servius/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: servius:ddb034558732a8f4f51b9482a2fd3bcb18e51ce1
Branches Tags
servius:master servius:matrix-rtc
...
compare: servius:matrix-rtc
Branches Tags
servius:master servius:matrix-rtc

69 Commits
ddb0345587 ... matrix-rtc

Author SHA1 Message Date
servius
1ac96316ea feat: re-enable affine service
All checks were successful
Flake checker / Build Nix targets (pull_request) Successful in 9m32s
Details
2026-02-23 17:05:03 +05:30
servius
8d636ce194 refactor(matrix): simplify LiveKit configuration to use services.livekit and services.lk-jwt-service 2026-02-23 16:32:14 +05:30
servius
bbeed99f43 refactor(affine): use Docker network option instead of --network flag 2026-02-23 16:05:09 +05:30
servius
7e6ece1b0d feat(matrix): add LiveKit support with firewall and systemd services 2026-02-23 15:49:50 +05:30
servius
60952a0e7f feat(programs): add yq package to home programs 2026-02-23 14:43:49 +05:30
servius
738013df66 refactor: update mbsync settings for Fastmail and Neomutt 2026-02-22 15:32:38 +05:30
servius
34160d0de4 feat: Updated notifications
All checks were successful
Flake checker / Build Nix targets (push) Successful in 9m27s
Details
2026-02-22 15:16:10 +05:30
servius
02b8a16f41 feat(cargo): add pkgs metadata alias
All checks were successful
Flake checker / Build Nix targets (push) Successful in 9m33s
Details
2026-02-20 03:42:46 +05:30
servius
684f6fdea5 fix(apps): make playerctl conditional to ryu device only 2026-02-20 03:42:44 +05:30
servius
7ef1785a0f feat: Added caldav 2026-02-20 03:08:24 +05:30
servius
49c0c607d8 feat: Added stuff 2026-02-20 02:01:24 +05:30
servius
ab52b423ee feat: Move stuff into programs / apps in ryu 2026-02-19 23:03:52 +05:30
servius
f852a73d47 feat: Updated to latest nixpkgs-unstable 2026-02-19 21:16:08 +05:30
servius
998ebc1164 feat(programs): add jujutsu(jj) package
All checks were successful
Flake checker / Build Nix targets (push) Successful in 9m41s
Details
2026-02-19 13:51:12 +05:30
servius
9acb378e5f feat: disable some services and disable root login from ssh altogether 2026-02-19 13:41:40 +05:30
servius
dca434c0ba Enable Audacity and add local Ollama provider configuration 
- Remove comment from audacity.nix to enable Audacity application
- Add Ollama provider configuration for local LLM access
- Configure glm-4.7-flash model with custom base URL
 2026-02-19 00:19:08 +05:30
servius
c22ff38874 feat: Added affine 2026-02-18 18:03:06 +05:30
servius
0591868be3 feat: Added affine server 2026-02-18 17:23:05 +05:30
servius
e249f13313 feat: Vertical to horizontal secondary monitor 3
All checks were successful
Flake checker / Build Nix targets (push) Successful in 9m37s
Details
2026-02-16 03:17:34 +05:30
servius
4ecf045deb feat: Added ip target for ignore ip 2026-02-16 02:48:03 +05:30
servius
05d1890b01 feat: Added steamdeck deploy target
All checks were successful
Flake checker / Build Nix targets (push) Successful in 9m35s
Details
2026-02-16 02:21:06 +05:30
servius
2babff5576 feat: Added cloudflare cli to add / remove dns entries from cli 2026-02-12 19:04:13 +05:30
servius
aa7c26516c feat: Added gitea runner
All checks were successful
Flake checker / Build Nix targets (push) Successful in 9m33s
Details
2026-02-12 16:21:36 +05:30
servius
a1369cbb41 feat(attic): Use env variable for attic login
All checks were successful
Flake checker / Build Nix targets (push) Successful in 29m34s
Details
2026-02-11 19:53:05 +05:30
servius
54c5cf932d feat: Added attic-client 2026-02-11 17:53:27 +05:30
servius
bb68711814 fix: use tcp instead of unix sockets for attic
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-11 17:07:40 +05:30
servius
6b31922615 feat: Added attic ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-11 16:56:23 +05:30
servius
21e779c304 fix: Macos fixes
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-11 16:30:38 +05:30
servius
e718da413b feat: Replace deprecated options from navidrome
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-11 04:48:39 +05:30
servius
98989afdec feat: upgrade to excalidraw-full 2026-02-11 04:27:14 +05:30
servius
3a97de6af2 fix: Matrix server fix
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-11 03:55:29 +05:30
servius
66b7a31943 feat: Update to latest nix 2026-02-10 23:14:12 +05:30
servius
ddb53d879e feat: Added matrix 2026-02-10 22:25:37 +05:30
servius
e403e47c28 feat: Added tuwunel 2026-02-10 14:24:39 +05:30
servius
d8b3d6fb09 chore: Update flake.nix
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-07 02:42:39 +05:30
servius
91d6863d60 feat: Change wallpapers
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-06 12:46:33 +05:30
servius
618e5593e7 feat: Update hyprland.conf 2026-02-06 10:46:10 +05:30
servius
e1c9a27ca3 feat: added libnotify
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-05 13:56:34 +05:30
servius
7a58571c03 feat: disable default.clock.rate use allowed-rates 2026-02-05 12:48:21 +05:30
servius
768caf9882 feat: Unify all of the nixos substituters
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-04 23:33:40 +05:30
servius
e07d6a44a3 feat: Update to latest nixos 2026-02-04 23:21:42 +05:30
servius
97d8c17436 feat: auto generate remmina desktop entries 2026-02-04 22:37:11 +05:30
servius
89fd861c20 feat: Re-enable retroarch
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-04 02:51:32 +05:30
servius
cf30dc9f6c feat: Remove pipewire from configuration 2026-02-03 23:40:24 +05:30
servius
b88704bf1f feat: Update AGENTS.md
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-03 22:15:52 +05:30
servius
eb63ef2585 feat: Use lower latency for pipewire 64 48000
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-03 22:05:20 +05:30
servius
d688fc0eef feat: Added audio stuff
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-03 21:10:47 +05:30
servius
63a4fba675 feat: added stuff 2026-02-03 21:10:47 +05:30
servius
8fedc57570 feat(opencode): add support for kuro device
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-03 13:24:11 +05:30
servius
dd322cb71c docs: add example of how to add secrets
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-02 04:42:32 +05:30
servius
23b5917620 refactor: update monitoring target labels and jellyfin caddy config 2026-02-02 02:34:28 +05:30
servius
5cecce74e8 chore(config): reduce ironbar favorites, disable cadvisor, update pihole hostname for the extractor
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-02 01:07:00 +05:30
servius
15853f918a chore(services): delete command-runner.nix and its entry in default.nix
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-01 22:01:37 +05:30
servius
22d619b3ce refactor(monitoring): dashboard provisioning, sops secret, exportarr off 2026-02-01 21:09:52 +05:30
servius
d5396917c3 chore: fmt 2026-02-01 19:52:48 +05:30
servius
a7d4a88741 feat: Update ironbar 2026-02-01 19:52:06 +05:30
servius
2f901052f1 feat: Added grafana 2026-02-01 19:51:51 +05:30
servius
56f1ba896c feat: Added opencode.nvim 2026-02-01 18:59:00 +05:30
servius
9607e8f3a4 feat: Added agents.md
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-01 18:30:57 +05:30
servius
41f5da953a feat: Disable terraria 2026-02-01 18:07:19 +05:30
servius
a444694054 fix: Don't remove resolved.enable = false else it'll fuck up ssh into tsuba
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details 
This is a dns issue where if we dont explicitly disable it then it
conflicts with the 53 port from the pihole container and we can't ssh
into the device anymore
 2026-02-01 02:53:38 +05:30
servius
62dd4d3713 feat: comment out resolved for tsuba
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-02-01 02:22:23 +05:30
servius
da8f61ca5d feat: Disable ssh enableDefaultConfig 2026-02-01 02:17:24 +05:30
servius
1bb14d4c62 feat: Update resolved configuration 2026-02-01 02:12:30 +05:30
servius
d25ad73b3b feat: Added blobdrop
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-01-29 20:21:18 +05:30
servius
2913f0c8e1 fix(scripts): correct aichat role syntax
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-01-28 14:34:31 +05:30
servius
fb7c219cf2 feat: Disable mpv on macos
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-01-28 13:49:31 +05:30
servius
581fa74f19 feat: Add embedding model and extraPackages to aichat
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-01-27 16:37:57 +05:30
servius
3f1f23391a feat: Disable nixvim grammarPackages for now because of is-not treesitter
Some checks failed
Flake checker / Build Nix targets (push) Has been cancelled
Details
2026-01-26 23:54:38 +05:30
101 changed files with 2674 additions and 4841 deletions
Expand all files Collapse all files

1
.ignore Normal file
View File

@@ -0,0 +1 @@
*.lock

198
AGENTS.md Normal file
View File

@@ -0,0 +1,198 @@
# Agent Guidelines for NixOS/nix-darwin Dotfiles
This repository contains NixOS, nix-darwin, and Home Manager configurations in Nix. You are a sysadmin managing server configurations and deployments.
## Build, Test, and Deployment Commands
### Build and Apply Configurations
**Linux (NixOS):**
```bash
just build # Build configuration
just install cores='32' # Apply with 32 cores
sudo nixos-rebuild test --fast --flake . # Test without activation
sudo nixos-rebuild switch --rollback --flake . # Rollback
```
**macOS (nix-darwin):**
```bash
just build # Build configuration
just install # Apply configuration
```
**Home Manager:**
```bash
just home
```
### Deploy to Remote Machines (deploy-rs)
```bash
deploy -s .#ryu # Desktop (x86_64-linux)
deploy -s .#tako # Server (x86_64-linux)
deploy -s .#tsuba # Raspberry Pi (aarch64-linux)
deploy -s .#kuro # MacBook M4 Pro (aarch64-darwin)
deploy -s .#shiro # Mac Mini M4 (aarch64-darwin)
```
### Validation and Formatting
```bash
nix flake check --show-trace # Check flake for errors
alejandra fmt . # Format all files
alejandra fmt <file>.nix # Format single file
```
## Directory Structure
- `flake.nix` - Main entry point, device definitions
- `nixos/` - NixOS machine configs (ryu, tako, tsuba)
- `darwin/` - macOS machine configs (kuro, shiro)
- `home/` - Home Manager modules (programs/, services/, apps/)
- `modules/` - Custom modules (nixos/, darwin/, home/)
- `secrets/` - SOPS encrypted secrets
- `overlays.nix`, `deploy.nix`, `sops.nix`, `stylix.nix` - Config files
## Code Style Guidelines
### Nix Language Conventions
**File Structure:**
```nix
{inputs, config, pkgs, lib, device, ...}: {
# Configuration here
}
```
**Imports:**
- Order: `inputs`, `config`, `pkgs`, `lib`, `device`, custom params, `...`
- Use set destructuring for clarity
**Formatting:**
- Use `alejandra` formatter (run before committing)
- 2-space indentation
- Trailing commas in lists and attribute sets
**Naming Conventions:**
- Files: lowercase-with-hyphens (e.g., `my-module.nix`)
- Attributes: camelCase (e.g., `enableMyFeature`)
- Functions: camelCase (e.g., `mkDevice`)
- Constants: UPPER_SNAKE_CASE (e.g., `API_KEY`)
- Device names: lowercase (e.g., `ryu`, `tako`)
**Let Expressions:**
```nix
with lib; let
cfg = config.programs.myProgram;
in {
options = { ... };
config = mkIf cfg.enable { ... };
}
```
**Conditionals:**
- Use `mkIf` for config options
- Use `lib.optionalAttrs` for attribute sets
- Use `lib.optionals` for lists
### Module Patterns
**Simple Package Module:**
```nix
{pkgs, ...}: {
home.packages = [pkgs.myPackage];
}
```
**Program Configuration Module:**
```nix
{config, pkgs, lib, ...}:
with lib; let
cfg = config.programs.myProgram;
in {
options.programs.myProgram = {
enable = mkEnableOption "myProgram";
};
config = mkIf cfg.enable {
home.packages = [pkgs.myProgram];
};
}
```
**Device-Specific Logic:**
```nix
home.packages = lib.optionals device.isLinux [pkgs.linuxPackage]
++ lib.optionals device.isDarwin [pkgs.macPackage];
sessionVariables.BROWSER = if device.isDarwin then "open" else "xdg-open";
```
## Important Rules
1. **NEVER create markdown files** unless explicitly requested
2. **DO NOT add shell scripts** - use Nix expressions
3. **All configurations must use Nix expressions** when possible
4. **Follow existing naming conventions** and directory structure
5. Create custom application entries in `~/.local/share/applications/{appname}.desktop`
## Secrets Management
- Secrets are managed with SOPS in `secrets/` directory
- Encrypted secrets in `secrets/` directory
- Configuration in `.sops.yaml`
- Access via `config.sops.secrets."secret/value".path`
```yaml
foo:
bar: somesecret
```
The path is the file that contains `somesecret`
- Add new secrets using `sops set`
Example
```bash
openssl rand -hex 32 | tr -d '\n' | jq -sR | sops set --value-stdin secrets/secrets.yaml '["foo"]["bar"]'
```
This will add a randomly generated secret to the sops file
## Common Patterns
### Adding a New Program
```bash
just add program myprogram # Creates home/programs/myprogram.nix and adds import
```
### Adding a new dns entry
```bash
cfcli add --type A foobar.bazbar.biz 192.168.0.1
```
### Creating a Module
1. Determine location: `modules/nixos/`, `modules/darwin/`, or `modules/home/`
2. Create file with proper structure
3. Add to `modules/default.nix` imports
### Device Configuration
Devices are defined in `flake.nix` using `mkDevice`. Properties available:
- `device.isLinux`, `device.isDarwin`, `device.isArm`
- `device.isServer`, `device.hasGui`, `device.isDesktopLinux`
- `device.name`, `device.user`, `device.home`
## Error Handling
- Use `mkIf` to conditionally enable configurations
- Handle both Linux and macOS cases when adding cross-platform features
## Testing Changes
1. Build first: `just build` or `nixos-rebuild build --flake .`
2. Check for errors with `--show-trace` flag
## Version Information
- Nix Version: 2.32+
- Flakes: Enabled (required)
- Formatter: alejandra
- State Version: (varies by machine & never change this)

7
builders/mirai.nix
View File

@@ -1,7 +0,0 @@
# {
# hostName = "mirai.darksailor.dev";
# sshUser = "remotebuilder";
# systems = ["x86_64-linux" "aarch64-linux"];
# protocol = "ssh-ng";
# supportedFeatures = ["nixos-test" "benchmark" "big-parallel" "kvm"];
# }

16
deploy.nix
View File

@@ -55,13 +55,13 @@
user = "root"; user = "root";
}; };
}; };
# deck = { deck = {
# hostname = "steamdeck"; hostname = "sdeck";
# profiles.system = { profiles.system = {
# sshUser = "deck"; sshUser = "deck";
# path = deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurations.deck; path = deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurations.deck;
# user = "deck"; user = "deck";
# }; };
# }; };
}; };
} }

609
flake.lock generated
View File

File diff suppressed because it is too large Load Diff

4
flake.nix
View File

@@ -155,9 +155,9 @@
}; };
zen-browser = { zen-browser = {
url = "github:0xc000022070/zen-browser-flake"; url = "github:0xc000022070/zen-browser-flake";
# IMPORTANT: we're using "libgbm" and is only available in unstable so ensure # IMPORTANT: To ensure compatibility with the latest Firefox version, use nixpkgs-unstable.
# to have it up-to-date or simply don't specify the nixpkgs input
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
inputs.home-manager.follows = "home-manager";
}; };
anyrun = { anyrun = {

80
home/accounts/fastmail.nix
View File

@@ -5,43 +5,61 @@
}: { }: {
sops = { sops = {
secrets."accounts/mail/fastmail" = {}; secrets."accounts/mail/fastmail" = {};
secrets."accounts/calendar/fastmail" = {};
}; };
accounts.email = { accounts = {
maildirBasePath = "Mail"; email = {
accounts = { maildirBasePath = "Mail";
fastmail = rec { accounts = {
maildir = { fastmail = rec {
path = "fastmail"; maildir = {
path = "fastmail";
};
primary = true;
address = "email@uttarayan.me";
aliases = ["servius@darksailor.dev"];
userName = address;
realName = "Uttarayan Mondal";
imap = {
host = "imap.fastmail.com";
port = 993;
tls.enable = true;
# authentication = "login";
};
smtp = {
host = "smtp.fastmail.com";
port = 465;
tls.enable = true;
};
passwordCommand = ["cat" "${config.sops.secrets."accounts/mail/fastmail".path}"];
mbsync = {
enable = true;
create = "both";
};
}; };
primary = true; };
address = "email@uttarayan.me"; };
aliases = ["servius@darksailor.dev"]; calendar = {
userName = address; basePath = "Calendar";
realName = "Uttarayan Mondal"; accounts = {
imap = { fastmail = {
host = "imap.fastmail.com"; remote = {
port = 993; url = "https://caldav.fastmail.com/dav/calendars/user/email@uttarayan.me";
tls.enable = true; userName = "email@uttarayan.me";
# authentication = "login"; passwordCommand = ["cat" "${config.sops.secrets."accounts/calendar/fastmail".path}"];
}; type = "caldav";
smtp = { };
host = "smtp.fastmail.com"; khal = {
port = 465; enable = true;
tls.enable = true; addresses = ["email@uttarayan.me"];
}; };
imapnotify = { vdirsyncer = {
enable = true; enable = true;
}; };
passwordCommand = ["cat" "${config.sops.secrets."accounts/mail/fastmail".path}"];
mbsync = {
enable = true;
create = "both";
}; };
}; };
}; };
}; };
programs.mbsync.enable = true;
services.mbsync.enable = pkgs.stdenv.isLinux;
# accounts.email.accounts.<name>.mbsync.create # accounts.email.accounts.<name>.mbsync.create
# services.mbsync.enable = true; # services.mbsync.enable = true;
} }

9
home/apps/affine.nix Normal file
View File

@@ -0,0 +1,9 @@
{
pkgs,
lib,
...
}: {
home.packages = lib.optionals pkgs.stdenv.isLinux [
pkgs.affine
];
}

37
home/apps/default.nix
View File

@@ -6,38 +6,41 @@
lib.optionalAttrs device.hasGui { lib.optionalAttrs device.hasGui {
imports = [ imports = [
# ./audacity.nix # ./audacity.nix
# ./blueman.nix
# ./bottles.nix # ./bottles.nix
./chromium.nix
# ./cursor.nix # ./cursor.nix
./discord.nix
./firefox.nix
./ghostty.nix
# ./gimp.nix # ./gimp.nix
# ./guitarix.nix # ./guitarix.nix
./hyprpicker.nix
# ./ida.nix # ./ida.nix
# ./jellyflix.nix # ./jellyflix.nix
# ./kicad.nix # ./kicad.nix
./kitty.nix # ./lmstudio.nix
./lmstudio.nix
./mpv.nix
# ./neovide.nix # ./neovide.nix
./nextcloud.nix
./obs-studio.nix
# ./openscad.nix # ./openscad.nix
./orcaslicer.nix # ./orcaslicer.nix
# ./pcsx2.nix # ./pcsx2.nix
./prismlauncher.nix # ./prismlauncher.nix
# ./rpcs3.nix # ./rpcs3.nix
./shadps4.nix # ./shadps4.nix
./slack.nix
# ./thunderbird.nix # ./thunderbird.nix
# ./tsukimi.nix # ./tsukimi.nix
# ./vial.nix # ./vial.nix
./vicinae.nix # ./vlc.nix
./vlc.nix
# ./vscode.nix # ./vscode.nix
./affine.nix
./blueman.nix
./chromium.nix
./discord.nix
./firefox.nix
./ghostty.nix
./hyprpicker.nix
./kitty.nix
./matrix.nix
./mpv.nix
./nextcloud.nix
./obs-studio.nix
./slack.nix
./vicinae.nix
./wezterm.nix ./wezterm.nix
./zathura.nix ./zathura.nix
./zed.nix ./zed.nix

12
home/apps/matrix.nix Normal file
View File

@@ -0,0 +1,12 @@
{
pkgs,
lib,
device,
...
}: {
home.packages = lib.optionals (device.is "ryu") [
pkgs.fluffychat
pkgs.fractal
# pkgs.quaternion
];
}

32
home/apps/mpv.nix
View File

@@ -1,6 +1,6 @@
{...}: { {pkgs, ...}: {
programs.mpv = { programs.mpv = {
enable = true; enable = pkgs.stdenv.isLinux;
config = { config = {
vo = "gpu-next"; vo = "gpu-next";
gpu-api = "vulkan"; gpu-api = "vulkan";
@@ -8,20 +8,20 @@
loop-playlist = "inf"; loop-playlist = "inf";
}; };
profiles = { profiles = {
hdr = { # hdr = {
vo = "gpu-next"; # vo = "gpu-next";
gpu-api = "vulkan"; # gpu-api = "vulkan";
hdr-compute-peak = "yes"; # hdr-compute-peak = "yes";
hdr-peak-detect = "yes"; # hdr-peak-detect = "yes";
target-peak = 400; # target-peak = 400;
target-prim = "bt.2020"; # target-prim = "bt.2020";
target-trc = "pq"; # target-trc = "pq";
inverse-tone-mapping = "yes"; # inverse-tone-mapping = "yes";
tone-mapping = "spline"; # tone-mapping = "spline";
tone-mapping-mode = "auto"; # tone-mapping-mode = "auto";
target-colorspace-hint = "auto"; # target-colorspace-hint = "auto";
gamut-mapping = "desaturate"; # gamut-mapping = "desaturate";
}; # };
}; };
}; };
} }

8
home/apps/vicinae.nix
View File

@@ -12,7 +12,9 @@
autoStart = true; autoStart = true;
}; };
}; };
home.packages = with pkgs; [ home.packages = with pkgs;
pulseaudio lib.optionals (device.is "ryu") [
]; # pulseaudio
playerctl
];
} }

43
home/apps/zen.nix
View File

@@ -2,6 +2,7 @@
pkgs, pkgs,
inputs, inputs,
device, device,
config,
... ...
}: { }: {
imports = [ imports = [
@@ -10,6 +11,47 @@
programs.zen-browser = { programs.zen-browser = {
enable = device.isLinux; enable = device.isLinux;
profiles.default = { profiles.default = {
containersForce = true;
containers = {
Personal = {
color = "purple";
icon = "fingerprint";
id = 1;
};
Work = {
color = "blue";
icon = "briefcase";
id = 2;
};
Shopping = {
color = "yellow";
icon = "dollar";
id = 3;
};
};
spacesForce = true;
spaces = let
containers = config.programs.zen-browser.profiles."default".containers;
in {
"Personal" = {
id = "";
icon = "👤";
container = containers."Personal".id;
position = 1000;
};
"Work" = {
id = "00bdd434-e31b-4e2b-b8f5-fa7055631a64";
icon = "💼";
container = containers."Work".id;
position = 2000;
};
"Shopping" = {
id = "77452260-56e6-4c9e-8d5f-417958bc4fa4";
icon = "💸";
container = containers."Shopping".id;
position = 3000;
};
};
extensions.packages = with pkgs.nur.repos.rycee.firefox-addons; [ extensions.packages = with pkgs.nur.repos.rycee.firefox-addons; [
privacy-badger privacy-badger
violentmonkey violentmonkey
@@ -42,5 +84,6 @@
Fingerprinting = true; Fingerprinting = true;
}; };
}; };
suppressXdgMigrationWarning = true;
}; };
} }

1
home/default.nix
View File

@@ -27,6 +27,7 @@
home-manager = { home-manager = {
enable = true; enable = true;
}; };
man.generateCaches = true;
}; };
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;

43
home/programs/aichat.nix
View File

@@ -1,4 +1,8 @@
{config, ...}: { {
pkgs,
config,
...
}: {
sops = { sops = {
secrets."llama/api_key" = {}; secrets."llama/api_key" = {};
secrets."openai/api_key" = {}; secrets."openai/api_key" = {};
@@ -17,7 +21,7 @@
settings = { settings = {
save_session = true; save_session = true;
model = "ryu:qwen3:30b-a3b"; model = "ryu:qwen3:30b-a3b";
rag_embedding_model = "ollama:RobinBially/nomic-embed-text-8k"; rag_embedding_model = "ryu:RobinBially/nomic-embed-text-8k";
clients = [ clients = [
{ {
type = "openai-compatible"; type = "openai-compatible";
@@ -29,15 +33,27 @@
name = "gpt-oss:20b"; name = "gpt-oss:20b";
type = "chat"; type = "chat";
} }
# {
# name = "gpt-oss:20b-instruct";
# type = "chat";
# real_name = "gpt-oss:20b";
# patch = {
# body = {
# think = "low";
# };
# };
# }
{ {
name = "qwen3:30b-a3b"; name = "qwen3:30b-a3b";
type = "chat"; type = "chat";
} }
# { {
# name = "RobinBially/nomic-embed-text-8k"; name = "RobinBially/nomic-embed-text-8k";
# type = "embedding"; type = "embedding";
# default_chunk_size = 8000; default_chunk_size = 1000;
# } max_tokens_per_chunk = 8192;
max_batch_size = 100;
}
# { # {
# name = "deepseek-r1:14b"; # name = "deepseek-r1:14b";
# type = "chat"; # type = "chat";
@@ -133,9 +149,16 @@
}; };
} }
]; ];
document_loaders = {
git =
/*
sh
*/
''sh -c "yek $1 --json | jq '[.[] | { path: .filename, contents: .content }]'"'';
};
}; };
roles = { roles = {
"%git-commit%" = "git-commit" =
/* /*
md md
*/ */
@@ -146,5 +169,9 @@
Your task is to generate a concise and informative commit message based on the provided diff. Use the conventional commit format, which includes a type (feat, fix, chore, docs, style, refactor, perf, test) and an optional scope. The message should be in the imperative mood and should not exceed 72 characters in the subject line. Do not under any circumstance include any additional text or explanations, just add the commit message. Your task is to generate a concise and informative commit message based on the provided diff. Use the conventional commit format, which includes a type (feat, fix, chore, docs, style, refactor, perf, test) and an optional scope. The message should be in the imperative mood and should not exceed 72 characters in the subject line. Do not under any circumstance include any additional text or explanations, just add the commit message.
''; '';
}; };
extraPackages = with pkgs; [
jq
yek
];
}; };
} }

35
home/programs/attic.nix Normal file
View File

@@ -0,0 +1,35 @@
{
pkgs,
lib,
config,
...
}: let
attic-unwrapped = pkgs.attic-client.overrideAttrs (oldAttrs: {
patches =
(oldAttrs.patches or [])
++ [
# PR #309: Add environment variable support for login
# https://github.com/zhaofengli/attic/pull/309
(pkgs.fetchpatch {
url = "https://github.com/zhaofengli/attic/pull/309.patch";
hash = "sha256-mDoxA+e2bBZDvERp03SyYvkEdtH/bfWtZqKZv0uCS0M=";
})
];
});
in {
sops.secrets."attic/token" = {};
home.packages = [
(pkgs.stdenv.mkDerivation {
pname = "attic-client";
version = "0.1.0";
src = attic-unwrapped;
buildInputs = [];
nativeBuildInputs = [pkgs.makeWrapper];
installPhase = ''
install -Dm755 $src/bin/attic $out/bin/attic
wrapProgram $out/bin/attic \
--run "export ATTIC_LOGIN_TOKEN=\`cat -v ${config.sops.secrets."attic/token".path}\`"
'';
})
];
}

8
home/programs/blobdrop.nix Normal file
View File

@@ -0,0 +1,8 @@
{
pkgs,
device,
lib,
...
}: {
home.packages = lib.optionals (device.name == "ryu") [pkgs.blobdrop];
}

6
home/programs/calendar.nix Normal file
View File

@@ -0,0 +1,6 @@
{pkgs, ...}: {
programs.khal.enable = true;
programs.qcal.enable = true;
programs.vdirsyncer.enable = true;
accounts.calendar.accounts.fastmail.qcal.enable = true;
}

9
home/programs/carapace.nix
View File

@@ -1,13 +1,8 @@
{ {...}: {
pkgs,
lib,
device,
...
}: {
programs. programs.
carapace = { carapace = {
enable = false; enable = false;
enableFishIntegration = true; enableFishIntegration = false;
enableNushellIntegration = true; enableNushellIntegration = true;
}; };
} }

41
home/programs/cargo.nix
View File

@@ -3,25 +3,28 @@
device, device,
cratesNix, cratesNix,
... ...
}: }: let
lib.mkIf (!device.isServer) { cargo-credential-1password = cratesNix.buildCrate "cargo-credential-1password" {};
home.file.".cargo/config.toml".text = in
# toml lib.mkIf (!device.isServer) {
'' home.file.".cargo/config.toml".text =
[alias] # toml
lldb = ["with", "rust-lldb", "--"] ''
t = ["nextest", "run"] [alias]
lldb = ["with", "rust-lldb", "--"]
t = ["nextest", "run"]
pkgs = ["metadata", "--no-deps", "--format-version", "1"]
[net] [net]
git-fetch-with-cli = true git-fetch-with-cli = true
[registries.kellnr] [registries.kellnr]
index = "sparse+https://crates.darksailor.dev/api/v1/crates/" index = "sparse+https://crates.darksailor.dev/api/v1/crates/"
[registry] [registry]
global-credential-providers = ["cargo:token", "/etc/profiles/per-user/fs0c131y/bin/cargo-credential-1password --account my.1password.com"] global-credential-providers = ["cargo:token", "${lib.getExe cargo-credential-1password} --account my.1password.com"]
''; '';
home.packages = [ home.packages = [
(cratesNix.buildCrate "cargo-credential-1password" {}) cargo-credential-1password
]; ];
} }

27
home/programs/cfcli.nix Normal file
View File

@@ -0,0 +1,27 @@
{
pkgs,
lib,
config,
...
}: {
sops.secrets."cloudflare/darksailor_dev_api_key" = {};
home.packages = [
# (pkgs.stdenv.mkDerivation {
# pname = "cfcli";
# version = "0.1.0";
# buildInputs = [pkgs.cloudflare-cli];
# nativeBuildInputs = [pkgs.makeWrapper];
# installPhase = ''
# $out/bin/cfcli \
# --run "export CF_API_KEY=\`cat -v ${config.sops.secrets."cloudflare/darksailor_dev_api_key".path}\`"
# '';
# })
(pkgs.writeShellScriptBin
"cfcli"
''
#!/bin/sh
export CF_API_KEY="$(cat -v ${config.sops.secrets."cloudflare/darksailor_dev_api_key".path})"
exec ${pkgs.cloudflare-cli}/bin/cfcli "$@"
'')
];
}

50
home/programs/default.nix
View File

@@ -4,22 +4,47 @@
... ...
}: { }: {
imports = [ imports = [
# ./bluetui.nix
# ./goread.nix
# ./helix.nix
# ./magika.nix
# ./mpd.nix
# ./mpris-scrobbler.nix
# ./ncmpcpp.nix
# ./newsboat.nix
# ./nh.nix
# ./ryujinx.nix
# ./sxiv.nix
# ./tea.nix
# ./template.nix
# ./tuifeed.nix
# ./xh.nix
# ./zellij.nix
../../modules ../../modules
./1password-cli.nix ./1password-cli.nix
./aichat.nix ./aichat.nix
./alejandra.nix ./alejandra.nix
./aria2.nix ./aria2.nix
./ast-grep.nix ./ast-grep.nix
./attic.nix
./atuin.nix ./atuin.nix
./bat.nix ./bat.nix
./binwalk.nix
./blobdrop.nix
./bottom.nix ./bottom.nix
./btop.nix ./btop.nix
./cachix.nix ./cachix.nix
./calendar.nix
./carapace.nix ./carapace.nix
./cargo.nix
./cfcli.nix
./ddcbacklight.nix ./ddcbacklight.nix
./deploy-rs.nix ./deploy-rs.nix
./direnv.nix ./direnv.nix
./dust.nix ./dust.nix
./dysk.nix
./eilmeldung.nix ./eilmeldung.nix
./eza.nix ./eza.nix
./fastfetch.nix ./fastfetch.nix
@@ -33,15 +58,18 @@
./himalaya.nix ./himalaya.nix
./hyprshade.nix ./hyprshade.nix
./jq.nix ./jq.nix
./jujutsu.nix
./just.nix ./just.nix
./ncpamixer.nix ./ncpamixer.nix
./neomutt.nix ./neomutt.nix
./neovim.nix ./neovim.nix
./nix-index.nix ./nix-index.nix
./nushell.nix ./nushell.nix
./omnix.nix
./opencode.nix ./opencode.nix
./p7zip.nix ./p7zip.nix
./pkg-config.nix ./pkg-config.nix
./retroarch.nix
./ripgrep.nix ./ripgrep.nix
./rustup.nix ./rustup.nix
./sd.nix ./sd.nix
@@ -54,26 +82,6 @@
./yazi.nix ./yazi.nix
./yt-dlp.nix ./yt-dlp.nix
./zoxide.nix ./zoxide.nix
# ./bluetui.nix ./yq.nix
# ./goread.nix
# ./helix.nix
# ./magika.nix
# ./mpd.nix
# ./mpris-scrobbler.nix
# ./ncmpcpp.nix
# ./newsboat.nix
# ./nh.nix
# ./omnix.nix
# ./retroarch.nix
# ./ryujinx.nix
# ./sxiv.nix
# ./tea.nix
# ./template.nix
# ./tuifeed.nix
# ./xh.nix
# ./zellij.nix
./dysk.nix
./binwalk.nix
./cargo.nix
]; ];
} }

1
home/programs/fish.nix
View File

@@ -43,6 +43,7 @@
''} ''}
''; '';
}; };
home.shell.enableFishIntegration = true;
} }
// lib.optionalAttrs (!(device.is "tsuba")) { // lib.optionalAttrs (!(device.is "tsuba")) {
stylix.targets.fish.enable = false; stylix.targets.fish.enable = false;

2
home/programs/fzf.nix
View File

@@ -1 +1 @@
{pkgs, ...}: { home.packages = [pkgs.fzf];} {pkgs, ...}: {home.packages = [pkgs.fzf];}

1
home/programs/jujutsu.nix Normal file
View File

@@ -0,0 +1 @@
{pkgs, ...}: {home.packages = [pkgs.jujutsu];}

44
home/programs/neomutt.nix
View File

@@ -1,4 +1,9 @@
{pkgs, ...}: { {pkgs, ...}: let
theme = builtins.fetchurl {
url = "https://raw.githubusercontent.com/catppuccin/neomutt/refs/heads/main/neomuttrc";
sha256 = "sha256:1q086p5maqwxa4gh6z8g7h3nfavdmkbql025ibdhglpz46hsq0hs";
};
in {
programs.neomutt = { programs.neomutt = {
enable = true; enable = true;
vimKeys = true; vimKeys = true;
@@ -6,6 +11,9 @@
sidebar = { sidebar = {
enable = true; enable = true;
}; };
extraConfig = ''
source ${theme}
'';
}; };
programs.notmuch = { programs.notmuch = {
enable = true; enable = true;
@@ -17,4 +25,38 @@
enable = true; enable = true;
neomutt.enable = true; neomutt.enable = true;
}; };
services.imapnotify = {
enable = true;
path = [pkgs.coreutils pkgs.isync pkgs.libnotify];
};
accounts.email.accounts.fastmail.imapnotify = {
enable = true;
boxes = ["Inbox"];
onNotify = "${pkgs.writeShellScript "mbsync-notify" ''
${pkgs.isync}/bin/mbsync $1
${pkgs.libnotify}/bin/notify-send "New Mail" "New email in $1"
''} %s";
};
programs.mbsync.enable = true;
services.mbsync.enable = pkgs.stdenv.isLinux;
# launchd.agents.mbsync = {
# enable = true;
# config = {
# # A label for the service
# Label = "dev.darksailor.atuin-daemon";
# # The command to run
# ProgramArguments = [
# "${pkgs.atuin}/bin/atuin"
# "daemon"
# ];
# # Run the service when you log in
# RunAtLoad = true;
# # Keep the process alive, or restart if it dies
# KeepAlive = true;
# # Log files
# StandardOutPath = "${device.home}/Library/Logs/atuin-daemon.log";
# StandardErrorPath = "${device.home}/Library/Logs/atuin-daemon.error.log";
# };
# };
} }

1
home/programs/nushell.nix
View File

@@ -26,4 +26,5 @@
} }
''; '';
}; };
home.shell.enableNushellIntegration = true;
} }

17
home/programs/opencode.nix
View File

@@ -3,8 +3,23 @@
lib, lib,
... ...
}: }:
lib.optionalAttrs (device.is "ryu") { lib.optionalAttrs (device.is "ryu" || device.is "kuro") {
programs.opencode = { programs.opencode = {
enable = true; enable = true;
settings.provider = {
ollama = {
models = {
"glm-4.7-flash" = {
# "_launch" = true;
name = "glm-4.7-flash";
};
};
name = "Ollama (local)";
npm = "@ai-sdk/openai-compatible";
options = {
baseURL = "https://ollama.darksailor.dev/v1";
};
};
};
}; };
} }

15
home/programs/ssh.nix
View File

@@ -6,6 +6,7 @@
}: { }: {
programs.ssh = { programs.ssh = {
enable = true; enable = true;
enableDefaultConfig = false;
matchBlocks = { matchBlocks = {
tsuba = { tsuba = {
user = "servius"; user = "servius";
@@ -45,13 +46,13 @@
hostname = "steamdeck"; hostname = "steamdeck";
forwardAgent = true; forwardAgent = true;
}; };
# "*" = { "*" = {
# forwardAgent = false; forwardAgent = false;
# addKeysToAgent = "no"; addKeysToAgent = "no";
# # compression = true; # compression = true;
# # HashKnownHosts = "no"; # HashKnownHosts = "no";
# serverAliveInterval = 60; serverAliveInterval = 60;
# }; };
}; };
extraConfig = extraConfig =
lib.strings.optionalString (pkgs.stdenv.isDarwin && !device.isServer) lib.strings.optionalString (pkgs.stdenv.isDarwin && !device.isServer)

1
home/programs/yazi.nix
View File

@@ -17,5 +17,6 @@
cache_dir = config.home.homeDirectory + "/.cache/yazi/previews"; cache_dir = config.home.homeDirectory + "/.cache/yazi/previews";
}; };
}; };
shellWrapperName = "yy";
}; };
} }

1
home/programs/yq.nix Normal file
View File

@@ -0,0 +1 @@
{pkgs, ...}: {home.packages = [pkgs.yq];}

17
home/services/hyprland.nix
View File

@@ -61,9 +61,9 @@
{ {
output = device.monitors.secondary; output = device.monitors.secondary;
mode = "2560x1440@170"; mode = "2560x1440@170";
position = "-1440x-1120"; position = "-2560x0";
scale = 1; scale = 1;
transform = 1; transform = 0;
} }
{ {
output = device.monitors.tertiary; output = device.monitors.tertiary;
@@ -156,21 +156,20 @@
# windowrulev2 = float,class:^(kitty)$,title:^(kitty)$ # windowrulev2 = float,class:^(kitty)$,title:^(kitty)$
# See https://wiki.hyprland.org/Configuring/Window-Rules/ for more # See https://wiki.hyprland.org/Configuring/Window-Rules/ for more
windowrulev2 = [ windowrule = [
# "float, title:^(Steam)$" # "match:title ^(Steam)$ float"
"float, title:^(Archetype.*)$" "match:title ^(Archetype.*)$ float"
"float, class:(.*nextcloud.*)" "match:class (.*nextcloud.*) float"
"float, class:org.kde.kdeconnect.app" "match:class org.kde.kdeconnect.app float"
]; ];
# "misc:vfr" = true;
env = [ env = [
"XCURSOR_SIZE,24" "XCURSOR_SIZE,24"
"XDG_SESSION_TYPE,wayland" "XDG_SESSION_TYPE,wayland"
"MOZ_ENABLE_WAYLAND,1" "MOZ_ENABLE_WAYLAND,1"
"QT_QPA_PLATFORM,wayland" "QT_QPA_PLATFORM,wayland"
]; ];
exec-once = [ exec-once = [
# "${pkgs.polkit-kde-agent}/libexec/polkit-kde-authentication-agent-1" # "${pkgs.polkit-kde-agent}/libexec/polkit-kde-authentication-agent-1"
"${pkgs.mate.mate-polkit}/libexec/polkit-mate-authentication-agent-1" "${pkgs.mate.mate-polkit}/libexec/polkit-mate-authentication-agent-1"

6
home/services/hyprpaper.nix
View File

@@ -7,11 +7,13 @@
services.hyprpaper = let services.hyprpaper = let
wallpapers = import ../../utils/wallhaven.nix {inherit pkgs;}; wallpapers = import ../../utils/wallhaven.nix {inherit pkgs;};
nextcloudWallpapers = name: config.home.homeDirectory + "/Nextcloud/Wallpapers/" + name; nextcloudWallpapers = name: config.home.homeDirectory + "/Nextcloud/Wallpapers/" + name;
silksongFleas = nextcloudWallpapers "silksong-fleas.jpg"; # silksongFleas = nextcloudWallpapers "silksong-fleas.jpg";
bocchiVertical = nextcloudWallpapers "bocchi-vertical.jpg";
silksongShadeLord = nextcloudWallpapers "silksong-shadelord.jpg"; silksongShadeLord = nextcloudWallpapers "silksong-shadelord.jpg";
in { in {
enable = device.is "ryu"; enable = device.is "ryu";
settings = { settings = {
splash = false;
wallpaper = [ wallpaper = [
{ {
monitor = device.monitors.primary; monitor = device.monitors.primary;
@@ -25,7 +27,7 @@
} }
{ {
monitor = device.monitors.tertiary; monitor = device.monitors.tertiary;
path = silksongFleas; path = bocchiVertical;
fit_mode = "cover"; fit_mode = "cover";
} }
]; ];

94
home/services/ironbar/default.nix
View File

@@ -13,13 +13,14 @@
"${device.monitors.secondary}" = { "${device.monitors.secondary}" = {
position = "bottom"; position = "bottom";
start = [ start = [
{ {type = "tray";}
type = "launcher"; # {
favourites = ["firefox" "discord"]; # type = "launcher";
show_names = false; # favourites = ["firefox" "discord"];
show_icons = true; # show_names = false;
} # show_icons = true;
{type = "focused";} # }
# {type = "focused";}
]; ];
end = [ end = [
{ {
@@ -35,46 +36,45 @@
{type = "clock";} {type = "clock";}
]; ];
}; };
"${device.monitors.primary}" = { # "${device.monitors.primary}" = {
position = "bottom"; # position = "bottom";
icon_theme = "Papirus-Dark"; # icon_theme = "Papirus-Dark";
end = [ # end = [
{ # {
type = "sys_info"; # type = "sys_info";
format = [ # format = [
" CPU {cpu_percent}% | {temp_c:coretemp-Package-id-0}°C" # " CPU {cpu_percent}% | {temp_c:coretemp-Package-id-0}°C"
" RAM {memory_used}GB/{memory_total}GB" # " RAM {memory_used}GB/{memory_total}GB"
]; # ];
interval = { # interval = {
cpu = 1; # cpu = 1;
temps = 5; # temps = 5;
memory = 30; # memory = 30;
# disks= 300; # # disks= 300;
# networks= 3; # # networks= 3;
}; # };
} # }
{type = "tray";} # ];
]; # start = [
start = [ # {
{ # type = "workspaces";
type = "workspaces"; # name_map = {
name_map = { # "1" = "icon:kitty";
"1" = "icon:foot"; # "2" = "icon:code";
"2" = "icon:code"; # "3" = "icon:firefox";
"3" = "icon:firefox"; # "4" = "icon:slack";
"4" = "icon:slack"; # # "5" = "icon:steam";
"5" = "icon:steam"; # # "6" = "icon:foot";
"6" = "icon:foot"; # # "7" = "icon:foot";
"7" = "icon:foot"; # # "8" = "icon:firefox";
"8" = "icon:firefox"; # # "9" = "icon:discord";
"9" = "icon:discord"; # # "10" = "icon:spotify";
"10" = "icon:spotify"; # };
}; # favorites = ["1" "2" "3" "4"];
favorites = ["1" "2" "3" "4" "5" "6" "7" "8" "9" "10"]; # all_monitors = false;
all_monitors = true; # }
} # ];
]; # };
};
"${device.monitors.tertiary}" = { "${device.monitors.tertiary}" = {
position = "bottom"; position = "bottom";
icon_theme = "Papirus-Dark"; icon_theme = "Papirus-Dark";

63
home/services/remmina.nix
View File

@@ -1,7 +1,68 @@
{device, ...}: { {
device,
pkgs,
lib,
config,
...
}:
with lib; let
remminaDir = "${config.home.homeDirectory}/.local/share/remmina";
applicationsDir = "${config.home.homeDirectory}/.local/share/applications";
# Script to generate desktop entries for Remmina connections
generateRemminaDesktopEntries = pkgs.writeShellScript "generate-remmina-desktop-entries" ''
REMMINA_DIR="${remminaDir}"
APPS_DIR="${applicationsDir}"
# Create applications directory if it doesn't exist
mkdir -p "$APPS_DIR"
# Remove old remmina desktop entries
rm -f "$APPS_DIR"/remmina-*.desktop
# Exit if remmina directory doesn't exist
[[ ! -d "$REMMINA_DIR" ]] && exit 0
# Generate desktop entries for each .remmina file
find "$REMMINA_DIR" -name "*.remmina" -type f | while read -r file; do
# Extract connection details
name=$(${pkgs.gnugrep}/bin/grep "^name=" "$file" | ${pkgs.coreutils}/bin/cut -d'=' -f2-)
server=$(${pkgs.gnugrep}/bin/grep "^server=" "$file" | ${pkgs.coreutils}/bin/cut -d'=' -f2-)
protocol=$(${pkgs.gnugrep}/bin/grep "^protocol=" "$file" | ${pkgs.coreutils}/bin/cut -d'=' -f2-)
# Use filename as fallback if name is empty
[[ -z "$name" ]] && name=$(${pkgs.coreutils}/bin/basename "$file" .remmina)
[[ -z "$protocol" ]] && protocol="Unknown"
# Generate desktop entry filename
desktop_name=$(${pkgs.coreutils}/bin/basename "$file" .remmina | ${pkgs.gnused}/bin/sed 's/[^a-zA-Z0-9_-]/-/g')
desktop_file="$APPS_DIR/remmina-$desktop_name.desktop"
# Create desktop entry
cat > "$desktop_file" <<EOF
[Desktop Entry]
Type=Application
Name=Remmina - $name
GenericName=$protocol Connection to $server
Comment=Connect to $server via $protocol
Exec=${pkgs.remmina}/bin/remmina -c "$file"
Icon=org.remmina.Remmina
Terminal=false
Categories=Network;RemoteAccess;
EOF
done
'';
in {
services.remmina = { services.remmina = {
enable = device.is "ryu"; enable = device.is "ryu";
systemdService.enable = true; systemdService.enable = true;
addRdpMimeTypeAssoc = true; addRdpMimeTypeAssoc = true;
}; };
# Activation script to generate desktop entries
home.activation.generateRemminaDesktopEntries = mkIf (device.is "ryu") (
lib.hm.dag.entryAfter ["writeBoundary"] ''
run ${generateRemminaDesktopEntries}
''
);
} }

48
home/services/wallpaperengine.nix
View File

@@ -5,28 +5,28 @@
... ...
}: }:
lib.mkIf (device.is "ryu") { lib.mkIf (device.is "ryu") {
# systemd.user.services.wallpaperengine = { systemd.user.services.wallpaperengine = {
# Unit = { Unit = {
# Description = "Linux Wallpaper Engine"; Description = "Linux Wallpaper Engine";
# After = ["hyprland-session.target"]; After = ["hyprland-session.target"];
# Wants = ["hyprland-session.target"]; Wants = ["hyprland-session.target"];
# PartOf = ["hyprland-session.target"]; PartOf = ["hyprland-session.target"];
# }; };
#
# Service = { Service = {
# Environment = [ Environment = [
# "XDG_SESSION_TYPE=wayland" "XDG_SESSION_TYPE=wayland"
# ]; ];
# Type = "simple"; Type = "simple";
# ExecStartPre = "${pkgs.coreutils}/bin/sleep 3"; ExecStartPre = "${pkgs.coreutils}/bin/sleep 3";
# ExecStart = "${pkgs.linux-wallpaperengine}/bin/linux-wallpaperengine --silent --no-audio-processing -f 15 --scaling fill --screen-root HDMI-A-1 --bg 2780316434"; ExecStart = "${pkgs.linux-wallpaperengine}/bin/linux-wallpaperengine --silent --no-audio-processing -f 15 --scaling fill --screen-root HDMI-A-1 --bg 2780316434";
# Restart = "on-failure"; Restart = "on-failure";
# RestartSec = 5; RestartSec = 5;
# TimeoutStartSec = 30; TimeoutStartSec = 30;
# }; };
#
# Install = { Install = {
# WantedBy = ["hyprland-session.target"]; WantedBy = ["hyprland-session.target"];
# }; };
# }; };
} }

2
justfile
View File

@@ -41,3 +41,5 @@ add program:
alejandra fmt home/programs/{{program}}.nix home/programs/default.nix alejandra fmt home/programs/{{program}}.nix home/programs/default.nix
git add home/programs/{{program}}.nix git add home/programs/{{program}}.nix
# add-secret secret:
# openssl rand -hex 32 | tr -d '\n' | jq -sR | sops set --value-stdin secrets/secrets.yaml {{secret}}

10
modules/aichat.nix
View File

@@ -81,6 +81,14 @@ in {
type = lib.types.attrsOf lib.types.str; type = lib.types.attrsOf lib.types.str;
description = "Roles for the AI chat clients"; description = "Roles for the AI chat clients";
}; };
extraPackages = mkOption {
type = lib.types.listOf lib.types.package;
default = [];
example = literalExpression "with pkgs; [ jq yek ];";
description = ''
Additional packages to install.
'';
};
}; };
}; };
@@ -99,7 +107,7 @@ in {
''; '';
}; };
in { in {
home.packages = mkIf cfg.enable [aichat-wrapped]; home.packages = mkIf cfg.enable ([aichat-wrapped] ++ cfg.extraPackages);
programs.fish.interactiveShellInit = mkIf cfg.enableFishIntegration fishIntegration; programs.fish.interactiveShellInit = mkIf cfg.enableFishIntegration fishIntegration;
programs.bash.initExtra = mkIf cfg.enableBashIntegration bashIntegration; programs.bash.initExtra = mkIf cfg.enableBashIntegration bashIntegration;

162
modules/nixos/affine.nix Normal file
View File

@@ -0,0 +1,162 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.services.affine;
dbName = "affine";
dbUser = "affine";
in {
options.services.affine = {
enable = mkEnableOption "AFFiNE self-hosted workspace";
port = mkOption {
type = types.port;
default = 3010;
description = "Port for the AFFiNE server to listen on";
};
domain = mkOption {
type = types.str;
description = "Public domain for AFFiNE (e.g. notes.darksailor.dev)";
};
imageTag = mkOption {
type = types.str;
default = "stable";
description = "Docker image tag for AFFiNE (stable, beta, canary)";
};
dataDir = mkOption {
type = types.str;
default = "/var/lib/affine";
description = "Base data directory for AFFiNE storage";
};
environmentFiles = mkOption {
type = types.listOf types.path;
default = [];
description = "Environment files containing secrets (DB password, etc.)";
};
};
config = mkIf cfg.enable {
# Create data directories
systemd.tmpfiles.rules = [
"d ${cfg.dataDir} 0755 root root -"
"d ${cfg.dataDir}/storage 0755 root root -"
"d ${cfg.dataDir}/config 0755 root root -"
"d ${cfg.dataDir}/postgres 0700 root root -"
"d ${cfg.dataDir}/redis 0755 root root -"
];
virtualisation.oci-containers = {
backend = "docker";
containers = {
affine-postgres = {
image = "pgvector/pgvector:pg16";
volumes = [
"${cfg.dataDir}/postgres:/var/lib/postgresql/data"
];
environment = {
POSTGRES_USER = dbUser;
POSTGRES_DB = dbName;
POSTGRES_INITDB_ARGS = "--data-checksums";
POSTGRES_HOST_AUTH_METHOD = "trust";
};
environmentFiles = cfg.environmentFiles;
extraOptions = [
"--health-cmd=pg_isready -U ${dbUser} -d ${dbName}"
"--health-interval=10s"
"--health-timeout=5s"
"--health-retries=5"
];
networks = ["affine-net"];
};
affine-redis = {
image = "redis:7";
volumes = [
"${cfg.dataDir}/redis:/data"
];
networks = ["affine-net"];
extraOptions = [
"--health-cmd=redis-cli --raw incr ping"
"--health-interval=10s"
"--health-timeout=5s"
"--health-retries=5"
];
};
affine = {
image = "ghcr.io/toeverything/affine:${cfg.imageTag}";
ports = ["127.0.0.1:${toString cfg.port}:3010"];
dependsOn = [
"affine-postgres"
"affine-redis"
"affine-migration"
];
volumes = [
"${cfg.dataDir}/storage:/root/.affine/storage"
"${cfg.dataDir}/config:/root/.affine/config"
];
environment = {
AFFINE_SERVER_PORT = "3010";
AFFINE_SERVER_HOST = cfg.domain;
AFFINE_SERVER_HTTPS = "true";
AFFINE_SERVER_EXTERNAL_URL = "https://${cfg.domain}";
REDIS_SERVER_HOST = "affine-redis";
DATABASE_URL = "postgresql://${dbUser}:$${AFFINE_DB_PASSWORD:-affine}@affine-postgres:5432/${dbName}";
AFFINE_INDEXER_ENABLED = "false";
};
environmentFiles = cfg.environmentFiles;
networks = ["affine-net"];
};
affine-migration = {
image = "ghcr.io/toeverything/affine:${cfg.imageTag}";
dependsOn = [
"affine-postgres"
"affine-redis"
];
volumes = [
"${cfg.dataDir}/storage:/root/.affine/storage"
"${cfg.dataDir}/config:/root/.affine/config"
];
cmd = ["sh" "-c" "node ./scripts/self-host-predeploy.js"];
environment = {
REDIS_SERVER_HOST = "affine-redis";
DATABASE_URL = "postgresql://${dbUser}:$${AFFINE_DB_PASSWORD:-affine}@affine-postgres:5432/${dbName}";
AFFINE_INDEXER_ENABLED = "false";
};
environmentFiles = cfg.environmentFiles;
networks = ["affine-net"];
};
};
};
# Create the Docker network
# systemd.services.affine-network = {
# description = "Create AFFiNE Docker network";
# after = ["docker.service"];
# wantedBy = ["multi-user.target"];
# serviceConfig = {
# Type = "oneshot";
# RemainAfterExit = true;
# # ExecStart = "${config.virtualisation.docker.package}/bin/docker network create affine-net";
# # ExecStop = "${config.virtualisation.docker.package}/bin/docker network remove affine-net";
# };
# };
#
# Ensure containers start after the network is created
# systemd.services.docker-affine.after = ["affine-network.service"];
# systemd.services.docker-affine.requires = ["affine-network.service"];
# systemd.services.docker-affine-postgres.after = ["affine-network.service"];
# systemd.services.docker-affine-postgres.requires = ["affine-network.service"];
# systemd.services.docker-affine-redis.after = ["affine-network.service"];
# systemd.services.docker-affine-redis.requires = ["affine-network.service"];
# systemd.services.docker-affine-migration.after = ["affine-network.service"];
# systemd.services.docker-affine-migration.requires = ["affine-network.service"];
};
}

480
modules/nixos/caddy/default.nix
View File

@@ -1,480 +0,0 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.services.caddy;
certs = config.security.acme.certs;
virtualHosts = attrValues cfg.virtualHosts;
acmeEnabledVhosts = filter (hostOpts: hostOpts.useACMEHost != null) virtualHosts;
vhostCertNames = unique (map (hostOpts: hostOpts.useACMEHost) acmeEnabledVhosts);
dependentCertNames = filter (cert: certs.${cert}.dnsProvider == null) vhostCertNames; # those that might depend on the HTTP server
independentCertNames = filter (cert: certs.${cert}.dnsProvider != null) vhostCertNames; # those that don't depend on the HTTP server
mkVHostConf = hostOpts: let
sslCertDir = config.security.acme.certs.${hostOpts.useACMEHost}.directory;
in ''
${hostOpts.hostName} ${concatStringsSep " " hostOpts.serverAliases} {
${optionalString (
hostOpts.listenAddresses != []
) "bind ${concatStringsSep " " hostOpts.listenAddresses}"}
${optionalString (
hostOpts.useACMEHost != null
) "tls ${sslCertDir}/cert.pem ${sslCertDir}/key.pem"}
log {
${hostOpts.logFormat}
}
${hostOpts.extraConfig}
}
'';
settingsFormat = pkgs.formats.json {};
configFile =
if cfg.settings != {}
then settingsFormat.generate "caddy.json" cfg.settings
else let
Caddyfile = pkgs.writeTextDir "Caddyfile" ''
{
${cfg.globalConfig}
}
${cfg.extraConfig}
${concatMapStringsSep "\n" mkVHostConf virtualHosts}
'';
Caddyfile-formatted = pkgs.runCommand "Caddyfile-formatted" {} ''
mkdir -p $out
cp --no-preserve=mode ${Caddyfile}/Caddyfile $out/Caddyfile
${lib.getExe cfg.package} fmt --overwrite $out/Caddyfile
'';
in "${
if pkgs.stdenv.buildPlatform == pkgs.stdenv.hostPlatform
then Caddyfile-formatted
else Caddyfile
}/Caddyfile";
etcConfigFile = "caddy/caddy_config";
configPath = "/etc/${etcConfigFile}";
mkCertOwnershipAssertion = import ../../../security/acme/mk-cert-ownership-assertion.nix lib;
in {
imports = [
(mkRemovedOptionModule [
"services"
"caddy"
"agree"
] "this option is no longer necessary for Caddy 2")
(mkRenamedOptionModule ["services" "caddy" "ca"] ["services" "caddy" "acmeCA"])
(mkRenamedOptionModule ["services" "caddy" "config"] ["services" "caddy" "extraConfig"])
];
# interface
options.services.caddy = {
enable = mkEnableOption "Caddy web server";
user = mkOption {
default = "caddy";
type = types.str;
description = ''
User account under which caddy runs.
::: {.note}
If left as the default value this user will automatically be created
on system activation, otherwise you are responsible for
ensuring the user exists before the Caddy service starts.
:::
'';
};
group = mkOption {
default = "caddy";
type = types.str;
description = ''
Group under which caddy runs.
::: {.note}
If left as the default value this group will automatically be created
on system activation, otherwise you are responsible for
ensuring the group exists before the Caddy service starts.
:::
'';
};
package = mkPackageOption pkgs "caddy" {};
dataDir = mkOption {
type = types.path;
default = "/var/lib/caddy";
description = ''
The data directory for caddy.
::: {.note}
If left as the default value this directory will automatically be created
before the Caddy server starts, otherwise you are responsible for ensuring
the directory exists with appropriate ownership and permissions.
Caddy v2 replaced `CADDYPATH` with XDG directories.
See <https://caddyserver.com/docs/conventions#file-locations>.
:::
'';
};
logDir = mkOption {
type = types.path;
default = "/var/log/caddy";
description = ''
Directory for storing Caddy access logs.
::: {.note}
If left as the default value this directory will automatically be created
before the Caddy server starts, otherwise the sysadmin is responsible for
ensuring the directory exists with appropriate ownership and permissions.
:::
'';
};
logFormat = mkOption {
type = types.lines;
default = ''
level ERROR
'';
example = literalExpression ''
mkForce "level INFO";
'';
description = ''
Configuration for the default logger. See
<https://caddyserver.com/docs/caddyfile/options#log>
for details.
'';
};
configFile = mkOption {
type = types.path;
default = configFile;
defaultText = "A Caddyfile automatically generated by values from services.caddy.*";
example = literalExpression ''
pkgs.writeText "Caddyfile" '''
example.com
root * /var/www/wordpress
php_fastcgi unix//run/php/php-version-fpm.sock
file_server
''';
'';
description = ''
Override the configuration file used by Caddy. By default,
NixOS generates one automatically.
The configuration file is exposed at {file}`${configPath}`.
'';
};
adapter = mkOption {
default =
if ((cfg.configFile != configFile) || (builtins.baseNameOf cfg.configFile) == "Caddyfile")
then "caddyfile"
else null;
defaultText = literalExpression ''
if ((cfg.configFile != configFile) || (builtins.baseNameOf cfg.configFile) == "Caddyfile") then "caddyfile" else null
'';
example = literalExpression "nginx";
type = with types; nullOr str;
description = ''
Name of the config adapter to use.
See <https://caddyserver.com/docs/config-adapters>
for the full list.
If `null` is specified, the `--adapter` argument is omitted when
starting or restarting Caddy. Notably, this allows specification of a
configuration file in Caddy's native JSON format, as long as the
filename does not start with `Caddyfile` (in which case the `caddyfile`
adapter is implicitly enabled). See
<https://caddyserver.com/docs/command-line#caddy-run> for details.
::: {.note}
Any value other than `null` or `caddyfile` is only valid when providing
your own `configFile`.
:::
'';
};
resume = mkOption {
default = false;
type = types.bool;
description = ''
Use saved config, if any (and prefer over any specified configuration passed with `--config`).
'';
};
globalConfig = mkOption {
type = types.lines;
default = "";
example = ''
debug
servers {
protocol {
experimental_http3
}
}
'';
description = ''
Additional lines of configuration appended to the global config section
of the `Caddyfile`.
Refer to <https://caddyserver.com/docs/caddyfile/options#global-options>
for details on supported values.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
example = ''
example.com {
encode gzip
log
root /srv/http
}
'';
description = ''
Additional lines of configuration appended to the automatically
generated `Caddyfile`.
'';
};
virtualHosts = mkOption {
type = with types; attrsOf (submodule (import ./vhost-options.nix {inherit cfg;}));
default = {};
example = literalExpression ''
{
"hydra.example.com" = {
serverAliases = [ "www.hydra.example.com" ];
extraConfig = '''
encode gzip
root * /srv/http
''';
};
};
'';
description = ''
Declarative specification of virtual hosts served by Caddy.
'';
};
acmeCA = mkOption {
default = null;
example = "https://acme-v02.api.letsencrypt.org/directory";
type = with types; nullOr str;
description = ''
::: {.note}
Sets the [`acme_ca` option](https://caddyserver.com/docs/caddyfile/options#acme-ca)
in the global options block of the resulting Caddyfile.
:::
The URL to the ACME CA's directory. It is strongly recommended to set
this to `https://acme-staging-v02.api.letsencrypt.org/directory` for
Let's Encrypt's [staging endpoint](https://letsencrypt.org/docs/staging-environment/)
while testing or in development.
Value `null` should be prefered for production setups,
as it omits the `acme_ca` option to enable
[automatic issuer fallback](https://caddyserver.com/docs/automatic-https#issuer-fallback).
'';
};
email = mkOption {
default = null;
type = with types; nullOr str;
description = ''
Your email address. Mainly used when creating an ACME account with your
CA, and is highly recommended in case there are problems with your
certificates.
'';
};
enableReload = mkOption {
default = true;
type = types.bool;
description = ''
Reload Caddy instead of restarting it when configuration file changes.
Note that enabling this option requires the [admin API](https://caddyserver.com/docs/caddyfile/options#admin)
to not be turned off.
If you enable this option, consider setting [`grace_period`](https://caddyserver.com/docs/caddyfile/options#grace-period)
to a non-infinite value in {option}`services.caddy.globalConfig`
to prevent Caddy waiting for active connections to finish,
which could delay the reload essentially indefinitely.
'';
};
settings = mkOption {
type = settingsFormat.type;
default = {};
description = ''
Structured configuration for Caddy to generate a Caddy JSON configuration file.
See <https://caddyserver.com/docs/json/> for available options.
::: {.warning}
Using a [Caddyfile](https://caddyserver.com/docs/caddyfile) instead of a JSON config is highly recommended by upstream.
There are only very few exception to this.
Please use a Caddyfile via {option}`services.caddy.configFile`, {option}`services.caddy.virtualHosts` or
{option}`services.caddy.extraConfig` with {option}`services.caddy.globalConfig` instead.
:::
::: {.note}
Takes presence over most `services.caddy.*` options, such as {option}`services.caddy.configFile` and {option}`services.caddy.virtualHosts`, if specified.
:::
'';
};
environmentFile = mkOption {
type = with types; nullOr path;
default = null;
example = "/run/secrets/caddy.env";
description = ''
Environment file as defined in {manpage}`systemd.exec(5)`.
You can use environment variables to pass secrets to the service without adding
them to the world-redable nix store.
```
# in configuration.nix
services.caddy.environmentFile = "/run/secrets/caddy.env";
services.caddy.globalConfig = '''
{
acme_ca https://acme.zerossl.com/v2/DV90
acme_eab {
key_id {$EAB_KEY_ID}
mac_key {$EAB_MAC_KEY}
}
}
''';
```
```
# in /run/secrets/caddy.env
EAB_KEY_ID=secret
EAB_MAC_KEY=secret
```
Find more examples
[here](https://caddyserver.com/docs/caddyfile/concepts#environment-variables)
'';
};
};
# implementation
config = mkIf cfg.enable {
assertions =
[
{
assertion = cfg.configFile == configFile -> cfg.adapter == "caddyfile" || cfg.adapter == null;
message = "To specify an adapter other than 'caddyfile' please provide your own configuration via `services.caddy.configFile`";
}
]
++ map (
name:
mkCertOwnershipAssertion {
cert = config.security.acme.certs.${name};
groups = config.users.groups;
services = [config.systemd.services.caddy];
}
)
vhostCertNames;
services.caddy.globalConfig = ''
${optionalString (cfg.email != null) "email ${cfg.email}"}
${optionalString (cfg.acmeCA != null) "acme_ca ${cfg.acmeCA}"}
log {
${cfg.logFormat}
}
'';
# https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
boot.kernel.sysctl."net.core.rmem_max" = mkDefault 2500000;
boot.kernel.sysctl."net.core.wmem_max" = mkDefault 2500000;
systemd.packages = [cfg.package];
systemd.services.caddy = {
wants = map (certName: "acme-finished-${certName}.target") vhostCertNames;
after =
map (certName: "acme-selfsigned-${certName}.service") vhostCertNames
++ map (certName: "acme-${certName}.service") independentCertNames; # avoid loading self-signed key w/ real cert, or vice-versa
before = map (certName: "acme-${certName}.service") dependentCertNames;
wantedBy = ["multi-user.target"];
startLimitIntervalSec = 14400;
startLimitBurst = 10;
reloadTriggers = optional cfg.enableReload cfg.configFile;
restartTriggers = optional (!cfg.enableReload) cfg.configFile;
serviceConfig = let
runOptions = ''--config ${configPath} ${
optionalString (cfg.adapter != null) "--adapter ${cfg.adapter}"
}'';
in {
# Override the `ExecStart` line from upstream's systemd unit file by our own:
# https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart=
# If the empty string is assigned to this option, the list of commands to start is reset, prior assignments of this option will have no effect.
ExecStart = [
""
''${lib.getExe cfg.package} run ${runOptions} ${optionalString cfg.resume "--resume"}''
];
# Validating the configuration before applying it ensures well get a proper error that will be reported when switching to the configuration
ExecReload =
[
""
]
++ lib.optional cfg.enableReload "${lib.getExe cfg.package} reload ${runOptions} --force";
User = cfg.user;
Group = cfg.group;
ReadWritePaths = [cfg.dataDir];
StateDirectory = mkIf (cfg.dataDir == "/var/lib/caddy") ["caddy"];
LogsDirectory = mkIf (cfg.logDir == "/var/log/caddy") ["caddy"];
Restart = "on-failure";
RestartPreventExitStatus = 1;
RestartSec = "5s";
EnvironmentFile = optional (cfg.environmentFile != null) cfg.environmentFile;
# TODO: attempt to upstream these options
NoNewPrivileges = true;
PrivateDevices = true;
ProtectHome = true;
};
};
users.users = optionalAttrs (cfg.user == "caddy") {
caddy = {
group = cfg.group;
uid = config.ids.uids.caddy;
home = cfg.dataDir;
};
};
users.groups = optionalAttrs (cfg.group == "caddy") {
caddy.gid = config.ids.gids.caddy;
};
security.acme.certs = let
certCfg =
map (
certName:
nameValuePair certName {
group = mkDefault cfg.group;
reloadServices = ["caddy.service"];
}
)
vhostCertNames;
in
listToAttrs certCfg;
environment.etc.${etcConfigFile}.source = cfg.configFile;
};
}

83
modules/nixos/caddy/vhost-options.nix
View File

@@ -1,83 +0,0 @@
{cfg}: {
config,
lib,
name,
...
}: let
inherit (lib) literalExpression mkOption types;
in {
options = {
hostName = mkOption {
type = types.str;
default = name;
description = "Canonical hostname for the server.";
};
serverAliases = mkOption {
type = with types; listOf str;
default = [];
example = [
"www.example.org"
"example.org"
];
description = ''
Additional names of virtual hosts served by this virtual host configuration.
'';
};
listenAddresses = mkOption {
type = with types; listOf str;
description = ''
A list of host interfaces to bind to for this virtual host.
'';
default = [];
example = [
"127.0.0.1"
"::1"
];
};
useACMEHost = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
A host of an existing Let's Encrypt certificate to use.
This is mostly useful if you use DNS challenges but Caddy does not
currently support your provider.
*Note that this option does not create any certificates, nor
does it add subdomains to existing ones you will need to create them
manually using [](#opt-security.acme.certs).*
'';
};
logFormat = mkOption {
type = types.lines;
default = ''
output file ${cfg.logDir}/access-${lib.replaceStrings ["/" " "] ["_" "_"] config.hostName}.log
'';
defaultText = ''
output file ''${config.services.caddy.logDir}/access-''${hostName}.log
'';
example = literalExpression ''
mkForce '''
output discard
''';
'';
description = ''
Configuration for HTTP request logging (also known as access logs). See
<https://caddyserver.com/docs/caddyfile/directives/log#log>
for details.
'';
};
extraConfig = mkOption {
type = types.lines;
default = "";
description = ''
Additional lines of configuration appended to this virtual host in the
automatically generated `Caddyfile`.
'';
};
};
}

50
modules/nixos/substituters.nix Normal file
View File

@@ -0,0 +1,50 @@
{
config,
lib,
...
}:
with lib; let
cfg = config.nix.substituters;
in {
options.nix.substituters = {
enableCuda = mkOption {
type = types.bool;
default = false;
description = "Enable NixOS CUDA cache";
};
enableLlamaCpp = mkOption {
type = types.bool;
default = false;
description = "Enable llama-cpp cache";
};
};
config = {
nix.settings = {
trusted-substituters =
[
"https://nix-community.cachix.org"
"https://nixos-raspberrypi.cachix.org"
]
++ optionals cfg.enableLlamaCpp [
"https://llama-cpp.cachix.org"
]
++ optionals cfg.enableCuda [
"https://cache.nixos-cuda.org"
];
trusted-public-keys =
[
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI="
]
++ optionals cfg.enableLlamaCpp [
"llama-cpp.cachix.org-1:H75X+w83wUKTIPSO1KWy9ADUrzThyGs8P5tmAbkWhQc="
]
++ optionals cfg.enableCuda [
"cache.nixos-cuda.org:74DUi4Ye579gUqzH4ziL9IyiJBlDpMRn9MBN8oNan9M="
];
};
};
}

73
neovim/default.nix
View File

@@ -20,6 +20,7 @@
}; };
in { in {
opts = { opts = {
autoread = true;
completeopt = "menu,menuone,popup,noselect"; completeopt = "menu,menuone,popup,noselect";
expandtab = true; expandtab = true;
foldenable = true; foldenable = true;
@@ -106,7 +107,7 @@ in {
"<C-q>x" = "[[<cmd>tabclose<cr>]]"; "<C-q>x" = "[[<cmd>tabclose<cr>]]";
"<C-q>n" = "[[<cmd>tabnext<cr>]]"; "<C-q>n" = "[[<cmd>tabnext<cr>]]";
"<C-q>p" = "[[<cmd>tabprevious<cr>]]"; "<C-q>p" = "[[<cmd>tabprevious<cr>]]";
"<c-.>" = "require('sidekick.cli').toggle"; "<C-.>" = "require('opencode').toggle";
}; };
terminal = { terminal = {
"<C-\\>" = "require('FTerm').toggle"; "<C-\\>" = "require('FTerm').toggle";
@@ -177,16 +178,19 @@ in {
trouble.enable = true; trouble.enable = true;
ts-context-commentstring.enable = true; ts-context-commentstring.enable = true;
which-key.enable = true; which-key.enable = true;
opencode = {
sidekick = {
enable = true; enable = true;
settings = {
nes = {
enabled = false;
};
};
}; };
# sidekick = {
# enable = true;
# settings = {
# nes = {
# enabled = false;
# };
# };
# };
conform-nvim = { conform-nvim = {
enable = true; enable = true;
settings = { settings = {
@@ -358,17 +362,17 @@ in {
}; };
}; };
folding.enable = true; folding.enable = true;
grammarPackages = # grammarPackages =
(with pkgs.tree-sitter-grammars; [ # (with pkgs.tree-sitter-grammars; [
tree-sitter-norg # tree-sitter-norg
tree-sitter-norg-meta # tree-sitter-norg-meta
tree-sitter-just # tree-sitter-just
tree-sitter-nu # tree-sitter-nu
tree-sitter-pest # tree-sitter-pest
tree-sitter-slint # tree-sitter-slint
]) # ])
++ pkgs.vimPlugins.nvim-treesitter.allGrammars; # ++ pkgs.vimPlugins.nvim-treesitter.allGrammars;
nixGrammars = true; # nixGrammars = true;
}; };
telescope = { telescope = {
@@ -616,6 +620,21 @@ in {
}; };
sources = { sources = {
cmdline = []; cmdline = [];
# default =
# rawLua
# /*
# lua
# */
# ''
# function(ctx)
# local success, node = pcall(vim.treesitter.get_node)
# if success and node and vim.tbl_contains({ 'comment', 'line_comment', 'block_comment' }, node:type()) then
# return { 'buffer' }
# else
# return { 'git', 'lsp', 'path', 'snippets', 'buffer', 'dictionary', 'ripgrep', 'tmux' }
# end
# end
# '';
default = [ default = [
"git" "git"
"lsp" "lsp"
@@ -624,6 +643,7 @@ in {
"path" "path"
"buffer" "buffer"
"ripgrep" "ripgrep"
# "tmux"
]; ];
providers = { providers = {
buffer = { buffer = {
@@ -635,23 +655,30 @@ in {
path = {}; path = {};
dictionary = { dictionary = {
module = "blink-cmp-dictionary"; module = "blink-cmp-dictionary";
name = "Dict"; name = "dict";
min_keyword_length = 3; min_keyword_length = 3;
opts = { opts = {
}; };
}; };
git = { git = {
module = "blink-cmp-git"; module = "blink-cmp-git";
name = "Git"; name = "git";
opts = { opts = {
# -- options for the blink-cmp-git # -- options for the blink-cmp-git
}; };
}; };
ripgrep = { ripgrep = {
module = "blink-ripgrep"; module = "blink-ripgrep";
name = "Ripgrep"; name = "ripgrep";
opts = {}; opts = {};
}; };
# tmux = {
# module = "blink-cmp-tmux";
# name = "tmux";
# opts = {
# triggered_only = false;
# };
# };
}; };
}; };
}; };
@@ -661,6 +688,7 @@ in {
blink-cmp-dictionary.enable = true; blink-cmp-dictionary.enable = true;
blink-cmp-copilot.enable = true; blink-cmp-copilot.enable = true;
blink-cmp-spell.enable = true; blink-cmp-spell.enable = true;
blink-cmp-tmux.enable = true;
blink-compat = { blink-compat = {
enable = true; enable = true;
settings.impersonate_nvim_cmp = true; settings.impersonate_nvim_cmp = true;
@@ -857,5 +885,6 @@ in {
pkgs.lua pkgs.lua
pkgs.ripgrep pkgs.ripgrep
pkgs.nodejs-slim pkgs.nodejs-slim
pkgs.lsof
]; ];
} }

1
nixos/documentation.nix
View File

@@ -4,4 +4,5 @@
documentation.dev.enable = true; documentation.dev.enable = true;
documentation.doc.enable = true; documentation.doc.enable = true;
documentation.nixos.enable = true; documentation.nixos.enable = true;
documentation.man.generateCaches = true;
} }

6
nixos/ryu/apps/default.nix
View File

@@ -7,5 +7,11 @@
# ./alvr.nix # ./alvr.nix
./easyeffects.nix ./easyeffects.nix
./vr.nix ./vr.nix
./helvum.nix
# ./wine.nix
# ./virt.nix
./gparted.nix
./nvtop.nix
# ./qpwgraph.nix
]; ];
} }

3
nixos/ryu/apps/gparted.nix Normal file
View File

@@ -0,0 +1,3 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [gparted];
}

3
nixos/ryu/apps/helvum.nix Normal file
View File

@@ -0,0 +1,3 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [helvum];
}

3
nixos/ryu/apps/nvtop.nix Normal file
View File

@@ -0,0 +1,3 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [nvtopPackages.nvidia];
}

3
nixos/ryu/apps/qpwgraph.nix Normal file
View File

@@ -0,0 +1,3 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [qpwgraph];
}

6
nixos/ryu/apps/virt.nix Normal file
View File

@@ -0,0 +1,6 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
virt-manager
quickemu
];
}

7
nixos/ryu/apps/wine.nix Normal file
View File

@@ -0,0 +1,7 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
wine-wayland
winetricks
wineWowPackages.waylandFull
];
}

86
nixos/ryu/configuration.nix
View File

@@ -2,6 +2,7 @@
pkgs, pkgs,
lib, lib,
device, device,
config,
... ...
}: { }: {
imports = [ imports = [
@@ -12,6 +13,7 @@
./apps ./apps
./vms ./vms
./games ./games
../../modules/nixos/substituters.nix
]; ];
security.tpm2 = { security.tpm2 = {
@@ -46,18 +48,7 @@
auto-optimise-store = true; auto-optimise-store = true;
extra-experimental-features = "nix-command flakes auto-allocate-uids"; extra-experimental-features = "nix-command flakes auto-allocate-uids";
trusted-users = [device.user]; trusted-users = [device.user];
trusted-substituters = [ extra-sandbox-paths = [config.programs.ccache.cacheDir];
"https://nix-community.cachix.org"
"https://nixos-raspberrypi.cachix.org"
"https://llama-cpp.cachix.org"
"https://cuda-maintainers.cachix.org"
];
trusted-public-keys = [
"cuda-maintainers.cachix.org-1:0dq3bujKpuEPMCX6U4WylrUDZ9JyUG0VpVZa7CNfq5E="
"llama-cpp.cachix.org-1:H75X+w83wUKTIPSO1KWy9ADUrzThyGs8P5tmAbkWhQc="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI="
];
}; };
extraOptions = '' extraOptions = ''
build-users-group = nixbld build-users-group = nixbld
@@ -76,12 +67,17 @@
# ../../builders/tsuba.nix # ../../builders/tsuba.nix
]; ];
distributedBuilds = true; distributedBuilds = true;
# Enable CUDA and llama-cpp caches
substituters = {
enableCuda = true;
enableLlamaCpp = true;
};
}; };
users.users.${device.user} = { users.users.${device.user} = {
uid = device.uid; uid = device.uid;
isNormalUser = true; isNormalUser = true;
extraGroups = ["wheel" "audio" "i2c" "media" "video" "tss"]; extraGroups = ["wheel" "audio" "i2c" "media" "video" "tss" "plugdev"];
openssh.authorizedKeys.keyFiles = [ openssh.authorizedKeys.keyFiles = [
../../secrets/id_ed25519.pub ../../secrets/id_ed25519.pub
../../secrets/id_ios.pub ../../secrets/id_ios.pub
@@ -111,12 +107,6 @@
}; };
displayManager.gdm.enable = true; displayManager.gdm.enable = true;
# desktopManager.gnome.enable = true; # desktopManager.gnome.enable = true;
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
}; };
boot = { boot = {
@@ -169,12 +159,31 @@
Name = "Ryu"; Name = "Ryu";
Enable = "Source,Sink,Media,Socket"; Enable = "Source,Sink,Media,Socket";
ControllerMode = "dual"; ControllerMode = "dual";
FactConnectable = "true"; FactConnectable = true;
Experimental = "true"; Experimental = true;
}; };
}; };
}; };
}; };
boot.extraModprobeConfig = ''
# Keep Bluetooth coexistence disabled for better BT audio stability
options iwlwifi bt_coex_active=0
# Enable software crypto (helps BT coexistence sometimes)
options iwlwifi swcrypto=1
# Disable power saving on Wi-Fi module to reduce radio state changes that might disrupt BT
options iwlwifi power_save=0
# Disable Unscheduled Automatic Power Save Delivery (U-APSD) to improve BT audio stability
options iwlwifi uapsd_disable=1
# Disable D0i3 power state to avoid problematic power transitions
options iwlwifi d0i3_disable=1
# Set power scheme for performance (iwlmvm)
options iwlmvm power_scheme=1
'';
networking = { networking = {
interfaces.eno1.wakeOnLan = { interfaces.eno1.wakeOnLan = {
@@ -284,41 +293,6 @@
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;
fonts.fontDir.enable = true; fonts.fontDir.enable = true;
environment = { environment = {
# List packages installed in system profile. To search, run:
# $ nix search wget
systemPackages = with pkgs; [
v4l-utils
polychromatic
openrazer-daemon
cudatoolkit
# Wine
wine-wayland
winetricks
wineWowPackages.waylandFull
virt-manager
gparted
nvtopPackages.nvidia
quickemu
# (nixvim.makeNixvim (import ../../neovim))
qpwgraph
hyprland
xorg.xhost
foot
git
fish
nushell
# (pkgs.wrapFirefox
# (pkgs.firefox-unwrapped.override {pipewireSupport = true;})
# {})
gnumake
python3
nerd-fonts.fira-code
nerd-fonts.hasklug
nerd-fonts.symbols-only
monaspace
ddcutil
];
sessionVariables = { sessionVariables = {
WLR_NO_HARDWARE_CURSORS = "1"; WLR_NO_HARDWARE_CURSORS = "1";
NIXOS_OZONE_WL = "1"; NIXOS_OZONE_WL = "1";

2
nixos/ryu/games/default.nix
View File

@@ -1,5 +1,5 @@
{...}: { {...}: {
imports = [ imports = [
./hytale.nix # ./hytale.nix
]; ];
} }

0
nixos/tako/services/games/hytale.nix → nixos/ryu/hardware/default.nix
View File

6
nixos/ryu/programs/ccache.nix Normal file
View File

@@ -0,0 +1,6 @@
{...}: {
programs.ccache = {
enable = true;
packageNames = ["ollama" "orca-slicer" "opencv" "onnxruntime" "obs-studio" "llama-cpp"];
};
}

3
nixos/ryu/programs/cuda.nix Normal file
View File

@@ -0,0 +1,3 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [cudatoolkit];
}

3
nixos/ryu/programs/ddcutil.nix Normal file
View File

@@ -0,0 +1,3 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [ddcutil];
}

12
nixos/ryu/programs/default.nix
View File

@@ -4,7 +4,7 @@
./steam.nix ./steam.nix
./1password.nix ./1password.nix
./localsend.nix ./localsend.nix
./appimage.nix # ./appimage.nix
./obs-studio.nix ./obs-studio.nix
./gnome-disks.nix ./gnome-disks.nix
./nix-ld.nix ./nix-ld.nix
@@ -12,5 +12,15 @@
./droidcam.nix ./droidcam.nix
./wireshark.nix ./wireshark.nix
./flatpak.nix ./flatpak.nix
./v4l-utils.nix
./razer.nix
./cuda.nix
./fonts.nix
./dev.nix
./shells.nix
./hyprland.nix
./foot.nix
./ddcutil.nix
./libnotify.nix
]; ];
} }

7
nixos/ryu/programs/dev.nix Normal file
View File

@@ -0,0 +1,7 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
git
gnumake
python3
];
}

8
nixos/ryu/programs/fonts.nix Normal file
View File

@@ -0,0 +1,8 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
nerd-fonts.fira-code
nerd-fonts.hasklug
nerd-fonts.symbols-only
monaspace
];
}

3
nixos/ryu/programs/foot.nix Normal file
View File

@@ -0,0 +1,3 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [foot];
}

6
nixos/ryu/programs/hyprland.nix Normal file
View File

@@ -0,0 +1,6 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
hyprland
xorg.xhost
];
}

3
nixos/ryu/programs/libnotify.nix Normal file
View File

@@ -0,0 +1,3 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [libnotify];
}

6
nixos/ryu/programs/razer.nix Normal file
View File

@@ -0,0 +1,6 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
polychromatic
openrazer-daemon
];
}

6
nixos/ryu/programs/shells.nix Normal file
View File

@@ -0,0 +1,6 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [
fish
nushell
];
}

3
nixos/ryu/programs/v4l-utils.nix Normal file
View File

@@ -0,0 +1,3 @@
{pkgs, ...}: {
environment.systemPackages = with pkgs; [v4l-utils];
}

5
nixos/ryu/services/caddy.nix
View File

@@ -14,6 +14,11 @@
services = { services = {
caddy = { caddy = {
enable = true; enable = true;
globalConfig = ''
servers {
metrics
}
'';
extraConfig = '' extraConfig = ''
(cloudflare) { (cloudflare) {
tls { tls {

27
nixos/ryu/services/command-runner.nix
View File

@@ -1,27 +0,0 @@
{
config,
lib,
pkgs,
...
}: {
# services.command-runner = {
# enable = false;
# port = 5599;
# user = "servius";
# commands = let
# hyprctl = "${pkgs.hyprland}/bin/hyprctl";
# in
# {
# "display_on" = [hyprctl "-i" "{instance}" "dispatch" "dpms" "on"];
# "display_off" = [hyprctl "-i" "{instance}" "dispatch" "dpms" "off"];
# "display_toggle" = [hyprctl "-i" "{instance}" "dispatch" "dpms" "toggle"];
# "display_status" = [hyprctl "-i" "{instance}" "-j" "monitors"];
# "hyprland_instance" = [hyprctl "-j" "instances"];
# }
# // (builtins.foldl' (acc: elem: acc // elem) {} (lib.map (name: {
# "display_on_${name}" = [hyprctl "-i" "{instance}" "dispatch" "dpms" "on" name];
# "display_off_${name}" = [hyprctl "-i" "{instance}" "dispatch" "dpms" "off" name];
# "display_toggle_${name}" = [hyprctl "-i" "{instance}" "dispatch" "dpms" "toggle" name];
# }) ["HDMI-A-1" "DP-3" "DP-1"]));
# };
}

2
nixos/ryu/services/default.nix
View File

@@ -4,7 +4,6 @@
# ./zerotier.nix # ./zerotier.nix
# ./dnscrypt.nix # ./dnscrypt.nix
./caddy.nix ./caddy.nix
./command-runner.nix
./dualsense.nix ./dualsense.nix
./fprintd.nix ./fprintd.nix
./fwupd.nix ./fwupd.nix
@@ -22,5 +21,6 @@
# ./sunshine.nix # ./sunshine.nix
./tailscale.nix ./tailscale.nix
./wivrn.nix ./wivrn.nix
./pipewire.nix
]; ];
} }

54
nixos/ryu/services/monitoring.nix
View File

@@ -1,11 +1,28 @@
{...}: { {pkgs, ...}: let
# Port configurations
ports = {
# System exporters
node = 9100;
systemd = 9558;
process = 9256;
nvidiagpu = 9835;
# Infrastructure exporters
cadvisor = 8080;
caddy = 2019;
};
in {
services = { services = {
prometheus = { prometheus = {
exporters = { exporters = {
systemd = { systemd = {
enable = true; enable = true;
port = ports.systemd;
};
nvidia-gpu = {
enable = true;
port = ports.nvidiagpu;
}; };
nvidia-gpu.enable = true;
node = { node = {
enable = true; enable = true;
enabledCollectors = [ enabledCollectors = [
@@ -19,7 +36,10 @@
"time" "time"
"uname" "uname"
"vmstat" "vmstat"
"diskstats"
"cpu"
]; ];
port = ports.node;
}; };
process = { process = {
enable = true; enable = true;
@@ -33,4 +53,34 @@
}; };
}; };
}; };
# Docker cAdvisor for container metrics
# virtualisation.oci-containers.containers.cadvisor = {
# image = "gcr.io/cadvisor/cadvisor:v0.49.1";
# ports = ["${toString ports.cadvisor}:8080"];
# volumes = [
# "/:/rootfs:ro"
# "/var/run:/var/run:ro"
# "/sys:/sys:ro"
# "/var/lib/docker/:/var/lib/docker:ro"
# "/dev/disk/:/dev/disk:ro"
# ];
# extraOptions = [
# "--privileged"
# "--device=/dev/kmsg"
# ];
# };
# Open firewall ports for Prometheus exporters
networking.firewall = {
# Allow from Tailscale network
interfaces."tailscale0".allowedTCPPorts = [
ports.node
ports.systemd
ports.process
ports.nvidiagpu
ports.cadvisor
ports.caddy
];
};
} }

19
nixos/ryu/services/pipewire.nix Normal file
View File

@@ -0,0 +1,19 @@
{...}: {
services.pipewire = {
enable = true;
audio.enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
extraConfig = {
pipewire = {
"10-clock-rate" = {
"context.properties" = {
"default.clock.quantum" = 32;
"default.clock.allowed-rates" = [44100 48000 88200 96000];
};
};
};
};
};
}

12
nixos/ryu/services/resolved.nix
View File

@@ -2,10 +2,14 @@
# Disable all the dns stuff in favour of tailscale's DNS # Disable all the dns stuff in favour of tailscale's DNS
services.resolved = { services.resolved = {
enable = true; enable = true;
dnssec = "true"; settings = {
dnsovertls = "true"; Resolve = {
domains = ["lemur-newton.ts.net"]; DNSSEC = "true";
fallbackDns = []; DNSoverTLS = "true";
Domains = ["lemur-newton.ts.net"];
FallbackDNS = [];
};
};
}; };
networking.nameservers = []; networking.nameservers = [];
} }

15
nixos/tako/configuration.nix
View File

@@ -9,6 +9,7 @@
./services ./services
./tako.nix ./tako.nix
# ./docker.nix # ./docker.nix
../../modules/nixos/substituters.nix
]; ];
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
@@ -35,7 +36,6 @@
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true; boot.loader.efi.canTouchEfiVariables = true;
nix = { nix = {
settings = { settings = {
max-jobs = 1; max-jobs = 1;
@@ -43,16 +43,6 @@
auto-optimise-store = true; auto-optimise-store = true;
extra-experimental-features = "nix-command flakes auto-allocate-uids"; extra-experimental-features = "nix-command flakes auto-allocate-uids";
trusted-users = [device.user "remotebuilder"]; trusted-users = [device.user "remotebuilder"];
trusted-substituters = [
"https://nix-community.cachix.org"
"https://nixos-raspberrypi.cachix.org"
# "https://sh.darksailor.dev"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI="
# "tako:bcVPoFGBZ0i7JAKMXIqLj2GY3CulLC4kP7rQyqes1RM="
];
}; };
extraOptions = '' extraOptions = ''
build-users-group = nixbld build-users-group = nixbld
@@ -67,6 +57,9 @@
}; };
package = pkgs.nixVersions.nix_2_32; # deploy-rs doesn't work with nix >= 2.32 package = pkgs.nixVersions.nix_2_32; # deploy-rs doesn't work with nix >= 2.32
distributedBuilds = true; distributedBuilds = true;
substituters = {
enableCuda = true;
};
}; };
users.users.${device.user} = { users.users.${device.user} = {

89
nixos/tako/services/affine.nix Normal file
View File

@@ -0,0 +1,89 @@
{config, ...}: let
domain = "notes.darksailor.dev";
in {
imports = [
../../../modules/nixos/affine.nix
];
# SOPS secrets
sops = {
secrets = {
"affine/db_password" = {};
"authelia/oidc/affine/client_id" = {
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
mode = "0440";
restartUnits = ["authelia-darksailor.service"];
};
"authelia/oidc/affine/client_secret" = {
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
mode = "0440";
restartUnits = ["authelia-darksailor.service"];
};
};
templates."affine.env".content = ''
AFFINE_DB_PASSWORD=${config.sops.placeholder."affine/db_password"}
POSTGRES_PASSWORD=${config.sops.placeholder."affine/db_password"}
AFFINE_SERVER_EXTERNAL_URL=https://${domain}
'';
};
# Enable AFFiNE service
services.affine = {
enable = true;
inherit domain;
environmentFiles = [
config.sops.templates."affine.env".path
];
};
# Caddy reverse proxy with SSO forward auth
services.caddy.virtualHosts."${domain}".extraConfig = ''
reverse_proxy localhost:${toString config.services.affine.port}
'';
# Authelia access control rules
services.authelia.instances.darksailor.settings = {
access_control.rules = [
{
inherit domain;
policy = "bypass";
resources = [
"^/api/(sync|awareness)([/?].*)?$"
"^/socket\\.io([/?].*)?$"
];
}
{
inherit domain;
policy = "one_factor";
}
];
# OIDC client for AFFiNE
identity_providers.oidc.clients = [
{
client_name = "AFFiNE: Darksailor";
client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/affine/client_id".path}" }}'';
client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/affine/client_secret".path}" }}'';
public = false;
authorization_policy = "one_factor";
require_pkce = false;
redirect_uris = [
"https://${domain}/oauth/callback"
];
scopes = [
"openid"
"email"
"profile"
];
response_types = ["code"];
grant_types = ["authorization_code"];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
};
# Ensure containers start after secrets are available
systemd.services.docker-affine.after = ["sops-install-secrets.service"];
systemd.services.docker-affine-migration.after = ["sops-install-secrets.service"];
systemd.services.docker-affine-postgres.after = ["sops-install-secrets.service"];
}

21
nixos/tako/services/attic.nix
View File

@@ -1,16 +1,21 @@
{...}: { {config, ...}: let
address = "127.0.0.1:8052";
in {
sops = {
secrets."attic/jwt_secret" = {};
templates."attic.env".content = ''
ATTIC_SERVER_TOKEN_RS256_SECRET_BASE64=${config.sops.placeholder."attic/jwt_secret"}
'';
};
services = { services = {
atticd = { atticd = {
enable = false; enable = true;
listen = "/run/attic.sock"; settings.listen = address;
environmentFile = config.sops.templates."attic.env".path;
}; };
caddy = { caddy = {
virtualHosts."cache.darksailor.dev".extraConfig = '' virtualHosts."cache.darksailor.dev".extraConfig = ''
reverse_proxy /run/attic.sock { reverse_proxy ${address}
transport http {
protocol = "fd"
}
}
''; '';
}; };
}; };

5
nixos/tako/services/caddy.nix
View File

@@ -2,6 +2,11 @@
services = { services = {
caddy = { caddy = {
enable = true; enable = true;
globalConfig = ''
servers {
metrics
}
'';
extraConfig = '' extraConfig = ''
(auth) { (auth) {
forward_auth localhost:5555 { forward_auth localhost:5555 {

30
nixos/tako/services/default.nix
View File

@@ -1,29 +1,33 @@
{...}: { {...}: {
imports = [ imports = [
./games
# ./headscale.nix
./llms.nix
# ./monitoring.nix
# ./paperless.nix
./navidrome.nix
./shitpost.nix
./atuin.nix ./atuin.nix
./authelia.nix ./authelia.nix
./caddy.nix ./caddy.nix
./excalidraw.nix
./fail2ban.nix ./fail2ban.nix
./flaresolverr.nix
./gitea.nix
./homepage.nix ./homepage.nix
./immich.nix
./lldap.nix ./lldap.nix
./navidrome.nix
./nextcloud.nix ./nextcloud.nix
./openssh.nix ./openssh.nix
./prowlarr.nix
./resolved.nix ./resolved.nix
./searxng.nix
./tailscale.nix ./tailscale.nix
./gitea.nix
./affine.nix
./attic.nix
./excalidraw.nix
./flaresolverr.nix
# ./games
# ./headscale.nix
./immich.nix
./kellnr.nix ./kellnr.nix
# ./llms.nix
./matrix
# ./monitoring.nix
# ./paperless.nix
./prowlarr.nix
# ./searxng.nix
# ./shitpost.nix
]; ];
services = { services = {
nix-serve = { nix-serve = {

97
nixos/tako/services/excalidraw.nix
View File

@@ -1,29 +1,90 @@
{...}: { {config, ...}: let
dataDir = "/var/lib/excalidraw";
base_domain = "darksailor.dev";
in {
# SOPS secrets and templates
sops = {
secrets = {
"excalidraw/jwt_secret" = {};
"authelia/oidc/excalidraw/client_id" = {
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
mode = "0440";
restartUnits = ["authelia-darksailor.service"];
};
"authelia/oidc/excalidraw/client_secret" = {
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
mode = "0440";
restartUnits = ["authelia-darksailor.service"];
};
};
templates."excalidraw.env".content = ''
OIDC_ISSUER_URL=https://auth.${base_domain}
OIDC_CLIENT_ID=${config.sops.placeholder."authelia/oidc/excalidraw/client_id"}
OIDC_CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/excalidraw/client_secret"}
OIDC_REDIRECT_URL=https://draw.${base_domain}/auth/callback
JWT_SECRET=${config.sops.placeholder."excalidraw/jwt_secret"}
STORAGE_TYPE=sqlite
DATA_SOURCE_NAME=excalidraw.db
LOCAL_STORAGE_PATH=/root/data
'';
};
# Create data directory and initialize SQLite DB
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 root root -"
"d ${dataDir}/data 0755 root root -"
"f ${dataDir}/excalidraw.db 0644 root root -"
];
virtualisation.oci-containers = { virtualisation.oci-containers = {
backend = "docker"; backend = "docker";
containers = { containers = {
# Excalidraw Full backend
excalidraw = { excalidraw = {
image = "excalidraw/excalidraw:latest"; image = "ghcr.io/betterandbetterii/excalidraw-full:latest";
ports = ["127.0.0.1:5959:80"]; ports = ["127.0.0.1:3002:3002"];
volumes = []; environmentFiles = [
config.sops.templates."excalidraw.env".path
];
volumes = [
"${dataDir}/data:/root/data"
"${dataDir}/excalidraw.db:/root/excalidraw.db"
];
}; };
}; };
}; };
services.caddy.virtualHosts."draw.darksailor.dev".extraConfig = ''
import auth # Caddy reverse proxy
reverse_proxy localhost:5959 services.caddy.virtualHosts."draw.${base_domain}".extraConfig = ''
reverse_proxy localhost:3002
''; '';
services.authelia = {
instances.darksailor = { # Configure Authelia OIDC for Excalidraw
settings = { services.authelia.instances.darksailor.settings = {
access_control = { identity_providers = {
rules = [ oidc = {
{ clients = [
domain = "draw.darksailor.dev"; {
policy = "one_factor"; client_name = "Excalidraw: Darksailor";
} client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/excalidraw/client_id".path}" }}'';
]; client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/excalidraw/client_secret".path}" }}'';
}; public = false;
authorization_policy = "one_factor";
require_pkce = false;
redirect_uris = [
"https://draw.${base_domain}/auth/callback"
];
scopes = [
"openid"
"email"
"profile"
];
response_types = ["code"];
grant_types = ["authorization_code"];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
}; };
}; };
}; };

1
nixos/tako/services/fail2ban.nix
View File

@@ -16,6 +16,7 @@
ignoreIP = [ ignoreIP = [
"106.219.121.52" "106.219.121.52"
"106.219.122.125" "106.219.122.125"
"106.219.122.221"
]; ];
}; };
}; };

2
nixos/tako/services/games/default.nix
View File

@@ -2,7 +2,7 @@
imports = [ imports = [
# ./minecraft.nix # ./minecraft.nix
# ./satisfactory.nix # ./satisfactory.nix
./terraria.nix # ./terraria.nix
]; ];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [

36
nixos/tako/services/gitea.nix
View File

@@ -63,6 +63,10 @@
# LFS_START_SERVER = true; # LFS_START_SERVER = true;
LFS_ALLOW_PURE_SSH = true; LFS_ALLOW_PURE_SSH = true;
}; };
metrics = {
ENABLED = true;
TOKEN = "";
};
oauth2_client = { oauth2_client = {
ENABLE_AUTO_REGISTRATION = true; ENABLE_AUTO_REGISTRATION = true;
ACCOUNT_LINKING = "auto"; ACCOUNT_LINKING = "auto";
@@ -75,22 +79,22 @@
}; };
}; };
}; };
# gitea-actions-runner = { gitea-actions-runner = {
# instances = { instances = {
# tako = { tako = {
# enable = true; enable = true;
# name = "tako"; name = "tako";
# url = "https://git.darksailor.dev"; url = "https://git.darksailor.dev";
# labels = [ labels = [
# "ubuntu-latest:docker://catthehacker/ubuntu:full-latest" "ubuntu-latest:docker://catthehacker/ubuntu:full-latest"
# "ubuntu-22.04:docker://catthehacker/ubuntu:full-22.04" "ubuntu-22.04:docker://catthehacker/ubuntu:full-22.04"
# "ubuntu-20.04:docker://catthehacker/ubuntu:full-20.04" "ubuntu-20.04:docker://catthehacker/ubuntu:full-20.04"
# "native:host" "native:host"
# ]; ];
# tokenFile = "${config.sops.templates."GITEA_REGISTRATION_TOKEN.env".path}"; tokenFile = "${config.sops.templates."GITEA_REGISTRATION_TOKEN.env".path}";
# }; };
# }; };
# }; };
caddy = { caddy = {
virtualHosts."git.darksailor.dev".extraConfig = '' virtualHosts."git.darksailor.dev".extraConfig = ''
reverse_proxy localhost:3000 reverse_proxy localhost:3000

12
nixos/tako/services/headscale.nix
View File

@@ -34,12 +34,12 @@
}; };
}; };
}; };
# headplane = { headplane = {
# enable = true; enable = true;
# settings = { settings = {
# server.port = 42562; server.port = 42562;
# }; };
# }; };
caddy = { caddy = {
virtualHosts."headscale.darksailor.dev".extraConfig = '' virtualHosts."headscale.darksailor.dev".extraConfig = ''
reverse_proxy localhost:${toString config.services.headplane.settings.server.port} reverse_proxy localhost:${toString config.services.headplane.settings.server.port}

8
nixos/tako/services/homepage.nix
View File

@@ -87,6 +87,14 @@
siteMonitor = "https://git.darksailor.dev"; siteMonitor = "https://git.darksailor.dev";
}; };
} }
{
"Grafana" = {
icon = "grafana.png";
description = "Grafana Monitoring & Metrics";
href = "https://grafana.darksailor.dev";
siteMonitor = "https://grafana.darksailor.dev";
};
}
{ {
"Nextcloud" = { "Nextcloud" = {
icon = "nextcloud.png"; icon = "nextcloud.png";

7
nixos/tako/services/matrix/default.nix Normal file
View File

@@ -0,0 +1,7 @@
{...}: {
imports = [
./tuwunel.nix
# ./signal.nix // libolm deprecated
# ./discord.nix
];
}

19
nixos/tako/services/matrix/discord.nix Normal file
View File

@@ -0,0 +1,19 @@
{...}: {
services.mautrix-discord = {
enable = true;
settings = {
homeserver = {
address = "http://localhost:6167";
domain = "darksailor.dev";
};
appservice.public = {
prefix = "/public";
external = "https://matrix.darksailor.dev/public";
};
bridge.permissions = {
"darksailor.dev" = "user";
"@servius:darksailor.dev" = "admin";
};
};
};
}

5
nixos/tako/services/matrix/signal.nix Normal file
View File

@@ -0,0 +1,5 @@
{...}: {
services.mautrix-signal = {
enable = true;
};
}

193
nixos/tako/services/matrix/tuwunel.nix Normal file
View File

@@ -0,0 +1,193 @@
{
config,
pkgs,
...
}: let
port = 6167;
base_domain = "darksailor.dev";
client_id = "tuwunel";
rtc_domain = "matrix-rtc.${base_domain}";
jwt_port = 8081;
elementConfig = builtins.toJSON {
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.${base_domain}";
};
};
sso_redirect_options = {
immediate = false;
on_welcome_page = true;
on_login_page = true;
};
};
elementConfigFile = pkgs.writeText "element-config.json" elementConfig;
in {
sops = {
secrets."tuwunel/client_id" = {
owner = config.services.matrix-tuwunel.user;
group = config.systemd.services.authelia-darksailor.serviceConfig.Group;
mode = "0440";
};
secrets."tuwunel/client_secret" = {
owner = config.services.matrix-tuwunel.user;
group = config.systemd.services.authelia-darksailor.serviceConfig.Group;
mode = "0440";
};
secrets."tuwunel/registration_token".owner = config.services.matrix-tuwunel.user;
secrets."livekit/key_name" = {};
secrets."livekit/key_secret" = {};
templates."livekit-keys".content = ''
${config.sops.placeholder."livekit/key_name"}: ${config.sops.placeholder."livekit/key_secret"}
'';
};
services.matrix-tuwunel = {
enable = true;
settings.global = {
server_name = "${base_domain}";
address = ["127.0.0.1"];
port = [port];
allow_registration = true;
registration_token_file = config.sops.secrets."tuwunel/registration_token".path;
single_sso = true;
identity_provider = [
{
inherit client_id;
brand = "Authelia";
name = "Authelia";
default = true;
issuer_url = "https://auth.${base_domain}";
client_secret_file = config.sops.secrets."tuwunel/client_secret".path;
callback_url = "https://matrix.${base_domain}/_matrix/client/unstable/login/sso/callback/${client_id}";
}
];
well_known = {
client = "https://matrix.${base_domain}";
server = "matrix.${base_domain}:443";
rtc_transports = [
{
type = "livekit";
livekit_service_url = "https://${rtc_domain}";
}
];
};
};
package = pkgs.matrix-tuwunel;
};
services.caddy.virtualHosts = {
"matrix.${base_domain}".extraConfig = ''
reverse_proxy /_matrix/* localhost:${toString port}
handle_path /config.json {
file_server
root ${elementConfigFile}
}
root * ${pkgs.element-web}
file_server
'';
"${base_domain}".extraConfig = ''
reverse_proxy /.well-known/* localhost:${toString port}
'';
"${rtc_domain}".extraConfig = ''
@jwt_service {
path /sfu/get* /healthz*
}
handle @jwt_service {
reverse_proxy localhost:${toString jwt_port}
}
handle {
reverse_proxy localhost:${toString config.services.livekit.settings.port} {
header_up Connection "upgrade"
header_up Upgrade {http.request.header.Upgrade}
}
}
'';
};
networking.firewall = {
allowedTCPPorts = [8448 7881];
allowedUDPPorts = [3478];
allowedUDPPortRanges = [
{
from = 50300;
to = 65535;
}
];
};
users.users.${config.services.caddy.user}.extraGroups = [config.services.matrix-tuwunel.group];
services.livekit = {
enable = true;
keyFile = config.sops.templates."livekit-keys".path;
openFirewall = true;
settings = {
rtc = {
tcp_port = 7881;
port_range_start = 50100;
port_range_end = 50200;
use_external_ip = true;
enable_loopback_candidate = false;
};
turn = {
enabled = true;
udp_port = 3478;
relay_range_start = 50300;
relay_range_end = 65535;
domain = rtc_domain;
};
};
};
services.lk-jwt-service = {
enable = true;
port = jwt_port;
livekitUrl = "wss://${rtc_domain}";
keyFile = config.sops.templates."livekit-keys".path;
};
services = {
authelia = {
instances.darksailor = {
settings = {
identity_providers = {
oidc = {
claims_policies = {
tuwunel = {
id_token = [
"email"
"name"
"groups"
"preferred_username"
];
};
};
clients = [
{
inherit client_id;
client_name = "Matrix: Darksailor";
client_secret = ''{{ secret "${config.sops.secrets."tuwunel/client_secret".path}" }}'';
public = false;
authorization_policy = "one_factor";
require_pkce = false;
# pkce_challenge_method = "S256";
redirect_uris = [
"https://matrix.${base_domain}/_matrix/client/unstable/login/sso/callback/${client_id}"
];
scopes = [
"openid"
"groups"
"email"
"profile"
];
response_types = ["code"];
response_modes = ["form_post"];
grant_types = ["refresh_token" "authorization_code"];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
};
};
};
};
};
};
}

483
nixos/tako/services/monitoring.nix Normal file
View File

@@ -0,0 +1,483 @@
{
config,
pkgs,
lib,
...
}: let
# Port configurations
ports = {
grafana = 3001; # Changed from 3000 to avoid clash with Gitea
prometheus = 9090;
# System exporters
node = 9100;
systemd = 9558;
process = 9256;
# Infrastructure exporters
postgres = 9187;
redis = 9121;
cadvisor = 8080;
# Application exporters
caddy = 2019;
};
in {
# Grafana configuration with Authelia integration
services.grafana = {
enable = true;
settings = {
server = {
http_addr = "127.0.0.1";
http_port = ports.grafana;
domain = "grafana.darksailor.dev";
root_url = "https://grafana.darksailor.dev";
};
# Disable Grafana's own auth since we use Authelia
auth.disable_login_form = true;
"auth.basic".enabled = false;
"auth.anonymous".enabled = false;
"auth.proxy" = {
enabled = true;
header_name = "REMOTE-USER";
header_property = "username";
auto_sign_up = true;
};
users = {
allow_sign_up = false;
auto_assign_org = true;
auto_assign_org_role = "Admin";
};
security = {
disable_gravatar = true;
cookie_secure = true;
};
analytics = {
reporting_enabled = false;
check_for_updates = false;
};
};
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://localhost:${toString ports.prometheus}";
isDefault = true;
jsonData = {
timeInterval = "30s";
};
}
];
# Provision popular community dashboards
dashboards = {
settings = {
apiVersion = 1;
providers = [
{
name = "default";
orgId = 1;
folder = "";
type = "file";
disableDeletion = false;
updateIntervalSeconds = 10;
allowUiUpdates = true;
options.path = "/var/lib/grafana/dashboards";
}
];
};
};
};
};
# Caddy virtual host for Grafana with Authelia
services.caddy.virtualHosts."grafana.darksailor.dev".extraConfig = ''
import auth
reverse_proxy localhost:${toString ports.grafana}
'';
# Central Prometheus server
services.prometheus = {
enable = true;
port = ports.prometheus;
# Retention settings (90 days)
retentionTime = "90d";
# Global scrape config
globalConfig = {
scrape_interval = "30s";
evaluation_interval = "30s";
};
# System exporters for tako
exporters = {
node = {
enable = true;
port = ports.node;
enabledCollectors = [
"systemd"
"textfile"
"filesystem"
"loadavg"
"meminfo"
"netdev"
"netstat"
"stat"
"time"
"uname"
"vmstat"
"diskstats"
"cpu"
];
};
systemd = {
enable = true;
port = ports.systemd;
};
process = {
enable = true;
settings.process_names = [
{
name = "{{.Comm}}";
cmdline = [".*"];
}
];
};
postgres = {
enable = true;
port = ports.postgres;
runAsLocalSuperUser = true;
};
redis = {
enable = true;
port = ports.redis;
};
};
# Scrape configurations for all targets
scrapeConfigs = [
# System metrics - tako (local)
{
job_name = "tako-system";
static_configs = [
{
targets = [
"localhost:${toString ports.node}"
"localhost:${toString ports.systemd}"
"localhost:${toString ports.process}"
];
labels = {
instance = "tako";
machine = "tako";
role = "server";
};
}
];
}
# Infrastructure - tako
{
job_name = "tako-infrastructure";
static_configs = [
{
targets = [
"localhost:${toString ports.postgres}"
"localhost:${toString ports.redis}"
"localhost:${toString ports.cadvisor}"
];
labels = {
instance = "tako";
machine = "tako";
};
}
];
}
# Caddy metrics - tako
{
job_name = "tako-caddy";
static_configs = [
{
targets = ["localhost:${toString ports.caddy}"];
labels = {
instance = "tako";
machine = "tako";
service = "caddy";
};
}
];
}
# Application metrics - tako
{
job_name = "tako-applications";
static_configs = [
{
targets = [
"localhost:3000" # gitea
"localhost:5555" # authelia (if metrics enabled)
];
labels = {
instance = "tako";
machine = "tako";
};
}
];
}
# System metrics - tsuba (remote via Tailscale)
{
job_name = "tsuba-system";
static_configs = [
{
targets = [
"tsuba:9100" # node
"tsuba:9558" # systemd
"tsuba:9256" # process
];
labels = {
instance = "tsuba";
machine = "tsuba";
role = "server";
};
}
];
}
# Infrastructure - tsuba
{
job_name = "tsuba-infrastructure";
static_configs = [
{
targets = [
"tsuba:8080" # cadvisor
"tsuba:2019" # caddy
];
labels = {
instance = "tsuba";
machine = "tsuba";
};
}
];
}
# Media services - tsuba
{
job_name = "tsuba-media";
static_configs = [
{
targets = [
"tsuba:8096" # jellyfin (built-in /metrics endpoint)
"tsuba:8123" # homeassistant (configure prometheus integration)
"tsuba:9617" # pihole-exporter
];
labels = {
instance = "tsuba";
machine = "tsuba";
};
}
];
metrics_path = "/metrics";
relabel_configs = [
{
source_labels = ["__address__"];
regex = "tsuba:8096";
target_label = "__metrics_path__";
replacement = "/metrics";
}
{
source_labels = ["__address__"];
regex = "tsuba:8123";
target_label = "__metrics_path__";
replacement = "/api/prometheus";
}
];
}
# Servarr stack - tsuba (exportarr)
{
job_name = "tsuba-servarr";
static_configs = [
{
targets = [
"tsuba:9707" # sonarr
"tsuba:9708" # radarr
"tsuba:9709" # lidarr
"tsuba:9710" # bazarr
];
labels = {
instance = "tsuba";
machine = "tsuba";
stack = "servarr";
};
}
];
}
# Deluge - tsuba
{
job_name = "tsuba-deluge";
static_configs = [
{
targets = ["tsuba:9354"];
labels = {
instance = "tsuba";
machine = "tsuba";
service = "deluge";
};
}
];
}
# System metrics - ryu (remote via Tailscale)
{
job_name = "ryu-system";
static_configs = [
{
targets = [
"ryu:9100"
"ryu:9558"
"ryu:9256"
"ryu:9835" # nvidia-gpu
];
labels = {
instance = "ryu";
machine = "ryu";
role = "desktop";
};
}
];
}
# Infrastructure - ryu
{
job_name = "ryu-infrastructure";
static_configs = [
{
targets = [
"ryu:8080" # cadvisor
"ryu:2019" # caddy
];
labels = {
instance = "ryu";
machine = "ryu";
};
}
];
}
];
};
# Docker cAdvisor for container metrics
# virtualisation.oci-containers.containers.cadvisor = {
# image = "gcr.io/cadvisor/cadvisor:v0.49.1";
# ports = ["127.0.0.1:${toString ports.cadvisor}:8080"];
# volumes = [
# "/:/rootfs:ro"
# "/var/run:/var/run:ro"
# "/sys:/sys:ro"
# "/var/lib/docker/:/var/lib/docker:ro"
# "/dev/disk/:/dev/disk:ro"
# ];
# extraOptions = [
# "--privileged"
# "--device=/dev/kmsg"
# ];
# };
# Link dashboard files from Nix store to Grafana's expected location
systemd.tmpfiles.rules = let
# Define dashboard files with proper hashes
nodeExporterFull = pkgs.fetchurl {
url = "https://grafana.com/api/dashboards/1860/revisions/37/download";
sha256 = "0qza4j8lywrj08bqbww52dgh2p2b9rkhq5p313g72i57lrlkacfl";
};
nvidiaDashboardRaw = pkgs.fetchurl {
url = "https://grafana.com/api/dashboards/14574/revisions/9/download";
sha256 = "170ijap5i99sapkxlf3k0lnvwmb6g9jkk7q66nwjwswkj2a7rqbr";
};
# Fix NVIDIA dashboard to use our Prometheus datasource
nvidiaDashboard = pkgs.runCommand "nvidia-gpu-fixed.json" {} ''
${pkgs.gnused}/bin/sed 's/\''${DS_PROMETHEUS}/Prometheus/g' ${nvidiaDashboardRaw} > $out
'';
postgresqlDashboardRaw = pkgs.fetchurl {
url = "https://grafana.com/api/dashboards/9628/revisions/7/download";
sha256 = "0xmk68kqb9b8aspjj2f8wxv2mxiqk9k3xs0yal4szmzbv65c6k66";
};
# Fix PostgreSQL dashboard to use our Prometheus datasource
postgresqlDashboard = pkgs.runCommand "postgresql-fixed.json" {} ''
${pkgs.gnused}/bin/sed 's/\''${DS_PROMETHEUS}/Prometheus/g' ${postgresqlDashboardRaw} > $out
'';
redisDashboard = pkgs.fetchurl {
url = "https://grafana.com/api/dashboards/11835/revisions/1/download";
sha256 = "15lbn4i8j5hiypl4dsg0d72jgrgjwpagkf5kcwx66gyps17jcrxx";
};
dockerDashboardRaw = pkgs.fetchurl {
url = "https://grafana.com/api/dashboards/193/revisions/1/download";
sha256 = "1lxbbl91fh0yfh8x53205b7nw5ivghlpfb0m308z2p6fzvz2iq2m";
};
# Fix Docker dashboard to use our Prometheus datasource
dockerDashboard = pkgs.runCommand "docker-cadvisor-fixed.json" {} ''
${pkgs.gnused}/bin/sed 's/\''${DS_PROMETHEUS}/Prometheus/g' ${dockerDashboardRaw} > $out
'';
caddyDashboardRaw = pkgs.fetchurl {
url = "https://grafana.com/api/dashboards/14280/revisions/1/download";
sha256 = "0j3q68cq1nj8gcxkqz5h1kn1ds5kgq4jlkw73xp6yc88mbm5nyh4";
};
# Fix Caddy dashboard to use our Prometheus datasource
caddyDashboard = pkgs.runCommand "caddy-fixed.json" {} ''
${pkgs.gnused}/bin/sed 's/\''${DS_PROMETHEUS}/Prometheus/g' ${caddyDashboardRaw} > $out
'';
piholeDashboardRaw = pkgs.fetchurl {
url = "https://grafana.com/api/dashboards/10176/revisions/3/download";
sha256 = "18f8w3l5k178agipfbimg29lkf2i32xynin1g1v5abiac3ahj7ih";
};
# Fix Pi-hole dashboard to use our Prometheus datasource
piholeDashboard = pkgs.runCommand "pihole-fixed.json" {} ''
${pkgs.gnused}/bin/sed 's/\''${DS_PROMETHEUS}/Prometheus/g' ${piholeDashboardRaw} > $out
'';
in [
"d /var/lib/grafana/dashboards 0755 grafana grafana -"
"L+ /var/lib/grafana/dashboards/node-exporter-full.json - - - - ${nodeExporterFull}"
"L+ /var/lib/grafana/dashboards/nvidia-gpu.json - - - - ${nvidiaDashboard}"
"L+ /var/lib/grafana/dashboards/postgresql.json - - - - ${postgresqlDashboard}"
"L+ /var/lib/grafana/dashboards/redis.json - - - - ${redisDashboard}"
"L+ /var/lib/grafana/dashboards/docker-cadvisor.json - - - - ${dockerDashboard}"
"L+ /var/lib/grafana/dashboards/caddy.json - - - - ${caddyDashboard}"
"L+ /var/lib/grafana/dashboards/pihole.json - - - - ${piholeDashboard}"
];
# Open firewall ports for Prometheus to scrape exporters
networking.firewall = {
# allowedTCPPorts = [
# ports.node
# ports.systemd
# ports.process
# ];
# Allow Prometheus and Grafana access from Tailscale network
interfaces."tailscale0".allowedTCPPorts = [
ports.prometheus
ports.grafana
ports.node
ports.systemd
ports.process
ports.postgres
ports.redis
ports.cadvisor
];
};
}

4
nixos/tako/services/navidrome.nix
View File

@@ -18,8 +18,8 @@ in {
enable = true; enable = true;
settings = { settings = {
MusicFolder = "/media/music"; MusicFolder = "/media/music";
ReverseProxyUserHeader = "Remote-User"; "ExtAuth.TrustedSources" = "@";
ReverseProxyWhitelist = "@"; "ExtAuth.UserHeader" = "Remote-User";
Address = "unix:${socket}"; Address = "unix:${socket}";
BaseUrl = "https://music.darksailor.dev"; BaseUrl = "https://music.darksailor.dev";
}; };

2
nixos/tako/services/openssh.nix
View File

@@ -2,6 +2,6 @@
services.openssh = { services.openssh = {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
settings.PermitRootLogin = "prohibit-password"; settings.PermitRootLogin = "no";
}; };
} }

12
nixos/tako/services/resolved.nix
View File

@@ -1,9 +1,13 @@
{...}: { {...}: {
services.resolved = { services.resolved = {
enable = true; enable = true;
dnssec = "true"; settings = {
dnsovertls = "true"; Resolve = {
domains = ["lemur-newton.ts.net"]; DNSSEC = "true";
fallbackDns = ["1.1.1.1"]; DNSoverTLS = "true";
Domains = ["lemur-newton.ts.net"];
FallbackDNS = [];
};
};
}; };
} }

12
nixos/tsuba/configuration.nix
View File

@@ -5,6 +5,10 @@
device, device,
... ...
}: { }: {
imports = [
../../modules/nixos/substituters.nix
];
users.extraUsers.servius.extraGroups = ["docker"]; users.extraUsers.servius.extraGroups = ["docker"];
networking.firewall.enable = false; networking.firewall.enable = false;
services.openssh.enable = true; services.openssh.enable = true;
@@ -16,14 +20,6 @@
auto-optimise-store = true; auto-optimise-store = true;
extra-experimental-features = "nix-command flakes auto-allocate-uids"; extra-experimental-features = "nix-command flakes auto-allocate-uids";
trusted-users = ["root" "remotebuilder" device.user]; trusted-users = ["root" "remotebuilder" device.user];
trusted-substituters = [
"https://nix-community.cachix.org"
"https://nixos-raspberrypi.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"nixos-raspberrypi.cachix.org-1:4iMO9LXa8BqhU+Rpg6LQKiGa2lsNh/j2oiYLNOQ5sPI="
];
}; };
extraOptions = '' extraOptions = ''
build-users-group = nixbld build-users-group = nixbld

5
nixos/tsuba/services/caddy.nix
View File

@@ -14,6 +14,11 @@
services = { services = {
caddy = { caddy = {
enable = true; enable = true;
globalConfig = ''
servers {
metrics
}
'';
extraConfig = '' extraConfig = ''
(cloudflare) { (cloudflare) {
tls { tls {

10
nixos/tsuba/services/jellyfin.nix
View File

@@ -27,20 +27,12 @@
users.groups.jellyfin = {}; users.groups.jellyfin = {};
services = { services = {
# jellyseerr = {
# enable = true;
# package = unstablePkgs.jellyseerr;
# };
caddy = { caddy = {
# virtualHosts."jellyseerr.tsuba.darksailor.dev".extraConfig = ''
# import cloudflare
# reverse_proxy localhost:${builtins.toString config.services.jellyseerr.port}
# '';
virtualHosts."jellyfin.tsuba.darksailor.dev".extraConfig = '' virtualHosts."jellyfin.tsuba.darksailor.dev".extraConfig = ''
import cloudflare import cloudflare
reverse_proxy localhost:8096 reverse_proxy localhost:8096
''; '';
virtualHosts."media.darksailor.dev".extraConfig = '' virtualHosts."jellyfin.darksailor.dev".extraConfig = ''
import cloudflare import cloudflare
reverse_proxy localhost:8096 reverse_proxy localhost:8096
''; '';

178
nixos/tsuba/services/monitoring.nix
View File

@@ -1,10 +1,40 @@
{...}: { {
pkgs,
config,
...
}: let
# Port configurations
ports = {
# System exporters
node = 9100;
systemd = 9558;
process = 9256;
# Infrastructure exporters
cadvisor = 8080;
caddy = 2019;
# Media exporters
jellyfin = 9220;
pihole = 9617;
# Servarr exporters (via exportarr)
sonarr = 9707;
radarr = 9708;
lidarr = 9709;
bazarr = 9710;
# Torrent
deluge = 9354;
};
in {
sops.secrets."pihole/password" = {};
services = { services = {
prometheus = { prometheus = {
exporters = { exporters = {
systemd = { systemd = {
enable = true; enable = true;
port = 9558; port = ports.systemd;
}; };
node = { node = {
enable = true; enable = true;
@@ -19,8 +49,10 @@
"time" "time"
"uname" "uname"
"vmstat" "vmstat"
"diskstats"
"cpu"
]; ];
port = 9100; port = ports.node;
}; };
process = { process = {
enable = true; enable = true;
@@ -35,14 +67,142 @@
}; };
}; };
# Docker cAdvisor for container metrics
virtualisation.oci-containers.containers.cadvisor = {
image = "gcr.io/cadvisor/cadvisor:v0.49.1";
ports = ["${toString ports.cadvisor}:8080"];
volumes = [
"/:/rootfs:ro"
"/var/run:/var/run:ro"
"/sys:/sys:ro"
"/var/lib/docker/:/var/lib/docker:ro"
"/dev/disk/:/dev/disk:ro"
];
extraOptions = [
"--privileged"
"--device=/dev/kmsg"
];
};
# Jellyfin - use built-in metrics endpoint at http://localhost:8096/metrics
# No separate exporter needed - Prometheus will scrape directly
# Home Assistant - has built-in Prometheus integration
# Configure in Home Assistant configuration.yaml:
# prometheus:
# namespace: homeassistant
# Pi-hole exporter
# Uses sops-managed API token for authentication with Pi-hole v6
# To set the token: edit secrets/secrets.yaml and replace the placeholder at pihole.api_token
systemd.services.pihole-exporter = {
description = "Pi-hole Prometheus Exporter";
wantedBy = ["multi-user.target"];
after = ["network.target" "sops-nix.service"];
serviceConfig = {
Type = "simple";
DynamicUser = true;
# Load API token from sops secret file
LoadCredential = "ppassword:${config.sops.secrets."pihole/password".path}";
ExecStart = ''
${pkgs.bash}/bin/bash -c '${pkgs.prometheus-pihole-exporter}/bin/pihole-exporter \
-pihole_hostname localhost \
-pihole_port 8053 \
-port ${toString ports.pihole} \
-pihole_password $(cat ''${CREDENTIALS_DIRECTORY}/ppassword)'
'';
Restart = "on-failure";
};
};
# Exportarr for Sonarr
# Disabled: needs API key configuration
# systemd.services.exportarr-sonarr = {
# description = "Exportarr Prometheus Exporter for Sonarr";
# wantedBy = ["multi-user.target"];
# after = ["network.target"];
# serviceConfig = {
# Type = "simple";
# DynamicUser = true;
# ExecStart = "${pkgs.exportarr}/bin/exportarr sonarr --port ${toString ports.sonarr} --url http://localhost:8989";
# Restart = "on-failure";
# };
# };
# Exportarr for Radarr
# Disabled: needs API key configuration
# systemd.services.exportarr-radarr = {
# description = "Exportarr Prometheus Exporter for Radarr";
# wantedBy = ["multi-user.target"];
# after = ["network.target"];
# serviceConfig = {
# Type = "simple";
# DynamicUser = true;
# ExecStart = "${pkgs.exportarr}/bin/exportarr radarr --port ${toString ports.radarr} --url http://localhost:7878";
# Restart = "on-failure";
# };
# };
# Exportarr for Lidarr
# Disabled: needs API key configuration
# systemd.services.exportarr-lidarr = {
# description = "Exportarr Prometheus Exporter for Lidarr";
# wantedBy = ["multi-user.target"];
# after = ["network.target"];
# serviceConfig = {
# Type = "simple";
# DynamicUser = true;
# ExecStart = "${pkgs.exportarr}/bin/exportarr lidarr --port ${toString ports.lidarr} --url http://localhost:8686";
# Restart = "on-failure";
# };
# };
# Exportarr for Bazarr
# Disabled: needs API key configuration
# systemd.services.exportarr-bazarr = {
# description = "Exportarr Prometheus Exporter for Bazarr";
# wantedBy = ["multi-user.target"];
# after = ["network.target"];
# serviceConfig = {
# Type = "simple";
# DynamicUser = true;
# ExecStart = "${pkgs.exportarr}/bin/exportarr bazarr --port ${toString ports.bazarr} --url http://localhost:6767";
# Restart = "on-failure";
# };
# };
# Deluge exporter
systemd.services.deluge-exporter = {
description = "Deluge Prometheus Exporter";
wantedBy = ["multi-user.target"];
after = ["network.target"];
serviceConfig = {
Type = "simple";
DynamicUser = true;
ExecStart = "${pkgs.prometheus-deluge-exporter}/bin/deluge-exporter localhost:58846 --addr :${toString ports.deluge}";
Restart = "on-failure";
};
};
# Samba exporter - using a simple script to expose smbstatus metrics
# For now, we'll skip this and can add later if needed
# Open firewall ports for Prometheus exporters # Open firewall ports for Prometheus exporters
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ # Allow from Tailscale network
9100 # node exporter interfaces."tailscale0".allowedTCPPorts = [
9256 # process exporter ports.node
9558 # systemd exporter ports.systemd
9134 # zfs exporter ports.process
9633 # smartctl exporter ports.cadvisor
ports.caddy
ports.jellyfin
ports.pihole
# ports.sonarr # Disabled - needs API key
# ports.radarr # Disabled - needs API key
# ports.lidarr # Disabled - needs API key
# ports.bazarr # Disabled - needs API key
ports.deluge
]; ];
}; };
} }

7
nixos/tsuba/services/resolved.nix
View File

@@ -1,11 +1,6 @@
{lib, ...}: { {...}: {
services.resolved = { services.resolved = {
enable = false; enable = false;
# dnssec = "true";
# domains = ["~." "lemur-newton.ts.net"];
# fallbackDns = ["1.1.1.1#one.one.one.one" "1.0.0.1#one.one.one.one"];
fallbackDns = [];
# dnsovertls = "true";
}; };
networking.nameservers = []; networking.nameservers = [];
} }

4
nixos/tsuba/tsuba.nix
View File

@@ -12,10 +12,10 @@
systemd.network.wait-online.enable = false; systemd.network.wait-online.enable = false;
fileSystems."/home".neededForBoot = true; fileSystems."/home".neededForBoot = true;
boot.loader.raspberryPi.bootloader = "kernel"; boot.loader.raspberry-pi.bootloader = "kernel";
system.nixos.tags = let system.nixos.tags = let
cfg = config.boot.loader.raspberryPi; cfg = config.boot.loader.raspberry-pi;
in [ in [
"raspberry-pi-${cfg.variant}" "raspberry-pi-${cfg.variant}"
cfg.bootloader cfg.bootloader

73
patches/430171.patch
View File

@@ -1,73 +0,0 @@
From 3f49f2d9783151520ac0b9a588581454b60fd2ad Mon Sep 17 00:00:00 2001
From: Lin Xianyi <iynaix@gmail.com>
Date: Sat, 2 Aug 2025 01:15:23 +0800
Subject: [PATCH] orca-slicer: remove dependency on libsoup2
---
pkgs/by-name/or/orca-slicer/package.nix | 13 +++++++++++--
...stream-CMakeLists-Link-against-webkit2gtk-.patch | 7 +++----
2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/pkgs/by-name/or/orca-slicer/package.nix b/pkgs/by-name/or/orca-slicer/package.nix
index 7e817859988acd..e1376110dcd38e 100644
--- a/pkgs/by-name/or/orca-slicer/package.nix
+++ b/pkgs/by-name/or/orca-slicer/package.nix
@@ -35,7 +35,7 @@
pcre,
systemd,
tbb_2021,
- webkitgtk_4_0,
+ webkitgtk_4_1,
wxGTK31,
xorg,
libnoise,
@@ -47,8 +47,17 @@ let
withCurl = true;
withPrivateFonts = true;
withWebKit = true;
+ webkitgtk_4_0 = webkitgtk_4_1;
}).overrideAttrs
(old: {
+ src = fetchFromGitHub {
+ owner = "SoftFever";
+ repo = "Orca-deps-wxWidgets";
+ rev = "acdc6db5064274405c323c3823eedf559bbe0474";
+ hash = "sha256-Rt03VK0AzZyROkya0zRKpckS/OSa74pLTNbZoJiitfo=";
+ fetchSubmodules = true;
+ };
+
configureFlags = old.configureFlags ++ [
# Disable noisy debug dialogs
"--enable-debug=no"
@@ -112,7 +121,7 @@ stdenv.mkDerivation (finalAttrs: {
openvdb
pcre
tbb_2021
- webkitgtk_4_0
+ webkitgtk_4_1
wxGTK'
xorg.libX11
opencv.cxxdev
diff --git a/pkgs/by-name/or/orca-slicer/patches/0001-not-for-upstream-CMakeLists-Link-against-webkit2gtk-.patch b/pkgs/by-name/or/orca-slicer/patches/0001-not-for-upstream-CMakeLists-Link-against-webkit2gtk-.patch
index 15f1bf8f0b59e1..8cf3345131449f 100644
--- a/pkgs/by-name/or/orca-slicer/patches/0001-not-for-upstream-CMakeLists-Link-against-webkit2gtk-.patch
+++ b/pkgs/by-name/or/orca-slicer/patches/0001-not-for-upstream-CMakeLists-Link-against-webkit2gtk-.patch
@@ -20,15 +20,14 @@ index 9c5cb96..e92a0e3 100644
@@ -175,6 +175,11 @@ if (WIN32)
target_link_libraries(BambuStudio_app_gui PRIVATE boost_headeronly)
endif ()
-
+
+# We link against webkit2gtk symbols in src/slic3r/GUI/Widgets/WebView.cpp
+if (CMAKE_SYSTEM_NAME STREQUAL "Linux")
-+ target_link_libraries(libslic3r_gui "-lwebkit2gtk-4.0")
++ target_link_libraries(libslic3r_gui "-lwebkit2gtk-4.1")
+endif ()
+
# Link the resources dir to where Slic3r GUI expects it
set(output_dlls_Release "")
set(output_dlls_Debug "")
---
+--
2.38.1
-

3400
patches/markdown-preview.patch
View File

File diff suppressed because one or more lines are too long

2
scripts/prepare-commit-msg
View File

@@ -7,7 +7,7 @@ SHA1=$3
if [[ -z "$COMMIT_SOURCE" ]] if [[ -z "$COMMIT_SOURCE" ]]
then then
DIFF_OUTPUT=$(git diff --cached) DIFF_OUTPUT=$(git diff --cached)
AI_CHAT_OUTPUT=$(echo "$DIFF_OUTPUT" | aichat --role %git-commit%) AI_CHAT_OUTPUT=$(echo "$DIFF_OUTPUT" | aichat --role git-commit)
CURRENT_MSG=$(cat "$COMMIT_MSG_FILE") CURRENT_MSG=$(cat "$COMMIT_MSG_FILE")
{ {

Some files were not shown because too many files have changed in this diff Show More