diff --git a/flake.lock b/flake.lock index 1f5caa6..5e87a86 100644 --- a/flake.lock +++ b/flake.lock @@ -520,8 +520,7 @@ "nixpkgs": "nixpkgs", "noctalia": "noctalia", "noctalia-qs": "noctalia-qs", - "readlater-bot": "readlater-bot", - "steipete-tap": "steipete-tap" + "readlater-bot": "readlater-bot" } }, "rust-analyzer-src": { @@ -541,22 +540,6 @@ "type": "github" } }, - "steipete-tap": { - "flake": false, - "locked": { - "lastModified": 1778750339, - "narHash": "sha256-ZF63K/JuNKo8vWOIhXvsxbisUSVaUIeYqJLGI7uA9g4=", - "owner": "steipete", - "repo": "homebrew-tap", - "rev": "ccc12256eff15e1da74e6701db136e5c81036715", - "type": "github" - }, - "original": { - "owner": "steipete", - "repo": "homebrew-tap", - "type": "github" - } - }, "systems": { "locked": { "lastModified": 1681028828, diff --git a/flake.nix b/flake.nix index dacc6ad..7b4869c 100644 --- a/flake.nix +++ b/flake.nix @@ -23,10 +23,6 @@ url = "github:homebrew/homebrew-cask"; flake = false; }; - steipete-tap = { - url = "github:steipete/homebrew-tap"; - flake = false; - }; agenix = { url = "github:ryantm/agenix"; diff --git a/hosts/thegeneralist-central-mbp/configuration.nix b/hosts/thegeneralist-central-mbp/configuration.nix index 704563d..a6ffb2f 100644 --- a/hosts/thegeneralist-central-mbp/configuration.nix +++ b/hosts/thegeneralist-central-mbp/configuration.nix @@ -29,6 +29,5 @@ }; }; - system.primaryUser = "central"; system.stateVersion = 6; } diff --git a/hosts/thegeneralist-central/configuration.nix b/hosts/thegeneralist-central/configuration.nix index 398cd87..7f720e8 100644 --- a/hosts/thegeneralist-central/configuration.nix +++ b/hosts/thegeneralist-central/configuration.nix @@ -44,7 +44,6 @@ "input" "scanner" "docker" - "nginx" ]; shell = pkgs.zsh; home = "/home/thegeneralist"; diff --git a/hosts/thegeneralist-central/dns.nix b/hosts/thegeneralist-central/dns.nix index 303f4c2..c7a0952 100644 --- a/hosts/thegeneralist-central/dns.nix +++ b/hosts/thegeneralist-central/dns.nix 
@@ -13,6 +13,7 @@ let ) IN NS ns.thegeneralist01.com. ns IN A 100.86.129.23 + @ IN A 100.86.129.23 ${lib.concatStringsSep "\n" (lib.map (sub: "${sub} IN A 100.86.129.23") subdomains)} ''; diff --git a/hosts/thegeneralist-central/forgejo/default.nix b/hosts/thegeneralist-central/forgejo/default.nix index 4b62cb5..fd196d0 100644 --- a/hosts/thegeneralist-central/forgejo/default.nix +++ b/hosts/thegeneralist-central/forgejo/default.nix @@ -10,6 +10,10 @@ in imports = [ ../../../modules/postgresql.nix ]; age.secrets.forgejoRunnerToken.file = ./forgejo-runner-token.age; + age.secrets.forgejoFamilySiteDeployToken.file = ./forgejo-family-site-deploy-token.age; + age.secrets.forgejoFamilySiteDeployToken.owner = "gitea-runner"; + age.secrets.forgejoFamilySiteDeployToken.group = "gitea-runner"; + age.secrets.forgejoFamilySiteDeployToken.mode = "0400"; services.forgejo = { enable = true; @@ -154,7 +158,15 @@ in systemd.tmpfiles.rules = [ "d /var/lib/gitea-runner 0755 gitea-runner gitea-runner -" "d /var/lib/gitea-runner/central 0755 gitea-runner gitea-runner -" + # Allow gitea-runner (in group users) to write to the blog repo's .git dir. + "d /home/thegeneralist/blog 2770 thegeneralist users -" + "Z /home/thegeneralist/blog/.git - thegeneralist users -" ]; + system.activationScripts.blogGitPerms.text = '' + ${pkgs.coreutils}/bin/chmod -R g+rwX /home/thegeneralist/blog/.git/objects + ${pkgs.acl}/bin/setfacl -R -m g:users:rwx -m d:g:users:rwx /home/thegeneralist/blog/.git/objects + ''; + networking.firewall.allowedTCPPorts = [ 2222 ]; } diff --git a/hosts/thegeneralist-central/plex/default.nix b/hosts/thegeneralist-central/plex/default.nix index acba559..bb77f22 100644 --- a/hosts/thegeneralist-central/plex/default.nix +++ b/hosts/thegeneralist-central/plex/default.nix 
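Review bot: The new tmpfiles rules and `blogGitPerms` activation script in `forgejo/default.nix` open `/home/thegeneralist/blog/.git/objects` to the entire `users` group (the `Z` rule re-groups the whole `.git` tree to `users`, then `chmod -R g+rwX` and `setfacl -m g:users:rwx` make the object store group-writable), so every account in that group, not just `gitea-runner`, can now inject objects into the blog repository. A user-scoped ACL on the runner account gives it the same access without widening the group, and the `chmod -R`/`setfacl -R` currently run unguarded on every activation and will abort activation if the path is missing. Since the runner executes workflow-controlled code, this presumably hands any CI job write access into a user's working checkout; worth stating in the comment that this is intended and that `hooks/` and `refs/` stay non-writable. The `systemd.tmpfiles.rules` list this hunk extends begins before the hunk.
```nix
system.activationScripts.blogGitPerms.text = ''
  # Only the runner account needs to write objects; do not widen this to the whole `users` group.
  if [ -d /home/thegeneralist/blog/.git/objects ]; then
    ${pkgs.acl}/bin/setfacl -R -m u:gitea-runner:rwX -m d:u:gitea-runner:rwX /home/thegeneralist/blog/.git/objects
  fi
'';
```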
@@ -9,7 +9,7 @@ let useACMEHost = domain; }; - plexDebUrl = "https://cdn.thegeneralist01.com/plexmediaserver_1.43.0.10492-121068a07_arm64.deb"; + plexDebUrl = "http://thegeneralist01.com/plexmediaserver_1.43.0.10492-121068a07_arm64.deb"; plexDebSha256 = "1fkh09b46q70kicjprxf0v507idhg2jh3pk97nhbxj1jagkhgck2"; plex = pkgs.stdenv.mkDerivation { pname = "plexmediaserver"; diff --git a/hosts/thegeneralist-central/site.nix b/hosts/thegeneralist-central/site.nix index fafa6b0..fbac9ac 100644 --- a/hosts/thegeneralist-central/site.nix +++ b/hosts/thegeneralist-central/site.nix @@ -1,4 +1,13 @@ { config, pkgs, ... }: +let + domain = "thegeneralist01.com"; + family_domain = builtins.getEnv "FAMILY_DOMAIN"; + + ssl = { + quic = true; + useACMEHost = domain; + }; +in { imports = [ ./acme 
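Review bot: `plexDebUrl` in `plex/default.nix` now fetches the package over plain `http://` instead of the previous `https://cdn.` host; the unchanged `plexDebSha256` pin still makes the fixed-output fetch integrity-checked, so a tampered download only fails the build, but the request itself is now unauthenticated and observable on the path. Since the apex vhost added in `site.nix` answers with a 301 to `https://` whenever the forwarded protocol is http, the fetcher will presumably be redirected anyway, so there is no benefit to the downgrade; use `plexDebUrl = "https://thegeneralist01.com/plexmediaserver_1.43.0.10492-121068a07_arm64.deb";`. Also confirm the `.deb` is actually published under `/var/www/thegeneralist01.com`, as that root is what the new vhost serves.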
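Review bot: `family_domain = builtins.getEnv "FAMILY_DOMAIN"` in the new `let` block of `site.nix` evaluates to the empty string under pure flake evaluation (anything not run with `--impure`), and nothing in the hunk checks for that. With an empty value the later vhosts become `virtualHosts.""` and `virtualHosts."www."` with root `/var/www//dist`, and the `personal` tunnel gets empty ingress hostnames; whether that fails the nginx config check or only misbehaves at runtime is not visible from here, but either way the cause will be obscure. A one-line guard on the `in` line, `in assert family_domain != "";`, makes the missing variable a clear evaluation error. Reading the domain from an age secret or a non-secret flake input instead of the environment would also make the evaluation reproducible.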
@@ -23,7 +32,56 @@ statusPage = true; validateConfigFile = true; - # Domain-specific virtual hosts live in the service modules below. + virtualHosts."${domain}" = ssl // { + root = "/var/www/${domain}"; + locations."/".tryFiles = "$uri $uri.html $uri/ $uri/index.html =404"; + + extraConfig = '' + if ($http_x_forwarded_proto = "http") { + return 301 https://${domain}$request_uri; + } + + location ~* \.(html|css|js|jpg|jpeg|png|gif|svg|ico|woff2?)$ { + expires 1d; + add_header Cache-Control "public"; + } + + error_page 404 /404.html; + ''; + }; + + virtualHosts."www.${domain}" = ssl // { + locations."/".return = "306 https://${domain}$request_uri"; + }; + + virtualHosts."${family_domain}" = { + root = "/var/www/${family_domain}/dist"; + locations."/".tryFiles = "$uri $uri/index.html $uri.html =404"; + + extraConfig = '' + absolute_redirect off; + + location ~* \.(html|css|js|jpg|jpeg|png|gif|svg|ico)$ { + expires 1d; + add_header Cache-Control "public"; + } + + location ~* \.(ttf|woff2?)$ { + expires 1y; + add_header Cache-Control "public, immutable"; + } + + error_page 404 /404.html; + ''; + }; + + virtualHosts."www.${family_domain}" = { + locations."/".return = "306 https://${family_domain}$request_uri"; + }; + + # virtualHosts._ = ssl // { + # locations."/".return = "307 https://${domain}/404"; + # }; }; # Cloudflare @@ -31,6 +89,7 @@ age.secrets.cftcert.file = ./cert.pem.age; age.secrets.cftcredentials.file = ./credentials.age; + age.secrets.cftcredentials_personal.file = ./credentials_personal.age; services.cloudflared = { enable = true; @@ -39,6 +98,8 @@ tunnels = { "site" = { ingress = { + "thegeneralist01.com" = "http://localhost:80"; + "www.thegeneralist01.com" = "http://localhost:80"; "cache.thegeneralist01.com" = "http://localhost:80"; "git.thegeneralist01.com" = "http://localhost:3000"; }; 
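Review bot: The `www.` redirects added in `site.nix` use status `306`, a reserved and unused HTTP code that browsers and clients do not treat as a redirect, so `www.thegeneralist01.com` and `www.${family_domain}` will answer with an opaque 306 instead of sending visitors to the apex; use `locations."/".return = "301 https://${domain}$request_uri";` (and the same for the family domain, or `308` if method preservation matters). The `$http_x_forwarded_proto` check on the main vhost is only meaningful for traffic arriving via the Cloudflare tunnel, and since `dns.nix` now points the apex at the tailnet address, clients resolving through that zone reach nginx without the header and are never upgraded — a comment noting that tailnet access is intentionally plain http (or not) would help. The family vhost also lacks the http→https redirect the main vhost has; if Cloudflare enforces it there, say so in a comment so the asymmetry is not mistaken for an omission.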
@@ -47,6 +108,16 @@ credentialsFile = config.age.secrets.cftcredentials.path; certificateFile = config.age.secrets.cftcert.path; }; + "personal" = { + ingress = { + "${family_domain}" = "http://localhost:80"; + "www.${family_domain}" = "http://localhost:80"; + }; + default = "http_status:404"; + + credentialsFile = config.age.secrets.cftcredentials_personal.path; + certificateFile = config.age.secrets.cftcert.path; + }; }; }; } diff --git a/modules/common/amp.nix b/modules/common/amp.nix new file mode 100644 index 0000000..c788a25 --- /dev/null +++ b/modules/common/amp.nix @@ -0,0 +1,32 @@ +{ + config, + lib, + ... +}: +let + enableAmp = (!config.onLinux) || (!config.isServer); + ampHomeModule = + { lib, pkgs, ... }: + { + home.sessionPath = [ "$HOME/.amp/bin" ]; + home.activation.ampInstall = lib.hm.dag.entryAfter [ "writeBoundary" ] '' + amp_bin="$HOME/.amp/bin/amp" + if [ ! -x "$amp_bin" ]; then + export PATH="${ + lib.makeBinPath [ + pkgs.coreutils + pkgs.gnugrep + pkgs.curl + pkgs.bash + ] + }:$PATH" + + # Prevent installer from trying to mutate shell rc files (Home Manager manages those). + SHELL="amp-installer" ${pkgs.curl}/bin/curl -fsSL https://ampcode.com/install.sh | ${pkgs.bash}/bin/bash + fi + ''; + }; +in +lib.mkIf enableAmp { + home-manager.sharedModules = [ ampHomeModule ]; +} diff --git a/modules/common/git.nix b/modules/common/git.nix index 0edf0f0..434004c 100644 --- a/modules/common/git.nix +++ b/modules/common/git.nix @@ -55,8 +55,6 @@ in # https://bernsteinbear.com/git alias.recent = "! git branch --sort=-committerdate --format=\"%(committerdate:relative)%09%(refname:short)\" | head -10"; - - safe.directory = "*"; }; }; }; diff --git a/modules/common/neovim.nix b/modules/common/neovim.nix index 9429af8..82c3716 100644 --- a/modules/common/neovim.nix +++ b/modules/common/neovim.nix @@ -71,7 +71,6 @@ in home.sessionPath = [ "node_modules/.bin" "/opt/homebrew/bin" - "/opt/homebrew/opt" "$HOME/.npm-packages/bin" "$PNPM_HOME" ]; 
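Review bot: The new `personal` tunnel in `site.nix` gets its own `credentialsFile` but reuses `config.age.secrets.cftcert.path`; `cert.pem` is a per-account origin certificate, so this only works if the family domain lives in the same Cloudflare account as `thegeneralist01.com`, which the separate credentials file suggests may not be the case. If it is a separate account, a second secret is needed next to `cftcredentials_personal`, e.g. `age.secrets.cftcert_personal.file = ./cert_personal.pem.age;`. Otherwise a one-line comment such as `# both tunnels belong to the same Cloudflare account, so one cert.pem serves both` would make the shared dependency explicit.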
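Review bot: The `ampInstall` activation step in the new `modules/common/amp.nix` pipes `https://ampcode.com/install.sh` straight into `bash` with no version pin or checksum, so whatever that URL serves at activation time runs with the user's privileges — a supply-chain exposure Home Manager otherwise avoids by building from hashed sources. At minimum fetch the script through a fixed-output derivation so it is hash-verified and cached (`installer = pkgs.fetchurl { url = "https://ampcode.com/install.sh"; hash = "…"; };` then `SHELL="amp-installer" ${pkgs.bash}/bin/bash ${installer}`), and note in a comment that the script's own downloads remain unverified unless it pins them. As written a failed or truncated `curl` is also masked by the pipe — there is no `set -o pipefail` — so `bash` will execute a partial script. If upstream publishes a versioned installer URL, pinning to it would additionally make the result reproducible.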
diff --git a/modules/common/shell/0_nushell.nix b/modules/common/shell/0_nushell.nix index 30f7f3b..bd573e6 100644 --- a/modules/common/shell/0_nushell.nix +++ b/modules/common/shell/0_nushell.nix @@ -1,7 +1,6 @@ { config, lib, - nixpkgs, pkgs, ... }: @@ -19,9 +18,10 @@ let replaceStrings ; - # Use the repo's locked nixos-unstable flake input instead of following the - # moving nixos-unstable tarball, which causes frequent refetches. - unstable = import nixpkgs { system = pkgs.stdenv.hostPlatform.system; }; + unstable = import (builtins.fetchTarball { + url = "https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz"; + sha256 = if (config.isServer) then "sha256:18ggs7jwmpi58k7xza4axy3cjs17c596ihq5y70h6sryz2hypgba" else (if (config.onLinux) then "sha256:03plivnr4cg0h8v7djf9g2jra09r45pmdiirmy4lvl2n1d4yb7ac" else "sha256:16xi1yijq2ccbp8254zc0b5fgz0igxvyf4yn349wj2ggk4cl6dgn"); + }) { system = pkgs.stdenv.hostPlatform.system; }; package = unstable.nushell; in { diff --git a/modules/common/shell/default.nix b/modules/common/shell/default.nix index 6b0e720..80bd437 100644 --- a/modules/common/shell/default.nix +++ b/modules/common/shell/default.nix @@ -179,12 +179,10 @@ in nuExecCondition = if config.isDarwin then '' - [[ $- == *i* ]] && [ -z "$skip" ] && [ -t 0 ] && [ -t 1 ] + [[ $- == *i* ]] && [ -z "$skip" ] && [ -t 1 ] '' else - '' - [[ $- == *i* ]] && [ -z "$INTELLIJ_ENVIRONMENT_READER" ] && [ -z "$skip" ] && [ -z "$SSH_TTY" ] && [ -t 0 ] && [ -t 1 ] - ''; + ''[ -z "$INTELLIJ_ENVIRONMENT_READER" ] && [ -z "$skip" ] && [ -z "$SSH_TTY" ]''; in { programs.fish = { diff --git a/modules/darwin/homebrew.nix b/modules/darwin/homebrew.nix index 252a08f..6961e3f 100644 --- a/modules/darwin/homebrew.nix +++ b/modules/darwin/homebrew.nix @@ -1,7 +1,6 @@ { homebrew-core, homebrew-cask, - steipete-tap, config, ... }: 
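Review bot: The new `unstable` binding in `0_nushell.nix` fetches `https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz`, a moving branch tarball, while pinning its contents with three host-specific `sha256` values; as soon as the branch advances the hash no longer matches and evaluation fails until it is bumped, and the three per-host hashes cannot all be current at the same time. Pin the URL to the commit each hash was taken from, `url = "https://github.com/NixOS/nixpkgs/archive/<rev>.tar.gz";`, so the integrity check stays valid and the build is reproducible, which also removes the need for the `isServer`/`onLinux` conditional. Alternatively keep the locked flake input the removed comment relied on, which already records a rev in `flake.lock`.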
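Review bot: The Linux branch of `nuExecCondition` in `shell/default.nix` drops the `[[ $- == *i* ]]`, `[ -t 0 ]` and `[ -t 1 ]` tests and keeps only environment-variable checks, so if this value guards the `exec` into nushell it now also fires for non-interactive shells — scripts, `ssh host cmd` (which does not set `SSH_TTY`), cron, and rsync/scp over ssh — and can hang or break them. Keep at least the interactivity and output-tty tests, as the Darwin branch still does: `[[ $- == *i* ]] && [ -z "$INTELLIJ_ENVIRONMENT_READER" ] && [ -z "$skip" ] && [ -z "$SSH_TTY" ] && [ -t 1 ]`. The Linux string also lost its trailing newline while the Darwin one keeps it, which matters if the value is spliced into a larger script. Where `nuExecCondition` is consumed lies outside this hunk.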
@@ -17,8 +16,7 @@ taps."homebrew/homebrew-core" = homebrew-core; taps."homebrew/homebrew-cask" = homebrew-cask; - taps."steipete/tap" = steipete-tap; - mutableTaps = true; + mutableTaps = false; }; } diff --git a/modules/darwin/karabiner.nix b/modules/darwin/karabiner.nix index 15b8fee..eead1b4 100644 --- a/modules/darwin/karabiner.nix +++ b/modules/darwin/karabiner.nix @@ -8,13 +8,9 @@ let ]; openGhostty = "open -na Ghostty.app"; - openCmux = "open -na cmux.app"; openHelium = "open -na Helium.app"; openHeliumNotifications = "open -na Helium.app --args https://x.com/i/notifications"; openHeliumT3Chat = "open -na Helium.app --args https://t3.chat/"; - openHeliumExaSearch = "open -na Helium.app --args https://exa.ai/search"; - openChatGPT = "open -na Helium.app --args https://chatgpt.com/"; - openClaude = "open -na Helium.app --args https://claude.ai/new"; numbers = [ "1" @@ -106,6 +102,7 @@ let ]; to_if_alone = [ { + hold_down_milliseconds = 500; key_code = "escape"; } ]; @@ -114,7 +111,7 @@ let ]; } { - description = "Hyper+Return opens cmux"; + description = "Hyper+Return opens Ghostty"; manipulators = [ { from = { @@ -125,7 +122,7 @@ let }; to = [ { - shell_command = openCmux; + shell_command = openGhostty; } ]; type = "basic"; @@ -189,25 +186,6 @@ let } ]; } - { - description = "Hyper+E opens Exa Search"; - manipulators = [ - { - from = { - key_code = "e"; - modifiers = { - mandatory = hyperModifiers; - }; - }; - to = [ - { - shell_command = openHeliumExaSearch; - } - ]; - type = "basic"; - } - ]; - } { description = "Toggle Focus Mode with F6"; manipulators = [ 
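Review bot: `hold_down_milliseconds = 500;` in `karabiner.nix` is placed on the `to_if_alone` Escape event, which presumably makes Karabiner hold the synthesized Escape down for half a second on every lone tap rather than widening the tap-versus-hold window; if the latter was the intent, the manipulator-level knob is `parameters = { "basic.to_if_alone_timeout_milliseconds" = 500; };`. If a long Escape press is genuinely wanted, a comment such as `# hold Escape for 500 ms so apps that debounce short presses register it` would stop the next reader from "fixing" it. The manipulator this event belongs to begins before the hunk.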
@@ -220,82 +198,6 @@ let } ]; } - { - description = "Hyper+Q runs Add Quote shortcut"; - manipulators = [ - { - from = { - key_code = "q"; - modifiers = { - mandatory = hyperModifiers; - }; - }; - to = [ - { - shell_command = "shortcuts run 'Add Quote'"; - } - ]; - type = "basic"; - } - ]; - } - { - description = "Hyper+G runs Shades of Gray shortcut"; - manipulators = [ - { - from = { - key_code = "g"; - modifiers = { - mandatory = hyperModifiers; - }; - }; - to = [ - { - shell_command = "shortcuts run 'Shades of Gray'"; - } - ]; - type = "basic"; - } - ]; - } - { - description = "Hyper+C opens ChatGPT"; - manipulators = [ - { - from = { - key_code = "c"; - modifiers = { - mandatory = hyperModifiers; - }; - }; - to = [ - { - shell_command = openChatGPT; - } - ]; - type = "basic"; - } - ]; - } - { - description = "Hyper+L opens Claude"; - manipulators = [ - { - from = { - key_code = "l"; - modifiers = { - mandatory = hyperModifiers; - }; - }; - to = [ - { - shell_command = openClaude; - } - ]; - type = "basic"; - } - ]; - } ]; }; diff --git a/modules/darwin/packages.nix b/modules/darwin/packages.nix index 194e1b4..6186e0d 100644 --- a/modules/darwin/packages.nix +++ b/modules/darwin/packages.nix @@ -1,6 +1,6 @@ { pkgs, ... }: { homebrew.enable = true; # homebrew.brews = [ "mole" ]; - # homebrew.casks = [ "google-chrome" ]; + homebrew.casks = [ "google-chrome" ]; environment.systemPackages = [ pkgs.iina ]; } diff --git a/secrets.nix b/secrets.nix index 5287776..c8ca474 100644 --- a/secrets.nix +++ b/secrets.nix 
@@ -8,9 +8,13 @@ in "hosts/thegeneralist-central/acme/acmeEnvironment.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/cert.pem.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/credentials.age".publicKeys = [ thegeneralist ]; + "hosts/thegeneralist-central/credentials_personal.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/cache/key.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/password.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/forgejo/forgejo-runner-token.age".publicKeys = [ thegeneralist ]; + "hosts/thegeneralist-central/forgejo/forgejo-family-site-deploy-token.age".publicKeys = [ + thegeneralist + ]; "hosts/thegeneralist-central/readlater-bot-token.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/readlater-bot-sync-token.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/readlater-bot-user-id.age".publicKeys = [ thegeneralist ];