Merge branch 'main' of tangled.org:did:plc:s7cesz7cr6ybltaryy4meb6y/nix

2026-03-28 00:09:54 +02:00
parent 15bc9617a4 099ef7b987
commit 6df4dbab3a
33 changed files with 1517 additions and 296 deletions
--- a/modules/force.nix
+++ b/modules/force.nix
@@ -1,38 +1,42 @@
 { config, pkgs, ... }:

 {
-	imports = [
-		./nixos/bootloader.nix
-		./nixos/hardware.nix
-		./nixos/i18n.nix
-		./nixos/network.nix
-		./nixos/nixpkgs.nix
-		./nixos/nvidia.nix
-		./nixos/programs.nix
-		./stuff/nvim.nix
-		./stuff/zsh.nix
-	];
+  imports = [
+    ./nixos/bootloader.nix
+    ./nixos/hardware.nix
+    ./nixos/i18n.nix
+    ./nixos/network.nix
+    ./nixos/nixpkgs.nix
+    ./nixos/nvidia.nix
+    ./nixos/programs.nix
+    ./stuff/nvim.nix
+    ./stuff/zsh.nix
+  ];

-	environment.systemPackages = with pkgs; [
-		tmux
-		gh
-		file
-		glib
-		openssl
-		nss
-		glibc
-		nixfmt-rfc-style
-		killall
-		deno
-		bun
-		imagemagick
-		unzip
-		libwebp
-		nix-direnv
-		htop
-		nixpkgs-fmt
-		nixd
-		ffmpeg-full
-		gnupg
-	];
+  services.tailscale.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    tmux
+    gh
+    file
+    glib
+    openssl
+    nss
+    glibc
+    kitty
+    nixfmt-rfc-style
+    killall
+    deno
+    bun
+    imagemagick
+    unzip
+    libwebp
+    nix-direnv
+    htop
+    nixpkgs-fmt
+    nixd
+    ffmpeg-full
+    gnupg
+    codex
+  ];
 }
--- a/modules/nixos/network.nix
+++ b/modules/nixos/network.nix
@@ -2,11 +2,14 @@

 {

-	#! Disable default nameservers to prevent ISP espionage
-	networking.nameservers = [ "1.1.1.1" "1.0.0.1" ];
+  #! Disable default nameservers to prevent ISP espionage
+  networking.nameservers = [
+    "1.1.1.1"
+    "1.0.0.1"
+  ];

-	networking.hostName = "ralsei-pc";
-	networking.networkmanager.enable = true;
-	networking.resolvconf.enable = false;
+  networking.hostName = "kris-server";
+  networking.networkmanager.enable = true;
+  networking.resolvconf.enable = false;

 }
--- a/modules/nixos/nvidia.nix
+++ b/modules/nixos/nvidia.nix
@@ -1,63 +1,75 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:

 {

-	# options nvidia NVreg_PreserveVideoMemoryAllocations=1
-	boot.extraModprobeConfig = ''
-		options nvidia_drm modeset=1 fbdev=1
-	'';
+  # options nvidia NVreg_PreserveVideoMemoryAllocations=1
+  boot.extraModprobeConfig = ''
+    		options nvidia_drm modeset=1 fbdev=1
+    	'';

-	environment.variables = {
-		LIBVA_DRIVER_NAME = "nvidia";
-		GBM_BACKEND = "nvidia-drm";
-		__GLX_VENDOR_LIBRARY_NAME = "nvidia";
-		NVD_BACKEND = "direct";
-		EGL_PLATFORM = "wayland";
-		VDPAU_DRIVER = "va_gl";
-		WAYLAND_DISPLAY = "wayland-1";
-		DISPLAY = ":0";
-		XDG_CURRENT_DESKTOP = "Hyprland";
-		MOZ_ENABLE_WAYLAND = "1"; # Enable Wayland for Firefox
-		CHROMIUM_FLAGS = "--enable-features=UseOzonePlatform --ozone-platform=wayland --enable-gpu-rasterization --enable-zero-copy"; # Enable Wayland and hardware acceleration for Chromium
-	};
+  environment.variables = {
+    LIBVA_DRIVER_NAME = "nvidia";
+    GBM_BACKEND = "nvidia-drm";
+    __GLX_VENDOR_LIBRARY_NAME = "nvidia";
+    NVD_BACKEND = "direct";
+    EGL_PLATFORM = "wayland";
+    VDPAU_DRIVER = "va_gl";
+    WAYLAND_DISPLAY = "wayland-1";
+    DISPLAY = ":0";
+    XDG_CURRENT_DESKTOP = "Hyprland";
+    MOZ_ENABLE_WAYLAND = "1"; # Enable Wayland for Firefox
+    CHROMIUM_FLAGS = "--enable-features=UseOzonePlatform --ozone-platform=wayland --enable-gpu-rasterization --enable-zero-copy"; # Enable Wayland and hardware acceleration for Chromium
+  };

-	environment.sessionVariables = {
-		NIXOS_OZONE_WL = 1;
-		LIBVA_DRIVER_NAME = "nvidia";
-		GBM_BACKEND = "nvidia-drm";
-		__GLX_VENDOR_LIBRARY_NAME = "nvidia";
-		NVD_BACKEND = "direct";
-		EGL_PLATFORM = "wayland";
-	};
+  environment.sessionVariables = {
+    NIXOS_OZONE_WL = 1;
+    LIBVA_DRIVER_NAME = "nvidia";
+    GBM_BACKEND = "nvidia-drm";
+    __GLX_VENDOR_LIBRARY_NAME = "nvidia";
+    NVD_BACKEND = "direct";
+    EGL_PLATFORM = "wayland";
+  };

-	# obs moment
-	# nixpkgs.config.cudaSupport = true;
+  # obs moment
+  # nixpkgs.config.cudaSupport = true;

-	hardware.graphics = { # hardware.graphics since NixOS 24.11
-		enable = true;
-		# driSupport = true;
-		extraPackages = with pkgs; [
-			nvidia-vaapi-driver
-			libvdpau-va-gl
-			vaapiVdpau
-			libvdpau
-		];
-	};
+  hardware.graphics = {
+    # hardware.graphics since NixOS 24.11
+    enable = true;
+    # driSupport = true;
+    extraPackages = with pkgs; [
+      nvidia-vaapi-driver
+      libvdpau-va-gl
+      libva-vdpau-driver
+      libvdpau
+    ];
+  };

-	hardware.nvidia = {
-		modesetting.enable = true;
-		powerManagement.enable = false;
-		powerManagement.finegrained = false;
-		open = true;
-		nvidiaSettings = true;
-		package = config.boot.kernelPackages.nvidiaPackages.beta;
-	};
+  hardware.nvidia = {
+    modesetting.enable = true;
+    powerManagement.enable = false;
+    powerManagement.finegrained = false;
+    open = true;
+    nvidiaSettings = true;
+    package = config.boot.kernelPackages.nvidiaPackages.beta;
+  };

-	boot.kernelModules = [ "nvidia-uvm" "nvidia-drm" ];
-	boot.blacklistedKernelModules = [ "nouveau" ];
+  boot.kernelModules = [
+    "nvidia-uvm"
+    "nvidia-drm"
+  ];
+  boot.blacklistedKernelModules = [ "nouveau" ];

-	boot.kernelParams = [ "nvidia-drm.modeset=1" "nvidia-drm.fbdev=1" ];
+  boot.kernelParams = [
+    "nvidia-drm.modeset=1"
+    "nvidia-drm.fbdev=1"
+  ];

-	services.xserver.videoDrivers = ["nvidia"];
+  services.xserver.videoDrivers = [ "nvidia" ];

 }
--- a/modules/openclaw-docker-env.nix
+++ b/modules/openclaw-docker-env.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  environment.variables = {
+    DOCKER_HOST = "tcp://127.0.0.1:2375";
+  };
+}
--- a/modules/openclaw-docker.nix
+++ b/modules/openclaw-docker.nix
@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+{
+  virtualisation.oci-containers.containers.docker-socket-proxy = {
+    image = "tecnativa/docker-socket-proxy:latest";
+    autoStart = true;
+    volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+    environment = {
+      CONTAINERS = "1";
+      IMAGES = "1";
+      NETWORKS = "1";
+      VOLUMES = "1";
+      INFO = "1";
+      POST = "1";
+      BUILD = "1";
+      COMMIT = "0";
+      CONFIGS = "0";
+      DISTRIBUTION = "0";
+      EXEC = "0";
+      GRPC = "0";
+      PLUGINS = "0";
+      SECRETS = "0";
+      SERVICES = "0";
+      SESSION = "0";
+      SWARM = "0";
+      SYSTEM = "0";
+      TASKS = "0";
+      AUTH = "0";
+      ALLOW_RESTARTS = "1";
+    };
+    ports = [ "127.0.0.1:2375:2375" ];
+  };
+}
--- a/modules/openclaw-fs.nix
+++ b/modules/openclaw-fs.nix
@@ -0,0 +1,14 @@
+{ ... }:
+{
+  systemd.tmpfiles.rules = [
+    "d /private 0750 root root -"
+    "z /private/AT\x20Protocol 0700 root root -"
+    "z /private/cloudflared 0700 root root -"
+    "z /private/cloudflared.pem 0600 root root -"
+    "z /private/wafrn 0700 root root -"
+    "z /private/tangled.env 0600 root root -"
+    "z /private/vaultwarden 0700 root root -"
+    "d /private/zipline 0700 root root -"
+    "z /protected 0700 root root -"
+  ];
+}
--- a/modules/openclaw-sudo.nix
+++ b/modules/openclaw-sudo.nix
@@ -0,0 +1,17 @@
+{
+  security.sudo.extraRules = [
+    {
+      users = [ "openclaw" ];
+      commands = [
+        {
+          command = "/run/current-system/sw/bin/cat";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
+}
--- a/modules/openclaw-user.nix
+++ b/modules/openclaw-user.nix
@@ -0,0 +1,3 @@
+{ pkgs, ... }:
+{
+}
--- a/modules/openclaw-watchdog.nix
+++ b/modules/openclaw-watchdog.nix
@@ -0,0 +1,82 @@
+{ pkgs, ... }:
+{
+  systemd.services.openclaw-watchdog = {
+    description = "Post-rebuild health watchdog";
+    after = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "/etc/openclaw/nixos-rollback.sh check";
+    };
+    onFailure = [ "nixos-rollback.service" ];
+  };
+
+  systemd.services.nixos-rollback = {
+    description = "Autonomous NixOS rollback";
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "/etc/openclaw/nixos-rollback.sh rollback";
+    };
+  };
+
+  environment.etc."openclaw/nixos-rollback.sh" = {
+    mode = "0750";
+    text = ''
+      #!/usr/bin/env bash
+      set -euo pipefail
+
+      WEBHOOK="$(cat /run/secrets/discord-webhook 2>/dev/null || echo "")"
+      UNITS=("sshd" "docker" "bluesky-pds" "cloudflared" "zipline")
+      HOSTNAME="$(hostname)"
+
+      notify() {
+        [ -z "$WEBHOOK" ] && return
+        curl -s -X POST "$WEBHOOK" \
+          -H "Content-Type: application/json" \
+          -d "{\"content\": \"$1\"}"
+      }
+
+      check_units() {
+        for unit in "''${UNITS[@]}"; do
+          if ! systemctl is-active --quiet "$unit"; then
+            return 1
+          fi
+        done
+        return 0
+      }
+
+      check_ssh() {
+        timeout 5 bash -c 'echo > /dev/tcp/127.0.0.1/22' 2>/dev/null
+      }
+
+      do_check() {
+        for i in $(seq 1 6); do
+          sleep 10
+          if check_units && check_ssh; then
+            notify "**[$HOSTNAME] NixOS switch healthy** — all units OK after rebuild."
+            exit 0
+          fi
+        done
+        exit 1
+      }
+
+      do_rollback() {
+        notify "**[$HOSTNAME] ROLLBACK TRIGGERED** — health check failed. Rolling back..."
+        if nixos-rebuild switch --rollback; then
+          sleep 15
+          if check_units && check_ssh; then
+            notify "**[$HOSTNAME] Rollback successful** — previous generation restored."
+          else
+            notify "**[$HOSTNAME] URGENT — rollback also failed.** Manual intervention needed."
+          fi
+        else
+          notify "**[$HOSTNAME] URGENT — rollback command failed.** Manual intervention needed."
+        fi
+      }
+
+      case "''${1:-check}" in
+        check) do_check ;;
+        rollback) do_rollback ;;
+      esac
+    '';
+  };
+}
--- a/modules/stuff/zsh.nix
+++ b/modules/stuff/zsh.nix
@@ -1,28 +1,37 @@
-{ config, inputs, pkgs, lib, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:

 {

-	programs.direnv = {
-		enable = true;
-		enableZshIntegration = true;
-	};
+  programs.direnv = {
+    enable = true;
+    enableZshIntegration = true;
+  };

-	programs.zsh = {
-		enable = true;
-		autosuggestions.enable = true;
-		zsh-autoenv.enable = true;
-		syntaxHighlighting.enable = true;
-		ohMyZsh = {
-			enable = true;
-			plugins = [ "git" "direnv" ];
-			theme = "robbyrussell";
-		};
-		shellAliases = {
-			# ultimate cpu killer 3000
-			nixrebuild = "sudo nixos-rebuild switch --flake .#default --impure --cores 20 -L --upgrade";
-			dangerous-nixrebuild-server = "sudo nixos-rebuild switch --flake .#server --impure --cores 4 -L --upgrade";
-			neofetch = "fastfetch";
-		};
-	};
+  programs.zsh = {
+    enable = true;
+    autosuggestions.enable = true;
+    zsh-autoenv.enable = true;
+    syntaxHighlighting.enable = true;
+    ohMyZsh = {
+      enable = true;
+      plugins = [
+        "git"
+        "direnv"
+      ];
+      theme = "robbyrussell";
+    };
+    shellAliases = {
+      # ultimate cpu killer 3000
+      nixrebuild = "sudo nixos-rebuild switch --flake .#default --impure --cores 20 -L --upgrade";
+      dangerous-nixrebuild-server = "sudo nixos-rebuild switch --flake /home/ocbwoy3/config#server --impure --cores 4 -L --upgrade";
+      neofetch = "fastfetch";
+    };
+  };

 }