dev/nixfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Compare commits

base: dev/nixfiles:installer
Branches Tags
dev/nixfiles:master dev/nixfiles:docs dev/nixfiles:fastback-ssh
dev/nixfiles:installer
...
compare: dev/nixfiles:docs
Branches Tags
dev/nixfiles:docs dev/nixfiles:master dev/nixfiles:fastback-ssh
dev/nixfiles:installer

90 Commits
installer ... docs

Author SHA1 Message Date
jackos1998 a7ea91f529 docs: Document the boxes 
Add a top-level `README.md` mapping the boxes and per-machine docs under
`docs/boxes/` (grouped `colony/`, `home/`, `misc/`), one file per host, VM and
container documenting role, services and networking with source pointers.

Also point `AGENTS.md` at the new docs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-14 22:45:20 +01:00
jackos1998 90cc2d53f1 Update CI workflow to Ubuntu 26.04
CI / Check, build and cache nixfiles (push) Successful in 46m23s
Details
2026-06-14 20:37:53 +01:00
jackos1998 b044504938 nixos/git: Update Gitea Actions runner 
Bump runner labels to node 24 / Trixie and Ubuntu 26.04. The upstream
module now generates the runner config from the `settings` option and
wires `ExecStart` itself, so drop the hand-written config file and
`ExecStart` override.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-14 20:37:36 +01:00
jackos1998 98ccc23ef5 devshell: Add check-system and ssh-machine utilities 
`check-system` evaluates a NixOS config without building it; `ssh-machine`
SSHs to a system or home by name, resolving the target and ssh options
from its `deploy-rs` node. Document both in `AGENTS.md`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-14 20:36:15 +01:00
jackos1998 d7e8ca52a0 Add AGENTS.md 
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
 2026-06-14 19:31:59 +01:00
jackos1998 f1cc0fa25c nixos/estuary: Add Meta NL-ix peering
CI / Check, build and cache nixfiles (push) Has been cancelled
Details
2026-06-14 03:15:28 +01:00
jackos1998 43828ad34c nixos/hass: Add West Wood integration
CI / Check, build and cache nixfiles (push) Has been cancelled
Details
2026-06-14 03:08:33 +01:00
jackos1998 36d7e4a7e3 home-manager/gui: Add Claude status line 2026-06-14 03:08:00 +01:00
jackos1998 2f7d5d3908 nixos/castle: Add claude... 2026-06-14 00:24:05 +01:00
jackos1998 f3a0ca3f57 devshell: Allow deploy-multi without options
CI / Check, build and cache nixfiles (push) Has been cancelled
Details
2026-06-13 22:11:23 +01:00
jackos1998 023b3f6605 nixos/tmproot: Add manpage cache 2026-06-13 21:53:29 +01:00
jackos1998 ecd3a46591 home-manager/gui: Add easyeffects
CI / Check, build and cache nixfiles (push) Failing after 1h52m48s
Details
2026-06-13 20:42:12 +01:00
jackos1998 6bcca599e2 devshell: Fix json2nix warning 2026-06-13 20:36:46 +01:00
jackos1998 93529c578b "Release" 26.06 Irritating
CI / Check, build and cache nixfiles (push) Successful in 2h20m51s
Details
2026-06-13 16:00:18 +01:00
jackos1998 bb32784962 nixos/jackflix: Update external port
CI / Check, build and cache nixfiles (push) Successful in 1h11m55s
Details
2026-06-06 19:48:02 +01:00
jackos1998 6ffa35c414 nixos/chatterbox: Bump mautrix bridges
CI / Check, build and cache nixfiles (push) Successful in 1h14m35s
Details
2026-06-01 20:19:51 +01:00
jackos1998 3cc5448410 nixos/user: Add to group disk
CI / Check, build and cache nixfiles (push) Successful in 1h4m36s
Details
2026-04-18 21:50:36 +01:00
jackos1998 ee4178ee2d nixos/chatterbox: Update mautrix-whatsapp to 26.03
CI / Check, build and cache nixfiles (push) Successful in 1h7m26s
Details
2026-04-12 18:36:06 +01:00
jackos1998 2bf18319c9 nixos/routing-common: Fix keepalived link-local addresses
CI / Check, build and cache nixfiles (push) Successful in 1h17m1s
Details
2026-03-16 15:12:46 +00:00
jackos1998 a394b9124a nixos/routing-common: Fix Cloudflare 2026-03-16 13:37:16 +00:00
jackos1998 5bc48d33a3 nixos: Add tcpdump on all machines 2026-03-16 13:33:08 +00:00
jackos1998 365ef5d49d Update nixpkgs for terraria-server
CI / Check, build and cache nixfiles (push) Successful in 1h3m49s
Details
2026-03-10 21:27:14 +00:00
jackos1998 0206d52fa2 nixos/netboot: Remove pinned iPXE
CI / Check, build and cache nixfiles (push) Successful in 1h15m47s
Details
2026-03-08 14:36:07 +00:00
jackos1998 5526e07e65 Update harmonia
CI / Check, build and cache nixfiles (push) Failing after 2h25m26s
Details
2026-03-07 17:09:50 +00:00
jackos1998 dde682390f nixos/castle: Add lan-lo
CI / Check, build and cache nixfiles (push) Failing after 6m27s
Details
2026-03-04 21:30:53 +00:00
jackos1998 4ec59a64ce nixos/home/routing-common: Add DHCP pool for untrusted LAN 2026-03-03 20:15:45 +00:00
jackos1998 c9c788e261 nixos/estuary: Add john-valorant
CI / Check, build and cache nixfiles (push) Failing after 6m15s
Details
2026-03-01 22:57:03 +00:00
jackos1998 21c24216b4 nixos/whale2: Update Graeme difficulty
CI / Check, build and cache nixfiles (push) Failing after 6m28s
Details
2026-02-17 22:47:25 +00:00
jackos1998 2ecd350fcc nixos/whale2: Update graeme whitelist 2026-02-17 21:54:02 +00:00
jackos1998 3aa873d52a nixos/whale2: Add graeme
CI / Check, build and cache nixfiles (push) Failing after 6m31s
Details
2026-02-16 22:49:22 +00:00
jackos1998 0a8ad18de8 nixos/jackflix: Add ffmpeg
CI / Check, build and cache nixfiles (push) Failing after 6m16s
Details
2026-02-15 19:56:54 +00:00
jackos1998 b6b94fea5a Update nixpkgs-mine for Terraria 1.4.5.5
CI / Check, build and cache nixfiles (push) Failing after 6m18s
Details
2026-02-11 22:16:07 +00:00
jackos1998 de9762b272 shill: Add Terraria server
CI / Check, build and cache nixfiles (push) Failing after 7m4s
Details
2026-02-09 00:06:13 +00:00
jackos1998 8d1f4d51d0 nixos/deploy-rs: Fix systemd-util shellcheck 2026-02-08 21:17:00 +00:00
jackos1998 f1dc04ec4b Update inputs
CI / Check, build and cache nixfiles (push) Failing after 6m18s
Details
2026-01-20 15:13:27 +00:00
jackos1998 7951c777cb nixos/sfh: Disable unifi
CI / Check, build and cache nixfiles (push) Successful in 1h13m56s
Details
2025-12-06 21:59:34 +00:00
jackos1998 b031840f81 nixos/object: Fix harmonia
CI / Check, build and cache nixfiles (push) Failing after 3h13m40s
Details
2025-12-06 15:39:47 +00:00
jackos1998 45861bef08 "Release" 25.11 Hooray 2025-12-06 15:18:36 +00:00
jackos1998 4433395125 nixos/chatterbox: Restore old WhatsApp display name template
CI / Check, build and cache nixfiles (push) Failing after 19s
Details
2025-12-04 10:06:06 +00:00
jackos1998 3306aaab5e nixos/chatterbox: Upgrade mautrix bridges to v25.11 2025-12-04 10:06:06 +00:00
jackos1998 4480302c65 nixos/estuary: Remove old Frys-IX subnet
CI / Check, build and cache nixfiles (push) Failing after 21s
Details
2025-12-01 22:41:13 +00:00
jackos1998 be7fb5a243 home-manager/common: Fix overlays
CI / Check, build and cache nixfiles (push) Successful in 2h39m0s
Details
2025-10-06 10:54:12 +01:00
jackos1998 25758bae08 nixos/middleman: SNAT IPv6 to assigned address
CI / Check, build and cache nixfiles (push) Successful in 2h38m2s
Details
2025-10-01 11:10:41 +01:00
jackos1998 7bfe9ad697 nixos/estuary: Add hillcrest WireGuard
CI / Check, build and cache nixfiles (push) Successful in 2h27m17s
Details
2025-09-27 02:24:35 +01:00
jackos1998 7db5e18974 nixos/jackflix: copyparty: Move /pub to / and put stuff at /priv
CI / Check, build and cache nixfiles (push) Successful in 2h25m8s
Details
2025-09-09 14:34:54 +01:00
jackos1998 20b7da74bf nixos/jackflix: Remove unnecessary insecure packages exception
CI / Check, build and cache nixfiles (push) Successful in 2h28m59s
Details
2025-09-08 23:29:51 +01:00
jackos1998 adaf8b6a83 nixos/jackflix: Add copyparty 2025-09-08 23:28:31 +01:00
jackos1998 1f145334f3 nixos/britway: Disable override_local_dns for headscale
CI / Check, build and cache nixfiles (push) Failing after 12m38s
Details
2025-09-08 21:29:20 +01:00
jackos1998 abf9f1b465 home-manager/gui: Add ffmpeg
CI / Check, build and cache nixfiles (push) Successful in 2h30m16s
Details
2025-09-06 21:56:19 +01:00
jackos1998 f0740741a4 nixos/home/routing-common: Fix mstpd shellcheck
CI / Check, build and cache nixfiles (push) Successful in 2h44m21s
Details
2025-09-06 21:40:05 +01:00
jackos1998 0c0b66b8db nixos/jackflix: Add FlareSolverr 2025-09-06 19:49:12 +01:00
jackos1998 bdf3c04595 nixos/git: Add NAT rules 2025-09-06 19:35:33 +01:00
jackos1998 02795a6ee4 nixos/nvme: Specify Host NQN on command line
CI / Check, build and cache nixfiles (push) Failing after 2h24m47s
Details
2025-09-06 18:02:18 +01:00
jackos1998 8fa4a7ee60 "Release" 25.09 Giving
CI / Check, build and cache nixfiles (push) Failing after 31m46s
Details
2025-09-06 17:14:09 +01:00
jackos1998 773674d879 nixos/chatterbox: Add adzerq to Instagram bridge
CI / Check, build and cache nixfiles (push) Failing after 29m47s
Details
2025-07-23 19:42:35 +01:00
jackos1998 12c5ca126d nixos/middleman: kinkcraft Bluemap
CI / Check, build and cache nixfiles (push) Failing after 30m2s
Details
2025-06-07 23:28:20 +01:00
jackos1998 b38a2a07e2 nixos/estuary: Update FrysIX BGP config to new /23
CI / Check, build and cache nixfiles (push) Failing after 30m16s
Details
2025-06-03 11:06:58 +01:00
jackos1998 0dc474887f Add kinkcraft Minecraft server
CI / Check, build and cache nixfiles (push) Failing after 30m20s
Details
2025-05-29 20:51:56 +01:00
jackos1998 c8bd63ec3e nixos: Add nixlight static IP and WLED hass integration
CI / Check, build and cache nixfiles (push) Failing after 29m45s
Details
2025-05-26 23:25:05 +01:00
jackos1998 d7522f3f97 nixos/whale2: Op kev in kevcraft
CI / Check, build and cache nixfiles (push) Failing after 30m31s
Details
2025-04-24 22:04:45 +01:00
jackos1998 58c76f822f home-manager/gui: Use tmux kill-session in brainrot screensavers
CI / Check, build and cache nixfiles (push) Failing after 29m19s
Details
2025-04-14 13:27:01 +01:00
jackos1998 31bcde23b8 nixos/gui: Enable udisks2
CI / Check, build and cache nixfiles (push) Failing after 5m13s
Details
2025-04-07 23:18:29 +01:00
jackos1998 fc2fa0666e nixos/middleman: Increase worker_processes
CI / Check, build and cache nixfiles (push) Failing after 5m10s
Details
2025-03-28 16:42:54 +00:00
jackos1998 854cc48479 home-manager/gui: Add Brainrot story mode screensaver
CI / Check, build and cache nixfiles (push) Failing after 29m6s
Details
2025-03-28 11:01:46 +00:00
jackos1998 85a4b124e5 pkgs: Remove own terminaltexteffects
CI / Check, build and cache nixfiles (push) Failing after 5m7s
Details
2025-03-27 11:58:36 +00:00
jackos1998 f322f3ebac home-manager/gui: Longer and looping brainrot screensavers
CI / Check, build and cache nixfiles (push) Failing after 29m7s
Details
2025-03-25 10:56:08 +00:00
jackos1998 bc74fb4968 home-manager/gui: Add brainrot screensavers
CI / Check, build and cache nixfiles (push) Failing after 30m15s
Details
2025-03-24 15:09:46 +00:00
jackos1998 584abd4991 nixos/home/hass: Add USB webcam
CI / Check, build and cache nixfiles (push) Successful in 1h12m19s
Details
2025-03-15 01:43:44 +00:00
jackos1998 05074a1fd9 nixos/home/hass: Basic Reolink camera setup
CI / Check, build and cache nixfiles (push) Has been cancelled
Details
2025-03-15 01:07:12 +00:00
jackos1998 69060dfbff nixos/home/routing-common: Add static lease for hass-panel 2025-03-14 22:53:36 +00:00
jackos1998 8e288a9e2a nixos/home/hass: Include scenes.yaml
CI / Check, build and cache nixfiles (push) Successful in 1h17m11s
Details
2025-03-14 17:48:18 +00:00
jackos1998 bb03b6fa76 nixos/home/hass: Add HEOS
CI / Check, build and cache nixfiles (push) Successful in 1h0m24s
Details
2025-03-12 01:55:46 +00:00
jackos1998 fd92cfae6e nixos/home/hass: Include scripts.yaml
CI / Check, build and cache nixfiles (push) Successful in 1h1m12s
Details
2025-03-11 14:35:10 +00:00
jackos1998 25267d09a2 nixos/home/hass: Add androidtv_remote and alarmo
CI / Check, build and cache nixfiles (push) Successful in 59m46s
Details
2025-03-11 02:12:16 +00:00
jackos1998 f02f538ab2 nixos/home/routing-common: Add media DHCP reservations 2025-03-10 22:33:48 +00:00
jackos1998 d319657680 nixos/netboot: Use older iPXE with patch
CI / Check, build and cache nixfiles (push) Successful in 1h3m31s
Details
2025-03-10 22:23:08 +00:00
jackos1998 dff5a4e6d8 nixos/home/hass: Add Irish Rail integration
CI / Check, build and cache nixfiles (push) Successful in 1h9m21s
Details
2025-03-10 14:04:22 +00:00
jackos1998 2a8ced0fec nixos/home/routing-common: Add DNS blocklist
CI / Check, build and cache nixfiles (push) Successful in 1h6m52s
Details
2025-03-10 10:46:21 +00:00
jackos1998 36c7096120 nixos/home/hass: Home Assistant CLI and automation fix
CI / Check, build and cache nixfiles (push) Successful in 2h47m3s
Details
2025-03-10 01:28:14 +00:00
jackos1998 adfcf2f848 nixos/home/hass: Initial Home Assistant setup
CI / Check, build and cache nixfiles (push) Has been cancelled
Details
2025-03-09 22:59:59 +00:00
jackos1998 a3870a4293 nixos/home/sfh: Introduce hass container
CI / Check, build and cache nixfiles (push) Has been cancelled
Details
2025-03-09 20:07:28 +00:00
jackos1998 8f4b61fc2b Update inputs 2025-03-09 20:00:35 +00:00
jackos1998 44e3a3011a nixos/stream: Disable octoprint for now
CI / Check, build and cache nixfiles (push) Failing after 3m16s
Details
2025-03-02 14:21:31 +00:00
jackos1998 45c972cca9 lib: Update public IPs 2025-03-02 13:40:22 +00:00
jackos1998 7bd5b8cbdf nixos/whale2: Add kevcraft
CI / Check, build and cache nixfiles (push) Failing after 2m33s
Details
2025-02-18 17:15:03 +00:00
jackos1998 d1eb9cc981 nixos/toot: Add BlueSky PDS
CI / Check, build and cache nixfiles (push) Failing after 3m4s
Details
2025-01-31 14:54:40 +00:00
jackos1998 7a2ebf6872 nixos: Add ADB stuff
CI / Check, build and cache nixfiles (push) Successful in 1h3m46s
Details
2025-01-26 18:33:04 +00:00
jackos1998 72b8bd089c nixos/uk: Add WireGuard VPN for access
CI / Check, build and cache nixfiles (push) Successful in 1h15m33s
Details
2025-01-22 19:19:03 +00:00
jackos1998 cff229f487 nixos: Add britway
CI / Check, build and cache nixfiles (push) Successful in 1h3m58s
Details
2025-01-19 23:58:51 +00:00
jackos1998 f3ac3cd67f nixos/middleman: Add pubkey and HTTP access to p.nul.ie
CI / Check, build and cache nixfiles (push) Successful in 51m34s
Details
2025-01-16 15:20:57 +00:00
125 changed files with 5316 additions and 2156 deletions
Expand all files Collapse all files
.gitea/workflows/ci.yaml
+3 -3
View File
@@ -7,10 +7,10 @@ on:
jobs:
check:
name: Check, build and cache nixfiles
runs-on: ubuntu-22.04
runs-on: ubuntu-26.04
steps:
- uses: actions/checkout@v4
- uses: cachix/install-nix-action@v27
- uses: actions/checkout@v6
- uses: cachix/install-nix-action@v31
with:
# Gitea will supply a token in GITHUB_TOKEN, which this action will
# try to pass to Nix when downloading from GitHub
AGENTS.md
+118
View File
@@ -0,0 +1,118 @@
# AGENTS.md
This file provides guidance to coding agents when working with code in this repository.
## Overview
Personal Nix flake managing NixOS systems and home-manager configurations for a set of
machines ("boxes": servers, home machines, routers). It is built around a **custom module system** layered
on top of NixOS/home-manager, not the stock flake `nixosConfigurations` pattern.
## Commands
This repo provides a `numtide/devshell` (entered via `direnv` / `use flake`). The shell defines
named commands — prefer them over raw `nix` invocations. Run a bare command name with no args to
see its help, or browse `devshell/commands.nix` / `devshell/install.nix` / `devshell/vm-tasks.nix`.
Common ones:
- `fmt` — format Nix with `nixpkgs-fmt` (the canonical formatter here).
- `build-system <host> [nix args]` — build a NixOS system's `toplevel`.
- `build-n-switch <args>` — wraps `doas nixos-rebuild --flake .`.
- `build-home <name>` / `home-switch` — build / switch a home-manager config.
- `run-vm <host>` — build & boot a system as a dev VM (installs `.keys/dev.key` into the VM).
- `build-iso` / `build-kexec` / `build-netboot <host>` — alternate build outputs via `config.my.buildAs.*`.
- `check-system <host> [nix args]` — evaluate a system (catches eval errors without a full build).
**Prefer this over `build-system` to validate a config change** — evaluation surfaces module/option
errors quickly and cheaply; only do a full build when you specifically need the built artifact.
- `deploy <host>` and `deploy-multi <hosts...>` — deploy-rs deployment (uses `.keys/deploy.key`, `--skip-checks`).
Pass the flake-qualified node, e.g. `deploy .#git`. The deploy node name is **always** the system
name (`deploy-rs.nix` keys nodes directly off `nixos.systems` / `home-manager.homes`); a system is
only a deploy target when `config.my.deploy.enable` is true (defaults true; auto-disabled for dev
VMs and containers).
- `ssh-machine <name> [cmd]` — SSH to a NixOS system or home-manager config by name. Resolves the
target and ssh options (identity, port) from its deploy-rs node, so it needs `my.deploy.enable`
(same gate as `deploy`).
- `ragenix` — edit age secrets using `.keys/dev.key` as identity (see Secrets).
- `repl``nix repl .#`.
- `update-nixpkgs` / `update-home-manager` — bump pinned inputs.
Check everything (what CI runs): `nix flake check --no-build`.
CI builds each attr of `.#ci.x86_64-linux` (systems, homes, packages, shell) and pushes to the
Harmonia binary cache; see `.gitea/workflows/ci.yaml` and `ci/push-to-cache.sh`.
## Architecture
### The custom module system
`flake.nix` does **not** call `nixosSystem` per host directly. Instead it `evalModules` over
`./nixos`, `./home-manager`, `./deploy-rs.nix`, and the per-host files listed in the `configs`
list in `flake.nix`. That evaluation produces a top-level config (`self.nixfiles`) from which the
real flake outputs are derived:
- `nixos.systems.<name>``nixosConfigurations.<name>`
- `home-manager.homes.<name>``homeConfigurations.<name>`
- `nixos.modules` / `home-manager.modules``nixosModules` / `homeModules`
- `deploy-rs.rendered``deploy`
`nixos/default.nix` and `home-manager/default.nix` define the `systemOpts` / `homeOpts` submodules
and the `mkSystem` / `mkHome` functions that actually invoke `eval-config.nix` /
`homeManagerConfiguration`. **To add a new host:** create a box file that sets
`nixos.systems.<name> = { ... }`, then add its path to the `configs` list in `flake.nix`.
### Multiple nixpkgs channels
Four pkgs sets are threaded everywhere as `pkgsFlakes` / `pkgs'` (and `hmFlakes` for home-manager):
`unstable`, `stable`, `mine` (a personal nixpkgs fork), `mine-stable`. Each system/home picks its
channel via `nixpkgs` / `home-manager` / `hmNixpkgs` options (e.g. `nixpkgs = "mine-stable"`).
Modules receive `pkgs'` = an attrset of all channels for the current system.
### `lib.my` and the `my` option namespace
`lib/default.nix` extends `lib` with a `my` attrset (helpers like `mkOpt'`, `mkBoolOpt'`,
`mkDefault'`, `inlineModule'`, `mkDefaultSystemsPkgs`, `homeStateVersion`). It also pulls in:
- `lib.my.net` — network/CIDR helpers from the `libnetRepo` input. Used heavily for IP math.
- `lib.my.c` — shared constants from `lib/constants.nix` (UIDs/GIDs, kernel package selection,
nginx snippets, per-network domains/prefixes, etc.). Reuse these rather than hardcoding.
- `lib.my.dns` — DNS helpers (`lib/dns.nix`).
Custom modules add options under the `my.*` namespace (e.g. `my.secrets`, `my.build`,
`my.tmproot`, `my.server`). Use `mkOpt'`/`mkBoolOpt'` for option declarations to match style.
### Modules and module lists
Module sets are registered in `nixos/modules/_list.nix` and `home-manager/modules/_list.nix`
(name → path), which become `nixos.modules` / `home-manager.modules` and are applied to every
system/home. To add a shared module, drop the file in `nixos/modules/` (or `home-manager/modules/`)
and add an entry to the relevant `_list.nix`.
### Network assignments
Each system declares `assignments.<name>` (in its `nixos.systems.<host>` block) with IPv4/IPv6
addresses, gateways, domains, MTU, etc. These are aggregated into `allAssignments` (passed to every
module) and there is an assertion that fails on duplicate IPs. Host networking
(`networking.hostName`, `domain`) defaults from the `internal` assignment.
### Hosts / "boxes"
Per-host configs live under `nixos/boxes/<host>` (some are single `.nix` files, some directories
with nested VMs/containers under e.g. `colony/vms`). Many "systems" are VMs or containers managed
via the `vms` / `containers` modules and the `l2mesh` VXLAN module.
For a human-readable map of what is actually deployed (per-machine roles, services and networking),
see `README.md` and the per-machine docs under `docs/boxes/` (grouped `docs/boxes/colony/`,
`docs/boxes/home/`, `docs/boxes/misc/`). Keep these in sync when adding, removing or repurposing
a machine or service.
## Secrets
age-encrypted secrets in `secrets/`, managed with **ragenix**. Each module declares
`my.secrets.files.<name>` and `my.secrets.key` (the host pubkey to encrypt for). `secrets.nix`
(the ragenix rules file) is generated by reading every system's declared secrets and computing the
recipient key list (always including `.keys/dev.pub`). Edit secrets with the `ragenix` devshell
command, which supplies `.keys/dev.key` as the identity. The `.keys/` directory (dev + deploy
private keys) is required for editing secrets, deploying, and running dev VMs.
## Conventions
- Format with `nixpkgs-fmt` (`fmt`). 2-space indent, `inherit (...)` blocks at the top of `let`.
- Prefer `lib.my` helpers (`mkOpt'`, `mkBoolOpt'`, `mkDefault'`) and `lib.my.c` constants over
reimplementing.
- New shared functionality → a module in `*/modules/` + entry in `_list.nix`, options under `my.*`.
- New host → box file under `nixos/boxes/` + entry in the `configs` list in `flake.nix`.
- Custom packages live in `pkgs/` and are registered in `pkgs/default.nix`; the overlay is exposed
as `overlays.default`.
- In prose and commit messages, quote code-like identifiers (commands, options, paths, package and
attribute names) in backticks.
README.md
+80
View File
@@ -0,0 +1,80 @@
# nixfiles
Personal Nix flake managing every machine I run: hosted servers, home
infrastructure, routers, a remote site, VPSes and personal workstations. It is
built around a **custom module system** layered on top of NixOS and
home-manager rather than the stock per-host `nixosConfigurations` pattern.
For day-to-day commands and a deeper explanation of the module system,
conventions and secrets, see [`AGENTS.md`](AGENTS.md). This README is the map of
**what is actually deployed**; the per-machine details live under [`docs/boxes/`](docs/boxes).
> **Note:** This documentation (the README and everything under `docs/`) is a
> work in progress and was **agent-generated** from the repository. It may be
> incomplete or out of date — treat the Nix configuration as the source of truth.
## The boxes at a glance
Machines are grouped by deployment/location. Each group has its own directory
under `docs/boxes/` with a `README.md` overview and one file per machine.
| Group | What it is | Docs |
| --- | --- | --- |
| **colony** | Hosted dedicated server in Amsterdam (`ams1`). A VM host running the public-facing infrastructure: routing, web, git, media, object storage, chat, game servers. | [`docs/boxes/colony/`](docs/boxes/colony) |
| **home** | Home network: a VM host (`palace`), the home routers, storage, Home Assistant, and personal desktops. | [`docs/boxes/home/`](docs/boxes/home) |
| **misc** | Everything else: edge VPSes (`britway`, `britnet`), the remote `kelder` site, the `tower` workstation, and the installer image. | [`docs/boxes/misc/`](docs/boxes/misc) |
## The "big machine" pattern
The larger sites (`colony`, `home`) all follow the same shape:
```
physical host (VM host)
├── VM ── thing impractical to containerise (router, storage, podman host, …)
├── VM ── container host ──┬── NixOS container ── application
│ ├── NixOS container ──┬── application
│ │ ├── application
│ │ └── application
│ └── …
└── VM ── …
```
- A **physical host** (`colony`, `palace`) does little itself beyond running
**VMs** via the custom `my.vms` module (QEMU + systemd units, LVM-backed
disks).
- **VMs** exist for things that are impractical to put in a container — kernel
features, separate networking, podman/OCI workloads, foreign OSes.
- One VM is usually a **container host** (`shill` on colony, `sfh` on home; and
`kelder` directly). It runs **NixOS containers** via the custom `my.containers`
module (systemd-nspawn based, each with its own address on a bridge).
- **Most applications live in those NixOS containers.** A container isn't limited
to a single application — it commonly hosts a **group of related applications**
that belong together (e.g. `jackflix` runs Jellyfin, the *arr stack,
Transmission, PhotoPrism and copyparty; `object` runs MinIO, Harmonia, HedgeDoc
and wastebin). Each container is a first-class entry in `docs/boxes/`.
Networking between everything is largely defined by per-system `assignments`
(IPs/prefixes) plus an L2 VXLAN mesh (`my.vpns.l2`, AS211024) that ties the edge
routers together. See [`AGENTS.md`](AGENTS.md) for the mechanics.
## Repo layout
```
README.md <- you are here
nixos/
boxes/ per-machine configuration ("boxes")
colony/ colony host + its VMs (vms/) + shill's containers
home/ palace host + its VMs, plus stream, castle
britway/ britnet.nix, kelder/, tower/, installer.nix …
modules/ shared NixOS modules (my.* options); registered in _list.nix
home-manager/ home-manager modules + configs
lib/ lib.my helpers, constants (lib.my.c), net/dns helpers
pkgs/ custom packages (overlays.default)
secrets/ age-encrypted secrets (ragenix)
devshell/ devshell commands (build/deploy/check/ssh helpers)
docs/boxes/ per-machine documentation (colony/, home/, misc/)
```
A machine is wired into the flake by adding its box file to the `configs` list
in `flake.nix`. See [`AGENTS.md`](AGENTS.md#architecture) for how `evalModules`
turns these into `nixosConfigurations`, `homeConfigurations` and `deploy` nodes.
devshell/commands.nix
+31 -2
View File
@@ -48,11 +48,30 @@ in
help = "Print the ed25519 pubkey for a host";
command = "${pkgs.openssh}/bin/ssh-keyscan -t ed25519 \"$1\" 2> /dev/null | awk '{ print $2 \" \" $3 }'";
}
{
name = "ssh-machine";
category = "utilities";
help = "SSH to a machine by NixOS system or home-manager config name";
command = ''
name="$1"
shift
# Run from the project root so deploy's relative identity path (.keys/deploy.key) resolves
cd "$PRJ_ROOT"
# deploy-rs node names are the system/home name, with `@` mangled to `-at-`
node="''${name//@/-at-}"
# Single eval: resolve `user@host` plus merged (global + node) deploy-rs ssh options
info="$(nix eval --raw .#deploy --apply 'd: let n = d.nodes."'"$node"'"; in "''${n.sshUser}@''${n.hostname} ''${builtins.concatStringsSep " " (d.sshOpts ++ n.sshOpts)}"')"
target="''${info%% *}"
opts="''${info#* }"
# shellcheck disable=SC2086
exec ${pkgs.openssh}/bin/ssh $opts "$target" "$@"
'';
}
{
name = "json2nix";
category = "utilities";
help = "Convert JSON to formatted Nix";
command = "nix eval --impure --expr 'builtins.fromJSON (builtins.readFile /dev/stdin)' | ${pkgs.nixfmt-rfc-style}/bin/nixfmt";
command = "nix eval --impure --expr 'builtins.fromJSON (builtins.readFile /dev/stdin)' | ${pkgs.nixfmt}/bin/nixfmt -";
}
{
@@ -73,6 +92,12 @@ in
help = "Build NixOS configuration";
command = ''nix build "''${@:2}" ".#nixosConfigurations.\"$1\".config.system.build.toplevel"'';
}
{
name = "check-system";
category = "utilities";
help = "Evaluate NixOS configuration (check validity without building)";
command = ''nix eval "''${@:2}" ".#nixosConfigurations.\"$1\".config.system.build.toplevel.drvPath"'';
}
{
name = "build-n-switch";
category = "tasks";
@@ -144,7 +169,11 @@ in
help = "Deploy multiple flakes at once";
command = ''
for f in $@; do
deploy "$O" $f
if [ -n "''${O:-}" ]; then
deploy "$O" $f
else
deploy $f
fi
done
'';
}
docs/boxes/colony/README.md
+68
View File
@@ -0,0 +1,68 @@
# colony
The hosted dedicated server in Amsterdam (`ams1`). This is the public-facing
half of the boxes: almost everything reachable from the internet lives here.
- **Internal domain:** `ams1.int.nul.ie`
- **Public domain:** `nul.ie` (public services are published as `*.nul.ie`)
- **Source:** [`nixos/boxes/colony/`](../../../nixos/boxes/colony)
## Shape
`colony` is the physical VM host. It runs the VMs below; one of them (`shill`)
is itself a NixOS container host where most applications run.
```
colony (physical VM host)
├── estuary ── edge router / firewall / DNS / BGP
├── shill ──── NixOS container host ──┬── middleman (reverse proxy, ACME, SSO)
│ ├── colony-psql (shared PostgreSQL)
│ ├── vaultwarden (password manager)
│ ├── chatterbox (Matrix + bridges)
│ ├── toot (Mastodon)
│ ├── jackflix (media stack)
│ ├── object (MinIO, Nix cache, …)
│ ├── waffletail (Tailscale subnet router)
│ ├── qclk (clock service)
│ └── gam (game servers)
├── whale2 ─── podman/OCI host (game servers)
├── git ────── Gitea + Actions runner
├── mail ───── Debian VM running Mailcow (not NixOS — configured out of repo)
└── darts ──── third-party/customer VM (opaque to this repo)
```
## Machines
| Machine | Role | Docs |
| --- | --- | --- |
| `colony` | Physical VM host (AMD, LVM-thin, borgthin backups → rsync.net) | [colony.md](colony.md) |
| `estuary` | Edge router: WAN, firewall/NAT, DNS, BGP, IXP peering, WireGuard | [estuary.md](estuary.md) |
| `shill` | NixOS container host (see containers below) | [shill.md](shill.md) |
| `whale2` | podman/OCI host for game servers | [whale2.md](whale2.md) |
| `git` | Gitea + Gitea Actions runner | [git.md](git.md) |
### shill containers
| Container | Role | Docs |
| --- | --- | --- |
| `middleman` | Front-end nginx reverse proxy, ACME certs, nginx-sso, librespeed | [middleman.md](middleman.md) |
| `colony-psql` | Shared PostgreSQL (14) for colony services | [colony-psql.md](colony-psql.md) |
| `vaultwarden` | Vaultwarden (Bitwarden-compatible password manager) | [vaultwarden.md](vaultwarden.md) |
| `chatterbox` | Matrix homeserver + bridges (heisenbridge, mautrix-*) | [chatterbox.md](chatterbox.md) |
| `toot` | Bluesky PDS (Mastodon disabled) | [toot.md](toot.md) |
| `jackflix` | Media: Jellyfin, *arr stack, Transmission, PhotoPrism, copyparty | [jackflix.md](jackflix.md) |
| `object` | MinIO (S3), Harmonia (Nix cache), HedgeDoc, wastebin | [object.md](object.md) |
| `waffletail` | Tailscale subnet router (advertises colony prefixes into the tailnet) | [waffletail.md](waffletail.md) |
| `qclk` | `qclk` clock service (reachable over WireGuard) | [qclk.md](qclk.md) |
| `gam` | Game servers (Terraria, …) | [gam.md](gam.md) |
## Non-NixOS VMs
These run on `colony` but are **not** managed by this repo (no NixOS config). The
QEMU instances are still declared in `colony`'s `my.vms.instances`, and colony's
networking routes/firewalls traffic to them:
- **`mail`** — a Debian VM running [Mailcow](https://mailcow.email/) (`mail.nul.ie`).
ACME certs are pushed to it from `middleman` (see [middleman.md](middleman.md)).
- **`darts`** — a third-party/customer VM; opaque to this repo, given a routed
prefix and otherwise left alone.
docs/boxes/colony/chatterbox.md
+19
View File
@@ -0,0 +1,19 @@
# chatterbox
The Matrix homeserver (`nul.ie`) and its chat-network bridges.
- **Source:** [`shill/containers/chatterbox.nix`](../../../nixos/boxes/colony/vms/shill/containers/chatterbox.nix)
- **Host:** NixOS container on `shill`
## Role
- **Matrix homeserver** for `server_name = "nul.ie"`.
- **Bridges** to other chat networks:
- `heisenbridge` (IRC),
- `mautrix-whatsapp` (WhatsApp),
- `mautrix-meta` / `mautrix-messenger` (Facebook Messenger / Instagram).
- Fronted by `middleman` (federation on `:8448`).
## Networking
- `internal` assignment on the `ctrs` network (alt name `chatterbox-ctr`).
docs/boxes/colony/colony-psql.md
+18
View File
@@ -0,0 +1,18 @@
# colony-psql
The shared PostgreSQL instance for colony. Several other containers
(`middleman`, `chatterbox`, `toot`, `git`, …) connect here rather than each
running their own database.
- **Source:** [`shill/containers/colony-psql.nix`](../../../nixos/boxes/colony/vms/shill/containers/colony-psql.nix)
- **Host:** NixOS container on `shill`
## Role
- **PostgreSQL 14** serving the other colony services over the `ctrs` network.
Consumers wait for it to be ready via the `systemdAwaitPostgres` helper.
- netdata for monitoring.
## Networking
- `internal` assignment on the `ctrs` network (alt name `colony-psql-ctr`).
docs/boxes/colony/colony.md
+39
View File
@@ -0,0 +1,39 @@
# colony (host)
The physical dedicated server in Amsterdam and the VM host for everything in
this group.
- **Source:** [`nixos/boxes/colony/default.nix`](../../../nixos/boxes/colony/default.nix)
(VM instances in [`nixos/boxes/colony/vms/default.nix`](../../../nixos/boxes/colony/vms/default.nix))
- **nixpkgs:** `mine-stable`
## Role
Bare-metal AMD host. It does little application work itself — its job is to run
the VMs and provide them with storage, networking and backups.
- **Virtualisation:** QEMU/KVM (`kvm-amd`, IOMMU on) via the `my.vms` module. VM
disks are LVM logical volumes (`vm-<name>-<disk>`) in the `main` volume group;
`estuary` additionally gets a WAN NIC by PCI passthrough.
- **Storage:** LVM-thin (`services.lvm.boot.thin`), `/persist` for state,
`/mnt/backup` for the local borg repo. `smartd` + `rasdaemon` for health.
- **Backups:** `my.borgthin` snapshots the persist/data LVs of the host and its
VMs into `/mnt/backup/main`, which is then `rsync`'d (along with LVM metadata)
to rsync.net (`zh2855.rsync.net`).
- **Monitoring:** netdata (with freeipmi), smartd.
## Networking
- Two bridges: `base` (the colony "base" network, shared with `estuary`) and
`vms` (the VM network). Dummy interfaces keep the bridges up so dependent VMs
can start.
- Default gateway / edge is `estuary`; `colony` itself holds the `routing` and
`internal` (a.k.a. `vm`) assignments and routes container/OCI/Tailscale
prefixes to `shill` and `whale2`.
- `my.firewall` trusts the `vms` interface and forwards customer prefixes
(`vm-mail`, `vm-darts`) through.
## VMs hosted here
`estuary`, `shill`, `whale2`, `git` (all NixOS, documented in this directory),
plus the non-NixOS `mail` and `darts` (see [README](README.md#non-nixos-vms)).
docs/boxes/colony/estuary.md
+41
View File
@@ -0,0 +1,41 @@
# estuary
The colony edge router and firewall — the machine that holds colony's public
IPs and connects everything else to the internet.
- **Source:** [`nixos/boxes/colony/vms/estuary/`](../../../nixos/boxes/colony/vms/estuary)
(`default.nix`, `bgp.nix`, `dns.nix`, `bandwidth.nix`)
- **nixpkgs:** `mine`
- **Host:** VM on `colony` (gets the WAN NIC by PCI passthrough)
## Role
- **Edge routing / firewall / NAT:** owns the colony public IPv4/IPv6
(`94.142.241.x` / `2a02:898:0:20::`), does NAT and port-forwarding for the
internal services (`my.firewall.nat.forwardPorts` driven by
`firewallForwards`). Forwards HTTP/S to `middleman`, git to `git`, game ports
to the OCI game servers on `whale2`, etc.
- **BGP:** runs BIRD2 ([`bgp.nix`](../../../nixos/boxes/colony/vms/estuary/bgp.nix))
announcing AS211024, over VLANs on the WAN link:
- peers at the IXPs **Frys-IX**, **NL-ix** and **FogIXP**;
- plus **iFog transit** (`ifog-transit`) — an upstream transit provider from
iFog, **not** an IXP.
- **DNS:** authoritative/recursive DNS ([`dns.nix`](../../../nixos/boxes/colony/vms/estuary/dns.nix)),
redirected to port 5353 locally.
- **VPNs:**
- Part of the AS211024 **L2 VXLAN mesh** (`my.vpns.l2`) with `river`, `stream`
and `britway`.
- WireGuard endpoints for the remote `kelder` site, `hillcrest`, and
`john-valorant`.
- **Misc:** iperf3 server. (A bandwidth-accounting script,
[`bandwidth.py`](../../../nixos/boxes/colony/vms/estuary/bandwidth.py), exists but
is **legacy and not currently used**.)
## Networking
- `wan` — the passed-through igb NIC (9000 MTU), carrying the upstream uplink and
tagged IXP VLANs (`ifog` 409 → `frys-ix`/`nl-ix`/`fogixp`/`ifog-transit`).
- `base` — colony base network; sends RAs and provides DNS to the base prefix,
routes the VM/container/OCI/Tailscale prefixes back to `colony`.
- `as211024` — the L2 mesh interface.
- Assignments: `internal` (public, alt name `fw`), `base`, `as211024`.
docs/boxes/colony/gam.md
+17
View File
@@ -0,0 +1,17 @@
# gam
A game-server container (the lightweight counterpart to the OCI game servers on
`whale2`).
- **Source:** [`shill/containers/gam.nix`](../../../nixos/boxes/colony/vms/shill/containers/gam.nix)
- **Host:** NixOS container on `shill`
## Role
- Hosts game servers run directly as NixOS services — currently **Terraria**
(config/world from secrets). Exposed to the internet via `estuary`'s port
forwards (`:7777`).
## Networking
- `internal` assignment on the `ctrs` network (alt name `gam-ctr`).
docs/boxes/colony/git.md
+38
View File
@@ -0,0 +1,38 @@
# git
The Gitea VM — source hosting and CI for the boxes (`git.nul.ie`).
- **Source:** [`nixos/boxes/colony/vms/git/`](../../../nixos/boxes/colony/vms/git)
(`default.nix`, `gitea.nix`, `gitea-actions.nix`)
- **nixpkgs:** `mine`
- **Host:** VM on `colony`
## Role
- **Gitea** ([`gitea.nix`](../../../nixos/boxes/colony/vms/git/gitea.nix)) — the Git
forge (`git.nul.ie`). PostgreSQL-backed (the shared `colony-psql`), LFS
enabled, with object storage backed by MinIO on `object` (a MinIO secret is
spliced into `app.ini` at startup).
- **Gitea Actions runner**
([`gitea-actions.nix`](../../../nixos/boxes/colony/vms/git/gitea-actions.nix)) — a
Docker-mode runner (`main-docker`) using podman. Labels provide Debian/node-24
(Trixie) and Ubuntu 26.04 images; runner config comes from the upstream
module's `settings` option. The Actions cache lives on a dedicated disk
(`/var/cache/gitea-runner`). Runs as a fixed `gitea-runner` user (not
`DynamicUser`) so it can read its token.
- **nginx** — terminates TLS for `git.nul.ie` and proxies to Gitea on `:3000`.
ACME certs for `nul.ie` / `*.nul.ie` via the Cloudflare DNS challenge.
- **podman** — also hosts the OCI registry/build images; `/var/lib/containers`
is an XFS data disk.
## Networking
- `vms` interface with `routing` / `internal` assignments.
- HTTP/HTTPS forwarded in from `estuary`; podman default subnet `10.88.0.0/16` is
allowed to forward.
## CI
This runner is what executes the repo's own `.gitea/workflows/ci.yaml`, building
each `.#ci.x86_64-linux` attribute and pushing to the Harmonia binary cache. See
[`AGENTS.md`](../../../AGENTS.md#commands).
docs/boxes/colony/jackflix.md
+25
View File
@@ -0,0 +1,25 @@
# jackflix
The media stack — acquisition, library and streaming.
- **Source:** [`shill/containers/jackflix/`](../../../nixos/boxes/colony/vms/shill/containers/jackflix)
(`default.nix`, `networking.nix`)
- **Host:** NixOS container on `shill`
## Role
- **Streaming:** Jellyfin.
- **Acquisition (*arr stack):** Transmission, Jackett, FlareSolverr, Radarr,
Sonarr, and Jellyseerr (`seerr`) for requests.
- **Photos:** PhotoPrism (`photos.nul.ie`).
- **File sharing:** copyparty (`:3923`) serving public + private media volumes.
- Media lives on the shared `/mnt/media` volume (bind-mounted read-write from
`shill`). Downloaders bind to a VPN interface
([`networking.nix`](../../../nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix)),
so torrent traffic only flows while `systemd-networkd-wait-online@vpn` is up.
- A shared `media` group (gid 2000) gives the apps coordinated access.
## Networking
- `internal` assignment on the `ctrs` network (alt name `jackflix-ctr`), plus its
own VPN interface for the download clients.
docs/boxes/colony/middleman.md
+63
View File
@@ -0,0 +1,63 @@
# middleman
The front-end reverse proxy for all public colony web services — the single
ingress that `estuary` forwards HTTP/HTTPS to.
- **Source:** [`shill/containers/middleman/`](../../../nixos/boxes/colony/vms/shill/containers/middleman)
(`default.nix`, `vhosts.nix`)
- **Host:** NixOS container on `shill`
## Role
- **nginx** reverse proxy ([`vhosts.nix`](../../../nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix)
holds the per-service vhosts) with VTS stats, fancyindex, brotli, caching, and
a dynamic resolver pointed at `estuary` so upstreams can be re-resolved at
runtime. It is the single public ingress for almost every web service — colony,
home, and beyond.
- **ACME** — issues the wildcard certificates that **its own** vhosts are served
with (it is not a shared CA for the other boxes; `git`, `britway`, `kelder-spoder`, etc. each
run their own ACME):
- `nul.ie` / `*.nul.ie` (+ `*.s3.nul.ie`) via the Cloudflare DNS challenge,
- the internal `ams1.int.nul.ie` / `*` via an `exec` challenge that calls
`estuary`'s pdns over SSH.
- As a one-off consumer, it then pushes the public cert to the `mail` (Mailcow)
VM via `scp` + a remote `mailcow-ssl-reload`.
- **nginx-sso** — single-sign-on (`sso.nul.ie`) with Google OAuth and a simple
username/password provider; protects the SSO-gated vhosts below.
- **librespeed** — speed-test frontend + backend (`librespeed.${domain}` /
`speed.nul.ie`).
## Published vhosts
All under `*.nul.ie` with the wildcard cert unless noted. Upstreams are addressed
by their internal container/VM hostnames. "SSO" = gated behind nginx-sso.
| Host(s) | Upstream | Notes |
| --- | --- | --- |
| `nul.ie` (default `_`) | static | landing page (CV, SSH pubkey) + Matrix/atproto `.well-known` |
| `sso.nul.ie` | nginx-sso | SSO endpoint |
| `pass.nul.ie` | `vaultwarden` | password manager |
| `matrix.nul.ie` (+`:8448`) | `chatterbox` | Matrix client + federation |
| `element.nul.ie` | element-web | Matrix web client |
| `toot.nul.ie` | `toot` :80 | Mastodon (currently disabled — see [toot.md](toot.md)) |
| `pds.nul.ie` | `toot` :3000 | Bluesky PDS |
| `jackflix.nul.ie` | `jackflix` Jellyfin | streaming |
| `torrents` / `jackett` / `radarr` / `sonarr` `.nul.ie` | `jackflix` | *arr stack (**SSO**) |
| `gib.nul.ie` | `jackflix` Jellyseerr | requests |
| `photos.nul.ie` | `jackflix` PhotoPrism | |
| `stuff` / `public` / `p.nul.ie` | `jackflix` copyparty + `/mnt/media` | file sharing / index |
| `share.nul.ie` | `object` :9090 | |
| `minio` / `s3` / `*.s3.nul.ie` | `object` MinIO | S3 + console (Docker manifest MIME hack) |
| `nix-cache.nul.ie` | `object` Harmonia | Nix binary cache (immutable cache headers) |
| `md.nul.ie` / `pb.nul.ie` | `object` | HedgeDoc / wastebin |
| `mc-map` / `mc-rail` / `mc-map-kink` `.nul.ie` | `whale2` OCI | Minecraft maps |
| `netdata-colony.nul.ie` | many hosts :19999 | netdata fan-out (**SSO**) |
| `pront.nul.ie` | `stream-hi` (home) | print/webcam (**SSO**) |
| `hass.nul.ie` | `hass` (home) | Home Assistant |
| `hass-john.nul.ie` | `john-valorant-tun` | remote HASS over WireGuard tunnel |
## Networking
- `internal` assignment on the `ctrs` network; bind-mounts `/mnt/media` for
serving static/media content.
- nginx waits for `colony-psql` before starting (DNS bootstrap hack).
docs/boxes/colony/object.md
+24
View File
@@ -0,0 +1,24 @@
# object
Object storage and Nix binary cache, plus a couple of small self-hosted web
apps.
- **Source:** [`shill/containers/object.nix`](../../../nixos/boxes/colony/vms/shill/containers/object.nix)
- **Host:** NixOS container on `shill`
## Role
- **MinIO** — S3-compatible object storage (`s3.nul.ie` / `*.s3.nul.ie`). Backs
several other services (Gitea LFS/artifacts, social-media uploads, …). Stored on the
`/mnt/minio` volume (XFS, bind-mounted from `shill`).
- **Harmonia** — serves the Nix binary cache for all the boxes (`nix-cache.nul.ie`), backed
by the `/mnt/nix-cache` volume.
- **atticd** — an alternative Nix cache (stores into MinIO/S3). **Currently
disabled** — present in the config but not running.
- **HedgeDoc** — collaborative markdown notes.
- **wastebin** — pastebin.
## Networking
- `internal` assignment on the `ctrs` network (alt name `object-ctr`).
- `/mnt/minio` and `/mnt/nix-cache` bind-mounted read-write from `shill`.
docs/boxes/colony/qclk.md
+22
View File
@@ -0,0 +1,22 @@
# qclk
The `qclk` service container.
- **Source:** [`shill/containers/qclk/`](../../../nixos/boxes/colony/vms/shill/containers/qclk)
- **Host:** NixOS container on `shill`
## Role
- Runs the custom `qclk` service, exposing an API that is reached over a
dedicated WireGuard **`management`** network. Managed devices are configured as
WireGuard peers (each gets an address in the `qclk` prefix), and AS211024
trusted hosts are allowed to reach the API.
- `shill` routes the `qclk` prefix to this container.
## Networking
- `internal` assignment on the `ctrs` network (alt name `qclk-ctr`), plus the
`management` WireGuard interface carrying the `qclk` prefix.
> Check `qclk/default.nix` for the current peer list and exactly what the service
> does — this entry intentionally stays high-level.
docs/boxes/colony/shill.md
+48
View File
@@ -0,0 +1,48 @@
# shill
The colony **NixOS container host**. Most colony applications run as
systemd-nspawn containers on `shill`.
- **Source:** [`nixos/boxes/colony/vms/shill/`](../../../nixos/boxes/colony/vms/shill)
(`default.nix`, `containers-ext.nix`, `hercules.nix`, `containers/`)
- **nixpkgs:** `mine`
- **Host:** VM on `colony` (large: 12 cores, 40 GiB RAM)
## Role
- Runs the colony NixOS containers via `my.containers.instances`, each attached
to the `ctrs` bridge with its own address.
- Provides shared data volumes to those containers via bind mounts from
LVM-backed disks: `/mnt/media` (→ `middleman`, `jackflix`), `/mnt/minio` and
`/mnt/nix-cache` (→ `object`).
- Acts as the router between the `vms` network and the `ctrs` container network
(sends RAs on `ctrs`, routes Tailscale prefixes via `waffletail` and the
`qclk` prefix via `qclk`). Includes an nftables `ct mark` hack to make
internal DNAT return paths work.
- Tuned sysctls for high connection counts / torrent traffic; netdata.
## Containers
Defined in [`shill/containers/`](../../../nixos/boxes/colony/vms/shill/containers)
and wired up in `shill`'s `my.containers.instances`:
| Container | Role |
| --- | --- |
| [`middleman`](middleman.md) | Front-end nginx reverse proxy, ACME, nginx-sso, librespeed |
| [`colony-psql`](colony-psql.md) | Shared PostgreSQL |
| [`vaultwarden`](vaultwarden.md) | Password manager |
| [`chatterbox`](chatterbox.md) | Matrix homeserver + bridges |
| [`toot`](toot.md) | Bluesky PDS (Mastodon disabled) |
| [`jackflix`](jackflix.md) | Media stack |
| [`object`](object.md) | MinIO / Harmonia / HedgeDoc / wastebin |
| [`waffletail`](waffletail.md) | Tailscale subnet router |
| [`qclk`](qclk.md) | Clock service |
| [`gam`](gam.md) | Game servers |
## Notes
- Container systems set `my.deploy.enable = false` (they are deployed as part of
`shill`'s container profiles, not as standalone deploy nodes) and render via
`my.asContainer`.
- `hercules.nix` configures Hercules CI agent bits;
`containers-ext.nix` holds extra per-container host wiring.
docs/boxes/colony/toot.md
+19
View File
@@ -0,0 +1,19 @@
# toot
A federated-social container. Despite the name (Mastodon = "toots"), it currently
hosts a **Bluesky PDS**; the Mastodon instance is disabled.
- **Source:** [`shill/containers/toot.nix`](../../../nixos/boxes/colony/vms/shill/containers/toot.nix)
- **Host:** NixOS container on `shill`
## Role
- **Bluesky PDS** (Personal Data Server) — the active service, published as
`pds.nul.ie` (proxied by `middleman` to `:3000`).
- **Mastodon** — **currently disabled**. The config is still present and
`toot.nul.ie` still maps to `:80`, but the instance is not running. (It was
backed by the shared `colony-psql` and MinIO/S3 on `object`.)
## Networking
- `internal` assignment on the `ctrs` network (alt name `toot-ctr`).
docs/boxes/colony/vaultwarden.md
+15
View File
@@ -0,0 +1,15 @@
# vaultwarden
[Vaultwarden](https://github.com/dani-garcia/vaultwarden), a Bitwarden-compatible
password manager.
- **Source:** [`shill/containers/vaultwarden.nix`](../../../nixos/boxes/colony/vms/shill/containers/vaultwarden.nix)
- **Host:** NixOS container on `shill`
## Role
- Runs Vaultwarden, fronted by `middleman` and published under `nul.ie`.
## Networking
- `internal` assignment on the `ctrs` network (alt name `vaultwarden-ctr`).
docs/boxes/colony/waffletail.md
+19
View File
@@ -0,0 +1,19 @@
# waffletail
The colony Tailscale node / subnet router.
- **Source:** [`shill/containers/waffletail.nix`](../../../nixos/boxes/colony/vms/shill/containers/waffletail.nix)
- **Host:** NixOS container on `shill`
## Role
- Joins the Tailscale tailnet (auth key from secrets) and **advertises the colony
prefixes** into it, acting as the subnet router so tailnet clients can reach
colony services and vice-versa.
- nftables rules SNAT/forward between `host0` and `tailscale0` for the colony
v4/v6 ranges. `shill` routes the Tailscale prefixes here.
## Networking
- `internal` assignment on the `ctrs` network (alt name `waffletail-ctr`); owns
the `tailscale0` interface.
docs/boxes/colony/whale2.md
+27
View File
@@ -0,0 +1,27 @@
# whale2
A podman/OCI host on colony dedicated to game servers (kept off `shill` so the
container churn and resource use stay isolated).
- **Source:** [`nixos/boxes/colony/vms/whale2/`](../../../nixos/boxes/colony/vms/whale2)
(`default.nix`, `valheim.nix`, `minecraft/`, `enshrouded.nix`)
- **nixpkgs:** `mine`
- **Host:** VM on `colony`
## Role
- Runs OCI containers via **podman** (`virtualisation.oci-containers`, netavark
backend) on a dedicated `colony` bridge network (`oci`) with both IPv4 and
IPv6, so each game server gets its own routable address.
- Game servers configured in-repo: **Valheim**, **Minecraft** (several worlds —
see `extraAssignments`: `simpcraft`, `simpcraft-staging`, `kevcraft`,
`kinkcraft`, `graeme`), and **Enshrouded** (currently commented out).
- `/var/lib/containers` is an XFS data disk (project quotas).
## Networking
- `vms` interface with `routing` / `internal` (alt name `oci`) assignments.
- An `oci` bridge carrying the `prefixes.oci` v4/v6 ranges; per-game addresses
are handed out via `extraAssignments` (`valheim-oci`, `simpcraft-oci`, …) and
exposed to the internet through `estuary`'s port forwards.
- Firewall trusts the `oci` interface and forwards `vms → oci`.
docs/boxes/home/README.md
+44
View File
@@ -0,0 +1,44 @@
# home
The home network. A VM host (`palace`), a redundant pair of routers, a storage
server, Home Assistant, and personal desktops.
- **Domain:** `h.nul.ie`
- **Source:** [`nixos/boxes/home/`](../../../nixos/boxes/home)
## Shape
```
palace (physical VM host)
├── river ──── home router (HA pair with stream)
├── cellar ── NVMe-oF storage server (SPDK)
└── sfh ───── NixOS container host ──┬── hass (Home Assistant)
└── unifi (UniFi controller — defined, currently disabled)
stream ── standalone home router (HA pair with river)
castle ── desktop workstation (boots its disks over NVMe-oF from cellar)
```
The two routers `river` (a VM on `palace`) and `stream` (standalone hardware)
share the [`routing-common`](../../../nixos/boxes/home/routing-common) config and
form a **keepalived/VRRP high-availability pair**: DHCP (kea), router
advertisements (radvd), DNS with blocklists, NAT, and the AS211024 L2 mesh link
back to colony.
## Machines
| Machine | Role | Docs |
| --- | --- | --- |
| `palace` | Physical VM host | [palace.md](palace.md) |
| `river` | Home router (VM; VRRP pair with `stream`) | [river.md](river.md) |
| `cellar` | NVMe-oF storage server (SPDK) | [cellar.md](cellar.md) |
| `sfh` | NixOS container host | [sfh.md](sfh.md) |
| `stream` | Home router (standalone hardware; VRRP pair with `river`) | [stream.md](stream.md) |
| `castle` | Desktop workstation | [castle.md](castle.md) |
### sfh containers
| Container | Role | Docs |
| --- | --- | --- |
| `hass` | Home Assistant | [hass.md](hass.md) |
| `unifi` | UniFi network controller (defined, **currently not imported**) | [unifi.md](unifi.md) |
docs/boxes/home/castle.md
+19
View File
@@ -0,0 +1,19 @@
# castle
A desktop workstation.
- **Source:** [`nixos/boxes/home/castle/default.nix`](../../../nixos/boxes/home/castle/default.nix)
## Role
- AMD desktop running the GUI environment (`my.gui.enable`, Sway / Wayland via
home-manager).
- **Diskless-style boot:** its `/nix`, `/persist` and `/home` are NVMe-oF volumes
served by [`cellar`](cellar.md) (`/dev/nvmeof/{nix,persist,home}`). The
networking is careful not to drop the IP used for the NVMe-oF connection.
- Uses the `my.nvme` module for the NVMe-oF client setup.
## Networking
- Sits on the home network; depends on the high-speed link to `cellar` for its
root storage.
docs/boxes/home/cellar.md
+39
View File
@@ -0,0 +1,39 @@
# cellar
The home storage server. Exports fast NVMe storage over the network so other
machines (notably `castle`) can boot and run from it.
- **Source:** [`nixos/boxes/home/palace/vms/cellar/`](../../../nixos/boxes/home/palace/vms/cellar)
(`default.nix`, `spdk.nix`)
- **Host:** VM on `palace` (NVMe drives passed through)
- **Deploy address:** `192.168.68.80`
## Role
- Runs **SPDK** ([`spdk.nix`](../../../nixos/boxes/home/palace/vms/cellar/spdk.nix)) as
a userspace storage target. The kernel `nvme` driver is blacklisted so SPDK can
drive the NVMe devices directly (attached by PCI BDF).
- Builds a **RAID0** (`NVMeRaid`) across three NVMe drives, partitioned into three
namespaces, and exports each as an **NVMe-oF target over RDMA** (port 4420) on
the high-speed home network — one namespace per consumer:
| Namespace | NQN | Consumer |
| --- | --- | --- |
| `NVMeRaidp1` | `nqn.2016-06.io.spdk:river` | [`river`](river.md) |
| `NVMeRaidp2` | `nqn.2016-06.io.spdk:castle` | [`castle`](castle.md) |
| `NVMeRaidp3` | `nqn.2016-06.io.spdk:sfh` | [`sfh`](sfh.md) |
Each client is pinned by `hostnqn`, so `river`, `castle` and `sfh` all run their
storage off `cellar` over the network.
## Networking
- Exports on the high-speed home network (`lan-hi` / the `hi` assignment) over
RDMA; the SPDK target waits for that link to be online before starting.
## Notes
- The `ublk_*` calls in `my.spdk.debugCommands` are **only a debugging script**
they let you create a local ublk block device to mount and inspect the RAID on
`cellar` itself. They are **not** how storage is exported to clients; that is the
`nvmf` config above.
docs/boxes/home/hass.md
+18
View File
@@ -0,0 +1,18 @@
# hass
[Home Assistant](https://www.home-assistant.io/) — home automation.
- **Source:** [`sfh/containers/hass.nix`](../../../nixos/boxes/home/palace/vms/sfh/containers/hass.nix)
- **Host:** NixOS container on `sfh`
## Role
- Runs Home Assistant plus supporting services in the container. The `hass-cli`
is wired up against the local server for convenience.
- Integrations/automations are configured here (see commit history for things
like the "West Wood" integration).
## Networking
- `internal` assignment (alt name `hass-ctr`), plus a loopback assignment
(`hass-ctr-lo`) used internally.
docs/boxes/home/palace.md
+21
View File
@@ -0,0 +1,21 @@
# palace (host)
The physical VM host for the home network — the home equivalent of `colony`.
- **Source:** [`nixos/boxes/home/palace/default.nix`](../../../nixos/boxes/home/palace/default.nix)
(VM instances in [`palace/vms/default.nix`](../../../nixos/boxes/home/palace/vms/default.nix))
## Role
- Bare-metal host whose job is to run the home VMs via the `my.vms` module:
`river` (router), `cellar` (storage), `sfh` (container host).
- Provides the bridged networking those VMs sit on and passes through hardware
where needed (e.g. NVMe drives to `cellar`, NICs to `river`).
## VMs hosted here
| VM | Role | Docs |
| --- | --- | --- |
| `river` | Home router (VRRP pair with `stream`) | [river.md](river.md) |
| `cellar` | NVMe-oF storage server | [cellar.md](cellar.md) |
| `sfh` | NixOS container host (Home Assistant, …) | [sfh.md](sfh.md) |
docs/boxes/home/river.md
+25
View File
@@ -0,0 +1,25 @@
# river
One of the two home routers. `river` is a VM on `palace`; it forms a
high-availability pair with the standalone `stream`.
- **Source:** [`nixos/boxes/home/palace/vms/river.nix`](../../../nixos/boxes/home/palace/vms/river.nix),
built from [`routing-common`](../../../nixos/boxes/home/routing-common) (instance `0`)
- **Host:** VM on `palace`
- **Deploy address:** `192.168.68.1`
## Role
Everything in [`routing-common`](../../../nixos/boxes/home/routing-common):
- **VRRP/keepalived** failover with `stream` (`keepalived.nix`) — one router is
master at a time, sharing virtual IPs.
- **DHCP** via kea (`kea.nix`), **router advertisements** via radvd
(`radvd.nix`).
- **DNS** (`dns.nix`) — local resolver with a blocklist
(`dns-blocklist.txt`) and a periodic update script.
- **NAT / firewall** for the home LAN, with policy routing.
- **AS211024 L2 mesh** link back to colony/`estuary` (and the other edge
routers), so home and colony networks interconnect.
See [stream.md](stream.md) for the other half of the pair.
docs/boxes/home/sfh.md
+24
View File
@@ -0,0 +1,24 @@
# sfh
The home **NixOS container host** ("smart from home" / home services).
- **Source:** [`nixos/boxes/home/palace/vms/sfh/`](../../../nixos/boxes/home/palace/vms/sfh)
(`default.nix`, `containers/`)
- **Host:** VM on `palace`
## Role
- Runs the home NixOS containers via `my.containers.instances`, in the same way
`shill` does on colony.
- Sits on the home network and connects to NVMe-oF storage (`cellar`) where
needed.
## Containers
Defined in [`sfh/containers/`](../../../nixos/boxes/home/palace/vms/sfh/containers)
and imported from its `containers/default.nix`:
| Container | Role | Docs |
| --- | --- | --- |
| `hass` | Home Assistant | [hass.md](hass.md) |
| `unifi` | UniFi controller — **defined but currently commented out** of `containers/default.nix` | [unifi.md](unifi.md) |
docs/boxes/home/stream.md
+19
View File
@@ -0,0 +1,19 @@
# stream
One of the two home routers. `stream` is standalone hardware; it forms a
high-availability pair with `river` (a VM on `palace`).
- **Source:** [`nixos/boxes/home/stream.nix`](../../../nixos/boxes/home/stream.nix),
built from [`routing-common`](../../../nixos/boxes/home/routing-common) (instance `1`)
- **Deploy address:** `192.168.68.2`
## Role
- Same [`routing-common`](../../../nixos/boxes/home/routing-common) role as
[`river`](river.md): keepalived/VRRP, kea DHCP, radvd, DNS + blocklist, NAT and
the AS211024 L2 mesh link to colony.
- Additionally pulls in `mstpd` (`routing-common/mstpd.nix`) for spanning-tree on
its bridged ports — `stream` is the one wired into the physical switching, so
it manages the L2 topology.
See [river.md](river.md) for the other half of the pair.
docs/boxes/home/unifi.md
+23
View File
@@ -0,0 +1,23 @@
# unifi
The UniFi network controller.
- **Source:** [`sfh/containers/unifi.nix`](../../../nixos/boxes/home/palace/vms/sfh/containers/unifi.nix)
- **Host:** NixOS container on `sfh`
## Status
> **Currently disabled.** The system is still defined (`nixos.systems.unifi`),
> but its import is commented out in
> [`sfh/containers/default.nix`](../../../nixos/boxes/home/palace/vms/sfh/containers/default.nix),
> so it is not deployed as a container right now. Re-enable by uncommenting
> `./unifi.nix` there.
## Role
- Runs the UniFi controller (`services.unifi`) to manage the home UniFi network
gear.
## Networking
- `internal` assignment (alt name `unifi-ctr`).
docs/boxes/misc/README.md
+21
View File
@@ -0,0 +1,21 @@
# misc
Everything that isn't part of the `colony` or `home` sites: the edge VPSes, the
remote `kelder` site, a workstation, and the installer image.
| Machine | What it is | Docs |
| --- | --- | --- |
| `britway` | Vultr VPS (London, `lon1`): Headscale, Tailscale exit node, BGP edge, nginx | [britway.md](britway.md) |
| `britnet` | VPS (Birmingham, `bhx1`): Tailscale/WireGuard gateway | [britnet.md](britnet.md) |
| `kelder` | Remote site host (`hentai.engineer`): NixOS container host | [kelder.md](kelder.md) |
| `tower` | Framework Laptop 13 (12th-gen Intel) workstation | [tower.md](tower.md) |
| `installer` | Custom NixOS installer image | [installer.md](installer.md) |
## kelder containers
`kelder` is itself a container host (like `shill`/`sfh`):
| Container | Role | Docs |
| --- | --- | --- |
| `kelder-acquisition` | Media stack (Jellyfin + *arr + Transmission) | [kelder-acquisition.md](kelder-acquisition.md) |
| `kelder-spoder` | nginx web host | [kelder-spoder.md](kelder-spoder.md) |
docs/boxes/misc/britnet.md
+21
View File
@@ -0,0 +1,21 @@
# britnet
A VPS in Birmingham (`bhx1`) acting as a Tailscale/WireGuard gateway node.
- **Source:** [`nixos/boxes/britnet.nix`](../../../nixos/boxes/britnet.nix)
- **Internal domain:** `bhx1.int.nul.ie`
## Role
- **Tailscale node** + **WireGuard** (`wg0`) gateway: provides a second egress /
entry point into the boxes' overlay networks.
- nftables SNATs traffic arriving on `tailscale0` / `wg0` out of the provider
interface (`veth0`), using the `allhost` assignment addresses.
## Networking
- Provider uplink with gateways `77.74.199.1` (v4) / `2a12:ab46:5344::1` (v6).
- `tailscale0` and `wg0` overlay interfaces; `allhost` assignment for SNAT.
> `britnet` is a separate machine from [`britway`](britway.md) — different
> provider/site, narrower role (gateway rather than control plane + BGP edge).
docs/boxes/misc/britway.md
+27
View File
@@ -0,0 +1,27 @@
# britway
A Vultr VPS in London (`lon1`) acting as a network edge node: the Tailscale
control plane, an exit node, and a BGP speaker in the AS211024 mesh.
- **Source:** [`nixos/boxes/britway/`](../../../nixos/boxes/britway)
(`default.nix`, `bgp.nix`, `nginx.nix`, `tailscale.nix`)
- **Internal domain:** `lon1.int.nul.ie`
## Role
- **Headscale** ([`tailscale.nix`](../../../nixos/boxes/britway/tailscale.nix)) — the
self-hosted Tailscale control server (`hs.nul.ie`) the rest of the boxes log
into.
- **Tailscale node** — advertises itself as an **exit node** and advertises the
tailnet routes, so tailnet clients can egress / reach internal prefixes via
britway.
- **BGP** ([`bgp.nix`](../../../nixos/boxes/britway/bgp.nix)) — part of the AS211024
L2 VXLAN mesh (`my.vpns.l2`) alongside `estuary`, `river` and `stream`.
- **nginx** ([`nginx.nix`](../../../nixos/boxes/britway/nginx.nix)) — reverse proxy /
web front-end with ACME certs.
## Networking
- `vultr` assignment on the provider interface; `as211024` on the mesh.
- A `veth0`/`tailscale0` setup with SNAT so tailnet traffic egresses via the VPS
public IP.
docs/boxes/misc/installer.md
+19
View File
@@ -0,0 +1,19 @@
# installer
The custom NixOS installer image used to bootstrap new boxes.
- **Source:** [`nixos/installer.nix`](../../../nixos/installer.nix)
## Role
- Defines `nixos.systems.installer`, a minimal system whose `my.buildAs.*`
outputs produce installable artifacts — primarily a bootable **ISO**
(`isoImage`), and the same base is reused for kexec/netboot trees.
- Build it with the devshell commands (see [`AGENTS.md`](../../../AGENTS.md#commands)):
- `build-iso installer`
- `build-kexec installer` / `build-netboot installer`
- A released ISO is what `colony`'s VM definitions reference as install media; the
`update-installer` devshell command tags a release to trigger a rebuild.
This is a build target rather than a deployed machine — there is no running
`installer` host.
docs/boxes/misc/kelder-acquisition.md
+20
View File
@@ -0,0 +1,20 @@
# kelder-acquisition
The media stack for the `kelder` site — a slimmer cousin of colony's
[`jackflix`](../colony/jackflix.md).
- **Source:** [`kelder/containers/acquisition/`](../../../nixos/boxes/kelder/containers/acquisition)
(`default.nix`, `networking.nix`)
- **Host:** NixOS container on `kelder`
## Role
- **Jellyfin** for streaming (with hardware transcoding — the `jellyfin` user is
in the `render` group, `jellyfin-ffmpeg`).
- **Acquisition:** Transmission, Jackett, Radarr, Sonarr.
- Runs under the site's shared `kontent` user.
## Networking
- `internal` assignment (alt name `acquisition-ctr`) on the kelder container
network; download client networking in `networking.nix`.
docs/boxes/misc/kelder-spoder.md
+17
View File
@@ -0,0 +1,17 @@
# kelder-spoder
An nginx web host on the `kelder` site.
- **Source:** [`kelder/containers/spoder/`](../../../nixos/boxes/kelder/containers/spoder)
(`default.nix`, `nginx.nix`)
- **Host:** NixOS container on `kelder`
## Role
- Serves web content via **nginx** ([`nginx.nix`](../../../nixos/boxes/kelder/containers/spoder/nginx.nix)),
with ACME-managed certificates (nginx in the `acme` group, reloads on renewal).
- Runs under the site's shared `kontent` user.
## Networking
- `internal` assignment (alt name `spoder-ctr`) on the kelder container network.
docs/boxes/misc/kelder.md
+24
View File
@@ -0,0 +1,24 @@
# kelder
A host at a remote site ("kelder" = cellar/basement), linked back to the rest of
the other boxes over WireGuard. It is itself a **NixOS container host**.
- **Source:** [`nixos/boxes/kelder/`](../../../nixos/boxes/kelder)
(`default.nix`, `boot.nix`, `containers/`, `plymouth/`)
- **Domain:** `hentai.engineer`
## Role
- **Site uplink:** connects to colony's `estuary` over **WireGuard**
(`kelder` peer; see [estuary.md](../colony/estuary.md)), so the remote site is
reachable through the colony edge. A periodic `dns_update.py` keeps DNS current.
- **Container host:** runs NixOS containers via `my.containers.instances`
(`acquisition`, `spoder`).
- Custom boot/splash (`boot.nix`, Plymouth theme in `plymouth/`).
## Containers
| Container | Role | Docs |
| --- | --- | --- |
| `kelder-acquisition` | Media stack (Jellyfin + *arr + Transmission) | [kelder-acquisition.md](kelder-acquisition.md) |
| `kelder-spoder` | nginx web host | [kelder-spoder.md](kelder-spoder.md) |
docs/boxes/misc/tower.md
+16
View File
@@ -0,0 +1,16 @@
# tower
A laptop workstation — a Framework Laptop 13 (12th-gen Intel).
- **Source:** [`nixos/boxes/tower/default.nix`](../../../nixos/boxes/tower/default.nix)
## Role
- Framework Laptop 13 (12th-gen Intel) running the GUI environment
(`my.gui.enable`) with home-manager on the `mine` channel.
- Joins the tailnet via the self-hosted Headscale on [`britway`](britway.md)
(`tailscale up --login-server=https://hs.nul.ie --accept-routes`).
- Local virtualisation enabled (`kvm-intel`, IOMMU on).
> Unlike [`castle`](../home/castle.md), `tower` lives outside the `home/` box
> tree and boots from local disks rather than NVMe-oF.
flake.lock
Generated
+313 -184
View File
@@ -11,11 +11,11 @@
"systems": "systems_7"
},
"locked": {
"lastModified": 1723293904,
"narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
"lastModified": 1761656077,
"narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=",
"owner": "ryantm",
"repo": "agenix",
"rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
"rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5",
"type": "github"
},
"original": {
@@ -31,29 +31,27 @@
"nixpkgs": [
"nixpkgs-unstable"
],
"poetry2nix": "poetry2nix"
"pyproject-nix": "pyproject-nix"
},
"locked": {
"lastModified": 1718746012,
"narHash": "sha256-sp9vGl3vWXvD/C2JeMDi5nbW6CkKIC3Q2JMGKwexYEs=",
"ref": "refs/heads/master",
"rev": "ea24100bd4a914b9e044a2085a3785a6bd3a3833",
"revCount": 5,
"type": "git",
"url": "https://git.nul.ie/dev/boardie"
"lastModified": 1757170758,
"narHash": "sha256-FyO+Brz5eInmdAkG8B2rJAfrNGMCsDQ8BPflKV2+r5g=",
"owner": "devplayer0",
"repo": "boardie",
"rev": "ed5fd520d5bf122871b5508dd3c1eda28d6e515d",
"type": "github"
},
"original": {
"type": "git",
"url": "https://git.nul.ie/dev/boardie"
"owner": "devplayer0",
"repo": "boardie",
"type": "github"
}
},
"borgthin": {
"inputs": {
"devshell": "devshell_2",
"flake-utils": "flake-utils_5",
"nixpkgs": [
"nixpkgs-mine"
]
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1732994213,
@@ -69,13 +67,49 @@
"type": "github"
}
},
"copyparty": {
"inputs": {
"flake-utils": "flake-utils_5",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1781351267,
"narHash": "sha256-86HFs1K+LRlx8t4AjaMdU5qlg4O7kLz1VlnNapKZIuY=",
"owner": "9001",
"repo": "copyparty",
"rev": "90639de9840d7dcc2d9000026fe547f666c1d550",
"type": "github"
},
"original": {
"owner": "9001",
"repo": "copyparty",
"type": "github"
}
},
"crane": {
"locked": {
"lastModified": 1725409566,
"narHash": "sha256-PrtLmqhM6UtJP7v7IGyzjBFhbG4eOAHT6LPYOFmYfbk=",
"lastModified": 1780532242,
"narHash": "sha256-D+BsdpxmtUwtqGoY0IXPhHgTlmqgcZKCEo1oMyn7ep0=",
"owner": "ipetkov",
"repo": "crane",
"rev": "7e4586bad4e3f8f97a9271def747cf58c4b68f3c",
"rev": "59a82a1222dd3b2080b5cc52a1a2e8d5f1b77f37",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"crane_2": {
"locked": {
"lastModified": 1760924934,
"narHash": "sha256-tuuqY5aU7cUkR71sO2TraVKK2boYrdW3gCSXUkF4i44=",
"owner": "ipetkov",
"repo": "crane",
"rev": "c6b4d5308293d0d04fcfeee92705017537cad02f",
"type": "github"
},
"original": {
@@ -93,11 +127,11 @@
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"lastModified": 1744478979,
"narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github"
},
"original": {
@@ -116,11 +150,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1727447169,
"narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=",
"lastModified": 1781023725,
"narHash": "sha256-Gt+qFANcrDRjl3xzidLYrAUQCd3808iuAsLwZbYYAEU=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76",
"rev": "2ce9051767ee4d1a3c43b52ba327431783bfd463",
"type": "github"
},
"original": {
@@ -150,8 +184,8 @@
},
"devshell-tools": {
"inputs": {
"flake-utils": "flake-utils_9",
"nixpkgs": "nixpkgs_4"
"flake-utils": "flake-utils_10",
"nixpkgs": "nixpkgs_5"
},
"locked": {
"lastModified": 1710099997,
@@ -169,8 +203,8 @@
},
"devshell_2": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_3"
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1671489820,
@@ -193,11 +227,11 @@
]
},
"locked": {
"lastModified": 1728330715,
"narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
"lastModified": 1768818222,
"narHash": "sha256-460jc0+CZfyaO8+w8JNtlClB2n4ui1RbHfPTLkpwhU8=",
"owner": "numtide",
"repo": "devshell",
"rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
"rev": "255a2b1725a20d060f566e4755dbf571bbbb5f76",
"type": "github"
},
"original": {
@@ -209,11 +243,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"lastModified": 1733328505,
"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
"type": "github"
},
"original": {
@@ -241,6 +275,24 @@
}
},
"flake-utils_10": {
"inputs": {
"systems": "systems_9"
},
"locked": {
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_11": {
"inputs": {
"systems": "systems_10"
},
@@ -258,7 +310,7 @@
"type": "github"
}
},
"flake-utils_11": {
"flake-utils_12": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@@ -292,24 +344,6 @@
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1642700792,
"narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=",
@@ -324,7 +358,7 @@
"type": "github"
}
},
"flake-utils_5": {
"flake-utils_4": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@@ -339,7 +373,58 @@
"type": "github"
}
},
"flake-utils_5": {
"locked": {
"lastModified": 1678901627,
"narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_6": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_7": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_8": {
"inputs": {
"systems": "systems_6"
},
@@ -357,31 +442,16 @@
"type": "github"
}
},
"flake-utils_7": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_8": {
"flake-utils_9": {
"inputs": {
"systems": "systems_8"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
@@ -390,21 +460,47 @@
"type": "github"
}
},
"flake-utils_9": {
"harmonia": {
"inputs": {
"systems": "systems_9"
"crane": "crane",
"nix": "nix",
"nixpkgs": [
"nixpkgs-unstable"
],
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1709126324,
"narHash": "sha256-q6EQdSeUZOG26WelxqkmR7kArjgWCdw5sfJVHPH/7j8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "d465f4819400de7c8d874d50b982301f28a84605",
"lastModified": 1781128165,
"narHash": "sha256-97WpKZkaNAL5g7MtASLwqnrJrvrLpQRr6cXWiRNLiXQ=",
"owner": "nix-community",
"repo": "harmonia",
"rev": "f0dd1094cdc8d72e038cf9347cacfa9272a8f72d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"owner": "nix-community",
"repo": "harmonia",
"type": "github"
}
},
"hass-west-wood": {
"inputs": {
"flake-utils": "flake-utils_7",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1781402797,
"narHash": "sha256-pBdDca7xv1nuP0kj+gC5g5AcR/DV+9Zy3CS6uDOMdJ4=",
"owner": "devplayer0",
"repo": "hass-west-wood",
"rev": "3e6ef7a9084e4053c82dea20127a775e7bcf77a5",
"type": "github"
},
"original": {
"owner": "devplayer0",
"repo": "hass-west-wood",
"type": "github"
}
},
@@ -417,11 +513,11 @@
]
},
"locked": {
"lastModified": 1703113217,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"lastModified": 1745494811,
"narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github"
},
"original": {
@@ -437,16 +533,16 @@
]
},
"locked": {
"lastModified": 1732466619,
"narHash": "sha256-T1e5oceypZu3Q8vzICjv1X/sGs9XfJRMW5OuXHgpB3c=",
"lastModified": 1781319724,
"narHash": "sha256-ZGuxexEMo4Xv28KJ0dX/m/PHN4oZIOnxHZpNTyrvx4M=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f3111f62a23451114433888902a55cf0692b408d",
"rev": "8355f0a16b2dbb06a97959a918af5b239bbe05ae",
"type": "github"
},
"original": {
"id": "home-manager",
"ref": "release-24.11",
"ref": "release-26.05",
"type": "indirect"
}
},
@@ -457,11 +553,11 @@
]
},
"locked": {
"lastModified": 1732884235,
"narHash": "sha256-r8j6R3nrvwbT1aUp4EPQ1KC7gm0pu9VcV1aNaB+XG6Q=",
"lastModified": 1781305496,
"narHash": "sha256-g8Vv4Qfc7n+lgov97REu3X6BeJtvYY0hlSUZR1GrGQQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "819f682269f4e002884702b87e445c82840c68f2",
"rev": "c87a39aa979acc4848016d2220c6238390d84779",
"type": "github"
},
"original": {
@@ -470,12 +566,18 @@
}
},
"impermanence": {
"inputs": {
"home-manager": [
"home-manager-unstable"
],
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1731242966,
"narHash": "sha256-B3C3JLbGw0FtLSWCjBxU961gLNv+BOOBC6WvstKLYMw=",
"lastModified": 1769548169,
"narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "3ed3f0eaae9fcc0a8331e77e9319c8a4abd8a71a",
"rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
"type": "github"
},
"original": {
@@ -484,41 +586,51 @@
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"boardie",
"poetry2nix",
"nixpkgs"
]
},
"libnetRepo": {
"flake": false,
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"lastModified": 1776595118,
"narHash": "sha256-6bIEi8q5hXCHU9nApTbQXvpljMWldg3QipCD+jkOGK8=",
"owner": "oddlama",
"repo": "nixos-extra-modules",
"rev": "84207afebb794be7b53cfc9768730f37c64f4a13",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"owner": "oddlama",
"repo": "nixos-extra-modules",
"type": "github"
}
},
"nix": {
"flake": false,
"locked": {
"lastModified": 1780652321,
"narHash": "sha256-o/6YXRB6AbeL4SYtSHlJ9oEROl6Wmf7yheJNa3fAv2I=",
"owner": "nixos",
"repo": "nix",
"rev": "d1f04a798cf4276da59567c07a3bf4a628669288",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nix",
"type": "github"
}
},
"nixGL": {
"inputs": {
"flake-utils": "flake-utils_7",
"flake-utils": "flake-utils_8",
"nixpkgs": [
"nixpkgs-unstable"
]
},
"locked": {
"lastModified": 1713543440,
"narHash": "sha256-lnzZQYG0+EXl/6NkGpyIz+FEOc/DSEG57AP1VsdeNrM=",
"lastModified": 1762090880,
"narHash": "sha256-fbRQzIGPkjZa83MowjbD2ALaJf9y6KMDdJBQMKFeY/8=",
"owner": "nix-community",
"repo": "nixGL",
"rev": "310f8e49a149e4c9ea52f1adf70cdc768ec53f8a",
"rev": "b6105297e6f0cd041670c3e8628394d4ee247ed5",
"type": "github"
},
"original": {
@@ -545,11 +657,11 @@
},
"nixpkgs-mine": {
"locked": {
"lastModified": 1732985787,
"narHash": "sha256-6rSJ9L4QywpHLi/xvpOHdTuPm6/eOJcXxnYzDbP3U1k=",
"lastModified": 1781356656,
"narHash": "sha256-Ygkl3ZBJ434/WhwdK1FyvPMeHvNPAopg3KE/1HtcJuk=",
"owner": "devplayer0",
"repo": "nixpkgs",
"rev": "a28c46933ef5038fb7a2dd483b85152a539c7969",
"rev": "a15e20705db295f621cb5bb63613f03a9373323f",
"type": "github"
},
"original": {
@@ -561,11 +673,11 @@
},
"nixpkgs-mine-stable": {
"locked": {
"lastModified": 1732985894,
"narHash": "sha256-YYuQQCcSF6KjgtAenZJiBmqt5jqP3UvYgC424VQ+22s=",
"lastModified": 1781356876,
"narHash": "sha256-s8ed+zuk5wrbyhtDQpkxycAcLmhQH9umGRuVRBNKUbU=",
"owner": "devplayer0",
"repo": "nixpkgs",
"rev": "e0a3f4e2bbc5f7b681e344b389dcbab23f2e92a8",
"rev": "2eb8bacf9f641d4510fc43ba7fc0eea7dfdf5b24",
"type": "github"
},
"original": {
@@ -577,26 +689,26 @@
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1732824227,
"narHash": "sha256-fYNXgpu1AEeLyd3fQt4Ym0tcVP7cdJ8wRoqJ+CtTRyY=",
"lastModified": 1780902259,
"narHash": "sha256-q8yYEC5f1mFlQO9RGna4LTc9QrcvWunX6FYp83munkQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c71ad5c34d51dcbda4c15f44ea4e4aa6bb6ac1e9",
"rev": "bd0ff2d3eac24699c3664d5966b9ef36f388e2ca",
"type": "github"
},
"original": {
"id": "nixpkgs",
"ref": "nixos-24.11",
"ref": "nixos-26.05",
"type": "indirect"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1732758367,
"narHash": "sha256-RzaI1RO0UXqLjydtz3GAXSTzHkpb/lLD1JD8a0W4Wpo=",
"lastModified": 1781074563,
"narHash": "sha256-md8WlXOlfnIeHeOScMTTHFyf2d6iaTwPl2apR5EQ3P4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fa42b5a5f401aab8a32bd33c9a4de0738180dc59",
"rev": "9ae611a455b90cf061d8f332b977e387bda8e1ca",
"type": "github"
},
"original": {
@@ -606,22 +718,6 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1718632497,
"narHash": "sha256-YtlyfqOdYMuu7gumZtK0Kg7jr4OKfHUhJkZfNUryw68=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c58b4a9118498c1055c5908a5bbe666e56abe949",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable-small",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1643381941,
"narHash": "sha256-pHTwvnN4tTsEKkWlXQ8JMY423epos8wUOhthpwJjtpc=",
@@ -637,7 +733,37 @@
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1673606088,
"narHash": "sha256-wdYD41UwNwPhTdMaG0AIe7fE1bAdyHe6bB4HLUqUvck=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "37b97ae3dd714de9a17923d004a2c5b5543dfa6d",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1768564909,
"narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1709309926,
"narHash": "sha256-VZFBtXGVD9LWTecGi6eXrE0hJ/mVB3zGUlHImUs2Qak=",
@@ -653,7 +779,7 @@
"type": "github"
}
},
"nixpkgs_5": {
"nixpkgs_6": {
"locked": {
"lastModified": 1674990008,
"narHash": "sha256-4zOyp+hFW2Y7imxIpZqZGT8CEqKmDjwgfD6BzRUE0mQ=",
@@ -669,44 +795,43 @@
"type": "github"
}
},
"poetry2nix": {
"pyproject-nix": {
"inputs": {
"flake-utils": "flake-utils_3",
"nix-github-actions": "nix-github-actions",
"nixpkgs": "nixpkgs_2",
"systems": "systems_4",
"treefmt-nix": "treefmt-nix"
"nixpkgs": [
"boardie",
"nixpkgs"
]
},
"locked": {
"lastModified": 1718726452,
"narHash": "sha256-w4hJSYvACz0i5XHtxc6XNyHwbxpisN13M2kA2Y7937o=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "53e534a08c0cd2a9fa7587ed1c3e7f6aeb804a2c",
"lastModified": 1756395552,
"narHash": "sha256-5aJM14MpoLk2cdZAetu60OkLQrtFLWTICAyn1EP7ZpM=",
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"rev": "030dffc235dcf240d918c651c78dc5f158067b51",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"owner": "pyproject-nix",
"repo": "pyproject.nix",
"type": "github"
}
},
"ragenix": {
"inputs": {
"agenix": "agenix",
"crane": "crane",
"flake-utils": "flake-utils_8",
"crane": "crane_2",
"flake-utils": "flake-utils_9",
"nixpkgs": [
"nixpkgs-unstable"
],
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1731774781,
"narHash": "sha256-vwsUUYOIs8J6weeSK1n1mbZf8fgvygGUMsadx0JmG70=",
"lastModified": 1764843533,
"narHash": "sha256-ovPNJh3Yws59Z8QHXAK+JkoftpdsUh1Ifxu2k+A/xxM=",
"owner": "devplayer0",
"repo": "ragenix",
"rev": "ec4115da7b67c783b1091811e17dbcba50edd1c6",
"rev": "e1a7bce819be6966ff369b7c0100c2713f8a9b32",
"type": "github"
},
"original": {
@@ -720,12 +845,16 @@
"inputs": {
"boardie": "boardie",
"borgthin": "borgthin",
"copyparty": "copyparty",
"deploy-rs": "deploy-rs",
"devshell": "devshell_3",
"flake-utils": "flake-utils_6",
"harmonia": "harmonia",
"hass-west-wood": "hass-west-wood",
"home-manager-stable": "home-manager-stable",
"home-manager-unstable": "home-manager-unstable",
"impermanence": "impermanence",
"libnetRepo": "libnetRepo",
"nixGL": "nixGL",
"nixpkgs-mine": "nixpkgs-mine",
"nixpkgs-mine-stable": "nixpkgs-mine-stable",
@@ -743,11 +872,11 @@
]
},
"locked": {
"lastModified": 1725675754,
"narHash": "sha256-hXW3csqePOcF2e/PYnpXj72KEYyNj2HzTrVNmS/F7Ug=",
"lastModified": 1761791894,
"narHash": "sha256-myRIDh+PxaREz+z9LzbqBJF+SnTFJwkthKDX9zMyddY=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "8cc45e678e914a16c8e224c3237fb07cf21e5e54",
"rev": "59c45eb69d9222a4362673141e00ff77842cd219",
"type": "github"
},
"original": {
@@ -758,8 +887,8 @@
},
"sbt": {
"inputs": {
"flake-utils": "flake-utils_11",
"nixpkgs": "nixpkgs_5"
"flake-utils": "flake-utils_12",
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1698464090,
@@ -778,18 +907,18 @@
"sharry": {
"inputs": {
"devshell-tools": "devshell-tools",
"flake-utils": "flake-utils_10",
"flake-utils": "flake-utils_11",
"nixpkgs": [
"nixpkgs-unstable"
],
"sbt": "sbt"
},
"locked": {
"lastModified": 1720592125,
"narHash": "sha256-vR89LefkY8mBPWxDTQ8SNg6Z7/J6Yga80T4kSb6MNdk=",
"lastModified": 1741328331,
"narHash": "sha256-OtsHm9ykxfAOMRcgFDsqFBBy5Wu0ag7eq1qmTIluVcw=",
"owner": "eikek",
"repo": "sharry",
"rev": "604b20517150599cb05dbe178cd35cd10659aa4c",
"rev": "6203b90f9a76357d75c108a27ad00f323d45c1d0",
"type": "github"
},
"original": {
@@ -868,8 +997,9 @@
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_5": {
@@ -950,17 +1080,16 @@
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"boardie",
"poetry2nix",
"harmonia",
"nixpkgs"
]
},
"locked": {
"lastModified": 1718522839,
"narHash": "sha256-ULzoKzEaBOiLRtjeY3YoGFJMwWSKRYOic6VNw2UyTls=",
"lastModified": 1780220602,
"narHash": "sha256-eynAfOmbmxJnkp7YewvCEbShNnnYJ9gLLqkzsYtBPeM=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "68eb1dc333ce82d0ab0c0357363ea17c31ea1f81",
"rev": "db947814a175b7ca6ded66e21383d938df01c227",
"type": "github"
},
"original": {
@@ -971,14 +1100,14 @@
},
"utils": {
"inputs": {
"systems": "systems_5"
"systems": "systems_3"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
flake.nix
+24 -7
View File
@@ -3,17 +3,22 @@
inputs = {
flake-utils.url = "github:numtide/flake-utils";
# libnet.url = "github:reo101/nix-lib-net";
libnetRepo = {
url = "github:oddlama/nixos-extra-modules";
flake = false;
};
devshell.url = "github:numtide/devshell";
devshell.inputs.nixpkgs.follows = "nixpkgs-unstable";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
nixpkgs-stable.url = "nixpkgs/nixos-24.11";
nixpkgs-stable.url = "nixpkgs/nixos-26.05";
nixpkgs-mine.url = "github:devplayer0/nixpkgs/devplayer0";
nixpkgs-mine-stable.url = "github:devplayer0/nixpkgs/devplayer0-stable";
home-manager-unstable.url = "home-manager";
home-manager-unstable.inputs.nixpkgs.follows = "nixpkgs-unstable";
home-manager-stable.url = "home-manager/release-24.11";
home-manager-stable.url = "home-manager/release-26.05";
home-manager-stable.inputs.nixpkgs.follows = "nixpkgs-stable";
# Stuff used by the flake for build / deployment
@@ -25,16 +30,25 @@
# Stuff used by systems
impermanence.url = "github:nix-community/impermanence";
boardie.url = "git+https://git.nul.ie/dev/boardie";
impermanence.inputs.home-manager.follows = "home-manager-unstable";
boardie.url = "github:devplayer0/boardie";
boardie.inputs.nixpkgs.follows = "nixpkgs-unstable";
nixGL.url = "github:nix-community/nixGL";
nixGL.inputs.nixpkgs.follows = "nixpkgs-unstable";
harmonia.url = "github:nix-community/harmonia";
# harmonia.url = "github:devplayer0/harmonia/cache-config-daemon-store";
harmonia.inputs.nixpkgs.follows = "nixpkgs-unstable";
# Packages not in nixpkgs
sharry.url = "github:eikek/sharry";
sharry.inputs.nixpkgs.follows = "nixpkgs-unstable";
borgthin.url = "github:devplayer0/borg";
borgthin.inputs.nixpkgs.follows = "nixpkgs-mine";
# TODO: Update borgthin so this works
# borgthin.inputs.nixpkgs.follows = "nixpkgs-mine";
copyparty.url = "github:9001/copyparty";
copyparty.inputs.nixpkgs.follows = "nixpkgs-unstable";
hass-west-wood.url = "github:devplayer0/hass-west-wood";
hass-west-wood.inputs.nixpkgs.follows = "nixpkgs-unstable";
};
outputs =
@@ -57,7 +71,7 @@
# Extend a lib with extras that _must not_ internally reference private nixpkgs. flake-utils doesn't, but many
# other flakes (e.g. home-manager) probably do internally.
libOverlay = final: prev: {
my = import ./lib { lib = final; };
my = import ./lib { inherit inputs; lib = final; };
flake = flake-utils.lib;
};
pkgsLibOverlay = final: prev: { lib = prev.lib.extend libOverlay; };
@@ -88,10 +102,11 @@
(_: path: mkDefaultSystemsPkgs path (system: {
overlays = [
pkgsLibOverlay
myPkgsOverlay
inputs.devshell.overlays.default
inputs.ragenix.overlays.default
inputs.deploy-rs.overlay
inputs.deploy-rs.overlays.default
(flakePackageOverlay inputs.home-manager-unstable system)
];
}))
@@ -102,6 +117,7 @@
(_: path: mkDefaultSystemsPkgs path (_: {
overlays = [
pkgsLibOverlay
myPkgsOverlay
];
@@ -126,6 +142,7 @@
nixos/boxes/home/palace
nixos/boxes/home/castle
nixos/boxes/britway
nixos/boxes/britnet.nix
nixos/boxes/kelder
# Homes
@@ -156,7 +173,7 @@
# Platform independent stuff
{
nixpkgs = pkgs';
inherit lib nixfiles;
inherit inputs lib nixfiles;
overlays.default = myPkgsOverlay;
home-manager/modules/common.nix
+23 -23
View File
@@ -66,7 +66,7 @@ in
lsd = {
enable = mkDefault true;
enableAliases = mkDefault true;
enableFishIntegration = mkDefault true;
};
starship = {
@@ -132,38 +132,38 @@ in
ssh = {
enable = mkDefault true;
matchBlocks = {
enableDefaultConfig = false;
settings = {
nix-dev-vm = {
user = "dev";
hostname = "localhost";
port = 2222;
extraOptions = {
StrictHostKeyChecking = "no";
UserKnownHostsFile = "/dev/null";
};
User = "dev";
HostName = "localhost";
Port = 2222;
StrictHostKeyChecking = "no";
UserKnownHostsFile = "/dev/null";
};
"rsync.net" = {
host = "rsyncnet";
user = "16413";
hostname = "ch-s010.rsync";
Host = "rsyncnet";
User = "16413";
HostName = "ch-s010.rsync";
};
shoe = {
host = "shoe.netsoc.tcd.ie shoe";
user = "netsoc";
Host = "shoe.netsoc.tcd.ie shoe";
User = "netsoc";
};
netsocBoxes = {
host = "cube spoon napalm gandalf saruman";
user = "root";
Host = "cube spoon napalm gandalf saruman";
User = "root";
};
"*" = {
IdentityFile = [
"~/.ssh/id_rsa"
"~/.ssh/borg"
];
};
};
extraConfig =
''
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/netsoc
IdentityFile ~/.ssh/borg
'';
};
direnv = {
@@ -226,7 +226,7 @@ in
# Note: If globalPkgs mode is on, then these will be overridden by the NixOS equivalents of these options
nixpkgs = {
overlays = [
inputs.deploy-rs.overlay
inputs.deploy-rs.overlays.default
inputs.boardie.overlays.default
inputs.nixGL.overlays.default
];
home-manager/modules/gui/claude-statusline.sh
Executable
+520
View File
@@ -0,0 +1,520 @@
#!/usr/bin/env bash
# Source: https://github.com/daniel3303/ClaudeCodeStatusLine
# Single line: Model | tokens | %used | %remain | think | 5h bar @reset | 7d bar @reset | extra
set -f # disable globbing
VERSION="1.4.4"
input=$(cat)
if [ -z "$input" ]; then
printf "Claude"
exit 0
fi
# ANSI colors matching oh-my-posh theme
blue='\033[38;2;0;153;255m'
orange='\033[38;2;255;176;85m'
green='\033[38;2;0;160;0m'
cyan='\033[38;2;46;149;153m'
red='\033[38;2;255;85;85m'
yellow='\033[38;2;230;200;0m'
purple='\033[38;2;167;139;250m'
white='\033[38;2;220;220;220m'
dim='\033[2m'
reset='\033[0m'
# Format token counts (e.g., 50k / 200k)
format_tokens() {
local num=$1
if [ "$num" -ge 1000000 ]; then
awk "BEGIN {v=sprintf(\"%.1f\",$num/1000000)+0; if(v==int(v)) printf \"%dm\",v; else printf \"%.1fm\",v}"
elif [ "$num" -ge 1000 ]; then
awk "BEGIN {printf \"%.0fk\", $num / 1000}"
else
printf "%d" "$num"
fi
}
# Format number with commas (e.g., 134,938)
format_commas() {
printf "%'d" "$1"
}
# Return color escape based on usage percentage
# Usage: usage_color <pct>
usage_color() {
local pct=$1
if [ "$pct" -ge 90 ]; then echo "$red"
elif [ "$pct" -ge 70 ]; then echo "$orange"
elif [ "$pct" -ge 50 ]; then echo "$yellow"
else echo "$green"
fi
}
# Resolve config directory: CLAUDE_CONFIG_DIR (set by alias) or default ~/.claude
claude_config_dir="${CLAUDE_CONFIG_DIR:-$HOME/.claude}"
# Return 0 (true) if $1 > $2 using semantic versioning
version_gt() {
local a="${1#v}" b="${2#v}"
local IFS='.'
read -r a1 a2 a3 <<< "$a"
read -r b1 b2 b3 <<< "$b"
a1=${a1:-0}; a2=${a2:-0}; a3=${a3:-0}
b1=${b1:-0}; b2=${b2:-0}; b3=${b3:-0}
[ "$a1" -gt "$b1" ] 2>/dev/null && return 0
[ "$a1" -lt "$b1" ] 2>/dev/null && return 1
[ "$a2" -gt "$b2" ] 2>/dev/null && return 0
[ "$a2" -lt "$b2" ] 2>/dev/null && return 1
[ "$a3" -gt "$b3" ] 2>/dev/null && return 0
return 1
}
# ===== Extract data from JSON =====
model_name=$(echo "$input" | jq -r '.model.display_name // "Claude"')
model_name=$(echo "$model_name" | sed 's/ *(\([0-9.]*[kKmM]*\) context)/ \1/') # "(1M context)" → "1M"
# Context window
size=$(echo "$input" | jq -r '.context_window.context_window_size // 200000')
[ "$size" -eq 0 ] 2>/dev/null && size=200000
# Token usage
input_tokens=$(echo "$input" | jq -r '.context_window.current_usage.input_tokens // 0')
cache_create=$(echo "$input" | jq -r '.context_window.current_usage.cache_creation_input_tokens // 0')
cache_read=$(echo "$input" | jq -r '.context_window.current_usage.cache_read_input_tokens // 0')
current=$(( input_tokens + cache_create + cache_read ))
used_tokens=$(format_tokens $current)
total_tokens=$(format_tokens $size)
if [ "$size" -gt 0 ]; then
pct_used=$(( current * 100 / size ))
else
pct_used=0
fi
pct_remain=$(( 100 - pct_used ))
used_comma=$(format_commas $current)
remain_comma=$(format_commas $(( size - current )))
settings_path="$claude_config_dir/settings.json"
effort_level=""
stdin_effort=$(echo "$input" | jq -r '.effort.level // empty' 2>/dev/null)
if [ -n "$stdin_effort" ]; then
effort_level="$stdin_effort"
elif [ -n "$CLAUDE_CODE_EFFORT_LEVEL" ]; then
effort_level="$CLAUDE_CODE_EFFORT_LEVEL"
elif [ -f "$settings_path" ]; then
effort_val=$(jq -r '.effortLevel // empty' "$settings_path" 2>/dev/null)
[ -n "$effort_val" ] && effort_level="$effort_val"
fi
[ -z "$effort_level" ] && effort_level="medium"
# ===== Claude CLI version (cached, 1h TTL) =====
cli_version_cache="/tmp/claude/statusline-cli-version"
cli_version=""
cli_version_max_age=3600
if [ -f "$cli_version_cache" ]; then
cv_mtime=$(stat -c %Y "$cli_version_cache" 2>/dev/null || stat -f %m "$cli_version_cache" 2>/dev/null)
cv_now=$(date +%s)
cv_age=$(( cv_now - cv_mtime ))
if [ "$cv_age" -lt "$cli_version_max_age" ]; then
cli_version=$(cat "$cli_version_cache" 2>/dev/null)
fi
fi
if [ -z "$cli_version" ]; then
cli_version=$(claude --version 2>/dev/null | awk '{print $1}')
if [ -n "$cli_version" ]; then
mkdir -p /tmp/claude 2>/dev/null
echo "$cli_version" > "$cli_version_cache"
fi
fi
# ===== Build single-line output =====
out=""
out+="${blue}${model_name}${reset}"
# Current working directory
cwd=$(echo "$input" | jq -r '.cwd // empty')
if [ -n "$cwd" ]; then
display_dir="${cwd##*/}"
git_branch=$(git -C "${cwd}" rev-parse --abbrev-ref HEAD 2>/dev/null)
out+=" ${dim}|${reset} "
out+="${cyan}${display_dir}${reset}"
if [ -n "$git_branch" ]; then
out+="${dim}@${reset}${green}${git_branch}${reset}"
git_stat=$(git -C "${cwd}" diff --numstat 2>/dev/null | awk '{a+=$1; d+=$2} END {if (a+d>0) printf "+%d -%d", a, d}')
[ -n "$git_stat" ] && out+=" ${dim}(${reset}${green}${git_stat%% *}${reset} ${red}${git_stat##* }${reset}${dim})${reset}"
fi
fi
out+=" ${dim}|${reset} "
out+="${orange}${used_tokens}/${total_tokens}${reset} ${dim}(${reset}${green}${pct_used}%${reset}${dim})${reset}"
out+=" ${dim}|${reset} "
out+="effort: "
case "$effort_level" in
low) out+="${dim}${effort_level}${reset}" ;;
medium) out+="${orange}med${reset}" ;;
high) out+="${green}${effort_level}${reset}" ;;
xhigh) out+="${purple}${effort_level}${reset}" ;;
max) out+="${red}${effort_level}${reset}" ;;
*) out+="${green}${effort_level}${reset}" ;;
esac
# ===== Cross-platform OAuth token resolution (from statusline.sh) =====
# Tries credential sources in order: env var → macOS Keychain → Linux creds file → GNOME Keyring
get_oauth_token() {
local token=""
# 1. Explicit env var override
if [ -n "$CLAUDE_CODE_OAUTH_TOKEN" ]; then
echo "$CLAUDE_CODE_OAUTH_TOKEN"
return 0
fi
# 2. macOS Keychain (Claude Code appends a SHA256 hash of CLAUDE_CONFIG_DIR to the service name)
if command -v security >/dev/null 2>&1; then
local keychain_svc="Claude Code-credentials"
if [ -n "$CLAUDE_CONFIG_DIR" ]; then
local dir_hash
dir_hash=$(echo -n "$CLAUDE_CONFIG_DIR" | shasum -a 256 | cut -c1-8)
keychain_svc="Claude Code-credentials-${dir_hash}"
fi
local blob
blob=$(security find-generic-password -s "$keychain_svc" -w 2>/dev/null)
if [ -n "$blob" ]; then
token=$(echo "$blob" | jq -r '.claudeAiOauth.accessToken // empty' 2>/dev/null)
if [ -n "$token" ] && [ "$token" != "null" ]; then
echo "$token"
return 0
fi
fi
fi
# 3. Linux credentials file
local creds_file="${claude_config_dir}/.credentials.json"
if [ -f "$creds_file" ]; then
token=$(jq -r '.claudeAiOauth.accessToken // empty' "$creds_file" 2>/dev/null)
if [ -n "$token" ] && [ "$token" != "null" ]; then
echo "$token"
return 0
fi
fi
# 4. GNOME Keyring via secret-tool
if command -v secret-tool >/dev/null 2>&1; then
local blob
blob=$(timeout 2 secret-tool lookup service "Claude Code-credentials" 2>/dev/null)
if [ -n "$blob" ]; then
token=$(echo "$blob" | jq -r '.claudeAiOauth.accessToken // empty' 2>/dev/null)
if [ -n "$token" ] && [ "$token" != "null" ]; then
echo "$token"
return 0
fi
fi
fi
echo ""
}
# ===== LINE 2 & 3: Usage limits with progress bars =====
# First, try to use rate_limits data provided directly by Claude Code in the JSON input.
# This is the most reliable source — no OAuth token or API call required.
builtin_five_hour_pct=$(echo "$input" | jq -r '.rate_limits.five_hour.used_percentage // empty')
builtin_five_hour_reset=$(echo "$input" | jq -r '.rate_limits.five_hour.resets_at // empty')
builtin_seven_day_pct=$(echo "$input" | jq -r '.rate_limits.seven_day.used_percentage // empty')
builtin_seven_day_reset=$(echo "$input" | jq -r '.rate_limits.seven_day.resets_at // empty')
use_builtin=false
if [ -n "$builtin_five_hour_pct" ] || [ -n "$builtin_seven_day_pct" ]; then
use_builtin=true
fi
# Cache setup — shared across all Claude Code instances to avoid rate limits
claude_config_dir_hash=$(echo -n "$claude_config_dir" | shasum -a 256 2>/dev/null || echo -n "$claude_config_dir" | sha256sum 2>/dev/null)
claude_config_dir_hash=$(echo "$claude_config_dir_hash" | cut -c1-8)
cache_file="/tmp/claude/statusline-usage-cache-${claude_config_dir_hash}.json"
cache_max_age=60 # seconds between API calls
mkdir -p /tmp/claude
needs_refresh=true
usage_data=""
# Always load cache — used as primary source for API path, and as fallback when builtin reports zero
if [ -f "$cache_file" ] && [ -s "$cache_file" ]; then
cache_mtime=$(stat -c %Y "$cache_file" 2>/dev/null || stat -f %m "$cache_file" 2>/dev/null)
now=$(date +%s)
cache_age=$(( now - cache_mtime ))
if [ "$cache_age" -lt "$cache_max_age" ]; then
needs_refresh=false
fi
usage_data=$(cat "$cache_file" 2>/dev/null)
fi
# When builtin values are all zero AND reset timestamps are missing, it likely indicates
# an API failure on Claude's side — fall through to cached data instead of displaying
# misleading 0%. Genuine zero responses (after a billing reset) still include valid
# resets_at timestamps, so we trust those.
effective_builtin=false
if $use_builtin; then
# Trust builtin if any percentage is non-zero
if { [ -n "$builtin_five_hour_pct" ] && [ "$(printf '%.0f' "$builtin_five_hour_pct" 2>/dev/null)" != "0" ]; } || \
{ [ -n "$builtin_seven_day_pct" ] && [ "$(printf '%.0f' "$builtin_seven_day_pct" 2>/dev/null)" != "0" ]; }; then
effective_builtin=true
fi
# Also trust if reset timestamps are present — genuine zero responses include valid reset times
if ! $effective_builtin; then
if { [ -n "$builtin_five_hour_reset" ] && [ "$builtin_five_hour_reset" != "null" ] && [ "$builtin_five_hour_reset" != "0" ]; } || \
{ [ -n "$builtin_seven_day_reset" ] && [ "$builtin_seven_day_reset" != "null" ] && [ "$builtin_seven_day_reset" != "0" ]; }; then
effective_builtin=true
fi
fi
fi
# Refresh API cache when stale — runs regardless of builtin rate_limits because
# extra_usage is only exposed through the OAuth usage endpoint (not stdin JSON).
# Throttled to cache_max_age and stampede-locked via touch for shared panes.
if $needs_refresh; then
touch "$cache_file" # stampede lock: prevent parallel panes from fetching simultaneously
token=$(get_oauth_token)
if [ -n "$token" ] && [ "$token" != "null" ]; then
response=$(curl -s --max-time 10 \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $token" \
-H "anthropic-beta: oauth-2025-04-20" \
-H "User-Agent: claude-code/2.1.34" \
"https://api.anthropic.com/api/oauth/usage" 2>/dev/null)
# Only cache valid usage responses (not error/rate-limit JSON)
if [ -n "$response" ] && echo "$response" | jq -e '.five_hour' >/dev/null 2>&1; then
usage_data="$response"
echo "$response" > "$cache_file"
fi
fi
# Remove the stampede sentinel if the fetch failed to produce valid JSON —
# otherwise an empty cache file would suppress retries for a full cache_max_age window.
[ -f "$cache_file" ] && [ ! -s "$cache_file" ] && rm -f "$cache_file"
fi
# Cross-platform ISO to epoch conversion
# Converts ISO 8601 timestamp (e.g. "2025-06-15T12:30:00Z" or "2025-06-15T12:30:00.123+00:00") to epoch seconds.
# Properly handles UTC timestamps and converts to local time.
iso_to_epoch() {
local iso_str="$1"
# Try GNU date first (Linux) — handles ISO 8601 format automatically
local epoch
epoch=$(date -d "${iso_str}" +%s 2>/dev/null)
if [ -n "$epoch" ]; then
echo "$epoch"
return 0
fi
# BSD date (macOS) - handle various ISO 8601 formats
local stripped="${iso_str%%.*}" # Remove fractional seconds (.123456)
stripped="${stripped%%Z}" # Remove trailing Z
stripped="${stripped%%+*}" # Remove timezone offset (+00:00)
stripped="${stripped%%-[0-9][0-9]:[0-9][0-9]}" # Remove negative timezone offset
# Check if timestamp is UTC (has Z or +00:00 or -00:00)
if [[ "$iso_str" == *"Z"* ]] || [[ "$iso_str" == *"+00:00"* ]] || [[ "$iso_str" == *"-00:00"* ]]; then
# For UTC timestamps, parse with timezone set to UTC
epoch=$(env TZ=UTC date -j -f "%Y-%m-%dT%H:%M:%S" "$stripped" +%s 2>/dev/null)
else
epoch=$(date -j -f "%Y-%m-%dT%H:%M:%S" "$stripped" +%s 2>/dev/null)
fi
if [ -n "$epoch" ]; then
echo "$epoch"
return 0
fi
return 1
}
# Format ISO reset time to compact local time
# Usage: format_reset_time <iso_string> <style: time|datetime|date>
format_reset_time() {
local iso_str="$1"
local style="$2"
{ [ -z "$iso_str" ] || [ "$iso_str" = "null" ]; } && return
# Parse ISO datetime and convert to local time (cross-platform)
local epoch
epoch=$(iso_to_epoch "$iso_str")
[ -z "$epoch" ] && return
# Format based on style
# Try GNU date first (Linux), then BSD date (macOS)
# Previous implementation piped BSD date through sed/tr, which always returned
# exit code 0 from the last pipe stage, preventing the GNU date fallback from
# ever executing on Linux.
local formatted=""
case "$style" in
time)
formatted=$(date -d "@$epoch" +"%H:%M" 2>/dev/null) || \
formatted=$(date -j -r "$epoch" +"%H:%M" 2>/dev/null)
;;
datetime)
formatted=$(date -d "@$epoch" +"%a %b %-d, %H:%M" 2>/dev/null) || \
formatted=$(date -j -r "$epoch" +"%a %b %-d, %H:%M" 2>/dev/null)
;;
*)
formatted=$(date -d "@$epoch" +"%b %-d" 2>/dev/null) || \
formatted=$(date -j -r "$epoch" +"%b %-d" 2>/dev/null)
;;
esac
[ -n "$formatted" ] && echo "$formatted"
}
sep=" ${dim}|${reset} "
# Render extra_usage segment from API usage data (not available via stdin rate_limits).
# Appends to the global $out. No-op when data is missing or is_enabled is false.
render_extra_usage() {
local data="$1"
[ -z "$data" ] && return
local enabled
enabled=$(echo "$data" | jq -r '.extra_usage.is_enabled // false' 2>/dev/null)
[ "$enabled" != "true" ] && return
local pct used limit
pct=$(echo "$data" | jq -r '.extra_usage.utilization // 0' | awk '{printf "%.0f", $1}')
used=$(echo "$data" | jq -r '.extra_usage.used_credits // 0' | LC_NUMERIC=C awk '{printf "%.2f", $1/100}')
limit=$(echo "$data" | jq -r '.extra_usage.monthly_limit // 0' | LC_NUMERIC=C awk '{printf "%.2f", $1/100}')
if [ -n "$used" ] && [ -n "$limit" ] && [[ "$used" != *'$'* ]] && [[ "$limit" != *'$'* ]]; then
local color
color=$(usage_color "$pct")
out+="${sep}${white}extra${reset} ${color}\$${used}/\$${limit}${reset}"
else
out+="${sep}${white}extra${reset} ${green}enabled${reset}"
fi
}
if $effective_builtin; then
# ---- Use rate_limits data provided directly by Claude Code in JSON input ----
# resets_at values are Unix epoch integers in this source
if [ -n "$builtin_five_hour_pct" ]; then
five_hour_pct=$(printf "%.0f" "$builtin_five_hour_pct")
five_hour_color=$(usage_color "$five_hour_pct")
out+="${sep}${white}5h${reset} ${five_hour_color}${five_hour_pct}%${reset}"
if [ -n "$builtin_five_hour_reset" ] && [ "$builtin_five_hour_reset" != "null" ]; then
five_hour_reset=$(date -j -r "$builtin_five_hour_reset" +"%H:%M" 2>/dev/null || date -d "@$builtin_five_hour_reset" +"%H:%M" 2>/dev/null)
[ -n "$five_hour_reset" ] && out+=" ${dim}@${five_hour_reset}${reset}"
fi
fi
if [ -n "$builtin_seven_day_pct" ]; then
seven_day_pct=$(printf "%.0f" "$builtin_seven_day_pct")
seven_day_color=$(usage_color "$seven_day_pct")
out+="${sep}${white}7d${reset} ${seven_day_color}${seven_day_pct}%${reset}"
if [ -n "$builtin_seven_day_reset" ] && [ "$builtin_seven_day_reset" != "null" ]; then
seven_day_reset=$(date -j -r "$builtin_seven_day_reset" +"%a %b %-d, %H:%M" 2>/dev/null || date -d "@$builtin_seven_day_reset" +"%a %b %-d, %H:%M" 2>/dev/null)
[ -n "$seven_day_reset" ] && out+=" ${dim}@${seven_day_reset}${reset}"
fi
fi
# Render extra_usage from API cache (stdin rate_limits doesn't expose it)
render_extra_usage "$usage_data"
# Cache builtin values so they're available as fallback when API is unavailable.
# Convert epoch resets_at to ISO 8601 for compatibility with the API-format cache parser.
# Preserve extra_usage from prior API response so we don't clobber it.
_fh_reset_json="null"
if [ -n "$builtin_five_hour_reset" ] && [ "$builtin_five_hour_reset" != "null" ] && [ "$builtin_five_hour_reset" != "0" ]; then
_fh_iso=$(date -u -r "$builtin_five_hour_reset" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || \
date -u -d "@$builtin_five_hour_reset" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null)
[ -n "$_fh_iso" ] && _fh_reset_json="\"$_fh_iso\""
fi
_sd_reset_json="null"
if [ -n "$builtin_seven_day_reset" ] && [ "$builtin_seven_day_reset" != "null" ] && [ "$builtin_seven_day_reset" != "0" ]; then
_sd_iso=$(date -u -r "$builtin_seven_day_reset" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null || \
date -u -d "@$builtin_seven_day_reset" +"%Y-%m-%dT%H:%M:%SZ" 2>/dev/null)
[ -n "$_sd_iso" ] && _sd_reset_json="\"$_sd_iso\""
fi
_extra_json=$(echo "$usage_data" | jq -c '.extra_usage // null' 2>/dev/null)
[ -z "$_extra_json" ] && _extra_json="null"
printf '{"five_hour":{"utilization":%s,"resets_at":%s},"seven_day":{"utilization":%s,"resets_at":%s},"extra_usage":%s}' \
"${builtin_five_hour_pct:-0}" "$_fh_reset_json" \
"${builtin_seven_day_pct:-0}" "$_sd_reset_json" \
"$_extra_json" > "$cache_file" 2>/dev/null
elif [ -n "$usage_data" ] && echo "$usage_data" | jq -e '.five_hour' >/dev/null 2>&1; then
# ---- Fall back: API-fetched usage data ----
# ---- 5-hour (current) ----
five_hour_pct=$(echo "$usage_data" | jq -r '.five_hour.utilization // 0' | awk '{printf "%.0f", $1}')
five_hour_reset_iso=$(echo "$usage_data" | jq -r '.five_hour.resets_at // empty')
five_hour_reset=$(format_reset_time "$five_hour_reset_iso" "time")
five_hour_color=$(usage_color "$five_hour_pct")
out+="${sep}${white}5h${reset} ${five_hour_color}${five_hour_pct}%${reset}"
[ -n "$five_hour_reset" ] && out+=" ${dim}@${five_hour_reset}${reset}"
# ---- 7-day (weekly) ----
seven_day_pct=$(echo "$usage_data" | jq -r '.seven_day.utilization // 0' | awk '{printf "%.0f", $1}')
seven_day_reset_iso=$(echo "$usage_data" | jq -r '.seven_day.resets_at // empty')
seven_day_reset=$(format_reset_time "$seven_day_reset_iso" "datetime")
seven_day_color=$(usage_color "$seven_day_pct")
out+="${sep}${white}7d${reset} ${seven_day_color}${seven_day_pct}%${reset}"
[ -n "$seven_day_reset" ] && out+=" ${dim}@${seven_day_reset}${reset}"
render_extra_usage "$usage_data"
else
# No valid usage data — show placeholders
out+="${sep}${white}5h${reset} ${dim}-${reset}"
out+="${sep}${white}7d${reset} ${dim}-${reset}"
fi
# ===== Update check (cached, 24h TTL) =====
# Set STATUSLINE_CHECK_UPDATES=false to disable the update check (no network calls).
update_line=""
if [ "${STATUSLINE_CHECK_UPDATES:-true}" != "false" ]; then
version_cache_file="/tmp/claude/statusline-version-cache.json"
version_cache_max_age=86400 # 24 hours
version_needs_refresh=true
version_data=""
if [ -f "$version_cache_file" ]; then
vc_mtime=$(stat -c %Y "$version_cache_file" 2>/dev/null || stat -f %m "$version_cache_file" 2>/dev/null)
vc_now=$(date +%s)
vc_age=$(( vc_now - vc_mtime ))
if [ "$vc_age" -lt "$version_cache_max_age" ]; then
version_needs_refresh=false
fi
version_data=$(cat "$version_cache_file" 2>/dev/null)
fi
if $version_needs_refresh; then
touch "$version_cache_file" 2>/dev/null
vc_response=$(curl -s --max-time 5 \
-H "Accept: application/vnd.github+json" \
"https://api.github.com/repos/daniel3303/ClaudeCodeStatusLine/releases/latest" 2>/dev/null)
if [ -n "$vc_response" ] && echo "$vc_response" | jq -e '.tag_name' >/dev/null 2>&1; then
version_data="$vc_response"
echo "$vc_response" > "$version_cache_file"
elif [ ! -s "$version_cache_file" ]; then
rm -f "$version_cache_file" 2>/dev/null
fi
fi
if [ -n "$version_data" ]; then
latest_tag=$(echo "$version_data" | jq -r '.tag_name // empty')
if [ -n "$latest_tag" ] && version_gt "$latest_tag" "$VERSION"; then
update_line="\n${dim}Update available: ${latest_tag} → Tell Claude: \"Find my installed status bar and update it\"${reset}"
fi
fi
fi
# Append CLI version as last segment
if [ -n "$cli_version" ]; then
out+=" ${dim}|${reset} ${orange}v${cli_version}${reset}"
fi
# Output
printf "%b" "$out$update_line"
exit 0
home-manager/modules/gui/default.nix
+78 -22
View File
@@ -1,7 +1,8 @@
{ lib, pkgs', pkgs, config, ... }:
let
inherit (lib) genAttrs mkIf mkMerge mkForce mapAttrs mkOptionDefault;
inherit (lib.my) mkBoolOpt';
inherit (lib) genAttrs mkIf mkMerge mkForce mapAttrs mkOptionDefault mkDefault;
inherit (lib.my) mkOpt' mkBoolOpt';
inherit (lib.my.c) pubDomain;
cfg = config.my.gui;
@@ -15,24 +16,42 @@ let
url = "https://distro.ibiblio.org/slitaz/sources/packages/d/doom1.wad";
hash = "sha256-HX1DvlAeZ9kn5BXguPPinDvzMHXoWXIYFvZSpSbKx3E=";
};
subwaySurfers = pkgs.fetchurl {
url = "https://p.${pubDomain}/video/subway-surfers-smol.mkv";
hash = "sha256-fMe7TDRNTymRHIJOi7qG3trzu4GP8a3gCDz+FMkX1dY=";
};
minecraftParkour = pkgs.fetchurl {
url = "https://p.${pubDomain}/video/minecraft-parkour-smol.mkv";
hash = "sha256-723pRm4AsIjY/WFUyAHzTJp+JvH4Pn5hvzF9wHTnOPA=";
};
doomsaver = pkgs.runCommand "doomsaver" {
inherit (pkgs) windowtolayer;
genLipsum = pkgs.writeScript "lipsum" ''
#!${pkgs.python3.withPackages (ps: [ ps.python-lorem ])}/bin/python
import lorem
print(lorem.get_paragraph(count=5, sep='\n\n'))
'';
doomsaver' = brainrotTextCommand: pkgs.runCommand "doomsaver" {
inherit (pkgs) windowtolayer tmux terminaltexteffects;
chocoDoom = pkgs.chocolate-doom2xx;
ffmpeg = pkgs.ffmpeg-full;
python = pkgs.python3.withPackages (ps: [ ps.filelock ]);
inherit doomWad;
enojy = ./enojy.jpg;
inherit brainrotTextCommand subwaySurfers minecraftParkour;
} ''
mkdir -p "$out"/bin
substituteAll ${./screensaver.py} "$out"/bin/doomsaver
chmod +x "$out"/bin/doomsaver
'';
doomsaver = doomsaver' cfg.screensaver.brainrotTextCommand;
in
{
options.my.gui = {
options.my.gui = with lib.types; {
enable = mkBoolOpt' true "Enable settings and packages meant for graphical systems";
manageGraphical = mkBoolOpt' false "Configure the graphical session";
standalone = mkBoolOpt' false "Enable settings for fully Nix managed systems";
screensaver.brainrotTextCommand = mkOpt' (either path str) genLipsum "Command to generate brainrot text.";
};
config = mkIf cfg.enable (mkMerge [
@@ -44,7 +63,7 @@ in
font.package
nerd-fonts.sauce-code-pro
nerd-fonts.droid-sans-mono
noto-fonts-emoji
noto-fonts-color-emoji
grim
slurp
@@ -60,10 +79,11 @@ in
jp2a
terminaltexteffects
screenfetch
neofetch
fastfetch
cmatrix
doomsaver
ffmpeg-full
xournalpp
];
};
@@ -102,12 +122,6 @@ in
};
};
termite = {
enable = true;
font = "${font.name} ${toString font.size}";
backgroundColor = "rgba(0, 0, 0, 0.8)";
};
foot = {
enable = true;
settings = {
@@ -141,6 +155,19 @@ in
};
};
};
claude-code = {
enable = true;
settings = {
model = "opus";
theme = "auto";
statusLine = {
type = "command";
command = ./claude-statusline.sh;
padding = 0;
};
};
};
};
}
@@ -367,6 +394,10 @@ in
name = "Numix";
package = pkgs.numix-gtk-theme;
};
gtk4.theme = {
name = "Numix";
package = pkgs.numix-gtk-theme;
};
iconTheme = {
name = "Numix";
package = pkgs.numix-icon-theme;
@@ -395,29 +426,53 @@ in
device_type = "computer";
};
};
easyeffects = {
enable = mkDefault false;
preset = mkDefault "moar-bass";
extraPresets = {
moar-bass = {
output = {
"bass_enhancer#0" = {
amount = 3;
blend = 0;
bypass = false;
floor = 20;
floor-active = false;
harmonics = 8.5;
input-gain = 0;
output-gain = 0;
scope = 100;
};
blocklist = [ ];
plugins_order = [ "bass_enhancer#0" ];
};
};
};
};
};
programs = {
git = {
enable = true;
diff-so-fancy.enable = true;
userEmail = "jackos1998@gmail.com";
userName = "Jack O'Sullivan";
lfs.enable = true;
extraConfig = {
settings = {
user = {
email = "jackos1998@gmail.com";
name = "Jack O'Sullivan";
};
pull.rebase = true;
};
lfs.enable = true;
};
diff-so-fancy.enable = true;
waybar = import ./waybar.nix { inherit lib pkgs config font; };
rofi = {
package = pkgs.rofi-wayland;
enable = true;
font = "${font.name} ${toString font.size}";
plugins = with pkgs; (map (p: p.override { rofi-unwrapped = rofi-wayland-unwrapped; }) [
plugins = with pkgs; [
rofi-calc
]) ++ [
rofi-emoji-wayland
rofi-emoji
];
extraConfig = {
modes = "window,run,ssh,filebrowser,calc,emoji";
@@ -474,6 +529,7 @@ in
userDirs = {
enable = true;
createDirectories = true;
setSessionVariables = true;
desktop = "$HOME/desktop";
documents = "$HOME/documents";
download = "$HOME/downloads";
home-manager/modules/gui/screensaver.py
+49 -1
View File
@@ -73,7 +73,7 @@ class TTESaver(Screensaver):
def wait(self):
while self.running:
effect_cmd = ['tte', random.choice(self.effects)]
effect_cmd = ['@terminaltexteffects@/bin/tte', random.choice(self.effects)]
print(f"$ {self.cmd} | {' '.join(effect_cmd)}")
content = subprocess.check_output(self.cmd, shell=True, env=self.env, stderr=subprocess.DEVNULL)
@@ -86,6 +86,51 @@ class TTESaver(Screensaver):
self.running = False
self.proc.terminate()
class FFmpegCACASaver(Screensaver):
@staticmethod
def command(video, size):
return ['@ffmpeg@/bin/ffmpeg', '-hide_banner', '-loglevel', 'error',
'-stream_loop', '-1', '-i', video,
'-pix_fmt', 'rgb24', '-window_size', f'{size}x{size}',
'-f', 'caca', '-']
def __init__(self, video, weight=2):
cols, lines = os.get_terminal_size()
# IDK if it's reasonable to do this as "1:1"
size = lines - 4
super().__init__(
self.command(video, size),
env={'CACA_DRIVER': 'ncurses'},
weight=weight,
)
def stop(self):
super().stop(kill=True)
class BrainrotStorySaver(Screensaver):
def __init__(self, video, text_command, weight=2):
cols, lines = os.get_terminal_size()
video_size = lines - 1
video_command = ' '.join(FFmpegCACASaver.command(video, video_size))
text_command = (
f'while true; do {text_command} | '
f'@terminaltexteffects@/bin/tte --wrap-text --canvas-width=80 --canvas-height={video_size//2} --anchor-canvas=c '
'print --final-gradient-stops=ffffff; clear; done' )
self.tmux_session = f'screensaver-{os.urandom(4).hex()}'
super().__init__(
['@tmux@/bin/tmux', 'new-session', '-s', self.tmux_session, '-n', 'brainrot',
text_command, ';', 'split-window', '-hbl', str(lines), video_command],
# ['sh', '-c', text_command],
env={
'CACA_DRIVER': 'ncurses',
'SHELL': '/bin/sh',
},
weight=weight,
)
def stop(self):
subprocess.check_call(['@tmux@/bin/tmux', 'kill-session', '-t', self.tmux_session])
class MultiSaver:
savers = [
DoomSaver(0),
@@ -100,6 +145,9 @@ class MultiSaver:
TTESaver('ss -nltu'),
TTESaver('ss -ntu'),
TTESaver('jp2a --width=100 @enojy@'),
BrainrotStorySaver('@subwaySurfers@', '@brainrotTextCommand@'),
BrainrotStorySaver('@minecraftParkour@', '@brainrotTextCommand@'),
]
state_filename = 'screensaver.json'
lib/constants.nix
+81 -6
View File
@@ -13,6 +13,7 @@ rec {
kea = 404;
keepalived_script = 405;
photoprism = 406;
copyparty = 408;
};
gids = {
matrix-syncv3 = 400;
@@ -22,12 +23,14 @@ rec {
kea = 404;
keepalived_script = 405;
photoprism = 406;
adbusers = 407;
copyparty = 408;
};
};
kernel = {
lts = pkgs: pkgs.linuxKernel.packages.linux_6_6;
latest = pkgs: pkgs.linuxKernel.packages.linux_6_12;
lts = pkgs: pkgs.linuxKernel.packages.linux_6_18;
latest = pkgs: pkgs.linuxKernel.packages.linux_7_0;
};
nginx = rec {
@@ -139,6 +142,16 @@ rec {
v4 = subnet 8 4 all.v4;
};
p2pTunnels = {
v4 = subnet 8 5 all.v4;
};
hillcrest = {
v4 = subnet 6 0 p2pTunnels.v4;
};
john-valorant = {
v4 = subnet 6 1 p2pTunnels.v4;
};
cust = {
v4 = subnet 8 100 all.v4; # single ip for routing only
v6 = "2a0e:97c0:4d2:2000::/56";
@@ -199,10 +212,28 @@ rec {
port = 25566;
dst = aa.simpcraft-staging-oci.internal.ipv4.address;
}
{
port = 25567;
dst = aa.kevcraft-oci.internal.ipv4.address;
}
{
port = 25568;
dst = aa.kinkcraft-oci.internal.ipv4.address;
}
{
port = 25569;
dst = aa.graeme-oci.internal.ipv4.address;
}
# RCON... unsafe?
# {
# port = 25575;
# dst = aa.simpcraft-oci.internal.ipv4.address;
# }
{
port = 25575;
dst = aa.simpcraft-oci.internal.ipv4.address;
port = 7777;
dst = aa.gam.internal.ipv4.address;
}
{
@@ -227,6 +258,21 @@ rec {
dst = aa.simpcraft-oci.internal.ipv4.address;
proto = "udp";
}
{
port = 25567;
dst = aa.kevcraft-oci.internal.ipv4.address;
proto = "udp";
}
{
port = 25568;
dst = aa.kinkcraft-oci.internal.ipv4.address;
proto = "udp";
}
{
port = 25569;
dst = aa.graeme-oci.internal.ipv4.address;
proto = "udp";
}
{
port = 15636;
@@ -244,6 +290,12 @@ rec {
dst = aa.qclk.internal.ipv4.address;
proto = "udp";
}
{
port = 7777;
dst = aa.gam.internal.ipv4.address;
proto = "udp";
}
];
fstrimConfig = {
@@ -267,8 +319,8 @@ rec {
"stream"
];
routersPubV4 = [
"109.255.31.155"
"109.255.252.63"
"109.255.108.88"
"109.255.108.121"
];
prefixes = with lib.my.net.cidr; rec {
@@ -334,6 +386,20 @@ rec {
assignedV6 = "2001:19f0:7402:128b:5400:04ff:feac:6e06";
};
britnet = {
domain = "bhx1.int.${pubDomain}";
pubV4 = "77.74.199.67";
vpn = {
port = 51820;
};
prefixes = with lib.my.net.cidr; rec {
vpn = {
v4 = "10.200.0.0/24";
v6 = "fdfb:5ebf:6e84::/64";
};
};
};
tailscale = {
prefix = {
v4 = "100.64.0.0/10";
@@ -378,6 +444,15 @@ rec {
ctrs.v4 = subnet 4 0 all.v4;
};
};
hillcrest = {
vpn.port = 51822;
};
john-valorant = {
vpn.port = 51823;
};
sshKeyFiles = {
me = ../.keys/me.pub;
deploy = ../.keys/deploy.pub;
lib/default.nix
+7 -6
View File
@@ -1,11 +1,11 @@
{ lib }:
{ inputs, lib }:
let
inherit (builtins) length match elemAt filter replaceStrings substring;
inherit (lib)
genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types
mkOption mkOverride mkForce mkIf mergeEqualOption optional
showWarnings concatStringsSep flatten unique optionalAttrs
mkBefore toLower;
mkBefore toLower splitString last;
inherit (lib.flake) defaultSystems;
in
rec {
@@ -23,7 +23,7 @@ rec {
attrsToNVList = mapAttrsToList nameValuePair;
inherit (import ./net.nix { inherit lib; }) net;
inherit ((import "${inputs.libnetRepo}/lib/netu.nix" { inherit lib; }).lib) net;
dns = import ./dns.nix { inherit lib; };
c = import ./constants.nix { inherit lib; };
@@ -53,7 +53,7 @@ rec {
in mkApp "${app}/bin/${app.meta.mainProgram}";
flakePackageOverlay' = flake: pkg: system: (final: prev:
let
pkg' = if pkg != null then flake.packages.${system}.${pkg} else flake.defaultPackage.${system};
pkg' = if pkg != null then flake.packages.${system}.${pkg} else flake.packages.${system}.default;
name = if pkg != null then pkg else pkg'.name;
in
{
@@ -248,12 +248,13 @@ rec {
in
{
trivial = prev.trivial // {
release = "24.12:u-${prev.trivial.release}";
codeName = "Epic";
release = "26.06:u-${prev.trivial.release}";
codeName = "Irritating";
revisionWithDefault = default: self.rev or default;
versionSuffix = ".${date}.${revCode self}:u-${revCode pkgsFlake}";
};
};
upstreamRelease = last (splitString "-" lib.trivial.release);
netbootKeaClientClasses = { tftpIP, hostname, systems }:
let
lib/net.nix
-1322
View File
File diff suppressed because it is too large Load Diff
nixos/boxes/britnet.nix
+191
View File
@@ -0,0 +1,191 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.britnet) domain pubV4 prefixes;
in
{
nixos.systems.britnet = {
system = "x86_64-linux";
nixpkgs = "mine";
assignments = {
allhost = {
inherit domain;
ipv4 = {
address = pubV4;
mask = 24;
gateway = "77.74.199.1";
};
ipv6 = {
address = "2a12:ab46:5344:99::a";
gateway = "2a12:ab46:5344::1";
};
};
vpn = {
ipv4 = {
address = net.cidr.host 1 prefixes.vpn.v4;
gateway = null;
};
ipv6.address = net.cidr.host 1 prefixes.vpn.v6;
};
};
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
let
inherit (lib) mkMerge mkForce;
inherit (lib.my) networkdAssignment;
in
{
imports = [
"${modulesPath}/profiles/qemu-guest.nix"
];
config = mkMerge [
{
boot = {
initrd.availableKernelModules = [
"ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "ahci" "sr_mod" "virtio_blk"
];
loader = {
systemd-boot.enable = false;
grub = {
enable = true;
device = "/dev/vda";
};
};
};
fileSystems = {
"/boot" = {
device = "/dev/disk/by-uuid/457444a1-81dd-4934-960c-650ad16c92b5";
fsType = "ext4";
};
"/nix" = {
device = "/dev/disk/by-uuid/992c0c79-5be6-45b6-bc30-dc82e3ec082a";
fsType = "ext4";
};
"/persist" = {
device = "/dev/disk/by-uuid/f020a955-54d5-4098-98ba-d3615781d96a";
fsType = "ext4";
neededForBoot = true;
};
};
environment = {
systemPackages = with pkgs; [
wireguard-tools
];
};
services = {
iperf3 = {
enable = true;
openFirewall = true;
};
tailscale = {
enable = true;
authKeyFile = config.age.secrets."tailscale-auth.key".path;
openFirewall = true;
interfaceName = "tailscale0";
extraUpFlags = [
"--operator=${config.my.user.config.name}"
"--login-server=https://hs.nul.ie"
"--netfilter-mode=off"
"--advertise-exit-node"
"--accept-routes=false"
];
};
};
networking = { inherit domain; };
systemd.network = {
netdevs = {
"30-wg0" = {
netdevConfig = {
Name = "wg0";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."britnet/wg.key".path;
ListenPort = lib.my.c.britnet.vpn.port;
};
wireguardPeers = [
{
PublicKey = "EfPwREfZ/q3ogHXBIqFZh4k/1NRJRyq4gBkBXtegNkE=";
AllowedIPs = [
(net.cidr.host 10 prefixes.vpn.v4)
(net.cidr.host 10 prefixes.vpn.v6)
];
}
];
};
};
links = {
"10-veth0" = {
matchConfig.PermanentMACAddress = "00:db:d9:62:68:1a";
linkConfig.Name = "veth0";
};
};
networks = {
"20-veth0" = mkMerge [
(networkdAssignment "veth0" assignments.allhost)
{
dns = [ "1.1.1.1" "1.0.0.1" ];
routes = [
{
# Gateway is on a different network for some reason...
Destination = "2a12:ab46:5344::1";
Scope = "link";
}
];
}
];
"30-wg0" = mkMerge [
(networkdAssignment "wg0" assignments.vpn)
{
networkConfig.IPv6AcceptRA = mkForce false;
}
];
};
};
my = {
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJIEx+1EC/lN6WKIaOB+O5LJgVHRK962YpZEPQg/m78O";
files = {
"tailscale-auth.key" = {};
"britnet/wg.key" = {
owner = "systemd-network";
};
};
};
firewall = {
udp.allowed = [ lib.my.c.britnet.vpn.port ];
trustedInterfaces = [ "tailscale0" ];
extraRules = ''
table inet filter {
chain forward {
iifname wg0 oifname veth0 accept
}
}
table inet nat {
chain postrouting {
iifname { tailscale0, wg0 } oifname veth0 snat ip to ${assignments.allhost.ipv4.address}
iifname { tailscale0, wg0 } oifname veth0 snat ip6 to ${assignments.allhost.ipv6.address}
}
}
'';
};
};
}
];
};
};
}
nixos/boxes/britway/bgp.nix
+5 -4
View File
@@ -11,23 +11,24 @@ in
config = {
my = {
secrets.files."britway/bgp-password-vultr.conf" = {
owner = "bird2";
group = "bird2";
owner = "bird";
group = "bird";
};
};
environment.etc."bird/vultr-password.conf".source = config.age.secrets."britway/bgp-password-vultr.conf".path;
systemd = {
services.bird2.after = [ "systemd-networkd-wait-online@veth0.service" ];
services.bird.after = [ "systemd-networkd-wait-online@veth0.service" ];
network = {
config.networkConfig.ManageForeignRoutes = false;
};
};
services = {
bird2 = {
bird = {
enable = true;
package = pkgs.bird2;
preCheckConfig = ''
echo '"dummy"' > vultr-password.conf
'';
nixos/boxes/britway/nginx.nix
+1 -7
View File
@@ -9,11 +9,6 @@ in
config = {
my = {
secrets.files = {
"dhparams.pem" = {
owner = "acme";
group = "acme";
mode = "440";
};
"britway/cloudflare-credentials.conf" = {
owner = "acme";
group = "acme";
@@ -45,7 +40,7 @@ in
"*.${pubDomain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."britway/cloudflare-credentials.conf".path;
environmentFile = config.age.secrets."britway/cloudflare-credentials.conf".path;
};
};
};
@@ -58,7 +53,6 @@ in
logError = "stderr info";
recommendedTlsSettings = true;
serverTokens = true;
sslDhparam = config.age.secrets."dhparams.pem".path;
# Based on recommended*Settings, but probably better to be explicit about these
appendHttpConfig = ''
nixos/boxes/britway/tailscale.nix
+1 -16
View File
@@ -4,22 +4,6 @@ let
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.britway) prefixes domain;
# Can't use overrideAttrs because we need to override `vendorHash` within `buildGoModule`
headscale' = (pkgs.headscale.override {
buildGoModule = args: pkgs.buildGoModule (args // rec {
version = "0.23.0-alpha12";
src = pkgs.fetchFromGitHub {
owner = "juanfont";
repo = "headscale";
rev = "v${version}";
hash = "sha256-kZZK0cXnFARxblSMz01TDcBbTorkHGAwGpR+a4/mYfU=";
};
patches = [];
vendorHash = "sha256-EorT2AVwA3usly/LcNor6r5UIhLCdj3L4O4ilgTIC2o=";
doCheck = false;
});
});
advRoutes = concatStringsSep "," [
lib.my.c.home.prefixes.all.v4
lib.my.c.home.prefixes.all.v6
@@ -52,6 +36,7 @@ in
noise.private_key_path = "/var/lib/headscale/noise_private.key";
prefixes = with lib.my.c.tailscale.prefix; { inherit v4 v6; };
dns = {
override_local_dns = false;
# Use IPs that will route inside the VPN to prevent interception
# (e.g. DNS rebinding filtering)
nameservers.split = {
nixos/boxes/colony/vms/estuary/bgp.nix
+83 -53
View File
@@ -8,8 +8,9 @@ in
{
config = {
services = {
bird2 = {
bird = {
enable = true;
package = pkgs.bird2;
# TODO: Clean up and modularise
config = ''
define OWNAS = 211024;
@@ -232,59 +233,88 @@ in
neighbor 2a07:cd40:1::9 as 202413;
}
protocol bgp ixp4_frysix_rs1 from ixp_bgp4 {
description "Frys-IX route server 1 (IPv4)";
neighbor 185.1.203.253 as 56393;
protocol bgp ixp4_frysix_rs3 from ixp_bgp4 {
description "Frys-IX route server 3 (IPv4)";
neighbor 185.1.160.255 as 56393;
}
protocol bgp ixp6_frysix_rs1 from ixp_bgp6 {
description "Frys-IX route server 1 (IPv6)";
neighbor 2001:7f8:10f::dc49:253 as 56393;
protocol bgp ixp6_frysix_rs3 from ixp_bgp6 {
description "Frys-IX route server 3 (IPv6)";
neighbor 2001:7f8:10f::dc49:1 as 56393;
}
protocol bgp ixp4_frysix_rs2 from ixp_bgp4 {
description "Frys-IX route server 2 (IPv4)";
neighbor 185.1.203.254 as 56393;
protocol bgp ixp4_frysix_rs4 from ixp_bgp4 {
description "Frys-IX route server 4 (IPv4)";
neighbor 185.1.161.0 as 56393;
}
protocol bgp ixp6_frysix_rs2 from ixp_bgp6 {
description "Frys-IX route server 2 (IPv6)";
neighbor 2001:7f8:10f::dc49:254 as 56393;
protocol bgp ixp6_frysix_rs4 from ixp_bgp6 {
description "Frys-IX route server 4 (IPv6)";
neighbor 2001:7f8:10f::dc49:2 as 56393;
}
protocol bgp peer4_frysix_luje from peer_bgp4 {
description "LUJE.net (on Frys-IX, IPv4)";
neighbor 185.1.203.152 as 212855;
neighbor 185.1.160.152 as 212855;
}
protocol bgp peer6_frysix_luje from peer_bgp6 {
description "LUJE.net (on Frys-IX, IPv6)";
neighbor 2001:7f8:10f::3:3f95:152 as 212855;
}
protocol bgp peer4_frysix_he from peer_bgp4 {
description "Hurricane Electric (on Frys-IX, IPv4)";
neighbor 185.1.203.154 as 6939;
neighbor 185.1.160.154 as 6939;
}
protocol bgp peer4_frysix_cloudflare from peer_bgp4 {
description "Cloudflare (on Frys-IX, IPv4)";
neighbor 185.1.203.217 as 13335;
protocol bgp peer4_frysix_cloudflare1 from peer_bgp4 {
description "Cloudflare 1 (on Frys-IX, IPv4)";
neighbor 185.1.160.217 as 13335;
}
protocol bgp peer6_frysix_cloudflare from peer_bgp6 {
description "Cloudflare (on Frys-IX, IPv6)";
protocol bgp peer4_frysix_cloudflare2 from peer_bgp4 {
description "Cloudflare 2 (on Frys-IX, IPv4)";
neighbor 185.1.160.109 as 13335;
}
protocol bgp peer6_frysix_cloudflare1 from peer_bgp6 {
description "Cloudflare 1 (on Frys-IX, IPv6)";
neighbor 2001:7f8:10f::3417:217 as 13335;
}
protocol bgp peer6_frysix_cloudflare2 from peer_bgp6 {
description "Cloudflare 2 (on Frys-IX, IPv6)";
neighbor 2001:7f8:10f::3417:109 as 13335;
}
protocol bgp peer4_frysix_jurrian from peer_bgp4 {
description "AS212635 aka jurrian (on Frys-IX, IPv4)";
neighbor 185.1.203.134 as 212635;
neighbor 185.1.160.134 as 212635;
}
protocol bgp peer6_frysix_jurrian from peer_bgp6 {
description "AS212635 aka jurrian (on Frys-IX, IPv6)";
neighbor 2001:7f8:10f::3:3e9b:134 as 212635;
}
protocol bgp peer4_nlix_meta1 from peer_bgp4 {
description "Meta 1 (on NL-ix, IPv4)";
neighbor 193.239.116.147 as 32934;
}
protocol bgp peer4_nlix_meta2 from peer_bgp4 {
description "Meta 2 (on NL-ix, IPv4)";
neighbor 193.239.116.148 as 32934;
}
protocol bgp peer6_nlix_meta1 from peer_bgp6 {
description "Meta 1 (on NL-ix, IPv6)";
neighbor 2001:7f8:13::a503:2934:1 as 32934;
}
protocol bgp peer6_nlix_meta2 from peer_bgp6 {
description "Meta 2 (on NL-ix, IPv6)";
neighbor 2001:7f8:13::a503:2934:2 as 32934;
}
protocol bgp peer4_frysix_meta1 from peer_bgp4 {
description "Meta 1 (on Frys-IX, IPv4)";
neighbor 185.1.203.225 as 32934;
neighbor 185.1.160.225 as 32934;
}
protocol bgp peer4_frysix_meta2 from peer_bgp4 {
description "Meta 2 (on Frys-IX, IPv4)";
neighbor 185.1.203.226 as 32934;
neighbor 185.1.160.226 as 32934;
}
protocol bgp peer6_frysix_meta1 from peer_bgp6 {
description "Meta 1 (on Frys-IX, IPv6)";
@@ -317,36 +347,36 @@ in
ipv6 { preference (PREFIXP-1); };
}
protocol bgp peer4_nlix_cloudflare1 from peer_bgp4 {
description "Cloudflare NL-ix 1 (IPv4)";
neighbor 193.239.117.14 as 13335;
ipv4 { preference (PREFPEER-1); };
}
protocol bgp peer4_nlix_cloudflare2 from peer_bgp4 {
description "Cloudflare NL-ix 2 (IPv4)";
neighbor 193.239.117.114 as 13335;
ipv4 { preference (PREFPEER-1); };
}
protocol bgp peer4_nlix_cloudflare3 from peer_bgp4 {
description "Cloudflare NL-ix 3 (IPv4)";
neighbor 193.239.118.138 as 13335;
ipv4 { preference (PREFPEER-1); };
}
protocol bgp peer6_nlix_cloudflare1 from peer_bgp6 {
description "Cloudflare NL-ix 1 (IPv6)";
neighbor 2001:7f8:13::a501:3335:1 as 13335;
ipv6 { preference (PREFPEER-1); };
}
protocol bgp peer6_nlix_cloudflare2 from peer_bgp6 {
description "Cloudflare NL-ix 2 (IPv6)";
neighbor 2001:7f8:13::a501:3335:2 as 13335;
ipv6 { preference (PREFPEER-1); };
}
protocol bgp peer6_nlix_cloudflare3 from peer_bgp6 {
description "Cloudflare NL-ix 3 (IPv6)";
neighbor 2001:7f8:13::a501:3335:3 as 13335;
ipv6 { preference (PREFPEER-1); };
}
# protocol bgp peer4_nlix_cloudflare1 from peer_bgp4 {
# description "Cloudflare NL-ix 1 (IPv4)";
# neighbor 193.239.117.14 as 13335;
# ipv4 { preference (PREFPEER-1); };
# }
# protocol bgp peer4_nlix_cloudflare2 from peer_bgp4 {
# description "Cloudflare NL-ix 2 (IPv4)";
# neighbor 193.239.117.114 as 13335;
# ipv4 { preference (PREFPEER-1); };
# }
# protocol bgp peer4_nlix_cloudflare3 from peer_bgp4 {
# description "Cloudflare NL-ix 3 (IPv4)";
# neighbor 193.239.118.138 as 13335;
# ipv4 { preference (PREFPEER-1); };
# }
# protocol bgp peer6_nlix_cloudflare1 from peer_bgp6 {
# description "Cloudflare NL-ix 1 (IPv6)";
# neighbor 2001:7f8:13::a501:3335:1 as 13335;
# ipv6 { preference (PREFPEER-1); };
# }
# protocol bgp peer6_nlix_cloudflare2 from peer_bgp6 {
# description "Cloudflare NL-ix 2 (IPv6)";
# neighbor 2001:7f8:13::a501:3335:2 as 13335;
# ipv6 { preference (PREFPEER-1); };
# }
# protocol bgp peer6_nlix_cloudflare3 from peer_bgp6 {
# description "Cloudflare NL-ix 3 (IPv6)";
# neighbor 2001:7f8:13::a501:3335:3 as 13335;
# ipv6 { preference (PREFPEER-1); };
# }
protocol bgp peer4_nlix_jurrian from peer_bgp4 {
description "AS212635 aka jurrian (on NL-ix, IPv4)";
neighbor 193.239.117.55 as 212635;
nixos/boxes/colony/vms/estuary/default.nix
+87 -9
View File
@@ -104,11 +104,9 @@ in
lvm = {
dmeventd.enable = true;
};
resolved = {
llmnr = "false";
extraConfig = ''
MulticastDNS=false
'';
resolved.settings.Resolve = {
LLMNR = false;
MulticastDNS = false;
};
netdata.enable = true;
@@ -171,6 +169,44 @@ in
];
};
}
{
"30-hillcrest" = {
netdevConfig = {
Name = "hillcrest";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."estuary/hillcrest-wg.key".path;
ListenPort = lib.my.c.hillcrest.vpn.port;
};
wireguardPeers = [
{
PublicKey = "+67Ks+ZRk1ssNCfg5BFKmIE9NtLasAxRE6XMqufx5GY=";
AllowedIPs = [ (net.cidr.host 2 prefixes.hillcrest.v4) ];
PersistentKeepalive = 25;
}
];
};
}
{
"30-john-valorant" = {
netdevConfig = {
Name = "john-valorant";
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = config.age.secrets."estuary/john-valorant-wg.key".path;
ListenPort = lib.my.c.john-valorant.vpn.port;
};
wireguardPeers = [
{
PublicKey = "xyqKF0yOAv1bObN1paL2vATFh77pdFfvN+JmuAxaTCk=";
AllowedIPs = [ (net.cidr.host 2 prefixes.john-valorant.v4) ];
PersistentKeepalive = 25;
}
];
};
}
];
links = {
@@ -218,7 +254,7 @@ in
in
mkMerge
[
(mkIXPConfig "frys-ix" "185.1.203.196/24" "2001:7f8:10f::3:3850:196/64")
(mkIXPConfig "frys-ix" "185.1.160.196/23" "2001:7f8:10f::3:3850:196/64")
(mkIXPConfig "nl-ix" "193.239.116.145/22" "2001:7f8:13::a521:1024:1/64")
(mkIXPConfig "fogixp" "185.1.147.159/24" "2001:7f8:ca:1::159/64")
{
@@ -346,6 +382,26 @@ in
}
];
};
"95-hillcrest" = {
matchConfig.Name = "hillcrest";
address = [ "${net.cidr.host 1 prefixes.hillcrest.v4}/32" ];
routes = [
{
Destination = net.cidr.host 2 prefixes.hillcrest.v4;
Scope = "link";
}
];
};
"95-john-valorant" = {
matchConfig.Name = "john-valorant";
address = [ "${net.cidr.host 1 prefixes.john-valorant.v4}/32" ];
routes = [
{
Destination = net.cidr.host 2 prefixes.john-valorant.v4;
Scope = "link";
}
];
};
} ];
};
@@ -356,6 +412,12 @@ in
"estuary/kelder-wg.key" = {
owner = "systemd-network";
};
"estuary/hillcrest-wg.key" = {
owner = "systemd-network";
};
"estuary/john-valorant-wg.key" = {
owner = "systemd-network";
};
"l2mesh/as211024.key" = {};
};
};
@@ -367,7 +429,13 @@ in
};
};
firewall = {
udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
udp.allowed = [
5353
lib.my.c.kelder.vpn.port
lib.my.c.hillcrest.vpn.port
lib.my.c.john-valorant.vpn.port
];
tcp.allowed = [ 5353 "bgp" ];
nat = {
enable = true;
@@ -399,8 +467,12 @@ in
ip6 daddr ${aa.middleman.internal.ipv6.address} tcp dport { http, https, 8448 } accept
${matchInet "tcp dport { http, https } accept" "git"}
ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport { 25565, 25575 } accept
ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} tcp dport 25565 accept
ip6 daddr ${aa.simpcraft-staging-oci.internal.ipv6.address} tcp dport 25565 accept
ip6 daddr ${aa.kevcraft-oci.internal.ipv6.address} tcp dport 25567 accept
ip6 daddr ${aa.kinkcraft-oci.internal.ipv6.address} tcp dport 25568 accept
ip6 daddr ${aa.graeme-oci.internal.ipv6.address} tcp dport 25569 accept
ip6 daddr ${aa.gam.internal.ipv6.address} tcp dport 7777 accept
return
}
chain routing-udp {
@@ -408,6 +480,10 @@ in
ip6 daddr ${aa.waffletail.internal.ipv6.address} udp dport 41641 accept
ip6 daddr ${aa.simpcraft-oci.internal.ipv6.address} udp dport 25565 accept
ip6 daddr ${aa.enshrouded-oci.internal.ipv6.address} udp dport { 15636-15637 } accept
ip6 daddr ${aa.kevcraft-oci.internal.ipv6.address} udp dport 25567 accept
ip6 daddr ${aa.kinkcraft-oci.internal.ipv6.address} udp dport 25568 accept
ip6 daddr ${aa.graeme-oci.internal.ipv6.address} udp dport 25569 accept
ip6 daddr ${aa.gam.internal.ipv6.address} udp dport 7777 accept
return
}
chain filter-routing {
@@ -428,7 +504,7 @@ in
iifname { wan, as211024, $ixps } oifname base jump filter-routing
oifname $ixps jump ixp
iifname base oifname { base, wan, $ixps } accept
oifname { as211024, kelder } accept
oifname { as211024, kelder, hillcrest, john-valorant } accept
}
chain output {
oifname ifog ether type != vlan reject
@@ -440,6 +516,8 @@ in
${matchInet "meta l4proto { udp, tcp } th dport domain redirect to :5353" "estuary"}
}
chain postrouting {
oifname hillcrest snat ip to ${net.cidr.host 1 prefixes.hillcrest.v4}
oifname john-valorant snat ip to ${net.cidr.host 1 prefixes.john-valorant.v4}
ip saddr ${prefixes.all.v4} oifname != as211024 snat to ${assignments.internal.ipv4.address}
}
}
nixos/boxes/colony/vms/estuary/dns.nix
+56 -35
View File
@@ -14,7 +14,7 @@ in
owner = "pdns";
group = "pdns";
};
"estuary/pdns/recursor.conf" = {
"estuary/pdns/recursor.yml" = {
owner = "pdns-recursor";
group = "pdns-recursor";
};
@@ -31,7 +31,7 @@ in
pdns.recursor = {
enable = true;
extraSettingsFile = config.age.secrets."estuary/pdns/recursor.conf".path;
extraSettingsFile = config.age.secrets."estuary/pdns/recursor.yml".path;
};
};
@@ -44,45 +44,55 @@ in
};
pdns-recursor = {
dns = {
address = [
"127.0.0.1" "::1"
assignments.base.ipv4.address assignments.base.ipv6.address
];
allowFrom = [
"127.0.0.0/8" "::1/128"
prefixes.all.v4 prefixes.all.v6
] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
};
settings = {
query-local-address = [
assignments.internal.ipv4.address
assignments.internal.ipv6.address
assignments.base.ipv6.address
];
forward-zones = map (z: "${z}=127.0.0.1:5353") authZones;
incoming = {
listen = [
"127.0.0.1" "::1"
assignments.base.ipv4.address assignments.base.ipv6.address
];
allow_from = [
"127.0.0.0/8" "::1/128"
prefixes.all.v4 prefixes.all.v6
] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
# DNS NOTIFY messages override TTL
allow-notify-for = authZones;
allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
# DNS NOTIFY messages override TTL
allow_notify_for = authZones;
allow_notify_from = [ "127.0.0.0/8" "::1/128" ];
};
webserver = true;
webserver-address = "::";
webserver-allow-from = [ "127.0.0.1" "::1" ];
outgoing = {
source_address = [
assignments.internal.ipv4.address
assignments.internal.ipv6.address
assignments.base.ipv6.address
];
};
lua-dns-script = pkgs.writeText "pdns-script.lua" ''
function preresolve(dq)
if dq.qname:equal("nix-cache.nul.ie") then
dq:addAnswer(pdns.CNAME, "http.${config.networking.domain}.")
dq.rcode = 0
dq.followupFunction = "followCNAMERecords"
return true
recursor = {
forward_zones = map (z: {
zone = z;
forwarders = [ "127.0.0.1:5353" ];
}) authZones;
lua_dns_script = pkgs.writeText "pdns-script.lua" ''
function preresolve(dq)
if dq.qname:equal("nix-cache.nul.ie") then
dq:addAnswer(pdns.CNAME, "http.${config.networking.domain}.")
dq.rcode = 0
dq.followupFunction = "followCNAMERecords"
return true
end
return false
end
'';
};
return false
end
'';
webservice = {
webserver = true;
address = "::";
allow_from = [ "127.0.0.1" "::1" ];
};
};
};
};
@@ -154,6 +164,14 @@ in
simpcraft-staging IN A ${assignments.internal.ipv4.address}
simpcraft-staging IN AAAA ${allAssignments.simpcraft-staging-oci.internal.ipv6.address}
enshrouded IN A ${assignments.internal.ipv4.address}
kevcraft IN A ${assignments.internal.ipv4.address}
kevcraft IN AAAA ${allAssignments.kevcraft-oci.internal.ipv6.address}
kinkcraft IN A ${assignments.internal.ipv4.address}
kinkcraft IN AAAA ${allAssignments.kinkcraft-oci.internal.ipv6.address}
graeme IN A ${assignments.internal.ipv4.address}
graeme IN AAAA ${allAssignments.graeme-oci.internal.ipv6.address}
terraria IN A ${assignments.internal.ipv4.address}
terraria IN AAAA ${allAssignments.gam.internal.ipv6.address}
mail-vm IN A ${net.cidr.host 0 prefixes.mail.v4}
mail-vm IN AAAA ${net.cidr.host 1 prefixes.mail.v6}
@@ -167,6 +185,9 @@ in
jam-fwd IN A ${allAssignments.shill.internal.ipv4.address}
jam-cust IN AAAA ${net.cidr.host 1 prefixes.jam.v6}
hillcrest-tun IN A ${net.cidr.host 2 prefixes.hillcrest.v4}
john-valorant-tun IN A ${net.cidr.host 2 prefixes.john-valorant.v4}
$TTL 3
_acme-challenge IN LUA TXT @@FILE@@
nixos/boxes/colony/vms/git/default.nix
+3 -8
View File
@@ -4,7 +4,7 @@ let
inherit (lib) mkMerge mkDefault;
inherit (lib.my) net;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) domain prefixes;
inherit (lib.my.c.colony) domain prefixes firewallForwards;
inherit (lib.my.c.nginx) baseHttpConfig proxyHeaders;
in
{
@@ -95,7 +95,7 @@ in
"*.${pubDomain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
environmentFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
};
};
};
@@ -111,7 +111,6 @@ in
recommendedTlsSettings = true;
clientMaxBodySize = "0";
serverTokens = true;
sslDhparam = config.age.secrets."dhparams.pem".path;
# Based on recommended*Settings, but probably better to be explicit about these
appendHttpConfig = ''
@@ -182,11 +181,6 @@ in
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP+KINpHLMduBuW96JzfSRDLUzkI+XaCBghu5/wHiW5R";
files = {
"dhparams.pem" = {
owner = "acme";
group = "acme";
mode = "440";
};
"middleman/cloudflare-credentials.conf" = {
owner = "acme";
group = "acme";
@@ -197,6 +191,7 @@ in
firewall = {
tcp.allowed = [ 19999 "http" "https" ];
nat.forwardPorts."${allAssignments.estuary.internal.ipv4.address}" = firewallForwards allAssignments;
extraRules = ''
table inet filter {
chain forward {
nixos/boxes/colony/vms/git/gitea-actions.nix
+10 -15
View File
@@ -1,19 +1,7 @@
{ lib, pkgs, config, ... }:
let
inherit (builtins) toJSON;
inherit (lib) mkForce;
inherit (lib.my.c) pubDomain;
cfgFile = pkgs.writeText "gitea-actions-runner.yaml" (toJSON {
container = {
network = "podman";
privileged = true;
};
cache = {
enabled = true;
dir = "/var/cache/gitea-runner";
};
});
in
{
config = {
@@ -30,8 +18,8 @@ in
enable = true;
name = "main-docker";
labels = [
"debian-node-bullseye:docker://node:18-bullseye"
"ubuntu-22.04:docker://git.nul.ie/dev/actions-ubuntu:22.04"
"debian-node-trixie:docker://node:24-trixie"
"ubuntu-26.04:docker://git.nul.ie/dev/actions-ubuntu:26.04"
];
url = "https://git.${pubDomain}";
tokenFile = config.age.secrets."gitea/actions-runner.env".path;
@@ -39,6 +27,14 @@ in
runner = {
timeout = "8h";
};
container = {
network = "podman";
privileged = true;
};
cache = {
enabled = true;
dir = "/var/cache/gitea-runner";
};
};
};
};
@@ -66,7 +62,6 @@ in
DynamicUser = mkForce false;
User = "gitea-runner";
Group = "gitea-runner";
ExecStart = mkForce "${config.services.gitea-actions-runner.package}/bin/act_runner -c ${cfgFile} daemon";
};
};
};
nixos/boxes/colony/vms/shill/containers-ext.nix
+1
View File
@@ -13,6 +13,7 @@ in
"/var/lib/machines/jam" = {
device = "/mnt/jam";
options = [ "bind" ];
fsType = "none";
};
};
nixos/boxes/colony/vms/shill/containers/chatterbox.nix
+80 -43
View File
@@ -198,44 +198,72 @@ in
mautrix-whatsapp = {
enable = true;
# package = pkgs.mautrix-whatsapp.overrideAttrs (o: rec {
# version = "26.05";
# tag = "v0.2605.0";
# src = pkgs.fetchFromGitHub {
# owner = "mautrix";
# repo = "whatsapp";
# inherit tag;
# hash = "sha256-WlVfGQoP9e/wl98hUJei8O2JMcOKijoEY8XuU/z69Qk=";
# };
# vendorHash = "sha256-Hi/dZHJHoTTCnxLXgbkcYzuzis4fl5kxb5wMd9fKTY8=";
# });
environmentFile = config.age.secrets."chatterbox/mautrix-whatsapp.env".path;
settings = {
database = {
type = "postgres";
uri = "$MAU_WAPP_PSQL_URI";
};
homeserver = {
address = "http://localhost:8008";
domain = "nul.ie";
};
appservice = {
database = {
type = "postgres";
uri = "$MAU_WAPP_PSQL_URI";
};
id = "whatsapp2";
bot = {
username = "whatsapp2";
displayname = "WhatsApp Bridge Bot";
};
username_template = "wapp2_{{.}}";
};
bridge = {
username_template = "wapp2_{{.}}";
displayname_template = "{{or .BusinessName .PushName .JID}} (WA)";
personal_filtering_spaces = true;
delivery_receipts = true;
allow_user_invite = true;
url_previews = true;
command_prefix = "!wa";
login_shared_secret_map."nul.ie" = "$MAU_WAPP_DOUBLE_PUPPET_TOKEN";
encryption = {
allow = true;
default = true;
require = true;
};
permissions = {
"@dev:nul.ie" = "admin";
};
};
double_puppet = {
secrets."nul.ie" = "$MAU_WAPP_DOUBLE_PUPPET_TOKEN";
};
encryption = {
allow = true;
default = true;
require = true;
pickle_key = "maunium.net/go/mautrix-whatsapp";
};
matrix = {
delivery_receipts = true;
};
network = {
displayname_template = ''{{or .BusinessName .PushName .FullName .Phone "Unknown user"}} (WA)'';
url_previews = true;
};
};
};
# mautrix-meta.package = pkgs.mautrix-meta.overrideAttrs (o: rec {
# version = "26.05.1";
# tag = "v0.2605.1";
# src = pkgs.fetchFromGitHub {
# owner = "mautrix";
# repo = "meta";
# inherit tag;
# hash = "sha256-zpolDtwGulDTiojJPnkj9O0D5b4rgPYQX6A28rvuvM0=";
# };
# vendorHash = "sha256-+i45bXBhlXPXX24VMS9IJLLX+i4VPnqy5RAH4j88sTA=";
# });
mautrix-meta.instances = {
messenger = {
enable = true;
@@ -243,45 +271,49 @@ in
dataDir = "mautrix-messenger";
environmentFile = config.age.secrets."chatterbox/mautrix-messenger.env".path;
settings = {
database = {
type = "postgres";
uri = "$MAU_FBM_PSQL_URI";
};
homeserver = {
address = "http://localhost:8008";
domain = "nul.ie";
};
appservice = {
database = {
type = "postgres";
uri = "$MAU_FBM_PSQL_URI";
};
id = "fbm2";
bot = {
username = "messenger2";
displayname = "Messenger Bridge Bot";
avatar = "mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak";
};
username_template = "fbm2_{{.}}";
};
network = {
mode = "messenger";
displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (FBM)'';
};
bridge = {
username_template = "fbm2_{{.}}";
personal_filtering_spaces = true;
delivery_receipts = true;
management_room_text.welcome = "Hello, I'm a Messenger bridge bot.";
# management_room_text.welcome = "Hello, I'm a Messenger bridge bot.";
command_prefix = "!fbm";
login_shared_secret_map."nul.ie" = "$MAU_FBM_DOUBLE_PUPPET_TOKEN";
backfill = {
history_fetch_pages = 5;
};
encryption = {
allow = true;
default = true;
require = true;
enabled = true;
};
permissions = {
"@dev:nul.ie" = "admin";
};
};
double_puppet = {
secrets."nul.ie" = "$MAU_FBM_DOUBLE_PUPPET_TOKEN";
};
encryption = {
allow = true;
default = true;
require = true;
};
matrix = {
delivery_receipts = true;
};
};
};
@@ -291,45 +323,50 @@ in
dataDir = "mautrix-instagram";
environmentFile = config.age.secrets."chatterbox/mautrix-instagram.env".path;
settings = {
database = {
type = "postgres";
uri = "$MAU_IG_PSQL_URI";
};
homeserver = {
address = "http://localhost:8008";
domain = "nul.ie";
};
appservice = {
database = {
type = "postgres";
uri = "$MAU_IG_PSQL_URI";
};
id = "instagram";
bot = {
username = "instagram";
displayname = "Instagram Bridge Bot";
avatar = "mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv";
};
username_template = "ig_{{.}}";
};
network = {
mode = "instagram";
displayname_template = ''{{or .DisplayName .Username "Unknown user"}} (IG)'';
};
bridge = {
username_template = "ig_{{.}}";
personal_filtering_spaces = true;
delivery_receipts = true;
management_room_text.welcome = "Hello, I'm an Instagram bridge bot.";
# management_room_text.welcome = "Hello, I'm an Instagram bridge bot.";
command_prefix = "!ig";
login_shared_secret_map."nul.ie" = "$MAU_IG_DOUBLE_PUPPET_TOKEN";
backfill = {
history_fetch_pages = 5;
};
encryption = {
allow = true;
default = true;
require = true;
enabled = true;
};
permissions = {
"@dev:nul.ie" = "admin";
"@adzerq:nul.ie" = "user";
};
};
double_puppet = {
secrets."nul.ie" = "$MAU_IG_DOUBLE_PUPPET_TOKEN";
};
encryption = {
allow = true;
default = true;
require = true;
};
matrix = {
delivery_receipts = true;
};
};
};
};
nixos/boxes/colony/vms/shill/containers/default.nix
+1
View File
@@ -9,5 +9,6 @@
./toot.nix
./waffletail.nix
./qclk
./gam.nix
];
}
nixos/boxes/colony/vms/shill/containers/gam.nix
+72
View File
@@ -0,0 +1,72 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) domain prefixes;
in
{
nixos.systems.gam = { config, ... }: {
system = "x86_64-linux";
nixpkgs = "mine";
rendered = config.configuration.config.my.asContainer;
assignments = {
internal = {
name = "gam-ctr";
inherit domain;
ipv4.address = net.cidr.host 11 prefixes.ctrs.v4;
ipv6 = {
iid = "::11";
address = net.cidr.host 11 prefixes.ctrs.v6;
};
};
};
configuration = { lib, pkgs, config, assignments, allAssignments, ... }:
let
inherit (lib) mkMerge mkIf mkForce;
inherit (lib.my) networkdAssignment;
in
{
config = mkMerge [
{
my = {
deploy.enable = false;
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvDlH3nT1kve741gBluYmn5KQs8yz7FAEt8qLt+f0K6";
files = {
"gam/terraria.conf" = {
owner = "terraria";
group = "terraria";
};
};
};
};
systemd = {
network.networks."80-container-host0" = networkdAssignment "host0" assignments.internal;
};
services = {
terraria = {
enable = true;
noUPnP = true;
messageOfTheDay = "sup gamers";
autoCreatedWorldSize = "large";
worldPath = "/var/lib/terraria/NotWorld.wld";
configFile = config.age.secrets."gam/terraria.conf".path;
openFirewall = true;
};
};
}
(mkIf config.my.build.isDevVM {
virtualisation = {
forwardPorts = [ ];
};
})
];
};
};
}
nixos/boxes/colony/vms/shill/containers/jackflix/default.nix
+73 -18
View File
@@ -23,7 +23,7 @@ in
};
};
configuration = { lib, pkgs, config, ... }:
configuration = { lib, pkgs, config, allAssignments, ... }:
let
inherit (lib) mkForce;
in
@@ -39,8 +39,18 @@ in
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUv1ntVrZv5ripsKpcOAnyDQX2PHjowzyhqWK10Ml53";
files = {
"jackflix/photoprism-pass.txt" = {};
"jackflix/copyparty-pass.txt" = {
owner = "copyparty";
group = "copyparty";
};
};
};
firewall = {
tcp.allowed = [
3923
];
};
};
users = with lib.my.c.ids; {
@@ -50,21 +60,26 @@ in
transmission.extraGroups = [ "media" ];
radarr.extraGroups = [ "media" ];
sonarr.extraGroups = [ "media" ];
jellyseerr = {
seerr = {
isSystemUser = true;
uid = uids.jellyseerr;
group = "jellyseerr";
group = "seerr";
};
photoprism = {
isSystemUser = true;
uid = uids.photoprism;
group = "photoprism";
};
copyparty = {
uid = uids.copyparty;
extraGroups = [ "media" ];
};
};
groups = {
media.gid = 2000;
jellyseerr.gid = gids.jellyseerr;
seerr.gid = gids.jellyseerr;
photoprism.gid = gids.photoprism;
copyparty.gid = gids.copyparty;
};
};
@@ -73,13 +88,15 @@ in
jackett.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
transmission.bindsTo = [ "systemd-networkd-wait-online@vpn.service" ];
radarr.serviceConfig.UMask = "0002";
sonarr.serviceConfig.UMask = "0002";
jellyseerr.serviceConfig = {
radarr.serviceConfig.UMask = mkForce "0002";
radarr.path = with pkgs; [ ffmpeg ];
sonarr.serviceConfig.UMask = mkForce "0002";
sonarr.path = with pkgs; [ ffmpeg ];
seerr.serviceConfig = {
# Needs to be able to read its secrets
DynamicUser = mkForce false;
User = "jellyseerr";
Group = "jellyseerr";
User = "seerr";
Group = "seerr";
};
# https://github.com/NixOS/nixpkgs/issues/258793#issuecomment-1748168206
@@ -94,19 +111,12 @@ in
};
};
nixpkgs.config.permittedInsecurePackages = [
# FIXME: This is needed for Sonarr
"aspnetcore-runtime-wrapped-6.0.36"
"aspnetcore-runtime-6.0.36"
"dotnet-sdk-wrapped-6.0.428"
"dotnet-sdk-6.0.428"
];
services = {
netdata.enable = true;
transmission = {
enable = true;
package = pkgs.transmission_4;
downloadDirPermissions = null;
performanceNetParameters = true;
settings = {
@@ -131,10 +141,11 @@ in
};
};
flaresolverr.enable = true;
jackett.enable = true;
radarr.enable = true;
sonarr.enable = true;
jellyseerr = {
seerr = {
enable = true;
openFirewall = true;
};
@@ -158,6 +169,50 @@ in
PHOTOPRISM_DATABASE_DRIVER = "sqlite";
};
};
copyparty = {
enable = true;
package = pkgs.copyparty.override {
withMagic = true;
};
settings = {
name = "dev-stuff";
no-reload = true;
j = 8; # cores
http-only = true;
xff-src =
with allAssignments.middleman.internal;
[ "${ipv4.address}/32" prefixes.ctrs.v6 ];
rproxy = 1; # get if from x-forwarded-for
magic = true; # enable checking file magic on upload
hist = "/var/cache/copyparty";
shr = "/share"; # enable share creation
ed = true; # enable dotfiles
chmod-f = "664";
chmod-d = "775";
e2dsa = true; # file indexing
e2t = true; # metadata indexing
og-ua = "(Discord|Twitter|Slack)bot"; # embeds
theme = 6;
};
accounts.dev.passwordFile = config.age.secrets."jackflix/copyparty-pass.txt".path;
volumes = {
"/" = {
path = "/mnt/media/public";
access = {
A = "dev";
"r." = "*";
};
flags = {
shr_who = "no"; # no reason to have shares here
};
};
"/priv" = {
path = "/mnt/media/stuff";
access.A = "dev"; # dev has admin access
};
};
};
};
};
};
nixos/boxes/colony/vms/shill/containers/jackflix/networking.nix
+1 -1
View File
@@ -12,7 +12,7 @@ let
};
# Forwarded in AirVPN config
transmissionPeerPort = 47016;
transmissionPeerPort = 28457;
in
{
config = mkMerge [
nixos/boxes/colony/vms/shill/containers/middleman/default.nix
+12 -8
View File
@@ -40,11 +40,6 @@ in
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAQM9U1e/XcUCyMJITrpAHjAGahpqkZCmtX6pJkYzuks";
files = {
"dhparams.pem" = {
owner = "acme";
group = "acme";
mode = "440";
};
"pdns-file-records.key" = {
owner = "acme";
group = "acme";
@@ -72,6 +67,13 @@ in
firewall = {
tcp.allowed = [ "http" "https" 8448 ];
extraRules = ''
table inet nat {
chain postrouting {
oifname host0 snat ip6 to ${assignments.internal.ipv6.address}
}
}
'';
};
nginx-sso = {
@@ -169,7 +171,7 @@ in
"*.${config.networking.domain}"
];
dnsProvider = "exec";
credentialsFile =
environmentFile =
let
script = pkgs.writeShellScript "lego-update-int.sh" ''
case "$1" in
@@ -200,7 +202,7 @@ in
"*.s3.${pubDomain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
environmentFile = config.age.secrets."middleman/cloudflare-credentials.conf".path;
postRun =
let
sshKey = config.age.secrets."middleman/mailcow-ssh.key".path;
@@ -249,8 +251,10 @@ in
valid = "5s";
};
proxyResolveWhileRunning = true;
sslDhparam = config.age.secrets."dhparams.pem".path;
appendConfig = ''
worker_processes auto;
'';
# Based on recommended*Settings, but probably better to be explicit about these
appendHttpConfig = ''
${baseHttpConfig}
nixos/boxes/colony/vms/shill/containers/middleman/vhosts.nix
+38 -6
View File
@@ -49,6 +49,7 @@ let
"/.well-known/webfinger".return = "301 https://toot.nul.ie$request_uri";
"/.well-known/nodeinfo".return = "301 https://toot.nul.ie$request_uri";
"/.well-known/host-meta".return = "301 https://toot.nul.ie$request_uri";
"/.well-known/atproto-did".return = "301 https://pds.nul.ie$request_uri";
};
in
{
@@ -79,6 +80,10 @@ in
sha256 = "018wh6ps19n7323fi44njzj9yd4wqslc90dykbwfyscv7bgxhlar";
};
}
{
name = "ssh.pub";
path = lib.my.c.sshKeyFiles.me;
}
];
}
wellKnown
@@ -322,6 +327,15 @@ in
useACMEHost = pubDomain;
};
"pds.nul.ie" = {
locations."/" = {
proxyPass = "http://toot-ctr.${domain}:3000";
proxyWebsockets = true;
extraConfig = proxyHeaders;
};
useACMEHost = pubDomain;
};
"share.${pubDomain}" = {
locations."/" = {
proxyPass = "http://object-ctr.${domain}:9090";
@@ -333,16 +347,13 @@ in
"stuff.${pubDomain}" = {
locations."/" = {
basicAuthFile = config.age.secrets."middleman/htpasswd".path;
root = "/mnt/media/stuff";
extraConfig = ''
fancyindex on;
fancyindex_show_dotfiles on;
'';
proxyPass = "http://jackflix-ctr.${domain}:3923";
};
useACMEHost = pubDomain;
};
"public.${pubDomain}" = {
onlySSL = false;
addSSL = true;
serverAliases = [ "p.${pubDomain}" ];
locations."/" = {
root = "/mnt/media/public";
@@ -363,6 +374,11 @@ in
useACMEHost = pubDomain;
};
"mc-map-kink.${pubDomain}" = {
locations."/".proxyPass = "http://kinkcraft-oci.${domain}:8100";
useACMEHost = pubDomain;
};
"librespeed.${domain}" = {
locations."/".proxyPass = "http://localhost:8989";
};
@@ -413,6 +429,22 @@ in
}
(ssoServer "generic")
];
"hass.${pubDomain}" = {
locations."/" = {
proxyPass = "http://hass-ctr.${home.domain}:8123";
proxyWebsockets = true;
extraConfig = proxyHeaders;
};
useACMEHost = pubDomain;
};
"hass-john.${pubDomain}" = {
locations."/" = {
proxyPass = "http://john-valorant-tun.${domain}:8123";
proxyWebsockets = true;
extraConfig = proxyHeaders;
};
useACMEHost = pubDomain;
};
};
minio =
nixos/boxes/colony/vms/shill/containers/object.nix
+37 -8
View File
@@ -35,6 +35,7 @@ in
"/var/lib/harmonia" = {
device = "/mnt/nix-cache";
options = [ "bind" ];
fsType = "none";
};
};
@@ -89,12 +90,17 @@ in
{
users = {
harmonia = {
isSystemUser = true;
group = "harmonia";
shell = pkgs.bashInteractive;
openssh.authorizedKeys.keyFiles = [
lib.my.c.sshKeyFiles.harmonia
];
};
};
groups = {
harmonia = { };
};
}
];
@@ -127,13 +133,24 @@ in
};
}
];
harmonia = {
environment.NIX_REMOTE = "/var/lib/harmonia";
harmonia-dev = {
# environment.RUST_LOG = mkForce "trace";
# serviceConfig = {
# StateDirectory = "harmonia";
# DynamicUser = mkForce false;
# };
};
harmonia-daemon = {
# environment.RUST_LOG = mkForce "trace";
preStart = ''
${config.nix.package}/bin/nix store ping
${config.nix.package}/bin/nix store info --store /var/lib/harmonia
'';
serviceConfig = {
User = "harmonia";
Group = "harmonia";
StateDirectory = "harmonia";
DynamicUser = mkForce false;
};
};
};
@@ -145,6 +162,9 @@ in
];
};
# TODO/FIXME: this is bad...
nixpkgs.config.permittedInsecurePackages = [ "minio-2025-10-15T17-29-55Z" ];
services = {
minio = {
enable = true;
@@ -235,11 +255,20 @@ in
};
};
harmonia = {
enable = true;
signKeyPaths = [ config.age.secrets."nix-cache.key".path ];
settings = {
priority = 30;
harmonia-dev = {
daemon = {
enable = true;
storeDir = "/nix/store";
dbPath = "/var/lib/harmonia/nix/var/nix/db/db.sqlite";
};
cache = {
enable = true;
signKeyPaths = [ config.age.secrets."nix-cache.key".path ];
settings = {
priority = 30;
virtual_nix_store = "/nix/store";
real_nix_store = "/var/lib/harmonia/nix/store";
};
};
};
nixos/boxes/colony/vms/shill/containers/toot.nix
+40 -4
View File
@@ -26,6 +26,8 @@ in
let
inherit (lib) mkMerge mkIf genAttrs;
inherit (lib.my) networkdAssignment systemdAwaitPostgres;
pdsPort = 3000;
in
{
config = mkMerge [
@@ -36,7 +38,7 @@ in
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSslLkDe54AKYzxdtKD70zcU72W0EpYsfbdJ6UFq0QK";
files = genAttrs
files = (genAttrs
(map (f: "toot/${f}") [
"postgres-password.txt"
"secret-key.txt"
@@ -48,7 +50,12 @@ in
(_: with config.services.mastodon; {
owner = user;
inherit group;
});
})) // {
"toot/pds.env" = {
owner = "pds";
group = "pds";
};
};
};
firewall = {
@@ -56,6 +63,7 @@ in
19999
"http"
pdsPort
];
};
};
@@ -79,7 +87,7 @@ in
netdata.enable = true;
mastodon = mkMerge [
rec {
enable = true;
enable = false;
localDomain = extraConfig.WEB_DOMAIN; # for nginx config
extraConfig = {
LOCAL_DOMAIN = "nul.ie";
@@ -87,7 +95,9 @@ in
};
secretKeyBaseFile = config.age.secrets."toot/secret-key.txt".path;
otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;
# TODO: This was removed at some point.
# If we want to bring Mastodon back, this will probably need to be addressd.
# otpSecretFile = config.age.secrets."toot/otp-secret.txt".path;
vapidPrivateKeyFile = config.age.secrets."toot/vapid-key.txt".path;
vapidPublicKeyFile = toString (pkgs.writeText
"vapid-pubkey.txt"
@@ -155,6 +165,32 @@ in
};
};
};
bluesky-pds = {
enable = true;
environmentFiles = [ config.age.secrets."toot/pds.env".path ];
settings = {
PDS_HOSTNAME = "pds.nul.ie";
PDS_PORT = pdsPort;
PDS_BLOBSTORE_DISK_LOCATION = null;
PDS_BLOBSTORE_S3_BUCKET = "pds";
PDS_BLOBSTORE_S3_ENDPOINT = "https://s3.nul.ie/";
PDS_BLOBSTORE_S3_REGION = "eu-central-1";
PDS_BLOBSTORE_S3_ACCESS_KEY_ID = "pds";
PDS_BLOB_UPLOAD_LIMIT = "52428800";
PDS_EMAIL_FROM_ADDRESS = "pds@nul.ie";
PDS_DID_PLC_URL = "https://plc.directory";
PDS_INVITE_REQUIRED = "true";
PDS_BSKY_APP_VIEW_URL = "https://api.bsky.app";
PDS_BSKY_APP_VIEW_DID = "did:web:api.bsky.app";
PDS_REPORT_SERVICE_URL = "https://mod.bsky.app";
PDS_REPORT_SERVICE_DID = "did:plc:ar7c4by46qjdydhdevvrndac";
PDS_CRAWLERS = "https://bsky.network";
};
};
};
}
(mkIf config.my.build.isDevVM {
nixos/boxes/colony/vms/shill/default.nix
+1
View File
@@ -217,6 +217,7 @@ in
toot = {};
waffletail = {};
qclk = {};
gam = {};
};
in
mkMerge [
nixos/boxes/colony/vms/whale2/default.nix
+4 -1
View File
@@ -53,6 +53,9 @@ in
simpcraft-oci = 3;
simpcraft-staging-oci = 4;
enshrouded-oci = 5;
kevcraft-oci = 6;
kinkcraft-oci = 7;
graeme-oci = 8;
};
configuration = { lib, pkgs, modulesPath, config, assignments, allAssignments, ... }:
@@ -112,7 +115,7 @@ in
};
containers.containersConf.settings.network = {
network_backend = "netavark";
firewall_driver = "none";
firewall_driver = mkForce "none";
};
};
nixos/boxes/colony/vms/whale2/minecraft/default.nix
+126 -1
View File
@@ -5,12 +5,13 @@ let
# devplayer0
op = "6d7d971b-ce10-435b-85c5-c99c0d8d288c";
kev = "703b378a-09f9-4c1d-9876-1c9305728c49";
whitelist = concatStringsSep "," [
op
"dcd2ecb9-2b5e-49cb-9d4f-f5a76162df56" # Elderlypug
"fcb26db2-c3ce-41aa-b588-efec79d37a8a" # Jesthral_
"1d366062-12c0-4e29-aba7-6ab5d8c6bb05" # shr3kas0ras
"703b378a-09f9-4c1d-9876-1c9305728c49" # OROURKEIRE
kev
"f105bbe6-eda6-4a13-a8cf-894e77cab77b" # Adzerq
"1fc94979-41fb-497a-81e9-34ae24ca537a" # johnnyscrims
"d53c91df-b6e6-4463-b106-e8427d7a8d01" # BossLonus
@@ -104,6 +105,130 @@ in
# ''--network=colony:${dockerNetAssignment allAssignments "simpcraft-staging-oci"}''
# ];
# };
kevcraft = {
# 2025.2.1-java21-alpine
image = "itzg/minecraft-server@sha256:57e319c15e9fee63f61029a65a33acc3de85118b21a2b4bb29f351cf4a915027";
environment = {
TYPE = "VANILLA";
VERSION = "1.20.1";
SERVER_PORT = "25567";
QUERY_PORT = "25567";
EULA = "true";
ENABLE_QUERY = "true";
ENABLE_RCON = "true";
MOTD = "§4§k----- §9K§ae§bv§cc§dr§ea§ff§6t §4§k-----";
ICON = "/ext/icon.png";
EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
WHITELIST = whitelist;
EXISTING_OPS_FILE = "SYNCHRONIZE";
OPS = concatStringsSep "," [ op kev ];
DIFFICULTY = "normal";
SPAWN_PROTECTION = "0";
# VIEW_DISTANCE = "20";
MAX_MEMORY = "4G";
TZ = "Europe/Dublin";
};
environmentFiles = [ config.age.secrets."whale2/simpcraft.env".path ];
volumes = [
"kevcraft_data:/data"
"${./kev.png}:/ext/icon.png:ro"
];
extraOptions = [
''--network=colony:${dockerNetAssignment allAssignments "kevcraft-oci"}''
];
};
kinkcraft = {
# 2025.5.1-java21-alpine
image = "itzg/minecraft-server@sha256:de26c7128e3935f3be48fd30283f0b5a6da1b3d9f1a10c9f92502ee1ba072f7b";
environment = {
TYPE = "MODRINTH";
SERVER_PORT = "25568";
QUERY_PORT = "25568";
EULA = "true";
ENABLE_QUERY = "true";
ENABLE_RCON = "true";
MOTD = "§4§k----- §9K§ai§bn§ck§dc§er§fa§6f§5t §4§k-----";
ICON = "/ext/icon.png";
EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
WHITELIST = whitelist;
EXISTING_OPS_FILE = "SYNCHRONIZE";
OPS = op;
DIFFICULTY = "normal";
SPAWN_PROTECTION = "0";
VIEW_DISTANCE = "20";
MAX_MEMORY = "6G";
MODRINTH_MODPACK = "https://cdn.modrinth.com/data/CIYf3Hk8/versions/NGutsQSd/Simpcraft-0.2.1.mrpack";
TZ = "Europe/Dublin";
};
environmentFiles = [ config.age.secrets."whale2/simpcraft.env".path ];
volumes = [
"kinkcraft_data:/data"
"${./icon.png}:/ext/icon.png:ro"
];
extraOptions = [
''--network=colony:${dockerNetAssignment allAssignments "kinkcraft-oci"}''
];
};
graeme = {
# 2026.2.1-java21-alpine
image = "itzg/minecraft-server@sha256:82adaddfe0156f07c34228f1c1065cdbd298abc174de0a9961abb068b11beebb";
environment = {
TYPE = "VANILLA";
SERVER_PORT = "25569";
QUERY_PORT = "25569";
EULA = "true";
ENABLE_QUERY = "true";
ENABLE_RCON = "false";
MOTD = "§4§k----- §9G§ar§ba§ce§dm§ee §4§k-----";
ICON = "/ext/icon.png";
EXISTING_WHITELIST_FILE = "SYNCHRONIZE";
WHITELIST = concatStringsSep "," [
op
"fffa146c-0bc8-421c-9e3a-3635c0aca2ea" # Scarlehh
"1ea05f48-76cc-4034-bcd3-2fa1fc5a7375" # Dario
"4bf837b1-01db-4491-a0e0-700d98542833" # JoeSpencer
"d07a9554-1b05-4b0b-b558-27e4a86e1f53" # AmyClover
];
EXISTING_OPS_FILE = "SYNCHRONIZE";
OPS = op;
DIFFICULTY = "hard";
SPAWN_PROTECTION = "0";
VIEW_DISTANCE = "20";
MAX_MEMORY = "4G";
TZ = "Europe/Dublin";
};
volumes = [
"graeme_data:/data"
"${./graeme.png}:/ext/icon.png:ro"
];
extraOptions = [
''--network=colony:${dockerNetAssignment allAssignments "graeme-oci"}''
];
};
};
services = {
nixos/boxes/colony/vms/whale2/minecraft/graeme.png
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.9 KiB

nixos/boxes/colony/vms/whale2/minecraft/kev.png
BIN
View File
Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

nixos/boxes/home/castle/default.nix
+29 -7
View File
@@ -109,11 +109,7 @@ in
};
fstrim.enable = true;
resolved = {
enable = true;
extraConfig = mkForce "";
dnssec = "false";
};
resolved.settings.Resolve.LLMNR = mkForce true;
pipewire.extraConfig.pipewire = {
"10-buffer"."context.properties" = {
@@ -122,13 +118,14 @@ in
};
};
blueman.enable = true;
avahi.enable = true;
};
programs = {
virt-manager.enable = true;
wireshark = {
enable = true;
package = pkgs.wireshark-qt;
package = pkgs.wireshark;
};
};
virtualisation.libvirtd.enable = true;
@@ -150,6 +147,7 @@ in
mstflint
qperf
ethtool
android-tools
];
nix = {
@@ -164,6 +162,7 @@ in
network = {
netdevs = mkMerge [
(mkVLAN "lan-hi" vlans.hi)
(mkVLAN "lan-lo" vlans.lo)
];
links = {
"10-et2.5g" = {
@@ -185,7 +184,7 @@ in
networks = {
"30-et100g" = {
matchConfig.Name = "et100g";
vlan = [ "lan-hi" ];
vlan = [ "lan-hi" "lan-lo" ];
networkConfig.IPv6AcceptRA = false;
};
"40-lan-hi" = mkMerge [
@@ -193,6 +192,22 @@ in
# So we don't drop the IP we use to connect to NVMe-oF!
{ networkConfig.KeepConfiguration = "static"; }
];
"45-lan-lo" = {
matchConfig.Name = "lan-lo";
networkConfig = {
DHCP = "ipv4";
IPv6AcceptRA = true;
UseDomains = false;
};
dhcpV4Config = {
UseDNS = false;
UseGateway = false;
};
ipv6AcceptRAConfig = {
UseDNS = false;
UseGateway = false;
};
};
};
};
};
@@ -215,8 +230,15 @@ in
];
};
programs = {
claude-code = {
enable = true;
};
};
services = {
blueman-applet.enable = true;
easyeffects.enable = true;
};
wayland.windowManager.sway = {
nixos/boxes/home/palace/vms/default.nix
+7
View File
@@ -188,6 +188,13 @@
hostBDF = "44:00.4";
};
};
qemuFlags = [
"device qemu-xhci,id=xhci"
# Front-right port?
"device usb-host,hostbus=1,hostport=4"
# Front-left port
"device usb-host,hostbus=1,hostport=3"
];
};
};
};
nixos/boxes/home/palace/vms/sfh/containers/default.nix
+2 -1
View File
@@ -1,5 +1,6 @@
{
imports = [
./unifi.nix
# ./unifi.nix
./hass.nix
];
}
nixos/boxes/home/palace/vms/sfh/containers/hass.nix
+263
View File
@@ -0,0 +1,263 @@
{ lib, ... }:
let
inherit (lib.my) net;
inherit (lib.my.c) pubDomain;
inherit (lib.my.c.home) domain prefixes vips hiMTU;
in
{
nixos.systems.hass = { config, ... }: {
system = "x86_64-linux";
nixpkgs = "mine";
rendered = config.configuration.config.my.asContainer;
assignments = {
hi = {
name = "hass-ctr";
altNames = [ "frigate" ];
inherit domain;
mtu = hiMTU;
ipv4 = {
address = net.cidr.host 103 prefixes.hi.v4;
mask = 22;
gateway = vips.hi.v4;
};
ipv6 = {
iid = "::5:3";
address = net.cidr.host (65536*5+3) prefixes.hi.v6;
};
};
lo = {
name = "hass-ctr-lo";
inherit domain;
mtu = 1500;
ipv4 = {
address = net.cidr.host 103 prefixes.lo.v4;
mask = 21;
gateway = null;
};
ipv6 = {
iid = "::5:3";
address = net.cidr.host (65536*5+3) prefixes.lo.v6;
};
};
};
configuration = { lib, config, pkgs, assignments, allAssignments, ... }:
let
inherit (lib) mkMerge mkIf mkForce;
inherit (lib.my) networkdAssignment;
hassCli = pkgs.writeShellScriptBin "hass-cli" ''
export HASS_SERVER="http://localhost:${toString config.services.home-assistant.config.http.server_port}"
export HASS_TOKEN="$(< ${config.age.secrets."hass/cli-token.txt".path})"
exec ${pkgs.home-assistant-cli}/bin/hass-cli "$@"
'';
in
{
config = {
my = {
deploy.enable = false;
server.enable = true;
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGpYX2WbYwUqHp8bFFf0eHFrqrR8xp8IheguA054F8V4";
files = {
"hass/cli-token.txt" = {
owner = config.my.user.config.name;
};
};
};
firewall = {
tcp.allowed = [ "http" 1883 ];
};
};
environment = {
systemPackages = with pkgs; [
usbutils
hassCli
];
};
systemd = {
network.networks = {
"80-container-host0" = networkdAssignment "host0" assignments.hi;
"80-container-lan-lo" = networkdAssignment "lan-lo" assignments.lo;
};
};
services = {
mosquitto = {
enable = true;
listeners = [
{
omitPasswordAuth = true;
settings = {
allow_anonymous = true;
};
}
];
};
go2rtc = {
enable = true;
settings = {
streams = {
reolink_living_room = [
# "http://reolink-living-room.${domain}/flv?port=1935&app=bcs&stream=channel0_main.bcs&user=admin#video=copy#audio=copy#audio=opus"
"rtsp://admin:@reolink-living-room:554/h264Preview_01_main"
];
webcam_office = [
"ffmpeg:device?video=/dev/video0&video_size=1024x576#video=h264"
];
};
};
};
frigate = {
enable = true;
hostname = "frigate.${domain}";
settings = {
mqtt = {
enabled = true;
host = "localhost";
topic_prefix = "frigate";
};
cameras = {
reolink_living_room = {
ffmpeg.inputs = [
{
path = "rtsp://127.0.0.1:8554/reolink_living_room";
input_args = "preset-rtsp-restream";
roles = [ "record" "detect" ];
}
];
detect = {
enabled = false;
};
record = {
enabled = true;
retain.days = 1;
};
};
webcam_office = {
ffmpeg.inputs = [
{
path = "rtsp://127.0.0.1:8554/webcam_office";
input_args = "preset-rtsp-restream";
roles = [ "record" "detect" ];
}
];
detect.enabled = false;
record = {
enabled = true;
retain.days = 1;
};
};
};
};
};
home-assistant =
let
cfg = config.services.home-assistant;
pyirishrail = ps: ps.buildPythonPackage rec {
pname = "pyirishrail";
version = "0.0.2";
src = pkgs.fetchFromGitHub {
owner = "ttroy50";
repo = "pyirishrail";
tag = version;
hash = "sha256-NgARqhcXP0lgGpgBRiNtQaSn9JcRNtCcZPljcL7t3Xc=";
};
dependencies = with ps; [
requests
];
pyproject = true;
build-system = [ ps.setuptools ];
};
in
{
enable = true;
extraComponents = [
"default_config"
"esphome"
"google_translate"
"met"
"zha"
"denonavr"
"webostv"
"androidtv_remote"
"heos"
"mqtt"
"wled"
];
extraPackages = python3Packages: with python3Packages; [
zlib-ng
isal
gtts
(pyirishrail python3Packages)
];
customComponents = with pkgs.home-assistant-custom-components; [
alarmo
frigate
west_wood_club
];
configWritable = false;
openFirewall = true;
config = {
default_config = {};
homeassistant = {
name = "Home";
unit_system = "metric";
currency = "EUR";
country = "IE";
time_zone = "Europe/Dublin";
external_url = "https://hass.${pubDomain}";
internal_url = "http://hass-ctr.${domain}:${toString cfg.config.http.server_port}";
};
http = {
use_x_forwarded_for = true;
trusted_proxies = with allAssignments.middleman.internal; [
ipv4.address
ipv6.address
];
ip_ban_enabled = false;
};
automation = "!include automations.yaml";
script = "!include scripts.yaml";
scene = "!include scenes.yaml";
sensor = [
{
platform = "irish_rail_transport";
name = "To Work from Home";
station = "Glenageary";
stops_at = "Dublin Connolly";
direction = "Northbound";
}
{
platform = "irish_rail_transport";
name = "To Home from Work";
station = "Dublin Connolly";
stops_at = "Glenageary";
direction = "Southbound";
}
];
};
};
};
};
};
};
}
nixos/boxes/home/palace/vms/sfh/containers/unifi.nix
+2 -2
View File
@@ -55,8 +55,8 @@ in
unifi = {
enable = true;
openFirewall = true;
unifiPackage = pkgs.unifi8;
mongodbPackage = pkgs.mongodb-6_0;
unifiPackage = pkgs.unifi;
mongodbPackage = pkgs.mongodb-7_0;
};
};
};
nixos/boxes/home/palace/vms/sfh/default.nix
+45 -2
View File
@@ -29,7 +29,7 @@ in
configuration = { lib, modulesPath, pkgs, config, assignments, allAssignments, ... }:
let
inherit (lib) mapAttrs mkMerge;
inherit (lib) mapAttrs mkMerge mkForce;
inherit (lib.my) networkdAssignment;
inherit (lib.my.c) networkd;
inherit (lib.my.c.home) domain;
@@ -83,6 +83,12 @@ in
};
};
environment = {
systemPackages = with pkgs; [
usbutils
];
};
systemd.network = {
links = {
"10-lan-hi" = {
@@ -105,6 +111,13 @@ in
MTUBytes = toString lib.my.c.home.hiMTU;
};
};
"10-lan-lo-ctrs" = {
matchConfig = {
Driver = "virtio_net";
PermanentMACAddress = "52:54:00:a5:7e:93";
};
linkConfig.Name = "lan-lo-ctrs";
};
};
networks = {
@@ -118,9 +131,29 @@ in
linkConfig.RequiredForOnline = "no";
networkConfig = networkd.noL3;
};
"30-lan-lo-ctrs" = {
matchConfig.Name = "lan-lo-ctrs";
linkConfig.RequiredForOnline = "no";
networkConfig = networkd.noL3;
};
};
};
systemd.nspawn = {
hass = {
networkConfig = {
MACVLAN = mkForce "lan-hi-ctrs:host0 lan-lo-ctrs:lan-lo";
};
};
};
systemd.services = {
"systemd-nspawn@hass".serviceConfig.DeviceAllow = [
"char-ttyUSB rw"
"char-video4linux rw"
];
};
my = {
secrets = {
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAaav5Se1E/AbqEXmADryVszYfNDscyP6jrWioN57R7";
@@ -141,7 +174,17 @@ in
containers.instances =
let
instances = {
unifi = {};
# unifi = {};
hass = {
bindMounts = {
"/dev/bus/usb/001/002".readOnly = false;
"/dev/video0".readOnly = false;
"/dev/serial/by-id/usb-Nabu_Casa_Home_Assistant_Connect_ZBT-1_ce549704fe38ef11a2c2e5d154516304-if00-port0" = {
readOnly = false;
mountPoint = "/dev/ttyUSB0";
};
};
};
};
in
mkMerge [
nixos/boxes/home/routing-common/default.nix
+5 -7
View File
@@ -121,11 +121,9 @@ in
};
services = {
resolved = {
llmnr = "false";
extraConfig = ''
MulticastDNS=false
'';
resolved.settings.Resolve = {
LLMNR = false;
MulticastDNS = false;
};
iperf3 = {
@@ -141,8 +139,8 @@ in
onState = [ "configured" ];
script = ''
#!${pkgs.runtimeShell}
if [ $IFACE = "wan-ifb" ]; then
${pkgs.iproute2}/bin/tc filter add dev wan parent ffff: matchall action mirred egress redirect dev $IFACE
if [ "$IFACE" = "wan-ifb" ]; then
${pkgs.iproute2}/bin/tc filter add dev wan parent ffff: matchall action mirred egress redirect dev "$IFACE"
fi
'';
};
nixos/boxes/home/routing-common/dns-blocklist.txt
+74
View File
@@ -0,0 +1,74 @@
# Blocklist for LG WebOS Services (US)
ad.lgappstv.com
ibis.lgappstv.com
info.lgsmartad.com
lgtvsdp.com
ngfts.lge.com
rdx2.lgtvsdp.com
smartshare.lgtvsdp.com
lgappstv.com
us.ad.lgsmartad.com
us.ibs.lgappstv.com
us.info.lgsmartad.com
us.lgtvsdp.com
# Community Contributions
lgad.cjpowercast.com
edgesuite.net
yumenetworks.com
smartclip.net
smartclip.com
# Non-US Entries
rdx2.lgtvsdp.com
info.lgsmartad.com
ibs.lgappstv.com
lgtvsdp.com
lgappstv.com
smartshare.lgtvsdp.com
# Full Block for Europe and Other Regions
de.ad.lgsmartad.com
de.emp.lgsmartplatform.com
de.ibs.lgappstv.com
de.info.lgsmartad.com
de.lgeapi.com
de.lgtvsdp.com
de.rdx2.lgtvsdp.com
eu.ad.lgsmartad.com
eu.ibs.lgappstv.com
eu.info.lgsmartad.com
app-lgwebos.pluto.tv
it.lgtvsdp.com
it.lgeapi.com
it.emp.lgsmartplatform.com
# LG ThinQ Services
eic.common.lgthinq.com
eic.iotservice.lgthinq.com
eic.service.lgthinq.com
eic.ngfts.lge.com
eic.svc-lgthinq-com.aws-thinq-prd.net
eic.cdpsvc.lgtvcommon.com
eic.cdpbeacon.lgtvcommon.com
eic.cdplauncher.lgtvcommon.com
eic.homeprv.lgtvcommon.com
eic.lgtviot.com
eic.nudge.lgtvcommon.com
eic.rdl.lgtvcommon.com
eic.recommend.lgtvcommon.com
eic.service.lgtvcommon.com
gb-lgeapi-com.esi-prd.net
gb.lgeapi.com
lgtvonline.lge.com
lg-channelplus-de-beacons.xumo.com
lg-channelplus-de-mds.xumo.com
lg-channelplus-eu-beacons.xumo.com
lg-channelplus-eu-mds.xumo.com
kr-op-v2.lgthinqhome.com
ngfts.lge.com
noti.lgthinq.com
objectcontent.lgthinq.com
# Update Server Block
#snu.lge.com
nixos/boxes/home/routing-common/dns.nix
+65 -36
View File
@@ -19,7 +19,7 @@ in
owner = "pdns";
group = "pdns";
};
"home/pdns/recursor.conf" = {
"home/pdns/recursor.yml" = {
owner = "pdns-recursor";
group = "pdns-recursor";
};
@@ -28,52 +28,78 @@ in
pdns.recursor = {
enable = true;
extraSettingsFile = config.age.secrets."home/pdns/recursor.conf".path;
extraSettingsFile = config.age.secrets."home/pdns/recursor.yml".path;
};
};
services = {
pdns-recursor = {
dns = {
address = [
"127.0.0.1" "::1"
assignments.hi.ipv4.address assignments.hi.ipv6.address
assignments.lo.ipv4.address assignments.lo.ipv6.address
];
allowFrom = [
"127.0.0.0/8" "::1/128"
prefixes.hi.v4 prefixes.hi.v6
prefixes.lo.v4 prefixes.lo.v6
] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
};
settings = {
query-local-address = [
"0.0.0.0"
"::"
];
forward-zones = map (z: "${z}=127.0.0.1:5353") authZones;
incoming = {
listen = [
"127.0.0.1" "::1"
assignments.hi.ipv4.address assignments.hi.ipv6.address
assignments.lo.ipv4.address assignments.lo.ipv6.address
];
allow_from = [
"127.0.0.0/8" "::1/128"
prefixes.hi.v4 prefixes.hi.v6
prefixes.lo.v4 prefixes.lo.v6
] ++ (with lib.my.c.tailscale.prefix; [ v4 v6 ]);
# DNS NOTIFY messages override TTL
allow-notify-for = authZones;
allow-notify-from = [ "127.0.0.0/8" "::1/128" ];
# DNS NOTIFY messages override TTL
allow_notify_for = authZones;
allow_notify_from = [ "127.0.0.0/8" "::1/128" ];
};
webserver = true;
webserver-address = "::";
webserver-allow-from = [ "127.0.0.1" "::1" ];
outgoing = {
source_address = [ "0.0.0.0" "::" ];
};
lua-dns-script = pkgs.writeText "pdns-script.lua" ''
-- Disney+ doesn't like our IP space...
function preresolve(dq)
local name = dq.qname:toString()
if dq.qtype == pdns.AAAA and (string.find(name, "disneyplus") or string.find(name, "disney-plus") or string.find(name , "disney.api")) then
dq.rcode = 0
return true
recursor = {
forward_zones = map (z: {
zone = z;
forwarders = [ "127.0.0.1:5353" ];
}) authZones;
lua_dns_script = pkgs.writeText "pdns-script.lua" ''
blocklist = newDS()
function preresolve(dq)
local name = dq.qname:toString()
-- Disney+ doesn't like our IP space...
if dq.qtype == pdns.AAAA and (string.find(name, "disneyplus") or string.find(name, "disney-plus") or string.find(name , "disney.api")) then
dq.rcode = 0
return true
end
if blocklist:check(dq.qname) then
if dq.qtype == pdns.A then
dq:addAnswer(dq.qtype, "127.0.0.1")
elseif dq.qtype == pdns.AAAA then
dq:addAnswer(dq.qtype, "::1")
end
return true
end
return false
end
return false
end
'';
for line in io.lines("${./dns-blocklist.txt}") do
entry = line:gsub("%s+", "")
if entry ~= "" and string.sub(entry, 1, 1) ~= "#" then
blocklist:add(entry)
end
end
'';
};
webservice = {
webserver = true;
address = "::";
allow_from = [ "127.0.0.1" "::1" ];
};
};
};
};
@@ -206,6 +232,9 @@ in
ups IN A ${net.cidr.host 20 prefixes.lo.v4}
palace-kvm IN A ${net.cidr.host 21 prefixes.lo.v4}
reolink-living-room IN A ${net.cidr.host 45 prefixes.lo.v4}
nixlight IN A ${net.cidr.host 46 prefixes.lo.v4}
${lib.my.dns.fwdRecords {
inherit allAssignments names;
domain = config.networking.domain;
nixos/boxes/home/routing-common/dns_update.py
+12 -7
View File
@@ -2,7 +2,7 @@
import argparse
import subprocess
import CloudFlare
import cloudflare
def main():
parser = argparse.ArgumentParser(description='Cloudflare DNS update script')
@@ -19,17 +19,22 @@ def main():
if args.api_token_file:
with open(args.api_token_file) as f:
cf_token = f.readline().strip()
cf = cloudflare.Cloudflare(api_token=cf_token)
cf = CloudFlare.CloudFlare(token=cf_token)
zones = cf.zones.get(params={'name': args.zone})
zones = list(cf.zones.list(name=args.zone))
assert zones, f'Zone {args.zone} not found'
records = cf.zones.dns_records.get(zones[0]['id'], params={'name': args.record})
assert len(zones) == 1, f'More than one zone found for {args.zone}'
zone = zones[0]
records = list(cf.dns.records.list(zone_id=zone.id, name=args.record, type='A'))
assert records, f'Record {args.record} not found in zone {args.zone}'
assert len(records) == 1, f'More than one record found for {args.record}'
record = records[0]
print(f'Updating {args.record} -> {address}')
cf.zones.dns_records.patch(
zones[0]['id'], records[0]['id'],
data={'type': 'A', 'name': args.record, 'content': address})
cf.dns.records.edit(
zone_id=zone.id, dns_record_id=record.id, name=args.record,
type='A', content=address)
if __name__ == '__main__':
main()
nixos/boxes/home/routing-common/kea.nix
+53
View File
@@ -132,6 +132,59 @@ in
hw-address = "24:8a:07:a8:fe:3a";
ip-address = net.cidr.host 40 prefixes.lo.v4;
}
{
# avr
hw-address = "8c:a9:6f:30:03:6b";
ip-address = net.cidr.host 41 prefixes.lo.v4;
}
{
# tv
hw-address = "00:a1:59:b8:4d:86";
ip-address = net.cidr.host 42 prefixes.lo.v4;
}
{
# android tv
hw-address = "b8:7b:d4:95:c6:74";
ip-address = net.cidr.host 43 prefixes.lo.v4;
}
{
# hass-panel
hw-address = "80:30:49:cd:d7:51";
ip-address = net.cidr.host 44 prefixes.lo.v4;
}
{
# reolink-living-room
hw-address = "ec:71:db:30:69:a4";
ip-address = net.cidr.host 45 prefixes.lo.v4;
}
{
# nixlight
hw-address = "00:4b:12:3b:d3:14";
ip-address = net.cidr.host 46 prefixes.lo.v4;
}
];
}
{
id = 3;
subnet = prefixes.untrusted.v4;
interface = "lan-untrusted";
option-data = [
{
name = "routers";
data = vips.untrusted.v4;
}
{
name = "domain-name-servers";
data = "1.1.1.1, 1.0.0.1";
}
];
pools = [
{
pool = if index == 0
then "192.168.80.10 - 192.168.80.127"
else "192.168.80.128 - 192.168.80.250";
}
];
}
];
nixos/boxes/home/routing-common/keepalived.nix
+4 -4
View File
@@ -20,10 +20,7 @@ let
};
vlanIface = vlan: if vlan == "as211024" then vlan else "lan-${vlan}";
vrrpIPs = family: concatMap (vlan: (optional (family == "v6") {
addr = "fe80::1/64";
dev = vlanIface vlan;
}) ++ [
vrrpIPs = family: concatMap (vlan: [
{
addr = "${vips.${vlan}.${family}}/${toString (net.cidr.length prefixes.${vlan}.${family})}";
dev = vlanIface vlan;
@@ -64,6 +61,9 @@ in
v4 = mkVRRP "v4" 51;
v6 = (mkVRRP "v6" 52) // {
extraConfig = ''
virtual_ipaddress_excluded {
${concatMapStringsSep "\n" (vlan: "fe80::1/64 dev ${vlanIface vlan}") (attrNames vips)}
}
notify_master "${config.systemd.package}/bin/systemctl start radvd.service" root
notify_backup "${config.systemd.package}/bin/systemctl stop radvd.service" root
'';
nixos/boxes/home/routing-common/mstpd.nix
+2 -2
View File
@@ -24,8 +24,8 @@ in
onState = [ "routable" ];
script = ''
#!${pkgs.runtimeShell}
if [ $IFACE = "lan" ]; then
${mstpd}/sbin/mstpctl setforcevers $IFACE rstp
if [ "$IFACE" = "lan" ]; then
${mstpd}/sbin/mstpctl setforcevers "$IFACE" rstp
fi
'';
};
nixos/boxes/home/stream.nix
+2 -2
View File
@@ -45,12 +45,12 @@
services = {
mjpg-streamer = {
enable = true;
enable = false;
inputPlugin = "input_uvc.so";
outputPlugin = "output_http.so -w @www@ -n -p 5050";
};
octoprint = {
enable = true;
enable = false;
host = "::";
extraConfig = {
plugins = {
nixos/boxes/kelder/containers/acquisition/default.nix
+4 -3
View File
@@ -29,7 +29,7 @@ in
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
vaapiIntel
intel-vaapi-driver
intel-ocl
];
};
@@ -73,8 +73,8 @@ in
RootDirectory = lib.mkForce "";
};
radarr.serviceConfig.UMask = "0002";
sonarr.serviceConfig.UMask = "0002";
radarr.serviceConfig.UMask = lib.mkForce "0002";
sonarr.serviceConfig.UMask = lib.mkForce "0002";
};
};
@@ -89,6 +89,7 @@ in
services = {
transmission = {
enable = true;
package = pkgs.transmission_4;
downloadDirPermissions = null;
performanceNetParameters = true;
settings = {
nixos/boxes/kelder/containers/spoder/default.nix
+5 -3
View File
@@ -60,7 +60,7 @@ in
"*.${domain}"
];
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
environmentFile = config.age.secrets."kelder/cloudflare-credentials.conf".path;
};
};
};
@@ -88,16 +88,18 @@ in
};
services = {
resolved.extraConfig = mkForce "";
resolved.settings.Resolve = mkForce { };
nextcloud = {
enable = true;
package = pkgs.nextcloud29;
# TODO: Might need to do some bullshit to go from Nextcloud 28 (?) to 32
package = pkgs.nextcloud32;
datadir = "/mnt/storage/nextcloud";
hostName = "cloud.${domain}";
https = true;
config = {
adminpassFile = config.age.secrets."kelder/nextcloud-root.txt".path;
dbtype = "sqlite";
};
settings = {
updatechecker = false;
nixos/boxes/kelder/containers/spoder/nginx.nix
-6
View File
@@ -13,11 +13,6 @@ in
owner = "nginx";
group = "nginx";
};
"dhparams.pem" = {
owner = "acme";
group = "acme";
mode = "440";
};
};
firewall = {
@@ -35,7 +30,6 @@ in
recommendedTlsSettings = true;
clientMaxBodySize = "0";
serverTokens = true;
sslDhparam = config.age.secrets."dhparams.pem".path;
# Based on recommended*Settings, but probably better to be explicit about these
appendHttpConfig = ''
nixos/boxes/tower/default.nix
+1 -7
View File
@@ -99,12 +99,6 @@
};
};
resolved = {
enable = true;
extraConfig = mkForce "";
dnssec = "false";
};
fprintd.enable = true;
blueman.enable = true;
@@ -118,7 +112,7 @@
steam.enable = true;
wireshark = {
enable = true;
package = pkgs.wireshark-qt;
package = pkgs.wireshark;
};
};
nixos/default.nix
+1 -1
View File
@@ -23,7 +23,7 @@ let
pkgs = pkgs'.${config'.nixpkgs}.${config'.system};
allPkgs = mapAttrs (_: p: p.${config'.system}) pkgs';
modules' = [ hmFlakes.${config'.home-manager}.nixosModule ] ++ (attrValues cfg.modules);
modules' = [ hmFlakes.${config'.home-manager}.nixosModules.default ] ++ (attrValues cfg.modules);
in
# Import eval-config ourselves since the flake now force-sets lib
import "${pkgsFlake}/nixos/lib/eval-config.nix" {
nixos/installer.nix
+4 -2
View File
@@ -31,8 +31,10 @@
server.enable = true;
};
image = {
baseName = "jackos-installer";
};
isoImage = {
isoBaseName = "jackos-installer";
volumeID = "jackos-${config.system.nixos.release}-${pkgs.stdenv.hostPlatform.uname.processor}";
edition = "devplayer0";
appendToMenuLabel = " /dev/player0 Installer";
@@ -97,7 +99,7 @@
# Enable wpa_supplicant, but don't start it by default.
networking.wireless.enable = mkDefault true;
networking.wireless.userControlled.enable = true;
networking.wireless.userControlled = true;
systemd.services.wpa_supplicant.wantedBy = mkForce [];
# Tell the Nix evaluator to garbage collect more aggressively.
nixos/modules/_list.nix
+1 -1
View File
@@ -14,7 +14,7 @@
network = ./network.nix;
pdns = ./pdns.nix;
nginx-sso = ./nginx-sso.nix;
gui = ./gui.nix;
gui = ./gui;
l2mesh = ./l2mesh.nix;
borgthin = ./borgthin.nix;
nvme = ./nvme;
nixos/modules/borgthin.nix
+4 -2
View File
@@ -1,4 +1,4 @@
{ lib, pkgs, config, ... }:
{ inputs, lib, pkgs, config, ... }:
let
inherit (builtins) substring match;
inherit (lib)
@@ -127,7 +127,9 @@ in
enable = mkBoolOpt' false "Whether to enable borgthin jobs";
lvmPackage = mkOpt' package pkgs.lvm2 "Packge containing LVM tools";
thinToolsPackage = mkOpt' package pkgs.thin-provisioning-tools "Package containing thin-provisioning-tools";
package = mkOpt' package pkgs.borgthin "borgthin package";
# Really we should use the version from the overlay, but the package is quite far behind...
# Not bothering to update until Borg 2.0 releases
package = mkOpt' package inputs.borgthin.packages.${config.nixpkgs.system}.borgthin "borgthin package";
jobs = mkOpt' (attrsOf jobType) { } "borgthin jobs";
};
nixos/modules/build.nix
+1 -1
View File
@@ -221,8 +221,8 @@ in
memorySize = dummyOption;
qemu.options = dummyOption;
};
image.baseName = dummyOption;
isoImage = {
isoBaseName = dummyOption;
volumeID = dummyOption;
edition = dummyOption;
appendToMenuLabel = dummyOption;
nixos/modules/common.nix
+26 -13
View File
@@ -9,9 +9,11 @@ in
};
imports = [
inputs.impermanence.nixosModule
inputs.impermanence.nixosModules.default
inputs.ragenix.nixosModules.age
inputs.sharry.nixosModules.default
inputs.copyparty.nixosModules.default
inputs.harmonia.nixosModules.harmonia
];
config = mkMerge [
@@ -36,6 +38,15 @@ in
enable = mkDefault true;
wheelNeedsPassword = mkDefault false;
};
# TODO: Add this to fix login
# pam = {
# services = {
# kmscon.rules. = mkIf config.services.kmscon.config.libseat {
# };
# };
# };
};
nix = {
@@ -65,10 +76,13 @@ in
};
nixpkgs = {
overlays = [
inputs.deploy-rs.overlay
inputs.deploy-rs.overlays.default
inputs.sharry.overlays.default
inputs.borgthin.overlays.default
# TODO: Re-enable when borgthin is updated
# inputs.borgthin.overlays.default
inputs.boardie.overlays.default
inputs.copyparty.overlays.default
inputs.hass-west-wood.overlays.default
];
config = {
allowUnfree = true;
@@ -135,6 +149,7 @@ in
bash-completion
git
unzip
tcpdump
]
(mkIf config.services.netdata.enable [ netdata ])
];
@@ -152,16 +167,14 @@ in
};
services = {
kmscon = {
# As it turns out, kmscon hasn't been updated in years and has some bugs...
# TODO: Remove if-else when 26.11 releases
kmscon = if (config.system.nixos.release == "26.06:u-26.11") then {
enable = mkDefault false;
hwRender = mkDefault true;
extraOptions = "--verbose";
extraConfig =
''
font-name=SauceCodePro Nerd Font Mono
'';
};
config = {
hwaccel = config.hardware.graphics.enable;
font-name = "SauceCodePro Nerd Font Mono";
};
} else { };
getty.greetingLine = mkDefault' ''<<< Welcome to ${config.system.nixos.distroName} ${config.system.nixos.label} (\m) - \l >>>'';
openssh = {
@@ -242,7 +255,7 @@ in
};
}
(mkIf config.services.kmscon.enable {
fonts.fonts = with pkgs; [
fonts.packages = with pkgs; [
nerd-fonts.sauce-code-pro
];
})
nixos/modules/containers.nix
+1
View File
@@ -15,6 +15,7 @@ let
passAsFile = [ "code" ];
code = ''
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <systemd/sd-daemon.h>
nixos/modules/deploy-rs.nix
+2 -1
View File
@@ -45,8 +45,9 @@ let
journalctl -o cat --no-pager -n 0 -f -u "$unit" &
jPid=$!
# shellcheck disable=SC2329
cleanup() {
# shellcheck disable=SC2317
kill "$jPid"
}
trap cleanup EXIT
nixos/modules/gui/android-udev.rules
+1101
View File
File diff suppressed because it is too large Load Diff
nixos/modules/gui.nix → nixos/modules/gui/default.nix
+37 -2
View File
@@ -1,9 +1,15 @@
{ lib, pkgs, config, ... }:
let
inherit (lib) optional mkIf mkDefault mkMerge;
inherit (lib) optional mkIf mkDefault mkMerge mkOverride;
inherit (lib.my) mkBoolOpt';
cfg = config.my.gui;
androidUdevRules = pkgs.runCommand "udev-rules-android" {
rulesFile = ./android-udev.rules;
} ''
install -D "$rulesFile" "$out"/lib/udev/rules.d/51-android.rules
'';
in
{
options.my.gui = with lib.types; {
@@ -26,12 +32,29 @@ in
pam.services.swaylock-plugin = {};
};
users = {
groups = {
adbusers.gid = lib.my.c.ids.gids.adbusers;
};
};
environment.systemPackages = with pkgs; [
# for pw-jack
pipewire.jack
swaylock-plugin
];
services = {
resolved = {
settings.Resolve = {
FallbackDNS = mkOverride 99 (
"1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google " +
"1.0.0.1#cloudflare-dns.com 8.8.4.4#dns.google " +
"2606:4700:4700::1111#cloudflare-dns.com 2001:4860:4860::8888#dns.google " +
"2606:4700:4700::1001#cloudflare-dns.com 2001:4860:4860::8844#dns.google" );
LLMNR = "resolve";
};
};
pipewire = {
enable = true;
alsa.enable = true;
@@ -44,8 +67,12 @@ in
gnome = {
gnome-keyring.enable = true;
};
udisks2.enable = true;
udev = {
packages = [
androidUdevRules
];
extraRules = ''
# Nvidia
SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0664", GROUP="wheel"
@@ -67,7 +94,7 @@ in
gyre-fonts # TrueType substitutes for standard PostScript fonts
liberation_ttf
unifont
noto-fonts-emoji
noto-fonts-color-emoji
];
xdg = {
@@ -88,5 +115,13 @@ in
];
};
};
my = {
user = {
config = {
extraGroups = [ "adbusers" ];
};
};
};
};
}
nixos/modules/netboot/default.nix
+16 -23
View File
@@ -5,19 +5,10 @@ let
cfg = config.my.netboot;
ipxe = pkgs.ipxe.overrideAttrs (o: rec {
version = "1.21.1-unstable-2024-06-27";
src = pkgs.fetchFromGitHub {
owner = "ipxe";
repo = "ipxe";
rev = "b66e27d9b29a172a097c737ab4d378d60fe01b05";
hash = "sha256-TKZ4WjNV2oZIYNefch7E7m1JpeoC/d7O1kofoNv8G40=";
};
});
tftpRoot = pkgs.linkFarm "tftp-root" [
{
name = "ipxe-x86_64.efi";
path = "${ipxe}/ipxe.efi";
path = "${pkgs.ipxe}/ipxe.efi";
}
];
menuFile = pkgs.runCommand "menu.ipxe" {
@@ -26,23 +17,25 @@ let
substituteAll ${./menu.ipxe} "$out"
'';
bootBuilder = pkgs.substituteAll {
bootBuilder = pkgs.replaceVarsWith {
src = ./netboot-loader-builder.py;
isExecutable = true;
inherit (pkgs) python3;
bootspecTools = pkgs.bootspec;
nix = config.nix.package.out;
replacements = {
inherit (pkgs) python3;
bootspecTools = pkgs.bootspec;
nix = config.nix.package.out;
inherit (config.system.nixos) distroName;
systemName = config.system.name;
inherit (cfg.client) configurationLimit;
checkMountpoints = pkgs.writeShellScript "check-mountpoints" ''
if ! ${pkgs.util-linuxMinimal}/bin/findmnt /boot > /dev/null; then
echo "/boot is not a mounted partition. Is the path configured correctly?" >&2
exit 1
fi
'';
inherit (config.system.nixos) distroName;
systemName = config.system.name;
inherit (cfg.client) configurationLimit;
checkMountpoints = pkgs.writeShellScript "check-mountpoints" ''
if ! ${pkgs.util-linuxMinimal}/bin/findmnt /boot > /dev/null; then
echo "/boot is not a mounted partition. Is the path configured correctly?" >&2
exit 1
fi
'';
};
};
in
{
nixos/modules/netboot/fix-uninitialised-var.patch
+48
View File
@@ -0,0 +1,48 @@
From 7f75d320f6d8ac7ec5185b2145da87f698aec273 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Mon, 2 Sep 2024 12:24:57 +0100
Subject: [PATCH] [etherfabric] Fix use of uninitialised variable in
falcon_xaui_link_ok()
The link status check in falcon_xaui_link_ok() reads from the
FCN_XX_CORE_STAT_REG_MAC register only on production hardware (where
the FPGA version reads as zero), but modifies the value and writes
back to this register unconditionally. This triggers an uninitialised
variable warning on newer versions of gcc.
Fix by assuming that the register exists only on production hardware,
and so moving the "modify-write" portion of the "read-modify-write"
operation to also be covered by the same conditional check.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
src/drivers/net/etherfabric.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/drivers/net/etherfabric.c b/src/drivers/net/etherfabric.c
index b40596beae7..be30b71f79f 100644
--- a/src/drivers/net/etherfabric.c
+++ b/src/drivers/net/etherfabric.c
@@ -2225,13 +2225,16 @@ falcon_xaui_link_ok ( struct efab_nic *efab )
sync = ( sync == FCN_XX_SYNC_STAT_DECODE_SYNCED );
link_ok = align_done && sync;
- }
- /* Clear link status ready for next read */
- EFAB_SET_DWORD_FIELD ( reg, FCN_XX_COMMA_DET, FCN_XX_COMMA_DET_RESET );
- EFAB_SET_DWORD_FIELD ( reg, FCN_XX_CHARERR, FCN_XX_CHARERR_RESET);
- EFAB_SET_DWORD_FIELD ( reg, FCN_XX_DISPERR, FCN_XX_DISPERR_RESET);
- falcon_xmac_writel ( efab, &reg, FCN_XX_CORE_STAT_REG_MAC );
+ /* Clear link status ready for next read */
+ EFAB_SET_DWORD_FIELD ( reg, FCN_XX_COMMA_DET,
+ FCN_XX_COMMA_DET_RESET );
+ EFAB_SET_DWORD_FIELD ( reg, FCN_XX_CHARERR,
+ FCN_XX_CHARERR_RESET );
+ EFAB_SET_DWORD_FIELD ( reg, FCN_XX_DISPERR,
+ FCN_XX_DISPERR_RESET );
+ falcon_xmac_writel ( efab, &reg, FCN_XX_CORE_STAT_REG_MAC );
+ }
has_phyxs = ( efab->phy_op->mmds & ( 1 << MDIO_MMD_PHYXS ) );
if ( link_ok && has_phyxs ) {

Some files were not shown because too many files have changed in this diff Show More