mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

feat: update flake and add actual

Browse source
This commit is contained in:
oddlama 2024-10-11 01:49:04 +02:00
parent 4cbbd2f871
commit f535c8d557
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
36 changed files with 845 additions and 208 deletions
Download patch file Download diff file Expand all files Collapse all files

1
config/users.nix
View file

@ -36,5 +36,6 @@
netbird-home = uidGid 973; netbird-home = uidGid 973;
gamemode = uidGid 972; gamemode = uidGid 972;
plausible = uidGid 971; plausible = uidGid 971;
actual = uidGid 970;
}; };
} }

288
flake.lock generated
View file

@ -51,11 +51,11 @@
"pre-commit-hooks": "pre-commit-hooks" "pre-commit-hooks": "pre-commit-hooks"
}, },
"locked": { "locked": {
"lastModified": 1725722682, "lastModified": 1727102360,
"narHash": "sha256-AzBlGNCl20Rb3XQQNcTofntkZnaYolanvMJrADH11vM=", "narHash": "sha256-ZDqf33OAsr46TlP7TXbxmEf48xenYA3iSLs9441fYbQ=",
"owner": "oddlama", "owner": "oddlama",
"repo": "agenix-rekey", "repo": "agenix-rekey",
"rev": "10ea05a0077aefe03b443fdb63b58ab78d0440f3", "rev": "62da71e7eadf6b9b52e831d2e516937c30a5f712",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -98,30 +98,14 @@
"type": "github" "type": "github"
} }
}, },
"base16-foot": {
"flake": false,
"locked": {
"lastModified": 1696725948,
"narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=",
"owner": "tinted-theming",
"repo": "base16-foot",
"rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-foot",
"type": "github"
}
},
"base16-helix": { "base16-helix": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1720809814, "lastModified": 1725860795,
"narHash": "sha256-numb3xigRGnr/deF7wdjBwVg7fpbTH7reFDkJ75AJkY=", "narHash": "sha256-Z2o8VBPW3I+KKTSfe25kskz0EUj7MpUh8u355Z1nVsU=",
"owner": "tinted-theming", "owner": "tinted-theming",
"repo": "base16-helix", "repo": "base16-helix",
"rev": "34f41987bec14c0f3f6b2155c19787b1f6489625", "rev": "7f795bf75d38e0eea9fed287264067ca187b88a9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -130,38 +114,6 @@
"type": "github" "type": "github"
} }
}, },
"base16-kitty": {
"flake": false,
"locked": {
"lastModified": 1665001328,
"narHash": "sha256-aRaizTYPpuWEcvoYE9U+YRX+Wsc8+iG0guQJbvxEdJY=",
"owner": "kdrag0n",
"repo": "base16-kitty",
"rev": "06bb401fa9a0ffb84365905ffbb959ae5bf40805",
"type": "github"
},
"original": {
"owner": "kdrag0n",
"repo": "base16-kitty",
"type": "github"
}
},
"base16-tmux": {
"flake": false,
"locked": {
"lastModified": 1696725902,
"narHash": "sha256-wDPg5elZPcQpu7Df0lI5O8Jv4A3T6jUQIVg63KDU+3Q=",
"owner": "tinted-theming",
"repo": "base16-tmux",
"rev": "c02050bebb60dbb20cb433cd4d8ce668ecc11ba7",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "base16-tmux",
"type": "github"
}
},
"base16-vim": { "base16-vim": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -291,11 +243,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722113426, "lastModified": 1728330715,
"narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
"owner": "numtide", "owner": "numtide",
"repo": "devshell", "repo": "devshell",
"rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -356,11 +308,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722113426, "lastModified": 1728330715,
"narHash": "sha256-Yo/3loq572A8Su6aY5GP56knpuKYRvM2a1meP9oJZCw=", "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
"owner": "numtide", "owner": "numtide",
"repo": "devshell", "repo": "devshell",
"rev": "67cce7359e4cd3c45296fb4aaf6a19e2a9c757ae", "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -398,11 +350,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1725377834, "lastModified": 1728334376,
"narHash": "sha256-tqoAO8oT6zEUDXte98cvA1saU9+1dLJQe3pMKLXv8ps=", "narHash": "sha256-CTKEKPzD/j8FK6H4DO3EjyixZd3HHvgAgfnCwpGFP5c=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "e55f9a8678adc02024a4877c2a403e3f6daf24fe", "rev": "d39ee334984fcdae6244f5a8e6ab857479cbaefe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -622,11 +574,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1725234343, "lastModified": 1727826117,
"narHash": "sha256-+ebgonl3NbiKD2UD0x4BszCZQ6sTfL4xioaM49o5B3Y=", "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "567b938d64d4b4112ee253b9274472dc3a346eb6", "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -661,11 +613,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722555600, "lastModified": 1727826117,
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d", "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -697,11 +649,11 @@
"nixpkgs-lib": "nixpkgs-lib_4" "nixpkgs-lib": "nixpkgs-lib_4"
}, },
"locked": { "locked": {
"lastModified": 1719994518, "lastModified": 1726153070,
"narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -859,11 +811,11 @@
"systems": "systems_11" "systems": "systems_11"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1726560853,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -926,11 +878,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1724857454, "lastModified": 1728092656,
"narHash": "sha256-Qyl9Q4QMTLZnnBb/8OuQ9LSkzWjBU1T5l5zIzTxkkhk=", "narHash": "sha256-eMeCTJZ5xBeQ0f9Os7K8DThNVSo9gy4umZLDfF5q6OM=",
"owner": "cachix", "owner": "cachix",
"repo": "git-hooks.nix", "repo": "git-hooks.nix",
"rev": "4509ca64f1084e73bc7a721b20c669a8d4c5ebe6", "rev": "1211305a5b237771e13fcca0c51e60ad47326a9a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1138,11 +1090,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1725893417, "lastModified": 1728337164,
"narHash": "sha256-fj2LxTZAncL/s5NrtXe1nLfO0XDvRixtCu3kmV9jDPw=", "narHash": "sha256-VdRTjJFyq4Q9U7Z/UoC2Q5jK8vSo6E86lHc2OanXtvc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "10541f19c584fe9633c921903d8c095d5411e041", "rev": "038630363e7de57c36c417fd2f5d7c14773403e4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1159,11 +1111,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1724435763, "lastModified": 1728337164,
"narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=", "narHash": "sha256-VdRTjJFyq4Q9U7Z/UoC2Q5jK8vSo6E86lHc2OanXtvc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be", "rev": "038630363e7de57c36c417fd2f5d7c14773403e4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1197,11 +1149,11 @@
}, },
"impermanence": { "impermanence": {
"locked": { "locked": {
"lastModified": 1725690722, "lastModified": 1727649413,
"narHash": "sha256-4qWg9sNh5g1qPGO6d/GV2ktY+eDikkBTbWSg5/iD2nY=", "narHash": "sha256-FA53of86DjFdeQzRDVtvgWF9o52rWK70VHGx0Y8fElQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "impermanence", "repo": "impermanence",
"rev": "63f4d0443e32b0dd7189001ee1894066765d18a5", "rev": "d0b38e550039a72aff896ee65b0918e975e6d48e",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1232,11 +1184,11 @@
"spectrum": "spectrum" "spectrum": "spectrum"
}, },
"locked": { "locked": {
"lastModified": 1725664757, "lastModified": 1728349983,
"narHash": "sha256-kUMgeF3hHJM8aBpdazNgtCeeOTrWext6lHfrYmC6otU=", "narHash": "sha256-VRQm46/W29z87IeITfvxIrS6LUEItgDtEDzqVX59q0E=",
"owner": "astro", "owner": "astro",
"repo": "microvm.nix", "repo": "microvm.nix",
"rev": "caac7808d1e31f8a0fa408338cd3736947cb226d", "rev": "470537e671d743f40812b9c071a4130eabdb3deb",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1293,11 +1245,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1724561770, "lastModified": 1728385805,
"narHash": "sha256-zv8C9RNa86CIpyHwPIVO/k+5TfM8ZbjGwOOpTe1grls=", "narHash": "sha256-mUd38b0vhB7yzgAjNOaFz7VY9xIVzlbn3P2wjGBcVV0=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "ac5694a0b855a981e81b4d9f14052e3ff46ca39e", "rev": "48b50b3b137be5cfb9f4d006835ce7c3fe558ccc",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1313,11 +1265,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1725765290, "lastModified": 1728263287,
"narHash": "sha256-hwX53i24KyWzp2nWpQsn8lfGQNCP0JoW/bvQmcR1DPY=", "narHash": "sha256-GJDtsxz2/zw6g/Nrp4XVWBS5IaZ7ZUkuvxPOBEDe7pg=",
"owner": "Mic92", "owner": "Mic92",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "642275444c5a9defce57219c944b3179bf2adaa9", "rev": "5fce10c871bab6d7d5ac9e5e7efbb3a2783f5259",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1351,11 +1303,11 @@
}, },
"nixlib": { "nixlib": {
"locked": { "locked": {
"lastModified": 1725757153, "lastModified": 1728176478,
"narHash": "sha256-c1a6iLmCVPFI9EUVMrBN8xdmFxFXEjcVwiTSVmqajOs=", "narHash": "sha256-px3Q0W//c+mZ4kPMXq4poztsjtXM1Ja1rN+825YMDUQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "68584f89dd0eb16fea5d80ae127f3f681f6a5df7", "rev": "b61309c3c1b6013d36299bc8285612865b3b9e4c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1375,11 +1327,11 @@
"pre-commit-hooks": "pre-commit-hooks_5" "pre-commit-hooks": "pre-commit-hooks_5"
}, },
"locked": { "locked": {
"lastModified": 1723133809, "lastModified": 1728505352,
"narHash": "sha256-CUx2HOkP6Gsd7Hi+jPgm57P9Kgq0dxRG8UrxLhjDmr8=", "narHash": "sha256-rhiGjMfjMzayx9YJwWl53QXGWGrI9VgurB1eo7mGFm8=",
"owner": "oddlama", "owner": "oddlama",
"repo": "nixos-extra-modules", "repo": "nixos-extra-modules",
"rev": "2dfcc1f7de2cb36566c5f1b48986dd4555a173dc", "rev": "4bcc7dd2a113a7bf71bcc4707f384ac2c34891d4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1396,11 +1348,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1725843519, "lastModified": 1728522165,
"narHash": "sha256-Z6DglUwgFDz6fIvQ89wx/uBVWrGvEGECq0Ypyk/eigE=", "narHash": "sha256-UQpsJ0Ev6JBGsCYRlS2oOVvb+eWcDD0xTV3RVlqbeVU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixos-generators", "repo": "nixos-generators",
"rev": "214efbd73241d72a8f48b8b9a73bb54895cd51a7", "rev": "40c8d30c490414910fc63626ad1b67af7db40cd3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1411,11 +1363,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1725885300, "lastModified": 1728269138,
"narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=", "narHash": "sha256-oKxDImsOvgUZMY4NwXVyUc/c1HiU2qInX+b5BU0yXls=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e", "rev": "ecfcd787f373f43307d764762e139a7cdeb9c22b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1463,14 +1415,14 @@
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1725233747, "lastModified": 1727825735,
"narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=", "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
} }
}, },
"nixpkgs-lib_2": { "nixpkgs-lib_2": {
@ -1499,14 +1451,14 @@
}, },
"nixpkgs-lib_4": { "nixpkgs-lib_4": {
"locked": { "locked": {
"lastModified": 1719876945, "lastModified": 1725233747,
"narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", "narHash": "sha256-Ss8QWLXdr2JCBPcYChJhz4xJm+h/xjl4G0c0XlP6a74=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/356624c12086a18f2ea2825fed34523d60ccc4e3.tar.gz"
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
@ -1623,11 +1575,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1725634671, "lastModified": 1728492678,
"narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=", "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c", "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1668,11 +1620,11 @@
"treefmt-nix": "treefmt-nix" "treefmt-nix": "treefmt-nix"
}, },
"locked": { "locked": {
"lastModified": 1725921389, "lastModified": 1728485062,
"narHash": "sha256-RBpN0ToD8O3qniBjqUiB1d2/LQJt5kH5P3Gt6dF91L0=", "narHash": "sha256-+2e9hAM2GVDF3gywdQI/OA7s4f0Z9rvFuiVxePI41QM=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixvim", "repo": "nixvim",
"rev": "facf6b2d0c9e22d858956d1d458eac6baf155a08", "rev": "61ec39764fbe1e4f21cf801ea7b9209d527c8135",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1690,11 +1642,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1724584782, "lastModified": 1728423244,
"narHash": "sha256-7FfHv7b1jwMPSu9SPY9hdxStk8E6EeSwzqdvV69U4BM=", "narHash": "sha256-+YwNsyIFj3dXyLVQd1ry4pCNmtOpbceKUrkNS8wp9Ho=",
"owner": "NuschtOS", "owner": "NuschtOS",
"repo": "search", "repo": "search",
"rev": "5a08d691de30b6fc28d58ce71a5e420f2694e087", "rev": "f276cc3b391493ba3a8b30170776860f9520b7fa",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1871,11 +1823,11 @@
"nixpkgs-stable": "nixpkgs-stable_6" "nixpkgs-stable": "nixpkgs-stable_6"
}, },
"locked": { "locked": {
"lastModified": 1725513492, "lastModified": 1728092656,
"narHash": "sha256-tyMUA6NgJSvvQuzB7A1Sf8+0XCHyfSPRx/b00o6K0uo=", "narHash": "sha256-eMeCTJZ5xBeQ0f9Os7K8DThNVSo9gy4umZLDfF5q6OM=",
"owner": "cachix", "owner": "cachix",
"repo": "pre-commit-hooks.nix", "repo": "pre-commit-hooks.nix",
"rev": "7570de7b9b504cfe92025dd1be797bf546f66528", "rev": "1211305a5b237771e13fcca0c51e60ad47326a9a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -2023,11 +1975,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1722391647, "lastModified": 1727663505,
"narHash": "sha256-JTi7l1oxnatF1uX/gnGMlRnyFMtylRw4MqhCUdoN2K4=", "narHash": "sha256-83j/GrHsx8GFUcQofKh+PRPz6pz8sxAsZyT/HCNdey8=",
"owner": "oxalica", "owner": "oxalica",
"repo": "rust-overlay", "repo": "rust-overlay",
"rev": "0fd4a5d2098faa516a9b83022aec7db766cd1de8", "rev": "c2099c6c7599ea1980151b8b6247a8f93e1806ee",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -2080,10 +2032,7 @@
"inputs": { "inputs": {
"base16": "base16", "base16": "base16",
"base16-fish": "base16-fish", "base16-fish": "base16-fish",
"base16-foot": "base16-foot",
"base16-helix": "base16-helix", "base16-helix": "base16-helix",
"base16-kitty": "base16-kitty",
"base16-tmux": "base16-tmux",
"base16-vim": "base16-vim", "base16-vim": "base16-vim",
"flake-compat": "flake-compat_9", "flake-compat": "flake-compat_9",
"flake-utils": "flake-utils_9", "flake-utils": "flake-utils_9",
@ -2094,14 +2043,17 @@
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"systems": "systems_12" "systems": "systems_12",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty",
"tinted-tmux": "tinted-tmux"
}, },
"locked": { "locked": {
"lastModified": 1725290973, "lastModified": 1728487226,
"narHash": "sha256-+jwXF9KI0HfvDgpsoJGvOdfOGGSKOrID1wQB79zjUbo=", "narHash": "sha256-gTOUdO94Y24QgnPVnHTQ/Kch0eM6pHEk/c1WoIxg+qE=",
"owner": "danth", "owner": "danth",
"repo": "stylix", "repo": "stylix",
"rev": "ef81ad9e85e60420cc83d4642619c14b57139d33", "rev": "5699ba97c60455ebafde0fd4e78ca0a2e5a58282",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -2305,6 +2257,54 @@
"type": "github" "type": "github"
} }
}, },
"tinted-foot": {
"flake": false,
"locked": {
"lastModified": 1696725948,
"narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=",
"owner": "tinted-theming",
"repo": "tinted-foot",
"rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "tinted-foot",
"type": "github"
}
},
"tinted-kitty": {
"flake": false,
"locked": {
"lastModified": 1727867815,
"narHash": "sha256-cghdwzPyve13JFeW+Mpqy/sDswlJ4DTffY24R0R7r/U=",
"owner": "tinted-theming",
"repo": "tinted-kitty",
"rev": "81b15cb9eb696247af857808d37122188423f73b",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "tinted-kitty",
"type": "github"
}
},
"tinted-tmux": {
"flake": false,
"locked": {
"lastModified": 1696725902,
"narHash": "sha256-wDPg5elZPcQpu7Df0lI5O8Jv4A3T6jUQIVg63KDU+3Q=",
"owner": "tinted-theming",
"repo": "tinted-tmux",
"rev": "c02050bebb60dbb20cb433cd4d8ce668ecc11ba7",
"type": "github"
},
"original": {
"owner": "tinted-theming",
"repo": "tinted-tmux",
"type": "github"
}
},
"treefmt": { "treefmt": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -2335,11 +2335,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1724833132, "lastModified": 1727984844,
"narHash": "sha256-F4djBvyNRAXGusJiNYInqR6zIMI3rvlp6WiKwsRISos=", "narHash": "sha256-xpRqITAoD8rHlXQafYZOLvUXCF6cnZkPfoq67ThN0Hc=",
"owner": "numtide", "owner": "numtide",
"repo": "treefmt-nix", "repo": "treefmt-nix",
"rev": "3ffd842a5f50f435d3e603312eefa4790db46af5", "rev": "4446c7a6fc0775df028c5a3f6727945ba8400e64",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -2380,11 +2380,11 @@
"rust-overlay": "rust-overlay_3" "rust-overlay": "rust-overlay_3"
}, },
"locked": { "locked": {
"lastModified": 1723726454, "lastModified": 1727849733,
"narHash": "sha256-CdsBLja4rJ7VPvtsivyZm9VFKAt4hzL3jZbKrfiDvsQ=", "narHash": "sha256-mqxs/nyzOEKiBHa94OtcOLYBXd65P8tO4DUVTHWHn6o=",
"owner": "Toqozz", "owner": "Toqozz",
"repo": "wired-notify", "repo": "wired-notify",
"rev": "946adddcb704806195d976b738066f591b41b7d4", "rev": "a1f6965737754e7424f9468f6befef885a9ee0ad",
"type": "github" "type": "github"
}, },
"original": { "original": {

13
hosts/kroma/default.nix
View file

@ -107,10 +107,11 @@
programs.nix-ld.enable = true; programs.nix-ld.enable = true;
topology.self.icon = "devices.desktop"; topology.self.icon = "devices.desktop";
#virtualisation.containers.enable = true; hardware.nvidia-container-toolkit.enable = true;
#virtualisation.podman = { virtualisation.containers.enable = true;
# enable = true; virtualisation.podman = {
# dockerCompat = true; enable = true;
# defaultNetwork.settings.dns_enabled = true; dockerCompat = true;
#}; defaultNetwork.settings.dns_enabled = true;
};
} }

2
hosts/sire/default.nix
View file

@ -26,6 +26,7 @@
nixpkgs.hostPlatform = "x86_64-linux"; nixpkgs.hostPlatform = "x86_64-linux";
boot.mode = "efi"; boot.mode = "efi";
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "e1000e" "alx"]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "e1000e" "alx"];
systemd.units."dev-tpmrm0.device".enable = false; # https://github.com/systemd/systemd/issues/33412
meta.promtail = { meta.promtail = {
enable = true; enable = true;
@ -121,6 +122,7 @@
in in
lib.mkIf (!minimal) ( lib.mkIf (!minimal) (
{} {}
// mkMicrovm "actual" {}
// mkMicrovm "samba" { // mkMicrovm "samba" {
enableStorageDataset = true; enableStorageDataset = true;
enableBunkerDataset = true; enableBunkerDataset = true;

66
hosts/sire/guests/actual.nix Normal file
View file

@ -0,0 +1,66 @@
{
config,
globals,
nodes,
...
}: let
actualDomain = "finance.${globals.domains.me}";
in {
wireguard.proxy-sentinel = {
client.via = "sentinel";
firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.actual.settings.port];
};
environment.persistence."/persist".directories = [
{
directory = "/var/lib/actual";
mode = "0700";
user = "actual";
group = "actual";
}
];
services.actual = {
enable = true;
settings.trustedProxies = [nodes.sentinel.config.wireguard.proxy-sentinel.ipv4];
};
globals.services.actual.domain = actualDomain;
globals.monitoring.http.actual = {
url = "https://${actualDomain}/";
expectedBodyRegex = "Actual";
network = "internet";
};
nodes.sentinel = {
services.nginx = {
upstreams.actual = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.actual.settings.port}" = {};
extraConfig = ''
zone actual 64k;
keepalive 2;
'';
monitoring = {
enable = true;
expectedBodyRegex = "Actual";
};
};
virtualHosts.${actualDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
# oauth2 = {
# enable = true;
# allowedGroups = ["access_openwebui"];
# X-Email = "\${upstream_http_x_auth_request_preferred_username}@${globals.domains.personal}";
# };
extraConfig = ''
client_max_body_size 256M;
'';
locations."/" = {
proxyPass = "http://actual";
proxyWebsockets = true;
};
};
};
};
}

2
hosts/sire/guests/immich.nix
View file

@ -111,7 +111,7 @@
processedConfigFile = "/run/agenix/immich.config.json"; processedConfigFile = "/run/agenix/immich.config.json";
version = "v1.114.0"; version = "v1.117.0";
environment = { environment = {
DB_DATABASE_NAME = "immich"; DB_DATABASE_NAME = "immich";
DB_HOSTNAME = ipImmichPostgres; DB_HOSTNAME = ipImmichPostgres;

121
hosts/sire/guests/samba.nix
View file

@ -70,6 +70,9 @@
} }
); );
in { in {
# For influxdb communication channel
wireguard.proxy-home.client.via = "ward";
age.secrets."samba-passdb.tdb" = { age.secrets."samba-passdb.tdb" = {
rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age"; rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age";
mode = "600"; mode = "600";
@ -145,72 +148,76 @@ in {
# Disable Samba's nmbd, because we don't want to reply to NetBIOS over IP # Disable Samba's nmbd, because we don't want to reply to NetBIOS over IP
# requests, since all of our clients hardcode the server shares. # requests, since all of our clients hardcode the server shares.
enableNmbd = false; nmbd.enable = false;
# Disable Samba's winbindd, which provides a number of services to the Name # Disable Samba's winbindd, which provides a number of services to the Name
# Service Switch capability found in most modern C libraries, to arbitrary # Service Switch capability found in most modern C libraries, to arbitrary
# applications via PAM and ntlm_auth and to Samba itself. # applications via PAM and ntlm_auth and to Samba itself.
enableWinbindd = false; winbindd.enable = false;
extraConfig = lib.concatLines [ settings = lib.mkMerge ([
# Show the server host name in the printer comment box in print manager {
# and next to the IPC connection in net view. global = {
"server string = SambaOelig" # Show the server host name in the printer comment box in print manager
# Set the NetBIOS name by which the Samba server is known. # and next to the IPC connection in net view.
"netbios name = SambaOelig" "server string" = "SambaOelig";
# Disable netbios support. We don't need to support browsing since all # Set the NetBIOS name by which the Samba server is known.
# clients hardcode the host and share names. "netbios name" = "SambaOelig";
"disable netbios = yes" # Disable netbios support. We don't need to support browsing since all
# Deny access to all hosts by default. # clients hardcode the host and share names.
"hosts deny = 0.0.0.0/0" "disable netbios" = "yes";
# Allow access to local network and TODO: wireguard # Deny access to all hosts by default.
"hosts allow = ${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}" "hosts deny" = "0.0.0.0/0";
# Don't advertise inaccessible shares to users # Allow access to local network and TODO: wireguard
"access based share enum = yes" "hosts allow" = "${globals.net.home-lan.cidrv4} ${globals.net.home-lan.cidrv6}";
# Don't advertise inaccessible shares to users
"access based share enum" = "yes";
# Set sane logging options # Set sane logging options
"log level = 0 auth:2 passdb:2" "log level" = "0 auth:2 passdb:2";
"log file = /dev/null" "log file" = "/dev/null";
"max log size = 0" "max log size" = "0";
"logging = systemd" "logging" = "systemd";
# TODO: allow based on wireguard ip without username and password # TODO: allow based on wireguard ip without username and password
# Users always have to login with an account and are never mapped # Users always have to login with an account and are never mapped
# to a guest account. # to a guest account.
"passdb backend = tdbsam:${config.age.secrets."samba-passdb.tdb".path}" "passdb backend" = "tdbsam:${config.age.secrets."samba-passdb.tdb".path}";
"server role = standalone" "server role" = "standalone";
"guest account = nobody" "guest account" = "nobody";
"map to guest = never" "map to guest" = "never";
# Clients should only connect using the latest SMB3 protocol (e.g., on # Clients should only connect using the latest SMB3 protocol (e.g., on
# clients running Windows 8 and later). # clients running Windows 8 and later).
"server min protocol = SMB3_11" "server min protocol" = "SMB3_11";
# Require native SMB transport encryption by default. # Require native SMB transport encryption by default.
"server smb encrypt = required" "server smb encrypt" = "required";
# Never map anything to the excutable bit. # Never map anything to the excutable bit.
"map archive = no" "map archive" = "no";
"map system = no" "map system" = "no";
"map hidden = no" "map hidden" = "no";
# Disable printer sharing. By default Samba shares printers configured # Disable printer sharing. By default Samba shares printers configured
# using CUPS. # using CUPS.
"load printers = no" "load printers" = "no";
"printing = bsd" "printing" = "bsd";
"printcap name = /dev/null" "printcap name" = "/dev/null";
"disable spoolss = yes" "disable spoolss" = "yes";
"show add printer wizard = no" "show add printer wizard" = "no";
# Load in modules (order is critical!) and enable AAPL extensions. # Load in modules (order is critical!) and enable AAPL extensions.
"vfs objects = catia fruit streams_xattr" "vfs objects" = "catia fruit streams_xattr";
# Enable Apple's SMB2+ extension. # Enable Apple's SMB2+ extension.
"fruit:aapl = yes" "fruit:aapl" = "yes";
# Clean up unused or empty files created by the OS or Samba. # Clean up unused or empty files created by the OS or Samba.
"fruit:wipe_intentionally_left_blank_rfork = yes" "fruit:wipe_intentionally_left_blank_rfork" = "yes";
"fruit:delete_empty_adfiles = yes" "fruit:delete_empty_adfiles" = "yes";
]; };
shares = lib.mkMerge (lib.flatten ( }
lib.mapAttrsToList mkUserShares smbUsers ]
++ lib.mapAttrsToList mkGroupShares smbGroups ++ lib.flatten (
)); lib.mapAttrsToList mkUserShares smbUsers
++ lib.mapAttrsToList mkGroupShares smbGroups
));
}; };
systemd.tmpfiles.settings = lib.mkMerge ( systemd.tmpfiles.settings = lib.mkMerge (

1
hosts/sire/secrets/actual/host.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARJ59yifkMFmcWWM4sAwhQN6u+H4Bv+VVboPBslHqZj

2
hosts/ward/guests/web-proxy.nix
View file

@ -6,6 +6,8 @@
inherit (config.repo.secrets.local) acme; inherit (config.repo.secrets.local) acme;
fritzboxDomain = "fritzbox.${globals.domains.me}"; fritzboxDomain = "fritzbox.${globals.domains.me}";
in { in {
microvm.mem = 1024 * 4; # Need more /tmp space so nginx can store intermediary files
wireguard.proxy-home = { wireguard.proxy-home = {
client.via = "ward"; client.via = "ward";
firewallRuleForAll.allowedTCPPorts = [80 443]; firewallRuleForAll.allowedTCPPorts = [80 443];

152
modules/actual.nix Normal file
View file

@ -0,0 +1,152 @@
{
lib,
pkgs,
config,
...
}: let
inherit
(lib)
getExe
mkEnableOption
mkIf
mkOption
mkPackageOption
types
;
cfg = config.services.actual;
configFile = formatType.generate "config.json" cfg.settings;
dataDir = "/var/lib/actual";
formatType = pkgs.formats.json {};
in {
options.services.actual = {
enable = mkEnableOption "actual, a privacy focused app for managing your finances";
package = mkPackageOption pkgs "actual-server" {};
user = mkOption {
type = types.str;
default = "actual";
description = ''
User to run actual as.
::: {.note}
If left as the default value this user will automatically be created
on system activation, otherwise the sysadmin is responsible for
ensuring the user exists.
:::
'';
};
group = mkOption {
type = types.str;
default = "actual";
description = ''
Group under which to run.
::: {.note}
If left as the default value this group will automatically be created
on system activation, otherwise the sysadmin is responsible for
ensuring the user exists.
:::
'';
};
openFirewall = mkOption {
default = false;
type = types.bool;
description = "Whether to open the firewall for the specified port.";
};
settings = mkOption {
default = {};
type = types.submodule {
freeformType = formatType.type;
options = {
hostname = mkOption {
type = types.str;
description = "The address to listen on";
default = "::";
};
port = mkOption {
type = types.port;
description = "The port to listen on";
default = 3000;
};
};
config = {
serverFiles = "${dataDir}/server-files";
userFiles = "${dataDir}/user-files";
inherit dataDir;
};
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.settings.port];
users.groups = mkIf (cfg.group == "actual") {
${cfg.group} = {};
};
users.users = mkIf (cfg.user == "actual") {
${cfg.user} = {
isSystemUser = true;
inherit (cfg) group;
home = dataDir;
};
};
systemd.services.actual = {
description = "Actual server, a local-first personal finance app";
after = ["network.target"];
environment.ACTUAL_CONFIG_PATH = configFile;
serviceConfig = {
ExecStart = getExe cfg.package;
User = cfg.user;
Group = cfg.group;
StateDirectory = "actual";
WorkingDirectory = dataDir;
LimitNOFILE = "1048576";
PrivateTmp = true;
PrivateDevices = true;
StateDirectoryMode = "0700";
Restart = "always";
# Hardening
CapabilityBoundingSet = "";
LockPersonality = true;
#MemoryDenyWriteExecute = true; # Leads to coredump because V8 does JIT
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "strict";
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
SystemCallArchitectures = "native";
SystemCallFilter = [
"@system-service"
"@pkey"
];
UMask = "0077";
};
wantedBy = ["multi-user.target"];
};
};
}

1
modules/default.nix
View file

@ -5,6 +5,7 @@
imports = [ imports = [
./acme-wildcard.nix ./acme-wildcard.nix
./actual.nix
./backups.nix ./backups.nix
./deterministic-ids.nix ./deterministic-ids.nix
./distributed-config.nix ./distributed-config.nix

92
pkgs/actual-server.nix Normal file
View file

@ -0,0 +1,92 @@
{
lib,
stdenv,
stdenvNoCC,
fetchFromGitHub,
makeWrapper,
cacert,
gitMinimal,
nodejs,
yarn,
}: let
version = "24.10.1";
src = fetchFromGitHub {
owner = "actualbudget";
repo = "actual-server";
rev = "v${version}";
hash = "sha256-VJAD+lNamwuYmiPJLXkum6piGi5zLOHBp8cUeZagb4s=";
};
# We cannot use fetchYarnDeps because that doesn't support yarn2/berry
# lockfiles (see https://github.com/NixOS/nixpkgs/issues/254369)
offlineCache = stdenvNoCC.mkDerivation {
name = "actual-server-${version}-offline-cache";
inherit src;
nativeBuildInputs = [
cacert # needed for git
gitMinimal # needed to download git dependencies
yarn
];
SUPPORTED_ARCHITECTURES = builtins.toJSON {
os = ["darwin" "linux"];
cpu = ["arm" "arm64" "ia32" "x64"];
libc = ["glibc" "musl"];
};
buildPhase = ''
export HOME=$(mktemp -d)
yarn config set enableTelemetry 0
yarn config set cacheFolder $out
yarn config set --json supportedArchitectures "$SUPPORTED_ARCHITECTURES"
yarn
'';
installPhase = ''
mkdir -p $out
cp -r ./node_modules $out/node_modules
'';
dontFixup = true;
outputHashAlgo = "sha256";
outputHashMode = "recursive";
outputHash = "sha256-eNpOS21pkamugoYVhzsEnstxeVN/J06yDZcshfr0Ek4=";
};
in
stdenv.mkDerivation {
pname = "actual-server";
inherit version src;
nativeBuildInputs = [
makeWrapper
yarn
];
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,lib,lib/actual}
cp -r ${offlineCache}/node_modules/ $out/lib/actual
cp -r ./ $out/lib/actual
makeWrapper ${lib.getExe nodejs} "$out/bin/actual-server" \
--add-flags "$out/app.js" \
--chdir $out/lib/actual \
--set NODE_PATH "$out/node_modules"
runHook postInstall
'';
passthru = {
inherit offlineCache;
};
meta = with lib; {
description = "A super fast privacy-focused app for managing your finances";
homepage = "https://actualbudget.com/";
license = licenses.mit;
mainProgram = "actual-server";
maintainers = with maintainers; [patrickdag oddlama];
};
}

1
pkgs/default.nix
View file

@ -7,6 +7,7 @@ _inputs: [
awakened-poe-trade = prev.callPackage ./awakened-poe-trade.nix {}; awakened-poe-trade = prev.callPackage ./awakened-poe-trade.nix {};
segoe-ui-ttf = prev.callPackage ./segoe-ui-ttf.nix {}; segoe-ui-ttf = prev.callPackage ./segoe-ui-ttf.nix {};
zsh-histdb-skim = prev.callPackage ./zsh-skim-histdb.nix {}; zsh-histdb-skim = prev.callPackage ./zsh-skim-histdb.nix {};
actual-server = prev.callPackage ./actual-server.nix {};
neovim-clean = prev.neovim-unwrapped.overrideAttrs (old: { neovim-clean = prev.neovim-unwrapped.overrideAttrs (old: {
nativeBuildInputs = (old.nativeBuildInputs or []) ++ [prev.makeWrapper]; nativeBuildInputs = (old.nativeBuildInputs or []) ++ [prev.makeWrapper];
postInstall = postInstall =

BIN
secrets/generated/sentinel/loki-basic-auth-hashes.age
View file

Binary file not shown.

BIN
secrets/generated/sire-actual/promtail-loki-basic-auth-password.age Normal file
View file

Binary file not shown.

10
secrets/generated/sire-actual/telegraf-influxdb-token.age Normal file
View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 4WvULDsSwUnj79qPtGG7hHeFxhxnYdvxVOXJQo3aVy4
lmlUMCVk6k0XA0mzqe77sF4mbDmgYu95K7QWhOlZqPY
-> piv-p256 xqSe8Q A24MXG1xn0Os5ZrM8dA/JXJyzTzIKjEyIIwJBob7wCI0
HvjPgXYlj0+ZCOagDmY8CIGHbeVTDXTpKV9wOTl/2SM
-> --grease
2gZkjaxrQDQbMYPUf4zUTERBDmKG/ofEC/cDMw5cmkJj/uwEYv+RrBBlPuvcMyGa
SXmlRg
--- qLxt3oDgW5lnehq7C5bRCEYucdLDmkWkGjclbM8j8LY
Èöbå §fîà´Ì„«Ê'’»µz¿Îè. YJxYŠ‘‘V;˜1láìH‚ˆ¹@UzÂvÑ+Ÿ¦5Kš”òýoH t‰À‚ õó‡xw$e

8
secrets/rekeyed/sentinel/32d5ff5e623268a2d193b5d49ba7539c-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 yV7lcA IFccz3iClZKyPf7EdDWd2MzhrVBKhag9IDWc7XUI5Hc
uatqP7QQJnA5mQP9tsHQFaKEHeoDGLgY2kWJpnal674
-> 7jdci-grease c[y2 alscP1
H2uNfINe/FUPjgudAkD33U2rIb5+L1KoQ0A5lr5iGYfPPCdscexXunFJY48qSn03
WpMBYikmzds
--- uugJJPzxMZwJCWH97I/MTlu9WzD4ZQPYDAMXwE989OY
Œ4ïfI€@ɺxöØû½-³mç©|Q,×ûë·ÓjA*q¶úü2÷Îo®6o9Gj�¥a‡'}yªç×aþwç 1k�Îœù�7K��

BIN
secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age
View file

Binary file not shown.

BIN
secrets/rekeyed/sentinel/c9a404b7a1241d00c53daf77274a95c3-loki-basic-auth-hashes.age Normal file
View file

Binary file not shown.

9
secrets/rekeyed/sire-actual/0ccf3e904f0f5ea268dcf781bcfe160e-wireguard-proxy-sentinel-psks-sentinel+sire-actual.age Normal file
View file

@ -0,0 +1,9 @@
age-encryption.org/v1
-> ssh-ed25519 11F4Ig gNdfKSW0SI5OHV3WV8Z2gMaIyvpEpKtgEynkBPXO2SU
Atd1AyDvRmX1106aMzZhx9GJEd17nYu9pJiM5/kI3Do
-> ;-grease j+0
cIGZ9KVirP5q/dCKsUjPBzkUXTw+Yo+i8UJ69ndD49smdN2BxmzouELydH5Bva9i
anw8o8lTvqVvso3PDBrgZy7iFcgTJWto
--- jilcU1phIjP8JI2AUkhQbc5Smot9XoJ8t9mGsGtznx0
幃牝�.シ@キ乕テ8MネE]ニッェ+マ�1m鋻<ウ豁ァ排q`セ濮s�アW{@�
�゚゚アH`}ソ)QKーf�狢t_

BIN
secrets/rekeyed/sire-actual/2fd33ed61c4dec36a98e6dc49dd75530-telegraf-influxdb-token.age Normal file
View file

Binary file not shown.

8
secrets/rekeyed/sire-actual/40e86a9c835b1fc304b761baff6e2c72-promtail-loki-basic-auth-password.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 11F4Ig Q/+byIi1VChVqi+Nh3HHAGVHM5TTIUOmiZwH9Dw9tV4
qHOXa+Oe94aB0JEfnXESVcT8EQW4Hs5Ml8Wf6oEAysc
-> &~6vWU.@-grease &l{i5I O1rTi
LU9Mvv5nuRU5IArjaZkbWJqabahPhbiRCMtJsgTE8mpoQpmA+1I5gEBFS7LAAAHU
/WfbRgCbMmMga22vot5Z9M2PYLTcUp5sQoRAOAUUGvDq1Iaa2jcxJHO3uQ
--- YYwZsRvZ61nqaQxAzP87bRFHluC0gOdLpQuEXsEQGpY
_ÃQ‰ø-ZÄŸÿë´µƒ5=+}#ÄuÓiáTÑÐù –Z¤îlflRF4;`ŸÒO,,\Zcͯ®‡nÞ®EE¦qm_.BÐڌǃ² 2·

7
secrets/rekeyed/sire-actual/7e69834a561becd34e58ede8c8dc6dcd-wireguard-proxy-sentinel-priv-sire-actual.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 11F4Ig xNoQ1/f/e3Jv57Npi3I58y7Z/RvK6l3V7Vo5H81d4FA
3/Fb14I4nNObYCbPUNZZdWfa6/+ZaSTAB24NTjLPy8U
-> %>-grease
itFTJfCmI/7Rt9rvPeKLsrbDUR64w390pprq98A2y8gM
--- AbhEcUA9Qn1KwfouM6bRE9xHWaUKesHHrLc5L3bgS0U
éöAQó?-{1o�Ł��yM–î«ßôŠ(zŰţIÔÄ(Ü?ýlĐ`śřěGG�Ó‡K9Ú8‡¶mwwťěJv§ňƧ¨ü;řJ_G6G˘Ű

BIN
secrets/rekeyed/sire-influxdb/8196d12330a68e89f67fbcb713703941-telegraf-influxdb-token-sire-actual.age Normal file
View file

Binary file not shown.

8
secrets/rekeyed/sire-samba/aa84bc3b0cf2b741cb337a7cd5332a8c-wireguard-proxy-home-priv-sire-samba.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 rQrJ/w DWkPhlrCa5T1PSATq4viZ5NIzeqcoIRWd6RLave7NiQ
8RQc28sjhRgEF+RdPSlzlQtEbG5rO8aNythv2MCy0To
-> J-!;ug8-grease yL_ N W"pE $Bjux
XTsz3Lz1yIlotekskrOu1ZQypmLfAsKzBTDswz2jdAYwceWAaNKX2t8Bw8DJKp3L
VOJMryelTENqT6XJPdR7EEg+9SMRCPTcoZOuCwyEL9Wn8WHk3IuqhbxwvOE
--- dXp3JMlVtvtz4v20d3yaGh79+GdfnULhxdo1Bz9hwTk
8«ß!x¬•Ë†XøbÉÉ3m¶\µÇÖ™ìÓÛ¼éZcQþ Ÿj£Ìöת#6âă·›íï Mü¶›ÎzÐù&@¸ Æ%?@r»»‘²4à

7
secrets/rekeyed/sire-samba/de013bc8b46968036521628412618c2d-wireguard-proxy-home-psks-sire-samba+ward.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 rQrJ/w jq2XfdX/2OM/GjQeZYYUcduu+51XU0hurR6lI7OkVhI
NGx48KHWx35o47Iib98j+9KUXa4unsLpZ25nlmiLwNE
-> ]jsC-grease ^6n C15&W5 ufr M48
mMp1PbB+pbm7uRhihpeTiKMHi/kN/8fxu89JehNVMQ
--- 9h4tOHU1KcZYb7hA+W+a5xZbjE1nNWvTSTxyLc/DoqE
aóñsÅ¢HèD?`iÊî—¯ws0#ñ i;Â;d£2x3ͳçõC …œÒ¯PÒøœ®YÈíÇjf]ˆþ¬ `°Ù…eãþ¼Ã`éfí‘û

BIN
secrets/rekeyed/ward-web-proxy/3026df7d8e7b352d8c5b303169330089-loki-basic-auth-hashes.age Normal file
View file

Binary file not shown.

BIN
secrets/rekeyed/ward-web-proxy/b74c1fb0e8aba210e5e5cfe39a4f132d-loki-basic-auth-hashes.age
View file

Binary file not shown.

BIN
secrets/rekeyed/ward/caa682bdbd1bb1ed58dace27b7c30d50-wireguard-proxy-home-psks-sire-samba+ward.age Normal file
View file

Binary file not shown.

10
secrets/wireguard/proxy-home/keys/sire-samba.age Normal file
View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 KQPDZldKPDq+HDPYSVlMoKK1JswRYL9uNUdsWLEhZxQ
N1vlljTAWNbM04ekHBHqWg6Jpr3f9Acw5SxRran9CXE
-> piv-p256 xqSe8Q Ao7fH0BAfwN9xYJ71eWsjdJmvs9UGWi4t+l+YyHI4MzL
AU1OncFGzW1vO9vvBGK7x6r9Ot8+8YbsOZKf+hL3S8U
-> ;S&[\-grease `b>RB6 8_!g
h7Qe0q7hW+JoNA
--- wKEw3pXgd1hI0LrqkmmsAFs5JnY+DC4MHP67Ghjldvc
ØÁÏ
å›Ð�—NzkÍ“>bæ<à™ƒÎÜWTÌIŸ×Xc·¹G+‰¤åÏSÌa‰Tðæ|4³ˆg¥¨ïW{N•ñh<¢îåÅn29

1
secrets/wireguard/proxy-home/keys/sire-samba.pub Normal file
View file

@ -0,0 +1 @@
C79BbRsvGg/Lufn7XFuoh08XTis8KHaAO3FXk/cOXTc=

9
secrets/wireguard/proxy-home/psks/sire-samba+ward.age Normal file
View file

@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 5pyB5fSTo3cjljOw9e2o1m5dn3/ZMzfMZ/tP3fxJhio
3JmOwt8/A5c8ibCJt4tMK2+xWK/VpGB9/uLPhQvxVqg
-> piv-p256 xqSe8Q Aqpf5FhtcQgIMEezNhF50oXyzCrDuS4DsOS7aVCQVvBm
evNoqwVkERacTx6mVVVOlsBCHO3yetcuMH5QJGummGY
-> |l-grease Q0VZ+}%
QQV9kdqsM2MTG/KyWBQJw0N0UsEn9H8trbKirw
--- KSl7XsmKLEutX1PQuwTb2qIqsJVi9jgGWuxUp2Ae1VU
;uØ'êù™:"2ï49¹À¤£¯.›Ÿn\®áÔY‘rfkLƒåä['Bõ×ÖÆß9ì¼ÑCe²¸\W%c,¡ª>ãEZ­¦yb†¿æªß

11
secrets/wireguard/proxy-sentinel/keys/sire-actual.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> X25519 LhqhNeE+yY9Dsqe+eXjg6mOWz+wPZImRPAq2eF/vIFk
mk11yKunIgHwdGpnMwEwf/qAUqWWnGfalX1gceHdqbs
-> piv-p256 xqSe8Q AhVlnmWn4ZT3JRI+TIfyw8frbW16g/umN84Aq2qqBQ+R
UlXnESACrhPdj5ByNQKFaFd8LLzEG9+2EB7pFMPzeAA
-> 7uwu-grease Y+) ^1xRk+\
ECg722RXEJGBhO/HWYB5pVzLHVxZ4fLaDRWbrHQcdyp44yXbdWE49bV7ISauwetd
iEkM+rKNWHtYY+yTafbHfEJiBkLYeGmGmjo22VsrXdef0UE4
--- tTHVM7jJu4Eb7u+BpQIIjMZn+2NUIFsBTNV1XyfBlVQ
²W®P�Œ-VTYz¢R°R˜ÿDt Úfˆˆª6¦¬—ü"EþvupÍnœO«‰‹3L1•Ô9‡,#àÔ/‰k9&Y¢
YC÷V%©¡­2¦‚

1
secrets/wireguard/proxy-sentinel/keys/sire-actual.pub Normal file
View file

@ -0,0 +1 @@
ueK+KbA9vaKOb6bis3nVdSJMPDowMuH6egtsj7C7syA=

10
secrets/wireguard/proxy-sentinel/psks/sentinel+sire-actual.age Normal file
View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 wIVO1yG5oYHdHVFcQbge4HpeuqQkTLIfRHsabifRH24
6cDOSCnJHD6Cxa/fGuqhVSJ51i0uOCbybkS/ZTefBF0
-> piv-p256 xqSe8Q A1YY5e1n/Y9ODm0t6id46gzvDZd+tIhy7Cz2Z7pxZBQS
7BJEwjoCzt0MTOYcMVuL0O2uVMhpWjiTnf6XWFoxFAA
-> "7I[%-grease SqKNL&b $KEMJq=
szY
--- o2LLtf6UCOi70WgdqzH+5PNpwLzRad+U1lCaqcMdYzE
ã ²k÷Mˆy©@Ú߆�Q˜Ì"jyO—cñ0ù’X�ÝÇVÃóž‰KÈG•L�ø‡`@»
S©”�Øde µÐGôxÔ–IL 

212
users/myuser/graphical/firefox.nix
View file

@ -289,6 +289,218 @@ in {
}; };
}; };
}; };
profiles.empty = {
id = 1;
isDefault = false;
};
profiles.onlybetterfox = {
id = 2;
isDefault = false;
extraConfig = builtins.concatStringsSep "\n" [
(builtins.readFile "${betterfox}/Securefox.js")
(builtins.readFile "${betterfox}/Fastfox.js")
(builtins.readFile "${betterfox}/Peskyfox.js")
];
};
profiles.onlysettings = {
id = 3;
isDefault = false;
settings = {
# General
"intl.accept_languages" = "en-US,en";
"browser.startup.page" = 3; # Resume previous session on startup
"browser.aboutConfig.showWarning" = false; # I sometimes know what I'm doing
"browser.ctrlTab.sortByRecentlyUsed" = false; # (default) Who wants that?
"browser.download.useDownloadDir" = false; # Ask where to save stuff
"browser.translations.neverTranslateLanguages" = "de"; # No need :)
"privacy.clearOnShutdown.history" = false; # We want to save history on exit
# Hi-DPI
"layout.css.devPixelsPerPx" = "1.5";
# Allow executing JS in the dev console
"devtools.chrome.enabled" = true;
# Disable browser crash reporting
"browser.tabs.crashReporting.sendReport" = false;
# Why the fuck can my search window make bell sounds
"accessibility.typeaheadfind.enablesound" = false;
# Why the fuck can my search window make bell sounds
"general.autoScroll" = true;
# Hardware acceleration
# See https://github.com/elFarto/nvidia-vaapi-driver?tab=readme-ov-file#firefox
"gfx.webrender.all" = true;
"media.ffmpeg.vaapi.enabled" = true;
"media.rdd-ffmpeg.enabled" = true;
"widget.dmabuf.force-enabled" = true;
"media.av1.enabled" = false; # XXX: change once I've upgraded my GPU
# XXX: what is this?
"media.ffvpx.enabled" = false;
"media.rdd-vpx.enabled" = false;
# Privacy
"privacy.donottrackheader.enabled" = true;
"privacy.trackingprotection.enabled" = true;
"privacy.trackingprotection.socialtracking.enabled" = true;
"privacy.userContext.enabled" = true;
"privacy.userContext.ui.enabled" = true;
"browser.send_pings" = false; # (default) Don't respect <a ping=...>
# This allows firefox devs changing options for a small amount of users to test out stuff.
# Not with me please ...
"app.normandy.enabled" = false;
"app.shield.optoutstudies.enabled" = false;
"beacon.enabled" = false; # No bluetooth location BS in my webbrowser please
"device.sensors.enabled" = false; # This isn't a phone
"geo.enabled" = false; # Disable geolocation alltogether
# ESNI is deprecated ECH is recommended
"network.dns.echconfig.enabled" = true;
# Disable telemetry for privacy reasons
"toolkit.telemetry.archive.enabled" = false;
"toolkit.telemetry.enabled" = false; # enforced by nixos
"toolkit.telemetry.server" = "";
"toolkit.telemetry.unified" = false;
"extensions.webcompat-reporter.enabled" = false; # don't report compability problems to mozilla
"datareporting.policy.dataSubmissionEnabled" = false;
"datareporting.healthreport.uploadEnabled" = false;
"browser.ping-centre.telemetry" = false;
"browser.urlbar.eventTelemetry.enabled" = false; # (default)
# Disable some useless stuff
"extensions.pocket.enabled" = false; # disable pocket, save links, send tabs
"extensions.abuseReport.enabled" = false; # don't show 'report abuse' in extensions
"extensions.formautofill.creditCards.enabled" = false; # don't auto-fill credit card information
"identity.fxaccounts.enabled" = false; # disable firefox login
"identity.fxaccounts.toolbar.enabled" = false;
"identity.fxaccounts.pairing.enabled" = false;
"identity.fxaccounts.commands.enabled" = false;
"browser.contentblocking.report.lockwise.enabled" = false; # don't use firefox password manger
"browser.uitour.enabled" = false; # no tutorial please
"browser.newtabpage.activity-stream.showSponsored" = false;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
# disable EME encrypted media extension (Providers can get DRM
# through this if they include a decryption black-box program)
"browser.eme.ui.enabled" = false;
"media.eme.enabled" = false;
# don't predict network requests
"network.predictor.enabled" = false;
"browser.urlbar.speculativeConnect.enabled" = false;
# disable annoying web features
"dom.push.enabled" = false; # no notifications, really...
"dom.push.connection.enabled" = false;
"dom.battery.enabled" = false; # you don't need to see my battery...
"dom.private-attribution.submission.enabled" = false; # No PPA for me pls
};
};
profiles.same = {
id = 4;
isDefault = false;
extraConfig = builtins.concatStringsSep "\n" [
(builtins.readFile "${betterfox}/Securefox.js")
(builtins.readFile "${betterfox}/Fastfox.js")
(builtins.readFile "${betterfox}/Peskyfox.js")
];
settings = {
# General
"intl.accept_languages" = "en-US,en";
"browser.startup.page" = 3; # Resume previous session on startup
"browser.aboutConfig.showWarning" = false; # I sometimes know what I'm doing
"browser.ctrlTab.sortByRecentlyUsed" = false; # (default) Who wants that?
"browser.download.useDownloadDir" = false; # Ask where to save stuff
"browser.translations.neverTranslateLanguages" = "de"; # No need :)
"privacy.clearOnShutdown.history" = false; # We want to save history on exit
# Hi-DPI
"layout.css.devPixelsPerPx" = "1.5";
# Allow executing JS in the dev console
"devtools.chrome.enabled" = true;
# Disable browser crash reporting
"browser.tabs.crashReporting.sendReport" = false;
# Why the fuck can my search window make bell sounds
"accessibility.typeaheadfind.enablesound" = false;
# Why the fuck can my search window make bell sounds
"general.autoScroll" = true;
# Hardware acceleration
# See https://github.com/elFarto/nvidia-vaapi-driver?tab=readme-ov-file#firefox
"gfx.webrender.all" = true;
"media.ffmpeg.vaapi.enabled" = true;
"media.rdd-ffmpeg.enabled" = true;
"widget.dmabuf.force-enabled" = true;
"media.av1.enabled" = false; # XXX: change once I've upgraded my GPU
# XXX: what is this?
"media.ffvpx.enabled" = false;
"media.rdd-vpx.enabled" = false;
# Privacy
"privacy.donottrackheader.enabled" = true;
"privacy.trackingprotection.enabled" = true;
"privacy.trackingprotection.socialtracking.enabled" = true;
"privacy.userContext.enabled" = true;
"privacy.userContext.ui.enabled" = true;
"browser.send_pings" = false; # (default) Don't respect <a ping=...>
# This allows firefox devs changing options for a small amount of users to test out stuff.
# Not with me please ...
"app.normandy.enabled" = false;
"app.shield.optoutstudies.enabled" = false;
"beacon.enabled" = false; # No bluetooth location BS in my webbrowser please
"device.sensors.enabled" = false; # This isn't a phone
"geo.enabled" = false; # Disable geolocation alltogether
# ESNI is deprecated ECH is recommended
"network.dns.echconfig.enabled" = true;
# Disable telemetry for privacy reasons
"toolkit.telemetry.archive.enabled" = false;
"toolkit.telemetry.enabled" = false; # enforced by nixos
"toolkit.telemetry.server" = "";
"toolkit.telemetry.unified" = false;
"extensions.webcompat-reporter.enabled" = false; # don't report compability problems to mozilla
"datareporting.policy.dataSubmissionEnabled" = false;
"datareporting.healthreport.uploadEnabled" = false;
"browser.ping-centre.telemetry" = false;
"browser.urlbar.eventTelemetry.enabled" = false; # (default)
# Disable some useless stuff
"extensions.pocket.enabled" = false; # disable pocket, save links, send tabs
"extensions.abuseReport.enabled" = false; # don't show 'report abuse' in extensions
"extensions.formautofill.creditCards.enabled" = false; # don't auto-fill credit card information
"identity.fxaccounts.enabled" = false; # disable firefox login
"identity.fxaccounts.toolbar.enabled" = false;
"identity.fxaccounts.pairing.enabled" = false;
"identity.fxaccounts.commands.enabled" = false;
"browser.contentblocking.report.lockwise.enabled" = false; # don't use firefox password manger
"browser.uitour.enabled" = false; # no tutorial please
"browser.newtabpage.activity-stream.showSponsored" = false;
"browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
# disable EME encrypted media extension (Providers can get DRM
# through this if they include a decryption black-box program)
"browser.eme.ui.enabled" = false;
"media.eme.enabled" = false;
# don't predict network requests
"network.predictor.enabled" = false;
"browser.urlbar.speculativeConnect.enabled" = false;
# disable annoying web features
"dom.push.enabled" = false; # no notifications, really...
"dom.push.connection.enabled" = false;
"dom.battery.enabled" = false; # you don't need to see my battery...
"dom.private-attribution.submission.enabled" = false; # No PPA for me pls
};
};
}; };
home.persistence."/state".directories = [ home.persistence."/state".directories = [