comparing bc42796323c00ac7d97e5eae7d3cffe21e3e38d8 and main on wiro.world/dotfiles

.ignore

···

       0

···

       1
       +
       *.age

+1 -1

README.md

···

       20
        
       	- `fragments`: Home Manager configuration fragments

     

       21
        
       	- `options`: Home Manager configuration flags

     

       22
        
       	- `profiles`: Base Home Manager configurations to build upon (e.g. `desktop`, `minimal`)

     

       23
       -
       - `lib`: Additional custom lib and flake helpers 

     

       24
        
       - `modules`: modules that fill a missing feature of NixOS or Home Manager

     

       25
        
       - `nixos`: NixOS related config

     

       26
        
       	- `hardware/<hostname>.nix`: Device-specific settings like settings generated by `nixos-generate-config`

···

       20
        
       	- `fragments`: Home Manager configuration fragments

     

       21
        
       	- `options`: Home Manager configuration flags

     

       22
        
       	- `profiles`: Base Home Manager configurations to build upon (e.g. `desktop`, `minimal`)

     

       23
       +
       - `lib`: Additional custom lib and flake helpers

     

       24
        
       - `modules`: modules that fill a missing feature of NixOS or Home Manager

     

       25
        
       - `nixos`: NixOS related config

     

       26
        
       	- `hardware/<hostname>.nix`: Device-specific settings like settings generated by `nixos-generate-config`

+1 -1

apps/flash-installer.nix

···

       29
        
           fi

     

       30
        
       

     

       31
        
           echo "Flashing to $dev"

     

       32
       -
           

     

       33
        
           # Format selected disk

     

       34
        
           pv -tpreb "${isoPath}" | sudo dd bs=4M of="$dev" iflag=fullblock conv=notrunc,noerror oflag=sync

     

       35
        
         '';

···

       29
        
           fi

     

       30
        
       

     

       31
        
           echo "Flashing to $dev"

     

       32
       +
       

     

       33
        
           # Format selected disk

     

       34
        
           pv -tpreb "${isoPath}" | sudo dd bs=4M of="$dev" iflag=fullblock conv=notrunc,noerror oflag=sync

     

       35
        
         '';

+2 -1

configurations.nix

···

       19
        
       

     

       20
        
           # Servers

     

       21
        
           "weird-row-server" = createSystem pkgs [

     

       22
       -
             (system "weird-row-server" "server")

     

       23
        
             (managedDiskLayout "ext4-hetzner" { device = "sda"; swapSize = 2; })

     

       0
        
       
     

       24
        
             (user "milomoisson" { description = "Milo Moisson"; profile = "server"; keys = keys.users; })

     

       25
        
           ];

     

       26
        
         };

···

       19
        
       

     

       20
        
           # Servers

     

       21
        
           "weird-row-server" = createSystem pkgs [

     

       22
       +
             (host "weird-row-server")

     

       23
        
             (managedDiskLayout "ext4-hetzner" { device = "sda"; swapSize = 2; })

     

       24
       +
             # TODO: should we keep a real user there?

     

       25
        
             (user "milomoisson" { description = "Milo Moisson"; profile = "server"; keys = keys.users; })

     

       26
        
           ];

     

       27
        
         };

+95 -64

flake.lock

···

       30
        
             "locked": {

     

       31
        
               "lastModified": 1762618334,

     

       32
        
               "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",

     

       33
       -
               "owner": "mrnossiom",

     

       34
        
               "repo": "agenix",

     

       35
        
               "rev": "fcdea223397448d35d9b31f798479227e80183f6",

     

       36
        
               "type": "github"

     

       37
        
             },

     

       38
        
             "original": {

     

       39
       -
               "owner": "mrnossiom",

     

       40
        
               "repo": "agenix",

     

       41
        
               "type": "github"

     

       42
        
             }

     
···

       153
        
               ]

     

       154
        
             },

     

       155
        
             "locked": {

     

       156
       -
               "lastModified": 1736864502,

     

       157
       -
               "narHash": "sha256-ItkIZyebGvNH2dK9jVGzJHGPtb6BSWLN8Gmef16NeY0=",

     

       158
        
               "owner": "nix-community",

     

       159
        
               "repo": "disko",

     

       160
       -
               "rev": "0141aabed359f063de7413f80d906e1d98c0c123",

     

       161
        
               "type": "github"

     

       162
        
             },

     

       163
        
             "original": {

     

       164
        
               "owner": "nix-community",

     

       165
       -
               "ref": "v1.11.0",

     

       166
        
               "repo": "disko",

     

       167
        
               "type": "github"

     

       168
        
             }

     
···

       186
        
           "flake-compat": {

     

       187
        
             "flake": false,

     

       188
        
             "locked": {

     

       189
       -
               "lastModified": 1747046372,

     

       190
       -
               "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",

     

       191
        
               "owner": "edolstra",

     

       192
        
               "repo": "flake-compat",

     

       193
       -
               "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",

     

       194
        
               "type": "github"

     

       195
        
             },

     

       196
        
             "original": {

     
···

       200
        
             }

     

       201
        
           },

     

       202
        
           "flake-compat_2": {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       203
        
             "flake": false,

     

       204
        
             "locked": {

     

       205
        
               "lastModified": 1751685974,

     
···

       216
        
           "flake-parts": {

     

       217
        
             "inputs": {

     

       218
        
               "nixpkgs-lib": [

     

       219
       -
                 "lanzaboote",

     

       220
       -
                 "nixpkgs"

     

       221
       -
               ]

     

       222
       -
             },

     

       223
       -
             "locked": {

     

       224
       -
               "lastModified": 1754091436,

     

       225
       -
               "narHash": "sha256-XKqDMN1/Qj1DKivQvscI4vmHfDfvYR2pfuFOJiCeewM=",

     

       226
       -
               "owner": "hercules-ci",

     

       227
       -
               "repo": "flake-parts",

     

       228
       -
               "rev": "67df8c627c2c39c41dbec76a1f201929929ab0bd",

     

       229
       -
               "type": "github"

     

       230
       -
             },

     

       231
       -
             "original": {

     

       232
       -
               "owner": "hercules-ci",

     

       233
       -
               "repo": "flake-parts",

     

       234
       -
               "type": "github"

     

       235
       -
             }

     

       236
       -
           },

     

       237
       -
           "flake-parts_2": {

     

       238
       -
             "inputs": {

     

       239
       -
               "nixpkgs-lib": [

     

       240
        
                 "stylix",

     

       241
        
                 "nixpkgs"

     

       242
        
               ]

     
···

       298
        
               "rust-overlay": "rust-overlay"

     

       299
        
             },

     

       300
        
             "locked": {

     

       301
       -
               "lastModified": 1747139554,

     

       302
       -
               "narHash": "sha256-CpjdfdzyN0tAcBvtg9AQk+mDlNSb+NAZPUBpx/4VzvA=",

     

       303
        
               "owner": "mrnossiom",

     

       304
        
               "repo": "git-leave",

     

       305
       -
               "rev": "bf125663fa992097620ca034ec57ebd20ed50532",

     

       306
        
               "type": "github"

     

       307
        
             },

     

       308
        
             "original": {

     
···

       319
        
               ]

     

       320
        
             },

     

       321
        
             "locked": {

     

       322
       -
               "lastModified": 1709087332,

     

       323
       -
               "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",

     

       324
        
               "owner": "hercules-ci",

     

       325
        
               "repo": "gitignore.nix",

     

       326
       -
               "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",

     

       327
        
               "type": "github"

     

       328
        
             },

     

       329
        
             "original": {

     
···

       357
        
             "inputs": {

     

       358
        
               "nixpkgs": [

     

       359
        
                 "lanzaboote",

     

       360
       -
                 "pre-commit-hooks-nix",

     

       361
        
                 "nixpkgs"

     

       362
        
               ]

     

       363
        
             },

     
···

       549
        
           "lanzaboote": {

     

       550
        
             "inputs": {

     

       551
        
               "crane": "crane",

     

       552
       -
               "flake-compat": "flake-compat",

     

       553
       -
               "flake-parts": "flake-parts",

     

       554
        
               "nixpkgs": [

     

       555
        
                 "unixpkgs"

     

       556
        
               ],

     

       557
       -
               "pre-commit-hooks-nix": "pre-commit-hooks-nix",

     

       558
        
               "rust-overlay": "rust-overlay_3"

     

       559
        
             },

     

       560
        
             "locked": {

     

       561
       -
               "lastModified": 1762205063,

     

       562
       -
               "narHash": "sha256-If6vQ+KvtKs3ARBO9G3l+4wFSCYtRBrwX1z+I+B61wQ=",

     

       563
        
               "owner": "nix-community",

     

       564
        
               "repo": "lanzaboote",

     

       565
       -
               "rev": "88b8a563ff5704f4e8d8e5118fb911fa2110ca05",

     

       566
        
               "type": "github"

     

       567
        
             },

     

       568
        
             "original": {

     

       569
        
               "owner": "nix-community",

     

       570
       -
               "ref": "v0.4.3",

     

       571
        
               "repo": "lanzaboote",

     

       572
        
               "type": "github"

     

       573
        
             }

     
···

       585
        
               "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip"

     

       586
        
             }

     

       587
        
           },

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       588
        
           "nix-darwin": {

     

       589
        
             "inputs": {

     

       590
        
               "nixpkgs": [

     
···

       592
        
               ]

     

       593
        
             },

     

       594
        
             "locked": {

     

       595
       -
               "lastModified": 1762912391,

     

       596
       -
               "narHash": "sha256-4hpBE7bGd24SfD28rzMdUGXsLsNEYxCCrTipFdoqoNM=",

     

       597
        
               "owner": "nix-darwin",

     

       598
        
               "repo": "nix-darwin",

     

       599
       -
               "rev": "d76299b2cd01837c4c271a7b5186e3d5d8ebd126",

     

       600
        
               "type": "github"

     

       601
        
             },

     

       602
        
             "original": {

     

       603
        
               "owner": "nix-darwin",

     

       604
       -
               "ref": "nix-darwin-25.05",

     

       605
        
               "repo": "nix-darwin",

     

       606
        
               "type": "github"

     

       607
        
             }

     

       608
        
           },

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       609
        
           "nixos-hardware": {

     

       610
        
             "locked": {

     

       611
        
               "lastModified": 1764440730,

     
···

       662
        
               "type": "github"

     

       663
        
             }

     

       664
        
           },

     

       665
       -
           "pre-commit-hooks-nix": {

     

       666
        
             "inputs": {

     

       667
       -
               "flake-compat": [

     

       668
       -
                 "lanzaboote",

     

       669
       -
                 "flake-compat"

     

       670
       -
               ],

     

       671
        
               "gitignore": "gitignore_3",

     

       672
        
               "nixpkgs": [

     

       673
        
                 "lanzaboote",

     
···

       675
        
               ]

     

       676
        
             },

     

       677
        
             "locked": {

     

       678
       -
               "lastModified": 1750779888,

     

       679
       -
               "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",

     

       680
        
               "owner": "cachix",

     

       681
        
               "repo": "pre-commit-hooks.nix",

     

       682
       -
               "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",

     

       683
        
               "type": "github"

     

       684
        
             },

     

       685
        
             "original": {

     
···

       696
        
               "home-manager": "home-manager",

     

       697
        
               "hypixel-bank-tracker": "hypixel-bank-tracker",

     

       698
        
               "lanzaboote": "lanzaboote",

     

       0
        
       
     

       699
        
               "nix-darwin": "nix-darwin",

     

       700
        
               "nixos-hardware": "nixos-hardware",

     

       701
        
               "nixpkgs": "nixpkgs",

     
···

       715
        
               ]

     

       716
        
             },

     

       717
        
             "locked": {

     

       718
       -
               "lastModified": 1744599145,

     

       719
       -
               "narHash": "sha256-yzaDPkJwZdUtRj/dzdOeB74yryWzpngYaD7BedqFKk8=",

     

       720
        
               "owner": "oxalica",

     

       721
        
               "repo": "rust-overlay",

     

       722
       -
               "rev": "fd6795d3d28f956de01a0458b6fa7baae5c793b4",

     

       723
        
               "type": "github"

     

       724
        
             },

     

       725
        
             "original": {

     
···

       831
        
               "base16-helix": "base16-helix",

     

       832
        
               "base16-vim": "base16-vim",

     

       833
        
               "firefox-gnome-theme": "firefox-gnome-theme",

     

       834
       -
               "flake-parts": "flake-parts_2",

     

       835
        
               "gnome-shell": "gnome-shell",

     

       836
        
               "nixpkgs": [

     

       837
        
                 "nixpkgs"

     
···

       907
        
           "tangled": {

     

       908
        
             "inputs": {

     

       909
        
               "actor-typeahead-src": "actor-typeahead-src",

     

       910
       -
               "flake-compat": "flake-compat_2",

     

       911
        
               "gomod2nix": "gomod2nix",

     

       912
        
               "htmx-src": "htmx-src",

     

       913
        
               "htmx-ws-src": "htmx-ws-src",

     
···

       1017
        
           },

     

       1018
        
           "unixpkgs": {

     

       1019
        
             "locked": {

     

       1020
       -
               "lastModified": 1764242076,

     

       1021
       -
               "narHash": "sha256-sKoIWfnijJ0+9e4wRvIgm/HgE27bzwQxcEmo2J/gNpI=",

     

       1022
        
               "owner": "nixos",

     

       1023
        
               "repo": "nixpkgs",

     

       1024
       -
               "rev": "2fad6eac6077f03fe109c4d4eb171cf96791faa4",

     

       1025
        
               "type": "github"

     

       1026
        
             },

     

       1027
        
             "original": {

···

       30
        
             "locked": {

     

       31
        
               "lastModified": 1762618334,

     

       32
        
               "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",

     

       33
       +
               "owner": "ryantm",

     

       34
        
               "repo": "agenix",

     

       35
        
               "rev": "fcdea223397448d35d9b31f798479227e80183f6",

     

       36
        
               "type": "github"

     

       37
        
             },

     

       38
        
             "original": {

     

       39
       +
               "owner": "ryantm",

     

       40
        
               "repo": "agenix",

     

       41
        
               "type": "github"

     

       42
        
             }

     
···

       153
        
               ]

     

       154
        
             },

     

       155
        
             "locked": {

     

       156
       +
               "lastModified": 1764627417,

     

       157
       +
               "narHash": "sha256-D6xc3Rl8Ab6wucJWdvjNsGYGSxNjQHzRc2EZ6eeQ6l4=",

     

       158
        
               "owner": "nix-community",

     

       159
        
               "repo": "disko",

     

       160
       +
               "rev": "5a88a6eceb8fd732b983e72b732f6f4b8269bef3",

     

       161
        
               "type": "github"

     

       162
        
             },

     

       163
        
             "original": {

     

       164
        
               "owner": "nix-community",

     

       0
        
       
     

       165
        
               "repo": "disko",

     

       166
        
               "type": "github"

     

       167
        
             }

     
···

       185
        
           "flake-compat": {

     

       186
        
             "flake": false,

     

       187
        
             "locked": {

     

       188
       +
               "lastModified": 1761588595,

     

       189
       +
               "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",

     

       190
        
               "owner": "edolstra",

     

       191
        
               "repo": "flake-compat",

     

       192
       +
               "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",

     

       193
        
               "type": "github"

     

       194
        
             },

     

       195
        
             "original": {

     
···

       199
        
             }

     

       200
        
           },

     

       201
        
           "flake-compat_2": {

     

       202
       +
             "locked": {

     

       203
       +
               "lastModified": 1761588595,

     

       204
       +
               "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",

     

       205
       +
               "owner": "edolstra",

     

       206
       +
               "repo": "flake-compat",

     

       207
       +
               "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",

     

       208
       +
               "type": "github"

     

       209
       +
             },

     

       210
       +
             "original": {

     

       211
       +
               "owner": "edolstra",

     

       212
       +
               "repo": "flake-compat",

     

       213
       +
               "type": "github"

     

       214
       +
             }

     

       215
       +
           },

     

       216
       +
           "flake-compat_3": {

     

       217
        
             "flake": false,

     

       218
        
             "locked": {

     

       219
        
               "lastModified": 1751685974,

     
···

       230
        
           "flake-parts": {

     

       231
        
             "inputs": {

     

       232
        
               "nixpkgs-lib": [

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       233
        
                 "stylix",

     

       234
        
                 "nixpkgs"

     

       235
        
               ]

     
···

       291
        
               "rust-overlay": "rust-overlay"

     

       292
        
             },

     

       293
        
             "locked": {

     

       294
       +
               "lastModified": 1764804992,

     

       295
       +
               "narHash": "sha256-6XIwDQwquGUfiwoTsukMyE6DcXW4Cx0fjE4cLTgQ7RM=",

     

       296
        
               "owner": "mrnossiom",

     

       297
        
               "repo": "git-leave",

     

       298
       +
               "rev": "3c09ab6afafae76be08956cc7bf563f80e0f8394",

     

       299
        
               "type": "github"

     

       300
        
             },

     

       301
        
             "original": {

     
···

       312
        
               ]

     

       313
        
             },

     

       314
        
             "locked": {

     

       315
       +
               "lastModified": 1762808025,

     

       316
       +
               "narHash": "sha256-XmjITeZNMTQXGhhww6ed/Wacy2KzD6svioyCX7pkUu4=",

     

       317
        
               "owner": "hercules-ci",

     

       318
        
               "repo": "gitignore.nix",

     

       319
       +
               "rev": "cb5e3fdca1de58ccbc3ef53de65bd372b48f567c",

     

       320
        
               "type": "github"

     

       321
        
             },

     

       322
        
             "original": {

     
···

       350
        
             "inputs": {

     

       351
        
               "nixpkgs": [

     

       352
        
                 "lanzaboote",

     

       353
       +
                 "pre-commit",

     

       354
        
                 "nixpkgs"

     

       355
        
               ]

     

       356
        
             },

     
···

       542
        
           "lanzaboote": {

     

       543
        
             "inputs": {

     

       544
        
               "crane": "crane",

     

       0
        
       
     

       0
        
       
     

       545
        
               "nixpkgs": [

     

       546
        
                 "unixpkgs"

     

       547
        
               ],

     

       548
       +
               "pre-commit": "pre-commit",

     

       549
        
               "rust-overlay": "rust-overlay_3"

     

       550
        
             },

     

       551
        
             "locked": {

     

       552
       +
               "lastModified": 1764622702,

     

       553
       +
               "narHash": "sha256-HggOVvg2U3EwT44wPHEwFKromf9qR9rTqfV1i3q7rYs=",

     

       554
        
               "owner": "nix-community",

     

       555
        
               "repo": "lanzaboote",

     

       556
       +
               "rev": "6242b3b2b5e5afcf329027ed4eb5fa6e2eab10f1",

     

       557
        
               "type": "github"

     

       558
        
             },

     

       559
        
             "original": {

     

       560
        
               "owner": "nix-community",

     

       0
        
       
     

       561
        
               "repo": "lanzaboote",

     

       562
        
               "type": "github"

     

       563
        
             }

     
···

       575
        
               "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip"

     

       576
        
             }

     

       577
        
           },

     

       578
       +
           "nix-alien": {

     

       579
       +
             "inputs": {

     

       580
       +
               "flake-compat": "flake-compat_2",

     

       581
       +
               "nix-index-database": "nix-index-database",

     

       582
       +
               "nixpkgs": [

     

       583
       +
                 "nixpkgs"

     

       584
       +
               ]

     

       585
       +
             },

     

       586
       +
             "locked": {

     

       587
       +
               "lastModified": 1764061716,

     

       588
       +
               "narHash": "sha256-xKnIoMPv2kIsWhjRhJayqMWU2xkjeq2pyPmR1dLFPHs=",

     

       589
       +
               "owner": "thiagokokada",

     

       590
       +
               "repo": "nix-alien",

     

       591
       +
               "rev": "9bc9c1ab671eb1b610f549e15bc0b750ab987409",

     

       592
       +
               "type": "github"

     

       593
       +
             },

     

       594
       +
             "original": {

     

       595
       +
               "owner": "thiagokokada",

     

       596
       +
               "repo": "nix-alien",

     

       597
       +
               "type": "github"

     

       598
       +
             }

     

       599
       +
           },

     

       600
        
           "nix-darwin": {

     

       601
        
             "inputs": {

     

       602
        
               "nixpkgs": [

     
···

       604
        
               ]

     

       605
        
             },

     

       606
        
             "locked": {

     

       607
       +
               "lastModified": 1764161084,

     

       608
       +
               "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",

     

       609
        
               "owner": "nix-darwin",

     

       610
        
               "repo": "nix-darwin",

     

       611
       +
               "rev": "e95de00a471d07435e0527ff4db092c84998698e",

     

       612
        
               "type": "github"

     

       613
        
             },

     

       614
        
             "original": {

     

       615
        
               "owner": "nix-darwin",

     

       616
       +
               "ref": "nix-darwin-25.11",

     

       617
        
               "repo": "nix-darwin",

     

       618
        
               "type": "github"

     

       619
        
             }

     

       620
        
           },

     

       621
       +
           "nix-index-database": {

     

       622
       +
             "inputs": {

     

       623
       +
               "nixpkgs": [

     

       624
       +
                 "nix-alien",

     

       625
       +
                 "nixpkgs"

     

       626
       +
               ]

     

       627
       +
             },

     

       628
       +
             "locked": {

     

       629
       +
               "lastModified": 1762660502,

     

       630
       +
               "narHash": "sha256-C9F1C31ys0V7mnp4EcDy7L1cLZw/sCTEXqqTtGnvu08=",

     

       631
       +
               "owner": "nix-community",

     

       632
       +
               "repo": "nix-index-database",

     

       633
       +
               "rev": "15c5451c63f4c612874a43846bfe3fa828b03eee",

     

       634
       +
               "type": "github"

     

       635
       +
             },

     

       636
       +
             "original": {

     

       637
       +
               "owner": "nix-community",

     

       638
       +
               "repo": "nix-index-database",

     

       639
       +
               "type": "github"

     

       640
       +
             }

     

       641
       +
           },

     

       642
        
           "nixos-hardware": {

     

       643
        
             "locked": {

     

       644
        
               "lastModified": 1764440730,

     
···

       695
        
               "type": "github"

     

       696
        
             }

     

       697
        
           },

     

       698
       +
           "pre-commit": {

     

       699
        
             "inputs": {

     

       700
       +
               "flake-compat": "flake-compat",

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       701
        
               "gitignore": "gitignore_3",

     

       702
        
               "nixpkgs": [

     

       703
        
                 "lanzaboote",

     
···

       705
        
               ]

     

       706
        
             },

     

       707
        
             "locked": {

     

       708
       +
               "lastModified": 1763988335,

     

       709
       +
               "narHash": "sha256-QlcnByMc8KBjpU37rbq5iP7Cp97HvjRP0ucfdh+M4Qc=",

     

       710
        
               "owner": "cachix",

     

       711
        
               "repo": "pre-commit-hooks.nix",

     

       712
       +
               "rev": "50b9238891e388c9fdc6a5c49e49c42533a1b5ce",

     

       713
        
               "type": "github"

     

       714
        
             },

     

       715
        
             "original": {

     
···

       726
        
               "home-manager": "home-manager",

     

       727
        
               "hypixel-bank-tracker": "hypixel-bank-tracker",

     

       728
        
               "lanzaboote": "lanzaboote",

     

       729
       +
               "nix-alien": "nix-alien",

     

       730
        
               "nix-darwin": "nix-darwin",

     

       731
        
               "nixos-hardware": "nixos-hardware",

     

       732
        
               "nixpkgs": "nixpkgs",

     
···

       746
        
               ]

     

       747
        
             },

     

       748
        
             "locked": {

     

       749
       +
               "lastModified": 1764557621,

     

       750
       +
               "narHash": "sha256-kX5PoY8hQZ80+amMQgOO9t8Tc1JZ70gYRnzaVD4AA+o=",

     

       751
        
               "owner": "oxalica",

     

       752
        
               "repo": "rust-overlay",

     

       753
       +
               "rev": "93316876c2229460a5d6f5f052766cc4cef538ce",

     

       754
        
               "type": "github"

     

       755
        
             },

     

       756
        
             "original": {

     
···

       862
        
               "base16-helix": "base16-helix",

     

       863
        
               "base16-vim": "base16-vim",

     

       864
        
               "firefox-gnome-theme": "firefox-gnome-theme",

     

       865
       +
               "flake-parts": "flake-parts",

     

       866
        
               "gnome-shell": "gnome-shell",

     

       867
        
               "nixpkgs": [

     

       868
        
                 "nixpkgs"

     
···

       938
        
           "tangled": {

     

       939
        
             "inputs": {

     

       940
        
               "actor-typeahead-src": "actor-typeahead-src",

     

       941
       +
               "flake-compat": "flake-compat_3",

     

       942
        
               "gomod2nix": "gomod2nix",

     

       943
        
               "htmx-src": "htmx-src",

     

       944
        
               "htmx-ws-src": "htmx-ws-src",

     
···

       1048
        
           },

     

       1049
        
           "unixpkgs": {

     

       1050
        
             "locked": {

     

       1051
       +
               "lastModified": 1764950072,

     

       1052
       +
               "narHash": "sha256-BmPWzogsG2GsXZtlT+MTcAWeDK5hkbGRZTeZNW42fwA=",

     

       1053
        
               "owner": "nixos",

     

       1054
        
               "repo": "nixpkgs",

     

       1055
       +
               "rev": "f61125a668a320878494449750330ca58b78c557",

     

       1056
        
               "type": "github"

     

       1057
        
             },

     

       1058
        
             "original": {

+7 -6

flake.nix

···

       8
        
           home-manager.url = "github:nix-community/home-manager/release-25.11";

     

       9
        
           home-manager.inputs.nixpkgs.follows = "nixpkgs";

     

       10
        
       

     

       11
       -
           # nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";

     

       12
       -
           nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.05";

     

       13
        
           nix-darwin.inputs.nixpkgs.follows = "nixpkgs";

     

       14
        
       

     

       15
        
           stylix.url = "github:nix-community/stylix/release-25.11";

     
···

       17
        
       

     

       18
        
           ## Miscellaneous

     

       19
        
       

     

       20
       -
           # agenix.url = "github:ryantm/agenix/0.15.0";

     

       21
       -
           agenix.url = "github:mrnossiom/agenix";

     

       22
        
           agenix.inputs.nixpkgs.follows = "nixpkgs";

     

       23
        
           agenix.inputs.home-manager.follows = "home-manager";

     

       24
        
       

     

       25
       -
           disko.url = "github:nix-community/disko/v1.11.0";

     

       26
        
           disko.inputs.nixpkgs.follows = "nixpkgs";

     

       27
        
       

     

       28
        
           nixos-hardware.url = "github:nixos/nixos-hardware";

     

       29
        
       

     

       30
       -
           lanzaboote.url = "github:nix-community/lanzaboote/v0.4.3";

     

       31
        
           lanzaboote.inputs.nixpkgs.follows = "unixpkgs";

     

       32
        
       

     

       33
        
           srvos.url = "github:nix-community/srvos";

     
···

       40
        
       

     

       41
        
           hypixel-bank-tracker.url = "github:pixilie/hypixel-bank-tracker";

     

       42
        
           hypixel-bank-tracker.inputs.nixpkgs.follows = "nixpkgs";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       43
        
       

     

       44
        
           tangled.url = "git+https://tangled.org/tangled.org/core";

     

       45
        
           tangled.inputs.nixpkgs.follows = "unixpkgs";

···

       8
        
           home-manager.url = "github:nix-community/home-manager/release-25.11";

     

       9
        
           home-manager.inputs.nixpkgs.follows = "nixpkgs";

     

       10
        
       

     

       11
       +
           nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";

     

       0
        
       
     

       12
        
           nix-darwin.inputs.nixpkgs.follows = "nixpkgs";

     

       13
        
       

     

       14
        
           stylix.url = "github:nix-community/stylix/release-25.11";

     
···

       16
        
       

     

       17
        
           ## Miscellaneous

     

       18
        
       

     

       19
       +
           agenix.url = "github:ryantm/agenix";

     

       0
        
       
     

       20
        
           agenix.inputs.nixpkgs.follows = "nixpkgs";

     

       21
        
           agenix.inputs.home-manager.follows = "home-manager";

     

       22
        
       

     

       23
       +
           disko.url = "github:nix-community/disko";

     

       24
        
           disko.inputs.nixpkgs.follows = "nixpkgs";

     

       25
        
       

     

       26
        
           nixos-hardware.url = "github:nixos/nixos-hardware";

     

       27
        
       

     

       28
       +
           lanzaboote.url = "github:nix-community/lanzaboote";

     

       29
        
           lanzaboote.inputs.nixpkgs.follows = "unixpkgs";

     

       30
        
       

     

       31
        
           srvos.url = "github:nix-community/srvos";

     
···

       38
        
       

     

       39
        
           hypixel-bank-tracker.url = "github:pixilie/hypixel-bank-tracker";

     

       40
        
           hypixel-bank-tracker.inputs.nixpkgs.follows = "nixpkgs";

     

       41
       +
       

     

       42
       +
           nix-alien.url = "github:thiagokokada/nix-alien";

     

       43
       +
           nix-alien.inputs.nixpkgs.follows = "nixpkgs";

     

       44
        
       

     

       45
        
           tangled.url = "git+https://tangled.org/tangled.org/core";

     

       46
        
           tangled.inputs.nixpkgs.follows = "unixpkgs";

+7 -6

home-manager/fragments/git.nix

···

       15
        
         '';

     

       16
        
       

     

       17
        
         config = lib.mkIf cfg.enable {

     

       18
       -
           assertions = [

     

       19
       -
             { assertion = config.local.fragment.agenix.enable; message = "`git` fragment depends on `agenix` fragment"; }

     

       20
       -
           ];

     

       21
       -
       

     

       22
        
           home.sessionVariables = {

     

       23
        
             # Disable annoying warning message

     

       24
        
             GIT_DISCOVERY_ACROSS_FILESYSTEM = 0;

     
···

       133
        
               "credentials \"https://github.com\"".helper = "!${lib.getExe pkgs.gh} auth git-credential";

     

       134
        
       

     

       135
        
               # TODO: change to $PROJECTS env var?

     

       136
       -
               leaveTool.defaultFolder = "~/Development";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       137
        
             };

     

       138
        
           };

     

       139
        
       

     
···

       162
        
               };

     

       163
        
       

     

       164
        
               git = {

     

       165
       -
                 pagers.externalDiffCommand = "difft --color=always";

     

       0
        
       
     

       0
        
       
     

       166
        
               };

     

       167
        
       

     

       168
        
               # to be declarative or not to be declarative?

···

       15
        
         '';

     

       16
        
       

     

       17
        
         config = lib.mkIf cfg.enable {

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
           home.sessionVariables = {

     

       19
        
             # Disable annoying warning message

     

       20
        
             GIT_DISCOVERY_ACROSS_FILESYSTEM = 0;

     
···

       129
        
               "credentials \"https://github.com\"".helper = "!${lib.getExe pkgs.gh} auth git-credential";

     

       130
        
       

     

       131
        
               # TODO: change to $PROJECTS env var?

     

       132
       +
               leaveTool = {

     

       133
       +
                 defaultFolder = "${config.home.homeDirectory}/Development";

     

       134
       +
                 checks = [ "dirty" "ahead-branches" ];

     

       135
       +
               };

     

       136
        
             };

     

       137
        
           };

     

       138
        
       

     
···

       161
        
               };

     

       162
        
       

     

       163
        
               git = {

     

       164
       +
                 pagers = [

     

       165
       +
                   { externalDiffCommand = "difft --color=always"; }

     

       166
       +
                 ];

     

       167
        
               };

     

       168
        
       

     

       169
        
               # to be declarative or not to be declarative?

home-manager/fragments/jujutsu.nix

···

       62
        
       

     

       63
        
               templates = {

     

       64
        
                 log = "custom_log_compact";

     

       0
        
       
     

       65
        
               };

     

       66
        
       

     

       67
        
               ui = {

···

       62
        
       

     

       63
        
               templates = {

     

       64
        
                 log = "custom_log_compact";

     

       65
       +
                 git_push_bookmark = ''"push-" ++ change_id.short()'';

     

       66
        
               };

     

       67
        
       

     

       68
        
               ui = {

+3 -2

home-manager/fragments/shell.nix

···

       29
        
               git_status.disabled = true;

     

       30
        
       

     

       31
        
               nix_shell = {

     

       32
       -
                 format = "via [$symbol]($style) "; # Remove nix shell name

     

       0
        
       
     

       33
        
                 symbol = " ";

     

       34
        
               };

     

       35
        
             };

     
···

       150
        
               '';

     

       151
        
       

     

       152
        
               # Quickly explore a derivation (using registry syntax)

     

       153
       -
               # e.g. `cdd nixpkgs#fontforge` or `cdd unixpkgs#fontforge` 

     

       154
        
               cdd = "cd (nix build --no-link --print-out-paths $argv | ${lib.getExe pkgs.fzf})";

     

       155
        
             } // lib.optionalAttrs (!flags.onlyCached) {

     

       156
        
               # Quickly get outta here to test something

···

       29
        
               git_status.disabled = true;

     

       30
        
       

     

       31
        
               nix_shell = {

     

       32
       +
                  # remove nix shell name

     

       33
       +
                 format = "via [$symbol]($style)";

     

       34
        
                 symbol = " ";

     

       35
        
               };

     

       36
        
             };

     
···

       151
        
               '';

     

       152
        
       

     

       153
        
               # Quickly explore a derivation (using registry syntax)

     

       154
       +
               # e.g. `cdd nixpkgs#fontforge` or `cdd unixpkgs#fontforge`

     

       155
        
               cdd = "cd (nix build --no-link --print-out-paths $argv | ${lib.getExe pkgs.fzf})";

     

       156
        
             } // lib.optionalAttrs (!flags.onlyCached) {

     

       157
        
               # Quickly get outta here to test something

+5 -4

home-manager/fragments/stylix.nix

···

       11
        
         cfg = config.local.fragment.stylix;

     

       12
        
       in

     

       13
        
       {

     

       14
       -
         imports = [ stylix.homeModules.stylix ];

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       15
        
       

     

       16
        
         options.local.fragment.stylix.enable = lib.mkEnableOption ''

     

       17
        
           Stylix related

     
···

       26
        
           stylix = {

     

       27
        
             enable = true;

     

       28
        
             base16Scheme = lib.mkDefault "${pkgs.base16-schemes}/share/themes/onedark-dark.yaml";

     

       29
       -
       

     

       30
       -
             # issues a warning because we use `useGlobalPkgs`

     

       31
       -
             overlays.enable = false;

     

       32
        
       

     

       33
        
             image = ../../assets/wallpaper-binary-cloud.png;

     

       34

···

       11
        
         cfg = config.local.fragment.stylix;

     

       12
        
       in

     

       13
        
       {

     

       14
       +
         imports = [

     

       15
       +
           stylix.homeModules.stylix

     

       16
       +
           # issues a warning because we use `useGlobalPkgs`

     

       17
       +
           { config.stylix.overlays.enable = false; }

     

       18
       +
         ];

     

       19
        
       

     

       20
        
         options.local.fragment.stylix.enable = lib.mkEnableOption ''

     

       21
        
           Stylix related

     
···

       30
        
           stylix = {

     

       31
        
             enable = true;

     

       32
        
             base16Scheme = lib.mkDefault "${pkgs.base16-schemes}/share/themes/onedark-dark.yaml";

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       33
        
       

     

       34
        
             image = ../../assets/wallpaper-binary-cloud.png;

     

       35

home-manager/fragments/sway.nix

···

       164
        
                   repeat_rate = toString 30;

     

       165
        
                 };

     

       166
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       167
        
                 # Split keyboard also acts as a mouse

     

       168
        
                 # "type:touchpad" = { events = "disabled_on_external_mouse"; };

     

       169

···

       164
        
                   repeat_rate = toString 30;

     

       165
        
                 };

     

       166
        
       

     

       167
       +
                 "type:touchpad" = {

     

       168
       +
                   dwt = "enabled";

     

       169
       +
                   tap = "enabled";

     

       170
       +
                   tap_button_map = "lrm";

     

       171
       +
                 };

     

       172
       +
       

     

       173
        
                 # Split keyboard also acts as a mouse

     

       174
        
                 # "type:touchpad" = { events = "disabled_on_external_mouse"; };

     

       175

home-manager/fragments/tools.nix

+1 -1

home-manager/fragments/waybar.nix

···

       232
        
               .modules-right widget .module {

     

       233
        
                 padding: 0 1rem;

     

       234
        
       

     

       235
       -
                 color: @base07; 

     

       236
        
               }

     

       237
        
       

     

       238
        
               /* Round first and last child of left, right and center modules. Disable rounding on the sides*/

···

       232
        
               .modules-right widget .module {

     

       233
        
                 padding: 0 1rem;

     

       234
        
       

     

       235
       +
                 color: @base07;

     

       236
        
               }

     

       237
        
       

     

       238
        
               /* Round first and last child of left, right and center modules. Disable rounding on the sides*/

+1 -1

home-manager/profiles/desktop.nix

···

       125
        
       

     

       126
        
           programs.go = {

     

       127
        
             enable = true;

     

       128
       -
             env.GOPATH = ".local/share/go";

     

       129
        
           };

     

       130
        
       

     

       131
        
           programs.gpg = {

···

       125
        
       

     

       126
        
           programs.go = {

     

       127
        
             enable = true;

     

       128
       +
             env.GOPATH = "${config.home.homeDirectory}/.local/share/go";

     

       129
        
           };

     

       130
        
       

     

       131
        
           programs.gpg = {

+163

hosts/weird-row-server/authelia.nix

···

       1
       +
       { config

     

       2
       +
       , ...

     

       3
       +
       }:

     

       4
       +
       

     

       5
       +
       let

     

       6
       +
         authelia-port = 3008;

     

       7
       +
         authelia-hostname = "auth.wiro.world";

     

       8
       +
       

     

       9
       +
         authelia-metrics-port = 9004;

     

       10
       +
         headscale-hostname = "headscale.wiro.world";

     

       11
       +
         grafana-hostname = "console.net.wiro.world";

     

       12
       +
         miniflux-hostname = "news.wiro.world";

     

       13
       +
       in

     

       14
       +
       {

     

       15
       +
         config = {

     

       16
       +
           age.secrets.authelia-jwt-secret = { file = secrets/authelia-jwt-secret.age; owner = config.services.authelia.instances.main.user; };

     

       17
       +
           age.secrets.authelia-issuer-private-key = { file = secrets/authelia-issuer-private-key.age; owner = config.services.authelia.instances.main.user; };

     

       18
       +
           age.secrets.authelia-storage-key = { file = secrets/authelia-storage-key.age; owner = config.services.authelia.instances.main.user; };

     

       19
       +
           age.secrets.authelia-ldap-password = { file = secrets/authelia-ldap-password.age; owner = config.services.authelia.instances.main.user; };

     

       20
       +
           age.secrets.authelia-smtp-password = { file = secrets/authelia-smtp-password.age; owner = config.services.authelia.instances.main.user; };

     

       21
       +
           services.authelia.instances.main = {

     

       22
       +
             enable = true;

     

       23
       +
       

     

       24
       +
             secrets = {

     

       25
       +
               jwtSecretFile = config.age.secrets.authelia-jwt-secret.path;

     

       26
       +
               oidcIssuerPrivateKeyFile = config.age.secrets.authelia-issuer-private-key.path;

     

       27
       +
               storageEncryptionKeyFile = config.age.secrets.authelia-storage-key.path;

     

       28
       +
             };

     

       29
       +
             environmentVariables = {

     

       30
       +
               AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-ldap-password.path;

     

       31
       +
               AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;

     

       32
       +
             };

     

       33
       +
             settings = {

     

       34
       +
               server.address = "localhost:${toString authelia-port}";

     

       35
       +
               storage.local.path = "/var/lib/authelia-main/db.sqlite3";

     

       36
       +
               telemetry.metrics = {

     

       37
       +
                 enabled = true;

     

       38
       +
                 address = "tcp://:${toString authelia-metrics-port}/metrics";

     

       39
       +
               };

     

       40
       +
       

     

       41
       +
               session = {

     

       42
       +
                 cookies = [{

     

       43
       +
                   domain = "wiro.world";

     

       44
       +
                   authelia_url = "https://${authelia-hostname}";

     

       45
       +
                   default_redirection_url = "https://wiro.world";

     

       46
       +
                 }];

     

       47
       +
               };

     

       48
       +
       

     

       49
       +
               authentication_backend.ldap = {

     

       50
       +
                 address = "ldap://localhost:3890";

     

       51
       +
                 timeout = "5m"; # replace with systemd dependency

     

       52
       +
       

     

       53
       +
                 user = "uid=authelia,ou=people,dc=wiro,dc=world";

     

       54
       +
                 # Set in `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`.

     

       55
       +
                 # password = "";

     

       56
       +
       

     

       57
       +
                 base_dn = "dc=wiro,dc=world";

     

       58
       +
                 users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";

     

       59
       +
                 additional_users_dn = "ou=people";

     

       60
       +
                 groups_filter = "(&(member={dn})(objectClass=groupOfNames))";

     

       61
       +
                 additional_groups_dn = "ou=groups";

     

       62
       +
       

     

       63
       +
                 attributes = {

     

       64
       +
                   username = "uid";

     

       65
       +
                   display_name = "cn";

     

       66
       +
                   given_name = "givenname";

     

       67
       +
                   family_name = "last_name";

     

       68
       +
                   mail = "mail";

     

       69
       +
                   picture = "avatar";

     

       70
       +
       

     

       71
       +
                   group_name = "cn";

     

       72
       +
                 };

     

       73
       +
               };

     

       74
       +
       

     

       75
       +
               access_control = {

     

       76
       +
                 default_policy = "deny";

     

       77
       +
                 # Rules are sequential and do not apply to OIDC

     

       78
       +
                 rules = [

     

       79
       +
                   {

     

       80
       +
                     domain = "headscale.wiro.world";

     

       81
       +
                     policy = "two_factor";

     

       82
       +
       

     

       83
       +
                   }

     

       84
       +
                   {

     

       85
       +
                     domain = "news.wiro.world";

     

       86
       +
                     policy = "one_factor";

     

       87
       +
       

     

       88
       +
                     subject = [ [ "group:miniflux" "oauth2:client:miniflux" ] ];

     

       89
       +
                   }

     

       90
       +
                   {

     

       91
       +
                     domain = "*.wiro.world";

     

       92
       +
                     policy = "two_factor";

     

       93
       +
                   }

     

       94
       +
                 ];

     

       95
       +
               };

     

       96
       +
       

     

       97
       +
               identity_providers.oidc = {

     

       98
       +
                 enforce_pkce = "always";

     

       99
       +
       

     

       100
       +
                 authorization_policies =

     

       101
       +
                   let

     

       102
       +
                     mkStrictPolicy = policy: subject:

     

       103
       +
                       { default_policy = "deny"; rules = [{ inherit policy subject; }]; };

     

       104
       +
                   in

     

       105
       +
                   {

     

       106
       +
                     headscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       107
       +
                     tailscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       108
       +
                     grafana = mkStrictPolicy "one_factor" [ "group:grafana" ];

     

       109
       +
                     miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];

     

       110
       +
                   };

     

       111
       +
       

     

       112
       +
                 claims_policies.headscale = { id_token = [ "email" "name" "preferred_username" "picture" "groups" ]; };

     

       113
       +
       

     

       114
       +
                 clients = [

     

       115
       +
                   {

     

       116
       +
                     client_name = "Headscale";

     

       117
       +
                     client_id = "headscale";

     

       118
       +
                     client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";

     

       119
       +
                     redirect_uris = [ "https://${headscale-hostname}/oidc/callback" ];

     

       120
       +
                     authorization_policy = "headscale";

     

       121
       +
                     claims_policy = "headscale";

     

       122
       +
                   }

     

       123
       +
                   {

     

       124
       +
                     client_name = "Tailscale";

     

       125
       +
                     client_id = "tailscale";

     

       126
       +
                     client_secret = "$pbkdf2-sha256$310000$PcUaup9aWKI9ZLeCF6.avw$FpsTxkDaxcoQlBi8aIacegXpjEDiCI6nXcaHyZ2Sxyc";

     

       127
       +
                     redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];

     

       128
       +
                     authorization_policy = "tailscale";

     

       129
       +
                   }

     

       130
       +
                   {

     

       131
       +
                     client_name = "Grafana Console";

     

       132
       +
                     client_id = "grafana";

     

       133
       +
                     client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";

     

       134
       +
                     redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];

     

       135
       +
                     authorization_policy = "grafana";

     

       136
       +
                   }

     

       137
       +
                   {

     

       138
       +
                     client_name = "Miniflux";

     

       139
       +
                     client_id = "miniflux";

     

       140
       +
                     client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";

     

       141
       +
                     redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];

     

       142
       +
                     authorization_policy = "miniflux";

     

       143
       +
                   }

     

       144
       +
                 ];

     

       145
       +
               };

     

       146
       +
       

     

       147
       +
               notifier.smtp = {

     

       148
       +
                 address = "smtp://smtp.resend.com:2587";

     

       149
       +
                 username = "resend";

     

       150
       +
                 # Set in `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE`.

     

       151
       +
                 # password = "";

     

       152
       +
                 sender = "authelia@wiro.world";

     

       153
       +
               };

     

       154
       +
             };

     

       155
       +
           };

     

       156
       +
       

     

       157
       +
           services.caddy = {

     

       158
       +
             virtualHosts.${authelia-hostname}.extraConfig = ''

     

       159
       +
               reverse_proxy http://localhost:${toString authelia-port}

     

       160
       +
             '';

     

       161
       +
           };

     

       162
       +
         };

     

       163
       +
       }

+143

hosts/weird-row-server/default.nix

···

       1
       +
       { self

     

       2
       +
       , config

     

       3
       +
       , pkgs

     

       4
       +
       , ...

     

       5
       +
       }:

     

       6
       +
       

     

       7
       +
       let

     

       8
       +
         inherit (self.inputs) srvos;

     

       9
       +
       

     

       10
       +
         ext-if = "eth0";

     

       11
       +
         external-ip = "91.99.55.74";

     

       12
       +
         external-netmask = 27;

     

       13
       +
         external-gw = "144.x.x.255";

     

       14
       +
         external-ip6 = "2a01:4f8:c2c:76d2::1";

     

       15
       +
         external-netmask6 = 64;

     

       16
       +
         external-gw6 = "fe80::1";

     

       17
       +
       

     

       18
       +
         website-hostname = "wiro.world";

     

       19
       +
       

     

       20
       +
         static-hostname = "static.wiro.world";

     

       21
       +
       in

     

       22
       +
       {

     

       23
       +
         imports = [

     

       24
       +
           srvos.nixosModules.server

     

       25
       +
           srvos.nixosModules.hardware-hetzner-cloud

     

       26
       +
           srvos.nixosModules.mixins-terminfo

     

       27
       +
       

     

       28
       +
           ./authelia.nix

     

       29
       +
           ./goatcounter.nix

     

       30
       +
           ./grafana.nix

     

       31
       +
           ./headscale.nix

     

       32
       +
           ./hypixel-bank-tracker.nix

     

       33
       +
           ./lldap.nix

     

       34
       +
           ./miniflux.nix

     

       35
       +
           ./pds.nix

     

       36
       +
           ./tangled.nix

     

       37
       +
           ./thelounge.nix

     

       38
       +
           ./tuwunel.nix

     

       39
       +
           ./vaultwarden.nix

     

       40
       +
           ./warrior.nix

     

       41
       +
           ./webfinger.nix

     

       42
       +
         ];

     

       43
       +
       

     

       44
       +
         config = {

     

       45
       +
           boot.loader.grub.enable = true;

     

       46
       +
           boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "ext4" ];

     

       47
       +
       

     

       48
       +
           # Single network card is `eth0`

     

       49
       +
           networking.usePredictableInterfaceNames = false;

     

       50
       +
       

     

       51
       +
           networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ];

     

       52
       +
       

     

       53
       +
           networking = {

     

       54
       +
             interfaces.${ext-if} = {

     

       55
       +
               ipv4.addresses = [{ address = external-ip; prefixLength = external-netmask; }];

     

       56
       +
               ipv6.addresses = [{ address = external-ip6; prefixLength = external-netmask6; }];

     

       57
       +
             };

     

       58
       +
             defaultGateway = { interface = ext-if; address = external-gw; };

     

       59
       +
             defaultGateway6 = { interface = ext-if; address = external-gw6; };

     

       60
       +
       

     

       61
       +
             # Reflect firewall configuration on Hetzner

     

       62
       +
             firewall.allowedTCPPorts = [ 22 80 443 ];

     

       63
       +
           };

     

       64
       +
       

     

       65
       +
           services.qemuGuest.enable = true;

     

       66
       +
       

     

       67
       +
           services.openssh.enable = true;

     

       68
       +
       

     

       69
       +
           # age.secrets.tailscale-authkey.file = secrets/tailscale-authkey.age;

     

       70
       +
           services.tailscale = {

     

       71
       +
             enable = true;

     

       72
       +
             extraSetFlags = [ "--advertise-exit-node" ];

     

       73
       +
             # authKeyFile = config.age.secrets.tailscale-authkey.path;

     

       74
       +
             authKeyParameters = {

     

       75
       +
               baseURL = "https://headscale.wiro.world";

     

       76
       +
               ephemeral = true;

     

       77
       +
               preauthorized = true;

     

       78
       +
             };

     

       79
       +
           };

     

       80
       +
       

     

       81
       +
           security.sudo.wheelNeedsPassword = false;

     

       82
       +
       

     

       83
       +
           local.fragment.nix.enable = true;

     

       84
       +
       

     

       85
       +
           programs.fish.enable = true;

     

       86
       +
       

     

       87
       +
           services.fail2ban = {

     

       88
       +
             enable = true;

     

       89
       +
       

     

       90
       +
             maxretry = 5;

     

       91
       +
             ignoreIP = [ ];

     

       92
       +
       

     

       93
       +
             bantime = "24h";

     

       94
       +
             bantime-increment = {

     

       95
       +
               enable = true;

     

       96
       +
               multipliers = "1 2 4 8 16 32 64";

     

       97
       +
               maxtime = "168h";

     

       98
       +
               overalljails = true;

     

       99
       +
             };

     

       100
       +
       

     

       101
       +
             jails = { };

     

       102
       +
           };

     

       103
       +
       

     

       104
       +
           age.secrets.caddy-env.file = secrets/caddy-env.age;

     

       105
       +
           services.caddy = {

     

       106
       +
             enable = true;

     

       107
       +
             package = pkgs.caddy.withPlugins {

     

       108
       +
               plugins = [

     

       109
       +
                 "github.com/caddy-dns/hetzner/v2@v2.0.0-preview-1"

     

       110
       +
                 "github.com/tailscale/caddy-tailscale@v0.0.0-20251016213337-01d084e119cb"

     

       111
       +
               ];

     

       112
       +
               hash = "sha256-muKwDYs5Jp4ib/psZxpp1Kyfsqz6wPz/lpHFGtx67uY=";

     

       113
       +
             };

     

       114
       +
       

     

       115
       +
             environmentFile = config.age.secrets.caddy-env.path;

     

       116
       +
       

     

       117
       +
             globalConfig = ''

     

       118
       +
               tailscale {

     

       119
       +
                 # this caddy instance already proxies headscale but needs to access headscale to start

     

       120
       +
                 # control_url https://headscale.wiro.world

     

       121
       +
                 control_url http://localhost:3006

     

       122
       +
       

     

       123
       +
                 ephemeral

     

       124
       +
               }

     

       125
       +
             '';

     

       126
       +
       

     

       127
       +
             virtualHosts.${website-hostname}.extraConfig =

     

       128
       +
               # TODO: host website on server with automatic deployment

     

       129
       +
               ''

     

       130
       +
                 reverse_proxy https://mrnossiom.github.io {

     

       131
       +
                 	header_up Host {http.request.host}

     

       132
       +
                 }

     

       133
       +
               '';

     

       134
       +
       

     

       135
       +
             virtualHosts.${static-hostname}.extraConfig = ''

     

       136
       +
               root /var/www/static

     

       137
       +
               file_server browse

     

       138
       +
             '';

     

       139
       +
           };

     

       140
       +
       

     

       141
       +
           # TODO: use bind to declare dns records declaratively

     

       142
       +
         };

     

       143
       +
       }

+25

hosts/weird-row-server/goatcounter.nix

···

       1
       +
       { config

     

       2
       +
       , ...

     

       3
       +
       }:

     

       4
       +
       

     

       5
       +
       let

     

       6
       +
         goatcounter-port = 3010;

     

       7
       +
         goatcounter-hostname = "stats.wiro.world";

     

       8
       +
       in

     

       9
       +
       {

     

       10
       +
         config = {

     

       11
       +
           services.goatcounter = {

     

       12
       +
             enable = true;

     

       13
       +
       

     

       14
       +
             port = goatcounter-port;

     

       15
       +
             proxy = true;

     

       16
       +
             extraArgs = [ "-automigrate" ];

     

       17
       +
           };

     

       18
       +
       

     

       19
       +
           services.caddy = {

     

       20
       +
             virtualHosts.${goatcounter-hostname}.extraConfig = ''

     

       21
       +
               reverse_proxy http://localhost:${toString config.services.goatcounter.port}

     

       22
       +
             '';

     

       23
       +
           };

     

       24
       +
         };

     

       25
       +
       }

+85

hosts/weird-row-server/grafana.nix

···

       1
       +
       { config

     

       2
       +
       , ...

     

       3
       +
       }:

     

       4
       +
       

     

       5
       +
       let

     

       6
       +
         grafana-port = 3002;

     

       7
       +
         grafana-hostname = "console.net.wiro.world";

     

       8
       +
       

     

       9
       +
         prometheus-port = 9001;

     

       10
       +
         prometheus-node-exporter-port = 9002;

     

       11
       +
         caddy-metrics-port = 2019;

     

       12
       +
         authelia-metrics-port = 9004;

     

       13
       +
         headscale-metrics-port = 9003;

     

       14
       +
       in

     

       15
       +
       {

     

       16
       +
         config = {

     

       17
       +
           age.secrets.grafana-oidc-secret = { file = secrets/grafana-oidc-secret.age; owner = "grafana"; };

     

       18
       +
           services.grafana = {

     

       19
       +
             enable = true;

     

       20
       +
       

     

       21
       +
             settings = {

     

       22
       +
               server = {

     

       23
       +
                 http_port = grafana-port;

     

       24
       +
                 domain = grafana-hostname;

     

       25
       +
                 root_url = "https://${grafana-hostname}";

     

       26
       +
               };

     

       27
       +
       

     

       28
       +
               "auth.generic_oauth" = {

     

       29
       +
                 enable = true;

     

       30
       +
                 name = "Authelia";

     

       31
       +
                 icon = "signin";

     

       32
       +
       

     

       33
       +
                 client_id = "grafana";

     

       34
       +
                 client_secret_path = config.age.secrets.grafana-oidc-secret.path;

     

       35
       +
                 auto_login = true;

     

       36
       +
       

     

       37
       +
                 scopes = [ "openid" "profile" "email" "groups" ];

     

       38
       +
                 auth_url = "https://auth.wiro.world/api/oidc/authorization";

     

       39
       +
                 token_url = "https://auth.wiro.world/api/oidc/token";

     

       40
       +
                 api_url = "https://auth.wiro.world/api/oidc/userinfo";

     

       41
       +
                 use_pkce = true;

     

       42
       +
               };

     

       43
       +
             };

     

       44
       +
           };

     

       45
       +
       

     

       46
       +
           services.prometheus = {

     

       47
       +
             enable = true;

     

       48
       +
             port = prometheus-port;

     

       49
       +
       

     

       50
       +
             exporters.node = {

     

       51
       +
               enable = true;

     

       52
       +
               port = prometheus-node-exporter-port;

     

       53
       +
             };

     

       54
       +
       

     

       55
       +
             scrapeConfigs = [

     

       56
       +
               {

     

       57
       +
                 job_name = "caddy";

     

       58
       +
                 static_configs = [{ targets = [ "localhost:${toString caddy-metrics-port}" ]; }];

     

       59
       +
               }

     

       60
       +
               {

     

       61
       +
                 job_name = "node-exporter";

     

       62
       +
                 static_configs = [{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }];

     

       63
       +
               }

     

       64
       +
               {

     

       65
       +
                 job_name = "headscale";

     

       66
       +
                 static_configs = [{ targets = [ "localhost:${toString headscale-metrics-port}" ]; }];

     

       67
       +
               }

     

       68
       +
               {

     

       69
       +
                 job_name = "authelia";

     

       70
       +
                 static_configs = [{ targets = [ "localhost:${toString authelia-metrics-port}" ]; }];

     

       71
       +
               }

     

       72
       +
             ];

     

       73
       +
           };

     

       74
       +
       

     

       75
       +
           services.caddy = {

     

       76
       +
             globalConfig = ''

     

       77
       +
               metrics { per_host }

     

       78
       +
             '';

     

       79
       +
             virtualHosts."http://${grafana-hostname}".extraConfig = ''

     

       80
       +
               bind tailscale/console

     

       81
       +
               reverse_proxy http://localhost:${toString grafana-port}

     

       82
       +
             '';

     

       83
       +
           };

     

       84
       +
         };

     

       85
       +
       }

+84

hosts/weird-row-server/headscale.nix

···

       1
       +
       { pkgs

     

       2
       +
       , config

     

       3
       +
       , ...

     

       4
       +
       }:

     

       5
       +
       

     

       6
       +
       let

     

       7
       +
         json-format = pkgs.formats.json { };

     

       8
       +
       

     

       9
       +
         headscale-port = 3006;

     

       10
       +
         headscale-derp-port = 3478;

     

       11
       +
         headscale-hostname = "headscale.wiro.world";

     

       12
       +
       

     

       13
       +
         headscale-metrics-port = 9003;

     

       14
       +
       in

     

       15
       +
       {

     

       16
       +
         config = {

     

       17
       +
           networking.firewall.allowedUDPPorts = [ headscale-derp-port ];

     

       18
       +
       

     

       19
       +
           age.secrets.headscale-oidc-secret = { file = secrets/headscale-oidc-secret.age; owner = config.services.headscale.user; };

     

       20
       +
           services.headscale = {

     

       21
       +
             enable = true;

     

       22
       +
       

     

       23
       +
             port = headscale-port;

     

       24
       +
             settings = {

     

       25
       +
               server_url = "https://${headscale-hostname}";

     

       26
       +
               metrics_listen_addr = "127.0.0.1:${toString headscale-metrics-port}";

     

       27
       +
       

     

       28
       +
               policy.path = json-format.generate "policy.json" {

     

       29
       +
                 acls = [

     

       30
       +
                   {

     

       31
       +
                     action = "accept";

     

       32
       +
                     src = [ "autogroup:member" ];

     

       33
       +
                     dst = [ "autogroup:self:*" ];

     

       34
       +
                   }

     

       35
       +
                 ];

     

       36
       +
                 ssh = [

     

       37
       +
                   {

     

       38
       +
                     action = "accept";

     

       39
       +
                     src = [ "autogroup:member" ];

     

       40
       +
                     dst = [ "autogroup:self" ];

     

       41
       +
                     # Adding root here is privilege escalation as a feature :)

     

       42
       +
                     users = [ "autogroup:nonroot" ];

     

       43
       +
                   }

     

       44
       +
                 ];

     

       45
       +
               };

     

       46
       +
       

     

       47
       +
               # disable TLS

     

       48
       +
               tls_cert_path = null;

     

       49
       +
               tls_key_path = null;

     

       50
       +
       

     

       51
       +
               dns = {

     

       52
       +
                 magic_dns = true;

     

       53
       +
                 base_domain = "net.wiro.world";

     

       54
       +
       

     

       55
       +
                 override_local_dns = true;

     

       56
       +
                 # Quad9 nameservers

     

       57
       +
                 nameservers.global = [ "9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9" ];

     

       58
       +
               };

     

       59
       +
       

     

       60
       +
               oidc = {

     

       61
       +
                 only_start_if_oidc_is_available = true;

     

       62
       +
                 issuer = "https://auth.wiro.world";

     

       63
       +
                 client_id = "headscale";

     

       64
       +
                 client_secret_path = config.age.secrets.headscale-oidc-secret.path;

     

       65
       +
                 scope = [ "openid" "profile" "email" "groups" ];

     

       66
       +
                 pkce.enabled = true;

     

       67
       +
               };

     

       68
       +
       

     

       69
       +
               derp.server = {

     

       70
       +
                 enable = true;

     

       71
       +
                 stun_listen_addr = "0.0.0.0:${toString headscale-derp-port}";

     

       72
       +
               };

     

       73
       +
             };

     

       74
       +
           };

     

       75
       +
           # headscale only starts if oidc is available

     

       76
       +
           systemd.services.headscale.after = [ "authelia-main.service" ];

     

       77
       +
       

     

       78
       +
           services.caddy = {

     

       79
       +
             virtualHosts.${headscale-hostname}.extraConfig = ''

     

       80
       +
               reverse_proxy http://localhost:${toString headscale-port}

     

       81
       +
             '';

     

       82
       +
           };

     

       83
       +
         };

     

       84
       +
       }

+42

hosts/weird-row-server/hypixel-bank-tracker.nix

···

       1
       +
       { self

     

       2
       +
       , config

     

       3
       +
       , ...

     

       4
       +
       }:

     

       5
       +
       

     

       6
       +
       let

     

       7
       +
         inherit (self.inputs) hypixel-bank-tracker;

     

       8
       +
       

     

       9
       +
         hbt-main-port = 3013;

     

       10
       +
         hbt-banana-port = 3014;

     

       11
       +
       in

     

       12
       +
       {

     

       13
       +
         imports = [ hypixel-bank-tracker.nixosModules.default ];

     

       14
       +
       

     

       15
       +
         config = {

     

       16
       +
           age.secrets.hypixel-bank-tracker-main.file = secrets/hypixel-bank-tracker-main.age;

     

       17
       +
           services.hypixel-bank-tracker.instances.main = {

     

       18
       +
             enable = true;

     

       19
       +
       

     

       20
       +
             port = hbt-main-port;

     

       21
       +
             environmentFile = config.age.secrets.hypixel-bank-tracker-main.path;

     

       22
       +
           };

     

       23
       +
       

     

       24
       +
           age.secrets.hypixel-bank-tracker-banana.file = secrets/hypixel-bank-tracker-banana.age;

     

       25
       +
           services.hypixel-bank-tracker.instances.banana = {

     

       26
       +
             enable = true;

     

       27
       +
       

     

       28
       +
             port = hbt-banana-port;

     

       29
       +
             environmentFile = config.age.secrets.hypixel-bank-tracker-banana.path;

     

       30
       +
           };

     

       31
       +
       

     

       32
       +
           services.caddy = {

     

       33
       +
             virtualHosts."hypixel-bank-tracker.xyz".extraConfig = ''

     

       34
       +
               reverse_proxy http://localhost:${toString config.services.hypixel-bank-tracker.instances.main.port}

     

       35
       +
             '';

     

       36
       +
       

     

       37
       +
             virtualHosts."banana.hypixel-bank-tracker.xyz".extraConfig = ''

     

       38
       +
               reverse_proxy http://localhost:${toString config.services.hypixel-bank-tracker.instances.banana.port}

     

       39
       +
             '';

     

       40
       +
           };

     

       41
       +
         };

     

       42
       +
       }

+39

hosts/weird-row-server/lldap.nix

···

       1
       +
       { config

     

       2
       +
       , ...

     

       3
       +
       }:

     

       4
       +
       

     

       5
       +
       let

     

       6
       +
         lldap-port = 3007;

     

       7
       +
         lldap-hostname = "ldap.net.wiro.world";

     

       8
       +
       in

     

       9
       +
       {

     

       10
       +
         config = {

     

       11
       +
           age.secrets.lldap-env.file = secrets/lldap-env.age;

     

       12
       +
           users.users.lldap = { isSystemUser = true; group = "lldap"; };

     

       13
       +
           users.groups.lldap = { };

     

       14
       +
           age.secrets.lldap-user-pass = { file = secrets/lldap-user-pass.age; owner = "lldap"; };

     

       15
       +
           services.lldap = {

     

       16
       +
             enable = true;

     

       17
       +
       

     

       18
       +
             silenceForceUserPassResetWarning = true;

     

       19
       +
       

     

       20
       +
             settings = {

     

       21
       +
               http_url = "https://${lldap-hostname}";

     

       22
       +
               http_port = lldap-port;

     

       23
       +
       

     

       24
       +
               ldap_user_pass_file = config.age.secrets.lldap-user-pass.path;

     

       25
       +
               force_ldap_user_pass_reset = false;

     

       26
       +
       

     

       27
       +
               ldap_base_dn = "dc=wiro,dc=world";

     

       28
       +
             };

     

       29
       +
             environmentFile = config.age.secrets.lldap-env.path;

     

       30
       +
           };

     

       31
       +
       

     

       32
       +
           services.caddy = {

     

       33
       +
             virtualHosts."http://${lldap-hostname}".extraConfig = ''

     

       34
       +
               bind tailscale/ldap

     

       35
       +
               reverse_proxy http://localhost:${toString config.services.lldap.settings.http_port}

     

       36
       +
             '';

     

       37
       +
           };

     

       38
       +
         };

     

       39
       +
       }

+52

hosts/weird-row-server/miniflux.nix

···

       1
       +
       { config

     

       2
       +
       , ...

     

       3
       +
       }:

     

       4
       +
       

     

       5
       +
       let

     

       6
       +
         miniflux-port = 3012;

     

       7
       +
         miniflux-hostname = "news.wiro.world";

     

       8
       +
       in

     

       9
       +
       {

     

       10
       +
         config = {

     

       11
       +
           users.users.miniflux = { isSystemUser = true; group = "miniflux"; };

     

       12
       +
           users.groups.miniflux = { };

     

       13
       +
           age.secrets.miniflux-oidc-secret = { file = secrets/miniflux-oidc-secret.age; owner = "miniflux"; };

     

       14
       +
           services.miniflux = {

     

       15
       +
             enable = true;

     

       16
       +
       

     

       17
       +
             createDatabaseLocally = true;

     

       18
       +
             config = {

     

       19
       +
               BASE_URL = "https://${miniflux-hostname}/";

     

       20
       +
               LISTEN_ADDR = "127.0.0.1:${toString miniflux-port}";

     

       21
       +
               CREATE_ADMIN = 0;

     

       22
       +
       

     

       23
       +
               METRICS_COLLECTOR = 1;

     

       24
       +
       

     

       25
       +
               OAUTH2_PROVIDER = "oidc";

     

       26
       +
               OAUTH2_OIDC_PROVIDER_NAME = "wiro.world SSO";

     

       27
       +
               OAUTH2_CLIENT_ID = "miniflux";

     

       28
       +
               OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux-oidc-secret.path;

     

       29
       +
               OAUTH2_REDIRECT_URL = "https://${miniflux-hostname}/oauth2/oidc/callback";

     

       30
       +
               OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.wiro.world";

     

       31
       +
               OAUTH2_USER_CREATION = 1;

     

       32
       +
               DISABLE_LOCAL_AUTH = 1;

     

       33
       +
       

     

       34
       +
               RUN_MIGRATIONS = 1;

     

       35
       +
       

     

       36
       +
               # NetNewsWire is a very good iOS oss client that integrates well

     

       37
       +
               # https://b.j4.lc/2025/05/05/setting-up-netnewswire-with-miniflux/

     

       38
       +
             };

     

       39
       +
           };

     

       40
       +
       

     

       41
       +
           services.prometheus.scrapeConfigs = [{

     

       42
       +
             job_name = "miniflux";

     

       43
       +
             static_configs = [{ targets = [ "localhost:${toString miniflux-port}" ]; }];

     

       44
       +
           }];

     

       45
       +
       

     

       46
       +
           services.caddy = {

     

       47
       +
             virtualHosts.${miniflux-hostname}.extraConfig = ''

     

       48
       +
               reverse_proxy http://localhost:${toString miniflux-port}

     

       49
       +
             '';

     

       50
       +
           };

     

       51
       +
         };

     

       52
       +
       }

+43

hosts/weird-row-server/pds.nix

···

       1
       +
       { config

     

       2
       +
       , ...

     

       3
       +
       }:

     

       4
       +
       

     

       5
       +
       let

     

       6
       +
         pds-port = 3001;

     

       7
       +
         pds-hostname = "pds.wiro.world";

     

       8
       +
       in

     

       9
       +
       {

     

       10
       +
         config = {

     

       11
       +
           age.secrets.pds-env.file = secrets/pds-env.age;

     

       12
       +
           services.bluesky-pds = {

     

       13
       +
             enable = true;

     

       14
       +
       

     

       15
       +
             settings = {

     

       16
       +
               PDS_HOSTNAME = "pds.wiro.world";

     

       17
       +
               PDS_PORT = pds-port;

     

       18
       +
               # is in systemd /tmp subfolder

     

       19
       +
               LOG_DESTINATION = "/tmp/pds.log";

     

       20
       +
             };

     

       21
       +
       

     

       22
       +
             environmentFiles = [

     

       23
       +
               config.age.secrets.pds-env.path

     

       24
       +
             ];

     

       25
       +
           };

     

       26
       +
       

     

       27
       +
           services.caddy = {

     

       28
       +
             globalConfig = ''

     

       29
       +
               on_demand_tls {

     

       30
       +
                 ask http://localhost:${toString pds-port}/tls-check

     

       31
       +
               }

     

       32
       +
             '';

     

       33
       +
       

     

       34
       +
             virtualHosts.${pds-hostname} = {

     

       35
       +
               serverAliases = [ "*.${pds-hostname}" ];

     

       36
       +
               extraConfig = ''

     

       37
       +
               	tls { on_demand }

     

       38
       +
                 reverse_proxy http://localhost:${toString config.services.bluesky-pds.settings.PDS_HOSTNAME}

     

       39
       +
               '';

     

       40
       +
             };

     

       41
       +
           };

     

       42
       +
         };

     

       43
       +
       }

hosts/weird-row-server/secrets/authelia-issuer-private-key.age

This is a binary file and will not be displayed.

hosts/weird-row-server/secrets/authelia-jwt-secret.age

This is a binary file and will not be displayed.

hosts/weird-row-server/secrets/authelia-ldap-password.age

This is a binary file and will not be displayed.

hosts/weird-row-server/secrets/authelia-smtp-password.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 sMF1bg 0duJYaUlZd2G3tYi7CuV+c7KNaqWusLoMpoILvaajgc

     

       3
       +
       AnAlDVzRdeoXGXvyllhSNCoDQjZ+nucLGHCfPWR8IBQ

     

       4
       +
       -> ssh-ed25519 SmMcWg oX82fe4sQmKyjJqv9AFRY6Bww43V/8myNRsN9/M8Sho

     

       5
       +
       Et6ycO8hm2XV36X5q7iO+nJCtjkYoq6mDBEssrjt/70

     

       6
       +
       -> ssh-ed25519 Q8rMFA /gU1tIVjqExV8NXB1gSDsWIXpVfxm3zPJX7xOAqeqWM

     

       7
       +
       szrd67kHWslLO+jMCuDmzYR0LPVVzd7idgl3AKt+USU

     

       8
       +
       --- ojxyQVhx4rX+x5gzEEx8KFiorwywqEEyTNWUJY39jIk

     

       9
       +
       �������ş*
l��1����=n�Ŏ��(�	�Iamz~B�����������鰦�.�.Z>�',p��

+11

hosts/weird-row-server/secrets/authelia-storage-key.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 sMF1bg PYC6LaFo/DTQlRMewqbVtS4lzVtKyuFZQSqCrQwwEyg

     

       3
       +
       kj0sHy8IpnBsMBQy/XYtj2pLXlk6wprF3MxjFTOiZ6E

     

       4
       +
       -> ssh-ed25519 SmMcWg rvlLGzf6D96Dh1lL8as2vjc3PB7G/86U8AR7/lAELT0

     

       5
       +
       qcdOqVV6o+5OfJYj5pfZ62hOnrBQwY0DAeIJkLoyYss

     

       6
       +
       -> ssh-ed25519 Q8rMFA eALgQVN5OA0EuYYEyEbFnju/Yii71e+xcs98LkXnyyo

     

       7
       +
       Rbxu60qvXKdFaJ7lfs7LeYx37TIKYK2Gxw2QcxF3soA

     

       8
       +
       --- ryt5q5lXn1Cyn4T6RSU1IR7dHZOTbyanaG6ZqeYYGBQ

     

       9
       +
       �G���*	\�ʕ�|���

     

       10
       +
       �S�T���z�!
�FIG͍��,��2Q��+�s�76Z�D`��Q�hM�],��E7�2<Q�

     

       11
       +
       ?ׯ�t��u\���xpe/rrR��L}��S��g�%�:�Oj����{T%h��D�~�+DЫ��W%� �ŗ�r�v$%m$

hosts/weird-row-server/secrets/caddy-env.age

This is a binary file and will not be displayed.

+27

hosts/weird-row-server/secrets/default.nix

···

       1
       +
       keys:

     

       2
       +
       let

     

       3
       +
         inherit (keys) servers users;

     

       4
       +
         deploy = servers ++ users;

     

       5
       +
       in

     

       6
       +
       {

     

       7
       +
         # Defines `PDS_JWT_SECRET`, `PDS_ADMIN_PASSWORD`, `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX`, `PDS_EMAIL_SMTP_URL`, `PDS_EMAIL_FROM_ADDRESS`.

     

       8
       +
         "pds-env.age".publicKeys = deploy;

     

       9
       +
         # Defines `LLDAP_JWT_SECRET`, `LLDAP_KEY_SEED`.

     

       10
       +
         "lldap-env.age".publicKeys = deploy;

     

       11
       +
         "lldap-user-pass.age".publicKeys = deploy;

     

       12
       +
         "headscale-oidc-secret.age".publicKeys = deploy;

     

       13
       +
         "grafana-oidc-secret.age".publicKeys = deploy;

     

       14
       +
         "authelia-jwt-secret.age".publicKeys = deploy;

     

       15
       +
         "authelia-issuer-private-key.age".publicKeys = deploy;

     

       16
       +
         "authelia-storage-key.age".publicKeys = deploy;

     

       17
       +
         "authelia-ldap-password.age".publicKeys = deploy;

     

       18
       +
         "authelia-smtp-password.age".publicKeys = deploy;

     

       19
       +
         "tuwunel-registration-tokens.age".publicKeys = deploy;

     

       20
       +
         # Defines `SMTP_PASSWORD`

     

       21
       +
         "vaultwarden-env.age".publicKeys = deploy;

     

       22
       +
         "miniflux-oidc-secret.age".publicKeys = deploy;

     

       23
       +
         # Defines `HYPIXEL_API_KEY`, `PROFILE_UUID`

     

       24
       +
         "hypixel-bank-tracker-main.age".publicKeys = deploy;

     

       25
       +
         "hypixel-bank-tracker-banana.age".publicKeys = deploy;

     

       26
       +
         "caddy-env.age".publicKeys = deploy;

     

       27
       +
       }

hosts/weird-row-server/secrets/grafana-oidc-secret.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 sMF1bg 2+JZ3WMnTgnnNYmJqdqAtOsEIk9pAefHfwLcXZQpqlg

     

       3
       +
       yE0R9b0mSzoT6mvoWUG829UmkgGkm6vg0i7WLORaTis

     

       4
       +
       -> ssh-ed25519 SmMcWg c8goAmCIPQ5rsTwoOej9ndGc0uBpWILSn/wy6XJHK14

     

       5
       +
       ArjlEl4hxi4N6Py1emxgxUFKvSXIwLWsy6HrWNqJUHw

     

       6
       +
       -> ssh-ed25519 Q8rMFA t72V+A0n5Tnb0VqvBrzt3j75CbcfvQltodKMhF64SXY

     

       7
       +
       V+Ynzd4tIUI8JPy9uyoi+frW6wJnQxDavHAqnp/lem8

     

       8
       +
       --- mzRky/dA1MDArnDSSaGyZP9yAQgD2va4MfopbrdM0iU

     

       9
       +
       ��*�٪l����a5�QE£uަ��"�;��3�l.!`	�u�
_+)$��d��ˤ����ff�F��mѳc�a�EV��Nߧ��,�@����

hosts/weird-row-server/secrets/headscale-oidc-secret.age

This is a binary file and will not be displayed.

hosts/weird-row-server/secrets/hypixel-bank-tracker-banana.age

This is a binary file and will not be displayed.

+12

hosts/weird-row-server/secrets/hypixel-bank-tracker-main.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 sMF1bg B3wX5eWrSUivBKJzdiSOVvWEdGuZvGJHVDCCSFa29kw

     

       3
       +
       F1H0QzBPS1FPvactH7z3OvR5wPdawkMzIj1awUmkrqA

     

       4
       +
       -> ssh-ed25519 SmMcWg DtmTaO1Ox4y+AyZbOgaJU2PxMRdHloHECLOrvdI/g28

     

       5
       +
       my6GKU1rxPyClyos0efuInWok5w3xwwoJ4p3M6roBIw

     

       6
       +
       -> ssh-ed25519 Q8rMFA LKyAN4v78N/OcleCPuYpPlZ0se5Dmp4qiWynY4zTfDo

     

       7
       +
       2lOqk3QF2lB/b7Md6yWq4R2jn+J3PiATIkrFUxgt104

     

       8
       +
       -> OR`n;K-grease

     

       9
       +
       lWGBER6K10zAcNHyiUMJAnJ84h1ppo5MJ5ztgw

     

       10
       +
       --- abe4RLNH3d9h7UpWD3PRIBgHWagt8cU+AHIFbX1D9/E

     

       11
       +
       �LJu���k؜��_��%��|�J]��KN��?]��tR�<�]�|���ߟ��¾FzU��������:�Y��TX����p,9v6q�7�~�y�]X���͇ǷR5՚>[������#�#�-

     

       12
       +
       cM,1Ǜ"M��"'F�W�3o�

hosts/weird-row-server/secrets/lldap-env.age

This is a binary file and will not be displayed.

+11

hosts/weird-row-server/secrets/lldap-user-pass.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 sMF1bg rkX6nxV4pATfwzkzJtI08/Z0bvi0wYwnLJsppUAsz20

     

       3
       +
       X+znUc5AKAunPqr1jdq10obvQBU+rqs/LmeQaZzI+F4

     

       4
       +
       -> ssh-ed25519 SmMcWg xaZtLP6GOocdiMf3hgoujWigGgi7KxDUMGuPYNqS8WU

     

       5
       +
       00Y+8L4QssKFqRlGB2e0yiv9SyoqbxeZ/lWL6DCLlpo

     

       6
       +
       -> ssh-ed25519 Q8rMFA kHA5wVVhmpodSn3OcZuc78xttymjOoy9voa8GqIE+F8

     

       7
       +
       a7HpZf6sjmxr49QoV9tXrATheu8u20JmKCEIkmAZdhA

     

       8
       +
       -> U=6S`1*-grease \8na]onc

     

       9
       +
       PP5XQ1vbpadHeiMBOkmEccTIAg

     

       10
       +
       --- 1hkJN6ZLX8GJ8y0WuFcMEv66om+Phc0wYJFKCB8Amzg

     

       11
       +
       �M�	��}ޘ*;f��y��]����2ef���}�d������J�\��8�h��1�u� ������SHN��yS�D>W��x�J���yh������

hosts/weird-row-server/secrets/miniflux-oidc-secret.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 sMF1bg E4UVPOuq5ZUSxGvIvr0Tod9PQRqDdqHu2Byv4fKi2io

     

       3
       +
       FcdCyfLmRCmK5rmoLQ/m1KOJe9Etu9N/GHCM5lWCIPE

     

       4
       +
       -> ssh-ed25519 SmMcWg wrKv3V6uSLnWQqIp65Rgi0qv7lQtyOXaxnahMo+s3EU

     

       5
       +
       mXsJ1CbS3pzstf3xaWWF150+aXxW2kY2J5kAZWqtl+A

     

       6
       +
       -> ssh-ed25519 Q8rMFA 91npFfTkw9Ur6aZp/pLzLUOIwwPJ9OA1peaZyTlROBU

     

       7
       +
       12sib8HLjvgN06X6H0/AN4wMewQ8xup813DauZKQ+QY

     

       8
       +
       --- /AGwAMAsPvvuRH6PPNrizBCsJedclYzdj6Kq4V3mx0o

     

       9
       +
       zN��0�=�YP������rլ�!U�n;���n���/��}mCo�F��������!z���r������)u��o�3�>��>Z�f�񡤙1Ň
����

hosts/weird-row-server/secrets/pds-env.age

This is a binary file and will not be displayed.

hosts/weird-row-server/secrets/tuwunel-registration-tokens.age

···

       1
       +
       age-encryption.org/v1

     

       2
       +
       -> ssh-ed25519 sMF1bg TVYRDtTe5khTJo0q8ShrR5o1WBrbK2htHjYCvi5QYAA

     

       3
       +
       kx6Hke5RAZFfugR4aU28SRh4U8e4ymzeIY/+kYlAWhw

     

       4
       +
       -> ssh-ed25519 SmMcWg AyJOM5lQHETeGiI/V5vUtu2vD6PqCZNnuTPvfnU90zE

     

       5
       +
       9vM7/8JUbScHaeDWig16MgqtULryofSrRqhw2OMWfBs

     

       6
       +
       -> ssh-ed25519 Q8rMFA TeUNtmHquyhhDrXf+zXY56oTGvzkhkaReIoBx5Yb+TE

     

       7
       +
       DLfVy9cO1JrVln9CHV1ag66z2kIMrVzhcaIugLytojE

     

       8
       +
       --- nr/3KZTVXNdemLdmp2bO2bjxKDHvcy3gezZKYN5Z1qI

     

       9
       +
       �"��Z8��ԛ�GvJ�{��(�V9��1�N"��o���o����Х�oJ�~�1�!�}Egd�!�

hosts/weird-row-server/secrets/vaultwarden-env.age

This is a binary file and will not be displayed.

+54

hosts/weird-row-server/tangled.nix

···

       1
       +
       { self

     

       2
       +
       , config

     

       3
       +
       , ...

     

       4
       +
       }:

     

       5
       +
       

     

       6
       +
       let

     

       7
       +
         inherit (self.inputs) tangled;

     

       8
       +
       

     

       9
       +
         tangled-owner = "did:plc:xhgrjm4mcx3p5h3y6eino6ti";

     

       10
       +
         tangled-knot-port = 3003;

     

       11
       +
         tangled-knot-hostname = "knot.wiro.world";

     

       12
       +
         tangled-spindle-port = 3004;

     

       13
       +
         tangled-spindle-hostname = "spindle.wiro.world";

     

       14
       +
       in

     

       15
       +
       {

     

       16
       +
         imports = [

     

       17
       +
           tangled.nixosModules.knot

     

       18
       +
           tangled.nixosModules.spindle

     

       19
       +
         ];

     

       20
       +
       

     

       21
       +
         config = {

     

       22
       +
           services.tangled.knot = {

     

       23
       +
             enable = true;

     

       24
       +
             openFirewall = true;

     

       25
       +
       

     

       26
       +
             motd = "Welcome to @wiro.world's knot!\n";

     

       27
       +
             server = {

     

       28
       +
               listenAddr = "localhost:${toString tangled-knot-port}";

     

       29
       +
               hostname = tangled-knot-hostname;

     

       30
       +
               owner = tangled-owner;

     

       31
       +
             };

     

       32
       +
           };

     

       33
       +
       

     

       34
       +
           services.tangled.spindle = {

     

       35
       +
             enable = true;

     

       36
       +
       

     

       37
       +
             server = {

     

       38
       +
               listenAddr = "localhost:${toString tangled-spindle-port}";

     

       39
       +
               hostname = tangled-spindle-hostname;

     

       40
       +
               owner = tangled-owner;

     

       41
       +
             };

     

       42
       +
           };

     

       43
       +
       

     

       44
       +
           services.caddy = {

     

       45
       +
             virtualHosts.${tangled-knot-hostname}.extraConfig = ''

     

       46
       +
               reverse_proxy http://localhost:${toString tangled-knot-port}

     

       47
       +
             '';

     

       48
       +
       

     

       49
       +
             virtualHosts.${tangled-spindle-hostname}.extraConfig = ''

     

       50
       +
               reverse_proxy http://localhost:${toString tangled-spindle-port}

     

       51
       +
             '';

     

       52
       +
           };

     

       53
       +
         };

     

       54
       +
       }

+31

hosts/weird-row-server/thelounge.nix

···

       1
       +
       { config

     

       2
       +
       , ...

     

       3
       +
       }:

     

       4
       +
       

     

       5
       +
       let

     

       6
       +
         thelounge-port = 3005;

     

       7
       +
         thelounge-hostname = "irc-lounge.net.wiro.world";

     

       8
       +
       in

     

       9
       +
       {

     

       10
       +
         config = {

     

       11
       +
           services.thelounge = {

     

       12
       +
             enable = true;

     

       13
       +
             port = thelounge-port;

     

       14
       +
             public = false;

     

       15
       +
       

     

       16
       +
             extraConfig = {

     

       17
       +
               host = "127.0.0.1";

     

       18
       +
               reverseProxy = true;

     

       19
       +
       

     

       20
       +
               # TODO: use ldap, find a way to hide password

     

       21
       +
             };

     

       22
       +
           };

     

       23
       +
       

     

       24
       +
           services.caddy = {

     

       25
       +
             virtualHosts."http://${thelounge-hostname}".extraConfig = ''

     

       26
       +
               bind tailscale/irc-lounge

     

       27
       +
               reverse_proxy http://localhost:${toString config.services.thelounge.port}

     

       28
       +
             '';

     

       29
       +
           };

     

       30
       +
         };

     

       31
       +
       }

+45

hosts/weird-row-server/tuwunel.nix

···

       1
       +
       { config

     

       2
       +
       , ...

     

       3
       +
       }:

     

       4
       +
       

     

       5
       +
       let

     

       6
       +
         matrix-port = 3009;

     

       7
       +
         matrix-hostname = "matrix.wiro.world";

     

       8
       +
       

     

       9
       +
         website-hostname = "wiro.world";

     

       10
       +
       in

     

       11
       +
       {

     

       12
       +
         config = {

     

       13
       +
           age.secrets.tuwunel-registration-tokens = { file = secrets/tuwunel-registration-tokens.age; owner = config.services.matrix-tuwunel.user; };

     

       14
       +
           services.matrix-tuwunel = {

     

       15
       +
             enable = true;

     

       16
       +
       

     

       17
       +
             settings.global = {

     

       18
       +
               address = [ "127.0.0.1" ];

     

       19
       +
               port = [ matrix-port ];

     

       20
       +
       

     

       21
       +
               server_name = "wiro.world";

     

       22
       +
               well_known = {

     

       23
       +
                 client = "https://matrix.wiro.world";

     

       24
       +
                 server = "matrix.wiro.world:443";

     

       25
       +
               };

     

       26
       +
       

     

       27
       +
               grant_admin_to_first_user = true;

     

       28
       +
               new_user_displayname_suffix = "";

     

       29
       +
       

     

       30
       +
               allow_registration = true;

     

       31
       +
               registration_token_file = config.age.secrets.tuwunel-registration-tokens.path;

     

       32
       +
             };

     

       33
       +
           };

     

       34
       +
       

     

       35
       +
           services.caddy = {

     

       36
       +
             virtualHosts.${matrix-hostname}.extraConfig = ''

     

       37
       +
               reverse_proxy /_matrix/* http://localhost:${toString matrix-port}

     

       38
       +
             '';

     

       39
       +
       

     

       40
       +
             virtualHosts.${website-hostname}.extraConfig = ''

     

       41
       +
               reverse_proxy /.well-known/matrix/* http://localhost:${toString matrix-port}

     

       42
       +
             '';

     

       43
       +
           };

     

       44
       +
         };

     

       45
       +
       }

+38

hosts/weird-row-server/vaultwarden.nix

···

       1
       +
       { config

     

       2
       +
       , ...

     

       3
       +
       }:

     

       4
       +
       

     

       5
       +
       let

     

       6
       +
         vaultwarden-port = 3011;

     

       7
       +
         vaultwarden-hostname = "vault.wiro.world";

     

       8
       +
       in

     

       9
       +
       {

     

       10
       +
         config = {

     

       11
       +
           age.secrets.vaultwarden-env.file = secrets/vaultwarden-env.age;

     

       12
       +
           services.vaultwarden = {

     

       13
       +
             enable = true;

     

       14
       +
       

     

       15
       +
             environmentFile = config.age.secrets.vaultwarden-env.path;

     

       16
       +
             config = {

     

       17
       +
               ROCKET_PORT = vaultwarden-port;

     

       18
       +
               DOMAIN = "https://${vaultwarden-hostname}";

     

       19
       +
               SIGNUPS_ALLOWED = false;

     

       20
       +
               ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$YIe9wmrTsmjgZNPxe8m34O/d3XW3Fl/uZPPLQs79dAc$mjDVQSdBJqz2uBJuxtAvCIoHPzOnTDhNPuhER3dhHrY";

     

       21
       +
       

     

       22
       +
               SMTP_HOST = "smtp.resend.com";

     

       23
       +
               SMTP_PORT = 2465;

     

       24
       +
               SMTP_SECURITY = "force_tls";

     

       25
       +
               SMTP_USERNAME = "resend";

     

       26
       +
               # SMTP_PASSWORD = ...; # Via secret env

     

       27
       +
               SMTP_FROM = "bitwarden@wiro.world";

     

       28
       +
               SMTP_FROM_NAME = "Bitwarden wiro.world";

     

       29
       +
             };

     

       30
       +
           };

     

       31
       +
       

     

       32
       +
           services.caddy = {

     

       33
       +
             virtualHosts.${vaultwarden-hostname}.extraConfig = ''

     

       34
       +
               reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT}

     

       35
       +
             '';

     

       36
       +
           };

     

       37
       +
         };

     

       38
       +
       }

+24

hosts/weird-row-server/warrior.nix

···

       1
       +
       { config

     

       2
       +
       , ...

     

       3
       +
       }:

     

       4
       +
       

     

       5
       +
       let

     

       6
       +
         warrior-port = 3015;

     

       7
       +
         warrior-hostname = "warrior.net.wiro.world";

     

       8
       +
       in

     

       9
       +
       {

     

       10
       +
         config = {

     

       11
       +
           virtualisation.oci-containers.containers.archive-warrior = {

     

       12
       +
             image = "atdr.meo.ws/archiveteam/warrior-dockerfile";

     

       13
       +
             ports = [ "127.0.0.1:${toString warrior-port}:8001" ];

     

       14
       +
             pull = "newer";

     

       15
       +
           };

     

       16
       +
       

     

       17
       +
           services.caddy = {

     

       18
       +
             virtualHosts."http://${warrior-hostname}".extraConfig = ''

     

       19
       +
               bind tailscale/warrior

     

       20
       +
               reverse_proxy http://localhost:${toString warrior-port}

     

       21
       +
             '';

     

       22
       +
           };

     

       23
       +
         };

     

       24
       +
       }

+77

hosts/weird-row-server/webfinger.nix

···

       1
       +
       { pkgs

     

       2
       +
       , config

     

       3
       +
       , ...

     

       4
       +
       }:

     

       5
       +
       

     

       6
       +
       let

     

       7
       +
         webfinger-dir = pkgs.writeTextDir ".well-known/webfinger" ''

     

       8
       +
           {

     

       9
       +
             "subject": "acct:milo@wiro.world",

     

       10
       +
             "aliases": [

     

       11
       +
               "mailto:milo@wiro.world",

     

       12
       +
               "https://wiro.world/"

     

       13
       +
             ],

     

       14
       +
             "links": [

     

       15
       +
               {

     

       16
       +
                 "rel": "http://wiro.world/rel/avatar",

     

       17
       +
                 "href": "https://wiro.world/logo.jpg",

     

       18
       +
                 "type": "image/jpeg"

     

       19
       +
               },

     

       20
       +
               {

     

       21
       +
                 "rel": "http://webfinger.net/rel/profile-page",

     

       22
       +
                 "href": "https://wiro.world/",

     

       23
       +
                 "type": "text/html"

     

       24
       +
               },

     

       25
       +
               {

     

       26
       +
                 "rel": "http://openid.net/specs/connect/1.0/issuer",

     

       27
       +
                 "href": "https://auth.wiro.world"

     

       28
       +
               }

     

       29
       +
             ]

     

       30
       +
           }

     

       31
       +
         '';

     

       32
       +
       

     

       33
       +
         well-known-discord-dir = pkgs.writeTextDir ".well-known/discord" ''

     

       34
       +
           dh=919234284ceb2aba439d15b9136073eb2308989b

     

       35
       +
         '';

     

       36
       +
       

     

       37
       +
         website-hostname = "wiro.world";

     

       38
       +
       in

     

       39
       +
       {

     

       40
       +
         config = {

     

       41
       +
           services.caddy = {

     

       42
       +
             virtualHosts.${website-hostname}.extraConfig = ''

     

       43
       +
               @webfinger {

     

       44
       +
                 path /.well-known/webfinger

     

       45
       +
                 method GET HEAD

     

       46
       +
                 query resource=acct:milo@wiro.world

     

       47
       +
                 query resource=mailto:milo@wiro.world

     

       48
       +
                 query resource=https://wiro.world

     

       49
       +
                 query resource=https://wiro.world/

     

       50
       +
               }

     

       51
       +
               route @webfinger {

     

       52
       +
                 header {

     

       53
       +
                   Content-Type "application/jrd+json"

     

       54
       +
                   Access-Control-Allow-Origin "*"

     

       55
       +
                   X-Robots-Tag "noindex"

     

       56
       +
                 }

     

       57
       +
                 root ${webfinger-dir}

     

       58
       +
                 file_server

     

       59
       +
               }

     

       60
       +
             '' +

     

       61
       +
             ''

     

       62
       +
               @discord {

     

       63
       +
                 path /.well-known/discord

     

       64
       +
                 method GET HEAD

     

       65
       +
               }

     

       66
       +
               route @discord {

     

       67
       +
                 header {

     

       68
       +
                   Access-Control-Allow-Origin "*"

     

       69
       +
                   X-Robots-Tag "noindex"

     

       70
       +
                 }

     

       71
       +
                 root ${well-known-discord-dir}

     

       72
       +
                 file_server

     

       73
       +
               }

     

       74
       +
             '';

     

       75
       +
           };

     

       76
       +
         };

     

       77
       +
       }

+8 -1

lib/flake/default.nix

···

       44
        
               ../../nixos/hardware/${hostName}.nix

     

       45
        
               ../../nixos/profiles/${profile}.nix

     

       46
        
             ];

     

       47
       -
             networking.hostName = hostName;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       48
        
           };

     

       49
        
           user = import ./user.nix;

     

       50
        
           managedDiskLayout = import ./managedDiskLayout.nix;

···

       44
        
               ../../nixos/hardware/${hostName}.nix

     

       45
        
               ../../nixos/profiles/${profile}.nix

     

       46
        
             ];

     

       47
       +
             config.networking.hostName = hostName;

     

       48
       +
           };

     

       49
       +
           host = hostName: {

     

       50
       +
             imports = [

     

       51
       +
               ../../nixos/hardware/${hostName}.nix

     

       52
       +
               ../../hosts/${hostName}/default.nix

     

       53
       +
             ];

     

       54
       +
             config.networking.hostName = hostName;

     

       55
        
           };

     

       56
        
           user = import ./user.nix;

     

       57
        
           managedDiskLayout = import ./managedDiskLayout.nix;

+1 -1

lib/flake/managedDiskLayout.nix

···

       26
        
       

     

       27
        
               The recommended amount from RedHat is:

     

       28
        
       

     

       29
       -
               Amount of RAM    Recommended swap space       Recommended swap space 

     

       30
        
               in the system                                 if allowing for hibernation

     

       31
        
               ——————————————   ——————————————————————————   ———————————————————————————

     

       32
        
               ⩽ 2 GB           2 times the amount of RAM    3 times the amount of RAM

···

       26
        
       

     

       27
        
               The recommended amount from RedHat is:

     

       28
        
       

     

       29
       +
               Amount of RAM    Recommended swap space       Recommended swap space

     

       30
        
               in the system                                 if allowing for hibernation

     

       31
        
               ——————————————   ——————————————————————————   ———————————————————————————

     

       32
        
               ⩽ 2 GB           2 times the amount of RAM    3 times the amount of RAM

+1 -1

modules/home-manager/xcompose.nix

···

       14
        
           loadConfigInEnv = mkOption {

     

       15
        
             description = ''

     

       16
        
               Load the XCompose file by passing the `XCOMPOSEFILE` environment variable instead of linking to ~/.XCompose.

     

       17
       -
               

     

       18
        
               That is nice to avoid cluttering the HOME directory, it's preferable to disable it when experimenting

     

       19
        
               with your compose config to reload faster than having to reload your VM.

     

       20
        
             '';

···

       14
        
           loadConfigInEnv = mkOption {

     

       15
        
             description = ''

     

       16
        
               Load the XCompose file by passing the `XCOMPOSEFILE` environment variable instead of linking to ~/.XCompose.

     

       17
       +
       

     

       18
        
               That is nice to avoid cluttering the HOME directory, it's preferable to disable it when experimenting

     

       19
        
               with your compose config to reload faster than having to reload your VM.

     

       20
        
             '';

+1 -1

nixos/fragments/kanata/arsenik.kbd.lisp

···

       59
        
       ;; Numrow layer

     

       60
        
       (deflayer numrow

     

       61
        
         XX   XX   XX   XX   XX   XX   XX   XX   XX   XX   XX

     

       62
       -
         XX   XX   XX   XX   XX        XX   XX   XX   XX   XX  

     

       63
        
         @1   @2   @3   @4   @5        @6   @7   @8   @9   @0

     

       64
        
         XX   XX   XX   XX   XX   XX   XX   XX   XX   XX   XX

     

       65
        
              XX   XX             XX             XX   XX

···

       59
        
       ;; Numrow layer

     

       60
        
       (deflayer numrow

     

       61
        
         XX   XX   XX   XX   XX   XX   XX   XX   XX   XX   XX

     

       62
       +
         XX   XX   XX   XX   XX        XX   XX   XX   XX   XX

     

       63
        
         @1   @2   @3   @4   @5        @6   @7   @8   @9   @0

     

       64
        
         XX   XX   XX   XX   XX   XX   XX   XX   XX   XX   XX

     

       65
        
              XX   XX             XX             XX   XX

+2 -2

nixos/fragments/logiops.nix

···

       23
        
             let

     

       24
        
               cid = {

     

       25
        
                 #                  Control IDs │ reprog? │ fn key? │ mouse key? │ gesture support?

     

       26
       -
                 leftMouse = 80; #         0x50 │         │         │ YES        │ 

     

       27
       -
                 rightMouse = 81; #        0x51 │         │         │ YES        │ 

     

       28
        
                 middleMouse = 81; #       0x52 │ YES     │         │ YES        │ YES

     

       29
        
                 back = 83; #              0x53 │ YES     │         │ YES        │ YES

     

       30
        
                 forward = 86; #           0x56 │ YES     │         │ YES        │ YES

···

       23
        
             let

     

       24
        
               cid = {

     

       25
        
                 #                  Control IDs │ reprog? │ fn key? │ mouse key? │ gesture support?

     

       26
       +
                 leftMouse = 80; #         0x50 │         │         │ YES        │

     

       27
       +
                 rightMouse = 81; #        0x51 │         │         │ YES        │

     

       28
        
                 middleMouse = 81; #       0x52 │ YES     │         │ YES        │ YES

     

       29
        
                 back = 83; #              0x53 │ YES     │         │ YES        │ YES

     

       30
        
                 forward = 86; #           0x56 │ YES     │         │ YES        │ YES

+1 -1

nixos/fragments/security.nix

···

       20
        
           security.polkit.enable = true;

     

       21
        
           security.rtkit.enable = true;

     

       22
        
       

     

       23
       -
           # Systemd Login  

     

       24
        
           services.logind.settings.Login = {

     

       25
        
             HandleLidSwitch = "suspend";

     

       26
        
             IdleAction = "lock";

···

       20
        
           security.polkit.enable = true;

     

       21
        
           security.rtkit.enable = true;

     

       22
        
       

     

       23
       +
           # Systemd Login

     

       24
        
           services.logind.settings.Login = {

     

       25
        
             HandleLidSwitch = "suspend";

     

       26
        
             IdleAction = "lock";

+1 -1

nixos/profiles/laptop.nix

···

       91
        
           };

     

       92
        
           users.users.${config.local.user.username}.extraGroups = [ "wireshark" "plugdev" ];

     

       93
        
       

     

       94
       -
           # This option is already filled with aliases that snowball and have 

     

       95
        
           # priority on fish internal `ls` aliases

     

       96
        
           environment.shellAliases = { ls = null; ll = null; l = null; };

     

       97
        
           programs.fish.enable = true;

···

       91
        
           };

     

       92
        
           users.users.${config.local.user.username}.extraGroups = [ "wireshark" "plugdev" ];

     

       93
        
       

     

       94
       +
           # This option is already filled with aliases that snowball and have

     

       95
        
           # priority on fish internal `ls` aliases

     

       96
        
           environment.shellAliases = { ls = null; ll = null; l = null; };

     

       97
        
           programs.fish.enable = true;

-724

nixos/profiles/server.nix

···

       1
       -
       { self

     

       2
       -
       , config

     

       3
       -
       , pkgs

     

       4
       -
       , ...

     

       5
       -
       }:

     

       6
       -
       

     

       7
       -
       let

     

       8
       -
         inherit (self.inputs) srvos hypixel-bank-tracker tangled;

     

       9
       -
       

     

       10
       -
         json-format = pkgs.formats.json { };

     

       11
       -
       

     

       12
       -
         ext-if = "eth0";

     

       13
       -
         external-ip = "91.99.55.74";

     

       14
       -
         external-netmask = 27;

     

       15
       -
         external-gw = "144.x.x.255";

     

       16
       -
         external-ip6 = "2a01:4f8:c2c:76d2::1";

     

       17
       -
         external-netmask6 = 64;

     

       18
       -
         external-gw6 = "fe80::1";

     

       19
       -
       

     

       20
       -
         well-known-discord-dir = pkgs.writeTextDir ".well-known/discord" ''

     

       21
       -
           dh=919234284ceb2aba439d15b9136073eb2308989b

     

       22
       -
         '';

     

       23
       -
         webfinger-dir = pkgs.writeTextDir ".well-known/webfinger" ''

     

       24
       -
           {

     

       25
       -
             "subject": "acct:milo@wiro.world",

     

       26
       -
             "aliases": [

     

       27
       -
               "mailto:milo@wiro.world",

     

       28
       -
               "https://wiro.world/"

     

       29
       -
             ],

     

       30
       -
             "links": [

     

       31
       -
               {

     

       32
       -
                 "rel": "http://wiro.world/rel/avatar",

     

       33
       -
                 "href": "https://wiro.world/logo.jpg",

     

       34
       -
                 "type": "image/jpeg"

     

       35
       -
               },

     

       36
       -
               {

     

       37
       -
                 "rel": "http://webfinger.net/rel/profile-page",

     

       38
       -
                 "href": "https://wiro.world/",

     

       39
       -
                 "type": "text/html"

     

       40
       -
               },

     

       41
       -
               {

     

       42
       -
                 "rel": "http://openid.net/specs/connect/1.0/issuer",

     

       43
       -
                 "href": "https://auth.wiro.world"

     

       44
       -
               }

     

       45
       -
             ]

     

       46
       -
           }

     

       47
       -
         '';

     

       48
       -
       

     

       49
       -
         website-hostname = "wiro.world";

     

       50
       -
       

     

       51
       -
         pds-port = 3001;

     

       52
       -
         pds-hostname = "pds.wiro.world";

     

       53
       -
       

     

       54
       -
         grafana-port = 3002;

     

       55
       -
         grafana-hostname = "console.wiro.world";

     

       56
       -
       

     

       57
       -
         tangled-owner = "did:plc:xhgrjm4mcx3p5h3y6eino6ti";

     

       58
       -
         tangled-knot-port = 3003;

     

       59
       -
         tangled-knot-hostname = "knot.wiro.world";

     

       60
       -
         tangled-spindle-port = 3004;

     

       61
       -
         tangled-spindle-hostname = "spindle.wiro.world";

     

       62
       -
       

     

       63
       -
         thelounge-port = 3005;

     

       64
       -
         thelounge-hostname = "lounge.wiro.world";

     

       65
       -
       

     

       66
       -
         headscale-port = 3006;

     

       67
       -
         headscale-derp-port = 3478;

     

       68
       -
         headscale-hostname = "headscale.wiro.world";

     

       69
       -
       

     

       70
       -
         lldap-port = 3007;

     

       71
       -
         lldap-hostname = "ldap.wiro.world";

     

       72
       -
       

     

       73
       -
         authelia-port = 3008;

     

       74
       -
         authelia-hostname = "auth.wiro.world";

     

       75
       -
       

     

       76
       -
         matrix-port = 3009;

     

       77
       -
         matrix-hostname = "matrix.wiro.world";

     

       78
       -
       

     

       79
       -
         goatcounter-port = 3010;

     

       80
       -
         goatcounter-hostname = "stats.wiro.world";

     

       81
       -
       

     

       82
       -
         vaultwarden-port = 3011;

     

       83
       -
         vaultwarden-hostname = "vault.wiro.world";

     

       84
       -
       

     

       85
       -
         miniflux-port = 3012;

     

       86
       -
         miniflux-hostname = "news.wiro.world";

     

       87
       -
       

     

       88
       -
         static-hostname = "static.wiro.world";

     

       89
       -
       

     

       90
       -
         hbt-main-port = 3013;

     

       91
       -
         hbt-banana-port = 3014;

     

       92
       -
       

     

       93
       -
         warrior-port = 3015;

     

       94
       -
         warrior-hostname = "warrior.wiro.world";

     

       95
       -
       

     

       96
       -
         prometheus-port = 9001;

     

       97
       -
         prometheus-node-exporter-port = 9002;

     

       98
       -
         headscale-metrics-port = 9003;

     

       99
       -
         authelia-metrics-port = 9004;

     

       100
       -
       in

     

       101
       -
       {

     

       102
       -
         imports = [

     

       103
       -
           srvos.nixosModules.server

     

       104
       -
           srvos.nixosModules.hardware-hetzner-cloud

     

       105
       -
           srvos.nixosModules.mixins-terminfo

     

       106
       -
       

     

       107
       -
           hypixel-bank-tracker.nixosModules.default

     

       108
       -
       

     

       109
       -
           tangled.nixosModules.knot

     

       110
       -
           tangled.nixosModules.spindle

     

       111
       -
         ];

     

       112
       -
       

     

       113
       -
         config = {

     

       114
       -
           boot.loader.grub.enable = true;

     

       115
       -
           boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" "ext4" ];

     

       116
       -
       

     

       117
       -
           # Single network card is `eth0`

     

       118
       -
           networking.usePredictableInterfaceNames = false;

     

       119
       -
       

     

       120
       -
           networking.nameservers = [ "2001:4860:4860::8888" "2001:4860:4860::8844" ];

     

       121
       -
       

     

       122
       -
           networking = {

     

       123
       -
             interfaces.${ext-if} = {

     

       124
       -
               ipv4.addresses = [{ address = external-ip; prefixLength = external-netmask; }];

     

       125
       -
               ipv6.addresses = [{ address = external-ip6; prefixLength = external-netmask6; }];

     

       126
       -
             };

     

       127
       -
             defaultGateway = { interface = ext-if; address = external-gw; };

     

       128
       -
             defaultGateway6 = { interface = ext-if; address = external-gw6; };

     

       129
       -
       

     

       130
       -
             # Reflect firewall configuration on Hetzner

     

       131
       -
             firewall.allowedTCPPorts = [ 22 80 443 ];

     

       132
       -
             firewall.allowedUDPPorts = [ headscale-derp-port ];

     

       133
       -
           };

     

       134
       -
       

     

       135
       -
           services.qemuGuest.enable = true;

     

       136
       -
       

     

       137
       -
           services.openssh.enable = true;

     

       138
       -
       

     

       139
       -
           services.tailscale.enable = true;

     

       140
       -
       

     

       141
       -
           security.sudo.wheelNeedsPassword = false;

     

       142
       -
       

     

       143
       -
           local.fragment.nix.enable = true;

     

       144
       -
       

     

       145
       -
           programs.fish.enable = true;

     

       146
       -
       

     

       147
       -
           services.fail2ban = {

     

       148
       -
             enable = true;

     

       149
       -
       

     

       150
       -
             maxretry = 5;

     

       151
       -
             ignoreIP = [ ];

     

       152
       -
       

     

       153
       -
             bantime = "24h";

     

       154
       -
             bantime-increment = {

     

       155
       -
               enable = true;

     

       156
       -
               multipliers = "1 2 4 8 16 32 64";

     

       157
       -
               maxtime = "168h";

     

       158
       -
               overalljails = true;

     

       159
       -
             };

     

       160
       -
       

     

       161
       -
             jails = { };

     

       162
       -
           };

     

       163
       -
       

     

       164
       -
           services.caddy = {

     

       165
       -
             enable = true;

     

       166
       -
       

     

       167
       -
             globalConfig = ''

     

       168
       -
               metrics { per_host }

     

       169
       -
       

     

       170
       -
               on_demand_tls {

     

       171
       -
                 ask http://localhost:${toString pds-port}/tls-check

     

       172
       -
               }

     

       173
       -
             '';

     

       174
       -
       

     

       175
       -
             virtualHosts.${website-hostname}.extraConfig =

     

       176
       -
               ''

     

       177
       -
                 @discord {

     

       178
       -
                   path /.well-known/discord

     

       179
       -
                   method GET HEAD

     

       180
       -
                 }

     

       181
       -
                 route @discord {

     

       182
       -
                   header {

     

       183
       -
                     Access-Control-Allow-Origin "*"

     

       184
       -
                     X-Robots-Tag "noindex"

     

       185
       -
                   }

     

       186
       -
                   root ${well-known-discord-dir}

     

       187
       -
                   file_server

     

       188
       -
                 }

     

       189
       -
               '' +

     

       190
       -
               ''

     

       191
       -
                 @webfinger {

     

       192
       -
                   path /.well-known/webfinger

     

       193
       -
                   method GET HEAD

     

       194
       -
                   query resource=acct:milo@wiro.world

     

       195
       -
                   query resource=mailto:milo@wiro.world

     

       196
       -
                   query resource=https://wiro.world

     

       197
       -
                   query resource=https://wiro.world/

     

       198
       -
                 }

     

       199
       -
                 route @webfinger {

     

       200
       -
                   header {

     

       201
       -
                     Content-Type "application/jrd+json"

     

       202
       -
                     Access-Control-Allow-Origin "*"

     

       203
       -
                     X-Robots-Tag "noindex"

     

       204
       -
                   }

     

       205
       -
                   root ${webfinger-dir}

     

       206
       -
                   file_server

     

       207
       -
                 }

     

       208
       -
               '' +

     

       209
       -
               ''

     

       210
       -
                 reverse_proxy /.well-known/matrix/* http://localhost:${toString matrix-port}

     

       211
       -
               '' +

     

       212
       -
               # TODO: host website on server with automatic deployment

     

       213
       -
               ''

     

       214
       -
                 reverse_proxy https://mrnossiom.github.io {

     

       215
       -
                 	header_up Host {http.request.host}

     

       216
       -
                 }

     

       217
       -
               '';

     

       218
       -
       

     

       219
       -
             virtualHosts.${grafana-hostname}.extraConfig = ''

     

       220
       -
               reverse_proxy http://localhost:${toString grafana-port}

     

       221
       -
             '';

     

       222
       -
       

     

       223
       -
             virtualHosts.${pds-hostname} = {

     

       224
       -
               serverAliases = [ "*.${pds-hostname}" ];

     

       225
       -
               extraConfig = ''

     

       226
       -
                 	tls { on_demand }

     

       227
       -
                   reverse_proxy http://localhost:${toString pds-port}

     

       228
       -
               '';

     

       229
       -
             };

     

       230
       -
       

     

       231
       -
             virtualHosts.${tangled-knot-hostname}.extraConfig = ''

     

       232
       -
               reverse_proxy http://localhost:${toString tangled-knot-port}

     

       233
       -
             '';

     

       234
       -
       

     

       235
       -
             virtualHosts.${tangled-spindle-hostname}.extraConfig = ''

     

       236
       -
               reverse_proxy http://localhost:${toString tangled-spindle-port}

     

       237
       -
             '';

     

       238
       -
       

     

       239
       -
             virtualHosts.${thelounge-hostname}.extraConfig = ''

     

       240
       -
               reverse_proxy http://localhost:${toString thelounge-port}

     

       241
       -
             '';

     

       242
       -
       

     

       243
       -
             virtualHosts.${headscale-hostname}.extraConfig = ''

     

       244
       -
               reverse_proxy http://localhost:${toString headscale-port}

     

       245
       -
             '';

     

       246
       -
       

     

       247
       -
             virtualHosts.${lldap-hostname}.extraConfig = ''

     

       248
       -
               reverse_proxy http://localhost:${toString lldap-port}

     

       249
       -
             '';

     

       250
       -
       

     

       251
       -
             virtualHosts.${authelia-hostname}.extraConfig = ''

     

       252
       -
               reverse_proxy http://localhost:${toString authelia-port}

     

       253
       -
             '';

     

       254
       -
       

     

       255
       -
             virtualHosts.${matrix-hostname}.extraConfig = ''

     

       256
       -
               reverse_proxy /_matrix/* http://localhost:${toString matrix-port}

     

       257
       -
             '';

     

       258
       -
       

     

       259
       -
             virtualHosts.${goatcounter-hostname}.extraConfig = ''

     

       260
       -
               reverse_proxy http://localhost:${toString goatcounter-port}

     

       261
       -
             '';

     

       262
       -
       

     

       263
       -
             virtualHosts.${vaultwarden-hostname}.extraConfig = ''

     

       264
       -
               reverse_proxy http://localhost:${toString vaultwarden-port}

     

       265
       -
             '';

     

       266
       -
       

     

       267
       -
             virtualHosts.${miniflux-hostname}.extraConfig = ''

     

       268
       -
               reverse_proxy http://localhost:${toString miniflux-port}

     

       269
       -
             '';

     

       270
       -
       

     

       271
       -
             virtualHosts.${static-hostname}.extraConfig = ''

     

       272
       -
               root /var/www/static

     

       273
       -
               file_server browse

     

       274
       -
             '';

     

       275
       -
       

     

       276
       -
             virtualHosts."hypixel-bank-tracker.xyz".extraConfig = ''

     

       277
       -
               reverse_proxy http://localhost:${toString hbt-main-port}

     

       278
       -
             '';

     

       279
       -
             virtualHosts."banana.hypixel-bank-tracker.xyz".extraConfig = ''

     

       280
       -
               reverse_proxy http://localhost:${toString hbt-banana-port}

     

       281
       -
             '';

     

       282
       -
       

     

       283
       -
             virtualHosts.${warrior-hostname}.extraConfig = ''

     

       284
       -
               forward_auth localhost:${toString authelia-port} {

     

       285
       -
                   uri /api/authz/forward-auth

     

       286
       -
               }

     

       287
       -
               reverse_proxy http://localhost:${toString warrior-port}

     

       288
       -
             '';

     

       289
       -
           };

     

       290
       -
       

     

       291
       -
           age.secrets.pds-env.file = ../../secrets/pds-env.age;

     

       292
       -
           services.bluesky-pds = {

     

       293
       -
             enable = true;

     

       294
       -
       

     

       295
       -
             settings = {

     

       296
       -
               PDS_HOSTNAME = "pds.wiro.world";

     

       297
       -
               PDS_PORT = pds-port;

     

       298
       -
               # is in systemd /tmp subfolder

     

       299
       -
               LOG_DESTINATION = "/tmp/pds.log";

     

       300
       -
             };

     

       301
       -
       

     

       302
       -
             environmentFiles = [

     

       303
       -
               config.age.secrets.pds-env.path

     

       304
       -
             ];

     

       305
       -
           };

     

       306
       -
       

     

       307
       -
           services.tangled.knot = {

     

       308
       -
             enable = true;

     

       309
       -
             openFirewall = true;

     

       310
       -
       

     

       311
       -
             motd = "Welcome to @wiro.world's knot!\n";

     

       312
       -
             server = {

     

       313
       -
               listenAddr = "localhost:${toString tangled-knot-port}";

     

       314
       -
               hostname = tangled-knot-hostname;

     

       315
       -
               owner = tangled-owner;

     

       316
       -
             };

     

       317
       -
           };

     

       318
       -
       

     

       319
       -
           services.tangled.spindle = {

     

       320
       -
             enable = true;

     

       321
       -
       

     

       322
       -
             server = {

     

       323
       -
               listenAddr = "localhost:${toString tangled-spindle-port}";

     

       324
       -
               hostname = tangled-spindle-hostname;

     

       325
       -
               owner = tangled-owner;

     

       326
       -
             };

     

       327
       -
           };

     

       328
       -
       

     

       329
       -
           age.secrets.grafana-oidc-secret = { file = ../../secrets/grafana-oidc-secret.age; owner = "grafana"; };

     

       330
       -
           services.grafana = {

     

       331
       -
             enable = true;

     

       332
       -
       

     

       333
       -
             settings = {

     

       334
       -
               server = {

     

       335
       -
                 http_port = grafana-port;

     

       336
       -
                 domain = grafana-hostname;

     

       337
       -
                 root_url = "https://${grafana-hostname}";

     

       338
       -
               };

     

       339
       -
       

     

       340
       -
               "auth.generic_oauth" = {

     

       341
       -
                 enable = true;

     

       342
       -
                 name = "Authelia";

     

       343
       -
                 icon = "signin";

     

       344
       -
       

     

       345
       -
                 client_id = "grafana";

     

       346
       -
                 client_secret_path = config.age.secrets.grafana-oidc-secret.path;

     

       347
       -
                 auto_login = true;

     

       348
       -
       

     

       349
       -
                 scopes = [ "openid" "profile" "email" "groups" ];

     

       350
       -
                 auth_url = "https://auth.wiro.world/api/oidc/authorization";

     

       351
       -
                 token_url = "https://auth.wiro.world/api/oidc/token";

     

       352
       -
                 api_url = "https://auth.wiro.world/api/oidc/userinfo";

     

       353
       -
                 use_pkce = true;

     

       354
       -
               };

     

       355
       -
             };

     

       356
       -
           };

     

       357
       -
       

     

       358
       -
           services.prometheus = {

     

       359
       -
             enable = true;

     

       360
       -
             port = prometheus-port;

     

       361
       -
       

     

       362
       -
             scrapeConfigs = [

     

       363
       -
               {

     

       364
       -
                 job_name = "caddy";

     

       365
       -
                 static_configs = [{ targets = [ "localhost:${toString 2019}" ]; }];

     

       366
       -
               }

     

       367
       -
               {

     

       368
       -
                 job_name = "node-exporter";

     

       369
       -
                 static_configs = [{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }];

     

       370
       -
               }

     

       371
       -
               {

     

       372
       -
                 job_name = "headscale";

     

       373
       -
                 static_configs = [{ targets = [ "localhost:${toString headscale-metrics-port}" ]; }];

     

       374
       -
               }

     

       375
       -
               {

     

       376
       -
                 job_name = "authelia";

     

       377
       -
                 static_configs = [{ targets = [ "localhost:${toString authelia-metrics-port}" ]; }];

     

       378
       -
               }

     

       379
       -
               {

     

       380
       -
                 job_name = "miniflux";

     

       381
       -
                 static_configs = [{ targets = [ "localhost:${toString miniflux-port}" ]; }];

     

       382
       -
               }

     

       383
       -
             ];

     

       384
       -
       

     

       385
       -
             exporters.node = {

     

       386
       -
               enable = true;

     

       387
       -
               port = prometheus-node-exporter-port;

     

       388
       -
             };

     

       389
       -
           };

     

       390
       -
       

     

       391
       -
           services.thelounge = {

     

       392
       -
             enable = true;

     

       393
       -
             port = thelounge-port;

     

       394
       -
             public = false;

     

       395
       -
       

     

       396
       -
             extraConfig = {

     

       397
       -
               host = "127.0.0.1";

     

       398
       -
               reverseProxy = true;

     

       399
       -
       

     

       400
       -
               # TODO: use ldap, find a way to hide password

     

       401
       -
             };

     

       402
       -
           };

     

       403
       -
       

     

       404
       -
           age.secrets.headscale-oidc-secret = { file = ../../secrets/headscale-oidc-secret.age; owner = config.services.headscale.user; };

     

       405
       -
           # TODO: add dependency on authelia

     

       406
       -
           services.headscale = {

     

       407
       -
             enable = true;

     

       408
       -
       

     

       409
       -
             port = headscale-port;

     

       410
       -
             settings = {

     

       411
       -
               server_url = "https://${headscale-hostname}";

     

       412
       -
               metrics_listen_addr = "127.0.0.1:${toString headscale-metrics-port}";

     

       413
       -
       

     

       414
       -
               policy.path = json-format.generate "policy.json" {

     

       415
       -
                 acls = [

     

       416
       -
                   {

     

       417
       -
                     action = "accept";

     

       418
       -
                     src = [ "autogroup:member" ];

     

       419
       -
                     dst = [ "autogroup:self:*" ];

     

       420
       -
                   }

     

       421
       -
                 ];

     

       422
       -
                 ssh = [

     

       423
       -
                   {

     

       424
       -
                     action = "accept";

     

       425
       -
                     src = [ "autogroup:member" ];

     

       426
       -
                     dst = [ "autogroup:self" ];

     

       427
       -
                     # Adding root here is privilege escalation as a feature :)

     

       428
       -
                     users = [ "autogroup:nonroot" ];

     

       429
       -
                   }

     

       430
       -
                 ];

     

       431
       -
               };

     

       432
       -
       

     

       433
       -
               # disable TLS

     

       434
       -
               tls_cert_path = null;

     

       435
       -
               tls_key_path = null;

     

       436
       -
       

     

       437
       -
               dns = {

     

       438
       -
                 magic_dns = true;

     

       439
       -
                 base_domain = "net.wiro.world";

     

       440
       -
       

     

       441
       -
                 override_local_dns = true;

     

       442
       -
                 # Quad9 nameservers

     

       443
       -
                 nameservers.global = [ "9.9.9.9" "149.112.112.112" "2620:fe::fe" "2620:fe::9" ];

     

       444
       -
               };

     

       445
       -
       

     

       446
       -
               oidc = {

     

       447
       -
                 only_start_if_oidc_is_available = true;

     

       448
       -
                 issuer = "https://auth.wiro.world";

     

       449
       -
                 client_id = "headscale";

     

       450
       -
                 client_secret_path = config.age.secrets.headscale-oidc-secret.path;

     

       451
       -
                 scope = [ "openid" "profile" "email" "groups" ];

     

       452
       -
                 pkce.enabled = true;

     

       453
       -
               };

     

       454
       -
       

     

       455
       -
               derp.server = {

     

       456
       -
                 enable = true;

     

       457
       -
                 stun_listen_addr = "0.0.0.0:${toString headscale-derp-port}";

     

       458
       -
               };

     

       459
       -
             };

     

       460
       -
           };

     

       461
       -
       

     

       462
       -
           age.secrets.lldap-env.file = ../../secrets/lldap-env.age;

     

       463
       -
           users.users.lldap = { isSystemUser = true; group = "lldap"; };

     

       464
       -
           users.groups.lldap = { };

     

       465
       -
           age.secrets.lldap-user-pass = { file = ../../secrets/lldap-user-pass.age; owner = "lldap"; };

     

       466
       -
           services.lldap = {

     

       467
       -
             enable = true;

     

       468
       -
             settings = {

     

       469
       -
               http_url = "https://${lldap-hostname}";

     

       470
       -
               http_port = lldap-port;

     

       471
       -
       

     

       472
       -
               ldap_user_pass_file = config.age.secrets.lldap-user-pass.path;

     

       473
       -
               force_ldap_user_pass_reset = false;

     

       474
       -
       

     

       475
       -
               ldap_base_dn = "dc=wiro,dc=world";

     

       476
       -
             };

     

       477
       -
             environmentFile = config.age.secrets.lldap-env.path;

     

       478
       -
           };

     

       479
       -
       

     

       480
       -
           age.secrets.authelia-jwt-secret = { file = ../../secrets/authelia-jwt-secret.age; owner = config.services.authelia.instances.main.user; };

     

       481
       -
           age.secrets.authelia-issuer-private-key = { file = ../../secrets/authelia-issuer-private-key.age; owner = config.services.authelia.instances.main.user; };

     

       482
       -
           age.secrets.authelia-storage-key = { file = ../../secrets/authelia-storage-key.age; owner = config.services.authelia.instances.main.user; };

     

       483
       -
           age.secrets.authelia-ldap-password = { file = ../../secrets/authelia-ldap-password.age; owner = config.services.authelia.instances.main.user; };

     

       484
       -
           age.secrets.authelia-smtp-password = { file = ../../secrets/authelia-smtp-password.age; owner = config.services.authelia.instances.main.user; };

     

       485
       -
           services.authelia.instances.main = {

     

       486
       -
             enable = true;

     

       487
       -
       

     

       488
       -
             secrets = {

     

       489
       -
               jwtSecretFile = config.age.secrets.authelia-jwt-secret.path;

     

       490
       -
               oidcIssuerPrivateKeyFile = config.age.secrets.authelia-issuer-private-key.path;

     

       491
       -
               storageEncryptionKeyFile = config.age.secrets.authelia-storage-key.path;

     

       492
       -
             };

     

       493
       -
             environmentVariables = {

     

       494
       -
               AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-ldap-password.path;

     

       495
       -
               AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;

     

       496
       -
             };

     

       497
       -
             settings = {

     

       498
       -
               server.address = "localhost:${toString authelia-port}";

     

       499
       -
               storage.local.path = "/var/lib/authelia-main/db.sqlite3";

     

       500
       -
               telemetry.metrics = {

     

       501
       -
                 enabled = true;

     

       502
       -
                 address = "tcp://:${toString authelia-metrics-port}/metrics";

     

       503
       -
               };

     

       504
       -
       

     

       505
       -
               session = {

     

       506
       -
                 cookies = [{

     

       507
       -
                   domain = "wiro.world";

     

       508
       -
                   authelia_url = "https://${authelia-hostname}";

     

       509
       -
                   default_redirection_url = "https://wiro.world";

     

       510
       -
                 }];

     

       511
       -
               };

     

       512
       -
       

     

       513
       -
               authentication_backend.ldap = {

     

       514
       -
                 address = "ldap://localhost:3890";

     

       515
       -
                 timeout = "5m"; # replace with systemd dependency

     

       516
       -
       

     

       517
       -
                 user = "uid=authelia,ou=people,dc=wiro,dc=world";

     

       518
       -
                 # Set in `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`.

     

       519
       -
                 # password = "";

     

       520
       -
       

     

       521
       -
                 base_dn = "dc=wiro,dc=world";

     

       522
       -
                 users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";

     

       523
       -
                 additional_users_dn = "ou=people";

     

       524
       -
                 groups_filter = "(&(member={dn})(objectClass=groupOfNames))";

     

       525
       -
                 additional_groups_dn = "ou=groups";

     

       526
       -
       

     

       527
       -
                 attributes = {

     

       528
       -
                   username = "uid";

     

       529
       -
                   display_name = "cn";

     

       530
       -
                   given_name = "givenname";

     

       531
       -
                   family_name = "last_name";

     

       532
       -
                   mail = "mail";

     

       533
       -
                   picture = "avatar";

     

       534
       -
       

     

       535
       -
                   group_name = "cn";

     

       536
       -
                 };

     

       537
       -
               };

     

       538
       -
       

     

       539
       -
               access_control = {

     

       540
       -
                 default_policy = "deny";

     

       541
       -
                 # Rules are sequential and do not apply to OIDC

     

       542
       -
                 rules = [

     

       543
       -
                   {

     

       544
       -
                     domain = "headscale.wiro.world";

     

       545
       -
                     policy = "two_factor";

     

       546
       -
       

     

       547
       -
                   }

     

       548
       -
                   {

     

       549
       -
                     domain = "news.wiro.world";

     

       550
       -
                     policy = "one_factor";

     

       551
       -
       

     

       552
       -
                     subject = [ [ "group:miniflux" "oauth2:client:miniflux" ] ];

     

       553
       -
                   }

     

       554
       -
                   {

     

       555
       -
                     domain = "*.wiro.world";

     

       556
       -
                     policy = "two_factor";

     

       557
       -
                   }

     

       558
       -
                 ];

     

       559
       -
               };

     

       560
       -
       

     

       561
       -
               identity_providers.oidc = {

     

       562
       -
                 enforce_pkce = "always";

     

       563
       -
       

     

       564
       -
                 authorization_policies =

     

       565
       -
                   let

     

       566
       -
                     mkStrictPolicy = policy: subject:

     

       567
       -
                       { default_policy = "deny"; rules = [{ inherit policy subject; }]; };

     

       568
       -
                   in

     

       569
       -
                   {

     

       570
       -
                     headscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       571
       -
                     tailscale = mkStrictPolicy "two_factor" [ "group:headscale" ];

     

       572
       -
                     grafana = mkStrictPolicy "one_factor" [ "group:grafana" ];

     

       573
       -
                     miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];

     

       574
       -
                   };

     

       575
       -
       

     

       576
       -
                 claims_policies.headscale = { id_token = [ "email" "name" "preferred_username" "picture" "groups" ]; };

     

       577
       -
       

     

       578
       -
                 clients = [

     

       579
       -
                   {

     

       580
       -
                     client_name = "Headscale";

     

       581
       -
                     client_id = "headscale";

     

       582
       -
                     client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";

     

       583
       -
                     redirect_uris = [ "https://${headscale-hostname}/oidc/callback" ];

     

       584
       -
                     authorization_policy = "headscale";

     

       585
       -
                     claims_policy = "headscale";

     

       586
       -
                   }

     

       587
       -
                   {

     

       588
       -
                     client_name = "Tailscale";

     

       589
       -
                     client_id = "tailscale";

     

       590
       -
                     client_secret = "$pbkdf2-sha256$310000$PcUaup9aWKI9ZLeCF6.avw$FpsTxkDaxcoQlBi8aIacegXpjEDiCI6nXcaHyZ2Sxyc";

     

       591
       -
                     redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];

     

       592
       -
                     authorization_policy = "tailscale";

     

       593
       -
                   }

     

       594
       -
                   {

     

       595
       -
                     client_name = "Grafana Console";

     

       596
       -
                     client_id = "grafana";

     

       597
       -
                     client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";

     

       598
       -
                     redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];

     

       599
       -
                     authorization_policy = "grafana";

     

       600
       -
                   }

     

       601
       -
                   {

     

       602
       -
                     client_name = "Miniflux";

     

       603
       -
                     client_id = "miniflux";

     

       604
       -
                     client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";

     

       605
       -
                     redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];

     

       606
       -
                     authorization_policy = "miniflux";

     

       607
       -
                   }

     

       608
       -
                 ];

     

       609
       -
               };

     

       610
       -
       

     

       611
       -
               notifier.smtp = {

     

       612
       -
                 address = "smtp://smtp.resend.com:2587";

     

       613
       -
                 username = "resend";

     

       614
       -
                 # Set in `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE`.

     

       615
       -
                 # password = "";

     

       616
       -
                 sender = "authelia@wiro.world";

     

       617
       -
               };

     

       618
       -
             };

     

       619
       -
           };

     

       620
       -
       

     

       621
       -
           age.secrets.tuwunel-registration-tokens = { file = ../../secrets/tuwunel-registration-tokens.age; owner = config.services.matrix-tuwunel.user; };

     

       622
       -
           services.matrix-tuwunel = {

     

       623
       -
             enable = true;

     

       624
       -
       

     

       625
       -
             settings.global = {

     

       626
       -
               address = [ "127.0.0.1" ];

     

       627
       -
               port = [ matrix-port ];

     

       628
       -
       

     

       629
       -
               server_name = "wiro.world";

     

       630
       -
               well_known = {

     

       631
       -
                 client = "https://matrix.wiro.world";

     

       632
       -
                 server = "matrix.wiro.world:443";

     

       633
       -
               };

     

       634
       -
       

     

       635
       -
               grant_admin_to_first_user = true;

     

       636
       -
               new_user_displayname_suffix = "";

     

       637
       -
       

     

       638
       -
               allow_registration = true;

     

       639
       -
               registration_token_file = config.age.secrets.tuwunel-registration-tokens.path;

     

       640
       -
             };

     

       641
       -
           };

     

       642
       -
       

     

       643
       -
           services.goatcounter = {

     

       644
       -
             enable = true;

     

       645
       -
       

     

       646
       -
             port = goatcounter-port;

     

       647
       -
             proxy = true;

     

       648
       -
             extraArgs = [ "-automigrate" ];

     

       649
       -
           };

     

       650
       -
       

     

       651
       -
           age.secrets.vaultwarden-env.file = ../../secrets/vaultwarden-env.age;

     

       652
       -
           services.vaultwarden = {

     

       653
       -
             enable = true;

     

       654
       -
       

     

       655
       -
             environmentFile = config.age.secrets.vaultwarden-env.path;

     

       656
       -
             config = {

     

       657
       -
               ROCKET_PORT = vaultwarden-port;

     

       658
       -
               DOMAIN = "https://${vaultwarden-hostname}";

     

       659
       -
               SIGNUPS_ALLOWED = false;

     

       660
       -
               ADMIN_TOKEN = "$argon2id$v=19$m=65540,t=3,p=4$YIe9wmrTsmjgZNPxe8m34O/d3XW3Fl/uZPPLQs79dAc$mjDVQSdBJqz2uBJuxtAvCIoHPzOnTDhNPuhER3dhHrY";

     

       661
       -
       

     

       662
       -
               SMTP_HOST = "smtp.resend.com";

     

       663
       -
               SMTP_PORT = 2465;

     

       664
       -
               SMTP_SECURITY = "force_tls";

     

       665
       -
               SMTP_USERNAME = "resend";

     

       666
       -
               # SMTP_PASSWORD = ...; # Via secret env

     

       667
       -
               SMTP_FROM = "bitwarden@wiro.world";

     

       668
       -
               SMTP_FROM_NAME = "Bitwarden wiro.world";

     

       669
       -
             };

     

       670
       -
           };

     

       671
       -
       

     

       672
       -
           users.users.miniflux = { isSystemUser = true; group = "miniflux"; };

     

       673
       -
           users.groups.miniflux = { };

     

       674
       -
           age.secrets.miniflux-oidc-secret = { file = ../../secrets/miniflux-oidc-secret.age; owner = "miniflux"; };

     

       675
       -
           services.miniflux = {

     

       676
       -
             enable = true;

     

       677
       -
       

     

       678
       -
             createDatabaseLocally = true;

     

       679
       -
             config = {

     

       680
       -
               BASE_URL = "https://${miniflux-hostname}/";

     

       681
       -
               LISTEN_ADDR = "127.0.0.1:${toString miniflux-port}";

     

       682
       -
               CREATE_ADMIN = 0;

     

       683
       -
       

     

       684
       -
               METRICS_COLLECTOR = 1;

     

       685
       -
       

     

       686
       -
               OAUTH2_PROVIDER = "oidc";

     

       687
       -
               OAUTH2_OIDC_PROVIDER_NAME = "wiro.world SSO";

     

       688
       -
               OAUTH2_CLIENT_ID = "miniflux";

     

       689
       -
               OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux-oidc-secret.path;

     

       690
       -
               OAUTH2_REDIRECT_URL = "https://${miniflux-hostname}/oauth2/oidc/callback";

     

       691
       -
               OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.wiro.world";

     

       692
       -
               OAUTH2_USER_CREATION = 1;

     

       693
       -
               DISABLE_LOCAL_AUTH = 1;

     

       694
       -
       

     

       695
       -
               RUN_MIGRATIONS = 1;

     

       696
       -
       

     

       697
       -
               # NetNewsWire is a very good iOS oss client that integrates well

     

       698
       -
               # https://b.j4.lc/2025/05/05/setting-up-netnewswire-with-miniflux/

     

       699
       -
             };

     

       700
       -
           };

     

       701
       -
       

     

       702
       -
           age.secrets.hypixel-bank-tracker-main.file = ../../secrets/hypixel-bank-tracker-main.age;

     

       703
       -
           services.hypixel-bank-tracker.instances.main = {

     

       704
       -
             enable = true;

     

       705
       -
       

     

       706
       -
             port = hbt-main-port;

     

       707
       -
             environmentFile = config.age.secrets.hypixel-bank-tracker-main.path;

     

       708
       -
           };

     

       709
       -
       

     

       710
       -
           age.secrets.hypixel-bank-tracker-banana.file = ../../secrets/hypixel-bank-tracker-banana.age;

     

       711
       -
           services.hypixel-bank-tracker.instances.banana = {

     

       712
       -
             enable = true;

     

       713
       -
       

     

       714
       -
             port = hbt-banana-port;

     

       715
       -
             environmentFile = config.age.secrets.hypixel-bank-tracker-banana.path;

     

       716
       -
           };

     

       717
       -
       

     

       718
       -
           virtualisation.oci-containers.containers.archive-warrior = {

     

       719
       -
             image = "atdr.meo.ws/archiveteam/warrior-dockerfile";

     

       720
       -
             ports = [ "127.0.0.1:${toString warrior-port}:8001" ];

     

       721
       -
             pull = "newer";

     

       722
       -
           };

     

       723
       -
         };

     

       724
       -
       }

pkgs/default.nix

···

       11
        
         inherit (self.inputs)

     

       12
        
           agenix

     

       13
        
           git-leave

     

       0
        
       
     

       14
        
           wakatime-ls

     

       15
        
           ;

     

       16
        
       in

     
···

       24
        
         # Import packages defined in foreign repositories

     

       25
        
         inherit (agenix.packages.${system}) agenix;

     

       26
        
         inherit (git-leave.packages.${system}) git-leave;

     

       0
        
       
     

       27
        
         inherit (wakatime-ls.packages.${system}) wakatime-ls;

     

       28
        
       }

···

       11
        
         inherit (self.inputs)

     

       12
        
           agenix

     

       13
        
           git-leave

     

       14
       +
           nix-alien

     

       15
        
           wakatime-ls

     

       16
        
           ;

     

       17
        
       in

     
···

       25
        
         # Import packages defined in foreign repositories

     

       26
        
         inherit (agenix.packages.${system}) agenix;

     

       27
        
         inherit (git-leave.packages.${system}) git-leave;

     

       28
       +
         inherit (nix-alien.packages.${system}) nix-alien;

     

       29
        
         inherit (wakatime-ls.packages.${system}) wakatime-ls;

     

       30
        
       }

secrets/authelia-issuer-private-key.age

This is a binary file and will not be displayed.

secrets/authelia-jwt-secret.age

This is a binary file and will not be displayed.

secrets/authelia-ldap-password.age

This is a binary file and will not be displayed.

-9

secrets/authelia-smtp-password.age

···

       1
       -
       age-encryption.org/v1

     

       2
       -
       -> ssh-ed25519 sMF1bg 0duJYaUlZd2G3tYi7CuV+c7KNaqWusLoMpoILvaajgc

     

       3
       -
       AnAlDVzRdeoXGXvyllhSNCoDQjZ+nucLGHCfPWR8IBQ

     

       4
       -
       -> ssh-ed25519 SmMcWg oX82fe4sQmKyjJqv9AFRY6Bww43V/8myNRsN9/M8Sho

     

       5
       -
       Et6ycO8hm2XV36X5q7iO+nJCtjkYoq6mDBEssrjt/70

     

       6
       -
       -> ssh-ed25519 Q8rMFA /gU1tIVjqExV8NXB1gSDsWIXpVfxm3zPJX7xOAqeqWM

     

       7
       -
       szrd67kHWslLO+jMCuDmzYR0LPVVzd7idgl3AKt+USU

     

       8
       -
       --- ojxyQVhx4rX+x5gzEEx8KFiorwywqEEyTNWUJY39jIk

     

       9
       -
       �������ş*
l��1����=n�Ŏ��(�	�Iamz~B�����������鰦�.�.Z>�',p��

-11

secrets/authelia-storage-key.age

···

       1
       -
       age-encryption.org/v1

     

       2
       -
       -> ssh-ed25519 sMF1bg PYC6LaFo/DTQlRMewqbVtS4lzVtKyuFZQSqCrQwwEyg

     

       3
       -
       kj0sHy8IpnBsMBQy/XYtj2pLXlk6wprF3MxjFTOiZ6E

     

       4
       -
       -> ssh-ed25519 SmMcWg rvlLGzf6D96Dh1lL8as2vjc3PB7G/86U8AR7/lAELT0

     

       5
       -
       qcdOqVV6o+5OfJYj5pfZ62hOnrBQwY0DAeIJkLoyYss

     

       6
       -
       -> ssh-ed25519 Q8rMFA eALgQVN5OA0EuYYEyEbFnju/Yii71e+xcs98LkXnyyo

     

       7
       -
       Rbxu60qvXKdFaJ7lfs7LeYx37TIKYK2Gxw2QcxF3soA

     

       8
       -
       --- ryt5q5lXn1Cyn4T6RSU1IR7dHZOTbyanaG6ZqeYYGBQ

     

       9
       -
       �G���*	\�ʕ�|���

     

       10
       -
       �S�T���z�!
�FIG͍��,��2Q��+�s�76Z�D`��Q�hM�],��E7�2<Q�

     

       11
       -
       ?ׯ�t��u\���xpe/rrR��L}��S��g�%�:�Oj����{T%h��D�~�+DЫ��W%� �ŗ�r�v$%m$

+22

secrets/default.nix

···

       1
       +
       keys:

     

       2
       +
       

     

       3
       +
       let

     

       4
       +
         inherit (keys) sessions systems users;

     

       5
       +
       

     

       6
       +
         nixos = systems ++ users;

     

       7
       +
         home-manager = sessions ++ users;

     

       8
       +
       in

     

       9
       +
       {

     

       10
       +
         # Used in NixOS config

     

       11
       +
         "backup-rclone-googledrive.age".publicKeys = nixos;

     

       12
       +
         "backup-restic-key.age".publicKeys = nixos;

     

       13
       +
       

     

       14
       +
         # Used in Home Manager

     

       15
       +
         "api-crates-io.age".publicKeys = home-manager;

     

       16
       +
         "api-wakatime.age".publicKeys = home-manager;

     

       17
       +
         "api-wakapi.age".publicKeys = home-manager;

     

       18
       +
       

     

       19
       +
         # Not used in config but useful

     

       20
       +
         "pgp-ca5e.age".publicKeys = users;

     

       21
       +
         "ssh-uxgi.age".publicKeys = users;

     

       22
       +
       }

-9

secrets/grafana-oidc-secret.age

···

       1
       -
       age-encryption.org/v1

     

       2
       -
       -> ssh-ed25519 sMF1bg 2+JZ3WMnTgnnNYmJqdqAtOsEIk9pAefHfwLcXZQpqlg

     

       3
       -
       yE0R9b0mSzoT6mvoWUG829UmkgGkm6vg0i7WLORaTis

     

       4
       -
       -> ssh-ed25519 SmMcWg c8goAmCIPQ5rsTwoOej9ndGc0uBpWILSn/wy6XJHK14

     

       5
       -
       ArjlEl4hxi4N6Py1emxgxUFKvSXIwLWsy6HrWNqJUHw

     

       6
       -
       -> ssh-ed25519 Q8rMFA t72V+A0n5Tnb0VqvBrzt3j75CbcfvQltodKMhF64SXY

     

       7
       -
       V+Ynzd4tIUI8JPy9uyoi+frW6wJnQxDavHAqnp/lem8

     

       8
       -
       --- mzRky/dA1MDArnDSSaGyZP9yAQgD2va4MfopbrdM0iU

     

       9
       -
       ��*�٪l����a5�QE£uަ��"�;��3�l.!`	�u�
_+)$��d��ˤ����ff�F��mѳc�a�EV��Nߧ��,�@����

secrets/headscale-oidc-secret.age

This is a binary file and will not be displayed.

secrets/hypixel-bank-tracker-banana.age

This is a binary file and will not be displayed.

-12

secrets/hypixel-bank-tracker-main.age

···

       1
       -
       age-encryption.org/v1

     

       2
       -
       -> ssh-ed25519 sMF1bg B3wX5eWrSUivBKJzdiSOVvWEdGuZvGJHVDCCSFa29kw

     

       3
       -
       F1H0QzBPS1FPvactH7z3OvR5wPdawkMzIj1awUmkrqA

     

       4
       -
       -> ssh-ed25519 SmMcWg DtmTaO1Ox4y+AyZbOgaJU2PxMRdHloHECLOrvdI/g28

     

       5
       -
       my6GKU1rxPyClyos0efuInWok5w3xwwoJ4p3M6roBIw

     

       6
       -
       -> ssh-ed25519 Q8rMFA LKyAN4v78N/OcleCPuYpPlZ0se5Dmp4qiWynY4zTfDo

     

       7
       -
       2lOqk3QF2lB/b7Md6yWq4R2jn+J3PiATIkrFUxgt104

     

       8
       -
       -> OR`n;K-grease

     

       9
       -
       lWGBER6K10zAcNHyiUMJAnJ84h1ppo5MJ5ztgw

     

       10
       -
       --- abe4RLNH3d9h7UpWD3PRIBgHWagt8cU+AHIFbX1D9/E

     

       11
       -
       �LJu���k؜��_��%��|�J]��KN��?]��tR�<�]�|���ߟ��¾FzU��������:�Y��TX����p,9v6q�7�~�y�]X���͇ǷR5՚>[������#�#�-

     

       12
       -
       cM,1Ǜ"M��"'F�W�3o�

secrets/lldap-env.age

This is a binary file and will not be displayed.

-11

secrets/lldap-user-pass.age

···

       1
       -
       age-encryption.org/v1

     

       2
       -
       -> ssh-ed25519 sMF1bg rkX6nxV4pATfwzkzJtI08/Z0bvi0wYwnLJsppUAsz20

     

       3
       -
       X+znUc5AKAunPqr1jdq10obvQBU+rqs/LmeQaZzI+F4

     

       4
       -
       -> ssh-ed25519 SmMcWg xaZtLP6GOocdiMf3hgoujWigGgi7KxDUMGuPYNqS8WU

     

       5
       -
       00Y+8L4QssKFqRlGB2e0yiv9SyoqbxeZ/lWL6DCLlpo

     

       6
       -
       -> ssh-ed25519 Q8rMFA kHA5wVVhmpodSn3OcZuc78xttymjOoy9voa8GqIE+F8

     

       7
       -
       a7HpZf6sjmxr49QoV9tXrATheu8u20JmKCEIkmAZdhA

     

       8
       -
       -> U=6S`1*-grease \8na]onc

     

       9
       -
       PP5XQ1vbpadHeiMBOkmEccTIAg

     

       10
       -
       --- 1hkJN6ZLX8GJ8y0WuFcMEv66om+Phc0wYJFKCB8Amzg

     

       11
       -
       �M�	��}ޘ*;f��y��]����2ef���}�d������J�\��8�h��1�u� ������SHN��yS�D>W��x�J���yh������

-9

secrets/miniflux-oidc-secret.age

···

       1
       -
       age-encryption.org/v1

     

       2
       -
       -> ssh-ed25519 sMF1bg E4UVPOuq5ZUSxGvIvr0Tod9PQRqDdqHu2Byv4fKi2io

     

       3
       -
       FcdCyfLmRCmK5rmoLQ/m1KOJe9Etu9N/GHCM5lWCIPE

     

       4
       -
       -> ssh-ed25519 SmMcWg wrKv3V6uSLnWQqIp65Rgi0qv7lQtyOXaxnahMo+s3EU

     

       5
       -
       mXsJ1CbS3pzstf3xaWWF150+aXxW2kY2J5kAZWqtl+A

     

       6
       -
       -> ssh-ed25519 Q8rMFA 91npFfTkw9Ur6aZp/pLzLUOIwwPJ9OA1peaZyTlROBU

     

       7
       -
       12sib8HLjvgN06X6H0/AN4wMewQ8xup813DauZKQ+QY

     

       8
       -
       --- /AGwAMAsPvvuRH6PPNrizBCsJedclYzdj6Kq4V3mx0o

     

       9
       -
       zN��0�=�YP������rլ�!U�n;���n���/��}mCo�F��������!z���r������)u��o�3�>��>Z�f�񡤙1Ň
����

secrets/pds-env.age

This is a binary file and will not be displayed.

-43

secrets/secrets.nix

···

       1
       -
       let

     

       2
       -
         inherit (import ./keys.nix) servers sessions systems users;

     

       3
       -
       

     

       4
       -
         nixos = systems ++ users;

     

       5
       -
         home-manager = sessions ++ users;

     

       6
       -
         deploy = servers ++ users;

     

       7
       -
       in

     

       8
       -
       {

     

       9
       -
         # Used in NixOS config

     

       10
       -
         "backup-rclone-googledrive.age".publicKeys = nixos;

     

       11
       -
         "backup-restic-key.age".publicKeys = nixos;

     

       12
       -
       

     

       13
       -
         # Used in Home Manager

     

       14
       -
         "api-crates-io.age".publicKeys = home-manager;

     

       15
       -
         "api-wakatime.age".publicKeys = home-manager;

     

       16
       -
         "api-wakapi.age".publicKeys = home-manager;

     

       17
       -
       

     

       18
       -
         # Used in server deployment

     

       19
       -
       

     

       20
       -
         # Defines `PDS_JWT_SECRET`, `PDS_ADMIN_PASSWORD`, `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX`, `PDS_EMAIL_SMTP_URL`, `PDS_EMAIL_FROM_ADDRESS`.

     

       21
       -
         "pds-env.age".publicKeys = deploy;

     

       22
       -
         # Defines `LLDAP_JWT_SECRET`, `LLDAP_KEY_SEED`.

     

       23
       -
         "lldap-env.age".publicKeys = deploy;

     

       24
       -
         "lldap-user-pass.age".publicKeys = deploy;

     

       25
       -
         "headscale-oidc-secret.age".publicKeys = deploy;

     

       26
       -
         "grafana-oidc-secret.age".publicKeys = deploy;

     

       27
       -
         "authelia-jwt-secret.age".publicKeys = deploy;

     

       28
       -
         "authelia-issuer-private-key.age".publicKeys = deploy;

     

       29
       -
         "authelia-storage-key.age".publicKeys = deploy;

     

       30
       -
         "authelia-ldap-password.age".publicKeys = deploy;

     

       31
       -
         "authelia-smtp-password.age".publicKeys = deploy;

     

       32
       -
         "tuwunel-registration-tokens.age".publicKeys = deploy;

     

       33
       -
         # Defines `SMTP_PASSWORD`

     

       34
       -
         "vaultwarden-env.age".publicKeys = deploy;

     

       35
       -
         "miniflux-oidc-secret.age".publicKeys = deploy;

     

       36
       -
         # Defines `HYPIXEL_API_KEY`, `PROFILE_UUID`

     

       37
       -
         "hypixel-bank-tracker-main.age".publicKeys = deploy;

     

       38
       -
         "hypixel-bank-tracker-banana.age".publicKeys = deploy;

     

       39
       -
       

     

       40
       -
         # Not used in config but useful

     

       41
       -
         "pgp-ca5e.age".publicKeys = users;

     

       42
       -
         "ssh-uxgi.age".publicKeys = users;

     

       43
       -
       }

-9

secrets/tuwunel-registration-tokens.age

···

       1
       -
       age-encryption.org/v1

     

       2
       -
       -> ssh-ed25519 sMF1bg TVYRDtTe5khTJo0q8ShrR5o1WBrbK2htHjYCvi5QYAA

     

       3
       -
       kx6Hke5RAZFfugR4aU28SRh4U8e4ymzeIY/+kYlAWhw

     

       4
       -
       -> ssh-ed25519 SmMcWg AyJOM5lQHETeGiI/V5vUtu2vD6PqCZNnuTPvfnU90zE

     

       5
       -
       9vM7/8JUbScHaeDWig16MgqtULryofSrRqhw2OMWfBs

     

       6
       -
       -> ssh-ed25519 Q8rMFA TeUNtmHquyhhDrXf+zXY56oTGvzkhkaReIoBx5Yb+TE

     

       7
       -
       DLfVy9cO1JrVln9CHV1ag66z2kIMrVzhcaIugLytojE

     

       8
       -
       --- nr/3KZTVXNdemLdmp2bO2bjxKDHvcy3gezZKYN5Z1qI

     

       9
       -
       �"��Z8��ԛ�GvJ�{��(�V9��1�N"��o���o����Х�oJ�~�1�!�}Egd�!�

secrets/vaultwarden-env.age

This is a binary file and will not be displayed.

+9 -2

secrets.nix

···

       1
        
       let

     

       2
        
         inherit (builtins) listToAttrs attrNames;

     

       0
        
       
     

       0
        
       
     

       3
        
         mapAttrs' =

     

       4
        
           f:

     

       5
        
           set:

     

       6
        
           listToAttrs (map (attr: f attr set.${attr}) (attrNames set));

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       7
        
       in

     

       8
        
       

     

       9
       -
       # You can use agenix directly at repo top-level instead of having to change directory into `secrets/`

     

       10
       -
       mapAttrs' (name: value: { name = ("secrets/" + name); inherit value; }) (import ./secrets/secrets.nix)

···

       1
        
       let

     

       2
        
         inherit (builtins) listToAttrs attrNames;

     

       3
       +
       

     

       4
       +
         # Map the name and value of all items of an attrset

     

       5
        
         mapAttrs' =

     

       6
        
           f:

     

       7
        
           set:

     

       8
        
           listToAttrs (map (attr: f attr set.${attr}) (attrNames set));

     

       9
       +
       

     

       10
       +
         keys = import ./secrets/keys.nix;

     

       11
       +
       

     

       12
       +
         prependAttrsName = prefix: mapAttrs' (name: value: { name = prefix + name; inherit value; });

     

       13
       +
         secretsDir = path: prependAttrsName (path + "/") ((import ./${path}/default.nix) keys);

     

       14
        
       in

     

       15
        
       

     

       16
       +
       secretsDir "secrets"

     

       17
       +
         // secretsDir "hosts/weird-row-server/secrets"

Compare changes