diff --git a/.forgejo/workflows/build.yaml b/.forgejo/workflows/build.yaml
new file mode 100644
index 0000000..89693ab
--- /dev/null
+++ b/.forgejo/workflows/build.yaml
@@ -0,0 +1,11 @@
+on:
+ push:
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ check:
+ runs-on: native
+ steps:
+ - uses: actions/checkout@v4
+ - run: nix flake check --all-systems
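Review bot: Running `nix flake check --all-systems` on `pull_request` events evaluates and builds PR-supplied flake code on the `native` runner; if this Forgejo instance accepts pull requests from forks and that runner is a persistent host rather than an ephemeral one, an untrusted contributor reaches it through evaluation-time code and fixed-output fetches, so confirm one of those two conditions does not hold or limit the trigger to non-fork PRs. `actions/checkout@v4` is pinned to a movable tag; pin the commit, `- uses: actions/checkout@<full-sha> # v4`, so a retagged action cannot change what runs here. The unfiltered `push:` trigger also repeats the same check for every branch that has an open PR; `push: branches: [ main ]` avoids the duplicate run.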
diff --git a/assets/ssh.nix b/assets/ssh.nix
index fb8a04d..afdc92c 100644
--- a/assets/ssh.nix
+++ b/assets/ssh.nix
@@ -15,6 +15,7 @@
kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGK7H4Z29d72HJlI69Vt0YLOyuPcn9XxYjvMZfql80z0 nikodem@rabulinski.com";
hijiri = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFXVPUBYAMn9H3efG/ldWl/ySmZV0CXleyH7E5nKf/N7 nikodem@rabulinski.com";
tsukasa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPKXcihNVgsStMstnZYvh+Ai+JsydX3vu4O0yhlN+zw niko@tsukasa";
+ youko = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKAGBazVVFr1+beFxpC701IPz4JwdPIyFJybVVZ9kTkr niko@youko";
};
system = {
@@ -25,5 +26,6 @@
kogata = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPN/SXBcIB1WN8GIhYrQrqzFGuVkEP4o0E+x0uQ4f2l";
hijiri = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILsTkICNuUwGqrToisTViFCBoql39+DFYVZSWj7vfbXK";
tsukasa = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDKy32XGCkB0KOUm4f0ybrutfAzR7+baifM2yv5KuYV7 root@tsukasa";
+ youko = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSbIjEo28aB2TACkvLY+VRKElZEdH9qFlTTfxCrblGZ root@youko";
};
}
diff --git a/flake.lock b/flake.lock
index f409834..c260a9c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -47,11 +47,11 @@
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
- "lastModified": 1738514772,
- "narHash": "sha256-ng38xM+7MfmoWYcQj6/Ejgt732nbFIDx14QvWVpG0d4=",
+ "lastModified": 1742497754,
+ "narHash": "sha256-fCM/cnenyg+HQ3Ek7uXu04UX/aXrHBD6BW93/rYWZHE=",
"ref": "refs/heads/main",
- "rev": "b691dd3a7746afd73e944db98c0b000c1424cd5e",
- "revCount": 362,
+ "rev": "af9d18efe24894a63c39d37bc0d2ddbea413aaa8",
+ "revCount": 366,
"type": "git",
"url": "https://git.lix.systems/nrabulinski/attic.git"
},
@@ -79,11 +79,11 @@
"conduit-src": {
"flake": false,
"locked": {
- "lastModified": 1730678249,
- "narHash": "sha256-Xn1BnCbwbRFhqcFJ4GvSmB+H509fiHFhTJcpi4G+2oo=",
+ "lastModified": 1742005420,
+ "narHash": "sha256-v4LCx7VUZ+8Hy1+6ziREVY/QEADjZbo8c0h9eU7nMVY=",
"owner": "famedly",
"repo": "conduit",
- "rev": "e952522a39883e4431e74c42cef3d9bc562752f8",
+ "rev": "063d13a0e10619f17bc21f0dd291c5a733581394",
"type": "gitlab"
},
"original": {
@@ -95,11 +95,11 @@
},
"crane": {
"locked": {
- "lastModified": 1737689766,
- "narHash": "sha256-ivVXYaYlShxYoKfSo5+y5930qMKKJ8CLcAoIBPQfJ6s=",
+ "lastModified": 1742394900,
+ "narHash": "sha256-vVOAp9ahvnU+fQoKd4SEXB2JG2wbENkpqcwlkIXgUC0=",
"owner": "ipetkov",
"repo": "crane",
- "rev": "6fe74265bbb6d016d663b1091f015e2976c4a527",
+ "rev": "70947c1908108c0c551ddfd73d4f750ff2ea67cd",
"type": "github"
},
"original": {
@@ -115,15 +115,16 @@
]
},
"locked": {
- "lastModified": 1738277753,
- "narHash": "sha256-iyFcCOk0mmDiv4ut9mBEuMxMZIym3++0qN1rQBg8FW0=",
+ "lastModified": 1742382197,
+ "narHash": "sha256-5OtFbbdKAkWDVuzjs1J9KwdFuDxsEvz0FZX3xR2jEUM=",
"owner": "lnl7",
"repo": "nix-darwin",
- "rev": "49b807fa7c37568d7fbe2aeaafb9255c185412f9",
+ "rev": "643b57fd32135769f809913663130a95fe6db49e",
"type": "github"
},
"original": {
"owner": "lnl7",
+ "ref": "refs/pull/1335/merge",
"repo": "nix-darwin",
"type": "github"
}
@@ -135,11 +136,11 @@
]
},
"locked": {
- "lastModified": 1738148035,
- "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=",
+ "lastModified": 1741786315,
+ "narHash": "sha256-VT65AE2syHVj6v/DGB496bqBnu1PXrrzwlw07/Zpllc=",
"owner": "nix-community",
"repo": "disko",
- "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54",
+ "rev": "0d8c6ad4a43906d14abd5c60e0ffe7b587b213de",
"type": "github"
},
"original": {
@@ -156,11 +157,11 @@
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
- "lastModified": 1738564312,
- "narHash": "sha256-awAp1Qe+c95PQxP7v+Zfse+w3URaP3UQLCRlaPMzYtE=",
+ "lastModified": 1742452566,
+ "narHash": "sha256-sVuLDQ2UIWfXUBbctzrZrXM2X05YjX08K7XHMztt36E=",
"owner": "nix-community",
"repo": "fenix",
- "rev": "d99d2a562b9c9d5f0e4399e5bb677b37a791c7eb",
+ "rev": "7d9ba794daf5e8cc7ee728859bc688d8e26d5f06",
"type": "github"
},
"original": {
@@ -176,11 +177,11 @@
]
},
"locked": {
- "lastModified": 1738544198,
- "narHash": "sha256-bdGeUx6SBs37wQ6gHo5m+apn5Uze2fVz/oYfkD6DKUA=",
+ "lastModified": 1742432361,
+ "narHash": "sha256-FlqTrkzSn6oPR5iJTPsCQDd0ioMGzzxnPB+2wve9W2w=",
"owner": "bandithedoge",
"repo": "nixpkgs-firefox-darwin",
- "rev": "6a14fbdbc697c7f1c93376ecbed4b095ccc55f00",
+ "rev": "c868ff433ea5123e837a62ae689543045187d7a4",
"type": "github"
},
"original": {
@@ -245,11 +246,11 @@
]
},
"locked": {
- "lastModified": 1738453229,
- "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
+ "lastModified": 1741352980,
+ "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
"owner": "hercules-ci",
"repo": "flake-parts",
- "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
+ "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
"type": "github"
},
"original": {
@@ -265,11 +266,11 @@
]
},
"locked": {
- "lastModified": 1738453229,
- "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=",
+ "lastModified": 1741352980,
+ "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
"owner": "hercules-ci",
"repo": "flake-parts",
- "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd",
+ "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
"type": "github"
},
"original": {
@@ -386,9 +387,6 @@
},
"helix": {
"inputs": {
- "crane": [
- "crane"
- ],
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
@@ -396,11 +394,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
- "lastModified": 1738547365,
- "narHash": "sha256-4GrVwyIZKx14eVG8TZMKmgyw8v3TuETPrLvYkFNqlyc=",
+ "lastModified": 1742479163,
+ "narHash": "sha256-YC0zdGyZMu7seA2Jm1mxtcxE4lSeVwvCPMfWzJ8+o/c=",
"owner": "helix-editor",
"repo": "helix",
- "rev": "066e938ba083c0259ff411b681eca7bad30980df",
+ "rev": "b7d735ffe66a03ab5970e5f860923aada50d4e4c",
"type": "github"
},
"original": {
@@ -416,11 +414,11 @@
]
},
"locked": {
- "lastModified": 1738448366,
- "narHash": "sha256-4ATtQqBlgsGqkHTemta0ydY6f7JBRXz4Hf574NHQpkg=",
+ "lastModified": 1742501496,
+ "narHash": "sha256-LYwyZmhckDKK7i4avmbcs1pBROpOaHi98lbjX1fmVpU=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "18fa9f323d8adbb0b7b8b98a8488db308210ed93",
+ "rev": "d725df5ad8cee60e61ee6fe3afb735e4fbc1ff41",
"type": "github"
},
"original": {
@@ -432,11 +430,11 @@
"lix": {
"flake": false,
"locked": {
- "lastModified": 1738446528,
- "narHash": "sha256-NYL/r7EXSyYP7nXuYGvGYMI9QtztGjVaKKofBt/pCv8=",
+ "lastModified": 1742411066,
+ "narHash": "sha256-8vXOKPQFRzTjapsRnTJ1nuFjUfC+AGI2ybdK5cAEHZ8=",
"ref": "refs/heads/main",
- "rev": "a51380645f61b33d37a536b596d16c481f7b84a6",
- "revCount": 17342,
+ "rev": "2491b7cc2128ee440d24768c4521c38b1859fc28",
+ "revCount": 17705,
"type": "git",
"url": "https://git.lix.systems/lix-project/lix.git"
},
@@ -457,11 +455,11 @@
]
},
"locked": {
- "lastModified": 1738176840,
- "narHash": "sha256-NG3IRvRs3u3btVCN861FqHvgOwqcNT/Oy6PBG86F5/E=",
+ "lastModified": 1741894565,
+ "narHash": "sha256-2FD0NDJbEjUHloVrtEIms5miJsj1tvQCc/0YK5ambyc=",
"ref": "refs/heads/main",
- "rev": "621aae0f3cceaffa6d73a4fb0f89c08d338d729e",
- "revCount": 133,
+ "rev": "a6da43f8193d9e329bba1795c42590c27966082e",
+ "revCount": 136,
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git"
},
@@ -480,11 +478,11 @@
"nixpkgs-24_11": "nixpkgs-24_11"
},
"locked": {
- "lastModified": 1737736848,
- "narHash": "sha256-VrUfCXBXYV+YmQ2OvVTeML9EnmaPRtH+POrNIcJp6yo=",
+ "lastModified": 1742413977,
+ "narHash": "sha256-NkhM9GVu3HL+MiXtGD0TjuPCQ4GFVJPBZ8KyI2cFDGU=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
- "rev": "6b425d13f5a9d73cb63973d3609acacef4d1e261",
+ "rev": "b4fbffe79c00f19be94b86b4144ff67541613659",
"type": "gitlab"
},
"original": {
@@ -609,11 +607,11 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1738452225,
- "narHash": "sha256-Qmwx3FXM0x0pdjibwTk/uRbayqDrs3EwmRJe7tQWu48=",
+ "lastModified": 1742395137,
+ "narHash": "sha256-WWNNjCSzQCtATpCFEijm81NNG1xqlLMVbIzXAiZysbs=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "6c4e0724e0a785a20679b1bca3a46bfce60f05b6",
+ "rev": "2a725d40de138714db4872dc7405d86457aa17ad",
"type": "github"
},
"original": {
@@ -632,11 +630,11 @@
"nvidia-patch-src": "nvidia-patch-src"
},
"locked": {
- "lastModified": 1736930913,
- "narHash": "sha256-f7v5s924/CiDCW7j/SEvefwm6Jb07zQWYShJ+FIYS0A=",
+ "lastModified": 1742460640,
+ "narHash": "sha256-Qks0TRMOiuVKjcSPkg251Q2/wdU5ooMt4b2f2numPzg=",
"owner": "arcnmx",
"repo": "nvidia-patch.nix",
- "rev": "6ca6f8dd2139b9c01049de29979c1c0db157a647",
+ "rev": "c85990250376300fe11413e22458911f408f64d0",
"type": "github"
},
"original": {
@@ -648,11 +646,11 @@
"nvidia-patch-src": {
"flake": false,
"locked": {
- "lastModified": 1736882949,
- "narHash": "sha256-s1qtdm0UGd4uImNts42W5hT6W1nOVz8eTyBF37QlUfc=",
+ "lastModified": 1742384429,
+ "narHash": "sha256-5O0TXVrLsFrULXli2vB2iJ7TECUckMHKvJZYmdkcnGE=",
"owner": "keylase",
"repo": "nvidia-patch",
- "rev": "0837f46dfe25b6e750abc7e601032bdd12c70be0",
+ "rev": "07080317245ac30c38001d2149810b2dee3cce1f",
"type": "github"
},
"original": {
@@ -710,11 +708,11 @@
"rust-analyzer-src": {
"flake": false,
"locked": {
- "lastModified": 1738488035,
- "narHash": "sha256-sLLW0S7OGlFYgNvAQnqWK1Ws5V1YNGvfXHdWoZ91CeI=",
+ "lastModified": 1742296961,
+ "narHash": "sha256-gCpvEQOrugHWLimD1wTFOJHagnSEP6VYBDspq96Idu0=",
"owner": "rust-lang",
"repo": "rust-analyzer",
- "rev": "f3998f7f8a197596c5edf72e937996e6674b423b",
+ "rev": "15d87419f1a123d8f888d608129c3ce3ff8f13d4",
"type": "github"
},
"original": {
@@ -732,11 +730,11 @@
]
},
"locked": {
- "lastModified": 1737599167,
- "narHash": "sha256-S2rHCrQWCDVp63XxL/AQbGr1g5M8Zx14C7Jooa4oM8o=",
+ "lastModified": 1740623427,
+ "narHash": "sha256-3SdPQrZoa4odlScFDUHd4CUPQ/R1gtH4Mq9u8CBiK8M=",
"owner": "oxalica",
"repo": "rust-overlay",
- "rev": "38374302ae9edf819eac666d1f276d62c712dd06",
+ "rev": "d342e8b5fd88421ff982f383c853f0fc78a847ab",
"type": "github"
},
"original": {
@@ -753,11 +751,11 @@
]
},
"locked": {
- "lastModified": 1737166965,
- "narHash": "sha256-vlDROBAgq+7PEVM0vaS2zboY6DXs3oKK0qW/1dVuFs4=",
+ "lastModified": 1739240901,
+ "narHash": "sha256-YDtl/9w71m5WcZvbEroYoWrjECDhzJZLZ8E68S3BYok=",
"owner": "oxalica",
"repo": "rust-overlay",
- "rev": "fc839c9d5d1ebc789b4657c43c4d54838c7c01de",
+ "rev": "03473e2af8a4b490f4d2cdb2e4d3b75f82c8197c",
"type": "github"
},
"original": {
@@ -851,11 +849,11 @@
]
},
"locked": {
- "lastModified": 1738070913,
- "narHash": "sha256-j6jC12vCFsTGDmY2u1H12lMr62fnclNjuCtAdF1a4Nk=",
+ "lastModified": 1742370146,
+ "narHash": "sha256-XRE8hL4vKIQyVMDXykFh4ceo3KSpuJF3ts8GKwh5bIU=",
"owner": "numtide",
"repo": "treefmt-nix",
- "rev": "bebf27d00f7d10ba75332a0541ac43676985dea3",
+ "rev": "adc195eef5da3606891cedf80c0d9ce2d3190808",
"type": "github"
},
"original": {
@@ -923,11 +921,11 @@
"rust-overlay": "rust-overlay_2"
},
"locked": {
- "lastModified": 1738084440,
- "narHash": "sha256-sARyUquyuNapFbICL/PJEhcDgBzpxTcHUNw8R/xL1iA=",
+ "lastModified": 1741803511,
+ "narHash": "sha256-DcCGBWvAvt+OWI+EcPRO+/IXZHkFgPxZUmxf2VLl8no=",
"owner": "dj95",
"repo": "zjstatus",
- "rev": "096dc72a909fd0fb34768a98354aad6207002671",
+ "rev": "df9c77718f7023de8406e593eda6b5b0bc09cddd",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index f2007c6..217b7cc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -86,7 +86,9 @@
inputs.nixpkgs.follows = "nixpkgs";
};
darwin = {
- url = "github:lnl7/nix-darwin";
+ # TODO: Move back once https://github.com/LnL7/nix-darwin/issues/1392 is resolved
+ # url = "github:lnl7/nix-darwin";
+ url = "github:lnl7/nix-darwin?ref=refs/pull/1335/merge";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix = {
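Review bot: `ref=refs/pull/1335/merge` tracks GitHub's synthetic merge ref for that PR, which is regenerated whenever the PR branch or its base moves and disappears once the PR is closed, so the next `nix flake update` pulls whatever the PR author has pushed since into every darwin system built from this flake, unreviewed. flake.lock holds a concrete rev today, but the input itself should pin one: `url = "github:lnl7/nix-darwin/<commit-sha>";` (or a branch on a fork you control), keeping the TODO. The TODO cites issue 1392 while the ref is PR 1335; one clause saying the PR is the proposed fix for that issue saves the next reader a lookup.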
@@ -147,7 +149,6 @@
helix = {
url = "github:helix-editor/helix";
inputs.nixpkgs.follows = "nixpkgs";
- inputs.crane.follows = "crane";
};
zjstatus = {
url = "github:dj95/zjstatus";
diff --git a/hosts/default.nix b/hosts/default.nix
index a245e1c..03d464d 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -14,6 +14,7 @@
# ./installer
./ude
./kogata
+ ./youko
];
builders =
diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix
index df92f1c..8464cb5 100644
--- a/hosts/kazuki/default.nix
+++ b/hosts/kazuki/default.nix
@@ -15,7 +15,6 @@
./storage.nix
./ntfy.nix
./zitadel.nix
- ./forgejo.nix
./prometheus.nix
];
diff --git a/hosts/kazuki/forgejo.nix b/hosts/kazuki/forgejo.nix
deleted file mode 100644
index 9f200e2..0000000
--- a/hosts/kazuki/forgejo.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{ config, ... }:
-{
- age.secrets.rab-lol-cf = {
- file = ../../secrets/rab-lol-cf.age;
- owner = config.services.nginx.user;
- };
-
- services.forgejo = {
- enable = true;
- settings = {
- server = {
- DOMAIN = "git.rab.lol";
- ROOT_URL = "https://git.rab.lol/";
- };
- oauth2_client = {
- REGISTER_EMAIL_CONFIRM = false;
- ENABLE_AUTO_REGISTRATION = true;
- ACCOUNT_LINKING = "auto";
- UPDATE_AVATAR = true;
- };
- service = {
- DISABLE_REGISTRATION = false;
- ALLOW_ONLY_INTERNAL_REGISTRATION = false;
- ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
- };
- federation.ENABLED = true;
- };
- repositoryRoot = "/storage-box/forgejo/repos";
- lfs = {
- enable = true;
- contentDir = "/storage-box/forgejo/lfs";
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- virtualHosts."git.rab.lol" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
- extraConfig = ''
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- '';
- };
- };
- };
-
- users.users.nginx.extraGroups = [ "acme" ];
- security.acme.acceptTerms = true;
- security.acme.certs."git.rab.lol" = {
- dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.rab-lol-cf.path;
- email = "nikodem@rabulinski.com";
- };
-}
diff --git a/hosts/youko/default.nix b/hosts/youko/default.nix
new file mode 100644
index 0000000..3a2fe49
--- /dev/null
+++ b/hosts/youko/default.nix
@@ -0,0 +1,48 @@
+{
+ configurations.nixos.youko =
+ {
+ config,
+ lib,
+ username,
+ ...
+ }:
+ {
+ imports = [
+ ./disks.nix
+ ./hardware.nix
+ ./sway.nix
+ ./msmtp.nix
+ ./nas.nix
+ ];
+
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ boot = {
+ loader.systemd-boot.enable = true;
+ loader.efi.canTouchEfiVariables = true;
+ };
+
+ networking.networkmanager.enable = true;
+
+ age.secrets.niko-pass.file = ../../secrets/youko-niko-pass.age;
+ users.users.${username}.hashedPasswordFile = config.age.secrets.niko-pass.path;
+
+ settei.user.config = {
+ settei.desktop.enable = true;
+ };
+
+ services.udisks2.enable = true;
+ settei.incus.enable = true;
+ virtualisation.podman.enable = true;
+ hardware.keyboard.qmk.enable = true;
+
+ settei.unfree.allowedPackages = [ "vmware-workstation" ];
+ virtualisation.vmware.host.enable = true;
+ environment.etc."vmware/config" = lib.mkForce {
+ source = "${config.virtualisation.vmware.host.package}/etc/vmware/config";
+ text = null;
+ };
+
+ networking.hostId = "b49ee8de";
+ };
+}
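Review bot: systemd-boot's boot-entry editor is left at its NixOS default (enabled), so anyone at the console can edit the kernel command line (for example append `init=/bin/sh`) before the system boots; root is LUKS-encrypted (disks.nix), so this only helps someone who also knows the disk passphrase, but for that person it bypasses the user password entirely. Set `boot.loader.systemd-boot.editor = false;` next to `loader.systemd-boot.enable`. The `lib.mkForce` on `environment.etc."vmware/config"` also deserves a one-line comment on why the module's generated text is replaced by the package's own file, since the reason is not visible here — presumably the module-provided text breaks something on this host.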
diff --git a/hosts/youko/disks.nix b/hosts/youko/disks.nix
new file mode 100644
index 0000000..3156235
--- /dev/null
+++ b/hosts/youko/disks.nix
@@ -0,0 +1,58 @@
+{
+ disko.devices.disk.main = {
+ type = "disk";
+ device = "/dev/nvme0n1";
+ content = {
+ type = "gpt";
+ partitions = {
+ esp = {
+ size = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ luks = {
+ size = "100%";
+ content = {
+ type = "luks";
+ name = "crypted";
+ settings.allowDiscards = true;
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes =
+ let
+ mountOptions = [
+ "noatime"
+ "compress=zstd"
+ ];
+ in
+ {
+ "/root" = {
+ inherit mountOptions;
+ mountpoint = "/";
+ };
+ "/home" = {
+ inherit mountOptions;
+ mountpoint = "/home";
+ };
+ "/nix" = {
+ inherit mountOptions;
+ mountpoint = "/nix";
+ };
+ "/swap" = {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "16G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
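Review bot: `settings.allowDiscards = true` passes TRIM through the LUKS layer, so anyone who later reads the raw NVMe can see which sectors are unused (filesystem size and usage patterns leak through the encryption); that is a deliberate SSD-longevity tradeoff, but the line does not record it. Add `# TRIM through LUKS leaks the free-block layout; accepted for SSD health.` above it. No key source (`passwordFile`/`keyFile`) is declared for the container, so disko presumably prompts interactively at install time — fine for a desktop, worth a comment if intended.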
diff --git a/hosts/youko/hardware.nix b/hosts/youko/hardware.nix
new file mode 100644
index 0000000..0f1386d
--- /dev/null
+++ b/hosts/youko/hardware.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+{
+ boot = {
+ extraModulePackages = with config.boot.kernelPackages; [ it87 ];
+ initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "ahci"
+ "usb_storage"
+ "usbhid"
+ "sd_mod"
+ ];
+ kernelModules = [
+ "kvm-amd"
+ "i2c-dev"
+ "it87"
+ ];
+ extraModprobeConfig = ''
+ options it87 ignore_resource_conflict=1
+ '';
+ };
+
+ services.smartd.enable = true;
+ hardware.cpu.amd.updateMicrocode = true;
+}
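Review bot: `options it87 ignore_resource_conflict=1` tells the out-of-tree it87 sensor module (pulled in through `extraModulePackages`) to bind even though ACPI claims the Super-I/O ports — presumably the case in which the driver otherwise refuses to load — which means the kernel and firmware may touch the same registers; the line says nothing about which board needs it. Add above `extraModprobeConfig`: `# ACPI claims the Super-I/O region on this board; it87 refuses to load without this override. Needed for fan/temperature sensors.` `i2c-dev` in `kernelModules` exposes `/dev/i2c-*` (root-only by default); a word on what uses it would help as well.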
diff --git a/hosts/youko/msmtp.nix b/hosts/youko/msmtp.nix
new file mode 100644
index 0000000..dc51c15
--- /dev/null
+++ b/hosts/youko/msmtp.nix
@@ -0,0 +1,36 @@
+# TODO: Potentially make this a common module?
+{
+ pkgs,
+ config,
+ username,
+ ...
+}:
+let
+ mail = "alert@nrab.lol";
+ aliases = pkgs.writeText "mail-aliases" ''
+ ${username}: nikodem@rabulinski.com
+ root: ${mail}
+ '';
+in
+{
+ age.secrets.alert-plaintext.file = ../../secrets/alert-plain-pass.age;
+
+ programs.msmtp = {
+ enable = true;
+ setSendmail = true;
+ defaults = {
+ inherit aliases;
+ tls = "on";
+ auth = "login";
+ tls_starttls = "off";
+ };
+ accounts = {
+ default = {
+ host = "mail.nrab.lol";
+ passwordeval = "cat ${config.age.secrets.alert-plaintext.path}";
+ user = mail;
+ from = mail;
+ };
+ };
+ };
+}
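Review bot: `passwordeval = "cat ${config.age.secrets.alert-plaintext.path}"` only works when the sender is root: nothing here sets `owner`, `group` or `mode` on the secret, so agenix installs it `root:root` mode 0400, and an msmtp invocation by `${username}` or any service user fails at the `cat` before authenticating. If root-only submission is the intent (zed and smartd on this host run as root), say so: `# Secret is root:root 0400 — only root-run daemons can send through this account.`; otherwise grant a group, e.g. `age.secrets.alert-plaintext = { file = ...; mode = "0440"; group = "<sender-group>"; }`. The `${username}` entry in the aliases file only affects recipients, not who may submit.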
diff --git a/hosts/youko/nas.nix b/hosts/youko/nas.nix
new file mode 100644
index 0000000..2e83912
--- /dev/null
+++ b/hosts/youko/nas.nix
@@ -0,0 +1,122 @@
+{
+ username,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ boot = {
+ supportedFilesystems = [ "zfs" ];
+ zfs.extraPools = [ "yottapool" ];
+ };
+
+ services.zfs = {
+ autoScrub.enable = true;
+ zed.settings = {
+ ZED_DEBUG_LOG = "/tmp/zed.debug.log";
+ ZED_EMAIL_ADDR = [ username ];
+ ZED_EMAIL_PROG = lib.getExe pkgs.msmtp;
+ ZED_EMAIL_OPTS = "@ADDRESS@";
+
+ ZED_NOTIFY_INTERVAL_SECS = 3600;
+ ZED_NOTIFY_VERBOSE = true;
+
+ ZED_USE_ENCLOSURE_LEDS = true;
+ ZED_SCRUB_AFTER_RESILVER = true;
+ };
+ };
+
+ services.samba-wsdd = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ # TODO: Clean up. Potentially make it a separate module
+ services.avahi = {
+ publish.enable = true;
+ publish.userServices = true;
+ nssmdns4 = true;
+ enable = true;
+ openFirewall = true;
+ extraServiceFiles = {
+ timemachine = ''
+
+
+
+ %h
+
+ _smb._tcp
+ 445
+
+
+ _device-info._tcp
+ 0
+ model=TimeCapsule8,119
+
+
+ _adisk._tcp
+ dk0=adVN=tm_share,adVF=0x82
+ sys=waMa=0,adVF=0x100
+
+
+ '';
+ };
+ };
+
+ services.samba = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ global = {
+ "workgroup" = "WORKGROUP";
+ "hosts allow" = "0.0.0.0/0";
+ "guest account" = "nobody";
+ "map to guest" = "bad user";
+ "getwd cache" = "true";
+ "strict sync" = "no";
+ "use sendfile" = "true";
+ };
+ "tm_share" = {
+ "path" = "/media/data/tm_share";
+ "valid users" = "niko";
+ "public" = "no";
+ "writeable" = "yes";
+ "force user" = "niko";
+ "fruit:aapl" = "yes";
+ "fruit:time machine" = "yes";
+ "vfs objects" = "catia fruit streams_xattr";
+ };
+ };
+ };
+
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ };
+ services.radarr.enable = true;
+ # TODO: Remove once https://github.com/Sonarr/Sonarr/pull/7443 is merged
+ nixpkgs.config.permittedInsecurePackages = [
+ "dotnet-sdk-6.0.428"
+ "aspnetcore-runtime-6.0.36"
+ ];
+ services.sonarr.enable = true;
+ services.prowlarr.enable = true;
+ services.jellyseerr.enable = true;
+ services.deluge = {
+ enable = true;
+ web.enable = true;
+ config.download_location = "/media/deluge";
+ };
+
+ users = {
+ users = {
+ jellyfin.extraGroups = [
+ "radarr"
+ "sonarr"
+ ];
+ radarr.extraGroups = [ "deluge" ];
+ sonarr.extraGroups = [ "deluge" ];
+ ${username}.extraGroups = [ "deluge" ];
+ };
+ };
+}
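Review bot: `"hosts allow" = "0.0.0.0/0"` in the Samba `global` section accepts every address, and with `openFirewall = true` on samba, samba-wsdd, avahi and jellyfin these services listen on every interface; youko runs NetworkManager (default.nix), so the share and its announcements are exposed on whatever network the machine joins, not only the home LAN. Restrict by address or interface, e.g. `"hosts allow" = "<lan-cidr> 127.0.0.1";` or `"interfaces" = "lo <lan-if>"; "bind interfaces only" = "yes";`, and prefer per-interface firewall rules (`networking.firewall.interfaces.<lan-if>.allowedTCPPorts`) over blanket `openFirewall`. `ZED_DEBUG_LOG = "/tmp/zed.debug.log"` has root's zed write to a fixed name in world-writable /tmp; a path under `/var/log` or `/run` avoids relying on `fs.protected_symlinks` alone.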
diff --git a/hosts/youko/sway.nix b/hosts/youko/sway.nix
new file mode 100644
index 0000000..9402602
--- /dev/null
+++ b/hosts/youko/sway.nix
@@ -0,0 +1,137 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ services.greetd = {
+ enable = true;
+ vt = 2;
+ settings.default_session =
+ let
+ swayWrapper = pkgs.writeShellScript "sway-wrapper" ''
+ export XCURSOR_THEME=volantes_cursors
+ exec ${lib.getExe config.programs.sway.package}
+ '';
+ in
+ {
+ command = "${lib.getExe pkgs.greetd.tuigreet} --time --cmd ${swayWrapper}";
+ user = "niko";
+ };
+ };
+
+ programs.sway = {
+ enable = true;
+ wrapperFeatures.base = true;
+ wrapperFeatures.gtk = true;
+ };
+
+ security.pam.services.swaylock = { };
+ xdg.portal.config.common.default = "*";
+
+ settei.user.config =
+ { config, ... }:
+ {
+ home.pointerCursor = {
+ name = "volantes_cursors";
+ package = pkgs.volantes-cursors;
+ };
+
+ home.packages = with pkgs; [
+ (writeShellApplication {
+ name = "lock";
+ text = ''
+ swaymsg output '*' power off
+ swaylock -c 000000
+ swaymsg output '*' power on
+ '';
+ })
+ (writeShellApplication {
+ name = "screenshot";
+ runtimeInputs = [
+ slurp
+ grim
+ wl-clipboard
+ ];
+ text = ''
+ grim -g "$(slurp)" - | \
+ wl-copy -t image/png
+ '';
+ })
+ # Bitwarden stuff, move to separate module or properly package?
+ # Maybe use some other input method?
+ (rofi-rbw.override { waylandSupport = true; })
+ rbw
+ pinentry-rofi
+ ];
+
+ wayland.windowManager.sway =
+ let
+ mod = config.wayland.windowManager.sway.config.modifier;
+ in
+ {
+ enable = true;
+ package = null;
+ config.workspaceAutoBackAndForth = true;
+ config.terminal = "wezterm";
+ config.modifier = "Mod4";
+ config.fonts.names = [ "IosevkaTerm Nerd Font" ];
+ config.keybindings = lib.mkOptionDefault {
+ "${mod}+b" = "exec rofi-rbw --selector rofi";
+ "${mod}+d" = "exec rofi -show drun";
+ "${mod}+Shift+s" = "exec screenshot";
+ };
+ config.keycodebindings = {
+ "${mod}+Shift+60" = "exec lock";
+ };
+ config.window.commands =
+ let
+ alwaysFloating = [
+ { window_role = "pop-up"; }
+ { window_role = "bubble"; }
+ { window_role = "dialog"; }
+ { window_type = "dialog"; }
+ { window_role = "task_dialog"; }
+ { window_type = "menu"; }
+ { app_id = "floating"; }
+ { app_id = "floating_update"; }
+ { class = "(?i)pinentry"; }
+ { title = "Administrator privileges required"; }
+ { title = "About Mozilla Firefox"; }
+ { window_role = "About"; }
+ {
+ app_id = "firefox";
+ title = "Library";
+ }
+ ];
+ in
+ map (criteria: {
+ inherit criteria;
+ command = "floating enable";
+ }) alwaysFloating;
+ config.input = {
+ "type:pointer" = {
+ accel_profile = "flat";
+ pointer_accel = "0.2";
+ };
+ "type:keyboard" = {
+ xkb_layout = "pl";
+ };
+ };
+ config.seat."*" = {
+ xcursor_theme = "volantes_cursors 24";
+ };
+ config.startup = [
+ {
+ command = "${lib.getExe' pkgs.glib "gsettings"} set org.gnome.desktop.interface cursor-theme 'volantes_cursors'";
+ always = true;
+ }
+ ];
+ };
+ programs.rofi = {
+ enable = true;
+ package = pkgs.rofi-wayland;
+ };
+ };
+}
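Review bot: `default_session.user = "niko"` runs tuigreet — the process that collects the login password — as the target user instead of greetd's dedicated `greeter` account (the NixOS default), so a fault in the greeter or its `--cmd` handling already runs with that user's files and keyring reachable; unless tuigreet needs the user's environment here, drop the line so the default applies. The literal `"niko"` also breaks with the rest of the host (default.nix and msmtp.nix take `username` from the module arguments); if the override is intended, add `username` to the argument set and write `user = username;`. Separately, the `lock` script declares no `runtimeInputs` while `screenshot` does; `runtimeInputs = [ swaylock sway ];` makes it independent of the session PATH.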
diff --git a/modules/home/desktop/zellij.nix b/modules/home/desktop/zellij.nix
index b5c34d0..3a4a025 100644
--- a/modules/home/desktop/zellij.nix
+++ b/modules/home/desktop/zellij.nix
@@ -3,7 +3,12 @@
# TODO: Move zellij to a wrapper
programs.zellij = {
enable = true;
+ enableBashIntegration = false;
+ enableFishIntegration = false;
+ enableZshIntegration = false;
settings = {
+ default_layout = "compacter";
+ show_startup_tips = false;
keybinds = {
shared_except = {
_args = [ "locked" ];
diff --git a/modules/home/unfree.nix b/modules/home/unfree.nix
index cd2060c..b551f32 100644
--- a/modules/home/unfree.nix
+++ b/modules/home/unfree.nix
@@ -1,5 +1,5 @@
# Copy of modules/system/unfree.nix
-{ config, lib, ... }:
+args@{ config, lib, ... }:
{
_file = ./unfree.nix;
@@ -11,7 +11,7 @@
};
};
- config = {
+ config = lib.mkIf (!args ? osConfig) {
nixpkgs.config.allowUnfreePredicate = lib.mkForce (
pkg: builtins.elem (lib.getName pkg) config.settei.unfree.allowedPackages
);
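Review bot: The new `lib.mkIf (!args ? osConfig)` guard carries no explanation of what the presence of `osConfig` signals; a reader has to know that home-manager injects `osConfig` only when it is loaded as a NixOS/nix-darwin module, in which case `nixpkgs.config` set here is presumably superseded by the system's own `allowUnfreePredicate`. Add above the `config =` line: `# home-manager passes osConfig only when running as a NixOS/nix-darwin module; there the system's nixpkgs.config applies and setting it here would be ignored or conflict.` The header `# Copy of modules/system/unfree.nix` is no longer accurate now that this module diverges from the system one; note the difference there.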
diff --git a/modules/system/containers.nix b/modules/system/containers.nix
index a0942f9..26e7e7e 100644
--- a/modules/system/containers.nix
+++ b/modules/system/containers.nix
@@ -85,6 +85,12 @@ let
services.openssh.hostKeys = [ ];
system.stateVersion = lib.mkDefault config.system.stateVersion;
+
+ networking.useHostResolvConf = false;
+ networking.nameservers = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
};
bindMounts = {
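Review bot: `networking.nameservers = [ "1.1.1.1" "1.0.0.1" ]` hardcodes a plaintext third-party resolver for every container created through `settei.containers`, ignoring whatever the host uses (a local resolver, split-horizon names, DoT), and because `networking.nameservers` is a list option a per-container value would be concatenated with it rather than replace it, so Cloudflare stays in the list. Make it overridable and record why the host's resolv.conf is bypassed — presumably because `privateNetwork` (forced in the next hunk) leaves the host's resolver unreachable from inside the container: `networking.nameservers = lib.mkDefault [ "1.1.1.1" "1.0.0.1" ];`. The enclosing per-container attrset starts and ends outside this hunk.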
@@ -95,6 +101,11 @@ let
privateNetwork = lib.mkForce true;
}
) config.settei.containers;
+
+ networking.nat = lib.mkIf (config.settei.containers != { }) {
+ enable = true;
+ internalInterfaces = [ "ve-+" ];
+ };
};
darwinConfig = lib.optionalAttrs (!isLinux) {
diff --git a/modules/system/incus.nix b/modules/system/incus.nix
index 4313573..b46ab37 100644
--- a/modules/system/incus.nix
+++ b/modules/system/incus.nix
@@ -49,6 +49,23 @@ let
};
}
];
+ profiles = [
+ {
+ devices = {
+ eth0 = {
+ name = "eth0";
+ network = "incusbr0";
+ type = "nic";
+ };
+ root = {
+ path = "/";
+ pool = "default";
+ type = "disk";
+ };
+ };
+ name = "default";
+ }
+ ];
};
};
networking = {
diff --git a/modules/system/sane-defaults.nix b/modules/system/sane-defaults.nix
index fcd1cde..ae4a097 100644
--- a/modules/system/sane-defaults.nix
+++ b/modules/system/sane-defaults.nix
@@ -52,7 +52,6 @@ let
experimental-features = [
"nix-command"
"flakes"
- "repl-flake"
"auto-allocate-uids"
];
trusted-users = lib.optionals (!adminNeedsPassword) [ username ];
@@ -92,7 +91,10 @@ let
isNormalUser = true;
home = "/home/${username}";
group = username;
- extraGroups = [ "wheel" ];
+ extraGroups = lib.mkMerge [
+ [ "wheel" ]
+ (lib.mkIf config.networking.networkmanager.enable [ "networkmanager" ])
+ ];
};
groups.${username} = { };
};
@@ -114,9 +116,8 @@ let
darwinConfig = lib.optionalAttrs (!isLinux) {
system.stateVersion = 4;
- services.nix-daemon.enable = true;
- security.pam.enableSudoTouchIdAuth = true;
+ security.pam.services.sudo_local.touchIdAuth = true;
users.users.${username}.home = "/Users/${username}";
# Every macOS ARM machine can emulate x86.
diff --git a/secrets/alert-nrab-lol-pass.age b/secrets/alert-nrab-lol-pass.age
index 4e34281..85d17ab 100644
Binary files a/secrets/alert-nrab-lol-pass.age and b/secrets/alert-nrab-lol-pass.age differ
diff --git a/secrets/alert-plain-pass.age b/secrets/alert-plain-pass.age
index 0204c32..032dbb2 100644
Binary files a/secrets/alert-plain-pass.age and b/secrets/alert-plain-pass.age differ
diff --git a/secrets/attic-creds.age b/secrets/attic-creds.age
index 557c86a..6d72b95 100644
Binary files a/secrets/attic-creds.age and b/secrets/attic-creds.age differ
diff --git a/secrets/forgejo-token.age b/secrets/forgejo-token.age
new file mode 100644
index 0000000..13f30a6
--- /dev/null
+++ b/secrets/forgejo-token.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 rA7dkQ tnp92QTb/uXAEizZuUrnaGcJCCkCSjIcE4RiQiYVdw8
+HXsRlqJSrDYaAeYslcR+g5KIQC1SUxFp+QdSHpKT61s
+-> ssh-ed25519 IFuY+w LI7kx/XwfF0JU8tSmW75nxpeLTUkEfY8NunAZljafCc
+f+WEjASZzP9ISv+7kPIMVNgEjdHUxVnLzUkqFHo4byY
+-> ssh-ed25519 GKhvwg EZDwzHfhaY0iHHeIDvm6BIY64kPPUgKjZnNuuwwqoAw
+FvZEeIqnsFA1fQka4R7sax1O13UZWoVbksSMLP3eEaA
+--- XBBcs7w5J7w01fKGoAXVTgOffS9ajheUMz3vDsxHgTo
+gؤRnlgÒA*%Yr
9}=L~f7Zgx
>R}hQz`rZ
\ No newline at end of file
diff --git a/secrets/github-token.age b/secrets/github-token.age
index 25e333e..03ad19e 100644
--- a/secrets/github-token.age
+++ b/secrets/github-token.age
@@ -1,13 +1,13 @@
age-encryption.org/v1
--> ssh-ed25519 IFuY+w nyBEszEusqQE6jM7y9G4KCyzNHawdyy+hTfm9LsuRCY
-1bbg4kmmv9m2Gwp+3x8zvqFOkmTKt898/sGCUK9rpGE
--> ssh-ed25519 84j9mw 5s2PNoIOMWf2gBwzmRHmssMOuvu2kv43316E20McKh8
-FyA+VjPgPynvMQfxm3d2+SOEpsJFIKJE8pbXeIkOfGI
--> ssh-ed25519 ioPMHA 4N9PsYYaeqJDbxpQpyCgvR/JWwLPDCAi65YB6M0uT0U
-mFCqo1htPi2WRKiJz/t8Y7TMD/p7X81HsHGG0KIsROQ
--> ssh-ed25519 5A7peQ ZjRTqjDou2xS638dR8AWKCv5uKTSmOSJ/4rkfFckhjY
-yUJABvMDLN0C15XBmnZJZ88khXAXLUP+aEqH5DlJcKY
--> ssh-ed25519 GKhvwg w1OKhVPY89J/pbrrXIHVifV++5e1tLqlSL9yM/2rqX0
-VF0cvmdtCZAlPgIqcNZYp7ANPhvDqlFE7h018lCbWyg
---- YWa0wXlaYVF+g06+w/u/h+NURlfMY8lauf5ZtrrhrF4
-3ͅP׆?4)mf.²`aFCj"Jwd鱇Bƌ+{dK
\ No newline at end of file
+-> ssh-ed25519 IFuY+w hrfVBxFIiDTvbm7OMYbme2+97WI3nqxYbjBNRXRS9H4
+SaKftmSA+8LitXnkqaw67xw378sNeGs/ENxmMsOVdvQ
+-> ssh-ed25519 84j9mw opGXl7a35TsSj2/ADgdbS5bp6/EDTsUDkS/IjIgjUBA
+Cw5O6wt9vzqCgbWxxCrzmXJQH+/Ae1wwyHCcHLfpEck
+-> ssh-ed25519 ioPMHA 5fAg0NsD/KlXSAJg1UQYsJEzZMy/wCHfwmv19cbWRyQ
+OhDaO75k9xEdCE0GdyJ6iK6B11ie/l4yCfVKp6py31I
+-> ssh-ed25519 5A7peQ pqvZetDuRh5pesWPZ9725h7i+XuvSNMn7810ukhNjyM
+96JlWRIyIZ07siNa1kk0HtHhiB4NQbSKQ4KXsDJGGdE
+-> ssh-ed25519 GKhvwg Ba5tOdWUlE9qs1tPb7t+0ZtHN82a6RmMHP1tzGe/VSg
+wLWBaFUkWkB5lMEKX0ISEQTGx/RDTF1vbvuGo9w8Qm4
+--- yVc69z1O1UOM+93dnjV0wkeqb4StW4HcBYi00z+0dIQ
+"49bW5v WjsUڲoO#S%\qn[hAjEhޢtjC
\ No newline at end of file
diff --git a/secrets/hercules-cache.age b/secrets/hercules-cache.age
index 615b2c2..783c7f3 100644
Binary files a/secrets/hercules-cache.age and b/secrets/hercules-cache.age differ
diff --git a/secrets/hercules-secrets.age b/secrets/hercules-secrets.age
index f63b958..8b55761 100644
--- a/secrets/hercules-secrets.age
+++ b/secrets/hercules-secrets.age
@@ -1,13 +1,16 @@
age-encryption.org/v1
--> ssh-ed25519 84j9mw P7StDsdpmJLp0ni5ZwdhVy2lx5TSfVlIqFAF9y4Zn34
-UksAEE1WWb2xWgHM8h4lhTW2pwqF8ydgGtFnqcp1KUo
--> ssh-ed25519 ioPMHA roPhy0I+dRtPuWsnFSxl2m7Uh7GgXkupwHSgL+LHrzs
-8rUE3mr9dukcAeR1213wjSm6Bme9ExpGX6TjEhHRYnc
--> ssh-ed25519 IFuY+w crwMCw/ElBMNFhUMHLAg+ZxpsutBwV7hhG79bXEmCDE
-7rnOVAVI/HgGbaswauWxCqB7Tkzx3hCxB2RZOi4aIpQ
--> ssh-ed25519 5A7peQ bcqPb+IVrI8BKlcpIrZ/qnbnG3p/mLsk/iSCVYlvwmY
-2q9KmMmyeYey9txiYrmxM5T86qXw7arKZSAbxszgxVo
--> ssh-ed25519 GKhvwg H9Pka72t6kmmxGcoAaRtyn8m9xlP9DJSeBrE6jVtRh4
-w/lcxBFd5w9mMn/sarr+7yCY+IGJzMJUgvi+KrQA4s4
---- wO1f52ZjrCtOdgOrnkKWPao5ZS2BhmWFQmvLGliosyM
-S]luG cU LHb/(f $&XmݒFPt.n,)t8 9g~3.h`0i|Zi9S߫ޔ~vf,~\;IۮFVO)uj:u[&6`OZ|yVɥ_PeK.vꪹ^2-Ҁ<\^m!.ys
l
K`fbDcdbD<_6zR?g̮`H ,5h$\Xl
\ No newline at end of file
+-> ssh-ed25519 84j9mw qVTbaORT1Ouwq1uA0cWQ3Q85tLYcq6xuZ9UhcMOTTSk
+PE0VZp1P9K4IAnm/BIDusGsp4dtLvaN0/m9q9gNnfx4
+-> ssh-ed25519 ioPMHA +m127XNN1vH6Tg6XGuHDbND0giQgGsMLE7YUKagZbXk
+tKyYRNLt1UgnQR//64yAunpHjE7JyB/Mkdmc4gkMTWw
+-> ssh-ed25519 IFuY+w x4WynTbStig1Ay9gyaplDcNlLQT0kMOFOJwVvcco1i0
+i8M7n2tfBJoFNmQHs5jEaZdfKc1UmjL5y6oBCos1mDk
+-> ssh-ed25519 5A7peQ +XJDHQntGS+FcrFgy9X/9RDOrBMNCI8rHsicV4Z5sBo
+i6xfceBN4DE9EYF8Q4PaJjX7qbELJaJ5dxMGoAIE8xU
+-> ssh-ed25519 GKhvwg fzJcotOtNhVeNwOdMQIwPT9GmgbE13HYmCkwbFlCCkQ
+mNtYtoX8IUDgHKAQRA5e7HLZgYVI9wCF8QMm530eFEo
+--- EIWU+anFU1NSYiu3O+xncDnVvJVrwHzwaAX1YhsaOj4
+%DJ#0AD
+qz,3sHVbTުˇ8[ ?VgNVd
+ĝȗL=̵g%ι[md6oqE4ŏF3@P\(MDM;%^ܫpxp):O9,iBT
+sǚ-JWE\0£y>0;yL{t.g%W,X} JJdg3\#)0h=lhBBXb$^
BM[~u? hlc;zk
\ No newline at end of file
diff --git a/secrets/hercules-token.age b/secrets/hercules-token.age
index 66500a1..54dd108 100644
Binary files a/secrets/hercules-token.age and b/secrets/hercules-token.age differ
diff --git a/secrets/kanidm-admin-pass.age b/secrets/kanidm-admin-pass.age
new file mode 100644
index 0000000..2b229b2
--- /dev/null
+++ b/secrets/kanidm-admin-pass.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 84j9mw W4+Z4WjOyUl4mWPqVykNWRhf2/8qfVOSM7QCFPNMZTA
+0ndQjslMwjQqguN25nBQtCchpCLhoD/vrxh1yNVeTNw
+-> ssh-ed25519 GKhvwg H8XcFJDZTA3IzxmK6wbB+PVM2gCZ4ysAPjL5j0LgeE0
+kehTMRIVOZ5ubtO7w8WF+gU3sjYXMQtd5hH+wcv3uSE
+--- 72ntrRbWq8pdkk/GrsVupTttfY9t+w3l+2KQbQyNn/I
+iyd$vVl TK$4G[MI[#tz:r9~ESA6}
\ No newline at end of file
diff --git a/secrets/kanidm-idm-admin-pass.age b/secrets/kanidm-idm-admin-pass.age
new file mode 100644
index 0000000..0eac321
--- /dev/null
+++ b/secrets/kanidm-idm-admin-pass.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 84j9mw 8zYeVXx36dpC8TxMdoM1GdERoNNj902KwTF4h/r4inM
+n3mYra0BeM4gWsZ7Roilu14o/GajX1iWw0fcy0q31yc
+-> ssh-ed25519 GKhvwg cqd7YmVpbxqZxaVluHDZ8Yw0gNfJCKMmoWa4mEoXym8
+Gbcj+PJaqyPRRGX4olr7mmJ5IoEGlQaogYbj7i9E/98
+--- LoQPWI+m8s3NjalUh0+xdW54c8lgddBmhPoIiPbmR8I
+Җ܉Y
+9!42DVP9N]G;?ЉS '
\ No newline at end of file
diff --git a/secrets/leet-nrab-lol-pass.age b/secrets/leet-nrab-lol-pass.age
index 28c300e..fbf07ad 100644
--- a/secrets/leet-nrab-lol-pass.age
+++ b/secrets/leet-nrab-lol-pass.age
@@ -1,8 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 84j9mw ZuGILSHnMIMy/GDEjkAriTBKBykkytcIVo63DPd4MhA
-aa/sGLpf+GrLzo8Jf3JWAPI0Uk96SH/CvGhynNJVx6E
--> ssh-ed25519 GKhvwg STHVqp1zYhQzu73INk2Cmkuf8X8kJPLtGSY8LJze/Tc
-Ny1C5CAnqSCcunIbM8if8oQ2VlerIIW5Dqds/Ztektw
---- gaHP+odPfw8A4f5NJkYOuvvYRWwo5EzRZVkXp6E7dfI
-NfO=+T3T 0w ssh-ed25519 84j9mw qRlII1WyhanH2pNwSnl01iMlPWQ7tsyiNNOHPLNMflo
+ZMtYsPCDsgcbN1qoAYWTBQtfBWGHzi4WKbGtpJSzKRA
+-> ssh-ed25519 GKhvwg Fck+71BDUxko70r43pDKCYaa5OKZipR4iNveNrJaiC0
+uZZhlsckmE+mi7Oq8+gtisDFmLEoy0Pm/9BKgRi9VHo
+--- i/jgJHw3pEnMDGSjdK47mOkt87oI8szIHiIqimXVyXY
+ߵSAѶBzwg@"PY^+E[',K[X~Xg{2c4
\ No newline at end of file
diff --git a/secrets/legion-niko-pass.age b/secrets/legion-niko-pass.age
index 20ed0ff..455628d 100644
Binary files a/secrets/legion-niko-pass.age and b/secrets/legion-niko-pass.age differ
diff --git a/secrets/miyagi-niko-pass.age b/secrets/miyagi-niko-pass.age
index 17e59da..460e357 100644
--- a/secrets/miyagi-niko-pass.age
+++ b/secrets/miyagi-niko-pass.age
@@ -1,8 +1,8 @@
age-encryption.org/v1
--> ssh-ed25519 g2vRWw //TMaNWwTNS5wE3Hg/SEwqriIaOiOUE5remdVF449Vk
-8K3isM05ep9HJ58TlNE9bmiIuqJPoq3lI/3AbUrLw8Q
--> ssh-ed25519 GKhvwg GANoFnELye0945KaMuS7xw6CGPhI5vigD+vScnpbQxI
-CSx0E7fOB8A5MSc1ySywNFj5mkkdi6DDUc+ObaW/kew
---- +BiFZI/o5loCYZ95bkY4zQYr2y6SYc2bmnRuAMg2MPM
-"D1Mh`dclU;]Puռ /?5\\D1l6øzNS
-N;<+^Bpm՚y
sZ;Vj
\ No newline at end of file
+-> ssh-ed25519 g2vRWw Pdv9mU1heeteeLbLFVUAIyZxmCWHNmhnw0TphSVMczg
+xks6yrF0BziJFp1QHSJdv5Svo1bCu9DF6s3wa2h0Xmg
+-> ssh-ed25519 GKhvwg H2DeS0HP/vWKRrBszwCffNgIZo8nVymGSkWEH26Y/2k
+2y9DCIwpFsFXpgOwOrrD9+HpRzEuno1fW2upd2FLbZc
+--- LNHsLxE4XBziNhnXmARcxB7UWhcKNvon1sDdX6mfZaw
+-1dm
+fR,[#[-;M}vi4x~=)oN^n"XB}W583惍fv:uZɶ
\ No newline at end of file
diff --git a/secrets/nrab-lol-cf.age b/secrets/nrab-lol-cf.age
index d1672d7..d3b9015 100644
Binary files a/secrets/nrab-lol-cf.age and b/secrets/nrab-lol-cf.age differ
diff --git a/secrets/ntfy-alert-pass.age b/secrets/ntfy-alert-pass.age
index 7819217..27558ca 100644
Binary files a/secrets/ntfy-alert-pass.age and b/secrets/ntfy-alert-pass.age differ
diff --git a/secrets/ntfy-niko-pass.age b/secrets/ntfy-niko-pass.age
index cca1985..276c72f 100644
--- a/secrets/ntfy-niko-pass.age
+++ b/secrets/ntfy-niko-pass.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 84j9mw tR4gg/XeVdS8xCIuHxN25uaRKu6a09DSW26SI3AWDlM
-uC2gJ9UWDE6uVXkUDlaVZlWAH5iLDgagkN+54msvyoY
--> ssh-ed25519 GKhvwg q27QskTYhI5gjIKKpNHn5V2FRmhIg8QFJ8m0TPZiwSY
-/0RIbiG/nwxKDJ613BLoCNvjej6f65mr1xwCN7/aueI
---- XU82wFZVE+zTZ/mGhnoxqWrdUOv3n6VOwQizZSHPLfw
-"1KĽ. J'!nlO]>Y
EX
\ No newline at end of file
+-> ssh-ed25519 84j9mw VodL+EHOjoXj8R/F0vMQzEcnnCFzzes0QByGCDCgVQw
+tZLaDA1FLFwbK0AGo8lpTJjMUnPhJh1czYVLIYjkcEc
+-> ssh-ed25519 GKhvwg gHaR4I4l0I+/XrbjTMp/mevEzxPJXNLB1eHs33WKwGw
+GTAzrhyyDylZgExteDGpGbcS/TFX1q+NhF1FWHzNV0s
+--- QS1dAgdS96KwIprDjzz6OD4qSIZs4/m9JEIsi3+kgPk
+zPCSxf -ic7_2~jA
\ No newline at end of file
diff --git a/secrets/rab-lol-cf.age b/secrets/rab-lol-cf.age
index 00a6556..4b5734a 100644
--- a/secrets/rab-lol-cf.age
+++ b/secrets/rab-lol-cf.age
@@ -1,10 +1,9 @@
age-encryption.org/v1
--> ssh-ed25519 ioPMHA efHpBvtB+mXXa7RoRdqePHGOmsY5BXVOgGsfOhPm30w
-2GvumVVuuLGEarpdauTCrB61aLtVtrkM3/pPlWIODnk
--> ssh-ed25519 84j9mw rqj6xvESlvrfcjhVEWCbpd//vvdKjrTjt3ZDPeLHowQ
-dcUD131zvVQGiUYQWt9A51CnIpLGNSGinSZk7HSGHoc
--> ssh-ed25519 GKhvwg cIji8zRSGWEbC/xxS8C4jyDCpQsFv05j2Yo8UjaHSAk
-+c/tIYPigZdPQWKvGYaoA6AYRAB83XlEEdfucihB984
---- TEQTQ/lm/JqyyWU2sC10qHl4AL/2IP9yCUfhXG4LdP4
-ȮSF-dcD\?h Qg@W
-xA|M*rt0ű~ѰXa{y/WUѸY렬{װ}TAxD
\ No newline at end of file
+-> ssh-ed25519 ioPMHA ftS+6CMGsySkp/KbDBLPKeWNDK83bZ2VB8ZKMRijkkY
+U+2wopG3G2AvI4KUD9tZGIrHZSM3UdyDdYmbbkllWPo
+-> ssh-ed25519 84j9mw xek41MX1ETVgRZa24I7n5U/XkJOqItQWK3Qz1FfkDCc
+40CWzCUmxsjgmiObbqKuSieifZ2vNo965jOeTrZ8hT8
+-> ssh-ed25519 GKhvwg X2YSREIPjoaWaku9qrVu04hOlZjUF3LFEUZaIMgg02s
+jbjT6qoIFGXRv2wrkzf2GHx3tcku/tgWfK6Sns3uFVc
+--- B/FIIz8dDg9YXbtDxfAQFZj9PCLHwI/mboBJQBuFmJg
+4L7H3F
̈́"fU(L~%sbԀ~Z}Z>2KO'Q\W[όe1^I
\ No newline at end of file
diff --git a/secrets/rabulinski-com-cf.age b/secrets/rabulinski-com-cf.age
index 2a15532..6e80a30 100644
--- a/secrets/rabulinski-com-cf.age
+++ b/secrets/rabulinski-com-cf.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 84j9mw LuZiZnebklpoXQ6RPZSrELwY4CzwY+Qb/LrlVPFiSC4
-QVi6XyetJxwvOB+v+CyKEdcq96ykcK3wfWh3i75Dq1o
--> ssh-ed25519 GKhvwg V3iEXNodDDKKKrHSfNYVKTphsMQfgl3Z/LUwTyArx3A
-FQJLg7uHWzc6/U+/QOCYwrkwvvw8rQNG+h+PJ1rRKXA
---- FVExbzlz8e7moZFIkpMR+sj4Kurv+Ge6yMW/uJLr5H4
-ѠI-iOJbzk1"KxI{Bƚd#71ܮm-0Df\y}=ڸ
4ݣ
\ No newline at end of file
+-> ssh-ed25519 84j9mw d9KZV9S1hRXBvVcFe40S0NqWKlQ/AdRgAqdYXKicXR8
+SgTn9MXrft+sRr4I96fqQHzAdm0b21Bd0eSoYFfq7/4
+-> ssh-ed25519 GKhvwg B9qTfegTwDH/X0nQMGvTKCsK2GyzJ7yWgFIo+nKhsGc
+Is4Hi8B2/9s0pz/quvNER2hTkabPbr7qeILL4PhQO1c
+--- 1BhfbNEwYq0ra5slik651qbC8jffR2FmnDHV3FDtom0
+-oSԐ-?{r]5;+0
GoE9tHXjqj2@3@ mmkyQ;_W϶Q~
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fc8ce14..552e4e3 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -33,9 +33,8 @@ in
keys.other.bootstrap
];
"alert-plain-pass.age".publicKeys = [
- keys.system.legion
keys.other.bootstrap
- ];
+ ] ++ builtins.attrValues keys.system;
"legion-niko-pass.age".publicKeys = [
keys.system.legion
keys.other.bootstrap
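Review bot: `] ++ builtins.attrValues keys.system;` grants every current and future host key the ability to decrypt alert-plain-pass.age, so adding a host to keys.system (as this commit does for youko) silently widens that secret's blast radius, and a compromise of any single host exposes it. If every host genuinely needs the alert password, a comment saying so would stop the next reader from treating this as an oversight, e.g. `# every host sends alerts, so all system keys may decrypt this`; otherwise list the consuming hosts explicitly as the neighbouring entries do. The enclosing attribute set continues outside the hunk.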
@@ -89,4 +88,21 @@ in
keys.system.ude
keys.other.bootstrap
];
+ "youko-niko-pass.age".publicKeys = [
+ keys.system.youko
+ keys.other.bootstrap
+ ];
+ "forgejo-token.age".publicKeys = [
+ keys.system.youko
+ keys.system.ude
+ keys.other.bootstrap
+ ];
+ "kanidm-admin-pass.age".publicKeys = [
+ keys.system.kazuki
+ keys.other.bootstrap
+ ];
+ "kanidm-idm-admin-pass.age".publicKeys = [
+ keys.system.kazuki
+ keys.other.bootstrap
+ ];
}
diff --git a/secrets/storage-box-creds.age b/secrets/storage-box-creds.age
index 02e128e..8b0a272 100644
--- a/secrets/storage-box-creds.age
+++ b/secrets/storage-box-creds.age
@@ -1,9 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 84j9mw voingQjX/CjAjo63KLaRPFaG74IpxcRb0qv+r2b5wzo
-ccWzQQSJW7cc8RiS9PzN2U5Xj0+Z7804tPsaGrq09KA
--> ssh-ed25519 GKhvwg 2z8J0YRxQ4WP1G/W7DxRK7z1b6UBjodvN8ECP4fLg1U
-wRG4U9oAJ2KtPUHg5l0yDmmHatmwXOrn2nJlOQJMlpE
---- qs7kR5AIkwQ8NtDjYnmKZmCl4+1G6MFBNB3Mu3J9Y1M
-
-8[WѕS]&ZaؼuEB!pϴ4pYݱ"
-QYqSƬ`
\ No newline at end of file
+-> ssh-ed25519 84j9mw auP2WgwsaWjyocQkSzoYShO2kSLjn2UArvAVEhKgDiY
+4Uh423ZjS7/Xo6TxLJzWqXgHZAu0xouH0UvFZuJuEz4
+-> ssh-ed25519 GKhvwg JHtyTS12OXspSKP9r/a61cfp+ubYbsAXFmEijMTex3Q
+wZYrJ8yIZ3v5cdBzpiI9ocaTpHbtmebEpbr59Bz3rhc
+--- koWJ57H+ErMJDxW6JDNL2ImmZb6o9v2BJtaFi2OL+dc
+Io5q&CU*[T.HɊʺkkpOYs,g49ʼn$^l-A/QX
\ No newline at end of file
diff --git a/secrets/storage-box-webdav.age b/secrets/storage-box-webdav.age
index 8a7f3b8..93a739a 100644
Binary files a/secrets/storage-box-webdav.age and b/secrets/storage-box-webdav.age differ
diff --git a/secrets/ude-deluge.age b/secrets/ude-deluge.age
index f0269c2..f9cdd04 100644
--- a/secrets/ude-deluge.age
+++ b/secrets/ude-deluge.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 IFuY+w +zbPYKlvvfaIQl+PnnZlEai/TAgzsQ7s/1bLXNXnXEw
-BTQQRxlaRFbWnV6e+QBPDfN+lyg9URj+2h85tDKZ19k
--> ssh-ed25519 GKhvwg DzWYIGY0CNdA5wp7PkV1gpWmtYG28or8XeNZ7DkLz1c
-ELQVeuyaIOWVH6+oMDDlI3CikDLe5jijwVPbaRBL2NQ
---- vCU0PryisDG8cOKr6CmPcUwjIdThsRjrty/fowZNwOk
-h+Ѯ>HV`w|e/]kyS~dm&9Y))T
nS8@ۿzsSg'
\ No newline at end of file
+-> ssh-ed25519 IFuY+w EOJQpXxn+NL/BJjpdo8mIGfOYxcMElkVIiGx7KftrQ4
+OcglvGhSgb1mxH8M19ZMf3m6lSF0clzH7Mjikf7cilM
+-> ssh-ed25519 GKhvwg cr+0J59wCjYBONBcDulN8lpvZiCvULHqnwDu+eKQRAo
+9q87PSfr4kq8lCDrw5Od3D1xJjSSmVv2/TXBWEBtBpU
+--- FmVR9tb8wjYFb/FBTrblXMCUAMw5KQ7sX8WojcxCrbk
+C<\}Jf|6G@WXc-"ϐAGZ'x_Ԡz,@n"3[?
Lb@e
\ No newline at end of file
diff --git a/secrets/youko-niko-pass.age b/secrets/youko-niko-pass.age
new file mode 100644
index 0000000..4c85947
--- /dev/null
+++ b/secrets/youko-niko-pass.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 rA7dkQ etmPKjKz102knTx/qQAihC9bFvRENB0Q1DtnaQyjfm4
+GPt9OCIwT+/Q/UUDtkHB8d7T6znHy1y1NEUeI+SCeMg
+-> ssh-ed25519 GKhvwg qdCxGyXrdD+WQa/il8fIlV7OKdREqd40Qk0PKITHxlk
+OBJ9gg+KBHi2s1HYLazy3K+yh8tvnUvmuH+riWU7K8c
+--- V3FRy0/TcUdUaBDUK+93r5rH26Is/KVuNJC+1vFMsOI
+wO.➌aA&ޝz [oXĂu,ajxGƜu/eL̛/6S[SU
\ No newline at end of file
diff --git a/secrets/zitadel-master.age b/secrets/zitadel-master.age
index 68a374a..6dbbbf4 100644
Binary files a/secrets/zitadel-master.age and b/secrets/zitadel-master.age differ
diff --git a/services/default.nix b/services/default.nix
index d588ede..6da3b28 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -1,5 +1,8 @@
{
imports = [
./attic.nix
+ ./forgejo-runner.nix
+ ./kanidm.nix
+ ./forgejo.nix
];
}
diff --git a/services/forgejo-runner.nix b/services/forgejo-runner.nix
new file mode 100644
index 0000000..693d1d1
--- /dev/null
+++ b/services/forgejo-runner.nix
@@ -0,0 +1,49 @@
+{
+ services.forgejo-runner = {
+ hosts = [
+ "ude"
+ "youko"
+ ];
+ config =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ {
+ age.secrets.forgejo-runner-token.file = ../secrets/forgejo-token.age;
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = config.networking.hostName;
+ url = "https://git.rab.lol";
+ tokenFile = config.age.secrets.forgejo-runner-token.path;
+ settings = {
+ container.network = "bridge";
+ };
+ hostPackages = lib.mkOptionDefault [
+ pkgs.nix
+ ];
+ labels = [
+ "ubuntu-latest:docker://node:16-bullseye"
+ "ubuntu-22.04:docker://node:16-bullseye"
+ "ubuntu-20.04:docker://node:16-bullseye"
+ "ubuntu-18.04:docker://node:16-buster"
+ "native:host"
+ "native-${pkgs.system}:host"
+ ];
+ };
+ };
+
+ virtualisation.podman = {
+ enable = true;
+ defaultNetwork.settings.dns_enabled = true;
+ };
+
+ networking.firewall.trustedInterfaces = [ "podman+" ];
+ };
+ };
+}
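Review bot: The `native:host` and `native-${pkgs.system}:host` labels run job steps directly on ude and youko as the runner service user, and the workflow added in this commit selects `runs-on: native`, so anything that can trigger a `push`/`pull_request` workflow becomes code execution on those hosts; with registration open to external OAuth users in services/forgejo.nix from the same commit, it is worth confirming which repositories and contributors may target the host label. `networking.firewall.trustedInterfaces = [ "podman+" ];` additionally lets every container job reach all host-bound services unfiltered, and a comment on why that is needed would help, e.g. `# trusted so containers can reach the host resolver; note they also reach every other host-bound port`. The docker labels reference `node:16-*` images, which are end-of-life and not pinned by digest, so consider tightening those the next time the runner is touched.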
diff --git a/services/forgejo.nix b/services/forgejo.nix
new file mode 100644
index 0000000..2f69a55
--- /dev/null
+++ b/services/forgejo.nix
@@ -0,0 +1,69 @@
+{
+ services.forgejo = {
+ host = "kazuki";
+ ports = [ 3000 ];
+ config =
+ { config, ... }:
+ {
+ age.secrets.rab-lol-cf = {
+ file = ../secrets/rab-lol-cf.age;
+ owner = config.services.nginx.user;
+ };
+
+ services.forgejo = {
+ enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.rab.lol";
+ ROOT_URL = "https://git.rab.lol/";
+ };
+ oauth2_client = {
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_AUTO_REGISTRATION = true;
+ ACCOUNT_LINKING = "auto";
+ UPDATE_AVATAR = true;
+ };
+ service = {
+ DISABLE_REGISTRATION = false;
+ ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ };
+ federation.ENABLED = true;
+ };
+ repositoryRoot = "/storage-box/forgejo/repos";
+ lfs = {
+ enable = true;
+ contentDir = "/storage-box/forgejo/lfs";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."git.rab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ extraConfig = ''
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ '';
+ };
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ security.acme.acceptTerms = true;
+ security.acme.certs."git.rab.lol" = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.rab-lol-cf.path;
+ email = "nikodem@rabulinski.com";
+ };
+ };
+ };
+}
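Review bot: `owner = config.services.nginx.user;` on the Cloudflare token secret lets any nginx worker read the DNS API credential, although nothing in nginx consumes it — its consumer is `security.acme.certs."git.rab.lol".credentialsFile`, which the ACME service presumably reads on its own (confirm) — so the secret is better left at its default owner or given to the ACME service's user; the same pattern appears for rabulinski-com-cf in services/kanidm.nix. Separately, `ACCOUNT_LINKING = "auto"` together with `ENABLE_AUTO_REGISTRATION = true` and `REGISTER_EMAIL_CONFIRM = false` attaches an OAuth login to an existing local account on an email match alone, so every account's security depends on each configured OAuth source issuing only verified email claims; record that assumption inline, e.g. `# auto-linking on email assumes every OAuth source issues verified email claims`. `federation.ENABLED = true;` also enables a feature Forgejo still marks experimental on an internet-facing instance; confirm that is intended.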
diff --git a/services/kanidm.nix b/services/kanidm.nix
new file mode 100644
index 0000000..b288e14
--- /dev/null
+++ b/services/kanidm.nix
@@ -0,0 +1,85 @@
+{
+ services.kanidm =
+ let
+ port = 8443;
+ domain = "auth.rabulinski.com";
+ in
+ {
+ host = "kazuki";
+ ports = [ port ];
+ config =
+ { config, pkgs, ... }:
+ let
+ cert = config.security.acme.certs.${domain};
+ in
+ {
+ age.secrets.rabulinski-com-cf = {
+ file = ../secrets/rabulinski-com-cf.age;
+ owner = config.services.nginx.user;
+ };
+ age.secrets.kanidm-admin-pass = {
+ file = ../secrets/kanidm-admin-pass.age;
+ owner = "kanidm";
+ };
+ age.secrets.kanidm-idm-admin-pass = {
+ file = ../secrets/kanidm-idm-admin-pass.age;
+ owner = "kanidm";
+ };
+
+ services.kanidm = {
+ enableServer = true;
+ package = pkgs.kanidmWithSecretProvisioning;
+ serverSettings = {
+ bindaddress = "127.0.0.1:${toString port}";
+ inherit domain;
+ origin = "https://${domain}";
+ trust_x_forward_for = true;
+ tls_chain = "${cert.directory}/fullchain.pem";
+ tls_key = "${cert.directory}/key.pem";
+ };
+ provision = {
+ enable = true;
+ idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-pass.path;
+ adminPasswordFile = config.age.secrets.kanidm-admin-pass.path;
+ };
+ };
+
+ systemd.services.kanidm.serviceConfig = {
+ SupplementaryGroups = [ cert.group ];
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."auth.rabulinski.com" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "https://localhost:${toString port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_ssl_verify off;
+ proxy_ssl_name ${domain};
+ '';
+ };
+ };
+ };
+
+ security.acme.certs.${domain} = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.rabulinski-com-cf.path;
+ reloadServices = [ "kanidm" ];
+ };
+ };
+ };
+}
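Review bot: `proxy_ssl_verify off;` disables certificate checking on the nginx-to-kanidm hop; that is defensible only because `bindaddress` pins kanidm to 127.0.0.1, and the reason belongs next to the directive, e.g. `# upstream is loopback-only (see bindaddress); no network path exists for an on-path attacker, so chain verification is skipped`. `trust_x_forward_for = true;` likewise means any local process that connects to 127.0.0.1:8443 directly can present an arbitrary client address to kanidm's logging and rate limiting, since only traffic through nginx carries an honest header; acceptable on a single-purpose host, but worth a one-line comment. Note also that `users.users.nginx.extraGroups = [ "acme" ];` lets nginx read the private keys of every certificate on the host, not only this one.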