Compare commits


49 commits

s0me1newithhand7s
a65cbaee81 kyra(hardening): removing useless groups
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
76ef25bb08 kyra(hardening): "locking" root
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
a04279affe kyra(hardening): step-ca service secrets management
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
8894fdb401 kyra(hardening): networkd fixes
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
4d6c618cbc kyra(hardening): resolved is now using hickory selfhosted
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
d5917b3304 kyra(hardening): qemuGuest turned off
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
2dedd6fbc5 kyra(hardening): openssh ???
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
26237ba6ef kyra(NOT hardening): alloy -> opentelemetry collector
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
6046ff3995 kyra(hardening): ntps-rs init
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
614e2c804a kyra(hardening): hickory-dns init
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
e81f4f0829 kyra(hardening): firewalld masquerading
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
4b768f6a11 kyra(hardening): step-ca init
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
dd7b0cf681 kyra(hardening): sign-box -> mihomo
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
af900ab6c0 kyra(hardening): traefik is now using consul catalog as provider
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
fb737422c1 kyra(hardening): consul catalog init
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
ab2a010175 kyra(hardening): crowdsec init
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
5ff4f78974 kyra(hardening): f2b -> crowdsec
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
02bdb89a62 kyra(NOT hardening): alloy is going to hell.
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
8c03fdb04a kyra(hardening): sudo -> sudo-rs
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
59647629a8 kyra(hardening): polkit init
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
a8c7b87791 kyra(hardening): per-service acme setup
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
c563897f02 kyra(hardening): nh gc timer init
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
f89c5bf96e kyra(hardening): fuse init
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
434e973355 kyra(hardening): no plain "dns" options
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
3577ca0a6e kyra(hardening): persistence in fileSystems
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:55 +03:00
s0me1newithhand7s
90a01233ee kyra(hardening): making nix less bloated with substituters
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:06:51 +03:00
s0me1newithhand7s
0ae9f9d2f7 kyra(hardening): getting rid of home-manager
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
84c42d92f8 kyra(hardening): getting rid of packages in systemPackages
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
78a98e891e kyra(hardening): Impermanence in "/persist"
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
df80d3a16a kyra(hardening): hardened malloc init
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
0998e016cd kyra(hardening): using nixos-containers for mihomo core
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
d10e04e07c kyra(hardening): tmpfs rootfs init
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
fbe9a78856 kyra(hardening): disko LVM subvolume prepare for Impermanence
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
72def65f54 kyra(hardening): ESP 1G->128M, LUKS2 volume and options hardening
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
14eea58fbb kyra(hardening): tmp hardening
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
6bcb4f2778 kyra(hardening): initrd re-init; systemd, ssh, luks, networkd in initrd
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
99f0086358 kyra(hardening): kernel hardening (kernel, params, modules, sysctls)
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
ff6458ec57 kyra(hardening): now using limine as boot loader
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
s0me1newithhand7s
92809fec65 kyra(hardening): initrd/ deleted
Signed-off-by: s0me1newithhand7s <git+me@hand7s.org>
2026-05-03 16:05:49 +03:00
hand7s
ebcb4dd7a6
Merge pull request #57 from ArisoN-ext/yazi-ouch-fix
yazi: fix ouch unpack
2026-04-06 12:40:01 +03:00
hand7s
0a31a71f92
Merge pull request #54 from s0me1newithhand7s/update_flake_lock_action
Update `flake.lock` GitHub Action
2026-04-06 12:39:06 +03:00
github-actions[bot]
20323fc916 flake.lock: Update
Flake lock file updates:

• Updated input 'ayugram-desktop':
    'github:ndfined-crp/ayugram-desktop/a70db0d' (2026-03-26)
  → 'github:ndfined-crp/ayugram-desktop/bcae077' (2026-04-05)
• Updated input 'ayugram-desktop/flake-parts':
    'github:hercules-ci/flake-parts/f20dc5d' (2026-03-01)
  → 'github:hercules-ci/flake-parts/3107b77' (2026-04-01)
• Updated input 'ayugram-desktop/flake-parts/nixpkgs-lib':
    'github:nix-community/nixpkgs.lib/c185c7a' (2026-03-01)
  → 'github:nix-community/nixpkgs.lib/333c4e0' (2026-03-29)
• Updated input 'ayugram-desktop/git-hooks':
    'github:cachix/git-hooks.nix/f799ae9' (2026-03-21)
  → 'github:cachix/git-hooks.nix/4e0eb04' (2026-04-01)
• Updated input 'ayugram-desktop/nixpkgs':
    'github:nixos/nixpkgs/b40629e' (2026-03-18)
  → 'github:nixos/nixpkgs/6201e20' (2026-04-01)
• Updated input 'devenv':
    'github:cachix/devenv/be753ad' (2026-03-29)
  → 'github:cachix/devenv/f30a244' (2026-04-04)
• Updated input 'devenv/crate2nix':
    'github:nix-community/crate2nix/e697d30' (2026-03-13)
  → 'github:rossng/crate2nix/ba5dd39' (2026-02-27)
• Updated input 'fenix':
    'github:nix-community/fenix/e0f5153' (2026-03-28)
  → 'github:nix-community/fenix/2214684' (2026-04-05)
• Updated input 'fenix/nixpkgs':
    'github:nixos/nixpkgs/46db2e0' (2026-03-24)
  → 'github:nixos/nixpkgs/6201e20' (2026-04-01)
• Updated input 'fenix/rust-analyzer-src':
    'github:rust-lang/rust-analyzer/443ddcd' (2026-03-27)
  → 'github:rust-lang/rust-analyzer/f4b77dc' (2026-04-03)
• Updated input 'flake-parts':
    'github:hercules-ci/flake-parts/f20dc5d' (2026-03-01)
  → 'github:hercules-ci/flake-parts/3107b77' (2026-04-01)
• Updated input 'flake-parts/nixpkgs-lib':
    'github:nix-community/nixpkgs.lib/c185c7a' (2026-03-01)
  → 'github:nix-community/nixpkgs.lib/333c4e0' (2026-03-29)
• Updated input 'freesm':
    'github:freesmteam/freesmlauncher/657f100' (2026-03-27)
  → 'github:freesmteam/freesmlauncher/ff52d69' (2026-03-29)
• Updated input 'freesm/nixpkgs':
    'github:NixOS/nixpkgs/b40629e' (2026-03-18)
  → 'github:NixOS/nixpkgs/46db2e0' (2026-03-24)
• Updated input 'git-hooks-nix':
    'github:cachix/git-hooks.nix/f799ae9' (2026-03-21)
  → 'github:cachix/git-hooks.nix/4e0eb04' (2026-04-01)
• Updated input 'home-manager':
    'github:nix-community/home-manager/769e07e' (2026-03-28)
  → 'github:nix-community/home-manager/7e7269a' (2026-04-05)
• Updated input 'homebrew-cask':
    'github:homebrew/homebrew-cask/e55cfa9' (2026-03-29)
  → 'github:homebrew/homebrew-cask/ee0aa69' (2026-04-06)
• Updated input 'homebrew-core':
    'github:homebrew/homebrew-core/4fb743f' (2026-03-29)
  → 'github:homebrew/homebrew-core/1aa7031' (2026-04-06)
• Updated input 'hyprland':
    'github:hyprwm/Hyprland/38a7f03' (2026-03-28)
  → 'github:hyprwm/Hyprland/aaa2fc3' (2026-04-05)
• Updated input 'nix-bwrapper':
    'github:Naxdy/nix-bwrapper/49749a1' (2026-02-26)
  → 'github:Naxdy/nix-bwrapper/024f91d' (2026-03-29)
• Updated input 'nix-bwrapper/nixpkgs':
    'github:nixos/nixpkgs/00c21e4' (2026-02-04)
  → 'github:nixos/nixpkgs/46db2e0' (2026-03-24)
• Updated input 'nix-bwrapper/nuschtosSearch/nixpkgs':
    'github:NixOS/nixpkgs/3497aa5' (2026-01-08)
  → follows 'nix-bwrapper/nixpkgs'
• Updated input 'nix-bwrapper/treefmt-nix':
    'github:numtide/treefmt-nix/337a4fe' (2026-02-04)
  → 'github:numtide/treefmt-nix/71b125c' (2026-03-12)
• Updated input 'nix-bwrapper/treefmt-nix/nixpkgs':
    'github:nixos/nixpkgs/4533d92' (2026-02-03)
  → follows 'nix-bwrapper/nixpkgs'
• Updated input 'nix-cachyos-kernel':
    'github:xddxdd/nix-cachyos-kernel/c137ed3' (2026-03-24)
  → 'github:xddxdd/nix-cachyos-kernel/beaf7a5' (2026-04-03)
• Updated input 'nix-cachyos-kernel/cachyos-kernel':
    'github:CachyOS/linux-cachyos/0bf8e79' (2026-03-24)
  → 'github:CachyOS/linux-cachyos/b91624f' (2026-04-02)
• Updated input 'nix-cachyos-kernel/cachyos-kernel-patches':
    'github:CachyOS/kernel-patches/a4e26fa' (2026-03-20)
  → 'github:CachyOS/kernel-patches/c1ba300' (2026-04-02)
• Updated input 'nix-cachyos-kernel/flake-parts':
    'github:hercules-ci/flake-parts/f20dc5d' (2026-03-01)
  → 'github:hercules-ci/flake-parts/3107b77' (2026-04-01)
• Updated input 'nix-cachyos-kernel/flake-parts/nixpkgs-lib':
    'github:nix-community/nixpkgs.lib/c185c7a' (2026-03-01)
  → 'github:nix-community/nixpkgs.lib/333c4e0' (2026-03-29)
• Updated input 'nix-cachyos-kernel/nixpkgs':
    'github:NixOS/nixpkgs/b0d3faa' (2026-03-24)
  → 'github:NixOS/nixpkgs/0eac666' (2026-04-03)
• Updated input 'nix-darwin':
    'github:LnL7/nix-darwin/da529ac' (2026-03-08)
  → 'github:LnL7/nix-darwin/06648f4' (2026-04-01)
• Updated input 'nix-index-database':
    'github:nix-community/nix-index-database/55b5887' (2026-03-22)
  → 'github:nix-community/nix-index-database/cef5cf8' (2026-04-05)
• Updated input 'nixos-cli':
    'github:nix-community/nixos-cli/23e7540' (2026-03-25)
  → 'github:nix-community/nixos-cli/6947532' (2026-04-05)
• Updated input 'nixos-cli/nixpkgs':
    'github:NixOS/nixpkgs/608d0ca' (2026-03-08)
  → 'github:NixOS/nixpkgs/15c6719' (2026-03-30)
• Updated input 'nixos-cli/optnix':
    'github:water-sucks/optnix/e3a8a63' (2026-02-02)
  → 'github:water-sucks/optnix/853323e' (2026-03-26)
• Updated input 'nixos-wsl':
    'github:nix-community/nixos-wsl/fd0eae9' (2026-03-19)
  → 'github:nix-community/nixos-wsl/d97e078' (2026-03-31)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/46db2e0' (2026-03-24)
  → 'github:nixos/nixpkgs/6201e20' (2026-04-01)
• Updated input 'noctalia':
    'github:noctalia-dev/noctalia-shell/3b9e93a' (2026-03-29)
  → 'github:noctalia-dev/noctalia-shell/ef147f2' (2026-04-06)
• Updated input 'noctalia/noctalia-qs':
    'github:noctalia-dev/noctalia-qs/8e216ba' (2026-03-28)
  → 'github:noctalia-dev/noctalia-qs/736ceb6' (2026-04-05)
• Updated input 'noctalia/noctalia-qs/treefmt-nix':
    'github:numtide/treefmt-nix/3710e0e' (2026-03-04)
  → 'github:numtide/treefmt-nix/7592596' (2026-04-02)
• Updated input 'quickshell':
    'git+https://git.outfoxxed.me/quickshell/quickshell?ref=refs/heads/master&rev=08058326f04e9b5e55c903b3702405a8d3556ac6' (2026-03-25)
  → 'git+https://git.outfoxxed.me/quickshell/quickshell?ref=refs/heads/master&rev=ad5fd9116e25bc502468f4dfa884ee027887c51c' (2026-04-04)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/614e256' (2026-03-23)
  → 'github:Mic92/sops-nix/a4ee2de' (2026-04-05)
• Updated input 'sops-nix/nixpkgs':
    'github:NixOS/nixpkgs/9cf7092' (2026-03-18)
  → 'github:NixOS/nixpkgs/8d8c1fa' (2026-04-02)
• Updated input 'spicetify-nix':
    'github:Gerg-L/spicetify-nix/2e2234c' (2026-03-22)
  → 'github:Gerg-L/spicetify-nix/ec8d730' (2026-04-05)
• Updated input 'stylix':
    'github:nix-community/stylix/e31c79f' (2026-03-21)
  → 'github:nix-community/stylix/d27951a' (2026-04-05)
• Updated input 'stylix/firefox-gnome-theme':
    'github:rafaelmardojai/firefox-gnome-theme/f7ffd91' (2025-12-04)
  → 'github:rafaelmardojai/firefox-gnome-theme/1797040' (2026-04-03)
• Updated input 'stylix/flake-parts':
    'github:hercules-ci/flake-parts/250481a' (2026-01-05)
  → 'github:hercules-ci/flake-parts/3107b77' (2026-04-01)
• Updated input 'stylix/gnome-shell':
    'gitlab:GNOME/gnome-shell/ef02db0?host=gitlab.gnome.org' (2026-01-06)
  → 'github:GNOME/gnome-shell/ef02db0' (2026-01-06)
• Updated input 'stylix/nixpkgs':
    'github:NixOS/nixpkgs/5912c17' (2026-01-07)
  → 'github:NixOS/nixpkgs/6201e20' (2026-04-01)
• Updated input 'stylix/nur':
    'github:nix-community/NUR/dead29c' (2026-01-07)
  → 'github:nix-community/NUR/601971b' (2026-04-03)
• Removed input 'stylix/tinted-foot'
• Updated input 'stylix/tinted-schemes':
    'github:tinted-theming/schemes/2800e2b' (2026-01-06)
  → 'github:tinted-theming/schemes/13b5b0c' (2026-03-04)
• Updated input 'stylix/tinted-tmux':
    'github:tinted-theming/tinted-tmux/3c32729' (2026-01-04)
  → 'github:tinted-theming/tinted-tmux/c352967' (2026-03-08)
• Updated input 'stylix/tinted-zed':
    'github:tinted-theming/base16-zed/11abb0b' (2026-01-04)
  → 'github:tinted-theming/base16-zed/b4d3a1b' (2026-03-07)
• Updated input 'system-manager':
    'github:numtide/system-manager/8b78ce2' (2026-03-24)
  → 'github:numtide/system-manager/7dced48' (2026-04-01)
• Updated input 'treefmt-nix':
    'github:numtide/treefmt-nix/71b125c' (2026-03-12)
  → 'github:numtide/treefmt-nix/7592596' (2026-04-02)
2026-04-06 01:46:28 +00:00
ArisoN
79300c3bbf yazi: fix ouch unpack 2026-04-05 21:20:50 +03:00
hand7s
fbd7d0bdd7
Merge pull request #56 from ArisoN-ext/sudo-rs
Hide typed password due to default changes in sudo-rs
2026-04-01 13:00:44 +03:00
ArisoN
9bbf52f65f Hide typed password due to default changes in sudo-rs. fb51e41919 2026-04-01 11:15:16 +03:00
hand7s
c5feb93877
Merge pull request #55 from shining-tile-epic/yandex-mirror
Add yandex mirror nixpkgs
2026-03-31 17:24:36 +03:00
ArisoN
68c878a29e Add yandex mirror nixpkgs 2026-03-31 17:21:00 +03:00
hand7s
27379016c9
Merge pull request #53 from s0me1newithhand7s/update_flake_lock_action
Update `flake.lock` GitHub Action
2026-03-29 23:26:13 +03:00
github-actions[bot]
e3f96e68c2 flake.lock: Update
Flake lock file updates:

• Updated input 'agenix-rekey':
    'github:oddlama/agenix-rekey/4b0b511' (2026-03-02)
  → 'github:oddlama/agenix-rekey/8b9c179' (2026-03-26)
• Updated input 'ayugram-desktop':
    'github:ndfined-crp/ayugram-desktop/0d6745f' (2026-03-22)
  → 'github:ndfined-crp/ayugram-desktop/a70db0d' (2026-03-26)
• Updated input 'ayugram-desktop/git-hooks/nixpkgs':
    'github:NixOS/nixpkgs/4747257' (2026-02-02)
  → follows 'ayugram-desktop/nixpkgs'
• Updated input 'devenv':
    'github:cachix/devenv/957d63f' (2026-03-25)
  → 'github:cachix/devenv/be753ad' (2026-03-29)
• Updated input 'fenix':
    'github:nix-community/fenix/b70d753' (2026-03-25)
  → 'github:nix-community/fenix/e0f5153' (2026-03-28)
• Updated input 'fenix/nixpkgs':
    'github:nixos/nixpkgs/6c9a78c' (2026-03-21)
  → 'github:nixos/nixpkgs/46db2e0' (2026-03-24)
• Updated input 'fenix/rust-analyzer-src':
    'github:rust-lang/rust-analyzer/eabb84b' (2026-03-24)
  → 'github:rust-lang/rust-analyzer/443ddcd' (2026-03-27)
• Updated input 'freesm':
    'github:freesmteam/freesmlauncher/e1af355' (2026-03-22)
  → 'github:freesmteam/freesmlauncher/657f100' (2026-03-27)
• Updated input 'freesm/nixpkgs':
    'github:NixOS/nixpkgs/dd9b079' (2026-02-27)
  → 'github:NixOS/nixpkgs/b40629e' (2026-03-18)
• Updated input 'home-manager':
    'github:nix-community/home-manager/1eb0549' (2026-03-24)
  → 'github:nix-community/home-manager/769e07e' (2026-03-28)
• Updated input 'homebrew-cask':
    'github:homebrew/homebrew-cask/1d4adcf' (2026-03-25)
  → 'github:homebrew/homebrew-cask/e55cfa9' (2026-03-29)
• Updated input 'homebrew-core':
    'github:homebrew/homebrew-core/8132040' (2026-03-25)
  → 'github:homebrew/homebrew-core/4fb743f' (2026-03-29)
• Updated input 'hyprland':
    'github:hyprwm/Hyprland/8196711' (2026-03-25)
  → 'github:hyprwm/Hyprland/38a7f03' (2026-03-28)
• Updated input 'nix-cachyos-kernel':
    'github:xddxdd/nix-cachyos-kernel/c0fcdf5' (2026-03-23)
  → 'github:xddxdd/nix-cachyos-kernel/c137ed3' (2026-03-24)
• Updated input 'nix-cachyos-kernel/cachyos-kernel':
    'github:CachyOS/linux-cachyos/1caa0b7' (2026-03-22)
  → 'github:CachyOS/linux-cachyos/0bf8e79' (2026-03-24)
• Updated input 'nix-cachyos-kernel/nixpkgs':
    'github:NixOS/nixpkgs/1116aed' (2026-03-23)
  → 'github:NixOS/nixpkgs/b0d3faa' (2026-03-24)
• Updated input 'nix-homebrew':
    'github:zhaofengli/nix-homebrew/a5409ab' (2026-01-26)
  → 'github:zhaofengli/nix-homebrew/a7760a3' (2026-03-28)
• Updated input 'nix-homebrew/brew-src':
    'github:Homebrew/brew/d01011c' (2026-01-25)
  → 'github:Homebrew/brew/894a3d2' (2026-03-23)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/6c9a78c' (2026-03-21)
  → 'github:nixos/nixpkgs/46db2e0' (2026-03-24)
• Updated input 'noctalia':
    'github:noctalia-dev/noctalia-shell/c960e17' (2026-03-25)
  → 'github:noctalia-dev/noctalia-shell/3b9e93a' (2026-03-29)
• Updated input 'noctalia/noctalia-qs':
    'github:noctalia-dev/noctalia-qs/066835e' (2026-03-24)
  → 'github:noctalia-dev/noctalia-qs/8e216ba' (2026-03-28)
2026-03-29 01:30:58 +00:00
52 changed files with 1702 additions and 1023 deletions


@ -4,6 +4,9 @@ _: {
enable = true;
wheelNeedsPassword = true;
execWheelOnly = true;
extraConfig = ''
Defaults !pwfeedback
'';
};
};
}

649
flake.lock generated



@ -13,6 +13,8 @@ _: {
"https://chaotic-nyx.cachix.org/"
# nix-community
"https://hydra.nix-community.org/"
# yandex mirror
"https://mirror.yandex.ru/nixos/"
];
};
};
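Review bot: The new mirror entry should say why no additional `trusted-public-keys` entry accompanies it, because a reader will otherwise assume the mirror is being trusted on its own. As far as I know mirror.yandex.ru/nixos serves cache.nixos.org's store paths with their original cache.nixos.org-1 signatures, so Nix still verifies every path against the key already configured and will refuse anything the mirror serves unsigned or re-signed; confirm that against the mirror's narinfo before relying on it. Suggest replacing `# yandex mirror` with `# yandex mirror of cache.nixos.org: paths keep their cache.nixos.org-1 signature, no extra trusted key needed`. The enclosing `substituters` attrset starts outside the hunk.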


@ -84,7 +84,7 @@
"exfil" = [
{
run = ''${lib.getExe pkgs.ouch} de "%s"'';
run = ''${lib.getExe pkgs.ouch} d "%s"'';
block = true;
for = "unix";
}


@ -4,6 +4,9 @@ _: {
enable = true;
wheelNeedsPassword = true;
execWheelOnly = true;
extraConfig = ''
Defaults !pwfeedback
'';
};
};
}

228
kyra/boot/initrd.nix Normal file

@ -0,0 +1,228 @@
{
lib,
name,
pkgs,
...
}: {
boot = {
initrd = {
availableKernelModules = [
"virtio_rng"
"virtio_pci"
"virtio_net"
"virtio_scsi"
"virtio_blk"
"sd_mod"
"sr_mod"
"dm_crypt"
];
luks = {
mitigateDMAAttacks = true;
cryptoModules = [
"aesni_intel"
"cryptd"
];
};
systemd = {
enable = true;
emergencyAccess = false;
extraBin = {
"pw" = "${lib.getExe' pkgs.systemd "systemd-tty-ask-password-agent"}";
};
network = {
networks = lib.mkMerge [
(
lib.mkIf (
name == "ivy"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
addresses = [
{
Address = "93.115.203.92/24";
}
{
Address = "2001:67c:263c::8fa/64";
}
];
routes = [
{
Gateway = "93.115.203.1";
}
{
Gateway = "2001:67c:263c::1";
}
];
};
}
)
(
lib.mkIf (
name == "mel"
)
{
"10-eth0" = {
matchConfig = {
Name = "eth0";
};
addresses = [
{
Address = "45.11.229.245/24";
}
{
Address = "2a0e:97c0:3e3:20a::1/64";
}
];
networkConfig = {
IPv6AcceptRA = false;
};
routes = [
{
Gateway = "45.11.229.1";
}
{
Gateway = "fe80::1";
GatewayOnLink = true;
}
];
};
}
)
(
lib.mkIf (
name == "yara"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
addresses = [
{
Address = "138.124.240.75/32";
}
{
Address = "2a0d:d940:1a:1500::2/56";
}
];
networkConfig = {
IPv6AcceptRA = false;
};
routes = [
{
Gateway = "10.0.0.1";
GatewayOnLink = true;
}
{
Gateway = "2a0d:d940:1a:1500::1";
GatewayOnLink = true;
}
];
};
}
)
(
lib.mkIf (
name == "hazel"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
addresses = [
{
Address = "90.156.226.152";
}
{
Address = "2a03:6f01:1:2::cb1e";
}
];
routes = [
{
Gateway = "90.156.226.1";
}
{
Gateway = "2a03:6f01:1:2::1";
GatewayOnLink = true;
}
];
networkConfig = {
IPv6AcceptRA = false;
};
};
}
)
(
lib.mkIf (
name == "lynn"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
addresses = [
{
Address = "138.124.72.244";
}
];
routes = [
{
Gateway = "138.124.72.1";
}
];
};
}
)
];
};
};
network = {
enable = true;
ssh = {
enable = true;
port = 27485;
hostKeys = [
"/etc/ssh/initrd_ssh_host_ed25519_key"
];
};
};
};
};
}
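Review bot: The `hazel` and `lynn` networks give `Address` values without a prefix length (`90.156.226.152`, `2a03:6f01:1:2::cb1e`, `138.124.72.244`), unlike `ivy`, `mel` and `yara`, and their IPv4 routes carry no `GatewayOnLink`; depending on the default prefix networkd applies, the gateway may be treated as off-link and the initrd then has no network for the remote LUKS unlock — write the prefix explicitly, e.g. `Address = "90.156.226.152/24";`, or add `GatewayOnLink = true;` to those routes as `mel` does. Separately, the `ssh` block sets a host key but no `authorizedKeys`; if root's keys are removed elsewhere in this series ("locking root"), the initrd sshd becomes reachable but unusable, and with `emergencyAccess = false` there is no fallback — worth confirming. A comment on the `hostKeys` line that `/etc/ssh/initrd_ssh_host_ed25519_key` is embedded into the unencrypted initrd on the ESP, and must therefore stay distinct from the main host key, would help the next maintainer.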


@ -1,19 +0,0 @@
_: {
boot = {
initrd = {
availableKernelModules = [
"ata_piix"
"uhci_hcd"
"xen_blkfront"
"vmw_pvscsi"
"virtio_net"
"virtio_pci"
"virtio_mmio"
"virtio_blk"
"virtio_scsi"
"9p"
"9pnet_virtio"
];
};
};
}


@ -1,14 +0,0 @@
_: {
boot = {
initrd = {
kernelModules = [
"virtio_balloon"
"virtio_console"
"virtio_rng"
"virtio_gpu"
"nvme"
"kvm-amd"
];
};
};
}


@ -1,11 +1,93 @@
_: {
{self, ...}: {
boot = {
kernelPackages = self.inputs."nix-cachyos-kernel".legacyPackages.x86_64-linux.linuxPackages-cachyos-hardened-lto;
kernelParams = [
"slab_nomerge"
"init_on_alloc=1"
"init_on_free=1"
"page_alloc.shuffle=1"
"oops=panic"
"mitigations=all"
"spectre_v2=on"
"spec_store_bypass_disable=on"
"l1tf=full,force"
"mds=full,force"
"tsx=off"
"tsx_async_abort=full,force"
"kvm.nx_huge_pages=force"
"page_poison=1"
"iommu=force"
"intel_iommu=on"
"amd_iommu=on"
"bpf_jit_enable=0"
];
blacklistedKernelModules = [
"dccp"
"sctp"
"rds"
"tipc"
"hfs"
"hfsplus"
"squashfs"
"jfs"
"minix"
"nilfs2"
"omfs"
"qnx4"
"qnx6"
"sysv"
"ufs"
"zfs"
"ntfs"
"bluetooth"
"btusb"
"uvcvideo"
"joydev"
"pcspkr"
"snd_pcsp"
];
kernel = {
sysctl = {
"net.ipv4.ip_forward" = 1;
"vm.mmap_rnd_bits" = 32;
"vm.mmap_rnd_compat_bits" = 16;
"net.ipv6.conf.all.forwarding" = 1;
"net.ipv4.ip_nonlocal_bind" = 1;
"net.ipv6.ip_nonlocal_bind" = 1;
"net.ipv4.ip_forward" = 1;
"net.ipv4.conf.all.rp_filter" = 1;
"net.ipv4.conf.all.accept_redirects" = 0;
"net.ipv4.conf.all.secure_redirects" = 0;
"net.ipv6.conf.all.accept_redirects" = 0;
"net.ipv4.conf.default.rp_filter" = 1;
"net.ipv4.conf.default.accept_redirects" = 0;
"net.ipv4.conf.default.secure_redirects" = 0;
"net.ipv6.conf.default.accept_redirects" = 0;
"net.ipv4.tcp_rfc1337" = 1;
"net.ipv4.tcp_syncookies" = 1;
"net.core.bpf_jit_harden" = 2;
"dev.tty.ldisc_autoload" = 0;
"kernel.yama.ptrace_scope" = 2;
"kernel.core_pattern" = "|/bin/false";
"kernel.kptr_restrict" = 2;
"kernel.dmesg_restrict" = 1;
"kernel.unprivileged_bpf_disabled" = 1;
"kernel.unprivileged_userns_clone" = 0;
"kernel.perf_event_paranoid" = 3;
"kernel.kstack_override" = 0;
"fs.protected_fifos" = 2;
"fs.protected_regular" = 2;
"fs.protected_hardlinks" = 1;
"fs.protected_symlinks" = 1;
};
};
};
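Review bot: `"net.ipv4.ip_forward" = 1;` appears twice in the `sysctl` attrset (once at the top, once right after `net.ipv6.ip_nonlocal_bind`); Nix rejects duplicate attribute names in a literal attrset, so this file will not evaluate until one of the two lines is deleted. I also do not recognise `kernel.kstack_override` as a sysctl — systemd-sysctl logs an error for keys the kernel does not expose — so confirm it exists on the chosen kernel or drop it. On the `kernelParams` side, `bpf_jit_enable=0` looks like the sysctl `net.core.bpf_jit_enable` written as a bare boot parameter, which the kernel does not interpret; if the intent is to disable the JIT, add `"net.core.bpf_jit_enable" = 0;` next to the existing `net.core.bpf_jit_harden = 2`. `mitigations=all` is not among the values I know the kernel documents (`off`, `auto`, `auto,nosmt`) — verify, since an unrecognised value silently leaves the default. The closing brace of the top-level attrset is not visible in this view.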


@ -1,7 +1,7 @@
_: {
boot = {
loader = {
grub = {
liminie = {
enable = true;
efiSupport = true;
efiInstallAsRemovable = true;
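Review bot: `liminie = {` is not a NixOS option path; the Limine module is declared under `boot.loader.limine`, so evaluation fails with an undefined-option error on this line. Change it to `limine = {`. As far as I recall the limine module also provides `efiSupport` and `efiInstallAsRemovable`, so the settings carried over from the grub block can stay; the closing braces of the loader block are outside the hunk.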


@ -2,6 +2,10 @@ _: {
boot = {
tmp = {
cleanOnBoot = true;
useZram = true;
useTmpfs = true;
tmpfsSize = "50%";
tmpfsHugeMemoryPages = "within_size";
};
};
}

126
kyra/containers/mihomo.nix Normal file

@ -0,0 +1,126 @@
_: {
containers = {
"mihomo" = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.101.1";
localAddress = "192.168.101.2";
bindMounts = {
"acme" = {
isReadOnly = true;
hostPath = "/var/lib/acme/hand7s.org";
mountPoint = "/var/lib/acme/hand7s.org";
};
};
config = {
pkgs,
name,
lib,
...
}: {
services = {
mihomo = {
enable = true;
configFile = (pkgs.formats.yaml {}).generate "config.yaml" {
dns = {
enable = true;
enhanced-mode = "fake-ip";
respect-rules = true;
nameserver = [
"tcp://192.168.101.1:8853"
];
};
sniffer = {
enable = true;
sniff = {
quic = {
ports = [
443
];
};
tls = {
override-destination = true;
ports = [
443
8443
];
};
};
};
rules = [
"IP-CIDR,10.0.0.0/8,DIRECT,no-resolve"
"IP-CIDR,127.0.0.0/8,DIRECT,no-resolve"
"MATCH,direct"
];
experimental = {
udp-base-routing = true;
};
profile = {
store-selected = false;
store-fake-ip = false;
};
listeners = [
{
name = "hy2-in";
type = "hysteria2";
listen = "[::]";
port = 443;
masquerade = "https://hand7s.org";
up = "100 Mbps";
down = "100 Mpbs";
obfs = "salamander";
obfs-password = lib.hashString "md5" "password";
certificate = "/var/lib/acme/hand7s.org/cert.pem";
private-key = "/var/lib/acme/hand7s.org/key.pem";
users = [
"hand7s:"
];
}
{
name = "vless-in";
type = "vless";
listen = "[::]";
port = 8443;
udp = true;
reality-config = {
dest = "192.168.101.1:444";
private-key = lib.hasString "md5" "pkb";
short-id = [
"shortie"
];
server-names = [
"${name}.hand7s.org"
];
};
users = [
{
username = "hand7s";
flow = "xtls-rprx-vision";
uuid = "very-real-uuid-btws";
}
];
}
];
};
};
};
};
};
};
}
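Review bot: Every credential in `listeners` is a literal baked into the generated `config.yaml` — `obfs-password = lib.hashString "md5" "password"`, the reality `private-key`, `short-id = ["shortie"]`, `uuid = "very-real-uuid-btws"` and the hysteria2 user `"hand7s:"` with an empty password — and because `pkgs.formats.yaml` writes that file into the Nix store it is world-readable on the host; this series already renders sops templates for acme, so the same mechanism (a template rendered outside the store and passed as `configFile`) should supply these values instead. `lib.hasString` on the reality `private-key` line is a typo for `lib.hashString` and fails evaluation; beyond that, a reality private key is an X25519 key that must be generated and stored as a secret, not derived from a short string here. `down = "100 Mpbs"` is also misspelt and will likely be rejected when mihomo parses the bandwidth.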


@ -21,7 +21,7 @@
ESP = {
name = "ESP";
size = "1024M";
size = "128M";
type = "EF00";
content = {
type = "filesystem";
@ -29,15 +29,27 @@
mountpoint = "/boot";
mountOptions = [
"umask=0077"
"noexec"
"nosuid"
"nodev"
"ro"
];
};
};
root = {
luks = {
size = "100%";
content = {
type = "lvm_pv";
vg = "pool";
type = "luks";
name = "crypted";
settings = {
allowDiscards = true;
};
content = {
type = "lvm_pv";
vg = "pool";
};
};
};
};
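Review bot: Mounting the ESP with `ro` means the bootloader-install step of a rebuild cannot write new kernels and initrds unless something remounts `/boot` read-write first, and nothing in this compare does so as far as I can see — verify the loader's install hook copes, or drop `ro` and keep `umask=0077`/`noexec`/`nosuid`/`nodev`, which already deny the interesting accesses. With the ESP shrunk from `1024M` to `128M` and a systemd initrd that now carries networkd and sshd, only a few generations will fit before installs start failing, so set the loader's generation limit option to match. `allowDiscards = true` on the LUKS volume is a known trade-off (TRIM reveals which blocks are unused to anyone reading the raw device); a one-line comment recording that this is accepted for SSD longevity would stop the next reader from reverting it.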


@ -1,22 +1,39 @@
{
_: {
disko = {
devices = {
lvm_vg = {
pool = {
"pool" = {
type = "lvm_vg";
lvs = {
root = {
"root" = {
size = "100%FREE";
content = {
type = "btrfs";
mountpoint = "/";
extraArgs = [
"-f"
];
mountOptions = [
"compress=zstd"
];
subvolumes = {
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"compress=zstd"
"noatime"
"nodev"
"nosuid"
];
};
"/persist" = {
mountpoint = "/persist";
mountOptions = [
"compress=zstd"
"noatime"
"nodev"
"nosuid"
];
};
};
};
};
};

18
kyra/disko/nodev.nix Normal file

@ -0,0 +1,18 @@
_: {
disko = {
devices = {
nodev = {
"/" = {
fsType = "tmpfs";
mountOptions = [
"size=1G"
"mode=755"
"nodev"
"nosuid"
"rw"
];
};
};
};
};
}


@ -0,0 +1,7 @@
{pkgs, ...}: {
environment = {
memoryAllocator = {
provider = pkgs.graphene-hardened;
};
};
}


@ -0,0 +1,64 @@
_: {
environment = {
persistence = {
"/persist" = {
enable = true;
hideMounts = true;
directories = [
"/var/log"
"/etc/ssh"
"/var/lib/nixos"
"/var/lib/netbird"
"/var/lib/netbird-wt0"
"/var/lib/firewalld"
{
directory = "/var/lib/traefik";
user = "traefik";
group = "traefik";
mode = "0700";
}
{
directory = "/var/lib/crowdsec";
user = "crowdsec";
group = "crowdsec";
mode = "0750";
}
{
directory = "/var/lib/sing-box";
user = "sing-box";
group = "sing-box";
mode = "0700";
}
{
directory = "/var/lib/step-ca";
user = "step-ca";
group = "step-ca";
mode = "0700";
}
{
directory = "/var/lib/acme";
user = "acme";
group = "acme";
mode = "0751";
}
{
directory = "/var/lib/otel-collector";
user = "otel-collector";
group = "otel-collector";
mode = "0700";
}
];
files = [
"/etc/machine-id"
];
};
};
};
}
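Review bot: `/var/lib/sing-box` (user/group `sing-box`) is still persisted although this same series replaces sing-box with mihomo and moves the acme cert group to `mihomo`; if the `sing-box` user no longer exists, creating that entry with the given owner fails at activation, and if it does exist it is a stale directory worth dropping. Conversely the mihomo container's state under `/var/lib/nixos-containers` is not listed, so it is recreated on every boot of the tmpfs root — fine if intended, but a comment saying so would help. `/var/lib/acme` at `0751` lets any local user traverse into the per-cert directories; that is safe only because those directories and the key files carry their own group-restricted modes, which is worth stating next to the `mode` line.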


@ -1,8 +1,8 @@
{pkgs, ...}: {
environment = {
systemPackages = [
pkgs.helix
pkgs.comma
systemPackages = with pkgs; [
# (lib.hiPrio uutils-coreutils-noprefix)
# unless fix
];
enableAllTerminfo = true;


@ -0,0 +1,7 @@
_: {
fileSystems = {
"/persist" = {
neededForBoot = true;
};
};
}


@ -1,25 +0,0 @@
{self, ...}: {
home-manager = {
users = {
"hand7s" = {
imports = [
"${self}/hand7s/"
self.inputs.spicetify-nix.homeManagerModules.default
self.inputs.hyprland.homeManagerModules.default
self.inputs.chaotic.homeManagerModules.default
self.inputs.sops-nix.homeManagerModules.sops
self.inputs.nix-index-database.homeModules.nix-index
self.inputs.noctalia.homeModules.default
];
};
};
backupFileExtension = "force";
extraSpecialArgs = {
inherit
self
;
};
};
}


@ -1,29 +0,0 @@
_: {
networking = {
nameservers = [
# cf dns
"1.1.1.1"
"1.0.0.1"
"2606:4700:4700::1111"
"2606:4700:4700::1001"
# google dns
"8.8.8.8"
"8.8.4.4"
"2001:4860:4860::8888"
"2001:4860:4860::8844"
# q9 dns
"9.9.9.9"
"149.112.112.112"
"2620:fe::fe"
"2620:fe::9"
# open dns
"208.67.222.222"
"208.67.220.220"
"2620:119:35::35"
"2620:119:53::53"
];
};
}


@ -4,15 +4,6 @@ _: {
substituters = [
# cache.nixos.org
"https://cache.nixos.org"
# cache.garnix.org
"https://cache.garnix.io"
# cachix
"https://nix-community.cachix.org/"
"https://chaotic-nyx.cachix.org/"
"https://hyprland.cachix.org"
"https://chaotic-nyx.cachix.org/"
# nix-community
"https://hydra.nix-community.org/"
];
};
};


@ -4,14 +4,6 @@ _: {
trusted-public-keys = [
# cache.nixos.org
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
# cache.garnix.io
"cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
# cachix.org
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
"ags.cachix.org-1:naAvMrz0CuYqeyGNyLgE010iUiuf/qx6kYrUv3NwAJ8="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"chaotic-nyx.cachix.org-1:HfnXSw4pj95iI/n17rIDy40agHj12WfF+Gqk6SonIT8="
];
};
};

7
kyra/programs/fuse.nix Normal file

@ -0,0 +1,7 @@
_: {
programs = {
fuse = {
userAllowOther = true;
};
};
}
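Review bot: `userAllowOther = true` writes `user_allow_other` to `/etc/fuse.conf`, which lets any unprivileged user's FUSE mount be exposed to other users via `allow_other`; in a hardening series this widens rather than narrows, so the file should record which mount needs it. The usual consumer is the impermanence home-manager module's bindfs mounts, but home-manager is removed in this same compare, so the setting may now be unnecessary — confirm, and either add `# needed by <mount> for allow_other` above the line or set it to `false`.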


@ -2,6 +2,14 @@ _: {
programs = {
nh = {
enable = true;
clean = {
enable = true;
dates = "daily";
extraArgs = [
"-k 2"
"-K 1d"
];
};
};
};
}
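Review bot: `extraArgs` is given as a list of two strings, but as far as I recall `programs.nh.clean.extraArgs` is declared as a single-line string (its example is `--keep 5 --keep-since 3d`), so this fails the option type check at evaluation; even as a list, `"-k 2"` would reach nh as one argv entry rather than a flag plus its value. Suggest `extraArgs = "--keep 2 --keep-since 1d";`. The enclosing `programs.nh` block starts outside the hunk.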


@ -3,14 +3,20 @@
acme = {
acceptTerms = true;
defaults = {
email = "litvinovb0@gmail.com";
email = "me@hand7s.org";
};
certs = {
"hand7s.org" = {
dnsProvider = "cloudflare";
credentialsFile = config.sops.templates."acme.env".path;
group = "sing-box";
environmentFile = config.sops.templates."acme.env".path;
group = "mihomo";
};
"ntp.hand7s.org" = {
dnsProvider = "cloudflare";
environmentFile = config.sops.templates."acme.env".path;
group = "ntpd-rs";
};
};
};
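Review bot: `group = "mihomo"` grants the `hand7s.org` key to the host group, but the consumer is mihomo inside the `mihomo` container, which bind-mounts `/var/lib/acme/hand7s.org` read-only; unless the container shares the host's user database or the `mihomo` gid is pinned to the same value on both sides, the gid inside the container will not match and the key stays unreadable — confirm, and consider a fixed `users.groups.mihomo.gid` in both configurations. A comment on the `group` line naming the container as the consumer would make that dependency visible. The `credentialsFile` → `environmentFile` rename is fine as long as the `acme.env` sops template contains only the DNS provider's environment variables.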

10
kyra/security/polkit.nix Normal file

@ -0,0 +1,10 @@
_: {
security = {
polkit = {
enable = true;
adminIdentities = [
"unix-group:wheel"
];
};
};
}


@ -0,0 +1,9 @@
_: {
security = {
sudo-rs = {
enable = true;
wheelNeedsPassword = true;
execWheelOnly = true;
};
};
}
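Review bot: This sudo-rs block omits the `extraConfig = '' Defaults !pwfeedback ''; ` that the other sudo-rs sections in this compare add alongside the same three options, so the hosts using this file keep password feedback on the terminal while the rest disable it; add the same `extraConfig` here, or move the setting into one shared module, so the hardening is uniform. If the omission is deliberate, a one-line comment saying why would stop the next reader from "fixing" it.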

7
kyra/security/sudo.nix Normal file

@ -0,0 +1,7 @@
{lib, ...}: {
security = {
sudo = {
enable = lib.mkDefault false;
};
};
}


@ -1,99 +0,0 @@
{
config,
pkgs,
...
}: {
services = {
alloy = {
enable = true;
configPath = pkgs.writeText "alloy-config.alloy" ''
loki.source.journal "system" {
max_age = "24h"
forward_to = [loki.process.production.receiver]
labels = {
host = "${config.networking.hostName}",
job = "journalctl",
}
}
loki.process "production" {
forward_to = [loki.write.viola.receiver]
stage.labels {
values = {
unit = "__journal_systemd_unit__",
}
}
stage.label_keep {
values = ["unit"]
}
stage.match {
selector = `{unit=~"(traefik|sing-box|crowdsec|alloy|netbird).*\\.service"}`
action = "drop"
}
}
prometheus.exporter.unix "node" {
enable_collectors = [
"cpu", "diskstats", "filesystem",
"loadavg", "meminfo", "netdev",
"time", "uname",
]
}
prometheus.scrape "node" {
targets = prometheus.exporter.unix.node.targets
forward_to = [prometheus.remote_write.viola.receiver]
scrape_interval = "30s"
job_name = "node"
}
prometheus.scrape "alloy" {
targets = [{"__address__" = "127.0.0.1:12345"}]
forward_to = [prometheus.remote_write.viola.receiver]
job_name = "alloy"
}
loki.write "viola" {
endpoint {
url = "http://100.109.123.164:3100/loki/api/v1/push"
}
}
prometheus.remote_write "viola" {
endpoint {
url = "http://100.109.123.164:9009/api/v1/push"
}
}
otelcol.receiver.otlp "default" {
grpc {
endpoint = "0.0.0.0:4317"
}
http {
endpoint = "0.0.0.0:4318"
}
output {
traces = [otelcol.exporter.otlp.tempo.input]
}
}
otelcol.exporter.otlp "tempo" {
client {
endpoint = "http://100.109.123.164:4317"
tls {
insecure = true
}
}
}
'';
};
};
}

187
kyra/services/consul.nix Normal file

@ -0,0 +1,187 @@
_: {
services = {
consul = {
enable = true;
webUi = false;
interface = {
bind = "nb-wt0";
advertise = "nb-wt0";
};
extraConfig = {
server = false;
retry_join = [
"100.109.123.164"
];
services = [
{
name = "git-svc";
port = 53350;
tags = [
"traefik.enable=true"
"traefik.http.routers.git.rule=Host(`git.hand7s.org`)"
"traefik.http.routers.git.entrypoints=websecure"
];
check = {
http = "http://localhost:3000/api/v1/version";
interval = "10s";
};
}
{
name = "oidc-svc";
port = 8443;
tags = [
"traefik.enable=true"
"traefik.http.routers.oidc.rule=Host(`zitadel.hand7s.org`)"
"traefik.http.routers.oidc.entrypoints=websecure"
];
check = {
http = "http://localhost:3000/api/v1/version";
interval = "10s";
};
}
{
name = "bin-svc";
port = 53352;
tags = [
"traefik.enable=true"
"traefik.http.routers.bin.rule=Host(`bin.hand7s.org`)"
"traefik.http.routers.bin.entrypoints=websecure"
];
check = {
http = "http://localhost:3000/api/v1/version";
interval = "10s";
};
}
{
name = "cicd-svc";
port = 53351;
tags = [
"traefik.enable=true"
"traefik.http.routers.cicd.rule=Host(`woodpecker.hand7s.org`)"
"traefik.http.routers.cicd.entrypoints=websecure"
];
check = {
http = "http://localhost:3000/api/v1/version";
interval = "10s";
};
}
{
name = "lgtm-svc";
port = 3030;
tags = [
"traefik.enable=true"
"traefik.http.routers.lgtm.rule=Host(`grafana.hand7s.org`)"
"traefik.http.routers.lgtm.entrypoints=websecure"
];
check = {
http = "http://localhost:3000/api/v1/version";
interval = "10s";
};
}
{
name = "mc-svc";
port = 25565;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.mc.rule=HostSNI(`mc.hand7s.org`)"
"traefik.tcp.routers.mc.entrypoints=minecraft"
];
}
{
name = "smtp-svc";
port = 25;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.smtp.rule=HostSNI(`*`)"
"traefik.tcp.routers.smtp.entrypoints=smtp"
];
}
{
name = "pop3-svc";
port = 110;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.pop3.rule=HostSNI(`*`)"
"traefik.tcp.routers.pop3.entrypoints=pop3"
];
}
{
name = "imap-svc";
port = 143;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.imap.rule=HostSNI(`*`)"
"traefik.tcp.routers.imap.entrypoints=imap"
];
}
{
name = "submissions-svc";
port = 465;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.submissions.rule=HostSNI(`*`)"
"traefik.tcp.routers.submissions.entrypoints=submissions"
];
}
{
name = "submission-svc";
port = 587;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.submission.rule=HostSNI(`*`)"
"traefik.tcp.routers.submission.entrypoints=submission"
];
}
{
name = "pop3s-svc";
port = 995;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.pop3s.rule=HostSNI(`*`)"
"traefik.tcp.routers.pop3s.entrypoints=pop3s"
];
}
{
name = "imaptls-svc";
port = 993;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.imaptls.rule=HostSNI(`*`)"
"traefik.tcp.routers.imaptls.entrypoints=imaptls"
];
}
{
name = "managesieve-svc";
port = 4190;
tags = [
"traefik.enable=true"
"traefik.tcp.routers.managesieve.rule=HostSNI(`*`)"
"traefik.tcp.routers.managesieve.entrypoints=managesieve"
];
}
];
};
};
};
}
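Review bot: Every HTTP health check in the `services` list points at `http://localhost:3000/api/v1/version`, including `oidc-svc` (8443), `bin-svc` (53352), `cicd-svc` (53351) and `lgtm-svc` (3030), so those four are reported healthy or unhealthy based on whatever answers on port 3000, never on themselves; each check should target its own port and a path that service actually serves (for `lgtm-svc`, if it is Grafana, `http = "http://localhost:3030/api/health";`), or be dropped until one is known. None of the registrations carries an `address`, so Consul publishes them at this agent's advertise address (`nb-wt0`), whereas the static Traefik services they replace pointed at `100.109.123.164` — confirm the workloads really run on the host that loads this file, or add `address = "100.109.123.164";` to each entry. The Traefik tags set no `tls.certresolver`, so unless the `websecure` entrypoint (outside this page) carries its own `http.tls` block, the git/oidc/bin/cicd/lgtm routers now come up without TLS where the removed static routers had `certResolver = "cloudflare"`. Gossip encryption and ACL settings are not in this file; if they live elsewhere, a comment pointing there would help, since a client agent joining over the overlay without them is a common gap.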


@ -0,0 +1,51 @@
_: {
services = {
crowdsec = {
enable = true;
settings = {
hub = {
collections = [
"crowdsecurity/linux"
"crowdsecurity/traefik"
"crowdsecurity/http-dos"
"crowdsecurity/cloudflare"
];
};
acquisitions = [
{
source = "journalctl";
journalctl_filter = [
"_SYSTEMD_UNIT=traefik.service"
];
labels = {
type = "traefik";
};
}
{
source = "journalctl";
journalctl_filter = [
"_SYSTEMD_UNIT=sshd.service"
];
labels = {
type = "syslog";
};
}
];
};
};
crowdsec-firewall-bouncer = {
enable = true;
settings = {
mode = "firewalld";
};
};
};
}
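Review bot: The first acquisition reads `_SYSTEMD_UNIT=traefik.service` from the journal with `type = "traefik"`, but the `crowdsecurity/traefik` collection parses Traefik access-log lines, not its application log; unless Traefik's `accessLog` is enabled and written to stdout (its `log` block is cut off elsewhere in this compare), the HTTP scenarios never see a request and the bouncer only ever acts on sshd hits. A comment such as `# requires services.traefik accessLog on stdout so the journal carries request lines` next to that acquisition would document the dependency, or a `filePath` acquisition if the access log is written to disk. The journald sshd source labelled `type = "syslog"` matches what the `crowdsecurity/linux` collection expects, so that half looks right.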


@ -1,14 +0,0 @@
_: {
services = {
fail2ban = {
enable = true;
bantime-increment = {
enable = true;
factor = "10";
formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
overalljails = true;
maxtime = "500h";
};
};
};
}


@ -7,7 +7,48 @@
firewalld = {
enable = true;
settings = {
IPv6_rpfilter = "strict";
CleanupModulesOnExit = true;
StrictForwardPorts = true;
};
services = {
"ntp" = {
short = "ntpd-rs";
ports = [
{
port = 123;
protocol = "udp";
}
{
port = 4460;
protocol = "tcp";
}
];
};
"dns" = {
short = "hickory-dns";
ports = [
{
port = 853;
protocol = "tcp";
}
];
};
"quic" = {
short = "http3";
ports = [
{
port = 443;
protocol = "udp";
}
];
};
"stalwart" = {
short = "Stalwart-mail";
ports =
@ -62,24 +103,28 @@
};
zones = {
"trusted" = {
"netbird" = {
services = [
"ssh"
"consul"
];
};
"wan" = {
ports = [
target = "DROP";
masquerade = true;
forwardPorts = [
{
port = 2053;
port = 443;
protocol = "udp";
to-port = 8443;
to-addr = "192.168.101.2";
}
];
{
port = 8443;
protocol = "tcp";
}
ports = [
{
port = 51820;
protocol = "udp";
@ -119,17 +164,17 @@
services = lib.concatLists [
[
"ssh"
"quic"
"http"
"https"
"ntp"
"dns"
]
(
lib.optionals (
lib.elem name [
"hazel"
"lynn"
"mel"
]
) [
"minecraft"

58
kyra/services/hickory.nix Normal file

@ -0,0 +1,58 @@
_: {
services = {
hickory-dns = {
enable = true;
settings = {
remote_resolvers = [
{
socket_addr = "1.1.1.1:853";
protocol = "tls";
tls_dns_name = "cloudflare-dns.com";
}
{
socket_addr = "1.1.1.1:443";
protocol = "https";
tls_dns_name = "cloudflare-dns.com";
}
{
socket_addr = "9.9.9.9:853";
protocol = "tls";
tls_dns_name = "dns.quad9.net";
}
{
socket_addr = "9.9.9.9:443";
protocol = "https";
tls_dns_name = "dns.quad9.net";
}
{
socket_addr = "8.8.8.8:853";
protocol = "tls";
tls_dns_name = "dns.google";
}
{
socket_addr = "8.8.8.8:443";
protocol = "https";
tls_dns_name = "dns.google";
}
];
listen_addrs_http = [
{
socket_addr = "[::]:8053";
}
];
listen_addrs_tcp = [
{
socket_addr = "[::]:8853";
}
];
};
};
};
}
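Review bot: Both listeners bind the wildcard (`[::]:8053`, `[::]:8853`) although the only consumers visible in this compare are Traefik's `doh-svc` and `dot-svc`, which connect to `127.0.0.1`; `socket_addr = "127.0.0.1:8053";` and `socket_addr = "127.0.0.1:8853";` (or `[::1]` with Traefik changed to match) keep the plaintext DNS-over-HTTP and plain TCP DNS listeners off the network instead of relying on firewalld to hide them. The upstreams are all TLS or HTTPS with a `tls_dns_name`, which is good; the zone/forwarding scope for queries is not in this file, and once Traefik exposes the `dot` entrypoint on 853 and the `/dns-query` route publicly this is a resolver reachable from the internet, so a comment stating whether recursion is meant to be open or limited, and how abuse is rate-limited, belongs here. I cannot verify the `listen_addrs_http`/`listen_addrs_tcp`/`remote_resolvers` key names against the pinned hickory-dns module from this page; an unknown key likely stops the service from starting, so they should be checked against the module's option set.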

42
kyra/services/ntpd-rs.nix Normal file

@ -0,0 +1,42 @@
_: {
services = {
ntpd-rs = {
enable = true;
metrics = {
enable = true;
};
settings = {
source = [
{
mode = "nts";
address = "time.cloudflare.com";
}
{
mode = "nts";
address = "nts.ntp.se";
}
];
server = [
{
listen = "[::]:123";
}
];
nts-ke-server = [
{
listen = "[::]:4460";
certificate-chain-path = "/var/lib/acme/ntp.hand7s.org/fullchain.pem";
private-key-path = "/var/lib/acme/ntp.hand7s.org/key.pem";
}
];
synchronization = {
minimum-agreeing-sources = 2;
};
};
};
};
}
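Review bot: `server.listen = "[::]:123"` and `nts-ke-server.listen = "[::]:4460"` bind the same UDP and TCP ports that the Traefik section later in this compare adds as entrypoints (`"ntp" = { address = ":123"; }` and `"nts-ke" = { address = ":4460"; }`, forwarding to `127.0.0.1:123` and `127.0.0.1:4460`); both cannot bind, so whichever starts second fails. Either ntpd-rs listens on loopback, `listen = "127.0.0.1:123";` and `listen = "127.0.0.1:4460";`, and Traefik fronts it, or the Traefik `ntp`/`nts-ke` entrypoints, routers and services are dropped and firewalld's `ntp` service exposes ntpd-rs directly — the second is simpler, since the `nts-ke` router is passthrough anyway. The key-exchange server reads `/var/lib/acme/ntp.hand7s.org/{fullchain,key}.pem`, which is the `security.acme` layout rather than Traefik's `acme.json`; that certificate's declaration and the group/ownership that lets the ntpd-rs service user read `key.pem` are not in this file and deserve a comment, e.g. `# cert issued by security.acme.certs."ntp.hand7s.org"; the ntpd-rs user must be in its group`. `minimum-agreeing-sources = 2` with exactly two sources means one unreachable NTS source stops synchronization; a third source or a comment accepting that trade-off would help.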


@ -2,7 +2,6 @@ _: {
services = {
openssh = {
enable = true;
hostKeys = [
{
path = "/etc/ssh/ssh_host_ed25519_key";

53
kyra/services/otelc.nix Normal file

@ -0,0 +1,53 @@
{lib, ...}: {
services = {
opentelemetry-collector = {
enable = true;
settings = {
receivers = {
otlp = {
protocols = {
grpc = {
endpoint = "127.0.0.1:4317";
};
http = {
endpoint = "127.0.0.1:4318";
};
};
};
};
exporters = {
otlp = {
endpoint = "http://100.109.123.164:4317";
tls = {
insecure = true;
};
};
};
service = {
pipelines =
lib.genAttrs [
"traces"
"metrics"
"logs"
] (
_type: {
receivers = [
"otlp"
];
exporters = [
"otlp"
];
processors = [
"batch"
];
}
);
};
};
};
};
}
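Review bot: Every pipeline generated by `lib.genAttrs` lists `processors = ["batch"]`, but no `processors` section defines it; the OpenTelemetry Collector requires each component referenced from a pipeline to be declared in its own section (an empty definition is enough), so this configuration fails validation at startup. Add `processors = { batch = {}; };` alongside `receivers` and `exporters`. Moving the OTLP receivers from `0.0.0.0` (the removed Alloy config) to `127.0.0.1` is a clear improvement; the exporter still sends to `http://100.109.123.164:4317` with `tls.insecure = true`, which is acceptable only if that address is reached over an encrypted overlay, so a comment such as `# plaintext OTLP is acceptable here only because 100.109.123.164 is on the encrypted overlay` should record that assumption.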


@ -1,7 +1,7 @@
_: {
services = {
qemuGuest = {
enable = true;
enable = false;
};
};
}


@ -2,38 +2,39 @@ _: {
services = {
resolved = {
enable = true;
dnsovertls = toString true;
dnssec = toString true;
llmnr = toString true;
domains = [
"~."
];
settings = {
Resolve = {
DNSOverTLS = true;
DNSSEC = true;
Domains = [
"~."
];
fallbackDns = [
# cf dns
"1.1.1.1"
"1.0.0.1"
"2606:4700:4700::1111"
"2606:4700:4700::1001"
DNS = [
# hand7s dns
"127.0.0.1#dns.hand7s.org"
"::1#dns.hand7s.org"
# google dns
"8.8.8.8"
"8.8.4.4"
"2001:4860:4860::8888"
"2001:4860:4860::8844"
# cf dns
"1.1.1.1#cloudflare-dns.com"
"1.0.0.1#cloudflare-dns.com"
"2606:4700:4700::1111#cloudflare-dns.com"
"2606:4700:4700::1001#cloudflare-dns.com"
# q9 dns
"9.9.9.9"
"149.112.112.112"
"2620:fe::fe"
"2620:fe::9"
# google dns
"8.8.8.8#dns.google"
"8.8.4.4#dns.google"
"2001:4860:4860::8888#dns.google"
"2001:4860:4860::8844#dns.google"
# open dns
"208.67.222.222"
"208.67.220.220"
"2620:119:35::35"
"2620:119:53::53"
];
# q9 dns
"9.9.9.9#dns.quad9.net"
"149.112.112.112#dns.quad9.net"
"2620:fe::fe#dns.quad9.net"
"2620:fe::9#dns.quad9.net"
];
};
};
};
};
}
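Review bot: The new `DNS` list mixes the loopback resolver (`127.0.0.1#dns.hand7s.org`, `::1#dns.hand7s.org`) with twelve public ones, and with `DNSOverTLS = true` the loopback entries only work because Traefik's `dot` router presents a `dns.hand7s.org` certificate on port 853 — that dependency, and the fact that resolved treats the list as one ordered pool and moves to the next server on failure rather than preferring the local one, deserves a comment like `# 127.0.0.1/::1 is traefik's DoT entrypoint (853) in front of hickory; public servers are reached only when it fails`. This section's lines are printed without +/- markers, so I am reading the `settings.Resolve` block as the new side and the `dnsovertls`/`fallbackDns` lines as the removed one.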


@ -1,110 +0,0 @@
{lib, ...}: {
services = {
sing-box = {
enable = true;
settings = {
log = {
level = "error";
};
dns = {
servers = [
{
tag = "cloudflare";
type = "quic";
server = "1.1.1.1";
}
{
tag = "local";
type = "local";
}
];
final = "cloudflare";
strategy = "prefer_ipv4";
};
route = {
final = "direct-out";
default_domain_resolver = "cloudflare";
auto_detect_interface = true;
};
outbounds = [
{
tag = "direct-out";
type = "direct";
}
];
inbounds = [
{
type = "hysteria2";
tag = "hy2-in";
listen = "::";
listen_port = 2053;
masquerade = "https://hand7s.org";
up_mbps = 100;
down_mbps = 100;
obfs = {
type = "salamander";
password = lib.hashString "sha512" "randomstring"; # not a real string
};
users = [
{
name = "hand7s";
password = lib.hashString "sha512" "userstring"; # not a real string
}
];
tls = {
enabled = true;
server_name = "hand7s.org";
certificate_path = "/var/lib/acme/hand7s.org/cert.pem";
key_path = "/var/lib/acme/hand7s.org/key.pem";
};
}
{
type = "vless";
tag = "vless-inbound";
listen = "::";
listen_port = 8443;
sniff = true;
users = [
{
name = "hand7s";
uuid = lib.hashString "sha512" "uuidstring"; # not a real string
flow = "xtls-rprx-vision";
}
];
tls = {
enabled = true;
server_name = "hand7s.org";
reality = {
enabled = true;
max_time_difference = "5m";
handshake = {
server = "127.0.0.1";
server_port = 443;
};
private_key = lib.hashString "sha512" "uuidstring"; # not a real string
short_id = [
"shortie"
];
};
};
}
];
};
};
};
}

28
kyra/services/step-ca.nix Normal file

@ -0,0 +1,28 @@
{config, ...}: {
services = {
step-ca = {
enable = true;
address = "[::]";
port = 8443;
intermediatePasswordFile = config.sops.secrets."stepPass".path;
settings = {
dnsNames = [
"ca.hand7s.org"
];
authority = {
provisioners = [
{
type = "ACME";
name = "cloudflare";
claims = {
enable_dns_01 = true;
};
}
];
};
};
};
};
}
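Review bot: `address = "[::]"` with `port = 8443` puts the CA's API on every interface, while the only client visible in this compare is Traefik's `ca-svc` at `127.0.0.1:8443`; `address = "127.0.0.1";` keeps the CA reachable only through Traefik's `ca.hand7s.org` router unless some client needs direct access, in which case a comment should say which. The same port 8443 is registered in `consul.nix` as `oidc-svc` without an `address`, so if that registration resolves to this host, Zitadel traffic would be routed to step-ca — worth a cross-check. `claims.enable_dns_01` is not a claim I recognize from the step-ca provisioner schema (challenge selection is the provisioner-level `challenges` list as far as I recall); verify it against the pinned step-ca version rather than assume DNS-01 is the only challenge enabled.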


@ -1,4 +1,8 @@
{config, ...}: {
{
config,
name,
...
}: {
services = {
traefik = {
enable = true;
@ -8,29 +12,44 @@
];
dynamicConfigOptions = {
providers = {
consulCatalog = {
endpoint = {
address = "127.0.0.1:8500";
exposedByDefault = false;
prefix = "traefik";
};
};
};
udp = {
routers = {
"ntp" = {
service = "ntp-svc";
entryPoints = [
"ntp"
];
};
};
services = {
"ntp-svc" = {
loadBalancer = {
servers = [
{
address = "127.0.0.1:123";
}
];
};
};
};
};
http = {
routers = {
"site" = {
rule = "Host(`hand7s.org`)";
service = "site-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = "*.hand7s.org";
}
];
};
entryPoints = [
"websecure"
];
};
"git" = {
rule = "Host(`git.hand7s.org`)";
service = "git-svc";
tls = {
certResolver = "cloudflare";
domains = [
@ -45,15 +64,16 @@
entryPoints = [
"websecure"
"loopback"
];
};
"cicd" = {
rule = "Host(`woodpecker.hand7s.org`)";
service = "cicd-svc";
"ca" = {
rule = "Host(`ca.hand7s.org`)";
service = "ca-svc";
tls = {
certResolver = "cloudflare";
domains = [
domain = [
{
main = "hand7s.org";
sans = [
@ -62,55 +82,11 @@
}
];
};
entryPoints = [
"websecure"
];
};
"oidc" = {
rule = "Host(`zitadel.hand7s.org`)";
service = "oidc-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
"bin" = {
rule = "Host(`bin.hand7s.org`)";
service = "bin-svc";
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
entryPoints = [
"websecure"
];
};
"lgtm" = {
rule = "Host(`grafana.hand7s.org`)";
service = "lgtm-svc";
"doh" = {
rule = "Host(`dns.hand7s.org`) && PathPrefix(`/dns-query`)";
service = "doh-svc";
tls = {
certResolver = "cloudflare";
domains = [
@ -140,51 +116,21 @@
};
};
"git-svc" = {
"ca-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:53350";
url = "http://127.0.0.1:8443";
}
];
};
};
"oidc-svc" = {
"doh-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:8443";
}
];
};
};
"bin-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:53352";
}
];
};
};
"cicd-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:53351";
}
];
};
};
"lgtm-svc" = {
loadBalancer = {
servers = [
{
url = "http://100.109.123.164:3030";
url = "http://127.0.0.1:8053";
}
];
};
@ -194,160 +140,72 @@
tcp = {
routers = {
"minecraft" = {
rule = "HostSNI(`*`)";
service = "mc-svc";
"nts-ke" = {
rule = "HostSNI(`ntp.hand7s.org`)";
services = "nts-ke-svc";
tls = {
passthrough = true;
};
entryPoints = [
"minecraft"
"nts-ke"
];
};
"smtp" = {
rule = "HostSNI(`*`)";
service = "smtp-svc";
"dot" = {
rule = "HostSNI(`dns.hand7s.org`)";
services = "dot-svc";
entryPoints = [
"smtp"
"dot"
];
tls = {
certResolver = "cloudflare";
};
};
"pop3" = {
rule = "HostSNI(`*`)";
service = "pop-svc";
"vless" = {
rule = "HostSNI(`${name}.hand7s.org`)";
service = "vless-svc";
tls = {
passthrough = true;
};
entryPoints = [
"pop3"
];
};
"submissions" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "submissions-svc";
entryPoints = [
"submissions"
];
};
"submission" = {
rule = "HostSNI(`*`)";
service = "submission-svc";
entryPoints = [
"submission"
];
};
"imaptls" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "imaptls-svc";
entryPoints = [
"imaptls"
];
};
"pop3s" = {
rule = "HostSNI(`mail.hand7s.org`)";
service = "pop3s-svc";
entryPoints = [
"pop3s"
];
};
"managesieve" = {
rule = "HostSNI(`*`)";
service = "managesieve-svc";
entryPoints = [
"managesieve"
];
};
};
};
services = {
"mc-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:25565";
}
"websecure"
];
};
};
"smtp-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:25";
}
];
services = {
"vless-svc" = {
loadBalancer = {
servers = [
{
address = "192.168.101.2:8443";
}
];
};
};
};
"pop3-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:110";
}
];
"nts-ke-svc" = {
loadBalancer = {
servers = [
{
address = "127.0.0.1:4460";
}
];
};
};
};
"imap-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:143";
}
];
};
};
"submissions-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:465";
}
];
};
};
"submission-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:587";
}
];
};
};
"imaptls-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:993";
}
];
};
};
"pop3s-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:995";
}
];
};
};
"managesieve-svc" = {
loadBalancer = {
servers = [
{
address = "100.109.123.164:4190";
}
];
"dot-svc" = {
loadBalancer = {
servers = [
{
url = "http://127.0.0.1:8853";
}
];
};
};
};
};
@ -370,17 +228,22 @@
certificatesResolvers = {
"cloudflare" = {
acme = {
email = "litvinovb0@gmail.com";
email = "me@hand7s.com";
storage = "${config.services.traefik.dataDir}/acme.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"8.8.8.8:53"
];
};
};
};
"step-ca" = {
caServer = "https://ca.hand7s.org";
acme = {
email = "me@hand7s.com";
storage = "${config.services.traefik.dataDir}/acme.json";
tlsChallenge = {};
};
};
};
log = {
@ -417,6 +280,35 @@
};
};
"loopback" = {
address = "127.0.0.1:444";
http = {
tls = {
certResolver = "cloudflare";
domains = [
{
main = "hand7s.org";
sans = [
"*.hand7s.org"
];
}
];
};
};
};
"ntp" = {
address = ":123";
};
"nts-ke" = {
address = ":4460";
};
"dot" = {
address = ":853";
};
"minecraft" = {
address = ":25565";
};
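Review bot: Several new keys do not match Traefik's schema: the `nts-ke` and `dot` TCP routers use `services = ...` instead of `service`, the `ca` router uses `domain = [` instead of `domains`, and `dot-svc` is a TCP service whose server takes `address = "127.0.0.1:8853"` rather than `url`; Traefik rejects unknown fields in the dynamic file, so these routers never load. In the `consulCatalog` provider, `exposedByDefault` and `prefix` are nested inside `endpoint` but belong one level up, and `providers` is static configuration — if it really sits under `dynamicConfigOptions` as the hunk suggests, it has to move to `staticConfigOptions` or the provider is silently absent. `ca-svc` forwards to `http://127.0.0.1:8443`, yet step-ca only speaks TLS, so this needs `https://` plus a `serversTransport` trusting the step-ca root (or `insecureSkipVerify` with a comment saying why). The `ntp`/`nts-ke` entrypoints collide with ntpd-rs's own listeners, as noted on the ntpd-rs file; the traefik attrset starts before the first hunk and ends after the last.
```nix
# providers belong in staticConfigOptions, not dynamicConfigOptions
providers = {
  consulCatalog = {
    endpoint = {
      address = "127.0.0.1:8500";
    };
    exposedByDefault = false;
    prefix = "traefik";
  };
};
# … unchanged: udp routers/services, http routers …
"ca" = {
  rule = "Host(`ca.hand7s.org`)";
  service = "ca-svc";
  tls = {
    certResolver = "cloudflare";
    domains = [
# … unchanged: sans, entryPoints …
"ca-svc" = {
  loadBalancer = {
    servers = [
      {
        url = "https://127.0.0.1:8443";
      }
    ];
    serversTransport = "step-ca"; # TODO: define under http.serversTransports with the step-ca root CA
  };
};
# … unchanged: doh router/service …
"nts-ke" = {
  rule = "HostSNI(`ntp.hand7s.org`)";
  service = "nts-ke-svc";
# … unchanged: passthrough, entryPoints …
"dot" = {
  rule = "HostSNI(`dns.hand7s.org`)";
  service = "dot-svc";
# … unchanged: entryPoints, tls …
"dot-svc" = {
  loadBalancer = {
    servers = [
      {
        address = "127.0.0.1:8853";
      }
    ];
  };
};
```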


@ -7,33 +7,71 @@
network = {
enable = true;
networks = lib.mkMerge [
(
lib.mkIf (
name == "ivy"
)
{
"10-ens3" = {
matchConfig = {
Name = "ens3";
};
addresses = [
{
Address = "93.115.203.92/24";
}
{
Address = "2001:67c:263c::8fa/64";
}
];
routes = [
{
Gateway = "93.115.203.1";
}
{
Gateway = "2001:67c:263c::1";
}
];
};
}
)
(
lib.mkIf (
name == "mel"
)
{
"10-eth0" = {
matchConfig.Name = "eth0";
matchConfig = {
Name = "eth0";
};
addresses = [
{
Address = "45.11.229.245/24";
}
{
Address = "2a0e:97c0:3e3:20a::1/64";
}
];
networkConfig = {
IPv6AcceptRA = false;
Address = [
"45.11.229.245/24"
"2a0e:97c0:3e3:20a::1/64"
];
};
routes = [
{
routeConfig = {
Gateway = "45.11.229.1";
};
Gateway = "45.11.229.1";
}
{
routeConfig = {
Gateway = "fe80::1";
GatewayOnLink = true;
};
Gateway = "fe80::1";
GatewayOnLink = true;
}
];
};
@ -50,27 +88,29 @@
Name = "ens3";
};
addresses = [
{
Address = "138.124.240.75/32";
}
{
Address = "2a0d:d940:1a:1500::2/56";
}
];
networkConfig = {
IPv6AcceptRA = false;
Address = [
"138.124.240.75/32"
"2a0d:d940:1a:1500::2/56"
];
};
routes = [
{
routeConfig = {
Gateway = "10.0.0.1";
GatewayOnLink = true;
};
Gateway = "10.0.0.1";
GatewayOnLink = true;
}
{
routeConfig = {
Gateway = "2a0d:d940:1a:1500::1";
GatewayOnLink = true;
};
Gateway = "2a0d:d940:1a:1500::1";
GatewayOnLink = true;
}
];
};
@ -87,9 +127,28 @@
Name = "ens3";
};
addresses = [
{
Address = "90.156.226.152";
}
{
Address = "2a03:6f01:1:2::cb1e";
}
];
routes = [
{
Gateway = "90.156.226.1";
}
{
Gateway = "2a03:6f01:1:2::1";
GatewayOnLink = true;
}
];
networkConfig = {
Address = "90.156.226.152/24";
Gateway = "90.156.226.1";
IPv6AcceptRA = false;
};
};
@ -106,11 +165,17 @@
Name = "ens3";
};
networkConfig = {
Address = "138.124.72.244/24";
Gateway = "138.124.72.1";
IPv6AcceptRA = false;
};
addresses = [
{
Address = "138.124.72.244";
}
];
routes = [
{
Gateway = "138.124.72.1";
}
];
};
}
)
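Review bot: Two of the converted `addresses` entries lost their prefix length: `Address = "90.156.226.152";` in the third hunk and `Address = "138.124.72.244";` in the fourth, where the removed `networkConfig.Address` lines had `/24`; as far as I recall networkd treats a bare IPv4 address as a host-only prefix, so the gateways `90.156.226.1` and `138.124.72.1` are no longer on-link and, unlike the second hunk where the `/32` address is paired with `GatewayOnLink = true`, those IPv4 routes carry no `GatewayOnLink`, leaving the default route likely rejected. Restore `Address = "90.156.226.152/24";` and `Address = "138.124.72.244/24";` (or add `GatewayOnLink = true;` to those routes if host-only addressing is intended). Each per-host `lib.mkIf (name == …)` block closes outside its hunk and the `mkMerge` list starts before the first hunk.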


@ -0,0 +1,13 @@
{config, ...}: {
systemd = {
services = {
"step-ca" = {
serviceConfig = {
EnvironmentFile = [
config.sops.templates."step-ca.env".path
];
};
};
};
};
}


@ -6,7 +6,6 @@ _: {
isNormalUser = true;
extraGroups = [
"wheel"
"docker"
];
openssh = {


@ -6,7 +6,6 @@ _: {
isNormalUser = true;
extraGroups = [
"wheel"
"docker"
];
openssh = {


@ -3,6 +3,7 @@
users = {
"root" = {
shell = "${pkgs.util-linux}/bin/nologin";
initialHashedPassword = "!";
};
};
};
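Review bot: `initialHashedPassword = "!"` only applies when the account is created, so on every host where root already exists this line locks nothing; `hashedPassword = "!";` is what enforces the locked state on each activation (authoritative with `users.mutableUsers = false`, and as far as I recall still written when set explicitly under the default `true`). I also recall NixOS already defaulting root's `initialHashedPassword` to `"!"`, so the intent is best recorded as `# root has no password; administrative access is via sudo-rs from wheel only` next to whichever option is kept. The nologin shell on the line above and the password lock together are the right direction; the `users.users` attrset starts before this hunk.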


@ -13,6 +13,8 @@ _: {
"https://chaotic-nyx.cachix.org/"
# nix-community
"https://hydra.nix-community.org/"
# yandex mirror
"https://mirror.yandex.ru/nixos/"
];
};
};
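Review bot: `https://mirror.yandex.ru/nixos/` is added as a substituter without a matching `trusted-public-keys` entry (the same change appears in the second copy of this file further down); that is safe only because Nix still requires each narinfo to be signed by an already-trusted key, so the mirror can serve cache.nixos.org paths but cannot inject its own — a comment like `# mirror of cache.nixos.org; serves only paths signed by the cache.nixos.org key, so no extra trusted key is added on purpose` would keep a future edit from "fixing" it by adding the mirror's key. If `require-sigs` is disabled anywhere for these hosts this line becomes a supply-chain risk and should be reconsidered; the `substituters` list starts before the hunk.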


@ -4,6 +4,9 @@ _: {
enable = true;
wheelNeedsPassword = true;
execWheelOnly = true;
extraConfig = ''
Defaults !pwfeedback
'';
};
};
}
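Review bot: `Defaults !pwfeedback` restates sudo's shipped default (asterisk feedback is opt-in), which is fine as an explicit hardening statement but needs a comment, e.g. `# explicit: never echo asterisks while typing the password`, and since the identical block is repeated in the second sudo-rs file below, it belongs in the shared `security.sudo-rs` module shown earlier on this page rather than per host. sudo-rs implements only a subset of sudoers `Defaults`; I cannot confirm from here that the pinned sudo-rs parses `pwfeedback`, and an unsupported keyword may reject the sudoers file at build or check time, so verify before rolling out.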


@ -13,6 +13,8 @@ _: {
"https://chaotic-nyx.cachix.org/"
# nix-community
"https://hydra.nix-community.org/"
# yandex mirror
"https://mirror.yandex.ru/nixos/"
];
};
};


@ -4,6 +4,9 @@ _: {
enable = true;
wheelNeedsPassword = true;
execWheelOnly = true;
extraConfig = ''
Defaults !pwfeedback
'';
};
};
}