Merge branch 'main' of tangled.org:did:plc:s7cesz7cr6ybltaryy4meb6y/nix

2026-03-28 00:09:54 +02:00
33 changed files with 1517 additions and 296 deletions

flake.lock generated

@@ -264,6 +264,42 @@
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_8"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_9"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
@@ -325,7 +361,7 @@
},
"gomod2nix": {
"inputs": {
"flake-utils": "flake-utils",
"flake-utils": "flake-utils_3",
"nixpkgs": [
"tangled",
"nixpkgs"
@@ -392,11 +428,11 @@
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1774626137,
"narHash": "sha256-1WelwA45Xm4glTG8R9IX9jYeFKDG2HbR79jAauLezUE=",
"lastModified": 1774647770,
"narHash": "sha256-UNNi14XiqRWWjO8ykbFwA5wRwx7EscsC+GItOVpuGjc=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "9df3a639007cfe0d074433f7fc225ea94f877d08",
"rev": "02371c05a04a2876cf92e2d67a259e8f87399068",
"type": "github"
},
"original": {
@@ -406,6 +442,27 @@
}
},
"home-manager_4": {
"inputs": {
"nixpkgs": [
"openclaw",
"nixpkgs"
]
},
"locked": {
"lastModified": 1767909183,
"narHash": "sha256-u/bcU0xePi5bgNoRsiqSIwaGBwDilKKFTz3g0hqOBAo=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "cd6e96d56ed4b2a779ac73a1227e0bb1519b3509",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_5": {
"inputs": {
"nixpkgs": [
"zen-browser",
@@ -1275,6 +1332,24 @@
"type": "github"
}
},
"nix-steipete-tools": {
"inputs": {
"nixpkgs": "nixpkgs_9"
},
"locked": {
"lastModified": 1773561580,
"narHash": "sha256-wT0bKTp45YnMkc4yXQvk943Zz/rksYiIjEXGdWzxnic=",
"owner": "openclaw",
"repo": "nix-steipete-tools",
"rev": "cd4c429ff3b3aaef9f92e59812cf2baf5704b86f",
"type": "github"
},
"original": {
"owner": "openclaw",
"repo": "nix-steipete-tools",
"type": "github"
}
},
"nixos-hardware": {
"locked": {
"lastModified": 1774567711,
@@ -1308,6 +1383,38 @@
}
},
"nixpkgs_10": {
"locked": {
"lastModified": 1767767207,
"narHash": "sha256-Mj3d3PfwltLmukFal5i3fFt27L6NiKXdBezC1EBuZs4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5912c1772a44e31bf1c63c0390b90501e5026886",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_11": {
"locked": {
"lastModified": 1771848320,
"narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "2fc6539b481e1d2569f25f8799236694180c0993",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_12": {
"locked": {
"lastModified": 1682134069,
"narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
@@ -1321,7 +1428,23 @@
"type": "indirect"
}
},
"nixpkgs_11": {
"nixpkgs_13": {
"locked": {
"lastModified": 1771419570,
"narHash": "sha256-bxAlQgre3pcQcaRUm/8A0v/X8d2nhfraWSFqVmMcBcU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6d41bc27aaf7b6a3ba6b169db3bd5d6159cfaa47",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_14": {
"locked": {
"lastModified": 1773389992,
"narHash": "sha256-wvfdLLWJ2I9oEpDd9PfMA8osfIZicoQ5MT1jIwNs9Tk=",
@@ -1448,16 +1571,16 @@
},
"nixpkgs_9": {
"locked": {
"lastModified": 1771848320,
"narHash": "sha256-0MAd+0mun3K/Ns8JATeHT1sX28faLII5hVLq0L3BdZU=",
"owner": "nixos",
"lastModified": 1767364772,
"narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "2fc6539b481e1d2569f25f8799236694180c0993",
"rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
@@ -1485,6 +1608,52 @@
"type": "github"
}
},
"openclaw": {
"inputs": {
"flake-utils": "flake-utils",
"home-manager": "home-manager_4",
"nix-steipete-tools": "nix-steipete-tools",
"nixpkgs": "nixpkgs_10"
},
"locked": {
"lastModified": 1773851886,
"narHash": "sha256-+3ygZuf5K8mtSGMMEZ/h+vxGvXCu1CmiB+531KMagH8=",
"owner": "openclaw",
"repo": "nix-openclaw",
"rev": "64d410666821866c565e048a4d07d6cf5d8e494e",
"type": "github"
},
"original": {
"owner": "openclaw",
"repo": "nix-openclaw",
"type": "github"
}
},
"pion-webrtc": {
"inputs": {
"flake-utils": [
"spacebar",
"flake-utils"
],
"nixpkgs": [
"spacebar",
"nixpkgs"
]
},
"locked": {
"lastModified": 1773624569,
"narHash": "sha256-CKfTu9nDD85yv7hHxCKl8tGv4R+/Yj44ANAwvqSO2q4=",
"owner": "spacebarchat",
"repo": "pion-webrtc",
"rev": "5382e83ccbb0305a91b9ae92eae2ee9f5ac39398",
"type": "github"
},
"original": {
"owner": "spacebarchat",
"repo": "pion-webrtc",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
@@ -1521,8 +1690,11 @@
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs_7",
"nvf": "nvf",
"openclaw": "openclaw",
"spacebar": "spacebar",
"tangled": "tangled",
"vscode-server": "vscode-server",
"wafrn": "wafrn",
"zen-browser": "zen-browser"
}
},
@@ -1564,6 +1736,28 @@
"type": "github"
}
},
"spacebar": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"pion-webrtc": "pion-webrtc"
},
"locked": {
"lastModified": 1774630159,
"narHash": "sha256-jWYPNoab9rqCM0Gb+RtTpXfrJ/g4XsnOoy2JwjWhSno=",
"owner": "spacebarchat",
"repo": "server",
"rev": "7c07c9b6fde0d539c5c3a6cf7afc022a9d3b7da6",
"type": "github"
},
"original": {
"owner": "spacebarchat",
"repo": "server",
"type": "github"
}
},
"sqlite-lib-src": {
"flake": false,
"locked": {
@@ -1683,6 +1877,36 @@
"type": "github"
}
},
"systems_8": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_9": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"tangled": {
"inputs": {
"actor-typeahead-src": "actor-typeahead-src",
@@ -1696,7 +1920,7 @@
"inter-fonts-src": "inter-fonts-src",
"lucide-src": "lucide-src",
"mermaid-src": "mermaid-src",
"nixpkgs": "nixpkgs_9",
"nixpkgs": "nixpkgs_11",
"sqlite-lib-src": "sqlite-lib-src"
},
"locked": {
@@ -1706,17 +1930,17 @@
"rev": "5a17af77bf13448e49a3b0b00cf93baa7821ce30",
"revCount": 2120,
"type": "git",
"url": "https://tangled.sh/@tangled.sh/core"
"url": "https://tangled.sh/tangled.sh/core"
},
"original": {
"type": "git",
"url": "https://tangled.sh/@tangled.sh/core"
"url": "https://tangled.sh/tangled.sh/core"
}
},
"vscode-server": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_10"
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_12"
},
"locked": {
"lastModified": 1770124655,
@@ -1732,6 +1956,42 @@
"type": "github"
}
},
"wafrn": {
"inputs": {
"nixpkgs": "nixpkgs_13",
"wafrn-src": "wafrn-src"
},
"locked": {
"lastModified": 1771530828,
"narHash": "sha256-U9gTyZILNGjK4kbSKsR6xPGFV/sjvzDFRreDXWyg5hE=",
"ref": "refs/heads/main",
"rev": "715d83e0a1730b2bb4e649941863ed67d964ad65",
"revCount": 11,
"type": "git",
"url": "https://git.ocbwoy3.dev/kris/wafrn-nix"
},
"original": {
"type": "git",
"url": "https://git.ocbwoy3.dev/kris/wafrn-nix"
}
},
"wafrn-src": {
"flake": false,
"locked": {
"lastModified": 1770394446,
"narHash": "sha256-yUGn0HjwEDJOLlwcNP+ZfCjU04x9Y6PkmeahdcEP23A=",
"ref": "main",
"rev": "01e89d8fd0ba56d5781e4671a54531563d1a46c6",
"revCount": 6083,
"type": "git",
"url": "https://codeberg.org/wafrn/wafrn"
},
"original": {
"ref": "main",
"type": "git",
"url": "https://codeberg.org/wafrn/wafrn"
}
},
"xdph": {
"inputs": {
"hyprland-protocols": [
@@ -1775,8 +2035,8 @@
},
"zen-browser": {
"inputs": {
"home-manager": "home-manager_4",
"nixpkgs": "nixpkgs_11"
"home-manager": "home-manager_5",
"nixpkgs": "nixpkgs_14"
},
"locked": {
"lastModified": 1774605342,


@@ -24,16 +24,17 @@
nvf.url = "github:notashelf/nvf";
# Extras
tangled.url = "git+https://tangled.sh/@tangled.sh/core";
tangled.url = "git+https://tangled.sh/tangled.sh/core";
wafrn.url = "git+https://git.ocbwoy3.dev/kris/wafrn-nix";
vscode-server.url = "github:nix-community/nixos-vscode-server";
spacebar = {
url = "github:spacebarchat/server";
inputs.nixpkgs.follows = "nixpkgs";
};
# Required by NixOS:
# ./hardware-configuration.nix
# inputs.home-manager.nixosModules.default
# catppuccin.nixosModules.catppuccin
# nix-flatpak.nixosModules.nix-flatpak
# slop
openclaw.url = "github:openclaw/nix-openclaw";
};
outputs = { self, nixpkgs, ... }@inputs: {
nixosConfigurations.default = nixpkgs.lib.nixosSystem {
@@ -41,22 +42,17 @@
inherit inputs;
};
modules = [
# inputs.nixos-hardware.nixosModules.common-gpu-nvidia
inputs.home-manager.nixosModules.default
inputs.catppuccin.nixosModules.catppuccin
inputs.nix-flatpak.nixosModules.nix-flatpak
# inputs.chaotic.nixosModules.default
inputs.chaotic.nixosModules.nyx-cache
inputs.chaotic.nixosModules.nyx-overlay
inputs.chaotic.nixosModules.nyx-registry
# ./hosts/default/hardware-configuration.nix
# lil hack to not use --impure when rebuilding nixos >:3
"/etc/nixos/hardware-configuration.nix"
./hosts/default/configuration.nix
];
};
nixosConfigurations.server = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs;
@@ -64,19 +60,23 @@
modules = [
inputs.catppuccin.nixosModules.catppuccin
inputs.tangled.nixosModules.knot
inputs.wafrn.nixosModules.default
inputs.tangled.nixosModules.spindle
inputs.vscode-server.nixosModules.default
inputs.chaotic.nixosModules.nyx-cache
inputs.chaotic.nixosModules.nyx-overlay
inputs.chaotic.nixosModules.nyx-registry
# lil hack to not use --impure when rebuilding nixos >:3
"/etc/nixos/hardware-configuration.nix"
./modules/openclaw-user.nix
./modules/openclaw-sudo.nix
./modules/openclaw-fs.nix
./modules/openclaw-docker.nix
./modules/openclaw-docker-env.nix
./modules/openclaw-watchdog.nix
./hosts/server/configuration.nix
./hosts/server/hardware-configuration.nix
];
};
nixosConfigurations.fix_nixpkgs = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit inputs;
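Review bot: `wafrn.url = "git+https://git.ocbwoy3.dev/kris/wafrn-nix"` fetches a flake input from the Gitea instance that this same commit deploys on the server (`DOMAIN = "git.ocbwoy3.dev"` in the new gitea module), so a rebuild of the server after a Gitea or tunnel outage cannot fetch its own inputs unless the store still holds them. Mirroring wafrn-nix to a forge that does not run on this host would break that bootstrap loop. The `spacebar` input already has `inputs.nixpkgs.follows = "nixpkgs"`, while `wafrn` and `openclaw` bring their own `nixpkgs_13` / `nixpkgs_10` into flake.lock; if their modules build against the shared nixpkgs, the same `follows` on those two would drop the extra nixpkgs copies.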


@@ -1,14 +1,12 @@
{ inputs, config, pkgs, lib, ... }:
{
fonts.packages = with pkgs; [
noto-fonts
noto-fonts-cjk-sans
noto-fonts-emoji
monaspace
geist-font
# nerdfonts
nerd-fonts.geist-mono
nerd-fonts.monaspace
nerd-fonts.symbols-only
@@ -19,37 +17,36 @@
environment.sessionVariables.LD_LIBRARY_PATH = "${pkgs.gcc15}/lib";
security.polkit = {
enable = true;
};
security.polkit.enable = true;
security.soteria.enable = true;
# surely they should add programs.discord!!
environment.systemPackages = with pkgs; [
mosh
(discord.override {
withEquicord = true;
})
# hyprland stuff
inputs.hyprlock.packages.${pkgs.stdenv.hostPlatform.system}.hyprlock
inputs.hyprsysteminfo.packages.${pkgs.stdenv.hostPlatform.system}.hyprsysteminfo
# minecraft
qemu
(writeShellScriptBin "qemu-system-x86_64-uefi" ''
qemu-system-x86_64 \
-bios ${OVMF.fd}/FV/OVMF.fd \
"$@"
'')
(writeShellScriptBin "regretevator" ''xdg-open roblox://placeId=4972273297'')
(writeShellScriptBin "kaijuparadise" ''xdg-open roblox://placeId=6456351776'')
(writeShellScriptBin "sewh" ''xdg-open roblox://placeId=16991287194'')
(writeShellScriptBin "regretevator" "xdg-open roblox://placeId=4972273297")
(writeShellScriptBin "kaijuparadise" "xdg-open roblox://placeId=6456351776")
(writeShellScriptBin "sewh" "xdg-open roblox://placeId=16991287194")
(writeShellScriptBin "fix-gtk" ''${inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland}/bin/hyprctl dispatch exec "${pkgs.xdg-desktop-portal-gtk}/libexec/xdg-desktop-portal-gtk -r"'')
(writeShellScriptBin "fix-gtk" ''${
inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland
}/bin/hyprctl dispatch exec "${pkgs.xdg-desktop-portal-gtk}/libexec/xdg-desktop-portal-gtk -r"'')
(callPackage ./apps/wl-shimeji.nix {})
(writeShellScriptBin "stop-shimejis" ''${inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland}/bin/hyprctl dispatch exec "shimejictl stop"'')
# (writeShellScriptBin "partynoob" ''shimejictl summon PartyNoob'')
(writeShellScriptBin "stop-shimejis" ''${
inputs.hyprland.packages.${pkgs.stdenv.hostPlatform.system}.hyprland
}/bin/hyprctl dispatch exec "shimejictl stop"'')
quickshell
kdePackages.qtdeclarative
catppuccin-gtk
@@ -58,7 +55,6 @@
catppuccin-catwalk
catppuccin-whiskers
mission-center
# nvtopPackages.full
libxkbcommon
ffmpeg-full
gnupg
@@ -92,7 +88,6 @@
pypresence
pygobject3
]))
# wrangler
fontforge
xclip
gamescope
@@ -122,17 +117,14 @@
playerctl
mangohud
jq
github-cli
file
nwg-look
# rhythmbox
hyprpolkitagent
# important
glib
openssl
nss
glibc # C LIBRARY DO NOT REMOVE VERY IMPORTANT
glibc
gobject-introspection
gimp3
mpv
@@ -140,9 +132,6 @@
kdePackages.kdialog
(writeShellScriptBin "roblox-studio-patcher" ''${pkgs.bun}/bin/bun run /etc/nixos/scripts/bin/patchInternalRobloxStudio.ts'')
# firefox-devedition
(writeShellScriptBin "roblox-studio-patcher" "${pkgs.bun}/bin/bun run /etc/nixos/scripts/bin/patchInternalRobloxStudio.ts")
];
}


@@ -1,11 +1,64 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
mkUserService = pkgs.writeShellScriptBin "mk-user-service" ''
set -euo pipefail
if [ "$#" -lt 2 ]; then
echo "Usage: mk-user-service <name> <exec command...>" >&2
exit 1
fi
name="$1"
shift
unitDir="''${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"
unitFile="$unitDir/$name.service"
mkdir -p "$unitDir"
if [ -e "$unitFile" ]; then
echo "Refusing to overwrite existing unit: $unitFile" >&2
exit 2
fi
cat > "$unitFile" <<EOF
[Unit]
Description=$name
[Service]
Type=simple
ExecStart=$*
Restart=on-failure
RestartSec=2
[Install]
WantedBy=default.target
EOF
echo "Created $unitFile"
echo "Next steps:"
echo " systemctl --user daemon-reload"
echo " systemctl --user enable --now $name.service"
'';
in
{
imports = [
./modules/atproto-pds.nix
./modules/wafrn.nix
./modules/cloudflare.nix
./modules/tangled.nix
../../modules/force.nix
./modules/gitea.nix
./modules/vaultwarden.nix
./modules/zipline.nix
./slop/openclaw.nix
./slop/brave.nix
];
# gcc. shit breaks. wtf
@@ -13,30 +66,11 @@
services.vscode-server.enable = true;
systemd.services.ocbwoy3-start-pm2 = {
enable = true;
description = "Start PM2";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "forking";
User = "ocbwoy3";
LimitNOFILE = "infinity";
LimitNPROC = "infinity";
LimitCORE = "infinity";
Environment = "PM2_HOME=/home/ocbwoy3/.pm2";
PIDFile = "/home/ocbwoy3/.pm2/pm2.pid";
Restart = "on-failure";
ExecStart = "${pkgs.pm2}/bin/pm2 resurrect";
ExecReload = "${pkgs.pm2}/bin/pm2 reload all";
ExecStop = "${pkgs.pm2}/bin/pm2 kill";
};
};
services.openssh.settings = {
services.openssh.settings = lib.mkDefault {
PubkeyAuthentication = "yes";
TrustedUserCAKeys = "/etc/ssh/ca.pub";
PermitRootLogin = lib.mkDefault "prohibit-password";
KbdInteractiveAuthentication = lib.mkDefault false;
};
services.openssh = {
@@ -44,20 +78,113 @@
};
environment.systemPackages = with pkgs; [
mosh
fastfetch
hyfetch
pm2
bash
jdk
steam-run
opencode
bun
nodejs
node-gyp
playwright
chromium
brave
(pkgs.callPackage ./slop/rocksky-cli.nix { })
];
users.users.ocbwoy3 = {
initialPassword = "thisisapassword42069!"; # not the type passwords i use
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" ];
extraGroups = [
"wheel"
"networkmanager"
"docker"
];
shell = pkgs.zsh;
};
virtualisation.docker.enable = true;
users.users.kris = {
initialPassword = "thisisapassword42069!";
isNormalUser = true;
extraGroups = [
"wheel"
"networkmanager"
"docker"
];
shell = pkgs.zsh;
packages = [
pkgs.mrpack-install
mkUserService
];
};
system.activationScripts.enableKrisLinger.text = ''
${pkgs.systemd}/bin/loginctl enable-linger kris || true
'';
nixpkgs.overlays = [
(final: prev: {
nixos-rebuild = prev.writeShellScriptBin "nixos-rebuild" ''
set -euo pipefail
action="''${1:-}"
case "$action" in
switch|boot|test|build|dry-activate)
needs_flake=1
;;
*)
needs_flake=0
;;
esac
has_flake=0
for arg in "$@"; do
case "$arg" in
--flake|--flake=*)
has_flake=1
break
;;
esac
done
if [ "$needs_flake" -eq 1 ] && [ "$has_flake" -eq 0 ]; then
cat >&2 <<'EOF'
🚨🚨🚨 WARNING: DANGEROUS SYSTEM REBUILD 🚨🚨🚨
This host is FLAKE-MANAGED. Do not attempt to rebuild the system from /etc/nixos.
Please ensure you are running THIS EXACT COMMAND inside /home/ocbwoy3/config:
sudo nixos-rebuild switch --flake /home/ocbwoy3/config#server --impure --cores 4 -L --upgrade
Aborting unsafe nixos-rebuild invocation.
EOF
exit 64
fi
exec ${prev.nixos-rebuild}/bin/nixos-rebuild "$@"
'';
})
];
virtualisation.docker = {
enable = true;
daemon.settings = {
"log-driver" = "local";
"log-opts" = {
"max-size" = "10m";
"max-file" = "3";
};
"live-restore" = true;
};
};
systemd.services.docker.serviceConfig = {
CPUQuota = "200%";
MemoryMax = "12G";
};
services.mongodb = {
enable = true;
@@ -69,14 +196,46 @@
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 443 3000 3001 8080 25565 ];
allowedUDPPorts = [ 22 443 3000 3001 8080 25565 ];
allowedTCPPorts = [
22
443
3000
3001
4067
8080
25565
];
allowedUDPPorts = [
22
443
3000
3001
4067
8080
25565
];
};
# Lock /etc/nixos to read-only mode (config lives in /home/ocbwoy3/config).
systemd.tmpfiles.rules = [
"z /etc/nixos 0555 root root - -"
];
# Force resolver config to Cloudflare only.
networking.nameservers = lib.mkForce [
"1.1.1.1"
"1.0.0.1"
];
environment.etc."resolv.conf".text = lib.mkForce ''
nameserver 1.1.1.1
nameserver 1.0.0.1
'';
catppuccin = {
enable = true;
flavor = "mocha";
accent = "blue";
gitea.enable = false;
};
system.stateVersion = "23.05"; # DO NOT TOUCH
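Review bot: The new `users.users.kris` account is created with `initialPassword = "thisisapassword42069!"` and placed in `wheel` and `docker`, which is root-equivalent, and the value sits in a public flake repository; `initialPassword` is only applied when the user is first created, so the account keeps that password until someone changes it by hand. Prefer `hashedPasswordFile = "/private/kris/password";` pointing at a root-only file outside the repo, in line with the `/private/...` secrets the wafrn and zipline modules use, or at least state the post-activation `passwd kris` step in a comment. The `nixos-rebuild` wrapper's quoted command still recommends `--impure`, while as far as this diff shows the server now imports `./hosts/server/hardware-configuration.nix` instead of the `/etc/nixos` string path that needed it, so dropping `--impure` from that message would keep the advice consistent with the change.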


@@ -0,0 +1,51 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/5ca305a1-d705-4c99-913c-a2d1c3447282";
fsType = "btrfs";
options = [ "subvol=root" ];
};
fileSystems."/home" =
{ device = "/dev/disk/by-uuid/5ca305a1-d705-4c99-913c-a2d1c3447282";
fsType = "btrfs";
options = [ "subvol=home" ];
};
fileSystems."/nix" =
{ device = "/dev/disk/by-uuid/5ca305a1-d705-4c99-913c-a2d1c3447282";
fsType = "btrfs";
options = [ "subvol=nix" ];
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/732D-084E";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
# swapDevices = [ { device = "/swap/swapfile"; } ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,62 @@
@favicon path /favicon.ico
handle @favicon {
root * /lib/system-utdr-assets
rewrite * /tenna.ico
header Content-Type "image/vnd.microsoft.icon" # <-- microslop
file_server
}
@root path /
handle @root {
header Content-Type "text/plain; charset=utf-8"
respond "
This is an AT Protocol Personal Data Server (aka, an atproto PDS)
Most API routes are under /xrpc/
Code: https://github.com/bluesky-social/atproto
Self-Host: https://github.com/bluesky-social/pds
Protocol: https://atproto.com
As foretold in the prophecy.
" 200
}
@robots path /robots.txt
handle @robots {
header Content-Type "text/plain; charset=utf-8"
respond "User-agent: *
Disallow: /
" 200
}
handle {
reverse_proxy localhost:3000 {
header_up Host castletown.darkworld.download
}
}


@@ -1,4 +1,13 @@
{ config, inputs, pkgs, ... }:
{
config,
inputs,
pkgs,
...
}:
let
systemUtdrAssets = pkgs.callPackage ./system-utdr-assets { };
in
{
@@ -13,14 +22,28 @@
settings = {
PDS_CRAWLERS = "https://bsky.network";
LOG_ENABLED = "true";
PDS_HOSTNAME = "pds.ocbwoy3.dev";
# PDS_VERSION = "\"ATProto PDS v69420\"";
PDS_HOSTNAME = "castletown.darkworld.download";
PDS_VERSION = "\"That feeling when Deltarune........ tomorrow! :3\"";
PDS_DID_PLC_URL = "https://plc.directory";
PDS_CONTACT_EMAIL_ADDRESS = "ocbwoy3@ocbwoy3.dev";
PDS_PRIVACY_POLICY_URL = "https://ocbwoy3.dev";
PDS_TERMS_OF_SERVICE_URL = "https://ocbwoy3.dev";
PDS_CONTACT_EMAIL_ADDRESS = "kris@darkworld.download";
# PDS_PRIVACY_POLICY_URL = "https://bsky.social/about/support/privacy-policy";
# PDS_TERMS_OF_SERVICE_URL = "https://bsky.social/about/support/tos";
PDS_ACCEPTING_REPO_IMPORTS = "true";
};
};
# Set host header to `localhost` in tunnel settings otherwise you'll end up wasting countless hours of your life
systemd.tmpfiles.rules = [
"L+ /lib/system-utdr-assets - - - - ${systemUtdrAssets}/lib/system-utdr-assets"
];
services.caddy = {
enable = true;
globalConfig = ''
auto_https off
'';
virtualHosts."localhost:80".extraConfig = builtins.readFile ./Caddyfile;
};
}
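Review bot: The Caddyfile is read verbatim via `builtins.readFile ./Caddyfile`, so the upstream hostname `castletown.darkworld.download` now lives in two places — `PDS_HOSTNAME` here and `header_up Host` in the Caddyfile — and the asset root only reaches Caddy through the `L+ /lib/system-utdr-assets` symlink created by tmpfiles. Templating the Caddyfile from this module keeps both in one spot, e.g. `extraConfig = builtins.replaceStrings [ "@host@" "@assets@" ] [ <PDS_HOSTNAME value> "${systemUtdrAssets}/lib/system-utdr-assets" ] (builtins.readFile ./Caddyfile);` with the two placeholders in the Caddyfile, after which the `/lib` symlink rule can be removed. The hostname move also comments out `PDS_PRIVACY_POLICY_URL` and `PDS_TERMS_OF_SERVICE_URL`; a one-line comment saying whether that is intentional would save the next reader a guess.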


@@ -1,4 +1,9 @@
{ config, inputs, pkgs, ... }:
{
config,
inputs,
pkgs,
...
}:
{


@@ -0,0 +1,34 @@
{
config,
pkgs,
lib,
...
}:
{
services.gitea = {
enable = true;
database = {
type = "postgres";
};
settings = {
server = {
DOMAIN = "git.ocbwoy3.dev";
ROOT_URL = "https://git.ocbwoy3.dev/";
HTTP_PORT = 2222;
DISABLE_SSH = true;
MAX_UPLOAD_FILE_SIZE = 5242880;
};
attachment = {
MAX_SIZE = 5; # MB (this is the one causing the 1024 KiB error)
};
service = {
DISABLE_REGISTRATION = true;
};
};
};
}
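Review bot: `services.gitea.settings.server` sets `HTTP_PORT = 2222` but not `HTTP_ADDR`, and as far as I recall the NixOS module defaults that to `0.0.0.0`, so Gitea listens on every interface even though the only intended ingress is cloudflared and 2222 is not in the firewall list; `HTTP_ADDR = "127.0.0.1";` makes the intent explicit and matches zipline's `CORE_HOSTNAME = "127.0.0.1"`. The same applies to the new vaultwarden module, where `ROCKET_ADDRESS` and `WEBSOCKET_ADDRESS` are `0.0.0.0` while the firewall entries for 8222 and 3012 are commented out in favour of cloudflared. `DISABLE_SSH = true` and `DISABLE_REGISTRATION = true` are the right defaults for a single-tenant instance.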


@@ -0,0 +1,21 @@
{ stdenvNoCC, lib }:
stdenvNoCC.mkDerivation {
pname = "system-utdr-assets";
version = "1.0.0";
src = ./.;
installPhase = ''
mkdir -p "$out/lib/system-utdr-assets"
cp "$src/tenna.ico" "$out/lib/system-utdr-assets/tenna.ico"
cp "$src/logo.png" "$out/lib/system-utdr-assets/logo.png"
cp "$src/favicon.png" "$out/lib/system-utdr-assets/favicon.png"
'';
meta = with lib; {
description = "System Undertale & Deltarune assets";
license = licenses.unfree;
maintainers = with maintainers; [ ];
};
}
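Review bot: `src = ./.;` copies the whole directory, including `default.nix` itself, into the store, so any edit to this file changes the derivation and the three images are re-copied for an unrelated reason. Listing what installPhase actually uses, e.g. `src = lib.fileset.toSource { root = ./.; fileset = lib.fileset.unions [ ./tenna.ico ./logo.png ./favicon.png ]; };`, restricts the input to the assets.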



@@ -1,7 +1,12 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
{
services.tangled-knot = {
services.tangled.knot = {
enable = true;
server = {
listenAddr = "0.0.0.0:3003";
@@ -10,7 +15,7 @@
};
};
services.tangled-spindle = {
services.tangled.spindle = {
enable = true;
server = {
listenAddr = "0.0.0.0:3004";


@@ -0,0 +1,44 @@
{
config,
pkgs,
lib,
...
}:
{
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
environmentFile = "/var/lib/vaultwarden/vaultwarden.env";
config = {
# Keep data alongside the secret env file so we can back it up together.
DATA_FOLDER = "/var/lib/vaultwarden/data";
PUSH_RELAY_URI = "https://api.bitwarden.eu";
PUSH_IDENTITY_URI = "https://identity.bitwarden.eu";
DOMAIN = "https://vault.ocbwoy3.dev";
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = 8222;
WEBSOCKET_ENABLED = true;
WEBSOCKET_ADDRESS = "0.0.0.0";
WEBSOCKET_PORT = 3012;
SIGNUPS_ALLOWED = false;
};
};
# Allow vaultwarden to write under /var/lib/vaultwarden and ensure the directories exist.
systemd.services.vaultwarden.serviceConfig = {
ReadWritePaths = [ "/var/lib/vaultwarden" ];
};
# Create parent/data directories with proper ownership before startup.
systemd.tmpfiles.rules = [
"d /var/lib/vaultwarden 0750 vaultwarden vaultwarden -"
"d /var/lib/vaultwarden/data 0750 vaultwarden vaultwarden -"
];
# cloudflared!!
# networking.firewall.allowedTCPPorts = [
# 8222
# 3012
# ];
}
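Review bot: `environmentFile = "/var/lib/vaultwarden/vaultwarden.env"` puts the file holding the deployment secrets inside the directory the service gets `ReadWritePaths` for and that tmpfiles chowns to the `vaultwarden` user, so the process can rewrite its own admin token and settings. The other new modules keep such files under `/private/<service>/` (wafrn `secretsFile`, zipline `environmentFiles`); doing the same here — `environmentFile = "/private/vaultwarden/vaultwarden.env";` with `ReadWritePaths` left on the data directory — keeps the secrets read-only from the service's point of view, and the `DATA_FOLDER` comment about backing both up together should then name both locations.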


@@ -0,0 +1,32 @@
{
config,
inputs,
pkgs,
...
}:
{
# DONT ENABLE YET!!
services.wafrn = {
enable = false;
stateDir = "/var/lib/wafrn";
secretsFile = "/private/wafrn/secrets.env";
caddyConfigDir = "/private/wafrn/caddy";
# cloudflared doesnt need https
httpPort = 6767;
httpsPort = null;
environment = {
DOMAIN_NAME = "cyberworld.darkworld.download";
CACHE_DOMAIN = "cyberworld-cache.darkworld.download";
MEDIA_DOMAIN = "cyberworld-media.darkworld.download";
FRONTEND_MEDIA_URL = "https://cyberworld-media.darkworld.download";
FRONTEND_CACHE_URL = "https://cyberworld-cache.darkworld.download/api/cache?media=";
FRONTEND_FQDN_URL = "https://cyberworld.darkworld.download";
ACME_EMAIL = "kris@darkworld.download";
};
};
}


@@ -0,0 +1,17 @@
{
config,
pkgs,
lib,
...
}:
{
services.zipline = {
enable = true;
environmentFiles = [ "/private/zipline/zipline.env" ];
settings = {
CORE_HOSTNAME = "127.0.0.1";
CORE_PORT = 3015;
};
};
}


@@ -0,0 +1,201 @@
{ pkgs }:
let
pythonEnv = pkgs.python3.withPackages (ps: with ps; [
fastapi
uvicorn
ddgs
pyyaml
]);
in
pkgs.stdenvNoCC.mkDerivation {
pname = "brave-shim";
version = "0.1.0";
dontUnpack = true;
installPhase = ''
mkdir -p $out/bin $out/share/brave-shim
cat > $out/share/brave-shim/brave_shim.conf <<'CONF'
server:
host: "127.0.0.1"
port: 8000
ssl:
use_custom_ca: false
ca_bundle_path: "/etc/ssl/certs/ca-certificates.crt"
verify_ssl: true
logging:
file_path: "/home/openclaw/.local/state/brave-shim/brave_shim.log"
level: "INFO"
bot_protection:
cache_expiration: 3600
min_delay: 1.0
max_delay: 2.5
search:
default_count: 10
local_count: 5
CONF
cat > $out/share/brave-shim/brave_shim.py <<'PY'
import time
import random
import yaml
import uvicorn
import logging
import os
import ssl
from fastapi import FastAPI, Query
from ddgs import DDGS
from pathlib import Path
config_path = Path(os.environ.get("BRAVE_SHIM_CONF", "brave_shim.conf"))
if not config_path.exists():
raise FileNotFoundError(f"Config not found: {config_path}")
with open(config_path, "r") as f:
config = yaml.safe_load(f)
os.makedirs(os.path.dirname(config["logging"]["file_path"]), exist_ok=True)
logging.basicConfig(
level=config['logging']['level'],
format="%(asctime)s [%(levelname)s] %(message)s",
handlers=[logging.FileHandler(config['logging']['file_path'])]
)
logger = logging.getLogger("brave_shim")
ssl_cfg = config.get('ssl', {})
verify_ssl = ssl_cfg.get('verify_ssl', True)
custom_ca_status = "System Default"
if ssl_cfg.get('use_custom_ca'):
ca_path = ssl_cfg['ca_bundle_path']
if os.path.exists(ca_path):
os.environ["SSL_CERT_FILE"] = ca_path
os.environ["REQUESTS_CA_BUNDLE"] = ca_path
os.environ["CURL_CA_BUNDLE"] = ca_path
if not verify_ssl:
ssl._create_default_https_context = ssl._create_unverified_context
custom_ca_status = f"Active (Verify=OFF, Path={ca_path})"
logger.warning("SSL verification disabled")
else:
try:
context = ssl.create_default_context(cafile=ca_path)
ssl._create_default_https_context = lambda: context
custom_ca_status = f"Active (Path={ca_path})"
except Exception as e:
logger.error(f"SSL bundle load error: {e}")
else:
logger.error(f"SSL CA bundle not found: {ca_path}")
custom_ca_status = "Error: File not found"
app = FastAPI(title="Brave Search API Shim", docs_url=None, redoc_url=None)
search_cache = {}
def get_from_cache(q):
expiration = config['bot_protection']['cache_expiration']
if q in search_cache:
timestamp, data = search_cache[q]
if time.time() - timestamp < expiration:
return data
return None
@app.get("/status")
async def health_check():
return {
"status": "online",
"cache_entries": len(search_cache),
"ssl_verify": verify_ssl,
"ca_bundle": custom_ca_status
}
@app.get("/res/v1/web/search")
async def search_proxy(q: str = Query(...), count: int = None):
res_count = count or config['search']['default_count']
cached_res = get_from_cache(q)
if cached_res:
logger.info(f"CACHE HIT: {q}")
return cached_res
time.sleep(random.uniform(config['bot_protection']['min_delay'], config['bot_protection']['max_delay']))
logger.info(f"FETCH WEB: {q}")
try:
with DDGS(verify=verify_ssl) as ddgs:
results = []
for r in ddgs.text(q, max_results=res_count):
results.append({
"title": r.get("title"),
"url": r.get("href"),
"description": r.get("body"),
"meta_url": {"path": r.get("href")}
})
response_data = {"web": {"results": results}}
search_cache[q] = (time.time(), response_data)
return response_data
except Exception as e:
logger.error(f"WEB search error for '{q}': {e}")
return {"web": {"results": []}, "error": str(e)}
@app.get("/res/v1/local/pois")
async def local_proxy(q: str = Query(...), count: int = None):
res_count = count or config['search']['local_count']
logger.info(f"FETCH LOCAL: {q}")
try:
with DDGS(verify=verify_ssl) as ddgs:
res = [
{
"id": str(i),
"name": r["title"],
"address": r["body"][:100],
"phone": "",
"coordinates": {"latitude": 0.0, "longitude": 0.0}
}
for i, r in enumerate(ddgs.text(f"place {q}", max_results=res_count))
]
return {"results": res}
except Exception as e:
logger.error(f"LOCAL search error for '{q}': {e}")
return {"results": []}
@app.get("/res/v1/local/descriptions")
async def local_descriptions(id: str = Query(...)):
return {"descriptions": {id: "Data from DDGS proxy."}}
@app.get("/res/v1/summarizer/summary")
async def summarizer_proxy(key: str = Query(...)):
return {"summary": "Summary ready.", "status": "complete"}
if __name__ == "__main__":
logger.info(f"Starting brave-shim on {config['server']['host']}:{config['server']['port']}")
uvicorn.run(
app,
host=config['server']['host'],
port=config['server']['port'],
access_log=False,
log_level="critical"
)
PY
cat > $out/bin/brave-shim <<EOF
#!${pkgs.bash}/bin/bash
set -euo pipefail
export BRAVE_SHIM_CONF=\"\
s h\
\"
EOF
# simpler wrapper (avoid quoting bugs)
cat > $out/bin/brave-shim <<EOF
#!${pkgs.bash}/bin/bash
set -euo pipefail
export BRAVE_SHIM_CONF="''${BRAVE_SHIM_CONF:-$out/share/brave-shim/brave_shim.conf}"
exec ${pythonEnv}/bin/python $out/share/brave-shim/brave_shim.py
EOF
chmod +x $out/bin/brave-shim
'';
}
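Review bot: The first `cat > $out/bin/brave-shim <<EOF` heredoc writes a malformed wrapper (`export BRAVE_SHIM_CONF=\"\ s h\ \"`) that the second heredoc immediately overwrites; the dead block and the `# simpler wrapper (avoid quoting bugs)` comment should be deleted so installPhase produces one wrapper. In the embedded Python, `search_proxy` and `local_proxy` are `async def` but call `time.sleep(random.uniform(...))` and the synchronous `DDGS` client, which blocks uvicorn's event loop for every concurrent request for the whole delay; declaring them as plain `def` (FastAPI then runs them in a worker thread) or using `await asyncio.sleep(...)` with the DDGS call offloaded fixes that. `search_cache` also only checks expiry on read and never evicts, so memory grows with each distinct query; a bounded cache or a purge in `get_from_cache` would keep a long-running shim flat.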


@@ -0,0 +1,21 @@
{ pkgs, ... }:
let
braveShim = pkgs.callPackage ./brave-shim.nix { };
in
{
# Local Brave API shim as a user service
systemd.user.services.brave-shim = {
description = "Brave Search API shim (DDGS)";
wantedBy = [ "default.target" ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${braveShim}/bin/brave-shim";
Restart = "always";
RestartSec = "3";
};
};
}
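Review bot: `systemd.user.services.brave-shim` is installed into every user's `systemd --user` instance on this host (ocbwoy3 and kris as well as openclaw), but the shim's config hardcodes `file_path: "/home/openclaw/.local/state/brave-shim/brave_shim.log"`, so in any other user's session `os.makedirs` fails and `Restart = "always"` with `RestartSec = "3"` turns that into a permanent restart loop, each attempt also trying to bind 127.0.0.1:8000. Scoping the unit to the intended account fixes it: `unitConfig.ConditionUser = "openclaw";`. If the shim only exists to serve the gateway, a system service running as the openclaw user next to `services.openclaw-gateway` would also remove the dependency on lingering.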


@@ -0,0 +1,36 @@
{
lib,
buildGo125Module,
fetchFromGitHub,
}:
buildGo125Module rec {
pname = "gogcli";
version = "0.11.0";
src = fetchFromGitHub {
owner = "steipete";
repo = "gogcli";
rev = "v${version}";
hash = "sha256-hJU40ysjRx4p9SWGmbhhpToYCpk3DcMAWCnKqxHRmh0=";
};
vendorHash = "sha256-WGRlv3UsK3SVBQySD7uZ8+FiRl03p0rzjBm9Se1iITs=";
subPackages = [ "cmd/gog" ];
ldflags = [
"-s"
"-w"
"-X github.com/steipete/gogcli/internal/cmd.version=${version}"
"-X github.com/steipete/gogcli/internal/cmd.commit=v${version}"
];
meta = with lib; {
description = "Google workspace CLI client";
homepage = "https://github.com/steipete/gogcli";
license = licenses.mit;
mainProgram = "gog";
platforms = platforms.linux ++ platforms.darwin;
};
}

Submodule hosts/server/slop/nix-openclaw added at fbef208719


@@ -0,0 +1,69 @@
{
inputs,
pkgs,
...
}:
let
openclawPatched = inputs.openclaw.packages.${pkgs.system}.openclaw-gateway.overrideAttrs (old: {
installPhase =
old.installPhase
+ "\n"
+ ''
# Point Brave web-search endpoint to local shim.
# NOTE: upstream installPhase script does not run postInstall hooks,
# so patch directly at the end of installPhase.
if [ -d "$out/lib/openclaw/dist" ]; then
# Web-search tool hardcodes Brave endpoint in bundled JS.
# No runtime config option exists for Brave base URL in this OpenClaw version.
grep -RIl "https://api.search.brave.com" "$out/lib/openclaw/dist" | while read -r f; do
substituteInPlace "$f" \
--replace "https://api.search.brave.com/res/v1/web/search" "http://127.0.0.1:8000/res/v1/web/search" \
--replace "https://api.search.brave.com/res/v1/" "http://127.0.0.1:8000/res/v1/" \
--replace "https://api.search.brave.com/" "http://127.0.0.1:8000/" \
--replace "https://api.search.brave.com" "http://127.0.0.1:8000"
done
fi
'';
});
in
{
imports = [ inputs.openclaw.nixosModules.openclaw-gateway ];
users.users.openclaw = {
isSystemUser = false;
isNormalUser = true;
home = "/home/openclaw";
createHome = true;
group = "openclaw";
extraGroups = [ "docker" ];
shell = pkgs.bash;
description = "OpenClaw agent sandboxed user";
packages = [
openclawPatched
(pkgs.callPackage ./gogcli.nix { })
(pkgs.callPackage ./brave-shim.nix { })
pkgs.uv
pkgs.python3
];
};
users.groups.openclaw = { };
# Keep the openclaw user's systemd --user instance running so the gateway stays up.
# Using activation script because services.logind.lingerUsers isn't available in this release.
system.activationScripts.enableOpenclawLinger.text = ''
${pkgs.systemd}/bin/loginctl enable-linger openclaw || true
'';
# Run OpenClaw gateway as a NixOS system service under the dedicated user.
services.openclaw-gateway = {
enable = true;
package = openclawPatched;
createUser = false;
user = "openclaw";
group = "openclaw";
stateDir = "/home/openclaw/.local/share/openclaw";
};
}
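Review bot: `extraGroups = [ "docker" ]` gives the "sandboxed" openclaw user direct access to the Docker socket, which nixpkgs documents as root-equivalent on the host, and it bypasses the filtered docker-socket-proxy on 127.0.0.1:2375 that `DOCKER_HOST` (modules/docker-socket-proxy.nix, the `DOCKER_HOST` module) is evidently meant to enforce; drop `docker` from `extraGroups` so the proxy is the only path. The `substituteInPlace --replace` calls in `installPhase` use the deprecated form that stays silent when a pattern no longer matches; switch to `--replace-fail` so an upstream change of the Brave endpoint breaks the build instead of silently sending searches to api.search.brave.com with the shim key. Also worth a comment on `users.users.openclaw`: the sudo rules in modules/openclaw-sudo.nix widen this account beyond what "sandboxed user" suggests.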


@@ -0,0 +1,9 @@
{ pkgs }:
pkgs.writeShellApplication {
name = "rocksky";
runtimeInputs = [ pkgs.bun ];
text = ''
exec ${pkgs.bun}/bin/bun x @rocksky/cli "$@"
'';
}
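Review bot: `bun x @rocksky/cli "$@"` resolves and runs whatever version of the package npm serves at invocation time, so this wrapper is a floating, network-fetched dependency executed with the caller's privileges. Pin it, e.g. `exec ${pkgs.bun}/bin/bun x @rocksky/cli@<PINNED_VERSION> "$@"` (placeholder), and note in a comment that the package is not part of the Nix closure. `runtimeInputs = [ pkgs.bun ]` is redundant with the absolute `${pkgs.bun}/bin/bun` path; keep one or the other.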


@@ -13,6 +13,8 @@
./stuff/zsh.nix
];
services.tailscale.enable = true;
environment.systemPackages = with pkgs; [
tmux
gh
@@ -21,6 +23,7 @@
openssl
nss
glibc
kitty
nixfmt-rfc-style
killall
deno
@@ -34,5 +37,6 @@
nixd
ffmpeg-full
gnupg
codex
];
}


@@ -3,9 +3,12 @@
{
#! Disable default nameservers to prevent ISP espionage
networking.nameservers = [ "1.1.1.1" "1.0.0.1" ];
networking.nameservers = [
"1.1.1.1"
"1.0.0.1"
];
networking.hostName = "ralsei-pc";
networking.hostName = "kris-server";
networking.networkmanager.enable = true;
networking.resolvconf.enable = false;


@@ -1,4 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}:
{
@@ -33,13 +38,14 @@
# obs moment
# nixpkgs.config.cudaSupport = true;
hardware.graphics = { # hardware.graphics since NixOS 24.11
hardware.graphics = {
# hardware.graphics since NixOS 24.11
enable = true;
# driSupport = true;
extraPackages = with pkgs; [
nvidia-vaapi-driver
libvdpau-va-gl
vaapiVdpau
libva-vdpau-driver
libvdpau
];
};
@@ -53,11 +59,17 @@
package = config.boot.kernelPackages.nvidiaPackages.beta;
};
boot.kernelModules = [ "nvidia-uvm" "nvidia-drm" ];
boot.kernelModules = [
"nvidia-uvm"
"nvidia-drm"
];
boot.blacklistedKernelModules = [ "nouveau" ];
boot.kernelParams = [ "nvidia-drm.modeset=1" "nvidia-drm.fbdev=1" ];
boot.kernelParams = [
"nvidia-drm.modeset=1"
"nvidia-drm.fbdev=1"
];
services.xserver.videoDrivers = ["nvidia"];
services.xserver.videoDrivers = [ "nvidia" ];
}


@@ -0,0 +1,6 @@
{ ... }:
{
environment.variables = {
DOCKER_HOST = "tcp://127.0.0.1:2375";
};
}
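Review bot: `environment.variables.DOCKER_HOST` is system-wide, so every user's docker CLI, including root's administrative sessions, is routed through the filtered proxy on 127.0.0.1:2375, where the proxy config denies EXEC, SYSTEM, SECRETS and the rest; routine admin commands will fail for no obvious reason. Scope the variable to the openclaw account instead (its shell profile or a home-manager session variable), and add `# Route the openclaw user's docker CLI through docker-socket-proxy; not for admins` so the intent survives. The value itself is plaintext TCP, which is acceptable only because the proxy binds loopback.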


@@ -0,0 +1,32 @@
{ pkgs, ... }:
{
virtualisation.oci-containers.containers.docker-socket-proxy = {
image = "tecnativa/docker-socket-proxy:latest";
autoStart = true;
volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
environment = {
CONTAINERS = "1";
IMAGES = "1";
NETWORKS = "1";
VOLUMES = "1";
INFO = "1";
POST = "1";
BUILD = "1";
COMMIT = "0";
CONFIGS = "0";
DISTRIBUTION = "0";
EXEC = "0";
GRPC = "0";
PLUGINS = "0";
SECRETS = "0";
SERVICES = "0";
SESSION = "0";
SWARM = "0";
SYSTEM = "0";
TASKS = "0";
AUTH = "0";
ALLOW_RESTARTS = "1";
};
ports = [ "127.0.0.1:2375:2375" ];
};
}
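Review bot: `image = "tecnativa/docker-socket-proxy:latest"` pins nothing for a component that sits in front of the Docker socket; pin a digest, e.g. `image = "tecnativa/docker-socket-proxy@sha256:<DIGEST>";` (placeholder), so a registry update cannot silently change what filters the socket. With `POST = "1"` together with `CONTAINERS = "1"` and `VOLUMES = "1"`, a client can still create containers with host bind mounts, which the proxy's own documentation describes as leaving the client effectively root on the host, so this configuration is a filtering convenience, not a privilege boundary; either set `POST = "0"` or record the accepted risk in a comment. The `ports` entry correctly binds loopback only.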

14
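--- a/modules/openclaw-fs.nix
+++ b/modules/openclaw-fs.nix
@@ -0,0 +1,14 @@
+{ ... }:
+{
+systemd.tmpfiles.rules = [
+"d /private 0750 root root -"
+"z /private/AT\x20Protocol 0700 root root -"
+"z /private/cloudflared 0700 root root -"
+"z /private/cloudflared.pem 0600 root root -"
+"z /private/wafrn 0700 root root -"
+"z /private/tangled.env 0600 root root -"
+"z /private/vaultwarden 0700 root root -"
+"d /private/zipline 0700 root root -"
+"z /protected 0700 root root -"
+];
+}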
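Review bot: `"z /private/AT\x20Protocol 0700 root root -"` does not reach tmpfiles as written: Nix strings have no `\x` hex escape, a backslash followed by an unknown character yields that character, so the rule evaluates to `z /private/ATx20Protocol ...` and the real directory is never tightened. Write `"z /private/AT\\x20Protocol 0700 root root -"` so tmpfiles receives the `\x20` it uses for a space. A short comment on the rule, `# \\x20 survives Nix escaping as \x20, which tmpfiles reads as a space`, would prevent the next cleanup from reverting it.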

17
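--- a/modules/openclaw-sudo.nix
+++ b/modules/openclaw-sudo.nix
@@ -0,0 +1,17 @@
+{
+security.sudo.extraRules = [
+{
+users = [ "openclaw" ];
+commands = [
+{
+command = "/run/current-system/sw/bin/cat";
+options = [ "NOPASSWD" ];
+}
+{
+command = "/run/current-system/sw/bin/docker";
+options = [ "NOPASSWD" ];
+}
+];
+}
+];
+}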
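Review bot: the `cat` rule carries no argument restriction, so with `NOPASSWD` the openclaw account reads any file as root, which makes the 0700/0600 fence that modules/openclaw-fs.nix builds around /private and /protected ineffective for this user. Restrict the rule to the specific paths the agent needs, e.g. `command = "/run/current-system/sw/bin/cat /var/log/<NEEDED_FILE>";` (placeholder), or give it a group/ACL on those files and drop the rule. The `docker` rule is equivalent to root as well and is also redundant with the user's `docker` group in openclaw.nix; keep at most one of the two, and prefer neither, given the socket proxy exists.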


@@ -0,0 +1,3 @@
{ pkgs, ... }:
{
}


@@ -0,0 +1,82 @@
{ pkgs, ... }:
{
systemd.services.openclaw-watchdog = {
description = "Post-rebuild health watchdog";
after = [ "network.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "/etc/openclaw/nixos-rollback.sh check";
};
onFailure = [ "nixos-rollback.service" ];
};
systemd.services.nixos-rollback = {
description = "Autonomous NixOS rollback";
serviceConfig = {
Type = "oneshot";
ExecStart = "/etc/openclaw/nixos-rollback.sh rollback";
};
};
environment.etc."openclaw/nixos-rollback.sh" = {
mode = "0750";
text = ''
#!/usr/bin/env bash
set -euo pipefail
WEBHOOK="$(cat /run/secrets/discord-webhook 2>/dev/null || echo "")"
UNITS=("sshd" "docker" "bluesky-pds" "cloudflared" "zipline")
HOSTNAME="$(hostname)"
notify() {
[ -z "$WEBHOOK" ] && return
curl -s -X POST "$WEBHOOK" \
-H "Content-Type: application/json" \
-d "{\"content\": \"$1\"}"
}
check_units() {
for unit in "''${UNITS[@]}"; do
if ! systemctl is-active --quiet "$unit"; then
return 1
fi
done
return 0
}
check_ssh() {
timeout 5 bash -c 'echo > /dev/tcp/127.0.0.1/22' 2>/dev/null
}
do_check() {
for i in $(seq 1 6); do
sleep 10
if check_units && check_ssh; then
notify "**[$HOSTNAME] NixOS switch healthy** all units OK after rebuild."
exit 0
fi
done
exit 1
}
do_rollback() {
notify "**[$HOSTNAME] ROLLBACK TRIGGERED** health check failed. Rolling back..."
if nixos-rebuild switch --rollback; then
sleep 15
if check_units && check_ssh; then
notify "**[$HOSTNAME] Rollback successful** previous generation restored."
else
notify "**[$HOSTNAME] URGENT rollback also failed.** Manual intervention needed."
fi
else
notify "**[$HOSTNAME] URGENT rollback command failed.** Manual intervention needed."
fi
}
case "''${1:-check}" in
check) do_check ;;
rollback) do_rollback ;;
esac
'';
};
}
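Review bot: neither unit sets `path`, and a NixOS system service only gets a minimal default PATH, so `curl` in `notify` and `nixos-rebuild` in `do_rollback` (and probably `hostname`) are not found; under `set -euo pipefail` the failing `curl` aborts `do_check` before `exit 0`, so a perfectly healthy rebuild is reported as failed and `onFailure` kicks off the rollback. Add `path = [ pkgs.curl pkgs.nixos-rebuild pkgs.nettools ];` to both services (or use `${pkgs.curl}/bin/curl` in the script) and make the webhook call best-effort, `curl -fsS ... || true`, so a Discord outage cannot flip the health verdict. The request body is built by interpolating `$1` into a JSON string; `jq -n --arg c "$1" '{content:$c}'` escapes it properly if jq is added to `path`.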


@@ -1,4 +1,10 @@
{ config, inputs, pkgs, lib, ... }:
{
config,
inputs,
pkgs,
lib,
...
}:
{
@@ -14,13 +20,16 @@
syntaxHighlighting.enable = true;
ohMyZsh = {
enable = true;
plugins = [ "git" "direnv" ];
plugins = [
"git"
"direnv"
];
theme = "robbyrussell";
};
shellAliases = {
# ultimate cpu killer 3000
nixrebuild = "sudo nixos-rebuild switch --flake .#default --impure --cores 20 -L --upgrade";
dangerous-nixrebuild-server = "sudo nixos-rebuild switch --flake .#server --impure --cores 4 -L --upgrade";
dangerous-nixrebuild-server = "sudo nixos-rebuild switch --flake /home/ocbwoy3/config#server --impure --cores 4 -L --upgrade";
neofetch = "fastfetch";
};
};
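Review bot: the new `dangerous-nixrebuild-server` alias hardcodes `/home/ocbwoy3/config#server`, so the alias breaks for any other account and silently rebuilds from that one checkout regardless of the caller's working tree, while `--impure` remains in place; a comment like `# server alias is pinned to ocbwoy3's checkout on purpose` would make that intent explicit if it is deliberate. The alias is added alongside the removed `.#server` form, so the old relative-path behaviour is gone rather than kept as a fallback.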