

       
225

       

       
-

       
	else {


     

       
226

       

       
-

       
		if (DN42_REGION > get_region()) then {


     

       
227

       

       
-

       
			pref = 500 - ((DN42_REGION - get_region()) * 10);


     

       
228

       

       
-

       
	        }


     

       
229

       

       
-

       
		else {


     

       
230

       

       
-

       
			pref = 500 - ((get_region() - DN42_REGION) * 10);


     

       
231

       

       
-

       
		}


     

       
232

       

       
-

       
        }


     

       
233

       

       
-

       
        pref = pref - 10*dn42_latency - 10* bgp_path.len;


     

       
234

       

       
-

       
        if pref > 2000 then {


     

       
235

       

       
-

       
                pref = 10;


     

       
236

       

       
-

       
        }


     

       
237

       

       
-

       
        return pref;


     

       
238

       

       
-

       
}


     

       
239

       

       
-

       



     

       
240

       

       
-

       
function update_flags(int link_latency; int link_bandwidth; int link_crypto)


     

       
241

       

       
-

       
int dn42_latency;


     

       
242

       

       
-

       
int dn42_bandwidth;


     

       
243

       

       
-

       
int dn42_crypto;


     

       
244

       

       
-

       
{


     

       
245

       

       
-

       
  dn42_latency = update_latency(link_latency);


     

       
246

       

       
-

       
  dn42_bandwidth = update_bandwidth(link_bandwidth) - 20;


     

       
247

       

       
-

       
  dn42_crypto = update_crypto(link_crypto) - 30;


     

       
248

       

       
-

       
  if dn42_bandwidth > 5 then dn42_bandwidth = 5;


     

       
249

       

       
-

       
  bgp_local_pref = calculate_local_pref(dn42_latency);


     

       
250

       

       
-

       
  return true;


     

       
251

       

       
-

       
}


     

       
252

       

       
-

       



     

       
253

       

       
-

       



     

       
254

       

       
-

       
function dn42_import_filter(int link_latency; int link_bandwidth; int link_crypto) {


     

       
255

       

       
-

       
  if (is_valid_network() && !is_self_net()) || (is_valid_network_v6() && !is_self_net_v6()) then {


     

       
256

       

       
-

       
    if roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID && roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID  then {


     

       
257

       

       
-

       
      print "[dn42] Import : ROA check failed for ", net, " ASN ", bgp_path.last, " on ", proto;


     

       
258

       

       
-

       
      reject;


     

       
259

       

       
-

       
    }


     

       
260

       

       
-

       
    update_flags(link_latency, link_bandwidth, link_crypto);


     

       
261

       

       
-

       
    if (65535, 666) ~ bgp_community then dest = RTD_BLACKHOLE;


     

       
262

       

       
-

       
    accept;


     

       
263

       

       
-

       
  }


     

       
264

       

       
-

       
  print "[dn42] Import : Invalid Network for ", net, " ASN ", bgp_path.last, " on ", proto;


     

       
265

       

       
-

       
  reject;


     

       
266

       

       
-

       
}


     

       
267

       

       
-

       



     

       
268

       

       
-

       
function dn42_export_filter(int link_latency; int link_bandwith; int link_crypto) {


     

       
269

       

       
-

       
  if is_valid_network() || is_valid_network_v6() then {


     

       
270

       

       
-

       
#    if roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID && roa_check(dn42_roa_v6, net, bgp_path.last) != ROA_VALID  then {


     

       
271

       

       
-

       
#      print "[dn42] Export : ROA check failed for ", net, " ASN ", bgp_path.last, " on ", proto;


     

       
272

       

       
-

       
#      reject;


     

       
273

       

       
-

       
#    }


     

       
274

       

       
-

       
    if source = RTS_STATIC then bgp_community.add((64511, DN42_REGION));


     

       
275

       

       
-

       
    update_flags(link_latency, link_bandwith, link_crypto);


     

       
276

       

       
-

       
    accept;


     

       
277

       

       
-

       
  }


     

       
278

       

       
-

       
  reject;


     

       
279

       

       
-

       
}


     

       
280

       

       
-

       



     

       
281

       

       
-

       
protocol bgp route_collector from dnpeers {


     

       
282

       

       
-

       
  neighbor fd42:4242:2601:ac12::1 as 4242422602;


     

       
283

       

       
-

       
  multihop;


     

       
284

       

       
-

       
  ipv4 {


     

       
285

       

       
-

       
    # export all available paths to the collector


     

       
286

       

       
-

       
    add paths tx;


     

       
287

       

       
-

       



     

       
288

       

       
-

       
    # import/export filters


     

       
289

       

       
-

       
    import none;


     

       
290

       

       
-

       
    export filter {


     

       
291

       

       
-

       
      # export all valid routes


     

       
292

       

       
-

       
      if ( is_valid_network() && source ~ [ RTS_STATIC, RTS_BGP ] )


     

       
293

       

       
-

       
      then {


     

       
294

       

       
-

       
        accept;


     

       
295

       

       
-

       
      }


     

       
296

       

       
-

       
      reject;


     

       
297

       

       
-

       
    };


     

       
298

       

       
-

       
  };


     

       
299

       

       
-

       



     

       
300

       

       
-

       
  ipv6 {


     

       
301

       

       
-

       
    # export all available paths to the collector


     

       
302

       

       
-

       
    add paths tx;


     

       
303

       

       
-

       



     

       
304

       

       
-

       
    # import/export filters


     

       
305

       

       
-

       
    import none;


     

       
306

       

       
-

       
    export filter {


     

       
307

       

       
-

       
      # export all valid routes


     

       
308

       

       
-

       
      if ( is_valid_network_v6() && source ~ [ RTS_STATIC, RTS_BGP ] )


     

       
309

       

       
-

       
      then {


     

       
310

       

       
-

       
        accept;


     

       
311

       

       
-

       
      }


     

       
312

       

       
-

       
      reject;


     

       
313

       

       
-

       
    };


     

       
314

       

       
-

       
  };


     

       
315

       

       
-

       
}
+56 -20
hosts/prefect/dn42/default.nix 
···

       
1

       

       
-

       
{ pkgs, ... }:


     

       

       
1

       
+

       
{ pkgs, config, ... }:


     

       

       
2

       
+

       
let


     

       

       
3

       
+

       
  cfg42 = config.dn42;


     

       

       
4

       
+

       
in


     

       
2

       
5

       
 

       
{


     

       
3

       
6

       
 

       
  imports = [


     

       
4

       

       
-

       
    ./services.nix


     

       
5

       

       
-

       
    ./wireguard.nix


     

       

       
7

       
+

       
    ./peers


     

       
6

       
8

       
 

       
  ];


     

       
7

       

       
-

       
  networking.interfaces.lo = {


     

       
8

       

       
-

       
    ipv4.addresses = [


     

       
9

       

       
-

       
      {


     

       
10

       

       
-

       
        address = "172.20.43.96";


     

       
11

       

       
-

       
        prefixLength = 32;


     

       
12

       

       
-

       
      }


     

       
13

       

       
-

       
    ];


     

       
14

       

       
-

       
    ipv6.addresses = [


     

       
15

       

       
-

       
      {


     

       
16

       

       
-

       
        address = "fd21:1500:66b0::1";


     

       
17

       

       
-

       
        prefixLength = 128;


     

       
18

       

       
-

       
      }


     

       
19

       

       
-

       
      {


     

       
20

       

       
-

       
        address = "fe80::1";


     

       
21

       

       
-

       
        prefixLength = 128;


     

       
22

       

       
-

       
      }


     

       
23

       

       
-

       
    ];


     

       

       
9

       
+

       
  networking = {


     

       

       
10

       
+

       
    interfaces.lo = {


     

       

       
11

       
+

       
      ipv4.addresses = [


     

       

       
12

       
+

       
        {


     

       

       
13

       
+

       
          address = "172.20.43.96";


     

       

       
14

       
+

       
          prefixLength = 32;


     

       

       
15

       
+

       
        }


     

       

       
16

       
+

       
      ];


     

       

       
17

       
+

       
      ipv6.addresses = [


     

       

       
18

       
+

       
        {


     

       

       
19

       
+

       
          address = "fd21:1500:66b0::1";


     

       

       
20

       
+

       
          prefixLength = 128;


     

       

       
21

       
+

       
        }


     

       

       
22

       
+

       
        {


     

       

       
23

       
+

       
          address = "fe80::1";


     

       

       
24

       
+

       
          prefixLength = 128;


     

       

       
25

       
+

       
        }


     

       

       
26

       
+

       
      ];


     

       

       
27

       
+

       
    };


     

       
24

       
28

       
 

       
  };


     

       

       
29

       
+

       



     

       
25

       
30

       
 

       
  environment.systemPackages = with pkgs; [


     

       
26

       
31

       
 

       
    dnsutils


     

       
27

       
32

       
 

       
    mtr


     

       
28

       
33

       
 

       
    tcpdump


     

       
29

       
34

       
 

       
    wireguard-tools


     

       
30

       
35

       
 

       
  ];


     

       

       
36

       
+

       
  dn42 = {


     

       

       
37

       
+

       
    enable = true;


     

       

       
38

       
+

       
    # ASN corresponding to DN42 PYRONET


     

       

       
39

       
+

       
    as = 4242422459;


     

       

       
40

       
+

       
    # Communities config


     

       

       
41

       
+

       
    # https://dn42.dev/howto/BGP-communities


     

       

       
42

       
+

       
    region = 42;


     

       

       
43

       
+

       
    country = 1840;


     

       

       
44

       
+

       
    routerId = cfg42.addr.v4;


     

       

       
45

       
+

       
    # Primary IP Addresses


     

       

       
46

       
+

       
    addr = {


     

       

       
47

       
+

       
      v4 = "172.20.43.96";


     

       

       
48

       
+

       
      v6 = "fd21:1500:66b0::1";


     

       

       
49

       
+

       
    };


     

       

       
50

       
+

       
    # Owned IP Ranges


     

       

       
51

       
+

       
    nets = {


     

       

       
52

       
+

       
      v4 = [ "172.20.43.96/27" ];


     

       

       
53

       
+

       
      v6 = [ "fd21:1500:66b0::/48" ];


     

       

       
54

       
+

       
    };


     

       

       
55

       
+

       
    # Enable StayRTR


     

       

       
56

       
+

       
    # https://github.com/bgp/stayrtr


     

       

       
57

       
+

       
    stayrtr.enable = true;


     

       

       
58

       
+

       
    # Peer with GRC


     

       

       
59

       
+

       
    # https://dn42.dev/services/Route-Collector


     

       

       
60

       
+

       
    collector.enable = true;


     

       

       
61

       
+

       



     

       

       
62

       
+

       
    wg.tunnelDefaults = {


     

       

       
63

       
+

       
      privateKeyFile = "/run/agenix/dn42-privkey";


     

       

       
64

       
+

       
      localAddrs.v4 = cfg42.addr.v4;


     

       

       
65

       
+

       
    };


     

       

       
66

       
+

       
  };


     

       
31

       
67

       
 

       
}
+25
hosts/prefect/dn42/peers/bandura.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.bandura = {


     

       

       
5

       
+

       
      as = 4242422923;


     

       

       
6

       
+

       
      addr.v6 = "fe80::2926";


     

       

       
7

       
+

       
      interface = "wg42_bandura";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::11";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."55ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.bandura = {


     

       

       
18

       
+

       
      listenPort = 44923;


     

       

       
19

       
+

       
      peerPubKey = "xPW1/cWYDkk/IAss1GbdwVMW7fzKtyHA+qrfCriOB2k=";


     

       

       
20

       
+

       
      peerEndpoint = "aurora.mk16.de:52459";


     

       

       
21

       
+

       
      peerAddrs.v6 = "fe80::2926";


     

       

       
22

       
+

       
      localAddrs.v6 = "fe80::11";


     

       

       
23

       
+

       
    };


     

       

       
24

       
+

       
  };


     

       

       
25

       
+

       
}
+26
hosts/prefect/dn42/peers/catgirls.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.catgirls = {


     

       

       
5

       
+

       
      as = 4242421411;


     

       

       
6

       
+

       
      addr.v6 = "fe80::2189:124";


     

       

       
7

       
+

       
      interface = "wg42_catgirls";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::111";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."148ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.catgirls = {


     

       

       
18

       
+

       
      enable = false;


     

       

       
19

       
+

       
      listenPort = 43411;


     

       

       
20

       
+

       
      peerPubKey = "";


     

       

       
21

       
+

       
      peerEndpoint = "";


     

       

       
22

       
+

       
      peerAddrs.v6 = "fe80::111";


     

       

       
23

       
+

       
      localAddrs.v6 = "fe80::7";


     

       

       
24

       
+

       
    };


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
+26
hosts/prefect/dn42/peers/chrismoos.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.chrismoos = {


     

       

       
5

       
+

       
      as = 4242421588;


     

       

       
6

       
+

       
      addr.v6 = "fe80::1588";


     

       

       
7

       
+

       
      interface = "wg42_chrismoos";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::100";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."2.7ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.chrismoos = {


     

       

       
18

       
+

       
      listenPort = 43588;


     

       

       
19

       
+

       
      peerPubKey = "itmJ4Z8V1aNN368P6kMzuQM+GdzWbBKZjJiXrgSeGlw=";


     

       

       
20

       
+

       
      peerEndpoint = "us-qas01.dn42.tech9.io:58768";


     

       

       
21

       
+

       
      peerAddrs.v4 = "172.20.16.143";


     

       

       
22

       
+

       
      peerAddrs.v6 = "fe80::1588";


     

       

       
23

       
+

       
      localAddrs.v6 = "fe80::100";


     

       

       
24

       
+

       
    };


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
+29
hosts/prefect/dn42/peers/darkpoint.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
let


     

       

       
3

       
+

       
  peerv6 = "fe80::150";


     

       

       
4

       
+

       
  localv6 = "fe80::113";


     

       

       
5

       
+

       
in


     

       

       
6

       
+

       
{


     

       

       
7

       
+

       
  config.dn42 = {


     

       

       
8

       
+

       
    peers.darkpoint = {


     

       

       
9

       
+

       
      as = 4242420150;


     

       

       
10

       
+

       
      addr.v6 = peerv6;


     

       

       
11

       
+

       
      interface = "wg42_darkpoint";


     

       

       
12

       
+

       
      extendedNextHop = true;


     

       

       
13

       
+

       
      # My side


     

       

       
14

       
+

       
      srcAddr.v6 = localv6;


     

       

       
15

       
+

       
      # Communities


     

       

       
16

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
17

       
+

       
      latency = dn42Types.latency."2.7ms";


     

       

       
18

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
19

       
+

       
      transit = true;


     

       

       
20

       
+

       
    };


     

       

       
21

       
+

       
    wg.tunnels.darkpoint = {


     

       

       
22

       
+

       
      listenPort = 42150;


     

       

       
23

       
+

       
      peerPubKey = "1o0XfQvBM1gqknqzfuOnVmf2RjRTHuyMZYNipSSb2TQ=";


     

       

       
24

       
+

       
      peerEndpoint = "iad.darkpoint.xyz:22459";


     

       

       
25

       
+

       
      peerAddrs.v6 = peerv6;


     

       

       
26

       
+

       
      localAddrs.v6 = localv6;


     

       

       
27

       
+

       
    };


     

       

       
28

       
+

       
  };


     

       

       
29

       
+

       
}
+23
hosts/prefect/dn42/peers/default.nix 
···

       

       
1

       
+

       
_:


     

       

       
2

       
+

       
let


     

       

       
3

       
+

       
  dn42Types = import ../types.nix;


     

       

       
4

       
+

       
in


     

       

       
5

       
+

       
{


     

       

       
6

       
+

       
  # Port numbers are 42000 + `last 4 digits of ASN`


     

       

       
7

       
+

       
  imports = [


     

       

       
8

       
+

       
    # keep-sorted start


     

       

       
9

       
+

       
    (import ./bandura.nix { inherit dn42Types; })


     

       

       
10

       
+

       
    # (import ./catgirls.nix { inherit dn42Types; })


     

       

       
11

       
+

       
    (import ./chrismoos.nix { inherit dn42Types; })


     

       

       
12

       
+

       
    (import ./darkpoint.nix { inherit dn42Types; })


     

       

       
13

       
+

       
    (import ./iedon.nix { inherit dn42Types; })


     

       

       
14

       
+

       
    (import ./kioubit.nix { inherit dn42Types; })


     

       

       
15

       
+

       
    (import ./lare.nix { inherit dn42Types; })


     

       

       
16

       
+

       
    (import ./potato.nix { inherit dn42Types; })


     

       

       
17

       
+

       
    (import ./prefixlabs.nix { inherit dn42Types; })


     

       

       
18

       
+

       
    (import ./routedbits.nix { inherit dn42Types; })


     

       

       
19

       
+

       
    (import ./sunnet.nix { inherit dn42Types; })


     

       

       
20

       
+

       
    (import ./uffsalot.nix { inherit dn42Types; })


     

       

       
21

       
+

       
    # keep-sorted end


     

       

       
22

       
+

       
  ];


     

       

       
23

       
+

       
}
+26
hosts/prefect/dn42/peers/iedon.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.iedon = {


     

       

       
5

       
+

       
      as = 4242422189;


     

       

       
6

       
+

       
      addr.v6 = "fe80::2189:124";


     

       

       
7

       
+

       
      interface = "wg42_iedon";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::6";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."20ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.iedon = {


     

       

       
18

       
+

       
      listenPort = 44198;


     

       

       
19

       
+

       
      peerPubKey = "2Wmv10a9eVSni9nfZ7YPsyl3ZC5z7vHq0sTZGgk5WGo=";


     

       

       
20

       
+

       
      peerEndpoint = "us-nyc.dn42.iedon.net:48883";


     

       

       
21

       
+

       
      peerAddrs.v4 = "172.23.91.124";


     

       

       
22

       
+

       
      peerAddrs.v6 = "fe80::2189:124";


     

       

       
23

       
+

       
      localAddrs.v6 = "fe80::6";


     

       

       
24

       
+

       
    };


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
+27
hosts/prefect/dn42/peers/kioubit.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.kioubit = {


     

       

       
5

       
+

       
      as = 4242423914;


     

       

       
6

       
+

       
      addr.v6 = "fe80::ade0";


     

       

       
7

       
+

       
      interface = "wg42_kioubit";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::ade1";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."7.3ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.kioubit = {


     

       

       
18

       
+

       
      listenPort = 45914;


     

       

       
19

       
+

       
      peerPubKey = "6Cylr9h1xFduAO+5nyXhFI1XJ0+Sw9jCpCDvcqErF1s=";


     

       

       
20

       
+

       
      peerEndpoint = "us2.g-load.eu:22459";


     

       

       
21

       
+

       
      peerAddrs.v4 = "172.20.53.98";


     

       

       
22

       
+

       
      peerAddrs.v6 = "fe80::ade0";


     

       

       
23

       
+

       
      localAddrs.v4 = "192.168.220.70";


     

       

       
24

       
+

       
      localAddrs.v6 = "fe80::ade1";


     

       

       
25

       
+

       
    };


     

       

       
26

       
+

       
  };


     

       

       
27

       
+

       
}
+25
hosts/prefect/dn42/peers/lare.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.lare = {


     

       

       
5

       
+

       
      as = 4242423035;


     

       

       
6

       
+

       
      addr.v6 = "fe80::3035:137";


     

       

       
7

       
+

       
      interface = "wg42_lare";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::112";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."20ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.lare = {


     

       

       
18

       
+

       
      listenPort = 45035;


     

       

       
19

       
+

       
      peerPubKey = "AREskFoxP2cd6DXoJ7druDsiWKX+8TwrkQqfi4JxRRw=";


     

       

       
20

       
+

       
      peerEndpoint = "use2.dn42.lare.cc:22459";


     

       

       
21

       
+

       
      peerAddrs.v6 = "fe80::3035:137";


     

       

       
22

       
+

       
      localAddrs.v6 = "fe80::112";


     

       

       
23

       
+

       
    };


     

       

       
24

       
+

       
  };


     

       

       
25

       
+

       
}
+26
hosts/prefect/dn42/peers/potato.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.potato = {


     

       

       
5

       
+

       
      as = 4242421816;


     

       

       
6

       
+

       
      addr.v6 = "fe80::1816";


     

       

       
7

       
+

       
      interface = "wg42_potato";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::111";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."148ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.potato = {


     

       

       
18

       
+

       
      enable = false;


     

       

       
19

       
+

       
      listenPort = 43816;


     

       

       
20

       
+

       
      peerPubKey = "LUwqKS6QrCPv510Pwt1eAIiHACYDsbMjrkrbGTJfviU=";


     

       

       
21

       
+

       
      peerEndpoint = "las.node.potat0.cc:22459";


     

       

       
22

       
+

       
      peerAddrs.v6 = "fe80::1816";


     

       

       
23

       
+

       
      localAddrs.v6 = "fe80::9";


     

       

       
24

       
+

       
    };


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
+26
hosts/prefect/dn42/peers/prefixlabs.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.prefixlabs = {


     

       

       
5

       
+

       
      as = 4242421240;


     

       

       
6

       
+

       
      addr.v6 = "fe80::1240:2";


     

       

       
7

       
+

       
      interface = "wg42_prefixlabs";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::240";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."7.3ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.prefixlabs = {


     

       

       
18

       
+

       
      listenPort = 43240;


     

       

       
19

       
+

       
      peerPubKey = "uRYzFGi+/B6pD0FR2SW3G/OzC5LPJXePNIt0s+nJfW0=";


     

       

       
20

       
+

       
      peerEndpoint = "us-01.prefixlabs.net:22459";


     

       

       
21

       
+

       
      peerAddrs.v4 = "172.20.209.11";


     

       

       
22

       
+

       
      peerAddrs.v6 = "fe80::1240:2";


     

       

       
23

       
+

       
      localAddrs.v6 = "fe80::240";


     

       

       
24

       
+

       
    };


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
+26
hosts/prefect/dn42/peers/routedbits.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.routedbits = {


     

       

       
5

       
+

       
      as = 4242420207;


     

       

       
6

       
+

       
      addr.v6 = "fe80::207";


     

       

       
7

       
+

       
      interface = "wg42_routedbits";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::5";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."2.7ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.routedbits = {


     

       

       
18

       
+

       
      listenPort = 42207;


     

       

       
19

       
+

       
      peerPubKey = "/RLM4EcF8b7FKKcxnvHIYyDoES59HXIBqhKEWt4yRy0=";


     

       

       
20

       
+

       
      peerEndpoint = "router.iad1.routedbits.com:52459";


     

       

       
21

       
+

       
      peerAddrs.v4 = "172.20.19.73";


     

       

       
22

       
+

       
      peerAddrs.v6 = "fe80::207";


     

       

       
23

       
+

       
      localAddrs.v6 = "fe80::5";


     

       

       
24

       
+

       
    };


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
+26
hosts/prefect/dn42/peers/sunnet.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.sunnet = {


     

       

       
5

       
+

       
      as = 4242423088;


     

       

       
6

       
+

       
      addr.v6 = "fe80::3088:193";


     

       

       
7

       
+

       
      interface = "wg42_sunnet";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::abcd";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."148ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.sunnet = {


     

       

       
18

       
+

       
      listenPort = 45088;


     

       

       
19

       
+

       
      peerPubKey = "QSAeFPotqFpF6fFe3CMrMjrpS5AL54AxWY2w1+Ot2Bo=";


     

       

       
20

       
+

       
      peerEndpoint = "lax1-us.dn42.6700.cc:22459";


     

       

       
21

       
+

       
      peerAddrs.v4 = "172.21.100.193";


     

       

       
22

       
+

       
      peerAddrs.v6 = "fe80::3088:193";


     

       

       
23

       
+

       
      localAddrs.v6 = "fe80::abcd";


     

       

       
24

       
+

       
    };


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
+26
hosts/prefect/dn42/peers/uffsalot.nix 
···

       

       
1

       
+

       
{ dn42Types, ... }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  config.dn42 = {


     

       

       
4

       
+

       
    peers.uffsalot = {


     

       

       
5

       
+

       
      as = 4242420780;


     

       

       
6

       
+

       
      addr.v6 = "fe80::780";


     

       

       
7

       
+

       
      interface = "wg42_uffsalot";


     

       

       
8

       
+

       
      extendedNextHop = true;


     

       

       
9

       
+

       
      # My side


     

       

       
10

       
+

       
      srcAddr.v6 = "fe80::10";


     

       

       
11

       
+

       
      # Communities


     

       

       
12

       
+

       
      crypto = dn42Types.crypto.safePFS;


     

       

       
13

       
+

       
      latency = dn42Types.latency."148ms";


     

       

       
14

       
+

       
      bandwidth = dn42Types.bandwidth."1000mb";


     

       

       
15

       
+

       
      transit = true;


     

       

       
16

       
+

       
    };


     

       

       
17

       
+

       
    wg.tunnels.uffsalot = {


     

       

       
18

       
+

       
      listenPort = 42780;


     

       

       
19

       
+

       
      peerPubKey = "7V65FxvD9AQetyUr0qSiu+ik8samB4Atrw2ekvC0xQM=";


     

       

       
20

       
+

       
      peerEndpoint = "dn42-de-fra4.brand-web.net:42459";


     

       

       
21

       
+

       
      peerAddrs.v4 = "172.20.191.129";


     

       

       
22

       
+

       
      peerAddrs.v6 = "fe80::780";


     

       

       
23

       
+

       
      localAddrs.v6 = "fe80::10";


     

       

       
24

       
+

       
    };


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
-71
hosts/prefect/dn42/services.nix 
···

       
1

       

       
-

       
{ pkgs, lib, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  script = pkgs.writeShellScriptBin "update-roa" ''


     

       
4

       

       
-

       
    mkdir -p /etc/bird/


     

       
5

       

       
-

       
    ${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf


     

       
6

       

       
-

       
    ${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf


     

       
7

       

       
-

       
    ${pkgs.bird2}/bin/birdc c


     

       
8

       

       
-

       
    ${pkgs.bird2}/bin/birdc reload in all


     

       
9

       

       
-

       
  '';


     

       
10

       

       
-

       
  bgp = import ./bgp.nix { };


     

       
11

       

       
-

       
in


     

       
12

       

       
-

       
{


     

       
13

       

       
-

       
  systemd = {


     

       
14

       

       
-

       
    timers.dn42-roa = {


     

       
15

       

       
-

       
      description = "Trigger a ROA table update";


     

       
16

       

       
-

       



     

       
17

       

       
-

       
      timerConfig = {


     

       
18

       

       
-

       
        OnBootSec = "5m";


     

       
19

       

       
-

       
        OnUnitInactiveSec = "1h";


     

       
20

       

       
-

       
        Unit = "dn42-roa.service";


     

       
21

       

       
-

       
      };


     

       
22

       

       
-

       



     

       
23

       

       
-

       
      wantedBy = [ "timers.target" ];


     

       
24

       

       
-

       
      before = [ "bird.service" ];


     

       
25

       

       
-

       
    };


     

       
26

       

       
-

       
    services = {


     

       
27

       

       
-

       
      dn42-roa = {


     

       
28

       

       
-

       
        after = [ "network.target" ];


     

       
29

       

       
-

       
        description = "DN42 ROA Updated";


     

       
30

       

       
-

       
        unitConfig = {


     

       
31

       

       
-

       
          Type = "one-shot";


     

       
32

       

       
-

       
        };


     

       
33

       

       
-

       
        serviceConfig = {


     

       
34

       

       
-

       
          ExecStart = "${script}/bin/update-roa";


     

       
35

       

       
-

       
        };


     

       
36

       

       
-

       
      };


     

       
37

       

       
-

       
    };


     

       
38

       

       
-

       
  };


     

       
39

       

       
-

       



     

       
40

       

       
-

       
  services = {


     

       
41

       

       
-

       
    bird = {


     

       
42

       

       
-

       
      enable = true;


     

       
43

       

       
-

       
      package = pkgs.bird2;


     

       
44

       

       
-

       
      checkConfig = false;


     

       
45

       

       
-

       
      config =


     

       
46

       

       
-

       
        builtins.readFile ./bird.conf


     

       
47

       

       
-

       
        + lib.concatStrings (


     

       
48

       

       
-

       
          builtins.map (


     

       
49

       

       
-

       
            x:


     

       
50

       

       
-

       
            "\n      protocol bgp ${x.name} from dnpeers {\n        ${


     

       
51

       

       
-

       
              if x.multihop then "multihop;" else ""


     

       
52

       

       
-

       
            }\n        ${


     

       
53

       

       
-

       
              if x.gracefulRestart then "graceful restart on;" else ""


     

       
54

       

       
-

       
            }\n        neighbor ${x.neigh} as ${x.as};\n        ${


     

       
55

       

       
-

       
              if x.multi || x.v4 then


     

       
56

       

       
-

       
                "\n        ipv4 {\n                extended next hop on;\n                import where dn42_import_filter(${x.link},25,34);\n                export where dn42_export_filter(${x.link},25,34);\n                import keep filtered;\n        };\n        "


     

       
57

       

       
-

       
              else


     

       
58

       

       
-

       
                ""


     

       
59

       

       
-

       
            }\n        ${


     

       
60

       

       
-

       
              if x.multi || x.v6 then


     

       
61

       

       
-

       
                "\n        ipv6 {\n                extended next hop on;\n                import where dn42_import_filter(${x.link},25,34);\n                export where dn42_export_filter(${x.link},25,34);\n                import keep filtered;\n        };\n        "


     

       
62

       

       
-

       
              else


     

       
63

       

       
-

       
                ""


     

       
64

       

       
-

       
            }\n    }\n        "


     

       
65

       

       
-

       
          ) bgp.sessions


     

       
66

       

       
-

       
        )


     

       
67

       

       
-

       
        + bgp.extraConfig;


     

       
68

       

       
-

       
    };


     

       
69

       

       
-

       
  };


     

       
70

       

       
-

       
  users.users.thehedgehog.extraGroups = [ "bird2" ];


     

       
71

       

       
-

       
}
-86
hosts/prefect/dn42/tunnels.nix 
···

       
1

       

       
-

       
{ tunnel, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  # deadnix: skip


     

       
4

       

       
-

       
  defaultPubKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";


     

       
5

       

       
-

       
  defaultPrivKeyFile = "/run/agenix/dn42-privkey";


     

       
6

       

       
-

       
  defaultLocalIPv4 = "172.20.43.96";


     

       
7

       

       
-

       
in


     

       
8

       

       
-

       
{


     

       
9

       

       
-

       
  wg42_chris =


     

       
10

       

       
-

       
    # Ports 485-486 available


     

       
11

       

       
-

       



     

       
12

       

       
-

       
    tunnel 487 defaultPrivKeyFile "itmJ4Z8V1aNN368P6kMzuQM+GdzWbBKZjJiXrgSeGlw=" defaultLocalIPv4


     

       
13

       

       
-

       
      "fe80::100"


     

       
14

       

       
-

       
      "us-qas01.dn42.tech9.io:52322"


     

       
15

       

       
-

       
      "wg42_chris"


     

       
16

       

       
-

       
      "172.20.16.143"


     

       
17

       

       
-

       
      "fe80::1588";


     

       
18

       

       
-

       



     

       
19

       

       
-

       
  wg42_kioubit =


     

       
20

       

       
-

       
    tunnel 488 defaultPrivKeyFile "6Cylr9h1xFduAO+5nyXhFI1XJ0+Sw9jCpCDvcqErF1s=" defaultLocalIPv4


     

       
21

       

       
-

       
      "fe80::3"


     

       
22

       

       
-

       
      "us2.g-load.eu:22459"


     

       
23

       

       
-

       
      "wg42_kioubit"


     

       
24

       

       
-

       
      "172.20.53.98"


     

       
25

       

       
-

       
      "fe80::ade0";


     

       
26

       

       
-

       



     

       
27

       

       
-

       
  # Ports 489-490 available


     

       
28

       

       
-

       



     

       
29

       

       
-

       
  wg42_iedon =


     

       
30

       

       
-

       
    tunnel 491 defaultPrivKeyFile "Sz0UhewjDk2yRKI0QL9rB+5daWpXFVlbbz9cLfVVLn4=" defaultLocalIPv4


     

       
31

       

       
-

       
      "fe80::6"


     

       
32

       

       
-

       
      "us-sjc.dn42.kuu.moe:35470"


     

       
33

       

       
-

       
      "wg42_iedon"


     

       
34

       

       
-

       
      "172.23.91.117"


     

       
35

       

       
-

       
      "fe80::2189:e8";


     

       
36

       

       
-

       



     

       
37

       

       
-

       
  wg42_sunnet =


     

       
38

       

       
-

       
    tunnel 492 defaultPrivKeyFile "QSAeFPotqFpF6fFe3CMrMjrpS5AL54AxWY2w1+Ot2Bo=" defaultLocalIPv4


     

       
39

       

       
-

       
      "fe80::abcd"


     

       
40

       

       
-

       
      "v6.lax1-us.dn42.6700.cc:22459"


     

       
41

       

       
-

       
      "wg42_sunnet"


     

       
42

       

       
-

       
      "172.21.100.193"


     

       
43

       

       
-

       
      "fe80::3088:193";


     

       
44

       

       
-

       



     

       
45

       

       
-

       
  wg42_catgirls =


     

       
46

       

       
-

       
    tunnel 493 defaultPrivKeyFile "jo8eAfY8LeA4FAEJ4laYYMNkMd4z3oO/zN5DN0Mo+RQ=" defaultLocalIPv4


     

       
47

       

       
-

       
      "fe80::7"


     

       
48

       

       
-

       
      "karx.xyz:22459"


     

       
49

       

       
-

       
      "wg42_catgirls"


     

       
50

       

       
-

       
      ""


     

       
51

       

       
-

       
      "fe80::4242";


     

       
52

       

       
-

       



     

       
53

       

       
-

       
  # Port 494 Available


     

       
54

       

       
-

       



     

       
55

       

       
-

       
  wg42_potato =


     

       
56

       

       
-

       
    tunnel 495 defaultPrivKeyFile "LUwqKS6QrCPv510Pwt1eAIiHACYDsbMjrkrbGTJfviU=" defaultLocalIPv4


     

       
57

       

       
-

       
      "fe80::9"


     

       
58

       

       
-

       
      "las.node.potat0.cc:22459"


     

       
59

       

       
-

       
      "wg42_potato"


     

       
60

       

       
-

       
      ""


     

       
61

       

       
-

       
      "fe80::1816";


     

       
62

       

       
-

       



     

       
63

       

       
-

       
  wg42_uffsalot =


     

       
64

       

       
-

       
    tunnel 496 defaultPrivKeyFile "7V65FxvD9AQetyUr0qSiu+ik8samB4Atrw2ekvC0xQM=" defaultLocalIPv4


     

       
65

       

       
-

       
      "fe80::10"


     

       
66

       

       
-

       
      "dn42-de-fra4.brand-web.net:42459"


     

       
67

       

       
-

       
      "wg42_uffsalot"


     

       
68

       

       
-

       
      "172.20.191.129"


     

       
69

       

       
-

       
      "fe80::780";


     

       
70

       

       
-

       



     

       
71

       

       
-

       
  wg42_bandura =


     

       
72

       

       
-

       
    tunnel 497 defaultPrivKeyFile "xPW1/cWYDkk/IAss1GbdwVMW7fzKtyHA+qrfCriOB2k=" defaultLocalIPv4


     

       
73

       

       
-

       
      "fe80::11"


     

       
74

       

       
-

       
      "aurora.mk16.de:52459"


     

       
75

       

       
-

       
      "wg42_bandura"


     

       
76

       

       
-

       
      ""


     

       
77

       

       
-

       
      "fe80::2926";


     

       
78

       

       
-

       



     

       
79

       

       
-

       
  wg42_bluemedia =


     

       
80

       

       
-

       
    tunnel 498 defaultPrivKeyFile "7HNg2+uMI2WfntN+WlMnlTDG6xra/Dusee82cuXWMBY=" defaultLocalIPv4


     

       
81

       

       
-

       
      "fe80::12"


     

       
82

       

       
-

       
      "de-fra01.dn42.bluemedia.dev:22459"


     

       
83

       

       
-

       
      "wg42_bluemedia"


     

       
84

       

       
-

       
      "172.22.167.82"


     

       
85

       

       
-

       
      "fe80::42:3343:20:1";


     

       
86

       

       
-

       
}
+63
hosts/prefect/dn42/types.nix 
···

       

       
1

       
+

       
# DN42 Community Standard BGP Communities


     

       

       
2

       
+

       
# See main lists here: https://dn42.dev/howto/BGP-communities


     

       

       
3

       
+

       
{


     

       

       
4

       
+

       
  latency = {


     

       

       
5

       
+

       
    "2.7ms" = 1;


     

       

       
6

       
+

       
    "7.3ms" = 2;


     

       

       
7

       
+

       
    "20ms" = 3;


     

       

       
8

       
+

       
    "55ms" = 4;


     

       

       
9

       
+

       
    "148ms" = 5;


     

       

       
10

       
+

       
    "403ms" = 6;


     

       

       
11

       
+

       
    "1097ms" = 7;


     

       

       
12

       
+

       
    "2981ms" = 8;


     

       

       
13

       
+

       
    "gt2981" = 9;


     

       

       
14

       
+

       
  };


     

       

       
15

       
+

       
  bandwidth = {


     

       

       
16

       
+

       
    "0.1mb" = 21;


     

       

       
17

       
+

       
    "1mb" = 22;


     

       

       
18

       
+

       
    "10mb" = 23;


     

       

       
19

       
+

       
    "100mb" = 24;


     

       

       
20

       
+

       
    "1000mb" = 25;


     

       

       
21

       
+

       
  };


     

       

       
22

       
+

       
  crypto = {


     

       

       
23

       
+

       
    unencrypted = 31;


     

       

       
24

       
+

       
    unsafeVPN = 32;


     

       

       
25

       
+

       
    safeNoPFS = 33;


     

       

       
26

       
+

       
    safePFS = 34;


     

       

       
27

       
+

       
  };


     

       

       
28

       
+

       
  region = {


     

       

       
29

       
+

       
    europe = 41;


     

       

       
30

       
+

       
    northAmericaEast = 42;


     

       

       
31

       
+

       
    northAmericaCentral = 43;


     

       

       
32

       
+

       
    northAmericaWest = 44;


     

       

       
33

       
+

       
    centralAmerica = 45;


     

       

       
34

       
+

       
    southAmericaEast = 46;


     

       

       
35

       
+

       
    southAmericaWest = 47;


     

       

       
36

       
+

       
    africaNorth = 48;


     

       

       
37

       
+

       
    africaSouth = 49;


     

       

       
38

       
+

       
    asiaSouth = 50;


     

       

       
39

       
+

       
    asiaSouthEast = 51;


     

       

       
40

       
+

       
    asiaEast = 52;


     

       

       
41

       
+

       
    pacificOceania = 53;


     

       

       
42

       
+

       
    antarctica = 54;


     

       

       
43

       
+

       
    asiaNorth = 55;


     

       

       
44

       
+

       
    asiaWest = 56;


     

       

       
45

       
+

       
    centralAsia = 57;


     

       

       
46

       
+

       
  };


     

       

       
47

       
+

       
  country = {


     

       

       
48

       
+

       
    canada = 1124;


     

       

       
49

       
+

       
    china = 1156;


     

       

       
50

       
+

       
    taiwan = 1158;


     

       

       
51

       
+

       
    france = 1250;


     

       

       
52

       
+

       
    germany = 1276;


     

       

       
53

       
+

       
    hongKong = 1344;


     

       

       
54

       
+

       
    japan = 1392;


     

       

       
55

       
+

       
    netherlands = 1528;


     

       

       
56

       
+

       
    norway = 1578;


     

       

       
57

       
+

       
    russianFederation = 1643;


     

       

       
58

       
+

       
    singapore = 1702;


     

       

       
59

       
+

       
    switzerland = 1756;


     

       

       
60

       
+

       
    unitedKingdom = 1826;


     

       

       
61

       
+

       
    unitedStatesOfAmerica = 1840;


     

       

       
62

       
+

       
  };


     

       

       
63

       
+

       
}
-59
hosts/prefect/dn42/wireguard.nix 
···

       
1

       

       
-

       
{ pkgs, lib, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  defaultLocalIPv4 = "172.20.43.96/32";


     

       
4

       

       
-

       
  defaultLocalIPv6 = "fe80::1/64";


     

       
5

       

       
-

       
  privKeyFile = "/run/agenix/dn42-privkey";


     

       
6

       

       
-

       
  # deadnix: skip


     

       
7

       

       
-

       
  defaultPubKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";


     

       
8

       

       
-

       
in


     

       
9

       

       
-

       
{


     

       
10

       

       
-

       
  environment.systemPackages = [ pkgs.wireguard-tools ];


     

       
11

       

       
-

       



     

       
12

       

       
-

       
  networking.wireguard.interfaces = import ./tunnels.nix rec {


     

       
13

       

       
-

       
    customTunnel =


     

       
14

       

       
-

       
      listenPort: privKeyFile: peerPubKey: endpoint: name: peerIPv4: peerIPv6: localIPv4: localIPv6: isOspf: {


     

       
15

       

       
-

       
        inherit listenPort;


     

       
16

       

       
-

       
        privateKeyFile = privKeyFile;


     

       
17

       

       
-

       
        allowedIPsAsRoutes = false;


     

       
18

       

       
-

       
        peers = [


     

       
19

       

       
-

       
          {


     

       
20

       

       
-

       
            inherit endpoint;


     

       
21

       

       
-

       
            publicKey = peerPubKey;


     

       
22

       

       
-

       
            allowedIPs = [


     

       
23

       

       
-

       
              "0.0.0.0/0"


     

       
24

       

       
-

       
              "::/0"


     

       
25

       

       
-

       
            ];


     

       
26

       

       
-

       
            dynamicEndpointRefreshSeconds = 5;


     

       
27

       

       
-

       
            persistentKeepalive = 15;


     

       
28

       

       
-

       
          }


     

       
29

       

       
-

       
        ];


     

       
30

       

       
-

       
        postSetup =


     

       
31

       

       
-

       
          ''


     

       
32

       

       
-

       
            ${


     

       
33

       

       
-

       
              if peerIPv4 != "" then


     

       
34

       

       
-

       
                "${pkgs.iproute2}/bin/ip addr add ${localIPv4} peer ${peerIPv4} dev ${name}"


     

       
35

       

       
-

       
              else


     

       
36

       

       
-

       
                ""


     

       
37

       

       
-

       
            }


     

       
38

       

       
-

       
            ${


     

       
39

       

       
-

       
              if peerIPv6 != "" then


     

       
40

       

       
-

       
                "${pkgs.iproute2}/bin/ip -6 addr add ${localIPv6} peer ${peerIPv6} dev ${name}"


     

       
41

       

       
-

       
              else


     

       
42

       

       
-

       
                ""


     

       
43

       

       
-

       
            }


     

       
44

       

       
-

       
          ''


     

       
45

       

       
-

       
          + lib.optionalString isOspf "${pkgs.iproute2}/bin/ip -6 addr add ${defaultLocalIPv6} dev ${name}";


     

       
46

       

       
-

       
      };


     

       
47

       

       
-

       
    # deadnix: skip


     

       
48

       

       
-

       
    tunnel =


     

       
49

       

       
-

       
      listenPort: privKey: peerPubKey: localIPv4: localIPv6: endpoint: name: peerIPv4: peerIPv6:


     

       
50

       

       
-

       
      customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4 peerIPv6 localIPv4 localIPv6


     

       
51

       

       
-

       
        false;


     

       
52

       

       
-

       
    # deadnix: skip


     

       
53

       

       
-

       
    ospf =


     

       
54

       

       
-

       
      listenPort: privKey: peerPubKey: endpoint: name: peerIPv4: peerIPv6: ULAIPv6:


     

       
55

       

       
-

       
      customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4 peerIPv6 defaultLocalIPv4


     

       
56

       

       
-

       
        ULAIPv6


     

       
57

       

       
-

       
        true;


     

       
58

       

       
-

       
  };


     

       
59

       

       
-

       
}
+2 -17
hosts/prefect/firewall.nix 
···

       
28

       
28

       
 

       
    ];


     

       
29

       
29

       
 

       
    allowedUDPPortRanges = [


     

       
30

       
30

       
 

       
      {


     

       
31

       

       
-

       
        from = 480;


     

       
32

       

       
-

       
        to = 510;


     

       

       
31

       
+

       
        from = 42000;


     

       

       
32

       
+

       
        to = 52000;


     

       
33

       
33

       
 

       
      }


     

       
34

       
34

       
 

       
    ];


     

       
35

       
35

       
 

       
    trustedInterfaces = [


     

       
36

       

       
-

       
      "tailscale0"


     

       
37

       
36

       
 

       
      "wg0"


     

       
38

       

       
-

       



     

       
39

       

       
-

       
      # DN42 Interfaces


     

       
40

       

       
-

       
      "wg42_bandura"


     

       
41

       

       
-

       
      "wg42_bluemedia"


     

       
42

       

       
-

       
      "wg42_catgirls"


     

       
43

       

       
-

       
      "wg42_chris"


     

       
44

       

       
-

       
      "wg42_iedon"


     

       
45

       

       
-

       
      "wg42_kioubit"


     

       
46

       

       
-

       
      "wg42_liki"


     

       
47

       

       
-

       
      "wg42_lutoma"


     

       
48

       

       
-

       
      "wg42_potato"


     

       
49

       

       
-

       
      "wg42_sunnet"


     

       
50

       

       
-

       
      "wg42_uffsalot"


     

       
51

       

       
-

       
      "wg42_usman"


     

       
52

       
37

       
 

       
    ];


     

       
53

       
38

       
 

       
    extraForwardRules = ''


     

       
54

       
39

       
 

       
      meta iifname "wg42_*" meta oifname "wg42_*" accept
-1
hosts/prefect/secrets/secrets.nix 
···

       
1

       
1

       
 

       
let


     

       
2

       
2

       
 

       
  yubi-back = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTVGi3PItsbUhFgnFZlqo1iUggL4npMg94+9FsyhEPfShcQwJK2/jJzjv5S9KPuk3cY7aoqyVFLbnasSBZPXmscJmOiVNvtWvHoC3QPXvf3IAcVZ5KOLpY2NJlPx/pAb31C6ewtg8v3VlyhL4zEp6M+AGwXX51tFDh2GnYD+7SNF+aMhKCrX63syAhgPy3F8mZ2RIDLAu+lsYlwdpWRkSEv9kcjX/6+3QgUWjfPBaKEeYID22ihSuj7+AiuAt0gM4q0TY/Hpcx+qDLonrIuBnm1hMZDgbv//D0sHIUxJQkGTKTEbkZxoh0Qri7UV/V6l3mETaG40deuemMU7RFY7Khl8RajNZ+9z0FdquS/HCt8+fYQk6eLneJrMIQ1bI4awrtblG3P2Yf2QUu+H3kfCQe44R3WjUugTbNtumVgyQBzl2dzlIVn1pZBeyZy70XCgbaFKkDR8Y/qZiUoZ0afP3vTOXhkn5UBfutTKwUiSGh3S8Ge5YhNgKHWE2eQp1ckEm0IMJV/q5Nsw/yBBXj/kfD8ekz96LQ+gP5JFLq4EaipXI7FM4aZNOBUZU1l/sCEuq7m997nrBucTKqGm7Ho3rq7bgdj4f6GyUJXSMOM1cN61LLrRumZGGTH8WghVL7ligxZyNFcQoudR8jfpf4mrgRxipQOe1A2umvuufMr+l/bw==";


     

       
3

       

       
-

       
  yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746";


     

       
4

       
3

       
 

       
  prefect = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP532AB5mkNvE29MkDDY8HEf8ZdktGWiI0PzLrvbmLQe";


     

       
5

       
4

       
 

       
  ssh-new = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAxOg9nOtfbedq9AlnXNVUfyU8Mwfj4IB7HX/4VoWeXP";


     

       
6

       
5

       
 

       
  default = [
-30
hosts/prefect/services/blog-update.nix 
···

       
1

       

       
-

       
{ pkgs, lib, ... }:


     

       
2

       

       
-

       
{


     

       
3

       

       
-

       
  systemd.timers.blog-update = {


     

       
4

       

       
-

       
    enable = false;


     

       
5

       

       
-

       
    after = [ "network.target" ];


     

       
6

       

       
-

       
    wantedBy = [ "multi-user.target" ];


     

       
7

       

       
-

       
    description = "Blog Update Timer";


     

       
8

       

       
-

       
    timerConfig = {


     

       
9

       

       
-

       
      Unit = "blog-update.service";


     

       
10

       

       
-

       
      OnUnitActiveSec = 300;


     

       
11

       

       
-

       
    };


     

       
12

       

       
-

       
  };


     

       
13

       

       
-

       



     

       
14

       

       
-

       
  systemd.services.blog-update = {


     

       
15

       

       
-

       
    enable = false;


     

       
16

       

       
-

       
    wantedBy = [ "multi-user.target" ];


     

       
17

       

       
-

       
    description = "Blog Update Service";


     

       
18

       

       
-

       
    path = [


     

       
19

       

       
-

       
      "${pkgs.git}"


     

       
20

       

       
-

       
    ];


     

       
21

       

       
-

       
    serviceConfig = {


     

       
22

       

       
-

       
      WorkingDirectory = "/var/www/blog";


     

       
23

       

       
-

       
      User = "caddy";


     

       
24

       

       
-

       
      Group = "caddy";


     

       
25

       

       
-

       
      Type = "oneshot";


     

       
26

       

       
-

       
      ExecStartPre = "${lib.getExe pkgs.git} fetch origin pages";


     

       
27

       

       
-

       
      ExecStart = "${lib.getExe pkgs.git} reset --hard origin/pages";


     

       
28

       

       
-

       
    };


     

       
29

       

       
-

       
  };


     

       
30

       

       
-

       
}
-5
hosts/prefect/services/blog-update.sh 
···

       
1

       

       
-

       
node scripts/precommit.js


     

       
2

       

       
-

       
node scripts/predeploy.js


     

       
3

       

       
-

       
hugo -d out


     

       
4

       

       
-

       
cp -fvr out/ /var/www/blog/


     

       
5

       

       
-

       
exit 0
+13 -18
hosts/prefect/services/caddy.nix 
···

       
1

       
1

       
 

       
{ pkgs, self, ... }:


     

       
2

       
2

       
 

       
let


     

       
3

       
3

       
 

       
  pns = self.lib.data.services;


     

       
4

       

       
-

       
  mail = self.lib.data.mail;


     

       

       
4

       
+

       
  inherit (self.lib.data) mail;


     

       
5

       
5

       
 

       
  marvin = "http://${self.lib.data.hosts.marvin.ts.ip4}";


     

       
6

       
6

       
 

       
  marvinIP = self.lib.data.hosts.marvin.ts.ip4;


     

       
7

       

       
-

       
  tsNet = self.lib.data.tsNet;


     

       

       
7

       
+

       
  inherit (self.lib.data) tsNet;


     

       
8

       
8

       
 

       
in


     

       
9

       
9

       
 

       
{


     

       
10

       
10

       
 

       
  services.caddy = {


     
···

       
13

       
13

       
 

       
      plugins = [


     

       
14

       
14

       
 

       
        "github.com/caddy-dns/desec@v1.0.1"


     

       
15

       
15

       
 

       
        "github.com/greenpau/caddy-security@v1.1.31"


     

       
16

       

       
-

       
        "github.com/tailscale/caddy-tailscale@v0.0.0-20250508175905-642f61fea3cc"


     

       
17

       

       
-

       
        "github.com/mholt/caddy-l4@v0.0.0-20250902102621-4a517a98d7fa"


     

       

       
16

       
+

       
        "github.com/tailscale/caddy-tailscale@v0.0.0-20251016213337-01d084e119cb"


     

       

       
17

       
+

       
        "github.com/mholt/caddy-l4@v0.0.0-20251001194302-2e3e6cf60b25"


     

       
18

       
18

       
 

       
        "github.com/mohammed90/caddy-git-fs@v0.0.0-20240805164056-529acecd1830"


     

       
19

       
19

       
 

       
      ];


     

       
20

       

       
-

       
      hash = "sha256-mmiBqKgzWm6HehThvd3zMuF7Vi0NiT1zcrJMw6K305I=";


     

       

       
20

       
+

       
      hash = "sha256-kvChIK67UKn5vMFMcLszSl5AfW1BNHTRm1aXX5t5Wyc=";


     

       
21

       
21

       
 

       
    };


     

       
22

       
22

       
 

       
    email = "pyrox@pyrox.dev";


     

       
23

       
23

       
 

       
    virtualHosts = {


     
···

       
67

       
67

       
 

       
      # Authentication


     

       
68

       
68

       
 

       
      ${pns.pocket-id.extUrl} = {


     

       
69

       
69

       
 

       
        extraConfig = ''


     

       
70

       

       
-

       
          reverse_proxy / ${marvin}:${toString pns.pocket-id.port} {


     

       
71

       

       
-

       
            header_up X-Real-IP {remote_host}


     

       
72

       

       
-

       
            header_up X-Http-Version {http.request.proto}


     

       
73

       

       
-

       
          }


     

       

       
70

       
+

       
          reverse_proxy ${marvin}:${toString pns.pocket-id.port}


     

       
74

       
71

       
 

       
        '';


     

       
75

       
72

       
 

       
      };


     

       
76

       
73

       
 

       



     
···

       
214

       
211

       
 

       
        '';


     

       
215

       
212

       
 

       
      };


     

       
216

       
213

       
 

       



     

       
217

       

       
-

       
      # Pingvin Share


     

       
218

       

       
-

       
      ${pns.pingvin-share.extUrl} = {


     

       

       
214

       
+

       
      # Immich


     

       

       
215

       
+

       
      ${pns.immich.extUrl} = {


     

       
219

       
216

       
 

       
        extraConfig = ''


     

       
220

       

       
-

       
          reverse_proxy /api/* ${marvin}:${toString pns.pingvin-share.be-anubis} {


     

       
221

       

       
-

       
            header_up X-Real-IP {remote_host}


     

       
222

       

       
-

       
            header_up X-Http-Version {http.request.proto}


     

       
223

       

       
-

       
          }


     

       
224

       

       
-

       
          reverse_proxy /* ${marvin}:${toString pns.pingvin-share.anubis} {


     

       
225

       

       
-

       
            header_up X-Real-IP {remote_host}


     

       
226

       

       
-

       
            header_up X-Http-Version {http.request.proto}


     

       

       
217

       
+

       
          @public path /share /share/*


     

       

       
218

       
+

       
          handle @public {


     

       

       
219

       
+

       
            reverse_proxy ${marvin}:${toString pns.immich.pubProxy}


     

       
227

       
220

       
 

       
          }


     

       

       
221

       
+

       
          reverse_proxy ${marvin}:${toString pns.immich.port}


     

       
228

       
222

       
 

       
        '';


     

       
229

       
223

       
 

       
      };


     

       

       
224

       
+

       



     

       
230

       
225

       
 

       
      # Tangled Services


     

       
231

       
226

       
 

       
      ${pns.tangled-knot.extUrl} = {


     

       
232

       
227

       
 

       
        extraConfig = ''
-4
hosts/prefect/services/dn42-peerfinder.nix 
···

       
1

       

       
-

       
{ config, ... }:


     

       
2

       

       
-

       
{


     

       
3

       

       
-

       
  config.py.services.dn42-pingfinder.uuidFile = config.age.secrets.dn42-peerfinder-uuid.path;


     

       
4

       

       
-

       
}
+21
hosts/prefect/services/mailserver/acme.nix 
···

       

       
1

       
+

       
# ACME for certs, using TLS-ALPN-01 Challenges(one fewer ports open)


     

       

       
2

       
+

       
# https://stalw.art/docs/server/tls/acme/configuration


     

       

       
3

       
+

       
{ cfg, sec }:


     

       

       
4

       
+

       
{


     

       

       
5

       
+

       
  letsencrypt = {


     

       

       
6

       
+

       
    directory = "https://acme-staging-v02.api.letsencrypt.org/directory";


     

       

       
7

       
+

       
    challenge = "dns-01";


     

       

       
8

       
+

       
    contact = [ "pyrox@pyrox.dev" ];


     

       

       
9

       
+

       
    domains = [


     

       

       
10

       
+

       
      "mail.pyrox.dev"


     

       

       
11

       
+

       
      "mta-sts.pyrox.dev"


     

       

       
12

       
+

       
      "autoconfig.pyrox.dev"


     

       

       
13

       
+

       
      "autodiscover.pyrox.dev"


     

       

       
14

       
+

       
    ];


     

       

       
15

       
+

       
    cache = "${cfg.dataDir}/acme/certs";


     

       

       
16

       
+

       
    renew-before = "30d";


     

       

       
17

       
+

       
    default = true;


     

       

       
18

       
+

       
    provider = "desec";


     

       

       
19

       
+

       
    secret = "%{file:${sec.stalwart-desec-token.path}}%";


     

       

       
20

       
+

       
  };


     

       

       
21

       
+

       
}
+21
hosts/prefect/services/mailserver/auth.nix 
···

       

       
1

       
+

       
{ ifThen, otherwise }:


     

       

       
2

       
+

       
let


     

       

       
3

       
+

       
  relVer = [


     

       

       
4

       
+

       
    (ifThen "protocol = 'smtp'" "relaxed")


     

       

       
5

       
+

       
    (otherwise "disable")


     

       

       
6

       
+

       
  ];


     

       

       
7

       
+

       
in


     

       

       
8

       
+

       
{


     

       

       
9

       
+

       
  dkim = {


     

       

       
10

       
+

       
    sign = [


     

       

       
11

       
+

       
      (ifThen "sender_domain = 'pyrox.dev'" "['rsa', 'ed25519']")


     

       

       
12

       
+

       
      (otherwise false)


     

       

       
13

       
+

       
    ];


     

       

       
14

       
+

       
  };


     

       

       
15

       
+

       
  spf.verify.ehlo = relVer;


     

       

       
16

       
+

       
  spf.verify.mail-from = relVer;


     

       

       
17

       
+

       
  dmarc.verify = relVer;


     

       

       
18

       
+

       
  iprev.verify = relVer;


     

       

       
19

       
+

       
  arc.seal = "'ed25519'";


     

       

       
20

       
+

       
  arc.verify = "relaxed";


     

       

       
21

       
+

       
}
+25
hosts/prefect/services/mailserver/auto-ban.nix 
···

       

       
1

       
+

       
# Strict Auto-ban


     

       

       
2

       
+

       
# https://stalw.art/docs/server/auto-ban


     

       

       
3

       
+

       
{


     

       

       
4

       
+

       
  auth.rate = "15/1d";


     

       

       
5

       
+

       
  abuse.rate = "15/1d";


     

       

       
6

       
+

       
  loiter.rate = "15/1d";


     

       

       
7

       
+

       
  scan = {


     

       

       
8

       
+

       
    rate = "20/1d";


     

       

       
9

       
+

       
    paths = [


     

       

       
10

       
+

       
      "*.php*"


     

       

       
11

       
+

       
      "*.cgi*"


     

       

       
12

       
+

       
      "*.asp*"


     

       

       
13

       
+

       
      "*/wp-*"


     

       

       
14

       
+

       
      "*/php*"


     

       

       
15

       
+

       
      "*/cgi-bin*"


     

       

       
16

       
+

       
      "*xmlrpc*"


     

       

       
17

       
+

       
      "*../*"


     

       

       
18

       
+

       
      "*/..*"


     

       

       
19

       
+

       
      "*joomla*"


     

       

       
20

       
+

       
      "*wordpress*"


     

       

       
21

       
+

       
      "*drupal*"


     

       

       
22

       
+

       
      "/.git*"


     

       

       
23

       
+

       
    ];


     

       

       
24

       
+

       
  };


     

       

       
25

       
+

       
}
+25
hosts/prefect/services/mailserver/calendar.nix 
···

       

       
1

       
+

       
# Calendar settings


     

       

       
2

       
+

       
# https://stalw.art/docs/collaboration/calendar


     

       

       
3

       
+

       
{


     

       

       
4

       
+

       
  max-recurrence-expansions = 2048;


     

       

       
5

       
+

       
  # 512 KiB


     

       

       
6

       
+

       
  max-size = 524288;


     

       

       
7

       
+

       
  max-attendees-per-instance = 20;


     

       

       
8

       
+

       
  default.href-name = "default";


     

       

       
9

       
+

       
  default.display-name = "Personal";


     

       

       
10

       
+

       
  # Scheduling


     

       

       
11

       
+

       
  # https://stalw.art/docs/collaboration/scheduling


     

       

       
12

       
+

       
  scheduling.enable = true;


     

       

       
13

       
+

       
  # 1 MiB


     

       

       
14

       
+

       
  scheduling.inbound.max-size = 1048576;


     

       

       
15

       
+

       
  scheduling.outbound.max-recipients = 100;


     

       

       
16

       
+

       
  scheduling.inbox.auto-expunge = "30d";


     

       

       
17

       
+

       
  scheduling.http-rsvp.enable = true;


     

       

       
18

       
+

       
  scheduling.http-rsvp.expiration = "7d";


     

       

       
19

       
+

       
  # Notifications


     

       

       
20

       
+

       
  # https://stalw.art/docs/collaboration/notifications


     

       

       
21

       
+

       
  alarms.enable = true;


     

       

       
22

       
+

       
  alarms.minimum-interval = "1h";


     

       

       
23

       
+

       
  alarms.from.name = "PyroNet Calendars";


     

       

       
24

       
+

       
  alarms.from.email = "calendar-notifs@pyrox.dev";


     

       

       
25

       
+

       
}
+203 -105
hosts/prefect/services/mailserver/default.nix 
···

       
1

       

       
-

       
{ lib, pkgs, ... }:


     

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  config,


     

       

       
3

       
+

       
  lib,


     

       

       
4

       
+

       
  self,


     

       

       
5

       
+

       
  ...


     

       

       
6

       
+

       
}:


     

       

       
7

       
+

       
let


     

       

       
8

       
+

       
  d = self.lib.data.mail;


     

       

       
9

       
+

       
  cfg = config.services.stalwart-mail;


     

       

       
10

       
+

       
  sec = config.age.secrets;


     

       

       
11

       
+

       
  credsDir = "/run/credentials/stalwart-mail.service";


     

       

       
12

       
+

       
  certDir = config.security.acme.certs."pyroxdev-mail".directory;


     

       

       
13

       
+

       
  isAuthenticated = d: {


     

       

       
14

       
+

       
    "if" = "!is_empty(authenticated_as)";


     

       

       
15

       
+

       
    "then" = d;


     

       

       
16

       
+

       
  };


     

       

       
17

       
+

       
  otherwise = d: {


     

       

       
18

       
+

       
    "else" = d;


     

       

       
19

       
+

       
  };


     

       

       
20

       
+

       
  ifThen = f: d: {


     

       

       
21

       
+

       
    "if" = f;


     

       

       
22

       
+

       
    "then" = d;


     

       

       
23

       
+

       
  };


     

       

       
24

       
+

       
  smSecret = {


     

       

       
25

       
+

       
    owner = "stalwart-mail";


     

       

       
26

       
+

       
    group = "stalwart-mail";


     

       

       
27

       
+

       
  };


     

       

       
28

       
+

       
in


     

       
2

       
29

       
 

       
{


     

       
3

       

       
-

       
  imports = [


     

       
4

       

       
-

       
    ./logins.nix


     

       
5

       

       
-

       
    ./monitoring.nix


     

       
6

       

       
-

       
    ./overrides.nix


     

       
7

       

       
-

       
  ];


     

       
8

       

       
-

       
  mailserver = {


     

       
9

       

       
-

       
    enable = false;


     

       
10

       

       
-

       
    fqdn = "mail.pyrox.dev";


     

       
11

       

       
-

       
    systemName = "PyroNet Mail";


     

       
12

       

       
-

       
    systemDomain = "mail.pyrox.dev";


     

       
13

       

       
-

       
    openFirewall = true;


     

       
14

       

       
-

       
    stateVersion = 3;


     

       
15

       

       
-

       



     

       
16

       

       
-

       
    # All domains this server runs email for


     

       
17

       

       
-

       
    domains = [ "pyrox.dev" ];


     

       
18

       

       
-

       



     

       
19

       

       
-

       
    # Enable STARTTLS


     

       
20

       

       
-

       
    enableImap = true;


     

       
21

       

       
-

       
    enableSubmission = true;


     

       
22

       

       
-

       



     

       
23

       

       
-

       
    # Disable POP3, I don't use it and neither should you


     

       
24

       

       
-

       
    enablePop3 = false;


     

       
25

       

       
-

       
    enablePop3Ssl = false;


     

       
26

       

       
-

       



     

       
27

       

       
-

       
    # Enable ManageSieve so that we don't need to change the config to update sieves


     

       
28

       

       
-

       
    enableManageSieve = true;


     

       
29

       

       
-

       



     

       
30

       

       
-

       
    # Set directories for services


     

       
31

       

       
-

       
    mailDirectory = "/srv/mail/vmail";


     

       
32

       

       
-

       
    sieveDirectory = "/srv/mail/sieve";


     

       
33

       

       
-

       
    indexDir = "/var/lib/dovecot/indices";


     

       
34

       

       
-

       
    dkimKeyDirectory = "/srv/mail/dkim";


     

       
35

       

       
-

       



     

       
36

       

       
-

       
    # Set all no-reply addresses


     

       
37

       

       
-

       
    rejectRecipients = [


     

       
38

       

       
-

       
      "no-reply@pyrox.dev"


     

       
39

       

       
-

       
      "dmarc-noreply@pyrox.dev"


     

       
40

       

       
-

       
    ];


     

       
41

       

       
-

       



     

       
42

       

       
-

       
    # DKIM Settings


     

       
43

       

       
-

       
    dkimKeyBits = 4096;


     

       
44

       

       
-

       
    dkimSelector = "mail";


     

       
45

       

       
-

       
    dkimSigning = true;


     

       
46

       

       
-

       



     

       
47

       

       
-

       
    # DMARC Settings


     

       
48

       

       
-

       
    dmarcReporting = {


     

       
49

       

       
-

       
      enable = true;


     

       

       
30

       
+

       
  services.stalwart-mail = {


     

       

       
31

       
+

       
    credentials = {


     

       

       
32

       
+

       
      cert = "${certDir}/cert.pem";


     

       

       
33

       
+

       
      key = "${certDir}/key.pem";


     

       
50

       
34

       
 

       
    };


     

       
51

       

       
-

       



     

       
52

       

       
-

       
    # Mailboxes for all users


     

       
53

       

       
-

       
    mailboxes = {


     

       
54

       

       
-

       
      Drafts = {


     

       
55

       

       
-

       
        auto = "subscribe";


     

       
56

       

       
-

       
        specialUse = "Drafts";


     

       

       
35

       
+

       
    enable = true;


     

       

       
36

       
+

       
    dataDir = "/var/lib/stalwart";


     

       

       
37

       
+

       
    settings = {


     

       

       
38

       
+

       
      tracer.stdout.level = "info";


     

       

       
39

       
+

       
      authentication.fallback-admin = {


     

       

       
40

       
+

       
        user = "fallback";


     

       

       
41

       
+

       
        secret = "%{file:${sec.stalwart-fallback-admin-pw.path}}%";


     

       
57

       
42

       
 

       
      };


     

       
58

       

       
-

       
      Junk = {


     

       
59

       

       
-

       
        auto = "subscribe";


     

       
60

       

       
-

       
        specialUse = "Junk";


     

       

       
43

       
+

       
      config = {


     

       

       
44

       
+

       
        local-keys = [


     

       

       
45

       
+

       
          "asn.*"


     

       

       
46

       
+

       
          "auth.*"


     

       

       
47

       
+

       
          "authentication.*"


     

       

       
48

       
+

       
          "auto-ban.*"


     

       

       
49

       
+

       
          "calendar.*"


     

       

       
50

       
+

       
          "certificate.*"


     

       

       
51

       
+

       
          "changes.*"


     

       

       
52

       
+

       
          "cluster.*"


     

       

       
53

       
+

       
          "config.*"


     

       

       
54

       
+

       
          "contacts.*"


     

       

       
55

       
+

       
          "directory.*"


     

       

       
56

       
+

       
          "http.*"


     

       

       
57

       
+

       
          "imap.*"


     

       

       
58

       
+

       
          "jmap.*"


     

       

       
59

       
+

       
          "queue.*"


     

       

       
60

       
+

       
          "report.*"


     

       

       
61

       
+

       
          "resolver.*"


     

       

       
62

       
+

       
          "server.*"


     

       

       
63

       
+

       
          "session.*"


     

       

       
64

       
+

       
          "signature.*"


     

       

       
65

       
+

       
          "storage.*"


     

       

       
66

       
+

       
          "store.*"


     

       

       
67

       
+

       
          "tracer.*"


     

       

       
68

       
+

       
          "webadmin.*"


     

       

       
69

       
+

       
          "form.*"


     

       

       
70

       
+

       
          "email.*"


     

       

       
71

       
+

       
          "spam-filter.*"


     

       

       
72

       
+

       
        ];


     

       
61

       
73

       
 

       
      };


     

       
62

       

       
-

       
      Sent = {


     

       
63

       

       
-

       
        auto = "subscribe";


     

       
64

       

       
-

       
        specialUse = "Sent";


     

       

       
74

       
+

       
      certificate = {


     

       

       
75

       
+

       
        default = {


     

       

       
76

       
+

       
          default = true;


     

       

       
77

       
+

       
          cert = "%{file:${credsDir}/cert}%";


     

       

       
78

       
+

       
          private-key = "%{file:${credsDir}/key}%";


     

       

       
79

       
+

       
          subjects = [


     

       

       
80

       
+

       
            "dav.pyrox.dev"


     

       

       
81

       
+

       
            "mail.pyrox.dev"


     

       

       
82

       
+

       
            "mta-sts.pyrox.dev"


     

       

       
83

       
+

       
            "autoconfig.pyrox.dev"


     

       

       
84

       
+

       
            "autodiscover.pyrox.dev"


     

       

       
85

       
+

       
          ];


     

       

       
86

       
+

       
        };


     

       
65

       
87

       
 

       
      };


     

       
66

       

       
-

       
      Trash = {


     

       
67

       

       
-

       
        auto = "subscribe";


     

       
68

       

       
-

       
        specialUse = "Trash";


     

       

       
88

       
+

       
      server = import ./server.nix { inherit d; };


     

       

       
89

       
+

       
      # Use NixOS-generated certs now, since stalwart can't do it on its own


     

       

       
90

       
+

       
      # (DeSec API Errors abound)


     

       

       
91

       
+

       
      # acme = import ./acme.nix { inherit cfg sec; };


     

       

       
92

       
+

       
      # HTTP Configuration


     

       

       
93

       
+

       
      # https://stalw.art/docs/http/overview


     

       

       
94

       
+

       
      http = {


     

       

       
95

       
+

       
        url = "'https://${d.extUrl}'";


     

       

       
96

       
+

       
        hsts = true;


     

       

       
97

       
+

       
        rate-limit = {


     

       

       
98

       
+

       
          account = "10000/1m";


     

       

       
99

       
+

       
        };


     

       
69

       
100

       
 

       
      };


     

       
70

       

       
-

       
    };


     

       
71

       

       
-

       



     

       
72

       

       
-

       
    # Full-Text-Search Settings


     

       
73

       

       
-

       
    fullTextSearch = {


     

       
74

       

       
-

       
      enable = true;


     

       
75

       

       
-

       
      autoIndex = true;


     

       
76

       

       
-

       
      enforced = "body";


     

       
77

       

       
-

       
      memoryLimit = 2048;


     

       

       
101

       
+

       
      # Disable HTTP Forms submission


     

       

       
102

       
+

       
      # https://stalw.art/docs/http/form-submission


     

       

       
103

       
+

       
      form.enable = false;


     

       

       
104

       
+

       
      # DKIM Signatures


     

       

       
105

       
+

       
      signature = import ./signature.nix { inherit sec; };


     

       

       
106

       
+

       
      # Storage Settings


     

       

       
107

       
+

       
      # https://stalw.art/docs/storage/overview


     

       

       
108

       
+

       
      store = {


     

       

       
109

       
+

       
        data = {


     

       

       
110

       
+

       
          type = "rocksdb";


     

       

       
111

       
+

       
          path = "${cfg.dataDir}/db";


     

       

       
112

       
+

       
          purge.frequency = "0 3 *";


     

       

       
113

       
+

       
        };


     

       

       
114

       
+

       
        blob = {


     

       

       
115

       
+

       
          type = "fs";


     

       

       
116

       
+

       
          path = "${cfg.dataDir}/blobs";


     

       

       
117

       
+

       
          depth = 2;


     

       

       
118

       
+

       
          compression = "lz4";


     

       

       
119

       
+

       
          purge.frequency = "0 4 *";


     

       

       
120

       
+

       
        };


     

       

       
121

       
+

       
        db.path = "${cfg.dataDir}/db2";


     

       

       
122

       
+

       
      };


     

       

       
123

       
+

       
      storage = {


     

       

       
124

       
+

       
        data = "data";


     

       

       
125

       
+

       
        blob = "blob";


     

       

       
126

       
+

       
        fts = "data";


     

       

       
127

       
+

       
        lookup = "data";


     

       

       
128

       
+

       
        directory = "default";


     

       

       
129

       
+

       
      };


     

       

       
130

       
+

       
      directory = {


     

       

       
131

       
+

       
        default = {


     

       

       
132

       
+

       
          type = "internal";


     

       

       
133

       
+

       
          store = "data";


     

       

       
134

       
+

       
        };


     

       

       
135

       
+

       
      };


     

       

       
136

       
+

       
      # ASN/GeoIP Lookups


     

       

       
137

       
+

       
      # https://stalw.art/docs/server/asn


     

       

       
138

       
+

       
      asn = {


     

       

       
139

       
+

       
        type = "dns";


     

       

       
140

       
+

       
        separator = "|";


     

       

       
141

       
+

       
        zone.ipv4 = "origin.asn.cymru.com";


     

       

       
142

       
+

       
        zone.ipv6 = "origin6.asn.cymru.com";


     

       

       
143

       
+

       
        index.asn = 0;


     

       

       
144

       
+

       
        index.asn-name = 1;


     

       

       
145

       
+

       
        index.country = 2;


     

       

       
146

       
+

       
      };


     

       

       
147

       
+

       
      auto-ban = import ./auto-ban.nix;


     

       

       
148

       
+

       
      # JMAP Settings


     

       

       
149

       
+

       
      # https://stalw.art/docs/email/jmap


     

       

       
150

       
+

       
      jmap = {


     

       

       
151

       
+

       
        mailbox.max-depth = 10;


     

       

       
152

       
+

       
        mailbox.max-name-length = 255;


     

       

       
153

       
+

       
        # 50 MB


     

       

       
154

       
+

       
        email.max-attachment-size = 50 * 1000 * 1000;


     

       

       
155

       
+

       
        # 75 MB


     

       

       
156

       
+

       
        email.max-size = 75 * 1000 * 1000;


     

       

       
157

       
+

       
        email.parse.max-items = 10;


     

       

       
158

       
+

       
      };


     

       

       
159

       
+

       
      imap = import ./imap.nix;


     

       

       
160

       
+

       
      # Maintainance


     

       

       
161

       
+

       
      # https://stalw.art/docs/email/maintenance


     

       

       
162

       
+

       
      email.auto-expunge = "180d";


     

       

       
163

       
+

       
      changes.max-history = 10000;


     

       

       
164

       
+

       
      session = import ./session.nix { inherit isAuthenticated otherwise ifThen; };


     

       

       
165

       
+

       
      queue = import ./queue.nix { inherit d ifThen otherwise; };


     

       

       
166

       
+

       
      # DNS Settings


     

       

       
167

       
+

       
      # https://stalw.art/docs/mta/outbound/dns


     

       

       
168

       
+

       
      resolver = {


     

       

       
169

       
+

       
        custom = [


     

       

       
170

       
+

       
          "tls://dns11.quad9.net"


     

       

       
171

       
+

       
          "tcp://1.1.1.1"


     

       

       
172

       
+

       
        ];


     

       

       
173

       
+

       
        concurrency = 2;


     

       

       
174

       
+

       
        preserve-intermediates = true;


     

       

       
175

       
+

       
        timeout = "5s";


     

       

       
176

       
+

       
        attempts = 3;


     

       

       
177

       
+

       
        edns = true;


     

       

       
178

       
+

       
      };


     

       

       
179

       
+

       
      report = import ./report.nix { inherit d; };


     

       

       
180

       
+

       
      calendar = import ./calendar.nix;


     

       

       
181

       
+

       
      # Authentication


     

       

       
182

       
+

       
      auth = import ./auth.nix { inherit ifThen otherwise; };


     

       

       
183

       
+

       
      # Contacts


     

       

       
184

       
+

       
      # https://stalw.art/docs/collaboration/contact


     

       

       
185

       
+

       
      contacts = {


     

       

       
186

       
+

       
        # 512 KiB


     

       

       
187

       
+

       
        max-size = 524288;


     

       

       
188

       
+

       
        default.href-name = "default";


     

       

       
189

       
+

       
        default.display-name = "Contacts";


     

       

       
190

       
+

       
      };


     

       

       
191

       
+

       
      # Spam Filtering


     

       

       
192

       
+

       
      # https://stalw.art/docs/spamfilter/overview


     

       

       
193

       
+

       
      spam-filter = {


     

       

       
194

       
+

       
        card-is-ham = true;


     

       

       
195

       
+

       
      };


     

       
78

       
196

       
 

       
    };


     

       
79

       

       
-

       



     

       
80

       

       
-

       
    # Certificate Settings


     

       
81

       

       
-

       
    certificateScheme = "manual";


     

       
82

       

       
-

       
    certificateFile = "/var/lib/mail/mail.crt";


     

       
83

       

       
-

       
    keyFile = "/var/lib/mail/mail.key";


     

       
84

       
197

       
 

       
  };


     

       
85

       

       
-

       



     

       
86

       

       
-

       
  services.opendkim = {


     

       
87

       

       
-

       
    user = lib.mkForce "virtualMail";


     

       
88

       

       
-

       
    group = lib.mkForce "virtualMail";


     

       

       
198

       
+

       
  systemd.services.stalwart-mail.serviceConfig = {


     

       

       
199

       
+

       
    Restart = lib.mkForce "always";


     

       

       
200

       
+

       
    RestartSec = lib.mkForce 1;


     

       
89

       
201

       
 

       
  };


     

       
90

       

       
-

       



     

       
91

       

       
-

       
  # Copy mail certs every month so that they don't expire


     

       
92

       

       
-

       
  systemd = {


     

       
93

       

       
-

       
    timers."copy-mail-certs" = {


     

       
94

       

       
-

       
      wantedBy = [ "timers.target" ];


     

       
95

       

       
-

       
      timerConfig = {


     

       
96

       

       
-

       
        OnBootSec = "5m";


     

       
97

       

       
-

       
        OnCalendar = "daily";


     

       
98

       

       
-

       
        Unit = "copy-mail-certs.service";


     

       
99

       

       
-

       
      };


     

       

       
202

       
+

       
  age.secrets = {


     

       

       
203

       
+

       
    stalwart-secret-rsa = smSecret // {


     

       

       
204

       
+

       
      file = ../../secrets/stalwart-secret-rsa.age;


     

       
100

       
205

       
 

       
    };


     

       
101

       

       
-

       



     

       
102

       

       
-

       
    services."copy-mail-certs" = {


     

       
103

       

       
-

       
      script = ''


     

       
104

       

       
-

       
        set -eu


     

       
105

       

       
-

       
        cp -fvr /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.pyrox.dev/mail.pyrox.dev.crt /var/lib/mail/mail.crt


     

       
106

       

       
-

       
        chmod a+r /var/lib/mail/mail.crt


     

       
107

       

       
-

       
        cp -fvr /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.pyrox.dev/mail.pyrox.dev.key /var/lib/mail/mail.key


     

       
108

       

       
-

       
        chmod a+r /var/lib/mail/mail.key


     

       
109

       

       
-

       
        chown -hR virtualMail:virtualMail /var/lib/mail/


     

       
110

       

       
-

       
      '';


     

       
111

       

       
-

       
      serviceConfig = {


     

       
112

       

       
-

       
        Type = "oneshot";


     

       
113

       

       
-

       
        User = "root";


     

       
114

       

       
-

       
      };


     

       

       
206

       
+

       
    stalwart-secret-ed25519 = smSecret // {


     

       

       
207

       
+

       
      file = ../../secrets/stalwart-secret-ed25519.age;


     

       

       
208

       
+

       
    };


     

       

       
209

       
+

       
    stalwart-desec-token = smSecret // {


     

       

       
210

       
+

       
      file = ../../secrets/stalwart-desec-token.age;


     

       

       
211

       
+

       
    };


     

       

       
212

       
+

       
    stalwart-fallback-admin-pw = smSecret // {


     

       

       
213

       
+

       
      file = ../../secrets/stalwart-fallback-admin-pw.age;


     

       
115

       
214

       
 

       
    };


     

       
116

       
215

       
 

       
  };


     

       
117

       

       
-

       



     

       
118

       
216

       
 

       
}
+42
hosts/prefect/services/mailserver/imap.nix 
···

       

       
1

       
+

       
# https://stalw.art/docs/email/imap


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  # 50 MiB


     

       

       
4

       
+

       
  request.max-size = 52428800;


     

       

       
5

       
+

       
  auth.max-failures = 3;


     

       

       
6

       
+

       
  auth.allow-plain-text = false;


     

       

       
7

       
+

       
  folders =


     

       

       
8

       
+

       
    let


     

       

       
9

       
+

       
      folder = {


     

       

       
10

       
+

       
        create = true;


     

       

       
11

       
+

       
        subscribe = true;


     

       

       
12

       
+

       
      };


     

       

       
13

       
+

       
    in


     

       

       
14

       
+

       
    {


     

       

       
15

       
+

       
      inbox = folder // {


     

       

       
16

       
+

       
        name = "Inbox";


     

       

       
17

       
+

       
      };


     

       

       
18

       
+

       
      drafts = folder // {


     

       

       
19

       
+

       
        name = "Drafts";


     

       

       
20

       
+

       
      };


     

       

       
21

       
+

       
      sent = folder // {


     

       

       
22

       
+

       
        name = "Sent";


     

       

       
23

       
+

       
      };


     

       

       
24

       
+

       
      trash = folder // {


     

       

       
25

       
+

       
        name = "Trash";


     

       

       
26

       
+

       
      };


     

       

       
27

       
+

       
      archive = folder // {


     

       

       
28

       
+

       
        name = "Archive";


     

       

       
29

       
+

       
      };


     

       

       
30

       
+

       
      junk = folder // {


     

       

       
31

       
+

       
        name = "Junk";


     

       

       
32

       
+

       
      };


     

       

       
33

       
+

       
      shared = {


     

       

       
34

       
+

       
        name = "Shared Folders";


     

       

       
35

       
+

       
        create = true;


     

       

       
36

       
+

       
        subscribe = false;


     

       

       
37

       
+

       
      };


     

       

       
38

       
+

       
    };


     

       

       
39

       
+

       
  timeout.authenticated = "30m";


     

       

       
40

       
+

       
  timeout.anonymous = "1m";


     

       

       
41

       
+

       
  timeout.idle = "30m";


     

       

       
42

       
+

       
}
-41
hosts/prefect/services/mailserver/logins.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  mailserver.loginAccounts = {


     

       
3

       

       
-

       
    "pyrox@pyrox.dev" = {


     

       
4

       

       
-

       
      hashedPassword = "$2b$05$8k04quBe6adg8d1yznEp3uNYM54MOVJTwDGIWvzocQFoWbmcCvebC";


     

       
5

       

       
-

       
      aliases = [


     

       
6

       

       
-

       
        "pyrox"


     

       
7

       

       
-

       
        "postmaster@pyrox.dev"


     

       
8

       

       
-

       
        "abuse@pyrox.dev"


     

       
9

       

       
-

       
        "domains@pyrox.dev"


     

       
10

       

       
-

       
      ];


     

       
11

       

       
-

       
    };


     

       
12

       

       
-

       
    "social@pyrox.dev" = {


     

       
13

       

       
-

       
      hashedPassword = "$2b$05$kFDeXvSKU9oXuQXlitA7v.kkbzgCDTrm4O3Nb1kifPe7yAR7.KimO";


     

       
14

       

       
-

       
      sendOnly = true;


     

       
15

       

       
-

       
    };


     

       
16

       

       
-

       
    "auth@pyrox.dev" = {


     

       
17

       

       
-

       
      hashedPassword = "$2b$05$O049hbSwRJ5VYeAA8lLR4e6.fqVWf4PotgIUAO356j5K.OoGH5PF.";


     

       
18

       

       
-

       
      sendOnly = true;


     

       
19

       

       
-

       
    };


     

       
20

       

       
-

       
    "vault@pyrox.dev" = {


     

       
21

       

       
-

       
      hashedPassword = "$2b$05$MHo03BG3AVpBh4NE97zQ8.gTPx2sCoa6Jsw.DRxHBOBaKZ8DbfPrS";


     

       
22

       

       
-

       
      sendOnly = true;


     

       
23

       

       
-

       
    };


     

       
24

       

       
-

       
    "library@pyrox.dev" = {


     

       
25

       

       
-

       
      hashedPassword = "$2b$05$IHsSbEla8KL4gwExvFECFuuoP0ESk66K29R.vawTpbxEpuw1ahii.";


     

       
26

       

       
-

       
      sendOnly = true;


     

       
27

       

       
-

       
    };


     

       
28

       

       
-

       
    "cloud@pyrox.dev" = {


     

       
29

       

       
-

       
      hashedPassword = "$2b$05$kmbsJ2X3Y2l0KYO8jjy1SOJP29coEeKFaMqU6qvRzz/dLJp78CAk6";


     

       
30

       

       
-

       
      sendOnly = true;


     

       
31

       

       
-

       
    };


     

       
32

       

       
-

       
    "git@pyrox.dev" = {


     

       
33

       

       
-

       
      hashedPassword = "$2b$05$uZoLVdCo48rLVBFdG0.UXua8a.84w1PzmLYOpJ1qTNo25KCdQlflm";


     

       
34

       

       
-

       
      sendOnly = true;


     

       
35

       

       
-

       
    };


     

       
36

       

       
-

       
    "share@pyrox.dev" = {


     

       
37

       

       
-

       
      hashedPassword = "$2b$05$LDvYYmxYcTgqPMDvvhA.uO8UFh8yLqPzVuOdeYBq0x/WJ/85X3DEC";


     

       
38

       

       
-

       
      sendOnly = true;


     

       
39

       

       
-

       
    };


     

       
40

       

       
-

       
  };


     

       
41

       

       
-

       
}
-46
hosts/prefect/services/mailserver/monitoring.nix 
···

       
1

       

       
-

       
{ config, pkgs, ... }:


     

       
2

       

       
-

       
# let


     

       
3

       

       
-

       
#   cfg = config.mailserver;


     

       
4

       

       
-

       
# in


     

       
5

       

       
-

       
{


     

       
6

       

       
-

       
  mailserver.monitoring = {


     

       
7

       

       
-

       
    enable = true;


     

       
8

       

       
-

       
    alertAddress = "pyrox@pyrox.dev";


     

       
9

       

       
-

       
    config = ''


     

       
10

       

       
-

       
      set daemon 120 with start delay 60


     

       
11

       

       
-

       
      set mailserver


     

       
12

       

       
-

       
        localhost


     

       
13

       

       
-

       
      set alert ${config.mailserver.monitoring.alertAddress}


     

       
14

       

       
-

       



     

       
15

       

       
-

       
      set httpd port 2812 and use address localhost


     

       
16

       

       
-

       
        allow localhost


     

       
17

       

       
-

       
        allow admin:obwjoawijerfoijsiwfj29jf2f2jd


     

       
18

       

       
-

       



     

       
19

       

       
-

       
      check filesystem root with path /


     

       
20

       

       
-

       
          if space usage > 80% then alert


     

       
21

       

       
-

       
          if inode usage > 80% then alert


     

       
22

       

       
-

       



     

       
23

       

       
-

       
      check system $HOST


     

       
24

       

       
-

       
          if cpu usage > 95% for 10 cycles then alert


     

       
25

       

       
-

       
          if memory usage > 75% for 5 cycles then alert


     

       
26

       

       
-

       
          if swap usage > 20% for 10 cycles then alert


     

       
27

       

       
-

       
          if loadavg (1min) > 90 for 15 cycles then alert


     

       
28

       

       
-

       
          if loadavg (5min) > 80 for 10 cycles then alert


     

       
29

       

       
-

       
          if loadavg (15min) > 70 for 8 cycles then alert


     

       
30

       

       
-

       



     

       
31

       

       
-

       
      check process postfix with pidfile /var/lib/postfix/queue/pid/master.pid


     

       
32

       

       
-

       
          start program = "${pkgs.systemd}/bin/systemctl start postfix"


     

       
33

       

       
-

       
          stop program = "${pkgs.systemd}/bin/systemctl stop postfix"


     

       
34

       

       
-

       
          if failed port 25 protocol smtp for 5 cycles then restart


     

       
35

       

       
-

       



     

       
36

       

       
-

       
      check process dovecot with pidfile /var/run/dovecot2/master.pid


     

       
37

       

       
-

       
          start program = "${pkgs.systemd}/bin/systemctl start dovecot2"


     

       
38

       

       
-

       
          stop program = "${pkgs.systemd}/bin/systemctl stop dovecot2"


     

       
39

       

       
-

       
          if failed host ${config.mailserver.fqdn} port 993 type tcpssl sslauto protocol imap for 5 cycles then restart


     

       
40

       

       
-

       



     

       
41

       

       
-

       
      check process rspamd with matching "rspamd: main process"


     

       
42

       

       
-

       
          start program = "${pkgs.systemd}/bin/systemctl start rspamd"


     

       
43

       

       
-

       
          stop program = "${pkgs.systemd}/bin/systemctl stop rspamd"


     

       
44

       

       
-

       
    '';


     

       
45

       

       
-

       
  };


     

       
46

       

       
-

       
}
-21
hosts/prefect/services/mailserver/overrides.nix 
···

       
1

       

       
-

       
{ lib, ... }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  inherit (lib) mkForce;


     

       
4

       

       
-

       
  tlsProtocols = ">=TLSv1.2";


     

       
5

       

       
-

       
  excludeCiphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, AES128-SHA, AES256-SHA";


     

       
6

       

       
-

       
in


     

       
7

       

       
-

       
{


     

       
8

       

       
-

       
  services.postfix.config = {


     

       
9

       

       
-

       
    # only support TLS 1.3/1.2


     

       
10

       

       
-

       
    smtpd_tls_protocols = mkForce tlsProtocols;


     

       
11

       

       
-

       
    smtp_tls_protocols = mkForce tlsProtocols;


     

       
12

       

       
-

       
    smtpd_tls_mandatory_protocols = mkForce tlsProtocols;


     

       
13

       

       
-

       
    smtp_tls_mandatory_protocols = mkForce tlsProtocols;


     

       
14

       

       
-

       



     

       
15

       

       
-

       
    # Exclude insecure ciphers


     

       
16

       

       
-

       
    smtpd_tls_mandatory_exclude_ciphers = mkForce excludeCiphers;


     

       
17

       

       
-

       
    smtpd_tls_exclude_ciphers = mkForce excludeCiphers;


     

       
18

       

       
-

       
    smtp_tls_mandatory_exclude_ciphers = mkForce excludeCiphers;


     

       
19

       

       
-

       
    smtp_tls_exclude_ciphers = mkForce excludeCiphers;


     

       
20

       

       
-

       
  };


     

       
21

       

       
-

       
}
+97
hosts/prefect/services/mailserver/queue.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  d,


     

       

       
3

       
+

       
  ifThen,


     

       

       
4

       
+

       
  otherwise,


     

       

       
5

       
+

       
}:


     

       

       
6

       
+

       
# Queue Management


     

       

       
7

       
+

       
# https://stalw.art/docs/mta/outbound/overview


     

       

       
8

       
+

       
{


     

       

       
9

       
+

       
  # Virtual Queues


     

       

       
10

       
+

       
  # https://stalw.art/docs/mta/outbound/queue


     

       

       
11

       
+

       
  virtual.default.threads-per-node = 100;


     

       

       
12

       
+

       
  virtual.admin.threads-per-node = 10;


     

       

       
13

       
+

       
  virtual.local.threads-per-node = 100;


     

       

       
14

       
+

       
  # Schedules


     

       

       
15

       
+

       
  # https://stalw.art/docs/mta/outbound/schedule


     

       

       
16

       
+

       
  schedule =


     

       

       
17

       
+

       
    let


     

       

       
18

       
+

       
      queue = {


     

       

       
19

       
+

       
        retry = [


     

       

       
20

       
+

       
          "1m"


     

       

       
21

       
+

       
          "2m"


     

       

       
22

       
+

       
          "5m"


     

       

       
23

       
+

       
          "10m"


     

       

       
24

       
+

       
          "15m"


     

       

       
25

       
+

       
          "30m"


     

       

       
26

       
+

       
          "1h"


     

       

       
27

       
+

       
          "2h"


     

       

       
28

       
+

       
        ];


     

       

       
29

       
+

       
        notify = [


     

       

       
30

       
+

       
          "1d"


     

       

       
31

       
+

       
          "3d"


     

       

       
32

       
+

       
        ];


     

       

       
33

       
+

       
        max-attempts = 15;


     

       

       
34

       
+

       
      };


     

       

       
35

       
+

       
    in


     

       

       
36

       
+

       
    {


     

       

       
37

       
+

       
      default = queue // {


     

       

       
38

       
+

       
        queue-name = "default";


     

       

       
39

       
+

       
      };


     

       

       
40

       
+

       
      admin = queue // {


     

       

       
41

       
+

       
        queue-name = "admin";


     

       

       
42

       
+

       
      };


     

       

       
43

       
+

       
      local = queue // {


     

       

       
44

       
+

       
        queue-name = "local";


     

       

       
45

       
+

       
      };


     

       

       
46

       
+

       
    };


     

       

       
47

       
+

       
  # Routes


     

       

       
48

       
+

       
  # https://stalw.art/docs/mta/outbound/routing


     

       

       
49

       
+

       
  route = {


     

       

       
50

       
+

       
    local.type = "local";


     

       

       
51

       
+

       
    remote = {


     

       

       
52

       
+

       
      type = "mx";


     

       

       
53

       
+

       
      ip-lookup = "ipv6_then_ipv4";


     

       

       
54

       
+

       
      tls.implicit = false;


     

       

       
55

       
+

       
      tls.allow-invalid-certs = false;


     

       

       
56

       
+

       
    };


     

       

       
57

       
+

       
  };


     

       

       
58

       
+

       
  # Strategies


     

       

       
59

       
+

       
  # https://stalw.art/docs/mta/outbound/strategy


     

       

       
60

       
+

       
  strategy = {


     

       

       
61

       
+

       
    schedule = [


     

       

       
62

       
+

       
      (ifThen "is_local_domain('', rcpt_domain)" "'local'")


     

       

       
63

       
+

       
      (ifThen "source = 'dsn'" "'admin'")


     

       

       
64

       
+

       
      (ifThen "source = 'report'" "'admin'")


     

       

       
65

       
+

       
      (ifThen "source = 'autogenerated'" "'admin'")


     

       

       
66

       
+

       
      (otherwise "'default'")


     

       

       
67

       
+

       
    ];


     

       

       
68

       
+

       
    route = [


     

       

       
69

       
+

       
      (ifThen "is_local_domain('', rcpt_domain)" "'local'")


     

       

       
70

       
+

       
      (otherwise "'remote'")


     

       

       
71

       
+

       
    ];


     

       

       
72

       
+

       
    connection = "'default'";


     

       

       
73

       
+

       
    tls = "'default'";


     

       

       
74

       
+

       
  };


     

       

       
75

       
+

       
  # Remote Connection


     

       

       
76

       
+

       
  # https://stalw.art/docs/mta/outbound/connection


     

       

       
77

       
+

       
  connection.default = {


     

       

       
78

       
+

       
    ehlo-hostname = d.extUrl;


     

       

       
79

       
+

       
    source-ips = d.extIPs;


     

       

       
80

       
+

       
    timeout = {


     

       

       
81

       
+

       
      connect = "3m";


     

       

       
82

       
+

       
      greeting = "3m";


     

       

       
83

       
+

       
      ehlo = "3m";


     

       

       
84

       
+

       
      mail-from = "3m";


     

       

       
85

       
+

       
      rcpt-to = "3m";


     

       

       
86

       
+

       
      data = "10m";


     

       

       
87

       
+

       
    };


     

       

       
88

       
+

       
  };


     

       

       
89

       
+

       
  tls.default = {


     

       

       
90

       
+

       
    dane = "optional";


     

       

       
91

       
+

       
    mta-sts = "optional";


     

       

       
92

       
+

       
    starttls = "optional";


     

       

       
93

       
+

       
    allow-invalid-certs = false;


     

       

       
94

       
+

       
    timeout.tls = "3m";


     

       

       
95

       
+

       
    timeout.mta-sts = "3m";


     

       

       
96

       
+

       
  };


     

       

       
97

       
+

       
}
+64
hosts/prefect/services/mailserver/report.nix 
···

       

       
1

       
+

       
{ d }:


     

       

       
2

       
+

       
# Reports


     

       

       
3

       
+

       
# https://stalw.art/docs/mta/reports/overview


     

       

       
4

       
+

       
{


     

       

       
5

       
+

       
  domain = "pyrox.dev";


     

       

       
6

       
+

       
  submitter = "'${d.extUrl}'";


     

       

       
7

       
+

       
  analysis = {


     

       

       
8

       
+

       
    addresses = [


     

       

       
9

       
+

       
      "dmarc@"


     

       

       
10

       
+

       
      "reports@"


     

       

       
11

       
+

       
      "spf@"


     

       

       
12

       
+

       
      "dkim@"


     

       

       
13

       
+

       
      "abuse@"


     

       

       
14

       
+

       
    ];


     

       

       
15

       
+

       
    forward = true;


     

       

       
16

       
+

       
    store = "30d";


     

       

       
17

       
+

       
  };


     

       

       
18

       
+

       
  dsn = {


     

       

       
19

       
+

       
    from-name = "'PyroNet Mail'";


     

       

       
20

       
+

       
    from-address = "'mail@pyrox.dev'";


     

       

       
21

       
+

       
    sign = "['rsa', 'ed25519']";


     

       

       
22

       
+

       
  };


     

       

       
23

       
+

       
  dkim = {


     

       

       
24

       
+

       
    from-name = "'PyroNet Mail Reports'";


     

       

       
25

       
+

       
    from-address = "'noreply-dkim@pyrox.dev'";


     

       

       
26

       
+

       
    subject = "'DKIM Authentication Failure Report'";


     

       

       
27

       
+

       
    sign = "['rsa', 'ed25519']";


     

       

       
28

       
+

       
    send = "1/1d";


     

       

       
29

       
+

       
  };


     

       

       
30

       
+

       
  spf = {


     

       

       
31

       
+

       
    from-name = "'PyroNet Mail Reports'";


     

       

       
32

       
+

       
    from-address = "'noreply-spf@pyrox.dev'";


     

       

       
33

       
+

       
    subject = "'SPF Authentication Failure Report'";


     

       

       
34

       
+

       
    sign = "['rsa', 'ed25519']";


     

       

       
35

       
+

       
    send = "1/1d";


     

       

       
36

       
+

       
  };


     

       

       
37

       
+

       
  dmarc = {


     

       

       
38

       
+

       
    from-name = "'PyroNet Mail Reports'";


     

       

       
39

       
+

       
    from-address = "'noreply-dmarc@pyrox.dev'";


     

       

       
40

       
+

       
    subject = "'DMARC Authentication Failure Report'";


     

       

       
41

       
+

       
    sign = "['rsa', 'ed25519']";


     

       

       
42

       
+

       
    send = "1/1d";


     

       

       
43

       
+

       
    aggregate = {


     

       

       
44

       
+

       
      from-name = "'DMARC Report'";


     

       

       
45

       
+

       
      from-address = "'noreply-dmarc@pyrox.dev'";


     

       

       
46

       
+

       
      org-name = "'PyroNet Mail'";


     

       

       
47

       
+

       
      contact-info = "'pyrox@pyrox.dev'";


     

       

       
48

       
+

       
      send = "daily";


     

       

       
49

       
+

       
      # 25 MiB


     

       

       
50

       
+

       
      max-size = 26214400;


     

       

       
51

       
+

       
      sign = "['rsa', 'ed25519']";


     

       

       
52

       
+

       
    };


     

       

       
53

       
+

       
  };


     

       

       
54

       
+

       
  tls.aggregate = {


     

       

       
55

       
+

       
    from-name = "'PyroNet Mail Reports'";


     

       

       
56

       
+

       
    from-address = "'noreply-tls@pyrox.dev'";


     

       

       
57

       
+

       
    org-name = "'PyroNet Mail'";


     

       

       
58

       
+

       
    contact-info = "'pyrox@pyrox.dev'";


     

       

       
59

       
+

       
    send = "daily";


     

       

       
60

       
+

       
    # 25 MiB


     

       

       
61

       
+

       
    max-size = 26214400;


     

       

       
62

       
+

       
    sign = "['rsa', 'ed25519']";


     

       

       
63

       
+

       
  };


     

       

       
64

       
+

       
}
+69
hosts/prefect/services/mailserver/server.nix 
···

       

       
1

       
+

       
{ d }:


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  hostname = d.extUrl;


     

       

       
4

       
+

       
  # TLS


     

       

       
5

       
+

       
  # https://stalw.art/docs/server/tls/overview


     

       

       
6

       
+

       
  tls = {


     

       

       
7

       
+

       
    enable = true;


     

       

       
8

       
+

       
    implicit = false;


     

       

       
9

       
+

       
    ignore-client-order = true;


     

       

       
10

       
+

       
  };


     

       

       
11

       
+

       
  # Listeners


     

       

       
12

       
+

       
  # https://stalw.art/docs/server/listener


     

       

       
13

       
+

       
  listener = {


     

       

       
14

       
+

       
    smtp = {


     

       

       
15

       
+

       
      bind = [


     

       

       
16

       
+

       
        "[::]:${toString d.intSMTP}"


     

       

       
17

       
+

       
        "[::]:40025"


     

       

       
18

       
+

       
      ];


     

       

       
19

       
+

       
      protocol = "smtp";


     

       

       
20

       
+

       
      # Explicit TLS


     

       

       
21

       
+

       
      tls.implicit = false;


     

       

       
22

       
+

       
    };


     

       

       
23

       
+

       
    smtps = {


     

       

       
24

       
+

       
      bind = "[::]:${toString d.intSMTPS}";


     

       

       
25

       
+

       
      protocol = "smtp";


     

       

       
26

       
+

       
      # Implicit TLS


     

       

       
27

       
+

       
      tls.implicit = true;


     

       

       
28

       
+

       
    };


     

       

       
29

       
+

       
    imap = {


     

       

       
30

       
+

       
      bind = "[::]:${toString d.intIMAP}";


     

       

       
31

       
+

       
      protocol = "imap";


     

       

       
32

       
+

       
      # Explicit TLS


     

       

       
33

       
+

       
      tls.implicit = false;


     

       

       
34

       
+

       
    };


     

       

       
35

       
+

       
    imaps = {


     

       

       
36

       
+

       
      bind = "[::]:${toString d.intIMAPS}";


     

       

       
37

       
+

       
      protocol = "imap";


     

       

       
38

       
+

       
      # Implicit TLS


     

       

       
39

       
+

       
      tls.implicit = true;


     

       

       
40

       
+

       
    };


     

       

       
41

       
+

       
    managesieve = {


     

       

       
42

       
+

       
      bind = "[::]:${toString d.intManageSieve}";


     

       

       
43

       
+

       
      protocol = "managesieve";


     

       

       
44

       
+

       
      # Explicit TLS


     

       

       
45

       
+

       
      tls.implicit = false;


     

       

       
46

       
+

       
    };


     

       

       
47

       
+

       
    https = {


     

       

       
48

       
+

       
      bind = "[::]:${toString d.intHTTPS}";


     

       

       
49

       
+

       
      protocol = "http";


     

       

       
50

       
+

       
      # Implicit TLS


     

       

       
51

       
+

       
      tls.implicit = true;


     

       

       
52

       
+

       
    };


     

       

       
53

       
+

       
    http = {


     

       

       
54

       
+

       
      bind = "[::]:${toString d.intHTTP}";


     

       

       
55

       
+

       
      protocol = "http";


     

       

       
56

       
+

       
      # Implicit TLS


     

       

       
57

       
+

       
      tls.implicit = false;


     

       

       
58

       
+

       
    };


     

       

       
59

       
+

       
  };


     

       

       
60

       
+

       
  # Proxy Protocol from Caddy


     

       

       
61

       
+

       
  # Only accepts proxy protocol from Tailscale IP Ranges


     

       

       
62

       
+

       
  # https://tailscale.com/kb/1015/100.x-addresses


     

       

       
63

       
+

       
  # https://tailscale.com/kb/1033/ip-and-dns-addresses


     

       

       
64

       
+

       
  proxy.trusted-networks = [


     

       

       
65

       
+

       
    "fd7a:115c:a1e0::/48"


     

       

       
66

       
+

       
    "100.64.0.0/10"


     

       

       
67

       
+

       
    "127.0.0.1/8"


     

       

       
68

       
+

       
  ];


     

       

       
69

       
+

       
}
+63
hosts/prefect/services/mailserver/session.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  isAuthenticated,


     

       

       
3

       
+

       
  otherwise,


     

       

       
4

       
+

       
  ifThen,


     

       

       
5

       
+

       
}:


     

       

       
6

       
+

       
# MTA Settings


     

       

       
7

       
+

       
# https://stalw.art/docs/mta/overview


     

       

       
8

       
+

       
{


     

       

       
9

       
+

       
  # Inbound


     

       

       
10

       
+

       
  # https://stalw.art/docs/mta/inbound/overview


     

       

       
11

       
+

       
  # # EHLO Stage


     

       

       
12

       
+

       
  # # https://stalw.art/docs/mta/inbound/ehlo


     

       

       
13

       
+

       
  ehlo = {


     

       

       
14

       
+

       
    require = true;


     

       

       
15

       
+

       
    reject-non-fqdn = [


     

       

       
16

       
+

       
      (ifThen "protocol = 'smtp'" true)


     

       

       
17

       
+

       
      (otherwise false)


     

       

       
18

       
+

       
    ];


     

       

       
19

       
+

       
  };


     

       

       
20

       
+

       
  # # RCPT Stage


     

       

       
21

       
+

       
  # # https://stalw.art/docs/mta/inbound/rcpt


     

       

       
22

       
+

       
  rcpt = {


     

       

       
23

       
+

       
    relay = [


     

       

       
24

       
+

       
      (isAuthenticated true)


     

       

       
25

       
+

       
      (otherwise false)


     

       

       
26

       
+

       
    ];


     

       

       
27

       
+

       
    subaddressing = true;


     

       

       
28

       
+

       
  };


     

       

       
29

       
+

       
  auth = {


     

       

       
30

       
+

       
    mechanisms = [


     

       

       
31

       
+

       
      (ifThen "local_port != 40025 && is_tls" "[plain, login, oauthbearer, xoauth2]")


     

       

       
32

       
+

       
      (ifThen "local_port != 40025" "[oauthbearer, xoauth2]")


     

       

       
33

       
+

       
      (otherwise false)


     

       

       
34

       
+

       
    ];


     

       

       
35

       
+

       
    directory = "'default'";


     

       

       
36

       
+

       
    require = [


     

       

       
37

       
+

       
      (ifThen "local_port != 40025" true)


     

       

       
38

       
+

       
      (otherwise false)


     

       

       
39

       
+

       
    ];


     

       

       
40

       
+

       
    must-match-sender = true;


     

       

       
41

       
+

       
  };


     

       

       
42

       
+

       
  extensions =


     

       

       
43

       
+

       
    let


     

       

       
44

       
+

       
      ifAuthed = [


     

       

       
45

       
+

       
        (isAuthenticated true)


     

       

       
46

       
+

       
        (otherwise false)


     

       

       
47

       
+

       
      ];


     

       

       
48

       
+

       
    in


     

       

       
49

       
+

       
    {


     

       

       
50

       
+

       
      pipelining = true;


     

       

       
51

       
+

       
      chunking = true;


     

       

       
52

       
+

       
      requiretls = true;


     

       

       
53

       
+

       
      no-soliciting = "";


     

       

       
54

       
+

       
      dsn = ifAuthed;


     

       

       
55

       
+

       
      deliver-by = [


     

       

       
56

       
+

       
        (isAuthenticated "15d")


     

       

       
57

       
+

       
        (otherwise false)


     

       

       
58

       
+

       
      ];


     

       

       
59

       
+

       
      mt-priority = false;


     

       

       
60

       
+

       
      vrfy = ifAuthed;


     

       

       
61

       
+

       
      expn = ifAuthed;


     

       

       
62

       
+

       
    };


     

       

       
63

       
+

       
}
+42
hosts/prefect/services/mailserver/signature.nix 
···

       

       
1

       
+

       
{ sec }:


     

       

       
2

       
+

       
let


     

       

       
3

       
+

       
  headers = [


     

       

       
4

       
+

       
    "From"


     

       

       
5

       
+

       
    "To"


     

       

       
6

       
+

       
    "Cc"


     

       

       
7

       
+

       
    "Date"


     

       

       
8

       
+

       
    "Subject"


     

       

       
9

       
+

       
    "Message-ID"


     

       

       
10

       
+

       
    "Organization"


     

       

       
11

       
+

       
    "MIME-Version"


     

       

       
12

       
+

       
    "Content-Type"


     

       

       
13

       
+

       
    "In-Reply-To"


     

       

       
14

       
+

       
    "References"


     

       

       
15

       
+

       
    "List-Id"


     

       

       
16

       
+

       
    "User-Agent"


     

       

       
17

       
+

       
    "Thread-Topic"


     

       

       
18

       
+

       
    "Thread-Index"


     

       

       
19

       
+

       
  ];


     

       

       
20

       
+

       
in


     

       

       
21

       
+

       
{


     

       

       
22

       
+

       
  rsa = {


     

       

       
23

       
+

       
    inherit headers;


     

       

       
24

       
+

       
    private-key = "%{file:${sec.stalwart-secret-rsa.path}}%";


     

       

       
25

       
+

       
    domain = "pyrox.dev";


     

       

       
26

       
+

       
    selector = "rsa-default";


     

       

       
27

       
+

       
    algorithm = "rsa-sha256";


     

       

       
28

       
+

       
    canonicalization = "relaxed/relaxed";


     

       

       
29

       
+

       
    expire = "10d";


     

       

       
30

       
+

       
    report = true;


     

       

       
31

       
+

       
  };


     

       

       
32

       
+

       
  ed25519 = {


     

       

       
33

       
+

       
    inherit headers;


     

       

       
34

       
+

       
    private-key = "%{file:${sec.stalwart-secret-ed25519.path}}%";


     

       

       
35

       
+

       
    domain = "pyrox.dev";


     

       

       
36

       
+

       
    selector = "default";


     

       

       
37

       
+

       
    algorithm = "ed25519-sha256";


     

       

       
38

       
+

       
    canonicalization = "relaxed/relaxed";


     

       

       
39

       
+

       
    expire = "10d";


     

       

       
40

       
+

       
    report = true;


     

       

       
41

       
+

       
  };


     

       

       
42

       
+

       
}
-21
hosts/prefect/services/mailserver/stalwart/acme.nix 
···

       
1

       

       
-

       
# ACME for certs, using TLS-ALPN-01 Challenges(one fewer ports open)


     

       
2

       

       
-

       
# https://stalw.art/docs/server/tls/acme/configuration


     

       
3

       

       
-

       
{ cfg, sec }:


     

       
4

       

       
-

       
{


     

       
5

       

       
-

       
  letsencrypt = {


     

       
6

       

       
-

       
    directory = "https://acme-staging-v02.api.letsencrypt.org/directory";


     

       
7

       

       
-

       
    challenge = "dns-01";


     

       
8

       

       
-

       
    contact = [ "pyrox@pyrox.dev" ];


     

       
9

       

       
-

       
    domains = [


     

       
10

       

       
-

       
      "mail.pyrox.dev"


     

       
11

       

       
-

       
      "mta-sts.pyrox.dev"


     

       
12

       

       
-

       
      "autoconfig.pyrox.dev"


     

       
13

       

       
-

       
      "autodiscover.pyrox.dev"


     

       
14

       

       
-

       
    ];


     

       
15

       

       
-

       
    cache = "${cfg.dataDir}/acme/certs";


     

       
16

       

       
-

       
    renew-before = "30d";


     

       
17

       

       
-

       
    default = true;


     

       
18

       

       
-

       
    provider = "desec";


     

       
19

       

       
-

       
    secret = "%{file:${sec.stalwart-desec-token.path}}%";


     

       
20

       

       
-

       
  };


     

       
21

       

       
-

       
}
-21
hosts/prefect/services/mailserver/stalwart/auth.nix 
···

       
1

       

       
-

       
{ ifThen, otherwise }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  relVer = [


     

       
4

       

       
-

       
    (ifThen "protocol = 'smtp'" "relaxed")


     

       
5

       

       
-

       
    (otherwise "disable")


     

       
6

       

       
-

       
  ];


     

       
7

       

       
-

       
in


     

       
8

       

       
-

       
{


     

       
9

       

       
-

       
  dkim = {


     

       
10

       

       
-

       
    sign = [


     

       
11

       

       
-

       
      (ifThen "sender_domain = 'pyrox.dev'" "['rsa', 'ed25519']")


     

       
12

       

       
-

       
      (otherwise false)


     

       
13

       

       
-

       
    ];


     

       
14

       

       
-

       
  };


     

       
15

       

       
-

       
  spf.verify.ehlo = relVer;


     

       
16

       

       
-

       
  spf.verify.mail-from = relVer;


     

       
17

       

       
-

       
  dmarc.verify = relVer;


     

       
18

       

       
-

       
  iprev.verify = relVer;


     

       
19

       

       
-

       
  arc.seal = "'ed25519'";


     

       
20

       

       
-

       
  arc.verify = "relaxed";


     

       
21

       

       
-

       
}
-25
hosts/prefect/services/mailserver/stalwart/auto-ban.nix 
···

       
1

       

       
-

       
# Strict Auto-ban


     

       
2

       

       
-

       
# https://stalw.art/docs/server/auto-ban


     

       
3

       

       
-

       
{


     

       
4

       

       
-

       
  auth.rate = "15/1d";


     

       
5

       

       
-

       
  abuse.rate = "15/1d";


     

       
6

       

       
-

       
  loiter.rate = "15/1d";


     

       
7

       

       
-

       
  scan = {


     

       
8

       

       
-

       
    rate = "20/1d";


     

       
9

       

       
-

       
    paths = [


     

       
10

       

       
-

       
      "*.php*"


     

       
11

       

       
-

       
      "*.cgi*"


     

       
12

       

       
-

       
      "*.asp*"


     

       
13

       

       
-

       
      "*/wp-*"


     

       
14

       

       
-

       
      "*/php*"


     

       
15

       

       
-

       
      "*/cgi-bin*"


     

       
16

       

       
-

       
      "*xmlrpc*"


     

       
17

       

       
-

       
      "*../*"


     

       
18

       

       
-

       
      "*/..*"


     

       
19

       

       
-

       
      "*joomla*"


     

       
20

       

       
-

       
      "*wordpress*"


     

       
21

       

       
-

       
      "*drupal*"


     

       
22

       

       
-

       
      "/.git*"


     

       
23

       

       
-

       
    ];


     

       
24

       

       
-

       
  };


     

       
25

       

       
-

       
}
-25
hosts/prefect/services/mailserver/stalwart/calendar.nix 
···

       
1

       

       
-

       
# Calendar settings


     

       
2

       

       
-

       
# https://stalw.art/docs/collaboration/calendar


     

       
3

       

       
-

       
{


     

       
4

       

       
-

       
  max-recurrence-expansions = 2048;


     

       
5

       

       
-

       
  # 512 KiB


     

       
6

       

       
-

       
  max-size = 524288;


     

       
7

       

       
-

       
  max-attendees-per-instance = 20;


     

       
8

       

       
-

       
  default.href-name = "default";


     

       
9

       

       
-

       
  default.display-name = "Personal";


     

       
10

       

       
-

       
  # Scheduling


     

       
11

       

       
-

       
  # https://stalw.art/docs/collaboration/scheduling


     

       
12

       

       
-

       
  scheduling.enable = true;


     

       
13

       

       
-

       
  # 1 MiB


     

       
14

       

       
-

       
  scheduling.inbound.max-size = 1048576;


     

       
15

       

       
-

       
  scheduling.outbound.max-recipients = 100;


     

       
16

       

       
-

       
  scheduling.inbox.auto-expunge = "30d";


     

       
17

       

       
-

       
  scheduling.http-rsvp.enable = true;


     

       
18

       

       
-

       
  scheduling.http-rsvp.expiration = "7d";


     

       
19

       

       
-

       
  # Notifications


     

       
20

       

       
-

       
  # https://stalw.art/docs/collaboration/notifications


     

       
21

       

       
-

       
  alarms.enable = true;


     

       
22

       

       
-

       
  alarms.minimum-interval = "1h";


     

       
23

       

       
-

       
  alarms.from.name = "PyroNet Calendars";


     

       
24

       

       
-

       
  alarms.from.email = "calendar-notifs@pyrox.dev";


     

       
25

       

       
-

       
}
-217
hosts/prefect/services/mailserver/stalwart/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  config,


     

       
3

       

       
-

       
  lib,


     

       
4

       

       
-

       
  self,


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}:


     

       
7

       

       
-

       
let


     

       
8

       

       
-

       
  d = self.lib.data.mail;


     

       
9

       

       
-

       
  cfg = config.services.stalwart-mail;


     

       
10

       

       
-

       
  sec = config.age.secrets;


     

       
11

       

       
-

       
  creds = config.services.stalwart-mail.credentials;


     

       
12

       

       
-

       
  credsDir = "/run/credentials/stalwart-mail.service";


     

       
13

       

       
-

       
  certDir = config.security.acme.certs."pyroxdev-mail".directory;


     

       
14

       

       
-

       
  isAuthenticated = d: {


     

       
15

       

       
-

       
    "if" = "!is_empty(authenticated_as)";


     

       
16

       

       
-

       
    "then" = d;


     

       
17

       

       
-

       
  };


     

       
18

       

       
-

       
  otherwise = d: {


     

       
19

       

       
-

       
    "else" = d;


     

       
20

       

       
-

       
  };


     

       
21

       

       
-

       
  ifThen = f: d: {


     

       
22

       

       
-

       
    "if" = f;


     

       
23

       

       
-

       
    "then" = d;


     

       
24

       

       
-

       
  };


     

       
25

       

       
-

       
  smSecret = {


     

       
26

       

       
-

       
    owner = "stalwart-mail";


     

       
27

       

       
-

       
    group = "stalwart-mail";


     

       
28

       

       
-

       
  };


     

       
29

       

       
-

       
in


     

       
30

       

       
-

       
{


     

       
31

       

       
-

       
  services.stalwart-mail = {


     

       
32

       

       
-

       
    credentials = {


     

       
33

       

       
-

       
      cert = "${certDir}/cert.pem";


     

       
34

       

       
-

       
      key = "${certDir}/key.pem";


     

       
35

       

       
-

       
    };


     

       
36

       

       
-

       
    enable = true;


     

       
37

       

       
-

       
    dataDir = "/var/lib/stalwart";


     

       
38

       

       
-

       
    settings = {


     

       
39

       

       
-

       
      tracer.stdout.level = "info";


     

       
40

       

       
-

       
      authentication.fallback-admin = {


     

       
41

       

       
-

       
        user = "fallback";


     

       
42

       

       
-

       
        secret = "%{file:${sec.stalwart-fallback-admin-pw.path}}%";


     

       
43

       

       
-

       
      };


     

       
44

       

       
-

       
      config = {


     

       
45

       

       
-

       
        local-keys = [


     

       
46

       

       
-

       
          "asn.*"


     

       
47

       

       
-

       
          "auth.*"


     

       
48

       

       
-

       
          "authentication.*"


     

       
49

       

       
-

       
          "auto-ban.*"


     

       
50

       

       
-

       
          "calendar.*"


     

       
51

       

       
-

       
          "certificate.*"


     

       
52

       

       
-

       
          "changes.*"


     

       
53

       

       
-

       
          "cluster.*"


     

       
54

       

       
-

       
          "config.*"


     

       
55

       

       
-

       
          "contacts.*"


     

       
56

       

       
-

       
          "directory.*"


     

       
57

       

       
-

       
          "http.*"


     

       
58

       

       
-

       
          "imap.*"


     

       
59

       

       
-

       
          "jmap.*"


     

       
60

       

       
-

       
          "queue.*"


     

       
61

       

       
-

       
          "report.*"


     

       
62

       

       
-

       
          "resolver.*"


     

       
63

       

       
-

       
          "server.*"


     

       
64

       

       
-

       
          "session.*"


     

       
65

       

       
-

       
          "signature.*"


     

       
66

       

       
-

       
          "storage.*"


     

       
67

       

       
-

       
          "store.*"


     

       
68

       

       
-

       
          "tracer.*"


     

       
69

       

       
-

       
          "webadmin.*"


     

       
70

       

       
-

       
          "form.*"


     

       
71

       

       
-

       
          "email.*"


     

       
72

       

       
-

       
          "spam-filter.*"


     

       
73

       

       
-

       
        ];


     

       
74

       

       
-

       
      };


     

       
75

       

       
-

       
      certificate = {


     

       
76

       

       
-

       
        default = {


     

       
77

       

       
-

       
          default = true;


     

       
78

       

       
-

       
          cert = "%{file:${credsDir}/cert}%";


     

       
79

       

       
-

       
          private-key = "%{file:${credsDir}/key}%";


     

       
80

       

       
-

       
          subjects = [


     

       
81

       

       
-

       
            "dav.pyrox.dev"


     

       
82

       

       
-

       
            "mail.pyrox.dev"


     

       
83

       

       
-

       
            "mta-sts.pyrox.dev"


     

       
84

       

       
-

       
            "autoconfig.pyrox.dev"


     

       
85

       

       
-

       
            "autodiscover.pyrox.dev"


     

       
86

       

       
-

       
          ];


     

       
87

       

       
-

       
        };


     

       
88

       

       
-

       
      };


     

       
89

       

       
-

       
      server = import ./server.nix { inherit d; };


     

       
90

       

       
-

       
      # Use NixOS-generated certs now, since stalwart can't do it on its own


     

       
91

       

       
-

       
      # (DeSec API Errors abound)


     

       
92

       

       
-

       
      # acme = import ./acme.nix { inherit cfg sec; };


     

       
93

       

       
-

       
      # HTTP Configuration


     

       
94

       

       
-

       
      # https://stalw.art/docs/http/overview


     

       
95

       

       
-

       
      http = {


     

       
96

       

       
-

       
        url = "'https://${d.extUrl}'";


     

       
97

       

       
-

       
        hsts = true;


     

       
98

       

       
-

       
        rate-limit = {


     

       
99

       

       
-

       
          account = "10000/1m";


     

       
100

       

       
-

       
        };


     

       
101

       

       
-

       
      };


     

       
102

       

       
-

       
      # Disable HTTP Forms submission


     

       
103

       

       
-

       
      # https://stalw.art/docs/http/form-submission


     

       
104

       

       
-

       
      form.enable = false;


     

       
105

       

       
-

       
      # DKIM Signatures


     

       
106

       

       
-

       
      signature = import ./signature.nix { inherit sec; };


     

       
107

       

       
-

       
      # Storage Settings


     

       
108

       

       
-

       
      # https://stalw.art/docs/storage/overview


     

       
109

       

       
-

       
      store = {


     

       
110

       

       
-

       
        data = {


     

       
111

       

       
-

       
          type = "rocksdb";


     

       
112

       

       
-

       
          path = "${cfg.dataDir}/db";


     

       
113

       

       
-

       
          purge.frequency = "0 3 *";


     

       
114

       

       
-

       
        };


     

       
115

       

       
-

       
        blob = {


     

       
116

       

       
-

       
          type = "fs";


     

       
117

       

       
-

       
          path = "${cfg.dataDir}/blobs";


     

       
118

       

       
-

       
          depth = 2;


     

       
119

       

       
-

       
          compression = "lz4";


     

       
120

       

       
-

       
          purge.frequency = "0 4 *";


     

       
121

       

       
-

       
        };


     

       
122

       

       
-

       
        db.path = "${cfg.dataDir}/db2";


     

       
123

       

       
-

       
      };


     

       
124

       

       
-

       
      storage = {


     

       
125

       

       
-

       
        data = "data";


     

       
126

       

       
-

       
        blob = "blob";


     

       
127

       

       
-

       
        fts = "data";


     

       
128

       

       
-

       
        lookup = "data";


     

       
129

       

       
-

       
        directory = "default";


     

       
130

       

       
-

       
      };


     

       
131

       

       
-

       
      directory = {


     

       
132

       

       
-

       
        default = {


     

       
133

       

       
-

       
          type = "internal";


     

       
134

       

       
-

       
          store = "data";


     

       
135

       

       
-

       
        };


     

       
136

       

       
-

       
      };


     

       
137

       

       
-

       
      # ASN/GeoIP Lookups


     

       
138

       

       
-

       
      # https://stalw.art/docs/server/asn


     

       
139

       

       
-

       
      asn = {


     

       
140

       

       
-

       
        type = "dns";


     

       
141

       

       
-

       
        separator = "|";


     

       
142

       

       
-

       
        zone.ipv4 = "origin.asn.cymru.com";


     

       
143

       

       
-

       
        zone.ipv6 = "origin6.asn.cymru.com";


     

       
144

       

       
-

       
        index.asn = 0;


     

       
145

       

       
-

       
        index.asn-name = 1;


     

       
146

       

       
-

       
        index.country = 2;


     

       
147

       

       
-

       
      };


     

       
148

       

       
-

       
      auto-ban = import ./auto-ban.nix;


     

       
149

       

       
-

       
      # JMAP Settings


     

       
150

       

       
-

       
      # https://stalw.art/docs/email/jmap


     

       
151

       

       
-

       
      jmap = {


     

       
152

       

       
-

       
        mailbox.max-depth = 10;


     

       
153

       

       
-

       
        mailbox.max-name-length = 255;


     

       
154

       

       
-

       
        # 50 MB


     

       
155

       

       
-

       
        email.max-attachment-size = 50 * 1000 * 1000;


     

       
156

       

       
-

       
        # 75 MB


     

       
157

       

       
-

       
        email.max-size = 75 * 1000 * 1000;


     

       
158

       

       
-

       
        email.parse.max-items = 10;


     

       
159

       

       
-

       
      };


     

       
160

       

       
-

       
      imap = import ./imap.nix;


     

       
161

       

       
-

       
      # Maintainance


     

       
162

       

       
-

       
      # https://stalw.art/docs/email/maintenance


     

       
163

       

       
-

       
      email.auto-expunge = "180d";


     

       
164

       

       
-

       
      changes.max-history = 10000;


     

       
165

       

       
-

       
      session = import ./session.nix { inherit isAuthenticated otherwise ifThen; };


     

       
166

       

       
-

       
      queue = import ./queue.nix { inherit d ifThen otherwise; };


     

       
167

       

       
-

       
      # DNS Settings


     

       
168

       

       
-

       
      # https://stalw.art/docs/mta/outbound/dns


     

       
169

       

       
-

       
      resolver = {


     

       
170

       

       
-

       
        custom = [


     

       
171

       

       
-

       
          "tls://dns11.quad9.net"


     

       
172

       

       
-

       
          "tcp://1.1.1.1"


     

       
173

       

       
-

       
        ];


     

       
174

       

       
-

       
        concurrency = 2;


     

       
175

       

       
-

       
        preserve-intermediates = true;


     

       
176

       

       
-

       
        timeout = "5s";


     

       
177

       

       
-

       
        attempts = 3;


     

       
178

       

       
-

       
        edns = true;


     

       
179

       

       
-

       
      };


     

       
180

       

       
-

       
      report = import ./report.nix { inherit d; };


     

       
181

       

       
-

       
      calendar = import ./calendar.nix;


     

       
182

       

       
-

       
      # Authentication


     

       
183

       

       
-

       
      auth = import ./auth.nix { inherit ifThen otherwise; };


     

       
184

       

       
-

       
      # Contacts


     

       
185

       

       
-

       
      # https://stalw.art/docs/collaboration/contact


     

       
186

       

       
-

       
      contacts = {


     

       
187

       

       
-

       
        # 512 KiB


     

       
188

       

       
-

       
        max-size = 524288;


     

       
189

       

       
-

       
        default.href-name = "default";


     

       
190

       

       
-

       
        default.display-name = "Contacts";


     

       
191

       

       
-

       
      };


     

       
192

       

       
-

       
      # Spam Filtering


     

       
193

       

       
-

       
      # https://stalw.art/docs/spamfilter/overview


     

       
194

       

       
-

       
      spam-filter = {


     

       
195

       

       
-

       
        card-is-ham = true;


     

       
196

       

       
-

       
      };


     

       
197

       

       
-

       
    };


     

       
198

       

       
-

       
  };


     

       
199

       

       
-

       
  systemd.services.stalwart-mail.serviceConfig = {


     

       
200

       

       
-

       
    Restart = lib.mkForce "always";


     

       
201

       

       
-

       
    RestartSec = lib.mkForce 1;


     

       
202

       

       
-

       
  };


     

       
203

       

       
-

       
  age.secrets = {


     

       
204

       

       
-

       
    stalwart-secret-rsa = smSecret // {


     

       
205

       

       
-

       
      file = ../../../secrets/stalwart-secret-rsa.age;


     

       
206

       

       
-

       
    };


     

       
207

       

       
-

       
    stalwart-secret-ed25519 = smSecret // {


     

       
208

       

       
-

       
      file = ../../../secrets/stalwart-secret-ed25519.age;


     

       
209

       

       
-

       
    };


     

       
210

       

       
-

       
    stalwart-desec-token = smSecret // {


     

       
211

       

       
-

       
      file = ../../../secrets/stalwart-desec-token.age;


     

       
212

       

       
-

       
    };


     

       
213

       

       
-

       
    stalwart-fallback-admin-pw = smSecret // {


     

       
214

       

       
-

       
      file = ../../../secrets/stalwart-fallback-admin-pw.age;


     

       
215

       

       
-

       
    };


     

       
216

       

       
-

       
  };


     

       
217

       

       
-

       
}
-42
hosts/prefect/services/mailserver/stalwart/imap.nix 
···

       
1

       

       
-

       
# https://stalw.art/docs/email/imap


     

       
2

       

       
-

       
{


     

       
3

       

       
-

       
  # 50 MiB


     

       
4

       

       
-

       
  request.max-size = 52428800;


     

       
5

       

       
-

       
  auth.max-failures = 3;


     

       
6

       

       
-

       
  auth.allow-plain-text = false;


     

       
7

       

       
-

       
  folders =


     

       
8

       

       
-

       
    let


     

       
9

       

       
-

       
      folder = {


     

       
10

       

       
-

       
        create = true;


     

       
11

       

       
-

       
        subscribe = true;


     

       
12

       

       
-

       
      };


     

       
13

       

       
-

       
    in


     

       
14

       

       
-

       
    {


     

       
15

       

       
-

       
      inbox = folder // {


     

       
16

       

       
-

       
        name = "Inbox";


     

       
17

       

       
-

       
      };


     

       
18

       

       
-

       
      drafts = folder // {


     

       
19

       

       
-

       
        name = "Drafts";


     

       
20

       

       
-

       
      };


     

       
21

       

       
-

       
      sent = folder // {


     

       
22

       

       
-

       
        name = "Sent";


     

       
23

       

       
-

       
      };


     

       
24

       

       
-

       
      trash = folder // {


     

       
25

       

       
-

       
        name = "Trash";


     

       
26

       

       
-

       
      };


     

       
27

       

       
-

       
      archive = folder // {


     

       
28

       

       
-

       
        name = "Archive";


     

       
29

       

       
-

       
      };


     

       
30

       

       
-

       
      junk = folder // {


     

       
31

       

       
-

       
        name = "Junk";


     

       
32

       

       
-

       
      };


     

       
33

       

       
-

       
      shared = {


     

       
34

       

       
-

       
        name = "Shared Folders";


     

       
35

       

       
-

       
        create = true;


     

       
36

       

       
-

       
        subscribe = false;


     

       
37

       

       
-

       
      };


     

       
38

       

       
-

       
    };


     

       
39

       

       
-

       
  timeout.authenticated = "30m";


     

       
40

       

       
-

       
  timeout.anonymous = "1m";


     

       
41

       

       
-

       
  timeout.idle = "30m";


     

       
42

       

       
-

       
}
-97
hosts/prefect/services/mailserver/stalwart/queue.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  d,


     

       
3

       

       
-

       
  ifThen,


     

       
4

       

       
-

       
  otherwise,


     

       
5

       

       
-

       
}:


     

       
6

       

       
-

       
# Queue Management


     

       
7

       

       
-

       
# https://stalw.art/docs/mta/outbound/overview


     

       
8

       

       
-

       
{


     

       
9

       

       
-

       
  # Virtual Queues


     

       
10

       

       
-

       
  # https://stalw.art/docs/mta/outbound/queue


     

       
11

       

       
-

       
  virtual.default.threads-per-node = 100;


     

       
12

       

       
-

       
  virtual.admin.threads-per-node = 10;


     

       
13

       

       
-

       
  virtual.local.threads-per-node = 100;


     

       
14

       

       
-

       
  # Schedules


     

       
15

       

       
-

       
  # https://stalw.art/docs/mta/outbound/schedule


     

       
16

       

       
-

       
  schedule =


     

       
17

       

       
-

       
    let


     

       
18

       

       
-

       
      queue = {


     

       
19

       

       
-

       
        retry = [


     

       
20

       

       
-

       
          "1m"


     

       
21

       

       
-

       
          "2m"


     

       
22

       

       
-

       
          "5m"


     

       
23

       

       
-

       
          "10m"


     

       
24

       

       
-

       
          "15m"


     

       
25

       

       
-

       
          "30m"


     

       
26

       

       
-

       
          "1h"


     

       
27

       

       
-

       
          "2h"


     

       
28

       

       
-

       
        ];


     

       
29

       

       
-

       
        notify = [


     

       
30

       

       
-

       
          "1d"


     

       
31

       

       
-

       
          "3d"


     

       
32

       

       
-

       
        ];


     

       
33

       

       
-

       
        max-attempts = 15;


     

       
34

       

       
-

       
      };


     

       
35

       

       
-

       
    in


     

       
36

       

       
-

       
    {


     

       
37

       

       
-

       
      default = queue // {


     

       
38

       

       
-

       
        queue-name = "default";


     

       
39

       

       
-

       
      };


     

       
40

       

       
-

       
      admin = queue // {


     

       
41

       

       
-

       
        queue-name = "admin";


     

       
42

       

       
-

       
      };


     

       
43

       

       
-

       
      local = queue // {


     

       
44

       

       
-

       
        queue-name = "local";


     

       
45

       

       
-

       
      };


     

       
46

       

       
-

       
    };


     

       
47

       

       
-

       
  # Routes


     

       
48

       

       
-

       
  # https://stalw.art/docs/mta/outbound/routing


     

       
49

       

       
-

       
  route = {


     

       
50

       

       
-

       
    local.type = "local";


     

       
51

       

       
-

       
    remote = {


     

       
52

       

       
-

       
      type = "mx";


     

       
53

       

       
-

       
      ip-lookup = "ipv6_then_ipv4";


     

       
54

       

       
-

       
      tls.implicit = false;


     

       
55

       

       
-

       
      tls.allow-invalid-certs = false;


     

       
56

       

       
-

       
    };


     

       
57

       

       
-

       
  };


     

       
58

       

       
-

       
  # Strategies


     

       
59

       

       
-

       
  # https://stalw.art/docs/mta/outbound/strategy


     

       
60

       

       
-

       
  strategy = {


     

       
61

       

       
-

       
    schedule = [


     

       
62

       

       
-

       
      (ifThen "is_local_domain('', rcpt_domain)" "'local'")


     

       
63

       

       
-

       
      (ifThen "source = 'dsn'" "'admin'")


     

       
64

       

       
-

       
      (ifThen "source = 'report'" "'admin'")


     

       
65

       

       
-

       
      (ifThen "source = 'autogenerated'" "'admin'")


     

       
66

       

       
-

       
      (otherwise "'default'")


     

       
67

       

       
-

       
    ];


     

       
68

       

       
-

       
    route = [


     

       
69

       

       
-

       
      (ifThen "is_local_domain('', rcpt_domain)" "'local'")


     

       
70

       

       
-

       
      (otherwise "'remote'")


     

       
71

       

       
-

       
    ];


     

       
72

       

       
-

       
    connection = "'default'";


     

       
73

       

       
-

       
    tls = "'default'";


     

       
74

       

       
-

       
  };


     

       
75

       

       
-

       
  # Remote Connection


     

       
76

       

       
-

       
  # https://stalw.art/docs/mta/outbound/connection


     

       
77

       

       
-

       
  connection.default = {


     

       
78

       

       
-

       
    ehlo-hostname = d.extUrl;


     

       
79

       

       
-

       
    source-ips = d.extIPs;


     

       
80

       

       
-

       
    timeout = {


     

       
81

       

       
-

       
      connect = "3m";


     

       
82

       

       
-

       
      greeting = "3m";


     

       
83

       

       
-

       
      ehlo = "3m";


     

       
84

       

       
-

       
      mail-from = "3m";


     

       
85

       

       
-

       
      rcpt-to = "3m";


     

       
86

       

       
-

       
      data = "10m";


     

       
87

       

       
-

       
    };


     

       
88

       

       
-

       
  };


     

       
89

       

       
-

       
  tls.default = {


     

       
90

       

       
-

       
    dane = "optional";


     

       
91

       

       
-

       
    mta-sts = "optional";


     

       
92

       

       
-

       
    starttls = "optional";


     

       
93

       

       
-

       
    allow-invalid-certs = false;


     

       
94

       

       
-

       
    timeout.tls = "3m";


     

       
95

       

       
-

       
    timeout.mta-sts = "3m";


     

       
96

       

       
-

       
  };


     

       
97

       

       
-

       
}
-64
hosts/prefect/services/mailserver/stalwart/report.nix 
···

       
1

       

       
-

       
{ d }:


     

       
2

       

       
-

       
# Reports


     

       
3

       

       
-

       
# https://stalw.art/docs/mta/reports/overview


     

       
4

       

       
-

       
{


     

       
5

       

       
-

       
  domain = "pyrox.dev";


     

       
6

       

       
-

       
  submitter = "'${d.extUrl}'";


     

       
7

       

       
-

       
  analysis = {


     

       
8

       

       
-

       
    addresses = [


     

       
9

       

       
-

       
      "dmarc@"


     

       
10

       

       
-

       
      "reports@"


     

       
11

       

       
-

       
      "spf@"


     

       
12

       

       
-

       
      "dkim@"


     

       
13

       

       
-

       
      "abuse@"


     

       
14

       

       
-

       
    ];


     

       
15

       

       
-

       
    forward = true;


     

       
16

       

       
-

       
    store = "30d";


     

       
17

       

       
-

       
  };


     

       
18

       

       
-

       
  dsn = {


     

       
19

       

       
-

       
    from-name = "'PyroNet Mail'";


     

       
20

       

       
-

       
    from-address = "'mail@pyrox.dev'";


     

       
21

       

       
-

       
    sign = "['rsa', 'ed25519']";


     

       
22

       

       
-

       
  };


     

       
23

       

       
-

       
  dkim = {


     

       
24

       

       
-

       
    from-name = "'PyroNet Mail Reports'";


     

       
25

       

       
-

       
    from-address = "'noreply-dkim@pyrox.dev'";


     

       
26

       

       
-

       
    subject = "'DKIM Authentication Failure Report'";


     

       
27

       

       
-

       
    sign = "['rsa', 'ed25519']";


     

       
28

       

       
-

       
    send = "1/1d";


     

       
29

       

       
-

       
  };


     

       
30

       

       
-

       
  spf = {


     

       
31

       

       
-

       
    from-name = "'PyroNet Mail Reports'";


     

       
32

       

       
-

       
    from-address = "'noreply-spf@pyrox.dev'";


     

       
33

       

       
-

       
    subject = "'SPF Authentication Failure Report'";


     

       
34

       

       
-

       
    sign = "['rsa', 'ed25519']";


     

       
35

       

       
-

       
    send = "1/1d";


     

       
36

       

       
-

       
  };


     

       
37

       

       
-

       
  dmarc = {


     

       
38

       

       
-

       
    from-name = "'PyroNet Mail Reports'";


     

       
39

       

       
-

       
    from-address = "'noreply-dmarc@pyrox.dev'";


     

       
40

       

       
-

       
    subject = "'DMARC Authentication Failure Report'";


     

       
41

       

       
-

       
    sign = "['rsa', 'ed25519']";


     

       
42

       

       
-

       
    send = "1/1d";


     

       
43

       

       
-

       
    aggregate = {


     

       
44

       

       
-

       
      from-name = "'DMARC Report'";


     

       
45

       

       
-

       
      from-address = "'noreply-dmarc@pyrox.dev'";


     

       
46

       

       
-

       
      org-name = "'PyroNet Mail'";


     

       
47

       

       
-

       
      contact-info = "'pyrox@pyrox.dev'";


     

       
48

       

       
-

       
      send = "daily";


     

       
49

       

       
-

       
      # 25 MiB


     

       
50

       

       
-

       
      max-size = 26214400;


     

       
51

       

       
-

       
      sign = "['rsa', 'ed25519']";


     

       
52

       

       
-

       
    };


     

       
53

       

       
-

       
  };


     

       
54

       

       
-

       
  tls.aggregate = {


     

       
55

       

       
-

       
    from-name = "'PyroNet Mail Reports'";


     

       
56

       

       
-

       
    from-address = "'noreply-tls@pyrox.dev'";


     

       
57

       

       
-

       
    org-name = "'PyroNet Mail'";


     

       
58

       

       
-

       
    contact-info = "'pyrox@pyrox.dev'";


     

       
59

       

       
-

       
    send = "daily";


     

       
60

       

       
-

       
    # 25 MiB


     

       
61

       

       
-

       
    max-size = 26214400;


     

       
62

       

       
-

       
    sign = "['rsa', 'ed25519']";


     

       
63

       

       
-

       
  };


     

       
64

       

       
-

       
}
-69
hosts/prefect/services/mailserver/stalwart/server.nix 
···

       
1

       

       
-

       
{ d }:


     

       
2

       

       
-

       
{


     

       
3

       

       
-

       
  hostname = d.extUrl;


     

       
4

       

       
-

       
  # TLS


     

       
5

       

       
-

       
  # https://stalw.art/docs/server/tls/overview


     

       
6

       

       
-

       
  tls = {


     

       
7

       

       
-

       
    enable = true;


     

       
8

       

       
-

       
    implicit = false;


     

       
9

       

       
-

       
    ignore-client-order = true;


     

       
10

       

       
-

       
  };


     

       
11

       

       
-

       
  # Listeners


     

       
12

       

       
-

       
  # https://stalw.art/docs/server/listener


     

       
13

       

       
-

       
  listener = {


     

       
14

       

       
-

       
    smtp = {


     

       
15

       

       
-

       
      bind = [


     

       
16

       

       
-

       
        "[::]:${toString d.intSMTP}"


     

       
17

       

       
-

       
        "[::]:40025"


     

       
18

       

       
-

       
      ];


     

       
19

       

       
-

       
      protocol = "smtp";


     

       
20

       

       
-

       
      # Explicit TLS


     

       
21

       

       
-

       
      tls.implicit = false;


     

       
22

       

       
-

       
    };


     

       
23

       

       
-

       
    smtps = {


     

       
24

       

       
-

       
      bind = "[::]:${toString d.intSMTPS}";


     

       
25

       

       
-

       
      protocol = "smtp";


     

       
26

       

       
-

       
      # Implicit TLS


     

       
27

       

       
-

       
      tls.implicit = true;


     

       
28

       

       
-

       
    };


     

       
29

       

       
-

       
    imap = {


     

       
30

       

       
-

       
      bind = "[::]:${toString d.intIMAP}";


     

       
31

       

       
-

       
      protocol = "imap";


     

       
32

       

       
-

       
      # Explicit TLS


     

       
33

       

       
-

       
      tls.implicit = false;


     

       
34

       

       
-

       
    };


     

       
35

       

       
-

       
    imaps = {


     

       
36

       

       
-

       
      bind = "[::]:${toString d.intIMAPS}";


     

       
37

       

       
-

       
      protocol = "imap";


     

       
38

       

       
-

       
      # Implicit TLS


     

       
39

       

       
-

       
      tls.implicit = true;


     

       
40

       

       
-

       
    };


     

       
41

       

       
-

       
    managesieve = {


     

       
42

       

       
-

       
      bind = "[::]:${toString d.intManageSieve}";


     

       
43

       

       
-

       
      protocol = "managesieve";


     

       
44

       

       
-

       
      # Explicit TLS


     

       
45

       

       
-

       
      tls.implicit = false;


     

       
46

       

       
-

       
    };


     

       
47

       

       
-

       
    https = {


     

       
48

       

       
-

       
      bind = "[::]:${toString d.intHTTPS}";


     

       
49

       

       
-

       
      protocol = "http";


     

       
50

       

       
-

       
      # Implicit TLS


     

       
51

       

       
-

       
      tls.implicit = true;


     

       
52

       

       
-

       
    };


     

       
53

       

       
-

       
    http = {


     

       
54

       

       
-

       
      bind = "[::]:${toString d.intHTTP}";


     

       
55

       

       
-

       
      protocol = "http";


     

       
56

       

       
-

       
      # Implicit TLS


     

       
57

       

       
-

       
      tls.implicit = false;


     

       
58

       

       
-

       
    };


     

       
59

       

       
-

       
  };


     

       
60

       

       
-

       
  # Proxy Protocol from Caddy


     

       
61

       

       
-

       
  # Only accepts proxy protocol from Tailscale IP Ranges


     

       
62

       

       
-

       
  # https://tailscale.com/kb/1015/100.x-addresses


     

       
63

       

       
-

       
  # https://tailscale.com/kb/1033/ip-and-dns-addresses


     

       
64

       

       
-

       
  proxy.trusted-networks = [


     

       
65

       

       
-

       
    "fd7a:115c:a1e0::/48"


     

       
66

       

       
-

       
    "100.64.0.0/10"


     

       
67

       

       
-

       
    "127.0.0.1/8"


     

       
68

       

       
-

       
  ];


     

       
69

       

       
-

       
}
-63
hosts/prefect/services/mailserver/stalwart/session.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  isAuthenticated,


     

       
3

       

       
-

       
  otherwise,


     

       
4

       

       
-

       
  ifThen,


     

       
5

       

       
-

       
}:


     

       
6

       

       
-

       
# MTA Settings


     

       
7

       

       
-

       
# https://stalw.art/docs/mta/overview


     

       
8

       

       
-

       
{


     

       
9

       

       
-

       
  # Inbound


     

       
10

       

       
-

       
  # https://stalw.art/docs/mta/inbound/overview


     

       
11

       

       
-

       
  # # EHLO Stage


     

       
12

       

       
-

       
  # # https://stalw.art/docs/mta/inbound/ehlo


     

       
13

       

       
-

       
  ehlo = {


     

       
14

       

       
-

       
    require = true;


     

       
15

       

       
-

       
    reject-non-fqdn = [


     

       
16

       

       
-

       
      (ifThen "protocol = 'smtp'" true)


     

       
17

       

       
-

       
      (otherwise false)


     

       
18

       

       
-

       
    ];


     

       
19

       

       
-

       
  };


     

       
20

       

       
-

       
  # # RCPT Stage


     

       
21

       

       
-

       
  # # https://stalw.art/docs/mta/inbound/rcpt


     

       
22

       

       
-

       
  rcpt = {


     

       
23

       

       
-

       
    relay = [


     

       
24

       

       
-

       
      (isAuthenticated true)


     

       
25

       

       
-

       
      (otherwise false)


     

       
26

       

       
-

       
    ];


     

       
27

       

       
-

       
    subaddressing = true;


     

       
28

       

       
-

       
  };


     

       
29

       

       
-

       
  auth = {


     

       
30

       

       
-

       
    mechanisms = [


     

       
31

       

       
-

       
      (ifThen "local_port != 40025 && is_tls" "[plain, login, oauthbearer, xoauth2]")


     

       
32

       

       
-

       
      (ifThen "local_port != 40025" "[oauthbearer, xoauth2]")


     

       
33

       

       
-

       
      (otherwise false)


     

       
34

       

       
-

       
    ];


     

       
35

       

       
-

       
    directory = "'default'";


     

       
36

       

       
-

       
    require = [


     

       
37

       

       
-

       
      (ifThen "local_port != 40025" true)


     

       
38

       

       
-

       
      (otherwise false)


     

       
39

       

       
-

       
    ];


     

       
40

       

       
-

       
    must-match-sender = true;


     

       
41

       

       
-

       
  };


     

       
42

       

       
-

       
  extensions =


     

       
43

       

       
-

       
    let


     

       
44

       

       
-

       
      ifAuthed = [


     

       
45

       

       
-

       
        (isAuthenticated true)


     

       
46

       

       
-

       
        (otherwise false)


     

       
47

       

       
-

       
      ];


     

       
48

       

       
-

       
    in


     

       
49

       

       
-

       
    {


     

       
50

       

       
-

       
      pipelining = true;


     

       
51

       

       
-

       
      chunking = true;


     

       
52

       

       
-

       
      requiretls = true;


     

       
53

       

       
-

       
      no-soliciting = "";


     

       
54

       

       
-

       
      dsn = ifAuthed;


     

       
55

       

       
-

       
      deliver-by = [


     

       
56

       

       
-

       
        (isAuthenticated "15d")


     

       
57

       

       
-

       
        (otherwise false)


     

       
58

       

       
-

       
      ];


     

       
59

       

       
-

       
      mt-priority = false;


     

       
60

       

       
-

       
      vrfy = ifAuthed;


     

       
61

       

       
-

       
      expn = ifAuthed;


     

       
62

       

       
-

       
    };


     

       
63

       

       
-

       
}
-42
hosts/prefect/services/mailserver/stalwart/signature.nix 
···

       
1

       

       
-

       
{ sec }:


     

       
2

       

       
-

       
let


     

       
3

       

       
-

       
  headers = [


     

       
4

       

       
-

       
    "From"


     

       
5

       

       
-

       
    "To"


     

       
6

       

       
-

       
    "Cc"


     

       
7

       

       
-

       
    "Date"


     

       
8

       

       
-

       
    "Subject"


     

       
9

       

       
-

       
    "Message-ID"


     

       
10

       

       
-

       
    "Organization"


     

       
11

       

       
-

       
    "MIME-Version"


     

       
12

       

       
-

       
    "Content-Type"


     

       
13

       

       
-

       
    "In-Reply-To"


     

       
14

       

       
-

       
    "References"


     

       
15

       

       
-

       
    "List-Id"


     

       
16

       

       
-

       
    "User-Agent"


     

       
17

       

       
-

       
    "Thread-Topic"


     

       
18

       

       
-

       
    "Thread-Index"


     

       
19

       

       
-

       
  ];


     

       
20

       

       
-

       
in


     

       
21

       

       
-

       
{


     

       
22

       

       
-

       
  rsa = {


     

       
23

       

       
-

       
    inherit headers;


     

       
24

       

       
-

       
    private-key = "%{file:${sec.stalwart-secret-rsa.path}}%";


     

       
25

       

       
-

       
    domain = "pyrox.dev";


     

       
26

       

       
-

       
    selector = "rsa-default";


     

       
27

       

       
-

       
    algorithm = "rsa-sha256";


     

       
28

       

       
-

       
    canonicalization = "relaxed/relaxed";


     

       
29

       

       
-

       
    expire = "10d";


     

       
30

       

       
-

       
    report = true;


     

       
31

       

       
-

       
  };


     

       
32

       

       
-

       
  ed25519 = {


     

       
33

       

       
-

       
    inherit headers;


     

       
34

       

       
-

       
    private-key = "%{file:${sec.stalwart-secret-ed25519.path}}%";


     

       
35

       

       
-

       
    domain = "pyrox.dev";


     

       
36

       

       
-

       
    selector = "default";


     

       
37

       

       
-

       
    algorithm = "ed25519-sha256";


     

       
38

       

       
-

       
    canonicalization = "relaxed/relaxed";


     

       
39

       

       
-

       
    expire = "10d";


     

       
40

       

       
-

       
    report = true;


     

       
41

       

       
-

       
  };


     

       
42

       

       
-

       
}
-7
hosts/prefect/services/netdata.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  services.netdata = {


     

       
3

       

       
-

       
    enable = true;


     

       
4

       

       
-

       
    python.enable = true;


     

       
5

       

       
-

       
    enableAnalyticsReporting = false;


     

       
6

       

       
-

       
  };


     

       
7

       

       
-

       
}
-38
hosts/prefect/services/nginx/default.nix 
···

       
1

       

       
-

       
{ lib, ... }:


     

       
2

       

       
-

       
{


     

       
3

       

       
-

       
  services.nginx = {


     

       
4

       

       
-

       
    enable = true;


     

       
5

       

       
-

       
    additionalModules = [ ];


     

       
6

       

       
-

       
    recommendedOptimisation = true;


     

       
7

       

       
-

       
    recommendedTlsSettings = true;


     

       
8

       

       
-

       
    recommendedGzipSettings = true;


     

       
9

       

       
-

       
    recommendedProxySettings = true;


     

       
10

       

       
-

       
    virtualHosts = lib.mkForce { };


     

       
11

       

       
-

       
    streamConfig = ''


     

       
12

       

       
-

       
      server {


     

       
13

       

       
-

       
          listen 34197 udp;


     

       
14

       

       
-

       
          proxy_pass 100.123.15.72:34197;


     

       
15

       

       
-

       
          proxy_responses 0;


     

       
16

       

       
-

       
      }


     

       
17

       

       
-

       
    '';


     

       
18

       

       
-

       
    appendHttpConfig = ''


     

       
19

       

       
-

       
      # Add X-Frame-Options to prevent clickjacking


     

       
20

       

       
-

       
      add_header X-Frame-Options SAMEORIGIN;


     

       
21

       

       
-

       



     

       
22

       

       
-

       
      # Prevent mime type sniffing


     

       
23

       

       
-

       
      add_header X-Content-Type-Options nosniff;


     

       
24

       

       
-

       



     

       
25

       

       
-

       
      # Never send Referer header


     

       
26

       

       
-

       
      add_header Referrer-Policy no-referrer;


     

       
27

       

       
-

       



     

       
28

       

       
-

       
      # Require CORS or CORP headers for cross-origin resources


     

       
29

       

       
-

       
      add_header Cross-Origin-Embedder-Policy require-corp;


     

       
30

       

       
-

       



     

       
31

       

       
-

       
      # Keep our own Browsing Context Group


     

       
32

       

       
-

       
      add_header Cross-Origin-Opener-Policy same-origin;


     

       
33

       

       
-

       



     

       
34

       

       
-

       
      # Sites that require CORP will not load my assets


     

       
35

       

       
-

       
      add_header Cross-Origin-Resource-Policy same-origin;


     

       
36

       

       
-

       
    '';


     

       
37

       

       
-

       
  };


     

       
38

       

       
-

       
}
-1
hosts/prefect/services/nginx/pyrox.dev.nix 
···

       
1

       

       
-

       
{ }
-1
hosts/prefect/services/tailscale.nix 
···

       
6

       
6

       
 

       
  networking.firewall = {


     

       
7

       
7

       
 

       
    trustedInterfaces = [ "tailscale0" ];


     

       
8

       
8

       
 

       
    allowedUDPPorts = [ config.services.tailscale.port ];


     

       
9

       

       
-

       
    checkReversePath = "loose";


     

       
10

       
9

       
 

       
  };


     

       
11

       
10

       
 

       
}
-6
hosts/prefect/services/zerotier.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  services.zerotierone = {


     

       
3

       

       
-

       
    enable = true;


     

       
4

       

       
-

       
    joinNetworks = [ "a84ac5c10a3b1d69" ];


     

       
5

       

       
-

       
  };


     

       
6

       

       
-

       
}
-10
hosts/thought/secrets/secrets.nix 
···

       
1

       

       
-

       
let


     

       
2

       

       
-

       
  # deadnix: skip


     

       
3

       

       
-

       
  yubi-back = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTVGi3PItsbUhFgnFZlqo1iUggL4npMg94+9FsyhEPfShcQwJK2/jJzjv5S9KPuk3cY7aoqyVFLbnasSBZPXmscJmOiVNvtWvHoC3QPXvf3IAcVZ5KOLpY2NJlPx/pAb31C6ewtg8v3VlyhL4zEp6M+AGwXX51tFDh2GnYD+7SNF+aMhKCrX63syAhgPy3F8mZ2RIDLAu+lsYlwdpWRkSEv9kcjX/6+3QgUWjfPBaKEeYID22ihSuj7+AiuAt0gM4q0TY/Hpcx+qDLonrIuBnm1hMZDgbv//D0sHIUxJQkGTKTEbkZxoh0Qri7UV/V6l3mETaG40deuemMU7RFY7Khl8RajNZ+9z0FdquS/HCt8+fYQk6eLneJrMIQ1bI4awrtblG3P2Yf2QUu+H3kfCQe44R3WjUugTbNtumVgyQBzl2dzlIVn1pZBeyZy70XCgbaFKkDR8Y/qZiUoZ0afP3vTOXhkn5UBfutTKwUiSGh3S8Ge5YhNgKHWE2eQp1ckEm0IMJV/q5Nsw/yBBXj/kfD8ekz96LQ+gP5JFLq4EaipXI7FM4aZNOBUZU1l/sCEuq7m997nrBucTKqGm7Ho3rq7bgdj4f6GyUJXSMOM1cN61LLrRumZGGTH8WghVL7ligxZyNFcQoudR8jfpf4mrgRxipQOe1A2umvuufMr+l/bw==";


     

       
4

       

       
-

       
  # deadnix: skip


     

       
5

       

       
-

       
  yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746";


     

       
6

       

       
-

       
  # deadnix: skip


     

       
7

       

       
-

       
  backup = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyTiGctsHaTUlRJn2XQ/745dD0UWGWO8W0en8J5rf7BLI8lL/hPUmbNt45vC5754LXcBjnp1t/1FNgiGhvNZIWJpC+elBmhyMhg8z1exRZPD+as7XaH7scnij2vSbSphQFUqH433ggAGe77x5bc7wKFp9n7vj8G1u0JJxMEe1M7kNFY0+ShNtaHna3LxiQOVcW7qVlNKZP8Ol1V7kZLblRADCJMTYOXDIbktA8bbGRfGhbNjJGkL665qz36haYwb2i6A4sC7Y583N8ro8hIDG/ByJqwbl/Sz4rSxkT6G4+OdBvS6sa7TovNXHjmQCculMIltdog7UhgyBsim1sTzxAen3YyFRi1Cz/kLM0oH39m/W4IoMvJcNZCJ3ItLgy+lEVMd87jVOqfuq/hyjHVI0wJtU2Si2HTxv7aKL8gPzqXwbNH+nhkhlQ0ZH8zKVBunOgLDgsmGIky5X/T3bpWZpIoFkOR7AYrId/5dOeGM3pHhHb6woZ3SRubZ43Ah/VdJM=";


     

       
8

       

       
-

       
  # deadnix: skip


     

       
9

       

       
-

       
  thought = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGkJcLykggEp427h2IywoiR74Yl3N+FU6Pwx9ZFQ3vjq";


     

       
10

       

       
-

       
in


     

       
11

       
1

       
 

       
{


     

       
12

       
2

       
 

       
  imports = [ ../../common/secrets/secrets.nix ];


     

       
13

       
3

       
 

       
  # "headscale-oidc-secret.age".publicKeys = [ prefect yubi-main yubi-back ];
+3
hosts/zaphod/bootloader.nix 
···

       
16

       
16

       
 

       
    kernelPackages = pkgs.linuxPackages_latest;


     

       
17

       
17

       
 

       
    extraModulePackages = with config.boot.kernelPackages; [


     

       
18

       
18

       
 

       
      v4l2loopback


     

       

       
19

       
+

       
      framework-laptop-kmod


     

       
19

       
20

       
 

       
    ];


     

       
20

       
21

       
 

       
    kernelModules = [


     

       
21

       
22

       
 

       
      "v4l2loopback"


     

       
22

       
23

       
 

       
      "btusb"


     

       

       
24

       
+

       
      "cros_ec"


     

       

       
25

       
+

       
      "cros_ec_lpcs"


     

       
23

       
26

       
 

       
    ];


     

       
24

       
27

       
 

       
    supportedFilesystems = fileSystems;


     

       
25

       
28

       
 

       
    initrd = {
-1
hosts/zaphod/default.nix 
···

       
20

       
20

       
 

       



     

       
21

       
21

       
 

       
    # Machine-specific programs.


     

       
22

       
22

       
 

       
    ./programs/ssh.nix


     

       
23

       

       
-

       
    ./programs/sway.nix


     

       
24

       
23

       
 

       
    ./programs/zsh.nix


     

       
25

       
24

       
 

       



     

       
26

       
25

       
 

       
    # Agenix secrets
+7 -4
hosts/zaphod/hardware.nix 
···

       
14

       
14

       
 

       
      powerOnBoot = true;


     

       
15

       
15

       
 

       
    };


     

       
16

       
16

       
 

       
    gpgSmartcards.enable = true;


     

       

       
17

       
+

       
    amdgpu = {


     

       

       
18

       
+

       
      opencl.enable = false;


     

       

       
19

       
+

       
      initrd.enable = true;


     

       

       
20

       
+

       
    };


     

       
17

       
21

       
 

       
    graphics = {


     

       
18

       
22

       
 

       
      enable = true;


     

       
19

       
23

       
 

       
      extraPackages = [


     
···

       
25

       
29

       
 

       
      ];


     

       
26

       
30

       
 

       
    };


     

       
27

       
31

       
 

       
    wirelessRegulatoryDatabase = true;


     

       

       
32

       
+

       
    framework.enableKmod = false;


     

       

       
33

       
+

       
    keyboard.qmk.enable = true;


     

       

       
34

       
+

       
    keyboard.qmk.keychronSupport = true;


     

       
28

       
35

       
 

       
  };


     

       
29

       
36

       
 

       
  services.udev.packages = [


     

       
30

       
37

       
 

       
    pkgs.qmk-udev-rules


     

       
31

       
38

       
 

       
    pkgs.logitech-udev-rules


     

       
32

       
39

       
 

       
  ];


     

       
33

       

       
-

       
  hardware.amdgpu = {


     

       
34

       

       
-

       
    opencl.enable = false;


     

       
35

       

       
-

       
    initrd.enable = true;


     

       
36

       

       
-

       
  };


     

       
37

       
40

       
 

       
}
+9 -6
hosts/zaphod/misc.nix 
···

       
39

       
39

       
 

       
    "pyrox"


     

       
40

       
40

       
 

       
  ];


     

       
41

       
41

       
 

       
  # users.extraGroups.libvirtd.members = ["thehedgehog" "pyrox"];


     

       
42

       

       
-

       
  # xdg.portal.extraPortals = [


     

       
43

       

       
-

       
  #   pkgs.xdg-desktop-portal-gtk


     

       
44

       

       
-

       
  # ];


     

       
45

       

       
-

       
  xdg.portal.wlr.enable = true;


     

       
46

       
42

       
 

       
  xdg.portal.xdgOpenUsePortal = true;


     

       
47

       

       
-

       



     

       
48

       

       
-

       
  users.users.root.hashedPassword = "$6$6EtuZhVOJdfI9DYP$1Qnd7R8qdN.E5yE2kDQCNg2zgJ5cIjNBKsIW/qJgb8wcKlUpIoVg/fEKvBkAgCiLyojVG2kzfu4J9LR8rA8a2/";


     

       
49

       
43

       
 

       



     

       
50

       
44

       
 

       
  # Nix-LD


     

       
51

       
45

       
 

       
  programs.nix-ld.enable = true;


     
···

       
53

       
47

       
 

       
  programs.steam.extraPackages = [


     

       
54

       
48

       
 

       
    pkgs.pixman


     

       
55

       
49

       
 

       
  ];


     

       

       
50

       
+

       



     

       

       
51

       
+

       
  services.upower = {


     

       

       
52

       
+

       
    enable = true;


     

       

       
53

       
+

       
    percentageLow = 30;


     

       

       
54

       
+

       
    percentageCritical = 15;


     

       

       
55

       
+

       
  };


     

       

       
56

       
+

       



     

       

       
57

       
+

       
  # For caelestia screen recording


     

       

       
58

       
+

       
  programs.gpu-screen-recorder.enable = true;


     

       
56

       
59

       
 

       
}
+6 -8
hosts/zaphod/packages.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  pkgs,


     

       
3

       

       
-

       
  inputs,


     

       

       
3

       
+

       
  inputs',


     

       
4

       
4

       
 

       
  ...


     

       
5

       
5

       
 

       
}:


     

       
6

       
6

       
 

       
{


     

       
7

       
7

       
 

       
  environment.systemPackages = [


     

       
8

       

       
-

       
    inputs.agenix.packages.${pkgs.system}.default


     

       
9

       

       
-

       
    pkgs.deadnix


     

       

       
8

       
+

       
    inputs'.agenix.packages.default


     

       
10

       
9

       
 

       
    pkgs.file


     

       
11

       

       
-

       
    pkgs.gamescope


     

       
12

       
10

       
 

       
    pkgs.gnupg


     

       
13

       

       
-

       
    pkgs.goverlay


     

       
14

       
11

       
 

       
    pkgs.libappindicator


     

       
15

       
12

       
 

       
    pkgs.kdePackages.kdenlive


     

       
16

       
13

       
 

       
    pkgs.libappindicator-gtk3


     

       
17

       

       
-

       
    pkgs.mangohud


     

       
18

       

       
-

       
    pkgs.networkmanagerapplet


     

       
19

       
14

       
 

       
    pkgs.nixpkgs-track


     

       
20

       
15

       
 

       
    pkgs.pmutils


     

       
21

       
16

       
 

       
    pkgs.qbittorrent


     

       
22

       

       
-

       
    pkgs.scrcpy


     

       
23

       
17

       
 

       
    pkgs.steam-run


     

       

       
18

       
+

       
    # Tools for working with Framework computers


     

       

       
19

       
+

       
    pkgs.framework-tool-tui


     

       

       
20

       
+

       
    pkgs.fw-ectool


     

       

       
21

       
+

       
    pkgs.framework-tool


     

       
24

       
22

       
 

       
  ];


     

       
25

       
23

       
 

       
}
-7
hosts/zaphod/programs/sway.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  programs.sway = {


     

       
3

       

       
-

       
    enable = false;


     

       
4

       

       
-

       
    wrapperFeatures.base = true;


     

       
5

       

       
-

       
    wrapperFeatures.gtk = true;


     

       
6

       

       
-

       
  };


     

       
7

       

       
-

       
}
+1 -1
hosts/zaphod/services/fprintd.nix 
···

       
1

       
1

       
 

       
{ pkgs, ... }:


     

       
2

       
2

       
 

       
{


     

       
3

       
3

       
 

       
  services.fprintd = {


     

       
4

       

       
-

       
    enable = true;


     

       

       
4

       
+

       
    enable = false;


     

       
5

       
5

       
 

       
    tod.enable = false;


     

       
6

       
6

       
 

       
    tod.driver = pkgs.libfprint-2-tod1-goodix;


     

       
7

       
7

       
 

       
  };
+9 -3
hosts/zaphod/services/misc.nix 
···

       
1

       
1

       
 

       
{ config, lib, ... }:


     

       
2

       
2

       
 

       
{


     

       
3

       
3

       
 

       
  services = {


     

       
4

       

       
-

       
    blueman.enable = true;


     

       

       
4

       
+

       
    blueman.enable = false;


     

       
5

       
5

       
 

       
    fstrim.enable = lib.mkDefault true;


     

       
6

       
6

       
 

       
    tlp.enable = lib.mkDefault (


     

       
7

       

       
-

       
      (lib.versionOlder (lib.versions.majorMinor lib.version) "21.05")


     

       
8

       

       
-

       
      || !config.services.power-profiles-daemon.enable


     

       

       
7

       
+

       
      (lib.versionOlder (lib.versions.majorMinor lib.version) "21.05") || !config.services.power-profiles-daemon.enable


     

       
9

       
8

       
 

       
    );


     

       
10

       
9

       
 

       
    libinput.enable = lib.mkDefault true;


     

       

       
10

       
+

       
    logind.settings.Login = {


     

       

       
11

       
+

       
      HandlePowerKey = "ignore";


     

       

       
12

       
+

       
      HandlePowerKeyLongPress = "ignore";


     

       

       
13

       
+

       
      HandleLidSwitch = "ignore";


     

       

       
14

       
+

       
      HandleLidSwitchExternalPower = "ignore";


     

       

       
15

       
+

       
      HandleLidSwitchDocked = "ignore";


     

       

       
16

       
+

       
    };


     

       
11

       
17

       
 

       
  };


     

       
12

       
18

       
 

       
}
img.png

This is a binary file and will not be displayed.

+7
lib/data/services.toml 
···

       
5

       
5

       
 

       
# anubis: What port the anubis service for this domain will use, int


     

       
6

       
6

       
 

       
# tsHost: (optional) What Tailscale host this service will run on, for services only available via Tailscale.


     

       
7

       
7

       
 

       
# # Should only be set if this is available externally, if at all, since TS-only services aren't able to be scraped.


     

       

       
8

       
+

       
# Current lowest unassigned port: 6938


     

       
8

       
9

       
 

       
[authentik]


     

       
9

       
10

       
 

       
port = 6908


     

       
10

       
11

       
 

       
host = "marvin"


     
···

       
43

       
44

       
 

       
port = 6923


     

       
44

       
45

       
 

       
host = "marvin"


     

       
45

       
46

       
 

       
extUrl = "soc.pyrox.dev"


     

       

       
47

       
+

       



     

       

       
48

       
+

       
[immich]


     

       

       
49

       
+

       
port = 6936


     

       

       
50

       
+

       
host = "marvin"


     

       

       
51

       
+

       
extUrl = "img.pyrox.dev"


     

       

       
52

       
+

       
pubProxy = 6937


     

       
46

       
53

       
 

       



     

       
47

       
54

       
 

       
[jellyfin]


     

       
48

       
55

       
 

       
port = 8096
+1 -4
lib/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  ...


     

       
3

       

       
-

       
}:


     

       
4

       

       
-

       
{


     

       

       
1

       
+

       
_: {


     

       
5

       
2

       
 

       
  flake = {


     

       
6

       
3

       
 

       
    lib.data = import ./data;


     

       
7

       
4

       
 

       
  };
+1 -1
lib/deploy/default.nix 
···

       
8

       
8

       
 

       
let


     

       
9

       
9

       
 

       
  inherit (inputs) deploy-rs;


     

       
10

       
10

       
 

       
in


     

       
11

       

       
-

       
rec {


     

       

       
11

       
+

       
{


     

       
12

       
12

       
 

       
  ## Create deployment configuration for use with deploy-rs.


     

       
13

       
13

       
 

       
  ##


     

       
14

       
14

       
 

       
  ## ```nix
+3
nixosModules/default-config/bootloader.nix 
···

       
67

       
67

       
 

       
      # Should hardon and improve performance


     

       
68

       
68

       
 

       
      "page_alloc.shuffle=1"


     

       
69

       
69

       
 

       
    ];


     

       

       
70

       
+

       
    # Don't use either of these so disable them


     

       

       
71

       
+

       
    kexec.enable = false;


     

       

       
72

       
+

       
    bcache.enable = false;


     

       
70

       
73

       
 

       
  };


     

       
71

       
74

       
 

       
}
+5 -2
nixosModules/default-config/default.nix 
···

       
13

       
13

       
 

       
    ./ssh.nix


     

       
14

       
14

       
 

       
    ./users.nix


     

       
15

       
15

       
 

       
  ];


     

       
16

       

       
-

       
  system.stateVersion = "25.05";


     

       
17

       

       
-

       
  system.disableInstallerTools = true;


     

       

       
16

       
+

       
  system = {


     

       

       
17

       
+

       
    stateVersion = "26.05";


     

       

       
18

       
+

       
    disableInstallerTools = true;


     

       

       
19

       
+

       
    tools.nixos-rebuild.enable = true;


     

       

       
20

       
+

       
  };


     

       
18

       
21

       
 

       
  catppuccin = {


     

       
19

       
22

       
 

       
    flavor = "mocha";


     

       
20

       
23

       
 

       
    accent = "mauve";
+2 -6
nixosModules/default-config/nixConfig.nix 
···

       
15

       
15

       
 

       
{


     

       
16

       
16

       
 

       
  nix = {


     

       
17

       
17

       
 

       
    enable = true;


     

       
18

       

       
-

       
    # We use `nh.clean` instead, so this is disabled


     

       
19

       

       
-

       
    gc.automatic = false;


     

       

       
18

       
+

       
    gc.automatic = true;


     

       
20

       
19

       
 

       
    registry = lib.mapAttrs (_: v: { flake = v; }) flakeInputs;


     

       
21

       
20

       
 

       
    settings = {


     

       
22

       
21

       
 

       
      # Don't auto-accept flake-defined nix settings, they're a CVE waiting to happen.


     
···

       
58

       
57

       
 

       
      keep-going = true;


     

       
59

       
58

       
 

       
      # More direnv gc root stuff


     

       
60

       
59

       
 

       
      keep-outputs = true;


     

       
61

       

       
-

       
      # Show fewer log lines from failed builds since I get them from nh


     

       
62

       

       
-

       
      log-lines = 10;


     

       

       
60

       
+

       
      log-lines = 20;


     

       
63

       
61

       
 

       
      # Limit the max amount of builds


     

       
64

       
62

       
 

       
      max-jobs = lib.mkDefault 4;


     

       
65

       
63

       
 

       
      # Extra system features


     
···

       
72

       
70

       
 

       
      trusted-public-keys = [


     

       
73

       
71

       
 

       
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="


     

       
74

       
72

       
 

       
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="


     

       
75

       

       
-

       
        "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="


     

       
76

       
73

       
 

       
      ];


     

       
77

       
74

       
 

       
      # Extra substituters


     

       
78

       
75

       
 

       
      trusted-substituters = [


     

       
79

       
76

       
 

       
        "https://cache.nixos.org"


     

       
80

       
77

       
 

       
        "https://nix-community.cachix.org"


     

       
81

       

       
-

       
        "https://install.determinate.systems"


     

       
82

       
78

       
 

       
      ];


     

       
83

       
79

       
 

       
      # These users have additional daemon rights


     

       
84

       
80

       
 

       
      trusted-users = userList;
+2
nixosModules/default-config/nixpkgsConfig.nix 
···

       
6

       
6

       
 

       
  nixpkgs = {


     

       
7

       
7

       
 

       
    overlays = [


     

       
8

       
8

       
 

       
      inputs.self.overlays.openssh-fixperms


     

       

       
9

       
+

       
      inputs.self.overlays.hy3-fixes


     

       
9

       
10

       
 

       
      inputs.golink.overlays.default


     

       

       
11

       
+

       
      inputs.quickshell.overlays.default


     

       
10

       
12

       
 

       
    ];


     

       
11

       
13

       
 

       
    config = {


     

       
12

       
14

       
 

       
      allowUnfree = true;
-1
nixosModules/default-config/programs/default.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  imports = [


     

       
3

       
3

       
 

       
    ./ssh.nix


     

       
4

       

       
-

       
    ./nh.nix


     

       
5

       
4

       
 

       
  ];


     

       
6

       
5

       
 

       
  programs.fish.enable = true;


     

       
7

       
6

       
 

       
}
-8
nixosModules/default-config/programs/nh.nix 
···

       
1

       

       
-

       
{ pkgs, ... }:


     

       
2

       

       
-

       
{


     

       
3

       

       
-

       
  programs.nh = {


     

       
4

       

       
-

       
    enable = true;


     

       
5

       

       
-

       
    clean.enable = true;


     

       
6

       

       
-

       
    clean.extraArgs = "-k 5";


     

       
7

       

       
-

       
  };


     

       
8

       

       
-

       
}
+8 -5
nixosModules/default-config/security.nix 
···

       
1

       

       
-

       
{ pkgs, ... }:


     

       

       
1

       
+

       
{ pkgs, lib, ... }:


     

       

       
2

       
+

       
let


     

       

       
3

       
+

       
  inherit (lib) mkDefault;


     

       

       
4

       
+

       
in


     

       
2

       
5

       
 

       
{


     

       
3

       
6

       
 

       
  # Everything should use doas instead of sudo


     

       
4

       
7

       
 

       
  # Sudo is kept enabled for tools that ~can't~ won't use doas.


     
···

       
12

       
15

       
 

       



     

       
13

       
16

       
 

       
    # TPM configuration


     

       
14

       
17

       
 

       
    tpm2 = {


     

       
15

       

       
-

       
      enable = true;


     

       
16

       

       
-

       
      abrmd.enable = true;


     

       
17

       

       
-

       
      applyUdevRules = true;


     

       
18

       

       
-

       
      pkcs11.enable = false;


     

       

       
18

       
+

       
      enable = mkDefault true;


     

       

       
19

       
+

       
      abrmd.enable = mkDefault true;


     

       

       
20

       
+

       
      applyUdevRules = mkDefault true;


     

       

       
21

       
+

       
      pkcs11.enable = mkDefault false;


     

       
19

       
22

       
 

       
    };


     

       
20

       
23

       
 

       



     

       
21

       
24

       
 

       
    # Set up extra certificates for DN42 specifically
+6
nixosModules/default-config/services/default.nix 
···

       
3

       
3

       
 

       
    ./ntp.nix


     

       
4

       
4

       
 

       
    ./tailscale.nix


     

       
5

       
5

       
 

       
  ];


     

       

       
6

       
+

       
  services = {


     

       

       
7

       
+

       
    # Perlless user management


     

       

       
8

       
+

       
    userborn = {


     

       

       
9

       
+

       
      enable = true;


     

       

       
10

       
+

       
    };


     

       

       
11

       
+

       
  };


     

       
6

       
12

       
 

       
}
+2 -2
nixosModules/default-users/default.nix 
···

       
28

       
28

       
 

       
        "wireshark"


     

       
29

       
29

       
 

       
        "input"


     

       
30

       
30

       
 

       
      ];


     

       
31

       

       
-

       
      hashedPassword = "$6$6EtuZhVOJdfI9DYP$1Qnd7R8qdN.E5yE2kDQCNg2zgJ5cIjNBKsIW/qJgb8wcKlUpIoVg/fEKvBkAgCiLyojVG2kzfu4J9LR8rA8a2/";


     

       

       
31

       
+

       
      hashedPassword = "$y$j9T$Lwu/kwfIYVH6ApPNFv5TL.$xXtWoVxOKDW0xQtw7yf2JGWP3JI6r9WIqV19W0/zrg5";


     

       
32

       
32

       
 

       
      shell = pkgs.fish;


     

       
33

       
33

       
 

       
      openssh = {


     

       
34

       
34

       
 

       
        authorizedKeys = {


     
···

       
54

       
54

       
 

       
        "wireshark"


     

       
55

       
55

       
 

       
        "input"


     

       
56

       
56

       
 

       
      ];


     

       
57

       

       
-

       
      hashedPassword = "$6$6EtuZhVOJdfI9DYP$1Qnd7R8qdN.E5yE2kDQCNg2zgJ5cIjNBKsIW/qJgb8wcKlUpIoVg/fEKvBkAgCiLyojVG2kzfu4J9LR8rA8a2/";


     

       

       
57

       
+

       
      hashedPassword = "$y$j9T$Lwu/kwfIYVH6ApPNFv5TL.$xXtWoVxOKDW0xQtw7yf2JGWP3JI6r9WIqV19W0/zrg5";


     

       
58

       
58

       
 

       
      shell = pkgs.fish;


     

       
59

       
59

       
 

       
      openssh = {


     

       
60

       
60

       
 

       
        authorizedKeys = {
+3 -4
nixosModules/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  ...


     

       
3

       

       
-

       
}:


     

       
4

       

       
-

       
{


     

       

       
1

       
+

       
_: {


     

       
5

       
2

       
 

       
  flake.nixosModules = {


     

       
6

       
3

       
 

       
    # Top-level


     

       
7

       
4

       
 

       
    defaultConfig = import ./default-config;


     

       
8

       
5

       
 

       
    defaultUsers = import ./default-users;


     

       
9

       
6

       
 

       
    profiles = import ./profiles;


     

       

       
7

       
+

       



     

       

       
8

       
+

       
    dn42Wireguard = import ./dn42Wireguard;


     

       
10

       
9

       
 

       



     

       
11

       
10

       
 

       
    # Programs


     

       
12

       
11

       
 

       
    chromium = import ./programs/chromium;
+125
nixosModules/dn42Wireguard/default.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  config,


     

       

       
3

       
+

       
  lib,


     

       

       
4

       
+

       
  pkgs,


     

       

       
5

       
+

       
  ...


     

       

       
6

       
+

       
}:


     

       

       
7

       
+

       
let


     

       

       
8

       
+

       
  inherit (lib) types;


     

       

       
9

       
+

       
  cfg = config.networking.dn42.wg;


     

       

       
10

       
+

       



     

       

       
11

       
+

       
  tunnelDef = {


     

       

       
12

       
+

       
    options = {


     

       

       
13

       
+

       
      enable = lib.mkOption {


     

       

       
14

       
+

       
        description = "Whether to enable this wireguard tunnel";


     

       

       
15

       
+

       
        type = types.bool;


     

       

       
16

       
+

       
        default = true;


     

       

       
17

       
+

       
        example = false;


     

       

       
18

       
+

       
      };


     

       

       
19

       
+

       
      listenPort = lib.mkOption {


     

       

       
20

       
+

       
        description = "The port this tunnel listens on";


     

       

       
21

       
+

       
        type = types.port;


     

       

       
22

       
+

       
        example = 42000;


     

       

       
23

       
+

       
      };


     

       

       
24

       
+

       
      privateKeyFile = lib.mkOption {


     

       

       
25

       
+

       
        description = "Path to the tunnel's private key";


     

       

       
26

       
+

       
        type = types.nullOr types.path;


     

       

       
27

       
+

       
        example = "/path/to/private/key";


     

       

       
28

       
+

       
        default = null;


     

       

       
29

       
+

       
      };


     

       

       
30

       
+

       
      peerPubKey = lib.mkOption {


     

       

       
31

       
+

       
        description = "Public key of the peer you're connecting to";


     

       

       
32

       
+

       
        type = types.str;


     

       

       
33

       
+

       
        example = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";


     

       

       
34

       
+

       
      };


     

       

       
35

       
+

       
      peerEndpoint = lib.mkOption {


     

       

       
36

       
+

       
        description = "The endpoint of the peer you're connecting to";


     

       

       
37

       
+

       
        type = types.str;


     

       

       
38

       
+

       
        example = "example.com:42000";


     

       

       
39

       
+

       
      };


     

       

       
40

       
+

       
      peerAddrs = {


     

       

       
41

       
+

       
        v4 = lib.mkOption {


     

       

       
42

       
+

       
          description = "The peer IPv4 address to connect to in the tunnel";


     

       

       
43

       
+

       
          type = types.nullOr types.str;


     

       

       
44

       
+

       
          example = "192.168.1.1";


     

       

       
45

       
+

       
          default = null;


     

       

       
46

       
+

       
        };


     

       

       
47

       
+

       
        v6 = lib.mkOption {


     

       

       
48

       
+

       
          description = "The peer IPv6 address to connect to in the tunnel";


     

       

       
49

       
+

       
          type = types.nullOr types.str;


     

       

       
50

       
+

       
          example = "fe80::42";


     

       

       
51

       
+

       
          default = null;


     

       

       
52

       
+

       
        };


     

       

       
53

       
+

       
      };


     

       

       
54

       
+

       
      localAddrs = {


     

       

       
55

       
+

       
        v4 = lib.mkOption {


     

       

       
56

       
+

       
          description = "The local IPv4 address to listen on in the tunnel";


     

       

       
57

       
+

       
          type = types.nullOr types.str;


     

       

       
58

       
+

       
          example = "192.168.1.1";


     

       

       
59

       
+

       
          default = null;


     

       

       
60

       
+

       
        };


     

       

       
61

       
+

       
        v6 = lib.mkOption {


     

       

       
62

       
+

       
          description = "The local IPv6 address to listen on in the tunnel";


     

       

       
63

       
+

       
          type = types.nullOr types.str;


     

       

       
64

       
+

       
          example = "fe80::42";


     

       

       
65

       
+

       
          default = null;


     

       

       
66

       
+

       
        };


     

       

       
67

       
+

       
      };


     

       

       
68

       
+

       
    };


     

       

       
69

       
+

       
  };


     

       

       
70

       
+

       
in


     

       

       
71

       
+

       
{


     

       

       
72

       
+

       
  options.networking.dn42.wg = {


     

       

       
73

       
+

       
    tunnelDefaults = lib.mkOption {


     

       

       
74

       
+

       
      description = "The default settings to apply to all tunnels";


     

       

       
75

       
+

       
      type = types.submodule tunnelDef;


     

       

       
76

       
+

       
    };


     

       

       
77

       
+

       
    tunnels = lib.mkOption {


     

       

       
78

       
+

       
      description = "DN42 WireGuard tunnels configuration";


     

       

       
79

       
+

       
      type = types.attrsOf (types.submodule tunnelDef);


     

       

       
80

       
+

       
    };


     

       

       
81

       
+

       
  };


     

       

       
82

       
+

       
  config.networking = {


     

       

       
83

       
+

       
    wireguard.interfaces = lib.mapAttrs' (


     

       

       
84

       
+

       
      name: value:


     

       

       
85

       
+

       
      let


     

       

       
86

       
+

       
        # Merge defaults with tunnel config, right side has priority


     

       

       
87

       
+

       
        # so tunnel config overrides defaults


     

       

       
88

       
+

       
        fc = cfg.tunnelDefaults // (lib.filterAttrs (_: v: v != null) value);


     

       

       
89

       
+

       
      in


     

       

       
90

       
+

       
      lib.nameValuePair "wg42_${name}" {


     

       

       
91

       
+

       
        inherit (fc) listenPort privateKeyFile;


     

       

       
92

       
+

       
        allowedIPsAsRoutes = false;


     

       

       
93

       
+

       
        peers = [


     

       

       
94

       
+

       
          {


     

       

       
95

       
+

       
            endpoint = fc.peerEndpoint;


     

       

       
96

       
+

       
            publicKey = fc.peerPubKey;


     

       

       
97

       
+

       
            allowedIPs = [


     

       

       
98

       
+

       
              "0.0.0.0/0"


     

       

       
99

       
+

       
              "::/0"


     

       

       
100

       
+

       
            ];


     

       

       
101

       
+

       
            dynamicEndpointRefreshSeconds = 5;


     

       

       
102

       
+

       
            persistentKeepalive = 15;


     

       

       
103

       
+

       
          }


     

       

       
104

       
+

       
        ];


     

       

       
105

       
+

       
        postSetup = ''


     

       

       
106

       
+

       
          ${lib.optionalString (


     

       

       
107

       
+

       
            fc.peerAddrs.v4 != null && fc.localAddrs.v4 != null


     

       

       
108

       
+

       
          ) "${pkgs.iproute2}/bin/ip addr add ${fc.localAddrs.v4} peer ${fc.peerAddrs.v4} dev wg42_${name}"}


     

       

       
109

       
+

       
          ${lib.optionalString (


     

       

       
110

       
+

       
            fc.peerAddrs.v6 != null && fc.localAddrs.v6 != null


     

       

       
111

       
+

       
          ) "${pkgs.iproute2}/bin/ip addr add ${fc.localAddrs.v6} peer ${fc.peerAddrs.v6} dev wg42_${name}"}


     

       

       
112

       
+

       
        '';


     

       

       
113

       
+

       
      }


     

       

       
114

       
+

       
    ) (lib.filterAttrs (_: v: v.enable) cfg.tunnels);


     

       

       
115

       
+

       
    firewall = {


     

       

       
116

       
+

       
      trustedInterfaces = lib.mapAttrsToList (name: _: "wg42_" + name) (lib.filterAttrs (_: v: v.enable) cfg.tunnels);


     

       

       
117

       
+

       
      checkReversePath = false;


     

       

       
118

       
+

       
      extraInputRules = ''


     

       

       
119

       
+

       
        ip saddr 172.20.0.0/14 accept


     

       

       
120

       
+

       
        ip6 saddr fd00::/8 accept


     

       

       
121

       
+

       
        ip6 saddr fe80::/64 accept


     

       

       
122

       
+

       
      '';


     

       

       
123

       
+

       
    };


     

       

       
124

       
+

       
  };


     

       

       
125

       
+

       
}
+1 -1
nixosModules/homes/pyrox/default.nix 
···

       
9

       
9

       
 

       
      inputs.self.homeModules.allModules


     

       
10

       
10

       
 

       
      {


     

       
11

       
11

       
 

       
        home.username = "pyrox";


     

       
12

       

       
-

       
        home.stateVersion = "25.11";


     

       

       
12

       
+

       
        home.stateVersion = "26.05";


     

       
13

       
13

       
 

       
        py.profiles.server.enable = lib.mkDefault true;


     

       
14

       
14

       
 

       
        py.profiles.desktop.enable = lib.mkDefault false;


     

       
15

       
15

       
 

       
      }
-36
nixosModules/homes/pyrox-zaphod/default.nix 
···

       
12

       
12

       
 

       
      pkgs.mindustry


     

       
13

       
13

       
 

       
    ];


     

       
14

       
14

       
 

       
    py.profiles.desktop.enable = true;


     

       
15

       

       
-

       
    py.services.kanshi.settings = [


     

       
16

       

       
-

       
      {


     

       
17

       

       
-

       
        profile = {


     

       
18

       

       
-

       
          name = "laptop-only";


     

       
19

       

       
-

       
          outputs = [


     

       
20

       

       
-

       
            {


     

       
21

       

       
-

       
              criteria = "eDP-1";


     

       
22

       

       
-

       
              status = "enable";


     

       
23

       

       
-

       
              scale = 1.2;


     

       
24

       

       
-

       
              position = "0,0";


     

       
25

       

       
-

       
              adaptiveSync = true;


     

       
26

       

       
-

       
            }


     

       
27

       

       
-

       
          ];


     

       
28

       

       
-

       
        };


     

       
29

       

       
-

       
      }


     

       
30

       

       
-

       
      {


     

       
31

       

       
-

       
        profile = {


     

       
32

       

       
-

       
          name = "office";


     

       
33

       

       
-

       
          outputs = [


     

       
34

       

       
-

       
            {


     

       
35

       

       
-

       
              criteria = "eDP-1";


     

       
36

       

       
-

       
              status = "enable";


     

       
37

       

       
-

       
              scale = 1.2;


     

       
38

       

       
-

       
              position = "0,0";


     

       
39

       

       
-

       
              adaptiveSync = true;


     

       
40

       

       
-

       
            }


     

       
41

       

       
-

       
            {


     

       
42

       

       
-

       
              criteria = "Acer Technologies SA241Y 0x1497CF17";


     

       
43

       

       
-

       
              status = "enable";


     

       
44

       

       
-

       
              scale = 1.0;


     

       
45

       

       
-

       
              position = "2160,0";


     

       
46

       

       
-

       
            }


     

       
47

       

       
-

       
          ];


     

       
48

       

       
-

       
        };


     

       
49

       

       
-

       
      }


     

       
50

       

       
-

       
    ];


     

       
51

       
15

       
 

       
  };


     

       
52

       
16

       
 

       
}
+1 -1
nixosModules/homes/thehedgehog/default.nix 
···

       
9

       
9

       
 

       
      inputs.self.homeModules.allModules


     

       
10

       
10

       
 

       
      {


     

       
11

       
11

       
 

       
        home.username = "thehedgehog";


     

       
12

       

       
-

       
        home.stateVersion = "25.11";


     

       

       
12

       
+

       
        home.stateVersion = "26.05";


     

       
13

       
13

       
 

       
        py.profiles.server.enable = lib.mkDefault true;


     

       
14

       
14

       
 

       
        py.profiles.desktop.enable = lib.mkDefault false;


     

       
15

       
15

       
 

       
      }
+18 -49
nixosModules/homes/thehedgehog-zaphod/default.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       
2

       
 

       
  pkgs,


     

       
3

       

       
-

       
  config,


     

       

       
3

       
+

       
  lib,


     

       

       
4

       
+

       
  inputs,


     

       

       
5

       
+

       
  self',


     

       
4

       
6

       
 

       
  ...


     

       
5

       
7

       
 

       
}:


     

       
6

       
8

       
 

       
let


     

       
7

       

       
-

       
  hmConfig = config.home-manager.users.thehedgehog;


     

       

       
9

       
+

       
  shell = "caelestia";


     

       
8

       
10

       
 

       
in


     

       
9

       
11

       
 

       
{


     

       
10

       
12

       
 

       
  home-manager.users.thehedgehog = {


     

       
11

       
13

       
 

       
    home.packages = [


     

       
12

       
14

       
 

       
      pkgs.mindustry


     

       
13

       
15

       
 

       
      pkgs.signal-desktop


     

       

       
16

       
+

       
      self'.packages.glide-browser-bin


     

       
14

       
17

       
 

       
    ];


     

       
15

       

       
-

       
    services.wpaperd = {


     

       

       
18

       
+

       
    home.sessionVariables = {


     

       

       
19

       
+

       
      QT_QPA_PLATFORM = "wayland;xcb";


     

       

       
20

       
+

       
      GDK_BACKEND = "wayland,x11,*";


     

       

       
21

       
+

       
      NIXOS_OZONE_WL = "1";


     

       

       
22

       
+

       
    };


     

       

       
23

       
+

       
    py.profiles.desktop = {


     

       

       
24

       
+

       
      inherit shell;


     

       
16

       
25

       
 

       
      enable = true;


     

       
17

       

       
-

       
      settings = {


     

       
18

       

       
-

       
        default = {


     

       
19

       

       
-

       
          path = "${hmConfig.home.homeDirectory}/bgs/wallpapers";


     

       
20

       

       
-

       
          duration = "3h";


     

       
21

       

       
-

       
          sorting = "random";


     

       
22

       

       
-

       
          queue-size = 50;


     

       
23

       

       
-

       
          recursive = true;


     

       
24

       

       
-

       
        };


     

       
25

       

       
-

       
      };


     

       

       
26

       
+

       
    };


     

       

       
27

       
+

       
    programs.dankMaterialShell.plugins = lib.mkIf (shell == "dms") {


     

       

       
28

       
+

       
      dms-wallpaper-shuffler.src = inputs.dms-wp-shuffler;


     

       

       
29

       
+

       
      dms-power-usage.src = inputs.dms-power-usage;


     

       

       
30

       
+

       
      DankPomodoroTimer.src = "${inputs.dms-plugins}/DankPomodoroTimer";


     

       

       
31

       
+

       
      DankBatteryAlerts.src = "${inputs.dms-plugins}/DankBatteryAlerts";


     

       
26

       
32

       
 

       
    };


     

       
27

       

       
-

       
    py.profiles.desktop.enable = true;


     

       
28

       

       
-

       
    py.services.kanshi.settings = [


     

       
29

       

       
-

       
      {


     

       
30

       

       
-

       
        profile = {


     

       
31

       

       
-

       
          name = "laptop-only";


     

       
32

       

       
-

       
          outputs = [


     

       
33

       

       
-

       
            {


     

       
34

       

       
-

       
              criteria = "eDP-1";


     

       
35

       

       
-

       
              status = "enable";


     

       
36

       

       
-

       
              scale = 1.2;


     

       
37

       

       
-

       
              position = "0,0";


     

       
38

       

       
-

       
              adaptiveSync = true;


     

       
39

       

       
-

       
            }


     

       
40

       

       
-

       
          ];


     

       
41

       

       
-

       
        };


     

       
42

       

       
-

       
      }


     

       
43

       

       
-

       
      {


     

       
44

       

       
-

       
        profile = {


     

       
45

       

       
-

       
          name = "office";


     

       
46

       

       
-

       
          outputs = [


     

       
47

       

       
-

       
            {


     

       
48

       

       
-

       
              criteria = "eDP-1";


     

       
49

       

       
-

       
              status = "enable";


     

       
50

       

       
-

       
              scale = 1.2;


     

       
51

       

       
-

       
              position = "0,0";


     

       
52

       

       
-

       
              adaptiveSync = true;


     

       
53

       

       
-

       
            }


     

       
54

       

       
-

       
            {


     

       
55

       

       
-

       
              criteria = "Acer Technologies SA241Y 0x1497CF17";


     

       
56

       

       
-

       
              status = "enable";


     

       
57

       

       
-

       
              scale = 1.0;


     

       
58

       

       
-

       
              position = "2160,0";


     

       
59

       

       
-

       
            }


     

       
60

       

       
-

       
          ];


     

       
61

       

       
-

       
        };


     

       
62

       

       
-

       
      }


     

       
63

       

       
-

       
    ];


     

       
64

       
33

       
 

       
  };


     

       
65

       
34

       
 

       
}
-2
nixosModules/programs/firefox/extensions.nix 
···

       
32

       
32

       
 

       
  "{30280527-c46c-4e03-bb16-2e3ed94fa57c}" = mkAMO "protondb-for-steam";


     

       
33

       
33

       
 

       
  "redirector@einaregilsson.com" = mkAMO "redirector";


     

       
34

       
34

       
 

       
  "{a4c4eda4-fb84-4a84-b4a1-f7c1cbf2a1ad}" = mkAMO "refined-github-";


     

       
35

       

       
-

       
  "{762f9885-5a13-4abd-9c77-433dcd38b8fd}" = mkAMO "return-youtube-dislikes";


     

       
36

       

       
-

       
  "{48748554-4c01-49e8-94af-79662bf34d50}" = mkAMO "privacy-pass";


     

       
37

       
35

       
 

       
  "sponsorBlocker@ajay.app" = mkAMO "sponsorblock";


     

       
38

       
36

       
 

       
  "firefox-extension@steamdb.info" = mkAMO "steam-database";


     

       
39

       
37

       
 

       
  "{7a7a4a92-a2a0-41d1-9fd7-1e92480d612d}" = mkAMO "styl-us" // {
-1
nixosModules/programs/hyprland/default.nix 
···

       
15

       
15

       
 

       
      enable = true;


     

       
16

       
16

       
 

       
      xwayland.enable = true;


     

       
17

       
17

       
 

       
    };


     

       
18

       

       
-

       
    programs.hyprlock.enable = cfg.enable;


     

       
19

       
18

       
 

       
  };


     

       
20

       
19

       
 

       
}
+29 -11
nixosModules/programs/misc/default.nix 
···

       
1

       

       
-

       
{ config, lib, ... }:


     

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  config,


     

       

       
3

       
+

       
  lib,


     

       

       
4

       
+

       
  pkgs,


     

       

       
5

       
+

       
  ...


     

       

       
6

       
+

       
}:


     

       
2

       
7

       
 

       
let


     

       
3

       
8

       
 

       
  cfg = config.py.programs;


     

       
4

       
9

       
 

       
  inherit (lib) mkEnableOption mkIf;


     
···

       
13

       
18

       
 

       
    steam.enable = mkEnableOption "Steam";


     

       
14

       
19

       
 

       
    wireshark.enable = mkEnableOption "Wireshark";


     

       
15

       
20

       
 

       
  };


     

       
16

       

       
-

       
  config.programs = {


     

       
17

       

       
-

       
    appimage = mkIf cfg.appimage.enable {


     

       
18

       

       
-

       
      enable = true;


     

       
19

       

       
-

       
      binfmt = true;


     

       

       
21

       
+

       
  config = {


     

       

       
22

       
+

       
    programs = {


     

       

       
23

       
+

       
      appimage = mkIf cfg.appimage.enable {


     

       

       
24

       
+

       
        enable = true;


     

       

       
25

       
+

       
        binfmt = true;


     

       

       
26

       
+

       
      };


     

       

       
27

       
+

       
      dconf.enable = mkIf cfg.dconf.enable true;


     

       

       
28

       
+

       
      fish.enable = mkIf cfg.fish.enable true;


     

       

       
29

       
+

       
      less.enable = mkIf cfg.less.enable true;


     

       

       
30

       
+

       
      noisetorch.enable = mkIf cfg.noisetorch.enable true;


     

       

       
31

       
+

       
      steam = mkIf cfg.steam.enable {


     

       

       
32

       
+

       
        enable = true;


     

       

       
33

       
+

       
        protontricks.enable = true;


     

       

       
34

       
+

       
        gamescopeSession.enable = true;


     

       

       
35

       
+

       
        extraCompatPackages = with pkgs; [


     

       

       
36

       
+

       
          steamtinkerlaunch


     

       

       
37

       
+

       
        ];


     

       

       
38

       
+

       
      };


     

       

       
39

       
+

       
      wireshark.enable = mkIf cfg.wireshark.enable true;


     

       
20

       
40

       
 

       
    };


     

       
21

       

       
-

       
    dconf.enable = mkIf cfg.dconf.enable true;


     

       
22

       

       
-

       
    fish.enable = mkIf cfg.fish.enable true;


     

       
23

       

       
-

       
    less.enable = mkIf cfg.less.enable true;


     

       
24

       

       
-

       
    noisetorch.enable = mkIf cfg.noisetorch.enable true;


     

       
25

       

       
-

       
    steam.enable = mkIf cfg.steam.enable true;


     

       
26

       

       
-

       
    wireshark.enable = mkIf cfg.wireshark.enable true;


     

       

       
41

       
+

       
    environment.systemPackages = lib.optionals cfg.steam.enable [


     

       

       
42

       
+

       
      pkgs.steamtinkerlaunch


     

       

       
43

       
+

       
      pkgs.protonplus


     

       

       
44

       
+

       
    ];


     

       
27

       
45

       
 

       
  };


     

       
28

       
46

       
 

       
}
-1
nixosModules/programs/neovim/default.nix 
···

       
1

       
1

       
 

       
{


     

       
2

       

       
-

       
  pkgs,


     

       
3

       
2

       
 

       
  lib,


     

       
4

       
3

       
 

       
  config,


     

       
5

       
4

       
 

       
  ...
+1 -3
nixosModules/services/forgejo-runner/default.nix 
···

       
26

       
26

       
 

       
      };


     

       
27

       
27

       
 

       
      cache = {


     

       
28

       
28

       
 

       
        enabled = true;


     

       
29

       

       
-

       
        dir = "/var/lib/forgejo/runners/cache/";


     

       
30

       

       
-

       
        host = "";


     

       
31

       
29

       
 

       
        port = 0;


     

       
32

       
30

       
 

       
      };


     

       
33

       
31

       
 

       
      container = {


     
···

       
50

       
48

       
 

       
  };


     

       
51

       
49

       
 

       



     

       
52

       
50

       
 

       
  config.services.gitea-actions-runner = lib.mkIf cfg.enable {


     

       
53

       

       
-

       
    package = pkgs.forgejo-actions-runner;


     

       

       
51

       
+

       
    package = pkgs.forgejo-runner;


     

       
54

       
52

       
 

       
    instances = {


     

       
55

       
53

       
 

       
      "${config.networking.hostName}-default" = runnerBase // {


     

       
56

       
54

       
 

       
        inherit (cfg) tokenFile;
+4
optnix.toml 
···

       

       
1

       
+

       
[scopes.flake-parts]


     

       

       
2

       
+

       
description = "flake-parts config"


     

       

       
3

       
+

       
options-list-cmd = "nix eval --json .#debug.options-doc"


     

       

       
4

       
+

       
evaluator = "nix eval .#debug.config.{{ .Option }}"
+1 -1
overlays/cinny/default.nix 
···

       
1

       

       
-

       
_: final: prev: {


     

       

       
1

       
+

       
_: _final: prev: {


     

       
2

       
2

       
 

       
  cinny-unwrapped = prev.cinny-unwrapped.overrideAttrs (old: {


     

       
3

       
3

       
 

       
    patches = (old.patches or [ ]) ++ [ ./nix-commands.patch ];


     

       
4

       
4

       
 

       
  });
+1
overlays/default.nix 
···

       
2

       
2

       
 

       
  flake.overlays = {


     

       
3

       
3

       
 

       
    cinny = import ./cinny;


     

       
4

       
4

       
 

       
    openssh-fixperms = import ./openssh-fixperms;


     

       

       
5

       
+

       
    hy3-fixes = import ./hy3-fixes;


     

       
5

       
6

       
 

       
  };


     

       
6

       
7

       
 

       
}
+12
overlays/hy3-fixes/default.nix 
···

       

       
1

       
+

       
_final: prev: {


     

       

       
2

       
+

       
  hyprlandPlugins = prev.hyprlandPlugins // {


     

       

       
3

       
+

       
    hy3 = prev.hyprlandPlugins.hy3.overrideAttrs (old: {


     

       

       
4

       
+

       
      patches = (old.patches or [ ]) ++ [


     

       

       
5

       
+

       
        (prev.fetchpatch {


     

       

       
6

       
+

       
          url = "https://github.com/outfoxxed/hy3/commit/8a3f46a40984e74094f71b5bd38df3dbe5daa97f.patch?full_index=1";


     

       

       
7

       
+

       
          hash = "sha256-zNGCMcidRx7zV3mnlQT4EjA36g7MeBf6A9gyvITeZ4c=";


     

       

       
8

       
+

       
        })


     

       

       
9

       
+

       
      ];


     

       

       
10

       
+

       
    });


     

       

       
11

       
+

       
  };


     

       

       
12

       
+

       
}
-2
overlays/nix-index/default.nix 
···

       
1

       

       
-

       
# deadnix: skip


     

       
2

       

       
-

       
{ inputs, ... }: final: prev: { inherit (inputs.nix-index.packages.${prev.system}) nix-index; }
+1 -1
overlays/openssh-fixperms/default.nix 
···

       
1

       

       
-

       
final: prev: {


     

       

       
1

       
+

       
_final: prev: {


     

       
2

       
2

       
 

       
  openssh-patched = prev.openssh.overrideAttrs (old: {


     

       
3

       
3

       
 

       
    patches = (old.patches or [ ]) ++ [ ./permfix.patch ];


     

       
4

       
4

       
 

       
    doCheck = false;
-20
packages/anubis-files/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  stdenv,


     

       
3

       

       
-

       
  ...


     

       
4

       

       
-

       
}:


     

       
5

       

       
-

       
stdenv.mkDerivation {


     

       
6

       

       
-

       
  pname = "pyronet-anubis-files";


     

       
7

       

       
-

       
  version = "1.0.0";


     

       
8

       

       
-

       



     

       
9

       

       
-

       
  src = ./src;


     

       
10

       

       
-

       



     

       
11

       

       
-

       
  buildPhase = ''


     

       
12

       

       
-

       
    substituteInPlace policies/*.yaml \


     

       
13

       

       
-

       
      --replace-fail "CUSTOM" $out/rules


     

       
14

       

       
-

       
  '';


     

       
15

       

       
-

       



     

       
16

       

       
-

       
  installPhase = ''


     

       
17

       

       
-

       
    mkdir $out


     

       
18

       

       
-

       
    cp -r * $out/


     

       
19

       

       
-

       
  '';


     

       
20

       

       
-

       
}
+20
packages/anubis-files/package.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  stdenv,


     

       

       
3

       
+

       
  ...


     

       

       
4

       
+

       
}:


     

       

       
5

       
+

       
stdenv.mkDerivation {


     

       

       
6

       
+

       
  pname = "pyronet-anubis-files";


     

       

       
7

       
+

       
  version = "1.0.0";


     

       

       
8

       
+

       



     

       

       
9

       
+

       
  src = ./src;


     

       

       
10

       
+

       



     

       

       
11

       
+

       
  buildPhase = ''


     

       

       
12

       
+

       
    substituteInPlace policies/*.yaml \


     

       

       
13

       
+

       
      --replace-fail "CUSTOM" $out


     

       

       
14

       
+

       
  '';


     

       

       
15

       
+

       



     

       

       
16

       
+

       
  installPhase = ''


     

       

       
17

       
+

       
    mkdir $out


     

       

       
18

       
+

       
    cp -r * $out/


     

       

       
19

       
+

       
  '';


     

       

       
20

       
+

       
}
+56
packages/anubis-files/src/policies/default.yaml 
···

       

       
1

       
+

       
bots:


     

       

       
2

       
+

       
  - import: CUSTOM/policies/meta/base.yaml


     

       

       
3

       
+

       
dnsbl: false


     

       

       
4

       
+

       
openGraph:


     

       

       
5

       
+

       
  enabled: true


     

       

       
6

       
+

       
  considerHost: false


     

       

       
7

       
+

       
  ttl: 24h


     

       

       
8

       
+

       
status_codes:


     

       

       
9

       
+

       
  CHALLENGE: 200


     

       

       
10

       
+

       
  DENY: 200


     

       

       
11

       
+

       
thresholds:


     

       

       
12

       
+

       
  - name: minimal-suspicion


     

       

       
13

       
+

       
    expression: weight <= 0


     

       

       
14

       
+

       
    action: ALLOW


     

       

       
15

       
+

       
  - name: mild-suspicion


     

       

       
16

       
+

       
    expression:


     

       

       
17

       
+

       
      all:


     

       

       
18

       
+

       
        - weight > 0


     

       

       
19

       
+

       
        - weight < 10


     

       

       
20

       
+

       
    action: CHALLENGE


     

       

       
21

       
+

       
    challenge:


     

       

       
22

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh


     

       

       
23

       
+

       
      algorithm: metarefresh


     

       

       
24

       
+

       
      difficulty: 1


     

       

       
25

       
+

       
      report_as: 1


     

       

       
26

       
+

       
  - name: moderate-suspicion


     

       

       
27

       
+

       
    expression:


     

       

       
28

       
+

       
      all:


     

       

       
29

       
+

       
        - weight >= 10


     

       

       
30

       
+

       
        - weight < 20


     

       

       
31

       
+

       
    action: CHALLENGE


     

       

       
32

       
+

       
    challenge:


     

       

       
33

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
34

       
+

       
      algorithm: fast


     

       

       
35

       
+

       
      difficulty: 2 # two leading zeros, very fast for most clients


     

       

       
36

       
+

       
      report_as: 2


     

       

       
37

       
+

       
  - name: mild-proof-of-work


     

       

       
38

       
+

       
    expression:


     

       

       
39

       
+

       
      all:


     

       

       
40

       
+

       
        - weight >= 20


     

       

       
41

       
+

       
        - weight < 30


     

       

       
42

       
+

       
    action: CHALLENGE


     

       

       
43

       
+

       
    challenge:


     

       

       
44

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
45

       
+

       
      algorithm: fast


     

       

       
46

       
+

       
      difficulty: 4


     

       

       
47

       
+

       
      report_as: 4


     

       

       
48

       
+

       
  # For clients that are browser like and have gained many points from custom rules


     

       

       
49

       
+

       
  - name: extreme-suspicion


     

       

       
50

       
+

       
    expression: weight >= 30


     

       

       
51

       
+

       
    action: CHALLENGE


     

       

       
52

       
+

       
    challenge:


     

       

       
53

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
54

       
+

       
      algorithm: fast


     

       

       
55

       
+

       
      difficulty: 6


     

       

       
56

       
+

       
      report_as: 5
+59 -6
packages/anubis-files/src/policies/forgejo.yaml 
···

       
1

       
1

       
 

       
bots:


     

       
2

       

       
-

       
  - import: (data)/bots/ai-robots-txt.yaml


     

       
3

       

       
-

       
  - import: CUSTOM/block/alibaba-cloud.yaml


     

       

       
2

       
+

       
  - import: CUSTOM/policies/meta/base.yaml


     

       
4

       
3

       
 

       
  - import: (data)/clients/git.yaml


     

       
5

       

       
-

       
  - import: (data)/common/keep-internet-working.yaml


     

       
6

       
4

       
 

       
  - import: (data)/apps/gitea-rss-feeds.yaml


     

       
7

       

       
-

       
  - import: (data)/crawlers/internet-archive.yaml


     

       
8

       

       
-

       
  - import: (data)/crawlers/kagibot.yaml


     

       
9

       

       
-

       
  - import: CUSTOM/challenge/generic-browser.yaml


     

       

       
5

       
+

       



     

       

       
6

       
+

       
  # Allow forgejo runner connections from localhost and tailscale


     

       

       
7

       
+

       
  - name: forgejo-runner


     

       

       
8

       
+

       
    user_agent_regex: connect-go


     

       

       
9

       
+

       
    action: ALLOW


     

       
10

       
10

       
 

       



     

       
11

       
11

       
 

       
dnsbl: false


     

       

       
12

       
+

       
openGraph:


     

       

       
13

       
+

       
  enabled: true


     

       

       
14

       
+

       
  considerHost: false


     

       

       
15

       
+

       
  ttl: 24h


     

       

       
16

       
+

       
status_codes:


     

       

       
17

       
+

       
  CHALLENGE: 200


     

       

       
18

       
+

       
  DENY: 200


     

       

       
19

       
+

       
thresholds:


     

       

       
20

       
+

       
  - name: minimal-suspicion


     

       

       
21

       
+

       
    expression: weight <= 0


     

       

       
22

       
+

       
    action: ALLOW


     

       

       
23

       
+

       
  - name: mild-suspicion


     

       

       
24

       
+

       
    expression:


     

       

       
25

       
+

       
      all:


     

       

       
26

       
+

       
        - weight > 0


     

       

       
27

       
+

       
        - weight < 10


     

       

       
28

       
+

       
    action: CHALLENGE


     

       

       
29

       
+

       
    challenge:


     

       

       
30

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh


     

       

       
31

       
+

       
      algorithm: metarefresh


     

       

       
32

       
+

       
      difficulty: 1


     

       

       
33

       
+

       
      report_as: 1


     

       

       
34

       
+

       
  - name: moderate-suspicion


     

       

       
35

       
+

       
    expression:


     

       

       
36

       
+

       
      all:


     

       

       
37

       
+

       
        - weight >= 10


     

       

       
38

       
+

       
        - weight < 20


     

       

       
39

       
+

       
    action: CHALLENGE


     

       

       
40

       
+

       
    challenge:


     

       

       
41

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
42

       
+

       
      algorithm: fast


     

       

       
43

       
+

       
      difficulty: 2 # two leading zeros, very fast for most clients


     

       

       
44

       
+

       
      report_as: 2


     

       

       
45

       
+

       
  - name: mild-proof-of-work


     

       

       
46

       
+

       
    expression:


     

       

       
47

       
+

       
      all:


     

       

       
48

       
+

       
        - weight >= 20


     

       

       
49

       
+

       
        - weight < 30


     

       

       
50

       
+

       
    action: CHALLENGE


     

       

       
51

       
+

       
    challenge:


     

       

       
52

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
53

       
+

       
      algorithm: fast


     

       

       
54

       
+

       
      difficulty: 4


     

       

       
55

       
+

       
      report_as: 4


     

       

       
56

       
+

       
  # For clients that are browser like and have gained many points from custom rules


     

       

       
57

       
+

       
  - name: extreme-suspicion


     

       

       
58

       
+

       
    expression: weight >= 30


     

       

       
59

       
+

       
    action: CHALLENGE


     

       

       
60

       
+

       
    challenge:


     

       

       
61

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
62

       
+

       
      algorithm: fast


     

       

       
63

       
+

       
      difficulty: 6


     

       

       
64

       
+

       
      report_as: 5
-7
packages/anubis-files/src/policies/grafana.yaml 
···

       
1

       

       
-

       
bots:


     

       
2

       

       
-

       
  - import: (data)/bots/ai-robots-txt.yaml


     

       
3

       

       
-

       
  - import: CUSTOM/block/alibaba-cloud.yaml


     

       
4

       

       
-

       
  - import: (data)/common/keep-internet-working.yaml


     

       
5

       

       
-

       
  - import: CUSTOM/challenge/generic-browser.yaml


     

       
6

       

       
-

       



     

       
7

       

       
-

       
dnsbl: false
+54
packages/anubis-files/src/policies/meta/base.yaml 
···

       

       
1

       
+

       
# keep-sorted start


     

       

       
2

       
+

       
- import: (data)/bots/_deny-pathological.yaml


     

       

       
3

       
+

       
- import: (data)/bots/aggressive-brazilian-scrapers.yaml


     

       

       
4

       
+

       
- import: (data)/clients/x-firefox-ai.yaml


     

       

       
5

       
+

       
- import: (data)/common/keep-internet-working.yaml


     

       

       
6

       
+

       
- import: (data)/common/rfc-violations.yaml


     

       

       
7

       
+

       
- import: (data)/crawlers/_allow-good.yaml


     

       

       
8

       
+

       
- import: (data)/meta/ai-block-aggressive.yaml


     

       

       
9

       
+

       
# keep-sorted end


     

       

       
10

       
+

       
- name: realistic-browser-catchall


     

       

       
11

       
+

       
  expression:


     

       

       
12

       
+

       
    all:


     

       

       
13

       
+

       
      - '"User-Agent" in headers'


     

       

       
14

       
+

       
      - '( userAgent.contains("Firefox") ) || ( userAgent.contains("Chrome") ) || ( userAgent.contains("Safari") )'


     

       

       
15

       
+

       
      - '"Accept" in headers'


     

       

       
16

       
+

       
      - '"Sec-Fetch-Dest" in headers'


     

       

       
17

       
+

       
      - '"Sec-Fetch-Mode" in headers'


     

       

       
18

       
+

       
      - '"Sec-Fetch-Site" in headers'


     

       

       
19

       
+

       
      - '"Accept-Encoding" in headers'


     

       

       
20

       
+

       
      - '( headers["Accept-Encoding"].contains("zstd") || headers["Accept-Encoding"].contains("br") )'


     

       

       
21

       
+

       
      - '"Accept-Language" in headers'


     

       

       
22

       
+

       
  action: WEIGH


     

       

       
23

       
+

       
  weight:


     

       

       
24

       
+

       
    adjust: -10


     

       

       
25

       
+

       
    # The Upgrade-Insecure-Requests header is typically sent by browsers, but not always


     

       

       
26

       
+

       
- name: upgrade-insecure-requests


     

       

       
27

       
+

       
  expression: '"Upgrade-Insecure-Requests" in headers'


     

       

       
28

       
+

       
  action: WEIGH


     

       

       
29

       
+

       
  weight:


     

       

       
30

       
+

       
    adjust: -2


     

       

       
31

       
+

       
# Chrome should behave like Chrome


     

       

       
32

       
+

       
- name: chrome-is-proper


     

       

       
33

       
+

       
  expression:


     

       

       
34

       
+

       
    all:


     

       

       
35

       
+

       
      - userAgent.contains("Chrome")


     

       

       
36

       
+

       
      - '"Sec-Ch-Ua" in headers'


     

       

       
37

       
+

       
      - 'headers["Sec-Ch-Ua"].contains("Chromium")'


     

       

       
38

       
+

       
      - '"Sec-Ch-Ua-Mobile" in headers'


     

       

       
39

       
+

       
      - '"Sec-Ch-Ua-Platform" in headers'


     

       

       
40

       
+

       
  action: WEIGH


     

       

       
41

       
+

       
  weight:


     

       

       
42

       
+

       
    adjust: -5


     

       

       
43

       
+

       
- name: should-have-accept


     

       

       
44

       
+

       
  expression: '!("Accept" in headers)'


     

       

       
45

       
+

       
  action: WEIGH


     

       

       
46

       
+

       
  weight:


     

       

       
47

       
+

       
    adjust: 5


     

       

       
48

       
+

       
# Generic catchall rule


     

       

       
49

       
+

       
- name: generic-browser


     

       

       
50

       
+

       
  user_agent_regex: >-


     

       

       
51

       
+

       
    Mozilla|Opera|Chrome|Chromium


     

       

       
52

       
+

       
  action: WEIGH


     

       

       
53

       
+

       
  weight:


     

       

       
54

       
+

       
    adjust: 10
packages/anubis-files/src/policies/meta/openGraph.yaml

This is a binary file and will not be displayed.

-7
packages/anubis-files/src/policies/miniflux.yaml 
···

       
1

       

       
-

       
bots:


     

       
2

       

       
-

       
  - import: (data)/bots/ai-robots-txt.yaml


     

       
3

       

       
-

       
  - import: CUSTOM/block/alibaba-cloud.yaml


     

       
4

       

       
-

       
  - import: (data)/common/keep-internet-working.yaml


     

       
5

       

       
-

       
  - import: CUSTOM/challenge/generic-browser.yaml


     

       
6

       

       
-

       



     

       
7

       

       
-

       
dnsbl: false
+50 -7
packages/anubis-files/src/policies/nextcloud-office.yaml 
···

       
1

       
1

       
 

       
bots:


     

       
2

       

       
-

       
  - import: (data)/bots/ai-robots-txt.yaml


     

       
3

       

       
-

       
  - import: CUSTOM/block/alibaba-cloud.yaml


     

       
4

       

       
-

       



     

       

       
2

       
+

       
  - import: CUSTOM/policies/meta/base.yaml


     

       
5

       
3

       
 

       
  # Allow requests from the nextcloud server to bypass checks


     

       
6

       
4

       
 

       
  - name: allow-nextcloud-server


     

       
7

       
5

       
 

       
    user_agent_regex: ^Nextcloud Server / richdocuments$


     

       
8

       
6

       
 

       
    action: ALLOW


     

       
9

       

       
-

       



     

       
10

       

       
-

       
  - import: (data)/common/keep-internet-working.yaml


     

       
11

       

       
-

       
  - import: CUSTOM/challenge/generic-browser.yaml


     

       
12

       

       
-

       



     

       
13

       
7

       
 

       
dnsbl: false


     

       

       
8

       
+

       
status_codes:


     

       

       
9

       
+

       
  CHALLENGE: 200


     

       

       
10

       
+

       
  DENY: 200


     

       

       
11

       
+

       
thresholds:


     

       

       
12

       
+

       
  - name: minimal-suspicion


     

       

       
13

       
+

       
    expression: weight <= 0


     

       

       
14

       
+

       
    action: ALLOW


     

       

       
15

       
+

       
  - name: mild-suspicion


     

       

       
16

       
+

       
    expression:


     

       

       
17

       
+

       
      all:


     

       

       
18

       
+

       
        - weight > 0


     

       

       
19

       
+

       
        - weight < 10


     

       

       
20

       
+

       
    action: CHALLENGE


     

       

       
21

       
+

       
    challenge:


     

       

       
22

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh


     

       

       
23

       
+

       
      algorithm: metarefresh


     

       

       
24

       
+

       
      difficulty: 1


     

       

       
25

       
+

       
      report_as: 1


     

       

       
26

       
+

       
  - name: moderate-suspicion


     

       

       
27

       
+

       
    expression:


     

       

       
28

       
+

       
      all:


     

       

       
29

       
+

       
        - weight >= 10


     

       

       
30

       
+

       
        - weight < 20


     

       

       
31

       
+

       
    action: CHALLENGE


     

       

       
32

       
+

       
    challenge:


     

       

       
33

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
34

       
+

       
      algorithm: fast


     

       

       
35

       
+

       
      difficulty: 2 # two leading zeros, very fast for most clients


     

       

       
36

       
+

       
      report_as: 2


     

       

       
37

       
+

       
  - name: mild-proof-of-work


     

       

       
38

       
+

       
    expression:


     

       

       
39

       
+

       
      all:


     

       

       
40

       
+

       
        - weight >= 20


     

       

       
41

       
+

       
        - weight < 30


     

       

       
42

       
+

       
    action: CHALLENGE


     

       

       
43

       
+

       
    challenge:


     

       

       
44

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
45

       
+

       
      algorithm: fast


     

       

       
46

       
+

       
      difficulty: 4


     

       

       
47

       
+

       
      report_as: 4


     

       

       
48

       
+

       
  # For clients that are browser like and have gained many points from custom rules


     

       

       
49

       
+

       
  - name: extreme-suspicion


     

       

       
50

       
+

       
    expression: weight >= 30


     

       

       
51

       
+

       
    action: CHALLENGE


     

       

       
52

       
+

       
    challenge:


     

       

       
53

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
54

       
+

       
      algorithm: fast


     

       

       
55

       
+

       
      difficulty: 6


     

       

       
56

       
+

       
      report_as: 5
+54 -12
packages/anubis-files/src/policies/nextcloud.yaml 
···

       
1

       
1

       
 

       
bots:


     

       
2

       

       
-

       
  # Block scrapers and abusive cloud providers


     

       
3

       

       
-

       
  - import: (data)/bots/ai-robots-txt.yaml


     

       
4

       

       
-

       
  - import: CUSTOM/block/alibaba-cloud.yaml


     

       
5

       

       
-

       



     

       

       
2

       
+

       
  - import: CUSTOM/policies/meta/base.yaml


     

       
6

       
3

       
 

       
  # Allow android apps that I use


     

       
7

       
4

       
 

       
  - name: allow-android-apps


     

       
8

       
5

       
 

       
    user_agent_regex: Nextcloud-android|DAVx5|ICSx5


     

       
9

       
6

       
 

       
    action: ALLOW


     

       
10

       

       
-

       



     

       
11

       
7

       
 

       
  # Allow the Thunderbird Filelink app


     

       
12

       
8

       
 

       
  - name: allow-thunderbird-filelink


     

       
13

       
9

       
 

       
    user_agent_regex: ^Filelink for \*cloud.*$


     

       
14

       
10

       
 

       
    action: ALLOW


     

       
15

       

       
-

       



     

       
16

       
11

       
 

       
  # Allow anyone accessing the **authenticated** DAV endpoint.


     

       
17

       
12

       
 

       
  - name: allow-dav


     

       
18

       
13

       
 

       
    path_regex: ^/remote.php/dav/.*$


     

       
19

       
14

       
 

       
    action: ALLOW


     

       
20

       

       
-

       



     

       
21

       
15

       
 

       
  # Allow public shares so that I can more easily send them


     

       
22

       
16

       
 

       
  - name: allow-public-shares


     

       
23

       
17

       
 

       
    path_regex: ^/s/.*$


     

       
24

       
18

       
 

       
    action: ALLOW


     

       
25

       

       
-

       



     

       
26

       
19

       
 

       
  # Allow clients to load assets to not break public shares


     

       
27

       
20

       
 

       
  - name: allow-assets


     

       
28

       
21

       
 

       
    action: ALLOW


     
···

       
39

       
32

       
 

       
        - 'path.startsWith("/apps/theming/")'


     

       
40

       
33

       
 

       
        # Public DAV endpoint


     

       
41

       
34

       
 

       
        - 'path.startsWith("/public.php/dav/files/")'


     

       
42

       

       
-

       



     

       
43

       

       
-

       
  - import: (data)/common/keep-internet-working.yaml


     

       
44

       

       
-

       
  - import: CUSTOM/challenge/generic-browser.yaml


     

       
45

       

       
-

       



     

       
46

       
35

       
 

       
dnsbl: false


     

       

       
36

       
+

       
openGraph:


     

       

       
37

       
+

       
  enabled: true


     

       

       
38

       
+

       
  considerHost: false


     

       

       
39

       
+

       
  ttl: 24h


     

       

       
40

       
+

       
status_codes:


     

       

       
41

       
+

       
  CHALLENGE: 200


     

       

       
42

       
+

       
  DENY: 200


     

       

       
43

       
+

       
thresholds:


     

       

       
44

       
+

       
  - name: minimal-suspicion


     

       

       
45

       
+

       
    expression: weight <= 0


     

       

       
46

       
+

       
    action: ALLOW


     

       

       
47

       
+

       
  - name: mild-suspicion


     

       

       
48

       
+

       
    expression:


     

       

       
49

       
+

       
      all:


     

       

       
50

       
+

       
        - weight > 0


     

       

       
51

       
+

       
        - weight < 10


     

       

       
52

       
+

       
    action: CHALLENGE


     

       

       
53

       
+

       
    challenge:


     

       

       
54

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh


     

       

       
55

       
+

       
      algorithm: metarefresh


     

       

       
56

       
+

       
      difficulty: 1


     

       

       
57

       
+

       
      report_as: 1


     

       

       
58

       
+

       
  - name: moderate-suspicion


     

       

       
59

       
+

       
    expression:


     

       

       
60

       
+

       
      all:


     

       

       
61

       
+

       
        - weight >= 10


     

       

       
62

       
+

       
        - weight < 20


     

       

       
63

       
+

       
    action: CHALLENGE


     

       

       
64

       
+

       
    challenge:


     

       

       
65

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
66

       
+

       
      algorithm: fast


     

       

       
67

       
+

       
      difficulty: 2 # two leading zeros, very fast for most clients


     

       

       
68

       
+

       
      report_as: 2


     

       

       
69

       
+

       
  - name: mild-proof-of-work


     

       

       
70

       
+

       
    expression:


     

       

       
71

       
+

       
      all:


     

       

       
72

       
+

       
        - weight >= 20


     

       

       
73

       
+

       
        - weight < 30


     

       

       
74

       
+

       
    action: CHALLENGE


     

       

       
75

       
+

       
    challenge:


     

       

       
76

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
77

       
+

       
      algorithm: fast


     

       

       
78

       
+

       
      difficulty: 4


     

       

       
79

       
+

       
      report_as: 4


     

       

       
80

       
+

       
  # For clients that are browser like and have gained many points from custom rules


     

       

       
81

       
+

       
  - name: extreme-suspicion


     

       

       
82

       
+

       
    expression: weight >= 30


     

       

       
83

       
+

       
    action: CHALLENGE


     

       

       
84

       
+

       
    challenge:


     

       

       
85

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
86

       
+

       
      algorithm: fast


     

       

       
87

       
+

       
      difficulty: 6


     

       

       
88

       
+

       
      report_as: 5
-7
packages/anubis-files/src/policies/pingvin-share.yaml 
···

       
1

       

       
-

       
bots:


     

       
2

       

       
-

       
  - import: (data)/bots/ai-robots-txt.yaml


     

       
3

       

       
-

       
  - import: CUSTOM/block/alibaba-cloud.yaml


     

       
4

       

       
-

       
  - import: (data)/common/keep-internet-working.yaml


     

       
5

       

       
-

       
  - import: CUSTOM/challenge/generic-browser.yaml


     

       
6

       

       
-

       



     

       
7

       

       
-

       
dnsbl: false
-7
packages/anubis-files/src/policies/planka.yaml 
···

       
1

       

       
-

       
bots:


     

       
2

       

       
-

       
  - import: (data)/bots/ai-robots-txt.yaml


     

       
3

       

       
-

       
  - import: CUSTOM/block/alibaba-cloud.yaml


     

       
4

       

       
-

       
  - import: (data)/common/keep-internet-working.yaml


     

       
5

       

       
-

       
  - import: CUSTOM/challenge/generic-browser.yaml


     

       
6

       

       
-

       



     

       
7

       

       
-

       
dnsbl: false
-7
packages/anubis-files/src/policies/pocket-id.yaml 
···

       
1

       

       
-

       
bots:


     

       
2

       

       
-

       
  - import: (data)/bots/ai-robots-txt.yaml


     

       
3

       

       
-

       
  - import: CUSTOM/block/alibaba-cloud.yaml


     

       
4

       

       
-

       
  - import: (data)/common/keep-internet-working.yaml


     

       
5

       

       
-

       
  - import: CUSTOM/challenge/generic-browser.yaml


     

       
6

       

       
-

       



     

       
7

       

       
-

       
dnsbl: false
+54 -7
packages/anubis-files/src/policies/vaultwarden.yaml 
···

       
1

       
1

       
 

       
bots:


     

       
2

       

       
-

       
  - import: (data)/bots/ai-robots-txt.yaml


     

       
3

       

       
-

       
  - import: CUSTOM/block/alibaba-cloud.yaml


     

       
4

       

       
-

       



     

       

       
2

       
+

       
  - import: CUSTOM/policies/meta/base.yaml


     

       
5

       
3

       
 

       
  # Allow bitwarden apps


     

       
6

       
4

       
 

       
  - name: allow-bitwarden-mobile


     

       
7

       
5

       
 

       
    user_agent_regex: Bitwarden_Mobile


     
···

       
9

       
7

       
 

       
  - name: allow-bitwarden-webext


     

       
10

       
8

       
 

       
    user_agent_regex: Mozilla


     

       
11

       
9

       
 

       
    action: ALLOW


     

       
12

       

       
-

       



     

       
13

       

       
-

       
  - import: (data)/common/keep-internet-working.yaml


     

       
14

       

       
-

       
  - import: CUSTOM/challenge/generic-browser.yaml


     

       
15

       

       
-

       



     

       
16

       
10

       
 

       
dnsbl: false


     

       

       
11

       
+

       
openGraph:


     

       

       
12

       
+

       
  enabled: true


     

       

       
13

       
+

       
  considerHost: false


     

       

       
14

       
+

       
  ttl: 24h


     

       

       
15

       
+

       
status_codes:


     

       

       
16

       
+

       
  CHALLENGE: 200


     

       

       
17

       
+

       
  DENY: 200


     

       

       
18

       
+

       
thresholds:


     

       

       
19

       
+

       
  - name: minimal-suspicion


     

       

       
20

       
+

       
    expression: weight <= 0


     

       

       
21

       
+

       
    action: ALLOW


     

       

       
22

       
+

       
  - name: mild-suspicion


     

       

       
23

       
+

       
    expression:


     

       

       
24

       
+

       
      all:


     

       

       
25

       
+

       
        - weight > 0


     

       

       
26

       
+

       
        - weight < 10


     

       

       
27

       
+

       
    action: CHALLENGE


     

       

       
28

       
+

       
    challenge:


     

       

       
29

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh


     

       

       
30

       
+

       
      algorithm: metarefresh


     

       

       
31

       
+

       
      difficulty: 1


     

       

       
32

       
+

       
      report_as: 1


     

       

       
33

       
+

       
  - name: moderate-suspicion


     

       

       
34

       
+

       
    expression:


     

       

       
35

       
+

       
      all:


     

       

       
36

       
+

       
        - weight >= 10


     

       

       
37

       
+

       
        - weight < 20


     

       

       
38

       
+

       
    action: CHALLENGE


     

       

       
39

       
+

       
    challenge:


     

       

       
40

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
41

       
+

       
      algorithm: fast


     

       

       
42

       
+

       
      difficulty: 2 # two leading zeros, very fast for most clients


     

       

       
43

       
+

       
      report_as: 2


     

       

       
44

       
+

       
  - name: mild-proof-of-work


     

       

       
45

       
+

       
    expression:


     

       

       
46

       
+

       
      all:


     

       

       
47

       
+

       
        - weight >= 20


     

       

       
48

       
+

       
        - weight < 30


     

       

       
49

       
+

       
    action: CHALLENGE


     

       

       
50

       
+

       
    challenge:


     

       

       
51

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
52

       
+

       
      algorithm: fast


     

       

       
53

       
+

       
      difficulty: 4


     

       

       
54

       
+

       
      report_as: 4


     

       

       
55

       
+

       
  # For clients that are browser like and have gained many points from custom rules


     

       

       
56

       
+

       
  - name: extreme-suspicion


     

       

       
57

       
+

       
    expression: weight >= 30


     

       

       
58

       
+

       
    action: CHALLENGE


     

       

       
59

       
+

       
    challenge:


     

       

       
60

       
+

       
      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work


     

       

       
61

       
+

       
      algorithm: fast


     

       

       
62

       
+

       
      difficulty: 6


     

       

       
63

       
+

       
      report_as: 5
-828
packages/anubis-files/src/rules/block/alibaba-cloud.yaml 
···

       
1

       

       
-

       
- name: alibaba-cloud


     

       
2

       

       
-

       
  action: DENY


     

       
3

       

       
-

       
  remote_addresses:


     

       
4

       

       
-

       
    [


     

       
5

       

       
-

       
      "45.196.28.0/24",


     

       
6

       

       
-

       
      "161.117.128.0/17",


     

       
7

       

       
-

       
      "8.209.42.0/23",


     

       
8

       

       
-

       
      "47.89.125.0/24",


     

       
9

       

       
-

       
      "8.222.48.0/20",


     

       
10

       

       
-

       
      "47.79.16.0/21",


     

       
11

       

       
-

       
      "149.129.16.0/23",


     

       
12

       

       
-

       
      "8.212.0.0/17",


     

       
13

       

       
-

       
      "47.89.0.0/19",


     

       
14

       

       
-

       
      "47.240.128.0/17",


     

       
15

       

       
-

       
      "8.213.176.0/20",


     

       
16

       

       
-

       
      "47.77.8.0/22",


     

       
17

       

       
-

       
      "47.79.96.0/19",


     

       
18

       

       
-

       
      "47.246.198.0/23",


     

       
19

       

       
-

       
      "47.91.128.0/17",


     

       
20

       

       
-

       
      "47.89.104.0/21",


     

       
21

       

       
-

       
      "47.89.102.0/24",


     

       
22

       

       
-

       
      "8.222.96.0/19",


     

       
23

       

       
-

       
      "170.33.31.0/24",


     

       
24

       

       
-

       
      "8.215.168.0/24",


     

       
25

       

       
-

       
      "8.222.40.0/21",


     

       
26

       

       
-

       
      "47.235.1.0/24",


     

       
27

       

       
-

       
      "240b:400f::/32",


     

       
28

       

       
-

       
      "170.33.32.0/24",


     

       
29

       

       
-

       
      "8.208.0.0/18",


     

       
30

       

       
-

       
      "47.79.24.0/21",


     

       
31

       

       
-

       
      "47.91.16.0/20",


     

       
32

       

       
-

       
      "47.252.0.0/17",


     

       
33

       

       
-

       
      "8.213.176.0/21",


     

       
34

       

       
-

       
      "8.212.0.0/18",


     

       
35

       

       
-

       
      "8.211.192.0/18",


     

       
36

       

       
-

       
      "47.79.54.0/23",


     

       
37

       

       
-

       
      "47.235.18.0/24",


     

       
38

       

       
-

       
      "47.88.0.0/17",


     

       
39

       

       
-

       
      "43.96.21.0/24",


     

       
40

       

       
-

       
      "47.235.22.0/24",


     

       
41

       

       
-

       
      "240b:4001::/33",


     

       
42

       

       
-

       
      "47.79.64.0/20",


     

       
43

       

       
-

       
      "139.95.4.0/23",


     

       
44

       

       
-

       
      "47.254.128.0/19",


     

       
45

       

       
-

       
      "47.81.64.0/18",


     

       
46

       

       
-

       
      "47.77.128.0/18",


     

       
47

       

       
-

       
      "240b:4009::/33",


     

       
48

       

       
-

       
      "47.246.90.0/23",


     

       
49

       

       
-

       
      "47.89.32.0/19",


     

       
50

       

       
-

       
      "205.204.125.0/24",


     

       
51

       

       
-

       
      "47.79.56.0/23",


     

       
52

       

       
-

       
      "240b:400c:100::/41",


     

       
53

       

       
-

       
      "47.235.26.0/23",


     

       
54

       

       
-

       
      "8.209.64.0/19",


     

       
55

       

       
-

       
      "8.222.16.0/20",


     

       
56

       

       
-

       
      "47.235.12.0/23",


     

       
57

       

       
-

       
      "116.251.64.0/18",


     

       
58

       

       
-

       
      "139.95.64.0/24",


     

       
59

       

       
-

       
      "47.235.31.0/24",


     

       
60

       

       
-

       
      "8.208.32.0/19",


     

       
61

       

       
-

       
      "240b:400c:f00::/48",


     

       
62

       

       
-

       
      "47.235.6.0/24",


     

       
63

       

       
-

       
      "47.246.160.0/21",


     

       
64

       

       
-

       
      "47.246.196.0/22",


     

       
65

       

       
-

       
      "2404:2280:3000::/37",


     

       
66

       

       
-

       
      "47.74.0.0/21",


     

       
67

       

       
-

       
      "240b:4007:8000::/33",


     

       
68

       

       
-

       
      "47.91.0.0/20",


     

       
69

       

       
-

       
      "2400:3200:baba::/48",


     

       
70

       

       
-

       
      "198.11.137.0/24",


     

       
71

       

       
-

       
      "47.84.168.0/21",


     

       
72

       

       
-

       
      "240b:4006:1020::/44",


     

       
73

       

       
-

       
      "149.129.192.0/18",


     

       
74

       

       
-

       
      "8.219.40.0/21",


     

       
75

       

       
-

       
      "43.96.3.0/24",


     

       
76

       

       
-

       
      "240b:4004::/32",


     

       
77

       

       
-

       
      "47.77.64.0/20",


     

       
78

       

       
-

       
      "47.83.48.0/21",


     

       
79

       

       
-

       
      "47.77.104.0/21",


     

       
80

       

       
-

       
      "240b:4001:8000::/33",


     

       
81

       

       
-

       
      "43.96.5.0/24",


     

       
82

       

       
-

       
      "240b:400c:180::/41",


     

       
83

       

       
-

       
      "43.96.25.0/24",


     

       
84

       

       
-

       
      "47.77.96.0/21",


     

       
85

       

       
-

       
      "8.211.160.0/19",


     

       
86

       

       
-

       
      "47.245.32.0/19",


     

       
87

       

       
-

       
      "8.215.0.0/16",


     

       
88

       

       
-

       
      "47.79.32.0/20",


     

       
89

       

       
-

       
      "8.213.160.0/21",


     

       
90

       

       
-

       
      "47.74.0.0/19",


     

       
91

       

       
-

       
      "43.96.4.0/24",


     

       
92

       

       
-

       
      "170.33.75.0/24",


     

       
93

       

       
-

       
      "8.211.128.0/18",


     

       
94

       

       
-

       
      "8.217.0.0/16",


     

       
95

       

       
-

       
      "47.81.0.0/19",


     

       
96

       

       
-

       
      "47.82.96.0/19",


     

       
97

       

       
-

       
      "47.83.56.0/21",


     

       
98

       

       
-

       
      "203.107.64.0/24",


     

       
99

       

       
-

       
      "240b:4006:1020::/45",


     

       
100

       

       
-

       
      "240b:4004::/33",


     

       
101

       

       
-

       
      "47.242.0.0/15",


     

       
102

       

       
-

       
      "47.80.128.0/17",


     

       
103

       

       
-

       
      "8.215.0.0/17",


     

       
104

       

       
-

       
      "240b:4000::/32",


     

       
105

       

       
-

       
      "47.246.192.0/23",


     

       
106

       

       
-

       
      "47.246.176.0/21",


     

       
107

       

       
-

       
      "8.212.224.0/19",


     

       
108

       

       
-

       
      "47.90.0.0/17",


     

       
109

       

       
-

       
      "170.33.107.0/24",


     

       
110

       

       
-

       
      "47.237.32.0/20",


     

       
111

       

       
-

       
      "47.240.0.0/16",


     

       
112

       

       
-

       
      "47.253.0.0/16",


     

       
113

       

       
-

       
      "161.117.0.0/16",


     

       
114

       

       
-

       
      "47.77.12.0/22",


     

       
115

       

       
-

       
      "47.88.128.0/17",


     

       
116

       

       
-

       
      "8.220.147.0/24",


     

       
117

       

       
-

       
      "47.236.0.0/16",


     

       
118

       

       
-

       
      "149.129.192.0/19",


     

       
119

       

       
-

       
      "170.33.73.0/24",


     

       
120

       

       
-

       
      "47.87.160.0/19",


     

       
121

       

       
-

       
      "47.79.0.0/20",


     

       
122

       

       
-

       
      "47.246.153.0/24",


     

       
123

       

       
-

       
      "47.235.29.0/24",


     

       
124

       

       
-

       
      "47.81.128.0/18",


     

       
125

       

       
-

       
      "43.96.35.0/24",


     

       
126

       

       
-

       
      "8.212.128.0/18",


     

       
127

       

       
-

       
      "8.219.0.0/16",


     

       
128

       

       
-

       
      "47.246.155.0/24",


     

       
129

       

       
-

       
      "8.216.64.0/18",


     

       
130

       

       
-

       
      "8.213.253.0/24",


     

       
131

       

       
-

       
      "8.220.116.0/24",


     

       
132

       

       
-

       
      "8.222.128.0/18",


     

       
133

       

       
-

       
      "240b:400e:8000::/33",


     

       
134

       

       
-

       
      "43.96.33.0/24",


     

       
135

       

       
-

       
      "47.77.192.0/18",


     

       
136

       

       
-

       
      "47.81.32.0/19",


     

       
137

       

       
-

       
      "47.77.8.0/21",


     

       
138

       

       
-

       
      "47.79.16.0/20",


     

       
139

       

       
-

       
      "240b:400f:8000::/33",


     

       
140

       

       
-

       
      "47.246.145.0/24",


     

       
141

       

       
-

       
      "47.88.128.0/18",


     

       
142

       

       
-

       
      "170.33.104.0/24",


     

       
143

       

       
-

       
      "8.219.0.0/17",


     

       
144

       

       
-

       
      "47.82.0.0/18",


     

       
145

       

       
-

       
      "139.95.10.0/23",


     

       
146

       

       
-

       
      "47.238.0.0/16",


     

       
147

       

       
-

       
      "240b:4006:1002::/47",


     

       
148

       

       
-

       
      "8.221.188.0/22",


     

       
149

       

       
-

       
      "8.213.251.0/24",


     

       
150

       

       
-

       
      "47.254.192.0/19",


     

       
151

       

       
-

       
      "47.79.32.0/21",


     

       
152

       

       
-

       
      "8.212.128.0/19",


     

       
153

       

       
-

       
      "47.246.83.0/24",


     

       
154

       

       
-

       
      "47.87.64.0/19",


     

       
155

       

       
-

       
      "8.222.192.0/18",


     

       
156

       

       
-

       
      "170.33.68.0/24",


     

       
157

       

       
-

       
      "240b:400c:f01::/48",


     

       
158

       

       
-

       
      "170.33.136.0/24",


     

       
159

       

       
-

       
      "2400:b200:4101::/48",


     

       
160

       

       
-

       
      "2401:8680:4100::/48",


     

       
161

       

       
-

       
      "240b:400c::/32",


     

       
162

       

       
-

       
      "47.89.92.0/22",


     

       
163

       

       
-

       
      "8.223.128.0/18",


     

       
164

       

       
-

       
      "47.89.124.0/23",


     

       
165

       

       
-

       
      "47.74.32.0/19",


     

       
166

       

       
-

       
      "47.244.0.0/17",


     

       
167

       

       
-

       
      "43.96.80.0/24",


     

       
168

       

       
-

       
      "8.211.104.0/21",


     

       
169

       

       
-

       
      "8.213.224.0/19",


     

       
170

       

       
-

       
      "47.86.0.0/17",


     

       
171

       

       
-

       
      "8.222.64.0/21",


     

       
172

       

       
-

       
      "240b:400e::/33",


     

       
173

       

       
-

       
      "161.117.143.0/24",


     

       
174

       

       
-

       
      "47.246.152.0/23",


     

       
175

       

       
-

       
      "47.246.93.0/24",


     

       
176

       

       
-

       
      "240b:4006:1010::/45",


     

       
177

       

       
-

       
      "47.254.224.0/19",


     

       
178

       

       
-

       
      "8.209.40.0/22",


     

       
179

       

       
-

       
      "149.129.64.0/18",


     

       
180

       

       
-

       
      "43.96.20.0/24",


     

       
181

       

       
-

       
      "240b:4000:8000::/33",


     

       
182

       

       
-

       
      "47.251.0.0/16",


     

       
183

       

       
-

       
      "240b:4002::/32",


     

       
184

       

       
-

       
      "8.222.16.0/21",


     

       
185

       

       
-

       
      "203.107.66.0/24",


     

       
186

       

       
-

       
      "8.222.24.0/21",


     

       
187

       

       
-

       
      "47.89.128.0/19",


     

       
188

       

       
-

       
      "240b:400c:8000::/33",


     

       
189

       

       
-

       
      "8.218.128.0/17",


     

       
190

       

       
-

       
      "8.216.128.0/17",


     

       
191

       

       
-

       
      "47.91.128.0/18",


     

       
192

       

       
-

       
      "8.221.64.0/18",


     

       
193

       

       
-

       
      "2404:2280:4000::/36",


     

       
194

       

       
-

       
      "8.211.80.0/21",


     

       
195

       

       
-

       
      "8.217.128.0/17",


     

       
196

       

       
-

       
      "8.220.229.0/24",


     

       
197

       

       
-

       
      "170.33.66.0/24",


     

       
198

       

       
-

       
      "47.237.0.0/16",


     

       
199

       

       
-

       
      "47.235.28.0/23",


     

       
200

       

       
-

       
      "170.33.74.0/24",


     

       
201

       

       
-

       
      "47.90.64.0/18",


     

       
202

       

       
-

       
      "47.246.82.0/23",


     

       
203

       

       
-

       
      "8.209.38.0/23",


     

       
204

       

       
-

       
      "240b:4005:8000::/33",


     

       
205

       

       
-

       
      "8.220.128.0/18",


     

       
206

       

       
-

       
      "139.95.14.0/23",


     

       
207

       

       
-

       
      "8.216.192.0/18",


     

       
208

       

       
-

       
      "8.218.0.0/16",


     

       
209

       

       
-

       
      "47.91.192.0/18",


     

       
210

       

       
-

       
      "8.221.48.0/21",


     

       
211

       

       
-

       
      "149.129.8.0/21",


     

       
212

       

       
-

       
      "43.91.0.0/16",


     

       
213

       

       
-

       
      "8.223.64.0/18",


     

       
214

       

       
-

       
      "8.216.148.0/24",


     

       
215

       

       
-

       
      "8.222.80.0/21",


     

       
216

       

       
-

       
      "2401:b180:4100::/48",


     

       
217

       

       
-

       
      "47.91.0.0/19",


     

       
218

       

       
-

       
      "47.246.154.0/24",


     

       
219

       

       
-

       
      "47.246.152.0/24",


     

       
220

       

       
-

       
      "47.250.64.0/18",


     

       
221

       

       
-

       
      "8.216.128.0/18",


     

       
222

       

       
-

       
      "170.33.72.0/24",


     

       
223

       

       
-

       
      "139.95.12.0/23",


     

       
224

       

       
-

       
      "240b:400c::/40",


     

       
225

       

       
-

       
      "8.221.128.0/18",


     

       
226

       

       
-

       
      "43.96.32.0/24",


     

       
227

       

       
-

       
      "47.90.128.0/17",


     

       
228

       

       
-

       
      "47.251.0.0/17",


     

       
229

       

       
-

       
      "43.96.34.0/24",


     

       
230

       

       
-

       
      "47.245.0.0/18",


     

       
231

       

       
-

       
      "47.85.112.0/23",


     

       
232

       

       
-

       
      "8.209.56.0/21",


     

       
233

       

       
-

       
      "8.213.252.0/24",


     

       
234

       

       
-

       
      "47.77.128.0/17",


     

       
235

       

       
-

       
      "139.95.2.0/23",


     

       
236

       

       
-

       
      "43.96.69.0/24",


     

       
237

       

       
-

       
      "161.117.126.0/24",


     

       
238

       

       
-

       
      "47.75.0.0/16",


     

       
239

       

       
-

       
      "47.89.82.0/23",


     

       
240

       

       
-

       
      "47.89.224.0/19",


     

       
241

       

       
-

       
      "8.209.0.0/20",


     

       
242

       

       
-

       
      "47.246.128.0/22",


     

       
243

       

       
-

       
      "8.221.0.0/21",


     

       
244

       

       
-

       
      "139.95.8.0/23",


     

       
245

       

       
-

       
      "47.253.128.0/17",


     

       
246

       

       
-

       
      "156.236.12.0/24",


     

       
247

       

       
-

       
      "203.107.65.0/24",


     

       
248

       

       
-

       
      "47.241.128.0/17",


     

       
249

       

       
-

       
      "8.222.88.0/21",


     

       
250

       

       
-

       
      "47.87.128.0/18",


     

       
251

       

       
-

       
      "47.254.128.0/18",


     

       
252

       

       
-

       
      "8.221.192.0/18",


     

       
253

       

       
-

       
      "240b:4001::/32",


     

       
254

       

       
-

       
      "47.235.16.0/24",


     

       
255

       

       
-

       
      "240b:4007::/32",


     

       
256

       

       
-

       
      "47.235.13.0/24",


     

       
257

       

       
-

       
      "47.235.24.0/23",


     

       
258

       

       
-

       
      "47.91.80.0/20",


     

       
259

       

       
-

       
      "43.96.11.0/24",


     

       
260

       

       
-

       
      "47.235.5.0/24",


     

       
261

       

       
-

       
      "8.209.160.0/19",


     

       
262

       

       
-

       
      "47.246.88.0/23",


     

       
263

       

       
-

       
      "47.77.4.0/22",


     

       
264

       

       
-

       
      "156.236.17.0/24",


     

       
265

       

       
-

       
      "8.209.224.0/19",


     

       
266

       

       
-

       
      "14.1.115.0/24",


     

       
267

       

       
-

       
      "149.129.96.0/19",


     

       
268

       

       
-

       
      "47.254.192.0/18",


     

       
269

       

       
-

       
      "47.245.192.0/18",


     

       
270

       

       
-

       
      "8.208.0.0/16",


     

       
271

       

       
-

       
      "47.83.0.0/16",


     

       
272

       

       
-

       
      "47.87.96.0/19",


     

       
273

       

       
-

       
      "47.252.64.0/18",


     

       
274

       

       
-

       
      "47.89.192.0/18",


     

       
275

       

       
-

       
      "47.89.122.0/24",


     

       
276

       

       
-

       
      "47.85.114.0/23",


     

       
277

       

       
-

       
      "2404:2280:1000::/36",


     

       
278

       

       
-

       
      "47.81.128.0/17",


     

       
279

       

       
-

       
      "47.246.147.0/24",


     

       
280

       

       
-

       
      "47.87.64.0/18",


     

       
281

       

       
-

       
      "47.235.9.0/24",


     

       
282

       

       
-

       
      "47.52.0.0/17",


     

       
283

       

       
-

       
      "47.246.156.0/22",


     

       
284

       

       
-

       
      "47.246.96.0/22",


     

       
285

       

       
-

       
      "47.74.0.0/18",


     

       
286

       

       
-

       
      "8.214.0.0/17",


     

       
287

       

       
-

       
      "47.246.192.0/22",


     

       
288

       

       
-

       
      "47.246.150.0/24",


     

       
289

       

       
-

       
      "43.91.0.0/17",


     

       
290

       

       
-

       
      "170.33.138.0/24",


     

       
291

       

       
-

       
      "8.213.0.0/18",


     

       
292

       

       
-

       
      "47.90.192.0/18",


     

       
293

       

       
-

       
      "47.85.0.0/16",


     

       
294

       

       
-

       
      "47.235.24.0/22",


     

       
295

       

       
-

       
      "47.235.16.0/23",


     

       
296

       

       
-

       
      "47.85.128.0/17",


     

       
297

       

       
-

       
      "103.81.186.0/23",


     

       
298

       

       
-

       
      "8.221.0.0/18",


     

       
299

       

       
-

       
      "43.96.7.0/24",


     

       
300

       

       
-

       
      "47.79.56.0/21",


     

       
301

       

       
-

       
      "240b:4013::/32",


     

       
302

       

       
-

       
      "47.89.108.0/22",


     

       
303

       

       
-

       
      "47.235.28.0/24",


     

       
304

       

       
-

       
      "47.246.82.0/24",


     

       
305

       

       
-

       
      "47.91.48.0/20",


     

       
306

       

       
-

       
      "185.78.106.0/23",


     

       
307

       

       
-

       
      "47.84.160.0/21",


     

       
308

       

       
-

       
      "140.205.1.0/24",


     

       
309

       

       
-

       
      "47.88.43.0/24",


     

       
310

       

       
-

       
      "47.83.32.0/21",


     

       
311

       

       
-

       
      "47.91.64.0/19",


     

       
312

       

       
-

       
      "43.96.100.0/24",


     

       
313

       

       
-

       
      "43.96.72.0/24",


     

       
314

       

       
-

       
      "47.87.0.0/18",


     

       
315

       

       
-

       
      "8.210.0.0/16",


     

       
316

       

       
-

       
      "47.88.192.0/18",


     

       
317

       

       
-

       
      "47.88.42.0/24",


     

       
318

       

       
-

       
      "170.33.92.0/24",


     

       
319

       

       
-

       
      "149.129.32.0/19",


     

       
320

       

       
-

       
      "47.52.128.0/17",


     

       
321

       

       
-

       
      "47.246.108.0/22",


     

       
322

       

       
-

       
      "8.221.56.0/21",


     

       
323

       

       
-

       
      "47.253.0.0/17",


     

       
324

       

       
-

       
      "110.76.23.0/24",


     

       
325

       

       
-

       
      "170.33.65.0/24",


     

       
326

       

       
-

       
      "240b:4006::/48",


     

       
327

       

       
-

       
      "47.245.0.0/19",


     

       
328

       

       
-

       
      "47.77.64.0/19",


     

       
329

       

       
-

       
      "8.209.39.0/24",


     

       
330

       

       
-

       
      "47.77.96.0/20",


     

       
331

       

       
-

       
      "47.80.128.0/18",


     

       
332

       

       
-

       
      "170.33.83.0/24",


     

       
333

       

       
-

       
      "47.77.32.0/19",


     

       
334

       

       
-

       
      "8.212.64.0/18",


     

       
335

       

       
-

       
      "43.96.40.0/24",


     

       
336

       

       
-

       
      "2400:b200:4102::/48",


     

       
337

       

       
-

       
      "43.96.81.0/24",


     

       
338

       

       
-

       
      "8.214.0.0/16",


     

       
339

       

       
-

       
      "161.117.128.0/24",


     

       
340

       

       
-

       
      "43.96.75.0/24",


     

       
341

       

       
-

       
      "8.215.160.0/24",


     

       
342

       

       
-

       
      "47.77.0.0/22",


     

       
343

       

       
-

       
      "47.239.0.0/16",


     

       
344

       

       
-

       
      "47.89.76.0/22",


     

       
345

       

       
-

       
      "47.82.14.0/23",


     

       
346

       

       
-

       
      "43.91.128.0/17",


     

       
347

       

       
-

       
      "47.89.88.0/22",


     

       
348

       

       
-

       
      "47.79.8.0/21",


     

       
349

       

       
-

       
      "240b:4004:8000::/33",


     

       
350

       

       
-

       
      "47.246.140.0/22",


     

       
351

       

       
-

       
      "43.96.74.0/24",


     

       
352

       

       
-

       
      "161.117.127.0/24",


     

       
353

       

       
-

       
      "8.212.192.0/19",


     

       
354

       

       
-

       
      "240b:4006:1000::/44",


     

       
355

       

       
-

       
      "47.80.192.0/18",


     

       
356

       

       
-

       
      "47.79.48.0/21",


     

       
357

       

       
-

       
      "47.254.64.0/18",


     

       
358

       

       
-

       
      "47.246.144.0/23",


     

       
359

       

       
-

       
      "47.246.92.0/24",


     

       
360

       

       
-

       
      "47.246.66.0/24",


     

       
361

       

       
-

       
      "47.246.150.0/23",


     

       
362

       

       
-

       
      "47.91.96.0/20",


     

       
363

       

       
-

       
      "47.89.98.0/23",


     

       
364

       

       
-

       
      "47.77.80.0/20",


     

       
365

       

       
-

       
      "8.210.240.0/24",


     

       
366

       

       
-

       
      "8.213.0.0/17",


     

       
367

       

       
-

       
      "47.250.99.0/24",


     

       
368

       

       
-

       
      "47.88.41.0/24",


     

       
369

       

       
-

       
      "47.80.32.0/19",


     

       
370

       

       
-

       
      "47.250.0.0/17",


     

       
371

       

       
-

       
      "43.96.8.0/24",


     

       
372

       

       
-

       
      "14.1.112.0/22",


     

       
373

       

       
-

       
      "240b:4006:1008::/45",


     

       
374

       

       
-

       
      "8.211.224.0/19",


     

       
375

       

       
-

       
      "47.84.144.0/21",


     

       
376

       

       
-

       
      "47.88.109.0/24",


     

       
377

       

       
-

       
      "2400:3200::/48",


     

       
378

       

       
-

       
      "47.56.0.0/16",


     

       
379

       

       
-

       
      "8.220.192.0/18",


     

       
380

       

       
-

       
      "8.223.0.0/17",


     

       
381

       

       
-

       
      "8.222.72.0/21",


     

       
382

       

       
-

       
      "47.246.69.0/24",


     

       
383

       

       
-

       
      "240b:4002:8000::/33",


     

       
384

       

       
-

       
      "43.96.66.0/24",


     

       
385

       

       
-

       
      "47.246.92.0/23",


     

       
386

       

       
-

       
      "47.246.136.0/22",


     

       
387

       

       
-

       
      "205.204.117.0/24",


     

       
388

       

       
-

       
      "8.222.80.0/20",


     

       
389

       

       
-

       
      "47.85.112.0/22",


     

       
390

       

       
-

       
      "47.79.128.0/19",


     

       
391

       

       
-

       
      "240b:400d:8000::/33",


     

       
392

       

       
-

       
      "170.33.64.0/24",


     

       
393

       

       
-

       
      "8.222.56.0/21",


     

       
394

       

       
-

       
      "240b:400d::/33",


     

       
395

       

       
-

       
      "8.222.64.0/20",


     

       
396

       

       
-

       
      "47.75.128.0/17",


     

       
397

       

       
-

       
      "8.209.48.0/21",


     

       
398

       

       
-

       
      "47.57.0.0/16",


     

       
399

       

       
-

       
      "139.95.0.0/23",


     

       
400

       

       
-

       
      "47.79.192.0/18",


     

       
401

       

       
-

       
      "170.33.30.0/24",


     

       
402

       

       
-

       
      "47.77.152.0/21",


     

       
403

       

       
-

       
      "8.212.192.0/18",


     

       
404

       

       
-

       
      "8.213.128.0/19",


     

       
405

       

       
-

       
      "47.77.6.0/23",


     

       
406

       

       
-

       
      "47.246.32.0/22",


     

       
407

       

       
-

       
      "140.205.122.0/24",


     

       
408

       

       
-

       
      "47.244.0.0/16",


     

       
409

       

       
-

       
      "47.246.158.0/23",


     

       
410

       

       
-

       
      "8.209.192.0/19",


     

       
411

       

       
-

       
      "170.33.77.0/24",


     

       
412

       

       
-

       
      "8.216.69.0/24",


     

       
413

       

       
-

       
      "8.213.192.0/19",


     

       
414

       

       
-

       
      "47.77.16.0/22",


     

       
415

       

       
-

       
      "47.235.10.0/24",


     

       
416

       

       
-

       
      "202.144.199.0/24",


     

       
417

       

       
-

       
      "47.254.0.0/17",


     

       
418

       

       
-

       
      "43.98.128.0/17",


     

       
419

       

       
-

       
      "240b:400c::/41",


     

       
420

       

       
-

       
      "47.250.128.0/17",


     

       
421

       

       
-

       
      "47.89.101.0/24",


     

       
422

       

       
-

       
      "47.90.128.0/18",


     

       
423

       

       
-

       
      "240b:4013:8000::/33",


     

       
424

       

       
-

       
      "8.209.44.0/23",


     

       
425

       

       
-

       
      "240b:400c:80::/41",


     

       
426

       

       
-

       
      "161.117.129.0/24",


     

       
427

       

       
-

       
      "47.91.64.0/20",


     

       
428

       

       
-

       
      "8.209.36.0/24",


     

       
429

       

       
-

       
      "8.221.8.0/21",


     

       
430

       

       
-

       
      "47.82.32.0/19",


     

       
431

       

       
-

       
      "47.77.4.0/23",


     

       
432

       

       
-

       
      "47.79.72.0/21",


     

       
433

       

       
-

       
      "8.212.160.0/19",


     

       
434

       

       
-

       
      "170.33.80.0/24",


     

       
435

       

       
-

       
      "47.246.156.0/23",


     

       
436

       

       
-

       
      "8.220.192.0/19",


     

       
437

       

       
-

       
      "47.246.68.0/24",


     

       
438

       

       
-

       
      "47.254.160.0/19",


     

       
439

       

       
-

       
      "47.82.56.0/21",


     

       
440

       

       
-

       
      "8.223.128.0/17",


     

       
441

       

       
-

       
      "47.74.128.0/18",


     

       
442

       

       
-

       
      "47.77.24.0/23",


     

       
443

       

       
-

       
      "170.33.93.0/24",


     

       
444

       

       
-

       
      "47.89.72.0/23",


     

       
445

       

       
-

       
      "47.84.152.0/21",


     

       
446

       

       
-

       
      "240b:400e::/32",


     

       
447

       

       
-

       
      "149.129.224.0/19",


     

       
448

       

       
-

       
      "2400:b200:4103::/48",


     

       
449

       

       
-

       
      "47.87.32.0/19",


     

       
450

       

       
-

       
      "47.86.0.0/16",


     

       
451

       

       
-

       
      "47.235.4.0/24",


     

       
452

       

       
-

       
      "139.95.6.0/23",


     

       
453

       

       
-

       
      "47.252.67.0/24",


     

       
454

       

       
-

       
      "47.246.123.0/24",


     

       
455

       

       
-

       
      "47.81.96.0/19",


     

       
456

       

       
-

       
      "43.96.10.0/24",


     

       
457

       

       
-

       
      "8.223.0.0/18",


     

       
458

       

       
-

       
      "240b:4005::/32",


     

       
459

       

       
-

       
      "47.246.130.0/23",


     

       
460

       

       
-

       
      "47.91.96.0/19",


     

       
461

       

       
-

       
      "240b:400b::/33",


     

       
462

       

       
-

       
      "47.246.132.0/23",


     

       
463

       

       
-

       
      "8.213.184.0/21",


     

       
464

       

       
-

       
      "47.246.124.0/24",


     

       
465

       

       
-

       
      "8.209.64.0/18",


     

       
466

       

       
-

       
      "2404:2280:3000::/36",


     

       
467

       

       
-

       
      "47.89.78.0/23",


     

       
468

       

       
-

       
      "47.250.128.0/18",


     

       
469

       

       
-

       
      "47.79.128.0/20",


     

       
470

       

       
-

       
      "240b:4011::/33",


     

       
471

       

       
-

       
      "47.244.128.0/17",


     

       
472

       

       
-

       
      "47.246.151.0/24",


     

       
473

       

       
-

       
      "8.211.226.0/24",


     

       
474

       

       
-

       
      "47.88.135.0/24",


     

       
475

       

       
-

       
      "47.80.0.0/18",


     

       
476

       

       
-

       
      "43.96.88.0/24",


     

       
477

       

       
-

       
      "47.235.6.0/23",


     

       
478

       

       
-

       
      "205.204.111.0/24",


     

       
479

       

       
-

       
      "240b:4006:1000::/45",


     

       
480

       

       
-

       
      "47.250.0.0/18",


     

       
481

       

       
-

       
      "47.89.76.0/23",


     

       
482

       

       
-

       
      "47.89.99.0/24",


     

       
483

       

       
-

       
      "8.211.0.0/17",


     

       
484

       

       
-

       
      "47.89.123.0/24",


     

       
485

       

       
-

       
      "8.209.128.0/19",


     

       
486

       

       
-

       
      "47.246.160.0/20",


     

       
487

       

       
-

       
      "43.99.0.0/16",


     

       
488

       

       
-

       
      "47.236.0.0/15",


     

       
489

       

       
-

       
      "240b:400e:fffe::/48",


     

       
490

       

       
-

       
      "47.80.96.0/19",


     

       
491

       

       
-

       
      "47.246.184.0/21",


     

       
492

       

       
-

       
      "47.235.8.0/24",


     

       
493

       

       
-

       
      "8.222.48.0/21",


     

       
494

       

       
-

       
      "47.89.94.0/23",


     

       
495

       

       
-

       
      "47.245.64.0/18",


     

       
496

       

       
-

       
      "47.77.128.0/21",


     

       
497

       

       
-

       
      "47.74.192.0/18",


     

       
498

       

       
-

       
      "2404:2280:4000::/37",


     

       
499

       

       
-

       
      "8.211.88.0/21",


     

       
500

       

       
-

       
      "8.213.192.0/18",


     

       
501

       

       
-

       
      "8.223.192.0/18",


     

       
502

       

       
-

       
      "240b:4002::/33",


     

       
503

       

       
-

       
      "149.129.64.0/19",


     

       
504

       

       
-

       
      "47.241.0.0/16",


     

       
505

       

       
-

       
      "240b:4006:1018::/45",


     

       
506

       

       
-

       
      "8.216.0.0/17",


     

       
507

       

       
-

       
      "149.129.0.0/21",


     

       
508

       

       
-

       
      "47.254.0.0/18",


     

       
509

       

       
-

       
      "8.220.64.0/18",


     

       
510

       

       
-

       
      "43.96.22.0/24",


     

       
511

       

       
-

       
      "170.33.33.0/24",


     

       
512

       

       
-

       
      "47.91.32.0/19",


     

       
513

       

       
-

       
      "47.246.76.0/22",


     

       
514

       

       
-

       
      "47.246.68.0/23",


     

       
515

       

       
-

       
      "47.246.146.0/23",


     

       
516

       

       
-

       
      "47.254.113.0/24",


     

       
517

       

       
-

       
      "47.89.128.0/18",


     

       
518

       

       
-

       
      "47.77.144.0/21",


     

       
519

       

       
-

       
      "47.89.104.0/22",


     

       
520

       

       
-

       
      "8.211.96.0/21",


     

       
521

       

       
-

       
      "47.80.0.0/19",


     

       
522

       

       
-

       
      "47.246.104.0/22",


     

       
523

       

       
-

       
      "47.80.64.0/18",


     

       
524

       

       
-

       
      "161.117.0.0/17",


     

       
525

       

       
-

       
      "170.33.88.0/24",


     

       
526

       

       
-

       
      "47.77.2.0/23",


     

       
527

       

       
-

       
      "47.241.0.0/17",


     

       
528

       

       
-

       
      "47.79.224.0/19",


     

       
529

       

       
-

       
      "170.33.105.0/24",


     

       
530

       

       
-

       
      "47.82.12.0/23",


     

       
531

       

       
-

       
      "47.246.146.0/24",


     

       
532

       

       
-

       
      "8.213.144.0/20",


     

       
533

       

       
-

       
      "43.99.0.0/17",


     

       
534

       

       
-

       
      "47.89.88.0/23",


     

       
535

       

       
-

       
      "8.220.64.0/19",


     

       
536

       

       
-

       
      "47.89.90.0/23",


     

       
537

       

       
-

       
      "47.235.19.0/24",


     

       
538

       

       
-

       
      "8.215.128.0/17",


     

       
539

       

       
-

       
      "47.235.21.0/24",


     

       
540

       

       
-

       
      "47.81.192.0/18",


     

       
541

       

       
-

       
      "8.211.0.0/18",


     

       
542

       

       
-

       
      "47.246.72.0/22",


     

       
543

       

       
-

       
      "8.211.64.0/18",


     

       
544

       

       
-

       
      "203.107.68.0/24",


     

       
545

       

       
-

       
      "59.82.136.0/23",


     

       
546

       

       
-

       
      "8.209.44.0/22",


     

       
547

       

       
-

       
      "8.209.36.0/23",


     

       
548

       

       
-

       
      "47.89.0.0/18",


     

       
549

       

       
-

       
      "8.216.0.0/18",


     

       
550

       

       
-

       
      "47.246.104.0/21",


     

       
551

       

       
-

       
      "240b:400b::/32",


     

       
552

       

       
-

       
      "47.246.72.0/21",


     

       
553

       

       
-

       
      "8.214.128.0/17",


     

       
554

       

       
-

       
      "8.209.48.0/20",


     

       
555

       

       
-

       
      "170.33.86.0/24",


     

       
556

       

       
-

       
      "110.76.21.0/24",


     

       
557

       

       
-

       
      "8.209.128.0/18",


     

       
558

       

       
-

       
      "8.222.96.0/20",


     

       
559

       

       
-

       
      "47.89.100.0/24",


     

       
560

       

       
-

       
      "47.89.192.0/19",


     

       
561

       

       
-

       
      "8.213.128.0/20",


     

       
562

       

       
-

       
      "2400:b200:4100::/48",


     

       
563

       

       
-

       
      "8.208.0.0/17",


     

       
564

       

       
-

       
      "170.33.90.0/24",


     

       
565

       

       
-

       
      "47.83.0.0/17",


     

       
566

       

       
-

       
      "240b:400c:100::/40",


     

       
567

       

       
-

       
      "170.33.82.0/24",


     

       
568

       

       
-

       
      "8.222.32.0/21",


     

       
569

       

       
-

       
      "47.246.86.0/23",


     

       
570

       

       
-

       
      "47.52.0.0/16",


     

       
571

       

       
-

       
      "47.79.192.0/19",


     

       
572

       

       
-

       
      "2404:2280:1800::/37",


     

       
573

       

       
-

       
      "8.222.112.0/20",


     

       
574

       

       
-

       
      "170.33.24.0/24",


     

       
575

       

       
-

       
      "47.89.92.0/23",


     

       
576

       

       
-

       
      "47.78.0.0/17",


     

       
577

       

       
-

       
      "47.84.0.0/16",


     

       
578

       

       
-

       
      "240b:400b:8000::/33",


     

       
579

       

       
-

       
      "8.209.38.0/24",


     

       
580

       

       
-

       
      "47.235.7.0/24",


     

       
581

       

       
-

       
      "47.235.23.0/24",


     

       
582

       

       
-

       
      "47.237.34.0/24",


     

       
583

       

       
-

       
      "47.79.144.0/20",


     

       
584

       

       
-

       
      "43.96.71.0/24",


     

       
585

       

       
-

       
      "5.181.224.0/23",


     

       
586

       

       
-

       
      "47.246.88.0/22",


     

       
587

       

       
-

       
      "47.246.96.0/21",


     

       
588

       

       
-

       
      "47.82.0.0/19",


     

       
589

       

       
-

       
      "8.209.40.0/23",


     

       
590

       

       
-

       
      "47.77.48.0/20",


     

       
591

       

       
-

       
      "8.209.16.0/20",


     

       
592

       

       
-

       
      "240b:4009::/32",


     

       
593

       

       
-

       
      "47.246.176.0/20",


     

       
594

       

       
-

       
      "47.250.192.0/18",


     

       
595

       

       
-

       
      "47.246.168.0/21",


     

       
596

       

       
-

       
      "47.89.160.0/19",


     

       
597

       

       
-

       
      "8.222.32.0/20",


     

       
598

       

       
-

       
      "223.5.5.0/24",


     

       
599

       

       
-

       
      "47.81.0.0/18",


     

       
600

       

       
-

       
      "47.89.96.0/24",


     

       
601

       

       
-

       
      "47.77.0.0/23",


     

       
602

       

       
-

       
      "43.96.24.0/24",


     

       
603

       

       
-

       
      "8.221.128.0/17",


     

       
604

       

       
-

       
      "47.246.144.0/24",


     

       
605

       

       
-

       
      "47.246.125.0/24",


     

       
606

       

       
-

       
      "240b:400e:ffff::/48",


     

       
607

       

       
-

       
      "47.84.0.0/17",


     

       
608

       

       
-

       
      "170.33.106.0/24",


     

       
609

       

       
-

       
      "156.227.20.0/24",


     

       
610

       

       
-

       
      "170.33.35.0/24",


     

       
611

       

       
-

       
      "240b:4006:1028::/45",


     

       
612

       

       
-

       
      "170.33.78.0/24",


     

       
613

       

       
-

       
      "198.11.128.0/18",


     

       
614

       

       
-

       
      "8.210.0.0/17",


     

       
615

       

       
-

       
      "47.83.40.0/21",


     

       
616

       

       
-

       
      "47.89.80.0/23",


     

       
617

       

       
-

       
      "43.98.0.0/16",


     

       
618

       

       
-

       
      "47.88.0.0/18",


     

       
619

       

       
-

       
      "47.89.74.0/23",


     

       
620

       

       
-

       
      "43.96.67.0/24",


     

       
621

       

       
-

       
      "47.79.48.0/20",


     

       
622

       

       
-

       
      "2404:2280:3800::/37",


     

       
623

       

       
-

       
      "47.235.11.0/24",


     

       
624

       

       
-

       
      "8.220.160.0/19",


     

       
625

       

       
-

       
      "43.96.84.0/24",


     

       
626

       

       
-

       
      "8.221.208.0/21",


     

       
627

       

       
-

       
      "139.95.18.0/23",


     

       
628

       

       
-

       
      "47.246.84.0/22",


     

       
629

       

       
-

       
      "47.77.16.0/21",


     

       
630

       

       
-

       
      "170.33.69.0/24",


     

       
631

       

       
-

       
      "47.78.128.0/17",


     

       
632

       

       
-

       
      "8.220.96.0/19",


     

       
633

       

       
-

       
      "8.209.0.0/19",


     

       
634

       

       
-

       
      "240b:400d::/32",


     

       
635

       

       
-

       
      "205.204.102.0/23",


     

       
636

       

       
-

       
      "47.87.128.0/19",


     

       
637

       

       
-

       
      "47.83.128.0/17",


     

       
638

       

       
-

       
      "8.218.0.0/17",


     

       
639

       

       
-

       
      "47.235.10.0/23",


     

       
640

       

       
-

       
      "8.208.128.0/17",


     

       
641

       

       
-

       
      "170.33.137.0/24",


     

       
642

       

       
-

       
      "8.209.37.0/24",


     

       
643

       

       
-

       
      "8.220.128.0/19",


     

       
644

       

       
-

       
      "47.79.112.0/20",


     

       
645

       

       
-

       
      "47.243.0.0/16",


     

       
646

       

       
-

       
      "47.246.196.0/23",


     

       
647

       

       
-

       
      "170.33.79.0/24",


     

       
648

       

       
-

       
      "47.252.0.0/18",


     

       
649

       

       
-

       
      "47.87.0.0/19",


     

       
650

       

       
-

       
      "2404:2280:2000::/36",


     

       
651

       

       
-

       
      "47.79.58.0/23",


     

       
652

       

       
-

       
      "170.33.34.0/24",


     

       
653

       

       
-

       
      "47.246.132.0/22",


     

       
654

       

       
-

       
      "240b:4012::/48",


     

       
655

       

       
-

       
      "47.91.112.0/20",


     

       
656

       

       
-

       
      "47.77.32.0/20",


     

       
657

       

       
-

       
      "240b:4005::/33",


     

       
658

       

       
-

       
      "8.222.8.0/21",


     

       
659

       

       
-

       
      "47.246.194.0/23",


     

       
660

       

       
-

       
      "2404:2280:1000::/37",


     

       
661

       

       
-

       
      "8.221.200.0/21",


     

       
662

       

       
-

       
      "43.96.23.0/24",


     

       
663

       

       
-

       
      "47.82.64.0/18",


     

       
664

       

       
-

       
      "147.139.128.0/17",


     

       
665

       

       
-

       
      "8.211.192.0/19",


     

       
666

       

       
-

       
      "47.251.128.0/17",


     

       
667

       

       
-

       
      "240b:4011::/32",


     

       
668

       

       
-

       
      "8.222.0.0/20",


     

       
669

       

       
-

       
      "47.235.12.0/24",


     

       
670

       

       
-

       
      "43.99.128.0/17",


     

       
671

       

       
-

       
      "47.246.80.0/24",


     

       
672

       

       
-

       
      "47.246.67.0/24",


     

       
673

       

       
-

       
      "47.246.122.0/24",


     

       
674

       

       
-

       
      "156.245.1.0/24",


     

       
675

       

       
-

       
      "8.210.128.0/17",


     

       
676

       

       
-

       
      "8.213.64.0/18",


     

       
677

       

       
-

       
      "45.199.179.0/24",


     

       
678

       

       
-

       
      "47.235.0.0/22",


     

       
679

       

       
-

       
      "47.246.136.0/21",


     

       
680

       

       
-

       
      "8.213.164.0/22",


     

       
681

       

       
-

       
      "8.209.192.0/18",


     

       
682

       

       
-

       
      "47.77.24.0/22",


     

       
683

       

       
-

       
      "47.82.64.0/19",


     

       
684

       

       
-

       
      "47.244.73.0/24",


     

       
685

       

       
-

       
      "47.89.72.0/22",


     

       
686

       

       
-

       
      "47.76.128.0/17",


     

       
687

       

       
-

       
      "47.76.0.0/16",


     

       
688

       

       
-

       
      "47.245.128.0/17",


     

       
689

       

       
-

       
      "47.75.0.0/17",


     

       
690

       

       
-

       
      "47.245.96.0/19",


     

       
691

       

       
-

       
      "47.235.20.0/24",


     

       
692

       

       
-

       
      "47.79.52.0/23",


     

       
693

       

       
-

       
      "47.79.80.0/20",


     

       
694

       

       
-

       
      "47.82.32.0/21",


     

       
695

       

       
-

       
      "47.251.224.0/22",


     

       
696

       

       
-

       
      "47.74.128.0/17",


     

       
697

       

       
-

       
      "223.6.6.0/24",


     

       
698

       

       
-

       
      "47.246.128.0/23",


     

       
699

       

       
-

       
      "147.139.128.0/18",


     

       
700

       

       
-

       
      "47.246.84.0/23",


     

       
701

       

       
-

       
      "240b:4007::/33",


     

       
702

       

       
-

       
      "170.33.85.0/24",


     

       
703

       

       
-

       
      "43.96.102.0/24",


     

       
704

       

       
-

       
      "43.98.0.0/17",


     

       
705

       

       
-

       
      "203.107.67.0/24",


     

       
706

       

       
-

       
      "8.222.0.0/21",


     

       
707

       

       
-

       
      "2404:2280:2800::/37",


     

       
708

       

       
-

       
      "43.96.101.0/24",


     

       
709

       

       
-

       
      "170.33.84.0/24",


     

       
710

       

       
-

       
      "8.219.128.0/17",


     

       
711

       

       
-

       
      "47.80.64.0/19",


     

       
712

       

       
-

       
      "43.96.85.0/24",


     

       
713

       

       
-

       
      "43.96.96.0/24",


     

       
714

       

       
-

       
      "43.96.73.0/24",


     

       
715

       

       
-

       
      "47.246.100.0/22",


     

       
716

       

       
-

       
      "47.79.60.0/23",


     

       
717

       

       
-

       
      "47.77.26.0/23",


     

       
718

       

       
-

       
      "8.222.128.0/17",


     

       
719

       

       
-

       
      "161.117.138.0/24",


     

       
720

       

       
-

       
      "47.235.18.0/23",


     

       
721

       

       
-

       
      "47.235.0.0/23",


     

       
722

       

       
-

       
      "240b:4006:1010::/44",


     

       
723

       

       
-

       
      "47.76.0.0/17",


     

       
724

       

       
-

       
      "8.221.216.0/21",


     

       
725

       

       
-

       
      "47.82.8.0/23",


     

       
726

       

       
-

       
      "2404:2280:4800::/37",


     

       
727

       

       
-

       
      "170.33.29.0/24",


     

       
728

       

       
-

       
      "47.245.128.0/18",


     

       
729

       

       
-

       
      "47.79.80.0/21",


     

       
730

       

       
-

       
      "47.89.221.0/24",


     

       
731

       

       
-

       
      "198.11.184.0/21",


     

       
732

       

       
-

       
      "240b:4009:8000::/33",


     

       
733

       

       
-

       
      "8.215.162.0/23",


     

       
734

       

       
-

       
      "8.211.128.0/19",


     

       
735

       

       
-

       
      "47.79.83.0/24",


     

       
736

       

       
-

       
      "2408:4009:500::/48",


     

       
737

       

       
-

       
      "47.81.64.0/19",


     

       
738

       

       
-

       
      "8.208.0.0/19",


     

       
739

       

       
-

       
      "47.240.0.0/17",


     

       
740

       

       
-

       
      "47.79.64.0/21",


     

       
741

       

       
-

       
      "47.90.0.0/18",


     

       
742

       

       
-

       
      "43.96.70.0/24",


     

       
743

       

       
-

       
      "149.129.0.0/20",


     

       
744

       

       
-

       
      "240b:400c::/33",


     

       
745

       

       
-

       
      "2408:4000:1000::/48",


     

       
746

       

       
-

       
      "170.33.76.0/24",


     

       
747

       

       
-

       
      "205.204.96.0/19",


     

       
748

       

       
-

       
      "47.88.64.0/18",


     

       
749

       

       
-

       
      "8.209.96.0/19",


     

       
750

       

       
-

       
      "47.79.104.0/21",


     

       
751

       

       
-

       
      "47.82.10.0/23",


     

       
752

       

       
-

       
      "47.79.88.0/21",


     

       
753

       

       
-

       
      "47.245.64.0/19",


     

       
754

       

       
-

       
      "139.95.16.0/23",


     

       
755

       

       
-

       
      "47.77.20.0/22",


     

       
756

       

       
-

       
      "240b:400f::/33",


     

       
757

       

       
-

       
      "47.235.2.0/23",


     

       
758

       

       
-

       
      "8.221.0.0/17",


     

       
759

       

       
-

       
      "8.213.160.0/22",


     

       
760

       

       
-

       
      "8.215.169.0/24",


     

       
761

       

       
-

       
      "170.33.81.0/24",


     

       
762

       

       
-

       
      "47.89.124.0/24",


     

       
763

       

       
-

       
      "47.235.30.0/24",


     

       
764

       

       
-

       
      "47.79.62.0/23",


     

       
765

       

       
-

       
      "43.96.68.0/24",


     

       
766

       

       
-

       
      "47.246.120.0/24",


     

       
767

       

       
-

       
      "8.221.192.0/21",


     

       
768

       

       
-

       
      "8.221.184.0/22",


     

       
769

       

       
-

       
      "47.77.136.0/21",


     

       
770

       

       
-

       
      "8.220.224.0/19",


     

       
771

       

       
-

       
      "156.240.76.0/23",


     

       
772

       

       
-

       
      "8.208.141.0/24",


     

       
773

       

       
-

       
      "2404:2280:2000::/37",


     

       
774

       

       
-

       
      "47.84.128.0/17",


     

       
775

       

       
-

       
      "47.85.0.0/17",


     

       
776

       

       
-

       
      "8.217.0.0/17",


     

       
777

       

       
-

       
      "47.89.84.0/24",


     

       
778

       

       
-

       
      "47.238.0.0/15",


     

       
779

       

       
-

       
      "47.86.128.0/17",


     

       
780

       

       
-

       
      "240b:4011:8000::/33",


     

       
781

       

       
-

       
      "240b:4006:1000::/47",


     

       
782

       

       
-

       
      "47.246.134.0/23",


     

       
783

       

       
-

       
      "47.79.96.0/20",


     

       
784

       

       
-

       
      "47.79.0.0/21",


     

       
785

       

       
-

       
      "47.89.103.0/24",


     

       
786

       

       
-

       
      "47.89.97.0/24",


     

       
787

       

       
-

       
      "240b:4000::/33",


     

       
788

       

       
-

       
      "47.242.0.0/16",


     

       
789

       

       
-

       
      "47.56.0.0/15",


     

       
790

       

       
-

       
      "47.91.32.0/20",


     

       
791

       

       
-

       
      "147.139.192.0/18",


     

       
792

       

       
-

       
      "240b:4013::/33",


     

       
793

       

       
-

       
      "47.79.40.0/21",


     

       
794

       

       
-

       
      "8.209.46.0/23",


     

       
795

       

       
-

       
      "47.82.48.0/21",


     

       
796

       

       
-

       
      "47.82.40.0/21",


     

       
797

       

       
-

       
      "47.87.192.0/22",


     

       
798

       

       
-

       
      "47.87.192.0/23",


     

       
799

       

       
-

       
      "47.87.194.0/23",


     

       
800

       

       
-

       
      "47.87.196.0/22",


     

       
801

       

       
-

       
      "47.87.196.0/23",


     

       
802

       

       
-

       
      "47.87.198.0/23",


     

       
803

       

       
-

       
      "240b:400c:ffff::/48",


     

       
804

       

       
-

       
      "47.87.208.0/23",


     

       
805

       

       
-

       
      "47.87.210.0/23",


     

       
806

       

       
-

       
      "47.87.208.0/22",


     

       
807

       

       
-

       
      "47.87.222.0/23",


     

       
808

       

       
-

       
      "47.87.216.0/23",


     

       
809

       

       
-

       
      "47.87.200.0/23",


     

       
810

       

       
-

       
      "47.87.220.0/23",


     

       
811

       

       
-

       
      "47.87.216.0/22",


     

       
812

       

       
-

       
      "47.87.224.0/22",


     

       
813

       

       
-

       
      "47.87.204.0/22",


     

       
814

       

       
-

       
      "47.87.212.0/23",


     

       
815

       

       
-

       
      "47.87.226.0/23",


     

       
816

       

       
-

       
      "47.87.200.0/22",


     

       
817

       

       
-

       
      "47.87.206.0/23",


     

       
818

       

       
-

       
      "43.100.0.0/16",


     

       
819

       

       
-

       
      "47.87.212.0/22",


     

       
820

       

       
-

       
      "47.87.218.0/23",


     

       
821

       

       
-

       
      "47.87.214.0/23",


     

       
822

       

       
-

       
      "43.100.0.0/15",


     

       
823

       

       
-

       
      "47.87.204.0/23",


     

       
824

       

       
-

       
      "47.87.220.0/22",


     

       
825

       

       
-

       
      "43.101.0.0/16",


     

       
826

       

       
-

       
      "47.87.224.0/23",


     

       
827

       

       
-

       
      "47.87.202.0/23",


     

       
828

       

       
-

       
    ]
-4
packages/anubis-files/src/rules/challenge/generic-browser.yaml 
···

       
1

       

       
-

       
- name: generic-browser


     

       
2

       

       
-

       
  user_agent_regex: >-


     

       
3

       

       
-

       
    Mozilla|Opera


     

       
4

       

       
-

       
  action: CHALLENGE
+26
packages/bgutil-pot-server/librusty_v8.nix 
···

       

       
1

       
+

       
# COPIED FROM nixpkgs/pkgs/by-name/router


     

       

       
2

       
+

       
{


     

       

       
3

       
+

       
  lib,


     

       

       
4

       
+

       
  stdenv,


     

       

       
5

       
+

       
  fetchurl,


     

       

       
6

       
+

       
}:


     

       

       
7

       
+

       



     

       

       
8

       
+

       
let


     

       

       
9

       
+

       
  fetch_librusty_v8 =


     

       

       
10

       
+

       
    args:


     

       

       
11

       
+

       
    fetchurl {


     

       

       
12

       
+

       
      name = "librusty_v8-${args.version}";


     

       

       
13

       
+

       
      url = "https://github.com/denoland/rusty_v8/releases/download/v${args.version}/librusty_v8_release_${stdenv.hostPlatform.rust.rustcTarget}.a";


     

       

       
14

       
+

       
      sha256 = args.shas.${stdenv.hostPlatform.system};


     

       

       
15

       
+

       
      meta = {


     

       

       
16

       
+

       
        inherit (args) version;


     

       

       
17

       
+

       
        sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];


     

       

       
18

       
+

       
      };


     

       

       
19

       
+

       
    };


     

       

       
20

       
+

       
in


     

       

       
21

       
+

       
fetch_librusty_v8 {


     

       

       
22

       
+

       
  version = "130.0.7";


     

       

       
23

       
+

       
  shas = {


     

       

       
24

       
+

       
    x86_64-linux = "sha256-pkdsuU6bAkcIHEZUJOt5PXdzK424CEgTLXjLtQ80t10=";


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
+49
packages/bgutil-pot-server/package.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  lib,


     

       

       
3

       
+

       
  callPackage,


     

       

       
4

       
+

       
  rustPlatform,


     

       

       
5

       
+

       
  fetchFromGitHub,


     

       

       
6

       
+

       
  pkg-config,


     

       

       
7

       
+

       
  openssl,


     

       

       
8

       
+

       
  _experimental-update-script-combinators,


     

       

       
9

       
+

       
  nix-update-script,


     

       

       
10

       
+

       
}:


     

       

       
11

       
+

       
rustPlatform.buildRustPackage (finalAttrs: {


     

       

       
12

       
+

       
  pname = "bgutil-pot-server";


     

       

       
13

       
+

       
  version = "0.6.0";


     

       

       
14

       
+

       



     

       

       
15

       
+

       
  src = fetchFromGitHub {


     

       

       
16

       
+

       
    owner = "jim60105";


     

       

       
17

       
+

       
    repo = "bgutil-ytdlp-pot-provider-rs";


     

       

       
18

       
+

       
    tag = "v${finalAttrs.version}";


     

       

       
19

       
+

       
    hash = "sha256-kEu5WqOymH8yAyMhGKtVPOq3qlTRpFU/FO71uWEX/e8=";


     

       

       
20

       
+

       
  };


     

       

       
21

       
+

       



     

       

       
22

       
+

       
  cargoHash = "sha256-fJZeyIsFUfpWeC1MWsU1hANb6cqC9xHQOnhcohEMTeM=";


     

       

       
23

       
+

       



     

       

       
24

       
+

       
  nativeBuildInputs = [


     

       

       
25

       
+

       
    pkg-config


     

       

       
26

       
+

       
  ];


     

       

       
27

       
+

       



     

       

       
28

       
+

       
  buildInputs = [


     

       

       
29

       
+

       
    openssl


     

       

       
30

       
+

       
  ];


     

       

       
31

       
+

       



     

       

       
32

       
+

       
  env.RUSTY_V8_ARCHIVE = callPackage ./librusty_v8.nix { };


     

       

       
33

       
+

       



     

       

       
34

       
+

       
  doCheck = false;


     

       

       
35

       
+

       



     

       

       
36

       
+

       
  passthru.updateScript = _experimental-update-script-combinators.sequence [


     

       

       
37

       
+

       
    (nix-update-script { })


     

       

       
38

       
+

       
    ./update-librusty.sh


     

       

       
39

       
+

       
  ];


     

       

       
40

       
+

       



     

       

       
41

       
+

       
  meta = {


     

       

       
42

       
+

       
    changelog = "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs/releases/tag/v${finalAttrs.version}";


     

       

       
43

       
+

       
    description = "Proof-of-origin token provider plugin for yt-dlp in Rust";


     

       

       
44

       
+

       
    homepage = "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs";


     

       

       
45

       
+

       
    license = lib.licenses.gpl3Plus;


     

       

       
46

       
+

       
    maintainers = with lib.maintainers; [ pyrox0 ];


     

       

       
47

       
+

       
    mainProgram = "bgutil-pot";


     

       

       
48

       
+

       
  };


     

       

       
49

       
+

       
})
+45
packages/bgutil-pot-server/update-librusty.sh 
···

       

       
1

       
+

       
#!/usr/bin/env nix-shell


     

       

       
2

       
+

       
#!nix-shell -i bash -p gnugrep gnused nix jq


     

       

       
3

       
+

       
# shellcheck shell=bash


     

       

       
4

       
+

       
# COPIED FROM nixpkgs/pkgs/by-name/wi/windmill


     

       

       
5

       
+

       



     

       

       
6

       
+

       
set -eu -o pipefail


     

       

       
7

       
+

       



     

       

       
8

       
+

       
echo "librusty_v8: UPDATING"


     

       

       
9

       
+

       



     

       

       
10

       
+

       
BGUTIL_LATEST_VERSION=$(curl ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} --silent --fail --location "https://api.github.com/repos/jim60105/bgutil-ytdlp-pot-provider-rs/releases/latest" | jq --raw-output .tag_name)


     

       

       
11

       
+

       
CARGO_LOCK=$(curl ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"} --silent --fail --location "https://github.com/jim60105/bgutil-ytdlp-pot-provider-rs/raw/$BGUTIL_LATEST_VERSION/Cargo.lock")


     

       

       
12

       
+

       



     

       

       
13

       
+

       
PACKAGE_DIR=$(dirname "$(readlink --canonicalize-existing "${BASH_SOURCE[0]}")")


     

       

       
14

       
+

       
OUTPUT_FILE="$PACKAGE_DIR/librusty_v8.nix"


     

       

       
15

       
+

       
NEW_VERSION=$(echo "$CARGO_LOCK" | grep --after-context 5 'name = "v8"' | grep 'version =' | sed -E 's/version = "//;s/"//')


     

       

       
16

       
+

       



     

       

       
17

       
+

       
CURRENT_VERSION=""


     

       

       
18

       
+

       
if [ -f "$OUTPUT_FILE" ]; then


     

       

       
19

       
+

       
  CURRENT_VERSION="$(grep 'version =' "$OUTPUT_FILE" | sed -E 's/version = "//;s/"//')"


     

       

       
20

       
+

       
fi


     

       

       
21

       
+

       



     

       

       
22

       
+

       
if [ "$CURRENT_VERSION" == "$NEW_VERSION" ]; then


     

       

       
23

       
+

       
  echo "No update needed, $CURRENT_VERSION is already latest"


     

       

       
24

       
+

       
  exit 0


     

       

       
25

       
+

       
fi


     

       

       
26

       
+

       



     

       

       
27

       
+

       
x86Hash="$(nix-prefetch-url --type sha256 https://github.com/denoland/rusty_v8/releases/download/v"$NEW_V")"


     

       

       
28

       
+

       
TEMP_FILE="$OUTPUT_FILE.tmp"


     

       

       
29

       
+

       
cat >"$TEMP_FILE" <<EOF


     

       

       
30

       
+

       
# COPIED FROM nixpkgs/pkgs/by-name/wi/windmill


     

       

       
31

       
+

       
# auto-generated file -- DO NOT EDIT!


     

       

       
32

       
+

       
{ fetchLibrustyV8 }:


     

       

       
33

       
+

       



     

       

       
34

       
+

       
fetchLibrustyV8 {


     

       

       
35

       
+

       
  version = "$NEW_VERSION";


     

       

       
36

       
+

       
  shas = {


     

       

       
37

       
+

       
    # NOTE; Follows supported platforms of package (see meta.platforms attribute)!


     

       

       
38

       
+

       
    x86_64-linux = "$(nix hash convert --hash-algo sha256 --from nix32 "$x86Hash")";


     

       

       
39

       
+

       
  };


     

       

       
40

       
+

       
}


     

       

       
41

       
+

       
EOF


     

       

       
42

       
+

       



     

       

       
43

       
+

       
mv "$TEMP_FILE" "$OUTPUT_FILE"


     

       

       
44

       
+

       



     

       

       
45

       
+

       
echo "librusty_v8: UPDATE DONE"
-31
packages/default.nix 
···

       
1

       

       
-

       
{ ... }:


     

       
2

       

       
-

       
{


     

       
3

       

       
-

       



     

       
4

       

       
-

       
  perSystem =


     

       
5

       

       
-

       
    {


     

       
6

       

       
-

       
      pkgs,


     

       
7

       

       
-

       
      lib,


     

       
8

       

       
-

       
      ...


     

       
9

       

       
-

       
    }:


     

       
10

       

       
-

       
    let


     

       
11

       

       
-

       
      packages = lib.makeScope pkgs.newScope (_: {


     

       
12

       

       
-

       
        anubis-files = pkgs.callPackage ./anubis-files { };


     

       
13

       

       
-

       
        doc2dash = pkgs.callPackage ./doc2dash { };


     

       
14

       

       
-

       
        jellyfin-exporter = pkgs.callPackage ./jellyfin-exporter { };


     

       
15

       

       
-

       
        pingvin-share-config = pkgs.callPackage ./pingvin-share-config { };


     

       
16

       

       
-

       



     

       
17

       

       
-

       
      });


     

       
18

       

       
-

       
    in


     

       
19

       

       
-

       
    {


     

       
20

       

       
-

       
      legacyPackages = packages;


     

       
21

       

       
-

       
      packages = lib.filterAttrs (


     

       
22

       

       
-

       
        _: pkg:


     

       
23

       

       
-

       
        let


     

       
24

       

       
-

       
          isDerivation = lib.isDerivation pkg;


     

       
25

       

       
-

       
          availableOnHost = lib.meta.availableOn pkgs.stdenv.hostPlatform pkg;


     

       
26

       

       
-

       
          isBroken = pkg.meta.broken or false;


     

       
27

       

       
-

       
        in


     

       
28

       

       
-

       
        isDerivation && !isBroken && availableOnHost


     

       
29

       

       
-

       
      ) packages;


     

       
30

       

       
-

       
    };


     

       
31

       

       
-

       
}
-24
packages/doc2dash/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  fetchFromGitHub,


     

       
3

       

       
-

       
  python3Packages,


     

       
4

       

       
-

       
}: python3Packages.buildPythonApplication rec {


     

       
5

       

       
-

       
  pname = "doc2dash";


     

       
6

       

       
-

       
  version = "3.1.0";


     

       
7

       

       
-

       
  pyproject = true;


     

       
8

       

       
-

       



     

       
9

       

       
-

       
  src = fetchFromGitHub {


     

       
10

       

       
-

       
    owner = "hynek";


     

       
11

       

       
-

       
    repo = "doc2dash";


     

       
12

       

       
-

       
    rev = version;


     

       
13

       

       
-

       
    hash = "sha256-u6K+BDc9tUxq4kCekTaqQLtNN/OLVc3rh14sVSfPtoQ=";


     

       
14

       

       
-

       
  };


     

       
15

       

       
-

       



     

       
16

       

       
-

       
  build-system = with python3Packages; [ hatchling hatch-vcs hatch-fancy-pypi-readme];


     

       
17

       

       
-

       



     

       
18

       

       
-

       
  dependencies = with python3Packages; [attrs beautifulsoup4 click rich];


     

       
19

       

       
-

       



     

       
20

       

       
-

       
  nativeCheckInputs = with python3Packages; [


     

       
21

       

       
-

       
    pytestCheckHook


     

       
22

       

       
-

       
    pytest-cov-stub


     

       
23

       

       
-

       
  ];


     

       
24

       

       
-

       
}
+34
packages/doc2dash/package.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  fetchFromGitHub,


     

       

       
3

       
+

       
  python3Packages,


     

       

       
4

       
+

       
}:


     

       

       
5

       
+

       
python3Packages.buildPythonApplication rec {


     

       

       
6

       
+

       
  pname = "doc2dash";


     

       

       
7

       
+

       
  version = "3.1.0";


     

       

       
8

       
+

       
  pyproject = true;


     

       

       
9

       
+

       



     

       

       
10

       
+

       
  src = fetchFromGitHub {


     

       

       
11

       
+

       
    owner = "hynek";


     

       

       
12

       
+

       
    repo = "doc2dash";


     

       

       
13

       
+

       
    rev = version;


     

       

       
14

       
+

       
    hash = "sha256-u6K+BDc9tUxq4kCekTaqQLtNN/OLVc3rh14sVSfPtoQ=";


     

       

       
15

       
+

       
  };


     

       

       
16

       
+

       



     

       

       
17

       
+

       
  build-system = with python3Packages; [


     

       

       
18

       
+

       
    hatchling


     

       

       
19

       
+

       
    hatch-vcs


     

       

       
20

       
+

       
    hatch-fancy-pypi-readme


     

       

       
21

       
+

       
  ];


     

       

       
22

       
+

       



     

       

       
23

       
+

       
  dependencies = with python3Packages; [


     

       

       
24

       
+

       
    attrs


     

       

       
25

       
+

       
    beautifulsoup4


     

       

       
26

       
+

       
    click


     

       

       
27

       
+

       
    rich


     

       

       
28

       
+

       
  ];


     

       

       
29

       
+

       



     

       

       
30

       
+

       
  nativeCheckInputs = with python3Packages; [


     

       

       
31

       
+

       
    pytestCheckHook


     

       

       
32

       
+

       
    pytest-cov-stub


     

       

       
33

       
+

       
  ];


     

       

       
34

       
+

       
}
+147
packages/glide-browser-bin/package.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  lib,


     

       

       
3

       
+

       
  stdenv,


     

       

       
4

       
+

       
  fetchurl,


     

       

       
5

       
+

       
  # keep-sorted start


     

       

       
6

       
+

       
  adwaita-icon-theme,


     

       

       
7

       
+

       
  alsa-lib,


     

       

       
8

       
+

       
  autoPatchelfHook,


     

       

       
9

       
+

       
  copyDesktopItems,


     

       

       
10

       
+

       
  curl,


     

       

       
11

       
+

       
  dbus-glib,


     

       

       
12

       
+

       
  gtk3,


     

       

       
13

       
+

       
  hicolor-icon-theme,


     

       

       
14

       
+

       
  libXtst,


     

       

       
15

       
+

       
  libva,


     

       

       
16

       
+

       
  makeBinaryWrapper,


     

       

       
17

       
+

       
  makeDesktopItem,


     

       

       
18

       
+

       
  patchelfUnstable,


     

       

       
19

       
+

       
  pciutils,


     

       

       
20

       
+

       
  pipewire,


     

       

       
21

       
+

       
  wrapGAppsHook3,


     

       

       
22

       
+

       
  # keep-sorted end


     

       

       
23

       
+

       
  nix-update-script,


     

       

       
24

       
+

       
  ...


     

       

       
25

       
+

       
}:


     

       

       
26

       
+

       
stdenv.mkDerivation (finalAttrs: {


     

       

       
27

       
+

       
  pname = "glide-browser";


     

       

       
28

       
+

       
  version = "0.1.55a";


     

       

       
29

       
+

       



     

       

       
30

       
+

       
  src = fetchurl {


     

       

       
31

       
+

       
    url = "https://github.com/glide-browser/glide/releases/download/${finalAttrs.version}/glide.linux-x86_64.tar.xz";


     

       

       
32

       
+

       
    hash = "sha256-mjk8KmB/T5ZpB9AMQw1mtb9VbMXVX2VV4N+hWpWkSYI=";


     

       

       
33

       
+

       
  };


     

       

       
34

       
+

       



     

       

       
35

       
+

       
  nativeBuildInputs = [


     

       

       
36

       
+

       
    # keep-sorted start


     

       

       
37

       
+

       
    autoPatchelfHook


     

       

       
38

       
+

       
    copyDesktopItems


     

       

       
39

       
+

       
    makeBinaryWrapper


     

       

       
40

       
+

       
    patchelfUnstable


     

       

       
41

       
+

       
    wrapGAppsHook3


     

       

       
42

       
+

       
    # keep-sorted end


     

       

       
43

       
+

       
  ];


     

       

       
44

       
+

       



     

       

       
45

       
+

       
  buildInputs = [


     

       

       
46

       
+

       
    # keep-sorted start


     

       

       
47

       
+

       
    adwaita-icon-theme


     

       

       
48

       
+

       
    alsa-lib


     

       

       
49

       
+

       
    dbus-glib


     

       

       
50

       
+

       
    gtk3


     

       

       
51

       
+

       
    hicolor-icon-theme


     

       

       
52

       
+

       
    libXtst


     

       

       
53

       
+

       
    # keep-sorted end


     

       

       
54

       
+

       
  ];


     

       

       
55

       
+

       



     

       

       
56

       
+

       
  runtimeDependencies = [


     

       

       
57

       
+

       
    # keep-sorted start


     

       

       
58

       
+

       
    curl


     

       

       
59

       
+

       
    libva.out


     

       

       
60

       
+

       
    pciutils


     

       

       
61

       
+

       
    # keep-sorted end


     

       

       
62

       
+

       
  ];


     

       

       
63

       
+

       



     

       

       
64

       
+

       
  appendRunpaths = [ "${pipewire}/lib" ];


     

       

       
65

       
+

       



     

       

       
66

       
+

       
  # Firefox uses "relrhack" to manually process relocations from a fixed offset


     

       

       
67

       
+

       
  patchelfFlags = [ "--no-clobber-old-sections" ];


     

       

       
68

       
+

       



     

       

       
69

       
+

       
  installPhase = ''


     

       

       
70

       
+

       
    runHook preInstall


     

       

       
71

       
+

       



     

       

       
72

       
+

       
    mkdir -p $out/bin $out/share/icons/hicolor/ $out/lib/glide-browser-bin-${finalAttrs.version}


     

       

       
73

       
+

       
    cp -t $out/lib/glide-browser-bin-${finalAttrs.version} -r *


     

       

       
74

       
+

       
    chmod +x $out/lib/glide-browser-bin-${finalAttrs.version}/glide


     

       

       
75

       
+

       
    iconDir=$out/share/icons/hicolor


     

       

       
76

       
+

       
    browserIcons=$out/lib/glide-browser-bin-${finalAttrs.version}/browser/chrome/icons/default


     

       

       
77

       
+

       



     

       

       
78

       
+

       
    for i in 16 32 48 64 128; do


     

       

       
79

       
+

       
      iconSizeDir="$iconDir/''${i}x$i/apps"


     

       

       
80

       
+

       
      mkdir -p $iconSizeDir


     

       

       
81

       
+

       
      cp $browserIcons/default$i.png $iconSizeDir/glide-browser.png


     

       

       
82

       
+

       
    done


     

       

       
83

       
+

       



     

       

       
84

       
+

       



     

       

       
85

       
+

       
    ln -s $out/lib/glide-browser-bin-${finalAttrs.version}/glide $out/bin/glide


     

       

       
86

       
+

       
    ln -s $out/bin/glide $out/bin/glide-browser


     

       

       
87

       
+

       



     

       

       
88

       
+

       
    runHook postInstall


     

       

       
89

       
+

       
  '';


     

       

       
90

       
+

       



     

       

       
91

       
+

       
  desktopItems = [


     

       

       
92

       
+

       
    (makeDesktopItem {


     

       

       
93

       
+

       
      name = "glide-browser-bin";


     

       

       
94

       
+

       
      exec = "glide-browser --name glide-browser %U";


     

       

       
95

       
+

       
      icon = "glide-browser";


     

       

       
96

       
+

       
      desktopName = "Glide Browser";


     

       

       
97

       
+

       
      genericName = "Web Browser";


     

       

       
98

       
+

       
      terminal = false;


     

       

       
99

       
+

       
      startupNotify = true;


     

       

       
100

       
+

       
      startupWMClass = "glide-browser";


     

       

       
101

       
+

       
      categories = [


     

       

       
102

       
+

       
        "Network"


     

       

       
103

       
+

       
        "WebBrowser"


     

       

       
104

       
+

       
      ];


     

       

       
105

       
+

       
      mimeTypes = [


     

       

       
106

       
+

       
        "text/html"


     

       

       
107

       
+

       
        "text/xml"


     

       

       
108

       
+

       
        "application/xhtml+xml"


     

       

       
109

       
+

       
        "application/vnd.mozilla.xul+xml"


     

       

       
110

       
+

       
        "x-scheme-handler/http"


     

       

       
111

       
+

       
        "x-scheme-handler/https"


     

       

       
112

       
+

       
      ];


     

       

       
113

       
+

       
      actions = {


     

       

       
114

       
+

       
        new-window = {


     

       

       
115

       
+

       
          name = "New Window";


     

       

       
116

       
+

       
          exec = "glide-browser --new-window %U";


     

       

       
117

       
+

       
        };


     

       

       
118

       
+

       
        new-private-window = {


     

       

       
119

       
+

       
          name = "New Private Window";


     

       

       
120

       
+

       
          exec = "glide-browser --private-window %U";


     

       

       
121

       
+

       
        };


     

       

       
122

       
+

       
        profile-manager-window = {


     

       

       
123

       
+

       
          name = "Profile Manager";


     

       

       
124

       
+

       
          exec = "glide-browser --ProfileManager";


     

       

       
125

       
+

       
        };


     

       

       
126

       
+

       
      };


     

       

       
127

       
+

       
    })


     

       

       
128

       
+

       
  ];


     

       

       
129

       
+

       



     

       

       
130

       
+

       
  passthru.updateScript = nix-update-script {


     

       

       
131

       
+

       
    extraArgs = [


     

       

       
132

       
+

       
      "--url"


     

       

       
133

       
+

       
      "https://github.com/glide-browser/glide"


     

       

       
134

       
+

       
    ];


     

       

       
135

       
+

       
  };


     

       

       
136

       
+

       



     

       

       
137

       
+

       
  meta = {


     

       

       
138

       
+

       
    changelog = "https://glide-browser.app/changelog#${finalAttrs.version}";


     

       

       
139

       
+

       
    description = "Extensible and keyboard-focused web browser, based on Firefox (binary package)";


     

       

       
140

       
+

       
    homepage = "https://glide-browser.app/";


     

       

       
141

       
+

       
    license = lib.licenses.mpl20;


     

       

       
142

       
+

       
    sourceProvenance = [ lib.sourceTypes.binaryNativeCode ];


     

       

       
143

       
+

       
    platforms = [ "x86_64-linux" ];


     

       

       
144

       
+

       
    maintainers = with lib.maintainers; [ pyrox0 ];


     

       

       
145

       
+

       
    mainProgram = "glide-browser";


     

       

       
146

       
+

       
  };


     

       

       
147

       
+

       
})
-34
packages/jellyfin-exporter/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  lib,


     

       
3

       

       
-

       
  buildGoModule,


     

       
4

       

       
-

       
  fetchFromGitHub,


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}:


     

       
7

       

       
-

       
buildGoModule (finalAttrs: {


     

       
8

       

       
-

       
  pname = "jellyfin-exporter";


     

       
9

       

       
-

       
  version = "1.3.8";


     

       
10

       

       
-

       



     

       
11

       

       
-

       
  src = fetchFromGitHub {


     

       
12

       

       
-

       
    owner = "rebelcore";


     

       
13

       

       
-

       
    repo = "jellyfin_exporter";


     

       
14

       

       
-

       
    tag = "v${finalAttrs.version}";


     

       
15

       

       
-

       
    hash = "sha256-7fIrjcy6y/Ayj43WeuPNCx3uVJyl5Wf6bWs5ta2PpWc=";


     

       
16

       

       
-

       
  };


     

       
17

       

       
-

       



     

       
18

       

       
-

       
  # We need to patch the tests since we don't move the binary to `$GOPATH/bin`, but to `$out/bin` instead.


     

       
19

       

       
-

       
  postPatch = ''


     

       
20

       

       
-

       
    substituteInPlace jellyfin_exporter_test.go \


     

       
21

       

       
-

       
      --replace-fail "GOPATH" "out"


     

       
22

       

       
-

       
  '';


     

       
23

       

       
-

       



     

       
24

       

       
-

       
  vendorHash = "sha256-JSOKDbefQyDLNy2y1oW7HUplQw8uhhOGZ+ueWyUYYQ0=";


     

       
25

       

       
-

       



     

       
26

       

       
-

       
  meta = {


     

       
27

       

       
-

       
    changelog = "https://github.com/rebelcore/jellyfin_exporter/blob/v${finalAttrs.version}/CHANGELOG.md";


     

       
28

       

       
-

       
    description = "Jellyfin Media System metrics exporter for prometheus";


     

       
29

       

       
-

       
    homepage = "https://github.com/rebelcore/jellyfin_exporter";


     

       
30

       

       
-

       
    license = lib.licenses.asl20;


     

       
31

       

       
-

       
    maintainers = with lib.maintainers; [ pyrox0 ];


     

       
32

       

       
-

       
    mainProgram = "jellyfin_exporter";


     

       
33

       

       
-

       
  };


     

       
34

       

       
-

       
})
+34
packages/jellyfin-exporter/package.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  lib,


     

       

       
3

       
+

       
  buildGoModule,


     

       

       
4

       
+

       
  fetchFromGitHub,


     

       

       
5

       
+

       
  ...


     

       

       
6

       
+

       
}:


     

       

       
7

       
+

       
buildGoModule (finalAttrs: {


     

       

       
8

       
+

       
  pname = "jellyfin-exporter";


     

       

       
9

       
+

       
  version = "1.3.9";


     

       

       
10

       
+

       



     

       

       
11

       
+

       
  src = fetchFromGitHub {


     

       

       
12

       
+

       
    owner = "rebelcore";


     

       

       
13

       
+

       
    repo = "jellyfin_exporter";


     

       

       
14

       
+

       
    tag = "v${finalAttrs.version}";


     

       

       
15

       
+

       
    hash = "sha256-oHPzdV+Fe7XmSyRWm5jh7oGqlY9uyLy7u9tCTlkfhQk=";


     

       

       
16

       
+

       
  };


     

       

       
17

       
+

       



     

       

       
18

       
+

       
  # We need to patch the tests since we don't move the binary to `$GOPATH/bin`, but to `$out/bin` instead.


     

       

       
19

       
+

       
  postPatch = ''


     

       

       
20

       
+

       
    substituteInPlace jellyfin_exporter_test.go \


     

       

       
21

       
+

       
      --replace-fail "GOPATH" "out"


     

       

       
22

       
+

       
  '';


     

       

       
23

       
+

       



     

       

       
24

       
+

       
  vendorHash = "sha256-Z3XM4vTsm5R/Me1jR9oqLcWqmEn1bd653UNvDKLM80g=";


     

       

       
25

       
+

       



     

       

       
26

       
+

       
  meta = {


     

       

       
27

       
+

       
    changelog = "https://github.com/rebelcore/jellyfin_exporter/blob/v${finalAttrs.version}/CHANGELOG.md";


     

       

       
28

       
+

       
    description = "Jellyfin Media System metrics exporter for prometheus";


     

       

       
29

       
+

       
    homepage = "https://github.com/rebelcore/jellyfin_exporter";


     

       

       
30

       
+

       
    license = lib.licenses.asl20;


     

       

       
31

       
+

       
    maintainers = with lib.maintainers; [ pyrox0 ];


     

       

       
32

       
+

       
    mainProgram = "jellyfin_exporter";


     

       

       
33

       
+

       
  };


     

       

       
34

       
+

       
})
-19
packages/pingvin-share-config/default.nix 
···

       
1

       

       
-

       
{


     

       
2

       

       
-

       
  pkgs,


     

       
3

       

       
-

       
  stdenv,


     

       
4

       

       
-

       
  settings ? { },


     

       
5

       

       
-

       
  ...


     

       
6

       

       
-

       
}:


     

       
7

       

       
-

       
let


     

       
8

       

       
-

       
  format = pkgs.formats.yaml { };


     

       
9

       

       
-

       
  file = format.generate "config.yaml" settings;


     

       
10

       

       
-

       
in


     

       
11

       

       
-

       
stdenv.mkDerivation {


     

       
12

       

       
-

       
  pname = "pingvin-share-config";


     

       
13

       

       
-

       
  version = "1.0.0";


     

       
14

       

       
-

       



     

       
15

       

       
-

       
  installPhase = ''


     

       
16

       

       
-

       
    mkdir $out


     

       
17

       

       
-

       
    cp ${file} $out/config.yaml


     

       
18

       

       
-

       
  '';


     

       
19

       

       
-

       
}
+19
packages/pingvin-share-config/package.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  pkgs,


     

       

       
3

       
+

       
  stdenv,


     

       

       
4

       
+

       
  settings ? { },


     

       

       
5

       
+

       
  ...


     

       

       
6

       
+

       
}:


     

       

       
7

       
+

       
let


     

       

       
8

       
+

       
  format = pkgs.formats.yaml { };


     

       

       
9

       
+

       
  file = format.generate "config.yaml" settings;


     

       

       
10

       
+

       
in


     

       

       
11

       
+

       
stdenv.mkDerivation {


     

       

       
12

       
+

       
  pname = "pingvin-share-config";


     

       

       
13

       
+

       
  version = "1.0.0";


     

       

       
14

       
+

       



     

       

       
15

       
+

       
  installPhase = ''


     

       

       
16

       
+

       
    mkdir $out


     

       

       
17

       
+

       
    cp ${file} $out/config.yaml


     

       

       
18

       
+

       
  '';


     

       

       
19

       
+

       
}
+138
packages/planka/package.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  lib,


     

       

       
3

       
+

       
  stdenv,


     

       

       
4

       
+

       
  fetchFromGitHub,


     

       

       
5

       
+

       
  fetchNpmDeps,


     

       

       
6

       
+

       
  nix-update-script,


     

       

       
7

       
+

       
  npmHooks,


     

       

       
8

       
+

       
  dart-sass,


     

       

       
9

       
+

       
  nodejs,


     

       

       
10

       
+

       
  python3,


     

       

       
11

       
+

       
}:


     

       

       
12

       
+

       
let


     

       

       
13

       
+

       
  version = "2.0.0-rc.4";


     

       

       
14

       
+

       
  src = fetchFromGitHub {


     

       

       
15

       
+

       
    owner = "plankanban";


     

       

       
16

       
+

       
    repo = "planka";


     

       

       
17

       
+

       
    tag = "v${version}";


     

       

       
18

       
+

       
    hash = "sha256-RUOIOXrpoNGxoKwUlgkPsk4kTnA95E+iwYIjBzSBoTA=";


     

       

       
19

       
+

       
  };


     

       

       
20

       
+

       
  meta = {


     

       

       
21

       
+

       
    description = "Kanban-style project mastering tool for everyone";


     

       

       
22

       
+

       
    homepage = "https://docs.planka.cloud/";


     

       

       
23

       
+

       
    license = {


     

       

       
24

       
+

       
      fullName = "Planka Community License";


     

       

       
25

       
+

       
      url = "https://github.com/plankanban/planka/blob/master/LICENSE.md";


     

       

       
26

       
+

       
      free = false;


     

       

       
27

       
+

       
      redistributable = true;


     

       

       
28

       
+

       
    };


     

       

       
29

       
+

       
    maintainers = with lib.maintainers; [ pyrox0 ];


     

       

       
30

       
+

       
  };


     

       

       
31

       
+

       



     

       

       
32

       
+

       
  frontend = stdenv.mkDerivation (finalAttrs: {


     

       

       
33

       
+

       
    pname = "planka-frontend";


     

       

       
34

       
+

       
    inherit version src meta;


     

       

       
35

       
+

       



     

       

       
36

       
+

       
    sourceRoot = "${finalAttrs.src.name}/client";


     

       

       
37

       
+

       



     

       

       
38

       
+

       
    npmDeps = fetchNpmDeps {


     

       

       
39

       
+

       
      inherit (finalAttrs) src sourceRoot;


     

       

       
40

       
+

       
      hash = "sha256-XtVwO8253XBVtG0jrikeVr1yaS1PpphCbN5B6jz54qc=";


     

       

       
41

       
+

       
    };


     

       

       
42

       
+

       



     

       

       
43

       
+

       
    npmFlags = [


     

       

       
44

       
+

       
      "--ignore-scripts"


     

       

       
45

       
+

       
    ];


     

       

       
46

       
+

       



     

       

       
47

       
+

       
    nativeBuildInputs = [


     

       

       
48

       
+

       
      npmHooks.npmConfigHook


     

       

       
49

       
+

       
      nodejs


     

       

       
50

       
+

       
      dart-sass


     

       

       
51

       
+

       
    ];


     

       

       
52

       
+

       



     

       

       
53

       
+

       
    buildPhase = ''


     

       

       
54

       
+

       
      runHook preBuild


     

       

       
55

       
+

       



     

       

       
56

       
+

       
      npx patch-package


     

       

       
57

       
+

       



     

       

       
58

       
+

       
      # Replace dart path in sass-embedded since node_modules doesn't have the native binary


     

       

       
59

       
+

       
      substituteInPlace node_modules/sass-embedded/dist/lib/src/compiler-path.js \


     

       

       
60

       
+

       
        --replace-fail 'compilerCommand = (() => {' 'compilerCommand = (() => { return ["${lib.getExe dart-sass}"];'


     

       

       
61

       
+

       



     

       

       
62

       
+

       
      npm run build


     

       

       
63

       
+

       



     

       

       
64

       
+

       
      runHook postBuild


     

       

       
65

       
+

       
    '';


     

       

       
66

       
+

       



     

       

       
67

       
+

       
    installPhase = ''


     

       

       
68

       
+

       
      runHook preInstall


     

       

       
69

       
+

       



     

       

       
70

       
+

       
      mkdir $out/


     

       

       
71

       
+

       
      mv dist $out/dist


     

       

       
72

       
+

       



     

       

       
73

       
+

       
      runHook postInstall


     

       

       
74

       
+

       
    '';


     

       

       
75

       
+

       
  });


     

       

       
76

       
+

       



     

       

       
77

       
+

       
  serverPython = python3.withPackages (ps: [ ps.apprise ]);


     

       

       
78

       
+

       
in


     

       

       
79

       
+

       
stdenv.mkDerivation (finalAttrs: {


     

       

       
80

       
+

       
  pname = "planka";


     

       

       
81

       
+

       
  inherit version src;


     

       

       
82

       
+

       



     

       

       
83

       
+

       
  sourceRoot = "${finalAttrs.src.name}/server";


     

       

       
84

       
+

       



     

       

       
85

       
+

       
  npmDeps = fetchNpmDeps {


     

       

       
86

       
+

       
    inherit (finalAttrs) src sourceRoot;


     

       

       
87

       
+

       
    hash = "sha256-yW9uzPALGdPrrUV129ToXayLyeLbAK9mCl2emCPYUdc=";


     

       

       
88

       
+

       
  };


     

       

       
89

       
+

       



     

       

       
90

       
+

       
  npmFlags = [ "--ignore-scripts" ];


     

       

       
91

       
+

       



     

       

       
92

       
+

       
  nativeBuildInputs = [


     

       

       
93

       
+

       
    npmHooks.npmConfigHook


     

       

       
94

       
+

       
    nodejs


     

       

       
95

       
+

       
  ];


     

       

       
96

       
+

       



     

       

       
97

       
+

       
  buildInputs = [


     

       

       
98

       
+

       
    serverPython


     

       

       
99

       
+

       
    nodejs


     

       

       
100

       
+

       
  ];


     

       

       
101

       
+

       



     

       

       
102

       
+

       
  preBuild = ''


     

       

       
103

       
+

       
    # Patch notifs helper to use nixpkgs' python


     

       

       
104

       
+

       
    substituteInPlace api/helpers/utils/send-notifications.js \


     

       

       
105

       
+

       
      --replace-fail '(`$' '(`' \


     

       

       
106

       
+

       
      --replace-fail "{sails.config.appPath}/.venv/bin/python3" "${lib.getExe serverPython}"


     

       

       
107

       
+

       
  '';


     

       

       
108

       
+

       



     

       

       
109

       
+

       
  buildPhase = ''


     

       

       
110

       
+

       
    runHook preBuild


     

       

       
111

       
+

       



     

       

       
112

       
+

       
    npx patch-package


     

       

       
113

       
+

       



     

       

       
114

       
+

       
    runHook postBuild


     

       

       
115

       
+

       
  '';


     

       

       
116

       
+

       



     

       

       
117

       
+

       
  installPhase = ''


     

       

       
118

       
+

       
    runHook preInstall


     

       

       
119

       
+

       



     

       

       
120

       
+

       
    npm prune --omit=dev --no-save $npmFlags "$${npmFlagsArray[@]}"


     

       

       
121

       
+

       
    find node_modules -maxdepth 1 -type d -empty -delete


     

       

       
122

       
+

       



     

       

       
123

       
+

       
    mkdir -p $out/lib/node_modules/planka


     

       

       
124

       
+

       
    mkdir $out/bin


     

       

       
125

       
+

       
    mv * $out/lib/node_modules/planka


     

       

       
126

       
+

       
    cp -t $out/lib/node_modules/planka/public -r ${frontend}/dist/*


     

       

       
127

       
+

       
    cp ${frontend}/dist/index.html $out/lib/node_modules/planka/views/index.html


     

       

       
128

       
+

       



     

       

       
129

       
+

       
    ln -s $out/lib/node_modules/planka/start.sh $out/bin/planka


     

       

       
130

       
+

       



     

       

       
131

       
+

       
    runHook postInstall


     

       

       
132

       
+

       
  '';


     

       

       
133

       
+

       



     

       

       
134

       
+

       
  passthru.updateScript = nix-update-script { extraArgs = [ "--version=unstable" ]; };


     

       

       
135

       
+

       
  meta = meta // {


     

       

       
136

       
+

       
    mainProgram = "planka";


     

       

       
137

       
+

       
  };


     

       

       
138

       
+

       
})
+26
packages.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  perSystem =


     

       

       
3

       
+

       
    {


     

       

       
4

       
+

       
      pkgs,


     

       

       
5

       
+

       
      lib,


     

       

       
6

       
+

       
      ...


     

       

       
7

       
+

       
    }:


     

       

       
8

       
+

       
    let


     

       

       
9

       
+

       
      packages = lib.packagesFromDirectoryRecursive {


     

       

       
10

       
+

       
        inherit (pkgs) callPackage;


     

       

       
11

       
+

       
        directory = ./packages;


     

       

       
12

       
+

       
      };


     

       

       
13

       
+

       
    in


     

       

       
14

       
+

       
    {


     

       

       
15

       
+

       
      legacyPackages = packages;


     

       

       
16

       
+

       
      packages = lib.filterAttrs (


     

       

       
17

       
+

       
        _: pkg:


     

       

       
18

       
+

       
        let


     

       

       
19

       
+

       
          isDerivation = lib.isDerivation pkg;


     

       

       
20

       
+

       
          availableOnHost = lib.meta.availableOn pkgs.stdenv.hostPlatform pkg;


     

       

       
21

       
+

       
          isBroken = pkg.meta.broken or false;


     

       

       
22

       
+

       
        in


     

       

       
23

       
+

       
        isDerivation && !isBroken && availableOnHost


     

       

       
24

       
+

       
      ) packages;


     

       

       
25

       
+

       
    };


     

       

       
26

       
+

       
}