Update versions

.gitattributes

@@ -1 +0,0 @@
-*.deb filter=lfs diff=lfs merge=lfs -text

flake.lock

@@ -4,30 +4,30 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "utils": "utils"
+        ]
       },
       "locked": {
-        "lastModified": 1671459164,
-        "narHash": "sha256-RbkDnvLV7WjbiF4Dpiezrf8kXxwieQXAVtY8ciRQj6Q=",
+        "lastModified": 1747556789,
+        "narHash": "sha256-7uHyVw9mhvTB6RS1WcIRsebBxj8SZAnlXxZarx7Xk7M=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e7eba9cc46547ae86642ad3c6a9a4fb22c07bc26",
+        "rev": "e08e6e2389234000b0447e57abf61d8ccd59a68e",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
         "repo": "home-manager",
+        "rev": "e08e6e2389234000b0447e57abf61d8ccd59a68e",
         "type": "github"
       }
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1671467847,
-        "narHash": "sha256-eIeZIQbbW0QYDW0nhDaieokw6VakPO3TyJ3RmxqGHOs=",
+        "lastModified": 1769086393,
+        "narHash": "sha256-3ymIZ8s3+hu7sDl/Y48o6bwMxorfKrmn97KuWiw1vjY=",
         "owner": "nixos",
         "repo": "nixos-hardware",
-        "rev": "25010a042c23695ae457a97aad60e9b1d49f2ecc",
+        "rev": "9f7ba891ea5fc3ededd7804f1a23fafadbcb26ca",
         "type": "github"
       },
       "original": {
@@ -38,33 +38,17 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1669833724,
-        "narHash": "sha256-/HEZNyGbnQecrgJnfE8d0WC5c1xuPSD2LUpB6YXlg4c=",
-        "owner": "nixos",
+        "lastModified": 1768649915,
+        "narHash": "sha256-jc21hKogFnxU7KXSVTRmxC7u5D4RHwm9BAvDf5/Z1Uo=",
+        "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4d2b37a84fad1091b9de401eb450aae66f1a741e",
+        "rev": "3e3f3c7f9977dc123c23ee21e8085ed63daf8c37",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs-stable": {
-      "locked": {
-        "lastModified": 1671459584,
-        "narHash": "sha256-6wRK7xmeHfClJ0ICOkax1avLZVGTDqBodQlkl/opccY=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "87b58217c9a05edcf7630b9be32570f889217aef",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-22.11",
-        "repo": "nixpkgs",
-        "type": "github"
+        "id": "nixpkgs",
+        "ref": "release-25.05",
+        "type": "indirect"
       }
     },
     "root": {
@@ -79,15 +63,14 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        ]
       },
       "locked": {
-        "lastModified": 1671472949,
-        "narHash": "sha256-9iHSGpljCX+RypahQssBXPwkru9onfKfceCTeVrMpH4=",
+        "lastModified": 1768863606,
+        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "32840f16ffa0856cdf9503a8658f2dd42bf70342",
+        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
         "type": "github"
       },
       "original": {
@@ -95,21 +78,6 @@
         "repo": "sops-nix",
         "type": "github"
       }
-    },
-    "utils": {
-      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
     }
   },
   "root": "root",

flake.nix

@@ -2,12 +2,13 @@
   description = "NixOS configurations for my machines";
 
   inputs = {
-    nixpkgs.url = github:nixos/nixpkgs;
+    nixpkgs.url = "nixpkgs/release-25.05";
     nixos-hardware = {
       url = github:nixos/nixos-hardware;
     };
     home-manager = {
-      url = github:nix-community/home-manager;
+      # url = github:nix-community/home-manager;
+      url = github:nix-community/home-manager/e08e6e2389234000b0447e57abf61d8ccd59a68e;
       inputs.nixpkgs.follows = "nixpkgs";
     };
     sops-nix = {
@@ -58,7 +59,7 @@
       ];
       # ThinkCentre M700 mini-pc (server)
       cj = mkNixosSystem [
-        nixos-hardware.nixosModules.common-pc-hdd
+        #nixos-hardware.nixosModules.common-pc-hdd
         nixos-hardware.nixosModules.common-cpu-intel-cpu-only
         ./machines/cj/configuration.nix 
       ];

home/jacob.nix

@@ -40,7 +40,6 @@
       inconsolata
       jq
       keyutils  # for keyctl, used by some bitwarden scripts like qute-bitwarden
-      krita
       libreoffice
       logseq
       mupdf
@@ -48,6 +47,7 @@
       #openscad
       #pandoc
       pavucontrol
+      qalculate-qt
       ripgrep
       rofi
       scli
@@ -56,13 +56,12 @@
       sops
       speedcrunch
       spotify
-      spotify-tui
+      #spotify-tui  # this has been removed as of 2024.05
       sxiv
       #texlive.combined.scheme-full
       tree
       unzip
       xclip
-      xournal
       xpra
       zathura
       zoom-us
@@ -154,11 +153,7 @@
     };
     firefox = {
       enable = true;
-      package = pkgs.firefox.override {
-        cfg = {
-          enableTridactylNative = true;
-        };
-      };
+      #nativeMessagingHosts.packages = [ pkgs.tridactyl-native ];
     };
     git = {
       enable = true;
@@ -206,39 +201,7 @@
       enable = true;
       settings.email = "jacob.hinkle@gmail.com";
     };
-    ssh = {
-      enable = true;
-      matchBlocks = {
-        login1 = {
-          hostname = "login1.ornl.gov";
-          user = "4jh";
-        };
-        lucky = {
-          hostname = "lucky.ornl.gov";
-          user = "4jh";
-          proxyJump = "login1";
-        };
-        murdock = {
-          hostname = "murdock.ornl.gov";
-          user = "4jh";
-          proxyJump = "login1";
-        };
-        penny = {
-          hostname = "192.168.88.18";
-          user = "jhinkle";
-        };
-        dlcluster = {
-          hostname = "dlcluster.nvidia.com";
-          user = "jhinkle";
-          proxyJump = "penny";
-        };
-        router ={
-          hostname = "192.168.88.1";
-          user = "jacob";
-          port = 2200;
-        };
-      };
-    };
+    ssh = import ./ssh.nix;
     tmux = import ./tmux.nix;
     xmobar = {
       enable = true;
@@ -266,7 +229,7 @@
         ];
         theme = "michelebologna"; # nice clean theme that shows jobs
       };
-      initExtra = ''
+      initContent = ''
         # michelebologna theme doesn't have an RPROMPT, but I like the one from
         # the clean theme
         RPROMPT='[%*]'
@@ -294,14 +257,12 @@
         "--fx ''"  # don't apply effects
       ];
     };
-    dunst = {
-      enable = true;
-    };
     flameshot.enable = true;
     mbsync = {
       enable = true;
       verbose = true;
     };
+    network-manager-applet.enable = true;
     spotifyd = {
       enable = false;
       settings = {
@@ -316,7 +277,7 @@
       };
     };
     syncthing = {
-      enable = true;
+      enable = false;
       # cause the tray command to wait for the service and tray manager to start
       extraOptions = [ "--wait" ];
       tray.enable = true;
@@ -359,9 +320,5 @@
         config = ./xmonad.hs;
       };
     };
-    initExtra = ''
-      xinput --map-to-output 'HANVON UGEE Artist 16(2nd Gen) Mouse' DP-1
-      xinput --map-to-output 'HANVON UGEE Artist 16(2nd Gen)' DP-1
-      '';
   };
 }

home/ssh.nix

@@ -0,0 +1,34 @@
+{
+  enable = true;
+  matchBlocks = {
+    login1 = {
+      hostname = "login1.ornl.gov";
+      user = "4jh";
+    };
+    lucky = {
+      hostname = "lucky.ornl.gov";
+      user = "4jh";
+      proxyJump = "login1";
+    };
+    murdock = {
+      hostname = "murdock.ornl.gov";
+      user = "4jh";
+      proxyJump = "login1";
+    };
+    penny = {
+      #hostname = "192.168.88.18";
+      hostname = "192.168.88.13";
+      user = "jhinkle";
+    };
+    dlcluster = {
+      hostname = "dlcluster.nvidia.com";
+      user = "jhinkle";
+      proxyJump = "penny";
+    };
+    router ={
+      hostname = "192.168.88.1";
+      user = "jacob";
+      port = 2200;
+    };
+  };
+}

home/xmobarrc

@@ -34,12 +34,12 @@ Config { overrideRedirect = False
                         , "--"
                         , "--on", ""
                         ]
-                    , Run Memory ["--template", "Mem: <usedratio>%"] 10
+                    , Run Memory ["--template", "<usedratio>"] 10
                     , Run Swap [] 10
-                    , Run Date "%a %Y-%m-%d <fc=#8be9fd>%H:%M</fc>" "date" 10
+                    , Run Date "%Y%m%d <fc=#8be9fd>%H:%M</fc>" "date" 10
                     , Run XMonadLog
                     ]
        , sepChar  = "%"
        , alignSep = "}{"
-       , template = "%XMonadLog% }{ Sound: %alsa:default:Master% | %cpu% | %memory% * %swap% | BAT1: %battery% | %date% "
+       , template = "%XMonadLog% }{A%alsa:default:Master%M%memory%%cpu%B%battery% %date%"
        }

home/xmonad.hs

@@ -78,28 +78,29 @@ myXmobarPP = def
     { ppSep             = magenta " • "
     , ppTitleSanitize   = xmobarStrip
     , ppCurrent         = wrap " " "" . xmobarBorder "Top" "#8be9fd" 2
-    , ppHidden          = white . wrap " " ""
-    , ppHiddenNoWindows = lowWhite . wrap " " ""
+    , ppHidden          = lightGreen . wrap " " ""
+    , ppHiddenNoWindows = gray . wrap " " ""
     , ppUrgent          = red . wrap (yellow "!") (yellow "!")
     , ppOrder           = \[ws, l, _, wins] -> [ws, l, wins]
     , ppExtras          = [logTitles formatFocused formatUnfocused]
     }
   where
     formatFocused   = wrap (white    "[") (white    "]") . magenta . ppWindow
-    formatUnfocused = wrap (lowWhite "[") (lowWhite "]") . blue    . ppWindow
+    formatUnfocused = wrap (gray "[") (gray "]") . blue    . ppWindow
 
     -- | Windows should have *some* title, which should not not exceed a
     -- sane length.
     ppWindow :: String -> String
     ppWindow = xmobarRaw . (\w -> if null w then "untitled" else w) . shorten 30
 
-    blue, lowWhite, magenta, red, white, yellow :: String -> String
+    blue, gray, magenta, lightGreen, red, white, yellow :: String -> String
     magenta  = xmobarColor "#ff79c6" ""
-    blue     = xmobarColor "#bd93f9" ""
+    lightGreen = xmobarColor "#bbffbb" ""
+    blue     = xmobarColor "#bdbdf9" ""
     white    = xmobarColor "#f8f8f2" ""
     yellow   = xmobarColor "#f1fa8c" ""
     red      = xmobarColor "#ff5555" ""
-    lowWhite = xmobarColor "#bbbbbb" ""
+    gray = xmobarColor "#888888" ""
 
 addlWorkspaces :: [String]
 addlWorkspaces = ["0", "-", "=", "i"]

machines/buck/configuration.nix

@@ -8,16 +8,17 @@
   inputs,
   sops,
   ...
-}:
-let
-  xp_pen_pentablet = pkgs.callPackage ./xp_pen_pentablet.nix {};
-in
-{
+}: {
   imports = [
     # Include the results of the hardware scan.
     ./hardware-configuration.nix
   ];
 
+  nixpkgs.config.permittedInsecurePackages = [
+      "electron-25.9.0"
+    ];
+
+
   # This lets us pin the nixpkgs registry by default to the nixpkgs used to build this system.
   # Doing this means we are less likely to require the 30+MB download when
   # running commands like nix search or nix run
@@ -60,8 +61,9 @@ in
   networking = {
     hostName = "buck"; # Define your hostname.
     enableIPv6 = true;
-    wireless = {
-      enable = true;
+    networkmanager.enable = true;
+    wireless = { # wpa_supplicant
+      enable = false;
       userControlled.enable = true;
       environmentFile = "/run/secrets/wifi/env";
       networks = {
@@ -95,7 +97,6 @@ in
     networkmanagerapplet
     vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
     wget
-    xp_pen_pentablet
   ];
 
   # Some programs need SUID wrappers, can be configured further or are
@@ -169,26 +170,20 @@ in
       enable = true;
     };
 
+    rpcbind.enable = true;  # for NFS
+
     syncthing = import ./syncthing.nix;
 
     udev.extraRules = ''
     ACTION=="add", SUBSYSTEM=="backlight", KERNEL=="intel_backlight", MODE="0666", RUN+="${pkgs.coreutils}/bin/chmod a+w /sys/class/backlight/%k/brightness"
-    KERNEL=="hidraw", SUBSYSTEM=="hidraw", MODE="0664", GROUP="plugdev"
-
-    # For XP-PEN tablet
-    # From the official driver
-    KERNEL=="uinput",MODE:="0666",OPTIONS+="static_node=uinput"
-    SUBSYSTEMS=="usb",ATTRS{idVendor}=="28bd",MODE:="0666"
-j
-    #KERNEL=="event[0-9]*", SUBSYSTEM=="input", SUBSYSTEMS=="usb", ATTRS{idVendor}=="28bd", ATTRS{idProduct}=="094c", MODE="0664", GROUP="plugdev"
-    #KERNEL=="mouse[0-9]*", SUBSYSTEM=="input", SUBSYSTEMS=="usb", ATTRS{idVendor}=="28bd", ATTRS{idProduct}=="094c", MODE="0664", GROUP="plugdev"
   '';
 
+    tailscale.enable = true;
+
     # Enable the X11 windowing system. services.xserver.enable = true;
     xserver = {
       enable = true;
       dpi = 112;  # t470 has a 14" 16:9 monitor at native res 1366x768
-      digimend.enable = true;
       displayManager = {
         defaultSession = "none+i3";
         autoLogin = {
@@ -207,7 +202,6 @@ j
           disableWhileTyping = true;
         };
       };
-      #wacom.enable = true;
       windowManager.i3 = {
         enable = true;
         extraPackages = with pkgs; [
@@ -224,6 +218,31 @@ j
   services.thermald.enable = true;
   services.fwupd.enable = true;
 
+  systemd.mounts = let
+    nfsOpts = {
+      type = "nfs";
+      mountConfig = {
+        Options = "noatime";
+      };
+    };
+    nas = "100.64.0.5";  # synnas over tailscale
+  in [
+    (nfsOpts // {
+      what = "${nas}:/homes/jacob/Photos";
+      where = "/nas/photos";
+    })
+  ];
+  systemd.automounts = let
+    autoMountOpts = {
+      wantedBy = [ "multi-user.target" ];
+      automountConfig = {
+        TimeoutIdleSec = "600";
+      };
+    };
+  in [
+    (autoMountOpts // { where = "/nas/photos"; })
+  ];
+
   # Enable the OpenSSH daemon.
   # services.openssh.enable = true;
 

machines/buck/hardware-configuration.nix

@@ -18,12 +18,13 @@
   boot.extraModulePackages = [];
 
   fileSystems."/" = {
-    device = "/dev/disk/by-uuid/cc13728f-a446-49db-98fc-51db875bba20";
+    #device = "/dev/disk/by-uuid/cc13728f-a446-49db-98fc-51db875bba20";
+    device = "/dev/disk/by-uuid/a04773e7-3ccd-4d10-908d-53896b910f61";
     fsType = "ext4";
   };
 
   fileSystems."/boot/efi" = {
-    device = "/dev/disk/by-uuid/164F-882B";
+    device = "/dev/disk/by-uuid/0EB1-1189";
     fsType = "vfat";
   };
 
@@ -46,10 +47,4 @@
 
   powerManagement.cpuFreqGovernor = "powersave";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-
-  # for XP-Pen tablet
-  #hardware.opentabletdriver = {
-    #enable = true;
-    #package = patchedOTD;
-  #};
 }

machines/buck/syncthing.nix

@@ -1,5 +1,5 @@
 {
-  enable = true;
+  enable = false;
   user = "jacob";
   dataDir = "/home/jacob/Sync";
   #guiAddress = "0.0.0.0:8234";  # for headless

machines/buck/xp_pen_pentablet.nix

@@ -25,7 +25,7 @@
 , lib
 , fetchurl
 , glib
-, dbus
+, dbus_libs
 , dpkg
 , autoPatchelfHook
 , writeShellScript
@@ -44,7 +44,7 @@
 
 stdenv.mkDerivation rec {
   pname = "xp_pen_driver";
-  version = "3.3.9.230222-1";
+  version = "3.2.0.210804-1";
   
   src = fetchurl {
     #url = "https://github.com/peterwilli/XP-Pen-Pentablet-Driver-for-Nixos/releases/download/3.2.0.210804-1/XP-PEN-pentablet-3.2.0.210804-1.x86_64.deb";
@@ -59,7 +59,7 @@ stdenv.mkDerivation rec {
     zlib
     libGL
     libusb
-    dbus
+    dbus_libs
     fontconfig
     glib
     freetype
@@ -81,7 +81,6 @@ stdenv.mkDerivation rec {
     chmod 755 "$out"
 
     chmod a+x $out/usr/lib/pentablet/pentablet.sh
-    chmod a+x $out/usr/lib/pentablet/pentablet
     runHook postInstall
     mkdir -p $out/bin
     makeWrapper $out/usr/lib/pentablet/pentablet.sh $out/bin/pentablet

machines/cj/configuration.nix

@@ -7,6 +7,10 @@
       ./hardware-configuration-zfs.nix
     ];
 
+  nixpkgs.config.permittedInsecurePackages = [
+    "electron-27.3.11"
+  ];
+
   # This lets us pin the nixpkgs registry by default to the nixpkgs used to build this system.
   # Doing this means we are less likely to require the 30+MB download when
   # running commands like nix search or nix run
@@ -57,9 +61,9 @@
     # Aliases subdomains we serve here. Since we bypass pihole locally to avoid
     # circular lookups, we can set local addresses here instead of using local
     # dns in pihole (or global dns which would resolve to our WAN ips).
-    extraHosts = ''
-      127.0.0.1 git.jhink.org vault.jhink.org home.jhink.org
-      '';
+    #extraHosts = ''
+    #  127.0.0.1 git.jhink.org home.jhink.org
+    #  '';
 
 
     # The global useDHCP flag is deprecated, therefore explicitly set to false here. Per-interface useDHCP will be mandatory in the future, so this generated config replicates the default behaviour.
@@ -75,18 +79,20 @@
     wireless = {
       enable = false; # turn of wifi until needed
       userControlled.enable = true;
-      environmentFile = "/run/secrets/wifi/env";
+      #environmentFile = "/run/secrets/wifi/env";
+      secretsFile = "/run/secrets/wifi/env";
       networks = {
-        "@SSID_HOME@" = {
-          pskRaw = "@PSKRAW_HOME@";
-        };
+        home.pskRaw = "ext:PSKRAW_HOME";
+        #"@SSID_HOME@" = {
+          #pskRaw = "@PSKRAW_HOME@";
+        #};
       };
     };
     firewall = import ./firewall.nix;
     timeServers = [ "192.168.88.1" ] ++ options.networking.timeServers.default;
   };
 
-  hardware.video.hidpi.enable = false;
+  #hardware.video.hidpi.enable = false;
   hardware.enableRedistributableFirmware = true;
   #hardware.pulseaudio = {
   #enable = true;
@@ -95,9 +101,6 @@
   #};
   hardware.bluetooth.enable = false;
 
-  # Enable sound.
-  sound.enable = false;
-
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.jacob = {
     isNormalUser = true;
@@ -118,36 +121,41 @@
   #   enable = true; enableSSHSupport = true;
   # };
 
+  programs.zsh.enable = true;
+
   security.rtkit.enable = true; # recommended for pipewire
 
   # enable acme for certbot
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      email = "jacob.hinkle@gmail.com";
-    };
-  };
+  #security.acme = {
+    #acceptTerms = true;
+    #defaults = {
+      #email = "jacob.hinkle@gmail.com";
+    #};
+  #};
 
   virtualisation.oci-containers.containers = let
     ips = {
-      serverIP = "192.168.88.21";  # v4 address
+      # tailscale IP for IPV4 services
+      serverIP = "100.102.82.27";  # v4 address
 
       # link-local IP = fe80:${suffix}
       # external IP = ${externalprefix}:${suffix}
       #externalprefix = "2601:843:c200:20b";
       #ipv6suffix = "223:24ff:fea9:a97";
+      # IPV6 external IP should not need to use tailscale
       serverIP6 = "2601:843:c200:20b:223:24ff:fea9:a97";  # external IP
       #serverIP6 = "fe80::223:24ff:fea9:a97";  # link-local IP
     };
   in {
     home-assistant = import ./home-assistant.nix ips;
+    open-webui = import ./open-webui.nix ips;
     pihole = import ./pihole.nix ips;
+    unifi = import ./unifi.nix ips;
+    vaultwarden = import ./vaultwarden.nix ips;
   };
 
   # List services that you want to enable:
   services = {
-    chrony.enable = true;
-
     fail2ban = {
       enable = true;
       maxretry = 5;
@@ -155,6 +163,7 @@
         "127.0.0.0/8"     # localhost
         "192.168.0.0/16"  # LAN
         "160.91.241.229"  # lucky
+        "100.64.0.0"      # tailscale
       ];
     };
 
@@ -165,6 +174,23 @@
     # Enable the OpenSSH daemon.
     openssh.enable = true;
 
+    # This is an ollama frontend. Formerly called ollama-webui
+    open-webui = {
+      # We now use docker instead
+      enable = false;
+      environment = {
+        ANONYMIZED_TELEMETRY = "False";
+        DO_NOT_TRACK = "True";
+        SCARF_NO_ANALYTICS = "True";
+        OLLAMA_API_BASE_URL = "http://192.168.88.18:11434";
+        OLLAMA_BASE_URL = "http://192.168.88.18:11434";
+        DATA_DIR = "/serverdata/open-webui/data";
+      };
+      host = "cj.monster-squeaker.ts.net";
+      port = 8687;
+      stateDir = "/serverdata/open-webui/state";
+    };
+
     pipewire = {
       enable = true;
       alsa.enable = true;
@@ -178,16 +204,37 @@
       #media-session.enable = true;
     };
 
+    searx = {
+      enable = false;
+      redisCreateLocally = true;
+      settings.server = {
+        bind_address = "::1";
+        port = 6789;
+        secret_key = config.sops.secrets.searxng.key;
+      };
+    };
+
     syncthing = import ./syncthing.nix;
 
-    unifi = {
+    tailscale = {
       enable = true;
+      extraUpFlags = "--accept-dns=false";
+      openFirewall = true;
+    };
+
+    timesyncd.enable = true;
+
+    unifi = {
+      # This was causing a full build of mongodb on every nixos-rebuild.
+      # Instead, let's migrate to using the docker image
+      enable = false;
       openFirewall = true;
       unifiPackage = pkgs.unifiStable;
     };
 
     vaultwarden = {
-      enable = true;
+      # We use a docker container for vaultwarden now
+      enable = false;
       config = {  # https://github.com/dani-garcia/vaultwarden/blob/1.25.2/.env.template
         DOMAIN = "https://vault.jhink.org";
         ROCKET_ADDRESS = "0.0.0.0";
@@ -199,20 +246,14 @@
     # Enable the X11 windowing system.
     xserver = {
       enable = true;
-      dpi = 180;
       displayManager = {
-        defaultSession = "none+i3";
-        autoLogin = {
-          enable = true;
-          user = "jacob";
-        };
         lightdm = {
           enable = true;
           greeter.enable = false;
         };
       };
-      layout = "us";
-      libinput.enable = true;
+      dpi = 180;
+      xkb.layout = "us";
       windowManager.i3 = {
         enable = true;
         extraPackages = with pkgs; [
@@ -224,6 +265,15 @@
       };
     };
 
+    libinput.enable = true;
+    displayManager = {
+      defaultSession = "none+i3";
+      autoLogin = {
+        enable = true;
+        user = "jacob";
+      };
+    };
+
     # ZFS services
     zfs = {
       trim.enable = true;
@@ -239,6 +289,20 @@
     };
   };
 
+  power.ups = {
+    enable = false;
+    mode = "netserver";
+    ups."myups" = {
+      driver = "usbhid-ups";
+      description = "CJ UPS";
+      port = "auto";
+    };
+  };
+
+  #environment.etc."nut/upsd.conf".source = ./config/upsd.conf;
+  #environment.etc."nut/upsd.users".source = ./config/upsd.users;
+  #environment.etc."nut/upsmon.conf".source = ./config/upsmon.conf;
+
   # Due to bug in home assistant, this workaround is suggested temporarily as of May 6, 2022
   # https://github.com/nix-community/home-manager/issues/2942#issuecomment-1119760100
   #nixpkgs.config.allowUnfree = true;

machines/cj/firewall.nix

@@ -4,13 +4,13 @@
     8080 8443 6789 8880 8843 27117  # unifi controller: https://help.ui.com/hc/en-us/articles/218506997-UniFi-Network-Required-Ports-Reference
     8585  # pihole web
     53 # pihole
-    #8123  # home-assistant
-    #3000  # gitea
-    8081  # vaultwarden
+    8123  # home-assistant
+    3000  # gitea
+    8022  # vaultwarden
     80 443  # reverse proxy
   ];
   allowedUDPPorts = [
-    22000 21027  # syncthing
+    #22000 21027  # syncthing
     3478 5514 10001 1900 123 # unifi
     53  # pihole
     80 443  # reverse proxy
@@ -18,4 +18,8 @@
   allowedUDPPortRanges = [
     { from = 5656; to = 5699; }  # unifi
   ];
+
+  # This should not really be necessary unless we use an exit node or subnet
+  # with tailscale I think.
+  checkReversePath = "loose";
 }

machines/cj/gitea.nix

@@ -1,9 +1,5 @@
 {
   enable = true;
-  domain = "git.jhink.org";
-  rootUrl = "https://git.jhink.org";
-  httpPort = 3000;
-  httpAddress = "127.0.0.1";
   lfs = {
     enable = true;
     contentDir = "/serverdata/gitea/lfs_content";
@@ -13,5 +9,13 @@
     repository = {
       DEFAULT_BRANCH = "main";
     };
+    server = {
+      DOMAIN = "git.jhink.org";
+      ROOT_URL = "https://git.jhink.org";
+      HTTP_PORT = 3000;
+      HTTP_ADDR = "0.0.0.0";
+      START_SSH_SERVER = "true";
+      SSH_PORT = 22222;
+    };
   };
 }

machines/cj/hardware-configuration-zfs.nix

@@ -20,7 +20,7 @@
   powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   # high-resolution display
-  hardware.video.hidpi.enable = lib.mkDefault true;
+  #hardware.video.hidpi.enable = lib.mkDefault true;
 
   fileSystems."/" = {
     device = "none";
@@ -51,6 +51,12 @@
       neededForBoot = true;
     };
 
+  fileSystems."/tmp" =
+    { device = "rpool/nixos/tmp";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
+
   fileSystems."/var/lib" =
     { device = "rpool/nixos/var/lib";
       fsType = "zfs";
@@ -80,6 +86,11 @@
       fsType = "zfs";
       neededForBoot = true;
     };
+  fileSystems."/serverdata/open-webui" =
+    { device = "rpool/serverdata/open-webui";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
   fileSystems."/serverdata/pihole" =
     { device = "rpool/serverdata/pihole";
       fsType = "zfs";
@@ -90,6 +101,16 @@
       fsType = "zfs";
       neededForBoot = true;
     };
+  fileSystems."/serverdata/unifi" =
+    { device = "rpool/serverdata/unifi";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
+  fileSystems."/serverdata/vaultwarden" =
+    { device = "rpool/serverdata/vaultwarden";
+      fsType = "zfs";
+      neededForBoot = true;
+    };
 
   fileSystems."/home" =
     { device = "rpool/userdata/home";
@@ -109,6 +130,18 @@
       neededForBoot = true;
     };
 
+  fileSystems."/nfs/homes" =
+    { device = "192.168.88.88:/volume1/homes";
+      fsType = "nfs";
+      neededForBoot = false;
+    };
+
+  fileSystems."/nfs/shared_photos" =
+    { device = "192.168.88.88:/volume1/photo";
+      fsType = "nfs";
+      neededForBoot = false;
+    };
+
   swapDevices = [
     {
       device = "/dev/disk/by-partuuid/6bf463d0-107f-489e-be29-704442ea3150";

machines/cj/home-assistant.nix

@@ -1,6 +1,6 @@
 serverIP :
 {
-  image = "ghcr.io/home-assistant/home-assistant:2023.6.3";
+  image = "ghcr.io/home-assistant/home-assistant:2024.11.0";
   #ports = [
     #"8123:8123"
   #];

machines/cj/nginx.nix

@@ -1,10 +1,10 @@
 {
-  enable = true;
+  enable = false;
   recommendedProxySettings = true;
   virtualHosts = let
     simpleProxy = ip: {
-      forceSSL = true;
-      enableACME = true;
+      forceSSL = false;
+      enableACME = false;
       extraConfig = ''
         proxy_buffering off;
       '';

machines/cj/open-webui.nix

@@ -0,0 +1,19 @@
+{ serverIP, serverIP6 } : {
+  image = "ghcr.io/open-webui/open-webui:0.6.26";
+  ports = [
+    "8687:8080"
+  ];
+  environment = {
+    TZ = "America/New_York";
+
+    WEBUI_URL = "http://cj.monster-squeaker.ts.net:8687";
+    ANONYMIZED_TELEMETRY = "False";
+    DO_NOT_TRACK = "True";
+    SCARF_NO_ANALYTICS = "True";
+    USE_OLLAMA = "False";
+    OLLAMA_BASE_URL = "http://192.168.88.18:11434";
+  };
+  volumes = [
+    "/serverdata/open-webui/data:/app/backend/data"
+  ];
+}

machines/cj/pihole.nix

@@ -1,9 +1,9 @@
 { serverIP, serverIP6 } : {
-  image = "pihole/pihole:2023.05.2";
+  image = "pihole/pihole:2025.06.2";
   ports = [
     "53:53/tcp"
     "53:53/udp"
-    #"8088:80"
+    "8585:80"
     #"4438:443"
   ];
   environment = {
@@ -24,7 +24,7 @@
   ];
   extraOptions = [
     #"--cap-add=NET_ADMIN"
-    "--network=host"
+    #"--network=host"
     "--no-hosts" # do not populate internal /etc/hosts with container host's
   ];
 }

machines/cj/syncthing.nix

@@ -1,5 +1,5 @@
 {
-  enable = true;
+  enable = false;
   dataDir = "/serverdata/syncthing/";
   user = "jacob";
   group = "users";

machines/cj/unifi.nix

@@ -0,0 +1,19 @@
+{ serverIP, serverIP6 } : {
+  image = "jacobalberty/unifi:v10.0";
+  ports = [
+    "8080:8080"
+    "8443:8443"
+    "3478:3478/udp"
+  ];
+  environment = {
+    TZ = "America/New_York";
+  };
+  volumes = [
+    "/serverdata/unifi:/unifi"
+  ];
+  extraOptions = [
+    "--cap-add=NET_ADMIN"
+    "--network=host"
+    #"--no-hosts" # do not populate internal /etc/hosts with container host's
+  ];
+}

machines/cj/vaultwarden.nix

@@ -0,0 +1,18 @@
+{ serverIP, serverIP6 } : {
+  image = "vaultwarden/server:1.32.6";
+  ports = [
+    "8022:80"
+  ];
+  environment = {
+    TZ = "America/New_York";
+  };
+  volumes = [
+    "/serverdata/vaultwarden:/data"
+  ];
+  extraOptions = [
+    #"--cap-add=NET_ADMIN"
+    #"--network=host"
+    #"--no-hosts" # do not populate internal /etc/hosts with container host's
+  ];
+}
+

secrets.yaml

@@ -8,6 +8,8 @@ email:
         password: ENC[AES256_GCM,data:db0Wll4B8eXYc70dsIuYbw==,iv:2g4fE2GQyKxiVMkOQqOCPjAISdlXElvWYt0XKPEOWv0=,tag:73ymkTNGUlVccJFXjT40EA==,type:str]
 pihole:
     webpassword: ENC[AES256_GCM,data:bqBbGE5M4LUukMh7vQA=,iv:YhKaO2WQq5Ar9aKitgRTbDU2Ld2Cdc0wmrcQZ92lztY=,tag:UGnerGhtQBjO+n4LobdSyg==,type:str]
+searxng:
+    key: ENC[AES256_GCM,data:RayEL/8Pi7+j3T6fWRV142uw0P7Vlm15FWB14Lcfg/5xz+TpB6W4d8ivAM9ZTNG3CZGUwziAoP8qApYjxOeTqA==,iv:IecQ9nHuUaXa8B2y9Y/FryIbdq/oi5EbEuaZ4XaR4wg=,tag:cDJr1AVqG4tgtvPe6ujtxQ==,type:str]
 spotify:
     username: ENC[AES256_GCM,data:EXLRJXrHsP+k,iv:5pvHLVnrtG+oZEPZsBY/4/+b9QQEBTT7jiPvmkBHAWY=,tag:gcCJqgBd7b2+e2k0oIVY8w==,type:str]
     password: ENC[AES256_GCM,data:DHj06DfPU98C,iv:wxinj4sLt8rQ6hW4NtxIHQPnAJ3acXRXQHRsRaoiGR8=,tag:b7ota0m1gpwSZYSDY1Uj+A==,type:str]
@@ -19,10 +21,6 @@ wifi:
         PSKRAW_HOME=base64 output from wpa_passphrase
     env: ENC[AES256_GCM,data:a2m3FI0SmpbM2hhNbEdNhWWxgNyhXRDN9/LFiRMyFEr9Nf3NvkteZCdf/CCc81GAl/aKqqqCt49HQEiSRwzw2wc3XKmbQPxw6tmK4mCd4pP7YmPpg6tacLd8CzjtCG9J248W0qqTYUIU3+kuDcY6Tdp97KxJDINVbA==,iv:kXltdSsKkXwhIaWywFYMUGJCmMgaxv8FqhdBbjuyVSU=,tag:GvkevELXFKU31mmRGsFjDw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age16k5tturaeszpxugxawmfsxkrce2cfvp06s00eaxcee243anu4qysnjfr70
           enc: |
@@ -60,8 +58,7 @@ sops:
             WVUwaEIwWTFFTExyT3hLSC9wODhJdGcKWsNIUsT06qYA9vUVeFHQrCdcn2MkHt+w
             Rr7W+4uaNb8Qxo/NUp9kodE9m/fg9XVd8wM7HUP4wJC0rE4GSnFvGg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-09-27T13:16:21Z"
-    mac: ENC[AES256_GCM,data:UkvaiVtsbMKNeMKlf6N6N0dxQWAUxT2VMQrhMJFqwdyRoFvTQ+4a27sXHIQgr+G+BAnsFBeWFjA3SS+YhHcDYCx1boXMhdoFeNjVZ2TUURX/KazcIwJNGmrt4qMK7BkfUu1mLa58pxie+XSY1MBRwByg7rnLaSJzNiWgqgLRGy0=,iv:7kBE0EKhvesWToa6+At0yWt1IzTWipv0fSvopA2PUXg=,tag:0e+5Gu5Ajw7r3AgeJLg+EQ==,type:str]
-    pgp: []
+    lastmodified: "2025-09-03T12:29:15Z"
+    mac: ENC[AES256_GCM,data:K7Q4h102XDk6s0jy6X3sRzIESbFnu8Z1I8u82yC2Xbfh8gHvQ+rqTjEC9sh+tmUpB9P8sQHA08FwPsQkiScY7CNVxXXeCzALJVS/qhLlOEC4PEOqUH2PZZHsDVslQtZT6JmB9mixCl69Ihx+CKt2+ddesXdGxuTGaH9cldORNQQ=,iv:RheBWo3bG9z+JAq2kg79ifaMRgRDNGyxHnCmMi7v/+U=,tag:CJUHJC68Cfi+whhy4McBqA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.10.2