17 changed files with 227 additions and 217 deletions
--- a/TODO.md
+++ b/TODO.md
@ -1,10 +0,0 @@
 - [ ] Update the README.md
 - [ ] switch ssh keys to ECC (fuck RSA)
 - [ ] migrate forge.dobutterfliescry.net -> tearforge.net
 - [ ] rename forgejo user to git
 - [ ] setup my own VPN
 - [ ] connect match to my VPN
 - [ ] use matcha to build stuff instead of using my laptop
 - [ ] make `ceru` do local and remote deployments
--- a/flake.lock
+++ b/flake.lock
@ -3,11 +3,12 @@
    "cerulean": {
      "inputs": {
        "deploy-rs": "deploy-rs",
        "home-manager": "home-manager",
        "microvm": "microvm",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-unstable": [
          "nixpkgs-unstable"
        ],
        "nt": [
          "nt"
        ],
@ -16,26 +17,20 @@
        ]
      },
      "locked": {
-        "lastModified": 1771194110,
+        "lastModified": 1770984845,
-        "narHash": "sha256-x6rijGWmPL5FTpkr+8vpcKKCOT33QHEV8bP6ibEAXFE=",
+        "narHash": "sha256-si6XCx0xGq3z7dZSVCx5NgVxgFdnTc1qaKro5IemG70=",
-        "owner": "cry128",
+        "path": "/home/me/cry/mk/Cerulean",
-        "repo": "Cerulean",
+        "type": "path"
        "rev": "d527937829dec0f410f126a2f85e374cb99a2fbb",
        "type": "github"
      },
      "original": {
-        "owner": "cry128",
+        "path": "/home/me/cry/mk/Cerulean",
-        "repo": "Cerulean",
+        "type": "path"
        "type": "github"
      }
    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
-        "nixpkgs": [
+        "nixpkgs": "nixpkgs",
          "cerulean",
          "nixpkgs"
        ],
        "utils": "utils"
      },
      "locked": {
@ -171,7 +166,6 @@
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "cerulean",
          "nixpkgs"
        ]
      },
@ -190,49 +184,6 @@
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1770260404,
        "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-25.11",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "microvm": {
      "inputs": {
        "nixpkgs": [
          "cerulean",
          "nixpkgs"
        ],
        "spectrum": "spectrum"
      },
      "locked": {
        "lastModified": 1770310890,
        "narHash": "sha256-lyWAs4XKg3kLYaf4gm5qc5WJrDkYy3/qeV5G733fJww=",
        "owner": "microvm-nix",
        "repo": "microvm.nix",
        "rev": "68c9f9c6ca91841f04f726a298c385411b7bfcd5",
        "type": "github"
      },
      "original": {
        "owner": "microvm-nix",
        "repo": "microvm.nix",
        "type": "github"
      }
    },
    "nix-flatpak": {
      "locked": {
        "lastModified": 1767983141,
@ -319,16 +270,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1770770419,
+        "lastModified": 1743014863,
-        "narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
+        "narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=",
-        "owner": "nixos",
+        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
+        "rev": "bd3bac8bfb542dbde7ffffb6987a1a1f9d41699f",
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
+        "owner": "NixOS",
-        "ref": "nixos-25.11",
+        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -365,6 +316,22 @@
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1770770419,
        "narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-25.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1767313136,
        "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
@ -383,21 +350,18 @@
    "nt": {
      "inputs": {
        "nix-unit": "nix-unit",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs_3",
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1770975056,
+        "lastModified": 1770975061,
-        "narHash": "sha256-ZXTz/P3zUbbM6lNXzt91u8EwfNqhXpYMu8+wvFZqQHE=",
+        "narHash": "sha256-dedEcQSEzur2/pBcxFFygkSrMuKGOUWThOUD2LXMCsA=",
-        "owner": "cry128",
+        "path": "/home/me/cry/mk/nt",
-        "repo": "nt",
+        "type": "path"
        "rev": "f42dcdd49a7921a7f433512e83d5f93696632412",
        "type": "github"
      },
      "original": {
-        "owner": "cry128",
+        "path": "/home/me/cry/mk/nt",
-        "repo": "nt",
+        "type": "path"
        "type": "github"
      }
    },
    "root": {
@ -405,31 +369,15 @@
        "cerulean": "cerulean",
        "dobutterfliescry-net": "dobutterfliescry-net",
        "grub2-themes": "grub2-themes",
-        "home-manager": "home-manager_2",
+        "home-manager": "home-manager",
        "nix-flatpak": "nix-flatpak",
        "nixcord": "nixcord",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nt": "nt",
        "systems": "systems_3"
      }
    },
    "spectrum": {
      "flake": false,
      "locked": {
        "lastModified": 1759482047,
        "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
        "ref": "refs/heads/main",
        "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
        "revCount": 996,
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      },
      "original": {
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -12,15 +12,16 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    nt.url = "github:cry128/nt";
+    # nt.url = "github:cry128/nt";
-    # nt.url = "/home/me/cry/mk/nt";
+    nt.url = "/home/me/cry/mk/nt";
    cerulean = {
-      url = "github:cry128/Cerulean";
+      # url = "github:cry128/Cerulean";
-      # url = "/home/me/cry/mk/Cerulean";
+      url = "/home/me/cry/mk/Cerulean";
      inputs = {
        systems.follows = "systems";
        nixpkgs.follows = "nixpkgs";
        nixpkgs-unstable.follows = "nixpkgs-unstable";
        nt.follows = "nt";
      };
    };
--- a/groups/all/default.nix
+++ b/groups/all/default.nix
@ -24,13 +24,6 @@
    ];
  };
  programs.nh = {
    enable = true;
    clean.enable = true;
    clean.extraArgs = "--keep-since 7d --keep 3";
    flake = "/home/me/flake"; # sets NH_OS_FLAKE variable for you
  };
  nix.settings = {
    # make wheel group trusted users allows my "ae" user
    # to import packages not signed by a trusted key
--- a/groups/all/modules/flatpak.nix
+++ b/groups/all/modules/flatpak.nix
@ -1,12 +1,12 @@
 {...}: {
  services.flatpak = {
-    # DEBUG: remotes = [
+    remotes = [
-    # DEBUG:   {
+      {
-    # DEBUG:     location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
+        location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
-    # DEBUG:     name = "flathub";
+        name = "flathub";
-    # DEBUG:   }
+      }
-    # DEBUG: ];
+    ];
-    # DEBUG: uninstallUnmanaged = true;
+    uninstallUnmanaged = true;
  };
 }
--- a/groups/cryde/default.nix
+++ b/groups/cryde/default.nix
@ -109,6 +109,9 @@
    };
    systemPackages = with pkgs; [
      sddm-theme-corners
      # dependencies for my sddm theme:
      # XXX: add these as a buildInput
      # pkgs.libsForQt5.qt5.qtgraphicaleffects
    ];
  };
--- a/groups/cryos/programs.nix
+++ b/groups/cryos/programs.nix
@ -19,7 +19,7 @@
    hexyl
    # ASM
    nasm
-    x86-manpages
+    # x86-manpages # DEBUG
    # C Family
    gcc
    clang
--- a/groups/server/default.nix
+++ b/groups/server/default.nix
@ -1,7 +1,7 @@
 {lib, ...}: {
  networking.firewall = {
    allowedTCPPorts = [
-      42069 # ssh
+      22
    ];
  };
@ -9,7 +9,7 @@
    # accept Lets Encrypt's security policy
    acme = {
      acceptTerms = true;
-      defaults.email = "eclarkboman@gmail.com";
+      defaults.email = "them@dobutterfliescry.net";
    };
    sudo = {
@ -26,7 +26,7 @@
  services = {
    openssh = {
      enable = true;
-      ports = [42069];
+      ports = [22];
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
@ -37,22 +37,6 @@
    };
  };
  # simple fail2ban config (not production ready or anything though)
  # refer to: https://nixos.wiki/wiki/Fail2Ban
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "10m"; # 10 minute ban
    bantime-increment = {
      enable = true;
      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
      # multipliers = "1 2 4 8 16 32 64";
      maxtime = "168h"; # dont ban for more than 1 week
      overalljails = true;
    };
  };
  users = {
    users = {
      # primary user
--- a/homes/me/default.nix
+++ b/homes/me/default.nix
@ -106,30 +106,42 @@
    };
    # set ssh profiles
-    # WARNING: this DOES NOT start the ssh-agent
+    # NOTE: (IMPORTANT) this DOES NOT start the ssh-agent
-    # WARNING: for that you need to use `services.ssh-agent.enable`
+    #       for that you need to use `services.ssh-agent.enable`
    ssh = {
      enable = true;
      forwardAgent = false;
-      addKeysToAgent = "yes";
+      addKeysToAgent = "no";
      matchBlocks = {
-        butterfly = {
+        hyrule = {
-          hostname = "dobutterfliescry.net";
+          hostname = "imbored.dev";
-          user = "cry";
+          user = "ae";
-          port = 42069;
+          port = 22;
-          identityFile = "~/.ssh/id_butterfly";
+          identityFile = "~/.ssh/id_hyrule";
          setEnv = {
            TERM = "linux";
          };
        };
        clocktown = {
-          hostname = "hyrule.dobutterfliescry.net";
+          hostname = "clocktown.dobutterfliescry.net";
-          user = "cry";
+          user = "root";
-          port = 42069;
+          port = 22;
-          identityFile = "~/.ssh/id_hyrule";
+          identityFile = "~/.ssh/id_clocktown";
        };
        subspace = {
          hostname = "imbored.dev";
          user = "subspace";
          port = 22;
          identityFile = "~/.ssh/id_subspace";
        };
        dead = {
          hostname = "deadlyserver.com";
          user = "emile";
          port = 29843;
          identityFile = "~/.ssh/id_deadlyserver";
          setEnv = {
-            TERM = "linux";
+            TERM = "xterm-256color";
          };
        };
        youcue = {
--- a/homes/modules/git.nix
+++ b/homes/modules/git.nix
@ -7,24 +7,24 @@
    enable = true;
    lfs.enable = true;
    userName = "_cry64";
    userEmail = "them@dobutterfliescry.net";
    signing = {
      # key = "F68745A836CA0412";
      # format = "openpgp";
      # signByDefault = true;
    };
-    settings = {
+    aliases = {
-      user.name = "_cry64";
+      s = "status";
-      user.email = "them@dobutterfliescry.net";
+      d = "diff";
-
+      l = "log";
-      alias = {
+      c = "commit";
-        s = "status";
+      p = "push";
-        d = "diff";
+    };
        l = "log";
        c = "commit";
        p = "push";
      };
    extraConfig = {
      color.ui = true;
      core.editor = "hx";
      github.user = "cry128";
@ -51,7 +51,7 @@
            "codeberg:"
          ];
        };
-        "git@tearforge.net/" = {
+        "forgejo@forge.dobutterfliescry.net:2222/" = {
          insteadOf = [
            "cry:"
            "forge:"
--- a/homes/modules/server/fail2ban.nix
+++ b/homes/modules/server/fail2ban.nix
@ -0,0 +1,17 @@
 {...}: {
  # simple fail2ban config (not production ready or anything though)
  # refer to: https://nixos.wiki/wiki/Fail2Ban
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "10m"; # 10 minute ban
    bantime-increment = {
      enable = true;
      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
      multipliers = "1 2 4 8 16 32 64";
      maxtime = "168h"; # dont ban for more than 1 week
      overalljails = true;
    };
  };
 }
--- a/homes/modules/server/nginx.nix
+++ b/homes/modules/server/nginx.nix
@ -0,0 +1,35 @@
 {...}: {
  services = {
    # use nginx as the reverse proxy
    # (also will use certbot and Let's Encrypt)
    # refer to: https://nixos.wiki/wiki/Nginx
    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      # https://imbored.dev
      virtualHosts = {
        "imbored.dev" = {
          forceSSL = true;
          enableACME = true;
          # config reverse proxy paths
          locations = {
            "/" = {
              # TODO
              proxyPass = "http://127.0.0.1:12345";
            };
          };
        };
      };
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "eclarkboman@gmail.com";
  };
 }
--- a/homes/modules/server/ssh.nix
+++ b/homes/modules/server/ssh.nix
@ -0,0 +1,13 @@
 {...}: {
  services.openssh = {
    enable = true;
    ports = [22];
    settings = {
      PasswordAuthentication = true;
      PermitRootLogin = "no";
      AllowUsers = null; # allow all users by default
      UseDns = true;
      X11Forwarding = false;
    };
  };
 }
--- a/hosts/butterfly/services/nginx.nix
+++ b/hosts/butterfly/services/nginx.nix
@ -1,13 +1,30 @@
-{pkgs, ...}: {
+{
  inputs,
  pkgs,
  ...
 }: {
  nixpkgs.overlays = [
    (self: super: {
      # in wake of CVE-2022-3602/CVE-2022-3786
      nginxStable = super.nginxStable.override {openssl = pkgs.libressl;};
    })
    inputs.dobutterfliescry-net.overlays.default
  ];
  # simple nginx instance to host static construction page
  # TODO: I want sshd and forgejo's ssh server to both be bound to port 22
  #       So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
  #       and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
  services.nginx = {
    enable = true;
-    # NOTE: in wake of CVE-2022-3602/CVE-2022-3786 nginxStable is overlayed
+    # XXX: TODO: this should auto use the nginxStable overlay no?
-    package = pkgs.nginx;
+    # in wake of CVE-2022-3602/CVE-2022-3786
    # package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
-    # recommendedGzipSettings = true;
+    recommendedGzipSettings = true;
-    # recommendedOptimisation = true;
+    recommendedOptimisation = true;
-    # recommendedProxySettings = true;
+    recommendedProxySettings = true;
-    # recommendedTlsSettings = true;
+    recommendedTlsSettings = true;
    # streamConfig = ''
    #   server {
@ -26,33 +43,40 @@
        enableACME = true;
        # kTLS = true; # offload TLS to the linux kernel
      };
      vault =
        {
          forceSSL = true;
          locations."/".proxyPass = "${localhost}:8222";
        }
        // std;
      forge =
        {
          forceSSL = true;
          extraConfig = ''
            client_max_body_size 512M;
          '';
          locations."/".proxyPass = "${localhost}:3000";
        }
        // std;
    in {
      "dobutterfliescry.net" =
        {
          default = true;
-          addSSL = true; # addSSL NOT forceSSL <3
+          addSSL = true; # not strictly enforced <3
          # root = "/var/www/cry";
          root = "${pkgs.dobutterfliescry-net}/www";
          # extraConfig = ''
          #   error_page 404 /custom_404.html;
          # '';
        }
        // std;
-      "vault.imbored.dev" =
+      # Route "vault" subdomain to vaultwarden
-        {
+      "vault.imbored.dev" = vault;
-          forceSSL = true;
+      # Route "forge" subdomain to forgejo
-          locations."/".proxyPass = "${localhost}:8222";
+      # TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
        }
        // std;
      # "tearforge.net" =
      #   {
      #     forceSSL = true;
      #     extraConfig = ''
      #       client_max_body_size 512M;
      #     '';
      #     locations."/".proxyPass = "${localhost}:3000";
      #   }
      #   // std;
      # "tearforge.net" = forge;
      "forge.dobutterfliescry.net" = forge;
    };
  };
 }
--- a/nixpkgs.nix
+++ b/nixpkgs.nix
@ -3,17 +3,15 @@
  inputs,
  system,
  ...
-} @ args: {
+}: {
-  nixpkgs.channels.default = rec {
+  nixpkgs.channels.default = {
    default = pkgs;
    # nixpkgs (stable branch)
    pkgs = {
      inherit system;
      source = inputs.nixpkgs;
-      overlays = [
+      overlays =
-        inputs.dobutterfliescry-net.overlays.default
+        [inputs.dobutterfliescry-net.overlays.default]
-        (import ./overlays/default.nix args)
+        ++ import ./overlays/default.nix;
      ];
      config = {
        # allowUnfree = false;
        allowBroken = false;
@ -33,10 +31,9 @@
    upkgs = {
      inherit system;
      source = inputs.nixpkgs-unstable;
-      overlays = [
+      overlays =
-        inputs.dobutterfliescry-net.overlays.default
+        [inputs.dobutterfliescry-net.overlays.default]
-        (import ./overlays/default.nix args)
+        ++ import ./overlays/default.nix;
      ];
      config = {
        allowUnfree = false;
        allowBroken = false;
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -1,5 +1,5 @@
-{inputs, ...}: (
+[
-  self: super: {
+  (self: super: {
    angry-oxide = import ../packages/angryoxide {
      pkgs = super;
      inherit
@ -18,10 +18,6 @@
      pkgs = super;
    };
    # in wake of CVE-2022-3602/CVE-2022-3786
    nginxStable = super.nginxStable.override {openssl = super.libressl;};
    nginx = super.nginx.override {openssl = super.libressl;};
    element-desktop = super.element-desktop.overrideAttrs (final: prev: {
      desktopItems = [
        ((builtins.elemAt prev.desktopItems 0).override {
@ -29,5 +25,5 @@
        })
      ];
    });
-  }
+  })
-)
+]
--- a/snow.nix
+++ b/snow.nix
@ -13,6 +13,10 @@ cerulean.mkNexus ./. (self: {
      server = {};
    };
    extraModules = with inputs; [
      home-manager.nixosModules.default
    ];
    nodes = let
      inherit
        (self.nexus)
@ -43,21 +47,14 @@ cerulean.mkNexus ./. (self: {
      butterfly = {
        system = "x86_64-linux";
        groups = [groups.server];
-        deploy.ssh = {
+        deploy.ssh.host = "dobutterfliescry.net";
          host = "dobutterfliescry.net";
          user = "cry";
          port = 42069;
        };
      };
      # pls dont sue me im broke
      hyrule = {
        system = "x86_64-linux";
        groups = [groups.server];
-        deploy.ssh = {
+        deploy.ssh.host = "hyrule.dobutterfliescry.net";
          host = "hyrule.dobutterfliescry.net";
          user = "cry";
        };
      };
      # call me a statistician the way she spreads in my sheets