Merge remote-tracking branch 'refs/remotes/origin/master'

s-prechtl 2025-08-30 15:00:41 +02:00
commit 337573f99c
6 changed files with 78 additions and 264 deletions

70
flake.lock generated

@ -8,11 +8,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1750173260, "lastModified": 1754433428,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -24,16 +24,16 @@
"brew-src": { "brew-src": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1751910772, "lastModified": 1753461463,
"narHash": "sha256-jQNdIkq2iRDNWskd5f8kX6q9BO/CBSXhMH41WNRft8E=", "narHash": "sha256-kGc7pRH0diLzKmOHsEFA8sZ9NJpgT+tqxAMsuqNd5Po=",
"owner": "Homebrew", "owner": "Homebrew",
"repo": "brew", "repo": "brew",
"rev": "700d67a85e0129ab8a893ff69246943479e33df1", "rev": "4d14be89e99a45181c18e96a5f19a5b43343cc0f",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "Homebrew", "owner": "Homebrew",
"ref": "4.5.9", "ref": "4.5.13",
"repo": "brew", "repo": "brew",
"type": "github" "type": "github"
} }
@ -119,11 +119,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1749396052, "lastModified": 1754613544,
"narHash": "sha256-fJvPyUBat+krIrCrGO0Z40OaCKAluViL1nJ7wBo3dAU=", "narHash": "sha256-ueR1mGX4I4DWfDRRxxMphbKDNisDeMPMusN72VV1+cc=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "f23b0935a3c7a3ec1907359b49962393af248734", "rev": "cc2fa2331aebf9661d22bb507d362b39852ac73f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -140,11 +140,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1751336185, "lastModified": 1752603129,
"narHash": "sha256-ptnVr2x+sl7cZcTuGx/0BOE2qCAIYHTcgfA+/h60ml0=", "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "96354906f58464605ff81d2f6c2ea23211cbf051", "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -236,11 +236,11 @@
"brew-src": "brew-src" "brew-src": "brew-src"
}, },
"locked": { "locked": {
"lastModified": 1752160973, "lastModified": 1754250993,
"narHash": "sha256-BCC8KB7TEtwv7vZN1WDu870tRbXtzUcmF9xNr6ws5Wc=", "narHash": "sha256-MEin+qoQKtFC1b0f4tnQ+Z82BQWSCgh6Ef7rpmH9gig=",
"owner": "zhaofengli", "owner": "zhaofengli",
"repo": "nix-homebrew", "repo": "nix-homebrew",
"rev": "69c1aa2f136f3c3326d9b6770e0eb54f12832971", "rev": "314d057294e79bc2596972126b84c6f9f144499a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -251,11 +251,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1749195551, "lastModified": 1754564048,
"narHash": "sha256-W5GKQHgunda/OP9sbKENBZhMBDNu2QahoIPwnsF6CeM=", "narHash": "sha256-dz303vGuzWjzOPOaYkS9xSW+B93PSAJxvBd6CambXVA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "4602f7e1d3f197b3cb540d5accf5669121629628", "rev": "26ed7a0d4b8741fe1ef1ee6fa64453ca056ce113",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -267,16 +267,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1745391562, "lastModified": 1754028485,
"narHash": "sha256-sPwcCYuiEopaafePqlG826tBhctuJsLx/mhKKM5Fmjo=", "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8a2f738d9d1f1d986b5a4cd2fd2061a7127237d7", "rev": "59e69648d345d6e8fef86158c555730fa12af9de",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-unstable", "ref": "nixos-25.05",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -299,11 +299,11 @@
}, },
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1750259320, "lastModified": 1754689972,
"narHash": "sha256-H8J4H2XCIMEJ5g6fZ179QfQvsc2dUqhqfBjC8RAHNRY=", "narHash": "sha256-eogqv6FqZXHgqrbZzHnq43GalnRbLTkbBbFtEfm1RSc=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9ba04bda9249d5d5e5238303c9755de5a49a79c5", "rev": "fc756aa6f5d3e2e5666efcf865d190701fef150a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -347,11 +347,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1749285348, "lastModified": 1754498491,
"narHash": "sha256-frdhQvPbmDYaScPFiCnfdh3B/Vh81Uuoo0w5TkWmmjU=", "narHash": "sha256-erbiH2agUTD0Z30xcVSFcDHzkRvkRXOQ3lb887bcVrs=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "3e3afe5174c561dee0df6f2c2b2236990146329f", "rev": "c2ae88e026f9525daf89587f3cbee584b92b6134",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -363,11 +363,11 @@
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1727348695, "lastModified": 1752480373,
"narHash": "sha256-J+PeFKSDV+pHL7ukkfpVzCOO7mBSrrpJ3svwBFABbhI=", "narHash": "sha256-JHQbm+OcGp32wAsXTE/FLYGNpb+4GLi5oTvCxwSoBOA=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "1925c603f17fc89f4c8f6bf6f631a802ad85d784", "rev": "62e0f05ede1da0d54515d4ea8ce9c733f12d9f08",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -411,11 +411,11 @@
"nixpkgs": "nixpkgs_5" "nixpkgs": "nixpkgs_5"
}, },
"locked": { "locked": {
"lastModified": 1751341208, "lastModified": 1754739276,
"narHash": "sha256-D659vmh5bseh5rB0tH4osXFXimh+QQLBBMKkdMH/DMk=", "narHash": "sha256-HQotJt480NsHIEgkt2ZiuvjGa50sc7cRhhsZXqZIWpU=",
"owner": "0xc000022070", "owner": "0xc000022070",
"repo": "zen-browser-flake", "repo": "zen-browser-flake",
"rev": "97da6393f00eff37d787dcb1447afc65e9b4d57e", "rev": "b5b7136bb6ed82504c3613a7e0cbe6f69b72e7f1",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -12,7 +12,6 @@ in {
imports = [ imports = [
# Include the results of the hardware scan. # Include the results of the hardware scan.
./hardware-configuration.nix ./hardware-configuration.nix
../../modules/nixos/qbittorrent.nix
./secrets.nix ./secrets.nix
]; ];
@ -94,6 +93,16 @@ in {
]; ];
workdir = "/var/lib/pihole/"; workdir = "/var/lib/pihole/";
}; };
containers.homarr = {
image = "ghcr.io/homarr-labs/homarr:v1.34.0";
ports = [
"7575:7575"
];
volumes = [
"/var/lib/homarr/:/appdata"
];
environmentFiles = [config.age.secrets.homarr.path];
};
containers.speedtest-tracker = { containers.speedtest-tracker = {
image = "lscr.io/linuxserver/speedtest-tracker:latest"; image = "lscr.io/linuxserver/speedtest-tracker:latest";
@ -142,6 +151,10 @@ in {
Username = "Spr3eZ"; Username = "Spr3eZ";
Password_PBKDF2 = "@ByteArray(rSRSjyLjKHX4KeDHgtx8qA==:EdZC27+FdG0aFtqVtEsiuqQAA6NROdBRXVSySD6ktgBY7k9ORrq8Kgo2uIkXvAWssmMIFb+C3RZS2PMWAt/Ihw==)"; Password_PBKDF2 = "@ByteArray(rSRSjyLjKHX4KeDHgtx8qA==:EdZC27+FdG0aFtqVtEsiuqQAA6NROdBRXVSySD6ktgBY7k9ORrq8Kgo2uIkXvAWssmMIFb+C3RZS2PMWAt/Ihw==)";
}; };
Scheduler = {
end_time = ''@Variant(\0\0\0\xf\0\x36\xee\x80)'';
start_time = ''@Variant(\0\0\0\xf\x1\xb7t\0)'';
};
}; };
AutoRun = { AutoRun = {
OnTorrentAdded.Enabled = true; OnTorrentAdded.Enabled = true;
@ -152,8 +165,8 @@ in {
BitTorrent = { BitTorrent = {
Session.AddTorrentStopped = false; Session.AddTorrentStopped = false;
Session.AlternativeGlobalDLSpeedLimit = 100000; Session.AlternativeGlobalDLSpeedLimit = 204800;
Session.AlternativeGlobalUPSpeedLimit = 1000; Session.AlternativeGlobalUPSpeedLimit = 10240;
Session.BandwidthSchedulerEnabled = true; Session.BandwidthSchedulerEnabled = true;
Session.ExcludedFileNames = ""; Session.ExcludedFileNames = "";
Session.QueueingSystemEnabled = false; Session.QueueingSystemEnabled = false;
@ -228,6 +241,10 @@ in {
reverse_proxy :5055 reverse_proxy :5055
tls internal tls internal
''; '';
virtualHosts."homarr.saberofxebec".extraConfig = ''
reverse_proxy :7575
tls internal
'';
virtualHosts."pihole.saberofxebec".extraConfig = '' virtualHosts."pihole.saberofxebec".extraConfig = ''
reverse_proxy :12345 reverse_proxy :12345
tls internal tls internal
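Review bot: The new `containers.homarr` block publishes `"7575:7575"`, which binds the dashboard's plain-HTTP port on every host interface even though the `homarr.saberofxebec` vhost added further down already fronts it with `reverse_proxy :7575` and `tls internal`. Caddy reaches the container over loopback, so the publish can be narrowed to `"127.0.0.1:7575:7575"`, leaving the TLS vhost as the only way in. Ports published by the container runtime may not pass through the NixOS firewall rules (this depends on the backend, which is not visible here), so the host firewall should not be assumed to cover it. The image is pinned to the tag `v1.34.0`, unlike the `:latest` on the neighbouring speedtest-tracker container; appending the image digest would additionally protect against a re-pushed tag. The enclosing container set and the Caddy block both start outside the hunks shown.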


@ -4,4 +4,9 @@
owner = "root"; owner = "root";
group = "root"; group = "root";
}; };
age.secrets.homarr = {
file = ../../secrets/homarr.age;
owner = "root";
group = "root";
};
} }


@ -1,226 +0,0 @@
# NOTE:
# This file is 1:1 stolen from the latest update of this nixpkgs pull request:
# https://github.com/NixOS/nixpkgs/pull/287923
# If that at any point gets merged I would much rather just use that.
{
config,
pkgs,
lib,
utils,
...
}: let
cfg = config.services.qbittorrent;
inherit (builtins) concatStringsSep isAttrs isString;
inherit
(lib)
literalExpression
getExe
mkEnableOption
mkOption
mkPackageOption
mkIf
maintainers
escape
collect
mapAttrsRecursive
;
inherit
(lib.types)
str
port
path
nullOr
listOf
attrsOf
anything
submodule
;
inherit (lib.generators) toINI mkKeyValueDefault mkValueStringDefault;
gendeepINI = toINI {
mkKeyValue = let
sep = "=";
in
k: v:
if isAttrs v
then
concatStringsSep "\n" (
collect isString (
mapAttrsRecursive (
path: value: "${escape [sep] (concatStringsSep "\\" ([k] ++ path))}${sep}${mkValueStringDefault {} value}"
)
v
)
)
else mkKeyValueDefault {} sep k v;
};
configFile = pkgs.writeText "qBittorrent.conf" (gendeepINI cfg.serverConfig);
in {
options.services.qbittorrent = {
enable = mkEnableOption "qbittorrent, BitTorrent client";
package = mkPackageOption pkgs "qbittorrent-nox" {};
user = mkOption {
type = str;
default = "qbittorrent";
description = "User account under which qbittorrent runs.";
};
group = mkOption {
type = str;
default = "qbittorrent";
description = "Group under which qbittorrent runs.";
};
profileDir = mkOption {
type = path;
default = "/var/lib/qBittorrent/";
description = "the path passed to qbittorrent via --profile.";
};
openFirewall = mkEnableOption "opening both the webuiPort and torrentPort over TCP in the firewall";
webuiPort = mkOption {
default = 8080;
type = nullOr port;
description = "the port passed to qbittorrent via `--webui-port`";
};
torrentingPort = mkOption {
default = null;
type = nullOr port;
description = "the port passed to qbittorrent via `--torrenting-port`";
};
serverConfig = mkOption {
type = submodule {
freeformType = attrsOf (attrsOf anything);
options.Preferences.WebUI.UseUPnP = mkEnableOption "UPnP for access to the qbittorrent WebUI";
};
description = ''
Free-form settings mapped to the `qBittorrent.conf` file in the profile.
Refer to [Explanation-of-Options-in-qBittorrent](https://github.com/qbittorrent/qBittorrent/wiki/Explanation-of-Options-in-qBittorrent)
the Password_PBKDF2 format is oddly unique, you will likely want to use [this tool](https://codeberg.org/feathecutie/qbittorrent_password) to generate the format.
alternatively you can run qBittorrent independently first and use its webUI to generate the format.
'';
example = literalExpression ''
{
LegalNotice.Accepted = true;
Preferences = {
WebUI = {
Username = "user";
Password_PBKDF2 = "generated ByteArray.";
};
General.Locale = "en";
};
}
'';
};
extraArgs = mkOption {
type = listOf str;
default = [];
description = ''
Extra arguments passed to qbittorrent. See `qbittorrent -h`, or the [source code](https://github.com/qbittorrent/qBittorrent/blob/master/src/app/cmdoptions.cpp), for the available arguments.
'';
example = [
"--confirm-legal-notice"
];
};
};
config = mkIf cfg.enable {
systemd = {
tmpfiles.settings = {
qbittorrent = {
"${cfg.profileDir}/qBittorrent/"."d" = {
mode = "775";
inherit (cfg) user group;
};
"${cfg.profileDir}/qBittorrent/config/"."d" = {
mode = "700";
inherit (cfg) user group;
};
"${cfg.profileDir}/qBittorrent/config/qBittorrent.conf"."L+" = lib.mkIf (cfg.serverConfig != null) {
mode = "1400";
inherit (cfg) user group;
argument = "${configFile}";
};
};
};
services.qbittorrent = {
description = "qbittorrent BitTorrent client";
wants = ["network-online.target"];
after = [
"local-fs.target"
"network-online.target"
"nss-lookup.target"
];
wantedBy = ["multi-user.target"];
restartTriggers = lib.optional (cfg.serverConfig != null) configFile;
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
ExecStart = utils.escapeSystemdExecArgs (
[
(getExe cfg.package)
"--profile=${cfg.profileDir}"
]
++ lib.optional (cfg.webuiPort != null) "--webui-port=${toString cfg.webuiPort}"
++ lib.optional (cfg.torrentingPort != null) "--torrenting-port=${toString cfg.torrentingPort}"
++ cfg.extraArgs
);
TimeoutStopSec = 1800;
# https://github.com/qbittorrent/qBittorrent/pull/6806#discussion_r121478661
PrivateTmp = false;
PrivateNetwork = false;
RemoveIPC = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateUsers = true;
ProtectHome = "yes";
ProtectProc = "invisible";
ProcSubset = "pid";
ProtectSystem = "full";
ProtectClock = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_NETLINK"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
LockPersonality = true;
MemoryDenyWriteExecute = true;
SystemCallArchitectures = "native";
CapabilityBoundingSet = "";
SystemCallFilter = ["@system-service"];
};
};
};
users = {
users = mkIf (cfg.user == "qbittorrent") {
qbittorrent = {
inherit (cfg) group;
isSystemUser = true;
};
};
groups = mkIf (cfg.group == "qbittorrent") {qbittorrent = {};};
};
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall (
lib.optional (cfg.webuiPort != null) cfg.webuiPort
++ lib.optional (cfg.torrentingPort != null) cfg.torrentingPort
);
};
meta.maintainers = with maintainers; [fsnkty];
}

17
secrets/homarr.age Normal file

@ -0,0 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 eXAfqw dpl0Wpy5veeULIzJFHCGmZTnl4iB/2tsbnyM2XZ7KWo
s5m5l8noX3zlIbEevz0+hJvVtMru/TVxrHT2XJ4m9wQ
-> ssh-rsa LgF3EQ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--- alnSDMRGCOSQ/YO9Q6iNitTzMNNZ2jtDZIeXsYI1mY4
Y1.;À’Ý÷6·u•Pnã>š•;Ù<>³µ<²2œº©  tÅÉ>ÁÒ³ôLêq²<71>ŒJ †·¤À
Š<EFBFBD>S25Cy_²ªQ8A—åz@&ZvÀ]¶®Äo<˜´ ˆt¼²¸¥<C2B8>HÏXß“<13>à
.enžÙ


@ -9,6 +9,7 @@ in {
"nextcloud-tprechtl.age".publicKeys = [hitsugibune key]; "nextcloud-tprechtl.age".publicKeys = [hitsugibune key];
"onlyoffice.age".publicKeys = [hitsugibune key]; "onlyoffice.age".publicKeys = [hitsugibune key];
"speedtest-tracker.age".publicKeys = [saberofxebec key]; "speedtest-tracker.age".publicKeys = [saberofxebec key];
"homarr.age".publicKeys = [saberofxebec key];
"matrix.age".publicKeys = [hitsugibune key]; "matrix.age".publicKeys = [hitsugibune key];
"mautrix-signal.age".publicKeys = [hitsugibune key]; "mautrix-signal.age".publicKeys = [hitsugibune key];
"mautrix-whatsapp.age".publicKeys = [hitsugibune key]; "mautrix-whatsapp.age".publicKeys = [hitsugibune key];