cnst/cnix
1
0
Fork 0
Code Issues Pull Requests Activity

Compare commits

base: cnst:1dd06ef3f568d99f179cc4530e2d269a5fdc8460
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken
..
compare: cnst:broken
Branches Tags
cnst:main cnst:monitors cnst:working cnst:compare_broken cnst:revert cnst:broken

1 Commits
1dd06ef3f5 ... broken

Author SHA1 Message Date
cnst
123dfd7605 all the broken 2025-10-04 20:35:06 +02:00
88 changed files with 2066 additions and 1889 deletions
Expand all files Collapse all files

220
flake.lock generated
View File

@@ -8,11 +8,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1760836749, "lastModified": 1754433428,
"narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "2f0f812f69f3eb4140157fe15e12739adf82e32a", "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -29,11 +29,11 @@
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1761238850, "lastModified": 1758874004,
"narHash": "sha256-WGoqR+ULsh1w7yDNAtJiE27HX6zSlGPR4I2pgjAU/SA=", "narHash": "sha256-+RUCBtT01Z595NpGc6Tvms+dJ/C/cn1zdjT9+gE6dbU=",
"owner": "anyrun-org", "owner": "anyrun-org",
"repo": "anyrun", "repo": "anyrun",
"rev": "ae3c499316e9aa568acb3832566a1978ca665748", "rev": "3c571bc1514c4211d1d6c011a1d482f97efd9c5f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -83,11 +83,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760101617, "lastModified": 1755946532,
"narHash": "sha256-8jf/3ZCi+B7zYpIyV04+3wm72BD7Z801IlOzsOACR7I=", "narHash": "sha256-POePremlUY5GyA1zfbtic6XLxDaQcqHN6l+bIxdT5gc=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "aquamarine", "repo": "aquamarine",
"rev": "1826a9923881320306231b1c2090379ebf9fa4f8", "rev": "81584dae2df6ac79f6b6dae0ecb7705e95129ada",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -153,11 +153,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1760986121, "lastModified": 1759348172,
"narHash": "sha256-ilwuwZDPh0pNPTUYKUQQarAnwJwsggr60lQyae5R1vc=", "narHash": "sha256-ZPUJX2ZA0ndcHndIA/S/nRESIJV0rifPr91SUpzJtEM=",
"owner": "chaotic-cx", "owner": "chaotic-cx",
"repo": "nyx", "repo": "nyx",
"rev": "45286364d2570149037013a4fa098709776bdb41", "rev": "dd1af56ad79c965ee20c236ba6adbb2135ac02af",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -212,11 +212,11 @@
"rust-analyzer-src": "rust-analyzer-src" "rust-analyzer-src": "rust-analyzer-src"
}, },
"locked": { "locked": {
"lastModified": 1761201787, "lastModified": 1759473677,
"narHash": "sha256-RQG899vzsoRIMQ6ZR5bi1W9HOomUgID7tk3COQf/OaY=", "narHash": "sha256-9AFDP5AhXe06aXXPsV7bDGH7KA9Wo4uUtK7pRrsxuFQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "fenix", "repo": "fenix",
"rev": "1ab39eca6ce37b1db23b595c2a754c81ebf49507", "rev": "8532b07ced6a95d57650124c79534a3c770431ab",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -332,11 +332,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760948891, "lastModified": 1759362264,
"narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", "narHash": "sha256-wfG0S7pltlYyZTM+qqlhJ7GMw2fTF4mLKCIVhLii/4M=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", "rev": "758cf7296bee11f1706a574c77d072b8a7baa881",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -491,11 +491,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760663237, "lastModified": 1758108966,
"narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=", "narHash": "sha256-ytw7ROXaWZ7OfwHrQ9xvjpUWeGVm86pwnEd1QhzawIo=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37", "rev": "54df955a695a84cd47d4a43e08e1feaf90b1fd9b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -571,11 +571,11 @@
}, },
"hardware": { "hardware": {
"locked": { "locked": {
"lastModified": 1760958188, "lastModified": 1759261527,
"narHash": "sha256-2m1S4jl+GEDtlt2QqeHil8Ny456dcGSKJAM7q3j/BFU=", "narHash": "sha256-wPd5oGvBBpUEzMF0kWnXge0WITNsITx/aGI9qLHgJ4g=",
"owner": "nixos", "owner": "nixos",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "d6645c340ef7d821602fd2cd199e8d1eed10afbc", "rev": "e087756cf4abbe1a34f3544c480fc1034d68742f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -590,11 +590,11 @@
"rust-overlay": "rust-overlay_2" "rust-overlay": "rust-overlay_2"
}, },
"locked": { "locked": {
"lastModified": 1761141169, "lastModified": 1759201995,
"narHash": "sha256-5IZjbTvP5dNTD8CbEYlNbicdGcbCN9SC9ksMm2ZEXH0=", "narHash": "sha256-3STv6fITv8Ar/kl0H7vIA7VV0d2gyLh8UL0BOiVacXg=",
"owner": "helix-editor", "owner": "helix-editor",
"repo": "helix", "repo": "helix",
"rev": "d79cce4e4bfc24dd204f1b294c899ed73f7e9453", "rev": "bfcbef10c513108c7b43317569416c2eefc4ed44",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -610,11 +610,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1761235135, "lastModified": 1759337100,
"narHash": "sha256-cux9xeceLIER1lBxUa1gMafkz7gg5ntcUmJBynWdBWI=", "narHash": "sha256-CcT3QvZ74NGfM+lSOILcCEeU+SnqXRvl1XCRHenZ0Us=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "0adf9ba3f567da2d53af581a857aacf671aaa547", "rev": "004753ae6b04c4b18aa07192c1106800aaacf6c3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -652,11 +652,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760929667, "lastModified": 1759261733,
"narHash": "sha256-nZh6uvc71nVNaf/y+wesnjwsmJ6IZZUnP2EzpZe48To=", "narHash": "sha256-G104PUPKBgJmcu4NWs0LUaPpSOTD4jiq4mamLWu3Oc0=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "189c21cf879669008ccf06e78a553f17e88d8ef0", "rev": "5a21f4819ee1be645f46d6b255d49f4271ef6723",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -710,11 +710,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760445448, "lastModified": 1758192433,
"narHash": "sha256-fXGjL6dw31FPFRrmIemzGiNSlfvEJTJNsmadZi+qNhI=", "narHash": "sha256-CR6RnqEJSTiFgA6KQY4TTLUWbZ8RBnb+hxQqesuQNzQ=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprgraphics", "repo": "hyprgraphics",
"rev": "50fb9f069219f338a11cf0bcccb9e58357d67757", "rev": "c44e749dd611521dee940d00f7c444ee0ae4cfb7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -739,11 +739,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759490292, "lastModified": 1750621377,
"narHash": "sha256-T6iWzDOXp8Wv0KQOCTHpBcmAOdHJ6zc/l9xaztW6Ivc=", "narHash": "sha256-8u6b5oAdX0rCuoR8wFenajBRmI+mzbpNig6hSCuWUzE=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprgraphics", "repo": "hyprgraphics",
"rev": "9431db625cd9bb66ac55525479dce694101d6d7a", "rev": "b3d628d01693fb9bb0a6690cd4e7b80abda04310",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -803,11 +803,11 @@
"xdph": "xdph" "xdph": "xdph"
}, },
"locked": { "locked": {
"lastModified": 1761129162, "lastModified": 1759399554,
"narHash": "sha256-vJYlThaqdSYRKn1HcaMbkHeB95bXQwgG1ugrlSKQjHg=", "narHash": "sha256-FsFugHj7He5siEcmoRUdMKHB8uMzyneK/fynPS57W4E=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprland", "repo": "hyprland",
"rev": "057695bc3f7de5e8841c15252fc51029590895e4", "rev": "3bcfa94ee4189faaa4daf661949e88cf28c00d94",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -824,11 +824,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759613406, "lastModified": 1759238633,
"narHash": "sha256-PzgQJydp+RlKvwDi807pXPlURdIAVqLppZDga3DwPqg=", "narHash": "sha256-4/AtRCQKXuU49ozZZouWuC+T7vCjQh9HAz3N8Tt5OZE=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "contrib", "repo": "contrib",
"rev": "32e1a75b65553daefb419f0906ce19e04815aa3a", "rev": "513d71d3f42c05d6a38e215382c5a6ce971bd77d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -874,11 +874,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759610243, "lastModified": 1749046714,
"narHash": "sha256-+KEVnKBe8wz+a6dTLq8YDcF3UrhQElwsYJaVaHXJtoI=", "narHash": "sha256-kymV5FMnddYGI+UjwIw8ceDjdeg7ToDVjbHCvUlhn14=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprland-protocols", "repo": "hyprland-protocols",
"rev": "bd153e76f751f150a09328dbdeb5e4fab9d23622", "rev": "613878cb6f459c5e323aaafe1e6f388ac8a36330",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -942,11 +942,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759080228, "lastModified": 1757694755,
"narHash": "sha256-RgDoAja0T1hnF0pTc56xPfLfFOO8Utol2iITwYbUhTk=", "narHash": "sha256-j+w5QUUr2QT/jkxgVKecGYV8J7fpzXCMgzEEr6LG9ug=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprland-qtutils", "repo": "hyprland-qtutils",
"rev": "629b15c19fa4082e4ce6be09fdb89e8c3312aed7", "rev": "5ffdfc13ed03df1dae5084468d935f0a3f2c9a4c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -971,11 +971,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1758927902, "lastModified": 1756810301,
"narHash": "sha256-LZgMds7M94+vuMql2bERQ6LiFFdhgsEFezE4Vn+Ys3A=", "narHash": "sha256-wgZ3VW4VVtjK5dr0EiK9zKdJ/SOqGIBXVG85C3LVxQA=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprlang", "repo": "hyprlang",
"rev": "4dafa28d4f79877d67a7d1a654cddccf8ebf15da", "rev": "3d63fb4a42c819f198deabd18c0c2c1ded1de931",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1006,11 +1006,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760023949, "lastModified": 1759492718,
"narHash": "sha256-fu0B4duamVdbkPio/czu1XhsPLRXUJpZLDrSk3nih4U=", "narHash": "sha256-Mxi/LyyHE9VKUnBs4y1hXO+wRqukZJjbx/igqKQxkQk=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprlock", "repo": "hyprlock",
"rev": "36ec73f166d9434a3f27c96c575198906f77644a", "rev": "3cb799b1842016c85cca2db66fa502b8179cf0fe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1044,11 +1044,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760120448, "lastModified": 1754481642,
"narHash": "sha256-l/OxM4q/nLVv47OuS4bG2J7k0m+G7/3AMtvrV64XLb0=", "narHash": "sha256-e1phd6KwtUsS9C2ShD+fQvfk2Dgr2JQi+rTDQUW15iE=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprpaper", "repo": "hyprpaper",
"rev": "1733e0025b194c9bc083f4cd8782c5f151858a58", "rev": "bcb1ffa322369c4898347ab5a7399a3d18494c8f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1069,11 +1069,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759619523, "lastModified": 1756117388,
"narHash": "sha256-r1ed7AR2ZEb2U8gy321/Xcp1ho2tzn+gG1te/Wxsj1A=", "narHash": "sha256-oRDel6pNl/T2tI+nc/USU9ZP9w08dxtl7hiZxa0C/Wc=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprutils", "repo": "hyprutils",
"rev": "3df7bde01efb3a3e8e678d1155f2aa3f19e177ef", "rev": "b2ae3204845f5f2f79b4703b441252d8ad2ecfd0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1144,11 +1144,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1755184602, "lastModified": 1750371869,
"narHash": "sha256-RCBQN8xuADB0LEgaKbfRqwm6CdyopE1xIEhNc67FAbw=", "narHash": "sha256-lGk4gLjgZQ/rndUkzmPYcgbHr8gKU5u71vyrjnwfpB4=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "hyprwayland-scanner", "repo": "hyprwayland-scanner",
"rev": "b3b0f1f40ae09d4447c20608e5a4faf8bf3c492d", "rev": "aa38edd6e3e277ae6a97ea83a69261a5c3aab9fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1191,11 +1191,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760534924, "lastModified": 1759217228,
"narHash": "sha256-OIOCC86DxTxp1VG7xAiM+YABtVqp6vTkYIoAiGQMqso=", "narHash": "sha256-P13ExJlhMVkrc5LxZLNkIJZhjNYo3LLXnxDsUNrdnMQ=",
"owner": "Jovian-Experiments", "owner": "Jovian-Experiments",
"repo": "Jovian-NixOS", "repo": "Jovian-NixOS",
"rev": "100b4e000032b865563a9754e5bca189bc544764", "rev": "e52c15ab25f7dc68dde527c8df5bfa9d80d8e64f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1278,11 +1278,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1761184286, "lastModified": 1759455985,
"narHash": "sha256-yK/XQSwkOlgljcxNhlu08Zyp96DzF4eIU1leyWjyNZE=", "narHash": "sha256-8qDv7NXH3fj1CDXed7c7vJLtrRKDZSo0x6TaWSfelVg=",
"owner": "fufexan", "owner": "fufexan",
"repo": "nix-gaming", "repo": "nix-gaming",
"rev": "8ac5469d67b8c197832575db87f6bde38032a947", "rev": "eb5ab503cbd3cb386e8d85a55a9faed73ec7dc37",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1363,11 +1363,11 @@
}, },
"nixpkgs_3": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1760878510, "lastModified": 1759147044,
"narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=", "narHash": "sha256-3ZPFytJOcLjTChljeaGgoaNj+tOqzgEpqZAvRe3bU90=",
"owner": "NixOS", "owner": "PedroHLC",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67", "rev": "18e83bbe13aa50992777832b52bd0e0d8585fb3b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1395,11 +1395,11 @@
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1759381078, "lastModified": 1740560979,
"narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=", "narHash": "sha256-Vr3Qi346M+8CjedtbyUevIGDZW8LcA1fTG0ugPY/Hic=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee", "rev": "5135c59491985879812717f4c9fea69604e7f26f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1411,11 +1411,11 @@
}, },
"nixpkgs_6": { "nixpkgs_6": {
"locked": { "locked": {
"lastModified": 1760878510, "lastModified": 1758198701,
"narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=", "narHash": "sha256-7To75JlpekfUmdkUZewnT6MoBANS0XVypW6kjUOXQwc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67", "rev": "0147c2f1d54b30b5dd6d4a8c8542e8d7edf93b5d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1443,11 +1443,11 @@
}, },
"nixpkgs_8": { "nixpkgs_8": {
"locked": { "locked": {
"lastModified": 1761114652, "lastModified": 1759381078,
"narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=", "narHash": "sha256-gTrEEp5gEspIcCOx9PD8kMaF1iEmfBcTbO0Jag2QhQs=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c", "rev": "7df7ff7d8e00218376575f0acdcc5d66741351ee",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1482,11 +1482,11 @@
"systems": "systems_5" "systems": "systems_5"
}, },
"locked": { "locked": {
"lastModified": 1761112426, "lastModified": 1759469269,
"narHash": "sha256-fa3fIyXP3xQhsPaZX4WsFwPM9g64EMOucfDEC4o8Nwc=", "narHash": "sha256-DP833ejGUNRRHsJOB3WRTaWWXLNucaDga2ju/fGe+sc=",
"owner": "notashelf", "owner": "notashelf",
"repo": "nvf", "repo": "nvf",
"rev": "9b3e7bcf68ace2f07eb7478c40e45ce79332482b", "rev": "e48638aef3a95377689de0ef940443c64f870a09",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1505,11 +1505,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760663237, "lastModified": 1758108966,
"narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=", "narHash": "sha256-ytw7ROXaWZ7OfwHrQ9xvjpUWeGVm86pwnEd1QhzawIo=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37", "rev": "54df955a695a84cd47d4a43e08e1feaf90b1fd9b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1626,11 +1626,11 @@
"rust-analyzer-src": { "rust-analyzer-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1761178311, "lastModified": 1759301569,
"narHash": "sha256-M5VeAtfip2zdqHKG9Su+5vlDG8AhtTk1ktxUGXdARc8=", "narHash": "sha256-7StxDed3v2fAWLkl+Hse9FlpjT7Dk7Cn/4vxTFyEhIg=",
"owner": "rust-lang", "owner": "rust-lang",
"repo": "rust-analyzer", "repo": "rust-analyzer",
"rev": "f362735f822fe66ed2e357db53717b3db69dc6c9", "rev": "472037b789cf593172d6adf3b8d9f7a429f6cd9b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1648,11 +1648,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760927964, "lastModified": 1759286284,
"narHash": "sha256-+TjujgwBpeN0aaQ/lZQ8UPsWl9oEaihgbt6FvxTlpZk=", "narHash": "sha256-JLdGGc4XDutzSD1L65Ni6Ye+oTm8kWfm0KTPMcyl7Y4=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "6b1e691089a62d0852f9d3fd6693ee027bc98ac3", "rev": "f6f2da475176bb7cff51faae8b3fe879cd393545",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1669,11 +1669,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1759631821, "lastModified": 1740623427,
"narHash": "sha256-V8A1L0FaU/aSXZ1QNJScxC12uP4hANeRBgI4YdhHeRM=", "narHash": "sha256-3SdPQrZoa4odlScFDUHd4CUPQ/R1gtH4Mq9u8CBiK8M=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "1d7cbdaad90f8a5255a89a6eddd8af24dc89cafe", "rev": "d342e8b5fd88421ff982f383c853f0fc78a847ab",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1815,11 +1815,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760945191, "lastModified": 1758728421,
"narHash": "sha256-ZRVs8UqikBa4Ki3X4KCnMBtBW0ux1DaT35tgsnB1jM4=", "narHash": "sha256-ySNJ008muQAds2JemiyrWYbwbG+V7S5wg3ZVKGHSFu8=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "f56b1934f5f8fcab8deb5d38d42fd692632b47c2", "rev": "5eda4ee8121f97b218f7cc73f5172098d458f1d1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1903,11 +1903,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1760713634, "lastModified": 1755354946,
"narHash": "sha256-5HXelmz2x/uO26lvW7MudnadbAfoBnve4tRBiDVLtOM=", "narHash": "sha256-zdov5f/GcoLQc9qYIS1dUTqtJMeDqmBmo59PAxze6e4=",
"owner": "hyprwm", "owner": "hyprwm",
"repo": "xdg-desktop-portal-hyprland", "repo": "xdg-desktop-portal-hyprland",
"rev": "753bbbdf6a052994da94062e5b753288cef28dfb", "rev": "a10726d6a8d0ef1a0c645378f983b6278c42eaa0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -1923,11 +1923,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1761179366, "lastModified": 1759180079,
"narHash": "sha256-uH/qjlISL4oXjuFTMvOScsPBQPZG1wVEQCFyY3pNZNE=", "narHash": "sha256-5hqTGqAKcLEumY3tqOtHK17CA6RkzS1I0EGKfuoyb58=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "772796d1e5d05e9f2f443f61eb0da70391788053", "rev": "d4a254b38c7ac2b99931220d767610adfa3a57fe",
"revCount": 139, "revCount": 135,
"type": "git", "type": "git",
"url": "https://git.sr.ht/~canasta/zen-browser-flake" "url": "https://git.sr.ht/~canasta/zen-browser-flake"
}, },

39
flake.nix
View File

@@ -1,8 +1,9 @@
{ {
description = "cnix nix"; description = "cnix nix";
outputs = inputs: outputs =
inputs.flake-parts.lib.mkFlake {inherit inputs;} { inputs:
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
systems = [ systems = [
"x86_64-linux" "x86_64-linux"
"aarch64-linux" "aarch64-linux"
@@ -16,23 +17,25 @@
./fmt-hooks.nix ./fmt-hooks.nix
]; ];
perSystem = { perSystem =
config, {
pkgs, config,
... pkgs,
}: { ...
devShells.default = pkgs.mkShell { }:
packages = [ {
pkgs.git devShells.default = pkgs.mkShell {
config.packages.repl packages = [
]; pkgs.git
name = "dots"; config.packages.repl
env.DIRENV_LOG_FORMAT = ""; ];
shellHook = '' name = "dots";
${config.pre-commit.installationScript} env.DIRENV_LOG_FORMAT = "";
''; shellHook = ''
${config.pre-commit.installationScript}
'';
};
}; };
};
}; };
inputs = { inputs = {

10
hosts/bunk/modules.nix
View File

@@ -3,7 +3,7 @@
boot = { boot = {
kernel = { kernel = {
variant = "latest"; variant = "latest";
hardware = ["amd"]; hardware = [ "amd" ];
}; };
loader = { loader = {
default = { default = {
@@ -20,7 +20,7 @@
}; };
graphics = { graphics = {
enable = true; enable = true;
vendors = ["amd"]; vendors = [ "amd" ];
}; };
logitech = { logitech = {
enable = false; enable = false;
@@ -73,8 +73,8 @@
enable = false; enable = false;
}; };
hyprland = { hyprland = {
enable = true; enable = false;
withUWSM = true; withUWSM = false;
}; };
inkscape = { inkscape = {
enable = false; enable = false;
@@ -86,7 +86,7 @@
enable = true; enable = true;
}; };
niri = { niri = {
enable = false; enable = true;
}; };
pkgs = { pkgs = {
enable = true; enable = true;

6
hosts/bunk/settings.nix
View File

@@ -10,7 +10,7 @@
name = "DP-3"; name = "DP-3";
width = 2560; width = 2560;
height = 1440; height = 1440;
refreshRate = "143.99"; refreshRate = 240;
position = "0x0"; position = "0x0";
transform = 0; transform = 0;
bitDepth = 10; bitDepth = 10;
@@ -20,7 +20,7 @@
name = "HDMI-A-1"; name = "HDMI-A-1";
width = 1920; width = 1920;
height = 1080; height = 1080;
refreshRate = "60"; refreshRate = 60;
position = "2560x0"; position = "2560x0";
# transform = 3; # transform = 3;
workspace = "5"; workspace = "5";
@@ -29,7 +29,7 @@
name = "eDP-1"; name = "eDP-1";
width = 1920; width = 1920;
height = 1200; height = 1200;
refreshRate = "60"; refreshRate = 60;
workspace = "1"; workspace = "1";
} }
]; ];

18
hosts/default.nix
View File

@@ -8,7 +8,7 @@
{ {
flake.nixosConfigurations = flake.nixosConfigurations =
let let
clib = import ../lib inputs.nixpkgs.lib; cLib = import ../lib inputs.nixpkgs.lib;
userConfig = "${self}/home"; userConfig = "${self}/home";
systemConfig = "${self}/system"; systemConfig = "${self}/system";
hostConfig = "${self}/hosts"; hostConfig = "${self}/hosts";
@@ -24,6 +24,7 @@
specialArgs = { specialArgs = {
inherit inherit
cLib
inputs inputs
outputs outputs
self self
@@ -36,20 +37,17 @@
smodPath smodPath
; ;
}; };
specialArgsWithClib = specialArgs // {
inherit clib;
};
in in
{ {
kima = nixosSystem { kima = nixosSystem {
specialArgs = specialArgsWithClib; inherit specialArgs;
modules = [ modules = [
./kima ./kima
"${self}/nix" "${self}/nix"
{ {
home-manager = { home-manager = {
users.cnst.imports = homeImports."cnst@kima"; users.cnst.imports = homeImports."cnst@kima";
extraSpecialArgs = specialArgsWithClib; extraSpecialArgs = specialArgs;
}; };
} }
self.nixosModules.nixos self.nixosModules.nixos
@@ -59,14 +57,14 @@
]; ];
}; };
bunk = nixosSystem { bunk = nixosSystem {
specialArgs = specialArgsWithClib; inherit specialArgs;
modules = [ modules = [
./bunk ./bunk
"${self}/nix" "${self}/nix"
{ {
home-manager = { home-manager = {
users.cnst.imports = homeImports."cnst@bunk"; users.cnst.imports = homeImports."cnst@bunk";
extraSpecialArgs = specialArgsWithClib; extraSpecialArgs = specialArgs;
}; };
} }
self.nixosModules.nixos self.nixosModules.nixos
@@ -99,14 +97,14 @@
]; ];
}; };
toothpc = nixosSystem { toothpc = nixosSystem {
specialArgs = specialArgsWithClib; inherit specialArgs;
modules = [ modules = [
./toothpc ./toothpc
"${self}/nix" "${self}/nix"
{ {
home-manager = { home-manager = {
users.toothpick.imports = homeImports."toothpick@toothpc"; users.toothpick.imports = homeImports."toothpick@toothpc";
extraSpecialArgs = specialArgsWithClib; extraSpecialArgs = specialArgs;
}; };
} }
self.nixosModules.nixos self.nixosModules.nixos

15
hosts/kima/modules.nix
View File

@@ -29,13 +29,6 @@
}; };
network = { network = {
enable = true; enable = true;
nameservers = [
"192.168.88.1"
"192.168.88.69"
];
search = [
"taila7448a.ts.net"
];
interfaces = { interfaces = {
"eno1" = { "eno1" = {
allowedTCPPorts = [ allowedTCPPorts = [
@@ -73,7 +66,7 @@
}; };
}; };
gamescope = { gamescope = {
enable = false; enable = true;
}; };
gimp = { gimp = {
enable = true; enable = true;
@@ -82,8 +75,8 @@
enable = false; enable = false;
}; };
hyprland = { hyprland = {
enable = true; enable = false;
withUWSM = true; withUWSM = false;
}; };
inkscape = { inkscape = {
enable = false; enable = false;
@@ -98,7 +91,7 @@
enable = true; enable = true;
}; };
niri = { niri = {
enable = false; enable = true;
}; };
pkgs = { pkgs = {
enable = true; enable = true;

6
hosts/kima/settings.nix
View File

@@ -10,7 +10,7 @@
name = "DP-3"; name = "DP-3";
width = 2560; width = 2560;
height = 1440; height = 1440;
refreshRate = "143.99"; refreshRate = 240;
position = "0x0"; position = "0x0";
transform = 0; transform = 0;
bitDepth = 10; bitDepth = 10;
@@ -20,7 +20,7 @@
name = "HDMI-A-1"; name = "HDMI-A-1";
width = 1920; width = 1920;
height = 1080; height = 1080;
refreshRate = "60"; refreshRate = 60;
position = "2560x0"; position = "2560x0";
transform = 3; transform = 3;
workspace = "5"; workspace = "5";
@@ -29,7 +29,7 @@
name = "eDP-1"; name = "eDP-1";
width = 1920; width = 1920;
height = 1200; height = 1200;
refreshRate = "60"; refreshRate = 60;
workspace = "1"; workspace = "1";
} }
]; ];

5
hosts/sobotka/default.nix
View File

@@ -68,10 +68,7 @@ in {
boot = { boot = {
supportedFilesystems = ["zfs"]; supportedFilesystems = ["zfs"];
zfs = { zfs.extraPools = ["data"];
package = pkgs.zfs_unstable;
extraPools = ["data"];
};
}; };
services.zfs = { services.zfs = {

2
hosts/sobotka/modules.nix
View File

@@ -109,7 +109,7 @@
enable = true; enable = true;
}; };
dev = { dev = {
enable = true; enable = false;
}; };
}; };
mysql-workbench = { mysql-workbench = {

334
hosts/sobotka/server.nix
View File

@@ -3,276 +3,104 @@
enable = true; enable = true;
email = "adam@cnst.dev"; email = "adam@cnst.dev";
domain = "cnix.dev"; domain = "cnix.dev";
ip = "192.168.88.14";
user = "share"; user = "share";
group = "share"; group = "share";
uid = 994; uid = 994;
gid = 993; gid = 993;
infra = { nginx = {
authentik = { enable = true;
enable = true; };
url = "auth.cnst.dev"; gitea = {
port = 9000; enable = true;
cloudflared = { };
tunnelId = "b66f9368-db9e-4302-8b48-527cda34a635"; unbound = {
credentialsFile = config.age.secrets.authentikCloudflared.path; enable = true;
}; };
}; homepage-dashboard = {
traefik = { enable = true;
enable = true; };
}; n8n = {
tailscale = { enable = true;
enable = true; };
}; bazarr = {
unbound = { enable = true;
enable = true; };
}; prowlarr = {
fail2ban = { enable = true;
enable = true; };
apiKeyFile = config.age.secrets.cloudflareFirewallApiKey.path; lidarr = {
zoneId = "0027acdfb8bbe010f55b676ad8698dfb"; enable = true;
}; };
keepalived = { sonarr = {
enable = true; enable = true;
interface = "enp6s0"; };
}; radarr = {
gluetun = { enable = true;
enable = true; };
}; jellyseerr = {
podman = { enable = true;
enable = true; };
}; jellyfin = {
www = { enable = false;
enable = true; cloudflared = {
url = "cnst.dev"; tunnelId = "234811e2-bc86-44b2-9abd-493686e25704";
port = 8283; credentialsFile = config.age.secrets.jellyfinCloudflared.path;
cloudflared = {
tunnelId = "e5076186-efb7-405a-998c-6155af7fb221";
credentialsFile = config.age.secrets.wwwCloudflared.path;
};
}; };
}; };
uptime-kuma = {
services = { enable = true;
homepage-dashboard = { };
enable = true; vaultwarden = {
subdomain = "dash"; enable = true;
exposure = "local"; url = "vault.cnst.dev";
port = 8082; cloudflared = {
tunnelId = "fdd98086-6a4c-44f2-bba0-eb86b833cce5";
credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
}; };
n8n = { };
enable = true; www = {
subdomain = "n8n"; enable = false;
exposure = "local"; url = "cnst.dev";
port = 5678; cloudflared = {
homepage = { tunnelId = "e5076186-efb7-405a-998c-6155af7fb221";
name = "n8n"; credentialsFile = config.age.secrets.wwwCloudflared.path;
description = "A workflow automation platform";
icon = "n8n.svg";
category = "Services";
};
}; };
ollama = { };
enable = true; authentik = {
subdomain = "ai"; enable = true;
exposure = "local"; url = "auth.cnst.dev";
port = 8001; cloudflared = {
homepage = { tunnelId = "b66f9368-db9e-4302-8b48-527cda34a635";
name = "ollama"; credentialsFile = config.age.secrets.authentikCloudflared.path;
description = "AI platform";
icon = "ollama.svg";
category = "Services";
};
};
bazarr = {
enable = true;
subdomain = "bazarr";
exposure = "local";
port = 6767;
homepage = {
name = "Bazarr";
description = "Subtitle manager";
icon = "bazarr.svg";
category = "Arr";
};
};
prowlarr = {
enable = true;
subdomain = "prowlarr";
exposure = "local";
port = 9696;
homepage = {
name = "Prowlarr";
description = "PVR indexer";
icon = "prowlarr.svg";
category = "Arr";
};
};
flaresolverr = {
enable = true;
subdomain = "flaresolverr";
exposure = "local";
port = 8191;
homepage = {
name = "FlareSolverr";
description = "Proxy to bypass Cloudflare/DDoS-GUARD protection";
icon = "flaresolverr.svg";
category = "Arr";
};
};
lidarr = {
enable = true;
subdomain = "lidarr";
exposure = "local";
port = 8686;
homepage = {
name = "Lidarr";
description = "Music collection manager";
icon = "lidarr.svg";
category = "Arr";
};
};
sonarr = {
enable = true;
subdomain = "sonarr";
exposure = "local";
port = 8989;
homepage = {
name = "Sonarr";
description = "Internet PVR for Usenet and Torrents";
icon = "sonarr.svg";
category = "Arr";
};
};
radarr = {
enable = true;
subdomain = "radarr";
exposure = "local";
port = 7878;
homepage = {
name = "Radarr";
description = "Movie collection manager";
icon = "radarr.svg";
category = "Arr";
};
};
jellyseerr = {
enable = true;
subdomain = "jellyseerr";
exposure = "local";
port = 5055;
homepage = {
name = "Jellyseerr";
description = "Media request and discovery manager";
icon = "jellyseerr.svg";
category = "Arr";
};
};
jellyfin = {
enable = true;
subdomain = "fin";
exposure = "tailscale";
port = 8096;
homepage = {
name = "Jellyfin";
description = "The Free Software Media System";
icon = "jellyfin.svg";
category = "Media";
};
};
uptime-kuma = {
enable = true;
subdomain = "uptime";
exposure = "local";
port = 3001;
homepage = {
name = "Uptime Kuma";
description = "Service monitoring tool";
icon = "uptime-kuma.svg";
category = "Services";
};
};
gitea = {
enable = true;
subdomain = "git";
exposure = "tunnel";
port = 5003;
cloudflared = {
tunnelId = "33e2fb8e-ecef-4d42-b845-6d15e216e448";
credentialsFile = config.age.secrets.giteaCloudflared.path;
};
homepage = {
name = "Gitea";
description = "Git with a cup of tea";
icon = "gitea.svg";
category = "Services";
};
};
vaultwarden = {
enable = true;
subdomain = "vault";
exposure = "tunnel";
port = 8222;
cloudflared = {
tunnelId = "fdd98086-6a4c-44f2-bba0-eb86b833cce5";
credentialsFile = config.age.secrets.vaultwardenCloudflared.path;
};
homepage = {
name = "Vaultwarden";
description = "Password manager";
icon = "vaultwarden-light.svg";
category = "Services";
};
};
nextcloud = {
enable = true;
subdomain = "cloud";
exposure = "local";
port = 8182;
homepage = {
name = "Nextcloud";
description = "A safe home for all your data";
icon = "nextcloud.svg";
category = "Services";
};
}; };
};
nextcloud = {
enable = true;
adminpassFile = config.age.secrets.nextcloudAdminPass.path;
};
fail2ban = {
enable = true;
apiKeyFile = config.age.secrets.cloudflareFirewallApiKey.path;
zoneId = "0027acdfb8bbe010f55b676ad8698dfb";
};
keepalived = {
enable = true;
interface = "enp6s0";
};
podman = {
enable = true;
gluetun.enable = true;
qbittorrent = { qbittorrent = {
enable = true; enable = false;
subdomain = "qbt"; port = 8387;
exposure = "local";
port = 8080;
homepage = {
name = "qBittorrent";
description = "Torrent client";
icon = "qbittorrent.svg";
category = "Downloads";
};
}; };
slskd = { slskd = {
enable = true; enable = true;
subdomain = "slskd";
exposure = "local";
port = 5030;
homepage = {
name = "Soulseek";
description = "Web-based Soulseek client";
icon = "slskd.svg";
category = "Downloads";
};
}; };
pihole = { pihole = {
enable = true; enable = false;
subdomain = "pihole";
exposure = "local";
port = 8053; port = 8053;
homepage = {
name = "PiHole";
description = "Adblocking and DNS service";
icon = "pi-hole.svg";
category = "Services";
path = "/admin";
};
}; };
}; };
}; };

4
hosts/sobotka/settings.nix
View File

@@ -4,10 +4,6 @@
username = "cnst"; username = "cnst";
mail = "adam@cnst.dev"; mail = "adam@cnst.dev";
sshUser = "sobotka"; sshUser = "sobotka";
domains = {
local = "cnix.dev";
public = "cnst.dev";
};
}; };
}; };
} }

2
hosts/toothpc/settings.nix
View File

@@ -10,7 +10,7 @@
name = "DVI-D-1"; name = "DVI-D-1";
width = 1920; width = 1920;
height = 1080; height = 1080;
refreshRate = "144"; refreshRate = 144;
position = "0x0"; position = "0x0";
transform = 0; transform = 0;
workspace = "1"; workspace = "1";

26
lib/server/default.nix
View File

@@ -1,26 +0,0 @@
{lib}: let
server = {
mkDomain = config: service: let
localDomain = config.settings.accounts.domains.local;
publicDomain = config.settings.accounts.domains.public;
tailscaleDomain = "ts.${publicDomain}";
in
if service.exposure == "tunnel"
then publicDomain
else if service.exposure == "tailscale"
then tailscaleDomain
else localDomain;
mkFullDomain = config: service: let
domain = server.mkDomain config service;
in "${service.subdomain}.${domain}";
mkHostDomain = config: service: let
domain = server.mkDomain config service;
in "${domain}";
mkSubDomain = config: service: "${service.subdomain}";
};
in {
server = server;
}

21
modules/default.nix
View File

@@ -123,6 +123,27 @@
server = { server = {
imports = [ imports = [
./server ./server
./server/fail2ban
./server/homepage-dashboard
./server/nextcloud
./server/vaultwarden
./server/bazarr
./server/prowlarr
./server/lidarr
./server/radarr
./server/sonarr
./server/jellyseerr
./server/jellyfin
./server/n8n
./server/podman
./server/unbound
./server/uptime-kuma
./server/keepalived
./server/gitea
./server/postgres
./server/nginx
./server/www
./server/authentik
]; ];
}; };
settings = { settings = {

79
modules/home/programs/git/default.nix
View File

@@ -15,54 +15,47 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
home.packages = [ pkgs.gh ]; home.packages = [ pkgs.gh ];
programs = { programs.git = {
git = { enable = true;
enable = true; userName = osConfig.settings.accounts.username;
settings = { userEmail = osConfig.settings.accounts.mail;
# user.signingkey = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
user = {
name = osConfig.settings.accounts.username;
email = osConfig.settings.accounts.mail;
signingkey = "${config.home.homeDirectory}/.config/git/allowed_signers";
};
signing = {
format = lib.mkDefault "ssh";
key = "${config.home.homeDirectory}/.ssh/id_ed25519";
signByDefault = true;
};
gpg = {
# format = lib.mkDefault "ssh";
ssh.allowedSignersFile =
config.home.homeDirectory + "/" + config.xdg.configFile."git/allowed_signers".target;
};
commit = {
verbose = true;
gpgSign = false;
};
init.defaultBranch = "main";
merge.conflictStyle = "diff3";
diff.algorithm = "histogram";
log.date = "iso";
column.ui = "auto";
branch.sort = "committerdate";
push.autoSetupRemote = true;
rerere.enabled = true;
};
lfs.enable = true;
ignores = [
".direnv"
"result"
".jj"
];
};
delta = { delta = {
enableGitIntegration = true;
enable = true; enable = true;
options.dark = true; options.dark = true;
}; };
extraConfig = {
# user.signingkey = "${config.home.homeDirectory}/.ssh/id_ed25519.pub";
user.signingkey = "${config.home.homeDirectory}/.config/git/allowed_signers";
signing = {
format = lib.mkDefault "ssh";
key = "${config.home.homeDirectory}/.ssh/id_ed25519";
signByDefault = true;
};
gpg = {
# format = lib.mkDefault "ssh";
ssh.allowedSignersFile =
config.home.homeDirectory + "/" + config.xdg.configFile."git/allowed_signers".target;
};
commit = {
verbose = true;
gpgSign = false;
};
init.defaultBranch = "main";
merge.conflictStyle = "diff3";
diff.algorithm = "histogram";
log.date = "iso";
column.ui = "auto";
branch.sort = "committerdate";
push.autoSetupRemote = true;
rerere.enabled = true;
};
lfs.enable = true;
ignores = [
".direnv"
"result"
".jj"
];
}; };
xdg.configFile."git/allowed_signers".text = '' xdg.configFile."git/allowed_signers".text = ''
${osConfig.settings.accounts.mail} namespaces="git" ${osConfig.settings.accounts.sshKey} ${osConfig.settings.accounts.mail} namespaces="git" ${osConfig.settings.accounts.sshKey}
''; '';

18
modules/home/programs/hyprlock/default.nix
View File

@@ -1,18 +1,26 @@
{ {
inputs,
pkgs,
lib, lib,
osConfig, osConfig,
clib, cLib,
... ...
}: let }:
inherit (lib) mkIf; let
inherit (lib) mkIf mkEnableOption;
cfg = osConfig.nixos.programs.hyprland; cfg = osConfig.nixos.programs.hyprland;
hyprlockFlake = inputs.hyprlock.packages.${pkgs.system}.hyprlock;
# hyprlockPkg = pkgs.hyprlock;
#
bg = osConfig.settings.theme.background; bg = osConfig.settings.theme.background;
inherit (clib.theme.bgs) resolve; inherit (cLib.theme.bgs) resolve;
in { in
{
config = mkIf cfg.enable { config = mkIf cfg.enable {
programs.hyprlock = { programs.hyprlock = {
enable = true; enable = true;
package = hyprlockFlake;
settings = { settings = {
general = { general = {
# disable_loading_bar = true; # disable_loading_bar = true;

2
modules/home/programs/pkgs/default.nix
View File

@@ -88,7 +88,7 @@ in
hyprpicker hyprpicker
libnotify libnotify
pamixer pamixer
loupe oculante
adwaita-icon-theme adwaita-icon-theme
qt5.qtwayland qt5.qtwayland
qt6.qtwayland qt6.qtwayland

12
modules/home/programs/waybar/config/config.jsonc
View File

@@ -10,7 +10,7 @@
"group/system" "group/system"
], ],
"modules-center": [ "modules-center": [
"hyprland/workspaces" "niri/workspaces"
], ],
"modules-right": [ "modules-right": [
"custom/progress", "custom/progress",
@@ -126,13 +126,9 @@
"all-outputs": false, "all-outputs": false,
"format": "{icon}", "format": "{icon}",
"format-icons": { "format-icons": {
"1": "1", "urgent": "",
"2": "2", "visible": "",
"3": "3", "empty": ""
"4": "4",
"5": "5",
"active": "_",
"default": "_"
}, },
"on-click": "activate", "on-click": "activate",
"show-special": false, "show-special": false,

6
modules/home/programs/waybar/config/style.css
View File

@@ -28,8 +28,8 @@ tooltip label {
margin: 0 0px; margin: 0 0px;
background-color: transparent; background-color: transparent;
color: #fbf1c7; color: #fbf1c7;
border-top: 2px solid transparent; border-top: 3px solid transparent;
border-bottom: 2px solid transparent; border-bottom: 3px solid transparent;
} }
#workspaces button:hover { #workspaces button:hover {
@@ -45,7 +45,7 @@ tooltip label {
background-image: url("assets/button.svg"); background-image: url("assets/button.svg");
background-position: center; background-position: center;
background-repeat: no-repeat; background-repeat: no-repeat;
background-size: 24px 20px; background-size: 18px 15px;
} }
#custom-trayicon { #custom-trayicon {

12
modules/home/services/hypridle/default.nix
View File

@@ -1,14 +1,22 @@
{ {
osConfig, osConfig,
lib, lib,
pkgs,
inputs,
... ...
}: let }:
let
inherit (lib) mkIf; inherit (lib) mkIf;
cfg = osConfig.nixos.programs.hyprland; cfg = osConfig.nixos.programs.hyprland;
in {
hypridleFlake = inputs.hypridle.packages.${pkgs.system}.hypridle;
# hypridlePkg = pkgs.hypridle;
in
{
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.hypridle = { services.hypridle = {
enable = true; enable = true;
package = hypridleFlake;
settings = { settings = {
general = { general = {
lock_cmd = "hyprlock"; lock_cmd = "hyprlock";

14
modules/home/services/hyprpaper/default.nix
View File

@@ -1,14 +1,18 @@
{ {
lib, lib,
pkgs,
inputs,
osConfig, osConfig,
clib, cLib,
... ...
}: let }:
let
inherit (lib) mkIf; inherit (lib) mkIf;
cfg = osConfig.nixos.programs.hyprland; cfg = osConfig.nixos.programs.hyprland;
hyprpaperFlake = inputs.hyprpaper.packages.${pkgs.system}.default;
bg = osConfig.settings.theme.background; bg = osConfig.settings.theme.background;
bgs = clib.theme.bgs; bgs = cLib.theme.bgs;
monitorMappings = [ monitorMappings = [
{ {
@@ -28,10 +32,12 @@
bg = bg.primary; bg = bg.primary;
} }
]; ];
in { in
{
config = mkIf cfg.enable { config = mkIf cfg.enable {
services.hyprpaper = { services.hyprpaper = {
enable = true; enable = true;
package = hyprpaperFlake;
settings = { settings = {
ipc = "on"; ipc = "on";

18
modules/home/services/xdg/default.nix
View File

@@ -84,15 +84,15 @@ in
"application/pdf" = "org.pwmt.zathura-pdf-mupdf.desktop"; "application/pdf" = "org.pwmt.zathura-pdf-mupdf.desktop";
"inode/directory" = "thunar.desktop"; "inode/directory" = "thunar.desktop";
"image/apng" = "feh.desktop"; "image/apng" = "oculante.desktop";
"image/avif" = "feh.desktop"; "image/avif" = "oculante.desktop";
"image/bmp" = "feh.desktop"; "image/bmp" = "oculante.desktop";
"image/gif" = "feh.desktop"; "image/gif" = "oculante.desktop";
"image/jpeg" = "feh.desktop"; "image/jpeg" = "oculante.desktop";
"image/png" = "feh.desktop"; "image/png" = "oculante.desktop";
"image/svg+xml" = "feh.desktop"; "image/svg+xml" = "oculante.desktop";
"image/tiff" = "feh.desktop"; "image/tiff" = "oculante.desktop";
"image/webp" = "feh.desktop"; "image/webp" = "oculante.desktop";
"video/H264" = [ "video/H264" = [
"mpv.desktop" "mpv.desktop"

33
modules/nixos/hardware/network/default.nix
View File

@@ -2,47 +2,38 @@
config, config,
lib, lib,
... ...
}: let }:
inherit let
(lib) inherit (lib)
mkIf mkIf
mkEnableOption mkEnableOption
mkOption mkOption
types types
; ;
cfg = config.nixos.hardware.network; cfg = config.nixos.hardware.network;
in { in
{
options = { options = {
nixos.hardware.network = { nixos.hardware.network = {
enable = mkEnableOption "Enable the custom networking module"; enable = mkEnableOption "Enable the custom networking module";
nameservers = mkOption {
type = types.listOf types.str;
default = [];
description = "The list of nameservers ";
};
search = mkOption {
type = types.listOf types.str;
default = [];
description = "Domain search paths";
};
interfaces = mkOption { interfaces = mkOption {
type = types.attrsOf ( type = types.attrsOf (
types.submodule { types.submodule {
options = { options = {
allowedTCPPorts = mkOption { allowedTCPPorts = mkOption {
type = types.listOf types.int; type = types.listOf types.int;
default = []; default = [ ];
description = "List of allowed TCP ports for this interface."; description = "List of allowed TCP ports for this interface.";
}; };
allowedUDPPorts = mkOption { allowedUDPPorts = mkOption {
type = types.listOf types.int; type = types.listOf types.int;
default = []; default = [ ];
description = "List of allowed UDP ports for this interface."; description = "List of allowed UDP ports for this interface.";
}; };
}; };
} }
); );
default = {}; default = { };
description = "Network interface configurations."; description = "Network interface configurations.";
}; };
extraHosts = mkOption { extraHosts = mkOption {
@@ -56,7 +47,7 @@ in {
config = mkIf cfg.enable { config = mkIf cfg.enable {
assertions = [ assertions = [
{ {
assertion = cfg.interfaces != {} -> config.networking.networkmanager.enable; assertion = cfg.interfaces != { } -> config.networking.networkmanager.enable;
message = "Network interfaces configured but NetworkManager is not enabled"; message = "Network interfaces configured but NetworkManager is not enabled";
} }
]; ];
@@ -64,8 +55,6 @@ in {
networking = { networking = {
networkmanager.enable = true; networkmanager.enable = true;
nftables.enable = true; nftables.enable = true;
nameservers = cfg.nameservers;
search = cfg.search;
firewall = { firewall = {
enable = true; enable = true;
inherit (cfg) interfaces; inherit (cfg) interfaces;
@@ -74,8 +63,8 @@ in {
}; };
systemd.services.NetworkManager = { systemd.services.NetworkManager = {
wants = ["nftables.service"]; wants = [ "nftables.service" ];
after = ["nftables.service"]; after = [ "nftables.service" ];
}; };
}; };
} }

4
modules/nixos/programs/hyprland/inputs.nix
View File

@@ -37,9 +37,9 @@ in
}; };
gestures = { gestures = {
# workspace_swipe = true; workspace_swipe = true;
workspace_swipe_distance = 400; workspace_swipe_distance = 400;
# workspace_swipe_fingers = 3; workspace_swipe_fingers = 3;
workspace_swipe_cancel_ratio = 0.2; workspace_swipe_cancel_ratio = 0.2;
workspace_swipe_min_speed_to_force = 5; workspace_swipe_min_speed_to_force = 5;
workspace_swipe_direction_lock = true; workspace_swipe_direction_lock = true;

42
modules/nixos/programs/hyprland/keybinds.nix
View File

@@ -49,6 +49,20 @@ in
"$mod, P, pseudo," "$mod, P, pseudo,"
"$mod, J, togglesplit," "$mod, J, togglesplit,"
"$mod, C, exec, hyprctl dispatch exec copyq toggle" "$mod, C, exec, hyprctl dispatch exec copyq toggle"
"$mod, left, movefocus, l"
"$mod, right, movefocus, r"
"$mod, up, movefocus, u"
"$mod, down, movefocus, d"
"$mod, 1, workspace, 1"
"$mod, 2, workspace, 2"
"$mod, 3, workspace, 3"
"$mod, 4, workspace, 4"
"$mod, 5, workspace, 5"
"$mod, 6, workspace, 6"
"$mod, 7, workspace, 7"
"$mod, 8, workspace, 8"
"$mod, 9, workspace, 9"
"$mod, 0, workspace, 10"
"$mod SHIFT, 1, movetoworkspace, 1" "$mod SHIFT, 1, movetoworkspace, 1"
"$mod SHIFT, 2, movetoworkspace, 2" "$mod SHIFT, 2, movetoworkspace, 2"
"$mod SHIFT, 3, movetoworkspace, 3" "$mod SHIFT, 3, movetoworkspace, 3"
@@ -61,30 +75,6 @@ in
"$mod SHIFT, 0, movetoworkspace, 10" "$mod SHIFT, 0, movetoworkspace, 10"
"CTRL SHIFT, Escape, exec, ${runOnce "resources"}" "CTRL SHIFT, Escape, exec, ${runOnce "resources"}"
"$mod, 1, workspace, 1"
"$mod, 2, workspace, 2"
"$mod, 3, workspace, 3"
"$mod, 4, workspace, 4"
"$mod, 5, workspace, 5"
"$mod, 6, workspace, 6"
"$mod, 7, workspace, 7"
"$mod, 8, workspace, 8"
"$mod, 9, workspace, 9"
"$mod, 0, workspace, 10"
"$mod, left, movefocus, l"
"$mod, right, movefocus, r"
"$mod, up, movefocus, u"
"$mod, down, movefocus, d"
"$mod SHIFT, left, resizeactive, -20 0"
"$mod SHIFT, right, resizeactive, 20 0"
"$mod SHIFT, up, resizeactive, 0 -20"
"$mod SHIFT, down, resizeactive, 0 20"
"$mod CTRL, left, swapwindow, l"
"$mod CTRL, right, swapwindow, r"
"$mod CTRL, up, swapwindow, u"
"$mod CTRL, down, swapwindow, d"
",XF86AudioLowerVolume, exec, volume-control.sh --dec" ",XF86AudioLowerVolume, exec, volume-control.sh --dec"
",XF86AudioRaiseVolume, exec, volume-control.sh --inc" ",XF86AudioRaiseVolume, exec, volume-control.sh --inc"
",XF86AudioMute, exec, volume-control.sh --toggle" ",XF86AudioMute, exec, volume-control.sh --toggle"
@@ -109,7 +99,7 @@ in
(mkIf (host == "kima") { (mkIf (host == "kima") {
programs.hyprland.settings = { programs.hyprland.settings = {
"$terminal" = "alacritty"; "$terminal" = "ghostty";
"$browser" = "zen"; "$browser" = "zen";
"$browserinc" = "zen --private-window"; "$browserinc" = "zen --private-window";
"$mod" = "SUPER"; "$mod" = "SUPER";
@@ -121,7 +111,7 @@ in
(mkIf (host == "bunk") { (mkIf (host == "bunk") {
programs.hyprland.settings = { programs.hyprland.settings = {
"$terminal" = "alacritty"; "$terminal" = "foot";
"$browser" = "zen"; "$browser" = "zen";
"$browserinc" = "zen --private-window"; "$browserinc" = "zen --private-window";
"$mod" = "ALT_L"; "$mod" = "ALT_L";

2
modules/nixos/programs/hyprland/layout.nix
View File

@@ -21,7 +21,7 @@ in
let let
resolution = resolution =
if m.width != null && m.height != null then if m.width != null && m.height != null then
"${toString m.width}x${toString m.height}@${m.refreshRate}" "${toString m.width}x${toString m.height}@${toString m.refreshRate}"
else else
"preferred"; "preferred";

24
modules/nixos/programs/pkgs/default.nix
View File

@@ -3,17 +3,16 @@
config, config,
lib, lib,
... ...
}: }: let
let inherit
inherit (lib) (lib)
mkIf mkIf
mkOption mkOption
mkMerge mkMerge
types types
; ;
cfg = config.nixos.programs.pkgs; cfg = config.nixos.programs.pkgs;
in in {
{
options = { options = {
nixos.programs.pkgs = { nixos.programs.pkgs = {
enable = mkOption { enable = mkOption {
@@ -51,8 +50,7 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
environment.systemPackages = environment.systemPackages = with pkgs;
with pkgs;
mkMerge [ mkMerge [
[ [
pciutils pciutils
@@ -78,10 +76,10 @@ in
openssl openssl
xmrig xmrig
ocl-icd ocl-icd
dig
] ]
(mkIf cfg.common.enable [ (mkIf cfg.common.enable [
qt6.full
swappy swappy
wayfreeze wayfreeze
imagemagick imagemagick
@@ -96,6 +94,9 @@ in
]) ])
(mkIf cfg.desktop.enable [ (mkIf cfg.desktop.enable [
protonup
winetricks
wine
geekbench geekbench
unigine-heaven unigine-heaven
]) ])
@@ -106,13 +107,17 @@ in
(mkIf cfg.server.enable [ (mkIf cfg.server.enable [
nvtopPackages.intel nvtopPackages.intel
nvtopPackages.amd
dig
helix helix
zfs
zfstools zfstools
cron
acme-sh
]) ])
(mkIf cfg.dev.enable [ (mkIf cfg.dev.enable [
# lldb_20 # some biuld error atm # lldb_20 # some biuld error atm
sqlite
gemini-cli gemini-cli
nfs-utils nfs-utils
gcc gcc
@@ -139,6 +144,7 @@ in
prettierd prettierd
# php84Packages.php-cs-fixer # php84Packages.php-cs-fixer
shfmt shfmt
luaformatter
black black
]) ])
]; ];

15
modules/nixos/programs/steam/default.nix
View File

@@ -1,7 +1,6 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
let let
@@ -18,20 +17,6 @@ in
enable = true; enable = true;
gamescopeSession.enable = true; gamescopeSession.enable = true;
}; };
gamescope = {
enable = true;
capSysNice = true;
args = [
"--rt"
"--expose-wayland"
];
};
}; };
environment.systemPackages = with pkgs; [
protonup
wine
winetricks
wine-wayland
];
}; };
} }

2
modules/nixos/services/agenix/default.nix
View File

@@ -70,7 +70,7 @@ in {
secrets = { secrets = {
cloudflareFirewallApiKey.file = "${self}/secrets/cloudflareFirewallApiKey.age"; cloudflareFirewallApiKey.file = "${self}/secrets/cloudflareFirewallApiKey.age";
cloudflareDnsApiToken.file = "${self}/secrets/cloudflareDnsApiToken.age"; cloudflareDnsApiToken.file = "${self}/secrets/cloudflareDnsApiToken.age";
cloudflareDnsCredentials.file = "${self}/secrets/cloudflareDnsCredentials.age"; # cloudflareDnsCredentials.file = "${self}/secrets/cloudflareDnsCredentials.age";
wgCredentials.file = "${self}/secrets/wgCredentials.age"; wgCredentials.file = "${self}/secrets/wgCredentials.age";
wgSobotkaPrivateKey.file = "${self}/secrets/wgSobotkaPrivateKey.age"; wgSobotkaPrivateKey.file = "${self}/secrets/wgSobotkaPrivateKey.age";
gluetunEnvironment.file = "${self}/secrets/gluetunEnvironment.age"; gluetunEnvironment.file = "${self}/secrets/gluetunEnvironment.age";

6
modules/nixos/services/kanata/default.nix
View File

@@ -16,10 +16,14 @@ in
services.kanata = { services.kanata = {
enable = true; enable = true;
package = pkgs.kanata-with-cmd; package = pkgs.kanata-with-cmd;
keyboards.default = { keyboards.hhkbse = {
extraDefCfg = '' extraDefCfg = ''
process-unmapped-keys yes process-unmapped-keys yes
''; '';
devices = [
"/dev/input/by-id/usb-PFU_Limited_HHKB-Hybrid-event-kbd"
"/dev/input/event2"
];
config = builtins.readFile (./. + "/hhkbse.kbd"); config = builtins.readFile (./. + "/hhkbse.kbd");
}; };
}; };

1
modules/nixos/system/devpkgs/default.nix
View File

@@ -45,6 +45,7 @@ in
# nodePackages_latest.sql-formatter # nodePackages_latest.sql-formatter
prettierd prettierd
shfmt shfmt
luaformatter
black black
]; ];
}; };

48
modules/server/infra/authentik/default.nix → modules/server/authentik/default.nix
View File

@@ -1,14 +1,15 @@
{ {
config, config,
lib, lib,
pkgs,
self, self,
... ...
}: let }: let
unit = "authentik"; unit = "authentik";
cfg = config.server.infra.${unit}; cfg = config.server.${unit};
srv = config.server.infra.www.domain; srv = config.server;
in { in {
options.server.infra.${unit} = { options.server.${unit} = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable ${unit}"; description = "Enable ${unit}";
}; };
@@ -16,10 +17,6 @@ in {
type = lib.types.str; type = lib.types.str;
default = "auth.${srv.www.domain}"; default = "auth.${srv.www.domain}";
}; };
port = lib.mkOption {
type = lib.types.port;
description = "The local port the service runs on";
};
cloudflared = { cloudflared = {
credentialsFile = lib.mkOption { credentialsFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@@ -34,11 +31,21 @@ in {
example = "00000000-0000-0000-0000-000000000000"; example = "00000000-0000-0000-0000-000000000000";
}; };
}; };
homepage = { homepage.name = lib.mkOption {
name = "Authentik"; type = lib.types.str;
description = "An open-source IdP for modern SSO"; default = "Authentik";
icon = "authentik.svg"; };
category = "Services"; homepage.description = lib.mkOption {
type = lib.types.str;
default = "An open-source IdP for modern SSO";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "authentik.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
}; };
}; };
@@ -52,12 +59,12 @@ in {
}; };
}; };
server.infra = { server = {
fail2ban = { fail2ban = lib.mkIf cfg.enable {
jails = { jails = {
authentik = { authentik = {
serviceName = "authentik"; serviceName = "authentik";
failRegex = ''^.*Username or password is incorrect.*IP:\s*<HOST>''; failRegex = "^.*Username or password is incorrect.*IP:\s*<HOST>";
}; };
}; };
}; };
@@ -90,21 +97,16 @@ in {
middlewares = { middlewares = {
authentik = { authentik = {
forwardAuth = { forwardAuth = {
# tls.insecureSkipVerify = true;
address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik"; address = "https://localhost:9443/outpost.goauthentik.io/auth/traefik";
trustForwardHeader = true; trustForwardHeader = true;
authResponseHeaders = [ authResponseHeaders = [
"X-authentik-username" "X-authentik-username"
"X-authentik-groups" "X-authentik-groups"
"X-authentik-email" "X-authentik-email"
"X-authentik-name"
"X-authentik-uid"
"X-authentik-jwt" "X-authentik-jwt"
"X-authentik-meta-jwks"
"X-authentik-meta-outpost"
"X-authentik-meta-provider"
"X-authentik-meta-app"
"X-authentik-meta-version"
]; ];
timeout = "10s";
}; };
}; };
}; };
@@ -120,7 +122,7 @@ in {
routers = { routers = {
auth = { auth = {
entryPoints = ["websecure"]; entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`) && PathPrefix(`/outpost.goauthentik.io/`)"; rule = "Host(`${cfg.url}`) || HostRegexp(`{subdomain:[a-z0-9]+}.${srv.www.url}`) && PathPrefix(`/outpost.goauthentik.io/`)";
service = "auth"; service = "auth";
tls.certResolver = "letsencrypt"; tls.certResolver = "letsencrypt";
}; };

62
modules/server/bazarr/default.nix Normal file
View File

@@ -0,0 +1,62 @@
{
config,
lib,
...
}: let
unit = "bazarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Bazarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Subtitle manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "bazarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.bazarr.loadBalancer.servers = [{url = "http://127.0.0.1:${toString config.services.${unit}.listenPort}";}];
routers = {
bazarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "bazarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}

110
modules/server/default.nix
View File

@@ -1,16 +1,106 @@
{ {
self,
lib, lib,
config,
pkgs,
... ...
}: let }: let
clib = import "${self}/lib/server" {inherit lib;}; hardDrives = [
in { "/dev/disk/by-label/data"
imports = [
{
_module.args.clib = clib;
}
./options.nix
./infra
./services
]; ];
inherit (lib) mkOption types;
cfg = config.server;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
in {
options.server = {
enable = lib.mkEnableOption "The server services and configuration variables";
email = mkOption {
default = "";
type = types.str;
description = ''
Email name to be used to access the server services via NGINX reverse proxy
'';
};
domain = mkOption {
default = "";
type = types.str;
description = ''
Domain name to be used to access the server services via NGINX reverse proxy
'';
};
user = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
User to run the server services as
'';
};
group = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
Group to run the server services as
'';
};
uid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
UID to run the server services as
'';
};
gid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
GID to run the server services as
'';
};
timeZone = lib.mkOption {
default = "Europe/Stockholm";
type = lib.types.str;
description = ''
Time zone to be used for the server services
'';
};
};
config = lib.mkIf cfg.enable {
_module.args = {
myLib = import ./lib.nix {
inherit lib config pkgs;
};
};
users = {
groups.${cfg.group} = {
gid = cfg.gid;
};
users.${cfg.user} = {
uid = cfg.uid;
isSystemUser = true;
group = cfg.group;
extraGroups = ifTheyExist [
"audio"
"video"
"docker"
"libvirtd"
"qemu-libvirtd"
"rtkit"
"fail2ban"
"vaultwarden"
"qbittorrent"
"lidarr"
"prowlarr"
"bazarr"
"sonarr"
"radarr"
"media"
"share"
"render"
"input"
"authentik"
"nginx"
];
};
};
};
} }

46
modules/server/infra/fail2ban/default.nix → modules/server/fail2ban/default.nix
View File

@@ -5,9 +5,9 @@
pkgs, pkgs,
... ...
}: let }: let
cfg = config.server.infra.fail2ban; cfg = config.server.fail2ban;
in { in {
options.server.infra.fail2ban = { options.server.fail2ban = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable cloudflare fail2ban"; description = "Enable cloudflare fail2ban";
}; };
@@ -30,28 +30,14 @@ in {
example = "vaultwarden"; example = "vaultwarden";
type = lib.types.str; type = lib.types.str;
}; };
_groupsre = lib.mkOption {
type = lib.types.lines;
example = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)'';
default = "";
};
failRegex = lib.mkOption { failRegex = lib.mkOption {
type = lib.types.lines; type = lib.types.str;
example = '' example = "Login failed from IP: <HOST>";
^Login failed from IP: <HOST>$
^Two-factor challenge failed from <HOST>$
'';
}; };
ignoreRegex = lib.mkOption { ignoreRegex = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = ""; default = "";
}; };
datePattern = lib.mkOption {
type = lib.types.str;
default = "";
example = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
description = "Optional datepattern line for the fail2ban filter.";
};
maxRetry = lib.mkOption { maxRetry = lib.mkOption {
type = lib.types.int; type = lib.types.int;
default = 3; default = 3;
@@ -61,7 +47,6 @@ in {
); );
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
@@ -73,14 +58,14 @@ in {
jails = jails =
lib.attrsets.mapAttrs (name: value: { lib.attrsets.mapAttrs (name: value: {
settings = { settings = {
bantime = "24h"; bantime = "168h";
findtime = "10m"; findtime = "30m";
enabled = true; enabled = true;
backend = "systemd"; backend = "systemd";
journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service"; journalmatch = "_SYSTEMD_UNIT=${value.serviceName}.service";
port = "http,https"; port = "http,https";
filter = "${name}"; filter = "${name}";
maxretry = 3; maxretry = value.maxRetry or 5;
action = "cloudflare-token-agenix"; action = "cloudflare-token-agenix";
}; };
}) })
@@ -90,18 +75,11 @@ in {
environment.etc = lib.attrsets.mergeAttrsList [ environment.etc = lib.attrsets.mergeAttrsList [
(lib.attrsets.mapAttrs' ( (lib.attrsets.mapAttrs' (
name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" { name: value: (lib.nameValuePair "fail2ban/filter.d/${name}.conf" {
text = text = ''
'' [Definition]
[Definition] failregex = ${value.failRegex}
failregex = ${value.failRegex} ignoreregex = ${value.ignoreRegex}
ignoreregex = ${value.ignoreRegex} '';
''
+ lib.optionalString (value.datePattern != "") ''
datepattern = ${value.datePattern}
''
+ lib.optionalString (value._groupsre != "") ''
_groupsre = ${value._groupsre}
'';
}) })
) )
cfg.jails) cfg.jails)

108
modules/server/gitea/default.nix Normal file
View File

@@ -0,0 +1,108 @@
# taken from @jtojnar
{
config,
lib,
...
}: let
unit = "gitea";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "git.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 5003;
description = "The port to host Gitea on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Gitea";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Git with a cup of tea";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "gitea.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
appName = "cnix code forge";
database = {
type = "postgres";
socket = "/run/postgresql";
name = "gitea";
user = "gitea";
createDatabase = false;
};
lfs = {
enable = true;
};
settings = {
cors = {
ENABLED = true;
SCHEME = "https";
ALLOW_DOMAIN = cfg.url;
};
log = {
MODE = "console";
};
mailer = {
ENABLED = false;
MAILER_TYPE = "sendmail";
FROM = "noreply+adam@cnst.dev";
SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
};
picture = {
DISABLE_GRAVATAR = true;
};
repository = {
DEFAULT_BRANCH = "main";
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
};
indexer = {
REPO_INDEXER_ENABLED = true;
};
server = {
DOMAIN = cfg.url;
LANDING_PAGE = "explore";
HTTP_PORT = cfg.port;
ROOT_URL = "https://${cfg.url}/";
};
security = {
DISABLE_GIT_HOOKS = false;
};
service = {
DISABLE_REGISTRATION = true;
};
session = {
COOKIE_SECURE = true;
};
};
};
server.postgresql.databases = [
{
database = "gitea";
}
];
};
}

217
modules/server/homepage-dashboard/default.nix Normal file
View File

@@ -0,0 +1,217 @@
{
config,
lib,
self,
...
}: let
unit = "homepage-dashboard";
cfg = config.server.homepage-dashboard;
srv = config.server;
in {
options.server.homepage-dashboard = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
misc = lib.mkOption {
default = [];
type = lib.types.listOf (
lib.types.attrsOf (
lib.types.submodule {
options = {
description = lib.mkOption {
type = lib.types.str;
};
href = lib.mkOption {
type = lib.types.str;
};
siteMonitor = lib.mkOption {
type = lib.types.str;
};
icon = lib.mkOption {
type = lib.types.str;
};
};
}
)
);
};
};
config = lib.mkIf cfg.enable {
age.secrets = {
homepageEnvironment = {
file = "${self}/secrets/homepageEnvironment.age";
};
};
services = {
glances.enable = true;
${unit} = {
enable = true;
environmentFile = config.age.secrets.homepageEnvironment.path;
settings = {
layout = [
{
Glances = {
header = false;
style = "row";
columns = 4;
};
}
{
Arr = {
header = true;
style = "column";
};
}
{
Downloads = {
header = true;
style = "column";
};
}
{
Media = {
header = true;
style = "column";
};
}
{
Services = {
header = true;
style = "column";
};
}
];
headerStyle = "clean";
statusStyle = "dot";
hideVersion = "true";
};
widgets = [
{
openmeteo = {
label = "Kalmar";
timezone = "Europe/Stockholm";
units = "metric";
cache = 5;
latitude = 56.707262;
longitude = 16.324541;
};
}
{
resources = {
label = "SYSTEM";
memory = true;
cpu = true;
uptime = true;
};
}
];
services = let
homepageCategories = [
"Arr"
"Media"
"Downloads"
"Services"
];
hl = config.server;
mergedServices = hl // hl.podman;
homepageServices = x: (lib.attrsets.filterAttrs (
name: value: value ? homepage && value.homepage.category == x
)
mergedServices);
in
lib.lists.forEach homepageCategories (cat: {
"${cat}" =
lib.lists.forEach
(lib.attrsets.mapAttrsToList (name: value: {
inherit name;
url = value.url;
homepage = value.homepage;
}) (homepageServices "${cat}"))
(x: {
"${x.homepage.name}" = {
icon = x.homepage.icon;
description = x.homepage.description;
href = "https://${x.url}${x.homepage.path or ""}";
siteMonitor = "https://${x.url}${x.homepage.path or ""}";
};
});
})
++ [{Misc = cfg.misc;}]
++ [
{
Glances = let
port = toString config.services.glances.port;
in [
{
Info = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "info";
chart = false;
version = 4;
};
};
}
{
"CPU Temp" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:Tctl";
chart = false;
version = 4;
};
};
}
{
"GPU Radeon" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:junction";
chart = false;
version = 4;
};
};
}
{
"GPU Intel" = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "sensor:pkg";
chart = false;
version = 4;
};
};
}
{
Processes = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "process";
chart = false;
version = 4;
};
};
}
{
Network = {
widget = {
type = "glances";
url = "http://localhost:${port}";
metric = "network:enp6s0";
chart = false;
version = 4;
};
};
}
];
}
];
};
};
};
}

13
modules/server/infra/default.nix
View File

@@ -1,13 +0,0 @@
{
imports = [
./authentik
./fail2ban
./keepalived
./podman
./postgres
./tailscale
./traefik
./unbound
./www
];
}

6
modules/server/infra/podman/acquis.yaml
View File

@@ -1,6 +0,0 @@
---
filenames:
- /var/log/traefik/access.log
poll_without_inotify: true
labels:
type: traefik

26
modules/server/infra/tailscale/default.nix
View File

@@ -1,26 +0,0 @@
{
config,
lib,
self,
...
}:
with lib; let
cfg = config.server.infra.tailscale;
in {
options.server.infra.tailscale = {
enable = mkEnableOption "Enable tailscale server configuration";
};
config = mkIf cfg.enable {
age.secrets.sobotkaTsAuth.file = "${self}/secrets/sobotkaTsAuth.age";
services.tailscale = {
enable = true;
openFirewall = true;
useRoutingFeatures = "server";
authKeyFile = config.age.secrets.sobotkaTsAuth.path;
extraSetFlags = [
"--advertise-exit-node"
];
};
};
}

183
modules/server/infra/traefik/default.nix
View File

@@ -1,183 +0,0 @@
{
lib,
clib,
config,
pkgs,
self,
...
}: let
inherit (lib) mkEnableOption mkIf types;
cfg = config.server.infra.traefik;
srv = config.server;
generateRouters = services: config:
lib.mapAttrs' (
name: service:
lib.nameValuePair name {
entryPoints = ["websecure"];
# FIX 3: Use backticks for the Host rule and interpolation
rule = "Host(`${clib.server.mkFullDomain config service}`)";
service = name;
tls.certResolver = "letsencrypt";
}
) (lib.filterAttrs (_: s: s.enable) services);
generateServices = services:
lib.mapAttrs' (name: service:
lib.nameValuePair name {
loadBalancer.servers = [{url = "http://localhost:${toString service.port}";}];
}) (lib.filterAttrs (name: service: service.enable) services);
getCloudflareCredentials = hostname:
if hostname == "ziggy"
then config.age.secrets.cloudflareDnsCredentialsZiggy.path
else if hostname == "sobotka"
then config.age.secrets.cloudflareDnsCredentials.path
else throw "Unknown hostname: ${hostname}";
in {
options.server.infra.traefik = {
enable = mkEnableOption "Enable global Traefik reverse proxy with ACME";
};
config = mkIf cfg.enable {
age.secrets = {
traefikEnv = {
file = "${self}/secrets/traefikEnv.age";
mode = "640";
owner = "traefik";
group = "traefik";
};
crowdsecApi.file = "${self}/secrets/crowdsecApi.age";
};
systemd.services.traefik = {
serviceConfig = {
EnvironmentFile = [config.age.secrets.traefikEnv.path];
};
};
networking.firewall.allowedTCPPorts = [80 443];
services = {
tailscale.permitCertUid = "traefik";
traefik = {
enable = true;
staticConfigOptions = {
log = {
level = "DEBUG";
};
accesslog = {filepath = "/var/lib/traefik/logs/access.log";};
tracing = {};
api = {
dashboard = true;
insecure = false;
};
certificatesResolvers = {
vpn.tailscale = {};
letsencrypt = {
acme = {
email = "adam@cnst.dev";
storage = "/var/lib/traefik/cert.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"1.0.0.1:53"
];
};
};
};
};
entryPoints = {
# redis = {
# address = "0.0.0.0:6381";
# };
# postgres = {
# address = "0.0.0.0:5433";
# };
web = {
address = ":80";
forwardedHeaders.insecure = true;
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
permanent = true;
};
# http.middlewares = "crowdsec@file";
};
websecure = {
address = ":443";
forwardedHeaders.insecure = true;
http.tls = {
certResolver = "letsencrypt";
domains = [
{
main = "cnix.dev";
sans = ["*.cnix.dev"];
}
{
main = "ts.cnst.dev";
sans = ["*ts.cnst.dev"];
}
];
};
# http.middlewares = "crowdsec@file";
};
experimental = {
address = ":1111";
forwardedHeaders.insecure = true;
};
};
experimental = {
# Install the Crowdsec Bouncer plugin
plugins = {
#enabled = "true";
bouncer = {
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
version = "v1.4.5";
};
};
};
};
dynamicConfigOptions = {
http = {
services = generateServices srv.services;
routers =
(generateRouters srv.services config)
// {
api = {
entryPoints = ["websecure"];
rule = "Host(`traefik.${srv.domain}`)";
service = "api@internal";
tls.certResolver = "letsencrypt";
};
};
# middlewares = {
# crowdsec = {
# plugin = {
# bouncer = {
# enabled = "true";
# logLevel = "DEBUG";
# crowdsecLapiKeyFile = config.age.secrets.crowdsecApi.path;
# crowdsecMode = "live";
# crowdsecLapiHost = ":4223";
# };
# };
# };
# };
};
};
};
};
};
}

126
modules/server/jellyfin/default.nix Normal file
View File

@@ -0,0 +1,126 @@
{
config,
lib,
pkgs,
self,
...
}: let
unit = "jellyfin";
cfg = config.server.${unit};
srv = config.server;
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "jellyfin.${srv.www.url}";
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Jellyfin";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "The Free Software Media System";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "jellyfin.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Media";
};
};
config = lib.mkIf cfg.enable {
age.secrets = {
jellyfinCloudflared = {
file = "${self}/secrets/jellyfinCloudflared.age";
owner = "${srv.user}";
group = "${srv.group}";
mode = "0400";
};
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://127.0.0.1:8096";
};
};
${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
services.traefik = {
dynamicConfigOptions = {
http = {
middlewares = {
secureHeaders = {
headers = {
stsSeconds = 31536000;
forceSTSHeader = true;
stsIncludeSubdomains = true;
stsPreload = true;
browserXssFilter = true;
frameDeny = true;
referrerPolicy = "no-referrer";
contentTypeNosniff = true;
customResponseHeaders = {
"Content-Security-Policy" = "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
};
};
};
ratelimit = {
rateLimit = {
average = 10;
burst = 20;
};
};
};
services.jellyfin.loadBalancer.servers = [{url = "http://127.0.0.1:8096";}];
routers = {
jellyfin = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "jellyfin";
tls.certResolver = "letsencrypt";
middlewares = ["authentik" "secureHeaders" "ratelimit"];
};
};
};
};
};
};
}

61
modules/server/jellyseerr/default.nix Normal file
View File

@@ -0,0 +1,61 @@
{
config,
lib,
...
}: let
service = "jellyseerr";
srv = config.server;
cfg = config.server.${service};
in {
options.server.${service} = {
enable = lib.mkEnableOption {
description = "Enable ${service}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.port;
default = 5055;
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Jellyseerr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Media request and discovery manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "jellyseerr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${service} = {
enable = true;
port = cfg.port;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.jellyseerr.loadBalancer.servers = [{url = "http://127.0.0.1:${toString cfg.port}";}];
routers = {
jellyseerr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "jellyseerr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}

40
modules/server/infra/keepalived/default.nix → modules/server/keepalived/default.nix
View File

@@ -3,24 +3,27 @@
config, config,
self, self,
... ...
}: let }:
let
unit = "keepalived"; unit = "keepalived";
cfg = config.server.infra.${unit}; cfg = config.server.${unit};
hostCfg = hostname: hostCfg =
if hostname == "sobotka" hostname:
then { if hostname == "sobotka" then
ip = "192.168.88.14"; {
priority = 20; ip = "192.168.88.14";
state = "MASTER"; priority = 20;
} state = "MASTER";
else if hostname == "ziggy" }
then { else if hostname == "ziggy" then
ip = "192.168.88.12"; {
priority = 10; ip = "192.168.88.12";
state = "BACKUP"; priority = 10;
} state = "BACKUP";
else throw "No keepalived config defined for host ${hostname}"; }
else
throw "No keepalived config defined for host ${hostname}";
_self = hostCfg config.networking.hostName; _self = hostCfg config.networking.hostName;
@@ -31,8 +34,9 @@
# Remove self from peers # Remove self from peers
peers = builtins.filter (ip: ip != _self.ip) allPeers; peers = builtins.filter (ip: ip != _self.ip) allPeers;
in { in
options.server.infra.${unit} = { {
options.server.${unit} = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable ${unit}"; description = "Enable ${unit}";
}; };

148
modules/server/lib.nix Normal file
View File

@@ -0,0 +1,148 @@
# from @jtojnar
{
config,
lib,
pkgs,
...
}: {
mkVirtualHost = {
path ? null,
config ? "",
acme ? null,
redirect ? null,
...
} @ args:
(
if lib.isString acme
then {
useACMEHost = acme;
forceSSL = true;
}
else {}
)
// (
if lib.isBool acme
then {
enableACME = acme;
forceSSL = true;
}
else {}
)
// (
if redirect != null
then {
globalRedirect = redirect;
}
else {}
)
// (
if path != null
then {
root = "/var/www/" + path;
}
else {}
)
// {
extraConfig = config;
}
// builtins.removeAttrs args [
"path"
"config"
"acme"
"redirect"
];
mkPhpPool = {
user,
debug ? false,
settings ? {},
...
} @ args:
{
inherit user;
settings =
{
"listen.owner" = "nginx";
"listen.group" = "root";
"pm" = "dynamic";
"pm.max_children" = 5;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 1;
"pm.max_spare_servers" = 3;
}
// (
lib.optionalAttrs debug {
# log worker's stdout, but this has a performance hit
"catch_workers_output" = true;
}
// settings
);
}
// builtins.removeAttrs args [
"user"
"debug"
"settings"
];
enablePHP = sockName: ''
fastcgi_pass unix:${config.services.phpfpm.pools.${sockName}.socket};
include ${config.services.nginx.package}/conf/fastcgi.conf;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
'';
/*
Adds extra options to ssh key that will only allow it to be used for rsync.
See sshd(8) manual page for details.
*/
restrictToRsync = directory: key: ''command="${pkgs.rrsync}/bin/rrsync -wo ${directory}",restrict ${key}'';
/*
Emulate systemd credentials.
Those will only be available to the user the service is running under,
not being aware of dropped euid.
http://systemd.io/CREDENTIALS/
*/
emulateCredentials = let
parseCredential = credential: let
matches = builtins.match "(.+):(.+)" credential;
in
assert lib.assertMsg (matches != null) "A credential needs to match id:value format"; {
id = builtins.elemAt matches 0;
value = builtins.elemAt matches 1;
};
parseCredentials = credentials:
builtins.map parseCredential (
if builtins.isList credentials
then credentials
else lib.splitString "," credentials
);
in
serviceConfig:
lib.mkMerge [
(builtins.removeAttrs serviceConfig [
"SetCredential"
"LoadCredential"
])
{
Environment = [
"CREDENTIALS_DIRECTORY=${
pkgs.runCommand "credentials" {} ''
mkdir "$out"
${lib.concatMapStringsSep "\n" ({
id,
value,
}: ''ln -s "${value}" "$out/${id}"'') (
parseCredentials serviceConfig.LoadCredential or []
)}
${lib.concatMapStringsSep "\n" ({
id,
value,
}: ''echo -n "${value}" > "$out/${id}"'') (
parseCredentials serviceConfig.SetCredential or []
)}
''
}"
];
}
];
}

62
modules/server/lidarr/default.nix Normal file
View File

@@ -0,0 +1,62 @@
{
config,
lib,
...
}: let
unit = "lidarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Lidarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Music collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "lidarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.lidarr.loadBalancer.servers = [{url = "http://127.0.0.1:8686";}];
routers = {
lidarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "lidarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}

64
modules/server/n8n/default.nix Normal file
View File

@@ -0,0 +1,64 @@
{
config,
lib,
...
}: let
unit = "n8n";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "n8n";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "A workflow automation platform";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "n8n.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
services = {
n8n = {
enable = true;
openFirewall = true;
};
traefik = {
dynamicConfigOptions = {
http = {
services.n8n.loadBalancer.servers = [{url = "http://127.0.0.1:5678";}];
routers = {
n8n = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "n8n";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
};
}

72
modules/server/services/nextcloud/default.nix → modules/server/nextcloud/default.nix
View File

@@ -6,30 +6,64 @@
... ...
}: let }: let
unit = "nextcloud"; unit = "nextcloud";
cfg = config.server.services.${unit}; cfg = config.server.${unit};
srv = config.server; srv = config.server;
in { in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
adminpassFile = lib.mkOption {
type = lib.types.path;
};
adminuser = lib.mkOption {
type = lib.types.str;
default = "cnst";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "cloud.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Nextcloud";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "A safe home for all your data";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "nextcloud.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
age.secrets = { age.secrets = {
nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age"; nextcloudAdminPass.file = "${self}/secrets/nextcloudAdminPass.age";
nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age"; nextcloudCloudflared.file = "${self}/secrets/nextcloudCloudflared.age";
}; };
server.infra.fail2ban.jails.nextcloud = { server.fail2ban = lib.mkIf config.server.fail2ban.enable {
serviceName = "${unit}"; jails = {
_groupsre = ''(?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)''; nextcloud = {
failRegex = '' serviceName = "phpfpm-nextcloud";
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed: failRegex = "^.*Login failed:.*(Remote IP: <HOST>).*$";
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Two-factor challenge failed: };
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error. };
'';
datePattern = '',?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"'';
}; };
services = { services = {
${unit} = { ${unit} = {
enable = true; enable = true;
package = pkgs.nextcloud32; package = pkgs.nextcloud31;
hostName = "nextcloud"; hostName = "nextcloud";
configureRedis = true; configureRedis = true;
caching = { caching = {
@@ -67,7 +101,7 @@ in {
dbhost = "/run/postgresql"; dbhost = "/run/postgresql";
dbname = "nextcloud"; dbname = "nextcloud";
adminuser = "cnst"; adminuser = "cnst";
adminpassFile = config.age.secrets.nextcloudAdminPass.path; adminpassFile = cfg.adminpassFile;
}; };
}; };
@@ -86,9 +120,21 @@ in {
forceSSL = false; forceSSL = false;
}; };
}; };
traefik.dynamicConfigOptions.http = {
routers.nextcloud = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "nextcloud";
tls.certResolver = "letsencrypt";
};
services.nextcloud.loadBalancer.servers = [
{url = "http://127.0.0.1:8182";}
];
};
}; };
server.infra.postgresql.databases = [ server.postgresql.databases = [
{ {
database = "nextcloud"; database = "nextcloud";
} }

79
modules/server/nginx/default.nix Normal file
View File

@@ -0,0 +1,79 @@
{
lib,
config,
pkgs,
self,
myLib,
...
}: let
inherit (myLib) mkVirtualHost;
inherit (lib) mkEnableOption mkIf types;
unit = "nginx";
cfg = config.server.nginx;
srv = config.server;
in {
options.server.nginx = {
enable = mkEnableOption "Enable global NGINX reverse proxy with ACME";
};
config = mkIf cfg.enable {
age.secrets = {
nginxEnv = {
file = "${self}/secrets/nginxEnv.age";
};
};
networking.firewall.allowedTCPPorts = [80 443];
security = {
acme = {
acceptTerms = true;
defaults.email = config.server.email;
certs.${srv.domain} = {
reloadServices = ["nginx.service"];
domain = "${srv.domain}";
extraDomainNames = ["*.${srv.domain}"];
dnsProvider = "cloudflare";
dnsPropagationCheck = true;
group = config.services.nginx.group;
environmentFile = config.age.secrets.nginxEnv.path;
};
};
dhparams = {
enable = true;
params.nginx = {};
};
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
resolver.addresses = config.networking.nameservers;
sslDhparam = config.security.dhparams.params.nginx.path;
appendHttpConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
virtualHosts = let
labDomain = "cnix.dev";
labCert = {
useACMEHost = "cnix.dev";
forceSSL = true;
};
in {
# proxies on domain with https, only accessible within local network
"${labDomain}" =
labCert
// {
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.homepage-dashboard.listenPort}";
};
};
};
users.users.nginx.extraGroups = ["acme"];
};
}

180
modules/server/options.nix
View File

@@ -1,180 +0,0 @@
{
lib,
config,
...
}: let
inherit (lib) mkOption types;
ifTheyExist = groups: builtins.filter (group: builtins.hasAttr group config.users.groups) groups;
cfg = config.server;
in {
options.server = {
enable = lib.mkEnableOption "The server services and configuration variables";
email = mkOption {
default = "";
type = types.str;
description = ''
Email name to be used to access the server services via Caddy reverse proxy
'';
};
domain = mkOption {
default = "";
type = types.str;
description = ''
Domain name to be used to access the server services via Caddy reverse proxy
'';
};
ip = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = "The local IP of the service.";
};
user = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
User to run the server services as
'';
};
group = lib.mkOption {
default = "share";
type = lib.types.str;
description = ''
Group to run the server services as
'';
};
uid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
UID to run the server services as
'';
};
gid = lib.mkOption {
default = 1000;
type = lib.types.int;
description = ''
GID to run the server services as
'';
};
timeZone = lib.mkOption {
default = "Europe/Stockholm";
type = lib.types.str;
description = ''
Time zone to be used for the server services
'';
};
services = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
options = {
enable = lib.mkEnableOption "the service";
subdomain = lib.mkOption {
type = lib.types.str;
default = "";
description = "The subdomain for the service (e.g., 'jellyfin')";
};
exposure = lib.mkOption {
type = lib.types.enum ["local" "tunnel" "tailscale"];
default = "local";
description = "Controls where the service is exposed";
};
port = lib.mkOption {
type = lib.types.int;
default = 80;
description = "The port to host service on.";
};
configDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/${name}";
description = "Configuration directory for ${name}.";
};
cloudflared = lib.mkOption {
type = lib.types.submodule {
options = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret","TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
description = "Cloudflare tunnel configuration for this service.";
};
homepage = lib.mkOption {
type = lib.types.submodule {
options = {
name = lib.mkOption {
type = lib.types.str;
default = "";
description = "Display name on the homepage.";
};
description = lib.mkOption {
type = lib.types.str;
default = "";
description = "A short description for the homepage tile.";
};
icon = lib.mkOption {
type = lib.types.str;
default = "Zervices c00l stuff";
description = "Icon file name for the homepage tile.";
};
category = lib.mkOption {
type = lib.types.str;
default = "";
description = "Homepage category grouping.";
};
path = lib.mkOption {
type = lib.types.str;
default = "";
example = "/admin";
description = "Optional path suffix for homepage links (e.g. /admin).";
};
};
};
description = "Homepage metadata for this service.";
};
};
}));
};
};
config = lib.mkIf cfg.enable {
users = {
groups.${cfg.group} = {
gid = cfg.gid;
};
users.${cfg.user} = {
uid = cfg.uid;
isSystemUser = true;
group = cfg.group;
extraGroups = ifTheyExist [
"audio"
"video"
"docker"
"libvirtd"
"qemu-libvirtd"
"rtkit"
"fail2ban"
"vaultwarden"
"qbittorrent"
"lidarr"
"prowlarr"
"bazarr"
"sonarr"
"radarr"
"media"
"share"
"render"
"input"
"authentik"
"traefik"
];
};
};
};
}

153
modules/server/infra/podman/default.nix → modules/server/podman/default.nix
View File

@@ -1,11 +1,19 @@
{ {
config, config,
lib, lib,
pkgs,
self, self,
... ...
}: let }: let
infra = config.server.infra; srv = config.server;
cfg = config.server.services; cfg = config.server.podman;
piholeUrl =
if config.networking.hostName == "sobotka"
then "pihole0"
else if config.networking.hostName == "ziggy"
then "pihole1"
else throw "Unknown hostname";
getPiholeSecret = hostname: getPiholeSecret = hostname:
if hostname == "ziggy" if hostname == "ziggy"
@@ -14,11 +22,106 @@
then [config.age.secrets.pihole.path] then [config.age.secrets.pihole.path]
else throw "Unknown hostname: ${hostname}"; else throw "Unknown hostname: ${hostname}";
in { in {
options.server.infra = { options.server.podman = {
podman.enable = lib.mkEnableOption "Enables Podman"; enable = lib.mkEnableOption "Enables Podman";
gluetun.enable = lib.mkEnableOption "Enables gluetun"; gluetun.enable = lib.mkEnableOption "Enables gluetun";
qbittorrent = {
enable = lib.mkEnableOption "Enable qBittorrent";
url = lib.mkOption {
type = lib.types.str;
default = "qbt.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 8387;
description = "The port to host qBittorrent on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "qBittorrent";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Torrent client";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "qbittorrent.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Downloads";
};
};
slskd = {
enable = lib.mkEnableOption "Enable Soulseek";
url = lib.mkOption {
type = lib.types.str;
default = "slskd.${srv.domain}";
};
port = lib.mkOption {
type = lib.types.int;
default = 5030;
description = "The port to host Soulseek webui on.";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "slskd";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Web-based Soulseek client";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "slskd.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Downloads";
};
};
pihole = {
enable = lib.mkEnableOption {
description = "Enable";
};
port = lib.mkOption {
type = lib.types.int;
default = 8053;
description = "The port to host PiHole on.";
};
url = lib.mkOption {
type = lib.types.str;
default = "${piholeUrl}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "PiHole";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Adblocking and DNS service";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "pi-hole.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
homepage.path = lib.mkOption {
type = lib.types.str;
default = "/admin";
description = "Optional path suffix for homepage links (e.g. /admin).";
};
};
}; };
config = lib.mkIf infra.podman.enable {
config = lib.mkIf cfg.enable {
age.secrets = { age.secrets = {
pihole.file = "${self}/secrets/${config.networking.hostName}Pihole.age"; pihole.file = "${self}/secrets/${config.networking.hostName}Pihole.age";
slskd.file = "${self}/secrets/slskd.age"; slskd.file = "${self}/secrets/slskd.age";
@@ -41,13 +144,13 @@ in {
}; };
virtualisation.oci-containers.containers = lib.mkMerge [ virtualisation.oci-containers.containers = lib.mkMerge [
(lib.mkIf infra.gluetun.enable { (lib.mkIf cfg.gluetun.enable {
gluetun = { gluetun = {
image = "qmcgaw/gluetun"; image = "qmcgaw/gluetun";
ports = [ ports = [
"8388:8388" "8388:8388"
"58846:58846" "58846:58846"
"8080:8080" "8387:8387"
"5030:5030" "5030:5030"
"5031:5031" "5031:5031"
"50300:50300" "50300:50300"
@@ -76,7 +179,7 @@ in {
autoStart = true; autoStart = true;
dependsOn = ["gluetun"]; dependsOn = ["gluetun"];
ports = [ ports = [
"8080:8080" "8387:8387"
"58846:58846" "58846:58846"
]; ];
extraOptions = [ extraOptions = [
@@ -134,7 +237,7 @@ in {
(lib.mkIf cfg.pihole.enable { (lib.mkIf cfg.pihole.enable {
pihole = { pihole = {
autoStart = true; autoStart = true;
image = "pihole/pihole:2025.08.0"; image = "pihole/pihole:latest";
volumes = [ volumes = [
"/var/lib/pihole:/etc/pihole/" "/var/lib/pihole:/etc/pihole/"
"/var/lib/dnsmasq.d:/etc/dnsmasq.d/" "/var/lib/dnsmasq.d:/etc/dnsmasq.d/"
@@ -157,38 +260,6 @@ in {
]; ];
}; };
}) })
(lib.mkIf cfg.ollama.enable {
intel-llm = {
autoStart = true;
image = "intelanalytics/ipex-llm-inference-cpp-xpu:latest";
devices = [
"/dev/dri:/dev/dri:rwm"
];
volumes = [
"/var/lib/ollama:/models"
];
environment = {
OLLAMA_ORIGINS = "http://192.168.*";
SYCL_PI_LEVEL_ZERO_USE_IMMEDIATE_COMMANDLISTS = "1";
ONEAPI_DEVICE_SELECTOR = "level_zero:0";
OLLAMA_HOST = "[::]:11434";
no_proxy = "localhost,127.0.0.1";
DEVICE = "Arc";
OLLAMA_NUM_GPU = "999";
ZES_ENABLE_SYSMAN = "1";
};
cmd = [
"/bin/sh"
"-c"
"/llm/scripts/start-ollama.sh && echo 'Startup script finished, container is now idling.' && sleep infinity"
];
extraOptions = [
"--net=host"
"--memory=32G"
"--shm-size=16g"
];
};
})
]; ];
}; };
} }

0
modules/server/infra/postgres/default.nix → modules/server/postgres/default.nix
View File

4
modules/server/infra/postgres/postgres-upgrade.nix → modules/server/postgres/postgres-upgrade.nix
View File

@@ -7,10 +7,10 @@
}: let }: let
inherit (lib) types mkOption; inherit (lib) types mkOption;
cfg = config.server.infra.postgresql; cfg = config.server.postgresql;
in { in {
options = { options = {
server.infra.postgresql = { server.postgresql = {
upgradeTargetPackage = mkOption { upgradeTargetPackage = mkOption {
type = types.nullOr types.package; type = types.nullOr types.package;
default = null; default = null;

4
modules/server/infra/postgres/postgres.nix → modules/server/postgres/postgres.nix
View File

@@ -7,7 +7,7 @@
}: let }: let
inherit (lib) types mkOption; inherit (lib) types mkOption;
cfg = config.server.infra.postgresql; cfg = config.server.postgresql;
database = {name, ...}: { database = {name, ...}: {
options = { options = {
@@ -31,7 +31,7 @@
}; };
in { in {
options = { options = {
server.infra.postgresql = { server.postgresql = {
databases = mkOption { databases = mkOption {
type = types.listOf (types.submodule database); type = types.listOf (types.submodule database);
default = []; default = [];

80
modules/server/prowlarr/default.nix Normal file
View File

@@ -0,0 +1,80 @@
{
config,
lib,
...
}: let
unit = "prowlarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Prowlarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "PVR indexer";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "prowlarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
flaresolverr = {
enable = true;
};
traefik = {
dynamicConfigOptions = {
http = {
services = {
prowlarr = {
loadBalancer.servers = [{url = "http://127.0.0.1:9696";}];
};
flaresolverr = {
loadBalancer.servers = [{url = "http://127.0.0.1:8191";}];
};
};
routers = {
prowlarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "prowlarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
flaresolverr = {
entryPoints = ["websecure"];
rule = "Host(`flaresolverr.${srv.domain}`)";
service = "flaresolverr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
};
}

62
modules/server/radarr/default.nix Normal file
View File

@@ -0,0 +1,62 @@
{
config,
lib,
...
}: let
unit = "radarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Radarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Film collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "radarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
dynamicConfigOptions = {
http = {
services.radarr.loadBalancer.servers = [{url = "http://127.0.0.1:7878";}];
routers = {
radarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "radarr";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}

17
modules/server/services/bazarr/default.nix
View File

@@ -1,17 +0,0 @@
{
config,
lib,
...
}: let
unit = "bazarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

19
modules/server/services/default.nix
View File

@@ -1,19 +0,0 @@
{
imports = [
./bazarr
./flaresolverr
./gitea
./homepage-dashboard
./jellyfin
./jellyseerr
./lidarr
./n8n
./nextcloud
./ollama
./prowlarr
./radarr
./sonarr
./uptime-kuma
./vaultwarden
];
}

16
modules/server/services/flaresolverr/default.nix
View File

@@ -1,16 +0,0 @@
{
config,
lib,
...
}: let
unit = "flaresolverr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

94
modules/server/services/gitea/default.nix
View File

@@ -1,94 +0,0 @@
{
config,
lib,
self,
...
}: let
unit = "gitea";
cfg = config.server.services.${unit};
domain = "${cfg.subdomain}.${config.server.infra.www.url}";
in {
config = lib.mkIf cfg.enable {
age.secrets.giteaCloudflared.file = "${self}/secrets/giteaCloudflared.age";
server.infra = {
fail2ban.jails.${unit} = {
serviceName = "${unit}";
failRegex = ''.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>'';
};
postgresql.databases = [
{database = "gitea";}
];
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${domain}".service = "http://localhost:${toString cfg.port}";
};
};
gitea = {
enable = true;
appName = "cnix code forge";
database = {
type = "postgres";
socket = "/run/postgresql";
name = "gitea";
user = "gitea";
createDatabase = false;
};
lfs.enable = true;
settings = {
cors = {
ENABLED = true;
SCHEME = "https";
ALLOW_DOMAIN = domain;
};
log.MODE = "console";
mailer = {
ENABLED = false;
MAILER_TYPE = "sendmail";
FROM = "noreply+adam@cnst.dev";
SENDMAIL_PATH = "/run/wrappers/bin/sendmail";
};
picture.DISABLE_GRAVATAR = true;
repository = {
DEFAULT_BRANCH = "main";
DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";
DISABLE_DOWNLOAD_SOURCE_ARCHIVES = true;
};
indexer.REPO_INDEXER_ENABLED = true;
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
ACCOUNT_LINKING = "auto";
};
server = {
DOMAIN = domain;
LANDING_PAGE = "explore";
HTTP_PORT = cfg.port;
ROOT_URL = "https://${domain}/";
};
security.DISABLE_GIT_HOOKS = false;
service.DISABLE_REGISTRATION = true;
session.COOKIE_SECURE = true;
};
};
};
};
}

227
modules/server/services/homepage-dashboard/default.nix
View File

@@ -1,227 +0,0 @@
{
config,
lib,
self,
clib,
...
}: let
unit = "homepage-dashboard";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
age.secrets = {
homepageEnvironment = {
file = "${self}/secrets/homepageEnvironment.age";
};
};
services = {
glances.enable = true;
${unit} = {
enable = true;
environmentFile = config.age.secrets.homepageEnvironment.path;
settings = {
color = "stone";
theme = "dark";
headerStyle = "clean";
statusStyle = "dot";
hideVersion = true;
useEqualHeights = true;
layout = [
{
Glances = {
header = false;
style = "row";
columns = 4;
};
}
{
Arr = {
header = true;
style = "column";
};
}
{
Downloads = {
header = true;
style = "column";
};
}
{
Media = {
header = true;
style = "column";
};
}
{
Services = {
header = true;
style = "column";
};
}
];
};
widgets = [
{
openmeteo = {
label = "Kalmar";
timezone = "Europe/Stockholm";
units = "metric";
cache = 5;
latitude = 56.707262;
longitude = 16.324541;
};
}
{
resources = {
label = "SYSTEM";
memory = true;
cpu = true;
uptime = false;
};
}
];
services = let
homepageCategories = [
"Arr"
"Media"
"Downloads"
"Services"
];
allServices = srv.services;
getDomain = s: clib.server.mkHostDomain config s;
homepageServicesFor = category:
lib.filterAttrs
(
name: value:
name
!= unit
&& value ? homepage
&& value.homepage.category == category
)
allServices;
in
lib.lists.forEach homepageCategories (cat: {
"${cat}" =
lib.lists.forEach
(lib.attrsets.mapAttrsToList (name: _value: name) (homepageServicesFor cat))
(x: let
service = allServices.${x};
domain = getDomain service;
in {
"${service.homepage.name}" = {
icon = service.homepage.icon;
description = service.homepage.description;
href = "https://${service.subdomain}.${domain}${service.homepage.path or ""}";
siteMonitor = "https://${service.subdomain}.${domain}${x.homepage.path or ""}";
};
});
})
++ [
{
Glances = let
glancesShared = {
type = "glances";
url = "http://localhost:${toString config.services.glances.port}";
chart = true;
version = 4;
};
in [
{
Memory = {
widget =
glancesShared
// {
metric = "memory";
refreshInterval = 2000;
pointsLimit = 30;
};
};
}
{
"CPU Usage" = {
widget =
glancesShared
// {
metric = "cpu";
refreshInterval = 2000;
pointsLimit = 30;
};
};
}
{
"CPU Temp" = {
widget =
glancesShared
// {
metric = "sensor:Tctl";
refreshInterval = 5000;
pointsLimit = 20;
};
};
}
{
"GPU Radeon" = {
widget =
glancesShared
// {
metric = "sensor:junction";
};
};
}
{
"GPU Intel" = {
widget =
glancesShared
// {
metric = "sensor:pkg";
};
};
}
{
"ZFS Pool" = {
widget =
glancesShared
// {
metric = "fs:/mnt/data";
refreshInterval = 30000;
pointsLimit = 20;
diskUnits = "bytes";
};
};
}
{
Processes = {
widget =
glancesShared
// {
metric = "process";
};
};
}
{
Network = {
widget =
glancesShared
// {
metric = "network:enp6s0";
};
};
}
];
}
];
};
};
};
}

21
modules/server/services/jellyfin/default.nix
View File

@@ -1,21 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
unit = "jellyfin";
cfg = config.server.services.${unit};
srv = config.server;
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
environment.systemPackages = with pkgs; [
jellyfin-ffmpeg
];
};
}

15
modules/server/services/jellyseerr/default.nix
View File

@@ -1,15 +0,0 @@
{
config,
lib,
...
}: let
unit = "jellyseerr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
port = cfg.port;
};
};
}

17
modules/server/services/lidarr/default.nix
View File

@@ -1,17 +0,0 @@
{
config,
lib,
...
}: let
unit = "lidarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

17
modules/server/services/n8n/default.nix
View File

@@ -1,17 +0,0 @@
{
config,
lib,
...
}: let
unit = "n8n";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
n8n = {
enable = true;
openFirewall = true;
};
};
};
}

28
modules/server/services/ollama/default.nix
View File

@@ -1,28 +0,0 @@
{
config,
lib,
pkgs,
...
}: let
unit = "ollama";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [
ollama
intel-compute-runtime
intel-graphics-compiler
level-zero
];
services.open-webui = {
enable = true;
host = "0.0.0.0";
port = 8001;
environment = {
ANONYMIZED_TELEMETRY = "False";
BYPASS_MODEL_ACCESS_CONTROL = "True";
OLLAMA_BASE_URL = "http://localhost:11434";
};
};
};
}

16
modules/server/services/prowlarr/default.nix
View File

@@ -1,16 +0,0 @@
{
config,
lib,
...
}: let
unit = "prowlarr";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

17
modules/server/services/radarr/default.nix
View File

@@ -1,17 +0,0 @@
{
config,
lib,
...
}: let
unit = "radarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

17
modules/server/services/sonarr/default.nix
View File

@@ -1,17 +0,0 @@
{
config,
lib,
...
}: let
unit = "sonarr";
srv = config.server;
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
};
}

16
modules/server/services/uptime-kuma/default.nix
View File

@@ -1,16 +0,0 @@
{
config,
lib,
...
}: let
unit = "uptime-kuma";
cfg = config.server.services.${unit};
in {
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
};
};
}

59
modules/server/services/vaultwarden/default.nix
View File

@@ -1,59 +0,0 @@
# from @fufexan & @notthebee
{
config,
lib,
self,
...
}: let
unit = "vaultwarden";
cfg = config.server.services.${unit};
domain = "${cfg.subdomain}.${config.server.infra.www.url}";
in {
config = lib.mkIf cfg.enable {
age.secrets = {
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
};
server.infra.fail2ban.jails.${unit} = {
serviceName = "${unit}";
failRegex = ''^.*?Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$'';
};
services = {
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${domain}".service = "http://localhost:${toString cfg.port}";
};
};
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwardenEnvironment.path;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://${domain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = cfg.port;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = true;
showPasswordHint = false;
};
};
};
systemd.services.backup-vaultwarden.serviceConfig = {
User = "root";
Group = "root";
};
};
}

63
modules/server/sonarr/default.nix Normal file
View File

@@ -0,0 +1,63 @@
{
config,
lib,
...
}: let
unit = "sonarr";
srv = config.server;
cfg = config.server.${unit};
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${unit}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${unit}.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Sonarr";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Series collection manager";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "sonarr.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Arr";
};
};
config = lib.mkIf cfg.enable {
services.${unit} = {
enable = true;
user = srv.user;
group = srv.group;
};
services.traefik = {
# staticConfigOptions.entryPoints.${unit}.address = "127.0.0.1:8989";
dynamicConfigOptions = {
http = {
# services.sonarr.loadBalancer.servers = [{url = "http://127.0.0.1:8989";}];
routers = {
sonarr = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "sonarr";
# tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
}

27
modules/server/infra/unbound/default.nix → modules/server/unbound/default.nix
View File

@@ -5,25 +5,7 @@
... ...
}: let }: let
unit = "unbound"; unit = "unbound";
cfg = config.server.infra.${unit}; cfg = config.server.${unit};
srv = config.server;
svcNames = lib.attrNames srv.services;
localARecords = builtins.concatLists (map (
name: let
s = srv.services.${name};
in
if s != null && s.enable && s.subdomain != null
then [''"${s.subdomain}.${srv.domain}. A ${srv.ip}"'']
else []
)
svcNames);
revParts = lib.lists.reverseList (lib.splitString "." srv.ip);
revName = lib.concatStringsSep "." revParts;
localPTRs = ["${revName}.in-addr.arpa. PTR traefik.${srv.domain}"];
hostIp = hostname: hostIp = hostname:
if hostname == "ziggy" if hostname == "ziggy"
@@ -32,12 +14,11 @@
then "192.168.88.14" then "192.168.88.14"
else throw "No IP defined for host ${hostname}"; else throw "No IP defined for host ${hostname}";
in { in {
options.server.infra.${unit} = { options.server.${unit} = {
enable = lib.mkEnableOption { enable = lib.mkEnableOption {
description = "Enable ${unit}"; description = "Enable ${unit}";
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services = { services = {
# resolved.enable = lib.mkForce false; # resolved.enable = lib.mkForce false;
@@ -116,10 +97,6 @@ in {
"255.255.255.255/32" "255.255.255.255/32"
"2001:db8::/32" "2001:db8::/32"
]; ];
local-data = localARecords;
# Example PTR entry: "14.88.168.192.in-addr.arpa. PTR traefik.cnix.dev."
# local-data-ptr = localPTRs;
}; };
}; };
}; };

62
modules/server/uptime-kuma/default.nix Normal file
View File

@@ -0,0 +1,62 @@
{
config,
lib,
...
}: let
unit = "uptime-kuma";
cfg = config.server.${unit};
srv = config.server;
in {
options.server.${unit} = {
enable = lib.mkEnableOption {
description = "Enable ${unit}";
};
configDir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/uptime-kuma";
};
url = lib.mkOption {
type = lib.types.str;
default = "uptime.${srv.domain}";
};
homepage.name = lib.mkOption {
type = lib.types.str;
default = "Uptime Kuma";
};
homepage.description = lib.mkOption {
type = lib.types.str;
default = "Service monitoring tool";
};
homepage.icon = lib.mkOption {
type = lib.types.str;
default = "uptime-kuma.svg";
};
homepage.category = lib.mkOption {
type = lib.types.str;
default = "Services";
};
};
config = lib.mkIf cfg.enable {
services = {
${unit} = {
enable = true;
};
traefik = {
dynamicConfigOptions = {
http = {
services.uptime-kuma.loadBalancer.servers = [{url = "http://127.0.0.1:3001";}];
routers = {
uptime-kuma = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`)";
service = "uptime-kuma";
tls.certResolver = "letsencrypt";
# middlewares = ["authentik"];
};
};
};
};
};
};
};
}

89
modules/server/vaultwarden/default.nix Normal file
View File

@@ -0,0 +1,89 @@
# from @fufexan & @notthebee
{
config,
lib,
self,
...
}: let
inherit (lib) mkIf mkEnableOption;
vcfg = config.services.vaultwarden.config;
cfg = config.server.vaultwarden;
in {
options = {
server.vaultwarden = {
enable = mkEnableOption "Enables vaultwarden";
url = lib.mkOption {
type = lib.types.str;
default = "${cfg.domain}";
};
cloudflared = {
credentialsFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExpression ''
pkgs.writeText "cloudflare-credentials.json" '''
{"AccountTag":"secret"."TunnelSecret":"secret","TunnelID":"secret"}
'''
'';
};
tunnelId = lib.mkOption {
type = lib.types.str;
example = "00000000-0000-0000-0000-000000000000";
};
};
};
};
config = mkIf cfg.enable {
age.secrets = {
vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
vaultwardenEnvironment.file = "${self}/secrets/vaultwardenEnvironment.age";
};
server = {
fail2ban = lib.mkIf config.server.fail2ban.enable {
jails = {
vaultwarden = {
serviceName = "vaultwarden";
failRegex = "^.*Username or password is incorrect. Try again. IP: <HOST>. Username: <F-USER>.*</F-USER>.$";
};
};
};
};
systemd.services.backup-vaultwarden.serviceConfig = {
User = "root";
Group = "root";
};
services = {
vaultwarden = {
enable = true;
environmentFile = config.age.secrets.vaultwardenEnvironment.path;
backupDir = "/var/backup/vaultwarden";
config = {
DOMAIN = "https://${cfg.url}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
IP_HEADER = "CF-Connecting-IP";
logLevel = "warn";
extendedLogging = true;
useSyslog = true;
invitationsAllowed = false;
showPasswordHint = false;
};
};
cloudflared = {
enable = true;
tunnels.${cfg.cloudflared.tunnelId} = {
credentialsFile = cfg.cloudflared.credentialsFile;
default = "http_status:404";
ingress."${cfg.url}".service = "http://${vcfg.ROCKET_ADDRESS}:${toString vcfg.ROCKET_PORT}";
};
};
};
};
}

33
modules/server/infra/www/default.nix → modules/server/www/default.nix
View File

@@ -1,13 +1,15 @@
{ {
lib, lib,
config, config,
pkgs,
self, self,
... ...
}: let }: let
inherit (lib) mkIf mkEnableOption mkOption types; inherit (lib) mkOption mkEnableOption mkIf types;
cfg = config.server.infra.www; cfg = config.server.www;
srv = config.server;
in { in {
options.server.infra.www = { options.server.www = {
enable = mkEnableOption { enable = mkEnableOption {
description = "Enable personal website"; description = "Enable personal website";
}; };
@@ -18,12 +20,6 @@ in {
Public domain name to be used to access the server services via Traefik reverse proxy Public domain name to be used to access the server services via Traefik reverse proxy
''; '';
}; };
port = lib.mkOption {
type = lib.types.int;
default = 8283;
description = "The port to host webservice on.";
};
cloudflared = { cloudflared = {
credentialsFile = lib.mkOption { credentialsFile = lib.mkOption {
type = lib.types.str; type = lib.types.str;
@@ -45,13 +41,13 @@ in {
wwwCloudflared.file = "${self}/secrets/wwwCloudflared.age"; wwwCloudflared.file = "${self}/secrets/wwwCloudflared.age";
}; };
server.infra = { server = {
fail2ban = { fail2ban = lib.mkIf config.server.www.enable {
jails = { jails = {
nginx-404 = { nginx-404 = {
serviceName = "nginx"; serviceName = "nginx";
failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$''; failRegex = ''^.*\[error\].*directory index of.* is forbidden.*client: <HOST>.*$'';
ignoreRegex = ''''; ignoreRegex = "";
maxRetry = 5; maxRetry = 5;
}; };
}; };
@@ -118,18 +114,5 @@ in {
Disallow: / Disallow: /
''; '';
}; };
services.traefik.dynamicConfigOptions.http = {
routers.webfinger = {
entryPoints = ["websecure"];
rule = "Host(`${cfg.url}`) && Path(`/.well-known/webfinger`)";
service = "webfinger";
tls.certResolver = "letsencrypt";
};
services.webfinger.loadBalancer.servers = [
{url = "http://127.0.0.1:8283";}
];
};
}; };
} }

31
modules/settings/accounts/default.nix
View File

@@ -2,7 +2,8 @@
lib, lib,
config, config,
... ...
}: let }:
let
inherit (lib) mkOption types; inherit (lib) mkOption types;
sshKeys = { sshKeys = {
@@ -15,14 +16,14 @@
keyName = config.settings.accounts.sshUser or null; keyName = config.settings.accounts.sshUser or null;
selectedKey = selectedKey =
if keyName != null if keyName != null then
then
lib.attrByPath [ lib.attrByPath [
keyName keyName
] (builtins.abort "No SSH key defined for hostname/key '${toString keyName}'") ] (builtins.abort "No SSH key defined for hostname/key '${toString keyName}'") sshKeys
sshKeys else
else builtins.abort "No accounts.sshUser provided, cannot select SSH key."; builtins.abort "No accounts.sshUser provided, cannot select SSH key.";
in { in
{
options.settings.accounts = { options.settings.accounts = {
username = mkOption { username = mkOption {
type = types.str; type = types.str;
@@ -45,21 +46,5 @@ in {
default = null; default = null;
description = "Optional override for selecting an SSH key by name"; description = "Optional override for selecting an SSH key by name";
}; };
domains = lib.mkOption {
type = lib.types.submodule {
options = {
local = lib.mkOption {
type = lib.types.str;
default = "127.0.0.1";
description = "The local domain of the host";
};
public = lib.mkOption {
type = lib.types.str;
default = "example.com";
description = "The public domain of the host";
};
};
};
};
}; };
} }

4
modules/settings/monitors/default.nix
View File

@@ -21,8 +21,8 @@ in
example = 1080; example = 1080;
}; };
refreshRate = mkOption { refreshRate = mkOption {
type = types.str; type = types.int;
default = "60"; default = 60;
}; };
transform = mkOption { transform = mkOption {
type = types.int; type = types.int;

12
pkgs/default.nix
View File

@@ -5,10 +5,12 @@
"aarch64-linux" "aarch64-linux"
]; ];
perSystem = {pkgs, ...}: { perSystem =
packages = { { pkgs, ... }:
# instant repl with automatic flake loading {
repl = pkgs.callPackage ./repl {}; packages = {
# instant repl with automatic flake loading
repl = pkgs.callPackage ./repl { };
};
}; };
};
} }

11
secrets/crowdsecApi.age
View File

@@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg lf7aPbZX2v3WGzE/KI/069DBObphqrDtjq7rhNriGl8
Vv+Pqk6DbcE5R1A9135gVKroCex1xKsCLPETZdT3yTg
-> ssh-ed25519 KUYMFA XxtBSmCwrQCZ9G3VcCrbzTdMshTK1pjlHPYj7fke818
9tO2EcnHPD6v3TNeuZdL+zP39SM5R5q7om5sCFDB8lg
-> ssh-ed25519 76RhUQ I6O/fYFRqYxExC9uLijZr6/kFze7uze0cIudCsl2jTo
WAwb822vVj5UtUAdE1oVJ0/q6nQbWqdx0OHuGEogO7M
-> ssh-ed25519 Jf8sqw gWBoe4HhXNw7Ih58lQ/L2vBoQfbU1ht8+ZSLUx/4TWk
xor0ieJ2UI5bK4rSlCM0dX61PVbxYE37FNry0YSmHG4
--- Cp8b3eTb3NfjPFvBE12a2c+Yni2jW6DZUK10IaXmmvo
w<EFBFBD>xq<EFBFBD><EFBFBD>z:<3A>.{<7B>?<3F><><EFBFBD>f<EFBFBD><66><1D><><16><>A<EFBFBD>jT<6A><54>{<7B>J <20><>

12
secrets/giteaCloudflared.age
View File

@@ -1,12 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg RnlIwFO8LSwzj94G0Uru9qibXqOOpCU2kWWdNa2tRFU
lIC3K/jjBMKRfLfepoNYIkBe5rhHuR0l3Uf1Xuk8uZg
-> ssh-ed25519 KUYMFA k16GBRcaaSwJm/8+Vm2QBOu05u6eEro/7YYj7kbuNSU
VCpt918MBBFfFZKKypV9pSwz/Zhsxr+Ob6YjFuJ/oL0
-> ssh-ed25519 76RhUQ FIKn3nuOT1ywu6pmYBbpC54HhpJGeMFejp5c0XibfAY
WDsh/5G4wXYt21yIDxmI6u1l/xPOdZRxgTazf6QLXP8
-> ssh-ed25519 Jf8sqw 2EvD96Ec8h97ACoOBYzn1Ugx4ZyYSHIRnsmtB5lb/XQ
mFY8O8qwWWihsLe5ayB5iGm1JUY2B/9el/XSf5sPe7M
--- uuwibRk7LS4/lUx9gwL+x5NMrxLjGM1Yf55bzjxQTKM
<EFBFBD>H<>Ԅ6K<36>A<01>~<7E><>)!B<08><>^S!Wd<><64>$.:S'c<>d<EFBFBD><64><EFBFBD>_WW<57>Bj<42>,<2C><>l<EFBFBD><6C><EFBFBD><EFBFBD><EFBFBD>V<>S<EFBFBD><53>h<EFBFBD>
h<EFBFBD><EFBFBD><12><>k

BIN
secrets/homepageEnvironment.age
View File

Binary file not shown.

11
secrets/jellyfinCloudflared.age Normal file
View File

@@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg dULaZVrpkeN1HqwM+HSU46XJjQznBOxa+wUDSSciK1w
FxqlulfViojLLoskKu56Utiq57rkDC6TocoaFQOgahc
-> ssh-ed25519 KUYMFA QYnb24Av6Vy17Lb5gC6dzQszOxa5bRP2PgFetmqhfCA
MaIes8V0NkyTAzFzbRuCMzMLwhYljYHwhXPKEZEdlC4
-> ssh-ed25519 76RhUQ NLoyNp/z5MXE3Hrmv7CCDYB1X8R1OORm2MZVMbgNDQs
6U8r3wpXNtQdkIH+lo7cDrnjPw9B6eF/jMeb+iW9T1I
-> ssh-ed25519 Jf8sqw GOWsvhSzrHJGJFOgsXr+O1jq7jnjyzKc82Mu7ntrI2Q
P3n32btGFtUxB28/a0iz6lBTM6UP3EYUrq0y8BR49IM
--- geE2uS2TMspihaNwgzH4FQKYoUFFRhjTS6V7F/cdTE0
%<25>^<5E>E3򿈾<33><F2BF88BE><EFBFBD>gg<67><67>ٸk<D9B8><6B>;<3B>lE+b<>x<EFBFBD>Ҝ-<2D>X<>Et'&^<5E>=c<><63>9<EFBFBD>v*<2A>

11
secrets/mikrotikSecret.age
View File

@@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg MLi7IOM8QlpvlCMSmo4SwZbTwZ9pyysSbiMMuWD/dyU
cotV5TJf7oyyXIaAmu8n9Ie1rl27i8w7hsduwtQFnis
-> ssh-ed25519 KUYMFA BhFQ/RXOH8L7gl/FSabAUv28fbaod+muvTGSV3rYQSs
fWqwAkhSAmg6YB+yEtj0e83Q4XO/r+TBnMTN7vXBNqU
-> ssh-ed25519 76RhUQ b1fDfGPNdJ9c3wtr8ww0mW5K4fKJxpxxTZy/ZCECWzs
qhbvucUrv7dzOPKUmUaRs/AtXtwQfy/qp5HnaYzZ5eQ
-> ssh-ed25519 Jf8sqw 19D2ztjyxJfGQAiUOTdgWyC0ZFso/wrC9VPEkmI34U8
PavT5O8M6Zc2Num9Hb2sY+F3UmMPqRgjUZxuvP6AhyM
--- uYOcbsL7JWoDF2mRUDLhXrbp6ssLFbQ9+a6RhAXNNPA
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> X<><58>PC<50><43>h<EFBFBD>;

12
secrets/nginxEnv.age Normal file
View File

@@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg SCmn/7gQOD3fRn0PKPXxNBDKNSqUcnejG8tPwjoNT1I
vd57xXCQ16PPPMlNysw6BWSIP/EgB3HrWlesBiQUVA0
-> ssh-ed25519 KUYMFA WVn1OhFDxMMEHFa1yHpBmWskbcRgHyBiDWZjPv8NfX8
8BCp/iUFkRsAGnc+0MEfpRXo1/Xla4WO3qYZMSl7LGw
-> ssh-ed25519 76RhUQ ZfdS1EWtBOwd7+hVnJ/JqxUCDTYmfEs1OwyzXajFMmg
eE0ahMgW76RFu9y9Z+PE6IzaLX3ydhhJvjk5vu2EgXo
-> ssh-ed25519 Jf8sqw Pr/LkT5RQysShzjqEZlXFRHim3WpAav04c/GGftDTiA
TWWRURLPnkpsxxSdSQem9sAoUoLt5wQe0CYl1xl1RaA
--- cfGjcdOvwxLDlANhDe44U5JXGAyRYPZMVtC48PuhLNo
<EFBFBD>Zyr<>#*K<><4B><EFBFBD><EFBFBD> <0B><1F>
$<24><>FB<46>$<24>^<5E>BT<42><54>#D<>v<EFBFBD><76>3<EFBFBD><13><f<>dG$<24><><EFBFBD><~<7E><10><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>m<EFBFBD><6D>8^<1A><><EFBFBD>\# Z<>-8<><38><EFBFBD>D<EFBFBD>dM<64><4D>

7
secrets/secrets.nix
View File

@@ -48,7 +48,6 @@ in {
"homepageEnvironment.age".publicKeys = kima ++ sobotka; "homepageEnvironment.age".publicKeys = kima ++ sobotka;
"cloudflareFirewallApiKey.age".publicKeys = kima ++ sobotka; "cloudflareFirewallApiKey.age".publicKeys = kima ++ sobotka;
"vaultwardenCloudflared.age".publicKeys = kima ++ sobotka; "vaultwardenCloudflared.age".publicKeys = kima ++ sobotka;
"giteaCloudflared.age".publicKeys = kima ++ sobotka;
"nextcloudCloudflared.age".publicKeys = kima ++ sobotka; "nextcloudCloudflared.age".publicKeys = kima ++ sobotka;
"nextcloudAdminPass.age".publicKeys = kima ++ sobotka; "nextcloudAdminPass.age".publicKeys = kima ++ sobotka;
"cloudflareDnsApiToken.age".publicKeys = kima ++ sobotka; "cloudflareDnsApiToken.age".publicKeys = kima ++ sobotka;
@@ -59,12 +58,10 @@ in {
"sobotkaPihole.age".publicKeys = kima ++ sobotka; "sobotkaPihole.age".publicKeys = kima ++ sobotka;
"slskd.age".publicKeys = kima ++ sobotka; "slskd.age".publicKeys = kima ++ sobotka;
"authentikEnv.age".publicKeys = kima ++ sobotka; "authentikEnv.age".publicKeys = kima ++ sobotka;
"traefikEnv.age".publicKeys = kima ++ sobotka; "nginxEnv.age".publicKeys = kima ++ sobotka;
"wwwCloudflared.age".publicKeys = kima ++ sobotka; "wwwCloudflared.age".publicKeys = kima ++ sobotka;
"authentikCloudflared.age".publicKeys = kima ++ sobotka; "authentikCloudflared.age".publicKeys = kima ++ sobotka;
"sobotkaTsAuth.age".publicKeys = kima ++ sobotka; "jellyfinCloudflared.age".publicKeys = kima ++ sobotka;
"mikrotikSecret.age".publicKeys = kima ++ sobotka;
"crowdsecApi.age".publicKeys = kima ++ sobotka;
# Ziggy-specific # Ziggy-specific
"cloudflareDnsCredentialsZiggy.age".publicKeys = kima ++ ziggy; "cloudflareDnsCredentialsZiggy.age".publicKeys = kima ++ ziggy;

11
secrets/sobotkaTsAuth.age
View File

@@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg fftdt8orBZoM0sDRAXf0TScDLosNWWWIg7JmmuunuWM
2IfpTH6ptSyLnBtBStkk7SINct6LtBHrL6h22BVNb+k
-> ssh-ed25519 KUYMFA HI04mnVOGPRsRhnqCkbO4My/sBq5v/3UYxDVcfIe4RM
fcSApUYCnJlpzVW5e77CFoSHamEmP+6ztMmzp2WlJvY
-> ssh-ed25519 76RhUQ c2FbmTXGl/F+1acZFEJUoenkxiIGdoXkT67VgxvoFHg
eWExqblEp5VIeXuPEuvj4QAIWtFX5KLfMyh6/fZ9bnA
-> ssh-ed25519 Jf8sqw IAcUf70EufTyjsva8XIlXOfPxwXvtr9AFl0LwrdAMgc
bY098fejLaFbUMX0iF89gz8kiOGZHI8JIg4NzX4ItFw
--- WNqpLyRM2EqISbZky++NbKLw4GCEgwbz2O5+VO7aKzE
<EFBFBD><EFBFBD><1A><>(5<0F>q <09><>m<EFBFBD>C<EFBFBD><43>G<EFBFBD>r<><72><16><><EFBFBD><EFBFBD>ޒ3<DE92><33><17><1F>7<><37><EFBFBD>rG<72>i<EFBFBD>c7<63>i<EFBFBD>P<EFBFBD><50>l<EFBFBD><19>7<EFBFBD><<3C>r?cGo<47><>W<0E>V<EFBFBD><56>f,2<>Qg!<21>t_<74>

11
secrets/traefikEnv.age
View File

@@ -1,11 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 t9iOEg 6LbgQLUp8wKmKVZZGAn5EvNxV2g4abypB3tEIxgUwhs
VFnsZlXZjmqj8rtIsOzEb7iIGL7+JrNZlnousl5ekR0
-> ssh-ed25519 KUYMFA oty0a3Sef9FuefKznWoDiw9zqXvEKOu2Bg/I+dWsICc
J81Edyq8eNrMZy8VHl1v1yeUBkyGSrwtuundzRjHD/Q
-> ssh-ed25519 76RhUQ jCHnm2LOCGN3BAbUrjsX9wFTDCecbcUTYRva7hPlPUs
q9BxGVVpUot7YFkg/+QKTuFtQwyR3Nk0QQuUgBbIR90
-> ssh-ed25519 Jf8sqw kX5+jV/HqPi5Hcv+iE0e1p/nAb8MmLmNY+Y3E6As3SA
C94zq34eFQABnxHoAjvXXf37rzmmEmzPUUrr9qD3Ir8
--- zTcJcdfAEEH6JZY1Fz2s4l3YuAl3B+2l4KkIZ7zqOd0
<EFBFBD><EFBFBD>֒<13> &<26> <0C><11><>W<EFBFBD><57>Ve<14><><EFBFBD>˲_M߾<4D>~<19><>y2<79>z<EFBFBD><7A>m<EFBFBD><6D>"椬<>VR,<2C>li<6C><69>/<2F><><EFBFBD><EFBFBD>YY