Compare commits
561 Commits

Author SHA1 Message Date
a783b89cec Update roles/home/zsh.nix 2025-03-10 13:48:40 +00:00
6ad39dfd3b Update roles/home/aichat/config.yaml 2025-03-10 12:58:08 +00:00
Giulio De Pasquale
c5542b5ca1 lock 2025-03-10 12:34:28 +00:00
Giulio De Pasquale
e98f915103 architect: enable searx 2025-03-10 12:31:18 +00:00
Giulio De Pasquale
068a42db62 feat(searx): expose JSON 2025-03-10 12:31:03 +00:00
Giulio De Pasquale
1542d67202 feat(llm): openwebui 2025-03-10 12:30:55 +00:00
Giulio De Pasquale
d7a3a3bcf3 refactor(architect/llm.nix): update configuration to use config for host and port 2025-03-09 14:31:50 +00:00
Giulio De Pasquale
4285da55bf sunshine 2025-03-01 11:33:08 +00:00
Giulio De Pasquale
4f6d409e85 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2025-02-02 11:30:22 +00:00
Giulio De Pasquale
403518a625 chore: update lock 2025-02-02 11:29:48 +00:00
Giulio De Pasquale
ba01b6fb7e feat(sunshine.nix): add Heroic to system packages and configure game session 2025-02-02 11:29:40 +00:00
Giulio De Pasquale
f4813cb281 refactor(sunshine.nix): update display manager and X server configuration 2025-02-01 18:47:27 +00:00
Giulio De Pasquale
183b3b682c chore: bump lock 2025-02-01 10:24:15 +00:00
Giulio De Pasquale
7a8a235430 fix(sunshine.nix): specify latest NVIDIA package 2025-02-01 10:24:08 +00:00
Giulio De Pasquale
3187fedfb6 fix(sunshine.nix): update sunshinePkg to use unstablePkgs 2025-01-31 17:58:49 +00:00
f1b38b4085 Update roles/home/aichat/roles/commitmessage.md 2025-01-22 12:22:30 +00:00
328dc4f7f8 Update roles/home/aichat/roles/documentfunction.md 2025-01-21 17:37:23 +00:00
b9dc684c3f Add roles/home/aichat/roles/documentfunction.md 2025-01-21 17:33:31 +00:00
1443282f8f Update roles/home/helix.nix 2025-01-16 10:05:50 +00:00
Giulio De Pasquale
15256e49d2 fix(architect/llm.nix): update ollamaPkg to use ollama-cuda 2025-01-15 17:20:07 +00:00
8c301096ea Update roles/home/helix/languages.toml 2025-01-15 12:08:25 +00:00
f5d6979a88 Update roles/home/helix.nix 2025-01-15 12:05:36 +00:00
8a5300a7cc Update roles/home/helix/languages.toml 2025-01-15 12:05:22 +00:00
fc5519e6d2 Update roles/home/helix.nix 2025-01-15 12:03:43 +00:00
Giulio De Pasquale
bd7b6de3ce Revert "chore: update lock"
This reverts commit 5b7fb4c77b.
2025-01-15 11:37:50 +00:00
Giulio De Pasquale
946083ddb5 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2025-01-14 12:38:03 +00:00
Giulio De Pasquale
5b7fb4c77b chore: update lock 2025-01-14 12:37:13 +00:00
7a2ac84649 Update roles/home/zsh.nix 2025-01-14 12:15:13 +00:00
d9a40c1a94 Update roles/home/zsh.nix 2025-01-14 12:07:25 +00:00
07a4a7e0be Update roles/home/aichat/roles/createpr.md 2025-01-02 16:59:49 +00:00
48cd242684 Update roles/home/aichat/roles/createpr.md 2025-01-02 16:44:39 +00:00
dfbcb83427 Update roles/home/aichat/roles/commitmessage.md 2025-01-02 16:33:19 +00:00
Giulio De Pasquale
95d8b8405e Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2025-01-01 15:21:15 +00:00
Giulio De Pasquale
3b651d5dc1 feat: added pepeflake 2025-01-01 15:20:48 +00:00
Giulio De Pasquale
f40cc64b59 feat(sunshine.nix): add Steam with Hue Lights app configuration 2025-01-01 15:20:29 +00:00
Giulio De Pasquale
c95a59028a fix(sunshine.nix): improve error messages and add checks 2024-12-28 12:21:49 +00:00
Giulio De Pasquale
e5dca361d2 refactor(sunshine.nix): remove hardcoded Modeline configurations 2024-12-28 12:13:34 +00:00
Giulio De Pasquale
e450732d3a bump: update lock 2024-12-27 22:31:46 +00:00
Giulio De Pasquale
ab7c0c3f07 refactor(homeassistant.nix): comment out unused extraPackages 2024-12-27 22:31:41 +00:00
ec0899fed3 Update roles/home/scripts/commits.sh 2024-12-23 14:35:32 +00:00
Giulio De Pasquale
cb75e914cc feat(homeassistant.nix): enable WAN access for Home Assistant 2024-12-20 12:45:50 +00:00
Giulio De Pasquale
f8184fbd87 bump: update lock 2024-12-19 12:26:30 +00:00
Giulio De Pasquale
145f84415a refactor(sunshine.nix): switch from XFCE to GNOME and modify display manager settings
- Replaced XFCE with GNOME as the desktop manager
- Updated `displayManager` configuration to use GDM instead of SDDM
- Added `autoSuspend = false` for GDM
- Set `defaultSession` to "gnome-xorg"
- Disabled `NetworkManager-wait-online` service using `mkForce`
2024-12-18 14:07:39 +00:00
Giulio De Pasquale
5925e20119 fix(sunshine.nix): add -pipewire flag to Steam command 2024-12-17 17:19:36 +00:00
Giulio De Pasquale
6198e4bca1 fix(sunshine.nix): update cudaPackages to version 12.4 2024-12-16 13:38:46 +00:00
Giulio De Pasquale
049174c54c Revert "fix/feat(sunshine.nix): update CUDA version and refactor gamescope arguments"
This reverts commit 3424fb4b9f.
2024-12-16 13:37:09 +00:00
Giulio De Pasquale
3424fb4b9f fix/feat(sunshine.nix): update CUDA version and refactor gamescope arguments 2024-12-16 13:21:39 +00:00
Giulio De Pasquale
4d6a5292d9 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2024-12-16 10:38:02 +00:00
Giulio De Pasquale
1219b42ba0 fix(sunshine.nix): update gamescope command with additional flags 2024-12-16 10:35:25 +00:00
Giulio De Pasquale
5f79653e0b fix(jellyseer.nix): add "lan" to dnsInterfaces 2024-12-16 10:35:09 +00:00
Giulio De Pasquale
884932435c fix(architect/prowlarr.nix): add "lan" to dnsInterfaces 2024-12-16 10:34:50 +00:00
Giulio De Pasquale
18670f96e8 refactor(homeassistant.nix): comment out unused Wyoming services 2024-12-16 10:31:17 +00:00
Giulio De Pasquale
07e7e53663 feat(homeassistant.nix): add go2rtc service and new integrations 2024-12-16 10:29:40 +00:00
165fa5f3ce Update roles/home/scripts/commits.sh 2024-12-11 16:56:19 +00:00
a62e0f2869 Update roles/home/scripts/commits.sh 2024-12-11 16:33:12 +00:00
Giulio De Pasquale
2758be3937 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2024-12-11 14:22:22 +00:00
a6df154f43 Update roles/home/aichat/roles/createpr.md 2024-12-11 11:40:42 +00:00
Giulio De Pasquale
832761b32f feat(flake.nix, homeassistant.nix): enable CUDA for ctranslate2 and set device to cuda 2024-12-11 00:49:55 +00:00
Giulio De Pasquale
0f18c6ec87 feat(homeassistant.nix): include themes directory for frontend 2024-12-11 00:11:48 +00:00
Giulio De Pasquale
4f299b0ca3 feat(flake): add cachix overlay to extOverlays 2024-12-10 23:59:28 +00:00
Giulio De Pasquale
44f757f535 feat(cachix): add cachix configuration files and update host.nix
- Added `cachix.nix` for configuring Cachix substituters
- Added `cachix/nix-community.nix` for Nix Community Cachix settings
- Updated `lib/host.nix` to include `pkgs.nixosModules.cachixConfig` in the list of NixOS modules
2024-12-10 23:58:47 +00:00
Giulio De Pasquale
2f23f3db9e fix(radarr.nix): add "lan" to dnsInterfaces 2024-12-10 21:58:07 +00:00
Giulio De Pasquale
e910399750 feat(homeassistant.nix): add new integrations and packages 2024-12-10 21:37:02 +00:00
Giulio De Pasquale
c50e278db7 fix(config): update max_input_tokens for pino-coder to 16000 2024-12-10 12:04:50 +00:00
Giulio De Pasquale
914a26a0ba refactor(firewall.nix): remove redundant docker network rules 2024-12-10 12:01:45 +00:00
Giulio De Pasquale
cca80288ed refactor(flake.nix): simplify and consolidate package imports
- Simplified the import statements for `unstablePkgs`, `masterPkgs`, `localPkgs`, `teslamatePkgs`, and `agenixPkgs` by using a helper function `importNixpkgs`.
- Consolidated overlays into `additionalOverlays` and combined them with `extOverlays` in the final import statement.
- Improved readability and maintainability of the flake configuration.
2024-12-10 12:01:30 +00:00
Giulio De Pasquale
b72d5c9d6b feat(homeassistant.nix): include automations from separate YAML file 2024-12-10 11:54:19 +00:00
Giulio De Pasquale
d19d2ce3a0 refactor(architect/default.nix): comment out docker.nix 2024-12-10 11:53:05 +00:00
Giulio De Pasquale
873d2bd1c8 bump: update lock 2024-12-10 11:52:24 +00:00
Giulio De Pasquale
abb672ea9e refactor(flake.nix): update nixos-unstable and add nixos-master
- Updated `nixos-unstable.url` to point to the correct branch (`nixpkgs-unstable`)
- Added `nixos-master` input pointing to the `master` branch of nixpkgs
- Imported `nixos-master` in the outputs and created `masterPkgs` variable for potential use
2024-12-10 11:52:15 +00:00
Giulio De Pasquale
bd4c7e80d5 feat(homeassistant.nix): add Wyoming services and update Home Assistant package 2024-12-09 17:05:06 +00:00
Giulio De Pasquale
1206a18e22 feat(home-assistant): add MQTT support and Teslamate connection 2024-12-09 14:17:06 +00:00
Giulio De Pasquale
c95d66caab refactor(home-assistant.nix): remove home-assistant configuration 2024-12-09 10:36:37 +00:00
Giulio De Pasquale
0fb70b7ff8 fix(sonarr.nix): add "lan" to dnsInterfaces 2024-12-09 10:36:22 +00:00
Giulio De Pasquale
1443218ae7 fix(nextcloud.nix): add group "nginx" to nextcloud-admin and nextcloud-database secrets 2024-12-09 10:36:10 +00:00
Giulio De Pasquale
203a4edcd6 feat(architect): add Home Assistant configuration
- Added `homeassistant.nix` to the list of services in `default.nix`
- Configured Home Assistant with basic settings and extra components
- Set up vhost for Home Assistant with specified domain and network interfaces
- Included necessary Python packages for Home Assistant components
2024-12-09 10:35:38 +00:00
Giulio De Pasquale
29c2526e6a feat(architect/llm.nix): add OLLAMA_KV_CACHE_TYPE environment variable
- Added `OLLAMA_KV_CACHE_TYPE` with value `"q8_0"` to the environment variables in `llm.nix`
2024-12-08 12:01:01 +00:00
Giulio De Pasquale
109c738594 bump: flake lock 2024-12-08 11:53:26 +00:00
Giulio De Pasquale
5a6bd41afd feat(architect/dns.nix): add configuration for adguard.giugl.io
- Added configuration for `adguard.giugl.io` with specified DNS interfaces and location settings
- Configured to use the port from `config.services.adguardhome.port`
- Allowed LAN access and specified allowed networks (`tailscale.net`)
2024-12-07 17:10:04 +00:00
Giulio De Pasquale
c14ae459ff feat(roles/acme.nix): add DNS provider configuration for OVH 2024-12-07 10:52:52 +00:00
Giulio De Pasquale
1cc6cf9f95 feat(architect): add netdata monitoring service 2024-12-06 23:30:35 +00:00
Giulio De Pasquale
d971ab334e fix(backup.nix): remove /secrets from backup paths 2024-12-06 22:59:34 +00:00
Giulio De Pasquale
0b4b32c290 feat(restic): switch to age-protected secrets 2024-12-06 22:58:46 +00:00
Giulio De Pasquale
b4f4c69c42 feat(nextcloud): switch to age-protected secrets 2024-12-06 21:17:00 +00:00
Giulio De Pasquale
273b694e4f feat(secrets): added host key for architect and rekeyed secrets 2024-12-06 21:11:16 +00:00
Giulio De Pasquale
0348df9a1e fix(secrets): rekeyed secrets with new pubkeys 2024-12-06 21:08:06 +00:00
Giulio De Pasquale
0622417fec refactor(architect/default.nix): centralize public keys in pubkeys.nix 2024-12-06 21:06:17 +00:00
Giulio De Pasquale
b0df5717b5 Deleted deluge and keycloak 2024-12-06 20:57:03 +00:00
Giulio De Pasquale
3f3b3d0604 refactor(teslamate.nix): update secrets file path and add age secret configuration 2024-12-06 20:55:44 +00:00
Giulio De Pasquale
847677fc2f refactor(matrix.nix): centralize matrix-synapse secrets and remove hardcoded database name
- Added `age.secrets.matrix` to manage secrets in a centralized `.age` file
- Removed hardcoded `db_name` and used `extraConfigFiles` to include the database configuration from the `.age` file
- Updated comments to reflect changes
2024-12-06 20:50:09 +00:00
Giulio De Pasquale
9b1cef61f2 feat(secrets): add initial secrets.nix configuration 2024-12-06 20:49:18 +00:00
Giulio De Pasquale
8fbd2cc84a Revert "hello"
This reverts commit 6c6a9aa447.
2024-12-06 17:40:57 +00:00
Giulio De Pasquale
6c6a9aa447 hello 2024-12-06 17:40:31 +00:00
Giulio De Pasquale
82c3dd24b3 Revert "hello"
This reverts commit 19a029156c.
2024-12-06 17:40:02 +00:00
Giulio De Pasquale
19a029156c hello 2024-12-06 17:39:54 +00:00
Giulio De Pasquale
586529e23d Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2024-12-06 17:34:41 +00:00
5a95a015e8 Update roles/home/scripts/commits.sh 2024-12-06 12:03:58 +00:00
Giulio De Pasquale
4ecc45a4bd feat(git.nix): add ais alias for staged diffs
- Introduced `ais` alias to generate commit messages from staged diffs using `aichat`
- The alias runs `git diff --staged HEAD` and pipes the output to `aichat` with the specified model and request type
2024-12-06 12:02:35 +00:00
5ebc68ad80 fix(create_pr_from_files): improved robustness, which used to suck before 2024-12-05 15:02:19 +00:00
d91b3bc9a9 scripts(zsh): update create_pr_from_files 2024-12-04 16:13:24 +00:00
91d7bcbab1 Update roles/home/scripts/commits.sh 2024-12-04 11:34:05 +00:00
b0080ad5e9 Update roles/home/aichat/roles/commitmessage.md 2024-11-26 12:55:41 +00:00
Giulio De Pasquale
adea686a35 bump: flake bump 2024-11-24 00:14:58 +00:00
Giulio De Pasquale
6ecb3ff1d0 fix(flake): update teslamate-flake to v1.32.0 2024-11-24 00:14:53 +00:00
Giulio De Pasquale
3b28f09e04 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2024-11-18 20:02:51 +00:00
Giulio De Pasquale
b4e03a9dc2 feat: bump to 24.11 2024-11-18 19:58:44 +00:00
Giulio De Pasquale
9abf353f88 fix(nix): update stateVersion and remove adb plugin
- Updated `stateVersion` to "24.11"
- Removed `adb` from the list of oh-my-zsh plugins in `zsh.nix`
2024-11-18 19:58:32 +00:00
Giulio De Pasquale
1630bfb8fb fix(sunshine.nix): update CUDA package and disable pulseaudio
- Updated `cudaPackages` to `pkgs.cudaPackages_12_3`
- Changed `boost` version from `pkgs.unstablePkgs.boost186` to `pkgs.boost186`
- Disabled `pulseaudio.enable` and removed redundant `sound.enable`
2024-11-18 19:58:12 +00:00
Giulio De Pasquale
cc77cab961 feat(architect/redlib.nix): add configuration for redlib service
- Added `redlib` systemd service environment variables and settings
- Enabled `redlib` service with specified port and package
- Configured virtual host for `reddit.giugl.io` to forward requests to the `redlib` service
2024-11-18 19:57:49 +00:00
Giulio De Pasquale
949b5f8f21 refactor(headscale.nix): update settings structure and add comments
- Updated `dns_config` to `dns` and adjusted nested fields accordingly.
- Commented out default log level and base domain for clarity.
- Changed `ip_prefixes` to `prefixes.v4` to match expected configuration format.
2024-11-18 19:57:06 +00:00
Giulio De Pasquale
2b17b0b463 refactor(architect/llm.nix): simplify and clean up configuration
- Removed unused frontend domain, port, and listen address variables
- Centralized `ollamaHost` and `ollamaPort` usage
- Cleaned up commented-out sections for future reference or removal
- Ensured consistent placement of `acceleration` in the `services.ollama` block
2024-11-18 19:56:48 +00:00
36c8e99d7e Update roles/home/helix.nix 2024-11-18 11:41:55 +00:00
45971753fd Update roles/home/aichat/roles/commitmessage.md 2024-11-18 10:59:52 +00:00
ad180a2890 Update roles/home/aichat/roles/commitmessage.md 2024-11-18 10:56:59 +00:00
Giulio De Pasquale
47495b845a chore: formatting TOML files 2024-11-17 20:52:45 +00:00
Giulio De Pasquale
49913ef5e8 feat(home/helix): add taplo to the list of packages 2024-11-17 20:52:27 +00:00
Giulio De Pasquale
bd130216e8 chore: update lock 2024-11-17 20:31:50 +00:00
Giulio De Pasquale
5c7bbda59e feat(flake): add TeslaMate flake and import NixOS module
- Added `teslamate-flake` input to the flake configuration
- Imported TeslaMate's NixOS module in the system configuration
- Updated function signatures to remove unused `system` parameter where applicable
2024-11-17 20:31:45 +00:00
Giulio De Pasquale
38644cc57f feat(architect/options.nix): add recommendedProxySettings option
- Introduced `recommendedProxySettings` to force the use of recommended proxy configuration.
- Updated location configuration to include `recommendedProxySettings`.
2024-11-17 20:31:13 +00:00
Giulio De Pasquale
5d090a32bd fix(headscale.nix): update domain and package reference
- Updated `domain` to use a single string "vipienne.giugl.io"
- Changed `headscalePkg` to use the stable `pkgs.headscale` instead of `pkgs.unstablePkgs.headscale`
- Corrected `base_domain` in `dns_config` to use the updated `domain` variable
2024-11-17 20:30:42 +00:00
Giulio De Pasquale
15448ebc67 fix(nextcloud.nix): update Nextcloud package to version 30 2024-11-17 20:30:21 +00:00
Giulio De Pasquale
4cbf34f0bf feat(architect/default.nix): add teslamate and postgres services 2024-11-17 20:30:11 +00:00
Giulio De Pasquale
48f370d9a4 refactor(architect/llm.nix): comment out frontend vhost and container configurations
- Commented out the `frontendDomain` vhost configuration
- Updated backend port to use `ollamaPort`
- Added `recommendedProxySettings = false;` for backend vhost
- Commented out the entire OCI containers section for `ollama-webui`
2024-11-17 20:29:57 +00:00
Giulio De Pasquale
2602da324e refactor(matrix.nix): remove unused PostgreSQL configuration
- Removed the commented-out and unused `postgresql` service configuration from `matrix.nix`.
2024-11-17 20:29:37 +00:00
Giulio De Pasquale
3dc81c6c49 fix(nginx.nix): enable recommended proxy settings
- Enabled `recommendedProxySettings` in the Nginx configuration
2024-11-17 20:29:23 +00:00
Giulio De Pasquale
9f01055530 fix(postgres.nix): update configuration path to use services.postgresql
- Changed the configuration path from `postgresql` to `services.postgresql` for consistency and correctness.
2024-11-17 20:29:10 +00:00
Giulio De Pasquale
2dc8e1b1a3 factor(teslamate.nix): update domain, ports, and service configuration
- Updated domain to `tesla.giugl.io`
- Added separate ports for TeslaMate (`11234`) and Grafana (`11334`)
- Configured proxy settings for websockets in `/` and `/live/websocket` locations
- Added `/grafana` location with appropriate configuration
- Updated `services.teslamate` to include port, listen address, secrets file, virtual host, PostgreSQL server, and Grafana settings
2024-11-17 20:28:53 +00:00
Giulio De Pasquale
23ee309b8f refactor(home/aichat): update configuration and roles handling
- Removed inline `config` and `roles` definitions
- Used `lib.readFile` to load external files for configuration and roles
- Organized role files into separate markdown documents
2024-11-17 20:28:08 +00:00
Giulio De Pasquale
8b467e073e chore(commits.sh): remove unnecessary trailing newlines
- Removed two trailing newline characters at the end of the file
2024-11-17 20:16:14 +00:00
Giulio De Pasquale
227c289967 fix(home/zsh.nix): correct path for commitFunctions
- Updated the path to correctly place `commits.sh` inside the `bin` directory
2024-11-17 20:16:01 +00:00
Giulio De Pasquale
58e2b8dab7 feat(home/git.nix): enable Git LFS and add aliases
- Enabled Git Large File Storage (LFS)
- Added `ai` alias to generate diff with AI chat
2024-11-17 20:15:47 +00:00
Giulio De Pasquale
72167fd861 refactor(config.yaml): update client configuration for openai-compatible
- Updated `type` to `openai-compatible`
- Added `name` field for clarity
- Adjusted `api_base` URL to include `/v1`
- Simplified and updated model configurations for consistency
2024-11-17 20:15:18 +00:00
Giulio De Pasquale
bd9329a9ed Add files 2024-11-17 20:10:06 +00:00
Giulio De Pasquale
251d38d411 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2024-11-17 14:17:56 +00:00
Giulio De Pasquale
d9e6d1acd4 feat: load helix files from files 2024-11-17 14:15:29 +00:00
Giulio De Pasquale
71f4de2804 feat: teslamate 2024-11-16 13:19:23 +00:00
2db9c318a1 Update roles/home/zsh.nix 2024-11-14 11:17:26 +00:00
Giulio De Pasquale
60eccadaa8 Stabilize sunshine 2024-10-31 12:48:45 +00:00
Giulio De Pasquale
f7f1da25ed refactor: use sunshine service 2024-10-31 08:33:56 +00:00
e084734e4a Update roles/home/helix.nix 2024-10-08 12:27:27 +01:00
a24e261521 Update roles/home/helix.nix 2024-10-08 12:21:12 +01:00
Giulio De Pasquale
2487717aaf fix(ollama): DNS resolution in LAN 2024-10-07 13:05:45 +01:00
Giulio De Pasquale
777e32601d Update lock 2024-10-07 12:58:01 +01:00
Giulio De Pasquale
8f288db067 fix(prowlarr): enable websockets 2024-10-07 12:10:50 +01:00
Giulio De Pasquale
c6a0389845 fix(docker): use correct field after 24.05 2024-10-07 12:09:38 +01:00
Giulio De Pasquale
74efccbdb6 refactor(dns): simplify DNS config and associate architect domain to every interface 2024-10-07 12:09:12 +01:00
Giulio De Pasquale
e10d9a4d5a bump: flake 2024-09-17 16:53:52 +01:00
Giulio De Pasquale
485b1f6b33 feat(architect): enable jellyseer 2024-09-10 15:44:04 +01:00
Giulio De Pasquale
7bb975598c bump: flake.lock 2024-09-10 15:43:40 +01:00
Giulio De Pasquale
ec75c4451d feat: added jellyseer 2024-09-10 15:43:33 +01:00
Giulio De Pasquale
84b014fdac fix(aichat): max input tokens 8192 and remove example in createpr 2024-07-25 23:26:40 +01:00
Giulio De Pasquale
8d80114fe8 feat(helix): use nixd and mypy for pylsp 2024-07-17 00:41:43 +01:00
Giulio De Pasquale
f571e82c28 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2024-07-16 23:49:33 +01:00
Giulio De Pasquale
2baae66b09 fix(helix): fixed python lsp, golangci-lint use repo defaults 2024-07-16 23:47:08 +01:00
Giulio De Pasquale
6e48cac798 Bump lock 2024-07-16 22:59:01 +01:00
Giulio De Pasquale
7859115187 fix(architect): removed junk 2024-07-16 22:01:33 +01:00
Giulio De Pasquale
fa66653655 fix(flake): apply overlays to each pkg group 2024-07-16 22:01:14 +01:00
Giulio De Pasquale
1ebd0a3975 Bump lock 2024-07-13 14:30:22 +01:00
Giulio De Pasquale
f433081a8e fix(nvidia): remove nvidia patch (upcoming sunshine doesn't need it) 2024-07-13 14:27:43 +01:00
Giulio De Pasquale
12eb35233f Revert "Bump lock"
This reverts commit 23d55f00f5.
2024-07-13 14:15:28 +01:00
Giulio De Pasquale
23d55f00f5 Bump lock 2024-07-13 01:19:44 +01:00
55f370c9d1 Update roles/home/aichat.nix 2024-07-03 10:18:00 +01:00
29692c5f29 Update roles/home/aichat.nix 2024-07-03 10:13:02 +01:00
abb0002c4c Update roles/home/aichat.nix 2024-07-02 15:20:14 +01:00
897b7eb644 Update roles/home/aichat.nix 2024-07-02 15:07:16 +01:00
22bc7e809c Update roles/home/aichat.nix 2024-07-01 18:40:29 +01:00
1459444d6c Update roles/home/aichat.nix 2024-07-01 18:34:08 +01:00
180556cf45 Update roles/home/aichat.nix 2024-07-01 18:30:11 +01:00
866a5de2b8 Update roles/home/aichat.nix 2024-07-01 18:26:31 +01:00
047c36f1ca Update roles/home/aichat.nix 2024-07-01 18:20:31 +01:00
fe6d156580 Update roles/home/aichat.nix 2024-07-01 18:19:40 +01:00
e3013a77b7 Update roles/home/aichat.nix 2024-07-01 18:18:39 +01:00
Giulio De Pasquale
42f12f6714 fix(flake): revert to master nixpkgs for unstable 2024-06-30 17:45:54 +01:00
Giulio De Pasquale
26eaa20559 fix(helix): add missing language server for Python development
- Added `pyright` to the list of language servers in the Helix configuration
2024-06-30 17:45:40 +01:00
Giulio De Pasquale
63bf91a95a fix(sunshine): error out on scripts 2024-06-30 17:44:43 +01:00
Giulio De Pasquale
e231bb701a fix(libreddit): configure service with default settings and use unstable redlib package 2024-06-30 17:44:30 +01:00
c756fc15b2 Update roles/home/aichat.nix 2024-06-07 13:22:22 +01:00
e109349112 Update roles/home/aichat.nix 2024-06-07 11:58:32 +01:00
89cc2be685 Update roles/home/aichat.nix 2024-06-07 11:58:18 +01:00
771c2c0e65 Update roles/home/aichat.nix 2024-06-07 10:04:16 +01:00
6a4c95010c Update roles/home/helix.nix 2024-06-05 15:23:58 +01:00
f8ce135e8e Update roles/home/helix.nix 2024-06-05 15:22:01 +01:00
c002fadb44 Update roles/home/helix.nix 2024-06-05 15:21:14 +01:00
e5b806cdde Update roles/home/helix.nix 2024-06-05 15:18:35 +01:00
9977b89d90 Update roles/home/helix.nix 2024-06-05 15:14:35 +01:00
ac7315ff59 Update roles/home/helix.nix 2024-06-05 13:37:51 +01:00
50156120cd Update roles/home/helix.nix 2024-06-05 11:48:21 +01:00
Giulio De Pasquale
b960883c00 Flake bump 2024-06-04 22:55:30 +01:00
Giulio De Pasquale
e5703ed0c2 feat(aichat): update AIChat configuration and add new roles
- Renamed `aichatConfigDir` to `configDir`
- Updated the content of `config.yaml` with new models and types, increased maximum tokens for some models, and removed unnecessary configurations
- Added `roles.yaml` file with new roles for generating commit messages and pull request descriptions based on git diffs and commit messages
2024-06-04 22:52:51 +01:00
Giulio De Pasquale
d76ccbe564 feat(ollama): configure environment variables for ollama service
- Updated `services.ollama` to include `environmentVariables` object
- Configured `OLLAMA_ORIGINS`, `OLLAMA_FLASH_ATTENTION`, and `OLLAMA_NUM_PARALLEL` variables
- Changed the value of `OLLAMA_NUM_PARALLEL` to "2" from "3"
2024-06-04 22:50:49 +01:00
Giulio De Pasquale
f8a716f8ba Use aichat flake 2024-06-02 01:39:58 +01:00
Giulio De Pasquale
e06abe1474 Bump to 24.05 2024-06-01 11:41:26 +01:00
Giulio De Pasquale
2bad3c7b70 fix(helix): fixed golangci-lint-langserver config 2024-05-28 13:00:05 +01:00
Giulio De Pasquale
537107283a helix: added init commands for golangci-lint-langserver 2024-05-28 12:48:24 +01:00
Giulio De Pasquale
22856c31a4 helix: added golangci-lint-langserver in addition to gopls as langserver for go 2024-05-28 12:11:54 +01:00
Giulio De Pasquale
e0379b40d9 user: added aichat to HMuser 2024-05-27 14:24:24 +01:00
Giulio De Pasquale
714b23b902 lib/user: added aichat by default 2024-05-27 13:39:39 +01:00
Giulio De Pasquale
8a5ab606e6 helix: removed aichat part and general cleanup 2024-05-27 13:39:25 +01:00
Giulio De Pasquale
86689e4bc6 ollama: removed commented-out docker 2024-05-27 13:39:06 +01:00
Giulio De Pasquale
a889960107 added separate aichat role 2024-05-27 13:38:59 +01:00
Giulio De Pasquale
3e2e530d49 llm: re-use ollama upstream 2024-05-23 23:45:48 +01:00
Giulio De Pasquale
854f818f23 Updated lock 2024-05-23 23:45:35 +01:00
Giulio De Pasquale
404a53135c ollama: use docker 2024-05-14 17:09:45 +01:00
Giulio De Pasquale
8ab9cd67f7 flake bump 2024-05-14 17:09:24 +01:00
Giulio De Pasquale
689f339225 Deleted sunshine-ui.patch 2024-05-14 17:06:51 +01:00
Giulio De Pasquale
d73befc2ee sunshine: use upstream 2024-05-14 17:06:11 +01:00
Giulio De Pasquale
8795b45fb1 aichat: added more providers 2024-04-30 12:00:47 +01:00
Giulio De Pasquale
5c7e9b67b5 helix: add aichat to env 2024-04-28 01:29:55 +01:00
Giulio De Pasquale
6a4c92334f llm: fixed webui ollama uri 2024-04-28 01:29:48 +01:00
Giulio De Pasquale
97f38fd16e helix: remove ai role 2024-04-24 16:07:06 +01:00
Giulio De Pasquale
6eefd2410f flake update 2024-04-24 16:05:05 +01:00
Giulio De Pasquale
68d094f29b helix: added pino models 2024-04-24 16:01:04 +01:00
Giulio De Pasquale
d5abd4efa8 nginx: ignore proxy settings to allow streaming ollama 2024-04-17 17:02:22 +01:00
Giulio De Pasquale
45fe5111d2 navidrome: open to WAN 2024-04-17 17:01:59 +01:00
Giulio De Pasquale
0e82ac644b llm: remove unused config arg 2024-04-17 17:01:45 +01:00
Giulio De Pasquale
fb3fda66eb flake update 2024-04-11 14:21:12 +01:00
Giulio De Pasquale
1d5a05271c helix: add aichat 2024-04-11 14:19:47 +01:00
Giulio De Pasquale
8eafc911fe helix: add aichat 2024-04-11 12:55:08 +01:00
Giulio De Pasquale
fe22704b14 helix: add aichat 2024-04-11 12:32:58 +01:00
Giulio De Pasquale
57f5b0a4e2 ollama: fix proxying 2024-04-02 22:56:17 +01:00
Giulio De Pasquale
ed70646087 sunshine: fixed resolution script invocation, use fixed fork for framepacing 2024-04-02 16:41:15 +01:00
Giulio De Pasquale
16a70daa33 flake update 2024-04-02 13:23:59 +01:00
Giulio De Pasquale
794974dd09 sunshine: set env vars for DXVK 2024-03-27 19:04:32 +00:00
Giulio De Pasquale
567b384537 sunshine: fixed paths for nvidia tools 2024-03-15 10:44:57 +00:00
Giulio De Pasquale
6219046bbe sunshine: more modelines 2024-03-14 16:22:30 +00:00
Giulio De Pasquale
09d2d8ed52 sunshine: added 1440p modelines 2024-03-14 16:18:19 +00:00
Giulio De Pasquale
42c0b804fb sunshine: use nvidia-smi and settings from nvidia-x11 2024-03-14 15:55:37 +00:00
Giulio De Pasquale
73ed58dbdc sunshine: refactor module, reorder things around 2024-03-14 15:49:02 +00:00
Giulio De Pasquale
c1c2a75ac4 sunshine: move pkgs use in resolution script and remove them from path of systemd service 2024-03-14 15:41:14 +00:00
Giulio De Pasquale
3b0e625c1a sunshine: disable triple buffer, ignore edid freqs 2024-03-14 15:12:01 +00:00
Giulio De Pasquale
32dc2af002 ollama: use native ollama 2024-03-14 11:55:56 +00:00
Giulio De Pasquale
b785fe04aa flake update 2024-03-14 11:15:06 +00:00
Giulio De Pasquale
8768e555df navidrome: reenable beets-import and update 2024-03-14 11:07:35 +00:00
Giulio De Pasquale
5d27c4829e navidrome: use music.giugl.io 2024-03-14 11:07:18 +00:00
Giulio De Pasquale
0fb14ce253 lidarr: move to architect options 2024-03-14 11:06:51 +00:00
Giulio De Pasquale
c0ceb7729a architect: enabled navidrome, disabled lidarr 2024-03-14 11:05:57 +00:00
Giulio De Pasquale
5c81aa0ad9 architect: commented out nvidia in main 2024-03-14 11:05:41 +00:00
Giulio De Pasquale
00973bfc59 flake: add nvidia-patch flake 2024-03-13 18:38:32 +00:00
Giulio De Pasquale
04f1d5a42b sunshine: use nvfbc 2024-03-13 18:37:35 +00:00
Giulio De Pasquale
98d2e39d28 architect: remove vdpau as default libva driver 2024-03-13 13:22:39 +00:00
Giulio De Pasquale
f68a48e38b flake: use nixpkgs master for unstable 2024-03-12 18:43:48 +00:00
Giulio De Pasquale
f2875d76e0 flake: removed galuminum config 2024-03-12 18:43:21 +00:00
Giulio De Pasquale
925502ccc4 flake: added cudaSupport for config. Enable cuda on Architect 2024-03-12 18:43:00 +00:00
Giulio De Pasquale
d76b08a80d flake: simplify passing of config, remove wrapUnstablePkgs 2024-03-12 18:41:03 +00:00
Giulio De Pasquale
b7c465073e host: remove unstablePkgs dependency 2024-03-12 18:37:52 +00:00
Giulio De Pasquale
63a5b3f384 lib: formatting 2024-03-12 18:28:24 +00:00
Giulio De Pasquale
5d881826d1 sunshine: something something 2024-03-12 17:34:58 +00:00
Giulio De Pasquale
23e5723ccb sunshine: disable vsync at start 2024-02-26 16:05:09 +00:00
Giulio De Pasquale
fa5d2bcc76 helix: switch to pyright and ruff-lsp 2024-02-21 15:13:20 +00:00
Giulio De Pasquale
2bd240a4e1 flake update 2024-02-21 11:43:26 +00:00
Giulio De Pasquale
60534b7b05 architect: add modelines and resolution switching script to sunshine 2024-02-21 11:34:27 +00:00
Giulio De Pasquale
9b21c7d2ef architect: use docker ollama 2024-02-21 11:33:54 +00:00
Giulio De Pasquale
31a41642bb architect: set port 1194 for headscale 2024-02-21 11:33:08 +00:00
Giulio De Pasquale
3b9da24177 architect: update hardware mounts after nvme switch 2024-02-21 11:32:42 +00:00
Giulio De Pasquale
ab02bf1d41 architect: add nvidia support for docker 2024-02-21 11:31:57 +00:00
Giulio De Pasquale
ef949684f0 architect: disabled services, updated network interface after hw change 2024-02-21 11:30:59 +00:00
Giulio De Pasquale
02c0984a3f dns: do not overlap with avahi (sunshine). switch to port 5354 for dnscrypt-proxy2 2024-02-19 00:54:28 +00:00
Giulio De Pasquale
a004535b0b sunshine: added service 2024-02-19 00:53:51 +00:00
Giulio De Pasquale
376819301d common: added poetry 2024-02-07 22:13:37 +00:00
Giulio De Pasquale
7cf37954ef headscale: use architect options 2024-01-31 00:33:56 +01:00
Giulio De Pasquale
946e185c99 prowlarr: use unstable pkg 2024-01-31 00:23:11 +01:00
Giulio De Pasquale
64e4f375a9 nginx: do not use openTCPVPN 2024-01-31 00:22:55 +01:00
Giulio De Pasquale
8c0a902945 options: cleanup, move dns into dns 2024-01-31 00:22:24 +01:00
Giulio De Pasquale
8ce5e14da2 radarr: use unstable pkg 2024-01-31 00:21:07 +01:00
Giulio De Pasquale
76c5783fe8 sonarr: use unstable pkg 2024-01-31 00:20:47 +01:00
Giulio De Pasquale
ffe2289c0d tailscale: update hosts 2024-01-31 00:20:27 +01:00
Giulio De Pasquale
aa12bece7f dns: use coredns for https records 2024-01-31 00:20:07 +01:00
Giulio De Pasquale
ba39859e01 helix: added gopls 2024-01-09 17:33:23 +01:00
Giulio De Pasquale
3519e92d05 flake: update lock 2024-01-09 14:59:33 +01:00
Giulio De Pasquale
a30d0f2e68 llm: fixed upstream image for big-agi. use ollama with GPU support 2024-01-09 14:59:25 +01:00
Giulio De Pasquale
8436e03e88 flake: update lock 2023-12-21 16:12:43 +01:00
Giulio De Pasquale
4e63ebed38 helix: added shfmt 2023-12-21 16:11:01 +01:00
Giulio De Pasquale
66aa5ee5e2 helix: added bash LSP and shellcheck 2023-12-21 16:09:55 +01:00
Giulio De Pasquale
ad0a767caf helix: group node packages under nodePackages 2023-12-21 16:09:11 +01:00
Giulio De Pasquale
f14ddf7f5a flake: update lock 2023-12-19 00:38:14 +01:00
Giulio De Pasquale
babcf42051 flake: remove openssl 1.1.1 from permitted insecure packages 2023-12-19 00:38:08 +01:00
Giulio De Pasquale
d41f6a3410 architect: enabled photoprism 2023-12-19 00:37:17 +01:00
Giulio De Pasquale
685cf7cde9 prowlarr: allow tailscale 2023-12-19 00:36:58 +01:00
Giulio De Pasquale
b0ff55ef36 photoprism: use unstable pkg 2023-12-19 00:36:45 +01:00
Giulio De Pasquale
d40e192dd1 nzbget: allow tailscale 2023-12-19 00:36:26 +01:00
Giulio De Pasquale
c729cde5db nextcloud: bump to 28 2023-12-19 00:36:05 +01:00
Giulio De Pasquale
fca7f8878a flake: update lock 2023-12-09 20:08:39 +01:00
Giulio De Pasquale
ad1e1ff6c8 matrix: removed OIDC auth 2023-12-09 20:07:42 +01:00
Giulio De Pasquale
2bb530b378 Bump to 23.11 2023-12-02 18:41:15 +01:00
Giulio De Pasquale
bb026f9a6d architect: disabled a few unused services 2023-12-02 18:41:08 +01:00
Giulio De Pasquale
660307a862 zsh: add homebrew path on macos 2023-11-29 21:20:20 +01:00
Giulio De Pasquale
989152c7bc flake: update lock 2023-11-21 13:32:59 +01:00
Giulio De Pasquale
304231cabc sonarr: allow Tailscale net 2023-11-21 13:32:07 +01:00
Giulio De Pasquale
a445dc1250 common: pipenv, python3, htop, glances and tree 2023-11-21 13:31:43 +01:00
Giulio De Pasquale
6c6806f5ee helix: yaml and typescript LSP 2023-11-21 13:31:15 +01:00
Giulio De Pasquale
353cc6cc31 helix: use ruff 2023-11-21 13:30:43 +01:00
Giulio De Pasquale
5e6f60b8d5 flake: lock update 2023-11-17 13:18:41 +01:00
Giulio De Pasquale
3eee95dbba plex: allow LAN and Tailscale traffic 2023-11-17 13:18:22 +01:00
Giulio De Pasquale
dd7189cca0 libreddit: allow WAN traffic 2023-11-16 17:42:55 +01:00
Giulio De Pasquale
a427ea4272 ssh: include config.d for custom configs 2023-11-16 13:37:43 +01:00
Giulio De Pasquale
190bff3ac0 helix: remove completion-replace 2023-11-16 13:32:40 +01:00
Giulio De Pasquale
e715a7bf3c gitea: allow WAN traffic 2023-11-16 13:28:06 +01:00
Giulio De Pasquale
5eb5613d71 invidious: allow WAN 2023-11-16 13:27:33 +01:00
Giulio De Pasquale
cb3fe8f147 architect: enabled LLM 2023-11-16 13:26:06 +01:00
Giulio De Pasquale
b2cf092f78 architect: added LLM module 2023-11-16 13:25:58 +01:00
Giulio De Pasquale
0da9f7ab9d architect: add allowWAN option, correctly blocking WAN traffic 2023-11-16 13:25:43 +01:00
Giulio De Pasquale
03939c0061 architect: re-enable searxng 2023-10-29 16:16:08 +01:00
Giulio De Pasquale
269e736f47 sonarr: changed port to 8989 2023-10-21 15:12:01 +02:00
Giulio De Pasquale
a66b5edf78 flake: update lock 2023-10-21 15:01:06 +02:00
Giulio De Pasquale
5d93c40c8f architect: removed wireguard 2023-10-21 15:00:58 +02:00
Giulio De Pasquale
08d5181da8 helix: added autoflake 2023-10-02 22:16:44 +02:00
Giulio De Pasquale
4bab1438d1 flake: lock update 2023-10-02 22:16:33 +02:00
Giulio De Pasquale
9b309a53de helix: added additional python pkgs 2023-10-01 02:32:30 +02:00
Giulio De Pasquale
ea85596695 flake: lock update 2023-10-01 02:32:00 +02:00
Giulio De Pasquale
799ff54f1f zsh: remove autosuggestions 2023-09-26 21:17:56 +02:00
Giulio De Pasquale
9c16feab68 flake: lock update 2023-09-25 19:02:32 +02:00
Giulio De Pasquale
c2f774cdb4 shell: use zsh 2023-09-23 19:33:18 +02:00
Giulio De Pasquale
a9060b0047 shell: make fish default in lib.user 2023-09-22 00:56:09 +02:00
Giulio De Pasquale
0008e1bc15 shell: add fzf to fish 2023-09-22 00:51:26 +02:00
Giulio De Pasquale
e40f70d16d shell: switch to fish 2023-09-22 00:41:57 +02:00
Giulio De Pasquale
3b6fae08e4 shell: switch to fish 2023-09-22 00:41:53 +02:00
Giulio De Pasquale
2772acee39 flake: lock update 2023-09-20 20:51:53 +02:00
Giulio De Pasquale
a1b0b31011 ssh: added UCSB reynolds 2023-09-12 21:09:13 +02:00
Giulio De Pasquale
b4e080f4a7 flake: lock update 2023-09-08 20:40:08 +02:00
Giulio De Pasquale
d4ffe96b2e invidious: add hmac_key config value 2023-09-08 20:30:44 +02:00
Giulio De Pasquale
fac3081a3e helix: replace entire word on autocompletion, modified statusbar 2023-09-08 20:28:45 +02:00
Giulio De Pasquale
0b1f3ba8e3 matrix: enable password login 2023-09-04 01:35:00 +02:00
Giulio De Pasquale
157763d3d5 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2023-08-24 20:21:58 +02:00
Giulio De Pasquale
e810fada6c Flake lock update 2023-08-24 04:04:10 +02:00
78683f3cdf Source nix_daemon to avoid macOS breakages 2023-08-14 14:08:11 +02:00
Giulio De Pasquale
a680860b94 Flake lock update 2023-07-25 20:27:08 +02:00
Giulio De Pasquale
a7c894b3c0 headscale: add binary to path 2023-07-07 02:16:40 +02:00
Giulio De Pasquale
581397ef92 dns: re-enable dnscrypt-proxy 2023-06-27 05:15:39 +02:00
Giulio De Pasquale
6b9a066fed Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2023-06-26 23:24:49 +02:00
Giulio De Pasquale
e0a3df6a39 nextcloud: push to 27 2023-06-26 23:24:04 +02:00
Giulio De Pasquale
bb658291e3 architect: disable jellyfin, enable plex 2023-06-26 23:20:34 +02:00
Giulio De Pasquale
0893feb26d options: added path to nginx server service 2023-06-26 21:00:40 +02:00
Giulio De Pasquale
8de07dad91 Flake lock 2023-06-26 21:00:08 +02:00
Giulio De Pasquale
2a04e3d41c helix: remove souffle 2023-06-26 20:50:33 +02:00
Giulio De Pasquale
559d02720b plex: port to new options 2023-06-26 20:49:52 +02:00
Giulio De Pasquale
b95096efcb helix: removed souffle grammar and syntax hl 2023-06-15 13:20:33 -07:00
Giulio De Pasquale
8cde2f28fb Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2023-06-12 20:24:25 +02:00
Giulio De Pasquale
a263496047 zsh: enable autosuggestions, added dotDir 2023-06-11 01:31:02 +02:00
Giulio De Pasquale
29cf6fece7 nextcloud: fixed mariadb 10.11. add nodejs, ffmpeg and libtensorflow in system packages for recognize, the plugin 2023-06-11 01:30:34 +02:00
Giulio De Pasquale
44e991b35f Update lock 2023-06-10 03:47:31 +02:00
Giulio De Pasquale
4a9c3cf246 deluge: port to vhost 2023-06-10 03:15:26 +02:00
Giulio De Pasquale
c805cc3dcb Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2023-06-06 13:33:06 -07:00
Giulio De Pasquale
184bc63164 ssh: Update config 2023-06-06 13:32:55 -07:00
Giulio De Pasquale
127bcfa2f5 Update lock 2023-06-06 22:32:15 +02:00
Giulio De Pasquale
cba8f451d6 librephotos: add module 2023-06-06 22:32:02 +02:00
Giulio De Pasquale
1304289db6 navidrome: commented out scripts. ported to vhost 2023-06-05 05:00:55 +02:00
Giulio De Pasquale
b95afdd471 libreddit: vhost 2023-06-05 04:54:30 +02:00
Giulio De Pasquale
cd6c3e75ed invidious: vhost 2023-06-05 04:50:44 +02:00
Giulio De Pasquale
7f2c129ea9 vhost: added host 2023-06-05 04:44:33 +02:00
Giulio De Pasquale
6389d1950a nextcloud: switched to mariadb. increased max upload size to 50GB 2023-06-05 04:43:42 +02:00
Giulio De Pasquale
842b3f0ac7 firewall: give docker more freedom 2023-06-05 04:43:07 +02:00
Giulio De Pasquale
2c387448ba gitea: vhost 2023-06-05 04:41:10 +02:00
Giulio De Pasquale
1df031965a photoprism: use vhost 2023-06-05 03:22:41 +02:00
Giulio De Pasquale
6d72359353 gitea: reenable gitea 2023-06-05 03:16:19 +02:00
Giulio De Pasquale
d1d0793e2c photoprism: use vhost 2023-06-05 03:15:23 +02:00
Giulio De Pasquale
d423200c59 bazarr: add lan to dnsinterface 2023-06-05 03:12:59 +02:00
Giulio De Pasquale
0698f9b8db nzbget: vhost 2023-06-05 03:12:34 +02:00
Giulio De Pasquale
edf4ba07ee nginx: switch to nginx as package 2023-06-05 03:12:09 +02:00
Giulio De Pasquale
f2e33628c0 jellyfin: vhost 2023-06-05 03:11:46 +02:00
Giulio De Pasquale
2f43745162 Move to vhost 2023-06-05 03:10:13 +02:00
Giulio De Pasquale
b378975769 sonarr: port to vhost 2023-06-05 03:02:26 +02:00
Giulio De Pasquale
65ba588d8e vhost: added attributes 2023-06-05 03:02:02 +02:00
Giulio De Pasquale
9aeacafbb2 docker: use docker as default backend for containers. disable iptables 2023-06-05 03:01:37 +02:00
Giulio De Pasquale
17d2e10345 bazarr: use vhost 2023-06-05 00:50:31 +02:00
Giulio De Pasquale
da1b08c44a radarr: use vhost 2023-06-05 00:46:39 +02:00
Giulio De Pasquale
acb47f5a73 dns: moved config to vhost 2023-06-05 00:30:07 +02:00
Giulio De Pasquale
78fc53024f options: added vhost attributes 2023-06-05 00:29:43 +02:00
Giulio De Pasquale
3bc816b665 gitea: move LFS setting into gitea.lfs 2023-06-03 01:46:08 +02:00
Giulio De Pasquale
708687d258 Update lock 2023-06-01 21:09:36 +02:00
Giulio De Pasquale
0747c0ebf4 openssl: Ignore 1.1.1u being vulnerable along with 1.1.1t 2023-06-01 21:09:30 +02:00
Giulio De Pasquale
6cb4fa08d2 Add nix-index and command-not-found 2023-06-01 21:09:04 +02:00
Giulio De Pasquale
2c906d715e architect: Disable gitea 2023-06-01 21:08:42 +02:00
Giulio De Pasquale
fef4b471f0 minio: Use legacy package 2023-06-01 21:08:28 +02:00
Giulio De Pasquale
f7609a7ee6 lots of stuff 2023-05-28 22:45:49 +02:00
Giulio De Pasquale
9f819d1357 helix: remove swiProlog 2023-05-28 07:21:31 +02:00
Giulio De Pasquale
b479c748e0 flake: allow openssl1.1.1t 2023-05-28 07:21:04 +02:00
Giulio De Pasquale
ef96a959f6 acme: change default email 2023-05-28 07:14:48 +02:00
Giulio De Pasquale
229e92222e architect: switch to nextdns 2023-05-28 06:22:56 +02:00
Giulio De Pasquale
08c898ed46 Initial move to 23.05 2023-05-28 00:16:46 +02:00
Giulio De Pasquale
84df2e348d architect: removed network.nix 2023-05-15 19:51:50 +02:00
Giulio De Pasquale
4dde4f68d8 Update lock 2023-05-15 19:50:51 +02:00
Giulio De Pasquale
aa9d2a5e03 tailscale: remove openUDP (moved to headscale) 2023-05-13 14:11:07 +02:00
Giulio De Pasquale
6d51a10659 headscale: DO NOT bind vipienne.giugl.io to avoid in-vpn lock 2023-05-13 14:10:40 +02:00
Giulio De Pasquale
ccd57040df tailscale: use unstable pkg 2023-05-13 00:54:24 +02:00
Giulio De Pasquale
4eca8e4bb5 plex: disabled 2023-05-13 00:53:17 +02:00
Giulio De Pasquale
3840386d32 dns: do not expand hosts 2023-05-13 00:53:03 +02:00
Giulio De Pasquale
9bf85c00cf architect: services use new networking attrset 2023-05-12 23:05:10 +02:00
Giulio De Pasquale
7c00b8bf0b wireguard: remove devices 2023-05-12 14:34:49 +02:00
Giulio De Pasquale
39c2fe2c6b Update lock 2023-05-12 14:31:04 +02:00
Giulio De Pasquale
ac5176e731 docker: port to networking attrset 2023-05-12 14:29:17 +02:00
Giulio De Pasquale
e5aab58be7 architect: port firewall to networking attrset 2023-05-12 14:28:58 +02:00
Giulio De Pasquale
1e19a08665 tailscale: Use networking attrset 2023-05-12 14:28:39 +02:00
Giulio De Pasquale
3a4d4e9c4f architect: Use networking options 2023-05-12 13:48:45 +02:00
Giulio De Pasquale
65c76f5a6a architect: Moved tailscale config to new network attribute set 2023-05-12 12:50:20 +02:00
Giulio De Pasquale
26a07a20e5 architect: Moved wireguard config to new network attribute set 2023-05-12 12:32:48 +02:00
Giulio De Pasquale
ce8efa3371 architect: Added architect.networks option attribute set 2023-05-12 12:32:29 +02:00
Giulio De Pasquale
dc9dfd66ed Revert "dnsmasq: domain -> local"
This reverts commit 098e0a6147.
2023-05-06 15:04:31 +02:00
Giulio De Pasquale
b644b9d684 headscale: init 2023-05-06 15:04:25 +02:00
Giulio De Pasquale
098e0a6147 dnsmasq: domain -> local 2023-05-06 15:03:20 +02:00
Giulio De Pasquale
d3255fdb47 Update lock 2023-05-01 06:32:55 +02:00
Giulio De Pasquale
4557b3ad27 dns: added search domains 2023-05-01 06:31:48 +02:00
Giulio De Pasquale
e439068b1d architect: enable plex 2023-05-01 06:05:25 +02:00
Giulio De Pasquale
77699945b5 architect: disable unused services 2023-05-01 06:05:06 +02:00
Giulio De Pasquale
f1f52b0154 nextcloud: push to v26 2023-05-01 05:51:06 +02:00
Giulio De Pasquale
6bdaacbc08 plex: update module 2023-05-01 05:50:42 +02:00
Giulio De Pasquale
aa55bb115c Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2023-04-19 05:57:28 +02:00
Giulio De Pasquale
6297268c8a Update lock 2023-04-19 05:57:21 +02:00
Giulio De Pasquale
d19048f2a3 helix: Added souffle support 2023-04-18 20:56:38 -07:00
Giulio De Pasquale
2893674f45 zsh: Added any-nix-shell. Removed bashrc handling 2023-04-10 20:17:08 +02:00
Giulio De Pasquale
3eea13b718 flake: Update lock 2023-04-10 20:16:37 +02:00
Giulio De Pasquale
ac52491299 matrix: Removed webUI. Cleaned up module. 2023-04-10 19:34:46 +02:00
Giulio De Pasquale
705c254da2 Lock update 2023-03-29 20:00:52 +02:00
Giulio De Pasquale
99a634cef3 go: Use correct attribute to set GOPATH 2023-03-29 19:59:57 +02:00
Giulio De Pasquale
811aa664a0 architect: Delete lezzo module 2023-03-28 18:08:46 +02:00
Giulio De Pasquale
1bb71f7466 architect: Enable c2c for Francesco 2023-03-28 18:07:53 +02:00
Giulio De Pasquale
b57c039f70 architect: Disable lezzo 2023-03-28 18:07:14 +02:00
Giulio De Pasquale
4bafb2fda8 zsh: Do not source bashrc when writing bashrc 2023-03-27 18:03:14 +02:00
Giulio De Pasquale
96fb40da39 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2023-03-27 17:49:33 +02:00
Giulio De Pasquale
48be921be6 Update lock 2023-03-27 17:49:17 +02:00
Giulio De Pasquale
6b0e3567be zsh: Remove _nr function 2023-03-27 17:48:21 +02:00
Giulio De Pasquale
6e60fa98b2 common: Add ydiff to packages 2023-03-25 14:23:23 -07:00
Giulio De Pasquale
2b287cfbbf common: Fixed pastebinit being passed as a list 2023-03-25 18:24:53 +01:00
Giulio De Pasquale
a3a7252552 Update lock 2023-03-22 18:31:20 +01:00
Giulio De Pasquale
00f7d7506e architect: Disable lidarr 2023-03-22 17:07:03 +01:00
Giulio De Pasquale
1864b729a6 searx: Disable several search engines enabled by default 2023-03-22 16:30:49 +01:00
Giulio De Pasquale
85f4ea2314 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2023-03-21 16:35:29 +01:00
Giulio De Pasquale
469d13372e architect: Added additional FraMecca devices 2023-03-21 16:35:13 +01:00
Giulio De Pasquale
fcfded4893 common: pastebinit optional on Darwin 2023-03-19 12:23:48 -07:00
73f5f403f7 common: Add ripgrep and pastebinit to default packages 2023-03-19 18:31:32 +01:00
Giulio De Pasquale
54c46cee32 architect: Re-enable docker 2023-03-18 17:48:05 +01:00
Giulio De Pasquale
438e66dd51 Update lock 2023-03-18 17:47:56 +01:00
Giulio De Pasquale
9dadddd37c Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2023-03-16 16:39:17 +01:00
Giulio De Pasquale
f5ada69bf9 Update lock 2023-03-16 16:39:09 +01:00
Giulio De Pasquale
19e317cc5e architect: Disable calibre and docker 2023-03-16 16:38:58 +01:00
Giulio De Pasquale
256a07ba71 Update lock 2023-03-15 00:54:58 +01:00
Giulio De Pasquale
40921b860a flake: Add Go to X64NoSSH 2023-03-03 10:04:12 -08:00
Giulio De Pasquale
e645c632cf flake: Add Go to X64 2023-03-03 10:03:26 -08:00
Giulio De Pasquale
b41bb668e6 home.go: Added go role 2023-03-03 09:43:59 -08:00
Giulio De Pasquale
08a2c3c493 nginx: Remove TLS version limitation 2023-02-27 21:26:36 +01:00
Giulio De Pasquale
7c195babbb nginx: Fix SSL handshake errors 2023-02-27 21:18:13 +01:00
Giulio De Pasquale
7144947b5d jellyfin: Remove module, override StateDirectory and follow upstream 2023-02-27 20:01:01 +01:00
Giulio De Pasquale
ca0179e662 searx: Dark theme as default 2023-02-24 22:30:26 +01:00
Giulio De Pasquale
c6e5b04fff Update lock 2023-02-24 22:22:52 +01:00
Giulio De Pasquale
2b854f5fa3 architect: Re-enable searxng 2023-02-24 22:22:42 +01:00
Giulio De Pasquale
b9dfa67309 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2023-02-21 01:29:05 +01:00
Giulio De Pasquale
b9060ba7c2 prosody: Opened c2s and s2s ports. Cleaned up config 2023-02-21 01:28:58 +01:00
Giulio De Pasquale
83c741a107 nginx: Force TLS 1.3 2023-02-21 01:28:13 +01:00
Giulio De Pasquale
e935efbc9d zsh: Write .bash_profile if not a NixOS host 2023-02-20 10:14:49 -08:00
Giulio De Pasquale
d13bf9e990 lib: Sugar syntax 2023-02-19 07:02:55 +01:00
Giulio De Pasquale
662f02aae2 lib: Removed nix registry handling (wrt nixpkgs and nixos-unstable) 2023-02-19 07:02:00 +01:00
Giulio De Pasquale
cc9aa1e3a9 architect: Removed scripts 2023-02-19 06:36:20 +01:00
Giulio De Pasquale
1e0a70db62 architect: Removed unused modules 2023-02-19 06:35:36 +01:00
Giulio De Pasquale
f924307e64 backup: Postponed backups 2023-02-19 06:31:24 +01:00
Giulio De Pasquale
9adb3e051f flake: Added description to basicShell template 2023-02-19 06:26:38 +01:00
Giulio De Pasquale
b82e97466a Followed NixOS wiki to set ZSH as default shell 2023-02-19 06:08:51 +01:00
Giulio De Pasquale
6d974d7d96 Revert "flake: Some functions are anonymous now"
This reverts commit b616b33c2f.
2023-02-19 06:02:59 +01:00
Giulio De Pasquale
88583bcb82 Revert "Added this flake to hosts registry in mkHost"
This reverts commit 1ff83d84c7.
2023-02-19 06:01:34 +01:00
Giulio De Pasquale
7c3f8c55f9 Revert "Revert "flake: Some functions are anonymous now""
This reverts commit 2082c5e16e.
2023-02-19 05:58:00 +01:00
Giulio De Pasquale
2082c5e16e Revert "flake: Some functions are anonymous now"
This reverts commit b616b33c2f.
2023-02-19 05:57:46 +01:00
Giulio De Pasquale
b616b33c2f flake: Some functions are anonymous now 2023-02-19 05:40:52 +01:00
Giulio De Pasquale
d06cf1298b Removed unused role 2023-02-19 03:02:48 +01:00
Giulio De Pasquale
5b962cde64 Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2023-02-19 02:47:51 +01:00
Giulio De Pasquale
1ff83d84c7 Added this flake to hosts registry in mkHost 2023-02-19 02:47:42 +01:00
Giulio De Pasquale
b44084028f flake: Added description to basicShell template 2023-02-19 02:41:37 +01:00
Giulio De Pasquale
4b8e9bc93d Revert "zsh: Write .bash_profile to set zsh as default"
This reverts commit f4d67b9af7.
2023-02-18 17:25:31 -08:00
Giulio De Pasquale
da79b76e8d Merge branch 'master' of ssh://git.giugl.io/peperunas/nixos 2023-02-18 17:21:27 -08:00
Giulio De Pasquale
f4d67b9af7 zsh: Write .bash_profile to set zsh as default 2023-02-18 11:50:40 -08:00
Giulio De Pasquale
9827b88f34 templates: basicShell inherits packages and not buildInputs. Default package is hello 2023-02-18 20:30:40 +01:00
Giulio De Pasquale
aa6dd43783 flake: Added basicShell template 2023-02-17 09:04:32 -08:00
Giulio De Pasquale
483a3d6d65 flake: Added basicShell template 2023-02-17 09:02:16 -08:00
8cac8dc915 Thank you ChatGPT 2023-02-17 17:54:57 +01:00
Giulio De Pasquale
c3d56f0f90 helix: Added black python formatter 2023-02-15 12:49:01 -08:00
Giulio De Pasquale
69903f42d7 flake: Added giulioX64NoSSH config 2023-02-15 12:38:50 -08:00
Giulio De Pasquale
05eea814ef acme: Make module a function 2023-02-15 06:06:10 +01:00
Giulio De Pasquale
e8dd1ca4d4 roles.common: Cleanup, removed variables argument 2023-02-15 06:05:48 +01:00
Giulio De Pasquale
e542886345 network: changed name for manduria router to router-manduria 2023-02-15 06:02:34 +01:00
Giulio De Pasquale
9b046959d0 Lock update 2023-02-15 00:53:42 +01:00
Giulio De Pasquale
743691255a architect: Removed dodino from wireguard 2023-02-15 00:49:21 +01:00
Giulio De Pasquale
650db37686 Removed old and unused VPN configs. Cleanup of firewall rules. Removed Giulio devices from WG 2023-02-15 00:30:26 +01:00
Giulio De Pasquale
3321ec122a architect: Refactored firewall settings. Added architect.firewall option 2023-02-15 00:19:52 +01:00
Giulio De Pasquale
47d937e12d helix: Fixed typo 2023-02-14 22:35:01 +01:00
Giulio De Pasquale
f5668462eb Renamed unstable to unstablePkgs to avoid confusion with nixos-unstable flake 2023-02-14 21:30:37 +01:00
Giulio De Pasquale
be0755bcfe lib.user: Removed unused argument 2023-02-14 21:21:07 +01:00
Giulio De Pasquale
fb74112c15 lib.host: Minor cleanup and formatting 2023-02-14 21:20:01 +01:00
Giulio De Pasquale
51d961484e lib/ cleanup, introduced utils to reduce code duplication 2023-02-14 21:14:30 +01:00
Giulio De Pasquale
be0a1be47d architect: Module cleanup 2023-02-14 18:15:12 +01:00
Giulio De Pasquale
0fec9adf7c architect: Module cleanup 2023-02-14 18:14:06 +01:00
Giulio De Pasquale
4cc4067510 git: Modified email 2023-02-14 17:35:40 +01:00
Giulio De Pasquale
1c8c86bfa3 lib.host: Use callPackage when calling roles 2023-02-14 17:30:31 +01:00
Giulio De Pasquale
9e67978f6e flake: Inherit scope utilities in wrapUtils 2023-02-14 17:20:55 +01:00
Giulio De Pasquale
608fd46eb4 Formatting 2023-02-11 03:29:48 +01:00
Giulio De Pasquale
a015dc2a89 Removed wireguard devices, cleanup of network names 2023-02-11 03:28:35 +01:00
Giulio De Pasquale
1990ed8a65 Revert "jellyfin: Cleanup derivation"
This reverts commit 554e5651a7.
2023-02-11 03:26:30 +01:00
Giulio De Pasquale
554e5651a7 jellyfin: Cleanup derivation 2023-02-11 03:18:52 +01:00
Giulio De Pasquale
b341bee052 architect: Enable SearxNG 2023-02-11 03:16:28 +01:00
Giulio De Pasquale
40d0b5f55c searx: Add service. WIP: use git version 2023-02-11 03:15:49 +01:00
Giulio De Pasquale
7dc674f24f flake: Removed lib/default.nix. Use callPackage to clean up use of lib utilities 2023-02-11 03:09:42 +01:00
Giulio De Pasquale
c3c61f0248 flake: formatting 2023-02-11 02:32:17 +01:00
Giulio De Pasquale
0d3b2888fe helix: Add nixpkgs-fmt as formatter 2023-02-11 02:23:24 +01:00
Giulio De Pasquale
1913b60db3 flake: Refactored architectures names. Added wrapUtil function to reduce code dup 2023-02-10 23:29:44 +01:00
Giulio De Pasquale
99cf228d80 wireguard: Removed unused if. Renamed personal devices 2023-02-08 08:42:33 +01:00
Giulio De Pasquale
dc8aa8406f tailscale: Added additional DNS entries 2023-02-08 08:41:59 +01:00
Giulio De Pasquale
b191ea3f42 network: Added IPs of some tailscale devices 2023-02-08 08:41:21 +01:00
Giulio De Pasquale
394d0d6b48 firewall: Accept all incoming connections from tailscale 2023-02-08 08:40:58 +01:00
Giulio De Pasquale
9aea844ccb ssh: Added ucsb-workstation 2023-02-07 14:08:42 -08:00
Giulio De Pasquale
389162518f helix: Add swiProlog 2023-02-07 14:08:30 -08:00
902bf56a03 flake: Added giulioX64 homeConfiguration 2023-02-07 21:49:10 +01:00
Giulio De Pasquale
f1e0a1cb14 flake: Fixed linux aarch architecture name 2023-02-06 14:38:00 -08:00
Giulio De Pasquale
4fc4be1b28 flake: Added Linux Aarch HM user 2023-02-06 14:34:39 -08:00
Giulio De Pasquale
d6f2b35cd5 flake: Renamed systems 2023-02-06 14:30:35 -08:00
Giulio De Pasquale
51b714c159 architect: Add manduria.devs.giugl.io name 2023-02-01 21:56:13 +01:00
Giulio De Pasquale
4414011c95 network: Added router-lan 2023-02-01 21:55:55 +01:00
Giulio De Pasquale
1881025faa architect: Add tailscale IP to hosts for every service 2023-02-01 21:55:32 +01:00
Giulio De Pasquale
d41001dfe7 Update lock 2023-02-01 21:54:20 +01:00
Giulio De Pasquale
79116ae1a7 architect: Added initial support for Tailscale 2023-01-30 09:46:20 +01:00
Giulio De Pasquale
f221f5e2b3 helix: Replace rnix-lsp with nil 2023-01-01 16:48:58 +01:00
Giulio De Pasquale
955f9ccb39 Update lock 2023-01-01 13:34:17 +01:00
Giulio De Pasquale
63b2a4aa4b minio: Allow body of 500M. Allow manduria-wg 2023-01-01 13:33:52 +01:00
Giulio De Pasquale
9fa04584cc runas.rocks: Fix branch. master -> main 2023-01-01 13:33:11 +01:00
Giulio De Pasquale
9d6474a302 runas.rocks: Pull hourly 2023-01-01 13:32:14 +01:00
Giulio De Pasquale
da8e5572b5 lezzo: Pull hourly 2023-01-01 13:31:48 +01:00
Giulio De Pasquale
d111743509 architect: Removed parisa from network config 2022-12-22 18:25:32 +01:00
Giulio De Pasquale
6a6dbb135d architect: Removed ropfuscator's cachix 2022-12-22 15:18:20 +01:00
Giulio De Pasquale
565aab853c Update lock 2022-12-22 15:13:48 +01:00
Giulio De Pasquale
2c8c26112b architect: Disable navidrome module 2022-12-22 15:13:14 +01:00
Giulio De Pasquale
0177ed496b wireguard: Add framecca 2022-12-22 15:12:57 +01:00
Giulio De Pasquale
e36ebc4322 network: Add germano and framecca to WAN 2022-12-22 15:12:24 +01:00
Giulio De Pasquale
4662a61e71 jellyfin: Whitelist gdevices 2022-12-22 15:11:49 +01:00
Giulio De Pasquale
be4584aa08 gitea: Open gitea to public 2022-12-22 15:11:23 +01:00
Giulio De Pasquale
d287b55eff Lock update 2022-12-09 15:41:45 +01:00
Giulio De Pasquale
6a5552b56e architect: Enable runas and lezzo nix modules 2022-12-09 15:39:24 +01:00
Giulio De Pasquale
c5cf59c32c nginx: Removed service skeleton as multiple domains are not needed anymore 2022-12-09 15:38:55 +01:00
Giulio De Pasquale
b64b8ae792 matrix: Remove 404 on root because runas.rocks is online 2022-12-09 15:36:52 +01:00
Giulio De Pasquale
735f1c2bae jellyfin: Add giulio pc to whitelisted devices 2022-12-09 15:36:32 +01:00
Giulio De Pasquale
449813fb5f helix: Added svelte and web langservers 2022-12-09 15:35:57 +01:00
Giulio De Pasquale
82ea0222f3 Runas and lezzo websites 2022-12-09 15:35:32 +01:00
Giulio De Pasquale
7a8bacb5df wireguard: Changed germano public key 2022-12-05 12:40:59 +01:00
Giulio De Pasquale
9036134313 Merge remote-tracking branch 'origin/nixos-21.11' 2022-12-01 14:35:47 +01:00
Giulio De Pasquale
2ca262a113 Update lock 2022-12-01 14:33:15 +01:00
Giulio De Pasquale
e360aac9e6 user: Remove stateVersion 2022-12-01 14:30:31 +01:00
Giulio De Pasquale
6a6d7640a7 host: Set stateVersion to 22.11 2022-12-01 14:30:14 +01:00
Giulio De Pasquale
68c1ee4869 Removed domains nix file 2022-12-01 14:28:32 +01:00
Giulio De Pasquale
932378b309 flake: Removed proxy host 2022-12-01 14:28:10 +01:00
Giulio De Pasquale
f759f44024 gitea: Renamed property to SSH_PORT 2022-12-01 14:27:05 +01:00
Giulio De Pasquale
76a0da7dea roles.common: autoOptimiseStore -> settings.auto-optimise-store 2022-12-01 14:23:22 +01:00
Giulio De Pasquale
b46cf0ff6d roles.home.common: set stateVersion to 22.11 2022-12-01 14:21:40 +01:00
Giulio De Pasquale
a546edc30d Lock update 2022-11-29 14:53:35 +01:00
Giulio De Pasquale
30fd214734 nginx, openid: Allow IP whitelist to bypass OpenID auth 2022-11-29 14:53:17 +01:00
Giulio De Pasquale
ae4c55fdee gitea: Enable OpenID signin 2022-11-29 13:24:48 +01:00
Giulio De Pasquale
74fd09cb16 openid: Extend access token validity to one day 2022-11-29 13:03:26 +01:00
Giulio De Pasquale
b244bfad7d openid: Revoke tokens on logout 2022-11-29 12:56:40 +01:00
Giulio De Pasquale
7ffddeca09 nginx: Add default runas.rocks virtualhost 2022-11-27 11:24:35 +01:00
Giulio De Pasquale
b93d3a33b0 Rename giulio devices, add Steam deck to Wireguard 2022-11-27 11:24:12 +01:00
Giulio De Pasquale
6568784680 matrix: Add OpenID connection and transfer to runas.rocks 2022-11-27 11:23:09 +01:00
Giulio De Pasquale
2ed81fcfe3 flake: Formatting 2022-11-22 13:05:53 +01:00
Giulio De Pasquale
ea53e09c1a flake: Use correct wrapper function for unstable packages 2022-11-22 13:02:39 +01:00
Giulio De Pasquale
7e61526538 calibre: Add OpenID auth 2022-11-22 12:59:27 +01:00
Giulio De Pasquale
75b51d24e9 firewall: Allow connections to Minecraft from WAN 2022-11-20 14:56:32 +01:00
Giulio De Pasquale
3c4caaaea5 jellyfin: Go through SSO auth 2022-11-20 14:55:59 +01:00
Giulio De Pasquale
9efea759e4 navidrome: Move beets-import script execution from daily to weekly 2022-11-15 01:12:54 +01:00
Giulio De Pasquale
1122be76bb nginx: Fix indentation 2022-11-15 01:11:39 +01:00
100 changed files with 5275 additions and 2136 deletions

15
README.md Normal file

@ -0,0 +1,15 @@
# Nix Flake README
This Nix Flake defines the NixOS configurations and Home-Manager configurations for my personal systems.
## NixOS Configurations
- `architect`
- `gAluminum`
## Home-Manager Configurations
- `giulioMac`
- `giulioAarch`
- `giulioX64`
- `giulioX64NoSSH`
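Review bot: The README lists the configuration names but says nothing about what distinguishes them or how they are applied; one line per entry would help, for instance noting that `giulioX64NoSSH` is presumably the `giulioX64` Home-Manager configuration without the SSH role, and showing the `nixos-rebuild switch --flake .#architect` and `home-manager switch --flake .#giulioX64` invocations used to activate them.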


@ -9,5 +9,5 @@ let
imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
in { in {
inherit imports; inherit imports;
nix.binaryCaches = ["https://cache.nixos.org/"]; nix.settings.substituters = ["https://cache.nixos.org/"];
} }
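Review bot: `nix.binaryCaches` to `nix.settings.substituters` is the right migration away from the deprecated option name, but the same module imports every file that `filterCaches` lets through from `folder` via `builtins.readDir`, so any file dropped into that directory silently joins the set of trusted binary caches. A comment stating that, and that each file is expected to pin its `trusted-public-keys` next to its `substituters`, would make the trust boundary explicit for reviewers.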

13
cachix/nix-community.nix Normal file

@ -0,0 +1,13 @@
{
nix = {
settings = {
substituters = [
"https://nix-community.cachix.org"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
};
};
}
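Review bot: Record where the `nix-community.cachix.org-1:...` key was copied from (the cache's own Cachix page) in a comment next to it so the pin can be re-verified later. `trusted-public-keys` is a global setting, not scoped to this substituter: a wrong or stale key here either breaks substitution from this cache or, worse, makes Nix accept store paths signed by that key from any substituter, so the provenance of the value is worth documenting.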


@ -1,11 +0,0 @@
{
nix = {
binaryCaches = [
"https://ropfuscator.cachix.org"
];
binaryCachePublicKeys = [
"ropfuscator.cachix.org-1:LZ03aJ1yqFlxpU+wfGhLlOkA3MwXqnntd2Wk7u2LnHQ="
];
};
}
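Review bot: Removing the public key together with the substituter is correct; a leftover `binaryCachePublicKeys`/`trusted-public-keys` entry for a cache that is no longer in `substituters` would still make signatures from that key acceptable to Nix. Since cachix/default.nix imports everything in this folder via `builtins.readDir`, deleting the file is sufficient and no import list needs updating; this also removes the last visible use of the legacy `nix.binaryCaches`/`nix.binaryCachePublicKeys` names in the patch.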

586
flake.lock generated

@ -1,13 +1,121 @@
{ {
"nodes": { "nodes": {
"agenix-flake": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs",
"systems": "systems"
},
"locked": {
"lastModified": 1736955230,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=",
"owner": "ryantm",
"repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"cachix": {
"inputs": {
"devenv": [
"teslamate-flake",
"devenv"
],
"flake-compat": [
"teslamate-flake",
"devenv"
],
"git-hooks": [
"teslamate-flake",
"devenv"
],
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1728672398,
"narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=",
"owner": "cachix",
"repo": "cachix",
"rev": "aac51f698309fd0f381149214b7eee213c66ef0a",
"type": "github"
},
"original": {
"owner": "cachix",
"ref": "latest",
"repo": "cachix",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix-flake",
"nixpkgs"
]
},
"locked": {
"lastModified": 1700795494,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"devenv": {
"inputs": {
"cachix": "cachix",
"flake-compat": "flake-compat",
"git-hooks": "git-hooks",
"nix": "nix",
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1732298876,
"narHash": "sha256-WXlcDNMaMJeI4JO4VfQM2ZZCBJBds7j7N04tS9UjiYU=",
"owner": "cachix",
"repo": "devenv",
"rev": "741e23a22f3dc9e53075be3eaa795ea9ed6f5129",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "devenv",
"type": "github"
}
},
"devenv-root": {
"flake": false,
"locked": {
"narHash": "sha256-d6xi4mKdjkX2JFicDIv5niSzpyI0m/Hnm8GGAIU04kY=",
"type": "file",
"url": "file:///dev/null"
},
"original": {
"type": "file",
"url": "file:///dev/null"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1650374568, "lastModified": 1696426674,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra", "owner": "edolstra",
"repo": "flake-compat", "repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8", "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github" "type": "github"
}, },
"original": { "original": {
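Review bot: This lock pulls in a sizeable transitive tree through `teslamate-flake` (`devenv`, `cachix`, `git-hooks`, and the separate `nixpkgs_4` and `nixpkgs_6` pins) and through `agenix-flake` (its own `darwin`, `home-manager` and `nixpkgs`); each node is another upstream that `nix flake update` can move and that an audit has to cover. Where the direct inputs support it, `inputs.<name>.inputs.nixpkgs.follows = "nixpkgs"` in flake.nix would collapse the duplicate nixpkgs pins to one revision. The `devenv-root` node pinned to `file:///dev/null` is the usual devenv placeholder for the project root and carries no content.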
@ -16,34 +124,117 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils": { "flake-parts": {
"inputs": {
"nixpkgs-lib": [
"teslamate-flake",
"devenv",
"nix",
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1656928814, "lastModified": 1712014858,
"narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=", "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
"owner": "numtide", "owner": "hercules-ci",
"repo": "flake-utils", "repo": "flake-parts",
"rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249", "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "numtide", "owner": "hercules-ci",
"repo": "flake-utils", "repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": [
"teslamate-flake",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"git-hooks": {
"inputs": {
"flake-compat": [
"teslamate-flake",
"devenv"
],
"gitignore": "gitignore",
"nixpkgs": [
"teslamate-flake",
"devenv",
"nixpkgs"
],
"nixpkgs-stable": [
"teslamate-flake",
"devenv"
]
},
"locked": {
"lastModified": 1730302582,
"narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "git-hooks.nix",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"teslamate-flake",
"devenv",
"git-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github" "type": "github"
} }
}, },
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"agenix-flake",
"nixpkgs" "nixpkgs"
], ]
"utils": "utils"
}, },
"locked": { "locked": {
"lastModified": 1665655007, "lastModified": 1703113217,
"narHash": "sha256-34ZMJlgqJb73RY/gJz8B4cjdM5ukas2crMYQpmyRGeQ=", "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "8cbc6500dfca22d907054f68c564019b3b6cf295", "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -52,13 +243,99 @@
"type": "github" "type": "github"
} }
}, },
"nixos-unstable": { "home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": { "locked": {
"lastModified": 1665746835, "lastModified": 1739757849,
"narHash": "sha256-XpfvzR5wl6wTUaGQBx98i/yvxOrDKhibD1Tfl2GwHuY=", "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-24.11",
"repo": "home-manager",
"type": "github"
}
},
"libgit2": {
"flake": false,
"locked": {
"lastModified": 1697646580,
"narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
"owner": "libgit2",
"repo": "libgit2",
"rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
"type": "github"
},
"original": {
"owner": "libgit2",
"repo": "libgit2",
"type": "github"
}
},
"local-unstable": {
"locked": {
"lastModified": 0,
"narHash": "sha256-uewgkTWbDOpOP+wEA3f03XEKsPHsJi0iDqBGQnxWQo0=",
"path": "/home/giulio/dev/nixpkgs",
"type": "path"
},
"original": {
"path": "/home/giulio/dev/nixpkgs",
"type": "path"
}
},
"nix": {
"inputs": {
"flake-compat": [
"teslamate-flake",
"devenv"
],
"flake-parts": "flake-parts",
"libgit2": "libgit2",
"nixpkgs": "nixpkgs_5",
"nixpkgs-23-11": [
"teslamate-flake",
"devenv"
],
"nixpkgs-regression": [
"teslamate-flake",
"devenv"
],
"pre-commit-hooks": [
"teslamate-flake",
"devenv"
]
},
"locked": {
"lastModified": 1727438425,
"narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=",
"owner": "domenkozar",
"repo": "nix",
"rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546",
"type": "github"
},
"original": {
"owner": "domenkozar",
"ref": "devenv-2.24",
"repo": "nix",
"type": "github"
}
},
"nixos-master": {
"locked": {
"lastModified": 1741609898,
"narHash": "sha256-2WBG7YPJRxEVEekvux7ut6/lBxkwyNmu54hVRbUx2Ts=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "5e66f427c661955f08d55f654e82bab1b1a7abc1", "rev": "23aebfa4550ef6b2f755286f13b68aababf2ea03",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -68,13 +345,29 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1665643254, "lastModified": 1741462378,
"narHash": "sha256-IBVWNJxGCsshwh62eRfR6+ry3bSXmulB3VQRzLQo3hk=", "narHash": "sha256-ZF3YOjq+vTcH51S+qWa1oGA9FgmdJ67nTNPG2OIlXDc=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ba187fbdc5e35322c7dff556ef2c47bddfd6e8d7", "rev": "2d9e4457f8e83120c9fdf6f1707ed0bc603e5ac9",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1703013332,
"narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -86,60 +379,241 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1659190188, "lastModified": 1741607077,
"narHash": "sha256-LudYrDFPFaQMW0l68TYkPWRPKmqpxIFU1nWfylIp9AQ=", "narHash": "sha256-dVBOW6Hhc8dMvQMi/DrGQuaZOJRmOGX6Ps0+QkdW6cM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a3fddd46a7f3418d7e3940ded94701aba569161d", "rev": "1b47a1dbffce177e49d6174e540a5472432bffe2",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixpkgs-unstable", "ref": "release-24.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": {
"locked": {
"lastModified": 1735264675,
"narHash": "sha256-MgdXpeX2GuJbtlBrH9EdsUeWl/yXEubyvxM1G+yO4Ak=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d49da4c08359e3c39c4e27c74ac7ac9b70085966",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1717432640,
"narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "88269ab3044128b7c2f4c7d68448b2fb50456870",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_6": {
"locked": {
"lastModified": 1716977621,
"narHash": "sha256-Q1UQzYcMJH4RscmpTkjlgqQDX5yi1tZL0O345Ri6vXQ=",
"owner": "cachix",
"repo": "devenv-nixpkgs",
"rev": "4267e705586473d3e5c8d50299e71503f16a6fb6",
"type": "github"
},
"original": {
"owner": "cachix",
"ref": "rolling",
"repo": "devenv-nixpkgs",
"type": "github"
}
},
"nixpkgs_7": {
"locked": {
"lastModified": 1732014248,
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nvidia-patch": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1741330828,
"narHash": "sha256-Vj5UBTlVRWGX3T0EAI6pVWTMmi8SpAeMuRMMVz/Hgz0=",
"owner": "icewind1991",
"repo": "nvidia-patch-nixos",
"rev": "0cc22a482f2aa4c13daeac0935a787d868122ff0",
"type": "github"
},
"original": {
"owner": "icewind1991",
"repo": "nvidia-patch-nixos",
"type": "github"
}
},
"pepeflake": {
"inputs": {
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1739457875,
"narHash": "sha256-ak7EyrCKa79mZjr98PE1lFBj3UuDDIIpaYtky1MN2a0=",
"ref": "refs/heads/master",
"rev": "249e02c5c915fed09c448092d9066257317a4d68",
"revCount": 10,
"type": "git",
"url": "https://git.giugl.io/peperunas/pepeflake"
},
"original": {
"type": "git",
"url": "https://git.giugl.io/peperunas/pepeflake"
}
},
"root": { "root": {
"inputs": { "inputs": {
"home-manager": "home-manager", "agenix-flake": "agenix-flake",
"home-manager": "home-manager_2",
"local-unstable": "local-unstable",
"nixos-master": "nixos-master",
"nixos-unstable": "nixos-unstable", "nixos-unstable": "nixos-unstable",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"vim-extra-plugins": "vim-extra-plugins" "nvidia-patch": "nvidia-patch",
"pepeflake": "pepeflake",
"teslamate-flake": "teslamate-flake"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"teslamate-flake": {
"inputs": {
"devenv": "devenv",
"devenv-root": "devenv-root",
"flake-parts": "flake-parts_2",
"nixpkgs": "nixpkgs_7",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1732358620,
"narHash": "sha256-diQRtJYfzGIVLxrdBad3XKWCtR97rj9Q1ZJ9MmvJGRk=",
"owner": "teslamate-org",
"repo": "teslamate",
"rev": "0ec408c8e182fe64e9568b6f137cbfb528717e8e",
"type": "github"
},
"original": {
"owner": "teslamate-org",
"ref": "v1.32.0",
"repo": "teslamate",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"teslamate-flake",
"nixpkgs"
]
},
"locked": {
"lastModified": 1732292307,
"narHash": "sha256-5WSng844vXt8uytT5djmqBCkopyle6ciFgteuA9bJpw=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "705df92694af7093dfbb27109ce16d828a79155f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
} }
}, },
"utils": { "utils": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"vim-extra-plugins": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "systems": "systems_2"
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1665671907, "lastModified": 1710146030,
"narHash": "sha256-+YXxqH7OROLJ9G4va5BZb4a8aIzulaUZbnH+R1iWoaw=", "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "m15a", "owner": "numtide",
"repo": "nixpkgs-vim-extra-plugins", "repo": "flake-utils",
"rev": "6c1624b0942cdecf7f30aa4d411cb3578bc29a38", "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "m15a", "owner": "numtide",
"repo": "nixpkgs-vim-extra-plugins", "repo": "flake-utils",
"type": "github" "type": "github"
} }
} }
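Review bot: the lock now carries seven separate nixpkgs nodes (`nixpkgs` through `nixpkgs_7`, pinned variously to release-24.05, nixos-24.11, release-24.11, nixos-unstable and cachix's rolling `devenv-nixpkgs`) plus duplicate `systems`/`systems_2` and `flake-utils`/`utils` entries, most of them dragged in under `teslamate-flake`, its `devenv`/`nix` subtree and `pepeflake`. Every one of those is a package set that must be bumped independently for a security fix to reach the closure, so patch state becomes hard to reason about. Adding `inputs.nixpkgs.follows = "nixpkgs"` on `teslamate-flake` and `pepeflake` in flake.nix, as this change already does for home-manager and nvidia-patch, would collapse most of them; the `nix` node pinned to `domenkozar/nix` at `devenv-2.24` is at least locked by rev and narHash, so it is reproducible even if it is a fork.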

flake.nix

@ -1,77 +1,158 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/release-24.11";
nixos-unstable.url = "github:NixOS/nixpkgs/master"; nixos-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nixos-master.url = "github:NixOS/nixpkgs/master";
local-unstable.url = "path:///home/giulio/dev/nixpkgs";
pepeflake.url = "git+https://git.giugl.io/peperunas/pepeflake";
teslamate-flake.url = "github:teslamate-org/teslamate/v1.32.0";
agenix-flake.url = "github:ryantm/agenix";
home-manager = { home-manager = {
url = "github:nix-community/home-manager"; url = "github:nix-community/home-manager/release-24.11";
inputs.nixpkgs.follows = "nixpkgs";
};
nvidia-patch = {
url = "github:icewind1991/nvidia-patch-nixos";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
outputs = outputs =
inputs@{ self, nixpkgs, nixos-unstable, home-manager }: { self
, nixpkgs
, nixos-unstable
, nixos-master
, local-unstable
, home-manager
, teslamate-flake
, nvidia-patch
, agenix-flake
, pepeflake
}:
let let
x64System = "x86_64-linux"; sysLinuxX64 = "x86_64-linux";
darwinSystem = "aarch64-darwin"; sysDarwin = "aarch64-darwin";
sysLinuxAarch = "aarch64-linux";
wrapPkgsSystem = { system }: wrapPkgsSystem = { system, cudaSupport ? false }:
import nixpkgs rec { let
inherit system; config = {
unstable = wrapUnstablePkgsSystem { inherit system; }; inherit cudaSupport;
config.allowUnfree = true;
overlays = [ allowUnfree = true;
(final: prev: { inherit unstable; }) };
cachixOverlay = final: prev: {
nixosModules = (prev.nixosModules or { }) // {
cachixConfig = import ./cachix.nix;
};
};
extOverlays = [
(nvidia-patch.overlays.default)
cachixOverlay
];
importNixpkgs = { flake }:
import flake {
inherit system config;
overlays = extOverlays;
};
unstablePkgs = importNixpkgs { flake = nixos-unstable; };
masterPkgs = importNixpkgs { flake = nixos-master; };
localPkgs = importNixpkgs { flake = local-unstable; };
teslamatePkgs = importNixpkgs { flake = teslamate-flake; };
agenixPkgs = importNixpkgs { flake = agenix-flake; };
pepePkgs = pepeflake.packages.${system} // pepeflake.legacyPackages.${system} or { };
additionalOverlays = [
(final: prev: { inherit unstablePkgs; })
(final: prev: { inherit localPkgs; })
(final: prev: { inherit teslamatePkgs; })
(final: prev: { inherit agenixPkgs; })
(final: prev: { inherit masterPkgs; })
(final: prev: { inherit pepePkgs; })
];
in
import nixpkgs {
inherit system config;
overlays = additionalOverlays ++ extOverlays ++ [
(final: prev: {
ctranslate2 = prev.ctranslate2.override {
withCUDA = true;
withCuDNN = true;
};
})
]; ];
}; };
wrapUnstablePkgsSystem = { system }: wrapUtils = { pkgs }:
import nixos-unstable { let
inherit system; inherit (pkgs.lib) makeScope;
config.allowUnfree = true; inherit (pkgs) newScope;
}; in
makeScope newScope (self: rec {
inherit nixpkgs home-manager nixos-unstable;
inherit (self.callPackage ./lib/utils.nix { }) mkSysRole mkHomeRole;
inherit (user) mkUser;
pkgsX64 = wrapPkgsSystem { system = x64System; }; user = self.callPackage ./lib/user.nix { };
unstableX64 = wrapPkgsSystem { system = x64System; }; host = self.callPackage ./lib/host.nix { };
utilsX64 = import ./lib { });
inherit nixpkgs nixos-unstable home-manager;
pkgs = pkgsX64;
unstable = unstableX64;
system = x64System;
};
pkgsDarwin = wrapPkgsSystem { system = darwinSystem; };
unstableDarwin = wrapPkgsSystem { system = darwinSystem; }; pkgsLinuxX64Cuda = wrapPkgsSystem { system = sysLinuxX64; };
utilsDarwin = import ./lib { utilsLinuxX64Cuda = wrapUtils { pkgs = pkgsLinuxX64Cuda; };
inherit nixpkgs nixos-unstable home-manager;
pkgs = pkgsDarwin; pkgsLinuxAarch = wrapPkgsSystem { system = sysLinuxAarch; };
unstable = unstableDarwin; utilsLinuxAarch = wrapUtils { pkgs = pkgsLinuxAarch; };
system = darwinSystem;
}; pkgsDarwin = wrapPkgsSystem { system = sysDarwin; };
in { utilsDarwin = wrapUtils { pkgs = pkgsDarwin; };
in
{
nixosConfigurations = { nixosConfigurations = {
architect = utilsX64.host.mkHost { architect = utilsLinuxX64Cuda.host.mkHost {
name = "architect"; name = "architect";
users = [{ users = [{
user = "giulio"; user = "giulio";
roles = [ ]; roles = [ ];
}]; }];
}; imports = [
gAluminum = utilsX64.host.mkHost { teslamate-flake.nixosModules.default
name = "gAluminum"; agenix-flake.nixosModules.default
users = [{ ];
user = "giulio";
roles = [ "desktop" "ssh" "git" ];
}];
roles = [ "gnome" ];
};
proxy = utilsX64.host.mkHost {
name = "proxy";
users = [ ];
}; };
}; };
homeConfigurations.giulioMac = utilsDarwin.user.mkHMUser {
homeConfigurations = {
giulioMac = utilsDarwin.user.mkHMUser {
name = "giulio"; name = "giulio";
roles = [ "ssh" ]; roles = [ "ssh" ];
}; };
giulioAarch = utilsLinuxAarch.user.mkHMUser {
name = "giulio";
roles = [ "ssh" ];
};
giulioX64 = utilsLinuxX64Cuda.user.mkHMUser {
name = "giulio";
roles = [ "ssh" "go" ];
};
giulioX64NoSSH = utilsLinuxX64Cuda.user.mkHMUser {
name = "giulio";
roles = [ "go" ];
};
};
defaultTemplate = self.templates.basicShell;
templates = {
basicShell = {
path = ./templates/basicShell;
description = "A barebone shell with custom defined packages";
};
};
}; };
} }
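Review bot: `wrapPkgsSystem` gains a `cudaSupport ? false` parameter that feeds `config.cudaSupport`, but its only x86-64 caller, `pkgsLinuxX64Cuda = wrapPkgsSystem { system = sysLinuxX64; };`, never passes `cudaSupport = true`, so despite the name the package set is built without CUDA and only `ctranslate2` gets the explicit `withCUDA = true; withCuDNN = true;` override; either pass `cudaSupport = true;` there or rename the binding so nobody relies on it. Separately, `local-unstable.url = "path:///home/giulio/dev/nixpkgs";` hard-codes one machine's working checkout as a flake input; the lock records it with `"lastModified": 0` and a narHash of whatever was on that disk, so evaluation fails on any other host and the closure is no longer reproducible from the repository alone. A pinned git rev (or keeping the local override out of the committed flake) would restore that.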


@ -1,13 +1,22 @@
{ config, lib, ... }: { config, ... }:
{ {
age.secrets = {
restic-passwords = {
file = ../../secrets/restic-passwords.age;
};
restic-environment = {
file = ../../secrets/restic-environment.age;
};
};
services.restic.backups = { services.restic.backups = {
backblaze = { backblaze = {
initialize = true; initialize = true;
passwordFile = "/secrets/restic/data.key"; passwordFile = config.age.secrets.restic-passwords.path;
environmentFile = "/secrets/restic/credentials.txt"; environmentFile = config.age.secrets.restic-environment.path;
repository = "b2:architect:/"; repository = "b2:architect:/";
paths = [ "/var/lib" "/secrets" "/services" ]; paths = [ "/var/lib" "/services" ];
pruneOpts = [ pruneOpts = [
"--keep-daily 45" "--keep-daily 45"
"--keep-weekly 12" "--keep-weekly 12"
@ -15,7 +24,7 @@
"--keep-yearly 3" "--keep-yearly 3"
]; ];
timerConfig = { timerConfig = {
OnCalendar = "monday 03:00"; OnCalendar = "monday 09:00";
RandomizedDelaySec = "1h"; RandomizedDelaySec = "1h";
}; };
}; };
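Review bot: on the `passwordFile`/`environmentFile` change in the hunk above, moving the restic password and B2 credentials into agenix (`config.age.secrets.restic-passwords.path`, `config.age.secrets.restic-environment.path`) is the right direction, but the previous values `/secrets/restic/data.key` and `/secrets/restic/credentials.txt` were plaintext files, and `/secrets` was itself in `paths` until this change. Once the agenix-managed files are in place, wipe the old directory and rotate the B2 key, since the unencrypted copies also live in every existing snapshot of that repository; dropping `/secrets` from `paths` stops new copies but does not remove the old ones. The 03:00 to 09:00 timer move in this hunk is cosmetic.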


@ -1,33 +1,25 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "htbaz.giugl.io"; domain = "htbaz.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in in
{ {
services = { services.bazarr = {
bazarr = {
enable = true; enable = true;
group = "media"; group = "media";
}; };
nginx.virtualHosts.${domain} = { architect.vhost.${domain} = with config.architect.networks; {
forceSSL = true; dnsInterfaces = [ "tailscale" ];
enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:6767"; allowLan = true;
extraConfig = auth_block { port = 6767;
access_role = "bazarr";
};
};
};
};
networking.extraHosts = '' allow = [
${network.architect-lan} ${domain} tailscale.net
${network.architect-wg} ${domain} ];
''; };
};
users.groups.media.members = [ "bazarr" ]; users.groups.media.members = [ "bazarr" ];
} }
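Review bot: the old vhost wrapped bazarr in `auth_block { access_role = "bazarr"; }` (OIDC via openresty), while the new `architect.vhost.${domain}` entry only carries `allowLan = true` and `allow = [ tailscale.net ]`; unless the vhost module in options.nix (not in this diff) applies OIDC by default, access control for bazarr drops from per-user authentication to network position, so any device on the LAN or the tailnet reaches the web UI unauthenticated. calibre.nix in this same change keeps its `auth_block`, so an equivalent option on the vhost module would keep the two consistent. Also note `dnsInterfaces = [ "tailscale" ]` with `allowLan = true`: the split-horizon DNS in dns.nix will only answer for this name in the tailscale view, so LAN clients are allowed by the proxy but will not resolve the host.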


@ -1,9 +1,13 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "books.giugl.io"; domain = "books.giugl.io";
network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services = { services = {
calibre-web = { calibre-web = {
enable = true; enable = true;
@ -21,14 +25,14 @@ in {
proxyPass = "http://127.0.0.1:8083"; proxyPass = "http://127.0.0.1:8083";
extraConfig = '' extraConfig = ''
client_max_body_size 500M; client_max_body_size 500M;
''; '' + auth_block { access_role = "calibre"; };
}; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups.media.members = [ "calibre-web" ]; users.groups.media.members = [ "calibre-web" ];


@ -1,6 +0,0 @@
{
programs.ccache.enable = true;
nix.extraOptions = ''
extra-sandbox-paths = /nix/var/cache/ccache
'';
}


@ -1,13 +1,16 @@
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
let let
pubkeys = [ macbookPubkey = (import ../pubkeys.nix).macbook;
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230" pubkeys = [ macbookPubkey ];
]; domain = "devs.giugl.io";
hostname = "architect";
network = import ./network.nix; utilities = import ./utilities.nix { inherit lib config; };
in { inherit (utilities) generateDeviceStrings;
imports = [ # Include the results of the hardware scan. in
{
imports = [
./options.nix
./backup.nix ./backup.nix
./hardware.nix ./hardware.nix
./firewall.nix ./firewall.nix
@ -18,29 +21,48 @@ in {
./bazarr.nix ./bazarr.nix
./nzbget.nix ./nzbget.nix
./nextcloud.nix ./nextcloud.nix
./wireguard.nix
./minio.nix ./minio.nix
./matrix.nix ./matrix.nix
./fail2ban.nix ./fail2ban.nix
./dns.nix ./dns.nix
./minecraft.nix # ./minecraft.nix
./prowlarr.nix ./prowlarr.nix
./libreddit.nix ./redlib.nix
./invidious.nix # ./invidious.nix
./nitter.nix
./lidarr.nix
./navidrome.nix
./jellyfin.nix ./jellyfin.nix
./prosody.nix # ./docker.nix
./deluge.nix ./tailscale.nix
./calibre.nix ./headscale.nix
../../cachix.nix ./llm.nix
./docker.nix # ./photoprism.nix
./keycloak.nix ./sunshine.nix
./jellyseer.nix
./teslamate.nix
./postgres.nix
./netdata.nix
./homeassistant.nix
./searx.nix
]; ];
time.timeZone = "Europe/Rome"; age.identityPaths = [ "/root/.ssh/id_ed25519" ];
system.stateVersion = "21.11";
architect = {
networks.lan = {
interface = "enp6s0";
net = "10.0.0.0/24";
devices = {
architect = { address = "10.0.0.250"; hostname = "architect.${domain}"; };
router = { address = "10.0.0.1"; hostname = "router.${domain}"; };
dvr = { address = "10.0.0.3"; hostname = "dvr.${domain}"; };
};
};
firewall = {
openTCP = [ 22 ];
};
};
time.timeZone = "Europe/London";
users.users.giulio.openssh.authorizedKeys.keys = pubkeys; users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
boot = { boot = {
initrd = { initrd = {
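Review bot: `age.identityPaths = [ "/root/.ssh/id_ed25519" ];` makes root's personal SSH key the decryption identity for every agenix secret on the host, so the key that is also used as an outbound SSH identity now unlocks the restic credentials and anything else added under `age.secrets`. agenix defaults to the sshd host keys under `/etc/ssh/`, which never leave the machine and serve no other purpose; using those (or a dedicated key) keeps secret decryption separate from interactive use. The rest of this hunk is sound: `architect.firewall.openTCP = [ 22 ];` is the only LAN-exposed port, and the `devices` table replaces the scattered `network.nix` addresses with one source of truth that firewall.nix and dns.nix consume.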
@ -55,15 +77,9 @@ in {
}; };
}; };
}; };
};
services.fwupd.enable = true; kernelParams = with config.architect.networks.lan; [
boot = { "ip=${devices.architect.address}::${devices.router.address}:255.255.255.0::${interface}:off"
kernelParams = [
"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
"nvme_core.default_ps_max_latency_us=5500"
"zfs_arc_max=1073741824"
"memmap=32M$0x4ca6f9478"
]; ];
kernel.sysctl = { "net.ipv4.ip_forward" = 1; }; kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
@ -78,31 +94,22 @@ in {
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
zfs.requestEncryptionCredentials = true; zfs.requestEncryptionCredentials = true;
tmpOnTmpfsSize = "50%"; tmp.tmpfsSize = "50%";
}; };
networking = { networking = with config.architect.networks.lan; {
hostName = hostname; hostName = "architect";
hostId = "49350853"; hostId = "49350853";
useDHCP = false; useDHCP = false;
defaultGateway = "10.0.0.1"; defaultGateway = devices.router.address;
interfaces = { interfaces = {
enp5s0.ipv4.addresses = [{ ${interface}.ipv4.addresses = [{
address = network.architect-lan; address = devices.architect.address;
prefixLength = 24; prefixLength = 24;
}]; }];
enp6s0.useDHCP = false;
wlp4s0.useDHCP = false;
}; };
extraHosts = '' extraHosts = (generateDeviceStrings config.architect.networks.lan.devices) + ''
127.0.0.1 ${hostname}.devs.giugl.io localhost
# LAN
${network.architect-lan} ${hostname}.devs.giugl.io
${network.dvr-lan} dvr.devs.giugl.io
${network.nas-lan} nas.devs.giugl.io
192.168.1.1 vodafone.station
# Blacklist # Blacklist
0.0.0.0 metrics.plex.tv 0.0.0.0 metrics.plex.tv
0.0.0.0 analytics.plex.tv 0.0.0.0 analytics.plex.tv
@ -123,29 +130,29 @@ in {
''; '';
}; };
environment.systemPackages = with pkgs; [ cachix ]; hardware.opengl = {
enable = true;
hardware = { extraPackages = with pkgs; [ vaapiVdpau ];
opengl.enable = true;
opengl.extraPackages = with pkgs; [ vaapiVdpau ];
opengl.driSupport = true;
}; };
services.das_watchdog.enable = true;
services = { services = {
fwupd.enable = true;
das_watchdog.enable = true;
zfs.autoScrub.enable = true; zfs.autoScrub.enable = true;
xserver.videoDrivers = [ "nvidia" ];
openssh = { openssh = {
enable = true; enable = true;
passwordAuthentication = false;
kbdInteractiveAuthentication = false; settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
extraConfig = '' extraConfig = ''
MaxAuthTries 15 MaxAuthTries 15
''; '';
}; };
smartd.enable = true; smartd.enable = true;
}; };
environment.variables = { LIBVA_DRIVER_NAME = "vdpau"; };
} }
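Review bot: `MaxAuthTries 15` in `extraConfig` survives the migration to `settings.PasswordAuthentication = false` / `settings.KbdInteractiveAuthentication = false`. With password and keyboard-interactive auth off the value mostly affects clients offering many keys, but it is still 2.5x sshd's default of 6 and lets each connection cycle through more attempts before sshd disconnects, which works against the fail2ban jail this change also configures; consider dropping the override. The `settings` migration itself is the correct form for 24.11, and `xserver.videoDrivers = [ "nvidia" ]` plus the `hardware.opengl` restructure are consistent with the sunshine/llm roles added to `imports`.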


@ -1,54 +0,0 @@
{ lib, config, pkgs, ... }:
let
domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in {
services = {
deluge = {
enable = true;
group = "media";
declarative = true;
config = {
download_location = "/media/deluge";
max_upload_speed = 20;
# full-stream
enc_level = 1;
# forced
enc_in_policy = 0;
# forced
enc_out_policy = 0;
max_active_seeding = 100;
max_connections_global = 1000;
max_active_limit = 100;
max_active_downloading = 100;
listen_ports = [ 51413 51414 ];
random_port = false;
enabled_plugins = [ "Label" "Extractor" ];
};
web.enable = true;
authFile = "/secrets/deluge/auth";
extraPackages = [ pkgs.unrar ];
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8112";
extraConfig = auth_block {
access_role = "deluge";
};
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "deluge" ];
}


@ -1,32 +1,90 @@
{ config, pkgs, lib, ... }: { config, lib, ... }:
with lib;
let let
adguard_webui_port = 3031; generateCoreDNSConfig = domains:
adguard_dns_port = "5300"; let
dnscrypt_listen_port = "5353"; generateForDomain = domain: conf:
concatMapStrings
(iface:
let
architectIP = config.architect.networks.${iface}.devices.architect.address;
interfaceNet = config.architect.networks.${iface}.net;
in
''
${domain} {
view ${iface} {
expr incidr(client_ip(), '${interfaceNet}')
}
template IN A ${domain} {
answer "${domain}. 60 IN A ${architectIP}"
}
template IN HTTPS ${domain} {
answer "${domain}. 60 IN HTTPS 1 . ipv4hint=\"${architectIP}\""
}
cache
log
}
''
)
conf.dnsInterfaces;
in
concatStrings (mapAttrsToList generateForDomain domains);
# Combine vhosts and the single domain
allDomains = config.architect.vhost // {
"architect.devs.giugl.io" = { dnsInterfaces = [ "lan" "tailscale" ]; };
};
domain = "adguard.giugl.io";
in in
{ {
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
port = config.services.adguardhome.port;
allowLan = true;
allow = [
tailscale.net
];
};
};
services = { services = {
dnsmasq = { coredns = {
enable = true; enable = true;
# adguard port config = ''
servers = [ "127.0.0.1#${adguard_dns_port}" ]; ${generateCoreDNSConfig allDomains}
extraConfig = ''
localise-queries . {
min-cache-ttl=120 cache
max-cache-ttl=2400 forward . 127.0.0.1:${toString config.services.adguardhome.settings.dns.port}
}
''; '';
}; };
adguardhome = { adguardhome = {
enable = true; enable = true;
port = adguard_webui_port; settings = {
port = 5354;
dns = {
port = 5300;
};
upstream_dns = [
"tls://architect.d65174.dns.nextdns.io"
"https://dns.nextdns.io/d65174/architect"
];
};
}; };
dnscrypt-proxy2 = { dnscrypt-proxy2 = {
enable = true; enable = true;
settings = { settings = {
listen_addresses = [ "127.0.0.1:${dnscrypt_listen_port}" ]; listen_addresses = [ "127.0.0.1:5354" ];
ipv4_servers = true; ipv4_servers = true;
ipv6_servers = false; ipv6_servers = false;
block_ipv6 = true; block_ipv6 = true;
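Review bot: `adguardhome.settings.port = 5354;` collides with `dnscrypt-proxy2.settings.listen_addresses = [ "127.0.0.1:5354" ];` in the same file, and the vhost's `port = config.services.adguardhome.port;` reads the module's own `port` option, a different attribute from `settings.port`, so the reverse proxy may target a port AdGuard is not bound to. Pick one value via `services.adguardhome.port` and drop `settings.port`, and move dnscrypt-proxy2 off 5354; as far as this diff shows nothing forwards to it any more, since coredns forwards to AdGuard's DNS port 5300 and AdGuard's `upstream_dns` goes straight to NextDNS. The NextDNS profile id embedded in those two `upstream_dns` URLs is also committed here; treat it as a credential, because anyone holding it can resolve through, and appear in the logs and allow/deny lists of, that profile. The coredns `view` blocks using `expr incidr(client_ip(), '${interfaceNet}')` are a clean way to do split-horizon answers per interface.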
@ -39,8 +97,8 @@ in
lb_estimator = true; lb_estimator = true;
ignore_system_dns = true; ignore_system_dns = true;
fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ]; fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
cache_min_ttl = 450; cache_min_ttl = 60;
cache_max_ttl = 2400; cache_max_ttl = 360;
}; };
}; };
}; };


@ -1,10 +1,25 @@
{ config, ... }:
{ {
virtualisation.docker = { architect.networks.docker = {
interface = "docker0";
net = "172.17.0.0/16";
};
hardware.nvidia-container-toolkit.enable = true;
virtualisation = {
oci-containers.backend = "docker";
docker = {
enable = true; enable = true;
extraOptions = '' extraOptions = ''
--dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker --dns 127.0.0.1 --dns ${config.architect.networks.lan.devices.architect.address} --data-root /docker
''; '';
enableOnBoot = false; enableOnBoot = false;
daemon.settings.iptables = false;
}; };
};
users.users.giulio.extraGroups = [ "docker" ]; users.users.giulio.extraGroups = [ "docker" ];
} }
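Review bot: `daemon.settings.iptables = false;` stops dockerd from programming any firewall rules, so published ports and container isolation now depend entirely on the hand-written nftables ruleset in firewall.nix, where the newly added `DOCKER` chain is empty; until rules are written there, `-p` port mappings will not be reachable and containers cannot be NATed out. `enableOnBoot = false` limits the blast radius, but this file also enables `hardware.nvidia-container-toolkit`, which exposes the GPU devices to containers, so the isolation rules are worth landing together with this change. Deriving `--dns` from `config.architect.networks.lan.devices.architect.address` instead of the literal `10.0.0.250` is a good cleanup.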


@ -1,9 +1,14 @@
{ config, pkgs, ... }: { { config, pkgs, ... }:
{
services.fail2ban = { services.fail2ban = {
enable = true; enable = true;
package = pkgs.fail2ban; package = pkgs.fail2ban;
packageFirewall = pkgs.nftables; packageFirewall = pkgs.nftables;
bantime-increment.enable = true; bantime-increment.enable = true;
ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ]; ignoreIP = [
config.architect.networks.lan.net
config.architect.networks.tailscale.net
];
}; };
} }


@ -1,53 +1,23 @@
{ config, lib, ... }: { config, lib, ... }:
with import ./network.nix;
let let
# TCP services openTCP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCP;
ssh_tcp = 22; openUDP = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDP;
http_tcp = 80; openTCPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openTCPVPN;
https_tcp = 443; openUDPVPN = lib.concatMapStringsSep "," (x: toString x) config.architect.firewall.openUDPVPN;
synapse_tcp = 8448;
gitea_tcp = 10022;
prosody_tcp = 5222;
minecraft_tcp = 25565;
# UDP services deviceAddress = interface: device:
dns_udp = 53; config.architect.networks.${interface}.devices.${device}.address;
wireguard_udp = 1194;
# TCP/UDP services gdevices = [
torrent_a = 51413; (deviceAddress "tailscale" "architect")
torrent_b = 51414; (deviceAddress "tailscale" "dodino")
(deviceAddress "tailscale" "manduria")
# grouping (deviceAddress "tailscale" "kmerr")
open_tcp_ports = lib.concatMapStringsSep "," (x: toString x) [ (deviceAddress "tailscale" "chuck")
ssh_tcp
http_tcp
https_tcp
synapse_tcp
gitea_tcp
torrent_a
torrent_b
]; ];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ in
wireguard_udp {
torrent_a
torrent_b
];
open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
ssh_tcp
http_tcp
https_tcp
prosody_tcp
minecraft_tcp
];
open_udp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [
dns_udp
wireguard_udp
];
in {
networking = { networking = {
# needed to use nftables # needed to use nftables
firewall.enable = false; firewall.enable = false;
@ -55,7 +25,7 @@ in {
nftables = { nftables = {
enable = true; enable = true;
ruleset = '' ruleset = with config.architect.networks; ''
table ip raw { table ip raw {
chain PREROUTING { chain PREROUTING {
type filter hook prerouting priority raw; policy accept; type filter hook prerouting priority raw; policy accept;
@ -67,6 +37,9 @@ in {
} }
table ip nat { table ip nat {
chain DOCKER {
type nat hook prerouting priority dstnat; policy accept;
}
chain PREROUTING { chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
} }
@ -81,10 +54,7 @@ in {
chain POSTROUTING { chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname ${wan-if} ip saddr {${ oifname ${lan.interface} ip saddr ${tailscale.net} masquerade
lib.concatStringsSep "," towan-wg
}} masquerade
oifname ${wan-if} ip saddr ${docker-net} masquerade
} }
} }
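Review bot: the POSTROUTING chain now masquerades `${tailscale.net}` out of `${lan.interface}` and nothing else: the `${docker-net}` masquerade is removed without replacement, which matters because docker.nix in this same change sets `daemon.settings.iptables = false`, so Docker will not add its own SNAT either. The old rule also masqueraded only the `towan-wg` subset of VPN peers, whereas now the whole tailnet range is NATed onto the LAN through this host, and the forward chain's `oifname ${lan.interface} ip saddr ${tailscale.net} accept` grants the path; confirm that every tailscale node is meant to act as a LAN client, or keep a named subset as before.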
@ -94,12 +64,10 @@ in {
ct state invalid,untracked drop comment "drop invalid" ct state invalid,untracked drop comment "drop invalid"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
iifname ${wan-if} ip saddr ${vpn-net} drop comment "bind any ip to intf ${wan-if}" iifname ${lan.interface} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${lan.interface}"
iifname ${wan-if} ip saddr 127.0.0.0/8 drop comment "bind any ip to intf ${wan-if}" iifname ${lan.interface} accept comment "bind any ip to intf ${lan.interface}"
iifname ${wan-if} accept comment "bind any ip to intf ${wan-if}" iifname ${tailscale.interface} ip saddr ${tailscale.net} accept
iifname ${proxy-if} ip saddr ${proxy-net} accept comment "bind ip ${proxy-net} to intf ${proxy-if}" iifname ${tailscale.interface} ip saddr 100.100.100.100/32 accept
iifname ${vpn-if} ip saddr ${vpn-net} accept comment "bind ip ${vpn-net} to intf ${vpn-if}"
iifname ${docker-if} ip saddr ${docker-net} accept comment "bind ip ${docker-net} to intf ${docker-if}"
iifname "lo" accept comment "bind any ip to intf lo" iifname "lo" accept comment "bind any ip to intf lo"
jump mangle_drop jump mangle_drop
} }
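Review bot: the anti-spoofing rule `iifname ${wan-if} ip saddr ${vpn-net} drop` has no successor: the new chain drops only `127.0.0.0/8` on `${lan.interface}` and then accepts everything else arriving there, so a packet on the LAN interface that carries a `${tailscale.net}` source address passes this chain and later matches the `ip saddr ${tailscale.net} accept` rules in the input and forward chains. Add `iifname ${lan.interface} ip saddr ${tailscale.net} drop comment "tailscale addresses only on ${tailscale.interface}"` before the blanket accept. The `iifname ${docker-if} ip saddr ${docker-net} accept` rule is also gone while a `DOCKER` nat chain is still being added in this same change, so traffic from containers on the bridge now falls through to `jump mangle_drop`.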
@ -152,16 +120,12 @@ in {
iifname "lo" accept comment "loopback" iifname "lo" accept comment "loopback"
ip daddr 255.255.255.255 accept comment "allow broadcast traffic" ip daddr 255.255.255.255 accept comment "allow broadcast traffic"
ip daddr 224.0.0.0/4 accept comment "allow multicast traffic" ip daddr 224.0.0.0/4 accept comment "allow multicast traffic"
ip saddr ${lan-net} accept comment "lan > local" ip saddr ${lan.net} accept comment "lan > local"
ip saddr ${proxy-wg} accept comment "proxy > local" ip saddr ${tailscale.net} accept comment "tailscale > local"
ip saddr {${lib.concatStringsSep "," gdevices-wg}} accept comment "vpn > local" ip saddr {${lib.concatStringsSep "," gdevices}} accept comment "vpn > local"
iifname ${wan-if} tcp dport {${open_tcp_ports}} accept iifname ${lan.interface} tcp dport {${openTCP}} accept
iifname ${wan-if} udp dport {${open_udp_ports}} accept iifname ${lan.interface} udp dport {${openUDP}} accept
iifname ${vpn-if} tcp dport {${open_tcp_ports_vpn}} accept
iifname ${vpn-if} udp dport {${open_udp_ports_vpn}} accept
iifname ${vpn-if} icmp type echo-request accept
iifname ${docker-if} udp dport 53 accept
jump filter_drop jump filter_drop
} }
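Review bot: `ip saddr ${tailscale.net} accept comment "tailscale > local"` opens every local port to the whole Tailscale prefix without an interface match, which is broader than the single-host `ip saddr ${proxy-wg} accept` it replaces; bind it to the tunnel (`iifname ${tailscale.interface} ip saddr ${tailscale.net} accept`) so the prefix is only trusted when it arrives over that interface. The removed `iifname ${docker-if} udp dport 53 accept` also means containers can no longer reach a resolver on the host; if any container relies on it, re-add the rule for the bridge interface.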
@ -169,25 +133,7 @@ in {
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
ct state established,related accept ct state established,related accept
# client to client oifname ${lan.interface} ip saddr ${tailscale.net} accept
ip saddr {${lib.concatStringsSep "," c2c-wg}} ip daddr {${
lib.concatStringsSep "," c2c-wg
}} accept
# gdevices talking to everyone in VPN
ip saddr {${
lib.concatStringsSep "," gdevices-wg
}} ip daddr ${vpn-net} accept
ip saddr {${
lib.concatStringsSep "," gamenet-wg
}} ip daddr {${lib.concatStringsSep "," gamenet-wg}} accept
# nat to wan
oifname ${wan-if} ip saddr {${
lib.concatStringsSep "," towan-wg
}} accept
oifname ${wan-if} ip saddr ${docker-net} accept
jump filter_drop jump filter_drop
} }
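Review bot: with `policy drop` and the only new rule being `oifname ${lan.interface} ip saddr ${tailscale.net} accept`, the forward chain no longer lets `${docker-net}` leave the host (`oifname ${wan-if} ip saddr ${docker-net} accept` is removed), so containers lose outbound connectivity unless Docker's own rules end up after this ruleset; either re-add a forward rule for the bridge prefix or document that containers are intentionally isolated. The peer-to-peer groups (`c2c-wg`, `gamenet-wg`) disappear without replacement, which is fine if Tailscale now meshes those devices directly, but a comment in the ruleset should say so.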


@ -1,37 +1,34 @@
{ lib, ... }: { config, lib, ... }:
let let
domain = "git.giugl.io"; domain = "git.giugl.io";
network = import ./network.nix; in
in { {
architect = {
firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ];
vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" ];
locations."/" = {
port = config.services.gitea.settings.server.HTTP_PORT;
allowWAN = true;
};
};
};
services.gitea = { services.gitea = {
enable = true; enable = true;
database.type = "sqlite3"; database.type = "sqlite3";
domain = domain;
appName = "Gitea"; appName = "Gitea";
rootUrl = "https://${domain}"; # https://github.com/NixOS/nixpkgs/issues/235442#issuecomment-1574329453
ssh.clonePort = 22; lfs.enable = true;
settings.server.LFS_START_SERVER = true; settings = {
server = {
DOMAIN = domain;
ROOT_URL = "https://${domain}";
SSH_PORT = 22;
HTTP_PORT = 3001;
}; };
openid.enable_openid_signin = true;
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
extraConfig = ''
allow 127.0.0.1;
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
allow 10.4.0.0/24;
deny all;
'';
}; };
}; };
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
} }
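Review bot: access control moves from an nginx allow list (`allow 127.0.0.1;`, `allow 10.0.0.0/24;`, the `gdevices-wg` entries, `deny all;`) to `allowWAN = true`, and `firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]` opens port 22 as well, so both the web UI and git-over-SSH become reachable from the internet. If that is intended, pair it with `settings.service.DISABLE_REGISTRATION = true` (not present in this hunk) and some rate limiting on the vhost, and state the exposure change in the module comment; otherwise keep `allowWAN = false` and restore the LAN/tailscale allow list through `architect.vhost`.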


@ -1,15 +0,0 @@
{ ... }:
{
services.github-runner = {
enable = true;
url = "https://github.com/ropfuscator";
tokenFile = "/secrets/github-runner/token";
replace = true;
};
nix.extraOptions = ''
tarball-ttl = 0
access-tokens = github.com=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
'';
}
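Review bot: the deleted file contains a GitHub personal access token in clear text (`access-tokens = github.com=ghp_...`) next to the runner `tokenFile`. Deleting the file does not remove the token from repository history, so it must be revoked on GitHub and the runner registration rotated; going forward, `nix.extraOptions` secrets belong in an age-managed file referenced by path, not inline in a committed module.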


@ -1,48 +1,24 @@
# Do not modify this file! It was generated by nixos-generate-config { config, lib, modulesPath, ... }:
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/28ce6650-de21-4c1d-ae42-95d1e3507740";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/B790-869D";
fsType = "vfat";
};
hardware.cpu.amd.updateMicrocode = hardware.cpu.amd.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware; lib.mkDefault config.hardware.enableRedistributableFirmware;
fileSystems."/media" = { environment.etc."crypttab".text = ''
device = "datapool/media"; backedNvme /dev/disk/by-uuid/92cfaa4a-82a1-4336-b552-b7f4f3c68613 /newdrive.key
fsType = "zfs"; '';
};
fileSystems."/secrets" = {
device = "backedpool/secrets";
fsType = "zfs";
};
fileSystems."/services" = {
device = "backedpool/services";
fsType = "zfs";
};
swapDevices = [{
device = "/swapfile";
size = 1024 * 64;
}];
boot = { boot = {
initrd.luks.devices = { kernelModules = [ "kvm-amd" "dm-snapshot" ];
initrd = {
luks.devices = {
# backedNvme = {
# device = "/dev/disk/by-uuid/92cfaa4a-82a1-4336-b552-b7f4f3c68613";
# keyFile = "/newdrive.key";
# allowDiscards = true;
# };
root = { root = {
device = "/dev/disk/by-uuid/bdd5f111-ecec-48d8-861f-94083098c724"; device = "/dev/disk/by-uuid/bdd5f111-ecec-48d8-861f-94083098c724";
preLVM = true; preLVM = true;
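Review bot: `environment.etc."crypttab".text` unlocks `backedNvme` with the key file `/newdrive.key` from the root filesystem, so that file's ownership and mode (root-only, 0400) now decide the security of the encrypted drive; add a comment stating where the key lives and how it is protected. The commented-out `initrd.luks.devices.backedNvme` block left directly above `root = {` should either be deleted or carry a one-line note that the crypttab path replaced it, so a later reader does not re-enable both.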
@ -50,8 +26,44 @@
fallbackToPassword = true; fallbackToPassword = true;
}; };
}; };
initrd.availableKernelModules = availableKernelModules =
[ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ "dm-snapshot" ];
}; };
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/28ce6650-de21-4c1d-ae42-95d1e3507740";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/B790-869D";
fsType = "vfat";
};
"/backednvme" = {
device = "/dev/mapper/backedNvme";
};
"/services" = {
device = "/backednvme/services";
options = [ "bind" ];
};
"/secrets" = {
device = "/backednvme/secrets";
options = [ "bind" ];
};
"/media" = {
device = "nvmedata/media";
fsType = "zfs";
};
};
swapDevices = [{
device = "/swapfile";
size = 1024 * 64;
}];
} }
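Review bot: `"/backednvme" = { device = "/dev/mapper/backedNvme"; }` has no `fsType`, so the mount relies on auto-detection; set it explicitly like the other entries. The `/services` and `/secrets` bind mounts now depend on `/backednvme`, which is unlocked via crypttab after the initrd rather than in `boot.initrd.luks.devices`; check that nothing reads `/secrets` before that unlock completes, and set `neededForBoot` on these mounts if it does.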


@ -0,0 +1,49 @@
{ config, pkgs, ... }:
let
domain = "vipienne.giugl.io";
headscalePkg = pkgs.headscale;
in
{
environment.systemPackages = [ headscalePkg ];
architect = {
firewall = {
openUDP = [ config.services.tailscale.port ];
};
vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" ];
locations."/" = {
port = config.services.headscale.port;
allowWAN = true;
proxyWebsockets = true;
};
};
};
services.headscale = {
enable = true;
package = headscalePkg;
port = 1194;
settings = {
server_url = "https://${domain}";
# log.level = "debug";
dns = {
magic_dns = false;
# base_domain = domain;
override_local_dns = true;
global = [
config.architect.networks.tailscale.devices.architect.address
];
nameservers.global = [
config.architect.networks.tailscale.devices.architect.address
];
};
logtail.enabled = false;
prefixes.v4 = config.architect.networks.tailscale.net;
noise.private_key_path = "/var/lib/headscale/noise_private.key";
};
};
}
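Review bot: `dns.global` and `dns.nameservers.global` carry the same value; the current headscale schema uses `dns.nameservers.global` and I am not aware of a `dns.global` key, so drop the duplicate to avoid an unknown key in the generated config. `allowWAN = true` is required for clients to reach the control plane and the firewall only opens `config.services.tailscale.port` over UDP, which is fine; a comment saying that `port = 1194` is headscale's HTTP listener (not an OpenVPN port) would save the next reader a double take.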


@ -1,66 +0,0 @@
{ lib, config, pkgs, ... }:
let
domain = "home.giugl.io";
network = import ./network.nix;
host = "127.0.0.1";
port = 8123;
in {
services = {
mosquitto = {
enable = true;
listeners = [{
acl = [ "pattern readwrite #" ];
omitPasswordAuth = true;
settings.allow_anonymous = true;
}];
};
home-assistant = {
enable = true;
extraComponents = [
# Components required to complete the onboarding
"met"
"radio_browser"
];
config = {
default_config = { };
http = {
server_port = port;
server_host = host;
trusted_proxies = [ host ];
use_x_forwarded_for = true;
};
homeassistant = {
name = "Manduria";
latitude = 40.4;
longitude = 17.63;
unit_system = "metric";
time_zone = "Europe/Rome";
external_url = "http://${domain}";
};
};
};
nginx.virtualHosts.${domain} = {
# forceSSL = true;
# enableACME = true;
locations."/" = {
proxyPass = "http://${host}:${toString port}";
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}

File diff suppressed because it is too large


@ -1,26 +1,22 @@
{ lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
domain = "tube.giugl.io"; domain = "tube.giugl.io";
network = import ./network.nix;
in in
{ {
services = { services.invidious = {
invidious = {
enable = true; enable = true;
port = 9092; package = pkgs.unstablePkgs.invidious;
package = pkgs.unstable.invidious; settings = {
}; hmac_key = "a2a91eca269d26de1221285e8981879834045bff";
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:9092"; };
}; };
}; };
networking.extraHosts = '' architect.vhost.${domain} = {
${network.architect-lan} ${domain} dnsInterfaces = [ "lan" "tailscale" ];
${network.architect-wg} ${domain} locations."/" = {
''; port = config.services.invidious.port;
allowWAN = true;
};
};
} }
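Review bot: `hmac_key = "a2a91eca..."` is placed in `settings`, which the module serialises into a config file in the world-readable Nix store, and with `allowWAN = true` that key is what Invidious uses for signing; move it to `services.invidious.extraSettingsFile` pointing at an age secret and rotate the value, since the current one is now part of the repository history.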


@ -1,59 +1,48 @@
{ pkgs, ... }: { config, pkgs, lib, ... }:
let let
network = import ./network.nix;
domain = "media.giugl.io"; domain = "media.giugl.io";
in { port = 8096;
disabledModules = [ "services/misc/jellyfin.nix" ]; allowLan = true;
imports = [ ./modules/jellyfin.nix ]; in
{
# needed since StateDirectory does not accept symlinks
systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce "";
services = { architect.vhost.${domain} = with config.architect.networks; {
jellyfin = { dnsInterfaces = [ "lan" "tailscale" ];
locations = {
"/" = {
inherit port allowLan;
allow = [
tailscale.net
];
};
"/socket" = {
inherit port allowLan;
proxyWebsockets = true;
allow = [
tailscale.net
];
};
};
};
services.jellyfin = {
enable = true; enable = true;
group = "media"; group = "media";
package = pkgs.unstable.jellyfin; package = pkgs.unstablePkgs.jellyfin;
}; };
nginx.virtualHosts.${domain} = { users.groups = {
forceSSL = true; media.members = [ "jellyfin" ];
enableACME = true; video.members = [ "jellyfin" ];
extraConfig = '' render.members = [ "jellyfin" ];
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:8096";
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
}; };
locations."/socket" = {
proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true;
# extraConfig = ''
# allow 10.0.0.0/24;
# allow 10.3.0.0/24;
# deny all;
# '';
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "jellyfin" ];
users.groups.video.members = [ "jellyfin" ];
users.groups.render.members = [ "jellyfin" ];
fileSystems."/tmp/jellyfin" = { fileSystems."/tmp/jellyfin" = {
device = "none"; device = "none";
fsType = "tmpfs"; fsType = "tmpfs";
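Review bot: `systemd.services.jellyfin.serviceConfig.StateDirectory = lib.mkForce ""` is justified only by the symlink comment; spell out which path is the symlink and note that systemd will no longer create or chown the data directory, so `jellyfin:media` ownership has to be guaranteed elsewhere. The old vhost's `proxy_buffering off;` for streaming has no counterpart in the new `architect.vhost` block; confirm the module sets it, otherwise add it to the `/` location.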


@ -0,0 +1,23 @@
{ config, pkgs, ... }:
let
domain = "aumm-aumm.giugl.io";
in
{
services.jellyseerr = {
enable = true;
# package = pkgs.unstablePkgs.jellyseerr;
};
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
port = config.services.jellyseerr.port;
allowLan = true;
allow = [
config.architect.networks.tailscale.net
];
};
};
}


@ -1,78 +0,0 @@
{ pkgs, config, ... }:
let
network = import ./network.nix;
domain = "auth.giugl.io";
in {
services = {
keycloak = {
enable = true;
initialAdminPassword = "giulio";
database.passwordFile = "/secrets/keycloak/database.key";
settings = {
hostname = domain;
proxy = "edge";
http-port = 6654;
https-port = 6655;
hostname-strict-backchannel = true;
};
};
postgresql = {
ensureDatabases =
[ "${toString config.services.keycloak.database.name}" ];
ensureUsers = [{
name = "${toString config.services.keycloak.database.username}";
ensurePermissions = {
"DATABASE ${toString config.services.keycloak.database.name}" =
"ALL PRIVILEGES";
};
}];
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations = {
"/" = { return = "301 https://${domain}/realms/master/account"; };
"/admin" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/js" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/realms" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/resources" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/robots.txt" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}
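Review bot: the removed module hard-coded `initialAdminPassword = "giulio"`, and removing the module does not touch the Postgres database it created (`ensureDatabases`/`ensureUsers` only create, never drop); drop the Keycloak database and role by hand so the realm data and that admin account do not linger on the host.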


@ -1,25 +0,0 @@
{ lib, pkgs, ... }:
let
domain = "reddit.giugl.io";
network = import ./network.nix;
in
{
services = {
libreddit = {
enable = true;
port = 9090;
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:9090"; };
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}


@ -0,0 +1,82 @@
{ config, lib, ... }:
let
domain = "photos.giugl.io";
backendPort = 8001;
frontendPort = 3000;
in
{
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" ];
locations."/" = {
host = "172.17.0.1";
port = frontendPort;
# allowLan = true;
# allow = [ config.architect.networks."tailscale".net ];
};
locations."~ ^/(api|media)/" = {
host = "172.17.0.1";
port = backendPort;
# allowLan = true;
# allow = [ config.architect.networks."tailscale".net ];
};
locations."/ws" = {
host = "172.17.0.1";
port = backendPort;
proxyWebsockets = true;
# allowLan = true;
# allow = [ config.architect.networks."tailscale".net ];
};
};
services.redis.servers."librephotos" = {
enable = true;
port = 1233;
bind = "172.17.0.1";
extraParams = [ "--protected-mode no" ];
};
virtualisation.oci-containers = {
containers = {
librephotos-front = {
image = "reallibrephotos/librephotos-frontend:latest";
autoStart = true;
ports = [
"172.17.0.1:${toString frontendPort}:${toString frontendPort}"
];
};
librephotos-back = {
image = "reallibrephotos/librephotos:latest";
autoStart = true;
ports = [
"172.17.0.1:${toString backendPort}:${toString backendPort}"
];
environment = {
SECRET_KEY = "LOLOL";
BACKEND_HOST = domain;
ADMIN_EMAIL = "me@giugl.io";
ADMIN_USERNAME = "giulio";
ADMIN_PASSWORD = "giulio";
ALLOWED_HOSTS = domain;
DB_BACKEND = "mysql";
DB_NAME = "librephotos";
DB_USER = "librephotos";
DB_PASS = "librephotos";
DB_HOST = "172.17.0.1";
DB_PORT = toString config.services.mysql.settings.mysqld.port;
REDIS_HOST = "172.17.0.1";
REDIS_PORT = toString config.services.redis.servers."librephotos".port;
MAPBOX_API_KEY = "SOME_KEY";
WEB_CONCURRENCY = "24";
DEBUG = "0";
};
};
};
};
}
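Review bot: `SECRET_KEY = "LOLOL"`, `ADMIN_PASSWORD = "giulio"`, `DB_PASS = "librephotos"` and `MAPBOX_API_KEY = "SOME_KEY"` are passed through `environment`, so they land in the Nix store and in `docker inspect` output; move them to `environmentFiles` pointing at an age secret and replace the placeholder values before the containers start. `services.redis.servers."librephotos"` is bound to `172.17.0.1` with `--protected-mode no` and no password, which makes it writable from every container on the bridge; set `requirePassFile` and hand the password to the backend container the same way. The `allowLan`/`allow` lines on all three locations are commented out, so the vhost's default exposure applies; state the intended audience explicitly.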


@ -1,32 +1,25 @@
{ lib, ... }: { config, ... }:
let let
domain = "htlid.giugl.io"; domain = "htlid.giugl.io";
network = import ./network.nix; in
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; {
in {
services = { services = {
lidarr = { lidarr = {
enable = true; enable = true;
group = "media"; group = "media";
}; };
};
nginx.virtualHosts.${domain} = { architect.vhost.${domain} = {
forceSSL = true; dnsInterfaces = [ "lan" "tailscale" ];
enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8686"; port = 8686;
extraConfig = auth_block { allowLan = true;
access_role = "lidarr"; allowWAN = false;
allow = [ config.architect.networks."tailscale".net ];
}; };
}; };
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "lidarr" ]; users.groups.media.members = [ "lidarr" ];
} }
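Review bot: the OpenResty OIDC block (`auth_block { access_role = "lidarr"; }`) is replaced by network-based access (`allowLan = true`, `allow = [ config.architect.networks."tailscale".net ]`, `allowWAN = false`), so the per-user role check is gone and anyone on the LAN or tailnet reaches Lidarr directly; confirm Lidarr's built-in authentication is set to required, and add a comment explaining why OIDC was dropped.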

hosts/architect/llm.nix Normal file

@ -0,0 +1,56 @@
{ config, pkgs, ... }:
let
backendDomain = "ollama.giugl.io";
frontendDomain = "llm.giugl.io";
ollamaPkg = pkgs.unstablePkgs.ollama-cuda;
in
{
environment = {
systemPackages = [ ollamaPkg ];
};
services = {
ollama = {
enable = true;
package = ollamaPkg;
acceleration = "cuda";
environmentVariables = {
OLLAMA_FLASH_ATTENTION = "1";
OLLAMA_NUM_PARALLEL = "2";
OLLAMA_KV_CACHE_TYPE = "q8_0";
};
};
open-webui.enable = true;
};
architect.vhost.${backendDomain} = {
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
host = config.services.ollama.host;
port = config.services.ollama.port;
allowLan = true;
allowWAN = true;
recommendedProxySettings = false;
extraConfig = ''
proxy_buffering off;
proxy_read_timeout 600s;
proxy_set_header Host localhost:${toString config.services.ollama.host};
'';
};
};
architect.vhost.${frontendDomain} = {
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
host = config.services.open-webui.host;
port = config.services.open-webui.port;
allowLan = true;
allowWAN = true;
};
};
}
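Review bot: `proxy_set_header Host localhost:${toString config.services.ollama.host};` interpolates the host option into the port position and yields a header like `Host: localhost:127.0.0.1`; it should be `${toString config.services.ollama.port}`. More importantly, `allowWAN = true` on `${backendDomain}` publishes the Ollama API, which has no authentication of its own, to the internet, so anyone can list, pull, delete or run models and burn GPU time; keep the backend on `allowLan` plus tailscale and expose only Open WebUI (which has a login) on `${frontendDomain}`, or put an authenticating proxy in front of the backend. With `recommendedProxySettings = false` the location also sets no `X-Forwarded-*` headers, which is worth a comment if intentional.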


@ -1,28 +1,33 @@
{ pkgs, ... }: { config, pkgs, lib, ... }:
let let
domain = "matrix.giugl.io"; domain = "runas.rocks";
webui_domain = "chat.giugl.io"; utilities = import ./utilities.nix { inherit lib config; };
network = import ./network.nix; inherit (utilities) architectInterfaceAddress;
db_name = "matrix-synapse"; in
in { {
age.secrets.matrix = {
file = ../../secrets/matrix-synapse.age;
owner = "matrix-synapse";
};
services = { services = {
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
# Database config is in the .age file
extraConfigFiles = [ config.age.secrets.matrix.path ];
settings = { settings = {
server_name = "${domain}"; server_name = "${domain}";
database_name = db_name;
public_baseurl = "https://${domain}"; public_baseurl = "https://${domain}";
registration_shared_secret = "runas!"; registration_shared_secret = "runas!";
url_preview_enabled = true; url_preview_enabled = true;
dynamic_thumbnails = true; dynamic_thumbnails = true;
withJemalloc = true; withJemalloc = true;
# enable_registration = true; enable_registration = false;
app_service_config_files = [ password_config.enabled = true;
"/var/lib/matrix-synapse/discord-registration.yaml"
# "/var/lib/matrix-synapse/hookshot-registration.yml" auto_join_rooms = [ "#general:${domain}" "#music:${domain}" "#movies:${domain}" ];
# "/var/lib/matrix-synapse/telegram-registration.yaml"
];
listeners = [{ listeners = [{
port = 8008; port = 8008;
bind_addresses = [ "127.0.0.1" ]; bind_addresses = [ "127.0.0.1" ];
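Review bot: the database settings move into an age secret (`extraConfigFiles = [ config.age.secrets.matrix.path ]`) but `registration_shared_secret = "runas!"` stays in `settings`, so it is still written to the world-readable Nix store; move it into the same age file (Synapse also accepts `registration_shared_secret_path`). Changing `domain` from `matrix.giugl.io` to `runas.rocks` changes `server_name`, which Synapse refuses to start with once a database has been initialised under the old name; make sure this is a fresh deployment or a planned migration.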
@ -35,22 +40,6 @@ in {
}]; }];
}]; }];
}; };
#extraConfig = ''
# auto_join_rooms:
# - "#general:matrix.giugl.io"
# max_upload_size: "50M"
#'';
};
postgresql = {
enable = true;
package = pkgs.postgresql;
ensureDatabases = [ db_name ];
ensureUsers = [{
name = db_name;
ensurePermissions = { "DATABASE \"${db_name}\"" = "ALL PRIVILEGES"; };
}];
}; };
nginx.virtualHosts = { nginx.virtualHosts = {
@ -63,67 +52,44 @@ in {
''; '';
locations."= /.well-known/matrix/server".extraConfig = locations."= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "${domain}:443"; }; let server = { "m.server" = "${domain}:443"; };
in '' in
''
add_header Content-Type application/json; add_header Content-Type application/json;
return 200 '${builtins.toJSON server}'; return 200 '${builtins.toJSON server}';
''; '';
locations."= /.well-known/matrix/client".extraConfig = let locations."= /.well-known/matrix/client".extraConfig =
let
client = { client = {
"m.homeserver" = { "base_url" = "https://${domain}:443"; }; "m.homeserver" = { "base_url" = "https://${domain}:443"; };
"m.identity_server" = { "base_url" = "https://vector.im"; }; "m.identity_server" = { "base_url" = "https://vector.im"; };
}; };
# ACAO required to allow element-web on any URL to request this json file # ACAO required to allow element-web on any URL to request this json file
in '' in
''
add_header Content-Type application/json; add_header Content-Type application/json;
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}'; return 200 '${builtins.toJSON client}';
''; '';
locations."/".extraConfig = '' # locations."/".extraConfig = ''
return 404; # return 404;
''; # '';
# forward all Matrix API calls to the synapse Matrix homeserver # forward all Matrix API calls to the synapse Matrix homeserver
locations."/_matrix" = { locations."/_matrix" = {
proxyPass = "http://127.0.0.1:8008"; # without a trailing / proxyPass = "http://127.0.0.1:8008"; # without a trailing /
}; };
};
# web client locations."/_synapse" = {
"${webui_domain}" = { proxyPass = "http://127.0.0.1:8008"; # without a trailing /
enableACME = true;
forceSSL = true;
root = pkgs.element-web.override {
conf = {
default_server_config."m.homeserver" = {
"base_url" = "https://${domain}";
"server_name" = "${domain}";
};
};
};
};
};
# discord bridge
matrix-appservice-discord = {
enable = true;
environmentFile = /secrets/matrix-appservice-discord/tokens.env;
# The appservice is pre-configured to use SQLite by default.
# It's also possible to use PostgreSQL.
settings = {
bridge = {
domain = domain;
homeserverUrl = "https://${domain}";
}; };
}; };
}; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${webui_domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${webui_domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }
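Review bot: the new `locations."/_synapse"` proxies the whole `/_synapse` tree, which includes the admin API under `/_synapse/admin`, through the public vhost; restrict that prefix to the LAN and tailscale ranges (or leave it unproxied and use the admin API locally). The `return 404` block for `/` is commented out rather than removed; if the root is meant to fall through to nginx defaults now, delete the dead block instead of keeping it as a comment.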


@ -1,20 +1,24 @@
{ config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
domain = "minecraft.giugl.io"; domain = "minecraft.giugl.io";
network = import ./network.nix;
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in in
{ {
architect.firewall.openTCP = [ 25565 ];
services.minecraft-server = { services.minecraft-server = {
enable = true; enable = true;
eula = true; eula = true;
declarative = true; declarative = true;
package = pkgs.unstable.minecraft-server; package = pkgs.unstablePkgs.minecraft-server;
serverProperties = { motd = "Welcome on the RuNas server!"; }; serverProperties = { motd = "Welcome on the RuNas server!"; };
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -1,11 +1,17 @@
{ lib, ... }: { config, lib, pkgs, ... }:
let let
domain = "s3.giugl.io"; domain = "s3.giugl.io";
network = import ./network.nix;
in { utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services = { services = {
minio.enable = true; minio = {
enable = true;
package = pkgs.minio_legacy_fs;
};
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
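Review bot: `package = pkgs.minio_legacy_fs` pins MinIO to the last release with the legacy filesystem backend, which no longer receives upstream fixes; add a comment explaining why the migration to the current on-disk format was deferred and track it, since the allow list in the next hunk exposes the bucket to the whole LAN and tailnet.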
@ -13,8 +19,9 @@ in {
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:9000"; proxyPass = "http://127.0.0.1:9000";
extraConfig = '' extraConfig = ''
allow 10.0.0.0/24; client_max_body_size 500M;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg} allow ${config.architect.networks.lan.net};
allow ${config.architect.networks.tailscale.net};
deny all; deny all;
''; '';
}; };
@ -22,7 +29,7 @@ in {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
} }


@ -1,128 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let cfg = config.services.jellyfin;
in {
options = {
services.jellyfin = {
enable = mkEnableOption "Jellyfin Media Server";
user = mkOption {
type = types.str;
default = "jellyfin";
description = "User account under which Jellyfin runs.";
};
package = mkOption {
type = types.package;
default = pkgs.jellyfin;
example = literalExample "pkgs.jellyfin";
description = ''
Jellyfin package to use.
'';
};
group = mkOption {
type = types.str;
default = "jellyfin";
description = "Group under which jellyfin runs.";
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = ''
Open the default ports in the firewall for the media server. The
HTTP/HTTPS ports can be changed in the Web UI, so this option should
only be used if they are unchanged.
'';
};
};
};
config = mkIf cfg.enable {
systemd.services.jellyfin = {
description = "Jellyfin Media Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = rec {
User = cfg.user;
Group = cfg.group;
StateDirectory = "/jellyfin";
CacheDirectory = "/jellyfin/cache";
ExecStart =
"${cfg.package}/bin/jellyfin --datadir '/jellyfin' --cachedir '/jellyfin/cache'";
Restart = "on-failure";
# Security options:
NoNewPrivileges = true;
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# # ProtectClock= adds DeviceAllow=char-rtc r
# DeviceAllow = [
# "char-drm r"
# "/dev/nvidia0 r"
# "/dev/nvidiactl r"
# "/dev/nvidia-uvm r"
# "/dev/nvidia-uvm-tools r"
# ];
DeviceAllow = "";
LockPersonality = true;
PrivateTmp = true;
PrivateUsers = true;
# ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RemoveIPC = true;
RestrictNamespaces = true;
# # AF_NETLINK needed because Jellyfin monitors the network connection
RestrictAddressFamilies = [ "AF_NETLINK" "AF_INET" "AF_INET6" "AF_UNIX" ];
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallErrorNumber = "EPERM";
SystemCallFilter = [
"@system-service"
"~@cpu-emulation"
"~@debug"
"~@keyring"
"~@memlock"
"~@obsolete"
"~@privileged"
"~@setuid"
];
};
};
users.users = mkIf (cfg.user == "jellyfin") {
jellyfin = {
group = cfg.group;
isSystemUser = true;
};
};
users.groups = mkIf (cfg.group == "jellyfin") { jellyfin = { }; };
networking.firewall = mkIf cfg.openFirewall {
# from https://jellyfin.org/docs/general/networking/index.html
allowedTCPPorts = [ 8096 8920 ];
allowedUDPPorts = [ 1900 7359 ];
};
};
meta.maintainers = with lib.maintainers; [ minijackson ];
}
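Review bot: the deleted module carried an extensive sandbox for the Jellyfin unit (`NoNewPrivileges`, `CapabilityBoundingSet = ""`, `DeviceAllow = ""`, `SystemCallFilter` with `@system-service` minus `@privileged`/`@setuid`, `RestrictAddressFamilies`, `PrivateUsers`). Before relying on the upstream `services.jellyfin` module, check that it applies equivalent hardening; if it does not, port these directives into `systemd.services.jellyfin.serviceConfig` next to the `StateDirectory` override in `jellyfin.nix`.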


@ -1,13 +1,12 @@
{ lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
domain = "music.giugl.io"; domain = "music.giugl.io";
network = import ./network.nix;
library_path = "/media/Music"; library_path = "/media/Music";
beets_config = "/media/beets.conf"; beets_config = "/media/beets.conf";
in { in
services = { {
navidrome = { services.navidrome = {
enable = true; enable = true;
settings = { settings = {
@ -22,17 +21,13 @@ in {
}; };
}; };
nginx.virtualHosts.${domain} = { architect.vhost.${domain} = {
forceSSL = true; dnsInterfaces = [ "lan" "tailscale" ];
enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:4533"; port = 4533;
# extraConfig = '' allowLan = true;
# allow 10.0.0.0/24; allowWAN = true;
# ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg} # allow = [ config.architect.networks."tailscale".net ];
# deny all;
# '';
};
}; };
}; };
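Review bot: `allowWAN = true` together with the commented-out `allow = [ config.architect.networks."tailscale".net ]` makes Navidrome reachable from the internet with only its own login in front of it; if WAN access is intended, say so and delete the dead comment, otherwise set `allowWAN = false` and restore the allow list.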
@ -57,36 +52,32 @@ in {
ExecStart = ExecStart =
"${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}"; "${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}";
}; };
startAt = "daily"; startAt = "weekly";
};
"remove-badmp3" = {
enable = true;
before = [ "beets-import.service" "beets-update.service" ];
serviceConfig = {
Type = "oneshot";
ExecStart = ''
${pkgs.findutils}/bin/find ${library_path} -name "*.mp3" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "{}" | grep -Pi error 1>/dev/null && ${pkgs.busybox}/bin/rm "{}"' \;
'';
}; };
}; };
"remove-badflac" = { # "remove-badmp3" = {
enable = true; # enable = true;
before = [ "beets-import.service" "beets-update.service" ]; # before = [ "beets-import.service" "beets-update.service" ];
serviceConfig = { # serviceConfig = {
Type = "oneshot"; # Type = "oneshot";
ExecStart = '' # ExecStart = ''
${pkgs.findutils}/bin/find ${library_path} -name "*.flac" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.flac}/bin/flac -st "{}" || ${pkgs.busybox}/bin/rm "{}"' \; # ${pkgs.findutils}/bin/find ${library_path} -name "*.mp3" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "{}" | grep -Pi error 1>/dev/null && ${pkgs.busybox}/bin/rm "{}"' \;
''; # '';
}; # };
}; # };
};
networking.extraHosts = '' # "remove-badflac" = {
${network.architect-lan} ${domain} # enable = true;
${network.architect-wg} ${domain} # before = [ "beets-import.service" "beets-update.service" ];
''; # serviceConfig = {
# Type = "oneshot";
# ExecStart = ''
# ${pkgs.findutils}/bin/find ${library_path} -name "*.flac" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.flac}/bin/flac -st "{}" || ${pkgs.busybox}/bin/rm "{}"' \;
# '';
# };
# };
# };
users.groups.media.members = [ "navidrome" ]; users.groups.media.members = [ "navidrome" ];
} }
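Review bot: the `remove-badmp3` and `remove-badflac` units are commented out rather than removed; both deleted files from `${library_path}` whenever a validation run failed (`... || ${pkgs.busybox}/bin/rm "{}"`), so disabling them is a good call, but the dead block should go entirely instead of staying as a wall of comments.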


@ -0,0 +1,26 @@
{ config, pkgs, ... }:
let
domain = "monitor.giugl.io";
in
{
services.netdata = {
enable = true;
package = pkgs.unstablePkgs.netdata;
config = {
db.mode = "dbengine";
};
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
port = 19999;
allowLan = true;
allow = [
tailscale.net
];
};
};
}


@ -1,75 +0,0 @@
rec {
# interfaces
wan-if = "enp5s0";
vpn-if = "wg0";
proxy-if = "proxy";
docker-if = "docker0";
# nets
lan-net = "10.0.0.0/24";
vpn-net = "10.3.0.0/24";
proxy-net = "10.4.0.0/24";
external_lan-net = "192.168.1.0/24";
docker-net = "172.17.0.0/16";
# ips
dvr-lan = "10.0.0.2";
nas-lan = "10.0.0.3";
architect-lan = "10.0.0.250";
proxy-wg = "10.4.0.1";
architect-wg = "10.3.0.1";
galuminum-wg = "10.3.0.2";
oneplus-wg = "10.3.0.3";
ipad-wg = "10.3.0.4";
manduria-wg = "10.3.0.5";
antonio-wg = "10.3.0.6";
gbeast-wg = "10.3.0.7";
parisaphone-wg = "10.3.0.8";
parisapc-wg = "10.3.0.9";
peppiniell-wg = "10.3.0.10";
padulino-wg = "10.3.0.11";
shield-wg = "10.3.0.12";
pepos-wg = "10.3.0.15";
salvatore-wg = "10.3.0.16";
papa-wg = "10.3.0.17";
defy-wg = "10.3.0.18";
germano-wg = "10.3.0.19";
flavio-wg = "10.3.0.20";
tommy-wg = "10.3.0.21";
alain-wg = "10.3.0.22";
dima-wg = "10.3.0.23";
mikey-wg = "10.3.0.24";
andrew-wg = "10.3.0.25";
mikeylaptop-wg = "10.3.0.26";
andrewdesktop-wg = "10.3.0.27";
jacopo-wg = "10.3.0.28";
frznn-wg = "10.3.0.29";
ludo-wg = "10.3.0.30";
parina-wg = "10.3.0.31";
nilo-wg = "10.3.0.32";
parina-ipad-wg = "10.3.0.33";
kclvm-wg = "10.3.0.34";
eleonora-wg = "10.3.0.100";
angellane-wg = "10.3.0.203";
hotpottino-wg = "10.3.0.201";
dodino-wg = "10.3.0.202";
# groups
gdevices-wg =
[ galuminum-wg oneplus-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ]
++ gdevices-wg ++ routers-wg;
gamenet-wg = [
andrew-wg
galuminum-wg
gbeast-wg
mikey-wg
andrewdesktop-wg
mikeylaptop-wg
flavio-wg
salvatore-wg
];
}


@ -1,14 +1,51 @@
{ pkgs, ... }: { pkgs, config, lib, ... }:
let let
domain = "cloud.giugl.io"; domain = "cloud.giugl.io";
network = import ./network.nix;
redis_port = 6379; redis_port = 6379;
in {
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
age.secrets = {
nextcloud-admin = {
file = ../../secrets/nextcloud-admin.age;
owner = "nextcloud";
group ="nginx";
};
nextcloud-database = {
file = ../../secrets/nextcloud-database.age;
owner = "nextcloud";
group = "nginx";
};
};
environment.systemPackages = with pkgs; [
nodejs-18_x
libtensorflow
ffmpeg
];
services = { services = {
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
extraConfig = ''
aio threads;
directio 1M;
output_buffers 3 1M;
sendfile on;
sendfile_max_chunk 0;
autoindex on;
'';
};
mysql = { mysql = {
enable = true; enable = true;
package = pkgs.unstable.mysql80; package = pkgs.mariadb_1011;
}; };
redis = { redis = {
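Review bot: `autoindex on;` in the new vhost `extraConfig` turns on nginx directory listings for the Nextcloud host, so any path nginx serves directly without an index file would list its contents; drop it unless a listing is deliberately wanted. Two smaller points: `group ="nginx";` is missing the space before `=` (compare the `nextcloud-database` block a few lines below), and `nodejs-18_x` is a Node release line that reaches end of life in April 2025, so it should move to a supported LTS or be removed if the Nextcloud apps that needed it no longer do. Note also that `pkgs.unstable.mysql80` to `pkgs.mariadb_1011` is an engine change, not a version bump: MariaDB cannot open a MySQL 8 data directory in place, so the existing data needs a dump and restore.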
@ -23,8 +60,9 @@ in {
enable = true; enable = true;
hostName = domain; hostName = domain;
https = true; https = true;
package = pkgs.unstable.nextcloud25; package = pkgs.nextcloud30;
datadir = "/services/nextcloud";
configureRedis = true;
caching = { caching = {
redis = true; redis = true;
}; };
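Review bot: the package jump from `nextcloud25` straight to `nextcloud30` skips four major releases, and Nextcloud only supports upgrading one major version at a time, so an existing instance will refuse this upgrade; step the package through 26, 27, 28 and 29 with a rebuild at each. `datadir = "/services/nextcloud"` must match where the current data actually lives, otherwise the rebuilt service comes up as an empty instance rather than failing.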
@ -32,16 +70,19 @@ in {
autoUpdateApps.enable = true; autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00"; autoUpdateApps.startAt = "05:00:00";
maxUploadSize = "50G";
settings = {
overwriteprotocol = "https";
};
config = { config = {
overwriteProtocol = "https";
dbtype = "mysql"; dbtype = "mysql";
dbuser = "oc_giulio2"; dbuser = "nextcloud";
dbhost = "localhost"; dbhost = "localhost";
dbname = "nextcloud_final"; dbname = "nextcloud";
dbpassFile = "/secrets/nextcloud/dbpass.txt"; dbpassFile = config.age.secrets.nextcloud-database.path;
adminpassFile = "/secrets/nextcloud/adminpass.txt"; adminpassFile = config.age.secrets.nextcloud-admin.path;
adminuser = "giulio";
extraTrustedDomains = [ "${domain}" ];
}; };
}; };
}; };
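Review bot: `dbuser`/`dbname` change from `oc_giulio2`/`nextcloud_final` to `nextcloud`/`nextcloud`, which points the service at a different database than the one holding the current data unless that database is created and the data imported first (the same dump/restore step the MySQL-to-MariaDB switch in the first hunk already needs). Moving the admin and DB passwords from plaintext files under `/secrets/` to agenix-managed `config.age.secrets.*.path` is the right direction. Removing `adminuser = "giulio"` lets the module default apply, so confirm that default matches the existing admin account before the first rebuild, and `overwriteprotocol` correctly moves into `settings` now that `config.overwriteProtocol` is gone.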
@ -52,12 +93,8 @@ in {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
};
} }

View File

@ -1,9 +1,13 @@
{ services, pkgs, lib, ... }: { services, pkgs, lib, ... }:
{ {
architect.firewall = {
openTCP = [ 80 443 ];
};
services.nginx = { services.nginx = {
enable = true; enable = true;
package = pkgs.openresty; package = pkgs.nginx;
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
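Review bot: switching `package` from `pkgs.openresty` to `pkgs.nginx` removes the Lua runtime that the OIDC `access_by_lua_block` in openid.nix depended on, so every vhost that used `auth_block` (nzbget, radarr and sonarr in this changeset) loses its login-and-role check and keeps only IP allowlisting; that may be intended, but it deserves a sentence in the commit message or a comment here rather than being implied by a package swap. `architect.firewall.openTCP = [ 80 443 ]` is the expected opening for ACME and the vhosts.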
@ -12,7 +16,7 @@
virtualHosts."architect.devs.giugl.io" = { virtualHosts."architect.devs.giugl.io" = {
default = true; default = true;
enableACME = true; enableACME = true;
addSSL = true; forceSSL = true;
root = "/var/lib/nginx/error_pages"; root = "/var/lib/nginx/error_pages";
extraConfig = "error_page 404 /index.htm;"; extraConfig = "error_page 404 /index.htm;";
@ -26,48 +30,65 @@
"/wat.jpg" = { }; "/wat.jpg" = { };
}; };
}; };
appendHttpConfig = let
extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc
lua-resty-http
lua-resty-session
lua-resty-jwt
lua-resty-openssl
];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in ''
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# cache for OIDC discovery metadata # appendHttpConfig =
lua_shared_dict discovery 1m; # let
lua_shared_dict jwks 1m; # extraPureLuaPackages = with pkgs.luajitPackages; [
# lua-resty-openidc
# lua-resty-http
# lua-resty-session
# lua-resty-jwt
# lua-resty-openssl
# ];
# luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
# makeLuaPath = lib.concatMapStringsSep ";" luaPath;
# in
# ''
# # https://stackoverflow.com/questions/38931468/nginx-reverse-proxy-error14077438ssl-ssl-do-handshake-failed
# proxy_ssl_server_name on;
# https://github.com/openresty/lua-resty-redis/issues/159 # lua_package_path '${makeLuaPath extraPureLuaPackages};;';
resolver local=on ipv6=off; # lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# lua_ssl_verify_depth 5;
init_worker_by_lua_block { # # cache for OIDC discovery metadata
function check_role (res, role) # lua_shared_dict discovery 1m;
if res.user.roles == nil then # lua_shared_dict jwks 1m;
return false
end
for _,v in pairs(res.user.roles) do # # https://github.com/openresty/lua-resty-redis/issues/159
if string.lower(v) == role then # resolver local=on ipv6=off;
return true
end
end
return false # init_worker_by_lua_block {
end # function check_role (res, role)
} # if res.user.roles == nil then
''; # return false
# end
# for _,v in pairs(res.user.roles) do
# if string.lower(v) == role then
# return true
# end
# end
# return false
# end
# function is_ip_whitelisted(ip, whitelist)
# for _, x in ipairs(whitelist) do
# if ip == x then
# return true
# end
# end
# return false
# end
# }
# '';
appendConfig = '' appendConfig = ''
worker_processes 24; worker_processes 24;
''; '';
}; };
users.groups.acme.members = [ "nginx" ]; users.groups.acme.members = [ "nginx" ];
} }
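Review bot: the entire `appendHttpConfig` block is kept as a comment instead of being deleted, including a new `is_ip_whitelisted` helper that was never live; commented-out code drifts away from the real module (the `resolver local=on ipv6=off;` and `lua_*` directives are OpenResty-only and would not parse under `pkgs.nginx` anyway), and git history already preserves it. Delete it, or move the OIDC setup into its own module that is only imported when the package is OpenResty. `worker_processes 24;` in `appendConfig` is unchanged but would benefit from a comment tying it to the host's core count.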

View File

@ -1,33 +0,0 @@
{ lib, pkgs, ... }:
let
domain = "tweet.giugl.io";
network = import ./network.nix;
in {
services = {
nitter = {
enable = true;
redisCreateLocally = false;
server = {
port = 9093;
hostname = domain;
staticDir = "${pkgs.unstable.nitter}/share/nitter/public";
};
preferences = {
replaceYouTube = "tube.giugl.io";
replaceTwitter = "tweet.giugl.io";
};
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = { proxyPass = "http://127.0.0.1:9093"; };
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}

View File

@ -1,32 +1,24 @@
{ lib, ... }: { config, ... }:
let let
domain = "htnzb.giugl.io"; domain = "htnzb.giugl.io";
network = import ./network.nix; in
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; {
in { services.nzbget = {
services = {
nzbget = {
enable = true; enable = true;
group = "media"; group = "media";
}; };
nginx.virtualHosts.${domain} = { architect.vhost.${domain} = with config.architect.networks; {
forceSSL = true; dnsInterfaces = [ "tailscale" "lan" ];
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:6789";
extraConfig = auth_block {
access_role = "nzbget";
};
};
};
};
networking.extraHosts = '' locations."/" = {
${network.architect-lan} ${domain} port = 6789;
${network.architect-wg} ${domain} allowLan = true;
'';
allow = [ tailscale.net ];
};
};
users.groups.media.members = [ "nzbget" ]; users.groups.media.members = [ "nzbget" ];
} }
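Review bot: the `extraConfig = auth_block { access_role = "nzbget"; }` line goes away without a replacement, so access to NZBGet now rests only on the nginx allow list (`allowLan` plus `tailscale.net`) and on whatever authentication NZBGet itself enforces. Make sure NZBGet's built-in control username and password are set to non-default values before this merges, since everyone on the LAN and every node in the tailnet's `100.64.0.0/10` range now reaches the web UI directly.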

View File

@ -2,36 +2,49 @@
{ {
openresty_oidc_block = openresty_oidc_block =
{ access_role ? "" }: '' { access_role ? "", whitelisted_ips ? [ ] }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
client_id = "nginx",
client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
logout_path = "/logout",
redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true
}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
}
''; '';
# access_by_lua_block {
# local opts = {
# discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
# client_id = "nginx",
# client_secret = "9C6BYxPhTbrRS4DIwd3Smk7e11ABmnt8",
# logout_path = "/logout",
# redirect_after_logout_uri = "/",
# redirect_uri = "/redirect_uri",
# keepalive = "yes",
# accept_none_alg = true,
# revoke_tokens_on_logout = true,
# -- access token valid for a day
# access_token_expires_in = 86400
# }
# ${lib.optionalString (whitelisted_ips != []) ''
# local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
# if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
# return
# end
# ''}
# -- call introspect for OAuth 2.0 Bearer Access Token validation
# local res, err = require("resty.openidc").authenticate(opts)
# if err then
# ngx.status = 403
# ngx.say(err)
# ngx.exit(ngx.HTTP_FORBIDDEN)
# end
# ${lib.optionalString (access_role != "") ''
# if not check_role(res, "${access_role}") then
# ngx.status = 401
# ngx.header.content_type = 'text/html';
# ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
# ngx.exit(ngx.HTTP_UNAUTHORIZED)
# end
# ''}
# }
# '';
} }
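Review bot: the OIDC `client_secret` is a literal in this file, both in the removed lines and in the commented copy that remains, which means it is committed to the repository and was written into the world-readable Nix store as part of the generated nginx config whenever the block was active; rotate the `nginx` client secret in Keycloak and, if the block is ever re-enabled, load it from an agenix secret the way nextcloud.nix does in this changeset. Two more things to fix before any re-enable: `accept_none_alg = true` tells lua-resty-openidc to accept unsigned (`alg: none`) ID tokens, which defeats token verification and should go, and the new `whitelisted_ips` early `return` skips `authenticate()` entirely based on `ngx.var.remote_addr`, so it becomes spoofable the moment nginx is configured to trust a forwarded-address header. As with nginx.nix, leaving the whole block commented out is worse than deleting it.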

148
hosts/architect/options.nix Normal file
View File

@ -0,0 +1,148 @@
{ config, lib, ... }:
with lib;
{
options.architect = {
firewall = {
openTCP = mkOption {
type = types.listOf types.int;
default = [ ];
};
openUDP = mkOption {
type = types.listOf types.int;
default = [ ];
};
};
networks = mkOption {
type = types.attrsOf (types.submodule {
options = {
interface = mkOption {
type = types.str;
description = "The network interface name.";
};
net = mkOption {
type = types.str;
description = "The network address in CIDR format.";
};
devices = mkOption {
type = types.attrsOf (types.submodule {
options = {
address = mkOption {
type = types.str;
description = "The IP address of the device.";
};
hostname = mkOption {
type = types.str;
description = "The hostname of the device.";
};
};
});
default = { };
description = "An attribute set of devices with their configurations.";
};
};
});
default = { };
description = "An attribute set of networks with their configurations.";
};
vhost = mkOption {
type = types.attrsOf (types.submodule {
options = {
dnsInterfaces = mkOption {
type = types.listOf types.str;
default = [ ];
description = "List of interfaces to add extra DNS hosts for this vhost.";
};
locations = mkOption {
type = types.attrsOf (types.submodule {
options = {
extraConfig = mkOption {
type = types.str;
description = "Extra configuration for the location.";
default = "";
};
allowLan = mkOption {
type = types.bool;
default = false;
};
proxyWebsockets = mkOption {
type = types.bool;
default = false;
};
host = mkOption {
type = types.str;
description = "The host for the location.";
default = "127.0.0.1";
};
port = mkOption {
type = types.int;
description = "The port number for the location.";
};
allow = mkOption {
type = types.listOf types.str;
default = [ ];
description = "IP address or CIDR block to allow.";
};
path = mkOption {
type = types.str;
default = "";
};
recommendedProxySettings = mkOption {
type = types.bool;
default = true;
description = "Force the use of recommended proxy configuration.";
};
allowWAN = mkOption {
type = types.bool;
default = false;
description = "If set to false, deny all WAN traffic.";
};
};
});
default = { };
description = "An attribute set of location configurations.";
};
};
});
default = { };
description = "An attribute set of domain configurations.";
};
};
# TODO: move to nginx
config = {
services.nginx.virtualHosts = mapAttrs
(domain: conf: {
forceSSL = true;
useACMEHost= "giugl.io";
locations = mapAttrs
(path: location: {
proxyPass = "http://${location.host}:${toString location.port}${location.path}";
proxyWebsockets = location.proxyWebsockets;
recommendedProxySettings = location.recommendedProxySettings;
extraConfig = ''
${concatMapStringsSep "\n" (allowCIDR: "allow ${allowCIDR};") location.allow}
${optionalString location.allowLan ''allow ${config.architect.networks."lan".net};''}
${optionalString (!location.allowWAN) "deny all;"}
'' + location.extraConfig;
})
conf.locations;
})
config.architect.vhost;
};
}
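Review bot: the generated access rules emit `deny all;` only when `allowWAN` is false, so with `allowWAN = true` every `allow` entry and `allowLan` silently becomes a no-op (searx.nix in this changeset sets all three together); either document that `allow` and `allowLan` are ignored when `allowWAN` is true, or add an assertion that rejects the combination. Related ordering issue: `location.extraConfig` is appended after the generated `deny all;`, and nginx evaluates `allow`/`deny` directives in order, so an `allow` a caller places in `extraConfig` never takes effect; say so in the `extraConfig` description. Smaller points: `useACMEHost= "giugl.io"` is missing a space and assumes the `giugl.io` certificate covers every vhost domain; `openTCP`, `openUDP` and `port` could use `types.port` rather than `types.int`; `allow`'s description says "IP address or CIDR block" although the type is a list; and `allowLan`, `proxyWebsockets`, `path`, `openTCP` and `openUDP` have no `description` at all.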

View File

@ -1,13 +0,0 @@
{ ... }:
{
virtualisation.oci-containers.containers."overseerr" = {
image = "sctx/overseerr:latest";
volumes = [ "/var/lib/overseerr:/app/config" ];
environment = {
"LOG_LEVEL" = "debug";
"TZ" = "Europe/Rome";
};
#ports = [ "5055:5055" ];
};
}

View File

@ -0,0 +1,37 @@
{ config, pkgs, lib, ... }:
let
domain = "photos.giugl.io";
in
{
services.photoprism = {
enable = true;
package = pkgs.unstablePkgs.photoprism;
originalsPath = "/var/lib/private/photoprism/originals";
address = "0.0.0.0";
settings = {
PHOTOPRISM_DEFAULT_LOCALE = "en";
PHOTOPRISM_DATABASE_DRIVER = "mysql";
PHOTOPRISM_DATABASE_NAME = "photoprism";
PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
PHOTOPRISM_DATABASE_USER = "photoprism";
PHOTOPRISM_SITE_URL = "https://${domain}";
PHOTOPRISM_SITE_TITLE = "PePrism";
PHOTOPRISM_FFMPEG_ENCODER = "nvidia";
PHOTOPRISM_INIT = "tensorflow";
NVIDIA_VISIBLE_DEVICES = "all";
NVIDIA_DRIVER_CAPABILITIES = "compute,video,utility";
PHOTOPRISM_FFMPEG_BIN = "${pkgs.ffmpeg}/bin/ffmpeg";
};
};
architect.vhost.${domain} = {
dnsInterfaces = [ "tailscale" "lan" ];
locations."/" = {
port = config.services.photoprism.port;
allowLan = true;
allow = [ config.architect.networks."tailscale".net ];
proxyWebsockets = true;
};
};
}
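Review bot: `address = "0.0.0.0"` makes PhotoPrism listen on every interface, so the `allowLan`/`allow` restrictions on the `photos.giugl.io` vhost only cover requests that arrive through nginx; anything that can reach `config.services.photoprism.port` directly bypasses them unless the firewall closes that port (it is not in `architect.firewall.openTCP` here, so this depends on the default firewall policy). Since the vhost's `host` defaults to `127.0.0.1` in options.nix, binding the service to loopback costs nothing. `PHOTOPRISM_DATABASE_SERVER` points at the MariaDB unix socket with no password shown, so confirm a socket-authenticated grant for the `photoprism` user exists (for example via `services.mysql.ensureUsers`).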

View File

@ -1,39 +1,36 @@
{ pkgs, lib, ... }: { pkgs, config, ... }:
let let
domain = "media.giugl.io"; domain = "media.giugl.io";
network = import ./network.nix; port = 32400;
in { in
{
architect.firewall = {
openTCP = [ 32400 3005 8324 32469 ];
openUDP = [ 1900 5353 32410 32412 32413 32414 ];
};
services.plex = { services.plex = {
enable = true; enable = true;
package = pkgs.unstable.plex; package = pkgs.unstablePkgs.plex;
dataDir = "/plex"; dataDir = "/plex";
}; };
services.nginx = { architect.vhost.${domain} = with config.architect.networks; {
enable = true; dnsInterfaces = [ "lan" "tailscale" ];
# give a name to the virtual host. It also becomes the server name. locations = {
virtualHosts.${domain} = { "/" = {
forceSSL = true; inherit port;
enableACME = true;
http2 = true;
extraConfig = ''
allow 10.3.0.0/24;
allow 10.0.0.0/24;
deny all;
proxyWebsockets = true;
allowLan = true;
allow = [
tailscale.net
];
extraConfig = ''
#Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m; send_timeout 100m;
# Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# Forward real ip and host to Plex # Forward real ip and host to Plex
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
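Review bot: dropping `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` and the long `ssl_ciphers` list (which still admitted 3DES and CBC suites) is a clear improvement, since the vhost now inherits the module's TLS defaults. Two access-scope changes to call out explicitly: the old `allow 10.3.0.0/24` WireGuard range becomes `tailscale.net`, i.e. all of `100.64.0.0/10`, and `architect.firewall.openTCP = [ 32400 3005 8324 32469 ]` exposes Plex's own ports directly, so the nginx allow list is no longer the only way in; that is acceptable given Plex's own authentication, but it should be stated in a comment.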
@ -68,24 +65,15 @@ in {
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model; proxy_set_header X-Plex-Model $http_x_plex_model;
# Websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Buffering off send to the client as soon as the data is received from Plex. # Buffering off send to the client as soon as the data is received from Plex.
proxy_redirect off; proxy_redirect off;
proxy_buffering off; proxy_buffering off;
'';
locations."/" = { proxyPass = "http://127.0.0.1:32400"; };
};
};
networking.extraHosts = '' add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
''; '';
};
};
};
users.groups.media.members = [ "plex" ]; users.groups.media.members = [ "plex" ];
} }

View File

@ -0,0 +1,8 @@
{ pkgs, lib, ... }:
{
services.postgresql = {
enable = true;
package = lib.mkForce pkgs.postgresql;
};
}
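Review bot: `lib.mkForce pkgs.postgresql` overrides the `stateVersion`-derived default package, so if the cluster under `services.postgresql.dataDir` was initialised by an older major release the server will refuse to start until the data is migrated (`pg_upgrade` or dump and restore); a comment explaining why the force is needed and which major is expected would help the next reader.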

View File

@ -4,20 +4,26 @@ let
domain = "xmpp.giugl.io"; domain = "xmpp.giugl.io";
conference_domain = "conference.${domain}"; conference_domain = "conference.${domain}";
upload_domain = "uploads.${domain}"; upload_domain = "uploads.${domain}";
network = import ./network.nix;
in { utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
architect.firewall = {
openTCP = [ 5222 5269 ];
};
services = { services = {
prosody = { prosody = {
enable = true; enable = true;
virtualHosts = { virtualHosts.${domain} = {
"${domain}" = { inherit domain;
domain = domain;
enabled = true; enabled = true;
ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem"; ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem";
ssl.cert = ssl.cert =
"${config.security.acme.certs.${domain}.directory}/fullchain.pem"; "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
}; };
};
muc = [{ domain = conference_domain; }]; muc = [{ domain = conference_domain; }];
uploadHttp = { domain = upload_domain; }; uploadHttp = { domain = upload_domain; };
@ -26,15 +32,20 @@ in {
#httpInterfaces = [ "wg0" ]; #httpInterfaces = [ "wg0" ];
#httpsInterfaces = [ "wg0" ]; #httpsInterfaces = [ "wg0" ];
}; };
nginx.virtualHosts = {
"${domain}" = {
enableACME = true;
forceSSL = true;
};
# "${conference_domain}".enableACME = true;
# "${upload_domain}".enableACME = true;
};
}; };
services.nginx.virtualHosts."${domain}".enableACME = true;
#services.nginx.virtualHosts."${conference_domain}".enableACME = true;
#services.nginx.virtualHosts."${upload_domain}".enableACME = true;
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${architectInterfaceAddress "lan"} ${domain}
${network.architect-wg} ${domain} ${architectInterfaceAddress "tailscale"} ${domain}
''; '';
users.groups = { users.groups = {

View File

@ -1,38 +1,28 @@
{ lib, ... }: { config, pkgs, ... }:
let let
domain = "htpro.giugl.io"; domain = "htpro.giugl.io";
network = import ./network.nix; in
in { {
services = { services.prowlarr = {
prowlarr.enable = true; enable = true;
package = pkgs.unstablePkgs.prowlarr;
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "tailscale" "lan" ];
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:9696"; port = 9696;
extraConfig = '' allowLan = true;
allow 10.0.0.0/24; proxyWebsockets=true;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all; allow = [
''; tailscale.net
];
}; };
# locations."/api" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/api";
# };
#
# locations."/Content" = {
# proxyPass = "http://127.0.0.1:9696/prowlarr/Content";
# };
}; };
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "prowlarr" ]; users.groups.media.members = [ "prowlarr" ];
} }
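Review bot: the allow list changes from `10.0.0.0/24` plus the enumerated `network.gdevices-wg` peers (a handful of named WireGuard addresses) to `allowLan` plus `tailscale.net`, which tailscale.nix defines as the whole `100.64.0.0/10` range, so the set of hosts that can reach Prowlarr grows from a short explicit list to every tailnet node; consider generating the entries from `architect.networks.tailscale.devices` instead, or rely on Tailscale ACLs for per-host policy. Style: `proxyWebsockets=true;` is missing the spaces around `=` (compare `allowLan = true;` just above it).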

View File

@ -1,32 +1,26 @@
{ lib, ... }: { config, pkgs, ... }:
let let
domain = "htrad.giugl.io"; domain = "htrad.giugl.io";
network = import ./network.nix; in
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; {
in { services.radarr = {
services = {
radarr = {
enable = true; enable = true;
package = pkgs.unstablePkgs.radarr;
group = "media"; group = "media";
}; };
nginx.virtualHosts.${domain} = { architect.vhost.${domain} = with config.architect.networks; {
forceSSL = true; dnsInterfaces = [ "tailscale" "lan" ];
enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:7878"; port = 7878;
extraConfig = auth_block { allowLan = true;
access_role = "radarr";
};
};
};
};
networking.extraHosts = '' allow = [
${network.architect-lan} ${domain} tailscale.net
${network.architect-wg} ${domain} ];
''; };
};
users.groups.media.members = [ "radarr" ]; users.groups.media.members = [ "radarr" ];
} }
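Review bot: as in nzbget.nix, the `auth_block { access_role = "radarr"; }` OIDC check is removed without replacement, leaving `allowLan` and `tailscale.net` as the only gate. Radarr's own authentication offers a "disabled for local addresses" mode, and because the vhost proxies from `127.0.0.1` every request now looks local to it, so verify that authentication is set to required for all addresses before merging.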

View File

@ -0,0 +1,29 @@
{ config, pkgs, ... }:
let
domain = "reddit.giugl.io";
in
{
systemd.services.redlib.environment = {
REDLIB_ROBOTS_DISABLE_INDEXING = "on";
REDLIB_DEFAULT_THEME = "dracula";
REDLIB_DEFAULT_SHOW_NSFW = "on";
REDLIB_DEFAULT_BLUR_NSFW = "off";
REDLIB_DEFAULT_USE_HLS = "on";
REDLIB_DEFAULT_HIDE_HLS_NOTIFICATION = "on";
};
services.redlib = {
enable = true;
port = 9090;
package = pkgs.unstablePkgs.redlib;
};
architect.vhost.${domain} = {
dnsInterfaces = [ "lan" "tailscale" ];
locations."/" = {
port = config.services.redlib.port;
allowWAN = true;
};
};
}
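Review bot: `allowWAN = true` with no `allow` list publishes `reddit.giugl.io` to the internet, presumably the intent for a Redlib front end, but the generated vhost adds no rate limiting and `REDLIB_ROBOTS_DISABLE_INDEXING = "on"` only asks well-behaved crawlers to stay away; a `limit_req` zone in the location's `extraConfig` would keep scripted scraping from turning the instance into a relay. `port = 9090` is consumed via `config.services.redlib.port`, which keeps the two in sync; good.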

48
hosts/architect/runas.nix Normal file
View File

@ -0,0 +1,48 @@
{ config, pkgs, lib, ... }:
let
domain = "runas.rocks";
runas_root = "/var/lib/runas.rocks/dist";
service_name = "runas.rocks-pull";
mkStartScript = name: pkgs.writeShellScript "${name}.sh" ''
set -euo pipefail
cd ${runas_root}
git pull origin main --rebase
'';
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) architectInterfaceAddress;
in
{
services.nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/".root = runas_root;
locations."/.git" = { return = "404"; };
};
systemd = {
services.${service_name} = {
path = [ pkgs.git ];
enable = true;
serviceConfig = {
Type = "oneshot";
ExecStart = mkStartScript "${service_name}";
};
};
timers.${service_name} = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "hourly";
Unit = "${service_name}.service";
};
};
};
networking.extraHosts = ''
${architectInterfaceAddress "lan"} ${domain}
${architectInterfaceAddress "tailscale"} ${domain}
'';
}
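Review bot: `runas.rocks-pull` is a system service with no `User=`, so `git pull origin main --rebase` runs as root inside a checkout that is also nginx's document root; run it as a dedicated unprivileged user that owns `runas_root`, and prefer `git pull --ff-only` so a diverged history fails loudly under `set -euo pipefail` instead of leaving the checkout mid-rebase. `locations."/.git" = { return = "404"; }` is a prefix match and therefore also covers `/.git/config` and friends, but keeping the `.git` directory out of `runas_root` altogether (check out elsewhere and publish only the built `dist/`) removes the need for that rule.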

View File

@ -1,49 +0,0 @@
#!/bin/sh
EASYLIST_HOSTSNAME="easylist_hosts.txt"
EASYPRIVACY_HOSTSNAME="easyprivacy_hosts.txt"
STEVENBLACK_HOSTSNAME="stevenblack_hosts.txt"
get_easylist() {
EASYLIST_URL="https://raw.githubusercontent.com/easylist/easylist/master/easylist/easylist_adservers.txt"
tmpfile=`mktemp`
# download easylist
${pkgs.wget}/bin/wget $EASYLIST_URL -O $tmpfile
# remove IP addresses and prepend 0.0.0.0 to create hosts file
cat $tmpfile | egrep -v "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -oP "^\|\|(\K[a-zA-Z0-9\.\-]+)" | ${pkgs.gawk}/bin/gawk '{print "0.0.0.0 " $0}' > $EASYLIST_HOSTSNAME
}
get_easyprivacy() {
EASYLIST_URL="https://raw.githubusercontent.com/easylist/easylist/master/easyprivacy/easyprivacy_trackingservers.txt"
tmpfile=`mktemp`
# download easylist
${pkgs.wget}/bin/wget $EASYLIST_URL -O $tmpfile
# remove IP addresses and prepend 0.0.0.0 to create hosts file
cat $tmpfile | egrep -v "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -oP "^\|\|(\K[a-zA-Z0-9\.\-]+)" | ${pkgs.gawk}/bin/gawk '{print "0.0.0.0 " $0}' > $EASYPRIVACY_HOSTSNAME
}
get_stevenblack() {
STEVENBLACK_URL="https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts"
${pkgs.wget}/bin/wget $STEVENBLACK_URL -O $STEVENBLACK_HOSTSNAME
}
get_easylist
get_easyprivacy
get_stevenblack
# create unified file
cat *hosts.txt | sort | uniq | grep "^0" > /etc/adblock_hosts
rm $EASYLIST_HOSTSNAME $STEVENBLACK_HOSTSNAME

64
hosts/architect/searx.nix Normal file
View File

@ -0,0 +1,64 @@
{ config, pkgs, ... }:
let
domain = "search.giugl.io";
in
{
services = {
redis.servers."searx" = { enable = true; port = 4456; };
searx = {
enable = true;
package = pkgs.unstablePkgs.searxng;
environmentFile = /secrets/searx/env;
settings = {
server = {
secret_key = "@SEARX_SECRET_KEY@";
port = 4455;
};
general = {
instance_name = "PepoSearch";
contact_url = "mailto:search@depasquale.giugl.io";
enable_metrics = true;
};
search = {
safe_search = 0;
autocomplete = "google";
prefer_configured_language = false;
formats = [ "html" "json"];
};
ui = {
infinite_scroll = true;
query_in_title = true;
results_on_new_tab = true;
theme_args.simple_style = "dark";
};
redis.url = "redis://127.0.0.1:${toString config.services.redis.servers."searx".port}";
engines = [
{ name = "google"; disabled = false; }
{ name = "bing"; disabled = false; }
{ name = "qwant"; disabled = true; }
{ name = "brave"; disabled = true; }
{ name = "duckduckgo"; disabled = false; }
];
};
};
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "tailscale" ];
locations."/" = {
port = config.services.searx.settings.server.port;
allowLan = true;
allowWAN = true;
allow = [
tailscale.net
];
};
};
}
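Review bot: `allowWAN = true` combined with `allowLan = true` and `allow = [ tailscale.net ]` is contradictory under options.nix, where `deny all;` is only emitted when `allowWAN` is false, so the two allow entries are dead and the instance is simply public; drop them or drop `allowWAN`. Since it is public and also serves `json`, enable SearXNG's request `limiter` (it uses the Redis server configured here) and reconsider `enable_metrics = true`, which exposes `/stats` to everyone. `environmentFile = /secrets/searx/env;` should be a quoted string rather than a Nix path literal: a path value is copied into the world-readable store if it is ever interpolated into a string, which would publish the `SEARX_SECRET_KEY` it carries.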

View File

@ -1,32 +1,26 @@
{ lib, ... }: { config, pkgs, ... }:
let let
domain = "htson.giugl.io"; domain = "htson.giugl.io";
network = import ./network.nix; in
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; {
in { services.sonarr = {
services = {
sonarr = {
enable = true; enable = true;
group = "media"; group = "media";
package = pkgs.unstablePkgs.sonarr;
}; };
nginx.virtualHosts.${domain} = { architect.vhost.${domain} = with config.architect.networks; {
forceSSL = true; dnsInterfaces = [ "tailscale" "lan" ];
enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8989"; port = 8989;
extraConfig = auth_block { allowLan = true;
access_role = "sonarr"; allow = [
tailscale.net
];
}; };
}; };
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "sonarr" ]; users.groups.media.members = [ "sonarr" ];
} }
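Review bot: same downgrade as radarr.nix and nzbget.nix: `auth_block { access_role = "sonarr"; }` is gone and only the IP allow list remains, while the proxy makes every request look local to Sonarr (`host` defaults to `127.0.0.1`), so Sonarr's own authentication must be required for all addresses, not only remote ones. If retiring the OIDC layer together with OpenResty is intentional across the three *arr modules, one sentence in the commit message saying so would make the history clear.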

View File

@ -0,0 +1,210 @@
{ config, pkgs, ... }:
let
user = "sunshine";
resolutionScript = pkgs.writeTextFile {
name = "sunshine-resolution-script";
text = ''
#!${pkgs.bash}/bin/bash
width=''${1:-1280}
height=''${2:-720}
refresh_rate=''${3:-120}
# Get the modeline info from the 2nd row in the cvt output
modeline=$(${pkgs.xorg.libxcvt}/bin/cvt ''${width} ''${height} ''${refresh_rate} | ${pkgs.gawk}/bin/gawk 'FNR == 2')
xrandr_mode_str=''${modeline//Modeline \"*\" /}
mode_alias="''${width}x''${height}"
echo "xrandr setting new mode ''${mode_alias} ''${xrandr_mode_str}"
# Check if mode exists before trying to remove it
if ${pkgs.xorg.xrandr}/bin/xrandr --listmodes | grep -q "^''${mode_alias}"; then
${pkgs.xorg.xrandr}/bin/xrandr --rmmode ''${mode_alias} || echo "Failed to remove existing mode"
fi
${pkgs.xorg.xrandr}/bin/xrandr --newmode ''${mode_alias} ''${xrandr_mode_str} || echo "Failed to create new mode"
${pkgs.xorg.xrandr}/bin/xrandr --addmode DP-0 ''${mode_alias} || echo "Failed to add mode to output"
# Apply new xrandr mode
${pkgs.xorg.xrandr}/bin/xrandr --output DP-0 --primary --mode ''${mode_alias} --pos 0x0 --rotate normal || echo "Failed to apply mode"
${config.boot.kernelPackages.nvidia_x11.settings}/bin/nvidia-settings -a 'SyncToVBlank=0' || echo "Failed to disable VSync"
${config.boot.kernelPackages.nvidia_x11.bin}/bin/nvidia-smi --persistence-mode=ENABLED || echo "Failed to enable persistence mode"
'';
executable = true;
destination = "/bin/resolution.sh";
};
sunshinePkg = (pkgs.unstablePkgs.sunshine.override { cudaSupport = true; });
in
{
boot.kernelModules = [ "uinput" ];
environment.systemPackages = with pkgs.unstablePkgs; [ gamemode heroic ];
hardware = {
pulseaudio.enable = false;
nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
powerManagement.finegrained = false;
open = false;
nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.latest;
};
};
systemd.services.NetworkManager-wait-online.enable = pkgs.lib.mkForce false;
programs.steam = {
enable = true;
gamescopeSession.enable = true;
};
security = {
polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.login1.suspend" ||
action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||
action.id == "org.freedesktop.login1.hibernate" ||
action.id == "org.freedesktop.login1.hibernate-multiple-sessions")
{
return polkit.Result.NO;
}
});
'';
rtkit.enable = true;
};
systemd.user.services.sunshine = {
serviceConfig = {
Restart = pkgs.lib.mkForce "always";
};
};
services = {
sunshine = {
enable = true;
autoStart = true;
package = sunshinePkg;
settings = {
sunshine_name = "The Architect";
capture = "nvfbc";
encoder = "nvenc";
wan_encryption_mode = 0;
lan_encryption_mode = 0;
origin_web_ui_allowed = "lan";
min_threads = 12;
log_path = "sunshine.log";
back_button_timeout = 2500;
};
applications = {
env = {
VDPAU_DRIVER = "nvidia";
LIBVA_DRIVER_NAME = "nvidia";
NVD_BACKEND = "direct";
__GL_SYNC_TO_VBLANK = "0";
__GL_VRR_ALLOWED = "0";
DXVK_ASYNC = "1";
};
apps = [
{
name = "Steam w/ Hue Lights";
cmd = ''${pkgs.bash}/bin/bash -c "${pkgs.gamescope}/bin/gamescope --adaptive-sync --force-composition --immediate-flips --rt -C 3000 -f -e -W ''${SUNSHINE_CLIENT_WIDTH} -H ''${SUNSHINE_CLIENT_HEIGHT} -r ''${SUNSHINE_CLIENT_FPS} -- ${pkgs.steam}/bin/steam -pipewire"'';
detached = [
"${pkgs.pepePkgs.huenicorn}/bin/huenicorn"
];
prep-cmd = [
{
do = ''${pkgs.bash}/bin/bash -c "${resolutionScript}/bin/resolution.sh ''${SUNSHINE_CLIENT_WIDTH} ''${SUNSHINE_CLIENT_HEIGHT}" ''${SUNSHINE_CLIENT_FPS}"'';
undo = ''${pkgs.bash}/bin/bash -c "${pkgs.procps}/bin/pkill gamescope; ${pkgs.procps}/bin/pkill sunshine; ${pkgs.procps}/bin/pkill -KILL huenicorn"'';
}
];
}
{
name = "Steam";
cmd = ''${pkgs.bash}/bin/bash -c "${pkgs.gamescope}/bin/gamescope --adaptive-sync --force-composition --immediate-flips --rt -C 3000 -f -e -W ''${SUNSHINE_CLIENT_WIDTH} -H ''${SUNSHINE_CLIENT_HEIGHT} -r ''${SUNSHINE_CLIENT_FPS} -- ${pkgs.steam}/bin/steam -pipewire"'';
prep-cmd = [
{
do = ''${pkgs.bash}/bin/bash -c "${resolutionScript}/bin/resolution.sh ''${SUNSHINE_CLIENT_WIDTH} ''${SUNSHINE_CLIENT_HEIGHT}" ''${SUNSHINE_CLIENT_FPS}"'';
undo = ''${pkgs.bash}/bin/bash -c "${pkgs.procps}/bin/pkill gamescope; ${pkgs.procps}/bin/pkill sunshine"'';
}
];
}
{
name = "Heroic";
cmd = ''${pkgs.bash}/bin/bash -c "${pkgs.unstablePkgs.heroic}/bin/heroic"'';
prep-cmd = [
{
do = ''${pkgs.bash}/bin/bash -c "${resolutionScript}/bin/resolution.sh ''${SUNSHINE_CLIENT_WIDTH} ''${SUNSHINE_CLIENT_HEIGHT}" ''${SUNSHINE_CLIENT_FPS}"'';
undo = ''${pkgs.bash}/bin/bash -c "${pkgs.procps}/bin/pkill heroic; ${pkgs.procps}/bin/pkill sunshine"'';
}
];
}
];
};
};
displayManager = {
autoLogin = {
inherit user;
enable = true;
};
sddm = {
enable = true;
wayland.enable = false;
};
};
xserver = {
enable = true;
videoDrivers = [ "nvidia" ];
desktopManager.xfce.enable = true;
monitorSection = ''
HorizSync 5.0 - 1000.0
VertRefresh 5.0 - 1000.0
Option "DPMS"
'';
deviceSection = ''
VendorName "NVIDIA Corporation"
Option "CustomEDID" "DFP-1:/etc/X11/120edid.bin"
Option "ConnectedMonitor" "DFP-1"
'';
screenSection = ''
Monitor "Configured Monitor"
DefaultDepth 24
Option "ModeValidation" "NoVertRefreshCheck, NoHorizSyncCheck, NoMaxSizeCheck, NoMaxPClkCheck, AllowNonEdidModes, NoEdidMaxPClkCheck"
Option "UseEdidfreqs" "False"
Option "TripleBuffer" "False"
SubSection "Display"
Depth 24
EndSubSection
'';
};
};
systemd.targets = {
sleep.enable = false;
suspend.enable = false;
hibernate.enable = false;
hybrid-sleep.enable = false;
};
users = {
users.${user} = {
isNormalUser = true;
home = "/home/${user}";
description = "Sunshine Server";
extraGroups = [ "wheel" "networkmanager" "input" "video" "sound" ];
openssh.authorizedKeys.keys = [ "ssh-rsa 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 giulio@giulio-X230" ];
};
groups.media.members = [ user ];
};
}
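Review bot: both `prep-cmd` `do` lines carry a stray double quote after `SUNSHINE_CLIENT_HEIGHT` (`... ''${SUNSHINE_CLIENT_HEIGHT}" ''${SUNSHINE_CLIENT_FPS}"`), which closes the `bash -c` script early, leaves the FPS value outside it and the final quote unmatched; drop the inner quote so the script reads `resolution.sh ''${SUNSHINE_CLIENT_WIDTH} ''${SUNSHINE_CLIENT_HEIGHT} ''${SUNSHINE_CLIENT_FPS}"`. Separately, the streaming account is auto-logged-in (`autoLogin.enable = true`) and sits in `wheel`; a desktop session exposed to remote clients through Sunshine does not need sudo, so remove `wheel` from `extraGroups` unless something in the session requires it. The `undo` commands also run `pkill sunshine`, which terminates the Sunshine server itself at the end of every session and, being a name match, any other process called sunshine; if the goal is to reset display state, restarting the service unit explicitly is more predictable than killing it from inside its own hook.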

View File

@ -0,0 +1,41 @@
{ pkgs, config, lib, ... }:
let
domain = "devs.giugl.io";
utilities = import ./utilities.nix { inherit lib config; };
inherit (utilities) generateDeviceStrings;
in
{
architect = {
networks.tailscale = {
interface = "ts0";
net = "100.64.0.0/10";
devices = {
architect = { address = "100.64.0.1"; hostname = "architect.${domain}"; };
kmerr = { address = "100.64.0.2"; hostname = "kmerr.${domain}"; };
parallels = { address = "100.64.0.3"; hostname = "parallels.${domain}"; };
chuck = { address = "100.64.0.4"; hostname = "chuck.${domain}"; };
dodino = { address = "100.64.0.5"; hostname = "dodino.${domain}"; };
manduria = { address = "100.64.0.6"; hostname = "manduria.${domain}"; };
tommy = { address = "100.64.0.7"; hostname = "tommy.${domain}"; };
ucsb-workstation = { address = "100.64.0.8"; hostname = "ucsb-workstation.${domain}"; };
alfredo = { address = "100.64.0.9"; hostname = "alfredo.${domain}"; };
appletv = { address = "100.64.0.13"; hostname = "appletv.${domain}"; };
watkinshouse = { address = "100.64.0.14"; hostname = "watkinshouse.${domain}"; };
afsun = { address = "100.64.0.15"; hostname = "afsun.${domain}"; };
};
};
};
services = {
tailscale = {
enable = true;
interfaceName = config.architect.networks.tailscale.interface;
package = pkgs.unstablePkgs.tailscale;
};
};
networking.extraHosts = generateDeviceStrings config.architect.networks.tailscale.devices;
}
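Review bot: `networking.extraHosts` on the last line is generated from a hand-maintained `devices` map, so every `*.devs.giugl.io` name is pinned to a static tailnet address; if a device is re-registered and receives a different 100.64.x.y address, the stale entry silently routes traffic (and anything that resolves these names for access decisions) to whichever node now holds it. Either document in a comment that this map is the source of truth and must be updated on every device change, or rely on Tailscale's own name resolution and keep the map only for the addresses other modules consume as ACL input.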

View File

@ -0,0 +1,64 @@
{ config, ... }:
let
domain = "tesla.giugl.io";
teslamatePort = 11234;
grafanaPort = 11334;
allowLan = true;
allowWAN = false;
in
{
age.secrets.teslamate = {
file = ../../secrets/teslamate.age;
owner = "teslamate";
};
architect.vhost.${domain} = with config.architect.networks; {
dnsInterfaces = [ "lan" "tailscale" ];
locations = {
"/" = {
inherit allowLan allowWAN;
port = teslamatePort;
proxyWebsockets = true;
allow = [
tailscale.net
];
};
"/live/websocket" = {
inherit allowLan allowWAN;
port = teslamatePort;
proxyWebsockets = true;
allow = [
tailscale.net
];
};
"/grafana" = {
inherit allowLan allowWAN;
port = grafanaPort;
proxyWebsockets = true;
allow = [
tailscale.net
];
};
};
};
services.teslamate = {
enable = true;
port = teslamatePort;
listenAddress = "127.0.0.1";
secretsFile = config.age.secrets.teslamate.path;
virtualHost = domain;
postgres.enable_server = true;
grafana = {
enable = true;
port = grafanaPort;
listenAddress = "127.0.0.1";
urlPath = "/grafana";
};
mqtt = {
enable = true;
};
};
}
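Review bot: the three `allow = [ tailscale.net ]` entries admit `100.64.0.0/10`, the whole CGNAT range Tailscale allocates from, not only the devices enumerated in tailscale.nix; any node that joins the tailnet (shared or ephemeral included) can reach TeslaMate and Grafana, and with `allowLan = true` so can every LAN host. If device-level access is the intent, derive the list from `config.architect.networks.tailscale.devices` (utilities.nix already exposes the addresses) rather than the whole `net`, and hoist the repeated list into a single `let` binding. `mqtt = { enable = true; }` is set with no listener or authentication options in this file; confirm the broker the module starts binds to localhost only, since TeslaMate's MQTT feed carries vehicle position data.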

View File

@ -1,43 +0,0 @@
{ lib, config, ... }:
let
domain = "httra.giugl.io";
network = import ./network.nix;
in {
services = {
transmission = {
enable = true;
group = "media";
settings = {
download-dir = "/media/transmission";
incomplete-dir = "/media/transmission/.incomplete";
rpc-host-whitelist = "${domain}";
encryption = 2;
speed-limit-up = 10;
speed-limit-up-enabled = true;
peer-port = 51413;
};
performanceNetParameters = true;
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:9091";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
users.groups.media.members = [ "transmission" ];
}
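Review bot: deleting this module removes the `transmission` service and its user, but not the data under `download-dir = "/media/transmission"` and `incomplete-dir`; those files are left owned by a UID that is no longer declared, and because `groups.media.members = [ user ]` still exists in sunshine.nix they remain readable to everyone in `media`. Re-own or remove `/media/transmission` as part of this change, and retire the `httra.giugl.io` name if nothing else serves it.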

View File

@ -0,0 +1,13 @@
{ config, lib, ... }:
{
# device.address device.hostname
generateDeviceStrings = devices: lib.concatStringsSep "\n"
(lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices);
getDeviceAddress = interface: device:
config.architect.networks.${interface}.devices.${device}.address;
architectInterfaceAddress = interface:
config.architect.networks.${interface}.devices.architect.address;
}
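Review bot: `getDeviceAddress` and `architectInterfaceAddress` index `config.architect.networks.${interface}.devices.${device}` directly, so a mistyped interface or device name aborts evaluation with a generic "attribute missing" error that does not name the caller; either wrap the lookup in `lib.attrByPath` with a `throw` that names the missing device, or at least say so in the header, since the existing `# device.address device.hostname` comment only describes the output of `generateDeviceStrings`. A one-line note that this file expects `lib` and `config` from the importer (`import ./utilities.nix { inherit lib config; }` in tailscale.nix) would also help, as it is not a NixOS module despite the `{ config, lib, ... }:` signature.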

View File

@ -1,270 +0,0 @@
with import ./network.nix; {
networking = {
extraHosts = ''
${architect-wg} architect.devs.giugl.io
${galuminum-wg} galuminum.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io
${manduria-wg} manduria.devs.giugl.io
${antonio-wg} antonio.devs.giugl.io
${gbeast-wg} gbeast.devs.giugl.io
${parisaphone-wg} parisa-phone.devs.giugl.io
${parisapc-wg} parisa-pc.devs.giugl.io
${peppiniell-wg} peppiniell.devs.giugl.io
${padulino-wg} padulino.devs.giugl.io
${shield-wg} shield.devs.giugl.io
${pepos-wg} pepos.devs.giugl.io
${eleonora-wg} eleonora.devs.giugl.io
${angellane-wg} angellane.devs.giugl.io
${hotpottino-wg} hotpottino.devs.giugl.io
${salvatore-wg} salvatore.devs.giugl.io
${papa-wg} papa.devs.giugl.io
${defy-wg} defy.devs.giugl.io
${germano-wg} germano.devs.giugl.io
${dodino-wg} dodino.devs.giugl.io
${tommy-wg} tommy.devs.giugl.io
${alain-wg} alain.devs.giugl.io
${dima-wg} dima.devs.giugl.io
${mikey-wg} mikey.devs.giugl.io
${andrew-wg} andrew.devs.giugl.io
${mikeylaptop-wg} mikeylaptop.devs.giugl.io
${frznn-wg} frznn.devs.giugl.io
${ludo-wg} ludo.devs.giugl.io
${parina-wg} parina.devs.giugl.io
${parina-ipad-wg} parinaipad.devs.giugl.io
${nilo-wg} nilo.devs.giugl.io
${kclvm-wg} kclvm.devs.giugl.io
'';
wireguard = {
# interfaces.${proxy-if} = {
# ips = [ "10.4.0.2/32" ];
# privateKeyFile = "/secrets/wireguard/proxy.key";
# peers = [{
# publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs=";
# allowedIPs = [ "10.4.0.1/32" ];
# endpoint = "giugl.io:1195";
# persistentKeepalive = 21;
# }];
# };
interfaces.${vpn-if} = {
listenPort = 1194;
ips = [ "10.3.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
peers = [
{
# gAluminum
allowedIPs = [ galuminum-wg ];
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
}
{
# OnePlus
allowedIPs = [ oneplus-wg ];
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
}
{
# iPad
allowedIPs = [ ipad-wg ];
publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ=";
}
{
# Manduria
allowedIPs = [ manduria-wg ];
publicKey = "wT38oXvDQ8g0hI+pAXQobOWf/Wott2zhwo8TLvXK400=";
}
{
# Antonio
allowedIPs = [ antonio-wg ];
publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc=";
}
{
# Eleonora
allowedIPs = [ eleonora-wg ];
publicKey = "SL54f1ZeieFyn5X5UAPmypP10GV/c419O94vCzGHFhg=";
}
{
# padulino
allowedIPs = [ padulino-wg ];
publicKey = "sk2Wr2OesND9jcuP/8k7BirSpR4pNNbS9gBkbOxZxwg=";
}
{
# GBEAST
allowedIPs = [ gbeast-wg ];
publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI=";
}
{
# parisa-phone
allowedIPs = [ parisaphone-wg ];
publicKey = "MGdaRMmsik7SLRUsijS0TctcKUD6Tnr7XugGJClTCC4=";
}
{
# parisa-pc
allowedIPs = [ parisapc-wg ];
publicKey = "b2QzZDTgGQbNXSCLYB4KUzq0/099pH2T8H5BckfNSTQ=";
}
{
# peppiniell
allowedIPs = [ peppiniell-wg ];
publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc=";
}
{
# hotpottino
allowedIPs = [ hotpottino-wg ];
publicKey = "YqtzTWqGBs2GwSPNO0aRSV4nvJDW3UHHt6fV4UC7vnU=";
}
{
# shield
allowedIPs = [ shield-wg ];
publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs=";
}
{
# pepos
allowedIPs = [ pepos-wg ];
publicKey = "mb1VaMLML5J24oCMBuhqvBrT6S4tAqWERn30z+h/LwM=";
}
{
# salvatore
allowedIPs = [ salvatore-wg ];
publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs=";
}
{
# papa
allowedIPs = [ papa-wg ];
publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA=";
}
{
# defy
allowedIPs = [ defy-wg ];
publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4=";
}
{
# germano
allowedIPs = [ germano-wg ];
publicKey = "gi4o+pZWKItzVs7vY8fvXh98jX6CNeCwc1YDzhc3mA4=";
}
{
# flavio
allowedIPs = [ flavio-wg ];
publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg=";
}
{
# dodino
allowedIPs = [ dodino-wg ];
publicKey = "JHkqlADQpY1CUcivraG9i6rIzCzLVFcl8HP5uIk35lk=";
}
{
# tommy
allowedIPs = [ tommy-wg ];
publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo=";
}
{
# alain
allowedIPs = [ alain-wg ];
publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
}
{
# dima
allowedIPs = [ dima-wg ];
publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
}
{
# angel-lane
allowedIPs = [ angellane-wg ];
publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=";
}
{
# mikey
allowedIPs = [ mikey-wg ];
publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI=";
}
{
# andrew
allowedIPs = [ andrew-wg ];
publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM=";
}
{
# mikey laptop
allowedIPs = [ mikeylaptop-wg ];
publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk=";
}
{
# andrew desktop
allowedIPs = [ andrewdesktop-wg ];
publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI=";
}
{
# laptop desktop
allowedIPs = [ jacopo-wg ];
publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0=";
}
{
# frznn
allowedIPs = [ frznn-wg ];
publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o=";
}
{
# ludo
allowedIPs = [ ludo-wg ];
publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM=";
}
{
# parina
allowedIPs = [ parina-wg ];
publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA=";
}
{
# nilo
allowedIPs = [ nilo-wg ];
publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0=";
}
{
# parina ipad
allowedIPs = [ parina-ipad-wg ];
publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU=";
}
{
# kcl vm
allowedIPs = [ kclvm-wg ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
}
];
};
};
};
}
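Review bot: removing this file takes down the WireGuard listener on UDP 1194 and every peer, but the server private key it referenced (`privateKeyFile = "/secrets/wireguard/server.key"`, and the commented-out `/secrets/wireguard/proxy.key`) lives outside the Nix store and stays on disk; delete it as part of the migration so retired key material is not left behind, and check that the firewall rule that opened 1194 goes with it (not visible in this diff). The removed config also shows the peer list and the hosts list had already drifted: `flavio-wg`, `andrewdesktop-wg` and `jacopo-wg` have peers but no `extraHosts` entry, which the single `devices` map in tailscale.nix now prevents.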

View File

@ -9,7 +9,8 @@ let
export __VK_LAYER_NV_optimus=NVIDIA_only export __VK_LAYER_NV_optimus=NVIDIA_only
exec -a "$0" "$@" exec -a "$0" "$@"
''; '';
in { in
{
imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ]; imports = [ ./hardware.nix ./wireguard.nix ./sound.nix ];
boot = { boot = {
@ -70,5 +71,5 @@ in {
programs.steam.enable = true; programs.steam.enable = true;
environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ]; environment.systemPackages = with pkgs; [ efibootmgr nvidia-offload ];
system.stateVersion = "21.05"; # Did you read the comment? # system.stateVersion = "21.05"; # Did you read the comment?
} }
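Review bot: commenting out `system.stateVersion = "21.05"; # Did you read the comment?` on this host means its value now comes from the unconditional `system.stateVersion = "24.11"` that lib/host.nix sets inside `mkHost`; `stateVersion` exists to keep stateful defaults (database schema versions, service data layouts) pinned to the release the host was installed with, so moving an existing 21.05 install to 24.11 can change those defaults irreversibly. Keep `"21.05"` here and make the `mkHost` value `lib.mkDefault "24.11"` so the per-host setting wins instead of conflicting.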

View File

@ -1,73 +0,0 @@
{ pkgs, config, ... }:
let
public_ip = "23.88.108.216";
realm = "turn.giugl.io";
static-auth-secret = "69duck duck fuck420";
in {
services.coturn = rec {
inherit realm static-auth-secret;
secure-stun = true;
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
relay-ips = [ public_ip ];
listening-ips = [ public_ip ];
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
verbose
cipher-list=\"HIGH\"
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
networking.firewall = {
interfaces.ens3 = let
range = with config.services.coturn; [{
from = min-port;
to = max-port;
}];
in {
allowedUDPPortRanges = range;
allowedUDPPorts = [ 5349 ];
#allowedTCPPortRanges = range;
allowedTCPPorts = [ 80 443 5349 ];
};
};
services.nginx.enable = true;
services.nginx.virtualHosts.${realm} = {
addSSL = true;
enableACME = true;
};
# to access the ACME files
users.groups.nginx.members = [ "turnserver" ];
}
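Review bot: `static-auth-secret = "69duck duck fuck420"` in the removed file is a plaintext TURN shared secret committed to the repository, and deleting the file does not retire it: it remains in git history and in every store that built this host, and any coturn instance still configured with it accepts credentials derived from it. Treat it as disclosed, rotate it on whatever still answers for `turn.giugl.io`, and if coturn returns, feed the secret through an agenix secret the way `teslamate` and `ovh` are handled elsewhere in this change rather than as a literal.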

View File

@ -1,26 +0,0 @@
{ config, pkgs, ... }:
{
imports =
[ ./hardware-configuration.nix ./coturn.nix ./wireguard.nix ./ssh.nix ];
boot.loader.grub = {
enable = true;
version = 2;
devices = [ "/dev/sda" ];
};
system.stateVersion = "21.05";
networking = {
useDHCP = false;
hostName = "proxy";
nameservers = [ "10.4.0.2" "1.1.1.1" ];
interfaces.ens3.useDHCP = true;
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa 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 giulio@gAluminum"
];
}
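Review bot: dropping `hosts/proxy` from the flake stops the `proxy` VM from receiving configuration updates, but nothing here decommissions it; if the machine still runs it keeps its last generation indefinitely, with `root` login authorised by the key in `users.users.root.openssh.authorizedKeys.keys`, the WireGuard listener on UDP 1195 and its server private key on disk. Confirm the VM is destroyed and its address released as part of this change, or keep a minimal host definition so it stays patched until it is.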

View File

@ -1,22 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.initrd.availableKernelModules =
[ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/8b5bcd4a-02b8-4e11-b856-eda792b8b7b8";
fsType = "ext4";
};
swapDevices = [ ];
}

View File

@ -1,15 +0,0 @@
{ config, ... }:
{
services = {
fail2ban.enable = true;
openssh = {
permitRootLogin = "prohibit-password";
passwordAuthentication = false;
enable = true;
};
};
networking.firewall.allowedTCPPorts = [ 22 ];
}

View File

@ -1,42 +0,0 @@
{ config, ... }:
let
wg_if = "wg0";
wan_if = "ens3";
in {
networking = {
firewall.allowedUDPPorts = [ 1195 ];
nat = {
enable = true;
externalInterface = wan_if;
internalInterfaces = [ wg_if ];
forwardPorts = [{
destination = "10.4.0.2:1194";
proto = "udp";
sourcePort = 1194;
}];
};
wireguard = {
interfaces.${wg_if} = {
listenPort = 1195;
ips = [ "10.4.0.1/24" ];
privateKeyFile = "/secrets/wireguard/server.key";
postSetup = ''
/run/current-system/sw/bin/iptables -t nat -A POSTROUTING -o ${wg_if} -j MASQUERADE
'';
postShutdown = ''
/run/current-system/sw/bin/iptables -t nat -D POSTROUTING -o ${wg_if} -j MASQUERADE
'';
peers = [{
allowedIPs = [ "10.4.0.2" "10.3.0.0/24" ];
publicKey = "73oFhyQA3mgX4GmN6ul5HuOsgxa4INlzCPsyuXna0AA=";
}];
};
};
};
}

7
hosts/pubkeys.nix Normal file
View File

@ -0,0 +1,7 @@
rec {
architect = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICu7rSsZ+d3BkppimNHJj8xL5jfl5RxMU0+Q5cue0LUu root@architect";
architectHostKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGLLAtRzLtCExHLhpsC+vH1nXcla3wibbMOFRCwXfXjtn2A9DjewHBwcbQbYQa6yuaEa3vmvUyrUtW6RUAiGSNhDMUPz7swr5tujgO/6ToPf0vKDDeOCwK5wqmNoUlDf7qzkxwCiI0dPYuCr7uGt00/ebSGfp+F1zmgC9MxuefYMdX5Q5I7HoHOYbBC9q9ue5mc0g+F8GnmD+Pd2pDDiHpCflT+iOzLJH0gCcW/0e5q7XYKGs09Cm/L1zroHIb14Borndu0Mby7x2FlnSeap5KXr9rkKVyr3amX0mksb4N0T36MMJwLYcrvE0S8utFdHEusoYEkP3fjSgsKKHKEgiZbqaeA0oZHddG49JNBsCLmmrN8T142t1fftP4NdFyKpcI9gYsbXhZf6bheV1wQ/cpv3KkLGG7JlZeORRAc4xgT33BHvVXTcWCE2EYcNmdscrMOEw3mcDESu7S14iXZgGIUgYISZ3GTZ5+mNB6OoEwxqK+eYzYMyDpNBxv6/LlEvc= root@architect";
macbook = "ssh-rsa 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 giulio@giulio-X230";
groups.architect = [ architect architectHostKey ];
}
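Review bot: the key comment fields do not match the attribute names, which makes revocation error-prone: `architect` and `architectHostKey` both end in `root@architect`, so nothing in the key material says which is the host key, and `macbook` carries `giulio@giulio-X230`, a ThinkPad hostname. Re-label the comments to match the attributes, and document what consumes `groups.architect`, since a group that mixes a user key with a host key grants both principals identical rights wherever the group is referenced.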

View File

@ -1,6 +0,0 @@
{ pkgs, unstable, nixpkgs, nixos-unstable, home-manager, system, ... }: rec {
user = import ./user.nix { inherit pkgs unstable system home-manager; };
host = import ./host.nix {
inherit pkgs nixpkgs unstable nixos-unstable home-manager user system;
};
}

View File

@ -1,42 +1,48 @@
{ pkgs, nixpkgs, nixos-unstable, unstable, home-manager, user, system, ... }: { pkgs
, nixpkgs
, home-manager
, system
, mkSysRole
, mkUser
, ...
}:
{ {
mkHost = { name, users, roles ? [ ], imports ? [ ] }: mkHost = { name, users, roles ? [ ], imports ? [ ] }:
let let
mkRole = role: import (../roles + "/${role}.nix"); users_mod = (map
(u:
users_mod = (map (u: mkUser {
user.mkUser {
name = u.user; name = u.user;
roles = u.roles; roles = u.roles;
}) users); })
roles_mod = (map (r: mkRole r) roles); users);
roles_mod = (map (r: mkSysRole r) roles);
add_imports = imports; add_imports = imports;
in nixpkgs.lib.nixosSystem { in
inherit system; nixpkgs.lib.nixosSystem {
inherit system pkgs;
modules = [ modules = [
{ {
imports = users_mod ++ roles_mod ++ add_imports; imports = users_mod ++
nixpkgs = { inherit pkgs; }; roles_mod ++
add_imports ++ [
nix.nixPath = [ "nixpkgs=${nixpkgs}" "unstable=${nixos-unstable}" ]; (mkSysRole "common")
nix.registry.nixpkgs.flake = nixpkgs; (mkSysRole "acme")
nix.registry.unstable.flake = nixos-unstable; (mkUser { name = "root"; roles = [ ]; })
];
users.users.root = { shell = pkgs.zsh; };
home-manager = { home-manager = {
users.root.imports = [ ../roles/home/common.nix ];
extraSpecialArgs.unstable = unstable;
useGlobalPkgs = true; useGlobalPkgs = true;
}; };
system.stateVersion = "24.11";
} }
home-manager.nixosModules.home-manager home-manager.nixosModules.home-manager
../roles/common.nix
../roles/acme.nix
../hosts/${name}/default.nix ../hosts/${name}/default.nix
pkgs.nixosModules.cachixConfig
]; ];
}; };
} }
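Review bot: `system.stateVersion = "24.11";` is set unconditionally inside `mkHost`, so every host built through it gets the same value and a host module cannot restore its own without a definition conflict; make it `lib.mkDefault "24.11"` so hosts installed on earlier releases (the `"21.05"` removed from a host default.nix in this same change) can keep theirs. Every host also now imports `(mkUser { name = "root"; roles = [ ]; })`; that is a sensible replacement for the old `users.users.root = { shell = pkgs.zsh; }` plus `home-manager.users.root.imports`, but it relies on `mkUser` special-casing `root`, which it only partly does (see lib/user.nix).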

View File

@ -1,44 +1,55 @@
{ pkgs, unstable, home-manager, ... }: { pkgs
, stdenv
, home-manager
, mkHomeRole
, ...
}:
{ {
mkUser = { name, roles ? [ ] }: mkUser = { name, roles ? [ ] }:
let let
mkRole = role: import (../roles/home + "/${role}.nix"); roles_mod = (map (r: mkHomeRole r) roles);
roles_mod = (map (r: mkRole r) roles); in
in { {
users.groups.plugdev = { };
fileSystems."/home/${name}/Downloads" = { fileSystems."/home/${name}/Downloads" = {
device = "tmpfs"; device = "tmpfs";
fsType = "tmpfs"; fsType = "tmpfs";
options = [ "size=3G" ]; options = [ "size=3G" ];
}; };
users.users.${name} = { users = {
isNormalUser = true; users.${name} = {
shell = pkgs.zsh; isNormalUser = name != "root";
extraGroups = [ "wheel" "plugdev" ]; extraGroups = [ "wheel" "plugdev" ];
shell = pkgs.zsh;
};
}; };
home-manager.users.${name}.imports = [ (mkRole "common") ] ++ roles_mod; programs.zsh.enable = true;
home-manager.users.${name}.imports = [
(mkHomeRole "common")
(mkHomeRole "zsh")
(mkHomeRole "aichat")
] ++ roles_mod;
}; };
mkHMUser = { name, roles }: mkHMUser = { name, roles ? [ ] }:
let let
mkRole = role: import (../roles/home + "/${role}.nix"); roles_mod = (map (r: mkHomeRole r) roles);
roles_mod = (map (r: mkRole r) roles); in
in home-manager.lib.homeManagerConfiguration { home-manager.lib.homeManagerConfiguration {
inherit pkgs; inherit pkgs;
modules = [ modules = [
{ {
home = { home = {
username = name; username = name;
homeDirectory = homeDirectory =
if pkgs.stdenv.isLinux then "/home/${name}" else "/Users/${name}"; if stdenv.isLinux then "/home/${name}" else "/Users/${name}";
stateVersion = "22.05";
}; };
} }
(mkRole "common") (mkHomeRole "common")
(mkHomeRole "aichat")
] ++ roles_mod; ] ++ roles_mod;
}; };
} }
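Review bot: `mkUser` is now called with `name = "root"` from lib/host.nix, but only `isNormalUser = name != "root"` accounts for that: the same call still declares `fileSystems."/home/${name}/Downloads"`, which for root mounts a tmpfs at `/home/root/Downloads` although root's home is `/root`, and still sets `extraGroups = [ "wheel" "plugdev" ]`, which is meaningless for UID 0. Wrap the tmpfs and `extraGroups` in `lib.mkIf (name != "root")`. Also, `stateVersion = "22.05"` was removed from the `home` block in `mkHMUser` and nothing in this hunk re-adds it; home-manager refuses to evaluate without `home.stateVersion`, so it must now be set in the `common` home role, which this diff does not show.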

6
lib/utils.nix Normal file
View File

@ -0,0 +1,6 @@
{ ... }:
{
mkSysRole = role: import (../roles/${role}.nix);
mkHomeRole = role: import (../roles/home/${role}.nix);
}

View File

@ -1,8 +1,25 @@
{ config, ... }:
let
giuglioDomain = "giugl.io";
in
{ {
age.secrets.ovh = {
file = ../secrets/ovh.age;
owner = "acme";
};
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
certs.${giuglioDomain} =
{
dnsProvider = "ovh";
environmentFile = config.age.secrets.ovh.path;
extraDomainNames = [ "*.${giuglioDomain}" ];
};
defaults = { defaults = {
email = "sysadmin@giugl.io"; email = "letsencrypt@depasquale.giugl.io";
dnsProvider = "ovh";
environmentFile = config.age.secrets.ovh.path;
}; };
}; };
} }
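Review bot: `defaults` now carries `dnsProvider = "ovh"` and `environmentFile = config.age.secrets.ovh.path`, so every certificate requested on this host, not only the wildcard, authenticates to the OVH API with the same token, and with `extraDomainNames = [ "*.${giuglioDomain}" ]` that credential is the single secret behind every name under giugl.io. That is an acceptable trade for DNS-01, but restrict the OVH token to the zone and record operations lego needs, and have vhosts reuse the wildcard via `useACMEHost` instead of requesting their own certificates, so the token is exercised by one renewal path only.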

View File

@ -1,7 +1,9 @@
{ config, pkgs, variables, lib, ... }: { config, pkgs, lib, ... }:
{ {
boot.tmpOnTmpfs = true; boot.tmp = {
useTmpfs = true;
};
console = { console = {
keyMap = "us"; keyMap = "us";
@ -11,8 +13,7 @@
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
nix = { nix = {
autoOptimiseStore = true; settings.auto-optimise-store = true;
package = pkgs.nixUnstable;
extraOptions = '' extraOptions = ''
experimental-features = nix-command flakes experimental-features = nix-command flakes
''; '';
@ -24,10 +25,11 @@
}; };
}; };
nixpkgs = { config = { allowUnfree = true; }; };
fonts.fontconfig.enable = true; fonts = {
fonts.fonts = with pkgs; [ cascadia-code victor-mono ]; fontconfig.enable = true;
packages = with pkgs; [ cascadia-code victor-mono ];
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
file file
@ -40,7 +42,6 @@
glances glances
tcpdump tcpdump
restic restic
neovim
tmux tmux
parted parted
unzip unzip
@ -49,5 +50,7 @@
nmap nmap
ripgrep ripgrep
jq jq
helix
poetry
]; ];
} }
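Review bot: `extraOptions = '' experimental-features = nix-command flakes ''` is kept as free text while `autoOptimiseStore` is moved to `settings.auto-optimise-store` in the same hunk; express it as `settings.experimental-features = [ "nix-command" "flakes" ]` for consistency and so the value is type-checked.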

View File

@ -22,7 +22,7 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
gnomeExtensions.appindicator gnomeExtensions.appindicator
gnomeExtensions.sound-output-device-chooser gnomeExtensions.sound-output-device-chooser
pkgs.unstable.gnomeExtensions.pop-shell pkgs.unstablePkgs.gnomeExtensions.pop-shell
]; ];
security.pam.services.gdm.enableGnomeKeyring = true; security.pam.services.gdm.enableGnomeKeyring = true;
} }
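Review bot: `pkgs.unstablePkgs.gnomeExtensions.pop-shell` sits inside `with pkgs; [ ... ]`, so the `pkgs.` prefix is redundant next to the bare `gnomeExtensions.appindicator` above it; write `unstablePkgs.gnomeExtensions.pop-shell` to match.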

17
roles/home/aichat.nix Normal file
View File

@ -0,0 +1,17 @@
{ pkgs, ... }:
let
lib = pkgs.lib;
configDir = "$HOME/.config/aichat";
in
{
home = {
sessionVariables = {
AICHAT_CONFIG_DIR = configDir;
};
packages = [ pkgs.unstablePkgs.aichat ];
file.".config/aichat/config.yaml".text = lib.readFile ./aichat/config.yaml;
file.".config/aichat/roles/commitmessage.md".text = lib.readFile ./aichat/roles/commitmessage.md;
file.".config/aichat/roles/createpr.md".text = lib.readFile ./aichat/roles/createpr.md;
};
}
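Review bot: `file.".config/aichat/config.yaml".text = lib.readFile ./aichat/config.yaml;` (and the two role files) read each file into a Nix string only to write it back out; `home.file.<name>.source = ./aichat/config.yaml` is the idiomatic form and links the file directly. `lib = pkgs.lib;` in the `let` can go in favour of taking `lib` from the module arguments. `AICHAT_CONFIG_DIR = "$HOME/.config/aichat"` also depends on the session-variables file being sourced by a shell so `$HOME` expands; that holds for the zsh role, but any non-login process that reads the variable verbatim will see the literal string.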

View File

@ -0,0 +1,20 @@
clients:
- type: openai-compatible
name: ollama
api_base: https://ollama.giugl.io/v1
models:
- name: pino
max_input_tokens: 8192
max_output_tokens: 16000
- name: pino-coder
max_input_tokens: 16000
max_output_tokens: 16000
- name: pino-embed
type: embedding
default_chunk_size: 512
max_batch_size: 100
rag_embedding_model: ollama:pino-embed
rag_top_k: 5
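Review bot: the `ollama` client sets `api_base: https://ollama.giugl.io/v1` with no `api_key`, so who can use these models is decided entirely by the access controls on that vhost, which this diff does not show; if it is gated like the TeslaMate vhost (`allowWAN = false`, tailnet allow-list) that is fine, otherwise add an `api_key` to the client and enforce it at the proxy. Since the commit-message and PR roles send whole diffs to this endpoint, the same check determines who else could read repository content in transit or in server logs.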

View File

@ -0,0 +1,204 @@
---
model: ollama:pino-coder
temperature: 0
---
You are a panel of three expert developers specializing in commit message generation:
- A (Version Control Specialist): Expert in Git workflows and commit conventions
- B (Code Review Expert): Specializes in code change analysis and impact assessment
- C (Technical Writer): Focuses on clarity, consistency, and documentation standards
Commit Convention Format:
<type>(<scope>): <description>
[body description]
Types:
- feat: New feature
- fix: Bug fix
- docs: Documentation changes
- style: Code style changes (non-functional)
- refactor: Code restructuring (non-functional)
- test: Test-related changes
- chore: Build process or tool changes
- perf: Performance improvements
Panel Analysis Process:
1. Initial Assessment:
- Alex: Analyzes commit convention compliance and change scope
- Blake: Reviews technical changes and their impact
- Casey: Evaluates message clarity and completeness
2. Message Components:
- Type Selection: Panel agrees on the most appropriate type
- Scope Definition: Identify affected components/systems
- Description: Craft clear, concise summary, bullet points only
3. Quality Criteria:
- Conventional commits compliance
- Technical accuracy
- Clear and concise language
- Meaningful context
- Future maintainer consideration
- Breaking change identification
Guidelines:
- Exclude trivial changes (imports, formatting)
- Focus on functional and behavioral changes
- Include breaking changes prominently
- Reference relevant issue numbers
- Keep first line under 72 characters
- Use imperative mood ("add" not "added")
### INPUT:
diff --git a/src/utils/date-formatter.js b/src/utils/date-formatter.js
index 2345678..3456789 100644
--- a/src/utils/date-formatter.js
+++ b/src/utils/date-formatter.js
@@ -5,7 +5,7 @@ export function formatDate(date) {
const month = String(date.getMonth() + 1).padStart(2, '0');
const day = String(date.getDate()).padStart(2, '0');
- return `$${year}-$${month}-$${day}`;
+ return `$${year}/$${month}/$${day}`;
}
### OUTPUT:
fix(date-formatter): modified `formatDate()` to use '/' instead of '-' as the separator
### INPUT:
diff --git a/src/app.js b/src/app.js
index 83d2e7a..b6a1c3f 100644
--- a/src/app.js
+++ b/src/app.js
@@ -10,6 +10,10 @@ function initialize() {
setupEventListeners();
}
+// TODO: add other listeners
+// https://github.com/user/project/issue/123
+function setupEventListeners() {
+ document.getElementById('submit').addEventListener('click', handleSubmit);
+ document.getElementById('reset').addEventListener('click', handleReset);
+}
+
function handleSubmit(event) {
event.preventDefault();
const data = new FormData(event.target);
@@ -20,6 +24,10 @@ function handleSubmit(event) {
console.log('Form submitted:', data);
}
+function handleReset(event) {
+ event.preventDefault();
+ event.target.form.reset();
+ console.log('Form reset');
}
### OUTPUT:
feat(app): implement form event listeners
- Added `setupEventListeners()` to handle form interactions
- Implemented `handleReset()` for form reset functionality
- Added event listeners for submit and reset buttons
- Track TODO comment for future listener additions (https://github.com/user/project/issue/123)
### INPUT:
diff --git a/pkg/database/client.go b/pkg/database/client.go
index 003740f..6fc4861 100644
--- a/pkg/database/client.go
+++ b/pkg/database/client.go
@@ -24,9 +24,12 @@ var ErrNilDatabaseClient = errors.New("database client is nil after setup")
// InitDB initializes the database with the given application name and optional dbpath for SQLite.
func InitDB(appName string, dbpath ...string) error {
- cfg := config.New()
+ var (
+ psqlReadReplica string
+ err error
+ )
- var err error
+ cfg := config.New()
// Set up a new logger with your required configuration.
newLogger := logger.New(
@@ -38,9 +41,8 @@ func InitDB(appName string, dbpath ...string) error {
},
)
- // Load PostgreSQL configurations
- var psqlReadReplica string
psqlSource, err := cfg.Load(config.PSQL.String())
+
if err != nil {
log.Println("PSQL not set, using SQLite instead.")
} else {
### OUTPUT:
style(database/client): group together `psqlReadReplica` and `err` in function's prologue
### INPUT:
diff --git a/pkg/khttp/client.go b/pkg/khttp/client.go
index a53064c..3aff938 100644
--- a/pkg/khttp/client.go
+++ b/pkg/khttp/client.go
@@ -11,14 +11,17 @@ import (
"github.pie.apple.com/kerosene/Core/structs"
)
+// TODO: https://github.pie.apple.com/Kerosene/Core/issues/43
+// feat: Centralise and remove over use of os.Environment
const (
- // Environment variables and file names.
authFilesDirEnvVar = "WHISPER_AUTH_FILES_DIR"
keyName = "decrypted_key.pem"
certName = "cert.pem"
)
// Error for missing environment variable.
+// TODO: refactor: move errors into centralized errors.go files
+// https://github.pie.apple.com/Kerosene/Core/issues/57
var errMissingEnvironmentVariable = fmt.Errorf("%s environment variable is not set", authFilesDirEnvVar)
// AuthConfig holds authentication file paths.
@@ -31,9 +34,11 @@ type AuthConfig struct {
// NewAuthConfig creates an AuthConfig from environment variables.
func NewAuthConfig() (*AuthConfig, error) {
dir := os.Getenv(authFilesDirEnvVar)
+
if dir == "" {
return nil, errMissingEnvironmentVariable
}
+
return &AuthConfig{
Dir: dir,
CertFile: filepath.Join(dir, certName),
@@ -211,7 +216,7 @@ func setupMTLSOnlyTransport(certData string, keyData string) (*http.Transport, e
// Make scheme and Auth Type separate and load from DB.
func parseProxyURL(scheme string, routing structs.Routing) (*url.URL, error) {
- return url.Parse(fmt.Sprintf("%s://%s:%s", scheme, routing.Proxy, routing.Port))
+ return url.Parse(fmt.Sprintf("%s://%s:%d", scheme, routing.Proxy, routing.Port))
}
// loadX509KeyPair loads an X509 key pair from the specified cert and key files.
### OUTPUT:
fix/refactor(khttp/client): use correct format specifier for and add TODOs
- Parsed proxy URL using `fmt.Sprintf()` with correct format specifier for port
- Added TODOs to centralize errors and remove overuse of `os.Environment` (#43, #57)
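Review bot: the panel is introduced as `A`, `B`, `C` at the top of the prompt but addressed as `Alex`, `Blake`, `Casey` under "Panel Analysis Process"; use one set of names so the model is not asked to reconcile two personas. The worked examples, which are the few-shot signal the model copies, also contradict the rules: the last output `fix/refactor(khttp/client): use correct format specifier for and add TODOs` has a dangling "for" and uses `fix/refactor`, which is not in the `Types` list; the first example's single-line output conflicts with "Description: ... bullet points only"; and the date example's `$${year}` reads like a `${year}` escaped for a Nix string, which is unnecessary in a standalone .md file read with `readFile`.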

View File

@ -0,0 +1,626 @@
You are a technical documentation assistant specializing in creating clear, concise PR messages. Given a git diff, you will:
1. Analyze the structural changes to identify:
- New components/interfaces
- Architectural changes
- Behavioral modifications
- Impact on existing systems
2. Create a PR message following this format:
<type>(<scope>): <description>
[PROSE DESCRIPTION explaining the changes and their purpose]
---
[OPTIONAL SECTIONS like "Structs:", "Interfaces:", "Methods:", etc. when relevant]
Each section should:
- Use bullet points for clarity
- Bold key terms
- Include brief descriptions
- Focus on significant changes
- Exclude trivial details (imports, formatting)
### INPUT:
```
diff --git a/pkg/cli/cli.go b/pkg/cli/cli.go
index 9aee19c..9863f0b 100644
--- a/pkg/cli/cli.go
+++ b/pkg/cli/cli.go
@@ -1,21 +1,13 @@
package cli
import (
- "context"
- "net/http"
"strings"
- "time"
"github.com/sanity-io/litter"
"github.com/spf13/cobra"
- "github.com/org/Core/pkg/logging"
"github.com/org/Core/pkg/structs"
- "github.com/org/example/internal/storage"
- "github.com/org/example/pkg/browser"
"github.com/org/example/pkg/config"
- "github.com/org/example/pkg/crawler"
"github.com/org/example/pkg/errors"
- "github.com/org/example/pkg/models"
cookieflags "github.com/org/example/pkg/plugins/cookieflags"
cookiescope "github.com/org/example/pkg/plugins/cookiescope"
corsmisconfig "github.com/org/example/pkg/plugins/cors"
@@ -124,7 +116,18 @@ func NewRootCmd() (*cobra.Command, error) {
logger.Tracef("Crawler Configuration:
=============
%s
=============
", litter.Sdump(crawlConfig))
logger.Tracef("Vulnerability Scan Configuration:
=============
%s
=============
", litter.Sdump(pluginsConfig))
- return StartScan(sysConfig, crawlConfig, pluginsConfig)
+ manager, err := NewManagerBuilder(sysConfig, crawlConfig, pluginsConfig).Build()
+
+ if err != nil {
+ return err
+ }
+
+ err = manager.Start()
+ if err != nil {
+ return err
+ }
+
+ return manager.Stop()
},
}
@@ -186,113 +189,6 @@ func parseConfigFiles(crawlConfPath, systemConfPath, pluginConfPath string) (*co
return crawlConfig, sysConfig, vulnConfig, nil
}
-func StartScan(sysCfg *config.SystemConfiguration, //nolint:cyclop
- crawlCfg *config.CrawlConfiguration,
- pluginCfg *config.PluginsConfiguration,
-) error {
- // Initialize shared components
- logger := logging.NewLoggerBuilder().Build()
- metrics := &models.Metrics{}
- // Initialize the browser session
- browserSession, err := browser.New(logger, crawlCfg)
- if err != nil {
- return errors.ErrFailedExecution.WrapWithNoMessage(err)
- }
- defer browserSession.Close()
- if err := browserSession.Start(context.Background()); err != nil {
- return errors.ErrFailedExecution.WrapWithNoMessage(err)
- }
- // Create custom HTTP client if needed
- // TODO: Change and centralise
- // see https://github.com/org/example/issues/436
- customClient := &http.Client{
- Timeout: time.Second * 30,
- // Add other custom configurations...
- }
- // Iniialize storage once
- scanStorage, err := storage.NewScanStorage(sysCfg, metrics, logger)
- if err != nil {
- return errors.ErrStorageSetup.WrapWithNoMessage(err)
- }
- // Start batch session before any operations
- err = scanStorage.BatchSession.Start()
- if err != nil {
- return errors.ErrStorageSetup.WrapWithNoMessage(err)
- }
- // Initialize crawler with all options
- crawler, err := crawler.New(
- crawlCfg,
- sysCfg,
- crawler.WithStorage(scanStorage.Database, scanStorage.BatchSession),
- crawler.WithLogger(logger),
- crawler.WithMetrics(metrics),
- crawler.WithHTTPClient(customClient),
- crawler.WithBrowser(browserSession),
- )
- if err != nil {
- return errors.ErrFailedExecution.WrapWithNoMessage(err)
- }
- // Initialize scanner with shared components
- scan, err := scanner.NewScanner(
- sysCfg,
- crawlCfg,
- pluginCfg,
- browserSession,
- scanner.WithStorage(scanStorage),
- scanner.WithLogger(logger),
- scanner.WithHTTPClient(customClient),
- )
- if err != nil {
- return errors.ErrFailedExecution.WrapWithNoMessage(err)
- }
- err = initializePluginsFromConfig(scan, pluginCfg)
- if err != nil {
- return errors.ErrInitialisePlugin.WrapWithNoMessage(err)
- }
- output, err := crawler.Start()
- if err != nil {
- crawler.Close()
- return errors.ErrFailedExecution.WrapWithNoMessage(err)
- }
- // Add this: Stop scanner before waiting for batch operations
- scan.Stop()
- logger.Debugf("Crawl completed with metrics: %+v", output.Metrics)
- if sysCfg.ShouldExportMetrics() {
- err := output.Metrics.ToJSONFile()
- if err != nil {
- return errors.ErrJSONMarshalling.WrapWithNoMessage(err)
- }
- }
- if output.BenchmarkResults != nil {
- logger.Debugf("Benchmark results: %+v", output.BenchmarkResults)
- }
- scanStorage.BatchSession.Wait()
- err = scanStorage.BatchSession.Stop()
- if err != nil {
- return errors.ErrStorageSetup.WrapWithNoMessage(err)
- }
- crawler.Close()
- return nil
-}
// BuildPluginsFromConfig creates plugin instances based on configuration
func BuildPluginsFromConfig(config *config.PluginsConfiguration) []*structs.Plugin {
enabledPlugins := []*structs.Plugin{}
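Review bot: the deleted `StartScan` carried two things that should not disappear with it: the `Timeout: time.Second * 30` on `customClient`, and the `// TODO: Change and centralise` comment pointing at issue 436. The `ScanManager` that replaces it constructs `httpClient: &http.Client{}` with no timeout, so a single unresponsive target can now stall a crawler worker indefinitely; carry the 30 s default across (or expose a `WithHTTPClient` builder option) and move the TODO rather than dropping it if the issue is still open.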
diff --git a/pkg/cli/interface.go b/pkg/cli/interface.go
new file mode 100644
index 0000000..4d68a45
--- /dev/null
+++ b/pkg/cli/interface.go
@@ -0,0 +1,10 @@
+package cli
+
+// Scanner represents the core scanning operations lifecycle
+type ScanManagerInterface interface {
+ // Start initializes and begins the scanning process
+ Start() error
+
+ // Stop gracefully terminates all scanning operations
+ Stop() error
+}
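Review bot: the doc comment reads `// Scanner represents the core scanning operations lifecycle` but the declared type is `ScanManagerInterface`; Go doc tooling and revive/golint expect the comment to begin with the type name, so it should be `// ScanManagerInterface ...`. Separately, the `Interface` suffix is unidiomatic in Go; since the concrete type is `ScanManager`, a name describing the behaviour (what a caller can do with it) would read better than the suffix.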
diff --git a/pkg/cli/manager.go b/pkg/cli/manager.go
new file mode 100644
index 0000000..3f2a8fc
--- /dev/null
+++ b/pkg/cli/manager.go
@@ -0,0 +1,277 @@
+package cli
+
+import (
+ "context"
+ "net/http"
+
+ "github.com/org/Core/pkg/logging"
+ "github.com/org/example/internal/storage"
+ "github.com/org/example/pkg/browser"
+ "github.com/org/example/pkg/config"
+ "github.com/org/example/pkg/crawler"
+ "github.com/org/example/pkg/errors"
+ "github.com/org/example/pkg/models"
+ "github.com/org/example/pkg/scanner"
+)
+
+var _ ScanManagerInterface = (*ScanManager)(nil)
+
+type ScanManager struct {
+ browser *browser.Session
+ crawler *crawler.Crawler
+ scanner *scanner.Scanner
+ storage *storage.ScanStorage
+ logger *logging.Logger
+ metrics *models.Metrics
+ httpClient *http.Client
+
+ sysCfg *config.SystemConfiguration
+ crawlCfg *config.CrawlConfiguration
+ pluginCfg *config.PluginsConfiguration
+}
+
+// ScanManagerBuilder handles the construction of a ScanManager
+type ScanManagerBuilder struct {
+ manager *ScanManager
+ err error
+}
+
+// NewManagerBuilder creates a new builder for ScanManager
+func NewManagerBuilder(sysCfg *config.SystemConfiguration,
+ crawlCfg *config.CrawlConfiguration,
+ pluginCfg *config.PluginsConfiguration,
+) *ScanManagerBuilder {
+ builder := &ScanManagerBuilder{
+ manager: &ScanManager{
+ logger: logging.NewLoggerBuilder().Build(),
+ metrics: &models.Metrics{},
+ httpClient: &http.Client{},
+ },
+ }
+
+ if sysCfg == nil || crawlCfg == nil || pluginCfg == nil {
+ builder.err = errors.ErrInvalidArgument.New("configurations cannot be nil")
+
+ return builder
+ }
+
+ builder.manager.sysCfg = sysCfg
+ builder.manager.crawlCfg = crawlCfg
+ builder.manager.pluginCfg = pluginCfg
+
+ return builder
+}
+
+// WithLogger sets a custom logger
+func (b *ScanManagerBuilder) WithLogger(logger *logging.Logger) *ScanManagerBuilder {
+ if b.err != nil {
+ return b
+ }
+
+ if logger == nil {
+ b.err = errors.ErrInvalidArgument.New("logger cannot be nil")
+
+ return b
+ }
+
+ b.manager.logger = logger
+
+ return b
+}
+
+// WithMetrics sets custom metrics
+func (b *ScanManagerBuilder) WithMetrics(metrics *models.Metrics) *ScanManagerBuilder {
+ if b.err != nil {
+ return b
+ }
+
+ if metrics == nil {
+ b.err = errors.ErrInvalidArgument.New("metrics cannot be nil")
+
+ return b
+ }
+
+ b.manager.metrics = metrics
+
+ return b
+}
+
+// Build creates the ScanManager instance
+func (b *ScanManagerBuilder) Build() (*ScanManager, error) {
+ if b.err != nil {
+ return nil, b.err
+ }
+
+ return b.manager, nil
+}
+
+func (sm *ScanManager) initBrowser(crawlCfg *config.CrawlConfiguration) error {
+ var err error
+
+ sm.browser, err = browser.New(sm.logger, crawlCfg)
+ if err != nil {
+ return errors.ErrFailedExecution.WrapWithNoMessage(err)
+ }
+
+ if err := sm.browser.Start(context.Background()); err != nil {
+ sm.browser.Close()
+
+ return errors.ErrFailedExecution.WrapWithNoMessage(err)
+ }
+
+ return nil
+}
+
+func (sm *ScanManager) initStorage(sysCfg *config.SystemConfiguration) error {
+ var err error
+
+ storage, err := storage.NewScanStorage(sysCfg, sm.metrics, sm.logger)
+ if err != nil {
+ return errors.ErrStorageSetup.WrapWithNoMessage(err)
+ }
+
+ sm.storage = &storage
+
+ err = sm.storage.BatchSession.Start()
+ if err != nil {
+ return errors.ErrStorageSetup.WrapWithNoMessage(err)
+ }
+
+ return nil
+}
+
+func (sm *ScanManager) initCrawler(sysCfg *config.SystemConfiguration, crawlCfg *config.CrawlConfiguration) error {
+ var err error
+
+ sm.crawler, err = crawler.New(
+ crawlCfg,
+ sysCfg,
+ crawler.WithStorage(sm.storage.Database, sm.storage.BatchSession),
+ crawler.WithLogger(sm.logger),
+ crawler.WithMetrics(sm.metrics),
+ crawler.WithHTTPClient(sm.httpClient),
+ crawler.WithBrowser(sm.browser),
+ )
+
+ if err != nil {
+ return errors.ErrFailedExecution.WrapWithNoMessage(err)
+ }
+
+ return nil
+}
+
+func (sm *ScanManager) initScanner() error {
+ var err error
+
+ sm.scanner, err = scanner.NewScanner(
+ sm.sysCfg,
+ sm.crawlCfg,
+ sm.pluginCfg,
+ sm.browser,
+ scanner.WithStorage(*sm.storage),
+ scanner.WithLogger(sm.logger),
+ scanner.WithHTTPClient(sm.httpClient),
+ )
+
+ if err != nil {
+ return errors.ErrFailedExecution.WrapWithNoMessage(err)
+ }
+
+ err = initializePluginsFromConfig(sm.scanner, sm.pluginCfg)
+ if err != nil {
+ return errors.ErrInitialisePlugin.WrapWithNoMessage(err)
+ }
+
+ return nil
+}
+
+func (sm *ScanManager) cleanup() error {
+ var errs []error
+
+ if sm.crawler != nil {
+ sm.crawler.Close()
+ }
+
+ if sm.scanner != nil {
+ sm.scanner.Stop()
+ }
+
+ if sm.storage != nil && sm.storage.BatchSession != nil {
+ sm.storage.BatchSession.Wait()
+
+ err := sm.storage.BatchSession.Stop()
+ if err != nil {
+ errs = append(errs, errors.ErrStorageSetup.WrapWithNoMessage(err))
+ }
+ }
+
+ if sm.browser != nil {
+ sm.browser.Close()
+ }
+
+ if len(errs) > 0 {
+ return errors.ErrFailedExecution.New("multiple cleanup errors occurred: %v", errs)
+ }
+
+ return nil
+}
+
+func (sm *ScanManager) Start() error {
+ err := sm.initBrowser(sm.crawlCfg)
+ if err != nil {
+ return err
+ }
+
+ err = sm.initStorage(sm.sysCfg)
+ if err != nil {
+ _ = sm.cleanup()
+
+ return err
+ }
+
+ err = sm.initCrawler(sm.sysCfg, sm.crawlCfg)
+ if err != nil {
+ _ = sm.cleanup()
+
+ return err
+ }
+
+ err = sm.initScanner()
+ if err != nil {
+ _ = sm.cleanup()
+
+ return err
+ }
+
+ // Start the crawl
+ output, err := sm.crawler.Start()
+ if err != nil {
+ _ = sm.cleanup()
+
+ return errors.ErrFailedExecution.WrapWithNoMessage(err)
+ }
+
+ sm.logger.Debugf("Crawl completed with metrics: %+v", output.Metrics)
+
+ if sm.sysCfg.ShouldExportMetrics() {
+ err := output.Metrics.ToJSONFile()
+
+ if err != nil {
+ return errors.ErrJSONMarshalling.WrapWithNoMessage(err)
+ }
+ }
+
+ if output.BenchmarkResults != nil {
+ sm.logger.Debugf("Benchmark results: %+v", output.BenchmarkResults)
+ }
+
+ return nil
+}
+
+func (sm *ScanManager) Stop() error {
+ if sm == nil {
+ return nil
+ }
+
+ return sm.cleanup()
+}
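Review bot: `cleanup()` is not idempotent, yet `Start()` calls it on every failure path and `Stop()` calls it again. A caller that does `defer sm.Stop()` and then sees `Start()` fail will run `BatchSession.Wait()`/`Stop()` and `browser.Close()` a second time on already-closed resources; set each field to nil after closing it, or guard `cleanup` with a `sync.Once`. Three smaller points: `Start()` returns `ErrJSONMarshalling` on the metrics export path without calling `cleanup()`, unlike every other error return in the function; in `initStorage`, `storage, err := storage.NewScanStorage(...)` shadows the imported package and `sm.storage = &storage` stores the address of that local, which `initScanner` then copies back out with `scanner.WithStorage(*sm.storage)`, so pick one representation; and `initBrowser(sm.crawlCfg)` / `initStorage(sm.sysCfg)` / `initCrawler(sm.sysCfg, sm.crawlCfg)` take parameters the receiver already holds, which invites passing a different config than the one `initScanner` reads from `sm`.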
diff --git a/pkg/scanner/scanner.go b/pkg/scanner/scanner.go
index c0a104f..6ef620a 100644
--- a/pkg/scanner/scanner.go
+++ b/pkg/scanner/scanner.go
@@ -676,6 +676,8 @@ func (s *Scanner) Stop() {
s.wg.Wait()
close(s.initialRequestQueue)
close(s.processedRequestQueue)
+
+ instance = nil
}
// Wait blocks until all workers have finished processing.
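Review bot: `instance = nil` resets a package-level singleton from `Stop()` with no synchronisation visible in this hunk. If `instance` is what `NewScanner` hands out, a `Stop()` racing with a `NewScanner` call from another goroutine is a data race (the e2e tests run with `-race` would show it); reset it under the same mutex or `sync.Once` that assigns it, or drop the singleton altogether now that `ScanManager` owns the `*Scanner`.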
diff --git a/tests/e2e/wallace_test.go b/tests/e2e/wallace_test.go
index 0e899e9..b8de5c8 100644
--- a/tests/e2e/wallace_test.go
+++ b/tests/e2e/wallace_test.go
@@ -550,31 +550,26 @@ type scanResults struct {
// }
// TestPlugins verifies that each plugin detects at least one vulnerability for each test path
-func TestPlugins(t *testing.T) { //nolint: paralleltest
- // Retrieve all available plugins without specific configurations
+func TestPlugins(t *testing.T) {
plugins := cli.BuildAllPlugins()
if len(plugins) == 0 {
t.Fatal("No plugins available to test")
}
- // Ensure that there are test paths to scan
if len(SiteURLs) == 0 {
t.Fatal("No site URLs available for scanning")
}
- // Iterate over each plugin and perform the test
- for _, plugin := range plugins { //nolint: paralleltest
+ for _, plugin := range plugins {
pluginName := plugin.Name()
t.Run(pluginName, func(t *testing.T) {
- // t.Parallel()
// Setup test environment for the current plugin
resultDir, dbPath, cleanup := setupTestEnvironment(t, pluginName)
defer cleanup()
- // Initialize plugin-specific configuration if needed
- // Currently, using default configurations
+ // Initialize plugin-specific configuration
pluginConfig := coreStructs.NewPluginConfigBuilder(pluginName).
WithCustomConfiguration(coreStructs.CustomPluginConfig{"name": pluginName}).
Build()
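Review bot: dropping `//nolint: paralleltest` from `TestPlugins` and from the `for _, plugin := range plugins` loop without adding `t.Parallel()` will make the `paralleltest` linter flag this test again if that linter is enabled in the repo's golangci configuration. Given that `Scanner.Stop` now resets a package-level `instance`, the subtests cannot safely run in parallel, so the right fix is to keep the directive with a reason (`//nolint:paralleltest // scanner singleton`) rather than to add `t.Parallel()`.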
@@ -595,7 +590,6 @@ func TestPlugins(t *testing.T) { //nolint: paralleltest
// Collect test URLs from initialized plugins' metadata
testURLs := collectTestURLs(pluginInstances)
- // Skip the test if no test URLs are defined for the plugin
if len(testURLs) == 0 {
t.Skipf("No test URLs defined for plugin '%s'. Skipping test.", pluginName)
}
@@ -606,11 +600,26 @@ func TestPlugins(t *testing.T) { //nolint: paralleltest
t.Fatalf("Failed to get default test config: %v", err)
}
- // Run the scan
- if err := cli.StartScan(sysConfig, crawlConfig, vulnConfig); err != nil {
+ // Create and start scanner using the new interface
+ scanner, err := cli.NewManagerBuilder(sysConfig, crawlConfig, vulnConfig).
+ Build()
+ if err != nil {
+ t.Fatalf("Failed to create scanner: %v", err)
+ }
+
+ // Start the scan
+ if err := scanner.Start(); err != nil {
t.Fatalf("Failed to start scan: %v", err)
}
+ // Ensure scanner is stopped after test
+ defer func() {
+ if err := scanner.Stop(); err != nil {
+ t.Errorf("Failed to stop scanner: %v", err)
+ }
+ }()
+
+ // Allow time for processing
time.Sleep(2 * time.Second)
// Verify results in the database
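Review bot: the shutdown ordering is inverted compared with the `cli.StartScan` this replaces. `StartScan` stopped the scanner and waited on `BatchSession` before returning, so the database was quiescent when the test read it; here `scanner.Stop()` is deferred until the subtest returns, so the vulnerability count below is read while batch writes may still be in flight, and `time.Sleep(2 * time.Second)` is standing in for the missing synchronisation. Call `scanner.Stop()` explicitly (and fail on its error) before the database is queried, and drop the sleep. Minor: the variable name `scanner` will shadow the `scanner` package if this file ever imports it.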
@@ -621,11 +630,11 @@ func TestPlugins(t *testing.T) { //nolint: paralleltest
// Assert that at least one vulnerability was found per test path
expectedVulns := len(testURLs)
- assert.GreaterOrEqual(t, vulnCount, expectedVulns, "Expected at least %d vulnerabilities", expectedVulns)
- time.Sleep(5 * time.Second)
+ assert.GreaterOrEqual(t, vulnCount, expectedVulns,
+ "Expected at least %d vulnerabilities", expectedVulns)
+
// Verify that result files are present
results := readScanResults(sysConfig.GetOutputDirectory())
assert.True(t, results.resultsFound, "Expected at least one result file")
})
}
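Review bot: removing `time.Sleep(5 * time.Second)` is right in principle, but it was the only delay before `readScanResults(sysConfig.GetOutputDirectory())`, and `scanner.Stop()` is still deferred at this point; if result files are produced by the batch session, this assertion now runs before `BatchSession.Wait()`. Stopping the manager before the result checks (rather than in a defer) fixes both this and the database read above.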
```
### OUTPUT:
```
refactor(cli): introduce ScanManager for scan lifecycle management
Introduced `ScanManager` which simplifies the scan initiation process and makes the scan modular (instead of a monolithic function that bubbles everything). The manager implements the `ScanManagerInterface`:
- **Start():** Initializes and starts the scan process.
- **Stop():** Gracefully terminates the scan process.
---
Structs:
- **ScanManager:** A new struct that manages the lifecycle of scanning components such as browser, crawler, scanner, storage, logger, and metrics.
- **ScanManagerBuilder:** A builder pattern implementation to construct a `ScanManager` with custom configurations.
```
Guidelines:
- Title should follow commit convention
- Description should be clear and business-focused
- Technical details should be organized in sections
- Use markdown formatting for readability
- Focus on architectural and behavioral changes
- Exclude trivial changes
- Keep descriptions concise but complete

View File

@ -0,0 +1,77 @@
---
model: ollama:pino-coder
temperature: 0
---
You are a documentation assistant skilled in writing professional, high-quality function documentation. Your task is to write top-level documentation for a given function, following these guidelines:
1. **High-Level Description**:
- Start with a concise, high-level summary of what the function does.
- Focus on *what* the function achieves rather than *how* it works internally.
- Avoid mentioning specific internal functions, algorithms, or implementation details.
2. **Parameters**:
- List all parameters with their names, types (if applicable), and purposes.
- Clearly describe what each parameter represents and how it is used.
3. **Return Values**:
- Explain what the function returns, including the type and purpose of each return value.
- If applicable, describe any errors or exceptions that might be returned and under what conditions.
4. **Notes**:
- Highlight any important behaviors, constraints, or side effects of the function.
- Mention whether the function modifies its inputs or is side-effect free.
5. **Style**:
- Use concise, professional language suitable for technical audiences.
- Structure the documentation clearly and logically for easy readability.
### INPUT:
```
func ReplaceAllRequestParameters(
req models.CrawlRequest, payload string,
) ([]models.CrawlRequest, error) {
requests := make([]models.CrawlRequest, 0, len(req.Path.Parameters))
for _, param := range req.Path.Parameters {
var modifiedParams []models.CrawlParameter
var err error
modifiedParams, err = ReplaceParameterValue(payload, &req, param.Name, "")
if err != nil {
return nil, err
}
modPluginRequest := SetParameters(req, modifiedParams)
requests = append(requests, modPluginRequest)
}
return requests, nil
}
```
### OUTPUT:
```
// ReplaceAllRequestParameters generates a new set of requests by replacing
// each parameter's value with the provided payload.
//
// This function iterates over all parameters in the given request and creates a new request for each parameter,
// replacing its value with the specified payload. The resulting requests are returned as a slice, leaving the original
// request unmodified.
//
// Parameters:
// - req (models.CrawlRequest): The original CrawlRequest containing parameters to be processed.
// - payload (string): The value to replace each parameter's value.
//
// Returns:
// - ([]models.CrawlRequest): A slice of new CrawlRequest instances, each with one parameter's value replaced by the payload.
// - (error): An error if any issue occurs during processing.
//
// Notes:
// - A new request is created for every parameter in the original request.
// - The function is side-effect free and does not modify the original `CrawlRequest`.
```

View File

@ -1,7 +1,28 @@
{ config, pkgs, ... }: { pkgs, ... }:
{ {
imports = [ ./zsh.nix ./git.nix ./helix.nix ]; imports = [
./zsh.nix
./git.nix
./helix.nix
];
home = { packages = with pkgs; [ rizin sshfs victor-mono home-manager ]; }; home = {
packages = with pkgs; [
rizin
sshfs
victor-mono
home-manager
ripgrep
ydiff
nix-index
pipenv
htop
glances
tree
]
++ lib.optional (!pkgs.stdenv.isDarwin) pastebinit;
stateVersion = "24.11";
};
} }
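Review bot: the argument set is reduced to `{ pkgs, ... }:`, but `lib` on the `++ lib.optional (!pkgs.stdenv.isDarwin) pastebinit` line is not a module argument either; it only resolves because `with pkgs;` extends over the whole `++` expression and `pkgs.lib` exists. That evaluates, but it is fragile and is exactly the `with`-scoping that nixd and statix warn about; take `lib` from the module arguments (`{ pkgs, lib, ... }:`) instead.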

View File

@ -9,7 +9,8 @@ let
name = "guake"; name = "guake";
package = pkgs.guake; package = pkgs.guake;
}); });
in { in
{
imports = [ ./gnome.nix ]; imports = [ ./gnome.nix ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;

27
roles/home/fish.nix Normal file
View File

@ -0,0 +1,27 @@
{ config, pkgs, lib, ... }:
{
home.packages = with pkgs; [ any-nix-shell fishPlugins.tide fishPlugins.bass fishPlugins.fzf-fish ];
programs.fish = {
enable = true;
shellAbbrs = {
"_" = "sudo";
};
shellInit = ''
# avoid macOS updates to destroy nix
# if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
# source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
# end
any-nix-shell fish --info-right | source
# source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
# disable autosuggestions
set -g fish_autosuggestion_enabled 0
'';
};
}
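Review bot: the commented-out `nix-daemon.sh` block cannot simply be uncommented, because that file is POSIX sh and fish cannot `source` it; that is presumably why `fishPlugins.bass` is in `home.packages`. Use it: `bass source /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh` inside an `if test -e ...; ...; end`, so a fish session on macOS keeps `nix` on PATH after an OS update the same way the zsh config does. Same for the commented `command-not-found.sh` line. `config` and `lib` in the argument set are unused.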

View File

@ -1,8 +1,8 @@
{ config, pkgs, lib, ... }: { { pkgs, ... }: {
programs.git = { programs.git = {
enable = true; enable = true;
userName = "Giulio De Pasquale"; userName = "Giulio De Pasquale";
userEmail = "depasquale+git@giugl.io"; userEmail = "git@depasquale.giugl.io";
extraConfig = { extraConfig = {
filter."lfs" = { filter."lfs" = {
process = "git-lfs filter-process"; process = "git-lfs filter-process";
@ -12,6 +12,11 @@
}; };
}; };
delta.enable = true; delta.enable = true;
lfs.enable = true;
aliases = {
ai = ''! cd -- "''${GIT_PREFIX:-.}" && git diff HEAD -- "$@" | aichat -m ollama:pino-coder -r commitmessage #'';
ais = ''! cd -- "''${GIT_PREFIX:-.}" && git diff --staged HEAD -- "$@" | aichat -m ollama:pino-coder -r commitmessage #'';
};
}; };
home.packages = [ pkgs.git-lfs ]; home.packages = [ pkgs.git-lfs ];
} }
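Review bot: `lfs.enable = true;` makes the hand-written `filter."lfs"` block in `extraConfig` redundant, because home-manager's `programs.git.lfs` writes the same `filter.lfs` settings and adds `git-lfs` to the profile, so `home.packages = [ pkgs.git-lfs ];` is redundant too; keep one of the two. On the `ai`/`ais` aliases: they pipe the complete diff into `aichat -m ollama:pino-coder -r commitmessage`, which is fine against a local Ollama, but if aichat's `ollama` client is configured with a remote endpoint the diff, including any secrets it touches, leaves the machine; worth a comment next to the alias. Note also that `ai` diffs against `HEAD`, so it includes unstaged changes, while `ais` is index-only.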

6
roles/home/go.nix Normal file
View File

@ -0,0 +1,6 @@
{ config, pkgs, lib, ... }: {
programs.go = {
enable = true;
goPath = ".local/share/go";
};
}

View File

@ -1,39 +1,61 @@
{ config, pkgs, ... }: { pkgs, ... }:
let
actualPkgs = pkgs.unstablePkgs;
lib = actualPkgs.lib;
nodePkgs = with actualPkgs.nodePackages; [
vscode-langservers-extracted
typescript
svelte-language-server
yaml-language-server
typescript-language-server
bash-language-server
];
py3 = actualPkgs.python3.withPackages (ps: with ps; [
python-lsp-server
python-lsp-ruff
pylsp-rope
rope
mypy
pylsp-mypy
]);
in
{ {
home = { home = {
packages = with actualPkgs; [
black
helix
clang-tools
rust-analyzer
nixd
texlab
nixpkgs-fmt
shellcheck
shfmt
gopls
golangci-lint
golangci-lint-langserver
py3
ruff
gh
gofumpt
taplo
docker-compose-language-service
mdformat
marksman
dockerfile-language-server-nodejs
] ++ nodePkgs;
sessionVariables = { sessionVariables = {
EDITOR = "hx"; EDITOR = "hx";
VISUAL = "hx"; VISUAL = "hx";
}; };
file.".config/helix/config.toml".text = '' file = {
theme = "monokai_pro_spectrum" ".config/helix/config.toml".text = lib.readFile ./helix/config.toml;
".config/helix/languages.toml".text = lib.readFile ./helix/languages.toml;
[editor] };
cursorline = true
true-color = true
[editor.cursor-shape]
insert = "bar"
normal = "block"
select = "underline"
[editor.lsp]
display-messages = true
[editor.indent-guides]
render = true
'';
packages = with pkgs.unstable; [
helix
clang-tools
rust-analyzer
rnix-lsp
python310Packages.python-lsp-server
texlab
nodePackages.typescript
];
}; };
} }
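Review bot: `".config/helix/config.toml".text = lib.readFile ./helix/config.toml` reads the file at evaluation time and embeds its contents; `home.file.<name>.source = ./helix/config.toml` gives the same result without the `readFile` and keeps the store path tied to the file. The hunk also renames the overlay attribute from `pkgs.unstable` (old `packages = with pkgs.unstable; [...]`) to `pkgs.unstablePkgs` (`actualPkgs = pkgs.unstablePkgs;`); make sure every other module that still references `pkgs.unstable` is updated in the same change, otherwise evaluation fails with an undefined attribute.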

View File

@ -0,0 +1,21 @@
theme = "monokai_pro_spectrum"
[editor]
cursorline = true
true-color = true
gutters = ["diff", "diagnostics", "line-numbers", "spacer"]
[editor.cursor-shape]
insert = "bar"
normal = "block"
select = "underline"
[editor.lsp]
display-messages = true
[editor.indent-guides]
render = true
[editor.statusline]
left = ["mode", "spinner"]
center = ["file-name"]

View File

@ -0,0 +1,36 @@
[[language]]
name = "nix"
formatter = { command = "nixpkgs-fmt" }
language-servers = ["nixd"]
[language-server.nixd]
command = "nixd"
[language-server.pylsp.config.pylsp.plugins]
ruff = { enabled = true }
rope = { enabled = true }
mypy = { enabled = true }
[[language]]
name = "bash"
formatter = { command = "shfmt", args = ["-s", "-ci", "-sr"] }
[[language]]
name = "go"
language-servers = ["gopls", "golangci-lint-langserver"]
[language-server.golangci-lint-langserver]
command = "golangci-lint-langserver"
[language-server.golangci-lint-langserver.config]
command = [
"golangci-lint",
"run",
"--out-format",
"json",
"--issues-exit-code=1",
]
[[language]]
name = "markdown"
formatter = { command = "mdformat", args = ["-"]}

View File

@ -0,0 +1,203 @@
create_pr_from_files() {
local TIMESTAMP=$(date +%Y%m%d%H%M%S)
local temp_branch="pr-${TIMESTAMP}-temp"
local pr_branch="pr-${TIMESTAMP}"
local base_branch="development"
local working_branch=$(git rev-parse --abbrev-ref HEAD)
local files=()
local expanded_files=()
local temp_branch_created=false
cleanup() {
git checkout "${working_branch}"
if [ "$temp_branch_created" = true ]; then
git checkout "${temp_branch}" -- "${expanded_files[@]}"
git restore --staged .
git branch -D "${temp_branch}"
fi
git branch -D "${pr_branch}"
}
handle_error() {
local error_msg="$1"
echo "Error: ${error_msg}"
cleanup
return 1
}
# Parse arguments
while [[ $# -gt 0 ]]; do
case $1 in
-b | --base)
base_branch="$2"
shift 2
;;
*)
files+=("$1")
shift
;;
esac
done
if [ ${#files[@]} -eq 0 ]; then
echo "Usage: create_pr_from_files <file1> [<file2> ...] [-b <base-branch>]"
return 1
fi
# Expand files and directories
for file in "${files[@]}"; do
if [ -d "$file" ]; then
while IFS= read -r line; do
expanded_files+=("$line")
done < <(find "$file" -type f)
else
expanded_files+=("$file")
fi
done
# Check if there are any uncommitted changes
if [ -n "$(git status -s)" ]; then
# Only create temp branch and backup if there are uncommitted changes
git checkout -b "$temp_branch" || (
handle_error "Failed to create temporary branch"
return $?
)
git commit -am "Backup changes" || (
handle_error "Failed to commit changes to temporary branch"
return $?
)
temp_branch_created=true
fi
# Get current branch and switch to base branch if needed
current_branch=$(git rev-parse --abbrev-ref HEAD)
if [ "$current_branch" != "$base_branch" ]; then
git checkout "$base_branch" || (
handle_error "Failed to checkout base branch"
return $?
)
git pull || (
handle_error "Failed to sync base branch"
return $?
)
fi
git checkout -b "$pr_branch" || (
handle_error "Failed to create PR branch"
return $?
)
# Restore files either from temp branch or original branch
if [ "$temp_branch_created" = true ]; then
git checkout "$temp_branch" -- "${expanded_files[@]}" || (
handle_error "Failed to restore specified files"
return $?
)
else
git checkout "$working_branch" -- "${expanded_files[@]}" || (
handle_error "Failed to restore specified files"
return $?
)
fi
# Verify files were staged
if [ -z "$(git diff --staged)" ]; then
handle_error "No files were staged. Aborting PR creation."
return $?
fi
# Generate commit message
echo "Generating commit message..."
local commit_message=$(git ais || handle_error "Failed to generate commit message.")
local commit_subject=$(echo "$commit_message" | head -n 1)
local commit_body=$(echo "$commit_message" | tail -n +2)
# Commit the specified files
git commit --edit -m "$commit_subject"$'\n\n'"$commit_body" || handle_error "Committing files failed."
if [ $? -ne 0 ]; then
handle_error "Committing files failed."
fi
# Push the PR branch to the remote repository
git push origin "$pr_branch" || handle_error "Failed to push PR branch"
# Create the pull request
gh pr create \
--base "$base_branch" \
--head "$pr_branch" || handle_error "Failed to create pull request"
echo "Pull request created successfully."
# Cleanup
cleanup
}
create_pr_from_commit() {
local commit_hash="$1"
local base_branch="${2:-development}"
if [ -z "$commit_hash" ]; then
echo "Usage: create_pr_from_commit <commit-hash> [<base-branch>]"
return 1
fi
# Check for uncommitted changes and stash them if any
local has_changes=false
if ! git diff --quiet || ! git diff --cached --quiet; then
echo "Stashing uncommitted changes..."
git stash push -u
has_changes=true
fi
# Create a new branch name based on the commit hash
local new_branch="pr-${commit_hash}"
# Checkout to the new branch and cherry-pick the commit
git checkout "$base_branch" && git checkout -b "$new_branch"
if ! git cherry-pick "$commit_hash"; then
echo "Cherry-picking failed. Cleaning up."
git checkout -
git branch -D "$new_branch"
if $has_changes; then
echo "Restoring stashed changes..."
git stash pop
fi
return 1
fi
git push origin "$new_branch"
local commit_message=$(git show -s --format=%B "$commit_hash")
local commit_subject=$(echo "$commit_message" | head -n 1)
local commit_body=$(echo "$commit_message" | tail -n +2)
gh pr create --base "$base_branch" --head "$new_branch" --title "$commit_subject" --body "$commit_body"
echo "Pull request created successfully."
if $has_changes; then
echo "Restoring stashed changes..."
git stash pop
fi
}
anonymize_multiple() {
while IFS= read -r line; do
result="$line"
# Simple sed with multiple patterns
echo "$result" | sed '
s/github.pie.apple.com/github.com/g;
s/Kerosene/org/g;
s/kerosene/org/g;
s/Shelob/example/g;
s/shelob/example/g;
'
done
}
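Review bot: error handling in `create_pr_from_files` does not abort on failure. Every `|| ( handle_error "..."; return $? )` runs both `handle_error` and `return` inside a subshell, so the `return` only leaves the subshell and the function carries on; after a failed `git checkout "$base_branch"`, for example, it goes on to create and push the PR branch from whatever is checked out. Use braces, `|| { handle_error "..."; return 1; }`. The same applies to `local commit_message=$(git ais || handle_error ...)`: `local` masks the exit status, and `handle_error` running inside `$()` performs its `git checkout`s in a subshell. `git commit --edit ... || handle_error "..."` followed by `if [ $? -ne 0 ]` tests the exit status of `handle_error`, so it is called twice. Second, `cleanup` can lose work: `git commit -am "Backup changes"` puts every modified tracked file on the temp branch, but cleanup restores only `"${expanded_files[@]}"` to the working branch and then runs `git branch -D "${temp_branch}"`, so uncommitted changes to files not passed as arguments survive only in the reflog, and untracked files are never backed up at all; restore the whole backup commit, or refuse to run on a dirty tree. In `create_pr_from_commit`, `"$commit_hash"` is used unresolved in `pr-${commit_hash}`, so `HEAD~1` or a tag name is rejected by `git checkout -b` (`~` is not allowed in ref names); resolve it with `git rev-parse --short "$commit_hash"` first, and check the `git checkout "$base_branch" && git checkout -b "$new_branch"` chain before cherry-picking. Minor: in `anonymize_multiple` the dots in `github.pie.apple.com` are unescaped regex metacharacters, and `sed` can read stdin directly instead of being spawned once per line.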

View File

@ -13,7 +13,13 @@
"192.35.222.32" = { "192.35.222.32" = {
user = "giulio"; user = "giulio";
identityFile = "~/.ssh/gitlab-ucsb"; identityFile = "~/.ssh/ucsb";
};
"ucsb-reynolds" = {
hostname = "128.111.49.76";
user = "giulio";
identityFile = "~/.ssh/ucsb";
}; };
"tommy.devs.giugl.io" = { "tommy.devs.giugl.io" = {
@ -114,7 +120,7 @@
"git.seclab.cs.ucsb.edu" = { "git.seclab.cs.ucsb.edu" = {
user = "peperunas"; user = "peperunas";
identityFile = "~/.ssh/gitlab-ucsb"; identityFile = "~/.ssh/ucsb";
}; };
"architect.devs.giugl.io" = { "architect.devs.giugl.io" = {
@ -141,6 +147,11 @@
identityFile = "~/.ssh/github"; identityFile = "~/.ssh/github";
}; };
"code.iti.illinois.edu" = {
user = "gitlab";
identityFile = "~/.ssh/github";
};
"git.ctf.necst.it" = { "git.ctf.necst.it" = {
user = "ctf"; user = "ctf";
identityFile = "~/.ssh/gitlab_necst"; identityFile = "~/.ssh/gitlab_necst";
@ -168,15 +179,24 @@
user = "aur"; user = "aur";
identityFile = "~/.ssh/aur"; identityFile = "~/.ssh/aur";
}; };
"ucsb-workstation.devs.giugl.io" = {
user = "giulio";
identityFile = "~/.ssh/ucsb";
forwardAgent = true;
};
}; };
extraConfig = '' extraConfig = ''
IdentitiesOnly yes IdentitiesOnly yes
ServerAliveInterval 3600 ServerAliveInterval 3600
'' + lib.optionalString pkgs.stdenv.isDarwin '' Include config.d/*
${if pkgs.stdenv.isDarwin then
''
AddKeysToAgent yes AddKeysToAgent yes
UseKeychain yes UseKeychain yes
TCPKeepAlive no TCPKeepAlive no
'' else ""}
''; '';
}; };
} }
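Review bot: `Include config.d/*` is appended after all the `Host` blocks. ssh_config uses the first value obtained for each option, so anything in `config.d/` that targets a host already matched above (or sets an option also given under `Host *`) is silently ignored; if the drop-in directory is meant to override, the `Include` has to be emitted before the match blocks, which `extraConfig` does not guarantee. `forwardAgent = true` on `ucsb-workstation.devs.giugl.io` lets anyone with root on that workstation use the forwarded keys for the life of the session; if the host is only a hop, `ProxyJump` avoids that exposure. And `code.iti.illinois.edu` reuses `~/.ssh/github`, so one private key now authenticates to two unrelated services; a per-service key keeps a compromise or revocation scoped, consistent with the dedicated `~/.ssh/ucsb`, `~/.ssh/aur` and `~/.ssh/gitlab_necst` keys elsewhere in this file.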

View File

@ -1,11 +1,35 @@
{ config, pkgs, lib, ... }: { { pkgs, ... }:
let
commitFunctions = pkgs.writeTextDir "bin/commits.sh" (builtins.readFile ./scripts/commits.sh);
in
{
home.packages = with pkgs; [ any-nix-shell ];
programs.zsh = { programs.zsh = {
enable = true; enable = true;
oh-my-zsh = { oh-my-zsh = {
enable = true; enable = true;
plugins = [ "git" "sudo" "docker" "docker-compose" "adb" "systemd" ]; plugins = [ "git" "sudo" "docker" "docker-compose" "systemd" ];
theme = "bira"; theme = "bira";
}; };
autosuggestion.enable = false;
dotDir = ".config/zsh";
initExtra = ''
# avoid macOS updates to destroy nix
if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
source '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
fi
any-nix-shell zsh --info-right | source /dev/stdin
source ${pkgs.nix-index}/etc/profile.d/command-not-found.sh
${if pkgs.stdenv.isDarwin then "export PATH=/opt/homebrew/opt/ruby/bin:/opt/homebrew/bin:/opt/homebrew/sbin:$PATH" else ""}
recap() { aichat -f "$@" ;}
source ${commitFunctions}/bin/commits.sh
'';
}; };
} }
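Review bot: on Darwin the `export PATH=/opt/homebrew/opt/ruby/bin:/opt/homebrew/bin:/opt/homebrew/sbin:$PATH` line runs after `nix-daemon.sh` and prepends Homebrew ahead of the Nix profile paths, so Homebrew copies of anything also managed through Nix (git from `programs.git`, for instance) win over the Nix versions; append the Homebrew directories instead, or prepend only the ruby path if that is the one that must come first. Also, `initExtra` runs in every interactive zsh, not just login shells, so `nix-daemon.sh` is re-sourced on each new terminal; harmless, but the file is idempotent only because it checks `__ETC_PROFILE_NIX_SOURCED`, worth a comment.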

View File

@ -1,8 +0,0 @@
{ ... }:
{
programs.zsh = {
enableBashCompletion = true;
enableCompletion = true;
};
}

BIN
secrets/matrix-synapse.age Normal file

Binary file not shown.

BIN
secrets/nextcloud-admin.age Normal file

Binary file not shown.

View File

@ -0,0 +1,27 @@
age-encryption.org/v1
-> ssh-rsa QXZdow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-> ssh-ed25519 7eGqHw AJlmB4Up3Zs4gNdfRRt8zZ5r1M8DcXSdj7B09VUlYCk
Vteh5QnSqhIrXm10zdOjP+Lhm3qwABqGgQFHfrnrjH4
-> ssh-rsa tO3rGg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--- TXLi+4AqW9L3grKPVMBDb75OHyjatQzBxUlI4Xe1eMw
ÛÞÁ }ccn‡ó…¹'ÏF¥At«5ËT Ƶ E]Òx7írÑ|kô§ÿ<C2A7><C3BF>µI°¼ú×%}´¿‰<C2BF>¬#=<3D>J.

29
secrets/ovh.age Normal file
View File

@ -0,0 +1,29 @@
age-encryption.org/v1
-> ssh-rsa QXZdow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-> ssh-ed25519 7eGqHw cCrhq1kfav4TYAUOpP4O6fQ958O37Uad2jX9SUrnxn4
TSiMyrYsdblB5SFwZpw7HhmicWX1vNomhBP4HtlvHJo
-> ssh-rsa tO3rGg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--- KYLAPCcTkg/tF2c2ni4UaBTV5AhUleg8GgJH0oRQSK0
½;¬jŒ<6A>a羄ïÓÄ<C393>5`hÂŒø»æy;JúãÈå³C¢µ‡£ÏwX:eßøw³ù»ÜH
L<EFBFBD>he­jCÓ2¨ì"#˵„=Î/Dzˆ1ÒÅÿ¼™^Nû$ÃéM·úqN…v1µØÁÇ”ç¸T¦ÌñÙ—Ç0FsÕ(WeõöË…¡˜Ý8|^iYFQæ3œ ¡Õ­
A¤1­ïEÜÂÚM_=;•¸×jFÜVý[Ýät°¬{© w×…Ê<E280A6>Ö)

View File

@ -0,0 +1,29 @@
age-encryption.org/v1
-> ssh-rsa QXZdow
muUhcAzcKFoopF3H69fYU/CzBezvnBhgBKUqmFqjWVpLpzU/h75DPUMZcpT59dP1
rjJw8KEevEn6wnEG6KM5X1qKlQGKNYv1Ei8bFZ2KkIHQol77KA4UwfJOkZ75miNI
ZqYN2YT1acBtZVQn4Z1nsg3BKMKBFQVEvBmNh2tV38Zgnw3bPU06BKX07/gbaYvd
JGFWDik92eVkgHO5LPiIgQEhP/blCv28ELZ9CkRJXmz6Z+r7AINfSUwhRTLSG3E9
D5mYFcFF7mdmH7BFEvuk1kJiIxlrQoMgDa/8csmAYr/ma8jAb0fUK1vih4vdYPGL
Q2lHQPXJ7eJoYtn9mP3Bo8mRVuwYHyaSyKMxt3UEgCPJ4QI6N23Z7+7j9hJw9rNK
z9yheUaw8srCDz+ZLeSFvZ/gNLT7moTBYnjYPnsx3kYqKLNHyzTBKtbtQhI0PIkO
9ezOmH6GBqocEjA8XZ49VgB9+NWr/UVXI9qx+TNUTTzFyAZstcqOn32xCaRzPSBw
cpgPyIgWJ7wVOAWsevBSNqSntew0PCrStWKODiHGen3Z3lOCKeQloD9ANuF90iT8
7Ub0aGHMSlb3V6vX6lexc6mLF//ybtpvZ2FSyZfnj2iJRu8FAGdYpN5Ci9pfaTgF
v5CcQ+PqyyvPTgWBY4R244Vg4WKfvua65GAL8oxTERs
-> ssh-ed25519 7eGqHw I5j3zjd1QQzfFQXjZx8bC+wH3HkGOx2tJHlYax8pfTI
0+fXs8fEBjTXvLaTZH2QDWUIOT6+ZakpVyWGhOIm5Z0
-> ssh-rsa tO3rGg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--- AOqar+uICSyq8I8qWgkRiMW2dY73yezKi0RHaTmsbC4
 Qcv"àð·i;ïÕ`6Ï?]ÎÐ…èǹ# {œÛ¡<C39B>ËÎ^Q†Y<E280A0>;<¯ª:¬³~Þr~bœ¨Á_ÈÊÅ#š>é­3¨`RtYk™“”†»è~Cú<43>S÷tô5Êt<C38A>Úå1}ÊBQññ
Ç †l
²Ý„›!87ùP

View File

@ -0,0 +1,28 @@
age-encryption.org/v1
-> ssh-rsa QXZdow
tEqh6kH9Ctbirf94dBBvdYkYABBvkQYqoZEo7a3/EnFlwvkDxZoo9O8WiQ+fLhOI
jrAmdezC11UcvZK0D4KN34S1VgnQWwChTuOMWy5oTl9195GJm/1PQq8iyHFmCK63
DdZXE+MPbawlA/T+rsQghBX3TwNMYhfPw8+qfMC4A+5KhWzDPLYVidUvM2QwnoDZ
Zthek8bAOhwF/wZH7SI7QTQwe3x3kUyP3SbVipwguctRP7mNtRj/roVrfUoig7/L
SywHYmeBG6Z3kuWABoQIjF6TKS4No5NH5VKdJCtGlsSRUqJHa1GojSZUzgu0ARRK
v/Z/E6b64CnDZ1E+nZLr54PmrgjRbStqyvMxoQwYzu01TE6NU0h7aAgvk+S0AncK
AYgEkmsXxkYMSM0qUFvcGILNU5ZtyvhwS61Q13bZNM3+0CGcSv8lhQmJFrZbePmV
A1Jh+8JCxVJnNyEXLGPoofM8ds5Gtc35Iu5it5z2ZzJ3V1pRwTPzVlSuY1AygSvh
OTKg9kH4V3J311M0HJfG8CkOp8W1AvAfWagB9Y+E2KsL9riKpd9W+Rz6qB+u+q6r
bjKNy8oBEJ2xp9RAihQASeaBjK7v5bsgKy7L5GVVs9505pcKFOyWTVnbNdKsYYKs
sHW/dTVAGxf/SYz1cEpsp3ZPUe15h5+CuLf7OhI1RzI
-> ssh-ed25519 7eGqHw ws0TYpN8wBvtmJE2EsFF0Oz0v0kp/SN8nrc9eibd6m4
JKrIKa7Qescecpw5jkFcW4SgTaTtW3CocEg57rdS3A8
-> ssh-rsa tO3rGg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--- cnd5/PWhWOHduSN+0fU4D3V2iLQE70ZSwBN8dW+YCw8
üÂTˆç"ÌHI+Ø ã‡ó^qmÆtê³Ý Y6_é½& %`ɱÝúâ­/ý¹æÅbd‡œ‡ãy4kˆ
YՌ

15
secrets/secrets.nix Normal file
View File

@ -0,0 +1,15 @@
let
pubkeyModule = import ../hosts/pubkeys.nix;
pubkeys = [
pubkeyModule.macbook
] ++ pubkeyModule.groups.architect;
in
{
"matrix-synapse.age".publicKeys = pubkeys;
"teslamate.age".publicKeys = pubkeys;
"nextcloud-admin.age".publicKeys = pubkeys;
"nextcloud-database.age".publicKeys = pubkeys;
"restic-environment.age".publicKeys = pubkeys;
"restic-passwords.age".publicKeys = pubkeys;
"ovh.age".publicKeys = pubkeys;
}
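Review bot: every entry in `secrets.nix` uses the same `pubkeys` list (the macbook key plus all of `groups.architect`), so each host in the group can decrypt every secret, `ovh.age` and the restic credentials included, whether or not it consumes them. agenix evaluates `publicKeys` per file, so scope each secret to the host(s) that actually use it, and keep the macbook key only where rekeying from the laptop is needed; that bounds what a compromise of any single host key exposes. The `.age` files in this change each carry three recipient stanzas (two `ssh-rsa`, one `ssh-ed25519`), which is consistent with the list as written; when the group changes, run `agenix -r` so existing files pick up the new recipient set.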

27
secrets/teslamate.age Normal file
View File

@ -0,0 +1,27 @@
age-encryption.org/v1
-> ssh-rsa QXZdow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-> ssh-ed25519 7eGqHw 9InUXz9Z8OvxNqVYckohNJYgFndSU5WH9VO9f4KnjhQ
lfE8tuSjZ5xJ19xzONy78dOzqZjqAk8RENdhBXoAXKY
-> ssh-rsa tO3rGg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--- fbeSdbhIc1G8BtYb99EUWMDa5Zgu2Pd1b2EL9mEs80Y
å‡; ÅÞøg üâ’gÔ1jìÔ·bý* g1<H<>/ -»óœ3¸Yøxó,oCÿ#^Nó<4E>Šý…€‰ˆ]¯ˆ$Çô«í½e· ãóPÿ\¦)X- Pþÿ¶Ê I•´Êä/íD]Bz¦ùB<C3B9>à ¾¶ôg¨rÓòž÷šT<>ý>ÁRéîæÌ…òå3½6