Old setup for pentablet

.gitattributes

@@ -0,0 +1 @@
+*.deb filter=lfs diff=lfs merge=lfs -text

flake.lock

@@ -4,30 +4,30 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "utils": "utils"
       },
       "locked": {
-        "lastModified": 1747556789,
+        "lastModified": 1671459164,
-        "narHash": "sha256-7uHyVw9mhvTB6RS1WcIRsebBxj8SZAnlXxZarx7Xk7M=",
+        "narHash": "sha256-RbkDnvLV7WjbiF4Dpiezrf8kXxwieQXAVtY8ciRQj6Q=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e08e6e2389234000b0447e57abf61d8ccd59a68e",
+        "rev": "e7eba9cc46547ae86642ad3c6a9a4fb22c07bc26",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e08e6e2389234000b0447e57abf61d8ccd59a68e",
         "type": "github"
       }
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1769086393,
+        "lastModified": 1671467847,
-        "narHash": "sha256-3ymIZ8s3+hu7sDl/Y48o6bwMxorfKrmn97KuWiw1vjY=",
+        "narHash": "sha256-eIeZIQbbW0QYDW0nhDaieokw6VakPO3TyJ3RmxqGHOs=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "9f7ba891ea5fc3ededd7804f1a23fafadbcb26ca",
+        "rev": "25010a042c23695ae457a97aad60e9b1d49f2ecc",
         "type": "github"
       },
       "original": {
@@ -38,17 +38,33 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1768649915,
+        "lastModified": 1669833724,
-        "narHash": "sha256-jc21hKogFnxU7KXSVTRmxC7u5D4RHwm9BAvDf5/Z1Uo=",
+        "narHash": "sha256-/HEZNyGbnQecrgJnfE8d0WC5c1xuPSD2LUpB6YXlg4c=",
-        "owner": "NixOS",
+        "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "3e3f3c7f9977dc123c23ee21e8085ed63daf8c37",
+        "rev": "4d2b37a84fad1091b9de401eb450aae66f1a741e",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
+        "owner": "nixos",
-        "ref": "release-25.05",
+        "repo": "nixpkgs",
-        "type": "indirect"
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1671459584,
+        "narHash": "sha256-6wRK7xmeHfClJ0ICOkax1avLZVGTDqBodQlkl/opccY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "87b58217c9a05edcf7630b9be32570f889217aef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-22.11",
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "root": {
@@ -63,14 +79,15 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ]
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1768863606,
+        "lastModified": 1671472949,
-        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
+        "narHash": "sha256-9iHSGpljCX+RypahQssBXPwkru9onfKfceCTeVrMpH4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
+        "rev": "32840f16ffa0856cdf9503a8658f2dd42bf70342",
         "type": "github"
       },
       "original": {
@@ -78,6 +95,21 @@
         "repo": "sops-nix",
         "type": "github"
       }
+    },
+    "utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -2,13 +2,12 @@
   description = "NixOS configurations for my machines";
 
   inputs = {
-    nixpkgs.url = "nixpkgs/release-25.05";
+    nixpkgs.url = github:nixos/nixpkgs;
     nixos-hardware = {
       url = github:nixos/nixos-hardware;
     };
     home-manager = {
-      # url = github:nix-community/home-manager;
+      url = github:nix-community/home-manager;
-      url = github:nix-community/home-manager/e08e6e2389234000b0447e57abf61d8ccd59a68e;
       inputs.nixpkgs.follows = "nixpkgs";
     };
     sops-nix = {
@@ -59,7 +58,7 @@
       ];
       # ThinkCentre M700 mini-pc (server)
       cj = mkNixosSystem [
-        #nixos-hardware.nixosModules.common-pc-hdd
+        nixos-hardware.nixosModules.common-pc-hdd
         nixos-hardware.nixosModules.common-cpu-intel-cpu-only
         ./machines/cj/configuration.nix 
       ];

home/jacob.nix

@@ -40,6 +40,7 @@
       inconsolata
       jq
       keyutils  # for keyctl, used by some bitwarden scripts like qute-bitwarden
+      krita
       libreoffice
       logseq
       mupdf
@@ -47,7 +48,6 @@
       #openscad
       #pandoc
       pavucontrol
-      qalculate-qt
       ripgrep
       rofi
       scli
@@ -56,12 +56,13 @@
       sops
       speedcrunch
       spotify
-      #spotify-tui  # this has been removed as of 2024.05
+      spotify-tui
       sxiv
       #texlive.combined.scheme-full
       tree
       unzip
       xclip
+      xournal
       xpra
       zathura
       zoom-us
@@ -153,7 +154,11 @@
     };
     firefox = {
       enable = true;
-      #nativeMessagingHosts.packages = [ pkgs.tridactyl-native ];
+      package = pkgs.firefox.override {
+        cfg = {
+          enableTridactylNative = true;
+        };
+      };
     };
     git = {
       enable = true;
@@ -201,7 +206,39 @@
       enable = true;
       settings.email = "jacob.hinkle@gmail.com";
     };
-    ssh = import ./ssh.nix;
+    ssh = {
+      enable = true;
+      matchBlocks = {
+        login1 = {
+          hostname = "login1.ornl.gov";
+          user = "4jh";
+        };
+        lucky = {
+          hostname = "lucky.ornl.gov";
+          user = "4jh";
+          proxyJump = "login1";
+        };
+        murdock = {
+          hostname = "murdock.ornl.gov";
+          user = "4jh";
+          proxyJump = "login1";
+        };
+        penny = {
+          hostname = "192.168.88.18";
+          user = "jhinkle";
+        };
+        dlcluster = {
+          hostname = "dlcluster.nvidia.com";
+          user = "jhinkle";
+          proxyJump = "penny";
+        };
+        router ={
+          hostname = "192.168.88.1";
+          user = "jacob";
+          port = 2200;
+        };
+      };
+    };
     tmux = import ./tmux.nix;
     xmobar = {
       enable = true;
@@ -229,7 +266,7 @@
         ];
         theme = "michelebologna"; # nice clean theme that shows jobs
       };
-      initContent = ''
+      initExtra = ''
         # michelebologna theme doesn't have an RPROMPT, but I like the one from
         # the clean theme
         RPROMPT='[%*]'
@@ -257,12 +294,14 @@
         "--fx ''"  # don't apply effects
       ];
     };
+    dunst = {
+      enable = true;
+    };
     flameshot.enable = true;
     mbsync = {
       enable = true;
       verbose = true;
     };
-    network-manager-applet.enable = true;
     spotifyd = {
       enable = false;
       settings = {
@@ -277,7 +316,7 @@
       };
     };
     syncthing = {
-      enable = false;
+      enable = true;
       # cause the tray command to wait for the service and tray manager to start
       extraOptions = [ "--wait" ];
       tray.enable = true;
@@ -320,5 +359,9 @@
         config = ./xmonad.hs;
       };
     };
+    initExtra = ''
+      xinput --map-to-output 'HANVON UGEE Artist 16(2nd Gen) Mouse' DP-1
+      xinput --map-to-output 'HANVON UGEE Artist 16(2nd Gen)' DP-1
+      '';
   };
 }

home/ssh.nix

@@ -1,34 +0,0 @@
-{
-  enable = true;
-  matchBlocks = {
-    login1 = {
-      hostname = "login1.ornl.gov";
-      user = "4jh";
-    };
-    lucky = {
-      hostname = "lucky.ornl.gov";
-      user = "4jh";
-      proxyJump = "login1";
-    };
-    murdock = {
-      hostname = "murdock.ornl.gov";
-      user = "4jh";
-      proxyJump = "login1";
-    };
-    penny = {
-      #hostname = "192.168.88.18";
-      hostname = "192.168.88.13";
-      user = "jhinkle";
-    };
-    dlcluster = {
-      hostname = "dlcluster.nvidia.com";
-      user = "jhinkle";
-      proxyJump = "penny";
-    };
-    router ={
-      hostname = "192.168.88.1";
-      user = "jacob";
-      port = 2200;
-    };
-  };
-}

home/xmobarrc

@@ -34,12 +34,12 @@ Config { overrideRedirect = False
                         , "--"
                         , "--on", ""
                         ]
-                    , Run Memory ["--template", "<usedratio>"] 10
+                    , Run Memory ["--template", "Mem: <usedratio>%"] 10
                     , Run Swap [] 10
-                    , Run Date "%Y%m%d <fc=#8be9fd>%H:%M</fc>" "date" 10
+                    , Run Date "%a %Y-%m-%d <fc=#8be9fd>%H:%M</fc>" "date" 10
                     , Run XMonadLog
                     ]
        , sepChar  = "%"
        , alignSep = "}{"
-       , template = "%XMonadLog% }{A%alsa:default:Master%M%memory%%cpu%B%battery% %date%"
+       , template = "%XMonadLog% }{ Sound: %alsa:default:Master% | %cpu% | %memory% * %swap% | BAT1: %battery% | %date% "
        }

home/xmonad.hs

@@ -78,29 +78,28 @@ myXmobarPP = def
     { ppSep             = magenta " • "
     , ppTitleSanitize   = xmobarStrip
     , ppCurrent         = wrap " " "" . xmobarBorder "Top" "#8be9fd" 2
-    , ppHidden          = lightGreen . wrap " " ""
+    , ppHidden          = white . wrap " " ""
-    , ppHiddenNoWindows = gray . wrap " " ""
+    , ppHiddenNoWindows = lowWhite . wrap " " ""
     , ppUrgent          = red . wrap (yellow "!") (yellow "!")
     , ppOrder           = \[ws, l, _, wins] -> [ws, l, wins]
     , ppExtras          = [logTitles formatFocused formatUnfocused]
     }
   where
     formatFocused   = wrap (white    "[") (white    "]") . magenta . ppWindow
-    formatUnfocused = wrap (gray "[") (gray "]") . blue    . ppWindow
+    formatUnfocused = wrap (lowWhite "[") (lowWhite "]") . blue    . ppWindow
 
     -- | Windows should have *some* title, which should not not exceed a
     -- sane length.
     ppWindow :: String -> String
     ppWindow = xmobarRaw . (\w -> if null w then "untitled" else w) . shorten 30
 
-    blue, gray, magenta, lightGreen, red, white, yellow :: String -> String
+    blue, lowWhite, magenta, red, white, yellow :: String -> String
     magenta  = xmobarColor "#ff79c6" ""
-    lightGreen = xmobarColor "#bbffbb" ""
+    blue     = xmobarColor "#bd93f9" ""
-    blue     = xmobarColor "#bdbdf9" ""
     white    = xmobarColor "#f8f8f2" ""
     yellow   = xmobarColor "#f1fa8c" ""
     red      = xmobarColor "#ff5555" ""
-    gray = xmobarColor "#888888" ""
+    lowWhite = xmobarColor "#bbbbbb" ""
 
 addlWorkspaces :: [String]
 addlWorkspaces = ["0", "-", "=", "i"]

machines/buck/configuration.nix

@@ -8,17 +8,16 @@
   inputs,
   sops,
   ...
-}: {
+}:
+let
+  xp_pen_pentablet = pkgs.callPackage ./xp_pen_pentablet.nix {};
+in
+{
   imports = [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
   ];
 
-  nixpkgs.config.permittedInsecurePackages = [
-      "electron-25.9.0"
-    ];
-
-
   # This lets us pin the nixpkgs registry by default to the nixpkgs used to build this system.
   # Doing this means we are less likely to require the 30+MB download when
   # running commands like nix search or nix run
@@ -61,9 +60,8 @@
   networking = {
     hostName = "buck"; # Define your hostname.
     enableIPv6 = true;
-    networkmanager.enable = true;
+    wireless = {
-    wireless = { # wpa_supplicant
+      enable = true;
-      enable = false;
       userControlled.enable = true;
       environmentFile = "/run/secrets/wifi/env";
       networks = {
@@ -97,6 +95,7 @@
     networkmanagerapplet
     vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
     wget
+    xp_pen_pentablet
   ];
 
   # Some programs need SUID wrappers, can be configured further or are
@@ -170,20 +169,26 @@
       enable = true;
     };
 
-    rpcbind.enable = true;  # for NFS
-
     syncthing = import ./syncthing.nix;
 
     udev.extraRules = ''
     ACTION=="add", SUBSYSTEM=="backlight", KERNEL=="intel_backlight", MODE="0666", RUN+="${pkgs.coreutils}/bin/chmod a+w /sys/class/backlight/%k/brightness"
-  '';
+    KERNEL=="hidraw", SUBSYSTEM=="hidraw", MODE="0664", GROUP="plugdev"
 
-    tailscale.enable = true;
+    # For XP-PEN tablet
+    # From the official driver
+    KERNEL=="uinput",MODE:="0666",OPTIONS+="static_node=uinput"
+    SUBSYSTEMS=="usb",ATTRS{idVendor}=="28bd",MODE:="0666"
+j
+    #KERNEL=="event[0-9]*", SUBSYSTEM=="input", SUBSYSTEMS=="usb", ATTRS{idVendor}=="28bd", ATTRS{idProduct}=="094c", MODE="0664", GROUP="plugdev"
+    #KERNEL=="mouse[0-9]*", SUBSYSTEM=="input", SUBSYSTEMS=="usb", ATTRS{idVendor}=="28bd", ATTRS{idProduct}=="094c", MODE="0664", GROUP="plugdev"
+  '';
 
     # Enable the X11 windowing system. services.xserver.enable = true;
     xserver = {
       enable = true;
       dpi = 112;  # t470 has a 14" 16:9 monitor at native res 1366x768
+      digimend.enable = true;
       displayManager = {
         defaultSession = "none+i3";
         autoLogin = {
@@ -202,6 +207,7 @@
           disableWhileTyping = true;
         };
       };
+      #wacom.enable = true;
       windowManager.i3 = {
         enable = true;
         extraPackages = with pkgs; [
@@ -218,31 +224,6 @@
   services.thermald.enable = true;
   services.fwupd.enable = true;
 
-  systemd.mounts = let
-    nfsOpts = {
-      type = "nfs";
-      mountConfig = {
-        Options = "noatime";
-      };
-    };
-    nas = "100.64.0.5";  # synnas over tailscale
-  in [
-    (nfsOpts // {
-      what = "${nas}:/homes/jacob/Photos";
-      where = "/nas/photos";
-    })
-  ];
-  systemd.automounts = let
-    autoMountOpts = {
-      wantedBy = [ "multi-user.target" ];
-      automountConfig = {
-        TimeoutIdleSec = "600";
-      };
-    };
-  in [
-    (autoMountOpts // { where = "/nas/photos"; })
-  ];
-
   # Enable the OpenSSH daemon.
   # services.openssh.enable = true;
 

machines/buck/hardware-configuration.nix

@@ -18,13 +18,12 @@
   boot.extraModulePackages = [];
 
   fileSystems."/" = {
-    #device = "/dev/disk/by-uuid/cc13728f-a446-49db-98fc-51db875bba20";
+    device = "/dev/disk/by-uuid/cc13728f-a446-49db-98fc-51db875bba20";
-    device = "/dev/disk/by-uuid/a04773e7-3ccd-4d10-908d-53896b910f61";
     fsType = "ext4";
   };
 
   fileSystems."/boot/efi" = {
-    device = "/dev/disk/by-uuid/0EB1-1189";
+    device = "/dev/disk/by-uuid/164F-882B";
     fsType = "vfat";
   };
 
@@ -47,4 +46,10 @@
 
   powerManagement.cpuFreqGovernor = "powersave";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  # for XP-Pen tablet
+  #hardware.opentabletdriver = {
+    #enable = true;
+    #package = patchedOTD;
+  #};
 }

machines/buck/syncthing.nix

@@ -1,5 +1,5 @@
 {
-  enable = false;
+  enable = true;
   user = "jacob";
   dataDir = "/home/jacob/Sync";
   #guiAddress = "0.0.0.0:8234";  # for headless

machines/buck/xp_pen_pentablet.nix

@@ -25,7 +25,7 @@
 , lib
 , fetchurl
 , glib
-, dbus_libs
+, dbus
 , dpkg
 , autoPatchelfHook
 , writeShellScript
@@ -44,7 +44,7 @@
 
 stdenv.mkDerivation rec {
   pname = "xp_pen_driver";
-  version = "3.2.0.210804-1";
+  version = "3.3.9.230222-1";
   
   src = fetchurl {
     #url = "https://github.com/peterwilli/XP-Pen-Pentablet-Driver-for-Nixos/releases/download/3.2.0.210804-1/XP-PEN-pentablet-3.2.0.210804-1.x86_64.deb";
@@ -59,7 +59,7 @@ stdenv.mkDerivation rec {
     zlib
     libGL
     libusb
-    dbus_libs
+    dbus
     fontconfig
     glib
     freetype
@@ -81,6 +81,7 @@ stdenv.mkDerivation rec {
     chmod 755 "$out"
 
     chmod a+x $out/usr/lib/pentablet/pentablet.sh
+    chmod a+x $out/usr/lib/pentablet/pentablet
     runHook postInstall
     mkdir -p $out/bin
     makeWrapper $out/usr/lib/pentablet/pentablet.sh $out/bin/pentablet

machines/cj/configuration.nix

@@ -7,10 +7,6 @@
       ./hardware-configuration-zfs.nix
     ];
 
-  nixpkgs.config.permittedInsecurePackages = [
-    "electron-27.3.11"
-  ];
-
   # This lets us pin the nixpkgs registry by default to the nixpkgs used to build this system.
   # Doing this means we are less likely to require the 30+MB download when
   # running commands like nix search or nix run
@@ -61,9 +57,9 @@
     # Aliases subdomains we serve here. Since we bypass pihole locally to avoid
     # circular lookups, we can set local addresses here instead of using local
     # dns in pihole (or global dns which would resolve to our WAN ips).
-    #extraHosts = ''
+    extraHosts = ''
-    #  127.0.0.1 git.jhink.org home.jhink.org
+      127.0.0.1 git.jhink.org vault.jhink.org home.jhink.org
-    #  '';
+      '';
 
 
     # The global useDHCP flag is deprecated, therefore explicitly set to false here. Per-interface useDHCP will be mandatory in the future, so this generated config replicates the default behaviour.
@@ -79,20 +75,18 @@
     wireless = {
       enable = false; # turn of wifi until needed
       userControlled.enable = true;
-      #environmentFile = "/run/secrets/wifi/env";
+      environmentFile = "/run/secrets/wifi/env";
-      secretsFile = "/run/secrets/wifi/env";
       networks = {
-        home.pskRaw = "ext:PSKRAW_HOME";
+        "@SSID_HOME@" = {
-        #"@SSID_HOME@" = {
+          pskRaw = "@PSKRAW_HOME@";
-          #pskRaw = "@PSKRAW_HOME@";
+        };
-        #};
       };
     };
     firewall = import ./firewall.nix;
     timeServers = [ "192.168.88.1" ] ++ options.networking.timeServers.default;
   };
 
-  #hardware.video.hidpi.enable = false;
+  hardware.video.hidpi.enable = false;
   hardware.enableRedistributableFirmware = true;
   #hardware.pulseaudio = {
   #enable = true;
@@ -101,6 +95,9 @@
   #};
   hardware.bluetooth.enable = false;
 
+  # Enable sound.
+  sound.enable = false;
+
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.jacob = {
     isNormalUser = true;
@@ -121,41 +118,36 @@
   #   enable = true; enableSSHSupport = true;
   # };
 
-  programs.zsh.enable = true;
-
   security.rtkit.enable = true; # recommended for pipewire
 
   # enable acme for certbot
-  #security.acme = {
+  security.acme = {
-    #acceptTerms = true;
+    acceptTerms = true;
-    #defaults = {
+    defaults = {
-      #email = "jacob.hinkle@gmail.com";
+      email = "jacob.hinkle@gmail.com";
-    #};
+    };
-  #};
+  };
 
   virtualisation.oci-containers.containers = let
     ips = {
-      # tailscale IP for IPV4 services
+      serverIP = "192.168.88.21";  # v4 address
-      serverIP = "100.102.82.27";  # v4 address
 
       # link-local IP = fe80:${suffix}
       # external IP = ${externalprefix}:${suffix}
       #externalprefix = "2601:843:c200:20b";
       #ipv6suffix = "223:24ff:fea9:a97";
-      # IPV6 external IP should not need to use tailscale
       serverIP6 = "2601:843:c200:20b:223:24ff:fea9:a97";  # external IP
       #serverIP6 = "fe80::223:24ff:fea9:a97";  # link-local IP
     };
   in {
     home-assistant = import ./home-assistant.nix ips;
-    open-webui = import ./open-webui.nix ips;
     pihole = import ./pihole.nix ips;
-    unifi = import ./unifi.nix ips;
-    vaultwarden = import ./vaultwarden.nix ips;
   };
 
   # List services that you want to enable:
   services = {
+    chrony.enable = true;
+
     fail2ban = {
       enable = true;
       maxretry = 5;
@@ -163,7 +155,6 @@
         "127.0.0.0/8"     # localhost
         "192.168.0.0/16"  # LAN
         "160.91.241.229"  # lucky
-        "100.64.0.0"      # tailscale
       ];
     };
 
@@ -174,23 +165,6 @@
     # Enable the OpenSSH daemon.
     openssh.enable = true;
 
-    # This is an ollama frontend. Formerly called ollama-webui
-    open-webui = {
-      # We now use docker instead
-      enable = false;
-      environment = {
-        ANONYMIZED_TELEMETRY = "False";
-        DO_NOT_TRACK = "True";
-        SCARF_NO_ANALYTICS = "True";
-        OLLAMA_API_BASE_URL = "http://192.168.88.18:11434";
-        OLLAMA_BASE_URL = "http://192.168.88.18:11434";
-        DATA_DIR = "/serverdata/open-webui/data";
-      };
-      host = "cj.monster-squeaker.ts.net";
-      port = 8687;
-      stateDir = "/serverdata/open-webui/state";
-    };
-
     pipewire = {
       enable = true;
       alsa.enable = true;
@@ -204,37 +178,16 @@
       #media-session.enable = true;
     };
 
-    searx = {
-      enable = false;
-      redisCreateLocally = true;
-      settings.server = {
-        bind_address = "::1";
-        port = 6789;
-        secret_key = config.sops.secrets.searxng.key;
-      };
-    };
-
     syncthing = import ./syncthing.nix;
 
-    tailscale = {
-      enable = true;
-      extraUpFlags = "--accept-dns=false";
-      openFirewall = true;
-    };
-
-    timesyncd.enable = true;
-
     unifi = {
-      # This was causing a full build of mongodb on every nixos-rebuild.
+      enable = true;
-      # Instead, let's migrate to using the docker image
-      enable = false;
       openFirewall = true;
       unifiPackage = pkgs.unifiStable;
     };
 
     vaultwarden = {
-      # We use a docker container for vaultwarden now
+      enable = true;
-      enable = false;
       config = {  # https://github.com/dani-garcia/vaultwarden/blob/1.25.2/.env.template
         DOMAIN = "https://vault.jhink.org";
         ROCKET_ADDRESS = "0.0.0.0";
@@ -246,14 +199,20 @@
     # Enable the X11 windowing system.
     xserver = {
       enable = true;
+      dpi = 180;
       displayManager = {
+        defaultSession = "none+i3";
+        autoLogin = {
+          enable = true;
+          user = "jacob";
+        };
         lightdm = {
           enable = true;
           greeter.enable = false;
         };
       };
-      dpi = 180;
+      layout = "us";
-      xkb.layout = "us";
+      libinput.enable = true;
       windowManager.i3 = {
         enable = true;
         extraPackages = with pkgs; [
@@ -265,15 +224,6 @@
       };
     };
 
-    libinput.enable = true;
-    displayManager = {
-      defaultSession = "none+i3";
-      autoLogin = {
-        enable = true;
-        user = "jacob";
-      };
-    };
-
     # ZFS services
     zfs = {
       trim.enable = true;
@@ -289,20 +239,6 @@
     };
   };
 
-  power.ups = {
-    enable = false;
-    mode = "netserver";
-    ups."myups" = {
-      driver = "usbhid-ups";
-      description = "CJ UPS";
-      port = "auto";
-    };
-  };
-
-  #environment.etc."nut/upsd.conf".source = ./config/upsd.conf;
-  #environment.etc."nut/upsd.users".source = ./config/upsd.users;
-  #environment.etc."nut/upsmon.conf".source = ./config/upsmon.conf;
-
   # Due to bug in home assistant, this workaround is suggested temporarily as of May 6, 2022
   # https://github.com/nix-community/home-manager/issues/2942#issuecomment-1119760100
   #nixpkgs.config.allowUnfree = true;

machines/cj/firewall.nix

@@ -4,13 +4,13 @@
     8080 8443 6789 8880 8843 27117  # unifi controller: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Network-Required-Ports-Reference
     8585  # pihole web
     53 # pihole
-    8123  # home-assistant
+    #8123  # home-assistant
-    3000  # gitea
+    #3000  # gitea
-    8022  # vaultwarden
+    8081  # vaultwarden
     80 443  # reverse proxy
   ];
   allowedUDPPorts = [
-    #22000 21027  # syncthing
+    22000 21027  # syncthing
     3478 5514 10001 1900 123 # unifi
     53  # pihole
     80 443  # reverse proxy
@@ -18,8 +18,4 @@
   allowedUDPPortRanges = [
     { from = 5656; to = 5699; }  # unifi
   ];
-
-  # This should not really be necessary unless we use an exit node or subnet
-  # with tailscale I think.
-  checkReversePath = "loose";
 }

machines/cj/gitea.nix

@@ -1,5 +1,9 @@
 {
   enable = true;
+  domain = "git.jhink.org";
+  rootUrl = "https://git.jhink.org";
+  httpPort = 3000;
+  httpAddress = "127.0.0.1";
   lfs = {
     enable = true;
     contentDir = "/serverdata/gitea/lfs_content";
@@ -9,13 +13,5 @@
     repository = {
       DEFAULT_BRANCH = "main";
     };
-    server = {
-      DOMAIN = "git.jhink.org";
-      ROOT_URL = "https://git.jhink.org";
-      HTTP_PORT = 3000;
-      HTTP_ADDR = "0.0.0.0";
-      START_SSH_SERVER = "true";
-      SSH_PORT = 22222;
-    };
   };
 }

machines/cj/hardware-configuration-zfs.nix

@@ -20,7 +20,7 @@
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   # high-resolution display
-  #hardware.video.hidpi.enable = lib.mkDefault true;
+  hardware.video.hidpi.enable = lib.mkDefault true;
 
   fileSystems."/" = {
     device = "none";
@@ -51,12 +51,6 @@
       neededForBoot = true;
     };
 
-  fileSystems."/tmp" =
-    { device = "rpool/nixos/tmp";
-      fsType = "zfs";
-      neededForBoot = true;
-    };
-
   fileSystems."/var/lib" =
     { device = "rpool/nixos/var/lib";
       fsType = "zfs";
@@ -86,11 +80,6 @@
       fsType = "zfs";
       neededForBoot = true;
     };
-  fileSystems."/serverdata/open-webui" =
-    { device = "rpool/serverdata/open-webui";
-      fsType = "zfs";
-      neededForBoot = true;
-    };
   fileSystems."/serverdata/pihole" =
     { device = "rpool/serverdata/pihole";
       fsType = "zfs";
@@ -101,16 +90,6 @@
       fsType = "zfs";
       neededForBoot = true;
     };
-  fileSystems."/serverdata/unifi" =
-    { device = "rpool/serverdata/unifi";
-      fsType = "zfs";
-      neededForBoot = true;
-    };
-  fileSystems."/serverdata/vaultwarden" =
-    { device = "rpool/serverdata/vaultwarden";
-      fsType = "zfs";
-      neededForBoot = true;
-    };
 
   fileSystems."/home" =
     { device = "rpool/userdata/home";
@@ -130,18 +109,6 @@
       neededForBoot = true;
     };
 
-  fileSystems."/nfs/homes" =
-    { device = "192.168.88.88:/volume1/homes";
-      fsType = "nfs";
-      neededForBoot = false;
-    };
-
-  fileSystems."/nfs/shared_photos" =
-    { device = "192.168.88.88:/volume1/photo";
-      fsType = "nfs";
-      neededForBoot = false;
-    };
-
   swapDevices = [
     {
       device = "/dev/disk/by-partuuid/6bf463d0-107f-489e-be29-704442ea3150";

machines/cj/home-assistant.nix

@@ -1,6 +1,6 @@
 serverIP :
 {
-  image = "ghcr.io/home-assistant/home-assistant:2024.11.0";
+  image = "ghcr.io/home-assistant/home-assistant:2023.6.3";
   #ports = [
     #"8123:8123"
   #];

machines/cj/nginx.nix

@@ -1,10 +1,10 @@
 {
-  enable = false;
+  enable = true;
   recommendedProxySettings = true;
   virtualHosts = let
     simpleProxy = ip: {
-      forceSSL = false;
+      forceSSL = true;
-      enableACME = false;
+      enableACME = true;
       extraConfig = ''
         proxy_buffering off;
       '';

machines/cj/open-webui.nix

@@ -1,19 +0,0 @@
-{ serverIP, serverIP6 } : {
-  image = "ghcr.io/open-webui/open-webui:0.6.26";
-  ports = [
-    "8687:8080"
-  ];
-  environment = {
-    TZ = "America/New_York";
-
-    WEBUI_URL = "http://cj.monster-squeaker.ts.net:8687";
-    ANONYMIZED_TELEMETRY = "False";
-    DO_NOT_TRACK = "True";
-    SCARF_NO_ANALYTICS = "True";
-    USE_OLLAMA = "False";
-    OLLAMA_BASE_URL = "http://192.168.88.18:11434";
-  };
-  volumes = [
-    "/serverdata/open-webui/data:/app/backend/data"
-  ];
-}

machines/cj/pihole.nix

@@ -1,9 +1,9 @@
 { serverIP, serverIP6 } : {
-  image = "pihole/pihole:2025.06.2";
+  image = "pihole/pihole:2023.05.2";
   ports = [
     "53:53/tcp"
     "53:53/udp"
-    "8585:80"
+    #"8088:80"
     #"4438:443"
   ];
   environment = {
@@ -24,7 +24,7 @@
   ];
   extraOptions = [
     #"--cap-add=NET_ADMIN"
-    #"--network=host"
+    "--network=host"
     "--no-hosts" # do not populate internal /etc/hosts with container host's
   ];
 }

machines/cj/syncthing.nix

@@ -1,5 +1,5 @@
 {
-  enable = false;
+  enable = true;
   dataDir = "/serverdata/syncthing/";
   user = "jacob";
   group = "users";

machines/cj/unifi.nix

@@ -1,19 +0,0 @@
-{ serverIP, serverIP6 } : {
-  image = "jacobalberty/unifi:v10.0";
-  ports = [
-    "8080:8080"
-    "8443:8443"
-    "3478:3478/udp"
-  ];
-  environment = {
-    TZ = "America/New_York";
-  };
-  volumes = [
-    "/serverdata/unifi:/unifi"
-  ];
-  extraOptions = [
-    "--cap-add=NET_ADMIN"
-    "--network=host"
-    #"--no-hosts" # do not populate internal /etc/hosts with container host's
-  ];
-}

machines/cj/vaultwarden.nix

@@ -1,18 +0,0 @@
-{ serverIP, serverIP6 } : {
-  image = "vaultwarden/server:1.32.6";
-  ports = [
-    "8022:80"
-  ];
-  environment = {
-    TZ = "America/New_York";
-  };
-  volumes = [
-    "/serverdata/vaultwarden:/data"
-  ];
-  extraOptions = [
-    #"--cap-add=NET_ADMIN"
-    #"--network=host"
-    #"--no-hosts" # do not populate internal /etc/hosts with container host's
-  ];
-}
-

secrets.yaml

@@ -8,8 +8,6 @@ email:
         password: ENC[AES256_GCM,data:db0Wll4B8eXYc70dsIuYbw==,iv:2g4fE2GQyKxiVMkOQqOCPjAISdlXElvWYt0XKPEOWv0=,tag:73ymkTNGUlVccJFXjT40EA==,type:str]
 pihole:
     webpassword: ENC[AES256_GCM,data:bqBbGE5M4LUukMh7vQA=,iv:YhKaO2WQq5Ar9aKitgRTbDU2Ld2Cdc0wmrcQZ92lztY=,tag:UGnerGhtQBjO+n4LobdSyg==,type:str]
-searxng:
-    key: ENC[AES256_GCM,data:RayEL/8Pi7+j3T6fWRV142uw0P7Vlm15FWB14Lcfg/5xz+TpB6W4d8ivAM9ZTNG3CZGUwziAoP8qApYjxOeTqA==,iv:IecQ9nHuUaXa8B2y9Y/FryIbdq/oi5EbEuaZ4XaR4wg=,tag:cDJr1AVqG4tgtvPe6ujtxQ==,type:str]
 spotify:
     username: ENC[AES256_GCM,data:EXLRJXrHsP+k,iv:5pvHLVnrtG+oZEPZsBY/4/+b9QQEBTT7jiPvmkBHAWY=,tag:gcCJqgBd7b2+e2k0oIVY8w==,type:str]
     password: ENC[AES256_GCM,data:DHj06DfPU98C,iv:wxinj4sLt8rQ6hW4NtxIHQPnAJ3acXRXQHRsRaoiGR8=,tag:b7ota0m1gpwSZYSDY1Uj+A==,type:str]
@@ -21,6 +19,10 @@ wifi:
         PSKRAW_HOME=base64 output from wpa_passphrase
     env: ENC[AES256_GCM,data:a2m3FI0SmpbM2hhNbEdNhWWxgNyhXRDN9/LFiRMyFEr9Nf3NvkteZCdf/CCc81GAl/aKqqqCt49HQEiSRwzw2wc3XKmbQPxw6tmK4mCd4pP7YmPpg6tacLd8CzjtCG9J248W0qqTYUIU3+kuDcY6Tdp97KxJDINVbA==,iv:kXltdSsKkXwhIaWywFYMUGJCmMgaxv8FqhdBbjuyVSU=,tag:GvkevELXFKU31mmRGsFjDw==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
     age:
         - recipient: age16k5tturaeszpxugxawmfsxkrce2cfvp06s00eaxcee243anu4qysnjfr70
           enc: |
@@ -58,7 +60,8 @@ sops:
             WVUwaEIwWTFFTExyT3hLSC9wODhJdGcKWsNIUsT06qYA9vUVeFHQrCdcn2MkHt+w
             Rr7W+4uaNb8Qxo/NUp9kodE9m/fg9XVd8wM7HUP4wJC0rE4GSnFvGg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-09-03T12:29:15Z"
+    lastmodified: "2022-09-27T13:16:21Z"
-    mac: ENC[AES256_GCM,data:K7Q4h102XDk6s0jy6X3sRzIESbFnu8Z1I8u82yC2Xbfh8gHvQ+rqTjEC9sh+tmUpB9P8sQHA08FwPsQkiScY7CNVxXXeCzALJVS/qhLlOEC4PEOqUH2PZZHsDVslQtZT6JmB9mixCl69Ihx+CKt2+ddesXdGxuTGaH9cldORNQQ=,iv:RheBWo3bG9z+JAq2kg79ifaMRgRDNGyxHnCmMi7v/+U=,tag:CJUHJC68Cfi+whhy4McBqA==,type:str]
+    mac: ENC[AES256_GCM,data:UkvaiVtsbMKNeMKlf6N6N0dxQWAUxT2VMQrhMJFqwdyRoFvTQ+4a27sXHIQgr+G+BAnsFBeWFjA3SS+YhHcDYCx1boXMhdoFeNjVZ2TUURX/KazcIwJNGmrt4qMK7BkfUu1mLa58pxie+XSY1MBRwByg7rnLaSJzNiWgqgLRGy0=,iv:7kBE0EKhvesWToa6+At0yWt1IzTWipv0fSvopA2PUXg=,tag:0e+5Gu5Ajw7r3AgeJLg+EQ==,type:str]
+    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.7.3