
12 commits

Author SHA1 Message Date
6fbf0f2b7d
fix (freshrss): OIDC config mounting
After much troubleshooting, I figured out that FreshRSS does not actually support OIDC with the use of the environment variables for configuration. Instead, the config files actually have to be set with the web wizard and persisted with a volume mount. Do that.
2025-12-09 08:47:04 -06:00
1fc358b482
fix (freshrss): Networking stack fixes 2025-12-08 20:40:27 -06:00
3f35901fd3
fix (freshrss): Uncomment required variables 2025-12-08 17:29:00 -06:00
1eebebdeb0
fix (freshrss): Bind port 2025-12-08 17:25:48 -06:00
335fed99f3
fix (freshrss): Set OIDC variables 2025-12-08 17:22:33 -06:00
7145bf01ed
service (freshrss): Add freshrss service 2025-12-08 16:44:12 -06:00
a0175f565b
secrets! (pihole): Remove pihole secrets 2025-12-08 08:11:43 -06:00
0571d801ed
services (bosephus): Remove pihole service 2025-12-04 09:07:16 -06:00
9108361964
pkgs (desktop): add nixos-rebuild package 2025-12-04 09:00:54 -06:00
ac837750c9
nix-builder (corianne): Add rosetta builder 2025-12-04 09:00:37 -06:00
24d7b7d533
programs (zed): Add build+preview on demand support for LaTeX 2025-12-04 08:59:53 -06:00
c49474d8ce
flake: Upgrade nixpkgs to nixos-25.11 family
This commit upgrades nixpkgs to nixos-25.11, and all other management
systems (home-manager, nix-darwin, etc.) to the equivalent tag, and also
upgrades any syntax within the modules to follow new syntax.

1. Upgrades nixpkgs to nixos-25.11
2. Upgrades nixpkgs-darwin to nixpkgs-25.11-darwin
3. Upgrades home-manger to release-25.11
4. Upgrades nix-darwin to 25.11
5. Implements conditional to use nixpkgs on Linux and nixpkgs-darwin on
   Darwin
6. Replace micromamba with mamba-cpp and set alias, see
   <https://github.com/NixOS/nixpkgs/issues/456288#issuecomment-3584844923>
7. Replace asitop with its new name: macpm
8. Remove ollama package and launchd service. ollama was removed from
   Linux in 275270cef7, but remained in Darwin. The build process
   technically did not fail, but it did extend build time and is unused,
   so it was removed.
9. Switch git program module to use new syntax
10. Switch to NixOS-provided Crowdsec module
11. Switch logind lidSwitch settings to use new syntax
12. Switch samba module to use new syntax
2025-12-02 22:25:55 -06:00
18 changed files with 355 additions and 253 deletions

181
flake.lock generated

@ -14,11 +14,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1754433428,
"narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
"lastModified": 1762618334,
"narHash": "sha256-wyT7Pl6tMFbFrs8Lk/TlEs81N6L+VSybPfiIgzU8lbQ=",
"owner": "ryantm",
"repo": "agenix",
"rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
"rev": "fcdea223397448d35d9b31f798479227e80183f6",
"type": "github"
},
"original": {
@ -27,27 +27,6 @@
"type": "github"
}
},
"crowdsec": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1752497357,
"narHash": "sha256-9epXn1+T6U4Kfyw8B9zMzbERxDB3VfaPXhVebtai6CE=",
"ref": "refs/heads/main",
"rev": "84db7dcea77f7f477d79e69e35fb0bb560232667",
"revCount": 42,
"type": "git",
"url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
},
"original": {
"type": "git",
"url": "https://codeberg.org/kampka/nix-flake-crowdsec.git"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
@ -69,23 +48,6 @@
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -93,16 +55,16 @@
]
},
"locked": {
"lastModified": 1756679287,
"narHash": "sha256-Xd1vOeY9ccDf5VtVK12yM0FS6qqvfUop8UQlxEB+gTQ=",
"lastModified": 1764613336,
"narHash": "sha256-L979az28t/+SXvYw9qhOno5HLlDwkZOpz6LzCLnjmRM=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "07fc025fe10487dd80f2ec694f1cd790e752d0e8",
"rev": "f3902b5d8767985680875ad86d028371100faeb3",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.05",
"ref": "release-25.11",
"repo": "home-manager",
"type": "github"
}
@ -114,59 +76,117 @@
]
},
"locked": {
"lastModified": 1757432263,
"narHash": "sha256-qHn+/0+IOz5cG68BZUwL9BV3EO/e9eNKCjH3+N7wMdI=",
"lastModified": 1764161084,
"narHash": "sha256-HN84sByg9FhJnojkGGDSrcjcbeioFWoNXfuyYfJ1kBE=",
"owner": "LnL7",
"repo": "nix-darwin",
"rev": "1fef4404de4d1596aa5ab2bd68078370e1b9dcdb",
"rev": "e95de00a471d07435e0527ff4db092c84998698e",
"type": "github"
},
"original": {
"owner": "LnL7",
"ref": "nix-darwin-25.05",
"ref": "nix-darwin-25.11",
"repo": "nix-darwin",
"type": "github"
}
},
"nix-rosetta-builder": {
"inputs": {
"nixos-generators": "nixos-generators",
"nixpkgs": [
"nixpkgs-darwin"
]
},
"locked": {
"lastModified": 1756177999,
"narHash": "sha256-aSbB7/jrt7ujiJ55f2uGhOo+usGxVSkqbAMVgg2jDls=",
"owner": "cpick",
"repo": "nix-rosetta-builder",
"rev": "ebb7162a975074fb570a2c3ac02bc543ff2e9df4",
"type": "github"
},
"original": {
"owner": "cpick",
"repo": "nix-rosetta-builder",
"type": "github"
}
},
"nixlib": {
"locked": {
"lastModified": 1736643958,
"narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
"rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixpkgs.lib",
"type": "github"
}
},
"nixos-generators": {
"inputs": {
"nixlib": "nixlib",
"nixpkgs": [
"nix-rosetta-builder",
"nixpkgs"
]
},
"locked": {
"lastModified": 1737057290,
"narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=",
"owner": "nix-community",
"repo": "nixos-generators",
"rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixos-generators",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1757545623,
"narHash": "sha256-mCxPABZ6jRjUQx3bPP4vjA68ETbPLNz9V2pk9tO7pRQ=",
"lastModified": 1764522689,
"narHash": "sha256-SqUuBFjhl/kpDiVaKLQBoD8TLD+/cTUzzgVFoaHrkqY=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8cd5ce828d5d1d16feff37340171a98fc3bf6526",
"rev": "8bb5646e0bed5dbd3ab08c7a7cc15b75ab4e1d0f",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.05",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-darwin": {
"locked": {
"lastModified": 1757590060,
"narHash": "sha256-EWwwdKLMZALkgHFyKW7rmyhxECO74+N+ZO5xTDnY/5c=",
"lastModified": 1764572236,
"narHash": "sha256-hLp6T/vKdrBQolpbN3EhJOKTXZYxJZPzpnoZz+fEGlE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "0ef228213045d2cdb5a169a95d63ded38670b293",
"rev": "b0924ea1889b366de6bb0018a9db70b2c43a15f8",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-25.05-darwin",
"ref": "nixpkgs-25.11-darwin",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1757034884,
"narHash": "sha256-PgLSZDBEWUHpfTRfFyklmiiLBE1i1aGCtz4eRA3POao=",
"lastModified": 1764642553,
"narHash": "sha256-mvbFFzVBhVK1FjyPHZGMAKpNiqkr7k++xIwy+p/NQvA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ca77296380960cd497a765102eeb1356eb80fed0",
"rev": "f720de59066162ee879adcc8c79e15c51fe6bfb4",
"type": "github"
},
"original": {
@ -184,11 +204,11 @@
]
},
"locked": {
"lastModified": 1757647720,
"narHash": "sha256-qf/utP3d1qBDl5R4yWUCt7E7CHTkw2NY8BEsS7lJ0dc=",
"lastModified": 1764683664,
"narHash": "sha256-Mr5HKf/bjAJ8H7/H0qJSk2BEV/OILkDIFKrGK0dUVUk=",
"owner": "nix-community",
"repo": "NUR",
"rev": "ef767aa25f9f917fe25d3848051f0e54ae42349f",
"rev": "b8b40e258cf4c959b06b7322648c87674633629b",
"type": "github"
},
"original": {
@ -207,11 +227,11 @@
]
},
"locked": {
"lastModified": 1756632588,
"narHash": "sha256-ydam6eggXf3ZwRutyCABwSbMAlX+5lW6w1SVZQ+kfSo=",
"lastModified": 1763909441,
"narHash": "sha256-56LwV51TX/FhgX+5LCG6akQ5KrOWuKgcJa+eUsRMxsc=",
"owner": "nix-community",
"repo": "plasma-manager",
"rev": "d47428e5390d6a5a8f764808a4db15929347cd77",
"rev": "b24ed4b272256dfc1cc2291f89a9821d5f9e14b4",
"type": "github"
},
"original": {
@ -222,11 +242,11 @@
},
"quadlet-nix": {
"locked": {
"lastModified": 1754008153,
"narHash": "sha256-MYT1mDtSkiVg343agxgBFsnuNU3xS8vRy399JXX1Vw0=",
"lastModified": 1763141753,
"narHash": "sha256-XAHkOkLEWbRQZ6t/SowwOukrUfIneNQOC/UEQlTaPBU=",
"owner": "SEIAROTg",
"repo": "quadlet-nix",
"rev": "1b2d27d460d8c7e4da5ba44ede463b427160b5c4",
"rev": "211b5c626cf9ea91403b510e2ac5ca03a7194566",
"type": "github"
},
"original": {
@ -238,9 +258,9 @@
"root": {
"inputs": {
"agenix": "agenix",
"crowdsec": "crowdsec",
"home-manager": "home-manager",
"nix-darwin": "nix-darwin",
"nix-rosetta-builder": "nix-rosetta-builder",
"nixpkgs": "nixpkgs",
"nixpkgs-darwin": "nixpkgs-darwin",
"nixpkgs-unstable": "nixpkgs-unstable",
@ -258,11 +278,11 @@
},
"locked": {
"dir": "pkgs/firefox-addons",
"lastModified": 1757591399,
"narHash": "sha256-OlvNzfsqDok0y5PDY+2dK5T53GsxAdm1YGdYHjxAiHM=",
"lastModified": 1764648280,
"narHash": "sha256-xniOnxIx/qhm+maO4mb9BZ7FytcUhNeTm1Y/QBjNf8o=",
"owner": "rycee",
"repo": "nur-expressions",
"rev": "b7d4f61ce9db44ba82859e15f6e1c175959948e3",
"rev": "119826bd51ad1a8012e0585f3a073571a35a812e",
"type": "gitlab"
},
"original": {
@ -286,21 +306,6 @@
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",


@ -3,8 +3,8 @@
inputs = {
# Specify the source of Home Manager and Nixpkgs.
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-25.05-darwin";
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-25.11-darwin";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
# Inputs for both darwin and linux systems
@ -17,7 +17,7 @@
};
};
home-manager = {
url = "github:nix-community/home-manager/release-25.05";
url = "github:nix-community/home-manager/release-25.11";
inputs.nixpkgs.follows = "nixpkgs";
};
nur = {
@ -30,10 +30,6 @@
};
# Linux-specific inputs
crowdsec = {
url = "git+https://codeberg.org/kampka/nix-flake-crowdsec.git";
inputs.nixpkgs.follows = "nixpkgs";
};
plasma-manager = {
url = "github:nix-community/plasma-manager";
inputs = {
@ -45,20 +41,25 @@
# Darwin-specific inputs
nix-darwin = {
url = "github:LnL7/nix-darwin/nix-darwin-25.05";
url = "github:LnL7/nix-darwin/nix-darwin-25.11";
inputs.nixpkgs.follows = "nixpkgs-darwin";
};
nix-rosetta-builder = {
url = "github:cpick/nix-rosetta-builder";
inputs.nixpkgs.follows = "nixpkgs-darwin";
};
};
outputs = { self, nix-darwin, nixpkgs, nixpkgs-darwin, nixpkgs-unstable
, home-manager, agenix, rycee-nurpkgs, nur, crowdsec, plasma-manager
, quadlet-nix, ... }:
, home-manager, agenix, rycee-nurpkgs, nur, plasma-manager, quadlet-nix
, nix-rosetta-builder, ... }:
let
mkHomeConfiguration = { hostname, arch ? "x86_64", os ? "linux"
, desktop ? false, extraModules ? [ ] }:
let
system = "${arch}-${os}";
pkgs = import nixpkgs {
syspkg = if os == "darwin" then nixpkgs-darwin else nixpkgs;
pkgs = import syspkg {
inherit system;
config.allowUnfree = true;
overlays = [ nur.overlays.default agenix.overlays.default ];
@ -122,8 +123,11 @@
};
agenix = agenix;
};
modules =
[ ./systems/darwin/corianne.nix agenix.darwinModules.default ];
modules = [
./systems/darwin/corianne.nix
agenix.darwinModules.default
nix-rosetta-builder.darwinModules.default
];
};
nixosConfigurations = {
@ -146,9 +150,6 @@
agenix.nixosModules.default
home-manager.nixosModules.home-manager
quadlet-nix.nixosModules.quadlet
crowdsec.nixosModules.crowdsec
crowdsec.nixosModules.crowdsec-firewall-bouncer
{ nixpkgs.overlays = [ crowdsec.overlays.default ]; }
];
};
};
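Review bot: The new `syspkg = if os == "darwin" then nixpkgs-darwin else nixpkgs;` selection in `mkHomeConfiguration` carries no comment saying why Darwin home configurations must evaluate against `nixpkgs-darwin`, so a later cleanup could collapse it back to `nixpkgs`. Suggest `# Darwin home configs use the branch nix-darwin itself follows (nixpkgs-darwin) so home-manager's pkgs match the system set` directly above that line. This is consistent with the `nix-darwin` and `nix-rosetta-builder` inputs both declaring `inputs.nixpkgs.follows = "nixpkgs-darwin";`. `mkHomeConfiguration` and the enclosing `outputs` function continue outside the hunk.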


@ -45,7 +45,7 @@ in {
jq
julia-bin
lynx
micromamba
mamba-cpp
most
nextflow
p7zip
@ -84,6 +84,7 @@ in {
"tailscale set --exit-node=$(tailscale exit-node suggest | awk '{print $4}' | head -n1)";
# tsed - TailScale Exit node Disconnect
tsed = "tailscale set --exit-node=";
micromamba = "mamba";
};
sessionPath = [ "$HOME/.local/bin" ];
activation = {


@ -7,7 +7,7 @@
];
home = {
packages = with pkgs; [
asitop
macpm
pinentry_mac
(pkgs.writeShellScriptBin "uq" ''
xattr -rdv com.apple.quarantine "/Applications/$1.app"
@ -34,22 +34,6 @@
launchd = {
enable = true;
agents = {
ollama = {
enable = true;
config = {
Label = "local.home-manager.ollama";
ProgramArguments = [ "${pkgs.ollama}/bin/ollama" "serve" ];
RunAtLoad = true;
KeepAlive = true;
StandardOutPath =
"${config.home.homeDirectory}/Library/Logs/ollama.log";
StandardErrorPath =
"${config.home.homeDirectory}/Library/Logs/ollama-error.log";
EnvironmentVariables = {
PATH = "${lib.makeBinPath [ pkgs.ollama ]}:$PATH";
};
};
};
freetube-sync = {
enable = true;


@ -22,7 +22,7 @@
nil
nixd
nixfmt-classic
ollama
nixos-rebuild
quarto
roboto-slab
shellcheck


@ -1,9 +1,11 @@
{ ... }: {
programs.git = {
enable = true;
userName = "Thomas A. Christensen II";
userEmail = "25492070+MillironX@users.noreply.github.com";
extraConfig = {
settings = {
user = {
name = "Thomas A. Christensen II";
email = "25492070+MillironX@users.noreply.github.com";
};
core = { editor = "nvim"; };
credential = { helper = "store"; };
color = { ui = "auto"; };
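Review bot: The hunk ends in the middle of the attrset, so it cannot be confirmed here that every key formerly under `extraConfig` now lives under `settings`; the migration deserves a one-line comment such as `# programs.git.settings replaces extraConfig/userName/userEmail (home-manager release-25.11)` above `settings = {`. While this block is being rewritten, the surviving context line `credential = { helper = "store"; };` keeps git credentials unencrypted in `~/.git-credentials`; a keychain-backed helper (`osxkeychain` on Darwin, `libsecret` on Linux) would avoid that. This is pre-existing rather than introduced here, so a follow-up is fine, but a comment noting the plaintext storage would help the next reader.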


@ -1,7 +1,7 @@
{ pkgs, ... }:
let
conda_init = shell: ''
eval "$(${pkgs.micromamba}/bin/micromamba shell hook --shell ${shell})"
eval "$(${pkgs.mamba-cpp}/bin/mamba shell hook --shell ${shell})"
'';
nd_bash_function = ''


@ -1,4 +1,4 @@
{ ... }: {
{ pkgs, ... }: {
programs.zed-editor = {
enable = true;
extensions = [
@ -58,6 +58,22 @@
initialization_options.formatting.command = [ "nixfmt" ];
settings.nix.flake.autoArchive = true;
};
texlab = {
settings = {
build = {
onSave = false;
forwardSearchAfter = true;
};
forwardSearch = if pkgs.stdenv.hostPlatform.isDarwin then {
executable =
"/Applications/Skim.app/Contents/SharedSupport/displayline";
args = [ "-r" "%l" "%p" "%f" "-g" ];
} else {
executable = "/usr/bin/okular";
args = [ "--unique" "file:%p#src:%l%f" ];
};
};
};
tinymist = {
settings = {
exportPdf = "onSave";
@ -81,5 +97,12 @@
ui_font_size = 16;
wrap_guides = [ 80 92 120 ];
};
userTasks = [{
label = "latexmk (project)";
command = "latexmk";
args = [ "-synctex=1" "-pdf" "-recorder" ];
cwd = "$ZED_DIRNAME";
tags = [ "latex-build" ];
}];
};
}
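Review bot: The Linux branch of `forwardSearch` hardcodes `executable = "/usr/bin/okular"`, a path NixOS does not populate (it provides `/usr/bin/env` only), so forward search would silently do nothing on the NixOS hosts this flake manages; point it at the store path instead, e.g. `executable = lib.getExe pkgs.kdePackages.okular;` (with `lib` added to the module arguments), or rely on `PATH` via `executable = "okular";`. The Darwin branch is consistent with the `skim` cask added to corianne's brew list in this same compare. The `latexmk` user task runs in `cwd = "$ZED_DIRNAME"` without `-shell-escape`, which is the safe default; a comment such as `# No -shell-escape here: documents that need it must opt in explicitly` would keep it from being added casually later.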


@ -34,7 +34,8 @@ in {
++ [ mcentire-host ];
"secrets/darwin-policies-json.age".publicKeys = system-administrators
++ [ corianne-host ];
"secrets/freshrss.toml.age".publicKeys = system-administrators
++ [ mcentire-host ];
"secrets/network-information.age".publicKeys = system-administrators
++ [ bosephus-host ];
"secrets/pihole.age".publicKeys = system-administrators ++ [ bosephus-host ];
}
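Review bot: `"secrets/pihole.age".publicKeys = system-administrators ++ [ bosephus-host ];` survives as a context line even though this compare deletes `services/pihole.nix` and, judging by the `secrets! (pihole): Remove pihole secrets` commit and the second "Binary file not shown." entry, presumably the encrypted file itself; a stale entry means `agenix -r` will at best warn about a file that no longer exists. Drop the line so secrets.nix lists only files that are present. The new `freshrss.toml.age` entry is scoped to `mcentire-host`, which matches the host that imports `services/freshrss.nix` elsewhere in this compare.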

BIN
secrets/freshrss.toml.age Normal file

Binary file not shown.

Binary file not shown.


@ -1,101 +1,49 @@
{ pkgs, config, ... }:
let
crowdsec-port = "2763";
firewall-bouncer-name = "fw-bouncer";
# Although this key can be reproduced by anyone who actually cares to, the
# Crowdsec API will not be exposed to the outside world, so keeping this key
# super secret really isn't that important to me. Still make it look random
# so that hungry botnets can't just slurp up the password in plaintext.
firewall-bouncer-key = builtins.hashString "sha256"
"${config.networking.hostName}-crowdsec-bouncer-salt";
toMultiYAML = items:
pkgs.lib.concatMapStrings (item:
''
---
'' + (pkgs.lib.generators.toYAML { } item) + "\n") items;
in {
{ pkgs, config, ... }: {
services = {
crowdsec = {
enable = true;
allowLocalJournalAccess = true;
settings = {
api.server = { listen_uri = "127.0.0.1:${crowdsec-port}"; };
crowdsec_service.acquisition_path = pkgs.writeText "acquisitions.yaml"
(toMultiYAML [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
labels.type = "syslog";
}
{
filenames = [ "/var/log/auth.log" ];
labels.type = "syslog";
}
{
filenames = [ "/var/log/syslog" "/var/log/kern.log" ];
labels.type = "syslog";
}
]);
localConfig = {
acquisitions = [
{
source = "journalctl";
journalctl_filter = [ "_SYSTEMD_UNIT=sshd.service" ];
labels.type = "syslog";
}
{
filenames = [ "/var/log/auth.log" ];
labels.type = "syslog";
}
{
filenames = [ "/var/log/syslog" "/var/log/kern.log" ];
labels.type = "syslog";
}
];
};
hub = {
collections = [
"crowdsecurity/base-http-scenarios"
"crowdsecurity/http-cve"
"crowdsecurity/http-dos"
"crowdsecurity/iptables"
"crowdsecurity/linux"
"crowdsecurity/sshd"
"crowdsecurity/whitelist-good-actors"
];
};
settings = {
general = { api.server.enable = true; };
# See https://github.com/NixOS/nixpkgs/issues/445342
lapi.credentialsFile = "/var/lib/crowdsec/lapi-credentials.yaml";
};
autoUpdateService = true;
};
crowdsec-firewall-bouncer = {
enable = true;
settings = {
api_url = "http://localhost:${crowdsec-port}";
api_key = firewall-bouncer-key;
};
registerBouncer.enable = true;
};
};
systemd.services.crowdsec.serviceConfig = {
ExecStartPre = let
bouncer-script = pkgs.writeScriptBin "register-bouncer" ''
#!${pkgs.runtimeShell}
set -eu
set -o pipefail
if ! cscli bouncers list | grep -q "${firewall-bouncer-name}"; then
cscli bouncers add "${firewall-bouncer-name}" --key "${firewall-bouncer-key}"
fi
'';
collection-check = collection: ''
if ! cscli collections list | grep -q "${collection}"; then
cscli collections --trace install "${collection}"
sleep 1
fi
'';
collections = [
"crowdsecurity/base-http-scenarios"
"crowdsecurity/http-cve"
"crowdsecurity/http-dos"
"crowdsecurity/iptables"
"crowdsecurity/linux"
"crowdsecurity/sshd"
"crowdsecurity/whitelist-good-actors"
];
collection-script = pkgs.writeScriptBin "install-collections" ''
#!${pkgs.runtimeShell}
set -eu
set -o pipefail
# I had to run these commands in order to manually install collections
# using cscli.
# Not sure how often they should actually be run, but I would rather
# include this here.
# https://discourse.crowdsec.net/t/solved-cant-find-collections-appsec/1830
cscli capi register
sleep 1
cscli hub update
sleep 1
${pkgs.lib.concatMapStrings collection-check collections}
'';
in [
"${bouncer-script}/bin/register-bouncer"
"${collection-script}/bin/install-collections"
];
};
systemd.tmpfiles.rules = let cfg = config.services.crowdsec;
in [ "d /var/lib/crowdsec 0755 ${cfg.user} ${cfg.group}" ];
}
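Review bot: The tmpfiles rule `d /var/lib/crowdsec 0755 ${cfg.user} ${cfg.group}` leaves the directory that now holds `lapi-credentials.yaml` (per `lapi.credentialsFile`) listable by every local user; unless the bouncer unit or something else outside `${cfg.user}` must traverse it, `0750` is the better default for a directory holding API credentials, and if a key file is handed to the bouncer through it, grant that file group access instead of opening the whole directory. The removed `ExecStartPre` also ran `cscli capi register` and `cscli hub update`; `hub.collections` presumably covers the hub side, but whether the NixOS module enrolls the instance with the central API is not visible here — confirm, or document that CAPI enrollment is intentionally dropped. The whole file sits inside the hunk, so the old comment explaining the hostname-derived bouncer key disappears with it; `registerBouncer.enable = true` now takes over that job and deserves a one-line comment saying so where the bouncer is declared.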

146
services/freshrss.nix Normal file

@ -0,0 +1,146 @@
{ config, pkgs, home-manager-quadlet-nix, ... }:
let
user = "freshrss";
port = "37374";
stateDirectory = "/var/lib/freshrss";
serviceContainer = "freshrss";
stateSubDir = subDir: "${stateDirectory}/${subDir}";
createTmpfilesRule = subDir: "d ${stateSubDir subDir} 1755 ${user} ${user}";
dbDirectories = [ "database" ];
serviceDirectories = [ "data" "extensions" ];
in {
age.secrets = {
"freshrss.toml" = {
file = ./../secrets/freshrss.toml.age;
owner = "${user}";
};
};
millironx.podman-secrets.freshrss = {
user = "${user}";
secrets-files = [ config.age.secrets."freshrss.toml".path ];
};
services.caddy.virtualHosts."feeds.millironx.com".extraConfig = ''
reverse_proxy http://127.0.0.1:${port} {
header_up X-Forwarded-Port 443
}
'';
systemd.tmpfiles.rules = builtins.map createTmpfilesRule
([ stateDirectory ] ++ dbDirectories ++ serviceDirectories);
services.borgmatic.configurations."${config.networking.hostName}" = {
source_directories = builtins.map stateSubDir dbDirectories;
postgresql_databases = [{
name = serviceContainer;
psql_command =
"/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${serviceContainer}-db psql --username=${user}";
pg_dump_command =
"/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${serviceContainer}-db pg_dump --username=${user}";
pg_restore_command =
"/run/wrappers/bin/sudo -iu ${user} ${pkgs.podman}/bin/podman exec ${serviceContainer}-db pg_restore --username=${user}";
}];
};
users.users."${user}" = {
group = "${user}";
isNormalUser = true;
home = "${stateDirectory}";
createHome = true;
linger = true;
autoSubUidGidRange = true;
};
users.groups."${user}" = { };
home-manager.users."${user}" = { config, osConfig, ... }: {
imports = [ home-manager-quadlet-nix ];
home.stateVersion = "25.05";
virtualisation.quadlet = let
inherit (config.virtualisation.quadlet) containers;
inherit (config.virtualisation.quadlet) networks;
secrets = osConfig.millironx.podman-secrets.freshrss;
in {
containers = {
"${serviceContainer}-db" = {
autoStart = true;
containerConfig = {
image = "docker.io/library/postgres:16";
environments = {
POSTGRES_DB = "${user}";
POSTGRES_USER = "${user}";
};
secrets = [
"POSTGRES_PASSWORD,type=env"
"POSTGRES_PASSWORD,type=env,target=PGPASSWORD"
];
healthCmd = "pg_isready -d $\${POSTGRES_DB} -U $\${POSTGRES_USER}";
healthInterval = "30s";
healthRetries = 5;
healthStartPeriod = "20s";
volumes =
[ "${stateDirectory}/database:/var/lib/postgresql/data:U" ];
networks = [ networks."${serviceContainer}".ref ];
};
unitConfig.Requires = [ secrets.ref ];
unitConfig.After = [ secrets.ref ];
};
"${serviceContainer}" = {
autoStart = true;
containerConfig = {
image = "docker.io/freshrss/freshrss:1";
# Required to allow the container to talk to the host ports, in
# other words, to resolve Authentik correctly
addHosts = [ "auth.millironx.com:host-gateway" ];
environments = {
TZ = osConfig.time.timeZone;
CRON_MIN = "2,32";
LISTEN = "0.0.0.0:${port}";
TRUSTED_PROXY = "172.16.0.1/12 192.168.0.1/16";
OIDC_ENABLED = "1";
OIDC_PROVIDER_METADATA_URL =
"https://auth.millironx.com/application/o/freshrss/.well-known/openid-configuration";
OIDC_REMOTE_USER_CLAIM = "preferred_username";
OIDC_SCOPES = "openid email profile";
OIDC_X_FORWARDED_HEADERS =
"X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto";
};
secrets = [
"OIDC_CLIENT_ID,type=env"
"OIDC_CLIENT_SECRET,type=env"
"OIDC_CLIENT_CRYPTO_KEY,type=env"
];
healthCmd = "cli/health.php";
healthTimeout = "10s";
healthStartPeriod = "60s";
healthStartupInterval = "11s";
healthInterval = "75s";
healthRetries = 3;
networks = [ networks."${serviceContainer}".ref ];
publishPorts = [ "127.0.0.1:${port}:${port}" ];
volumes = [
"${stateDirectory}/data:/var/www/FreshRSS/data:U"
"${stateDirectory}/extensions:/var/www/FreshRSS/extensions:U"
];
};
unitConfig.Requires =
[ secrets.ref containers."${serviceContainer}-db".ref ];
unitConfig.After =
[ secrets.ref containers."${serviceContainer}-db".ref ];
};
};
networks."${serviceContainer}" = { };
autoUpdate.enable = true;
autoEscape = true;
};
};
}
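Review bot: `systemd.tmpfiles.rules` passes `stateDirectory` itself through `createTmpfilesRule`, which prepends `stateDirectory` again via `stateSubDir`, so the first rule targets `/var/lib/freshrss//var/lib/freshrss` rather than the state root (only `createHome = true` masks this). Build the rule from a full path instead: `mkTmpfilesRule = dir: "d ${dir} 0750 ${user} ${user}";` and `systemd.tmpfiles.rules = builtins.map mkTmpfilesRule ([ stateDirectory ] ++ builtins.map stateSubDir (dbDirectories ++ serviceDirectories));`. Mode `1755` (world-readable, sticky) is also too open for directories holding the Postgres data files and the FreshRSS `data/` tree that persists the OIDC configuration; `0750` suffices since only `${user}` and its rootless containers touch them. `TRUSTED_PROXY = "172.16.0.1/12 192.168.0.1/16"` has host bits set in both prefixes and trusts far more than the one address Caddy's proxied requests arrive from inside the container; write canonical prefixes (`172.16.0.0/12 192.168.0.0/16`) or, better, only the rootless network gateway address, since `OIDC_X_FORWARDED_HEADERS` makes those headers authoritative for login. Finally, borgmatic's `source_directories` covers only `database` (raw Postgres files, already dumped via `postgresql_databases`) while `data` and `extensions` are not backed up at all — this looks inverted; confirm the intent.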


@ -1,27 +0,0 @@
{ config, ... }:
{
age.secrets = {
pihole-credentials = {
file = ./../secrets/pihole.age;
owner = "root";
group = "root";
};
};
virtualisation = {
quadlet = {
containers = {
pihole = {
containerConfig = {
image = "docker.io/pihole/pihole:2025.06.2";
publishPorts =
[ "53:53/tcp" "53:53/udp" "80:80/tcp" "443:443/tcp" ];
environmentFiles = [ config.age.secrets.pihole-credentials.path ];
networks = [ "bridge" ];
dns = [ "127.0.0.1" "194.242.2.9" "9.9.9.9" ];
};
};
};
};
};
}


@ -2,7 +2,6 @@
services.samba = {
enable = true;
package = pkgs.sambaFull;
securityType = "user";
openFirewall = true;
settings = {
global = {


@ -26,9 +26,27 @@ in {
};
# Auto upgrade nix package and the daemon service.
nix.enable = true;
#services.nix-daemon.tempDir = "/nix/tmp";
nix.package = pkgs.nix;
nix = {
enable = true;
gc = {
automatic = true;
interval = { Weekday = 1; };
options = ''
--delete-older-than 14d
'';
};
# Needed for rosetta-builder, see
# <https://github.com/cpick/nix-rosetta-builder/issues/40#issuecomment-3368602687>
# <https://github.com/cpick/nix-rosetta-builder/issues/37>
linux-builder = {
enable = true;
ephemeral = true;
};
extraOptions = ''
extra-platforms = x86_64-darwin
'';
};
nix-rosetta-builder.onDemand = true;
# Create /etc/zshrc that loads the nix-darwin environment.
programs.zsh.enable = true; # default shell on catalina
@ -206,6 +224,7 @@ in {
"rig"
"rstudio"
"signal"
"skim"
"slack"
"stats"
"steam"


@ -9,7 +9,6 @@
./hardware-configuration/bosephus.nix
./hardware-configuration/bosephus-external-drives.nix
./../../services/samba.nix
./../../services/pihole.nix
];
# Bootloader.
@ -17,8 +16,8 @@
boot.loader.efi.canTouchEfiVariables = true;
# Ignore lid - so I can close without having the system go into sleep mode
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
services.logind.settings.Login.HandleLidSwitch = "ignore";
services.logind.settings.Login.HandleLidSwitchDocked = "ignore";
# Secrets
age.secrets = {


@ -7,6 +7,7 @@
./../../services/borgmatic.nix
./../../services/crowdsec.nix
./../../services/authentik.nix
./../../services/freshrss.nix
];
# Use the GRUB 2 boot loader.