AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

update flake, move to new vps... again

Browse Source
This commit is contained in:
Dmitriy Kholkin 2023-12-23 01:26:18 +03:00
parent e3d4eeb4dc
commit 9720a12cc5
21 changed files with 1489 additions and 165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.sops.yaml
View File

@ -1,14 +1,21 @@
keys:
- &ataraxia ad382d058c964607b7bbf01b071a8131bf166e80
- &suomi-vps d286fd9431753cb455537070235ec7bc757002ca
- &nixos-vps 20d2e2b90c6aa179585b6b6b34cafb9db82f1d40
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *ataraxia
- *suomi-vps
- *nixos-vps
- path_regex: secrets/suomi-vps/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *ataraxia
- *suomi-vps
- path_regex: secrets/nixos-vps/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *ataraxia
- *nixos-vps

291
flake.lock generated
View File

@ -6,11 +6,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1701295343,
"narHash": "sha256-SgIudU8ju74krGDa3hZlUfPGim16KHnAKi91TMXwTac=",
"lastModified": 1702787014,
"narHash": "sha256-grrM/VPfBY3KwR1tLFcTPbEpRcTYpDrzRGd7PBgKKpw=",
"owner": "ezKEa",
"repo": "aagl-gtk-on-nix",
"rev": "21a0f2059afbae7267f913ac3727bb1205db2a2b",
"rev": "ae7257ea176bded057343bb64e6998523fd1959d",
"type": "github"
},
"original": {
@ -165,11 +165,11 @@
"utils": "utils"
},
"locked": {
"lastModified": 1698921442,
"narHash": "sha256-7KmvhQ7FuXlT/wG4zjTssap6maVqeAMBdtel+VjClSM=",
"lastModified": 1702460489,
"narHash": "sha256-H6s6oVLvx7PCjUcvfkB89Bb+kbaiJxTAgWfMjiQTjA0=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "660180bbbeae7d60dad5a92b30858306945fd427",
"rev": "915327515f5fd1b7719c06e2f1eb304ee0bdd803",
"type": "github"
},
"original": {
@ -186,11 +186,11 @@
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1701187605,
"narHash": "sha256-NctguPdUeDVLXFsv6vI1RlEiHLsXkeW3pgZe/mwn1BU=",
"lastModified": 1702549996,
"narHash": "sha256-mEN+8gjWUXRxBCcixeth+jlDNuzxbpFwZNOEc4K22vw=",
"owner": "cachix",
"repo": "devenv",
"rev": "a7c4dd8f4eb1f98a6b8f04bf08364954e1e73e4f",
"rev": "e681a99ffe2d2882f413a5d771129223c838ddce",
"type": "github"
},
"original": {
@ -206,11 +206,11 @@
]
},
"locked": {
"lastModified": 1700927249,
"narHash": "sha256-iqmIWiEng890/ru7ZBf4nUezFPyRm2fjRTvuwwxqk2o=",
"lastModified": 1702569759,
"narHash": "sha256-Ze3AdEEsVZBRJ4wn13EZpV1Uubkzi59TkC4j2G9xoFI=",
"owner": "nix-community",
"repo": "disko",
"rev": "3cb78c93e6a02f494aaf6aeb37481c27a2e2ee22",
"rev": "98ab91109716871f50ea8cb0e0ac7cc1e1e14714",
"type": "github"
},
"original": {
@ -254,11 +254,11 @@
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -370,11 +370,11 @@
]
},
"locked": {
"lastModified": 1698882062,
"narHash": "sha256-HkhafUayIqxXyHH1X8d9RDl1M2CkFgZLjKD3MzabiEo=",
"lastModified": 1701473968,
"narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8c9fa2545007b49a5db5f650ae91f227672c3877",
"rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
"type": "github"
},
"original": {
@ -406,11 +406,11 @@
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
"lastModified": 1696343447,
"narHash": "sha256-B2xAZKLkkeRFG5XcHHSXXcP7To9Xzr59KXeZiRf4vdQ=",
"lastModified": 1701473968,
"narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "c9afaba3dfa4085dbd2ccb38dfade5141e33d9d4",
"rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
"type": "github"
},
"original": {
@ -504,7 +504,7 @@
},
"flake-utils_3": {
"inputs": {
"systems": "systems"
"systems": "systems_2"
},
"locked": {
"lastModified": 1685518550,
@ -522,7 +522,7 @@
},
"flake-utils_4": {
"inputs": {
"systems": "systems_2"
"systems": "systems_3"
},
"locked": {
"lastModified": 1694529238,
@ -555,14 +555,14 @@
},
"flake-utils_6": {
"inputs": {
"systems": "systems_4"
"systems": "systems_5"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
@ -573,7 +573,7 @@
},
"flake-utils_7": {
"inputs": {
"systems": "systems_5"
"systems": "systems_6"
},
"locked": {
"lastModified": 1681202837,
@ -591,7 +591,7 @@
},
"flake-utils_8": {
"inputs": {
"systems": "systems_6"
"systems": "systems_7"
},
"locked": {
"lastModified": 1685518550,
@ -609,7 +609,7 @@
},
"flake-utils_9": {
"inputs": {
"systems": "systems_7"
"systems": "systems_8"
},
"locked": {
"lastModified": 1681202837,
@ -676,11 +676,11 @@
]
},
"locked": {
"lastModified": 1701433070,
"narHash": "sha256-Gf9JStfENaUQ7YWFz3V7x/srIwr4nlnVteqaAxtwpgM=",
"lastModified": 1702814335,
"narHash": "sha256-Qck7BAMi3eydzT1WFOzp/SgECetyPpOn1dLgmxH2ebQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "4a8545f5e737a6338814a4676dc8e18c7f43fc57",
"rev": "e4dba0bd01956170667458be7b45f68170a63651",
"type": "github"
},
"original": {
@ -695,16 +695,16 @@
"nixpkgs": [
"nixpkgs"
],
"systems": "systems_3",
"systems": "systems_4",
"wlroots": "wlroots",
"xdph": "xdph"
},
"locked": {
"lastModified": 1701528705,
"narHash": "sha256-SJENLaYS4hIuvQMgupKlclGZ5Mz40OvUc2Vu8vFBSow=",
"lastModified": 1703271271,
"narHash": "sha256-q6bb5S6l/fEIpO4QRmxACgNfVdTvWktEvKVKWtygzx8=",
"owner": "hyprwm",
"repo": "Hyprland",
"rev": "80b9b21f9f24b6e8db2fc6f7705cd124f436ffba",
"rev": "c416880cf96aee783b6a00f356512e5d758e6056",
"type": "github"
},
"original": {
@ -745,15 +745,16 @@
]
},
"locked": {
"lastModified": 1701083219,
"narHash": "sha256-0j4Poy2OEZ55GWagfj6ookxG6jXdsDHZLh6vU3DBuz4=",
"owner": "hyprwm",
"lastModified": 1702857059,
"narHash": "sha256-sBT4wvRMWNeGXTC/MdMjE65SxqOAzrWdPcR0V2qhSiA=",
"owner": "AtaraxiaSjel",
"repo": "hyprpaper",
"rev": "b94f84605d6d6d8d3c17a42a72fc3b01df69ab7f",
"rev": "8516a0799cb19c2685086ff94261d6e294f4f351",
"type": "github"
},
"original": {
"owner": "hyprwm",
"owner": "AtaraxiaSjel",
"ref": "fix-nix",
"repo": "hyprpaper",
"type": "github"
}
@ -776,11 +777,11 @@
"libnbtplusplus": {
"flake": false,
"locked": {
"lastModified": 1690036783,
"narHash": "sha256-A5kTgICnx+Qdq3Fir/bKTfdTt/T1NQP2SC+nhN1ENug=",
"lastModified": 1699286814,
"narHash": "sha256-yy0q+bky80LtK1GWzz7qpM+aAGrOqLuewbid8WT1ilk=",
"owner": "PrismLauncher",
"repo": "libnbtplusplus",
"rev": "a5e8fd52b8bf4ab5d5bcc042b2a247867589985f",
"rev": "23b955121b8217c1c348a9ed2483167a6f3ff4ad",
"type": "github"
},
"original": {
@ -898,11 +899,11 @@
]
},
"locked": {
"lastModified": 1700033161,
"narHash": "sha256-CHD4T1dS+Z+2MX4Ox1EhNgsM6J+RVFU/jzvIfO8DKJs=",
"lastModified": 1702639936,
"narHash": "sha256-Fz5KsFVXB1xu2J4Hmr514vK3eir16/z1Mrv60HjzFtA=",
"owner": "thiagokokada",
"repo": "nix-alien",
"rev": "d37ba197c51addb2979a042769c5fd1e2b76412a",
"rev": "7d36757ddef3c2fb1805126e0da9abc9d88060f8",
"type": "github"
},
"original": {
@ -918,11 +919,11 @@
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1701295404,
"narHash": "sha256-06mOq9MP5D3ZSSiZJENsuHEHjLq3GDG6ZgZ/dkDTFgQ=",
"lastModified": 1702677673,
"narHash": "sha256-BPcLfyyXinIyya48fTl3sg3bXhgN6hXx5xfQVLm4hO0=",
"owner": "nix-community",
"repo": "nix-direnv",
"rev": "adeced79808f2e8689be55e287cf24a145dc0638",
"rev": "499255d0189982b93d1e9aa9297823132d95a86c",
"type": "github"
},
"original": {
@ -940,11 +941,11 @@
"treefmt-nix": "treefmt-nix_2"
},
"locked": {
"lastModified": 1700146408,
"narHash": "sha256-T9hcGGGQv1Br9sm7oaEMs2OCDEBro5IU2i/dpTKSrQ4=",
"lastModified": 1701604846,
"narHash": "sha256-m0MxxMIy8at5CtCgoiBIHUez9+Dsh6XoifvOvlbSwBM=",
"owner": "Mic92",
"repo": "nix-fast-build",
"rev": "96805cafb2bc678ce15eda386989f9e79b28868b",
"rev": "25e19950f019adea4ca1b490e116a6acc0669e31",
"type": "github"
},
"original": {
@ -955,11 +956,11 @@
},
"nix-filter": {
"locked": {
"lastModified": 1694857738,
"narHash": "sha256-bxxNyLHjhu0N8T3REINXQ2ZkJco0ABFPn6PIe2QUfqo=",
"lastModified": 1701697642,
"narHash": "sha256-L217WytWZHSY8GW9Gx1A64OnNctbuDbfslaTEofXXRw=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "41fd48e00c22b4ced525af521ead8792402de0ea",
"rev": "c843418ecfd0344ecb85844b082ff5675e02c443",
"type": "github"
},
"original": {
@ -970,11 +971,11 @@
},
"nix-filter_2": {
"locked": {
"lastModified": 1694857738,
"narHash": "sha256-bxxNyLHjhu0N8T3REINXQ2ZkJco0ABFPn6PIe2QUfqo=",
"lastModified": 1701697642,
"narHash": "sha256-L217WytWZHSY8GW9Gx1A64OnNctbuDbfslaTEofXXRw=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "41fd48e00c22b4ced525af521ead8792402de0ea",
"rev": "c843418ecfd0344ecb85844b082ff5675e02c443",
"type": "github"
},
"original": {
@ -988,11 +989,11 @@
"nixpkgs": "nixpkgs_8"
},
"locked": {
"lastModified": 1699760693,
"narHash": "sha256-u/gkNUHQR/q23voqE5J4xmEWQIAqR+g3lUnCtzn0k7Y=",
"lastModified": 1702291765,
"narHash": "sha256-kfxavgLKPIZdYVPUPcoDZyr5lleymrqbr5G9PVfQ2NY=",
"owner": "Mic92",
"repo": "nix-index-database",
"rev": "8aff4ca3dee60d1422489fe8d52c2f837b3ad113",
"rev": "45d82e0a8b9dd6c5dd9da835ac0c072239af7785",
"type": "github"
},
"original": {
@ -1010,11 +1011,11 @@
]
},
"locked": {
"lastModified": 1701479904,
"narHash": "sha256-uJKkBZIUQkxyNLn806QAuOqwJqhIbsSJQ3kzGFN9qgA=",
"lastModified": 1702776244,
"narHash": "sha256-kM4c4N1Six84GfLLV+nk+kq6bNH8OkEy5JHqg9IgqAE=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "079f5a9444ad5630772c81652fdfe55544094961",
"rev": "831450b20e2225b80e8453163f82eb495bee3b08",
"type": "github"
},
"original": {
@ -1066,11 +1067,11 @@
]
},
"locked": {
"lastModified": 1696058303,
"narHash": "sha256-eNqKWpF5zG0SrgbbtljFOrRgFgRzCc4++TMFADBMLnc=",
"lastModified": 1701689616,
"narHash": "sha256-ewnfgvRy73HoP5KnYmy1Rcr4m4yShvsb6TCCaKoW8pc=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "150f38bd1e09e20987feacb1b0d5991357532fb5",
"rev": "246219bc21b943c6f6812bb7744218ba0df08600",
"type": "github"
},
"original": {
@ -1146,11 +1147,11 @@
"nixpkgs-lib_2": {
"locked": {
"dir": "lib",
"lastModified": 1696019113,
"narHash": "sha256-X3+DKYWJm93DRSdC5M6K5hLqzSya9BjibtBsuARoPco=",
"lastModified": 1701253981,
"narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "f5892ddac112a1e9b3612c39af1b72987ee5783a",
"rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
"type": "github"
},
"original": {
@ -1163,11 +1164,11 @@
},
"nixpkgs-master": {
"locked": {
"lastModified": 1701535283,
"narHash": "sha256-Z2I64Sg1e3sDuLogi6byWaqBL9VtNPGDprJ8uQvAUlA=",
"lastModified": 1702854629,
"narHash": "sha256-296u+BzB+S3d9lNH9P882usCsfgUGyXyhftXA7Qj9OY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "044109cfd464a6c520f861917d9ceaf87012a4c8",
"rev": "0f92e92565be5eae288d819292b49f49ffd16c36",
"type": "github"
},
"original": {
@ -1259,27 +1260,27 @@
},
"nixpkgs-stable_3": {
"locked": {
"lastModified": 1701362232,
"narHash": "sha256-GVdzxL0lhEadqs3hfRLuj+L1OJFGiL/L7gCcelgBlsw=",
"lastModified": 1702645756,
"narHash": "sha256-qKI6OR3TYJYQB3Q8mAZ+DG4o/BR9ptcv9UnRV2hzljc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "d2332963662edffacfddfad59ff4f709dde80ffe",
"rev": "40c3c94c241286dd2243ea34d3aef8a488f9e4d0",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-23.05",
"ref": "nixos-23.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable_4": {
"locked": {
"lastModified": 1700905716,
"narHash": "sha256-w1vHn2MbGfdC+CrP3xLZ3scsI06N0iQLU7eTHIVEFGw=",
"lastModified": 1702777222,
"narHash": "sha256-/SYmqgxTYzqZnQEfbOCHCN4GzqB9uAIsR9IWLzo0/8I=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "dfb95385d21475da10b63da74ae96d89ab352431",
"rev": "a19a71d1ee93226fd71984359552affbc1cd3dc3",
"type": "github"
},
"original": {
@ -1291,11 +1292,11 @@
},
"nixpkgs_10": {
"locked": {
"lastModified": 1701253981,
"narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
"lastModified": 1702312524,
"narHash": "sha256-gkZJRDBUCpTPBvQk25G0B7vfbpEYM5s5OZqghkjZsnE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
"rev": "a9bf124c46ef298113270b1f84a164865987a91c",
"type": "github"
},
"original": {
@ -1307,11 +1308,11 @@
},
"nixpkgs_11": {
"locked": {
"lastModified": 1697886341,
"narHash": "sha256-AdE67xPty9M9wn36nPVp6aDntIdigrs7UbyaGv1VAaM=",
"lastModified": 1701998057,
"narHash": "sha256-gAJGhcTO9cso7XDfAScXUlPcva427AUT2q02qrmXPdo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "44881e03af1c730cbb1d72a4d41274a2c957813a",
"rev": "09dc04054ba2ff1f861357d0e7e76d021b273cd7",
"type": "github"
},
"original": {
@ -1355,11 +1356,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1671417167,
"narHash": "sha256-JkHam6WQOwZN1t2C2sbp1TqMv3TVRjzrdoejqfefwrM=",
"lastModified": 1702272962,
"narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bb31220cca6d044baa6dc2715b07497a2a7c4bc7",
"rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
"type": "github"
},
"original": {
@ -1419,11 +1420,11 @@
},
"nixpkgs_8": {
"locked": {
"lastModified": 1699099776,
"narHash": "sha256-X09iKJ27mGsGambGfkKzqvw5esP1L/Rf8H3u3fCqIiU=",
"lastModified": 1701718080,
"narHash": "sha256-6ovz0pG76dE0P170pmmZex1wWcQoeiomUZGggfH9XPs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "85f1ba3e51676fa8cc604a3d863d729026a6b8eb",
"rev": "2c7f3c0fb7c08a0814627611d9d7d45ab6d75335",
"type": "github"
},
"original": {
@ -1435,11 +1436,11 @@
},
"nixpkgs_9": {
"locked": {
"lastModified": 1700856099,
"narHash": "sha256-RnEA7iJ36Ay9jI0WwP+/y4zjEhmeN6Cjs9VOFBH7eVQ=",
"lastModified": 1702272962,
"narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0bd59c54ef06bc34eca01e37d689f5e46b3fe2f1",
"rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
"type": "github"
},
"original": {
@ -1451,11 +1452,11 @@
},
"nur": {
"locked": {
"lastModified": 1701528264,
"narHash": "sha256-h+U4YBiEBGohPe0//JQhhyRCMs+r1cwRuPY8gjPB/Tk=",
"lastModified": 1702849536,
"narHash": "sha256-kGYoCw+KyLx5PpsCI3p2LxgyOsWYJon6ghq8Iq0XU6c=",
"owner": "nix-community",
"repo": "NUR",
"rev": "e14b77401d63ba75aa9523f7ad9d327ee5085479",
"rev": "452bdab51c4eebec9aa2db7b84da63340dacb52d",
"type": "github"
},
"original": {
@ -1510,11 +1511,11 @@
]
},
"locked": {
"lastModified": 1697746376,
"narHash": "sha256-gu77VkgdfaHgNCVufeb6WP9oqFLjwK4jHcoPZmBVF3E=",
"lastModified": 1700922917,
"narHash": "sha256-ej2fch/T584b5K9sk1UhmZF7W6wEfDHuoUYpFN8dtvM=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "8cc349bfd082da8782b989cad2158c9ad5bd70fd",
"rev": "e5ee5c5f3844550c01d2131096c7271cec5e9b78",
"type": "github"
},
"original": {
@ -1533,11 +1534,11 @@
"pre-commit-hooks": "pre-commit-hooks_2"
},
"locked": {
"lastModified": 1698510926,
"narHash": "sha256-clplRTWw19/VS7E16hkcVNgV930sDE1xI6vIiVTd/Z0=",
"lastModified": 1702781971,
"narHash": "sha256-8MaZy0ewEG7yZfD/l14BNmvv8kJ932Mv0WyB+3MHcjI=",
"owner": "AtaraxiaSjel",
"repo": "PrismLauncher",
"rev": "083a2145539b4ac0dfb45d9ee750b13de184d5fe",
"rev": "a4d314de3eb6fb8ef1fa58ec4be1b700c470627a",
"type": "github"
},
"original": {
@ -1635,11 +1636,11 @@
"rycee": {
"flake": false,
"locked": {
"lastModified": 1701511889,
"narHash": "sha256-r1s4LjtiFFZXEs+fXT2n6ULZVtezzv8uHVg5rSW76vo=",
"lastModified": 1702814246,
"narHash": "sha256-8aOoykO7+4BDmV5QvpSLyoBaSmDmmKcHSz7I/gMAPv0=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "a72f098480eee3dc9609a11a4872d44747ce4cc8",
"rev": "8d2075876b1a0d167d0387c661ec7f5d27254c5e",
"type": "gitlab"
},
"original": {
@ -1681,11 +1682,11 @@
"nixpkgs-stable": "nixpkgs-stable_4"
},
"locked": {
"lastModified": 1701518298,
"narHash": "sha256-5t8yqKe0oVusV4xgfA+wW58hQJXFMmq0mmaR1gKES+Y=",
"lastModified": 1702812162,
"narHash": "sha256-18cKptpAAfkatdQgjO5SZXZsbc1IVPRoYx2AxaiooL4=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "e19071f9958c8da4f4347d3d78790d97e98ba22f",
"rev": "21f2b8f123a1601fef3cf6bbbdf5171257290a77",
"type": "github"
},
"original": {
@ -1725,21 +1726,6 @@
}
},
"systems_3": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
@ -1754,6 +1740,21 @@
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1689347949,
"narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
"owner": "nix-systems",
"repo": "default-linux",
"rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default-linux",
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
@ -1799,6 +1800,21 @@
"type": "github"
}
},
"systems_8": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
@ -1807,11 +1823,11 @@
]
},
"locked": {
"lastModified": 1699786194,
"narHash": "sha256-3h3EH1FXQkIeAuzaWB+nK0XK54uSD46pp+dMD3gAcB4=",
"lastModified": 1702461037,
"narHash": "sha256-ssyGxfGHRuuLHuMex+vV6RMOt7nAo07nwufg9L5GkLg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "e82f32aa7f06bbbd56d7b12186d555223dc399d1",
"rev": "d06b70e5163a903f19009c3f97770014787a080f",
"type": "github"
},
"original": {
@ -1842,12 +1858,15 @@
}
},
"utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
@ -1942,11 +1961,11 @@
]
},
"locked": {
"lastModified": 1700508250,
"narHash": "sha256-X4o/mifI7Nhu0UKYlxx53wIC+gYDo3pVM9L2u3PE2bE=",
"lastModified": 1702334919,
"narHash": "sha256-ibOZ3TLjqndGMcj2f+07NFwDWoum4IbzF58byZuJJNg=",
"owner": "hyprwm",
"repo": "xdg-desktop-portal-hyprland",
"rev": "eb120ff25265ecacd0fc13d7dab12131b60d0f47",
"rev": "f5c3576c3b6cb1c31a8dfa3e4113f59bfe40cd71",
"type": "github"
},
"original": {

19
flake.nix
View File

@ -7,7 +7,7 @@
# 6.1.55 kernel breaks podman. wait for fix
nixpkgs-pinned.url = "github:nixos/nixpkgs/9eebdbb7182caf58dbbc11a4c221c23e867cca08";
nixpkgs-master.url = "github:nixos/nixpkgs/master";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.11";
flake-registry = {
url = "github:nixos/flake-registry";
flake = false;
@ -43,7 +43,9 @@
inputs.nixpkgs.follows = "nixpkgs"; # MESA/OpenGL HW workaround
};
hyprpaper = {
url = "github:hyprwm/hyprpaper";
# TODO: return to upstream after fix merge
url = "github:AtaraxiaSjel/hyprpaper/fix-nix";
# url = "github:hyprwm/hyprpaper";
inputs.nixpkgs.follows = "nixpkgs";
};
mms.url = "github:mkaito/nixos-modded-minecraft-servers";
@ -126,7 +128,7 @@
sharedOverlays = [ flake-utils-plus.overlay inputs.sops-nix.overlays.default ];
channelsConfig = { allowUnfree = true; android_sdk.accept_license = true; };
channels.unstable.input = nixpkgs;
channels.unstable.patches = patchesPath [ "zen-kernels.patch" "ydotoold.patch" ] ++ sharedPatches;
channels.unstable.patches = patchesPath [ "zen-kernels.patch" "ydotoold.patch" "273564.patch" ] ++ sharedPatches;
channels.stable.input = inputs.nixpkgs-stable;
channels.stable.patches = sharedPatches;
channels.server.input = inputs.nixpkgs-pinned;
@ -168,6 +170,15 @@
specialArgs = { inherit inputs; };
channelName = "vps";
};
NixOS-VPS = {
system = builtins.readFile (./machines/NixOS-VPS/system);
modules = [
(import (./machines/NixOS-VPS))
{ device = "NixOS-VPS"; mainuser = "ataraxia"; }
];
specialArgs = { inherit inputs; };
channelName = "stable";
};
};
nixosHostsCI = builtins.listToAttrs (map (name: {
@ -291,8 +302,8 @@
in builtins.mapAttrs mkDeploy {
Home-Hypervisor = { hostname = "192.168.0.10"; };
Dell-Laptop = { hostname = "192.168.0.101"; };
NixOS-VPS = { hostname = "nixos-vps"; };
} // builtins.mapAttrs mkDeploy-arm {
Suomi-VPS = { hostname = "65.21.2.254"; };
};
checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;

28
keys/hosts/nixos-vps.asc Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
xsFNBAAAAAABEAC2DRA/vbUMnKYjp/EiDr0BalgHlHKwd9W6V2OGbQm/QKaLIBTs
qxsaAYMMy396+kxOl2GyzEFqgbWwGioAAmUDZY+IF/EjWTFVxUt8uZsx2G+WeInQ
OudSuedmq7KsVJ8TVLjfaDhqIsu+HDNn4/AXlrQtq7Jp4nHOsD5/ooIRfTGdH6wd
dUrxulld0r9S8Oa24+SLnGYJHGSB5o86hdA/HA7XIvDDA81amXsFYF1bjkXP43Sm
So6CDZ5iWfTNEB6OBJRD50qEl3jC0HpmZFMSYVGUwfp38mBdpK3uS7byqzFQ2NTM
BoktwPseXq/Y4Xt4fb3aFeMhANdiVLsj4tuYTdHZbht5dH8v92AeGdcjy8+JFeN0
bTdYXXQKi5vN+ghEz6iq+fSTXLIQkcNBn/Hy3NMl/9oUuMb3ILOk8Ob6HCRP+ROa
qMF7t+iRC18065Wwo0bHZcPHUrd/bFSmYEND9x2RutK5ilMVPpoQmfugUIla9DR5
dzSASZkHooe3uX7EuuNyJlAgnVSkofQROUvOWVBy58QlLU3QBSMBJJEmoRGXDjZF
maGOTTdMumiNmLjSrnS7t9LRDfHINQbmjAG+eAICW3OEafFhujjK9Mj57F+eyLVx
sXzGXsMMRb8i36/hDUHhmBapBGPok+romlnWrMsNrjbPb89YaJGV73R3eQARAQAB
zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
AQgAFgUCAAAAAAkQNMr7nbgvHUACGw8CGQEAAC4QEAALmykKqbgs77U4ud6IMSW2
TZ9QW4nw+Oye6kF5ip95Xq2VsqZP0AuthILXUxYkfWI6xLwXoL0NWZzZGXqomrJf
nGegLuisSMUarQEx9CIcInmZJ1FYXh5AOIpNmk+bwaLLs0eWmvRMUOXFtXqxoveN
WH2/G9fOLyrWStLYV5i6xBLQ/WEW/2hkAvgIzwZ9QB2mCqFwvfFVDM+s66zmysuW
GbLPbgtXKSC9uYs4ue6ok8Z9jy9y/sd9bpRgHoCG61sf5Wy6ENbrQcgsDnDg67ep
2F53c2b9BCfNy4xolEvtUxj/2UlCqMQ/GyJsw+41GpX9exKw7puAs6AAi0VbKgBc
bwoMPziojYlXu2wjBL4ijkXsOirO9JS1JKFvaDBDQG4Rk+bh6kFVygI5A6oZHxzN
+DQNfzbd7TpdidQMm+bmu3Bj71yAx8zS+xzV7/+Oy7zvgCo5xUMeBYCjVmx+j+mf
XGLBQp89QtTFuvvP+a7t9JN1oQTeSnEmQqb2dqNksZUbL++l7wY4i3TQ0VzUttaw
o62Qnp8wjU3SltTsCJGc0RiV29XZlhE4vQWZSzAL//oxI924tDf4jwnD1jsRZfWy
9MvUoXPjWG3bNAYkQwMTOgjGQMQcy7IeYdXMcESetO0IFW8NDs/gqM1kAp2lb1Bg
t6g8A6SpKf2sA/W/6Wu6vg==
=nAU7
-----END PGP PUBLIC KEY BLOCK-----

240
machines/NixOS-VPS/default.nix Normal file
View File

@ -0,0 +1,240 @@
{ modulesPath, inputs, lib, pkgs, config, ... }: {
imports = with inputs.self; [
(modulesPath + "/profiles/qemu-guest.nix")
(modulesPath + "/profiles/minimal.nix")
inputs.disko.nixosModules.disko
inputs.sops-nix.nixosModules.sops
./disk-config.nix
./network.nix
./nix.nix
customModules.devices
customModules.persist
customModules.rustic
customModules.users
customProfiles.hardened
./services/backups.nix
./services/dns.nix
./services/tailscale.nix
./services/tor-bridge.nix
./services/wireguard.nix
./services/xtls.nix
];
# Impermanence
boot.initrd = {
# hardware
availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
# reset rootfs on reboot
postDeviceCommands = pkgs.lib.mkBefore ''
mkdir -p /mnt
mount -o subvol=/ /dev/sda4 /mnt
btrfs subvolume list -o /mnt/rootfs |
cut -f9 -d' ' |
while read subvolume; do
echo "deleting /$subvolume subvolume..."
btrfs subvolume delete "/mnt/$subvolume"
done &&
echo "deleting /root subvolume..."
btrfs subvolume delete /mnt/rootfs
echo "restoring blank /root subvolume..."
btrfs subvolume snapshot /mnt/snapshots/rootfs-blank /mnt/rootfs
umount /mnt
'';
};
fileSystems."/home".neededForBoot = true;
fileSystems."/persist".neededForBoot = true;
persist = {
enable = true;
cache.clean.enable = true;
state = {
files = [
"/etc/machine-id"
"/etc/ssh/ssh_host_ed25519_key"
"/etc/ssh/ssh_host_ed25519_key.pub"
"/etc/ssh/ssh_host_rsa_key"
"/etc/ssh/ssh_host_rsa_key.pub"
];
directories = [
"/var/lib/nixos"
"/var/lib/systemd"
];
};
};
# TODO: write all needed modules in boot.kernelModules
security.lockKernelModules = lib.mkForce false;
# Misc
boot = {
supportedFilesystems = [ "vfat" "btrfs" ];
kernelModules = [
"kvm-amd" "tcp_bbr" "veth"
# podman
"nft_chain_nat" "xt_addrtype" "xt_comment" "xt_mark" "xt_MASQUERADE"
];
kernelParams = [
"scsi_mod.use_blk_mq=1"
"kvm.ignore_msrs=1"
"kvm.report_ignored_msrs=0"
];
kernel.sysctl = {
"vm.swappiness" = 50;
"vm.vfs_cache_pressure" = 200;
"vm.dirty_background_ratio" = 1;
"vm.dirty_ratio" = 40;
"vm.page-cluster" = 0;
# proxy tuning
"net.ipv4.tcp_congestion_control" = "bbr";
"net.ipv4.tcp_slow_start_after_idle" = 0;
"net.core.default_qdisc" = "cake";
# "net.core.default_qdisc" = "fq";
"net.core.rmem_max" = 67108864;
"net.core.wmem_max" = 67108864;
"net.core.netdev_max_backlog" = 10000;
"net.core.somaxconn" = 4096;
"net.ipv4.tcp_syncookies" = 1;
"net.ipv4.tcp_tw_reuse" = 1;
"net.ipv4.tcp_fin_timeout" = 30;
"net.ipv4.tcp_keepalive_time" = 1200;
"net.ipv4.tcp_keepalive_probes" = 5;
"net.ipv4.tcp_keepalive_intvl" = 30;
"net.ipv4.tcp_max_syn_backlog" = 8192;
"net.ipv4.tcp_max_tw_buckets" = 5000;
"net.ipv4.tcp_fastopen" = 3;
"net.ipv4.tcp_mem" = "25600 51200 102400";
"net.ipv4.udp_mem" = "25600 51200 102400";
"net.ipv4.tcp_rmem" = "4096 87380 67108864";
"net.ipv4.tcp_wmem" = "4096 65536 67108864";
"net.ipv4.tcp_mtu_probing" = 1;
};
loader.grub = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
};
};
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 100;
};
deviceSpecific.isServer = true;
services.journald.extraConfig = "Compress=false";
nix.optimise.automatic = false;
nix.distributedBuilds = lib.mkForce false;
environment.noXlibs = lib.mkForce false;
fonts.enableDefaultPackages = lib.mkForce false;
security.polkit.enable = true;
# security.pam.enableSSHAgentAuth = true;
environment.systemPackages = with pkgs; [
bat
bottom
comma
git
kitty
micro
pwgen
inputs.nix-alien.packages.${pkgs.hostPlatform.system}.nix-index-update
rsync
];
# Locale
i18n.defaultLocale = "en_GB.UTF-8";
i18n.extraLocaleSettings = {
LANGUAGE = "en_GB.UTF-8";
LC_ALL = "en_GB.UTF-8";
LC_TIME = "en_GB.UTF-8";
LC_ADDRESS = "ru_RU.UTF-8";
LC_MONETARY = "ru_RU.UTF-8";
LC_PAPER = "ru_RU.UTF-8";
};
time.timeZone = "Europe/Helsinki";
environment.sessionVariables = {
XKB_DEFAULT_LAYOUT = "us,ru";
XKB_DEFAULT_OPTIONS = "grp:win_space_toggle";
LANGUAGE = "en_GB.UTF-8";
LC_ALL = "en_GB.UTF-8";
};
# Hardened
networking.firewall = {
enable = true;
allowPing = false;
allowedTCPPorts = lib.mkDefault [ ];
allowedUDPPorts = lib.mkDefault [ ];
};
systemd.coredump.enable = false;
# Users
services.openssh = {
enable = true;
settings.PasswordAuthentication = false;
settings.PermitRootLogin = lib.mkForce "prohibit-password";
settings.X11Forwarding = false;
extraConfig = "StreamLocalBindUnlink yes";
ports = [ 22 ];
};
users.mutableUsers = false;
users.users = {
${config.mainuser} = {
isNormalUser = true;
extraGroups = [ "disk" "systemd-journal" "wheel" ];
uid = 1000;
hashedPassword =
"$y$j9T$ZC44T3XYOPapB26cyPsA4.$8wlYEbwXFszC9nrg0vafqBZFLMPabXdhnzlT3DhUit6";
shell = pkgs.bash;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC+xd8ClJPvJuAdYC9HlNnjiubEtYfvnKjYr9ROV+UmPVvI3ZITF24OaMI+fxgR0EqGfcUzSGom8528IB53Q3aFMIAaA0vKjW+jrByyB2l/k/+ttpLbH75c9WyOpAcUDTen8BhHKPyXOHoJ1jLu7GFmtPZ+mZo8thFB/VIRrwECHd8DnF0drsSCorkRp1bZC7bAHgztaYHNBUoAVGgJ7nLwW7DotlgbUEDiPJHXOxd/c/ZlXIB/cfUUqF+L5ThbMPhMcwRMspLy+nQdmHhih9k6SkvYqJoNqHT5/XeShb0RkIzvUWT2CYTPop5kAY5mMnatVTOY1FZPhHzk3G8MhOQ3r/elM/ecZxmjL8uozMN9kRGf1IL4DgQZfVqQRILdNSQGb0tfeiyirNZe1RlDw9UvMnZJOw0EkiC9lSSRhBWXXxAmxRrbNFTPQSp+/kiIGDmp2AsGhD11CfTDEU3wcLEUPBUqp1FYSzHncJyEKGy2Dpa5xaUJ0cuyGL4W3WHDXa4sTfY+AIXbQTD88Ujdsbfzyd6lrikG4D/crCurXissrh7q9DuYKWRI24cp5bw9lG33U1EXisnZqFyZNwMAmSj2QEGsHCwSevn0FgyRa2WYXgpZ9hfgY4le+ZSMo2JTosQ6DjGyxMDyQAHJ/ismTTzL67Q2p6U+73toYm62Qqdspw== (none)"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDP0/DReYSAfkucroMTdELzTORsGhhbEa+W0FDFBnwViHuoqoKvetCOkW657icexc5v/j6Ghy3+Li9twbHnEDzUJVtNtauhGMjOcUYt6pTbeJ09CGSAh+orxzeY4vXp7ANb91xW8yRn/EE4ALxqbLsc/D7TUMl11fmf0UW+kLgU5TcUYVSLMjQqBpD1Lo7lXLrImloDxe5fwoBDT09E59r9tq6+/3aHz8mpKRLsIQIV0Av00BRJ+/OVmZuBd9WS35rfkpUYmpEVInSJy3G4O6kCvY/zc9Bnh67l4kALZZ0+6W23kBGrzaRfaOtCEcscwfIu+6GXiHOL33rrMNNinF0T2942jGc18feL6P/LZCzqz8bGdFNxT43jAGPeDDcrJEWAJZFO3vVTP65dTRTHQG2KlQMzS7tcif6YUlY2JLJIb61ZfLoShH/ini/tqsGT0Be1f3ndOFt48h4XMW1oIF+EXaHYeO2UJ6855m8Wpxs4bP/jX6vMV38IvvnHy4tWD50= alukard@AMD-Workstation"
];
};
deploy = {
description = "The administrator account for the servers.";
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys =
config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
};
root.openssh.authorizedKeys.keys =
config.users.users.${config.mainuser}.openssh.authorizedKeys.keys;
};
# Passwordless sudo for deploy user
security.sudo = {
extraRules = [{
users = [ "deploy" ];
commands = [{
command = "ALL";
options = [ "NOPASSWD" ];
}];
}];
extraConfig = ''
Defaults lecture = never
'';
};
# Podman
virtualisation = {
oci-containers.backend = lib.mkForce "podman";
podman.enable = true;
podman.dockerSocket.enable = true;
containers.registries.search = [
"docker.io" "gcr.io" "quay.io"
];
containers.storage.settings = {
storage = {
driver = "overlay";
graphroot = "/var/lib/podman/storage";
runroot = "/run/containers/storage";
};
};
};
networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
security.unprivilegedUsernsClone = true;
system.stateVersion = "23.11";
nixpkgs.hostPlatform = lib.mkForce "x86_64-linux";
}

100
machines/NixOS-VPS/disk-config.nix Normal file
View File

@ -0,0 +1,100 @@
{ lib, ... }: {
disko.devices.disk.disk1 = {
device = lib.mkDefault "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
boot = {
name = "boot";
size = "1M";
type = "EF02";
};
esp = {
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
swap = {
name = "swap";
size = "4G";
content = {
type = "swap";
randomEncryption = true;
};
};
root = {
name = "root";
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-f" ];
postCreateHook = ''
mount -t btrfs /dev/sda4 /mnt
btrfs subvolume snapshot -r /mnt/rootfs /mnt/snapshots/rootfs-blank
btrfs subvolume snapshot -r /mnt/persistent/home /mnt/snapshots/home-blank
btrfs subvolume snapshot -r /mnt/persistent/docker /mnt/snapshots/docker-blank
btrfs subvolume snapshot -r /mnt/persistent/podman /mnt/snapshots/podman-blank
btrfs subvolume snapshot -r /mnt/persistent/containers /mnt/snapshots/containers-blank
btrfs subvolume snapshot -r /mnt/persistent/libvirt /mnt/snapshots/libvirt-blank
btrfs subvolume snapshot -r /mnt/persistent/log /mnt/snapshots/log-blank
btrfs subvolume snapshot -r /mnt/persistent/impermanence /mnt/snapshots/impermanence-blank
btrfs subvolume snapshot -r /mnt/persistent/srv /mnt/snapshots/srv-blank
umount /mnt
'';
subvolumes = {
"/snapshots" = { };
"/rootfs" = {
mountpoint = "/";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent" = { };
"/persistent/nix" = {
mountpoint = "/nix";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/home" = {
mountpoint = "/home";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/srv" = {
mountpoint = "/srv";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/docker" = {
mountpoint = "/var/lib/docker";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/podman" = {
mountpoint = "/var/lib/podman";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/containers" = {
mountpoint = "/var/lib/containers";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/libvirt" = {
mountpoint = "/var/lib/libvirt";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/log" = {
mountpoint = "/var/log";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
"/persistent/impermanence" = {
mountpoint = "/persist";
mountOptions = [ "compress=zstd" "noatime" "autodefrag" "ssd" ];
};
};
};
};
};
};
};
}

95
machines/NixOS-VPS/hardware/networks.nix Normal file
View File

@ -0,0 +1,95 @@
rec {
privateIPv6Prefix = "fd3a:900e:8e74:ffff";
domain = "wg.ataraxiadev.com";
interfaces = {
# This is the public-facing interface. Any interface name with a prime
# symbol means it's a public-facing interface.
main' = {
bridgeName = "br0";
ifname = "enp0s18";
IPv4 = {
address = "83.138.55.118/26";
gateway = "83.138.55.65";
dns = [ "46.102.157.27" "46.102.157.42" ];
};
IPv6 = {
address = "2a0d:f302:109:3487::1/48";
gateway = "2a0d:f302:109::1";
dns = [ "2a0d:f302:99::99" "2a0d:f302:100::100" ];
};
};
wireguard0 = {
ifname = "wg0";
dns = [ "${privateIPv6Prefix}::0:53" ];
IPv4 = {
address = "10.100.0.1";
subnet = "10.100.0.0/16";
};
IPv6 = {
address = "${privateIPv6Prefix}::1";
subnet = "${privateIPv6Prefix}::0/64";
};
};
};
# Wireguard-related things.
wireguardPort = 40820;
wireguardIPv4Prefix = "10.100.0";
wireguardIPv6Prefix = "${privateIPv6Prefix}::0";
wireguardPeers = {
server = with interfaces.wireguard0; {
IPv4 = IPv4.address;
IPv6 = IPv6.address;
};
ataraxia = {
IPv4 = "${wireguardIPv4Prefix}.2";
IPv6 = "${wireguardIPv6Prefix}:2";
};
hypervisor = {
IPv4 = "${wireguardIPv4Prefix}.3";
IPv6 = "${wireguardIPv6Prefix}:3";
};
mikrotik = {
IPv4 = "${wireguardIPv4Prefix}.4";
IPv6 = "${wireguardIPv6Prefix}:4";
};
poco = {
IPv4 = "${wireguardIPv4Prefix}.5";
IPv6 = "${wireguardIPv6Prefix}:5";
};
kpoxa = {
IPv4 = "${wireguardIPv4Prefix}.6";
IPv6 = "${wireguardIPv6Prefix}:6";
};
kpoxa2 = {
IPv4 = "${wireguardIPv4Prefix}.7";
IPv6 = "${wireguardIPv6Prefix}:7";
};
faysss = {
IPv4 = "${wireguardIPv4Prefix}.8";
IPv6 = "${wireguardIPv6Prefix}:8";
};
faysss2 = {
IPv4 = "${wireguardIPv4Prefix}.9";
IPv6 = "${wireguardIPv6Prefix}:9";
};
faysss3 = {
IPv4 = "${wireguardIPv4Prefix}.10";
IPv6 = "${wireguardIPv6Prefix}:a";
};
doste = {
IPv4 = "${wireguardIPv4Prefix}.11";
IPv6 = "${wireguardIPv6Prefix}:b";
};
dell = {
IPv4 = "${wireguardIPv4Prefix}.12";
IPv6 = "${wireguardIPv6Prefix}:c";
};
hypervisor-dns = {
IPv4 = "${wireguardIPv4Prefix}.13";
IPv6 = "${wireguardIPv6Prefix}:d";
};
};
}

60
machines/NixOS-VPS/network.nix Normal file
View File

@ -0,0 +1,60 @@
{ config, ... }:
let
inherit (import ./hardware/networks.nix) interfaces domain;
in {
services.resolved.enable = true;
networking = {
enableIPv6 = true;
usePredictableInterfaceNames = true;
useDHCP = false;
dhcpcd.enable = false;
nftables.enable = false; # incompatible with tailscale and docker
hostName = config.device;
domain = domain;
};
systemd.network = with interfaces.main'; {
enable = true;
wait-online.ignoredInterfaces = [ "lo" ];
networks = {
"40-${ifname}" = {
matchConfig.Name = ifname;
linkConfig.RequiredForOnline = "enslaved";
networkConfig.Bridge = bridgeName;
networkConfig.DHCP = "no";
};
"60-${bridgeName}" = {
matchConfig.Name = bridgeName;
address = [
IPv4.address
IPv6.address
"192.168.0.1/24"
"fc00::1/64"
];
linkConfig.RequiredForOnline = "routable";
networkConfig = {
DHCP = "no";
IPForward = true;
IPv6PrivacyExtensions = "kernel";
DNS = IPv4.dns ++ IPv6.dns;
};
routes = [{
routeConfig.Gateway = IPv4.gateway;
routeConfig.GatewayOnLink = true;
} {
routeConfig.Gateway = IPv6.gateway;
routeConfig.GatewayOnLink = true;
}];
};
};
netdevs = {
"60-${bridgeName}" = {
netdevConfig = {
Kind = "bridge";
Name = bridgeName;
MACAddress = "72:df:16:d2:1b:d7";
};
};
};
};
}

38
machines/NixOS-VPS/nix.nix Normal file
View File

@ -0,0 +1,38 @@
{ config, lib, inputs, ... }: {
nix = {
nixPath = lib.mkForce [ "self=/etc/self/compat" "nixpkgs=/etc/nixpkgs" ];
registry.self.flake = inputs.self;
registry.nixpkgs.flake = inputs.nixpkgs;
optimise.automatic = lib.mkDefault true;
extraOptions = ''
builders-use-substitutes = true
experimental-features = nix-command flakes
flake-registry = ${inputs.flake-registry}/flake-registry.json
'';
settings = {
auto-optimise-store = false;
require-sigs = true;
substituters = [
"https://cache.nixos.org"
"https://nix-community.cachix.org"
"https://ataraxiadev-foss.cachix.org"
"https://cache.ataraxiadev.com/ataraxiadev"
"https://numtide.cachix.org"
"https://devenv.cachix.org"
"https://ezkea.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"ataraxiadev-foss.cachix.org-1:ws/jmPRUF5R8TkirnV1b525lP9F/uTBsz2KraV61058="
"ataraxiadev:/V5bNjSzHVGx6r2XA2fjkgUYgqoz9VnrAHq45+2FJAs="
"numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
"devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
"ezkea.cachix.org-1:ioBmUbJTZIKsHmWWXPe1FSFbeVe+afhfgqgTSNd34eI="
];
trusted-users = [ "root" config.mainuser "@wheel" ];
};
};
environment.etc.nixpkgs.source = inputs.nixpkgs;
environment.etc.self.source = inputs.self;
}

50
machines/NixOS-VPS/services/backups.nix Normal file
View File

@ -0,0 +1,50 @@
{ config, inputs, ... }: {
sops.secrets.rustic-repo-pass.sopsFile = inputs.self.secretsDir + /rustic-b2.yaml;
sops.secrets.rclone-backup-config.sopsFile = inputs.self.secretsDir + /rustic-b2.yaml;
services.rustic.backups = let
label = "vps-containers";
in rec {
vps-backup = {
backup = true;
prune = false;
rcloneConfigFile = config.sops.secrets.rclone-backup-config.path;
timerConfig = {
OnCalendar = "01:00";
Persistent = true;
};
settings = {
repository = {
repository = "rclone:rustic-b2:ataraxia-nas-backup";
password-file = config.sops.secrets.rustic-repo-pass.path;
};
repository.options = {
timeout = "10min";
};
backup = {
label = label;
ignore-devid = true;
sources = [{
source = "/srv/marzban /srv/nextcloud/config /srv/nextcloud/data";
}];
};
forget = {
filter-label = [ label ];
prune = true;
keep-daily = 7;
keep-weekly = 5;
keep-monthly = 2;
};
};
};
vps-prune = vps-backup // {
backup = false;
prune = true;
createWrapper = false;
timerConfig = {
OnCalendar = "Tue, 02:00";
Persistent = true;
};
};
};
}

232
machines/NixOS-VPS/services/dns.nix Normal file
View File

@ -0,0 +1,232 @@
{ config, lib, pkgs, ... }:
let
inherit (import ../hardware/networks.nix) interfaces;
wg = interfaces.wireguard0;
wgIfname = wg.ifname;
brIfname = interfaces.main'.bridgeName;
tailscaleIfname = config.services.tailscale.interfaceName;
in {
# For debugging purposes
environment.systemPackages = with pkgs; [ tcpdump dnsutils ];
services.resolved.extraConfig = ''
DNSStubListener=off
'';
systemd.network.networks."20-${brIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
systemd.network.networks."90-${wgIfname}".networkConfig.DNS = lib.mkForce "127.0.0.1";
networking.firewall.interfaces = let
ports = {
allowedTCPPorts = [
config.services.blocky.settings.ports.dns
config.services.grafana.settings.server.http_port
];
allowedUDPPorts = [
config.services.blocky.settings.ports.dns
];
};
in {
${wgIfname} = ports;
${tailscaleIfname} = ports;
};
# TODO: DoH (https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html)
services.unbound = {
enable = true;
package = pkgs.unbound-full;
settings = {
server = {
root-hints = "${config.services.unbound.stateDir}/root.hints";
port = "553";
interface = [
"127.0.0.1"
"::1"
];
access-control = [
"0.0.0.0/0 refuse"
"127.0.0.0/8 allow"
"::0/0 refuse"
"::1 allow"
];
private-address = [
"127.0.0.0/8"
"::1"
];
hide-version = "yes";
aggressive-nsec = "yes";
cache-max-ttl = "86400";
cache-min-ttl = "600";
deny-any = "yes";
do-ip4 = "yes";
do-ip6 = "yes";
do-tcp = "yes";
do-udp = "yes";
harden-algo-downgrade = "yes";
harden-dnssec-stripped = "yes";
harden-glue = "yes";
harden-large-queries = "yes";
harden-referral-path = "yes";
harden-short-bufsize = "yes";
hide-identity = "yes";
minimal-responses = "yes";
msg-cache-size = "128m";
neg-cache-size = "4m";
prefer-ip6 = "no";
prefetch = "yes";
prefetch-key = "yes";
qname-minimisation = "yes";
rrset-cache-size = "256m";
rrset-roundrobin = "yes";
serve-expired = "yes";
so-rcvbuf = "4m";
so-reuseport = "yes";
so-sndbuf = "4m";
unwanted-reply-threshold = "100000";
use-caps-for-id = "yes";
};
cachedb = {
backend = "redis";
redis-server-host = "127.0.0.1";
redis-server-port = toString config.services.redis.servers.unbound.port;
redis-timeout = "300";
redis-expire-records = "no";
};
};
};
services.redis.vmOverCommit = true;
services.redis.servers.unbound = {
enable = true;
port = 7379;
databases = 1;
save = [ [ 3600 1 ] [ 1800 10 ] [ 600 100 ] ];
settings = {
maxmemory = "16mb";
protected-mode = true;
rdbchecksum = false;
stop-writes-on-bgsave-error = false;
tcp-keepalive = 300;
timeout = 0;
};
};
# TODO: maybe set internic ip address to hosts?
systemd.services.root-hints = {
script = ''
${pkgs.wget}/bin/wget -O ${config.services.unbound.stateDir}/root.hints https://www.internic.net/domain/named.root
'';
serviceConfig.Type = "oneshot";
startAt = "1 0 1 */1 *";
};
# Blocky + prometheus + grafana
services.blocky = {
enable = true;
settings = {
upstream.default = [ "127.0.0.1:553" "[::1]:553" ];
upstreamTimeout = "10s";
bootstrapDns = [{
upstream = "https://dns.quad9.net/dns-query";
ips = [ "9.9.9.9" "149.112.112.112" ];
}];
blocking = {
blackLists = {
ads = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
"https://github.com/RPiList/specials/raw/master/Blocklisten/malware"
];
telemetry = [
"https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt"
"https://github.com/RPiList/specials/raw/master/Blocklisten/MS-Office-Telemetry"
"https://github.com/RPiList/specials/raw/master/Blocklisten/Win10Telemetry"
];
};
clientGroupsBlock.default = [ "ads" "telemetry" ];
};
# disable caching (use unbound)
caching = {
minTime = -1;
maxTime = -1;
cacheTimeNegative = -1;
prefetching = false;
};
ports = {
dns = 53;
http = "127.0.0.1:4000";
};
prometheus.enable = true;
queryLog = {
type = "console";
};
};
};
services.prometheus = {
enable = true;
listenAddress = "127.0.0.1";
globalConfig.scrape_interval = "15s";
globalConfig.evaluation_interval = "15s";
scrapeConfigs = [{
job_name = "blocky";
static_configs = [{
targets = [ config.services.blocky.settings.ports.http ];
}];
}];
};
services.grafana = {
enable = true;
settings = {
analytics.reporting_enabled = false;
server = {
enable_gzip = true;
domain = "localhost";
http_addr = "0.0.0.0";
http_port = 3000;
};
# Grafana can be accessed only through wireguard, so it's secure enough
security = {
admin_user = "admin";
admin_password = "admin";
};
panels.disable_sanitize_html = true;
};
provision = {
enable = true;
datasources.settings = {
datasources = [{
name = "Prometheus";
type = "prometheus";
access = "proxy";
orgId = 1;
uid = "Y4SSG429DWCGDQ3R";
url = "http://127.0.0.1:${toString config.services.prometheus.port}";
isDefault = true;
jsonData = {
graphiteVersion = "1.1";
tlsAuth = false;
tlsAuthWithCACert = false;
};
version = 1;
editable = true;
}];
};
dashboards = {
settings = {
providers = [{
name = "My Dashboards";
options.path = "/etc/grafana-dashboards";
}];
};
};
};
};
environment.etc = {
"grafana-dashboards/blocky_rev3.json" = {
source = ../../../misc/grafana_blocky_rev3.json;
group = "grafana";
user = "grafana";
};
};
persist.state.directories = [
"/var/lib/grafana"
"/var/lib/prometheus2"
"/var/lib/redis-unbound"
"/var/lib/unbound"
];
}

23
machines/NixOS-VPS/services/tailscale.nix Normal file
View File

@ -0,0 +1,23 @@
{ config, pkgs, lib, ... }:
let
bridgeName = (import ../hardware/networks.nix).interfaces.main'.bridgeName;
tailscalePort = config.services.tailscale.port;
tailscaleIfname = config.services.tailscale.interfaceName;
in {
networking.firewall.interfaces.${bridgeName}.allowedUDPPorts = [ tailscalePort ];
networking.firewall.trustedInterfaces = [ tailscaleIfname ];
systemd.network.networks."50-tailscale" = {
matchConfig.Name = tailscaleIfname;
linkConfig.Unmanaged = true;
linkConfig.ActivationPolicy = "manual";
};
services.tailscale = {
enable = true;
port = 18491;
useRoutingFeatures = "both";
};
persist.state.directories = [ "/var/lib/tailscale" ];
}

45
machines/NixOS-VPS/services/tor-bridge.nix Normal file
View File

@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
let
inherit (import ../hardware/networks.nix) interfaces;
bridgeName = interfaces.main'.bridgeName;
obfs4Port = 18371;
in {
networking.firewall.interfaces.${bridgeName} = {
allowedTCPPorts = [ obfs4Port ];
};
# We can get bridge cert from file: /var/lib/tor/pt_state/obfs4_bridgeline.txt
# Fingerprint can be obtained from tor.service logs
services.tor = {
enable = true;
enableGeoIP = true;
client.enable = false;
relay.enable = true;
relay.role = "private-bridge";
settings = {
BridgeDistribution = "none";
BridgeRelay = true;
ContactInfo = "admin@ataraxiadev.com";
ORPort = [ 17429 ];
ServerTransportListenAddr = "obfs4 0.0.0.0:${toString obfs4Port}";
Nickname = "Ataraxia";
};
};
services.networkd-dispatcher = {
enable = true;
rules."restart-tor" = {
onState = [ "routable" "off" ];
script = ''
#!${pkgs.runtimeShell}
if [[ $IFACE == "${bridgeName}" && $AdministrativeState == "configured" ]]; then
echo "Restarting Tor ..."
systemctl restart tor
fi
exit 0
'';
};
};
persist.state.directories = [ "/var/lib/tor" ];
}

131
machines/NixOS-VPS/services/wireguard.nix Normal file
View File

@ -0,0 +1,131 @@
{ config, lib, pkgs, ... }:
let
inherit (import ../hardware/networks.nix) interfaces wireguardPort wireguardPeers;
wireguardIFName = interfaces.wireguard0.ifname;
in {
# Sometimes we need to disable checksum validation
# ethtool -K br0 tx off rx off
# ethtool -K enp0s1 tx off rx off
environment.systemPackages = [ pkgs.wireguard-tools ];
networking.firewall = {
allowedUDPPorts = [ wireguardPort ];
checkReversePath = lib.mkForce false;
};
boot.kernelModules = [ "wireguard" ];
systemd.network = {
wait-online.ignoredInterfaces = [ wireguardIFName ];
networks."90-${wireguardIFName}" = with interfaces.wireguard0; {
matchConfig.Name = wireguardIFName;
address = [
"${IPv4.address}/16"
"${IPv6.address}/64"
];
DHCP = "no";
networkConfig = {
IPForward = true;
IPMasquerade = "both";
DNS = interfaces.main'.IPv4.dns ++ interfaces.main'.IPv6.dns;
};
};
netdevs."90-${wireguardIFName}" = {
netdevConfig = {
Name = wireguardIFName;
Kind = "wireguard";
};
wireguardConfig = {
PrivateKeyFile = "/srv/wireguard/private";
ListenPort = wireguardPort;
};
wireguardPeers = [
{
wireguardPeerConfig = with wireguardPeers.ataraxia; {
PublicKey = "qjkV4V0on7H3hXG7udKOv4Qu/IUBrsDcXNZt3MupP3o=";
PresharedKeyFile = "/srv/wireguard/ataraxia/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.hypervisor; {
PublicKey = "oKQ3HXZ1wwWyVgmA4RoCXscImohqB8hdMzP1FRArw0o=";
PresharedKeyFile = "/srv/wireguard/hypervisor/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.mikrotik; {
PublicKey = "amReLTZgu6pwtKCnk1q8EG5uZSgUNxRoh5m3w1D3rQo=";
PresharedKeyFile = "/srv/wireguard/mikrotik/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.poco; {
PublicKey = "ZbBJziuMjyHJNcgrLYIQtio7l3fEOJ4GXW4ST+N9V34=";
PresharedKeyFile = "/srv/wireguard/poco/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.kpoxa; {
PublicKey = "U1wtbS8/yQGkBnBQUZs7KxxmvAajKb9jh83dDd2LdgE=";
PresharedKeyFile = "/srv/wireguard/kpoxa/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.kpoxa2; {
PublicKey = "ghU3Puwz5PeXmnDlxyh+IeuwFK44V3rXlMiFGs5YnwI=";
PresharedKeyFile = "/srv/wireguard/kpoxa2/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.faysss; {
PublicKey = "JLvKyFwI7b9MsiZsnNAt3qs5ob18b3mrOZKR5HZCORY=";
PresharedKeyFile = "/srv/wireguard/faysss/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.faysss2; {
PublicKey = "S6k9l0K5/YmO5BPETQludC1CBHsKLsk9+n6kwSjx4n8=";
PresharedKeyFile = "/srv/wireguard/faysss2/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.faysss3; {
PublicKey = "ka42gE67gShu88Ko7iQ/pK8zusod6bNIrIN8fkxVkC4=";
PresharedKeyFile = "/srv/wireguard/faysss3/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.doste; {
PublicKey = "KVbEaO4DSpTb941zxOPQLWq2Glm9CDgK/9MwW95WuC0=";
PresharedKeyFile = "/srv/wireguard/doste/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.dell; {
PublicKey = "//ss9UEHRFEZL4LbZaA1HiRUrMrn97kc7CmblUORXTc=";
PresharedKeyFile = "/srv/wireguard/dell/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
{
wireguardPeerConfig = with wireguardPeers.hypervisor-dns; {
PublicKey = "x4uavQEEfhdqNC4FCOPfKlEDRJiwOz4dy2W1KhJtnwc=";
PresharedKeyFile = "/srv/wireguard/hypervisor-dns/preshared";
AllowedIPs = [ "${IPv4}/32" "${IPv6}/128" ];
};
}
];
};
};
}

65
machines/NixOS-VPS/services/xtls.nix Normal file
View File

@ -0,0 +1,65 @@
{ config, pkgs, lib, inputs, ... }:
let
cert-key = config.sops.secrets."cert.key".path;
cert-pem = config.sops.secrets."cert.pem".path;
nginx-conf = config.sops.secrets."nginx.conf".path;
marzban-env = config.sops.secrets.marzban.path;
in {
networking.firewall.allowedTCPPorts = [ 80 443 ];
sops.secrets = let
nginx = {
sopsFile = inputs.self.secretsDir + /nixos-vps/nginx.yaml;
restartUnits = [ "podman-nginx.service" ];
};
marzban = {
format = "dotenv";
sopsFile = inputs.self.secretsDir + /nixos-vps/marzban.env;
restartUnits = [ "podman-marzban.service" ];
};
in {
"cert.key" = nginx;
"cert.pem" = nginx;
"nginx.conf" = nginx;
marzban = marzban;
};
virtualisation.oci-containers.containers = {
nextcloud = {
autoStart = true;
image = "docker.io/nextcloud:stable";
ports = [ "9765:80" ];
volumes = [
"/srv/nextcloud/html:/var/www/html"
"/srv/nextcloud/config:/var/www/html/config"
"/srv/nextcloud/data:/var/www/html/data"
];
};
marzban = {
autoStart = true;
image = "ghcr.io/gozargah/marzban:v0.4.1";
environmentFiles = [ marzban-env ];
extraOptions = [ "--network=host" ];
volumes = [
"/srv/marzban:/var/lib/marzban"
];
};
nginx = {
autoStart = true;
image = "docker.io/nginx:latest";
extraOptions = [ "--network=host" ];
volumes = [
"${cert-key}:/etc/ssl/certs/cert.key:ro"
"${cert-pem}:/etc/ssl/certs/cert.pem:ro"
"${nginx-conf}:/etc/nginx/nginx.conf:ro"
];
};
};
systemd.tmpfiles.rules = [
"d /srv/marzban 0755 root root -"
"d /srv/nextcloud/html 0755 33 33 -"
"d /srv/nextcloud/config 0755 33 33 -"
"d /srv/nextcloud/data 0755 33 33 -"
];
}

1
machines/NixOS-VPS/system Normal file
View File

@ -0,0 +1 @@
x86_64-linux

30
patches/269584.patch Normal file
View File

@ -0,0 +1,30 @@
From 369c508fae6ab9909c943e5e078e524ea58cb227 Mon Sep 17 00:00:00 2001
From: Sascha Grunert <sgrunert@redhat.com>
Date: Fri, 24 Nov 2023 08:59:05 +0100
Subject: [PATCH] crun: 1.11.1 -> 1.12
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
---
pkgs/applications/virtualization/crun/default.nix | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/applications/virtualization/crun/default.nix b/pkgs/applications/virtualization/crun/default.nix
index 77c36d3f81c069..6b513dae9e1e92 100644
--- a/pkgs/applications/virtualization/crun/default.nix
+++ b/pkgs/applications/virtualization/crun/default.nix
@@ -39,13 +39,13 @@ let
in
stdenv.mkDerivation rec {
pname = "crun";
- version = "1.11.1";
+ version = "1.12";
src = fetchFromGitHub {
owner = "containers";
repo = pname;
rev = version;
- hash = "sha256-D4Y+n/6R2v3U/BhYQitsHd6ckda1vfAzciFbTM/1J80=";
+ hash = "sha256-61E/71axlN5H1KpAkWFm7jOETlmmy2qh7R+JrVZlMIQ=";
fetchSubmodules = true;
};

64
patches/273564.patch Normal file
View File

@ -0,0 +1,64 @@
From 94d828a5033b688af09b02983aad37ecf529bf3c Mon Sep 17 00:00:00 2001
From: K900 <me@0upti.me>
Date: Mon, 11 Dec 2023 17:59:40 +0300
Subject: [PATCH] corectrl: 1.3.6 -> 1.3.8
Diff: https://gitlab.com/corectrl/corectrl/-/compare/v1.3.6...v1.3.8
---
pkgs/applications/misc/corectrl/default.nix | 4 ++--
pkgs/applications/misc/corectrl/polkit-dir.patch | 14 +++++++-------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/pkgs/applications/misc/corectrl/default.nix b/pkgs/applications/misc/corectrl/default.nix
index 0771737eb266e3..99c2ce866db39d 100644
--- a/pkgs/applications/misc/corectrl/default.nix
+++ b/pkgs/applications/misc/corectrl/default.nix
@@ -23,13 +23,13 @@
stdenv.mkDerivation rec{
pname = "corectrl";
- version = "1.3.6";
+ version = "1.3.8";
src = fetchFromGitLab {
owner = "corectrl";
repo = "corectrl";
rev = "v${version}";
- sha256 = "sha256-a8cLtmv9nLtvN9o/aIwveTAT36XmTN1j85ZxVGIXO6E=";
+ sha256 = "sha256-lc6yWzJiSzGKMzJIpgOtirJONsh49vXWDWrhLV/erwQ=";
};
patches = [
./polkit-dir.patch
diff --git a/pkgs/applications/misc/corectrl/polkit-dir.patch b/pkgs/applications/misc/corectrl/polkit-dir.patch
index 85b0f765bebe62..beaef3b5097eb4 100644
--- a/pkgs/applications/misc/corectrl/polkit-dir.patch
+++ b/pkgs/applications/misc/corectrl/polkit-dir.patch
@@ -1,5 +1,5 @@
diff --git a/src/helper/CMakeLists.txt b/src/helper/CMakeLists.txt
-index 1b7ed7c..757748c 100644
+index 3fe2ace..2542ea1 100644
--- a/src/helper/CMakeLists.txt
+++ b/src/helper/CMakeLists.txt
@@ -22,15 +22,7 @@ message("D-Bus files will be installed into ${DBUS_DATADIR_PREFIX_DIR}/dbus-1")
@@ -7,15 +7,15 @@ index 1b7ed7c..757748c 100644
# Find polkit
pkg_check_modules(POLKIT REQUIRED polkit-gobject-1)
-execute_process(
-- COMMAND pkg-config --variable=policydir polkit-gobject-1
-- RESULT_VARIABLE POLKIT_POLICY_INSTALL_DIR_RESULT
-- OUTPUT_VARIABLE POLKIT_POLICY_INSTALL_DIR
-- OUTPUT_STRIP_TRAILING_WHITESPACE
+- COMMAND pkg-config --variable=policydir polkit-gobject-1
+- RESULT_VARIABLE POLKIT_POLICY_INSTALL_DIR_RESULT
+- OUTPUT_VARIABLE POLKIT_POLICY_INSTALL_DIR
+- OUTPUT_STRIP_TRAILING_WHITESPACE
-)
-if(NOT POLKIT_POLICY_INSTALL_DIR_RESULT EQUAL "0")
- message(FATAL_ERROR "Failed to retrieve Polkit `policydir` variable using pkg-config")
-endif()
+option(POLKIT_POLICY_INSTALL_DIR "Polkit policy directory")
- list(APPEND PROCESS_MONITOR_SRC
- pmon/processmonitor.cpp
+ list(APPEND HELPER_COMPILE_DEFINITIONS
+ ELPP_THREAD_SAFE

16
secrets/nixos-vps/marzban.env Normal file
View File

@ -0,0 +1,16 @@
SUDO_USERNAME=ENC[AES256_GCM,data:4QMSmmaPB10=,iv:KveMQ+EdfltGzQRRA+cm1MaRlsLypOhlWHdCumHLQS4=,tag:v30WjSutCxO9LDv3wFZHMA==,type:str]
SUDO_PASSWORD=ENC[AES256_GCM,data:IPJGUQiB6jMObUsUdw==,iv:N9cw9aGkmgIYmmrNkQYQ5PFdrmYKC8Tdgr4yb/96U5A=,tag:/yYIC/rKCttSgBBGvjCe2A==,type:str]
TELEGRAM_API_TOKEN=ENC[AES256_GCM,data:8PySjalQnpADCd+3Yt+Iax3DdGq6sxR0PHntgAzKpI+iXsB8TsMqsm6ElORoOw==,iv:y7tmr1jIs/JtMnBcEkGiCxrKkPcgUt6RBSq4GiKXNZ8=,tag:TcdxtPkO4Pvfcku72XCFIg==,type:str]
TELEGRAM_ADMIN_ID=ENC[AES256_GCM,data:nH/VUQNoRqwj,iv:AdBRZqyBVeze8SGn0pmxaBB8CWyo3D1TTaVx7NsEPHI=,tag:MyJwnQhuBCQ7XMS74TevRg==,type:str]
SQLALCHEMY_DATABASE_URL=ENC[AES256_GCM,data:bQJGB/c/pTuAPev2zxcLu1cNg2TmlHH9iY2kQH4qfqRwh/Fcjg==,iv:CeQZ8qcNLiVgtGI/4Egod6VaXamCfAKHi4jrgzXKl9Q=,tag:VX0J3r6RjnS5utJ/UDK1hQ==,type:str]
XRAY_JSON=ENC[AES256_GCM,data:28Wkv4CG4hpG9h51d2ge3AUO2MdVuRBjPuw1bxFwYqhT,iv:MooWqI5QCmk0JXWdKxA40UIFaaIxG3EakMQ1jBH8TVI=,tag:Fmnqdg9mvRVvm/0O7VNFGw==,type:str]
sops_lastmodified=2023-11-22T23:09:38Z
sops_mac=ENC[AES256_GCM,data:m9TLulK7igJtvtuu1Leag5Ky28qxKyELOKGTFZmX8O/VaVwu1EHC07awgf9HJjFlAcIWT6+fkRcnpwse6t4Thh//Yc4YIu8ryJjsRZBLezaR26SOWis41HR/uek/lSLLMMrdIyiU/5RX9i3/rhUjZwCDYzM1yg+rDsxfGIdERCM=,iv:+TXcgj9MsmQmZzYi4JKbgPVLcX0VLKtheq5/ckPRDcY=,tag:Ku+43ZiVCOeUxN3pimv7JQ==,type:str]
sops_pgp__list_0__map_created_at=2023-12-18T03:44:26Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQEMAwcagTG/Fm6AAQf5ASzl4f+fyxYF+y0QZMfKrqHmpIZaqKdoUXKI+LIc1otu\nIsX4ETEExvXeylcRKu/A6xhmCqiUJ//KpS3NRtdlrEQssG8ERsmKJgtr821fpGds\nsr0lsnojT0HEq5dmkdbrbT8lWEzQ5ZXAy0plurcLMYUw75x/DhPGNqEwlwtTX5Nn\nSfcpNBZcrhqoRAXa37D4jkqagikvvxF6EFNAXcUmJOTGiiM8yPbzXhRfpuYrI3jW\nBmssZZ3ern+P5Q3xfyXNe2Ue5BFx40BX4d8V/kj3996loKmWtYwJmaap4vQYZFHB\nmp8/BtUYfKMC/A3JKCvO98e9Po69P+cwIWdCxUyHINJYAQGTNyFJdpssqMSfNNxP\n4POT+EU7KEZWjOH/yCxteHsCnGEnwIlXJXotevxYesDQiAA55Q3xG1A9GkNHPEXt\n0yInyHK7FVgR5tSMsn8sV32gQkYb0FACLw==\n=HIWc\n-----END PGP MESSAGE-----
sops_pgp__list_0__map_fp=ad382d058c964607b7bbf01b071a8131bf166e80
sops_pgp__list_1__map_created_at=2023-12-18T03:44:26Z
sops_pgp__list_1__map_enc=-----BEGIN PGP MESSAGE-----\n\nhQIMAzTK+524Lx1AARAAnQxvussbq9bJvC8EcAGosXz5aWBmZey4zhLPuB6Msgru\niSivk2Rjq4+oM8PntOlXqpPk9Kt8eUcnT2MjxSpsvDqk+SOGuRK5svPa47W1kEG0\nUgiydAMuKHDsdZqpC0UdURqlLMMylGkRlLB4t7emGGfSBIp4agpYnxyRFkoEX+Oo\n7RrtQ+CcVX7CP9sr1iU0NztcQVrwRxmhoYAhg/KOnvBrv8FKZKF7/7u/GUSAJam2\nz4cHfHPDFDDeRUtH3aSrEGGJQLu0KQ+wKsYXsesB17hCig4eMkhXjE9R9ZGwSibv\nCIrShAPIWgEIMOHND20gKwywnJePHP6yzBXI6b2rCbRHppL9xjH3EI+ETjj6Lf0U\n+yBI4DneyPacOrabQdZmisaV6NdYJVhaTTmT47rvOwL2zvFfwUnn9yPGqKUhu0Aa\nZLddI9OQA23AxnH2opddrW/5WzVt02ii+0DBSOtRxQ+bYrd8GWFnCC/sZbI9YkFa\nHK7js9J2kUTuDbkwE6/zvzlRj8YHsdkimycL2bbs4zRa5bQpuFqmD3XNqpDU4sgN\nnhGEsoYd3T/Kt/rWF6D+eCPgaOEyKzePaoZH29MKoapXniTz/5ZJLpvrg3hoO6Pv\ndxe8TOsCNAXFHEmZ8/pR68x756Rq2sBLy/AyyIoUpzbPyKrsO2+w8vWLSgCZ1bLS\nWAGGoumywz8thnvXG/pNgE41ytTUH8nFSugsYv/wYVxEgckEENQ+P/tvk90VyZYm\n47l/Wkm2ebyjARVCniRHMbPVIPOu28/lGHBSxJWg53mvaIYhmfjyhzA=\n=ZSjd\n-----END PGP MESSAGE-----
sops_pgp__list_1__map_fp=20d2e2b90c6aa179585b6b6b34cafb9db82f1d40
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1

49
secrets/nixos-vps/nginx.yaml Normal file
View File

File diff suppressed because one or more lines are too long

70
secrets/rustic-b2.yaml
View File

@ -9,40 +9,60 @@ sops:
lastmodified: "2023-11-23T20:51:04Z"
mac: ENC[AES256_GCM,data:UQ1EnSQGeURqpafzyS88ZmeEU+QEimWzL1TwzpNtOC7QojaPve05RfiCw7dPZnkH7FJblAkDjHSCrT71f8EQuRSSwLSC9xmQYpihctRGh+0Cg8tY09xUQbHj9TtqJvYj9dOYXj4YfjXpwBr1zts31WlX5tCNSLKVO4Wmx84s1Ic=,iv:G54KDYEs/mJsjyC/CUWmK4QDSY/zw4jseKv6pTZkk/o=,tag:ZO2wo1WccIznidbdXUf8dA==,type:str]
pgp:
- created_at: "2023-11-23T21:08:56Z"
- created_at: "2023-12-18T03:46:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMAwcagTG/Fm6AAQf/bF7ome2n9IP1CCq1q7RuDhEUtgqV3NvgKnUGYezoZQrL
dwe6FIM1gY0v9pItEfntRBCUQZ5pEtMGUrcJ3RidlLZZar4WUFONqQQPRBq3/tGC
m763Gz9jOFBilqDQ7tzEaZ3zHZHZ0ypEY0VzEUlO7uHWwPP6tFuAG4GWWxf72KeR
ys+fR0tW0ghjDWyxaoRoT9yDdnuLZOWRwVSN7SaBm4hhuQjVkffmghrLge25mXd+
ixmYw+FKg/UaZFz+UpoGhYunDt+kb13mmc2yg2q/OBe8oVjZucD1dBgaMqvLXkpl
vzG6m8TiZ3la5MvNh+z8L5aeIKg41+S1e1v1EtYaxdJYAcr1ewYs5DrbB+XfF2QP
Oe90qki5W1jKvxruOM/ljSfDIjpzEq/9mCZk7R5oIn1SZP2iBk8DgC03sC5O9KDH
g0f9ZxJrFnxUsq8yDoXtmqRytyywMbH6dw==
=vWso
hQEMAwcagTG/Fm6AAQf/Qx0seTeR0SzvNGgC159nPX+iM6zO6GfVPyq2DYlzPBav
roF+g6mT+3j7d7IC38MigyNlAtHYehIxjpJsxOTqa7FeENaiB6A5VCfJAyr6WBYS
l4pha7635j4YqV06R3uPNn1QZHoBFrYJUha8CYhUXXHE+RNs5jviVx8YrGU1HIbP
C1JFNK3xQjHi3UlYfy1goPPZ1F1gJb5oNLPEM1AZEuOwNJPkIyKzfmt96VsbWujA
4a5zha606K8AElp1uhtsTco5sWrw9I3FNR59W3VRXdYDrriXIWSSUNbwU2RZuFVK
fpRt5o+iLsZoSS6xwHhTOFic+wFsyqmFtiKp5bs1DdJYAU81dl3PTsFY4DSsncWD
+4TWmGXIf4QIvIkMiYPf+2x4ztJJTsrPuVbnl2hJe5R1FbxQxg5wfUaTeNbnH/5J
AslH++tb+o42OCg08ZFU/Tg3s8LawNWXdw==
=2kxp
-----END PGP MESSAGE-----
fp: ad382d058c964607b7bbf01b071a8131bf166e80
- created_at: "2023-11-23T21:08:56Z"
- created_at: "2023-12-18T03:46:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAyNex7x1cALKARAAoMGMnpzYVGnD71dBlrfMVLY3aZ+0v0hpjzPiGMkc4P43
9h4GuHdFffhl/02DkmEy6+pzfCi/LUj2TN6ZawymjaaDc/j3mfFzqgnbQwUGino4
b+eiw4Ou5fLGPtEqDx0yDziHGzZj25q707uzmomd7M0KrXGW7MYZmlQ758pzaen9
0z4dqKnPpN4b9tleza3pcHFPKJxia+6acCkr7nPJWMqGTZ4H2+vJRSK+yy9Yuo2j
pXY3b/h0QQxT8TfwQ9i/rfAIpWeT3Dkr/hg2Xm10/mXp3JoN4l9mvADH7C0AGC8o
OJI2euxSjJgNdVLR/NUOIosfEuadxGNUk2CM7CyOxmau1i1r7w9sb2nHTGIcTe38
k7bAA38sPDVAruGJoifyFB7sh+A9s8egwqUa1IsXLKLbEoa4plEO+TEqopZNrKPd
7k3x9c/58yLtUfNDkrQcsL9ihYpQ58xHHX60YWJNPdyQB/8R3nk4vGtIe1railol
92jom/Olfu/DBXt5ZK3riCI5CKv99iftHXUUYiolFobs3R05ZKTkX7eQUTcRoEwm
TQ2wCRYbIt7FDjALuM5UOVI9COKZ6+OV2yP8pzJaI4hlJlnjxVVkCaOJF+tlJbD0
gcPbwi9drry0Dqanb74WQFOxjit/e79kMo2ZZAoY+ICGeH3WC6R6mMCY9Zps+lTS
WAFhB0aNaW+H8MootlQzYfs27wDF5Vmj8aWPStVPqwXJlIICFyQUSlWT+Hgw3cJM
khfEh2JsIW6qpypmXJ+LMDp4lOmXh1UD1Pnklcu+gSNT7d3TnsY+BPs=
=bKVR
hQIMAyNex7x1cALKAQ/8D50TIw2O6twaO44mLPW9dmIkJ/GiPjZp+S5+jrlCI12N
vIDl+MWooesawOR9OrHFH21j9ev6/HplNCX7hupwnBa5KEtdAA+SPBUAySBQiWMk
f3SGiJ8zFkOmjeO/Fy8bQmt5j445SxRluZB3ZCbdKItOb5unP3fOZZRA+MPlHf2O
GyBJm9kDtqBJxmm6JWhvUzQVRZMyR5Nt9c7QUDPLxGFXS+s32eT9zVhkIiVBFXOs
WmkAVJCoQGs/7YqBdfxPAWGHZfEcgZw6y4m+qVEjGjJLYz4wcH5oSFKoLQtQmcXc
V22nu2F+HRzJ3TgB1s7BMjbEwwX1cPsiQCNBUVtC8mL7P70Rby7gr6TDRoIogO9h
ffv5vCodcDv6nMSjl3E4a7FFAqN+H+H7pFOBdQNnAFpdGVKR3LlyEzXlViUCjsG5
gEa904DgFE9F6znjhnvoWOcL0xvz55mMfaGnln1QSXK5IF27cDGwf2QO6kd7DCuP
DkrkvzfVSM1OsIfN7U3BQosIPpGsx2XFYSQhSCBfsTMdsg39kuhVMM5awAREmPFh
VmsWBllqPP2xYOL9PbFVAHRXEs1f1GE2RD2VVpPtIQo4qoHPYvlSm/1eRqItgwN6
m7GFKfU3MrJ/hqqlex+DxROecxv8b1dPtBnd17UUVSQ51MmGyeBtZE9vv+lrqGzS
WAHz+4uenFiIj27KhXhSrRGxA4RIyZ1x64rOF8dh7vEwgcSjLkZ8wHgGCHXAR6/X
ReEXlRYZ05a0R/SKnfUo6FEH/eaERQzH2TY1V6KIJKsfRij8At+R+Bg=
=fR0e
-----END PGP MESSAGE-----
fp: d286fd9431753cb455537070235ec7bc757002ca
- created_at: "2023-12-18T03:46:49Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAzTK+524Lx1AARAAtL+t7jpuowt0inwTSojEdg+AocUdLopI222jst190Fy0
b4JfEtx8VRwJ4CIbyTqasKpKzVdzVaQXM+YnITrvxupIC+RIbUXQDjrpt+Ze9eLh
JFhKh9SDGJ4PTM6dfx/crjvMX9V0yufAEltFY3MRyA0zUIXoehh0TNLMX6DA9S5P
MalJfDXaPQtzBN3bNUCVVlKjX9Tp/BA6Ukow5WjAd4kGEgcGC0i1Z05gpftAdxtN
2wrwK14jVhoJpeeFrtwP/AHnvSKiy0HzP2qddJFMN2pqLbnB9uYYIWT4DCGt+OxE
GHaDjOwTg53Xg1fTb8eouOafXLxf8XfI2JQdX7FDAK68pHiOC/uZ6Dc5IvgvUjLP
b6BrAPmPeeKkWVR9D8LqyWrHwL9KJSEV+tVc2+o+YgWVPX4wtyWz4rYqus7e0TAF
PQBOOA1VgG033YCMtaYlSeFKhkmAfKgVpfrqfa8JC1M3x7pEIf04sVDiTeeY06rd
uzg/5ioQxwmtsI9M2Ns01NUL7w12TCli61Hl75MnxY9evLEDWIdyvuT1mRvhFNuL
ZMMae4rHrH09UZSiVGSAyhE7gDVeyggrQg/ZCIY38OQ7VVvwVAfZsMUak4SoRZwy
g94Id1NCxwTAKfrNv/97AmAFyr4af8OZZB74uhU78C2lWmKX2xSbymqSXwY/rrTS
WAGYGu0je07QYBVvUH44b8yHwegYRZpAU7JlIuDhyl6WlgadAOT4GP5YxRQVDMjG
waiPRGD3KECFhYW/4DzFD0jaD/nuzROKZiqTMRqKKt90NV1IBl1GmdE=
=Bnwr
-----END PGP MESSAGE-----
fp: 20d2e2b90c6aa179585b6b6b34cafb9db82f1d40
unencrypted_suffix: _unencrypted
version: 3.8.1