felixalb/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: felixalb:fbfb89280bb31d53d1653c221edf3bff2abcf327
Branches Tags
felixalb:main felixalb:nixos-25.11
...
compare: felixalb:main
Branches Tags
felixalb:main felixalb:nixos-25.11

91 Commits
fbfb89280b ... main

Author SHA1 Message Date
Felix Albrigtsen
0ffb502f68 defiant/wireguard: deprecate old peers 2025-12-31 20:59:58 +01:00
Felix Albrigtsen
27596cfcee defiant/dyndns: change domain name 2025-12-31 20:21:01 +01:00
Felix Albrigtsen
ec9811bf31 prometheus: add constellation 2025-12-16 07:48:24 +01:00
Felix Albrigtsen
7c9efc9638 leonard: update amalie-mansaker-no 2025-12-12 20:18:06 +01:00
Felix Albrigtsen
ad36469dd2 Merge pull request 'nixos-25.11' (#6) from nixos-25.11 into main 
Reviewed-on: #6
 2025-12-08 21:07:41 +01:00
Felix Albrigtsen
bd05773d1a auto-upgrade: point back to the main branch 2025-12-08 21:05:23 +01:00
Felix Albrigtsen
77cdedf958 defiant: update to nixos 25.11 2025-12-08 20:59:46 +01:00
Felix Albrigtsen
b4b8fa2309 worf: fix 25.11. Clean flake. 2025-12-04 17:22:33 +01:00
Felix Albrigtsen
aca430fb18 challenger/audiobookshelf: fix mount order 2025-12-02 19:38:08 +01:00
Felix Albrigtsen
8aa123303c challenger: update to nixos 25.11. Update to nextcloud 32 2025-12-02 00:14:36 +01:00
Felix Albrigtsen
f7ce8585b5 burnham: remove host 2025-12-01 23:22:05 +01:00
Felix Albrigtsen
1af2ea3552 malcolm: remove host (superceded by leonard) 2025-12-01 23:17:25 +01:00
Felix Albrigtsen
d9b62f7c0a sisko: Update to nixos 25.11 2025-12-01 00:24:11 +01:00
Felix Albrigtsen
774bd0c0d8 morn: update to 25.11 2025-12-01 00:02:06 +01:00
Felix Albrigtsen
9c0ea93934 flake: update to 25.11. Breaks worf/darwin. 2025-11-30 23:54:27 +01:00
Felix Albrigtsen
520a96878b leonard: Add amalie-mansaker-no 2025-11-23 18:56:03 +01:00
Felix Albrigtsen
9eed01bb4a defiant: enable cloud backups 2025-11-17 21:30:04 +01:00
Felix Albrigtsen
f5cc555c1b challenger: cleanup, remove ersatztv 2025-11-14 23:49:56 +01:00
Felix Albrigtsen
b4ca418a34 defiant: cleanup, remove flame, remove koillection 2025-11-14 23:38:46 +01:00
Felix Albrigtsen
261b19f7c3 challenger: add audiobookshelf 2025-11-13 23:12:05 +01:00
Felix Albrigtsen
c0e19e7c21 morn: add thelounge 2025-11-06 22:05:31 +01:00
Felix Albrigtsen
c601ed7d39 flake: update 2025-11-03 20:17:40 +01:00
Felix Albrigtsen
4b922cd23d defiant/nginx: wiki-wackattac-eu has moved to leonard 2025-11-02 15:06:10 +01:00
Felix Albrigtsen
68950a4507 leonard: Add wiki-wackattack-eu 2025-11-02 15:05:43 +01:00
Felix Albrigtsen
0c08f92444 defiant/matrix-synapse: Fix oidc provider mapping typo 2025-11-02 12:23:19 +01:00
Felix Albrigtsen
f4630467f6 defiant/matrix-synapse: require matrix-user role in keycloak 2025-11-01 19:50:55 +01:00
Felix Albrigtsen
ee4bb0ee2d defiant/monitoring: update prometheus target list 2025-10-19 00:36:51 +02:00
Felix Albrigtsen
410e673673 sops: add recovery key 2025-10-18 23:59:13 +02:00
Felix Albrigtsen
492bd530d3 challenger/backup: add hostBackups 2025-10-18 23:46:32 +02:00
Felix Albrigtsen
14483e95e7 defiant/nginx: Move www.feal.no and www.kinealbrigtsen.no to leonard 2025-10-18 22:33:08 +02:00
Felix Albrigtsen
483f30229f leonard: add www-feal-no. add www-kinealbrigtsen-no. configure outgoing firewall 2025-10-18 22:25:05 +02:00
Felix Albrigtsen
49a3c0211e leonard: init host 2025-10-17 21:02:28 +02:00
Felix Albrigtsen
b1fed06b7d worf: add mpv 2025-10-17 19:39:04 +02:00
Felix Albrigtsen
9c24a7bfa5 wireguard: add Amalies phone. Disable burnham endpoint 2025-10-16 23:04:06 +02:00
Felix Albrigtsen
64777e4caf flake: update 2025-10-12 18:12:47 +02:00
Felix Albrigtsen
36574ed5b0 worf: rebuild needs sudo now 2025-09-16 19:21:26 +02:00
Felix Albrigtsen
b438b63306 defiant/nginx: temporarily add forwards for mccoy 2025-09-14 20:46:26 +02:00
Felix Albrigtsen
4e8156139b defiant/gitea: Disable default theme 2025-09-14 20:46:26 +02:00
Felix Albrigtsen
4a25256ee6 flake: update 2025-09-09 22:35:27 +02:00
Felix Albrigtsen
5633f4b551 sisko: add rtl-sdr, gqrx, hashcat, immersed. Remove bambu-studio 2025-09-09 22:25:07 +02:00
Felix Albrigtsen
d30b0b1a97 sisko: add lutris 2025-08-22 19:08:21 +02:00
Felix Albrigtsen
5c07d9540b sisko: add docker 2025-08-22 19:08:21 +02:00
Felix Albrigtsen
8d3d918c94 My friendship with github education is over 2025-08-22 09:56:11 +02:00
Felix Albrigtsen
fc7e3decc6 fa-t14-2025: Minor adjustments 2025-08-21 15:43:28 +02:00
Felix Albrigtsen
0490048a14 fa-t14-2025: Add docker, minor adjustments. home: improve tmux config 2025-08-21 15:43:28 +02:00
Felix Albrigtsen
74b7feb043 sisko: minor changes 2025-08-03 17:51:59 +02:00
Felix Albrigtsen
5701615d29 base: remove manual nixpkgs registry/nix-path override, not needed since 24.05 2025-08-02 17:22:27 +02:00
Felix Albrigtsen
4e2f1cb44d flake: update all inputs. Remove deprecated matrix-synapse options 2025-07-31 00:24:22 +02:00
Felix Albrigtsen
73e2ee8fa7 flake: remove hyprswitch input 2025-07-31 00:24:22 +02:00
Felix Albrigtsen
03fbccbbd2 defiant: stop minecraft server 2025-07-31 00:24:22 +02:00
Felix Albrigtsen
3ecca821d0 defiant: Generalize wireguard config 2025-07-31 00:24:22 +02:00
Felix Albrigtsen
ee23a6eb75 sisko: various minor changes 2025-07-31 00:07:40 +02:00
Felix Albrigtsen
5dcd4c11bb challenger/backup: cleanup, add books/music 2025-07-31 00:04:51 +02:00
Felix Albrigtsen
eb4b58bed7 morn: add miniflux 2025-07-06 23:59:16 +02:00
Felix Albrigtsen
c9efb5c1dd remove old hosts voyager and felixalbpc 2025-07-06 23:32:29 +02:00
Felix Albrigtsen
ac1e8d2f3f challenger/backup: Add remote cloud backups 2025-07-03 23:41:23 +02:00
Felix Albrigtsen
dc5b6f9915 flake: update. sisko: add bambu studio/orcaslicer, fix updates 2025-07-03 23:26:02 +02:00
Felix Albrigtsen
03c4f8ca88 fa-t14-2025: Minor adjustments, add SecureCRT(WIP) 2025-06-16 09:40:56 +02:00
Felix Albrigtsen
126473d75d fa-t14-2025: Add swap and power management 2025-06-16 09:40:48 +02:00
Felix Albrigtsen
08ca7edf69 Merge pull request 'Upgrade to nixos 25.05' (#4) from nixos-25.05 into main 
Reviewed-on: #4
 2025-06-08 22:12:40 +02:00
Felix Albrigtsen
f72393cc25 defiant: re-enable backups 2025-06-08 22:07:28 +02:00
Felix Albrigtsen
c4ea7efc9c challenger: update to nixos 25.05. Update to nextcloud 31 2025-06-08 22:00:06 +02:00
Felix Albrigtsen
3f814a9d50 challenger/jellyfin: fix GPU access, remove DeviceAllow 2025-06-08 18:27:14 +02:00
Felix Albrigtsen
75212dc4bf defiant: update homeassistant 2025-06-08 18:20:06 +02:00
Felix Albrigtsen
d40e8b6898 defiant: disable some unused services 2025-06-08 18:20:06 +02:00
Felix Albrigtsen
c73d9761bc defiant: temporarily move/disable backups when moving house 2025-06-08 18:20:06 +02:00
Felix Albrigtsen
d380110543 sisko: Update to nixos 25.05 2025-06-08 17:38:32 +02:00
Felix Albrigtsen
cf6a836f80 sisko: Change to NetworkManager. Add misc. packages 2025-06-08 17:27:33 +02:00
Felix Albrigtsen
7f892fa284 sisko: add cantata 2025-06-08 17:19:59 +02:00
Felix Albrigtsen
9d9644dff7 fa-t14-2025: Add fake-stable microsoft edge 2025-06-04 13:00:52 +02:00
Felix Albrigtsen
e545add397 worf: Update to nixos 25.05 2025-06-03 22:26:01 +02:00
Felix Albrigtsen
de319def43 flake: Start switching to NixOS 25.05 2025-06-03 22:26:01 +02:00
Felix Albrigtsen
4f99ff9c1e Configure fa-t14 2025-06-03 22:26:01 +02:00
Felix Albrigtsen
7c10e96035 malcolm: WIP CTF tools 2025-06-03 22:25:41 +02:00
Felix Albrigtsen
73c0eda7cf malcolm/kinealbrigtsen: Remove CSP to fix awful WP plugins 2025-06-03 22:25:41 +02:00
Felix Albrigtsen
2c36272339 WIP: new host fa-t14-2025 2025-06-03 08:37:13 +02:00
Felix Albrigtsen
277a650098 flake: bump inputs. challenger: add feal-syn2 backup mount 2025-05-20 23:00:58 +02:00
Felix Albrigtsen
e289cab72f base: add some utilities 2025-05-20 23:00:58 +02:00
Felix Albrigtsen
9d86516046 wireguard: add Turtle 2025-05-16 01:23:42 +02:00
Felix Albrigtsen
bca8a78af9 morn: configure glance 2025-04-22 18:34:37 +02:00
Felix Albrigtsen
93783fe482 auto-upgrade: init attempt at auto upgrade 2025-04-22 18:33:42 +02:00
Felix Albrigtsen
f2e408c338 flake: update 2025-04-20 10:56:20 +02:00
Felix Albrigtsen
8425654777 defiant/minecraft: disable online-mode 2025-04-20 10:33:36 +02:00
Felix Albrigtsen
54546d512f sisko: Add some CTF tools 2025-04-05 13:42:13 +02:00
Felix Albrigtsen
2fbc6223e1 felixalbpc: Update python 2025-04-01 09:57:15 +02:00
Felix Albrigtsen
0fd4b10b1c felixalbpc: try to disable ipv6 temporary addresses. Add sl2 shell alias 2025-04-01 09:57:15 +02:00
Felix Albrigtsen
ff99371792 sisko/firefox: add tridactyl support 2025-03-26 20:45:52 +01:00
Felix Albrigtsen
017b500180 sisko: minor additions; xfce, alvr 2025-03-22 15:35:06 +01:00
Felix Albrigtsen
2b4254952a home: Add fzf 2025-03-19 20:08:35 +01:00
Felix Albrigtsen
4ec8b69cde morn: Init new host 2025-03-19 17:37:57 +01:00
Felix Albrigtsen
ed47f7b1bf home/neovim: Fix lightline, disable coc 2025-03-19 17:22:31 +01:00
88 changed files with 1210 additions and 1351 deletions
Expand all files Collapse all files

15
.sops.yaml
View File

@@ -1,8 +1,9 @@
keys: keys:
- &bw_recovery age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
- &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct - &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
- &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773 - &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773
- &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu - &host_morn age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx
- &user_felixalb_sisko age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl - &user_felixalb_sisko age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
- &user_felixalb_worf age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - &user_felixalb_worf age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
@@ -11,6 +12,7 @@ creation_rules:
- path_regex: secrets/[^/]+\.yaml$ - path_regex: secrets/[^/]+\.yaml$
key_groups: key_groups:
- age: - age:
- *bw_recovery
- *user_felixalb_sisko - *user_felixalb_sisko
- *user_felixalb_worf - *user_felixalb_worf
@@ -19,6 +21,7 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *host_burnham - *host_burnham
- *bw_recovery
- *user_felixalb_sisko - *user_felixalb_sisko
- *user_felixalb_worf - *user_felixalb_worf
@@ -26,6 +29,7 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *host_challenger - *host_challenger
- *bw_recovery
- *user_felixalb_sisko - *user_felixalb_sisko
- *user_felixalb_worf - *user_felixalb_worf
@@ -33,5 +37,14 @@ creation_rules:
key_groups: key_groups:
- age: - age:
- *host_defiant - *host_defiant
- *bw_recovery
- *user_felixalb_sisko
- *user_felixalb_worf
- path_regex: secrets/morn/[^/]+\.yaml$
key_groups:
- age:
- *host_morn
- *bw_recovery
- *user_felixalb_sisko - *user_felixalb_sisko
- *user_felixalb_worf - *user_felixalb_worf

3
README.md
View File

@@ -37,8 +37,9 @@ Other installed packages and tools are described in the config files (like ./hos
## Networking ## Networking
- I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)). - I use *nginx* as a web server and reverse proxy. The configuration is mostly distributed throughout the services that use it ([example](https://git.feal.no/felixalb/nixos-config/src/commit/3a05681d10a6999f73cbef59c3999742b81947a6/hosts/defiant/services/hedgedoc.nix#L98)).
- I recently switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix) and [here](./hosts/burnham/services/wireguard.nix). - A long time ago, I switched from Tailscale(actually [headscale](https://github.com/juanfont/headscale)) to *WireGuard*, configured [here](./hosts/defiant/services/wireguard.nix).
- PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking. - PiHole ([source](./hosts/defiant/services/pihole.nix)) run my internal DNS (\*.home.feal.no) and ad blocking.
- A simple custom DynDNS thing is defined [here](./common/domeneshop-dyndns.nix) and used [here](./hosts/defiant/services/dyndns.nix).
## Monitoring ## Monitoring

11
base.nix
View File

@@ -29,19 +29,12 @@
trusted-users = [ "felixalb" ]; trusted-users = [ "felixalb" ];
builders-use-substitutes = true; builders-use-substitutes = true;
}; };
registry= {
nixpkgs.flake = inputs.nixpkgs;
};
nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
}; };
programs.zsh.enable = true; programs.zsh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
bottom bottom
duf
eza eza
file file
git git
@@ -61,6 +54,10 @@
vim vim
wget wget
zip zip
] ++ lib.optionals (pkgs.stdenv.isLinux) [
dmidecode
lm_sensors
pciutils
]; ];
services.openssh = { services.openssh = {

15
common/auto-upgrade.nix Normal file
View File

@@ -0,0 +1,15 @@
{ config, pkgs, lib, ... }:
{
system.autoUpgrade = {
enable = true;
flake = "git+https://git.feal.no/felixalb/nixos-config.git";
flags = [
# Override nixpkgs (only). Notably does not include home-manager, sops or other utility/application flake inputs.
"--refresh"
"--override-input" "nixpkgs" "github:NixOS/nixpkgs/nixos-25.11"
"--override-input" "nixpkgs-unstable" "github:nixos/nixpkgs/nixos-unstable"
"--no-write-lock-file"
];
};
}

8
common/pwndbg-gdb-alias.nix Normal file
View File

@@ -0,0 +1,8 @@
{ pwndbg }:
# "$ coredumpctl gdb" always runs "gdb" from your path.
pwndbg.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/pwndbg $out/bin/gdb
'';
})

81
common/securecrt.nix Normal file
View File

@@ -0,0 +1,81 @@
{
lib,
stdenv,
fetchurl,
autoPatchelfHook,
dpkg,
cups,
gtkmm3,
icu74,
krb5,
makeWrapper,
openssl,
pango,
python312,
xcb-util-cursor,
xorg,
}:
let
packageId = "scrt_ubuntu2464_deb_963";
in stdenv.mkDerivation rec {
pname = "securecrt";
version = "9.6.3";
src = fetchurl {
url = "https://www.vandyke.com/cgi-bin/download_1.php";
name = "${pname}-${version}.deb";
curlOpts = "-X POST --data 'pid=${packageId}&export_check=accept&country=no&su";
sha256 = "sha256-PsFuxJ7H0rJCWWi+rvzrlRUJlp9R4MG14d883/kl9Lo=";
};
unpackCmd = "dpkg -x $curSrc source";
nativeBuildInputs = [
dpkg
autoPatchelfHook
];
buildInputs = [
cups
gtkmm3
icu74
krb5
makeWrapper
openssl
pango
python312
xcb-util-cursor
xorg.xcbutilkeysyms
xorg.xcbutilwm
];
dontConfigure = true;
dontBuild = true;
dontWrapQTApps = true;
installPhase = ''
runhook preInstall
mkdir -p "$out"
cp -R usr/* "$out/"
wrapProgram "$out/bin/SecureCRT" --set QT_QPA_PLATFORM_PLUGIN_PATH "$out/lib/scrt/plugins/platforms"
runhook postInstall
'';
meta = with lib; {
homepage = "https://www.vandyke.com/products/securecrt/unix.html";
description = "Terminal emulator for computing professionals, with advanced session management";
license = {
free = false;
fullName = "Unknown / Custom";
};
platforms = with lib.platforms; linux ++ darwin ++ windows;
broken = !(stdenv.hostPlatform.isLinux && stdenv.hostPlatform.isx86_64);
};
mainProgram = "SecureCRT";
}

38
common/wireguard-peers.nix Normal file
View File

@@ -0,0 +1,38 @@
[
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
{ # fa-t14-2025
publicKey = "UPpUVWQqOKT65MFym1sFDTstNmuynDYE4LOOtbWqEng=";
allowedIPs = [
"10.100.0.7/32"
];
}
{ # Turtle
publicKey = "mDzAtRPv+O5TDHa9DGodF/KKuFXRBYwSqfPyeWfdfRI=";
allowedIPs = [
"10.100.0.8/32"
];
}
{ # Amalies phone
publicKey = "Iqoq00e5rUNygmjOKmSPzvDTzvUdpxkpwVrD6UJXG2w=";
allowedIPs = [
"10.100.0.9/32"
];
}
]

183
flake.lock generated
View File

@@ -2,11 +2,11 @@
"nodes": { "nodes": {
"extra-config": { "extra-config": {
"locked": { "locked": {
"lastModified": 1729545170, "lastModified": 1745649002,
"narHash": "sha256-IrjXBAGiJKyIHxjVHPke1RbkqZ5yWTNHLfo8//LP9bM=", "narHash": "sha256-XNBExt3+U3o4lip+yj6oorCEPZ9Qe8PzBSFM5ZzVtSA=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "7a64446cecca25a8f7df089ea04557727e5dc041", "rev": "50c9c15db2b309d299b1c19089c962979e01f45b",
"revCount": 10, "revCount": 13,
"type": "git", "type": "git",
"url": "file:///home/felixalb/nix-extra-config" "url": "file:///home/felixalb/nix-extra-config"
}, },
@@ -18,11 +18,11 @@
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1673956053, "lastModified": 1747046372,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -31,34 +31,16 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1733312601,
"narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": { "flake-utils": {
"inputs": { "inputs": {
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1731533236,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401", "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -74,57 +56,36 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1739757849, "lastModified": 1764776959,
"narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=", "narHash": "sha256-d+5CGloq7Lo1u2SkzhF8oiOdUc6Z5emh22nTXUB9CFA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe", "rev": "e1680d594a9281651cbf7d126941a8c8e2396183",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nix-community", "owner": "nix-community",
"ref": "release-24.11", "ref": "release-25.11",
"repo": "home-manager", "repo": "home-manager",
"type": "github" "type": "github"
} }
}, },
"hyprswitch": {
"inputs": {
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1732716329,
"narHash": "sha256-e/t8CD7HXnRziDgA+iT2eMzj2VypvFoZeTILngHFet0=",
"owner": "H3rmt",
"repo": "hyprswitch",
"rev": "8e1d741aa0cca12f5920c77adf3dc784f20456cc",
"type": "github"
},
"original": {
"owner": "H3rmt",
"ref": "v3.1.3",
"repo": "hyprswitch",
"type": "github"
}
},
"matrix-synapse-next": { "matrix-synapse-next": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs" "nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1717234745, "lastModified": 1765214213,
"narHash": "sha256-MFyKRdw4WQD6V3vRGbP6MYbtJhZp712zwzjW6YiOBYM=", "narHash": "sha256-WSk8CTdIDFFP5VMJj9beve19nPMMdTsWnkCHVXqO/3E=",
"owner": "dali99", "owner": "dali99",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"rev": "d7dc42c9bbb155c5e4aa2f0985d0df75ce978456", "rev": "82959f612ffd523a49c92f84358a9980a851747b",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "dali99", "owner": "dali99",
"ref": "v0.6.0",
"repo": "nixos-matrix-modules", "repo": "nixos-matrix-modules",
"type": "github" "type": "github"
} }
@@ -132,20 +93,20 @@
"nix-darwin": { "nix-darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs-darwin"
] ]
}, },
"locked": { "locked": {
"lastModified": 1739553546, "lastModified": 1764161084,
"narHash": "sha256-L4ou3xfOr17EAe836djRoQ7auVkYOREMtiQa82wVGqU=", "narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",
"owner": "lnl7", "owner": "nix-darwin",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "353846417f985e74fdc060555f17939e4472ea2c", "rev": "e95de00a471d07435e0527ff4db092c84998698e",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "lnl7", "owner": "nix-darwin",
"ref": "nix-darwin-24.11", "ref": "nix-darwin-25.11",
"repo": "nix-darwin", "repo": "nix-darwin",
"type": "github" "type": "github"
} }
@@ -154,14 +115,16 @@
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_2" "nixpkgs": [
"nixpkgs"
]
}, },
"locked": { "locked": {
"lastModified": 1734314370, "lastModified": 1764813963,
"narHash": "sha256-9PhjDAAuXP4tuJg+kM1AozKwBFyHHJ8ZqhQD+peqGtg=", "narHash": "sha256-Vs7Mamto+T8r1evk9myHepgHGNJkS2Kr0BF64NIei94=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "616634de04e87b621bc3d495af114c4e9c6ccd36", "rev": "491200d6848402bbab1421cccbc15a46f08c7f78",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -172,22 +135,22 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1706098335, "lastModified": 1764677808,
"narHash": "sha256-r3dWjT8P9/Ah5m5ul4WqIWD8muj5F+/gbCdjiNVBKmU=", "narHash": "sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a77ab169a83a4175169d78684ddd2e54486ac651", "rev": "1aab89277eb2d87823d5b69bae631a2496cff57a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "owner": "NixOS",
"ref": "nixos-23.11", "ref": "nixos-25.11",
"type": "indirect" "repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs-2211": { "nixpkgs-2211": {
"locked": { "locked": {
"lastModified": 1658083977,
"narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=", "narHash": "sha256-yqLXI+viN5+Vx5YpG9gNapKL3/+P6Pkprc36xNdyqSU=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
@@ -197,25 +160,29 @@
"url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"
} }
}, },
"nixpkgs-lib": { "nixpkgs-darwin": {
"locked": { "locked": {
"lastModified": 1733096140, "lastModified": 1764806471,
"narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", "narHash": "sha256-NsPsz003eWD8wp8vj5BnQzPoDyeQKRUfS2dvan2Y30M=",
"type": "tarball", "owner": "NixOS",
"url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" "repo": "nixpkgs",
"rev": "6707b1809330d0f912f5813963bb29f6f194ee81",
"type": "github"
}, },
"original": { "original": {
"type": "tarball", "owner": "NixOS",
"url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" "ref": "nixpkgs-25.11-darwin",
"repo": "nixpkgs",
"type": "github"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1740828860, "lastModified": 1764667669,
"narHash": "sha256-cjbHI+zUzK5CPsQZqMhE3npTyYFt9tJ3+ohcfaOF/WM=", "narHash": "sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "303bd8071377433a2d8f76e684ec773d70c5b642", "rev": "418468ac9527e799809c900eda37cbff999199b6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -225,48 +192,16 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_2": {
"locked": {
"lastModified": 1715266358,
"narHash": "sha256-doPgfj+7FFe9rfzWo1siAV2mVCasW+Bh8I1cToAXEE4=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f1010e0469db743d14519a1efd37e23f8513d714",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1740865531,
"narHash": "sha256-h00vGIh/jxcGl8aWdfnVRD74KuLpyY3mZgMFMy7iKIc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5ef6c425980847c78a80d759abc476e941a9bf42",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"extra-config": "extra-config", "extra-config": "extra-config",
"home-manager": "home-manager", "home-manager": "home-manager",
"hyprswitch": "hyprswitch",
"matrix-synapse-next": "matrix-synapse-next", "matrix-synapse-next": "matrix-synapse-next",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-minecraft": "nix-minecraft", "nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs",
"nixpkgs-2211": "nixpkgs-2211", "nixpkgs-2211": "nixpkgs-2211",
"nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
} }
@@ -278,11 +213,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1734546875, "lastModified": 1764483358,
"narHash": "sha256-6OvJbqQ6qPpNw3CA+W8Myo5aaLhIJY/nNFDk3zMXLfM=", "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "ed091321f4dd88afc28b5b4456e0a15bd8374b4d", "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
"type": "github" "type": "github"
}, },
"original": { "original": {

52
flake.nix
View File

@@ -2,20 +2,22 @@
description = "Felixalb System flake"; description = "Felixalb System flake";
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; # Remember to update ./common/auto-upgrade.nix
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs-darwin.url = "github:NixOS/nixpkgs/nixpkgs-25.11-darwin";
nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina nixpkgs-2211.url = "https://github.com/NixOS/nixpkgs/archive/34bfa9403e42eece93d1a3740e9d8a02fceafbca.tar.gz"; # old nixpgks for e.g. remmina
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
nix-darwin.url = "github:lnl7/nix-darwin/nix-darwin-24.11"; nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.11";
nix-darwin.inputs.nixpkgs.follows = "nixpkgs"; nix-darwin.inputs.nixpkgs.follows = "nixpkgs-darwin";
home-manager.url = "github:nix-community/home-manager/release-24.11"; home-manager.url = "github:nix-community/home-manager/release-25.11";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
matrix-synapse-next.url = "github:dali99/nixos-matrix-modules/v0.6.0"; matrix-synapse-next.url = "github:dali99/nixos-matrix-modules"; # TODO: Lock to release
matrix-synapse-next.inputs.nixpkgs.follows = "nixpkgs";
nix-minecraft.url = "github:Infinidoge/nix-minecraft"; nix-minecraft.url = "github:Infinidoge/nix-minecraft";
hyprswitch.url = "github:H3rmt/hyprswitch/v3.1.3"; nix-minecraft.inputs.nixpkgs.follows = "nixpkgs";
hyprswitch.inputs.nixpkgs.follows = "nixpkgs";
extra-config.url = "git+file:///home/felixalb/nix-extra-config"; extra-config.url = "git+file:///home/felixalb/nix-extra-config";
@@ -26,12 +28,12 @@
outputs = { outputs = {
self self
, home-manager , home-manager
, hyprswitch
, matrix-synapse-next , matrix-synapse-next
, nix-minecraft , nix-minecraft
, nix-darwin , nix-darwin
, nixpkgs , nixpkgs
, nixpkgs-2211 , nixpkgs-2211
, nixpkgs-darwin
, nixpkgs-unstable , nixpkgs-unstable
, sops-nix , sops-nix
, extra-config , extra-config
@@ -48,20 +50,21 @@
config.allowUnfree = true; config.allowUnfree = true;
}; };
hyprswitch = hyprswitch.packages.${prev.system}.default; pwndbg-gdb-alias = prev.callPackage ./common/pwndbg-gdb-alias.nix { };
securecrt = prev.callPackage ./common/securecrt.nix { };
}; };
in in
{ {
nixosConfigurations = let nixosConfigurations = let
normalSys = name: config: nixpkgs.lib.nixosSystem { normalSys = name: hostConfig: nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux"; # TODO - Handle
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
({ config, pkgs, ... }: { ({ config, pkgs, ... }: {
# Make "pkgs.unstable" etc. available # Make "pkgs.unstable" etc. available
nixpkgs.overlays = [ pkgs-overlay ] ++ config.overlays or [ ]; nixpkgs.overlays = [ pkgs-overlay ] ++ hostConfig.overlays or [ ];
}) })
./hosts/${name}/configuration.nix ./hosts/${name}/configuration.nix
@@ -71,19 +74,12 @@
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
home-manager.users = { home-manager.users = {
"felixalb" = import ./hosts/${name}/home.nix; "felixalb" = import ./hosts/${name}/home.nix;
} // config.home-manager-users or { }; } // hostConfig.home-manager-users or { };
} }
] ++ config.modules or [ ]; ] ++ hostConfig.modules or [ ];
}; };
in { in {
# Networking / VPN Gateway
burnham = normalSys "burnham" {
modules = [
./common/domeneshop-dyndns.nix
];
};
# Media / storage server # Media / storage server
challenger = normalSys "challenger" { challenger = normalSys "challenger" {
modules = [ modules = [
@@ -99,15 +95,17 @@
]; ];
}; };
# Work desktop # Work laptop
felixalbpc = normalSys "felixalbpc" { }; fa-t14-2025 = normalSys "fa-t14-2025" { };
# Web host # Web host
malcolm = normalSys "malcolm" { }; leonard = normalSys "leonard" { };
# General application server
morn = normalSys "morn" { };
# Home desktop # Home desktop
sisko = normalSys "sisko" { sisko = normalSys "sisko" { };
};
}; };
# Daily driver macbook # Daily driver macbook

1
home/amalieem/default.nix
View File

@@ -36,7 +36,6 @@
settings.window.opacity = 0.92; settings.window.opacity = 0.92;
}; };
firefox.enable = true; firefox.enable = true;
neovim.plugins = with pkgs.vimPlugins; [ copilot-vim ];
wofi.enable = true; wofi.enable = true;
}; };

16
home/base.nix
View File

@@ -14,7 +14,6 @@
pwgen pwgen
sshfs sshfs
sshuttle sshuttle
tmux
]; ];
sessionVariables = { sessionVariables = {
@@ -28,10 +27,12 @@
enableZshIntegration = true; enableZshIntegration = true;
}; };
programs.fzf.enable = true;
programs.git = { programs.git = {
enable = true; enable = true;
extraConfig = { settings = {
pull.rebase = true; pull.rebase = true;
push.autoSetupRemote = true; push.autoSetupRemote = true;
color.ui = "auto"; color.ui = "auto";
@@ -54,4 +55,15 @@
]; ];
}; };
programs.tmux = {
enable = true;
sensibleOnTop = true;
baseIndex = 1;
clock24 = true;
keyMode = "vi";
mouse = true;
terminal = "screen-256color";
};
} }

8
home/neovim.nix
View File

@@ -50,7 +50,7 @@ in {
" Integrate status with lightline " Integrate status with lightline
let g:lightline = { let g:lightline = {
\ 'active': { \ 'active': {
\ 'left': [[ 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]] \ 'left': [[ 'mode', 'paste', 'filename', 'readonly', 'coc_info', 'coc_hints', 'coc_errors', 'coc_warnings', 'coc_ok' ], [ 'coc_status' ]]
\ } \ }
\ } \ }
@@ -100,7 +100,7 @@ in {
" Close vim is Nerdtree is the only buffer left " Close vim is Nerdtree is the only buffer left
autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif autocmd bufenter * if (winnr("$") == 1 && exists("b:NERDTree") && b:NERDTree.isTabTree()) | q | endif
if empty($AERC_ACCOUNT) if empty($AERC_ACCOUNT) && empty($MOZ_APP_LAUNCHER)
autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup autocmd VimEnter * NERDTree " Autostart nerdtree on vim startup
autocmd VimEnter * wincmd p " Unselect nerdtree window autocmd VimEnter * wincmd p " Unselect nerdtree window
endif endif
@@ -130,8 +130,8 @@ in {
" Disable search highlights " Disable search highlights
map <Leader><Space> :noh<CR> map <Leader><Space> :noh<CR>
" Start with copilot disabled " Start with Coc disabled
let g:copilot_enabled = 0 " autocmd VimEnter * CocDisable
''; '';
}; };

2
home/zsh.nix
View File

@@ -34,7 +34,7 @@
]; ];
}; };
initExtra = '' initContent = ''
# Autocomplete ../ # Autocomplete ../
zstyle ':completion:*' special-dirs true zstyle ':completion:*' special-dirs true
export PATH="$HOME/.config/emacs/bin:$HOME/.cargo/bin:$PATH" export PATH="$HOME/.config/emacs/bin:$HOME/.cargo/bin:$PATH"

40
hosts/burnham/configuration.nix
View File

@@ -1,40 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
# Infrastructure
./services/wireguard.nix
# Other
./services/dyndns.nix
./services/nginx.nix
./services/thelounge.nix
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "burnham";
defaultGateway = "192.168.11.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.11.109"; prefixLength = 24; }
];
};
hostId = "8e24f235";
};
sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "23.11";
}

12
hosts/burnham/home.nix
View File

@@ -1,12 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./../../home/base.nix
];
programs = {
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
};
home.stateVersion = "23.05";
}

11
hosts/burnham/services/dyndns.nix
View File

@@ -1,11 +0,0 @@
{ config, pkgs, lib, ... }:
{
sops.secrets."domeneshop/netrc" = { };
services.domeneshop-dyndns = {
enable = true;
domain = "site2.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path;
};
}

62
hosts/burnham/services/wireguard.nix
View File

@@ -1,62 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.networking.wireguard.interfaces."wg0";
in {
networking = {
nat = {
enable = true;
externalInterface = "ens18";
internalInterfaces = [ "wg0" ];
};
firewall.allowedUDPPorts = [ cfg.listenPort ];
wireguard.interfaces."wg0" = {
ips = [ "10.100.0.2/24" ];
listenPort = 51820;
privateKeyFile = "/etc/wireguard/burnham.private";
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.11.0/24 -o eth0 -j MASQUERADE
'';
peers = [
{ # Defiant
publicKey = "8/711GhmN9+NcduHF4JPkfoZPE0qsDLuwhABcPyjNxI=";
persistentKeepalive = 120;
allowedIPs = [
"10.100.0.1/32"
"192.168.10.0/24"
];
endpoint = "site3.feal.no:51902";
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
{ # Work-laptop
publicKey = "px4YstB16lFjgdLQkH55wz8gQRupX/LTxg8dNFijDTA=";
allowedIPs = [
"10.100.0.7/32"
];
}
];
};
};
}

61
hosts/challenger/backup.nix
View File

@@ -13,30 +13,67 @@
"--keep-yearly 10" "--keep-yearly 10"
]; ];
}; };
in { cloudJob = name: paths: {
postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // { inherit paths;
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup # "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/challenger/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
}; };
in {
# Transmission _metadata_ # Calibre metadata and config
transmission = localJob "transmission" [ "/var/lib/transmission" ];
# Calibre metadata and books
calibre = localJob "calibre" [ calibre = localJob "calibre" [
"/var/lib/calibre-web" "/var/lib/calibre-web"
"/var/lib/calibre-server" "/var/lib/calibre-server"
"/tank/media/books" ];
# Other system backups (NB: Large!)
hostBackups = localJob "hostBackups" [
"/tank/backup"
] // { ] // {
pruneOpts = [ "--keep-daily 1" ]; pruneOpts = [ "--keep-monthly 12" ];
}; };
# Nextcloud data media = localJob "media" [
nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ]; "/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
];
media-remote = cloudJob "media" [
"/tank/media/books"
"/tank/media/komga"
"/tank/media/music"
] // {
pruneOpts = [ "--keep-monthly 12" ];
};
# TODO: timemachine, komga # Nextcloud config and data
nextcloud = localJob "nextcloud" [ "/tank/nextcloud" ];
nextcloud-remote = cloudJob "nextcloud" [ "/tank/nextcloud" ];
# Postgresql databases
postgres = (localJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
postgres-remote = (cloudJob "postgres" [ "/var/backup/postgres" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
# Transmission metadata/config
transmission = localJob "transmission" [ "/var/lib/transmission" ];
# TODO: timemachine
}; };
sops.secrets."restic/calibre" = { }; sops.secrets."restic/calibre" = { };
sops.secrets."restic/hostBackups" = { };
sops.secrets."restic/media" = { };
sops.secrets."restic/nextcloud" = { }; sops.secrets."restic/nextcloud" = { };
sops.secrets."restic/postgres" = { }; sops.secrets."restic/postgres" = { };
sops.secrets."restic/transmission" = { }; sops.secrets."restic/transmission" = { };

4
hosts/challenger/configuration.nix
View File

@@ -13,8 +13,8 @@
./filesystems.nix ./filesystems.nix
# ./services/archivebox.nix # ./services/archivebox.nix
./services/audiobookshelf.nix
./services/calibre.nix ./services/calibre.nix
# ./services/ersatztv.nix
./services/jellyfin.nix ./services/jellyfin.nix
./services/komga.nix ./services/komga.nix
./services/nextcloud.nix ./services/nextcloud.nix
@@ -45,6 +45,8 @@
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker"; virtualisation.oci-containers.backend = "docker";
security.polkit.enable = true; # Required for nextcloud
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11" "nvidia-x11"
"nvidia-settings" "nvidia-settings"

13
hosts/challenger/filesystems.nix
View File

@@ -31,5 +31,18 @@
"noauto" "noauto"
]; ];
}; };
"/mnt/feal-syn2/backup" = {
# device = "feal-syn1.home.feal.no:/volume2/backup";
device = "192.168.11.163:/volume1/challenger";
fsType = "nfs";
options = [
"defaults"
"noatime"
"rw"
"nfsvers=3"
"x-systemd.automount"
"noauto"
];
};
}; };
} }

57
hosts/challenger/services/audiobookshelf.nix Normal file
View File

@@ -0,0 +1,57 @@
{ config, lib, pkgs, ... }:
let
domain = "audiobooks.home.feal.no";
host = "127.0.1.2";
port = 5016;
in {
fileSystems = {
"/var/lib/audiobookshelf" = {
device = "/tank/media/audiobookshelf/config";
options = [ "bind" ];
};
};
services.audiobookshelf = {
enable = true;
dataDir = "audiobookshelf";
inherit host port;
};
systemd.services.audiobookshelf = {
requires = [ "var-lib-audiobookshelf.mount" ];
serviceConfig = {
# Better safe than sorry :)
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [
"/var/lib/audiobookshelf"
"/tank/media/audiobookshelf"
];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
};
};
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
proxyWebsockets = true;
};
};
}

27
hosts/challenger/services/ersatztv.nix
View File

@@ -1,27 +0,0 @@
{ config, lib, pkgs, ... }:
let
domain = "etv.home.feal.no";
bind = "127.0.0.1:8409";
in {
virtualisation.oci-containers.containers.ersatztv = {
autoStart = true;
image = "jasongdove/ersatztv:latest-nvidia";
volumes = [
"/var/lib/ersatztv:/root/.local/share/ersatztv"
"/tank/media/other/ersatztv:/media" # Filler, watermarks, etc.
];
ports = [
"${bind}:8409"
];
environment = {
TZ = "Europe/Oslo";
};
extraOptions = [
"--device=/dev/dri"
];
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://${bind}";
};
}

4
hosts/challenger/services/jellyfin.nix
View File

@@ -6,10 +6,6 @@
users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ]; users.users.${config.services.jellyfin.user}.extraGroups = [ "video" "render" ];
systemd.services.jellyfin.serviceConfig = {
DeviceAllow = lib.mkForce [ "/dev/dri/card0" "/dev/dri/card1" ];
};
services.nginx.virtualHosts."jellyfin.home.feal.no" = { services.nginx.virtualHosts."jellyfin.home.feal.no" = {
serverAliases = [ "jf.feal.no" ]; serverAliases = [ "jf.feal.no" ];
locations = { locations = {

8
hosts/challenger/services/komga.nix
View File

@@ -1,16 +1,18 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
domain = "komga.home.feal.no"; domain = "komga.home.feal.no";
cfg = config.services.komga; port = 5001;
in { in {
services.komga = { services.komga = {
enable = true; enable = true;
stateDir = "/tank/media/komga"; stateDir = "/tank/media/komga";
port = 5001; settings.server = {
inherit port;
};
}; };
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}"; locations."/".proxyPass = "http://127.0.0.1:${toString port}";
extraConfig = '' extraConfig = ''
client_max_body_size 512M; client_max_body_size 512M;

6
hosts/challenger/services/nextcloud.nix
View File

@@ -5,7 +5,7 @@ let
in { in {
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = pkgs.nextcloud30; package = pkgs.nextcloud32;
inherit hostName; inherit hostName;
home = "/tank/nextcloud"; home = "/tank/nextcloud";
https = true; https = true;
@@ -46,7 +46,9 @@ in {
oidc_login_filter_allowed_values = [ "nextcloud-user" ]; oidc_login_filter_allowed_values = [ "nextcloud-user" ];
oidc_login_disable_registration = false; oidc_login_disable_registration = false;
"memories.exiftool" = "${cfg.home}/store-apps/memories/bin-ext/exiftool-amd64-glibc"; "memories.exiftool" = pkgs.writeShellScript "exiftool-perl" ''
${lib.getExe pkgs.perl} ${cfg.home}/store-apps/memories/bin-ext/exiftool/exiftool "$@"
'';
"memories.exiftool_no_local" = false; "memories.exiftool_no_local" = false;
"memories.vod.disable" = false; "memories.vod.disable" = false;
"memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}"; "memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}";

20
hosts/defiant/backup.nix
View File

@@ -12,14 +12,34 @@
"--keep-monthly 3" "--keep-monthly 3"
]; ];
}; };
cloudJob = name: paths: {
inherit paths;
# "rsyncnet" connection details specified in /root/.ssh/config
repository = "sftp://rsyncnet/restic/defiant/${name}";
passwordFile = config.sops.secrets."restic/${name}".path;
initialize = true;
pruneOpts = [
# rsync.net keeps daily snapshots
"--keep-weekly 4"
"--keep-monthly 36"
];
};
in { in {
postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // { postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
}; };
postgres-remote = (cloudJob "postgres" [ "/tank/backup/postgresql" ]) // {
timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
};
gitea = (localJob "gitea" [ "/tank/services/gitea" ]); gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
gitea-remote = (cloudJob "gitea" [ "/tank/services/gitea" ]);
matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]); matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
matrix-synapse-remote = (cloudJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]); vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
vaultwarden-remote = (cloudJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
}; };
# TODO: home-assistant, pihole # TODO: home-assistant, pihole

8
hosts/defiant/configuration.nix
View File

@@ -18,18 +18,16 @@
./services/wireguard.nix ./services/wireguard.nix
# Services # Services
./services/flame.nix
./services/gitea.nix ./services/gitea.nix
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/home-assistant.nix ./services/home-assistant.nix
./services/keycloak.nix ./services/keycloak.nix
./services/koillection.nix
./services/matrix ./services/matrix
./services/microbin.nix ./services/microbin.nix
./services/minecraft/home.nix # ./services/minecraft/home.nix
./services/monitoring ./services/monitoring
./services/rtl-tcp.nix # ./services/rtl-tcp.nix
./services/searx.nix # ./services/searx.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
]; ];

4
hosts/defiant/filesystems.nix
View File

@@ -15,13 +15,15 @@
fileSystems = { fileSystems = {
"/mnt/feal-syn1/backup" = { "/mnt/feal-syn1/backup" = {
device = "feal-syn1.home.feal.no:/volume2/backup"; device = "192.168.10.162:/volume2/backup";
fsType = "nfs"; fsType = "nfs";
options = [ options = [
"defaults" "defaults"
"noatime" "noatime"
"rw" "rw"
"nfsvers=3" "nfsvers=3"
"x-systemd.automount"
"noauto"
]; ];
}; };
}; };

2
hosts/defiant/services/dyndns.nix
View File

@@ -5,7 +5,7 @@
services.domeneshop-dyndns = { services.domeneshop-dyndns = {
enable = true; enable = true;
domain = "site3.feal.no"; domain = "site2.feal.no";
netrcFile = config.sops.secrets."domeneshop/netrc".path; netrcFile = config.sops.secrets."domeneshop/netrc".path;
}; };
} }

22
hosts/defiant/services/flame.nix
View File

@@ -1,22 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "flame.home.feal.no";
host = "127.0.1.2";
port = "5005";
in {
# Flame - Homelab dashboard/linktree
virtualisation.oci-containers.containers = {
flame = {
image = "pawelmalak/flame";
ports = [ "${host}:${port}:5005" ];
volumes = [
"/var/lib/flame/data:/app/data/"
];
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${host}:${port}";
};
}

2
hosts/defiant/services/gitea.nix
View File

@@ -44,7 +44,7 @@ in {
ui = { ui = {
THEMES="gitea,arc-green,nord"; THEMES="gitea,arc-green,nord";
DEFAULT_THEME="nord"; #DEFAULT_THEME="nord";
}; };
}; };

2
hosts/defiant/services/home-assistant.nix
View File

@@ -8,7 +8,7 @@ in {
virtualisation.oci-containers.containers = { virtualisation.oci-containers.containers = {
homeassistant = { homeassistant = {
image = "ghcr.io/home-assistant/home-assistant:2024.1"; image = "ghcr.io/home-assistant/home-assistant:2025.5.3";
extraOptions = [ extraOptions = [
"--network=host" "--network=host"
"--device=/dev/ttyUSB0" # Sonoff Zigbee 3.0 USB "--device=/dev/ttyUSB0" # Sonoff Zigbee 3.0 USB

59
hosts/defiant/services/koillection.nix
View File

@@ -1,59 +0,0 @@
{ config, pkgs, lib, ... }:
let
domain = "koillection.home.feal.no";
port = 5023;
in {
virtualisation.oci-containers.containers = {
koillection = {
image = "koillection/koillection";
ports = [
"127.0.1.2:${toString port}:80"
];
environment = {
APP_DEBUG = "0";
APP_ENV = "prod";
HTTPS_ENABLED = "0";
UPLOAD_MAX_FILESIZE = "512M";
PHP_MEMORY_LIMIT = "512M";
PHP_TZ = "Europe/Oslo";
CORS_ALLOW_ORIGIN = "https?://(localhost|koillection\\.home\\.feal\\.no)(:[0-9]+)?$";
JWT_SECRET_KEY = "%kernel.project_dir%/config/jwt/private.pem";
JWT_PUBLIC_KEY = "%kernel.project_dir%/config/jwt/public.pem";
DB_DRIVER = "pdo_pgsql";
DB_NAME = "koillection";
DB_HOST = "host.docker.internal";
DB_USER = "koillection";
# DB_PASSWORD = "koillection"; # Set in sops envfile
DB_PORT = "5432";
DB_VERSION = "16";
};
environmentFiles = [
config.sops.secrets."koillection/envfile".path
];
extraOptions = [
"--add-host=host.docker.internal:host-gateway"
];
};
};
sops.secrets."koillection/envfile" = { };
services.postgresql = {
ensureDatabases = [ "koillection" ];
ensureUsers = [ {
name = "koillection";
ensureDBOwnership = true;
} ];
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://127.0.1.2:${toString port}";
};
}

14
hosts/defiant/services/matrix/synapse.nix
View File

@@ -12,12 +12,6 @@
group = "matrix-synapse"; group = "matrix-synapse";
}; };
sops.secrets."matrix/slidingsyncsecret" = {
restartUnits = [ "matrix-synapse.service" ];
owner = "matrix-synapse";
group = "matrix-synapse";
};
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;
enableNginx = true; enableNginx = true;
@@ -90,10 +84,14 @@
issuer = "https://iam.feal.no/realms/feal.no"; issuer = "https://iam.feal.no/realms/feal.no";
client_id = "matrix-synapse"; client_id = "matrix-synapse";
client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path; client_secret_path = config.sops.secrets."matrix/synapse/oidcsecret".path;
user_mapping_provicer.config = { user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}"; localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}"; display_name_template = "{{ user.name }}";
}; };
attribute_requirements = [{
attribute = "matrix-roles";
value = "matrix-user";
}];
backchannel_logout_enabled = true; backchannel_logout_enabled = true;
enable_registration = false; enable_registration = false;
} }
@@ -101,8 +99,6 @@
}; };
}; };
services.matrix-synapse.sliding-sync.environmentFile = config.sops.secrets."matrix/slidingsyncsecret".path;
services.redis.servers."".enable = true; services.redis.servers."".enable = true;
services.postgresqlBackup.databases = [ "matrix-synapse" ]; services.postgresqlBackup.databases = [ "matrix-synapse" ];

1
hosts/defiant/services/minecraft/home.nix
View File

@@ -22,6 +22,7 @@
simulation-distance = 16; simulation-distance = 16;
enable-command-block = true; enable-command-block = true;
enable-rcon = true; enable-rcon = true;
online-mode = false;
"rcon.password" = "wack"; "rcon.password" = "wack";
}; };

10
hosts/defiant/services/monitoring/prometheus.nix
View File

@@ -17,14 +17,12 @@ in {
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"burnham.home.feal.no:9100"
"challenger.home.feal.no:9100" "challenger.home.feal.no:9100"
"constellation.home.feal.no:9100"
"defiant.home.feal.no:9100" "defiant.home.feal.no:9100"
"edison.home.feal.no:9100" "leonard.home.feal.no:9100"
"malcolm.home.feal.no:9100" "morn.home.feal.no:9100"
"mccoy.home.feal.no:9100" "sisko.home.feal.no:9100"
"scotty.home.feal.no:9100"
"sulu.home.feal.no:9100"
]; ];
} }
]; ];

10
hosts/defiant/services/nginx.nix
View File

@@ -54,6 +54,7 @@ in {
''; '';
} // overrides; } // overrides;
in { in {
"amalie.mansaker.no" = publicProxy "http://leonard.home.feal.no/" { };
"cloud.feal.no" = publicProxy "" { "cloud.feal.no" = publicProxy "" {
locations."/" = { locations."/" = {
proxyPass = "http://challenger.home.feal.no"; proxyPass = "http://challenger.home.feal.no";
@@ -62,10 +63,11 @@ in {
''; '';
}; };
}; };
"git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { "feal.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.feal.no" ]; };
default = true; "git.feal.no" = publicProxy "http://unix:${gitea.server.HTTP_ADDR}" { default = true; };
};
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
"iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { }; "iam.feal.no" = publicProxy "http://${keycloak.http-host}:${toString keycloak.http-port}" { };
"jf.feal.no" = publicProxy "http://jellyfin.home.feal.no/" { };
"kinealbrigtsen.no" = publicProxy "http://leonard.home.feal.no/" { serverAliases = [ "www.kinealbrigtsen.no" ]; };
"wiki.wackattack.eu" = publicProxy "http://leonard.home.feal.no/" { };
}; };
} }

42
hosts/defiant/services/wireguard.nix
View File

@@ -22,47 +22,7 @@ in {
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
''; '';
peers = [ peers = (import ../../../common/wireguard-peers.nix);
{ # Burnham
publicKey = "JcfyrMoZmnbibVLaIKuGSARAX2alFv4kwLbJaLBNbzo=";
persistentKeepalive = 60;
allowedIPs = [
"10.100.0.2/32"
"192.168.11.0/24"
];
endpoint = "site2.feal.no:51902";
}
{ # Sulu
publicKey = "j6YVekgGS4nhL5zUiOTeK2BVQkYGlTQaiUpwcqQyfRk=";
allowedIPs = [
"10.100.0.3/32"
];
}
{ # Worf
publicKey = "kW8SyzCh2tw8GzZV6bPn+IQVNUoUhseNfEm3rHnR1So=";
allowedIPs = [
"10.100.0.4/32"
];
}
{ # Phone
publicKey = "axFXtcTYtW6m1FT9Czn9DRvG+b05D7j+0yRMjn/FJEk=";
allowedIPs = [
"10.100.0.5/32"
];
}
{ # Riker
publicKey = "r715vpgH1H0zvN+Z5wcNKcOo5e6UM3fBfh9BZwTBjmA=";
allowedIPs = [
"10.100.0.6/32"
];
}
{ # Work-laptop
publicKey = "px4YstB16lFjgdLQkH55wz8gQRupX/LTxg8dNFijDTA=";
allowedIPs = [
"10.100.0.7/32"
];
}
];
}; };
}; };
} }

59
hosts/fa-t14-2025/configuration.nix Normal file
View File

@@ -0,0 +1,59 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
./desktop.nix
];
networking = {
networkmanager.enable = true;
wireguard.enable = true;
tempAddresses = "disabled";
hostName = "fa-t14-2025";
nameservers = [ "9.9.9.9" ];
domain = "it.hime.no";
hostId = "f458d6aa";
search = [
"mktv.no"
"mktv.local"
];
};
services.openssh.openFirewall = false;
environment.systemPackages = with pkgs; [
inetutils
wireguard-tools
];
virtualisation.docker = {
enable = true;
rootless = {
enable = true;
setSocketVariable = true;
};
};
users.users.felixalb = {
uid = 1000;
openssh.authorizedKeys.keys = [ ];
extraGroups = [ "networkmanager" ];
};
console.keyMap = "no";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"securecrt"
"securefx"
];
};
system.stateVersion = "25.05";
}

51
hosts/fa-t14-2025/desktop.nix Normal file
View File

@@ -0,0 +1,51 @@
{ config, pkgs, lib, ... }:
{
hardware.graphics.enable = true;
services.xserver = {
enable = true;
xkb = {
options = "ctrl:nocaps";
layout = "no";
};
};
services.displayManager.ly.enable = true;
services.gnome.gnome-keyring.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
# Fonts
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-color-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
nerd-fonts.hack
];
};
# Misc:
xdg.portal = {
enable = true;
wlr.enable = true;
};
location.provider = "geoclue2";
security.polkit.enable = true;
services.dbus.packages = [ pkgs.gcr ];
services.openssh.settings.X11Forwarding = true;
programs.nm-applet.enable = true;
}

51
hosts/fa-t14-2025/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,51 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
boot.kernelParams = [ "resume_offset=3037184" "mem_sleep_default=deep" ];
boot.resumeDevice = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
powerManagement.enable = true;
services.power-profiles-daemon.enable = true;
services.logind.lidSwitch = "suspend-then-hibernate";
services.logind.lidSwitchDocked = "ignore";
services.logind.powerKey = "suspend-then-hibernate";
services.logind.powerKeyLongPress = "poweroff";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/75dd0e39-9411-48c9-822d-bf3c897d0f61";
fsType = "ext4";
};
boot.initrd.luks.devices."cryptroot".device = "/dev/disk/by-uuid/3ecaedab-415c-4cce-a3a9-9f3782acb682";
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0800-59D9";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [
{
device = "/var/lib/swapfile";
size = 32*1024;
}
];
networking.useDHCP = lib.mkDefault false;
# networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

43
hosts/felixalbpc/home.nix → hosts/fa-t14-2025/home.nix
View File

@@ -1,6 +1,6 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
let let
emailAddress = "felix.albrigtsen@ntnu.no"; emailAddress = "felix.albrigtsen@mktv.no";
in { in {
imports = [ imports = [
./../../home/base.nix ./../../home/base.nix
@@ -11,52 +11,49 @@ in {
bc bc
catimg catimg
chromium chromium
dante
dig dig
element-desktop element-desktop
hunspellDicts.en_US hunspellDicts.en_US
hunspellDicts.nb_NO hunspellDicts.nb_NO
iperf3
jq jq
keymapp
libreoffice libreoffice
maim
mpv mpv
nixpkgs-2211.remmina
oauth2ms oauth2ms
openssl openssl
puppet-lint openvpn
pavucontrol
pwgen pwgen
rofi-rbw-x11
tlclient
traceroute traceroute
virt-manager virt-manager
w3m w3m
nixpkgs-2211.remmina
(unstable.microsoft-edge.overrideAttrs ({ installPhase ? "", ... }: {
installPhase = installPhase + ''
ln -s $out/bin/microsoft-edge $out/bin/microsoft-edge-stable
'';
}))
# Window Manager Extras # Window Manager Extras
bibata-cursors bibata-cursors
brightnessctl
cliphist
hyprcursor hyprcursor
hypridle hypridle
hyprlock hyprlock
hyprpaper hyprpaper
hyprshot hyprshot
hyprswitch
nautilus nautilus
# rofi-rbw-wayland rofi-rbw-wayland
swaynotificationcenter swaynotificationcenter
waybar waybar
wl-clipboard wl-clipboard
cliphist
(python311.withPackages (ps: with ps; [ (python312.withPackages (ps: with ps; [
numpy numpy
pycryptodome pycryptodome
requests requests
python-designateclient
python-heatclient
python-magnumclient
python-novaclient
python-openstackclient
])) ]))
]; ];
@@ -65,27 +62,25 @@ in {
enable = true; enable = true;
package = pkgs.aerc; package = pkgs.aerc;
}; };
alacritty.enable = true;
firefox.enable = true; firefox.enable = true;
git.extraConfig.user.email = emailAddress; git.extraConfig.user.email = emailAddress;
rbw = { rbw = {
enable = true; enable = true;
settings = { settings = {
base_url = "https://bitwarden.it.ntnu.no"; base_url = "https://vault.mktv.no";
email = emailAddress; email = emailAddress;
pinentry = pkgs.pinentry-rofi; pinentry = pkgs.pinentry-rofi;
}; };
}; };
rofi = { rofi = {
enable = true; enable = true;
theme = "iggy"; # theme = "iggy";
theme = "Arc-Dark";
}; };
zsh = { zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
prezto.pmodules = [ "ssh" ]; prezto.pmodules = [ "ssh" ];
}; };
neovim.plugins = with pkgs.vimPlugins; [ copilot-vim ];
}; };
xdg.mimeApps = { xdg.mimeApps = {
@@ -100,5 +95,5 @@ in {
}; };
}; };
home.stateVersion = "24.05"; home.stateVersion = "25.05";
} }

72
hosts/felixalbpc/configuration.nix
View File

@@ -1,72 +0,0 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
./hardware-configuration.nix
./desktop
];
networking = {
interfaces.eno1 = {
useDHCP = true;
ipv6.addresses = [
{ address = "2001:700:300:22::15"; prefixLength = 64; }
];
};
tempAddresses = "disabled";
hostName = "felixalbpc";
nameservers = [ "129.241.0.200" "129.241.0.201" "2001:700:300::200" "2001:700:300::201" ];
domain = "it.ntnu.no";
hostId = "f458d6aa";
search = [
"it.ntnu.no"
"ntnu.no"
];
# Allow SSH from IT and SSH gateways
firewall.extraCommands = ''
# IT VPN
iptables -I nixos-fw -p tcp -m tcp --dport 22 --source 129.241.117.0/24 -j nixos-fw-accept
ip6tables -I nixos-fw -p tcp -m tcp --dport 22 --source 2001:700:301:12::/63 -j nixos-fw-accept
# SSHGW
iptables -I nixos-fw -p tcp -m tcp --dport 22 --source 129.241.160.72/32 -j nixos-fw-accept
ip6tables -I nixos-fw -p tcp -m tcp --dport 22 --source 2001:700:300:6::72/128 -j nixos-fw-accept
# SSHGW
iptables -I nixos-fw -p tcp -m tcp --dport 22 --source 129.241.210.217/32 -j nixos-fw-accept
ip6tables -I nixos-fw -p tcp -m tcp --dport 22 --source 2001:700:300:1900::1:217/128 -j nixos-fw-accept
'';
firewall.extraStopCommands = ''
iptables -F nixos-fw
ip6tables -F nixos-fw
'';
};
console.keyMap = "no";
nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"copilot.vim"
"keymapp"
"tlclient"
];
};
services.openssh.openFirewall = false;
users.users.felixalb = {
uid = 1328256;
openssh.authorizedKeys.keys = [ ];
};
hardware.keyboard.zsa.enable = true;
system.stateVersion = "24.05";
}

112
hosts/felixalbpc/desktop/default.nix
View File

@@ -1,112 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.xserver = {
enable = true;
# displayManager.lightdm = {
# enable = true;
# };
xkb = {
# options = "ctrl:nocaps";
options = "nodeakeys";
variant = "altgr-intl";
layout = "us";
};
windowManager.qtile.enable = true;
};
services.displayManager.ly.enable = true;
programs.hyprland = {
enable = true;
xwayland.enable = true;
};
hardware.keyboard.zsa.enable = true;
environment.sessionVariables = {
NIXOS_OZONE_WL = "1";
SSH_AUTH_SOCK = "/run/user/${toString config.users.users.felixalb.uid}/keyring/ssh";
};
home-manager.users.felixalb = {
services = {
dunst.enable = true;
};
home.packages = with pkgs; [
i3lock
libnotify
pamixer
pavucontrol
picom
sxhkd
xclip
xss-lock
];
programs.alacritty.settings = {
font.size = lib.mkForce 11;
};
};
services.gnome.gnome-keyring.enable = true;
hardware.graphics.enable = true;
# Audio
services.pipewire = {
enable = true;
alsa.enable = true;
pulse.enable = true;
jack.enable = true;
};
hardware.pulseaudio.enable = false;
# Fonts
fonts = {
fontDir.enable = true;
packages = with pkgs; [
noto-fonts
noto-fonts-emoji
noto-fonts-cjk-sans
font-awesome
fira-code
hack-font
(nerdfonts.override {
fonts = [
"Hack"
];
})
];
};
# # Dark mode
# home-manager.users.felixalb = {
# dconf.settings = {
# "org/gnome/desktop/interface" = {
# color-scheme = "prefer-dark";
# };
# };
# gtk = {
# enable = true;
# theme = {
# name = "Adwaita-dark";
# package = pkgs.gnome.gnome-themes-extra;
# };
# };
# };
# qt = {
# enable = true;
# platformTheme = "gnome";
# style = "adwaita-dark";
# };
# Misc:
xdg.portal = {
enable = true;
wlr.enable = true;
};
location.provider = "geoclue2";
security.polkit.enable = true;
services.dbus.packages = [ pkgs.gcr ];
services.openssh.settings.X11Forwarding = true;
}

35
hosts/felixalbpc/hardware-configuration.nix
View File

@@ -1,35 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.initrd.luks.devices."cryptlvm".device = "/dev/disk/by-uuid/7516ebdb-14c3-4cb5-9d06-5e9d0e34b798";
fileSystems."/" =
{ device = "/dev/disk/by-uuid/02ac773e-31ff-4579-ad9a-859ba74f2a9e";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/77ED-720D";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices =
[ { device = "/dev/disk/by-label/swap"; }
];
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp0s20f3.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

53
hosts/leonard/configuration.nix Normal file
View File

@@ -0,0 +1,53 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/mysql.nix
./services/nginx.nix
./services/postgresql.nix
./services/wiki-wackattack-eu.nix
./services/www-feal-no
./services/www-kinealbrigtsen-no.nix
./services/www-amalie-mansaker-no
];
boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking = {
hostName = "leonard";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.207"; prefixLength = 24; }
];
};
hostId = "b99c12d1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
};
sops.defaultSopsFile = ../../secrets/leonard/leonard.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "25.05";
}

14
hosts/malcolm/hardware-configuration.nix → hosts/leonard/hardware-configuration.nix
View File

@@ -1,6 +1,3 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
@@ -14,17 +11,14 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/7240554f-d9d9-457a-91d5-c70c09d96595"; { device = "/dev/disk/by-uuid/4a70c1d5-9d72-4581-8f75-733b91c10669";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = swapDevices = [ ]; # TODO
{ device = "/dev/disk/by-uuid/88C2-BAC8";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ]; networking.useDHCP = lib.mkDefault false;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
} }

2
hosts/voyager/home.nix → hosts/leonard/home.nix
View File

@@ -8,5 +8,5 @@
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
}; };
home.stateVersion = "23.05"; home.stateVersion = "25.05";
} }

0
hosts/malcolm/services/mysql.nix → hosts/leonard/services/mysql.nix
View File

0
hosts/burnham/services/nginx.nix → hosts/leonard/services/nginx.nix
View File

20
hosts/leonard/services/postgresql.nix Normal file
View File

@@ -0,0 +1,20 @@
{ config, pkgs, lib, ... }:
{
services.postgresql = {
enable = true;
enableTCPIP = false;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all trust
'';
};
services.postgresqlBackup = {
enable = true;
location = "/backup/postgresql/";
startAt = "*-*-* 03:15:00";
backupAll = true;
};
environment.systemPackages = [ config.services.postgresql.package ];
}

38
hosts/leonard/services/wiki-wackattack-eu.nix Normal file
View File

@@ -0,0 +1,38 @@
{ config, ... }:
let
bindIP = "127.0.1.2";
port = 5051;
cfg = config.services.wiki-js;
in {
# sops.secrets."wikijs/envfile" = {
# restartUnits = [ "wiki-js.service" ];
# };
services.wiki-js = {
enable = true;
# environmentFile = config.sops.secrets."wikijs/envfile".path;
settings = {
inherit bindIP port;
db = {
type = "postgres";
host = "/run/postgresql";
db = "wiki-js";
user = "wiki-js";
};
};
};
services.postgresql = {
ensureDatabases = [ "wiki-js" ];
ensureUsers = [{
name = "wiki-js";
ensureDBOwnership = true;
}];
};
services.nginx.virtualHosts."wiki.wackattack.eu" = {
locations."/" = {
proxyPass = "http://${bindIP}:${toString port}";
};
};
}

11
hosts/leonard/services/www-amalie-mansaker-no/default.nix Normal file
View File

@@ -0,0 +1,11 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."amalie.mansaker.no" = let
siteContent = pkgs.callPackage ./site.nix { };
in {
locations = {
"/".root = siteContent;
};
};
}

26
hosts/leonard/services/www-amalie-mansaker-no/site.nix Normal file
View File

@@ -0,0 +1,26 @@
{ stdenv, fetchgit, hugo }:
stdenv.mkDerivation {
name = "www-amalie-mansaker-no";
src = fetchgit {
url = "https://git.feal.no/amalieem/amalie.mansaker.no.git";
fetchSubmodules = true;
rev = "15142c93da33414a0be49384a03b704ad95e31be";
hash = "sha256-oq5NC11UDYjYKToPsEXovCiIBD5adamVwi3scOFzpHM=";
};
nativeBuildInputs = [ hugo ];
buildPhase = ''
cp -r $src/* .
${hugo}/bin/hugo
'';
installPhase = ''
runHook preInstall
mkdir -p $out
cp -r public/* $out/
runHook postInstall
'';
}

26
hosts/leonard/services/www-feal-no/default.nix Normal file
View File

@@ -0,0 +1,26 @@
{ config, pkgs, lib, ... }:
{
services.nginx.virtualHosts."feal.no" = {
default = true;
serverAliases = [
"www.feal.no"
];
locations = {
# TODO: Reinstate actual website
"/".return = "302 https://git.feal.no/";
"^~ /.well-known/" = {
alias = (toString ./well-known) + "/";
};
"/cc/" = {
alias = "${pkgs.cyberchef}/share/cyberchef/";
index = "index.html";
};
"= /cc".return = "302 /cc/";
};
};
}

5
hosts/leonard/services/www-feal-no/well-known/matrix/client Normal file
View File

@@ -0,0 +1,5 @@
{
"m.homeserver": {
"base_url": "https://matrix.feal.no:443"
}
}

1
hosts/leonard/services/www-feal-no/well-known/matrix/server Normal file
View File

@@ -0,0 +1 @@
{"m.server": "matrix.feal.no:443"}

1
hosts/malcolm/services/www-kinealbrigtsen-no.nix → hosts/leonard/services/www-kinealbrigtsen-no.nix
View File

@@ -83,7 +83,6 @@
set_real_ip_from 192.168.11.0/24; set_real_ip_from 192.168.11.0/24;
real_ip_header X-Forwarded-For; real_ip_header X-Forwarded-For;
add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header 'Referrer-Policy' 'origin-when-cross-origin'; add_header 'Referrer-Policy' 'origin-when-cross-origin';
add_header X-Frame-Options DENY; add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff; add_header X-Content-Type-Options nosniff;

47
hosts/malcolm/configuration.nix
View File

@@ -1,47 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../base.nix
../../common/metrics-exporters.nix
./services/mysql.nix
./services/nginx.nix
./services/www-kinealbrigtsen-no.nix
];
networking = {
hostName = "malcolm";
bridges.br0.interfaces = [ "ens18" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.11.106"; prefixLength = 24; }
];
hostId = "620c42d0";
defaultGateway = "192.168.11.1";
# Prepend the following output rules to disallow talking to other devices on LAN
firewall.extraCommands = lib.strings.concatLines ([
"iptables -F OUTPUT"
] ++ (map (addr: "iptables -A OUTPUT -p udp --dport 53 -d ${addr} -j nixos-fw-accept") config.networking.nameservers) ++ [ # Exception for DNS
"iptables -A OUTPUT -p tcp --dport 3100 -d 192.168.10.175 -j nixos-fw-accept" # Exception for loki logging
"iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
"iptables -A OUTPUT -d 192.168.10.0/24 -j nixos-fw-refuse"
"iptables -A OUTPUT -d 192.168.11.0/24 -j nixos-fw-refuse"
]);
};
# virtualisation.oci-containers.backend = "docker";
# systemd.services.docker.postStart = lib.concatMapStringsSep "\n" (rule: "${pkgs.iptables}/bin/iptables ${rule}") ([
# "-F DOCKER-USER"
# ] ++ (map (addr: "-A DOCKER-USER -p udp --dport 53 -d ${addr} -j RETURN") config.networking.nameservers) ++ [
# "-A DOCKER-USER -d 192.168.10.0/24 -j REJECT"
# "-A DOCKER-USER -d 192.168.11.0/24 -j REJECT"
# "-A DOCKER-USER -j RETURN"
# ]);
system.stateVersion = "24.05";
}

35
hosts/morn/configuration.nix Normal file
View File

@@ -0,0 +1,35 @@
{ config, pkgs, lib, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
../../common/auto-upgrade.nix
./hardware-configuration.nix
./services/nginx.nix
./services/glance
./services/miniflux.nix
./services/thelounge.nix
];
networking = {
hostName = "morn";
defaultGateway = "192.168.10.1";
interfaces.ens18.ipv4 = {
addresses = [
{ address = "192.168.10.203"; prefixLength = 24; }
];
};
hostId = "89b7722d";
};
sops.defaultSopsFile = ../../secrets/morn/morn.yaml;
environment.variables = { EDITOR = "vim"; };
system.stateVersion = "24.11";
}

17
hosts/burnham/hardware-configuration.nix → hosts/morn/hardware-configuration.nix
View File

@@ -1,3 +1,6 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
@@ -11,13 +14,17 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/31ff6d37-52d6-43c3-a214-5d38a6c38b0e"; { device = "/dev/disk/by-uuid/93307186-cbc3-4748-859f-0013a1e36def";
fsType = "ext4"; fsType = "ext4";
}; };
swapDevices = fileSystems."/boot" =
[ { device = "/dev/disk/by-uuid/cce59ee7-7c83-4165-a9b0-f950cd2e3273"; } { device = "/dev/disk/by-uuid/FFCD-993A";
]; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -26,5 +33,5 @@
# networking.useDHCP = lib.mkDefault true; # networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true; # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
} }

2
hosts/malcolm/home.nix → hosts/morn/home.nix
View File

@@ -8,5 +8,5 @@
zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; zsh.shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";
}; };
home.stateVersion = "24.05"; home.stateVersion = "24.11";
} }

15
hosts/morn/services/glance/default.nix Normal file
View File

@@ -0,0 +1,15 @@
{ config, values, ... }:
{
services.glance = {
enable = true;
settings = import ./settings.nix;
};
services.nginx.virtualHosts."glance.home.feal.no" = let
inherit (config.services.glance.settings.server) host port;
in {
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
}

83
hosts/morn/services/glance/settings.nix Normal file
View File

@@ -0,0 +1,83 @@
{ config, ... }:
{
server = {
port = 5001;
host = "127.0.1.2";
};
pages =
let
fullCol = widgets: {
size = "full";
inherit widgets;
};
in
[
{
name = "Home";
columns = [
(fullCol [
{
type = "search";
search-engine = "http://search.home.feal.no/search?q={QUERY}";
}
{
type = "weather";
units = "metric";
location = "Trondheim, Norway";
}
])
(fullCol [
{
type = "hacker-news";
limit = 20;
collapse-after = 5;
}
{
type = "monitor";
cache = "5m";
sites =
let
site = title: url: { inherit title url; };
in
[
(site "Jellyfin" "http://jellyfin.home.feal.no")
(site "Gitea" "https://git.feal.no")
(site "VaultWarden" "https://pw.feal.no")
];
}
])
];
}
{
name = "News";
columns =
let
feed = title: url: { inherit title url; };
rss = title: feeds: {
type = "rss";
inherit title feeds;
};
in
[
(fullCol [
(rss "Norway" [
(feed "NRK" "https://www.nrk.no/toppsaker.rss")
(feed "Bygdeposten" "https://www.bygdeposten.no/service/rss")
(feed "Nidaros" "https://www.nidaros.no/service/rss")
])
])
(fullCol [
(rss "NTNU" [
(feed "OmegaV" "https://omegav.no/newsrss")
(feed "PVV" "https://www.pvv.ntnu.no/w/api.php?hidebots=1&urlversion=1&days=7&limit=50&action=feedrecentchanges&feedformat=atom")
(feed "IT-Varsel" "https://varsel.it.ntnu.no/subscribe/rss/")
])
])
];
}
];
}

23
hosts/morn/services/miniflux.nix Normal file
View File

@@ -0,0 +1,23 @@
{ config, pkgs, lib, ... }:
let
domain = "rss.home.feal.no";
listen_addr = "127.0.1.2:5051";
in {
sops.secrets."miniflux/env" = { };
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.secrets."miniflux/env".path;
config = {
CREATE_ADMIN = true;
LISTEN_ADDR = listen_addr;
BASE_URL = "http://${domain}";
};
};
services.nginx.virtualHosts."${domain}" = {
locations."/".proxyPass = "http://${listen_addr}";
};
}

10
hosts/malcolm/services/nginx.nix → hosts/morn/services/nginx.nix
View File

@@ -2,16 +2,18 @@
{ {
services.nginx = { services.nginx = {
enable = true; enable = true;
enableReload = true;
clientMaxBodySize = "100m";
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
virtualHosts."kinealbrigtsen.no".default = true;
}; };
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "felix@albrigtsen.it";
};
} }

0
hosts/burnham/services/thelounge.nix → hosts/morn/services/thelounge.nix
View File

51
hosts/sisko/configuration.nix
View File

@@ -11,6 +11,7 @@
networking = { networking = {
hostName = "sisko"; hostName = "sisko";
# networkmanager.enable = true;
defaultGateway = "192.168.10.1"; defaultGateway = "192.168.10.1";
interfaces.enp14s0 = { interfaces.enp14s0 = {
ipv4 = { ipv4 = {
@@ -24,28 +25,66 @@
}; };
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
hardware.rtl-sdr.enable = true;
sops.defaultSopsFile = ../../secrets/sisko/sisko.yaml; sops.defaultSopsFile = ../../secrets/sisko/sisko.yaml;
environment.variables = { EDITOR = "vim"; }; environment.variables = { EDITOR = "vim"; };
programs.gamemode.enable = true; users.users.felixalb.extraGroups = [
programs.steam = { "dialout"
"libvirtd"
"networkmanager"
"plugdev"
];
programs = {
alvr = {
enable = true;
openFirewall = true;
};
firefox = {
enable = true;
nativeMessagingHosts.packages = with pkgs; [ tridactyl-native ];
};
gamemode.enable = true;
immersed.enable = true;
steam = {
enable = true; enable = true;
remotePlay.openFirewall = true; remotePlay.openFirewall = true;
}; };
virt-manager.enable = true;
};
virtualisation = {
libvirtd.enable = true;
spiceUSBRedirection.enable = true;
};
environment.systemPackages = with pkgs; [
virtiofsd
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
nixpkgs.config = { nixpkgs.config = {
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"copilot.vim"
"discord" "discord"
"immersed"
"spotify" "spotify"
"steam" "steam"
"steam-unwrapped" "steam-unwrapped"
"tlclient"
]; ];
permittedInsecurePackages = [
"openssl-1.1.1w"
];
rocmSupport = true;
}; };
services.fwupd.enable = true; services.fwupd.enable = true;
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }

17
hosts/sisko/desktop.nix
View File

@@ -9,6 +9,8 @@
services.displayManager.ly.enable = true; services.displayManager.ly.enable = true;
services.xserver.enable = true; services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
programs.hyprland = { programs.hyprland = {
enable = true; enable = true;
xwayland.enable = true; xwayland.enable = true;
@@ -21,23 +23,18 @@
pulse.enable = true; pulse.enable = true;
jack.enable = true; jack.enable = true;
}; };
hardware.pulseaudio.enable = false;
# Misc # Misc
fonts = { fonts = {
fontDir.enable = true; fontDir.enable = true;
packages = with pkgs; [ packages = with pkgs; [
noto-fonts
noto-fonts-emoji
noto-fonts-cjk-sans
font-awesome
fira-code fira-code
font-awesome
hack-font hack-font
(nerdfonts.override { nerd-fonts.hack
fonts = [ noto-fonts
"Hack" noto-fonts-cjk-sans
]; noto-fonts-color-emoji
})
]; ];
}; };

31
hosts/sisko/home.nix
View File

@@ -8,41 +8,55 @@
home.packages = with pkgs; [ home.packages = with pkgs; [
# GUI Applications # GUI Applications
cantata
chromium chromium
discord discord
easyeffects easyeffects
element-desktop element-desktop
emacs-gtk emacs-gtk
papers feishin
jellyfin-media-player gqrx
kitty kitty
libreoffice libreoffice
lutris
mpv mpv
mumble mumble
orca-slicer
papers
pavucontrol pavucontrol
picard picard
pkgsRocm.hashcat
prismlauncher prismlauncher
swayimg restic
runelite
spotify spotify
swayimg
thunderbird thunderbird
tor-browser
bolt-launcher
exiftool
ghidra
# pwndbg-gdb-alias # Broken in 25.05
snicat
# Window Manager Extras # Window Manager Extras
bibata-cursors bibata-cursors
cliphist
hyprcursor hyprcursor
hypridle hypridle
hyprlock hyprlock
hyprpaper hyprpaper
hyprshot hyprshot
hyprswitch
nautilus nautilus
networkmanager networkmanager
rofi-rbw-wayland rofi-rbw-wayland
swaynotificationcenter swaynotificationcenter
waybar waybar
wl-clipboard wl-clipboard
cliphist
# Misc tools # Misc tools
abcde
bc bc
catimg catimg
dante dante
@@ -56,10 +70,12 @@
openssl openssl
playerctl playerctl
pwgen pwgen
restic
rocmPackages.clang
traceroute traceroute
w3m w3m
(python312.withPackages (ps: with ps; [ (python313.withPackages (ps: with ps; [
numpy numpy
pycryptodome pycryptodome
requests requests
@@ -75,9 +91,7 @@
enable = true; enable = true;
settings.window.opacity = 0.92; settings.window.opacity = 0.92;
}; };
firefox.enable = true;
ncmpcpp.enable = true; ncmpcpp.enable = true;
neovim.plugins = with pkgs.vimPlugins; [ copilot-vim ];
rbw = { rbw = {
enable = true; enable = true;
settings = { settings = {
@@ -89,7 +103,6 @@
rofi = { rofi = {
enable = true; enable = true;
theme = "iggy"; theme = "iggy";
package = pkgs.rofi-wayland;
}; };
zsh = { zsh = {
shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config"; shellAliases."rebuild" = "sudo nixos-rebuild switch --flake /config";

47
hosts/voyager/backup.nix
View File

@@ -1,47 +0,0 @@
{ config, pkgs, lib, ... }:
{
services.borgbackup.jobs =
let
borgJob = name: {
environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/voyager/${name}";
compression = "auto,zstd";
};
in {
postgresDaily = borgJob "postgres::daily" // {
paths = "/var/backup/postgres";
startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
postgresWeekly = borgJob "postgres::weekly" // {
paths = "/var/backup/postgres";
startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
extraInitArgs = "--storage-quota 10G";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
};
};
transmission = borgJob "transmission::weekly" // {
paths = "/var/lib/transmission";
startAt = "weekly";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.sops.secrets."borg/transmission".path}";
};
};
# TODO: timemachine, nextcloud, komga, calibre
};
sops.secrets."borg/postgres" = { };
sops.secrets."borg/transmission" = { };
}

51
hosts/voyager/configuration.nix
View File

@@ -1,51 +0,0 @@
{ config, pkgs, ... }:
{
imports =
[
../../base.nix
../../common/metrics-exporters.nix
./hardware-configuration.nix
./backup.nix
./exports.nix
./filesystems.nix
./services/fancontrol.nix
./services/podgrab.nix
./services/snappymail.nix
./services/timemachine.nix
];
networking = {
hostName = "voyager";
bridges.br0.interfaces = [ "eno1" ];
interfaces.br0.useDHCP = false;
interfaces.br0.ipv4.addresses = [
{ address = "192.168.10.165"; prefixLength = 24; }
];
hostId = "8e84b235";
defaultGateway = "192.168.10.1";
};
sops.defaultSopsFile = ../../secrets/voyager/voyager.yaml;
environment.variables = { EDITOR = "vim"; };
environment.systemPackages = with pkgs; [
zfs
];
virtualisation.docker.enable = true;
virtualisation.oci-containers.backend = "docker";
users.users."amalieem" = {
isNormalUser = true;
home = "/home/amalieem";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7e+BAoXIFmTeeBYAVImQAcyx6SCoYCErA7h16OGL70 amalieem@wentworth"
];
};
system.stateVersion = "22.11";
}

27
hosts/voyager/exports.nix
View File

@@ -1,27 +0,0 @@
{ config, pkgs, lib, ... }:
{
fileSystems = {
"/export/riker-backup" = {
device = "/tank/backup/riker";
options = [ "bind" ];
};
"/export/defiant-backup" = {
device = "/tank/backup/defiant";
options = [ "bind" ];
};
};
# Enable nfs4 only
services.nfs.server = {
enable = true;
exports = ''
/export 192.168.10.4(rw,fsid=0,no_subtree_check) 192.168.10.5(rw,fsid=0,no_subtree_check) 192.168.10.2(rw,fsid=0,no_subtree_check) 192.168.10.175(rw,fsid=0,no_subtree_check)
/export/riker-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
/export/doyle-backup 192.168.10.2(rw,nohide,no_subtree_check,no_root_squash)
/export/defiant-backup 192.168.10.175(rw,nohide,no_subtree_check,async,no_root_squash)
'';
};
networking.firewall.allowedTCPPorts = [ 111 2049 20048 ];
networking.firewall.allowedUDPPorts = [ 111 20048];
}

42
hosts/voyager/filesystems.nix
View File

@@ -1,42 +0,0 @@
{ config, pkgs, lib, ... }:
{
# Boot drives are defined in ./hardware-configuration.nix
environment.systemPackages = with pkgs; [ cifs-utils ];
# Local zfs
boot = {
zfs.extraPools = [ "tank" ];
supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
};
services.zfs.autoScrub = {
enable = true;
interval = "Wed *-*-8..14 00:00:00";
};
# Network mounts (import)
fileSystems = {
"/mnt/feal-syn1/media" = {
device = "feal-syn1.home.feal.no:/volume2/media";
fsType = "nfs";
options = [ "vers=3" ];
#options = [ "x-systemd.automount" "noauto" ];
};
"/mnt/feal-syn1/nfs_proxmox" = {
device = "//feal-syn1.home.feal.no/nfs_proxmox";
fsType = "cifs";
options = let
# this line prevents hanging on network split
automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
in ["${automount_opts},credentials=/etc/feal-syn1-credentials"];
};
"/var/backup" = {
device = "/tank/backup/voyager";
options = [ "bind "];
};
};
}

38
hosts/voyager/hardware-configuration.nix
View File

@@ -1,38 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/a6465c1c-4c93-423d-84a9-e4ecb9520741";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/D0C1-97CE";
fsType = "vfat";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.eno2.useDHCP = lib.mkDefault true;
# networking.interfaces.idrac.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

102
hosts/voyager/modules/snappymail.nix
View File

@@ -1,102 +0,0 @@
{ config, pkgs, lib, ... }:
let
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkOption mkPackageOption generators types;
cfg = config.services.snappymail;
maxUploadSize = "256M";
in {
options.services.snappymail = {
enable = mkEnableOption "Snappymail";
package = mkPackageOption pkgs "snappymail" { };
dataDir = mkOption {
type = types.str;
default = "/var/lib/snappymail";
description = "State directory for snappymail";
};
hostname = mkOption {
type = types.nullOr types.str;
default = null;
example = "mail.example.com";
description = "Enable nginx with this hostname, null disables nginx";
};
user = mkOption {
type = types.str;
default = "snappymail";
description = "System user under which snappymail runs";
};
group = mkOption {
type = types.str;
default = "snappymail";
description = "System group under which snappymail runs";
};
};
config = mkIf cfg.enable {
users.users = mkIf (cfg.user == "snappymail") {
snappymail = {
description = "Snappymail service";
group = cfg.group;
home = cfg.dataDir;
isSystemUser = true;
};
};
users.groups = mkIf (cfg.group == "snappymail") {
snappymail = {};
};
services.phpfpm.pools.snappymail = {
user = cfg.user;
group = cfg.group;
phpOptions = generators.toKeyValue {} {
upload_max_filesize = maxUploadSize;
post_max_size = maxUploadSize;
memory_limit = maxUploadSize;
};
settings = {
"listen.owner" = config.services.nginx.user;
"listen.group" = config.services.nginx.group;
"pm" = "ondemand";
"pm.max_children" = 32;
"pm.process_idle_timeout" = "10s";
"pm.max_requests" = 500;
};
};
services.nginx = mkIf (cfg.hostname != null) {
virtualHosts."${cfg.hostname}" = {
locations."/".extraConfig = ''
index index.php;
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
'';
locations."^~ /data".extraConfig = ''
deny all;
'';
locations."~ \\.php$".extraConfig = ''
include ${config.services.nginx.package}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:${config.services.phpfpm.pools.snappymail.socket};
'';
extraConfig = ''
client_max_body_size ${maxUploadSize};
'';
root = if (cfg.package == pkgs.snappymail) then
pkgs.snappymail.override {
dataPath = cfg.dataDir;
}
else cfg.package;
};
};
};
}

63
hosts/voyager/services/fancontrol.nix
View File

@@ -1,63 +0,0 @@
{ config, lib, pkgs, ... }:
{
systemd.timers."fancontrol" = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar="*:0/3";
Unit = "fancontrol.service";
};
};
systemd.services."fancontrol" = {
environment = {
TEMP_MIN_FALLING = "50";
TEMP_MAX_RISING = "56";
TEMP_CRIT = "70";
LOW_FAN_SPEED = "0x10";
};
script = ''
SET_FAN_MANUAL="0x30 0x30 0x01 0x00" # Enable manual control
SET_FAN_AUTO="0x30 0x30 0x01 0x01" # Disable manual control
SET_FAN_LOW="0x30 0x30 0x02 0xff $LOW_FAN_SPEED"
SET_FAN_MAX="0x30 0x30 0x02 0xff 0x64" # force 100%
# Get all temperatures readings starting with "Temp ", find all two digit numbers followed by spaces, find the largest one, trim the trailing space
maxcoretemp=$(${pkgs.ipmitool}/bin/ipmitool sdr type temperature | grep '^Temp ' | grep -Po '\d{2} ' | sort -nr | head -n1 | xargs)
# Verify that we read a valid number
ISNUMBER='^[0-9]+$'
if ! [[ $maxcoretemp =~ $ISNUMBER ]] ; then
echo "Error: could not read temperature" >&2
exit 2
fi
echo "Highest measured CPU temperature: '$maxcoretemp'"
if [ "$maxcoretemp" -gt "$TEMP_CRIT" ]; then
echo "TOO HOT, CRITICAL CPU TEMP"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MANUAL
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MAX
exit 1
fi
if [ "$maxcoretemp" -gt "$TEMP_MAX_RISING" ]; then
echo "TOO HOT, switching to IDRAC fan controL"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_AUTO
exit 0
fi
if [ "$maxcoretemp" -lt "$TEMP_MIN_FALLING" ]; then
echo "Sufficiently cooled, stepping down fans"
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_MANUAL
${pkgs.ipmitool}/bin/ipmitool raw $SET_FAN_LOW
exit 0
fi
echo "Temperature is between limits, doing nothing..."
'';
};
}

22
hosts/voyager/services/podgrab.nix
View File

@@ -1,22 +0,0 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.podgrab;
domain = "podgrab.home.feal.no";
in {
sops.secrets."podgrab/password" = { };
services.podgrab = {
enable = true;
port = 5104;
passwordFile = config.sops.secrets."podgrab/password".path;
};
services.nginx.virtualHosts.${domain} = {
locations."/".proxyPass = "http://localhost:${toString cfg.port}";
};
fileSystems."/tank/media/jellyfin/Podcasts" = {
device = "/var/lib/podgrab/data";
options = [ "bind "];
};
}

17
hosts/voyager/services/snappymail.nix
View File

@@ -1,17 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [ ../modules/snappymail.nix ];
services.snappymail = {
enable = true;
hostname = "mail.home.feal.no";
};
services.nginx.virtualHosts."${config.services.snappymail.hostname}" = let
certPath = "/etc/ssl-snakeoil/home.feal.no";
in {
addSSL = true;
sslCertificate = "${certPath}.crt";
sslCertificateKey = "${certPath}.key";
};
}

10
hosts/voyager/vms.nix
View File

@@ -1,10 +0,0 @@
{ config, pkgs, lib, ... }:
{
# WIP
security.polkit.enable = true; # Required for libvirt
virtualisation.libvirtd.enable = true;
programs.dconf.enable = true;
environment.systemPackages = with pkgs; [ virt-manager ];
users.users.felixalb.extraGroups = [ "libvirtd" ];
}

32
hosts/worf/configuration.nix
View File

@@ -8,6 +8,8 @@
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
nix = { nix = {
enable = true;
# gc = { # gc = {
# automatic = true; # automatic = true;
# options = "--delete-older-than 2d"; # options = "--delete-older-than 2d";
@@ -74,6 +76,8 @@
}; };
}; };
ids.gids.nixbld = 30000;
system.primaryUser = "felixalb";
users.users.felixalb = { users.users.felixalb = {
home = "/Users/felixalb"; home = "/Users/felixalb";
shell = pkgs.zsh; shell = pkgs.zsh;
@@ -84,16 +88,11 @@
fonts.packages = with pkgs; [ fonts.packages = with pkgs; [
noto-fonts
font-awesome
fira-code fira-code
font-awesome
hack-font hack-font
nerd-fonts.hack
(nerdfonts.override { noto-fonts
fonts = [
"Hack"
];
})
]; ];
system.defaults = { system.defaults = {
@@ -112,13 +111,6 @@
}; };
# firewall settings
alf = {
# 0 = disabled 1 = enabled 2 = blocks all connections except for essential services
globalstate = 1;
loggingenabled = 0;
};
# dock settings # dock settings
dock = { dock = {
autohide = true; autohide = true;
@@ -134,14 +126,16 @@
}; };
}; };
# firewall settings
networking.applicationFirewall = {
enable = true;
blockAllIncoming = true;
};
system.keyboard = { system.keyboard = {
enableKeyMapping = true; enableKeyMapping = true;
remapCapsLockToControl = true; remapCapsLockToControl = true;
}; };
# Auto upgrade nix package and the daemon service.
services.nix-daemon.enable = true;
nix.package = pkgs.nix;
system.stateVersion = 5; system.stateVersion = 5;
} }

17
hosts/worf/home.nix
View File

@@ -11,8 +11,7 @@
]; ];
home.packages = with pkgs; [ home.packages = with pkgs; [
prismlauncher aerc
# borgbackup
bore-cli bore-cli
catimg catimg
cocoapods cocoapods
@@ -21,12 +20,14 @@
gnutar gnutar
iterm2 iterm2
mosh mosh
mpv
nix-index nix-index
nodejs nodejs
spotify prismlauncher
tldr restic
aerc
snicat snicat
# spotify # TODO - broken in 25.11
tldr
w3m w3m
zellij zellij
@@ -38,13 +39,13 @@
]; ];
programs.zsh = { programs.zsh = {
shellAliases."rebuild" = "darwin-rebuild switch --flake /Users/felixalb/nix"; shellAliases."rebuild" = "sudo darwin-rebuild switch --flake /Users/felixalb/nix";
prezto.pmodules = [ "ssh" ]; prezto.pmodules = [ "ssh" ];
}; };
programs.neovim.plugins = with pkgs.vimPlugins; [ programs.neovim.plugins = with pkgs.vimPlugins; [
coc-clangd
coc-emmet coc-emmet
copilot-vim
emmet-vim # Ctrl+y + , emmet-vim # Ctrl+y + ,
]; ];
@@ -60,7 +61,7 @@
apps = pkgs.buildEnv { apps = pkgs.buildEnv {
name = "home-manager-applications"; name = "home-manager-applications";
paths = config.home.packages; paths = config.home.packages;
pathsToLink = "/Applications"; pathsToLink = [ "/Applications" ] ;
}; };
in in
lib.hm.dag.entryAfter [ "writeBoundary" ] '' lib.hm.dag.entryAfter [ "writeBoundary" ] ''

1
hosts/worf/yabai.nix
View File

@@ -5,7 +5,6 @@ let
in { in {
services.yabai = { services.yabai = {
enable = true; enable = true;
package = pkgs.unstable.yabai;
enableScriptingAddition = true; enableScriptingAddition = true;
config = { config = {

44
secrets/burnham/burnham.yaml
View File

@@ -1,40 +1,44 @@
domeneshop: domeneshop:
netrc: ENC[AES256_GCM,data:iN9TEMRQpEUbq5kQRXKNG1pFr2rtQtCBXuK1w/7Wn6FAiWkGmCu8GIjPSDnMkZ4+l3kxJhNSix3AzIQwp6oayV1hIoFTWgz/OHKrq2TtQIFy5gs0u0Ump2tmQZFP3GgxSEagfp+c6MbQkjCh0t/PKiPE5MRJJnOJ4/0D,iv:Ta7T5lnQQpMwO+zYgFE9izs78+gtleolk6l7DDnrMoo=,tag:UXeoR+tW5t4DMazb26FsHw==,type:str] netrc: ENC[AES256_GCM,data:iN9TEMRQpEUbq5kQRXKNG1pFr2rtQtCBXuK1w/7Wn6FAiWkGmCu8GIjPSDnMkZ4+l3kxJhNSix3AzIQwp6oayV1hIoFTWgz/OHKrq2TtQIFy5gs0u0Ump2tmQZFP3GgxSEagfp+c6MbQkjCh0t/PKiPE5MRJJnOJ4/0D,iv:Ta7T5lnQQpMwO+zYgFE9izs78+gtleolk6l7DDnrMoo=,tag:UXeoR+tW5t4DMazb26FsHw==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct - recipient: age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSGdKelVWY29UbXQvZzdv YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArTkptaHV0QVRIR3l2MmhG
RmM3cnhUUzNDVXowcHEzWjYxalFRcUdqckhrCldQRDJEOFNBOUtYSG44QUwxQkdv OE4rTitWMDQxaFVmVW9YNDdNSDNFZFRUYVhjClhQNVNSN1daMGJTcGxhN3NDM2lm
N1Iwa0J3Zys1Mi9BS0Jwc3VxcEpEQjQKLS0tIEhLZE9JNyswT0dhdmlJWEkyblpZ RmFQL0t1MWwycWRjNGZ2RjAxWTQrWkEKLS0tIG1VREFJWE9SZjdFamN5bzB3R2hK
RCs1ejl0NXJNcEpXRDlCa3VYZkpSWU0KHO1KGqLZ6FRUNCi7sK+YpbeSTCYfnCOc bEZpNXh4SENwMHcxYWZRajFCc3BGMDQKXzZCHsdK5cDWf6NszonfMcZBTI1z0fvn
ruNPNxW7/WPRzsL3xnqGLtiFUm9x36j4apTHcTxns5xtsLPlBx1QBA== wod71wiDaJV9pO8Za+9aKrE7V3SnKnO1F7Vjz8SjEYtNPd5wNV6vaQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0Qm8weVQxQXd5RTlGVk1w
NHoraisrUElKMUMvVFZkckF3U2llQVNScUdZCmRwWjlXT2MzUmFrb3l4UDQxOEta
QmtXM2NCbmRVN3hlVkkvZHgyb0xvWVEKLS0tIFdla25GcndNTGN0U0djSmZHaFZr
YXI2aGJzZkZvZ1FHY3d2WnZHSVZrc1kK1qJN+uLLwMQteaHILB68PXIqhh4fPCZn
V+NrCUKyCkxAWdr10oXnswdaqwEpwlsm/ZzingrWN6cVIFC2DiYArQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl - recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBZkMzOFlZaDN5a3pIclYw YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWmEvb2dZRFJEczl4YlVP
dlphY1NYb2JBaVBvL1dlYW1GNlNRTlIxL2lRCmlVUXlSeXBYeTAzY1J0V1JONVNF YnNFdWYvZitzLzNaR1NHK0lhYktoR3QwNWlvCnZ6QjZDNWU3aDJpZm5DYVBvSEpB
UlQ0WVpYVXd2MkM0aXY2YkJIRkJWdDQKLS0tIDJ3cnNYdG1XYk4zR0RWMmZqd1BN akVTTCtoZTlMVGNnN2o5ODZFY3pXa0EKLS0tIFpLRENwb2hXR2RCYk96UTF3cnFQ
bGd2NXBEM25OUkZ3SzYrUEROTEYzQ3cK7zPaaoJwQ8SBMM8MKFhMMq2WB3R7E7lh UXczQWdMcnZuaUxyUFMxYTd0UHVrTGcKW4b7Bdr1gFZDSQtW3WAy1c1LRJhZijSM
VxksH4/6+5FAg0skiZi2dzUhJ0qqL5C5AR+vPW4qJIWWo34Gv45CQg== wcLl4SHtiaLKwtulOaH5jx6T2pbbMRztDK9LJ/7qc/hVT80kFNgrGA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2OVlIUUpsTDVWOXFXSGts YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRb0lNdW5ITXN4a2RSRjdp
SExkSEFRa1E0YzhiYnkxclZzQTk1bXA1M0RrCm54V1pzblhDbnV5RncwSVJXQ1VC ZHl2dzI4bjZGQUhEYzZiUkV6QTloU0xOQUZVCk5YMmVObW1vL0lQKzhCaktoMk0y
UGhORXl2a0w0OER2YUdnYUFJN2RKcTQKLS0tIDB4MWVGbmhvakVSMEl5NndrWHpi OUtrTTBRTzlqaEhKOEdxZy80QnRoUDQKLS0tIGR6NHlkQzRDMXpQdDc5eEpkSEpL
TFprZS8zckJJOEhqQVhUc0RXNGdhRFUKHxGMfEUJA2sN7Lw1YrV2s0hx3iwKrpKq OXFLenpUNUhyek5ZRm0wUWFnaGNxeDgKw3TZWAA7rc2gRv74NVXrdDbQrBBah4ZH
oV6X4CYZ92w2tPqgRrZ59DNXNEdVR7U/dEy2Ta+5jIA+cnnKu48BFw== 4bS5+2kXdE+UINw9OZtuDYeXWr1NWP707R+JFuyKRSrFOUk0913y0Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-08T00:11:46Z" lastmodified: "2024-09-08T00:11:46Z"
mac: ENC[AES256_GCM,data:/LgohCkIf5CSHdKVsBWzVbTwul7+HtFeG5a+qA9gjhTzdBaV985IeVPB0Vithmwu+h7BgsL3AGy2EADxGy7UtyhB7+UbcdDoPxHOFtiqv0Rjp4mNMirwjHcMSk42DWMw6+Wgfdy0FZlRkz4pOutZ2bRgehpQP2IYqlm8pjs9TiE=,iv:21wgEwUVRZvqW7uNjeANK8MJLbzy6LOb+iBXcHsp/H4=,tag:lV2qPE6gMNQsS1zom54sgg==,type:str] mac: ENC[AES256_GCM,data:/LgohCkIf5CSHdKVsBWzVbTwul7+HtFeG5a+qA9gjhTzdBaV985IeVPB0Vithmwu+h7BgsL3AGy2EADxGy7UtyhB7+UbcdDoPxHOFtiqv0Rjp4mNMirwjHcMSk42DWMw6+Wgfdy0FZlRkz4pOutZ2bRgehpQP2IYqlm8pjs9TiE=,iv:21wgEwUVRZvqW7uNjeANK8MJLbzy6LOb+iBXcHsp/H4=,tag:lV2qPE6gMNQsS1zom54sgg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1

58
secrets/challenger/challenger.yaml
View File

@@ -4,45 +4,51 @@ nextcloud:
adminpass: ENC[AES256_GCM,data:DL5SnyPPUxiVjfIHZ/ZYJi2pNu6x,iv:/bThFVYgHsN3Yr2EJf0+YWhAVIei9ENaHfAH1ADC5Ws=,tag:bNp+2trtwFNYOqruvqPRGw==,type:str] adminpass: ENC[AES256_GCM,data:DL5SnyPPUxiVjfIHZ/ZYJi2pNu6x,iv:/bThFVYgHsN3Yr2EJf0+YWhAVIei9ENaHfAH1ADC5Ws=,tag:bNp+2trtwFNYOqruvqPRGw==,type:str]
secretsjson: ENC[AES256_GCM,data:xmdwWBe8LWsSEI64KhSeXbA1B0ahfoGwNmgl33JWteF4AakdI73zfbdIhUBqqlqfbL0uCGlqCiOyRA02h8197mk=,iv:ncKz9ObwoFoVjT0qMzBJ0BqVBNx0ScdMRl82ZNQp4FI=,tag:6S8fqHhvE/gaknxsb+q3Jg==,type:str] secretsjson: ENC[AES256_GCM,data:xmdwWBe8LWsSEI64KhSeXbA1B0ahfoGwNmgl33JWteF4AakdI73zfbdIhUBqqlqfbL0uCGlqCiOyRA02h8197mk=,iv:ncKz9ObwoFoVjT0qMzBJ0BqVBNx0ScdMRl82ZNQp4FI=,tag:6S8fqHhvE/gaknxsb+q3Jg==,type:str]
restic: restic:
transmission: ENC[AES256_GCM,data:UUf8/WV7Q7vbs05lEeqflcSj0uH9abilFF1daATyrwU=,iv:WQZ7hGRQ3/3t34aO7K5Az1AOZtR6qG4p1CqZTdsEqZA=,tag:2ELh2bYVi1sgW66FbSnVHg==,type:str]
postgres: ENC[AES256_GCM,data:AZv28LIbGC2oAKjbU1H4gaCZF28utJJFXlKNO/BkL0U=,iv:xOJCIoFGtnEqV80rmiBBMa3dMZnPjaDIce+MAZkGZdo=,tag:dLTwE004KGfP3z9EoMVCCw==,type:str]
nextcloud: ENC[AES256_GCM,data:O7qT07ns9FodnZu63cPwBqHGslfMIafFvyPPrTrYEdk=,iv:fJ7A5gLThuVumnteL1P82Gq1EtiSAPGXoCZgzJKqVQs=,tag:Hp/kI3TeZQCaM+gP1W1i7w==,type:str]
calibre: ENC[AES256_GCM,data:wAvhB303cUm0rJKwQ31pd8lYHJSlOzBW8BiCygF3JC8=,iv:kUFEiP8sTcaiAIW4QZ7ZfA4aqjJsIIA5mq+gVzgryaU=,tag:STHLWF+T4XeQIDSt4F63Lw==,type:str] calibre: ENC[AES256_GCM,data:wAvhB303cUm0rJKwQ31pd8lYHJSlOzBW8BiCygF3JC8=,iv:kUFEiP8sTcaiAIW4QZ7ZfA4aqjJsIIA5mq+gVzgryaU=,tag:STHLWF+T4XeQIDSt4F63Lw==,type:str]
hostBackups: ENC[AES256_GCM,data:lUK1oi+efynRbweO7sg6ayr3LI3G4aXyx5s4n+rtw3A=,iv:oPZLmCXh2G0xnFrmOokx8yixbRSwlmz5NY1s9pJGDgs=,tag:imKUkCfPGeOjRh6reODG7g==,type:str]
media: ENC[AES256_GCM,data:JwIX2r/ebE+LMS49s1xqbRjA8yfMRDEAnln5eN57L4o=,iv:zqxeEv7ogujMqBPZnRF7STDjVlKqMa1rGLjMY5iusgU=,tag:O9PofkyovSYH7qlX6r97DQ==,type:str]
nextcloud: ENC[AES256_GCM,data:O7qT07ns9FodnZu63cPwBqHGslfMIafFvyPPrTrYEdk=,iv:fJ7A5gLThuVumnteL1P82Gq1EtiSAPGXoCZgzJKqVQs=,tag:Hp/kI3TeZQCaM+gP1W1i7w==,type:str]
postgres: ENC[AES256_GCM,data:AZv28LIbGC2oAKjbU1H4gaCZF28utJJFXlKNO/BkL0U=,iv:xOJCIoFGtnEqV80rmiBBMa3dMZnPjaDIce+MAZkGZdo=,tag:dLTwE004KGfP3z9EoMVCCw==,type:str]
transmission: ENC[AES256_GCM,data:UUf8/WV7Q7vbs05lEeqflcSj0uH9abilFF1daATyrwU=,iv:WQZ7hGRQ3/3t34aO7K5Az1AOZtR6qG4p1CqZTdsEqZA=,tag:2ELh2bYVi1sgW66FbSnVHg==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773 - recipient: age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxK2JPa1lKejhtTWl6QWdC YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIOFI2QUZFNHVIcVM0QzRP
VE1hRWpZRW84Sm56TEZVejVEVE9oamFRejM4Ci9tTTFhTVRUUEVybmYvVzNldDZ2 V2o3cmJGcUVPakYzdmNrMzBvRFJtTWdZczJRClpETzVMdUlaQ2NmdndYMFkvbCtw
eCtDSURVQVpkblJ3T0VSR3NZSzZZV3cKLS0tIHVncTVEMlhGSHU0RFNkWGJNUWwx eThKOG1nZ1pyQVhZRHVaTllId2lqZ00KLS0tIDdDYmkzOUZacE5KRjIvT1pqRjBy
TmhsZ2VMSkNCdFU4MDZtb1hQU1dhYjgKjZRvO8LCey5cBwNYUra1ZHq/gwcvT9yl bVh2Sm9jbnUzMnRiamJUTHdDd1d3SlUK3CZ4aIkXcz3HG/Wyo901H7pMtG9g/3PX
2VsJa5ayEycFjyC9lcS6D+A5VrlKLHwc3r++QWx0Ab2GNfj6VOvoXA== +Ug+1oZaUovfb9isYcKX7KeTY8sF0G2VeFCunHwjR6K0FyW8CY0eWg==
-----END AGE ENCRYPTED FILE-----
- recipient: age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVQzVuYWhoSEIrR2twR0tE
Ri9acHErS3dlZUYxWGRWeE5VeitvRk1mZHdBCjh2SEtQZ3pMNzFzamQ2MjJZaWpF
ZVNvOHNnYkZ1aFFtb2ovdWJQK1A3dVEKLS0tIFdoVzZURDlFTk5wUGlzK24wZ255
VTlybXUyeHlqakdaRW9vcFpIRGNvVzQKmp8mEAdoaNPYyqVMj0VLnibEXTaYOWRC
see+8vrIjQRVePvHbb4jMzH4/pqQ2BEnbh4p5MVDsYd2Od/tfjaLhA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl - recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRTV4SzJ5VHdjckRmM0pT YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJVUtLS2hpVUtwM3FiTDZl
eXZiQmxWZFZJZllWVkJ3VytmM2ZQZURoTXdzCkFTTFhoTkhPeUlyenV1R01yTld3 cmY3cWV3MXJ0ODJzRkFnVExESmkwY3lRWHc0CnhKVWR5YThaRnljbitsWWh2am43
RCthTjlpR3Z2R00wNGlzSHBUVFhCaEkKLS0tIERYa0g4TEJKTG9pNEgzbzgwbXFj S3NpakVld3VqNlNxUi9lcDZvWDlDTkkKLS0tIEhpL0xOK2I3SEhHeGtDL0ErcVlz
TlpiT0N3VTFscHh0dVA4Q0NTb3p1Q0kKdRNi6JfIXqw/CmQtFBXtwphR9SiL/0Hd WlpUZWV2MmJORWpNQ3hoSzlRWnNOVmMKbFX/mlFp2uMoRcdptQvV36D2yoDK9u5m
RMDMVDeGRoJHhlK6ml1/NLk8ygar1fwWzg5Ff/2xL40ZL9AsoLsFGA== 6fcg6rcXa3BLVSQa81dhSFUrWZtWeW1pLV27k3iF3/zJ6FtL826Qvw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnSGJPS2VPOGxQR0tWSWgr YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZGdsbUttSG80RFpyRmkv
bm84dTNITFlzdWdRNDJzQTRqRTk2aTI2a2k4CnBLdTJLTStvaFBKaWk1NkZBdzBK T1lFc2hJTXlGdlFBdHFxZEZ1eUhjT3RmazMwCmo5em56eG9rRmhkSkIyeGRsbEhz
T0o4UDBJVHRQVStOQXpsRldhQU9jREEKLS0tIFRPc3hPaEkwN0JBcG4ySUkxZHUr OW5rVjlERWlNYndySVlHWFVtUk0xb1kKLS0tIDl5NnY2QnA3TEtvK2VsWG0zRk1X
QUFVam5VSkxLVmhsdU02eWtoWmdoeG8KXnixIU8SaD1DCe9Z1doBdwGs1sqv5k8W aXkxd2s2WUV0WnV6TGFodXhyNmN1eE0KfOnhI4/4rS5cD+UXuGV4AyZm32LoUw5O
WLNGcfKXW4sMU712nYSz05SVl99sCJSzUMJFEQWjdVAaR9TRO6Qz8w== PVdfXxuksQl5jQ7BJv4cyBe7F/cb+Knd8F37T/5OqxEbtm3bBUfmyw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-04T22:55:35Z" lastmodified: "2025-10-18T21:43:12Z"
mac: ENC[AES256_GCM,data:KQHfywMQ3WkmIW7UaLjAKkM5v4+1yagJik+63G2pSKCtbsCq1uFWSheeRIPObVfnsu3qUHoxq943jVR17krjnsIZIzXjr6f5SNMyNo0RCcnhvlWy/cKzVU0/7ut0TMd6ZJsCZyOBgJOSxc8i0G/wgRreMEGicwifI5m8KWSpBU0=,iv:1+98COoItw2PAlJtGBA4Qx7TmNRB++FqeKJnsF1/j6w=,tag:iHzWy5AnXBXxtGnqiTfNnA==,type:str] mac: ENC[AES256_GCM,data:Bt5CrMY2Etl3iSZRVl58PN1ogYpLn3eXhuVCB0j4MKMphyLVJP1qxiQimpa5wriycJKqwBwvCDzJ7pLTxpHDOZaG6R3YfNYPEZlLAIiyOjZvF1ZBTbnF7cFp0thDuzPoFlEHeTFmY6Pe5GwXmSeUFo4ijghvbsFQ5IYXfWNoYz0=,iv:NCwLoI9g7poYbCME0/fUOZegMNOhc3ZvGpAhYoVeLMc=,tag:fiops2KveC/u3Nrmrftk/Q==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.11.0

52
secrets/defiant/defiant.yaml
View File

@@ -18,45 +18,47 @@ restic:
vaultwarden: ENC[AES256_GCM,data:tZKf1jeQPBASruDP67NrVfwFoAZ20whQIHf1SWIQz0s=,iv:kyfqvEf/DiAGHAU99HVGri15kluewijkSPOCGKjxIaQ=,tag:tmDQPH2IjjUV5wLegXXybg==,type:str] vaultwarden: ENC[AES256_GCM,data:tZKf1jeQPBASruDP67NrVfwFoAZ20whQIHf1SWIQz0s=,iv:kyfqvEf/DiAGHAU99HVGri15kluewijkSPOCGKjxIaQ=,tag:tmDQPH2IjjUV5wLegXXybg==,type:str]
keycloak: keycloak:
postgres: ENC[AES256_GCM,data:OYvpSyBAQfAJg4/syz1r,iv:Ge6m63YPl+gJPepIRmBz747bXqUo65MHQaRn1S/8m2I=,tag:18bFwYtmcslXlgflfYqM8w==,type:str] postgres: ENC[AES256_GCM,data:OYvpSyBAQfAJg4/syz1r,iv:Ge6m63YPl+gJPepIRmBz747bXqUo65MHQaRn1S/8m2I=,tag:18bFwYtmcslXlgflfYqM8w==,type:str]
koillection:
envfile: ENC[AES256_GCM,data:3wq6xiULzELDxtDsBfPbKrnEsAEoG9oQREyaEoe0AVpJziVMrhEQruLCl1F/,iv:IscSmKD8nwQ2HmNnC+54rZrWMimdYPLCArmt/ToTdNM=,tag:J3QYTUtJhpn+R8hpqkA9zg==,type:str]
searx: searx:
envfile: ENC[AES256_GCM,data:BlLVb7C2z/kFxULQnNsGucFZg/R57i0GGMZ6PUhkG1fmYGdY0q31948Z1NoMMaEcwQEdOX6Z8+m96o/RjRTt7K3V+n5+cI1OX9pfoTBwDcJ7/w==,iv:MM+t38IZFdzCXM4jG7jH0uZZP8Zs8kyH8Xe3bPiVmUM=,tag:0ezofl1dDXm1o974f2wRrw==,type:str] envfile: ENC[AES256_GCM,data:BlLVb7C2z/kFxULQnNsGucFZg/R57i0GGMZ6PUhkG1fmYGdY0q31948Z1NoMMaEcwQEdOX6Z8+m96o/RjRTt7K3V+n5+cI1OX9pfoTBwDcJ7/w==,iv:MM+t38IZFdzCXM4jG7jH0uZZP8Zs8kyH8Xe3bPiVmUM=,tag:0ezofl1dDXm1o974f2wRrw==,type:str]
sops: sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: age:
- recipient: age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64 - recipient: age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3YUtSSkNIRlV3ek44bzFq YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSS82bDZyaTJ4WldUd29U
OEtjM3FiWEVjeDV4YWFHcVpHTXhzejdISUNjCnU3RFl4bWdLd0JHYWZOS2drck14 akY5Z2ZaeDJldHFQUXlRbUdSeTFRR3VCYjJJCkZ1UXZreG51Yi8xMGh5N0I1ZVhE
WG1HM3JjcCt4V3hJRE5vYkxINjI3NzAKLS0tIFlTRjRQU245YlpPbk9OVVBoTTNy WVpHbjdCRmMvNHZGN1VQdXdQdllxOFkKLS0tIFowdzk4d0RkYXJrdUFGTjF3bGJE
MWNsNVphclByb2lYWWJ6aFRnVFd1czQKMNHrQtWQy6cqXyb0wJBYYoULfZjAV+vn NFdGMkwxbVMrb0NjZXUwVUpRWXl6REEKWLriQM+2Fp64v3r1HJQu5gKR+SY+qa40
9Qz2t6qF+klTxY25TkDFBF+Jcmojn1rfTeT4/c39bE3spf/XgBYw7Q== 0lI7gsQj01WMpTb8sja2K5QN7cQOauMQUU6ceVQtzY4LMDLTxDz92g==
-----END AGE ENCRYPTED FILE-----
- recipient: age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxR0liazVRR0JaUW03TG5T
MVR4UzM3V3ZTbVRkYzdFTFNWdmhIVFBKK2t3CmRmNmF6WjZoZUt6WkpwMUVla2FF
OHBYdkFaWHI0bzRyUVhmN2dzdlJuYXMKLS0tIFNOUEUydXNRR252QzJKOUJhMU1D
RXdlMG1Lc00yaDY4b1N3SU1NdkIzN0kKaRGpGQUcq45DHuyb+6WQ+tMuDikt+Bra
pEwiB3gXODDyRw+vB3NPoOvno6QGzt4tqPFgx3qEUT37tESrOZXOhQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl - recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBESExuSFl2SUJYTzIvbEp4 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQnFVc3VwTDNDbW0rQkJX
a00rNGo4VnpvVkl5cit4NnBqQTA2TW1sL2k4ClMrUFNMS1QzY2NQVlR6Vk1oZE5L UVFZaXVGR2d3SklqWUQyWHVCZlFOckQ1czBFCmNSQ2ZkVENmZ2RpY2MydmorWDFD
SGdaWThMZ2FKYVZyRWl6YzZrMXRoRUUKLS0tIDRBNUZMRW9Jb0h1bXZ2WTBmU3NU WGs1K3NIZUxDZVROVUx3Vm85QlRLRzQKLS0tIDNXd1E5WkpUMVpXYml1Z0svQk0z
dDNUWVVaSHBRTHg3MGJNSlpBeVBPS1EKPwtufnjNTMVqDJlthcFEmdmdLpwiLLrT RVpCUDVSclNTdEVWOU5UbGdhclo1K1kKbSECXCnCxsAJUcbz1/64FBtkVGRA6oWO
o+68EGQDTZtzzZunfMHEecl8lOylgIdoVDU4J8Q2TOPaI7mUBd1B3A== qL0g67gyIV5ycd0s9f8sz+r54zxwdQXiJ1BFyewGPZD4CzepeM6SBA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlR0ZOakd0bkxCSG4zbkFJ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsU0VRUDhqZjJhSkl5dk41
ejZ1ZEkxODRBckpLV3p0eVNFa3JHYkhHcVZZCk11RjlmL2pqLzNNL1Q0bHhmK0Jy U292RXNOUlUvcjhwM09zZlpOejhiWFg1WjJVCmFlSzJWb0dhQk45U3dBY0dOS0F6
YkpIdlN2KzdGaFlTdlNCNVRJZmZ4ZHMKLS0tIHR4UzFsNUcyVytxY0FPYVhSZmpn OFBrNlFNNG9rZDJLajVaaVA3c0lkNGMKLS0tIGc0blBuMzRMbmdxU2VTc1pNenlY
VVpkM0dwMnRwMlZhbGRWaE1tRVZLbWMKhDnvP1GLD6LqXJ4PnQFF8TsVzVAeAvQ7 ZVp5RHU2U1ppakJCMFozWUNGSXhvNkkKDVPJGjPDaX+n3v27PBdMyk9kuzXnRIop
W2QzaoZGysaO06NMqJg1039RVJ7Tm7ZdEfqZLavYxk/tS4Wt3EGr4A== h5XGRkJHTC4emo8zgKpBfByEb2fkBSL3k2ffZbVYtxrpupVBmT1Uqw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-31T11:50:02Z" lastmodified: "2025-11-14T22:36:00Z"
mac: ENC[AES256_GCM,data:skTdbNg8f9c0YiSzv8v9j5duCqcd2sR/tmomeZz8iWM9FQHHs9EO/SMjGQBWIlYjIJS5Pv9g6/yI5WT8L3D/vK+Ajih32397X6noqSjTFv7yfJCaQh8NxNOC6Q8RRyPT5mNjB76HQb6IxHnQYg74zi5CUjMLXwsCAIOBJvcFyiE=,iv:wZtw3DN+g/2zjDpLGkwHLFnsZQ4zQY3oifOFWhsPTE4=,tag:aDeTeCxl7I132jhRrtpVMg==,type:str] mac: ENC[AES256_GCM,data:H//LCiMw1wE7IDFvKf/QEhOlAjx83R4bxGCE9g4lG0dg2V9LD2bWOq2FVGUrMxw350Rj8CFIWaS5ZolGOvUetbDiQTlqayXi7OArGKBkJphoAdr2rskGYVULmB90a4wp1Fq9oIW2ZjbeURQkwybGJzBTCXFRNWp1VcY1STxzlR8=,iv:DWNLKAcscWIUZ9n46I3dssCM7416oGdsY/mPy1YzrJA=,tag:Q03jAMKSDJw5HmFb9i3Hxg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.2 version: 3.11.0

44
secrets/morn/morn.yaml Normal file
View File

@@ -0,0 +1,44 @@
miniflux:
env: ENC[AES256_GCM,data:JnpUwtRDT92u+GZFsBu3Igw13GXYu1NhfWyEDacP7LshfgP9zxclYipCbdzbMDdSf7Ml715b7jRUoKpnSCQcdW9H/c4t,iv:KxfehvNVq1UFp7v6gE95m0bKT2+0dde6wdyNtGiH7UE=,tag:NFbqJlz+wFd+R2EBG8BWKg==,type:str]
sops:
age:
- recipient: age14ar8q5454khxxf5ur2nxwk533nzycz2lh3635qwz35wh8yq0jpqskj2ksx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNVnNjRlZCdkZFZnN3dkcv
UmF4Zi9SZzM2bi9IRWJIMHlHOGVTMmx2dm5VCkdGc015dXlDVUV5d0NnQlRCNXlQ
N2lsYkR5N2E5RUprdlBHNitNQmpSK0kKLS0tIEJYSzZ3M1lBY3QremY0Y0dLd05Z
V0xJQWRJbkpOQ00wa3ZHOXZxdFN2UDAKrFMAg+Di9aF4TEqDlPgsAi1635CfRIIg
ryyL44l38QPz5CBhh7JPbl7g54l8/jksPOOF0DCmglRnsL+2obur5Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age146z3h3flw7spy5thznak8k5jh6yd68k9qrrehg8sdcwmyjv3vd7qvahdur
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbDUxL2xaaVNaK2FadHVK
ODZNY2tlOVVuZFlkQUVsZzlqaER2ZXFIK0c0CkR5eVdGM3laS0JkeDdYQzh5VW84
Q1NVclJyeEhabUhId3NWdnB0aDVZQzQKLS0tIGlsTVdFOHV5eUgyeVNrUXRCNXRO
TWw2aC91ZmJieHhma1NndGJDTktSUFEKZBn9zXNmtx768QUENvAero8KJqK9CA4F
DESvmF2ewLSes0bHVsDNTMdchr+TH29jSzHvDbvP50r0v393JhXu7A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1phc4fkt25n4wtzg88sg3fhvmy6tv8pguyxp5c9js83ae3z374adsxfpqkl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOMXVUV3NOUXZXaWtNdmFx
MzRDZE9PSU5GTlNyTnNYdWdKa1R3UjJvSDBFCjFLd2QwdVJPakt5aGF6OHViQm1l
S2pabnRPVUxFNmtsQWJETU1TVHV1SHcKLS0tIDZrUmlQbGtxWjV5bTE5bzk1ditP
VTZONVdCR29YYUxNUmlJNmJhZS9yQ1EKXD9V8ExQ3Pi1FafzQpq+P88V5/ZG0Tkc
uZSngEfhkd4r4wqUozwYvKR2cMKo6v7tvYTU8D4KevIx11QtSylGcQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAveWM1VGVNYjdaTWFPUFBO
Q0J4bFlaSE5SallBdFRTZUF1VU9uQVI0TGpZCnE1L08rMm9WNVhyREtDaHc5N1o2
ZmxwSHdiK2tla3B0d3djRzBzMjZZNTAKLS0tIHRnOG1hRFc2SFFDZUs3SjhVM1Bm
bEt2SktTaU1xY2NNSnR3N0VldlFiV2MKmmAeQab5dehY8FpXcusXf9KVFqS4M67Y
ITX0N8pASmDxevvNOBl0cTJ5WCg/22/22Yq8hXuUvnqBZqA0P05Wpw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-06T21:55:46Z"
mac: ENC[AES256_GCM,data:GQ6c/T5eEXmN/exfzi7YJx8GIpN9hAPL1obJ/RSs2UEOhPKhzp5wrsUYAVMmowMDMswjJ995GhonWcMoBfw2tXymBeZ4lcutqtu3i8awTRAV3VrdXmk2Hvi2Kv6bNYh+rZtKKU5a9rAmZAENBomjOM8C/u7ykWG2Iqk46bc/UuM=,iv:hoaYUguhuECsDjYQQ9tHugoIiBvjP8PlQV4+IjgnfSQ=,tag:u+W7P8MzYOx8/OD7K/Lh7w==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

3
shell.nix
View File

@@ -1,8 +1,9 @@
{ pkgs ? import <nixpkgs> {} }: { pkgs ? import <nixpkgs> {} }:
pkgs.mkShell { pkgs.mkShell {
nativeBuildInputs = with pkgs; [ nativeBuildInputs = with pkgs; [
sops
gnupg gnupg
sops
ssh-to-age
]; ];
} }