Configuration for my NixOS-based systems and Home Manager

Implement agenix, fixup for new ISP

+175 -58
-5
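--- a/coredns/packetlost.dev.hosts
+++ b/coredns/packetlost.dev.hosts
@@ -3,15 +3,10 @@
 192.168.1.3 plex.packetlost.dev
 192.168.1.3 jellyfin.packetlost.dev
 192.168.1.3 nats.packetlost.dev
-fe80::9ab7:85ff:fe1e:dfe8 plex.packetlost.dev
-fe80::9ab7:85ff:fe1e:dfe8 jellyfin.packetlost.dev
-fe80::9ab7:85ff:fe1e:dfe8 nats.packetlost.dev
-# Old edge proxy was 192.168.1.15
 
 # LAN Hosts
 192.168.1.3 misaki.packetlost.dev misaki
 192.168.1.3 cache.packetlost.dev cache
-#fe80::9ab7:85ff:fe1e:dfe8 misaki.packetlost.dev misaki
 192.168.1.5 komoe.packetlost.dev komoe
 192.168.1.6 rainbow.packetlost.dev rainbow
 192.168.1.10 ichika.packetlost.dev ichika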
+109 -13
flake.lock
··· 1 { 2 "nodes": { 3 "determinate-nixd-aarch64-darwin": { 4 "flake": false, 5 "locked": { ··· 162 "home-manager": { 163 "inputs": { 164 "nixpkgs": [ 165 "nixpkgs" 166 ] 167 }, ··· 184 "inputs": { 185 "flake-parts": "flake-parts", 186 "git-hooks-nix": "git-hooks-nix", 187 - "nixpkgs": "nixpkgs", 188 "nixpkgs-23-11": "nixpkgs-23-11", 189 "nixpkgs-regression": "nixpkgs-regression" 190 }, ··· 203 }, 204 "nixpkgs": { 205 "locked": { 206 - "lastModified": 1761597516, 207 - "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", 208 - "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", 209 - "revCount": 811874, 210 - "type": "tarball", 211 - "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz" 212 }, 213 "original": { 214 - "type": "tarball", 215 - "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505" 216 } 217 }, 218 "nixpkgs-23-11": { ··· 265 }, 266 "nixpkgs_2": { 267 "locked": { 268 "lastModified": 1764494334, 269 "narHash": "sha256-x2xCEXUlU4Ap56+t5HaoReOQ/bV/bIQ5rzTn/m+V3HQ=", 270 "owner": "nixos", ··· 279 "type": "github" 280 } 281 }, 282 - "nixpkgs_3": { 283 "locked": { 284 "lastModified": 1759417375, 285 "narHash": "sha256-O7eHcgkQXJNygY6AypkF9tFhsoDQjpNEojw3eFs73Ow=", ··· 299 "inputs": { 300 "flake-compat": "flake-compat_2", 301 "gitignore": "gitignore", 302 - "nixpkgs": "nixpkgs_3" 303 }, 304 "locked": { 305 "lastModified": 1763988335, ··· 317 }, 318 "root": { 319 "inputs": { 320 "determinite": "determinite", 321 - "home-manager": "home-manager", 322 - "nixpkgs": "nixpkgs_2", 323 "nixpkgs-unstable": "nixpkgs-unstable", 324 "pre-commit-hooks": "pre-commit-hooks" 325 } 326 } 327 },
··· 1 { 2 "nodes": { 3 + "agenix": { 4 + "inputs": { 5 + "darwin": "darwin", 6 + "home-manager": "home-manager", 7 + "nixpkgs": "nixpkgs", 8 + "systems": "systems" 9 + }, 10 + "locked": { 11 + "lastModified": 1762618334, 12 + "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", 13 + "owner": "ryantm", 14 + "repo": "agenix", 15 + "rev": "fcdea223397448d35d9b31f798479227e80183f6", 16 + "type": "github" 17 + }, 18 + "original": { 19 + "owner": "ryantm", 20 + "repo": "agenix", 21 + "type": "github" 22 + } 23 + }, 24 + "darwin": { 25 + "inputs": { 26 + "nixpkgs": [ 27 + "agenix", 28 + "nixpkgs" 29 + ] 30 + }, 31 + "locked": { 32 + "lastModified": 1744478979, 33 + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", 34 + "owner": "lnl7", 35 + "repo": "nix-darwin", 36 + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", 37 + "type": "github" 38 + }, 39 + "original": { 40 + "owner": "lnl7", 41 + "ref": "master", 42 + "repo": "nix-darwin", 43 + "type": "github" 44 + } 45 + }, 46 "determinate-nixd-aarch64-darwin": { 47 "flake": false, 48 "locked": { ··· 205 "home-manager": { 206 "inputs": { 207 "nixpkgs": [ 208 + "agenix", 209 + "nixpkgs" 210 + ] 211 + }, 212 + "locked": { 213 + "lastModified": 1745494811, 214 + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", 215 + "owner": "nix-community", 216 + "repo": "home-manager", 217 + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", 218 + "type": "github" 219 + }, 220 + "original": { 221 + "owner": "nix-community", 222 + "repo": "home-manager", 223 + "type": "github" 224 + } 225 + }, 226 + "home-manager_2": { 227 + "inputs": { 228 + "nixpkgs": [ 229 "nixpkgs" 230 ] 231 }, ··· 248 "inputs": { 249 "flake-parts": "flake-parts", 250 "git-hooks-nix": "git-hooks-nix", 251 + "nixpkgs": "nixpkgs_2", 252 "nixpkgs-23-11": "nixpkgs-23-11", 253 "nixpkgs-regression": "nixpkgs-regression" 254 }, ··· 267 }, 268 "nixpkgs": { 269 "locked": { 270 + "lastModified": 1754028485, 271 + "narHash": 
"sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", 272 + "owner": "NixOS", 273 + "repo": "nixpkgs", 274 + "rev": "59e69648d345d6e8fef86158c555730fa12af9de", 275 + "type": "github" 276 }, 277 "original": { 278 + "owner": "NixOS", 279 + "ref": "nixos-25.05", 280 + "repo": "nixpkgs", 281 + "type": "github" 282 } 283 }, 284 "nixpkgs-23-11": { ··· 331 }, 332 "nixpkgs_2": { 333 "locked": { 334 + "lastModified": 1761597516, 335 + "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=", 336 + "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55", 337 + "revCount": 811874, 338 + "type": "tarball", 339 + "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz" 340 + }, 341 + "original": { 342 + "type": "tarball", 343 + "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505" 344 + } 345 + }, 346 + "nixpkgs_3": { 347 + "locked": { 348 "lastModified": 1764494334, 349 "narHash": "sha256-x2xCEXUlU4Ap56+t5HaoReOQ/bV/bIQ5rzTn/m+V3HQ=", 350 "owner": "nixos", ··· 359 "type": "github" 360 } 361 }, 362 + "nixpkgs_4": { 363 "locked": { 364 "lastModified": 1759417375, 365 "narHash": "sha256-O7eHcgkQXJNygY6AypkF9tFhsoDQjpNEojw3eFs73Ow=", ··· 379 "inputs": { 380 "flake-compat": "flake-compat_2", 381 "gitignore": "gitignore", 382 + "nixpkgs": "nixpkgs_4" 383 }, 384 "locked": { 385 "lastModified": 1763988335, ··· 397 }, 398 "root": { 399 "inputs": { 400 + "agenix": "agenix", 401 "determinite": "determinite", 402 + "home-manager": "home-manager_2", 403 + "nixpkgs": "nixpkgs_3", 404 "nixpkgs-unstable": "nixpkgs-unstable", 405 "pre-commit-hooks": "pre-commit-hooks" 406 + } 407 + }, 408 + "systems": { 409 + "locked": { 410 + "lastModified": 1681028828, 411 + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", 412 + "owner": "nix-systems", 413 + "repo": "default", 414 + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", 415 + "type": "github" 416 + }, 417 + 
"original": { 418 + "owner": "nix-systems", 419 + "repo": "default", 420 + "type": "github" 421 } 422 } 423 },
+6 -3
flake.nix
··· 14 inputs.nixpkgs.follows = "nixpkgs"; 15 }; 16 pre-commit-hooks.url = "github:cachix/git-hooks.nix"; 17 }; 18 19 outputs = ··· 23 , determinite 24 , home-manager 25 , pre-commit-hooks 26 , ... 27 }@inputs: 28 let ··· 44 (final: prev: { 45 # Override the version of Plex installed to be the latest 46 plexRaw = prev.plexRaw.overrideAttrs rec { 47 - version = "1.43.0.10346-fc911a729"; 48 src = final.fetchurl { 49 url = "https://downloads.plex.tv/plex-media-server-new/${version}/debian/plexmediaserver_${version}_amd64.deb"; 50 - sha256 = "jfQ11luQoafUYb5sGpvE7jPiErGt2HXVLwn70M/Hqyc="; 51 }; 52 }; 53 ## Override the json object that contains verions and hashes for Immich ··· 71 { 72 nixosConfigurations.${name} = inputs.nixpkgs.lib.nixosSystem { 73 inherit system; 74 - specialArgs = { inherit unstable; }; 75 modules = [ 76 determinite.nixosModules.default 77 ./configuration.nix 78 home-manager.nixosModules.home-manager 79 { 80 home-manager.useGlobalPkgs = true;
··· 14 inputs.nixpkgs.follows = "nixpkgs"; 15 }; 16 pre-commit-hooks.url = "github:cachix/git-hooks.nix"; 17 + agenix.url = "github:ryantm/agenix"; 18 }; 19 20 outputs = ··· 24 , determinite 25 , home-manager 26 , pre-commit-hooks 27 + , agenix 28 , ... 29 }@inputs: 30 let ··· 46 (final: prev: { 47 # Override the version of Plex installed to be the latest 48 plexRaw = prev.plexRaw.overrideAttrs rec { 49 + version = "1.43.0.10389-8be686aa6"; 50 src = final.fetchurl { 51 url = "https://downloads.plex.tv/plex-media-server-new/${version}/debian/plexmediaserver_${version}_amd64.deb"; 52 + sha256 = "0HjB8Ggekwl5dKwM1Kh51Ic25t3V6veKbuzM7czrpeg="; 53 }; 54 }; 55 ## Override the json object that contains verions and hashes for Immich ··· 73 { 74 nixosConfigurations.${name} = inputs.nixpkgs.lib.nixosSystem { 75 inherit system; 76 + specialArgs = { inherit unstable inputs; }; 77 modules = [ 78 determinite.nixosModules.default 79 ./configuration.nix 80 + agenix.nixosModules.default 81 home-manager.nixosModules.home-manager 82 { 83 home-manager.useGlobalPkgs = true;
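Review bot: The new `agenix.url = "github:ryantm/agenix";` on line 17 declares no `follows`, unlike the sibling input on line 14 (`inputs.nixpkgs.follows = "nixpkgs";`), so agenix brings its own nixpkgs, nix-darwin and home-manager pins — the flake.lock in this same commit now carries a second nixpkgs node (nixos-25.05) and a second home-manager node. That is an extra nixpkgs revision evaluated and pinned in the closure, on a separate update cadence from the one the rest of the flake tracks. I would add `agenix.inputs.nixpkgs.follows = "nixpkgs";` and `agenix.inputs.home-manager.follows = "home-manager";` next to the url line and re-lock. The inputs attribute set continues outside the hunk.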
+2 -1
packages.nix
··· 1 - { pkgs, lib, ... }: 2 let # bash script to let dbus know about important env variables and 3 # propagate them to relevent services run at the end of sway config 4 # see ··· 61 vis 62 rc 63 ncdu 64 65 # ZFS / filesystem stuff 66 zfs
··· 1 + { pkgs, lib, inputs, ... }: 2 let # bash script to let dbus know about important env variables and 3 # propagate them to relevent services run at the end of sway config 4 # see ··· 61 vis 62 rc 63 ncdu 64 + inputs.agenix.packages."${system}".agenix 65 66 # ZFS / filesystem stuff 67 zfs
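Review bot: `system` in the added `inputs.agenix.packages."${system}".agenix` (line 64) is not bound by the new argument set on line 1 (`{ pkgs, lib, inputs, ... }`), and flake.nix's `specialArgs = { inherit unstable inputs; }` does not pass it either (services.nix drops its own `, system` argument in this commit), so evaluation will fail with an undefined variable unless the let block starting on line 2 defines it — that part is outside the hunk. Deriving it from pkgs avoids needing the extra argument at all: `inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.agenix`. The quotes around `${system}` are also redundant in an attribute path. The let block and the package list both extend beyond this hunk.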
+6
secrets/porkbun-api-key.age
···
··· 1 + age-encryption.org/v1 2 + -> ssh-ed25519 e6zq8g CdLTZ6uXiJB+xaD+I5NVHD5OxLSH+yAz99j04GiKukU 3 + kQTUR4yK23wHV9QGMlmTmIlMh63nP49g1NrS+sJKfBY 4 + --- H6/xHryPPKmAWW/bDXUN4YBXMKrsFpUAveKxWsT0SH0 5 + �E����,�ήS��P)A.������9O\�����2n��U�!���X�a��� l�Z�4*(G�[��>�Zl� 6 + :QՅ���������o����$=��& ڍ�w�t^�<<E�0p�8��:���� G�̉����J#�QR�����p�򘐞�kA,�=!��5�KK��0o��nQ��)�\\�ĘN�����wQ�҉
+8
secrets/secrets.nix
···
··· 1 + let 2 + noah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDQFlX3hhXxsqAUYLvF+IX1YWQ+k22OHlqMOjgyNBe9e noah@misaki"; 3 + misaki = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO+Rcf4Lr+JPWGKQol6eAml6SMgERkGJWgN7y1qYUUvX root@nixos"; 4 + #users = [noah]; 5 + in 6 + { 7 + "porkbun-api-key.age".publicKeys = [ noah misaki ]; 8 + }
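Review bot: secrets.nix lists two recipients for `porkbun-api-key.age` (`[ noah misaki ]` on line 7), but the header of the committed `.age` file in this commit shows a single `-> ssh-ed25519` stanza, so the file appears to have been encrypted to only one of those keys; if that is noah's user key rather than the `root@nixos` host key, misaki cannot decrypt the secret at activation and the `config.age.secrets.acme.path` file consumed by services.nix never becomes usable. Rekeying with the agenix CLI now that this recipient list exists (`agenix -r`) would write one stanza per key. A short comment above line 3 naming where the `misaki` key comes from — presumably the host's `/etc/ssh/ssh_host_ed25519_key.pub`, which is what agenix's default identity paths read — would help the next person rotate it, and the commented-out `#users = [noah];` on line 4 looks like a leftover that can go.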
+44 -36
services.nix
··· 2 , lib 3 , pkgs 4 , unstable 5 - , system 6 , ... 7 }: 8 - let 9 - #unstable = import unstable { 10 - # inherit system; 11 - # config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ 12 - # "plexmediaserver" 13 - # "teamspeak-server" 14 - # ]; 15 - # overlays = [ 16 - # (final: prev: { 17 - # # Override the version of Plex installed to be the latest 18 - # plexRaw = prev.plexRaw.overrideAttrs rec { 19 - # version = "1.43.0.10346-fc911a729"; 20 - # src = final.fetchurl { 21 - # url = "https://downloads.plex.tv/plex-media-server-new/${version}/debian/plexmediaserver_${version}_amd64.deb"; 22 - # sha256 = "jfQ11luQoafUYb5sGpvE7jPiErGt2HXVLwn70M/Hqyc="; 23 - # }; 24 - # }; 25 - # ## Override the json object that contains verions and hashes for Immich 26 - # #immich = prev.immich.override { sourcesJSON = ./overrides/immich-sources.json; }; 27 - # ## Fix errors wit numpy version failing to resolve in the immich ML package 28 - # #immich-machine-learning = prev.immich-machine-learning.overrideAttrs 29 - # # (finalAttrs: prevAttrs: { 30 - # # pythonRelaxDeps = prevAttrs.pythonRelaxDeps ++ [ "numpy" ]; 31 - # # }); 32 - # }) 33 - # ]; 34 - #}; 35 - #age = import <agenix/modules/age.nix> { }; 36 - in 37 { 38 39 services.zfs = { ··· 265 settings = builtins.fromJSON (builtins.readFile /home/noah/.step/config/ca.json); 266 }; 267 268 security.acme = { 269 acceptTerms = true; 270 defaults.email = "noah@packetlost.dev"; 271 certs."plex.packetlost.dev" = { 272 group = "httpd"; 273 }; 274 certs."img.ngp.computer" = { 275 group = "httpd"; 276 }; 277 }; 278 ··· 347 # wantedBy = [ "multi-user.target" ]; 348 #}; 349 "update-downstream-src" = { 350 - path = with pkgs; [ rc coreutils git openssh ]; 351 script = "exec ${./scripts/update-src}"; 352 serviceConfig = { 353 Type = "oneshot"; ··· 378 accelerationDevices = [ "/dev/dri/renderD128" ]; 379 mediaLocation = "/srv/shokuhou/pictures/immich"; 380 }; 381 - users.users.immich.extraGroups = [ "video" "render" "nas" ]; 382 
383 # Nginx Reverse SSL Proxy 384 services.nginx = { ··· 399 "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; 400 }; 401 virtualHosts."photos.ngp.computer" = { 402 - enableACME = true; 403 forceSSL = true; 404 locations."/" = { 405 proxyPass = "http://[::1]:${toString config.services.immich.port}"; ··· 415 }; 416 virtualHosts."img.ngp.computer" = { 417 forceSSL = true; 418 - enableACME = true; 419 root = "/srv/shokuhou/pictures/public"; 420 extraConfig = '' 421 sendfile on; ··· 443 }; 444 virtualHosts."jellyfin.packetlost.dev" = { 445 forceSSL = true; 446 - enableACME = true; 447 http2 = true; 448 locations."/" = { 449 proxyPass = "http://localhost:8096/"; ··· 454 virtualHosts."plex.packetlost.dev" = { 455 # Since we want a secure connection, we force SSL 456 forceSSL = true; 457 - enableACME = true; 458 459 # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/ 460 http2 = true;
··· 2 , lib 3 , pkgs 4 , unstable 5 , ... 6 }: 7 { 8 9 services.zfs = { ··· 235 settings = builtins.fromJSON (builtins.readFile /home/noah/.step/config/ca.json); 236 }; 237 238 + age.secrets.acme = { 239 + file = ./secrets/porkbun-api-key.age; 240 + owner = "root"; 241 + group = "acme"; 242 + }; 243 + 244 + # TODO: re-enable this once Agenix is set up 245 security.acme = { 246 acceptTerms = true; 247 defaults.email = "noah@packetlost.dev"; 248 certs."plex.packetlost.dev" = { 249 + dnsProvider = "porkbun"; 250 group = "httpd"; 251 + environmentFile = config.age.secrets.acme.path; 252 }; 253 certs."img.ngp.computer" = { 254 group = "httpd"; 255 + dnsProvider = "porkbun"; 256 + environmentFile = config.age.secrets.acme.path; 257 + }; 258 + certs."photos.ngp.computer" = { 259 + group = "httpd"; 260 + dnsProvider = "porkbun"; 261 + environmentFile = config.age.secrets.acme.path; 262 + }; 263 + certs."jellyfin.packetlost.dev" = { 264 + group = "httpd"; 265 + dnsProvider = "porkbun"; 266 + environmentFile = config.age.secrets.acme.path; 267 }; 268 }; 269 ··· 338 # wantedBy = [ "multi-user.target" ]; 339 #}; 340 "update-downstream-src" = { 341 + path = with pkgs; [ 342 + rc 343 + coreutils 344 + git 345 + openssh 346 + ]; 347 script = "exec ${./scripts/update-src}"; 348 serviceConfig = { 349 Type = "oneshot"; ··· 374 accelerationDevices = [ "/dev/dri/renderD128" ]; 375 mediaLocation = "/srv/shokuhou/pictures/immich"; 376 }; 377 + users.users.immich.extraGroups = [ 378 + "video" 379 + "render" 380 + "nas" 381 + ]; 382 383 # Nginx Reverse SSL Proxy 384 services.nginx = { ··· 399 "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}"; 400 }; 401 virtualHosts."photos.ngp.computer" = { 402 + enableACME = false; 403 + useACMEHost = "photos.ngp.computer"; 404 + acmeRoot = null; 405 forceSSL = true; 406 locations."/" = { 407 proxyPass = "http://[::1]:${toString config.services.immich.port}"; ··· 417 }; 418 virtualHosts."img.ngp.computer" = { 
419 forceSSL = true; 420 + enableACME = false; 421 + useACMEHost = "img.ngp.computer"; 422 + acmeRoot = null; 423 root = "/srv/shokuhou/pictures/public"; 424 extraConfig = '' 425 sendfile on; ··· 447 }; 448 virtualHosts."jellyfin.packetlost.dev" = { 449 forceSSL = true; 450 + enableACME = false; 451 + useACMEHost = "jellyfin.packetlost.dev"; 452 + acmeRoot = null; 453 http2 = true; 454 locations."/" = { 455 proxyPass = "http://localhost:8096/"; ··· 460 virtualHosts."plex.packetlost.dev" = { 461 # Since we want a secure connection, we force SSL 462 forceSSL = true; 463 + enableACME = false; 464 + useACMEHost = "plex.packetlost.dev"; 465 + acmeRoot = null; 466 467 # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/ 468 http2 = true;
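Review bot: The new `age.secrets.acme` block (lines 238-242) sets `owner = "root"` and `group = "acme"` but no `mode`; agenix's default mode is 0400, so the group assignment has no effect and the decrypted file is readable by root only. Whether the per-cert ACME service can still load it through `environmentFile` then depends on systemd reading `EnvironmentFile=` before it switches to the `acme` user — I would not rely on that and would add `mode = "0440";` so the acme group can read it (or set `owner = "acme"`), and confirm with a forced renewal of one cert. The `# TODO: re-enable this once Agenix is set up` comment on line 244 is now stale, since this very commit wires agenix in and the block below it is active; drop it or reword it to say what still needs verifying. One shared API key file backs all four certs, so rotating the Porkbun key means re-encrypting a single file, which is worth a comment on the secret block. The services.nix attribute set continues outside the hunk.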