jacob/nix_config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

merge into: jacob:pentablet
Branches Tags
jacob:main
jacob:pentablet
...
pull from: jacob:main
Branches Tags
jacob:main
jacob:pentablet

41 Commits
pentablet ... main

Author SHA1 Message Date
Jacob Hinkle
653c9a3a73 Update versions 2026-01-28 09:19:32 -05:00
Jacob Hinkle
4df2ae8c36 Committing some old changes 2026-01-24 15:17:50 -05:00
Jacob Hinkle
121f7b4f7e initExtra -> initContent 2025-09-01 11:15:17 -04:00
Jacob Hinkle
ff1d06a513 Bump open-webui version 2025-09-01 11:15:04 -04:00
Jacob Hinkle
64cf9fa5d5 flake update 2025-09-01 11:14:55 -04:00
Jacob Hinkle
14513e894a Update open-webui 2025-09-01 10:31:19 -04:00
Jacob Hinkle
719511cee4 Upgrade to 25.05 2025-08-25 09:26:04 -04:00
Jacob Hinkle
0daf378156 nix flake update 2025-08-25 08:55:43 -04:00
Jacob Hinkle
b2b899b67a Flake update (old) 2025-08-25 08:20:16 -04:00
Jacob Hinkle
99feef450c Set up pihole. Updates 2025-08-25 08:19:57 -04:00
Jacob Hinkle
d22a5f0db1 Add open-webui. Perms on data dir might be wrong 2025-08-25 08:19:25 -04:00
Jacob Hinkle
ecaa0e698c Upgrade pihole to 2025.04.0 2025-05-12 07:11:08 -04:00
Jacob Hinkle
ec401a182c Update flake.lock again (today's version) 2024-12-13 08:34:02 -05:00
Jacob Hinkle
9c4ba91586 Update flake.lock 2024-12-13 08:33:35 -05:00
Jacob Hinkle
b17fb9ca92 Bump vaultwarden docker version 2024-12-13 08:33:24 -05:00
Jacob Hinkle
0d816ce410 Update home-assistant docker version 2024-12-13 08:33:12 -05:00
Jacob Hinkle
76016688a4 Update to 2024.11-pre 2024-09-05 08:25:56 -04:00
Jacob Hinkle
bd15f1ea02 Add qalculate-qt 2024-05-24 08:44:00 -04:00
Jacob Hinkle
61b5585057 Update tailscale IPs for cj 2024-05-24 08:43:58 -04:00
Jacob Hinkle
c0cbf36122 Change colors in xmobar 2024-05-24 08:43:32 -04:00
Jacob Hinkle
a6b0c7264f Move ssh config to home/ssh.nix 2024-05-24 08:43:32 -04:00
Jacob Hinkle
113127e7aa update port and address for gitea 2024-03-29 19:25:45 -04:00
Jacob Hinkle
516c6ab493 Switch unifi and vaultwarden to docker images 2024-03-28 13:14:58 -04:00
Jacob Hinkle
88975f0003 Bump versions, disable some stuff for vps reverse-proxy setup 2024-03-27 07:17:59 -04:00
Jacob Hinkle
9080b1bd8d nix flake update 2024-02-11 07:04:59 -05:00
Jacob Hinkle
578c06f284 Merge branch 'main' of 100.102.82.27:jacob/nix_config 2024-02-11 07:03:36 -05:00
Jacob Hinkle
d8eb616480 Add electron insecure package 2024-02-11 07:02:40 -05:00
Jacob Hinkle
99a4f869ed nix flake update 2024-02-11 07:02:29 -05:00
Jacob Hinkle
1e6833fe3c Add NFS mounts and update home-assistant 2024-01-23 12:52:04 -05:00
Jacob Hinkle
f58dd6da01 Switch to tailscale 2024-01-23 12:51:40 -05:00
Jacob Hinkle
8c55b64b21 Switch from chrony to timesyncd 2024-01-23 12:50:10 -05:00
Jacob Hinkle
427783c6e3 Compact xmobar (still ugly) 2023-11-20 11:54:11 -05:00
Jacob Hinkle
5fd9f40f5f Enable nm-applet 2023-11-20 11:54:03 -05:00
Jacob Hinkle
f003703ee3 Fix zsh updated option 2023-11-20 11:46:35 -05:00
Jacob Hinkle
8aeb88c0a6 Upgrade to nixos 23.11 2023-11-20 11:46:11 -05:00
Jacob Hinkle
4a0d01a460 Set up NFS and tailscale on buck 2023-11-20 11:45:56 -05:00
Jacob Hinkle
3193cad85f Remove windows partitions on buck. Resize EFI partition 2023-11-20 11:45:30 -05:00
Jacob Hinkle
9bf1e96e3d Disable syncthing on buck 2023-11-20 11:45:14 -05:00
Jacob Hinkle
c899dc8b2e Enable tailscale client on cj 2023-11-05 13:38:17 -05:00
Jacob Hinkle
d73d5c5f90 Switch to networkmanager with applet 2023-09-14 07:45:56 -04:00
Jacob Hinkle
bced09acc2 Fix zsh syntax hightlighting setting 2023-09-13 07:58:41 -04:00
21 changed files with 330 additions and 167 deletions
Show Stats Expand all files Collapse all files

70
flake.lock generated
View File

@ -4,30 +4,30 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
]
},
"locked": {
"lastModified": 1671459164,
"narHash": "sha256-RbkDnvLV7WjbiF4Dpiezrf8kXxwieQXAVtY8ciRQj6Q=",
"lastModified": 1747556789,
"narHash": "sha256-7uHyVw9mhvTB6RS1WcIRsebBxj8SZAnlXxZarx7Xk7M=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "e7eba9cc46547ae86642ad3c6a9a4fb22c07bc26",
"rev": "e08e6e2389234000b0447e57abf61d8ccd59a68e",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"rev": "e08e6e2389234000b0447e57abf61d8ccd59a68e",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1671467847,
"narHash": "sha256-eIeZIQbbW0QYDW0nhDaieokw6VakPO3TyJ3RmxqGHOs=",
"lastModified": 1769086393,
"narHash": "sha256-3ymIZ8s3+hu7sDl/Y48o6bwMxorfKrmn97KuWiw1vjY=",
"owner": "nixos",
"repo": "nixos-hardware",
"rev": "25010a042c23695ae457a97aad60e9b1d49f2ecc",
"rev": "9f7ba891ea5fc3ededd7804f1a23fafadbcb26ca",
"type": "github"
},
"original": {
@ -38,33 +38,17 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1669833724,
"narHash": "sha256-/HEZNyGbnQecrgJnfE8d0WC5c1xuPSD2LUpB6YXlg4c=",
"owner": "nixos",
"lastModified": 1768649915,
"narHash": "sha256-jc21hKogFnxU7KXSVTRmxC7u5D4RHwm9BAvDf5/Z1Uo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4d2b37a84fad1091b9de401eb450aae66f1a741e",
"rev": "3e3f3c7f9977dc123c23ee21e8085ed63daf8c37",
"type": "github"
},
"original": {
"owner": "nixos",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1671459584,
"narHash": "sha256-6wRK7xmeHfClJ0ICOkax1avLZVGTDqBodQlkl/opccY=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "87b58217c9a05edcf7630b9be32570f889217aef",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "release-22.11",
"repo": "nixpkgs",
"type": "github"
"id": "nixpkgs",
"ref": "release-25.05",
"type": "indirect"
}
},
"root": {
@ -79,15 +63,14 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
]
},
"locked": {
"lastModified": 1671472949,
"narHash": "sha256-9iHSGpljCX+RypahQssBXPwkru9onfKfceCTeVrMpH4=",
"lastModified": 1768863606,
"narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "32840f16ffa0856cdf9503a8658f2dd42bf70342",
"rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
"type": "github"
},
"original": {
@ -95,21 +78,6 @@
"repo": "sops-nix",
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

7
flake.nix
View File

@ -2,12 +2,13 @@
description = "NixOS configurations for my machines";
inputs = {
nixpkgs.url = github:nixos/nixpkgs;
nixpkgs.url = "nixpkgs/release-25.05";
nixos-hardware = {
url = github:nixos/nixos-hardware;
};
home-manager = {
url = github:nix-community/home-manager;
# url = github:nix-community/home-manager;
url = github:nix-community/home-manager/e08e6e2389234000b0447e57abf61d8ccd59a68e;
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
@ -58,7 +59,7 @@
];
# ThinkCentre M700 mini-pc (server)
cj = mkNixosSystem [
nixos-hardware.nixosModules.common-pc-hdd
#nixos-hardware.nixosModules.common-pc-hdd
nixos-hardware.nixosModules.common-cpu-intel-cpu-only
./machines/cj/configuration.nix
];

51
home/jacob.nix
View File

@ -47,6 +47,7 @@
#openscad
#pandoc
pavucontrol
qalculate-qt
ripgrep
rofi
scli
@ -55,7 +56,7 @@
sops
speedcrunch
spotify
spotify-tui
#spotify-tui # this has been removed as of 2024.05
sxiv
#texlive.combined.scheme-full
tree
@ -152,11 +153,7 @@
};
firefox = {
enable = true;
package = pkgs.firefox.override {
cfg = {
enableTridactylNative = true;
};
};
#nativeMessagingHosts.packages = [ pkgs.tridactyl-native ];
};
git = {
enable = true;
@ -204,39 +201,7 @@
enable = true;
settings.email = "jacob.hinkle@gmail.com";
};
ssh = {
enable = true;
matchBlocks = {
login1 = {
hostname = "login1.ornl.gov";
user = "4jh";
};
lucky = {
hostname = "lucky.ornl.gov";
user = "4jh";
proxyJump = "login1";
};
murdock = {
hostname = "murdock.ornl.gov";
user = "4jh";
proxyJump = "login1";
};
penny = {
hostname = "192.168.88.18";
user = "jhinkle";
};
dlcluster = {
hostname = "dlcluster.nvidia.com";
user = "jhinkle";
proxyJump = "penny";
};
router ={
hostname = "192.168.88.1";
user = "jacob";
port = 2200;
};
};
};
ssh = import ./ssh.nix;
tmux = import ./tmux.nix;
xmobar = {
enable = true;
@ -264,7 +229,7 @@
];
theme = "michelebologna"; # nice clean theme that shows jobs
};
initExtra = ''
initContent = ''
# michelebologna theme doesn't have an RPROMPT, but I like the one from
# the clean theme
RPROMPT='[%*]'
@ -292,14 +257,12 @@
"--fx ''" # don't apply effects
];
};
dunst = {
enable = true;
};
flameshot.enable = true;
mbsync = {
enable = true;
verbose = true;
};
network-manager-applet.enable = true;
spotifyd = {
enable = false;
settings = {
@ -314,7 +277,7 @@
};
};
syncthing = {
enable = true;
enable = false;
# cause the tray command to wait for the service and tray manager to start
extraOptions = [ "--wait" ];
tray.enable = true;

34
home/ssh.nix Normal file
View File

@ -0,0 +1,34 @@
{
enable = true;
matchBlocks = {
login1 = {
hostname = "login1.ornl.gov";
user = "4jh";
};
lucky = {
hostname = "lucky.ornl.gov";
user = "4jh";
proxyJump = "login1";
};
murdock = {
hostname = "murdock.ornl.gov";
user = "4jh";
proxyJump = "login1";
};
penny = {
#hostname = "192.168.88.18";
hostname = "192.168.88.13";
user = "jhinkle";
};
dlcluster = {
hostname = "dlcluster.nvidia.com";
user = "jhinkle";
proxyJump = "penny";
};
router ={
hostname = "192.168.88.1";
user = "jacob";
port = 2200;
};
};
}

6
home/xmobarrc
View File

@ -34,12 +34,12 @@ Config { overrideRedirect = False
, "--"
, "--on", ""
]
, Run Memory ["--template", "Mem: <usedratio>%"] 10
, Run Memory ["--template", "<usedratio>"] 10
, Run Swap [] 10
, Run Date "%a %Y-%m-%d <fc=#8be9fd>%H:%M</fc>" "date" 10
, Run Date "%Y%m%d <fc=#8be9fd>%H:%M</fc>" "date" 10
, Run XMonadLog
]
, sepChar = "%"
, alignSep = "}{"
, template = "%XMonadLog% }{ Sound: %alsa:default:Master% | %cpu% | %memory% * %swap% | BAT1: %battery% | %date% "
, template = "%XMonadLog% }{A%alsa:default:Master%M%memory%%cpu%B%battery% %date%"
}

13
home/xmonad.hs
View File

@ -78,28 +78,29 @@ myXmobarPP = def
{ ppSep = magenta ""
, ppTitleSanitize = xmobarStrip
, ppCurrent = wrap " " "" . xmobarBorder "Top" "#8be9fd" 2
, ppHidden = white . wrap " " ""
, ppHiddenNoWindows = lowWhite . wrap " " ""
, ppHidden = lightGreen . wrap " " ""
, ppHiddenNoWindows = gray . wrap " " ""
, ppUrgent = red . wrap (yellow "!") (yellow "!")
, ppOrder = \[ws, l, _, wins] -> [ws, l, wins]
, ppExtras = [logTitles formatFocused formatUnfocused]
}
where
formatFocused = wrap (white "[") (white "]") . magenta . ppWindow
formatUnfocused = wrap (lowWhite "[") (lowWhite "]") . blue . ppWindow
formatUnfocused = wrap (gray "[") (gray "]") . blue . ppWindow
-- | Windows should have *some* title, which should not not exceed a
-- sane length.
ppWindow :: String -> String
ppWindow = xmobarRaw . (\w -> if null w then "untitled" else w) . shorten 30
blue, lowWhite, magenta, red, white, yellow :: String -> String
blue, gray, magenta, lightGreen, red, white, yellow :: String -> String
magenta = xmobarColor "#ff79c6" ""
blue = xmobarColor "#bd93f9" ""
lightGreen = xmobarColor "#bbffbb" ""
blue = xmobarColor "#bdbdf9" ""
white = xmobarColor "#f8f8f2" ""
yellow = xmobarColor "#f1fa8c" ""
red = xmobarColor "#ff5555" ""
lowWhite = xmobarColor "#bbbbbb" ""
gray = xmobarColor "#888888" ""
addlWorkspaces :: [String]
addlWorkspaces = ["0", "-", "=", "i"]

41
machines/buck/configuration.nix
View File

@ -14,6 +14,11 @@
./hardware-configuration.nix
];
nixpkgs.config.permittedInsecurePackages = [
"electron-25.9.0"
];
# This lets us pin the nixpkgs registry by default to the nixpkgs used to build this system.
# Doing this means we are less likely to require the 30+MB download when
# running commands like nix search or nix run
@ -56,8 +61,9 @@
networking = {
hostName = "buck"; # Define your hostname.
enableIPv6 = true;
wireless = {
enable = true;
networkmanager.enable = true;
wireless = { # wpa_supplicant
enable = false;
userControlled.enable = true;
environmentFile = "/run/secrets/wifi/env";
networks = {
@ -87,6 +93,8 @@
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
networkmanager
networkmanagerapplet
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
wget
];
@ -162,12 +170,16 @@
enable = true;
};
rpcbind.enable = true; # for NFS
syncthing = import ./syncthing.nix;
udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="backlight", KERNEL=="intel_backlight", MODE="0666", RUN+="${pkgs.coreutils}/bin/chmod a+w /sys/class/backlight/%k/brightness"
'';
tailscale.enable = true;
# Enable the X11 windowing system. services.xserver.enable = true;
xserver = {
enable = true;
@ -206,6 +218,31 @@
services.thermald.enable = true;
services.fwupd.enable = true;
systemd.mounts = let
nfsOpts = {
type = "nfs";
mountConfig = {
Options = "noatime";
};
};
nas = "100.64.0.5"; # synnas over tailscale
in [
(nfsOpts // {
what = "${nas}:/homes/jacob/Photos";
where = "/nas/photos";
})
];
systemd.automounts = let
autoMountOpts = {
wantedBy = [ "multi-user.target" ];
automountConfig = {
TimeoutIdleSec = "600";
};
};
in [
(autoMountOpts // { where = "/nas/photos"; })
];
# Enable the OpenSSH daemon.
# services.openssh.enable = true;

5
machines/buck/hardware-configuration.nix
View File

@ -18,12 +18,13 @@
boot.extraModulePackages = [];
fileSystems."/" = {
device = "/dev/disk/by-uuid/cc13728f-a446-49db-98fc-51db875bba20";
#device = "/dev/disk/by-uuid/cc13728f-a446-49db-98fc-51db875bba20";
device = "/dev/disk/by-uuid/a04773e7-3ccd-4d10-908d-53896b910f61";
fsType = "ext4";
};
fileSystems."/boot/efi" = {
device = "/dev/disk/by-uuid/164F-882B";
device = "/dev/disk/by-uuid/0EB1-1189";
fsType = "vfat";
};

2
machines/buck/syncthing.nix
View File

@ -1,5 +1,5 @@
{
enable = true;
enable = false;
user = "jacob";
dataDir = "/home/jacob/Sync";
#guiAddress = "0.0.0.0:8234"; # for headless

124
machines/cj/configuration.nix
View File

@ -7,6 +7,10 @@
./hardware-configuration-zfs.nix
];
nixpkgs.config.permittedInsecurePackages = [
"electron-27.3.11"
];
# This lets us pin the nixpkgs registry by default to the nixpkgs used to build this system.
# Doing this means we are less likely to require the 30+MB download when
# running commands like nix search or nix run
@ -57,9 +61,9 @@
# Aliases subdomains we serve here. Since we bypass pihole locally to avoid
# circular lookups, we can set local addresses here instead of using local
# dns in pihole (or global dns which would resolve to our WAN ips).
extraHosts = ''
127.0.0.1 git.jhink.org vault.jhink.org home.jhink.org
'';
#extraHosts = ''
# 127.0.0.1 git.jhink.org home.jhink.org
# '';
# The global useDHCP flag is deprecated, therefore explicitly set to false here. Per-interface useDHCP will be mandatory in the future, so this generated config replicates the default behaviour.
@ -75,18 +79,20 @@
wireless = {
enable = false; # turn of wifi until needed
userControlled.enable = true;
environmentFile = "/run/secrets/wifi/env";
#environmentFile = "/run/secrets/wifi/env";
secretsFile = "/run/secrets/wifi/env";
networks = {
"@SSID_HOME@" = {
pskRaw = "@PSKRAW_HOME@";
};
home.pskRaw = "ext:PSKRAW_HOME";
#"@SSID_HOME@" = {
#pskRaw = "@PSKRAW_HOME@";
#};
};
};
firewall = import ./firewall.nix;
timeServers = [ "192.168.88.1" ] ++ options.networking.timeServers.default;
};
hardware.video.hidpi.enable = false;
#hardware.video.hidpi.enable = false;
hardware.enableRedistributableFirmware = true;
#hardware.pulseaudio = {
#enable = true;
@ -95,9 +101,6 @@
#};
hardware.bluetooth.enable = false;
# Enable sound.
sound.enable = false;
# Define a user account. Don't forget to set a password with passwd.
users.users.jacob = {
isNormalUser = true;
@ -118,36 +121,41 @@
# enable = true; enableSSHSupport = true;
# };
programs.zsh.enable = true;
security.rtkit.enable = true; # recommended for pipewire
# enable acme for certbot
security.acme = {
acceptTerms = true;
defaults = {
email = "jacob.hinkle@gmail.com";
};
};
#security.acme = {
#acceptTerms = true;
#defaults = {
#email = "jacob.hinkle@gmail.com";
#};
#};
virtualisation.oci-containers.containers = let
ips = {
serverIP = "192.168.88.21"; # v4 address
# tailscale IP for IPV4 services
serverIP = "100.102.82.27"; # v4 address
# link-local IP = fe80:${suffix}
# external IP = ${externalprefix}:${suffix}
#externalprefix = "2601:843:c200:20b";
#ipv6suffix = "223:24ff:fea9:a97";
# IPV6 external IP should not need to use tailscale
serverIP6 = "2601:843:c200:20b:223:24ff:fea9:a97"; # external IP
#serverIP6 = "fe80::223:24ff:fea9:a97"; # link-local IP
};
in {
home-assistant = import ./home-assistant.nix ips;
open-webui = import ./open-webui.nix ips;
pihole = import ./pihole.nix ips;
unifi = import ./unifi.nix ips;
vaultwarden = import ./vaultwarden.nix ips;
};
# List services that you want to enable:
services = {
chrony.enable = true;
fail2ban = {
enable = true;
maxretry = 5;
@ -155,6 +163,7 @@
"127.0.0.0/8" # localhost
"192.168.0.0/16" # LAN
"160.91.241.229" # lucky
"100.64.0.0" # tailscale
];
};
@ -165,6 +174,23 @@
# Enable the OpenSSH daemon.
openssh.enable = true;
# This is an ollama frontend. Formerly called ollama-webui
open-webui = {
# We now use docker instead
enable = false;
environment = {
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
OLLAMA_API_BASE_URL = "http://192.168.88.18:11434";
OLLAMA_BASE_URL = "http://192.168.88.18:11434";
DATA_DIR = "/serverdata/open-webui/data";
};
host = "cj.monster-squeaker.ts.net";
port = 8687;
stateDir = "/serverdata/open-webui/state";
};
pipewire = {
enable = true;
alsa.enable = true;
@ -178,16 +204,37 @@
#media-session.enable = true;
};
searx = {
enable = false;
redisCreateLocally = true;
settings.server = {
bind_address = "::1";
port = 6789;
secret_key = config.sops.secrets.searxng.key;
};
};
syncthing = import ./syncthing.nix;
unifi = {
tailscale = {
enable = true;
extraUpFlags = "--accept-dns=false";
openFirewall = true;
};
timesyncd.enable = true;
unifi = {
# This was causing a full build of mongodb on every nixos-rebuild.
# Instead, let's migrate to using the docker image
enable = false;
openFirewall = true;
unifiPackage = pkgs.unifiStable;
};
vaultwarden = {
enable = true;
# We use a docker container for vaultwarden now
enable = false;
config = { # https://github.com/dani-garcia/vaultwarden/blob/1.25.2/.env.template
DOMAIN = "https://vault.jhink.org";
ROCKET_ADDRESS = "0.0.0.0";
@ -199,20 +246,14 @@
# Enable the X11 windowing system.
xserver = {
enable = true;
dpi = 180;
displayManager = {
defaultSession = "none+i3";
autoLogin = {
enable = true;
user = "jacob";
};
lightdm = {
enable = true;
greeter.enable = false;
};
};
layout = "us";
libinput.enable = true;
dpi = 180;
xkb.layout = "us";
windowManager.i3 = {
enable = true;
extraPackages = with pkgs; [
@ -224,6 +265,15 @@
};
};
libinput.enable = true;
displayManager = {
defaultSession = "none+i3";
autoLogin = {
enable = true;
user = "jacob";
};
};
# ZFS services
zfs = {
trim.enable = true;
@ -239,6 +289,20 @@
};
};
power.ups = {
enable = false;
mode = "netserver";
ups."myups" = {
driver = "usbhid-ups";
description = "CJ UPS";
port = "auto";
};
};
#environment.etc."nut/upsd.conf".source = ./config/upsd.conf;
#environment.etc."nut/upsd.users".source = ./config/upsd.users;
#environment.etc."nut/upsmon.conf".source = ./config/upsmon.conf;
# Due to bug in home assistant, this workaround is suggested temporarily as of May 6, 2022
# https://github.com/nix-community/home-manager/issues/2942#issuecomment-1119760100
#nixpkgs.config.allowUnfree = true;

12
machines/cj/firewall.nix
View File

@ -4,13 +4,13 @@
8080 8443 6789 8880 8843 27117 # unifi controller: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Network-Required-Ports-Reference
8585 # pihole web
53 # pihole
#8123 # home-assistant
#3000 # gitea
8081 # vaultwarden
8123 # home-assistant
3000 # gitea
8022 # vaultwarden
80 443 # reverse proxy
];
allowedUDPPorts = [
22000 21027 # syncthing
#22000 21027 # syncthing
3478 5514 10001 1900 123 # unifi
53 # pihole
80 443 # reverse proxy
@ -18,4 +18,8 @@
allowedUDPPortRanges = [
{ from = 5656; to = 5699; } # unifi
];
# This should not really be necessary unless we use an exit node or subnet
# with tailscale I think.
checkReversePath = "loose";
}

12
machines/cj/gitea.nix
View File

@ -1,9 +1,5 @@
{
enable = true;
domain = "git.jhink.org";
rootUrl = "https://git.jhink.org";
httpPort = 3000;
httpAddress = "127.0.0.1";
lfs = {
enable = true;
contentDir = "/serverdata/gitea/lfs_content";
@ -13,5 +9,13 @@
repository = {
DEFAULT_BRANCH = "main";
};
server = {
DOMAIN = "git.jhink.org";
ROOT_URL = "https://git.jhink.org";
HTTP_PORT = 3000;
HTTP_ADDR = "0.0.0.0";
START_SSH_SERVER = "true";
SSH_PORT = 22222;
};
};
}

35
machines/cj/hardware-configuration-zfs.nix
View File

@ -20,7 +20,7 @@
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# high-resolution display
hardware.video.hidpi.enable = lib.mkDefault true;
#hardware.video.hidpi.enable = lib.mkDefault true;
fileSystems."/" = {
device = "none";
@ -51,6 +51,12 @@
neededForBoot = true;
};
fileSystems."/tmp" =
{ device = "rpool/nixos/tmp";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/var/lib" =
{ device = "rpool/nixos/var/lib";
fsType = "zfs";
@ -80,6 +86,11 @@
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/serverdata/open-webui" =
{ device = "rpool/serverdata/open-webui";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/serverdata/pihole" =
{ device = "rpool/serverdata/pihole";
fsType = "zfs";
@ -90,6 +101,16 @@
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/serverdata/unifi" =
{ device = "rpool/serverdata/unifi";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/serverdata/vaultwarden" =
{ device = "rpool/serverdata/vaultwarden";
fsType = "zfs";
neededForBoot = true;
};
fileSystems."/home" =
{ device = "rpool/userdata/home";
@ -109,6 +130,18 @@
neededForBoot = true;
};
fileSystems."/nfs/homes" =
{ device = "192.168.88.88:/volume1/homes";
fsType = "nfs";
neededForBoot = false;
};
fileSystems."/nfs/shared_photos" =
{ device = "192.168.88.88:/volume1/photo";
fsType = "nfs";
neededForBoot = false;
};
swapDevices = [
{
device = "/dev/disk/by-partuuid/6bf463d0-107f-489e-be29-704442ea3150";

2
machines/cj/home-assistant.nix
View File

@ -1,6 +1,6 @@
serverIP :
{
image = "ghcr.io/home-assistant/home-assistant:2023.6.3";
image = "ghcr.io/home-assistant/home-assistant:2024.11.0";
#ports = [
#"8123:8123"
#];

6
machines/cj/nginx.nix
View File

@ -1,10 +1,10 @@
{
enable = true;
enable = false;
recommendedProxySettings = true;
virtualHosts = let
simpleProxy = ip: {
forceSSL = true;
enableACME = true;
forceSSL = false;
enableACME = false;
extraConfig = ''
proxy_buffering off;
'';

19
machines/cj/open-webui.nix Normal file
View File

@ -0,0 +1,19 @@
{ serverIP, serverIP6 } : {
image = "ghcr.io/open-webui/open-webui:0.6.26";
ports = [
"8687:8080"
];
environment = {
TZ = "America/New_York";
WEBUI_URL = "http://cj.monster-squeaker.ts.net:8687";
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
USE_OLLAMA = "False";
OLLAMA_BASE_URL = "http://192.168.88.18:11434";
};
volumes = [
"/serverdata/open-webui/data:/app/backend/data"
];
}

6
machines/cj/pihole.nix
View File

@ -1,9 +1,9 @@
{ serverIP, serverIP6 } : {
image = "pihole/pihole:2023.05.2";
image = "pihole/pihole:2025.06.2";
ports = [
"53:53/tcp"
"53:53/udp"
#"8088:80"
"8585:80"
#"4438:443"
];
environment = {
@ -24,7 +24,7 @@
];
extraOptions = [
#"--cap-add=NET_ADMIN"
"--network=host"
#"--network=host"
"--no-hosts" # do not populate internal /etc/hosts with container host's
];
}

2
machines/cj/syncthing.nix
View File

@ -1,5 +1,5 @@
{
enable = true;
enable = false;
dataDir = "/serverdata/syncthing/";
user = "jacob";
group = "users";

19
machines/cj/unifi.nix Normal file
View File

@ -0,0 +1,19 @@
{ serverIP, serverIP6 } : {
image = "jacobalberty/unifi:v10.0";
ports = [
"8080:8080"
"8443:8443"
"3478:3478/udp"
];
environment = {
TZ = "America/New_York";
};
volumes = [
"/serverdata/unifi:/unifi"
];
extraOptions = [
"--cap-add=NET_ADMIN"
"--network=host"
#"--no-hosts" # do not populate internal /etc/hosts with container host's
];
}

18
machines/cj/vaultwarden.nix Normal file
View File

@ -0,0 +1,18 @@
{ serverIP, serverIP6 } : {
image = "vaultwarden/server:1.32.6";
ports = [
"8022:80"
];
environment = {
TZ = "America/New_York";
};
volumes = [
"/serverdata/vaultwarden:/data"
];
extraOptions = [
#"--cap-add=NET_ADMIN"
#"--network=host"
#"--no-hosts" # do not populate internal /etc/hosts with container host's
];
}

13
secrets.yaml
View File

@ -8,6 +8,8 @@ email:
password: ENC[AES256_GCM,data:db0Wll4B8eXYc70dsIuYbw==,iv:2g4fE2GQyKxiVMkOQqOCPjAISdlXElvWYt0XKPEOWv0=,tag:73ymkTNGUlVccJFXjT40EA==,type:str]
pihole:
webpassword: ENC[AES256_GCM,data:bqBbGE5M4LUukMh7vQA=,iv:YhKaO2WQq5Ar9aKitgRTbDU2Ld2Cdc0wmrcQZ92lztY=,tag:UGnerGhtQBjO+n4LobdSyg==,type:str]
searxng:
key: ENC[AES256_GCM,data:RayEL/8Pi7+j3T6fWRV142uw0P7Vlm15FWB14Lcfg/5xz+TpB6W4d8ivAM9ZTNG3CZGUwziAoP8qApYjxOeTqA==,iv:IecQ9nHuUaXa8B2y9Y/FryIbdq/oi5EbEuaZ4XaR4wg=,tag:cDJr1AVqG4tgtvPe6ujtxQ==,type:str]
spotify:
username: ENC[AES256_GCM,data:EXLRJXrHsP+k,iv:5pvHLVnrtG+oZEPZsBY/4/+b9QQEBTT7jiPvmkBHAWY=,tag:gcCJqgBd7b2+e2k0oIVY8w==,type:str]
password: ENC[AES256_GCM,data:DHj06DfPU98C,iv:wxinj4sLt8rQ6hW4NtxIHQPnAJ3acXRXQHRsRaoiGR8=,tag:b7ota0m1gpwSZYSDY1Uj+A==,type:str]
@ -19,10 +21,6 @@ wifi:
PSKRAW_HOME=base64 output from wpa_passphrase
env: ENC[AES256_GCM,data:a2m3FI0SmpbM2hhNbEdNhWWxgNyhXRDN9/LFiRMyFEr9Nf3NvkteZCdf/CCc81GAl/aKqqqCt49HQEiSRwzw2wc3XKmbQPxw6tmK4mCd4pP7YmPpg6tacLd8CzjtCG9J248W0qqTYUIU3+kuDcY6Tdp97KxJDINVbA==,iv:kXltdSsKkXwhIaWywFYMUGJCmMgaxv8FqhdBbjuyVSU=,tag:GvkevELXFKU31mmRGsFjDw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16k5tturaeszpxugxawmfsxkrce2cfvp06s00eaxcee243anu4qysnjfr70
enc: |
@ -60,8 +58,7 @@ sops:
WVUwaEIwWTFFTExyT3hLSC9wODhJdGcKWsNIUsT06qYA9vUVeFHQrCdcn2MkHt+w
Rr7W+4uaNb8Qxo/NUp9kodE9m/fg9XVd8wM7HUP4wJC0rE4GSnFvGg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-27T13:16:21Z"
mac: ENC[AES256_GCM,data:UkvaiVtsbMKNeMKlf6N6N0dxQWAUxT2VMQrhMJFqwdyRoFvTQ+4a27sXHIQgr+G+BAnsFBeWFjA3SS+YhHcDYCx1boXMhdoFeNjVZ2TUURX/KazcIwJNGmrt4qMK7BkfUu1mLa58pxie+XSY1MBRwByg7rnLaSJzNiWgqgLRGy0=,iv:7kBE0EKhvesWToa6+At0yWt1IzTWipv0fSvopA2PUXg=,tag:0e+5Gu5Ajw7r3AgeJLg+EQ==,type:str]
pgp: []
lastmodified: "2025-09-03T12:29:15Z"
mac: ENC[AES256_GCM,data:K7Q4h102XDk6s0jy6X3sRzIESbFnu8Z1I8u82yC2Xbfh8gHvQ+rqTjEC9sh+tmUpB9P8sQHA08FwPsQkiScY7CNVxXXeCzALJVS/qhLlOEC4PEOqUH2PZZHsDVslQtZT6JmB9mixCl69Ihx+CKt2+ddesXdGxuTGaH9cldORNQQ=,iv:RheBWo3bG9z+JAq2kg79ifaMRgRDNGyxHnCmMi7v/+U=,tag:CJUHJC68Cfi+whhy4McBqA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.7.3
version: 3.10.2