From 6fe7504460c6bd50e2f422ba3da118c7dbb7c3da Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 20 Dec 2024 18:03:12 +0800 Subject: [PATCH 01/60] ci: eval deploy --- .github/workflows/eval.yaml | 51 +++++++++++++++++++++++++++++++++++++ flake.lock | 4 +-- flake.nix | 18 ++++++++----- 3 files changed, 65 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/eval.yaml
diff --git a/.github/workflows/eval.yaml b/.github/workflows/eval.yaml
new file mode 100644
index 0000000..528dd53
--- /dev/null
+++ b/.github/workflows/eval.yaml
@@ -0,0 +1,51 @@
+name: Eval NixOS Configurations
+
+on:
+ push:
+ branches:
+ - deploy
+ workflow_dispatch:
+
+permissions:
+ contents: write
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ ref: deploy
+
+ - name: Install Nix
+ uses: cachix/install-nix-action@v25
+
+ - name: Configure Git
+ run: |
+ git config --global user.name "GitHub Actions Bot"
+ git config --global user.email "actions@github.com"
+
+ - name: Process Configurations
+ run: |
+ git checkout -b deploy-comin-eval
+ mkdir -p eval
+ hosts=$(nix flake show --json | jq -r '.nixosConfigurations | keys[]')
+ echo "Found hosts: $hosts"
+
+ for host in $hosts; do
+ echo "Eval derivation for $host"
+ if ! nix show-derivation -L ".#nixosConfigurations.$host.config.system.build.toplevel" > "eval/$host.json"; then
+ echo "❌ Failed to evaluate $host"
+ else
+ echo "✅ Successfully evaluated $host"
+ fi
+ done
+
+ echo "Total hosts: $(echo "$hosts" | wc -w)"
+ echo "Failed hosts: $failed_hosts"
+
+ git add eval/
+ git commit -m "Update deployment configurations for all hosts"
+
+ git push origin deploy-comin-eval
diff --git a/flake.lock b/flake.lock
index f46f16e..8b8ea79 100644
--- a/flake.lock
+++ b/flake.lock
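Review bot: Both `uses:` entries in the new workflow reference a mutable tag (`actions/checkout@v4`, `cachix/install-nix-action@v25`) while the job holds `permissions: contents: write`, so whatever those tags resolve to at run time executes with a token that can push to this repository. Pinning each action to a full commit SHA, for example `uses: cachix/install-nix-action@<full-commit-sha> # v25` (placeholder, the SHA is not on this page), keeps the write token behind code that has been reviewed. The same two lines recur in the [PATCH 02/60] revision of this file.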
@@ -382,11 +382,11 @@ "rev": "a3709a89797ea094f82d38edeb4a538c07c8c3fa", "revCount": 20, "type": "git", - "url": "https://git.xinyang.life/xin/nixvim" + "url": "https://git.xiny.li/xin/nixvim" }, "original": { "type": "git", - "url": "https://git.xinyang.life/xin/nixvim" + "url": "https://git.xiny.li/xin/nixvim" } }, "nix-darwin": { diff --git a/flake.nix b/flake.nix index d01cdba..4da0466 100644 --- a/flake.nix +++ b/flake.nix @@ -43,7 +43,7 @@ }; my-nixvim = { - url = "git+https://git.xinyang.life/xin/nixvim"; + url = "git+https://git.xiny.li/xin/nixvim"; inputs.nixpkgs.follows = "nixpkgs"; }; @@ -286,16 +286,22 @@ { imports = nodeNixosModules.biotite ++ sharedColmenaModules; }; + + osmium = + { ... }: + { + deployment = { + targetHost = "osmium.coho-tet.ts.net"; + buildOnTarget = false; + }; + imports = nodeNixosModules.osmium ++ sharedColmenaModules; + }; }; nixosConfigurations = { calcite = mkNixos { hostname = "calcite"; }; - - osmium = mkNixos { - hostname = "osmium"; - }; } // self.colmenaHive.nodes; } @@ -305,7 +311,7 @@ pkgs = nixpkgs.legacyPackages.${system}; mkHomeConfiguration = user: host: { - name = user; + name = "${user}-${host}"; value = home-manager.lib.homeManagerConfiguration { inherit pkgs; modules = [ From 9b9d923a2537b9e53e68adaeaec94cc4ae8d784a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 20 Dec 2024 18:03:12 +0800 Subject: [PATCH 02/60] ci: eval deploy --- .github/workflows/eval.yaml | 53 +++++++++++++++++++++++++++++++++++++ flake.lock | 4 +-- flake.nix | 18 ++++++++----- 3 files changed, 67 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/eval.yaml diff --git a/.github/workflows/eval.yaml b/.github/workflows/eval.yaml new file mode 100644 index 0000000..90a9897 --- /dev/null +++ b/.github/workflows/eval.yaml 
@@ -0,0 +1,53 @@ +name: Eval NixOS Configurations + +on: + push: + branches: + - deploy + workflow_dispatch: + +permissions: + contents: write + +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + ref: deploy + + - name: Install Nix + uses: cachix/install-nix-action@v25 + + - name: Configure Git + run: | + git config --global user.name "GitHub Actions Bot" + git config --global user.email "actions@github.com" + + - name: Process Configurations + run: | + git checkout -b deploy-comin-eval + mkdir -p eval + hosts=$(nix flake show --json | jq -r '.nixosConfigurations | keys[]') + echo "Found hosts: $hosts" + + failed_hosts="" + for host in $hosts; do + echo "Eval derivation for $host" + if ! nix show-derivation -L ".#nixosConfigurations.$host.config.system.build.toplevel" > "eval/$host.json"; then + echo "❌ Failed to evaluate $host" + failed_hosts+="$host " + rm "eval/$host.json" + else + echo "✅ Successfully evaluated $host" + fi + done + + echo "Failed hosts: $failed_hosts" + + git add eval/ + git commit -m "Update deployment configurations for all hosts" + + git push origin deploy-comin-eval diff --git a/flake.lock b/flake.lock index f46f16e..8b8ea79 100644 --- a/flake.lock +++ b/flake.lock @@ -382,11 +382,11 @@ "rev": "a3709a89797ea094f82d38edeb4a538c07c8c3fa", "revCount": 20, "type": "git", - "url": "https://git.xinyang.life/xin/nixvim" + "url": "https://git.xiny.li/xin/nixvim" }, "original": { "type": "git", - "url": "https://git.xinyang.life/xin/nixvim" + "url": "https://git.xiny.li/xin/nixvim" } }, "nix-darwin": { diff --git a/flake.nix b/flake.nix index d01cdba..4da0466 100644 --- a/flake.nix +++ b/flake.nix @@ -43,7 +43,7 @@ }; my-nixvim = { - url = "git+https://git.xinyang.life/xin/nixvim"; + url = "git+https://git.xiny.li/xin/nixvim"; inputs.nixpkgs.follows = "nixpkgs"; }; 
@@ -286,16 +286,22 @@ { imports = nodeNixosModules.biotite ++ sharedColmenaModules; }; + + osmium = + { ... }: + { + deployment = { + targetHost = "osmium.coho-tet.ts.net"; + buildOnTarget = false; + }; + imports = nodeNixosModules.osmium ++ sharedColmenaModules; + }; }; nixosConfigurations = { calcite = mkNixos { hostname = "calcite"; }; - - osmium = mkNixos { - hostname = "osmium"; - }; } // self.colmenaHive.nodes; } @@ -305,7 +311,7 @@ pkgs = nixpkgs.legacyPackages.${system}; mkHomeConfiguration = user: host: { - name = user; + name = "${user}-${host}"; value = home-manager.lib.homeManagerConfiguration { inherit pkgs; modules = [ From 2b2aa11c52f0765de7f30ff30df8a3558727992b Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 20 Dec 2024 19:36:28 +0800 Subject: [PATCH 03/60] calcite: test comin --- flake.lock | 21 +++++++++++++++++++++ flake.nix | 7 +++++++ machines/calcite/configuration.nix | 14 +++++++++++++- 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/flake.lock b/flake.lock index 8b8ea79..4713bdb 100644 --- a/flake.lock +++ b/flake.lock @@ -39,6 +39,26 @@ "type": "github" } }, + "comin": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1734693645, + "narHash": "sha256-Vw3YpuQxwBse5JiTGBH5MSPmqXOXFI4ROs7IF3tRc7k=", + "owner": "xinyangli", + "repo": "comin", + "rev": "c8a66bbd129e88ad916cac59f1ad9f45d39b3190", + "type": "github" + }, + "original": { + "owner": "xinyangli", + "repo": "comin", + "type": "github" + } + }, "devshell": { "inputs": { "nixpkgs": [ @@ -642,6 +662,7 @@ "inputs": { "catppuccin": "catppuccin", "colmena": "colmena", + "comin": "comin", "disko": "disko", "flake-utils": "flake-utils_2", "home-manager": "home-manager", diff --git a/flake.nix b/flake.nix index 4da0466..becf4ba 100644 --- a/flake.nix +++ b/flake.nix 
@@ -55,6 +55,11 @@ url = "github:nix-community/disko"; inputs.nixpkgs.follows = "nixpkgs"; }; + + comin = { + url = "github:xinyangli/comin"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = @@ -72,6 +77,7 @@ colmena, nix-index-database, disko, + comin, ... }: let @@ -114,6 +120,7 @@ catppuccin.nixosModules.catppuccin machines/calcite/configuration.nix (mkHome "xin" "calcite") + comin.nixosModules.comin ]; hk-00 = [ ./machines/dolomite/claw.nix diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index c5afb73..c8e4e4a 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -15,6 +15,18 @@ in ../sops.nix ]; + services.comin = { + enable = true; + remotes = [ + { + name = "origin"; + url = "https://github.com/xinyangli/nixos-config.git"; + branches.main.name = "deploy-comin-eval"; + } + ]; + hostname = config.networking.hostName; + }; + commonSettings = { # auth.enable = true; nix = { @@ -176,7 +188,7 @@ in ]; settings = { main = { - capslock = "overload(control, esc)"; + leftcontrol = "overload(control, esc)"; }; }; }; From 872849c87567adab55573b514bc5f23f4d0611a6 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 20 Dec 2024 20:33:35 +0800 Subject: [PATCH 04/60] calcite: drop flatpak --- home/xin/calcite.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index d90cc4d..c834d39 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -108,10 +108,12 @@ in xdg.systemDirs.data = [ "/usr/share" - "/var/lib/flatpak/exports/share" - "${homeDirectory}/.local/share/flatpak/exports/share" ]; + xdg.configFile."distrobox/distrobox.conf".text = '' + container_additional_volumes="/nix/store:/nix/store:ro /etc/profiles/per-user:/etc/profiles/per-user:ro" + ''; + programs.man.generateCaches = false; programs.atuin = { From ade0694d14775369e1c2c1f0aa93d90ce7203fc6 Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Sat, 21 Dec 2024 20:51:56 +0800 Subject: [PATCH 05/60] modules/comin: init --- .github/workflows/eval.yaml | 2 +- modules/nixos/common-settings/comin.nix | 32 +++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 modules/nixos/common-settings/comin.nix diff --git a/.github/workflows/eval.yaml b/.github/workflows/eval.yaml index 90a9897..1997213 100644 --- a/.github/workflows/eval.yaml +++ b/.github/workflows/eval.yaml @@ -36,7 +36,7 @@ jobs: failed_hosts="" for host in $hosts; do echo "Eval derivation for $host" - if ! nix show-derivation -L ".#nixosConfigurations.$host.config.system.build.toplevel" > "eval/$host.json"; then + if ! nix derivation show ".#nixosConfigurations.$host.config.system.build.toplevel" > "eval/$host.json"; then echo "❌ Failed to evaluate $host" failed_hosts+="$host " rm "eval/$host.json" diff --git a/modules/nixos/common-settings/comin.nix b/modules/nixos/common-settings/comin.nix new file mode 100644 index 0000000..3d543f2 --- /dev/null +++ b/modules/nixos/common-settings/comin.nix @@ -0,0 +1,32 @@ +{ + config, + lib, + ... +}: +let + inherit (lib) + mkEnableOption + mkIf + ; + + cfg = config.commonSettings.comin; +in +{ + options.commonSettings.comin = { + enable = mkEnableOption "auto updater with comin"; + }; + + config = { + services.comin = mkIf cfg.enable { + enable = true; + remotes = [ + { + name = "origin"; + url = "https://github.com/xinyangli/nixos-config.git"; + branches.main.name = "deploy-comin-eval"; + } + ]; + hostname = config.networking.hostName; + }; + }; +} From 49520149ab8f3c2862e78e64f9f849232c5f5b1e Mon Sep 17 00:00:00 2001 
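Review bot: The new `modules/nixos/common-settings/comin.nix` does not document the trust boundary it creates: a host that sets `commonSettings.comin.enable` is configured to follow the tip of `deploy-comin-eval` on the GitHub remote, and that branch is written by the CI job that holds `contents: write`. Write access to the branch or to the workflow is therefore, in effect, the ability to change the system configuration of every enrolled machine. A header comment such as `# Hosts enabling this pull and activate the named branch unattended; treat write access to that branch as root on the host.` would record this. Branch protection on the tracked branch, or commit-signature verification if the comin version in use offers it, would narrow the exposure.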
From: xinyangli Date: Sat, 21 Dec 2024 20:52:27 +0800 Subject: [PATCH 06/60] calcite,weilite: use comin to auto update --- .github/workflows/eval.yaml | 6 ++---- flake.nix | 2 +- machines/calcite/configuration.nix | 13 +----------- machines/weilite/default.nix | 29 ++++++++++++++++++++++---- machines/weilite/services/default.nix | 1 + machines/weilite/services/jellyfin.nix | 15 +++++++++++++ modules/nixos/default.nix | 1 + 7 files changed, 46 insertions(+), 21 deletions(-) create mode 100644 machines/weilite/services/jellyfin.nix diff --git a/.github/workflows/eval.yaml b/.github/workflows/eval.yaml index 1997213..494704f 100644 --- a/.github/workflows/eval.yaml +++ b/.github/workflows/eval.yaml @@ -1,10 +1,8 @@ name: Eval NixOS Configurations on: - push: - branches: - - deploy - workflow_dispatch: + check_suite: + types: [completed] permissions: contents: write diff --git a/flake.nix b/flake.nix index becf4ba..a1362f8 100644 --- a/flake.nix +++ b/flake.nix @@ -113,6 +113,7 @@ sharedNixosModules = [ self.nixosModules.default sops-nix.nixosModules.sops + comin.nixosModules.comin ]; nodeNixosModules = { calcite = [ @@ -120,7 +121,6 @@ catppuccin.nixosModules.catppuccin machines/calcite/configuration.nix (mkHome "xin" "calcite") - comin.nixosModules.comin ]; hk-00 = [ ./machines/dolomite/claw.nix diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index c8e4e4a..a3c84c4 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -15,23 +15,12 @@ in ../sops.nix ]; - services.comin = { - enable = true; - remotes = [ - { - name = "origin"; - url = "https://github.com/xinyangli/nixos-config.git"; - branches.main.name = "deploy-comin-eval"; - } - ]; - hostname = config.networking.hostName; - }; - commonSettings = { # auth.enable = true; nix = { signing.enable = true; }; + comin.enable = true; }; # Bootloader. 
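Review bot: The new `check_suite: types: [completed]` trigger in `.github/workflows/eval.yaml` fires for every completed suite regardless of its outcome or branch, and nothing visible in the workflow inspects the event, so a failed or unrelated suite still leads to the checkout of `deploy` and the pushes that follow. Gate the job on the payload, for example `if: github.event.check_suite.conclusion == 'success' && github.event.check_suite.head_branch == 'deploy'`. The `jobs:` block lies outside this hunk, so the condition would be added on the `deploy` job there.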
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 9d8cd04..bae1b92 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -19,6 +19,7 @@ nix = { enable = true; }; + comin.enable = true; }; boot = { @@ -38,7 +39,10 @@ nixpkgs.config.allowUnfree = true; - environment.systemPackages = [ pkgs.virtiofsd ]; + environment.systemPackages = [ + pkgs.virtiofsd + pkgs.intel-gpu-tools + ]; sops = { defaultSopsFile = ./secrets.yaml; @@ -94,15 +98,32 @@ options = "rw,nodev,nosuid"; wantedBy = [ "restic-rest-server.service" ]; } + # { + # what = "ocis"; + # where = "/var/lib/ocis"; + # type = "virtiofs"; + # options = "rw,nodev,nosuid"; + # wantedBy = [ "ocis.service" ]; + # } { - what = "ocis"; - where = "/var/lib/ocis"; + what = "media"; + where = "/var/lib/jellyfin/media"; type = "virtiofs"; options = "rw,nodev,nosuid"; - wantedBy = [ "ocis.service" ]; } ]; + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + intel-media-driver + intel-vaapi-driver + vaapiVdpau + intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in) + intel-media-sdk # QSV up to 11th gen + ]; + }; + services.openssh.ports = [ 22 2222 diff --git a/machines/weilite/services/default.nix b/machines/weilite/services/default.nix index 0a6e4ca..5a5cc25 100644 --- a/machines/weilite/services/default.nix +++ b/machines/weilite/services/default.nix @@ -4,5 +4,6 @@ ./restic.nix ./media-download.nix ./immich.nix + ./jellyfin.nix ]; } diff --git a/machines/weilite/services/jellyfin.nix b/machines/weilite/services/jellyfin.nix new file mode 100644 index 0000000..d321de5 --- /dev/null +++ b/machines/weilite/services/jellyfin.nix 
@@ -0,0 +1,15 @@ +{ config, pkgs, ... }: +{ + services.jellyfin.enable = true; + + environment.systemPackages = with pkgs; [ + jellyfin + jellyfin-web + jellyfin-ffmpeg + ]; + services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:8920".extraConfig = '' + reverse_proxy 127.0.0.1:8096 + ''; + networking.firewall.allowedTCPPorts = [ 8920 ]; # allow on lan + users.users.jellyfin.extraGroups = [ "render" ]; +} diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index d2f210d..33929ce 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -2,6 +2,7 @@ imports = [ ./common-settings/auth.nix ./common-settings/autoupgrade.nix + ./common-settings/comin.nix ./common-settings/nix-conf.nix ./common-settings/proxy-server.nix ./common-settings/mainland.nix From cc9d6c362d67dc79c7c92fd17e351d22640787c0 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 21 Dec 2024 21:13:25 +0800 Subject: [PATCH 07/60] ci: use garnix cache in ci --- .github/workflows/eval.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/eval.yaml b/.github/workflows/eval.yaml index 494704f..63c71ec 100644 --- a/.github/workflows/eval.yaml +++ b/.github/workflows/eval.yaml @@ -18,6 +18,10 @@ jobs: - name: Install Nix uses: cachix/install-nix-action@v25 + with: + extra_nix_conf: | + extra-trusted-public-keys = cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= + extra-substituters = https://cache.garnix.io - name: Configure Git run: | From 3059bdce30bb4bdf78abd419227a24019f37881b Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 21 Dec 2024 21:18:33 +0800 Subject: [PATCH 08/60] home: cleanup profiles --- home/default.nix | 1 + home/xin/raspite/default.nix | 25 ------------------------- 2 files changed, 1 insertion(+), 25 deletions(-) delete mode 100644 home/xin/raspite/default.nix diff --git a/home/default.nix b/home/default.nix index ddd31bf..ea2911a 100644 --- a/home/default.nix +++ b/home/default.nix 
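Review bot: In the new `jellyfin.nix`, `networking.firewall.allowedTCPPorts = [ 8920 ];` opens the port on every interface, which is wider than the `# allow on lan` comment and the tailnet host name in the Caddy virtual host suggest. Scoping the rule to the intended interface, for example `networking.firewall.interfaces."<lan-iface>".allowedTCPPorts = [ 8920 ];`, keeps the reverse proxy off any other network the machine is attached to. `<lan-iface>` is a placeholder, since the interface name is not visible in this patch.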
@@ -1,5 +1,6 @@ { xin = { calcite = import ./xin/calcite.nix; + gold = import ./xin/gold; }; } diff --git a/home/xin/raspite/default.nix b/home/xin/raspite/default.nix deleted file mode 100644 index 888383c..0000000 --- a/home/xin/raspite/default.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config, pkgs, ... }: -{ - imports = [ ../common ]; - - home.username = "xin"; - home.homeDirectory = "/home/xin"; - home.stateVersion = "23.05"; - - # Let Home Manager install and manage itself. - programs.home-manager.enable = true; - - accounts.email.accounts.gmail = { - primary = true; - address = "lixinyang411@gmail.com"; - flavor = "gmail.com"; - }; - - accounts.email.accounts.whu = { - address = "lixinyang411@whu.edu.cn"; - }; - - accounts.email.accounts.foxmail = { - address = "lixinyang411@foxmail.com"; - }; -} From c3934c2b56022e8d99a21c1f859c988198babce1 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 21 Dec 2024 21:19:53 +0800 Subject: [PATCH 09/60] hm/waybar: fix missing icon and remove unused tray icon --- modules/home-manager/gui/themes.nix | 4 ++++ modules/home-manager/gui/waybar.nix | 18 ------------------ 2 files changed, 4 insertions(+), 18 deletions(-) diff --git a/modules/home-manager/gui/themes.nix b/modules/home-manager/gui/themes.nix index ad0de1c..6278692 100644 --- a/modules/home-manager/gui/themes.nix +++ b/modules/home-manager/gui/themes.nix @@ -13,6 +13,10 @@ name = "Catppuccin-GTK-Dark"; package = pkgs.magnetic-catppuccin-gtk; }; + iconTheme = { + name = "Qogir"; + package = pkgs.qogir-icon-theme; + }; gtk2.configLocation = "${config.xdg.configHome}/gtk-2.0/gtkrc"; }; }; diff --git a/modules/home-manager/gui/waybar.nix b/modules/home-manager/gui/waybar.nix index 3890a00..66b9ecb 100644 --- a/modules/home-manager/gui/waybar.nix +++ b/modules/home-manager/gui/waybar.nix @@ -44,8 +44,6 @@ in modules-right = [ "network#speed" "custom/separator" - "network#if" - "custom/separator" "pulseaudio" "custom/separator" "memory" 
@@ -121,22 +119,6 @@ in format = " {percentage}%"; }; - "network#if" = { - format = "{ifname}"; - format-disconnected = "󰌙"; - format-ethernet = "󰌘"; - format-linked = "{ifname} (No IP) 󰈁"; - format-wifi = "{icon}"; - format-icons = [ - "󰤯" - "󰤟" - "󰤢" - "󰤥" - "󰤨" - ]; - interval = 10; - }; - "network#speed" = { format = "{ifname}"; format-disconnected = "󰌙"; From 133e70967fcff465535442585e3ad664f4beb21a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 21 Dec 2024 21:34:44 +0800 Subject: [PATCH 10/60] ci: point branch 'deploy-comin' to successful evaluations --- .github/workflows/eval.yaml | 4 ++++ modules/nixos/common-settings/comin.nix | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/eval.yaml b/.github/workflows/eval.yaml index 63c71ec..1e2d0bd 100644 --- a/.github/workflows/eval.yaml +++ b/.github/workflows/eval.yaml @@ -53,3 +53,7 @@ jobs: git commit -m "Update deployment configurations for all hosts" git push origin deploy-comin-eval + + # After success, reset deploy-comin to new deploy + git checkout -b deploy-comin + git reset --hard deploy diff --git a/modules/nixos/common-settings/comin.nix b/modules/nixos/common-settings/comin.nix index 3d543f2..70a23ee 100644 --- a/modules/nixos/common-settings/comin.nix +++ b/modules/nixos/common-settings/comin.nix @@ -23,7 +23,7 @@ in { name = "origin"; url = "https://github.com/xinyangli/nixos-config.git"; - branches.main.name = "deploy-comin-eval"; + branches.main.name = "deploy-comin"; } ]; hostname = config.networking.hostName; From 5220cceda806929ae5e9fd274ef18e16c61e6f38 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 21 Dec 2024 21:39:25 +0800 Subject: [PATCH 11/60] ci: fix recursive job trigger --- .github/workflows/eval.yaml | 3 ++- garnix.yaml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/eval.yaml b/.github/workflows/eval.yaml index 1e2d0bd..1bc00bd 100644 --- a/.github/workflows/eval.yaml +++ b/.github/workflows/eval.yaml 
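Review bot: The block added under `# After success, reset deploy-comin to new deploy` in `eval.yaml` runs unconditionally. The evaluation loop earlier in this step (outside the hunk) only appends to `failed_hosts` and continues, so `deploy-comin`, which the `comin.nix` hunk of this same commit makes the branch hosts follow, is moved to `deploy` even when some hosts failed to evaluate. If the comment states the intent, add a guard before the reset, for example `[ -z "$failed_hosts" ] || exit 1`. The `git push -f origin deploy-comin` added in [PATCH 11/60] is what publishes the branch and belongs behind the same guard.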
@@ -52,8 +52,9 @@ jobs: git add eval/ git commit -m "Update deployment configurations for all hosts" - git push origin deploy-comin-eval + git push -f origin deploy-comin-eval # After success, reset deploy-comin to new deploy git checkout -b deploy-comin git reset --hard deploy + git push -f origin deploy-comin diff --git a/garnix.yaml b/garnix.yaml index 38563a7..0fc1635 100644 --- a/garnix.yaml +++ b/garnix.yaml @@ -7,4 +7,4 @@ builds: - homeConfigurations.aarch64-linux.* - darwinConfigurations.* - nixosConfigurations.* - + branch: deploy From 8a9e317c14e738acf19d9b7a90abbff516866ddc Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 21 Dec 2024 21:50:05 +0800 Subject: [PATCH 12/60] thorite,dolomite: enable comin --- machines/dolomite/common.nix | 1 + machines/thorite/default.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/machines/dolomite/common.nix b/machines/dolomite/common.nix index 65b10c7..0b80ae4 100644 --- a/machines/dolomite/common.nix +++ b/machines/dolomite/common.nix @@ -37,6 +37,7 @@ commonSettings = { auth.enable = true; + comin.enable = true; proxyServer = { enable = true; users = [ diff --git a/machines/thorite/default.nix b/machines/thorite/default.nix index f2de662..2ea7cf4 100644 --- a/machines/thorite/default.nix +++ b/machines/thorite/default.nix @@ -37,6 +37,7 @@ commonSettings = { auth.enable = true; + comin.enable = true; }; nixpkgs.system = "x86_64-linux"; From 7017421f6afaeb2b2f56bf2e2abeb940dd31db74 Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Sat, 21 Dec 2024 22:37:32 +0800 Subject: [PATCH 13/60] flake.lock: update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'catppuccin': 'github:catppuccin/nix/a817009ebfd2cca7f70a77884e5098d0a8c83f8e?narHash=sha256-uX/9m0TbdhEzuWA0muM5mI/AaWcLiDLjCCyu5Qr9MRk%3D' (20 24-11-30) → 'github:catppuccin/nix/1e4c3803b8da874ff75224ec8512cb173036bbd8?narHash=sha256-CFX4diEQHKvZYjnhf7TLg20m3ge1O4vqgplsk/Kuaek%3D' (20 24-12-20) • Updated input 'disko': 'github:nix-community/disko/785c1e02c7e465375df971949b8dcbde9ec362e5?narHash=sha256-8dupm9GfK%2BBowGdQd7EHK5V61nneLfr9xR6sc5vtDi0% 3D' (2024-12-02) → 'github:nix-community/disko/2ee76c861af3b895b3b104bae04777b61397485b?narHash=sha256-hk0roBX10j/hospoWIJIJj3i2skd7Oml6yKQBx7mTFk%3D ' (2024-12-20) • Updated input 'home-manager': 'github:nix-community/home-manager/9ebaa80a227eaca9c87c53ed515ade013bc2bca9?narHash=sha256-3JKzIou54yjiMVmvgdJwopekEvZxX3JDT8DpKZs 4oXY%3D' (2024-12-09) → 'github:nix-community/home-manager/1395379a7a36e40f2a76e7b9936cc52950baa1be?narHash=sha256-OOfI0XhSJGHblfdNDhfnn8QnZxng63rWk9eeJ2t CbiI%3D' (2024-12-19) • Updated input 'my-nixvim': 'git+https://git.xiny.li/xin/nixvim?ref=refs/heads/master&rev=a3709a89797ea094f82d38edeb4a538c07c8c3fa' (2024-11-30) → 'git+https://git.xiny.li/xin/nixvim?ref=refs/heads/master&rev=fdf7775c738e2eb6bb8cb707d35a900bc47cd53e' (2024-12-21) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/f1e477a7dd11e27e7f98b646349cd66bbabf2fb8?narHash=sha256-U0vivjQFAwjNDYt49Krevs1murX9hKBFe2Ye0cHpg bU%3D' (2024-12-08) → 'github:Mic92/nix-index-database/311d6cf3ad3f56cb051ffab1f480b2909b3f754d?narHash=sha256-icEMqBt4HtGH52PU5FHidgBrNJvOfXH6VQKNtnD1a w8%3D' (2024-12-15) • Updated input 'nix-vscode-extensions': 'github:nix-community/nix-vscode-extensions/66ced222ef9235f90dbdd754ede3d6476722aaa9?narHash=sha256-K595Q2PrZv2iiumdBkwM2G456T2lKs LD71bn/fbJiQ0%3D' (2024-12-10) → 
'github:nix-community/nix-vscode-extensions/113779a6601d5b5c8ef7c5b5c4ab3f377fd3e2c3?narHash=sha256-rTGDkcbzfcTL7jE4TtxhNQtDssD1QY 8yLo8ApAv3XRs%3D' (2024-12-21) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/e563803af3526852b6b1d77107a81908c66a9fcf?narHash=sha256-IS3bxa4N1VMSh3/P6vhEAHQZecQ3oAlKCDvzCQSO5Is%3 D' (2024-12-06) → 'github:NixOS/nixos-hardware/b12e314726a4226298fe82776b4baeaa7bcf3dcd?narHash=sha256-mfv%2BJ/vO4nqmIOlq8Y1rRW8hVsGH3M%2BI2ESMjhueb Ds%3D' (2024-12-16) • Updated input 'nixpkgs': 'github:xinyangli/nixpkgs/61b1078fca3a097ce06ada68a6f2766347eed02c?narHash=sha256-AQdCeGt3dMV9/cchlWGMcP0Z8qM47V%2BB0p7cSRr%2BHhA% 3D' (2024-12-10) → 'github:xinyangli/nixpkgs/540fcd82c3de04893afaa30051de48871cc428b4?narHash=sha256-//RKBYxuo0PwIlijrnOr57yNpnp6g1opt3zb3xIS30M%3D' (2024-12-21) • Updated input 'nixpkgs-stable': 'github:nixos/nixpkgs/7109b680d161993918b0a126f38bc39763e5a709?narHash=sha256-dlK7n82FEyZlHH7BFHQAM5tua%2BlQO1Iv7aAtglc1O5s%3D' (2 024-12-09) → 'github:nixos/nixpkgs/72d11d40b9878a67c38f003c240c2d2e1811e72a?narHash=sha256-ze3IJksru9dN0keqUxY0WNf8xrwfs8Ty/z9v/keyBbg%3D' (202 4-12-18) • Updated input 'nur': 'github:nix-community/NUR/b54fa3d8c020e077d88be036a12a711b84fe2031?narHash=sha256-5F49/mOzFb40uUZh71uNr7kBXjDCw5ZfHMbpZjjUVBQ%3D' (2024-12-10) → 'github:nix-community/NUR/db4e0d95cd1f9f77113cd9c3c9de5974fa721a98?narHash=sha256-ZRG0vNJHRyKnzyWOFciCzodQlv4Sb2%2BH5I7xKIH2EL0%3D ' (2024-12-21) • Updated input 'nur/nixpkgs': 'github:nixos/nixpkgs/22c3f2cf41a0e70184334a958e6b124fb0ce3e01?narHash=sha256-Qn3nPMSopRQJgmvHzVqPcE3I03zJyl8cSbgnnltfFDY%3D' (202 4-12-07) → 'github:nixos/nixpkgs/d3c42f187194c26d9f0309a8ecc469d6c878ce33?narHash=sha256-cHar1vqHOOyC7f1%2BtVycPoWTfKIaqkoe1Q6TnKzuti4%3D' (2 024-12-17) • Updated input 'sops-nix': 'github:Mic92/sops-nix/a80af8929781b5fe92ddb8ae52e9027fae780d2a?narHash=sha256-pm4cfEcPXripE36PYCl0A2Tu5ruwHEvTee%2BHzNk%2BSQE%3D' (2024-12-09) → 
'github:Mic92/sops-nix/ed091321f4dd88afc28b5b4456e0a15bd8374b4d?narHash=sha256-6OvJbqQ6qPpNw3CA%2BW8Myo5aaLhIJY/nNFDk3zMXLfM%3D' (2024-12-18) --- flake.lock | 74 +++++++++++++++++++++++++++--------------------------- flake.nix | 1 - 2 files changed, 37 insertions(+), 38 deletions(-) diff --git a/flake.lock b/flake.lock index 4713bdb..4a533fe 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "catppuccin": { "locked": { - "lastModified": 1733001911, - "narHash": "sha256-uX/9m0TbdhEzuWA0muM5mI/AaWcLiDLjCCyu5Qr9MRk=", + "lastModified": 1734734291, + "narHash": "sha256-CFX4diEQHKvZYjnhf7TLg20m3ge1O4vqgplsk/Kuaek=", "owner": "catppuccin", "repo": "nix", - "rev": "a817009ebfd2cca7f70a77884e5098d0a8c83f8e", + "rev": "1e4c3803b8da874ff75224ec8512cb173036bbd8", "type": "github" }, "original": { @@ -88,11 +88,11 @@ ] }, "locked": { - "lastModified": 1733168902, - "narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=", + "lastModified": 1734701201, + "narHash": "sha256-hk0roBX10j/hospoWIJIJj3i2skd7Oml6yKQBx7mTFk=", "owner": "nix-community", "repo": "disko", - "rev": "785c1e02c7e465375df971949b8dcbde9ec362e5", + "rev": "2ee76c861af3b895b3b104bae04777b61397485b", "type": "github" }, "original": { @@ -322,11 +322,11 @@ ] }, "locked": { - "lastModified": 1733754861, - "narHash": "sha256-3JKzIou54yjiMVmvgdJwopekEvZxX3JDT8DpKZs4oXY=", + "lastModified": 1734622215, + "narHash": "sha256-OOfI0XhSJGHblfdNDhfnn8QnZxng63rWk9eeJ2tCbiI=", "owner": "nix-community", "repo": "home-manager", - "rev": "9ebaa80a227eaca9c87c53ed515ade013bc2bca9", + "rev": "1395379a7a36e40f2a76e7b9936cc52950baa1be", "type": "github" }, "original": { 
@@ -396,11 +396,11 @@ "nixvim": "nixvim" }, "locked": { - "lastModified": 1732936640, - "narHash": "sha256-NcluA0L+ZV5MUj3UuQhlkGCj8KoEhX/ObWlMHZ/F/ac=", + "lastModified": 1734791154, + "narHash": "sha256-J/h0nh3iOnOqXnv28NahNH45xZ035tKpabPPKMPFTfo=", "ref": "refs/heads/master", - "rev": "a3709a89797ea094f82d38edeb4a538c07c8c3fa", - "revCount": 20, + "rev": "fdf7775c738e2eb6bb8cb707d35a900bc47cd53e", + "revCount": 24, "type": "git", "url": "https://git.xiny.li/xin/nixvim" }, @@ -459,11 +459,11 @@ ] }, "locked": { - "lastModified": 1733629314, - "narHash": "sha256-U0vivjQFAwjNDYt49Krevs1murX9hKBFe2Ye0cHpgbU=", + "lastModified": 1734234111, + "narHash": "sha256-icEMqBt4HtGH52PU5FHidgBrNJvOfXH6VQKNtnD1aw8=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "f1e477a7dd11e27e7f98b646349cd66bbabf2fb8", + "rev": "311d6cf3ad3f56cb051ffab1f480b2909b3f754d", "type": "github" }, "original": { @@ -483,11 +483,11 @@ ] }, "locked": { - "lastModified": 1733795858, - "narHash": "sha256-K595Q2PrZv2iiumdBkwM2G456T2lKsLD71bn/fbJiQ0=", + "lastModified": 1734745696, + "narHash": "sha256-rTGDkcbzfcTL7jE4TtxhNQtDssD1QY8yLo8ApAv3XRs=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "66ced222ef9235f90dbdd754ede3d6476722aaa9", + "rev": "113779a6601d5b5c8ef7c5b5c4ab3f377fd3e2c3", "type": "github" }, "original": { @@ -498,11 +498,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1733481457, - "narHash": "sha256-IS3bxa4N1VMSh3/P6vhEAHQZecQ3oAlKCDvzCQSO5Is=", + "lastModified": 1734352517, + "narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "e563803af3526852b6b1d77107a81908c66a9fcf", + "rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd", "type": "github" }, "original": { 
@@ -542,11 +542,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1733730953, - "narHash": "sha256-dlK7n82FEyZlHH7BFHQAM5tua+lQO1Iv7aAtglc1O5s=", + "lastModified": 1734529975, + "narHash": "sha256-ze3IJksru9dN0keqUxY0WNf8xrwfs8Ty/z9v/keyBbg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7109b680d161993918b0a126f38bc39763e5a709", + "rev": "72d11d40b9878a67c38f003c240c2d2e1811e72a", "type": "github" }, "original": { @@ -558,11 +558,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1733805440, - "narHash": "sha256-AQdCeGt3dMV9/cchlWGMcP0Z8qM47V+B0p7cSRr+HhA=", + "lastModified": 1734791212, + "narHash": "sha256-//RKBYxuo0PwIlijrnOr57yNpnp6g1opt3zb3xIS30M=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "61b1078fca3a097ce06ada68a6f2766347eed02c", + "rev": "540fcd82c3de04893afaa30051de48871cc428b4", "type": "github" }, "original": { @@ -574,11 +574,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1733581040, - "narHash": "sha256-Qn3nPMSopRQJgmvHzVqPcE3I03zJyl8cSbgnnltfFDY=", + "lastModified": 1734424634, + "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "22c3f2cf41a0e70184334a958e6b124fb0ce3e01", + "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33", "type": "github" }, "original": { @@ -621,11 +621,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1733805328, - "narHash": "sha256-5F49/mOzFb40uUZh71uNr7kBXjDCw5ZfHMbpZjjUVBQ=", + "lastModified": 1734785773, + "narHash": "sha256-ZRG0vNJHRyKnzyWOFciCzodQlv4Sb2+H5I7xKIH2EL0=", "owner": "nix-community", "repo": "NUR", - "rev": "b54fa3d8c020e077d88be036a12a711b84fe2031", + "rev": "db4e0d95cd1f9f77113cd9c3c9de5974fa721a98", "type": "github" }, "original": { 
@@ -683,11 +683,11 @@ ] }, "locked": { - "lastModified": 1733785344, - "narHash": "sha256-pm4cfEcPXripE36PYCl0A2Tu5ruwHEvTee+HzNk+SQE=", + "lastModified": 1734546875, + "narHash": "sha256-6OvJbqQ6qPpNw3CA+W8Myo5aaLhIJY/nNFDk3zMXLfM=", "owner": "Mic92", "repo": "sops-nix", - "rev": "a80af8929781b5fe92ddb8ae52e9027fae780d2a", + "rev": "ed091321f4dd88afc28b5b4456e0a15bd8374b4d", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index a1362f8..23b83a7 100644 --- a/flake.nix +++ b/flake.nix @@ -334,7 +334,6 @@ packages = with pkgs; [ nix git - colmena.packages.${system}.colmena sops nix-output-monitor nil From a659c3b3974defd5bb3b027fdbda8af13d48c490 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 21 Dec 2024 23:18:27 +0800 Subject: [PATCH 14/60] monitoring: monitor comin status --- machines/thorite/monitoring.nix | 20 +++++++++++++++++++- overlays/my-lib/settings.nix | 2 ++ 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix index 981fd14..e35fb13 100644 --- a/machines/thorite/monitoring.nix +++ b/machines/thorite/monitoring.nix @@ -12,6 +12,7 @@ let hedgedocDomain grafanaUrl ntfyUrl + internalDomain ; removeHttps = s: lib.removePrefix "https://" s; in @@ -81,7 +82,24 @@ in ]; passwordFile = config.sops.secrets."prometheus/metrics_password".path; in - (mkScrapes [ + [ + { + job_name = "comin"; + scheme = "http"; + static_configs = [ + { + targets = map (host: "${host}.${internalDomain}:4243") [ + "weilite" + "thorite" + "la-00" + "hk-00" + "fra-00" + ]; + } + ]; + } + ] + ++ (mkScrapes [ { name = "immich"; scheme = "http"; diff --git a/overlays/my-lib/settings.nix b/overlays/my-lib/settings.nix index 46bdb04..be97568 100644 --- a/overlays/my-lib/settings.nix +++ b/overlays/my-lib/settings.nix @@ -16,5 +16,7 @@ prometheusCollectors = [ "thorite.coho-tet.ts.net" ]; + + internalDomain = "coho-tet.ts.net"; }; } 
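Review bot: The new `comin` scrape job in machines/thorite/monitoring.nix (hunk `@@ -81,7 +82,24 @@`) is plain `http` with no credentials, while the `let` just above it prepares a sops-backed `passwordFile`, presumably for the `mkScrapes` jobs. If port 4243 is reachable only over the tailnet that may be acceptable, but the assumption should be written down next to the job, e.g. `# comin metrics are unauthenticated; port 4243 must stay tailnet-only`. The five host names are also hard-coded, so a host that later sets `comin.enable = true` is silently unmonitored; deriving the target list from the hosts that enable comin would avoid that drift. The enclosing expression starts and ends outside the hunk.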
From f4fe93ae229d7b8e4b2cbf14bd27d720e42beb3e Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 22 Dec 2024 00:00:51 +0800 Subject: [PATCH 15/60] thorite/monitoring: alert comin build failure --- machines/thorite/monitoring.nix | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix index e35fb13..afb0b6e 100644 --- a/machines/thorite/monitoring.nix +++ b/machines/thorite/monitoring.nix @@ -59,7 +59,22 @@ in node.enable = true; }; ruleModules = - (mkCaddyRules [ { host = "thorite"; } ]) + [ + { + name = "comin_rules"; + rules = [ + { + alert = "CominBuildFailed"; + expr = "comin_build_info != 1"; + for = "1m"; + labels = { + severity = "critical"; + }; + } + ]; + } + ] + ++ (mkCaddyRules [ { host = "thorite"; } ]) ++ (mkNodeRules [ { host = "thorite"; } ]) ++ (mkBlackboxRules [ { host = "thorite"; } ]); }; From fde693bfe0f0ede0c837a362abde5b898d9f68a0 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 22 Dec 2024 09:08:41 +0800 Subject: [PATCH 16/60] flake.lock: update nixpkgs for newer ocis --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 4a533fe..3320dcb 100644 --- a/flake.lock +++ b/flake.lock @@ -558,11 +558,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1734791212, - "narHash": "sha256-//RKBYxuo0PwIlijrnOr57yNpnp6g1opt3zb3xIS30M=", + "lastModified": 1734829510, + "narHash": "sha256-hb2GwIHunYTjo8d1zBfSC5v46IEY5UZWQdR5R1omvmE=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "540fcd82c3de04893afaa30051de48871cc428b4", + "rev": "2ad7f9f3c996dd9838a4f68941bcbeed2807b150", "type": "github" }, "original": { From d31c7ad8a79a166129211855672b0fced6bb7c28 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 22 Dec 2024 09:11:41 +0800 Subject: [PATCH 17/60] weilite: add back ocis volume --- machines/weilite/default.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
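Review bot: `CominBuildFailed` in the added `comin_rules` group only fires while the series exists: `comin_build_info != 1` returns nothing when a host stops exporting the metric or its scrape fails, so a crashed or unreachable comin looks healthy. Add a second rule beside it with `expr = "up{job=\"comin\"} == 0";` (the job name is the one the previous patch adds), unless one of the `mk*Rules` helpers already covers that job. The rule also carries no `annotations`, so the notification has no summary or host hint; assuming the rule attrset is passed through to Prometheus unchanged, `annotations.summary = "comin build failed on {{ $labels.instance }}";` would fix that.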
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index bae1b92..6d9870a 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -98,13 +98,13 @@ options = "rw,nodev,nosuid"; wantedBy = [ "restic-rest-server.service" ]; } - # { - # what = "ocis"; - # where = "/var/lib/ocis"; - # type = "virtiofs"; - # options = "rw,nodev,nosuid"; - # wantedBy = [ "ocis.service" ]; - # } + { + what = "ocis"; + where = "/var/lib/ocis"; + type = "virtiofs"; + options = "rw,nodev,nosuid"; + wantedBy = [ "ocis.service" ]; + } { what = "media"; where = "/var/lib/jellyfin/media"; From 404badefec2d95903721724e283cbf480d75ef0a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 22 Dec 2024 14:10:58 +0800 Subject: [PATCH 18/60] weilite: fix virtiofs mount --- machines/weilite/default.nix | 39 ++++++++++++++++++++-------- machines/weilite/services/immich.nix | 1 - modules/nixos/monitor/exporters.nix | 2 +- 3 files changed, 29 insertions(+), 13 deletions(-) diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 6d9870a..c151e1b 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -34,7 +34,10 @@ "usb_storage" "sd_mod" ]; - kernelModules = [ "kvm-intel" ]; + kernelModules = [ + "kvm-intel" + ]; + kernelPackages = pkgs.linuxPackages_6_12; }; nixpkgs.config.allowUnfree = true; @@ -42,6 +45,7 @@ environment.systemPackages = [ pkgs.virtiofsd pkgs.intel-gpu-tools + pkgs.pciutils ]; sops = { @@ -92,18 +96,10 @@ wantedBy = [ "immich-server.service" ]; } { - what = "restic"; - where = "/var/lib/restic"; + what = "nixos"; + where = "/mnt/nixos"; type = "virtiofs"; options = "rw,nodev,nosuid"; - wantedBy = [ "restic-rest-server.service" ]; - } - { - what = "ocis"; - where = "/var/lib/ocis"; - type = "virtiofs"; - options = "rw,nodev,nosuid"; - wantedBy = [ "ocis.service" ]; } { what = "media"; 
@@ -111,6 +107,27 @@ type = "virtiofs"; options = "rw,nodev,nosuid"; } + { + what = "/mnt/nixos/ocis"; + where = "/var/lib/ocis"; + options = "bind"; + after = [ "mnt-nixos.mount" ]; + wantedBy = [ "ocis.service" ]; + } + { + what = "/mnt/nixos/restic"; + where = "/var/lib/restic"; + options = "bind"; + after = [ "mnt-nixos.mount" ]; + wantedBy = [ "restic-rest-server.service" ]; + } + { + what = "/mnt/nixos/immich"; + where = "/var/lib/immich"; + options = "bind"; + after = [ "mnt-nixos.mount" ]; + wantedBy = [ "immich-server.service" ]; + } ]; hardware.graphics = { diff --git a/machines/weilite/services/immich.nix b/machines/weilite/services/immich.nix index 33a98d3..0b97f5c 100644 --- a/machines/weilite/services/immich.nix +++ b/machines/weilite/services/immich.nix @@ -46,7 +46,6 @@ in services.immich = { enable = true; - mediaLocation = "/mnt/XinPhotos/immich"; host = "127.0.0.1"; port = 3001; openFirewall = true; diff --git a/modules/nixos/monitor/exporters.nix b/modules/nixos/monitor/exporters.nix index 56750ef..d0e006f 100644 --- a/modules/nixos/monitor/exporters.nix +++ b/modules/nixos/monitor/exporters.nix @@ -11,7 +11,7 @@ let in { config = { - systemd.services.tailscaled.after = + systemd.services.tailscaled.before = (lib.optional cfg.node.enable "prometheus-node-exporters.service") ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service") ++ (lib.optional config.services.caddy.enable "caddy.service"); From 533cfbb560b881d34cd9307d49a93478d387b856 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 25 Dec 2024 11:32:34 +0800 Subject: [PATCH 19/60] weilite: add transmission --- machines/weilite/default.nix | 14 +++-- machines/weilite/secrets.yaml | 8 ++- machines/weilite/services/default.nix | 1 + machines/weilite/services/transmission.nix | 67 ++++++++++++++++++++++ 4 files changed, 81 insertions(+), 9 deletions(-) create mode 100644 machines/weilite/services/transmission.nix 
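Review bot: The ordering list in modules/nixos/monitor/exporters.nix names `prometheus-node-exporters.service` and `prometheus-blackbox-exporters.service`, but the units generated by the NixOS exporter modules are singular (`prometheus-node-exporter.service`, `prometheus-blackbox-exporter.service`), and systemd ignores ordering against a unit that is not loaded. Unless this repository defines units with the plural names, switching `after` to `before` changes nothing for the two exporters and only the `caddy.service` entry takes effect. `before` is also ordering only, with no requirement dependency, so a service that binds to the tailnet address may still come up without it if tailscaled fails to start.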
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index c151e1b..c3a70d0 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -101,12 +101,7 @@ type = "virtiofs"; options = "rw,nodev,nosuid"; } - { - what = "media"; - where = "/var/lib/jellyfin/media"; - type = "virtiofs"; - options = "rw,nodev,nosuid"; - } + { what = "/mnt/nixos/ocis"; where = "/var/lib/ocis"; @@ -128,6 +123,13 @@ after = [ "mnt-nixos.mount" ]; wantedBy = [ "immich-server.service" ]; } + { + what = "/mnt/nixos/media"; + where = "/var/lib/jellyfin/media"; + options = "bind"; + after = [ "mnt-nixos.mount" ]; + wantedBy = [ "jellyfin.service" ]; + } ]; hardware.graphics = { diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml index 0394a80..b5c3aa5 100644 --- a/machines/weilite/secrets.yaml +++ b/machines/weilite/secrets.yaml @@ -4,6 +4,8 @@ immich: oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str] restic: localpass: ENC[AES256_GCM,data:GIQAmkpDmGu4+sSG5/b5yQ==,iv:dcu6F8NnVjeQzEG2vM3fOV5owI0PWc86ts20UP3vN18=,tag:vsG8x062FG1pH5YNcAajeg==,type:str] +transmission: + rpc-password: ENC[AES256_GCM,data:4dumy0hygGOuwU3ANky3xEKRDRBAJWE=,iv:HVV2J+F8HndHZNsMD2YmkWrJOzk5JIapGd0SuQP8VqU=,tag:xqp5pxh5cYYogA4alrmIfg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -28,8 +30,8 @@ sops: V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-03T05:59:51Z" - mac: ENC[AES256_GCM,data:0dLbfkm7fJvH5Mmct0/qHulg2AtDCeeeOgWMXfeGRUaX3GlLDiLga0zW4uNPDuahVecdh6ofvYfBOxFaGUdBCHk9vq5GzrwrzBNhqObWQ3AqVuq5rjqSxEKoFM4Eb5qoqaOefFzT/9qC94NDETTsHhjiEeIgd4fgSr2dazNiFPE=,iv:Ggw0FHzkrhKh5Uzo3seHGwwHsWW/tTAgAl0iIq9PVk4=,tag:rJvUI5/wsLJ01XyKmkRghw==,type:str] + lastmodified: "2024-12-25T00:35:15Z" + mac: ENC[AES256_GCM,data:sk4DL+w740RD9A3sPvcGD4fc90Nfw9C8dH11ScGRgt6gS3v4V16pD0Q/bHHZiUCll76phZKjp+sGcZaPw0X7RDlK582WY3uw0pLtqLlm0gejjmvBJYKg47nA0dCD+vDvbMkJlvJG6N3sRuXDBa/7bAe452eXZNS8Xnm7ceDscVc=,iv:Nx4yCfG9rNk0q8akuI1aZr6Wj4GIAxASE8Tc7TH4Vj8=,tag:GodvlMbhIPpPu062spKFxA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.2 diff --git a/machines/weilite/services/default.nix b/machines/weilite/services/default.nix index 5a5cc25..ca5ee33 100644 --- a/machines/weilite/services/default.nix +++ b/machines/weilite/services/default.nix @@ -5,5 +5,6 @@ ./media-download.nix ./immich.nix ./jellyfin.nix + ./transmission.nix ]; } diff --git a/machines/weilite/services/transmission.nix b/machines/weilite/services/transmission.nix new file mode 100644 index 0000000..be7bb39 --- /dev/null +++ b/machines/weilite/services/transmission.nix 
@@ -0,0 +1,67 @@ +{ config, ... }: +let + cfg = config.services.transmission; +in +{ + sops.secrets = { + "transmission/rpc-password" = { }; + }; + + sops.templates."transmission-cred.json" = { + content = builtins.toJSON { + rpc-password = config.sops.placeholder."transmission/rpc-password"; + }; + }; + + services.transmission = { + enable = true; + openPeerPorts = true; + credentialsFile = config.sops.templates."transmission-cred.json".path; + settings = { + download-dir = "/mnt/nixos/media"; + incomplete-dir = "/mnt/nixos/transmission/incomplete"; + alt-speed-down = 40960; + alt-speed-enabled = false; + alt-speed-time-begin = 60; + alt-speed-time-day = 127; + alt-speed-time-enabled = true; + alt-speed-time-end = 420; + alt-speed-up = 4096; + bind-address-ipv4 = "0.0.0.0"; + bind-address-ipv6 = "::"; + download-queue-enabled = true; + download-queue-size = 5; + incomplete-dir-enabled = true; + lpd-enabled = false; + message-level = 2; + peer-congestion-algorithm = ""; + peer-id-ttl-hours = 6; + peer-limit-global = 200; + peer-limit-per-torrent = 50; + peer-port = 51413; + peer-socket-tos = "cs2"; + pex-enabled = true; + preallocation = 1; + prefetch-enabled = true; + queue-stalled-enabled = true; + queue-stalled-minutes = 30; + rename-partial-files = true; + rpc-bind-address = "127.0.0.1"; + rpc-enabled = true; + rpc-authentication-required = true; + rpc-port = 9092; + rpc-username = "xin"; + rpc-whitelist = "127.0.0.1"; + speed-limit-down = 20480; + speed-limit-down-enabled = true; + speed-limit-up = 3072; + speed-limit-up-enabled = true; + start-added-torrents = true; + watch-dir-enabled = false; + }; + }; + services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:9091".extraConfig = '' + reverse_proxy 127.0.0.1:${toString cfg.settings.rpc-port} + ''; + networking.firewall.allowedTCPPorts = [ 9091 ]; # allow on lan +} From 408ea16f6dedc3cedc1779bbcee4dd74407ccd9e Mon Sep 17 00:00:00 2001 
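Review bot: `networking.firewall.allowedTCPPorts = [ 9091 ]` at the end of the new transmission.nix opens the port on every interface, although the comment says LAN and the Caddy virtual host is a tailnet name. Scope it to the interface that is meant to reach it, `networking.firewall.interfaces."<interface-name>".allowedTCPPorts = [ 9091 ];`. Because every request now reaches Transmission from Caddy on loopback, `rpc-whitelist = "127.0.0.1"` no longer restricts clients and the RPC password is the only access control; a comment next to the whitelist line should say so, e.g. `# all clients arrive via Caddy on loopback; access control is the RPC password`.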
From: xinyangli Date: Thu, 26 Dec 2024 20:26:07 +0800 Subject: [PATCH 20/60] calcite/keyd: global caplock reload --- machines/calcite/configuration.nix | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index a3c84c4..68bd802 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -152,11 +152,14 @@ in services.keyd = { enable = true; keyboards = { + defualt = { + id = [ "*" ]; + capslock = "overload(control, esc)"; + }; "internal" = { ids = [ "0b05:1866" ]; settings = { main = { - capslock = "overload(control, esc)"; leftcontrol = "capslock"; }; }; @@ -170,17 +173,6 @@ in }; }; }; - "keydous" = { - ids = [ - "25a7:fa14" - "3151:4002" - ]; - settings = { - main = { - leftcontrol = "overload(control, esc)"; - }; - }; - }; }; }; @@ -302,7 +294,8 @@ in zotero # onlyoffice-bin - wemeet + # wemeet + config.nur.repos.linyinfeng.wemeet virt-manager wineWowPackages.waylandFull From 6bf9d771a1a66a92811e1e816d75f6aff039b84f Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 26 Dec 2024 20:27:18 +0800 Subject: [PATCH 21/60] weilite/media: add group "media" --- machines/weilite/default.nix | 17 ++++++++++------- machines/weilite/services/jellyfin.nix | 10 ++++++++++ machines/weilite/services/media-download.nix | 7 ++++++- machines/weilite/services/transmission.nix | 12 +++++++----- 4 files changed, 33 insertions(+), 13 deletions(-) diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index c3a70d0..cb5804b 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -12,6 +12,13 @@ ./services ]; + options = { + node = lib.mkOption { + type = lib.types.attrs; + default = { }; + }; + }; + config = { networking.hostName = "weilite"; commonSettings = { @@ -21,6 +28,9 @@ }; comin.enable = true; }; + node = { + mediaDir = "/mnt/nixos/media"; + }; boot = { loader = { 
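Review bot: The keyboard entry added to `services.keyd.keyboards` should fail evaluation as written: the device list is spelled `id` where the module option is `ids`, and `capslock` sits directly on the keyboard instead of under `settings.main` as in the `internal` entry below it; the attribute name `defualt` is also a typo. The same commit removes `capslock` from `internal` and deletes the `keydous` entry, so the overload mapping exists nowhere until this is fixed. Suggested form: `default = { ids = [ "*" ]; settings.main.capslock = "overload(control, esc)"; };`.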
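Review bot: `node.mediaDir` is declared and set in machines/weilite/default.nix, but the service files touched by the same commit still spell out `/mnt/nixos/media` (the `BindReadOnlyPaths` entry in jellyfin.nix, `download-dir` in transmission.nix), so the setting has no reader and the paths can drift apart. Either use `config.node.mediaDir` in those places or drop the option. `lib.types.attrs` also accepts any attribute set unchecked; a typed option such as `node.mediaDir = lib.mkOption { type = lib.types.path; };` would catch a misspelled key at evaluation time.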
@@ -123,13 +133,6 @@ after = [ "mnt-nixos.mount" ]; wantedBy = [ "immich-server.service" ]; } - { - what = "/mnt/nixos/media"; - where = "/var/lib/jellyfin/media"; - options = "bind"; - after = [ "mnt-nixos.mount" ]; - wantedBy = [ "jellyfin.service" ]; - } ]; hardware.graphics = { diff --git a/machines/weilite/services/jellyfin.nix b/machines/weilite/services/jellyfin.nix index d321de5..025386b 100644 --- a/machines/weilite/services/jellyfin.nix +++ b/machines/weilite/services/jellyfin.nix @@ -1,7 +1,16 @@ { config, pkgs, ... }: +let + cfg = config.services.jellyfin; +in { services.jellyfin.enable = true; + systemd.services.jellyfin.serviceConfig = { + BindReadOnlyPaths = [ + "/mnt/nixos/media:${cfg.dataDir}/media" + ]; + }; + environment.systemPackages = with pkgs; [ jellyfin jellyfin-web @@ -12,4 +21,5 @@ ''; networking.firewall.allowedTCPPorts = [ 8920 ]; # allow on lan users.users.jellyfin.extraGroups = [ "render" ]; + users.groups.media.members = [ cfg.user ]; } diff --git a/machines/weilite/services/media-download.nix b/machines/weilite/services/media-download.nix index 6f22744..a161931 100644 --- a/machines/weilite/services/media-download.nix +++ b/machines/weilite/services/media-download.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: { services.jackett = { enable = true; @@ -27,4 +27,9 @@ services.radarr = { enable = true; }; + + users.groups.media.members = [ + config.services.sonarr.user + config.services.radarr.user + ]; } diff --git a/machines/weilite/services/transmission.nix b/machines/weilite/services/transmission.nix index be7bb39..b025819 100644 --- a/machines/weilite/services/transmission.nix +++ b/machines/weilite/services/transmission.nix @@ -1,4 +1,4 @@ -{ config, ... }: +{ config, pkgs, ... }: let cfg = config.services.transmission; in 
@@ -15,13 +15,14 @@ in services.transmission = { enable = true; + package = pkgs.transmission_4; openPeerPorts = true; credentialsFile = config.sops.templates."transmission-cred.json".path; settings = { download-dir = "/mnt/nixos/media"; incomplete-dir = "/mnt/nixos/transmission/incomplete"; alt-speed-down = 40960; - alt-speed-enabled = false; + alt-speed-enabled = true; alt-speed-time-begin = 60; alt-speed-time-day = 127; alt-speed-time-enabled = true; @@ -30,16 +31,16 @@ in bind-address-ipv4 = "0.0.0.0"; bind-address-ipv6 = "::"; download-queue-enabled = true; - download-queue-size = 5; + download-queue-size = 10; incomplete-dir-enabled = true; lpd-enabled = false; - message-level = 2; + message-level = 4; peer-congestion-algorithm = ""; peer-id-ttl-hours = 6; peer-limit-global = 200; peer-limit-per-torrent = 50; peer-port = 51413; - peer-socket-tos = "cs2"; + peer-socket-tos = "cs1"; pex-enabled = true; preallocation = 1; prefetch-enabled = true; @@ -64,4 +65,5 @@ in reverse_proxy 127.0.0.1:${toString cfg.settings.rpc-port} ''; networking.firewall.allowedTCPPorts = [ 9091 ]; # allow on lan + users.groups.media.members = [ cfg.user ]; } From efbfb72030680eb608e1a12dc740fbe2ef4de48a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 26 Dec 2024 21:32:51 +0800 Subject: [PATCH 22/60] flake.lock: update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'my-nixvim': 'git+https://git.xiny.li/xin/nixvim?ref=refs/heads/master&rev=fdf7775c738e2eb6bb8cb707d35a900bc47cd53e' (2024-12-21) → 'git+https://git.xiny.li/xin/nixvim?ref=refs/heads/master&rev=4439691030d1a28f4ad49c542104e3f880f7c183' (2024-12-26) --- flake.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 3320dcb..f468ae0 100644 --- a/flake.lock +++ b/flake.lock 
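Review bot: Adding `cfg.user` to the `media` group (last transmission.nix hunk, with matching lines in jellyfin.nix and media-download.nix) grants nothing by itself, because no visible line makes `/mnt/nixos/media` group-owned by `media` or gives the group write access to it. If ownership is set on the virtiofs host, say so in a comment; otherwise set it here, for example `systemd.tmpfiles.rules = [ "d /mnt/nixos/media 2775 root media -" ];` (mode shown as an example) together with a Transmission `umask` that keeps group access. Jellyfin gets only a read-only bind of the directory, which is the right scope for a reader; sonarr and radarr receive no comparable restriction in these hunks.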
@@ -396,11 +396,11 @@ "nixvim": "nixvim" }, "locked": { - "lastModified": 1734791154, - "narHash": "sha256-J/h0nh3iOnOqXnv28NahNH45xZ035tKpabPPKMPFTfo=", + "lastModified": 1735219902, + "narHash": "sha256-s1aI4l9e0OX861wHsvAPqz/s8B9ZTltAMJzPRXt5Kqo=", "ref": "refs/heads/master", - "rev": "fdf7775c738e2eb6bb8cb707d35a900bc47cd53e", - "revCount": 24, + "rev": "4439691030d1a28f4ad49c542104e3f880f7c183", + "revCount": 25, "type": "git", "url": "https://git.xiny.li/xin/nixvim" }, From 1d106c3d0937e18706c199f537a900bb52d386b3 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 28 Dec 2024 10:14:37 +0800 Subject: [PATCH 23/60] nixos/comin: use unified testing branch --- modules/nixos/common-settings/comin.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/nixos/common-settings/comin.nix b/modules/nixos/common-settings/comin.nix index 70a23ee..97a254b 100644 --- a/modules/nixos/common-settings/comin.nix +++ b/modules/nixos/common-settings/comin.nix @@ -24,6 +24,7 @@ in name = "origin"; url = "https://github.com/xinyangli/nixos-config.git"; branches.main.name = "deploy-comin"; + branches.testing.name = "deploy-comin"; } ]; hostname = config.networking.hostName; From 2e741a8c52d347445834971e7bc0755fce4b61fd Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Sat, 28 Dec 2024 09:56:48 +0800 Subject: [PATCH 24/60] flake.lock: update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'catppuccin': 'github:catppuccin/nix/1e4c3803b8da874ff75224ec8512cb173036bbd8?narHash=sha256-CFX4diEQHKvZYjnhf7TLg20m3ge1O4vqgplsk/Kuaek%3D' (2024-12-20) → 'github:catppuccin/nix/a2e641bc6b17129d81d54019e14c9956784c69c6?narHash=sha256-vU7SkHINr%2BNqmZeFLA11plsaUfazKKpdEhI/oTJbK3Q%3D' (2024-12-27) • Added input 'catppuccin/catppuccin-v1_1': 'https://api.flakehub.com/f/pinned/catppuccin/nix/1.1.1/0193bdc0-b045-7eed-bbec-95611a8ecdf5/source.tar.gz?narHash=sha256-pCWJgwo77KD7EJpwynwKrWPZ//dwypHq2TfdzZWqK68%3D' (2024-12-13) • Added input 'catppuccin/catppuccin-v1_2': 'https://api.flakehub.com/f/pinned/catppuccin/nix/1.2.0/0193e5e0-33b7-7149-a362-bfe56b20f64e/source.tar.gz?narHash=sha256-Let3uJo4YDyfqbqaw66dpZxhJB2TrDyZWSFd5rpPLJA%3D' (2024-12-20) • Added input 'catppuccin/home-manager': follows 'home-manager' • Added input 'catppuccin/home-manager-stable': 'github:nix-community/home-manager/80b0fdf483c5d1cb75aaad909bd390d48673857f?narHash=sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw%3D' (2024-12-16) • Added input 'catppuccin/home-manager-stable/nixpkgs': follows 'catppuccin/nixpkgs-stable' • Added input 'catppuccin/nixpkgs': follows 'nixpkgs' • Added input 'catppuccin/nixpkgs-stable': 'github:NixOS/nixpkgs/b47fd6fa00c6afca88b8ee46cfdb00e104f50bca?narHash=sha256-nbG9TijTMcfr%2Bau7ZVbKpAhMJzzE2nQBYmRvSdXUD8g%3D' (2024-12-19) • Added input 'catppuccin/nuscht-search': 'github:NuschtOS/search/3051be7f403bff1d1d380e4612f0c70675b44fc9?narHash=sha256-Y47y%2BLesOCkJaLvj%2BdI/Oa6FAKj/T9sKVKDXLNsViPw%3D' (2024-12-09) • Added input 'catppuccin/nuscht-search/flake-utils': 'github:numtide/flake-utils/11707dc2f618dd54ca8739b309ec4fc024de578b?narHash=sha256-l0KFg5HjrsfsO/JpG%2Br7fRrqm12kzFHyUHqHCVpMMbI%3D' (2024-11-13) • Added input 'catppuccin/nuscht-search/flake-utils/systems': 
'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e?narHash=sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768%3D' (2023-04-09) • Added input 'catppuccin/nuscht-search/ixx': 'github:NuschtOS/ixx/9fd01aad037f345350eab2cd45e1946cc66da4eb?narHash=sha256-EiOq8jF4Z/zQe0QYVc3%2BqSKxRK//CFHMB84aYrYGwEs%3D' (2024-10-26) • Added input 'catppuccin/nuscht-search/ixx/flake-utils': follows 'catppuccin/nuscht-search/flake-utils' • Added input 'catppuccin/nuscht-search/ixx/nixpkgs': follows 'catppuccin/nuscht-search/nixpkgs' • Added input 'catppuccin/nuscht-search/nixpkgs': follows 'catppuccin/nixpkgs' • Updated input 'colmena': 'github:zhaofengli/colmena/e3ad42138015fcdf2524518dd564a13145c72ea1?narHash=sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8%3D' (2024-11-13) → 'github:zhaofengli/colmena/a6b51f5feae9bfb145daa37fd0220595acb7871e?narHash=sha256-LLpiqfOGBippRax9F33kSJ/Imt8gJXb6o0JwSBiNHCk%3D' (2024-12-22) • Updated input 'disko': 'github:nix-community/disko/2ee76c861af3b895b3b104bae04777b61397485b?narHash=sha256-hk0roBX10j/hospoWIJIJj3i2skd7Oml6yKQBx7mTFk%3D' (2024-12-20) → 'github:nix-community/disko/3a4de9fa3a78ba7b7170dda6bd8b4cdab87c0b21?narHash=sha256-Tc35Y8H%2BkrA6rZeOIczsaGAtobSSBPqR32AfNTeHDRc%3D' (2024-12-24) • Updated input 'home-manager': 'github:nix-community/home-manager/1395379a7a36e40f2a76e7b9936cc52950baa1be?narHash=sha256-OOfI0XhSJGHblfdNDhfnn8QnZxng63rWk9eeJ2tCbiI%3D' (2024-12-19) → 'github:nix-community/home-manager/b7a7cd5dd1a74a9fe86ed4e016f91c78483b527a?narHash=sha256-p7IJP/97zJda/wwCn1T2LJBz4olF5LjNf4uwhuyvARo%3D' (2024-12-27) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/311d6cf3ad3f56cb051ffab1f480b2909b3f754d?narHash=sha256-icEMqBt4HtGH52PU5FHidgBrNJvOfXH6VQKNtnD1aw8%3D' (2024-12-15) → 'github:Mic92/nix-index-database/7e3246f6ad43b44bc1c16d580d7bf6467f971530?narHash=sha256-kWNi45/mRjQMG%2BUpaZQ7KyPavYrKfle3WgLn9YeBBVg%3D' (2024-12-26) • Updated input 'nix-vscode-extensions': 
'github:nix-community/nix-vscode-extensions/113779a6601d5b5c8ef7c5b5c4ab3f377fd3e2c3?narHash=sha256-rTGDkcbzfcTL7jE4TtxhNQtDssD1QY8yLo8ApAv3XRs%3D' (2024-12-21) → 'github:nix-community/nix-vscode-extensions/57719f14beefb91c5b58da26bb9cffbdb4f70bfa?narHash=sha256-rNhcGVh6Xnc0DKWR5RTTD9OxucfAotd41LEuMCGz228%3D' (2024-12-28) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/b12e314726a4226298fe82776b4baeaa7bcf3dcd?narHash=sha256-mfv%2BJ/vO4nqmIOlq8Y1rRW8hVsGH3M%2BI2ESMjhuebDs%3D' (2024-12-16) → 'github:NixOS/nixos-hardware/def1d472c832d77885f174089b0d34854b007198?narHash=sha256-QIhd8/0x30gEv8XEE1iAnrdMlKuQ0EzthfDR7Hwl%2Bfk%3D' (2024-12-23) • Updated input 'nixpkgs-stable': 'github:nixos/nixpkgs/72d11d40b9878a67c38f003c240c2d2e1811e72a?narHash=sha256-ze3IJksru9dN0keqUxY0WNf8xrwfs8Ty/z9v/keyBbg%3D' (2024-12-18) → 'github:nixos/nixpkgs/31ac92f9628682b294026f0860e14587a09ffb4b?narHash=sha256-JMRV2RI58nV1UqLXqm%2Blcea1/dr92fYjWU5S%2BRz3fmE%3D' (2024-12-27) • Updated input 'nur': 'github:nix-community/NUR/db4e0d95cd1f9f77113cd9c3c9de5974fa721a98?narHash=sha256-ZRG0vNJHRyKnzyWOFciCzodQlv4Sb2%2BH5I7xKIH2EL0%3D' (2024-12-21) → 'github:nix-community/NUR/538f624930cdfb852e4e3dd055f79e932d5b3c16?narHash=sha256-B%2BPNIYtTmgnTV/wdA/qrYohmeBHaYrDwVAueODdvtlo%3D' (2024-12-27) • Updated input 'nur/nixpkgs': 'github:nixos/nixpkgs/d3c42f187194c26d9f0309a8ecc469d6c878ce33?narHash=sha256-cHar1vqHOOyC7f1%2BtVycPoWTfKIaqkoe1Q6TnKzuti4%3D' (2024-12-17) → 'github:nixos/nixpkgs/634fd46801442d760e09493a794c4f15db2d0cbb?narHash=sha256-NYVcA06%2BblsLG6wpAbSPTCyLvxD/92Hy4vlY9WxFI1M%3D' (2024-12-27) --- flake.lock | 263 +++++++++++++++++++++++------ flake.nix | 2 + garnix.yaml | 27 ++- machines/calcite/configuration.nix | 2 +- 4 files changed, 234 insertions(+), 60 deletions(-) diff --git a/flake.lock b/flake.lock index f468ae0..a3527f7 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,12 +1,25 @@ { "nodes": { "catppuccin": { + "inputs": { + "catppuccin-v1_1": "catppuccin-v1_1", + "catppuccin-v1_2": "catppuccin-v1_2", + "home-manager": [ + "home-manager" + ], + "home-manager-stable": "home-manager-stable", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable", + "nuscht-search": "nuscht-search" + }, "locked": { - "lastModified": 1734734291, - "narHash": "sha256-CFX4diEQHKvZYjnhf7TLg20m3ge1O4vqgplsk/Kuaek=", + "lastModified": 1735263930, + "narHash": "sha256-vU7SkHINr+NqmZeFLA11plsaUfazKKpdEhI/oTJbK3Q=", "owner": "catppuccin", "repo": "nix", - "rev": "1e4c3803b8da874ff75224ec8512cb173036bbd8", + "rev": "a2e641bc6b17129d81d54019e14c9956784c69c6", "type": "github" }, "original": { @@ -15,10 +28,38 @@ "type": "github" } }, + "catppuccin-v1_1": { + "locked": { + "lastModified": 1734055249, + "narHash": "sha256-pCWJgwo77KD7EJpwynwKrWPZ//dwypHq2TfdzZWqK68=", + "rev": "7221d6ca17ac36ed20588e1c3a80177ac5843fa7", + "revCount": 326, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/catppuccin/nix/1.1.1/0193bdc0-b045-7eed-bbec-95611a8ecdf5/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/catppuccin/nix/1.1.%2A.tar.gz" + } + }, + "catppuccin-v1_2": { + "locked": { + "lastModified": 1734728407, + "narHash": "sha256-Let3uJo4YDyfqbqaw66dpZxhJB2TrDyZWSFd5rpPLJA=", + "rev": "23ee86dbf4ed347878115a78971d43025362fab1", + "revCount": 341, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/catppuccin/nix/1.2.0/0193e5e0-33b7-7149-a362-bfe56b20f64e/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/catppuccin/nix/1.2.%2A.tar.gz" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat", - "flake-utils": "flake-utils", + "flake-utils": "flake-utils_2", "nix-github-actions": "nix-github-actions", "nixpkgs": [ "nixpkgs" 
@@ -26,11 +67,11 @@ "stable": "stable" }, "locked": { - "lastModified": 1731527002, - "narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=", + "lastModified": 1734897875, + "narHash": "sha256-LLpiqfOGBippRax9F33kSJ/Imt8gJXb6o0JwSBiNHCk=", "owner": "zhaofengli", "repo": "colmena", - "rev": "e3ad42138015fcdf2524518dd564a13145c72ea1", + "rev": "a6b51f5feae9bfb145daa37fd0220595acb7871e", "type": "github" }, "original": { @@ -88,11 +129,11 @@ ] }, "locked": { - "lastModified": 1734701201, - "narHash": "sha256-hk0roBX10j/hospoWIJIJj3i2skd7Oml6yKQBx7mTFk=", + "lastModified": 1735048446, + "narHash": "sha256-Tc35Y8H+krA6rZeOIczsaGAtobSSBPqR32AfNTeHDRc=", "owner": "nix-community", "repo": "disko", - "rev": "2ee76c861af3b895b3b104bae04777b61397485b", + "rev": "3a4de9fa3a78ba7b7170dda6bd8b4cdab87c0b21", "type": "github" }, "original": { @@ -209,21 +250,6 @@ } }, "flake-utils": { - "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { "inputs": { "systems": "systems" }, 
@@ -241,10 +267,43 @@ "type": "github" } }, + "flake-utils_2": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flake-utils_3": { "inputs": { "systems": "systems_2" }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_3" + }, "locked": { "lastModified": 1726560853, "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", @@ -322,11 +381,11 @@ ] }, "locked": { - "lastModified": 1734622215, - "narHash": "sha256-OOfI0XhSJGHblfdNDhfnn8QnZxng63rWk9eeJ2tCbiI=", + "lastModified": 1735343815, + "narHash": "sha256-p7IJP/97zJda/wwCn1T2LJBz4olF5LjNf4uwhuyvARo=", "owner": "nix-community", "repo": "home-manager", - "rev": "1395379a7a36e40f2a76e7b9936cc52950baa1be", + "rev": "b7a7cd5dd1a74a9fe86ed4e016f91c78483b527a", "type": "github" }, "original": { @@ -335,6 +394,28 @@ "type": "github" } }, + "home-manager-stable": { + "inputs": { + "nixpkgs": [ + "catppuccin", + "nixpkgs-stable" + ] + }, + "locked": { + "lastModified": 1734366194, + "narHash": "sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "80b0fdf483c5d1cb75aaad909bd390d48673857f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, "home-manager_2": { "inputs": { "nixpkgs": [ 
@@ -358,6 +439,34 @@ } }, "ixx": { + "inputs": { + "flake-utils": [ + "catppuccin", + "nuscht-search", + "flake-utils" + ], + "nixpkgs": [ + "catppuccin", + "nuscht-search", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729958008, + "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=", + "owner": "NuschtOS", + "repo": "ixx", + "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "ref": "v0.0.6", + "repo": "ixx", + "type": "github" + } + }, + "ixx_2": { "inputs": { "flake-utils": [ "my-nixvim", @@ -459,11 +568,11 @@ ] }, "locked": { - "lastModified": 1734234111, - "narHash": "sha256-icEMqBt4HtGH52PU5FHidgBrNJvOfXH6VQKNtnD1aw8=", + "lastModified": 1735222882, + "narHash": "sha256-kWNi45/mRjQMG+UpaZQ7KyPavYrKfle3WgLn9YeBBVg=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "311d6cf3ad3f56cb051ffab1f480b2909b3f754d", + "rev": "7e3246f6ad43b44bc1c16d580d7bf6467f971530", "type": "github" }, "original": { @@ -483,11 +592,11 @@ ] }, "locked": { - "lastModified": 1734745696, - "narHash": "sha256-rTGDkcbzfcTL7jE4TtxhNQtDssD1QY8yLo8ApAv3XRs=", + "lastModified": 1735350281, + "narHash": "sha256-rNhcGVh6Xnc0DKWR5RTTD9OxucfAotd41LEuMCGz228=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "113779a6601d5b5c8ef7c5b5c4ab3f377fd3e2c3", + "rev": "57719f14beefb91c5b58da26bb9cffbdb4f70bfa", "type": "github" }, "original": { @@ -498,11 +607,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1734352517, - "narHash": "sha256-mfv+J/vO4nqmIOlq8Y1rRW8hVsGH3M+I2ESMjhuebDs=", + "lastModified": 1734954597, + "narHash": "sha256-QIhd8/0x30gEv8XEE1iAnrdMlKuQ0EzthfDR7Hwl+fk=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "b12e314726a4226298fe82776b4baeaa7bcf3dcd", + "rev": "def1d472c832d77885f174089b0d34854b007198", "type": "github" }, "original": { 
@@ -542,11 +651,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1734529975, - "narHash": "sha256-ze3IJksru9dN0keqUxY0WNf8xrwfs8Ty/z9v/keyBbg=", + "lastModified": 1734600368, + "narHash": "sha256-nbG9TijTMcfr+au7ZVbKpAhMJzzE2nQBYmRvSdXUD8g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b47fd6fa00c6afca88b8ee46cfdb00e104f50bca", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1735286948, + "narHash": "sha256-JMRV2RI58nV1UqLXqm+lcea1/dr92fYjWU5S+Rz3fmE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "72d11d40b9878a67c38f003c240c2d2e1811e72a", + "rev": "31ac92f9628682b294026f0860e14587a09ffb4b", "type": "github" }, "original": { @@ -574,11 +699,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1734424634, - "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=", + "lastModified": 1735291276, + "narHash": "sha256-NYVcA06+blsLG6wpAbSPTCyLvxD/92Hy4vlY9WxFI1M=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33", + "rev": "634fd46801442d760e09493a794c4f15db2d0cbb", "type": "github" }, "original": { @@ -621,11 +746,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1734785773, - "narHash": "sha256-ZRG0vNJHRyKnzyWOFciCzodQlv4Sb2+H5I7xKIH2EL0=", + "lastModified": 1735337462, + "narHash": "sha256-B+PNIYtTmgnTV/wdA/qrYohmeBHaYrDwVAueODdvtlo=", "owner": "nix-community", "repo": "NUR", - "rev": "db4e0d95cd1f9f77113cd9c3c9de5974fa721a98", + "rev": "538f624930cdfb852e4e3dd055f79e932d5b3c16", "type": "github" }, "original": { 
@@ -634,10 +759,33 @@ "type": "github" } }, + "nuscht-search": { + "inputs": { + "flake-utils": "flake-utils", + "ixx": "ixx", + "nixpkgs": [ + "catppuccin", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733773348, + "narHash": "sha256-Y47y+LesOCkJaLvj+dI/Oa6FAKj/T9sKVKDXLNsViPw=", + "owner": "NuschtOS", + "repo": "search", + "rev": "3051be7f403bff1d1d380e4612f0c70675b44fc9", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "repo": "search", + "type": "github" + } + }, "nuschtosSearch": { "inputs": { - "flake-utils": "flake-utils_3", - "ixx": "ixx", + "flake-utils": "flake-utils_4", + "ixx": "ixx_2", "nixpkgs": [ "my-nixvim", "nixvim", @@ -664,14 +812,14 @@ "colmena": "colmena", "comin": "comin", "disko": "disko", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_3", "home-manager": "home-manager", "my-nixvim": "my-nixvim", "nix-index-database": "nix-index-database", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs_2", - "nixpkgs-stable": "nixpkgs-stable", + "nixpkgs-stable": "nixpkgs-stable_2", "nur": "nur", "sops-nix": "sops-nix" } @@ -742,6 +890,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ diff --git a/flake.nix b/flake.nix index 23b83a7..27f8265 100644 --- a/flake.nix +++ b/flake.nix @@ -49,6 +49,8 @@ catppuccin = { url = "github:catppuccin/nix"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.home-manager.follows = "home-manager"; }; disko = { diff --git a/garnix.yaml b/garnix.yaml index 0fc1635..630fac6 100644 --- a/garnix.yaml +++ b/garnix.yaml 
@@ -1,10 +1,19 @@ builds: - include: - - '*.x86_64-linux.*' - - defaultPackage.x86_64-linux - - devShell.x86_64-linux - - homeConfigurations.x86_64-linux.* - - homeConfigurations.aarch64-linux.* - - darwinConfigurations.* - - nixosConfigurations.* - branch: deploy + - include: + - '*.x86_64-linux.*' + - defaultPackage.x86_64-linux + - devShell.x86_64-linux + - homeConfigurations.x86_64-linux.* + - homeConfigurations.aarch64-linux.* + - darwinConfigurations.* + - nixosConfigurations.* + branch: deploy + - include: + - '*.x86_64-linux.*' + - defaultPackage.x86_64-linux + - devShell.x86_64-linux + - homeConfigurations.x86_64-linux.* + - homeConfigurations.aarch64-linux.* + - darwinConfigurations.* + - nixosConfigurations.* + branch: next diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 68bd802..faa968a 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -295,7 +295,7 @@ in # onlyoffice-bin # wemeet - config.nur.repos.linyinfeng.wemeet + wemeet virt-manager wineWowPackages.waylandFull From b8536f580184f4043c2da2d3a427fdd348ceb88a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 28 Dec 2024 10:13:04 +0800 Subject: [PATCH 25/60] calcite: global ctrl overload with keyd --- machines/calcite/configuration.nix | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index faa968a..9a70f52 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -152,9 +152,13 @@ in services.keyd = { enable = true; keyboards = { - defualt = { - id = [ "*" ]; - capslock = "overload(control, esc)"; + default = { + ids = [ "*" ]; + settings = { + main = { + capslock = "overload(control, esc)"; + }; + }; }; "internal" = { ids = [ "0b05:1866" ]; From 40bed6459d12e0152bcc80ef427df262abc3082b Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Sat, 28 Dec 2024 10:52:56 +0800 Subject: [PATCH 26/60] Revert "nixos/comin: use unified testing branch" This reverts commit 1d106c3d0937e18706c199f537a900bb52d386b3. --- modules/nixos/common-settings/comin.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/nixos/common-settings/comin.nix b/modules/nixos/common-settings/comin.nix index 97a254b..70a23ee 100644 --- a/modules/nixos/common-settings/comin.nix +++ b/modules/nixos/common-settings/comin.nix @@ -24,7 +24,6 @@ in name = "origin"; url = "https://github.com/xinyangli/nixos-config.git"; branches.main.name = "deploy-comin"; - branches.testing.name = "deploy-comin"; } ]; hostname = config.networking.hostName; From 8b458d684c1c416ae3b15f9573201b1fd9c847c5 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 28 Dec 2024 12:04:13 +0800 Subject: [PATCH 27/60] flake.lock: update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'nixpkgs': 'github:xinyangli/nixpkgs/2ad7f9f3c996dd9838a4f68941bcbeed2807b150?narHash=sha256-hb2GwIHunYTjo8d1zBfSC5v46IEY5UZWQdR5R1omvmE%3D' (2024-12-22) → 'github:xinyangli/nixpkgs/81d86565f2130d14bc36bf2c4e8fab1c4f85e505?narHash=sha256-zcF09G4SuoY/obD0B5PeEcVKM/n9cQnxjFHZZhAchao%3D' (2024-12-28) --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index a3527f7..9c4020a 100644 --- a/flake.lock +++ b/flake.lock @@ -683,11 +683,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1734829510, - "narHash": "sha256-hb2GwIHunYTjo8d1zBfSC5v46IEY5UZWQdR5R1omvmE=", + "lastModified": 1735350617, + "narHash": "sha256-zcF09G4SuoY/obD0B5PeEcVKM/n9cQnxjFHZZhAchao=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "2ad7f9f3c996dd9838a4f68941bcbeed2807b150", + "rev": "81d86565f2130d14bc36bf2c4e8fab1c4f85e505", "type": "github" }, "original": { From 6055afbefe92ac3b26fb4339713525d546450fde Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Sat, 28 Dec 2024 13:32:24 +0800 Subject: [PATCH 28/60] biotite,weilite: fix error caused by bump --- machines/biotite/services/synapse.nix | 4 ++++ machines/weilite/default.nix | 14 ++++---------- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/machines/biotite/services/synapse.nix b/machines/biotite/services/synapse.nix index e352495..b4c2f26 100644 --- a/machines/biotite/services/synapse.nix +++ b/machines/biotite/services/synapse.nix @@ -31,6 +31,10 @@ in services.matrix-synapse = { enable = true; + # TODO: Waiting for https://github.com/NixOS/nixpkgs/issues/367976 + package = pkgs.matrix-synapse.override { + matrix-synapse-unwrapped = pkgs.matrix-synapse-unwrapped.overridePythonAttrs { doCheck = false; }; + }; withJemalloc = true; settings = { server_name = "xiny.li"; diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index cb5804b..d3e8de7 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -174,17 +174,11 @@ services.caddy = { enable = true; package = pkgs.caddy.withPlugins { - caddyModules = [ - { - repo = "github.com/caddy-dns/cloudflare"; - version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; - } - { - repo = "github.com/caddy-dns/dnspod"; - version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af"; - } + plugins = [ + "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e" + "github.com/caddy-dns/dnspod@v0.0.4" ]; - vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI="; + hash = "sha256-StgQx4Aqumisk4MYN6f4S/QyAHa37yTmGTdrtEeMTHg="; }; virtualHosts."derper00.namely.icu:8443".extraConfig = '' reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port} From 25cef508c92216587a1bd945f544c696ff2e1bb2 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sat, 28 Dec 2024 13:45:56 +0800 Subject: [PATCH 29/60] biotite: fix matrix-synapse --- machines/biotite/services/synapse.nix | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
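Review bot: `doCheck = false` in the `matrix-synapse-unwrapped` override in `machines/biotite/services/synapse.nix` switches off the package's test phase for a network-facing homeserver, and nothing in the hunk ends the workaround once the linked nixpkgs issue is resolved. Tying it to the affected release lets it lapse on the next bump, for example `doCheck = pkgs.matrix-synapse-unwrapped.version != "PLACEHOLDER_AFFECTED_VERSION";` (placeholder; the version is not shown on the page). The following commit (PATCH 29/60) moves the same override into `nixpkgs.overlays`, where it reaches every consumer of `matrix-synapse-unwrapped` in that host's package set; the same guard applies there using `prev.matrix-synapse-unwrapped.version`. The `services.matrix-synapse` block continues outside the hunk.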
diff --git a/machines/biotite/services/synapse.nix b/machines/biotite/services/synapse.nix index b4c2f26..552d31d 100644 --- a/machines/biotite/services/synapse.nix +++ b/machines/biotite/services/synapse.nix @@ -29,12 +29,15 @@ in ''; }; + # TODO: Waiting for https://github.com/NixOS/nixpkgs/issues/367976 + nixpkgs.overlays = [ + (final: prev: { + matrix-synapse-unwrapped = prev.matrix-synapse-unwrapped.overridePythonAttrs { doCheck = false; }; + }) + ]; + services.matrix-synapse = { enable = true; - # TODO: Waiting for https://github.com/NixOS/nixpkgs/issues/367976 - package = pkgs.matrix-synapse.override { - matrix-synapse-unwrapped = pkgs.matrix-synapse-unwrapped.overridePythonAttrs { doCheck = false; }; - }; withJemalloc = true; settings = { server_name = "xiny.li"; From 465fa0e1276f8a6dd376670d67fda702fcb34cc4 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Sun, 29 Dec 2024 01:01:38 +0800 Subject: [PATCH 30/60] baryte: prepare initial sd image --- flake.lock | 22 ++++++++++++++++++++++ flake.nix | 14 ++++++++++++++ machines/baryte/default.nix | 22 ++++++++++++++++++++++ 3 files changed, 58 insertions(+) create mode 100644 machines/baryte/default.nix diff --git a/flake.lock b/flake.lock index 9c4020a..c8719e9 100644 --- a/flake.lock +++ b/flake.lock @@ -621,6 +621,27 @@ "type": "github" } }, + "nixos-sbc": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1735186792, + "narHash": "sha256-XIIf8bU1khErw+dm66CdtHKQUGTMXuARWx08FtGNjqo=", + "owner": "nakato", + "repo": "nixos-sbc", + "rev": "0f6fe1d77b3fc2198aabf76453f0a5159c9835c5", + "type": "github" + }, + "original": { + "owner": "nakato", + "ref": "main", + "repo": "nixos-sbc", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1731139594, 
@@ -818,6 +839,7 @@ "nix-index-database": "nix-index-database", "nix-vscode-extensions": "nix-vscode-extensions", "nixos-hardware": "nixos-hardware", + "nixos-sbc": "nixos-sbc", "nixpkgs": "nixpkgs_2", "nixpkgs-stable": "nixpkgs-stable_2", "nur": "nur", diff --git a/flake.nix b/flake.nix index 27f8265..fa354c6 100644 --- a/flake.nix +++ b/flake.nix @@ -62,6 +62,11 @@ url = "github:xinyangli/comin"; inputs.nixpkgs.follows = "nixpkgs"; }; + + nixos-sbc = { + url = "github:nakato/nixos-sbc/main"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; outputs = @@ -80,6 +85,7 @@ nix-index-database, disko, comin, + nixos-sbc, ... }: let @@ -147,6 +153,11 @@ disko.nixosModules.disko ./machines/biotite ]; + baryte = [ + nixos-sbc.nixosModules.default + nixos-sbc.nixosModules.boards.bananapi.bpir4 + ./machines/baryte + ]; }; sharedColmenaModules = [ deploymentModule @@ -311,6 +322,9 @@ calcite = mkNixos { hostname = "calcite"; }; + baryte = mkNixos { + hostname = "baryte"; + }; } // self.colmenaHive.nodes; } diff --git a/machines/baryte/default.nix b/machines/baryte/default.nix new file mode 100644 index 0000000..e9cfdd6 --- /dev/null +++ b/machines/baryte/default.nix @@ -0,0 +1,22 @@ +{ config, lib, ... }: +{ + imports = [ + ]; + config = { + nixpkgs.hostPlatform = "aarch64-linux"; + system.stateVersion = "25.05"; + users.users.root.hashedPassword = "$y$j9T$NToEZWJBONjSgRnMd9Ur9/$o6n7a9b8eUILQz4d37oiHCCVnDJ8hZTZt.c.37zFfU."; + + commonSettings = { + auth.enable = true; + }; + + services.openssh.enable = true; + services.dae = { + enable = true; + configFile = "/var/lib/dae/config.dae"; + }; + services.tailscale.enable = true; + time.timeZone = "Asia/Shanghai"; + }; +} From 36d25d2be98d3f92df286faf794e0d7016c74f48 Mon Sep 17 00:00:00 2001 
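Review bot: The root password hash assigned to `users.users.root.hashedPassword` in the new `machines/baryte/default.nix` is committed verbatim, so anyone who can read the repository (and, as far as NixOS documents this option, the evaluated system in the Nix store) can test password guesses against it offline. `sops-nix` is already a flake input, so the hash could be kept as a secret and referenced with `users.users.root.hashedPasswordFile = config.sops.secrets.PLACEHOLDER_SECRET_NAME.path;`, with that secret marked `neededForUsers = true`; whether this host imports the sops module is not visible here. The same file enables `services.openssh`, so if key-only login is intended and `commonSettings.auth` does not already enforce it, `services.openssh.settings.PasswordAuthentication = false;` would state that explicitly. Because the hash is now in history, the password itself should be treated as needing rotation rather than only moving the value.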
From: xinyangli Date: Wed, 1 Jan 2025 13:14:21 +0800 Subject: [PATCH 31/60] flake.lock: update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'catppuccin': 'github:catppuccin/nix/a2e641bc6b17129d81d54019e14c9956784c69c6?narHash=sha256-vU7SkHINr%2BNqmZeFLA11plsaUfazKKpdEhI/oTJbK3Q%3D' (2024-12-27) → 'github:catppuccin/nix/63290ea1d2a28e65195017ed78a81cfc242ef0df?narHash=sha256-DTcB/kBZULyJztXXnH3OVF5LHLl%2BO670DuLZZNUMnNo%3D' (2024-12-31) • Updated input 'disko': 'github:nix-community/disko/3a4de9fa3a78ba7b7170dda6bd8b4cdab87c0b21?narHash=sha256-Tc35Y8H%2BkrA6rZeOIczsaGAtobSSBPqR32AfNTeHDRc%3D' (2024-12-24) → 'github:nix-community/disko/84a5b93637cc16cbfcc61b6e1684d626df61eb21?narHash=sha256-2dt1nOe9zf9pDkf5Kn7FUFyPRo581s0n90jxYXJ94l0%3D' (2024-12-29) • Updated input 'home-manager': 'github:nix-community/home-manager/b7a7cd5dd1a74a9fe86ed4e016f91c78483b527a?narHash=sha256-p7IJP/97zJda/wwCn1T2LJBz4olF5LjNf4uwhuyvARo%3D' (2024-12-27) → 'github:nix-community/home-manager/10e99c43cdf4a0713b4e81d90691d22c6a58bdf2?narHash=sha256-CyCZFhMUkuYbSD6bxB/r43EdmDE7hYeZZPTCv0GudO4%3D' (2024-12-28) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/7e3246f6ad43b44bc1c16d580d7bf6467f971530?narHash=sha256-kWNi45/mRjQMG%2BUpaZQ7KyPavYrKfle3WgLn9YeBBVg%3D' (2024-12-26) → 'github:Mic92/nix-index-database/55ab1e1df5daf2476e6b826b69a82862dcbd7544?narHash=sha256-AydPpRBh8%2BNOkrLylG7vTsHrGO2b5L7XkMEL5HlzcA8%3D' (2024-12-29) • Updated input 'nix-vscode-extensions': 'github:nix-community/nix-vscode-extensions/57719f14beefb91c5b58da26bb9cffbdb4f70bfa?narHash=sha256-rNhcGVh6Xnc0DKWR5RTTD9OxucfAotd41LEuMCGz228%3D' (2024-12-28) → 'github:nix-community/nix-vscode-extensions/347788291ac0c12ca94985b0d56ab1a8d0ff8963?narHash=sha256-ujnG10iww5jUevENbBEpJBI2emTlLq%2BudZ/oSMEJ3Hs%3D' (2025-01-01) • Updated input 'nixos-hardware': 
'github:NixOS/nixos-hardware/def1d472c832d77885f174089b0d34854b007198?narHash=sha256-QIhd8/0x30gEv8XEE1iAnrdMlKuQ0EzthfDR7Hwl%2Bfk%3D' (2024-12-23) → 'github:NixOS/nixos-hardware/7c674c6734f61157e321db595dbfcd8523e04e19?narHash=sha256-e5IOgjQf0SZcFCEV/gMGrsI0gCJyqOKShBQU0iiM3Kg%3D' (2024-12-28) • Updated input 'nixos-sbc': 'github:nakato/nixos-sbc/0f6fe1d77b3fc2198aabf76453f0a5159c9835c5?narHash=sha256-XIIf8bU1khErw%2Bdm66CdtHKQUGTMXuARWx08FtGNjqo%3D' (2024-12-26) → 'github:nakato/nixos-sbc/2bdf5ca7326861a23edcbea46647ec5e3725daed?narHash=sha256-NxyRlZl/Io0lT5kaSsnlm0KpTVac4sElIbi6V3qL3bk%3D' (2024-12-30) • Updated input 'nixpkgs': 'github:xinyangli/nixpkgs/81d86565f2130d14bc36bf2c4e8fab1c4f85e505?narHash=sha256-zcF09G4SuoY/obD0B5PeEcVKM/n9cQnxjFHZZhAchao%3D' (2024-12-28) → 'github:xinyangli/nixpkgs/51e90df62b8fcd53e80761cbfa568e183a2c3a42?narHash=sha256-2QcaFAbsTS3doNHCvF48WEd1YiOzJKoXnXDMNjzAL4Q%3D' (2025-01-01) • Updated input 'nixpkgs-stable': 'github:nixos/nixpkgs/31ac92f9628682b294026f0860e14587a09ffb4b?narHash=sha256-JMRV2RI58nV1UqLXqm%2Blcea1/dr92fYjWU5S%2BRz3fmE%3D' (2024-12-27) → 'github:nixos/nixpkgs/b134951a4c9f3c995fd7be05f3243f8ecd65d798?narHash=sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8%3D' (2024-12-30) • Updated input 'nur': 'github:nix-community/NUR/538f624930cdfb852e4e3dd055f79e932d5b3c16?narHash=sha256-B%2BPNIYtTmgnTV/wdA/qrYohmeBHaYrDwVAueODdvtlo%3D' (2024-12-27) → 'github:nix-community/NUR/21096db6c9ba41cd300a22ee42b86851366bd94f?narHash=sha256-b7iPAqFGwY1rRv0xdT/vsZjo8UnbJFPf9U9PC2OuU4U%3D' (2025-01-01) • Updated input 'nur/nixpkgs': 'github:nixos/nixpkgs/634fd46801442d760e09493a794c4f15db2d0cbb?narHash=sha256-NYVcA06%2BblsLG6wpAbSPTCyLvxD/92Hy4vlY9WxFI1M%3D' (2024-12-27) → 'github:nixos/nixpkgs/88195a94f390381c6afcdaa933c2f6ff93959cb4?narHash=sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs%3D' (2024-12-29) • Updated input 'sops-nix': 
'github:Mic92/sops-nix/ed091321f4dd88afc28b5b4456e0a15bd8374b4d?narHash=sha256-6OvJbqQ6qPpNw3CA%2BW8Myo5aaLhIJY/nNFDk3zMXLfM%3D' (2024-12-18) → 'github:Mic92/sops-nix/bcb8b65aa596866eb7e5c3e1a6cccbf5d1560b27?narHash=sha256-ZjUjbvS06jf4fElOF4ve8EHjbpbRVHHypStoY8HGzk8%3D' (2024-12-29) --- flake.lock | 72 +++++++++++++++++++++++++++--------------------------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/flake.lock b/flake.lock index c8719e9..3d69afe 100644 --- a/flake.lock +++ b/flake.lock @@ -15,11 +15,11 @@ "nuscht-search": "nuscht-search" }, "locked": { - "lastModified": 1735263930, - "narHash": "sha256-vU7SkHINr+NqmZeFLA11plsaUfazKKpdEhI/oTJbK3Q=", + "lastModified": 1735634086, + "narHash": "sha256-DTcB/kBZULyJztXXnH3OVF5LHLl+O670DuLZZNUMnNo=", "owner": "catppuccin", "repo": "nix", - "rev": "a2e641bc6b17129d81d54019e14c9956784c69c6", + "rev": "63290ea1d2a28e65195017ed78a81cfc242ef0df", "type": "github" }, "original": { @@ -129,11 +129,11 @@ ] }, "locked": { - "lastModified": 1735048446, - "narHash": "sha256-Tc35Y8H+krA6rZeOIczsaGAtobSSBPqR32AfNTeHDRc=", + "lastModified": 1735468753, + "narHash": "sha256-2dt1nOe9zf9pDkf5Kn7FUFyPRo581s0n90jxYXJ94l0=", "owner": "nix-community", "repo": "disko", - "rev": "3a4de9fa3a78ba7b7170dda6bd8b4cdab87c0b21", + "rev": "84a5b93637cc16cbfcc61b6e1684d626df61eb21", "type": "github" }, "original": { @@ -381,11 +381,11 @@ ] }, "locked": { - "lastModified": 1735343815, - "narHash": "sha256-p7IJP/97zJda/wwCn1T2LJBz4olF5LjNf4uwhuyvARo=", + "lastModified": 1735381016, + "narHash": "sha256-CyCZFhMUkuYbSD6bxB/r43EdmDE7hYeZZPTCv0GudO4=", "owner": "nix-community", "repo": "home-manager", - "rev": "b7a7cd5dd1a74a9fe86ed4e016f91c78483b527a", + "rev": "10e99c43cdf4a0713b4e81d90691d22c6a58bdf2", "type": "github" }, "original": { 
@@ -568,11 +568,11 @@ ] }, "locked": { - "lastModified": 1735222882, - "narHash": "sha256-kWNi45/mRjQMG+UpaZQ7KyPavYrKfle3WgLn9YeBBVg=", + "lastModified": 1735443188, + "narHash": "sha256-AydPpRBh8+NOkrLylG7vTsHrGO2b5L7XkMEL5HlzcA8=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "7e3246f6ad43b44bc1c16d580d7bf6467f971530", + "rev": "55ab1e1df5daf2476e6b826b69a82862dcbd7544", "type": "github" }, "original": { @@ -592,11 +592,11 @@ ] }, "locked": { - "lastModified": 1735350281, - "narHash": "sha256-rNhcGVh6Xnc0DKWR5RTTD9OxucfAotd41LEuMCGz228=", + "lastModified": 1735696423, + "narHash": "sha256-ujnG10iww5jUevENbBEpJBI2emTlLq+udZ/oSMEJ3Hs=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "57719f14beefb91c5b58da26bb9cffbdb4f70bfa", + "rev": "347788291ac0c12ca94985b0d56ab1a8d0ff8963", "type": "github" }, "original": { @@ -607,11 +607,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1734954597, - "narHash": "sha256-QIhd8/0x30gEv8XEE1iAnrdMlKuQ0EzthfDR7Hwl+fk=", + "lastModified": 1735388221, + "narHash": "sha256-e5IOgjQf0SZcFCEV/gMGrsI0gCJyqOKShBQU0iiM3Kg=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "def1d472c832d77885f174089b0d34854b007198", + "rev": "7c674c6734f61157e321db595dbfcd8523e04e19", "type": "github" }, "original": { @@ -628,11 +628,11 @@ ] }, "locked": { - "lastModified": 1735186792, - "narHash": "sha256-XIIf8bU1khErw+dm66CdtHKQUGTMXuARWx08FtGNjqo=", + "lastModified": 1735576041, + "narHash": "sha256-NxyRlZl/Io0lT5kaSsnlm0KpTVac4sElIbi6V3qL3bk=", "owner": "nakato", "repo": "nixos-sbc", - "rev": "0f6fe1d77b3fc2198aabf76453f0a5159c9835c5", + "rev": "2bdf5ca7326861a23edcbea46647ec5e3725daed", "type": "github" }, "original": { 
@@ -688,11 +688,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1735286948, - "narHash": "sha256-JMRV2RI58nV1UqLXqm+lcea1/dr92fYjWU5S+Rz3fmE=", + "lastModified": 1735563628, + "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "31ac92f9628682b294026f0860e14587a09ffb4b", + "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798", "type": "github" }, "original": { @@ -704,11 +704,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1735350617, - "narHash": "sha256-zcF09G4SuoY/obD0B5PeEcVKM/n9cQnxjFHZZhAchao=", + "lastModified": 1735708230, + "narHash": "sha256-2QcaFAbsTS3doNHCvF48WEd1YiOzJKoXnXDMNjzAL4Q=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "81d86565f2130d14bc36bf2c4e8fab1c4f85e505", + "rev": "51e90df62b8fcd53e80761cbfa568e183a2c3a42", "type": "github" }, "original": { @@ -720,11 +720,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1735291276, - "narHash": "sha256-NYVcA06+blsLG6wpAbSPTCyLvxD/92Hy4vlY9WxFI1M=", + "lastModified": 1735471104, + "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "634fd46801442d760e09493a794c4f15db2d0cbb", + "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4", "type": "github" }, "original": { @@ -767,11 +767,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1735337462, - "narHash": "sha256-B+PNIYtTmgnTV/wdA/qrYohmeBHaYrDwVAueODdvtlo=", + "lastModified": 1735705238, + "narHash": "sha256-b7iPAqFGwY1rRv0xdT/vsZjo8UnbJFPf9U9PC2OuU4U=", "owner": "nix-community", "repo": "NUR", - "rev": "538f624930cdfb852e4e3dd055f79e932d5b3c16", + "rev": "21096db6c9ba41cd300a22ee42b86851366bd94f", "type": "github" }, "original": { 
@@ -853,11 +853,11 @@ ] }, "locked": { - "lastModified": 1734546875, - "narHash": "sha256-6OvJbqQ6qPpNw3CA+W8Myo5aaLhIJY/nNFDk3zMXLfM=", + "lastModified": 1735468296, + "narHash": "sha256-ZjUjbvS06jf4fElOF4ve8EHjbpbRVHHypStoY8HGzk8=", "owner": "Mic92", "repo": "sops-nix", - "rev": "ed091321f4dd88afc28b5b4456e0a15bd8374b4d", + "rev": "bcb8b65aa596866eb7e5c3e1a6cccbf5d1560b27", "type": "github" }, "original": { From 98ad99a867b74228c1468fe6588e2b291a549efb Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 1 Jan 2025 13:15:37 +0800 Subject: [PATCH 32/60] hm/gui: switch to foot --- home/xin/calcite.nix | 7 +------ home/xin/common/gui/foot.nix | 15 +++++++++++++++ machines/calcite/configuration.nix | 1 + 3 files changed, 17 insertions(+), 6 deletions(-) create mode 100644 home/xin/common/gui/foot.nix diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index c834d39..ff95985 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -5,6 +5,7 @@ in { imports = [ ./common + ./common/gui/foot.nix ]; programs.nix-index-database.comma.enable = true; @@ -58,12 +59,6 @@ in xdg.enable = true; custom-hm = { - alacritty = { - enable = true; - }; - cosmic-term = { - enable = true; - }; direnv = { enable = true; }; diff --git a/home/xin/common/gui/foot.nix b/home/xin/common/gui/foot.nix new file mode 100644 index 0000000..0ec411a --- /dev/null +++ b/home/xin/common/gui/foot.nix @@ -0,0 +1,15 @@ +{ pkgs, lib, ... }: +{ + programs.foot = { + enable = true; + settings = { + main = { + font = "monospace:size=14"; + }; + desktop-notifications = { + command = "${lib.getExe pkgs.libnotify} --wait --app-name \${app-id} --icon \${app-id} --category \${category} --urgency \${urgency} --expire-time \${expire-time} --hint STRING:image-path:\${icon} --hint BOOLEAN:suppress-sound:\${muted} --hint STRING:sound-name:\${sound-name} --replace-id \${replace-id} \${action-argument} --print-id -- \${title} \${body}"; + inhibit-when-focused = "yes"; + }; + }; + }; +} 
diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 9a70f52..c3d0655 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -164,6 +164,7 @@ in ids = [ "0b05:1866" ]; settings = { main = { + capslock = "overload(control, esc)"; leftcontrol = "capslock"; }; }; From 75a780dee133719d7d2fffe3c847f9d9c8fc66e0 Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Tue, 14 Jan 2025 00:56:10 +0800 Subject: [PATCH 33/60] flake.lock: update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'nixpkgs': 'github:xinyangli/nixpkgs/51e90df62b8fcd53e80761cbfa568e183a2c3a42?narHash=sha256-2QcaFAbsTS3doNHCvF48WEd1YiOzJKoXnXDMNjzAL4Q%3D' (2025-01-01) → 'github:xinyangli/nixpkgs/f1319a1c0e7e4486a9eece0acabb4e73a5457b6a?narHash=sha256-fstRWbBw1vTPLko8WWrBzqFODBXn2OgP9sf/9GeeDL4%3D' (2025-01-13) • Updated input 'catppuccin': 'github:catppuccin/nix/63290ea1d2a28e65195017ed78a81cfc242ef0df?narHash=sha256-DTcB/kBZULyJztXXnH3OVF5LHLl%2BO670DuLZZNUMnNo%3D' (2024-12-31) → 'github:catppuccin/nix/4a5ac694d7f8a63dec75cbe0ac1c84c818b6b789?narHash=sha256-xHe4X4Je/4WjBL3BPlI1KGqA5N7VQpi4x57YYU9ZOlI%3D' (2025-01-13) • Updated input 'catppuccin/catppuccin-v1_2': 'https://api.flakehub.com/f/pinned/catppuccin/nix/1.2.0/0193e5e0-33b7-7149-a362-bfe56b20f64e/source.tar.gz?narHash=sha256-Let3uJo4YDyfqbqaw66dpZxhJB2TrDyZWSFd5rpPLJA%3D' (2024-12-20) → 'https://api.flakehub.com/f/pinned/catppuccin/nix/1.2.1/0193e646-1107-7f69-a402-f2a3988ecf1d/source.tar.gz?narHash=sha256-CFX4diEQHKvZYjnhf7TLg20m3ge1O4vqgplsk/Kuaek%3D' (2024-12-20) • Updated input 'catppuccin/home-manager-stable': 'github:nix-community/home-manager/80b0fdf483c5d1cb75aaad909bd390d48673857f?narHash=sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw%3D' (2024-12-16) → 'github:nix-community/home-manager/bd65bc3cde04c16755955630b344bc9e35272c56?narHash=sha256-dinzAqCjenWDxuy%2BMqUQq0I4zUSfaCvN9rzuCmgMZJY%3D' (2025-01-08) • Updated input 'catppuccin/nixpkgs-stable': 'github:NixOS/nixpkgs/b47fd6fa00c6afca88b8ee46cfdb00e104f50bca?narHash=sha256-nbG9TijTMcfr%2Bau7ZVbKpAhMJzzE2nQBYmRvSdXUD8g%3D' (2024-12-19) → 'github:NixOS/nixpkgs/cbd8ec4de4469333c82ff40d057350c30e9f7d36?narHash=sha256-DjkQPnkAfd7eB522PwnkGhOMuT9QVCZspDpJJYyOj60%3D' (2025-01-05) • Updated input 'catppuccin/nuscht-search': 
'github:NuschtOS/search/3051be7f403bff1d1d380e4612f0c70675b44fc9?narHash=sha256-Y47y%2BLesOCkJaLvj%2BdI/Oa6FAKj/T9sKVKDXLNsViPw%3D' (2024-12-09) → 'github:NuschtOS/search/836908e3bddd837ae0f13e215dd48767aee355f0?narHash=sha256-Iv59gMDZajNfezTO0Fw6LHE7uKAShxbvMidmZREit7c%3D' (2025-01-02) • Updated input 'disko': 'github:nix-community/disko/84a5b93637cc16cbfcc61b6e1684d626df61eb21?narHash=sha256-2dt1nOe9zf9pDkf5Kn7FUFyPRo581s0n90jxYXJ94l0%3D' (2024-12-29) → 'github:nix-community/disko/f720e64ec37fa16ebba6354eadf310f81555cc07?narHash=sha256-8hKhPQuMtXfJi%2B4lPvw3FBk/zSJVHeb726Zo0uF1PP8%3D' (2025-01-12) • Updated input 'home-manager': 'github:nix-community/home-manager/10e99c43cdf4a0713b4e81d90691d22c6a58bdf2?narHash=sha256-CyCZFhMUkuYbSD6bxB/r43EdmDE7hYeZZPTCv0GudO4%3D' (2024-12-28) → 'github:nix-community/home-manager/fc52a210b60f2f52c74eac41a8647c1573d2071d?narHash=sha256-TY0jUwR3EW0fnS0X5wXMAVy6h4Z7Y6a3m%2BYq%2B%2BC9AyE%3D' (2025-01-13) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/55ab1e1df5daf2476e6b826b69a82862dcbd7544?narHash=sha256-AydPpRBh8%2BNOkrLylG7vTsHrGO2b5L7XkMEL5HlzcA8%3D' (2024-12-29) → 'github:Mic92/nix-index-database/271e5bd7c57e1f001693799518b10a02d1123b12?narHash=sha256-8uolHABgroXqzs03QdulHp8H9e5kWQZnnhcda1MKbBM%3D' (2025-01-12) • Updated input 'nix-vscode-extensions': 'github:nix-community/nix-vscode-extensions/347788291ac0c12ca94985b0d56ab1a8d0ff8963?narHash=sha256-ujnG10iww5jUevENbBEpJBI2emTlLq%2BudZ/oSMEJ3Hs%3D' (2025-01-01) → 'github:nix-community/nix-vscode-extensions/44474e2ca975af013f1594abd6c922f2c8dba022?narHash=sha256-6232F8et5z7XTxK0RuX6bocT6yYGJhlmlHbFdZuHcP0%3D' (2025-01-13) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/7c674c6734f61157e321db595dbfcd8523e04e19?narHash=sha256-e5IOgjQf0SZcFCEV/gMGrsI0gCJyqOKShBQU0iiM3Kg%3D' (2024-12-28) → 'github:NixOS/nixos-hardware/8870dcaff63dfc6647fb10648b827e9d40b0a337?narHash=sha256-OL7leZ6KBhcDF3nEKe4aZVfIm6xQpb1Kb%2BmxySIP93o%3D' (2025-01-09) • Updated 
input 'nixos-sbc': 'github:nakato/nixos-sbc/2bdf5ca7326861a23edcbea46647ec5e3725daed?narHash=sha256-NxyRlZl/Io0lT5kaSsnlm0KpTVac4sElIbi6V3qL3bk%3D' (2024-12-30) → 'github:nakato/nixos-sbc/dc96cdfb4805e11aa641f75d21200202a5ed951b?narHash=sha256-iUWzuHgbRXjFkRZ%2BsafF6vCszN8EW59Y%2B//mlF7hTXA%3D' (2025-01-13) • Updated input 'nur': 'github:nix-community/NUR/21096db6c9ba41cd300a22ee42b86851366bd94f?narHash=sha256-b7iPAqFGwY1rRv0xdT/vsZjo8UnbJFPf9U9PC2OuU4U%3D' (2025-01-01) → 'github:nix-community/NUR/16ff3063cb4a4cf6fb5f48ca7dc55c27f2ea4891?narHash=sha256-JaWZU7wFWsI4rGAemVciyhTxadaZyubJpLqupKLZUtI%3D' (2025-01-13) • Updated input 'nur/nixpkgs': 'github:nixos/nixpkgs/88195a94f390381c6afcdaa933c2f6ff93959cb4?narHash=sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs%3D' (2024-12-29) → 'github:nixos/nixpkgs/ed4a395ea001367c1f13d34b1e01aa10290f67d6?narHash=sha256-jG/%2BMvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA%3D' (2025-01-12) • Updated input 'sops-nix': 'github:Mic92/sops-nix/bcb8b65aa596866eb7e5c3e1a6cccbf5d1560b27?narHash=sha256-ZjUjbvS06jf4fElOF4ve8EHjbpbRVHHypStoY8HGzk8%3D' (2024-12-29) → 'github:Mic92/sops-nix/0f4744b5a95151a85c4f35010dd2d748228f7f53?narHash=sha256-eON7amRmBl59QH6K9uypewkKveaNbosY6CtUgRcv7YU%3D' (2025-01-13) --- flake.lock | 94 +++++++++++++++++++++++++++--------------------------- 1 file changed, 47 insertions(+), 47 deletions(-) diff --git a/flake.lock b/flake.lock index 3d69afe..fd620f0 100644 --- a/flake.lock +++ b/flake.lock @@ -15,11 +15,11 @@ "nuscht-search": "nuscht-search" }, "locked": { - "lastModified": 1735634086, - "narHash": "sha256-DTcB/kBZULyJztXXnH3OVF5LHLl+O670DuLZZNUMnNo=", + "lastModified": 1736785029, + "narHash": "sha256-xHe4X4Je/4WjBL3BPlI1KGqA5N7VQpi4x57YYU9ZOlI=", "owner": "catppuccin", "repo": "nix", - "rev": "63290ea1d2a28e65195017ed78a81cfc242ef0df", + "rev": "4a5ac694d7f8a63dec75cbe0ac1c84c818b6b789", "type": "github" }, "original": { 
@@ -44,12 +44,12 @@ }, "catppuccin-v1_2": { "locked": { - "lastModified": 1734728407, - "narHash": "sha256-Let3uJo4YDyfqbqaw66dpZxhJB2TrDyZWSFd5rpPLJA=", - "rev": "23ee86dbf4ed347878115a78971d43025362fab1", - "revCount": 341, + "lastModified": 1734734291, + "narHash": "sha256-CFX4diEQHKvZYjnhf7TLg20m3ge1O4vqgplsk/Kuaek=", + "rev": "1e4c3803b8da874ff75224ec8512cb173036bbd8", + "revCount": 344, "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/catppuccin/nix/1.2.0/0193e5e0-33b7-7149-a362-bfe56b20f64e/source.tar.gz" + "url": "https://api.flakehub.com/f/pinned/catppuccin/nix/1.2.1/0193e646-1107-7f69-a402-f2a3988ecf1d/source.tar.gz" }, "original": { "type": "tarball", @@ -129,11 +129,11 @@ ] }, "locked": { - "lastModified": 1735468753, - "narHash": "sha256-2dt1nOe9zf9pDkf5Kn7FUFyPRo581s0n90jxYXJ94l0=", + "lastModified": 1736711425, + "narHash": "sha256-8hKhPQuMtXfJi+4lPvw3FBk/zSJVHeb726Zo0uF1PP8=", "owner": "nix-community", "repo": "disko", - "rev": "84a5b93637cc16cbfcc61b6e1684d626df61eb21", + "rev": "f720e64ec37fa16ebba6354eadf310f81555cc07", "type": "github" }, "original": { @@ -381,11 +381,11 @@ ] }, "locked": { - "lastModified": 1735381016, - "narHash": "sha256-CyCZFhMUkuYbSD6bxB/r43EdmDE7hYeZZPTCv0GudO4=", + "lastModified": 1736785676, + "narHash": "sha256-TY0jUwR3EW0fnS0X5wXMAVy6h4Z7Y6a3m+Yq++C9AyE=", "owner": "nix-community", "repo": "home-manager", - "rev": "10e99c43cdf4a0713b4e81d90691d22c6a58bdf2", + "rev": "fc52a210b60f2f52c74eac41a8647c1573d2071d", "type": "github" }, "original": { @@ -402,11 +402,11 @@ ] }, "locked": { - "lastModified": 1734366194, - "narHash": "sha256-vykpJ1xsdkv0j8WOVXrRFHUAdp9NXHpxdnn1F4pYgSw=", + "lastModified": 1736373539, + "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", "owner": "nix-community", "repo": "home-manager", - "rev": "80b0fdf483c5d1cb75aaad909bd390d48673857f", + "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", "type": "github" }, "original": { 
@@ -568,11 +568,11 @@ ] }, "locked": { - "lastModified": 1735443188, - "narHash": "sha256-AydPpRBh8+NOkrLylG7vTsHrGO2b5L7XkMEL5HlzcA8=", + "lastModified": 1736652904, + "narHash": "sha256-8uolHABgroXqzs03QdulHp8H9e5kWQZnnhcda1MKbBM=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "55ab1e1df5daf2476e6b826b69a82862dcbd7544", + "rev": "271e5bd7c57e1f001693799518b10a02d1123b12", "type": "github" }, "original": { @@ -592,11 +592,11 @@ ] }, "locked": { - "lastModified": 1735696423, - "narHash": "sha256-ujnG10iww5jUevENbBEpJBI2emTlLq+udZ/oSMEJ3Hs=", + "lastModified": 1736733107, + "narHash": "sha256-6232F8et5z7XTxK0RuX6bocT6yYGJhlmlHbFdZuHcP0=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "347788291ac0c12ca94985b0d56ab1a8d0ff8963", + "rev": "44474e2ca975af013f1594abd6c922f2c8dba022", "type": "github" }, "original": { @@ -607,11 +607,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1735388221, - "narHash": "sha256-e5IOgjQf0SZcFCEV/gMGrsI0gCJyqOKShBQU0iiM3Kg=", + "lastModified": 1736441705, + "narHash": "sha256-OL7leZ6KBhcDF3nEKe4aZVfIm6xQpb1Kb+mxySIP93o=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "7c674c6734f61157e321db595dbfcd8523e04e19", + "rev": "8870dcaff63dfc6647fb10648b827e9d40b0a337", "type": "github" }, "original": { @@ -628,11 +628,11 @@ ] }, "locked": { - "lastModified": 1735576041, - "narHash": "sha256-NxyRlZl/Io0lT5kaSsnlm0KpTVac4sElIbi6V3qL3bk=", + "lastModified": 1736785579, + "narHash": "sha256-iUWzuHgbRXjFkRZ+safF6vCszN8EW59Y+//mlF7hTXA=", "owner": "nakato", "repo": "nixos-sbc", - "rev": "2bdf5ca7326861a23edcbea46647ec5e3725daed", + "rev": "dc96cdfb4805e11aa641f75d21200202a5ed951b", "type": "github" }, "original": { 
@@ -672,11 +672,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1734600368, - "narHash": "sha256-nbG9TijTMcfr+au7ZVbKpAhMJzzE2nQBYmRvSdXUD8g=", + "lastModified": 1736061677, + "narHash": "sha256-DjkQPnkAfd7eB522PwnkGhOMuT9QVCZspDpJJYyOj60=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b47fd6fa00c6afca88b8ee46cfdb00e104f50bca", + "rev": "cbd8ec4de4469333c82ff40d057350c30e9f7d36", "type": "github" }, "original": { @@ -704,11 +704,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1735708230, - "narHash": "sha256-2QcaFAbsTS3doNHCvF48WEd1YiOzJKoXnXDMNjzAL4Q=", + "lastModified": 1736787601, + "narHash": "sha256-fstRWbBw1vTPLko8WWrBzqFODBXn2OgP9sf/9GeeDL4=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "51e90df62b8fcd53e80761cbfa568e183a2c3a42", + "rev": "f1319a1c0e7e4486a9eece0acabb4e73a5457b6a", "type": "github" }, "original": { @@ -720,11 +720,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1735471104, - "narHash": "sha256-0q9NGQySwDQc7RhAV2ukfnu7Gxa5/ybJ2ANT8DQrQrs=", + "lastModified": 1736701207, + "narHash": "sha256-jG/+MvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "88195a94f390381c6afcdaa933c2f6ff93959cb4", + "rev": "ed4a395ea001367c1f13d34b1e01aa10290f67d6", "type": "github" }, "original": { @@ -767,11 +767,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1735705238, - "narHash": "sha256-b7iPAqFGwY1rRv0xdT/vsZjo8UnbJFPf9U9PC2OuU4U=", + "lastModified": 1736786866, + "narHash": "sha256-JaWZU7wFWsI4rGAemVciyhTxadaZyubJpLqupKLZUtI=", "owner": "nix-community", "repo": "NUR", - "rev": "21096db6c9ba41cd300a22ee42b86851366bd94f", + "rev": "16ff3063cb4a4cf6fb5f48ca7dc55c27f2ea4891", "type": "github" }, "original": { 
@@ -790,11 +790,11 @@ ] }, "locked": { - "lastModified": 1733773348, - "narHash": "sha256-Y47y+LesOCkJaLvj+dI/Oa6FAKj/T9sKVKDXLNsViPw=", + "lastModified": 1735854821, + "narHash": "sha256-Iv59gMDZajNfezTO0Fw6LHE7uKAShxbvMidmZREit7c=", "owner": "NuschtOS", "repo": "search", - "rev": "3051be7f403bff1d1d380e4612f0c70675b44fc9", + "rev": "836908e3bddd837ae0f13e215dd48767aee355f0", "type": "github" }, "original": { @@ -853,11 +853,11 @@ ] }, "locked": { - "lastModified": 1735468296, - "narHash": "sha256-ZjUjbvS06jf4fElOF4ve8EHjbpbRVHHypStoY8HGzk8=", + "lastModified": 1736777442, + "narHash": "sha256-eON7amRmBl59QH6K9uypewkKveaNbosY6CtUgRcv7YU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "bcb8b65aa596866eb7e5c3e1a6cccbf5d1560b27", + "rev": "0f4744b5a95151a85c4f35010dd2d748228f7f53", "type": "github" }, "original": { From 9f56d22b1d2d06730ed4978602c4d8db5596bb30 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 14 Jan 2025 01:02:08 +0800 Subject: [PATCH 34/60] calcite/keyd: fix ctrl overload --- machines/calcite/configuration.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index c3d0655..810399c 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -157,6 +157,7 @@ in settings = { main = { capslock = "overload(control, esc)"; + control = "overload(control, esc)"; }; }; }; From 6991031aff6a2977b22d1b10e75349bfb08208c2 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 15 Jan 2025 11:26:55 +0800 Subject: [PATCH 35/60] calcaite: change nvidia driver to latest Stable nvidia driver now defaults to production due to NixOS/nixpkgs#365454. It's way too old and causes suspend issue. Use latest instead. --- machines/calcite/configuration.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 810399c..1c792b3 100644 --- a/machines/calcite/configuration.nix 
+++ b/machines/calcite/configuration.nix @@ -33,6 +33,7 @@ in "nvidia_modeset" "nvidia_uvm" ]; + hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest; boot.supportedFilesystems = [ "ntfs" ]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; @@ -189,6 +190,10 @@ in pkgs.gutenprintBin pkgs.canon-cups-ufr2 ]; + hardware.sane = { + enable = true; + extraBackends = [ pkgs.hplipWithPlugin ]; + }; hardware.pulseaudio.enable = false; security.rtkit.enable = true; @@ -211,6 +216,7 @@ in "wheel" "wireshark" "tss" + "scanner" ]; }; From 39737718a4c6fda0d42207758fbde05ba2c5f07f Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 23 Jan 2025 18:19:04 +0800 Subject: [PATCH 36/60] home/xin: add thunar,zathura,burpsuite --- home/xin/calcite.nix | 9 +++++++++ home/xin/common/gui/default.nix | 12 ++++++++++++ home/xin/common/pentesting.nix | 6 ++++++ modules/home-manager/gui/niri.nix | 4 ---- 4 files changed, 27 insertions(+), 4 deletions(-) create mode 100644 home/xin/common/gui/default.nix create mode 100644 home/xin/common/pentesting.nix diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index ff95985..40b93c9 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -5,7 +5,9 @@ in { imports = [ ./common + ./common/pentesting.nix ./common/gui/foot.nix + ./common/gui/default.nix ]; programs.nix-index-database.comma.enable = true; @@ -116,6 +118,13 @@ in flags = [ "--disable-up-arrow" ]; }; + programs.zathura = { + enable = true; + options = { + recolor = false; + }; + }; + programs.firefox = { enable = true; policies.DefaultDownloadDirectory = "/media/data/Downloads"; diff --git a/home/xin/common/gui/default.nix b/home/xin/common/gui/default.nix new file mode 100644 index 0000000..38af792 --- /dev/null +++ b/home/xin/common/gui/default.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: +{ + home.packages = with pkgs; [ + # File Manager + xfce.thunar + xfce.thunar-archive-plugin + xfce.thunar-media-tags-plugin + xfce.thunar-volman + + swayimg + ]; +} 
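Review bot: The new `hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;` line in the first hunk of machines/calcite/configuration.nix (PATCH 35) has no comment, so the reason for overriding the default driver branch lives only in the commit message. I would record it next to the setting, e.g. `# default now resolves to the production branch (NixOS/nixpkgs#365454), which is too old and breaks suspend here; drop once production catches up`. Tracking `latest` presumably also means a flake.lock bump can move the kernel driver version, so it helps to know when the override can be removed. The enclosing attribute set starts and ends outside the hunk.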
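Review bot: The second hunk of machines/calcite/configuration.nix enables SANE with `extraBackends = [ pkgs.hplipWithPlugin ];`, the hplip build that bundles HP's closed-source binary plugin, while the printer drivers visible just above it are `pkgs.gutenprintBin` and `pkgs.canon-cups-ufr2`. If the scanner is not an HP model that needs the plugin, `pkgs.hplip` or the stock SANE backends would keep a vendor blob out of the system closure. If it is, a one-line comment naming the device would explain the choice. The scanner support and the `"scanner"` group added in the third hunk are also not mentioned in the commit message, which only describes the nvidia driver switch.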
diff --git a/home/xin/common/pentesting.nix b/home/xin/common/pentesting.nix new file mode 100644 index 0000000..92601a6 --- /dev/null +++ b/home/xin/common/pentesting.nix @@ -0,0 +1,6 @@ +{ pkgs, ... }: +{ + home.packages = with pkgs; [ + burpsuite + ]; +} diff --git a/modules/home-manager/gui/niri.nix b/modules/home-manager/gui/niri.nix index d26bf93..527e9e6 100644 --- a/modules/home-manager/gui/niri.nix +++ b/modules/home-manager/gui/niri.nix @@ -34,10 +34,6 @@ in }; config = mkIf cfg.enable { - home.packages = with pkgs; [ - cosmic-files - ]; - systemd.user.services.xwayland-satellite = { Install = { WantedBy = [ "graphical-session.target" ]; From 13bb545ac77da32f0c6693fe28876c4c1f2dc57c Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 23 Jan 2025 18:43:12 +0800 Subject: [PATCH 37/60] modules/nix: disable channel --- modules/nixos/common-settings/nix-conf.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/nixos/common-settings/nix-conf.nix b/modules/nixos/common-settings/nix-conf.nix index 1af1419..f6a7684 100644 --- a/modules/nixos/common-settings/nix-conf.nix +++ b/modules/nixos/common-settings/nix-conf.nix @@ -41,6 +41,8 @@ in nix.optimise.automatic = true; + nix.channel.enable = false; + nix.settings = { experimental-features = [ "nix-command" From 48e1801df6d27f0ae8f86626c44426f6789d988d Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Fri, 31 Jan 2025 15:09:45 +0800 Subject: [PATCH 38/60] flake.lock: update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'catppuccin': 'github:catppuccin/nix/4a5ac694d7f8a63dec75cbe0ac1c84c818b6b789?narHash=sha256-xHe4X4Je/4WjBL3BPlI1KGqA5N7VQpi4x57YYU9ZOlI%3D' (2025-01-13) → 'github:catppuccin/nix/06f0ea19334bcc8112e6d671fd53e61f9e3ad63a?narHash=sha256-8kBIYfn8TI9jbffhDNS12SdbQHb9ITXflwcgIJBeGqw%3D' (2025-01-22) • Removed input 'catppuccin/catppuccin-v1_1' • Removed input 'catppuccin/catppuccin-v1_2' • Removed input 'catppuccin/home-manager' • Removed input 'catppuccin/home-manager-stable' • Removed input 'catppuccin/home-manager-stable/nixpkgs' • Removed input 'catppuccin/nixpkgs-stable' • Removed input 'catppuccin/nuscht-search' • Removed input 'catppuccin/nuscht-search/flake-utils' • Removed input 'catppuccin/nuscht-search/flake-utils/systems' • Removed input 'catppuccin/nuscht-search/ixx' • Removed input 'catppuccin/nuscht-search/ixx/flake-utils' • Removed input 'catppuccin/nuscht-search/ixx/nixpkgs' • Removed input 'catppuccin/nuscht-search/nixpkgs' • Updated input 'disko': 'github:nix-community/disko/f720e64ec37fa16ebba6354eadf310f81555cc07?narHash=sha256-8hKhPQuMtXfJi%2B4lPvw3FBk/zSJVHeb726Zo0uF1PP8%3D' (2025-01-12) → 'github:nix-community/disko/18d0a984cc2bc82cf61df19523a34ad463aa7f54?narHash=sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML%2B3TKAo%3D' (2025-01-29) • Updated input 'home-manager': 'github:nix-community/home-manager/fc52a210b60f2f52c74eac41a8647c1573d2071d?narHash=sha256-TY0jUwR3EW0fnS0X5wXMAVy6h4Z7Y6a3m%2BYq%2B%2BC9AyE%3D' (2025-01-13) → 'github:nix-community/home-manager/a8159195bfaef3c64df75d3b1e6a68d49d392be9?narHash=sha256-PM%2BcGduJ05EZ%2BYXulqAwUFjvfKpPmW080mcuN6R1POw%3D' (2025-01-30) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/271e5bd7c57e1f001693799518b10a02d1123b12?narHash=sha256-8uolHABgroXqzs03QdulHp8H9e5kWQZnnhcda1MKbBM%3D' 
(2025-01-12) → 'github:Mic92/nix-index-database/79b7b8eae3243fc5aa9aad34ba6b9bbb2266f523?narHash=sha256-LIRtMvAwLGb8pBoamzgEF67oKlNPz4LuXiRPVZf%2BTpE%3D' (2025-01-26) • Updated input 'nix-vscode-extensions': 'github:nix-community/nix-vscode-extensions/44474e2ca975af013f1594abd6c922f2c8dba022?narHash=sha256-6232F8et5z7XTxK0RuX6bocT6yYGJhlmlHbFdZuHcP0%3D' (2025-01-13) → 'github:nix-community/nix-vscode-extensions/529e0a84346f34db86ea24203c0b2e975fefb4f2?narHash=sha256-q8pOnhaA95ZZf%2BCJ4ahScSzt5pbnL7lShFuMwTwiw7I%3D' (2025-01-31) • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/8870dcaff63dfc6647fb10648b827e9d40b0a337?narHash=sha256-OL7leZ6KBhcDF3nEKe4aZVfIm6xQpb1Kb%2BmxySIP93o%3D' (2025-01-09) → 'github:NixOS/nixos-hardware/dfad538f751a5aa5d4436d9781ab27a6128ec9d4?narHash=sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4%3D' (2025-01-24) • Updated input 'nixos-sbc': 'github:nakato/nixos-sbc/dc96cdfb4805e11aa641f75d21200202a5ed951b?narHash=sha256-iUWzuHgbRXjFkRZ%2BsafF6vCszN8EW59Y%2B//mlF7hTXA%3D' (2025-01-13) → 'github:nakato/nixos-sbc/21be4ab012197a2eea4bbff8315c40f26f715a18?narHash=sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0%3D' (2025-01-30) • Updated input 'nur': 'github:nix-community/NUR/16ff3063cb4a4cf6fb5f48ca7dc55c27f2ea4891?narHash=sha256-JaWZU7wFWsI4rGAemVciyhTxadaZyubJpLqupKLZUtI%3D' (2025-01-13) → 'github:nix-community/NUR/663390a62b2986f8ea650de7768c4b4c98d49a96?narHash=sha256-9YcoURYAAbMt7fFd0mBtyNH51a2pgxDu94qKnNIt7Ic%3D' (2025-01-31) • Updated input 'nur/nixpkgs': 'github:nixos/nixpkgs/ed4a395ea001367c1f13d34b1e01aa10290f67d6?narHash=sha256-jG/%2BMvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA%3D' (2025-01-12) → 'github:nixos/nixpkgs/9d3ae807ebd2981d593cddd0080856873139aa40?narHash=sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9%2BWC4%3D' (2025-01-29) • Updated input 'sops-nix': 'github:Mic92/sops-nix/0f4744b5a95151a85c4f35010dd2d748228f7f53?narHash=sha256-eON7amRmBl59QH6K9uypewkKveaNbosY6CtUgRcv7YU%3D' (2025-01-13) → 
'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7?narHash=sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320%3D' (2025-01-31) --- flake.lock | 260 +++++++++++------------------------------------------ 1 file changed, 51 insertions(+), 209 deletions(-) diff --git a/flake.lock b/flake.lock index fd620f0..ed7d6fc 100644 --- a/flake.lock +++ b/flake.lock @@ -2,24 +2,16 @@ "nodes": { "catppuccin": { "inputs": { - "catppuccin-v1_1": "catppuccin-v1_1", - "catppuccin-v1_2": "catppuccin-v1_2", - "home-manager": [ - "home-manager" - ], - "home-manager-stable": "home-manager-stable", "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable", - "nuscht-search": "nuscht-search" + ] }, "locked": { - "lastModified": 1736785029, - "narHash": "sha256-xHe4X4Je/4WjBL3BPlI1KGqA5N7VQpi4x57YYU9ZOlI=", + "lastModified": 1737579274, + "narHash": "sha256-8kBIYfn8TI9jbffhDNS12SdbQHb9ITXflwcgIJBeGqw=", "owner": "catppuccin", "repo": "nix", - "rev": "4a5ac694d7f8a63dec75cbe0ac1c84c818b6b789", + "rev": "06f0ea19334bcc8112e6d671fd53e61f9e3ad63a", "type": "github" }, "original": { 
@@ -28,38 +20,10 @@ "type": "github" } }, - "catppuccin-v1_1": { - "locked": { - "lastModified": 1734055249, - "narHash": "sha256-pCWJgwo77KD7EJpwynwKrWPZ//dwypHq2TfdzZWqK68=", - "rev": "7221d6ca17ac36ed20588e1c3a80177ac5843fa7", - "revCount": 326, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/catppuccin/nix/1.1.1/0193bdc0-b045-7eed-bbec-95611a8ecdf5/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/catppuccin/nix/1.1.%2A.tar.gz" - } - }, - "catppuccin-v1_2": { - "locked": { - "lastModified": 1734734291, - "narHash": "sha256-CFX4diEQHKvZYjnhf7TLg20m3ge1O4vqgplsk/Kuaek=", - "rev": "1e4c3803b8da874ff75224ec8512cb173036bbd8", - "revCount": 344, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/catppuccin/nix/1.2.1/0193e646-1107-7f69-a402-f2a3988ecf1d/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/catppuccin/nix/1.2.%2A.tar.gz" - } - }, "colmena": { "inputs": { "flake-compat": "flake-compat", - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils", "nix-github-actions": "nix-github-actions", "nixpkgs": [ "nixpkgs" @@ -129,11 +93,11 @@ ] }, "locked": { - "lastModified": 1736711425, - "narHash": "sha256-8hKhPQuMtXfJi+4lPvw3FBk/zSJVHeb726Zo0uF1PP8=", + "lastModified": 1738148035, + "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", "owner": "nix-community", "repo": "disko", - "rev": "f720e64ec37fa16ebba6354eadf310f81555cc07", + "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", "type": "github" }, "original": { @@ -250,6 +214,21 @@ } }, "flake-utils": { + "locked": { + "lastModified": 1659877975, + "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { "inputs": { "systems": "systems" }, 
@@ -267,43 +246,10 @@ "type": "github" } }, - "flake-utils_2": { - "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, "flake-utils_3": { "inputs": { "systems": "systems_2" }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { - "inputs": { - "systems": "systems_3" - }, "locked": { "lastModified": 1726560853, "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", @@ -381,11 +327,11 @@ ] }, "locked": { - "lastModified": 1736785676, - "narHash": "sha256-TY0jUwR3EW0fnS0X5wXMAVy6h4Z7Y6a3m+Yq++C9AyE=", + "lastModified": 1738275749, + "narHash": "sha256-PM+cGduJ05EZ+YXulqAwUFjvfKpPmW080mcuN6R1POw=", "owner": "nix-community", "repo": "home-manager", - "rev": "fc52a210b60f2f52c74eac41a8647c1573d2071d", + "rev": "a8159195bfaef3c64df75d3b1e6a68d49d392be9", "type": "github" }, "original": { @@ -394,28 +340,6 @@ "type": "github" } }, - "home-manager-stable": { - "inputs": { - "nixpkgs": [ - "catppuccin", - "nixpkgs-stable" - ] - }, - "locked": { - "lastModified": 1736373539, - "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.11", - "repo": "home-manager", - "type": "github" - } - }, "home-manager_2": { "inputs": { "nixpkgs": [ 
@@ -439,34 +363,6 @@ } }, "ixx": { - "inputs": { - "flake-utils": [ - "catppuccin", - "nuscht-search", - "flake-utils" - ], - "nixpkgs": [ - "catppuccin", - "nuscht-search", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729958008, - "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=", - "owner": "NuschtOS", - "repo": "ixx", - "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "ref": "v0.0.6", - "repo": "ixx", - "type": "github" - } - }, - "ixx_2": { "inputs": { "flake-utils": [ "my-nixvim", @@ -568,11 +464,11 @@ ] }, "locked": { - "lastModified": 1736652904, - "narHash": "sha256-8uolHABgroXqzs03QdulHp8H9e5kWQZnnhcda1MKbBM=", + "lastModified": 1737861961, + "narHash": "sha256-LIRtMvAwLGb8pBoamzgEF67oKlNPz4LuXiRPVZf+TpE=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "271e5bd7c57e1f001693799518b10a02d1123b12", + "rev": "79b7b8eae3243fc5aa9aad34ba6b9bbb2266f523", "type": "github" }, "original": { @@ -592,11 +488,11 @@ ] }, "locked": { - "lastModified": 1736733107, - "narHash": "sha256-6232F8et5z7XTxK0RuX6bocT6yYGJhlmlHbFdZuHcP0=", + "lastModified": 1738287944, + "narHash": "sha256-q8pOnhaA95ZZf+CJ4ahScSzt5pbnL7lShFuMwTwiw7I=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "44474e2ca975af013f1594abd6c922f2c8dba022", + "rev": "529e0a84346f34db86ea24203c0b2e975fefb4f2", "type": "github" }, "original": { @@ -607,11 +503,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1736441705, - "narHash": "sha256-OL7leZ6KBhcDF3nEKe4aZVfIm6xQpb1Kb+mxySIP93o=", + "lastModified": 1737751639, + "narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "8870dcaff63dfc6647fb10648b827e9d40b0a337", + "rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", "type": "github" }, "original": { 
@@ -628,11 +524,11 @@ ] }, "locked": { - "lastModified": 1736785579, - "narHash": "sha256-iUWzuHgbRXjFkRZ+safF6vCszN8EW59Y+//mlF7hTXA=", + "lastModified": 1738254353, + "narHash": "sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0=", "owner": "nakato", "repo": "nixos-sbc", - "rev": "dc96cdfb4805e11aa641f75d21200202a5ed951b", + "rev": "21be4ab012197a2eea4bbff8315c40f26f715a18", "type": "github" }, "original": { @@ -671,22 +567,6 @@ } }, "nixpkgs-stable": { - "locked": { - "lastModified": 1736061677, - "narHash": "sha256-DjkQPnkAfd7eB522PwnkGhOMuT9QVCZspDpJJYyOj60=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "cbd8ec4de4469333c82ff40d057350c30e9f7d36", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_2": { "locked": { "lastModified": 1735563628, "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=", @@ -720,11 +600,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1736701207, - "narHash": "sha256-jG/+MvjVY7SlTakzZ2fJ5dC3V1PrKKrUEOEE30jrOKA=", + "lastModified": 1738142207, + "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ed4a395ea001367c1f13d34b1e01aa10290f67d6", + "rev": "9d3ae807ebd2981d593cddd0080856873139aa40", "type": "github" }, "original": { @@ -767,11 +647,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1736786866, - "narHash": "sha256-JaWZU7wFWsI4rGAemVciyhTxadaZyubJpLqupKLZUtI=", + "lastModified": 1738305622, + "narHash": "sha256-9YcoURYAAbMt7fFd0mBtyNH51a2pgxDu94qKnNIt7Ic=", "owner": "nix-community", "repo": "NUR", - "rev": "16ff3063cb4a4cf6fb5f48ca7dc55c27f2ea4891", + "rev": "663390a62b2986f8ea650de7768c4b4c98d49a96", "type": "github" }, "original": { 
@@ -780,33 +660,10 @@ "type": "github" } }, - "nuscht-search": { - "inputs": { - "flake-utils": "flake-utils", - "ixx": "ixx", - "nixpkgs": [ - "catppuccin", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1735854821, - "narHash": "sha256-Iv59gMDZajNfezTO0Fw6LHE7uKAShxbvMidmZREit7c=", - "owner": "NuschtOS", - "repo": "search", - "rev": "836908e3bddd837ae0f13e215dd48767aee355f0", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "repo": "search", - "type": "github" - } - }, "nuschtosSearch": { "inputs": { - "flake-utils": "flake-utils_4", - "ixx": "ixx_2", + "flake-utils": "flake-utils_3", + "ixx": "ixx", "nixpkgs": [ "my-nixvim", "nixvim", @@ -833,7 +690,7 @@ "colmena": "colmena", "comin": "comin", "disko": "disko", - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_2", "home-manager": "home-manager", "my-nixvim": "my-nixvim", "nix-index-database": "nix-index-database", @@ -841,7 +698,7 @@ "nixos-hardware": "nixos-hardware", "nixos-sbc": "nixos-sbc", "nixpkgs": "nixpkgs_2", - "nixpkgs-stable": "nixpkgs-stable_2", + "nixpkgs-stable": "nixpkgs-stable", "nur": "nur", "sops-nix": "sops-nix" } @@ -853,11 +710,11 @@ ] }, "locked": { - "lastModified": 1736777442, - "narHash": "sha256-eON7amRmBl59QH6K9uypewkKveaNbosY6CtUgRcv7YU=", + "lastModified": 1738291974, + "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=", "owner": "Mic92", "repo": "sops-nix", - "rev": "0f4744b5a95151a85c4f35010dd2d748228f7f53", + "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7", "type": "github" }, "original": { @@ -912,21 +769,6 @@ "type": "github" } }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "treefmt-nix": { "inputs": { "nixpkgs": [ 
From 068a7fe4e7c2b36038dfef0627ed23ad13b40d95 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 31 Jan 2025 15:11:19 +0800 Subject: [PATCH 39/60] dolomite: add user zx --- machines/dolomite/common.nix | 1 + machines/dolomite/secrets/secrets.yaml | 9 ++++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/machines/dolomite/common.nix b/machines/dolomite/common.nix index 0b80ae4..322786f 100644 --- a/machines/dolomite/common.nix +++ b/machines/dolomite/common.nix @@ -44,6 +44,7 @@ "wyj" "yhb" "xin" + "zx" ]; }; }; diff --git a/machines/dolomite/secrets/secrets.yaml b/machines/dolomite/secrets/secrets.yaml index e0df929..87c4677 100644 --- a/machines/dolomite/secrets/secrets.yaml +++ b/machines/dolomite/secrets/secrets.yaml @@ -9,6 +9,9 @@ sing-box: xin: password: ENC[AES256_GCM,data:SRiPFO+Uwy/PT41SIg7eI68wk4AX6so=,iv:aXwP5wa1IrlnvFo/ZL+DYFFHDdWw2Z83de3ApHUTsXo=,tag:sxXoy1FnDxZBQCDeNxphzQ==,type:str] uuid: ENC[AES256_GCM,data:7xK53SO4x0tOIEIYl6kmmAvnpdsR/tYQoG1t/ytsnO4QqWY3,iv:i694Fnu7g1OA3IGzSaoSGA5/eMPo+I/1TZbYuaQrgNA=,tag:4cUlioJn/IvsvZclgboOSA==,type:str] + zx: + password: ENC[AES256_GCM,data:UkRaj5aadq8Ea3j3wh6YQDzxmew=,iv:vrJ7h97KaWmp7+rkYowdTDI7HIq71ZUIERE3o0BY5Fc=,tag:YEPydn9fLmEBYBDD//6Pfw==,type:str] + uuid: ENC[AES256_GCM,data:W+qXN1Xa5ZMXRQh+7dtZkExFrp6qqEOkoxn8Fj5qQ5U23ytz,iv:559UEoMyY3/RfmwJLFCerkuV0DjTbhaRPbW56toxMEU=,tag:pv706bZgEblyGS7V9mwABA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -51,8 +54,8 @@ sops: K1F1SzI2NFNIKzlreVBXSjAxaUxQd28KFaf1uu7OlqIe0TirJFgS3iPjhXPyfNDE m2XUjzdXp+chJCzVOFvpYStqz+e08ADEc+jp3YsTLcxyqvXhQdyL/Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-06T04:35:52Z" - mac: ENC[AES256_GCM,data:DAg4UTwNv+rs6hye2z5UUtA1a4yZbFaAWjLoKAXf87tKgBCZzK8C1q6gLyTQOqp07ptYQd5Q951kfE1a/35SFJsubREzJmu6haxznRgq7pO5HDGqgtjYEHsngsWZh3bUSX/aG2dLISdD81VY68nLzTO0r4h/SL6DNG36RzJgL8E=,iv:V0WhENNt/Szi5VWVD2t5AsWP1tOZUGjFjMNYPDq59XI=,tag:ThRstdzVNtSs6E7qlvKPOw==,type:str] + lastmodified: "2025-01-31T07:11:08Z" + mac: ENC[AES256_GCM,data:CYOPIN29pg5ldsLgkMaqSqKmTKusSBKVVifU2eGPIEILcYEwMmmGkvCH7jG8+QnOicfSTIonA0sPBO/g36X5bLhQIcmzUEnImSXVFLXpvHM2haIxPSHG/xvaLbIPcHMKvHbeyIGIhIdfPp7ssyH1Aa/+PgtfTIMUeOFbIWykgfE=,iv:+u7kyGUgmeEJ2T6rnBS9ACAk4Ka2OPJrz4sCZLVTPP8=,tag:d2eimY7wGwoQZZEh3d0UZA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.2 From 68228aca1f000ae1a995a207ce667a1a7a220604 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 31 Jan 2025 15:11:57 +0800 Subject: [PATCH 40/60] weilite: use one virtiofs mount --- machines/weilite/default.nix | 8 -------- 1 file changed, 8 deletions(-) diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index d3e8de7..9d7aee5 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -91,13 +91,6 @@ }; systemd.mounts = [ - { - what = "immich"; - where = "/mnt/XinPhotos/immich"; - type = "virtiofs"; - options = "rw,nodev,nosuid"; - wantedBy = [ "immich-server.service" ]; - } { what = "originals"; where = "/mnt/XinPhotos/originals"; @@ -111,7 +104,6 @@ type = "virtiofs"; options = "rw,nodev,nosuid"; } - { what = "/mnt/nixos/ocis"; where = "/var/lib/ocis"; From 6331a915ac2c4f9ea7b643b3d28c0a9bd6d012bb Mon Sep 17 00:00:00 2001 
From: xinyangli Date: Sat, 1 Feb 2025 08:10:39 +0800 Subject: [PATCH 41/60] weilite: drop jackett override, fix caddy hash --- machines/weilite/default.nix | 2 +- machines/weilite/services/media-download.nix | 8 -------- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 9d7aee5..5e0bb3c 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -170,7 +170,7 @@ "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e" "github.com/caddy-dns/dnspod@v0.0.4" ]; - hash = "sha256-StgQx4Aqumisk4MYN6f4S/QyAHa37yTmGTdrtEeMTHg="; + hash = "sha256-EmBKn6QV5JpLXpez7+Gu91tP/sUZxq2DkGPYoAe+2QM="; }; virtualHosts."derper00.namely.icu:8443".extraConfig = '' reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port} diff --git a/machines/weilite/services/media-download.nix b/machines/weilite/services/media-download.nix index a161931..cc5657e 100644 --- a/machines/weilite/services/media-download.nix +++ b/machines/weilite/services/media-download.nix @@ -2,14 +2,6 @@ { services.jackett = { enable = true; - package = pkgs.jackett.overrideAttrs { - src = pkgs.fetchFromGitHub { - owner = "jackett"; - repo = "jackett"; - rev = "v0.22.998"; - hash = "sha256-CZvgDWxxIAOTkodgmFNuT3VDW6Ln4Mz+Ki7m91f0BgE="; - }; - }; openFirewall = false; }; From a78e9164e9a64af2fc86456b7d5d2b83fc74e28f Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 5 Feb 2025 11:51:04 +0800 Subject: [PATCH 42/60] weilite: alternative domain for immich --- machines/weilite/default.nix | 40 ----------------- machines/weilite/secrets.yaml | 9 ++-- machines/weilite/services/caddy.nix | 63 +++++++++++++++++++++++++++ machines/weilite/services/default.nix | 1 + machines/weilite/services/restic.nix | 3 ++ 5 files changed, 72 insertions(+), 44 deletions(-) create mode 100644 machines/weilite/services/caddy.nix 
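Review bot: The `hash` passed to `pkgs.caddy.withPlugins` in machines/weilite/default.nix (PATCH 41) changes while both plugin pins (`caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e` and `caddy-dns/dnspod@v0.0.4`) stay the same, and neither the hunk nor the commit message says why. A fixed-output hash that moves with unchanged pins is usually explained by a change in the base caddy source, presumably from the flake.lock update earlier in the series. It is also what a changed upstream artifact looks like, so the cause should be written down rather than only "fixed". Once that is confirmed, I would add a comment above the line such as `# hash recomputed after the nixpkgs bump changed the caddy version; plugin pins unchanged`. The `services.caddy` block starts and ends outside the hunk.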
diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index 5e0bb3c..a750205 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -62,14 +62,6 @@ defaultSopsFile = ./secrets.yaml; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; secrets = { - cloudflare_dns_token = { - owner = "caddy"; - mode = "400"; - }; - dnspod_dns_token = { - owner = "caddy"; - mode = "400"; - }; "restic/localpass" = { owner = "restic"; }; @@ -163,38 +155,6 @@ # tailscale derper module use nginx for reverse proxy services.nginx.enable = lib.mkForce false; - services.caddy = { - enable = true; - package = pkgs.caddy.withPlugins { - plugins = [ - "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e" - "github.com/caddy-dns/dnspod@v0.0.4" - ]; - hash = "sha256-EmBKn6QV5JpLXpez7+Gu91tP/sUZxq2DkGPYoAe+2QM="; - }; - virtualHosts."derper00.namely.icu:8443".extraConfig = '' - reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port} - ''; - virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = '' - reverse_proxy 127.0.0.1:${toString config.services.immich.port} - ''; - # API Token must be added in systemd environment file - virtualHosts."immich.xinyang.life:8000".extraConfig = '' - reverse_proxy 127.0.0.1:${toString config.services.immich.port} - ''; - globalConfig = '' - acme_dns dnspod {env.DNSPOD_API_TOKEN} - ''; - }; - - networking.firewall.allowedTCPPorts = [ 8000 ]; - - systemd.services.caddy = { - serviceConfig = { - EnvironmentFile = config.sops.secrets.dnspod_dns_token.path; - }; - }; - time.timeZone = "Asia/Shanghai"; fileSystems."/" = { diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml index b5c3aa5..0e63460 100644 --- a/machines/weilite/secrets.yaml +++ b/machines/weilite/secrets.yaml 
@@ -1,5 +1,6 @@ -cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str] -dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str] +caddy: + cf_dns_token: ENC[AES256_GCM,data:7PvP3oYMZ3dAeWaJNiuvEweUf3psDhyu90FT6cP0/AIOa0E40sdIRQ==,iv:IIYnZ35xAm9JJa14oHJi+ddI0u7Pgc4MfPLnKT4IlPc=,tag:V1PGZpaVzdN2cLpktbvTnA==,type:str] + dnspod_dns_token: ENC[AES256_GCM,data:ATed7RqLu1u06B61Irhd4SCzjK/Z823ygAgzROsNixZ2rExpB/Xo,iv:L121CGA+iZhn9V6mG2qEu3FI91/s7JO3cVTAwmAeqGw=,tag:l/7MXMZNqgFBwgCCMeZR2A==,type:str] immich: oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str] restic: @@ -30,8 +31,8 @@ sops: V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-25T00:35:15Z" - mac: ENC[AES256_GCM,data:sk4DL+w740RD9A3sPvcGD4fc90Nfw9C8dH11ScGRgt6gS3v4V16pD0Q/bHHZiUCll76phZKjp+sGcZaPw0X7RDlK582WY3uw0pLtqLlm0gejjmvBJYKg47nA0dCD+vDvbMkJlvJG6N3sRuXDBa/7bAe452eXZNS8Xnm7ceDscVc=,iv:Nx4yCfG9rNk0q8akuI1aZr6Wj4GIAxASE8Tc7TH4Vj8=,tag:GodvlMbhIPpPu062spKFxA==,type:str] + lastmodified: "2025-02-01T15:54:35Z" + mac: ENC[AES256_GCM,data:hDX2lQ5GbBGTqioEqNc/k4NvBW7/3ISOVUk8/6CkuW6ZQHUeMnfziWV7faw+DiMvYmwFUJ4mhY77Je5+gid0Ae5JyNxznBW2uzpXvLcTBsYz8iSZL6Jw5FciPIgkGDN5U5wMkusS6Ok2W/idIgmwlmxf3ACNaf7e0QpypwYwxZw=,iv:mkIQ2rvTpQXRuRarlcl/aIKDY3JmJKVsr1oS4+3vmnk=,tag:of2CSCqZAJaaZ5DvC6+Amg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2 
diff --git a/machines/weilite/services/caddy.nix b/machines/weilite/services/caddy.nix new file mode 100644 index 0000000..6cc22b0 --- /dev/null +++ b/machines/weilite/services/caddy.nix @@ -0,0 +1,63 @@ +{ config, pkgs, ... }: +{ + sops = { + secrets = { + "caddy/cf_dns_token" = { + owner = "caddy"; + mode = "400"; + }; + "caddy/dnspod_dns_token" = { + owner = "caddy"; + mode = "400"; + }; + }; + templates."caddy.env".content = '' + CF_API_TOKEN=${config.sops.placeholder."caddy/cf_dns_token"} + DNSPOD_API_TOKEN=${config.sops.placeholder."caddy/dnspod_dns_token"} + ''; + }; + + services.caddy = + let + acmeCF = "tls { + dns cloudflare {env.CF_API_TOKEN} + }"; + acmeDnspod = "tls { + dns dnspod {env.DNSPOD_API_TOKEN} + }"; + in + { + enable = true; + package = pkgs.caddy.withPlugins { + plugins = [ + "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e" + "github.com/caddy-dns/dnspod@v0.0.4" + ]; + hash = "sha256-EmBKn6QV5JpLXpez7+Gu91tP/sUZxq2DkGPYoAe+2QM="; + }; + virtualHosts."derper00.namely.icu:8443".extraConfig = '' + ${acmeDnspod} + reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port} + ''; + # API Token must be added in systemd environment file + virtualHosts."immich.xinyang.life:8000".extraConfig = '' + ${acmeDnspod} + reverse_proxy 127.0.0.1:${toString config.services.immich.port} + ''; + virtualHosts."immich.xiny.li:8443".extraConfig = '' + ${acmeCF} + reverse_proxy 127.0.0.1:${toString config.services.immich.port} + ''; + }; + + networking.firewall.allowedTCPPorts = [ + 8000 + 8443 + ]; + + systemd.services.caddy = { + serviceConfig = { + EnvironmentFile = config.sops.templates."caddy.env".path; + }; + }; +} diff --git a/machines/weilite/services/default.nix b/machines/weilite/services/default.nix index ca5ee33..649ca08 100644 --- a/machines/weilite/services/default.nix +++ b/machines/weilite/services/default.nix @@ -1,5 +1,6 @@ { imports = [ + ./caddy.nix ./ocis.nix ./restic.nix ./media-download.nix 
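Review bot: The `{env.CF_API_TOKEN}` and `{env.DNSPOD_API_TOKEN}` placeholders in `acmeCF` and `acmeDnspod` only resolve because `systemd.services.caddy` loads `sops.templates."caddy.env"`, yet the single comment saying so sits above the `immich.xinyang.life:8000` vhost alone. The restic.nix hunk that follows repeats the `tls { dns dnspod … }` block by hand with the same hidden dependency. I would move the comment to the `let` bindings, e.g. `# tokens are injected through EnvironmentFile from sops.templates."caddy.env"`, and let other modules reuse the snippet instead of copying it. Both tokens can rewrite DNS records, so they should be scoped to DNS edit on the zones served here. The `owner = "caddy"` on the raw secrets looks unnecessary now that only the rendered template is consumed, which is worth confirming.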
diff --git a/machines/weilite/services/restic.nix b/machines/weilite/services/restic.nix index f62786e..be272eb 100644 --- a/machines/weilite/services/restic.nix +++ b/machines/weilite/services/restic.nix @@ -42,6 +42,9 @@ in networking.firewall.allowedTCPPorts = [ 8443 ]; services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = '' + tls { + dns dnspod {env.DNSPOD_API_TOKEN} + } reverse_proxy ${config.services.restic.server.listenAddress} ''; } From 1462c962841f29c4787a1c5d865a6920f702ad2e Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 5 Feb 2025 11:52:23 +0800 Subject: [PATCH 43/60] monitoring: improve ntfy template --- modules/nixos/monitor/default.nix | 6 +++--- overlays/my-lib/prometheus.nix | 11 +++++++---- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/modules/nixos/monitor/default.nix b/modules/nixos/monitor/default.nix index 71ec05e..d1e09a6 100644 --- a/modules/nixos/monitor/default.nix +++ b/modules/nixos/monitor/default.nix @@ -120,11 +120,11 @@ in webhook_configs = [ { url = "${ntfyUrl}/prometheus-alerts?tpl=yes&m=${lib.escapeURL '' - {{range .alerts}}[{{ if eq .status "resolved" }}✅ RESOLVED{{ else }}{{ if eq .status "firing" }}🔥 FIRING{{end}}{{end}}]{{range $k,$v := .labels}} - {{$k}}={{$v}}{{end}} - + {{range .alerts}}{{ if eq .status "resolved" }}✅{{ else }}{{ if eq .status "firing" }}🔥{{end}}{{end}}{{.labels.alertname}} + {{.annotations.summary}} {{end}}''}"; send_resolved = true; + max_alerts = 5; } ]; } diff --git a/overlays/my-lib/prometheus.nix b/overlays/my-lib/prometheus.nix index c79f131..99854cc 100644 --- a/overlays/my-lib/prometheus.nix +++ b/overlays/my-lib/prometheus.nix @@ -1,6 +1,9 @@ let mkFunction = f: (targets: (map f targets)); mkPort = port: if isNull port then "" else ":${toString port}"; + + # get text before "." in the url + subdomain = url: builtins.elemAt (builtins.elemAt (builtins.split "([a-zA-Z0-9]+)\..*" url) 1) 0; in { mkScrapes = mkFunction ( 
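Review bot: With `max_alerts = 5` in the ntfy `webhook_configs` entry, Alertmanager leaves everything past the fifth alert out of the webhook body, and the template gives no sign that anything was dropped. During a wide outage the notification would list five alerts and look complete. The payload carries a `truncatedAlerts` count, so the template could end with `{{if .truncatedAlerts}}+{{.truncatedAlerts}} more{{end}}`. The template now prints only `.annotations.summary`, so any rule without a summary annotation renders as a bare alert name.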
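Review bot: In `subdomain`, the pattern `"([a-zA-Z0-9]+)\..*"` contains no literal dot: inside a double-quoted Nix string `\.` collapses to `.`, so the regex is `([a-zA-Z0-9]+)..*` and the capture stops at the first non-alphanumeric character of any kind. A host whose first label contains a hyphen is cut at the hyphen, and an input with no match makes `builtins.elemAt … 1` throw at evaluation time. This value feeds `job_name` in the blackbox scrape (next hunk), so hosts that share a first label would get the same job name. I would write `"([a-zA-Z0-9-]+)\\..*"` and state in the comment that the argument is expected to be a bare hostname.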
@@ -228,7 +231,7 @@ in ... }: { - job_name = "blackbox(${hostAddress})"; + job_name = "blackbox(${subdomain hostAddress})"; scrape_interval = "1m"; metrics_path = "/probe"; params = { @@ -268,14 +271,14 @@ in inherit name; rules = [ { - alert = "ProbeError"; - expr = "probe_success != 1"; + alert = "ProbeToError"; + expr = "sum by(instance) (probe_success != 1) > 0"; for = "3m"; labels = { severity = "critical"; }; annotations = { - summary = "Probing {{ $labels.instance }} from {{ $labels.from }} failed"; + summary = "Probing {{ $labels.instance }} failed"; }; } { From 0c29d4c6fc2d7350cb80a95d7827dadd2b4350df Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 5 Feb 2025 12:55:57 +0800 Subject: [PATCH 44/60] monitoring: improve summary --- modules/nixos/monitor/default.nix | 2 +- overlays/my-lib/prometheus.nix | 11 ++++------- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/modules/nixos/monitor/default.nix b/modules/nixos/monitor/default.nix index d1e09a6..5b9d31a 100644 --- a/modules/nixos/monitor/default.nix +++ b/modules/nixos/monitor/default.nix @@ -158,7 +158,7 @@ in severity = "critical"; }; annotations = { - summary = "Job {{ $labels.job }} down for 1m."; + summary = "Instance {{ $labels.instance }} of {{ $labels.job }} is down."; }; } ]; diff --git a/overlays/my-lib/prometheus.nix b/overlays/my-lib/prometheus.nix index 99854cc..c394e4e 100644 --- a/overlays/my-lib/prometheus.nix +++ b/overlays/my-lib/prometheus.nix @@ -132,8 +132,7 @@ in severity = "critical"; }; annotations = { - summary = "Systemd has failed units on {{ $labels.instance }}"; - description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!"; + summary = "{{ $labels.job }} failed on {{ $labels.instance }}."; }; } { 
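Review bot: The new ProbeToError expression `sum by(instance) (probe_success != 1) > 0` can never be true: the inner filter keeps only series whose value is 0, so the per-instance sum is always 0 and the `> 0` comparison drops every result. As written the rule stops alerting on failed probes altogether. Counting the failing series keeps the per-instance grouping, `expr = "count by(instance) (probe_success != 1) > 0";`. The rule list continues outside the hunk.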
@@ -144,7 +143,7 @@ in severity = "warning"; }; annotations = { - summary = "High load average detected on {{ $labels.instance }}"; + summary = "High load average on {{ $labels.instance }}."; description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs."; }; } @@ -167,7 +166,7 @@ in severity = "warning"; }; annotations = { - summary = "High disk usage on {{ $labels.instance }}"; + summary = "Disk usage exceeeds 85% on {{ $labels.instance }}"; }; } { @@ -180,7 +179,6 @@ in }; annotations = { summary = "Disk usage will exceed 95% in 12 hours on {{ $labels.instance }}"; - description = "Disk {{ $labels.mountpoint }} is predicted to exceed 92% usage within 12 hours at current growth rate"; }; } { @@ -191,8 +189,7 @@ in severity = "warning"; }; annotations = { - summary = "High swap usage on {{ $labels.instance }}"; - description = "Swap usage is above 80% for 5 minutes\n Current value: {{ $value }}%"; + summary = "Swap usage above 80% on {{ $labels.instance }}"; }; } { From 750625dfb72942652925f35e4271c17744c8902b Mon Sep 17 00:00:00 2001 From: xinyangli Date: Thu, 6 Feb 2025 11:31:30 +0800 Subject: [PATCH 45/60] osmium/networking: init --- machines/osmium/default.nix | 60 +++++++++++++++++++++++++++++++------ 1 file changed, 51 insertions(+), 9 deletions(-) diff --git a/machines/osmium/default.nix b/machines/osmium/default.nix index 8378b1c..1785582 100644 --- a/machines/osmium/default.nix +++ b/machines/osmium/default.nix @@ -69,7 +69,7 @@ neovim jq iptables - ebtables + nftables tcpdump busybox ethtool 
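Review bot: The new disk summary reads `Disk usage exceeeds 85%` (three e's) and will appear verbatim in every notification; it should be `summary = "Disk usage exceeds 85% on {{ $labels.instance }}";`. This run of hunks also removes the `description` annotations that carried `{{ $labels.mountpoint }}` and `{{ $value }}`, so the disk alerts no longer say which filesystem is affected. If the expressions keep the mountpoint label, adding it to the summary would preserve that. The rule definitions begin outside these hunks.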
@@ -88,15 +88,53 @@ systemd.network = { enable = true; - networks."lan" = { - matchConfig.Name = "enu1"; - networkConfig.DHCP = "no"; - linkConfig.RequiredForOnline = "no"; - }; networks."wan" = { matchConfig.Name = "end0"; networkConfig.DHCP = "yes"; - linkConfig.RequiredForOnline = "yes"; + linkConfig.RequiredForOnline = false; + }; + networks."lan" = { + matchConfig.Name = "enu1"; + networkConfig = { + DHCP = "no"; + DHCPServer = "yes"; + Address = "10.1.1.1/24"; + }; + dhcpServerConfig = { + ServerAddress = "10.1.1.1/24"; + UplinkInterface = "end0"; + EmitDNS = "yes"; + DNS = [ "192.168.1.1" ]; + }; + linkConfig.RequiredForOnline = false; + }; + }; + + networking.firewall.enable = false; + networking.nftables = { + enable = true; + tables = { + filter = { + family = "inet"; + content = '' + chain forward { + iifname { "enu1" } oifname { "end0" } accept comment "Allow trusted LAN to WAN" + iifname { "end0" } oifname { "enu1" } ct state { established, related } accept comment "Allow established back to LANs" + iifname { "enu1" } oifname { "tailscale0" } accept comment "Allow LAN to Tailscale" + } + ''; + }; + + nat = { + family = "ip"; + content = '' + chain postrouting { + type nat hook postrouting priority 100; policy accept; + oifname "end0" masquerade + oifname "tailscale0" masquerade + } + ''; + }; }; }; @@ -105,7 +143,11 @@ configFile = "/var/lib/dae/config.dae"; }; - services.tailscale.enable = true; - + services.tailscale = { + enable = true; + extraSetFlags = [ + "--advertise-routes=10.1.1.0/24" + ]; + }; }; } From fc4a57febce24b36e2b2fa5ddd139bb7651061ca Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 11 Feb 2025 15:27:20 +0800 Subject: [PATCH 46/60] flake.nix: catppuccin does not depends on home-manager anymore --- flake.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/flake.nix b/flake.nix index fa354c6..0981a0c 100644 --- a/flake.nix +++ b/flake.nix 
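Review bot: The `forward` chain in the `filter` table has no `type filter hook forward …` line, so nftables creates it as a regular chain that no packet traverses, and the three accept rules with their implied default-deny are inert. Combined with `networking.firewall.enable = false`, the router has no input or forward filtering at all: anything that can route to `end0` reaches every local service, and nothing restricts new connections toward 10.1.1.0/24. Make it a base chain by adding `type filter hook forward priority filter; policy drop;` as its first line. Also add an `input` base chain that accepts loopback, established/related traffic and the LAN and tailnet interfaces before dropping the rest. Whether IP forwarding is enabled is not visible in this hunk and is worth checking alongside.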
@@ -50,7 +50,6 @@ catppuccin = { url = "github:catppuccin/nix"; inputs.nixpkgs.follows = "nixpkgs"; - inputs.home-manager.follows = "home-manager"; }; disko = { From 3247d1edec6bd4b5958c7a67c8202311162b046a Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 11 Feb 2025 15:28:12 +0800 Subject: [PATCH 47/60] monitor: wait for tailscale interface --- modules/nixos/monitor/exporters.nix | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/modules/nixos/monitor/exporters.nix b/modules/nixos/monitor/exporters.nix index d0e006f..a178525 100644 --- a/modules/nixos/monitor/exporters.nix +++ b/modules/nixos/monitor/exporters.nix @@ -5,7 +5,7 @@ ... }: let - inherit (lib) mkIf concatStringsSep; + inherit (lib) mkIf getExe; inherit (config.my-lib.settings) prometheusCollectors; cfg = config.custom.prometheus.exporters; in @@ -16,6 +16,30 @@ in ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service") ++ (lib.optional config.services.caddy.enable "caddy.service"); + systemd.services.tailscaled.serviceConfig.ExecStartPost = + pkgs.writers.writePython3Bin "tailscale-wait-online" + { + flakeIgnore = [ + "E401" # import on one line + "E501" # line length limit + ]; + } + '' + import subprocess, json, time + + for _ in range(30): + status = json.loads( + subprocess.run( + ["${getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True + ).stdout + )["Self"]["Online"] + if status: + exit(0) + time.sleep(1) + + exit(1) + ''; + services.prometheus.exporters.node = mkIf cfg.node.enable { enable = true; enabledCollectors = [ From bc55ae7b8b0848e104d91d6e4d37f03f3a69653b Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 11 Feb 2025 15:38:36 +0800 Subject: [PATCH 48/60] monitor: fix wait for tailscale interface --- modules/nixos/monitor/exporters.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
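Review bot: `tailscale-wait-online` turns a slow or logged-out tailscaled into a failed unit. `json.loads` raises on empty or non-JSON output when the CLI cannot reach the daemon yet, which aborts the script on the first iteration instead of retrying. The final `exit(1)` then fails `ExecStartPost`, and systemd treats that as a failed start of the service the script was waiting for. On a node that still needs `tailscale up` this would presumably loop, though tailscaled's restart policy is not shown here. I would catch parse and lookup errors inside the loop and decide explicitly whether a timeout should fail the unit; the module body continues outside the hunk.

```nix
        ''
          import subprocess, json, time

          for _ in range(30):
              try:
                  out = subprocess.run(
                      ["${getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
                  ).stdout
                  if json.loads(out)["Self"]["Online"]:
                      exit(0)
              except (ValueError, KeyError, TypeError):
                  pass  # daemon not answering yet, retry
              time.sleep(1)

          # … unchanged: exit(1) after the loop …
        '';
```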
diff --git a/modules/nixos/monitor/exporters.nix b/modules/nixos/monitor/exporters.nix index a178525..5e75975 100644 --- a/modules/nixos/monitor/exporters.nix +++ b/modules/nixos/monitor/exporters.nix @@ -17,7 +17,7 @@ in ++ (lib.optional config.services.caddy.enable "caddy.service"); systemd.services.tailscaled.serviceConfig.ExecStartPost = - pkgs.writers.writePython3Bin "tailscale-wait-online" + pkgs.writers.writePython3 "tailscale-wait-online" { flakeIgnore = [ "E401" # import on one line From fe404baad05002750efd7605e9511813223b5974 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 11 Feb 2025 16:47:35 +0800 Subject: [PATCH 49/60] monitoring: add radarr, sonarr and transmission --- machines/thorite/monitoring.nix | 19 ++++++++++++ machines/weilite/secrets.yaml | 8 +++-- machines/weilite/services/media-download.nix | 25 +++++++++++++++ machines/weilite/services/transmission.nix | 30 +++++++++++++++++- overlays/add-pkgs.nix | 2 ++ overlays/my-lib/settings.nix | 2 ++ overlays/pkgs/transmission-exporter.nix | 32 ++++++++++++++++++++ 7 files changed, 115 insertions(+), 3 deletions(-) create mode 100644 overlays/pkgs/transmission-exporter.nix diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix index afb0b6e..e02ecad 100644 --- a/machines/thorite/monitoring.nix +++ b/machines/thorite/monitoring.nix @@ -13,6 +13,7 @@ let grafanaUrl ntfyUrl internalDomain + transmissionExporterUrl ; removeHttps = s: lib.removePrefix "https://" s; in @@ -154,6 +155,24 @@ in address = "thorite.coho-tet.ts.net"; port = 3100; } + { + name = "transmission"; + scheme = "http"; + address = transmissionExporterUrl; + port = 19091; + } + { + name = "sonarr"; + scheme = "http"; + address = "weilite.${internalDomain}"; + port = 21560; + } + { + name = "radarr"; + scheme = "http"; + address = "weilite.${internalDomain}"; + port = 21561; + } ]) ++ (mkCaddyScrapes [ { address = "thorite.coho-tet.ts.net"; } 
diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml index 0e63460..0fc2813 100644 --- a/machines/weilite/secrets.yaml +++ b/machines/weilite/secrets.yaml @@ -7,6 +7,10 @@ restic: localpass: ENC[AES256_GCM,data:GIQAmkpDmGu4+sSG5/b5yQ==,iv:dcu6F8NnVjeQzEG2vM3fOV5owI0PWc86ts20UP3vN18=,tag:vsG8x062FG1pH5YNcAajeg==,type:str] transmission: rpc-password: ENC[AES256_GCM,data:4dumy0hygGOuwU3ANky3xEKRDRBAJWE=,iv:HVV2J+F8HndHZNsMD2YmkWrJOzk5JIapGd0SuQP8VqU=,tag:xqp5pxh5cYYogA4alrmIfg==,type:str] +sonarr: + api-key: ENC[AES256_GCM,data:/CkApTCLQy8TLHGKSM1saacNi9uQDswAjshRSLJk1hg=,iv:PNX4BZLx7krs12lxgORMSarnt0c/ga8yPtoLSzbQ+sY=,tag:V1pp9OCtX5/5fbwLBMGlOQ==,type:str] +radarr: + api-key: ENC[AES256_GCM,data:AeJArngvgmqnxk2g13QjMa6XS893B+3ZdX2K8OqXRQg=,iv:NrQf3yyqRpHMeWQ3bpPH4fUDdo/x2uB6pQCq0ZrFP5c=,tag:Yj2PSy6zRfe8anW0RGuZAQ==,type:str] sops: kms: [] gcp_kms: [] @@ -31,8 +35,8 @@ sops: V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-01T15:54:35Z" - mac: ENC[AES256_GCM,data:hDX2lQ5GbBGTqioEqNc/k4NvBW7/3ISOVUk8/6CkuW6ZQHUeMnfziWV7faw+DiMvYmwFUJ4mhY77Je5+gid0Ae5JyNxznBW2uzpXvLcTBsYz8iSZL6Jw5FciPIgkGDN5U5wMkusS6Ok2W/idIgmwlmxf3ACNaf7e0QpypwYwxZw=,iv:mkIQ2rvTpQXRuRarlcl/aIKDY3JmJKVsr1oS4+3vmnk=,tag:of2CSCqZAJaaZ5DvC6+Amg==,type:str] + lastmodified: "2025-02-11T08:45:49Z" + mac: ENC[AES256_GCM,data:iObzkfSxKET1kE8yQbSxffG1qDO95SWfIRSdwbYcwP4mHOrl5sOtlGEjexVaLl7uKa0SMCK6BghbMr4EdLatiOmngsAzr8bxe/GsPZiCze04nr0VbKBgHxKr74gT8d14dwV+Y+np/5fgRZea7zxzJ4YaVfeUOG9PBsa7L6RWbx0=,iv:LMM096xLa5cOiLVTiFO20jBUaK1Uw4aOqsz7eH9u9vc=,tag:C1fPHN9KFbydcy1lRAhGvQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.2 diff --git a/machines/weilite/services/media-download.nix b/machines/weilite/services/media-download.nix index cc5657e..97c7110 100644 --- a/machines/weilite/services/media-download.nix 
+++ b/machines/weilite/services/media-download.nix @@ -1,5 +1,14 @@ { config, pkgs, ... }: +let + inherit (config.my-lib.settings) + internalDomain + ; +in { + sops.secrets = { + "sonarr/api-key" = { }; + "radarr/api-key" = { }; + }; services.jackett = { enable = true; openFirewall = false; @@ -20,6 +29,22 @@ enable = true; }; + services.prometheus.exporters.exportarr-sonarr = { + enable = true; + url = "http://127.0.0.1:8989"; + apiKeyFile = config.sops.secrets."sonarr/api-key".path; + listenAddress = "weilite.${internalDomain}"; + port = 21560; + }; + + services.prometheus.exporters.exportarr-radarr = { + enable = true; + url = "http://127.0.0.1:7878"; + apiKeyFile = config.sops.secrets."radarr/api-key".path; + listenAddress = "weilite.${internalDomain}"; + port = 21561; + }; + users.groups.media.members = [ config.services.sonarr.user config.services.radarr.user diff --git a/machines/weilite/services/transmission.nix b/machines/weilite/services/transmission.nix index b025819..0c1e969 100644 --- a/machines/weilite/services/transmission.nix +++ b/machines/weilite/services/transmission.nix @@ -1,6 +1,12 @@ -{ config, pkgs, ... }: +{ + config, + pkgs, + lib, + ... +}: let cfg = config.services.transmission; + inherit (config.my-lib.settings) transmissionExporterUrl; in { sops.secrets = { @@ -13,6 +19,12 @@ in }; }; + sops.templates."transmission-cred.env" = { + content = '' + TRANSMISSION_PASSWORD=${config.sops.placeholder."transmission/rpc-password"} + ''; + }; + services.transmission = { enable = true; package = pkgs.transmission_4; 
@@ -64,6 +76,22 @@ in services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:9091".extraConfig = '' reverse_proxy 127.0.0.1:${toString cfg.settings.rpc-port} ''; + + systemd.services.prometheus-transmission-exporter = { + enable = true; + wantedBy = [ "transmission.service" ]; + environment = { + WEB_ADDR = transmissionExporterUrl; + TRANSMISSION_ADDR = "http://127.0.0.1:${toString cfg.settings.rpc-port}"; + TRANSMISSION_USERNAME = "xin"; + }; + after = [ "tailscaled.service" ]; + serviceConfig = { + ExecStart = "${lib.getExe pkgs.transmission-exporter}"; + EnvironmentFile = config.sops.templates."transmission-cred.env".path; + }; + }; + networking.firewall.allowedTCPPorts = [ 9091 ]; # allow on lan users.groups.media.members = [ cfg.user ]; } diff --git a/overlays/add-pkgs.nix b/overlays/add-pkgs.nix index f1b214e..ac76b8e 100644 --- a/overlays/add-pkgs.nix +++ b/overlays/add-pkgs.nix @@ -9,4 +9,6 @@ "idbloader.img" ]; }; + + transmission-exporter = prev.callPackage ./pkgs/transmission-exporter.nix { }; }) diff --git a/overlays/my-lib/settings.nix b/overlays/my-lib/settings.nix index be97568..e4a219f 100644 --- a/overlays/my-lib/settings.nix +++ b/overlays/my-lib/settings.nix @@ -13,6 +13,8 @@ synapseUrl = "https://xiny.li"; synapseDelegateUrl = "https://synapse.xiny.li"; + transmissionExporterUrl = "weilite.coho-tet.ts.net:19091"; + prometheusCollectors = [ "thorite.coho-tet.ts.net" ]; diff --git a/overlays/pkgs/transmission-exporter.nix b/overlays/pkgs/transmission-exporter.nix new file mode 100644 index 0000000..b5e70b8 --- /dev/null +++ b/overlays/pkgs/transmission-exporter.nix 
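Review bot: `systemd.services.prometheus-transmission-exporter` sets no `User` or `DynamicUser`, so the exporter runs as root even though it is a network listener that holds the Transmission RPC password. `EnvironmentFile` is read by the service manager rather than by the service process, so the root-owned sops template keeps working with an unprivileged account. I would add `DynamicUser = true;` and `NoNewPrivileges = true;` to `serviceConfig`. `TRANSMISSION_USERNAME = "xin"` is hard-coded here while the password comes from sops, so taking the name from wherever the RPC user is configured would keep the two from drifting.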
@@ -0,0 +1,32 @@ +{ + lib, + fetchFromGitHub, + buildGoModule, +}: +buildGoModule rec { + pname = "transmission-exporter"; + version = "0-unstable-2024-10-09"; + rev = "v${version}"; + + src = fetchFromGitHub { + rev = "a7872aa2975c7a95af680c51198f4a363e226c8f"; + owner = "metalmatze"; + repo = "transmission-exporter"; + sha256 = "sha256-Ky7eCvC1AqHheqGGOGBNKbtVgg4Y8hDG67gCVlpUwZo="; + }; + + vendorHash = "sha256-YhmfrM5iAK0zWcUM7LmbgFnH+k2M/tE+f/QQIQmQlZs="; + + ldflags = [ + "-X github.com/prometheus/common/version.Version=${version}" + "-X github.com/prometheus/common/version.Revision=${rev}" + ]; + + meta = { + description = "Prometheus exporter for Transmission torrent client."; + homepage = "https://github.com/pborzenkov/transmission-exporter"; + mainProgram = "transmission-exporter"; + license = [ lib.licenses.mit ]; + maintainers = [ lib.maintainers.xinyangli ]; + }; +} From 6bf182214110ff57bfadcb12472cd10d5cdae030 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 11 Feb 2025 17:05:27 +0800 Subject: [PATCH 50/60] monitoring: fix transmission url --- machines/thorite/monitoring.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix index e02ecad..8fe05e7 100644 --- a/machines/thorite/monitoring.nix +++ b/machines/thorite/monitoring.nix @@ -152,13 +152,13 @@ in { name = "loki"; scheme = "http"; - address = "thorite.coho-tet.ts.net"; + address = "thorite.${internalDomain}"; port = 3100; } { name = "transmission"; scheme = "http"; - address = transmissionExporterUrl; + address = "weilite.${internalDomain}"; port = 19091; } { From 2e2968360c83bbf8b5e4fa9628864830edbeac32 Mon Sep 17 00:00:00 2001 
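Review bot: The package metadata in transmission-exporter.nix does not match the source it builds: `src` fetches `metalmatze/transmission-exporter` at commit `a7872aa2975c7a95af680c51198f4a363e226c8f`, while `homepage` points to `github.com/pborzenkov/transmission-exporter`, a different repository. Anyone auditing this pin would be sent to the wrong upstream. `rev = "v${version}"` expands to `v0-unstable-2024-10-09`, which is not what was fetched, so the `Revision` ldflag stamps a value that does not identify the build. I would set `homepage = "https://github.com/metalmatze/transmission-exporter";`, pass `${src.rev}` to the Revision flag, and use `hash =` instead of `sha256 =` for the SRI value.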
From: xinyangli Date: Fri, 14 Feb 2025 13:51:50 +0800 Subject: [PATCH 51/60] idp: migrate to biotite --- machines/biotite/default.nix | 1 + machines/biotite/services/forgejo.nix | 43 ++-- machines/biotite/services/gotosocial.nix | 2 +- machines/biotite/services/hedgedoc.nix | 8 +- .../biotite/services/kanidm-provision.nix | 242 ++++++++++++++++++ machines/biotite/services/kanidm.nix | 54 ++++ machines/biotite/services/miniflux.nix | 2 +- machines/biotite/services/synapse.nix | 8 +- machines/weilite/services/immich.nix | 7 +- modules/nixos/common-settings/auth.nix | 3 + modules/nixos/monitor/grafana.nix | 6 +- modules/nixos/monitor/loki.nix | 10 +- overlays/my-lib/settings.nix | 2 +- 13 files changed, 347 insertions(+), 41 deletions(-) create mode 100644 machines/biotite/services/kanidm-provision.nix create mode 100644 machines/biotite/services/kanidm.nix diff --git a/machines/biotite/default.nix b/machines/biotite/default.nix index 741e281..13a01f2 100644 --- a/machines/biotite/default.nix +++ b/machines/biotite/default.nix @@ -15,6 +15,7 @@ ./services/hedgedoc.nix ./services/forgejo.nix ./services/vaultwarden.nix + ./services/kanidm.nix ]; networking.hostName = "biotite"; diff --git a/machines/biotite/services/forgejo.nix b/machines/biotite/services/forgejo.nix index 7321b89..b60352f 100644 --- a/machines/biotite/services/forgejo.nix +++ b/machines/biotite/services/forgejo.nix 
@@ -69,28 +69,29 @@ in systemd.services.forgejo = { serviceConfig = { EnvironmentFile = config.sops.templates."forgejo/env".path; - preStart = - let - providerName = "kanidm"; - args = lib.concatStringsSep " " [ - "--name ${providerName}" - "--provider openidConnect" - "--key forgejo" - "--secret $CLIENT_SECRET" - "--icon-url ${idpUrl}/pkg/img/favicon.png" - "--group-claim-name forgejo_role --admin-group Admin" - ]; - exe = getExe config.services.forgejo.package; - in - '' - provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1) - if [[ -z "$provider_id" ]]; then - ${exe} admin auth add-oauth ${args} - else - ${exe} admin auth update-oauth --id "$provider_id" ${args} - fi - ''; }; + preStart = + let + providerName = "kanidm"; + args = lib.concatStringsSep " " [ + "--name ${providerName}" + "--provider openidConnect" + "--key forgejo" + "--secret $CLIENT_SECRET" + "--auto-discover-url https://${idpUrl}/oauth2/openid/forgejo/.well-known/openid-configuration" + "--icon-url https://${idpUrl}/pkg/img/favicon.png" + "--group-claim-name forgejo_role --admin-group Admin" + ]; + exe = getExe config.services.forgejo.package; + in + '' + provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1) + if [[ -z "$provider_id" ]]; then + ${exe} admin auth add-oauth ${args} + else + ${exe} admin auth update-oauth --id "$provider_id" ${args} + fi + ''; }; users.users.git = { diff --git a/machines/biotite/services/gotosocial.nix b/machines/biotite/services/gotosocial.nix index 3114cf6..e2f4581 100644 --- a/machines/biotite/services/gotosocial.nix +++ b/machines/biotite/services/gotosocial.nix @@ -26,7 +26,7 @@ in instance-expose-public-timeline = true; oidc-enabled = true; oidc-idp-name = "Kanidm"; - oidc-issuer = "${idpUrl}/oauth2/openid/gotosocial"; + oidc-issuer = "https://${idpUrl}/oauth2/openid/gotosocial"; oidc-client-id = "gotosocial"; oidc-link-existing = true; }; 
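Review bot: In the forgejo `preStart`, `--secret $CLIENT_SECRET` is expanded unquoted into the `admin auth add-oauth` / `update-oauth` command line. A secret containing whitespace or glob characters would be split or expanded by the shell, and the value is visible in the process argument list while the command runs. Quoting fixes the first part, `"--secret \"$CLIENT_SECRET\""`. If the Forgejo CLI offers a way to read the secret from a file or the environment, that would avoid putting it on argv at all; I have not confirmed that it does. Apart from the added `--auto-discover-url` and the `https://` prefix on the icon URL, the script is only moved from `serviceConfig` to the unit level in this hunk.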
diff --git a/machines/biotite/services/hedgedoc.nix b/machines/biotite/services/hedgedoc.nix index c8b33bc..af64be5 100644 --- a/machines/biotite/services/hedgedoc.nix +++ b/machines/biotite/services/hedgedoc.nix @@ -20,10 +20,10 @@ in email = false; allowEmailRegister = false; oauth2 = { - baseURL = "${idpUrl}/oauth2/openid/hedgedoc"; - authorizationURL = "${idpUrl}/ui/oauth2"; - tokenURL = "${idpUrl}/oauth2/token"; - userProfileURL = "${idpUrl}/oauth2/openid/hedgedoc/userinfo"; + baseURL = "https://${idpUrl}/oauth2/openid/hedgedoc"; + authorizationURL = "https://${idpUrl}/ui/oauth2"; + tokenURL = "https://${idpUrl}/oauth2/token"; + userProfileURL = "https://${idpUrl}/oauth2/openid/hedgedoc/userinfo"; userProfileEmailAttr = "email"; userProfileUsernameAttr = "name"; userProfileDisplayNameAttr = "preferred_name"; diff --git a/machines/biotite/services/kanidm-provision.nix b/machines/biotite/services/kanidm-provision.nix new file mode 100644 index 0000000..82bbd49 --- /dev/null +++ b/machines/biotite/services/kanidm-provision.nix 
@@ -0,0 +1,242 @@ +{ pkgs, config, ... }: +let + inherit (config.my-lib.settings) + gotosocialUrl + minifluxUrl + hedgedocDomain + forgejoDomain + grafanaUrl + synapseDelegateUrl + ; +in +{ + services.kanidm.provision = { + enable = true; + autoRemove = true; + groups = { + forgejo-access = { + members = [ "xin" ]; + }; + forgejo-admin = { + members = [ "xin" ]; + }; + gts-users = { + members = [ "xin" ]; + }; + ocis-users = { + members = [ "xin" ]; + }; + linux_users = { + members = [ "xin" ]; + }; + hedgedoc-users = { + members = [ "xin" ]; + }; + immich-users = { + members = [ + "xin" + "zhuo" + "ycm" + "yzl" + ]; + }; + grafana-superadmins = { + members = [ "xin" ]; + }; + grafana-admins = { + members = [ "xin" ]; + }; + grafana-editors = { + members = [ "xin" ]; + }; + grafana-users = { + members = [ "xin" ]; + }; + miniflux-users = { + members = [ "xin" ]; + }; + synapse-users = { + members = [ "xin" ]; + }; + idm_people_self_mail_write = { + members = [ ]; + }; + }; + persons = { + xin = { + displayName = "Xinyang Li"; + mailAddresses = [ "lixinyang411@gmail.com" ]; + }; + + zhuo = { + displayName = "Zhuo"; + mailAddresses = [ "13681104320@163.com" ]; + }; + + ycm = { + displayName = "Chunming"; + mailAddresses = [ "chunmingyou@gmail.com" ]; + }; + + yzl = { + displayName = "Zhengli Yang"; + mailAddresses = [ "13391935399@189.cn" ]; + }; + }; + systems.oauth2 = { + forgejo = { + displayName = "ForgeJo"; + originUrl = "https://${forgejoDomain}/user/oauth2/kanidm/callback"; + originLanding = "https://${forgejoDomain}/user/oauth2/kanidm"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + forgejo-access = [ + "openid" + "email" + "profile" + "groups" + ]; + }; + claimMaps = { + forgejo_role = { + joinType = "array"; + valuesByGroup = { + forgejo-access = [ "Access" ]; + forgejo-admin = [ "Admin" ]; + }; + }; + }; + }; + gts = { + displayName = "GoToSocial"; + originUrl = "https://xinyang.life/auth/callback"; + originLanding = 
"https://xinyang.life/auth/callback"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + gts-users = [ + "openid" + "email" + "profile" + "groups" + ]; + }; + }; + gotosocial = { + displayName = "GoToSocial"; + originUrl = "${gotosocialUrl}/auth/callback"; + originLanding = "${gotosocialUrl}/auth/callback"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + gts-users = [ + "openid" + "email" + "profile" + "groups" + ]; + }; + }; + # It's used for all the clients. I'm too lazy to change the name. + owncloud-android = { + displayName = "ownCloud Apps"; + originLanding = "https://drive.xinyang.life:8443/"; + originUrl = [ + "http://localhost:38622/" + "http://localhost:43580/" + "https://drive.xinyang.life:8443/" + # TODO: Should allow mobile redirect url not ending with / + # "oc://android.owncloud.com" + ]; + public = true; + preferShortUsername = true; + scopeMaps = { + ocis-users = [ + "openid" + "email" + "profile" + "offline_access" + ]; + }; + }; + + hedgedoc = { + displayName = "HedgeDoc"; + originUrl = "https://${hedgedocDomain}/auth/oauth2/callback"; + originLanding = "https://${hedgedocDomain}/auth/oauth2"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + hedgedoc-users = [ + "openid" + "email" + "profile" + ]; + }; + }; + immich = { + displayName = "Immich"; + originUrl = [ + "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/" + "https://immich.xinyang.life:8000/auth/login" + "https://immich.xinyang.life:8000/user-settings" + "https://immich.xiny.li:8443/api/oauth/mobile-redirect/" + "https://immich.xiny.li:8443/auth/login" + "https://immich.xiny.li:8443/user-settings" + ]; + originLanding = "https://immich.xiny.li:8443/auth/login?autoLaunch=0"; + allowInsecureClientDisablePkce = true; + scopeMaps = { + immich-users = [ + "openid" + "email" + "profile" + ]; + }; + }; + miniflux = { + displayName = "Miniflux"; + originUrl = "${minifluxUrl}/oauth2/oidc/callback"; + originLanding = "${minifluxUrl}/oauth2/oidc/redirect"; + 
scopeMaps = { + miniflux-users = [ + "openid" + "email" + "profile" + ]; + }; + }; + grafana = { + displayName = "Grafana"; + originUrl = "${grafanaUrl}/login/generic_oauth"; + originLanding = "${grafanaUrl}/"; + scopeMaps = { + grafana-users = [ + "openid" + "email" + "profile" + "groups" + ]; + }; + claimMaps = { + grafana_role = { + joinType = "array"; + valuesByGroup = { + grafana-superadmins = [ "GrafanaAdmin" ]; + grafana-admins = [ "Admin" ]; + grafana-editors = [ "Editor" ]; + }; + }; + }; + }; + synapse = { + displayName = "Synapse"; + originUrl = "${synapseDelegateUrl}/_synapse/client/oidc/callback"; + originLanding = "${synapseDelegateUrl}/"; + scopeMaps = { + synapse-users = [ + "openid" + "profile" + ]; + }; + }; + }; + }; +} diff --git a/machines/biotite/services/kanidm.nix b/machines/biotite/services/kanidm.nix new file mode 100644 index 0000000..975f31b --- /dev/null +++ b/machines/biotite/services/kanidm.nix 
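Review bot: Five OAuth2 clients in kanidm-provision.nix (`forgejo`, `gts`, `gotosocial`, `hedgedoc`, `immich`) set `allowInsecureClientDisablePkce = true`, which lifts the PKCE requirement on their authorization-code flow. That can be necessary for a client that cannot send a code challenge, but nothing here records which of them need it. I would put a comment on each, such as `# client cannot do PKCE as of <version>; remove when it can`, and drop the flag wherever the client already supports PKCE. `gts` and `gotosocial` look like two registrations for the same service, the first with hard-coded `https://xinyang.life` URLs. If the old one is no longer in use, removing it shrinks the set of accepted redirect targets.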
@@ -0,0 +1,54 @@ +{ + config, + pkgs, + lib, + ... +}: +let + kanidm_listen_port = 5324; + inherit (config.my-lib.settings) idpUrl; +in +{ + imports = [ + ./kanidm-provision.nix + ]; + + security.acme = { + acceptTerms = true; + certs.${idpUrl} = { + email = "lixinyang411@gmail.com"; + listenHTTP = "127.0.0.1:1360"; + group = "kanidm"; + }; + }; + + services.kanidm = { + package = pkgs.kanidm.withSecretProvisioning; + enableServer = true; + serverSettings = { + domain = idpUrl; + origin = "https://${idpUrl}"; + bindaddress = "[::]:${toString kanidm_listen_port}"; + tls_key = ''${config.security.acme.certs.${idpUrl}.directory}/key.pem''; + tls_chain = ''${config.security.acme.certs.${idpUrl}.directory}/fullchain.pem''; + online_backup.versions = 7; + # db_path = "/var/lib/kanidm/kanidm.db"; + }; + }; + + services.caddy = { + enable = true; + virtualHosts."http://${idpUrl}".extraConfig = '' + reverse_proxy ${config.security.acme.certs.${idpUrl}.listenHTTP} + ''; + virtualHosts."https://${idpUrl}".extraConfig = '' + reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { + header_up Host {upstream_hostport} + header_down Access-Control-Allow-Origin "*" + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + } + ''; + }; +} diff --git a/machines/biotite/services/miniflux.nix b/machines/biotite/services/miniflux.nix index 1bee3dc..7662b7e 100644 --- a/machines/biotite/services/miniflux.nix +++ b/machines/biotite/services/miniflux.nix @@ -17,7 +17,7 @@ in OAUTH2_CLIENT_ID = "miniflux"; OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_secret"; OAUTH2_REDIRECT_URL = "${minifluxUrl}/oauth2/oidc/callback"; - OAUTH2_OIDC_DISCOVERY_ENDPOINT = "${idpUrl}/oauth2/openid/miniflux"; + OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://${idpUrl}/oauth2/openid/miniflux"; OAUTH2_USER_CREATION = 1; CREATE_ADMIN = 0; }; diff --git a/machines/biotite/services/synapse.nix b/machines/biotite/services/synapse.nix index 552d31d..72e7516 100644 
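Review bot: `bindaddress = "[::]:${toString kanidm_listen_port}";` exposes the Kanidm listener on every interface, although the only client visible in this file is the local Caddy vhost, which proxies to `https://127.0.0.1:${toString kanidm_listen_port}`. Unless something else is meant to reach Kanidm directly, bind it to loopback with `bindaddress = "127.0.0.1:${toString kanidm_listen_port}";` so the proxy is the single entry point. The same vhost adds `header_down Access-Control-Allow-Origin "*"` to every response from the identity provider. If only some endpoints need cross-origin reads, scope the header to those paths with a matcher, or add a comment saying why the wildcard is required.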
--- a/machines/biotite/services/synapse.nix +++ b/machines/biotite/services/synapse.nix @@ -85,11 +85,11 @@ in oidc_providers = [ { idp_id = "Kanidm"; - idp_name = lib.removePrefix "https://" idpUrl; + idp_name = idpUrl; issuer = "${idpUrl}/oauth2/openid/synapse"; - authorization_endpoint = "${idpUrl}/ui/oauth2"; - token_endpoint = "${idpUrl}/oauth2/token"; - userinfo_endpoint = "${idpUrl}/oauth2/openid/synapse/userinfo"; + authorization_endpoint = "https://${idpUrl}/ui/oauth2"; + token_endpoint = "https://${idpUrl}/oauth2/token"; + userinfo_endpoint = "https://${idpUrl}/oauth2/openid/synapse/userinfo"; client_id = "synapse"; client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path; scopes = [ diff --git a/machines/weilite/services/immich.nix b/machines/weilite/services/immich.nix index 0b97f5c..262f187 100644 --- a/machines/weilite/services/immich.nix +++ b/machines/weilite/services/immich.nix @@ -3,11 +3,14 @@ ... }: let + inherit (config.my-lib.settings) idpUrl; + user = config.systemd.services.immich-server.serviceConfig.User; + immichUrl = "immich.xiny.li:8443"; jsonSettings = { oauth = { enabled = true; - issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/"; + issuerUrl = "https://${idpUrl}/oauth2/openid/immich/"; clientId = "immich"; clientSecret = config.sops.placeholder."immich/oauth_client_secret"; scope = "openid email profile"; @@ -16,7 +19,7 @@ let buttonText = "Login with Kanidm"; autoLaunch = true; mobileOverrideEnabled = true; - mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; + mobileRedirectUri = "https://${immichUrl}/api/oauth/mobile-redirect/"; }; passwordLogin = { enabled = false; diff --git a/modules/nixos/common-settings/auth.nix b/modules/nixos/common-settings/auth.nix index 1cd85ec..d9739fe 100644 --- a/modules/nixos/common-settings/auth.nix +++ b/modules/nixos/common-settings/auth.nix @@ -2,6 +2,7 @@ config, lib, pkgs, + my-lib, ... }: 
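Review bot: The `issuer` context line in the synapse.nix hunk was not updated with its neighbours, so it loses its scheme. This patch changes `idpUrl` to the bare host `auth.xiny.li` in overlays/my-lib/settings.nix, which makes `issuer = "${idpUrl}/oauth2/openid/synapse";` evaluate to a value without `https://`. An OIDC client compares the configured issuer with the one the provider publishes, so login through Kanidm will most likely be rejected; change the line to `issuer = "https://${idpUrl}/oauth2/openid/synapse";`. Since the setting now holds a host name rather than a URL, renaming it (for example `idpDomain`, in line with `hedgedocDomain`) would make a missed prefix like this easier to spot. The provider entry continues outside the hunk.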
@@ -11,6 +12,8 @@ let mkEnableOption ; + inherit (my-lib) idpUrl; + cfg = config.commonSettings.auth; in { diff --git a/modules/nixos/monitor/grafana.nix b/modules/nixos/monitor/grafana.nix index 9692fb5..7a72603 100644 --- a/modules/nixos/monitor/grafana.nix +++ b/modules/nixos/monitor/grafana.nix @@ -22,9 +22,9 @@ in name = "Kanidm"; client_id = "grafana"; scopes = "openid,profile,email,groups"; - auth_url = "${idpUrl}/ui/oauth2"; - token_url = "${idpUrl}/oauth2/token"; - api_url = "${idpUrl}/oauth2/openid/grafana/userinfo"; + auth_url = "https://${idpUrl}/ui/oauth2"; + token_url = "https://${idpUrl}/oauth2/token"; + api_url = "https://${idpUrl}/oauth2/openid/grafana/userinfo"; use_pkce = true; use_refresh_token = true; allow_sign_up = true; diff --git a/modules/nixos/monitor/loki.nix b/modules/nixos/monitor/loki.nix index 105a33a..d1197d9 100644 --- a/modules/nixos/monitor/loki.nix +++ b/modules/nixos/monitor/loki.nix @@ -15,6 +15,7 @@ let ; inherit (config.my-lib.settings) alertmanagerPort + internalDomain ; cfg = config.custom.monitoring; lokiPort = 3100; @@ -94,16 +95,17 @@ in rulerFile = pkgs.writeText "ruler.yml" (builtins.toJSON rulerConfig); in mkIf cfg.loki.enable { + systemd.services.loki.serviceConfig.After = "tailscaled.service"; services.loki = { enable = true; configuration = { auth_enabled = false; - server.http_listen_address = "${config.networking.hostName}.coho-tet.ts.net"; + server.http_listen_address = "${config.networking.hostName}.${internalDomain}"; server.http_listen_port = lokiPort; common = { ring = { - instance_addr = "${config.networking.hostName}.coho-tet.ts.net"; + instance_addr = "${config.networking.hostName}.${internalDomain}"; kvstore.store = "inmemory"; }; replication_factor = 1; @@ -160,7 +162,7 @@ in configuration = { server = { - http_listen_address = "${config.networking.hostName}.coho-tet.ts.net"; + http_listen_address = "${config.networking.hostName}.${internalDomain}"; http_listen_port = 28183; grpc_listen_port = 0; }; 
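Review bot: In the loki.nix hunk, `systemd.services.loki.serviceConfig.After = "tailscaled.service";` puts an ordering directive into the `[Service]` section, where systemd does not recognise it, so the unit is not actually ordered after tailscaled. `After=` belongs to `[Unit]`; in NixOS that is `systemd.services.loki.after = [ "tailscaled.service" ];`, ideally with `wants = [ "tailscaled.service" ];` as the transmission exporter unit does later in this series. The ordering matters because Loki binds `http_listen_address` to `${config.networking.hostName}.${internalDomain}` and can fail to start while that name is not yet resolvable. The same hunk keeps `auth_enabled = false`, so access control depends on that listen address staying tailnet-only; a short comment saying so would help the next reader.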
@@ -169,7 +171,7 @@ in clients = [ { - url = "http://thorite.coho-tet.ts.net:${toString lokiPort}/loki/api/v1/push"; + url = "http://thorite.${internalDomain}:${toString lokiPort}/loki/api/v1/push"; } ]; diff --git a/overlays/my-lib/settings.nix b/overlays/my-lib/settings.nix index e4a219f..649640f 100644 --- a/overlays/my-lib/settings.nix +++ b/overlays/my-lib/settings.nix @@ -1,7 +1,7 @@ { settings = { alertmanagerPort = 9093; - idpUrl = "https://auth.xinyang.life"; + idpUrl = "auth.xiny.li"; gotosocialUrl = "https://gts.xiny.li"; minifluxUrl = "https://rss.xiny.li"; hedgedocDomain = "docs.xiny.li"; From 35b19d67d7afafaf70414dbd41766285abab6130 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 14 Feb 2025 14:33:02 +0800 Subject: [PATCH 52/60] auth: switch domain --- machines/calcite/configuration.nix | 3 ++- modules/nixos/common-settings/auth.nix | 9 ++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 1c792b3..e5a74ea 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -6,6 +6,7 @@ }: let inherit (lib) mkForce getExe; + inherit (config.my-lib.settings) idpUrl; in { imports = [ @@ -223,7 +224,7 @@ in services.kanidm = { enableClient = true; clientSettings = { - uri = "https://auth.xinyang.life"; + uri = "https://${idpUrl}"; }; }; diff --git a/modules/nixos/common-settings/auth.nix b/modules/nixos/common-settings/auth.nix index d9739fe..2fae197 100644 --- a/modules/nixos/common-settings/auth.nix +++ b/modules/nixos/common-settings/auth.nix @@ -2,7 +2,6 @@ config, lib, pkgs, - my-lib, ... }: @@ -12,7 +11,7 @@ let mkEnableOption ; - inherit (my-lib) idpUrl; + inherit (config.my-lib.settings) idpUrl; cfg = config.commonSettings.auth; in @@ -25,7 +24,7 @@ in services.kanidm = { enableClient = true; clientSettings = { - uri = "https://auth.xinyang.life"; + uri = "https://${idpUrl}"; }; enablePam = true; unixSettings = { 
@@ -48,11 +47,11 @@ in environment.etc."ssh/auth" = { mode = "0555"; text = '' - #!${pkgs.stdenv.shell} + #!/bin/sh ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1 ''; }; - users.groups.wheel.members = [ "xin@auth.xinyang.life" ]; + users.groups.wheel.members = [ "xin@${idpUrl}" ]; users.groups.kanidm-ssh-runner = { }; users.users.kanidm-ssh-runner = { isSystemUser = true; From 3c89ca334161146a62ac17b41a433430feab4bd7 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 14 Feb 2025 15:28:33 +0800 Subject: [PATCH 53/60] weilite/network: switch to networkd --- machines/weilite/default.nix | 14 +++++++++++++- machines/weilite/services/transmission.nix | 1 + 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index a750205..8846704 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -20,7 +20,19 @@ }; config = { - networking.hostName = "weilite"; + networking = { + hostName = "weilite"; + useNetworkd = true; + }; + systemd.network = { + enable = true; + networks = { + "10-wan" = { + matchConfig.MACAddress = "52:54:00:db:23:d0"; + networkConfig.DHCP = "ipv4"; + }; + }; + }; commonSettings = { auth.enable = true; nix = { diff --git a/machines/weilite/services/transmission.nix b/machines/weilite/services/transmission.nix index 0c1e969..58b198c 100644 --- a/machines/weilite/services/transmission.nix +++ b/machines/weilite/services/transmission.nix @@ -86,6 +86,7 @@ in TRANSMISSION_USERNAME = "xin"; }; after = [ "tailscaled.service" ]; + wants = [ "tailscaled.service" ]; serviceConfig = { ExecStart = "${lib.getExe pkgs.transmission-exporter}"; EnvironmentFile = config.sops.templates."transmission-cred.env".path; From bd32a61ffcd037415d9952e108bac01de7d9dc6a Mon Sep 17 00:00:00 2001 
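Review bot: The `ssh/auth` script in this hunk passes its argument unquoted, `${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1`, so the value undergoes word splitting and glob expansion before it reaches the helper. If this script is what sshd runs as its authorized-keys command (the sshd configuration is outside the hunk), the argument is the login name supplied by the connecting client, so quote it: `${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys "$1"`. With the interpreter now `/bin/sh`, a comment noting that the script must stay POSIX-only would also be useful.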
From: xinyangli Date: Fri, 14 Feb 2025 15:30:30 +0800 Subject: [PATCH 54/60] massicot: drop --- flake.nix | 12 - machines/massicot/default.nix | 74 ------ machines/massicot/hardware-configuration.nix | 32 --- machines/massicot/kanidm-provision.nix | 239 ------------------- machines/massicot/networking.nix | 14 -- machines/massicot/secrets.yaml | 40 ---- machines/massicot/services.nix | 102 -------- machines/massicot/services/default.nix | 5 - machines/massicot/services/restic.nix | 42 ---- machines/thorite/monitoring.nix | 5 - machines/weilite/services/restic.nix | 1 - 11 files changed, 566 deletions(-) delete mode 100644 machines/massicot/default.nix delete mode 100644 machines/massicot/hardware-configuration.nix delete mode 100644 machines/massicot/kanidm-provision.nix delete mode 100644 machines/massicot/networking.nix delete mode 100644 machines/massicot/secrets.yaml delete mode 100644 machines/massicot/services.nix delete mode 100644 machines/massicot/services/default.nix delete mode 100644 machines/massicot/services/restic.nix diff --git a/flake.nix b/flake.nix index 0981a0c..abd9da6 100644 --- a/flake.nix +++ b/flake.nix @@ -212,18 +212,6 @@ }; }; - massicot = - { ... }: - { - deployment.targetHost = "49.13.13.122"; - deployment.buildOnTarget = true; - - imports = [ - { nixpkgs.system = "aarch64-linux"; } - machines/massicot - ] ++ sharedColmenaModules; - }; - la-00 = { ... }: { diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix deleted file mode 100644 index 7b56e15..0000000 --- a/machines/massicot/default.nix +++ /dev/null 
@@ -1,74 +0,0 @@ -{ - pkgs, - ... -}: - -{ - imports = [ - ./hardware-configuration.nix - ./networking.nix - ./services.nix - ./services - ]; - - sops = { - defaultSopsFile = ./secrets.yaml; - age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - secrets = { - gts_env = { - owner = "gotosocial"; - }; - }; - }; - - boot.loader.efi.canTouchEfiVariables = true; - boot.loader.efi.efiSysMountPoint = "/boot"; - boot.loader.grub = { - enable = true; - efiSupport = true; - configurationLimit = 5; - }; - environment.systemPackages = with pkgs; [ - cifs-utils - git - ]; - - # Disable docs on servers - documentation.nixos.enable = false; - documentation.man.enable = false; - - system.stateVersion = "22.11"; - - networking = { - hostName = "massicot"; - }; - - services.tailscale.enable = true; - - commonSettings = { - auth.enable = true; - nix = { - enable = true; - }; - }; - - security.sudo = { - execWheelOnly = true; - wheelNeedsPassword = false; - }; - - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - PermitRootLogin = "no"; - GSSAPIAuthentication = "no"; - KerberosAuthentication = "no"; - }; - }; - services.fail2ban.enable = true; - programs.mosh.enable = true; - - systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ]; -} diff --git a/machines/massicot/hardware-configuration.nix b/machines/massicot/hardware-configuration.nix deleted file mode 100644 index 36e673c..0000000 --- a/machines/massicot/hardware-configuration.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ modulesPath, ... }: -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.loader.grub = { - efiSupport = true; - device = "nodev"; - }; - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/AC27-D9D6"; - fsType = "vfat"; - }; - boot.initrd.availableKernelModules = [ - "ata_piix" - "uhci_hcd" - "xen_blkfront" - ]; - boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { - device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_35068215-part1"; - fsType = "ext4"; - }; - - fileSystems."/mnt/storage" = { - device = "/dev/disk/by-id/scsi-0HC_Volume_101302395"; - fsType = "btrfs"; - options = [ - "subvol=storage" - "compress=zstd" - "noatime" - ]; - }; -} diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix deleted file mode 100644 index e44c729..0000000 --- a/machines/massicot/kanidm-provision.nix +++ /dev/null 
@@ -1,239 +0,0 @@ -{ pkgs, config, ... }: -let - inherit (config.my-lib.settings) - gotosocialUrl - minifluxUrl - hedgedocDomain - forgejoDomain - grafanaUrl - synapseDelegateUrl - ; -in -{ - services.kanidm.provision = { - enable = true; - autoRemove = true; - groups = { - forgejo-access = { - members = [ "xin" ]; - }; - forgejo-admin = { - members = [ "xin" ]; - }; - gts-users = { - members = [ "xin" ]; - }; - ocis-users = { - members = [ "xin" ]; - }; - linux_users = { - members = [ "xin" ]; - }; - hedgedoc-users = { - members = [ "xin" ]; - }; - immich-users = { - members = [ - "xin" - "zhuo" - "ycm" - "yzl" - ]; - }; - grafana-superadmins = { - members = [ "xin" ]; - }; - grafana-admins = { - members = [ "xin" ]; - }; - grafana-editors = { - members = [ "xin" ]; - }; - grafana-users = { - members = [ "xin" ]; - }; - miniflux-users = { - members = [ "xin" ]; - }; - synapse-users = { - members = [ "xin" ]; - }; - idm_people_self_mail_write = { - members = [ ]; - }; - }; - persons = { - xin = { - displayName = "Xinyang Li"; - mailAddresses = [ "lixinyang411@gmail.com" ]; - }; - - zhuo = { - displayName = "Zhuo"; - mailAddresses = [ "13681104320@163.com" ]; - }; - - ycm = { - displayName = "Chunming"; - mailAddresses = [ "chunmingyou@gmail.com" ]; - }; - - yzl = { - displayName = "Zhengli Yang"; - mailAddresses = [ "13391935399@189.cn" ]; - }; - }; - systems.oauth2 = { - forgejo = { - displayName = "ForgeJo"; - originUrl = "https://${forgejoDomain}/user/oauth2/kanidm/callback"; - originLanding = "https://${forgejoDomain}/user/oauth2/kanidm"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - forgejo-access = [ - "openid" - "email" - "profile" - "groups" - ]; - }; - claimMaps = { - forgejo_role = { - joinType = "array"; - valuesByGroup = { - forgejo-access = [ "Access" ]; - forgejo-admin = [ "Admin" ]; - }; - }; - }; - }; - gts = { - displayName = "GoToSocial"; - originUrl = "https://xinyang.life/auth/callback"; - originLanding = 
"https://xinyang.life/auth/callback"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - gts-users = [ - "openid" - "email" - "profile" - "groups" - ]; - }; - }; - gotosocial = { - displayName = "GoToSocial"; - originUrl = "${gotosocialUrl}/auth/callback"; - originLanding = "${gotosocialUrl}/auth/callback"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - gts-users = [ - "openid" - "email" - "profile" - "groups" - ]; - }; - }; - # It's used for all the clients. I'm too lazy to change the name. - owncloud-android = { - displayName = "ownCloud Apps"; - originLanding = "https://drive.xinyang.life:8443/"; - originUrl = [ - "http://localhost:38622/" - "http://localhost:43580/" - "https://drive.xinyang.life:8443/" - # TODO: Should allow mobile redirect url not ending with / - # "oc://android.owncloud.com" - ]; - public = true; - preferShortUsername = true; - scopeMaps = { - ocis-users = [ - "openid" - "email" - "profile" - "offline_access" - ]; - }; - }; - - hedgedoc = { - displayName = "HedgeDoc"; - originUrl = "https://${hedgedocDomain}/auth/oauth2/callback"; - originLanding = "https://${hedgedocDomain}/auth/oauth2"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - hedgedoc-users = [ - "openid" - "email" - "profile" - ]; - }; - }; - immich = { - displayName = "Immich"; - originUrl = [ - "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/" - "https://immich.xinyang.life:8000/auth/login" - "https://immich.xinyang.life:8000/user-settings" - ]; - originLanding = "https://immich.xinyang.life:8000/auth/login?autoLaunch=0"; - allowInsecureClientDisablePkce = true; - scopeMaps = { - immich-users = [ - "openid" - "email" - "profile" - ]; - }; - }; - miniflux = { - displayName = "Miniflux"; - originUrl = "${minifluxUrl}/oauth2/oidc/callback"; - originLanding = "${minifluxUrl}/oauth2/oidc/redirect"; - scopeMaps = { - miniflux-users = [ - "openid" - "email" - "profile" - ]; - }; - }; - grafana = { - displayName = "Grafana"; - originUrl = 
"${grafanaUrl}/login/generic_oauth"; - originLanding = "${grafanaUrl}/"; - scopeMaps = { - grafana-users = [ - "openid" - "email" - "profile" - "groups" - ]; - }; - claimMaps = { - grafana_role = { - joinType = "array"; - valuesByGroup = { - grafana-superadmins = [ "GrafanaAdmin" ]; - grafana-admins = [ "Admin" ]; - grafana-editors = [ "Editor" ]; - }; - }; - }; - }; - synapse = { - displayName = "Synapse"; - originUrl = "${synapseDelegateUrl}/_synapse/client/oidc/callback"; - originLanding = "${synapseDelegateUrl}/"; - scopeMaps = { - synapse-users = [ - "openid" - "profile" - ]; - }; - }; - }; - }; -} diff --git a/machines/massicot/networking.nix b/machines/massicot/networking.nix deleted file mode 100644 index 2a4c529..0000000 --- a/machines/massicot/networking.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ pkgs, ... }: -{ - networking.useNetworkd = true; - systemd.network.networks."10-wan" = { - matchConfig.MACAddress = "96:00:02:68:7d:2d"; - networkConfig = { - DHCP = "ipv4"; - Gateway = "fe80::1"; - }; - address = [ - "2a01:4f8:c17:345f::3/64" - ]; - }; -} diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml deleted file mode 100644 index 9393192..0000000 --- a/machines/massicot/secrets.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str] -gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str] -hedgedoc_env: ENC[AES256_GCM,data:+rjEctM6IJUpn7WcAnBS9TkQi2lCq4wKPxbaOApffH0tFyu56SpECrLpmM749I7th3N+UGb0pLM7+Ywr7fbuuMfUuIWom6Y+CKYw4yMlgjzTaaNqBmstvMxLaPnmA01G9ie1rQ==,iv:YBIyQQ6xiUyxSnR5epE5hV9OqETLKC5CFTEaRJdErGU=,tag:77kHYQ2i2APVyadhMhmvWA==,type:str] -grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str] -miniflux: - oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str] -forgejo: - env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str] -restic: - repo_url: ENC[AES256_GCM,data:GMHbrjgwajnYSiqtoYaKiFT/aDWDwlzEkvMLPzYf7C9PvLr7T4zeWyAA9//8huldyxO3+nk6O9lR9ORZKZfb8/MYB7nRB03sZQ==,iv:6uBhsksOGDjoc13U2xWLz7I+0fzGRhnw0nStACqlnug=,tag:uhH28NYq+ly1bmCV/cpxkQ==,type:str] - repo_password: ENC[AES256_GCM,data:jRHNgOk5ChWdqMKsd/V4Xg==,iv:wrgF5pau/RylG1nmJYmvrZ02o67qkkT5PrZAQlXb6Qo=,tag:X0WVpMqi8xeoATss/sSPMA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aGRvUUtjcDU2bnhaNDJD - 
K3c5TnFJeHQzM2VpeHphR2dGeS9NYzcyYjJnCnNrQ3dxL1hqR2MyQXhldUZ1VEJp - N25nVHZ1QjRydW9hTWE5d0x2M2pPNkkKLS0tIFpiRW8rZ1Q1R1RCZGN1ZGs3ek45 - UENaRjJPWFJqUlpzd3dHSC9pdnZ6STQKQaaY28FYUk3O9TTkX9LQTzlrqZVojgxY - M+N6LApfdoioQCmXduDbj18i0eUbECTBXR/uEFEIHbn6AJVD/vx7iw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRY0lIeE9tWDA3Q21IWk1E - YnlaQUJybFB2bmFpbG1UZ0UyNG16WkRkZlNVCmUySHVBcXpWekpVN3R5dGs5ODY1 - V1ZlUk4zRSs1NkVjY3JSMVVQSXJ1OEkKLS0tIFMzeUNaYVpoNnV3TE1oamEwTEo2 - dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i - V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-28T03:57:35Z" - mac: ENC[AES256_GCM,data:xjZrlwfWLtZNYfH+KiE2ICt9Jo4nx/LKaEYi/ECN/Od+ZTjety0V6RJ/RfmI6q3K1WMj0sAGc56hCZ0iOn25L8wK6dc14hZVoSwwbIiQ7hTQE5LcK+NbXNmy3r/YC855DHG9kE08eYGHdNcBbckZg3HhkHQ9UYS/Ox/QFFuBa5Q=,iv:N3AW+sr9ET3c/ArXr176haRewYFsfgsNn+hkC0MDJwA=,tag:SCikn+F8btuSBswV+oCdXg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix deleted file mode 100644 index a4f0d72..0000000 --- a/machines/massicot/services.nix +++ /dev/null 
@@ -1,102 +0,0 @@ -{ - config, - pkgs, - lib, - ... -}: -let - kanidm_listen_port = 5324; -in -{ - imports = [ - ./kanidm-provision.nix - ]; - networking.firewall.allowedTCPPorts = [ - 80 - 443 - 2222 - 8448 - ]; - networking.firewall.allowedUDPPorts = [ - 80 - 443 - 8448 - ]; - - custom.monitoring = { - promtail.enable = true; - }; - - custom.prometheus.exporters = { - enable = true; - blackbox = { - enable = true; - }; - node = { - enable = true; - }; - }; - - security.acme = { - acceptTerms = true; - certs."auth.xinyang.life" = { - email = "lixinyang411@gmail.com"; - listenHTTP = "127.0.0.1:1360"; - group = "kanidm"; - }; - }; - - services.kanidm = { - package = pkgs.kanidm.withSecretProvisioning; - enableServer = true; - serverSettings = { - domain = "auth.xinyang.life"; - origin = "https://auth.xinyang.life"; - bindaddress = "[::]:${toString kanidm_listen_port}"; - tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem''; - tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; - online_backup.versions = 7; - # db_path = "/var/lib/kanidm/kanidm.db"; - }; - }; - - users.users.conduit = { - isSystemUser = true; - group = "conduit"; - }; - users.groups.conduit = { }; - - services.gotosocial = { - enable = true; - settings = { - log-level = "debug"; - host = "xinyang.life"; - letsencrypt-enabled = false; - bind-address = "localhost"; - instance-expose-public-timeline = true; - oidc-enabled = true; - oidc-idp-name = "Kanidm"; - oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts"; - oidc-client-id = "gts"; - oidc-link-existing = true; - storage-local-base-path = "/mnt/storage/gotosocial/storage"; - }; - environmentFile = config.sops.secrets.gts_env.path; - }; - - services.caddy = { - enable = true; - virtualHosts."http://auth.xinyang.life:80".extraConfig = '' - reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} - ''; - virtualHosts."https://auth.xinyang.life".extraConfig = 
'' - reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { - header_up Host {upstream_hostport} - header_down Access-Control-Allow-Origin "*" - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} - } - } - ''; - }; -} diff --git a/machines/massicot/services/default.nix b/machines/massicot/services/default.nix deleted file mode 100644 index fdf054b..0000000 --- a/machines/massicot/services/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - imports = [ - ./restic.nix - ]; -} diff --git a/machines/massicot/services/restic.nix b/machines/massicot/services/restic.nix deleted file mode 100644 index e8d2501..0000000 --- a/machines/massicot/services/restic.nix +++ /dev/null @@ -1,42 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -let - sqliteBackup = fromPath: toPath: file: '' - mkdir -p ${toPath} - ${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'" - ''; -in -{ - sops.secrets = { - "restic/repo_url" = { - sopsFile = ../secrets.yaml; - }; - "restic/repo_password" = { - sopsFile = ../secrets.yaml; - }; - }; - - custom.restic = { - enable = true; - paths = [ - "/backup" - "/mnt/storage" - ]; - backupPrepareCommand = [ - (sqliteBackup "/var/lib/hedgedoc/db.sqlite" "/backup/hedgedoc" "db.sqlite") - (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3" "/backup/bitwarden_rs" "db.sqlite3") - (sqliteBackup "/var/lib/gotosocial/database.sqlite" "/backup/gotosocial" "database.sqlite") - (sqliteBackup "/var/lib/kanidm/kanidm.db" "/backup/kanidm" "kanidm.db") - ]; - }; - - services.restic.backups.${config.networking.hostName} = { - extraBackupArgs = [ - "--limit-upload=1024" - ]; - }; -} diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix index 8fe05e7..311ffed 100644 --- a/machines/thorite/monitoring.nix +++ b/machines/thorite/monitoring.nix 
@@ -181,7 +181,6 @@ in ]) ++ (mkNodeScrapes [ { address = "thorite.coho-tet.ts.net"; } - { address = "massicot.coho-tet.ts.net"; } { address = "weilite.coho-tet.ts.net"; } { address = "biotite.coho-tet.ts.net"; } { address = "hk-00.coho-tet.ts.net"; } @@ -193,10 +192,6 @@ in hostAddress = "thorite.coho-tet.ts.net"; targetAddresses = probeList ++ [ "49.13.13.122:443" ]; } - { - hostAddress = "massicot.coho-tet.ts.net"; - targetAddresses = probeList ++ [ "45.142.178.32:443" ]; - } { hostAddress = "weilite.coho-tet.ts.net"; targetAddresses = [ diff --git a/machines/weilite/services/restic.nix b/machines/weilite/services/restic.nix index be272eb..730266c 100644 --- a/machines/weilite/services/restic.nix +++ b/machines/weilite/services/restic.nix @@ -34,7 +34,6 @@ in services.restic.backups = builtins.listToAttrs [ (mkPrune "xin" "calcite") - (mkPrune "xin" "massicot") (mkPrune "xin" "biotite") (mkPrune "xin" "thorite") ]; From 8739d146943b6a20526aca25726505c9edd81a2c Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 14 Feb 2025 15:44:34 +0800 Subject: [PATCH 55/60] massicot: fix drop --- machines/thorite/monitoring.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/thorite/monitoring.nix b/machines/thorite/monitoring.nix index 311ffed..f1ae160 100644 --- a/machines/thorite/monitoring.nix +++ b/machines/thorite/monitoring.nix @@ -190,7 +190,7 @@ in ++ (mkBlackboxScrapes [ { hostAddress = "thorite.coho-tet.ts.net"; - targetAddresses = probeList ++ [ "49.13.13.122:443" ]; + targetAddresses = probeList; } { hostAddress = "weilite.coho-tet.ts.net"; From 8474972920f2eabd3f29ec4cb10a098ba620a4ff Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 14 Feb 2025 16:04:07 +0800 Subject: [PATCH 56/60] biotite: use comin --- machines/biotite/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/machines/biotite/default.nix b/machines/biotite/default.nix index 13a01f2..e643950 100644 --- a/machines/biotite/default.nix 
+++ b/machines/biotite/default.nix @@ -37,6 +37,7 @@ commonSettings = { auth.enable = true; + comin.enable = true; }; custom.monitoring = { From 073cb3985d70043b89a5bfad59b1008af37a0cf8 Mon Sep 17 00:00:00 2001 
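Review bot: `comin.enable = true;` is added without a comment on what this host will now trust. Assuming `commonSettings.comin` wires up the comin pull-based deployer (the module is not visible here), anyone who can push to the tracked branch can change this machine's system configuration, and this series places the Kanidm server configuration under machines/biotite/services. I would add a comment naming the remote and branch being followed, e.g. `# comin: follows <remote>/<branch>; pushes there deploy to this host`, and confirm that the branch is protected.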
From: xinyangli Date: Fri, 14 Feb 2025 16:06:24 +0800 Subject: [PATCH 57/60] flake.lock: update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Updated input 'catppuccin': 'github:catppuccin/nix/06f0ea19334bcc8112e6d671fd53e61f9e3ad63a?narHash=sha256-8kBIYfn8TI9jbffhDNS12SdbQHb9ITXflwcgIJBeGqw%3D' (2025-01-22) → 'github:catppuccin/nix/d4e258e29075a86a82dacaf4f5e0985935ae4658?narHash=sha256-GXJllf1wY7tOF6uei9S3PnSEghFbnJP1vkxM0kkMOoI%3D' (2025-02-11) • Updated input 'disko': 'github:nix-community/disko/18d0a984cc2bc82cf61df19523a34ad463aa7f54?narHash=sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML%2B3TKAo%3D' (2025-01-29) → 'github:nix-community/disko/40da43e8e5620505b9c8aacc4f0d7577ad1aff73?narHash=sha256-CPfA2Wdfxz16CTsPFltFj65T0/HikkOa4pQvcts1df4%3D' (2025-02-14) • Updated input 'home-manager': 'github:nix-community/home-manager/a8159195bfaef3c64df75d3b1e6a68d49d392be9?narHash=sha256-PM%2BcGduJ05EZ%2BYXulqAwUFjvfKpPmW080mcuN6R1POw%3D' (2025-01-30) → 'github:nix-community/home-manager/5031c6d2978109336637977c165f82aa49fa16a7?narHash=sha256-NxNe32VB4XI/xIXrsKmIfrcgtEx5r/5s52pL3CpEcA4%3D' (2025-02-13) • Updated input 'nix-index-database': 'github:Mic92/nix-index-database/79b7b8eae3243fc5aa9aad34ba6b9bbb2266f523?narHash=sha256-LIRtMvAwLGb8pBoamzgEF67oKlNPz4LuXiRPVZf%2BTpE%3D' (2025-01-26) → 'github:Mic92/nix-index-database/895d81b6228bbd50a6ef22f5a58a504ca99763ea?narHash=sha256-/Ak%2BQuinhmdxa9m3shjm4lwwwqmzG8zzGhhhhgR1k9I%3D' (2025-02-09) • Updated input 'nix-vscode-extensions': 'github:nix-community/nix-vscode-extensions/529e0a84346f34db86ea24203c0b2e975fefb4f2?narHash=sha256-q8pOnhaA95ZZf%2BCJ4ahScSzt5pbnL7lShFuMwTwiw7I%3D' (2025-01-31) → 'github:nix-community/nix-vscode-extensions/6113f471097e12ff293e86b36e74aee21c55204e?narHash=sha256-Bfok%2BAZ/iTOmJNndwR7wOZbsuL5/gks3GH2qvWTxpGs%3D' (2025-02-14) • Updated input 'nixos-hardware': 
'github:NixOS/nixos-hardware/dfad538f751a5aa5d4436d9781ab27a6128ec9d4?narHash=sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4%3D' (2025-01-24) → 'github:NixOS/nixos-hardware/2eccff41bab80839b1d25b303b53d339fbb07087?narHash=sha256-5yRlg48XmpcX5b5HesdGMOte%2BYuCy9rzQkJz%2Bimcu6I%3D' (2025-02-06) • Updated input 'nixos-sbc': 'github:nakato/nixos-sbc/21be4ab012197a2eea4bbff8315c40f26f715a18?narHash=sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0%3D' (2025-01-30) → 'github:nakato/nixos-sbc/d0e87bfd6623cce0b730f8919d6f21e02f917264?narHash=sha256-h1kw65FOtgTbSqhKc/hsvQaqimZ9D0x1FzifuGGbsho%3D' (2025-02-08) • Updated input 'nixpkgs': 'github:xinyangli/nixpkgs/f1319a1c0e7e4486a9eece0acabb4e73a5457b6a?narHash=sha256-fstRWbBw1vTPLko8WWrBzqFODBXn2OgP9sf/9GeeDL4%3D' (2025-01-13) → 'github:xinyangli/nixpkgs/90466175893e2e48b5f660eb90daa7e510c2f1c4?narHash=sha256-9NNxUjwQ4Ty6n8EI1GcMtsEb3Knkho7FZ/QS5crB%2BBc%3D' (2025-02-14) • Updated input 'nur': 'github:nix-community/NUR/663390a62b2986f8ea650de7768c4b4c98d49a96?narHash=sha256-9YcoURYAAbMt7fFd0mBtyNH51a2pgxDu94qKnNIt7Ic%3D' (2025-01-31) → 'github:nix-community/NUR/6ced3aa7dffa39ccfb771ac90c39756f9558d489?narHash=sha256-coB/rCQx3FOIyBSa9nLfchlkGDL7ehHZc8U7CJ7YhP4%3D' (2025-02-14) • Updated input 'nur/nixpkgs': 'github:nixos/nixpkgs/9d3ae807ebd2981d593cddd0080856873139aa40?narHash=sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9%2BWC4%3D' (2025-01-29) → 'github:nixos/nixpkgs/2ff53fe64443980e139eaa286017f53f88336dd0?narHash=sha256-%2B/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc%3D' (2025-02-13) • Updated input 'sops-nix': 'github:Mic92/sops-nix/4c1251904d8a08c86ac6bc0d72cc09975e89aef7?narHash=sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320%3D' (2025-01-31) → 'github:Mic92/sops-nix/07af005bb7d60c7f118d9d9f5530485da5d1e975?narHash=sha256-7JAGezJ0Dn5qIyA2%2BT4Dt/xQgAbhCglh6lzCekTVMeU%3D' (2025-02-11) --- flake.lock | 66 +++++++++++++++++++++++++++--------------------------- 1 file changed, 33 insertions(+), 33 deletions(-) 
diff --git a/flake.lock b/flake.lock index ed7d6fc..12a9f4f 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1737579274, - "narHash": "sha256-8kBIYfn8TI9jbffhDNS12SdbQHb9ITXflwcgIJBeGqw=", + "lastModified": 1739283129, + "narHash": "sha256-GXJllf1wY7tOF6uei9S3PnSEghFbnJP1vkxM0kkMOoI=", "owner": "catppuccin", "repo": "nix", - "rev": "06f0ea19334bcc8112e6d671fd53e61f9e3ad63a", + "rev": "d4e258e29075a86a82dacaf4f5e0985935ae4658", "type": "github" }, "original": { @@ -93,11 +93,11 @@ ] }, "locked": { - "lastModified": 1738148035, - "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", + "lastModified": 1739517743, + "narHash": "sha256-CPfA2Wdfxz16CTsPFltFj65T0/HikkOa4pQvcts1df4=", "owner": "nix-community", "repo": "disko", - "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", + "rev": "40da43e8e5620505b9c8aacc4f0d7577ad1aff73", "type": "github" }, "original": { @@ -327,11 +327,11 @@ ] }, "locked": { - "lastModified": 1738275749, - "narHash": "sha256-PM+cGduJ05EZ+YXulqAwUFjvfKpPmW080mcuN6R1POw=", + "lastModified": 1739470101, + "narHash": "sha256-NxNe32VB4XI/xIXrsKmIfrcgtEx5r/5s52pL3CpEcA4=", "owner": "nix-community", "repo": "home-manager", - "rev": "a8159195bfaef3c64df75d3b1e6a68d49d392be9", + "rev": "5031c6d2978109336637977c165f82aa49fa16a7", "type": "github" }, "original": { @@ -464,11 +464,11 @@ ] }, "locked": { - "lastModified": 1737861961, - "narHash": "sha256-LIRtMvAwLGb8pBoamzgEF67oKlNPz4LuXiRPVZf+TpE=", + "lastModified": 1739071773, + "narHash": "sha256-/Ak+Quinhmdxa9m3shjm4lwwwqmzG8zzGhhhhgR1k9I=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "79b7b8eae3243fc5aa9aad34ba6b9bbb2266f523", + "rev": "895d81b6228bbd50a6ef22f5a58a504ca99763ea", "type": "github" }, "original": { 
@@ -488,11 +488,11 @@ ] }, "locked": { - "lastModified": 1738287944, - "narHash": "sha256-q8pOnhaA95ZZf+CJ4ahScSzt5pbnL7lShFuMwTwiw7I=", + "lastModified": 1739497746, + "narHash": "sha256-Bfok+AZ/iTOmJNndwR7wOZbsuL5/gks3GH2qvWTxpGs=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "529e0a84346f34db86ea24203c0b2e975fefb4f2", + "rev": "6113f471097e12ff293e86b36e74aee21c55204e", "type": "github" }, "original": { @@ -503,11 +503,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1737751639, - "narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", + "lastModified": 1738816619, + "narHash": "sha256-5yRlg48XmpcX5b5HesdGMOte+YuCy9rzQkJz+imcu6I=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", + "rev": "2eccff41bab80839b1d25b303b53d339fbb07087", "type": "github" }, "original": { @@ -524,11 +524,11 @@ ] }, "locked": { - "lastModified": 1738254353, - "narHash": "sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0=", + "lastModified": 1739031922, + "narHash": "sha256-h1kw65FOtgTbSqhKc/hsvQaqimZ9D0x1FzifuGGbsho=", "owner": "nakato", "repo": "nixos-sbc", - "rev": "21be4ab012197a2eea4bbff8315c40f26f715a18", + "rev": "d0e87bfd6623cce0b730f8919d6f21e02f917264", "type": "github" }, "original": { @@ -584,11 +584,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1736787601, - "narHash": "sha256-fstRWbBw1vTPLko8WWrBzqFODBXn2OgP9sf/9GeeDL4=", + "lastModified": 1739519992, + "narHash": "sha256-9NNxUjwQ4Ty6n8EI1GcMtsEb3Knkho7FZ/QS5crB+Bc=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "f1319a1c0e7e4486a9eece0acabb4e73a5457b6a", + "rev": "90466175893e2e48b5f660eb90daa7e510c2f1c4", "type": "github" }, "original": { 
@@ -600,11 +600,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1738142207, - "narHash": "sha256-NGqpVVxNAHwIicXpgaVqJEJWeyqzoQJ9oc8lnK9+WC4=", + "lastModified": 1739446958, + "narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "9d3ae807ebd2981d593cddd0080856873139aa40", + "rev": "2ff53fe64443980e139eaa286017f53f88336dd0", "type": "github" }, "original": { @@ -647,11 +647,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1738305622, - "narHash": "sha256-9YcoURYAAbMt7fFd0mBtyNH51a2pgxDu94qKnNIt7Ic=", + "lastModified": 1739519565, + "narHash": "sha256-coB/rCQx3FOIyBSa9nLfchlkGDL7ehHZc8U7CJ7YhP4=", "owner": "nix-community", "repo": "NUR", - "rev": "663390a62b2986f8ea650de7768c4b4c98d49a96", + "rev": "6ced3aa7dffa39ccfb771ac90c39756f9558d489", "type": "github" }, "original": { @@ -710,11 +710,11 @@ ] }, "locked": { - "lastModified": 1738291974, - "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=", + "lastModified": 1739262228, + "narHash": "sha256-7JAGezJ0Dn5qIyA2+T4Dt/xQgAbhCglh6lzCekTVMeU=", "owner": "Mic92", "repo": "sops-nix", - "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7", + "rev": "07af005bb7d60c7f118d9d9f5530485da5d1e975", "type": "github" }, "original": { From 96e02e596c701f1a069fbbc8eb663b4abc8df5e5 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Fri, 14 Feb 2025 16:16:22 +0800 Subject: [PATCH 58/60] weilite/caddy: bump plugins --- machines/weilite/services/caddy.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/machines/weilite/services/caddy.nix b/machines/weilite/services/caddy.nix index 6cc22b0..f93efe6 100644 --- a/machines/weilite/services/caddy.nix +++ b/machines/weilite/services/caddy.nix 
@@ -33,7 +33,7 @@ "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e" "github.com/caddy-dns/dnspod@v0.0.4" ]; - hash = "sha256-EmBKn6QV5JpLXpez7+Gu91tP/sUZxq2DkGPYoAe+2QM="; + hash = "sha256-9DZ58u/Y17njwQKvCZNys8DrCoRNsHQSBD2hV2cm8uU="; }; virtualHosts."derper00.namely.icu:8443".extraConfig = '' ${acmeDnspod} From fb7b44897a584bc46d5e629682fd07312f1abfb8 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 4 Mar 2025 18:32:55 +0800 Subject: [PATCH 59/60] calcite: test comin --- flake.nix | 19 ++++++++----------- home/xin/calcite.nix | 1 + machines/calcite/configuration.nix | 2 +- machines/calcite/network.nix | 30 ++++++++++++++++++++++++++---- 4 files changed, 36 insertions(+), 16 deletions(-) diff --git a/flake.nix b/flake.nix index abd9da6..f81f61a 100644 --- a/flake.nix +++ b/flake.nix @@ -123,6 +123,9 @@ comin.nixosModules.comin ]; nodeNixosModules = { + weilite = [ + ./machines/weilite + ]; calcite = [ nixos-hardware.nixosModules.asus-zephyrus-ga401 catppuccin.nixosModules.catppuccin @@ -269,17 +272,6 @@ ] ++ sharedColmenaModules; }; - weilite = - { ... }: - { - imports = [ machines/weilite ] ++ sharedColmenaModules; - deployment = { - targetHost = "weilite.coho-tet.ts.net"; - targetPort = 22; - buildOnTarget = false; - }; - nixpkgs.system = "x86_64-linux"; - }; thorite = { ... }: { @@ -309,6 +301,11 @@ calcite = mkNixos { hostname = "calcite"; }; + + weilite = mkNixos { + hostname = "weilite"; + }; + baryte = mkNixos { hostname = "baryte"; }; diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index 40b93c9..8d83d35 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -122,6 +122,7 @@ in enable = true; options = { recolor = false; + selection-clipboard = "clipboard"; }; }; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index e5a74ea..c9afcd5 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix 
@@ -188,8 +188,8 @@ in services.printing.enable = true; services.printing.drivers = [ pkgs.hplip + pkgs.gutenprint pkgs.gutenprintBin - pkgs.canon-cups-ufr2 ]; hardware.sane = { enable = true; diff --git a/machines/calcite/network.nix b/machines/calcite/network.nix index 27e77ee..0626cc9 100644 --- a/machines/calcite/network.nix +++ b/machines/calcite/network.nix @@ -12,19 +12,41 @@ networking = { networkmanager = { enable = true; - dns = "systemd-resolved"; + dns = "default"; + settings = { + main = { + rc-manager = "resolvconf"; + }; + }; }; }; - services.resolved = { + networking.resolvconf = { enable = true; + dnsExtensionMechanism = false; + useLocalResolver = false; + }; + + services.kresd = { + enable = true; + listenPlain = [ ]; extraConfig = '' - Cache=no + log_level("notice") + net.listen('127.0.0.1', 53) + modules = { 'hints > iterate', 'stats', 'predict' } + cache.size = 100 * MB + trust_anchors.remove(".") + policy.add(policy.all(policy.TLS_FORWARD( { + { "8.8.8.8", hostname="dns.google" } }))) ''; + # policy.add(policy.suffix(policy.FORWARD({ "100.100.100.100" }), policy.todnames({ 'coho-tet.ts.net' }))) }; # Enable Tailscale - services.tailscale.enable = true; + services.tailscale = { + enable = true; + extraUpFlags = [ "--accept-dns=false" ]; + }; # services.tailscale.useRoutingFeatures = "both"; services.dae.enable = true; From 3705b569d912fa0c6a163b21d9fc209eb1933fee Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 4 Mar 2025 19:55:19 +0800 Subject: [PATCH 60/60] flake.lock: bump nixvim --- flake.lock | 8 ++++---- garnix.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 12a9f4f..c207939 100644 --- a/flake.lock +++ b/flake.lock 
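Review bot: In the `machines/calcite/network.nix` hunk, `trust_anchors.remove(".")` inside `services.kresd.extraConfig` turns DNSSEC validation off, so every answer is accepted on the word of the single `dns.google` forwarder; `policy.TLS_FORWARD` with `hostname=` authenticates and encrypts the hop to 8.8.8.8 but does not verify the records themselves. If validation was dropped only to work around a failure, record that next to the line in a Lua comment such as `-- DNSSEC validation disabled: <reason>`, or delete the line and keep the root trust anchor. The same hunk passes `--accept-dns=false` to Tailscale while the `coho-tet.ts.net` forward to `100.100.100.100` stays commented out, so tailnet names presumably no longer resolve through this resolver; confirm that is intended. A second entry in the `TLS_FORWARD` list would also avoid depending on one upstream for all name resolution on the host.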
@@ -401,11 +401,11 @@ "nixvim": "nixvim" }, "locked": { - "lastModified": 1735219902, - "narHash": "sha256-s1aI4l9e0OX861wHsvAPqz/s8B9ZTltAMJzPRXt5Kqo=", + "lastModified": 1741086060, + "narHash": "sha256-35fw6MoEXEutctwNS0z7VQ0AX8thHhU2KT0UxD/s3P4=", "ref": "refs/heads/master", - "rev": "4439691030d1a28f4ad49c542104e3f880f7c183", - "revCount": 25, + "rev": "9240bb4db98fe13b3fdaa0e15a06949959df568a", + "revCount": 26, "type": "git", "url": "https://git.xiny.li/xin/nixvim" }, diff --git a/garnix.yaml b/garnix.yaml index 630fac6..f602857 100644 --- a/garnix.yaml +++ b/garnix.yaml @@ -16,4 +16,4 @@ builds: - homeConfigurations.aarch64-linux.* - darwinConfigurations.* - nixosConfigurations.* - branch: next + branch: testing-calcite