comparing a805ac62169eca858879321be77aa55109d139fd and main on wiro.world/dotfiles

.ignore

···

       1
       1
       +
       *.age

+3 -3

Justfile

···

       21
       21
        
       home-switch profile *args:

     

       22
       22
        
       	home-manager switch --show-trace --flake .#{{profile}} {{args}}

     

       23
       23
        
       

     

       24
       24
       -
       switch-target profile host *args:

     

       24
       24
       +
       switch-target host *args:

     

       25
       25
        
       	nixos-rebuild switch \

     

       26
       26
       -
       		--flake .#{{profile}} \

     

       26
       26
       +
       		--flake .#{{host}} \

     

       27
       27
        
       		--target-host {{host}} \

     

       28
       28
       -
       		--use-remote-sudo {{args}}

     

       28
       28
       +
       		--sudo {{args}}

+1 -1

README.md

···

       20
       20
        
       	- `fragments`: Home Manager configuration fragments

     

       21
       21
        
       	- `options`: Home Manager configuration flags

     

       22
       22
        
       	- `profiles`: Base Home Manager configurations to build upon (e.g. `desktop`, `minimal`)

     

       23
       23
       -
       - `lib`: Additional custom lib and flake helpers 

     

       23
       23
       +
       - `lib`: Additional custom lib and flake helpers

     

       24
       24
        
       - `modules`: modules that fill a missing feature of NixOS or Home Manager

     

       25
       25
        
       - `nixos`: NixOS related config

     

       26
       26
        
       	- `hardware/<hostname>.nix`: Device-specific settings like settings generated by `nixos-generate-config`

+1 -1

apps/flash-installer.nix

···

       29
       29
        
           fi

     

       30
       30
        
       

     

       31
       31
        
           echo "Flashing to $dev"

     

       32
       32
       -
           

     

       32
       32
       +
       

     

       33
       33
        
           # Format selected disk

     

       34
       34
        
           pv -tpreb "${isoPath}" | sudo dd bs=4M of="$dev" iflag=fullblock conv=notrunc,noerror oflag=sync

     

       35
       35
        
         '';

+2 -1

configurations.nix

···

       19
       19
        
       

     

       20
       20
        
           # Servers

     

       21
       21
        
           "weird-row-server" = createSystem pkgs [

     

       22
       22
       -
             (system "weird-row-server" "server")

     

       22
       22
       +
             (host "weird-row-server")

     

       23
       23
        
             (managedDiskLayout "ext4-hetzner" { device = "sda"; swapSize = 2; })

     

       24
       24
       +
             # TODO: should we keep a real user there?

     

       24
       25
        
             (user "milomoisson" { description = "Milo Moisson"; profile = "server"; keys = keys.users; })

     

       25
       26
        
           ];

     

       26
       27
        
         };

+183 -158

flake.lock

···

       24
       24
        
               ],

     

       25
       25
        
               "nixpkgs": [

     

       26
       26
        
                 "nixpkgs"

     

       27
       27
       -
               ]

     

       27
       27
       +
               ],

     

       28
       28
       +
               "systems": "systems"

     

       28
       29
        
             },

     

       29
       30
        
             "locked": {

     

       30
       30
       -
               "lastModified": 1703089996,

     

       31
       31
       -
               "narHash": "sha256-ipqShkBmHKC9ft1ZAsA6aeKps32k7+XZSPwfxeHLsAU=",

     

       31
       31
       +
               "lastModified": 1762618334,

     

       32
       32
       +
               "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",

     

       32
       33
        
               "owner": "ryantm",

     

       33
       34
        
               "repo": "agenix",

     

       34
       34
       -
               "rev": "564595d0ad4be7277e07fa63b5a991b3c645655d",

     

       35
       35
       +
               "rev": "fcdea223397448d35d9b31f798479227e80183f6",

     

       35
       36
        
               "type": "github"

     

       36
       37
        
             },

     

       37
       38
        
             "original": {

     

       38
       39
        
               "owner": "ryantm",

     

       39
       39
       -
               "ref": "0.15.0",

     

       40
       40
        
               "repo": "agenix",

     

       41
       41
        
               "type": "github"

     

       42
       42
        
             }

     
···

       46
       46
        
               "fromYaml": "fromYaml"

     

       47
       47
        
             },

     

       48
       48
        
             "locked": {

     

       49
       49
       -
               "lastModified": 1746562888,

     

       50
       50
       -
               "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=",

     

       49
       49
       +
               "lastModified": 1755819240,

     

       50
       50
       +
               "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=",

     

       51
       51
        
               "owner": "SenchoPens",

     

       52
       52
        
               "repo": "base16.nix",

     

       53
       53
       -
               "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89",

     

       53
       53
       +
               "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6",

     

       54
       54
        
               "type": "github"

     

       55
       55
        
             },

     

       56
       56
        
             "original": {

     
···

       79
       79
        
           "base16-helix": {

     

       80
       80
        
             "flake": false,

     

       81
       81
        
             "locked": {

     

       82
       82
       -
               "lastModified": 1748408240,

     

       83
       83
       -
               "narHash": "sha256-9M2b1rMyMzJK0eusea0x3lyh3mu5nMeEDSc4RZkGm+g=",

     

       82
       82
       +
               "lastModified": 1752979451,

     

       83
       83
       +
               "narHash": "sha256-0CQM+FkYy0fOO/sMGhOoNL80ftsAzYCg9VhIrodqusM=",

     

       84
       84
        
               "owner": "tinted-theming",

     

       85
       85
        
               "repo": "base16-helix",

     

       86
       86
       -
               "rev": "6c711ab1a9db6f51e2f6887cc3345530b33e152e",

     

       86
       86
       +
               "rev": "27cf1e66e50abc622fb76a3019012dc07c678fac",

     

       87
       87
        
               "type": "github"

     

       88
       88
        
             },

     

       89
       89
        
             "original": {

     
···

       132
       132
        
               ]

     

       133
       133
        
             },

     

       134
       134
        
             "locked": {

     

       135
       135
       -
               "lastModified": 1673295039,

     

       136
       136
       -
               "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",

     

       135
       135
       +
               "lastModified": 1744478979,

     

       136
       136
       +
               "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",

     

       137
       137
        
               "owner": "lnl7",

     

       138
       138
        
               "repo": "nix-darwin",

     

       139
       139
       -
               "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",

     

       139
       139
       +
               "rev": "43975d782b418ebf4969e9ccba82466728c2851b",

     

       140
       140
        
               "type": "github"

     

       141
       141
        
             },

     

       142
       142
        
             "original": {

     
···

       153
       153
        
               ]

     

       154
       154
        
             },

     

       155
       155
        
             "locked": {

     

       156
       156
       -
               "lastModified": 1736864502,

     

       157
       157
       -
               "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",

     

       156
       156
       +
               "lastModified": 1764627417,

     

       157
       157
       +
               "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=",

     

       158
       158
        
               "owner": "nix-community",

     

       159
       159
        
               "repo": "disko",

     

       160
       160
       -
               "rev": "0141aabed359f063de7413f80d906e1d98c0c123",

     

       160
       160
       +
               "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3",

     

       161
       161
        
               "type": "github"

     

       162
       162
        
             },

     

       163
       163
        
             "original": {

     

       164
       164
        
               "owner": "nix-community",

     

       165
       165
       -
               "ref": "v1.11.0",

     

       166
       165
        
               "repo": "disko",

     

       167
       166
        
               "type": "github"

     

       168
       167
        
             }

     
···

       170
       169
        
           "firefox-gnome-theme": {

     

       171
       170
        
             "flake": false,

     

       172
       171
        
             "locked": {

     

       173
       173
       -
               "lastModified": 1748383148,

     

       174
       174
       -
               "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=",

     

       172
       172
       +
               "lastModified": 1758112371,

     

       173
       173
       +
               "narHash": "sha256-lizRM2pj6PHrR25yimjyFn04OS4wcdbc38DCdBVa2rk=",

     

       175
       174
        
               "owner": "rafaelmardojai",

     

       176
       175
        
               "repo": "firefox-gnome-theme",

     

       177
       177
       -
               "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf",

     

       176
       176
       +
               "rev": "0909cfe4a2af8d358ad13b20246a350e14c2473d",

     

       178
       177
        
               "type": "github"

     

       179
       178
        
             },

     

       180
       179
        
             "original": {

     
···

       186
       185
        
           "flake-compat": {

     

       187
       186
        
             "flake": false,

     

       188
       187
        
             "locked": {

     

       189
       189
       -
               "lastModified": 1747046372,

     

       190
       190
       -
               "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",

     

       188
       188
       +
               "lastModified": 1761588595,

     

       189
       189
       +
               "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",

     

       191
       190
        
               "owner": "edolstra",

     

       192
       191
        
               "repo": "flake-compat",

     

       193
       193
       -
               "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",

     

       192
       192
       +
               "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",

     

       194
       193
        
               "type": "github"

     

       195
       194
        
             },

     

       196
       195
        
             "original": {

     
···

       200
       199
        
             }

     

       201
       200
        
           },

     

       202
       201
        
           "flake-compat_2": {

     

       202
       202
       +
             "locked": {

     

       203
       203
       +
               "lastModified": 1761588595,

     

       204
       204
       +
               "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",

     

       205
       205
       +
               "owner": "edolstra",

     

       206
       206
       +
               "repo": "flake-compat",

     

       207
       207
       +
               "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",

     

       208
       208
       +
               "type": "github"

     

       209
       209
       +
             },

     

       210
       210
       +
             "original": {

     

       211
       211
       +
               "owner": "edolstra",

     

       212
       212
       +
               "repo": "flake-compat",

     

       213
       213
       +
               "type": "github"

     

       214
       214
       +
             }

     

       215
       215
       +
           },

     

       216
       216
       +
           "flake-compat_3": {

     

       203
       217
        
             "flake": false,

     

       204
       218
        
             "locked": {

     

       205
       219
        
               "lastModified": 1751685974,

     
···

       216
       230
        
           "flake-parts": {

     

       217
       231
        
             "inputs": {

     

       218
       232
        
               "nixpkgs-lib": [

     

       219
       219
       -
                 "lanzaboote",

     

       220
       220
       -
                 "nixpkgs"

     

       221
       221
       -
               ]

     

       222
       222
       -
             },

     

       223
       223
       -
             "locked": {

     

       224
       224
       -
               "lastModified": 1754091436,

     

       225
       225
       -
               "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",

     

       226
       226
       -
               "owner": "hercules-ci",

     

       227
       227
       -
               "repo": "flake-parts",

     

       228
       228
       -
               "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",

     

       229
       229
       -
               "type": "github"

     

       230
       230
       -
             },

     

       231
       231
       -
             "original": {

     

       232
       232
       -
               "owner": "hercules-ci",

     

       233
       233
       -
               "repo": "flake-parts",

     

       234
       234
       -
               "type": "github"

     

       235
       235
       -
             }

     

       236
       236
       -
           },

     

       237
       237
       -
           "flake-parts_2": {

     

       238
       238
       -
             "inputs": {

     

       239
       239
       -
               "nixpkgs-lib": [

     

       240
       233
        
                 "stylix",

     

       241
       234
        
                 "nixpkgs"

     

       242
       235
        
               ]

     

       243
       236
        
             },

     

       244
       237
        
             "locked": {

     

       245
       245
       -
               "lastModified": 1749398372,

     

       246
       246
       -
               "narHash": "sha256-tYBdgS56eXYaWVW3fsnPQ/nFlgWi/Z2Ymhyu21zVM98=",

     

       238
       238
       +
               "lastModified": 1756770412,

     

       239
       239
       +
               "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",

     

       247
       240
        
               "owner": "hercules-ci",

     

       248
       241
        
               "repo": "flake-parts",

     

       249
       249
       -
               "rev": "9305fe4e5c2a6fcf5ba6a3ff155720fbe4076569",

     

       242
       242
       +
               "rev": "4524271976b625a4a605beefd893f270620fd751",

     

       250
       243
        
               "type": "github"

     

       251
       244
        
             },

     

       252
       245
        
             "original": {

     
···

       257
       250
        
           },

     

       258
       251
        
           "flake-utils": {

     

       259
       252
        
             "inputs": {

     

       260
       260
       -
               "systems": "systems_2"

     

       253
       253
       +
               "systems": "systems_3"

     

       261
       254
        
             },

     

       262
       255
        
             "locked": {

     

       263
       256
        
               "lastModified": 1694529238,

     
···

       298
       291
        
               "rust-overlay": "rust-overlay"

     

       299
       292
        
             },

     

       300
       293
        
             "locked": {

     

       301
       301
       -
               "lastModified": 1747139554,

     

       302
       302
       -
               "narHash": "sha256-CpjdfdzyN0tAcBvtg9AQk+mDlNSb+NAZPUBpx/4VzvA=",

     

       294
       294
       +
               "lastModified": 1764804992,

     

       295
       295
       +
               "narHash": "sha256-6XIwDQwquGUfiwoTsukMyE6DcXW4Cx0fjE4cLTgQ7RM=",

     

       303
       296
        
               "owner": "mrnossiom",

     

       304
       297
        
               "repo": "git-leave",

     

       305
       305
       -
               "rev": "bf125663fa992097620ca034ec57ebd20ed50532",

     

       298
       298
       +
               "rev": "3c09ab6afafae76be08956cc7bf563f80e0f8394",

     

       306
       299
        
               "type": "github"

     

       307
       300
        
             },

     

       308
       301
        
             "original": {

     
···

       319
       312
        
               ]

     

       320
       313
        
             },

     

       321
       314
        
             "locked": {

     

       322
       322
       -
               "lastModified": 1709087332,

     

       323
       323
       -
               "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",

     

       315
       315
       +
               "lastModified": 1762808025,

     

       316
       316
       +
               "narHash": "sha256-XmjITeZNMTQXGhhww6ed/Wacy2KzD6svioyCX7pkUu4=",

     

       324
       317
        
               "owner": "hercules-ci",

     

       325
       318
        
               "repo": "gitignore.nix",

     

       326
       326
       -
               "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",

     

       319
       319
       +
               "rev": "cb5e3fdca1de58ccbc3ef53de65bd372b48f567c",

     

       327
       320
        
               "type": "github"

     

       328
       321
        
             },

     

       329
       322
        
             "original": {

     
···

       357
       350
        
             "inputs": {

     

       358
       351
        
               "nixpkgs": [

     

       359
       352
        
                 "lanzaboote",

     

       360
       360
       -
                 "pre-commit-hooks-nix",

     

       353
       353
       +
                 "pre-commit",

     

       361
       354
        
                 "nixpkgs"

     

       362
       355
        
               ]

     

       363
       356
        
             },

     
···

       399
       392
        
           "gnome-shell": {

     

       400
       393
        
             "flake": false,

     

       401
       394
        
             "locked": {

     

       402
       402
       -
               "lastModified": 1744584021,

     

       403
       403
       -
               "narHash": "sha256-0RJ4mJzf+klKF4Fuoc8VN8dpQQtZnKksFmR2jhWE1Ew=",

     

       395
       395
       +
               "host": "gitlab.gnome.org",

     

       396
       396
       +
               "lastModified": 1762869044,

     

       397
       397
       +
               "narHash": "sha256-nwm/GJ2Syigf7VccLAZ66mFC8mZJFqpJmIxSGKl7+Ds=",

     

       404
       398
        
               "owner": "GNOME",

     

       405
       399
        
               "repo": "gnome-shell",

     

       406
       406
       -
               "rev": "52c517c8f6c199a1d6f5118fae500ef69ea845ae",

     

       407
       407
       -
               "type": "github"

     

       400
       400
       +
               "rev": "680e3d195a92203f28d4bf8c6e8bb537cc3ed4ad",

     

       401
       401
       +
               "type": "gitlab"

     

       408
       402
        
             },

     

       409
       403
        
             "original": {

     

       404
       404
       +
               "host": "gitlab.gnome.org",

     

       410
       405
        
               "owner": "GNOME",

     

       411
       411
       -
               "ref": "48.1",

     

       406
       406
       +
               "ref": "gnome-49",

     

       412
       407
        
               "repo": "gnome-shell",

     

       413
       413
       -
               "type": "github"

     

       408
       408
       +
               "type": "gitlab"

     

       414
       409
        
             }

     

       415
       410
        
           },

     

       416
       411
        
           "gomod2nix": {

     
···

       442
       437
        
               ]

     

       443
       438
        
             },

     

       444
       439
        
             "locked": {

     

       445
       445
       -
               "lastModified": 1758463745,

     

       446
       446
       -
               "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",

     

       440
       440
       +
               "lastModified": 1764398914,

     

       441
       441
       +
               "narHash": "sha256-YPrpwlVQidzQlMh0OnquaJR+58rKe9YNnuRis293Ilo=",

     

       447
       442
        
               "owner": "nix-community",

     

       448
       443
        
               "repo": "home-manager",

     

       449
       449
       -
               "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",

     

       444
       444
       +
               "rev": "d0c5fdc48db6f19471b8adc954eca09194e68036",

     

       450
       445
        
               "type": "github"

     

       451
       446
        
             },

     

       452
       447
        
             "original": {

     

       453
       448
        
               "owner": "nix-community",

     

       454
       454
       -
               "ref": "release-25.05",

     

       449
       449
       +
               "ref": "release-25.11",

     

       455
       450
        
               "repo": "home-manager",

     

       456
       451
        
               "type": "github"

     

       457
       452
        
             }

     
···

       489
       484
        
               "rust-overlay": "rust-overlay_2"

     

       490
       485
        
             },

     

       491
       486
        
             "locked": {

     

       492
       492
       -
               "lastModified": 1763289634,

     

       493
       493
       -
               "narHash": "sha256-NbaPpZFy3A14TIPGry09TGvO2u0/iu0lJE/Nmef6AiU=",

     

       487
       487
       +
               "lastModified": 1764455123,

     

       488
       488
       +
               "narHash": "sha256-ePlZ3OHBLTRlRa9zs2IeHNA8CuiMLyu5ZUzxoGI5Hp0=",

     

       494
       489
        
               "owner": "pixilie",

     

       495
       490
        
               "repo": "hypixel-bank-tracker",

     

       496
       496
       -
               "rev": "d8907749d733f7dd5d9e08f4c4b69c0f55bf1935",

     

       491
       491
       +
               "rev": "8e4e91b1a8fa264895fa40dda93c3363be33a958",

     

       497
       492
        
               "type": "github"

     

       498
       493
        
             },

     

       499
       494
        
             "original": {

     
···

       547
       542
        
           "lanzaboote": {

     

       548
       543
        
             "inputs": {

     

       549
       544
        
               "crane": "crane",

     

       550
       550
       -
               "flake-compat": "flake-compat",

     

       551
       551
       -
               "flake-parts": "flake-parts",

     

       552
       545
        
               "nixpkgs": [

     

       553
       546
        
                 "unixpkgs"

     

       554
       547
        
               ],

     

       555
       555
       -
               "pre-commit-hooks-nix": "pre-commit-hooks-nix",

     

       548
       548
       +
               "pre-commit": "pre-commit",

     

       556
       549
        
               "rust-overlay": "rust-overlay_3"

     

       557
       550
        
             },

     

       558
       551
        
             "locked": {

     

       559
       559
       -
               "lastModified": 1762205063,

     

       560
       560
       -
               "narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=",

     

       552
       552
       +
               "lastModified": 1764622702,

     

       553
       553
       +
               "narHash": "sha256-HggOVvg2U3EwT44wPHEwFKromf9qR9rTqfV1i3q7rYs=",

     

       561
       554
        
               "owner": "nix-community",

     

       562
       555
        
               "repo": "lanzaboote",

     

       563
       563
       -
               "rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05",

     

       556
       556
       +
               "rev": "6242b3b2b5e5afcf329027ed4eb5fa6e2eab10f1",

     

       564
       557
        
               "type": "github"

     

       565
       558
        
             },

     

       566
       559
        
             "original": {

     

       567
       560
        
               "owner": "nix-community",

     

       568
       568
       -
               "ref": "v0.4.3",

     

       569
       561
        
               "repo": "lanzaboote",

     

       570
       562
        
               "type": "github"

     

       571
       563
        
             }

     
···

       583
       575
        
               "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip"

     

       584
       576
        
             }

     

       585
       577
        
           },

     

       578
       578
       +
           "nix-alien": {

     

       579
       579
       +
             "inputs": {

     

       580
       580
       +
               "flake-compat": "flake-compat_2",

     

       581
       581
       +
               "nix-index-database": "nix-index-database",

     

       582
       582
       +
               "nixpkgs": [

     

       583
       583
       +
                 "nixpkgs"

     

       584
       584
       +
               ]

     

       585
       585
       +
             },

     

       586
       586
       +
             "locked": {

     

       587
       587
       +
               "lastModified": 1764061716,

     

       588
       588
       +
               "narHash": "sha256-xKnIoMPv2kIsWhjRhJayqMWU2xkjeq2pyPmR1dLFPHs=",

     

       589
       589
       +
               "owner": "thiagokokada",

     

       590
       590
       +
               "repo": "nix-alien",

     

       591
       591
       +
               "rev": "9bc9c1ab671eb1b610f549e15bc0b750ab987409",

     

       592
       592
       +
               "type": "github"

     

       593
       593
       +
             },

     

       594
       594
       +
             "original": {

     

       595
       595
       +
               "owner": "thiagokokada",

     

       596
       596
       +
               "repo": "nix-alien",

     

       597
       597
       +
               "type": "github"

     

       598
       598
       +
             }

     

       599
       599
       +
           },

     

       586
       600
        
           "nix-darwin": {

     

       587
       601
        
             "inputs": {

     

       588
       602
        
               "nixpkgs": [

     
···

       590
       604
        
               ]

     

       591
       605
        
             },

     

       592
       606
        
             "locked": {

     

       593
       593
       -
               "lastModified": 1762912391,

     

       594
       594
       -
               "narHash": "sha256-4hpBE7bGd24SfD28rzMdUGXsLsNEYxCCrTipFdoqoNM=",

     

       595
       595
       -
               "owner": "LnL7",

     

       607
       607
       +
               "lastModified": 1764161084,

     

       608
       608
       +
               "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",

     

       609
       609
       +
               "owner": "nix-darwin",

     

       596
       610
        
               "repo": "nix-darwin",

     

       597
       597
       -
               "rev": "d76299b2cd01837c4c271a7b5186e3d5d8ebd126",

     

       611
       611
       +
               "rev": "e95de00a471d07435e0527ff4db092c84998698e",

     

       598
       612
        
               "type": "github"

     

       599
       613
        
             },

     

       600
       614
        
             "original": {

     

       601
       601
       -
               "owner": "LnL7",

     

       602
       602
       -
               "ref": "nix-darwin-25.05",

     

       615
       615
       +
               "owner": "nix-darwin",

     

       616
       616
       +
               "ref": "nix-darwin-25.11",

     

       603
       617
        
               "repo": "nix-darwin",

     

       604
       618
        
               "type": "github"

     

       605
       619
        
             }

     

       606
       620
        
           },

     

       621
       621
       +
           "nix-index-database": {

     

       622
       622
       +
             "inputs": {

     

       623
       623
       +
               "nixpkgs": [

     

       624
       624
       +
                 "nix-alien",

     

       625
       625
       +
                 "nixpkgs"

     

       626
       626
       +
               ]

     

       627
       627
       +
             },

     

       628
       628
       +
             "locked": {

     

       629
       629
       +
               "lastModified": 1762660502,

     

       630
       630
       +
               "narHash": "sha256-C9F1C31ys0V7mnp4EcDy7L1cLZw/sCTEXqqTtGnvu08=",

     

       631
       631
       +
               "owner": "nix-community",

     

       632
       632
       +
               "repo": "nix-index-database",

     

       633
       633
       +
               "rev": "15c5451c63f4c612874a43846bfe3fa828b03eee",

     

       634
       634
       +
               "type": "github"

     

       635
       635
       +
             },

     

       636
       636
       +
             "original": {

     

       637
       637
       +
               "owner": "nix-community",

     

       638
       638
       +
               "repo": "nix-index-database",

     

       639
       639
       +
               "type": "github"

     

       640
       640
       +
             }

     

       641
       641
       +
           },

     

       607
       642
        
           "nixos-hardware": {

     

       608
       643
        
             "locked": {

     

       609
       609
       -
               "lastModified": 1762847253,

     

       610
       610
       -
               "narHash": "sha256-BWWnUUT01lPwCWUvS0p6Px5UOBFeXJ8jR+ZdLX8IbrU=",

     

       644
       644
       +
               "lastModified": 1764440730,

     

       645
       645
       +
               "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",

     

       611
       646
        
               "owner": "nixos",

     

       612
       647
        
               "repo": "nixos-hardware",

     

       613
       613
       -
               "rev": "899dc449bc6428b9ee6b3b8f771ca2b0ef945ab9",

     

       648
       648
       +
               "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",

     

       614
       649
        
               "type": "github"

     

       615
       650
        
             },

     

       616
       651
        
             "original": {

     
···

       621
       656
        
           },

     

       622
       657
        
           "nixpkgs": {

     

       623
       658
        
             "locked": {

     

       624
       624
       -
               "lastModified": 1763049705,

     

       625
       625
       -
               "narHash": "sha256-A5LS0AJZ1yDPTa2fHxufZN++n8MCmtgrJDtxFxrH4S8=",

     

       659
       659
       +
               "lastModified": 1764406085,

     

       660
       660
       +
               "narHash": "sha256-CYbMp8hwuOf4umokSNp+t1s4Hjd4vxXq4S5CD+xvgNs=",

     

       626
       661
        
               "owner": "nixos",

     

       627
       662
        
               "repo": "nixpkgs",

     

       628
       628
       -
               "rev": "3acb677ea67d4c6218f33de0db0955f116b7588c",

     

       663
       663
       +
               "rev": "9561691c9f450fad7c3526916e1c4f44be0d1192",

     

       629
       664
        
               "type": "github"

     

       630
       665
        
             },

     

       631
       666
        
             "original": {

     

       632
       667
        
               "owner": "nixos",

     

       633
       633
       -
               "ref": "nixos-25.05",

     

       668
       668
       +
               "ref": "nixos-25.11",

     

       634
       669
        
               "repo": "nixpkgs",

     

       635
       670
        
               "type": "github"

     

       636
       671
        
             }

     
···

       644
       679
        
               "nixpkgs": [

     

       645
       680
        
                 "stylix",

     

       646
       681
        
                 "nixpkgs"

     

       647
       647
       -
               ],

     

       648
       648
       -
               "treefmt-nix": "treefmt-nix"

     

       682
       682
       +
               ]

     

       649
       683
        
             },

     

       650
       684
        
             "locked": {

     

       651
       651
       -
               "lastModified": 1751320053,

     

       652
       652
       -
               "narHash": "sha256-3m6RMw0FbbaUUa01PNaMLoO7D99aBClmY5ed9V3vz+0=",

     

       685
       685
       +
               "lastModified": 1758998580,

     

       686
       686
       +
               "narHash": "sha256-VLx0z396gDCGSiowLMFz5XRO/XuNV+4EnDYjdJhHvUk=",

     

       653
       687
        
               "owner": "nix-community",

     

       654
       688
        
               "repo": "NUR",

     

       655
       655
       -
               "rev": "cbde1735782f9c2bb2c63d5e05fba171a14a4670",

     

       689
       689
       +
               "rev": "ba8d9c98f5f4630bcb0e815ab456afd90c930728",

     

       656
       690
        
               "type": "github"

     

       657
       691
        
             },

     

       658
       692
        
             "original": {

     
···

       661
       695
        
               "type": "github"

     

       662
       696
        
             }

     

       663
       697
        
           },

     

       664
       664
       -
           "pre-commit-hooks-nix": {

     

       698
       698
       +
           "pre-commit": {

     

       665
       699
        
             "inputs": {

     

       666
       666
       -
               "flake-compat": [

     

       667
       667
       -
                 "lanzaboote",

     

       668
       668
       -
                 "flake-compat"

     

       669
       669
       -
               ],

     

       700
       700
       +
               "flake-compat": "flake-compat",

     

       670
       701
        
               "gitignore": "gitignore_3",

     

       671
       702
        
               "nixpkgs": [

     

       672
       703
        
                 "lanzaboote",

     
···

       674
       705
        
               ]

     

       675
       706
        
             },

     

       676
       707
        
             "locked": {

     

       677
       677
       -
               "lastModified": 1750779888,

     

       678
       678
       -
               "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",

     

       708
       708
       +
               "lastModified": 1763988335,

     

       709
       709
       +
               "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=",

     

       679
       710
        
               "owner": "cachix",

     

       680
       711
        
               "repo": "pre-commit-hooks.nix",

     

       681
       681
       -
               "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",

     

       712
       712
       +
               "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce",

     

       682
       713
        
               "type": "github"

     

       683
       714
        
             },

     

       684
       715
        
             "original": {

     
···

       695
       726
        
               "home-manager": "home-manager",

     

       696
       727
        
               "hypixel-bank-tracker": "hypixel-bank-tracker",

     

       697
       728
        
               "lanzaboote": "lanzaboote",

     

       729
       729
       +
               "nix-alien": "nix-alien",

     

       698
       730
        
               "nix-darwin": "nix-darwin",

     

       699
       731
        
               "nixos-hardware": "nixos-hardware",

     

       700
       732
        
               "nixpkgs": "nixpkgs",

     
···

       714
       746
        
               ]

     

       715
       747
        
             },

     

       716
       748
        
             "locked": {

     

       717
       717
       -
               "lastModified": 1744599145,

     

       718
       718
       -
               "narHash": "sha256-yzaDPkJwZdUtRj/dzdOeB74yryWzpngYaD7BedqFKk8=",

     

       749
       749
       +
               "lastModified": 1764557621,

     

       750
       750
       +
               "narHash": "sha256-kX5PoY8hQZ80+amMQgOO9t8Tc1JZ70gYRnzaVD4AA+o=",

     

       719
       751
        
               "owner": "oxalica",

     

       720
       752
        
               "repo": "rust-overlay",

     

       721
       721
       -
               "rev": "fd6795d3d28f956de01a0458b6fa7baae5c793b4",

     

       753
       753
       +
               "rev": "93316876c2229460a5d6f5f052766cc4cef538ce",

     

       722
       754
        
               "type": "github"

     

       723
       755
        
             },

     

       724
       756
        
             "original": {

     
···

       810
       842
        
               ]

     

       811
       843
        
             },

     

       812
       844
        
             "locked": {

     

       813
       813
       -
               "lastModified": 1762737305,

     

       814
       814
       -
               "narHash": "sha256-5zN6jJ6KKBGiJeK3Q4+afZfJU7VyyUgehOAA3zYegTc=",

     

       845
       845
       +
               "lastModified": 1764205213,

     

       846
       846
       +
               "narHash": "sha256-VWKPkM4m5kGgJ0HY1WKfvlPkKka6tYwUR8snetAFTu8=",

     

       815
       847
        
               "owner": "nix-community",

     

       816
       848
        
               "repo": "srvos",

     

       817
       817
       -
               "rev": "c04379f95fca70b38cdd45a1a7affe6d4226912b",

     

       849
       849
       +
               "rev": "8b90cbaadae462563297a2d08870cccfd986ca28",

     

       818
       850
        
               "type": "github"

     

       819
       851
        
             },

     

       820
       852
        
             "original": {

     
···

       830
       862
        
               "base16-helix": "base16-helix",

     

       831
       863
        
               "base16-vim": "base16-vim",

     

       832
       864
        
               "firefox-gnome-theme": "firefox-gnome-theme",

     

       833
       833
       -
               "flake-parts": "flake-parts_2",

     

       865
       865
       +
               "flake-parts": "flake-parts",

     

       834
       866
        
               "gnome-shell": "gnome-shell",

     

       835
       867
        
               "nixpkgs": [

     

       836
       868
        
                 "nixpkgs"

     

       837
       869
        
               ],

     

       838
       870
        
               "nur": "nur",

     

       839
       839
       -
               "systems": "systems",

     

       871
       871
       +
               "systems": "systems_2",

     

       840
       872
        
               "tinted-foot": "tinted-foot",

     

       841
       873
        
               "tinted-kitty": "tinted-kitty",

     

       842
       874
        
               "tinted-schemes": "tinted-schemes",

     
···

       844
       876
        
               "tinted-zed": "tinted-zed"

     

       845
       877
        
             },

     

       846
       878
        
             "locked": {

     

       847
       847
       -
               "lastModified": 1762295027,

     

       848
       848
       -
               "narHash": "sha256-5z5cGrp9F8g8iyQrM8WkB6pAwP4AaicljKZ15gx+X9Y=",

     

       879
       879
       +
               "lastModified": 1764193603,

     

       880
       880
       +
               "narHash": "sha256-guX30TWe8HRG2qPFiM9893F2uTw4B8D/xkE6Mq7MiYg=",

     

       849
       881
        
               "owner": "nix-community",

     

       850
       882
        
               "repo": "stylix",

     

       851
       851
       -
               "rev": "91b9a270523361268ba6a8772152fde31103869f",

     

       883
       883
       +
               "rev": "9bf8725a3d65b3ff0ba68ce13779657f5095e36b",

     

       852
       884
        
               "type": "github"

     

       853
       885
        
             },

     

       854
       886
        
             "original": {

     

       855
       887
        
               "owner": "nix-community",

     

       856
       856
       -
               "ref": "release-25.05",

     

       888
       888
       +
               "ref": "release-25.11",

     

       857
       889
        
               "repo": "stylix",

     

       858
       890
        
               "type": "github"

     

       859
       891
        
             }

     
···

       888
       920
        
               "type": "github"

     

       889
       921
        
             }

     

       890
       922
        
           },

     

       923
       923
       +
           "systems_3": {

     

       924
       924
       +
             "locked": {

     

       925
       925
       +
               "lastModified": 1681028828,

     

       926
       926
       +
               "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",

     

       927
       927
       +
               "owner": "nix-systems",

     

       928
       928
       +
               "repo": "default",

     

       929
       929
       +
               "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",

     

       930
       930
       +
               "type": "github"

     

       931
       931
       +
             },

     

       932
       932
       +
             "original": {

     

       933
       933
       +
               "owner": "nix-systems",

     

       934
       934
       +
               "repo": "default",

     

       935
       935
       +
               "type": "github"

     

       936
       936
       +
             }

     

       937
       937
       +
           },

     

       891
       938
        
           "tangled": {

     

       892
       939
        
             "inputs": {

     

       893
       940
        
               "actor-typeahead-src": "actor-typeahead-src",

     

       894
       894
       -
               "flake-compat": "flake-compat_2",

     

       941
       941
       +
               "flake-compat": "flake-compat_3",

     

       895
       942
        
               "gomod2nix": "gomod2nix",

     

       896
       943
        
               "htmx-src": "htmx-src",

     

       897
       944
        
               "htmx-ws-src": "htmx-ws-src",

     
···

       905
       952
        
               "sqlite-lib-src": "sqlite-lib-src"

     

       906
       953
        
             },

     

       907
       954
        
             "locked": {

     

       908
       908
       -
               "lastModified": 1763089726,

     

       909
       909
       -
               "narHash": "sha256-lRTZLRcqWpVf6CzJmvg+ggp/YWWasT4u2lFKIiIopoM=",

     

       955
       955
       +
               "lastModified": 1764005195,

     

       956
       956
       +
               "narHash": "sha256-PzuWiW/nMxwQTX0i1bHwGazQF4ptLNI9OGwpmhDb9i0=",

     

       910
       957
        
               "ref": "refs/heads/master",

     

       911
       911
       -
               "rev": "3eb9cefd98d13ab9864abb2e394fc41f89ffd923",

     

       912
       912
       -
               "revCount": 1660,

     

       958
       958
       +
               "rev": "7358ec6edfa4d17b8b8f543d99e83a4705901148",

     

       959
       959
       +
               "revCount": 1687,

     

       913
       960
        
               "type": "git",

     

       914
       914
       -
               "url": "https://tangled.org/@tangled.org/core"

     

       961
       961
       +
               "url": "https://tangled.org/tangled.org/core"

     

       915
       962
        
             },

     

       916
       963
        
             "original": {

     

       917
       964
        
               "type": "git",

     

       918
       918
       -
               "url": "https://tangled.org/@tangled.org/core"

     

       965
       965
       +
               "url": "https://tangled.org/tangled.org/core"

     

       919
       966
        
             }

     

       920
       967
        
           },

     

       921
       968
        
           "tinted-foot": {

     
···

       954
       1001
        
           "tinted-schemes": {

     

       955
       1002
        
             "flake": false,

     

       956
       1003
        
             "locked": {

     

       957
       957
       -
               "lastModified": 1750770351,

     

       958
       958
       -
               "narHash": "sha256-LI+BnRoFNRa2ffbe3dcuIRYAUcGklBx0+EcFxlHj0SY=",

     

       1004
       1004
       +
               "lastModified": 1757716333,

     

       1005
       1005
       +
               "narHash": "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=",

     

       959
       1006
        
               "owner": "tinted-theming",

     

       960
       1007
        
               "repo": "schemes",

     

       961
       961
       -
               "rev": "5a775c6ffd6e6125947b393872cde95867d85a2a",

     

       1008
       1008
       +
               "rev": "317a5e10c35825a6c905d912e480dfe8e71c7559",

     

       962
       1009
        
               "type": "github"

     

       963
       1010
        
             },

     

       964
       1011
        
             "original": {

     
···

       970
       1017
        
           "tinted-tmux": {

     

       971
       1018
        
             "flake": false,

     

       972
       1019
        
             "locked": {

     

       973
       973
       -
               "lastModified": 1751159871,

     

       974
       974
       -
               "narHash": "sha256-UOHBN1fgHIEzvPmdNMHaDvdRMgLmEJh2hNmDrp3d3LE=",

     

       1020
       1020
       +
               "lastModified": 1757811970,

     

       1021
       1021
       +
               "narHash": "sha256-n5ZJgmzGZXOD9pZdAl1OnBu3PIqD+X3vEBUGbTi4JiI=",

     

       975
       1022
        
               "owner": "tinted-theming",

     

       976
       1023
        
               "repo": "tinted-tmux",

     

       977
       977
       -
               "rev": "bded5e24407cec9d01bd47a317d15b9223a1546c",

     

       1024
       1024
       +
               "rev": "d217ba31c846006e9e0ae70775b0ee0f00aa6b1e",

     

       978
       1025
        
               "type": "github"

     

       979
       1026
        
             },

     

       980
       1027
        
             "original": {

     
···

       986
       1033
        
           "tinted-zed": {

     

       987
       1034
        
             "flake": false,

     

       988
       1035
        
             "locked": {

     

       989
       989
       -
               "lastModified": 1751158968,

     

       990
       990
       -
               "narHash": "sha256-ksOyv7D3SRRtebpXxgpG4TK8gZSKFc4TIZpR+C98jX8=",

     

       1036
       1036
       +
               "lastModified": 1757811247,

     

       1037
       1037
       +
               "narHash": "sha256-4EFOUyLj85NRL3OacHoLGEo0wjiRJzfsXtR4CZWAn6w=",

     

       991
       1038
        
               "owner": "tinted-theming",

     

       992
       1039
        
               "repo": "base16-zed",

     

       993
       993
       -
               "rev": "86a470d94204f7652b906ab0d378e4231a5b3384",

     

       1040
       1040
       +
               "rev": "824fe0aacf82b3c26690d14e8d2cedd56e18404e",

     

       994
       1041
        
               "type": "github"

     

       995
       1042
        
             },

     

       996
       1043
        
             "original": {

     
···

       999
       1046
        
               "type": "github"

     

       1000
       1047
        
             }

     

       1001
       1048
        
           },

     

       1002
       1002
       -
           "treefmt-nix": {

     

       1003
       1003
       -
             "inputs": {

     

       1004
       1004
       -
               "nixpkgs": [

     

       1005
       1005
       -
                 "stylix",

     

       1006
       1006
       -
                 "nur",

     

       1007
       1007
       -
                 "nixpkgs"

     

       1008
       1008
       -
               ]

     

       1009
       1009
       -
             },

     

       1010
       1010
       -
             "locked": {

     

       1011
       1011
       -
               "lastModified": 1733222881,

     

       1012
       1012
       -
               "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=",

     

       1013
       1013
       -
               "owner": "numtide",

     

       1014
       1014
       -
               "repo": "treefmt-nix",

     

       1015
       1015
       -
               "rev": "49717b5af6f80172275d47a418c9719a31a78b53",

     

       1016
       1016
       -
               "type": "github"

     

       1017
       1017
       -
             },

     

       1018
       1018
       -
             "original": {

     

       1019
       1019
       -
               "owner": "numtide",

     

       1020
       1020
       -
               "repo": "treefmt-nix",

     

       1021
       1021
       -
               "type": "github"

     

       1022
       1022
       -
             }

     

       1023
       1023
       -
           },

     

       1024
       1049
        
           "unixpkgs": {

     

       1025
       1050
        
             "locked": {

     

       1026
       1026
       -
               "lastModified": 1762977756,

     

       1027
       1027
       -
               "narHash": "sha256-4PqRErxfe+2toFJFgcRKZ0UI9NSIOJa+7RXVtBhy4KE=",

     

       1051
       1051
       +
               "lastModified": 1764950072,

     

       1052
       1052
       +
               "narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=",

     

       1028
       1053
        
               "owner": "nixos",

     

       1029
       1054
        
               "repo": "nixpkgs",

     

       1030
       1030
       -
               "rev": "c5ae371f1a6a7fd27823bc500d9390b38c05fa55",

     

       1055
       1055
       +
               "rev": "f61125a668a320878494449750330ca58b78c557",

     

       1031
       1056
        
               "type": "github"

     

       1032
       1057
        
             },

     

       1033
       1058
        
             "original": {

     
···

       1069
       1094
        
               ]

     

       1070
       1095
        
             },

     

       1071
       1096
        
             "locked": {

     

       1072
       1072
       -
               "lastModified": 1763097615,

     

       1073
       1073
       -
               "narHash": "sha256-qxpsf2FVzXrN0WDWRgeBz7RJ5vjHNFDy8oLqbC6gU3Y=",

     

       1097
       1097
       +
               "lastModified": 1764414951,

     

       1098
       1098
       +
               "narHash": "sha256-pZ2m2JmTTMyqiKB8WSigsSvAeoShI6OSRhzBuRO9SVY=",

     

       1074
       1099
        
               "owner": "0xc000022070",

     

       1075
       1100
        
               "repo": "zen-browser-flake",

     

       1076
       1076
       -
               "rev": "479ca480bf531285e88006aa1c70fd3bb5529f3d",

     

       1101
       1101
       +
               "rev": "10d2aa53ada9b14f6df2f9877d6a057f0a2b262f",

     

       1077
       1102
        
               "type": "github"

     

       1078
       1103
        
             },

     

       1079
       1104
        
             "original": {

+15 -12

flake.nix

···

       2
       2
        
         description = "NixOS and Home Manager configuration for Milo's laptops";

     

       3
       3
        
       

     

       4
       4
        
         inputs = {

     

       5
       5
       -
           nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";

     

       5
       5
       +
           nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";

     

       6
       6
        
           unixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";

     

       7
       7
        
       

     

       8
       8
       -
           home-manager.url = "github:nix-community/home-manager/release-25.05";

     

       8
       8
       +
           home-manager.url = "github:nix-community/home-manager/release-25.11";

     

       9
       9
        
           home-manager.inputs.nixpkgs.follows = "nixpkgs";

     

       10
       10
        
       

     

       11
       11
       -
           nix-darwin.url = "github:LnL7/nix-darwin/nix-darwin-25.05";

     

       11
       11
       +
           nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";

     

       12
       12
        
           nix-darwin.inputs.nixpkgs.follows = "nixpkgs";

     

       13
       13
        
       

     

       14
       14
       -
           stylix.url = "github:nix-community/stylix/release-25.05";

     

       14
       14
       +
           stylix.url = "github:nix-community/stylix/release-25.11";

     

       15
       15
        
           stylix.inputs.nixpkgs.follows = "nixpkgs";

     

       16
       16
        
       

     

       17
       17
        
           ## Miscellaneous

     

       18
       18
        
       

     

       19
       19
       -
           agenix.url = "github:ryantm/agenix/0.15.0";

     

       19
       19
       +
           agenix.url = "github:ryantm/agenix";

     

       20
       20
        
           agenix.inputs.nixpkgs.follows = "nixpkgs";

     

       21
       21
        
           agenix.inputs.home-manager.follows = "home-manager";

     

       22
       22
        
       

     

       23
       23
       -
           disko.url = "github:nix-community/disko/v1.11.0";

     

       23
       23
       +
           disko.url = "github:nix-community/disko";

     

       24
       24
        
           disko.inputs.nixpkgs.follows = "nixpkgs";

     

       25
       25
        
       

     

       26
       26
        
           nixos-hardware.url = "github:nixos/nixos-hardware";

     

       27
       27
        
       

     

       28
       28
       -
           lanzaboote.url = "github:nix-community/lanzaboote/v0.4.3";

     

       28
       28
       +
           lanzaboote.url = "github:nix-community/lanzaboote";

     

       29
       29
        
           lanzaboote.inputs.nixpkgs.follows = "unixpkgs";

     

       30
       30
        
       

     

       31
       31
        
           srvos.url = "github:nix-community/srvos";

     
···

       39
       39
        
           hypixel-bank-tracker.url = "github:pixilie/hypixel-bank-tracker";

     

       40
       40
        
           hypixel-bank-tracker.inputs.nixpkgs.follows = "nixpkgs";

     

       41
       41
        
       

     

       42
       42
       -
           tangled.url = "git+https://tangled.org/@tangled.org/core";

     

       42
       42
       +
           nix-alien.url = "github:thiagokokada/nix-alien";

     

       43
       43
       +
           nix-alien.inputs.nixpkgs.follows = "nixpkgs";

     

       44
       44
       +
       

     

       45
       45
       +
           tangled.url = "git+https://tangled.org/tangled.org/core";

     

       43
       46
        
           tangled.inputs.nixpkgs.follows = "unixpkgs";

     

       44
       47
        
       

     

       45
       48
        
           wakatime-ls.url = "github:mrnossiom/wakatime-ls";

     
···

       56
       59
        
             inherit (flake-lib) forAllSystems;

     

       57
       60
        
       

     

       58
       61
        
             flake-lib = import ./lib/flake (nixpkgs // { inherit self; });

     

       59
       59
       -
       

     

       60
       60
       -
             forAllPkgs = func: forAllSystems (system: func pkgs.${system});

     

       61
       62
        
       

     

       62
       63
        
             # This should be the only constructed nixpkgs instances in this flake

     

       63
       63
       -
             pkgs = forAllSystems (system: (import nixpkgs {

     

       64
       64
       +
             allPkgs = forAllSystems (system: (import nixpkgs {

     

       64
       65
        
               inherit system;

     

       65
       66
        
               config.allowUnfreePredicate = import ./lib/unfree.nix { lib = nixpkgs.lib; };

     

       66
       67
        
               overlays = [ outputs.overlays.all ];

     

       67
       68
        
             }));

     

       69
       69
       +
       

     

       70
       70
       +
             forAllPkgs = func: forAllSystems (system: func allPkgs.${system});

     

       68
       71
        
           in

     

       69
       72
        
           {

     

       70
       73
        
             formatter = forAllPkgs (pkgs: pkgs.nixpkgs-fmt);

     
···

       73
       76
        
             lib = forAllPkgs (import ./lib);

     

       74
       77
        
             templates = import ./templates;

     

       75
       78
        
       

     

       76
       76
       -
             apps = forAllPkgs (import ./apps { pkgs-per-system = pkgs; });

     

       79
       79
       +
             apps = forAllPkgs (import ./apps { pkgs-per-system = allPkgs; });

     

       77
       80
        
             devShells = forAllPkgs (import ./shells.nix);

     

       78
       81
        
             overlays = import ./overlays (nixpkgs // { inherit self; });

     

       79
       82
        
             packages = forAllPkgs (import ./pkgs);

home-manager/fragments/firefox.nix

···

       84
       84
        
             enable = false;

     

       85
       85
        
             profileNames = [ "default" ];

     

       86
       86
        
           };

     

       87
       87
       +
           stylix.targets.zen-browser = {

     

       88
       88
       +
             enable = false;

     

       89
       89
       +
             profileNames = [ "default" ];

     

       90
       90
       +
           };

     

       87
       91
        
       

     

       88
       92
        
           programs.zen-browser = {

     

       89
       93
        
             enable = true;

+57 -53

home-manager/fragments/git.nix

···

       15
       15
        
         '';

     

       16
       16
        
       

     

       17
       17
        
         config = lib.mkIf cfg.enable {

     

       18
       18
       -
           assertions = [

     

       19
       19
       -
             { assertion = config.local.fragment.agenix.enable; message = "`git` fragment depends on `agenix` fragment"; }

     

       20
       20
       -
           ];

     

       21
       21
       -
       

     

       22
       18
        
           home.sessionVariables = {

     

       23
       19
        
             # Disable annoying warning message

     

       24
       20
        
             GIT_DISCOVERY_ACROSS_FILESYSTEM = 0;

     
···

       28
       24
        
             enable = true;

     

       29
       25
        
             lfs.enable = true;

     

       30
       26
        
       

     

       31
       31
       -
             userName = "Milo Moisson";

     

       32
       32
       -
             # TODO: this email should be behind a secret or at least a config

     

       33
       33
       -
             userEmail = "milo@wiro.world";

     

       34
       34
       -
       

     

       35
       27
        
             signing.signByDefault = true;

     

       36
       28
        
             signing.key = "~/.ssh/id_ed25519.pub";

     

       37
       29
        
       

     
···

       43
       35
        
               "result"

     

       44
       36
        
             ];

     

       45
       37
        
       

     

       46
       46
       -
             aliases = {

     

       47
       47
       -
               b = "branch --all";

     

       48
       48
       -
               brm = "branch --delete";

     

       38
       38
       +
             settings = {

     

       39
       39
       +
               user = {

     

       40
       40
       +
                 name = "Milo Moisson";

     

       41
       41
       +
                 # TODO: this email should be behind a secret or at least a config

     

       42
       42
       +
                 email = "milo@wiro.world";

     

       43
       43
       +
               };

     

       49
       44
        
       

     

       50
       50
       -
               ll = "log --graph --oneline --pretty=custom";

     

       51
       51
       -
               lla = "log --graph --oneline --pretty=custom --all";

     

       52
       52
       -
               last = "log -1 HEAD --stat";

     

       45
       45
       +
               alias = {

     

       46
       46
       +
                 b = "branch --all";

     

       47
       47
       +
                 brm = "branch --delete";

     

       53
       48
        
       

     

       54
       54
       -
               st = "status --short --branch";

     

       49
       49
       +
                 ll = "log --graph --oneline --pretty=custom";

     

       50
       50
       +
                 lla = "log --graph --oneline --pretty=custom --all";

     

       51
       51
       +
                 last = "log -1 HEAD --stat";

     

       55
       52
        
       

     

       56
       56
       -
               cm = "commit --message";

     

       57
       57
       -
               oups = "commit --amend";

     

       53
       53
       +
                 st = "status --short --branch";

     

       58
       54
        
       

     

       59
       59
       -
               ui = "!lazygit";

     

       55
       55
       +
                 cm = "commit --message";

     

       56
       56
       +
                 oups = "commit --amend";

     

       60
       57
        
       

     

       61
       61
       -
               rv = "remote --verbose";

     

       58
       58
       +
                 ui = "!lazygit";

     

       62
       59
        
       

     

       63
       63
       -
               ri = "rebase --interactive";

     

       64
       64
       -
               ris = "!git ri $(git slc)";

     

       65
       65
       -
               rc = "rebase --continue";

     

       66
       66
       -
               rs = "rebase --skip";

     

       67
       67
       -
               ra = "rebase --abort";

     

       60
       60
       +
                 rv = "remote --verbose";

     

       68
       61
        
       

     

       69
       69
       -
               # Select commit

     

       70
       70
       -
               slc = "!git log --oneline --pretty=custom | fzf | awk '{printf $1}'";

     

       62
       62
       +
                 ri = "rebase --interactive";

     

       63
       63
       +
                 ris = "!git ri $(git slc)";

     

       64
       64
       +
                 rc = "rebase --continue";

     

       65
       65
       +
                 rs = "rebase --skip";

     

       66
       66
       +
                 ra = "rebase --abort";

     

       71
       67
        
       

     

       72
       72
       -
               a = "add";

     

       73
       73
       -
               al = "add --all";

     

       74
       74
       -
               ac = "add .";

     

       75
       75
       -
               ap = "add --patch";

     

       68
       68
       +
                 # Select commit

     

       69
       69
       +
                 slc = "!git log --oneline --pretty=custom | fzf | awk '{printf $1}'";

     

       76
       70
        
       

     

       77
       77
       -
               pu = "push";

     

       78
       78
       -
               put = "push --follow-tags";

     

       79
       79
       -
               puf = "push --force-with-lease";

     

       80
       80
       -
               pl = "pull";

     

       71
       71
       +
                 a = "add";

     

       72
       72
       +
                 al = "add --all";

     

       73
       73
       +
                 ac = "add .";

     

       74
       74
       +
                 ap = "add --patch";

     

       81
       75
        
       

     

       82
       82
       -
               f = "fetch";

     

       76
       76
       +
                 pu = "push";

     

       77
       77
       +
                 put = "push --follow-tags";

     

       78
       78
       +
                 puf = "push --force-with-lease";

     

       79
       79
       +
                 pl = "pull";

     

       83
       80
        
       

     

       84
       84
       -
               s = "switch";

     

       85
       85
       -
               sc = "switch --create";

     

       81
       81
       +
                 f = "fetch";

     

       86
       82
        
       

     

       87
       87
       -
               ck = "checkout";

     

       83
       83
       +
                 s = "switch";

     

       84
       84
       +
                 sc = "switch --create";

     

       88
       85
        
       

     

       89
       89
       -
               cp = "cherry-pick";

     

       86
       86
       +
                 ck = "checkout";

     

       90
       87
        
       

     

       91
       91
       -
               df = "diff";

     

       92
       92
       -
               dfs = "diff --staged";

     

       93
       93
       -
               dfc = "diff --cached";

     

       88
       88
       +
                 cp = "cherry-pick";

     

       89
       89
       +
       

     

       90
       90
       +
                 df = "diff";

     

       91
       91
       +
                 dfs = "diff --staged";

     

       92
       92
       +
                 dfc = "diff --cached";

     

       94
       93
        
       

     

       95
       95
       -
               m = "merge";

     

       94
       94
       +
                 m = "merge";

     

       96
       95
        
       

     

       97
       97
       -
               rms = "restore --staged";

     

       98
       98
       -
               res = "restore";

     

       96
       96
       +
                 rms = "restore --staged";

     

       97
       97
       +
                 res = "restore";

     

       99
       98
        
       

     

       100
       100
       -
               sh = "stash";

     

       101
       101
       -
               shl = "stash list";

     

       102
       102
       -
               sha = "stash apply";

     

       103
       103
       -
               shp = "stash pop";

     

       104
       104
       -
             };

     

       99
       99
       +
                 sh = "stash";

     

       100
       100
       +
                 shl = "stash list";

     

       101
       101
       +
                 sha = "stash apply";

     

       102
       102
       +
                 shp = "stash pop";

     

       103
       103
       +
               };

     

       105
       104
        
       

     

       106
       106
       -
             extraConfig = {

     

       107
       105
        
               fetch.prune = true;

     

       108
       106
        
               color.ui = true;

     

       109
       107
        
               init.defaultBranch = "main";

     
···

       131
       129
        
               "credentials \"https://github.com\"".helper = "!${lib.getExe pkgs.gh} auth git-credential";

     

       132
       130
        
       

     

       133
       131
        
               # TODO: change to $PROJECTS env var?

     

       134
       134
       -
               leaveTool.defaultFolder = "~/Development";

     

       132
       132
       +
               leaveTool = {

     

       133
       133
       +
                 defaultFolder = "${config.home.homeDirectory}/Development";

     

       134
       134
       +
                 checks = [ "dirty" "ahead-branches" ];

     

       135
       135
       +
               };

     

       135
       136
        
             };

     

       136
       137
        
           };

     

       137
       138
        
       

     
···

       158
       159
        
                 showCommandLog = false;

     

       159
       160
        
                 border = "single";

     

       160
       161
        
               };

     

       162
       162
       +
       

     

       161
       163
        
               git = {

     

       162
       162
       -
                 paging.externalDiffCommand = "difft --color=always";

     

       164
       164
       +
                 pagers = [

     

       165
       165
       +
                   { externalDiffCommand = "difft --color=always"; }

     

       166
       166
       +
                 ];

     

       163
       167
        
               };

     

       164
       168
        
       

     

       165
       169
        
               # to be declarative or not to be declarative?

-1

home-manager/fragments/helix.nix

···

       93
       93
        
             };

     

       94
       94
        
       

     

       95
       95
        
             extraPackages = with pkgs; [

     

       96
       96
       -
               ansible-language-server

     

       97
       96
        
               clang-tools

     

       98
       97
        
               gopls

     

       99
       98
        
               kotlin-language-server

+2 -2

home-manager/fragments/jujutsu.nix

···

       29
       29
        
               signing = {

     

       30
       30
        
                 behavior = "own";

     

       31
       31
        
                 backend = "ssh";

     

       32
       32
       -
                 key = keys.milomoisson;

     

       33
       33
       -
       

     

       32
       32
       +
                 key = keys.milo-ed25519;

     

       34
       33
        
                 git.sign-on-push = true;

     

       35
       34
        
               };

     

       36
       35
        
       

     
···

       63
       62
        
       

     

       64
       63
        
               templates = {

     

       65
       64
        
                 log = "custom_log_compact";

     

       65
       65
       +
                 git_push_bookmark = ''"push-" ++ change_id.short()'';

     

       66
       66
        
               };

     

       67
       67
        
       

     

       68
       68
        
               ui = {

+18 -14

home-manager/fragments/shell.nix

···

       1
       1
        
       { config

     

       2
       2
        
       , lib

     

       3
       3
        
       , pkgs

     

       4
       4
       +
       , upkgs

     

       4
       5
        
       , lpkgs

     

       5
       6
        
       

     

       6
       7
        
       , isDarwin

     
···

       28
       29
        
               git_status.disabled = true;

     

       29
       30
        
       

     

       30
       31
        
               nix_shell = {

     

       31
       31
       -
                 format = "via [$symbol$state]($style) "; # Remove nix shell name

     

       32
       32
       +
                  # remove nix shell name

     

       33
       33
       +
                 format = "via [$symbol]($style)";

     

       32
       34
        
                 symbol = " ";

     

       33
       35
        
               };

     

       34
       36
        
             };

     
···

       37
       39
        
           programs.direnv = {

     

       38
       40
        
             enable = true;

     

       39
       41
        
             silent = true;

     

       42
       42
       +
       

     

       40
       43
        
             nix-direnv.enable = true;

     

       41
       41
       -
           };

     

       42
       44
        
       

     

       43
       43
       -
           programs.nushell = {

     

       44
       44
       -
             enable = true;

     

       45
       45
       -
       

     

       46
       46
       -
             extraConfig = ''

     

       47
       47
       -
               $env.config = {

     

       48
       48
       -
                 show_banner: false,

     

       49
       49
       -
               }

     

       45
       45
       +
             stdlib = ''

     

       46
       46
       +
               use angrr

     

       50
       47
        
             '';

     

       51
       48
        
           };

     

       49
       49
       +
           # TODO: depend on osConfig

     

       50
       50
       +
           xdg.configFile."direnv/lib/angrr.sh".text = ''

     

       51
       51
       +
             use_angrr() {

     

       52
       52
       +
               layout_dir="$(direnv_layout_dir)"

     

       53
       53
       +
               log_status "angrr: touch GC roots $layout_dir"

     

       54
       54
       +
               RUST_LOG="''${ANGRR_DIRENV_LOG:-angrr=error}" ${lib.getExe upkgs.angrr} touch "$layout_dir" --silent

     

       55
       55
       +
             }

     

       56
       56
       +
           '';

     

       52
       57
        
       

     

       53
       58
        
           programs.zoxide = {

     

       54
       59
        
             enable = true;

     
···

       70
       75
        
               # This is also a more pure version than using `__fish_ls_*` variables

     

       71
       76
        
               # that depends on fish internal ls wrappers and can be overridden by

     

       72
       77
        
               # bad configuration. (e.g. NixOS `environment.shellAliases` default)

     

       73
       73
       -
               ls = "${lib.getExe pkgs.eza} --color=auto --icons=auto --hyperlink";

     

       78
       78
       +
               ls = "${lib.getExe upkgs.lsr}";

     

       74
       79
        
       

     

       75
       80
        
               pasters = "${lib.getExe pkgs.curl} --data-binary @- https://paste.rs/";

     

       76
       81
        
       

     
···

       95
       100
        
               tp = "trash-put";

     

       96
       101
        
       

     

       97
       102
        
               # Listing utilities

     

       98
       98
       -
               l = "ls -aF";

     

       99
       99
       -
               ll = "ls -lhaF";

     

       100
       100
       -
               tree = "ls -T";

     

       103
       103
       +
               l = "ls -A1";

     

       104
       104
       +
               ll = "ls -Al";

     

       101
       105
        
       

     

       102
       106
        
               # Nix-related

     

       103
       107
        
               ur = " unlink result";

     
···

       147
       151
        
               '';

     

       148
       152
        
       

     

       149
       153
        
               # Quickly explore a derivation (using registry syntax)

     

       150
       150
       -
               # e.g. `cdd nixpkgs#fontforge` or `cdd unixpkgs#fontforge` 

     

       154
       154
       +
               # e.g. `cdd nixpkgs#fontforge` or `cdd unixpkgs#fontforge`

     

       151
       155
        
               cdd = "cd (nix build --no-link --print-out-paths $argv | ${lib.getExe pkgs.fzf})";

     

       152
       156
        
             } // lib.optionalAttrs (!flags.onlyCached) {

     

       153
       157
        
               # Quickly get outta here to test something

+5 -1

home-manager/fragments/stylix.nix

···

       11
       11
        
         cfg = config.local.fragment.stylix;

     

       12
       12
        
       in

     

       13
       13
        
       {

     

       14
       14
       -
         imports = [ stylix.homeModules.stylix ];

     

       14
       14
       +
         imports = [

     

       15
       15
       +
           stylix.homeModules.stylix

     

       16
       16
       +
           # issues a warning because we use `useGlobalPkgs`

     

       17
       17
       +
           { config.stylix.overlays.enable = false; }

     

       18
       18
       +
         ];

     

       15
       19
        
       

     

       16
       20
        
         options.local.fragment.stylix.enable = lib.mkEnableOption ''

     

       17
       21
        
           Stylix related

+9 -8

home-manager/fragments/sway.nix

···

       1
       1
       -
       { self

     

       2
       2
       -
       , config

     

       1
       1
       +
       { config

     

       3
       2
        
       , lib

     

       4
       3
        
       , pkgs

     

       5
       4
        
       

     
···

       8
       7
        
       }:

     

       9
       8
        
       

     

       10
       9
        
       let

     

       11
       11
       -
         inherit (self.outputs) homeManagerModules;

     

       12
       12
       -
       

     

       13
       10
        
         cfg = config.local.fragment.sway;

     

       14
       11
        
         cfg-sway = config.wayland.windowManager.sway.config;

     

       15
       12
        
       

     

       16
       13
        
         workspacesRange = lib.zipListsWith (key-idx: workspace-idx: { inherit key-idx workspace-idx; }) [ 1 2 3 4 5 6 7 8 9 0 ] (lib.range 1 10);

     

       17
       14
        
       in

     

       18
       15
        
       {

     

       19
       19
       -
         imports = [

     

       20
       20
       -
           homeManagerModules.wl-clip-persist

     

       21
       21
       -
         ];

     

       22
       22
       -
       

     

       23
       16
        
         options.local.fragment.sway.enable = lib.mkEnableOption ''

     

       24
       17
        
           Sway related

     

       25
       18
        
         '';

     
···

       171
       164
        
                   repeat_rate = toString 30;

     

       172
       165
        
                 };

     

       173
       166
        
       

     

       167
       167
       +
                 "type:touchpad" = {

     

       168
       168
       +
                   dwt = "enabled";

     

       169
       169
       +
                   tap = "enabled";

     

       170
       170
       +
                   tap_button_map = "lrm";

     

       171
       171
       +
                 };

     

       172
       172
       +
       

     

       174
       173
        
                 # Split keyboard also acts as a mouse

     

       175
       174
        
                 # "type:touchpad" = { events = "disabled_on_external_mouse"; };

     

       176
       175
        
       

     
···

       219
       218
        
       

     

       220
       219
        
                         rm $tmpimg

     

       221
       220
        
                       ''}";

     

       221
       221
       +
       

     

       222
       222
       +
                       "${modifier}+t" = ''input "type:touch" events toggle'';

     

       222
       223
        
       

     

       223
       224
        
                       "${modifier}+${cfg-sway.left}" = "focus left";

     

       224
       225
        
                       "${modifier}+${cfg-sway.down}" = "focus down";

+3 -2

home-manager/fragments/tools.nix

···

       29
       29
        
             csvlens

     

       30
       30
        
             delta

     

       31
       31
        
             dogdns

     

       32
       32
       -
             du-dust

     

       32
       32
       +
             dust

     

       33
       33
        
             encfs

     

       34
       34
        
             fastfetch

     

       35
       35
        
             fd

     

       36
       36
        
             ffmpeg

     

       37
       37
        
             file

     

       38
       38
        
             fzf

     

       39
       39
       +
             gemini-cli

     

       39
       40
        
             inetutils

     

       40
       41
        
             jq

     

       41
       42
        
             just

     
···

       47
       48
        
             otree

     

       48
       49
        
             ouch

     

       49
       50
        
             parallel

     

       51
       51
       +
             perf

     

       50
       52
        
             pv

     

       51
       53
        
             restic

     

       52
       54
        
             ripgrep

     
···

       60
       62
        
             uni

     

       61
       63
        
             unzip

     

       62
       64
        
             vlock

     

       63
       63
       -
             wcurl

     

       64
       65
        
             wormhole-rs

     

       65
       66
        
           ]) ++ lib.optionals (!flags.onlyCached) [ ];

     

       66
       67

+1 -1

home-manager/fragments/waybar.nix

···

       232
       232
        
               .modules-right widget .module {

     

       233
       233
        
                 padding: 0 1rem;

     

       234
       234
        
       

     

       235
       235
       -
                 color: @base07; 

     

       235
       235
       +
                 color: @base07;

     

       236
       236
        
               }

     

       237
       237
        
       

     

       238
       238
        
               /* Round first and last child of left, right and center modules. Disable rounding on the sides*/

home-manager/fragments/xdg-mime.nix

···

       24
       24
        
             { assertion = lib.lists.count (drv: (drv.pname or "") == pkgs.nautilus.pname) config.home.packages > 0; message = "`xdg-mime` fragment depends on `nautilus` program"; }

     

       25
       25
        
           ];

     

       26
       26
        
       

     

       27
       27
       +
           xdg.enable = true;

     

       28
       28
       +
       

     

       27
       29
        
           xdg.mimeApps = {

     

       28
       30
        
             enable = true;

     

       29
       31

+6 -1

home-manager/profiles/desktop.nix

···

       95
       95
        
               transmission_4-gtk

     

       96
       96
        
               wdisplays

     

       97
       97
        
               wireshark

     

       98
       98
       +
               zulip

     

       98
       99
        
       

     

       99
       100
        
               # Needed for libreoffice spellchecking

     

       100
       101
        
               hunspell

     
···

       124
       125
        
       

     

       125
       126
        
           programs.go = {

     

       126
       127
        
             enable = true;

     

       127
       127
       -
             goPath = ".local/share/go";

     

       128
       128
       +
             env.GOPATH = "${config.home.homeDirectory}/.local/share/go";

     

       128
       129
        
           };

     

       129
       130
        
       

     

       130
       131
        
           programs.gpg = {

     
···

       138
       139
        
             enableFishIntegration = false;

     

       139
       140
        
             enableZshIntegration = false;

     

       140
       141
        
           };

     

       142
       142
       +
       

     

       143
       143
       +
           programs.ssh.enableDefaultConfig = false;

     

       144
       144
       +
       

     

       145
       145
       +
           services.tailscale-systray.enable = true;

     

       141
       146
        
         };

     

       142
       147
        
       }

+163

hosts/weird-row-server/authelia.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         authelia-port = 3008;

     

       7
       7
       +
         authelia-hostname = "auth.wiro.world";

     

       8
       8
       +
       

     

       9
       9
       +
         authelia-metrics-port = 9004;

     

       10
       10
       +
         headscale-hostname = "headscale.wiro.world";

     

       11
       11
       +
         grafana-hostname = "console.net.wiro.world";

     

       12
       12
       +
         miniflux-hostname = "news.wiro.world";

     

       13
       13
       +
       in

     

       14
       14
       +
       {

     

       15
       15
       +
         config = {

     

       16
       16
       +
           age.secrets.authelia-jwt-secret = { file = secrets/authelia-jwt-secret.age; owner = config.services.authelia.instances.main.user; };

     

       17
       17
       +
           age.secrets.authelia-issuer-private-key = { file = secrets/authelia-issuer-private-key.age; owner = config.services.authelia.instances.main.user; };

     

       18
       18
       +
           age.secrets.authelia-storage-key = { file = secrets/authelia-storage-key.age; owner = config.services.authelia.instances.main.user; };

     

       19
       19
       +
           age.secrets.authelia-ldap-password = { file = secrets/authelia-ldap-password.age; owner = config.services.authelia.instances.main.user; };

     

       20
       20
       +
           age.secrets.authelia-smtp-password = { file = secrets/authelia-smtp-password.age; owner = config.services.authelia.instances.main.user; };

     

       21
       21
       +
           services.authelia.instances.main = {

     

       22
       22
       +
             enable = true;

     

       23
       23
       +
       

     

       24
       24
       +
             secrets = {

     

       25
       25
       +
               jwtSecretFile = config.age.secrets.authelia-jwt-secret.path;

     

       26
       26
       +
               oidcIssuerPrivateKeyFile = config.age.secrets.authelia-issuer-private-key.path;

     

       27
       27
       +
               storageEncryptionKeyFile = config.age.secrets.authelia-storage-key.path;

     

       28
       28
       +
             };

     

       29
       29
       +
             environmentVariables = {

     

       30
       30
       +
               AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-ldap-password.path;

     

       31
       31
       +
               AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;

     

       32
       32
       +
             };

     

       33
       33
       +
             settings = {

     

       34
       34
       +
               server.address = "localhost:${toString authelia-port}";

     

       35
       35
       +
               storage.local.path = "/var/lib/authelia-main/db.sqlite3";

     

       36
       36
       +
               telemetry.metrics = {

     

       37
       37
       +
                 enabled = true;

     

       38
       38
       +
                 address = "tcp://:${toString authelia-metrics-port}/metrics";

     

       39
       39
       +
               };

     

       40
       40
       +
       

     

       41
       41
       +
               session = {

     

       42
       42
       +
                 cookies = [{

     

       43
       43
       +
                   domain = "wiro.world";

     

       44
       44
       +
                   authelia_url = "https://${authelia-hostname}";

     

       45
       45
       +
                   default_redirection_url = "https://wiro.world";

     

       46
       46
       +
                 }];

     

       47
       47
       +
               };

     

       48
       48
       +
       

     

       49
       49
       +
               authentication_backend.ldap = {

     

       50
       50
       +
                 address = "ldap://localhost:3890";

     

       51
       51
       +
                 timeout = "5m"; # replace with systemd dependency

     

       52
       52
       +
       

     

       53
       53
       +
                 user = "uid=authelia,ou=people,dc=wiro,dc=world";

     

       54
       54
       +
                 # Set in `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`.

     

       55
       55
       +
                 # password = "";

     

       56
       56
       +
       

     

       57
       57
       +
                 base_dn = "dc=wiro,dc=world";

     

       58
       58
       +
                 users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";

     

       59
       59
       +
                 additional_users_dn = "ou=people";

     

       60
       60
       +
                 groups_filter = "(&(member={dn})(objectClass=groupOfNames))";

     

       61
       61
       +
                 additional_groups_dn = "ou=groups";

     

       62
       62
       +
       

     

       63
       63
       +
                 attributes = {

     

       64
       64
       +
                   username = "uid";

     

       65
       65
       +
                   display_name = "cn";

     

       66
       66
       +
                   given_name = "givenname";

     

       67
       67
       +
                   family_name = "last_name";

     

       68
       68
       +
                   mail = "mail";

     

       69
       69
       +
                   picture = "avatar";

     

       70
       70
       +
       

     

       71
       71
       +
                   group_name = "cn";

     

       72
       72
       +
                 };

     

       73
       73
       +
               };

     

       74
       74
       +
       

     

       75
       75
       +
               access_control = {

     

       76
       76
       +
                 default_policy = "deny";

     

       77
       77
       +
                 # Rules are sequential and do not apply to OIDC

     

       78
       78
       +
                 rules = [

     

       79
       79
       +
                   {

     

       80
       80
       +
                     domain = "headscale.wiro.world";

     

       81
       81
       +
                     policy = "two_factor";

     

       82
       82
       +
       

     

       83
       83
       +
                   }

     

       84
       84
       +
                   {

     

       85
       85
       +
                     domain = "news.wiro.world";

     

       86
       86
       +
                     policy = "one_factor";

     

       87
       87
       +
       

     

       88
       88
       +
                     subject = [ [ "group:miniflux" "oauth2:client:miniflux" ] ];

     

       89
       89
       +
                   }

     

       90
       90
       +
                   {

     

       91
       91
       +
                     domain = "*.wiro.world";

     

       92
       92
       +
                     policy = "two_factor";

     

       93
       93
       +
                   }

     

       94
       94
       +
                 ];

     

       95
       95
       +
               };

     

       96
       96
       +
       

     

       97
       97
       +
               identity_providers.oidc = {

     

       98
       98
       +
                 enforce_pkce = "always";

     

       99
       99
       +
       

     

       100
       100
       +
                 authorization_policies =

     

       101
       101
       +
                   let

     

       102
       102
       +
                     mkStrictPolicy = policy: subject:

     

       103
       103
       +
                       { default_policy = "deny"; rules = [{ inherit policy subject; }]; };

     

       104
       104
       +
                   in

     

       105
       105
       +
                   {

     

       106
       106
       +
                     headscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       107
       107
       +
                     tailscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       108
       108
       +
                     grafana = mkStrictPolicy "one_factor" [ "group:grafana" ];

     

       109
       109
       +
                     miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];

     

       110
       110
       +
                   };

     

       111
       111
       +
       

     

       112
       112
       +
                 claims_policies.headscale = { id_token = [ "email" "name" "preferred_username" "picture" "groups" ]; };

     

       113
       113
       +
       

     

       114
       114
       +
                 clients = [

     

       115
       115
       +
                   {

     

       116
       116
       +
                     client_name = "Headscale";

     

       117
       117
       +
                     client_id = "headscale";

     

       118
       118
       +
                     client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";

     

       119
       119
       +
                     redirect_uris = [ "https://${headscale-hostname}/oidc/callback" ];

     

       120
       120
       +
                     authorization_policy = "headscale";

     

       121
       121
       +
                     claims_policy = "headscale";

     

       122
       122
       +
                   }

     

       123
       123
       +
                   {

     

       124
       124
       +
                     client_name = "Tailscale";

     

       125
       125
       +
                     client_id = "tailscale";

     

       126
       126
       +
                     client_secret = "$pbkdf2-sha256$310000$PcUaup9aWKI9ZLeCF6.avw$FpsTxkDaxcoQlBi8aIacegXpjEDiCI6nXcaHyZ2Sxyc";

     

       127
       127
       +
                     redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];

     

       128
       128
       +
                     authorization_policy = "tailscale";

     

       129
       129
       +
                   }

     

       130
       130
       +
                   {

     

       131
       131
       +
                     client_name = "Grafana Console";

     

       132
       132
       +
                     client_id = "grafana";

     

       133
       133
       +
                     client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";

     

       134
       134
       +
                     redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];

     

       135
       135
       +
                     authorization_policy = "grafana";

     

       136
       136
       +
                   }

     

       137
       137
       +
                   {

     

       138
       138
       +
                     client_name = "Miniflux";

     

       139
       139
       +
                     client_id = "miniflux";

     

       140
       140
       +
                     client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";

     

       141
       141
       +
                     redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];

     

       142
       142
       +
                     authorization_policy = "miniflux";

     

       143
       143
       +
                   }

     

       144
       144
       +
                 ];

     

       145
       145
       +
               };

     

       146
       146
       +
       

     

       147
       147
       +
               notifier.smtp = {

     

       148
       148
       +
                 address = "smtp://smtp.resend.com:2587";

     

       149
       149
       +
                 username = "resend";

     

       150
       150
       +
                 # Set in `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE`.

     

       151
       151
       +
                 # password = "";

     

       152
       152
       +
                 sender = "authelia@wiro.world";

     

       153
       153
       +
               };

     

       154
       154
       +
             };

     

       155
       155
       +
           };

     

       156
       156
       +
       

     

       157
       157
       +
           services.caddy = {

     

       158
       158
       +
             virtualHosts.${authelia-hostname}.extraConfig = ''

     

       159
       159
       +
               reverse_proxy http://localhost:${toString authelia-port}

     

       160
       160
       +
             '';

     

       161
       161
       +
           };

     

       162
       162
       +
         };

     

       163
       163
       +
       }

+143

hosts/weird-row-server/default.nix

···

       1
       1
       +
       { self

     

       2
       2
       +
       , config

     

       3
       3
       +
       , pkgs

     

       4
       4
       +
       , ...

     

       5
       5
       +
       }:

     

       6
       6
       +
       

     

       7
       7
       +
       let

     

       8
       8
       +
         inherit (self.inputs) srvos;

     

       9
       9
       +
       

     

       10
       10
       +
         ext-if = "eth0";

     

       11
       11
       +
         external-ip = "91.99.55.74";

     

       12
       12
       +
         external-netmask = 27;

     

       13
       13
       +
         external-gw = "144.x.x.255";

     

       14
       14
       +
         external-ip6 = "2a01:4f8:c2c:76d2::1";

     

       15
       15
       +
         external-netmask6 = 64;

     

       16
       16
       +
         external-gw6 = "fe80::1";

     

       17
       17
       +
       

     

       18
       18
       +
         website-hostname = "wiro.world";

     

       19
       19
       +
       

     

       20
       20
       +
         static-hostname = "static.wiro.world";

     

       21
       21
       +
       in

     

       22
       22
       +
       {

     

       23
       23
       +
         imports = [

     

       24
       24
       +
           srvos.nixosModules.server

     

       25
       25
       +
           srvos.nixosModules.hardware-hetzner-cloud

     

       26
       26
       +
           srvos.nixosModules.mixins-terminfo

     

       27
       27
       +
       

     

       28
       28
       +
           ./authelia.nix

     

       29
       29
       +
           ./goatcounter.nix

     

       30
       30
       +
           ./grafana.nix

     

       31
       31
       +
           ./headscale.nix

     

       32
       32
       +
           ./hypixel-bank-tracker.nix

     

       33
       33
       +
           ./lldap.nix

     

       34
       34
       +
           ./miniflux.nix

     

       35
       35
       +
           ./pds.nix

     

       36
       36
       +
           ./tangled.nix

     

       37
       37
       +
           ./thelounge.nix

     

       38
       38
       +
           ./tuwunel.nix

     

       39
       39
       +
           ./vaultwarden.nix

     

       40
       40
       +
           ./warrior.nix

     

       41
       41
       +
           ./webfinger.nix

     

       42
       42
       +
         ];

     

       43
       43
       +
       

     

       44
       44
       +
         config = {

     

       45
       45
       +
           boot.loader.grub.enable = true;

     

       46
       46
       +
           boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "ext4" ];

     

       47
       47
       +
       

     

       48
       48
       +
           # Single network card is `eth0`

     

       49
       49
       +
           networking.usePredictableInterfaceNames = false;

     

       50
       50
       +
       

     

       51
       51
       +
           networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ];

     

       52
       52
       +
       

     

       53
       53
       +
           networking = {

     

       54
       54
       +
             interfaces.${ext-if} = {

     

       55
       55
       +
               ipv4.addresses = [{ address = external-ip; prefixLength = external-netmask; }];

     

       56
       56
       +
               ipv6.addresses = [{ address = external-ip6; prefixLength = external-netmask6; }];

     

       57
       57
       +
             };

     

       58
       58
       +
             defaultGateway = { interface = ext-if; address = external-gw; };

     

       59
       59
       +
             defaultGateway6 = { interface = ext-if; address = external-gw6; };

     

       60
       60
       +
       

     

       61
       61
       +
             # Reflect firewall configuration on Hetzner

     

       62
       62
       +
             firewall.allowedTCPPorts = [ 22 80 443 ];

     

       63
       63
       +
           };

     

       64
       64
       +
       

     

       65
       65
       +
           services.qemuGuest.enable = true;

     

       66
       66
       +
       

     

       67
       67
       +
           services.openssh.enable = true;

     

       68
       68
       +
       

     

       69
       69
       +
           # age.secrets.tailscale-authkey.file = secrets/tailscale-authkey.age;

     

       70
       70
       +
           services.tailscale = {

     

       71
       71
       +
             enable = true;

     

       72
       72
       +
             extraSetFlags = [ "--advertise-exit-node" ];

     

       73
       73
       +
             # authKeyFile = config.age.secrets.tailscale-authkey.path;

     

       74
       74
       +
             authKeyParameters = {

     

       75
       75
       +
               baseURL = "https://headscale.wiro.world";

     

       76
       76
       +
               ephemeral = true;

     

       77
       77
       +
               preauthorized = true;

     

       78
       78
       +
             };

     

       79
       79
       +
           };

     

       80
       80
       +
       

     

       81
       81
       +
           security.sudo.wheelNeedsPassword = false;

     

       82
       82
       +
       

     

       83
       83
       +
           local.fragment.nix.enable = true;

     

       84
       84
       +
       

     

       85
       85
       +
           programs.fish.enable = true;

     

       86
       86
       +
       

     

       87
       87
       +
           services.fail2ban = {

     

       88
       88
       +
             enable = true;

     

       89
       89
       +
       

     

       90
       90
       +
             maxretry = 5;

     

       91
       91
       +
             ignoreIP = [ ];

     

       92
       92
       +
       

     

       93
       93
       +
             bantime = "24h";

     

       94
       94
       +
             bantime-increment = {

     

       95
       95
       +
               enable = true;

     

       96
       96
       +
               multipliers = "1 2 4 8 16 32 64";

     

       97
       97
       +
               maxtime = "168h";

     

       98
       98
       +
               overalljails = true;

     

       99
       99
       +
             };

     

       100
       100
       +
       

     

       101
       101
       +
             jails = { };

     

       102
       102
       +
           };

     

       103
       103
       +
       

     

       104
       104
       +
           age.secrets.caddy-env.file = secrets/caddy-env.age;

     

       105
       105
       +
           services.caddy = {

     

       106
       106
       +
             enable = true;

     

       107
       107
       +
             package = pkgs.caddy.withPlugins {

     

       108
       108
       +
               plugins = [

     

       109
       109
       +
                 "github.com/caddy-dns/hetzner/v2@v2.0.0-preview-1"

     

       110
       110
       +
                 "github.com/tailscale/caddy-tailscale@v0.0.0-20251016213337-01d084e119cb"

     

       111
       111
       +
               ];

     

       112
       112
       +
               hash = "sha256-muKwDYs5Jp4ib/psZxpp1Kyfsqz6wPz/lpHFGtx67uY=";

     

       113
       113
       +
             };

     

       114
       114
       +
       

     

       115
       115
       +
             environmentFile = config.age.secrets.caddy-env.path;

     

       116
       116
       +
       

     

       117
       117
       +
             globalConfig = ''

     

       118
       118
       +
               tailscale {

     

       119
       119
       +
                 # this caddy instance already proxies headscale but needs to access headscale to start

     

       120
       120
       +
                 # control_url https://headscale.wiro.world

     

       121
       121
       +
                 control_url http://localhost:3006

     

       122
       122
       +
       

     

       123
       123
       +
                 ephemeral

     

       124
       124
       +
               }

     

       125
       125
       +
             '';

     

       126
       126
       +
       

     

       127
       127
       +
             virtualHosts.${website-hostname}.extraConfig =

     

       128
       128
       +
               # TODO: host website on server with automatic deployment

     

       129
       129
       +
               ''

     

       130
       130
       +
                 reverse_proxy https://mrnossiom.github.io {

     

       131
       131
       +
                 	header_up Host {http.request.host}

     

       132
       132
       +
                 }

     

       133
       133
       +
               '';

     

       134
       134
       +
       

     

       135
       135
       +
             virtualHosts.${static-hostname}.extraConfig = ''

     

       136
       136
       +
               root /var/www/static

     

       137
       137
       +
               file_server browse

     

       138
       138
       +
             '';

     

       139
       139
       +
           };

     

       140
       140
       +
       

     

       141
       141
       +
           # TODO: use bind to declare dns records declaratively

     

       142
       142
       +
         };

     

       143
       143
       +
       }

+25

hosts/weird-row-server/goatcounter.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         goatcounter-port = 3010;

     

       7
       7
       +
         goatcounter-hostname = "stats.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           services.goatcounter = {

     

       12
       12
       +
             enable = true;

     

       13
       13
       +
       

     

       14
       14
       +
             port = goatcounter-port;

     

       15
       15
       +
             proxy = true;

     

       16
       16
       +
             extraArgs = [ "-automigrate" ];

     

       17
       17
       +
           };

     

       18
       18
       +
       

     

       19
       19
       +
           services.caddy = {

     

       20
       20
       +
             virtualHosts.${goatcounter-hostname}.extraConfig = ''

     

       21
       21
       +
               reverse_proxy http://localhost:${toString config.services.goatcounter.port}

     

       22
       22
       +
             '';

     

       23
       23
       +
           };

     

       24
       24
       +
         };

     

       25
       25
       +
       }

+85

hosts/weird-row-server/grafana.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         grafana-port = 3002;

     

       7
       7
       +
         grafana-hostname = "console.net.wiro.world";

     

       8
       8
       +
       

     

       9
       9
       +
         prometheus-port = 9001;

     

       10
       10
       +
         prometheus-node-exporter-port = 9002;

     

       11
       11
       +
         caddy-metrics-port = 2019;

     

       12
       12
       +
         authelia-metrics-port = 9004;

     

       13
       13
       +
         headscale-metrics-port = 9003;

     

       14
       14
       +
       in

     

       15
       15
       +
       {

     

       16
       16
       +
         config = {

     

       17
       17
       +
           age.secrets.grafana-oidc-secret = { file = secrets/grafana-oidc-secret.age; owner = "grafana"; };

     

       18
       18
       +
           services.grafana = {

     

       19
       19
       +
             enable = true;

     

       20
       20
       +
       

     

       21
       21
       +
             settings = {

     

       22
       22
       +
               server = {

     

       23
       23
       +
                 http_port = grafana-port;

     

       24
       24
       +
                 domain = grafana-hostname;

     

       25
       25
       +
                 root_url = "https://${grafana-hostname}";

     

       26
       26
       +
               };

     

       27
       27
       +
       

     

       28
       28
       +
               "auth.generic_oauth" = {

     

       29
       29
       +
                 enable = true;

     

       30
       30
       +
                 name = "Authelia";

     

       31
       31
       +
                 icon = "signin";

     

       32
       32
       +
       

     

       33
       33
       +
                 client_id = "grafana";

     

       34
       34
       +
                 client_secret_path = config.age.secrets.grafana-oidc-secret.path;

     

       35
       35
       +
                 auto_login = true;

     

       36
       36
       +
       

     

       37
       37
       +
                 scopes = [ "openid" "profile" "email" "groups" ];

     

       38
       38
       +
                 auth_url = "https://auth.wiro.world/api/oidc/authorization";

     

       39
       39
       +
                 token_url = "https://auth.wiro.world/api/oidc/token";

     

       40
       40
       +
                 api_url = "https://auth.wiro.world/api/oidc/userinfo";

     

       41
       41
       +
                 use_pkce = true;

     

       42
       42
       +
               };

     

       43
       43
       +
             };

     

       44
       44
       +
           };

     

       45
       45
       +
       

     

       46
       46
       +
           services.prometheus = {

     

       47
       47
       +
             enable = true;

     

       48
       48
       +
             port = prometheus-port;

     

       49
       49
       +
       

     

       50
       50
       +
             exporters.node = {

     

       51
       51
       +
               enable = true;

     

       52
       52
       +
               port = prometheus-node-exporter-port;

     

       53
       53
       +
             };

     

       54
       54
       +
       

     

       55
       55
       +
             scrapeConfigs = [

     

       56
       56
       +
               {

     

       57
       57
       +
                 job_name = "caddy";

     

       58
       58
       +
                 static_configs = [{ targets = [ "localhost:${toString caddy-metrics-port}" ]; }];

     

       59
       59
       +
               }

     

       60
       60
       +
               {

     

       61
       61
       +
                 job_name = "node-exporter";

     

       62
       62
       +
                 static_configs = [{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }];

     

       63
       63
       +
               }

     

       64
       64
       +
               {

     

       65
       65
       +
                 job_name = "headscale";

     

       66
       66
       +
                 static_configs = [{ targets = [ "localhost:${toString headscale-metrics-port}" ]; }];

     

       67
       67
       +
               }

     

       68
       68
       +
               {

     

       69
       69
       +
                 job_name = "authelia";

     

       70
       70
       +
                 static_configs = [{ targets = [ "localhost:${toString authelia-metrics-port}" ]; }];

     

       71
       71
       +
               }

     

       72
       72
       +
             ];

     

       73
       73
       +
           };

     

       74
       74
       +
       

     

       75
       75
       +
           services.caddy = {

     

       76
       76
       +
             globalConfig = ''

     

       77
       77
       +
               metrics { per_host }

     

       78
       78
       +
             '';

     

       79
       79
       +
             virtualHosts."http://${grafana-hostname}".extraConfig = ''

     

       80
       80
       +
               bind tailscale/console

     

       81
       81
       +
               reverse_proxy http://localhost:${toString grafana-port}

     

       82
       82
       +
             '';

     

       83
       83
       +
           };

     

       84
       84
       +
         };

     

       85
       85
       +
       }

+84

hosts/weird-row-server/headscale.nix

···

       1
       1
       +
       { pkgs

     

       2
       2
       +
       , config

     

       3
       3
       +
       , ...

     

       4
       4
       +
       }:

     

       5
       5
       +
       

     

       6
       6
       +
       let

     

       7
       7
       +
         json-format = pkgs.formats.json { };

     

       8
       8
       +
       

     

       9
       9
       +
         headscale-port = 3006;

     

       10
       10
       +
         headscale-derp-port = 3478;

     

       11
       11
       +
         headscale-hostname = "headscale.wiro.world";

     

       12
       12
       +
       

     

       13
       13
       +
         headscale-metrics-port = 9003;

     

       14
       14
       +
       in

     

       15
       15
       +
       {

     

       16
       16
       +
         config = {

     

       17
       17
       +
           networking.firewall.allowedUDPPorts = [ headscale-derp-port ];

     

       18
       18
       +
       

     

       19
       19
       +
           age.secrets.headscale-oidc-secret = { file = secrets/headscale-oidc-secret.age; owner = config.services.headscale.user; };

     

       20
       20
       +
           services.headscale = {

     

       21
       21
       +
             enable = true;

     

       22
       22
       +
       

     

       23
       23
       +
             port = headscale-port;

     

       24
       24
       +
             settings = {

     

       25
       25
       +
               server_url = "https://${headscale-hostname}";

     

       26
       26
       +
               metrics_listen_addr = "127.0.0.1:${toString headscale-metrics-port}";

     

       27
       27
       +
       

     

       28
       28
       +
               policy.path = json-format.generate "policy.json" {

     

       29
       29
       +
                 acls = [

     

       30
       30
       +
                   {

     

       31
       31
       +
                     action = "accept";

     

       32
       32
       +
                     src = [ "autogroup:member" ];

     

       33
       33
       +
                     dst = [ "autogroup:self:*" ];

     

       34
       34
       +
                   }

     

       35
       35
       +
                 ];

     

       36
       36
       +
                 ssh = [

     

       37
       37
       +
                   {

     

       38
       38
       +
                     action = "accept";

     

       39
       39
       +
                     src = [ "autogroup:member" ];

     

       40
       40
       +
                     dst = [ "autogroup:self" ];

     

       41
       41
       +
                     # Adding root here is privilege escalation as a feature :)

     

       42
       42
       +
                     users = [ "autogroup:nonroot" ];

     

       43
       43
       +
                   }

     

       44
       44
       +
                 ];

     

       45
       45
       +
               };

     

       46
       46
       +
       

     

       47
       47
       +
               # disable TLS

     

       48
       48
       +
               tls_cert_path = null;

     

       49
       49
       +
               tls_key_path = null;

     

       50
       50
       +
       

     

       51
       51
       +
               dns = {

     

       52
       52
       +
                 magic_dns = true;

     

       53
       53
       +
                 base_domain = "net.wiro.world";

     

       54
       54
       +
       

     

       55
       55
       +
                 override_local_dns = true;

     

       56
       56
       +
                 # Quad9 nameservers

     

       57
       57
       +
                 nameservers.global = [ "9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9" ];

     

       58
       58
       +
               };

     

       59
       59
       +
       

     

       60
       60
       +
               oidc = {

     

       61
       61
       +
                 only_start_if_oidc_is_available = true;

     

       62
       62
       +
                 issuer = "https://auth.wiro.world";

     

       63
       63
       +
                 client_id = "headscale";

     

       64
       64
       +
                 client_secret_path = config.age.secrets.headscale-oidc-secret.path;

     

       65
       65
       +
                 scope = [ "openid" "profile" "email" "groups" ];

     

       66
       66
       +
                 pkce.enabled = true;

     

       67
       67
       +
               };

     

       68
       68
       +
       

     

       69
       69
       +
               derp.server = {

     

       70
       70
       +
                 enable = true;

     

       71
       71
       +
                 stun_listen_addr = "0.0.0.0:${toString headscale-derp-port}";

     

       72
       72
       +
               };

     

       73
       73
       +
             };

     

       74
       74
       +
           };

     

       75
       75
       +
           # headscale only starts if oidc is available

     

       76
       76
       +
           systemd.services.headscale.after = [ "authelia-main.service" ];

     

       77
       77
       +
       

     

       78
       78
       +
           services.caddy = {

     

       79
       79
       +
             virtualHosts.${headscale-hostname}.extraConfig = ''

     

       80
       80
       +
               reverse_proxy http://localhost:${toString headscale-port}

     

       81
       81
       +
             '';

     

       82
       82
       +
           };

     

       83
       83
       +
         };

     

       84
       84
       +
       }

+42

hosts/weird-row-server/hypixel-bank-tracker.nix

···

       1
       1
       +
       { self

     

       2
       2
       +
       , config

     

       3
       3
       +
       , ...

     

       4
       4
       +
       }:

     

       5
       5
       +
       

     

       6
       6
       +
       let

     

       7
       7
       +
         inherit (self.inputs) hypixel-bank-tracker;

     

       8
       8
       +
       

     

       9
       9
       +
         hbt-main-port = 3013;

     

       10
       10
       +
         hbt-banana-port = 3014;

     

       11
       11
       +
       in

     

       12
       12
       +
       {

     

       13
       13
       +
         imports = [ hypixel-bank-tracker.nixosModules.default ];

     

       14
       14
       +
       

     

       15
       15
       +
         config = {

     

       16
       16
       +
           age.secrets.hypixel-bank-tracker-main.file = secrets/hypixel-bank-tracker-main.age;

     

       17
       17
       +
           services.hypixel-bank-tracker.instances.main = {

     

       18
       18
       +
             enable = true;

     

       19
       19
       +
       

     

       20
       20
       +
             port = hbt-main-port;

     

       21
       21
       +
             environmentFile = config.age.secrets.hypixel-bank-tracker-main.path;

     

       22
       22
       +
           };

     

       23
       23
       +
       

     

       24
       24
       +
           age.secrets.hypixel-bank-tracker-banana.file = secrets/hypixel-bank-tracker-banana.age;

     

       25
       25
       +
           services.hypixel-bank-tracker.instances.banana = {

     

       26
       26
       +
             enable = true;

     

       27
       27
       +
       

     

       28
       28
       +
             port = hbt-banana-port;

     

       29
       29
       +
             environmentFile = config.age.secrets.hypixel-bank-tracker-banana.path;

     

       30
       30
       +
           };

     

       31
       31
       +
       

     

       32
       32
       +
           services.caddy = {

     

       33
       33
       +
             virtualHosts."hypixel-bank-tracker.xyz".extraConfig = ''

     

       34
       34
       +
               reverse_proxy http://localhost:${toString config.services.hypixel-bank-tracker.instances.main.port}

     

       35
       35
       +
             '';

     

       36
       36
       +
       

     

       37
       37
       +
             virtualHosts."banana.hypixel-bank-tracker.xyz".extraConfig = ''

     

       38
       38
       +
               reverse_proxy http://localhost:${toString config.services.hypixel-bank-tracker.instances.banana.port}

     

       39
       39
       +
             '';

     

       40
       40
       +
           };

     

       41
       41
       +
         };

     

       42
       42
       +
       }

+39

hosts/weird-row-server/lldap.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         lldap-port = 3007;

     

       7
       7
       +
         lldap-hostname = "ldap.net.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           age.secrets.lldap-env.file = secrets/lldap-env.age;

     

       12
       12
       +
           users.users.lldap = { isSystemUser = true; group = "lldap"; };

     

       13
       13
       +
           users.groups.lldap = { };

     

       14
       14
       +
           age.secrets.lldap-user-pass = { file = secrets/lldap-user-pass.age; owner = "lldap"; };

     

       15
       15
       +
           services.lldap = {

     

       16
       16
       +
             enable = true;

     

       17
       17
       +
       

     

       18
       18
       +
             silenceForceUserPassResetWarning = true;

     

       19
       19
       +
       

     

       20
       20
       +
             settings = {

     

       21
       21
       +
               http_url = "https://${lldap-hostname}";

     

       22
       22
       +
               http_port = lldap-port;

     

       23
       23
       +
       

     

       24
       24
       +
               ldap_user_pass_file = config.age.secrets.lldap-user-pass.path;

     

       25
       25
       +
               force_ldap_user_pass_reset = false;

     

       26
       26
       +
       

     

       27
       27
       +
               ldap_base_dn = "dc=wiro,dc=world";

     

       28
       28
       +
             };

     

       29
       29
       +
             environmentFile = config.age.secrets.lldap-env.path;

     

       30
       30
       +
           };

     

       31
       31
       +
       

     

       32
       32
       +
           services.caddy = {

     

       33
       33
       +
             virtualHosts."http://${lldap-hostname}".extraConfig = ''

     

       34
       34
       +
               bind tailscale/ldap

     

       35
       35
       +
               reverse_proxy http://localhost:${toString config.services.lldap.settings.http_port}

     

       36
       36
       +
             '';

     

       37
       37
       +
           };

     

       38
       38
       +
         };

     

       39
       39
       +
       }

+52

hosts/weird-row-server/miniflux.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         miniflux-port = 3012;

     

       7
       7
       +
         miniflux-hostname = "news.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           users.users.miniflux = { isSystemUser = true; group = "miniflux"; };

     

       12
       12
       +
           users.groups.miniflux = { };

     

       13
       13
       +
           age.secrets.miniflux-oidc-secret = { file = secrets/miniflux-oidc-secret.age; owner = "miniflux"; };

     

       14
       14
       +
           services.miniflux = {

     

       15
       15
       +
             enable = true;

     

       16
       16
       +
       

     

       17
       17
       +
             createDatabaseLocally = true;

     

       18
       18
       +
             config = {

     

       19
       19
       +
               BASE_URL = "https://${miniflux-hostname}/";

     

       20
       20
       +
               LISTEN_ADDR = "127.0.0.1:${toString miniflux-port}";

     

       21
       21
       +
               CREATE_ADMIN = 0;

     

       22
       22
       +
       

     

       23
       23
       +
               METRICS_COLLECTOR = 1;

     

       24
       24
       +
       

     

       25
       25
       +
               OAUTH2_PROVIDER = "oidc";

     

       26
       26
       +
               OAUTH2_OIDC_PROVIDER_NAME = "wiro.world SSO";

     

       27
       27
       +
               OAUTH2_CLIENT_ID = "miniflux";

     

       28
       28
       +
               OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux-oidc-secret.path;

     

       29
       29
       +
               OAUTH2_REDIRECT_URL = "https://${miniflux-hostname}/oauth2/oidc/callback";

     

       30
       30
       +
               OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.wiro.world";

     

       31
       31
       +
               OAUTH2_USER_CREATION = 1;

     

       32
       32
       +
               DISABLE_LOCAL_AUTH = 1;

     

       33
       33
       +
       

     

       34
       34
       +
               RUN_MIGRATIONS = 1;

     

       35
       35
       +
       

     

       36
       36
       +
               # NetNewsWire is a very good iOS oss client that integrates well

     

       37
       37
       +
               # https://b.j4.lc/2025/05/05/setting-up-netnewswire-with-miniflux/

     

       38
       38
       +
             };

     

       39
       39
       +
           };

     

       40
       40
       +
       

     

       41
       41
       +
           services.prometheus.scrapeConfigs = [{

     

       42
       42
       +
             job_name = "miniflux";

     

       43
       43
       +
             static_configs = [{ targets = [ "localhost:${toString miniflux-port}" ]; }];

     

       44
       44
       +
           }];

     

       45
       45
       +
       

     

       46
       46
       +
           services.caddy = {

     

       47
       47
       +
             virtualHosts.${miniflux-hostname}.extraConfig = ''

     

       48
       48
       +
               reverse_proxy http://localhost:${toString miniflux-port}

     

       49
       49
       +
             '';

     

       50
       50
       +
           };

     

       51
       51
       +
         };

     

       52
       52
       +
       }

+43

hosts/weird-row-server/pds.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         pds-port = 3001;

     

       7
       7
       +
         pds-hostname = "pds.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           age.secrets.pds-env.file = secrets/pds-env.age;

     

       12
       12
       +
           services.bluesky-pds = {

     

       13
       13
       +
             enable = true;

     

       14
       14
       +
       

     

       15
       15
       +
             settings = {

     

       16
       16
       +
               PDS_HOSTNAME = "pds.wiro.world";

     

       17
       17
       +
               PDS_PORT = pds-port;

     

       18
       18
       +
               # is in systemd /tmp subfolder

     

       19
       19
       +
               LOG_DESTINATION = "/tmp/pds.log";

     

       20
       20
       +
             };

     

       21
       21
       +
       

     

       22
       22
       +
             environmentFiles = [

     

       23
       23
       +
               config.age.secrets.pds-env.path

     

       24
       24
       +
             ];

     

       25
       25
       +
           };

     

       26
       26
       +
       

     

       27
       27
       +
           services.caddy = {

     

       28
       28
       +
             globalConfig = ''

     

       29
       29
       +
               on_demand_tls {

     

       30
       30
       +
                 ask http://localhost:${toString pds-port}/tls-check

     

       31
       31
       +
               }

     

       32
       32
       +
             '';

     

       33
       33
       +
       

     

       34
       34
       +
             virtualHosts.${pds-hostname} = {

     

       35
       35
       +
               serverAliases = [ "*.${pds-hostname}" ];

     

       36
       36
       +
               extraConfig = ''

     

       37
       37
       +
               	tls { on_demand }

     

       38
       38
       +
                 reverse_proxy http://localhost:${toString config.services.bluesky-pds.settings.PDS_HOSTNAME}

     

       39
       39
       +
               '';

     

       40
       40
       +
             };

     

       41
       41
       +
           };

     

       42
       42
       +
         };

     

       43
       43
       +
       }

hosts/weird-row-server/secrets/authelia-issuer-private-key.age

This is a binary file and will not be displayed.

hosts/weird-row-server/secrets/authelia-jwt-secret.age

This is a binary file and will not be displayed.

hosts/weird-row-server/secrets/authelia-ldap-password.age

This is a binary file and will not be displayed.

hosts/weird-row-server/secrets/authelia-smtp-password.age

···

       1
       1
       +
       age-encryption.org/v1

     

       2
       2
       +
       -> ssh-ed25519 sMF1bg 0duJYaUlZd2G3tYi7CuV+c7KNaqWusLoMpoILvaajgc

     

       3
       3
       +
       AnAlDVzRdeoXGXvyllhSNCoDQjZ+nucLGHCfPWR8IBQ

     

       4
       4
       +
       -> ssh-ed25519 SmMcWg oX82fe4sQmKyjJqv9AFRY6Bww43V/8myNRsN9/M8Sho

     

       5
       5
       +
       Et6ycO8hm2XV36X5q7iO+nJCtjkYoq6mDBEssrjt/70

     

       6
       6
       +
       -> ssh-ed25519 Q8rMFA /gU1tIVjqExV8NXB1gSDsWIXpVfxm3zPJX7xOAqeqWM

     

       7
       7
       +
       szrd67kHWslLO+jMCuDmzYR0LPVVzd7idgl3AKt+USU

     

       8
       8
       +
       --- ojxyQVhx4rX+x5gzEEx8KFiorwywqEEyTNWUJY39jIk

     

       9
       9
       +
       �������ş*
l��1����=n�Ŏ��(�	�Iamz~B�����������鰦�.�.Z>�',p��

+11

hosts/weird-row-server/secrets/authelia-storage-key.age

···

       1
       1
       +
       age-encryption.org/v1

     

       2
       2
       +
       -> ssh-ed25519 sMF1bg PYC6LaFo/DTQlRMewqbVtS4lzVtKyuFZQSqCrQwwEyg

     

       3
       3
       +
       kj0sHy8IpnBsMBQy/XYtj2pLXlk6wprF3MxjFTOiZ6E

     

       4
       4
       +
       -> ssh-ed25519 SmMcWg rvlLGzf6D96Dh1lL8as2vjc3PB7G/86U8AR7/lAELT0

     

       5
       5
       +
       qcdOqVV6o+5OfJYj5pfZ62hOnrBQwY0DAeIJkLoyYss

     

       6
       6
       +
       -> ssh-ed25519 Q8rMFA eALgQVN5OA0EuYYEyEbFnju/Yii71e+xcs98LkXnyyo

     

       7
       7
       +
       Rbxu60qvXKdFaJ7lfs7LeYx37TIKYK2Gxw2QcxF3soA

     

       8
       8
       +
       --- ryt5q5lXn1Cyn4T6RSU1IR7dHZOTbyanaG6ZqeYYGBQ

     

       9
       9
       +
       �G���*	\�ʕ�|���

     

       10
       10
       +
       �S�T���z�!
�FIG͍��,��2Q��+�s�76Z�D`��Q�hM�],��E7�2<Q�

     

       11
       11
       +
       ?ׯ�t��u\���xpe/rrR��L}��S��g�%�:�Oj����{T%h��D�~�+DЫ��W%� �ŗ�r�v$%m$

hosts/weird-row-server/secrets/caddy-env.age

This is a binary file and will not be displayed.

+27

hosts/weird-row-server/secrets/default.nix

···

       1
       1
       +
       keys:

     

       2
       2
       +
       let

     

       3
       3
       +
         inherit (keys) servers users;

     

       4
       4
       +
         deploy = servers ++ users;

     

       5
       5
       +
       in

     

       6
       6
       +
       {

     

       7
       7
       +
         # Defines `PDS_JWT_SECRET`, `PDS_ADMIN_PASSWORD`, `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX`, `PDS_EMAIL_SMTP_URL`, `PDS_EMAIL_FROM_ADDRESS`.

     

       8
       8
       +
         "pds-env.age".publicKeys = deploy;

     

       9
       9
       +
         # Defines `LLDAP_JWT_SECRET`, `LLDAP_KEY_SEED`.

     

       10
       10
       +
         "lldap-env.age".publicKeys = deploy;

     

       11
       11
       +
         "lldap-user-pass.age".publicKeys = deploy;

     

       12
       12
       +
         "headscale-oidc-secret.age".publicKeys = deploy;

     

       13
       13
       +
         "grafana-oidc-secret.age".publicKeys = deploy;

     

       14
       14
       +
         "authelia-jwt-secret.age".publicKeys = deploy;

     

       15
       15
       +
         "authelia-issuer-private-key.age".publicKeys = deploy;

     

       16
       16
       +
         "authelia-storage-key.age".publicKeys = deploy;

     

       17
       17
       +
         "authelia-ldap-password.age".publicKeys = deploy;

     

       18
       18
       +
         "authelia-smtp-password.age".publicKeys = deploy;

     

       19
       19
       +
         "tuwunel-registration-tokens.age".publicKeys = deploy;

     

       20
       20
       +
         # Defines `SMTP_PASSWORD`

     

       21
       21
       +
         "vaultwarden-env.age".publicKeys = deploy;

     

       22
       22
       +
         "miniflux-oidc-secret.age".publicKeys = deploy;

     

       23
       23
       +
         # Defines `HYPIXEL_API_KEY`, `PROFILE_UUID`

     

       24
       24
       +
         "hypixel-bank-tracker-main.age".publicKeys = deploy;

     

       25
       25
       +
         "hypixel-bank-tracker-banana.age".publicKeys = deploy;

     

       26
       26
       +
         "caddy-env.age".publicKeys = deploy;

     

       27
       27
       +
       }

hosts/weird-row-server/secrets/grafana-oidc-secret.age

···

       1
       1
       +
       age-encryption.org/v1

     

       2
       2
       +
       -> ssh-ed25519 sMF1bg 2+JZ3WMnTgnnNYmJqdqAtOsEIk9pAefHfwLcXZQpqlg

     

       3
       3
       +
       yE0R9b0mSzoT6mvoWUG829UmkgGkm6vg0i7WLORaTis

     

       4
       4
       +
       -> ssh-ed25519 SmMcWg c8goAmCIPQ5rsTwoOej9ndGc0uBpWILSn/wy6XJHK14

     

       5
       5
       +
       ArjlEl4hxi4N6Py1emxgxUFKvSXIwLWsy6HrWNqJUHw

     

       6
       6
       +
       -> ssh-ed25519 Q8rMFA t72V+A0n5Tnb0VqvBrzt3j75CbcfvQltodKMhF64SXY

     

       7
       7
       +
       V+Ynzd4tIUI8JPy9uyoi+frW6wJnQxDavHAqnp/lem8

     

       8
       8
       +
       --- mzRky/dA1MDArnDSSaGyZP9yAQgD2va4MfopbrdM0iU

     

       9
       9
       +
       ��*�٪l����a5�QE£uަ��"�;��3�l.!`	�u�
_+)$��d��ˤ����ff�F��mѳc�a�EV��Nߧ��,�@����

hosts/weird-row-server/secrets/headscale-oidc-secret.age

This is a binary file and will not be displayed.

hosts/weird-row-server/secrets/hypixel-bank-tracker-banana.age

This is a binary file and will not be displayed.

+12

hosts/weird-row-server/secrets/hypixel-bank-tracker-main.age

···

       1
       1
       +
       age-encryption.org/v1

     

       2
       2
       +
       -> ssh-ed25519 sMF1bg B3wX5eWrSUivBKJzdiSOVvWEdGuZvGJHVDCCSFa29kw

     

       3
       3
       +
       F1H0QzBPS1FPvactH7z3OvR5wPdawkMzIj1awUmkrqA

     

       4
       4
       +
       -> ssh-ed25519 SmMcWg DtmTaO1Ox4y+AyZbOgaJU2PxMRdHloHECLOrvdI/g28

     

       5
       5
       +
       my6GKU1rxPyClyos0efuInWok5w3xwwoJ4p3M6roBIw

     

       6
       6
       +
       -> ssh-ed25519 Q8rMFA LKyAN4v78N/OcleCPuYpPlZ0se5Dmp4qiWynY4zTfDo

     

       7
       7
       +
       2lOqk3QF2lB/b7Md6yWq4R2jn+J3PiATIkrFUxgt104

     

       8
       8
       +
       -> OR`n;K-grease

     

       9
       9
       +
       lWGBER6K10zAcNHyiUMJAnJ84h1ppo5MJ5ztgw

     

       10
       10
       +
       --- abe4RLNH3d9h7UpWD3PRIBgHWagt8cU+AHIFbX1D9/E

     

       11
       11
       +
       �LJu���k؜��_��%��|�J]��KN��?]��tR�<�]�|���ߟ��¾FzU��������:�Y��TX����p,9v6q�7�~�y�]X���͇ǷR5՚>[������#�#�-

     

       12
       12
       +
       cM,1Ǜ"M��"'F�W�3o�

hosts/weird-row-server/secrets/lldap-env.age

This is a binary file and will not be displayed.

+11

hosts/weird-row-server/secrets/lldap-user-pass.age

···

       1
       1
       +
       age-encryption.org/v1

     

       2
       2
       +
       -> ssh-ed25519 sMF1bg rkX6nxV4pATfwzkzJtI08/Z0bvi0wYwnLJsppUAsz20

     

       3
       3
       +
       X+znUc5AKAunPqr1jdq10obvQBU+rqs/LmeQaZzI+F4

     

       4
       4
       +
       -> ssh-ed25519 SmMcWg xaZtLP6GOocdiMf3hgoujWigGgi7KxDUMGuPYNqS8WU

     

       5
       5
       +
       00Y+8L4QssKFqRlGB2e0yiv9SyoqbxeZ/lWL6DCLlpo

     

       6
       6
       +
       -> ssh-ed25519 Q8rMFA kHA5wVVhmpodSn3OcZuc78xttymjOoy9voa8GqIE+F8

     

       7
       7
       +
       a7HpZf6sjmxr49QoV9tXrATheu8u20JmKCEIkmAZdhA

     

       8
       8
       +
       -> U=6S`1*-grease \8na]onc

     

       9
       9
       +
       PP5XQ1vbpadHeiMBOkmEccTIAg

     

       10
       10
       +
       --- 1hkJN6ZLX8GJ8y0WuFcMEv66om+Phc0wYJFKCB8Amzg

     

       11
       11
       +
       �M�	��}ޘ*;f��y��]����2ef���}�d������J�\��8�h��1�u� ������SHN��yS�D>W��x�J���yh������

hosts/weird-row-server/secrets/miniflux-oidc-secret.age

···

       1
       1
       +
       age-encryption.org/v1

     

       2
       2
       +
       -> ssh-ed25519 sMF1bg E4UVPOuq5ZUSxGvIvr0Tod9PQRqDdqHu2Byv4fKi2io

     

       3
       3
       +
       FcdCyfLmRCmK5rmoLQ/m1KOJe9Etu9N/GHCM5lWCIPE

     

       4
       4
       +
       -> ssh-ed25519 SmMcWg wrKv3V6uSLnWQqIp65Rgi0qv7lQtyOXaxnahMo+s3EU

     

       5
       5
       +
       mXsJ1CbS3pzstf3xaWWF150+aXxW2kY2J5kAZWqtl+A

     

       6
       6
       +
       -> ssh-ed25519 Q8rMFA 91npFfTkw9Ur6aZp/pLzLUOIwwPJ9OA1peaZyTlROBU

     

       7
       7
       +
       12sib8HLjvgN06X6H0/AN4wMewQ8xup813DauZKQ+QY

     

       8
       8
       +
       --- /AGwAMAsPvvuRH6PPNrizBCsJedclYzdj6Kq4V3mx0o

     

       9
       9
       +
       zN��0�=�YP������rլ�!U�n;���n���/��}mCo�F��������!z���r������)u��o�3�>��>Z�f�񡤙1Ň
����

hosts/weird-row-server/secrets/pds-env.age

This is a binary file and will not be displayed.

hosts/weird-row-server/secrets/tuwunel-registration-tokens.age

···

       1
       1
       +
       age-encryption.org/v1

     

       2
       2
       +
       -> ssh-ed25519 sMF1bg TVYRDtTe5khTJo0q8ShrR5o1WBrbK2htHjYCvi5QYAA

     

       3
       3
       +
       kx6Hke5RAZFfugR4aU28SRh4U8e4ymzeIY/+kYlAWhw

     

       4
       4
       +
       -> ssh-ed25519 SmMcWg AyJOM5lQHETeGiI/V5vUtu2vD6PqCZNnuTPvfnU90zE

     

       5
       5
       +
       9vM7/8JUbScHaeDWig16MgqtULryofSrRqhw2OMWfBs

     

       6
       6
       +
       -> ssh-ed25519 Q8rMFA TeUNtmHquyhhDrXf+zXY56oTGvzkhkaReIoBx5Yb+TE

     

       7
       7
       +
       DLfVy9cO1JrVln9CHV1ag66z2kIMrVzhcaIugLytojE

     

       8
       8
       +
       --- nr/3KZTVXNdemLdmp2bO2bjxKDHvcy3gezZKYN5Z1qI

     

       9
       9
       +
       �"��Z8��ԛ�GvJ�{��(�V9��1�N"��o���o����Х�oJ�~�1�!�}Egd�!�

hosts/weird-row-server/secrets/vaultwarden-env.age

This is a binary file and will not be displayed.

+54

hosts/weird-row-server/tangled.nix

···

       1
       1
       +
       { self

     

       2
       2
       +
       , config

     

       3
       3
       +
       , ...

     

       4
       4
       +
       }:

     

       5
       5
       +
       

     

       6
       6
       +
       let

     

       7
       7
       +
         inherit (self.inputs) tangled;

     

       8
       8
       +
       

     

       9
       9
       +
         tangled-owner = "did:plc:xhgrjm4mcx3p5h3y6eino6ti";

     

       10
       10
       +
         tangled-knot-port = 3003;

     

       11
       11
       +
         tangled-knot-hostname = "knot.wiro.world";

     

       12
       12
       +
         tangled-spindle-port = 3004;

     

       13
       13
       +
         tangled-spindle-hostname = "spindle.wiro.world";

     

       14
       14
       +
       in

     

       15
       15
       +
       {

     

       16
       16
       +
         imports = [

     

       17
       17
       +
           tangled.nixosModules.knot

     

       18
       18
       +
           tangled.nixosModules.spindle

     

       19
       19
       +
         ];

     

       20
       20
       +
       

     

       21
       21
       +
         config = {

     

       22
       22
       +
           services.tangled.knot = {

     

       23
       23
       +
             enable = true;

     

       24
       24
       +
             openFirewall = true;

     

       25
       25
       +
       

     

       26
       26
       +
             motd = "Welcome to @wiro.world's knot!\n";

     

       27
       27
       +
             server = {

     

       28
       28
       +
               listenAddr = "localhost:${toString tangled-knot-port}";

     

       29
       29
       +
               hostname = tangled-knot-hostname;

     

       30
       30
       +
               owner = tangled-owner;

     

       31
       31
       +
             };

     

       32
       32
       +
           };

     

       33
       33
       +
       

     

       34
       34
       +
           services.tangled.spindle = {

     

       35
       35
       +
             enable = true;

     

       36
       36
       +
       

     

       37
       37
       +
             server = {

     

       38
       38
       +
               listenAddr = "localhost:${toString tangled-spindle-port}";

     

       39
       39
       +
               hostname = tangled-spindle-hostname;

     

       40
       40
       +
               owner = tangled-owner;

     

       41
       41
       +
             };

     

       42
       42
       +
           };

     

       43
       43
       +
       

     

       44
       44
       +
           services.caddy = {

     

       45
       45
       +
             virtualHosts.${tangled-knot-hostname}.extraConfig = ''

     

       46
       46
       +
               reverse_proxy http://localhost:${toString tangled-knot-port}

     

       47
       47
       +
             '';

     

       48
       48
       +
       

     

       49
       49
       +
             virtualHosts.${tangled-spindle-hostname}.extraConfig = ''

     

       50
       50
       +
               reverse_proxy http://localhost:${toString tangled-spindle-port}

     

       51
       51
       +
             '';

     

       52
       52
       +
           };

     

       53
       53
       +
         };

     

       54
       54
       +
       }

+31

hosts/weird-row-server/thelounge.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         thelounge-port = 3005;

     

       7
       7
       +
         thelounge-hostname = "irc-lounge.net.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           services.thelounge = {

     

       12
       12
       +
             enable = true;

     

       13
       13
       +
             port = thelounge-port;

     

       14
       14
       +
             public = false;

     

       15
       15
       +
       

     

       16
       16
       +
             extraConfig = {

     

       17
       17
       +
               host = "127.0.0.1";

     

       18
       18
       +
               reverseProxy = true;

     

       19
       19
       +
       

     

       20
       20
       +
               # TODO: use ldap, find a way to hide password

     

       21
       21
       +
             };

     

       22
       22
       +
           };

     

       23
       23
       +
       

     

       24
       24
       +
           services.caddy = {

     

       25
       25
       +
             virtualHosts."http://${thelounge-hostname}".extraConfig = ''

     

       26
       26
       +
               bind tailscale/irc-lounge

     

       27
       27
       +
               reverse_proxy http://localhost:${toString config.services.thelounge.port}

     

       28
       28
       +
             '';

     

       29
       29
       +
           };

     

       30
       30
       +
         };

     

       31
       31
       +
       }

+45

hosts/weird-row-server/tuwunel.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         matrix-port = 3009;

     

       7
       7
       +
         matrix-hostname = "matrix.wiro.world";

     

       8
       8
       +
       

     

       9
       9
       +
         website-hostname = "wiro.world";

     

       10
       10
       +
       in

     

       11
       11
       +
       {

     

       12
       12
       +
         config = {

     

       13
       13
       +
           age.secrets.tuwunel-registration-tokens = { file = secrets/tuwunel-registration-tokens.age; owner = config.services.matrix-tuwunel.user; };

     

       14
       14
       +
           services.matrix-tuwunel = {

     

       15
       15
       +
             enable = true;

     

       16
       16
       +
       

     

       17
       17
       +
             settings.global = {

     

       18
       18
       +
               address = [ "127.0.0.1" ];

     

       19
       19
       +
               port = [ matrix-port ];

     

       20
       20
       +
       

     

       21
       21
       +
               server_name = "wiro.world";

     

       22
       22
       +
               well_known = {

     

       23
       23
       +
                 client = "https://matrix.wiro.world";

     

       24
       24
       +
                 server = "matrix.wiro.world:443";

     

       25
       25
       +
               };

     

       26
       26
       +
       

     

       27
       27
       +
               grant_admin_to_first_user = true;

     

       28
       28
       +
               new_user_displayname_suffix = "";

     

       29
       29
       +
       

     

       30
       30
       +
               allow_registration = true;

     

       31
       31
       +
               registration_token_file = config.age.secrets.tuwunel-registration-tokens.path;

     

       32
       32
       +
             };

     

       33
       33
       +
           };

     

       34
       34
       +
       

     

       35
       35
       +
           services.caddy = {

     

       36
       36
       +
             virtualHosts.${matrix-hostname}.extraConfig = ''

     

       37
       37
       +
               reverse_proxy /_matrix/* http://localhost:${toString matrix-port}

     

       38
       38
       +
             '';

     

       39
       39
       +
       

     

       40
       40
       +
             virtualHosts.${website-hostname}.extraConfig = ''

     

       41
       41
       +
               reverse_proxy /.well-known/matrix/* http://localhost:${toString matrix-port}

     

       42
       42
       +
             '';

     

       43
       43
       +
           };

     

       44
       44
       +
         };

     

       45
       45
       +
       }

+38

hosts/weird-row-server/vaultwarden.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         vaultwarden-port = 3011;

     

       7
       7
       +
         vaultwarden-hostname = "vault.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           age.secrets.vaultwarden-env.file = secrets/vaultwarden-env.age;

     

       12
       12
       +
           services.vaultwarden = {

     

       13
       13
       +
             enable = true;

     

       14
       14
       +
       

     

       15
       15
       +
             environmentFile = config.age.secrets.vaultwarden-env.path;

     

       16
       16
       +
             config = {

     

       17
       17
       +
               ROCKET_PORT = vaultwarden-port;

     

       18
       18
       +
               DOMAIN = "https://${vaultwarden-hostname}";

     

       19
       19
       +
               SIGNUPS_ALLOWED = false;

     

       20
       20
       +
               ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$YIe9wmrTsmjgZNPxe8m34O/d3XW3Fl/uZPPLQs79dAc$mjDVQSdBJqz2uBJuxtAvCIoHPzOnTDhNPuhER3dhHrY";

     

       21
       21
       +
       

     

       22
       22
       +
               SMTP_HOST = "smtp.resend.com";

     

       23
       23
       +
               SMTP_PORT = 2465;

     

       24
       24
       +
               SMTP_SECURITY = "force_tls";

     

       25
       25
       +
               SMTP_USERNAME = "resend";

     

       26
       26
       +
               # SMTP_PASSWORD = ...; # Via secret env

     

       27
       27
       +
               SMTP_FROM = "bitwarden@wiro.world";

     

       28
       28
       +
               SMTP_FROM_NAME = "Bitwarden wiro.world";

     

       29
       29
       +
             };

     

       30
       30
       +
           };

     

       31
       31
       +
       

     

       32
       32
       +
           services.caddy = {

     

       33
       33
       +
             virtualHosts.${vaultwarden-hostname}.extraConfig = ''

     

       34
       34
       +
               reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}

     

       35
       35
       +
             '';

     

       36
       36
       +
           };

     

       37
       37
       +
         };

     

       38
       38
       +
       }

+24

hosts/weird-row-server/warrior.nix

···

       1
       1
       +
       { config

     

       2
       2
       +
       , ...

     

       3
       3
       +
       }:

     

       4
       4
       +
       

     

       5
       5
       +
       let

     

       6
       6
       +
         warrior-port = 3015;

     

       7
       7
       +
         warrior-hostname = "warrior.net.wiro.world";

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         config = {

     

       11
       11
       +
           virtualisation.oci-containers.containers.archive-warrior = {

     

       12
       12
       +
             image = "atdr.meo.ws/archiveteam/warrior-dockerfile";

     

       13
       13
       +
             ports = [ "127.0.0.1:${toString warrior-port}:8001" ];

     

       14
       14
       +
             pull = "newer";

     

       15
       15
       +
           };

     

       16
       16
       +
       

     

       17
       17
       +
           services.caddy = {

     

       18
       18
       +
             virtualHosts."http://${warrior-hostname}".extraConfig = ''

     

       19
       19
       +
               bind tailscale/warrior

     

       20
       20
       +
               reverse_proxy http://localhost:${toString warrior-port}

     

       21
       21
       +
             '';

     

       22
       22
       +
           };

     

       23
       23
       +
         };

     

       24
       24
       +
       }

+77

hosts/weird-row-server/webfinger.nix

···

       1
       1
       +
       { pkgs

     

       2
       2
       +
       , config

     

       3
       3
       +
       , ...

     

       4
       4
       +
       }:

     

       5
       5
       +
       

     

       6
       6
       +
       let

     

       7
       7
       +
         webfinger-dir = pkgs.writeTextDir ".well-known/webfinger" ''

     

       8
       8
       +
           {

     

       9
       9
       +
             "subject": "acct:milo@wiro.world",

     

       10
       10
       +
             "aliases": [

     

       11
       11
       +
               "mailto:milo@wiro.world",

     

       12
       12
       +
               "https://wiro.world/"

     

       13
       13
       +
             ],

     

       14
       14
       +
             "links": [

     

       15
       15
       +
               {

     

       16
       16
       +
                 "rel": "http://wiro.world/rel/avatar",

     

       17
       17
       +
                 "href": "https://wiro.world/logo.jpg",

     

       18
       18
       +
                 "type": "image/jpeg"

     

       19
       19
       +
               },

     

       20
       20
       +
               {

     

       21
       21
       +
                 "rel": "http://webfinger.net/rel/profile-page",

     

       22
       22
       +
                 "href": "https://wiro.world/",

     

       23
       23
       +
                 "type": "text/html"

     

       24
       24
       +
               },

     

       25
       25
       +
               {

     

       26
       26
       +
                 "rel": "http://openid.net/specs/connect/1.0/issuer",

     

       27
       27
       +
                 "href": "https://auth.wiro.world"

     

       28
       28
       +
               }

     

       29
       29
       +
             ]

     

       30
       30
       +
           }

     

       31
       31
       +
         '';

     

       32
       32
       +
       

     

       33
       33
       +
         well-known-discord-dir = pkgs.writeTextDir ".well-known/discord" ''

     

       34
       34
       +
           dh=919234284ceb2aba439d15b9136073eb2308989b

     

       35
       35
       +
         '';

     

       36
       36
       +
       

     

       37
       37
       +
         website-hostname = "wiro.world";

     

       38
       38
       +
       in

     

       39
       39
       +
       {

     

       40
       40
       +
         config = {

     

       41
       41
       +
           services.caddy = {

     

       42
       42
       +
             virtualHosts.${website-hostname}.extraConfig = ''

     

       43
       43
       +
               @webfinger {

     

       44
       44
       +
                 path /.well-known/webfinger

     

       45
       45
       +
                 method GET HEAD

     

       46
       46
       +
                 query resource=acct:milo@wiro.world

     

       47
       47
       +
                 query resource=mailto:milo@wiro.world

     

       48
       48
       +
                 query resource=https://wiro.world

     

       49
       49
       +
                 query resource=https://wiro.world/

     

       50
       50
       +
               }

     

       51
       51
       +
               route @webfinger {

     

       52
       52
       +
                 header {

     

       53
       53
       +
                   Content-Type "application/jrd+json"

     

       54
       54
       +
                   Access-Control-Allow-Origin "*"

     

       55
       55
       +
                   X-Robots-Tag "noindex"

     

       56
       56
       +
                 }

     

       57
       57
       +
                 root ${webfinger-dir}

     

       58
       58
       +
                 file_server

     

       59
       59
       +
               }

     

       60
       60
       +
             '' +

     

       61
       61
       +
             ''

     

       62
       62
       +
               @discord {

     

       63
       63
       +
                 path /.well-known/discord

     

       64
       64
       +
                 method GET HEAD

     

       65
       65
       +
               }

     

       66
       66
       +
               route @discord {

     

       67
       67
       +
                 header {

     

       68
       68
       +
                   Access-Control-Allow-Origin "*"

     

       69
       69
       +
                   X-Robots-Tag "noindex"

     

       70
       70
       +
                 }

     

       71
       71
       +
                 root ${well-known-discord-dir}

     

       72
       72
       +
                 file_server

     

       73
       73
       +
               }

     

       74
       74
       +
             '';

     

       75
       75
       +
           };

     

       76
       76
       +
         };

     

       77
       77
       +
       }

+12 -2

lib/flake/default.nix

···

       20
       20
        
           # local packages set

     

       21
       21
        
           lpkgs = import ../../pkgs pkgs;

     

       22
       22
        
           # unstable nixpkgs set

     

       23
       23
       -
           upkgs = import unixpkgs { inherit (pkgs) system config; };

     

       23
       23
       +
           upkgs = import unixpkgs {

     

       24
       24
       +
             config = pkgs.config;

     

       25
       25
       +
             system = pkgs.stdenv.hostPlatform.system;

     

       26
       26
       +
           };

     

       24
       27
        
           # indicates if system is darwin

     

       25
       28
        
           isDarwin = pkgs.stdenv.isDarwin;

     

       26
       29
        
         };

     
···

       41
       44
        
               ../../nixos/hardware/${hostName}.nix

     

       42
       45
        
               ../../nixos/profiles/${profile}.nix

     

       43
       46
        
             ];

     

       44
       44
       -
             networking.hostName = hostName;

     

       47
       47
       +
             config.networking.hostName = hostName;

     

       48
       48
       +
           };

     

       49
       49
       +
           host = hostName: {

     

       50
       50
       +
             imports = [

     

       51
       51
       +
               ../../nixos/hardware/${hostName}.nix

     

       52
       52
       +
               ../../hosts/${hostName}/default.nix

     

       53
       53
       +
             ];

     

       54
       54
       +
             config.networking.hostName = hostName;

     

       45
       55
        
           };

     

       46
       56
        
           user = import ./user.nix;

     

       47
       57
        
           managedDiskLayout = import ./managedDiskLayout.nix;

+1 -1

lib/flake/managedDiskLayout.nix

···

       26
       26
        
       

     

       27
       27
        
               The recommended amount from RedHat is:

     

       28
       28
        
       

     

       29
       29
       -
               Amount of RAM    Recommended swap space       Recommended swap space 

     

       29
       29
       +
               Amount of RAM    Recommended swap space       Recommended swap space

     

       30
       30
        
               in the system                                 if allowing for hibernation

     

       31
       31
        
               ——————————————   ——————————————————————————   ———————————————————————————

     

       32
       32
        
               ⩽ 2 GB           2 times the amount of RAM    3 times the amount of RAM

lib/flake/user.nix

···

       36
       36
        
           } else {

     

       37
       37
        
             home = "/home/${name}";

     

       38
       38
        
             extraGroups = [

     

       39
       39
       +
               # TODO: remove or put under an condition

     

       39
       40
        
               "wheel" # sudo access

     

       40
       41
        
               "networkmanager" # needed for nm

     

       41
       42
        
             ];

+2 -3

modules/home-manager/default.nix

···

       1
       1
        
       {

     

       2
       2
       -
         wakatime = import ./wakatime.nix;

     

       3
       3
       -
         wl-clip-persist = import ./wl-clip-persist.nix;

     

       4
       4
       -
         xcompose = import ./xcompose.nix;

     

       2
       2
       +
         wakatime = ./wakatime.nix;

     

       3
       3
       +
         xcompose = ./xcompose.nix;

     

       5
       4
        
       }

-99

modules/home-manager/wl-clip-persist.nix

···

       1
       1
       -
       { config

     

       2
       2
       -
       , lib

     

       3
       3
       -
       , pkgs

     

       4
       4
       -
       , ...

     

       5
       5
       -
       }:

     

       6
       6
       -
       

     

       7
       7
       -
       let

     

       8
       8
       -
         cfg = config.services.wl-clip-persist;

     

       9
       9
       -
       in

     

       10
       10
       -
       {

     

       11
       11
       -
         options.services.wl-clip-persist = with lib; {

     

       12
       12
       -
           enable = mkEnableOption "";

     

       13
       13
       -
       

     

       14
       14
       -
           package = mkPackageOption pkgs "wl-clip-persist" { };

     

       15
       15
       -
       

     

       16
       16
       -
           clipboard = mkOption {

     

       17
       17
       -
             description = "The clipboard type to operate on";

     

       18
       18
       -
             default = "regular";

     

       19
       19
       -
             type = types.enum [ "regular" "primary" "both" ];

     

       20
       20
       -
           };

     

       21
       21
       -
       

     

       22
       22
       -
           display = mkOption {

     

       23
       23
       -
             description = "The wayland display to operate on";

     

       24
       24
       -
             default = null;

     

       25
       25
       -
             type = types.nullOr types.str;

     

       26
       26
       -
           };

     

       27
       27
       -
       

     

       28
       28
       -
           ignoreEventOnError = mkOption {

     

       29
       29
       -
             description = "Only handle selection events where no error occurred";

     

       30
       30
       -
             default = null;

     

       31
       31
       -
             type = types.nullOr types.bool;

     

       32
       32
       -
           };

     

       33
       33
       -
       

     

       34
       34
       -
           allMimeTypeRegex = mkOption {

     

       35
       35
       -
             description = "Only handle selection events where all offered MIME types have a match for the regex";

     

       36
       36
       -
             default = null;

     

       37
       37
       -
             type = types.nullOr types.str;

     

       38
       38
       -
           };

     

       39
       39
       -
       

     

       40
       40
       -
           interruptOldClipboardRequests = mkOption {

     

       41
       41
       -
             description = "Interrupt trying to send the old clipboard to other programs when the clipboard has been updated";

     

       42
       42
       -
             default = null;

     

       43
       43
       -
             type = types.nullOr types.bool;

     

       44
       44
       -
           };

     

       45
       45
       -
       

     

       46
       46
       -
           selectionSizeLimit = mkOption {

     

       47
       47
       -
             description = "Only handle selection events whose total data size does not exceed the size limit";

     

       48
       48
       -
             default = null;

     

       49
       49
       -
             type = types.nullOr types.int;

     

       50
       50
       -
           };

     

       51
       51
       -
       

     

       52
       52
       -
           readTimeout = mkOption {

     

       53
       53
       -
             description = "Timeout for trying to get the current clipboard";

     

       54
       54
       -
             default = 500;

     

       55
       55
       -
             type = types.int;

     

       56
       56
       -
           };

     

       57
       57
       -
       

     

       58
       58
       -
           ignoreEventOnTimeout = mkOption {

     

       59
       59
       -
             description = "Only handle selection events where no timeout occurred";

     

       60
       60
       -
             default = null;

     

       61
       61
       -
             type = types.nullOr types.bool;

     

       62
       62
       -
           };

     

       63
       63
       -
       

     

       64
       64
       -
           writeTimeout = mkOption {

     

       65
       65
       -
             description = "Timeout for trying to send the current clipboard to other programs";

     

       66
       66
       -
             default = 3000;

     

       67
       67
       -
             type = types.int;

     

       68
       68
       -
           };

     

       69
       69
       -
         };

     

       70
       70
       -
       

     

       71
       71
       -
         config = lib.mkIf cfg.enable {

     

       72
       72
       -
           systemd.user.services.wl-clip-persist = {

     

       73
       73
       -
             Unit = {

     

       74
       74
       -
               Description = "wl-clip-persist system service";

     

       75
       75
       -
               PartOf = [ "graphical-session.target" ];

     

       76
       76
       -
               BindsTo = [ "graphical-session.target" ];

     

       77
       77
       -
             };

     

       78
       78
       -
       

     

       79
       79
       -
             Service = {

     

       80
       80
       -
               Type = "simple";

     

       81
       81
       -
               ExecStart = "${lib.getExe cfg.package} ${lib.cli.toGNUCommandLineShell {} {

     

       82
       82
       -
                 clipboard = cfg.clipboard;

     

       83
       83
       -
                 display = cfg.display;

     

       84
       84
       -
                 ignore-event-on-error = cfg.ignoreEventOnError;

     

       85
       85
       -
                 all-mime-type-regex = cfg.allMimeTypeRegex;

     

       86
       86
       -
                 interrupt-old-clipboard-requests = cfg.interruptOldClipboardRequests;

     

       87
       87
       -
                 selection-size-limit = cfg.selectionSizeLimit;

     

       88
       88
       -
                 read-timeout = cfg.readTimeout;

     

       89
       89
       -
                 ignore-event-on-timeout = cfg.ignoreEventOnTimeout;

     

       90
       90
       -
                 write-timeout = cfg.writeTimeout;

     

       91
       91
       -
               }}";

     

       92
       92
       -
               Restart = "on-failure";

     

       93
       93
       -
               TimeoutStopSec = 15;

     

       94
       94
       -
             };

     

       95
       95
       -
       

     

       96
       96
       -
             Install.WantedBy = lib.mkDefault [ "graphical-session.target" ];

     

       97
       97
       -
           };

     

       98
       98
       -
         };

     

       99
       99
       -
       }

+1 -1

modules/home-manager/xcompose.nix

···

       14
       14
        
           loadConfigInEnv = mkOption {

     

       15
       15
        
             description = ''

     

       16
       16
        
               Load the XCompose file by passing the `XCOMPOSEFILE` environment variable instead of linking to ~/.XCompose.

     

       17
       17
       -
               

     

       17
       17
       +
       

     

       18
       18
        
               That is nice to avoid cluttering the HOME directory, it's preferable to disable it when experimenting

     

       19
       19
        
               with your compose config to reload faster than having to reload your VM.

     

       20
       20
        
             '';

-2

modules/nixos/default.nix

···

       1
       1
        
       {

     

       2
       2
       -
         geoclue2 = ./geoclue2.nix;

     

       3
       3
       -
         headscale = ./headscale.nix;

     

       4
       2
        
         logiops = ./logiops.nix;

     

       5
       3
        
       }

-324

modules/nixos/geoclue2.nix

···

       1
       1
       -
       # Adapted from the original nixpkgs repo

     

       2
       2
       -
       #

     

       3
       3
       -
       # It supports static location fallback. This is a workaround waiting for an

     

       4
       4
       -
       # alternative to MLS (Mozilla Location Services).

     

       5
       5
       -
       

     

       6
       6
       -
       # Target interface to manage the static file would be:

     

       7
       7
       -
       # static = {

     

       8
       8
       -
       #   latitude = 48.8;

     

       9
       9
       -
       #   longitude = 2.3;

     

       10
       10
       -
       # };

     

       11
       11
       -
       #

     

       12
       12
       -
       # I spent way too much time getting this to work with a submodule.

     

       13
       13
       -
       

     

       14
       14
       -
       { config

     

       15
       15
       -
       , lib

     

       16
       16
       -
       , pkgs

     

       17
       17
       -
       , ...

     

       18
       18
       -
       }:

     

       19
       19
       -
       

     

       20
       20
       -
       let

     

       21
       21
       -
         package = pkgs.geoclue2.override { withDemoAgent = config.services.geoclue2.enableDemoAgent; };

     

       22
       22
       -
       

     

       23
       23
       -
         cfg = config.services.geoclue2;

     

       24
       24
       -
       

     

       25
       25
       -
         defaultWhitelist = [ "gnome-shell" "io.elementary.desktop.agent-geoclue2" ];

     

       26
       26
       -
       

     

       27
       27
       -
         appConfigModule = lib.types.submodule ({ name, ... }: with lib; {

     

       28
       28
       -
           options = {

     

       29
       29
       -
             desktopID = mkOption {

     

       30
       30
       -
               type = types.str;

     

       31
       31
       -
               description = "Desktop ID of the application.";

     

       32
       32
       -
             };

     

       33
       33
       -
       

     

       34
       34
       -
             isAllowed = mkOption {

     

       35
       35
       -
               type = types.bool;

     

       36
       36
       -
               description = ''

     

       37
       37
       -
                 Whether the application will be allowed access to location information.

     

       38
       38
       -
               '';

     

       39
       39
       -
             };

     

       40
       40
       -
       

     

       41
       41
       -
             isSystem = mkOption {

     

       42
       42
       -
               type = types.bool;

     

       43
       43
       -
               description = ''

     

       44
       44
       -
                 Whether the application is a system component or not.

     

       45
       45
       -
               '';

     

       46
       46
       -
             };

     

       47
       47
       -
       

     

       48
       48
       -
             users = mkOption {

     

       49
       49
       -
               type = types.listOf types.str;

     

       50
       50
       -
               default = [ ];

     

       51
       51
       -
               description = ''

     

       52
       52
       -
                 List of UIDs of all users for which this application is allowed location

     

       53
       53
       -
                 info access, Defaults to an empty string to allow it for all users.

     

       54
       54
       -
               '';

     

       55
       55
       -
             };

     

       56
       56
       -
           };

     

       57
       57
       -
       

     

       58
       58
       -
           config.desktopID = mkDefault name;

     

       59
       59
       -
         });

     

       60
       60
       -
       

     

       61
       61
       -
         # staticModule = types.submodule ({ name, ... }: {

     

       62
       62
       -
         #   options = {

     

       63
       63
       -
         #     latitude = mkOption {

     

       64
       64
       -
         #       type = types.float;

     

       65
       65
       -
         #       example = 40.6893129;

     

       66
       66
       -
         #     };

     

       67
       67
       -
       

     

       68
       68
       -
         #     longitude = mkOption {

     

       69
       69
       -
         #       type = types.float;

     

       70
       70
       -
         #       example = -74.0445531;

     

       71
       71
       -
         #     };

     

       72
       72
       -
       

     

       73
       73
       -
         #     altitude = mkOption {

     

       74
       74
       -
         #       type = types.float;

     

       75
       75
       -
         #       default = 0;

     

       76
       76
       -
         #       example = 96;

     

       77
       77
       -
         #     };

     

       78
       78
       -
       

     

       79
       79
       -
         #     accuracyRadius = mkOption {

     

       80
       80
       -
         #       type = types.float;

     

       81
       81
       -
         #       default = 0;

     

       82
       82
       -
         #       example = 1.83;

     

       83
       83
       -
         #     };

     

       84
       84
       -
         #   };

     

       85
       85
       -
         # });

     

       86
       86
       -
       

     

       87
       87
       -
         appConfigToINICompatible = _: { desktopID, isAllowed, isSystem, users, ... }: {

     

       88
       88
       -
           name = desktopID;

     

       89
       89
       -
           value = {

     

       90
       90
       -
             allowed = isAllowed;

     

       91
       91
       -
             system = isSystem;

     

       92
       92
       -
             users = lib.concatStringsSep ";" users;

     

       93
       93
       -
           };

     

       94
       94
       -
         };

     

       95
       95
       -
       

     

       96
       96
       -
       in

     

       97
       97
       -
       {

     

       98
       98
       -
         disabledModules = [ "services/desktops/geoclue2.nix" ];

     

       99
       99
       -
       

     

       100
       100
       -
         options.services.geoclue2 = with lib; {

     

       101
       101
       -
           enable = mkOption {

     

       102
       102
       -
             type = types.bool;

     

       103
       103
       -
             default = false;

     

       104
       104
       -
             description = ''

     

       105
       105
       -
               Whether to enable GeoClue 2 daemon, a DBus service

     

       106
       106
       -
               that provides location information for accessing.

     

       107
       107
       -
             '';

     

       108
       108
       -
           };

     

       109
       109
       -
       

     

       110
       110
       -
           enableDemoAgent = mkOption {

     

       111
       111
       -
             type = types.bool;

     

       112
       112
       -
             default = true;

     

       113
       113
       -
             description = ''

     

       114
       114
       -
               Whether to use the GeoClue demo agent. This should be

     

       115
       115
       -
               overridden by desktop environments that provide their own

     

       116
       116
       -
               agent.

     

       117
       117
       -
             '';

     

       118
       118
       -
           };

     

       119
       119
       -
       

     

       120
       120
       -
           enableNmea = mkOption {

     

       121
       121
       -
             type = types.bool;

     

       122
       122
       -
             default = true;

     

       123
       123
       -
             description = ''

     

       124
       124
       -
               Whether to fetch location from NMEA sources on local network.

     

       125
       125
       -
             '';

     

       126
       126
       -
           };

     

       127
       127
       -
       

     

       128
       128
       -
           enable3G = mkOption {

     

       129
       129
       -
             type = types.bool;

     

       130
       130
       -
             default = true;

     

       131
       131
       -
             description = ''

     

       132
       132
       -
               Whether to enable 3G source.

     

       133
       133
       -
             '';

     

       134
       134
       -
           };

     

       135
       135
       -
       

     

       136
       136
       -
           enableCDMA = mkOption {

     

       137
       137
       -
             type = types.bool;

     

       138
       138
       -
             default = true;

     

       139
       139
       -
             description = ''

     

       140
       140
       -
               Whether to enable CDMA source.

     

       141
       141
       -
             '';

     

       142
       142
       -
           };

     

       143
       143
       -
       

     

       144
       144
       -
           enableModemGPS = mkOption {

     

       145
       145
       -
             type = types.bool;

     

       146
       146
       -
             default = true;

     

       147
       147
       -
             description = ''

     

       148
       148
       -
               Whether to enable Modem-GPS source.

     

       149
       149
       -
             '';

     

       150
       150
       -
           };

     

       151
       151
       -
       

     

       152
       152
       -
           enableWifi = mkOption {

     

       153
       153
       -
             type = types.bool;

     

       154
       154
       -
             default = true;

     

       155
       155
       -
             description = ''

     

       156
       156
       -
               Whether to enable WiFi source.

     

       157
       157
       -
             '';

     

       158
       158
       -
           };

     

       159
       159
       -
       

     

       160
       160
       -
           geoProviderUrl = mkOption {

     

       161
       161
       -
             type = types.str;

     

       162
       162
       -
             default = "https://location.services.mozilla.com/v1/geolocate?key=geoclue";

     

       163
       163
       -
             example = "https://www.googleapis.com/geolocation/v1/geolocate?key=YOUR_KEY";

     

       164
       164
       -
             description = ''

     

       165
       165
       -
               The url to the wifi GeoLocation Service.

     

       166
       166
       -
             '';

     

       167
       167
       -
           };

     

       168
       168
       -
       

     

       169
       169
       -
           submitData = mkOption {

     

       170
       170
       -
             type = types.bool;

     

       171
       171
       -
             default = false;

     

       172
       172
       -
             description = ''

     

       173
       173
       -
               Whether to submit data to a GeoLocation Service.

     

       174
       174
       -
             '';

     

       175
       175
       -
           };

     

       176
       176
       -
       

     

       177
       177
       -
           submissionUrl = mkOption {

     

       178
       178
       -
             type = types.str;

     

       179
       179
       -
             default = "https://location.services.mozilla.com/v1/submit?key=geoclue";

     

       180
       180
       -
             description = ''

     

       181
       181
       -
               The url to submit data to a GeoLocation Service.

     

       182
       182
       -
             '';

     

       183
       183
       -
           };

     

       184
       184
       -
       

     

       185
       185
       -
           submissionNick = mkOption {

     

       186
       186
       -
             type = types.str;

     

       187
       187
       -
             default = "geoclue";

     

       188
       188
       -
             description = ''

     

       189
       189
       -
               A nickname to submit network data with.

     

       190
       190
       -
               Must be 2-32 characters long.

     

       191
       191
       -
             '';

     

       192
       192
       -
           };

     

       193
       193
       -
       

     

       194
       194
       -
           appConfig = mkOption {

     

       195
       195
       -
             type = types.attrsOf appConfigModule;

     

       196
       196
       -
             default = { };

     

       197
       197
       -
             example = {

     

       198
       198
       -
               "com.github.app" = {

     

       199
       199
       -
                 isAllowed = true;

     

       200
       200
       -
                 isSystem = true;

     

       201
       201
       -
                 users = [ "300" ];

     

       202
       202
       -
               };

     

       203
       203
       -
             };

     

       204
       204
       -
             description = ''

     

       205
       205
       -
               Specify extra settings per application.

     

       206
       206
       -
             '';

     

       207
       207
       -
           };

     

       208
       208
       -
       

     

       209
       209
       -
           # static = mkOption {

     

       210
       210
       -
           #   type = types.nullOr (types.attrsOf staticModule);

     

       211
       211
       -
           #   default = null;

     

       212
       212
       -
           #   description = ''

     

       213
       213
       -
           #     Add a fallback location that will be overridden by other location services

     

       214
       214
       -
           #   '';

     

       215
       215
       -
           # };

     

       216
       216
       -
       

     

       217
       217
       -
           staticFile = mkOption {

     

       218
       218
       -
             type = types.nullOr (types.str);

     

       219
       219
       -
             default = null;

     

       220
       220
       -
             description = ''

     

       221
       221
       -
               Add a fallback location that will be overridden by other location services

     

       222
       222
       -
             '';

     

       223
       223
       -
           };

     

       224
       224
       -
         };

     

       225
       225
       -
       

     

       226
       226
       -
         config = lib.mkIf cfg.enable {

     

       227
       227
       -
           environment.systemPackages = [ package ];

     

       228
       228
       -
       

     

       229
       229
       -
           services.dbus.packages = [ package ];

     

       230
       230
       -
       

     

       231
       231
       -
           systemd.packages = [ package ];

     

       232
       232
       -
       

     

       233
       233
       -
           # we cannot use DynamicUser as we need the the geoclue user to exist for the

     

       234
       234
       -
           # dbus policy to work

     

       235
       235
       -
           users = {

     

       236
       236
       -
             users.geoclue = {

     

       237
       237
       -
               isSystemUser = true;

     

       238
       238
       -
               home = "/var/lib/geoclue";

     

       239
       239
       -
               group = "geoclue";

     

       240
       240
       -
               description = "Geoinformation service";

     

       241
       241
       -
             };

     

       242
       242
       -
       

     

       243
       243
       -
             groups.geoclue = { };

     

       244
       244
       -
           };

     

       245
       245
       -
       

     

       246
       246
       -
           systemd.services.geoclue = {

     

       247
       247
       -
             wants = lib.optionals cfg.enableWifi [ "network-online.target" ];

     

       248
       248
       -
             after = lib.optionals cfg.enableWifi [ "network-online.target" ];

     

       249
       249
       -
             # restart geoclue service when the configuration changes

     

       250
       250
       -
             restartTriggers = [

     

       251
       251
       -
               config.environment.etc."geoclue/geoclue.conf".source

     

       252
       252
       -
             ];

     

       253
       253
       -
             serviceConfig.StateDirectory = "geoclue";

     

       254
       254
       -
           };

     

       255
       255
       -
       

     

       256
       256
       -
           # this needs to run as a user service, since it's associated with the

     

       257
       257
       -
           # user who is making the requests

     

       258
       258
       -
           systemd.user.services = lib.mkIf cfg.enableDemoAgent {

     

       259
       259
       -
             geoclue-agent = {

     

       260
       260
       -
               description = "Geoclue agent";

     

       261
       261
       -
               # this should really be `partOf = [ "geoclue.service" ]`, but

     

       262
       262
       -
               # we can't be part of a system service, and the agent should

     

       263
       263
       -
               # be okay with the main service coming and going

     

       264
       264
       -
               wantedBy = [ "default.target" ];

     

       265
       265
       -
               wants = lib.optionals cfg.enableWifi [ "network-online.target" ];

     

       266
       266
       -
               after = lib.optionals cfg.enableWifi [ "network-online.target" ];

     

       267
       267
       -
               unitConfig.ConditionUser = "!@system";

     

       268
       268
       -
               serviceConfig = {

     

       269
       269
       -
                 Type = "exec";

     

       270
       270
       -
                 ExecStart = "${package}/libexec/geoclue-2.0/demos/agent";

     

       271
       271
       -
                 Restart = "on-failure";

     

       272
       272
       -
                 PrivateTmp = true;

     

       273
       273
       -
               };

     

       274
       274
       -
             };

     

       275
       275
       -
           };

     

       276
       276
       -
       

     

       277
       277
       -
           services.geoclue2.appConfig = {

     

       278
       278
       -
             epiphany = { isAllowed = true; isSystem = false; };

     

       279
       279
       -
             firefox = { isAllowed = true; isSystem = false; };

     

       280
       280
       -
           };

     

       281
       281
       -
       

     

       282
       282
       -
           environment.etc."geoclue/geoclue.conf".text =

     

       283
       283
       -
             lib.generators.toINI { } ({

     

       284
       284
       -
               agent = {

     

       285
       285
       -
                 whitelist = lib.concatStringsSep ";"

     

       286
       286
       -
                   (lib.optional cfg.enableDemoAgent "geoclue-demo-agent" ++ defaultWhitelist);

     

       287
       287
       -
               };

     

       288
       288
       -
               network-nmea = {

     

       289
       289
       -
                 enable = cfg.enableNmea;

     

       290
       290
       -
               };

     

       291
       291
       -
               "3g" = {

     

       292
       292
       -
                 enable = cfg.enable3G;

     

       293
       293
       -
               };

     

       294
       294
       -
               cdma = {

     

       295
       295
       -
                 enable = cfg.enableCDMA;

     

       296
       296
       -
               };

     

       297
       297
       -
               modem-gps = {

     

       298
       298
       -
                 enable = cfg.enableModemGPS;

     

       299
       299
       -
               };

     

       300
       300
       -
               wifi = {

     

       301
       301
       -
                 enable = cfg.enableWifi;

     

       302
       302
       -
                 url = cfg.geoProviderUrl;

     

       303
       303
       -
                 submit-data = lib.boolToString cfg.submitData;

     

       304
       304
       -
                 submission-url = cfg.submissionUrl;

     

       305
       305
       -
                 submission-nick = cfg.submissionNick;

     

       306
       306
       -
               };

     

       307
       307
       -
             } // lib.mapAttrs' appConfigToINICompatible cfg.appConfig);

     

       308
       308
       -
       

     

       309
       309
       -
           # environment.etc."geolocation" = mkIf (cfg.static != null) {

     

       310
       310
       -
           #   text = ''

     

       311
       311
       -
           #     ${toString cfg.static.latitude}

     

       312
       312
       -
           #     ${toString cfg.static.longitude}

     

       313
       313
       -
           #     ${toString cfg.static.altitude}

     

       314
       314
       -
           #     ${toString cfg.static.accuracyRadius}

     

       315
       315
       -
           #   '';

     

       316
       316
       -
           # };

     

       317
       317
       -
       

     

       318
       318
       -
           environment.etc."geolocation" = lib.mkIf (cfg.staticFile != null) { text = cfg.staticFile; };

     

       319
       319
       -
         };

     

       320
       320
       -
       

     

       321
       321
       -
         meta = with lib; {

     

       322
       322
       -
           maintainers = with maintainers; [ ] ++ teams.pantheon.members;

     

       323
       323
       -
         };

     

       324
       324
       -
       }

-673

modules/nixos/headscale.nix

···

       1
       1
       -
       { config

     

       2
       2
       -
       , lib

     

       3
       3
       -
       , pkgs

     

       4
       4
       -
       , ...

     

       5
       5
       -
       }:

     

       6
       6
       -
       let

     

       7
       7
       -
         cfg = config.services.headscale;

     

       8
       8
       -
       

     

       9
       9
       -
         dataDir = "/var/lib/headscale";

     

       10
       10
       -
         runDir = "/run/headscale";

     

       11
       11
       -
       

     

       12
       12
       -
         cliConfig = {

     

       13
       13
       -
           # Turn off update checks since the origin of our package

     

       14
       14
       -
           # is nixpkgs and not Github.

     

       15
       15
       -
           disable_check_updates = true;

     

       16
       16
       -
       

     

       17
       17
       -
           unix_socket = "${runDir}/headscale.sock";

     

       18
       18
       -
         };

     

       19
       19
       -
       

     

       20
       20
       -
         settingsFormat = pkgs.formats.yaml { };

     

       21
       21
       -
         configFile = settingsFormat.generate "headscale.yaml" cfg.settings;

     

       22
       22
       -
         cliConfigFile = settingsFormat.generate "headscale.yaml" cliConfig;

     

       23
       23
       -
       

     

       24
       24
       -
         assertRemovedOption = option: message: {

     

       25
       25
       -
           assertion = !lib.hasAttrByPath option cfg;

     

       26
       26
       -
           message =

     

       27
       27
       -
             "The option `services.headscale.${lib.options.showOption option}` was removed. " + message;

     

       28
       28
       -
         };

     

       29
       29
       -
       in

     

       30
       30
       -
       {

     

       31
       31
       -
         options = {

     

       32
       32
       -
           services.headscale = {

     

       33
       33
       -
             enable = lib.mkEnableOption "headscale, Open Source coordination server for Tailscale";

     

       34
       34
       -
       

     

       35
       35
       -
             package = lib.mkPackageOption pkgs "headscale" { };

     

       36
       36
       -
       

     

       37
       37
       -
             user = lib.mkOption {

     

       38
       38
       -
               default = "headscale";

     

       39
       39
       -
               type = lib.types.str;

     

       40
       40
       -
               description = ''

     

       41
       41
       -
                 User account under which headscale runs.

     

       42
       42
       -
       

     

       43
       43
       -
                 ::: {.note}

     

       44
       44
       -
                 If left as the default value this user will automatically be created

     

       45
       45
       -
                 on system activation, otherwise you are responsible for

     

       46
       46
       -
                 ensuring the user exists before the headscale service starts.

     

       47
       47
       -
                 :::

     

       48
       48
       -
               '';

     

       49
       49
       -
             };

     

       50
       50
       -
       

     

       51
       51
       -
             group = lib.mkOption {

     

       52
       52
       -
               default = "headscale";

     

       53
       53
       -
               type = lib.types.str;

     

       54
       54
       -
               description = ''

     

       55
       55
       -
                 Group under which headscale runs.

     

       56
       56
       -
       

     

       57
       57
       -
                 ::: {.note}

     

       58
       58
       -
                 If left as the default value this group will automatically be created

     

       59
       59
       -
                 on system activation, otherwise you are responsible for

     

       60
       60
       -
                 ensuring the user exists before the headscale service starts.

     

       61
       61
       -
                 :::

     

       62
       62
       -
               '';

     

       63
       63
       -
             };

     

       64
       64
       -
       

     

       65
       65
       -
             address = lib.mkOption {

     

       66
       66
       -
               type = lib.types.str;

     

       67
       67
       -
               default = "127.0.0.1";

     

       68
       68
       -
               description = ''

     

       69
       69
       -
                 Listening address of headscale.

     

       70
       70
       -
               '';

     

       71
       71
       -
               example = "0.0.0.0";

     

       72
       72
       -
             };

     

       73
       73
       -
       

     

       74
       74
       -
             port = lib.mkOption {

     

       75
       75
       -
               type = lib.types.port;

     

       76
       76
       -
               default = 8080;

     

       77
       77
       -
               description = ''

     

       78
       78
       -
                 Listening port of headscale.

     

       79
       79
       -
               '';

     

       80
       80
       -
               example = 443;

     

       81
       81
       -
             };

     

       82
       82
       -
       

     

       83
       83
       -
             settings = lib.mkOption {

     

       84
       84
       -
               description = ''

     

       85
       85
       -
                 Overrides to {file}`config.yaml` as a Nix attribute set.

     

       86
       86
       -
                 Check the [example config](https://github.com/juanfont/headscale/blob/main/config-example.yaml)

     

       87
       87
       -
                 for possible options.

     

       88
       88
       -
               '';

     

       89
       89
       -
               type = lib.types.submodule {

     

       90
       90
       -
                 freeformType = settingsFormat.type;

     

       91
       91
       -
       

     

       92
       92
       -
                 options = {

     

       93
       93
       -
                   server_url = lib.mkOption {

     

       94
       94
       -
                     type = lib.types.str;

     

       95
       95
       -
                     default = "http://127.0.0.1:8080";

     

       96
       96
       -
                     description = ''

     

       97
       97
       -
                       The url clients will connect to.

     

       98
       98
       -
                     '';

     

       99
       99
       -
                     example = "https://myheadscale.example.com:443";

     

       100
       100
       -
                   };

     

       101
       101
       -
       

     

       102
       102
       -
                   noise.private_key_path = lib.mkOption {

     

       103
       103
       -
                     type = lib.types.path;

     

       104
       104
       -
                     default = "${dataDir}/noise_private.key";

     

       105
       105
       -
                     description = ''

     

       106
       106
       -
                       Path to noise private key file, generated automatically if it does not exist.

     

       107
       107
       -
                     '';

     

       108
       108
       -
                   };

     

       109
       109
       -
       

     

       110
       110
       -
                   prefixes =

     

       111
       111
       -
                     let

     

       112
       112
       -
                       prefDesc = ''

     

       113
       113
       -
                         Each prefix consists of either an IPv4 or IPv6 address,

     

       114
       114
       -
                         and the associated prefix length, delimited by a slash.

     

       115
       115
       -
                         It must be within IP ranges supported by the Tailscale

     

       116
       116
       -
                         client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.

     

       117
       117
       -
                       '';

     

       118
       118
       -
                     in

     

       119
       119
       -
                     {

     

       120
       120
       -
                       v4 = lib.mkOption {

     

       121
       121
       -
                         type = lib.types.str;

     

       122
       122
       -
                         default = "100.64.0.0/10";

     

       123
       123
       -
                         description = prefDesc;

     

       124
       124
       -
                       };

     

       125
       125
       -
       

     

       126
       126
       -
                       v6 = lib.mkOption {

     

       127
       127
       -
                         type = lib.types.str;

     

       128
       128
       -
                         default = "fd7a:115c:a1e0::/48";

     

       129
       129
       -
                         description = prefDesc;

     

       130
       130
       -
                       };

     

       131
       131
       -
       

     

       132
       132
       -
                       allocation = lib.mkOption {

     

       133
       133
       -
                         type = lib.types.enum [

     

       134
       134
       -
                           "sequential"

     

       135
       135
       -
                           "random"

     

       136
       136
       -
                         ];

     

       137
       137
       -
                         example = "random";

     

       138
       138
       -
                         default = "sequential";

     

       139
       139
       -
                         description = ''

     

       140
       140
       -
                           Strategy used for allocation of IPs to nodes, available options:

     

       141
       141
       -
                           - sequential (default): assigns the next free IP from the previous given IP.

     

       142
       142
       -
                           - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).

     

       143
       143
       -
                         '';

     

       144
       144
       -
                       };

     

       145
       145
       -
                     };

     

       146
       146
       -
       

     

       147
       147
       -
                   derp = {

     

       148
       148
       -
                     urls = lib.mkOption {

     

       149
       149
       -
                       type = lib.types.listOf lib.types.str;

     

       150
       150
       -
                       default = [ "https://controlplane.tailscale.com/derpmap/default" ];

     

       151
       151
       -
                       description = ''

     

       152
       152
       -
                         List of urls containing DERP maps.

     

       153
       153
       -
                         See [How Tailscale works](https://tailscale.com/blog/how-tailscale-works/) for more information on DERP maps.

     

       154
       154
       -
                       '';

     

       155
       155
       -
                     };

     

       156
       156
       -
       

     

       157
       157
       -
                     paths = lib.mkOption {

     

       158
       158
       -
                       type = lib.types.listOf lib.types.path;

     

       159
       159
       -
                       default = [ ];

     

       160
       160
       -
                       description = ''

     

       161
       161
       -
                         List of file paths containing DERP maps.

     

       162
       162
       -
                         See [How Tailscale works](https://tailscale.com/blog/how-tailscale-works/) for more information on DERP maps.

     

       163
       163
       -
                       '';

     

       164
       164
       -
                     };

     

       165
       165
       -
       

     

       166
       166
       -
                     auto_update_enable = lib.mkOption {

     

       167
       167
       -
                       type = lib.types.bool;

     

       168
       168
       -
                       default = true;

     

       169
       169
       -
                       description = ''

     

       170
       170
       -
                         Whether to automatically update DERP maps on a set frequency.

     

       171
       171
       -
                       '';

     

       172
       172
       -
                       example = false;

     

       173
       173
       -
                     };

     

       174
       174
       -
       

     

       175
       175
       -
                     update_frequency = lib.mkOption {

     

       176
       176
       -
                       type = lib.types.str;

     

       177
       177
       -
                       default = "24h";

     

       178
       178
       -
                       description = ''

     

       179
       179
       -
                         Frequency to update DERP maps.

     

       180
       180
       -
                       '';

     

       181
       181
       -
                       example = "5m";

     

       182
       182
       -
                     };

     

       183
       183
       -
       

     

       184
       184
       -
                     server.private_key_path = lib.mkOption {

     

       185
       185
       -
                       type = lib.types.path;

     

       186
       186
       -
                       default = "${dataDir}/derp_server_private.key";

     

       187
       187
       -
                       description = ''

     

       188
       188
       -
                         Path to derp private key file, generated automatically if it does not exist.

     

       189
       189
       -
                       '';

     

       190
       190
       -
                     };

     

       191
       191
       -
                   };

     

       192
       192
       -
       

     

       193
       193
       -
                   ephemeral_node_inactivity_timeout = lib.mkOption {

     

       194
       194
       -
                     type = lib.types.str;

     

       195
       195
       -
                     default = "30m";

     

       196
       196
       -
                     description = ''

     

       197
       197
       -
                       Time before an inactive ephemeral node is deleted.

     

       198
       198
       -
                     '';

     

       199
       199
       -
                     example = "5m";

     

       200
       200
       -
                   };

     

       201
       201
       -
       

     

       202
       202
       -
                   database = {

     

       203
       203
       -
                     type = lib.mkOption {

     

       204
       204
       -
                       type = lib.types.enum [

     

       205
       205
       -
                         "sqlite"

     

       206
       206
       -
                         "sqlite3"

     

       207
       207
       -
                         "postgres"

     

       208
       208
       -
                       ];

     

       209
       209
       -
                       example = "postgres";

     

       210
       210
       -
                       default = "sqlite";

     

       211
       211
       -
                       description = ''

     

       212
       212
       -
                         Database engine to use.

     

       213
       213
       -
                         Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.

     

       214
       214
       -
                         All new development, testing and optimisations are done with SQLite in mind.

     

       215
       215
       -
                       '';

     

       216
       216
       -
                     };

     

       217
       217
       -
       

     

       218
       218
       -
                     sqlite = {

     

       219
       219
       -
                       path = lib.mkOption {

     

       220
       220
       -
                         type = lib.types.nullOr lib.types.str;

     

       221
       221
       -
                         default = "${dataDir}/db.sqlite";

     

       222
       222
       -
                         description = "Path to the sqlite3 database file.";

     

       223
       223
       -
                       };

     

       224
       224
       -
       

     

       225
       225
       -
                       write_ahead_log = lib.mkOption {

     

       226
       226
       -
                         type = lib.types.bool;

     

       227
       227
       -
                         default = true;

     

       228
       228
       -
                         description = ''

     

       229
       229
       -
                           Enable WAL mode for SQLite. This is recommended for production environments.

     

       230
       230
       -
                           <https://www.sqlite.org/wal.html>

     

       231
       231
       -
                         '';

     

       232
       232
       -
                         example = true;

     

       233
       233
       -
                       };

     

       234
       234
       -
                     };

     

       235
       235
       -
       

     

       236
       236
       -
                     postgres = {

     

       237
       237
       -
                       host = lib.mkOption {

     

       238
       238
       -
                         type = lib.types.nullOr lib.types.str;

     

       239
       239
       -
                         default = null;

     

       240
       240
       -
                         example = "127.0.0.1";

     

       241
       241
       -
                         description = "Database host address.";

     

       242
       242
       -
                       };

     

       243
       243
       -
       

     

       244
       244
       -
                       port = lib.mkOption {

     

       245
       245
       -
                         type = lib.types.nullOr lib.types.port;

     

       246
       246
       -
                         default = null;

     

       247
       247
       -
                         example = 3306;

     

       248
       248
       -
                         description = "Database host port.";

     

       249
       249
       -
                       };

     

       250
       250
       -
       

     

       251
       251
       -
                       name = lib.mkOption {

     

       252
       252
       -
                         type = lib.types.nullOr lib.types.str;

     

       253
       253
       -
                         default = null;

     

       254
       254
       -
                         example = "headscale";

     

       255
       255
       -
                         description = "Database name.";

     

       256
       256
       -
                       };

     

       257
       257
       -
       

     

       258
       258
       -
                       user = lib.mkOption {

     

       259
       259
       -
                         type = lib.types.nullOr lib.types.str;

     

       260
       260
       -
                         default = null;

     

       261
       261
       -
                         example = "headscale";

     

       262
       262
       -
                         description = "Database user.";

     

       263
       263
       -
                       };

     

       264
       264
       -
       

     

       265
       265
       -
                       password_file = lib.mkOption {

     

       266
       266
       -
                         type = lib.types.nullOr lib.types.path;

     

       267
       267
       -
                         default = null;

     

       268
       268
       -
                         example = "/run/keys/headscale-dbpassword";

     

       269
       269
       -
                         description = ''

     

       270
       270
       -
                           A file containing the password corresponding to

     

       271
       271
       -
                           {option}`database.user`.

     

       272
       272
       -
                         '';

     

       273
       273
       -
                       };

     

       274
       274
       -
                     };

     

       275
       275
       -
                   };

     

       276
       276
       -
       

     

       277
       277
       -
                   log = {

     

       278
       278
       -
                     level = lib.mkOption {

     

       279
       279
       -
                       type = lib.types.str;

     

       280
       280
       -
                       default = "info";

     

       281
       281
       -
                       description = ''

     

       282
       282
       -
                         headscale log level.

     

       283
       283
       -
                       '';

     

       284
       284
       -
                       example = "debug";

     

       285
       285
       -
                     };

     

       286
       286
       -
       

     

       287
       287
       -
                     format = lib.mkOption {

     

       288
       288
       -
                       type = lib.types.str;

     

       289
       289
       -
                       default = "text";

     

       290
       290
       -
                       description = ''

     

       291
       291
       -
                         headscale log format.

     

       292
       292
       -
                       '';

     

       293
       293
       -
                       example = "json";

     

       294
       294
       -
                     };

     

       295
       295
       -
                   };

     

       296
       296
       -
       

     

       297
       297
       -
                   dns = {

     

       298
       298
       -
                     magic_dns = lib.mkOption {

     

       299
       299
       -
                       type = lib.types.bool;

     

       300
       300
       -
                       default = true;

     

       301
       301
       -
                       description = ''

     

       302
       302
       -
                         Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).

     

       303
       303
       -
                       '';

     

       304
       304
       -
                       example = false;

     

       305
       305
       -
                     };

     

       306
       306
       -
       

     

       307
       307
       -
                     base_domain = lib.mkOption {

     

       308
       308
       -
                       type = lib.types.str;

     

       309
       309
       -
                       default = "";

     

       310
       310
       -
                       description = ''

     

       311
       311
       -
                         Defines the base domain to create the hostnames for MagicDNS.

     

       312
       312
       -
                         This domain must be different from the {option}`server_url`

     

       313
       313
       -
                         domain.

     

       314
       314
       -
                         {option}`base_domain` must be a FQDN, without the trailing dot.

     

       315
       315
       -
                         The FQDN of the hosts will be `hostname.base_domain` (e.g.

     

       316
       316
       -
                         `myhost.tailnet.example.com`).

     

       317
       317
       -
                       '';

     

       318
       318
       -
                       example = "tailnet.example.com";

     

       319
       319
       -
                     };

     

       320
       320
       -
       

     

       321
       321
       -
                     nameservers = {

     

       322
       322
       -
                       global = lib.mkOption {

     

       323
       323
       -
                         type = lib.types.listOf lib.types.str;

     

       324
       324
       -
                         default = [ ];

     

       325
       325
       -
                         description = ''

     

       326
       326
       -
                           List of nameservers to pass to Tailscale clients.

     

       327
       327
       -
                         '';

     

       328
       328
       -
                       };

     

       329
       329
       -
                     };

     

       330
       330
       -
       

     

       331
       331
       -
                     search_domains = lib.mkOption {

     

       332
       332
       -
                       type = lib.types.listOf lib.types.str;

     

       333
       333
       -
                       default = [ ];

     

       334
       334
       -
                       description = ''

     

       335
       335
       -
                         Search domains to inject to Tailscale clients.

     

       336
       336
       -
                       '';

     

       337
       337
       -
                       example = [ "mydomain.internal" ];

     

       338
       338
       -
                     };

     

       339
       339
       -
                   };

     

       340
       340
       -
       

     

       341
       341
       -
                   oidc = {

     

       342
       342
       -
                     issuer = lib.mkOption {

     

       343
       343
       -
                       type = lib.types.str;

     

       344
       344
       -
                       default = "";

     

       345
       345
       -
                       description = ''

     

       346
       346
       -
                         URL to OpenID issuer.

     

       347
       347
       -
                       '';

     

       348
       348
       -
                       example = "https://openid.example.com";

     

       349
       349
       -
                     };

     

       350
       350
       -
       

     

       351
       351
       -
                     client_id = lib.mkOption {

     

       352
       352
       -
                       type = lib.types.str;

     

       353
       353
       -
                       default = "";

     

       354
       354
       -
                       description = ''

     

       355
       355
       -
                         OpenID Connect client ID.

     

       356
       356
       -
                       '';

     

       357
       357
       -
                     };

     

       358
       358
       -
       

     

       359
       359
       -
                     client_secret_path = lib.mkOption {

     

       360
       360
       -
                       type = lib.types.nullOr lib.types.str;

     

       361
       361
       -
                       default = null;

     

       362
       362
       -
                       description = ''

     

       363
       363
       -
                         Path to OpenID Connect client secret file. Expands environment variables in format ''${VAR}.

     

       364
       364
       -
                       '';

     

       365
       365
       -
                     };

     

       366
       366
       -
       

     

       367
       367
       -
                     scope = lib.mkOption {

     

       368
       368
       -
                       type = lib.types.listOf lib.types.str;

     

       369
       369
       -
                       default = [

     

       370
       370
       -
                         "openid"

     

       371
       371
       -
                         "profile"

     

       372
       372
       -
                         "email"

     

       373
       373
       -
                       ];

     

       374
       374
       -
                       description = ''

     

       375
       375
       -
                         Scopes used in the OIDC flow.

     

       376
       376
       -
                       '';

     

       377
       377
       -
                     };

     

       378
       378
       -
       

     

       379
       379
       -
                     extra_params = lib.mkOption {

     

       380
       380
       -
                       type = lib.types.attrsOf lib.types.str;

     

       381
       381
       -
                       default = { };

     

       382
       382
       -
                       description = ''

     

       383
       383
       -
                         Custom query parameters to send with the Authorize Endpoint request.

     

       384
       384
       -
                       '';

     

       385
       385
       -
                       example = {

     

       386
       386
       -
                         domain_hint = "example.com";

     

       387
       387
       -
                       };

     

       388
       388
       -
                     };

     

       389
       389
       -
       

     

       390
       390
       -
                     allowed_domains = lib.mkOption {

     

       391
       391
       -
                       type = lib.types.listOf lib.types.str;

     

       392
       392
       -
                       default = [ ];

     

       393
       393
       -
                       description = ''

     

       394
       394
       -
                         Allowed principal domains. if an authenticated user's domain

     

       395
       395
       -
                         is not in this list authentication request will be rejected.

     

       396
       396
       -
                       '';

     

       397
       397
       -
                       example = [ "example.com" ];

     

       398
       398
       -
                     };

     

       399
       399
       -
       

     

       400
       400
       -
                     allowed_users = lib.mkOption {

     

       401
       401
       -
                       type = lib.types.listOf lib.types.str;

     

       402
       402
       -
                       default = [ ];

     

       403
       403
       -
                       description = ''

     

       404
       404
       -
                         Users allowed to authenticate even if not in allowedDomains.

     

       405
       405
       -
                       '';

     

       406
       406
       -
                       example = [ "alice@example.com" ];

     

       407
       407
       -
                     };

     

       408
       408
       -
                   };

     

       409
       409
       -
       

     

       410
       410
       -
                   tls_letsencrypt_hostname = lib.mkOption {

     

       411
       411
       -
                     type = lib.types.nullOr lib.types.str;

     

       412
       412
       -
                     default = "";

     

       413
       413
       -
                     description = ''

     

       414
       414
       -
                       Domain name to request a TLS certificate for.

     

       415
       415
       -
                     '';

     

       416
       416
       -
                   };

     

       417
       417
       -
       

     

       418
       418
       -
                   tls_letsencrypt_challenge_type = lib.mkOption {

     

       419
       419
       -
                     type = lib.types.enum [

     

       420
       420
       -
                       "TLS-ALPN-01"

     

       421
       421
       -
                       "HTTP-01"

     

       422
       422
       -
                     ];

     

       423
       423
       -
                     default = "HTTP-01";

     

       424
       424
       -
                     description = ''

     

       425
       425
       -
                       Type of ACME challenge to use, currently supported types:

     

       426
       426
       -
                       `HTTP-01` or `TLS-ALPN-01`.

     

       427
       427
       -
                     '';

     

       428
       428
       -
                   };

     

       429
       429
       -
       

     

       430
       430
       -
                   tls_letsencrypt_listen = lib.mkOption {

     

       431
       431
       -
                     type = lib.types.nullOr lib.types.str;

     

       432
       432
       -
                     default = ":http";

     

       433
       433
       -
                     description = ''

     

       434
       434
       -
                       When HTTP-01 challenge is chosen, letsencrypt must set up a

     

       435
       435
       -
                       verification endpoint, and it will be listening on:

     

       436
       436
       -
                       `:http = port 80`.

     

       437
       437
       -
                     '';

     

       438
       438
       -
                   };

     

       439
       439
       -
       

     

       440
       440
       -
                   tls_cert_path = lib.mkOption {

     

       441
       441
       -
                     type = lib.types.nullOr lib.types.path;

     

       442
       442
       -
                     default = null;

     

       443
       443
       -
                     description = ''

     

       444
       444
       -
                       Path to already created certificate.

     

       445
       445
       -
                     '';

     

       446
       446
       -
                   };

     

       447
       447
       -
       

     

       448
       448
       -
                   tls_key_path = lib.mkOption {

     

       449
       449
       -
                     type = lib.types.nullOr lib.types.path;

     

       450
       450
       -
                     default = null;

     

       451
       451
       -
                     description = ''

     

       452
       452
       -
                       Path to key for already created certificate.

     

       453
       453
       -
                     '';

     

       454
       454
       -
                   };

     

       455
       455
       -
       

     

       456
       456
       -
                   policy = {

     

       457
       457
       -
                     mode = lib.mkOption {

     

       458
       458
       -
                       type = lib.types.enum [

     

       459
       459
       -
                         "file"

     

       460
       460
       -
                         "database"

     

       461
       461
       -
                       ];

     

       462
       462
       -
                       default = "file";

     

       463
       463
       -
                       description = ''

     

       464
       464
       -
                         The mode can be "file" or "database" that defines

     

       465
       465
       -
                         where the ACL policies are stored and read from.

     

       466
       466
       -
                       '';

     

       467
       467
       -
                     };

     

       468
       468
       -
       

     

       469
       469
       -
                     path = lib.mkOption {

     

       470
       470
       -
                       type = lib.types.nullOr lib.types.path;

     

       471
       471
       -
                       default = null;

     

       472
       472
       -
                       description = ''

     

       473
       473
       -
                         If the mode is set to "file", the path to a

     

       474
       474
       -
                         HuJSON file containing ACL policies.

     

       475
       475
       -
                       '';

     

       476
       476
       -
                     };

     

       477
       477
       -
                   };

     

       478
       478
       -
                 };

     

       479
       479
       -
               };

     

       480
       480
       -
             };

     

       481
       481
       -
           };

     

       482
       482
       -
         };

     

       483
       483
       -
       

     

       484
       484
       -
         imports = with lib; [

     

       485
       485
       -
           (mkRenamedOptionModule

     

       486
       486
       -
             [ "services" "headscale" "derp" "autoUpdate" ]

     

       487
       487
       -
             [ "services" "headscale" "settings" "derp" "auto_update_enable" ]

     

       488
       488
       -
           )

     

       489
       489
       -
           (mkRenamedOptionModule

     

       490
       490
       -
             [ "services" "headscale" "derp" "paths" ]

     

       491
       491
       -
             [ "services" "headscale" "settings" "derp" "paths" ]

     

       492
       492
       -
           )

     

       493
       493
       -
           (mkRenamedOptionModule

     

       494
       494
       -
             [ "services" "headscale" "derp" "updateFrequency" ]

     

       495
       495
       -
             [ "services" "headscale" "settings" "derp" "update_frequency" ]

     

       496
       496
       -
           )

     

       497
       497
       -
           (mkRenamedOptionModule

     

       498
       498
       -
             [ "services" "headscale" "derp" "urls" ]

     

       499
       499
       -
             [ "services" "headscale" "settings" "derp" "urls" ]

     

       500
       500
       -
           )

     

       501
       501
       -
           (mkRenamedOptionModule

     

       502
       502
       -
             [ "services" "headscale" "ephemeralNodeInactivityTimeout" ]

     

       503
       503
       -
             [ "services" "headscale" "settings" "ephemeral_node_inactivity_timeout" ]

     

       504
       504
       -
           )

     

       505
       505
       -
           (mkRenamedOptionModule

     

       506
       506
       -
             [ "services" "headscale" "logLevel" ]

     

       507
       507
       -
             [ "services" "headscale" "settings" "log" "level" ]

     

       508
       508
       -
           )

     

       509
       509
       -
           (mkRenamedOptionModule

     

       510
       510
       -
             [ "services" "headscale" "openIdConnect" "clientId" ]

     

       511
       511
       -
             [ "services" "headscale" "settings" "oidc" "client_id" ]

     

       512
       512
       -
           )

     

       513
       513
       -
           (mkRenamedOptionModule

     

       514
       514
       -
             [ "services" "headscale" "openIdConnect" "clientSecretFile" ]

     

       515
       515
       -
             [ "services" "headscale" "settings" "oidc" "client_secret_path" ]

     

       516
       516
       -
           )

     

       517
       517
       -
           (mkRenamedOptionModule

     

       518
       518
       -
             [ "services" "headscale" "openIdConnect" "issuer" ]

     

       519
       519
       -
             [ "services" "headscale" "settings" "oidc" "issuer" ]

     

       520
       520
       -
           )

     

       521
       521
       -
           (mkRenamedOptionModule

     

       522
       522
       -
             [ "services" "headscale" "serverUrl" ]

     

       523
       523
       -
             [ "services" "headscale" "settings" "server_url" ]

     

       524
       524
       -
           )

     

       525
       525
       -
           (mkRenamedOptionModule

     

       526
       526
       -
             [ "services" "headscale" "tls" "certFile" ]

     

       527
       527
       -
             [ "services" "headscale" "settings" "tls_cert_path" ]

     

       528
       528
       -
           )

     

       529
       529
       -
           (mkRenamedOptionModule

     

       530
       530
       -
             [ "services" "headscale" "tls" "keyFile" ]

     

       531
       531
       -
             [ "services" "headscale" "settings" "tls_key_path" ]

     

       532
       532
       -
           )

     

       533
       533
       -
           (mkRenamedOptionModule

     

       534
       534
       -
             [ "services" "headscale" "tls" "letsencrypt" "challengeType" ]

     

       535
       535
       -
             [ "services" "headscale" "settings" "tls_letsencrypt_challenge_type" ]

     

       536
       536
       -
           )

     

       537
       537
       -
           (mkRenamedOptionModule

     

       538
       538
       -
             [ "services" "headscale" "tls" "letsencrypt" "hostname" ]

     

       539
       539
       -
             [ "services" "headscale" "settings" "tls_letsencrypt_hostname" ]

     

       540
       540
       -
           )

     

       541
       541
       -
           (mkRenamedOptionModule

     

       542
       542
       -
             [ "services" "headscale" "tls" "letsencrypt" "httpListen" ]

     

       543
       543
       -
             [ "services" "headscale" "settings" "tls_letsencrypt_listen" ]

     

       544
       544
       -
           )

     

       545
       545
       -
       

     

       546
       546
       -
           (mkRemovedOptionModule [ "services" "headscale" "openIdConnect" "domainMap" ] ''

     

       547
       547
       -
             Headscale no longer uses domain_map. If you're using an old version of headscale you can still set this option via services.headscale.settings.oidc.domain_map.

     

       548
       548
       -
           '')

     

       549
       549
       -
         ];

     

       550
       550
       -
       

     

       551
       551
       -
         config = lib.mkIf cfg.enable {

     

       552
       552
       -
           assertions = [

     

       553
       553
       -
             {

     

       554
       554
       -
               assertion = with cfg.settings; dns.magic_dns -> dns.base_domain != "";

     

       555
       555
       -
               message = "dns.base_domain must be set when using MagicDNS";

     

       556
       556
       -
             }

     

       557
       557
       -
             (assertRemovedOption [ "settings" "acl_policy_path" ] "Use `policy.path` instead.")

     

       558
       558
       -
             (assertRemovedOption [ "settings" "db_host" ] "Use `database.postgres.host` instead.")

     

       559
       559
       -
             (assertRemovedOption [ "settings" "db_name" ] "Use `database.postgres.name` instead.")

     

       560
       560
       -
             (assertRemovedOption [

     

       561
       561
       -
               "settings"

     

       562
       562
       -
               "db_password_file"

     

       563
       563
       -
             ] "Use `database.postgres.password_file` instead.")

     

       564
       564
       -
             (assertRemovedOption [ "settings" "db_path" ] "Use `database.sqlite.path` instead.")

     

       565
       565
       -
             (assertRemovedOption [ "settings" "db_port" ] "Use `database.postgres.port` instead.")

     

       566
       566
       -
             (assertRemovedOption [ "settings" "db_type" ] "Use `database.type` instead.")

     

       567
       567
       -
             (assertRemovedOption [ "settings" "db_user" ] "Use `database.postgres.user` instead.")

     

       568
       568
       -
             (assertRemovedOption [ "settings" "dns_config" ] "Use `dns` instead.")

     

       569
       569
       -
             (assertRemovedOption [ "settings" "dns_config" "domains" ] "Use `dns.search_domains` instead.")

     

       570
       570
       -
             (assertRemovedOption [

     

       571
       571
       -
               "settings"

     

       572
       572
       -
               "dns_config"

     

       573
       573
       -
               "nameservers"

     

       574
       574
       -
             ] "Use `dns.nameservers.global` instead.")

     

       575
       575
       -
           ];

     

       576
       576
       -
       

     

       577
       577
       -
           services.headscale.settings = lib.mkMerge [

     

       578
       578
       -
             cliConfig

     

       579
       579
       -
             {

     

       580
       580
       -
               listen_addr = lib.mkDefault "${cfg.address}:${toString cfg.port}";

     

       581
       581
       -
       

     

       582
       582
       -
               tls_letsencrypt_cache_dir = "${dataDir}/.cache";

     

       583
       583
       -
             }

     

       584
       584
       -
           ];

     

       585
       585
       -
       

     

       586
       586
       -
           environment = {

     

       587
       587
       -
             # Headscale CLI needs a minimal config to be able to locate the unix socket

     

       588
       588
       -
             # to talk to the server instance.

     

       589
       589
       -
             etc."headscale/config.yaml".source = cliConfigFile;

     

       590
       590
       -
       

     

       591
       591
       -
             systemPackages = [ cfg.package ];

     

       592
       592
       -
           };

     

       593
       593
       -
       

     

       594
       594
       -
           users.groups.headscale = lib.mkIf (cfg.group == "headscale") { };

     

       595
       595
       -
       

     

       596
       596
       -
           users.users.headscale = lib.mkIf (cfg.user == "headscale") {

     

       597
       597
       -
             description = "headscale user";

     

       598
       598
       -
             home = dataDir;

     

       599
       599
       -
             group = cfg.group;

     

       600
       600
       -
             isSystemUser = true;

     

       601
       601
       -
           };

     

       602
       602
       -
       

     

       603
       603
       -
           systemd.services.headscale = {

     

       604
       604
       -
             description = "headscale coordination server for Tailscale";

     

       605
       605
       -
             wants = [ "network-online.target" ];

     

       606
       606
       -
             after = [ "network-online.target" ];

     

       607
       607
       -
             wantedBy = [ "multi-user.target" ];

     

       608
       608
       -
       

     

       609
       609
       -
             script = ''

     

       610
       610
       -
               ${lib.optionalString (cfg.settings.database.postgres.password_file != null) ''

     

       611
       611
       -
                 export HEADSCALE_DATABASE_POSTGRES_PASS="$(head -n1 ${lib.escapeShellArg cfg.settings.database.postgres.password_file})"

     

       612
       612
       -
               ''}

     

       613
       613
       -
       

     

       614
       614
       -
               exec ${lib.getExe cfg.package} serve --config ${configFile}

     

       615
       615
       -
             '';

     

       616
       616
       -
       

     

       617
       617
       -
             serviceConfig =

     

       618
       618
       -
               let

     

       619
       619
       -
                 capabilityBoundingSet = [ "CAP_CHOWN" ] ++ lib.optional (cfg.port < 1024) "CAP_NET_BIND_SERVICE";

     

       620
       620
       -
               in

     

       621
       621
       -
               {

     

       622
       622
       -
                 Restart = "always";

     

       623
       623
       -
                 Type = "simple";

     

       624
       624
       -
                 User = cfg.user;

     

       625
       625
       -
                 Group = cfg.group;

     

       626
       626
       -
       

     

       627
       627
       -
                 # Hardening options

     

       628
       628
       -
                 RuntimeDirectory = "headscale";

     

       629
       629
       -
                 # Allow headscale group access so users can be added and use the CLI.

     

       630
       630
       -
                 RuntimeDirectoryMode = "0750";

     

       631
       631
       -
       

     

       632
       632
       -
                 StateDirectory = "headscale";

     

       633
       633
       -
                 StateDirectoryMode = "0750";

     

       634
       634
       -
       

     

       635
       635
       -
                 ProtectSystem = "strict";

     

       636
       636
       -
                 ProtectHome = true;

     

       637
       637
       -
                 PrivateTmp = true;

     

       638
       638
       -
                 PrivateDevices = true;

     

       639
       639
       -
                 ProtectKernelTunables = true;

     

       640
       640
       -
                 ProtectControlGroups = true;

     

       641
       641
       -
                 RestrictSUIDSGID = true;

     

       642
       642
       -
                 PrivateMounts = true;

     

       643
       643
       -
                 ProtectKernelModules = true;

     

       644
       644
       -
                 ProtectKernelLogs = true;

     

       645
       645
       -
                 ProtectHostname = true;

     

       646
       646
       -
                 ProtectClock = true;

     

       647
       647
       -
                 ProtectProc = "invisible";

     

       648
       648
       -
                 ProcSubset = "pid";

     

       649
       649
       -
                 RestrictNamespaces = true;

     

       650
       650
       -
                 RemoveIPC = true;

     

       651
       651
       -
                 UMask = "0077";

     

       652
       652
       -
       

     

       653
       653
       -
                 CapabilityBoundingSet = capabilityBoundingSet;

     

       654
       654
       -
                 AmbientCapabilities = capabilityBoundingSet;

     

       655
       655
       -
                 NoNewPrivileges = true;

     

       656
       656
       -
                 LockPersonality = true;

     

       657
       657
       -
                 RestrictRealtime = true;

     

       658
       658
       -
                 SystemCallFilter = [

     

       659
       659
       -
                   "@system-service"

     

       660
       660
       -
                   "~@privileged"

     

       661
       661
       -
                   "@chown"

     

       662
       662
       -
                 ];

     

       663
       663
       -
                 SystemCallArchitectures = "native";

     

       664
       664
       -
                 RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX";

     

       665
       665
       -
               };

     

       666
       666
       -
           };

     

       667
       667
       -
         };

     

       668
       668
       -
       

     

       669
       669
       -
         meta.maintainers = with lib.maintainers; [

     

       670
       670
       -
           kradalby

     

       671
       671
       -
           misterio77

     

       672
       672
       -
         ];

     

       673
       673
       -
       }

+5 -7

modules/nixos/logiops.nix

···

       11
       11
        
         rendered-config = libconfig-format.generate "logid.cfg" cfg.settings;

     

       12
       12
        
       in

     

       13
       13
        
       {

     

       14
       14
       -
         options.services.logiops = with lib; {

     

       15
       15
       -
           enable = mkEnableOption (mdDoc "Logiops HID++ configuration");

     

       14
       14
       +
         options.services.logiops = {

     

       15
       15
       +
           enable = lib.mkEnableOption "Logiops HID++ configuration";

     

       16
       16
        
       

     

       17
       17
       -
           package = mkPackageOption pkgs "logiops" { };

     

       17
       17
       +
           package = lib.mkPackageOption pkgs "logiops_0_2_3" { };

     

       18
       18
        
       

     

       19
       19
       -
           settings = mkOption {

     

       19
       19
       +
           settings = lib.mkOption {

     

       20
       20
        
             type = libconfig-format.type;

     

       21
       21
        
             default = { };

     

       22
       22
        
             example = {

     
···

       54
       54
        
                 ];

     

       55
       55
        
               }];

     

       56
       56
        
             };

     

       57
       57
       -
             description = mdDoc ''

     

       57
       57
       +
             description = lib.mdDoc ''

     

       58
       58
        
               Logid configuration. Refer to

     

       59
       59
        
               [the `logiops` wiki](https://github.com/PixlOne/logiops/wiki/Configuration)

     

       60
       60
        
               for details on supported values.

     
···

       72
       72
        
             restartTriggers = [ rendered-config ];

     

       73
       73
        
           };

     

       74
       74
        
         };

     

       75
       75
       -
       

     

       76
       76
       -
         meta.maintainers = with lib.maintainers; [ ckie ];

     

       77
       75
        
       }

+1 -1

nixos/fragments/kanata/arsenik.kbd.lisp

···

       59
       59
        
       ;; Numrow layer

     

       60
       60
        
       (deflayer numrow

     

       61
       61
        
         XX   XX   XX   XX   XX   XX   XX   XX   XX   XX   XX

     

       62
       62
       -
         XX   XX   XX   XX   XX        XX   XX   XX   XX   XX  

     

       62
       62
       +
         XX   XX   XX   XX   XX        XX   XX   XX   XX   XX

     

       63
       63
        
         @1   @2   @3   @4   @5        @6   @7   @8   @9   @0

     

       64
       64
        
         XX   XX   XX   XX   XX   XX   XX   XX   XX   XX   XX

     

       65
       65
        
              XX   XX             XX             XX   XX

+2 -4

nixos/fragments/logiops.nix

···

       1
       1
        
       { self

     

       2
       2
        
       , config

     

       3
       3
        
       , lib

     

       4
       4
       -
       , pkgs

     

       5
       4
        
       , ...

     

       6
       5
        
       }:

     

       7
       6
        
       

     
···

       19
       18
        
       

     

       20
       19
        
         config.services.logiops = lib.mkIf cfg.enable {

     

       21
       20
        
           enable = true;

     

       22
       22
       -
           package = pkgs.logiops_0_2_3;

     

       23
       21
        
       

     

       24
       22
        
           settings =

     

       25
       23
        
             let

     

       26
       24
        
               cid = {

     

       27
       25
        
                 #                  Control IDs │ reprog? │ fn key? │ mouse key? │ gesture support?

     

       28
       28
       -
                 leftMouse = 80; #         0x50 │         │         │ YES        │ 

     

       29
       29
       -
                 rightMouse = 81; #        0x51 │         │         │ YES        │ 

     

       26
       26
       +
                 leftMouse = 80; #         0x50 │         │         │ YES        │

     

       27
       27
       +
                 rightMouse = 81; #        0x51 │         │         │ YES        │

     

       30
       28
        
                 middleMouse = 81; #       0x52 │ YES     │         │ YES        │ YES

     

       31
       29
        
                 back = 83; #              0x53 │ YES     │         │ YES        │ YES

     

       32
       30
        
                 forward = 86; #           0x56 │ YES     │         │ YES        │ YES

+9 -1

nixos/fragments/nix.nix

···

       33
       33
        
               # Make NixOS system's legacy channels consistent with registry and flake inputs

     

       34
       34
        
               else lib.mapAttrsToList (key: value: "${key}=${value.to.path}") config.nix.registry;

     

       35
       35
        
       

     

       36
       36
       -
       

     

       37
       36
        
             gc = {

     

       38
       37
        
               automatic = true;

     

       39
       38
        
               # absolute disk space saver, if you forget to run GC

     
···

       55
       54
        
               # avoid network calls at each nix invoation.

     

       56
       55
        
               flake-registry = "";

     

       57
       56
        
       

     

       57
       57
       +
               use-xdg-base-directories = true;

     

       58
       58
       +
       

     

       58
       59
        
               keep-going = true;

     

       59
       60
        
       

     

       60
       61
        
               extra-platforms = config.boot.binfmt.emulatedSystems;

     
···

       63
       64
        
               extra-substituters = [ "https://nix-community.cachix.org" ];

     

       64
       65
        
               extra-trusted-public-keys = [ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ];

     

       65
       66
        
             };

     

       67
       67
       +
           };

     

       68
       68
       +
       

     

       69
       69
       +
           # other disk space saver

     

       70
       70
       +
           services.angrr = {

     

       71
       71
       +
             enable = true;

     

       72
       72
       +
             period = "2weeks";

     

       73
       73
       +
             enableNixGcIntegration = true;

     

       66
       74
        
           };

     

       67
       75
        
         };

     

       68
       76
        
       }

+7 -8

nixos/fragments/security.nix

···

       21
       21
        
           security.rtkit.enable = true;

     

       22
       22
        
       

     

       23
       23
        
           # Systemd Login

     

       24
       24
       -
           services.logind = {

     

       25
       25
       -
             lidSwitch = "suspend";

     

       26
       26
       -
             extraConfig = lib.generators.toKeyValue { } {

     

       27
       27
       -
               IdleAction = "lock";

     

       28
       28
       -
               # Don’t shutdown when power button is short-pressed

     

       29
       29
       -
               HandlePowerKey = "lock";

     

       30
       30
       -
               HandlePowerKeyLongPress = "suspend";

     

       31
       31
       -
             };

     

       24
       24
       +
           services.logind.settings.Login = {

     

       25
       25
       +
             HandleLidSwitch = "suspend";

     

       26
       26
       +
             IdleAction = "lock";

     

       27
       27
       +
             # Don’t shutdown when power button is short-pressed

     

       28
       28
       +
             HandlePowerKey = "lock";

     

       29
       29
       +
             HandlePowerKeyLongPress = "suspend";

     

       32
       30
        
           };

     

       33
       31
        
       

     

       34
       32
        
           # `swaylock` pam service must be at least declared to work properly

     
···

       40
       38
        
           # Signing

     

       41
       39
        
           programs.gnupg.agent.enable = true;

     

       42
       40
        
           services.gnome.gnome-keyring.enable = true;

     

       41
       41
       +
           services.gnome.gcr-ssh-agent.enable = false;

     

       43
       42
        
       

     

       44
       43
        
           # SSH

     

       45
       44
        
           services.openssh = {

+6 -19

nixos/profiles/laptop.nix

···

       1
       1
       -
       { self

     

       2
       2
       -
       , config

     

       1
       1
       +
       { config

     

       3
       2
        
       , pkgs

     

       4
       3
        
       , ...

     

       5
       4
        
       }:

     

       6
       5
        
       

     

       7
       7
       -
       let

     

       8
       8
       -
         inherit (self.outputs) nixosModules;

     

       9
       9
       -
       in

     

       10
       6
        
       {

     

       11
       11
       -
         imports = [

     

       12
       12
       -
           # Replaces nixpkgs module with a custom one that support fallback static location

     

       13
       13
       -
           nixosModules.geoclue2

     

       14
       14
       -
         ];

     

       15
       15
       -
       

     

       16
       7
        
         config = {

     

       17
       8
        
           local.fragment = {

     

       18
       9
        
             agenix.enable = true;

     
···

       42
       33
        
             kernel.sysctl."kernel.perf_event_paranoid" = -1;

     

       43
       34
        
       

     

       44
       35
        
             kernelPackages = pkgs.linuxKernel.packages.linux_zen;

     

       45
       45
       -
             extraModulePackages = with config.boot.kernelPackages; [ perf xone ];

     

       36
       36
       +
             extraModulePackages = with config.boot.kernelPackages; [ xone ];

     

       46
       37
        
       

     

       47
       38
        
             loader = {

     

       48
       39
        
               systemd-boot.enable = true;

     
···

       56
       47
        
       

     

       57
       48
        
           # Once in a while, the session stop job hangs and lasts the full default

     

       58
       49
        
           # time (1min30). I just want to shutdown my computer please.

     

       59
       59
       -
           systemd.extraConfig = ''

     

       60
       60
       -
             DefaultTimeoutStopSec = 10s

     

       61
       61
       -
           '';

     

       50
       50
       +
           systemd.settings.Manager.DefaultTimeoutStopSec = "10s";

     

       62
       51
        
       

     

       63
       52
        
           programs.dconf.enable = true;

     

       64
       53
        
       

     
···

       86
       75
        
               };

     

       87
       76
        
             };

     

       88
       77
        
       

     

       89
       89
       -
           programs.command-not-found.enable = false;

     

       90
       90
       -
       

     

       91
       78
        
           # This is needed for services like `darkman` and `gammastep`

     

       92
       79
        
           services.geoclue2 = {

     

       93
       80
        
             enable = true;

     

       94
       81
        
       

     

       95
       95
       -
             # Fallback using custom geoclue2 module waitng for an alternative to MLS

     

       82
       82
       +
             # Fallback using custom geoclue2 module waiting for an alternative to MLS

     

       96
       83
        
             # (Mozilla Location Services). See related module in repo.

     

       97
       84
        
             # INFO:   lat vvvv  vvv long → Paris rough location

     

       98
       98
       -
             staticFile = "48.8\n2.3\n0\n0\n";

     

       85
       85
       +
             # staticFile = "48.8\n2.3\n0\n0\n";

     

       99
       86
        
           };

     

       100
       87
        
       

     

       101
       88
        
           programs.wireshark = {

     
···

       104
       91
        
           };

     

       105
       92
        
           users.users.${config.local.user.username}.extraGroups = [ "wireshark" "plugdev" ];

     

       106
       93
        
       

     

       107
       107
       -
           # This option is already filled with aliases that snowball and have 

     

       94
       94
       +
           # This option is already filled with aliases that snowball and have

     

       108
       95
        
           # priority on fish internal `ls` aliases

     

       109
       96
        
           environment.shellAliases = { ls = null; ll = null; l = null; };

     

       110
       97
        
           programs.fish.enable = true;

-708

nixos/profiles/server.nix

···

       1
       1
       -
       { self

     

       2
       2
       -
       , config

     

       3
       3
       -
       , pkgs

     

       4
       4
       -
       , upkgs

     

       5
       5
       -
       , ...

     

       6
       6
       -
       }:

     

       7
       7
       -
       

     

       8
       8
       -
       let

     

       9
       9
       -
         inherit (self.inputs) unixpkgs srvos hypixel-bank-tracker tangled;

     

       10
       10
       -
       

     

       11
       11
       -
         json-format = pkgs.formats.json { };

     

       12
       12
       -
       

     

       13
       13
       -
         ext-if = "eth0";

     

       14
       14
       -
         external-ip = "91.99.55.74";

     

       15
       15
       -
         external-netmask = 27;

     

       16
       16
       -
         external-gw = "144.x.x.255";

     

       17
       17
       -
         external-ip6 = "2a01:4f8:c2c:76d2::1";

     

       18
       18
       -
         external-netmask6 = 64;

     

       19
       19
       -
         external-gw6 = "fe80::1";

     

       20
       20
       -
       

     

       21
       21
       -
         well-known-discord-dir = pkgs.writeTextDir ".well-known/discord" ''

     

       22
       22
       -
           dh=919234284ceb2aba439d15b9136073eb2308989b

     

       23
       23
       -
         '';

     

       24
       24
       -
         webfinger-dir = pkgs.writeTextDir ".well-known/webfinger" ''

     

       25
       25
       -
           {

     

       26
       26
       -
             "subject": "acct:milo@wiro.world",

     

       27
       27
       -
             "aliases": [

     

       28
       28
       -
               "mailto:milo@wiro.world",

     

       29
       29
       -
               "https://wiro.world/"

     

       30
       30
       -
             ],

     

       31
       31
       -
             "links": [

     

       32
       32
       -
               {

     

       33
       33
       -
                 "rel": "http://wiro.world/rel/avatar",

     

       34
       34
       -
                 "href": "https://wiro.world/logo.jpg",

     

       35
       35
       -
                 "type": "image/jpeg"

     

       36
       36
       -
               },

     

       37
       37
       -
               {

     

       38
       38
       -
                 "rel": "http://webfinger.net/rel/profile-page",

     

       39
       39
       -
                 "href": "https://wiro.world/",

     

       40
       40
       -
                 "type": "text/html"

     

       41
       41
       -
               },

     

       42
       42
       -
               {

     

       43
       43
       -
                 "rel": "http://openid.net/specs/connect/1.0/issuer",

     

       44
       44
       -
                 "href": "https://auth.wiro.world"

     

       45
       45
       -
               }

     

       46
       46
       -
             ]

     

       47
       47
       -
           }

     

       48
       48
       -
         '';

     

       49
       49
       -
       

     

       50
       50
       -
         website-hostname = "wiro.world";

     

       51
       51
       -
       

     

       52
       52
       -
         pds-port = 3001;

     

       53
       53
       -
         pds-hostname = "pds.wiro.world";

     

       54
       54
       -
       

     

       55
       55
       -
         grafana-port = 3002;

     

       56
       56
       -
         grafana-hostname = "console.wiro.world";

     

       57
       57
       -
       

     

       58
       58
       -
         tangled-owner = "did:plc:xhgrjm4mcx3p5h3y6eino6ti";

     

       59
       59
       -
         tangled-knot-port = 3003;

     

       60
       60
       -
         tangled-knot-hostname = "knot.wiro.world";

     

       61
       61
       -
         tangled-spindle-port = 3004;

     

       62
       62
       -
         tangled-spindle-hostname = "spindle.wiro.world";

     

       63
       63
       -
       

     

       64
       64
       -
         thelounge-port = 3005;

     

       65
       65
       -
         thelounge-hostname = "lounge.wiro.world";

     

       66
       66
       -
       

     

       67
       67
       -
         headscale-port = 3006;

     

       68
       68
       -
         headscale-derp-port = 3478;

     

       69
       69
       -
         headscale-hostname = "headscale.wiro.world";

     

       70
       70
       -
       

     

       71
       71
       -
         lldap-port = 3007;

     

       72
       72
       -
         lldap-hostname = "ldap.wiro.world";

     

       73
       73
       -
       

     

       74
       74
       -
         authelia-port = 3008;

     

       75
       75
       -
         authelia-hostname = "auth.wiro.world";

     

       76
       76
       -
       

     

       77
       77
       -
         matrix-port = 3009;

     

       78
       78
       -
         matrix-hostname = "matrix.wiro.world";

     

       79
       79
       -
       

     

       80
       80
       -
         goatcounter-port = 3010;

     

       81
       81
       -
         goatcounter-hostname = "stats.wiro.world";

     

       82
       82
       -
       

     

       83
       83
       -
         vaultwarden-port = 3011;

     

       84
       84
       -
         vaultwarden-hostname = "vault.wiro.world";

     

       85
       85
       -
       

     

       86
       86
       -
         miniflux-port = 3012;

     

       87
       87
       -
         miniflux-hostname = "news.wiro.world";

     

       88
       88
       -
       

     

       89
       89
       -
         hbt-main-port = 3013;

     

       90
       90
       -
         hbt-banana-port = 3014;

     

       91
       91
       -
       

     

       92
       92
       -
         prometheus-port = 9001;

     

       93
       93
       -
         prometheus-node-exporter-port = 9002;

     

       94
       94
       -
         headscale-metrics-port = 9003;

     

       95
       95
       -
         authelia-metrics-port = 9004;

     

       96
       96
       -
       in

     

       97
       97
       -
       {

     

       98
       98
       -
         disabledModules = [ "services/networking/headscale.nix" ];

     

       99
       99
       -
       

     

       100
       100
       -
         imports = [

     

       101
       101
       -
           srvos.nixosModules.server

     

       102
       102
       -
           srvos.nixosModules.hardware-hetzner-cloud

     

       103
       103
       -
           srvos.nixosModules.mixins-terminfo

     

       104
       104
       -
       

     

       105
       105
       -
           self.nixosModules.headscale

     

       106
       106
       -
       

     

       107
       107
       -
           hypixel-bank-tracker.nixosModules.default

     

       108
       108
       -
       

     

       109
       109
       -
           tangled.nixosModules.knot

     

       110
       110
       -
           tangled.nixosModules.spindle

     

       111
       111
       -
       

     

       112
       112
       -
           "${unixpkgs}/nixos/modules/services/matrix/tuwunel.nix"

     

       113
       113
       -
         ];

     

       114
       114
       -
       

     

       115
       115
       -
         config = {

     

       116
       116
       -
           boot.loader.grub.enable = true;

     

       117
       117
       -
           boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "ext4" ];

     

       118
       118
       -
       

     

       119
       119
       -
           # Single network card is `eth0`

     

       120
       120
       -
           networking.usePredictableInterfaceNames = false;

     

       121
       121
       -
       

     

       122
       122
       -
           networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ];

     

       123
       123
       -
       

     

       124
       124
       -
           networking = {

     

       125
       125
       -
             interfaces.${ext-if} = {

     

       126
       126
       -
               ipv4.addresses = [{ address = external-ip; prefixLength = external-netmask; }];

     

       127
       127
       -
               ipv6.addresses = [{ address = external-ip6; prefixLength = external-netmask6; }];

     

       128
       128
       -
             };

     

       129
       129
       -
             defaultGateway = { interface = ext-if; address = external-gw; };

     

       130
       130
       -
             defaultGateway6 = { interface = ext-if; address = external-gw6; };

     

       131
       131
       -
       

     

       132
       132
       -
             # Reflect firewall configuration on Hetzner

     

       133
       133
       -
             firewall.allowedTCPPorts = [ 22 80 443 ];

     

       134
       134
       -
             firewall.allowedUDPPorts = [ headscale-derp-port ];

     

       135
       135
       -
           };

     

       136
       136
       -
       

     

       137
       137
       -
           services.qemuGuest.enable = true;

     

       138
       138
       -
       

     

       139
       139
       -
           services.openssh.enable = true;

     

       140
       140
       -
       

     

       141
       141
       -
           services.tailscale.enable = true;

     

       142
       142
       -
       

     

       143
       143
       -
           security.sudo.wheelNeedsPassword = false;

     

       144
       144
       -
       

     

       145
       145
       -
           local.fragment.nix.enable = true;

     

       146
       146
       -
       

     

       147
       147
       -
           programs.fish.enable = true;

     

       148
       148
       -
       

     

       149
       149
       -
           services.fail2ban = {

     

       150
       150
       -
             enable = true;

     

       151
       151
       -
       

     

       152
       152
       -
             maxretry = 5;

     

       153
       153
       -
             ignoreIP = [ ];

     

       154
       154
       -
       

     

       155
       155
       -
             bantime = "24h";

     

       156
       156
       -
             bantime-increment = {

     

       157
       157
       -
               enable = true;

     

       158
       158
       -
               multipliers = "1 2 4 8 16 32 64";

     

       159
       159
       -
               maxtime = "168h";

     

       160
       160
       -
               overalljails = true;

     

       161
       161
       -
             };

     

       162
       162
       -
       

     

       163
       163
       -
             jails = { };

     

       164
       164
       -
           };

     

       165
       165
       -
       

     

       166
       166
       -
           services.caddy = {

     

       167
       167
       -
             enable = true;

     

       168
       168
       -
       

     

       169
       169
       -
             globalConfig = ''

     

       170
       170
       -
               metrics { per_host }

     

       171
       171
       -
       

     

       172
       172
       -
               on_demand_tls {

     

       173
       173
       -
                 ask http://localhost:${toString pds-port}/tls-check

     

       174
       174
       -
               }

     

       175
       175
       -
             '';

     

       176
       176
       -
       

     

       177
       177
       -
             virtualHosts.${website-hostname}.extraConfig =

     

       178
       178
       -
               ''

     

       179
       179
       -
                 @discord {

     

       180
       180
       -
                   path /.well-known/discord

     

       181
       181
       -
                   method GET HEAD

     

       182
       182
       -
                 }

     

       183
       183
       -
                 route @discord {

     

       184
       184
       -
                   header {

     

       185
       185
       -
                     Access-Control-Allow-Origin "*"

     

       186
       186
       -
                     X-Robots-Tag "noindex"

     

       187
       187
       -
                   }

     

       188
       188
       -
                   root ${well-known-discord-dir}

     

       189
       189
       -
                   file_server

     

       190
       190
       -
                 }

     

       191
       191
       -
               '' +

     

       192
       192
       -
               ''

     

       193
       193
       -
                 @webfinger {

     

       194
       194
       -
                   path /.well-known/webfinger

     

       195
       195
       -
                   method GET HEAD

     

       196
       196
       -
                   query resource=acct:milo@wiro.world

     

       197
       197
       -
                   query resource=mailto:milo@wiro.world

     

       198
       198
       -
                   query resource=https://wiro.world

     

       199
       199
       -
                   query resource=https://wiro.world/

     

       200
       200
       -
                 }

     

       201
       201
       -
                 route @webfinger {

     

       202
       202
       -
                   header {

     

       203
       203
       -
                     Content-Type "application/jrd+json"

     

       204
       204
       -
                     Access-Control-Allow-Origin "*"

     

       205
       205
       -
                     X-Robots-Tag "noindex"

     

       206
       206
       -
                   }

     

       207
       207
       -
                   root ${webfinger-dir}

     

       208
       208
       -
                   file_server

     

       209
       209
       -
                 }

     

       210
       210
       -
               '' +

     

       211
       211
       -
               ''

     

       212
       212
       -
                 reverse_proxy /.well-known/matrix/* http://localhost:${toString matrix-port}

     

       213
       213
       -
               '' +

     

       214
       214
       -
               # TODO: host website on server with automatic deployment

     

       215
       215
       -
               ''

     

       216
       216
       -
                 reverse_proxy https://mrnossiom.github.io {

     

       217
       217
       -
                 	header_up Host {http.request.host}

     

       218
       218
       -
                 }

     

       219
       219
       -
               '';

     

       220
       220
       -
       

     

       221
       221
       -
             virtualHosts.${grafana-hostname}.extraConfig = ''

     

       222
       222
       -
               reverse_proxy http://localhost:${toString grafana-port}

     

       223
       223
       -
             '';

     

       224
       224
       -
       

     

       225
       225
       -
             virtualHosts.${pds-hostname} = {

     

       226
       226
       -
               serverAliases = [ "*.${pds-hostname}" ];

     

       227
       227
       -
               extraConfig = ''

     

       228
       228
       -
                 	tls { on_demand }

     

       229
       229
       -
                   reverse_proxy http://localhost:${toString pds-port}

     

       230
       230
       -
               '';

     

       231
       231
       -
             };

     

       232
       232
       -
       

     

       233
       233
       -
             virtualHosts.${tangled-knot-hostname}.extraConfig = ''

     

       234
       234
       -
               reverse_proxy http://localhost:${toString tangled-knot-port}

     

       235
       235
       -
             '';

     

       236
       236
       -
       

     

       237
       237
       -
             virtualHosts.${tangled-spindle-hostname}.extraConfig = ''

     

       238
       238
       -
               reverse_proxy http://localhost:${toString tangled-spindle-port}

     

       239
       239
       -
             '';

     

       240
       240
       -
       

     

       241
       241
       -
             virtualHosts.${thelounge-hostname}.extraConfig = ''

     

       242
       242
       -
               reverse_proxy http://localhost:${toString thelounge-port}

     

       243
       243
       -
             '';

     

       244
       244
       -
       

     

       245
       245
       -
             virtualHosts.${headscale-hostname}.extraConfig = ''

     

       246
       246
       -
               reverse_proxy http://localhost:${toString headscale-port}

     

       247
       247
       -
             '';

     

       248
       248
       -
       

     

       249
       249
       -
             virtualHosts.${lldap-hostname}.extraConfig = ''

     

       250
       250
       -
               reverse_proxy http://localhost:${toString lldap-port}

     

       251
       251
       -
             '';

     

       252
       252
       -
       

     

       253
       253
       -
             virtualHosts.${authelia-hostname}.extraConfig = ''

     

       254
       254
       -
               reverse_proxy http://localhost:${toString authelia-port}

     

       255
       255
       -
             '';

     

       256
       256
       -
       

     

       257
       257
       -
             virtualHosts.${matrix-hostname}.extraConfig = ''

     

       258
       258
       -
               reverse_proxy /_matrix/* http://localhost:${toString matrix-port}

     

       259
       259
       -
             '';

     

       260
       260
       -
       

     

       261
       261
       -
             virtualHosts.${goatcounter-hostname}.extraConfig = ''

     

       262
       262
       -
               reverse_proxy http://localhost:${toString goatcounter-port}

     

       263
       263
       -
             '';

     

       264
       264
       -
       

     

       265
       265
       -
             virtualHosts.${vaultwarden-hostname}.extraConfig = ''

     

       266
       266
       -
               reverse_proxy http://localhost:${toString vaultwarden-port}

     

       267
       267
       -
             '';

     

       268
       268
       -
       

     

       269
       269
       -
             virtualHosts.${miniflux-hostname}.extraConfig = ''

     

       270
       270
       -
               reverse_proxy http://localhost:${toString miniflux-port}

     

       271
       271
       -
             '';

     

       272
       272
       -
       

     

       273
       273
       -
             virtualHosts."hypixel-bank-tracker.xyz".extraConfig = ''

     

       274
       274
       -
               reverse_proxy http://localhost:${toString hbt-main-port}

     

       275
       275
       -
             '';

     

       276
       276
       -
       

     

       277
       277
       -
             virtualHosts."banana.hypixel-bank-tracker.xyz".extraConfig = ''

     

       278
       278
       -
               reverse_proxy http://localhost:${toString hbt-banana-port}

     

       279
       279
       -
             '';

     

       280
       280
       -
           };

     

       281
       281
       -
       

     

       282
       282
       -
           age.secrets.pds-env.file = ../../secrets/pds-env.age;

     

       283
       283
       -
           services.pds = {

     

       284
       284
       -
             enable = true;

     

       285
       285
       -
             package = upkgs.bluesky-pds;

     

       286
       286
       -
       

     

       287
       287
       -
             settings = {

     

       288
       288
       -
               PDS_HOSTNAME = "pds.wiro.world";

     

       289
       289
       -
               PDS_PORT = pds-port;

     

       290
       290
       -
               # is in systemd /tmp subfolder

     

       291
       291
       -
               LOG_DESTINATION = "/tmp/pds.log";

     

       292
       292
       -
             };

     

       293
       293
       -
       

     

       294
       294
       -
             environmentFiles = [

     

       295
       295
       -
               config.age.secrets.pds-env.path

     

       296
       296
       -
             ];

     

       297
       297
       -
           };

     

       298
       298
       -
       

     

       299
       299
       -
           services.tangled.knot = {

     

       300
       300
       -
             enable = true;

     

       301
       301
       -
             openFirewall = true;

     

       302
       302
       -
       

     

       303
       303
       -
             motd = "Welcome to @wiro.world's knot!\n";

     

       304
       304
       -
             server = {

     

       305
       305
       -
               listenAddr = "localhost:${toString tangled-knot-port}";

     

       306
       306
       -
               hostname = tangled-knot-hostname;

     

       307
       307
       -
               owner = tangled-owner;

     

       308
       308
       -
             };

     

       309
       309
       -
           };

     

       310
       310
       -
       

     

       311
       311
       -
           services.tangled.spindle = {

     

       312
       312
       -
             enable = true;

     

       313
       313
       -
       

     

       314
       314
       -
             server = {

     

       315
       315
       -
               listenAddr = "localhost:${toString tangled-spindle-port}";

     

       316
       316
       -
               hostname = tangled-spindle-hostname;

     

       317
       317
       -
               owner = tangled-owner;

     

       318
       318
       -
             };

     

       319
       319
       -
           };

     

       320
       320
       -
       

     

       321
       321
       -
           age.secrets.grafana-oidc-secret = { file = ../../secrets/grafana-oidc-secret.age; owner = "grafana"; };

     

       322
       322
       -
           services.grafana = {

     

       323
       323
       -
             enable = true;

     

       324
       324
       -
       

     

       325
       325
       -
             settings = {

     

       326
       326
       -
               server = {

     

       327
       327
       -
                 http_port = grafana-port;

     

       328
       328
       -
                 domain = grafana-hostname;

     

       329
       329
       -
                 root_url = "https://${grafana-hostname}";

     

       330
       330
       -
               };

     

       331
       331
       -
       

     

       332
       332
       -
               "auth.generic_oauth" = {

     

       333
       333
       -
                 enable = true;

     

       334
       334
       -
                 name = "Authelia";

     

       335
       335
       -
                 icon = "signin";

     

       336
       336
       -
       

     

       337
       337
       -
                 client_id = "grafana";

     

       338
       338
       -
                 client_secret_path = config.age.secrets.grafana-oidc-secret.path;

     

       339
       339
       -
                 auto_login = true;

     

       340
       340
       -
       

     

       341
       341
       -
                 scopes = [ "openid" "profile" "email" "groups" ];

     

       342
       342
       -
                 auth_url = "https://auth.wiro.world/api/oidc/authorization";

     

       343
       343
       -
                 token_url = "https://auth.wiro.world/api/oidc/token";

     

       344
       344
       -
                 api_url = "https://auth.wiro.world/api/oidc/userinfo";

     

       345
       345
       -
                 use_pkce = true;

     

       346
       346
       -
               };

     

       347
       347
       -
             };

     

       348
       348
       -
           };

     

       349
       349
       -
       

     

       350
       350
       -
           services.prometheus = {

     

       351
       351
       -
             enable = true;

     

       352
       352
       -
             port = prometheus-port;

     

       353
       353
       -
       

     

       354
       354
       -
             scrapeConfigs = [

     

       355
       355
       -
               {

     

       356
       356
       -
                 job_name = "caddy";

     

       357
       357
       -
                 static_configs = [{ targets = [ "localhost:${toString 2019}" ]; }];

     

       358
       358
       -
               }

     

       359
       359
       -
               {

     

       360
       360
       -
                 job_name = "node-exporter";

     

       361
       361
       -
                 static_configs = [{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }];

     

       362
       362
       -
               }

     

       363
       363
       -
               {

     

       364
       364
       -
                 job_name = "headscale";

     

       365
       365
       -
                 static_configs = [{ targets = [ "localhost:${toString headscale-metrics-port}" ]; }];

     

       366
       366
       -
               }

     

       367
       367
       -
               {

     

       368
       368
       -
                 job_name = "authelia";

     

       369
       369
       -
                 static_configs = [{ targets = [ "localhost:${toString authelia-metrics-port}" ]; }];

     

       370
       370
       -
               }

     

       371
       371
       -
               {

     

       372
       372
       -
                 job_name = "miniflux";

     

       373
       373
       -
                 static_configs = [{ targets = [ "localhost:${toString miniflux-port}" ]; }];

     

       374
       374
       -
               }

     

       375
       375
       -
             ];

     

       376
       376
       -
       

     

       377
       377
       -
             exporters.node = {

     

       378
       378
       -
               enable = true;

     

       379
       379
       -
               port = prometheus-node-exporter-port;

     

       380
       380
       -
             };

     

       381
       381
       -
           };

     

       382
       382
       -
       

     

       383
       383
       -
           services.thelounge = {

     

       384
       384
       -
             enable = true;

     

       385
       385
       -
             port = thelounge-port;

     

       386
       386
       -
             public = false;

     

       387
       387
       -
       

     

       388
       388
       -
             extraConfig = {

     

       389
       389
       -
               host = "127.0.0.1";

     

       390
       390
       -
               reverseProxy = true;

     

       391
       391
       -
       

     

       392
       392
       -
               # TODO: use ldap, find a way to hide password

     

       393
       393
       -
             };

     

       394
       394
       -
           };

     

       395
       395
       -
       

     

       396
       396
       -
           age.secrets.headscale-oidc-secret = { file = ../../secrets/headscale-oidc-secret.age; owner = config.services.headscale.user; };

     

       397
       397
       -
           # TODO: add dependency on authelia

     

       398
       398
       -
           services.headscale = {

     

       399
       399
       -
             enable = true;

     

       400
       400
       -
             package = upkgs.headscale;

     

       401
       401
       -
       

     

       402
       402
       -
             port = headscale-port;

     

       403
       403
       -
             settings = {

     

       404
       404
       -
               server_url = "https://${headscale-hostname}";

     

       405
       405
       -
               metrics_listen_addr = "127.0.0.1:${toString headscale-metrics-port}";

     

       406
       406
       -
       

     

       407
       407
       -
               policy.path = json-format.generate "policy.json" {

     

       408
       408
       -
                 acls = [

     

       409
       409
       -
                   {

     

       410
       410
       -
                     action = "accept";

     

       411
       411
       -
                     src = [ "autogroup:member" ];

     

       412
       412
       -
                     dst = [ "autogroup:self:*" ];

     

       413
       413
       -
                   }

     

       414
       414
       -
                 ];

     

       415
       415
       -
                 ssh = [

     

       416
       416
       -
                   {

     

       417
       417
       -
                     action = "accept";

     

       418
       418
       -
                     src = [ "autogroup:member" ];

     

       419
       419
       -
                     dst = [ "autogroup:self" ];

     

       420
       420
       -
                     # Adding root here is privilege escalation as a feature :)

     

       421
       421
       -
                     users = [ "autogroup:nonroot" ];

     

       422
       422
       -
                   }

     

       423
       423
       -
                 ];

     

       424
       424
       -
               };

     

       425
       425
       -
       

     

       426
       426
       -
               # disable TLS

     

       427
       427
       -
               tls_cert_path = null;

     

       428
       428
       -
               tls_key_path = null;

     

       429
       429
       -
       

     

       430
       430
       -
               dns = {

     

       431
       431
       -
                 magic_dns = true;

     

       432
       432
       -
                 base_domain = "net.wiro.world";

     

       433
       433
       -
       

     

       434
       434
       -
                 override_local_dns = true;

     

       435
       435
       -
                 # Quad9 nameservers

     

       436
       436
       -
                 nameservers.global = [ "9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9" ];

     

       437
       437
       -
               };

     

       438
       438
       -
       

     

       439
       439
       -
               oidc = {

     

       440
       440
       -
                 only_start_if_oidc_is_available = true;

     

       441
       441
       -
                 issuer = "https://auth.wiro.world";

     

       442
       442
       -
                 client_id = "headscale";

     

       443
       443
       -
                 client_secret_path = config.age.secrets.headscale-oidc-secret.path;

     

       444
       444
       -
                 scope = [ "openid" "profile" "email" "groups" ];

     

       445
       445
       -
                 pkce.enabled = true;

     

       446
       446
       -
               };

     

       447
       447
       -
       

     

       448
       448
       -
               derp.server = {

     

       449
       449
       -
                 enable = true;

     

       450
       450
       -
                 stun_listen_addr = "0.0.0.0:${toString headscale-derp-port}";

     

       451
       451
       -
               };

     

       452
       452
       -
             };

     

       453
       453
       -
           };

     

       454
       454
       -
       

     

       455
       455
       -
           age.secrets.lldap-env.file = ../../secrets/lldap-env.age;

     

       456
       456
       -
           services.lldap = {

     

       457
       457
       -
             enable = true;

     

       458
       458
       -
             settings = {

     

       459
       459
       -
               http_url = "https://${lldap-hostname}";

     

       460
       460
       -
               http_port = lldap-port;

     

       461
       461
       -
       

     

       462
       462
       -
               ldap_base_dn = "dc=wiro,dc=world";

     

       463
       463
       -
             };

     

       464
       464
       -
             environmentFile = config.age.secrets.lldap-env.path;

     

       465
       465
       -
           };

     

       466
       466
       -
       

     

       467
       467
       -
           age.secrets.authelia-jwt-secret = { file = ../../secrets/authelia-jwt-secret.age; owner = config.services.authelia.instances.main.user; };

     

       468
       468
       -
           age.secrets.authelia-issuer-private-key = { file = ../../secrets/authelia-issuer-private-key.age; owner = config.services.authelia.instances.main.user; };

     

       469
       469
       -
           age.secrets.authelia-storage-key = { file = ../../secrets/authelia-storage-key.age; owner = config.services.authelia.instances.main.user; };

     

       470
       470
       -
           age.secrets.authelia-ldap-password = { file = ../../secrets/authelia-ldap-password.age; owner = config.services.authelia.instances.main.user; };

     

       471
       471
       -
           age.secrets.authelia-smtp-password = { file = ../../secrets/authelia-smtp-password.age; owner = config.services.authelia.instances.main.user; };

     

       472
       472
       -
           services.authelia.instances.main = {

     

       473
       473
       -
             enable = true;

     

       474
       474
       -
       

     

       475
       475
       -
             secrets = {

     

       476
       476
       -
               jwtSecretFile = config.age.secrets.authelia-jwt-secret.path;

     

       477
       477
       -
               oidcIssuerPrivateKeyFile = config.age.secrets.authelia-issuer-private-key.path;

     

       478
       478
       -
               storageEncryptionKeyFile = config.age.secrets.authelia-storage-key.path;

     

       479
       479
       -
             };

     

       480
       480
       -
             environmentVariables = {

     

       481
       481
       -
               AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-ldap-password.path;

     

       482
       482
       -
               AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;

     

       483
       483
       -
             };

     

       484
       484
       -
             settings = {

     

       485
       485
       -
               server.address = "localhost:${toString authelia-port}";

     

       486
       486
       -
               storage.local.path = "/var/lib/authelia-main/db.sqlite3";

     

       487
       487
       -
               telemetry.metrics = {

     

       488
       488
       -
                 enabled = true;

     

       489
       489
       -
                 address = "tcp://:${toString authelia-metrics-port}/metrics";

     

       490
       490
       -
               };

     

       491
       491
       -
       

     

       492
       492
       -
               session = {

     

       493
       493
       -
                 cookies = [{

     

       494
       494
       -
                   domain = "wiro.world";

     

       495
       495
       -
                   authelia_url = "https://${authelia-hostname}";

     

       496
       496
       -
                   default_redirection_url = "https://wiro.world";

     

       497
       497
       -
                 }];

     

       498
       498
       -
               };

     

       499
       499
       -
       

     

       500
       500
       -
               authentication_backend.ldap = {

     

       501
       501
       -
                 address = "ldap://localhost:3890";

     

       502
       502
       -
                 timeout = "5m"; # replace with systemd dependency

     

       503
       503
       -
       

     

       504
       504
       -
                 user = "uid=authelia,ou=people,dc=wiro,dc=world";

     

       505
       505
       -
                 # Set in `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`.

     

       506
       506
       -
                 # password = "";

     

       507
       507
       -
       

     

       508
       508
       -
                 base_dn = "dc=wiro,dc=world";

     

       509
       509
       -
                 users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";

     

       510
       510
       -
                 additional_users_dn = "ou=people";

     

       511
       511
       -
                 groups_filter = "(&(member={dn})(objectClass=groupOfNames))";

     

       512
       512
       -
                 additional_groups_dn = "ou=groups";

     

       513
       513
       -
       

     

       514
       514
       -
                 attributes = {

     

       515
       515
       -
                   username = "uid";

     

       516
       516
       -
                   display_name = "cn";

     

       517
       517
       -
                   given_name = "givenname";

     

       518
       518
       -
                   family_name = "last_name";

     

       519
       519
       -
                   mail = "mail";

     

       520
       520
       -
                   picture = "avatar";

     

       521
       521
       -
       

     

       522
       522
       -
                   group_name = "cn";

     

       523
       523
       -
                 };

     

       524
       524
       -
               };

     

       525
       525
       -
       

     

       526
       526
       -
               access_control = {

     

       527
       527
       -
                 default_policy = "deny";

     

       528
       528
       -
                 # Rules are sequential and do not apply to OIDC

     

       529
       529
       -
                 rules = [

     

       530
       530
       -
                   {

     

       531
       531
       -
                     domain = "headscale.wiro.world";

     

       532
       532
       -
                     policy = "two_factor";

     

       533
       533
       -
       

     

       534
       534
       -
                   }

     

       535
       535
       -
                   {

     

       536
       536
       -
                     domain = "news.wiro.world";

     

       537
       537
       -
                     policy = "one_factor";

     

       538
       538
       -
       

     

       539
       539
       -
                     subject = [ [ "group:miniflux" "oauth2:client:miniflux" ] ];

     

       540
       540
       -
                   }

     

       541
       541
       -
                   {

     

       542
       542
       -
                     domain = "*.wiro.world";

     

       543
       543
       -
                     policy = "two_factor";

     

       544
       544
       -
                   }

     

       545
       545
       -
                 ];

     

       546
       546
       -
               };

     

       547
       547
       -
       

     

       548
       548
       -
               identity_providers.oidc = {

     

       549
       549
       -
                 enforce_pkce = "always";

     

       550
       550
       -
       

     

       551
       551
       -
                 authorization_policies =

     

       552
       552
       -
                   let

     

       553
       553
       -
                     mkStrictPolicy = policy: subject:

     

       554
       554
       -
                       { default_policy = "deny"; rules = [{ inherit policy subject; }]; };

     

       555
       555
       -
                   in

     

       556
       556
       -
                   {

     

       557
       557
       -
                     headscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       558
       558
       -
                     tailscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       559
       559
       -
                     grafana = mkStrictPolicy "one_factor" [ "group:grafana" ];

     

       560
       560
       -
                     miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];

     

       561
       561
       -
                   };

     

       562
       562
       -
       

     

       563
       563
       -
                 claims_policies.headscale = { id_token = [ "email" "name" "preferred_username" "picture" "groups" ]; };

     

       564
       564
       -
       

     

       565
       565
       -
                 clients = [

     

       566
       566
       -
                   {

     

       567
       567
       -
                     client_name = "Headscale";

     

       568
       568
       -
                     client_id = "headscale";

     

       569
       569
       -
                     client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";

     

       570
       570
       -
                     redirect_uris = [ "https://${headscale-hostname}/oidc/callback" ];

     

       571
       571
       -
                     authorization_policy = "headscale";

     

       572
       572
       -
                     claims_policy = "headscale";

     

       573
       573
       -
                   }

     

       574
       574
       -
                   {

     

       575
       575
       -
                     client_name = "Tailscale";

     

       576
       576
       -
                     client_id = "tailscale";

     

       577
       577
       -
                     client_secret = "$pbkdf2-sha256$310000$PcUaup9aWKI9ZLeCF6.avw$FpsTxkDaxcoQlBi8aIacegXpjEDiCI6nXcaHyZ2Sxyc";

     

       578
       578
       -
                     redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];

     

       579
       579
       -
                     authorization_policy = "tailscale";

     

       580
       580
       -
                   }

     

       581
       581
       -
                   {

     

       582
       582
       -
                     client_name = "Grafana Console";

     

       583
       583
       -
                     client_id = "grafana";

     

       584
       584
       -
                     client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";

     

       585
       585
       -
                     redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];

     

       586
       586
       -
                     authorization_policy = "grafana";

     

       587
       587
       -
                   }

     

       588
       588
       -
                   {

     

       589
       589
       -
                     client_name = "Miniflux";

     

       590
       590
       -
                     client_id = "miniflux";

     

       591
       591
       -
                     client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";

     

       592
       592
       -
                     redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];

     

       593
       593
       -
                     authorization_policy = "miniflux";

     

       594
       594
       -
                   }

     

       595
       595
       -
                 ];

     

       596
       596
       -
               };

     

       597
       597
       -
       

     

       598
       598
       -
       

     

       599
       599
       -
               notifier.smtp = {

     

       600
       600
       -
                 address = "smtp://smtp.resend.com:2587";

     

       601
       601
       -
                 username = "resend";

     

       602
       602
       -
                 # Set in `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE`.

     

       603
       603
       -
                 # password = "";

     

       604
       604
       -
                 sender = "authelia@wiro.world";

     

       605
       605
       -
               };

     

       606
       606
       -
             };

     

       607
       607
       -
           };

     

       608
       608
       -
       

     

       609
       609
       -
           age.secrets.tuwunel-registration-tokens = { file = ../../secrets/tuwunel-registration-tokens.age; owner = config.services.matrix-tuwunel.user; };

     

       610
       610
       -
           services.matrix-tuwunel = {

     

       611
       611
       -
             enable = true;

     

       612
       612
       -
             package = upkgs.matrix-tuwunel;

     

       613
       613
       -
       

     

       614
       614
       -
             settings.global = {

     

       615
       615
       -
               address = [ "127.0.0.1" ];

     

       616
       616
       -
               port = [ matrix-port ];

     

       617
       617
       -
       

     

       618
       618
       -
               server_name = "wiro.world";

     

       619
       619
       -
               well_known = {

     

       620
       620
       -
                 client = "https://matrix.wiro.world";

     

       621
       621
       -
                 server = "matrix.wiro.world:443";

     

       622
       622
       -
               };

     

       623
       623
       -
       

     

       624
       624
       -
               grant_admin_to_first_user = true;

     

       625
       625
       -
               new_user_displayname_suffix = "";

     

       626
       626
       -
       

     

       627
       627
       -
               allow_registration = true;

     

       628
       628
       -
               registration_token_file = config.age.secrets.tuwunel-registration-tokens.path;

     

       629
       629
       -
             };

     

       630
       630
       -
           };

     

       631
       631
       -
       

     

       632
       632
       -
           services.goatcounter = {

     

       633
       633
       -
             enable = true;

     

       634
       634
       -
       

     

       635
       635
       -
             port = goatcounter-port;

     

       636
       636
       -
             proxy = true;

     

       637
       637
       -
             extraArgs = [ "-automigrate" ];

     

       638
       638
       -
           };

     

       639
       639
       -
       

     

       640
       640
       -
           age.secrets.vaultwarden-env.file = ../../secrets/vaultwarden-env.age;

     

       641
       641
       -
           services.vaultwarden = {

     

       642
       642
       -
             enable = true;

     

       643
       643
       -
             package = upkgs.vaultwarden;

     

       644
       644
       -
       

     

       645
       645
       -
             environmentFile = config.age.secrets.vaultwarden-env.path;

     

       646
       646
       -
             config = {

     

       647
       647
       -
               ROCKET_PORT = vaultwarden-port;

     

       648
       648
       -
               DOMAIN = "https://${vaultwarden-hostname}";

     

       649
       649
       -
               SIGNUPS_ALLOWED = false;

     

       650
       650
       -
               ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$YIe9wmrTsmjgZNPxe8m34O/d3XW3Fl/uZPPLQs79dAc$mjDVQSdBJqz2uBJuxtAvCIoHPzOnTDhNPuhER3dhHrY";

     

       651
       651
       -
       

     

       652
       652
       -
               SMTP_HOST = "smtp.resend.com";

     

       653
       653
       -
               SMTP_PORT = 2465;

     

       654
       654
       -
               SMTP_SECURITY = "force_tls";

     

       655
       655
       -
               SMTP_USERNAME = "resend";

     

       656
       656
       -
               # SMTP_PASSWORD = ...; # Via secret env

     

       657
       657
       -
               SMTP_FROM = "bitwarden@wiro.world";

     

       658
       658
       -
               SMTP_FROM_NAME = "Bitwarden wiro.world";

     

       659
       659
       -
             };

     

       660
       660
       -
           };

     

       661
       661
       -
       

     

       662
       662
       -
           users.users.miniflux = { isSystemUser = true; group = "miniflux"; };

     

       663
       663
       -
           users.groups.miniflux = { };

     

       664
       664
       -
           age.secrets.miniflux-oidc-secret = { file = ../../secrets/miniflux-oidc-secret.age; owner = "miniflux"; };

     

       665
       665
       -
           services.miniflux = {

     

       666
       666
       -
             enable = true;

     

       667
       667
       -
       

     

       668
       668
       -
             createDatabaseLocally = true;

     

       669
       669
       -
             config = {

     

       670
       670
       -
               BASE_URL = "https://${miniflux-hostname}/";

     

       671
       671
       -
               LISTEN_ADDR = "127.0.0.1:${toString miniflux-port}";

     

       672
       672
       -
               CREATE_ADMIN = 0;

     

       673
       673
       -
       

     

       674
       674
       -
               METRICS_COLLECTOR = 1;

     

       675
       675
       -
       

     

       676
       676
       -
               OAUTH2_PROVIDER = "oidc";

     

       677
       677
       -
               OAUTH2_OIDC_PROVIDER_NAME = "wiro.world SSO";

     

       678
       678
       -
               OAUTH2_CLIENT_ID = "miniflux";

     

       679
       679
       -
               OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux-oidc-secret.path;

     

       680
       680
       -
               OAUTH2_REDIRECT_URL = "https://${miniflux-hostname}/oauth2/oidc/callback";

     

       681
       681
       -
               OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.wiro.world";

     

       682
       682
       -
               OAUTH2_USER_CREATION = 1;

     

       683
       683
       -
               DISABLE_LOCAL_AUTH = 1;

     

       684
       684
       -
       

     

       685
       685
       -
               RUN_MIGRATIONS = 1;

     

       686
       686
       -
       

     

       687
       687
       -
               # NetNewsWire is a very good iOS oss client that integrates well

     

       688
       688
       -
               # https://b.j4.lc/2025/05/05/setting-up-netnewswire-with-miniflux/

     

       689
       689
       -
             };

     

       690
       690
       -
           };

     

       691
       691
       -
       

     

       692
       692
       -
           age.secrets.hypixel-bank-tracker-main.file = ../../secrets/hypixel-bank-tracker-main.age;

     

       693
       693
       -
           services.hypixel-bank-tracker.instances.main = {

     

       694
       694
       -
             enable = true;

     

       695
       695
       -
       

     

       696
       696
       -
             port = hbt-main-port;

     

       697
       697
       -
             environmentFile = config.age.secrets.hypixel-bank-tracker-main.path;

     

       698
       698
       -
           };

     

       699
       699
       -
       

     

       700
       700
       -
           age.secrets.hypixel-bank-tracker-banana.file = ../../secrets/hypixel-bank-tracker-banana.age;

     

       701
       701
       -
           services.hypixel-bank-tracker.instances.banana = {

     

       702
       702
       -
             enable = true;

     

       703
       703
       -
       

     

       704
       704
       -
             port = hbt-banana-port;

     

       705
       705
       -
             environmentFile = config.age.secrets.hypixel-bank-tracker-banana.path;

     

       706
       706
       -
           };

     

       707
       707
       -
         };

     

       708
       708
       -
       }

+15 -6

pkgs/default.nix

···

       1
       1
       -
       { self, system, ... }@pkgs:

     

       1
       1
       +
       { self

     

       2
       2
       +
       

     

       3
       3
       +
       , stdenv

     

       4
       4
       +
       , callPackage

     

       5
       5
       +
       , ...

     

       6
       6
       +
       }:

     

       2
       7
        
       

     

       3
       8
        
       let

     

       9
       9
       +
         inherit (stdenv.hostPlatform) system;

     

       10
       10
       +
       

     

       4
       11
        
         inherit (self.inputs)

     

       5
       12
        
           agenix

     

       6
       13
        
           git-leave

     

       14
       14
       +
           nix-alien

     

       7
       15
        
           wakatime-ls

     

       8
       16
        
           ;

     

       9
       17
        
       in

     

       10
       18
        
       {

     

       11
       11
       -
         asak = pkgs.callPackage ./asak.nix { };

     

       12
       12
       -
         ebnfer = pkgs.callPackage ./ebnfer.nix { };

     

       13
       13
       -
         find-unicode = pkgs.callPackage ./find-unicode.nix { };

     

       14
       14
       -
         names = pkgs.callPackage ./names.nix { };

     

       15
       15
       -
         probe-rs-udev-rules = pkgs.callPackage ./probe-rs-udev-rules.nix { };

     

       19
       19
       +
         asak = callPackage ./asak.nix { };

     

       20
       20
       +
         ebnfer = callPackage ./ebnfer.nix { };

     

       21
       21
       +
         find-unicode = callPackage ./find-unicode.nix { };

     

       22
       22
       +
         names = callPackage ./names.nix { };

     

       23
       23
       +
         probe-rs-udev-rules = callPackage ./probe-rs-udev-rules.nix { };

     

       16
       24
        
       

     

       17
       25
        
         # Import packages defined in foreign repositories

     

       18
       26
        
         inherit (agenix.packages.${system}) agenix;

     

       19
       27
        
         inherit (git-leave.packages.${system}) git-leave;

     

       28
       28
       +
         inherit (nix-alien.packages.${system}) nix-alien;

     

       20
       29
        
         inherit (wakatime-ls.packages.${system}) wakatime-ls;

     

       21
       30
        
       }

secrets/authelia-issuer-private-key.age

This is a binary file and will not be displayed.

secrets/authelia-jwt-secret.age

This is a binary file and will not be displayed.

secrets/authelia-ldap-password.age

This is a binary file and will not be displayed.

-9

secrets/authelia-smtp-password.age

···

       1
       1
       -
       age-encryption.org/v1

     

       2
       2
       -
       -> ssh-ed25519 sMF1bg 0duJYaUlZd2G3tYi7CuV+c7KNaqWusLoMpoILvaajgc

     

       3
       3
       -
       AnAlDVzRdeoXGXvyllhSNCoDQjZ+nucLGHCfPWR8IBQ

     

       4
       4
       -
       -> ssh-ed25519 SmMcWg oX82fe4sQmKyjJqv9AFRY6Bww43V/8myNRsN9/M8Sho

     

       5
       5
       -
       Et6ycO8hm2XV36X5q7iO+nJCtjkYoq6mDBEssrjt/70

     

       6
       6
       -
       -> ssh-ed25519 Q8rMFA /gU1tIVjqExV8NXB1gSDsWIXpVfxm3zPJX7xOAqeqWM

     

       7
       7
       -
       szrd67kHWslLO+jMCuDmzYR0LPVVzd7idgl3AKt+USU

     

       8
       8
       -
       --- ojxyQVhx4rX+x5gzEEx8KFiorwywqEEyTNWUJY39jIk

     

       9
       9
       -
       �������ş*
l��1����=n�Ŏ��(�	�Iamz~B�����������鰦�.�.Z>�',p��

-11

secrets/authelia-storage-key.age

···

       1
       1
       -
       age-encryption.org/v1

     

       2
       2
       -
       -> ssh-ed25519 sMF1bg PYC6LaFo/DTQlRMewqbVtS4lzVtKyuFZQSqCrQwwEyg

     

       3
       3
       -
       kj0sHy8IpnBsMBQy/XYtj2pLXlk6wprF3MxjFTOiZ6E

     

       4
       4
       -
       -> ssh-ed25519 SmMcWg rvlLGzf6D96Dh1lL8as2vjc3PB7G/86U8AR7/lAELT0

     

       5
       5
       -
       qcdOqVV6o+5OfJYj5pfZ62hOnrBQwY0DAeIJkLoyYss

     

       6
       6
       -
       -> ssh-ed25519 Q8rMFA eALgQVN5OA0EuYYEyEbFnju/Yii71e+xcs98LkXnyyo

     

       7
       7
       -
       Rbxu60qvXKdFaJ7lfs7LeYx37TIKYK2Gxw2QcxF3soA

     

       8
       8
       -
       --- ryt5q5lXn1Cyn4T6RSU1IR7dHZOTbyanaG6ZqeYYGBQ

     

       9
       9
       -
       �G���*	\�ʕ�|���

     

       10
       10
       -
       �S�T���z�!
�FIG͍��,��2Q��+�s�76Z�D`��Q�hM�],��E7�2<Q�

     

       11
       11
       -
       ?ׯ�t��u\���xpe/rrR��L}��S��g�%�:�Oj����{T%h��D�~�+DЫ��W%� �ŗ�r�v$%m$

+22

secrets/default.nix

···

       1
       1
       +
       keys:

     

       2
       2
       +
       

     

       3
       3
       +
       let

     

       4
       4
       +
         inherit (keys) sessions systems users;

     

       5
       5
       +
       

     

       6
       6
       +
         nixos = systems ++ users;

     

       7
       7
       +
         home-manager = sessions ++ users;

     

       8
       8
       +
       in

     

       9
       9
       +
       {

     

       10
       10
       +
         # Used in NixOS config

     

       11
       11
       +
         "backup-rclone-googledrive.age".publicKeys = nixos;

     

       12
       12
       +
         "backup-restic-key.age".publicKeys = nixos;

     

       13
       13
       +
       

     

       14
       14
       +
         # Used in Home Manager

     

       15
       15
       +
         "api-crates-io.age".publicKeys = home-manager;

     

       16
       16
       +
         "api-wakatime.age".publicKeys = home-manager;

     

       17
       17
       +
         "api-wakapi.age".publicKeys = home-manager;

     

       18
       18
       +
       

     

       19
       19
       +
         # Not used in config but useful

     

       20
       20
       +
         "pgp-ca5e.age".publicKeys = users;

     

       21
       21
       +
         "ssh-uxgi.age".publicKeys = users;

     

       22
       22
       +
       }

-9

secrets/grafana-oidc-secret.age

···

       1
       1
       -
       age-encryption.org/v1

     

       2
       2
       -
       -> ssh-ed25519 sMF1bg 2+JZ3WMnTgnnNYmJqdqAtOsEIk9pAefHfwLcXZQpqlg

     

       3
       3
       -
       yE0R9b0mSzoT6mvoWUG829UmkgGkm6vg0i7WLORaTis

     

       4
       4
       -
       -> ssh-ed25519 SmMcWg c8goAmCIPQ5rsTwoOej9ndGc0uBpWILSn/wy6XJHK14

     

       5
       5
       -
       ArjlEl4hxi4N6Py1emxgxUFKvSXIwLWsy6HrWNqJUHw

     

       6
       6
       -
       -> ssh-ed25519 Q8rMFA t72V+A0n5Tnb0VqvBrzt3j75CbcfvQltodKMhF64SXY

     

       7
       7
       -
       V+Ynzd4tIUI8JPy9uyoi+frW6wJnQxDavHAqnp/lem8

     

       8
       8
       -
       --- mzRky/dA1MDArnDSSaGyZP9yAQgD2va4MfopbrdM0iU

     

       9
       9
       -
       ��*�٪l����a5�QE£uަ��"�;��3�l.!`	�u�
_+)$��d��ˤ����ff�F��mѳc�a�EV��Nߧ��,�@����

secrets/headscale-oidc-secret.age

This is a binary file and will not be displayed.

-13

secrets/hypixel-bank-tracker-banana.age

···

       1
       1
       -
       age-encryption.org/v1

     

       2
       2
       -
       -> ssh-ed25519 sMF1bg L4Bb77BNTN5+2CVUxkUrYNrAj6FqaT3DkH84qqjiQxE

     

       3
       3
       -
       7qBoMysStcR8/TpQFAVMhDT59uKrNg80oIJruRO7sLo

     

       4
       4
       -
       -> ssh-ed25519 SmMcWg L5YrRltkxQF4wukSrg5QmOmGSfNqFQ/Q+MjDIarpqBk

     

       5
       5
       -
       wVMUhK3WnVyRq2whgZP1OFlS94NOHFhDm4GNqG+SD2Q

     

       6
       6
       -
       -> ssh-ed25519 Q8rMFA hfofGpblCvt5hkhAvq3eIXHCIKUt0y9HYRDXGu1pDB0

     

       7
       7
       -
       vB5xSjAJNfX4t224hDyxGAiUrN54ZTqA7dFUXnnAoNc

     

       8
       8
       -
       -> @UtB#-grease

     

       9
       9
       -
       tzHnzFDaCXfotjJH27bFWHSx6BkcuZi9kRC/XxzegMfScde08g84Lq0uwcIJBQv6

     

       10
       10
       -
       jnOLVfcHrtl+80V6D63x+rDmHV3QRhW7uXl4XRKEPYfRLVzkGdG69fDADg

     

       11
       11
       -
       --- UxCVaHhB7UXfuUiLRZ8tk7vJ8Iu9SpaWOpOoZslvMDg

     

       12
       12
       -
       Acv�������B��/3t���#ȝ���Os�9���
<�w��K���_�c,������K���p Y	��I�)׫

     

       13
       13
       -
       $�RB�x�� �=��fՍ�- ��&��!��ǌG�-�8i����a��5�*u��#��s

-13

secrets/hypixel-bank-tracker-main.age

···

       1
       1
       -
       age-encryption.org/v1

     

       2
       2
       -
       -> ssh-ed25519 sMF1bg 2rKzzE4Pua0+TwAn9yZsdhXziinxzJF5Whezuc6DPl4

     

       3
       3
       -
       qUPSXShxUf/7jDh0X5TnvfeUC+m83jmWSrP8/lweftc

     

       4
       4
       -
       -> ssh-ed25519 SmMcWg O5/Uj+Ds1S4G0VfTQs9jwUX+Dfcca2Yv3wk8g0N4Xls

     

       5
       5
       -
       HNIW22wiacVbCEPsxoC8zhVBzwNosJbJDFsUvB2EvcI

     

       6
       6
       -
       -> ssh-ed25519 Q8rMFA zVH1aTPabm7ede9LnUaS7jPRuwquRme1zL8zERbHC0s

     

       7
       7
       -
       BzsHGkLWh58yr369Qj4D/QAbaYBkL5dyw4spnGrhPXA

     

       8
       8
       -
       -> l-grease

     

       9
       9
       -
       RQnVuYNAWukXav0qt8jW2vHHvStxUyDcBWjxn9r20cqb9pcEqX8YmmY0fGxvq59V

     

       10
       10
       -
       EA

     

       11
       11
       -
       --- 2HqXUZzs3uyQ9g4jKAu55emz7/CQvK5AI/NQ8ONxjuk

     

       12
       12
       -
       �
��}F

     

       13
       13
       -
       �~���T�c������Ym��'>�"0q���������Z�����H}�ϛ'����� ��k/���t�v��Q�p,�ڝ�X�
Ȉ6�g�'�̍ή�$}۷��\"،4F`�C�HŴ�@�q��D��k��~F=�n)�z

+10 -10

secrets/keys.nix

···

       1
       1
        
       rec {

     

       2
       2
        
         # Machine SSH key (/etc/ssh/ssh_host_ed25519_key.pub)

     

       3
       3
       -
         archaic = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDuBHC0f7N0q1KRczJMoaBVdY0JFOtcpPy6WlYsoxUh";

     

       4
       4
       -
         neo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINR1/9o1HLnSRkXt3xxAM5So1YCCNdJpBN1leSu7giuR";

     

       5
       5
       -
         systems = [ archaic neo ];

     

       3
       3
       +
         archaic-wiro-laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDuBHC0f7N0q1KRczJMoaBVdY0JFOtcpPy6WlYsoxUh";

     

       4
       4
       +
         neo-wiro-laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINR1/9o1HLnSRkXt3xxAM5So1YCCNdJpBN1leSu7giuR";

     

       5
       5
       +
         systems = [ archaic-wiro-laptop neo-wiro-laptop ];

     

       6
       6
        
       

     

       7
       7
       -
         weird-row = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII5sThvKuIj8yfeZzUPYfxWxnjTTdNtSID2OL4czE8AL";

     

       8
       8
       -
         servers = [ weird-row ];

     

       7
       7
       +
         weird-row-server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII5sThvKuIj8yfeZzUPYfxWxnjTTdNtSID2OL4czE8AL";

     

       8
       8
       +
         servers = [ weird-row-server ];

     

       9
       9
        
       

     

       10
       10
        
         # Sessions specific age key (~/.ssh/id_home_manager.pub)

     

       11
       11
       -
         neo-milomoisson = "age1vz2zmduaqhaw5jrqh277pmp36plyth8rz5k9ccxeftfcl2nlhalqwvx5xz";

     

       12
       12
       -
         sessions = [ neo-milomoisson ];

     

       11
       11
       +
         neo-milo = "age1vz2zmduaqhaw5jrqh277pmp36plyth8rz5k9ccxeftfcl2nlhalqwvx5xz";

     

       12
       12
       +
         sessions = [ neo-milo ];

     

       13
       13
        
       

     

       14
       14
       -
         # User keys (~/.ssh/id_ed25519.pub)

     

       15
       15
       -
         milomoisson = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdt7atyPTOfaBIsgDYYb0DG1yid2u78abaCDji6Uxgi";

     

       14
       14
       +
         # User keys (~/.ssh/id_{ed25519,ecdsa}.pub)

     

       15
       15
       +
         milo-ed25519 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJdt7atyPTOfaBIsgDYYb0DG1yid2u78abaCDji6Uxgi";

     

       16
       16
        
         wirody = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdW6ijH9oTsrswUJmQBF2LQkhjrMFkJ1LktnirPuL2S";

     

       17
       17
       -
         users = [ milomoisson wirody ];

     

       17
       17
       +
         users = [ milo-ed25519 wirody ];

     

       18
       18
        
       }

secrets/lldap-env.age

This is a binary file and will not be displayed.

-9

secrets/miniflux-oidc-secret.age

···

       1
       1
       -
       age-encryption.org/v1

     

       2
       2
       -
       -> ssh-ed25519 sMF1bg E4UVPOuq5ZUSxGvIvr0Tod9PQRqDdqHu2Byv4fKi2io

     

       3
       3
       -
       FcdCyfLmRCmK5rmoLQ/m1KOJe9Etu9N/GHCM5lWCIPE

     

       4
       4
       -
       -> ssh-ed25519 SmMcWg wrKv3V6uSLnWQqIp65Rgi0qv7lQtyOXaxnahMo+s3EU

     

       5
       5
       -
       mXsJ1CbS3pzstf3xaWWF150+aXxW2kY2J5kAZWqtl+A

     

       6
       6
       -
       -> ssh-ed25519 Q8rMFA 91npFfTkw9Ur6aZp/pLzLUOIwwPJ9OA1peaZyTlROBU

     

       7
       7
       -
       12sib8HLjvgN06X6H0/AN4wMewQ8xup813DauZKQ+QY

     

       8
       8
       -
       --- /AGwAMAsPvvuRH6PPNrizBCsJedclYzdj6Kq4V3mx0o

     

       9
       9
       -
       zN��0�=�YP������rլ�!U�n;���n���/��}mCo�F��������!z���r������)u��o�3�>��>Z�f�񡤙1Ň
����

secrets/pds-env.age

This is a binary file and will not be displayed.

-42

secrets/secrets.nix

···

       1
       1
       -
       let

     

       2
       2
       -
         inherit (import ./keys.nix) servers sessions systems users;

     

       3
       3
       -
       

     

       4
       4
       -
         nixos = systems ++ users;

     

       5
       5
       -
         home-manager = sessions ++ users;

     

       6
       6
       -
         deploy = servers ++ users;

     

       7
       7
       -
       in

     

       8
       8
       -
       {

     

       9
       9
       -
         # Used in NixOS config

     

       10
       10
       -
         "backup-rclone-googledrive.age".publicKeys = nixos;

     

       11
       11
       -
         "backup-restic-key.age".publicKeys = nixos;

     

       12
       12
       -
       

     

       13
       13
       -
         # Used in Home Manager

     

       14
       14
       -
         "api-crates-io.age".publicKeys = home-manager;

     

       15
       15
       -
         "api-wakatime.age".publicKeys = home-manager;

     

       16
       16
       -
         "api-wakapi.age".publicKeys = home-manager;

     

       17
       17
       -
       

     

       18
       18
       -
         # Used in server deployment

     

       19
       19
       -
       

     

       20
       20
       -
         # Defines `PDS_JWT_SECRET`, `PDS_ADMIN_PASSWORD`, `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX`, `PDS_EMAIL_SMTP_URL`, `PDS_EMAIL_FROM_ADDRESS`.

     

       21
       21
       -
         "pds-env.age".publicKeys = deploy;

     

       22
       22
       -
         # Defines `LLDAP_JWT_SECRET`, `LLDAP_KEY_SEED`.

     

       23
       23
       -
         "lldap-env.age".publicKeys = deploy;

     

       24
       24
       -
         "headscale-oidc-secret.age".publicKeys = deploy;

     

       25
       25
       -
         "grafana-oidc-secret.age".publicKeys = deploy;

     

       26
       26
       -
         "authelia-jwt-secret.age".publicKeys = deploy;

     

       27
       27
       -
         "authelia-issuer-private-key.age".publicKeys = deploy;

     

       28
       28
       -
         "authelia-storage-key.age".publicKeys = deploy;

     

       29
       29
       -
         "authelia-ldap-password.age".publicKeys = deploy;

     

       30
       30
       -
         "authelia-smtp-password.age".publicKeys = deploy;

     

       31
       31
       -
         "tuwunel-registration-tokens.age".publicKeys = deploy;

     

       32
       32
       -
         # Defines `SMTP_PASSWORD`

     

       33
       33
       -
         "vaultwarden-env.age".publicKeys = deploy;

     

       34
       34
       -
         "miniflux-oidc-secret.age".publicKeys = deploy;

     

       35
       35
       -
         # Defines `HYPIXEL_API_KEY`, `PROFILE_UUID`

     

       36
       36
       -
         "hypixel-bank-tracker-main.age".publicKeys = deploy;

     

       37
       37
       -
         "hypixel-bank-tracker-banana.age".publicKeys = deploy;

     

       38
       38
       -
       

     

       39
       39
       -
         # Not used in config but useful

     

       40
       40
       -
         "pgp-ca5e.age".publicKeys = users;

     

       41
       41
       -
         "ssh-uxgi.age".publicKeys = users;

     

       42
       42
       -
       }

-9

secrets/tuwunel-registration-tokens.age

···

       1
       1
       -
       age-encryption.org/v1

     

       2
       2
       -
       -> ssh-ed25519 sMF1bg TVYRDtTe5khTJo0q8ShrR5o1WBrbK2htHjYCvi5QYAA

     

       3
       3
       -
       kx6Hke5RAZFfugR4aU28SRh4U8e4ymzeIY/+kYlAWhw

     

       4
       4
       -
       -> ssh-ed25519 SmMcWg AyJOM5lQHETeGiI/V5vUtu2vD6PqCZNnuTPvfnU90zE

     

       5
       5
       -
       9vM7/8JUbScHaeDWig16MgqtULryofSrRqhw2OMWfBs

     

       6
       6
       -
       -> ssh-ed25519 Q8rMFA TeUNtmHquyhhDrXf+zXY56oTGvzkhkaReIoBx5Yb+TE

     

       7
       7
       -
       DLfVy9cO1JrVln9CHV1ag66z2kIMrVzhcaIugLytojE

     

       8
       8
       -
       --- nr/3KZTVXNdemLdmp2bO2bjxKDHvcy3gezZKYN5Z1qI

     

       9
       9
       -
       �"��Z8��ԛ�GvJ�{��(�V9��1�N"��o���o����Х�oJ�~�1�!�}Egd�!�

secrets/vaultwarden-env.age

This is a binary file and will not be displayed.

+9 -2

secrets.nix

···

       1
       1
        
       let

     

       2
       2
        
         inherit (builtins) listToAttrs attrNames;

     

       3
       3
       +
       

     

       4
       4
       +
         # Map the name and value of all items of an attrset

     

       3
       5
        
         mapAttrs' =

     

       4
       6
        
           f:

     

       5
       7
        
           set:

     

       6
       8
        
           listToAttrs (map (attr: f attr set.${attr}) (attrNames set));

     

       9
       9
       +
       

     

       10
       10
       +
         keys = import ./secrets/keys.nix;

     

       11
       11
       +
       

     

       12
       12
       +
         prependAttrsName = prefix: mapAttrs' (name: value: { name = prefix + name; inherit value; });

     

       13
       13
       +
         secretsDir = path: prependAttrsName (path + "/") ((import ./${path}/default.nix) keys);

     

       7
       14
        
       in

     

       8
       15
        
       

     

       9
       9
       -
       # You can use agenix directly at repo top-level instead of having to change directory into `secrets/`

     

       10
       10
       -
       mapAttrs' (name: value: { name = ("secrets/" + name); inherit value; }) (import ./secrets/secrets.nix)

     

       16
       16
       +
       secretsDir "secrets"

     

       17
       17
       +
         // secretsDir "hosts/weird-row-server/secrets"

+1 -1

templates/blank/flake.nix

···

       1
       1
        
       {

     

       2
       2
        
         inputs = {

     

       3
       3
       -
           nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";

     

       3
       3
       +
           nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

     

       4
       4
        
         };

     

       5
       5
        
       

     

       6
       6
        
         outputs = { self, nixpkgs }:

+1 -1

templates/c/flake.nix

···

       1
       1
        
       {

     

       2
       2
        
         inputs = {

     

       3
       3
       -
           nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";

     

       3
       3
       +
           nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

     

       4
       4
        
         };

     

       5
       5
        
       

     

       6
       6
        
         outputs = { self, nixpkgs }:

+1 -1

templates/rust/flake.nix

···

       1
       1
        
       {

     

       2
       2
        
         inputs = {

     

       3
       3
       -
           nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";

     

       3
       3
       +
           nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

     

       4
       4
        
       

     

       5
       5
        
           rust-overlay.url = "github:oxalica/rust-overlay";

     

       6
       6
        
           rust-overlay.inputs.nixpkgs.follows = "nixpkgs";

+1 -1

templates/rust-pkg/flake.nix

···

       1
       1
        
       {

     

       2
       2
        
         inputs = {

     

       3
       3
       -
           nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";

     

       3
       3
       +
           nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

     

       4
       4
        
       

     

       5
       5
        
           rust-overlay.url = "github:oxalica/rust-overlay";

     

       6
       6
        
           rust-overlay.inputs.nixpkgs.follows = "nixpkgs";

Compare changes