
[meta] format all files

+660 -513
+1 -3
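--- a/overlays/pyronet-packages/default.nix
+++ b/overlays/pyronet-packages/default.nix
@@ -1,4 +1,2 @@
 # deadnix: skip
-{ inputs, ...}: final: prev: {
-py = inputs.self.packages.${prev.system};
-}
+{ inputs, ... }: final: prev: { py = inputs.self.packages.${prev.system}; }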
+21 -22
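--- a/packages/olympus/default.nix
+++ b/packages/olympus/default.nix
@@ -1,6 +1,5 @@
-{
-pkgs
-}: let
+{ pkgs }:
+let
 olympus = pkgs.stdenv.mkDerivation rec {
 pname = "olympus";
 version = "4085";
@@ -11,7 +10,7 @@
 hash = "sha256-8qHQ59QQvUfm4/2rbPaweh+q6dbzTUMMJ1n5duJ3XpI=";
 };
 
-buildInputs = [pkgs.unzip];
+buildInputs = [ pkgs.unzip ];
 installPhase = ''
 mkdir -p "$out/opt/olympus/"
 mv dist.zip "$out/opt/olympus/" && cd "$out/opt/olympus/"
@@ -25,22 +24,22 @@
 '';
 };
 in
-pkgs.buildFHSUserEnv {
-name = "olympus";
-runScript = "${olympus}/opt/olympus/olympus";
-targetPkgs = pkgs: [
-pkgs.freetype
-pkgs.zlib
-pkgs.SDL2
-pkgs.curl
-pkgs.libpulseaudio
-pkgs.gtk3
-pkgs.glib
-pkgs.libGL
-pkgs.libdrm
-];
+pkgs.buildFHSUserEnv {
+name = "olympus";
+runScript = "${olympus}/opt/olympus/olympus";
+targetPkgs = pkgs: [
+pkgs.freetype
+pkgs.zlib
+pkgs.SDL2
+pkgs.curl
+pkgs.libpulseaudio
+pkgs.gtk3
+pkgs.glib
+pkgs.libGL
+pkgs.libdrm
+];
 
-# https://github.com/EverestAPI/Olympus/blob/main/lib-linux/olympus.desktop
-# https://stackoverflow.com/questions/8822097/how-to-replace-a-whole-line-with-sed
-extraInstallCommands = ''cp -r "${olympus}/share/" $out'';
-}
+# https://github.com/EverestAPI/Olympus/blob/main/lib-linux/olympus.desktop
+# https://stackoverflow.com/questions/8822097/how-to-replace-a-whole-line-with-sed
+extraInstallCommands = ''cp -r "${olympus}/share/" $out'';
+}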
+18 -5
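--- a/systems/x86_64-linux/marvin/firewall.nix
+++ b/systems/x86_64-linux/marvin/firewall.nix
@@ -1,5 +1,18 @@
-{networking.firewall = {
-allowedTCPPorts = [80 443 6912 34197];
-allowedUDPPorts = [4367 34197];
-trustedInterfaces = ["tailscale0" "wg0"];
-};}
+{
+networking.firewall = {
+allowedTCPPorts = [
+80
+443
+6912
+34197
+];
+allowedUDPPorts = [
+4367
+34197
+];
+trustedInterfaces = [
+"tailscale0"
+"wg0"
+];
+};
+}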
+5 -6
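--- a/systems/x86_64-linux/marvin/networking.nix
+++ b/systems/x86_64-linux/marvin/networking.nix
@@ -1,8 +1,5 @@
+{ lib, pkgs, ... }:
 {
-lib,
-pkgs,
-...
-}: {
 networking = {
 hostName = "marvin";
 hostId = "5711215d";
@@ -12,13 +9,15 @@
 enp42s0.useDHCP = lib.mkDefault true;
 wlp41s0.useDHCP = lib.mkDefault true;
 };
-networkmanager = {enable = true;};
+networkmanager = {
+enable = true;
+};
 wireless.enable = false;
 
 # Enable NAT for containers
 nat = {
 enable = true;
-internalInterfaces = ["ve-+"];
+internalInterfaces = [ "ve-+" ];
 externalInterface = "wlp41s0";
 # Lazy IPv6 connectivity for the container
 enableIPv6 = true;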
+73 -66
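--- a/systems/x86_64-linux/marvin/services/authentik.nix
+++ b/systems/x86_64-linux/marvin/services/authentik.nix
@@ -1,78 +1,85 @@
-{config, lib, ...}: let
+{ config, lib, ... }:
+let
 d = lib.py.data.services.authentik;
-in {
-virtualisation.oci-containers.containers = let
-authentikVersion = "2024.2";
-base = {
-environmentFiles = [config.age.secrets.authentik-env.path];
-extraOptions = ["--network=authentik"];
-};
-authentikBase = base // {
-image = "ghcr.io/goauthentik/server:${authentikVersion}";
-environment = {
-AUTHENTIK_REDIS__HOST = "authentik-redict";
+in
+{
+virtualisation.oci-containers.containers =
+let
+authentikVersion = "2024.2";
+base = {
+environmentFiles = [ config.age.secrets.authentik-env.path ];
+extraOptions = [ "--network=authentik" ];
+};
+authentikBase = base // {
+image = "ghcr.io/goauthentik/server:${authentikVersion}";
+environment = {
+AUTHENTIK_REDIS__HOST = "authentik-redict";
 
-# Postgres Settings
-AUTHENTIK_POSTGRESQL__HOST = "authentik-db";
-AUTHENTIK_POSTGRESQL__PORT = "5432";
-AUTHENTIK_POSTGRESQL__USER = "authentik";
-AUTHENTIK_POSTGRESQL__NAME = "authentik";
-AUTHENTIK_POSTGRESQL__PASSWORD = "\${PG_PASS}";
+# Postgres Settings
+AUTHENTIK_POSTGRESQL__HOST = "authentik-db";
+AUTHENTIK_POSTGRESQL__PORT = "5432";
+AUTHENTIK_POSTGRESQL__USER = "authentik";
+AUTHENTIK_POSTGRESQL__NAME = "authentik";
+AUTHENTIK_POSTGRESQL__PASSWORD = "\${PG_PASS}";
 
-# Disable error reporting
-AUTHENTIK_ERROR_REPORTING__ENABLED = "false";
+# Disable error reporting
+AUTHENTIK_ERROR_REPORTING__ENABLED = "false";
 
-# Avatars are an attribute based on an uploaded file
-AUTHENTIK_AVATARS = "attributes.user.avatar";
+# Avatars are an attribute based on an uploaded file
+AUTHENTIK_AVATARS = "attributes.user.avatar";
 
-# Email Settings
-AUTHENTIK_EMAIL__HOST = "mail.pyrox.dev";
-AUTHENTIK_EMAIL__USERNAME = "auth@pyrox.dev";
-AUTHENTIK_EMAIL__PORT = "465";
-AUTHENTIK_EMAIL__USE_TLS = "true";
-AUTHENTIK_EMAIL__FROM = "PyroServ Auth <auth@pyrox.dev>";
+# Email Settings
+AUTHENTIK_EMAIL__HOST = "mail.pyrox.dev";
+AUTHENTIK_EMAIL__USERNAME = "auth@pyrox.dev";
+AUTHENTIK_EMAIL__PORT = "465";
+AUTHENTIK_EMAIL__USE_TLS = "true";
+AUTHENTIK_EMAIL__FROM = "PyroServ Auth <auth@pyrox.dev>";
+};
+};
+authentikVols = [
+"/var/lib/authentik/media:/media"
+"/var/lib/authentik/templates:/templates"
+];
+in
+{
+authentik-db = base // {
+image = "postgres:12-alpine";
+volumes = [ "/var/lib/authentik/db_12:/var/lib/postgresql/data" ];
+environment = {
+POSTGRES_PASSWORD = "\${PG_PASS}";
+POSTGRES_USER = "authentik";
+POSTGRES_DB = "authentik";
+};
+};
+authentik-redict = {
+image = "registry.redict.io/redict:alpine";
+extraOptions = [ "--network=authentik" ];
+};
+authentik-server = authentikBase // {
+cmd = [ "server" ];
+ports = [
+"${toString d.port}:9000"
+"6943:9443"
+"9301:9300"
+];
+volumes = authentikVols ++ [ "/var/lib/authentik/custom.css:/web/dist/custom.css" ];
 };
-};
-authentikVols = [
-"/var/lib/authentik/media:/media"
-"/var/lib/authentik/templates:/templates"
-];
-in {
-authentik-db = base // {
-image = "postgres:12-alpine";
-volumes = ["/var/lib/authentik/db_12:/var/lib/postgresql/data"];
-environment = {
-POSTGRES_PASSWORD = "\${PG_PASS}";
-POSTGRES_USER = "authentik";
-POSTGRES_DB = "authentik";
+authentik-worker = authentikBase // {
+cmd = [ "worker" ];
+volumes = authentikVols ++ [ "/var/lib/authentik/certs:/certs" ];
 };
-};
-authentik-redict = {
-image = "registry.redict.io/redict:alpine";
-extraOptions = ["--network=authentik"];
-};
-authentik-server = authentikBase // {
-cmd = ["server"];
-ports = ["${toString d.port}:9000" "6943:9443" "9301:9300"];
-volumes = authentikVols ++ [
-"/var/lib/authentik/custom.css:/web/dist/custom.css"
-];
-};
-authentik-worker = authentikBase // {
-cmd = ["worker"];
-volumes = authentikVols ++ [
-"/var/lib/authentik/certs:/certs"
-];
-};
-authentik-ldap = base // {
-image = "ghcr.io/goauthentik/ldap:${authentikVersion}";
-ports = ["389:3389" "636:6636"];
-environment = {
-AUTHENTIK_HOST = "https://${d.extUrl}";
-AUTHENTIK_INSECURE = "false";
+authentik-ldap = base // {
+image = "ghcr.io/goauthentik/ldap:${authentikVersion}";
+ports = [
+"389:3389"
+"636:6636"
+];
+environment = {
+AUTHENTIK_HOST = "https://${d.extUrl}";
+AUTHENTIK_INSECURE = "false";
+};
 };
 };
-};
 age.secrets.authentik-env = {
 file = ../secrets/authentik-env.age;
 owner = "thehedgehog";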
+5 -1
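--- a/systems/x86_64-linux/marvin/services/bookstack.nix
+++ b/systems/x86_64-linux/marvin/services/bookstack.nix
@@ -1,1 +1,5 @@
-{services.bookstack = {enable = true;};}
+{
+services.bookstack = {
+enable = true;
+};
+}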
+39 -38
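--- a/systems/x86_64-linux/marvin/services/bots.nix
+++ b/systems/x86_64-linux/marvin/services/bots.nix
@@ -1,45 +1,46 @@
+{ pkgs, ... }:
 {
-pkgs,
-...
-}: {
 systemd.services = {
-io-bot = {
-enable = false;
-wantedBy = ["multi-user.target"];
-after = ["network.target" "io-bot-lavalink.service"];
-description = "I/O, my personal bot";
-path = [pkgs.python311];
-serviceConfig = {
-ExecStart = "${pkgs.bash}/bin/bash start.sh";
-Restart = "always";
-RestartSec = 3;
-WorkingDirectory = "/home/thehedgehog/io-py";
+io-bot = {
+enable = false;
+wantedBy = [ "multi-user.target" ];
+after = [
+"network.target"
+"io-bot-lavalink.service"
+];
+description = "I/O, my personal bot";
+path = [ pkgs.python311 ];
+serviceConfig = {
+ExecStart = "${pkgs.bash}/bin/bash start.sh";
+Restart = "always";
+RestartSec = 3;
+WorkingDirectory = "/home/thehedgehog/io-py";
+};
 };
-};
-io-bot-lavalink = {
-enable = false;
-wantedBy = ["multi-user.target"];
-after = ["network.target"];
-description = "Lavalink server for I/O";
-serviceConfig = {
-ExecStart = "${pkgs.openjdk17_headless}/bin/java -jar ../Lavalink.jar";
-Restart = "always";
-RestartSec = 3;
-WorkingDirectory = "/home/thehedgehog/io-py/config";
+io-bot-lavalink = {
+enable = false;
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+description = "Lavalink server for I/O";
+serviceConfig = {
+ExecStart = "${pkgs.openjdk17_headless}/bin/java -jar ../Lavalink.jar";
+Restart = "always";
+RestartSec = 3;
+WorkingDirectory = "/home/thehedgehog/io-py/config";
+};
 };
-};
-misc-bot = {
-enable = false;
-wantedBy = ["multi-user.target"];
-after = ["network.target"];
-description = "Random Bot 1";
-path = [pkgs.python311];
-serviceConfig = {
-ExecStart = "${pkgs.bash}/bin/bash start.sh";
-Restart = "always";
-RestartSec = 3;
-WorkingDirectory = "/home/thehedgehog/bots/bot1";
+misc-bot = {
+enable = false;
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+description = "Random Bot 1";
+path = [ pkgs.python311 ];
+serviceConfig = {
+ExecStart = "${pkgs.bash}/bin/bash start.sh";
+Restart = "always";
+RestartSec = 3;
+WorkingDirectory = "/home/thehedgehog/bots/bot1";
+};
 };
-};
 };
 }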
+30 -28
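--- a/systems/x86_64-linux/marvin/services/buildbot.nix
+++ b/systems/x86_64-linux/marvin/services/buildbot.nix
@@ -1,4 +1,5 @@
-{config, lib, ...}: let
+{ config, lib, ... }:
+let
 as = config.age.secrets;
 d = lib.py.data.services.buildbot;
 g = lib.py.data.services.git;
@@ -6,36 +7,37 @@
 owner = "buildbot";
 group = "buildbot";
 };
-in {
+in
+{
 services = {
-buildbot-nix.master = {
-enable = true;
-dbUrl = "postgresql://buildbot@localhost/buildbot";
-workersFile = as.buildbot-workers.path;
-authBackend = "gitea";
-gitea = {
+buildbot-nix.master = {
 enable = true;
-tokenFile = as.buildbot-gitea-token.path;
-oauthSecretFile = as.buildbot-oauth-secret.path;
-instanceUrl = g.extUrl;
-oauthId = "2bfd5c46-43a7-4d98-b443-9176dc0a9452";
-topic = "buildbot-enable";
+dbUrl = "postgresql://buildbot@localhost/buildbot";
+workersFile = as.buildbot-workers.path;
+authBackend = "gitea";
+gitea = {
+enable = true;
+tokenFile = as.buildbot-gitea-token.path;
+oauthSecretFile = as.buildbot-oauth-secret.path;
+instanceUrl = g.extUrl;
+oauthId = "2bfd5c46-43a7-4d98-b443-9176dc0a9452";
+topic = "buildbot-enable";
+};
+admins = [ "pyrox" ];
+domain = d.extUrl;
+useHttps = true;
 };
-admins = [
-"pyrox"
-];
-domain = d.extUrl;
-useHttps = true;
-};
-postgresql = {
-ensureUsers = [{
-name = "buildbot";
-ensureDBOwnership = true;
-ensureClauses.login = true;
-}];
-ensureDatabases = [ "buildbot" ];
-};
-buildbot-master.port = 6915;
+postgresql = {
+ensureUsers = [
+{
+name = "buildbot";
+ensureDBOwnership = true;
+ensureClauses.login = true;
+}
+];
+ensureDatabases = [ "buildbot" ];
+};
+buildbot-master.port = 6915;
 };
 age.secrets = {
 buildbot-gitea-token = bbSecret // {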
+9 -4
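--- a/systems/x86_64-linux/marvin/services/deemix.nix
+++ b/systems/x86_64-linux/marvin/services/deemix.nix
@@ -1,10 +1,15 @@
-{data, lib, ...}: let
+{ data, lib, ... }:
+let
 d = lib.py.data.services.deemix;
-in {
+in
+{
 virtualisation.oci-containers.containers.deemix = {
 image = "registry.gitlab.com/bockiii/deemix-docker";
-volumes = ["/var/lib/deemix:/config" "/var/lib/music:/downloads"];
-ports = ["${toString d.port}:6595"];
+volumes = [
+"/var/lib/deemix:/config"
+"/var/lib/music:/downloads"
+];
+ports = [ "${toString d.port}:6595" ];
 environment = {
 PUID = "1000";
 PGID = "1000";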
+4 -2
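--- a/systems/x86_64-linux/marvin/services/grafana.nix
+++ b/systems/x86_64-linux/marvin/services/grafana.nix
@@ -1,7 +1,9 @@
-{config, lib, ...}: let
+{ config, lib, ... }:
+let
 d = lib.py.data.services.grafana;
 a = lib.py.data.services.authentik;
-in {
+in
+{
 services.grafana = {
 enable = true;
 settings = {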
+7 -2
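--- a/systems/x86_64-linux/marvin/services/jellyfin.nix
+++ b/systems/x86_64-linux/marvin/services/jellyfin.nix
@@ -1,4 +1,9 @@
 {
-services.jellyfin = {enable = true;};
-networking.firewall.allowedUDPPorts = [1900 7359];
+services.jellyfin = {
+enable = true;
+};
+networking.firewall.allowedUDPPorts = [
+1900
+7359
+];
 }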
+2 -1
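--- a/systems/x86_64-linux/marvin/services/minio.nix
+++ b/systems/x86_64-linux/marvin/services/minio.nix
@@ -1,4 +1,5 @@
-{config, ...}: {
+{ config, ... }:
+{
 services.minio = {
 enable = true;
 region = "us-east-1";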
+4 -2
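--- a/systems/x86_64-linux/marvin/services/nextcloud/imaginary.nix
+++ b/systems/x86_64-linux/marvin/services/nextcloud/imaginary.nix
@@ -1,6 +1,8 @@
-{ lib, ...}: let
+{ lib, ... }:
+let
 d = lib.py.data.services.nextcloud-imaginary;
-in{
+in
+{
 services.imaginary = {
 inherit (d) port;
 enable = true;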
+15 -15
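--- a/systems/x86_64-linux/marvin/services/nextcloud/office.nix
+++ b/systems/x86_64-linux/marvin/services/nextcloud/office.nix
@@ -1,6 +1,8 @@
-{ lib, ...}: let
+{ lib, ... }:
+let
 d = lib.py.data.services.nextcloud-office;
-in {
+in
+{
 virtualisation.oci-containers.containers.collabora-office = {
 image = "collabora/code";
 ports = [ "${toString d.port}:9980" ];
@@ -10,18 +12,16 @@
 "--cap-add=CHOWN"
 "--cap-add=FOWNER"
 ];
-environment = let
-mkAlias = domain:
-"https://" + (builtins.replaceStrings [ "." ] [ "\\." ] domain)
-+ ":443";
-in {
-server_name = "office.pyrox.dev";
-aliasgroup1 = mkAlias "office.pyrox.dev";
-aliasgroup2 = mkAlias "cloud.pyrox.dev";
-extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
-};
-volumes = [
-"/var/lib/nextcloud-office/coolwsd.xml:/etc/coolwsd/coolwsd.xml"
-];
+environment =
+let
+mkAlias = domain: "https://" + (builtins.replaceStrings [ "." ] [ "\\." ] domain) + ":443";
+in
+{
+server_name = "office.pyrox.dev";
+aliasgroup1 = mkAlias "office.pyrox.dev";
+aliasgroup2 = mkAlias "cloud.pyrox.dev";
+extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
+};
+volumes = [ "/var/lib/nextcloud-office/coolwsd.xml:/etc/coolwsd/coolwsd.xml" ];
 };
 }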
+10 -3
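--- a/systems/x86_64-linux/marvin/services/nginx.nix
+++ b/systems/x86_64-linux/marvin/services/nginx.nix
@@ -1,10 +1,17 @@
-{lib, ...}: let
+{ lib, ... }:
+let
 n = lib.py.data.services.nextcloud;
-in {
+in
+{
 services.nginx = {
 virtualHosts = {
 "${n.extUrl}" = {
-listen = [ { inherit (n) port; addr = "0.0.0.0"; } ];
+listen = [
+{
+inherit (n) port;
+addr = "0.0.0.0";
+}
+];
 };
 };
 };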
+9 -11
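--- a/systems/x86_64-linux/marvin/services/planka.nix
+++ b/systems/x86_64-linux/marvin/services/planka.nix
@@ -1,11 +1,13 @@
-{ config, lib, ... }: let
+{ config, lib, ... }:
+let
 dataDir = "/var/lib/planka";
 d = lib.py.data.services.planka;
-in {
+in
+{
 virtualisation.oci-containers.containers = {
 planka-server = {
 image = "ghcr.io/plankanban/planka:latest";
-ports = ["${toString d.port}:1337"];
+ports = [ "${toString d.port}:1337" ];
 environment = {
 BASE_URL = "https://${d.extUrl}";
 DATABASE_URL = "postgresql://planka@planka-db/planka";
@@ -13,27 +15,23 @@
 DEFAULT_ADMIN_EMAIL = "pyrox@pyrox.dev";
 DEFAULT_ADMIN_USERNAME = "pyrox";
 };
-environmentFiles = [
-config.age.secrets.planka-env.path
-];
+environmentFiles = [ config.age.secrets.planka-env.path ];
 volumes = [
 "${dataDir}/user-avatars:/app/public/user-avatars"
 "${dataDir}/project-background-images:/app/public/project-background-images"
 "${dataDir}/attachments:/app/private/attachments"
 ];
-extraOptions = ["--network=planka"];
+extraOptions = [ "--network=planka" ];
 };
 planka-db = {
 image = "postgres:16-alpine";
-volumes = [
-"${dataDir}/db:/var/lib/postgresql/data"
-];
+volumes = [ "${dataDir}/db:/var/lib/postgresql/data" ];
 environment = {
 POSTGRES_USER = "planka";
 POSTGRES_DB = "planka";
 POSTGRES_HOST_AUTH_METHOD = "trust";
 };
-extraOptions = ["--network=planka"];
+extraOptions = [ "--network=planka" ];
 };
 };
 age.secrets.planka-env = {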
+14 -12
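--- a/systems/x86_64-linux/marvin/services/podman.nix
+++ b/systems/x86_64-linux/marvin/services/podman.nix
@@ -1,14 +1,16 @@
-{virtualisation = {
-oci-containers.backend = "docker";
-docker = {
-enable = true;
-storageDriver = "zfs";
-autoPrune.enable = true;
-liveRestore = true;
-daemon.settings = {
-experimental = true;
-ip6tables = true;
-fixed-cidr-v6 = "2001:db8:1::/64";
+{
+virtualisation = {
+oci-containers.backend = "docker";
+docker = {
+enable = true;
+storageDriver = "zfs";
+autoPrune.enable = true;
+liveRestore = true;
+daemon.settings = {
+experimental = true;
+ip6tables = true;
+fixed-cidr-v6 = "2001:db8:1::/64";
+};
 };
 };
-};}
+}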
+7 -7
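--- a/systems/x86_64-linux/marvin/services/postgres.nix
+++ b/systems/x86_64-linux/marvin/services/postgres.nix
@@ -1,6 +1,8 @@
-{pkgs, config, ...}: let
-cfg = config.services.postgresql;
-in {
+{ pkgs, config, ... }:
+let
+cfg = config.services.postgresql;
+in
+{
 services.postgresql = {
 enable = true;
 package = pkgs.postgresql_16;
@@ -35,10 +37,8 @@
 };
 systemd.services.pg-autovacuum = {
 description = "Vacuum all Postgres databases.";
-requisite = [
-"postgresql.service"
-];
-wantedBy = ["multi-user.target"];
+requisite = [ "postgresql.service" ];
+wantedBy = [ "multi-user.target" ];
 serviceConfig = {
 Type = "oneshot";
 User = "postgres";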
+8 -19
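--- a/systems/x86_64-linux/marvin/services/prometheus.nix
+++ b/systems/x86_64-linux/marvin/services/prometheus.nix
@@ -1,11 +1,12 @@
-{config, ...}: {
+{ config, ... }:
+{
 services.prometheus = {
 enable = true;
 port = 6999;
 exporters = {
 node = {
 enable = true;
-enabledCollectors = ["systemd"];
+enabledCollectors = [ "systemd" ];
 port = 6998;
 };
 };
@@ -13,38 +14,26 @@
 {
 job_name = "marvin";
 static_configs = [
-{
-targets = [
-"127.0.0.1:${
-toString config.services.prometheus.exporters.node.port
-}"
-];
-}
+{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
 ];
 }
 {
 job_name = "gitea";
 static_configs = [
-{
-targets = [
-"127.0.0.1:${
-toString config.services.gitea.settings.server.HTTP_PORT
-}"
-];
-}
+{ targets = [ "127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}" ]; }
 ];
 }
 {
 job_name = "jellyfin";
-static_configs = [{targets = ["127.0.0.1:8096"];}];
+static_configs = [ { targets = [ "127.0.0.1:8096" ]; } ];
 }
 {
 job_name = "authentik";
-static_configs = [{targets = ["127.0.0.1:9301"];}];
+static_configs = [ { targets = [ "127.0.0.1:9301" ]; } ];
 }
 {
 job_name = "prometheus";
-static_configs = [{targets = ["127.0.0.1:6999"];}];
+static_configs = [ { targets = [ "127.0.0.1:6999" ]; } ];
 }
 ];
 };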
+6 -1
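--- a/systems/x86_64-linux/marvin/services/prosody.nix
+++ b/systems/x86_64-linux/marvin/services/prosody.nix
@@ -6,4 +6,9 @@
 # deadnix: skip
 lib,
 ...
-}: {services.prosody = {enable = true;};}
+}:
+{
+services.prosody = {
+enable = true;
+};
+}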
+4 -2
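--- a/systems/x86_64-linux/marvin/services/redlib.nix
+++ b/systems/x86_64-linux/marvin/services/redlib.nix
@@ -1,6 +1,8 @@
-{ pkgs, lib, ...}: let
+{ pkgs, lib, ... }:
+let
 d = lib.py.data.services.redlib;
-in {
+in
+{
 services.libreddit = {
 inherit (d) port;
 enable = true;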
+8 -2
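--- a/systems/x86_64-linux/marvin/services/syncthing.nix
+++ b/systems/x86_64-linux/marvin/services/syncthing.nix
@@ -4,6 +4,12 @@
 guiAddress = "0.0.0.0:8384";
 };
 # Open The Ports!
-networking.firewall.allowedTCPPorts = [8384 22000];
-networking.firewall.allowedUDPPorts = [22000 21027];
+networking.firewall.allowedTCPPorts = [
+8384
+22000
+];
+networking.firewall.allowedUDPPorts = [
+22000
+21027
+];
 }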
+4 -3
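--- a/systems/x86_64-linux/marvin/services/tailscale.nix
+++ b/systems/x86_64-linux/marvin/services/tailscale.nix
@@ -1,11 +1,12 @@
-{config, ...}: {
+{ config, ... }:
+{
 services.tailscale = {
 enable = true;
 permitCertUid = "962";
 };
 networking.firewall = {
-trustedInterfaces = ["tailscale0"];
-allowedUDPPorts = [config.services.tailscale.port];
+trustedInterfaces = [ "tailscale0" ];
+allowedUDPPorts = [ config.services.tailscale.port ];
 checkReversePath = "loose";
 };
 }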
+15 -8
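--- a/systems/x86_64-linux/marvin/services/vaultwarden.nix
+++ b/systems/x86_64-linux/marvin/services/vaultwarden.nix
@@ -1,12 +1,19 @@
-{pkgs, config, lib, ...}: let
+{
+pkgs,
+config,
+lib,
+...
+}:
+let
 
-d = lib.py.data.services.vaultwarden;
+d = lib.py.data.services.vaultwarden;
 
-vaultwardenSecret = {
-owner = "vaultwarden";
-group = "vaultwarden";
-};
-in {
+vaultwardenSecret = {
+owner = "vaultwarden";
+group = "vaultwarden";
+};
+in
+{
 services.vaultwarden = {
 enable = true;
 dbBackend = "postgresql";
@@ -101,7 +108,7 @@
 environmentFile = config.age.secrets.vaultwarden-vars.path;
 };
 systemd.services.vaultwarden.environment.PGPASSFILE = config.age.secrets.vaultwarden-pgpass.path;
-environment.systemPackages = with pkgs; [vaultwarden-vault];
+environment.systemPackages = with pkgs; [ vaultwarden-vault ];
 age.secrets.vaultwarden-vars = vaultwardenSecret // {
 file = ../secrets/vaultwarden-vars.age;
 };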
+7 -9
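--- a/systems/x86_64-linux/marvin/services/webmentiond.nix
+++ b/systems/x86_64-linux/marvin/services/webmentiond.nix
@@ -1,16 +1,14 @@
-{
-config,
-lib,
-...
-}: let
+{ config, lib, ... }:
+let
 d = lib.py.data.services.webmentiond;
 p = toString d.port;
-in {
+in
+{
 virtualisation.oci-containers.containers.webmentiond = {
 image = "zerok/webmentiond:latest";
-volumes = ["/var/lib/webmentiond:/data"];
-environmentFiles = [config.age.secrets.webmentiond-env.path];
-ports = [ "${p}:${p}"];
+volumes = [ "/var/lib/webmentiond:/data" ];
+environmentFiles = [ config.age.secrets.webmentiond-env.path ];
+ports = [ "${p}:${p}" ];
 cmd = [
 "--addr 0.0.0.0:${p}"
 "--public-url https://${d.extUrl}"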
+1 -1
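--- a/systems/x86_64-linux/marvin/services/zfs.nix
+++ b/systems/x86_64-linux/marvin/services/zfs.nix
@@ -2,7 +2,7 @@
 services.zfs = {
 trim.enable = true;
 autoScrub.enable = true;
-autoScrub.pools = ["tank"];
+autoScrub.pools = [ "tank" ];
 autoSnapshot.enable = true;
 };
 }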
+6 -2
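--- a/systems/x86_64-linux/prefect/dn42/default.nix
+++ b/systems/x86_64-linux/prefect/dn42/default.nix
@@ -1,5 +1,9 @@
-{pkgs, ...}: {
-imports = [./services.nix ./wireguard.nix];
+{ pkgs, ... }:
+{
+imports = [
+./services.nix
+./wireguard.nix
+];
 networking.interfaces.lo = {
 ipv4.addresses = [
 {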
+47 -44
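--- a/systems/x86_64-linux/prefect/dn42/services.nix
+++ b/systems/x86_64-linux/prefect/dn42/services.nix
@@ -1,8 +1,5 @@
-{
-pkgs,
-lib,
-...
-}: let
+{ pkgs, lib, ... }:
+let
 script = pkgs.writeShellScriptBin "update-roa" ''
 mkdir -p /etc/bird/
 ${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
@@ -10,31 +7,36 @@
 ${pkgs.bird2}/bin/birdc c
 ${pkgs.bird2}/bin/birdc reload in all
 '';
-bgp = import ./bgp.nix {};
-in {
+bgp = import ./bgp.nix { };
+in
+{
 systemd = {
-timers.dn42-roa = {
-description = "Trigger a ROA table update";
+timers.dn42-roa = {
+description = "Trigger a ROA table update";
 
-timerConfig = {
-OnBootSec = "5m";
-OnUnitInactiveSec = "1h";
-Unit = "dn42-roa.service";
-};
+timerConfig = {
+OnBootSec = "5m";
+OnUnitInactiveSec = "1h";
+Unit = "dn42-roa.service";
+};
 
-wantedBy = ["timers.target"];
-before = ["bird.service"];
-};
-services = {
-dn42-roa = {
-after = ["network.target"];
-description = "DN42 ROA Updated";
-unitConfig = {Type = "one-shot";};
-serviceConfig = {ExecStart = "${script}/bin/update-roa";};
+wantedBy = [ "timers.target" ];
+before = [ "bird.service" ];
+};
+services = {
+dn42-roa = {
+after = [ "network.target" ];
+description = "DN42 ROA Updated";
+unitConfig = {
+Type = "one-shot";
+};
+serviceConfig = {
+ExecStart = "${script}/bin/update-roa";
+};
+};
 };
-};
-services.bird-lg-proxy.serviceConfig.User = lib.mkForce "bird2";
-services.bird-lg-proxy.serviceConfig.Group = lib.mkForce "bird2";
+services.bird-lg-proxy.serviceConfig.User = lib.mkForce "bird2";
+services.bird-lg-proxy.serviceConfig.Group = lib.mkForce "bird2";
 };
 
 services = {
@@ -53,7 +55,7 @@
 netSpecificMode = "dn42";
 # protocolFilter = ["bgp" "ospf" "static"];
 proxyPort = 8000;
-servers = ["dn42"];
+servers = [ "dn42" ];
 whois = "whois.burble.dn42";
 # titleBrand = "THEHEDGEHOG LG";
 # navbar.brand = "THEHEDGEHOG LG";
@@ -65,27 +67,28 @@
 checkConfig = false;
 config =
 builtins.readFile ./bird.conf
-+ lib.concatStrings (builtins.map
-(x: "\n protocol bgp ${x.name} from dnpeers {\n ${
-if x.multihop
-then "multihop;"
-else ""
++ lib.concatStrings (
+builtins.map (
+x:
+"\n protocol bgp ${x.name} from dnpeers {\n ${
+if x.multihop then "multihop;" else ""
 }\n ${
-if x.gracefulRestart
-then "graceful restart on;"
-else ""
+if x.gracefulRestart then "graceful restart on;" else ""
 }\n neighbor ${x.neigh} as ${x.as};\n ${
-if x.multi || x.v4
-then "\n ipv4 {\n extended next hop on;\n import where dn42_import_filter(${x.link},25,34);\n export where dn42_export_filter(${x.link},25,34);\n import keep filtered;\n };\n "
-else ""
+if x.multi || x.v4 then
+"\n ipv4 {\n extended next hop on;\n import where dn42_import_filter(${x.link},25,34);\n export where dn42_export_filter(${x.link},25,34);\n import keep filtered;\n };\n "
+else
+""
 }\n ${
-if x.multi || x.v6
-then "\n ipv6 {\n extended next hop on;\n import where dn42_import_filter(${x.link},25,34);\n export where dn42_export_filter(${x.link},25,34);\n import keep filtered;\n };\n "
-else ""
-}\n }\n ")
-bgp.sessions)
+if x.multi || x.v6 then
+"\n ipv6 {\n extended next hop on;\n import where dn42_import_filter(${x.link},25,34);\n export where dn42_export_filter(${x.link},25,34);\n import keep filtered;\n };\n "
+else
+""
+}\n }\n "
+) bgp.sessions
+)
 + bgp.extraConfig;
 };
 };
-users.users.thehedgehog.extraGroups = ["bird2"];
+users.users.thehedgehog.extraGroups = [ "bird2" ];
 }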
+47 -47
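--- a/systems/x86_64-linux/prefect/dn42/wireguard.nix
+++ b/systems/x86_64-linux/prefect/dn42/wireguard.nix
@@ -1,59 +1,59 @@
-{
-pkgs,
-lib,
-...
-}: let
+{ pkgs, lib, ... }:
+let
 defaultLocalIPv4 = "172.20.43.96/32";
 defaultLocalIPv6 = "fe80::1/64";
 privKeyFile = "/run/agenix/dn42-privkey";
 # deadnix: skip
 defaultPubKey = "e6kp9sca4XIzncKa9GEQwyOnMjje299Xg9ZdgXWMwHg=";
-in {
-environment.systemPackages = [pkgs.wireguard-tools];
+in
+{
+environment.systemPackages = [ pkgs.wireguard-tools ];
 
 networking.wireguard.interfaces = import ./tunnels.nix rec {
-customTunnel = listenPort: privKeyFile: peerPubKey: endpoint: name: peerIPv4: peerIPv6: localIPv4: localIPv6: isOspf: {
-inherit listenPort;
-privateKeyFile = privKeyFile;
-allowedIPsAsRoutes = false;
-peers = [
-{
-inherit endpoint;
-publicKey = peerPubKey;
-allowedIPs = ["0.0.0.0/0" "::/0"];
-dynamicEndpointRefreshSeconds = 5;
-persistentKeepalive = 15;
-}
-];
-postSetup =
-''
-${
-if peerIPv4 != ""
-then "${pkgs.iproute2}/bin/ip addr add ${localIPv4} peer ${peerIPv4} dev ${name}"
-else ""
-}
-${
-if peerIPv6 != ""
-then "${pkgs.iproute2}/bin/ip -6 addr add ${localIPv6} peer ${peerIPv6} dev ${name}"
-else ""
+customTunnel =
+listenPort: privKeyFile: peerPubKey: endpoint: name: peerIPv4: peerIPv6: localIPv4: localIPv6: isOspf: {
+inherit listenPort;
+privateKeyFile = privKeyFile;
+allowedIPsAsRoutes = false;
+peers = [
+{
+inherit endpoint;
+publicKey = peerPubKey;
+allowedIPs = [
+"0.0.0.0/0"
+"::/0"
+];
+dynamicEndpointRefreshSeconds = 5;
+persistentKeepalive = 15;
 }
-''
-+ lib.optionalString isOspf
-"${pkgs.iproute2}/bin/ip -6 addr add ${defaultLocalIPv6} dev ${name}";
-};
+];
+postSetup =
+''
+${
+if peerIPv4 != "" then
+"${pkgs.iproute2}/bin/ip addr add ${localIPv4} peer ${peerIPv4} dev ${name}"
+else
+""
+}
+${
+if peerIPv6 != "" then
+"${pkgs.iproute2}/bin/ip -6 addr add ${localIPv6} peer ${peerIPv6} dev ${name}"
+else
+""
+}
+''
++ lib.optionalString isOspf "${pkgs.iproute2}/bin/ip -6 addr add ${defaultLocalIPv6} dev ${name}";
+};
 # deadnix: skip
-tunnel = listenPort: privKey: peerPubKey: localIPv4: localIPv6: endpoint: name: peerIPv4: peerIPv6:
-customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4
-peerIPv6
-localIPv4
-localIPv6
-false;
+tunnel =
+listenPort: privKey: peerPubKey: localIPv4: localIPv6: endpoint: name: peerIPv4: peerIPv6:
+customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4 peerIPv6 localIPv4 localIPv6
+false;
 # deadnix: skip
-ospf = listenPort: privKey: peerPubKey: endpoint: name: peerIPv4: peerIPv6: ULAIPv6:
-customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4
-peerIPv6
-defaultLocalIPv4
-ULAIPv6
-true;
+ospf =
+listenPort: privKey: peerPubKey: endpoint: name: peerIPv4: peerIPv6: ULAIPv6:
+customTunnel listenPort privKeyFile peerPubKey endpoint name peerIPv4 peerIPv6 defaultLocalIPv4
+ULAIPv6
+true;
 };
 }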
+20 -2
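--- a/systems/x86_64-linux/prefect/firewall.nix
+++ b/systems/x86_64-linux/prefect/firewall.nix
@@ -3,8 +3,26 @@
 networking.nftables.enable = true;
 networking.firewall = {
 enable = true;
-allowedTCPPorts = [80 143 179 389 443 465 587 636 993 4130 6900 8000];
-allowedUDPPorts = [636 4367 6900 34197];
+allowedTCPPorts = [
+80
+143
+179
+389
+443
+465
+587
+636
+993
+4130
+6900
+8000
+];
+allowedUDPPorts = [
+636
+4367
+6900
+34197
+];
 allowedUDPPortRanges = [
 {
 from = 480;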
+1 -1
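--- a/systems/x86_64-linux/prefect/hardware.nix
+++ b/systems/x86_64-linux/prefect/hardware.nix
@@ -1,1 +1,1 @@
-{zramSwap.enable = true;}
+{ zramSwap.enable = true; }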
+1 -3
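--- a/systems/x86_64-linux/prefect/networking.nix
+++ b/systems/x86_64-linux/prefect/networking.nix
@@ -1,7 +1,5 @@
+{ lib, ... }:
 {
-lib,
-...
-}: {
 networking = {
 hostName = "prefect";
 hostId = "496e5e96";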
+4 -1
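--- a/systems/x86_64-linux/prefect/packages.nix
+++ b/systems/x86_64-linux/prefect/packages.nix
@@ -1,1 +1,4 @@
-{pkgs, ...}: {environment.systemPackages = with pkgs; [direnv];}
+{ pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [ direnv ];
+}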
+28 -7
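--- a/systems/x86_64-linux/prefect/secrets/secrets.nix
+++ b/systems/x86_64-linux/prefect/secrets/secrets.nix
@@ -4,11 +4,32 @@
 # deadnix: skip
 backup = "ssh-rsa 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";
 prefect = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP532AB5mkNvE29MkDDY8HEf8ZdktGWiI0PzLrvbmLQe";
-in {
-imports = [../../common/secrets/secrets.nix];
-"headscale-oidc-secret.age".publicKeys = [prefect yubi-main yubi-back];
-"dn42-privkey.age".publicKeys = [prefect yubi-main yubi-back];
-"dn42-peerfinder-uuid.age".publicKeys = [prefect yubi-main yubi-back];
-"wireguard-priv-key.age".publicKeys = [prefect yubi-main yubi-back];
-"acme-creds.age".publicKeys = [prefect yubi-main yubi-back];
+in
+{
+imports = [ ../../common/secrets/secrets.nix ];
+"headscale-oidc-secret.age".publicKeys = [
+prefect
+yubi-main
+yubi-back
+];
+"dn42-privkey.age".publicKeys = [
+prefect
+yubi-main
+yubi-back
+];
+"dn42-peerfinder-uuid.age".publicKeys = [
+prefect
+yubi-main
+yubi-back
+];
+"wireguard-priv-key.age".publicKeys = [
+prefect
+yubi-main
+yubi-back
+];
+"acme-creds.age".publicKeys = [
+prefect
+yubi-main
+yubi-back
+];
 }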
+5 -2
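--- a/systems/x86_64-linux/prefect/services/acme.nix
+++ b/systems/x86_64-linux/prefect/services/acme.nix
@@ -1,6 +1,9 @@
-{config, ...}: {
+{ config, ... }:
+{
 security.acme = {
-certs."pyrox.dev" = {domain = "*.pyrox.dev";};
+certs."pyrox.dev" = {
+domain = "*.pyrox.dev";
+};
 defaults = {
 # LE Production Server
 server = "https://acme-v02.api.letsencrypt.org/directory";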
+5 -4
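--- a/systems/x86_64-linux/prefect/services/blog-update.nix
+++ b/systems/x86_64-linux/prefect/services/blog-update.nix
@@ -1,8 +1,9 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 systemd.timers.blog-update = {
 enable = false;
-after = ["network.target"];
-wantedBy = ["multi-user.target"];
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
 description = "Blog Update Timer";
 timerConfig = {
 Unit = "blog-update.service";
@@ -12,7 +13,7 @@
 
 systemd.services.blog-update = {
 enable = false;
-wantedBy = ["multi-user.target"];
+wantedBy = [ "multi-user.target" ];
 description = "Blog Update Service";
 path = [
 "${pkgs.hugo}"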
+14 -5
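--- a/systems/x86_64-linux/prefect/services/headscale.nix
+++ b/systems/x86_64-linux/prefect/services/headscale.nix
@@ -14,10 +14,10 @@
 # See https://tailscale.com/kb/1081/magicdns/ for more details
 magicDns = true;
 # I inject DNS.sb as my secondary nameserver, and my adblocking server as primary.
-nameservers = ["45.11.45.11"];
+nameservers = [ "45.11.45.11" ];
 # Domains to inject, so I can type "media/" into my search bar and go to "media.main.hog"
 # You can't tell headscale to not create a namespace, so this is the best that I can do
-domains = ["main.hog"];
+domains = [ "main.hog" ];
 };
 # Automatic TLS
 tls = {
@@ -47,7 +47,10 @@
 # oidc.strip_email_domain = true;
 # NixOS handles our updates
 disable_check_updates = true;
-ip_prefixes = ["4349:3909:beef::/48" "100.64.0.0/10"];
+ip_prefixes = [
+"4349:3909:beef::/48"
+"100.64.0.0/10"
+];
 derp = {
 server = {
 enabled = true;
@@ -59,6 +62,12 @@
 };
 };
 };
-systemd.services.headscale.serviceConfig.CapabilityBoundingSet = ["CAP_CHOWN" "CAP_NET_BIND_SERVICE"];
-systemd.services.headscale.serviceConfig.AmbientCapabilities = ["CAP_CHOWN" "CAP_NET_BIND_SERVICE"];
+systemd.services.headscale.serviceConfig.CapabilityBoundingSet = [
+"CAP_CHOWN"
+"CAP_NET_BIND_SERVICE"
+];
+systemd.services.headscale.serviceConfig.AmbientCapabilities = [
+"CAP_CHOWN"
+"CAP_NET_BIND_SERVICE"
+];
 }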
+11 -6
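--- a/systems/x86_64-linux/prefect/services/mailserver/default.nix
+++ b/systems/x86_64-linux/prefect/services/mailserver/default.nix
@@ -1,15 +1,17 @@
+{ lib, ... }:
 {
-lib,
-...
-}: {
-imports = [./logins.nix ./monitoring.nix ./overrides.nix];
+imports = [
+./logins.nix
+./monitoring.nix
+./overrides.nix
+];
 mailserver = {
 enable = true;
 fqdn = "mail.pyrox.dev";
 openFirewall = true;
 
 # All domains this server runs email for
-domains = ["pyrox.dev"];
+domains = [ "pyrox.dev" ];
 
 # Enable STARTTLS
 enableImap = true;
@@ -29,7 +31,10 @@
 dkimKeyDirectory = "/srv/mail/dkim";
 
 # Set all no-reply addresses
-rejectRecipients = [ "no-reply@pyrox.dev" "dmarc-noreply@pyrox.dev" ];
+rejectRecipients = [
+"no-reply@pyrox.dev"
+"dmarc-noreply@pyrox.dev"
+];
 
 # DKIM Settings
 dkimBodyCanonicalization = "relaxed";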
+6 -1
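--- a/systems/x86_64-linux/prefect/services/mailserver/logins.nix
+++ b/systems/x86_64-linux/prefect/services/mailserver/logins.nix
@@ -2,7 +2,12 @@
 mailserver.loginAccounts = {
 "pyrox@pyrox.dev" = {
 hashedPassword = "$2b$05$8k04quBe6adg8d1yznEp3uNYM54MOVJTwDGIWvzocQFoWbmcCvebC";
-aliases = ["pyrox" "postmaster@pyrox.dev" "abuse@pyrox.dev" "domains@pyrox.dev"];
+aliases = [
+"pyrox"
+"postmaster@pyrox.dev"
+"abuse@pyrox.dev"
+"domains@pyrox.dev"
+];
 };
 "social@pyrox.dev" = {
 hashedPassword = "$2b$05$kFDeXvSKU9oXuQXlitA7v.kkbzgCDTrm4O3Nb1kifPe7yAR7.KimO";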
+1 -5
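--- a/systems/x86_64-linux/prefect/services/mailserver/monitoring.nix
+++ b/systems/x86_64-linux/prefect/services/mailserver/monitoring.nix
@@ -1,8 +1,4 @@
-{
-config,
-pkgs,
-...
-}:
+{ config, pkgs, ... }:
 # let
 # cfg = config.mailserver;
 # in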
+4 -2
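--- a/systems/x86_64-linux/prefect/services/mailserver/overrides.nix
+++ b/systems/x86_64-linux/prefect/services/mailserver/overrides.nix
@@ -1,8 +1,10 @@
-{lib, ...}: let
+{ lib, ... }:
+let
 inherit (lib) mkForce;
 tlsProtocols = ">=TLSv1.2";
 excludeCiphers = "MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL, AES128-SHA, AES256-SHA";
-in {
+in
+{
 services.postfix.config = {
 # only support TLS 1.3/1.2
 smtpd_tls_protocols = mkForce tlsProtocols;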
+2 -3
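--- a/systems/x86_64-linux/prefect/services/nginx/default.nix
+++ b/systems/x86_64-linux/prefect/services/nginx/default.nix
@@ -1,6 +1,5 @@
-{ lib
-, ...
-}: {
+{ lib, ... }:
+{
 services.nginx = {
 enable = true;
 additionalModules = [ ];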
+2 -5
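--- a/systems/x86_64-linux/prefect/services/php.nix
+++ b/systems/x86_64-linux/prefect/services/php.nix
@@ -1,8 +1,5 @@
+{ lib, pkgs, ... }:
 {
-lib,
-pkgs,
-...
-}: {
 services.phpfpm.pools = {
 littlelink = {
 user = "caddy";
@@ -18,7 +15,7 @@
 "php_admin_flag[log_errors]" = true;
 "catch_workers_output" = true;
 };
-phpEnv."PATH" = lib.makeBinPath [pkgs.php];
+phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
 };
 };
 }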
+10 -13
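--- a/systems/x86_64-linux/prefect/services/prometheus.nix
+++ b/systems/x86_64-linux/prefect/services/prometheus.nix
@@ -1,39 +1,36 @@
-{config, ...}: {
+{ config, ... }:
+{
 services.prometheus = {
 enable = true;
 port = 6999;
 exporters = {
 node = {
 enable = true;
-enabledCollectors = ["systemd"];
+enabledCollectors = [ "systemd" ];
 port = 6998;
 };
-bird = {enable = true;};
+bird = {
+enable = true;
+};
 };
 scrapeConfigs = [
 {
 job_name = "prefect";
 static_configs = [
-{
-targets = [
-"127.0.0.1:${
-toString config.services.prometheus.exporters.node.port
-}"
-];
-}
+{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
 ];
 }
 {
 job_name = "caddy";
-static_configs = [{targets = ["127.0.0.1:6899"];}];
+static_configs = [ { targets = [ "127.0.0.1:6899" ]; } ];
 }
 {
 job_name = "bird";
-static_configs = [{targets = ["127.0.0.1:9324"];}];
+static_configs = [ { targets = [ "127.0.0.1:9324" ]; } ];
 }
 {
 job_name = "prometheus";
-static_configs = [{targets = ["127.0.0.1:6999"];}];
+static_configs = [ { targets = [ "127.0.0.1:6999" ]; } ];
 }
 ];
 };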
+7 -4
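--- a/systems/x86_64-linux/prefect/services/tailscale.nix
+++ b/systems/x86_64-linux/prefect/services/tailscale.nix
@@ -1,8 +1,11 @@
-{config, ...}: {
-services.tailscale = {enable = true;};
+{ config, ... }:
+{
+services.tailscale = {
+enable = true;
+};
 networking.firewall = {
-trustedInterfaces = ["tailscale0"];
-allowedUDPPorts = [config.services.tailscale.port];
+trustedInterfaces = [ "tailscale0" ];
+allowedUDPPorts = [ config.services.tailscale.port ];
 checkReversePath = "loose";
 };
 }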
+1 -1
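--- a/systems/x86_64-linux/prefect/services/zerotier.nix
+++ b/systems/x86_64-linux/prefect/services/zerotier.nix
@@ -1,6 +1,6 @@
 {
 services.zerotierone = {
 enable = true;
-joinNetworks = ["a84ac5c10a3b1d69"];
+joinNetworks = [ "a84ac5c10a3b1d69" ];
 };
 }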
+2 -2
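--- a/systems/x86_64-linux/thought/firewall.nix
+++ b/systems/x86_64-linux/thought/firewall.nix
@@ -1,8 +1,8 @@
 {
 networking.firewall = {
 enable = true;
-allowedTCPPorts = [8000];
-allowedUDPPorts = [34197];
+allowedTCPPorts = [ 8000 ];
+allowedUDPPorts = [ 34197 ];
 };
 services.ferm = {
 enable = true;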
+1 -1
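--- a/systems/x86_64-linux/thought/hardware.nix
+++ b/systems/x86_64-linux/thought/hardware.nix
@@ -1 +1 @@
-{zramSwap.enable = true;}
+{ zramSwap.enable = true; }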
+2 -4
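--- a/systems/x86_64-linux/thought/networking.nix
+++ b/systems/x86_64-linux/thought/networking.nix
@@ -1,12 +1,10 @@
+{ lib, ... }:
 {
-lib,
-...
-}: {
 networking = {
 hostName = "thought";
 hostId = "1e22528e";
 useDHCP = false;
-nameservers = lib.mkForce [];
+nameservers = lib.mkForce [ ];
 resolvconf.enable = false;
 interfaces.enp1s0 = {
 ipv6.addresses = [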
+4 -1
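--- a/systems/x86_64-linux/thought/packages.nix
+++ b/systems/x86_64-linux/thought/packages.nix
@@ -1 +1,4 @@
-{pkgs, ...}: {environment.systemPackages = with pkgs; [direnv];}
+{ pkgs, ... }:
+{
+environment.systemPackages = with pkgs; [ direnv ];
+}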
+3 -2
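--- a/systems/x86_64-linux/thought/secrets/secrets.nix
+++ b/systems/x86_64-linux/thought/secrets/secrets.nix
@@ -7,7 +7,8 @@
 backup = "ssh-rsa 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";
 # deadnix: skip
 thought = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGkJcLykggEp427h2IywoiR74Yl3N+FU6Pwx9ZFQ3vjq";
-in {
-imports = [../../common/secrets/secrets.nix];
+in
+{
+imports = [ ../../common/secrets/secrets.nix ];
 # "headscale-oidc-secret.age".publicKeys = [ prefect yubi-main yubi-back ];
 }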
+10 -13
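--- a/systems/x86_64-linux/thought/services/prometheus.nix
+++ b/systems/x86_64-linux/thought/services/prometheus.nix
@@ -1,39 +1,36 @@
-{config, ...}: {
+{ config, ... }:
+{
 services.prometheus = {
 enable = true;
 port = 6999;
 exporters = {
 node = {
 enable = true;
-enabledCollectors = ["systemd"];
+enabledCollectors = [ "systemd" ];
 port = 6998;
 };
-bird = {enable = true;};
+bird = {
+enable = true;
+};
 };
 scrapeConfigs = [
 {
 job_name = "prefect";
 static_configs = [
-{
-targets = [
-"127.0.0.1:${
-toString config.services.prometheus.exporters.node.port
-}"
-];
-}
+{ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ]; }
 ];
 }
 {
 job_name = "caddy";
-static_configs = [{targets = ["127.0.0.1:6899"];}];
+static_configs = [ { targets = [ "127.0.0.1:6899" ]; } ];
 }
 {
 job_name = "bird";
-static_configs = [{targets = ["127.0.0.1:9324"];}];
+static_configs = [ { targets = [ "127.0.0.1:9324" ]; } ];
 }
 {
 job_name = "prometheus";
-static_configs = [{targets = ["127.0.0.1:6999"];}];
+static_configs = [ { targets = [ "127.0.0.1:6999" ]; } ];
 }
 ];
 };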
+7 -4
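--- a/systems/x86_64-linux/thought/services/tailscale.nix
+++ b/systems/x86_64-linux/thought/services/tailscale.nix
@@ -1,8 +1,11 @@
-{config, ...}: {
-services.tailscale = {enable = true;};
+{ config, ... }:
+{
+services.tailscale = {
+enable = true;
+};
 networking.firewall = {
-trustedInterfaces = ["tailscale0"];
-allowedUDPPorts = [config.services.tailscale.port];
+trustedInterfaces = [ "tailscale0" ];
+allowedUDPPorts = [ config.services.tailscale.port ];
 checkReversePath = "loose";
 };
 }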
+8 -8
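--- a/systems/x86_64-linux/zaphod/fonts.nix
+++ b/systems/x86_64-linux/zaphod/fonts.nix
@@ -1,17 +1,17 @@
+{ pkgs, lib, ... }:
 {
-pkgs,
-lib,
-...
-}: {
 fonts = {
 fontDir.enable = true;
 fontconfig = {
 enable = lib.mkForce true;
 defaultFonts = {
-serif = ["IBM Plex Serif"];
-sansSerif = ["IBM Plex Sans"];
-monospace = ["IBM Plex Mono" "FiraCode Nerd Font Mono"];
-emoji = ["JoyPixels"];
+serif = [ "IBM Plex Serif" ];
+sansSerif = [ "IBM Plex Sans" ];
+monospace = [
+"IBM Plex Mono"
+"FiraCode Nerd Font Mono"
+];
+emoji = [ "JoyPixels" ];
 };
 };
 packages = with pkgs; [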
+12 -11
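--- a/systems/x86_64-linux/zaphod/kde.nix
+++ b/systems/x86_64-linux/zaphod/kde.nix
@@ -1,15 +1,16 @@
-{services.xserver = {
-enable = false;
-displayManager = {
-sddm.enable = false;
-defaultSession = "plasmawayland";
-};
-desktopManager.plasma5 = {
+{
+services.xserver = {
 enable = false;
-phononBackend = "vlc";
-runUsingSystemd = true;
-useQtScaling = true;
-};
+displayManager = {
+sddm.enable = false;
+defaultSession = "plasmawayland";
+};
+desktopManager.plasma5 = {
+enable = false;
+phononBackend = "vlc";
+runUsingSystemd = true;
+useQtScaling = true;
+};
 };
 qt = {
 enable = true;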
+6 -7
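--- a/systems/x86_64-linux/zaphod/networking.nix
+++ b/systems/x86_64-linux/zaphod/networking.nix
@@ -1,8 +1,5 @@
+{ lib, pkgs, ... }:
 {
-lib,
-pkgs,
-...
-}: {
 networking = {
 enableB43Firmware = false;
 enableIPv6 = true;
@@ -17,21 +14,23 @@
 dns = lib.mkForce "default";
 wifi.powersave = true;
 };
-wireless = {enable = false;};
+wireless = {
+enable = false;
+};
 
 # Tailscale fix(not needed, but recommended)
 firewall.checkReversePath = "loose";
 
 # DNS Servers
 # Only use local resolver
-nameservers = lib.mkForce [];
+nameservers = lib.mkForce [ ];
 
 resolvconf.enable = false;
 };
 services.resolved = {
 enable = false;
 llmnr = "true";
-fallbackDns = ["158.59.252.11"];
+fallbackDns = [ "158.59.252.11" ];
 extraConfig = ''
 MulticastDNS=true
 '';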
+1 -1
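--- a/systems/x86_64-linux/zaphod/power.nix
+++ b/systems/x86_64-linux/zaphod/power.nix
@@ -1 +1 @@
-{powerManagement.enable = true;}
+{ powerManagement.enable = true; }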
+7 -2
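--- a/systems/x86_64-linux/zaphod/programs/sway.nix
+++ b/systems/x86_64-linux/zaphod/programs/sway.nix
@@ -1,7 +1,12 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 programs.sway = {
 enable = true;
-extraPackages = with pkgs; [swaylock-effects swayidle kitty];
+extraPackages = with pkgs; [
+swaylock-effects
+swayidle
+kitty
+];
 wrapperFeatures.base = true;
 wrapperFeatures.gtk = true;
 };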
+8 -1
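--- a/systems/x86_64-linux/zaphod/secrets/secrets.nix
+++ b/systems/x86_64-linux/zaphod/secrets/secrets.nix
@@ -2,4 +2,11 @@
 yubi-back = "ssh-rsa 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";
 yubi-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBBsOIMMZVmleClXfqUMrnmyh8PFuyiJqHKEZ51Xy746";
 backup = "ssh-rsa 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";
-in {"wg-privkey.age".publicKeys = [yubi-back yubi-main backup];}
+in
+{
+"wg-privkey.age".publicKeys = [
+yubi-back
+yubi-main
+backup
+];
+}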
+4 -2
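--- a/systems/x86_64-linux/zaphod/security/modules.nix
+++ b/systems/x86_64-linux/zaphod/security/modules.nix
@@ -1,4 +1,6 @@
 {
-imports = [./pam.nix];
-security = {protectKernelImage = true;};
+imports = [ ./pam.nix ];
+security = {
+protectKernelImage = true;
+};
 }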
+9 -7
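--- a/systems/x86_64-linux/zaphod/services/docker.nix
+++ b/systems/x86_64-linux/zaphod/services/docker.nix
@@ -1,11 +1,13 @@
-{pkgs, ...}: let
+{ pkgs, ... }:
+let
 
-betterDocker = pkgs.docker.override {
-buildxSupport = false;
-composeSupport = false;
-sbomSupport = false;
-};
-in {
+betterDocker = pkgs.docker.override {
+buildxSupport = false;
+composeSupport = false;
+sbomSupport = false;
+};
+in
+{
 virtualisation.docker = {
 enable = true;
 package = betterDocker;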
+2 -1
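--- a/systems/x86_64-linux/zaphod/services/fprintd.nix
+++ b/systems/x86_64-linux/zaphod/services/fprintd.nix
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 services.fprintd = {
 enable = true;
 tod.enable = true;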
+1 -1
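--- a/systems/x86_64-linux/zaphod/services/fwupd.nix
+++ b/systems/x86_64-linux/zaphod/services/fwupd.nix
@@ -1,7 +1,7 @@
 {
 services.fwupd = {
 enable = true;
-extraRemotes = ["lvfs-testing"];
+extraRemotes = [ "lvfs-testing" ];
 uefiCapsuleSettings = {
 "DisableCapsuleUpdateOnDisk" = true;
 };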
+2 -1
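--- a/systems/x86_64-linux/zaphod/services/greetd.nix
+++ b/systems/x86_64-linux/zaphod/services/greetd.nix
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 services.greetd = {
 enable = true;
 settings = {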
+3 -2
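--- a/systems/x86_64-linux/zaphod/services/kmscon.nix
+++ b/systems/x86_64-linux/zaphod/services/kmscon.nix
@@ -1,11 +1,12 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 services.kmscon = {
 enable = true;
 hwRender = true;
 fonts = [
 {
 name = "BlexMono Nerd Font";
-package = pkgs.nerdfonts.override {fonts = ["IBMPlexMono"];};
+package = pkgs.nerdfonts.override { fonts = [ "IBMPlexMono" ]; };
 }
 ];
 };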
+5 -8
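--- a/systems/x86_64-linux/zaphod/services/misc.nix
+++ b/systems/x86_64-linux/zaphod/services/misc.nix
@@ -1,15 +1,12 @@
+{ config, lib, ... }:
 {
-config,
-lib,
-...
-}: {
 services = {
 blueman.enable = true;
 fstrim.enable = lib.mkDefault true;
-tlp.enable =
-lib.mkDefault
-((lib.versionOlder (lib.versions.majorMinor lib.version) "21.05")
-|| !config.services.power-profiles-daemon.enable);
+tlp.enable = lib.mkDefault (
+(lib.versionOlder (lib.versions.majorMinor lib.version) "21.05")
+|| !config.services.power-profiles-daemon.enable
+);
 libinput.enable = lib.mkDefault true;
 };
 }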
+5 -1
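--- a/systems/x86_64-linux/zaphod/services/packagekit.nix
+++ b/systems/x86_64-linux/zaphod/services/packagekit.nix
@@ -1 +1,5 @@
-{services = {packagekit.enable = false;};}
+{
+services = {
+packagekit.enable = false;
+};
+}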
+5 -1
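--- a/systems/x86_64-linux/zaphod/services/pcscd.nix
+++ b/systems/x86_64-linux/zaphod/services/pcscd.nix
@@ -1 +1,5 @@
-{services.pcscd = {enable = true;};}
+{
+services.pcscd = {
+enable = true;
+};
+}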
+5 -1
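--- a/systems/x86_64-linux/zaphod/services/tailscale.nix
+++ b/systems/x86_64-linux/zaphod/services/tailscale.nix
@@ -1 +1,5 @@
-{services.tailscale = {enable = true;};}
+{
+services.tailscale = {
+enable = true;
+};
+}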