kris/nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' of tangled.org:did:plc:s7cesz7cr6ybltaryy4meb6y/nix

Browse Source
This commit is contained in:
Kris
2026-03-28 00:09:54 +02:00
parent 15bc9617a4 099ef7b987
commit 6df4dbab3a
33 changed files with 1517 additions and 296 deletions
Download Patch File Download Diff File Expand all files Collapse all files

296
flake.lock generated
View File

@@ -264,6 +264,42 @@
"inputs": { "inputs": {
"systems": "systems_7" "systems": "systems_7"
}, },
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_8"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_9"
},
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
@@ -325,7 +361,7 @@
}, },
"gomod2nix": { "gomod2nix": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils_3",
"nixpkgs": [ "nixpkgs": [
"tangled", "tangled",
"nixpkgs" "nixpkgs"
@@ -392,11 +428,11 @@
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"
}, },
"locked": { "locked": {
"lastModified": 1774626137, "lastModified": 1774647770,
"narHash": "sha256-1WelwA45Xm4glTG8R9IX9jYeFKDG2HbR79jAauLezUE=", "narHash": "sha256-UNNi14XiqRWWjO8ykbFwA5wRwx7EscsC+GItOVpuGjc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "9df3a639007cfe0d074433f7fc225ea94f877d08", "rev": "02371c05a04a2876cf92e2d67a259e8f87399068",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -406,6 +442,27 @@
} }
}, },
"home-manager_4": { "home-manager_4": {
"inputs": {
"nixpkgs": [
"openclaw",
"nixpkgs"
]
},
"locked": {
"lastModified": 1767909183,
"narHash": "sha256-u/bcU0xePi5bgNoRsiqSIwaGBwDilKKFTz3g0hqOBAo=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "cd6e96d56ed4b2a779ac73a1227e0bb1519b3509",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_5": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"zen-browser", "zen-browser",
@@ -1275,6 +1332,24 @@
"type": "github" "type": "github"
} }
}, },
"nix-steipete-tools": {
"inputs": {
"nixpkgs": "nixpkgs_9"
},
"locked": {
"lastModified": 1773561580,
"narHash": "sha256-wT0bKTp45YnMkc4yXQvk943Zz/rksYiIjEXGdWzxnic=",
"owner": "openclaw",
"repo": "nix-steipete-tools",
"rev": "cd4c429ff3b3aaef9f92e59812cf2baf5704b86f",
"type": "github"
},
"original": {
"owner": "openclaw",
"repo": "nix-steipete-tools",
"type": "github"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1774567711, "lastModified": 1774567711,
@@ -1308,6 +1383,38 @@
} }
}, },
"nixpkgs_10": { "nixpkgs_10": {
"locked": {
"lastModified": 1767767207,
"narHash": "sha256-Mj3d3PfwltLmukFal5i3fFt27L6NiKXdBezC1EBuZs4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5912c1772a44e31bf1c63c0390b90501e5026886",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_11": {
"locked": {
"lastModified": 1771848320,
"narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2fc6539b481e1d2569f25f8799236694180c0993",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_12": {
"locked": { "locked": {
"lastModified": 1682134069, "lastModified": 1682134069,
"narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
@@ -1321,7 +1428,23 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs_11": { "nixpkgs_13": {
"locked": {
"lastModified": 1771419570,
"narHash": "sha256-bxAlQgre3pcQcaRUm/8A0v/X8d2nhfraWSFqVmMcBcU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6d41bc27aaf7b6a3ba6b169db3bd5d6159cfaa47",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_14": {
"locked": { "locked": {
"lastModified": 1773389992, "lastModified": 1773389992,
"narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=", "narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=",
@@ -1448,16 +1571,16 @@
}, },
"nixpkgs_9": { "nixpkgs_9": {
"locked": { "locked": {
"lastModified": 1771848320, "lastModified": 1767364772,
"narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=", "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=",
"owner": "nixos", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "2fc6539b481e1d2569f25f8799236694180c0993", "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixpkgs-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -1485,6 +1608,52 @@
"type": "github" "type": "github"
} }
}, },
"openclaw": {
"inputs": {
"flake-utils": "flake-utils",
"home-manager": "home-manager_4",
"nix-steipete-tools": "nix-steipete-tools",
"nixpkgs": "nixpkgs_10"
},
"locked": {
"lastModified": 1773851886,
"narHash": "sha256-+3ygZuf5K8mtSGMMEZ/h+vxGvXCu1CmiB+531KMagH8=",
"owner": "openclaw",
"repo": "nix-openclaw",
"rev": "64d410666821866c565e048a4d07d6cf5d8e494e",
"type": "github"
},
"original": {
"owner": "openclaw",
"repo": "nix-openclaw",
"type": "github"
}
},
"pion-webrtc": {
"inputs": {
"flake-utils": [
"spacebar",
"flake-utils"
],
"nixpkgs": [
"spacebar",
"nixpkgs"
]
},
"locked": {
"lastModified": 1773624569,
"narHash": "sha256-CKfTu9nDD85yv7hHxCKl8tGv4R+/Yj44ANAwvqSO2q4=",
"owner": "spacebarchat",
"repo": "pion-webrtc",
"rev": "5382e83ccbb0305a91b9ae92eae2ee9f5ac39398",
"type": "github"
},
"original": {
"owner": "spacebarchat",
"repo": "pion-webrtc",
"type": "github"
}
},
"pre-commit-hooks": { "pre-commit-hooks": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",
@@ -1521,8 +1690,11 @@
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_7", "nixpkgs": "nixpkgs_7",
"nvf": "nvf", "nvf": "nvf",
"openclaw": "openclaw",
"spacebar": "spacebar",
"tangled": "tangled", "tangled": "tangled",
"vscode-server": "vscode-server", "vscode-server": "vscode-server",
"wafrn": "wafrn",
"zen-browser": "zen-browser" "zen-browser": "zen-browser"
} }
}, },
@@ -1564,6 +1736,28 @@
"type": "github" "type": "github"
} }
}, },
"spacebar": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"pion-webrtc": "pion-webrtc"
},
"locked": {
"lastModified": 1774630159,
"narHash": "sha256-jWYPNoab9rqCM0Gb+RtTpXfrJ/g4XsnOoy2JwjWhSno=",
"owner": "spacebarchat",
"repo": "server",
"rev": "7c07c9b6fde0d539c5c3a6cf7afc022a9d3b7da6",
"type": "github"
},
"original": {
"owner": "spacebarchat",
"repo": "server",
"type": "github"
}
},
"sqlite-lib-src": { "sqlite-lib-src": {
"flake": false, "flake": false,
"locked": { "locked": {
@@ -1683,6 +1877,36 @@
"type": "github" "type": "github"
} }
}, },
"systems_8": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_9": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tangled": { "tangled": {
"inputs": { "inputs": {
"actor-typeahead-src": "actor-typeahead-src", "actor-typeahead-src": "actor-typeahead-src",
@@ -1696,7 +1920,7 @@
"inter-fonts-src": "inter-fonts-src", "inter-fonts-src": "inter-fonts-src",
"lucide-src": "lucide-src", "lucide-src": "lucide-src",
"mermaid-src": "mermaid-src", "mermaid-src": "mermaid-src",
"nixpkgs": "nixpkgs_9", "nixpkgs": "nixpkgs_11",
"sqlite-lib-src": "sqlite-lib-src" "sqlite-lib-src": "sqlite-lib-src"
}, },
"locked": { "locked": {
@@ -1706,17 +1930,17 @@
"rev": "5a17af77bf13448e49a3b0b00cf93baa7821ce30", "rev": "5a17af77bf13448e49a3b0b00cf93baa7821ce30",
"revCount": 2120, "revCount": 2120,
"type": "git", "type": "git",
"url": "https://tangled.sh/@tangled.sh/core" "url": "https://tangled.sh/tangled.sh/core"
}, },
"original": { "original": {
"type": "git", "type": "git",
"url": "https://tangled.sh/@tangled.sh/core" "url": "https://tangled.sh/tangled.sh/core"
} }
}, },
"vscode-server": { "vscode-server": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_10" "nixpkgs": "nixpkgs_12"
}, },
"locked": { "locked": {
"lastModified": 1770124655, "lastModified": 1770124655,
@@ -1732,6 +1956,42 @@
"type": "github" "type": "github"
} }
}, },
"wafrn": {
"inputs": {
"nixpkgs": "nixpkgs_13",
"wafrn-src": "wafrn-src"
},
"locked": {
"lastModified": 1771530828,
"narHash": "sha256-U9gTyZILNGjK4kbSKsR6xPGFV/sjvzDFRreDXWyg5hE=",
"ref": "refs/heads/main",
"rev": "715d83e0a1730b2bb4e649941863ed67d964ad65",
"revCount": 11,
"type": "git",
"url": "https://git.ocbwoy3.dev/kris/wafrn-nix"
},
"original": {
"type": "git",
"url": "https://git.ocbwoy3.dev/kris/wafrn-nix"
}
},
"wafrn-src": {
"flake": false,
"locked": {
"lastModified": 1770394446,
"narHash": "sha256-yUGn0HjwEDJOLlwcNP+ZfCjU04x9Y6PkmeahdcEP23A=",
"ref": "main",
"rev": "01e89d8fd0ba56d5781e4671a54531563d1a46c6",
"revCount": 6083,
"type": "git",
"url": "https://codeberg.org/wafrn/wafrn"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://codeberg.org/wafrn/wafrn"
}
},
"xdph": { "xdph": {
"inputs": { "inputs": {
"hyprland-protocols": [ "hyprland-protocols": [
@@ -1775,8 +2035,8 @@
}, },
"zen-browser": { "zen-browser": {
"inputs": { "inputs": {
"home-manager": "home-manager_4", "home-manager": "home-manager_5",
"nixpkgs": "nixpkgs_11" "nixpkgs": "nixpkgs_14"
}, },
"locked": { "locked": {
"lastModified": 1774605342, "lastModified": 1774605342,

38
flake.nix
View File

@@ -24,39 +24,35 @@
nvf.url = "github:notashelf/nvf"; nvf.url = "github:notashelf/nvf";
# Extras # Extras
tangled.url = "git+https://tangled.sh/@tangled.sh/core"; tangled.url = "git+https://tangled.sh/tangled.sh/core";
wafrn.url = "git+https://git.ocbwoy3.dev/kris/wafrn-nix";
vscode-server.url = "github:nix-community/nixos-vscode-server"; vscode-server.url = "github:nix-community/nixos-vscode-server";
spacebar = {
url = "github:spacebarchat/server";
inputs.nixpkgs.follows = "nixpkgs";
};
# slop
openclaw.url = "github:openclaw/nix-openclaw";
}; };
# Required by NixOS:
# ./hardware-configuration.nix
# inputs.home-manager.nixosModules.default
# catppuccin.nixosModules.catppuccin
# nix-flatpak.nixosModules.nix-flatpak
outputs = { self, nixpkgs, ... }@inputs: { outputs = { self, nixpkgs, ... }@inputs: {
nixosConfigurations.default = nixpkgs.lib.nixosSystem { nixosConfigurations.default = nixpkgs.lib.nixosSystem {
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
# inputs.nixos-hardware.nixosModules.common-gpu-nvidia
inputs.home-manager.nixosModules.default inputs.home-manager.nixosModules.default
inputs.catppuccin.nixosModules.catppuccin inputs.catppuccin.nixosModules.catppuccin
inputs.nix-flatpak.nixosModules.nix-flatpak inputs.nix-flatpak.nixosModules.nix-flatpak
# inputs.chaotic.nixosModules.default
inputs.chaotic.nixosModules.nyx-cache inputs.chaotic.nixosModules.nyx-cache
inputs.chaotic.nixosModules.nyx-overlay inputs.chaotic.nixosModules.nyx-overlay
inputs.chaotic.nixosModules.nyx-registry inputs.chaotic.nixosModules.nyx-registry
# ./hosts/default/hardware-configuration.nix
# lil hack to not use --impure when rebuilding nixos >:3
"/etc/nixos/hardware-configuration.nix" "/etc/nixos/hardware-configuration.nix"
./hosts/default/configuration.nix ./hosts/default/configuration.nix
]; ];
}; };
nixosConfigurations.server = nixpkgs.lib.nixosSystem { nixosConfigurations.server = nixpkgs.lib.nixosSystem {
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
@@ -64,19 +60,23 @@
modules = [ modules = [
inputs.catppuccin.nixosModules.catppuccin inputs.catppuccin.nixosModules.catppuccin
inputs.tangled.nixosModules.knot inputs.tangled.nixosModules.knot
inputs.wafrn.nixosModules.default
inputs.tangled.nixosModules.spindle inputs.tangled.nixosModules.spindle
inputs.vscode-server.nixosModules.default inputs.vscode-server.nixosModules.default
inputs.chaotic.nixosModules.nyx-cache inputs.chaotic.nixosModules.nyx-cache
inputs.chaotic.nixosModules.nyx-overlay inputs.chaotic.nixosModules.nyx-overlay
inputs.chaotic.nixosModules.nyx-registry inputs.chaotic.nixosModules.nyx-registry
./modules/openclaw-user.nix
# lil hack to not use --impure when rebuilding nixos >:3 ./modules/openclaw-sudo.nix
"/etc/nixos/hardware-configuration.nix" ./modules/openclaw-fs.nix
./modules/openclaw-docker.nix
./modules/openclaw-docker-env.nix
./modules/openclaw-watchdog.nix
./hosts/server/configuration.nix ./hosts/server/configuration.nix
./hosts/server/hardware-configuration.nix
]; ];
}; };
nixosConfigurations.fix_nixpkgs = nixpkgs.lib.nixosSystem { nixosConfigurations.fix_nixpkgs = nixpkgs.lib.nixosSystem {
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;

39
hosts/default/packages.nix
View File

@@ -1,14 +1,12 @@
{ inputs, config, pkgs, lib, ... }: { inputs, config, pkgs, lib, ... }:
{ {
fonts.packages = with pkgs; [ fonts.packages = with pkgs; [
noto-fonts noto-fonts
noto-fonts-cjk-sans noto-fonts-cjk-sans
noto-fonts-emoji noto-fonts-emoji
monaspace monaspace
geist-font geist-font
# nerdfonts
nerd-fonts.geist-mono nerd-fonts.geist-mono
nerd-fonts.monaspace nerd-fonts.monaspace
nerd-fonts.symbols-only nerd-fonts.symbols-only
@@ -19,37 +17,36 @@
environment.sessionVariables.LD_LIBRARY_PATH = "${pkgs.gcc15}/lib"; environment.sessionVariables.LD_LIBRARY_PATH = "${pkgs.gcc15}/lib";
security.polkit = { security.polkit.enable = true;
enable = true;
};
security.soteria.enable = true; security.soteria.enable = true;
# surely they should add programs.discord!!
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
mosh
(discord.override { (discord.override {
withEquicord = true; withEquicord = true;
}) })
# hyprland stuff
inputs.hyprlock.packages.${pkgs.stdenv.hostPlatform.system}.hyprlock inputs.hyprlock.packages.${pkgs.stdenv.hostPlatform.system}.hyprlock
inputs.hyprsysteminfo.packages.${pkgs.stdenv.hostPlatform.system}.hyprsysteminfo inputs.hyprsysteminfo.packages.${pkgs.stdenv.hostPlatform.system}.hyprsysteminfo
# minecraft
qemu qemu
(writeShellScriptBin "qemu-system-x86_64-uefi" '' (writeShellScriptBin "qemu-system-x86_64-uefi" ''
qemu-system-x86_64 \ qemu-system-x86_64 \
-bios ${OVMF.fd}/FV/OVMF.fd \ -bios ${OVMF.fd}/FV/OVMF.fd \
"$@" "$@"
'') '')
(writeShellScriptBin "regretevator" ''xdg-open roblox://placeId=4972273297'') (writeShellScriptBin "regretevator" "xdg-open roblox://placeId=4972273297")
(writeShellScriptBin "kaijuparadise" ''xdg-open roblox://placeId=6456351776'') (writeShellScriptBin "kaijuparadise" "xdg-open roblox://placeId=6456351776")
(writeShellScriptBin "sewh" ''xdg-open roblox://placeId=16991287194'') (writeShellScriptBin "sewh" "xdg-open roblox://placeId=16991287194")
(writeShellScriptBin "fix-gtk" ''${inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland}/bin/hyprctl dispatch exec "${pkgs.xdg-desktop-portal-gtk}/libexec/xdg-desktop-portal-gtk -r"'') (writeShellScriptBin "fix-gtk" ''${
inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland
}/bin/hyprctl dispatch exec "${pkgs.xdg-desktop-portal-gtk}/libexec/xdg-desktop-portal-gtk -r"'')
(callPackage ./apps/wl-shimeji.nix {}) (callPackage ./apps/wl-shimeji.nix {})
(writeShellScriptBin "stop-shimejis" ''${inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland}/bin/hyprctl dispatch exec "shimejictl stop"'') (writeShellScriptBin "stop-shimejis" ''${
# (writeShellScriptBin "partynoob" ''shimejictl summon PartyNoob'') inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland
}/bin/hyprctl dispatch exec "shimejictl stop"'')
quickshell quickshell
kdePackages.qtdeclarative kdePackages.qtdeclarative
catppuccin-gtk catppuccin-gtk
@@ -58,7 +55,6 @@
catppuccin-catwalk catppuccin-catwalk
catppuccin-whiskers catppuccin-whiskers
mission-center mission-center
# nvtopPackages.full
libxkbcommon libxkbcommon
ffmpeg-full ffmpeg-full
gnupg gnupg
@@ -92,7 +88,6 @@
pypresence pypresence
pygobject3 pygobject3
])) ]))
# wrangler
fontforge fontforge
xclip xclip
gamescope gamescope
@@ -122,17 +117,14 @@
playerctl playerctl
mangohud mangohud
jq jq
github-cli
file file
nwg-look nwg-look
# rhythmbox
hyprpolkitagent hyprpolkitagent
# important
glib glib
openssl openssl
nss nss
glibc # C LIBRARY DO NOT REMOVE VERY IMPORTANT glibc
gobject-introspection gobject-introspection
gimp3 gimp3
mpv mpv
@@ -140,9 +132,6 @@
kdePackages.kdialog kdePackages.kdialog
(writeShellScriptBin "roblox-studio-patcher" ''${pkgs.bun}/bin/bun run /etc/nixos/scripts/bin/patchInternalRobloxStudio.ts'') (writeShellScriptBin "roblox-studio-patcher" "${pkgs.bun}/bin/bun run /etc/nixos/scripts/bin/patchInternalRobloxStudio.ts")
# firefox-devedition
]; ];
} }

295
hosts/server/configuration.nix
View File

@@ -1,84 +1,243 @@
{ config, pkgs, lib, ... }:
{ {
imports = [ config,
./modules/atproto-pds.nix pkgs,
./modules/cloudflare.nix lib,
./modules/tangled.nix ...
../../modules/force.nix }:
];
# gcc. shit breaks. wtf let
environment.sessionVariables.LD_LIBRARY_PATH = "${pkgs.gcc15}/lib"; mkUserService = pkgs.writeShellScriptBin "mk-user-service" ''
set -euo pipefail
services.vscode-server.enable = true; if [ "$#" -lt 2 ]; then
echo "Usage: mk-user-service <name> <exec command...>" >&2
exit 1
fi
systemd.services.ocbwoy3-start-pm2 = { name="$1"
enable = true; shift
description = "Start PM2";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "forking";
User = "ocbwoy3";
LimitNOFILE = "infinity";
LimitNPROC = "infinity";
LimitCORE = "infinity";
Environment = "PM2_HOME=/home/ocbwoy3/.pm2";
PIDFile = "/home/ocbwoy3/.pm2/pm2.pid";
Restart = "on-failure";
ExecStart = "${pkgs.pm2}/bin/pm2 resurrect"; unitDir="''${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"
ExecReload = "${pkgs.pm2}/bin/pm2 reload all"; unitFile="$unitDir/$name.service"
ExecStop = "${pkgs.pm2}/bin/pm2 kill";
};
};
services.openssh.settings = { mkdir -p "$unitDir"
PubkeyAuthentication = "yes";
TrustedUserCAKeys = "/etc/ssh/ca.pub";
};
services.openssh = { if [ -e "$unitFile" ]; then
enable = lib.mkForce true; echo "Refusing to overwrite existing unit: $unitFile" >&2
}; exit 2
fi
environment.systemPackages = with pkgs; [ cat > "$unitFile" <<EOF
fastfetch [Unit]
hyfetch Description=$name
pm2
steam-run
];
users.users.ocbwoy3 = { [Service]
initialPassword = "thisisapassword42069!"; # not the type passwords i use Type=simple
isNormalUser = true; ExecStart=$*
extraGroups = [ "wheel" "networkmanager" ]; Restart=on-failure
shell = pkgs.zsh; RestartSec=2
};
virtualisation.docker.enable = true; [Install]
WantedBy=default.target
EOF
services.mongodb = { echo "Created $unitFile"
enable = true; echo "Next steps:"
enableAuth = false; echo " systemctl --user daemon-reload"
package = pkgs.mongodb-ce; echo " systemctl --user enable --now $name.service"
replSetName = "rs0"; # dangerous '';
bind_ip = "0.0.0.0"; in
}; {
imports = [
./modules/atproto-pds.nix
./modules/wafrn.nix
./modules/cloudflare.nix
./modules/tangled.nix
../../modules/force.nix
./modules/gitea.nix
./modules/vaultwarden.nix
./modules/zipline.nix
./slop/openclaw.nix
./slop/brave.nix
];
networking.firewall = { # gcc. shit breaks. wtf
enable = true; environment.sessionVariables.LD_LIBRARY_PATH = "${pkgs.gcc15}/lib";
allowedTCPPorts = [ 22 443 3000 3001 8080 25565 ];
allowedUDPPorts = [ 22 443 3000 3001 8080 25565 ];
};
catppuccin = { services.vscode-server.enable = true;
enable = true;
flavor = "mocha";
accent = "blue";
};
system.stateVersion = "23.05"; # DO NOT TOUCH services.openssh.settings = lib.mkDefault {
PubkeyAuthentication = "yes";
TrustedUserCAKeys = "/etc/ssh/ca.pub";
PermitRootLogin = lib.mkDefault "prohibit-password";
KbdInteractiveAuthentication = lib.mkDefault false;
};
services.openssh = {
enable = lib.mkForce true;
};
environment.systemPackages = with pkgs; [
mosh
fastfetch
hyfetch
bash
jdk
steam-run
opencode
bun
nodejs
node-gyp
playwright
chromium
brave
(pkgs.callPackage ./slop/rocksky-cli.nix { })
];
users.users.ocbwoy3 = {
initialPassword = "thisisapassword42069!"; # not the type passwords i use
isNormalUser = true;
extraGroups = [
"wheel"
"networkmanager"
"docker"
];
shell = pkgs.zsh;
};
users.users.kris = {
initialPassword = "thisisapassword42069!";
isNormalUser = true;
extraGroups = [
"wheel"
"networkmanager"
"docker"
];
shell = pkgs.zsh;
packages = [
pkgs.mrpack-install
mkUserService
];
};
system.activationScripts.enableKrisLinger.text = ''
${pkgs.systemd}/bin/loginctl enable-linger kris || true
'';
nixpkgs.overlays = [
(final: prev: {
nixos-rebuild = prev.writeShellScriptBin "nixos-rebuild" ''
set -euo pipefail
action="''${1:-}"
case "$action" in
switch|boot|test|build|dry-activate)
needs_flake=1
;;
*)
needs_flake=0
;;
esac
has_flake=0
for arg in "$@"; do
case "$arg" in
--flake|--flake=*)
has_flake=1
break
;;
esac
done
if [ "$needs_flake" -eq 1 ] && [ "$has_flake" -eq 0 ]; then
cat >&2 <<'EOF'
🚨🚨🚨 WARNING: DANGEROUS SYSTEM REBUILD 🚨🚨🚨
This host is FLAKE-MANAGED. Do not attempt to rebuild the system from /etc/nixos.
Please ensure you are running THIS EXACT COMMAND inside /home/ocbwoy3/config:
sudo nixos-rebuild switch --flake /home/ocbwoy3/config#server --impure --cores 4 -L --upgrade
Aborting unsafe nixos-rebuild invocation.
EOF
exit 64
fi
exec ${prev.nixos-rebuild}/bin/nixos-rebuild "$@"
'';
})
];
virtualisation.docker = {
enable = true;
daemon.settings = {
"log-driver" = "local";
"log-opts" = {
"max-size" = "10m";
"max-file" = "3";
};
"live-restore" = true;
};
};
systemd.services.docker.serviceConfig = {
CPUQuota = "200%";
MemoryMax = "12G";
};
services.mongodb = {
enable = true;
enableAuth = false;
package = pkgs.mongodb-ce;
replSetName = "rs0"; # dangerous
bind_ip = "0.0.0.0";
};
networking.firewall = {
enable = true;
allowedTCPPorts = [
22
443
3000
3001
4067
8080
25565
];
allowedUDPPorts = [
22
443
3000
3001
4067
8080
25565
];
};
# Lock /etc/nixos to read-only mode (config lives in /home/ocbwoy3/config).
systemd.tmpfiles.rules = [
"z /etc/nixos 0555 root root - -"
];
# Force resolver config to Cloudflare only.
networking.nameservers = lib.mkForce [
"1.1.1.1"
"1.0.0.1"
];
environment.etc."resolv.conf".text = lib.mkForce ''
nameserver 1.1.1.1
nameserver 1.0.0.1
'';
catppuccin = {
enable = true;
flavor = "mocha";
accent = "blue";
gitea.enable = false;
};
system.stateVersion = "23.05"; # DO NOT TOUCH
} }

51
hosts/server/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,51 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/5ca305a1-d705-4c99-913c-a2d1c3447282";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/5ca305a1-d705-4c99-913c-a2d1c3447282";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/5ca305a1-d705-4c99-913c-a2d1c3447282";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/732D-084E";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
# swapDevices = [ { device = "/swap/swapfile"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

62
hosts/server/modules/Caddyfile Normal file
View File

@@ -0,0 +1,62 @@
@favicon path /favicon.ico
handle @favicon {
root * /lib/system-utdr-assets
rewrite * /tenna.ico
header Content-Type "image/vnd.microsoft.icon" # <-- microslop
file_server
}
@root path /
handle @root {
header Content-Type "text/plain; charset=utf-8"
respond "
This is an AT Protocol Personal Data Server (aka, an atproto PDS)
Most API routes are under /xrpc/
Code: https://github.com/bluesky-social/atproto
Self-Host: https://github.com/bluesky-social/pds
Protocol: https://atproto.com
As foretold in the prophecy.
" 200
}
@robots path /robots.txt
handle @robots {
header Content-Type "text/plain; charset=utf-8"
respond "User-agent: *
Disallow: /
" 200
}
handle {
reverse_proxy localhost:3000 {
header_up Host castletown.darkworld.download
}
}

63
hosts/server/modules/atproto-pds.nix
View File

@@ -1,26 +1,49 @@
{ config, inputs, pkgs, ... }: {
config,
inputs,
pkgs,
...
}:
let
systemUtdrAssets = pkgs.callPackage ./system-utdr-assets { };
in
{ {
# TODO: # TODO:
# Upload PDS backup to /var/lib/pds # Upload PDS backup to /var/lib/pds
# and specify secrets in /private/atproto-pds.env # and specify secrets in /private/atproto-pds.env
services.bluesky-pds = { services.bluesky-pds = {
enable = true; enable = true;
pdsadmin.enable = true; pdsadmin.enable = true;
environmentFiles = [ "/private/atproto-pds.env" ]; environmentFiles = [ "/private/atproto-pds.env" ];
settings = { settings = {
PDS_CRAWLERS = "https://bsky.network"; PDS_CRAWLERS = "https://bsky.network";
LOG_ENABLED = "true"; LOG_ENABLED = "true";
PDS_HOSTNAME = "pds.ocbwoy3.dev"; PDS_HOSTNAME = "castletown.darkworld.download";
# PDS_VERSION = "\"ATProto PDS v69420\""; PDS_VERSION = "\"That feeling when Deltarune........ tomorrow! :3\"";
PDS_DID_PLC_URL = "https://plc.directory"; PDS_DID_PLC_URL = "https://plc.directory";
PDS_CONTACT_EMAIL_ADDRESS = "ocbwoy3@ocbwoy3.dev"; PDS_CONTACT_EMAIL_ADDRESS = "kris@darkworld.download";
PDS_PRIVACY_POLICY_URL = "https://ocbwoy3.dev"; # PDS_PRIVACY_POLICY_URL = "https://bsky.social/about/support/privacy-policy";
PDS_TERMS_OF_SERVICE_URL = "https://ocbwoy3.dev"; # PDS_TERMS_OF_SERVICE_URL = "https://bsky.social/about/support/tos";
PDS_ACCEPTING_REPO_IMPORTS = "true"; PDS_ACCEPTING_REPO_IMPORTS = "true";
}; };
}; };
# Set host header to `localhost` in tunnel settings otherwise you'll end up wasting countless hours of your life
systemd.tmpfiles.rules = [
"L+ /lib/system-utdr-assets - - - - ${systemUtdrAssets}/lib/system-utdr-assets"
];
services.caddy = {
enable = true;
globalConfig = ''
auto_https off
'';
virtualHosts."localhost:80".extraConfig = builtins.readFile ./Caddyfile;
};
} }

35
hosts/server/modules/cloudflare.nix
View File

@@ -1,21 +1,26 @@
{ config, inputs, pkgs, ... }: {
config,
inputs,
pkgs,
...
}:
{ {
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
cloudflared cloudflared
]; ];
# lib.mkIf (isOCbwoy3 == true) # lib.mkIf (isOCbwoy3 == true)
services.cloudflared = { services.cloudflared = {
enable = true; enable = true;
tunnels = { tunnels = {
"selfhost" = { "selfhost" = {
# 2f83f704-e9f7-49fb-a6c4-d4a8f85d87e4 # 2f83f704-e9f7-49fb-a6c4-d4a8f85d87e4
default = "http_status:404"; default = "http_status:404";
credentialsFile = "/private/cloudflared/selfhost.json"; credentialsFile = "/private/cloudflared/selfhost.json";
}; };
}; };
}; };
} }

34
hosts/server/modules/gitea.nix Normal file
View File

@@ -0,0 +1,34 @@
{
config,
pkgs,
lib,
...
}:
{
services.gitea = {
enable = true;
database = {
type = "postgres";
};
settings = {
server = {
DOMAIN = "git.ocbwoy3.dev";
ROOT_URL = "https://git.ocbwoy3.dev/";
HTTP_PORT = 2222;
DISABLE_SSH = true;
MAX_UPLOAD_FILE_SIZE = 5242880;
};
attachment = {
MAX_SIZE = 5; # MB (this is the one causing the 1024 KiB error)
};
service = {
DISABLE_REGISTRATION = true;
};
};
};
}

21
hosts/server/modules/system-utdr-assets/default.nix Normal file
View File

@@ -0,0 +1,21 @@
{ stdenvNoCC, lib }:
stdenvNoCC.mkDerivation {
pname = "system-utdr-assets";
version = "1.0.0";
src = ./.;
installPhase = ''
mkdir -p "$out/lib/system-utdr-assets"
cp "$src/tenna.ico" "$out/lib/system-utdr-assets/tenna.ico"
cp "$src/logo.png" "$out/lib/system-utdr-assets/logo.png"
cp "$src/favicon.png" "$out/lib/system-utdr-assets/favicon.png"
'';
meta = with lib; {
description = "System Undertale & Deltarune assets";
license = licenses.unfree;
maintainers = with maintainers; [ ];
};
}

BIN
hosts/server/modules/system-utdr-assets/favicon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
hosts/server/modules/system-utdr-assets/logo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 864 KiB

BIN
hosts/server/modules/system-utdr-assets/tenna.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

39
hosts/server/modules/tangled.nix
View File

@@ -1,21 +1,26 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{ {
services.tangled-knot = { services.tangled.knot = {
enable = true; enable = true;
server = { server = {
listenAddr = "0.0.0.0:3003"; listenAddr = "0.0.0.0:3003";
owner = "did:plc:s7cesz7cr6ybltaryy4meb6y"; owner = "did:plc:s7cesz7cr6ybltaryy4meb6y";
hostname = "knot.ocbwoy3.dev"; hostname = "knot.ocbwoy3.dev";
}; };
}; };
services.tangled-spindle = { services.tangled.spindle = {
enable = true; enable = true;
server = { server = {
listenAddr = "0.0.0.0:3004"; listenAddr = "0.0.0.0:3004";
owner = "did:plc:s7cesz7cr6ybltaryy4meb6y"; owner = "did:plc:s7cesz7cr6ybltaryy4meb6y";
hostname = "spindle.ocbwoy3.dev"; hostname = "spindle.ocbwoy3.dev";
}; };
}; };
} }

44
hosts/server/modules/vaultwarden.nix Normal file
View File

@@ -0,0 +1,44 @@
{
config,
pkgs,
lib,
...
}:
{
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
config = {
# Keep data alongside the secret env file so we can back it up together.
DATA_FOLDER = "/var/lib/vaultwarden/data";
PUSH_RELAY_URI = "https://api.bitwarden.eu";
PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";
DOMAIN = "https://vault.ocbwoy3.dev";
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = 8222;
WEBSOCKET_ENABLED = true;
WEBSOCKET_ADDRESS = "0.0.0.0";
WEBSOCKET_PORT = 3012;
SIGNUPS_ALLOWED = false;
};
};
# Allow vaultwarden to write under /var/lib/vaultwarden and ensure the directories exist.
systemd.services.vaultwarden.serviceConfig = {
ReadWritePaths = [ "/var/lib/vaultwarden" ];
};
# Create parent/data directories with proper ownership before startup.
systemd.tmpfiles.rules = [
"d /var/lib/vaultwarden 0750 vaultwarden vaultwarden -"
"d /var/lib/vaultwarden/data 0750 vaultwarden vaultwarden -"
];
# cloudflared!!
# networking.firewall.allowedTCPPorts = [
# 8222
# 3012
# ];
}

32
hosts/server/modules/wafrn.nix Normal file
View File

@@ -0,0 +1,32 @@
{
config,
inputs,
pkgs,
...
}:
{
# DONT ENABLE YET!!
services.wafrn = {
enable = false;
stateDir = "/var/lib/wafrn";
secretsFile = "/private/wafrn/secrets.env";
caddyConfigDir = "/private/wafrn/caddy";
# cloudflared doesnt need https
httpPort = 6767;
httpsPort = null;
environment = {
DOMAIN_NAME = "cyberworld.darkworld.download";
CACHE_DOMAIN = "cyberworld-cache.darkworld.download";
MEDIA_DOMAIN = "cyberworld-media.darkworld.download";
FRONTEND_MEDIA_URL = "https://cyberworld-media.darkworld.download";
FRONTEND_CACHE_URL = "https://cyberworld-cache.darkworld.download/api/cache?media=";
FRONTEND_FQDN_URL = "https://cyberworld.darkworld.download";
ACME_EMAIL = "kris@darkworld.download";
};
};
}

17
hosts/server/modules/zipline.nix Normal file
View File

@@ -0,0 +1,17 @@
{
config,
pkgs,
lib,
...
}:
{
services.zipline = {
enable = true;
environmentFiles = [ "/private/zipline/zipline.env" ];
settings = {
CORE_HOSTNAME = "127.0.0.1";
CORE_PORT = 3015;
};
};
}

201
hosts/server/slop/brave-shim.nix Normal file
View File

@@ -0,0 +1,201 @@
{ pkgs }:
let
pythonEnv = pkgs.python3.withPackages (ps: with ps; [
fastapi
uvicorn
ddgs
pyyaml
]);
in
pkgs.stdenvNoCC.mkDerivation {
pname = "brave-shim";
version = "0.1.0";
dontUnpack = true;
installPhase = ''
mkdir -p $out/bin $out/share/brave-shim
cat > $out/share/brave-shim/brave_shim.conf <<'CONF'
server:
host: "127.0.0.1"
port: 8000
ssl:
use_custom_ca: false
ca_bundle_path: "/etc/ssl/certs/ca-certificates.crt"
verify_ssl: true
logging:
file_path: "/home/openclaw/.local/state/brave-shim/brave_shim.log"
level: "INFO"
bot_protection:
cache_expiration: 3600
min_delay: 1.0
max_delay: 2.5
search:
default_count: 10
local_count: 5
CONF
cat > $out/share/brave-shim/brave_shim.py <<'PY'
import time
import random
import yaml
import uvicorn
import logging
import os
import ssl
from fastapi import FastAPI, Query
from ddgs import DDGS
from pathlib import Path
config_path = Path(os.environ.get("BRAVE_SHIM_CONF", "brave_shim.conf"))
if not config_path.exists():
raise FileNotFoundError(f"Config not found: {config_path}")
with open(config_path, "r") as f:
config = yaml.safe_load(f)
os.makedirs(os.path.dirname(config["logging"]["file_path"]), exist_ok=True)
logging.basicConfig(
level=config['logging']['level'],
format="%(asctime)s [%(levelname)s] %(message)s",
handlers=[logging.FileHandler(config['logging']['file_path'])]
)
logger = logging.getLogger("brave_shim")
ssl_cfg = config.get('ssl', {})
verify_ssl = ssl_cfg.get('verify_ssl', True)
custom_ca_status = "System Default"
if ssl_cfg.get('use_custom_ca'):
ca_path = ssl_cfg['ca_bundle_path']
if os.path.exists(ca_path):
os.environ["SSL_CERT_FILE"] = ca_path
os.environ["REQUESTS_CA_BUNDLE"] = ca_path
os.environ["CURL_CA_BUNDLE"] = ca_path
if not verify_ssl:
ssl._create_default_https_context = ssl._create_unverified_context
custom_ca_status = f"Active (Verify=OFF, Path={ca_path})"
logger.warning("SSL verification disabled")
else:
try:
context = ssl.create_default_context(cafile=ca_path)
ssl._create_default_https_context = lambda: context
custom_ca_status = f"Active (Path={ca_path})"
except Exception as e:
logger.error(f"SSL bundle load error: {e}")
else:
logger.error(f"SSL CA bundle not found: {ca_path}")
custom_ca_status = "Error: File not found"
app = FastAPI(title="Brave Search API Shim", docs_url=None, redoc_url=None)
search_cache = {}
def get_from_cache(q):
expiration = config['bot_protection']['cache_expiration']
if q in search_cache:
timestamp, data = search_cache[q]
if time.time() - timestamp < expiration:
return data
return None
@app.get("/status")
async def health_check():
return {
"status": "online",
"cache_entries": len(search_cache),
"ssl_verify": verify_ssl,
"ca_bundle": custom_ca_status
}
@app.get("/res/v1/web/search")
async def search_proxy(q: str = Query(...), count: int = None):
res_count = count or config['search']['default_count']
cached_res = get_from_cache(q)
if cached_res:
logger.info(f"CACHE HIT: {q}")
return cached_res
time.sleep(random.uniform(config['bot_protection']['min_delay'], config['bot_protection']['max_delay']))
logger.info(f"FETCH WEB: {q}")
try:
with DDGS(verify=verify_ssl) as ddgs:
results = []
for r in ddgs.text(q, max_results=res_count):
results.append({
"title": r.get("title"),
"url": r.get("href"),
"description": r.get("body"),
"meta_url": {"path": r.get("href")}
})
response_data = {"web": {"results": results}}
search_cache[q] = (time.time(), response_data)
return response_data
except Exception as e:
logger.error(f"WEB search error for '{q}': {e}")
return {"web": {"results": []}, "error": str(e)}
@app.get("/res/v1/local/pois")
async def local_proxy(q: str = Query(...), count: int = None):
res_count = count or config['search']['local_count']
logger.info(f"FETCH LOCAL: {q}")
try:
with DDGS(verify=verify_ssl) as ddgs:
res = [
{
"id": str(i),
"name": r["title"],
"address": r["body"][:100],
"phone": "",
"coordinates": {"latitude": 0.0, "longitude": 0.0}
}
for i, r in enumerate(ddgs.text(f"place {q}", max_results=res_count))
]
return {"results": res}
except Exception as e:
logger.error(f"LOCAL search error for '{q}': {e}")
return {"results": []}
@app.get("/res/v1/local/descriptions")
async def local_descriptions(id: str = Query(...)):
return {"descriptions": {id: "Data from DDGS proxy."}}
@app.get("/res/v1/summarizer/summary")
async def summarizer_proxy(key: str = Query(...)):
return {"summary": "Summary ready.", "status": "complete"}
if __name__ == "__main__":
logger.info(f"Starting brave-shim on {config['server']['host']}:{config['server']['port']}")
uvicorn.run(
app,
host=config['server']['host'],
port=config['server']['port'],
access_log=False,
log_level="critical"
)
PY
cat > $out/bin/brave-shim <<EOF
#!${pkgs.bash}/bin/bash
set -euo pipefail
export BRAVE_SHIM_CONF=\"\
s h\
\"
EOF
# simpler wrapper (avoid quoting bugs)
cat > $out/bin/brave-shim <<EOF
#!${pkgs.bash}/bin/bash
set -euo pipefail
export BRAVE_SHIM_CONF="''${BRAVE_SHIM_CONF:-$out/share/brave-shim/brave_shim.conf}"
exec ${pythonEnv}/bin/python $out/share/brave-shim/brave_shim.py
EOF
chmod +x $out/bin/brave-shim
'';
}

21
hosts/server/slop/brave.nix Normal file
View File

@@ -0,0 +1,21 @@
{ pkgs, ... }:
let
braveShim = pkgs.callPackage ./brave-shim.nix { };
in
{
# Local Brave API shim as a user service
systemd.user.services.brave-shim = {
description = "Brave Search API shim (DDGS)";
wantedBy = [ "default.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${braveShim}/bin/brave-shim";
Restart = "always";
RestartSec = "3";
};
};
}

36
hosts/server/slop/gogcli.nix Normal file
View File

@@ -0,0 +1,36 @@
{
lib,
buildGo125Module,
fetchFromGitHub,
}:
buildGo125Module rec {
pname = "gogcli";
version = "0.11.0";
src = fetchFromGitHub {
owner = "steipete";
repo = "gogcli";
rev = "v${version}";
hash = "sha256-hJU40ysjRx4p9SWGmbhhpToYCpk3DcMAWCnKqxHRmh0=";
};
vendorHash = "sha256-WGRlv3UsK3SVBQySD7uZ8+FiRl03p0rzjBm9Se1iITs=";
subPackages = [ "cmd/gog" ];
ldflags = [
"-s"
"-w"
"-X github.com/steipete/gogcli/internal/cmd.version=${version}"
"-X github.com/steipete/gogcli/internal/cmd.commit=v${version}"
];
meta = with lib; {
description = "Google workspace CLI client";
homepage = "https://github.com/steipete/gogcli";
license = licenses.mit;
mainProgram = "gog";
platforms = platforms.linux ++ platforms.darwin;
};
}

1
hosts/server/slop/nix-openclaw Submodule

Submodule hosts/server/slop/nix-openclaw added at fbef208719

69
hosts/server/slop/openclaw.nix Normal file
View File

@@ -0,0 +1,69 @@
{
inputs,
pkgs,
...
}:
let
openclawPatched = inputs.openclaw.packages.${pkgs.system}.openclaw-gateway.overrideAttrs (old: {
installPhase =
old.installPhase
+ "\n"
+ ''
# Point Brave web-search endpoint to local shim.
# NOTE: upstream installPhase script does not run postInstall hooks,
# so patch directly at the end of installPhase.
if [ -d "$out/lib/openclaw/dist" ]; then
# Web-search tool hardcodes Brave endpoint in bundled JS.
# No runtime config option exists for Brave base URL in this OpenClaw version.
grep -RIl "https://api.search.brave.com" "$out/lib/openclaw/dist" | while read -r f; do
substituteInPlace "$f" \
--replace "https://api.search.brave.com/res/v1/web/search" "http://127.0.0.1:8000/res/v1/web/search" \
--replace "https://api.search.brave.com/res/v1/" "http://127.0.0.1:8000/res/v1/" \
--replace "https://api.search.brave.com/" "http://127.0.0.1:8000/" \
--replace "https://api.search.brave.com" "http://127.0.0.1:8000"
done
fi
'';
});
in
{
imports = [ inputs.openclaw.nixosModules.openclaw-gateway ];
users.users.openclaw = {
isSystemUser = false;
isNormalUser = true;
home = "/home/openclaw";
createHome = true;
group = "openclaw";
extraGroups = [ "docker" ];
shell = pkgs.bash;
description = "OpenClaw agent sandboxed user";
packages = [
openclawPatched
(pkgs.callPackage ./gogcli.nix { })
(pkgs.callPackage ./brave-shim.nix { })
pkgs.uv
pkgs.python3
];
};
users.groups.openclaw = { };
# Keep the openclaw user's systemd --user instance running so the gateway stays up.
# Using activation script because services.logind.lingerUsers isn't available in this release.
system.activationScripts.enableOpenclawLinger.text = ''
${pkgs.systemd}/bin/loginctl enable-linger openclaw || true
'';
# Run OpenClaw gateway as a NixOS system service under the dedicated user.
services.openclaw-gateway = {
enable = true;
package = openclawPatched;
createUser = false;
user = "openclaw";
group = "openclaw";
stateDir = "/home/openclaw/.local/share/openclaw";
};
}

9
hosts/server/slop/rocksky-cli.nix Normal file
View File

@@ -0,0 +1,9 @@
{ pkgs }:
pkgs.writeShellApplication {
name = "rocksky";
runtimeInputs = [ pkgs.bun ];
text = ''
exec ${pkgs.bun}/bin/bun x @rocksky/cli "$@"
'';
}

70
modules/force.nix
View File

@@ -1,38 +1,42 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
imports = [ imports = [
./nixos/bootloader.nix ./nixos/bootloader.nix
./nixos/hardware.nix ./nixos/hardware.nix
./nixos/i18n.nix ./nixos/i18n.nix
./nixos/network.nix ./nixos/network.nix
./nixos/nixpkgs.nix ./nixos/nixpkgs.nix
./nixos/nvidia.nix ./nixos/nvidia.nix
./nixos/programs.nix ./nixos/programs.nix
./stuff/nvim.nix ./stuff/nvim.nix
./stuff/zsh.nix ./stuff/zsh.nix
]; ];
environment.systemPackages = with pkgs; [ services.tailscale.enable = true;
tmux
gh environment.systemPackages = with pkgs; [
file tmux
glib gh
openssl file
nss glib
glibc openssl
nixfmt-rfc-style nss
killall glibc
deno kitty
bun nixfmt-rfc-style
imagemagick killall
unzip deno
libwebp bun
nix-direnv imagemagick
htop unzip
nixpkgs-fmt libwebp
nixd nix-direnv
ffmpeg-full htop
gnupg nixpkgs-fmt
]; nixd
ffmpeg-full
gnupg
codex
];
} }

13
modules/nixos/network.nix
View File

@@ -2,11 +2,14 @@
{ {
#! Disable default nameservers to prevent ISP espionage #! Disable default nameservers to prevent ISP espionage
networking.nameservers = [ "1.1.1.1" "1.0.0.1" ]; networking.nameservers = [
"1.1.1.1"
"1.0.0.1"
];
networking.hostName = "ralsei-pc"; networking.hostName = "kris-server";
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.resolvconf.enable = false; networking.resolvconf.enable = false;
} }

112
modules/nixos/nvidia.nix
View File

@@ -1,63 +1,75 @@
{ config, pkgs, lib, ... }: {
config,
pkgs,
lib,
...
}:
{ {
# options nvidia NVreg_PreserveVideoMemoryAllocations=1 # options nvidia NVreg_PreserveVideoMemoryAllocations=1
boot.extraModprobeConfig = '' boot.extraModprobeConfig = ''
options nvidia_drm modeset=1 fbdev=1 options nvidia_drm modeset=1 fbdev=1
''; '';
environment.variables = { environment.variables = {
LIBVA_DRIVER_NAME = "nvidia"; LIBVA_DRIVER_NAME = "nvidia";
GBM_BACKEND = "nvidia-drm"; GBM_BACKEND = "nvidia-drm";
__GLX_VENDOR_LIBRARY_NAME = "nvidia"; __GLX_VENDOR_LIBRARY_NAME = "nvidia";
NVD_BACKEND = "direct"; NVD_BACKEND = "direct";
EGL_PLATFORM = "wayland"; EGL_PLATFORM = "wayland";
VDPAU_DRIVER = "va_gl"; VDPAU_DRIVER = "va_gl";
WAYLAND_DISPLAY = "wayland-1"; WAYLAND_DISPLAY = "wayland-1";
DISPLAY = ":0"; DISPLAY = ":0";
XDG_CURRENT_DESKTOP = "Hyprland"; XDG_CURRENT_DESKTOP = "Hyprland";
MOZ_ENABLE_WAYLAND = "1"; # Enable Wayland for Firefox MOZ_ENABLE_WAYLAND = "1"; # Enable Wayland for Firefox
CHROMIUM_FLAGS = "--enable-features=UseOzonePlatform --ozone-platform=wayland --enable-gpu-rasterization --enable-zero-copy"; # Enable Wayland and hardware acceleration for Chromium CHROMIUM_FLAGS = "--enable-features=UseOzonePlatform --ozone-platform=wayland --enable-gpu-rasterization --enable-zero-copy"; # Enable Wayland and hardware acceleration for Chromium
}; };
environment.sessionVariables = { environment.sessionVariables = {
NIXOS_OZONE_WL = 1; NIXOS_OZONE_WL = 1;
LIBVA_DRIVER_NAME = "nvidia"; LIBVA_DRIVER_NAME = "nvidia";
GBM_BACKEND = "nvidia-drm"; GBM_BACKEND = "nvidia-drm";
__GLX_VENDOR_LIBRARY_NAME = "nvidia"; __GLX_VENDOR_LIBRARY_NAME = "nvidia";
NVD_BACKEND = "direct"; NVD_BACKEND = "direct";
EGL_PLATFORM = "wayland"; EGL_PLATFORM = "wayland";
}; };
# obs moment # obs moment
# nixpkgs.config.cudaSupport = true; # nixpkgs.config.cudaSupport = true;
hardware.graphics = { # hardware.graphics since NixOS 24.11 hardware.graphics = {
enable = true; # hardware.graphics since NixOS 24.11
# driSupport = true; enable = true;
extraPackages = with pkgs; [ # driSupport = true;
nvidia-vaapi-driver extraPackages = with pkgs; [
libvdpau-va-gl nvidia-vaapi-driver
vaapiVdpau libvdpau-va-gl
libvdpau libva-vdpau-driver
]; libvdpau
}; ];
};
hardware.nvidia = { hardware.nvidia = {
modesetting.enable = true; modesetting.enable = true;
powerManagement.enable = false; powerManagement.enable = false;
powerManagement.finegrained = false; powerManagement.finegrained = false;
open = true; open = true;
nvidiaSettings = true; nvidiaSettings = true;
package = config.boot.kernelPackages.nvidiaPackages.beta; package = config.boot.kernelPackages.nvidiaPackages.beta;
}; };
boot.kernelModules = [ "nvidia-uvm" "nvidia-drm" ]; boot.kernelModules = [
boot.blacklistedKernelModules = [ "nouveau" ]; "nvidia-uvm"
"nvidia-drm"
];
boot.blacklistedKernelModules = [ "nouveau" ];
boot.kernelParams = [ "nvidia-drm.modeset=1" "nvidia-drm.fbdev=1" ]; boot.kernelParams = [
"nvidia-drm.modeset=1"
"nvidia-drm.fbdev=1"
];
services.xserver.videoDrivers = ["nvidia"]; services.xserver.videoDrivers = [ "nvidia" ];
} }

6
modules/openclaw-docker-env.nix Normal file
View File

@@ -0,0 +1,6 @@
{ ... }:
{
environment.variables = {
DOCKER_HOST = "tcp://127.0.0.1:2375";
};
}

32
modules/openclaw-docker.nix Normal file
View File

@@ -0,0 +1,32 @@
{ pkgs, ... }:
{
virtualisation.oci-containers.containers.docker-socket-proxy = {
image = "tecnativa/docker-socket-proxy:latest";
autoStart = true;
volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
environment = {
CONTAINERS = "1";
IMAGES = "1";
NETWORKS = "1";
VOLUMES = "1";
INFO = "1";
POST = "1";
BUILD = "1";
COMMIT = "0";
CONFIGS = "0";
DISTRIBUTION = "0";
EXEC = "0";
GRPC = "0";
PLUGINS = "0";
SECRETS = "0";
SERVICES = "0";
SESSION = "0";
SWARM = "0";
SYSTEM = "0";
TASKS = "0";
AUTH = "0";
ALLOW_RESTARTS = "1";
};
ports = [ "127.0.0.1:2375:2375" ];
};
}

14
modules/openclaw-fs.nix Normal file
View File

@@ -0,0 +1,14 @@
{ ... }:
{
systemd.tmpfiles.rules = [
"d /private 0750 root root -"
"z /private/AT\x20Protocol 0700 root root -"
"z /private/cloudflared 0700 root root -"
"z /private/cloudflared.pem 0600 root root -"
"z /private/wafrn 0700 root root -"
"z /private/tangled.env 0600 root root -"
"z /private/vaultwarden 0700 root root -"
"d /private/zipline 0700 root root -"
"z /protected 0700 root root -"
];
}

17
modules/openclaw-sudo.nix Normal file
View File

@@ -0,0 +1,17 @@
{
security.sudo.extraRules = [
{
users = [ "openclaw" ];
commands = [
{
command = "/run/current-system/sw/bin/cat";
options = [ "NOPASSWD" ];
}
{
command = "/run/current-system/sw/bin/docker";
options = [ "NOPASSWD" ];
}
];
}
];
}

3
modules/openclaw-user.nix Normal file
View File

@@ -0,0 +1,3 @@
{ pkgs, ... }:
{
}

82
modules/openclaw-watchdog.nix Normal file
View File

@@ -0,0 +1,82 @@
{ pkgs, ... }:
{
systemd.services.openclaw-watchdog = {
description = "Post-rebuild health watchdog";
after = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "/etc/openclaw/nixos-rollback.sh check";
};
onFailure = [ "nixos-rollback.service" ];
};
systemd.services.nixos-rollback = {
description = "Autonomous NixOS rollback";
serviceConfig = {
Type = "oneshot";
ExecStart = "/etc/openclaw/nixos-rollback.sh rollback";
};
};
environment.etc."openclaw/nixos-rollback.sh" = {
mode = "0750";
text = ''
#!/usr/bin/env bash
set -euo pipefail
WEBHOOK="$(cat /run/secrets/discord-webhook 2>/dev/null || echo "")"
UNITS=("sshd" "docker" "bluesky-pds" "cloudflared" "zipline")
HOSTNAME="$(hostname)"
notify() {
[ -z "$WEBHOOK" ] && return
curl -s -X POST "$WEBHOOK" \
-H "Content-Type: application/json" \
-d "{\"content\": \"$1\"}"
}
check_units() {
for unit in "''${UNITS[@]}"; do
if ! systemctl is-active --quiet "$unit"; then
return 1
fi
done
return 0
}
check_ssh() {
timeout 5 bash -c 'echo > /dev/tcp/127.0.0.1/22' 2>/dev/null
}
do_check() {
for i in $(seq 1 6); do
sleep 10
if check_units && check_ssh; then
notify "**[$HOSTNAME] NixOS switch healthy** all units OK after rebuild."
exit 0
fi
done
exit 1
}
do_rollback() {
notify "**[$HOSTNAME] ROLLBACK TRIGGERED** health check failed. Rolling back..."
if nixos-rebuild switch --rollback; then
sleep 15
if check_units && check_ssh; then
notify "**[$HOSTNAME] Rollback successful** previous generation restored."
else
notify "**[$HOSTNAME] URGENT rollback also failed.** Manual intervention needed."
fi
else
notify "**[$HOSTNAME] URGENT rollback command failed.** Manual intervention needed."
fi
}
case "''${1:-check}" in
check) do_check ;;
rollback) do_rollback ;;
esac
'';
};
}

53
modules/stuff/zsh.nix
View File

@@ -1,28 +1,37 @@
{ config, inputs, pkgs, lib, ... }: {
config,
inputs,
pkgs,
lib,
...
}:
{ {
programs.direnv = { programs.direnv = {
enable = true; enable = true;
enableZshIntegration = true; enableZshIntegration = true;
}; };
programs.zsh = { programs.zsh = {
enable = true; enable = true;
autosuggestions.enable = true; autosuggestions.enable = true;
zsh-autoenv.enable = true; zsh-autoenv.enable = true;
syntaxHighlighting.enable = true; syntaxHighlighting.enable = true;
ohMyZsh = { ohMyZsh = {
enable = true; enable = true;
plugins = [ "git" "direnv" ]; plugins = [
theme = "robbyrussell"; "git"
}; "direnv"
shellAliases = { ];
# ultimate cpu killer 3000 theme = "robbyrussell";
nixrebuild = "sudo nixos-rebuild switch --flake .#default --impure --cores 20 -L --upgrade"; };
dangerous-nixrebuild-server = "sudo nixos-rebuild switch --flake .#server --impure --cores 4 -L --upgrade"; shellAliases = {
neofetch = "fastfetch"; # ultimate cpu killer 3000
}; nixrebuild = "sudo nixos-rebuild switch --flake .#default --impure --cores 20 -L --upgrade";
}; dangerous-nixrebuild-server = "sudo nixos-rebuild switch --flake /home/ocbwoy3/config#server --impure --cores 4 -L --upgrade";
neofetch = "fastfetch";
};
};
} }