
dotfiles @ b7ba37a

i use rach linux btw
19 files changed, 846 insertions(+), 0 deletions(-)
nix: setup vps
Author: Oleksandr Smirnov olexsmir@gmail.com
Committed at: 2026-01-17 18:45:10 +0200
Authored at: 2026-01-14 21:45:55 +0200
Parent: 028a52d
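--- /dev/null
+++ b/nix/flake.lock
@@ -0,0 +1,339 @@
+{
+  "nodes": {
+    "actor-typeahead-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1762835797,
+        "narHash": "sha256-heizoWUKDdar6ymfZTnj3ytcEv/L4d4fzSmtr0HlXsQ=",
+        "ref": "refs/heads/main",
+        "rev": "677fe7f743050a4e7f09d4a6f87bbf1325a06f6b",
+        "revCount": 6,
+        "type": "git",
+        "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://tangled.org/@jakelazaroff.com/actor-typeahead"
+      }
+    },
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1762618334,
+        "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "fcdea223397448d35d9b31f798479227e80183f6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "disko": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1766150702,
+        "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1751685974,
+        "narHash": "sha256-NKw96t+BgHIYzHUjkTK95FqYRVKB8DHpVhefWSz/kTw=",
+        "rev": "549f2762aebeff29a2e5ece7a7dc0f955281a1d1",
+        "type": "tarball",
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/flake-compat/archive/549f2762aebeff29a2e5ece7a7dc0f955281a1d1.tar.gz?rev=549f2762aebeff29a2e5ece7a7dc0f955281a1d1"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.lix.systems/lix-project/flake-compat/archive/main.tar.gz"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "gomod2nix": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "tangled",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1754078208,
+        "narHash": "sha256-YVoIFDCDpYuU3riaDEJ3xiGdPOtsx4sR5eTzHTytPV8=",
+        "owner": "nix-community",
+        "repo": "gomod2nix",
+        "rev": "7f963246a71626c7fc70b431a315c4388a0c95cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "gomod2nix",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "htmx-src": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-nm6avZuEBg67SSyyZUhjpXVNstHHgUxrtBHqJgowU08=",
+        "type": "file",
+        "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"
+      }
+    },
+    "htmx-ws-src": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-2fg6KyEJoO24q0fQqbz9RMaYNPQrMwpZh29tkSqdqGY=",
+        "type": "file",
+        "url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2"
+      }
+    },
+    "ibm-plex-mono-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1731402384,
+        "narHash": "sha256-OwUmrPfEehLDz0fl2ChYLK8FQM2p0G1+EMrGsYEq+6g=",
+        "type": "tarball",
+        "url": "https://github.com/IBM/plex/releases/download/@ibm%2Fplex-mono@1.1.0/ibm-plex-mono.zip"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/IBM/plex/releases/download/@ibm%2Fplex-mono@1.1.0/ibm-plex-mono.zip"
+      }
+    },
+    "indigo": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1753693716,
+        "narHash": "sha256-DMIKnCJRODQXEHUxA+7mLzRALmnZhkkbHlFT2rCQYrE=",
+        "owner": "oppiliappan",
+        "repo": "indigo",
+        "rev": "5f170569da9360f57add450a278d73538092d8ca",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oppiliappan",
+        "repo": "indigo",
+        "type": "github"
+      }
+    },
+    "inter-fonts-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1731687360,
+        "narHash": "sha256-5vdKKvHAeZi6igrfpbOdhZlDX2/5+UvzlnCQV6DdqoQ=",
+        "type": "tarball",
+        "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip"
+      }
+    },
+    "lucide-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1754044466,
+        "narHash": "sha256-+exBR2OToB1iv7ZQI2S4B0lXA/QRvC9n6U99UxGpJGs=",
+        "type": "tarball",
+        "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1768323494,
+        "narHash": "sha256-yBXJLE6WCtrGo7LKiB6NOt6nisBEEkguC/lq/rP3zRQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2c3e5ec5df46d3aeee2a1da0bfedd74e21f4bf3a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "agenix": "agenix",
+        "disko": "disko",
+        "nixpkgs": "nixpkgs",
+        "tangled": "tangled"
+      }
+    },
+    "sqlite-lib-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1706631843,
+        "narHash": "sha256-bJoMjirsBjm2Qk9KPiy3yV3+8b/POlYe76/FQbciHro=",
+        "type": "tarball",
+        "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "tangled": {
+      "inputs": {
+        "actor-typeahead-src": "actor-typeahead-src",
+        "flake-compat": "flake-compat",
+        "gomod2nix": "gomod2nix",
+        "htmx-src": "htmx-src",
+        "htmx-ws-src": "htmx-ws-src",
+        "ibm-plex-mono-src": "ibm-plex-mono-src",
+        "indigo": "indigo",
+        "inter-fonts-src": "inter-fonts-src",
+        "lucide-src": "lucide-src",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "sqlite-lib-src": "sqlite-lib-src"
+      },
+      "locked": {
+        "lastModified": 1763627666,
+        "narHash": "sha256-t8UQ85/bPXrbFs3V/paFtQvv4lSrr2lszrdcgspuAaA=",
+        "ref": "refs/tags/v1.11.0-alpha",
+        "rev": "12ef7f8f63ee4a14a552ebed603802c79e4d72f8",
+        "revCount": 1678,
+        "type": "git",
+        "url": "https://tangled.org/@tangled.org/core"
+      },
+      "original": {
+        "ref": "refs/tags/v1.11.0-alpha",
+        "type": "git",
+        "url": "https://tangled.org/@tangled.org/core"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}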
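--- /dev/null
+++ b/nix/flake.nix
@@ -0,0 +1,39 @@
+{
+  description = "my nix";
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    tangled = {
+      url = "git+https://tangled.org/@tangled.org/core?ref=refs/tags/v1.11.0-alpha";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs =
+    {
+      nixpkgs,
+      agenix,
+      disko,
+      tangled,
+      ...
+    }:
+    {
+      nixosConfigurations."thought" = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./hosts/thought
+          agenix.nixosModules.default
+          disko.nixosModules.disko
+          tangled.nixosModules.knot
+          tangled.nixosModules.spindle
+        ];
+      };
+    };
+}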
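Review bot: The `agenix` block in `inputs` overrides only `nixpkgs`, so agenix's own `darwin` and `home-manager` inputs are still resolved and pinned in flake.lock (the `nix-darwin` and `home-manager` nodes), although the only output here is an x86_64-linux NixOS host. Every extra locked source is one more upstream that gets fetched and has to stay trustworthy on each `nix flake update`. Adding `inputs.darwin.follows = "";` inside the `agenix` block drops the nix-darwin node; the same can probably be done for `home-manager` if no home-manager module is used, but confirm against the agenix flake first.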

      
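--- /dev/null
+++ b/nix/hosts/thought/configuration.nix
@@ -0,0 +1,81 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./disko-config.nix
+    ./hardware-configuration.nix
+  ];
+
+  system.stateVersion = "24.05";
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 2048; # MB
+    }
+  ];
+
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+  };
+
+  time.timeZone = "Europe/Kyiv";
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  networking = {
+    hostName = "vps";
+    useDHCP = true;
+    # Interface names will be auto-detected in hardware-configuration.nix
+    # Using generic DHCP setting
+    interfaces = { };
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        80
+        443
+        2222
+      ];
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    neovim
+    git
+    htop
+    tmux
+  ];
+
+  age.identityPaths = [ "/keys.txt" ]; # TODO: i dont like that i overwrites literally everything
+
+  services = {
+    caddy = {
+      enable = true;
+      package = pkgs.caddy.withPlugins {
+        plugins = [ "github.com/mholt/caddy-l4@v0.0.0-20260116154418-93f52b6a03ba" ];
+        hash = "sha256-s8D9p8k/Gote8s4fk0pv35R7aIwRi5ze7gbBHj+Fm8U=";
+      };
+    };
+    openssh = {
+      enable = true;
+      settings = {
+        PasswordAuthentication = false;
+        PermitRootLogin = "no";
+      };
+    };
+  };
+
+  nix = {
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 30d";
+    };
+    settings = {
+      auto-optimise-store = true;
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+    };
+  };
+}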
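Review bot: `age.identityPaths = [ "/keys.txt" ]` points agenix at a private key in the filesystem root, and nothing in this file says who provisions it or what ownership and mode it must have; the TODO on that line already notes that it replaces the default identities. Since `services.openssh.enable = true` is set further down, removing the override would presumably let agenix fall back to the host's SSH host keys (secrets would then have to be re-encrypted to that key), which avoids keeping a second long-lived key on disk. If the dedicated key stays, document the requirement next to it, e.g. `# age identity: provisioned out of band, root-owned, mode 0400; never commit`. Separately, `networking.useDHCP = true` in this file is overridden by `lib.mkForce false` in digitalocean.nix, so the DHCP comment under it is misleading.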

      
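--- /dev/null
+++ b/nix/hosts/thought/default.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+  imports = [
+    ./digitalocean.nix
+    ./configuration.nix
+    ./hardware-configuration.nix
+
+    ../../users/q.nix
+
+    ../../modules/freshrss.nix
+    ../../modules/tangled.nix
+    ../../modules/moviefeed.nix
+    ../../modules/wireguard.nix
+    ../../modules/soju.nix
+  ];
+}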
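Review bot: `./hardware-configuration.nix` is listed in `imports` here and again in configuration.nix, which this file also imports. The module system should tolerate the duplicate, but keeping the import in one place makes it clear which file owns the host's hardware settings; drop the line here or the one in configuration.nix.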

      
A nix/hosts/thought/digitalocean.nix
        
        1
        +{ lib, modulesPath, ... }:

      
        
        2
        +{

      
        
        3
        +  imports = [

      
        
        4
        +    "${modulesPath}/virtualisation/digital-ocean-config.nix"

      
        
        5
        +  ];

      
        
        6
        +

      
        
        7
        +  # do not use DHCP, as DigitalOcean provisions IPs using cloud-init

      
        
        8
        +  networking.useDHCP = lib.mkForce false;

      
        
        9
        +

      
        
        10
        +  # Disables all modules that do not work with NixOS

      
        
        11
        +  services.cloud-init = {

      
        
        12
        +    enable = true;

      
        
        13
        +    network.enable = true;

      
        
        14
        +    settings = {

      
        
        15
        +      datasource_list = [

      
        
        16
        +        "ConfigDrive"

      
        
        17
        +        "Digitalocean"

      
        
        18
        +      ];

      
        
        19
        +      datasource.ConfigDrive = { };

      
        
        20
        +      datasource.Digitalocean = { };

      
        
        21
        +      # Based on https://github.com/canonical/cloud-init/blob/main/config/cloud.cfg.tmpl

      
        
        22
        +      cloud_init_modules = [

      
        
        23
        +        "seed_random"

      
        
        24
        +        "bootcmd"

      
        
        25
        +        "write_files"

      
        
        26
        +        "growpart"

      
        
        27
        +        "resizefs"

      
        
        28
        +        "set_hostname"

      
        
        29
        +        "update_hostname"

      
        
        30
        +        # Not support on NixOS

      
        
        31
        +        #"update_etc_hosts"

      
        
        32
        +        # throws error

      
        
        33
        +        #"users-groups"

      
        
        34
        +        # tries to edit /etc/ssh/sshd_config

      
        
        35
        +        #"ssh"

      
        
        36
        +        "set_password"

      
        
        37
        +      ];

      
        
        38
        +      cloud_config_modules = [

      
        
        39
        +        "ssh-import-id"

      
        
        40
        +        "keyboard"

      
        
        41
        +        # doesn't work with nixos

      
        
        42
        +        #"locale"

      
        
        43
        +        "runcmd"

      
        
        44
        +        "disable_ec2_metadata"

      
        
        45
        +      ];

      
        
        46
        +      ## The modules that run in the 'final' stage

      
        
        47
        +      cloud_final_modules = [

      
        
        48
        +        "write_files_deferred"

      
        
        49
        +        "puppet"

      
        
        50
        +        "chef"

      
        
        51
        +        "ansible"

      
        
        52
        +        "mcollective"

      
        
        53
        +        "salt_minion"

      
        
        54
        +        "reset_rmc"

      
        
        55
        +        # install dotty agent fails

      
        
        56
        +        #"scripts_vendor"

      
        
        57
        +        "scripts_per_once"

      
        
        58
        +        "scripts_per_boot"

      
        
        59
        +        # /var/lib/cloud/scripts/per-instance/machine_id.sh has broken shebang

      
        
        60
        +        #"scripts_per_instance"

      
        
        61
        +        "scripts_user"

      
        
        62
        +        "ssh_authkey_fingerprints"

      
        
        63
        +        "keys_to_console"

      
        
        64
        +        "install_hotplug"

      
        
        65
        +        "phone_home"

      
        
        66
        +        "final_message"

      
        
        67
        +      ];

      
        
        68
        +    };

      
        
        69
        +  };

      
        
        70
        +}
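Review bot: The three module lists keep every cloud-init stage that executes provider-supplied user-data as root (`bootcmd`, `write_files`, `runcmd`, `scripts_user`, `set_password`), so the droplet's metadata stays a second, undeclared configuration channel next to the flake. On a host whose users, keys and services are all declared in Nix, trimming the lists to what provisioning needs (for example `growpart`, `resizefs`, `set_hostname`, `update_hostname`, plus the network setup) closes that path. The config-management entries (`puppet`, `chef`, `ansible`, `mcollective`, `salt_minion`) and `phone_home` look unused here and could go as well. The comment `# Disables all modules that do not work with NixOS` sits directly above the line that enables the service; `# cloud-init, with the modules that break on NixOS commented out below` would describe it better.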

      
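--- a/nix/hosts/thought/disko-config.nix
+++ b/nix/hosts/thought/disko-config.nix
@@ -0,0 +1,55 @@
+{ lib, ... }:
+{
+  disko.devices = {
+    disk.disk1 = {
+      device = lib.mkDefault "/dev/vda";
+      type = "disk";
+      content = {
+        type = "gpt";
+        partitions = {
+          boot = {
+            name = "boot";
+            size = "1M";
+            type = "EF02";
+          };
+          esp = {
+            name = "ESP";
+            size = "500M";
+            type = "EF00";
+            content = {
+              type = "filesystem";
+              format = "vfat";
+              mountpoint = "/boot";
+            };
+          };
+          root = {
+            name = "root";
+            size = "100%";
+            content = {
+              type = "lvm_pv";
+              vg = "pool";
+            };
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      pool = {
+        type = "lvm_vg";
+        lvs = {
+          root = {
+            size = "100%FREE";
+            content = {
+              type = "filesystem";
+              format = "ext4";
+              mountpoint = "/";
+              mountOptions = [
+                "defaults"
+              ];
+            };
+          };
+        };
+      };
+    };
+  };
+}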

      
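--- a/nix/hosts/thought/hardware-configuration.nix
+++ b/nix/hosts/thought/hardware-configuration.nix
@@ -0,0 +1,25 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens4.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}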

      
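--- a/nix/modules/freshrss.nix
+++ b/nix/modules/freshrss.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, ... }:
+{
+  age.secrets.freshrss-olex = {
+    file = ../secrets/freshrss-olex.age;
+    owner = "freshrss";
+    group = "freshrss";
+  };
+
+  services.freshrss = {
+    enable = true;
+    defaultUser = "olex";
+    passwordFile = config.age.secrets.freshrss-olex.path;
+    webserver = "caddy";
+    virtualHost = "rss.olexsmir.xyz";
+    baseUrl = "https://rss.olexsmir.xyz";
+    extensions = [
+      pkgs.freshrss-extensions.reddit-image
+      (pkgs.stdenv.mkDerivation {
+        pname = "freshrss-official-extensions";
+        version = "unstable-2025-01-16";
+        src = pkgs.fetchFromGitHub {
+          owner = "FreshRSS";
+          repo = "Extensions";
+          rev = "3605f65b65e13ad818d4acbe337f7147feeb0970";
+          hash = "sha256-1c0d0szF21JHm/Sw16iSLPik3HIv2xjxKmvuAkLKqM0=";
+        };
+        installPhase = ''
+          mkdir -p $out/share/freshrss/extensions
+          cp -r xExtension-* $out/share/freshrss/extensions/
+        '';
+      })
+    ];
+  };
+}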
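Review bot: The `installPhase` copies every `xExtension-*` directory from the FreshRSS/Extensions checkout, so the whole official extension set is installed next to an internet-facing PHP application whether or not it is used. Copying only the extensions actually wanted, e.g. `cp -r xExtension-<NAME> $out/share/freshrss/extensions/` with the real directory names filled in, keeps the installed code surface small and makes the intent reviewable. The phase also skips the standard hooks; opening with `runHook preInstall` and closing with `runHook postInstall` follows nixpkgs convention. The `rev` and `hash` pin is good, but `version = "unstable-2025-01-16"` may be meant to read 2026 given the commit date, which is worth confirming against that revision.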

      
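--- a/nix/modules/moviefeed.nix
+++ b/nix/modules/moviefeed.nix
@@ -0,0 +1,39 @@
+{ pkgs, ... }:
+let
+  configFile = "/home/q/moviedfeed.yml";
+  version = "2bda86db";
+  moviefeed = pkgs.buildGoModule {
+    pname = "moviefeed";
+    inherit version;
+    vendorHash = "sha256-FWkYhhX/cZhF+ctgbYPhPRYcQZSLIL3zoaxqrbWZCcU=";
+    src = pkgs.fetchFromGitHub {
+      owner = "olexsmir";
+      repo = "moviefeed";
+      rev = version;
+      hash = "sha256-g05iqKH3g6Q536AF3Xb2zYx3jiLXybaavM7UB9Hu5Dg=";
+    };
+  };
+in
+{
+  services.caddy.virtualHosts."moviefeed.olexsmir.xyz".extraConfig = ''
+    reverse_proxy localhost:8000
+  '';
+
+  systemd.services.moviefeed = {
+    description = "moviefeed API server";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+
+    serviceConfig = {
+      Type = "simple";
+      User = "q";
+      Restart = "on-failure";
+      RestartSec = 2;
+      ExecStart = "${moviefeed}/bin/moviefeed --config ${configFile}";
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ReadOnlyPaths = [ configFile ];
+    };
+  };
+}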
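Review bot: The unit runs the internet-facing moviefeed server as `User = "q"`, the same account that users/q.nix puts in `wheel` and gives SSH login, so a flaw in the service exposes that user's whole home directory. `ProtectSystem = "strict"` leaves `/home` readable and `NoNewPrivileges` only blocks setuid escalation. A dedicated system user (or `DynamicUser`) with the config kept outside `/home/q` is the cleaner fix; short of that, the sandboxing sketched below hides the home directory except for the config file and should be tested on the host. `configFile` is spelled `moviedfeed.yml`, which looks like a typo for `moviefeed.yml` and is worth checking against the file on disk. Caddy forwards to `localhost:8000`, so the server should bind to loopback only, which this file does not show.

```nix
    serviceConfig = {
      # … unchanged: Type, User, Restart, RestartSec, ExecStart, NoNewPrivileges, ProtectSystem …
      # replaces ReadOnlyPaths: /home becomes an empty tmpfs with only the config bound in
      ProtectHome = "tmpfs";
      BindReadOnlyPaths = [ configFile ];
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
    };
```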

      
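--- a/nix/modules/soju.nix
+++ b/nix/modules/soju.nix
@@ -0,0 +1,32 @@
+{ ... }:
+let
+  domain = "irc.olexsmir.xyz";
+in
+{
+  networking.firewall.allowedTCPPorts = [ 6697 ];
+  services.caddy = {
+    virtualHosts.${domain}.extraConfig = ''
+      respond "irc bouncer"
+    '';
+    globalConfig = ''
+      layer4 {
+        :6697 {
+          route {
+            tls
+            proxy {
+              proxy_protocol v2
+              upstream localhost:6667
+            }
+          }
+        }
+      }
+    '';
+  };
+
+  services.soju = {
+    enable = true;
+    hostName = domain;
+    listen = [ "irc+insecure://localhost:6667" ];
+    acceptProxyIP = [ "localhost" ];
+  };
+}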
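Review bot: Nothing in the file says why `virtualHosts.${domain}` answers with a bare `respond "irc bouncer"`; presumably it exists so Caddy obtains the certificate that the `layer4` `tls` handler on :6697 then serves, and that deserves a comment such as `# vhost exists so Caddy manages a cert for ${domain}; the layer4 block terminates IRC TLS with it`. The `layer4` block needs a Caddy build that includes the layer4 plugin, which is not visible in this file. `acceptProxyIP = [ "localhost" ]` means any local process that can reach port 6667 can hand soju a PROXY header with an arbitrary client address, and this host now runs several other network services. A Unix-socket listener between Caddy and soju would narrow that, if both sides support it in the versions in use.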

      
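--- a/nix/modules/tangled.nix
+++ b/nix/modules/tangled.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+  services.caddy.virtualHosts."knot.olexsmir.xyz".extraConfig = ''
+    reverse_proxy localhost:5555
+  '';
+
+  services.tangled.knot = {
+    enable = true;
+    openFirewall = false;
+    motd = "i use arch btw\n";
+    server = {
+      owner = "did:plc:slhnamqkslwa5e5e5hrznbxr";
+      hostname = "knot.olexsmir.xyz";
+    };
+  };
+}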

      
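--- a/nix/modules/wireguard.nix
+++ b/nix/modules/wireguard.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, ... }:
+{
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+  networking.nat = {
+    enable = true;
+    externalInterface = "ens3";
+    internalInterfaces = [ "wg0" ];
+  };
+
+  age.secrets.wg-private-key = {
+    file = ../secrets/wg-private-key.age;
+  };
+
+  networking.wireguard.interfaces.wg0 = {
+    ips = [ "10.100.0.1/24" ];
+    listenPort = 51820;
+    privateKeyFile = config.age.secrets.wg-private-key.path;
+
+    # This allows the wireguard server to route your traffic to the internet and hence be like a VPN
+    # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+    postSetup = ''
+      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+    '';
+    postShutdown = ''
+      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
+    '';
+
+    peers = [
+      {
+        # laptop
+        publicKey = "cF0abpqZiMrofQUgFHS4D+FuXq3ZoCPBQUlr6WuvBwM=";
+        allowedIPs = [ "10.100.0.2/32" ];
+      }
+      {
+        # phone
+        publicKey = "GodHMXUBh/0aEyz+XBJID7pm/Hi8xnZv6YzkQbl/Uwc=";
+        allowedIPs = [ "10.100.0.3/32" ];
+      }
+    ];
+  };
+}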
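Review bot: Masquerading for the tunnel is configured twice: `networking.nat` with `externalInterface = "ens3"` and `internalInterfaces = [ "wg0" ]` already sets up NAT and, as far as I know, turns on IPv4 forwarding, and `postSetup`/`postShutdown` then add and delete the same `POSTROUTING … MASQUERADE` rule by hand. Keeping only the `networking.nat` block lets you drop the `boot.kernel.sysctl` entry and both hooks, and avoids a doubled or stale rule when the interface restarts. `ens3` is hard-coded in three places; a `let extIf = "ens3"; in` binding keeps them in step, and the name should be checked on the droplet since hardware-configuration.nix mentions it only in a commented-out line. Forwarding is host-wide once enabled, so if peers are meant to reach only the internet and not each other or the host's loopback-proxied services, that needs an explicit firewall rule.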

      
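--- a/nix/readme.txt
+++ b/nix/readme.txt
@@ -0,0 +1,9 @@
+nix
+---
+
+install:
+  nix run github:nix-community/nixos-anywhere -- ./hosts/thought/hardware-configuration.nix --flake .#thought --target-host root@<IP>
+  ssh q@IP
+  git clone https://github.com/olexsmir/dotfiles.git
+  cd dotfiles/nix
+  sudo nixos-rebuild switch --flake .#thought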

      
A nix/secrets/freshrss-olex.age
···
        
        1
        +age-encryption.org/v1

      
        
        2
        +-> ssh-ed25519 jgjvUw dIOnVUmbf9R0pl92JrlTDWa/htZQEUUPdTbNCKTa+S4

      
        
        3
        +R4unw/VGqtrNG/otzW3HjvgMtZK+RT7tqs6dZkLh3pc

      
        
        4
        +-> X25519 E3+gKkjH6LkkYhnwE+9QbPiSYOEF3GJhbVXy2+mCDTM

      
        
        5
        +IcwPmVZ8IOLhzJNUeMicC0cPmDym0TjFb7P8MHBwDNI

      
        
        6
        +--- JF/k9Wyj6kIEX7F1SjkqiFlv8UFngZ4lJvVwWQ8425c

      
        
        7
        +mr8M}2;	-D~vMa9"T

      
        
        8
        +:ڔV9
      
A nix/secrets/q-password.age
···
        
        1
        +age-encryption.org/v1

      
        
        2
        +-> ssh-ed25519 jgjvUw Yy4VmBRoL5acIbY+GMmg5qW9iTp9U/XZSvx12r3SzRU

      
        
        3
        +rNNYDN0ikwrSJf8kKi0uLczMY39rg0Xi3MSvR9fAzYU

      
        
        4
        +-> X25519 t9640/amrr9kdgjY9ALE0n6yoaqMGTCjjk0OxPmHwwM

      
        
        5
        +x6nm6fXvrrRngMJVY8oGh8QJU0K5TBkl7S+v5E3k8iw

      
        
        6
        +--- kM18cW1nk37CnZlFmdS0XAuCt6gHzazZ83X9iNuzb5w

      
        
        7
        +XOb^Ye]yG-dM
      
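--- a/nix/secrets/secrets.nix
+++ b/nix/secrets/secrets.nix
@@ -0,0 +1,13 @@
+let
+  laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLLJdkVYKZgsayw+sHanKPKZbI0RMS2CakqBCEi5Trz";
+  infra = "age1k4e6mm0whyjzfaqlhahu2pst4vxvzul53xs3ff0tk8uty459zgzqk3965k";
+  allKeys = [
+    laptop
+    infra
+  ];
+in
+{
+  "q-password.age".publicKeys = allKeys;
+  "freshrss-olex.age".publicKeys = allKeys;
+  "wg-private-key.age".publicKeys = allKeys;
+}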
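Review bot: `laptop` is the same SSH key that users/_sshkeys.nix authorises for login, so one key both opens a shell on the host and decrypts every secret in the repository; a separate age identity for editing secrets would split those two roles. `infra` is a native age recipient rather than the host's SSH host key, so the host presumably needs `age.identityPaths` pointing at the matching private key, and that setting is not visible in the modules shown here. A comment on the `infra` line saying what the key is and where its private half is provisioned would make the decryption path reviewable.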

      
A nix/secrets/wg-private-key.age

Not showing binary file.

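--- a/nix/users/_sshkeys.nix
+++ b/nix/users/_sshkeys.nix
@@ -0,0 +1,4 @@
+[
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLLJdkVYKZgsayw+sHanKPKZbI0RMS2CakqBCEi5Trz" # laptop
+  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINeXccmMQ9jfLG2Z8CITaZZ+pUgYVNVYDFtmdkBHd3xk u0_a930@localhost" # phone
+]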

      
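--- a/nix/users/q.nix
+++ b/nix/users/q.nix
@@ -0,0 +1,14 @@
+{ config, ... }:
+{
+  age.secrets.q-password.file = ../secrets/q-password.age;
+
+  users.users.q = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "headscale"
+    ];
+    hashedPasswordFile = config.age.secrets.q-password.path;
+    openssh.authorizedKeys.keys = import ./_sshkeys.nix;
+  };
+}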
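Review bot: `extraGroups` lists `"headscale"`, but the host's import list shows only the freshrss, tangled, moviefeed, wireguard and soju modules, and none of them visibly defines that group. If it is a leftover from another setup, dropping it keeps the account's group membership in line with what the host actually runs; if headscale is planned, a comment such as `# headscale: added ahead of the headscale module` would say so. Both keys from _sshkeys.nix reach this `wheel` account, so the phone key carries the same administrative access as the laptop key, which is worth a deliberate decision.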