Self host some tangled stuff · mrsnowy.dev/dotfiles@3e75a50

mrsnowy.dev / dotfiles

fork

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

My dotfiles for my nixos machines and infra

fork

Configure Feed

Issues Pull Requests Commits Tags

Feed URL

Select the types of activity you want to include in your feed.

Self host some tangled stuff

MrSnowy 2 weeks ago 3e75a50f 479cf774

+357 -188

15 changed files

expand all collapse all

default.nix

hosts

desktop

hjem-rum

snowy.nix

homelab

services

samba.nix

server

default.nix

services

caddy.nix

default.nix

postgres.nix

random.nix

tangled.nix

system

network.nix

ports.nix

modules

npins

sources.json

sops

vps

knotmirror.env

postgres.sql

vps.nix

default.nix

reviewed

··· 92 92 flakes = nlib.gen_flakes [ 93 93 "sops-nix" 94 94 "home-manager" 95 95 + "tangled_core" 95 96 ]; 96 97 }; 97 98 };

+4 -3

hosts/desktop/hjem-rum/snowy.nix

reviewed

··· 9 9 { 10 10 users.users.snowy.packages = with pkgs; [ 11 11 fluxer-desktop 12 12 - 12 12 + nicotine-plus 13 13 + 13 14 # factorio 14 15 # factorio-space-age 15 16 args.flakes.zen-browser.packages."${stdenv.hostPlatform.system}".twilight ··· 32 33 33 34 jetbrains.idea 34 35 # jetbrains.rider 35 35 - orca-slicer 36 36 # unityhub 37 37 38 38 #language servers ··· 67 67 # helvum # deprecated 68 68 crosspipe 69 69 # krita 70 70 - # orca-slicer 70 70 + orca-slicer 71 71 protonplus 72 72 protontricks 73 73 winetricks ··· 75 75 element-desktop 76 76 radio-cli # rust 77 77 heroic 78 78 + bottles 78 79 # hydralauncher 79 80 80 81 wineWow64Packages.stagingFull

+2 -1

hosts/homelab/services/samba.nix

reviewed

··· 1 1 { 2 2 config, 3 3 - # pkgs, 3 3 + pkgs, 4 4 ... 5 5 }: 6 6 { ··· 13 13 # samba 14 14 services.samba = { 15 15 enable = true; 16 16 + package = pkgs.samba4Full; # needed for avahi to work (why?) 16 17 openFirewall = true; 17 18 settings = { 18 19 global = {

hosts/server/default.nix

reviewed

··· 32 32 33 33 args.flakes.home-manager.nixosModules.home-manager 34 34 35 35 + # tangled 36 36 + args.flakes.tangled_core.nixosModules.appview 37 37 + args.flakes.tangled_core.nixosModules.knot 38 38 + args.flakes.tangled_core.nixosModules.knotmirror 39 39 + args.flakes.tangled_core.nixosModules.spindle 40 40 + 35 41 ../../modules/sops/vps.nix 36 42 ../../modules/snownet 37 43 ];

+131 -135

hosts/server/services/caddy.nix

reviewed

··· 14 14 ''; 15 15 16 16 extraConfig = '' 17 17 - mail.mrsnowy.dev, fpps4.net, www.paradijs-in-hongarije.nl, paradijs-in-hongarije.nl, smarty.nl, www.zendojaku.nl, zendojaku.nl { 18 18 - reverse_proxy https://hestia.local { 19 19 - header_up Host {host} 17 17 + mail.mrsnowy.dev, fpps4.net, www.paradijs-in-hongarije.nl, paradijs-in-hongarije.nl, smarty.nl, www.zendojaku.nl, zendojaku.nl { 18 18 + reverse_proxy https://hestia.local { 19 19 + header_up Host {host} 20 20 21 21 - transport http { 22 22 - tls_insecure_skip_verify 23 23 - } 24 24 - } 25 25 - } 21 21 + transport http { 22 22 + tls_insecure_skip_verify 23 23 + } 24 24 + } 25 25 + } 26 26 27 27 - mrsnowy.dev { 28 28 - root * /var/www/mrsnowy.dev/ 27 27 + mrsnowy.dev { 28 28 + root * /var/www/mrsnowy.dev/ 29 29 30 30 - # Regex for allowing these files to be displayed in the browser 31 31 - @inlineFiles { 32 32 - # path *.pub *.gpg 33 33 - path_regexp ^.*\.(pub|gpg)$ 34 34 - } 30 30 + # Regex for allowing these files to be displayed in the browser 31 31 + @inlineFiles { 32 32 + # path *.pub *.gpg 33 33 + path_regexp ^.*\.(pub|gpg)$ 34 34 + } 35 35 36 36 - header @inlineFiles { 37 37 - Content-Type text/plain 38 38 - # Content-Disposition inline 39 39 - } 36 36 + header @inlineFiles { 37 37 + Content-Type text/plain 38 38 + # Content-Disposition inline 39 39 + } 40 40 41 41 - file_server browse { 42 42 - index index.html 43 43 - } 44 44 - } 41 41 + file_server browse { 42 42 + index index.html 43 43 + } 44 44 + } 45 45 46 46 - molly.mrsnowy.dev, rat.mrsnowy.dev { 47 47 - root * /var/www/rat.mrsnowy.dev/ 46 46 + molly.mrsnowy.dev, rat.mrsnowy.dev { 47 47 + root * /var/www/rat.mrsnowy.dev/ 48 48 49 49 - file_server browse { 50 50 - index index.html 51 51 - } 52 52 - } 49 49 + file_server browse { 50 50 + index index.html 51 51 + } 52 52 + } 53 53 54 54 - silly.mrsnowy.dev { 55 55 - root * /var/www/silly.mrsnowy.dev/ 56 56 - file_server browse { 57 57 - index index.html 58 58 - } 59 59 - } 54 54 + silly.mrsnowy.dev { 55 55 + root * /var/www/silly.mrsnowy.dev/ 56 56 + file_server browse { 57 57 + index index.html 58 58 + } 59 59 + } 60 60 61 61 - hestia.mrsnowy.dev { 62 62 - reverse_proxy https://hestia.local:8083 { 63 63 - header_up Host {host} 64 64 - transport http { 65 65 - tls_insecure_skip_verify 66 66 - } 67 67 - } 68 68 - } 61 61 + hestia.mrsnowy.dev { 62 62 + reverse_proxy https://hestia.local:8083 { 63 63 + header_up Host {host} 64 64 + transport http { 65 65 + tls_insecure_skip_verify 66 66 + } 67 67 + } 68 68 + } 69 69 70 70 - api.fpps4.net { 71 71 - encode zstd gzip 72 72 - 73 73 - reverse_proxy https://hestia.local { 74 74 - header_up Host {host} 75 75 - transport http { 76 76 - tls_insecure_skip_verify 77 77 - } 78 78 - } 70 70 + api.fpps4.net { 71 71 + encode zstd gzip 79 72 80 80 - header { 81 81 - Access-Control-Allow-Origin * 82 82 - } 83 83 - } 73 73 + reverse_proxy https://hestia.local { 74 74 + header_up Host {host} 75 75 + transport http { 76 76 + tls_insecure_skip_verify 77 77 + } 78 78 + } 84 79 85 85 - dockge.mrsnowy.dev { 86 86 - reverse_proxy :${toString config.ports.dockge} 87 87 - } 80 80 + header { 81 81 + Access-Control-Allow-Origin * 82 82 + } 83 83 + } 88 84 89 89 - vaultwarden.mrsnowy.dev { 90 90 - reverse_proxy :${toString config.ports.vaultwarden} 91 91 - } 85 85 + dockge.mrsnowy.dev { 86 86 + reverse_proxy :${toString config.ports.dockge} 87 87 + } 92 88 93 93 - stream.mrsnowy.dev { 94 94 - reverse_proxy :${toString config.ports.broadcast_box} 95 95 - } 89 89 + vaultwarden.mrsnowy.dev { 90 90 + reverse_proxy :${toString config.ports.vaultwarden} 91 91 + } 96 92 97 97 - board.mrsnowy.dev { 98 98 - reverse_proxy :${toString config.ports.grafana} 99 99 - } 93 93 + stream.mrsnowy.dev { 94 94 + reverse_proxy :${toString config.ports.broadcast_box} 95 95 + } 100 96 101 101 - adminpg.mrsnowy.dev { 102 102 - reverse_proxy :${toString config.ports.pgadmin} 103 103 - } 97 97 + board.mrsnowy.dev { 98 98 + reverse_proxy :${toString config.ports.grafana} 99 99 + } 104 100 105 105 - obsidian.mrsnowy.dev { 106 106 - reverse_proxy :${toString config.ports.couchdb} 107 107 - } 101 101 + adminpg.mrsnowy.dev { 102 102 + reverse_proxy :${toString config.ports.pgadmin} 103 103 + } 108 104 109 109 - ente.mrsnowy.dev { 110 110 - reverse_proxy :${toString config.ports.ente.web} 111 111 - # header { 112 112 - # Access-Control-Allow-Origin https://s3.mrsnowy.dev 113 113 - # } 114 114 - } 105 105 + obsidian.mrsnowy.dev { 106 106 + reverse_proxy :${toString config.ports.couchdb} 107 107 + } 115 108 116 116 - api.ente.mrsnowy.dev { 117 117 - reverse_proxy :${toString config.ports.ente.api} 118 118 - } 109 109 + ente.mrsnowy.dev { 110 110 + reverse_proxy :${toString config.ports.ente.web} 111 111 + # header { 112 112 + # Access-Control-Allow-Origin https://s3.mrsnowy.dev 113 113 + # } 114 114 + } 119 115 120 120 - accounts.ente.mrsnowy.dev { 121 121 - reverse_proxy :${toString config.ports.ente.accounts} 122 122 - } 116 116 + api.ente.mrsnowy.dev { 117 117 + reverse_proxy :${toString config.ports.ente.api} 118 118 + } 123 119 124 124 - albums.ente.mrsnowy.dev { 125 125 - reverse_proxy :${toString config.ports.ente.albums} 126 126 - } 120 120 + accounts.ente.mrsnowy.dev { 121 121 + reverse_proxy :${toString config.ports.ente.accounts} 122 122 + } 127 123 128 128 - auth.ente.mrsnowy.dev { 129 129 - reverse_proxy :${toString config.ports.ente.auth} 130 130 - } 124 124 + albums.ente.mrsnowy.dev { 125 125 + reverse_proxy :${toString config.ports.ente.albums} 126 126 + } 131 127 132 132 - cast.ente.mrsnowy.dev { 133 133 - reverse_proxy :${toString config.ports.ente.cast} 134 134 - } 128 128 + auth.ente.mrsnowy.dev { 129 129 + reverse_proxy :${toString config.ports.ente.auth} 130 130 + } 135 131 136 136 - embed.ente.mrsnowy.dev { 137 137 - reverse_proxy :${toString config.ports.ente.embed} 138 138 - } 132 132 + cast.ente.mrsnowy.dev { 133 133 + reverse_proxy :${toString config.ports.ente.cast} 134 134 + } 139 135 140 140 - # minio.ente.mrsnowy.dev { 141 141 - # reverse_proxy :${toString config.ports.ente.minio.api} 142 142 - # } 136 136 + embed.ente.mrsnowy.dev { 137 137 + reverse_proxy :${toString config.ports.ente.embed} 138 138 + } 143 139 144 144 - # minio-web.ente.mrsnowy.dev { 145 145 - # reverse_proxy :${toString config.ports.ente.minio.web} 146 146 - # } 140 140 + # minio.ente.mrsnowy.dev { 141 141 + # reverse_proxy :${toString config.ports.ente.minio.api} 142 142 + # } 147 143 148 148 - headscale.mrsnowy.dev { 149 149 - reverse_proxy :${toString config.ports.headscale} 150 150 - } 144 144 + # minio-web.ente.mrsnowy.dev { 145 145 + # reverse_proxy :${toString config.ports.ente.minio.web} 146 146 + # } 151 147 152 152 - syncthing.mrsnowy.dev { 153 153 - reverse_proxy :${toString config.ports.syncthing} 154 154 - } 148 148 + headscale.mrsnowy.dev { 149 149 + reverse_proxy :${toString config.ports.headscale} 150 150 + } 155 151 156 156 - *.garage.mrsnowy.dev, garage.mrsnowy.dev { 157 157 - reverse_proxy :${toString config.ports.garage.web_api} 158 158 - } 152 152 + *.garage.mrsnowy.dev, garage.mrsnowy.dev { 153 153 + reverse_proxy :${toString config.ports.garage.web_api} 154 154 + } 159 155 160 160 - *.s3.mrsnowy.dev, s3.mrsnowy.dev { 161 161 - # log { 162 162 - # output file /var/log/caddy/s3.log 163 163 - # level DEBUG 164 164 - # } 156 156 + *.s3.mrsnowy.dev, s3.mrsnowy.dev { 157 157 + # log { 158 158 + # output file /var/log/caddy/s3.log 159 159 + # level DEBUG 160 160 + # } 165 161 166 166 - reverse_proxy :${toString config.ports.garage.s3_api} { 167 167 - flush_interval -1 # low-latency mode 168 168 - # request_body { 169 169 - # max_size 5GB # raise for large object uploads 170 170 - # } 171 171 - # 162 162 + reverse_proxy :${toString config.ports.garage.s3_api} { 163 163 + flush_interval -1 # low-latency mode 164 164 + # request_body { 165 165 + # max_size 5GB # raise for large object uploads 166 166 + # } 167 167 + # 172 168 173 173 - # transport http { 174 174 - # # compression off 175 175 - # versions 1.1 176 176 - # } 177 177 - } 178 178 - } 169 169 + # transport http { 170 170 + # # compression off 171 171 + # versions 1.1 172 172 + # } 173 173 + } 174 174 + } 179 175 180 180 - http://s4.mrsnowy.dev { 181 181 - # log { 182 182 - # output file /var/log/caddy/s4.log 183 183 - # level DEBUG 184 184 - # } 176 176 + http://s4.mrsnowy.dev { 177 177 + # log { 178 178 + # output file /var/log/caddy/s4.log 179 179 + # level DEBUG 180 180 + # } 185 181 186 182 reverse_proxy :${toString config.ports.garage.s3_api} { 187 183 flush_interval -1 # low-latency mode

hosts/server/services/default.nix

reviewed

··· 6 6 ./garage.nix 7 7 ./postgres.nix 8 8 ./broadcastbox.nix 9 9 + ./tangled.nix 9 10 ]; 10 11 }

+16 -5

hosts/server/services/postgres.nix

reviewed

··· 17 17 port = config.ports.postgres; 18 18 }; 19 19 20 20 - ensureDatabases = [ "ente_db" ]; 20 20 + ensureDatabases = [ 21 21 + "ente_db" 22 22 + "knotmirror_db" 23 23 + ]; 24 24 + 21 25 ensureUsers = [ 22 26 { 23 27 name = "ente"; ··· 25 29 login = true; 26 30 }; 27 31 } 32 32 + { 33 33 + name = "knotmirror"; 34 34 + ensureClauses = { 35 35 + login = true; 36 36 + }; 37 37 + } 28 38 ]; 29 39 30 40 authentication = pkgs.lib.mkOverride 10 '' 31 31 - #type database user auth-method [auth-options] 32 32 - local all postgres trust 41 41 + #type database user auth-method [auth-options] 42 42 + local all postgres trust 33 43 34 34 - #type database user address auth-method [auth-options] 35 35 - host ente_db ente localhost scram-sha-256 44 44 + #type database user address auth-method [auth-options] 45 45 + host ente_db ente localhost scram-sha-256 46 46 + host knotmirror_db knotmirror localhost scram-sha-256 36 47 ''; 37 48 }; 38 49

+22 -12

hosts/server/services/random.nix

reviewed

··· 9 9 enable = true; 10 10 ports = [ 11 11 335 12 12 + 22 12 13 ]; 13 14 allowSFTP = true; 14 15 banner = "meow meow\n"; ··· 24 25 LogLevel = "VERBOSE"; 25 26 AllowUsers = [ 26 27 "snow" 27 27 - "file-backup" 28 28 + # "file-backup" 29 29 + "git" 28 30 ]; 29 31 }; 30 32 extraConfig = '' 31 31 - Match User file-backup 32 32 - ChrootDirectory %h 33 33 - ForceCommand internal-sftp -d /meow -u 700 33 33 + # Match User file-backup 34 34 + # ChrootDirectory %h 35 35 + # ForceCommand internal-sftp -d /meow -u 700 36 36 + # 37 37 + Match LocalPort 22 User *,!git 38 38 + RefuseConnection yes 39 39 + 40 40 + Match User git 41 41 + DisableForwarding yes 42 42 + PermitTTY no 43 43 + PermitUserRC no 34 44 ''; 35 45 }; 36 46 37 47 endlessh-go = { 38 48 enable = true; 39 39 - port = 22; 49 49 + port = 2222; 40 50 prometheus = { 41 51 enable = true; 42 52 port = 2112; ··· 52 62 }; 53 63 }; 54 64 55 55 - syncthing = { 56 56 - enable = false; 57 57 - overrideDevices = true; 58 58 - overrideFolders = false; 59 59 - guiAddress = "127.0.0.1:${toString config.ports.syncthing}"; 60 60 - settings.options.urAccepted = -1; 61 61 - }; 65 65 + # syncthing = { 66 66 + # enable = false; 67 67 + # overrideDevices = true; 68 68 + # overrideFolders = false; 69 69 + # guiAddress = "127.0.0.1:${toString config.ports.syncthing}"; 70 70 + # settings.options.urAccepted = -1; 71 71 + # }; 62 72 63 73 # ntfy-sh = { 64 74 # enable = true;

+93

hosts/server/services/tangled.nix

reviewed

··· 1 1 + { 2 2 + config, 3 3 + # args, 4 4 + lib, 5 5 + ... 6 6 + }: 7 7 + let 8 8 + atproto_did = "did:plc:5fbqdlfpahlht7gu4c6zrdpj"; 9 9 + 10 10 + in 11 11 + { 12 12 + # todo! probably want to put this all in a systemd container... 13 13 + services.tangled = { 14 14 + # appview = { 15 15 + # enable = true; 16 16 + # port = config.ports.tangled.appview; 17 17 + # appviewHost = "tangled.mrsnowy.dev"; 18 18 + # }; 19 19 + 20 20 + # The git server 21 21 + knot = { 22 22 + enable = true; 23 23 + appviewEndpoint = "https://tangled.org"; 24 24 + gitUser = "git"; 25 25 + openFirewall = false; 26 26 + stateDir = "/var/lib/knot"; 27 27 + 28 28 + repo.scanPath = "${config.services.tangled.knot.stateDir}/repos"; 29 29 + 30 30 + motd = '' 31 31 + This knot is hosted by Snow! 32 32 + Federation is cool. 33 33 + ''; 34 34 + 35 35 + knotmirrors = [ 36 36 + "https://mirror.tangled.mrsnowy.dev" 37 37 + "https://mirror.tangled.network" # seems to be dead? 38 38 + ]; 39 39 + 40 40 + server = { 41 41 + listenAddr = "127.0.0.1:${toString config.ports.tangled.knot.outer}"; 42 42 + internalListenAddr = "127.0.0.1:${toString config.ports.tangled.knot.inner}"; 43 43 + owner = atproto_did; 44 44 + hostname = "knot.tangled.mrsnowy.dev"; 45 45 + }; 46 46 + }; 47 47 + 48 48 + # Index for repositories on the tangled network (i think..) 49 49 + knotmirror = { 50 50 + enable = true; 51 51 + listenAddr = "127.0.0.1:${toString config.ports.tangled.knotmirror.public}"; 52 52 + adminListenAddr = "127.0.0.1:${toString config.ports.tangled.knotmirror.admin}"; 53 53 + hostname = "mirror.tangled.mrsnowy.dev"; 54 54 + dbUrl = "mewewe :3"; # black magic 55 55 + fullNetwork = false; 56 56 + tap.port = config.ports.tangled.knotmirror.tap; 57 57 + }; 58 58 + 59 59 + # Spindle is for CI (not really ready yet, requires docker) 60 60 + # spindle = { 61 61 + # enable = true; 62 62 + 63 63 + # server = { 64 64 + # listenAddr = "127.0.0.1:${toString config.ports.tangled.spindle}"; 65 65 + # hostname = "spindle.tangled.mrsnowy.dev"; 66 66 + # owner = atproto_did; 67 67 + # maxJobCount = 2; 68 68 + # queueSize = 5; 69 69 + # }; 70 70 + # }; 71 71 + }; 72 72 + 73 73 + services.caddy.extraConfig = lib.mkAfter '' 74 74 + knot.tangled.mrsnowy.dev { 75 75 + reverse_proxy :${toString config.ports.tangled.knot.outer} { 76 76 + header_up Host {host} 77 77 + } 78 78 + } 79 79 + 80 80 + mirror.tangled.mrsnowy.dev { 81 81 + reverse_proxy :${toString config.ports.tangled.knotmirror.public} { 82 82 + header_up Host {host} 83 83 + } 84 84 + } 85 85 + ''; 86 86 + 87 87 + # harden these bad boys... man 88 88 + systemd.services.tap-knotmirror.serviceConfig.DynamicUser = true; 89 89 + systemd.services.knotmirror.serviceConfig = { 90 90 + DynamicUser = true; 91 91 + EnvironmentFile = "/run/secrets/knotmirror_env"; # overwrites MIRROR_DB_URL 92 92 + }; 93 93 + }

hosts/server/system/network.nix

reviewed

··· 115 115 22 116 116 335 117 117 665 118 118 + 2222 118 119 119 120 config.ports.garage.s3_api 120 121 ··· 154 155 2457 155 156 156 157 # Steam 158 158 + 25564 157 159 27015 158 160 27016 161 161 + 17777 # icaru 159 162 160 163 # mc 161 164 25565 ··· 190 193 # Steam 191 194 27015 192 195 27016 196 196 + 17777 # icaru 193 197 194 198 25565 195 199 25564

+16 -1

hosts/server/system/ports.nix

reviewed

··· 33 33 rpc = 3901; 34 34 }; 35 35 36 36 - syncthing = 3020; 36 36 + # syncthing = 3020; 37 37 + 38 38 + tangled = { 39 39 + # appview = 3020; 40 40 + knot = { 41 41 + outer = 3021; 42 42 + inner = 3022; 43 43 + }; 44 44 + knotmirror = { 45 45 + public = 3023; 46 46 + admin = 3024; 47 47 + tap = 3025; 48 48 + }; 49 49 + # spindle = 3026; 50 50 + }; 51 51 + 37 52 headscale = 3443; 38 53 postgres = 5432; 39 54 incus = 8444;

+39 -27

modules/npins/sources.json

reviewed

··· 23 23 }, 24 24 "branch": "master", 25 25 "submodules": false, 26 26 - "revision": "e90541d0904593bec70fadd6383659ec42cd610b", 27 27 - "url": "https://github.com/amaanq/helium-flake/archive/e90541d0904593bec70fadd6383659ec42cd610b.tar.gz", 28 28 - "hash": "sha256-6FDLz9ydI32uoOJa2qsPpaxQ3T0DB/7Lw/Meos6NjRo=" 26 26 + "revision": "b422c32cbb574728c93e24ce2542806e27993c03", 27 27 + "url": "https://github.com/amaanq/helium-flake/archive/b422c32cbb574728c93e24ce2542806e27993c03.tar.gz", 28 28 + "hash": "sha256-ZK0fQvpYf3e+ty62WHbzK+ZcIJLnfZuyQV2x0PWuyCU=" 29 29 }, 30 30 "hjem": { 31 31 "type": "Git", ··· 36 36 }, 37 37 "branch": "main", 38 38 "submodules": false, 39 39 - "revision": "d51b2e524794a61762453be5bf7b4fe259150191", 40 40 - "url": "https://github.com/feel-co/hjem/archive/d51b2e524794a61762453be5bf7b4fe259150191.tar.gz", 41 41 - "hash": "sha256-hOweDMc/uNFeliSVuNXZ4qa6WC8AbmRV8pNSAD/h4S0=" 39 39 + "revision": "32bd6d54d805a3eb41efa62a940eeceaf263c4a8", 40 40 + "url": "https://github.com/feel-co/hjem/archive/32bd6d54d805a3eb41efa62a940eeceaf263c4a8.tar.gz", 41 41 + "hash": "sha256-W+kpLQ5J/DDaY1nUmvN9aIAfh5ixdyqYM76ZUdcvMBU=" 42 42 }, 43 43 "hjem-rum": { 44 44 "type": "Git", ··· 49 49 }, 50 50 "branch": "main", 51 51 "submodules": false, 52 52 - "revision": "3506a77b5cbb35640f7dac595f98b10bdbe07b15", 53 53 - "url": "https://github.com/snugnug/hjem-rum/archive/3506a77b5cbb35640f7dac595f98b10bdbe07b15.tar.gz", 54 54 - "hash": "sha256-xM7gYCLOUH2fnPgdst7HcPpEn6GlEOf7nelJVxJZ040=" 52 52 + "revision": "fdfb0cd3d735116a0356ce5a856059669a27ae96", 53 53 + "url": "https://github.com/snugnug/hjem-rum/archive/fdfb0cd3d735116a0356ce5a856059669a27ae96.tar.gz", 54 54 + "hash": "sha256-n+hYOHRF5/DWuyd1su/DCD3iFBZ8Np4l0ss9NNqUSiI=" 55 55 }, 56 56 "home-manager": { 57 57 "type": "Git", ··· 62 62 }, 63 63 "branch": "release-25.11", 64 64 "submodules": false, 65 65 - "revision": "cf9686ba26f5ef788226843bc31fda4cf72e373b", 66 66 - "url": "https://github.com/nix-community/home-manager/archive/cf9686ba26f5ef788226843bc31fda4cf72e373b.tar.gz", 67 67 - "hash": "sha256-dnHvv5EMUgTzGZmA+3diYjQU2O6BEpGLEOgJ1Qe9LaY=" 65 65 + "revision": "0d02ec1d0a05f88ef9e74b516842900c41f0f2fe", 66 66 + "url": "https://github.com/nix-community/home-manager/archive/0d02ec1d0a05f88ef9e74b516842900c41f0f2fe.tar.gz", 67 67 + "hash": "sha256-KY6HsebJHEe5nHOWP7ur09mb0drGxYSzE3rQxy62rJo=" 68 68 }, 69 69 "nix-gaming-edge": { 70 70 "type": "Git", ··· 75 75 }, 76 76 "branch": "nightly", 77 77 "submodules": false, 78 78 - "revision": "3e479e75a18f1458b112ee74ae6c0c5b4b75bcf9", 79 79 - "url": "https://github.com/powerofthe69/nix-gaming-edge/archive/3e479e75a18f1458b112ee74ae6c0c5b4b75bcf9.tar.gz", 80 80 - "hash": "sha256-bfjINgmeHk+jWwli/ODZsQFZcR1yZjVXzalR6vvjz9o=" 78 78 + "revision": "4a86b355eb417057fbcaf8791fa8c9059a0337d2", 79 79 + "url": "https://github.com/powerofthe69/nix-gaming-edge/archive/4a86b355eb417057fbcaf8791fa8c9059a0337d2.tar.gz", 80 80 + "hash": "sha256-rlOm9gD6gbfL14UNq16BoNsODfdpJGO0k73T9v6UrtY=" 81 81 }, 82 82 "nixpkgs-stable": { 83 83 "type": "Git", ··· 88 88 }, 89 89 "branch": "nixos-25.11", 90 90 "submodules": false, 91 91 - "revision": "4590696c8693fea477850fe379a01544293ca4e2", 92 92 - "url": "https://github.com/NixOS/nixpkgs/archive/4590696c8693fea477850fe379a01544293ca4e2.tar.gz", 93 93 - "hash": "sha256-4XfMXU0DjN83o6HWZoKG9PegCvKvIhNUnRUI19vzTcQ=" 91 91 + "revision": "54170c54449ea4d6725efd30d719c5e505f1c10e", 92 92 + "url": "https://github.com/NixOS/nixpkgs/archive/54170c54449ea4d6725efd30d719c5e505f1c10e.tar.gz", 93 93 + "hash": "sha256-t+HZK42pB6N+i5RGbuy7Xluez/VvWbembBdvzsc23Ss=" 94 94 }, 95 95 "nixpkgs-unstable": { 96 96 "type": "Git", ··· 101 101 }, 102 102 "branch": "nixos-unstable", 103 103 "submodules": false, 104 104 - "revision": "6c9a78c09ff4d6c21d0319114873508a6ec01655", 105 105 - "url": "https://github.com/NixOS/nixpkgs/archive/6c9a78c09ff4d6c21d0319114873508a6ec01655.tar.gz", 106 106 - "hash": "sha256-US5Tda2sKmjrg2lNHQL3jRQ6p96cgfWh3J1QBliQ8Ws=" 104 104 + "revision": "4c1018dae018162ec878d42fec712642d214fdfa", 105 105 + "url": "https://github.com/NixOS/nixpkgs/archive/4c1018dae018162ec878d42fec712642d214fdfa.tar.gz", 106 106 + "hash": "sha256-ar3rofg+awPB8QXDaFJhJ2jJhu+KqN/PRCXeyuXR76E=" 107 107 }, 108 108 "sops-nix": { 109 109 "type": "Git", ··· 114 114 }, 115 115 "branch": "master", 116 116 "submodules": false, 117 117 - "revision": "614e256310e0a4f8a9ccae3fa80c11844fba7042", 118 118 - "url": "https://github.com/Mic92/sops-nix/archive/614e256310e0a4f8a9ccae3fa80c11844fba7042.tar.gz", 119 119 - "hash": "sha256-fhG4JAcLgjKwt+XHbjs8brpWnyKUfU4LikLm3s0Q/ic=" 117 117 + "revision": "31ac5fe5d015f76b54058c69fcaebb66a55871a4", 118 118 + "url": "https://github.com/Mic92/sops-nix/archive/31ac5fe5d015f76b54058c69fcaebb66a55871a4.tar.gz", 119 119 + "hash": "sha256-VKp9bhVSm0bT6JWctFy06ocqxGGnWHi1NfoE90IgIcY=" 120 120 + }, 121 121 + "tangled_core": { 122 122 + "type": "Git", 123 123 + "repository": { 124 124 + "type": "Git", 125 125 + "url": "https://tangled.org/tangled.org/core" 126 126 + }, 127 127 + "branch": "master", 128 128 + "submodules": false, 129 129 + "revision": "d404bb7633c163b35e61f6bebfc642444247ac9f", 130 130 + "url": null, 131 131 + "hash": "sha256-aYeDY7ruf9MHsI++hpoEHyWIk6jxbItpS5lPRJfwYRE=" 120 132 }, 121 133 "wire": { 122 134 "type": "Git", ··· 140 152 }, 141 153 "branch": "main", 142 154 "submodules": false, 143 143 - "revision": "a0f3d47dbd8f8618a1920d5a5ca09b7993415895", 144 144 - "url": "https://github.com/0xc000022070/zen-browser-flake/archive/a0f3d47dbd8f8618a1920d5a5ca09b7993415895.tar.gz", 145 145 - "hash": "sha256-gibUM0pSnLxEeuFrYA8T1oEaixk+fjQpqXbYaxcEX/4=" 155 155 + "revision": "4f2e98c1125ab4be758cd1b51b526ad998e9618f", 156 156 + "url": "https://github.com/0xc000022070/zen-browser-flake/archive/4f2e98c1125ab4be758cd1b51b526ad998e9618f.tar.gz", 157 157 + "hash": "sha256-Vwmi3P4LAUmOrE2zc9JpnRrNxNwamDN46hqcXpWTkp0=" 146 158 } 147 159 }, 148 160 "version": 7

modules/sops/vps.nix

reviewed

··· 41 41 mode = "0400"; 42 42 owner = "postgres"; 43 43 }; 44 44 + 45 45 + knotmirror_env = { 46 46 + format = "dotenv"; 47 47 + sopsFile = ./vps/knotmirror.env; 48 48 + 49 49 + mode = "0400"; 50 50 + }; 44 51 }; 45 52 }; 46 53 }

+11

modules/sops/vps/knotmirror.env

reviewed

··· 1 1 + #ENC[AES256_GCM,data:7TSD6x8=,iv:7IntObKIbbFiVqADX+SAcEpJRV2sUoS7bcV/ZSyc9l4=,tag:P1JPNntpHXOyQNp9XAztGQ==,type:comment] 2 2 + MIRROR_DB_URL=ENC[AES256_GCM,data:pL4f5vVwalpl+UhuFG7nJmUP0DFvI/Sp5JWtdFFAKP/RGWG1/LC+QAdcN0frwUeU7MTBWbsBbcwe0qj0WZUdWlHo6n+JPOgA0WKLOn9WVWw=,iv:o8PMGx5QpTozcCWmqH3olL8RLehS200gINtC2uY/mcI=,tag:qtMvtrJqnA+yWktRRIP+hQ==,type:str] 3 3 + sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURUNGeVprVG95aWNidHpm\nSHhpUkNFWG5CVGRubEZhYVV3b05NWmJLeEJFCjdzTEhsUElERWhxT3UxT0F0N3FL\nc0pjMjlJRHRYYUtlRTNrdEhaYVA5UkEKLS0tIGowdVpzNlMrNTZ4YVFNNGlTQVh2\nOUhRaElSa1FNakNQUHNtci9hblVOWGsKDxyf9LP1ZSIjKL+NwfPWjnqYR8/FQXgO\n+p3VMWrQjT8gVVlwAbFeQQ3ZCWh90xqNTFL8KdUObaSW7+uKwEcMSQ==\n-----END AGE ENCRYPTED FILE-----\n 4 4 + sops_age__list_0__map_recipient=age16e3uae0sktxmwzlmcdxwn07jpudtjl0s42hnwx2qsdh9h72gc5ssktkazg 5 5 + sops_lastmodified=2026-03-27T01:56:48Z 6 6 + sops_mac=ENC[AES256_GCM,data:40dR0T4w+mc+ErvNdsUQROzEvUuwpqkrQjqIq/0mHoqh4SbDf7P3VfUY+8zbpgTuZVbBZZwZL6BvhG9kXb6dgeFr9GdHtr1TiAZ/CDMt1Yr7ZTDYWugB+bR0nruCoWdeHLNRlCZYu68p4940HX4cFynOBE7BfX4ghC5Rsse2zNs=,iv:xyhpR/O8hyvLQfYifFpHDqFimTUxp2dJ2TP8GE+9svc=,tag:oh6EWOWipCW/voRUDqiymg==,type:str] 7 7 + sops_pgp__list_0__map_created_at=2026-03-27T01:56:38Z 8 8 + sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMA09oKgMfawMUAQ//QRqJvfqT2lbUxEwzXlugSzsvDBc3Z5LBDyl9F6K2LeUQ\nHfPsI6tNpCnNNESL49N8qEsu/YWm32UWwDzLlluFCdKQTfvs9mfhU9XUVyQVf8Gh\nfu33iToNf1kvMce2h+AAxFKlTqOnfqinSMR95qGVSHyeqUZjIzlCeXXQ9lfEJY0t\nQX1gVHbsu0WgRAz5jW9X2+nVMmb/QhSML2thZ0LWyeZ4be6p2TrN5XiUaVneaN8F\n174T9KerysfEPR4P/bWs52UNDWVqXPe5PqzBgKlX8lQQyW0dCqbDKIQnZdlXFsKw\nA7f8ytEX7eKnR+LosQhfUJSzMxqOWOvOvPvxDHKaqWm7N3PAui9QL0lrw7F6KJ9F\nj6IbH9GfNoZ6asc5VTRc1kxg3eNnHuikp1qJX7srQLaeqeUZPozS8PjPb9BydPSM\naJIc7GYLOb1m9kTd87gWprtcDBBtmI+YmZCqbx8bGtsQAE6JILEkUh1eO1d5jqfQ\nukcavuq8ozpE0Rcj4Y5OhD1J36LKe6cV3eQ0pPSO1SgcqT3Vkzd1JpcTplzyjw1w\nhmY1VUGfjIFyGeQ9mS146GDwc/+3jJklhcdvStRXW0ZpNKfpEKp5+8NaCvjLUzYj\nlRDJHzF4gLisOroqbph3SZNFOVIfDj6iRrheMAxk2HrYp9ZYUCYSoE3jVtDUDO/S\nXgHOusR+OFMRW9MBQoR1I9w6lrTyvzaCH6PYD3JSUkDdGyLPtibB9AoWLVOaEa6t\nSx+OX5MzkSSRlR3d3S+d9m6QSdShPflmhhdopTjc2UdXosRqewYk1kWtAEV5Dbk=\n=rHrh\n-----END PGP MESSAGE----- 9 9 + sops_pgp__list_0__map_fp=D40CE1579C09BFD7EF4AB7E631250420834310B5 10 10 + sops_unencrypted_suffix=_unencrypted 11 11 + sops_version=3.12.2

+4 -4

modules/sops/vps/postgres.sql

reviewed

··· 1 1 { 2 2 - "data": "ENC[AES256_GCM,data:Fdzo5TicNuQkpAM43ok+2GhGr4PEwwzYvzWKi3I92FBn7/Cs5t4BVHe3seAkqVLbpBthZlemrpjzmsa3ZiFCXOqNyTyYui/tdkhSRNwncFd6UUaDcaR+PkK3XIjZvKnqOaeFT6KZYqw8SSP5ajU7JHw4gPR485Bh2hCvvECnVig4obZm8XLeGAYI70btQurjz1F26QiiAXCBpTTOP7/N272pIH56lp26ZcEVJPbzwjZ7dfpAEbxxqbpovw==,iv:YJZvRAL3TW+7LihY7wgN0KLIMNAVub6m3qzKlEV3Fhg=,tag:vLv1V2AY49iJBf5QvEsoFQ==,type:str]", 2 2 + "data": "ENC[AES256_GCM,data:cOp1hnXVvO9SLGt2L4O1m/6fpHDDFpPy5alF03zMF2QGmj5isfdPhMVu0jFNY+fgg6Zu1f5Yin9N42WhJyB4p/p9czekiqhTH8nMPpdchQqO1QYptrh+YClv3dN4kbmtYl3QRix0uuwamsCRqqtkY9aI1BB02wqO4md4yJE9V/k1ZNxUM3VeXPUEiRtlLrTIm4lVZogM4c2b3rrpumEII1TjSTdvZJeOgdp7Bp0KQXbXAwo8ev8e7JRIzNEaGVInx31iUcLhsUWSNREuSsfijHZWdjSxR1S5VBKTmMKx3SsL5vGsLbS9h8Sb15iHM2/srzIQtLYVmpxy414lK8IseuxyWbOEVe3umNmYlYO/dxL1dHhynEqnFiIDi5vQhWq/7E9Y3+lZFJ3a8yXhPPDErjK616dV+/q/KRsRZ7iolj52zSc3jQmschfWmsawVgtJzieWGXHcO76cdmmdShC9iSatXIGUbTAoYf6wWF63JeEOSkuo,iv:dBpAsf17rqzpoVli0WSUgoD4uJXNXl4vjWbzuNPRxPo=,tag:VrbNg8j4tixR/FrAbMEdmw==,type:str]", 3 3 "sops": { 4 4 "age": [ 5 5 { ··· 7 7 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPdVpaenUrYVpMeEpRZlBl\nTndhYmkvUEcxQWZ5UjZFUHFUcGpqMXdoZ2xFCkFLUmY4YlhRRTdIUmpQTzNPYSsz\nZ2JaZ0JTM3NHNWNwMHdiR2J2M1RRb1kKLS0tIERXbGtkRUlRSnFybExqYlVoQjVz\ndFdNQ0kxU3FMT0Y1ZnRhZkxWZWcrbEEK8hSNNXzhRXLrqEUHsXnPM6p+2ZynT/is\nLT+kR1IhJjuAB0uFjlGDtL19OsQdwb85TV79i2shQZIxwftqVwYoeg==\n-----END AGE ENCRYPTED FILE-----\n" 8 8 } 9 9 ], 10 10 - "lastmodified": "2026-02-03T13:26:20Z", 11 11 - "mac": "ENC[AES256_GCM,data:NtWhYA2B4hfBHZMEZShWzaeWCGmFCmINV2jhe+fQ03OtPmRG4yVsN/MPOhreRbg69Fu6G81xRnWDa3+o+kFq/qb/oQzzxkfifEJXpD6i24zkF44ezOI6vu5sGVMCSSRo59NZ6lzI7H+IOv8ctlH4bF92O1m8ojmFqJ4dtpVBduQ=,iv:I+s5ukAPu6lpASLypmXO+RBqMIQBvaistcbV2Mi8VL8=,tag:zZ8BXwuMlLv/u+AbNivuuA==,type:str]", 10 10 + "lastmodified": "2026-03-27T01:12:24Z", 11 11 + "mac": "ENC[AES256_GCM,data:gr7cD6ZUjgTjpzHCF8TjY2UQaFpBvNRirseL+ZWCuy5DKdC21srAmgNM1i4hGw2wFVCNoYhVnB2HPp3q5zjWlRsWUF/TcgbYAi0sFM4jM16bSjeT8kJDlcDKf/04M99A7UM7235Ks949fy+Gl9ZOYeR9hIXL5Y2ajbHWVpqgevw=,iv:JVZwzJIHoXl0NwNlPP4mNdD+UjMLJpfNdq+D1aDU/TI=,tag:Ed97R1gIoDzLmTM2+8KbzA==,type:str]", 12 12 "pgp": [ 13 13 { 14 14 "created_at": "2026-01-29T17:28:29Z", ··· 17 17 } 18 18 ], 19 19 "unencrypted_suffix": "_unencrypted", 20 20 - "version": "3.11.0" 20 20 + "version": "3.12.2" 21 21 } 22 22 }