commit 63d47bc3778a30168c2e008196e2ed33f37b8f5f · soopy.moe/gensokyo

+4 -4

flake.nix

···

       15
        
         inputs = {

     

       16
        
           mystia.url = "github:soopyc/mystia";

     

       17
        
           # nixpkgs.follows = "mystia/nixpkgs";

     

       18
       -
           nixpkgs.url = "https://nixpkgs.dev/channel/nixos-25.05";

     

       19
        
       

     

       20
        
           nixos-hardware.url = "github:soopyc/nixos-hardware/apple-t2-updates";

     

       21
       -
           catppuccin.url = "github:catppuccin/nix/release-25.05";

     

       22
        
           hydra.url = "github:NixOS/hydra";

     

       23
        
           ghostty.url = "github:ghostty-org/ghostty";

     

       24
        
       

     
···

       29
        
       

     

       30
        
           home-manager = {

     

       31
        
             # sync with nixpkgs!

     

       32
       -
             url = "github:nix-community/home-manager/release-25.05";

     

       33
        
             inputs.nixpkgs.follows = "nixpkgs";

     

       34
        
           };

     

       35
        
       

     
···

       39
        
           };

     

       40
        
       

     

       41
        
           lanzaboote = {

     

       42
       -
             url = "github:nix-community/lanzaboote/v0.4.2";

     

       43
        
             inputs.nixpkgs.follows = "nixpkgs";

     

       44
        
           };

     

       45

···

       15
        
         inputs = {

     

       16
        
           mystia.url = "github:soopyc/mystia";

     

       17
        
           # nixpkgs.follows = "mystia/nixpkgs";

     

       18
       +
           nixpkgs.url = "https://nixpkgs.dev/channel/nixos-25.11";

     

       19
        
       

     

       20
        
           nixos-hardware.url = "github:soopyc/nixos-hardware/apple-t2-updates";

     

       21
       +
           catppuccin.url = "github:catppuccin/nix/release-25.05"; # TODO

     

       22
        
           hydra.url = "github:NixOS/hydra";

     

       23
        
           ghostty.url = "github:ghostty-org/ghostty";

     

       24
        
       

     
···

       29
        
       

     

       30
        
           home-manager = {

     

       31
        
             # sync with nixpkgs!

     

       32
       +
             url = "github:nix-community/home-manager/release-25.11";

     

       33
        
             inputs.nixpkgs.follows = "nixpkgs";

     

       34
        
           };

     

       35
        
       

     
···

       39
        
           };

     

       40
        
       

     

       41
        
           lanzaboote = {

     

       42
       +
             url = "github:nix-community/lanzaboote/v0.4.3";

     

       43
        
             inputs.nixpkgs.follows = "nixpkgs";

     

       44
        
           };

     

       45

-2

global/gensokyo/presets/nginx.nix

···

       1
        
       {

     

       2
        
         lib,

     

       3
       -
         pkgs,

     

       4
        
         config,

     

       5
        
         ...

     

       6
        
       }:

     
···

       13
        
             services.nginx = {

     

       14
        
               enable = lib.mkDefault true;

     

       15
        
               enableReload = lib.mkDefault true;

     

       16
       -
               package = lib.mkDefault pkgs.nginxQuic;

     

       17
        
       

     

       18
        
               statusPage = true;

     

       19

···

       1
        
       {

     

       2
        
         lib,

     

       0
        
       
     

       3
        
         config,

     

       4
        
         ...

     

       5
        
       }:

     
···

       12
        
             services.nginx = {

     

       13
        
               enable = lib.mkDefault true;

     

       14
        
               enableReload = lib.mkDefault true;

     

       0
        
       
     

       15
        
       

     

       16
        
               statusPage = true;

     

       17

-1

global/gui/browser.nix

+5 -4

global/overlays/default.nix

···

       1
       -
       inputs: [

     

       2
       -
         # we can probably live without an overlay?

     

       3
       -
         # inputs.mystia.overlays.default

     

       4
       -
       ]

     

       0

···

       1
       +
       _: []

     

       2
       +
       # inputs: [

     

       3
       +
       #   # we can probably live without an overlay?

     

       4
       +
       #   # inputs.mystia.overlays.default

     

       5
       +
       # ]

+1 -1

global/programs/misc.nix

+2

global/programs/nix/config.nix

···

       41
        
             max-jobs = "auto";

     

       42
        
             auto-optimise-store = true;

     

       43
        
             download-buffer-size = 268435456; # 256 MiB

     

       0
        
       
     

       0
        
       
     

       44
        
           };

     

       45
        
       

     

       46
        
           nix.gc = {

···

       41
        
             max-jobs = "auto";

     

       42
        
             auto-optimise-store = true;

     

       43
        
             download-buffer-size = 268435456; # 256 MiB

     

       44
       +
       

     

       45
       +
             trace-import-from-derivation = true;

     

       46
        
           };

     

       47
        
       

     

       48
        
           nix.gc = {

+1

global/programs/scm.nix

···

       7
        
             push.autoSetupRemote = true;

     

       8
        
             gpg.ssh.allowedSignersFile = pkgs.writeText "soopyc.allowedsigners" ''

     

       9
        
               me@soopy.moe namespaces="git" ${builtins.readFile ../../creds/ssh/auth}

     

       0
        
       
     

       10
        
             '';

     

       11
        
       

     

       12
        
             rebase.autoStash = true;

···

       7
        
             push.autoSetupRemote = true;

     

       8
        
             gpg.ssh.allowedSignersFile = pkgs.writeText "soopyc.allowedsigners" ''

     

       9
        
               me@soopy.moe namespaces="git" ${builtins.readFile ../../creds/ssh/auth}

     

       10
       +
               git@soopy.moe namespaces="git" ${builtins.readFile ../../creds/ssh/auth}

     

       11
        
             '';

     

       12
        
       

     

       13
        
             rebase.autoStash = true;

+2 -1

global/programs/security/crypto.nix

···

       3
        
       {

     

       4
        
         environment.systemPackages = with pkgs; [

     

       5
        
           gnupg

     

       6
       -
           pinentry

     

       0
        
       
     

       7
        
           opensc

     

       8
        
       

     

       9
        
           rage

···

       3
        
       {

     

       4
        
         environment.systemPackages = with pkgs; [

     

       5
        
           gnupg

     

       6
       +
           pinentry-curses

     

       7
       +
           pinentry-qt

     

       8
        
           opensc

     

       9
        
       

     

       10
        
           rage

+1 -1

global/programs/security/kanidm.nix

···

       2
        
       {

     

       3
        
         services.kanidm = {

     

       4
        
           enableClient = true;

     

       5
       -
           package = pkgs.kanidm_1_7;

     

       6
        
           clientSettings = {

     

       7
        
             uri = "https://serenity.mist-nessie.ts.net";

     

       8
        
           };

···

       2
        
       {

     

       3
        
         services.kanidm = {

     

       4
        
           enableClient = true;

     

       5
       +
           package = pkgs.kanidm_1_8;

     

       6
        
           clientSettings = {

     

       7
        
             uri = "https://serenity.mist-nessie.ts.net";

     

       8
        
           };

+2 -1

systems/koumakan/services/proxies/searxng.nix

···

       22
        
       

     

       23
        
         services.searx = {

     

       24
        
           enable = true;

     

       25
       -
           runInUwsgi = true;

     

       26
        
           environmentFile = secrets.getTemplate "searxng.env";

     

       27
        
           redisCreateLocally = true;

     

       0
        
       
     

       0
        
       
     

       28
        
           uwsgiConfig = {

     

       29
        
             http = "/run/searx/searxng.sock";

     

       30
        
             chmod-socket = "660";

···

       22
        
       

     

       23
        
         services.searx = {

     

       24
        
           enable = true;

     

       0
        
       
     

       25
        
           environmentFile = secrets.getTemplate "searxng.env";

     

       26
        
           redisCreateLocally = true;

     

       27
       +
       

     

       28
       +
           configureUwsgi = true;

     

       29
        
           uwsgiConfig = {

     

       30
        
             http = "/run/searx/searxng.sock";

     

       31
        
             chmod-socket = "660";

-7

systems/koumakan/services/scm/tangled-knot.nix

···

       1
        
       {

     

       2
        
         _utils,

     

       3
       -
         config,

     

       4
        
         ...

     

       5
        
       }:

     

       6
       -
       let

     

       7
       -
         secrets = _utils.setupSecrets config {

     

       8
       -
           namespace = "tangled";

     

       9
       -
           secrets = [ "knot/key" ];

     

       10
       -
         };

     

       11
       -
       in

     

       12
        
       {

     

       13
        
         services.tangled-knotserver = {

     

       14
        
           enable = true;

···

       1
        
       {

     

       2
        
         _utils,

     

       0
        
       
     

       3
        
         ...

     

       4
        
       }:

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       5
        
       {

     

       6
        
         services.tangled-knotserver = {

     

       7
        
           enable = true;

+2 -2

systems/koumakan/services/security/pocket-id.nix

···

       1
        
       {

     

       2
        
         _utils,

     

       3
        
         config,

     

       4
       -
         # lib,

     

       5
        
         ...

     

       6
        
       }:

     

       7
        
       let

     
···

       23
        
           enable = true;

     

       24
        
       

     

       25
        
           settings = {

     

       26
       -
             PUBLIC_APP_URL = "https://gatekeeper.soopy.moe";

     

       0
        
       
     

       27
        
             TRUST_PROXY = true;

     

       28
        
             PORT = "31411";

     

       29
        
             KEYS_STORAGE = "database";

···

       1
        
       {

     

       2
        
         _utils,

     

       3
        
         config,

     

       0
        
       
     

       4
        
         ...

     

       5
        
       }:

     

       6
        
       let

     
···

       22
        
           enable = true;

     

       23
        
       

     

       24
        
           settings = {

     

       25
       +
             APP_URL = "https://gatekeeper.soopy.moe";

     

       26
       +
             HOST = "127.0.0.1";

     

       27
        
             TRUST_PROXY = true;

     

       28
        
             PORT = "31411";

     

       29
        
             KEYS_STORAGE = "database";

+1 -1

systems/koumakan/services/storage/garage.nix

···

       24
        
             isSystemUser = true;

     

       25
        
             group = "garage";

     

       26
        
           };

     

       27
       -
           groups.garage = {};

     

       28
        
         };

     

       29
        
       

     

       30
        
         services.garage = {

···

       24
        
             isSystemUser = true;

     

       25
        
             group = "garage";

     

       26
        
           };

     

       27
       +
           groups.garage = { };

     

       28
        
         };

     

       29
        
       

     

       30
        
         services.garage = {

+5

systems/koumakan/services/storage/zipline.nix

···

       44
        
             client_max_body_size 100M;

     

       45
        
           '';

     

       46
        
         };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       47
        
       }

···

       44
        
             client_max_body_size 100M;

     

       45
        
           '';

     

       46
        
         };

     

       47
       +
       

     

       48
       +
         systemd.services.zipline.serviceConfig = {

     

       49
       +
           Restart = "on-failure";

     

       50
       +
           RestartSec = "10s";

     

       51
       +
         };

     

       52
        
       }

+1 -1

systems/renko/services/forgejo-runner.nix

···

       15
        
         imports = lib.singleton secrets.generate;

     

       16
        
       

     

       17
        
         services.gitea-actions-runner = {

     

       18
       -
           package = pkgs.forgejo-actions-runner;

     

       19
        
           instances.default = {

     

       20
        
             enable = true;

     

       21
        
             name = "renko-default";

···

       15
        
         imports = lib.singleton secrets.generate;

     

       16
        
       

     

       17
        
         services.gitea-actions-runner = {

     

       18
       +
           package = pkgs.forgejo-runner;

     

       19
        
           instances.default = {

     

       20
        
             enable = true;

     

       21
        
             name = "renko-default";

+16 -14

users/cassie/home/dev/git.nix

···

       8
        
         programs.git = lib.mkMerge [

     

       9
        
           {

     

       10
        
             enable = true;

     

       11
       -
             userName = "Sophie Cheung";

     

       12
       -
             userEmail = "me@soopy.moe";

     

       13
        
       

     

       14
       -
             # difftastic.enable = true;

     

       15
       -
             # delta.enable = true;

     

       16
       -
             diff-so-fancy = {

     

       17
       -
               enable = true;

     

       18
       -
               stripLeadingSymbols = false;

     

       19
        
             };

     

       20
        
           }

     

       21
        
       

     

       22
        
           (lib.mkIf traits.gui {

     

       23
       -
             signing = {

     

       24
       -
               signByDefault = true;

     

       25
       -
               key = inputs.self + "/creds/ssh/auth";

     

       26
       -
             };

     

       27
       -
       

     

       28
       -
             extraConfig = {

     

       29
        
               gpg.format = "ssh";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       30
        
             };

     

       31
        
           })

     

       32
        
         ];

     

       33
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       34
        
         home.shellAliases = {

     

       35
        
           # redo previous commit when something explodes, like my key died or something

     

       36
       -
           gcmm = "git commit -eF .git/COMMIT_EDITMSG";

     

       37
        
         };

     

       38
        
       }

···

       8
        
         programs.git = lib.mkMerge [

     

       9
        
           {

     

       10
        
             enable = true;

     

       0
        
       
     

       0
        
       
     

       11
        
       

     

       12
       +
             settings = {

     

       13
       +
               user.name = "Sophie Cheung";

     

       14
       +
               user.email = "git@soopy.moe";

     

       0
        
       
     

       0
        
       
     

       15
        
             };

     

       16
        
           }

     

       17
        
       

     

       18
        
           (lib.mkIf traits.gui {

     

       19
       +
             settings = {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       20
        
               gpg.format = "ssh";

     

       21
       +
               commit.gpgSign = true;

     

       22
       +
               tag.gpgSign = true;

     

       23
       +
       

     

       24
       +
               user.signingKey = inputs.self + "/creds/ssh/auth";

     

       25
        
             };

     

       26
        
           })

     

       27
        
         ];

     

       28
        
       

     

       29
       +
         programs.diff-so-fancy = {

     

       30
       +
           enable = true;

     

       31
       +
           enableGitIntegration = true;

     

       32
       +
       

     

       33
       +
           settings.stripLeadingSymbols = false;

     

       34
       +
         };

     

       35
       +
       

     

       36
        
         home.shellAliases = {

     

       37
        
           # redo previous commit when something explodes, like my key died or something

     

       38
       +
           gcmm = "git commit -eF .git/COMMIT_EDITMSG"; # FIXME: strip the thing after ------ 8< ------

     

       39
        
         };

     

       40
        
       }

+12 -3

users/cassie/home/dev/ssh.nix

···

       2
        
       {

     

       3
        
         programs.ssh = {

     

       4
        
           enable = true;

     

       5
       -
           hashKnownHosts = true;

     

       6
       -
           forwardAgent = true;

     

       7
        
       

     

       8
        
           matchBlocks = {

     

       9
        
             # most intuitive design /s

     
···

       24
        
               identitiesOnly = true;

     

       25
        
               identityFile = "~/.ssh/id_minecraft_backup";

     

       26
        
             };

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       27
        
           };

     

       28
        
       

     

       29
        
           # extraConfig is config for the Host * block.

     

       30
        
           ## n.b.: identitesonly and identityfile makes bootstrapping other devices hard esp.

     

       31
        
           ##       if they're embedded or resource constrained.

     

       32
        
           extraConfig = ''

     

       33
       -
             VisualHostKey yes

     

       34
        
           '';

     

       35
        
         };

     

       36
        
       }

···

       2
        
       {

     

       3
        
         programs.ssh = {

     

       4
        
           enable = true;

     

       5
       +
           enableDefaultConfig = false; # silent warning

     

       0
        
       
     

       6
        
       

     

       7
        
           matchBlocks = {

     

       8
        
             # most intuitive design /s

     
···

       23
        
               identitiesOnly = true;

     

       24
        
               identityFile = "~/.ssh/id_minecraft_backup";

     

       25
        
             };

     

       26
       +
       

     

       27
       +
             "*" = {

     

       28
       +
               forwardAgent = true;

     

       29
       +
               compression = false;

     

       30
       +
               serverAliveInterval = 0;

     

       31
       +
               serverAliveCountMax = 3;

     

       32
       +
               hashKnownHosts = true;

     

       33
       +
               userKnownHostsFile = "~/.ssh/known_hosts";

     

       34
       +
               # visualHostKey = true; # if this doesn't work im moving to hjem

     

       35
       +
             };

     

       36
        
           };

     

       37
        
       

     

       38
        
           # extraConfig is config for the Host * block.

     

       39
        
           ## n.b.: identitesonly and identityfile makes bootstrapping other devices hard esp.

     

       40
        
           ##       if they're embedded or resource constrained.

     

       41
        
           extraConfig = ''

     

       42
       +
             VisualHostKey = true; # if this doesn't work im moving to hjem

     

       43
        
           '';

     

       44
        
         };

     

       45
        
       }