ringofstorms/dotfiles
ringofstorms/dotfiles
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'master' of ssh://git.joshuabell.xyz:3032/ringofstorms/dotfiles

Browse source
This commit is contained in:
RingOfStorms (Joshua Bell) 2025-11-09 23:54:08 -06:00
commit 023f3b5e18
23 changed files with 549 additions and 848 deletions
Download patch file Download diff file Expand all files Collapse all files

3
flakes/common/hm_modules/de_i3/default.nix
View file

@ -1,4 +1,5 @@
{ ... }: { ... }:
{ {
imports = [ ./i3.nix ./polybar.nix ]; imports = [ ./i3.nix ./polybar.nix ./theme.nix ];
} }

6
flakes/common/hm_modules/de_i3/i3.nix
View file

@ -9,6 +9,12 @@
default_border pixel 1 default_border pixel 1
default_floating_border pixel 1 default_floating_border pixel 1
floating_modifier Mod4 floating_modifier Mod4
# Dark mode colors
client.focused #2e3440 #4c566a #eceff4 #4c566a #2e3440
client.unfocused #2e3440 #2e3440 #d8dee9 #2e3440 #2e3440
client.focused_inactive #2e3440 #3b4252 #e5e9f0 #3b4252 #2e3440
client.urgent #2e3440 #bf616a #eceff4 #bf616a #2e3440
''; '';
config = rec { config = rec {
modifier = "Mod4"; modifier = "Mod4";

27
flakes/common/hm_modules/de_i3/theme.nix Normal file
View file

@ -0,0 +1,27 @@
{ pkgs, ... }:
{
home.pointerCursor = {
gtk.enable = true;
x11.enable = true;
package = pkgs.bibata-cursors;
name = "Bibata-Modern-Classic";
size = 14;
};
# Ensure all X11 apps see the same cursor settings
xresources.properties = {
"Xcursor.theme" = "Bibata-Modern-Classic";
"Xcursor.size" = 14;
};
home.sessionVariables = {
XCURSOR_THEME = "Bibata-Modern-Classic";
XCURSOR_SIZE = "14";
};
gtk = {
enable = true;
theme = { package = pkgs.flat-remix-gtk; name = "Flat-Remix-GTK-Grey-Darkest"; };
iconTheme = { package = pkgs.adwaita-icon-theme; name = "Adwaita"; };
font = { name = "Sans"; size = 11; };
};
}

2
flakes/common/hm_modules/launcher_rofi.nix
View file

@ -10,7 +10,7 @@
modi = "drun,run,ssh,window,calc"; modi = "drun,run,ssh,window,calc";
terminal = "alacritty"; terminal = "alacritty";
}; };
theme = "glue_pro_blue"; theme = "Arc-Dark";
}; };
programs.wofi = { programs.wofi = {
enable = true; enable = true;

5
flakes/common/hm_modules/ssh.nix
View file

@ -129,6 +129,11 @@ in
user = "luser"; user = "luser";
}; };
"h003" = lib.mkIf (hasSecret "nix2h003") { "h003" = lib.mkIf (hasSecret "nix2h003") {
identityFile = age.secrets.nix2h003.path;
hostname = "10.12.14.1";
user = "luser";
};
"h003_" = lib.mkIf (hasSecret "nix2h003") {
identityFile = age.secrets.nix2h003.path; identityFile = age.secrets.nix2h003.path;
user = "luser"; user = "luser";
}; };

1
flakes/common/nix_modules/de_i3.nix
View file

@ -24,6 +24,7 @@
dmenu dmenu
maim maim
xclip xclip
xfce.thunar
]; ];
}; };
displayManager = { displayManager = {

1
flakes/common/nix_modules/essentials/default.nix
View file

@ -53,5 +53,6 @@ with lib;
environment.shellInit = lib.concatStringsSep "\n\n" [ environment.shellInit = lib.concatStringsSep "\n\n" [
(builtins.readFile ./unix_utils.func.sh) (builtins.readFile ./unix_utils.func.sh)
(builtins.readFile ./nixpkg.func.sh) (builtins.readFile ./nixpkg.func.sh)
(builtins.readFile ./envrc-import.func.sh)
]; ];
} }

51
flakes/common/nix_modules/essentials/envrc-import.func.sh Normal file
View file

@ -0,0 +1,51 @@
# Function to import a .envrc from a central repository of flake wrappers
# It finds all subdirectories in a configured path that contain a .envrc file,
# lets you choose one with fzf, and appends its content to the local .envrc.
envrc() {
# --- CONFIGURATION ---
# Set this to the path where your flake wrapper projects are stored.
local FLAKE_WRAPPERS_DIR="$HOME/projects/flake_wrappers"
# Check if the source directory exists
if [ ! -d "$FLAKE_WRAPPERS_DIR" ]; then
echo "Error: Directory not found: $FLAKE_WRAPPERS_DIR" >&2
echo "Please configure the FLAKE_WRAPPERS_DIR variable in the import_envrc function." >&2
return 1
fi
# Find all subdirectories that contain a .envrc file.
# -mindepth 1 and -maxdepth 1 ensure we only search the immediate children.
# The `-exec test -f {}/.envrc \;` part checks for the existence of the file.
# We use `fzf` to create an interactive menu.
# The --preview shows the content of the .envrc file for the highlighted entry.
# `bat` is used for preview if available, otherwise it falls back to `cat`.
local selected_dir=$(find "$FLAKE_WRAPPERS_DIR" -mindepth 1 -maxdepth 1 -type d -exec test -f {}/.envrc \; -print | \
fzf --prompt="Select a Flake Wrapper to import > " \
--header="[CTRL-C or ESC to quit]" \
--preview="([[ -x \"$(command -v bat)\" ]] && bat --color=always --plain {}/.envrc) || cat {}/.envrc" \
--preview-window="right:60%:wrap")
# If the user pressed ESC or CTRL-C, fzf returns an empty string.
# The `[ -z "$selected_dir" ]` check handles this case.
if [ -z "$selected_dir" ]; then
echo "No selection made. Operation cancelled."
return 1
fi
local source_envrc="$selected_dir/.envrc"
# Check if the selected .envrc file is readable
if [ ! -r "$source_envrc" ]; then
echo "Error: Cannot read file: $source_envrc" >&2
return 1
fi
# Append the contents of the selected .envrc to the local .envrc file.
# The `>>` operator will create the file if it doesn't exist, or append if it does.
# We add a newline before appending to ensure separation if the local file doesn't end with one.
printf "\n# Imported from %s\n" "$source_envrc" >> ./.envrc
cat "$source_envrc" >> ./.envrc
echo "✅ Successfully appended '$source_envrc' to the local .envrc file."
ndr
}

4
hosts/h001/configuration.nix
View file

@ -1,4 +0,0 @@
{ ... }:
{
system.stateVersion = "24.11"; # Did you read the comment?
}

844
hosts/h001/flake.lock generated
View file

File diff suppressed because it is too large Load diff

144
hosts/h001/flake.nix
View file

@ -1,15 +1,20 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
home-manager.url = "github:rycee/home-manager/release-25.05";
# nixpkgs-unstable.url = "github:wrvsrx/nixpkgs/fix-open-webui"; # nixpkgs-unstable.url = "github:wrvsrx/nixpkgs/fix-open-webui";
open-webui-nixpkgs.url = "github:nixos/nixpkgs/e9f00bd893984bc8ce46c895c3bf7cac95331127"; open-webui-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
litellm-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; litellm-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
trilium-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; trilium-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
oauth2-proxy-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; oauth2-proxy-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
pinchflat-nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
# Use relative to get current version for testing # Use relative to get current version for testing
# common.url = "path:../../common"; # common.url = "path:../../flakes/common";
common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles"; common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
# secrets.url = "path:../../flakes/secrets";
secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets";
ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim"; ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
@ -19,93 +24,110 @@
outputs = outputs =
{ {
nixpkgs, nixpkgs,
home-manager,
common, common,
secrets,
ros_neovim, ros_neovim,
nixarr, nixarr,
... ...
}@inputs: }@inputs:
let let
configuration_name = "h001"; configuration_name = "h001";
system = "x86_64-linux";
stateVersion = "24.11";
primaryUser = "luser";
lib = nixpkgs.lib; lib = nixpkgs.lib;
in in
{ {
nixosConfigurations = { nixosConfigurations = {
"${configuration_name}" = ( "${configuration_name}" = (
lib.nixosSystem { lib.nixosSystem {
inherit system;
specialArgs = { specialArgs = {
inherit inputs; inherit inputs;
}; };
modules = [ modules = [
common.nixosModules.default home-manager.nixosModules.default
secrets.nixosModules.default
ros_neovim.nixosModules.default ros_neovim.nixosModules.default
common.nixosModules.essentials
common.nixosModules.git
common.nixosModules.boot_systemd
common.nixosModules.hardening
common.nixosModules.nix_options
common.nixosModules.podman
common.nixosModules.tailnet
common.nixosModules.timezone_auto
common.nixosModules.tty_caps_esc
common.nixosModules.zsh
nixarr.nixosModules.default nixarr.nixosModules.default
./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix
./mods ./mods
./nginx.nix ./nginx.nix
./containers ./containers
( (
{ config, pkgs, ... }: { config, pkgs, ... }:
{ rec {
# Home Manager
home-manager = {
useUserPackages = true;
useGlobalPkgs = true;
backupFileExtension = "bak";
# add all normal users to home manager so it applies to them
users = lib.mapAttrs (name: user: {
home.stateVersion = stateVersion;
programs.home-manager.enable = true;
}) (lib.filterAttrs (name: user: user.isNormalUser or false) users.users);
sharedModules = [
common.homeManagerModules.tmux
common.homeManagerModules.atuin
common.homeManagerModules.direnv
common.homeManagerModules.git
common.homeManagerModules.postgres_cli_options
common.homeManagerModules.ssh
common.homeManagerModules.starship
common.homeManagerModules.zoxide
common.homeManagerModules.zsh
];
};
# System configuration
system.stateVersion = stateVersion;
networking.hostName = configuration_name;
programs.nh.flake = "/home/${primaryUser}/.config/nixos-config/hosts/${configuration_name}";
nixpkgs.config.allowUnfree = true;
users.users = {
"${primaryUser}" = {
isNormalUser = true;
initialPassword = "password1";
shell = pkgs.zsh;
extraGroups = [
"wheel"
"networkmanager"
"video"
"input"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZigrRMF/HHMhjBIwiOnS2pqbOz8Az19tch680BGvmu nix2h001"
];
};
root = {
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZigrRMF/HHMhjBIwiOnS2pqbOz8Az19tch680BGvmu nix2h001"
];
};
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
lua lua
sqlite sqlite
ttyd
]; ];
ringofstorms_common = {
systemName = configuration_name;
boot.systemd.enable = true;
secrets.enable = true;
general = {
reporting.enable = true;
};
programs = {
tailnet.enable = true;
ssh.enable = true;
podman.enable = true;
};
users = {
admins = [ "luser" ]; # First admin is also the primary user owning nix config
users = {
root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZigrRMF/HHMhjBIwiOnS2pqbOz8Az19tch680BGvmu nix2h001"
];
shell = pkgs.zsh;
};
luser = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZigrRMF/HHMhjBIwiOnS2pqbOz8Az19tch680BGvmu nix2h001"
];
extraGroups = [
"networkmanager"
"video"
"input"
];
shell = pkgs.zsh;
};
};
};
homeManager = {
users = {
luser = {
imports = with common.homeManagerModules; [
kitty
tmux
atuin
direnv
git
nix_deprecations
postgres
ssh
starship
zoxide
zsh
];
};
};
};
};
} }
) )
]; ];

60
hosts/h001/mods/litellm.nix
View file

@ -43,16 +43,33 @@ in
drop_params = true; drop_params = true;
}; };
model_list = [ model_list = [
# 宙 Proxy
# { # NOTE model discovery not working yet? https://canary.discord.com/channels/1123360753068540065/1409974123987210350/1427864010241609752
# model_name = "litellm_proxy/*";
# litellm_params = {
# model = "litellm_proxy/*";
# api_base = "http://100.64.0.8:9010/air_key";
# api_key = "os.environ/LITELLM_PROXY_API_KEY";
# };
# }
] ]
# Copilot
++ (builtins.map
(m: {
model_name = "copilot-${m}";
litellm_params = {
model = "github_copilot/${m}";
extra_headers = {
editor-version = "vscode/${pkgs.vscode.version}";
editor-plugin-version = "copilot/${pkgs.vscode-extensions.github.copilot.version}";
Copilot-Integration-Id = "vscode-chat";
Copilot-Vision-Request = "true";
user-agent = "GithubCopilot/${pkgs.vscode-extensions.github.copilot.version}";
};
};
})
# List from https://github.com/settings/copilot/features enabled models
[
"claude-sonnet-3.5"
"claude-sonnet-4"
"claude-sonnet-4.5"
"gemini-2.5-pro"
"openai-gpt-5"
"openai-gpt-5-mini"
]
)
# Azure # Azure
++ (builtins.map ++ (builtins.map
(m: { (m: {
@ -74,36 +91,13 @@ in
# "gpt-5-codex-2025-09-15" # "gpt-5-codex-2025-09-15"
] ]
) )
# Copilot
++ (builtins.map
(m: {
model_name = "copilot-${m}";
litellm_params = {
model = "github_copilot/${m}";
extra_headers = {
editor-version = "vscode/${pkgs.vscode.version}";
editor-plugin-version = "copilot/${pkgs.vscode-extensions.github.copilot.version}";
Copilot-Integration-Id = "vscode-chat";
Copilot-Vision-Request = "true";
user-agent = "GithubCopilot/${pkgs.vscode-extensions.github.copilot.version}";
};
};
})
# List from https://github.com/settings/copilot/features enabled models
[
"claude-sonnet-4.5"
"claude-sonnet-4"
"gemini-2.5-pro"
]
)
# 宙 Proxy # 宙 Proxy
++ (builtins.map ++ (builtins.map
(m: { (m: {
model_name = "air-${m}"; model_name = "air-${m}";
litellm_params = { litellm_params = {
model = "litellm_proxy/${m}"; model = "litellm_proxy/${m}";
api_base = "http://100.64.0.8:9010/air_key"; api_base = "http://100.64.0.8:9010/air_prd";
api_key = "os.environ/LITELLM_PROXY_API_KEY"; api_key = "os.environ/LITELLM_PROXY_API_KEY";
}; };
}) })

25
hosts/h001/mods/openbao.nix
View file

@ -5,23 +5,38 @@
... ...
}: }:
{ {
services.nginx = {
virtualHosts = {
"sec.joshuabell.xyz" = {
addSSL = true;
sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem";
sslCertificateKey = "/var/lib/acme/joshuabell.xyz/key.pem";
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://localhost:8200";
recommendedProxySettings = true;
};
};
};
};
services.openbao = { services.openbao = {
enable = true; enable = true;
package = pkgs.openbao; package = pkgs.openbao;
settings = { settings = {
ui = true; ui = true;
listener.default = { listener.default = {
type = "tcp"; type = "tcp";
address = "127.0.0.1:8200"; address = "127.0.0.1:8200";
tls_disable = true; # nginx will handle TLS tls_disable = true; # nginx will handle TLS
}; };
storage.file = { storage.file = {
path = "/var/lib/openbao"; path = "/var/lib/openbao";
}; };
# Disable mlock requirement for development # Disable mlock requirement for development
# In production, you may want to enable this # In production, you may want to enable this
disable_mlock = true; disable_mlock = true;
@ -42,7 +57,7 @@
ProtectSystem = "strict"; ProtectSystem = "strict";
ProtectHome = true; ProtectHome = true;
ReadWritePaths = [ "/var/lib/openbao" ]; ReadWritePaths = [ "/var/lib/openbao" ];
# Resource limits # Resource limits
LimitNOFILE = 65536; LimitNOFILE = 65536;
LimitNPROC = 4096; LimitNPROC = 4096;

12
hosts/h001/mods/pinchflat.nix
View file

@ -1,10 +1,22 @@
{ {
lib, lib,
inputs,
... ...
}: }:
let
declaration = "services/misc/pinchflat.nix";
nixpkgs = inputs.pinchflat-nixpkgs;
pkgs = import nixpkgs {
system = "x86_64-linux";
config.allowUnfree = true;
};
in
{ {
disabledModules = [ declaration ];
imports = [ "${nixpkgs}/nixos/modules/${declaration}" ];
config = { config = {
services.pinchflat = { services.pinchflat = {
package = pkgs.pinchflat;
enable = true; enable = true;
port = 8945; port = 8945;
selfhosted = true; selfhosted = true;

1
hosts/h001/nginx.nix
View file

@ -17,6 +17,7 @@ let
in in
{ {
# TODO transfer these to o001 to use same certs? # TODO transfer these to o001 to use same certs?
# Will I ever get rate limited by lets encrypt with both doing their own?
security.acme = lib.mkIf (hasSecret "linode_rw_domains") { security.acme = lib.mkIf (hasSecret "linode_rw_domains") {
acceptTerms = true; acceptTerms = true;
defaults.email = "admin@joshuabell.xyz"; defaults.email = "admin@joshuabell.xyz";

1
hosts/h001/readme.md
View file

@ -1 +0,0 @@
Main media server and run things server, has a bunch of stuff on it I am self hosting

145
hosts/h003/flake.nix
View file

@ -1,10 +1,13 @@
{ {
inputs = { inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
home-manager.url = "github:rycee/home-manager/release-25.05";
# Use relative to get current version for testing # Use relative to get current version for testing
# common.url = "path:../../common"; # common.url = "path:../../flakes/common";
common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles"; common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/common";
# secrets.url = "path:../../flakes/secrets";
secrets.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles?dir=flakes/secrets";
ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim"; ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
}; };
@ -12,89 +15,109 @@
outputs = outputs =
{ {
nixpkgs, nixpkgs,
home-manager,
common, common,
secrets,
ros_neovim, ros_neovim,
... ...
}: }@inputs:
let let
configuration_name = "h003"; configuration_name = "h003";
system = "x86_64-linux";
stateVersion = "24.11";
primaryUser = "luser";
lib = nixpkgs.lib; lib = nixpkgs.lib;
in in
{ {
nixosConfigurations = { nixosConfigurations = {
"${configuration_name}" = ( "${configuration_name}" = (
lib.nixosSystem { lib.nixosSystem {
inherit system;
specialArgs = {
inherit inputs;
};
modules = [ modules = [
common.nixosModules.default home-manager.nixosModules.default
secrets.nixosModules.default
ros_neovim.nixosModules.default ros_neovim.nixosModules.default
common.nixosModules.essentials
common.nixosModules.git
common.nixosModules.boot_systemd
common.nixosModules.hardening
common.nixosModules.nix_options
common.nixosModules.podman
common.nixosModules.tailnet
common.nixosModules.timezone_auto
common.nixosModules.tty_caps_esc
common.nixosModules.zsh
./configuration.nix ./configuration.nix
./hardware-configuration.nix ./hardware-configuration.nix
./mods ./mods
( (
{ config, pkgs, ... }: { config, pkgs, ... }:
{ rec {
# Home Manager
home-manager = {
useUserPackages = true;
useGlobalPkgs = true;
backupFileExtension = "bak";
# add all normal users to home manager so it applies to them
users = lib.mapAttrs (name: user: {
home.stateVersion = stateVersion;
programs.home-manager.enable = true;
}) (lib.filterAttrs (name: user: user.isNormalUser or false) users.users);
sharedModules = [
common.homeManagerModules.tmux
common.homeManagerModules.atuin
common.homeManagerModules.direnv
common.homeManagerModules.git
common.homeManagerModules.postgres_cli_options
common.homeManagerModules.ssh
common.homeManagerModules.starship
common.homeManagerModules.zoxide
common.homeManagerModules.zsh
];
};
# System configuration
system.stateVersion = stateVersion;
networking.hostName = configuration_name;
programs.nh.flake = "/home/${primaryUser}/.config/nixos-config/hosts/${configuration_name}";
nixpkgs.config.allowUnfree = true;
users.users = {
"${primaryUser}" = {
isNormalUser = true;
initialPassword = "password1";
shell = pkgs.zsh;
extraGroups = [
"wheel"
"networkmanager"
"video"
"input"
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3riAQ8RP5JXj2eO87JpjbM/9SrfFHcN5pEJwQpRcOl nix2h003"
];
};
root = {
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3riAQ8RP5JXj2eO87JpjbM/9SrfFHcN5pEJwQpRcOl nix2h003"
];
};
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
lua lua
sqlite sqlite
# networking tools ttyd
tcpdump tcpdump
dig dig
]; ];
ringofstorms_common = {
systemName = configuration_name;
boot.systemd.enable = true;
secrets.enable = true;
general = {
reporting.enable = true;
};
programs = {
tailnet.enable = true;
ssh.enable = true;
podman.enable = true;
};
users = {
admins = [ "luser" ]; # First admin is also the primary user owning nix config
users = {
root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3riAQ8RP5JXj2eO87JpjbM/9SrfFHcN5pEJwQpRcOl nix2h003"
];
shell = pkgs.zsh;
};
luser = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3riAQ8RP5JXj2eO87JpjbM/9SrfFHcN5pEJwQpRcOl nix2h003"
];
extraGroups = [
"networkmanager"
"video"
"input"
];
shell = pkgs.zsh;
};
};
};
homeManager = {
users = {
luser = {
imports = with common.homeManagerModules; [
kitty
tmux
atuin
direnv
git
nix_deprecations
postgres
ssh
starship
zoxide
zsh
];
};
};
};
};
} }
) )
]; ];

1
hosts/linode/l001/headscale.nix
View file

@ -32,6 +32,7 @@
(h001ARecord "chat") (h001ARecord "chat")
(h001ARecord "sso-proxy") (h001ARecord "sso-proxy")
(h001ARecord "n8n") (h001ARecord "n8n")
(h001ARecord "sec")
(h001ARecord "sso") (h001ARecord "sso")
(h001ARecord "gist") (h001ARecord "gist")
(h001ARecord "git") (h001ARecord "git")

8
hosts/lio/flake.lock generated
View file

@ -1207,11 +1207,11 @@
"rust-overlay": "rust-overlay" "rust-overlay": "rust-overlay"
}, },
"locked": { "locked": {
"lastModified": 1761621645, "lastModified": 1761712156,
"narHash": "sha256-pbwLPnz2WEAJ4K6d/iBy0u/Rko9NLaN8gn8NqsBzUNo=", "narHash": "sha256-4vU7FPZFXSFguQUIPrbLQOk3VSokp6RH8t7zQoqneow=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "26dd42aebb0b2bc218acf2e36113997133f4dbbd", "rev": "04f666dabbaced8d661693cfbe4eb7efa359ce7d",
"revCount": 319, "revCount": 320,
"type": "git", "type": "git",
"url": "https://git.joshuabell.xyz/ringofstorms/nvim" "url": "https://git.joshuabell.xyz/ringofstorms/nvim"
}, },

10
hosts/lio/flake.nix
View file

@ -49,6 +49,12 @@
secrets.nixosModules.default secrets.nixosModules.default
ros_neovim.nixosModules.default ros_neovim.nixosModules.default
(
{ ... }:
{
ringofstorms-nvim.includeAllRuntimeDependencies = true;
}
)
flatpaks.nixosModules.default flatpaks.nixosModules.default
common.nixosModules.essentials common.nixosModules.essentials
@ -150,6 +156,10 @@
"org.blender.Blender" "org.blender.Blender"
"com.rustdesk.RustDesk" "com.rustdesk.RustDesk"
]; ];
networking.firewall.allowedTCPPorts = [
8080
];
} }
) )
]; ];

3
hosts/lio/i3_customizations.nix
View file

@ -14,7 +14,8 @@ let
''; '';
bg1 = ../_shared_assets/wallpapers/pixel_neon.png; bg1 = ../_shared_assets/wallpapers/pixel_neon.png;
bg2 = ../_shared_assets/wallpapers/pixel_neon_v.png; bg2 = ../_shared_assets/wallpapers/pixel_neon_v.png;
xrSetup = "xrandr --output DP-1 --mode 3840x2160 --rate 97.98 --pos 0x0 --primary; sleep 0.2; xrandr --output DP-2 --mode 3440x1440 --rate 99.98 --rotate left --left-of DP-1"; # xrSetup = "xrandr --output DP-1 --mode 3840x2160 --rate 119.88 --pos 0x0 --primary; sleep 0.2; xrandr --output DP-2 --mode 3440x1440 --rate 99.98 --rotate left --left-of DP-1";
xrSetup = "xrandr --output DP-1 --mode 3840x2160 --rate 60 --pos 0x0 --primary; sleep 0.2; xrandr --output DP-2 --mode 3440x1440 --rate 99.98 --rotate left --left-of DP-1";
xwallpaperCmd = "xwallpaper --output DP-1 --zoom ${bg1} --output DP-2 --zoom ${bg2}"; xwallpaperCmd = "xwallpaper --output DP-1 --zoom ${bg1} --output DP-2 --zoom ${bg2}";
startupCmd = "sh -c 'sleep 0.2; i3-msg workspace number 7; sleep 0.2; i3-msg workspace number 1'"; startupCmd = "sh -c 'sleep 0.2; i3-msg workspace number 7; sleep 0.2; i3-msg workspace number 1'";
i3ExtraOptions = { i3ExtraOptions = {

7
hosts/oracle/o001/nginx.nix
View file

@ -187,6 +187,13 @@
proxyPass = "http://100.64.0.13"; proxyPass = "http://100.64.0.13";
}; };
}; };
"sec.joshuabell.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://100.64.0.13";
};
};
"sso.joshuabell.xyz" = { "sso.joshuabell.xyz" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;

36
secrets_epic.md
View file

@ -41,18 +41,20 @@ services.openbao = {
### 1.2 Configure Nginx Reverse Proxy ### 1.2 Configure Nginx Reverse Proxy
**File:** `hosts/h001/nginx.nix` **File:** Put this inside of the openbao.nix file as well above or below the existing configuration.
**Tasks:** **Tasks:**
- [ ] Add virtualHost for `vault.joshuabell.xyz` - [x] Add virtualHost for `sec.joshuabell.xyz`
- [ ] Configure SSL using existing ACME wildcard cert - [x] Configure SSL using existing ACME wildcard cert
- [ ] Set up proxy to `http://127.0.0.1:8200` - [x] Add virtualHost for `sec.joshuabell.xyz`
- [ ] Enable websockets for UI - [x] Configure SSL using existing ACME wildcard cert
- [ ] Add security headers - [x] Set up proxy to `http://127.0.0.1:8200`
- [x] Enable websockets for UI
- [x] Add security headers
**Expected config:** **Expected config:**
```nix ```nix
services.nginx.virtualHosts."vault.joshuabell.xyz" = { services.nginx.virtualHosts."sec.joshuabell.xyz" = {
addSSL = true; addSSL = true;
sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem"; sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem";
sslCertificateKey = "/var/lib/acme/joshuabell.xyz/key.pem"; sslCertificateKey = "/var/lib/acme/joshuabell.xyz/key.pem";
@ -74,12 +76,12 @@ services.nginx.virtualHosts."vault.joshuabell.xyz" = {
### 1.4 Initial Deployment ### 1.4 Initial Deployment
**Tasks:** **Tasks:**
- [ ] Deploy to h001 with `nixos-rebuild switch` - [x] Deploy to h001 with `nixos-rebuild switch`
- [ ] Verify OpenBao service is running - [x] Verify OpenBao service is running
- [ ] Access UI at `https://vault.joshuabell.xyz` - [x] Access UI at `https://sec.joshuabell.xyz`
- [ ] Initialize OpenBao (generates root token and unseal keys) - [x] Initialize OpenBao (generates root token and unseal keys)
- [ ] Save unseal keys and root token securely (LastPass/Bitwarden) - [x] Save unseal keys and root token securely (LastPass/Bitwarden)
- [ ] Unseal the vault - [x] Unseal the vault
**Commands:** **Commands:**
```bash ```bash
@ -104,7 +106,7 @@ openbao operator unseal <key3>
**Commands:** **Commands:**
```bash ```bash
export VAULT_ADDR='https://vault.joshuabell.xyz' export VAULT_ADDR='https://sec.joshuabell.xyz'
openbao login <root-token> openbao login <root-token>
openbao secrets enable -version=2 kv openbao secrets enable -version=2 kv
openbao kv put kv/test password=hello openbao kv put kv/test password=hello
@ -275,7 +277,7 @@ in {
**Tasks:** **Tasks:**
- [ ] Import vault-agent module - [ ] Import vault-agent module
- [ ] Configure vault-agent for h001: - [ ] Configure vault-agent for h001:
- vault address: `https://vault.joshuabell.xyz` - vault address: `https://sec.joshuabell.xyz`
- role: `nixos-h001` - role: `nixos-h001`
- JWT path: `/etc/vault/h001-jwt` - JWT path: `/etc/vault/h001-jwt`
- [ ] Define secrets needed by h001 services - [ ] Define secrets needed by h001 services
@ -285,7 +287,7 @@ in {
```nix ```nix
services.vault-agent = { services.vault-agent = {
enable = true; enable = true;
vaultAddress = "https://vault.joshuabell.xyz"; vaultAddress = "https://sec.joshuabell.xyz";
role = "nixos-h001"; role = "nixos-h001";
secrets = { secrets = {
postgres-password = { postgres-password = {
@ -513,7 +515,7 @@ openbao kv put kv/hosts/h001/openwebui \
## Success Criteria ## Success Criteria
- [ ] OpenBao running and accessible at `https://vault.joshuabell.xyz` - [ ] OpenBao running and accessible at `https://sec.joshuabell.xyz`
- [ ] Zitadel OIDC authentication working for machine users - [ ] Zitadel OIDC authentication working for machine users
- [ ] At least 3 secrets migrated from agenix to OpenBao - [ ] At least 3 secrets migrated from agenix to OpenBao
- [ ] Services on h001 starting successfully with vault-agent secrets - [ ] Services on h001 starting successfully with vault-agent secrets