add TODO.md

progress flake
add default nixpkgs.nix
2026-02-16 09:36:01 +10:00 · 2026-02-16 09:35:57 +10:00 · 2026-02-16 09:35:47 +10:00 · 2026-02-16 09:35:29 +10:00 · 2026-02-16 09:34:17 +10:00 · 2026-02-16 09:33:33 +10:00
17 changed files with 217 additions and 227 deletions
--- a/TODO.md
+++ b/TODO.md
@ -0,0 +1,10 @@
 - [ ] Update the README.md
 - [ ] switch ssh keys to ECC (fuck RSA)
 - [ ] migrate forge.dobutterfliescry.net -> tearforge.net
 - [ ] rename forgejo user to git
 - [ ] setup my own VPN
 - [ ] connect match to my VPN
 - [ ] use matcha to build stuff instead of using my laptop
 - [ ] make `ceru` do local and remote deployments
--- a/flake.lock
+++ b/flake.lock
@ -3,12 +3,11 @@
    "cerulean": {
      "inputs": {
        "deploy-rs": "deploy-rs",
        "home-manager": "home-manager",
        "microvm": "microvm",
        "nixpkgs": [
          "nixpkgs"
        ],
        "nixpkgs-unstable": [
          "nixpkgs-unstable"
        ],
        "nt": [
          "nt"
        ],
@ -17,20 +16,26 @@
        ]
      },
      "locked": {
-        "lastModified": 1770984845,
+        "lastModified": 1771194110,
-        "narHash": "sha256-si6XCx0xGq3z7dZSVCx5NgVxgFdnTc1qaKro5IemG70=",
+        "narHash": "sha256-x6rijGWmPL5FTpkr+8vpcKKCOT33QHEV8bP6ibEAXFE=",
-        "path": "/home/me/cry/mk/Cerulean",
+        "owner": "cry128",
-        "type": "path"
+        "repo": "Cerulean",
        "rev": "d527937829dec0f410f126a2f85e374cb99a2fbb",
        "type": "github"
      },
      "original": {
-        "path": "/home/me/cry/mk/Cerulean",
+        "owner": "cry128",
-        "type": "path"
+        "repo": "Cerulean",
        "type": "github"
      }
    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": [
          "cerulean",
          "nixpkgs"
        ],
        "utils": "utils"
      },
      "locked": {
@ -166,6 +171,7 @@
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "cerulean",
          "nixpkgs"
        ]
      },
@ -184,6 +190,49 @@
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1770260404,
        "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-25.11",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "microvm": {
      "inputs": {
        "nixpkgs": [
          "cerulean",
          "nixpkgs"
        ],
        "spectrum": "spectrum"
      },
      "locked": {
        "lastModified": 1770310890,
        "narHash": "sha256-lyWAs4XKg3kLYaf4gm5qc5WJrDkYy3/qeV5G733fJww=",
        "owner": "microvm-nix",
        "repo": "microvm.nix",
        "rev": "68c9f9c6ca91841f04f726a298c385411b7bfcd5",
        "type": "github"
      },
      "original": {
        "owner": "microvm-nix",
        "repo": "microvm.nix",
        "type": "github"
      }
    },
    "nix-flatpak": {
      "locked": {
        "lastModified": 1767983141,
@ -270,16 +319,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1743014863,
+        "lastModified": 1770770419,
-        "narHash": "sha256-jAIUqsiN2r3hCuHji80U7NNEafpIMBXiwKlSrjWMlpg=",
+        "narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
-        "owner": "NixOS",
+        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "bd3bac8bfb542dbde7ffffb6987a1a1f9d41699f",
+        "rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
        "type": "github"
      },
      "original": {
-        "owner": "NixOS",
+        "owner": "nixos",
-        "ref": "nixpkgs-unstable",
+        "ref": "nixos-25.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -316,22 +365,6 @@
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1770770419,
        "narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
        "owner": "nixos",
        "repo": "nixpkgs",
        "rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
        "ref": "nixos-25.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_3": {
      "locked": {
        "lastModified": 1767313136,
        "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
@ -350,18 +383,21 @@
    "nt": {
      "inputs": {
        "nix-unit": "nix-unit",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1770975061,
+        "lastModified": 1770975056,
-        "narHash": "sha256-dedEcQSEzur2/pBcxFFygkSrMuKGOUWThOUD2LXMCsA=",
+        "narHash": "sha256-ZXTz/P3zUbbM6lNXzt91u8EwfNqhXpYMu8+wvFZqQHE=",
-        "path": "/home/me/cry/mk/nt",
+        "owner": "cry128",
-        "type": "path"
+        "repo": "nt",
        "rev": "f42dcdd49a7921a7f433512e83d5f93696632412",
        "type": "github"
      },
      "original": {
-        "path": "/home/me/cry/mk/nt",
+        "owner": "cry128",
-        "type": "path"
+        "repo": "nt",
        "type": "github"
      }
    },
    "root": {
@ -369,15 +405,31 @@
        "cerulean": "cerulean",
        "dobutterfliescry-net": "dobutterfliescry-net",
        "grub2-themes": "grub2-themes",
-        "home-manager": "home-manager",
+        "home-manager": "home-manager_2",
        "nix-flatpak": "nix-flatpak",
        "nixcord": "nixcord",
-        "nixpkgs": "nixpkgs_2",
+        "nixpkgs": "nixpkgs",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nt": "nt",
        "systems": "systems_3"
      }
    },
    "spectrum": {
      "flake": false,
      "locked": {
        "lastModified": 1759482047,
        "narHash": "sha256-H1wiXRQHxxPyMMlP39ce3ROKCwI5/tUn36P8x6dFiiQ=",
        "ref": "refs/heads/main",
        "rev": "c5d5786d3dc938af0b279c542d1e43bce381b4b9",
        "revCount": 996,
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      },
      "original": {
        "type": "git",
        "url": "https://spectrum-os.org/git/spectrum"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -12,16 +12,15 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    # nt.url = "github:cry128/nt";
+    nt.url = "github:cry128/nt";
-    nt.url = "/home/me/cry/mk/nt";
+    # nt.url = "/home/me/cry/mk/nt";
    cerulean = {
-      # url = "github:cry128/Cerulean";
+      url = "github:cry128/Cerulean";
-      url = "/home/me/cry/mk/Cerulean";
+      # url = "/home/me/cry/mk/Cerulean";
      inputs = {
        systems.follows = "systems";
        nixpkgs.follows = "nixpkgs";
        nixpkgs-unstable.follows = "nixpkgs-unstable";
        nt.follows = "nt";
      };
    };
--- a/groups/all/default.nix
+++ b/groups/all/default.nix
@ -24,6 +24,13 @@
    ];
  };
  programs.nh = {
    enable = true;
    clean.enable = true;
    clean.extraArgs = "--keep-since 7d --keep 3";
    flake = "/home/me/flake"; # sets NH_OS_FLAKE variable for you
  };
  nix.settings = {
    # make wheel group trusted users allows my "ae" user
    # to import packages not signed by a trusted key
--- a/groups/all/modules/flatpak.nix
+++ b/groups/all/modules/flatpak.nix
@ -1,12 +1,12 @@
 {...}: {
  services.flatpak = {
-    remotes = [
+    # DEBUG: remotes = [
-      {
+    # DEBUG:   {
-        location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
+    # DEBUG:     location = "https://dl.flathub.org/repo/flathub.flatpakrepo";
-        name = "flathub";
+    # DEBUG:     name = "flathub";
-      }
+    # DEBUG:   }
-    ];
+    # DEBUG: ];
-    uninstallUnmanaged = true;
+    # DEBUG: uninstallUnmanaged = true;
  };
 }
--- a/groups/cryde/default.nix
+++ b/groups/cryde/default.nix
@ -109,9 +109,6 @@
    };
    systemPackages = with pkgs; [
      sddm-theme-corners
      # dependencies for my sddm theme:
      # XXX: add these as a buildInput
      # pkgs.libsForQt5.qt5.qtgraphicaleffects
    ];
  };
--- a/groups/cryos/programs.nix
+++ b/groups/cryos/programs.nix
@ -19,7 +19,7 @@
    hexyl
    # ASM
    nasm
-    # x86-manpages # DEBUG
+    x86-manpages
    # C Family
    gcc
    clang
--- a/groups/server/default.nix
+++ b/groups/server/default.nix
@ -1,7 +1,7 @@
 {lib, ...}: {
  networking.firewall = {
    allowedTCPPorts = [
-      22
+      42069 # ssh
    ];
  };
@ -9,7 +9,7 @@
    # accept Lets Encrypt's security policy
    acme = {
      acceptTerms = true;
-      defaults.email = "them@dobutterfliescry.net";
+      defaults.email = "eclarkboman@gmail.com";
    };
    sudo = {
@ -26,7 +26,7 @@
  services = {
    openssh = {
      enable = true;
-      ports = [22];
+      ports = [42069];
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
@ -37,6 +37,22 @@
    };
  };
  # simple fail2ban config (not production ready or anything though)
  # refer to: https://nixos.wiki/wiki/Fail2Ban
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "10m"; # 10 minute ban
    bantime-increment = {
      enable = true;
      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
      # multipliers = "1 2 4 8 16 32 64";
      maxtime = "168h"; # dont ban for more than 1 week
      overalljails = true;
    };
  };
  users = {
    users = {
      # primary user
--- a/homes/me/default.nix
+++ b/homes/me/default.nix
@ -106,42 +106,30 @@
    };
    # set ssh profiles
-    # NOTE: (IMPORTANT) this DOES NOT start the ssh-agent
+    # WARNING: this DOES NOT start the ssh-agent
-    #       for that you need to use `services.ssh-agent.enable`
+    # WARNING: for that you need to use `services.ssh-agent.enable`
    ssh = {
      enable = true;
      forwardAgent = false;
-      addKeysToAgent = "no";
+      addKeysToAgent = "yes";
      matchBlocks = {
-        hyrule = {
+        butterfly = {
-          hostname = "imbored.dev";
+          hostname = "dobutterfliescry.net";
-          user = "ae";
+          user = "cry";
-          port = 22;
+          port = 42069;
-          identityFile = "~/.ssh/id_hyrule";
+          identityFile = "~/.ssh/id_butterfly";
          setEnv = {
            TERM = "linux";
          };
        };
        clocktown = {
-          hostname = "clocktown.dobutterfliescry.net";
+          hostname = "hyrule.dobutterfliescry.net";
-          user = "root";
+          user = "cry";
-          port = 22;
+          port = 42069;
-          identityFile = "~/.ssh/id_clocktown";
+          identityFile = "~/.ssh/id_hyrule";
        };
        subspace = {
          hostname = "imbored.dev";
          user = "subspace";
          port = 22;
          identityFile = "~/.ssh/id_subspace";
        };
        dead = {
          hostname = "deadlyserver.com";
          user = "emile";
          port = 29843;
          identityFile = "~/.ssh/id_deadlyserver";
          setEnv = {
-            TERM = "xterm-256color";
+            TERM = "linux";
          };
        };
        youcue = {
--- a/homes/modules/git.nix
+++ b/homes/modules/git.nix
@ -7,24 +7,24 @@
    enable = true;
    lfs.enable = true;
    userName = "_cry64";
    userEmail = "them@dobutterfliescry.net";
    signing = {
      # key = "F68745A836CA0412";
      # format = "openpgp";
      # signByDefault = true;
    };
-    aliases = {
+    settings = {
-      s = "status";
+      user.name = "_cry64";
-      d = "diff";
+      user.email = "them@dobutterfliescry.net";
-      l = "log";
+
-      c = "commit";
+      alias = {
-      p = "push";
+        s = "status";
-    };
+        d = "diff";
        l = "log";
        c = "commit";
        p = "push";
      };
    extraConfig = {
      color.ui = true;
      core.editor = "hx";
      github.user = "cry128";
@ -51,7 +51,7 @@
            "codeberg:"
          ];
        };
-        "forgejo@forge.dobutterfliescry.net:2222/" = {
+        "git@tearforge.net/" = {
          insteadOf = [
            "cry:"
            "forge:"
--- a/homes/modules/server/fail2ban.nix
+++ b/homes/modules/server/fail2ban.nix
@ -1,17 +0,0 @@
 {...}: {
  # simple fail2ban config (not production ready or anything though)
  # refer to: https://nixos.wiki/wiki/Fail2Ban
  services.fail2ban = {
    enable = true;
    maxretry = 5;
    bantime = "10m"; # 10 minute ban
    bantime-increment = {
      enable = true;
      formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
      multipliers = "1 2 4 8 16 32 64";
      maxtime = "168h"; # dont ban for more than 1 week
      overalljails = true;
    };
  };
 }
--- a/homes/modules/server/nginx.nix
+++ b/homes/modules/server/nginx.nix
@ -1,35 +0,0 @@
 {...}: {
  services = {
    # use nginx as the reverse proxy
    # (also will use certbot and Let's Encrypt)
    # refer to: https://nixos.wiki/wiki/Nginx
    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      # https://imbored.dev
      virtualHosts = {
        "imbored.dev" = {
          forceSSL = true;
          enableACME = true;
          # config reverse proxy paths
          locations = {
            "/" = {
              # TODO
              proxyPass = "http://127.0.0.1:12345";
            };
          };
        };
      };
    };
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "eclarkboman@gmail.com";
  };
 }
--- a/homes/modules/server/ssh.nix
+++ b/homes/modules/server/ssh.nix
@ -1,13 +0,0 @@
 {...}: {
  services.openssh = {
    enable = true;
    ports = [22];
    settings = {
      PasswordAuthentication = true;
      PermitRootLogin = "no";
      AllowUsers = null; # allow all users by default
      UseDns = true;
      X11Forwarding = false;
    };
  };
 }
--- a/hosts/butterfly/services/nginx.nix
+++ b/hosts/butterfly/services/nginx.nix
@ -1,30 +1,13 @@
-{
+{pkgs, ...}: {
  inputs,
  pkgs,
  ...
 }: {
  nixpkgs.overlays = [
    (self: super: {
      # in wake of CVE-2022-3602/CVE-2022-3786
      nginxStable = super.nginxStable.override {openssl = pkgs.libressl;};
    })
    inputs.dobutterfliescry-net.overlays.default
  ];
  # simple nginx instance to host static construction page
  # TODO: I want sshd and forgejo's ssh server to both be bound to port 22
  #       So change sshd to listen on a different address/port (ie 2222 or 127.0.0.3:22, etc)
  #       and change forgejo to use 127.0.0.2:22 (use port 22, ONLY change loopback address)
  services.nginx = {
    enable = true;
-    # XXX: TODO: this should auto use the nginxStable overlay no?
+    # NOTE: in wake of CVE-2022-3602/CVE-2022-3786 nginxStable is overlayed
-    # in wake of CVE-2022-3602/CVE-2022-3786
+    package = pkgs.nginx;
    # package = pkgs.nginxStable.override {openssl = pkgs.libressl;};
-    recommendedGzipSettings = true;
+    # recommendedGzipSettings = true;
-    recommendedOptimisation = true;
+    # recommendedOptimisation = true;
-    recommendedProxySettings = true;
+    # recommendedProxySettings = true;
-    recommendedTlsSettings = true;
+    # recommendedTlsSettings = true;
    # streamConfig = ''
    #   server {
@ -43,40 +26,33 @@
        enableACME = true;
        # kTLS = true; # offload TLS to the linux kernel
      };
      vault =
        {
          forceSSL = true;
          locations."/".proxyPass = "${localhost}:8222";
        }
        // std;
      forge =
        {
          forceSSL = true;
          extraConfig = ''
            client_max_body_size 512M;
          '';
          locations."/".proxyPass = "${localhost}:3000";
        }
        // std;
    in {
      "dobutterfliescry.net" =
        {
          default = true;
-          addSSL = true; # not strictly enforced <3
+          addSSL = true; # addSSL NOT forceSSL <3
          # root = "/var/www/cry";
          root = "${pkgs.dobutterfliescry-net}/www";
          # extraConfig = ''
          #   error_page 404 /custom_404.html;
          # '';
        }
        // std;
-      # Route "vault" subdomain to vaultwarden
+      "vault.imbored.dev" =
-      "vault.imbored.dev" = vault;
+        {
-      # Route "forge" subdomain to forgejo
+          forceSSL = true;
-      # TODO: use `forgejo.settings.server.ENABLE_ACME` instead?
+          locations."/".proxyPass = "${localhost}:8222";
        }
        // std;
      # "tearforge.net" =
      #   {
      #     forceSSL = true;
      #     extraConfig = ''
      #       client_max_body_size 512M;
      #     '';
      #     locations."/".proxyPass = "${localhost}:3000";
      #   }
      #   // std;
      # "tearforge.net" = forge;
      "forge.dobutterfliescry.net" = forge;
    };
  };
 }
--- a/nixpkgs.nix
+++ b/nixpkgs.nix
@ -3,15 +3,17 @@
  inputs,
  system,
  ...
-}: {
+} @ args: {
-  nixpkgs.channels.default = {
+  nixpkgs.channels.default = rec {
    default = pkgs;
    # nixpkgs (stable branch)
    pkgs = {
      inherit system;
      source = inputs.nixpkgs;
-      overlays =
+      overlays = [
-        [inputs.dobutterfliescry-net.overlays.default]
+        inputs.dobutterfliescry-net.overlays.default
-        ++ import ./overlays/default.nix;
+        (import ./overlays/default.nix args)
      ];
      config = {
        # allowUnfree = false;
        allowBroken = false;
@ -31,9 +33,10 @@
    upkgs = {
      inherit system;
      source = inputs.nixpkgs-unstable;
-      overlays =
+      overlays = [
-        [inputs.dobutterfliescry-net.overlays.default]
+        inputs.dobutterfliescry-net.overlays.default
-        ++ import ./overlays/default.nix;
+        (import ./overlays/default.nix args)
      ];
      config = {
        allowUnfree = false;
        allowBroken = false;
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -1,5 +1,5 @@
-[
+{inputs, ...}: (
-  (self: super: {
+  self: super: {
    angry-oxide = import ../packages/angryoxide {
      pkgs = super;
      inherit
@ -18,6 +18,10 @@
      pkgs = super;
    };
    # in wake of CVE-2022-3602/CVE-2022-3786
    nginxStable = super.nginxStable.override {openssl = super.libressl;};
    nginx = super.nginx.override {openssl = super.libressl;};
    element-desktop = super.element-desktop.overrideAttrs (final: prev: {
      desktopItems = [
        ((builtins.elemAt prev.desktopItems 0).override {
@ -25,5 +29,5 @@
        })
      ];
    });
-  })
+  }
-]
+)
--- a/snow.nix
+++ b/snow.nix
@ -13,10 +13,6 @@ cerulean.mkNexus ./. (self: {
      server = {};
    };
    extraModules = with inputs; [
      home-manager.nixosModules.default
    ];
    nodes = let
      inherit
        (self.nexus)
@ -47,14 +43,21 @@ cerulean.mkNexus ./. (self: {
      butterfly = {
        system = "x86_64-linux";
        groups = [groups.server];
-        deploy.ssh.host = "dobutterfliescry.net";
+        deploy.ssh = {
          host = "dobutterfliescry.net";
          user = "cry";
          port = 42069;
        };
      };
      # pls dont sue me im broke
      hyrule = {
        system = "x86_64-linux";
        groups = [groups.server];
-        deploy.ssh.host = "hyrule.dobutterfliescry.net";
+        deploy.ssh = {
          host = "hyrule.dobutterfliescry.net";
          user = "cry";
        };
      };
      # call me a statistician the way she spreads in my sheets
Author	SHA1	Message	Date
_cry64	648f53ae75	add TODO.md	2026-02-16 09:36:01 +10:00
_cry64	4ecb9ad03a	progress flake	2026-02-16 09:35:57 +10:00
_cry64	ed8618c8a6	add default nixpkgs.nix	2026-02-16 09:35:47 +10:00
_cry64	b6202ad56a	update hosts (+ update sshPort)	2026-02-16 09:35:29 +10:00
_cry64	821349be71	add flatpak + nh	2026-02-16 09:34:17 +10:00
_cry64	921741546e	remove modules/server	2026-02-16 09:33:33 +10:00
_cry64	b22bb3217e	update git config	2026-02-16 09:33:25 +10:00
_cry64	3b2e3ddaab	add nginx overlay to overlays.nix	2026-02-16 09:32:40 +10:00