refactor: hjemify foot & keepassxc

flake.lock

@@ -156,6 +156,49 @@
         "type": "github"
       }
     },
+    "hjem": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1737619027,
+        "narHash": "sha256-jEzZs9dHdmVP5X9HCC/7jrv08aWFfqZV5cZ+cZWYGA4=",
+        "owner": "feel-co",
+        "repo": "hjem",
+        "rev": "48cfa21987672a31a358b7e4d582fc174556e633",
+        "type": "github"
+      },
+      "original": {
+        "owner": "feel-co",
+        "repo": "hjem",
+        "type": "github"
+      }
+    },
+    "hjem-rum": {
+      "inputs": {
+        "hjem": [
+          "hjem"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1738790283,
+        "narHash": "sha256-SKz3KfmK7iupR+Ef022pQQZccxXlm/2w5HxpSv+PAGE=",
+        "owner": "nydragon",
+        "repo": "hjem-rum",
+        "rev": "ac4bf585731b813ad37cb3822ad44b1e3bb16a7e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nydragon",
+        "repo": "hjem-rum",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -282,11 +325,11 @@
         "quickshell": "quickshell"
       },
       "locked": {
-        "lastModified": 1739197721,
-        "narHash": "sha256-+EYoZfeHycIH52SJMEkGtmsTddXa8dW06aDJCVg+lcI=",
+        "lastModified": 1739209080,
+        "narHash": "sha256-s1SVaFQ7GSJalxIhVN7aDS7rMcMJ1AUQfjRMYho5yuM=",
         "ref": "refs/heads/main",
-        "rev": "603e1c09b39ee57f6ea94f45b117360736816358",
-        "revCount": 106,
+        "rev": "2ca83819872d82fa0ee8dbfccfbfcf3480c279f1",
+        "revCount": 107,
         "type": "git",
         "url": "https://git.ccnlc.eu/nydragon/nysh.git"
       },
@@ -340,6 +383,8 @@
         "agenix": "agenix",
         "disko": "disko",
         "flake-parts": "flake-parts",
+        "hjem": "hjem",
+        "hjem-rum": "hjem-rum",
         "home-manager": "home-manager",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs_2",

flake.nix

@@ -35,6 +35,16 @@
       url = "git+https://git.ccnlc.eu/nydragon/nur.git";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    hjem = {
+      url = "github:feel-co/hjem";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    hjem-rum = {
+      url = "github:nydragon/hjem-rum";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.hjem.follows = "hjem";
+    };
   };
 
   outputs =

home/default.nix

@@ -7,7 +7,6 @@
     ./hyprland
     ./hyprlock
     ./services
-    ./foot.nix
     ./rofi
     ./sway
     ./waybar

home/graphical/default.nix

@@ -6,7 +6,6 @@
     ./fuzzel.nix
     ./gammastep.nix # default because I need to protect my peepers
     ./swww.nix
-    ./keepassxc.nix
     ./swayidle.nix
     ./swaylock.nix
   ];

home/terminal/default.nix

@@ -5,7 +5,6 @@
     ./git
     ./fish
     ./btop.nix
-    ./hyfetch.nix
     ./beets.nix
   ];
 }

home/terminal/hyfetch.nix

@@ -1,15 +0,0 @@
-{
-  programs.fastfetch.enable = true;
-  programs.hyfetch = {
-    enable = true;
-    settings = {
-      mode = "rgb"; # dunno the other value :sob:
-      lightness = 0.7; # u may change this
-      distro = "nixos";
-      preset = "pansexual"; # sexuality
-      light_dark = "dark"; # u not crazy are u
-      backend = "fastfetch";
-      color_align.mode = "horizontal"; # looks better
-    };
-  };
-}

hosts/brontes/default.nix

@@ -12,6 +12,7 @@ in
   imports = [
     ./hardware-configuration.nix
     ./home.nix
+    ../../users/ny
   ];
 
   boot.loader = {
@@ -37,6 +38,7 @@ in
   modules = {
     system = {
       roles.desktop.enable = true;
+      roles.gaming.enable = true;
 
       outputs = {
         "DP-2" = {

hosts/default.nix

@@ -25,7 +25,11 @@ in
       inherit username;
       hostname = "brontes";
       system = "x86_64-linux";
-      extraModules = [ inputs.agenix.nixosModules.default ];
+      extraModules = [
+        inputs.agenix.nixosModules.default
+        inputs.hjem.nixosModules.default
+        inputs.hjem-rum.nixosModules.default
+      ];
     })
 
     (mkSystem' {

hosts/raptus/headscale/acls.nix

@@ -53,7 +53,7 @@ in
             "tag:server"
             "tag:client"
           ]
-          [ "ny" ]
+          [ "ny" "deck" ]
         ) # client -> {client, server}
       ];
 

hosts/shan/default.nix

@@ -1,6 +1,7 @@
 {
   modulesPath,
   pubkeys,
+  config,
   ...
 }:
 {
@@ -35,12 +36,8 @@
     container = {
       kitchenowl = {
         enable = true;
-        openFirewall = true;
         version = "v0.6.4";
       };
-      nginxproxymanager = {
-        enable = true;
-      };
     };
 
     server = {
@@ -131,6 +128,56 @@
       };
     };
   };
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "contact@ccnlc.eu";
+      dnsProvider = "ovh";
+      environmentFile = "/run/secrets/ovh";
+    };
+
+    certs."ccnlc.eu" = {
+      group = "nginx";
+      extraDomainNames = [ "*.ccnlc.eu" ];
+    };
+  };
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    clientMaxBodySize = "100M";
+    virtualHosts =
+      let
+        mkVHLocal = mkVH "http://localhost";
+        mkVH = domain: port: {
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "${domain}:${toString port}";
+            extraConfig = ''
+              proxy_ssl_server_name on;
+              proxy_pass_header Authorization;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection $http_connection;
+              proxy_http_version 1.1;
+            '';
+          };
+          useACMEHost = "ccnlc.eu";
+        };
+      in
+      {
+        "octoprint.ccnlc.eu" = mkVHLocal config.services.octoprint.port;
+        "immich.ccnlc.eu" = mkVHLocal config.services.immich.port;
+        "jellyfin.ccnlc.eu" = mkVHLocal 8096;
+        "ntfy.ccnlc.eu" = mkVHLocal 9393;
+        "dav.ccnlc.eu" = mkVHLocal 5232;
+        "assistant.ccnlc.eu" = mkVHLocal config.services.home-assistant.config.http.server_port;
+        "kitchenowl.ccnlc.eu" = mkVHLocal config.modules.container.kitchenowl.port;
+        "navidrome.ccnlc.eu" = mkVHLocal config.services.navidrome.settings.Port;
+        "paperless.ccnlc.eu" = mkVHLocal config.modules.server.paperless.port;
+        "fritz.ccnlc.eu" = mkVH "http://192.168.178.1" 80;
+        "truenas.ccnlc.eu" = mkVH "https://192.168.178.21" 443;
+      };
+  };
 
   services = {
     openssh = {
@@ -141,23 +188,15 @@
       };
     };
 
-    jellyfin = {
-      enable = true;
-      openFirewall = true;
-    };
-
-    immich = {
-      enable = true;
-      openFirewall = true;
-      host = "0.0.0.0";
-    };
+    jellyfin.enable = true;
+    immich.enable = true;
 
     radicale = {
       enable = true;
       # Documentation at <https://radicale.org/v3.html#configuration>
       settings = {
         server = {
-          hosts = [ "0.0.0.0:5232" ];
+          hosts = [ "127.0.0.1:5232" ];
         };
         auth = {
           type = "htpasswd";
@@ -178,7 +217,7 @@
         in
         {
           base-url = "https://ntfy.ccnlc.eu";
-          listen-http = "0.0.0.0:9393";
+          listen-http = "127.0.0.1:9393";
           auth-default-access = "deny-all";
           behind-proxy = true;
           attachment-cache-dir = "${root}/attachments";
@@ -189,7 +228,6 @@
 
     octoprint = {
       enable = true;
-      openFirewall = true;
       port = 5000;
     };
 
@@ -225,8 +263,8 @@
   };
 
   networking.firewall.allowedTCPPorts = [
-    5232
-    9393
+    443
+    80
   ];
 
   fileSystems = {

options/container/kitchenowl/default.nix

@@ -77,7 +77,7 @@ in
         ExecStop = "podman network rm -f kitchenowl_default";
       };
       script = ''
-        podman network inspect kitchenowl_default || podman network create kitchenowl_default
+        podman network inspect kitchenowl_default || podman network create kitchenowl_default --disable-dns
       '';
       partOf = [ "podman-compose-kitchenowl-root.target" ];
       wantedBy = [ "podman-compose-kitchenowl-root.target" ];

options/container/nginxproxymanager.nix

@@ -84,7 +84,7 @@ in
             ExecStop = "podman network rm -f nginx_default";
           };
           script = ''
-            podman network inspect nginx_default || podman network create nginx_default
+            podman network inspect nginx_default || podman network create nginx_default --disable-dns
           '';
           partOf = [ "podman-compose-nginx-root.target" ];
           wantedBy = [ "podman-compose-nginx-root.target" ];

users/default.nix

@@ -0,0 +1 @@
+{ imports = [ ./ny ]; }

users/ny/default.nix

@@ -0,0 +1,9 @@
+{
+  hjem = {
+    users.ny = {
+      enable = true;
+      imports = [ ./programs ];
+    };
+    clobberByDefault = true;
+  };
+}

users/ny/programs/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./foot.nix
+    ./keepassxc.nix
+  ];
+}

users/ny/programs/foot.nix

@@ -1,5 +1,5 @@
 {
-  programs.foot = {
+  rum.programs.foot = {
     enable = true;
     settings = {
       main = {

users/ny/programs/keepassxc.nix

@@ -1,12 +1,7 @@
-{ pkgs, ... }:
-let
-  ini = pkgs.formats.ini { };
-in
 {
-  home.file."keepassxc" = {
+  rum.programs.keepassxc = {
     enable = true;
-
-    source = ini.generate "keepassxc.ini" {
+    settings = {
       General = {
         BackupBeforeSave = true;
         ConfigVersion = 2;
@@ -24,7 +19,5 @@ in
         TrayIconAppearance = "colorful";
       };
     };
-
-    target = ".config/keepassxc/keepassxc.ini";
   };
 }