+7 -1

hive.nix

reviewed

··· 21 21 nixpkgs = pkgs.applyPatches { 22 22 name = "nixpkgs_patched"; 23 23 src = sources.nixpkgs; 24 24 - patches = [ ./patches/forgejo.patch ]; 24 24 + patches = [ 25 25 + ./patches/forgejo.patch 26 26 + (pkgs.fetchpatch2 { 27 27 + url = "https://github.com/NixOS/nixpkgs/pull/483203.patch"; 28 28 + sha256 = "sha256-IltHn1AVUUefDI2tluzomXBsroK6a1NVTt+IBqx2Dc8="; 29 29 + }) 30 30 + ]; 25 31 }; 26 32 27 33 args = {

+6 -2

hosts/sand-archives/core/networking.nix

reviewed

··· 45 45 hosts = { 46 46 "127.0.0.1" = [ 47 47 "netbird.killuaa.dev" 48 48 - "auth.killuaa.dev" 48 48 + "auth.awoo.ren" 49 49 ]; 50 50 }; 51 51 52 52 firewall = { 53 53 enable = true; 54 54 - extraCommands = pm.net.firewall.sand-archives.extraCommands; 54 54 + extraInputRules = pm.net.firewall.sand-archives.extraInputRules; 55 55 + }; 56 56 + nftables = { 57 57 + enable = true; 58 58 + tables = pm.net.firewall.sand-archives.tables; 55 59 }; 56 60 }; 57 61 }

+72 -39

hosts/sand-archives/core/services.nix

reviewed

··· 10 10 netbird_dashboard_settings = { 11 11 NETBIRD_MGMT_API_ENDPOINT = "https://netbird.killuaa.dev"; 12 12 NETBIRD_MGMT_GRPC_API_ENDPOINT = "https://netbird.killuaa.dev"; 13 13 - AUTH_AUTHORITY = "https://auth.killuaa.dev/oauth2/openid/netbird"; 13 13 + AUTH_AUTHORITY = "https://auth.awoo.ren/oauth2/openid/netbird"; 14 14 AUTH_AUDIENCE = "netbird"; 15 15 AUTH_CLIENT_ID = "netbird"; 16 16 AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api"; ··· 50 50 server = { 51 51 enable = true; 52 52 exports = '' 53 53 - /export/hd1/cave ${pm.net.hosts.vulpes.public-ip}(rw,nohide,no_subtree_check,no_root_squash) 53 53 + /export/hd1/cave ${pm.net.ipv4.vulpes.public-addr}(rw,nohide,no_subtree_check,no_root_squash) 54 54 ''; 55 55 }; 56 56 }; ··· 61 61 package = pkgs.caddy.withPlugins { 62 62 plugins = [ 63 63 "github.com/mholt/caddy-l4@v0.0.0-20251209130418-1a3490ef786a" 64 64 + "github.com/caddy-dns/rfc2136@v1.0.0" 65 65 + "github.com/mholt/caddy-events-exec@v0.1.0" 64 66 ]; 65 65 - hash = "sha256-E2/YH/Uzd2GIvuB+QmNtjNgTS47Dla/ym+DwRSJm/F8="; 67 67 + hash = "sha256-61qiNHbh7vgQuI6Ecc9xVpHpy4faTbpvIxz9B/8bPqQ="; 66 68 }; 67 69 logFormat = pkgs.lib.mkForce "level DEBUG"; 68 70 globalConfig = '' 71 71 + events { 72 72 + on certificate_obtained exec /run/current-system/sw/bin/chmod 640 /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{event.data.domain}/{event.data.domain}.crt /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/{event.data.domain}/{event.data.domain}.key 73 73 + } 74 74 + acme_dns rfc2136 { 75 75 + key_name "caddy_key" 76 76 + key_alg "hmac-sha512" 77 77 + key "${pm.srv.bind.caddy_key}" 78 78 + server "127.0.0.1:5353" 79 79 + } 69 80 http_port 8880 70 81 https_port 4443 71 82 layer4 { 72 83 :80 { 73 84 @local_http { 74 85 http { 75 75 - host netbird.killuaa.dev auth.killuaa.dev 86 86 + host netbird.killuaa.dev auth.awoo.ren 76 87 } 77 88 } 78 89 route @local_http { ··· 85 96 } 86 97 } 87 98 route @inner_http { 88 88 - proxy ${pm.net.hosts.vulpes.ip}:80 99 99 + proxy ${pm.net.ipv4.vulpes.addr}:80 89 100 } 90 101 } 91 102 92 103 :443 { 93 104 @local_https { 94 105 tls { 95 95 - sni netbird.killuaa.dev auth.killuaa.dev syncthing.killuaa.dev 106 106 + sni netbird.killuaa.dev auth.awoo.ren syncthing.killuaa.dev 96 107 } 97 108 } 98 109 route @local_https { ··· 105 116 } 106 117 } 107 118 route @inner_https { 108 108 - proxy ${pm.net.hosts.vulpes.ip}:443 119 119 + proxy ${pm.net.ipv4.vulpes.addr}:443 120 120 + } 121 121 + } 122 122 + 123 123 + udp/:5353 { 124 124 + route { 125 125 + proxy udp/${pm.net.ipv4.vulpes.addr}:5300 126 126 + } 127 127 + } 128 128 + 129 129 + tcp/:5353 { 130 130 + route { 131 131 + proxy tcp/${pm.net.ipv4.vulpes.addr}:5300 109 132 } 110 133 } 111 134 } 112 135 ''; 113 136 virtualHosts = { 114 114 - "auth.killuaa.dev:4443" = { 137 137 + "auth.awoo.ren" = { 115 138 extraConfig = '' 116 139 reverse_proxy https://127.0.0.1:8443 { 117 140 transport http { 118 141 tls 119 119 - tls_server_name auth.killuaa.dev 142 142 + tls_server_name auth.awoo.ren 120 143 } 121 144 } 122 145 ''; ··· 170 193 }; 171 194 172 195 kanidm = { 173 173 - package = pkgs.kanidm_1_8; 174 174 - enableServer = true; 175 175 - enableClient = true; 176 176 - clientSettings = { 177 177 - uri = "https://auth.killuaa.dev"; 178 178 - ca_path = "/var/lib/acme/auth.killuaa.dev/fullchain.pem"; 196 196 + package = pkgs.kanidm_1_9; 197 197 + client = { 198 198 + enable = true; 199 199 + settings = { 200 200 + uri = "https://auth.awoo.ren"; 201 201 + ca_path = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/auth.awoo.ren/auth.awoo.ren.crt"; 202 202 + }; 179 203 }; 180 180 - serverSettings = { 181 181 - domain = "auth.killuaa.dev"; 182 182 - origin = "https://auth.killuaa.dev"; 183 183 - bindaddress = "[::]:8443"; 184 184 - tls_key = "/var/lib/acme/auth.killuaa.dev/key.pem"; 185 185 - tls_chain = "/var/lib/acme/auth.killuaa.dev/fullchain.pem"; 204 204 + server = { 205 205 + enable = true; 206 206 + settings = { 207 207 + domain = "auth.awoo.ren"; 208 208 + origin = "https://auth.awoo.ren"; 209 209 + bindaddress = "[::]:8443"; 210 210 + tls_key = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/auth.awoo.ren/auth.awoo.ren.key"; 211 211 + tls_chain = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/auth.awoo.ren/auth.awoo.ren.crt"; 212 212 + }; 186 213 }; 187 214 }; 188 215 ··· 201 228 domain = "netbird.killuaa.dev"; 202 229 management = { 203 230 enable = true; 204 204 - oidcConfigEndpoint = "https://auth.killuaa.dev/oauth2/openid/netbird/.well-known/openid-configuration"; 231 231 + oidcConfigEndpoint = "https://auth.awoo.ren/oauth2/openid/netbird/.well-known/openid-configuration"; 205 232 settings = { 206 233 DataStoreEncryptionKey = { 207 234 _secret = config.sops.secrets.netbird_data_store_encryption_key.path; 208 235 }; 209 209 - TURNConfig.Turns = [ 210 210 - { 211 211 - Proto = "udp"; 212 212 - URI = "turn:netbird.killuaa.dev:3478"; 213 213 - Username = "netbird"; 214 214 - Password = { 215 215 - _secret = config.sops.secrets.coturn_password.path; 216 216 - }; 217 217 - } 218 218 - ]; 236 236 + TURNConfig.Turns = [ ]; 237 237 + Stuns = [ ]; 238 238 + Relay = { 239 239 + Addresses = [ "rels://netbird.killuaa.dev:443" ]; 240 240 + CredentialsTTL = "12h"; 241 241 + Secret = { 242 242 + _secret = config.sops.secrets.netbird_relay_secret.path; 243 243 + }; 244 244 + TimeBasedCredentials = false; 245 245 + }; 219 246 }; 220 247 }; 221 248 dashboard = { 222 222 - settings.AUTH_AUTHORITY = "https://auth.killuaa.dev/oauth2/openid/netbird"; 249 249 + settings.AUTH_AUTHORITY = "https://auth.awoo.ren/oauth2/openid/netbird"; 223 250 }; 224 251 signal = { 225 252 enable = true; 226 226 - }; 227 227 - coturn = { 228 228 - enable = true; 229 229 - passwordFile = config.sops.secrets.coturn_password.path; 230 230 - domain = "netbird.killuaa.dev"; 231 253 }; 232 254 }; 233 255 clients.sand_arc = { 234 256 port = 51820; 257 257 + openFirewall = false; 235 258 environment = { 236 259 NB_MANAGEMENT_URL = "https://netbird.killuaa.dev"; 237 260 NB_SETUP_KEY_FILE = config.sops.secrets.nb_setup_key.path; 238 261 }; 239 262 }; 240 240 - 241 263 }; 242 264 }; 243 265 ··· 252 274 "/etc/resolv.conf" 253 275 "/etc/resolv.conf.original.netbird" 254 276 ]; 277 277 + }; 278 278 + }; 279 279 + netbird-relay = { 280 280 + enable = true; 281 281 + wantedBy = [ "multi-user.target" ]; 282 282 + after = [ "network.target" ]; 283 283 + serviceConfig = { 284 284 + User = "netbird-sand_arc"; 285 285 + Group = "netbird-sand_arc"; 286 286 + ExecStart = "${pkgs.netbird-relay}/bin/netbird-relay --exposed-address rels://netbird.killuaa.dev:443 --listen-address :33080 --metrics-port 9092 --auth-secret ${pm.srv.netbird.relay_secret}"; 287 287 + Restart = "always"; 255 288 }; 256 289 }; 257 290 };

+8 -6

hosts/sand-archives/core/sops.nix

reviewed

··· 25 25 group = "netbird-sand_arc"; 26 26 mode = "0440"; 27 27 }; 28 28 - # 29 29 - # Coturn 30 30 - # 31 31 - coturn_password = { 32 32 - owner = "turnserver"; 33 33 - group = "turnserver"; 28 28 + netbird_relay_secret = { 29 29 + owner = "netbird-sand_arc"; 30 30 + group = "netbird-sand_arc"; 34 31 mode = "0440"; 35 32 }; 33 33 + # bind_caddy_key = { 34 34 + # owner = "acme"; 35 35 + # group = "acme"; 36 36 + # mode = "0440"; 37 37 + # }; 36 38 }; 37 39 }; 38 40 }

+3

hosts/sand-archives/core/users.nix

reviewed

··· 21 21 group = "arr"; 22 22 isSystemUser = true; 23 23 }; 24 24 + kanidm = { 25 25 + extraGroups = [ "caddy" ]; 26 26 + }; 24 27 }; 25 28 extraGroups = { 26 29 roufpup = {

-17

hosts/sand-archives/default.nix

reviewed

··· 1 1 { 2 2 args, 3 3 - config, 4 3 pkgs, 5 4 ... 6 5 }: ··· 12 11 ++ (args.pup_lib.module_imports ./core); 13 12 14 13 security = { 15 15 - acme = { 16 16 - acceptTerms = true; 17 17 - defaults = { 18 18 - email = "roufpup@killuaa.dev"; 19 19 - dnsProvider = "porkbun"; 20 20 - credentialFiles = { 21 21 - "PORKBUN_API_KEY_FILE" = config.sops.secrets.porkbun_api_key.path; 22 22 - "PORKBUN_SECRET_API_KEY_FILE" = config.sops.secrets.porkbun_secret_api_key.path; 23 23 - }; 24 24 - }; 25 25 - certs = { 26 26 - "auth.killuaa.dev" = { 27 27 - group = "kanidm"; 28 28 - }; 29 29 - }; 30 30 - }; 31 14 sudo-rs = { 32 15 enable = true; 33 16 execWheelOnly = true;

+13 -2

hosts/vulpes/core/boot.nix

reviewed

··· 6 6 boot = { 7 7 kernelPackages = pkgs.linuxPackages_latest; 8 8 9 9 + lanzaboote = { 10 10 + enable = true; 11 11 + pkiBundle = "/var/lib/sbctl"; 12 12 + }; 13 13 + 9 14 loader = { 10 10 - systemd-boot.enable = true; 15 15 + systemd-boot.enable = false; 11 16 efi.canTouchEfiVariables = true; 12 17 }; 13 18 ··· 20 25 "usb_storage" 21 26 "sd_mod" 22 27 ]; 23 23 - kernelModules = [ "dm-snapshot" ]; 28 28 + kernelModules = [ 29 29 + "dm-snapshot" 30 30 + "tpm_tis" 31 31 + ]; 32 32 + systemd = { 33 33 + enable = true; 34 34 + }; 24 35 }; 25 36 kernelModules = [ "kvm-amd" ]; 26 37 supportedFilesystems = [ "nfs" ];

+62 -8

hosts/vulpes/core/hardware.nix

reviewed

··· 8 8 (modulesPath + "/installer/scan/not-detected.nix") 9 9 ]; 10 10 11 11 + boot.initrd.luks = { 12 12 + devices = { 13 13 + crypt-root = { 14 14 + device = "/dev/disk/by-uuid/c04d78db-937f-4666-ab55-0caae96b7105"; 15 15 + allowDiscards = true; 16 16 + crypttabExtraOpts = [ 17 17 + "tpm2-device=auto" 18 18 + "tpm2-measure-pcr=yes" 19 19 + ]; 20 20 + }; 21 21 + }; 22 22 + }; 23 23 + 11 24 fileSystems = { 12 25 "/" = { 13 13 - device = "/dev/mapper/vulpes-root"; 14 14 - fsType = "ext4"; 26 26 + device = "/dev/mapper/crypt-root"; 27 27 + fsType = "btrfs"; 28 28 + options = [ 29 29 + "subvol=@" 30 30 + "compress=zstd" 31 31 + "noatime" 32 32 + ]; 33 33 + }; 34 34 + 35 35 + "/home" = { 36 36 + device = "/dev/mapper/crypt-root"; 37 37 + fsType = "btrfs"; 38 38 + options = [ 39 39 + "subvol=@home" 40 40 + "compress=zstd" 41 41 + "noatime" 42 42 + ]; 43 43 + }; 44 44 + 45 45 + "/var" = { 46 46 + device = "/dev/mapper/crypt-root"; 47 47 + fsType = "btrfs"; 48 48 + options = [ 49 49 + "subvol=@var" 50 50 + "compress=zstd" 51 51 + "noatime" 52 52 + ]; 53 53 + }; 54 54 + 55 55 + "/nix" = { 56 56 + device = "/dev/mapper/crypt-root"; 57 57 + fsType = "btrfs"; 58 58 + options = [ 59 59 + "subvol=@nix" 60 60 + "compress=zstd" 61 61 + "noatime" 62 62 + ]; 63 63 + }; 64 64 + 65 65 + "/.snapshots" = { 66 66 + device = "/dev/mapper/crypt-root"; 67 67 + fsType = "btrfs"; 68 68 + options = [ 69 69 + "subvol=@snapshots" 70 70 + "compress=zstd" 71 71 + "noatime" 72 72 + ]; 15 73 }; 16 74 17 75 "/boot" = { 18 18 - device = "/dev/disk/by-uuid/18CE-060A"; 76 76 + device = "/dev/disk/by-uuid/12CE-A600"; 19 77 fsType = "vfat"; 20 78 options = [ 21 79 "fmask=0077" 22 80 "dmask=0077" 23 81 ]; 24 82 }; 83 83 + 25 84 "/mnt/hd1" = { 26 85 device = "sand-archives:/export/hd1/cave"; 27 86 fsType = "nfs"; ··· 33 92 }; 34 93 hardware = { 35 94 enableRedistributableFirmware = true; 36 36 - 37 37 - bluetooth = { 38 38 - enable = true; 39 39 - powerOnBoot = true; 40 40 - }; 41 95 42 96 amdgpu = { 43 97 opencl = {

+6 -2

hosts/vulpes/core/networking.nix

reviewed

··· 12 12 useDHCP = true; 13 13 firewall = { 14 14 enable = true; 15 15 - extraCommands = pm.net.firewall.vulpes.extraCommands; 15 15 + extraInputRules = pm.net.firewall.vulpes.extraInputRules; 16 16 + trustedInterfaces = [ "incusbr0" ]; 17 17 + }; 18 18 + nftables = { 19 19 + enable = true; 16 20 }; 17 21 18 22 hosts = { 19 19 - "${pm.net.hosts.sand-archives.ip}" = [ 23 23 + "${pm.net.ipv4.sand-archives.addr}" = [ 20 24 "sand-archives" 21 25 "netbird.killuaa.dev" 22 26 ];

+6 -1

hosts/vulpes/core/services.nix

reviewed

··· 11 11 openssh = { 12 12 enable = true; 13 13 ports = pm.srv.ssh.ports; 14 14 + openFirewall = false; 14 15 listenAddresses = [ 15 16 { 16 17 addr = pm.srv.ssh.addr; ··· 23 24 authorizedKeysInHomedir = true; 24 25 }; 25 26 26 26 - netbird = { 27 27 + fwupd = { 27 28 enable = true; 29 29 + }; 30 30 + 31 31 + netbird = { 28 32 clients.vulpes = { 29 33 port = 51820; 34 34 + openFirewall = false; 30 35 environment = { 31 36 NB_MANAGEMENT_URL = "https://netbird.killuaa.dev"; 32 37 NB_SETUP_KEY_FILE = config.sops.secrets.nb_setup_key.path;

+8 -9

hosts/vulpes/core/sops.nix

reviewed

··· 88 88 ente_jwt_secret = { }; 89 89 ente_admin_id = { }; 90 90 # 91 91 - # Zerda 91 91 + # Coder 92 92 # 93 93 - zerda_env = { 94 94 - owner = "zerda"; 95 95 - group = "zerda"; 93 93 + coder_db_pass = { 94 94 + owner = "coder"; 95 95 + group = "coder"; 96 96 mode = "0440"; 97 97 }; 98 98 - zerda_db_pass = { 99 99 - owner = "zerda"; 100 100 - group = "zerda"; 101 101 - mode = "0440"; 102 102 - }; 98 98 + # 99 99 + # Miniflux 100 100 + # 101 101 + miniflux_admin_credentials = { }; 103 102 }; 104 103 }; 105 104 }

+5 -7

hosts/vulpes/core/users.nix

reviewed

··· 44 44 group = "ente"; 45 45 isSystemUser = true; 46 46 }; 47 47 - zerda = { 48 48 - group = "zerda"; 49 49 - isSystemUser = true; 47 47 + coder = { 48 48 + extraGroups = [ 49 49 + "podman" 50 50 + "incus-admin" 51 51 + ]; 50 52 }; 51 53 }; 52 54 extraGroups = { ··· 64 66 gid = 500; 65 67 name = "ente"; 66 68 members = [ "ente" ]; 67 67 - }; 68 68 - zerda = { 69 69 - name = "zerda"; 70 70 - members = [ "zerda" ]; 71 69 }; 72 70 sunshine = { 73 71 name = "sunshine";

+29

hosts/vulpes/core/virtualization.nix

reviewed

··· 1 1 + { ... }: 2 2 + { 3 3 + virtualisation = { 4 4 + podman = { 5 5 + enable = true; 6 6 + autoPrune = { 7 7 + enable = true; 8 8 + dates = "daily"; 9 9 + }; 10 10 + dockerCompat = true; 11 11 + dockerSocket = { 12 12 + enable = true; 13 13 + }; 14 14 + }; 15 15 + incus = { 16 16 + enable = true; 17 17 + ui = { 18 18 + enable = true; 19 19 + }; 20 20 + preseed = { 21 21 + config = { 22 22 + "core.https_address" = "127.0.0.1:8443"; 23 23 + "oidc.issuer" = "https://auth.awoo.ren/oauth2/openid/incus"; 24 24 + "oidc.client.id" = "incus"; 25 25 + }; 26 26 + }; 27 27 + }; 28 28 + }; 29 29 + }

+2 -3

hosts/vulpes/default.nix

reviewed

··· 8 8 in 9 9 { 10 10 imports = [ 11 11 - args.pins.nix-minecraft.nixosModules.minecraft-servers 12 11 args.pins.sops-nix.nixosModules.sops 12 12 + args.pins.lanzaboote.nixosModules.lanzaboote 13 13 ] 14 14 ++ (args.pup_lib.module_imports ./core) 15 15 ++ (args.pup_lib.module_imports ./infra); ··· 21 21 bat 22 22 btop 23 23 zellij 24 24 - configarr 25 24 vulkan-tools 26 25 mangohud 26 26 + sbctl 27 27 ]; 28 28 29 29 nix.settings = { ··· 47 47 hostPlatform = "x86_64-linux"; 48 48 overlays = [ 49 49 overlays.default 50 50 - args.pins.nix-minecraft.overlay 51 50 ]; 52 51 }; 53 52

+98 -9

hosts/vulpes/infra/caddy.nix

reviewed

··· 1 1 - { pkgs, lib, ... }: 1 1 + { 2 2 + pkgs, 3 3 + lib, 4 4 + args, 5 5 + ... 6 6 + }: 2 7 let 3 8 photos-pkg = ( 4 9 pkgs.ente-web.override { ··· 11 16 }; 12 17 } 13 18 ); 19 19 + pm = (args.mods.priv_mod.get_data args); 14 20 in 15 21 { 16 22 services.caddy = { 17 23 enable = true; 18 24 package = pkgs.caddy.withPlugins { 19 19 - plugins = [ "github.com/caddy-dns/porkbun@v0.3.1" ]; 20 20 - hash = "sha256-R1ZqQ8drcBQIH7cLq9kEvdg9Ze3bKkT8IAFavldVeC0="; 25 25 + plugins = [ "github.com/caddy-dns/rfc2136@v1.0.0" ]; 26 26 + hash = "sha256-S078bVfUolEa6icL2hJgTTzZ8r7+j+D9lfyOc5SCvzQ="; 21 27 }; 22 28 email = "rouffy@killuaa.dev"; 23 29 logFormat = lib.mkForce "level DEBUG"; 30 30 + globalConfig = '' 31 31 + acme_dns rfc2136 { 32 32 + key_name "caddy_key" 33 33 + key_alg "hmac-sha512" 34 34 + key "${pm.srv.bind.caddy_key}" 35 35 + server "127.0.0.1:5300" 36 36 + } 37 37 + ''; 24 38 virtualHosts = { 39 39 + "rss.awoo.ren" = { 40 40 + extraConfig = '' 41 41 + reverse_proxy 127.0.0.1:4678 42 42 + ''; 43 43 + }; 44 44 + "incus.awoo.ren" = { 45 45 + extraConfig = '' 46 46 + reverse_proxy https://127.0.0.1:8443 { 47 47 + header_up Host incus.awoo.ren 48 48 + transport http { 49 49 + tls_insecure_skip_verify 50 50 + } 51 51 + } 52 52 + ''; 53 53 + }; 54 54 + 25 55 # Killuaa 26 56 "killuaa.dev" = { 27 57 extraConfig = '' ··· 42 72 ''; 43 73 }; 44 74 75 75 + "fluxer.killuaa.dev" = { 76 76 + extraConfig = '' 77 77 + handle /_caddy_health { 78 78 + respond "OK" 200 79 79 + } 80 80 + @gateway path /gateway /gateway/* 81 81 + handle @gateway { 82 82 + uri strip_prefix /gateway 83 83 + reverse_proxy 127.0.0.1:5080 84 84 + } 85 85 + @marketing path /marketing /marketing/* 86 86 + handle @marketing { 87 87 + uri strip_prefix /marketing 88 88 + reverse_proxy 127.0.0.1:49531 89 89 + } 90 90 + @server path /admin /admin/* /api /api/* /s3 /s3/* /queue /queue/* /media /media/* /_health /_ready /_live /.well-known/fluxer 91 91 + handle @server { 92 92 + reverse_proxy 127.0.0.1:5079 93 93 + } 94 94 + @livekit path /livekit /livekit/* 95 95 + handle @livekit { 96 96 + uri strip_prefix /livekit 97 97 + reverse_proxy 127.0.0.1:7880 98 98 + } 99 99 + handle { 100 100 + reverse_proxy 127.0.0.1:49427 { 101 101 + header_up Connection {http.request.header.Connection} 102 102 + header_up Upgrade {http.request.header.Upgrade} 103 103 + } 104 104 + } 105 105 + log { 106 106 + output stdout 107 107 + format console 108 108 + } 109 109 + ''; 110 110 + }; 111 111 + 45 112 # Git Forge 46 113 "git.killuaa.dev" = { 47 114 extraConfig = '' 48 115 reverse_proxy 127.0.0.1:3000 116 116 + ''; 117 117 + }; 118 118 + "git.awoo.ren" = { 119 119 + extraConfig = '' 120 120 + reverse_proxy 127.0.0.1:3000 121 121 + ''; 122 122 + }; 123 123 + "code.killuaa.dev" = { 124 124 + extraConfig = '' 125 125 + reverse_proxy 127.0.0.1:3300 { 126 126 + transport http { 127 127 + keepalive 30s 128 128 + keepalive_idle_conns 10 129 129 + } 130 130 + flush_interval -1 131 131 + } 132 132 + ''; 133 133 + serverAliases = [ "*.code.killuaa.dev" ]; 134 134 + }; 135 135 + 136 136 + "pgadmin.killuaa.dev" = { 137 137 + extraConfig = '' 138 138 + reverse_proxy 127.0.0.1:5050 49 139 ''; 50 140 }; 51 141 ··· 145 235 ''; 146 236 }; 147 237 148 148 - # Zerda 149 149 - "zerda.killuaa.dev" = { 238 238 + # Vaultwarden 239 239 + "vaultwarden.killuaa.dev" = { 150 240 extraConfig = '' 151 151 - reverse_proxy 127.0.0.1:3232 241 241 + reverse_proxy 127.0.0.1:7474 152 242 ''; 153 243 }; 154 244 155 155 - # Vaultwarden 156 156 - "vaultwarden.killuaa.dev" = { 245 245 + "cockpit.killuaa.dev" = { 157 246 extraConfig = '' 158 158 - reverse_proxy 127.0.0.1:7474 247 247 + reverse_proxy 127.0.0.1:9090 159 248 ''; 160 249 }; 161 250 };

+25

hosts/vulpes/infra/coder.nix

reviewed

··· 1 1 + { args, ... }: 2 2 + let 3 3 + pm = (args.mods.priv_mod.get_data args); 4 4 + in 5 5 + { 6 6 + services.coder = { 7 7 + enable = true; 8 8 + listenAddress = "127.0.0.1:3300"; 9 9 + accessUrl = "https://code.killuaa.dev"; 10 10 + wildcardAccessUrl = "*.code.killuaa.dev"; 11 11 + database = { 12 12 + createLocally = false; 13 13 + host = "127.0.0.1"; 14 14 + password = pm.srv.coder.db_pass; 15 15 + }; 16 16 + environment.extra = { 17 17 + CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS = "false"; 18 18 + CODER_OAUTH2_GITHUB_DEFAULT_PROVIDER_ENABLE = "false"; 19 19 + CODER_TELEMETRY_ENABLE = "false"; 20 20 + CODER_BLOCK_DIRECT = "true"; 21 21 + CODER_DERP_FORCE_WEBSOCKETS = "true"; 22 22 + # CODER_DISABLE_PASSWORD_AUTH = "true"; 23 23 + }; 24 24 + }; 25 25 + }

+192 -56

hosts/vulpes/infra/dns.nix

reviewed

··· 1 1 - { args, ... }: 1 1 + { args, pkgs, ... }: 2 2 let 3 3 pm = (args.mods.priv_mod.get_data args); 4 4 in ··· 36 36 } 37 37 ]; 38 38 }; 39 39 + bind = { 40 40 + enable = true; 41 41 + cacheNetworks = [ 42 42 + "127.0.0.0/24" 43 43 + "::1/128" 44 44 + ]; 45 45 + listenOn = [ "any" ]; 46 46 + listenOnPort = 5300; 47 47 + forward = "only"; 48 48 + forwarders = [ ]; 49 49 + ipv4Only = true; 50 50 + extraConfig = '' 51 51 + key "caddy_key" { 52 52 + algorithm hmac-sha512; 53 53 + secret "${pm.srv.bind.caddy_key}"; 54 54 + }; 55 55 + ''; 56 56 + zones = { 57 57 + "killuaa.dev" = { 58 58 + master = true; 59 59 + allowQuery = [ 60 60 + "any" 61 61 + ]; 62 62 + extraConfig = '' 63 63 + update-policy { 64 64 + grant caddy_key wildcard *.killuaa.dev. TXT; 65 65 + }; 66 66 + journal "/var/lib/named/killuaa.dev.jnl"; 67 67 + ''; 68 68 + file = pkgs.writeText "zone_killuaa.dev" '' 69 69 + $ORIGIN killuaa.dev. 70 70 + $TTL 1h 71 71 + @ IN SOA ns.killuaa.dev. roufpup.killuaa.dev. ( 72 72 + 2026022201 ; serial 73 73 + 3h ; refresh 74 74 + 1h ; retry 75 75 + 1w ; expire 76 76 + 1h ) ; negative cache TTL 77 77 + 78 78 + IN NS ns.killuaa.dev. 79 79 + 80 80 + ns IN A ${pm.net.ipv4.sand-archives.addr} 81 81 + ns IN AAAA ${pm.net.ipv6.sand-archives.addr} 82 82 + @ IN A ${pm.net.ipv4.sand-archives.addr} 83 83 + @ IN AAAA ${pm.net.ipv6.sand-archives.addr} 84 84 + 85 85 + ; Tuta 86 86 + 87 87 + @ IN MX 10 mail.tutanota.de. 88 88 + @ IN TXT "t-verify=3971cf62a080f647ea848e037ac87776" 89 89 + @ IN TXT "v=spf1 include:spf.tutanota.de -all" 90 90 + _dmarc IN TXT "v=DMARC1; p=quarantine; adkim=s" 91 91 + s1._domainkey IN CNAME s1.domainkey.tutanota.de. 92 92 + s2._domainkey IN CNAME s2.domainkey.tutanota.de. 93 93 + _mta-sts IN CNAME mta-sts.tutanota.de. 94 94 + mta-sts IN CNAME mta-sts.tutanota.de. 95 95 + 96 96 + ; Domain verificaitons 97 97 + 98 98 + _atproto IN TXT "did=did:plc:e6e4lgy3nzdshjbpmjvnkbfd" 99 99 + _fluxer IN TXT "fluxer-verification=a83d4bbb46d22050a732b4ea17b0ecba76589d60e9abcc9a2d727e021e53d435" 100 100 + 101 101 + git IN A ${pm.net.ipv4.sand-archives.addr} 102 102 + git IN AAAA ${pm.net.ipv6.sand-archives.addr} 103 103 + code IN A ${pm.net.ipv4.sand-archives.addr} 104 104 + *.code IN A ${pm.net.ipv4.sand-archives.addr} 105 105 + fluxer IN A ${pm.net.ipv4.sand-archives.addr} 106 106 + 107 107 + netbird IN A ${pm.net.ipv4.sand-archives.addr} 108 108 + netbird IN AAAA ${pm.net.ipv6.sand-archives.addr} 109 109 + auth IN A ${pm.net.ipv4.sand-archives.addr} 110 110 + 111 111 + ente IN A ${pm.net.ipv4.sand-archives.addr} 112 112 + api.ente IN A ${pm.net.ipv4.sand-archives.addr} 113 113 + albums.ente IN A ${pm.net.ipv4.sand-archives.addr} 114 114 + s3.garage IN A ${pm.net.ipv4.sand-archives.addr} 115 115 + 116 116 + media IN A ${pm.net.ipv4.sand-archives.addr} 117 117 + media IN AAAA ${pm.net.ipv6.sand-archives.addr} 118 118 + seerr IN A ${pm.net.ipv4.sand-archives.addr} 119 119 + anisonarr IN A ${pm.net.ipv4.sand-archives.addr} 120 120 + aniradarr IN A ${pm.net.ipv4.sand-archives.addr} 121 121 + showsonarr IN A ${pm.net.ipv4.sand-archives.addr} 122 122 + movieradarr IN A ${pm.net.ipv4.sand-archives.addr} 123 123 + prowlarr IN A ${pm.net.ipv4.sand-archives.addr} 124 124 + torrent IN A ${pm.net.ipv4.vulpes.addr} 125 125 + 126 126 + yap IN A ${pm.net.ipv4.sand-archives.addr} 127 127 + 128 128 + ntfy IN A ${pm.net.ipv4.sand-archives.addr} 129 129 + mollysocket IN A ${pm.net.ipv4.sand-archives.addr} 130 130 + 131 131 + vaultwarden IN A ${pm.net.ipv4.sand-archives.addr} 132 132 + 133 133 + syncthing IN A ${pm.net.ipv4.sand-archives.addr} 134 134 + 135 135 + cockpit IN A ${pm.net.ipv4.sand-archives.addr} 136 136 + ''; 137 137 + }; 138 138 + "awoo.ren" = { 139 139 + master = true; 140 140 + allowQuery = [ 141 141 + "any" 142 142 + ]; 143 143 + extraConfig = '' 144 144 + update-policy { 145 145 + grant caddy_key wildcard *.awoo.ren. TXT; 146 146 + }; 147 147 + journal "/var/lib/named/awoo.ren.jnl"; 148 148 + ''; 149 149 + file = pkgs.writeText "zone_awoo.ren" '' 150 150 + $ORIGIN awoo.ren. 151 151 + $TTL 5m 152 152 + @ IN SOA ns1.awoo.ren. pup.awoo.ren. ( 153 153 + 2026022201 ; serial 154 154 + 3h ; refresh 155 155 + 1h ; retry 156 156 + 1w ; expire 157 157 + 1h ) ; negative cache TTL 158 158 + 159 159 + IN NS ns1.awoo.ren. 160 160 + 161 161 + ns1 IN A ${pm.net.ipv4.sand-archives.addr} 162 162 + ns1 IN AAAA ${pm.net.ipv6.sand-archives.addr} 163 163 + @ IN A ${pm.net.ipv4.sand-archives.addr} 164 164 + @ IN AAAA ${pm.net.ipv6.sand-archives.addr} 165 165 + 166 166 + ; Tuta 167 167 + @ IN MX 10 mail.tutanota.de. 168 168 + @ IN TXT "t-verify=83be8df1ae29ced5fea6432b3a22111e" 169 169 + @ IN TXT "v=spf1 include:spf.tutanota.de -all" 170 170 + _dmarc IN TXT "v=DMARC1; p=quarantine; adkim=s" 171 171 + s1._domainkey IN CNAME s1.domainkey.tutanota.de. 172 172 + s2._domainkey IN CNAME s2.domainkey.tutanota.de. 173 173 + _mta-sts IN CNAME mta-sts.tutanota.de. 174 174 + mta-sts IN CNAME mta-sts.tutanota.de. 175 175 + 176 176 + ; Domain verificaitons 177 177 + 178 178 + _atproto IN TXT "did=did:plc:e6e4lgy3nzdshjbpmjvnkbfd" 179 179 + _fluxer IN TXT "fluxer-verification=a83d4bbb46d22050a732b4ea17b0ecba76589d60e9abcc9a2d727e021e53d435" 180 180 + 181 181 + auth IN A ${pm.net.ipv4.sand-archives.addr} 182 182 + auth IN AAAA ${pm.net.ipv6.sand-archives.addr} 183 183 + 184 184 + git IN A ${pm.net.ipv4.sand-archives.addr} 185 185 + git IN AAAA ${pm.net.ipv6.sand-archives.addr} 186 186 + 187 187 + rss IN A ${pm.net.ipv4.sand-archives.addr} 188 188 + rss IN AAAA ${pm.net.ipv6.sand-archives.addr} 189 189 + 190 190 + incus IN A ${pm.net.ipv4.sand-archives.addr} 191 191 + incus IN AAAA ${pm.net.ipv6.sand-archives.addr} 192 192 + ''; 193 193 + }; 194 194 + }; 195 195 + }; 39 196 unbound = { 40 197 enable = true; 41 198 resolveLocalQueries = false; ··· 60 217 use-caps-for-id = "no"; 61 218 edns-buffer-size = "1232"; 62 219 220 220 + do-not-query-localhost = "no"; 63 221 prefetch = "yes"; 64 222 num-threads = 2; 65 223 so-rcvbuf = "1m"; 224 224 + 66 225 private-address = [ 226 226 + "10.0.0.0/8" 227 227 + "172.16.0.0/12" 67 228 "192.168.0.0/16" 68 229 "169.254.0.0/16" 69 69 - "172.16.0.0/12" 70 230 "100.64.0.0/10" 71 71 - "10.0.0.0/8" 231 231 + "127.0.0.0/8" 72 232 "fd00::/8" 73 233 "fe80::/10" 74 74 - 234 234 + "::1/128" 75 235 "192.0.2.0/24" 76 236 "198.51.100.0/24" 77 237 "203.0.113.0/24" 238 238 + "198.18.0.0/15" 78 239 "255.255.255.255/32" 79 240 "2001:db8::/32" 80 80 - ]; 81 81 - local-zone = [ 82 82 - "\"killuaa.dev.\" static" 83 83 - ]; 84 84 - local-data = [ 85 85 - # Main zone setup 86 86 - "\"killuaa.dev. IN SOA ns.killuaa.dev. roufpup.killuaa.dev. ( 20250211 10800 3600 604800 300)\"" 87 87 - "\"killuaa.dev. IN NS ns.killuaa.dev.\"" 88 88 - 89 89 - "\"ns.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 90 90 - "\"killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 91 91 - 92 92 - # DNS records 93 93 - 94 94 - "\"killuaa.dev. IN MX 10 mail.tutanota.de.\"" 95 95 - "'killuaa.dev. IN TXT \"t-verify=3971cf62a080f647ea848e037ac87776\"'" 96 96 - "'killuaa.dev. IN TXT \"v=spf1 include:spf.tutanota.de -all\"'" 97 97 - "'_dmarc.killuaa.dev. IN TXT \"v=DMARC1; p=quarantine; adkim=s\"'" 98 98 - "\"s1._domainkey.killuaa.dev. IN CNAME s1.domainkey.tutanota.de.\"" 99 99 - "\"s2._domainkey.killuaa.dev. IN CNAME s2.domainkey.tutanota.de.\"" 100 100 - "\"_mta-sts.killuaa.dev. IN CNAME mta-sts.tutanota.de.\"" 101 101 - "\"mta-sts.killuaa.dev. IN CNAME mta-sts.tutanota.de.\"" 102 102 - 103 103 - "\"git.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 104 104 - 105 105 - "\"netbird.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 106 106 - "\"auth.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 107 107 - 108 108 - "\"ente.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 109 109 - "\"api.ente.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 110 110 - "\"albums.ente.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 111 111 - "\"s3.garage.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 112 112 - 113 113 - "\"media.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 114 114 - "\"seerr.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 115 115 - "\"anisonarr.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 116 116 - "\"aniradarr.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 117 117 - "\"showsonarr.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 118 118 - "\"movieradarr.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 119 119 - "\"prowlarr.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 120 120 - "\"torrent.killuaa.dev. IN A ${pm.net.hosts.vulpes.ip}\"" 121 121 - 122 122 - "\"yap.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 123 123 - 124 124 - "\"ntfy.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 125 125 - "\"mollysocket.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 126 126 - 127 127 - "\"zerda.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 128 128 - 129 129 - "\"vaultwarden.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 130 130 - 131 131 - "\"syncthing.killuaa.dev. IN A ${pm.net.hosts.sand-archives.ip}\"" 241 241 + "fc00::/7" 132 242 ]; 133 243 access-control = [ 244 244 + "127.0.0.1/32 allow" 245 245 + "::1/128 allow" 246 246 + "10.0.0.0/8 allow" 247 247 + "172.16.0.0/12 allow" 248 248 + "192.168.0.0/16 allow" 134 249 "100.0.0.0/8 allow" 250 250 + "169.254.0.0/16 allow" 135 251 ]; 136 252 }; 253 253 + # stub-zone = [ 254 254 + # { 255 255 + # name = "killuaa.dev"; 256 256 + # stub-addr = "127.0.0.1@5300"; 257 257 + # } 258 258 + # ]; 137 259 }; 138 260 }; 261 261 + }; 262 262 + systemd = { 263 263 + services.bind = { 264 264 + serviceConfig = { 265 265 + ReadWritePaths = [ 266 266 + "/var/lib/named" 267 267 + "/run/named" 268 268 + "-/nix/store" 269 269 + ]; 270 270 + }; 271 271 + }; 272 272 + tmpfiles.rules = [ 273 273 + "d /var/lib/named 0755 named named -" 274 274 + ]; 139 275 }; 140 276 }

+3 -3

hosts/vulpes/infra/forgejo.nix

reviewed

··· 65 65 DESCRIPTION = ""; 66 66 }; 67 67 server = { 68 68 - DOMAIN = "git.killuaa.dev"; 69 69 - SSH_DOMAIN = "git.killuaa.dev"; 68 68 + DOMAIN = "git.awoo.ren"; 69 69 + SSH_DOMAIN = "git.awoo.ren"; 70 70 HTTP_PORT = 3000; 71 71 - ROOT_URL = "https://git.killuaa.dev/"; 71 71 + ROOT_URL = "https://git.awoo.ren/"; 72 72 DISABLE_SSH = false; 73 73 SSH_PORT = 5858; 74 74 SSH_LISTEN_PORT = 5858;

-14

hosts/vulpes/infra/matrix.nix

reviewed

··· 1 1 - { ... }: 2 2 - { 3 3 - services.matrix-continuwuity = { 4 4 - enable = true; 5 5 - settings = { 6 6 - global = { 7 7 - address = [ "0.0.0.0" ]; 8 8 - server_name = "killuaa.dev"; 9 9 - allow_registration = false; 10 10 - enable_lightning_bolt = false; 11 11 - }; 12 12 - }; 13 13 - }; 14 14 - }

-104

hosts/vulpes/infra/minecraft.nix

reviewed

··· 1 1 - { pkgs, ... }: 2 2 - let 3 3 - modpack = pkgs.fetchPackwizModpack { 4 4 - url = "https://git.killuaa.dev/roufpup/ATR10/raw/branch/trunk/pack/pack.toml"; 5 5 - packHash = "sha256-dM2+2ItZQtBR/tG+4EZ7zo1NpUXD8t2mqHpr8nnV2JQ="; 6 6 - prefetch_mods = [ 7 7 - { 8 8 - url = "https://edge.forgecdn.net/files/6172/735/bwncr-neoforge-1.21.1-3.20.3.jar"; 9 9 - sha256 = "sha256-LVBuxh2AL+7yoDJ59zqVKDcq9q5dDsBOqGd866q/5q8="; 10 10 - name = "bwncr-neoforge-1.21.1-3.20.3.jar"; 11 11 - } 12 12 - { 13 13 - url = "https://edge.forgecdn.net/files/6919/850/tombstone-neoforge-1.21.1-9.4.8.jar"; 14 14 - sha256 = "sha256-kXXeDSk0FJ9dfhwaWpS4RqBKbnpWDfh1cJh/L3e42XA="; 15 15 - name = "tombstone-neoforge-1.21.1-9.4.8.jar"; 16 16 - } 17 17 - { 18 18 - url = "https://edge.forgecdn.net/files/5991/453/imfast-NEOFORGE-1.0.2.jar"; 19 19 - sha256 = "sha256-tDX8IWUYg+3jdq2mhNGWock6ro8kC81NVR+w2DhNt/o="; 20 20 - name = "imfast-NEOFORGE-1.0.2.jar"; 21 21 - } 22 22 - { 23 23 - url = "https://edge.forgecdn.net/files/6981/252/moreoverlays-1.24.2-mc1.21.1-neoforge.jar"; 24 24 - sha256 = "sha256-GrDRpJ4xu+XPDN/luin9kj7KWsYM21EWR4CqPbMXxLE="; 25 25 - name = "moreoverlays-1.24.2-mc1.21.1-neoforge.jar"; 26 26 - } 27 27 - { 28 28 - url = "https://edge.forgecdn.net/files/7129/314/notenoughanimations-neoforge-1.10.6-mc1.21.1.jar"; 29 29 - sha256 = "sha256-odUKM+Dv50C3X/1XTMLYGZK7jDxCHNMk7fFbwkvwLgE="; 30 30 - name = "notenoughanimations-neoforge-1.10.6-mc1.21.1.jar"; 31 31 - } 32 32 - { 33 33 - url = "https://edge.forgecdn.net/files/7078/283/Structory_Towers_1.21.x_v1.0.14.jar"; 34 34 - sha256 = "sha256-TzAeyMhlQo7y4zKnbBTPv3944aOfSmAywNrnnGYPzB8="; 35 35 - name = "Structory_Towers_1.21.x_v1.0.14.jar"; 36 36 - } 37 37 - { 38 38 - url = "https://edge.forgecdn.net/files/7078/278/Structory_1.21.x_v1.3.12.jar"; 39 39 - sha256 = "sha256-K/R8JXsDG1Dz/mqqumow2eMKCg6ou85j4qhd7h8WRLE="; 40 40 - name = "Structory_1.21.x_v1.3.12.jar"; 41 41 - } 42 42 - ]; 43 43 - prefetch_resourcepacks = [ 44 44 - { 45 45 - url = "https://edge.forgecdn.net/files/5995/726/Create%20Immersive%20Aircraft%20Warship%20ResoucePack%20v1.2.zip"; 46 46 - sha256 = "sha256-3BW8dHyYGy6yODUmgTkqPjHJeiWfN0hBChNMZ6XbjfI="; 47 47 - name = "Create Immersive Aircraft Warship ResoucePack v1.2.zip"; 48 48 - } 49 49 - { 50 50 - url = "https://edge.forgecdn.net/files/5375/282/Create%20Immersive%20Aircrafts%20Warship%20Recipe%20DataPack%20v1.0.zip"; 51 51 - sha256 = "sha256-7FEWJ61vgzEvvwAyAs7KKBpucQS5rHsG5bKy0BzUOR8="; 52 52 - name = "Create Immersive Aircrafts Warship Recipe DataPack v1.0.zip"; 53 53 - } 54 54 - { 55 55 - url = "https://edge.forgecdn.net/files/6117/616/Visual%20Titles%201.1.zip"; 56 56 - sha256 = "sha256-mQ/qnTCIPrcpgkiMZNWAwgJdqSOOZfo+tU2H2AcKxUk="; 57 57 - name = "Visual Titles 1.1.zip"; 58 58 - } 59 59 - { 60 60 - url = "https://edge.forgecdn.net/files/5050/834/IAF-DE4THR4SH-Dragonsteel-Weaponry-V-3.5-%5B1.20.X%5D.zip"; 61 61 - sha256 = "sha256-Z1Jlp1ublj0gehCNuMfzXhQJZRgli+5EiuA8MfRJnSA="; 62 62 - name = "IAF-DE4THR4SH-Dragonsteel-Weaponry-V-3.5-[1.20.X].zip"; 63 63 - } 64 64 - { 65 65 - url = "https://edge.forgecdn.net/files/5982/488/enderio-refrubished-preview.zip"; 66 66 - sha256 = "sha256-dAa2ueyX6yf00xPf0A6dNpdnYdNqxRGJRvZCi5lMuS0="; 67 67 - name = "enderio-refrubished-preview.zip"; 68 68 - } 69 69 - ]; 70 70 - }; 71 71 - in 72 72 - { 73 73 - services.minecraft-servers = { 74 74 - enable = true; 75 75 - eula = true; 76 76 - dataDir = "/var/lib/minecraft"; 77 77 - managementSystem = { 78 78 - tmux.enable = false; 79 79 - systemd-socket.enable = true; 80 80 - }; 81 81 - servers = { 82 82 - atr10 = { 83 83 - enable = false; 84 84 - autoStart = true; 85 85 - serverProperties = { 86 86 - server-port = 2755; 87 87 - "query.port" = 2755; 88 88 - allow-flight = true; 89 89 - }; 90 90 - jvmOpts = "-Xms12288M -Xmx12288M"; 91 91 - package = pkgs.neoforgeServers.neoforge-1_21_1-21_1_217; 92 92 - files = { 93 93 - "config" = "${modpack}/config"; 94 94 - "mods" = "${modpack}/mods"; 95 95 - "kubejs" = "${modpack}/kubejs"; 96 96 - "local" = "${modpack}/local"; 97 97 - "defaultconfigs" = "${modpack}/defaultconfigs"; 98 98 - "datapacks" = "${modpack}/datapacks"; 99 99 - "shaderpacks" = "${modpack}/shaderpacks"; 100 100 - }; 101 101 - }; 102 102 - }; 103 103 - }; 104 104 - }

+37 -14

hosts/vulpes/infra/misc.nix

reviewed

··· 1 1 - { args, pkgs, ... }: 1 1 + { 2 2 + args, 3 3 + pkgs, 4 4 + config, 5 5 + ... 6 6 + }: 2 7 let 3 8 pm = (args.mods.priv_mod.get_data args); 4 9 in 5 10 { 6 11 services = { 7 7 - redis = { 8 8 - package = pkgs.valkey; 9 9 - servers = { 10 10 - zerda = { 11 11 - enable = true; 12 12 - port = 6375; 13 13 - bind = "0.0.0.0"; 14 14 - settings = { 15 15 - protected-mode = "no"; 16 16 - }; 12 12 + cockpit = { 13 13 + enable = true; 14 14 + plugins = with pkgs; [ 15 15 + cockpit-podman 16 16 + cockpit-files 17 17 + ]; 18 18 + allowed-origins = [ 19 19 + "https://cockpit.killuaa.dev" 20 20 + "wss://cockpit.killuaa.dev" 21 21 + ]; 22 22 + settings = { 23 23 + WebService = { 24 24 + AllowUnencrypted = true; 25 25 + ProtocolHeader = "X-Forwarded-Proto"; 17 26 }; 18 27 }; 19 28 }; ··· 31 40 host = "0.0.0.0"; 32 41 }; 33 42 }; 34 34 - murmur = { 43 43 + vaultwarden = { 35 44 enable = true; 36 36 - bandwidth = 800000; 37 45 }; 38 38 - vaultwarden = { 46 46 + miniflux = { 39 47 enable = true; 48 48 + createDatabaseLocally = false; 49 49 + config = { 50 50 + DATABASE_URL = pm.srv.miniflux.db_connection_url; 51 51 + LISTEN_ADDR = "127.0.0.1:4678"; 52 52 + OAUTH2_PROVIDER = "oidc"; 53 53 + OAUTH2_CLIENT_ID = "miniflux"; 54 54 + OAUTH2_CLIENT_SECRET = "${pm.srv.miniflux.oauth2_secret}"; 55 55 + OAUTH2_REDIRECT_URL = "https://rss.awoo.ren/oauth2/oidc/callback"; 56 56 + OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.awoo.ren/oauth2/openid/miniflux"; 57 57 + }; 58 58 + adminCredentialsFile = config.sops.secrets.miniflux_admin_credentials.path; 40 59 }; 41 60 }; 61 61 + environment.systemPackages = with pkgs; [ 62 62 + cockpit 63 63 + sosreport 64 64 + ]; 42 65 systemd.services = { 43 66 vaultwarden = { 44 67 serviceConfig = {

+25 -11

hosts/vulpes/infra/postgres.nix

reviewed

··· 1 1 - { args, config, pkgs, ... }: 1 1 + { 2 2 + args, 3 3 + config, 4 4 + pkgs, 5 5 + ... 6 6 + }: 2 7 let 3 8 pm = (args.mods.priv_mod.get_data args); 4 9 in ··· 7 12 postgresql = { 8 13 enable = true; 9 14 enableTCPIP = true; 10 10 - package = pkgs.postgresql_17_jit; 15 15 + package = pkgs.postgresql_18_jit; 11 16 ensureUsers = [ 12 17 { 13 18 name = "roufpup"; ··· 36 41 }; 37 42 } 38 43 { 39 39 - name = "zerda"; 44 44 + name = "coder"; 45 45 + ensureDBOwnership = true; 46 46 + ensureClauses = { 47 47 + login = true; 48 48 + }; 49 49 + } 50 50 + { 51 51 + name = "miniflux"; 40 52 ensureDBOwnership = true; 41 53 ensureClauses = { 42 54 login = true; ··· 47 59 "roufpup" 48 60 "forgejo" 49 61 "ente" 50 50 - "zerda" 62 62 + "coder" 63 63 + "miniflux" 51 64 ]; 52 65 settings = { 53 66 listen_addresses = "*"; 54 67 }; 55 68 authentication = pkgs.lib.mkForce '' 56 56 - local postgres postgres trust 57 57 - local all roufpup trust 69 69 + local all all trust 58 70 host all roufpup 127.0.0.1/8 trust 59 59 - host forgejo forgejo 127.0.0.1/8 md5 60 60 - host ente ente 127.0.0.1/8 md5 61 61 - host ente ente ::1/8 md5 62 62 - host zerda zerda 127.0.0.1/8 md5 71 71 + host forgejo forgejo 127.0.0.1/8 scram-sha-256 72 72 + host ente ente 127.0.0.1/8 scram-sha-256 73 73 + host ente ente ::1/8 scram-sha-256 74 74 + host coder coder 127.0.0.1/8 scram-sha-256 75 75 + host miniflux miniflux 127.0.0.1/8 scram-sha-256 76 76 + host miniflux miniflux ::1/8 scram-sha-256 63 77 ''; 64 78 }; 65 79 ··· 70 84 settings = { 71 85 DEFAULT_SERVER = "0.0.0.0"; 72 86 FIXED_BINARY_PATHS = { 73 73 - pg-17 = "${pkgs.postgresql_17_jit}/bin"; 87 87 + pg-18 = "${pkgs.postgresql_18_jit}/bin"; 74 88 }; 75 89 }; 76 90 };

-78

hosts/vulpes/infra/zerda.nix

reviewed

··· 1 1 - { 2 2 - utils, 3 3 - config, 4 4 - args, 5 5 - ... 6 6 - }: 7 7 - let 8 8 - secrets_dir = "/run/secrets"; 9 9 - zerda_config = { 10 10 - url = "https://zerda.killuaa.dev"; 11 11 - address = "0.0.0.0"; 12 12 - port = 3232; 13 13 - mediaDirectory = "/var/lib/zerda"; 14 14 - socket = null; 15 15 - db = { 16 16 - host = "127.0.0.1"; 17 17 - port = 5432; 18 18 - db = "zerda"; 19 19 - user = "zerda"; 20 20 - pass._secret = config.sops.secrets.zerda_db_pass.path; 21 21 - }; 22 22 - dbReplications = false; 23 23 - redis = { 24 24 - host = "127.0.0.1"; 25 25 - port = 6375; 26 26 - }; 27 27 - fulltextSearch = { 28 28 - provider = "sqlLike"; 29 29 - }; 30 30 - id = "aidx"; 31 31 - proxyBypassHosts = [ 32 32 - "api.deepl.com" 33 33 - "api-free.deepl.com" 34 34 - "www.recaptcha.net" 35 35 - "hcaptcha.com" 36 36 - "challenges.cloudflare.com" 37 37 - ]; 38 38 - proxyRemoteFiles = true; 39 39 - signToActivityPubGet = true; 40 40 - attachLdSignatureForRelays = true; 41 41 - websocketCompression = false; 42 42 - }; 43 43 - in 44 44 - { 45 45 - systemd.services = { 46 46 - zerda-setup = { 47 47 - enable = true; 48 48 - wantedBy = [ "zerda.service" ]; 49 49 - before = [ "zerda.service" ]; 50 50 - script = '' 51 51 - ${utils.genJqSecretsReplacementSnippet zerda_config "${secrets_dir}/zerda_default.yml"} 52 52 - ''; 53 53 - }; 54 54 - zerda = { 55 55 - enable = true; 56 56 - description = "Zerda"; 57 57 - wantedBy = [ "default.target" ]; 58 58 - wants = [ 59 59 - "zerda-setup.service" 60 60 - ]; 61 61 - after = [ 62 62 - "zerda-setup.service" 63 63 - ]; 64 64 - script = '' 65 65 - ${args.pkgs-master.sharkey}/bin/sharkey migrateandstart 66 66 - ''; 67 67 - serviceConfig = { 68 68 - EnvironmentFile = "${secrets_dir}/zerda_env"; 69 69 - Restart = "always"; 70 70 - SyslogIdentifier = "zerda"; 71 71 - RuntimeDirectory = "zerda"; 72 72 - StateDirectory = "zerda"; 73 73 - User = "zerda"; 74 74 - Group = "zerda"; 75 75 - }; 76 76 - }; 77 77 - }; 78 78 - }

+4 -1

hosts/work/core/boot.nix

reviewed

··· 8 8 ]; 9 9 10 10 kernelPackages = pkgs.linuxPackages_latest; 11 11 - kernelParams = [ "preempt=full" ]; 11 11 + kernelParams = [ 12 12 + "preempt=full" 13 13 + "amdgpu.ppfeaturemask=0xffffffff" 14 14 + ]; 12 15 13 16 loader = { 14 17 systemd-boot = {

+2 -10

hosts/work/core/networking.nix

reviewed

··· 25 25 }; 26 26 27 27 hosts = { 28 28 - "${pm.net.hosts.sand-archives.ip}" = [ 28 28 + "${pm.net.ipv4.sand-archives.addr}" = [ 29 29 "sand-archives" 30 30 "netbird.killuaa.dev" 31 31 + "auth.awoo.ren" 31 32 ]; 32 33 }; 33 34 }; 34 34 - # services.resolved = { 35 35 - # enable = true; 36 36 - # extraConfig = '' 37 37 - # DNSStubListener=no 38 38 - # ''; 39 39 - # fallbackDns = [ 40 40 - # "127.0.0.1" 41 41 - # ]; 42 42 - # }; 43 35 }

+12 -3

hosts/work/core/packages.nix

reviewed

··· 23 23 zellij 24 24 calc-rs 25 25 xdg-utils 26 26 - rocmPackages.rocminfo 27 27 - rocmPackages.rocm-smi 28 26 clinfo 29 27 ripgrep 30 28 eza ··· 49 47 stash 50 48 (lib.hiPrio wl-clipboard-rs) 51 49 yubikey-manager 50 50 + android-tools 52 51 53 52 # GUI apps 54 53 dconf-editor ··· 59 58 seahorse 60 59 tauon 61 60 virt-manager 61 61 + mullvad-vpn 62 62 63 63 # Social 64 64 signal-desktop ··· 67 67 telegram-desktop 68 68 element-desktop 69 69 fluxer 70 70 + (fluxer.override { 71 71 + instance_name = "killuaa.dev"; 72 72 + instance_url = "https://fluxer.killuaa.dev"; 73 73 + canary_instance_url = "https://fluxer.killuaa.dev"; 74 74 + channel = "canary"; 75 75 + }) 70 76 71 77 # Gaming 72 78 lact 79 79 + corectrl 73 80 prismlauncher 74 81 (vintagestory.override { 75 82 # waylandSupport = true; ··· 116 123 mpv 117 124 tutanota-desktop 118 125 mako 119 119 - librewolf-bin 126 126 + # librewolf-bin 120 127 syncplay 121 128 kdePackages.gwenview 122 129 kdePackages.kimageformats ··· 134 141 args.pins.wire.packages.${builtins.currentSystem}.wire 135 142 jellyfin-desktop 136 143 args.pins.dune.packages.default 144 144 + # args.pins.nur.legacyPackages.x86_64-linux.repos.lonerOrz.helium 145 145 + args.pins.helium.packages.x86_64-linux.default 137 146 138 147 # For work 139 148 safenet_authentication_client

+20 -20

hosts/work/core/services.nix

reviewed

··· 13 13 gnome-keyring.enable = true; 14 14 }; 15 15 16 16 - tailscale = { 17 17 - enable = false; 18 18 - interfaceName = "userspace-networking"; 19 19 - authKeyFile = "${config.sops.secrets.pupscale_key.path}"; 20 20 - extraUpFlags = [ "--login-server=https://pupscale.killuaa.dev" ]; 21 21 - extraSetFlags = [ 22 22 - "--operator=roufpup" 23 23 - "--accept-dns=true" 24 24 - ]; 25 25 - extraDaemonFlags = [ 26 26 - "--socks5-server=0.0.0.0:1055" 27 27 - "--outbound-http-proxy-listen=0.0.0.0:1055" 28 28 - ]; 16 16 + wivrn = { 17 17 + enable = true; 18 18 + defaultRuntime = true; 19 19 + autoStart = true; 20 20 + highPriority = true; 21 21 + steam = { 22 22 + importOXRRuntimes = true; 23 23 + }; 29 24 }; 30 25 31 26 pipewire = { ··· 36 31 "99-custom-quantum.conf" = { 37 32 "context.properties" = { 38 33 "default.clock.rate" = 48000; 39 39 - "default.clock.allowed-rates" = [ 48000 ]; 40 40 - "default.clock.quantum" = 4096; 41 41 - "default.clock.min-quantum" = 4096; 34 34 + "default.clock.allowed-rates" = [ 35 35 + 44100 36 36 + 48000 37 37 + 96000 38 38 + ]; 39 39 + "default.clock.quantum" = 1024; 40 40 + "default.clock.min-quantum" = 512; 42 41 "default.clock.max-quantum" = 8192; 43 42 }; 44 43 "context.modules" = [ ··· 67 66 ]; 68 67 actions = { 69 68 update-props = { 70 70 - 69 69 + "session.suspend-timeout-seconds" = 0; 70 70 + "api.alsa.soft-mixer" = true; 71 71 + "api.alsa.period-size" = 512; 72 72 + "api.alsa.headroom" = 0; 71 73 }; 72 74 }; 73 75 } ··· 117 119 118 120 netbird = { 119 121 clients.work = { 120 120 - ui = { 121 121 - enable = true; 122 122 - }; 123 122 port = 51820; 124 123 environment = { 125 124 NB_MANAGEMENT_URL = "https://netbird.killuaa.dev"; ··· 137 136 "flathub:app/com.collaboraoffice.Office//stable" 138 137 "flathub:app/com.github.tchx84.Flatseal//stable" 139 138 "flathub:app/page.codeberg.JakobDev.jdDBusDebugger//stable" 139 139 + "flathub:app/io.github.vani_tty1.memerist//stable" 140 140 ]; 141 141 }; 142 142 };

+1 -1

hosts/work/core/virtualization.nix

reviewed

··· 28 28 enable = true; 29 29 }; 30 30 libvirtd = { 31 31 - enable = true; 31 31 + enable = false; 32 32 33 33 qemu = { 34 34 swtpm = {

+1 -1

hosts/work/core/xdg.nix

reviewed

··· 1 1 { pkgs, lib, ... }: 2 2 let 3 3 - browser_desktop = "librewolf.desktop"; 3 3 + browser_desktop = "helium.desktop"; 4 4 media_player_desktop = "mpv.desktop"; 5 5 image_viewer_desktop = "org.kde.gwenview.desktop"; 6 6 text_editor_desktop = "dev.zed.Zed.desktop";

+13 -2

hosts/work/default.nix

reviewed

··· 53 53 pam = { 54 54 services = { 55 55 sudo.rssh = true; 56 56 - greetd.enableGnomeKeyring = true; 56 56 + greetd = { 57 57 + enableGnomeKeyring = true; 58 58 + text = lib.mkForce '' 59 59 + auth substack login 60 60 + account include login 61 61 + password substack login 62 62 + session include login 63 63 + ''; 64 64 + }; 65 65 + login.enableGnomeKeyring = true; 57 66 }; 58 67 rssh = { 59 68 enable = true; ··· 84 93 nixpkgs = { 85 94 config = { 86 95 allowUnfree = true; 87 87 - rocmSupport = true; 88 96 android_sdk.accept_license = true; 89 97 permittedInsecurePackages = [ 90 98 "librewolf-bin-147.0.2-1" ··· 94 102 hostPlatform = lib.mkDefault "x86_64-linux"; 95 103 overlays = [ 96 104 overlays.default 105 105 + args.pins.nixpkgs-xr.overlays.default 97 106 ]; 98 107 }; 99 108 ··· 122 131 ]; 123 132 substituters = [ 124 133 "https://cache.garnix.io" 134 134 + "https://nix-community.cachix.org" 125 135 ]; 126 136 127 137 trusted-public-keys = [ 128 138 "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" 139 139 + "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" 129 140 ]; 130 141 }; 131 142 gc = {

+7 -1

hosts/work/hjem-rum/niri.nix

reviewed

··· 96 96 default-window-height { fixed 545; } 97 97 } 98 98 window-rule { 99 99 + match app-id="com.mitchellh.ghostty" 100 100 + open-floating true 101 101 + default-column-width { fixed 1299; } 102 102 + default-window-height { fixed 756; } 103 103 + } 104 104 + window-rule { 99 105 opacity 0.97 100 106 draw-border-with-background false 101 107 clip-to-geometry true ··· 132 138 # }; 133 139 }; 134 140 "Mod+Q" = { 135 135 - spawn = [ "foot" ]; 141 141 + spawn = [ "${pkgs.ghostty}/bin/ghostty" ]; 136 142 }; 137 143 "Mod+Shift+Down" = { 138 144 action = "move-window-down-or-to-workspace-down";

+1 -4

hosts/work/hjem-rum/programs/fish.nix

reviewed

··· 10 10 fish = { 11 11 enable = true; 12 12 functions = { 13 13 - fish_greeting = ''''; 13 13 + fish_greeting = ""; 14 14 docker = '' 15 15 if test (count $argv) -eq 1; and test \"$argv[1]\" = ps 16 16 docker ps --format \"table {{.Names}}\\t{{.Image}}\\t{{.Status}}\\t{{.ID}}\" ··· 57 57 docd = "docker compose down"; 58 58 search = "nh search"; 59 59 img = "${pkgs.chafa}/bin/chafa --format sixels"; 60 60 - qw-coder = "cd $HOME/Documents/Projects/LLM/models && llama-cli -m ./Qwen3-Coder-30B-A3B-Instruct-Q4_K_M.gguf --n-gpu-layers 20 --device ROCm0"; 61 61 - qw-standard = "cd $HOME/Documents/Projects/LLM/models && llama-cli -m ./Qwen3-30B-A3B-Instruct-2507-Q4_K_M.gguf --n-gpu-layers 20 --device ROCm0"; 62 62 - 63 60 }; 64 61 config = '' 65 62 set -xg fish_color_command blue

+85 -1

hosts/work/hjem-rum/programs/misc.nix

reviewed

··· 34 34 }; 35 35 }; 36 36 37 37 + ghostty = { 38 38 + enable = true; 39 39 + package = pkgs.ghostty; 40 40 + settings = { 41 41 + "quit-after-last-window-closed" = false; 42 42 + "theme" = "Monokai Soda"; 43 43 + "window-padding-x" = 15; 44 44 + "window-padding-y" = 15; 45 45 + "font-family" = "FiraCode Nerd Font"; 46 46 + "font-size" = 14; 47 47 + "font-style" = "Regular"; 48 48 + }; 49 49 + }; 50 50 + 51 51 + fastfetch = { 52 52 + enable = true; 53 53 + settings = { 54 54 + "$schema" = "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json"; 55 55 + logo = { 56 56 + type = "kitty"; 57 57 + source = "~/Pictures/pfp/fennec_eep_pfp.jpg"; 58 58 + width = 40; 59 59 + height = 19; 60 60 + }; 61 61 + display = { 62 62 + separator = " > "; 63 63 + }; 64 64 + modules = [ 65 65 + "break" 66 66 + { 67 67 + type = "custom"; 68 68 + format = " If i die here, then I'm a man that"; 69 69 + } 70 70 + { 71 71 + type = "custom"; 72 72 + format = " could only make it this far."; 73 73 + } 74 74 + "break" 75 75 + "break" 76 76 + { 77 77 + type = "os"; 78 78 + key = "{#34}  OS"; 79 79 + } 80 80 + { 81 81 + type = "kernel"; 82 82 + key = "{#33}  Kernel"; 83 83 + } 84 84 + { 85 85 + type = "packages"; 86 86 + key = "{#35} 󰏗 Packages"; 87 87 + } 88 88 + { 89 89 + type = "wm"; 90 90 + key = "{#36} 󰇄 WM"; 91 91 + } 92 92 + { 93 93 + type = "uptime"; 94 94 + key = "{#33}  Uptime"; 95 95 + } 96 96 + { 97 97 + type = "terminal"; 98 98 + key = "{#34}  Terminal"; 99 99 + } 100 100 + "break" 101 101 + { 102 102 + type = "gpu"; 103 103 + format = "{2}"; 104 104 + key = "{#37}  GPU"; 105 105 + } 106 106 + { 107 107 + type = "cpu"; 108 108 + format = "{1}"; 109 109 + key = "{#35}  CPU"; 110 110 + } 111 111 + { 112 112 + type = "memory"; 113 113 + key = "{#39}  Memory"; 114 114 + } 115 115 + "break" 116 116 + "break" 117 117 + ]; 118 118 + }; 119 119 + }; 120 120 + 37 121 foot = { 38 122 enable = true; 39 123 settings = { ··· 95 179 settings = { 96 180 user = { 97 181 name = "roufpup"; 98 98 - email = "roufpup@killuaa.dev"; 182 182 + email = "pup@awoo.ren"; 99 183 signingKey = "20B7409613D59319"; 100 184 }; 101 185 commit = {

+28

hosts/work/hjem-rum/programs/vscodium.nix

reviewed

··· 1 1 + { pkgs, ... }: 2 2 + { 3 3 + vscode = { 4 4 + enable = true; 5 5 + package = pkgs.vscodium; 6 6 + configPath = "VSCodium"; 7 7 + settings = { 8 8 + "workbench.sideBar.location" = "right"; 9 9 + "workbench.settings.editor" = "json"; 10 10 + "workbench.settings.useSplitJSON" = true; 11 11 + "workbench.activityBar.location" = "bottom"; 12 12 + "terminal.integrated.stickyScroll.enabled" = false; 13 13 + "editor.minimap.enabled" = false; 14 14 + "terminal.integrated.shellIntegration.decorationsEnabled" = "never"; 15 15 + "terminal.integrated.shellIntegration.enabled" = false; 16 16 + "nix.enableLanguageServer" = true; 17 17 + "nix.formatterPath" = "${pkgs.nixfmt}/bin/nixfmt"; 18 18 + "nix.serverPath" = "${pkgs.nixd}/bin/nixd"; 19 19 + "editor.formatOnSave" = true; 20 20 + "rust-analyzer.server.path" = "rust-analyzer"; 21 21 + "rust-analyzer.check.command" = "clippy"; 22 22 + "rust-analyzer.procMacro.enable" = true; 23 23 + "editor.suggest.showWords" = false; 24 24 + "files.autoSave" = "afterDelay"; 25 25 + "files.autoSaveDelay" = 500; 26 26 + }; 27 27 + }; 28 28 + }

+1 -1

modules/pub/arr.nix

reviewed

··· 105 105 Restart = "always"; 106 106 }; 107 107 environment = { 108 108 - "${lib.toUpper arrs."${arr-name}".service-type}__SERVER__PORT" = "${builtins.toString 108 108 + "${lib.toUpper arrs."${arr-name}".service-type}__SERVER__PORT" = "${toString 109 109 arrs."${arr-name}".port 110 110 }"; 111 111 };

+70 -31

npins/sources.json

reviewed

··· 9 9 }, 10 10 "branch": "main", 11 11 "submodules": false, 12 12 - "revision": "cfec6b8371038868748370ed38c59ec35e49b62e", 13 13 - "url": "https://github.com/mrshmllow/affinity-nix/archive/cfec6b8371038868748370ed38c59ec35e49b62e.tar.gz", 14 14 - "hash": "sha256-imdu7ueh6PZcUG1+/H4+JJbaeAuO+v0BYJtVVlAeqjc=" 12 12 + "revision": "cd7bed5b72ceeb50b862c550cc16c6f1b11a2d84", 13 13 + "url": "https://github.com/mrshmllow/affinity-nix/archive/cd7bed5b72ceeb50b862c550cc16c6f1b11a2d84.tar.gz", 14 14 + "hash": "sha256-JoXciqQCwHdIvENurNwgc6jH1e/d5xcjn9ybYNe+YQI=" 15 15 }, 16 16 "dune": { 17 17 "type": "Git", ··· 55 55 "url": "https://api.github.com/repos/in-a-dil-emma/declarative-flatpak/tarball/refs/tags/v4.1.6", 56 56 "hash": "sha256-J0n+J/qfU3xTf5iaMcQrEK4dA5GSYQcw8XJuhZsM1Pc=" 57 57 }, 58 58 + "helium": { 59 59 + "type": "Git", 60 60 + "repository": { 61 61 + "type": "GitHub", 62 62 + "owner": "amaanq", 63 63 + "repo": "helium-flake" 64 64 + }, 65 65 + "branch": "master", 66 66 + "submodules": false, 67 67 + "revision": "9d3ef138f70b3540397320d25ead6aa96101371d", 68 68 + "url": "https://github.com/amaanq/helium-flake/archive/9d3ef138f70b3540397320d25ead6aa96101371d.tar.gz", 69 69 + "hash": "sha256-OxeMEMxRJ6dF3UGXVJoNRwxU/F1nOVbdcyX9n8S3Mxk=" 70 70 + }, 58 71 "helix-nix": { 59 72 "type": "Git", 60 73 "repository": { ··· 76 89 }, 77 90 "branch": "main", 78 91 "submodules": false, 79 79 - "revision": "9d0c8d4b44f661910595b07e6480557644c1431c", 80 80 - "url": "https://github.com/feel-co/hjem/archive/9d0c8d4b44f661910595b07e6480557644c1431c.tar.gz", 81 81 - "hash": "sha256-cKETEBrseo7Iz+bOzflwy1xTpDuUj3QaLA+P49yJw8k=" 92 92 + "revision": "f484cac67cfaa6329e1d1fe00be57929ae744b25", 93 93 + "url": "https://github.com/feel-co/hjem/archive/f484cac67cfaa6329e1d1fe00be57929ae744b25.tar.gz", 94 94 + "hash": "sha256-erwV+kMqRX/KhopMRq1B0MuyAGip4OkDG1nVJdW0nv8=" 82 95 }, 83 96 "hjem-rum": { 84 97 "type": "Git", 85 98 "repository": { 86 86 - "type": "GitHub", 87 87 - "owner": "snugnug", 88 88 - "repo": "hjem-rum" 99 99 + "type": "Git", 100 100 + "url": "file:///home/roufpup/Documents/projects/hjem-rum" 89 101 }, 90 102 "branch": "main", 91 103 "submodules": false, 92 92 - "revision": "edac54b7d57ad72cc4b124da2f44e7b2e584f3c6", 93 93 - "url": "https://github.com/snugnug/hjem-rum/archive/edac54b7d57ad72cc4b124da2f44e7b2e584f3c6.tar.gz", 94 94 - "hash": "sha256-P+59TbVusYqdx2Jt2liwvQ+hslUzU6M1ezRDy6c66Tc=" 104 104 + "revision": "1a4d8b2f2f936127c768c95a860b9d5cdb3eaa86", 105 105 + "url": null, 106 106 + "hash": "sha256-CfzkXQwbCggKMMoCelLFeRj7dpR9xm2zjkHItQWrkDI=" 95 107 }, 96 96 - "hjem-rum-local": { 108 108 + "lanzaboote": { 97 109 "type": "Git", 98 110 "repository": { 99 99 - "type": "Git", 100 100 - "url": "file:///home/roufpup/Documents/projects/hjem-rum" 111 111 + "type": "GitHub", 112 112 + "owner": "nix-community", 113 113 + "repo": "lanzaboote" 101 114 }, 102 102 - "branch": "main", 115 115 + "branch": "master", 103 116 "submodules": false, 104 104 - "revision": "7c931af837c79d03275188e874e03ede10ce6183", 105 105 - "url": null, 106 106 - "hash": "sha256-OTmC/wDxW+2aTC93xAJK3jmBJyTwNfc+irLmD6kPEPc=" 117 117 + "revision": "d21013305ef39e1d9d2d06b161c3785ffad82281", 118 118 + "url": "https://github.com/nix-community/lanzaboote/archive/d21013305ef39e1d9d2d06b161c3785ffad82281.tar.gz", 119 119 + "hash": "sha256-JSsXufJy2zdg5XS5pRGlkwF1dqN+sWPmCgrvJsnhEzg=" 107 120 }, 108 121 "nix-index": { 109 122 "type": "Git", ··· 114 127 }, 115 128 "branch": "main", 116 129 "submodules": false, 117 117 - "revision": "2684bb8080a6f2ca5f9d494de5ef875bc1c4ecdb", 118 118 - "url": "https://github.com/nix-community/nix-index-database/archive/2684bb8080a6f2ca5f9d494de5ef875bc1c4ecdb.tar.gz", 119 119 - "hash": "sha256-hy0gcAgAcxrnSWKGuNO+Ob0x6jQ2xkR6hoaR0qJBHYs=" 130 130 + "revision": "1c1d8ea87b047788fd7567adf531418c5da321ec", 131 131 + "url": "https://github.com/nix-community/nix-index-database/archive/1c1d8ea87b047788fd7567adf531418c5da321ec.tar.gz", 132 132 + "hash": "sha256-PMt48sEQ8cgCeljQ9I/32uoBq/8t8y+7W/nAZhf72TQ=" 120 133 }, 121 134 "nix-minecraft": { 122 135 "type": "Git", ··· 139 152 }, 140 153 "branch": "nixos-unstable", 141 154 "submodules": false, 142 142 - "revision": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2", 143 143 - "url": "https://github.com/NixOS/nixpkgs/archive/00c21e4c93d963c50d4c0c89bfa84ed6e0694df2.tar.gz", 144 144 - "hash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=" 155 155 + "revision": "9dcb002ca1690658be4a04645215baea8b95f31d", 156 156 + "url": "https://github.com/NixOS/nixpkgs/archive/9dcb002ca1690658be4a04645215baea8b95f31d.tar.gz", 157 157 + "hash": "sha256-9jVDGZnvCckTGdYT53d/EfznygLskyLQXYwJLKMPsZs=" 145 158 }, 146 159 "nixpkgs-master": { 147 160 "type": "Git", ··· 152 165 }, 153 166 "branch": "master", 154 167 "submodules": false, 155 155 - "revision": "73fbc5be130687799017d5b28233748dbe0de539", 156 156 - "url": "https://github.com/NixOS/nixpkgs/archive/73fbc5be130687799017d5b28233748dbe0de539.tar.gz", 157 157 - "hash": "sha256-7E7LaEf3OwqfwpVVBoJAU5ESPcb5+YHGTNcelLDpprs=" 168 168 + "revision": "743644663cab232c634de034f1a9f015a905ab67", 169 169 + "url": "https://github.com/NixOS/nixpkgs/archive/743644663cab232c634de034f1a9f015a905ab67.tar.gz", 170 170 + "hash": "sha256-ivls7Lgl+31Z/OxplPHYoAqYS/QTqQVaaQrjaLOyMIg=" 171 171 + }, 172 172 + "nixpkgs-xr": { 173 173 + "type": "Git", 174 174 + "repository": { 175 175 + "type": "GitHub", 176 176 + "owner": "nix-community", 177 177 + "repo": "nixpkgs-xr" 178 178 + }, 179 179 + "branch": "main", 180 180 + "submodules": false, 181 181 + "revision": "390bd6961152a4ae1802a20f5d61bc876d3d255e", 182 182 + "url": "https://github.com/nix-community/nixpkgs-xr/archive/390bd6961152a4ae1802a20f5d61bc876d3d255e.tar.gz", 183 183 + "hash": "sha256-NzeoTOG8HVsn2RM/SyC9NSoK1f+rUQUTwfbB5ZvdcRE=" 184 184 + }, 185 185 + "nur": { 186 186 + "type": "Git", 187 187 + "repository": { 188 188 + "type": "GitHub", 189 189 + "owner": "nix-community", 190 190 + "repo": "NUR" 191 191 + }, 192 192 + "branch": "main", 193 193 + "submodules": false, 194 194 + "revision": "00b462568165e5be619ad76c1bde0df65266ea78", 195 195 + "url": "https://github.com/nix-community/NUR/archive/00b462568165e5be619ad76c1bde0df65266ea78.tar.gz", 196 196 + "hash": "sha256-dKafwJGBdbDhBtIYDLcX38RjACwMlnId+glJSGlONrI=" 158 197 }, 159 198 "sops-nix": { 160 199 "type": "Git", ··· 165 204 }, 166 205 "branch": "master", 167 206 "submodules": false, 168 168 - "revision": "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c", 169 169 - "url": "https://github.com/Mic92/sops-nix/archive/17eea6f3816ba6568b8c81db8a4e6ca438b30b7c.tar.gz", 170 170 - "hash": "sha256-ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=" 207 207 + "revision": "c8e69670b316d6788e435a3aa0bda74eb1b82cc0", 208 208 + "url": "https://github.com/Mic92/sops-nix/archive/c8e69670b316d6788e435a3aa0bda74eb1b82cc0.tar.gz", 209 209 + "hash": "sha256-xTzsSd3r5HBeufSZ3fszAn0ldfKctvsYG7tT2YJg5gY=" 171 210 }, 172 211 "stash": { 173 212 "type": "Git",

+1 -1

packages/configarr/default.nix

reviewed

··· 5 5 6 6 src = fetchTarball { 7 7 url = "https://github.com/raydak-labs/configarr/releases/download/v${version}/configarr-linux-x64.tar.xz"; 8 8 - sha256 = "sha256-0zHvDQLZcqvth/evOXxGBs1WheVnxu6Xo8TNsiK+pV8="; 8 8 + sha256 = "sha256:1ghv7yyg1phv78y3x6la1ixqhbfpmx9k4bqn47hzba2mk00ca8mr"; 9 9 }; 10 10 11 11 dontUnpack = true;

+52 -33

packages/fluxer/default.nix

reviewed

··· 36 36 python3, 37 37 esbuild, 38 38 fetchFromGitHub, 39 39 + instance_name ? "fluxer", 40 40 + instance_url ? "https://web.fluxer.app", 41 41 + canary_instance_url ? "https://web.canary.fluxer.app", 42 42 + channel ? "canary", 39 43 ... 40 44 }: 41 45 stdenv.mkDerivation rec { 42 42 - pname = "fluxer"; 46 46 + pname = "fluxer${if instance_name != "fluxer" then "_${instance_name}" else ""}"; 43 47 version = "1.0.0-canary"; 44 48 45 49 src = "${ ··· 47 51 owner = "fluxerapp"; 48 52 repo = "fluxer"; 49 53 rev = "refactor"; 50 50 - sha256 = "sha256-scjvBAZ2c3dBOD/GRjcWpEjScD/XpNEeIjs1Rdmy9yE="; 54 54 + sha256 = "sha256-gHziJbueqVYrC+34xJ5AKsGLdPJrhWgXKDwq+jcRFkA="; 51 55 } 52 56 }/fluxer_desktop"; 53 57 ··· 99 103 alsa-lib 100 104 ]; 101 105 102 102 - installPhase = '' 103 103 - pnpm run set-channel stable 104 104 - pnpm build 106 106 + installPhase = 107 107 + let 108 108 + desktop_file = "fluxer${if instance_name != "fluxer" then "_${instance_name}" else ""}.desktop"; 109 109 + instance_folder = if instance_name != "fluxer" then "_${instance_name}" else ""; 110 110 + in 111 111 + '' 112 112 + substituteInPlace src/common/Constants.tsx \ 113 113 + --replace-fail "https://web.fluxer.app" "${instance_url}" \ 114 114 + --replace-fail "https://web.canary.fluxer.app" "${canary_instance_url}" 115 115 + 116 116 + substituteInPlace src/common/UserDataPath.tsx \ 117 117 + --replace-fail "stable: 'fluxer'," "stable: 'fluxer${instance_folder}'," \ 118 118 + --replace-fail "canary: 'fluxercanary'," "canary: 'fluxercanary${instance_folder}'," 119 119 + 120 120 + export BUILD_CHANNEL="${channel}" 121 121 + pnpm build 105 122 106 106 - pnpm exec electron-builder --config electron-builder.config.cjs --linux \ 107 107 - --dir \ 108 108 - -c.electronDist=${electron_40}/libexec/electron \ 109 109 - -c.electronVersion=${electron_40.version} \ 110 110 - -c.npmRebuild=false \ 123 123 + pnpm exec electron-builder --config electron-builder.config.cjs --linux \ 124 124 + --dir \ 125 125 + -c.electronDist=${electron_40}/libexec/electron \ 126 126 + -c.electronVersion=${electron_40.version} \ 127 127 + -c.npmRebuild=false 111 128 112 112 - mkdir -p $out/share/fluxer 113 113 - mkdir -p $out/bin 129 129 + mkdir -p $out/share/fluxer 130 130 + mkdir -p $out/bin 114 131 115 115 - cp -r ./dist-electron/linux-unpacked/resources/* $out/share/fluxer 132 132 + cp -r ./dist-electron/linux-unpacked/resources/* $out/share/fluxer 116 133 117 117 - ls -la ./dist-electron/linux-unpacked/fluxer_desktop 118 118 - ls -la ./dist-electron/linux-unpacked/resources 134 134 + ls -la ./dist-electron/linux-unpacked/${ 135 135 + if channel == "canary" then "fluxer_desktop_canary" else "fluxer_desktop" 136 136 + } 137 137 + ls -la ./dist-electron/linux-unpacked/resources 119 138 120 120 - makeWrapper ${electron_40}/bin/electron $out/bin/fluxer \ 121 121 - --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ libGL ]}" \ 122 122 - --add-flags "$out/share/fluxer/app.asar" 139 139 + makeWrapper ${electron_40}/bin/electron $out/bin/fluxer \ 140 140 + --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ libGL ]}" \ 141 141 + --add-flags "$out/share/fluxer/app.asar" 123 142 124 124 - mkdir -p $out/share/applications/ 125 125 - substitute ${writeText "fluxer.desktop" '' 126 126 - [Desktop Entry] 127 127 - Name=Fluxer 128 128 - Comment=OSS messaging platform 129 129 - Exec=@out@/bin/fluxer 130 130 - Icon=fluxer 131 131 - Terminal=false 132 132 - Type=Application 133 133 - StartupNotify=true 134 134 - StartupWMClass=fluxer 135 135 - ''} $out/share/applications/fluxer.desktop --subst-var out 143 143 + mkdir -p $out/share/applications/ 144 144 + substitute ${writeText "${desktop_file}" '' 145 145 + [Desktop Entry] 146 146 + Name=Fluxer Desktop ${if instance_name != "fluxer" then "(${instance_name})" else ""} 147 147 + Comment=OSS messaging platform 148 148 + Exec=@out@/bin/fluxer 149 149 + Icon=fluxer 150 150 + Terminal=false 151 151 + Type=Application 152 152 + StartupNotify=true 153 153 + StartupWMClass=fluxer 154 154 + ''} $out/share/applications/${desktop_file} --subst-var out 136 155 137 137 - mkdir -p $out/share/icons/hicolor/512x512/ 138 138 - cp build_resources/icons-stable/512x512.png $out/share/icons/hicolor/512x512/fluxer.png 139 139 - ''; 156 156 + mkdir -p $out/share/icons/hicolor/512x512/ 157 157 + cp build_resources/icons-canary/512x512.png $out/share/icons/hicolor/512x512/fluxer.png 158 158 + ''; 140 159 }