

No commits in common. "648f53ae758b1e39acfd06f0270ffb2dc4c834fe" and "f845588d00be1bff0858d98fbc078574c14bd40a" have entirely different histories.

17 changed files with 227 additions and 217 deletions

10
TODO.md

@ -1,10 +0,0 @@
- [ ] Update the README.md
- [ ] switch ssh keys to ECC (fuck RSA)
- [ ] migrate forge.dobutterfliescry.net -> tearforge.net
- [ ] rename forgejo user to git
- [ ] setup my own VPN
- [ ] connect match to my VPN
- [ ] use matcha to build stuff instead of using my laptop
- [ ] make `ceru` do local and remote deployments

134
flake.lock generated

@ -3,11 +3,12 @@
"cerulean": { "cerulean": {
"inputs": { "inputs": {
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"home-manager": "home-manager",
"microvm": "microvm",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
], ],
"nixpkgs-unstable": [
"nixpkgs-unstable"
],
"nt": [ "nt": [
"nt" "nt"
], ],
@ -16,26 +17,20 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1771194110, "lastModified": 1770984845,
"narHash": "sha256-x6rijGWmPL5FTpkr+8vpcKKCOT33QHEV8bP6ibEAXFE=", "narHash": "sha256-si6XCx0xGq3z7dZSVCx5NgVxgFdnTc1qaKro5IemG70=",
"owner": "cry128", "path": "/home/me/cry/mk/Cerulean",
"repo": "Cerulean", "type": "path"
"rev": "d527937829dec0f410f126a2f85e374cb99a2fbb",
"type": "github"
}, },
"original": { "original": {
"owner": "cry128", "path": "/home/me/cry/mk/Cerulean",
"repo": "Cerulean", "type": "path"
"type": "github"
} }
}, },
"deploy-rs": { "deploy-rs": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"nixpkgs": [ "nixpkgs": "nixpkgs",
"cerulean",
"nixpkgs"
],
"utils": "utils" "utils": "utils"
}, },
"locked": { "locked": {
@ -171,7 +166,6 @@
"home-manager": { "home-manager": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"cerulean",
"nixpkgs" "nixpkgs"
] ]
}, },
@ -190,49 +184,6 @@
"type": "github" "type": "github"
} }
}, },
"home-manager_2": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1770260404,
"narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-25.11",
"repo": "home-manager",
"type": "github"
}
},
"microvm": {
"inputs": {
"nixpkgs": [
"cerulean",
"nixpkgs"
],
"spectrum": "spectrum"
},
"locked": {
"lastModified": 1770310890,
"narHash": "sha256-lyWAs4XKg3kLYaf4gm5qc5WJrDkYy3/qeV5G733fJww=",
"owner": "microvm-nix",
"repo": "microvm.nix",
"rev": "68c9f9c6ca91841f04f726a298c385411b7bfcd5",
"type": "github"
},
"original": {
"owner": "microvm-nix",
"repo": "microvm.nix",
"type": "github"
}
},
"nix-flatpak": { "nix-flatpak": {
"locked": { "locked": {
"lastModified": 1767983141, "lastModified": 1767983141,
@ -319,16 +270,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1770770419, "lastModified": 1743014863,
"narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=", "narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=",
"owner": "nixos", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a", "rev": "bd3bac8bfb542dbde7ffffb6987a1a1f9d41699f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "nixos", "owner": "NixOS",
"ref": "nixos-25.11", "ref": "nixpkgs-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -365,6 +316,22 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1770770419,
"narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1767313136, "lastModified": 1767313136,
"narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
@ -383,21 +350,18 @@
"nt": { "nt": {
"inputs": { "inputs": {
"nix-unit": "nix-unit", "nix-unit": "nix-unit",
"nixpkgs": "nixpkgs_2", "nixpkgs": "nixpkgs_3",
"systems": "systems_2" "systems": "systems_2"
}, },
"locked": { "locked": {
"lastModified": 1770975056, "lastModified": 1770975061,
"narHash": "sha256-ZXTz/P3zUbbM6lNXzt91u8EwfNqhXpYMu8+wvFZqQHE=", "narHash": "sha256-dedEcQSEzur2/pBcxFFygkSrMuKGOUWThOUD2LXMCsA=",
"owner": "cry128", "path": "/home/me/cry/mk/nt",
"repo": "nt", "type": "path"
"rev": "f42dcdd49a7921a7f433512e83d5f93696632412",
"type": "github"
}, },
"original": { "original": {
"owner": "cry128", "path": "/home/me/cry/mk/nt",
"repo": "nt", "type": "path"
"type": "github"
} }
}, },
"root": { "root": {
@ -405,31 +369,15 @@
"cerulean": "cerulean", "cerulean": "cerulean",
"dobutterfliescry-net": "dobutterfliescry-net", "dobutterfliescry-net": "dobutterfliescry-net",
"grub2-themes": "grub2-themes", "grub2-themes": "grub2-themes",
"home-manager": "home-manager_2", "home-manager": "home-manager",
"nix-flatpak": "nix-flatpak", "nix-flatpak": "nix-flatpak",
"nixcord": "nixcord", "nixcord": "nixcord",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nt": "nt", "nt": "nt",
"systems": "systems_3" "systems": "systems_3"
} }
}, },
"spectrum": {
"flake": false,
"locked": {
"lastModified": 1759482047,
"narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
"ref": "refs/heads/main",
"rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
"revCount": 996,
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
},
"original": {
"type": "git",
"url": "https://spectrum-os.org/git/spectrum"
}
},
"systems": { "systems": {
"locked": { "locked": {
"lastModified": 1681028828, "lastModified": 1681028828,


@ -12,15 +12,16 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nt.url = "github:cry128/nt"; # nt.url = "github:cry128/nt";
# nt.url = "/home/me/cry/mk/nt"; nt.url = "/home/me/cry/mk/nt";
cerulean = { cerulean = {
url = "github:cry128/Cerulean"; # url = "github:cry128/Cerulean";
# url = "/home/me/cry/mk/Cerulean"; url = "/home/me/cry/mk/Cerulean";
inputs = { inputs = {
systems.follows = "systems"; systems.follows = "systems";
nixpkgs.follows = "nixpkgs"; nixpkgs.follows = "nixpkgs";
nixpkgs-unstable.follows = "nixpkgs-unstable";
nt.follows = "nt"; nt.follows = "nt";
}; };
}; };
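Review bot: The new side points `nt.url` and `cerulean.url` at local checkouts (`/home/me/cry/mk/nt`, `/home/me/cry/mk/Cerulean`), so the flake no longer references a pinned upstream revision and only evaluates on a machine where those directories exist; the flake.lock in this compare records them as `"type": "path"` with no `rev`, so the lock can no longer be used to verify which source was built. For local development keep the `github:` URLs committed and pass `--override-input nt /home/me/cry/mk/nt` (and the same for `cerulean`) on the command line, which leaves the lock pinned. The removed `nixpkgs-unstable.follows = "nixpkgs-unstable";` line presumably lets cerulean resolve its own copy of that input, which doubles the nixpkgs closure; confirm that is intended. The enclosing `inputs` attribute set starts before this hunk.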


@ -24,13 +24,6 @@
]; ];
}; };
programs.nh = {
enable = true;
clean.enable = true;
clean.extraArgs = "--keep-since 7d --keep 3";
flake = "/home/me/flake"; # sets NH_OS_FLAKE variable for you
};
nix.settings = { nix.settings = {
# make wheel group trusted users allows my "ae" user # make wheel group trusted users allows my "ae" user
# to import packages not signed by a trusted key # to import packages not signed by a trusted key


@ -1,12 +1,12 @@
{...}: { {...}: {
services.flatpak = { services.flatpak = {
# DEBUG: remotes = [ remotes = [
# DEBUG: { {
# DEBUG: location = "https://dl.flathub.org/repo/flathub.flatpakrepo"; location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
# DEBUG: name = "flathub"; name = "flathub";
# DEBUG: } }
# DEBUG: ]; ];
# DEBUG: uninstallUnmanaged = true; uninstallUnmanaged = true;
}; };
} }
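Review bot: `uninstallUnmanaged = true;` on the new side removes, at activation, any flatpak app or remote not declared in this module, presumably including anything installed by hand with `flatpak install`; nothing on the line says so. A comment such as `uninstallUnmanaged = true; # removes any app/remote not declared here on activation` would keep the next editor from losing installed apps by surprise.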


@ -109,6 +109,9 @@
}; };
systemPackages = with pkgs; [ systemPackages = with pkgs; [
sddm-theme-corners sddm-theme-corners
# dependencies for my sddm theme:
# XXX: add these as a buildInput
# pkgs.libsForQt5.qt5.qtgraphicaleffects
]; ];
}; };


@ -19,7 +19,7 @@
hexyl hexyl
# ASM # ASM
nasm nasm
x86-manpages # x86-manpages # DEBUG
# C Family # C Family
gcc gcc
clang clang


@ -1,7 +1,7 @@
{lib, ...}: { {lib, ...}: {
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ allowedTCPPorts = [
42069 # ssh 22
]; ];
}; };
@ -9,7 +9,7 @@
# accept Lets Encrypt's security policy # accept Lets Encrypt's security policy
acme = { acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "eclarkboman@gmail.com"; defaults.email = "them@dobutterfliescry.net";
}; };
sudo = { sudo = {
@ -26,7 +26,7 @@
services = { services = {
openssh = { openssh = {
enable = true; enable = true;
ports = [42069]; ports = [22];
settings = { settings = {
PasswordAuthentication = false; PasswordAuthentication = false;
PermitRootLogin = "no"; PermitRootLogin = "no";
@ -37,22 +37,6 @@
}; };
}; };
# simple fail2ban config (not production ready or anything though)
# refer to: https://nixos.wiki/wiki/Fail2Ban
services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "10m"; # 10 minute ban
bantime-increment = {
enable = true;
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
# multipliers = "1 2 4 8 16 32 64";
maxtime = "168h"; # dont ban for more than 1 week
overalljails = true;
};
};
users = { users = {
users = { users = {
# primary user # primary user
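Review bot: The `services.fail2ban` block is dropped from this file on the new side at the same time sshd moves to port 22 and the firewall entry loses its `# ssh` annotation; an equivalent fail2ban module is added as a new file in this compare, but whether the same host imports it is not visible here, so confirm sshd is not left without the brute-force jail. Keep the annotation, `22 # ssh`, so the firewall entry stays tied to the `openssh.ports` value in the later hunk. `acme.defaults.email` is also defined, with a different value, in the new `homes/modules/server/nginx.nix` in this compare; if one host imports both modules, NixOS will reject the conflicting definitions, so define it in one place. The enclosing module attribute set starts and ends outside this hunk.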


@ -106,30 +106,42 @@
}; };
# set ssh profiles # set ssh profiles
# WARNING: this DOES NOT start the ssh-agent # NOTE: (IMPORTANT) this DOES NOT start the ssh-agent
# WARNING: for that you need to use `services.ssh-agent.enable` # for that you need to use `services.ssh-agent.enable`
ssh = { ssh = {
enable = true; enable = true;
forwardAgent = false; forwardAgent = false;
addKeysToAgent = "yes"; addKeysToAgent = "no";
matchBlocks = { matchBlocks = {
butterfly = { hyrule = {
hostname = "dobutterfliescry.net"; hostname = "imbored.dev";
user = "cry"; user = "ae";
port = 42069; port = 22;
identityFile = "~/.ssh/id_butterfly"; identityFile = "~/.ssh/id_hyrule";
setEnv = { setEnv = {
TERM = "linux"; TERM = "linux";
}; };
}; };
clocktown = { clocktown = {
hostname = "hyrule.dobutterfliescry.net"; hostname = "clocktown.dobutterfliescry.net";
user = "cry"; user = "root";
port = 42069; port = 22;
identityFile = "~/.ssh/id_hyrule"; identityFile = "~/.ssh/id_clocktown";
};
subspace = {
hostname = "imbored.dev";
user = "subspace";
port = 22;
identityFile = "~/.ssh/id_subspace";
};
dead = {
hostname = "deadlyserver.com";
user = "emile";
port = 29843;
identityFile = "~/.ssh/id_deadlyserver";
setEnv = { setEnv = {
TERM = "linux"; TERM = "xterm-256color";
}; };
}; };
youcue = { youcue = {
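Review bot: The new `clocktown` match block logs in with `user = "root"`, while the server module in this compare keeps `PermitRootLogin = "no"` on both sides; if that module applies to clocktown the block can never authenticate, and if it does not, direct root login is still the weaker choice — use an unprivileged user and escalate on the host. `addKeysToAgent = "no"` together with `forwardAgent = false` is a sound default and worth a short comment saying it is deliberate. The `ssh` block continues past the end of this hunk.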


@ -7,17 +7,16 @@
enable = true; enable = true;
lfs.enable = true; lfs.enable = true;
userName = "_cry64";
userEmail = "them@dobutterfliescry.net";
signing = { signing = {
# key = "F68745A836CA0412"; # key = "F68745A836CA0412";
# format = "openpgp"; # format = "openpgp";
# signByDefault = true; # signByDefault = true;
}; };
settings = { aliases = {
user.name = "_cry64";
user.email = "them@dobutterfliescry.net";
alias = {
s = "status"; s = "status";
d = "diff"; d = "diff";
l = "log"; l = "log";
@ -25,6 +24,7 @@
p = "push"; p = "push";
}; };
extraConfig = {
color.ui = true; color.ui = true;
core.editor = "hx"; core.editor = "hx";
github.user = "cry128"; github.user = "cry128";
@ -51,7 +51,7 @@
"codeberg:" "codeberg:"
]; ];
}; };
"git@tearforge.net/" = { "forgejo@forge.dobutterfliescry.net:2222/" = {
insteadOf = [ insteadOf = [
"cry:" "cry:"
"forge:" "forge:"
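Review bot: The rewritten URL base `forgejo@forge.dobutterfliescry.net:2222/` on the new side is scp-style syntax, which git does not parse for a port: everything after the first colon is the path, so `forge:owner/repo` expands to path `2222/owner/repo` on the default port 22. Use the explicit scheme, `"ssh://forgejo@forge.dobutterfliescry.net:2222/" = {`, which is also what the forgejo-on-2222 plan in the host's nginx module in this compare requires. The `signing` block is empty on both sides, so commits remain unsigned; a one-line comment stating that this is deliberate (or a TODO with the intended key format) would help.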


@ -0,0 +1,17 @@
{...}: {
# simple fail2ban config (not production ready or anything though)
# refer to: https://nixos.wiki/wiki/Fail2Ban
services.fail2ban = {
enable = true;
maxretry = 5;
bantime = "10m"; # 10 minute ban
bantime-increment = {
enable = true;
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
multipliers = "1 2 4 8 16 32 64";
maxtime = "168h"; # dont ban for more than 1 week
overalljails = true;
};
};
}
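Review bot: `bantime-increment` sets both `formula` and `multipliers` in this new module (the same block's old location kept `multipliers` commented out); fail2ban's `bantime.multipliers` takes precedence over `bantime.formula` when both are present, so the formula line is dead configuration — comment it out again or drop it so the effective schedule is the one that is written. Enabling fail2ban with defaults presumably activates only the sshd jail on NixOS; the `# refer to:` comment could say so, so a reader does not assume nginx or forgejo are covered. The file's path is not shown in this section.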

35
homes/modules/server/nginx.nix Executable file

@ -0,0 +1,35 @@
{...}: {
services = {
# use nginx as the reverse proxy
# (also will use certbot and Let's Encrypt)
# refer to: https://nixos.wiki/wiki/Nginx
nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
# https://imbored.dev
virtualHosts = {
"imbored.dev" = {
forceSSL = true;
enableACME = true;
# config reverse proxy paths
locations = {
"/" = {
# TODO
proxyPass = "http://127.0.0.1:12345";
};
};
};
};
};
};
security.acme = {
acceptTerms = true;
defaults.email = "eclarkboman@gmail.com";
};
}
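Review bot: `security.acme.defaults.email` is defined here and, with a different value, in the existing server module changed in this compare; if one host imports both modules, evaluation fails on the conflicting definitions, so keep a single definition. The comment `# (also will use certbot and Let's Encrypt)` is inaccurate — NixOS's ACME module obtains certificates with lego, not certbot; `# (certificates come from Let's Encrypt via the NixOS security.acme module)` would be correct. `proxyPass = "http://127.0.0.1:12345";` under a bare `# TODO` is a placeholder upstream behind a public `forceSSL` vhost; say what service is meant to listen there so the port is not left pointing at whatever binds it first.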

13
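--- a/homes/modules/server/ssh.nix
+++ b/homes/modules/server/ssh.nix
@@ -0,0 +1,13 @@
+{...}: {
+services.openssh = {
+enable = true;
+ports = [22];
+settings = {
+PasswordAuthentication = true;
+PermitRootLogin = "no";
+AllowUsers = null; # allow all users by default
+UseDns = true;
+X11Forwarding = false;
+};
+};
+}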
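Review bot: `PasswordAuthentication = true;` in this new server ssh module exposes sshd on port 22 to password guessing, and the other server module in this compare sets the same option to `false`; keep key-only authentication, `PasswordAuthentication = false;`, and if a password login is needed to bootstrap a host, scope it to that user with a `Match` block in `extraConfig` rather than globally. `AllowUsers = null; # allow all users by default` is already the option's default, so the line adds nothing — either list the accounts that should be able to log in or remove it. `UseDns = true` only matters when `authorized_keys` `from=` patterns use hostnames and otherwise adds a reverse lookup to every login; the NixOS default is `false`.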


@ -1,13 +1,30 @@
{pkgs, ...}: { {
inputs,
pkgs,
...
}: {
nixpkgs.overlays = [
(self: super: {
# in wake of CVE-2022-3602/CVE-2022-3786
nginxStable = super.nginxStable.override {openssl = pkgs.libressl;};
})
inputs.dobutterfliescry-net.overlays.default
];
# simple nginx instance to host static construction page
# TODO: I want sshd and forgejo's ssh server to both be bound to port 22
# So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
# and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
services.nginx = { services.nginx = {
enable = true; enable = true;
# NOTE: in wake of CVE-2022-3602/CVE-2022-3786 nginxStable is overlayed # XXX: TODO: this should auto use the nginxStable overlay no?
package = pkgs.nginx; # in wake of CVE-2022-3602/CVE-2022-3786
# package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
# recommendedGzipSettings = true; recommendedGzipSettings = true;
# recommendedOptimisation = true; recommendedOptimisation = true;
# recommendedProxySettings = true; recommendedProxySettings = true;
# recommendedTlsSettings = true; recommendedTlsSettings = true;
# streamConfig = '' # streamConfig = ''
# server { # server {
@ -26,33 +43,40 @@
enableACME = true; enableACME = true;
# kTLS = true; # offload TLS to the linux kernel # kTLS = true; # offload TLS to the linux kernel
}; };
vault =
{
forceSSL = true;
locations."/".proxyPass = "${localhost}:8222";
}
// std;
forge =
{
forceSSL = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "${localhost}:3000";
}
// std;
in { in {
"dobutterfliescry.net" = "dobutterfliescry.net" =
{ {
default = true; default = true;
addSSL = true; # addSSL NOT forceSSL <3 addSSL = true; # not strictly enforced <3
# root = "/var/www/cry";
root = "${pkgs.dobutterfliescry-net}/www"; root = "${pkgs.dobutterfliescry-net}/www";
# extraConfig = '' # extraConfig = ''
# error_page 404 /custom_404.html; # error_page 404 /custom_404.html;
# ''; # '';
} }
// std; // std;
"vault.imbored.dev" = # Route "vault" subdomain to vaultwarden
{ "vault.imbored.dev" = vault;
forceSSL = true; # Route "forge" subdomain to forgejo
locations."/".proxyPass = "${localhost}:8222"; # TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
}
// std;
# "tearforge.net" =
# {
# forceSSL = true;
# extraConfig = ''
# client_max_body_size 512M;
# '';
# locations."/".proxyPass = "${localhost}:3000";
# }
# // std;
# "tearforge.net" = forge; # "tearforge.net" = forge;
"forge.dobutterfliescry.net" = forge;
}; };
}; };
} }
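Review bot: The `# XXX: TODO: this should auto use the nginxStable overlay no?` comment in the first hunk has a definite answer — no: `services.nginx.package` defaults to `pkgs.nginx`, and the new overlay overrides only `nginxStable`, whereas the old overlay in `overlays/default.nix` (also changed in this compare) overrode both `nginx` and `nginxStable`, so the libressl build is no longer used at all once `package = pkgs.nginx;` is dropped. Either set `package = pkgs.nginxStable;` or add `nginx = super.nginx.override {openssl = super.libressl;};` to the overlay, and replace the question with a comment stating which; inside the overlay prefer `super.libressl` over the module's `pkgs`, as the old overlay did, to avoid evaluating the final package set from within it. CVE-2022-3602 and CVE-2022-3786 were fixed upstream in OpenSSL 3.0.7, so the pinned nixpkgs presumably ships a fixed OpenSSL already; the libressl swap is worth re-justifying in the comment or dropping, since it takes nginx off the OpenSSL build the rest of nixpkgs is tested against. The `virtualHosts` `let` binding in the second hunk starts before that hunk.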


@ -3,17 +3,15 @@
inputs, inputs,
system, system,
... ...
} @ args: { }: {
nixpkgs.channels.default = rec { nixpkgs.channels.default = {
default = pkgs;
# nixpkgs (stable branch) # nixpkgs (stable branch)
pkgs = { pkgs = {
inherit system; inherit system;
source = inputs.nixpkgs; source = inputs.nixpkgs;
overlays = [ overlays =
inputs.dobutterfliescry-net.overlays.default [inputs.dobutterfliescry-net.overlays.default]
(import ./overlays/default.nix args) ++ import ./overlays/default.nix;
];
config = { config = {
# allowUnfree = false; # allowUnfree = false;
allowBroken = false; allowBroken = false;
@ -33,10 +31,9 @@
upkgs = { upkgs = {
inherit system; inherit system;
source = inputs.nixpkgs-unstable; source = inputs.nixpkgs-unstable;
overlays = [ overlays =
inputs.dobutterfliescry-net.overlays.default [inputs.dobutterfliescry-net.overlays.default]
(import ./overlays/default.nix args) ++ import ./overlays/default.nix;
];
config = { config = {
allowUnfree = false; allowUnfree = false;
allowBroken = false; allowBroken = false;
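Review bot: The overlays expression `[inputs.dobutterfliescry-net.overlays.default] ++ import ./overlays/default.nix` is now written out twice, once under `pkgs` and once under `upkgs` (both hunks); hoisting it into a `let overlays = …; in` above `nixpkgs.channels.default` keeps the two channels from drifting apart the next time one is edited. Dropping `@ args` is consistent with `./overlays/default.nix` no longer taking `inputs` in this compare, but then `inputs` in the destructured arguments is used only for `source` and the overlay, which a short comment on the channel block could say.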


@ -1,5 +1,5 @@
{inputs, ...}: ( [
self: super: { (self: super: {
angry-oxide = import ../packages/angryoxide { angry-oxide = import ../packages/angryoxide {
pkgs = super; pkgs = super;
inherit inherit
@ -18,10 +18,6 @@
pkgs = super; pkgs = super;
}; };
# in wake of CVE-2022-3602/CVE-2022-3786
nginxStable = super.nginxStable.override {openssl = super.libressl;};
nginx = super.nginx.override {openssl = super.libressl;};
element-desktop = super.element-desktop.overrideAttrs (final: prev: { element-desktop = super.element-desktop.overrideAttrs (final: prev: {
desktopItems = [ desktopItems = [
((builtins.elemAt prev.desktopItems 0).override { ((builtins.elemAt prev.desktopItems 0).override {
@ -29,5 +25,5 @@
}) })
]; ];
}); });
} })
) ]


@ -13,6 +13,10 @@ cerulean.mkNexus ./. (self: {
server = {}; server = {};
}; };
extraModules = with inputs; [
home-manager.nixosModules.default
];
nodes = let nodes = let
inherit inherit
(self.nexus) (self.nexus)
@ -43,21 +47,14 @@ cerulean.mkNexus ./. (self: {
butterfly = { butterfly = {
system = "x86_64-linux"; system = "x86_64-linux";
groups = [groups.server]; groups = [groups.server];
deploy.ssh = { deploy.ssh.host = "dobutterfliescry.net";
host = "dobutterfliescry.net";
user = "cry";
port = 42069;
};
}; };
# pls dont sue me im broke # pls dont sue me im broke
hyrule = { hyrule = {
system = "x86_64-linux"; system = "x86_64-linux";
groups = [groups.server]; groups = [groups.server];
deploy.ssh = { deploy.ssh.host = "hyrule.dobutterfliescry.net";
host = "hyrule.dobutterfliescry.net";
user = "cry";
};
}; };
# call me a statistician the way she spreads in my sheets # call me a statistician the way she spreads in my sheets
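Review bot: Dropping `user` and `port` from `deploy.ssh` for `butterfly` and `hyrule` in the second hunk makes the deploy connection depend on ssh's defaults and `~/.ssh/config`; the home-manager ssh config in this compare has no match block for `dobutterfliescry.net` or `hyrule.dobutterfliescry.net` on the new side, so the login user presumably becomes the local username, which must exist on each server with the rights the deploy needs. If that is intended, a comment on `deploy.ssh.host` naming the expected remote user makes the dependency visible; otherwise keep `user` explicit. The `cerulean.mkNexus` expression enclosing these nodes starts and ends outside the hunks.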