···

       
1
       
1
       
+
       
# NixOS Configuration

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
My personal Nix and NixOS configuration for reproducible, declarative systems and environments across multiple hosts.

     

       
4
       
4
       
+
       
This is a personal configuration with limited applicability to others, though some patterns may be useful for reference.

     

       
5
       
5
       
+
       
Common self-hosting services have been extracted to a separate project, [Eilean](https://github.com/RyanGibb/eilean-nix).

     

       
6
       
6
       
+
       


     

       
7
       
7
       
+
       
## Usage

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
### NixOS

     

       
10
       
10
       
+
       


     

       
11
       
11
       
+
       
See the [NixOS manual](https://nixos.org/manual/nixos/stable/#ch-installation) for how to install NixOS.

     

       
12
       
12
       
+
       


     

       
13
       
13
       
+
       
1. Clone this repository to `/etc/nixos/` on a NixOS system.

     

       
14
       
14
       
+
       
2. Set up the host configuration in `/etc/nixos/hosts/<hostname>/`.

     

       
15
       
15
       
+
       
3. Deploy the host with `nixos-rebuild switch`.

     

       
16
       
16
       
+
       


     

       
17
       
17
       
+
       
### Remote Deployment

     

       
18
       
18
       
+
       


     

       
19
       
19
       
+
       
[`deploy-rs`](https://github.com/serokell/deploy-rs) can be used to update remote hosts via SSH with `deploy .#hostname`.

     

       
20
       
20
       
+
       


     

       
21
       
21
       
+
       
### Home Manager

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
For non-NixOS systems, you can use Home Manager standalone:

     

       
24
       
24
       
+
       


     

       
25
       
25
       
+
       
1. Install [Nix](https://nixos.org/download/) and [enable flakes](https://nixos.wiki/wiki/flakes#Other_Distros.2C_without_Home-Manager).

     

       
26
       
26
       
+
       
2. Clone this repository and follow the [Home Manager manual](https://nix-community.github.io/home-manager/index.xhtml#sec-install-standalone).

     

       
27
       
27
       
+
       
3. Deploy the profile with `home-manager switch`.

     

       
28
       
28
       
+
       


     

       
29
       
29
       
+
       
### Nix-on-Droid

     

       
30
       
30
       
+
       


     

       
31
       
31
       
+
       
See [upstream](https://github.com/nix-community/nix-on-droid/).

     

       
32
       
32
       
+
       


     

       
33
       
33
       
+
       
## Repository Structure

     

       
1
       
34
       
 
       


     

       
2
       
2
       
-
       
My NixOS configs.

     

       
35
       
35
       
+
       
- [`flake.nix`](./flake.nix) - Entry point where inputs, outputs, and [overlays](https://nixos.org/manual/nixpkgs/stable/#chap-overlays) are defined.

     

       
36
       
36
       
+
       
  The [`flake.lock`](./flake.lock) file locks these inputs for reproducibility.

     

       
37
       
37
       
+
       
- [`hosts/`](./hosts/) - Host-specific configurations where each subdirectory represents a separate machine.

     

       
38
       
38
       
+
       
  - Hosts are named after animals, following a rough naming scheme where,

     

       
39
       
39
       
+
       
    - Stationary hosts are mammals.

     

       
40
       
40
       
+
       
      - Servers are even-toed ungulates ([Artiodactyls](https://en.wikipedia.org/wiki/Artiodactyl)), e.g. the [Network-Attached Storage (NAS) server](https://ryan.freumh.org/nas.html) [`elephant`](./hosts/elephant).

     

       
41
       
41
       
+
       
      - SBCs are small mammals ([Eulipotyphla](https://en.wikipedia.org/wiki/Eulipotyphla)), e.g. the [Home Assistant](https://www.home-assistant.io/) server and [Zigbee](https://en.wikipedia.org/wiki/Zigbee) bridge [`shrew`](./hosts/shrew).

     

       
42
       
42
       
+
       
      - Desktops are carnivores ([Carnivora](https://en.wikipedia.org/wiki/Carnivora)), e.g. the tower PC [`vulpine`](./hosts/vulpine).

     

       
43
       
43
       
+
       
    - Mobile (battery powered) hosts are reptiles, e.g. the laptop [`gecko`](./hosts/gecko).

     

       
44
       
44
       
+
       
    - Virtual hosts are birds, e.g. the virtual private server (VPS) [`owl`](./hosts/owl).

     

       
45
       
45
       
+
       
    - Work-associated hosts are aquatic, e.g. the VPSs for [Eon](https://github.com/RyanGibb/eon) experiments [`duck`](./hosts/duck), and running the [EEG](https://www.cst.cam.ac.uk/research/eeg) infrastructure including using the federated [Shibboleth](https://www.shibboleth.net/) identity server to provision [Matrix](https://matrix.org/) accounts [`swan`](./hosts/swan).

     

       
46
       
46
       
+
       
    - [`barnacle`](./hosts/barnacle/default.nix) builds an ISO image that can be written to media like a USB flash drive to create a read-only live USB that can be booted to provide the custom environment on all my other hosts and used to, for example, install an operating system, with the [`install.sh`](./hosts/barnacle/install.sh) script.

     

       
47
       
47
       
+
       
  - Each host directory typically contains,

     

       
48
       
48
       
+
       
    - `default.nix` - Main configuration entry point that imports other modules.

     

       
49
       
49
       
+
       
    - `hardware-configuration.nix` - Hardware-specific configuration generated by `nixos-generate-config`.

     

       
50
       
50
       
+
       
    - `minimal.nix` - A minimal configuration that can be useful when updating with insufficient disk space.

     

       
51
       
51
       
+
       
      The minimal configuration can be build, the `default.nix` system garbage collected, and then the updated configuration built.

     

       
52
       
52
       
+
       
      Note this precludes trivial rollback.

     

       
53
       
53
       
+
       
    - Other modules separating functionality, such as `services.nix`.

     

       
54
       
54
       
+
       
- [`modules/`](./modules/) - NixOS modules of common functionality extracted into modular components which can be enabled by host configurations.

     

       
55
       
55
       
+
       
- [`pkgs/`](./pkgs/) - Custom package definitions for packages not available in nixpkgs or requiring modifications.

     

       
56
       
56
       
+
       
- [`home/`](./home/) - Home-manager NixOS modules configurations.

     

       
57
       
57
       
+
       
- [`secrets/`](./secrets/) - Encrypted secrets managed by agenix.

     

       
58
       
58
       
+
       
- [`scripts/`](./scripts/) - Miscellaneous scripts.

     

       
59
       
59
       
+
       
- [`nix-on-droid/`](./nix-on-droid/) - [Nix-on-Droid](./#nix-on-droid) configuration.

     

       
3
       
60
       
 
       


     

       
4
       
4
       
-
       
Uses flakes.

     

       
61
       
61
       
+
       
## Managing Secrets

     

       
62
       
62
       
+
       


     

       
63
       
63
       
+
       
Secrets are managed using [agenix](https://github.com/ryantm/agenix).

     

       
64
       
64
       
+
       
To add a new secret, update [secrets.nix](./secrets/secrets.nix) and run `cd secrets && agenix -e <secret-name>.age`.

     

       
65
       
65
       
+
       
To update an existing secret you need only do the latter.

     

       
5
       
66
       
 
       


     

···

       
58
       
58
       
 
       
        "type": "gitlab"

     

       
59
       
59
       
 
       
      }

     

       
60
       
60
       
 
       
    },

     

       
61
       
61
       
-
       
    "colour-guesser": {

     

       
62
       
62
       
-
       
      "inputs": {

     

       
63
       
63
       
-
       
        "flake-utils": "flake-utils_2",

     

       
64
       
64
       
-
       
        "nix-filter": "nix-filter",

     

       
65
       
65
       
-
       
        "nixpkgs": [

     

       
66
       
66
       
-
       
          "nixpkgs"

     

       
67
       
67
       
-
       
        ]

     

       
68
       
68
       
-
       
      },

     

       
69
       
69
       
-
       
      "locked": {

     

       
70
       
70
       
-
       
        "lastModified": 1713180220,

     

       
71
       
71
       
-
       
        "narHash": "sha256-hTdD8t3/hvaexQXDFL2lsXgyxg93IrTFszXeCrBcmEY=",

     

       
72
       
72
       
-
       
        "ref": "develop",

     

       
73
       
73
       
-
       
        "rev": "6ecf853ca91af2e6ddcecd64e6eaa1214aaf87fa",

     

       
74
       
74
       
-
       
        "revCount": 11,

     

       
75
       
75
       
-
       
        "type": "git",

     

       
76
       
76
       
-
       
        "url": "ssh://git@github.com/ryangibb/colour-guesser.git"

     

       
77
       
77
       
-
       
      },

     

       
78
       
78
       
-
       
      "original": {

     

       
79
       
79
       
-
       
        "ref": "develop",

     

       
80
       
80
       
-
       
        "type": "git",

     

       
81
       
81
       
-
       
        "url": "ssh://git@github.com/ryangibb/colour-guesser.git"

     

       
82
       
82
       
-
       
      }

     

       
83
       
83
       
-
       
    },

     

       
84
       
61
       
 
       
    "darwin": {

     

       
85
       
62
       
 
       
      "inputs": {

     

       
86
       
63
       
 
       
        "nixpkgs": [

     
···

       
125
       
102
       
 
       
        "type": "github"

     

       
126
       
103
       
 
       
      }

     

       
127
       
104
       
 
       
    },

     

       
105
       
105
       
+
       
    "disko": {

     

       
106
       
106
       
+
       
      "inputs": {

     

       
107
       
107
       
+
       
        "nixpkgs": [

     

       
108
       
108
       
+
       
          "nixpkgs"

     

       
109
       
109
       
+
       
        ]

     

       
110
       
110
       
+
       
      },

     

       
111
       
111
       
+
       
      "locked": {

     

       
112
       
112
       
+
       
        "lastModified": 1743598667,

     

       
113
       
113
       
+
       
        "narHash": "sha256-ViE7NoFWytYO2uJONTAX35eGsvTYXNHjWALeHAg8OQY=",

     

       
114
       
114
       
+
       
        "owner": "nix-community",

     

       
115
       
115
       
+
       
        "repo": "disko",

     

       
116
       
116
       
+
       
        "rev": "329d3d7e8bc63dd30c39e14e6076db590a6eabe6",

     

       
117
       
117
       
+
       
        "type": "github"

     

       
118
       
118
       
+
       
      },

     

       
119
       
119
       
+
       
      "original": {

     

       
120
       
120
       
+
       
        "owner": "nix-community",

     

       
121
       
121
       
+
       
        "repo": "disko",

     

       
122
       
122
       
+
       
        "type": "github"

     

       
123
       
123
       
+
       
      }

     

       
124
       
124
       
+
       
    },

     

       
128
       
125
       
 
       
    "eilean": {

     

       
129
       
126
       
 
       
      "inputs": {

     

       
130
       
127
       
 
       
        "eon": [

     
···

       
152
       
149
       
 
       
    },

     

       
153
       
150
       
 
       
    "eon": {

     

       
154
       
151
       
 
       
      "inputs": {

     

       
155
       
155
       
-
       
        "flake-utils": "flake-utils_3",

     

       
152
       
152
       
+
       
        "flake-utils": "flake-utils_2",

     

       
156
       
153
       
 
       
        "nixpkgs": [

     

       
157
       
154
       
 
       
          "nixpkgs"

     

       
158
       
155
       
 
       
        ],

     

       
159
       
156
       
 
       
        "opam-nix": "opam-nix"

     

       
160
       
157
       
 
       
      },

     

       
161
       
158
       
 
       
      "locked": {

     

       
162
       
162
       
-
       
        "lastModified": 1738667109,

     

       
163
       
163
       
-
       
        "narHash": "sha256-BDTEsrdmS/V4Kpjx7yBafqMEtw629xJCZel9jbT7dlg=",

     

       
159
       
159
       
+
       
        "lastModified": 1743149102,

     

       
160
       
160
       
+
       
        "narHash": "sha256-pW24ij8CqAdU8m5OFD1amwNmovf25YRygl1bv+s390o=",

     

       
164
       
161
       
 
       
        "owner": "RyanGibb",

     

       
165
       
162
       
 
       
        "repo": "eon",

     

       
166
       
166
       
-
       
        "rev": "5a56fd3173a3f123d99cb674cb28c133e0cfc263",

     

       
163
       
163
       
+
       
        "rev": "81bdd51d1e2651c46df2a1ce38b7df5661e7eef1",

     

       
167
       
164
       
 
       
        "type": "github"

     

       
168
       
165
       
 
       
      },

     

       
169
       
166
       
 
       
      "original": {

     
···

       
287
       
284
       
 
       
    },

     

       
288
       
285
       
 
       
    "flake-utils_2": {

     

       
289
       
286
       
 
       
      "inputs": {

     

       
290
       
290
       
-
       
        "systems": "systems_2"

     

       
291
       
291
       
-
       
      },

     

       
292
       
292
       
-
       
      "locked": {

     

       
293
       
293
       
-
       
        "lastModified": 1681202837,

     

       
294
       
294
       
-
       
        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",

     

       
295
       
295
       
-
       
        "owner": "numtide",

     

       
296
       
296
       
-
       
        "repo": "flake-utils",

     

       
297
       
297
       
-
       
        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",

     

       
298
       
298
       
-
       
        "type": "github"

     

       
299
       
299
       
-
       
      },

     

       
300
       
300
       
-
       
      "original": {

     

       
301
       
301
       
-
       
        "id": "flake-utils",

     

       
302
       
302
       
-
       
        "type": "indirect"

     

       
303
       
303
       
-
       
      }

     

       
304
       
304
       
-
       
    },

     

       
305
       
305
       
-
       
    "flake-utils_3": {

     

       
306
       
306
       
-
       
      "inputs": {

     

       
307
       
307
       
-
       
        "systems": "systems_5"

     

       
287
       
287
       
+
       
        "systems": "systems_4"

     

       
308
       
288
       
 
       
      },

     

       
309
       
289
       
 
       
      "locked": {

     

       
310
       
290
       
 
       
        "lastModified": 1731533236,

     
···

       
320
       
300
       
 
       
        "type": "github"

     

       
321
       
301
       
 
       
      }

     

       
322
       
302
       
 
       
    },

     

       
323
       
323
       
-
       
    "flake-utils_4": {

     

       
303
       
303
       
+
       
    "flake-utils_3": {

     

       
324
       
304
       
 
       
      "locked": {

     

       
325
       
305
       
 
       
        "lastModified": 1676283394,

     

       
326
       
306
       
 
       
        "narHash": "sha256-XX2f9c3iySLCw54rJ/CZs+ZK6IQy7GXNY4nSOyu2QG4=",

     
···

       
334
       
314
       
 
       
        "type": "indirect"

     

       
335
       
315
       
 
       
      }

     

       
336
       
316
       
 
       
    },

     

       
337
       
337
       
-
       
    "flake-utils_5": {

     

       
317
       
317
       
+
       
    "flake-utils_4": {

     

       
338
       
318
       
 
       
      "inputs": {

     

       
339
       
339
       
-
       
        "systems": "systems_6"

     

       
319
       
319
       
+
       
        "systems": "systems_5"

     

       
340
       
320
       
 
       
      },

     

       
341
       
321
       
 
       
      "locked": {

     

       
342
       
322
       
 
       
        "lastModified": 1694529238,

     
···

       
352
       
332
       
 
       
        "type": "github"

     

       
353
       
333
       
 
       
      }

     

       
354
       
334
       
 
       
    },

     

       
355
       
355
       
-
       
    "flake-utils_6": {

     

       
335
       
335
       
+
       
    "flake-utils_5": {

     

       
356
       
336
       
 
       
      "locked": {

     

       
357
       
337
       
 
       
        "lastModified": 1638122382,

     

       
358
       
338
       
 
       
        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",

     
···

       
367
       
347
       
 
       
        "type": "github"

     

       
368
       
348
       
 
       
      }

     

       
369
       
349
       
 
       
    },

     

       
370
       
370
       
-
       
    "flake-utils_7": {

     

       
350
       
350
       
+
       
    "flake-utils_6": {

     

       
371
       
351
       
 
       
      "inputs": {

     

       
372
       
372
       
-
       
        "systems": "systems_7"

     

       
352
       
352
       
+
       
        "systems": "systems_6"

     

       
373
       
353
       
 
       
      },

     

       
374
       
354
       
 
       
      "locked": {

     

       
375
       
355
       
 
       
        "lastModified": 1692799911,

     
···

       
387
       
367
       
 
       
    },

     

       
388
       
368
       
 
       
    "fn06-website": {

     

       
389
       
369
       
 
       
      "inputs": {

     

       
390
       
390
       
-
       
        "flake-utils": "flake-utils_4",

     

       
370
       
370
       
+
       
        "flake-utils": "flake-utils_3",

     

       
391
       
371
       
 
       
        "nixpkgs": [

     

       
392
       
372
       
 
       
          "nixpkgs"

     

       
393
       
373
       
 
       
        ]

     
···

       
406
       
386
       
 
       
        "type": "github"

     

       
407
       
387
       
 
       
      }

     

       
408
       
388
       
 
       
    },

     

       
389
       
389
       
+
       
    "gitignore": {

     

       
390
       
390
       
+
       
      "inputs": {

     

       
391
       
391
       
+
       
        "nixpkgs": [

     

       
392
       
392
       
+
       
          "tangled",

     

       
393
       
393
       
+
       
          "nixpkgs"

     

       
394
       
394
       
+
       
        ]

     

       
395
       
395
       
+
       
      },

     

       
396
       
396
       
+
       
      "locked": {

     

       
397
       
397
       
+
       
        "lastModified": 1709087332,

     

       
398
       
398
       
+
       
        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",

     

       
399
       
399
       
+
       
        "owner": "hercules-ci",

     

       
400
       
400
       
+
       
        "repo": "gitignore.nix",

     

       
401
       
401
       
+
       
        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",

     

       
402
       
402
       
+
       
        "type": "github"

     

       
403
       
403
       
+
       
      },

     

       
404
       
404
       
+
       
      "original": {

     

       
405
       
405
       
+
       
        "owner": "hercules-ci",

     

       
406
       
406
       
+
       
        "repo": "gitignore.nix",

     

       
407
       
407
       
+
       
        "type": "github"

     

       
408
       
408
       
+
       
      }

     

       
409
       
409
       
+
       
    },

     

       
409
       
410
       
 
       
    "gomod2nix": {

     

       
410
       
411
       
 
       
      "inputs": {

     

       
411
       
412
       
 
       
        "nixpkgs": [

     
···

       
456
       
457
       
 
       
        ]

     

       
457
       
458
       
 
       
      },

     

       
458
       
459
       
 
       
      "locked": {

     

       
459
       
459
       
-
       
        "lastModified": 1736373539,

     

       
460
       
460
       
-
       
        "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=",

     

       
460
       
460
       
+
       
        "lastModified": 1743387206,

     

       
461
       
461
       
+
       
        "narHash": "sha256-24N3NAuZZbYqZ39NgToZgHUw6M7xHrtrAm18kv0+2Wo=",

     

       
461
       
462
       
 
       
        "owner": "nix-community",

     

       
462
       
463
       
 
       
        "repo": "home-manager",

     

       
463
       
463
       
-
       
        "rev": "bd65bc3cde04c16755955630b344bc9e35272c56",

     

       
464
       
464
       
+
       
        "rev": "15c5f9d04fabd176f30286c8f52bbdb2c853a146",

     

       
464
       
465
       
 
       
        "type": "github"

     

       
465
       
466
       
 
       
      },

     

       
466
       
467
       
 
       
      "original": {

     
···

       
470
       
471
       
 
       
        "type": "github"

     

       
471
       
472
       
 
       
      }

     

       
472
       
473
       
 
       
    },

     

       
474
       
474
       
+
       
    "htmx-src": {

     

       
475
       
475
       
+
       
      "flake": false,

     

       
476
       
476
       
+
       
      "locked": {

     

       
477
       
477
       
+
       
        "narHash": "sha256-nm6avZuEBg67SSyyZUhjpXVNstHHgUxrtBHqJgowU08=",

     

       
478
       
478
       
+
       
        "type": "file",

     

       
479
       
479
       
+
       
        "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"

     

       
480
       
480
       
+
       
      },

     

       
481
       
481
       
+
       
      "original": {

     

       
482
       
482
       
+
       
        "type": "file",

     

       
483
       
483
       
+
       
        "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"

     

       
484
       
484
       
+
       
      }

     

       
485
       
485
       
+
       
    },

     

       
473
       
486
       
 
       
    "hyperbib-eeg": {

     

       
474
       
487
       
 
       
      "inputs": {

     

       
475
       
475
       
-
       
        "flake-utils": "flake-utils_5",

     

       
488
       
488
       
+
       
        "flake-utils": "flake-utils_4",

     

       
476
       
489
       
 
       
        "nixpkgs": [

     

       
477
       
490
       
 
       
          "nixpkgs"

     

       
478
       
491
       
 
       
        ],

     
···

       
496
       
509
       
 
       
    },

     

       
497
       
510
       
 
       
    "i3-workspace-history": {

     

       
498
       
511
       
 
       
      "inputs": {

     

       
499
       
499
       
-
       
        "flake-utils": "flake-utils_7",

     

       
512
       
512
       
+
       
        "flake-utils": "flake-utils_6",

     

       
500
       
513
       
 
       
        "gomod2nix": "gomod2nix",

     

       
501
       
514
       
 
       
        "nixpkgs": [

     

       
502
       
515
       
 
       
          "nixpkgs"

     
···

       
516
       
529
       
 
       
        "type": "github"

     

       
517
       
530
       
 
       
      }

     

       
518
       
531
       
 
       
    },

     

       
532
       
532
       
+
       
    "ia-fonts-src": {

     

       
533
       
533
       
+
       
      "flake": false,

     

       
534
       
534
       
+
       
      "locked": {

     

       
535
       
535
       
+
       
        "lastModified": 1686932517,

     

       
536
       
536
       
+
       
        "narHash": "sha256-2T165nFfCzO65/PIHauJA//S+zug5nUwPcg8NUEydfc=",

     

       
537
       
537
       
+
       
        "owner": "iaolo",

     

       
538
       
538
       
+
       
        "repo": "iA-Fonts",

     

       
539
       
539
       
+
       
        "rev": "f32c04c3058a75d7ce28919ce70fe8800817491b",

     

       
540
       
540
       
+
       
        "type": "github"

     

       
541
       
541
       
+
       
      },

     

       
542
       
542
       
+
       
      "original": {

     

       
543
       
543
       
+
       
        "owner": "iaolo",

     

       
544
       
544
       
+
       
        "repo": "iA-Fonts",

     

       
545
       
545
       
+
       
        "type": "github"

     

       
546
       
546
       
+
       
      }

     

       
547
       
547
       
+
       
    },

     

       
548
       
548
       
+
       
    "indigo": {

     

       
549
       
549
       
+
       
      "flake": false,

     

       
550
       
550
       
+
       
      "locked": {

     

       
551
       
551
       
+
       
        "lastModified": 1738491661,

     

       
552
       
552
       
+
       
        "narHash": "sha256-+njDigkvjH4XmXZMog5Mp0K4x9mamHX6gSGJCZB9mE4=",

     

       
553
       
553
       
+
       
        "owner": "oppiliappan",

     

       
554
       
554
       
+
       
        "repo": "indigo",

     

       
555
       
555
       
+
       
        "rev": "feb802f02a462ac0a6392ffc3e40b0529f0cdf71",

     

       
556
       
556
       
+
       
        "type": "github"

     

       
557
       
557
       
+
       
      },

     

       
558
       
558
       
+
       
      "original": {

     

       
559
       
559
       
+
       
        "owner": "oppiliappan",

     

       
560
       
560
       
+
       
        "repo": "indigo",

     

       
561
       
561
       
+
       
        "type": "github"

     

       
562
       
562
       
+
       
      }

     

       
563
       
563
       
+
       
    },

     

       
564
       
564
       
+
       
    "lucide-src": {

     

       
565
       
565
       
+
       
      "flake": false,

     

       
566
       
566
       
+
       
      "locked": {

     

       
567
       
567
       
+
       
        "lastModified": 1742302029,

     

       
568
       
568
       
+
       
        "narHash": "sha256-OyPVtpnC4/AAmPq84Wt1r1Gcs48d9KG+UBCtZK87e9k=",

     

       
569
       
569
       
+
       
        "type": "tarball",

     

       
570
       
570
       
+
       
        "url": "https://github.com/lucide-icons/lucide/releases/download/0.483.0/lucide-icons-0.483.0.zip"

     

       
571
       
571
       
+
       
      },

     

       
572
       
572
       
+
       
      "original": {

     

       
573
       
573
       
+
       
        "type": "tarball",

     

       
574
       
574
       
+
       
        "url": "https://github.com/lucide-icons/lucide/releases/download/0.483.0/lucide-icons-0.483.0.zip"

     

       
575
       
575
       
+
       
      }

     

       
576
       
576
       
+
       
    },

     

       
519
       
577
       
 
       
    "mirage-opam-overlays": {

     

       
520
       
578
       
 
       
      "flake": false,

     

       
521
       
579
       
 
       
      "locked": {

     
···

       
545
       
603
       
 
       
      "original": {

     

       
546
       
604
       
 
       
        "owner": "dune-universe",

     

       
547
       
605
       
 
       
        "repo": "mirage-opam-overlays",

     

       
548
       
548
       
-
       
        "type": "github"

     

       
549
       
549
       
-
       
      }

     

       
550
       
550
       
-
       
    },

     

       
551
       
551
       
-
       
    "nix-filter": {

     

       
552
       
552
       
-
       
      "locked": {

     

       
553
       
553
       
-
       
        "lastModified": 1681154353,

     

       
554
       
554
       
-
       
        "narHash": "sha256-MCJ5FHOlbfQRFwN0brqPbCunLEVw05D/3sRVoNVt2tI=",

     

       
555
       
555
       
-
       
        "owner": "numtide",

     

       
556
       
556
       
-
       
        "repo": "nix-filter",

     

       
557
       
557
       
-
       
        "rev": "f529f42792ade8e32c4be274af6b6d60857fbee7",

     

       
558
       
558
       
-
       
        "type": "github"

     

       
559
       
559
       
-
       
      },

     

       
560
       
560
       
-
       
      "original": {

     

       
561
       
561
       
-
       
        "owner": "numtide",

     

       
562
       
562
       
-
       
        "repo": "nix-filter",

     

       
563
       
606
       
 
       
        "type": "github"

     

       
564
       
607
       
 
       
      }

     

       
565
       
608
       
 
       
    },

     
···

       
638
       
681
       
 
       
    },

     

       
639
       
682
       
 
       
    "nixos-hardware": {

     

       
640
       
683
       
 
       
      "locked": {

     

       
641
       
641
       
-
       
        "lastModified": 1737590910,

     

       
642
       
642
       
-
       
        "narHash": "sha256-qM/y6Dtpu9Wmf5HqeZajQdn+cS0aljdYQQQnrvx+LJE=",

     

       
684
       
684
       
+
       
        "lastModified": 1743420942,

     

       
685
       
685
       
+
       
        "narHash": "sha256-b/exDDQSLmENZZgbAEI3qi9yHkuXAXCPbormD8CSJXo=",

     

       
643
       
686
       
 
       
        "owner": "nixos",

     

       
644
       
687
       
 
       
        "repo": "nixos-hardware",

     

       
645
       
645
       
-
       
        "rev": "9368027715d8dde4b84c79c374948b5306fdd2db",

     

       
688
       
688
       
+
       
        "rev": "de6fc5551121c59c01e2a3d45b277a6d05077bc4",

     

       
646
       
689
       
 
       
        "type": "github"

     

       
647
       
690
       
 
       
      },

     

       
648
       
691
       
 
       
      "original": {

     
···

       
806
       
849
       
 
       
    },

     

       
807
       
850
       
 
       
    "nixpkgs-unstable": {

     

       
808
       
851
       
 
       
      "locked": {

     

       
809
       
809
       
-
       
        "lastModified": 1737469691,

     

       
810
       
810
       
-
       
        "narHash": "sha256-nmKOgAU48S41dTPIXAq0AHZSehWUn6ZPrUKijHAMmIk=",

     

       
852
       
852
       
+
       
        "lastModified": 1743448293,

     

       
853
       
853
       
+
       
        "narHash": "sha256-bmEPmSjJakAp/JojZRrUvNcDX2R5/nuX6bm+seVaGhs=",

     

       
811
       
854
       
 
       
        "owner": "nixos",

     

       
812
       
855
       
 
       
        "repo": "nixpkgs",

     

       
813
       
813
       
-
       
        "rev": "9e4d5190a9482a1fb9d18adf0bdb83c6e506eaab",

     

       
856
       
856
       
+
       
        "rev": "77b584d61ff80b4cef9245829a6f1dfad5afdfa3",

     

       
814
       
857
       
 
       
        "type": "github"

     

       
815
       
858
       
 
       
      },

     

       
816
       
859
       
 
       
      "original": {

     
···

       
822
       
865
       
 
       
    },

     

       
823
       
866
       
 
       
    "nixpkgs_2": {

     

       
824
       
867
       
 
       
      "locked": {

     

       
825
       
825
       
-
       
        "lastModified": 1737569578,

     

       
826
       
826
       
-
       
        "narHash": "sha256-6qY0pk2QmUtBT9Mywdvif0i/CLVgpCjMUn6g9vB+f3M=",

     

       
868
       
868
       
+
       
        "lastModified": 1743501102,

     

       
869
       
869
       
+
       
        "narHash": "sha256-7PCBQ4aGVF8OrzMkzqtYSKyoQuU2jtpPi4lmABpe5X4=",

     

       
827
       
870
       
 
       
        "owner": "nixos",

     

       
828
       
871
       
 
       
        "repo": "nixpkgs",

     

       
829
       
829
       
-
       
        "rev": "47addd76727f42d351590c905d9d1905ca895b82",

     

       
872
       
872
       
+
       
        "rev": "02f2af8c8a8c3b2c05028936a1e84daefa1171d4",

     

       
830
       
873
       
 
       
        "type": "github"

     

       
831
       
874
       
 
       
      },

     

       
832
       
875
       
 
       
      "original": {

     
···

       
930
       
973
       
 
       
        "opam2json": "opam2json"

     

       
931
       
974
       
 
       
      },

     

       
932
       
975
       
 
       
      "locked": {

     

       
933
       
933
       
-
       
        "lastModified": 1732617437,

     

       
934
       
934
       
-
       
        "narHash": "sha256-jj25fziYrES8Ix6HkfSiLzrN6MZjiwlHUxFSIuLRjgE=",

     

       
976
       
976
       
+
       
        "lastModified": 1741156005,

     

       
977
       
977
       
+
       
        "narHash": "sha256-JBPvXe5g1V2xpmPVMlf5CP5+T1E+TCK73lqeqV89EJE=",

     

       
935
       
978
       
 
       
        "owner": "tweag",

     

       
936
       
979
       
 
       
        "repo": "opam-nix",

     

       
937
       
937
       
-
       
        "rev": "ea8b9cb81fe94e1fc45c6376fcff15f17319c445",

     

       
980
       
980
       
+
       
        "rev": "e71936b31658f0b039a7d26b0c9c7a461d949ba4",

     

       
938
       
981
       
 
       
        "type": "github"

     

       
939
       
982
       
 
       
      },

     

       
940
       
983
       
 
       
      "original": {

     
···

       
946
       
989
       
 
       
    "opam-nix_2": {

     

       
947
       
990
       
 
       
      "inputs": {

     

       
948
       
991
       
 
       
        "flake-compat": "flake-compat_4",

     

       
949
       
949
       
-
       
        "flake-utils": "flake-utils_6",

     

       
992
       
992
       
+
       
        "flake-utils": "flake-utils_5",

     

       
950
       
993
       
 
       
        "mirage-opam-overlays": "mirage-opam-overlays_2",

     

       
951
       
994
       
 
       
        "nixpkgs": [

     

       
952
       
995
       
 
       
          "hyperbib-eeg",

     
···

       
1008
       
1051
       
 
       
    "opam-repository": {

     

       
1009
       
1052
       
 
       
      "flake": false,

     

       
1010
       
1053
       
 
       
      "locked": {

     

       
1011
       
1011
       
-
       
        "lastModified": 1732612513,

     

       
1012
       
1012
       
-
       
        "narHash": "sha256-kju4NWEQo4xTxnKeBIsmqnyxIcCg6sNZYJ1FmG/gCDw=",

     

       
1054
       
1054
       
+
       
        "lastModified": 1740730647,

     

       
1055
       
1055
       
+
       
        "narHash": "sha256-6veU2WjUGcWDAzLDjoAI1L6GWZd0KIUq19sHcbJS+u8=",

     

       
1013
       
1056
       
 
       
        "owner": "ocaml",

     

       
1014
       
1057
       
 
       
        "repo": "opam-repository",

     

       
1015
       
1015
       
-
       
        "rev": "3d52b66b04788999a23f22f0d59c2dfc831c4f32",

     

       
1058
       
1058
       
+
       
        "rev": "f1f75fef5fbf1e8bd1cc9544e50b89ba59f625e2",

     

       
1016
       
1059
       
 
       
        "type": "github"

     

       
1017
       
1060
       
 
       
      },

     

       
1018
       
1061
       
 
       
      "original": {

     
···

       
1085
       
1128
       
 
       
      "inputs": {

     

       
1086
       
1129
       
 
       
        "agenix": "agenix",

     

       
1087
       
1130
       
 
       
        "alec-website": "alec-website",

     

       
1088
       
1088
       
-
       
        "colour-guesser": "colour-guesser",

     

       
1089
       
1131
       
 
       
        "deploy-rs": "deploy-rs",

     

       
1132
       
1132
       
+
       
        "disko": "disko",

     

       
1090
       
1133
       
 
       
        "eilean": "eilean",

     

       
1091
       
1134
       
 
       
        "eon": "eon",

     

       
1092
       
1135
       
 
       
        "fn06-website": "fn06-website",

     
···

       
1103
       
1146
       
 
       
        "nixpkgs-sonarr": "nixpkgs-sonarr",

     

       
1104
       
1147
       
 
       
        "nixpkgs-unstable": "nixpkgs-unstable",

     

       
1105
       
1148
       
 
       
        "nur": "nur",

     

       
1149
       
1149
       
+
       
        "tangled": "tangled",

     

       
1106
       
1150
       
 
       
        "timewall": "timewall"

     

       
1107
       
1151
       
 
       
      }

     

       
1108
       
1152
       
 
       
    },

     
···

       
1233
       
1277
       
 
       
        "type": "github"

     

       
1234
       
1278
       
 
       
      }

     

       
1235
       
1279
       
 
       
    },

     

       
1236
       
1236
       
-
       
    "systems_7": {

     

       
1280
       
1280
       
+
       
    "tangled": {

     

       
1281
       
1281
       
+
       
      "inputs": {

     

       
1282
       
1282
       
+
       
        "gitignore": "gitignore",

     

       
1283
       
1283
       
+
       
        "htmx-src": "htmx-src",

     

       
1284
       
1284
       
+
       
        "ia-fonts-src": "ia-fonts-src",

     

       
1285
       
1285
       
+
       
        "indigo": "indigo",

     

       
1286
       
1286
       
+
       
        "lucide-src": "lucide-src",

     

       
1287
       
1287
       
+
       
        "nixpkgs": [

     

       
1288
       
1288
       
+
       
          "nixpkgs"

     

       
1289
       
1289
       
+
       
        ]

     

       
1290
       
1290
       
+
       
      },

     

       
1237
       
1291
       
 
       
      "locked": {

     

       
1238
       
1238
       
-
       
        "lastModified": 1681028828,

     

       
1239
       
1239
       
-
       
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",

     

       
1240
       
1240
       
-
       
        "owner": "nix-systems",

     

       
1241
       
1241
       
-
       
        "repo": "default",

     

       
1242
       
1242
       
-
       
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",

     

       
1243
       
1243
       
-
       
        "type": "github"

     

       
1292
       
1292
       
+
       
        "lastModified": 1743620557,

     

       
1293
       
1293
       
+
       
        "narHash": "sha256-w7a9Qn/IUdCe+gk5cMvSUS+YKItK2iTiu2Qcq49a+zU=",

     

       
1294
       
1294
       
+
       
        "ref": "refs/heads/master",

     

       
1295
       
1295
       
+
       
        "rev": "19ee94f42ab259c218762e6f0ed87952f80b5162",

     

       
1296
       
1296
       
+
       
        "revCount": 420,

     

       
1297
       
1297
       
+
       
        "type": "git",

     

       
1298
       
1298
       
+
       
        "url": "https://tangled.sh/@tangled.sh/core"

     

       
1244
       
1299
       
 
       
      },

     

       
1245
       
1300
       
 
       
      "original": {

     

       
1246
       
1246
       
-
       
        "owner": "nix-systems",

     

       
1247
       
1247
       
-
       
        "repo": "default",

     

       
1248
       
1248
       
-
       
        "type": "github"

     

       
1301
       
1301
       
+
       
        "type": "git",

     

       
1302
       
1302
       
+
       
        "url": "https://tangled.sh/@tangled.sh/core"

     

       
1249
       
1303
       
 
       
      }

     

       
1250
       
1304
       
 
       
    },

     

       
1251
       
1305
       
 
       
    "timewall": {

     
···

       
1256
       
1310
       
 
       
        "rust-overlay": "rust-overlay"

     

       
1257
       
1311
       
 
       
      },

     

       
1258
       
1312
       
 
       
      "locked": {

     

       
1259
       
1259
       
-
       
        "lastModified": 1739621014,

     

       
1260
       
1260
       
-
       
        "narHash": "sha256-bFNAAmytYErdLqw7OJyKKeCSeHZ2XcxmXMSg09Y9b6U=",

     

       
1313
       
1313
       
+
       
        "lastModified": 1743524557,

     

       
1314
       
1314
       
+
       
        "narHash": "sha256-0rNcLtKWbjI0VqlusrqPMcpPgdkkZGkOIt9s3CnsCao=",

     

       
1261
       
1315
       
 
       
        "owner": "bcyran",

     

       
1262
       
1316
       
 
       
        "repo": "timewall",

     

       
1263
       
1263
       
-
       
        "rev": "686e9d2154621fadf6ce4c8d5fae0b16c29acc8e",

     

       
1317
       
1317
       
+
       
        "rev": "789befef40bf0d45e48285f17f512b41924cfeb7",

     

       
1264
       
1318
       
 
       
        "type": "github"

     

       
1265
       
1319
       
 
       
      },

     

       
1266
       
1320
       
 
       
      "original": {

     
···

       
1292
       
1346
       
 
       
    },

     

       
1293
       
1347
       
 
       
    "utils": {

     

       
1294
       
1348
       
 
       
      "inputs": {

     

       
1295
       
1295
       
-
       
        "systems": "systems_3"

     

       
1349
       
1349
       
+
       
        "systems": "systems_2"

     

       
1296
       
1350
       
 
       
      },

     

       
1297
       
1351
       
 
       
      "locked": {

     

       
1298
       
1352
       
 
       
        "lastModified": 1701680307,

     
···

       
1310
       
1364
       
 
       
    },

     

       
1311
       
1365
       
 
       
    "utils_2": {

     

       
1312
       
1366
       
 
       
      "inputs": {

     

       
1313
       
1313
       
-
       
        "systems": "systems_4"

     

       
1367
       
1367
       
+
       
        "systems": "systems_3"

     

       
1314
       
1368
       
 
       
      },

     

       
1315
       
1369
       
 
       
      "locked": {

     

       
1316
       
1370
       
 
       
        "lastModified": 1709126324,

     

···

       
15
       
15
       
 
       
    eilean.url = "github:RyanGibb/eilean-nix/main";

     

       
16
       
16
       
 
       
    alec-website.url = "github:alexanderhthompson/website";

     

       
17
       
17
       
 
       
    fn06-website.url = "github:RyanGibb/fn06";

     

       
18
       
18
       
-
       
    colour-guesser.url = "git+ssh://git@github.com/ryangibb/colour-guesser.git?ref=develop";

     

       
19
       
18
       
 
       
    i3-workspace-history.url = "github:RyanGibb/i3-workspace-history";

     

       
20
       
19
       
 
       
    hyperbib-eeg.url = "github:RyanGibb/hyperbib?ref=nixify";

     

       
21
       
20
       
 
       
    nix-rpi5.url = "gitlab:vriska/nix-rpi5?ref=main";

     

       
22
       
21
       
 
       
    nur.url = "github:nix-community/NUR/e9e77b7985ef9bdeca12a38523c63d47555cc89b";

     

       
23
       
22
       
 
       
    timewall.url = "github:bcyran/timewall/";

     

       
23
       
23
       
+
       
    tangled.url = "git+https://tangled.sh/@tangled.sh/core";

     

       
24
       
24
       
+
       
    disko.url = "github:nix-community/disko";

     

       
24
       
25
       
 
       


     

       
25
       
26
       
 
       
    # deduplicate flake inputs

     

       
26
       
27
       
 
       
    eilean.inputs.nixpkgs.follows = "nixpkgs";

     
···

       
32
       
33
       
 
       
    alec-website.inputs.nixpkgs.follows = "nixpkgs";

     

       
33
       
34
       
 
       
    fn06-website.inputs.nixpkgs.follows = "nixpkgs";

     

       
34
       
35
       
 
       
    eon.inputs.nixpkgs.follows = "nixpkgs";

     

       
35
       
35
       
-
       
    colour-guesser.inputs.nixpkgs.follows = "nixpkgs";

     

       
36
       
36
       
 
       
    i3-workspace-history.inputs.nixpkgs.follows = "nixpkgs";

     

       
37
       
37
       
 
       
    hyperbib-eeg.inputs.nixpkgs.follows = "nixpkgs";

     

       
38
       
38
       
 
       
    nix-rpi5.inputs.nixpkgs.follows = "nixpkgs";

     

       
39
       
39
       
 
       
    nur.inputs.nixpkgs.follows = "nixpkgs";

     

       
40
       
40
       
 
       
    timewall.inputs.nixpkgs.follows = "nixpkgs";

     

       
41
       
41
       
+
       
    tangled.inputs.nixpkgs.follows = "nixpkgs";

     

       
42
       
42
       
+
       
    disko.inputs.nixpkgs.follows = "nixpkgs";

     

       
41
       
43
       
 
       
  };

     

       
42
       
44
       
 
       


     

       
43
       
45
       
 
       
  outputs =

     
···

       
116
       
118
       
 
       
                (

     

       
117
       
119
       
 
       
                  { config, ... }:

     

       
118
       
120
       
 
       
                  {

     

       
119
       
119
       
-
       
                    networking.hostName = "${host}";

     

       
121
       
121
       
+
       
                    networking.hostName = host-nixpkgs.lib.mkDefault "${host}";

     

       
120
       
122
       
 
       
                    # pin nix command's nixpkgs flake to the system flake to avoid unnecessary downloads

     

       
121
       
123
       
 
       
                    nix.registry.nixpkgs.flake = host-nixpkgs;

     

       
122
       
124
       
 
       
                    system.stateVersion = "24.05";

     
···

       
275
       
277
       
 
       
      formatter = inputs.nixpkgs.lib.genAttrs inputs.nixpkgs.lib.systems.flakeExposed (

     

       
276
       
278
       
 
       
        system: inputs.nixpkgs.legacyPackages.${system}.nixfmt-rfc-style

     

       
277
       
279
       
 
       
      );

     

       
278
       
278
       
-
       


     

       
279
       
279
       
-
       
      templates.host.path = ./templates/host;

     

       
280
       
280
       
 
       
    };

     

       
281
       
281
       
 
       
}

     

···

       
12
       
12
       
 
       
  options.custom.calendar.enable = lib.mkEnableOption "calendar";

     

       
13
       
13
       
 
       


     

       
14
       
14
       
 
       
  config = lib.mkIf cfg.enable {

     

       
15
       
15
       
+
       
    home.packages = with pkgs; [

     

       
16
       
16
       
+
       
      vdirsyncer

     

       
17
       
17
       
+
       
    ];

     

       
18
       
18
       
+
       


     

       
15
       
19
       
 
       
    programs = {

     

       
16
       
20
       
 
       
      password-store.enable = true;

     

       
17
       
21
       
 
       
      gpg.enable = true;

     

       
18
       
18
       
-
       
      vdirsyncer.enable = true;

     

       
19
       
19
       
-
       
      khal = {

     

       
20
       
20
       
-
       
        enable = true;

     

       
21
       
21
       
-
       
        locale = {

     

       
22
       
22
       
-
       
          timeformat = "%I:%M%p";

     

       
23
       
23
       
-
       
          dateformat = "%y-%m-%d";

     

       
24
       
24
       
-
       
          longdateformat = "%Y-%m-%d";

     

       
25
       
25
       
-
       
          datetimeformat = "%y-%m-%d %I:%M%p";

     

       
26
       
26
       
-
       
          longdatetimeformat = "%Y-%m-%d %I:%M%p";

     

       
27
       
27
       
-
       
        };

     

       
28
       
28
       
-
       
        settings = {

     

       
29
       
29
       
-
       
          default.default_calendar = "ryan_freumh_org";

     

       
30
       
30
       
-
       
          keybindings.external_edit = "ctrl e";

     

       
31
       
31
       
-
       
          keybindings.save = "ctrl s";

     

       
32
       
32
       
-
       
        };

     

       
33
       
33
       
-
       
      };

     

       
34
       
22
       
 
       
    };

     

       
35
       
23
       
 
       


     

       
36
       
24
       
 
       
    services = {

     

       
37
       
25
       
 
       
      gpg-agent.enable = true;

     

       
38
       
38
       
-
       
    };

     

       
39
       
39
       
-
       


     

       
40
       
40
       
-
       
    accounts.calendar = {

     

       
41
       
41
       
-
       
      basePath = "calendar";

     

       
42
       
42
       
-
       
      accounts = {

     

       
43
       
43
       
-
       
        "ryan_freumh_org" = {

     

       
44
       
44
       
-
       
          khal = {

     

       
45
       
45
       
-
       
            enable = true;

     

       
46
       
46
       
-
       
            color = "white";

     

       
47
       
47
       
-
       
          };

     

       
48
       
48
       
-
       
          vdirsyncer = {

     

       
49
       
49
       
-
       
            enable = true;

     

       
50
       
50
       
-
       
          };

     

       
51
       
51
       
-
       
          remote = {

     

       
52
       
52
       
-
       
            type = "caldav";

     

       
53
       
53
       
-
       
            url = "https://cal.freumh.org/ryan/f497c073-d027-2aa5-1e58-cbec1bf5a8c7/";

     

       
54
       
54
       
-
       
            passwordCommand = [

     

       
55
       
55
       
-
       
              "${pkgs.pass}/bin/pass"

     

       
56
       
56
       
-
       
              "show"

     

       
57
       
57
       
-
       
              "calendar/ryan@freumh.org"

     

       
58
       
58
       
-
       
            ];

     

       
59
       
59
       
-
       
            userName = "ryan";

     

       
60
       
60
       
-
       
          };

     

       
61
       
61
       
-
       
          local = {

     

       
62
       
62
       
-
       
            type = "filesystem";

     

       
63
       
63
       
-
       
            fileExt = ".ics";

     

       
64
       
64
       
-
       
          };

     

       
65
       
65
       
-
       
        };

     

       
66
       
66
       
-
       
      };

     

       
67
       
26
       
 
       
    };

     

       
68
       
27
       
 
       
  };

     

       
69
       
28
       
 
       
}

     

···

       
14
       
14
       
 
       
    if [[ $# -eq 1 ]]; then

     

       
15
       
15
       
 
       
        selected=$1

     

       
16
       
16
       
 
       
    else

     

       
17
       
17
       
-
       
        selected=$((tac "$hist_file"; find ~/ ~/projects -mindepth 1 -maxdepth 1 -type d -not -path '*/[.]*'; echo /etc/nixos) | awk '!seen[$0]++' | fzf --print-query | tail -n 1)

     

       
17
       
17
       
+
       
        selected=$((tac "$hist_file"

     

       
18
       
18
       
+
       
            find ~/ ~/projects -mindepth 1 -maxdepth 1 -type d -not -path '*/[.]*'

     

       
19
       
19
       
+
       
            awk '{print "ssh " $1}' ~/.ssh/known_hosts 2>/dev/null | sort -u

     

       
20
       
20
       
+
       
            echo /etc/nixos) | awk '!seen[$0]++' | fzf --print-query | tail -n 1)

     

       
18
       
21
       
 
       
    fi

     

       
19
       
22
       
 
       


     

       
20
       
23
       
 
       
    if [[ -z $selected ]]; then

     
···

       
26
       
29
       
 
       
    selected_name=$(basename "$selected" | tr . _)

     

       
27
       
30
       
 
       
    tmux_running=$(pgrep tmux)

     

       
28
       
31
       
 
       


     

       
29
       
29
       
-
       
    if [[ -z $TMUX ]] && [[ -z $tmux_running ]]; then

     

       
30
       
30
       
-
       
        tmux new-session -s $selected_name -c $selected

     

       
31
       
31
       
-
       
        exit 0

     

       
32
       
32
       
+
       
    if [[ $selected == ssh\ * ]]; then

     

       
33
       
33
       
+
       
        if [[ -z $TMUX ]] && [[ -z $tmux_running ]]; then

     

       
34
       
34
       
+
       
            tmux new-session -s "$selected_name" "$selected"

     

       
35
       
35
       
+
       
            exit 0

     

       
36
       
36
       
+
       
        fi

     

       
37
       
37
       
+
       


     

       
38
       
38
       
+
       
        if ! tmux has-session -t="$selected_name" 2> /dev/null; then

     

       
39
       
39
       
+
       
            tmux new-session -ds "$selected_name" "$selected"

     

       
40
       
40
       
+
       
        fi

     

       
41
       
41
       
+
       
    else

     

       
42
       
42
       
+
       
        if [[ -z $TMUX ]] && [[ -z "$tmux_running" ]]; then

     

       
43
       
43
       
+
       
            tmux new-session -s "$selected_name" -c "$selected"

     

       
44
       
44
       
+
       
            exit 0

     

       
45
       
45
       
+
       
        fi

     

       
46
       
46
       
+
       


     

       
47
       
47
       
+
       
        if ! tmux has-session -t="$selected_name" 2> /dev/null; then

     

       
48
       
48
       
+
       
            tmux new-session -ds "$selected_name" -c "$selected"

     

       
49
       
49
       
+
       
        fi

     

       
32
       
50
       
 
       
    fi

     

       
33
       
51
       
 
       


     

       
34
       
34
       
-
       
    if ! tmux has-session -t=$selected_name 2> /dev/null; then

     

       
35
       
35
       
-
       
        tmux new-session -ds $selected_name -c $selected

     

       
36
       
36
       
-
       
    fi

     

       
37
       
52
       
 
       


     

       
38
       
38
       
-
       
    tmux switch-client -t $selected_name

     

       
53
       
53
       
+
       
    tmux switch-client -t "$selected_name"

     

       
39
       
54
       
 
       
  '';

     

       
40
       
55
       
 
       
in

     

       
41
       
56
       
 
       
{

     
···

       
216
       
231
       
 
       
          unbind C-b

     

       
217
       
232
       
 
       
          set-option -g prefix C-a

     

       
218
       
233
       
 
       
          bind-key C-a send-prefix

     

       
219
       
219
       
-
       


     

       
220
       
234
       
 
       
          set-window-option -g mode-keys vi

     

       
221
       
235
       
 
       
          set-option -g mouse on

     

       
222
       
236
       
 
       
          set-option -g set-titles on

     
···

       
230
       
244
       
 
       
          # https://stackoverflow.com/questions/62182401/neovim-screen-lagging-when-switching-mode-from-insert-to-normal

     

       
231
       
245
       
 
       
          # locking

     

       
232
       
246
       
 
       
          set -s escape-time 0

     

       
233
       
233
       
-
       
          set -g lock-command ${pkgs.vlock}/bin/vlock

     

       
234
       
234
       
-
       
          set -g lock-after-time 0 # Seconds; 0 = never

     

       
235
       
235
       
-
       
          bind L lock-session

     

       
236
       
247
       
 
       
          # for .zprofile display environment starting https://github.com/tmux/tmux/issues/3483

     

       
237
       
248
       
 
       
          set-option -g update-environment XDG_VTNR

     

       
238
       
249
       
 
       
          # Allow clipboard with OSC-52 work

     
···

       
246
       
257
       
 
       
          bind-key -r f run-shell "tmux neww tmux-sessionizer"

     

       
247
       
258
       
 
       
          # reload

     

       
248
       
259
       
 
       
          bind-key r source-file ~/.config/tmux/tmux.conf

     

       
249
       
249
       
-
       
          # kill unattached

     

       
250
       
250
       
-
       
          bind-key K run-shell 'tmux ls | grep -v attached | cut -d: -f1 | xargs -I {} tmux kill-window -t {}'

     

       
251
       
260
       
 
       
        '';

     

       
252
       
261
       
 
       
    };

     

       
253
       
262
       
 
       


     

···

       
7
       
7
       
 
       


     

       
8
       
8
       
 
       
let

     

       
9
       
9
       
 
       
  cfg = config.custom.emacs;

     

       
10
       
10
       
-
       
  emacs = (pkgs.emacsPackagesFor pkgs.emacs29-pgtk).emacsWithPackages (

     

       
10
       
10
       
+
       
  emacs = (pkgs.emacsPackagesFor pkgs.emacs30-pgtk).emacsWithPackages (

     

       
11
       
11
       
 
       
    epkgs: with epkgs; [

     

       
12
       
12
       
 
       
      treesit-grammars.with-all-grammars

     

       
13
       
13
       
 
       
      vterm

     

···

       
186
       
186
       
 
       
      };

     

       
187
       
187
       
 
       
    };

     

       
188
       
188
       
 
       


     

       
189
       
189
       
-
       
    services.timewall = {

     

       
189
       
189
       
+
       
    services.timewall = lib.mkIf (inputs ? timewall) {

     

       
190
       
190
       
 
       
      enable = true;

     

       
191
       
191
       
 
       
      config = {

     

       
192
       
192
       
 
       
        geoclue.timeout = 1000;

     

···

       
63
       
63
       
 
       
        export MOZ_ENABLE_WAYLAND=1

     

       
64
       
64
       
 
       
        export MOZ_DBUS_REMOTE=1

     

       
65
       
65
       
 
       
        export QT_STYLE_OVERRIDE="Fusion"

     

       
66
       
66
       
-
       
        export WLR_NO_HARDWARE_CURSORS=1

     

       
67
       
66
       
 
       
        export NIXOS_OZONE_WL=1

     

       
68
       
67
       
 
       


     

       
69
       
68
       
 
       
        # for intellij

     

···

       
201
       
201
       
 
       
bindsym $mod+Control+Shift+k resize shrink height 1px

     

       
202
       
202
       
 
       
bindsym $mod+Control+Shift+l resize grow   width  1px

     

       
203
       
203
       
 
       


     

       
204
       
204
       
-
       
bindsym $mod+$alt+h focus output left

     

       
205
       
205
       
-
       
bindsym $mod+$alt+j focus output down

     

       
206
       
206
       
-
       
bindsym $mod+$alt+k focus output up

     

       
207
       
207
       
-
       
bindsym $mod+$alt+l focus output right

     

       
204
       
204
       
+
       
bindsym $mod+$alt+h focus output left ; exec st workspace -t 500

     

       
205
       
205
       
+
       
bindsym $mod+$alt+j focus output down ; exec st workspace -t 500

     

       
206
       
206
       
+
       
bindsym $mod+$alt+k focus output up ; exec st workspace -t 500

     

       
207
       
207
       
+
       
bindsym $mod+$alt+l focus output right ; exec st workspace -t 500

     

       
208
       
208
       
 
       


     

       
209
       
209
       
 
       
bindsym $mod+$alt+Shift+h move container to output left

     

       
210
       
210
       
 
       
bindsym $mod+$alt+Shift+j move container to output down

     

···

       
40
       
40
       
 
       
      mu.enable = true;

     

       
41
       
41
       
 
       
      msmtp.enable = true;

     

       
42
       
42
       
 
       
      aerc = {

     

       
43
       
43
       
-
       
        enable = true;

     

       
43
       
43
       
+
       
        # enable = true;

     

       
44
       
44
       
 
       
        extraConfig = {

     

       
45
       
45
       
 
       
          general.unsafe-accounts-conf = true;

     

       
46
       
46
       
 
       
          general.default-save-path = "~/downloads";

     
···

       
66
       
66
       
 
       
        extraBinds = import ./aerc-binds.nix { inherit pkgs; };

     

       
67
       
67
       
 
       
      };

     

       
68
       
68
       
 
       
      neomutt = {

     

       
69
       
69
       
-
       
        enable = true;

     

       
69
       
69
       
+
       
        # enable = true;

     

       
70
       
70
       
 
       
        extraConfig = ''

     

       
71
       
71
       
 
       
          # Macro to switch accounts

     

       
72
       
72
       
 
       
          macro index,pager <F1> '"<change-folder> ${config.accounts.email.maildirBasePath}/ryan@freumh.org/Inbox<enter>"'

     
···

       
80
       
80
       
 
       
                                         "mu find results"

     

       
81
       
81
       
 
       
        '';

     

       
82
       
82
       
 
       
      };

     

       
83
       
83
       
-
       
      notmuch.enable = true;

     

       
84
       
83
       
 
       
    };

     

       
85
       
84
       
 
       


     

       
86
       
85
       
 
       
    services = {

     
···

       
152
       
151
       
 
       
              macro index gt "<change-folder>=${folders.trash}<enter>"

     

       
153
       
152
       
 
       
            '';

     

       
154
       
153
       
 
       
          };

     

       
155
       
155
       
-
       
          notmuch.enable = true;

     

       
156
       
154
       
 
       
        };

     

       
157
       
155
       
 
       
        "misc@freumh.org" = rec {

     

       
158
       
156
       
 
       
          userName = "misc@freumh.org";

     
···

       
194
       
192
       
 
       
              macro index gt "<change-folder>=${folders.trash}<enter>"

     

       
195
       
193
       
 
       
            '';

     

       
196
       
194
       
 
       
          };

     

       
197
       
197
       
-
       
          notmuch.enable = true;

     

       
198
       
195
       
 
       
        };

     

       
199
       
196
       
 
       
        "ryan.gibb@cl.cam.ac.uk" = rec {

     

       
200
       
197
       
 
       
          userName = "rtg24@fm.cl.cam.ac.uk";

     
···

       
210
       
207
       
 
       
          };

     

       
211
       
208
       
 
       
          imapnotify = {

     

       
212
       
209
       
 
       
            enable = true;

     

       
213
       
213
       
-
       
            boxes = [ "Inbox" "Sidebox" ];

     

       
210
       
210
       
+
       
            boxes = [

     

       
211
       
211
       
+
       
              "Inbox"

     

       
212
       
212
       
+
       
              "Sidebox"

     

       
213
       
213
       
+
       
            ];

     

       
214
       
214
       
 
       
            onNotify = "${sync-mail}/bin/sync-mail ryan.gibb@cl.cam.ac.uk:INBOX ryan.gibb@cl.cam.ac.uk:Sidebox";

     

       
215
       
215
       
 
       
          };

     

       
216
       
216
       
 
       
          mbsync = {

     
···

       
253
       
253
       
 
       
              macro index gt "<change-folder>=${folders.trash}<enter>"

     

       
254
       
254
       
 
       
            '';

     

       
255
       
255
       
 
       
          };

     

       
256
       
256
       
-
       
          notmuch.enable = true;

     

       
257
       
256
       
 
       
        };

     

       
258
       
257
       
 
       
        "ryangibb321@gmail.com" = rec {

     

       
259
       
258
       
 
       
          userName = "ryangibb321@gmail.com";

     
···

       
269
       
268
       
 
       
          };

     

       
270
       
269
       
 
       
          imapnotify = {

     

       
271
       
270
       
 
       
            enable = true;

     

       
272
       
272
       
-
       
            boxes = [ "Inbox" "Sidebox" ];

     

       
271
       
271
       
+
       
            boxes = [

     

       
272
       
272
       
+
       
              "Inbox"

     

       
273
       
273
       
+
       
              "Sidebox"

     

       
274
       
274
       
+
       
            ];

     

       
273
       
275
       
 
       
            onNotify = "${sync-mail}/bin/sync-mail ryangibb321@gmail.com:INBOX ryangibb321@gmail.com:Sidebox";

     

       
274
       
276
       
 
       
          };

     

       
275
       
277
       
 
       
          mbsync = {

     
···

       
311
       
313
       
 
       
              macro index gt "<change-folder>=${folders.trash}<enter>"

     

       
312
       
314
       
 
       
            '';

     

       
313
       
315
       
 
       
          };

     

       
314
       
314
       
-
       
          notmuch.enable = true;

     

       
315
       
316
       
 
       
        };

     

       
316
       
317
       
 
       
        search = {

     

       
317
       
318
       
 
       
          maildir.path = "search";

     

···

       
1
       
1
       
+
       


     

       
2
       
2
       
+
       
# https://www.emacswiki.org/emacs/TrampMode#h5o-9

     

       
3
       
3
       
+
       
[[ $TERM == "dumb" ]] && unsetopt zle && PS1='$ ' && return

     

       
1
       
4
       
 
       


     

       
2
       
5
       
 
       
setopt autocd nomatch notify interactive_comments inc_append_history 

     

       
3
       
6
       
 
       
unsetopt beep extendedglob share_history

     
···

       
111
       
114
       
 
       
	source /run/current-system/sw/share/bash-completion/completions/ledger.bash

     

       
112
       
115
       
 
       
fi

     

       
113
       
116
       
 
       


     

       
117
       
117
       
+
       
eval $(opam env)

     

···

       
30
       
30
       
 
       
      "owntracks.vpn.freumh.org"

     

       
31
       
31
       
 
       
      "immich.vpn.freumh.org"

     

       
32
       
32
       
 
       
      "calibre.freumh.org"

     

       
33
       
33
       
+
       
      "audiobookshelf.vpn.freumh.org"

     

       
33
       
34
       
 
       
    ];

     

       
34
       
35
       
 
       
  };

     

       
35
       
36
       
 
       


     
···

       
109
       
110
       
 
       
            proxy_buffers 4 256k;

     

       
110
       
111
       
 
       
            proxy_busy_buffers_size 256k;

     

       
111
       
112
       
 
       
          '';

     

       
112
       
112
       
-
       
          };

     

       
113
       
113
       
+
       
        };

     

       
114
       
114
       
+
       
      };

     

       
115
       
115
       
+
       
      "audiobookshelf.vpn.freumh.org" = {

     

       
116
       
116
       
+
       
        onlySSL = true;

     

       
117
       
117
       
+
       
        listenAddresses = [ "100.64.0.9" ];

     

       
118
       
118
       
+
       
        locations."/" = {

     

       
119
       
119
       
+
       
          proxyPass = ''

     

       
120
       
120
       
+
       
            http://localhost:${builtins.toString config.services.audiobookshelf.port}

     

       
121
       
121
       
+
       
          '';

     

       
122
       
122
       
+
       
          proxyWebsockets = true;

     

       
123
       
123
       
+
       
        };

     

       
113
       
124
       
 
       
      };

     

       
114
       
125
       
 
       
    };

     

       
115
       
126
       
 
       
  };

     
···

       
246
       
257
       
 
       
      enableKepubify = true;

     

       
247
       
258
       
 
       
    };

     

       
248
       
259
       
 
       
  };

     

       
260
       
260
       
+
       
  users.users.${config.services.calibre-web.user}.extraGroups = [

     

       
261
       
261
       
+
       
    config.services.readarr.user

     

       
262
       
262
       
+
       
  ];

     

       
249
       
263
       
 
       


     

       
250
       
264
       
 
       
  age.secrets.restic-owl.file = ../../secrets/restic-owl.age;

     

       
251
       
265
       
 
       
  age.secrets.restic-gecko.file = ../../secrets/restic-gecko.age;

     
···

       
302
       
316
       
 
       
    host = "100.64.0.9";

     

       
303
       
317
       
 
       
    mediaLocation = "/tank/immich";

     

       
304
       
318
       
 
       
  };

     

       
319
       
319
       
+
       


     

       
320
       
320
       
+
       
  services.audiobookshelf = {

     

       
321
       
321
       
+
       
    enable = true;

     

       
322
       
322
       
+
       
    port = 8001;

     

       
323
       
323
       
+
       
  };

     

       
324
       
324
       
+
       
  users.users.${config.services.audiobookshelf.user}.extraGroups = [

     

       
325
       
325
       
+
       
    config.services.readarr.user

     

       
326
       
326
       
+
       
  ];

     

       
305
       
327
       
 
       


     

       
306
       
328
       
 
       
  services.fail2ban = {

     

       
307
       
329
       
 
       
    enable = true;

     

···

       
41
       
41
       
 
       
      emacs.enable = true;

     

       
42
       
42
       
 
       
    };

     

       
43
       
43
       
 
       
    home.sessionVariables = {

     

       
44
       
44
       
-
       
      LEDGER_FILE = "~/vault/finances.ledger";

     

       
44
       
44
       
+
       
      LEDGER_FILE = "$HOME/vault/finances.ledger";

     

       
45
       
45
       
+
       
      CALENDAR_DIR = "$HOME/calendar";

     

       
45
       
46
       
 
       
    };

     

       
46
       
47
       
 
       
    programs.git.extraConfig.commit.gpgSign = true;

     

       
47
       
48
       
 
       
    programs.direnv = {

     
···

       
136
       
137
       
 
       
    ocamlPackages.ocaml-lsp

     

       
137
       
138
       
 
       
    ocamlPackages.ocamlformat

     

       
138
       
139
       
 
       
    # rust

     

       
139
       
139
       
-
       
    cargo

     

       
140
       
140
       
-
       
    rustc

     

       
141
       
141
       
-
       
    rust-analyzer

     

       
142
       
142
       
-
       
    rustfmt

     

       
140
       
140
       
+
       
    overlay-unstable.cargo

     

       
141
       
141
       
+
       
    overlay-unstable.rustc

     

       
142
       
142
       
+
       
    overlay-unstable.rust-analyzer

     

       
143
       
143
       
+
       
    overlay-unstable.rustfmt

     

       
143
       
144
       
 
       
    # haskell

     

       
144
       
145
       
 
       
    cabal-install

     

       
145
       
146
       
 
       
    ghc

     
···

       
157
       
158
       
 
       
    # other

     

       
158
       
159
       
 
       
    ltex-ls

     

       
159
       
160
       
 
       
    typst-lsp

     

       
161
       
161
       
+
       


     

       
162
       
162
       
+
       
    overlay-unstable.claude-code

     

       
160
       
163
       
 
       
  ];

     

       
161
       
164
       
 
       


     

       
162
       
165
       
 
       
  services.gnome.gnome-keyring.enable = true;

     

···

       
1
       
1
       
+
       
{

     

       
2
       
2
       
+
       
  pkgs,

     

       
3
       
3
       
+
       
  config,

     

       
4
       
4
       
+
       
  lib,

     

       
5
       
5
       
+
       
  disko,

     

       
6
       
6
       
+
       
  ...

     

       
7
       
7
       
+
       
}:

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
{

     

       
10
       
10
       
+
       
  imports = [

     

       
11
       
11
       
+
       
    ./hardware-configuration.nix

     

       
12
       
12
       
+
       
    disko.nixosModules.disko

     

       
13
       
13
       
+
       
    ./disk-config.nix

     

       
14
       
14
       
+
       
  ];

     

       
15
       
15
       
+
       


     

       
16
       
16
       
+
       
  custom = {

     

       
17
       
17
       
+
       
    enable = true;

     

       
18
       
18
       
+
       
    autoUpgrade.enable = true;

     

       
19
       
19
       
+
       
    homeManager.enable = true;

     

       
20
       
20
       
+
       
  };

     

       
21
       
21
       
+
       


     

       
22
       
22
       
+
       
  home-manager.users.${config.custom.username}.config.custom.machineColour = "blue";

     

       
23
       
23
       
+
       


     

       
24
       
24
       
+
       
  networking.hostName = "iphito";

     

       
25
       
25
       
+
       


     

       
26
       
26
       
+
       
  services.openssh.openFirewall = true;

     

       
27
       
27
       
+
       


     

       
28
       
28
       
+
       
  users.users.root.openssh.authorizedKeys.keys = [

     

       
29
       
29
       
+
       
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA7UrJmBFWR3c7jVzpoyg4dJjON9c7t9bT9acfrj6G7i mtelvers"

     

       
30
       
30
       
+
       
  ];

     

       
31
       
31
       
+
       
}

     

···

       
1
       
1
       
+
       
{ lib, ... }:

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
{

     

       
4
       
4
       
+
       
  disko.devices = {

     

       
5
       
5
       
+
       
    disk.disk1 = {

     

       
6
       
6
       
+
       
      device = lib.mkDefault "/dev/sda";

     

       
7
       
7
       
+
       
      type = "disk";

     

       
8
       
8
       
+
       
      content = {

     

       
9
       
9
       
+
       
        type = "gpt";

     

       
10
       
10
       
+
       
        partitions = {

     

       
11
       
11
       
+
       
          ESP = {

     

       
12
       
12
       
+
       
            type = "EF00";

     

       
13
       
13
       
+
       
            size = "500M";

     

       
14
       
14
       
+
       
            content = {

     

       
15
       
15
       
+
       
              type = "filesystem";

     

       
16
       
16
       
+
       
              format = "vfat";

     

       
17
       
17
       
+
       
              mountpoint = "/boot";

     

       
18
       
18
       
+
       
              mountOptions = [ "umask=0077" ];

     

       
19
       
19
       
+
       
            };

     

       
20
       
20
       
+
       
          };

     

       
21
       
21
       
+
       
          root = {

     

       
22
       
22
       
+
       
            size = "100%";

     

       
23
       
23
       
+
       
            content = {

     

       
24
       
24
       
+
       
              type = "filesystem";

     

       
25
       
25
       
+
       
              format = "ext4";

     

       
26
       
26
       
+
       
              mountpoint = "/";

     

       
27
       
27
       
+
       
            };

     

       
28
       
28
       
+
       
          };

     

       
29
       
29
       
+
       
        };

     

       
30
       
30
       
+
       
      };

     

       
31
       
31
       
+
       
    };

     

       
32
       
32
       
+
       
  };

     

       
33
       
33
       
+
       
}

     

···

       
1
       
1
       
+
       
{

     

       
2
       
2
       
+
       
  config,

     

       
3
       
3
       
+
       
  lib,

     

       
4
       
4
       
+
       
  pkgs,

     

       
5
       
5
       
+
       
  modulesPath,

     

       
6
       
6
       
+
       
  ...

     

       
7
       
7
       
+
       
}:

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
{

     

       
10
       
10
       
+
       
  imports = [

     

       
11
       
11
       
+
       
    (modulesPath + "/installer/scan/not-detected.nix")

     

       
12
       
12
       
+
       
  ];

     

       
13
       
13
       
+
       


     

       
14
       
14
       
+
       
  boot.initrd.availableKernelModules = [

     

       
15
       
15
       
+
       
    "megaraid_sas"

     

       
16
       
16
       
+
       
    "xhci_pci"

     

       
17
       
17
       
+
       
    "nvme"

     

       
18
       
18
       
+
       
    "ahci"

     

       
19
       
19
       
+
       
    "sd_mod"

     

       
20
       
20
       
+
       
  ];

     

       
21
       
21
       
+
       
  boot.initrd.kernelModules = [ "dm-snapshot" ];

     

       
22
       
22
       
+
       
  boot.kernelModules = [ "kvm-amd" ];

     

       
23
       
23
       
+
       
  boot.extraModulePackages = [ ];

     

       
24
       
24
       
+
       


     

       
25
       
25
       
+
       
  networking.useDHCP = lib.mkDefault true;

     

       
26
       
26
       
+
       


     

       
27
       
27
       
+
       
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

     

       
28
       
28
       
+
       
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
  boot.loader.grub = {

     

       
31
       
31
       
+
       
    enable = true;

     

       
32
       
32
       
+
       
    device = "nodev";

     

       
33
       
33
       
+
       
    efiSupport = true;

     

       
34
       
34
       
+
       
    efiInstallAsRemovable = true;

     

       
35
       
35
       
+
       
  };

     

       
36
       
36
       
+
       


     

       
37
       
37
       
+
       
  boot.kernelParams = [

     

       
38
       
38
       
+
       
    "console=ttyS1,115200n8"

     

       
39
       
39
       
+
       
  ];

     

       
40
       
40
       
+
       
}

     

···

       
1
       
1
       
 
       
{

     

       
2
       
2
       
 
       
  pkgs,

     

       
3
       
3
       
-
       
  config,

     

       
4
       
3
       
 
       
  lib,

     

       
5
       
5
       
-
       
  eon,

     

       
6
       
4
       
 
       
  ...

     

       
7
       
5
       
 
       
}@inputs:

     

       
8
       
6
       
 
       


     

       
9
       
9
       
-
       
let

     

       
10
       
10
       
-
       
  vpnRecords = [

     

       
11
       
11
       
-
       
    {

     

       
12
       
12
       
-
       
      name = "nix-cache.vpn.${config.networking.domain}.";

     

       
13
       
13
       
-
       
      type = "A";

     

       
14
       
14
       
-
       
      value = "100.64.0.9";

     

       
15
       
15
       
-
       
    }

     

       
16
       
16
       
-
       
    {

     

       
17
       
17
       
-
       
      name = "jellyfin.vpn.${config.networking.domain}.";

     

       
18
       
18
       
-
       
      type = "A";

     

       
19
       
19
       
-
       
      value = "100.64.0.9";

     

       
20
       
20
       
-
       
    }

     

       
21
       
21
       
-
       
    {

     

       
22
       
22
       
-
       
      name = "nextcloud.vpn.${config.networking.domain}.";

     

       
23
       
23
       
-
       
      type = "A";

     

       
24
       
24
       
-
       
      value = "100.64.0.9";

     

       
25
       
25
       
-
       
    }

     

       
26
       
26
       
-
       
    {

     

       
27
       
27
       
-
       
      name = "transmission.vpn.${config.networking.domain}.";

     

       
28
       
28
       
-
       
      type = "A";

     

       
29
       
29
       
-
       
      value = "100.64.0.9";

     

       
30
       
30
       
-
       
    }

     

       
31
       
31
       
-
       
    {

     

       
32
       
32
       
-
       
      name = "owntracks.vpn.${config.networking.domain}.";

     

       
33
       
33
       
-
       
      type = "A";

     

       
34
       
34
       
-
       
      value = "100.64.0.9";

     

       
35
       
35
       
-
       
    }

     

       
36
       
36
       
-
       
    {

     

       
37
       
37
       
-
       
      name = "immich.vpn.${config.networking.domain}.";

     

       
38
       
38
       
-
       
      type = "A";

     

       
39
       
39
       
-
       
      value = "100.64.0.9";

     

       
40
       
40
       
-
       
    }

     

       
41
       
41
       
-
       
  ];

     

       
42
       
42
       
-
       
in

     

       
43
       
7
       
 
       
{

     

       
44
       
8
       
 
       
  imports = [

     

       
45
       
9
       
 
       
    ./hardware-configuration.nix

     

       
46
       
10
       
 
       
    ./minimal.nix

     

       
47
       
47
       
-
       
    ../../modules/colour-guesser.nix

     

       
11
       
11
       
+
       
    ./services.nix

     

       
48
       
12
       
 
       
    ../../modules/ryan-website.nix

     

       
49
       
13
       
 
       
    ../../modules/alec-website.nix

     

       
50
       
14
       
 
       
    ../../modules/fn06-website.nix

     

       
15
       
15
       
+
       
    inputs.tangled.nixosModules.knotserver

     

       
51
       
16
       
 
       
  ];

     

       
52
       
17
       
 
       


     

       
53
       
18
       
 
       
  environment.systemPackages = with pkgs; [

     

       
54
       
54
       
-
       
    # nix

     

       
55
       
19
       
 
       
    nixd

     

       
56
       
20
       
 
       
    nixfmt-rfc-style

     

       
57
       
21
       
 
       
  ];

     

       
58
       
22
       
 
       


     

       
59
       
59
       
-
       
  age.secrets.eon-capnp = {

     

       
60
       
60
       
-
       
    file = ../../secrets/eon-capnp.age;

     

       
61
       
61
       
-
       
    mode = "770";

     

       
62
       
62
       
-
       
    owner = "eon";

     

       
63
       
63
       
-
       
    group = "eon";

     

       
64
       
64
       
-
       
  };

     

       
65
       
65
       
-
       
  age.secrets.eon-sirref-primary = {

     

       
66
       
66
       
-
       
    file = ../../secrets/eon-sirref-primary.cap.age;

     

       
67
       
67
       
-
       
    mode = "770";

     

       
68
       
68
       
-
       
    owner = "eon";

     

       
69
       
69
       
-
       
    group = "eon";

     

       
70
       
70
       
-
       
  };

     

       
71
       
71
       
-
       
  services.eon = {

     

       
72
       
72
       
-
       
    capnpSecretKeyFile = config.age.secrets.eon-capnp.path;

     

       
73
       
73
       
-
       
    primaries = [ config.age.secrets.eon-sirref-primary.path ];

     

       
74
       
74
       
-
       
    prod = true;

     

       
75
       
75
       
-
       
    capnpAddress = "135.181.100.27";

     

       
76
       
76
       
-
       
    logLevel = 0;

     

       
77
       
77
       
-
       
  };

     

       
78
       
78
       
-
       


     

       
79
       
79
       
-
       
  security.acme-eon = {

     

       
80
       
80
       
-
       
    acceptTerms = true;

     

       
81
       
81
       
-
       
    package = eon.defaultPackage.${config.nixpkgs.hostPlatform.system};

     

       
82
       
82
       
-
       
    defaults.email = "${config.custom.username}@${config.networking.domain}";

     

       
83
       
83
       
-
       
    defaults.capFile = "/var/lib/eon/caps/domain/freumh.org.cap";

     

       
84
       
84
       
-
       
    certs = {

     

       
85
       
85
       
-
       
      "fn06.org".capFile = "/var/lib/eon/caps/domain/fn06.org.cap";

     

       
86
       
86
       
-
       
      "capybara.fn06.org".capFile = "/var/lib/eon/caps/domain/fn06.org.cap";

     

       
87
       
87
       
-
       
    };

     

       
88
       
88
       
-
       
  };

     

       
89
       
89
       
-
       


     

       
90
       
90
       
-
       
  eilean = {

     

       
91
       
91
       
-
       
    username = config.custom.username;

     

       
92
       
92
       
-
       
    serverIpv4 = "135.181.100.27";

     

       
93
       
93
       
-
       
    serverIpv6 = "2a01:4f9:c011:87ad:0:0:0:0";

     

       
94
       
94
       
-
       
    acme-eon = true;

     

       
95
       
95
       
-
       
    fail2ban.enable = true;

     

       
96
       
96
       
-
       
  };

     

       
97
       
97
       
-
       
  networking.domain = lib.mkDefault "freumh.org";

     

       
98
       
98
       
-
       
  eilean.publicInterface = "enp1s0";

     

       
99
       
99
       
-
       
  eilean.mailserver.enable = true;

     

       
100
       
100
       
-
       
  eilean.radicale = {

     

       
101
       
101
       
-
       
    enable = true;

     

       
102
       
102
       
-
       
    users = null;

     

       
103
       
103
       
-
       
  };

     

       
104
       
104
       
-
       
  age.secrets.matrix-shared-secret = {

     

       
105
       
105
       
-
       
    file = ../../secrets/matrix-shared-secret.age;

     

       
106
       
106
       
-
       
    mode = "770";

     

       
107
       
107
       
-
       
    owner = "${config.systemd.services.matrix-synapse.serviceConfig.User}";

     

       
108
       
108
       
-
       
    group = "${config.systemd.services.matrix-synapse.serviceConfig.Group}";

     

       
109
       
109
       
-
       
  };

     

       
110
       
110
       
-
       
  eilean.matrix = {

     

       
111
       
111
       
-
       
    enable = true;

     

       
112
       
112
       
-
       
    registrationSecretFile = config.age.secrets.matrix-shared-secret.path;

     

       
113
       
113
       
-
       
    bridges.whatsapp = true;

     

       
114
       
114
       
-
       
    bridges.signal = true;

     

       
115
       
115
       
-
       
    bridges.instagram = true;

     

       
116
       
116
       
-
       
    bridges.messenger = true;

     

       
117
       
117
       
-
       
  };

     

       
118
       
118
       
-
       
  eilean.turn.enable = true;

     

       
119
       
119
       
-
       
  eilean.mastodon.enable = true;

     

       
120
       
120
       
-
       
  eilean.headscale.enable = true;

     

       
121
       
121
       
-
       
  #eilean.dns.enable = lib.mkForce false;

     

       
122
       
122
       
-
       


     

       
123
       
123
       
-
       
  systemd.services.matrix-as-meta = {

     

       
124
       
124
       
-
       
    # voice messages need `ffmpeg`

     

       
125
       
125
       
-
       
    path = [ pkgs.ffmpeg ];

     

       
126
       
126
       
-
       
  };

     

       
127
       
127
       
-
       


     

       
128
       
128
       
-
       
  custom = {

     

       
129
       
129
       
-
       
    freumh.enable = true;

     

       
130
       
130
       
-
       
    rmfakecloud.enable = true;

     

       
131
       
131
       
-
       
    website = {

     

       
132
       
132
       
-
       
      ryan = {

     

       
133
       
133
       
-
       
        enable = true;

     

       
134
       
134
       
-
       
        cname = "vps";

     

       
135
       
135
       
-
       
      };

     

       
136
       
136
       
-
       
      alec = {

     

       
137
       
137
       
-
       
        enable = true;

     

       
138
       
138
       
-
       
        cname = "vps";

     

       
139
       
139
       
-
       
      };

     

       
140
       
140
       
-
       
      fn06 = {

     

       
141
       
141
       
-
       
        enable = true;

     

       
142
       
142
       
-
       
        cname = "vps";

     

       
143
       
143
       
-
       
        domain = "fn06.org";

     

       
144
       
144
       
-
       
      };

     

       
145
       
145
       
-
       
      colour-guesser = {

     

       
146
       
146
       
-
       
        # enable = true;

     

       
147
       
147
       
-
       
        cname = "vps";

     

       
148
       
148
       
-
       
      };

     

       
149
       
149
       
-
       
    };

     

       
150
       
150
       
-
       
  };

     

       
151
       
151
       
-
       


     

       
152
       
152
       
-
       
  eilean.dns.nameservers = [ "ns1" ];

     

       
153
       
153
       
-
       
  eilean.services.dns.zones = {

     

       
154
       
154
       
-
       
    ${config.networking.domain} = {

     

       
155
       
155
       
-
       
      ttl = 300;

     

       
156
       
156
       
-
       
      soa = {

     

       
157
       
157
       
-
       
        serial = 2018011660;

     

       
158
       
158
       
-
       
        refresh = 300;

     

       
159
       
159
       
-
       
      };

     

       
160
       
160
       
-
       
      records = [

     

       
161
       
161
       
-
       
        {

     

       
162
       
162
       
-
       
          name = "@";

     

       
163
       
163
       
-
       
          type = "TXT";

     

       
164
       
164
       
-
       
          value = "google-site-verification=rEvwSqf7RYKRQltY412qMtTuoxPp64O3L7jMotj9Jnc";

     

       
165
       
165
       
-
       
        }

     

       
166
       
166
       
-
       
        {

     

       
167
       
167
       
-
       
          name = "_atproto.ryan";

     

       
168
       
168
       
-
       
          type = "TXT";

     

       
169
       
169
       
-
       
          value = "did=did:plc:3lfhu6ehlynzjgehef6alnvg";

     

       
170
       
170
       
-
       
        }

     

       
171
       
171
       
-
       


     

       
172
       
172
       
-
       
        {

     

       
173
       
173
       
-
       
          name = "teapot";

     

       
174
       
174
       
-
       
          type = "CNAME";

     

       
175
       
175
       
-
       
          value = "vps";

     

       
176
       
176
       
-
       
        }

     

       
177
       
177
       
-
       


     

       
178
       
178
       
-
       
        {

     

       
179
       
179
       
-
       
          name = "@";

     

       
180
       
180
       
-
       
          type = "NS";

     

       
181
       
181
       
-
       
          value = "ns1.sirref.org.";

     

       
182
       
182
       
-
       
        }

     

       
183
       
183
       
-
       


     

       
184
       
184
       
-
       
        {

     

       
185
       
185
       
-
       
          name = "@";

     

       
186
       
186
       
-
       
          type = "A";

     

       
187
       
187
       
-
       
          value = config.eilean.serverIpv4;

     

       
188
       
188
       
-
       
        }

     

       
189
       
189
       
-
       
        {

     

       
190
       
190
       
-
       
          name = "@";

     

       
191
       
191
       
-
       
          type = "AAAA";

     

       
192
       
192
       
-
       
          value = config.eilean.serverIpv6;

     

       
193
       
193
       
-
       
        }

     

       
194
       
194
       
-
       
        {

     

       
195
       
195
       
-
       
          name = "vps";

     

       
196
       
196
       
-
       
          type = "A";

     

       
197
       
197
       
-
       
          value = config.eilean.serverIpv4;

     

       
198
       
198
       
-
       
        }

     

       
199
       
199
       
-
       
        {

     

       
200
       
200
       
-
       
          name = "vps";

     

       
201
       
201
       
-
       
          type = "AAAA";

     

       
202
       
202
       
-
       
          value = config.eilean.serverIpv6;

     

       
203
       
203
       
-
       
        }

     

       
204
       
204
       
-
       


     

       
205
       
205
       
-
       
        {

     

       
206
       
206
       
-
       
          name = "@";

     

       
207
       
207
       
-
       
          type = "LOC";

     

       
208
       
208
       
-
       
          value = "52 12 40.4 N 0 5 31.9 E 22m 10m 10m 10m";

     

       
209
       
209
       
-
       
        }

     

       
210
       
210
       
-
       


     

       
211
       
211
       
-
       
        {

     

       
212
       
212
       
-
       
          name = "ns.cl";

     

       
213
       
213
       
-
       
          type = "A";

     

       
214
       
214
       
-
       
          value = "128.232.113.136";

     

       
215
       
215
       
-
       
        }

     

       
216
       
216
       
-
       
        {

     

       
217
       
217
       
-
       
          name = "cl";

     

       
218
       
218
       
-
       
          type = "NS";

     

       
219
       
219
       
-
       
          value = "ns.cl";

     

       
220
       
220
       
-
       
        }

     

       
221
       
221
       
-
       


     

       
222
       
222
       
-
       
        {

     

       
223
       
223
       
-
       
          name = "ns1.eilean";

     

       
224
       
224
       
-
       
          type = "A";

     

       
225
       
225
       
-
       
          value = "65.109.10.223";

     

       
226
       
226
       
-
       
        }

     

       
227
       
227
       
-
       
        {

     

       
228
       
228
       
-
       
          name = "eilean";

     

       
229
       
229
       
-
       
          type = "NS";

     

       
230
       
230
       
-
       
          value = "ns1.eilean";

     

       
231
       
231
       
-
       
        }

     

       
232
       
232
       
-
       


     

       
233
       
233
       
-
       
        {

     

       
234
       
234
       
-
       
          name = "shrew";

     

       
235
       
235
       
-
       
          type = "CNAME";

     

       
236
       
236
       
-
       
          value = "vps";

     

       
237
       
237
       
-
       
        }

     

       
238
       
238
       
-
       


     

       
239
       
239
       
-
       
        # generate with

     

       
240
       
240
       
-
       
        #   sudo openssl x509 -in /var/lib/acme/mail.freumh.org/fullchain.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum | awk '{print "3 1 1", $1}'

     

       
241
       
241
       
-
       
        {

     

       
242
       
242
       
-
       
          name = "_25._tcp.mail";

     

       
243
       
243
       
-
       
          type = "TLSA";

     

       
244
       
244
       
-
       
          value = "3 1 1 2f0fd413f063c75141937dd196a9f4ab66139d599e0dcf2a7ce6d557647e26a6";

     

       
245
       
245
       
-
       
        }

     

       
246
       
246
       
-
       
        # generate with

     

       
247
       
247
       
-
       
        #   for i in r3 e1 r4-cross-signed e2

     

       
248
       
248
       
-
       
        #   openssl x509 -in ~/downloads/lets-encrypt-$i.pem -pubkey -noout | openssl pkey -pubin -outform der | sha256sum | awk '{print "2 1 1", $1}'

     

       
249
       
249
       
-
       
        # LE R3

     

       
250
       
250
       
-
       
        {

     

       
251
       
251
       
-
       
          name = "_25._tcp.mail";

     

       
252
       
252
       
-
       
          type = "TLSA";

     

       
253
       
253
       
-
       
          value = "2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d";

     

       
254
       
254
       
-
       
        }

     

       
255
       
255
       
-
       
        # LE E1

     

       
256
       
256
       
-
       
        {

     

       
257
       
257
       
-
       
          name = "_25._tcp.mail";

     

       
258
       
258
       
-
       
          type = "TLSA";

     

       
259
       
259
       
-
       
          value = "2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10";

     

       
260
       
260
       
-
       
        }

     

       
261
       
261
       
-
       
        # LE R4

     

       
262
       
262
       
-
       
        {

     

       
263
       
263
       
-
       
          name = "_25._tcp.mail";

     

       
264
       
264
       
-
       
          type = "TLSA";

     

       
265
       
265
       
-
       
          value = "2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03";

     

       
266
       
266
       
-
       
        }

     

       
267
       
267
       
-
       
        # LE E2

     

       
268
       
268
       
-
       
        {

     

       
269
       
269
       
-
       
          name = "_25._tcp.mail";

     

       
270
       
270
       
-
       
          type = "TLSA";

     

       
271
       
271
       
-
       
          value = "2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270";

     

       
272
       
272
       
-
       
        }

     

       
273
       
273
       
-
       
      ] ++ vpnRecords;

     

       
274
       
274
       
-
       
    };

     

       
275
       
275
       
-
       
    "fn06.org" = {

     

       
276
       
276
       
-
       
      soa.serial = 1706745602;

     

       
277
       
277
       
-
       
      records = [

     

       
278
       
278
       
-
       
        {

     

       
279
       
279
       
-
       
          name = "@";

     

       
280
       
280
       
-
       
          type = "NS";

     

       
281
       
281
       
-
       
          value = "ns1";

     

       
282
       
282
       
-
       
        }

     

       
283
       
283
       
-
       
        {

     

       
284
       
284
       
-
       
          name = "@";

     

       
285
       
285
       
-
       
          type = "NS";

     

       
286
       
286
       
-
       
          value = "ns2";

     

       
287
       
287
       
-
       
        }

     

       
288
       
288
       
-
       


     

       
289
       
289
       
-
       
        {

     

       
290
       
290
       
-
       
          name = "ns1";

     

       
291
       
291
       
-
       
          type = "A";

     

       
292
       
292
       
-
       
          value = config.eilean.serverIpv4;

     

       
293
       
293
       
-
       
        }

     

       
294
       
294
       
-
       
        {

     

       
295
       
295
       
-
       
          name = "ns1";

     

       
296
       
296
       
-
       
          type = "AAAA";

     

       
297
       
297
       
-
       
          value = config.eilean.serverIpv6;

     

       
298
       
298
       
-
       
        }

     

       
299
       
299
       
-
       
        {

     

       
300
       
300
       
-
       
          name = "ns2";

     

       
301
       
301
       
-
       
          type = "A";

     

       
302
       
302
       
-
       
          value = config.eilean.serverIpv4;

     

       
303
       
303
       
-
       
        }

     

       
304
       
304
       
-
       
        {

     

       
305
       
305
       
-
       
          name = "ns2";

     

       
306
       
306
       
-
       
          type = "AAAA";

     

       
307
       
307
       
-
       
          value = config.eilean.serverIpv6;

     

       
308
       
308
       
-
       
        }

     

       
309
       
309
       
-
       


     

       
310
       
310
       
-
       
        {

     

       
311
       
311
       
-
       
          name = "@";

     

       
312
       
312
       
-
       
          type = "A";

     

       
313
       
313
       
-
       
          value = config.eilean.serverIpv4;

     

       
314
       
314
       
-
       
        }

     

       
315
       
315
       
-
       
        {

     

       
316
       
316
       
-
       
          name = "@";

     

       
317
       
317
       
-
       
          type = "AAAA";

     

       
318
       
318
       
-
       
          value = config.eilean.serverIpv6;

     

       
319
       
319
       
-
       
        }

     

       
320
       
320
       
-
       


     

       
321
       
321
       
-
       
        {

     

       
322
       
322
       
-
       
          name = "www.fn06.org.";

     

       
323
       
323
       
-
       
          type = "CNAME";

     

       
324
       
324
       
-
       
          value = "fn06.org.";

     

       
325
       
325
       
-
       
        }

     

       
326
       
326
       
-
       


     

       
327
       
327
       
-
       
        {

     

       
328
       
328
       
-
       
          name = "@";

     

       
329
       
329
       
-
       
          type = "LOC";

     

       
330
       
330
       
-
       
          value = "52 12 40.4 N 0 5 31.9 E 22m 10m 10m 10m";

     

       
331
       
331
       
-
       
        }

     

       
332
       
332
       
-
       


     

       
333
       
333
       
-
       
        {

     

       
334
       
334
       
-
       
          name = "capybara.fn06.org.";

     

       
335
       
335
       
-
       
          type = "CNAME";

     

       
336
       
336
       
-
       
          value = "fn06.org.";

     

       
337
       
337
       
-
       
        }

     

       
338
       
338
       
-
       


     

       
339
       
339
       
-
       
        {

     

       
340
       
340
       
-
       
          name = "jellyfin.${config.networking.domain}.";

     

       
341
       
341
       
-
       
          type = "AAAA";

     

       
342
       
342
       
-
       
          value = "2a00:23c6:aa22:e401:8dff:9b9a:cb3c:3fcb";

     

       
343
       
343
       
-
       
        }

     

       
344
       
344
       
-
       
        {

     

       
345
       
345
       
-
       
          name = "jellyseerr.${config.networking.domain}.";

     

       
346
       
346
       
-
       
          type = "AAAA";

     

       
347
       
347
       
-
       
          value = "2a00:23c6:aa22:e401:8dff:9b9a:cb3c:3fcb";

     

       
348
       
348
       
-
       
        }

     

       
349
       
349
       
-
       
        {

     

       
350
       
350
       
-
       
          name = "calibre.${config.networking.domain}.";

     

       
351
       
351
       
-
       
          type = "AAAA";

     

       
352
       
352
       
-
       
          value = "2a00:23c6:aa22:e401:8dff:9b9a:cb3c:3fcb";

     

       
353
       
353
       
-
       
        }

     

       
354
       
354
       
-
       
      ];

     

       
355
       
355
       
-
       
    };

     

       
356
       
356
       
-
       
  };

     

       
357
       
357
       
-
       
  services.bind.zones.${config.networking.domain}.extraConfig =

     

       
358
       
358
       
-
       
    ''

     

       
359
       
359
       
-
       
      dnssec-policy default;

     

       
360
       
360
       
-
       
      inline-signing yes;

     

       
361
       
361
       
-
       
      journal "${config.services.bind.directory}/${config.networking.domain}.signed.jnl";

     

       
362
       
362
       
-
       
    ''

     

       
363
       
363
       
-
       
    +

     

       
364
       
364
       
-
       
      # dig ns org +short | xargs dig +short

     

       
365
       
365
       
-
       
      # replace with `checkds true;` in bind 9.20

     

       
366
       
366
       
-
       
      ''

     

       
367
       
367
       
-
       
        parental-agents {

     

       
368
       
368
       
-
       
          199.19.56.1;

     

       
369
       
369
       
-
       
          199.249.112.1;

     

       
370
       
370
       
-
       
          199.19.54.1;

     

       
371
       
371
       
-
       
          199.249.120.1;

     

       
372
       
372
       
-
       
          199.19.53.1;

     

       
373
       
373
       
-
       
          199.19.57.1;

     

       
374
       
374
       
-
       
        };

     

       
375
       
375
       
-
       
      '';

     

       
376
       
376
       
-
       


     

       
377
       
377
       
-
       
  services.nginx.commonHttpConfig = ''

     

       
378
       
378
       
-
       
    add_header Strict-Transport-Security max-age=31536000 always;

     

       
379
       
379
       
-
       
    add_header X-Frame-Options SAMEORIGIN always;

     

       
380
       
380
       
-
       
    add_header X-Content-Type-Options nosniff always;

     

       
381
       
381
       
-
       
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; base-uri 'self'; frame-src 'self'; frame-ancestors 'self'; form-action 'self';" always;

     

       
382
       
382
       
-
       
    add_header Referrer-Policy 'same-origin';

     

       
383
       
383
       
-
       
  '';

     

       
384
       
384
       
-
       
  services.nginx.virtualHosts."teapot.${config.networking.domain}" = {

     

       
385
       
385
       
-
       
    extraConfig = ''

     

       
386
       
386
       
-
       
      return 418;

     

       
387
       
387
       
-
       
    '';

     

       
388
       
388
       
-
       
  };

     

       
389
       
389
       
-
       
  age.secrets.website-phd = {

     

       
390
       
390
       
-
       
    file = ../../secrets/website-phd.age;

     

       
391
       
391
       
-
       
    mode = "770";

     

       
392
       
392
       
-
       
    owner = "${config.systemd.services.nginx.serviceConfig.User}";

     

       
393
       
393
       
-
       
    group = "${config.systemd.services.nginx.serviceConfig.Group}";

     

       
394
       
394
       
-
       
  };

     

       
395
       
395
       
-
       
  services.nginx.virtualHosts."${config.custom.website.ryan.domain}" = {

     

       
396
       
396
       
-
       
    locations."/phd/" = {

     

       
397
       
397
       
-
       
      basicAuthFile = config.age.secrets.website-phd.path;

     

       
398
       
398
       
-
       
    };

     

       
399
       
399
       
-
       
  };

     

       
400
       
400
       
-
       


     

       
401
       
401
       
-
       
  security.acme-eon.nginxCerts = [

     

       
402
       
402
       
-
       
    "capybara.fn06.org"

     

       
403
       
403
       
-
       
    "shrew.freumh.org"

     

       
404
       
404
       
-
       
  ];

     

       
405
       
405
       
-
       
  services.nginx.virtualHosts."capybara.fn06.org" = {

     

       
406
       
406
       
-
       
    forceSSL = true;

     

       
407
       
407
       
-
       
    locations."/" = {

     

       
408
       
408
       
-
       
      proxyPass = ''

     

       
409
       
409
       
-
       
        http://100.64.0.10:8123

     

       
410
       
410
       
-
       
      '';

     

       
411
       
411
       
-
       
      proxyWebsockets = true;

     

       
412
       
412
       
-
       
    };

     

       
413
       
413
       
-
       
  };

     

       
414
       
414
       
-
       
  services.nginx.virtualHosts."shrew.freumh.org" = {

     

       
415
       
415
       
-
       
    forceSSL = true;

     

       
416
       
416
       
-
       
    locations."/" = {

     

       
417
       
417
       
-
       
      # need to specify ip or there's a bootstrap problem with headscale

     

       
418
       
418
       
-
       
      proxyPass = ''

     

       
419
       
419
       
-
       
        http://100.64.0.6:8123

     

       
420
       
420
       
-
       
      '';

     

       
421
       
421
       
-
       
      proxyWebsockets = true;

     

       
422
       
422
       
-
       
    };

     

       
423
       
423
       
-
       
  };

     

       
424
       
424
       
-
       


     

       
425
       
425
       
-
       
  services.mastodon = {

     

       
426
       
426
       
-
       
    webProcesses = lib.mkForce 1;

     

       
427
       
427
       
-
       
    webThreads = lib.mkForce 1;

     

       
428
       
428
       
-
       
    sidekiqThreads = lib.mkForce 1;

     

       
429
       
429
       
-
       
    streamingProcesses = lib.mkForce 1;

     

       
430
       
430
       
-
       
  };

     

       
431
       
431
       
-
       


     

       
432
       
432
       
-
       
  boot.kernel.sysctl = {

     

       
433
       
433
       
-
       
    "net.ipv4.ip_forward" = 1;

     

       
434
       
434
       
-
       
    "net.ipv6.conf.all.forwarding" = 1;

     

       
435
       
435
       
-
       
  };

     

       
436
       
436
       
-
       


     

       
437
       
437
       
-
       
  services.headscale.settings.dns = {

     

       
438
       
438
       
-
       
    extra_records = vpnRecords;

     

       
439
       
439
       
-
       
    base_domain = "vpn.freumh.org";

     

       
440
       
440
       
-
       
    nameservers.global = config.networking.nameservers;

     

       
441
       
441
       
-
       
  };

     

       
442
       
442
       
-
       


     

       
443
       
443
       
-
       
  age.secrets.restic-owl.file = ../../secrets/restic-owl.age;

     

       
444
       
444
       
-
       
  services.restic.backups.${config.networking.hostName} = {

     

       
445
       
445
       
-
       
    repository = "rest:http://100.64.0.9:8000/${config.networking.hostName}/";

     

       
446
       
446
       
-
       
    passwordFile = config.age.secrets.restic-owl.path;

     

       
447
       
447
       
-
       
    initialize = true;

     

       
448
       
448
       
-
       
    paths = [

     

       
449
       
449
       
-
       
      "/var/"

     

       
450
       
450
       
-
       
      "/run/"

     

       
451
       
451
       
-
       
      "/etc/"

     

       
452
       
452
       
-
       
    ];

     

       
453
       
453
       
-
       
    timerConfig = {

     

       
454
       
454
       
-
       
      OnCalendar = "03:00";

     

       
455
       
455
       
-
       
      randomizedDelaySec = "1hr";

     

       
456
       
456
       
-
       
    };

     

       
457
       
457
       
-
       
  };

     

       
458
       
458
       
-
       


     

       
459
       
23
       
 
       
  nix = {

     

       
460
       
24
       
 
       
    gc = {

     

       
461
       
25
       
 
       
      automatic = true;

     
···

       
464
       
28
       
 
       
      options = lib.mkForce "--delete-older-than 2d";

     

       
465
       
29
       
 
       
    };

     

       
466
       
30
       
 
       
  };

     

       
467
       
467
       
-
       


     

       
468
       
468
       
-
       
  age.secrets.email-ryan.file = ../../secrets/email-ryan.age;

     

       
469
       
469
       
-
       
  age.secrets.email-system.file = ../../secrets/email-system.age;

     

       
470
       
470
       
-
       
  eilean.mailserver.systemAccountPasswordFile = config.age.secrets.email-system.path;

     

       
471
       
471
       
-
       
  mailserver.loginAccounts = {

     

       
472
       
472
       
-
       
    "${config.eilean.username}@${config.networking.domain}" = {

     

       
473
       
473
       
-
       
      passwordFile = config.age.secrets.email-ryan.path;

     

       
474
       
474
       
-
       
      aliases = [

     

       
475
       
475
       
-
       
        "dns@${config.networking.domain}"

     

       
476
       
476
       
-
       
        "postmaster@${config.networking.domain}"

     

       
477
       
477
       
-
       
      ];

     

       
478
       
478
       
-
       
      sieveScript = ''

     

       
479
       
479
       
-
       
        require ["fileinto", "mailbox"];

     

       
480
       
480
       
-
       


     

       
481
       
481
       
-
       
        if header :contains ["to", "cc"] ["~rjarry/aerc-discuss@lists.sr.ht"] {

     

       
482
       
482
       
-
       
          fileinto :create "lists.aerc";

     

       
483
       
483
       
-
       
          stop;

     

       
484
       
484
       
-
       
        }

     

       
485
       
485
       
-
       
      '';

     

       
486
       
486
       
-
       
    };

     

       
487
       
487
       
-
       
    "misc@${config.networking.domain}" = {

     

       
488
       
488
       
-
       
      passwordFile = config.age.secrets.email-ryan.path;

     

       
489
       
489
       
-
       
      catchAll = [ "${config.networking.domain}" ];

     

       
490
       
490
       
-
       
    };

     

       
491
       
491
       
-
       
    "system@${config.networking.domain}" = {

     

       
492
       
492
       
-
       
      aliases = [ "nas@${config.networking.domain}" ];

     

       
493
       
493
       
-
       
    };

     

       
494
       
494
       
-
       
  };

     

       
495
       
495
       
-
       


     

       
496
       
496
       
-
       
  services.minecraft-server = {

     

       
497
       
497
       
-
       
    enable = true;

     

       
498
       
498
       
-
       
    package = pkgs.overlay-unstable.minecraft-server;

     

       
499
       
499
       
-
       
    eula = true;

     

       
500
       
500
       
-
       
    openFirewall = true;

     

       
501
       
501
       
-
       
  };

     

       
502
       
502
       
-
       


     

       
503
       
503
       
-
       
  networking.firewall.allowedTCPPorts = [ 7001 ];

     

       
504
       
31
       
 
       


     

       
505
       
32
       
 
       
  services.openssh.openFirewall = true;

     

       
506
       
33
       
 
       
}