From e8aece3f478aec69d07558ade9eb6f1fb833187e Mon Sep 17 00:00:00 2001 From: uttarayan21 Date: Tue, 30 Dec 2025 04:32:13 +0530 Subject: [PATCH] feat(nixos): update flake.lock and configure services for ryu and tako feat(home): adjust vicinae and eilmeldung configurations feat(neovim): enable folding in neovim configuration fix(nixos): disable resolved dns and remove fallback dns on tako chore(nixos): add pihole and resolved services to tsuba chore(home): remove unused packages from programs chore(nixos): add gamescope-wsi and vulkan-tools to steam configuration chore(nixos): update navidrome service with sops integration and systemd tmpfiles chore(darwin): use dynamic user in shiro configuration chore(secrets): add lastfm and pihole secrets to secrets.yaml --- darwin/shiro/configuration.nix | 2 +- flake.lock | 157 +++++++++++++++--------------- home/apps/vicinae.nix | 5 +- home/programs/default.nix | 7 -- home/programs/eilmeldung.nix | 8 +- neovim/default.nix | 2 +- nixos/ryu/configuration.nix | 2 +- nixos/ryu/programs/steam.nix | 5 + nixos/ryu/services/resolved.nix | 4 +- nixos/tako/services/homepage.nix | 14 +-- nixos/tako/services/navidrome.nix | 39 +++++++- nixos/tsuba/services/default.nix | 2 + nixos/tsuba/services/pihole.nix | 70 +++++++++++++ nixos/tsuba/services/resolved.nix | 14 +-- secrets/secrets.yaml | 9 +- 15 files changed, 229 insertions(+), 111 deletions(-) create mode 100644 nixos/tsuba/services/pihole.nix diff --git a/darwin/shiro/configuration.nix b/darwin/shiro/configuration.nix index 11b23517..3256454b 100644 --- a/darwin/shiro/configuration.nix +++ b/darwin/shiro/configuration.nix @@ -35,7 +35,7 @@ distributedBuilds = true; }; - users.users.servius = { + users.users.${device.user} = { # isNormalUser = true; openssh.authorizedKeys.keyFiles = [ ../../secrets/id_ed25519.pub diff --git a/flake.lock b/flake.lock index d18ea475..cab3ef8e 100644 --- a/flake.lock +++ b/flake.lock 
@@ -494,11 +494,11 @@ }, "crane_4": { "locked": { - "lastModified": 1766194365, - "narHash": "sha256-4AFsUZ0kl6MXSm4BaQgItD0VGlEKR3iq7gIaL7TjBvc=", + "lastModified": 1766774972, + "narHash": "sha256-8qxEFpj4dVmIuPn9j9z6NTbU+hrcGjBOvaxTzre5HmM=", "owner": "ipetkov", "repo": "crane", - "rev": "7d8ec2c71771937ab99790b45e6d9b93d15d9379", + "rev": "01bc1d404a51a0a07e9d8759cd50a7903e218c82", "type": "github" }, "original": { @@ -777,11 +777,11 @@ ] }, "locked": { - "lastModified": 1766847905, - "narHash": "sha256-zlqhCO6IBAaNtrs+p6E0eOFKYRjPS3OiEIpcv6Ka+fA=", + "lastModified": 1767041062, + "narHash": "sha256-YYtxrnIxljusx/4AP5KDgTD/t/vbSlngrhV68wFj2oM=", "owner": "christo-auer", "repo": "eilmeldung", - "rev": "97d432b29d7c4409b94e9fbb9268336c2877a9ff", + "rev": "62710ae3aeb8165371a4ea5acf95f33abda444a9", "type": "github" }, "original": { @@ -1034,7 +1034,7 @@ "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", "revCount": 69, "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz?rev=ff81ac966bb2cae68946d5ed5fc4994f96d0ffec&revCount=69" + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz" }, "original": { "type": "tarball", @@ -1656,11 +1656,11 @@ "zon2nix": "zon2nix" }, "locked": { - "lastModified": 1766784567, - "narHash": "sha256-fpRgcNFEGRidNTDk3CVsvKxWIgB9Ph5EM+q5DGe6CI8=", + "lastModified": 1767039136, + "narHash": "sha256-unPtIKK1yfb2S2k3rbyvd2K5eX9DAjyPbZKdKy5oTZ8=", "owner": "ghostty-org", "repo": "ghostty", - "rev": "c00d7fc5c4dc28bfa14935a84c70591d7103c284", + "rev": "b9ad1f05ef1e070d230019201248362ebb5ed91b", "type": "github" }, "original": { 
@@ -1874,11 +1874,11 @@ ] }, "locked": { - "lastModified": 1766682973, - "narHash": "sha256-GKO35onS711ThCxwWcfuvbIBKXwriahGqs+WZuJ3v9E=", + "lastModified": 1767045600, + "narHash": "sha256-OAnTZWHhE7J2g9SfIzmLmxYeZHg6Kvs6TnNnFjT8/Y0=", "owner": "nix-community", "repo": "home-manager", - "rev": "91cdb0e2d574c64fae80d221f4bf09d5592e9ec2", + "rev": "64f4dadb80d0dd4d6d8879d8651143f3949423af", "type": "github" }, "original": { @@ -2014,11 +2014,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1766835825, - "narHash": "sha256-ecv/KG2vtAiQY2awx6dr+Fe6BCfmjpVa7QwJQifvbf4=", + "lastModified": 1767021696, + "narHash": "sha256-q365S7ePBQStSDPEzssCU14TzRqdKzEdh0+0rR2KDnU=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "42447a50d6840c5e28bd58db1225bae2fd7d5ed0", + "rev": "ea444c35bb23b6e34505ab6753e069de7801cc25", "type": "github" }, "original": { @@ -2392,11 +2392,11 @@ ] }, "locked": { - "lastModified": 1766820436, - "narHash": "sha256-nlh3dAI+pU5ez5ZMeNFWnCOLKQJZVic7lY3wGhIMmHI=", + "lastModified": 1767014307, + "narHash": "sha256-JeHZoSYzss2S/YUrB9uMf7y67bQ5qgXyvsGDm5uBpXg=", "owner": "ikawrakow", "repo": "ik_llama.cpp", - "rev": "fc3be34ead0198029de1839394320fcede933906", + "rev": "5a206e3cef36b3a99daec71a66ee7c0a78a27baf", "type": "github" }, "original": { @@ -2415,11 +2415,11 @@ ] }, "locked": { - "lastModified": 1766755594, - "narHash": "sha256-tdBw+Z1czCHOIHhb0XM+CpEE2fruCzDUl7eX8sN8C14=", + "lastModified": 1767018623, + "narHash": "sha256-AZe3f+SH8uc1WOKTCi51hwtbaDaGWXjIivoaHuPjqB8=", "owner": "JakeStanger", "repo": "ironbar", - "rev": "25d6e95578085ef1422bf65427740fdedca37356", + "rev": "cce35665c40a93ae4fafa4b5f1f0325810205593", "type": "github" }, "original": { 
@@ -2438,11 +2438,11 @@ "rust-overlay": "rust-overlay_6" }, "locked": { - "lastModified": 1766582277, - "narHash": "sha256-mUZRMKId7Uycwnt31RytPwhmY/8UTbk92ckZWHoS0Eg=", + "lastModified": 1767013031, + "narHash": "sha256-p8ANXBakAtfX/aEhLbU6w0tuQe3nrBvLdHbKirJP7ug=", "owner": "nix-community", "repo": "lanzaboote", - "rev": "4c78502846c1ef668eedbd4f55d818ebac5388ac", + "rev": "c2a82339373daee8cbbcad5f51f22ae6b71069e0", "type": "github" }, "original": { @@ -2613,11 +2613,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1766717208, - "narHash": "sha256-iuWKRjSW50pxqpW3JJp13KRYNUe94ShCo9taNjBHWWk=", + "lastModified": 1766976975, + "narHash": "sha256-kS1zZw42JnbAx+ZJEhQqCbp7diRoDSji4aUfyhtbiB0=", "owner": "numtide", "repo": "nix-auth", - "rev": "eacb72b7ab43c311251ce22022a7874e8e99bff8", + "rev": "c7b37c1a0e03f5d6700217a4fca8bbdbf817734b", "type": "github" }, "original": { @@ -2633,11 +2633,11 @@ ] }, "locked": { - "lastModified": 1766784396, - "narHash": "sha256-rIlgatT0JtwxsEpzq+UrrIJCRfVAXgbYPzose1DmAcM=", + "lastModified": 1767028240, + "narHash": "sha256-0/fLUqwJ4Z774muguUyn5t8AQ6wyxlNbHexpje+5hRo=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "f0c8e1f6feb562b5db09cee9fb566a2f989e6b55", + "rev": "c31afa6e76da9bbc7c9295e39c7de9fca1071ea1", "type": "github" }, "original": { @@ -2776,11 +2776,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1766801229, - "narHash": "sha256-8XPf3xnbbdjebe+2fqkNgvL2rBuoRWjv9+BGfQMN1sQ=", + "lastModified": 1766975172, + "narHash": "sha256-cxBO7AN4kZJu2zwgX23fKYKLsxgzft36y8ShSQiSRkk=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "62ff64bbe571c427981a942a884a1e6f32912f30", + "rev": "a0f29488bed0b2cd7f2111b41f56145cef7cc148", "type": "github" }, "original": { 
@@ -2939,11 +2939,11 @@ }, "nixpkgs-master": { "locked": { - "lastModified": 1766847971, - "narHash": "sha256-A3EpW8cAdvTzU/k1XiXHgIyKefk8wPwlnWEbUbq1CC4=", + "lastModified": 1767048408, + "narHash": "sha256-4BljnBz1sHgdvuf+YcYROVFuB5nAdRnki6vy+dgO7f0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "42b253418694062c49efa7c1e6910b486fc4f94e", + "rev": "7267b84c21dbf72ab05356b75d64c1899aca6cd4", "type": "github" }, "original": { @@ -2981,11 +2981,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1766538331, - "narHash": "sha256-biwvZsCGC4vCXS6rzs3tUkELqqEXPko0E3R9IhYKavE=", + "lastModified": 1767009828, + "narHash": "sha256-Io/kwhM4ImImCPXcD2QML70lsCFj45xGDiInR7t61X4=", "owner": "nix-community", "repo": "nixpkgs-xr", - "rev": "9e8efcd2c4ea906772dea99204a9819284a29b81", + "rev": "e7a3f91bcfac7ebf7a625201b64aab195006adb6", "type": "github" }, "original": { @@ -3028,11 +3028,11 @@ }, "nixpkgs_12": { "locked": { - "lastModified": 1766651565, - "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=", + "lastModified": 1766902085, + "narHash": "sha256-coBu0ONtFzlwwVBzmjacUQwj3G+lybcZ1oeNSQkgC0M=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539", + "rev": "c0b0e0fddf73fd517c3471e546c0df87a42d53f4", "type": "github" }, "original": { @@ -3153,11 +3153,11 @@ }, "nixpkgs_8": { "locked": { - "lastModified": 1766651565, - "narHash": "sha256-QEhk0eXgyIqTpJ/ehZKg9IKS7EtlWxF3N7DXy42zPfU=", + "lastModified": 1766902085, + "narHash": "sha256-coBu0ONtFzlwwVBzmjacUQwj3G+lybcZ1oeNSQkgC0M=", "owner": "nixos", "repo": "nixpkgs", - "rev": "3e2499d5539c16d0d173ba53552a4ff8547f4539", + "rev": "c0b0e0fddf73fd517c3471e546c0df87a42d53f4", "type": "github" }, "original": { 
@@ -3169,11 +3169,11 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1766471942, - "narHash": "sha256-Wv+xrUNXgtxAXAMZE3EDzzeRgN1MEw+PnKr8zDozeLU=", + "lastModified": 1766840161, + "narHash": "sha256-Ss/LHpJJsng8vz1Pe33RSGIWUOcqM1fjrehjUkdrWio=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "cfc52a405c6e85462364651a8f11e28ae8065c91", + "rev": "3edc4a30ed3903fdf6f90c837f961fa6b49582d1", "type": "github" }, "original": { @@ -3190,11 +3190,11 @@ "systems": "systems_19" }, "locked": { - "lastModified": 1766789373, - "narHash": "sha256-tG1iqWV4jxdn9sQPfp2aLTUBi0JS736drwoxeipqlqQ=", + "lastModified": 1767002962, + "narHash": "sha256-HGFRwMRUwt56E+SiVX9YQOzpOwHy0/rtEqMoEbkF8Yg=", "owner": "nix-community", "repo": "nixvim", - "rev": "2a3eece6afe262d690b608dc43547ec3a33abee9", + "rev": "63c957603751f0a107c4d9c2cbaff1c8749fc9f1", "type": "github" }, "original": { @@ -3215,11 +3215,11 @@ "norg-meta": "norg-meta" }, "locked": { - "lastModified": 1766766183, - "narHash": "sha256-Mh+LMsKIzq2ycXlDiUxcfT5ZoEKJyxpkeiBoxXMebAU=", + "lastModified": 1767039769, + "narHash": "sha256-5Yj9GtPuThRx/B+ANrgaJvyrhw2sbJ9y40OUqZEe9mc=", "owner": "nvim-neorg", "repo": "nixpkgs-neorg-overlay", - "rev": "5005684c432e5331c8f0e7121c85f97e4718a688", + "rev": "3a201a3e1e424fb6cf7e7a48bd5754b44fa49428", "type": "github" }, "original": { @@ -3275,11 +3275,11 @@ "nixpkgs": "nixpkgs_12" }, "locked": { - "lastModified": 1766846886, - "narHash": "sha256-ze8vZb04OkaRfTBzqSVlw5ypBxvq6TOXmrZOk4jObmI=", + "lastModified": 1767047953, + "narHash": "sha256-jarajO4YJV+AZGW+t4Xx32sCqESVSwsbBS+dDqQ1Bgo=", "owner": "nix-community", "repo": "nur", - "rev": "019accb238eabd9b1aea2ee60fa4638e3c1ffb17", + "rev": "2168e7e84bac48f8fa60d4b991899fffb5615ee3", "type": "github" }, "original": { 
@@ -3355,16 +3355,17 @@ ] }, "locked": { - "lastModified": 1765698311, - "narHash": "sha256-78sPqekEDJiol2YD3Hx2zHu5E4AtrbNrUKi0032HMHo=", - "owner": "berberman", + "lastModified": 1766178214, + "narHash": "sha256-tKDXreDwrRkdjvfot5fr1++ed6oOq3+/hW/Dj8WfTgs=", + "owner": "Red-M", "repo": "nvfetcher", - "rev": "dbae9626c46b93d9fd6b85c8b292939ae569c4fc", + "rev": "a84b3ce67f1d7acd85b3aa2b9967ab91ed6e7a71", "type": "github" }, "original": { - "owner": "berberman", + "owner": "Red-M", "repo": "nvfetcher", + "rev": "a84b3ce67f1d7acd85b3aa2b9967ab91ed6e7a71", "type": "github" } }, @@ -3719,11 +3720,11 @@ ] }, "locked": { - "lastModified": 1766285238, - "narHash": "sha256-DqVXFZ4ToiFHgnxebMWVL70W+U+JOxpmfD37eWD/Qc8=", + "lastModified": 1766976750, + "narHash": "sha256-w+o3AIBI56tzfMJRqRXg9tSXnpQRN5hAT15o2t9rxYw=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "c4249d0c370d573d95e33b472014eae4f2507c2f", + "rev": "9fe44e7f05b734a64a01f92fc51ad064fb0a884f", "type": "github" }, "original": { @@ -3766,11 +3767,11 @@ ] }, "locked": { - "lastModified": 1766803264, - "narHash": "sha256-eGK6He8BR6L7N73kyyjz/vGxZX1Usnr8Gwfs3D18KgE=", + "lastModified": 1766976750, + "narHash": "sha256-w+o3AIBI56tzfMJRqRXg9tSXnpQRN5hAT15o2t9rxYw=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "6b5c52313aaf3f3e1a0a6757bb89846edfb5195c", + "rev": "9fe44e7f05b734a64a01f92fc51ad064fb0a884f", "type": "github" }, "original": { @@ -3807,11 +3808,11 @@ ] }, "locked": { - "lastModified": 1766289575, - "narHash": "sha256-BOKCwOQQIP4p9z8DasT5r+qjri3x7sPCOq+FTjY8Z+o=", + "lastModified": 1766894905, + "narHash": "sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ=", "owner": "Mic92", "repo": "sops-nix", - "rev": "9836912e37aef546029e48c8749834735a6b9dad", + "rev": "61b39c7b657081c2adc91b75dd3ad8a91d6f07a7", "type": "github" }, "original": { 
@@ -4662,11 +4663,11 @@ "systems": "systems_25" }, "locked": { - "lastModified": 1766796267, - "narHash": "sha256-X0BnS+bb7pj8LwIaTkJeU9CZ8Nqh4sNjyN5JQXggOvc=", + "lastModified": 1766947253, + "narHash": "sha256-bzdD637oY/d23QH7CKbyndBmmTBIM19HsnPtj49xCM0=", "owner": "vicinaehq", "repo": "vicinae", - "rev": "b6229556c2cbabda6ce9c63863b11265b2dba134", + "rev": "68faea42c62862614e071cee329486d907b3641a", "type": "github" }, "original": { @@ -4777,11 +4778,11 @@ ] }, "locked": { - "lastModified": 1766697593, - "narHash": "sha256-mGZBEN67mxeOsBhplBRLm6L+y++8jU46EEUYgemG1aQ=", + "lastModified": 1766897152, + "narHash": "sha256-mD1GDg1eIHYUwk536j4uJX1IfQArsLQm2SL7rTQwAPI=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "98d8f48ba80a4b6e3b56addad850d57132301075", + "rev": "fe8d1a61a904b336f453d7ab5ae7d691a21c5cbf", "type": "github" }, "original": { diff --git a/home/apps/vicinae.nix b/home/apps/vicinae.nix index 86304e2e..8a3ed285 100644 --- a/home/apps/vicinae.nix +++ b/home/apps/vicinae.nix @@ -7,7 +7,10 @@ imports = [inputs.vicinae.homeManagerModules.default]; services.vicinae = { enable = device.is "ryu"; - systemd.autoStart = true; + systemd = { + enable = true; + autoStart = true; + }; extensions = []; # package = pkgs.vicinae.overrideAttrs (old: { # patches = [../../patches/vicinae-ctrl-np.patch]; diff --git a/home/programs/default.nix b/home/programs/default.nix index 22827377..d116a925 100644 --- a/home/programs/default.nix +++ b/home/programs/default.nix @@ -60,10 +60,8 @@ home.packages = with pkgs; [ _1password-cli - asciidoctor alejandra aria2 - ast-grep bottom btop cachix @@ -73,19 +71,14 @@ file fzf gnupg - gpg-tui jq just macchina - nb p7zip - pandoc pfetch-rs pkg-config ripgrep sd - tldr - # vcpkg-tool ] ++ lib.optionals (!device.isServer) [ monaspace diff --git a/home/programs/eilmeldung.nix b/home/programs/eilmeldung.nix index 6df3e1b3..34268017 100644 --- a/home/programs/eilmeldung.nix +++ b/home/programs/eilmeldung.nix 
@@ -1,9 +1,13 @@ -{inputs, ...}: { +{ + inputs, + device, + ... +}: { imports = [ inputs.eilmeldung.homeManager.default ]; programs.eilmeldung = { - enable = true; + enable = device.is "ryu"; settings = { refresh_fps = 60; diff --git a/neovim/default.nix b/neovim/default.nix index 158820a6..e1a9b339 100644 --- a/neovim/default.nix +++ b/neovim/default.nix @@ -362,7 +362,7 @@ in { additional_vim_regex_highlighting = true; }; }; - folding = true; + folding.enable = true; grammarPackages = (with pkgs.tree-sitter-grammars; [ tree-sitter-norg diff --git a/nixos/ryu/configuration.nix b/nixos/ryu/configuration.nix index cd81875e..fdcab517 100644 --- a/nixos/ryu/configuration.nix +++ b/nixos/ryu/configuration.nix @@ -176,7 +176,7 @@ }; hostName = "ryu"; # Define your hostname. # nameservers = ["1.1.1.1" "8.8.8.8"]; - nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; + # nameservers = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; # Configure network proxy if necessary # proxy.default = "http://user:password@proxy:port/"; diff --git a/nixos/ryu/programs/steam.nix b/nixos/ryu/programs/steam.nix index 7b39ab00..4cbaceca 100644 --- a/nixos/ryu/programs/steam.nix +++ b/nixos/ryu/programs/steam.nix @@ -8,7 +8,9 @@ extraCompatPackages = [ pkgs.proton-ge-bin pkgs.gamescope + pkgs.gamescope-wsi pkgs.mangohud + pkgs.vulkan-tools ]; }; programs.gamescope = { @@ -17,5 +19,8 @@ }; environment.systemPackages = [ pkgs.protonup-qt + pkgs.vulkan-tools + pkgs.gamescope + pkgs.gamescope-wsi ]; } diff --git a/nixos/ryu/services/resolved.nix b/nixos/ryu/services/resolved.nix index e5a1ef14..69850d9f 100644 --- a/nixos/ryu/services/resolved.nix +++ b/nixos/ryu/services/resolved.nix @@ -1,9 +1,11 @@ {...}: { + # Disable all the dns stuff in favour of tailscale's DNS services.resolved = { enable = true; dnssec = "true"; dnsovertls = "true"; domains = ["lemur-newton.ts.net"]; - fallbackDns = ["1.1.1.1"]; + fallbackDns = []; }; + networking.nameservers = []; } 
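Review bot: The comment added at the top of nixos/ryu/services/resolved.nix says the DNS setup is disabled in favour of Tailscale, but the block still has `enable = true` with `dnssec = "true"` and `dnsovertls = "true"`, now combined with `fallbackDns = []` and `networking.nameservers = []`. With no global or fallback servers, every lookup depends on the per-link DNS supplied by DHCP or Tailscale, and strict DNS-over-TLS and DNSSEC will fail closed if that upstream does not support them, which is worth confirming for the Tailscale resolver. I would reword the comment to match the configuration, e.g. `# No global/fallback DNS: rely on per-link DNS (Tailscale); DoT and DNSSEC stay strict`. If the upstream cannot do TLS, relax it explicitly with `dnsovertls = "opportunistic";` rather than leaving it to break at runtime.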
diff --git a/nixos/tako/services/homepage.nix b/nixos/tako/services/homepage.nix index de136fc9..2a42d68a 100644 --- a/nixos/tako/services/homepage.nix +++ b/nixos/tako/services/homepage.nix @@ -86,13 +86,6 @@ href = "https://cloud.darksailor.dev"; }; } - # { - # "Open WebUI" = { - # icon = "open-webui.png"; - # description = "Open WebUI for self hosted llms"; - # href = "https://llama.darksailor.dev"; - # }; - # } { "Immich" = { icon = "immich.png"; @@ -107,6 +100,13 @@ href = "https://draw.darksailor.dev"; }; } + { + "Navidrome" = { + icon = "navidrome.png"; + description = "A self-hosted music server and streamer."; + href = "https://music.darksailor.dev"; + }; + } ]; } ]; diff --git a/nixos/tako/services/navidrome.nix b/nixos/tako/services/navidrome.nix index 9447ccd3..66ab933b 100644 --- a/nixos/tako/services/navidrome.nix +++ b/nixos/tako/services/navidrome.nix @@ -1,4 +1,18 @@ -{...}: { +{ + device, + config, + ... +}: let + socket = "/run/navidrome/navidrome.sock"; +in { + sops = { + secrets."lastfm/api_key" = {}; + secrets."lastfm/shared_secret" = {}; + templates."lastfm.env".content = '' + ND_LASTFM_APIKEY=${config.sops.placeholder."lastfm/api_key"} + ND_LASTFM_SECRET=${config.sops.placeholder."lastfm/shared_secret"} + ''; + }; services = { navidrome = { enable = true; @@ -6,14 +20,15 @@ MusicFolder = "/media/music"; ReverseProxyUserHeader = "Remote-User"; ReverseProxyWhitelist = "@"; - Address = "/var/run/navidrome/navidrome.sock"; + Address = "unix:${socket}"; + BaseUrl = "https://music.darksailor.dev"; }; + environmentFile = config.sops.templates."lastfm.env".path; }; caddy = { virtualHosts."music.darksailor.dev".extraConfig = '' import auth - # reverse_proxy localhost:4533 - reverse_proxy unix//var/run/navidrome/navidrome.sock + reverse_proxy unix/${socket} ''; }; authelia = { 
@@ -38,4 +53,20 @@ }; }; }; + systemd.services.navidrome.requires = ["systemd-tmpfiles-setup.service"]; + systemd.tmpfiles.settings = { + navidromeDirs = { + "/run/navidrome".d = { + mode = "775"; + user = "navidrome"; + group = "navidrome"; + }; + }; + }; + users.users.${device.user} = { + extraGroups = ["navidrome"]; + }; + users.users.caddy = { + extraGroups = ["navidrome"]; + }; } diff --git a/nixos/tsuba/services/default.nix b/nixos/tsuba/services/default.nix index a130a6f6..fafe5021 100644 --- a/nixos/tsuba/services/default.nix +++ b/nixos/tsuba/services/default.nix @@ -10,5 +10,7 @@ ./flaresolverr.nix ./caddy.nix ./monitoring.nix + ./pihole.nix + ./resolved.nix ]; } diff --git a/nixos/tsuba/services/pihole.nix b/nixos/tsuba/services/pihole.nix new file mode 100644 index 00000000..b9aac98a --- /dev/null +++ b/nixos/tsuba/services/pihole.nix 
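Review bot: Adding `${device.user}` to the `navidrome` group, together with `mode = "775"` on `/run/navidrome`, widens access to the socket that the second navidrome.nix hunk serves with `ReverseProxyWhitelist = "@"` and `ReverseProxyUserHeader = "Remote-User"`. With that whitelist Navidrome accepts the `Remote-User` header from any peer on the unix socket, so the directory and socket permissions are what keeps the identity asserted by Authelia trustworthy. Only caddy needs to reach the socket; I would drop the `users.users.${device.user}` block and tighten the directory to `mode = "0750";`. The socket's own mode is not set in this commit, so confirm what Navidrome creates it with. Separately, `requires` on `systemd-tmpfiles-setup.service` gives no ordering by itself; add `after = ["systemd-tmpfiles-setup.service"];` if the intent is that the directory exists before Navidrome starts.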
@@ -0,0 +1,70 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ sops = {
+ secrets."pihole/password" = {};
+ templates."pihole.env".content = ''
+ FTLCONF_webserver_api_password=${config.sops.placeholder."pihole/password"}
+ '';
+ };
+ virtualisation.oci-containers = {
+ containers = {
+ pihole = {
+ image = "pihole/pihole:latest";
+ ports = [
+ "53:53/tcp"
+ "53:53/udp"
+ "127.0.0.1:8053:80/tcp"
+ ];
+ privileged = true;
+ environment = {
+ TZ = config.time.timeZone;
+ FTLCONF_dns_listeningMode = "ALL";
+ };
+ environmentFiles = [
+ config.sops.templates."pihole.env".path
+ ];
+ volumes = [
+ "/etc/pihole:/etc/pihole"
+ ];
+ capabilities = {
+ "NET_ADMIN" = true;
+ "SYS_TIME" = true;
+ "SYS_NICE" = true;
+ };
+ };
+ };
+ };
+
+ services.caddy = {
+ virtualHosts."pihole.darksailor.dev".extraConfig = ''
+ import cloudflare
+ redir / /admin permanent
+ reverse_proxy localhost:8053
+ '';
+ };
+
+ # Systemd service to pull latest Home Assistant image
+ systemd.services.pihole-image-update = {
+ description = "Pull latest Pi Hole Docker image";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.docker}/bin/docker pull pihole/pihole:latest";
+ ExecStartPost = "${pkgs.systemd}/bin/systemctl restart docker-pihole.service";
+ };
+ };
+
+ # Systemd timer to run the update service every 5 days
+ systemd.timers.pihole-image-update = {
+ description = "Timer for Pi-Hole image updates";
+ wantedBy = ["timers.target"];
+ timerConfig = {
+ OnCalendar = "Mon *-*-* 02:00:00";
+ OnUnitInactiveSec = "5d";
+ Persistent = true;
+ RandomizedDelaySec = "1h";
+ };
+ };
+}
diff --git a/nixos/tsuba/services/resolved.nix b/nixos/tsuba/services/resolved.nix
index f5bf04cc..ec66fa41 100644
--- a/nixos/tsuba/services/resolved.nix
+++ b/nixos/tsuba/services/resolved.nix
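Review bot: `privileged = true` on the pihole container makes the `capabilities` set below it moot and gives a DNS service published on `53:53/tcp` and `53:53/udp` with `FTLCONF_dns_listeningMode = "ALL"` full access to host devices and every capability. Remove that line and keep only the capabilities listed, or fewer if the container does not need them. The image is `pihole/pihole:latest` and the timer re-pulls and restarts it unattended, so whatever is published under that tag runs with those privileges; pin it, e.g. `image = "pihole/pihole@sha256:<digest-placeholder>";`, and bump the digest through review. The update unit hard-codes `${pkgs.docker}` and `docker-pihole.service`, which only matches if `virtualisation.oci-containers.backend` is docker (not visible in this commit); deriving both from that option would keep the unit aligned with the runtime that actually runs the container. The comments also need correcting: the service comment should read `# Systemd service to pull the latest Pi-hole image` rather than "Home Assistant", and the timer comment says every 5 days while `OnCalendar` fires weekly.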
@@ -1,9 +1,11 @@ -{...}: { +{lib, ...}: { services.resolved = { - enable = true; - dnssec = "true"; - domains = ["~." "lemur-newton.ts.net"]; - fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; - dnsovertls = "true"; + enable = false; + # dnssec = "true"; + # domains = ["~." "lemur-newton.ts.net"]; + # fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"]; + fallbackDns = []; + # dnsovertls = "true"; }; + networking.nameservers = []; } diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 0295d0a8..5b0f17cc 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -73,6 +73,11 @@ grafana: secretKey: ENC[AES256_GCM,data:LD0x8Fa6SU1+6mwxLkKa/o+ZqeuRIr7o/AKS7EmrDYj0vzrA3/FjViVJNfkOJDch9TbVyjIpk2ZLwxHXOZx7MA==,iv:t6UwZj2JZpMIDsDDeJ4rZah4aBoMIKaoiu9VU2VhViE=,tag:MIz/b8JWYtOpUCcg6gYhJg==,type:str] discord: token: ENC[AES256_GCM,data:M6TayHpIa0J1w3zVRKPPU0P/f18UXOpxzU7fjKNCx8YxzSAaQfY52S5XpiqDgjPWfWdSxzG2VVDqu1708Vwofa8IRKwWafam,iv:x0ySoaS68aLRVUcQin096RoeQGRELvNwdFJxezPj/cA=,tag:Omv5uL97y7ZTI8juVJFNug==,type:str] +lastfm: + shared_secret: ENC[AES256_GCM,data:F5jKgUXcssteGYukS3eCJkBsSN1qHZzrH2pvZCFC2ac=,iv:c1YiTd26sxSv3PO2dtKgC1Zvk3W1x4U1C1+x3PG79IM=,tag:boeLy29lukY5pp+sij8cgA==,type:str] + api_key: ENC[AES256_GCM,data:5sFOaTAeiinetn8NfUBOFTcfuZmnnRNDTbuxVzAT4MU=,iv:RUmZ0PQpON3wkwj6GrSo7FHADM2pr4bavHT1omgR+Xw=,tag:ST7v4R8Scp+9ikYkiZ8Vtw==,type:str] +pihole: + password: ENC[AES256_GCM,data:xOpsEFN6zbgPwYnSudmFqlYOghY=,iv:isO0RtKgi8G8noumyhIfLLfmH9w5ybt9NVxh7bRVykM=,tag:17UcPypyqquJDTFZAc5iyA==,type:str] sops: age: - recipient: age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk 
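Review bot: `lib` is added to the argument set in nixos/tsuba/services/resolved.nix but nothing in the hunk uses it, and the block now combines `enable = false` with a live `fallbackDns = []` and four commented-out options that should have no effect while the service is off. The hunk appears to cover the whole file, which would read more clearly as `{...}: { services.resolved.enable = false; networking.nameservers = []; }` with a one-line comment such as `# resolved is off so the Pi-hole container can bind port 53`, if that is the reason. Turning resolved off also drops the DNSSEC and DNS-over-TLS enforcement the old configuration had on this host. If Pi-hole is meant to take over, its upstream resolvers are not set anywhere in this commit and should be reviewed for the same guarantees.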
@@ -84,7 +89,7 @@ sops: VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-27T16:07:40Z" - mac: ENC[AES256_GCM,data:uoEAPUETfHQHnuvP1Mv4OqLUmWqMZxEr4VAElMwaOoYmkMR2blr6htMY5A3y1Qzc1CDv9o5p7cUUNdkYU1VoCj/bGwKgASYjZKM7gZDmrivyl0/XXcdA56pmgPfmO5PCkml1SJwQwwty4uwGNruKfUDrhMH5fIfS4KbS/GmnFeQ=,iv:IIQNHJOoMY9WrWEw2blenTv7RDGRVN8dXxYwMDyZPg8=,tag:vTP8Zv3TOoacVs8JqgMi3A==,type:str] + lastmodified: "2025-12-29T22:55:29Z" + mac: ENC[AES256_GCM,data:eEYsNcqFKFRS2wb5dht6AI86d7IWJGKGBdKVF4hk87ieVpZ6UaflgPbjAUYHMNFB7PCvhx3gjIPscb2oNZ/sYx8aTx9zFeexosQ8C8OqCWxGEEn3OxVGEqVNvIEQ7HvTg/2Dj5644IAIKD5bltAMPtfdfBzUm7KrA+nc8BMuPVk=,iv:i1EufRekIBASVf+EAphtJsHDnlwKLVSZKeC4RE0w2ac=,tag:efFizvzVBEXvE5ly25rsvA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0