
cleanup: Formatting changes as well as removal of unused modules

Notable changes include:
- remove references to fly-agaric and dandelion hosts
- remove syncthing module
- remove binary-cache module
- remove unused development modules
- remove eturnal module
- remove kde module
- remove nfs module
- remove sss modules
- remove dendrite module
- remove dufs module
- remove ejabberd module
- remove libvirt module
- remove redundant smartd configuration from lily
- remove packages module from lily and lutea
- move flake management utilities into nix module
- remove unused patches and packages
- adjust domains we get certs for using cp-certs
- remove netbird firewall rule

yemou.pink 899cfc5b 3f4316f6

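--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,34 +1,12 @@
 keys:
-- &dandelion age1p5y7px4qnlgxgxd6j5vg4wtpzs24fnh4808ws7gah3x89j66muasxz7ck2
-- &fly-agaric age1tmfn7f2j8rhlg0gz3hcfjrwta3f0ecctc4dhpp6y8thtgta97c7q2vxnyl
 - &lily age1amaa55e7nusv904a9ucfvtnjlw4srtet42suehey6u3yc4t2xc5sdldepj
 - &lutea age1p55em5e3uk3fprj2mpum7ulrslcqgly63pjsyw2yv6hx99trdsnsvvv9ex
 creation_rules:
 - path_regex: hidden/network.json$
 key_groups:
 - age:
-- *dandelion
 - *lily
 - *lutea
-- path_regex: hidden/syncthing.json$
-key_groups:
-- age:
-- *dandelion
-- *lily
-- *lutea
-- path_regex: secrets/dali.yaml$
-key_groups:
-- age:
-- *dandelion
-- *lily
-- path_regex: secrets/dandelion.yaml$
-key_groups:
-- age:
-- *dandelion
-- path_regex: secrets/fly-agaric.yaml$
-key_groups:
-- age:
-- *fly-agaric
 - path_regex: secrets/lily.yaml$
 key_groups:
 - age: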
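Review bot: Dropping the `&dandelion` and `&fly-agaric` anchors here does not re-key the files that were encrypted to them — in this commit's hidden/network.json section the unchanged line `"recipient": "age1p5y7px4qnlgxgxd6j5vg4wtpzs24fnh4808ws7gah3x89j66muasxz7ck2"` survives while only `lastmodified`, `mac` and `version` were rewritten, so the retired host's age key can still unwrap that file's data key. The rules in .sops.yaml are applied to existing files only by `sops updatekeys hidden/network.json` (and the same for any other file whose rule listed the removed anchors), which re-wraps the data key for lily and lutea alone. Since earlier revisions in history remain decryptable by the removed keys regardless, whether the values in network.json need rotating is a judgment the hunk cannot settle, but it should be stated in the commit message one way or the other.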
-72
dandelion/config.nix
··· 1 - { ... }: 2 - { 3 - imports = [ 4 - ./hardware.nix 5 - ./packages.nix 6 - 7 - ../modules/basic.nix 8 - ../modules/caddy.nix 9 - ../modules/development/nix.nix 10 - ../modules/development/sh.nix 11 - ../modules/editor.nix 12 - ../modules/fail2ban.nix 13 - ../modules/machine-id.nix 14 - ../modules/machine-info.nix 15 - ../modules/netbird.nix 16 - ../modules/network-info.nix 17 - ../modules/nfs.nix 18 - ../modules/nix.nix 19 - ../modules/remote-build-machines.nix 20 - 21 - ../modules/services/caddy 22 - ../modules/services/caddy/atproto-did.nix 23 - ../modules/services/caddy/cp-certs.nix 24 - # ../modules/services/caddy/matrix.nix 25 - ../modules/services/caddy/nextcloud.nix 26 - ../modules/services/caddy/pds.nix 27 - ../modules/services/caddy/soju.nix 28 - ../modules/services/caddy/tangled-knot.nix 29 - ../modules/services/caddy/websites/boo-b77.nix 30 - ../modules/services/caddy/websites/boo-y6d.nix 31 - ../modules/services/caddy/websites/org-biotabit.nix 32 - ../modules/services/caddy/websites/org-butwho.nix 33 - ../modules/services/caddy/websites/pink-lilac.nix 34 - ../modules/services/caddy/websites/pink-yemou.nix 35 - ../modules/services/caddy/xmpp.nix 36 - ../modules/services/eturnal.nix 37 - ../modules/services/openssh.nix 38 - ../modules/services/soju.nix 39 - ]; 40 - 41 - sops = { 42 - defaultSopsFile = ../secrets/dandelion.yaml; 43 - defaultSopsFormat = "yaml"; 44 - age.keyFile = "/data/keys.txt"; 45 - }; 46 - 47 - networking.hostName = "dandelion"; 48 - nix.settings.max-jobs = 0; 49 - 50 - garden = { 51 - caddy.package = { 52 - plugins = [ 53 - "github.com/mholt/caddy-events-exec@v0.1.0" 54 - "github.com/mholt/caddy-l4@v0.0.0-20250530154005-4d3c80e89c5f" 55 - ]; 56 - hash = "sha256-o6FTkx9u7Bds8FKuw1quT3lX4Kyc30s/XBkcKJkOVJY="; 57 - }; 58 - info.host.vps = true; 59 - }; 60 - 61 - # This option defines the first version of NixOS you have installed on this particular machine, 62 - # and is used to maintain compatibility with application data (e.g. 
databases) created on older 63 - # NixOS versions. Most users should NEVER change this value after the initial install, for any 64 - # reason, even if you've upgraded your system to a new NixOS release. This value does NOT affect 65 - # the Nixpkgs version your packages and OS are pulled from, so changing it will NOT upgrade your 66 - # system. This value being lower than the current NixOS release does NOT mean your system is out 67 - # of date, out of support, or vulnerable. Do NOT change this value unless you have manually 68 - # inspected all the changes it would make to your configuration, and migrated your data 69 - # accordingly. For more information, see `man configuration.nix` or 70 - # https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . 71 - system.stateVersion = "24.05"; # Did you read the comment? 72 - }
-114
dandelion/hardware.nix
··· 1 - { 2 - config, 3 - lib, 4 - modulesPath, 5 - ... 6 - }: 7 - { 8 - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; 9 - 10 - boot = { 11 - initrd = { 12 - availableKernelModules = [ 13 - "ahci" 14 - "xhci_pci" 15 - "virtio_pci" 16 - "virtio_scsi" 17 - "sd_mod" 18 - "sr_mod" 19 - ]; 20 - kernelModules = [ ]; 21 - }; 22 - kernelModules = [ ]; 23 - loader = { 24 - grub = { 25 - enable = true; 26 - configurationLimit = 50; 27 - device = "/dev/sda"; 28 - copyKernels = true; 29 - }; 30 - timeout = 0; 31 - }; 32 - tmp.useTmpfs = true; 33 - }; 34 - 35 - fileSystems = { 36 - "/" = { 37 - device = "none"; 38 - fsType = "tmpfs"; 39 - options = [ 40 - "defaults" 41 - "mode=755" 42 - ]; 43 - }; 44 - "/nix" = { 45 - device = "/dev/disk/by-uuid/1b032448-bc11-4d13-9f5b-c6e980288325"; 46 - fsType = "btrfs"; 47 - options = [ 48 - "subvol=@nixos/nix" 49 - "compress=zstd" 50 - ]; 51 - }; 52 - "/config" = { 53 - device = "/dev/disk/by-uuid/1b032448-bc11-4d13-9f5b-c6e980288325"; 54 - fsType = "btrfs"; 55 - options = [ 56 - "subvol=@nixos/config" 57 - "compress=zstd" 58 - ]; 59 - }; 60 - "/data" = { 61 - device = "/dev/disk/by-uuid/1b032448-bc11-4d13-9f5b-c6e980288325"; 62 - fsType = "btrfs"; 63 - options = [ 64 - "subvol=@nixos/data" 65 - "compress=zstd" 66 - ]; 67 - neededForBoot = true; 68 - }; 69 - "/home/mou" = { 70 - device = "/dev/disk/by-uuid/1b032448-bc11-4d13-9f5b-c6e980288325"; 71 - fsType = "btrfs"; 72 - options = [ 73 - "subvol=@home/mou" 74 - "compress=zstd" 75 - ]; 76 - }; 77 - "/swap" = { 78 - device = "/dev/disk/by-uuid/1b032448-bc11-4d13-9f5b-c6e980288325"; 79 - fsType = "btrfs"; 80 - options = [ "subvol=@swap" ]; 81 - }; 82 - "/boot" = { 83 - device = "/dev/disk/by-uuid/5cde8da8-fe2c-4177-90b3-000c32874610"; 84 - fsType = "ext4"; 85 - }; 86 - }; 87 - 88 - swapDevices = [ { device = "/swap/swapfile"; } ]; 89 - 90 - # FIXME: A better solution may be coming soon: https://github.com/NixOS/nixpkgs/issues/119244 91 - systemd.tmpfiles.settings."zswap" = { 92 - 
"/sys/module/zswap/parameters/accept_threshold_percent"."w-".argument = "90"; 93 - "/sys/module/zswap/parameters/compressor "."w-".argument = "zstd"; 94 - "/sys/module/zswap/parameters/enabled"."w-".argument = "Y"; 95 - "/sys/module/zswap/parameters/max_pool_percent"."w-".argument = "50"; 96 - "/sys/module/zswap/parameters/shrinker_enabled"."w-".argument = "N"; 97 - "/sys/module/zswap/parameters/zpool"."w-".argument = "zsmalloc"; 98 - }; 99 - 100 - hardware.enableRedistributableFirmware = true; 101 - 102 - networking.useDHCP = lib.mkDefault false; 103 - systemd.network = { 104 - enable = true; 105 - networks."10-wan" = { 106 - matchConfig.Name = "enp1s0"; 107 - networkConfig.DHCP = "ipv4"; 108 - address = [ "${config.garden.info.network.${config.networking.hostName}.ipv6}/64" ]; 109 - routes = [ { Gateway = "fe80::1"; } ]; 110 - }; 111 - }; 112 - 113 - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 114 - }
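--- a/dandelion/home.nix
+++ b/dandelion/home.nix
@@ -1,8 +0,0 @@
-{ ... }:
-{
-imports = [
-../modules/dotfiles.nix
-../modules/home.nix
-];
-home.stateVersion = "24.05";
-}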
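--- a/dandelion/packages.nix
+++ b/dandelion/packages.nix
@@ -1,4 +0,0 @@
-{ ... }:
-{
-users.users.mou.packages = [ ];
-}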
+56 -20
flake.lock
··· 1 1 { 2 2 "nodes": { 3 + "blender-bin": { 4 + "inputs": { 5 + "nixpkgs": "nixpkgs" 6 + }, 7 + "locked": { 8 + "dir": "blender", 9 + "lastModified": 1754037902, 10 + "narHash": "sha256-d9hAFy/R8o5UM/mrgCBm+xE8NbtgkXYPHLVza07xGgE=", 11 + "owner": "edolstra", 12 + "repo": "nix-warez", 13 + "rev": "e8b2b3214f07970e45ec3fc98d957b0507a3564a", 14 + "type": "github" 15 + }, 16 + "original": { 17 + "dir": "blender", 18 + "owner": "edolstra", 19 + "repo": "nix-warez", 20 + "type": "github" 21 + } 22 + }, 3 23 "flake-compat": { 4 24 "flake": false, 5 25 "locked": { ··· 102 122 ] 103 123 }, 104 124 "locked": { 105 - "lastModified": 1754263839, 106 - "narHash": "sha256-ck7lILfCNuunsLvExPI4Pw9OOCJksxXwozum24W8b+8=", 125 + "lastModified": 1754365350, 126 + "narHash": "sha256-NLWIkn1qM0wxtZu/2NXRaujWJ4Y1PSZlc7h0y6pOzOQ=", 107 127 "owner": "nix-community", 108 128 "repo": "home-manager", 109 - "rev": "1d7abbd5454db97e0af51416f4960b3fb64a4773", 129 + "rev": "c5d7e957397ecb7d48b99c928611c6e780db1b56", 110 130 "type": "github" 111 131 }, 112 132 "original": { ··· 211 231 }, 212 232 "nixpkgs": { 213 233 "locked": { 214 - "lastModified": 1754284898, 215 - "narHash": "sha256-wzM6HN0xxyooekXfl7p5P4Bn0LieOKOfsLg4DqY7XLk=", 234 + "lastModified": 1733808091, 235 + "narHash": "sha256-KWwINTQelKOoQgrXftxoqxmKFZb9pLVfnRvK270nkVk=", 216 236 "owner": "NixOS", 217 237 "repo": "nixpkgs", 218 - "rev": "114484ca7213ac06fa7907e58dd8ef9d801d39f0", 238 + "rev": "a0f3e10d94359665dba45b71b4227b0aeb851f8e", 239 + "type": "github" 240 + }, 241 + "original": { 242 + "id": "nixpkgs", 243 + "ref": "nixos-24.11", 244 + "type": "indirect" 245 + } 246 + }, 247 + "nixpkgs_2": { 248 + "locked": { 249 + "lastModified": 1754330460, 250 + "narHash": "sha256-L5eUA2YptCeQn3IKcJXCKZ8Vb97BCG/SgxnHpNLSEi0=", 251 + "owner": "NixOS", 252 + "repo": "nixpkgs", 253 + "rev": "23c58a9c308f6652ab64a27595d75861a5f51fa6", 219 254 "type": "github" 220 255 }, 221 256 "original": { ··· 225 260 "type": "github" 226 261 } 227 262 }, 
228 - "nixpkgs_2": { 263 + "nixpkgs_3": { 229 264 "locked": { 230 265 "lastModified": 1722403750, 231 266 "narHash": "sha256-tRmn6UiFAPX0m9G1AVcEPjWEOc9BtGsxGcs7Bz3MpsM=", ··· 241 276 "type": "github" 242 277 } 243 278 }, 244 - "nixpkgs_3": { 279 + "nixpkgs_4": { 245 280 "locked": { 246 281 "lastModified": 1744868846, 247 282 "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=", ··· 257 292 "type": "github" 258 293 } 259 294 }, 260 - "nixpkgs_4": { 295 + "nixpkgs_5": { 261 296 "locked": { 262 297 "lastModified": 1751984180, 263 298 "narHash": "sha256-LwWRsENAZJKUdD3SpLluwDmdXY9F45ZEgCb0X+xgOL0=", ··· 277 312 "inputs": { 278 313 "flake-compat": "flake-compat", 279 314 "flake-utils": "flake-utils", 280 - "nixpkgs": "nixpkgs_2", 315 + "nixpkgs": "nixpkgs_3", 281 316 "rust-overlay": "rust-overlay" 282 317 }, 283 318 "locked": { ··· 296 331 }, 297 332 "root": { 298 333 "inputs": { 334 + "blender-bin": "blender-bin", 299 335 "home-manager": "home-manager", 300 336 "impermanence": "impermanence", 301 - "nixpkgs": "nixpkgs", 337 + "nixpkgs": "nixpkgs_2", 302 338 "roc-lang": "roc-lang", 303 339 "sops-nix": "sops-nix", 304 340 "tangled-sh": "tangled-sh", ··· 329 365 }, 330 366 "sops-nix": { 331 367 "inputs": { 332 - "nixpkgs": "nixpkgs_3" 368 + "nixpkgs": "nixpkgs_4" 333 369 }, 334 370 "locked": { 335 - "lastModified": 1752544651, 336 - "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=", 371 + "lastModified": 1754328224, 372 + "narHash": "sha256-glPK8DF329/dXtosV7YSzRlF4n35WDjaVwdOMEoEXHA=", 337 373 "owner": "Mic92", 338 374 "repo": "sops-nix", 339 - "rev": "2c8def626f54708a9c38a5861866660395bb3461", 375 + "rev": "49021900e69812ba7ddb9e40f9170218a7eca9f4", 340 376 "type": "github" 341 377 }, 342 378 "original": { ··· 398 434 "indigo": "indigo", 399 435 "inter-fonts-src": "inter-fonts-src", 400 436 "lucide-src": "lucide-src", 401 - "nixpkgs": "nixpkgs_4", 437 + "nixpkgs": "nixpkgs_5", 402 438 "sqlite-lib-src": "sqlite-lib-src" 403 439 }, 404 440 
"locked": { ··· 419 455 "yemou-dotfiles": { 420 456 "flake": false, 421 457 "locked": { 422 - "lastModified": 1751154273, 423 - "narHash": "sha256-UmSxoyPe7n5aga3e/nUbGRAiBPNL6Qx9ajBme3fwp7o=", 458 + "lastModified": 1754330523, 459 + "narHash": "sha256-K2VZlNCtPdYpirf8EFYNqbM3I226OfEH6VJZ/TVJinc=", 424 460 "ref": "refs/heads/main", 425 - "rev": "7c4b87bd891ed51ef7eb0630433424760a93f107", 426 - "revCount": 99, 461 + "rev": "e707438e1157ac7b085c48c44bab3948d07825a6", 462 + "revCount": 102, 427 463 "type": "git", 428 464 "url": "https://tangled.sh/@yemou.pink/dotfiles" 429 465 },
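--- a/flake.nix
+++ b/flake.nix
@@ -1,15 +1,9 @@
 {
 inputs = {
-home-manager = {
-url = "github:nix-community/home-manager";
-inputs.nixpkgs.follows = "nixpkgs";
-};
+nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-unstable-small";
 impermanence.url = "github:nix-community/impermanence";
-nixpkgs.url = "github:NixOS/nixpkgs?ref=nixos-unstable-small";
-roc-lang.url = "github:roc-lang/roc";
 sops-nix.url = "github:Mic92/sops-nix";
-tangled-sh.url = "git+https://tangled.sh/@tangled.sh/core?ref=refs/tags/v1.7.0-alpha";
-# tangled-sh.url = "path:/data/local-flakes/tangled.sh";
+
 yemou-dotfiles = {
 url = "git+https://tangled.sh/@yemou.pink/dotfiles";
 flake = false;
@@ -18,8 +12,13 @@
 url = "git+https://tangled.sh/@yemou.pink/scripts";
 inputs.nixpkgs.follows = "nixpkgs";
 };
-# nix-affine.url = "github:yemouu/nix-affine";
-# nix-affine.url = "path:/data/local-flakes/nix-affine";
+home-manager = {
+url = "github:nix-community/home-manager";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+
+roc-lang.url = "github:roc-lang/roc";
+tangled-sh.url = "git+https://tangled.sh/@tangled.sh/core?ref=refs/tags/v1.7.0-alpha";
 };
 
 outputs =
@@ -33,17 +32,14 @@
 }@inputs:
 let
 genSystemConfigs = nixpkgs.lib.genAttrs [
-"dandelion"
-"fly-agaric"
 "lily"
 "lutea"
 ];
-supportedSystems = [ "x86_64-linux" ];
-forSupportedSystems =
-function: nixpkgs.lib.genAttrs supportedSystems (system: function (import nixpkgs { inherit system; }));
+systems = [ "x86_64-linux" ];
+forSystems = func: nixpkgs.lib.genAttrs systems (system: func (import nixpkgs { inherit system; }));
 in
 {
-formatter = forSupportedSystems (pkgs: pkgs.nixfmt-tree.override { settings.formatter.nixfmt.options = [ "-w 120" ]; });
+formatter = forSystems (p: p.nixfmt-tree.override { settings.formatter.nixfmt.options = [ "-w 120" ]; });
 nixosConfigurations = genSystemConfigs (
 hostname:
 nixpkgs.lib.nixosSystem {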
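Review bot: The `inputs` block reordered in the first hunk never declares `blender-bin`, yet this commit's flake.lock gains a root input `"blender-bin": "blender-bin"` pointing at `edolstra/nix-warez` together with a second `nixpkgs` entry pinned to `nixos-24.11` at lastModified 1733808091, and neither is mentioned in a message that describes the change as cleanup. If the input is intentional it should sit in `inputs` next to the others with a one-line comment on why it carries its own older nixpkgs, and the message should name it; if it is a leftover from a local experiment, removing the declaration and re-locking should drop the entry. A new third-party flake arriving unannounced in a cleanup commit is exactly the kind of supply-chain change that gets waved through. The `outputs` expression continues past the end of the last hunk.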
-37
fly-agaric/config.nix
··· 1 - { ... }: 2 - { 3 - imports = [ 4 - ./hardware.nix 5 - ./packages.nix 6 - 7 - ../modules/basic.nix 8 - ../modules/development 9 - ../modules/editor.nix 10 - ../modules/fail2ban.nix 11 - ../modules/nix.nix 12 - ../modules/remote-build-machines.nix 13 - 14 - ../modules/services/openssh.nix 15 - ]; 16 - 17 - sops = { 18 - defaultSopsFile = ../secrets/fly-agaric.yaml; 19 - defaultSopsFormat = "yaml"; 20 - age.keyFile = "/data/keys.txt"; 21 - }; 22 - 23 - networking.hostName = "fly-agaric"; 24 - nix.settings.max-jobs = 0; 25 - 26 - # This option defines the first version of NixOS you have installed on this particular machine, 27 - # and is used to maintain compatibility with application data (e.g. databases) created on older 28 - # NixOS versions. Most users should NEVER change this value after the initial install, for any 29 - # reason, even if you've upgraded your system to a new NixOS release. This value does NOT affect 30 - # the Nixpkgs version your packages and OS are pulled from, so changing it will NOT upgrade your 31 - # system. This value being lower than the current NixOS release does NOT mean your system is out 32 - # of date, out of support, or vulnerable. Do NOT change this value unless you have manually 33 - # inspected all the changes it would make to your configuration, and migrated your data 34 - # accordingly. For more information, see `man configuration.nix` or 35 - # https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . 36 - system.stateVersion = "24.05"; # Did you read the comment? 37 - }
-96
fly-agaric/hardware.nix
··· 1 - { lib, modulesPath, ... }: 2 - { 3 - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; 4 - 5 - boot = { 6 - initrd = { 7 - availableKernelModules = [ 8 - "ahci" 9 - "xhci_pci" 10 - "virtio_pci" 11 - "virtio_scsi" 12 - "sd_mod" 13 - "sr_mod" 14 - ]; 15 - kernelModules = [ ]; 16 - }; 17 - kernelModules = [ ]; 18 - loader = { 19 - grub = { 20 - enable = true; 21 - configurationLimit = 50; 22 - device = "/dev/sda"; 23 - copyKernels = true; 24 - }; 25 - timeout = 0; 26 - }; 27 - tmp.useTmpfs = true; 28 - }; 29 - 30 - zramSwap.enable = true; 31 - 32 - fileSystems = { 33 - "/" = { 34 - device = "none"; 35 - fsType = "tmpfs"; 36 - options = [ 37 - "defaults" 38 - "mode=755" 39 - ]; 40 - }; 41 - "/nix" = { 42 - device = "/dev/disk/by-uuid/e224cad1-1ea2-435b-b914-b16eb400cd36"; 43 - fsType = "btrfs"; 44 - options = [ 45 - "subvol=@nixos/nix" 46 - "compress=zstd" 47 - ]; 48 - }; 49 - "/config" = { 50 - device = "/dev/disk/by-uuid/e224cad1-1ea2-435b-b914-b16eb400cd36"; 51 - fsType = "btrfs"; 52 - options = [ 53 - "subvol=@nixos/config" 54 - "compress=zstd" 55 - ]; 56 - }; 57 - "/data" = { 58 - device = "/dev/disk/by-uuid/e224cad1-1ea2-435b-b914-b16eb400cd36"; 59 - fsType = "btrfs"; 60 - options = [ 61 - "subvol=@nixos/data" 62 - "compress=zstd" 63 - ]; 64 - neededForBoot = true; 65 - }; 66 - "/home/mou" = { 67 - device = "/dev/disk/by-uuid/e224cad1-1ea2-435b-b914-b16eb400cd36"; 68 - fsType = "btrfs"; 69 - options = [ 70 - "subvol=@home/mou" 71 - "compress=zstd" 72 - ]; 73 - }; 74 - "/boot" = { 75 - device = "/dev/disk/by-uuid/00e4dfc3-8bf9-4075-92fa-3da33ef09704"; 76 - fsType = "ext4"; 77 - }; 78 - }; 79 - 80 - hardware.enableRedistributableFirmware = true; 81 - 82 - swapDevices = [ ]; 83 - 84 - networking.useDHCP = lib.mkDefault false; 85 - systemd.network = { 86 - enable = true; 87 - networks."10-wan" = { 88 - matchConfig.Name = "enp1s0"; 89 - networkConfig.DHCP = "ipv4"; 90 - address = [ "2a01:4ff:f0:348a::1/64" ]; 91 - routes = [ { Gateway = "fe80::1"; } ]; 
92 - }; 93 - }; 94 - 95 - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; 96 - }
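--- a/fly-agaric/home.nix
+++ b/fly-agaric/home.nix
@@ -1,5 +0,0 @@
-{ ... }:
-{
-imports = [ ../modules/home.nix ];
-home.stateVersion = "24.05";
-}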
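--- a/fly-agaric/packages.nix
+++ b/fly-agaric/packages.nix
@@ -1,4 +0,0 @@
-{ ... }:
-{
-users.users.mou.packages = [ ];
-}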
+4 -14
hidden/network.json
··· 1 1 { 2 - "dandelion": { 3 - "ipv4": "ENC[AES256_GCM,data:6c22J7C4qIRimsRThw==,iv:eaqVkq6BirCXX6dzMck+iDyBu3PdGJa3KtNsV9rimvM=,tag:iAi/yPjBcDErOHvPTFm2/A==,type:str]", 4 - "ipv6": "ENC[AES256_GCM,data:PVrT/MhkUmNBMyKj1LCFSGtlrA==,iv:zVGsawxhvT2Hms10eQdSLSee8QdImKoz1gaKe9CJaPg=,tag:QTBtumVVu6cfNWEHeBw8xg==,type:str]", 5 - "netbird-ip": "ENC[AES256_GCM,data:z9HzINKJ/AYbswnmew==,iv:MpQs7cLJHSWd7vIUlslrPgxF0De055C41QciWZ/PIDs=,tag:/I6ZB/aXivFDcbqJTI0tNw==,type:str]" 6 - }, 7 2 "lily": { 8 3 "ipv4": "ENC[AES256_GCM,data:1tD7RqSMvuIUPDqT,iv:oAA4T3vt1nlgr+g8ftRCwsSF2/bZEEs9ECtDd/xlQOw=,tag:2LBddZVlRcvVs8aAxvXdUQ==,type:str]", 9 4 "ipv4-local": "ENC[AES256_GCM,data:19k/8bA6AoqrW1s0,iv:Mqpifh7/26ZjgtnJQO7dUf7/XpVicq2j6IdwlRlXei0=,tag:7jRfp/sDrNB4DBE/sfJOwQ==,type:str]", ··· 17 12 "netbird-ip": "ENC[AES256_GCM,data:nnD509LlXnAEBJEibAo=,iv:fv+Onoy1wLaAqw+FXjAJyZIMywsbWvQ8/FlHN9YOwuw=,tag:hWQ5ZMGsDDxivRlYkgwmUA==,type:str]" 18 13 }, 19 14 "sops": { 20 - "kms": null, 21 - "gcp_kms": null, 22 - "azure_kv": null, 23 - "hc_vault": null, 24 15 "age": [ 25 16 { 26 17 "recipient": "age1p5y7px4qnlgxgxd6j5vg4wtpzs24fnh4808ws7gah3x89j66muasxz7ck2", ··· 35 26 "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTERzaDRwK2hoVmJ1OGEy\nakVReWF0N3hNZWx4RUYwSmhOYzNCOXNxUEhFCkFtdWw3NzU1QXFDYXZ3clI0SVg5\nNHQrRjl4RHJ4cHZaSlFqS21SWEhHN00KLS0tIDFPZWJDOUdYbUxxQ2FhMGJ6T0xW\nT1pnblJXMHBaUEpQdTRXT1A1QTB4T1kKutihXIcitNESH57xnBUADl4kzYyWDrSG\nylakRRVBr+y2DsndV8UUkUnCXr5OCN5bpPpb82w3UTOV+yZ8s3wMMQ==\n-----END AGE ENCRYPTED FILE-----\n" 36 27 } 37 28 ], 38 - "lastmodified": "2025-03-17T01:36:54Z", 39 - "mac": "ENC[AES256_GCM,data:nqh2y24GNSlkNOViW3DHHoYnB53ADRIKIF3n3CV0AK4ZFzcWN3zBQItEWMizIj4OwBtQVucqrO28YpNAuT6d0d1/5InaBDPRcMamdvOhGpF6s9CVWUkTZv1Jb/wvHV8kJh98utpLKC9VYPdG2noKTt7Wsh9SEIiDhVDFyowTs5g=,iv:+qQBNxdeVmd5/rXkf+0cW6rRDf5Eyq9NWQMjhZXHdEI=,tag:q9u29fU09YvhRefLtjowWQ==,type:str]", 40 - "pgp": null, 29 + "lastmodified": "2025-08-04T18:50:30Z", 30 + "mac": 
"ENC[AES256_GCM,data:MGEbqF/n9jCoHIPryzfDIvu6UIuJdLixrCCbTls34qCrhtV6H4oQVNtUA8iifipoPwmhsFQlZgQ09+1pxiLGKZPpNAjDZimhQvX+0Dr3qAe2Xkk3eiccX0SJbYsopYjjt7UCzfu0aGkr8c/xwXZvcHTMS4qMMbEW0MHVjFEFFAE=,iv:nhpgohqagLJc9GN6sjqgjf+SxiEc0KYZ0MpGHJfMj2o=,tag:5fnj5LcxkDPVvyZEkxH8VQ==,type:str]", 41 31 "unencrypted_suffix": "_unencrypted", 42 - "version": "3.9.4" 32 + "version": "3.10.2" 43 33 } 44 - } 34 + }
-28
hidden/syncthing.json
··· 1 - { 2 - "dandelion": { 3 - "device-id": "ENC[AES256_GCM,data:9cQ0UcJPHf3cWT6ABbSGA7yXjFx259lY88ZNbwwJjzMLF2fg/O5wU3qV9zbhhvClTkOepDSYKT1vSSGUT2U6,iv:evUyvt0VfnE/7KWGjI5cwmf7sIODuU/xfozAJJV3qIk=,tag:oYZlKJuRDoEh6vzGJFkpNA==,type:str]" 4 - }, 5 - "lily": { 6 - "device-id": "ENC[AES256_GCM,data:QBoqthsC94CjSh5ZnmtkMJjdHVaNeop/rCfraEPMh4nGUqpy3PS2vRmPu3OfK4Avw02y3EPyoP8plqBXBRbc,iv:ZDCCequtiX9Bk0NF3hP4h/GGkbu6sBSKCXOFIcL3U/E=,tag:XZqzbasSBWo472YPIugklA==,type:str]" 7 - }, 8 - "sops": { 9 - "age": [ 10 - { 11 - "recipient": "age1p5y7px4qnlgxgxd6j5vg4wtpzs24fnh4808ws7gah3x89j66muasxz7ck2", 12 - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWa0JpcEhYTytSZEFMWnMr\nRXo1TGozd0o5MUpIZ2kyTXFneWszRVRoMVd3CkJYOUZhRzR5b3kzbmxHcVByalFP\nRzJlMG0yQjNYVHEydDAvQ2dvSUZwR2sKLS0tIGU3OFRYdml5YmNyK0hzZFRmWnpJ\nTGdnUW9MUTVBRmRSSVplMHVKSUUyVUkKt/qajgJ2+CSZexX9Syzpzuowl36Otk+F\nXOlD3LUEIciza6sCsTuIi6PSAt1Ro6GgSw128AegO2YUG3zEe5DFGA==\n-----END AGE ENCRYPTED FILE-----\n" 13 - }, 14 - { 15 - "recipient": "age1amaa55e7nusv904a9ucfvtnjlw4srtet42suehey6u3yc4t2xc5sdldepj", 16 - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUWE5aNkxFOE1ZdXRTNTVv\naXJmSkU4YXJ1SUQxQkZNQW1EWHFaR1dScGtRClhGc2VLUFA5T1NlMFMvU1VveC93\nb1AzSHNDVXNtMldHczQ4TG85dEV5dmMKLS0tIGh0SFdwbktxR25Ja2s0dTJaTnlM\nczZhTDhzWTNpRnQ3ZVhHQWtWbXpCWE0KEg9F/2NVATX1pQjmC1cNmJAtqVsIOhtl\n8jU2FuaBwukrlB92iAsJIgi0YTLiEC/y6KRLXfBW7Qmf1ePnvrqstw==\n-----END AGE ENCRYPTED FILE-----\n" 17 - }, 18 - { 19 - "recipient": "age1p55em5e3uk3fprj2mpum7ulrslcqgly63pjsyw2yv6hx99trdsnsvvv9ex", 20 - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzT3g4cXowbyt6UXZJa0Uw\nU2JmQWFFOGNGekcrcDVIWWM5azVnTHdnYUVjCnpXMmV3RXNQei9XaTcvamVDWlhR\neFZYbC9qM2dJS21UbHFaSnE2TXpUSjgKLS0tIDlDRzBaTjFQVXRsVXFXWng2VExu\nZUNzaVdnSG9qaE93cHNvZHg4OHJEaFEKBZ4+MAMbzu49WZfac0m0rvBGwjN5WKge\ncz0/GqBOjcHzOo1Bc0UkM4SMjD/7l7cUZxLw8IO1LiTx4kJgxk7OZw==\n-----END AGE 
ENCRYPTED FILE-----\n" 21 - } 22 - ], 23 - "lastmodified": "2025-05-14T11:07:45Z", 24 - "mac": "ENC[AES256_GCM,data:NyH9pU3bAxOgeXxGOeGXGgchUZ4pNINVBznzCMv1WsfeIRORh/w7VmsflqPFZxkbE/XKtmPZG+wFB9QQaUcCIQB9SW1fqlnlpygHFpTcAjqz+gfGFYRtFmNKAaveuLYpA02wluXxSHZCzRW8JgqVVjyMsEBm5ifm8sq7NrtJt8k=,iv:Yq2LW3b1EKQtIFB/eUuOtuiEX6F7yZe2ZE7uCbreImY=,tag:jQxspW81i4Ysm8cnuaKYAA==,type:str]", 25 - "unencrypted_suffix": "_unencrypted", 26 - "version": "3.10.2" 27 - } 28 - }
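--- a/lily/config.nix
+++ b/lily/config.nix
@@ -2,7 +2,6 @@
 {
 imports = [
 ./hardware.nix
-./packages.nix
 ./services/fail2ban.nix
 
 ../modules/basic.nix
@@ -59,11 +58,7 @@
 };
 
 networking.hostName = "lily";
-
-services = {
-smartd.enable = true;
-thermald.enable = true;
-};
+services.thermald.enable = true;
 
 nix.settings = {
 cores = 6;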
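Review bot: `smartd.enable = true` is removed from the second hunk on the strength of the message calling it redundant, but the other place that enables it is not among these hunks, so a reader of this file can no longer see that disk-health monitoring is still on for this host. A one-line comment beside the surviving line, along the lines of `services.thermald.enable = true; # smartd is enabled by <the module that sets it>`, would record where it moved and save the next person the same search. The enclosing attribute set starts and ends outside the hunk.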
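--- a/lily/packages.nix
+++ b/lily/packages.nix
@@ -1,4 +0,0 @@
-{ ... }:
-{
-users.users.mou.packages = [ ];
-}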
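--- a/lutea/config.nix
+++ b/lutea/config.nix
@@ -2,11 +2,9 @@
 {
 imports = [
 ./hardware.nix
-./packages.nix
 
 ../modules/audio.nix
 ../modules/basic.nix
-# ../modules/binary-cache.nix
 ../modules/browsers.nix
 ../modules/cloud-storage.nix
 ../modules/creation.nix
@@ -26,14 +24,8 @@
 ../modules/network-info.nix
 ../modules/nix.nix
 ../modules/printing.nix
-# There isn't a way to prefer local builds yet, and my desktop is more powerful than my servers at the moment so
-# disable this for now and revisit it later. It would also be cool if I could specify specific packages to be built
-# on specific machines (I always want the linux kernel and firefox to be built on this machine if possible for
-# example). Other machines will still be able to use my desktop to help compile packages
-# ../modules/remote-build-machines.nix
 ../modules/remote-builder.nix
 ../modules/tools.nix
-# ../modules/vpn.nix
 ];
 
 sops = {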
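--- a/lutea/packages.nix
+++ b/lutea/packages.nix
@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-{
-users.users.mou.packages = with pkgs; [ intel-gpu-tools ];
-}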
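--- a/modules/basic.nix
+++ b/modules/basic.nix
@@ -40,18 +40,12 @@
 XDG_STATE_HOME = "$HOME/.local/state";
 };
 systemPackages = with pkgs; [
-# general packages
 htop
 lsof
 magic-wormhole-rs
 man-pages
 man-pages-posix
-thm # make colorschemes work properly
-
-# flake management
-age
-git
-sops
+thm
 ];
 };
 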
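Review bot: The `# make colorschemes work properly` comment on `thm` is dropped along with the section headers, leaving the one package in this list whose purpose is not self-evident without its explanation; keep the line as `thm # make colorschemes work properly`. Moving `age`, `git` and `sops` out of `environment.systemPackages` also narrows them from every account on the host to wherever modules/nix.nix now installs them — its hunk in this commit puts them in `users.users.mou.packages` — so root shells and other users lose them from PATH, a scope change the message's "move" wording does not flag. A sentence in the message, or a short comment on the list in modules/nix.nix saying these are intentionally per-user, would make that deliberate rather than accidental. The enclosing `environment` attribute set starts outside the hunk.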
-27
modules/binary-cache.nix
··· 1 - { config, lib, ... }: 2 - { 3 - nix = { 4 - settings = { 5 - substituters = [ 6 - (lib.mkIf ( 7 - config.networking.hostName != "dandelion" 8 - ) "ssh-ng://nix-ssh@${config.garden.info.network.dandelion.netbird-ip}") 9 - (lib.mkIf (config.networking.hostName != "lily") "ssh-ng://nix-ssh@${config.garden.info.network.lily.netbird-ip}") 10 - (lib.mkIf (config.networking.hostName != "lutea") "ssh-ng://nix-ssh@${config.garden.info.network.lutea.netbird-ip}") 11 - ]; 12 - }; 13 - sshServe = { 14 - enable = true; 15 - keys = [ 16 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAc3gwdLqoDPeAPLT8YuIamg0v6WHPFZIaQ4RWoCvt0K lily" 17 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFuJaCiwaXH6O7WDSmDsj1jRBzw+CJkRi1lBcdn7sON1 nixremote" 18 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAMmyW1RafzNf5riuGeYlbMvv4iTgp8w3dc9r2/ESCe dandelion" 19 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIISgpNEPVjZUXydvTYrReIPVPxcN4vT87Yi+c7Q3bNcO root@lutea" 20 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnyBRVRLKrlsAlMFXimvcF/mBjmSfixdzUX4yCZsYvE lutea" 21 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO/jmicQ5HZ2qGnw99PW14Gngv6fS2GM9ZtT+5zbGztN root@dandelion" 22 - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO5oBFe2PeUMBOXmP/ON36CviNjPtD/iHS07k4TqrII2 root@lily" 23 - ]; 24 - protocol = "ssh-ng"; 25 - }; 26 - }; 27 - }
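--- a/modules/browsers.nix
+++ b/modules/browsers.nix
@@ -5,6 +5,7 @@
 "firefox-bin-unwrapped"
 "google-chrome"
 ];
+
 users.users.mou.packages = with pkgs; [
 firefox-bin
 google-chrome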
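--- a/modules/development/c.nix
+++ b/modules/development/c.nix
@@ -1,8 +0,0 @@
-{ pkgs, ... }:
-{
-users.users.mou.packages = with pkgs; [
-bear
-clang-tools
-gdb
-];
-}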
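--- a/modules/development/default.nix
+++ b/modules/development/default.nix
@@ -1,15 +1,8 @@
 { ... }:
 {
 imports = [
-./c.nix
-./go.nix
-./graphics.nix
-./nix.nix
-./python.nix
 ./roc.nix
 ./sh.nix
-./sqlite.nix
 ./typst.nix
-./zig.nix
 ];
 }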
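--- a/modules/development/go.nix
+++ b/modules/development/go.nix
@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-{
-users.users.mou.packages = with pkgs; [ gopls ];
-}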
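--- a/modules/development/graphics.nix
+++ b/modules/development/graphics.nix
@@ -1,8 +0,0 @@
-{ pkgs, ... }:
-{
-users.users.mou.packages = with pkgs; [
-apitrace
-gfxreconstruct
-renderdoc
-];
-}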
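--- a/modules/development/nix.nix
+++ b/modules/development/nix.nix
@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-{
-users.users.mou.packages = with pkgs; [
-nixd
-nixfmt-rfc-style
-];
-}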
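--- a/modules/development/python.nix
+++ b/modules/development/python.nix
@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-{
-users.users.mou.packages = with pkgs; [
-ruff
-ty
-];
-}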
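--- a/modules/development/sqlite.nix
+++ b/modules/development/sqlite.nix
@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-{
-users.users.mou.packages = with pkgs; [ sqlitebrowser ];
-}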
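--- a/modules/development/zig.nix
+++ b/modules/development/zig.nix
@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-{
-users.users.mou.packages = with pkgs; [ zls ];
-}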
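--- a/modules/email.nix
+++ b/modules/email.nix
@@ -1,6 +1,5 @@
 { pkgs, ... }:
 {
-
 nixpkgs.overlays = [
 (final: prev: {
 sieve-editor-gui = prev.sieve-editor-gui.override { electron = final.electron-bin; };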
-132
modules/eturnal.nix
··· 1 - { 2 - config, 3 - lib, 4 - pkgs, 5 - ... 6 - }: 7 - let 8 - cfg = config.services.eturnal; 9 - settingsFormat = pkgs.formats.yaml { }; 10 - configurationYaml = settingsFormat.generate "eturnal.yml" cfg.settings; 11 - in 12 - { 13 - options.services.eturnal = { 14 - enable = lib.mkOption { 15 - type = lib.types.bool; 16 - default = false; 17 - description = "Enable eturnal"; 18 - }; 19 - package = lib.mkPackageOption pkgs "eturnal" { }; 20 - user = lib.mkOption { 21 - type = lib.types.str; 22 - default = "eturnal"; 23 - description = "User that runs the eturnal service"; 24 - }; 25 - group = lib.mkOption { 26 - type = lib.types.str; 27 - default = "eturnal"; 28 - description = "User that runs the eturnal service"; 29 - }; 30 - dataDir = lib.mkOption { 31 - type = lib.types.path; 32 - default = "/var/lib/eturnal"; 33 - description = "Path to store data"; 34 - }; 35 - settings = lib.mkOption { 36 - type = lib.types.submodule { 37 - freeformType = settingsFormat.type; 38 - }; 39 - default = { }; 40 - description = "Path to the eturnal configuration file"; 41 - }; 42 - secret = lib.mkOption { 43 - type = lib.types.nullOr lib.types.path; 44 - default = null; 45 - description = "Environment file containing the ETURNAL_SECRET variable"; 46 - }; 47 - }; 48 - 49 - config = lib.mkIf cfg.enable { 50 - nixpkgs.overlays = [ 51 - (final: prev: { 52 - eturnal = prev.beamPackages.rebar3Relx rec { 53 - pname = "eturnal"; 54 - version = "1.12.2"; 55 - 56 - src = prev.fetchFromGitHub { 57 - owner = "processone"; 58 - repo = "eturnal"; 59 - rev = version; 60 - hash = "sha256-DEIYlryzkGVOTqel41STWGo7KCw3BEjEpVUboftbLHw="; 61 - }; 62 - 63 - checkouts = prev.beamPackages.fetchRebar3Deps { 64 - inherit version src; 65 - name = "pname"; 66 - sha256 = "sha256-vc/gM2eKSDfr1XfsNRREA1Mo16wuZyGZXstnEmBKg6E="; 67 - }; 68 - 69 - releaseType = "release"; 70 - profile = "prod"; 71 - 72 - buildInputs = [ prev.libyaml ]; 73 - buildPlugins = [ prev.beamPackages.pc ]; 74 - 75 - patchPhase = '' 
76 - runHook prePatch 77 - substituteInPlace build.config \ 78 - --replace /opt/eturnal $out/rel/${pname} \ 79 - --replace /etc $out/rel/${pname}/etc \ 80 - --replace static dynamic 81 - runHook postPatch 82 - ''; 83 - }; 84 - }) 85 - ]; 86 - 87 - environment.systemPackages = [ cfg.package ]; 88 - 89 - users = { 90 - users.${cfg.user} = { 91 - isSystemUser = true; 92 - group = cfg.group; 93 - home = "/var/lib/eturnal"; 94 - createHome = true; 95 - }; 96 - groups.${cfg.user} = { }; 97 - }; 98 - 99 - systemd.tmpfiles.settings."eturnal-config"."${cfg.dataDir}/eturnal.yml"."L+".argument = "${configurationYaml}"; 100 - 101 - systemd.services.eturnal = { 102 - path = with pkgs; [ gawk ]; 103 - description = "eturnal STUN/TURN server"; 104 - after = [ "network.target" ]; 105 - environment.ETURNAL_ETC_DIR = cfg.dataDir; 106 - serviceConfig = { 107 - Type = "notify"; 108 - User = cfg.user; 109 - Group = cfg.group; 110 - ExecStart = "${cfg.package}/bin/eturnalctl foreground"; 111 - ExecReload = "${cfg.package}/bin/eturnalctl reload"; 112 - ExecStop = "${cfg.package}/bin/eturnalctl stop"; 113 - Restart = "on-failure"; 114 - RestartSec = 3; 115 - WatchdogSec = 30; 116 - LimitNOFILE = 50000; 117 - RuntimeDirectory = "eturnal"; 118 - LogsDirectory = "eturnal"; 119 - ProtectSystem = "full"; 120 - NoNewPrivileges = true; 121 - AmbientCapabilities = "CAP_NET_BIND_SERVICE"; 122 - EnvironmentFile = lib.mkIf (cfg.secret != null) cfg.secret; 123 - }; 124 - wantedBy = [ "multi-user.target" ]; 125 - reloadTriggers = [ config.systemd.tmpfiles.settings."eturnal-config"."${cfg.dataDir}/eturnal.yml"."L+".argument ]; 126 - }; 127 - 128 - # [Unit] 129 - # Wants=epmd.service 130 - # After=epmd.service network.target 131 - }; 132 - }
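--- a/modules/fail2ban.nix
+++ b/modules/fail2ban.nix
@@ -12,7 +12,6 @@
 rndtime = "1h";
 };
 ignoreIP = [
-(lib.mkIf (config.networking.hostName != "dandelion") config.garden.info.network.dandelion.netbird-ip)
 (lib.mkIf (config.networking.hostName != "lily") config.garden.info.network.lily.netbird-ip)
 (lib.mkIf (config.networking.hostName != "lutea") config.garden.info.network.lutea.netbird-ip)
 ];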
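--- a/modules/games.nix
+++ b/modules/games.nix
@@ -1,6 +1,7 @@
 { lib, pkgs, ... }:
 {
 imports = [ ./unfree.nix ];
+
 garden.unfree = [
 "modrinth-app"
 "modrinth-app-unwrapped"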
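--- a/modules/gui.nix
+++ b/modules/gui.nix
@@ -44,7 +44,6 @@
 };
 
 qt.enable = true;
-
 security.polkit.enable = true;
 
 services = {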
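--- a/modules/kde.nix
+++ b/modules/kde.nix
@@ -1,18 +0,0 @@
-{ pkgs, ... }:
-{
-services = {
-desktopManager.plasma6.enable = true;
-xserver.enable = true; # Without this set plasma6 will fail to start even when using wayland
-};
-
-environment.plasma6.excludePackages = with pkgs.kdePackages; [
-konsole
-oxygen
-pkgs.aha
-plasma-browser-integration
-plasma-workspace-wallpapers
-qtvirtualkeyboard
-];
-
-users.users.mou.packages = with pkgs; [ xwaylandvideobridge ];
-}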
-44
modules/nfs.nix
··· 1 - { config, lib, ... }: 2 - { 3 - systemd.tmpfiles.settings."nfs" = lib.mkMerge [ 4 - (lib.mkIf (config.networking.hostName == "dandelion") { 5 - "/nfs".d = { 6 - user = "nobody"; 7 - group = "nogroup"; 8 - mode = "0755"; 9 - }; 10 - }) 11 - (lib.mkIf (config.networking.hostName == "lily") { 12 - "/mnt/certs".d = { 13 - user = "nobody"; 14 - group = "nogroup"; 15 - mode = "0755"; 16 - }; 17 - }) 18 - ]; 19 - 20 - boot.supportedFilesystems = [ "nfs" ]; 21 - 22 - fileSystems = lib.mkMerge [ 23 - # (lib.mkIf (config.networking.hostName == "dandelion") { }) 24 - (lib.mkIf (config.networking.hostName == "lily") { 25 - "/mnt/certs" = { 26 - device = "${config.garden.info.network.dandelion.netbird-ip}:/caddy-certs"; 27 - fsType = "nfs"; 28 - }; 29 - }) 30 - ]; 31 - 32 - networking.firewall.interfaces.${config.services.netbird.clients.homelab.interface}.allowedTCPPorts = lib.mkIf ( 33 - config.networking.hostName == "dandelion" 34 - ) [ 2049 ]; 35 - 36 - services.nfs = lib.mkIf (config.networking.hostName == "dandelion") { 37 - server = { 38 - enable = true; 39 - exports = '' 40 - /nfs ${config.garden.info.network.lily.netbird-ip}(ro,fsid=0,no_subtree_check) 41 - ''; 42 - }; 43 - }; 44 - }
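--- a/modules/nix.nix
+++ b/modules/nix.nix
@@ -9,9 +9,14 @@
 };
 };
 
-users.users.mou.packages = [
-# (pkgs.callPackage ./packages/nixos-rebuild-tmpdir.nix { })
-(pkgs.callPackage ./packages/buildConfig { })
+users.users.mou.packages = with pkgs; [
+age
+git
+nixd
+nixfmt-rfc-style
+sops
+
+(callPackage ./packages/buildConfig { })
 ];
 
 nix = {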
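Review bot: With `with pkgs;` now wrapping the whole list, the `(callPackage ./packages/buildConfig { })` entry resolves `callPackage` through the `with` scope instead of the explicit `pkgs.callPackage` it replaces, so the one entry that is a local build rather than a plain package name is no longer distinguishable at a glance. Keeping it explicit as `(pkgs.callPackage ./packages/buildConfig { })` inside the `with` block costs nothing and keeps the local-package call visibly different from the names above it. A short comment on the list, such as `# flake management tooling, per-user on purpose`, would also preserve the grouping the removed basic.nix section headers used to give these packages. The enclosing attribute set starts and ends outside the hunk.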
-85
modules/packages/kakoune/01-typst-kak.patch
··· 1 - From 6a853716c98f8099c6c81cd706a29ff17aafad11 Mon Sep 17 00:00:00 2001 2 - From: =?UTF-8?q?Micha=C5=82=20Kruszewski?= <mkru@protonmail.com> 3 - Date: Thu, 23 May 2024 15:01:26 +0200 4 - Subject: [PATCH] typst: Add typst.kak for typst markup highlighting 5 - 6 - --- 7 - rc/filetype/typst.kak | 69 +++++++++++++++++++++++++++++++++++++++++++ 8 - 1 file changed, 69 insertions(+) 9 - create mode 100644 rc/filetype/typst.kak 10 - 11 - diff --git a/rc/filetype/typst.kak b/rc/filetype/typst.kak 12 - new file mode 100644 13 - index 0000000000..5353ea6a6b 14 - --- /dev/null 15 - +++ b/rc/filetype/typst.kak 16 - 
@@ -0,0 +1,69 @@ 17 - +# Detection 18 - +# ‾‾‾‾‾‾‾‾‾ 19 - + 20 - +hook global BufCreate .*[.](typ) %{ 21 - + set-option buffer filetype typst 22 - +} 23 - + 24 - +# Initialization 25 - +# ‾‾‾‾‾‾‾‾‾‾‾‾‾‾ 26 - + 27 - +hook -group typst-highlight global WinSetOption filetype=typst %{ 28 - + require-module typst 29 - + 30 - + add-highlighter window/typst ref typst 31 - + hook -once -always window WinSetOption filetype=.* %{ remove-highlighter window/typst } 32 - + hook window InsertChar \n -group typst typst-on-new-line 33 - +} 34 - + 35 - +provide-module typst %§ 36 - + 37 - +# Highlighters 38 - +# ‾‾‾‾‾‾‾‾‾‾‾‾ 39 - + 40 - +add-highlighter shared/typst group 41 - + 42 - +# Comments 43 - +add-highlighter shared/typst/ regex ^//(?:[^\n/][^\n]*|)$ 0:comment 44 - + 45 - +# Strings 46 - +add-highlighter shared/typst/ regex '"[^"]*"' 0:string 47 - + 48 - +# Headings 49 - +add-highlighter shared/typst/ regex ^=+\h+[^\n]+$ 0:header 50 - + 51 - +# Code blocks 52 - +# Raw with optional syntax highlighting 53 - +add-highlighter shared/typst/ regex '^```[^(```)]*```' 0:mono 54 - +# Multiline monospace 55 - +add-highlighter shared/typst/ regex '^`[^(`)]*`' 0:mono 56 - + 57 - +# Monospace text 58 - +add-highlighter shared/typst/ regex \B(`[^\n]+?`)\B 0:mono 59 - +add-highlighter shared/typst/ regex \B(```[^\n]+?```)\B 0:mono 60 - + 61 - +# Bold text 62 - +add-highlighter shared/typst/ regex \s\*[^\*]+\*\B 0:+b 63 - + 64 - +# Italic text 65 - +add-highlighter shared/typst/ regex \b_.*?_\b 0:+i 66 - + 67 - +# Code expressions: functions, variables 68 - +add-highlighter shared/typst/ regex (^|\h)#(\w|\.|-)+ 0:meta 69 - + 70 - +# Bold terms in term lists 71 - +add-highlighter shared/typst/ regex ^/\h[^:]*: 0:+b 72 - + 73 - 74 - + 75 - +# Commands 76 - +# ‾‾‾‾‾‾‾‾ 77 - + 78 - +define-command -hidden typst-on-new-line %< 79 - + evaluate-commands -draft -itersel %< 80 - + # Preserve previous line indent 81 - + try %{ execute-keys -draft <semicolon> K <a-&> } 82 - + # Cleanup trailing 
whitespaces from previous line 83 - + try %{ execute-keys -draft k x s \h+$ <ret> d } 84 - + > 85 - +>
-22
modules/packages/kakoune/02-typst-comments.patch
··· 1 - From 15d4f7585fdac03e460e59b0508aecd636bd2660 Mon Sep 17 00:00:00 2001 2 - From: yemou <dev@lilac.pink> 3 - Date: Sun, 15 Dec 2024 19:35:56 -0500 4 - Subject: [PATCH] typst: fix comment_line and comment_block* options for typst 5 - 6 - --- 7 - rc/tools/comment.kak | 2 +- 8 - 1 file changed, 1 insertion(+), 1 deletion(-) 9 - 10 - diff --git a/rc/tools/comment.kak b/rc/tools/comment.kak 11 - index 3521b82ca7..ae33b82a98 100644 12 - --- a/rc/tools/comment.kak 13 - +++ b/rc/tools/comment.kak 14 - @@ -16,7 +16,7 @@ hook global BufSetOption filetype=asciidoc %{ 15 - set-option buffer comment_block_end '////' 16 - } 17 - 18 - -hook global BufSetOption filetype=(c|cpp|dart|gluon|go|java|javascript|objc|odin|php|pony|protobuf|rust|sass|scala|scss|swift|typescript|groovy) %{ 19 - +hook global BufSetOption filetype=(c|cpp|dart|gluon|go|java|javascript|objc|odin|php|pony|protobuf|rust|sass|scala|scss|swift|typescript|typst|groovy) %{ 20 - set-option buffer comment_line '//' 21 - set-option buffer comment_block_begin '/*' 22 - set-option buffer comment_block_end '*/'
-41
modules/packages/mesa/opencl.patch
··· 1 - diff --git a/meson.build b/meson.build 2 - index c150bff74ff..37fa7f0531b 100644 3 - --- a/meson.build 4 - +++ b/meson.build 5 - @@ -1850,7 +1850,7 @@ endif 6 - 7 - dep_clang = null_dep 8 - if with_clc 9 - - llvm_libdir = dep_llvm.get_variable(cmake : 'LLVM_LIBRARY_DIR', configtool: 'libdir') 10 - + llvm_libdir = get_option('clang-libdir') 11 - 12 - dep_clang = cpp.find_library('clang-cpp', dirs : llvm_libdir, required : false) 13 - 14 - diff --git a/meson.options b/meson.options 15 - index 82324617884..4bde97a8568 100644 16 - --- a/meson.options 17 - +++ b/meson.options 18 - @@ -738,3 +738,10 @@ option( 19 - 'none', 'dri2' 20 - ], 21 - ) 22 - + 23 - +option( 24 - + 'clang-libdir', 25 - + type : 'string', 26 - + value : '', 27 - + description : 'Locations to search for clang libraries.' 28 - +) 29 - diff --git a/src/gallium/targets/rusticl/meson.build b/src/gallium/targets/rusticl/meson.build 30 - index 35833dc7423..41a95927cab 100644 31 - --- a/src/gallium/targets/rusticl/meson.build 32 - +++ b/src/gallium/targets/rusticl/meson.build 33 - @@ -63,7 +63,7 @@ configure_file( 34 - configuration : _config, 35 - input : 'rusticl.icd.in', 36 - output : 'rusticl.icd', 37 - - install : true, 38 - + install : false, 39 - install_tag : 'runtime', 40 - install_dir : join_paths(get_option('sysconfdir'), 'OpenCL', 'vendors'), 41 - )
-18
modules/packages/nixos-rebuild-tmpdir.nix
··· 1 - # TODO: If I am keeping this, it should be in nixpkgs.overlays 2 - # nixos-rebuild is a shellscript and inside that shellscript they create a tmpdir using mktemp. 3 - # This is fine, but TMPDIR environment variable isn't available at this point, so mktemp puts the 4 - # directory in the wrong place. 5 - { 6 - makeWrapper, 7 - nixos-rebuild, 8 - symlinkJoin, 9 - }: 10 - symlinkJoin { 11 - name = "nixos-rebuild-tmpdir"; 12 - paths = [ nixos-rebuild ]; 13 - buildInputs = [ makeWrapper ]; 14 - postBuild = '' 15 - wrapProgram $out/bin/nixos-rebuild \ 16 - --set TMPDIR /nix/tmp 17 - ''; 18 - }
-1
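--- a/modules/remote-builder.nix
+++ b/modules/remote-builder.nix
@@ -19,5 +19,4 @@
 
 nix.settings.trusted-users = [ "nixremote" ];
 
-services.openssh.settings.AllowUsers = [ "nixremote@${config.garden.info.network.dandelion.netbird-ip}" ];
 }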
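Review bot: Removing the `AllowUsers` entry leaves `nixremote` with no sshd allow-rule, while line 20 still keeps it in `nix.settings.trusted-users`, which grants that account full control over the nix daemon. If the remote-build path from dandelion is gone for good, the `nixremote` user and its `trusted-users` entry should be removed with it rather than left as a privileged but unreachable account; if another host is meant to build here, it needs its own `AllowUsers` entry, because openssh.nix in this commit lists only `mou@…` and sshd denies every other user once `AllowUsers` is set. The rest of the module, including where `nixremote` is declared, lies outside the hunk.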
+1 -1
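--- a/modules/services/caddy/cp-certs.nix
+++ b/modules/services/caddy/cp-certs.nix
@@ -8,7 +8,7 @@
 certs_dir="/var/ssl"
 
 case $1 in
-"proxy.butwho.org" | "pubsub.butwho.org" | "upload.butwho.org" | "muc.butwho.org" | "mumble.butwho.org" | "butwho.org" )
+"mumble.butwho.org" )
 caddy_path="/var/lib/caddy/.local/share/caddy"
 printf '%s\n' "$prog_name: Copying certs for '$1' to $certs_dir/$1"
 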
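Review bot: `mumble.butwho.org` is now the only name this hook copies into `/var/ssl`, yet the same commit reduces `mumble.nix` to a redirect to `butwho.org` and deletes the ejabberd module that read certificates from `/var/ssl/<host>`; confirm something on this host still consumes `/var/ssl/mumble.butwho.org`, otherwise the remaining branch is dead and the whole cert-copy hook can go. Keep the match a literal list rather than a glob: the exact-match `case` on `$1` is what bounds the `$certs_dir/$1` path built on line 13. The `case` body and the rest of the script are outside the hunk. Separately, `readme.md` in this commit still lists ejabberd under Services even though its module is removed.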
-19
modules/services/caddy/matrix.nix
··· 1 - { config, ... }: 2 - { 3 - services.caddy.virtualHosts = { 4 - "butwho.org".extraConfig = '' 5 - header /.well-known/matrix/* Access-Control-Allow-Origin * 6 - header /.well-known/matrix/* Content-Type application/json 7 - respond /.well-known/matrix/client <<JSON 8 - { 9 - "m.homeserver": { "base_url": "https://matrix.butwho.org" } 10 - } 11 - JSON 12 - respond /.well-known/matrix/server `{"m.server": "matrix.butwho.org:443"}` 13 - ''; 14 - "matrix.butwho.org".extraConfig = '' 15 - encode 16 - reverse_proxy ${config.garden.info.network.lily.netbird-ip}:8008 17 - ''; 18 - }; 19 - }
+4 -6
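--- a/modules/services/caddy/mumble.nix
+++ b/modules/services/caddy/mumble.nix
@@ -1,9 +1,7 @@
 { ... }:
 {
-services.caddy.virtualHosts = {
-"mumble.butwho.org".extraConfig = ''
-encode
-redir https://butwho.org{uri}
-'';
-};
+services.caddy.virtualHosts."mumble.butwho.org".extraConfig = ''
+encode
+redir https://butwho.org{uri}
+'';
 }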
-43
modules/services/caddy/xmpp.nix
··· 1 - { ... }: 2 - { 3 - services.caddy.virtualHosts = { 4 - "butwho.org".extraConfig = '' 5 - header /.well-known/host-meta Access-Control-Allow-Origin * 6 - header /.well-known/host-meta Content-Type text/xml 7 - respond /.well-known/host-meta <<XML 8 - <?xml version='1.0' encoding='utf-8'?> 9 - <XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'> 10 - <Link rel="urn:xmpp:alt-connections:xbosh" href="https://butwho.org:5443/bosh" /> 11 - <Link rel="urn:xmpp:alt-connections:websocket" href="wss://butwho.org:5443/ws" /> 12 - </XRD> 13 - XML 14 - 15 - header /.well-known/host-meta.json Access-Control-Allow-Origin * 16 - header /.well-known/host-meta.json Content-Type application/json 17 - respond /.well-known/host-meta.json <<JSON 18 - { 19 - "links": [ 20 - { "rel": "urn:xmpp:alt-connections:xbosh", "href": "https://butwho.org:5443/bosh" }, 21 - { "rel": "urn:xmpp:alt-connections:websocket", "href": "wss://butwho.org:5443/ws" } 22 - ] 23 - } 24 - JSON 25 - ''; 26 - "muc.butwho.org".extraConfig = '' 27 - encode 28 - redir https://butwho.org{uri} 29 - ''; 30 - "proxy.butwho.org".extraConfig = '' 31 - encode 32 - redir https://butwho.org{uri} 33 - ''; 34 - "pubsub.butwho.org".extraConfig = '' 35 - encode 36 - redir https://butwho.org{uri} 37 - ''; 38 - "upload.butwho.org".extraConfig = '' 39 - encode 40 - redir https://butwho.org{uri} 41 - ''; 42 - }; 43 - }
-91
modules/services/dendrite.nix
··· 1 - { config, ... }: 2 - { 3 - imports = [ ./postgresql.nix ]; 4 - 5 - sops = { 6 - secrets."dendrite/registration_shared_secret" = { }; 7 - templates.dendrite-env.content = '' 8 - REGISTRATION_SHARED_SECRET=${config.sops.placeholder."dendrite/registration_shared_secret"} 9 - ''; 10 - }; 11 - 12 - environment.persistence."/data/persistent".directories = [ 13 - { 14 - directory = "/var/lib/private/dendrite"; 15 - mode = "0700"; 16 - } 17 - ]; 18 - 19 - networking.firewall.interfaces.${config.services.netbird.clients.homelab.interface}.allowedTCPPorts = [ 8008 ]; 20 - 21 - services.postgresql = { 22 - ensureDatabases = [ "dendrite" ]; 23 - ensureUsers = [ 24 - { 25 - name = "dendrite"; 26 - ensureDBOwnership = true; 27 - } 28 - ]; 29 - }; 30 - 31 - systemd.services.dendrite.requires = [ "postgresql.service" ]; 32 - 33 - services.dendrite = { 34 - enable = true; 35 - environmentFile = config.sops.templates.dendrite-env.path; 36 - settings = { 37 - global = { 38 - private_key = "$CREDENTIALS_DIRECTORY/private_key"; 39 - server_name = "butwho.org"; 40 - database.connection_string = "postgresql:///dendrite?host=/run/postgresql"; 41 - presence = { 42 - enable_inbound = true; 43 - enable_outbound = true; 44 - }; 45 - dns_cache.enable = true; 46 - }; 47 - app_service_api.database.connection_string = ""; 48 - client_api = { 49 - registration_disabled = true; 50 - guests_disabled = true; 51 - registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; 52 - enable_registration_captcha = false; # I need keys for this. Use hcaptcha? 
53 - }; 54 - federation_api.database.connection_string = ""; 55 - media_api = { 56 - max_file_size_bytes = 104857600; 57 - dynamic_thumbnails = true; 58 - database.connection_string = ""; 59 - }; 60 - mscs = { 61 - mscs = [ "msc2836" ]; 62 - database.connection_string = ""; 63 - }; 64 - sync_api = { 65 - real_ip_header = "X-Forwarded-For"; 66 - search.enabled = true; 67 - database.connection_string = ""; 68 - }; 69 - user_api = { 70 - device_database.connection_string = ""; 71 - account_database.connection_string = ""; 72 - }; 73 - room_server.database.connection_string = ""; 74 - relay_api.database.connection_string = ""; 75 - key_server.database.connection_string = ""; 76 - logging = [ 77 - { 78 - type = "std"; 79 - level = "warn"; 80 - } 81 - { 82 - type = "file"; 83 - level = "info"; 84 - params.path = "./logs"; 85 - } 86 - ]; 87 - }; 88 - openRegistration = false; 89 - loadCredential = [ "private_key:/var/lib/private/dendrite/matrix_key.pem" ]; 90 - }; 91 - }
-50
modules/services/dufs.nix
··· 1 - { 2 - config, 3 - lib, 4 - pkgs, 5 - ... 6 - }: 7 - let 8 - servePath = "/data/dufs"; 9 - dufsConfig = pkgs.writeText "config.yaml" ( 10 - lib.generators.toYAML { } { 11 - allow-all = true; 12 - compress = "high"; 13 - serve-path = "${servePath}"; 14 - } 15 - ); 16 - startDufs = pkgs.writeShellScript "dufsStart" '' 17 - export DUFS_AUTH="mou:$(${pkgs.coreutils}/bin/cat ${config.sops.secrets."dufs/mouPW".path})@/:rw" 18 - exec ${pkgs.dufs}/bin/dufs -c ${dufsConfig} 19 - ''; 20 - in 21 - { 22 - sops.secrets."dufs/mouPW".owner = "dufs"; 23 - 24 - users = { 25 - users.dufs = { 26 - description = "dufs service user"; 27 - isSystemUser = true; 28 - group = "dufs"; 29 - }; 30 - groups.dufs = { }; 31 - }; 32 - 33 - networking.firewall.allowedTCPPorts = [ 5000 ]; 34 - 35 - system.activationScripts.dufsDir.text = '' 36 - mkdir -p ${servePath} 37 - chown -R dufs:dufs ${servePath} 38 - chmod -R 760 ${servePath} 39 - ''; 40 - 41 - systemd.services.dufs = { 42 - enable = true; 43 - after = [ "network.target" ]; 44 - serviceConfig = { 45 - ExecStart = "${startDufs}"; 46 - User = "dufs"; 47 - }; 48 - wantedBy = [ "multi-user.target" ]; 49 - }; 50 - }
-519
modules/services/ejabberd.nix
··· 1 - { 2 - config, 3 - lib, 4 - pkgs, 5 - ... 6 - }: 7 - { 8 - imports = [ ./postgresql.nix ]; 9 - 10 - environment.persistence."/data/persistent".directories = [ 11 - { 12 - directory = "/var/lib/ejabberd"; 13 - user = "ejabberd"; 14 - group = "ejabberd"; 15 - mode = "0700"; 16 - } 17 - ]; 18 - 19 - networking.firewall = { 20 - allowedTCPPorts = [ 21 - # 1883 # MQTT 22 - 5222 # Jabberd/XMPP client connections 23 - 5223 # Jabberd client SSL 24 - 5269 # Jabber/XMPP incoming server connections 25 - 5270 # Jabberd server SSL 26 - # 5280 # HTTP for Web Admin 27 - # NOTE: ejabberd doesn't support either HTTP/2 or HTTP/3, consider running caddy infront of ejabberd 28 - 5349 # STUN/TURN 29 - 5443 # HTTPS for Web Admin and File Upload 30 - 7777 # mod_proxy65 31 - ]; 32 - allowedUDPPorts = [ 33 - 3478 # STUN/TURN 34 - ]; 35 - allowedUDPPortRanges = [ 36 - { 37 - from = 49152; 38 - to = 65535; 39 - } 40 - ]; 41 - }; 42 - 43 - services.postgresql = { 44 - ensureDatabases = [ "ejabberd" ]; 45 - ensureUsers = [ 46 - { 47 - name = "ejabberd"; 48 - ensureDBOwnership = true; 49 - } 50 - ]; 51 - }; 52 - 53 - services.ejabberd = { 54 - enable = true; 55 - package = pkgs.ejabberd.override { 56 - withPgsql = true; 57 - withImagemagick = true; 58 - imagemagick = pkgs.imagemagickBig; # The captcha script require ghostscript 59 - }; 60 - configFile = pkgs.writeText "ejabberd.yaml" ( 61 - lib.generators.toYAML { } { 62 - hosts = [ "butwho.org" ]; 63 - include_config_file = [ 64 - # NOTE: When using the yaml generators provided by nixos, the numeric keys are strings (nix doesn't support 65 - # numeric keys). ejabberd doesn't attempt to convert the string to an integer so it doesn't recognize the 66 - # numeric key causing a configuration error. 
67 - # TODO: Submit an issue to ejabberd 68 - # TODO: Look to see if there is some way I can tell the yaml generator that the key is an integer 69 - (pkgs.writeText "ejabberd-shaper_rules.yaml" '' 70 - shaper_rules: 71 - c2s_shaper: 72 - none: admin 73 - normal: all 74 - max_user_offline_messages: 75 - 2500: all 76 - 5000: admin 77 - max_user_sessions: 10 78 - s2s_shaper: fast 79 - '') 80 - ]; 81 - loglevel = "info"; 82 - hide_sensitive_log_data = true; 83 - acme.auto = false; 84 - certfiles = [ 85 - # butwho.org 86 - "/var/ssl/butwho.org/butwho.org.crt" 87 - "/var/ssl/butwho.org/butwho.org.key" 88 - 89 - # muc.butwho.org 90 - "/var/ssl/muc.butwho.org/muc.butwho.org.crt" 91 - "/var/ssl/muc.butwho.org/muc.butwho.org.key" 92 - 93 - # proxy.butwho.org 94 - "/var/ssl/proxy.butwho.org/proxy.butwho.org.crt" 95 - "/var/ssl/proxy.butwho.org/proxy.butwho.org.key" 96 - 97 - # pubsub.butwho.org 98 - "/var/ssl/pubsub.butwho.org/pubsub.butwho.org.crt" 99 - "/var/ssl/pubsub.butwho.org/pubsub.butwho.org.key" 100 - 101 - # upload.butwho.org 102 - "/var/ssl/upload.butwho.org/upload.butwho.org.crt" 103 - "/var/ssl/upload.butwho.org/upload.butwho.org.key" 104 - ]; 105 - trusted_proxies = [ config.garden.info.network.dandelion.netbird-ip ]; 106 - listen = [ 107 - { 108 - port = 5222; 109 - ip = "::"; 110 - module = "ejabberd_c2s"; 111 - max_stanza_size = 262144; 112 - shaper = "c2s_shaper"; 113 - access = "c2s"; 114 - starttls_required = true; 115 - } 116 - { 117 - port = 5223; 118 - ip = "::"; 119 - module = "ejabberd_c2s"; 120 - max_stanza_size = 262144; 121 - shaper = "c2s_shaper"; 122 - access = "c2s"; 123 - allow_unencrypted_sasl2 = true; 124 - } 125 - { 126 - port = 5269; 127 - ip = "::"; 128 - module = "ejabberd_s2s_in"; 129 - max_stanza_size = 524288; 130 - shaper = "s2s_shaper"; 131 - } 132 - { 133 - port = 5270; 134 - ip = "::"; 135 - module = "ejabberd_s2s_in"; 136 - max_stanza_size = 524288; 137 - shaper = "s2s_shaper"; 138 - } 139 - { 140 - port = 5280; 141 - ip = "::"; 
142 - module = "ejabberd_http"; 143 - request_handlers = { 144 - "/admin" = "ejabberd_web_admin"; 145 - }; 146 - } 147 - { 148 - port = 5443; 149 - ip = "::"; 150 - module = "ejabberd_http"; 151 - tls = true; 152 - request_handlers = { 153 - "/admin" = "ejabberd_web_admin"; 154 - "/api" = "mod_http_api"; 155 - "/bosh" = "mod_bosh"; 156 - "/captcha" = "ejabberd_captcha"; 157 - "/upload" = "mod_http_upload"; 158 - "/ws" = "ejabberd_http_ws"; 159 - }; 160 - } 161 - { 162 - port = 3478; 163 - transport = "udp"; 164 - module = "ejabberd_stun"; 165 - use_turn = true; 166 - turn_min_port = 49152; 167 - turn_max_port = 65535; 168 - turn_ipv4_address = config.garden.info.network.lily.ipv4; 169 - turn_ipv6_address = config.garden.info.network.lily.ipv6; 170 - } 171 - { 172 - port = 5349; 173 - transport = "tcp"; 174 - module = "ejabberd_stun"; 175 - use_turn = true; 176 - tls = true; 177 - turn_min_port = 49152; 178 - turn_max_port = 65535; 179 - turn_ipv4_address = config.garden.info.network.lily.ipv4; 180 - turn_ipv6_address = config.garden.info.network.lily.ipv6; 181 - } 182 - # NOTE: This (mqtt) may be more useful when I do more IoT stuff but it doesn't seem to have much use for 183 - # internet messaging at the moment 184 - # { 185 - # port = 1883; 186 - # ip = "::"; 187 - # module = "mod_mqtt"; 188 - # backlog = 1000; 189 - # } 190 - ]; 191 - s2s_use_starttls = "optional"; 192 - acl = { 193 - local.user_regexp = ""; 194 - loopback.ip = [ 195 - "127.0.0.0/8" 196 - "::1/128" 197 - "::ffff:127.0.0.1/128" 198 - ]; 199 - admin.user = [ "yemou@butwho.org" ]; 200 - }; 201 - access_rules = { 202 - local.allow = "local"; 203 - c2s = { 204 - deny = "blocked"; 205 - allow = "all"; 206 - }; 207 - announce.allow = "admin"; 208 - configure.allow = "admin"; 209 - muc_create.allow = "local"; 210 - mix_create.allow = "local"; 211 - pubsub_createnode.allow = "local"; 212 - trusted_network.allow = "loopback"; 213 - }; 214 - api_permissions = { 215 - "console commands" = { 216 - from = 
"ejabberd_ctl"; 217 - who = "all"; 218 - what = "*"; 219 - }; 220 - "webadmin commands" = { 221 - from = "ejabberd_web_admin"; 222 - who = "admin"; 223 - what = "*"; 224 - }; 225 - "adhoc commands" = { 226 - from = "mod_adhoc_api"; 227 - who = "admin"; 228 - what = "*"; 229 - }; 230 - "http access" = { 231 - from = "mod_http_api"; 232 - who = { 233 - access.allow = [ 234 - { acl = "lookback"; } 235 - { acl = "admin"; } 236 - ]; 237 - oauth = { 238 - scope = "ejabberd:admin"; 239 - access.allow = [ 240 - { acl = "loopback"; } 241 - { acl = "admin"; } 242 - ]; 243 - }; 244 - }; 245 - what = [ 246 - "*" 247 - "!stop" 248 - "!start" 249 - ]; 250 - }; 251 - "public commands" = { 252 - who.ip = "127.0.0.1/8"; 253 - what = [ 254 - "status" 255 - "connected_users_number" 256 - ]; 257 - }; 258 - }; 259 - captcha_cmd = "${config.services.ejabberd.package}/lib/ejabberd-@VERSION@/priv/bin/captcha.sh"; 260 - # captcha_limit = 10; 261 - auth_method = "sql"; 262 - auth_password_format = "scram"; 263 - auth_scram_hash = "sha512"; 264 - default_db = "sql"; 265 - default_ram_db = "mnesia"; 266 - update_sql_schema = true; 267 - new_sql_schema = true; 268 - sql_type = "pgsql"; 269 - sql_server = "unix:/run/postgresql/.s.PGSQL.5432"; 270 - # host_config."butwho.org" = { }; 271 - shaper = { 272 - normal = { 273 - rate = 3000; 274 - burst_size = 20000; 275 - }; 276 - fast = 100000; 277 - }; 278 - # shaper_rules = { 279 - # max_user_sessions = 10; 280 - # max_user_offline_messages = { 281 - # "2500" = "all"; 282 - # "5000" = "admin"; 283 - # }; 284 - # c2s_shaper = { 285 - # none = "admin"; 286 - # normal = "all"; 287 - # }; 288 - # s2s_shaper = "fast"; 289 - # }; 290 - modules = { 291 - mod_adhoc = { }; 292 - mod_adhoc_api = { }; 293 - mod_admin_extra = { }; 294 - mod_announce.access = "announce"; 295 - # mod_auth_fast = { }; # I don't think this is yet supported by any client, also I may need to setup SASL 296 - mod_avatar = { }; 297 - # mod_block_strangers = { }; 298 - mod_blocking = { 
}; 299 - mod_bosh = { }; 300 - mod_caps = { }; 301 - mod_carboncopy = { }; 302 - mod_client_state = { }; 303 - mod_configure = { }; 304 - mod_disco = { 305 - server_info = [ 306 - { 307 - modules = "all"; 308 - name = "abuse-addresses"; 309 - urls = [ 310 - "mailto:abuse-xmpp@butwho.org" 311 - "xmpp:yemou@butwho.org" 312 - ]; 313 - } 314 - { 315 - modules = [ 316 - "mod_disco" 317 - "mod_vcard" 318 - ]; 319 - name = "admin-addresses"; 320 - urls = [ 321 - "mailto:admin-xmpp@butwho.org" 322 - "xmpp:yemou@butwho.org" 323 - ]; 324 - } 325 - ]; 326 - }; 327 - # The documentation for this module says that it shouldn't be used behind a reverse proxy, but the 328 - # `trusted_proxies` option documentation says it can provide the real ip address to this module. I will leave 329 - # this on for now but if it causes issues later I will disable it. 330 - mod_fail2ban = { }; 331 - mod_http_api = { }; 332 - mod_http_upload = { 333 - custom_headers = { 334 - Access-Control-Allow-Origin = "https://@HOST@"; 335 - Access-Control-Allow-Methods = "GET,HEAD,PUT,OPTIONS"; 336 - Access-Control-Allow-Headers = "Content-Type"; 337 - }; 338 - docroot = "/var/lib/ejabberd/upload"; 339 - put_url = "https://@HOST@:5443/upload"; 340 - thumbnail = true; 341 - }; 342 - # mod_http_upload_quota = { }; 343 - mod_last = { }; 344 - mod_mam = { 345 - assume_mam_usage = true; 346 - compress_xml = true; 347 - default = "always"; 348 - }; 349 - # mod_matrix_gw = { }; # Once e2ee is implemented I may consider this 350 - # mod_mix.access_create = "mix_create"; # This seems like it will replace MUC in the future 351 - # mod_mix_pam = { }; 352 - # mod_mqtt = { }; 353 - # mod_mqtt_bridge = { }; 354 - mod_muc = { 355 - access = [ "allow" ]; 356 - access_admin = [ { allow = "admin"; } ]; 357 - access_create = "muc_create"; 358 - access_persistent = "muc_create"; 359 - access_mam = [ "allow" ]; 360 - default_room_options = { 361 - allow_subscription = true; 362 - mam = true; 363 - persistent = true; 364 - public 
= false; 365 - }; 366 - history_size = 50; 367 - hosts = [ "muc.@HOST@" ]; 368 - }; 369 - mod_muc_admin = { }; 370 - # mod_muc_log = { }; 371 - mod_muc_occupantid = { }; 372 - mod_muc_rtbl = { }; 373 - # mod_multicast = { }; 374 - mod_offline.access_max_user_messages = "max_user_offline_messages"; 375 - mod_ping = { }; 376 - # mod_pres_counter = { }; 377 - mod_privacy = { }; 378 - mod_private = { }; 379 - mod_proxy65 = { 380 - access = "local"; 381 - hostname = "proxy.@HOST@"; 382 - ip = "::"; 383 - # max_connections = 5; 384 - }; 385 - mod_pubsub = { 386 - access_createnode = "pubsub_createnode"; 387 - force_node_config."storage:bookmarks".access_model = "whitelist"; 388 - plugins = [ 389 - "flat" 390 - "pep" 391 - ]; 392 - }; 393 - mod_push = { }; 394 - mod_push_keepalive = { }; 395 - mod_register = { 396 - ip_access = "trusted_network"; 397 - welcome_message = { 398 - subject = "Welcome to the butwho XMPP server!"; 399 - body = '' 400 - A public room is available at xmpp:hello@muc.butwho.org?join 401 - Have fun! 402 - 403 - This server is managed by yemou. 404 - If you need help with something you can reach me via email or xmpp. 405 - mailto:admin-xmpp@butwho.org 406 - xmpp:yemou@butwho.org 407 - ''; 408 - }; 409 - }; 410 - # mod_register_web = { }; 411 - mod_roster = { 412 - store_current_id = true; 413 - versioning = true; 414 - }; 415 - mod_s2s_bidi = { }; 416 - # NOTE: It looks like this module is only recomended for backwards compatibility. If I enable it, it should be 417 - # done for servers I've verified aren't compromised. 
418 - mod_s2s_dialback = { }; 419 - mod_scram_upgrade = { 420 - offered_upgrades = [ "sha512" ]; 421 - }; 422 - # mod_service_log = { }; 423 - # mod_shared_roster = { }; 424 - # mod_shared_roster_ldap = { }; 425 - # TODO: Setup mod_sip 426 - # https://docs.ejabberd.im/admin/configuration/listen/#ejabberd_sip 427 - # https://docs.ejabberd.im/admin/configuration/modules/#mod_sip 428 - # NOTE: I cannot setup mod_sip since it doesn't support SCRAM passwords 429 - # mod_sip = { }; 430 - mod_stream_mgmt.resend_on_timeout = "if_offline"; 431 - mod_stun_disco = { 432 - services = [ 433 - { 434 - host = config.garden.info.network.lily.ipv4; 435 - port = 3478; 436 - type = "stun"; 437 - transport = "udp"; 438 - restricted = false; 439 - } 440 - { 441 - host = config.garden.info.network.lily.ipv4; 442 - port = 3478; 443 - type = "turn"; 444 - transport = "udp"; 445 - restricted = true; 446 - } 447 - { 448 - host = config.garden.info.network.lily.ipv6; 449 - port = 3478; 450 - type = "stun"; 451 - transport = "udp"; 452 - restricted = false; 453 - } 454 - { 455 - host = config.garden.info.network.lily.ipv6; 456 - port = 3478; 457 - type = "turn"; 458 - transport = "udp"; 459 - restricted = true; 460 - } 461 - { 462 - host = config.garden.info.network.lily.ipv4; 463 - port = 3478; 464 - type = "stun"; 465 - transport = "tcp"; 466 - restricted = false; 467 - } 468 - { 469 - host = config.garden.info.network.lily.ipv4; 470 - port = 3478; 471 - type = "turn"; 472 - transport = "tcp"; 473 - restricted = true; 474 - } 475 - { 476 - host = config.garden.info.network.lily.ipv6; 477 - port = 3478; 478 - type = "stun"; 479 - transport = "tcp"; 480 - restricted = false; 481 - } 482 - { 483 - host = config.garden.info.network.lily.ipv6; 484 - port = 3478; 485 - type = "turn"; 486 - transport = "tcp"; 487 - restricted = true; 488 - } 489 - { 490 - host = "butwho.org"; 491 - port = 5349; 492 - type = "stuns"; 493 - transport = "tcp"; 494 - restricted = false; 495 - } 496 - { 497 - host = 
"butwho.org"; 498 - port = 5349; 499 - type = "turns"; 500 - transport = "tcp"; 501 - restricted = true; 502 - } 503 - ]; 504 - }; 505 - mod_time = { }; 506 - mod_vcard = { }; 507 - mod_vcard_xupdate = { }; 508 - mod_version.show_os = false; 509 - }; 510 - } 511 - ); 512 - imagemagick = true; 513 - }; 514 - 515 - systemd.services.ejabberd = { 516 - path = with pkgs; [ inotify-tools ]; 517 - requires = [ "postgresql.service" ]; 518 - }; 519 - }
-73
modules/services/eturnal.nix
··· 1 - { config, ... }: 2 - { 3 - imports = [ ../eturnal.nix ]; 4 - 5 - sops = { 6 - secrets."eturnal/secret".sopsFile = ../../secrets/dali.yaml; 7 - templates.eturnal-secret = { 8 - owner = "eturnal"; 9 - group = "eturnal"; 10 - content = '' 11 - ETURNAL_SECRET=${config.sops.placeholder."eturnal/secret"} 12 - ''; 13 - }; 14 - }; 15 - 16 - networking.firewall.interfaces."enp1s0" = { 17 - allowedTCPPorts = [ 18 - 3478 19 - 5349 20 - ]; 21 - allowedUDPPorts = [ 3478 ]; 22 - allowedUDPPortRanges = [ 23 - { 24 - from = 49152; 25 - to = 65535; 26 - } 27 - ]; 28 - }; 29 - 30 - services.eturnal = { 31 - enable = true; 32 - secret = config.sops.templates.eturnal-secret.path; 33 - settings = { 34 - eturnal = { 35 - listen = [ 36 - { 37 - ip = "::"; 38 - port = 3478; 39 - transport = "udp"; 40 - enable_turn = true; 41 - } 42 - { 43 - ip = "::"; 44 - port = 3478; 45 - transport = "tcp"; 46 - enable_turn = true; 47 - } 48 - { 49 - ip = "::"; 50 - port = 5349; 51 - transport = "tls"; 52 - enable_turn = true; 53 - } 54 - ]; 55 - relay_ipv4_addr = config.garden.info.network.dandelion.ipv4; 56 - relay_ipv6_addr = config.garden.info.network.dandelion.ipv6; 57 - relay_min_port = 49152; 58 - relay_max_port = 65535; 59 - blacklist_peers = [ "recommended" ]; 60 - strict_expiry = false; 61 - tls_crt_file = "/nfs/caddy-certs/butwho.org/butwho.org.crt"; 62 - tls_key_file = "/nfs/caddy-certs/butwho.org/butwho.org.key"; 63 - log_level = "info"; 64 - # log_rotate_size = 10485760; 65 - # log_rotate_count = 10; 66 - log_dir = "stdout"; 67 - modules = { 68 - mod_log_stun = { }; 69 - }; 70 - }; 71 - }; 72 - }; 73 - }
-25
modules/services/libvirt.nix
··· 1 - { pkgs, ... }: 2 - { 3 - hardware.graphics.enable = true; 4 - users.users.mou.extraGroups = [ 5 - "libvirtd" 6 - "kvm" 7 - ]; 8 - environment.persistence."/data/persistent".directories = [ "/var/lib/libvirt" ]; 9 - 10 - virtualisation.libvirtd = { 11 - enable = true; 12 - qemu = { 13 - swtpm.enable = true; 14 - ovmf = { 15 - enable = true; 16 - packages = [ 17 - (pkgs.OVMF.override { 18 - secureBoot = true; 19 - tpmSupport = true; 20 - }).fd 21 - ]; 22 - }; 23 - }; 24 - }; 25 - }
+3 -10
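--- a/modules/services/openssh.nix
+++ b/modules/services/openssh.nix
@@ -2,16 +2,9 @@
 {
 imports = [ ../openssh.nix ];
 
-users.users = {
-mou.openssh.authorizedKeys.keys = [
-"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnyBRVRLKrlsAlMFXimvcF/mBjmSfixdzUX4yCZsYvE lutea"
-];
-# TODO: Either move this somewhere into sss or just remove it completly along with sss
-# seedling.openssh.authorizedKeys.keys = [
-# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBZ1NlSJbQPkMxk+jW2Gh2DWBDGZ5mRvROqwbCrdrui seedling@dandelion"
-# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDAyk3iOL/ax+EV1Ubo0SQy6kPwcjVCxwRQb9g0IKj6Z seedling@lily"
-# ];
-};
+users.users.mou.openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnyBRVRLKrlsAlMFXimvcF/mBjmSfixdzUX4yCZsYvE lutea"
+];
 
 services.openssh.settings.AllowUsers = [
 "mou@${config.garden.info.network.lutea.netbird-ip}"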
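Review bot: The `lutea` key on line 6 is installed without any authorized_keys options, so where it is accepted from is governed only by the `AllowUsers` pattern below, and any other module that adds a `mou@…` entry widens that (the remote-builder module contributed its own `AllowUsers` entry until this commit). Prefixing the key string with `restrict,from="<lutea-netbird-ip>" ` (placeholder for the address `config.garden.info.network.lutea.netbird-ip` resolves to) attaches the source restriction to the key itself, so it holds even if the `AllowUsers` list is later extended elsewhere. The `AllowUsers` list continues past the end of the hunk.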
-2
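--- a/modules/services/pds.nix
+++ b/modules/services/pds.nix
@@ -33,8 +33,6 @@
 '';
 };
 
-networking.firewall.interfaces.${config.services.netbird.clients.homelab.interface}.allowedTCPPorts = [ 3000 ];
-
 services.pds = {
 enable = true;
 pdsadmin.enable = true;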
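Review bot: Closing port 3000 on the netbird interface is consistent with dandelion no longer proxying to this host, but whether PDS is still reachable from other interfaces depends on its listen address in the `services.pds` settings, which begin on line 36 and continue past the hunk; worth confirming it binds to loopback so that the firewall is not the only thing keeping it off the network. A short comment above `services.pds`, e.g. `# not exposed directly; presumably fronted by the local caddy vhost — confirm bind address`, would record that intent for the next reader.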
-37
modules/sss-mount.nix
··· 1 - { 2 - config, 3 - lib, 4 - pkgs, 5 - ... 6 - }: 7 - lib.mkIf (config.garden.info.host.sss-mount == true) { 8 - environment.systemPackages = [ pkgs.rclone ]; 9 - 10 - fileSystems."/sss" = { 11 - device = "sss:/data/sss"; 12 - fsType = "rclone"; 13 - depends = [ "/home/mou" ]; # Why does this depend on my home dir? 14 - options = [ 15 - "allow_non_empty" 16 - "allow_other" 17 - "args2env" 18 - "config=${pkgs.writeText "rclone-mnt.conf" '' 19 - [sss] 20 - type = sftp 21 - host = ${config.garden.info.network.lily.netbird-ip} 22 - port = 2222 23 - user = seedling 24 - key_file = /data/seedling/id_ed25519 25 - ''}" 26 - "dir_cache_time=1m" 27 - "gid=1001" 28 - "nodev" 29 - "nofail" 30 - "poll_interval=30s" 31 - "sftp_md5sum_command=${pkgs.coreutils}/bin/md5sum" 32 - "sftp_sha1sum_command=${pkgs.coreutils}/bin/sha1sum" 33 - "uid=1000" 34 - "vfs_cache_mode=full" 35 - ]; 36 - }; 37 - }
-19
modules/sss.nix
··· 1 - # TODO: replace this with a better solution that doesn't rely on ssh 2 - # - Preferablly peer-to-peer 3 - { config, ... }: 4 - { 5 - imports = [ ./sss-mount.nix ]; 6 - 7 - services.openssh.settings.AllowUsers = [ "seedling@${config.garden.info.network.dandelion.netbird-ip}" ]; 8 - 9 - # TODO: seedling shouldn't be a "real" user 10 - users = { 11 - groups.seedling.gid = 1001; 12 - users.seedling = { 13 - isNormalUser = true; 14 - uid = 1001; 15 - group = "seedling"; 16 - extraGroups = [ "users" ]; 17 - }; 18 - }; 19 - }
-90
modules/syncthing.nix
··· 1 - { config, lib, ... }: 2 - { 3 - options.garden.info.syncthing = lib.mkOption { 4 - description = "Information about the syncthing network"; 5 - type = 6 - with lib.types; 7 - attrsOf ( 8 - submodule ( 9 - { name, ... }: 10 - { 11 - options = { 12 - name = lib.mkOption { 13 - type = str; 14 - description = "Name of the device"; 15 - }; 16 - device-id = lib.mkOption { 17 - type = str; 18 - description = "Syncthing ID for the device"; 19 - }; 20 - }; 21 - 22 - config.name = name; 23 - } 24 - ) 25 - ); 26 - }; 27 - 28 - config = { 29 - garden.info.syncthing = builtins.fromJSON (builtins.readFile ../hidden/syncthing.json); 30 - 31 - environment.persistence."/data/persistent".directories = [ 32 - { 33 - directory = "/var/lib/syncthing"; 34 - user = "syncthing"; 35 - group = "syncthing"; 36 - mode = "0750"; 37 - } 38 - ]; 39 - 40 - sops.secrets = { 41 - "syncthing/cert" = { }; 42 - "syncthing/key" = { }; 43 - }; 44 - 45 - networking.firewall.interfaces.${config.services.netbird.clients.homelab.interface} = { 46 - allowedTCPPorts = [ 22000 ]; 47 - allowedUDPPorts = [ 22000 ]; 48 - }; 49 - 50 - services.syncthing = { 51 - enable = true; 52 - cert = config.sops.secrets."syncthing/cert".path; 53 - key = config.sops.secrets."syncthing/key".path; 54 - overrideFolders = true; 55 - overrideDevices = true; 56 - settings = { 57 - devices = lib.mkMerge [ 58 - (lib.mkIf (config.networking.hostName != "dandelion") { 59 - "dandelion" = { 60 - id = config.garden.info.syncthing.dandelion.device-id; 61 - addresses = [ 62 - "tcp://${config.garden.info.network.dandelion.netbird-ip}" 63 - "quic://${config.garden.info.network.dandelion.netbird-ip}" 64 - ]; 65 - }; 66 - }) 67 - (lib.mkIf (config.networking.hostName != "lily") { 68 - "lily" = { 69 - id = config.garden.info.syncthing.lily.device-id; 70 - addresses = [ 71 - "tcp://${config.garden.info.network.lily.netbird-ip}" 72 - "quic://${config.garden.info.network.lily.netbird-ip}" 73 - ]; 74 - }; 75 - }) 76 - ]; 77 - options = { 78 - 
urAccepted = -1; 79 - relaysEnabled = false; 80 - globalAnnounceEnabled = false; 81 - localAnnounceEnabled = false; 82 - startBrowser = false; 83 - stunServer = "butwho.org:3478"; 84 - }; 85 - }; 86 - }; 87 - 88 - users.users.syncthing.homeMode = "750"; 89 - }; 90 - }
+2 -15
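--- a/readme.md
+++ b/readme.md
@@ -3,7 +3,6 @@
 
 | Hostname | Machine Type |
 | ---------- | ------------ |
-| dandelion | VPS |
 | lily | Home Server |
 | lutea | Desktop |
 
@@ -17,21 +16,9 @@
 edit configuration files.
 
 # Services
-## dandelion
-This machine is mostly used to proxy into my home server.
-This gives me a stable IP with the added benefit that I don't need to open ports on my home router to expose services to
-the internet.
-
-This machine hosts:
+- [atproto-pds](https://github.com/bluesky-social/pds)
 - [Caddy](https://caddyserver.com)
-- [eturnal](https://eturnal.net)
-- [soju](https://soju.im)
-
-## lily
-This machine is where most of my services are hosted.
-
-This machine hosts:
-- [atproto-pds](https://github.com/bluesky-social/pds)
 - [ejabberd](https://www.ejabberd.im)
 - [Nextcloud](https://nextcloud.com)
+- [soju](https://soju.im)
 - [tangled-knot](https://tangled.sh/@tangled.sh/core)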
-26
secrets/dali.yaml
··· 1 - eturnal: 2 - secret: ENC[AES256_GCM,data:rC9/wYmR6N6Es5/0MdmGBIkWIxJMIJ8ULeOZ1foe8JHbRwhf7UeYzMJfSsbnS1Gg1Vq9RD5JuBO+tsQlA34I3w==,iv:MnDnY6jvzYvsgKz3vrV3bnvrAc0vJ/LFxC5hlCZgAL8=,tag:areKVtVopvpHWQVbCuAZQQ==,type:str] 3 - sops: 4 - age: 5 - - recipient: age1p5y7px4qnlgxgxd6j5vg4wtpzs24fnh4808ws7gah3x89j66muasxz7ck2 6 - enc: | 7 - -----BEGIN AGE ENCRYPTED FILE----- 8 - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZVA3N3Ivc0V4Ukl5TE5I 9 - NmdsRFB0Z1BicHFjWU55MFM4amZWa1l4NXpJCkVnemF0N0VSVzZXVEM4bUErQjlD 10 - eXFtVXRmSnNFaVZ0NHNBZEhOSFFmMjQKLS0tIFREc2xIcmFIbWpXVG9OSzZEaGxT 11 - Y2loSzVRZzc5d3M1Ti9xL1V0ekJEV2MKypKYYVVORwRuqTXF5jO+x2F2ENTJkhR+ 12 - UOXBeMqYM2tcXYjEGk1NvnZJBFyqEFK56TEUy/Gtn80HFO3G/pXTfQ== 13 - -----END AGE ENCRYPTED FILE----- 14 - - recipient: age1amaa55e7nusv904a9ucfvtnjlw4srtet42suehey6u3yc4t2xc5sdldepj 15 - enc: | 16 - -----BEGIN AGE ENCRYPTED FILE----- 17 - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SmZSS1dPRitNOXp6S1lB 18 - K2NvNzFWcWJ5REZOQ0tCbzFESlZwL1U3QWpVCmJBVDBwd3VBcCtjQ2JFWEdQU3Ni 19 - M3NWanJHNjJ5K05oUWZBWGtqdVYvUHMKLS0tIDIxWnkwVG5MTTZrSmIrSnZTRXVT 20 - VkVnMG5kZWVUZEVJRHJUU0hRcWZWV2cK22iJgZdKJlsrb8bnqbdsbBG6VP7Z4Nwv 21 - MVsj271gk1wBN7PqBY8ttECAAt3fD0BqZLQ6BKxdpvy/DLEcCncfJg== 22 - -----END AGE ENCRYPTED FILE----- 23 - lastmodified: "2025-05-12T21:30:30Z" 24 - mac: ENC[AES256_GCM,data:+yUDYdPP3qRis/qJSrAUL2Q6VHuhadvJ8zPkoBrXfkfAVErADXAk6htV4G0mL1CfCVN+5M6++s1HASWPr+Rx6mMxQLoJomHv1Wpr84lfwOnJUCFNreOCMzt8Q0ZwN4FURQHTz3VAAJXHoPPUmhFdw8BUXZDlB1KKJES33terHaU=,iv:xu6i90s0HweUrAp0qPBS99Eg1jqhtcxcHLWc/mp4X4s=,tag:Z3NrYk0SP1ojvZej4IszNg==,type:str] 25 - unencrypted_suffix: _unencrypted 26 - version: 3.10.2
-22
secrets/dandelion.yaml
··· 1 - machine-id: ENC[AES256_GCM,data:wIOxj262TN2DlMcbaa1FrjV1VUWfOol61DCwDMFAZk0=,iv:GwWgBhmzX0QiDx7i8GqccdRO3gpO0DaSQUUgoDwTEv0=,tag:0NYsxLXlGrn3gnXbVQaW1w==,type:str] 2 - passwordHashes: 3 - root: ENC[AES256_GCM,data:Sd7brLDa9QLKBUrPMPMDDMG1rZc1jklLXjDprhK/X27ZPg/T6hDFvfc0buWoY8Rbidw9WoT3oA8Me9SQF6U70Mr1HNUHYlT2zA==,iv:1z2SgWdghTk5dp+OCWdj1h5KWMXgO8gjDKoG1FljMy8=,tag:T4nkg2jJudq8JOsf8w06zA==,type:str] 4 - mou: ENC[AES256_GCM,data:xKNnwWsLSh41U7n8aGa7kkO8ylo2hcCpuZ7tptZKm132eyH5rUk1poVqqqoxQSMdiWQKrTlLAXZuQJM/lG9xr62Yfvy4mhz1sA==,iv:UL1+u/Beilym5sL5AeqVky/o7q332Hm0nDJ9CJ1lVec=,tag:LuO4dqTERugIap6oOsNokA==,type:str] 5 - syncthing: 6 - cert: ENC[AES256_GCM,data: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,iv:GGQrllOl1zM3euq+Lffq/BrEM+D/Xso2AfKBGMDSPIk=,tag:PYp0THpNq9ZQhxmrB/WNyw==,type:str] 7 - key: ENC[AES256_GCM,data:PsOpgifBULla8rCdxFPzujl0YHYY8s+r/Pd7GYMZqe+Jybni9roHlVsfqGChBPBvvHhE4EDFGo+vfncjGGUjlhGGIIuJstyepoYaU7k2t480NdJ5j1lDH/ualuzD4Vvvo3gqRS9SMYxes1bKOP9a8PJ1m1zEcBCH6qn4DvI0yqsZhf53km46b/EBTZjeLrt/p0tSM6WdRP8wArDsn3Myb15bwVF4Qs4oPlS5Dm8K+dYbksphxe/Exod0b2ZRIiDuSF6bLwdM6nEBC46oF7qUsD/3XpzmmbRCGY/3UrbOzRhyuhDB4ze3baEjeNwJQVzgBsJMSE8bX7vDcWGBD3S/hqSrp3BCrnKTN38Dw+y4baaMSpIAsQx7Wy3Q2GCBorg=,iv:5OrV6odFEreWrUjczCGI4r2kUuG+FumqqiybeAeoV2c=,tag:+DXZ/0RcoqeIbew3S/MDXA==,type:str] 8 - sops: 9 - age: 10 - - recipient: age1p5y7px4qnlgxgxd6j5vg4wtpzs24fnh4808ws7gah3x89j66muasxz7ck2 11 - enc: | 12 - -----BEGIN AGE ENCRYPTED FILE----- 13 - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0YzlrS0wyUm5EcEFycVFQ 14 - cjE5dGh1eXFtSE9kRXpldW5id1kvbWNpc0drCkRVZk14ZlJCaTlxNng5M3NPTzBl 15 - Q1BjNldnM2JpdTRDTmtnWXJ1MWx5VDAKLS0tIFdzemhWeHlOVjNiWGxIRXlrRk8r 16 - bFpBYWRMYi9wcXlvSkExNVEzNldMZ2MKSfrbClrpiSz4ZPlScIY3EpTyZMa9aiaY 17 - 6UhOvLwesOKm7TCFyKbSR+xFmro6kOCt0VpcxXtRBQ6Je0bo6HvuSA== 18 - -----END AGE ENCRYPTED FILE----- 19 - lastmodified: "2025-05-14T10:44:55Z" 20 - mac: 
ENC[AES256_GCM,data:iUYApCuh0T3vzhn4oebX1NaGgMsQF+U7q3mSdx5/IAPLxnv2++0w1+hZ3Yv4S8ij1OyL9sAedOsEt/3kCwXf3GblxofstbTO0srhQRvRjF16URmzjGj18ts8OdDDSUWdwRktGYEqlDeGetA75KAo/S2Zewx72MJCq0mOLyIqH8A=,iv:Mn+qTHaVQDFDbrykVUmPkjPjjfTXWoTZ0IF3KOskC6g=,tag:E5bO9sIsomAPfEB3PWziKQ==,type:str] 21 - unencrypted_suffix: _unencrypted 22 - version: 3.10.2
-23
secrets/fly-agaric.yaml
··· 1 - passwordHashes: 2 - root: ENC[AES256_GCM,data:yZ1irRkBL0HEM/fPxIA7KrG3HM4WhYeGzY4G/HFa5CejB6Z2fN3TVKrCuw347FCHMKEEIUsB7+ihStMrDYI14bQ1TuKG4x+rUA==,iv:fK9cru+Hsxlg17ipcIaCfuW6WrB4AB/Ccy+63BVD5dk=,tag:ibH08f6Tpo8DsB17WhPT1A==,type:str] 3 - mou: ENC[AES256_GCM,data:pRdU6/M4W5CnvmT86tTxJs/nRg4opmD3LQ1XTCmhZWZu7ErdRzpZmHg7tjOkITFBQ8J+nzZJ92RLeIVGadb3XoH/XE2TE2Y5EQ==,iv:iZIkcRKrly9SDbX2yXXt6bMdd4oIgUo79jANYPXUKGg=,tag:BKBcBJU58KcfWK9AIWNDPA==,type:str] 4 - sops: 5 - kms: [] 6 - gcp_kms: [] 7 - azure_kv: [] 8 - hc_vault: [] 9 - age: 10 - - recipient: age1tmfn7f2j8rhlg0gz3hcfjrwta3f0ecctc4dhpp6y8thtgta97c7q2vxnyl 11 - enc: | 12 - -----BEGIN AGE ENCRYPTED FILE----- 13 - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTEJnbTFZTForU0djK2dt 14 - U0tUMVgvY1FEME5TUWtuNFRUZExwaHQ0SWdVCnBCRUpxT2tRTzYyVFRmT0h4dXpP 15 - OEQ5TVlHdjIyM2QyMlA2SmE1QS9XZzgKLS0tIExwSXNIaUZEYnZvdXRnZzR5S2pu 16 - WE5FS3JGM3I4MWM3anNqUUYxRlFtdW8KH7OgurKrAmCgWpzsC+WPGSQ/hJ2kbEp9 17 - ZVqxDtQk6jk07T7jy0anoOKvXM1dE1dJ5/rUKemPOyO5khCZN/f39g== 18 - -----END AGE ENCRYPTED FILE----- 19 - lastmodified: "2024-06-16T03:12:40Z" 20 - mac: ENC[AES256_GCM,data:e5R7iBd+GZKt+UmdEHLK/BLJjJwRXGMTvgbU5p2Vl08mB/aq/s/4BmoiSWL1NPoNUDmtmU7l+8P3XnvwgYrOexSGi1XXaRVFZ34/F1NQU9YIaBeRMTpjfTQudibdkyrDH9lLq6vz4nGX9ckbHC8GXyBbHAB5K8SGkVOJbcpigy0=,iv:kJ0Qrgok7EI/CEYuS4awbWC6LcwyIIjGmyC9/5iJMO4=,tag:qqBxaBJIALhCF6jrC2kueg==,type:str] 21 - pgp: [] 22 - unencrypted_suffix: _unencrypted 23 - version: 3.8.1
+2 -5
secrets/lily.yaml
··· 21 21 plcRotationKeyK256PrivateKeyHex: ENC[AES256_GCM,data:2tpAI5RGc2fz09KoOeMr9OVheo34zhttaiYwhQHVPKvRz9p/PLtSxnkSHdiKyeqPT046kgq0+GJphxATRDweGA==,iv:ETfC1h10k2QS9tCO2t0874UNw57kJIwECJp8AH0bWWI=,tag:Chd1nRVE75jakFL2Uw/frA==,type:str] 22 22 tangled-knot: 23 23 secret: ENC[AES256_GCM,data:nFvN+4cXheWJwczJEQGBFpk92qjG8HaYrA2hN2w1VIV8rMiUCqypfTIJ904FE7Hq7AyewvcYYIBKMel+hpx2hA==,iv:jQ9JI+Jc57W+me6Q/ZLLmsif0Dovz/WQuUsXmJ6G4pk=,tag:54xtX8T9XzNCx4w7HzSrhg==,type:str] 24 - syncthing: 25 - cert: ENC[AES256_GCM,data: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,iv:jiT/ElmxZzjLNN1wmb8503Gue37Ki/icIjnGdvI/Z9w=,tag:EzHFlozw937NLIGxX1e2Ng==,type:str] 26 - key: ENC[AES256_GCM,data:6pn7Mo65P3D29l0KPtngIZ17xNkpXO4UpdMdx0EFBX3AipfYYJ5Em2dUCrGEc3Ggm1WMCh96mmEJMiZU3Cvoyj31vKovx4CHQDsDR4whgbWBRm5ThMP4u6+XHtrak+coZreNS4uOLWvslbt4LOVQ2fkJddVRt3/Jb3p7gzvVHh6x/2lUcEGOqEc4ighAuqN6SXQrdP1uugTd+Fco/MuLYY/XQHCOT7TXCeHg6jSncOub2FiPWzh7oV+tB6LbWs5EK4vMa3yDg9I6xEnVBaNWn4jnKDNhX3FygBKc7C8GRzCzozWj21+ceJixY7EFIW+iElC9D63KnzK9mpoyBBUcKIJpSBEmOAM7sB9qINtm4C9TR6tUh9xWgdU+q0YkCkE=,iv:Mg6UwacV9NBCobk75lcklL7XBDHyL90Bh9wJiqsvdME=,tag:r4KubPJNqdJ93Hg+R4Ib1Q==,type:str] 27 24 sops: 28 25 age: 29 26 - recipient: age1amaa55e7nusv904a9ucfvtnjlw4srtet42suehey6u3yc4t2xc5sdldepj ··· 35 32 cHlWQjF3ZkU5NUs0Y1hodUlabkxpdzAK91EV34EhJMrxxdVrRCwZlGKuRs7AU7v3 36 33 dU8XRhjAzJs2Vu5UnCVOGB5Zl6w7FkXICYY0IP2dA0b477dI5rXNBg== 37 34 -----END AGE ENCRYPTED FILE----- 38 - lastmodified: "2025-05-15T08:35:06Z" 39 - mac: ENC[AES256_GCM,data:WKQjyG6H7dA/OpY7UesET2mlWyBhZr0jLJ72SL4N2p/5QM0YiJQgybgzqwE1cc5368KMrJilAci4YkYdIZLcGun0M8ku0ataWZBfzbFkO88XbDfM8O+wehNpYUwSfWzySJV/3QharBIEJvDh1Ov86RTu0/mffS/VaaXWCo8kMF4=,iv:QHYwkEM+LEkBUJ+pXqY0PgmzJKDpEvHImgTH7Poqzzc=,tag:oR508w0XSq79n/pjlS++7A==,type:str] 35 + lastmodified: "2025-08-04T19:37:42Z" 36 + mac: 
ENC[AES256_GCM,data:fa975Ma/nOLbw5VRiTFlHikz6xsWJWCzRmd7MbySrOUIzoE59BokUQuiiA4Rg803nN2rB3wL8EP7lBZgoDSKfiYmkOm71Fi60n+qAsUW6Ryt8RqGqYYyKNPwrQlHfGAlh2Ag92kGa+X9noZgVquQdsGxQahxe3Q5nKPiIgr+ZTk=,iv:zaEuNYyNcmlfDsM6Qns+yoUGWiCj1Ji75SRE1fclvJ8=,tag:u+OyJrzswB/NjY16UILKQQ==,type:str] 40 37 unencrypted_suffix: _unencrypted 41 38 version: 3.10.2