From 447778eb46bafd81477e66857f828b3d09ebaf31 Mon Sep 17 00:00:00 2001 
From: William Date: Mon, 3 Nov 2025 11:13:56 -0300 Subject: [PATCH 01/48] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/2f0f812f69f3eb4140157fe15e12739adf82e32a?narHash=sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L%2BVSybPfiIgzU8lbQ%3D' (2025-10-19) → 'github:ryantm/agenix/9ba0d85de3eaa7afeab493fed622008b6e4924f5?narHash=sha256-lsNWuj4Z%2BpE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94%3D' (2025-10-28) • Updated input 'disko/nixpkgs': 'github:NixOS/nixpkgs/a7fc11be66bdfb5cdde611ee5ce381c183da8386?narHash=sha256-QoJjGd4NstnyOG4mm4KXF%2BweBzA2AH/7gn1Pmpfcb0A%3D' (2025-10-31) → 'github:NixOS/nixpkgs/dab3a6e781554f965bde3def0aa2fda4eb8f1708?narHash=sha256-lFNVsu/mHLq3q11MuGkMhUUoSXEdQjCHvpReaGP1S2k%3D' (2025-07-15) • Updated input 'flake-parts': 'github:hercules-ci/flake-parts/864599284fc7c0ba6357ed89ed5e2cd5040f0c04?narHash=sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4%3D' (2025-10-20) → 'github:hercules-ci/flake-parts/0010412d62a25d959151790968765a70c436598b?narHash=sha256-z5PlZ47j50VNF3R%2BIMS9LmzI5fYRGY/Z5O5tol1c9I4%3D' (2025-11-01) • Updated input 'flake-parts/nixpkgs-lib': 'github:nix-community/nixpkgs.lib/a73b9c743612e4244d865a2fdee11865283c04e6?narHash=sha256-x2rJ%2BOvzq0sCMpgfgGaaqgBSwY%2BLST%2BWbZ6TytnT9Rk%3D' (2025-08-10) → 'github:nix-community/nixpkgs.lib/719359f4562934ae99f5443f20aa06c2ffff91fc?narHash=sha256-b0yj6kfvO8ApcSE%2BQmA6mUfu8IYG6/uU28OFn4PaC8M%3D' (2025-10-29) • Updated input 'home-manager': 'github:nix-community/home-manager/189c21cf879669008ccf06e78a553f17e88d8ef0?narHash=sha256-nZh6uvc71nVNaf/y%2BwesnjwsmJ6IZZUnP2EzpZe48To%3D' (2025-10-20) → 'github:nix-community/home-manager/8c824254b1ed9e797f6235fc3c62f365893c561a?narHash=sha256-I%2B8yE5HVR2SFcHnW0771psQ/zn0qVzsKHY/gUM0nEVM%3D' (2025-11-03) • Updated input 'niri-flake': 
'github:sodiboo/niri-flake/f851a923137c0a54719412146fd63d24b3214e60?narHash=sha256-E2ySTu/oK7cYBdAI3tlGP9zVjF4mZgWJ1OZInBCMb00%3D' (2025-10-20) → 'github:sodiboo/niri-flake/df17789929ac80f4157b15724450db6a303a6dc9?narHash=sha256-U3SDbk7tIwLChpvb3FL66o8V0byaQ2RGMiy/3oLdxTI%3D' (2025-11-03) • Updated input 'niri-flake/niri-unstable': 'github:YaLTeR/niri/b3245b81a6ed8edfaf5388a74d2e0a23c24941e5?narHash=sha256-KbM47vD6E0cx%2Bv4jYQZ8mD5N186AKm2CQlyh34TW58U%3D' (2025-10-20) → 'github:YaLTeR/niri/a2ca2b3c866bc781b12c334a9f949b3db6d7c943?narHash=sha256-anRlNG6t7esBbF1%2BALDeathVBSclA0PEL52Vo0WnN5g%3D' (2025-11-03) • Updated input 'niri-flake/nixpkgs': 'github:NixOS/nixpkgs/5e2a59a5b1a82f89f2c7e598302a9cacebb72a67?narHash=sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs%3D' (2025-10-19) → 'github:NixOS/nixpkgs/2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15?narHash=sha256-kJ8lIZsiPOmbkJypG%2BB5sReDXSD1KGu2VEPNqhRa/ew%3D' (2025-10-31) • Updated input 'niri-flake/nixpkgs-stable': 'github:NixOS/nixpkgs/33c6dca0c0cb31d6addcd34e90a63ad61826b28c?narHash=sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0%3D' (2025-10-19) → 'github:NixOS/nixpkgs/3de8f8d73e35724bf9abef41f1bdbedda1e14a31?narHash=sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo%3D' (2025-11-01) • Updated input 'niri-flake/xwayland-satellite-unstable': 'github:Supreeeme/xwayland-satellite/a9188e70bd748118b4d56a529871b9de5adb9988?narHash=sha256-0pkftKs6/LReNvxw7DVTN2AJEheZVgyeK0Aarbagi70%3D' (2025-10-05) → 'github:Supreeeme/xwayland-satellite/0728d59ff6463a502e001fb090f6eb92dbc04756?narHash=sha256-fBrUszJXmB4MY%2Bwf3QsCnqWHcz7u7fLq0QMAWCltIQg%3D' (2025-10-28) • Updated input 'nix-index-database': 'github:nix-community/nix-index-database/5024e1901239a76b7bf94a4cd27f3507e639d49e?narHash=sha256-xmU8kAsRprJiTGBTaGrwmjBP3AMA9ltlrxHKFuy5JWc%3D' (2025-10-19) → 'github:nix-community/nix-index-database/359ff6333a7b0b60819d4c20ed05a3a1f726771f?narHash=sha256-Pu1v3mlFhRzZiSxVHb2/i/f5yeYyRNqr0RvEUJ4UgHo%3D' (2025-11-02) • Updated 
input 'nixos-cli': 'github:nix-community/nixos-cli/c8f5ce1fd9bf151df74328795b6b2720e2e22d75?narHash=sha256-N%2BF4n1WYE3AWc/kmdqIz67GNX7PgyKosnmGYYx8vR9k%3D' (2025-10-19) → 'github:nix-community/nixos-cli/5c259f72ae1eaa00b99354d81130d8fddb7f9a7a?narHash=sha256-IUm2nkbKlDkG94ruTmIYLERpBn6gXydm3scZIKzpcKs%3D' (2025-11-01) • Updated input 'nixos-cli/flake-compat': 'github:edolstra/flake-compat/9100a0f413b0c601e0533d1d94ffd501ce2e7885?narHash=sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX%2BfjA8Xf8PUmqCY%3D' (2025-05-12) → 'github:edolstra/flake-compat/f387cd2afec9419c8ee37694406ca490c3f34ee5?narHash=sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4%3D' (2025-10-27) • Updated input 'nixos-cli/nixpkgs': 'github:NixOS/nixpkgs/647e5c14cbd5067f44ac86b74f014962df460840?narHash=sha256-JVZl8NaVRYb0%2B381nl7LvPE%2BA774/dRpif01FKLrYFQ%3D' (2025-09-28) → 'github:NixOS/nixpkgs/a7fc11be66bdfb5cdde611ee5ce381c183da8386?narHash=sha256-QoJjGd4NstnyOG4mm4KXF%2BweBzA2AH/7gn1Pmpfcb0A%3D' (2025-10-31) • Updated input 'nixpkgs': 'github:nixos/nixpkgs/5e2a59a5b1a82f89f2c7e598302a9cacebb72a67?narHash=sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs%3D' (2025-10-19) → 'github:nixos/nixpkgs/2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15?narHash=sha256-kJ8lIZsiPOmbkJypG%2BB5sReDXSD1KGu2VEPNqhRa/ew%3D' (2025-10-31) • Updated input 'nixpkgs-stable': 'github:nixos/nixpkgs/33c6dca0c0cb31d6addcd34e90a63ad61826b28c?narHash=sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0%3D' (2025-10-19) → 'github:nixos/nixpkgs/3de8f8d73e35724bf9abef41f1bdbedda1e14a31?narHash=sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo%3D' (2025-11-01) • Updated input 'noctalia': 'github:noctalia-dev/noctalia-shell/c3439b262c7cb3d57c93197a93a3aa382582bdae?narHash=sha256-XAs/Q4zBJIfK/bwq9KjTUkTH15A%2BPe2rIilyvalEHuM%3D' (2025-10-23) → 'github:noctalia-dev/noctalia-shell/5ca5aa602f58a8e0e73fedbef351f1cdf8cbe981?narHash=sha256-gHfzrTDSnNC5yRJwkZfP55fPHUc8DuB4OQEIBSQSs18%3D' (2025-11-03) • Updated input 'noctalia/quickshell': 
'git+https://git.outfoxxed.me/outfoxxed/quickshell?ref=refs/heads/master&rev=a5431dd02dc23d9ef1680e67777fed00fe5f7cda' (2025-07-27) → 'git+https://git.outfoxxed.me/outfoxxed/quickshell?ref=refs/heads/master&rev=db1777c20b936a86528c1095cbcb1ebd92801402' (2025-10-30) • Updated input 'stylix': 'github:danth/stylix/8d008296a1b3be9b57ad570f7acea00dd2fc92db?narHash=sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx%2BMUkuE%2BE%3D' (2025-10-14) → 'github:danth/stylix/8c0640d5722a02178c8ee80a62c5f019cab4b3c1?narHash=sha256-wGiL2K3kAyBBmIZpJEskaSIgyzzpg0zwfvri%2BSy6/CI%3D' (2025-11-02) • Updated input 'terranix': 'github:terranix/terranix/924573fa6587ac57b0d15037fbd2d3f0fcdf17fb?narHash=sha256-hTMi6oGU%2B6VRnW9SZZ%2BmuFcbfMEf2ajjOp7Z2KM5MMY%3D' (2025-09-07) → 'github:terranix/terranix/a79a47b4617dfb92184e2e5b8f5aa6fc06c659c8?narHash=sha256-J1L1yP29NVBJO04LA/JGM6kwhnjeNhEsX0tLFnuN3FI%3D' (2025-11-03) • Updated input 'zen-browser': 'github:0xc000022070/zen-browser-flake/596c3ac14be576b93f5db9252a1b0581e453ec9f?narHash=sha256-RehxVjBRC9EiBO36EPZROLHhVVSWFe3KEROhaEapboM%3D' (2025-10-20) → 'github:0xc000022070/zen-browser-flake/10e69cb268b1d3dc91135e72f5462b2acfbcc3aa?narHash=sha256-sIPhzkDrfe6ptthZiwoxQyO6rKd9PgJnl%2BLOyythQkI%3D' (2025-11-03) --- flake.lock | 128 ++++++++++++++++++++++++++--------------------------- 1 file changed, 64 insertions(+), 64 deletions(-) diff --git a/flake.lock b/flake.lock index 5993cdf..429e817 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1760836749, - "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=", + "lastModified": 1761656077, + "narHash": "sha256-lsNWuj4Z+pE7s0bd2OKicOFq9bK86JE0ZGeKJbNqb94=", "owner": "ryantm", "repo": "agenix", - "rev": "2f0f812f69f3eb4140157fe15e12739adf82e32a", + "rev": "9ba0d85de3eaa7afeab493fed622008b6e4924f5", "type": "github" }, "original": { 
@@ -186,11 +186,11 @@ "flake-compat_2": { "flake": false, "locked": { - "lastModified": 1747046372, - "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=", + "lastModified": 1761588595, + "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=", "owner": "edolstra", "repo": "flake-compat", - "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", "type": "github" }, "original": { @@ -204,11 +204,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1760948891, - "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=", + "lastModified": 1762040540, + "narHash": "sha256-z5PlZ47j50VNF3R+IMS9LmzI5fYRGY/Z5O5tol1c9I4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04", + "rev": "0010412d62a25d959151790968765a70c436598b", "type": "github" }, "original": { @@ -338,11 +338,11 @@ ] }, "locked": { - "lastModified": 1760929667, - "narHash": "sha256-nZh6uvc71nVNaf/y+wesnjwsmJ6IZZUnP2EzpZe48To=", + "lastModified": 1762178366, + "narHash": "sha256-I+8yE5HVR2SFcHnW0771psQ/zn0qVzsKHY/gUM0nEVM=", "owner": "nix-community", "repo": "home-manager", - "rev": "189c21cf879669008ccf06e78a553f17e88d8ef0", + "rev": "8c824254b1ed9e797f6235fc3c62f365893c561a", "type": "github" }, "original": { @@ -418,11 +418,11 @@ "xwayland-satellite-unstable": "xwayland-satellite-unstable" }, "locked": { - "lastModified": 1760950171, - "narHash": "sha256-E2ySTu/oK7cYBdAI3tlGP9zVjF4mZgWJ1OZInBCMb00=", + "lastModified": 1762152856, + "narHash": "sha256-U3SDbk7tIwLChpvb3FL66o8V0byaQ2RGMiy/3oLdxTI=", "owner": "sodiboo", "repo": "niri-flake", - "rev": "f851a923137c0a54719412146fd63d24b3214e60", + "rev": "df17789929ac80f4157b15724450db6a303a6dc9", "type": "github" }, "original": { 
@@ -451,11 +451,11 @@ "niri-unstable": { "flake": false, "locked": { - "lastModified": 1760940149, - "narHash": "sha256-KbM47vD6E0cx+v4jYQZ8mD5N186AKm2CQlyh34TW58U=", + "lastModified": 1762146685, + "narHash": "sha256-anRlNG6t7esBbF1+ALDeathVBSclA0PEL52Vo0WnN5g=", "owner": "YaLTeR", "repo": "niri", - "rev": "b3245b81a6ed8edfaf5388a74d2e0a23c24941e5", + "rev": "a2ca2b3c866bc781b12c334a9f949b3db6d7c943", "type": "github" }, "original": { @@ -487,11 +487,11 @@ ] }, "locked": { - "lastModified": 1760846226, - "narHash": "sha256-xmU8kAsRprJiTGBTaGrwmjBP3AMA9ltlrxHKFuy5JWc=", + "lastModified": 1762055842, + "narHash": "sha256-Pu1v3mlFhRzZiSxVHb2/i/f5yeYyRNqr0RvEUJ4UgHo=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "5024e1901239a76b7bf94a4cd27f3507e639d49e", + "rev": "359ff6333a7b0b60819d4c20ed05a3a1f726771f", "type": "github" }, "original": { @@ -528,11 +528,11 @@ "nixpkgs": "nixpkgs_6" }, "locked": { - "lastModified": 1760856139, - "narHash": "sha256-N+F4n1WYE3AWc/kmdqIz67GNX7PgyKosnmGYYx8vR9k=", + "lastModified": 1761970410, + "narHash": "sha256-IUm2nkbKlDkG94ruTmIYLERpBn6gXydm3scZIKzpcKs=", "owner": "nix-community", "repo": "nixos-cli", - "rev": "c8f5ce1fd9bf151df74328795b6b2720e2e22d75", + "rev": "5c259f72ae1eaa00b99354d81130d8fddb7f9a7a", "type": "github" }, "original": { @@ -559,11 +559,11 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1754788789, - "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=", + "lastModified": 1761765539, + "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a73b9c743612e4244d865a2fdee11865283c04e6", + "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc", "type": "github" }, "original": { 
@@ -574,11 +574,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1760862643, - "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=", + "lastModified": 1761999846, + "narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c", + "rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31", "type": "github" }, "original": { @@ -590,11 +590,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1760862643, - "narHash": "sha256-PXwG0TM7Ek87DNx4LbGWuD93PbFeKAJs4FfALtp7Wo0=", + "lastModified": 1761999846, + "narHash": "sha256-IYlYnp4O4dzEpL77BD/lj5NnJy2J8qbHkNSFiPBCbqo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "33c6dca0c0cb31d6addcd34e90a63ad61826b28c", + "rev": "3de8f8d73e35724bf9abef41f1bdbedda1e14a31", "type": "github" }, "original": { @@ -606,11 +606,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1761880412, - "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", + "lastModified": 1752596105, + "narHash": "sha256-lFNVsu/mHLq3q11MuGkMhUUoSXEdQjCHvpReaGP1S2k=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386", + "rev": "dab3a6e781554f965bde3def0aa2fda4eb8f1708", "type": "github" }, "original": { @@ -638,11 +638,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1760878510, - "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=", + "lastModified": 1761907660, + "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67", + "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15", "type": "github" }, "original": { 
@@ -670,11 +670,11 @@ }, "nixpkgs_6": { "locked": { - "lastModified": 1759070547, - "narHash": "sha256-JVZl8NaVRYb0+381nl7LvPE+A774/dRpif01FKLrYFQ=", + "lastModified": 1761880412, + "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "647e5c14cbd5067f44ac86b74f014962df460840", + "rev": "a7fc11be66bdfb5cdde611ee5ce381c183da8386", "type": "github" }, "original": { @@ -686,11 +686,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1760878510, - "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=", + "lastModified": 1761907660, + "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67", + "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15", "type": "github" }, "original": { @@ -741,11 +741,11 @@ "systems": "systems_4" }, "locked": { - "lastModified": 1761190730, - "narHash": "sha256-XAs/Q4zBJIfK/bwq9KjTUkTH15A+Pe2rIilyvalEHuM=", + "lastModified": 1762156721, + "narHash": "sha256-gHfzrTDSnNC5yRJwkZfP55fPHUc8DuB4OQEIBSQSs18=", "owner": "noctalia-dev", "repo": "noctalia-shell", - "rev": "c3439b262c7cb3d57c93197a93a3aa382582bdae", + "rev": "5ca5aa602f58a8e0e73fedbef351f1cdf8cbe981", "type": "github" }, "original": { @@ -787,11 +787,11 @@ ] }, "locked": { - "lastModified": 1753595452, - "narHash": "sha256-vqkSDvh7hWhPvNjMjEDV4KbSCv2jyl2Arh73ZXe274k=", + "lastModified": 1761821581, + "narHash": "sha256-nLuc6jA7z+H/6bHPEBSOYPbz7RtvNCZiTKmYItJuBmM=", "ref": "refs/heads/master", - "rev": "a5431dd02dc23d9ef1680e67777fed00fe5f7cda", - "revCount": 665, + "rev": "db1777c20b936a86528c1095cbcb1ebd92801402", + "revCount": 699, "type": "git", "url": "https://git.outfoxxed.me/outfoxxed/quickshell" }, 
@@ -883,11 +883,11 @@ "tinted-zed": "tinted-zed" }, "locked": { - "lastModified": 1760472212, - "narHash": "sha256-4C3I/ssFsq8EgaUmZP0xv5V7RV0oCHgL/Rx+MUkuE+E=", + "lastModified": 1762101397, + "narHash": "sha256-wGiL2K3kAyBBmIZpJEskaSIgyzzpg0zwfvri+Sy6/CI=", "owner": "danth", "repo": "stylix", - "rev": "8d008296a1b3be9b57ad570f7acea00dd2fc92db", + "rev": "8c0640d5722a02178c8ee80a62c5f019cab4b3c1", "type": "github" }, "original": { @@ -995,11 +995,11 @@ "systems": "systems_6" }, "locked": { - "lastModified": 1757278723, - "narHash": "sha256-hTMi6oGU+6VRnW9SZZ+muFcbfMEf2ajjOp7Z2KM5MMY=", + "lastModified": 1762161791, + "narHash": "sha256-J1L1yP29NVBJO04LA/JGM6kwhnjeNhEsX0tLFnuN3FI=", "owner": "terranix", "repo": "terranix", - "rev": "924573fa6587ac57b0d15037fbd2d3f0fcdf17fb", + "rev": "a79a47b4617dfb92184e2e5b8f5aa6fc06c659c8", "type": "github" }, "original": { @@ -1127,11 +1127,11 @@ "xwayland-satellite-unstable": { "flake": false, "locked": { - "lastModified": 1759707084, - "narHash": "sha256-0pkftKs6/LReNvxw7DVTN2AJEheZVgyeK0Aarbagi70=", + "lastModified": 1761622056, + "narHash": "sha256-fBrUszJXmB4MY+wf3QsCnqWHcz7u7fLq0QMAWCltIQg=", "owner": "Supreeeme", "repo": "xwayland-satellite", - "rev": "a9188e70bd748118b4d56a529871b9de5adb9988", + "rev": "0728d59ff6463a502e001fb090f6eb92dbc04756", "type": "github" }, "original": { @@ -1146,11 +1146,11 @@ "nixpkgs": "nixpkgs_9" }, "locked": { - "lastModified": 1760934351, - "narHash": "sha256-RehxVjBRC9EiBO36EPZROLHhVVSWFe3KEROhaEapboM=", + "lastModified": 1762131860, + "narHash": "sha256-sIPhzkDrfe6ptthZiwoxQyO6rKd9PgJnl+LOyythQkI=", "owner": "0xc000022070", "repo": "zen-browser-flake", - "rev": "596c3ac14be576b93f5db9252a1b0581e453ec9f", + "rev": "10e69cb268b1d3dc91135e72f5462b2acfbcc3aa", "type": "github" }, "original": { From fe091504d08430563e0e6c42678ea991df2e3656 Mon Sep 17 00:00:00 2001 
From: William
Date: Mon, 3 Nov 2025 12:34:40 -0300
Subject: [PATCH 02/48] openssh greeting fixes

---
 hosts/alexandria/nextcloud.nix    |  7 ++++++-
 hosts/modules/common/openssh.nix  |  8 +++-----
 hosts/modules/common/programs.nix | 12 +++++++++++-
 users/modules/common/fish.nix     |  5 ++++-
 4 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/hosts/alexandria/nextcloud.nix b/hosts/alexandria/nextcloud.nix
index 68d4875..9e606d9 100644
--- a/hosts/alexandria/nextcloud.nix
+++ b/hosts/alexandria/nextcloud.nix
@@ -24,7 +24,12 @@ in
       database.createLocally = true;
       maxUploadSize = "16G";
       extraApps = {
-        inherit (config.services.nextcloud.package.packages.apps) calendar contacts notes;
+        inherit (config.services.nextcloud.package.packages.apps)
+          calendar
+          contacts
+          notes
+          tasks
+          ;
       };
       extraAppsEnable = true;
       caching = {
diff --git a/hosts/modules/common/openssh.nix b/hosts/modules/common/openssh.nix
index 63422b3..df70bdd 100644
--- a/hosts/modules/common/openssh.nix
+++ b/hosts/modules/common/openssh.nix
@@ -4,10 +4,8 @@
   services.openssh = {
     enable = true;
     settings.PermitRootLogin = "no";
+    extraConfig = ''
+      PrintLastLog no
+    '';
   };
-  programs.fish.interactiveShellInit = ''
-    if set -q SSH_CONNECTION
-      neofetch
-    end
-  '';
 }
diff --git a/hosts/modules/common/programs.nix b/hosts/modules/common/programs.nix
index be57b69..fd10953 100644
--- a/hosts/modules/common/programs.nix
+++ b/hosts/modules/common/programs.nix
@@ -25,6 +25,16 @@
 
   programs = {
     command-not-found.enable = false;
-    fish.enable = true;
+    fish = {
+      enable = true;
+      interactiveShellInit = ''
+        set fish_greeting
+        if set -q SSH_CONNECTION
+          export TERM=xterm-256color
+          clear
+          fastfetch
+        end
+      '';
+    };
   };
 }
diff --git a/users/modules/common/fish.nix b/users/modules/common/fish.nix
index d95db24..c753297 100644
--- a/users/modules/common/fish.nix
+++ b/users/modules/common/fish.nix
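Review bot: `PrintLastLog no` in the new `extraConfig` of hosts/modules/common/openssh.nix suppresses the "Last login: … from …" banner, which is one of the few cheap signals an interactive user has that someone else has used their key or password, so a greeting tidy-up is trading away a little account-compromise visibility on every host this common module reaches. If the line stays, record the trade-off beside it: `# Hide the "Last login" banner for the custom greeting; this also removes a cheap unauthorised-login signal for users`. Since `settings.PermitRootLogin` is already used two lines up, the same directive can most likely be expressed as `settings.PrintLastLog = false;` instead of free-text `extraConfig`, keeping every sshd option in one attribute set that is easy to audit — worth confirming that the freeform `settings` on your nixpkgs pin renders booleans as yes/no.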
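Review bot: `export TERM=xterm-256color` in the new `interactiveShellInit` of hosts/modules/common/programs.nix overwrites whatever TERM the SSH client advertised, so a client whose terminfo really does differ (foot, kitty, tmux-256color, …) gets wrong key and colour handling for the whole session just so that `fastfetch` renders. Override only when the advertised terminfo cannot be resolved, which keeps the fix without the regression: `if not infocmp $TERM >/dev/null 2>&1; set -gx TERM xterm-256color; end` — assuming `infocmp` (ncurses) is on the PATH of these hosts, otherwise test for the terminfo file directly. A one-line comment on why the override exists would also help the next reader, since nothing in the hunk says which client prompted it.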
@@ -3,7 +3,10 @@
 {
   programs.fish = {
     enable = true;
-    interactiveShellInit = "${lib.getExe pkgs.nix-your-shell} fish | source";
+    interactiveShellInit = ''
+      set fish_greeting
+      ${lib.getExe pkgs.nix-your-shell} fish | source
+    '';
     loginShellInit = "${lib.getExe pkgs.nix-your-shell} fish | source";
     plugins = [
       {

From 4622f2b299704e0458c48c69a27410ba39bd228e Mon Sep 17 00:00:00 2001
From: William
Date: Mon, 3 Nov 2025 16:42:18 -0300
Subject: [PATCH 03/48] fix trantor disko config

---
 disko/trantor.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/disko/trantor.nix b/disko/trantor.nix
index db1397e..0791308 100644
--- a/disko/trantor.nix
+++ b/disko/trantor.nix
@@ -27,8 +27,7 @@
             name = "root";
             size = "100%";
             content = {
-              type = "filesystem";
-              format = "btrfs";
+              type = "btrfs";
               extraArgs = [ "-f" ];
               subvolumes = {
                 "@root" = {

From f5f1541aec620f879d7b1768d0b1e18abf96cb0a Mon Sep 17 00:00:00 2001
From: William
Date: Mon, 3 Nov 2025 17:19:21 -0300
Subject: [PATCH 04/48] fixing trantor

---
 hosts/io/hardware-configuration.nix      | 5 ++---
 hosts/trantor/boot.nix                   | 5 ++++-
 hosts/trantor/hardware-configuration.nix | 7 ++++---
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/hosts/io/hardware-configuration.nix b/hosts/io/hardware-configuration.nix
index cb114a1..a17fe24 100644
--- a/hosts/io/hardware-configuration.nix
+++ b/hosts/io/hardware-configuration.nix
@@ -2,15 +2,14 @@
   config,
   lib,
   modulesPath,
-  self,
+  inputs,
   ...
 }:
 
 {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
-    self.diskoConfigurations.io
-  ];
+  ] ++ inputs.self.diskoConfigurations.io.modules;
 
   boot = {
     initrd = {
diff --git a/hosts/trantor/boot.nix b/hosts/trantor/boot.nix
index 67ac124..0498818 100644
--- a/hosts/trantor/boot.nix
+++ b/hosts/trantor/boot.nix
@@ -1,3 +1,6 @@
 {
-  boot.initrd.systemd.enable = true;
+  boot = {
+    initrd.systemd.enable = true;
+    loader.efi.efiSysMountPoint = "/boot/efi";
+  };
 }
diff --git a/hosts/trantor/hardware-configuration.nix b/hosts/trantor/hardware-configuration.nix
index 4a9503f..94568f6 100644
--- a/hosts/trantor/hardware-configuration.nix
+++ b/hosts/trantor/hardware-configuration.nix
@@ -1,15 +1,16 @@
 {
   lib,
   modulesPath,
-  self,
+  inputs,
   ...
 }:
 
 {
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
-    self.diskoConfigurations.trantor
-  ];
+    inputs.disko.nixosModules.disko
+  ]
+  ++ inputs.self.diskoConfigurations.trantor.modules;
 
   boot = {
     kernelModules = [ ];

From d6f582fffd2df08649cc609f180f9ed5d619e5cd Mon Sep 17 00:00:00 2001
From: William
Date: Mon, 3 Nov 2025 21:37:03 -0300
Subject: [PATCH 05/48] no diskoConfirations outputs

---
 diskoConfigurations.nix                      | 12 ---------
 flake.nix                                    |  1 -
 disko/io.nix => hosts/io/disko.nix           |  0
 hosts/io/hardware-configuration.nix          |  4 +--
 hosts/modules/ephemeral.nix                  |  2 +-
 disko/trantor.nix => hosts/trantor/disko.nix |  6 ++++-
 hosts/trantor/hardware-configuration.nix     | 26 ++++++--------------
 7 files changed, 14 insertions(+), 37 deletions(-)
 delete mode 100644 diskoConfigurations.nix
 rename disko/io.nix => hosts/io/disko.nix (100%)
 rename disko/trantor.nix => hosts/trantor/disko.nix (90%)

diff --git a/diskoConfigurations.nix b/diskoConfigurations.nix
deleted file mode 100644
index 511eddc..0000000
--- a/diskoConfigurations.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ inputs, ... }:
-
-{
-  imports = [
-    inputs.disko.flakeModule
-  ];
-
-  flake.diskoConfigurations = {
-    io.modules = [ ./disko/io.nix ];
-    trantor.modules = [ ./disko/trantor.nix ];
-  };
-}
diff --git a/flake.nix b/flake.nix
index c9d5076..07d4a02 100644
--- a/flake.nix
+++ b/flake.nix
@@ -62,7 +62,6 @@
       imports = [
         ./deploy.nix
         ./devShells.nix
-        ./diskoConfigurations.nix
         ./homeConfigurations.nix
         ./nixosConfigurations.nix
         ./nixosModules.nix
diff --git a/disko/io.nix b/hosts/io/disko.nix
similarity index 100%
rename from disko/io.nix
rename to hosts/io/disko.nix
diff --git a/hosts/io/hardware-configuration.nix b/hosts/io/hardware-configuration.nix
index a17fe24..8e4dae4 100644
--- a/hosts/io/hardware-configuration.nix
+++ b/hosts/io/hardware-configuration.nix
@@ -7,9 +7,7 @@
 }:
 
 {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ] ++ inputs.self.diskoConfigurations.io.modules;
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
   boot = {
     initrd = {
diff --git a/hosts/modules/ephemeral.nix b/hosts/modules/ephemeral.nix
index 8ed08bc..cad5f41 100644
--- a/hosts/modules/ephemeral.nix
+++ b/hosts/modules/ephemeral.nix
@@ -10,7 +10,7 @@
       enable = true;
       rootDevice =
         if config.networking.hostName == "trantor" then
-          "/dev/disk/by-id/scsi-36067d367fe184830a89bbe708c7b1066"
+          "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20-part2"
         else
           "/dev/mapper/cryptroot";
       rootSubvolume = "@root";
diff --git a/disko/trantor.nix b/hosts/trantor/disko.nix
similarity index 90%
rename from disko/trantor.nix
rename to hosts/trantor/disko.nix
index 0791308..0e47058 100644
--- a/disko/trantor.nix
+++ b/hosts/trantor/disko.nix
@@ -1,7 +1,11 @@
+{ inputs, ... }:
+
 {
+  imports = [ inputs.disko.nixosModules.default ];
+
   disko.devices.disk.main = {
     type = "disk";
-    device = "/dev/disk/by-id/scsi-36067d367fe184830a89bbe708c7b1066";
+    device = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20";
     content = {
       type = "gpt";
       partitions = {
diff --git a/hosts/trantor/hardware-configuration.nix b/hosts/trantor/hardware-configuration.nix
index 94568f6..039129e 100644
--- a/hosts/trantor/hardware-configuration.nix
+++ b/hosts/trantor/hardware-configuration.nix
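Review bot: The new trantor `rootDevice` in hosts/modules/ephemeral.nix hard-codes `scsi-360b207ed25d84372a95d1ecf842f8e20-part2`, duplicating the disk ID that this same commit pins in hosts/trantor/disko.nix and adding an implicit "root is partition 2" assumption that nothing ties back to the disko layout; the ID already had to change once here, and a future mismatch between the two files means whatever this module does to the root device (presumably the ephemeral wipe, judging by the module name and `rootSubvolume = "@root"`) would target the wrong block device. Deriving it from the disko definition removes the duplication: disko labels GPT partitions `disk-<disk>-<partition>` by default, so `"/dev/disk/by-partlabel/disk-main-root"` — or `config.disko.devices.disk.main.device + "-part2"` if you prefer to keep the by-id path — should resolve here; confirm the label with `lsblk -o NAME,PARTLABEL` on the VM before switching. The `if … then … else` enclosing this line is fully inside the hunk, but the consumer of `rootDevice` is not, so I have not checked that it accepts a by-partlabel path.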
@@ -1,30 +1,18 @@
 {
   lib,
   modulesPath,
-  inputs,
   ...
 }:
 
 {
-  imports = [
-    (modulesPath + "/profiles/qemu-guest.nix")
-    inputs.disko.nixosModules.disko
-  ]
-  ++ inputs.self.diskoConfigurations.trantor.modules;
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 
-  boot = {
-    kernelModules = [ ];
-    extraModulePackages = [ ];
-    initrd = {
-      availableKernelModules = [
-        "xhci_pci"
-        "virtio_pci"
-        "virtio_scsi"
-        "usbhid"
-      ];
-      kernelModules = [ ];
-    };
-  };
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "usbhid"
+  ];
 
   networking.useDHCP = lib.mkDefault true;
 

From 97450f0057a4a4e488ba0f79105105e27697d67b Mon Sep 17 00:00:00 2001
From: William
Date: Tue, 4 Nov 2025 08:13:16 -0300
Subject: [PATCH 06/48] no more protonup

---
 hosts/modules/gaming.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/hosts/modules/gaming.nix b/hosts/modules/gaming.nix
index cf6217f..5aef14e 100644
--- a/hosts/modules/gaming.nix
+++ b/hosts/modules/gaming.nix
@@ -6,7 +6,6 @@
     heroic
     mangohud
     prismlauncher
-    protonup
     steam-run
   ];
 

From cb59a911d63f70a6502ffa3e25aee7e2dfb9dd7f Mon Sep 17 00:00:00 2001
From: William
Date: Thu, 6 Nov 2025 19:57:04 -0300
Subject: [PATCH 07/48] added ai tag for desktop hosts

---
 flake.lock              | 151 ++++++++++++++++++++++++++++++++--------
 flake.nix               |   2 +
 hosts/modules/ai.nix    |   9 +++
 hosts/modules/dev.nix   |   1 -
 nixosConfigurations.nix |   2 +
 5 files changed, 136 insertions(+), 29 deletions(-)
 create mode 100644 hosts/modules/ai.nix

diff --git a/flake.lock b/flake.lock
index 429e817..3b994bf 100644
--- a/flake.lock
+++ b/flake.lock
@@ -91,6 +91,28 @@ "type": "github" } }, + "blueprint": { + "inputs": { + "nixpkgs": [ + "nix-ai-tools", + "nixpkgs" + ], + "systems": "systems_3" + }, + "locked": { + "lastModified": 1761645416, + "narHash": "sha256-wTQzbbQ6XHtvNJVuhJj+ytZDRyNtwUKbrIfIvMvKNfQ=", + "owner": "numtide", + "repo": "blueprint", + "rev": "633af1961cae8e02bc6195e6e599a6b09bf75217", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "blueprint", + "type": "github" + } + }, "darwin": { "inputs": { "nixpkgs": [ @@ -261,7 +283,7 @@ }, "flake-utils": { "inputs": { - "systems": "systems_3" + "systems": "systems_4" }, "locked": { "lastModified": 1731533236, @@ -464,6 +486,26 @@ "type": "github" } }, + "nix-ai-tools": { + "inputs": { + "blueprint": "blueprint", + "nixpkgs": "nixpkgs_5", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1762442079, + "narHash": "sha256-aWt5CgOsQiiq+caxF0iqp56kfHRkv8Tnz0X9DhJeBEE=", + "owner": "numtide", + "repo": "nix-ai-tools", + "rev": "aaee8f2df1325c7f212d769515092162bcac31a7", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-ai-tools", + "type": "github" + } + }, "nix-flatpak": { "locked": { "lastModified": 1754777568, @@ -503,7 +545,7 @@ "nix-options-doc": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs_5", + "nixpkgs": "nixpkgs_6", "rust-overlay": "rust-overlay_2" }, "locked": { @@ -525,7 +567,7 @@ "inputs": { "flake-compat": "flake-compat_2", "nix-options-doc": "nix-options-doc", - "nixpkgs": "nixpkgs_6" + "nixpkgs": "nixpkgs_7" }, "locked": { "lastModified": 1761970410, 
@@ -604,6 +646,22 @@ "type": "github" } }, + "nixpkgs_10": { + "locked": { + "lastModified": 1755615617, + "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "20075955deac2583bb12f07151c2df830ef346b4", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1752596105, @@ -653,6 +711,22 @@ } }, "nixpkgs_5": { + "locked": { + "lastModified": 1762111121, + "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_6": { "locked": { "lastModified": 1740695751, "narHash": "sha256-D+R+kFxy1KsheiIzkkx/6L63wEHBYX21OIwlFV8JvDs=", @@ -668,7 +742,7 @@ "type": "github" } }, - "nixpkgs_6": { + "nixpkgs_7": { "locked": { "lastModified": 1761880412, "narHash": "sha256-QoJjGd4NstnyOG4mm4KXF+weBzA2AH/7gn1Pmpfcb0A=", @@ -684,7 +758,7 @@ "type": "github" } }, - "nixpkgs_7": { + "nixpkgs_8": { "locked": { "lastModified": 1761907660, "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=", @@ -700,7 +774,7 @@ "type": "github" } }, - "nixpkgs_8": { + "nixpkgs_9": { "locked": { "lastModified": 1758690382, "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=", 
@@ -716,29 +790,13 @@ "type": "github" } }, - "nixpkgs_9": { - "locked": { - "lastModified": 1755615617, - "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "20075955deac2583bb12f07151c2df830ef346b4", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "noctalia": { "inputs": { "nixpkgs": [ "nixpkgs" ], "quickshell": "quickshell", - "systems": "systems_4" + "systems": "systems_5" }, "locked": { "lastModified": 1762156721, @@ -810,10 +868,11 @@ "impermanence": "impermanence", "niri": "niri", "niri-flake": "niri-flake", + "nix-ai-tools": "nix-ai-tools", "nix-flatpak": "nix-flatpak", "nix-index-database": "nix-index-database", "nixos-cli": "nixos-cli", - "nixpkgs": "nixpkgs_7", + "nixpkgs": "nixpkgs_8", "nixpkgs-stable": "nixpkgs-stable_2", "noctalia": "noctalia", "stylix": "stylix", @@ -873,9 +932,9 @@ "firefox-gnome-theme": "firefox-gnome-theme", "flake-parts": "flake-parts_2", "gnome-shell": "gnome-shell", - "nixpkgs": "nixpkgs_8", + "nixpkgs": "nixpkgs_9", "nur": "nur", - "systems": "systems_5", + "systems": "systems_6", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", @@ -986,13 +1045,28 @@ "type": "github" } }, + "systems_7": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "terranix": { "inputs": { "flake-parts": "flake-parts_3", "nixpkgs": [ "nixpkgs" ], - "systems": "systems_6" + "systems": "systems_7" }, "locked": { "lastModified": 1762161791, 
@@ -1089,6 +1163,27 @@ "type": "github" } }, + "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nix-ai-tools", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1762410071, + "narHash": "sha256-aF5fvoZeoXNPxT0bejFUBXeUjXfHLSL7g+mjR/p5TEg=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "97a30861b13c3731a84e09405414398fbf3e109f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "utils": { "inputs": { "systems": "systems_2" @@ -1143,7 +1238,7 @@ "zen-browser": { "inputs": { "home-manager": "home-manager_3", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1762131860, diff --git a/flake.nix b/flake.nix index 07d4a02..af148c1 100644 --- a/flake.nix +++ b/flake.nix @@ -49,6 +49,8 @@ url = "github:terranix/terranix"; inputs.nixpkgs.follows = "nixpkgs"; }; + + nix-ai-tools.url = "github:numtide/nix-ai-tools"; }; outputs = diff --git a/hosts/modules/ai.nix b/hosts/modules/ai.nix new file mode 100644 index 0000000..ddf4fca --- /dev/null +++ b/hosts/modules/ai.nix @@ -0,0 +1,9 @@ +{ inputs, pkgs, ... }: + +{ + environment.systemPackages = with inputs.nix-ai-tools.packages.${pkgs.system}; [ + claude-desktop + claudebox + opencode + ]; +} diff --git a/hosts/modules/dev.nix b/hosts/modules/dev.nix index 82908f2..c4cca78 100644 --- a/hosts/modules/dev.nix +++ b/hosts/modules/dev.nix @@ -3,7 +3,6 @@ { environment.systemPackages = with pkgs; [ bat - claude-code lazygit fd fzf diff --git a/nixosConfigurations.nix b/nixosConfigurations.nix index ced8851..85fd378 100644 --- a/nixosConfigurations.nix +++ b/nixosConfigurations.nix @@ -10,6 +10,7 @@ in hostname = "rotterdam"; tags = [ "desktop" + "ai" "bluetooth" "dev" "ephemeral" @@ -25,6 +26,7 @@ in hostname = "io"; tags = [ "desktop" + "ai" "bluetooth" "dev" "ephemeral" From 6ec815a7668b8af89d2ff800ecee32253c916cfd Mon Sep 17 00:00:00 2001 
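Review bot: The new `nix-ai-tools.url = "github:numtide/nix-ai-tools";` line in the flake.nix hunk declares the input without `inputs.nixpkgs.follows = "nixpkgs"`, unlike the terranix input directly above it, so it is evaluated against its own pinned nixpkgs; the lock hunks in this patch appear to add exactly that extra tree (a new `nixpkgs_5` entry dated just before this commit, plus a `treefmt-nix` that follows `nix-ai-tools/nixpkgs`). That is a second nixpkgs revision to audit and keep updated, and the packages installed from it in `hosts/modules/ai.nix` will not pick up fixes that land in the main `nixpkgs` input. If the upstream pin is wanted on purpose, say so in a comment; otherwise `nix-ai-tools = { url = "github:numtide/nix-ai-tools"; inputs.nixpkgs.follows = "nixpkgs"; };` matches the rest of the file.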
From: William Date: Thu, 6 Nov 2025 19:59:58 -0300 Subject: [PATCH 08/48] fix disko usage for io --- hosts/io/disko.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/io/disko.nix b/hosts/io/disko.nix index 37f3160..4e6c9d5 100644 --- a/hosts/io/disko.nix +++ b/hosts/io/disko.nix @@ -1,4 +1,8 @@ +{ inputs, ... }: + { + imports = [ inputs.disko.nixosModules.default ]; + disko.devices.disk.main = { type = "disk"; device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689"; From 59cda1884dfd49bed2852fca8ca1af82e1fcfcd3 Mon Sep 17 00:00:00 2001 From: William Date: Fri, 7 Nov 2025 06:17:28 -0300 Subject: [PATCH 09/48] add recipient to oci alert --- terranix/oci/trantor.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/terranix/oci/trantor.nix b/terranix/oci/trantor.nix index 37c12ae..2037d87 100644 --- a/terranix/oci/trantor.nix +++ b/terranix/oci/trantor.nix @@ -229,6 +229,7 @@ threshold = 5; threshold_type = "PERCENTAGE"; display_name = "daily-spend-alert"; + recipients = "baduhai@proton.me"; description = "Alert when daily spending exceeds $0.05"; message = "Daily spending has exceeded $0.05 in the trantor compartment"; }; From 45f89a1663187983364c38e04a1f5c857d21a3bb Mon Sep 17 00:00:00 2001 From: William Date: Fri, 7 Nov 2025 07:15:12 -0300 Subject: [PATCH 10/48] add claude-code back --- hosts/modules/ai.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/modules/ai.nix b/hosts/modules/ai.nix index ddf4fca..e2dd9d2 100644 --- a/hosts/modules/ai.nix +++ b/hosts/modules/ai.nix @@ -3,6 +3,7 @@ { environment.systemPackages = with inputs.nix-ai-tools.packages.${pkgs.system}; [ claude-desktop + claude-code claudebox opencode ]; From d3ef56c724a2eed6b0544e0a01f69ceb33adb70d Mon Sep 17 00:00:00 2001 From: William Date: Fri, 7 Nov 2025 11:55:27 -0300 Subject: [PATCH 11/48] add presenterm to desktops --- hosts/modules/desktop/desktop.nix | 1 + 1 file changed, 1 insertion(+) 
diff --git a/hosts/modules/desktop/desktop.nix b/hosts/modules/desktop/desktop.nix index 5258442..f2418ce 100644 --- a/hosts/modules/desktop/desktop.nix +++ b/hosts/modules/desktop/desktop.nix @@ -35,6 +35,7 @@ libreoffice onlyoffice-desktopeditors papers + presenterm rnote ### Graphics & Design ### gimp From 5baff5a68e44900d13e0579a3479cfcf5ab92b2f Mon Sep 17 00:00:00 2001 From: William Date: Fri, 7 Nov 2025 12:13:47 -0300 Subject: [PATCH 12/48] added kanshi to manage displays --- users/modules/desktop/niri.nix | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/users/modules/desktop/niri.nix b/users/modules/desktop/niri.nix index 16955d9..283d940 100644 --- a/users/modules/desktop/niri.nix +++ b/users/modules/desktop/niri.nix @@ -14,19 +14,27 @@ in { imports = [ inputs.noctalia.homeModules.default ]; + services.kanshi = { + enable = true; + settings = [ + { + profile.name = "default"; + profile.outputs = [ + { + criteria = "*"; + scale = 1.0; + } + ]; + } + ]; + }; + home = { packages = with pkgs; [ xwayland-satellite ]; sessionVariables.QT_QPA_PLATFORMTHEME = "gtk3"; }; xdg.configFile."niri/config.kdl".text = '' - output "eDP-1" { - scale 1.0 - } - output "DP-3" { - scale 1.0 - } - input { keyboard { xkb { From 52eaf14b0950fa725e86bfb521a40fbdabe4969f Mon Sep 17 00:00:00 2001 From: William Date: Sat, 8 Nov 2025 13:02:22 -0300 Subject: [PATCH 13/48] noto emoji font name change; niri window/workspace up/down keybind --- users/modules/desktop/niri.nix | 8 ++++---- users/modules/stylix.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/users/modules/desktop/niri.nix b/users/modules/desktop/niri.nix index 283d940..1f6a1bf 100644 --- a/users/modules/desktop/niri.nix +++ b/users/modules/desktop/niri.nix 
@@ -163,13 +163,13 @@ in Mod+Shift+Q { close-window; } Alt+F4 { close-window; } Mod+Left { focus-column-left; } - Mod+Down { focus-window-down; } - Mod+Up { focus-window-up; } + Mod+Down { focus-window-or-workspace-down; } + Mod+Up { focus-window-or-workspace-up; } Mod+Right { focus-column-right; } Mod+H { focus-column-left; } Mod+L { focus-column-right; } - Mod+J { focus-window-down; } - Mod+K { focus-window-up; } + Mod+J { focus-window-or-workspace-down; } + Mod+K { focus-window-or-workspace-up; } Ctrl+Alt+J { focus-workspace-down; } Ctrl+Alt+K { focus-workspace-up; } Ctrl+Alt+Down { focus-workspace-down; } diff --git a/users/modules/stylix.nix b/users/modules/stylix.nix index 13ba8b6..f1c7e44 100644 --- a/users/modules/stylix.nix +++ b/users/modules/stylix.nix @@ -46,7 +46,7 @@ name = "FiraCode Nerd Font"; }; emoji = { - package = pkgs.noto-fonts-emoji; + package = pkgs.noto-fonts-color-emoji; name = "Noto Color Emoji"; }; sizes = { From a1369e5818cd0bf26ae7dfd5970b81e81272d682 Mon Sep 17 00:00:00 2001 From: William Date: Sat, 8 Nov 2025 20:46:38 -0300 Subject: [PATCH 14/48] rekeyd secrets --- hosts/alexandria/firewall.nix | 11 ----------- secrets/cloudflare.age | 18 ++++++++++-------- secrets/nextcloud-adminpass.age | Bin 465 -> 465 bytes secrets/nextcloud-secrets.json.age | Bin 537 -> 537 bytes secrets/secrets.nix | 3 ++- 5 files changed, 12 insertions(+), 20 deletions(-) delete mode 100644 hosts/alexandria/firewall.nix diff --git a/hosts/alexandria/firewall.nix b/hosts/alexandria/firewall.nix deleted file mode 100644 index f6fded2..0000000 --- a/hosts/alexandria/firewall.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ ... }: - -{ - networking.firewall = { - allowedTCPPorts = [ - 80 - 443 - ]; - allowedUDPPorts = [ ]; - }; -} diff --git a/secrets/cloudflare.age b/secrets/cloudflare.age index 9e989ec..028e964 100644 --- a/secrets/cloudflare.age +++ b/secrets/cloudflare.age 
@@ -1,9 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 Kfdnog gEZvRtLBhGslmS97VaRqoucgExvOopsHAAne4lCmEEY -NkIeFYuQFntDOBqd3k0/OVYMcM7h73uO0jPXaHzEcZc --> ssh-ed25519 8YSAiw bVV4jIDbBKxsr6mQ4Tv0rP6ylrAEOJWkqjpyvXjnQRU -6kUe5Syw7sd+aF2QEgr6Yj+fOPL5zSJN1PJvY9Kdhlg --> ssh-ed25519 J6tVTA 4JMlJmhHAYUgjiWwB1Q278TSjJypwecALmfnosxan0s -WIubcIFrjMV0GpyU1ZGc48YwrqOtSmJxweonw1KnR+U ---- 78A7re4LLB/0n5AXLRlVqiMNFMAQ2ZvjjK21YGRveRE -_4pkVCKm#~kI8Em3kp|0^tSk s/΅?=l,7~̈́c{ȞAݭ>ZlGTJsGY //B4e'IIc ,"< \ No newline at end of file +-> ssh-ed25519 Kfdnog IHXv4c5we36dCUsB1v8uEF23tIRlDQ/8WR1hX4GQ+Uc +Cwccw64BYBdSZUdkSqKESIU7E17cLNtiAZZ3Y1xV87A +-> ssh-ed25519 8YSAiw Ce3vdMG111ubjcFgd3+q2Qw2+7dsoUz7SiudtuLDr0Y +JUodwFsKfOTZXxFyRrEk/4gxJ4goPkwvYeThi893M0U +-> ssh-ed25519 J6tVTA bExFuITTGXkTvhW25nushN7zT/PJGDoezsqu7fLKemI +4a90v0F4wgcZeqWBQ/EpqOZ9OCgT7qruwVvlGZeFmN8 +-> ssh-ed25519 Qt3Q+A j1oo46pNh1+yPEtxpgj+QPQPf5m82jL0DHGMacY8UFA +vy52Hl1WLTdKNA8+4p7A48Sg9+QkMXbECf/uxVMCLYk +--- 429vzgFnmFbEqDMwdvC0/EYDJlKU64YEGgE0AqPqlBs +b/!8O3Df/&kNQhurt%&]ucjH]_5@D$>N8Ϧ >9:CvѦ69W'X]X^ƻ$}|c/ ߸={uɳs \ No newline at end of file diff --git a/secrets/nextcloud-adminpass.age b/secrets/nextcloud-adminpass.age index 3b6ff2affb50a87f4b2cf91edf585c73272a134f..b4a29fa2568f59e840bde1dbd55ace544626f3b8 100644 GIT binary patch delta 411 zcmcb}e35yAPJLc}VR4C}dq`2WO`Myv3IVvL6L8scd>U?K~-UTm4BX#r?KG0mcUv|0t$UXy zYw%v)XTN@Qb=HR#cxf*wE0#>Rwz7U4vS89VhUCO=pI6L?lj>d;)?c@4p5y5@N3J!G G_5lEIGm+c? delta 411 zcmcb}e35yAPJN=QslG{oagj-?Nm_<^np>o&wn1{HNuFtHy0fQcM1^l?aad@eS6ObB zE0?EFPKckAv5Aqhk6%GbghjAxUT|KOYhhMdaF#`Ju1l7?Q(#0^pm9N1GMBEMLUD11 zZfc5=si~o*f<r!^a)3v8o{zS6 zKu~a&lc%EzS5UTzt3_~G@Up1{UVQPR0R6-rmM3AwdPXK53yI+6Cc`X67NT9$x;r=~;%_j=_;!1t~sx zQQ>8Q9+iHUIZ>s-CRtf!#d+>|soEjFQ3e5t>1AnUfnE__;YQ_Ly1Kdw8D0fp!J(EF zemRNBmX={IMrN4?rQv2?<@%xe&iVeyj^!R+!J*FC28qeVT=(tk|74sxcJ}$9S=Tr| zUC=zrvWa)yQ#P5uo^SfEFZ_L>-MeDyY#FQdRyLBIo4j}xE;xlv{`2(FH{WY-E9QK> HX5a$=F~*Zs 
diff --git a/secrets/nextcloud-secrets.json.age b/secrets/nextcloud-secrets.json.age index 473f3cb97a38fcb01d2d7512306b9576963b2754..02d170dce9315c545774f3510a4f81541ea6137b 100644 GIT binary patch delta 484 zcmbQqGLvP3PQ6z|j%%7%ieq-3zL8r*x=V;jQD#MOc$%-Lvt?CaMxuU5o>_WoWx0`K zD3@1ZMWTClMs`7Rv1Nuum7{xPxxYtAQGS|5dUjcaafz#^OF?i-Xhm41374*&LUD11 zZfc5=si~o*f< zX0BmgWnNf5SDIx~g^9aSPx`V~&;o}nqJ!ByE@KHC1S zWzH3;5ozv~mZ{oK`X(V&AucJ!kshU9Zk_>&`V}R~X+D<8hIxTpy1KdwQKd;0Ri)a# zzMh5UMyc-Ef&OMCIjIqr&fccJk)h@Rj()!NK_%sep8f^NTp_t{KN=*=`v32=CU@f6 zb#FN=XRdnX61Z;tXEo;=u{B8>C9)d2%j>GzX8&-0mcX=iT4s;Z!JaS{UQVIjmu}Dg`A2*!eD> delta 484 zcmbQqGLvP3PJO0XiLpzFzh#AQNn);vWkgQCr*S~0WqGArij$dviAk_QSZ;`iSz(S_ zI#-&0mVa7ma8X5Kv44tBiiJyNm2*jsN485=q;E!Xfu~WjWoEd0PJym@eV`;dXWol`1s#~N8Yibt+vabaO-L10yezH4OQ z#E;_j>DfLeVL4vq0YAn`FS4cuD+&brAEGP6;8pP7JI(# g=e#`y61#*wLgp)0cI;b{`b%#~@#5{@wobYM08OvE1ONa4 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index d47309f..84b14d6 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -7,7 +7,7 @@ let alexandria = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK95QueW+jp1ZmF299Xr3XkgHJ6dL7aZVsfWxqbOKVKA root@alexandria"; - trantor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkGuGLZPnYJbCGY4BhJ9uTupp6ruuR1NZ7FEYEaLPA7 root@alexandria"; + trantor = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIh/2u5pr/iPVeavlsor5hbTtsgUfP1JpzZVco2YQAo3 root@trantor"; in { @@ -15,6 +15,7 @@ in io-user rotterdam-user alexandria + trantor ]; "nextcloud-adminpass.age".publicKeys = [ io-user From 2289f0e6e46b5adabb087b2dad5b35cb281fd03a Mon Sep 17 00:00:00 2001 
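Review bot: The second secrets.nix hunk adds `trantor` to the recipients of `cloudflare.age`, so the Cloudflare credential becomes decryptable by trantor's host key in addition to the existing three recipients, but nothing in this commit records why trantor needs it (the ACME configuration that consumes it on trantor arrives several patches later in this series). A trailing comment on the new line, `trantor # DNS-01 ACME on trantor, see hosts/trantor/nginx.nix`, would make the recipient list self-explaining. The first hunk also replaces the `trantor` public key, whose old value carried the comment `root@alexandria`; re-encrypting the .age files only changes who can read future versions, so if that old key was ever used or exposed, the Cloudflare token itself should be rotated rather than just rekeyed.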
From: William Date: Sat, 8 Nov 2025 20:47:21 -0300 Subject: [PATCH 15/48] beginnings of split dns --- devShells.nix | 6 +-- hosts/alexandria/forgejo.nix | 9 +++++ hosts/alexandria/jellyfin.nix | 9 +++++ hosts/alexandria/librespeed.nix | 9 +++++ hosts/alexandria/nextcloud.nix | 9 +++++ hosts/alexandria/nginx.nix | 5 +++ hosts/alexandria/unbound.nix | 67 ++++++++++++++++++++++++++++++++ hosts/alexandria/vaultwarden.nix | 9 +++++ hosts/modules/split-dns.nix | 28 +++++++++++++ utils.nix | 29 ++++++++++++++ 10 files changed, 177 insertions(+), 3 deletions(-) create mode 100644 hosts/alexandria/unbound.nix create mode 100644 hosts/modules/split-dns.nix diff --git a/devShells.nix b/devShells.nix index 72b2695..f7e9627 100644 --- a/devShells.nix +++ b/devShells.nix @@ -1,12 +1,12 @@ -{ ... }: +{ inputs, ... }: { perSystem = - { pkgs, ... }: + { pkgs, system, ... }: { devShells.default = pkgs.mkShell { packages = with pkgs; [ - agenix-cli + inputs.agenix.packages.${system}.default deploy-rs nil nixfmt-rfc-style diff --git a/hosts/alexandria/forgejo.nix b/hosts/alexandria/forgejo.nix index 909d1d1..d9860f6 100644 --- a/hosts/alexandria/forgejo.nix +++ b/hosts/alexandria/forgejo.nix @@ -32,4 +32,13 @@ in domains."git.baduhai.dev".locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; }; + + # Register this domain for split DNS + services.splitDNS.entries = [ + { + domain = "git.baduhai.dev"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + } + ]; } diff --git a/hosts/alexandria/jellyfin.nix b/hosts/alexandria/jellyfin.nix index 9555c89..994f972 100644 --- a/hosts/alexandria/jellyfin.nix +++ b/hosts/alexandria/jellyfin.nix 
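Review bot: `services.splitDNS.entries` is an option declared by the new `hosts/modules/split-dns.nix`, but in this patch that module is imported only from `hosts/alexandria/unbound.nix`; the forgejo.nix hunk here, and the jellyfin.nix, librespeed.nix, nextcloud.nix and vaultwarden.nix hunks that follow, all set the option and therefore only evaluate if unbound.nix happens to be in the same host's module set, otherwise the build fails with an undefined option. Adding `imports = [ ../modules/split-dns.nix ];` to each file that sets the option, or importing it from the host's common module list, removes that hidden ordering dependency. The pair `lanIP = "192.168.15.142"; tailscaleIP = "100.76.19.50";` is also repeated verbatim in all five files; a comment stating these are alexandria's own addresses, or a single shared binding, would keep them from drifting apart.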
@@ -13,4 +13,13 @@ in acmeHost = "baduhai.dev"; domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/"; }; + + # Register this domain for split DNS + services.splitDNS.entries = [ + { + domain = "jellyfin.baduhai.dev"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + } + ]; } diff --git a/hosts/alexandria/librespeed.nix b/hosts/alexandria/librespeed.nix index e36a81d..9b59685 100644 --- a/hosts/alexandria/librespeed.nix +++ b/hosts/alexandria/librespeed.nix @@ -27,4 +27,13 @@ in acmeHost = "baduhai.dev"; domains."speedtest.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:58080/"; }; + + # Register this domain for split DNS + services.splitDNS.entries = [ + { + domain = "speedtest.baduhai.dev"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + } + ]; } diff --git a/hosts/alexandria/nextcloud.nix b/hosts/alexandria/nextcloud.nix index 9e606d9..e12d12b 100644 --- a/hosts/alexandria/nextcloud.nix +++ b/hosts/alexandria/nextcloud.nix @@ -79,6 +79,15 @@ in acmeHost = "baduhai.dev"; domains."cloud.baduhai.dev" = { }; }; + + # Register this domain for split DNS + splitDNS.entries = [ + { + domain = "cloud.baduhai.dev"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + } + ]; }; age.secrets = { diff --git a/hosts/alexandria/nginx.nix b/hosts/alexandria/nginx.nix index 0a0a261..54640c1 100644 --- a/hosts/alexandria/nginx.nix +++ b/hosts/alexandria/nginx.nix @@ -38,6 +38,11 @@ in users.users.nginx.extraGroups = [ "acme" ]; + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + age.secrets.cloudflare = { file = ../../secrets/cloudflare.age; owner = "nginx"; diff --git a/hosts/alexandria/unbound.nix b/hosts/alexandria/unbound.nix new file mode 100644 index 0000000..e923318 --- /dev/null +++ b/hosts/alexandria/unbound.nix 
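Review bot: The nginx.nix hunk re-opens 80/443 that the previous patch in this series removed together with `hosts/alexandria/firewall.nix`, so the revision between the two commits leaves alexandria's web ports closed; keeping the firewall rule next to the nginx definition is the better home, but the deletion and the re-addition should land in the same commit. A one-line comment such as `# HTTP/HTTPS for the nginx vhosts below (moved here from firewall.nix)` would explain why the rule now lives in this file.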
@@ -0,0 +1,67 @@ +{ config, inputs, lib, ... }: + +let + utils = import ../../utils.nix { inherit inputs lib; }; + inherit (utils) mkSplitDNS; +in + +{ + imports = [ ../modules/split-dns.nix ]; + + services.unbound = { + enable = true; + enableRootTrustAnchor = true; + settings = { + server = { + interface = [ + "0.0.0.0" + "::" + ]; + access-control = [ + "127.0.0.0/8 allow" + "192.168.0.0/16 allow" + "100.64.0.0/10 allow" # Tailscale CGNAT range + "::1/128 allow" + "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6 + ]; + + # Enable views for split DNS + access-control-view = [ + "100.64.0.0/10 tailscale" + "fd7a:115c:a1e0::/48 tailscale" + "192.168.0.0/16 lan" + ]; + + num-threads = 2; + msg-cache-size = "50m"; + rrset-cache-size = "100m"; + cache-min-ttl = 300; + cache-max-ttl = 86400; + prefetch = true; + prefetch-key = true; + hide-identity = true; + hide-version = true; + so-rcvbuf = "1m"; + so-sndbuf = "1m"; + }; + # Split DNS views - automatically collected from all service files + view = mkSplitDNS config.services.splitDNS.entries; + + forward-zone = [ + { + name = "."; + forward-addr = [ + "1.1.1.1@853#cloudflare-dns.com" + "1.0.0.1@853#cloudflare-dns.com" + ]; + forward-tls-upstream = true; + } + ]; + }; + }; + + networking.firewall = { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 ]; + }; +} diff --git a/hosts/alexandria/vaultwarden.nix b/hosts/alexandria/vaultwarden.nix index fd10d6b..68387ee 100644 --- a/hosts/alexandria/vaultwarden.nix +++ b/hosts/alexandria/vaultwarden.nix @@ -24,4 +24,13 @@ in domains."pass.baduhai.dev".locations."/".proxyPass = "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/"; }; + + # Register this domain for split DNS + services.splitDNS.entries = [ + { + domain = "pass.baduhai.dev"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + } + ]; } 
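Review bot: The resolver listens on `0.0.0.0`/`::` and the firewall opens 53/tcp and 53/udp on every interface, so unbound's `access-control` list is the only thing keeping the service off any interface that is neither LAN nor tailnet; if alexandria only has those two networks that is acceptable, but it is worth stating in a comment, or binding `interface` to the host's LAN and tailscale addresses (the rest of this series uses 192.168.15.142 and 100.76.19.50) so exposure does not depend solely on the allow list. The forward-zone sends every query to Cloudflare over TLS with `#cloudflare-dns.com` as the auth name, and unbound only verifies that name when a `tls-cert-bundle` is in effect, which the NixOS module appears to set by default; a comment like `# upstream cert is verified via the NixOS module's default tls-cert-bundle` would record that reliance. `cache-min-ttl = 300` also overrides shorter upstream TTLs, which delays failover for any record that depends on them.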
diff --git a/hosts/modules/split-dns.nix b/hosts/modules/split-dns.nix new file mode 100644 index 0000000..0998816 --- /dev/null +++ b/hosts/modules/split-dns.nix @@ -0,0 +1,28 @@ +{ config, lib, ... }: + +{ + options.services.splitDNS = { + entries = lib.mkOption { + type = lib.types.listOf ( + lib.types.submodule { + options = { + domain = lib.mkOption { + type = lib.types.str; + description = "The domain name to configure"; + }; + lanIP = lib.mkOption { + type = lib.types.str; + description = "IP address to return for LAN requests"; + }; + tailscaleIP = lib.mkOption { + type = lib.types.str; + description = "IP address to return for Tailscale requests"; + }; + }; + } + ); + default = [ ]; + description = "List of domains to configure for split DNS"; + }; + }; +} diff --git a/utils.nix b/utils.nix index 38cf968..c803fe5 100644 --- a/utils.nix +++ b/utils.nix @@ -190,4 +190,33 @@ in }; in lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) domains; + + # Split DNS utilities for unbound + # Generates unbound view config from a list of DNS entries + mkSplitDNS = + entries: + let + # Generate view entries for a single domain + mkEntry = + { + domain, + lanIP, + tailscaleIP, + }: + [ + { + name = "tailscale"; + view-first = true; + local-zone = ''"baduhai.dev." transparent''; + local-data = ''"${domain}. IN A ${tailscaleIP}"''; + } + { + name = "lan"; + view-first = true; + local-zone = ''"baduhai.dev." transparent''; + local-data = ''"${domain}. IN A ${lanIP}"''; + } + ]; + in + builtins.concatMap mkEntry entries; } From af444584d09eda850d4327af2d74874be3028a75 Mon Sep 17 00:00:00 2001 
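Review bot: `mkSplitDNS` in the utils.nix hunk emits a separate `view` entry named `tailscale` and another named `lan` for every domain, so with N entries the generated unbound.conf declares each view name N times; I believe unbound rejects a repeated `view:` name at config check, and even if it is accepted the intent is clearly one view per network holding all records (a later patch in this series rewrites it that way). Folding the entries into a single view per side with `local-data` as a list avoids the ambiguity. The zone `"baduhai.dev." transparent` is also hard-coded while `domain` in split-dns.nix is a free-form `lib.types.str`, so an entry outside that zone would fall outside the declared local-zone; adding to the option's description that entries must be under baduhai.dev makes the constraint visible.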
From: William Date: Sat, 8 Nov 2025 21:35:13 -0300 Subject: [PATCH 16/48] Add shared services infrastructure for cross-host data Created centralized service definitions in shared/services.nix to store service metadata (domains, IPs, ports) that need to be accessible across multiple hosts. This replaces the per-service split DNS module approach with a single source of truth. Services are now exported through utils.nix for easy access in host configs. --- hosts/alexandria/librespeed.nix | 39 ---------------------------- shared/services.nix | 39 ++++++++++++++++++++++++++++ utils.nix | 46 +++++++++++++++++---------------- 3 files changed, 63 insertions(+), 61 deletions(-) delete mode 100644 hosts/alexandria/librespeed.nix create mode 100644 shared/services.nix diff --git a/hosts/alexandria/librespeed.nix b/hosts/alexandria/librespeed.nix deleted file mode 100644 index 9b59685..0000000 --- a/hosts/alexandria/librespeed.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ - config, - lib, - inputs, - ... -}: - -let - utils = import ../../utils.nix { inherit inputs lib; }; - inherit (utils) mkNginxVHosts; -in - -{ - virtualisation.oci-containers.containers."librespeed" = { - image = "lscr.io/linuxserver/librespeed:latest"; - environment = { - TZ = "America/Bahia"; - }; - ports = [ "127.0.0.1:58080:80" ]; - extraOptions = [ - "--pull=newer" - "--label=io.containers.autoupdate=registry" - ]; - }; - - services.nginx.virtualHosts = mkNginxVHosts { - acmeHost = "baduhai.dev"; - domains."speedtest.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:58080/"; - }; - - # Register this domain for split DNS - services.splitDNS.entries = [ - { - domain = "speedtest.baduhai.dev"; - lanIP = "192.168.15.142"; - tailscaleIP = "100.76.19.50"; - } - ]; -} diff --git a/shared/services.nix b/shared/services.nix new file mode 100644 index 0000000..f55e4d2 --- /dev/null +++ b/shared/services.nix 
@@ -0,0 +1,39 @@ +# Shared service definitions for cross-host configuration +# Used by: +# - alexandria: DNS server (LAN) + service hosting (vaultwarden, nextcloud, jellyfin) +# - trantor: DNS server (Tailnet) + service hosting (forgejo) +{ + services = [ + { + name = "vaultwarden"; + domain = "vault.baduhai.dev"; + host = "alexandria"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + port = 8222; + } + { + name = "forgejo"; + domain = "git.baduhai.dev"; + host = "trantor"; + tailscaleIP = "100.108.5.90"; + port = 3000; + } + { + name = "nextcloud"; + domain = "cloud.baduhai.dev"; + host = "alexandria"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + port = 443; + } + { + name = "jellyfin"; + domain = "jellyfin.baduhai.dev"; + host = "alexandria"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + port = 8096; + } + ]; +} diff --git a/utils.nix b/utils.nix index c803fe5..740bad0 100644 --- a/utils.nix +++ b/utils.nix @@ -8,9 +8,14 @@ let home-manager agenix ; + + # Import shared service definitions + sharedServices = import ./shared/services.nix; in { + # Re-export shared services for use in host configs + inherit (sharedServices) services; # Tag-based host configuration system mkHost = { 
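Review bot: The vaultwarden entry in services.nix uses `domain = "vault.baduhai.dev";`, while the nginx vhost for that service and the split-DNS entry removed elsewhere in this series both use `pass.baduhai.dev`, so the DNS record generated from this file would point at a name nginx does not serve; a later patch corrects it, but the mismatch ships in this commit. The header comment describes forgejo as hosted on trantor (`host = "trantor"`, no `lanIP`) even though `hosts/alexandria/forgejo.nix` still exists at this revision, and any consumer that reads `e.lanIP` for every entry will fail on that one, so the optional field should be documented: `# lanIP is omitted for services reachable only over the tailnet`. Since this file is now the single source of truth for both resolvers, a short comment on what each IP is (alexandria's LAN and tailscale addresses, trantor's tailscale address) would help future edits.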
@@ -196,27 +201,24 @@ in mkSplitDNS = entries: let - # Generate view entries for a single domain - mkEntry = - { - domain, - lanIP, - tailscaleIP, - }: - [ - { - name = "tailscale"; - view-first = true; - local-zone = ''"baduhai.dev." transparent''; - local-data = ''"${domain}. IN A ${tailscaleIP}"''; - } - { - name = "lan"; - view-first = true; - local-zone = ''"baduhai.dev." transparent''; - local-data = ''"${domain}. IN A ${lanIP}"''; - } - ]; + # Generate local-data entries for all domains + tailscaleData = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') entries; + lanData = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') entries; in - builtins.concatMap mkEntry entries; + [ + # Single Tailscale view with all domains + { + name = "tailscale"; + view-first = true; + local-zone = ''"baduhai.dev." transparent''; + local-data = tailscaleData; + } + # Single LAN view with all domains + { + name = "lan"; + view-first = true; + local-zone = ''"baduhai.dev." transparent''; + local-data = lanData; + } + ]; } From 8d8847e2fbbe3a88b8b50e5d050be86c89cb745d Mon Sep 17 00:00:00 2001 From: William Date: Sat, 8 Nov 2025 21:35:33 -0300 Subject: [PATCH 17/48] Remove split DNS module and per-service entries Removed the split-dns.nix module and all service-specific splitDNS.entries configurations. Service DNS records are now sourced from the centralized shared/services.nix file instead of being declared individually in each service configuration. --- hosts/alexandria/forgejo.nix | 9 --------- hosts/alexandria/jellyfin.nix | 9 --------- hosts/alexandria/nextcloud.nix | 9 --------- hosts/alexandria/vaultwarden.nix | 9 --------- hosts/modules/split-dns.nix | 28 ---------------------------- 5 files changed, 64 deletions(-) delete mode 100644 hosts/modules/split-dns.nix diff --git a/hosts/alexandria/forgejo.nix b/hosts/alexandria/forgejo.nix index d9860f6..909d1d1 100644 --- a/hosts/alexandria/forgejo.nix +++ b/hosts/alexandria/forgejo.nix 
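Review bot: `lanData = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') entries;` reads `lanIP` unconditionally, but the shared services list introduced in this commit contains an entry (forgejo on trantor) with no `lanIP`, so feeding `utils.services` to mkSplitDNS, which the commit message says is the plan, fails evaluation with a missing-attribute error. Filtering first keeps the function total over that list: `lanData = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') (lib.filter (e: e ? lanIP) entries);`. The header comment still only says "Generates unbound view config from a list of DNS entries"; it should add that the zone is fixed to baduhai.dev and which attributes each entry must carry.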
@@ -32,13 +32,4 @@ in domains."git.baduhai.dev".locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; }; - - # Register this domain for split DNS - services.splitDNS.entries = [ - { - domain = "git.baduhai.dev"; - lanIP = "192.168.15.142"; - tailscaleIP = "100.76.19.50"; - } - ]; } diff --git a/hosts/alexandria/jellyfin.nix b/hosts/alexandria/jellyfin.nix index 994f972..9555c89 100644 --- a/hosts/alexandria/jellyfin.nix +++ b/hosts/alexandria/jellyfin.nix @@ -13,13 +13,4 @@ in acmeHost = "baduhai.dev"; domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/"; }; - - # Register this domain for split DNS - services.splitDNS.entries = [ - { - domain = "jellyfin.baduhai.dev"; - lanIP = "192.168.15.142"; - tailscaleIP = "100.76.19.50"; - } - ]; } diff --git a/hosts/alexandria/nextcloud.nix b/hosts/alexandria/nextcloud.nix index e12d12b..9e606d9 100644 --- a/hosts/alexandria/nextcloud.nix +++ b/hosts/alexandria/nextcloud.nix @@ -79,15 +79,6 @@ in acmeHost = "baduhai.dev"; domains."cloud.baduhai.dev" = { }; }; - - # Register this domain for split DNS - splitDNS.entries = [ - { - domain = "cloud.baduhai.dev"; - lanIP = "192.168.15.142"; - tailscaleIP = "100.76.19.50"; - } - ]; }; age.secrets = { diff --git a/hosts/alexandria/vaultwarden.nix b/hosts/alexandria/vaultwarden.nix index 68387ee..fd10d6b 100644 --- a/hosts/alexandria/vaultwarden.nix +++ b/hosts/alexandria/vaultwarden.nix @@ -24,13 +24,4 @@ in domains."pass.baduhai.dev".locations."/".proxyPass = "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/"; }; - - # Register this domain for split DNS - services.splitDNS.entries = [ - { - domain = "pass.baduhai.dev"; - lanIP = "192.168.15.142"; - tailscaleIP = "100.76.19.50"; - } - ]; } diff --git a/hosts/modules/split-dns.nix b/hosts/modules/split-dns.nix deleted file mode 100644 index 0998816..0000000 
--- a/hosts/modules/split-dns.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ config, lib, ... }: - -{ - options.services.splitDNS = { - entries = lib.mkOption { - type = lib.types.listOf ( - lib.types.submodule { - options = { - domain = lib.mkOption { - type = lib.types.str; - description = "The domain name to configure"; - }; - lanIP = lib.mkOption { - type = lib.types.str; - description = "IP address to return for LAN requests"; - }; - tailscaleIP = lib.mkOption { - type = lib.types.str; - description = "IP address to return for Tailscale requests"; - }; - }; - } - ); - default = [ ]; - description = "List of domains to configure for split DNS"; - }; - }; -} From ee1a7c4d180bf9bff5d0261cf3708d1374f78093 Mon Sep 17 00:00:00 2001 From: William Date: Sat, 8 Nov 2025 21:35:53 -0300 Subject: [PATCH 18/48] Split DNS servers: alexandria for LAN, trantor for tailnet Alexandria's unbound now only serves LAN clients (192.168.0.0/16) and returns LAN IPs for service domains. Created new unbound instance on trantor to serve Tailscale clients (100.64.0.0/10) and return tailscale IPs for service domains. Both configurations pull service records from shared/services.nix. --- hosts/alexandria/unbound.nix | 21 ++++--------- hosts/trantor/unbound.nix | 58 ++++++++++++++++++++++++++++++++++++ nixosConfigurations.nix | 1 - 3 files changed, 64 insertions(+), 16 deletions(-) create mode 100644 hosts/trantor/unbound.nix diff --git a/hosts/alexandria/unbound.nix b/hosts/alexandria/unbound.nix index e923318..31363aa 100644 --- a/hosts/alexandria/unbound.nix +++ b/hosts/alexandria/unbound.nix @@ -1,13 +1,10 @@ -{ config, inputs, lib, ... }: +{ inputs, lib, ... }: let utils = import ../../utils.nix { inherit inputs lib; }; - inherit (utils) mkSplitDNS; in { - imports = [ ../modules/split-dns.nix ]; - services.unbound = { enable = true; enableRootTrustAnchor = true; 
@@ -20,16 +17,7 @@ in access-control = [ "127.0.0.0/8 allow" "192.168.0.0/16 allow" - "100.64.0.0/10 allow" # Tailscale CGNAT range "::1/128 allow" - "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6 - ]; - - # Enable views for split DNS - access-control-view = [ - "100.64.0.0/10 tailscale" - "fd7a:115c:a1e0::/48 tailscale" - "192.168.0.0/16 lan" ]; num-threads = 2; @@ -43,9 +31,12 @@ in hide-version = true; so-rcvbuf = "1m"; so-sndbuf = "1m"; + + # LAN-only DNS records + local-zone = ''"baduhai.dev." transparent''; + local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') + (lib.filter (e: e ? lanIP) utils.services); }; - # Split DNS views - automatically collected from all service files - view = mkSplitDNS config.services.splitDNS.entries; forward-zone = [ { diff --git a/hosts/trantor/unbound.nix b/hosts/trantor/unbound.nix new file mode 100644 index 0000000..46808c6 --- /dev/null +++ b/hosts/trantor/unbound.nix 
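Review bot: With the tailnet ranges removed, `access-control` still allows all of `192.168.0.0/16` although every LAN address in this series sits in 192.168.15.0/24; narrowing the entry to the actual subnet is cheap and limits which segments can query the resolver if the host is ever attached to another 192.168.x network. The `local-data` map in the second hunk now guards with `lib.filter (e: e ? lanIP)`, which is the right shape; a comment such as `# entries without lanIP (tailnet-only services) are not overridden and resolve via the forward-zone` would explain what LAN clients get for names like git.baduhai.dev. The `interface` binding and the firewall rule opening 53 on all interfaces lie outside these hunks and are unchanged.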
@@ -0,0 +1,58 @@ +{ inputs, lib, ... }: + +let + utils = import ../../utils.nix { inherit inputs lib; }; +in + +{ + services.unbound = { + enable = true; + enableRootTrustAnchor = true; + settings = { + server = { + interface = [ + "0.0.0.0" + "::" + ]; + access-control = [ + "127.0.0.0/8 allow" + "100.64.0.0/10 allow" # Tailscale CGNAT range + "::1/128 allow" + "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6 + ]; + + num-threads = 2; + msg-cache-size = "50m"; + rrset-cache-size = "100m"; + cache-min-ttl = 300; + cache-max-ttl = 86400; + prefetch = true; + prefetch-key = true; + hide-identity = true; + hide-version = true; + so-rcvbuf = "1m"; + so-sndbuf = "1m"; + + # Tailnet DNS records from shared services + local-zone = ''"baduhai.dev." transparent''; + local-data = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') utils.services; + }; + + forward-zone = [ + { + name = "."; + forward-addr = [ + "1.1.1.1@853#cloudflare-dns.com" + "1.0.0.1@853#cloudflare-dns.com" + ]; + forward-tls-upstream = true; + } + ]; + }; + }; + + networking.firewall = { + allowedTCPPorts = [ 53 ]; + allowedUDPPorts = [ 53 ]; + }; +} diff --git a/nixosConfigurations.nix b/nixosConfigurations.nix index 85fd378..c4969c1 100644 --- a/nixosConfigurations.nix +++ b/nixosConfigurations.nix @@ -40,7 +40,6 @@ in tags = [ # "server" TODO: uncomment when 25.11 is out. "fwupd" - "podman" ]; }; From 34622a05cbf2308e27f692efc8f3e04aa84b3942 Mon Sep 17 00:00:00 2001 
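Review bot: trantor is the OCI-provisioned host (see terranix/oci/trantor.nix earlier in this series), so binding unbound to `0.0.0.0`/`::` and opening 53/tcp and 53/udp via `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` exposes the listener on its public interface and leaves the `access-control` allow list as the only gate; unlisted sources get REFUSED rather than an answer, but the daemon is still reachable from the internet. Restricting the rule to the tailscale interface, `networking.firewall.interfaces.tailscale0.allowedUDPPorts = [ 53 ];` (and the same for TCP), or binding `interface` to the host's tailscale address (100.108.5.90 in shared/services.nix), keeps the resolver tailnet-only regardless of the allow list. `local-data` maps `e.tailscaleIP` over every entry, which holds for the shared list as it stands; a comment that tailscaleIP is mandatory for all entries would guard that assumption. The same all-interface binding exists in the alexandria unbound.nix file.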
From: William Date: Sat, 8 Nov 2025 21:47:16 -0300 Subject: [PATCH 19/48] Move forgejo from alexandria to trantor Migrated forgejo service and configuration to trantor. Added nginx reverse proxy support on trantor with ACME configuration for SSL certificates. Fixed vaultwarden domain in shared services from vault.baduhai.dev to pass.baduhai.dev to match actual nginx configuration. --- hosts/{alexandria => trantor}/forgejo.nix | 1 - hosts/trantor/nginx.nix | 50 +++++++++++++++++++++++ shared/services.nix | 2 +- 3 files changed, 51 insertions(+), 2 deletions(-) rename hosts/{alexandria => trantor}/forgejo.nix (96%) create mode 100644 hosts/trantor/nginx.nix diff --git a/hosts/alexandria/forgejo.nix b/hosts/trantor/forgejo.nix similarity index 96% rename from hosts/alexandria/forgejo.nix rename to hosts/trantor/forgejo.nix index 909d1d1..c11573e 100644 --- a/hosts/alexandria/forgejo.nix +++ b/hosts/trantor/forgejo.nix @@ -28,7 +28,6 @@ in }; services.nginx.virtualHosts = mkNginxVHosts { - acmeHost = "baduhai.dev"; domains."git.baduhai.dev".locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; }; diff --git a/hosts/trantor/nginx.nix b/hosts/trantor/nginx.nix new file mode 100644 index 0000000..6879bfc --- /dev/null +++ b/hosts/trantor/nginx.nix 
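Review bot: The forgejo.nix hunk drops `acmeHost = "baduhai.dev";` from the `mkNginxVHosts` call, but at this commit mkNginxVHosts still takes the pattern `{ acmeHost, domains, }` (it becomes `{ domains }` only in the next patch of this series), so evaluating trantor's configuration at this revision fails with a missing `acmeHost` argument. Reordering the two commits, or moving this one-line removal into the commit that changes the signature, keeps every revision evaluable. The function's signature and body are outside this hunk.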
@@ -0,0 +1,50 @@ +{ + config, + lib, + inputs, + ... +}: + +let + utils = import ../../utils.nix { inherit inputs lib; }; + inherit (utils) mkNginxVHosts; +in + +{ + security.acme = { + acceptTerms = true; + defaults = { + email = "baduhai@proton.me"; + dnsResolver = "1.1.1.1:53"; + dnsProvider = "cloudflare"; + credentialsFile = config.age.secrets.cloudflare.path; + }; + }; + + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts = { + "_" = { + default = true; + locations."/".return = "444"; + }; + }; + }; + + users.users.nginx.extraGroups = [ "acme" ]; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + age.secrets.cloudflare = { + file = ../../secrets/cloudflare.age; + owner = "nginx"; + group = "nginx"; + }; +} diff --git a/shared/services.nix b/shared/services.nix index f55e4d2..fd4e440 100644 --- a/shared/services.nix +++ b/shared/services.nix @@ -6,7 +6,7 @@ services = [ { name = "vaultwarden"; - domain = "vault.baduhai.dev"; + domain = "pass.baduhai.dev"; host = "alexandria"; lanIP = "192.168.15.142"; tailscaleIP = "100.76.19.50"; From 73db53426937916050da864ee45e53520da34294 Mon Sep 17 00:00:00 2001 
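Review bot: The catch-all `"_"` vhost has `default = true` and returns 444, but with neither `forceSSL`/`addSSL` nor a certificate it only listens on port 80, so a TLS connection with an unknown or absent SNI is not caught by it and is instead answered by whichever other vhost nginx selects as default on 443, using that vhost's certificate; if unknown names should be dropped on both ports, give the default host an `addSSL` listener with its own certificate (the alexandria nginx.nix hunk later in this series has the same shape). This file also makes trantor the second machine holding the Cloudflare API credential via `credentialsFile = config.age.secrets.cloudflare.path`; a comment next to it recording the scope that token is expected to have (DNS edit on the zone used for DNS-01) would make later reviews of that secret's blast radius easier. The `email` and `dnsResolver` values duplicate alexandria's file; a shared module would avoid the copy drifting.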
From: William Date: Sat, 8 Nov 2025 21:47:41 -0300 Subject: [PATCH 20/48] Switch from wildcard to per-domain SSL certificates Updated mkNginxVHosts to use per-domain certificates (enableACME) instead of shared wildcard certificates (useACMEHost). Each service now requests its own certificate, avoiding conflicts between hosts and following the principle of least privilege. Removed wildcard certificate configuration from both alexandria and trantor. Each host now only obtains certificates for domains it actually serves: - Alexandria: pass.baduhai.dev, cloud.baduhai.dev, jellyfin.baduhai.dev - Trantor: git.baduhai.dev --- hosts/alexandria/jellyfin.nix | 1 - hosts/alexandria/nextcloud.nix | 1 - hosts/alexandria/nginx.nix | 11 +++++------ hosts/alexandria/vaultwarden.nix | 1 - utils.nix | 7 ++----- 5 files changed, 7 insertions(+), 14 deletions(-) diff --git a/hosts/alexandria/jellyfin.nix b/hosts/alexandria/jellyfin.nix index 9555c89..6ceac09 100644 --- a/hosts/alexandria/jellyfin.nix +++ b/hosts/alexandria/jellyfin.nix @@ -10,7 +10,6 @@ in }; services.nginx.virtualHosts = mkNginxVHosts { - acmeHost = "baduhai.dev"; domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/"; }; } diff --git a/hosts/alexandria/nextcloud.nix b/hosts/alexandria/nextcloud.nix index 9e606d9..2368a3c 100644 --- a/hosts/alexandria/nextcloud.nix +++ b/hosts/alexandria/nextcloud.nix @@ -76,7 +76,6 @@ in }; nginx.virtualHosts = mkNginxVHosts { - acmeHost = "baduhai.dev"; domains."cloud.baduhai.dev" = { }; }; }; diff --git a/hosts/alexandria/nginx.nix b/hosts/alexandria/nginx.nix index 54640c1..6879bfc 100644 --- a/hosts/alexandria/nginx.nix +++ b/hosts/alexandria/nginx.nix @@ -19,9 +19,6 @@ in dnsProvider = "cloudflare"; credentialsFile = config.age.secrets.cloudflare.path; }; - certs."baduhai.dev" = { - extraDomainNames = [ "*.baduhai.dev" ]; - }; }; services.nginx = { 
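Review bot: Removing the `*.baduhai.dev` wildcard in favour of `enableACME` per vhost means every service hostname (pass, cloud, jellyfin, git, and auth in the next patch) is now issued as its own certificate and therefore appears in public Certificate Transparency logs, whereas the wildcard kept the individual split-DNS names out of public records; that is a deliberate trade-off worth stating in a comment near `security.acme.defaults`, since the series otherwise takes care to keep LAN/tailnet addresses private. The "least privilege" framing only applies to certificate scope: both hosts still complete DNS-01 with the same Cloudflare credential, so the token's permissions are unchanged by this commit. Dropping `certs."baduhai.dev"` leaves `security.acme.defaults` as the only ACME configuration on alexandria, which is consistent with the trantor file.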
@@ -30,9 +27,11 @@ in recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; - virtualHosts = mkNginxVHosts { - acmeHost = "baduhai.dev"; - domains."_".locations."/".return = "444"; + virtualHosts = { + "_" = { + default = true; + locations."/".return = "444"; + }; }; }; diff --git a/hosts/alexandria/vaultwarden.nix b/hosts/alexandria/vaultwarden.nix index fd10d6b..2335ee0 100644 --- a/hosts/alexandria/vaultwarden.nix +++ b/hosts/alexandria/vaultwarden.nix @@ -20,7 +20,6 @@ in }; services.nginx.virtualHosts = mkNginxVHosts { - acmeHost = "baduhai.dev"; domains."pass.baduhai.dev".locations."/".proxyPass = "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/"; }; diff --git a/utils.nix b/utils.nix index 740bad0..7a81af7 100644 --- a/utils.nix +++ b/utils.nix @@ -183,13 +183,10 @@ in # Nginx virtual host utilities mkNginxVHosts = - { - acmeHost, - domains, - }: + { domains }: let commonVHostConfig = { - useACMEHost = acmeHost; + enableACME = true; forceSSL = true; kTLS = true; }; From 952a55f03d392d504728065191f5edddebc453ba Mon Sep 17 00:00:00 2001 From: William Date: Sat, 8 Nov 2025 21:57:27 -0300 Subject: [PATCH 21/48] Add Kanidm identity provider to alexandria Added Kanidm server configuration to serve as central identity provider for all services. Configuration includes: - Server on auth.baduhai.dev with HTTPS - LDAP support on port 636 for legacy integrations - Nginx reverse proxy with SSL termination - Added to shared services for DNS resolution Kanidm will provide OAuth2/OIDC authentication for Nextcloud, Vaultwarden, Forgejo, and other services. --- hosts/alexandria/kanidm.nix | 78 +++++++++++++++++++++++++++++++++++++ shared/services.nix | 10 ++++- 2 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 hosts/alexandria/kanidm.nix 
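Review bot: The `"_"` default vhost in the `@@ -30,9 +27,11 @@` hunk of `hosts/alexandria/nginx.nix` loses TLS when it stops going through `mkNginxVHosts`: it no longer gets `forceSSL`/a certificate, so it only listens on port 80, and nginx then treats the first TLS-enabled server block as the implicit default for port 443. If nothing else defines a default server for 443, HTTPS requests to the bare IP or to an unknown SNI name are answered by one of the real service vhosts instead of being dropped with 444. Adding `rejectSSL = true;` to the `"_"` vhost (which emits `ssl_reject_handshake on`) keeps the 444 on port 80 and makes nginx abort unknown-name TLS handshakes on 443 without needing a certificate. The `utils.nix` hunk on this line is consistent with the commit's intent and needs no change.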
diff --git a/hosts/alexandria/kanidm.nix b/hosts/alexandria/kanidm.nix new file mode 100644 index 0000000..ee56bc1 --- /dev/null +++ b/hosts/alexandria/kanidm.nix 
@@ -0,0 +1,78 @@
+{
+ config,
+ lib,
+ inputs,
+ pkgs,
+ ...
+}:
+
+let
+ utils = import ../../utils.nix { inherit inputs lib; };
+ inherit (utils) mkNginxVHosts;
+ kanidmCertDir = "/var/lib/kanidm/certs";
+in
+
+{
+ services.kanidm = {
+ enableServer = true;
+ package = pkgs.kanidm;
+
+ serverSettings = {
+ domain = "auth.baduhai.dev";
+ origin = "https://auth.baduhai.dev";
+ bindaddress = "127.0.0.1:8443";
+ ldapbindaddress = "127.0.0.1:636";
+ trust_x_forward_for = true;
+ # Use self-signed certificates for internal TLS
+ tls_chain = "${kanidmCertDir}/cert.pem";
+ tls_key = "${kanidmCertDir}/key.pem";
+ };
+ };
+
+ services.nginx.virtualHosts = mkNginxVHosts {
+ domains."auth.baduhai.dev" = {
+ locations."/" = {
+ proxyPass = "https://127.0.0.1:8443";
+ extraConfig = ''
+ proxy_ssl_verify off;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 636 ];
+
+ # Generate self-signed certificates for kanidm's internal TLS
+ systemd.services.kanidm-generate-certs = {
+ description = "Generate self-signed TLS certificates for Kanidm";
+ wantedBy = [ "multi-user.target" ];
+ before = [ "kanidm.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ mkdir -p ${kanidmCertDir}
+ if [ ! -f ${kanidmCertDir}/key.pem ]; then
+ ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \
+ -keyout ${kanidmCertDir}/key.pem \
+ -out ${kanidmCertDir}/cert.pem \
+ -days 3650 -nodes \
+ -subj "/CN=localhost" \
+ -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+ chown -R kanidm:kanidm ${kanidmCertDir}
+ chmod 600 ${kanidmCertDir}/key.pem
+ chmod 644 ${kanidmCertDir}/cert.pem
+ fi
+ '';
+ };
+
+ # Ensure certificate generation runs before kanidm starts
+ systemd.services.kanidm = {
+ after = [ "kanidm-generate-certs.service" ];
+ wants = [ "kanidm-generate-certs.service" ];
+ };
+}
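Review bot: `networking.firewall.allowedTCPPorts = [ 636 ];` opens LDAPS to the network while `ldapbindaddress = "127.0.0.1:636"` binds it to loopback only, so either the firewall rule is dead (and misleading about what is exposed) or the bind address is wrong for the "legacy integrations" the commit message mentions. Decide which and document it next to the line; if LDAP is meant to stay local, drop the firewall entry. Separately, `proxy_ssl_verify off;` can be tightened cheaply because the upstream certificate is generated right here with `localhost`/`127.0.0.1` in its SAN: `proxy_ssl_trusted_certificate ${kanidmCertDir}/cert.pem; proxy_ssl_verify on; proxy_ssl_name localhost;` pins nginx to that cert, though nginx must then be able to traverse `${kanidmCertDir}` (the script sets file modes but not the directory mode).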
diff --git a/shared/services.nix b/shared/services.nix index fd4e440..8870258 100644 --- a/shared/services.nix +++ b/shared/services.nix @@ -1,9 +1,17 @@ # Shared service definitions for cross-host configuration # Used by: -# - alexandria: DNS server (LAN) + service hosting (vaultwarden, nextcloud, jellyfin) +# - alexandria: DNS server (LAN) + service hosting (vaultwarden, nextcloud, jellyfin, kanidm) # - trantor: DNS server (Tailnet) + service hosting (forgejo) { services = [ + { + name = "kanidm"; + domain = "auth.baduhai.dev"; + host = "alexandria"; + lanIP = "192.168.15.142"; + tailscaleIP = "100.76.19.50"; + port = 8443; + } { name = "vaultwarden"; domain = "pass.baduhai.dev"; From 58fec035791726b213ac648902513589fa11ab7e Mon Sep 17 00:00:00 2001 
From: William Date: Sat, 8 Nov 2025 22:53:18 -0300 Subject: [PATCH 22/48] Switch ACME to DNS-01 challenge with auto-configured certificates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changed certificate generation from HTTP-01 to DNS-01 challenge to support services behind Tailscale/CGNAT IPs. HTTP-01 challenges fail because Let's Encrypt cannot reach private Tailscale IPs (100.x.x.x) that Cloudflare DNS points to. Changes: - Pre-configure certificates in security.acme.certs using DNS-01 via Cloudflare - Auto-generate certificate configs from shared/services.nix - Alexandria: filters services with host == "alexandria" - Trantor: filters services with host == "trantor" - Updated mkNginxVHosts to use useACMEHost instead of enableACME - Each domain gets its own certificate configured with DNS-01 challenge This ensures all services get valid Let's Encrypt certificates even when accessible only through Tailscale or private networks. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- hosts/alexandria/nginx.nix | 11 ++++++++++- hosts/trantor/nginx.nix | 13 ++++++++++++- utils.nix | 14 ++++++++------ 3 files changed, 30 insertions(+), 8 deletions(-) diff --git a/hosts/alexandria/nginx.nix b/hosts/alexandria/nginx.nix index 6879bfc..274f645 100644 --- a/hosts/alexandria/nginx.nix +++ b/hosts/alexandria/nginx.nix @@ -7,7 +7,15 @@ let utils = import ../../utils.nix { inherit inputs lib; }; - inherit (utils) mkNginxVHosts; + inherit (utils) mkNginxVHosts services; + + # Get all unique domains from shared services that have LAN IPs (served by this host) + localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "alexandria") services)); + + # Generate ACME cert configs for all local domains + acmeCerts = lib.genAttrs localDomains (domain: { + group = "nginx"; + }); in { 
@@ -19,6 +27,7 @@ in dnsProvider = "cloudflare"; credentialsFile = config.age.secrets.cloudflare.path; }; + certs = acmeCerts; }; services.nginx = { diff --git a/hosts/trantor/nginx.nix b/hosts/trantor/nginx.nix index 6879bfc..56eed7c 100644 --- a/hosts/trantor/nginx.nix +++ b/hosts/trantor/nginx.nix @@ -7,7 +7,17 @@ let utils = import ../../utils.nix { inherit inputs lib; }; - inherit (utils) mkNginxVHosts; + inherit (utils) mkNginxVHosts services; + + # Get all unique domains from shared services on trantor (host = "trantor") + localDomains = lib.unique ( + map (s: s.domain) (lib.filter (s: s.host == "trantor") services) + ); + + # Generate ACME cert configs for all local domains + acmeCerts = lib.genAttrs localDomains (domain: { + group = "nginx"; + }); in { @@ -19,6 +29,7 @@ in dnsProvider = "cloudflare"; credentialsFile = config.age.secrets.cloudflare.path; }; + certs = acmeCerts; }; services.nginx = { diff --git a/utils.nix b/utils.nix index 7a81af7..8c20ab9 100644 --- a/utils.nix +++ b/utils.nix @@ -185,13 +185,15 @@ in mkNginxVHosts = { domains }: let - commonVHostConfig = { - enableACME = true; - forceSSL = true; - kTLS = true; - }; + # Extract domain name and apply it as useACMEHost + mkVHostConfig = domain: config: + lib.recursiveUpdate { + useACMEHost = domain; + forceSSL = true; + kTLS = true; + } config; in - lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) domains; + lib.mapAttrs mkVHostConfig domains; # Split DNS utilities for unbound # Generates unbound view config from a list of DNS entries From 258bcac59750a5ef585ab28c39d1972b9479326d Mon Sep 17 00:00:00 2001 
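Review bot: The `localDomains`/`acmeCerts` derivation is duplicated between the `hosts/alexandria/nginx.nix` and `hosts/trantor/nginx.nix` hunks with only the host literal differing (`"alexandria"` vs `"trantor"`), which is the kind of pair that drifts apart silently. A helper in `utils.nix` next to `mkNginxVHosts`, e.g. `mkAcmeCerts = host: lib.genAttrs (lib.unique (map (s: s.domain) (lib.filter (s: s.host == host) services))) (_: { group = "nginx"; });`, would let both files write `certs = mkAcmeCerts "alexandria";` and keep the filter logic in one place. In the `utils.nix` hunk the inner parameter `config` in `mkVHostConfig = domain: config:` reads like the NixOS module argument; naming it `vhost` avoids that confusion.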
From: William Date: Sat, 8 Nov 2025 23:56:40 -0300 Subject: [PATCH 23/48] Integrate Kanidm with Nextcloud via OIDC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added Kanidm identity provider integration with Nextcloud: - Enabled Kanidm client in kanidm.nix for CLI access - Added user_oidc app to Nextcloud for OpenID Connect authentication - Configured allow_local_remote_servers to permit Nextcloud to reach Kanidm at auth.baduhai.dev (resolves to local IP 192.168.15.142) OAuth2 client configuration (done via kanidm CLI): - Client ID: nextcloud - Scopes: openid, email, profile mapped to idm_all_accounts group - Redirect URI: https://cloud.baduhai.dev/apps/user_oidc/code - User mapping: name claim maps to Nextcloud username This allows users to authenticate to Nextcloud using their Kanidm credentials, with existing Nextcloud accounts linked via username. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- hosts/alexandria/kanidm.nix | 5 +++++ hosts/alexandria/nextcloud.nix | 2 ++ 2 files changed, 7 insertions(+) diff --git a/hosts/alexandria/kanidm.nix b/hosts/alexandria/kanidm.nix index ee56bc1..eaaa9b9 100644 --- a/hosts/alexandria/kanidm.nix +++ b/hosts/alexandria/kanidm.nix @@ -15,6 +15,7 @@ in { services.kanidm = { enableServer = true; + enableClient = true; package = pkgs.kanidm; serverSettings = { @@ -27,6 +28,10 @@ in tls_chain = "${kanidmCertDir}/cert.pem"; tls_key = "${kanidmCertDir}/key.pem"; }; + + clientSettings = { + uri = "https://auth.baduhai.dev"; + }; }; services.nginx.virtualHosts = mkNginxVHosts { diff --git a/hosts/alexandria/nextcloud.nix b/hosts/alexandria/nextcloud.nix index 2368a3c..c449cce 100644 --- a/hosts/alexandria/nextcloud.nix +++ b/hosts/alexandria/nextcloud.nix @@ -29,6 +29,7 @@ in contacts notes tasks + user_oidc ; }; extraAppsEnable = true; 
@@ -40,6 +41,7 @@ in trusted_proxies = [ "127.0.0.1" ]; default_phone_region = "BR"; maintenance_window_start = "4"; + allow_local_remote_servers = true; enabledPreviewProviders = [ "OC\\Preview\\BMP" "OC\\Preview\\EMF" From 095d881ad995325d8a1ad1ecd40c510941562df0 Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 00:00:00 -0300 Subject: [PATCH 24/48] no ghostty notifications --- users/modules/desktop/desktop.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/users/modules/desktop/desktop.nix b/users/modules/desktop/desktop.nix index ba30852..742a6ea 100644 --- a/users/modules/desktop/desktop.nix +++ b/users/modules/desktop/desktop.nix @@ -22,7 +22,7 @@ url = "https://raw.githubusercontent.com/hackr-sh/ghostty-shaders/cb6eb4b0d1a3101c869c62e458b25a826f9dcde3/cursor_blaze.glsl"; sha256 = "sha256:0g2lgqjdrn3c51glry7x2z30y7ml0y61arl5ykmf4yj0p85s5f41"; }}"; - bell-features = "border"; + bell-features = ""; gtk-titlebar-style = "tabs"; keybind = [ "shift+enter=text:\\x1b\\r" ]; }; From 92f5593611ac78e163ebff7292656759e393218d Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 07:55:42 -0300 Subject: [PATCH 25/48] junction default browser; remove brave --- hosts/modules/desktop/desktop.nix | 1 - users/modules/desktop/desktop.nix | 15 +++++---------- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/hosts/modules/desktop/desktop.nix b/hosts/modules/desktop/desktop.nix index f2418ce..03ec04b 100644 --- a/hosts/modules/desktop/desktop.nix +++ b/hosts/modules/desktop/desktop.nix @@ -20,7 +20,6 @@ systemPackages = with pkgs; [ ### Web ### bitwarden-desktop - brave fragments nextcloud-client tor-browser diff --git a/users/modules/desktop/desktop.nix b/users/modules/desktop/desktop.nix index 742a6ea..df6f380 100644 --- a/users/modules/desktop/desktop.nix +++ b/users/modules/desktop/desktop.nix 
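Review bot: `allow_local_remote_servers = true;` is a global switch, not an allowlist: it lifts Nextcloud's refusal to make outbound requests to loopback and private-range addresses for every feature that fetches URLs (federation, external storage, link previews, app fetches), not just the OIDC discovery call to `auth.baduhai.dev`. Any server-side request forgery from a Nextcloud user or app can then reach `127.0.0.1` and the `192.168.15.x` LAN where Kanidm's API and other hosts live. If Kanidm is the only local target, record that next to the line, e.g. `# auth.baduhai.dev resolves to this host's LAN IP; this disables Nextcloud's private-address guard for ALL outbound requests`, and consider whether Nextcloud could instead reach Kanidm via a name that does not resolve to a private address. The `user_oidc` app addition and the `clientSettings` hunk in `kanidm.nix` on the previous line look fine.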
@@ -41,33 +41,28 @@ enable = true; defaultApplications = { "text/html" = [ - "com.github.timecraft.junction.desktop" + "re.sonny.Junction.desktop" "zen-browser.desktop" - "brave-browser.desktop" "torbrowser.desktop" ]; "x-scheme-handler/http" = [ - "com.github.timecraft.junction.desktop" + "re.sonny.Junction.desktop" "zen-browser.desktop" - "brave-browser.desktop" "torbrowser.desktop" ]; "x-scheme-handler/https" = [ - "com.github.timecraft.junction.desktop" + "re.sonny.Junction.desktop" "zen-browser.desktop" - "brave-browser.desktop" "torbrowser.desktop" ]; "x-scheme-handler/about" = [ - "com.github.timecraft.junction.desktop" + "re.sonny.Junction.desktop" "zen-browser.desktop" - "brave-browser.desktop" "torbrowser.desktop" ]; "x-scheme-handler/unknown" = [ - "com.github.timecraft.junction.desktop" + "re.sonny.Junction.desktop" "zen-browser.desktop" - "brave-browser.desktop" "torbrowser.desktop" ]; "image/jpeg" = "org.gnome.Loupe.desktop"; From 808bccf0a2665dadd303e309d9f061c360723e8b Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 10:29:45 -0300 Subject: [PATCH 26/48] Add Tailscale tailnet DNS configuration via Terranix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Configure global DNS nameservers for the Tailscale tailnet, setting trantor as the primary DNS server with Cloudflare as fallback. This enables custom DNS resolution across the entire tailnet. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- terranix/cloudflare/baduhai.dev.nix | 77 +++++++++++++++++++++++++++++ terranix/tailscale/tailnet.nix | 43 ++++++++++++++++ terranixConfigurations.nix | 8 +++ 3 files changed, 128 insertions(+) diff --git a/terranix/cloudflare/baduhai.dev.nix b/terranix/cloudflare/baduhai.dev.nix index e69de29..56d25ad 100644 --- a/terranix/cloudflare/baduhai.dev.nix +++ b/terranix/cloudflare/baduhai.dev.nix 
@@ -0,0 +1,77 @@ +# Required environment variables: +# CLOUDFLARE_API_TOKEN - API token with "Edit zone DNS" permissions +# TF_VAR_zone_id - Zone ID for baduhai.dev (find in Cloudflare dashboard) +# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage +# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage + +{ config, ... }: + +{ + terraform.required_providers.cloudflare = { + source = "cloudflare/cloudflare"; + version = "~> 5.0"; + }; + + terraform.backend.s3 = { + bucket = "terraform-state"; + key = "cloudflare/baduhai.dev.tfstate"; + region = "auto"; + endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com"; + skip_credentials_validation = true; + skip_metadata_api_check = true; + skip_region_validation = true; + skip_requesting_account_id = true; + use_path_style = true; + }; + + variable = { + zone_id = { + description = "Cloudflare zone ID for baduhai.dev"; + type = "string"; + sensitive = true; + }; + }; + + data = { + terraform_remote_state.trantor = { + backend = "s3"; + config = { + bucket = "terraform-state"; + key = "oci/trantor.tfstate"; + region = "auto"; + endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com"; + skip_credentials_validation = true; + skip_metadata_api_check = true; + skip_region_validation = true; + skip_requesting_account_id = true; + use_path_style = true; + }; + }; + }; + + resource = { + cloudflare_record.root = { + zone_id = config.variable.zone_id; + name = "@"; + type = "A"; + content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip.value"; + proxied = true; + }; + + cloudflare_record.www = { + zone_id = config.variable.zone_id; + name = "www"; + type = "A"; + content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip.value"; + proxied = true; + }; + + cloudflare_record.wildcard = { + zone_id = config.variable.zone_id; + name = "*"; + type = "A"; + content = config.data.terraform_remote_state.trantor 
"outputs.instance_public_ip.value"; + proxied = true; + }; + }; +} diff --git a/terranix/tailscale/tailnet.nix b/terranix/tailscale/tailnet.nix index e69de29..929e79b 100644 --- a/terranix/tailscale/tailnet.nix +++ b/terranix/tailscale/tailnet.nix @@ -0,0 +1,43 @@ +# Required environment variables: +# TAILSCALE_API_KEY - Tailscale API key with appropriate permissions +# TAILSCALE_TAILNET - Your tailnet name (e.g., "user@example.com" or "example.org.github") +# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage +# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage + +{ config, ... }: + +{ + terraform.required_providers.tailscale = { + source = "tailscale/tailscale"; + version = "~> 0.17"; + }; + + terraform.backend.s3 = { + bucket = "terraform-state"; + key = "tailscale/tailnet.tfstate"; + region = "auto"; + endpoint = "https://fcdf920bde00c3d013ee541f984da70e.r2.cloudflarestorage.com"; + skip_credentials_validation = true; + skip_metadata_api_check = true; + skip_region_validation = true; + skip_requesting_account_id = true; + use_path_style = true; + }; + + variable = { + trantor_tailscale_ip = { + default = "100.108.5.90"; + type = "string"; + }; + }; + + resource = { + tailscale_dns_nameservers.global = { + nameservers = [ + config.variable.trantor_tailscale_ip.default + "1.1.1.1" + "1.0.0.1" + ]; + }; + }; +} diff --git a/terranixConfigurations.nix b/terranixConfigurations.nix index fc84f17..12c90d1 100644 --- a/terranixConfigurations.nix +++ b/terranixConfigurations.nix @@ -14,6 +14,14 @@ modules = [ ./terranix/oci/trantor.nix ]; terraformWrapper.package = pkgs.opentofu; }; + cloudflare-baduhaidev = { + modules = [ ./terranix/cloudflare/baduhai.dev.nix ]; + terraformWrapper.package = pkgs.opentofu; + }; + tailscale-tailnet = { + modules = [ ./terranix/tailscale/tailnet.nix ]; + terraformWrapper.package = pkgs.opentofu; + }; }; }; } From 1b1d7896e6c9fbe87d64ea02b5adbc89b34bd685 Mon Sep 17 00:00:00 2001 
From: William Date: Sun, 9 Nov 2025 10:29:54 -0300 Subject: [PATCH 27/48] Document required environment variables for OCI configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add documentation about required OCI and AWS credentials for the trantor configuration, clarifying that ~/.oci/config can be used as an alternative to environment variables. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- terranix/oci/trantor.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/terranix/oci/trantor.nix b/terranix/oci/trantor.nix index 2037d87..bb06585 100644 --- a/terranix/oci/trantor.nix +++ b/terranix/oci/trantor.nix @@ -1,3 +1,13 @@ +# Required environment variables: +# instead of OCI variables, ~/.oci/config may also be used +# OCI_TENANCY_OCID - Oracle tenancy OCID (or use TF_VAR_* to override variables) +# OCI_USER_OCID - Oracle user OCID +# OCI_FINGERPRINT - API key fingerprint +# OCI_PRIVATE_KEY_PATH - Path to OCI API private key +# AWS variables are required +# AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage +# AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage + { config, ... }: { From 1921aad1bdd51292baaf18187106b42a874aa28c Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 10:30:02 -0300 Subject: [PATCH 28/48] Update Cloudflare DNS configuration with explicit zone ID MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace sensitive zone_id variable with hardcoded value and update DNS record configuration to use cloudflare_dns_record resource type. Disable proxying and set explicit TTL for better control over DNS propagation. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- terranix/cloudflare/baduhai.dev.nix | 31 +++++++++++++++-------------- 1 file changed, 16 insertions(+), 15 deletions(-) 
diff --git a/terranix/cloudflare/baduhai.dev.nix b/terranix/cloudflare/baduhai.dev.nix index 56d25ad..b74484c 100644 --- a/terranix/cloudflare/baduhai.dev.nix +++ b/terranix/cloudflare/baduhai.dev.nix @@ -1,6 +1,5 @@ # Required environment variables: # CLOUDFLARE_API_TOKEN - API token with "Edit zone DNS" permissions -# TF_VAR_zone_id - Zone ID for baduhai.dev (find in Cloudflare dashboard) # AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage # AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage @@ -26,9 +25,8 @@ variable = { zone_id = { - description = "Cloudflare zone ID for baduhai.dev"; + default = "c63a8332fdddc4a8e5612ddc54557044"; type = "string"; - sensitive = true; }; }; @@ -50,28 +48,31 @@ }; resource = { - cloudflare_record.root = { - zone_id = config.variable.zone_id; + cloudflare_dns_record.root = { + zone_id = config.variable.zone_id.default; name = "@"; type = "A"; - content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip.value"; - proxied = true; + content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; + proxied = false; + ttl = 3600; }; - cloudflare_record.www = { - zone_id = config.variable.zone_id; + cloudflare_dns_record.www = { + zone_id = config.variable.zone_id.default; name = "www"; type = "A"; - content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip.value"; - proxied = true; + content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; + proxied = false; + ttl = 3600; }; - cloudflare_record.wildcard = { - zone_id = config.variable.zone_id; + cloudflare_dns_record.wildcard = { + zone_id = config.variable.zone_id.default; name = "*"; type = "A"; - content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip.value"; - proxied = true; + content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; + proxied = false; + ttl = 3600; }; }; } 
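Review bot: Switching every record to `proxied = false;` publishes trantor's origin IP in public DNS and takes Cloudflare's proxy layer out from in front of nginx, so the host now receives all traffic (scanners and floods included) directly; the commit message mentions TTL control but not this trade-off. It is a reasonable choice given the DNS-01 certificate setup, but it deserves a comment on the records, e.g. `# unproxied on purpose: origin IP is public, so rate limiting and banning must happen on the host`, so nobody later relies on Cloudflare filtering that is not there. Removing `sensitive = true` from `zone_id` is harmless in itself (a zone ID is an identifier, not a credential), and hardcoding it is consistent with the account ID already present in the R2 endpoint.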
From 14c4440dd1fa31f0589ed6c3a8f91cfa6fab2f20 Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 10:34:57 -0300 Subject: [PATCH 29/48] forgejo: disable singup; document root password --- hosts/trantor/forgejo.nix | 1 + secrets/forgejo-root-password.age | Bin 0 -> 465 bytes secrets/secrets.nix | 5 +++++ 3 files changed, 6 insertions(+) create mode 100644 secrets/forgejo-root-password.age diff --git a/hosts/trantor/forgejo.nix b/hosts/trantor/forgejo.nix index c11573e..a89526d 100644 --- a/hosts/trantor/forgejo.nix +++ b/hosts/trantor/forgejo.nix @@ -24,6 +24,7 @@ in log.LEVEL = "Warn"; mailer.ENABLED = false; actions.ENABLED = false; + service.DISABLE_REGISTRATION = true; }; }; diff --git a/secrets/forgejo-root-password.age b/secrets/forgejo-root-password.age new file mode 100644 index 0000000000000000000000000000000000000000..90be612af57adcc9b8db836f5f02ed55ff0377b3 GIT binary patch literal 465 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCUlPD{zlPge*@GRiN@ zHVXH)D2u9$DhM{M@-y(LEGW&3(66X4_6rKl3(GSP49cuB_T(z{3yw514D|_h%SlNs ztnlzRGPg7fb#pc;&#KTb&aTSNkF+R{NHj0fH$k_}A~M)9vs|Gf%AnB8#VIu0(=EKn zqd;5R$EncB)6_WIH7YgS$uuv|JkKPoB0xVl!-6X{#XrN(AS=QnDX*%+G$hC@E6*`M zG^jYpJU3t4Ei=p2FW0!ZJkLGQ&jQ`Hz!Kv?ZAXQaLU)6RLf5nsSAYG)l3YhW-w59b zzyEz)TZU*ATZz{cZdy`tCv literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 84b14d6..a90cd74 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -27,4 +27,9 @@ in rotterdam-user alexandria ]; + "forgejo-root-password.age".publicKeys = [ + io-user + rotterdam-user + trantor + ]; } From 6f1aca7b01a825e71bb7db10e9968ade435e57b0 Mon Sep 17 00:00:00 2001 
From: William Date: Sun, 9 Nov 2025 11:11:55 -0300 Subject: [PATCH 30/48] Configure Forgejo OAuth2 and disable public registration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add OAuth2 client configuration to enable auto-registration via SSO with Kanidm, while disabling direct public registration. Users can now authenticate through the identity provider with automatic account creation and avatar syncing. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- hosts/trantor/forgejo.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hosts/trantor/forgejo.nix b/hosts/trantor/forgejo.nix index a89526d..9688458 100644 --- a/hosts/trantor/forgejo.nix +++ b/hosts/trantor/forgejo.nix @@ -25,6 +25,12 @@ in mailer.ENABLED = false; actions.ENABLED = false; service.DISABLE_REGISTRATION = true; + oauth2_client = { + ENABLE_AUTO_REGISTRATION = true; + UPDATE_AVATAR = true; + ACCOUNT_LINKING = "login"; + USERNAME = "preferred_username"; + }; }; }; From 878c4aa3ea7d8c642c2979895c33bf533094f54f Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 11:12:06 -0300 Subject: [PATCH 31/48] Add public visibility flags to service definitions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Mark services as public or private to control external access: - Public: vaultwarden, forgejo, nextcloud - Private: kanidm, jellyfin This enables proper routing and firewall configuration based on intended service visibility. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- shared/services.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/shared/services.nix b/shared/services.nix index 8870258..ebd51de 100644 --- a/shared/services.nix +++ b/shared/services.nix 
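Review bot: The `oauth2_client` block in the `hosts/trantor/forgejo.nix` hunk deserves a comment recording why these values are safe together: with `ENABLE_AUTO_REGISTRATION = true` any identity Kanidm releases to the Forgejo client gets a Forgejo account on first login, and `ACCOUNT_LINKING = "login"` means attaching an SSO identity to an already existing local account (such as the root account whose password the previous commit stores) requires signing in with that account's password rather than happening by `preferred_username` match as `"auto"` would. Something like `# accounts are auto-created from Kanidm; linking to an existing local account needs its password ("login"), never a silent username match ("auto")` makes the intent reviewable. The `public` flags in the `shared/services.nix` hunk need no change.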
@@ -8,6 +8,7 @@ name = "kanidm"; domain = "auth.baduhai.dev"; host = "alexandria"; + public = false; lanIP = "192.168.15.142"; tailscaleIP = "100.76.19.50"; port = 8443; @@ -16,6 +17,7 @@ name = "vaultwarden"; domain = "pass.baduhai.dev"; host = "alexandria"; + public = true; lanIP = "192.168.15.142"; tailscaleIP = "100.76.19.50"; port = 8222; @@ -24,6 +26,7 @@ name = "forgejo"; domain = "git.baduhai.dev"; host = "trantor"; + public = true; tailscaleIP = "100.108.5.90"; port = 3000; } @@ -31,6 +34,7 @@ name = "nextcloud"; domain = "cloud.baduhai.dev"; host = "alexandria"; + public = true; lanIP = "192.168.15.142"; tailscaleIP = "100.76.19.50"; port = 443; @@ -39,6 +43,7 @@ name = "jellyfin"; domain = "jellyfin.baduhai.dev"; host = "alexandria"; + public = false; lanIP = "192.168.15.142"; tailscaleIP = "100.76.19.50"; port = 8096; From ad9d565a8f365d2530b0889edb15613dc6ea330a Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 11:20:21 -0300 Subject: [PATCH 32/48] Route DNS based on service visibility flags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace wildcard DNS with dynamic service-based routing that reads from shared/services.nix. Public services (forgejo, vaultwarden, nextcloud) point to trantor's public IP for external access, while private services (kanidm, jellyfin) point to tailscale IPs for internal-only access. This provides granular control over service exposure without manual DNS management. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- shared/services.nix | 2 - terranix/cloudflare/baduhai.dev.nix | 74 +++++++++++++++++++---------- 2 files changed, 49 insertions(+), 27 deletions(-) diff --git a/shared/services.nix b/shared/services.nix index ebd51de..d267792 100644 --- a/shared/services.nix +++ b/shared/services.nix 
@@ -8,7 +8,6 @@ name = "kanidm"; domain = "auth.baduhai.dev"; host = "alexandria"; - public = false; lanIP = "192.168.15.142"; tailscaleIP = "100.76.19.50"; port = 8443; @@ -43,7 +42,6 @@ name = "jellyfin"; domain = "jellyfin.baduhai.dev"; host = "alexandria"; - public = false; lanIP = "192.168.15.142"; tailscaleIP = "100.76.19.50"; port = 8096; diff --git a/terranix/cloudflare/baduhai.dev.nix b/terranix/cloudflare/baduhai.dev.nix index b74484c..3a5e6ee 100644 --- a/terranix/cloudflare/baduhai.dev.nix +++ b/terranix/cloudflare/baduhai.dev.nix @@ -3,7 +3,38 @@ # AWS_ACCESS_KEY_ID - Cloudflare R2 access key for state storage # AWS_SECRET_ACCESS_KEY - Cloudflare R2 secret key for state storage -{ config, ... }: +{ config, lib, ... }: + +let + inherit (import ../../shared/services.nix) services; + + # Helper to extract subdomain from full domain (e.g., "git.baduhai.dev" -> "git") + getSubdomain = domain: lib.head (lib.splitString "." domain); + + # Generate DNS records for services + # Public services point to trantor's public IP + # Private services point to their tailscale IP + mkServiceRecords = lib.listToAttrs ( + lib.imap0 (i: svc: + let + subdomain = getSubdomain svc.domain; + targetIP = if svc.public or false + then config.data.terraform_remote_state.trantor "outputs.instance_public_ip" + else svc.tailscaleIP; + in { + name = "service_${toString i}"; + value = { + zone_id = config.variable.zone_id.default; + name = subdomain; + type = "A"; + content = targetIP; + proxied = false; + ttl = 3600; + }; + } + ) services + ); +in { terraform.required_providers.cloudflare = { 
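Review bot: `mkServiceRecords` keys each record as `service_${toString i}` from the list position, so inserting or reordering an entry in `shared/services.nix` renames the Terraform resource addresses and makes the next apply destroy and recreate unrelated DNS records; keying by the stable service name, `name = "service_${svc.name}";` with `map` instead of `lib.imap0`, avoids that churn. `getSubdomain` also keeps only the first label, so a multi-label domain would silently collapse to its first label; `lib.removeSuffix ".baduhai.dev" svc.domain` states the intent exactly. Note as well that private services get their Tailscale `100.x` address published in public DNS, which reveals the internal service names (`auth`, `jellyfin`, …) even though those addresses are unroutable from the internet; if that is acceptable, say so in the comment above `mkServiceRecords`.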
@@ -48,31 +79,24 @@ }; resource = { - cloudflare_dns_record.root = { - zone_id = config.variable.zone_id.default; - name = "@"; - type = "A"; - content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; - proxied = false; - ttl = 3600; - }; + cloudflare_dns_record = mkServiceRecords // { + root = { + zone_id = config.variable.zone_id.default; + name = "@"; + type = "A"; + content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; + proxied = false; + ttl = 3600; + }; - cloudflare_dns_record.www = { - zone_id = config.variable.zone_id.default; - name = "www"; - type = "A"; - content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; - proxied = false; - ttl = 3600; - }; - - cloudflare_dns_record.wildcard = { - zone_id = config.variable.zone_id.default; - name = "*"; - type = "A"; - content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; - proxied = false; - ttl = 3600; + www = { + zone_id = config.variable.zone_id.default; + name = "www"; + type = "A"; + content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; + proxied = false; + ttl = 3600; + }; }; }; } From cd17bf25617f3922b7ccbdfd5a1bfdb9b7b10002 Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 12:36:43 -0300 Subject: [PATCH 33/48] only forgejo is public for now --- shared/services.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/shared/services.nix b/shared/services.nix index d267792..44f9208 100644 --- a/shared/services.nix +++ b/shared/services.nix @@ -16,7 +16,6 @@ name = "vaultwarden"; domain = "pass.baduhai.dev"; host = "alexandria"; - public = true; lanIP = "192.168.15.142"; tailscaleIP = "100.76.19.50"; port = 8222; @@ -33,7 +32,6 @@ name = "nextcloud"; domain = "cloud.baduhai.dev"; host = "alexandria"; - public = true; lanIP = "192.168.15.142"; tailscaleIP = "100.76.19.50"; port = 443; From f1b6be6f3ff1311d7041b194ebdd3956a70fb71d Mon Sep 17 00:00:00 2001 
From: William Date: Sun, 9 Nov 2025 13:00:17 -0300 Subject: [PATCH 34/48] Add fail2ban configuration for SSH and Forgejo on Trantor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Configure fail2ban with progressive ban times (1h base, up to 10000h max) - Add SSH jail with password authentication disabled - Add Forgejo jail using systemd journal backend - Ignore private networks and Tailscale IPs - Set Forgejo to 10 retries per hour, 15min initial ban 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- hosts/trantor/fail2ban.nix | 43 +++++++++++++++++++++++++ hosts/trantor/forgejo.nix | 65 ++++++++++++++++++++++++-------------- hosts/trantor/openssh.nix | 23 ++++++++++++++ 3 files changed, 107 insertions(+), 24 deletions(-) create mode 100644 hosts/trantor/fail2ban.nix create mode 100644 hosts/trantor/openssh.nix diff --git a/hosts/trantor/fail2ban.nix b/hosts/trantor/fail2ban.nix new file mode 100644 index 0000000..4ef1bbc --- /dev/null +++ b/hosts/trantor/fail2ban.nix @@ -0,0 +1,43 @@ +{ config, pkgs, ... }: + +{ + services.fail2ban = { + enable = true; + maxretry = 5; + ignoreIP = [ + "127.0.0.0/8" + "::1" + "10.0.0.0/8" + "172.16.0.0/12" + "192.168.0.0/16" + "100.64.0.0/10" + ]; + + bantime = "1h"; + bantime-increment = { + enable = true; + multipliers = "1 2 4 8 16 32 64"; + maxtime = "10000h"; + overalljails = true; + }; + + jails.forgejo = { + settings = { + enabled = true; + filter = "forgejo"; + backend = "systemd"; + maxretry = 10; + findtime = "1h"; + bantime = "15m"; + }; + }; + }; + + # Custom fail2ban filter for Forgejo using systemd journal + environment.etc."fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' + [Definition] + journalmatch = _SYSTEMD_UNIT=forgejo.service + failregex = Failed authentication attempt for .+ from :\d+: + ignoreregex = + ''); +} 
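Review bot: The forgejo jail and its filter are defined twice in this commit — here in `hosts/trantor/fail2ban.nix` (`jails.forgejo` with `backend = "systemd"` and `filter.d/forgejo.local` with `journalmatch`) and again in the `hosts/trantor/forgejo.nix` hunk two lines down (`jails.forgejo` with a `logpath`, and `filter.d/forgejo.conf` with a different `failregex`). The NixOS module merges the two `settings` attrsets and fail2ban applies `.local` over `.conf`, so which regex and which log source actually win is only clear to someone who knows both rules; keep one definition (the journal-backed one, since `logpath` is ignored under `backend = "systemd"`) and delete the other. As rendered here neither `failregex` contains a `<HOST>` (or `<ADDR>`) capture — if that is an extraction artifact, fine, otherwise fail2ban will reject the filter because it cannot extract the address to ban. The `pkgs.lib.mkDefault (pkgs.lib.mkAfter '' … '')` wrapping is also unusual for a file nothing else defines; a plain string suffices.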
diff --git a/hosts/trantor/forgejo.nix b/hosts/trantor/forgejo.nix index 9688458..227bcb4 100644 --- a/hosts/trantor/forgejo.nix +++ b/hosts/trantor/forgejo.nix 
@@ -9,33 +9,50 @@ let inherit (utils) mkNginxVHosts; in { - services.forgejo = { - enable = true; - repositoryRoot = "/data/forgejo"; - settings = { - session.COOKIE_SECURE = true; - server = { - PROTOCOL = "http+unix"; - DOMAIN = "git.baduhai.dev"; - ROOT_URL = "https://git.baduhai.dev"; - OFFLINE_MODE = true; # disable use of CDNs - SSH_DOMAIN = "baduhai.dev"; + services = { + forgejo = { + enable = true; + repositoryRoot = "/data/forgejo"; + settings = { + session.COOKIE_SECURE = true; + server = { + PROTOCOL = "http+unix"; + DOMAIN = "git.baduhai.dev"; + ROOT_URL = "https://git.baduhai.dev"; + OFFLINE_MODE = true; # disable use of CDNs + SSH_DOMAIN = "baduhai.dev"; + }; + log.LEVEL = "Warn"; + mailer.ENABLED = false; + actions.ENABLED = false; + service.DISABLE_REGISTRATION = true; + oauth2_client = { + ENABLE_AUTO_REGISTRATION = true; + UPDATE_AVATAR = true; + ACCOUNT_LINKING = "login"; + USERNAME = "preferred_username"; + }; }; - log.LEVEL = "Warn"; - mailer.ENABLED = false; - actions.ENABLED = false; - service.DISABLE_REGISTRATION = true; - oauth2_client = { - ENABLE_AUTO_REGISTRATION = true; - UPDATE_AVATAR = true; - ACCOUNT_LINKING = "login"; - USERNAME = "preferred_username"; + }; + nginx.virtualHosts = mkNginxVHosts { + domains."git.baduhai.dev".locations."/".proxyPass = + "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; + }; + fail2ban.jails.forgejo = { + settings = { + enabled = true; + filter = "forgejo"; + logpath = "${config.services.forgejo.stateDir}/log/forgejo.log"; + maxretry = 10; + findtime = "1h"; + bantime = "15m"; }; }; }; - services.nginx.virtualHosts = mkNginxVHosts { - domains."git.baduhai.dev".locations."/".proxyPass = - "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; - }; + environment.etc."fail2ban/filter.d/forgejo.conf".text = '' + [Definition] + failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from + ignoreregex = + ''; } 
diff --git a/hosts/trantor/openssh.nix b/hosts/trantor/openssh.nix
new file mode 100644
index 0000000..51d8795
--- /dev/null
+++ b/hosts/trantor/openssh.nix
@@ -0,0 +1,23 @@
+{ ... }:
+
+{
+ services = {
+ openssh = {
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ };
+ };
+ fail2ban.jails.sshd = {
+ settings = {
+ enabled = true;
+ port = "ssh";
+ filter = "sshd";
+ logpath = "/var/log/auth.log";
+ maxretry = 5;
+ findtime = "10m";
+ bantime = "1h";
+ };
+ };
+ };
+}
From f979314a3cc34dc37c99f2928cd163f0327907d1 Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 13:15:12 -0300 Subject: [PATCH 35/48] new readme
--- readme.md | 184 ++++++++++++++++++++++-------------------------------- 1 file changed, 74 insertions(+), 110 deletions(-)
diff --git a/readme.md b/readme.md
index 2804237..1f44455 100644
--- a/readme.md
+++ b/readme.md
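Review bot: `logpath = "/var/log/auth.log"` in the sshd jail points at a file a stock NixOS host does not produce — sshd logs to the journal and nothing in this hunk writes a syslog auth.log — so unless the jail's effective backend resolves to systemd, fail2ban is likely to refuse to start the jail for want of a log file. The forgejo jail in this commit's fail2ban.nix already uses `backend = "systemd"`; using the same here and dropping `logpath` is the consistent choice (if an rsyslog/syslog-ng target exists elsewhere in the host config, which is outside the hunk, the path is fine). NixOS's fail2ban module may also ship a default sshd jail, in which case this block overrides rather than adds one, which is worth a comment above `fail2ban.jails.sshd`. The `PasswordAuthentication`/`KbdInteractiveAuthentication` settings themselves are sound.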
@@ -1,123 +1,87 @@ # NixOS Configuration -A declarative, modular NixOS/Home Manager flake configuration managing multiple systems with a tag-based architecture for maximum code reuse and flexibility. +My personal NixOS configuration for multiple hosts, users, resources... too many things to list. If I could put my life in a flake I would. ## Hosts -| Host | Type | System | Version | Description | -|------|------|--------|---------|-------------| -| **rotterdam** | Desktop | x86_64-linux | NixOS Unstable | Primary workstation with gaming, development | -| **io** | Laptop | x86_64-linux | NixOS Unstable | Mobile workstation | -| **alexandria** | Server/NAS | x86_64-linux | NixOS 25.05 | Personal server running Nextcloud, Forgejo, Jellyfin, Vaultwarden | -| **trantor** | VPS | aarch64-linux | NixOS 25.05 | Oracle Cloud instance | +### Desktop Systems +- **rotterdam** - Main desktop workstation (x86_64) + - Features: Desktop, AI tools, Bluetooth, Dev environment, Gaming, Virtualization (libvirtd), Podman + - Storage: Ephemeral root with LUKS encryption -## Key Features +- **io** - Secondary desktop (x86_64) + - Features: Desktop, AI tools, Bluetooth, Dev environment, Podman + - Storage: Ephemeral root with LUKS encryption -### Architecture -- **Tag-based module system** - Compose configurations using tags instead of traditional inheritance -- **Flake-based** - Fully reproducible builds with locked dependencies -- **Multi-platform** - Supports both x86_64 and aarch64 architectures -- **Deployment automation** - Remote deployment via deploy-rs +### Servers +- **alexandria** - Home server (x86_64) + - Hosts: Nextcloud, Vaultwarden, Jellyfin, Kanidm -### Desktop Experience -- **Niri compositor** - Custom fork with auto-centering window columns -- **Unified theming** - Stylix-based theming -- **Wayland-native** - Full Wayland support -- **Ephemeral root** - Impermanent filesystem using BTRFS for atomic rollback capability +- **trantor** - Cloud server (aarch64) + - Hosts: 
Forgejo + - Cloud provider: Oracle Cloud Infrastructure + - Storage: Ephemeral root with btrfs -### Self-Hosted Services -- **Nextcloud** - Cloud storage with calendar, contacts, and notes -- **Forgejo** - Self-hosted Git server -- **Jellyfin** - Media streaming -- **Vaultwarden** - Password manager backend -- **LibreSpeed** - Network speed testing -- All services behind Nginx and Tailscale with automatic SSL via Let's Encrypt +## Home Manager Configurations + +- **user@rotterdam** - Full desktop setup with gaming, OBS, and complete development environment +- **user@io** - Lightweight desktop setup + +Both configurations include: +- btop, direnv, helix, starship, tmux +- Stylix theme management +- Fish shell with custom configurations + +## Terranix Configurations + +Infrastructure as code using Terranix (NixOS + Terraform/OpenTofu): + +- **oci-trantor** - Oracle Cloud Infrastructure provisioning for Trantor server +- **cloudflare-baduhaidev** - DNS and CDN configuration for baduhai.dev domain +- **tailscale-tailnet** - Tailscale network ACL and device management + +## Services + +All services are accessible via custom domains under baduhai.dev: + +- **Kanidm** (auth.baduhai.dev) - Identity and access management +- **Vaultwarden** (pass.baduhai.dev) - Password manager +- **Forgejo** (git.baduhai.dev) - Git forge (publicly accessible) +- **Nextcloud** (cloud.baduhai.dev) - File sync and collaboration +- **Jellyfin** (jellyfin.baduhai.dev) - Media server + +Services are accessible via: +- LAN for alexandria-hosted services +- Tailscale VPN for all services +- Public internet for Forgejo only + +## Notable Features + +### Ephemeral Root +Rotterdam, io, and trantor use an ephemeral root filesystem that resets on every boot: +- Root filesystem is automatically rolled back using btrfs snapshots +- Old snapshots retained for 30 days +- Persistent data stored in dedicated subvolumes +- Implements truly stateless systems + +### Custom DNS Architecture +- Unbound DNS servers 
on both alexandria and trantor +- Service routing based on visibility flags (public/LAN/Tailscale) +- Split-horizon DNS for optimal access paths ### Security -- **Agenix** - Encrypted secrets management -- **Tailscale** - Zero-config VPN mesh network -- **Firewall** - Configured on all hosts -- SSH key-based authentication +- LUKS full-disk encryption on desktop systems +- Fail2ban on public-facing servers +- agenix for secrets management +- Tailscale for secure remote access -## Repository Structure +### Desktop Environment +- Custom Niri window manager (Wayland compositor) +- Using forked version with auto-centering feature +- Stylix for consistent theming -``` -. -├── flake.nix # Main flake definition -├── utils.nix # Tag-based module system utilities -├── nixosConfigurations.nix # Host definitions with tags -├── homeConfigurations.nix # User configurations -├── deploy.nix # Remote deployment configuration -├── hosts/ -│ ├── alexandria/ # Server-specific config -│ ├── io/ # Laptop-specific config -│ ├── rotterdam/ # Desktop-specific config -│ ├── trantor/ # VPS-specific config -│ └── modules/ -│ ├── common/ # Shared base configuration -│ ├── desktop/ # Desktop environment setup -│ ├── server/ # Server-specific modules -│ └── [tag].nix # Optional feature modules -├── users/ -│ └── modules/ # Home Manager configurations -│ └── [tag].nix # Optional feature modules -├── packages/ # Custom package definitions -└── secrets/ # Encrypted secrets (agenix) -``` - -## Tag System - -Configurations are composed using tags that map to modules: - -**Common Tags** (all hosts): -- `common` - Base system configuration (automatically applied) - -**General Tags**: -- `desktop` - *Mostly* full desktop environment with Niri WM -- `dev` - Development tools and environments -- `gaming` - Steam, Heroic, gamemode, controller support -- `ephemeral` - Impermanent root filesystem -- `networkmanager` - WiFi and network management -- `libvirtd` - KVM/QEMU virtualization -- `podman` - 
Container runtime -- `bluetooth` - Bluetooth support -- `fwupd` - Firmware update daemon - -**Server Tags**: -- `server` - Server-specific configuration - -## Usage - -### Rebuilding a Configuration - -```bash -# Local rebuild -sudo nixos-rebuild switch --flake .#hostname - -# Remote deployment -deploy .#hostname -``` - -### Updating Dependencies - -```bash -nix flake update -``` - -### Adding a New Host - -1. Create host directory in `hosts/` -2. Define configuration in `nixosConfigurations.nix` with appropriate tags -3. Add deployment profile in `deploy.nix` if needed - -## Dependencies - -- [nixpkgs](https://github.com/NixOS/nixpkgs) - Stable (25.05) and unstable channels -- [home-manager](https://github.com/nix-community/home-manager) - User configuration -- [agenix](https://github.com/ryantm/agenix) - Secrets management -- [disko](https://github.com/nix-community/disko) - Declarative disk partitioning -- [stylix](https://github.com/danth/stylix) - System-wide theming -- [niri-flake](https://github.com/sodiboo/niri-flake) - Wayland compositor (custom fork) -- [impermanence](https://github.com/nix-community/impermanence) - Ephemeral filesystem support -- [deploy-rs](https://github.com/serokell/deploy-rs) - Remote deployment -- [nix-flatpak](https://github.com/gmodena/nix-flatpak) - Declarative Flatpak management +### Development Setup +- Nix flakes for reproducible builds +- deploy-rs for automated deployments +- Podman for containerization +- Complete AI tooling integration From 0961eb8f767d8be58798df36fbac01522f187745 Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 13:37:04 -0300 Subject: [PATCH 36/48] dns records only for actual services --- .gitignore | 2 ++ terranix/cloudflare/baduhai.dev.nix | 36 ++++++++--------------------- 2 files changed, 12 insertions(+), 26 deletions(-) diff --git a/.gitignore b/.gitignore index b59fd44..73105bb 100644 --- a/.gitignore +++ b/.gitignore 
@@ -3,6 +3,8 @@ result result-* .direnv/ oci-trantor/ +tailscale-tailnet/ +cloudflare-baduhaidev # Personal notes and temporary files todo.md diff --git a/terranix/cloudflare/baduhai.dev.nix b/terranix/cloudflare/baduhai.dev.nix index 3a5e6ee..1b456f3 100644 --- a/terranix/cloudflare/baduhai.dev.nix +++ b/terranix/cloudflare/baduhai.dev.nix @@ -15,13 +15,17 @@ let # Public services point to trantor's public IP # Private services point to their tailscale IP mkServiceRecords = lib.listToAttrs ( - lib.imap0 (i: svc: + lib.imap0 ( + i: svc: let subdomain = getSubdomain svc.domain; - targetIP = if svc.public or false - then config.data.terraform_remote_state.trantor "outputs.instance_public_ip" - else svc.tailscaleIP; - in { + targetIP = + if svc.public or false then + config.data.terraform_remote_state.trantor "outputs.instance_public_ip" + else + svc.tailscaleIP; + in + { name = "service_${toString i}"; value = { zone_id = config.variable.zone_id.default; @@ -78,25 +82,5 @@ in }; }; - resource = { - cloudflare_dns_record = mkServiceRecords // { - root = { - zone_id = config.variable.zone_id.default; - name = "@"; - type = "A"; - content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; - proxied = false; - ttl = 3600; - }; - - www = { - zone_id = config.variable.zone_id.default; - name = "www"; - type = "A"; - content = config.data.terraform_remote_state.trantor "outputs.instance_public_ip"; - proxied = false; - ttl = 3600; - }; - }; - }; + resource.cloudflare_dns_record = mkServiceRecords; } From 3d71b8c1b849fa6b31ae1480a03f66f0a26b3d01 Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 13:41:41 -0300 Subject: [PATCH 37/48] update readme.md --- readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/readme.md b/readme.md index 1f44455..7de1cbe 100644 --- a/readme.md +++ b/readme.md 
@@ -1,6 +1,6 @@ -# NixOS Configuration +# Nix Configuration -My personal NixOS configuration for multiple hosts, users, resources... too many things to list. If I could put my life in a flake I would. +My personal Nix configuration for multiple NixOS hosts, home-manager users, miscellaneous resources... too many things to list. If I could put my life in a flake I would. ## Hosts From 09a4092b92ad0492d486a893232352775cff3105 Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 13:56:57 -0300 Subject: [PATCH 38/48] better noctalia integration for niri --- users/modules/desktop/niri.nix | 43 ++++++++++++++++------------------ 1 file changed, 20 insertions(+), 23 deletions(-) diff --git a/users/modules/desktop/niri.nix b/users/modules/desktop/niri.nix index 1f6a1bf..4d18e6a 100644 --- a/users/modules/desktop/niri.nix +++ b/users/modules/desktop/niri.nix @@ -8,7 +8,6 @@ let isRotterdam = hostname == "rotterdam"; - noctalia = "${lib.getExe inputs.noctalia.packages.${pkgs.system}.default}"; in { @@ -30,7 +29,10 @@ in }; home = { - packages = with pkgs; [ xwayland-satellite ]; + packages = with pkgs; [ + xwayland-satellite + inputs.noctalia.packages.${pkgs.system}.default + ]; sessionVariables.QT_QPA_PLATFORMTHEME = "gtk3"; }; @@ -91,23 +93,18 @@ in inactive-color "#505050" urgent-color "#9b0000" } - tab-indicator { - width 4 - gap 4 - place-within-column - } - ${lib.optionalString isRotterdam '' - struts { - left 8 - right 8 - }''} + tab-indicator { + width 4 + gap 4 + place-within-column + } } overview { zoom 0.65 } - spawn-at-startup "${noctalia}" + spawn-at-startup "noctalia-shell" "-d" layer-rule { match namespace="^wallpaper$" place-within-backdrop true 
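Review bot: `spawn-at-startup "noctalia-shell"` in the `@@ -91,23 +93,18 @@` hunk, and the ipc binds in the `@@ -143,18 +140,18 @@` and `@@ -228,8 +225,8 @@` hunks, now resolve the binary through niri's PATH at spawn time instead of the store path that `lib.getExe` produced; this works only because the package is added to home.packages in the `@@ -30,7 +29,10 @@` hunk and niri inherits the session PATH. Keeping `${lib.getExe inputs.noctalia.packages.${pkgs.system}.default}` alongside the package entry would be the more robust form. With the `lib.optionalString isRotterdam` struts block removed, `isRotterdam` in the let-binding (kept by the `@@ -8,7 +8,6 @@` hunk) may now be unused; the rest of the file is outside these hunks, so worth checking.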
@@ -143,18 +140,18 @@ in } binds { - Alt+Space { spawn "${noctalia}" "ipc" "call" "launcher" "toggle"; } - XF86AudioRaiseVolume allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "increase"; } - XF86AudioLowerVolume allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "decrease"; } - XF86AudioMute allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "volume" "muteOutput"; } - XF86MonBrightnessUp allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "brightness" "increase"; } - XF86MonBrightnessDown allow-when-locked=true { spawn "${noctalia}" "ipc" "call" "brightness" "decrease"; } + Alt+Space { spawn "noctalia-shell" "ipc" "call" "launcher" "toggle"; } + XF86AudioRaiseVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "increase"; } + XF86AudioLowerVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "decrease"; } + XF86AudioMute allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "muteOutput"; } + XF86MonBrightnessUp allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "brightness" "increase"; } + XF86MonBrightnessDown allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "brightness" "decrease"; } XF86AudioPlay allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "play-pause"; } XF86AudioStop allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "stop"; } XF86AudioPrev allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "previous"; } XF86AudioNext allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "next"; } - Mod+V { spawn "${noctalia}" "ipc" "call" "launcher" "clipboard"; } - Mod+Shift+L { spawn "${noctalia}" "ipc" "call" "lockScreen" "toggle"; } + Mod+V { spawn "noctalia-shell" "ipc" "call" "launcher" "clipboard"; } + Mod+Shift+L { spawn "noctalia-shell" "ipc" "call" "lockScreen" "toggle"; } Mod+Return { spawn "ghostty"; } Ctrl+Alt+Shift+A allow-when-locked=true { spawn "toggleaudiosink"; } Mod+W 
repeat=false { toggle-overview; } @@ -228,8 +225,8 @@ in Mod+Print { screenshot; } Ctrl+Print { screenshot-window; } Mod+Backspace allow-inhibiting=false { toggle-keyboard-shortcuts-inhibit; } - Mod+Alt+E { spawn "${noctalia}" "ipc" "call" "sessionMenu" "toggle"; } - Ctrl+Alt+Delete { spawn "${noctalia}" "ipc" "call" "sessionMenu" "toggle"; } + Mod+Alt+E { spawn "noctalia-shell" "ipc" "call" "sessionMenu" "toggle"; } + Ctrl+Alt+Delete { spawn "noctalia-shell" "ipc" "call" "sessionMenu" "toggle"; } Mod+Ctrl+P { power-off-monitors; } } ''; From 5af6c53d817710c3a26e403b9b9c3d0439311efd Mon Sep 17 00:00:00 2001 From: william Date: Sun, 9 Nov 2025 16:28:17 -0300 Subject: [PATCH 39/48] Update readme.md --- readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.md b/readme.md index 7de1cbe..a2b815f 100644 --- a/readme.md +++ b/readme.md @@ -9,7 +9,7 @@ My personal Nix configuration for multiple NixOS hosts, home-manager users, misc - Features: Desktop, AI tools, Bluetooth, Dev environment, Gaming, Virtualization (libvirtd), Podman - Storage: Ephemeral root with LUKS encryption -- **io** - Secondary desktop (x86_64) +- **io** - Laptop workstation (x86_64) - Features: Desktop, AI tools, Bluetooth, Dev environment, Podman - Storage: Ephemeral root with LUKS encryption From 5906fa6f3656db778ff9e9e09b510b5091286fa7 Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 16:31:52 -0300 Subject: [PATCH 40/48] fix forgejo's ssh domain --- hosts/trantor/forgejo.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/trantor/forgejo.nix b/hosts/trantor/forgejo.nix index 227bcb4..25acf4e 100644 --- a/hosts/trantor/forgejo.nix +++ b/hosts/trantor/forgejo.nix @@ -20,7 +20,7 @@ in DOMAIN = "git.baduhai.dev"; ROOT_URL = "https://git.baduhai.dev"; OFFLINE_MODE = true; # disable use of CDNs - SSH_DOMAIN = "baduhai.dev"; + SSH_DOMAIN = "git.baduhai.dev"; }; log.LEVEL = "Warn"; mailer.ENABLED = false; 
From ae6d46012baec67e00c58328fbb5148da6cfad53 Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 16:57:17 -0300 Subject: [PATCH 41/48] fail2ban: fix config; forgejo: repository path and persistency --- hosts/trantor/fail2ban.nix | 20 -------------------- hosts/trantor/forgejo.nix | 34 ++++++++++++++++++++++++---------- hosts/trantor/openssh.nix | 2 +- 3 files changed, 25 insertions(+), 31 deletions(-) diff --git a/hosts/trantor/fail2ban.nix b/hosts/trantor/fail2ban.nix index 4ef1bbc..bc05139 100644 --- a/hosts/trantor/fail2ban.nix +++ b/hosts/trantor/fail2ban.nix @@ -12,7 +12,6 @@ "192.168.0.0/16" "100.64.0.0/10" ]; - bantime = "1h"; bantime-increment = { enable = true; @@ -20,24 +19,5 @@ maxtime = "10000h"; overalljails = true; }; - - jails.forgejo = { - settings = { - enabled = true; - filter = "forgejo"; - backend = "systemd"; - maxretry = 10; - findtime = "1h"; - bantime = "15m"; - }; - }; }; - - # Custom fail2ban filter for Forgejo using systemd journal - environment.etc."fail2ban/filter.d/forgejo.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter '' - [Definition] - journalmatch = _SYSTEMD_UNIT=forgejo.service - failregex = Failed authentication attempt for .+ from :\d+: - ignoreregex = - ''); } diff --git a/hosts/trantor/forgejo.nix b/hosts/trantor/forgejo.nix index 25acf4e..fdfa64a 100644 --- a/hosts/trantor/forgejo.nix +++ b/hosts/trantor/forgejo.nix @@ -4,15 +4,16 @@ inputs, ... }: + let utils = import ../../utils.nix { inherit inputs lib; }; inherit (utils) mkNginxVHosts; in + { services = { forgejo = { enable = true; - repositoryRoot = "/data/forgejo"; settings = { session.COOKIE_SECURE = true; server = { 
@@ -42,17 +43,30 @@ in settings = { enabled = true; filter = "forgejo"; - logpath = "${config.services.forgejo.stateDir}/log/forgejo.log"; - maxretry = 10; - findtime = "1h"; - bantime = "15m"; + maxretry = 3; + findtime = "10m"; + bantime = "1h"; }; }; }; - environment.etc."fail2ban/filter.d/forgejo.conf".text = '' - [Definition] - failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from - ignoreregex = - ''; + environment = { + etc."fail2ban/filter.d/forgejo.conf".text = '' + [Definition] + failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from + ignoreregex = + journalmatch = _SYSTEMD_UNIT=forgejo.service + ''; + + persistence.main.directories = [ + { + directory = config.services.forgejo.stateDir; + inherit (config.services.forgejo) user group; + mode = "0700"; + } + ]; + }; + + # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories + systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false; } diff --git a/hosts/trantor/openssh.nix b/hosts/trantor/openssh.nix index 51d8795..704b3df 100644 --- a/hosts/trantor/openssh.nix +++ b/hosts/trantor/openssh.nix @@ -14,7 +14,7 @@ port = "ssh"; filter = "sshd"; logpath = "/var/log/auth.log"; - maxretry = 5; + maxretry = 3; findtime = "10m"; bantime = "1h"; }; From bb0ea2769656f6278e632ad65310bc57d6569513 Mon Sep 17 00:00:00 2001 From: William Date: Sun, 9 Nov 2025 19:01:37 -0300 Subject: [PATCH 42/48] niri keybinds --- users/modules/desktop/niri.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/users/modules/desktop/niri.nix b/users/modules/desktop/niri.nix index 4d18e6a..08bcc4a 100644 --- a/users/modules/desktop/niri.nix +++ b/users/modules/desktop/niri.nix 
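Review bot: `systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false` removes one of the sandboxing settings the upstream unit ships, and the comment only states the motivation; the hunk does not show whether the persisted directory could instead be exposed to the unit without dropping the private mount namespace. At minimum the comment should record what breaks and which path is involved, e.g. `# LoadCredential cannot see the bind-mounted <stateDir> under PrivateMounts; revisit if the credential path moves`. The forgejo jail now sets neither `backend` nor `logpath` while the filter gains `journalmatch = _SYSTEMD_UNIT=forgejo.service`; that directive only takes effect with the systemd backend, so if the effective default backend is not systemd the jail has no log source — presumably it is, but an explicit `backend = "systemd";` in the jail would make that independent of defaults. The enclosing `services` block starts before this hunk.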
@@ -167,10 +167,6 @@ in Mod+L { focus-column-right; } Mod+J { focus-window-or-workspace-down; } Mod+K { focus-window-or-workspace-up; } - Ctrl+Alt+J { focus-workspace-down; } - Ctrl+Alt+K { focus-workspace-up; } - Ctrl+Alt+Down { focus-workspace-down; } - Ctrl+Alt+Up { focus-workspace-up; } Mod+Ctrl+Left { move-column-left; } Mod+Ctrl+Down { move-window-down-or-to-workspace-down; } Mod+Ctrl+Up { move-window-up-or-to-workspace-up; } From b602a78bb33f941deaa4d74c911ab9b8e8574f82 Mon Sep 17 00:00:00 2001 From: William Date: Mon, 10 Nov 2025 07:51:29 -0300 Subject: [PATCH 43/48] vicinae as a launcher --- flake.lock | 71 ++++++++++++++++++++++++++++++- flake.nix | 2 + users/modules/desktop/desktop.nix | 8 +++- users/modules/desktop/niri.nix | 4 +- 4 files changed, 81 insertions(+), 4 deletions(-) diff --git a/flake.lock b/flake.lock index 3b994bf..893a87d 100644 --- a/flake.lock +++ b/flake.lock @@ -299,6 +299,24 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_8" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "fromYaml": { "flake": false, "locked": { @@ -647,6 +665,22 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1762111121, + "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { "locked": { "lastModified": 1755615617, "narHash": "sha256-HMwfAJBdrr8wXAkbGhtcby1zGFvs+StOp19xNsbqdOg=", 
@@ -877,6 +911,7 @@ "noctalia": "noctalia", "stylix": "stylix", "terranix": "terranix", + "vicinae": "vicinae", "zen-browser": "zen-browser" } }, @@ -1060,6 +1095,21 @@ "type": "github" } }, + "systems_8": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "terranix": { "inputs": { "flake-parts": "flake-parts_3", @@ -1202,6 +1252,25 @@ "type": "github" } }, + "vicinae": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_10" + }, + "locked": { + "lastModified": 1762709887, + "narHash": "sha256-8BoGGsWfkS/2ODBSCYd5HJNFGuLY8fFl27rXmWClXQw=", + "owner": "vicinaehq", + "repo": "vicinae", + "rev": "54722e36137d8273ef0a5db37776fb8302c79238", + "type": "github" + }, + "original": { + "owner": "vicinaehq", + "repo": "vicinae", + "type": "github" + } + }, "xwayland-satellite-stable": { "flake": false, "locked": { @@ -1238,7 +1307,7 @@ "zen-browser": { "inputs": { "home-manager": "home-manager_3", - "nixpkgs": "nixpkgs_10" + "nixpkgs": "nixpkgs_11" }, "locked": { "lastModified": 1762131860, diff --git a/flake.nix b/flake.nix index af148c1..c5c3880 100644 --- a/flake.nix +++ b/flake.nix @@ -51,6 +51,8 @@ }; nix-ai-tools.url = "github:numtide/nix-ai-tools"; + + vicinae.url = "github:vicinaehq/vicinae"; }; outputs = diff --git a/users/modules/desktop/desktop.nix b/users/modules/desktop/desktop.nix index df6f380..6940e1f 100644 --- a/users/modules/desktop/desktop.nix +++ b/users/modules/desktop/desktop.nix 
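Review bot: `vicinae.url = "github:vicinaehq/vicinae";` pulls in that input's own `nixpkgs` and `flake-utils` (the flake.lock hunks in this commit add `nixpkgs_10`, `flake-utils_2` and `systems_8`), so the system closure now also evaluates against a second nixpkgs revision pinned only by the upstream project. Adding `vicinae.inputs.nixpkgs.follows = "nixpkgs";` next to the url keeps a single nixpkgs under this repository's control and drops the duplicate lock entries; whether the other inputs in flake.nix already use `follows` is outside the hunk.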
@@ -1,15 +1,21 @@ { - config, inputs, pkgs, ... }: { + imports = [ inputs.vicinae.homeManagerModules.default ]; + fonts.fontconfig.enable = true; home.packages = with pkgs; [ xwayland-satellite ]; + services.vicinae = { + enable = true; + autoStart = true; + }; + programs = { ghostty = { diff --git a/users/modules/desktop/niri.nix b/users/modules/desktop/niri.nix index 08bcc4a..09767e6 100644 --- a/users/modules/desktop/niri.nix +++ b/users/modules/desktop/niri.nix @@ -140,7 +140,7 @@ in } binds { - Alt+Space { spawn "noctalia-shell" "ipc" "call" "launcher" "toggle"; } + Alt+Space repeat=false { spawn "vicinae" "toggle"; } XF86AudioRaiseVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "increase"; } XF86AudioLowerVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "decrease"; } XF86AudioMute allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "muteOutput"; } @@ -150,7 +150,7 @@ in XF86AudioStop allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "stop"; } XF86AudioPrev allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "previous"; } XF86AudioNext allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "next"; } - Mod+V { spawn "noctalia-shell" "ipc" "call" "launcher" "clipboard"; } + Mod+V repeat=false { spawn "vicinae" "vicinae://extensions/vicinae/clipboard/history"; } Mod+Shift+L { spawn "noctalia-shell" "ipc" "call" "lockScreen" "toggle"; } Mod+Return { spawn "ghostty"; } Ctrl+Alt+Shift+A allow-when-locked=true { spawn "toggleaudiosink"; } From e95ba0215b47cdabb5a05749baea80146bea95ec Mon Sep 17 00:00:00 2001 From: William Date: Mon, 10 Nov 2025 11:04:55 -0300 Subject: [PATCH 44/48] new ssh key for himalia --- hosts/modules/common/users.nix | 3 ++- terranix/oci/trantor.nix | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/hosts/modules/common/users.nix b/hosts/modules/common/users.nix index 0572153..7dd6490 100644 
--- a/hosts/modules/common/users.nix +++ b/hosts/modules/common/users.nix @@ -10,8 +10,9 @@ "wheel" ]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam" ]; hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0"; }; diff --git a/terranix/oci/trantor.nix b/terranix/oci/trantor.nix index bb06585..170ad04 100644 --- a/terranix/oci/trantor.nix +++ b/terranix/oci/trantor.nix @@ -53,6 +53,7 @@ ssh_public_keys = { default = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam" ]; From 489af5a79fe4b563018c39b9d1862a816eebec6b Mon Sep 17 00:00:00 2001 From: William Date: Mon, 10 Nov 2025 11:46:54 -0300 Subject: [PATCH 45/48] new noctalia ipc command --- users/modules/desktop/niri.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/users/modules/desktop/niri.nix b/users/modules/desktop/niri.nix index 09767e6..0cb5db8 100644 --- a/users/modules/desktop/niri.nix +++ b/users/modules/desktop/niri.nix 
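Review bot: The authorized-key list is maintained by hand in two places — `hosts/modules/common/users.nix` here and `terranix/oci/trantor.nix` in the second hunk — and both had to be edited to add the `user@himalia` key, so a future revocation has to be remembered in both or the key provisioned through OCI metadata outlives its removal from the NixOS module. A single shared list (for example a `keys.nix` imported by both files) would make add and revoke a one-file change. The common module also grants every listed key on every host, including the public-facing trantor; that is pre-existing behaviour, but a comment above `openssh.authorizedKeys.keys` stating it is intentional would help the next reviewer.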
@@ -151,7 +151,7 @@ in XF86AudioPrev allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "previous"; } XF86AudioNext allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "next"; } Mod+V repeat=false { spawn "vicinae" "vicinae://extensions/vicinae/clipboard/history"; } - Mod+Shift+L { spawn "noctalia-shell" "ipc" "call" "lockScreen" "toggle"; } + Mod+Shift+L repeat=false { spawn "noctalia-shell" "ipc" "call" "lockScreen" "lock"; } Mod+Return { spawn "ghostty"; } Ctrl+Alt+Shift+A allow-when-locked=true { spawn "toggleaudiosink"; } Mod+W repeat=false { toggle-overview; } From 0925a66f2218434b3bb70cd0f14b440db7b5fbc7 Mon Sep 17 00:00:00 2001 From: William Date: Thu, 13 Nov 2025 14:26:35 -0300 Subject: [PATCH 46/48] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nix-ai-tools': 'github:numtide/nix-ai-tools/aaee8f2df1325c7f212d769515092162bcac31a7?narHash=sha256-aWt5CgOsQiiq%2BcaxF0iqp56kfHRkv8Tnz0X9DhJeBEE%3D' (2025-11-06) → 'github:numtide/nix-ai-tools/58d5d222d6802a75c1ed637d049ea438d199051a?narHash=sha256-pQ2XzsB/n8E5FWYnICZu/BzkKy8a50EzmUGTCo5SeHg%3D' (2025-11-13) • Updated input 'nix-ai-tools/nixpkgs': 'github:NixOS/nixpkgs/b3d51a0365f6695e7dd5cdf3e180604530ed33b4?narHash=sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw%3D' (2025-11-02) → 'github:NixOS/nixpkgs/9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4?narHash=sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI%3D' (2025-11-11) • Updated input 'nix-ai-tools/treefmt-nix': 'github:numtide/treefmt-nix/97a30861b13c3731a84e09405414398fbf3e109f?narHash=sha256-aF5fvoZeoXNPxT0bejFUBXeUjXfHLSL7g%2BmjR/p5TEg%3D' (2025-11-06) → 'github:numtide/treefmt-nix/5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4?narHash=sha256-AlEObg0syDl%2BSpi4LsZIBrjw%2BsnSVU4T8MOeuZJUJjM%3D' (2025-11-12) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/flake.lock b/flake.lock index 893a87d..1a520bd 100644 --- a/flake.lock +++ b/flake.lock @@ -511,11 +511,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1762442079, - "narHash": "sha256-aWt5CgOsQiiq+caxF0iqp56kfHRkv8Tnz0X9DhJeBEE=", + "lastModified": 1763040477, + "narHash": "sha256-pQ2XzsB/n8E5FWYnICZu/BzkKy8a50EzmUGTCo5SeHg=", "owner": "numtide", "repo": "nix-ai-tools", - "rev": "aaee8f2df1325c7f212d769515092162bcac31a7", + "rev": "58d5d222d6802a75c1ed637d049ea438d199051a", "type": "github" }, "original": { @@ -746,11 +746,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1762111121, - "narHash": "sha256-4vhDuZ7OZaZmKKrnDpxLZZpGIJvAeMtK6FKLJYUtAdw=", + "lastModified": 1762844143, + "narHash": "sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b3d51a0365f6695e7dd5cdf3e180604530ed33b4", + "rev": "9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4", "type": "github" }, "original": { @@ -1221,11 +1221,11 @@ ] }, "locked": { - "lastModified": 1762410071, - "narHash": "sha256-aF5fvoZeoXNPxT0bejFUBXeUjXfHLSL7g+mjR/p5TEg=", + "lastModified": 1762938485, + "narHash": "sha256-AlEObg0syDl+Spi4LsZIBrjw+snSVU4T8MOeuZJUJjM=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "97a30861b13c3731a84e09405414398fbf3e109f", + "rev": "5b4ee75aeefd1e2d5a1cc43cf6ba65eba75e83e4", "type": "github" }, "original": { From eebacb0f1fb1107076f5bd3cebafd95216ab1bad Mon Sep 17 00:00:00 2001 From: William Date: Thu, 13 Nov 2025 19:16:08 -0300 Subject: [PATCH 47/48] add power profiles daemon to io --- hosts/io/services.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/io/services.nix b/hosts/io/services.nix index 90fb737..df41a6f 100644 --- a/hosts/io/services.nix +++ b/hosts/io/services.nix @@ -49,6 +49,7 @@ }; }; upower.enable = true; + power-profiles-daemon.enable = true; }; # TODO: remove once gmodena/nix-flatpak/issues/45 fixed From 1dc55be5e1c4784b14e6eb655029528abf0cdcd1 Mon Sep 17 00:00:00 2001 
From: William Date: Tue, 18 Nov 2025 19:09:57 -0300 Subject: [PATCH 48/48] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nix-ai-tools': 'github:numtide/nix-ai-tools/58d5d222d6802a75c1ed637d049ea438d199051a?narHash=sha256-pQ2XzsB/n8E5FWYnICZu/BzkKy8a50EzmUGTCo5SeHg%3D' (2025-11-13) → 'github:numtide/nix-ai-tools/a2dfa932ed37e5b6224b39b4982c85cd8ebcca14?narHash=sha256-n6bChFrCf2/uHzTsZdABUt1%2BUa3n0jinNfamHd5DmBA%3D' (2025-11-17) • Updated input 'nix-ai-tools/blueprint': 'github:numtide/blueprint/633af1961cae8e02bc6195e6e599a6b09bf75217?narHash=sha256-wTQzbbQ6XHtvNJVuhJj%2BytZDRyNtwUKbrIfIvMvKNfQ%3D' (2025-10-28) → 'github:numtide/blueprint/5a9bba070f801d63e2af3c9ef00b86b212429f4f?narHash=sha256-O9Y%2BWer8wOh%2BN%2B4kcCK5p/VLrXyX%2Bktk0/s3HdZvJzk%3D' (2025-11-16) • Updated input 'nix-ai-tools/nixpkgs': 'github:NixOS/nixpkgs/9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4?narHash=sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI%3D' (2025-11-11) → 'github:NixOS/nixpkgs/85a6c4a07faa12aaccd81b36ba9bfc2bec974fa1?narHash=sha256-3YJkOBrFpmcusnh7i8GXXEyh7qZG/8F5z5%2B717550Hk%3D' (2025-11-16) --- flake.lock | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/flake.lock b/flake.lock index 1a520bd..27c3580 100644 --- a/flake.lock +++ b/flake.lock @@ -100,11 +100,11 @@ "systems": "systems_3" }, "locked": { - "lastModified": 1761645416, - "narHash": "sha256-wTQzbbQ6XHtvNJVuhJj+ytZDRyNtwUKbrIfIvMvKNfQ=", + "lastModified": 1763308703, + "narHash": "sha256-O9Y+Wer8wOh+N+4kcCK5p/VLrXyX+ktk0/s3HdZvJzk=", "owner": "numtide", "repo": "blueprint", - "rev": "633af1961cae8e02bc6195e6e599a6b09bf75217", + "rev": "5a9bba070f801d63e2af3c9ef00b86b212429f4f", "type": "github" }, "original": { 
@@ -511,11 +511,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1763040477, - "narHash": "sha256-pQ2XzsB/n8E5FWYnICZu/BzkKy8a50EzmUGTCo5SeHg=", + "lastModified": 1763412165, + "narHash": "sha256-n6bChFrCf2/uHzTsZdABUt1+Ua3n0jinNfamHd5DmBA=", "owner": "numtide", "repo": "nix-ai-tools", - "rev": "58d5d222d6802a75c1ed637d049ea438d199051a", + "rev": "a2dfa932ed37e5b6224b39b4982c85cd8ebcca14", "type": "github" }, "original": { @@ -746,16 +746,16 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1762844143, - "narHash": "sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI=", + "lastModified": 1763312402, + "narHash": "sha256-3YJkOBrFpmcusnh7i8GXXEyh7qZG/8F5z5+717550Hk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4", + "rev": "85a6c4a07faa12aaccd81b36ba9bfc2bec974fa1", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-unstable", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" }