fuckwit/nix-config
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Activity

Compare commits

base: fuckwit:master
Branches Tags
fuckwit:master
fuckwit:renovate/lock-file-maintenance
..
compare: fuckwit:renovate/lock-file-maintenance
Branches Tags
fuckwit:master
fuckwit:renovate/lock-file-maintenance

No commits in common. "master" and "renovate/lock-file-maintenance" have entirely different histories.
master ... renovate/l

12 changed files with 527 additions and 432 deletions
Show Stats Expand all files Collapse all files

375
flake.lock generated
View File

@ -18,11 +18,11 @@
},
"crane": {
"locked": {
"lastModified": 1741148495,
"narHash": "sha256-EV8KUaIZ2/CdBXlutXrHoZYbWPeB65p5kKZk71gvDRI=",
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "75390a36cd0c2cdd5f1aafd8a9f827d7107f2e53",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
@ -31,14 +31,58 @@
"type": "github"
}
},
"deploy": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1727447169,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"devshell": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1735644329,
"narHash": "sha256-tO3HrHriyLvipc4xr+Ewtdlo7wM1OjXNjlWRgmM7peY=",
"owner": "numtide",
"repo": "devshell",
"rev": "f7795ede5b02664b57035b3b757876703e2c3eac",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "devshell",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -63,6 +107,36 @@
"type": "github"
}
},
"flake-compat_3": {
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"revCount": 57,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
}
},
"flake-compat_4": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@ -71,11 +145,11 @@
]
},
"locked": {
"lastModified": 1740872218,
"narHash": "sha256-ZaMw0pdoUKigLpv9HiNDH2Pjnosg7NBYMJlHTIsHEUo=",
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "3876f6b87db82f33775b1ef5ea343986105db764",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
@ -89,11 +163,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1743550720,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
@ -111,11 +185,11 @@
]
},
"locked": {
"lastModified": 1743550720,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
"lastModified": 1736143030,
"narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5",
"rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
@ -147,7 +221,7 @@
},
"flake-utils": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
@ -165,7 +239,7 @@
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1731533236,
@ -181,6 +255,34 @@
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": [
"nixvim",
"nixvim",
"flake-compat"
],
"gitignore": "gitignore_2",
"nixpkgs": [
"nixvim",
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1735882644,
"narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
@ -203,6 +305,29 @@
"type": "github"
}
},
"gitignore_2": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixvim",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -210,11 +335,33 @@
]
},
"locked": {
"lastModified": 1743717835,
"narHash": "sha256-LJm6FoIcUoBw3w25ty12/sBfut4zZuNGdN0phYj/ekU=",
"lastModified": 1737299337,
"narHash": "sha256-0NBrY2A7buujKmeCbieopOMSbLxTu8TFcTLqAbTnQDw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "66a6ec65f84255b3defb67ff45af86c844dd451b",
"rev": "f8ef4541bb8a54a8b52f19b52912119e689529b3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736508663,
"narHash": "sha256-ZOaGwa+WnB7Zn3YXimqjmIugAnHePdXCmNu+AHkq808=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "2532b500c3ed2b8940e831039dcec5a5ea093afc",
"type": "github"
},
"original": {
@ -256,7 +403,7 @@
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-compat": "flake-compat_2",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
@ -265,11 +412,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1741442524,
"narHash": "sha256-tVcxLDLLho8dWcO81Xj/3/ANLdVs0bGyCPyKjp70JWk=",
"lastModified": 1737299073,
"narHash": "sha256-hOydnO9trHDo3qURqLSDdmE/pHNWDzlhkmyZ/gcBX2s=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "d8099586d9a84308ffedac07880e7f07a0180ff4",
"rev": "64d20cb2afaad8b73f4e38de41d27fb30a782bb5",
"type": "github"
},
"original": {
@ -278,13 +425,35 @@
"type": "github"
}
},
"nix-darwin": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736370755,
"narHash": "sha256-iWcjToBpx4PUd74uqvIGAfqqVfyrvRLRauC/SxEKIF0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "57733bd1dc81900e13438e5b4439239f1b29db0e",
"type": "github"
},
"original": {
"owner": "lnl7",
"repo": "nix-darwin",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1743583204,
"narHash": "sha256-F7n4+KOIfWrwoQjXrL2wD9RhFYLs2/GGe/MQY1sSdlE=",
"lastModified": 1737062831,
"narHash": "sha256-Tbk1MZbtV2s5aG+iM99U8FqwxU/YNArMcWAv6clcsBc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2c8d3f48d33929642c1c12cd243df4cc7d2ce434",
"rev": "5df43628fdf08d642be8ba5b3625a6c70731c19c",
"type": "github"
},
"original": {
@ -311,16 +480,29 @@
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1743296961,
"narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
"lastModified": 1735774519,
"narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
@ -333,34 +515,40 @@
"nixvim": "nixvim_2"
},
"locked": {
"lastModified": 1743725280,
"narHash": "sha256-msBvGXu5Ziqo4aRG/CgcSJA1aibCYWOSWd3z9O697IM=",
"lastModified": 1736708502,
"narHash": "sha256-QgFG5yf9MAgPox2s8XINt9nQPISyMKT7hxGlm6zdWMM=",
"ref": "refs/heads/master",
"rev": "dd99bc9a3ee59977cf32d108ddcebb84b0f594ae",
"revCount": 11,
"rev": "a11cb5e30e74cdb654db3e4df4c245931859490b",
"revCount": 14,
"type": "git",
"url": "https://gitlab.fuckwit.dev/fuckwit/nixvim"
"url": "https://git.fuckwit.dev/fuckwit/nixvim"
},
"original": {
"type": "git",
"url": "https://gitlab.fuckwit.dev/fuckwit/nixvim"
"url": "https://git.fuckwit.dev/fuckwit/nixvim"
}
},
"nixvim_2": {
"inputs": {
"devshell": "devshell",
"flake-compat": "flake-compat_3",
"flake-parts": "flake-parts_3",
"git-hooks": "git-hooks",
"home-manager": "home-manager_2",
"nix-darwin": "nix-darwin",
"nixpkgs": [
"nixvim",
"nixpkgs"
],
"nuschtosSearch": "nuschtosSearch"
"nuschtosSearch": "nuschtosSearch",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1743723573,
"narHash": "sha256-yxONmoimNU0hy0s8pF5lKCSZNqxVmbIHuag3sdk3R30=",
"lastModified": 1736707115,
"narHash": "sha256-3LEJqX4v9BU/sJPy7G7x3D1kW1/Yz+SgByWS/uUJUbg=",
"owner": "nix-community",
"repo": "nixvim",
"rev": "9f495dda930ceca1653813ded11859d6b1342803",
"rev": "4527abba5870b5650604eece6020a5d0361fe4cf",
"type": "github"
},
"original": {
@ -375,14 +563,14 @@
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": "treefmt-nix"
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1743740629,
"narHash": "sha256-m2hEv0YzNbhK+TBBC46+pQkMWn4aiRHTDfbBS4lkf3g=",
"lastModified": 1737309681,
"narHash": "sha256-x4tb/Iq5ROg0V43OXilzdlDcsVTu3p/HbJi7le2jrKo=",
"owner": "nix-community",
"repo": "NUR",
"rev": "a38bb37f72ac6f4e5b8d3a5e7dcc87499238feb9",
"rev": "e9c18ee9e75a33a75b5739764561d9d474983cd9",
"type": "github"
},
"original": {
@ -402,11 +590,11 @@
]
},
"locked": {
"lastModified": 1743201766,
"narHash": "sha256-bb/dqoIjtIWtJRzASOe8g4m8W2jUIWtuoGPXdNjM/Tk=",
"lastModified": 1735854821,
"narHash": "sha256-Iv59gMDZajNfezTO0Fw6LHE7uKAShxbvMidmZREit7c=",
"owner": "NuschtOS",
"repo": "search",
"rev": "2651dbfad93d6ef66c440cbbf23238938b187bde",
"rev": "836908e3bddd837ae0f13e215dd48767aee355f0",
"type": "github"
},
"original": {
@ -425,14 +613,15 @@
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1740915799,
"narHash": "sha256-JvQvtaphZNmeeV+IpHgNdiNePsIpHD5U/7QN5AeY44A=",
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "42b1ba089d2034d910566bf6b40830af6b8ec732",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
@ -443,6 +632,7 @@
},
"root": {
"inputs": {
"deploy": "deploy",
"flake-utils": "flake-utils",
"home-manager": "home-manager",
"lanzaboote": "lanzaboote",
@ -461,11 +651,11 @@
]
},
"locked": {
"lastModified": 1741228283,
"narHash": "sha256-VzqI+k/eoijLQ5am6rDFDAtFAbw8nltXfLBC6SIEJAE=",
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "38e9826bc4296c9daf18bc1e6aa299f3e932a403",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
@ -477,18 +667,18 @@
"simple-nixos-mailserver": {
"inputs": {
"blobs": "blobs",
"flake-compat": "flake-compat_2",
"flake-compat": "flake-compat_4",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-24_11": "nixpkgs-24_11"
},
"locked": {
"lastModified": 1742413977,
"narHash": "sha256-NkhM9GVu3HL+MiXtGD0TjuPCQ4GFVJPBZ8KyI2cFDGU=",
"lastModified": 1735230346,
"narHash": "sha256-zgR8NTiNDPVNrfaiOlB9yHSmCqFDo7Ks2IavaJ2dZo4=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "b4fbffe79c00f19be94b86b4144ff67541613659",
"rev": "dc0569066e79ae96184541da6fa28f35a33fbf7b",
"type": "gitlab"
},
"original": {
@ -505,11 +695,11 @@
]
},
"locked": {
"lastModified": 1743750430,
"narHash": "sha256-ZwEpd2ZqimTaFUNkapLWVsNvSEBTIPOq2W2z2aMFC+k=",
"lastModified": 1737107480,
"narHash": "sha256-GXUE9+FgxoZU8v0p6ilBJ8NH7k8nKmZjp/7dmMrCv3o=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "9bc9b59644585aa2f6c96a1abf50d937b433be83",
"rev": "4c4fb93f18b9072c6fa1986221f9a3d7bf1fe4b6",
"type": "github"
},
"original": {
@ -548,7 +738,44 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixvim",
"nixvim",
"nixpkgs"
]
},
"locked": {
"lastModified": 1736154270,
"narHash": "sha256-p2r8xhQZ3TYIEKBoiEhllKWQqWNJNoT9v64Vmg4q8Zw=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "13c913f5deb3a5c08bb810efd89dc8cb24dd968b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"nur",
@ -568,6 +795,24 @@
"repo": "treefmt-nix",
"type": "github"
}
},
"utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

7
flake.nix
View File

@ -20,6 +20,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
deploy = {
url = "github:serokell/deploy-rs";
inputs.nixpkgs.follows = "nixpkgs";
};
home-manager = {
url = "github:nix-community/home-manager";
inputs.nixpkgs.follows = "nixpkgs";
@ -31,7 +36,7 @@
};
nixvim = {
url = "git+https://gitlab.fuckwit.dev/fuckwit/nixvim";
url = "git+https://git.fuckwit.dev/fuckwit/nixvim";
inputs.nixpkgs.follows = "nixpkgs";
};
};

253
nixos/celestia/configuration.nix
View File

@ -2,7 +2,6 @@
config,
lib,
pkgs,
mypkgs,
...
}: let
makeVirtualHost = {
@ -39,8 +38,6 @@ in {
sops.secrets."restic_ssh_key" = {};
sops.secrets."restic_documents_repository_password" = {};
sops.secrets."restic_images_repository_password" = {};
sops.secrets."protonvpn_wg_private_key" = {};
sops.secrets."telegraf_api_token" = {};
imports = [
./hardware-configuration.nix
@ -79,7 +76,7 @@ in {
firewall = {
enable = true;
allowedTCPPorts = [22 111 443 2049 4000 4001 4002 9999 20048];
allowedTCPPorts = [22 111 443 2049 4000 4001 4002 20048];
allowedUDPPorts = [53 111 2049 4000 4001 4002 20048];
};
};
@ -98,7 +95,6 @@ in {
rtl_433
dump1090
rtl-sdr
mypkgs.nixvim
];
users.users."root".openssh.authorizedKeys.keys = [
@ -202,15 +198,6 @@ in {
# "force create mode" = "0666";
# "force directory mode" = "0777";
};
all = {
path = "/tank";
browsable = "yes";
public = "yes";
"guest only" = "yes";
writable = "no";
# "force create mode" = "0666";
# "force directory mode" = "0777";
};
};
};
@ -218,6 +205,26 @@ in {
autoScrub.enable = true;
};
gitea-actions-runner.instances = {
runner1 = {
enable = true;
name = "celestia";
url = "https://git.fuckwit.dev";
tokenFile = config.sops.secrets."act-runner-token".path;
labels = [
"nix:docker://nixos/nix:latest"
];
# hostPackages = with pkgs; [
# bash
# coreutils
# curl
# wget
# gnused
# gitMinimal
# ];
};
};
restic = let
mkBackup = repo: paths: exclude: pruneOpts: {
repository = "sftp:u169497-sub5@u169497.your-storagebox.de:${repo}";
@ -241,121 +248,43 @@ in {
};
};
prometheus.exporters = {
zfs.enable = true;
smartctl = {
enable = true;
devices =
[
"/dev/disk/by-id/ata-Samsung_SSD_840_PRO_Series_S1ATNSAF213446M"
]
++ disks;
};
systemd.enable = true;
node.enable = true;
};
telegraf = {
enable = true;
environmentFiles = [config.sops.secrets."telegraf_api_token".path];
extraConfig = {
inputs = {
influxdb_v2_listener = {
service_address = "127.0.0.1:9998";
};
prometheus = {
urls = [
"http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.zfs.port}"
"http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.smartctl.port}"
"http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.systemd.port}"
"http://127.0.0.1:${builtins.toString config.services.prometheus.exporters.node.port}"
];
};
};
outputs = {
influxdb_v2 = {
urls = ["https://influx.fuckwit.dev"];
token = "\${TELEGRAF_API_TOKEN}";
organization = "fuckwit.dev";
bucket = "world";
timeout = "60s";
};
};
};
};
nginx = {
enable = true;
clientMaxBodySize = "500m";
virtualHosts =
# Tasmota devices check /health of the influxdb2 server.
# Telegraf does not provide this endpoint so we fake it via nginx
# https://github.com/influxdata/telegraf/issues/16321
virtualHosts = makeVirtualHosts [
{
"influxdb-proxy.fuckwit.dev" = {
listen = [
{
port = 9999;
addr = "0.0.0.0";
}
];
locations = {
"/health".return = "200 ''";
"/".proxyPass = "http://127.0.0.1:9998";
};
};
subdomain = "jdownloader";
port = 8000;
}
// makeVirtualHosts [
{
subdomain = "jdownloader";
port = 5800;
}
{
subdomain = "jellyfin";
port = 8096;
}
{
subdomain = "sonarr";
port = 8989;
}
{
subdomain = "radarr";
port = 7878;
}
{
subdomain = "lidarr";
port = 8686;
}
{
subdomain = "prowlarr";
port = 9696;
}
{
subdomain = "paperless";
port = 28981;
}
{
subdomain = "homepage";
port = 8082;
}
{
subdomain = "photoprism";
port = 2342;
}
{
subdomain = "immich";
port = 2283;
}
{
subdomain = "qbittorrent";
port = 8080;
}
{
subdomain = "shimmie";
port = 8000;
}
];
{
subdomain = "jellyfin";
port = 8096;
}
{
subdomain = "sonarr";
port = 8989;
}
{
subdomain = "radarr";
port = 7878;
}
{
subdomain = "lidarr";
port = 8686;
}
{
subdomain = "paperless";
port = 28981;
}
{
subdomain = "homepage";
port = 8082;
}
{
subdomain = "photoprism";
port = 2342;
}
];
};
paperless = {
@ -397,8 +326,6 @@ in {
dataDir = "/var/lib/sonarr";
};
prowlarr.enable = true;
jellyfin.enable = true;
photoprism = {
@ -414,13 +341,6 @@ in {
};
};
immich = {
enable = true;
host = "127.0.0.1";
mediaLocation = "/tank/images/immich";
settings.server.externalDomain = "https://immich.fuckwit.dev";
};
homepage-dashboard = {
enable = true;
@ -547,75 +467,15 @@ in {
backend = "podman";
containers = {
shimmie = {
image = "docker.io/shish2k/shimmie2:latest";
volumes = ["/tank/dump/shimmie:/app/data"];
ports = ["127.0.0.1:8000:8000"];
};
jdownloader = {
image = "docker.io/jlesage/jdownloader-2:latest";
autoStart = true;
networks = ["container:gluetun"];
dependsOn = ["gluetun"];
ports = ["0.0.0.0:8000:5800"];
volumes = [
"jdownloader_config:/config"
"/tank/dump:/output"
];
};
gluetun = {
image = "docker.io/qmcgaw/gluetun";
autoStart = true;
environment = {
VPN_SERVICE_PROVIDER = "protonvpn";
VPN_TYPE = "wireguard";
VPN_PORT_FORWARDING = "on";
SERVER_COUNTRIES = "Switzerland";
PORT_FORWARD_ONLY = "on";
VPN_PORT_FORWARDING_UP_COMMAND = ''
/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORTS}}}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
'';
};
environmentFiles = [
config.sops.secrets."protonvpn_wg_private_key".path
];
capabilities = {
NET_ADMIN = true;
};
devices = ["/dev/net/tun"];
ports = [
"127.0.0.1:8080:8080"
"127.0.0.1:5800:5800"
"127.0.0.1:8123:8123"
];
};
qbittorrent = {
image = "lscr.io/linuxserver/qbittorrent:latest";
autoStart = true;
networks = ["container:gluetun"];
environment = {
WEBUI_PORT = "8080";
};
dependsOn = ["gluetun"];
volumes = [
"/var/lib/qbittorrent:/config"
"/tank/dump/torrent:/downloads"
];
};
# qbittorrent-exporter = {
# image = "docker.io/esanchezm/prometheus-qbittorrent-exporter";
# autoStart = true;
# networks = ["container:gluetun"];
# dependsOn = ["qbittorrent"];
# environment = {
# QBITTORRENT_PORT = "8080";
# QBITTORRENT_HOST = "127.0.0.1";
# EXPORTER_PORT = "8123";
# };
# };
};
};
};
@ -633,7 +493,6 @@ in {
script = ''
while read -r evt file; do
printf "handling $evt for $file"
${pkgs.coreutils}/bin/chown ${user}:${group} "$file"
${pkgs.coreutils}/bin/chmod 775 "$file"
done < <(${pkgs.inotify-tools}/bin/inotifywait -e create,move -m -r --format '%e %w%f' ${path})
@ -644,10 +503,6 @@ in {
StateDirectory = "dnscrypt-proxy";
};
podman-qbittorrent.serviceConfig = {
StateDirectory = "qbittorrent";
};
ensure-radarr-perms = ensure-perms "/tank/video/movie" "radarr" "nas";
ensure-sonarr-perms = ensure-perms "/tank/video/series" "sonarr" "nas";
ensure-lidarr-perms = ensure-perms "/tank/audio" "lidarr" "nas";

8
nixos/celestia/secrets.yaml
View File

@ -5,8 +5,6 @@ photoprism-password-file: ENC[AES256_GCM,data:a0fqrjRDc2M=,iv:H/kLPIJsti8QsOJjwP
restic_ssh_key: ENC[AES256_GCM,data:NK7WXhnnueZ6kVZJnjShZ/QaNXINrJ6+youN3EPBmNjiLBTJHFg4LVR3MCU1GaK2HJpbz3qEJa/kto9LPONRR0F6LO6/7U17O0fdzF7Ca7u4xHI7uKBE6x9/dhd5MHJ2yQpEUwJnTB6i/++OcbSfTJmp062jTgWxdarngt6skx0m5JIlu6lhLKyFzGa+cBIesFItredQ2SJroUC4rK3CiQLutuaBlhw90wys3T2uTtRRgzQ08AF90+JY5jqflZposQPT0ox+xEegOyZ4UJxX2WToxD998N7/eETxo2E94zL/5f2mGoubDxwPTZp8cPX+1g85tFjhn361OSgHBwgRRT3rs/js1xZkQQO2McKPyGZVHOzQ0GSrpvxiSiUZk8/49eynEkWUsY2YXQxvl3/s6r/Toh9Wbr9mo3X67A2phTx1beEnU8XMwWS/5ZnqtFNHvxC6tfkAIwblNvCc9mTigSYhOji9TBpcZNOCumY/MYzGSCzxSFXcOnsKZKjxdE3ByHFKcMvJ+uiaav000MbdplOOsYLCSpdQAAZH,iv:JFcu2GO8k7awfB8RV17tcFj5KhXmUxnzjnoEdmMaqxc=,tag:awy4njmuS/l5CCFqWdsy3A==,type:str]
restic_documents_repository_password: ENC[AES256_GCM,data:rcQ5PsvJW2i3e2v1FqbqCOoqiblqFDsqRifzY6YxIKZTNSNrRPgqUduqei/0aSGJTNG+zYS4YRCooCZ/E7mYFg==,iv:IO6OGY+Dfai0Hl/NWT7bqqhTkfhXlUqqnJyQjm87fSw=,tag:K3D112tm+kC5OpEF2t+oZQ==,type:str]
restic_images_repository_password: ENC[AES256_GCM,data:yNWUqZ9ddkfD15mO7NocUYwqNWPaTHXfLkMNq7yy5xgSG4I3G01mFTt5qCPbZ0n+Y6DFlhDQBLAC5SwOvVNggA==,iv:LqA7TG9TS7eyHZ/xqF+L1w5imPdogQGH0DyokaQj4Bc=,tag:1OLRp7VO8Lfy1nQcUr3OWA==,type:str]
protonvpn_wg_private_key: ENC[AES256_GCM,data:cm4ytBg2lMDDppx50JxmEX8lC+x5bessRmIk60iSuYYCtb7DTlkcwROivz7oG/x1DXjvxjLPW9Y5wEE3GxXD8xo1,iv:B6TeBVC0d6S3XNhv7nSiuVI7nr3M1LeqYMuv0AxvG2c=,tag:RvhSLKRv1FDNntHFvtrelw==,type:str]
telegraf_api_token: ENC[AES256_GCM,data:pCNHkdKlBhYW+IJuvdLgAsk2oXVIowvCVwy2uvJIJQ8DdtRgYgR4JIMcz4l8u+yTPyRPGSqdXnkojNeB9O7T8FM25lklrcRfeKL3ofSY8RJ1FiovcEGYjESi/A7sgrETFMD2QIO0kmZ+3qM=,iv:PKm2hp6+aInR2+AglHImjxIPBFU0FRjpMklranVgjiM=,tag:T/88jJJjkgYxisKZtZAyQg==,type:str]
sops:
kms: []
gcp_kms: []
@ -22,8 +20,8 @@ sops:
K0RaVVNSczZBcDNtaXhGem5iQnlVTDAK+XogkPQD2xYQ7sW8DwAXaaLA/ftw6vZM
wsNs0uun9dgGjZIXcU6AIsrJeUiWBl5zgc6CCd/ad/3QxpmKj1p9Mg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-29T14:12:23Z"
mac: ENC[AES256_GCM,data:5og1eH8IKVj0UHPgv1qVyC+VgjL1uf7uuJR3w0Y8qqAwNjhyifCTLVRxIg+3EPKQH+w5H0uIovmnlPdRCdwDbkysBkFL6xAlDszouEDX5F+S5ZOZkpONSieeCNG+obVO1PLstLffb+Rh2OR4hhi0xH6D8ryH0yqe7o0tZROBaqo=,iv:Tw6EC4pZcrF4k2H89ZVKlDPT40x02cOrNVH6e57bIGU=,tag:luYMemQCAjHu9D9JgfvpCw==,type:str]
lastmodified: "2024-11-18T18:21:19Z"
mac: ENC[AES256_GCM,data:3QqYfYJpIb1kcd6Kh92BbfQIBrsniet3HYVR56V5g/eHRwJpy526A8Gpntc0vdu7Adpv/bbaaPzmCTeanhEXwXB38iXnEsWSsUBn/KyT0bhIi7HcXNfRM6al7cWA6YBwSyy12ElD0Bf/fX2ptUId39tOj3yr7Rg4VaXMr9gEsMk=,iv:s5LlkeHcjoqWeQDBQmoOTZWI7L18bJi/yz3yv8uGoSM=,tag:FH/CbzCyqBp1ebeKIPox8g==,type:str]
pgp:
- created_at: "2024-01-25T08:00:56Z"
enc: |-
@ -38,4 +36,4 @@ sops:
-----END PGP MESSAGE-----
fp: 5FA64909521A5C85992F26E0F819AEFF941BB849
unencrypted_suffix: _unencrypted
version: 3.9.4
version: 3.9.1

3
nixos/configurations.nix
View File

@ -4,7 +4,6 @@
sops-nix,
lanzaboote,
simple-nixos-mailserver,
nixvim,
inputs,
...
}: let
@ -51,7 +50,7 @@
}:
np.lib.nixosSystem {
inherit system;
specialArgs = {mypkgs = customPkgs."${system}" // { nixvim = nixvim.packages.${system}.default;};};
specialArgs = {mypkgs = customPkgs."${system}";};
modules =
defaultModules
++ [

1
nixos/framework/configuration.nix
View File

@ -16,6 +16,7 @@
pkiBundle = "/etc/secureboot";
};
boot.loader.efi.canTouchEfiVariables = true;
boot.kernelPackages = pkgs.linuxPackages_6_11;
nixpkgs.config.allowUnfree = true;

267
nixos/primordial/configuration.nix
View File

@ -1,45 +1,20 @@
{
config,
pkgs,
lib,
...
}: let
makeVirtualHost = {
subdomain,
port,
}: {
name = "${subdomain}.fuckwit.dev";
value = {
forceSSL = true;
useACMEHost = "fuckwit.dev";
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
proxyWebsockets = true;
};
};
};
makeVirtualHosts = sites: builtins.listToAttrs (builtins.map makeVirtualHost sites);
mkWellKnown = data: ''
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON data}';
'';
secretFile = name: config.sops.secrets.${name}.path;
in {
sops.defaultSopsFile = ./secrets.yaml;
sops.secrets."acme.env" = {};
sops.secrets."gitea.env" = {};
sops.secrets."keycloak_db_pw" = {};
sops.secrets."restic_mail_repository_password" = {};
sops.secrets."restic_ssh_key" = {};
sops.secrets."act-runner-token" = {};
sops.secrets."gitlab-db-password".owner = config.users.users.gitlab.name;
sops.secrets."gitlab-initial-root-pw".owner = config.users.users.gitlab.name;
sops.secrets."gitlab-db-key-base".owner = config.users.users.gitlab.name;
sops.secrets."gitlab-secret-key-base".owner = config.users.users.gitlab.name;
sops.secrets."gitlab-otp-key-base".owner = config.users.users.gitlab.name;
sops.secrets."gitlab-jws-key-pem".owner = config.users.users.gitlab.name;
sops.secrets."gitlab-runner-authentication-file" = {};
imports = [
./mail.nix
@ -48,7 +23,6 @@ in {
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
networking = {
hostName = "primordial";
@ -77,20 +51,8 @@ in {
i18n.defaultLocale = "en_US.UTF-8";
security.acme = {
acceptTerms = true;
defaults = {
email = "acme@fuckwit.dev";
dnsProvider = "cloudflare";
environmentFile = secretFile "acme.env";
dnsPropagationCheck = true;
};
certs."fuckwit.dev" = {
extraDomainNames = ["*.fuckwit.dev"];
};
};
users.users.nginx.extraGroups = ["acme"];
security.acme.acceptTerms = true;
security.acme.defaults.email = "huanzodev@gmail.com";
services = {
openssh = {
@ -119,41 +81,6 @@ in {
'';
};
gitlab = {
enable = true;
https = true;
host = "gitlab.fuckwit.dev";
port = 443;
databasePasswordFile = secretFile "gitlab-db-password";
initialRootPasswordFile = secretFile "gitlab-initial-root-pw";
secrets = {
secretFile = secretFile "gitlab-secret-key-base";
otpFile = secretFile "gitlab-otp-key-base";
dbFile = secretFile "gitlab-db-key-base";
jwsFile = secretFile "gitlab-jws-key-pem";
};
registry = {
enable = true;
package = pkgs.gitlab-container-registry;
defaultForProjects = true;
externalAddress = "https://registry-git.fuckwit.dev";
externalPort = 443;
keyFile = "/run/gitlab/registry.pem";
certFile = "/run/gitlab/registry.crt";
};
};
gitlab-runner = {
enable = true;
services = {
default = {
authenticationTokenConfigFile = secretFile "gitlab-runner-authentication-file";
dockerImage = "debian:stable";
};
};
};
matrix-synapse = {
enable = true;
settings.server_name = "fuckwit.dev";
@ -187,73 +114,97 @@ in {
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts =
{
"fuckwit.dev" = let
serverConfig."m.server" = "matrix.fuckwit.dev:443";
clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
in {
useACMEHost = "fuckwit.dev";
forceSSL = true;
# This section is not needed if the server_name of matrix-synapse is equal to
# the domain (i.e. example.org from @foo:example.org) and the federation port
# is 8448.
# Further reference can be found in the docs about delegation under
# https://element-hq.github.io/synapse/latest/delegate.html
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# Further reference can be found in the upstream docs at
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
virtualHosts."fuckwit.dev" = let
serverConfig."m.server" = "matrix.fuckwit.dev:443";
clientConfig."m.homeserver".base_url = "https://matrix.fuckwit.dev:443";
in {
enableACME = true;
forceSSL = true;
# This section is not needed if the server_name of matrix-synapse is equal to
# the domain (i.e. example.org from @foo:example.org) and the federation port
# is 8448.
# Further reference can be found in the docs about delegation under
# https://element-hq.github.io/synapse/latest/delegate.html
locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
# This is usually needed for homeserver discovery (from e.g. other Matrix clients).
# Further reference can be found in the upstream docs at
# https://spec.matrix.org/latest/client-server-api/#getwell-knownmatrixclient
locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
};
"matrix.fuckwit.dev" = {
useACMEHost = "fuckwit.dev";
forceSSL = true;
# It's also possible to do a redirect here or something else, this vhost is not
# needed for Matrix. It's recommended though to *not put* element
# here, see also the section about Element.
locations."/".extraConfig = ''
return 404;
'';
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
# Forward requests for e.g. SSO and password-resets.
locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
};
virtualHosts."matrix.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
# It's also possible to do a redirect here or something else, this vhost is not
# needed for Matrix. It's recommended though to *not put* element
# here, see also the section about Element.
locations."/".extraConfig = ''
return 404;
'';
# Forward all Matrix API calls to the synapse Matrix homeserver. A trailing slash
# *must not* be used here.
locations."/_matrix".proxyPass = "http://127.0.0.1:8005";
# Forward requests for e.g. SSO and password-resets.
locations."/_synapse/client".proxyPass = "http://127.0.0.1:8005";
};
"gitlab.fuckwit.dev" = {
useACMEHost = "fuckwit.dev";
forceSSL = true;
virtualHosts."vault.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
};
}
// makeVirtualHosts [
{
subdomain = "vault";
port = 8000;
}
{
subdomain = "git";
port = 8001;
}
{
subdomain = "grafana";
port = 8002;
}
{
subdomain = "influx";
port = 8003;
}
{
subdomain = "registry-git";
port = 4567;
}
];
locations."/" = {
proxyPass = "http://127.0.0.1:8000";
};
};
virtualHosts."git.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8001";
};
};
virtualHosts."grafana.fuckwit.dev" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8002";
proxyWebsockets = true;
};
};
virtualHosts."influx.fuckwit.dev" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8003";
proxyWebsockets = true;
};
};
virtualHosts."sso.fuckwit.dev" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8004";
proxyWebsockets = true;
};
};
# virtualHosts."drone.fuckwit.dev" = {
# enableACME = true;
# addSSL = true;
# locations."/" = {
# proxyPass = "http://127.0.0.1:8004";
# proxyWebsockets = true;
# };
# };
};
vaultwarden = {
@ -333,13 +284,37 @@ in {
};
};
};
# keycloak = {
# enable = true;
#
# database = {
# type = "postgresql";
# createLocally = true;
# passwordFile = config.sops.secrets."keycloak_db_pw".path;
# };
#
# settings = {
# hostname = "sso.fuckwit.dev";
# http-host = "127.0.0.1";
# http-port = 8004;
# proxy = "edge";
# };
# };
# drone-server = {
# enable = true;
# config = {
# giteaServer = "https://git.fuckwit.dev";
# serverHost = "drone.fuckwit.dev";
# serverPort = ":8004";
# serverProto = "https";
# };
# environmentFile = config.sops.secrets."gitea.env".path;
# };
};
virtualisation.podman = {
enable = true;
dockerSocket.enable = true;
};
virtualisation.docker.enable = lib.mkForce false;
virtualisation.podman.enable = true;
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"

3
nixos/primordial/mail.nix
View File

@ -16,7 +16,6 @@
};
};
certificateScheme = "acme";
acmeCertificateName = "fuckwit.dev";
certificateScheme = "acme-nginx";
};
}

20
nixos/primordial/secrets.yaml
View File

@ -1,15 +1,13 @@
acme.env: ENC[AES256_GCM,data:+EwmrLsjjOvvXOBgbI5T2e98pJ+PImvbaCd5/9cvqmPWurzGe1H2fjBOguDf5Mb64eZXaL7jbZxeTqT1T/w32+Y=,iv:tBuFM3V6jW7M3eXb2cwK8ZoKqfEfMxHC31GvF0GTOJs=,tag:Z/vDDFAp2cY7UarPWT/ykg==,type:str]
gitea.env: ENC[AES256_GCM,data:wkSPzLQtL3vGNIjG+jG6I3+R7wLBBdXeaCHbKxMbpVOldo8zrPLu8HdoryneRro58d7D9Cao9x+n5SvYNfGwHPgDJG8saXTeyEffIWIKNC+5+8fjiWwIkAvstckmZjSLitVxcwhifs49jmZgW/xQBPEPiAHzVkjeueV7p/Jm9WgyD2ycPrKUvNEYJ6DWZqQq9r10Y/KsRZsvRzF2cp6YeX7YGjW7E2wuQz9yy8gOFHxmoJxAc4zM7XaKZWKtow1UPCjTtxiY7qRkWK7KQt21Xf3FCsU=,iv:qQv7hbqh3Kl6sE/XW37D9AbYt4gLJw5BnfbbLIkzOd4=,tag:g6Cecvdb67W01HvIULNzsQ==,type:str]
keycloak_db_pw: ENC[AES256_GCM,data:1oBqzpFokAmjkT770YKYwzCllaGTprtDR9W4B/+V6ZUXPhJ1R9DNWZHqpQ==,iv:dK36GBiDj12HVjUkZqTVk/rR6s1sf6dmQTk1ZJQwi+I=,tag:6Ix9QSf+A0U82sG0z8wSmw==,type:str]
restic_mail_repository_password: ENC[AES256_GCM,data:B2XAP9tnztl/c7HB7bHywfJcwV9sLahfqCfI0TajWaWHPhRsZow4yxhn813FN4pINb5i1kYyiRG/sMXMKAFo9g==,iv:pQnVRVtuhcVtH/Kot9hcx8DSA4qlkksuUiY8HaOawfk=,tag:4lbmh8bQDSVNbI06/gNUlQ==,type:str]
restic_ssh_key: ENC[AES256_GCM,data:HpS73OEFvqSLYg8Qh1syJEjCfv5og5VxxzK2VPmAFRk5BzM4xF3Dn0cmJtQpwMMwaRGRWFdCTMrQCBWRrLgDt7wUyMpBn1HivLr4nwEOU4oDStv+1zKmrNbWLSYw3TbHoNJ2K+C46lfpV9CBdb+8dmv2vto6HoKFrOYc5/ftYd7lD9zMhueAMCc3q7aPsIFGb2TRGNz1wrF6Cn9ew1Oqh/P7xlUuIgS0kAKRrybhiIO9IUgQsTV3qqZIXogP4Yy2OLSyhbtDuvtLAncL2pJ/ZsGme47G8HoFomyqEIf0eq7YKqlpTqKPbbnxfWSlWYGg+l9OtCJOeyp5oEZ6sjPNdTUYjpcVZpHNEEa2zkaZzRj5Jo/GIiJfCu4F0kk4opbqEUTeDQHgesylxwpd/v5zaplGEqpYZ7y/DAud+YUw7XWYWjy60kjlZdkbKwrL/Cg4dxWY8Cc7v42Ve7aADgSEpEhwo5rHxM3JSVHHHunfC6y+/Qin26wQZhF1w+d8/yqSaJidx6FsDSipGCJtXa9liIG7oG2vUlmYm4rE,iv:d/AFzPAJGSGv1WzQY4+p8mImFoWKkaoMRtIBNAYiU0E=,tag:mdE/e2VX5zdrFT43NZaYNQ==,type:str]
act-runner-token: ENC[AES256_GCM,data:QEiYYYg8fZQIwVPT+vG2Eo8JO9y5PgVJBm5E1UlujANigQKvVkhPbVtulIB1Fg==,iv:V88x7xqYlbZuawPFU824bZtvM/b44BBVIjhnmtdYCwo=,tag:PgQcH1nkRpHCiBBMCSXfxg==,type:str]
gitlab-db-password: ENC[AES256_GCM,data:2TEOCeTjbD+SddZej0Bt2nXiJO032IT4Z43I49ChW18=,iv:65G3bjLO+ebhJfG8DEWG7EImsLheR7YUxikU6x+xj0M=,tag:GoQBrYPAlzdz7oscL2ie6A==,type:str]
gitlab-initial-root-pw: ENC[AES256_GCM,data:Q+0cg6lNctY=,iv:Z+9AlxlQ5YsEWg+ff1rPWfiBDJM/wAqvNKPHQ+s8CiA=,tag:1PVqV8qXLyiKDwr02sg9tA==,type:str]
gitlab-db-key-base: ENC[AES256_GCM,data:zzuYk07Tk4ti4k0y/lSDqrhDxdr5YqqKP5DUl0nCO1s=,iv:nKC3OkOxo+CrGTBvDPQkjps5OYrO/QPtGTY6uQsAUi4=,tag:tgRK3oUD9ZJy/DtKVkawDg==,type:str]
gitlab-secret-key-base: ENC[AES256_GCM,data:wXaad/yooHobhuKS+BFxiy29g0iUmFn5rLRmEMWchoQ=,iv:6JFjgkfgfTNr59v+PvIKItYJXtycGffmc7gJtyeHzMg=,tag:Nll20xSIXd2DoWcd1MJojw==,type:str]
gitlab-otp-key-base: ENC[AES256_GCM,data:3LGpjpqaQdeO7v3waFCZDVVKtgXl3h0N/XiBcqlW2Kc=,iv:Kk1Af6FoTs+kejHmTL3FXoQJ9XAV+2J5+xC+heGbKu4=,tag:EI0agVoGUVEqphCCFfRwLA==,type:str]
gitlab-jws-key-pem: ENC[AES256_GCM,data:LUyY4Ri2Ky7LRnx5azAM6xCMolZbBskHQIwBax3wwOy8QROP5tsK+ABZYVkPNjmooNrdSBECjBfy//TI4qauYJoresMK0rnQbwJQSAmmMmDHxBT7Qt0oY2sUZ2Ohf2mx2lsmzCCesJX2mXOKyOQR/P4xmrGcE64km5e9q6wU3wkKECg72BCpUAIOkpDHtq6f87rtGSKnXLjXItw7A6IuK75s0nGJUH6zomocuWPbNVE44QAfR1Ib2UZrl1Vk20hQWhAaAZajYrGIshaHKvm0K+DpgMu7qca0HNV1fKtcuMM5s2XXpUZS97pHBXjhdGigHQ+zPm4paajQqtffXUdiO7vui+kNW/p+gCON3dmYEMXv35Q/VpinVhahnNM7y3xKIHTl2O1jdUtwJLWeBTfiul2dt/143wIsasr0qW3lx4eSmg8oKK6CJsA6Ujbo5w5Oifso5MMxKJ7kQzcVNAHM2sWn9b2G8iVZ/o1158CMv1Sz5zhfintIwoTjbcOOrk3Njchcq8RVGRaE4A0hdPLFk+MNFw3CenZNe5aBY/1sOFoL4r6GGl5p+1Bvjm84OHDbXvSaA/tBVDvjw3LXLi5OTHlahcdMrxVhMxy4OY7A5EKfrN0KkoSYg3U8nw7fcgI9bUgp53H0mQafGHY+2I9b7k6o3v6kbYy8TyPrk06tBOISj3MwO9S4GT195i5sI9NMQwE2pOl1gzWXa4wBoLHu8zWWr1UHuQLbfH9ipbVehB2uwp7LU6xm5PIW43S9zcAOMM/p3cFLjSc/qBeSktvetzw9ucFeCOm9eTuq8fgImd+DzzwGkHy7mFJJQE/dvV4yAbNiGHDqlBMYuwxd3vdKCVcGCH3cBveusXILj53QL3FKAHFaoASKpgFCWD1BrBeLwhb3kdZqtTacS9EEqUxG1jzURcpA3vJVG62vKbcZ0GWuZvDlYh+EwEGcAEQWeP3impO1kn77TU3st+ZcUP7HINB+n4WRxCNvI67T6rfAtr/s7+8oGZLiD+1wtSip7to7rbHAj8ZiMDN1r5EGnelGfPpohRTrapIfwHu3mIHYceEdywqe2odY+MrUrMUuFgVaXgIN4xGMyiHhW3IKPVHT5ujJU/Qqark/9wiXAMBiDVHxHdJK/xeYq18hIYqXImdqMaK1nzZYa2rUnRWuFZnZELuiuvaYs6VumF8NJKhBamzjiQt4JdohQIzln8nqkA5Qf3pWGitmMDXp7FlbRQgPh84V/sBE+2aur1oLAPAa07oarOsjXity3eUhCjdwtgLIcCGph+8/srFy7BcYR6bu+qIEesaxBKw1HEGWkPctMk8bW8iYqgP3BmGru6SQqDPofISBxRJWhjrrrd3plmk9vBv8xcVehZ6nrCbvsgIku3kIqaBbbHTXCCoJeKm6aHkOkt+YCPEsroAONz3gYG4FwRKTeIh2ICqmqK0JjYj6jHVXUubOVwFTlEfrj4lr8hBNpIzAdIprzh5jCsSVjkBSrQqKcpNAB2oQReAZqxnnqCVfjc7LotagSvsPeuan5h3sx/RikqrK47EvpDk6QguoCOBO43yyBx9uGW8pmyvytR+6LzGQA2WS2o8mQyDxGsnfVO5iCY8e9XRWvoF4srjzFe1Zu/2ah7VaDpe8302PUV8oh6l1gFi9NAq7tkD3qAdvE8X7TEnN0bcXsDte80zjpY+pVdsvWpTU8ojl0YeHkuqeCijJ+iikJCbwwhYDE3DsiDvPH39O+twaTLjQ/9tAQiOOrVWrU3dXilqcBY41qsbCbtKquRv6wu6Wh4mSJnRDYqQUYDMLFMr5i0xqVK6nwx1sDecJ7iRCOI0gHsu2AquzK1KQ4dv3zkiXmRbeWgntKu8PnLhz4S4sj055DH/Lo5OxfKhkcZV2g3awThLzKGd8NTtR9oiqKuIOrLsqd0UzfWMIWP4BCeKcTi9FV359uhUO646/Fon65vbqu3Ej32ueA/4D10a2cFnk9aO3EFlihMS6XSENPbkXafrQsNleZJvd267RpprVDxQFGmASEU1sMcoPVY481OeDcQPb+xq4spUc0TpsU249yYXjrzclzx9pluwpQy6/pxH+eACybqHg3OixPxfKhoYwJ+nCdoQWRHA53thU4VcCnVbInESE9hs0OfxCuA4XkTFIxn93T8VrPiIAQZlTdd4mEW/8zlWPbwZMJAIuFgPpd3hRhch9mC19wpM/AxBoVKEy63kPRv7AHhBITXXLJJa6cLybxF/ioj3w81vFHzsMiBbSM/I9B2SINidvtI/NuWEx2/EdRL29ahKbmXkGLZ0eUUp0Vci1FFZkV+4gR6W5HQDHc34Upxgd0q8FEgmw3MT+QMaDSVZ4DNT207sHFQgcpfuXzjioA2DDG62qa7HXinm0brCIIq0qpmtavIMFS+ycqqUGO4fSA/LAQT6AvzV51gC84cU1pMgW5bjFq9MlNC+kGp4VGS34Dv1QxuUFepgQGMQgqpStNIB25QSVo8R59+8PmhZTT8jl0j5Vx7fhDJNnIsvN+0EcbITlB4CXjW5T5O+ju8uFELeavxm0imYYIdVnrT4MRZrIn8+yIxqZhLv5SF3ZtKZOb2Ij/R4CePWjrVoRU1Uzo04MZOYz3q9Fv+P2fnZVJB725tTehLUWy423ARQtFarB6REoaTY58z5ggoHrNW/Pb8JpS8kNsSS+PtSGP1NLcLtAlBXjt1TfyrLMBfatu13ww70yS/4CGok1GmLIhE5NVdM1xcUvhvNqnY6UpALcwrRr4jUTR9pH81Cb7i2YwduGbfvdn0I+BwauAhArlI3n8Z88lbqMJ3/OPHbDq9DvD9hGH1qZrj7WaX8Fd22u3F3cxAOusOv7to3pjhG4IZQYaV5WMc1WtOspowG7O5R2ZHxLJR2o05VJde9dGI79WJcLhIcm7rETGFm2iHc/X4PqsZKFHXqNWJDlYW+K2uwZXHO0m2XpF1pkHu8iCdEIofxfFT3LGPq6iUxCCXifj3pC+FPA/1F+fxAJp8TkE3ATrZu2hdAhZgmG1Q/2AQo4aZiaTc6oQhnXwheuIpF0XAzgtnMPRlHkEoxr+NdjSpPbSuEWDN3lAC4ZSa5hF03No+9nQmuPVl+k9hdch+rd+iIih/MB3MTqMm6E11wk/Nj09BJnhiudTo0htSo2rFOLhWz9GsHauxwONWTzpFsJzp3US8DtZXQQ+UDAASmAyJharVrfhY/vyD7JXeakAqWMcP5oFzAZwzmQS2lrg/DMT9fXvPNCUGPvwcGeYqm0403OItOQInysdh1pugwlERNBSbaP4EfA0KIH9SyjuOBz23rEKI1CZPrzRCUTRSDLJFvIuYzlsZ/+s0bhvvyuKonKU+28DQBUYdV1T9cTFRei0Y1LDPuicutzT4wCNKCg/8iqqH6jWHVHhy9U/So6AZBqvMZSvAwdn5vCUuc0KcB7VgA5OKE6Dmt5NF8daoRpzSNECWNEhiTHd6T+9Ktbriae66mfrO0QbFn92NJT4xunreRsmXnUQKb1Rsboswzy6bDHucgFHBY2GiP95ckw17MxTDLwi4nym/tR2XG7ml2iseTwByraFhX8DTPNMu5d8pgi0SfI4bwxwXdLW4kpFXaH3nbkgal5MkfkdWKH8ve+fXozQm9hkiFH3rYNYlXzgPm0pPZVZCh9+xIbnbKjVT9/22iNwu1XIzIDh2soo9/FX9yN+VwCZHwtOJ0qUSk6SP3ts1a6Q1v2K6etfDGzfbQXlT7TC2/imW+ifF60+k2KepaYeqRSG7tDtc+QATg7d7arNBYKB1pDaVId6jeO6oa72KZ1UH08ypGjH6lwFnqWRC2p+hXDTpq0yLg4c+0cHmIxtcSDDdlIFFkXkjp84OZ0ciZ4c8zFVMulFDzHndeOx72Dv+uf8MSq6w4Aqq9bO4v+7U62oI0sFo6IHzVUVVWVxo8KY44w60JP0iKDdy3LoKm2MA+bfIiaZYHEqkv3LDf17ng290aerGKemDPdO0fNTb8jHKklwbxs7q6YabZOuOwccB5losdXjhWzprCq2vYDSLiQHlPuCF5RNd86PvUhTbMhhDotU92TdwO5QxMqQjw3pdoEBTgq5gY7YMBpu/iMxMjmMaghI++R46CZ/a1od75kTtRF886Fl8IZHxOpVnTyJIfAM0cCQQaMiGG6SewMWpgJ7P8+0wsow9WIsfEZfzGST7AVA+Rqnsoz6i5XhUu0GtolftefpKwWoWzXGnClPx1B/jo7Ev6QpVw7a/5tMF8be5y7J2Yiz+Et49nAGrih9RCGIqgpofT2Ez6xm+XNBqB7ZKHTYorlHW1oHbBLn53+yv6TR7wf4kfMRGaRzzCigl2gyukaKVsHymkV2AwNHnraA6+AXIU=,iv:/+l13lQ/8tvLt+SHO03H8dBsUyoIDVhfas1v2n1RYPc=,tag:3Q91nWeZT8PQo/EWq8/6DQ==,type:str]
gitlab-runner-authentication-file: ENC[AES256_GCM,data:M0dn62YNywEs08eHM0EcLJJfldsqlxrdeyJJSzp7yS3EO1umQPoPrlNnrZpwjLH2EDyMP81M/S5kPoR70ckB0LYt4w2d7Iao+6/WCvIGrhhN5WPejvg=,iv:qopX16X0dfrzjQ1vMuxWIouV96dig70iDU6dX4Y4Lc0=,tag:ZVac+M3OyMtLbJWM/1CPMA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age12u7ayy2q5dps2pcpc6z7962pz07jxv3tt03hna6jyumlu4fdjvtqdg2n3e
enc: |
@ -20,8 +18,8 @@ sops:
V1h2NGxyNVc3WnF2ZFBpQm1oK1AzeGcK4GoD2E8nwOl/WKtgMgs0Y1Q8abRX4mpy
GdHGDQUWvySCisJo4JXsooYkLjOyKvir+vcVbX4nDd4L1W2OMULkrg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-05T16:20:30Z"
mac: ENC[AES256_GCM,data:eofNTFKPcT8oyhhjyEXtoLsNpaXZh+cinYARB6+cgNQiDSmrT4nO8V4VS6EWcL6RAqGLtd0UkEhHJN05JMrwyS3teCeC+/2opqJa0XN8OeYZSSUfDEW5ilN7Ms7UW1+2N/7FkJgvEkpAA08HCUoDdruRb0HPYG74RmTy2Q2Wz/Q=,iv:Nffwz6l1qBHvsMri3JhNY1xJqgcB/LGjZ6tDQeG8n50=,tag:/LDX2/MWvpaLwfJuqZ0zQQ==,type:str]
lastmodified: "2025-01-10T21:24:52Z"
mac: ENC[AES256_GCM,data:8zOgUn3QPUk6pZxaAVYN+yxIBRAihG9UpHEWSR37gQUT2hYG6ddHDBF56u0G0Hmpa2jUHUNw7hKe2YH7UVxc84Gmsv2oAQL6TPhgtwDBazViF0N9imt3+SEphx0t9Is58pzgFNp7uqy45GaoFtuQ1DIQOG090mHTLHZpnf1YL8o=,iv:EDNwgcGDqAZK4ZSQHxTjyLGhwKkK/TriyeL1FJ6J/Cs=,tag:5WZk+MnZb0kLrVrs601SiA==,type:str]
pgp:
- created_at: "2024-01-25T11:10:44Z"
enc: |-
@ -36,4 +34,4 @@ sops:
-----END PGP MESSAGE-----
fp: 5FA64909521A5C85992F26E0F819AEFF941BB849
unencrypted_suffix: _unencrypted
version: 3.10.1
version: 3.9.2

16
outputs.nix
View File

@ -2,6 +2,7 @@
self,
flake-utils,
nixpkgs,
deploy,
home-manager,
...
} @ inputs:
@ -11,6 +12,7 @@ in {
packages = import ./pkgs {inherit pkgs;};
devShell = pkgs.callPackage ./shell.nix {
# inherit (deploy.packages.${system}) deploy-rs;
inherit (home-manager.packages.${system}) home-manager;
};
@ -42,4 +44,18 @@ in {
imports = value._module.args.modules;
})
self.nixosConfigurations;
# deploy.nodes =
# builtins.mapAttrs (name: value: {
# hostname = value.config.remote.ip;
# profiles.system = {
# sshUser = value.config.remote.sshUser;
# sshOpts = ["-p" (builtins.toString value.config.remote.sshPort)];
# remoteBuild = value.config.remote.remoteBuild;
# path = deploy.lib.x86_64-linux.activate.nixos value;
# };
# })
# self.nixosConfigurations;
# checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy.lib;
}

2
renovate.json
View File

@ -5,7 +5,7 @@
"lockFileMaintenance": {
"enabled": true,
"schedule": [
"0 10 * * 0"
"at any time"
]
},
"automerge": true

4
shell.nix
View File

@ -2,6 +2,8 @@
mkShell,
sops,
colmena,
# deploy-rs,
nixpkgs-fmt,
nil,
alejandra,
home-manager,
@ -10,6 +12,8 @@ mkShell {
nativeBuildInputs = [
sops
colmena
# deploy-rs
nixpkgs-fmt
nil
alejandra
home-manager