
25 Commits

Author SHA1 Message Date
c7eefea616 Set up PiGallery2 2025-12-23 14:19:27 +01:00
7608249b0b Monitor all relevant services in the MOTD script 2025-12-22 08:01:38 +01:00
61b35e5f4a Allow NAT loopback via DNS server 2025-12-22 07:58:38 +01:00
1ccc0041d6 Add kafthretis as a wireguard peer 2025-12-21 23:40:04 +01:00
2856e30cbf flake.lock: Update
Flake lock file updates:

• Updated input 'determinate':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.13.2/019a9b01-c0c6-7e1c-959e-98ac5b7675de/source.tar.gz' (2025-11-19)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz' (2025-12-19)
• Updated input 'determinate/determinate-nixd-aarch64-darwin':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/macOS'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS'
• Updated input 'determinate/determinate-nixd-aarch64-linux':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/aarch64-linux'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux'
• Updated input 'determinate/determinate-nixd-x86_64-linux':
    'https://install.determinate.systems/determinate-nixd/tag/v3.13.2/x86_64-linux'
  → 'https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux'
• Updated input 'determinate/nix':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.13.2/019a9af6-3d7b-71bc-bccd-8b18e147ad77/source.tar.gz' (2025-11-19)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz' (2025-12-19)
• Updated input 'determinate/nixpkgs':
    'https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.897465%2Brev-8b6600824693a9c706ef09bd86711ca393703466/019a9577-b407-75dd-b18b-3308def1c215/source.tar.gz' (2025-11-17)
  → 'https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz' (2025-12-15)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/c97c47f' (2025-12-04)
  → 'github:NixOS/nixpkgs/b3aad46' (2025-12-20)
2025-12-21 23:04:10 +01:00
3e577066c1 Migrate to Determinate Nix 2025-12-06 05:18:46 +01:00
3f10536deb flake.lock: Update
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/1aab89277eb2d87823d5b69bae631a2496cff57a?narHash=sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0%3D' (2025-12-02)
  → 'github:NixOS/nixpkgs/c97c47f2bac4fa59e2cbdeba289686ae615f8ed4?narHash=sha256-OtzF5wBvO0jgW1WW1rQU9cMGx7zuvkF7CAVJ1ypzkxA%3D' (2025-12-04)
2025-12-05 23:51:49 +01:00
25e995dfb3 Adapt dnscrypt-proxy config to upstream changes 2025-12-04 17:31:29 +01:00
f2faa9047b flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/9edb1787864c4f59ae5074ad498b6272b3ec308d?narHash=sha256-NA/FT2hVhKDftbHSwVnoRTFhes62%2B7dxZbxj5Gxvghs%3D' (2025-08-05)
  → 'github:ryantm/agenix/fcdea223397448d35d9b31f798479227e80183f6?narHash=sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L%2BVSybPfiIgzU8lbQ%3D' (2025-11-08)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/a65b650d6981e23edd1afa1f01eb942f19cdcbb7?narHash=sha256-9bHzrVbjAudbO8q4vYFBWlEkDam31fsz0J7GB8k4AsI%3D' (2025-08-26)
  → 'github:NixOS/nixos-hardware/9154f4569b6cdfd3c595851a6ba51bfaa472d9f3?narHash=sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x%2B6XUJ4YdFRjtO4%3D' (2025-11-29)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f?narHash=sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD%2B/cTUzzgVFoaHrkqY%3D' (2025-11-30)
  → 'github:NixOS/nixpkgs/1aab89277eb2d87823d5b69bae631a2496cff57a?narHash=sha256-H3lC7knbXOBrHI9hITQ7modLuX20mYJVhZORL5ioms0%3D' (2025-12-02)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5?narHash=sha256-XexyKZpf46cMiO5Vbj%2BdWSAXOnr285GHsMch8FBoHbc%3D' (2025-08-25)
  → 'github:NixOS/nixpkgs/418468ac9527e799809c900eda37cbff999199b6?narHash=sha256-7WUCZfmqLAssbDqwg9cUDAXrSoXN79eEEq17qhTNM/Y%3D' (2025-12-02)
2025-12-04 17:21:24 +01:00
22fc403563 Use Brotli instead of ZSTD for Nginx 2025-12-01 09:26:14 +01:00
d5e11e4909 Remove redundant secret injection for oink 2025-12-01 09:25:15 +01:00
bcc764dd50 Upgrade to NixOS 25.11 2025-12-01 09:24:18 +01:00
4e317cfd81 Specify auto upgrade flags correctly 2025-11-23 17:12:55 +01:00
2ad5372267 Use inputs attribute to import modules 2025-11-23 17:03:54 +01:00
6e93e251d6 Use correct Flake URL scheme for Auto Upgrade 2025-08-29 01:01:24 +02:00
770ecc6c02 Adapt Makefile to new CLI flags of nixos-rebuild 2025-08-27 08:16:38 +02:00
86fb493a80 Disable systemd-resolved DNS stub causing conflict 2025-08-27 08:12:57 +02:00
3057f13858 Reboot after Auto Upgrade if necessary 2025-08-27 06:20:52 +02:00
155c4f3525 Use Git repository as Flake URL for Auto Upgrade 2025-08-27 06:17:48 +02:00
3abfa5cb84 Remove Matrix bridges users 2025-08-27 06:14:36 +02:00
5d1b075adb flake.lock: Update
Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/e600439ec4c273cf11e06fe4d9d906fb98fa097c?narHash=sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA%3D' (2025-01-15)
  → 'github:ryantm/agenix/9edb1787864c4f59ae5074ad498b6272b3ec308d?narHash=sha256-NA/FT2hVhKDftbHSwVnoRTFhes62%2B7dxZbxj5Gxvghs%3D' (2025-08-05)
• Updated input 'agenix/darwin':
    'github:lnl7/nix-darwin/4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d?narHash=sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0%3D' (2023-11-24)
  → 'github:lnl7/nix-darwin/43975d782b418ebf4969e9ccba82466728c2851b?narHash=sha256-dyN%2BteG9G82G%2Bm%2BPX/aSAagkC%2BvUv0SgUw3XkPhQodQ%3D' (2025-04-12)
• Updated input 'agenix/home-manager':
    'github:nix-community/home-manager/3bfaacf46133c037bb356193bd2f1765d9dc82c1?narHash=sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE%3D' (2023-12-20)
  → 'github:nix-community/home-manager/abfad3d2958c9e6300a883bd443512c55dfeb1be?narHash=sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs%3D' (2025-04-24)
• Updated input 'nixos-hardware':
    'github:NixOS/nixos-hardware/009b764ac98a3602d41fc68072eeec5d24fc0e49?narHash=sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE%3D' (2025-02-27)
  → 'github:NixOS/nixos-hardware/a65b650d6981e23edd1afa1f01eb942f19cdcbb7?narHash=sha256-9bHzrVbjAudbO8q4vYFBWlEkDam31fsz0J7GB8k4AsI%3D' (2025-08-26)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/a59eb7800787c926045d51b70982ae285faa2346?narHash=sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY%3D' (2025-05-31)
  → 'github:NixOS/nixpkgs/b1b3291469652d5a2edb0becc4ef0246fff97a7c?narHash=sha256-wY1%2B2JPH0ZZC4BQefoZw/k%2B3%2BDowFyfOxv17CN/idKs%3D' (2025-08-23)
• Updated input 'nixpkgs-unstable':
    'github:NixOS/nixpkgs/18536bf04cd71abd345f9579158841376fdd0c5a?narHash=sha256-RP%2BOQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM%3D' (2024-10-25)
  → 'github:NixOS/nixpkgs/3b9f00d7a7bf68acd4c4abb9d43695afb04e03a5?narHash=sha256-XexyKZpf46cMiO5Vbj%2BdWSAXOnr285GHsMch8FBoHbc%3D' (2025-08-25)
2025-08-27 03:05:54 +02:00
6a3fbf2d80 Migrate from Wallabag to Readeck 2025-06-02 17:14:44 +02:00
9a35cefd62 Set Wallabag container version to 2.5.4 2025-06-02 15:47:03 +02:00
0fa3b9de30 Enable Prometheus admin API 2025-06-02 12:34:46 +02:00
4e56c58d7a Increase retention time of Prometheus metrics 2025-06-02 12:34:32 +02:00
14 changed files with 345 additions and 121 deletions


@@ -1,7 +1,7 @@
DIR=$(HOME)/Projects/zion DIR=$(HOME)/Projects/zion
switch: switch:
nixos-rebuild switch --fast --target-host root@zion \ nixos-rebuild switch --no-reexec --target-host root@zion \
--build-host root@zion --flake path://$(DIR)#zion --build-host root@zion --flake path://$(DIR)#zion
.DEFAULT_GOAL := switch .DEFAULT_GOAL := switch


@@ -99,6 +99,8 @@ with pkgs;
"root" "root"
"coolneng" "coolneng"
]; ];
lazy-trees = true;
eval-cores = 2;
}; };
gc = { gc = {
automatic = true; automatic = true;
@@ -183,8 +185,6 @@ with pkgs;
}; };
secrets.telegram = { secrets.telegram = {
file = secrets/telegram.age; file = secrets/telegram.age;
owner = "matrix-as-telegram";
group = "matrix-as-telegram";
}; };
secrets.mqtt-sender = { secrets.mqtt-sender = {
file = secrets/mqtt-sender.age; file = secrets/mqtt-sender.age;
@@ -198,13 +198,9 @@ with pkgs;
}; };
secrets.facebook = { secrets.facebook = {
file = secrets/facebook.age; file = secrets/facebook.age;
owner = "matrix-as-facebook";
group = "matrix-as-facebook";
}; };
secrets.signal = { secrets.signal = {
file = secrets/signal.age; file = secrets/signal.age;
owner = "matrix-as-signal";
group = "matrix-as-signal";
}; };
secrets.inadyn-duckdns = { secrets.inadyn-duckdns = {
file = secrets/inadyn-duckdns.age; file = secrets/inadyn-duckdns.age;
@@ -216,6 +212,11 @@ with pkgs;
owner = "inadyn"; owner = "inadyn";
group = "inadyn"; group = "inadyn";
}; };
secrets.inadyn-porkbun-secret = {
file = secrets/inadyn-porkbun-secret.age;
owner = "inadyn";
group = "inadyn";
};
secrets.acme-duckdns = { secrets.acme-duckdns = {
file = secrets/acme-duckdns.age; file = secrets/acme-duckdns.age;
owner = "acme"; owner = "acme";
@@ -226,22 +227,27 @@ with pkgs;
owner = "acme"; owner = "acme";
group = "nginx"; group = "nginx";
}; };
secrets.wallabag.file = secrets/wallabag.age;
secrets.wallabag-postgres.file = secrets/wallabag-postgres.age;
secrets.microbin = { secrets.microbin = {
file = secrets/microbin.age; file = secrets/microbin.age;
owner = "63026"; owner = "63026";
group = "63026"; group = "63026";
}; };
secrets.readeck = {
file = secrets/readeck.age;
owner = "63026";
group = "63026";
};
identityPaths = [ "/etc/ssh/id_ed25519" ]; identityPaths = [ "/etc/ssh/id_ed25519" ];
}; };
# Auto-upgrade the system # Auto-upgrade the system
system.autoUpgrade = { system.autoUpgrade = {
enable = true; enable = true;
allowReboot = true;
flake = "/home/coolneng/system"; flake = "/home/coolneng/system";
flags = [ flags = [
"--update-input agenix --update-input nixpkgs" "--update-input"
"nixpkgs"
"--commit-lock-file" "--commit-lock-file"
]; ];
}; };
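Review bot: `secrets.readeck` is decrypted with `owner = "63026"` and `group = "63026"`, the same numeric id already given to `secrets.microbin`, so whatever runs under that id can read both files. Elsewhere on this page the Readeck secret is consumed only through `systemd.services.readeck.serviceConfig.EnvironmentFile`, which systemd reads itself before it starts the service, so the file does not need to be readable by the service user. Reducing the entry to `secrets.readeck.file = secrets/readeck.age;` leaves it with agenix's default root ownership and keeps the id shared with MicroBin out of it; if 63026 is in fact the Readeck user, a comment saying so would help. The `age` attribute set starts above this hunk.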

249
flake.lock generated

@@ -10,11 +10,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1736955230, "lastModified": 1762618334,
"narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", "narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", "rev": "fcdea223397448d35d9b31f798479227e80183f6",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -31,11 +31,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1700795494, "lastModified": 1744478979,
"narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -45,6 +45,63 @@
"type": "github" "type": "github"
} }
}, },
"determinate": {
"inputs": {
"determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
"determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
"determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
"nix": "nix",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1766177528,
"narHash": "sha256-Bl+p766mM7qNCZtMqmTz13RuUbOMKsFa+/vnGYoxgPk=",
"rev": "b159c082f0f9bdefa6c386189a13c5fa0734d8d8",
"revCount": 317,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.0/019b3865-57a1-7d80-98c5-962fac29c404/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/determinate/%2A"
}
},
"determinate-nixd-aarch64-darwin": {
"flake": false,
"locked": {
"narHash": "sha256-vDaEQ5T4eA7kEPREmm68IVWGR6zT0aDL5slZxA6dkSc=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/macOS"
}
},
"determinate-nixd-aarch64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-Hf4JsIv5G3IR0Q0RHGLSNdmDzFv97sVQQKwzY6A0vV4=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/aarch64-linux"
}
},
"determinate-nixd-x86_64-linux": {
"flake": false,
"locked": {
"narHash": "sha256-J+J4E02XpEl0ZkpzMbUmGCf6S4yk0gYCYmiGzZ058ik=",
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
},
"original": {
"type": "file",
"url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.0/x86_64-linux"
}
},
"devshell": { "devshell": {
"locked": { "locked": {
"lastModified": 1642188268, "lastModified": 1642188268,
@@ -61,6 +118,22 @@
} }
}, },
"flake-compat": { "flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1641205782, "lastModified": 1641205782,
@@ -76,6 +149,53 @@
"type": "github" "type": "github"
} }
}, },
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"determinate",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1748821116,
"narHash": "sha256-F82+gS044J1APL0n4hH50GYdPRv/5JWm34oCJYmVKdE=",
"rev": "49f0870db23e8c1ca0b5259734a02cd9e1e371a1",
"revCount": 377,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/hercules-ci/flake-parts/0.1.377%2Brev-49f0870db23e8c1ca0b5259734a02cd9e1e371a1/01972f28-554a-73f8-91f4-d488cc502f08/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/hercules-ci/flake-parts/0.1"
}
},
"git-hooks-nix": {
"inputs": {
"flake-compat": "flake-compat",
"gitignore": [
"determinate",
"nix"
],
"nixpkgs": [
"determinate",
"nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1747372754,
"narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
"rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
"revCount": 1026,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/cachix/git-hooks.nix/0.1.1026%2Brev-80479b6ec16fefd9c1db3ea13aeb038c60530f46/0196d79a-1b35-7b8e-a021-c894fb62163d/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
}
},
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@@ -84,11 +204,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1703113217, "lastModified": 1745494811,
"narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -97,10 +217,31 @@
"type": "github" "type": "github"
} }
}, },
"nix": {
"inputs": {
"flake-parts": "flake-parts",
"git-hooks-nix": "git-hooks-nix",
"nixpkgs": "nixpkgs",
"nixpkgs-23-11": "nixpkgs-23-11",
"nixpkgs-regression": "nixpkgs-regression"
},
"locked": {
"lastModified": 1766174426,
"narHash": "sha256-0ZofAQZNgg5nfIKsVb7g4It6ufmIyLtfFRPOf+6WRkk=",
"rev": "15d6091194b5b90d292e8d6283db77f09c303b1e",
"revCount": 24285,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.0/019b3854-cca6-7298-a91c-0fd8551a7270/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/nix-src/%2A"
}
},
"nix-matrix-appservices": { "nix-matrix-appservices": {
"inputs": { "inputs": {
"devshell": "devshell", "devshell": "devshell",
"flake-compat": "flake-compat", "flake-compat": "flake-compat_2",
"nixlib": "nixlib", "nixlib": "nixlib",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@@ -137,11 +278,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1740646007, "lastModified": 1764440730,
"narHash": "sha256-dMReDQobS3kqoiUCQIYI9c0imPXRZnBubX20yX/G5LE=", "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "009b764ac98a3602d41fc68072eeec5d24fc0e49", "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -153,41 +294,87 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1748708770, "lastModified": 1761597516,
"narHash": "sha256-q8jG2HJWgooWa9H0iatZqBPF3bp0504e05MevFmnFLY=", "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
"owner": "NixOS", "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
"repo": "nixpkgs", "revCount": 811874,
"rev": "a59eb7800787c926045d51b70982ae285faa2346", "type": "tarball",
"type": "github" "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
}, },
"original": { "original": {
"id": "nixpkgs", "type": "tarball",
"ref": "nixos-25.05", "url": "https://flakehub.com/f/NixOS/nixpkgs/0.2505"
"type": "indirect"
} }
}, },
"nixpkgs-unstable": { "nixpkgs-23-11": {
"locked": { "locked": {
"lastModified": 1729880355, "lastModified": 1717159533,
"narHash": "sha256-RP+OQ6koQQLX5nw0NmcDrzvGL8HDLnyXt/jHhL1jwjM=", "narHash": "sha256-oamiKNfr2MS6yH64rUn99mIZjc45nGJlj9eGth/3Xuw=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "18536bf04cd71abd345f9579158841376fdd0c5a", "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
"type": "github" "type": "github"
}, },
"original": { "original": {
"id": "nixpkgs", "owner": "NixOS",
"ref": "nixos-unstable", "repo": "nixpkgs",
"type": "indirect" "rev": "a62e6edd6d5e1fa0329b8653c801147986f8d446",
"type": "github"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
"narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1765772535,
"narHash": "sha256-aq+dQoaPONOSjtFIBnAXseDm9TUhIbe215TPmkfMYww=",
"rev": "09b8fda8959d761445f12b55f380d90375a1d6bb",
"revCount": 911985,
"type": "tarball",
"url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.911985%2Brev-09b8fda8959d761445f12b55f380d90375a1d6bb/019b25ab-7c11-79e0-a0b0-c94d455b7190/source.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://flakehub.com/f/DeterminateSystems/nixpkgs-weekly/0.1"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1766201043,
"narHash": "sha256-eplAP+rorKKd0gNjV3rA6+0WMzb1X1i16F5m5pASnjA=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "b3aad468604d3e488d627c0b43984eb60e75e782",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
} }
}, },
"root": { "root": {
"inputs": { "inputs": {
"agenix": "agenix", "agenix": "agenix",
"determinate": "determinate",
"nix-matrix-appservices": "nix-matrix-appservices", "nix-matrix-appservices": "nix-matrix-appservices",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_3"
"nixpkgs-unstable": "nixpkgs-unstable"
} }
}, },
"systems": { "systems": {


@@ -1,9 +1,16 @@
{ {
description = "System configuration for zion"; description = "System configuration for zion";
nixConfig = {
extra-substituters = "https://install.determinate.systems";
extra-trusted-public-keys = ''
cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM=
'';
};
inputs = { inputs = {
nixpkgs.url = "nixpkgs/nixos-25.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
agenix = { agenix = {
url = "github:ryantm/agenix"; url = "github:ryantm/agenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
@@ -16,14 +23,7 @@
}; };
outputs = outputs =
{ { self, nixpkgs, ... }@inputs:
self,
nixpkgs,
nixpkgs-unstable,
agenix,
nixos-hardware,
...
}@inputs:
let let
system = "x86_64-linux"; system = "x86_64-linux";
@@ -37,8 +37,9 @@
inherit system; inherit system;
modules = [ modules = [
(import ./configuration.nix) (import ./configuration.nix)
agenix.nixosModules.age inputs.agenix.nixosModules.age
nixos-hardware.nixosModules.aoostar-r1-n100 inputs.nixos-hardware.nixosModules.aoostar-r1-n100
inputs.determinate.nixosModules.default
]; ];
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
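Review bot: The `determinate` input is declared with the `/*` version constraint, so any refresh of the lock file may move the host to whatever release is newest, and `inputs.determinate.nixosModules.default` appears, going by the commit title, to replace the Nix installation itself. The lock file pins the resolved version, but the constraint is the only guard when the lock is updated; narrowing it to the major series the lock currently resolves to would make a major jump a deliberate edit. The `nixConfig` block also deserves a comment, for example `# Trust the FlakeHub cache key so Determinate Nix can be substituted` if that is its purpose, because it widens the set of signers whose binaries this flake accepts. The `outputs` function continues past the end of this section.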


@@ -44,31 +44,24 @@
ports = [ "127.0.0.1:9090:8080" ]; ports = [ "127.0.0.1:9090:8080" ];
volumes = [ "/vault/opodsync:/var/www/server/data" ]; volumes = [ "/vault/opodsync:/var/www/server/data" ];
}; };
# Wallabag # Photo gallery
wallabag = { pigallery2 = {
image = "wallabag/wallabag@sha256:a87160e4445e11f9bcec0f4b201c31e1eb0d201d7bcd1aac421e8f3c2b8f553c"; image = "bpatrik/pigallery2@sha256:c936e4504cfe7158198542a8db794b24afb0301155d89e911f13bd04e0b406c2";
environmentFiles = [ config.age.secrets.wallabag.path ]; ports = [ "127.0.0.1:9191:80" ];
dependsOn = [ "postgresql" ]; volumes = [
extraOptions = [ "--pod=wallabag-pod" ]; "/vault/pigallery2/config:/app/data/config"
}; "/vault/pigallery2/db:/app/data/db"
# Wallabag database "/vault/pigallery2/tmp:/app/data/tmp"
postgresql = { "/vault/syncthing/Photos:/app/data/images"
image = "postgres:16.8@sha256:e95b0cb95f719e0ce156c2bc5545c89fbd98a1a692845a5331ddc79ea61f1b1e"; ];
environmentFiles = [ config.age.secrets.wallabag-postgres.path ]; cmd = [
extraOptions = [ "--pod=wallabag-pod" ]; "-e"
volumes = [ "/var/lib/postgresql-wallabag:/var/lib/postgresql/data" ]; "NODE_ENV=production"
];
}; };
}; };
}; };
}; };
# Allow networking between Wallabag and Postgresql
systemd.services.create-wallabag-pod = {
serviceConfig.Type = "oneshot";
wantedBy = [ "podman-postgresql.service" ];
script = with pkgs; ''
${podman}/bin/podman pod exists wallabag-pod || ${podman}/bin/podman pod create -n wallabag-pod -p '127.0.0.1:8090:80'
'';
};
# Start services after ZFS mount # Start services after ZFS mount
systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ]; systemd.services.podman-mqtt2prometheus.unitConfig.RequiresMountsFor = [ /vault/mqtt2prometheus ];
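Review bot: In `pigallery2`, `cmd = [ "-e" "NODE_ENV=production" ]` hands `-e NODE_ENV=production` to the image's entrypoint as arguments; it does not set an environment variable in the container, because `cmd` is the container command rather than a list of podman flags. If the intent is to run in production mode, `environment = { NODE_ENV = "production"; };` does that. The photo library is also mounted read-write; unless the gallery is meant to modify the Syncthing folder, `"/vault/syncthing/Photos:/app/data/images:ro"` limits what a compromised container can touch. The `containers` attribute set starts above this hunk.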


@@ -24,4 +24,21 @@
}; };
}; };
# Readeck configuration
services.readeck = {
enable = true;
settings = {
server = {
host = "127.0.0.1";
port = 9092;
allowed_hosts = [ "read.psydnd.org" ];
trusted_proxies = [ "127.0.0.1" ];
environmentFile = config.age.secrets.readeck.path;
};
};
};
# NOTE Load credentials using environment variables
systemd.services.readeck.serviceConfig.EnvironmentFile = config.age.secrets.readeck.path;
} }
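Review bot: `environmentFile = config.age.secrets.readeck.path;` sits inside `settings.server`, where it is presumably serialised into Readeck's configuration as an unknown `server` key rather than loading anything. The secret is actually loaded by the `systemd.services.readeck.serviceConfig.EnvironmentFile` line below, so the entry under `settings.server` can be removed; only the path, not the secret, would end up in the generated configuration, but the stray key suggests a mechanism that is not in use. If the module offers a top-level `services.readeck.environmentFile` option, using it would replace both lines; that is worth checking against the module shipped in nixos-25.11.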


@@ -51,7 +51,8 @@ with pkgs;
services.prometheus = { services.prometheus = {
enable = true; enable = true;
port = 9001; port = 9001;
retentionTime = "1y"; retentionTime = "10y";
extraFlags = [ "--web.enable-admin-api" ];
exporters = { exporters = {
node = { node = {
enable = true; enable = true;
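Review bot: `--web.enable-admin-api` turns on endpoints that delete series, clean tombstones and take snapshots, and Prometheus does not authenticate them by itself. With `retentionTime` raised to `"10y"`, anyone who can reach port 9001 could erase the history this change is trying to keep. No `listenAddress` is visible in this hunk; unless other hosts need to reach Prometheus directly, `listenAddress = "127.0.0.1";` (or confirming that 9001 is closed in `networking.firewall`) keeps the admin API local. The `services.prometheus` block continues outside the hunk.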


@@ -27,8 +27,8 @@ in
address = [ "192.168.128.2/23" ]; address = [ "192.168.128.2/23" ];
gateway = [ "192.168.128.1" ]; gateway = [ "192.168.128.1" ];
dns = [ dns = [
"1.1.1.1" "127.0.0.1"
"9.9.9.9" "::1"
]; ];
networkConfig.DNSSEC = "no"; networkConfig.DNSSEC = "no";
}; };
@@ -47,11 +47,9 @@ in
# NOTE Temporary workaround until Inadyn fixes the Porkbun module # NOTE Temporary workaround until Inadyn fixes the Porkbun module
services.oink = { services.oink = {
enable = true; enable = true;
settings = { apiKeyFile = config.age.secrets.inadyn-porkbun.path;
apiKey = "PLACEHOLDER"; secretApiKeyFile = config.age.secrets.inadyn-porkbun-secret.path;
secretApiKey = "PLACEHOLDER"; settings.interval = 1800;
interval = 1800;
};
domains = [ domains = [
{ {
domain = "psydnd.org"; domain = "psydnd.org";
@@ -59,8 +57,6 @@ in
} }
]; ];
}; };
# NOTE Load credentials using environment variables
systemd.services.oink.serviceConfig.EnvironmentFile = config.age.secrets.inadyn-porkbun.path;
# Firewall configuration # Firewall configuration
networking.firewall = { networking.firewall = {
@@ -112,6 +108,14 @@ in
"fd00::3/128" "fd00::3/128"
]; ];
} }
# kathreftis
{
PublicKey = "qfHtv6LSZjtxvH46d8pysr+/yPo2tV9cZumgIpxBNF4=";
AllowedIPs = [
"10.8.0.4/32"
"fd00::4/128"
];
}
]; ];
}; };
@@ -127,6 +131,16 @@ in
}; };
}; };
# Disable systemd-resolved DNS stub
services.resolved = {
enable = true;
llmnr = "false";
extraConfig = ''
MulticastDNS=yes
DNSStubListener=no
'';
};
# DNS server with ad-block # DNS server with ad-block
services.dnsmasq = { services.dnsmasq = {
enable = true; enable = true;
@@ -150,11 +164,12 @@ in
conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf"; conf-file = "${pkgs.dnsmasq}/share/dnsmasq/trust-anchors.conf";
dnssec = false; dnssec = false;
address = "/psydnd.org/192.168.128.2";
}; };
}; };
# Encrypted DNS # Encrypted DNS
services.dnscrypt-proxy2 = { services.dnscrypt-proxy = {
enable = true; enable = true;
upstreamDefaults = true; upstreamDefaults = true;
settings = { settings = {
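Review bot: `address = "/psydnd.org/192.168.128.2";` makes dnsmasq answer with the LAN address for `psydnd.org` and every name beneath it, for every client that uses this resolver. That is what NAT loopback on the LAN needs, but it also applies to any subdomain not hosted on this machine and, if the WireGuard peers resolve through this dnsmasq, to them as well, where 192.168.128.2 is reachable only if the tunnel routes it. A comment on the line would record the intent, e.g. `# NAT loopback: resolve psydnd.org and all subdomains to the LAN address`. The `services.dnsmasq` settings start above this hunk.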


@@ -11,7 +11,7 @@
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
recommendedZstdSettings = true; recommendedBrotliSettings = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
clientMaxBodySize = "0"; clientMaxBodySize = "0";
@@ -134,18 +134,6 @@
}; };
}; };
}; };
"wallabag.psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:8090/";
extraConfig = ''
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $remote_addr;
'';
};
};
"books.psydnd.org" = { "books.psydnd.org" = {
useACMEHost = "psydnd.org"; useACMEHost = "psydnd.org";
forceSSL = true; forceSSL = true;
@@ -176,6 +164,16 @@
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://localhost:9091/"; locations."/".proxyPass = "http://localhost:9091/";
}; };
"read.psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true;
locations."/".proxyPass = "http://localhost:9092/";
};
"photos.psydnd.org" = {
useACMEHost = "psydnd.org";
forceSSL = true;
locations."/".proxyPass = "http://localhost:9191/";
};
}; };
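Review bot: The new `read.psydnd.org` and `photos.psydnd.org` virtual hosts have no access control in nginx, so protection of the photo library and the Readeck instance rests entirely on each application's own login. Whether PiGallery2 has authentication enabled is decided in `/vault/pigallery2/config`, which is not part of this change, so it is worth confirming before the host name is published. If the gallery is only meant for home and VPN use, `allow`/`deny` directives in the location's `extraConfig`, limited to the LAN and WireGuard ranges, would keep it off the public internet. `clientMaxBodySize = "0"` higher up in the same block also removes the request body size limit for these new hosts.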
}; };


@@ -20,30 +20,31 @@ echo "============================================================
- System uptime.......: $upDays days $upHours hours $upMins minutes $upSecs seconds - System uptime.......: $upDays days $upHours hours $upMins minutes $upSecs seconds
============================================================" ============================================================"
services=( services=(
"syncthing.service" "syncthing.service"
"radicale.service" "radicale.service"
"miniflux.service" "miniflux.service"
"gitea.service" "gitea.service"
"dendrite.service" "dendrite.service"
"nginx.service" "nginx.service"
"dnsmasq.service" "dnsmasq.service"
"podman-openbooks.service" "dnscrypt-proxy.service"
"mosquitto.service" "podman-openbooks.service"
"podman-mqtt2prometheus.service" "mosquitto.service"
"prometheus.service" "podman-mqtt2prometheus.service"
"grafana.service" "prometheus.service"
"grafana.service"
) )
for var in "${services[@]}"; do for var in "${services[@]}"; do
if [[ -z $var ]]; then if [[ -z $var ]]; then
printf "\n" printf "\n"
else else
if systemctl -q is-active "${var}"; then if systemctl -q is-active "${var}"; then
printf "%-40s [\e[32mOK\e[39m]\n" "$var" printf "%-40s [\e[32mOK\e[39m]\n" "$var"
else else
printf "%-40s [\e[31mFAIL\e[39m]\n" "$var" printf "%-40s [\e[31mFAIL\e[39m]\n" "$var"
fi fi
fi fi
done done
echo "============================================================" echo "============================================================"
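Review bot: The `services` array gains `dnscrypt-proxy.service` but still omits units that this same change set introduces, such as the Readeck service and the PiGallery2 container, so a failure of either would not show up in the MOTD. Assuming the usual unit names, adding `"readeck.service"` and `"podman-pigallery2.service"` would match the commit title. The `[[ -z $var ]]` branch can never run with the list as written, since no entry is empty; either drop it or add a comment saying that empty entries act as separators. The script begins above this hunk.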


@@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 iUaRGg paS5BxWWicriSLAZyCBKd2xylLAp4/LcHmogO7me8yQ
MWW/Pkvn+4G4YeYXY9ZPXC92TbcFXQMyHJ2ltFzXpZs
--- ZdFfQ7tHfEo+u/0MmigCNh6OIxkd2bimRN30rMUs1ks
<EFBFBD>9<EFBFBD>7Y<EFBFBD>$B<>sX<0E>ʽb<CABD>O'J<><4A>S'<27>5!<21><>UMʯ-v<>m<EFBFBD><6D><EFBFBD><EFBFBD><EFBFBD>8%|R,<2C>~I<><14><>G<EFBFBD><47>VQE<0E>0D<30>:Qv<<1E><>)<29> <0B><>%fc<66><63>XZչ 7+yB

Binary file not shown.

BIN
secrets/readeck.age Normal file

Binary file not shown.


@@ -17,9 +17,9 @@ in
"signal.age".publicKeys = [ zion ]; "signal.age".publicKeys = [ zion ];
"inadyn-duckdns.age".publicKeys = [ zion ]; "inadyn-duckdns.age".publicKeys = [ zion ];
"inadyn-porkbun.age".publicKeys = [ zion ]; "inadyn-porkbun.age".publicKeys = [ zion ];
"inadyn-porkbun-secret.age".publicKeys = [ zion ];
"acme-duckdns.age".publicKeys = [ zion ]; "acme-duckdns.age".publicKeys = [ zion ];
"acme-porkbun.age".publicKeys = [ zion ]; "acme-porkbun.age".publicKeys = [ zion ];
"wallabag.age".publicKeys = [ zion ];
"wallabag-postgres.age".publicKeys = [ zion ];
"microbin.age".publicKeys = [ zion ]; "microbin.age".publicKeys = [ zion ];
"readeck.age".publicKeys = [ zion ];
} }
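Review bot: `"signal.age"` still has a `publicKeys` entry here, and the configuration on this page still declares `secrets.telegram`, `secrets.facebook` and `secrets.signal` after their `matrix-as-*` owners were removed. If the bridges are gone, these secrets are decrypted on every activation for no consumer; removing the entries together with the `.age` files, and revoking the tokens they hold, would shrink what the host key can unlock. If a bridge is still in use, a comment next to its entry would make that clear. The attribute set starts above this hunk.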