rpi4: configure gitea

flake.lock

@@ -1,5 +1,28 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1718371084,
+        "narHash": "sha256-abpBi61mg0g+lFFU0zY4C6oP6fBwPzbHPKBGw676xsA=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "3a56735779db467538fb2e577eda28a9daacaca6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
     "base16": {
       "inputs": {
         "fromYaml": "fromYaml"
@@ -114,6 +137,28 @@
         "type": "github"
       }
     },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700795494,
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "flake-compat": {
       "flake": false,
       "locked": {
@@ -164,7 +209,7 @@
     },
     "flake-utils": {
       "inputs": {
-        "systems": "systems_4"
+        "systems": "systems_5"
       },
       "locked": {
         "lastModified": 1681202837,
@@ -182,7 +227,7 @@
     },
     "flake-utils_2": {
       "inputs": {
-        "systems": "systems_5"
+        "systems": "systems_6"
       },
       "locked": {
         "lastModified": 1710146030,
@@ -200,7 +245,7 @@
     },
     "flake-utils_3": {
       "inputs": {
-        "systems": "systems_6"
+        "systems": "systems_7"
       },
       "locked": {
         "lastModified": 1705309234,
@@ -252,20 +297,20 @@
     "home-manager": {
       "inputs": {
         "nixpkgs": [
+          "agenix",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1717476296,
-        "narHash": "sha256-ScHe38Tr+TxGURC17kby4mIIxOG3aJvZWXzPM79UnEk=",
+        "lastModified": 1718788307,
+        "narHash": "sha256-SqiOz0sljM0GjyQEVinPXQxaGcbOXw5OgpCWGPgh/vo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "095ef64aa3b2ab4a4f1bf07f29997e21e3a5576a",
+        "rev": "d7830d05421d0ced83a0f007900898bdcaf2a2ca",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-23.11",
         "repo": "home-manager",
         "type": "github"
       }
@@ -290,6 +335,27 @@
         "type": "github"
       }
     },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717476296,
+        "narHash": "sha256-ScHe38Tr+TxGURC17kby4mIIxOG3aJvZWXzPM79UnEk=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "095ef64aa3b2ab4a4f1bf07f29997e21e3a5576a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-23.11",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "hyprcursor": {
       "inputs": {
         "hyprlang": [
@@ -325,7 +391,7 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "systems": "systems_2"
+        "systems": "systems_3"
       },
       "locked": {
         "lastModified": 1716309977,
@@ -347,7 +413,7 @@
         "hyprlang": "hyprlang_2",
         "hyprwayland-scanner": "hyprwayland-scanner",
         "nixpkgs": "nixpkgs",
-        "systems": "systems_3",
+        "systems": "systems_4",
         "xdph": "xdph"
       },
       "locked": {
@@ -399,7 +465,7 @@
           "hypridle",
           "nixpkgs"
         ],
-        "systems": "systems"
+        "systems": "systems_2"
       },
       "locked": {
         "lastModified": 1713121246,
@@ -670,7 +736,8 @@
     },
     "root": {
       "inputs": {
-        "home-manager": "home-manager",
+        "agenix": "agenix",
+        "home-manager": "home-manager_2",
         "home-manager-unstable": "home-manager-unstable",
         "hypridle": "hypridle",
         "hyprland": "hyprland",
@@ -686,7 +753,7 @@
         "pkg-android-tools": "pkg-android-tools",
         "rust-overlay": "rust-overlay",
         "stylix": "stylix",
-        "systems": "systems_7"
+        "systems": "systems_8"
       }
     },
     "rust-overlay": {
@@ -745,16 +812,16 @@
     },
     "systems": {
       "locked": {
-        "lastModified": 1689347949,
-        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
         "owner": "nix-systems",
-        "repo": "default-linux",
-        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
         "type": "github"
       },
       "original": {
         "owner": "nix-systems",
-        "repo": "default-linux",
+        "repo": "default",
         "type": "github"
       }
     },
@@ -790,16 +857,16 @@
     },
     "systems_4": {
       "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "lastModified": 1689347949,
+        "narHash": "sha256-12tWmuL2zgBgZkdoB6qXZsgJEH9LR3oUgpaQq2RbI80=",
         "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "repo": "default-linux",
+        "rev": "31732fcf5e8fea42e59c2488ad31a0e651500f68",
         "type": "github"
       },
       "original": {
         "owner": "nix-systems",
-        "repo": "default",
+        "repo": "default-linux",
         "type": "github"
       }
     },
@@ -848,6 +915,21 @@
         "type": "github"
       }
     },
+    "systems_8": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "xdph": {
       "inputs": {
         "hyprland-protocols": "hyprland-protocols",

flake.nix

@@ -61,6 +61,11 @@
 
     impermanence.url = "github:nix-community/impermanence";
 
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+
     stylix = {
       url = "github:danth/stylix?ref=e8e3304c2f8cf2ca60dcfc736a7422af2f24b8a8";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -307,6 +312,7 @@
       default = pkgs.mkShell {
         buildInputs = with pkgs; [
           nix-update
+          inputs.agenix.packages.${system}.default
         ];
       };
     });
@@ -346,6 +352,14 @@
         stateVersion = "23.11";
         hostname = "nixos-wsl";
       };
+
+      rpi4 = mkSystem {
+        nixpkgs = inputs.nixpkgs-unstable;
+        home-manager = inputs.home-manager-unstable;
+        system = "aarch64-linux";
+        stateVersion = "24.11";
+        hostname = "rpi4";
+      };
     }; # end nixosConfigurations
 
     homeConfigurations = {

hosts/rpi4/configuration.nix

@@ -0,0 +1,169 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ./services.nix
+    ];
+
+  fileSystems = let
+    mounts = [
+      "/nix"
+      "/"
+      "/.btrfsroot"
+      "/home"
+      "/opt/hassio"
+      "/opt/hassio/.snapshots"
+    ];
+    fn = (x: { options = [ "compress=zstd" ];});
+  in lib.genAttrs mounts fn;
+
+  # Use the extlinux boot loader. (NixOS wants to enable GRUB by default)
+  boot.loader.grub.enable = false;
+  # Enables the generation of /boot/extlinux/extlinux.conf
+  boot.loader.generic-extlinux-compatible.enable = true;
+
+  nixfiles = {
+    profile.server.enable = true;
+  };
+
+  # VPN services
+  age.secrets.wg0 = {
+    file = ../../secrets/wireguard-rpi4.age;
+  };
+  services.tailscale.enable = true;
+  networking.wg-quick.interfaces.wg0 = {
+    configFile = config.age.secrets.wg0.path;
+    autostart = true;
+  };
+
+  networking.firewall.trustedInterfaces = [
+    "wg0"
+    "tailscale0"
+  ];
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+  };
+  # networking.hostName = "nixos"; # Define your hostname.
+  networking.hostName = "rpi4";
+  # Pick only one of the below networking options.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+
+  # Set your time zone.
+  # time.timeZone = "Europe/Amsterdam";
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  # Select internationalisation properties.
+  # i18n.defaultLocale = "en_US.UTF-8";
+  # console = {
+  #   font = "Lat2-Terminus16";
+  #   keyMap = "us";
+  #   useXkbConfig = true; # use xkb.options in tty.
+  # };
+
+  # Enable the X11 windowing system.
+  # services.xserver.enable = true;
+
+
+  
+
+  # Configure keymap in X11
+  # services.xserver.xkb.layout = "us";
+  # services.xserver.xkb.options = "eurosign:e,caps:escape";
+
+  # Enable CUPS to print documents.
+  # services.printing.enable = true;
+
+  # Enable sound.
+  # hardware.pulseaudio.enable = true;
+  # OR
+  # services.pipewire = {
+  #   enable = true;
+  #   pulse.enable = true;
+  # };
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.libinput.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  # users.users.alice = {
+  #   isNormalUser = true;
+  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+  #   packages = with pkgs; [
+  #     firefox
+  #     tree
+  #   ];
+  # };
+    users.users.nullbite = {
+        isNormalUser = true;
+        extraGroups = [ "wheel" ];
+        uid = 1000;
+    };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  # environment.systemPackages = with pkgs; [
+  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+  #   wget
+  # ];
+  programs.neovim = {
+    enable = true;
+  };
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  # services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.11"; # Did you read the comment?
+
+}
+

hosts/rpi4/gitea.nix

@@ -0,0 +1,52 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.gitea;
+in
+{
+  config = {
+    services.gitea = {
+      enable = true;
+      lfs.enable = true;
+      settings = {
+        repository = {
+          ENABLE_PUSH_CREATE_USER = true;
+          ENABLE_PUSH_CREATE_ORG = true;
+          DEFAULT_PUSH_CREATE_PRIVATE = true;
+        };
+
+        server = {
+          ROOT_URL = "https://gitea.protogen.io/";
+          LANDING_PAGE = "explore";
+          OFFLINE_MODE = false;
+        };
+
+        service.DISABLE_REGISTRATION = true;
+
+        session = {
+          COOKIE_NAME = "session";
+          COOKIE_SECURE = false;
+          PROVIDER = "file";
+        };
+        # TODO package themes
+        ui = {
+          DEFAULT_THEME = "catppuccin-mocha-pink";
+          THEMES = let
+            ctpAttrs = {
+              flavor = [ "latte" "frappe" "macchiato" "mocha" ];
+              accent = [ "rosewater" "flamingo" "pink" "mauve"
+                "red" "maroon" "peach" "yellow" "green" "teal"
+                "sky" "sapphire" "blue" ];
+            };
+            ctpThemes = lib.mapCartesianProduct
+              ( { flavor, accent }: "catppuccin-${flavor}-${accent}" )
+              ctpAttrs;
+          in lib.concatStringsSep "," ([
+            "gitea"
+            "arc-green"
+            "auto"
+          ] ++ ctpThemes);
+        };
+      };
+    };
+  };
+}

hosts/rpi4/hardware-configuration.nix

@@ -0,0 +1,82 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/.btrfsroot" =
+    { device = "/dev/disk/by-uuid/112535b6-4318-4d26-812b-7baf0d65dae5";
+      fsType = "btrfs";
+      options = [ "subvol=/" ];
+    };
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/112535b6-4318-4d26-812b-7baf0d65dae5";
+      fsType = "btrfs";
+      options = [ "subvol=nixos/@" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "/dev/disk/by-uuid/112535b6-4318-4d26-812b-7baf0d65dae5";
+      fsType = "btrfs";
+      options = [ "subvol=nixos/@nix" ];
+    };
+
+  fileSystems."/home" =
+    { device = "/dev/disk/by-uuid/112535b6-4318-4d26-812b-7baf0d65dae5";
+      fsType = "btrfs";
+      options = [ "subvol=@home" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/18e0dfd8-78bd-478d-9df8-1c28bc0b55df";
+      fsType = "ext4";
+    };
+
+  fileSystems."/srv/syncthing" =
+    { device = "/dev/disk/by-uuid/112535b6-4318-4d26-812b-7baf0d65dae5";
+      fsType = "btrfs";
+      options = [ "subvol=/@syncthing" ];
+    };
+
+  fileSystems."/srv/media" =
+    { device = "/dev/disk/by-uuid/112535b6-4318-4d26-812b-7baf0d65dae5";
+      fsType = "btrfs";
+      options = [ "subvol=/@media" ];
+    };
+
+  fileSystems."/opt/hassio" =
+    { device = "/dev/disk/by-uuid/112535b6-4318-4d26-812b-7baf0d65dae5";
+      fsType = "btrfs";
+      options = [ "subvol=/@hassio" ];
+    };
+
+  fileSystems."/opt/hassio/.snapshots" =
+    { device = "/dev/disk/by-uuid/112535b6-4318-4d26-812b-7baf0d65dae5";
+      fsType = "btrfs";
+      options = [ "subvol=/snapshots/@hassio" ];
+    };
+
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.end0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
+

hosts/rpi4/home.nix

@@ -0,0 +1,7 @@
+{ config, ... }:
+{
+  config = {
+    nixfiles.profile.base.enable = true;
+    programs.keychain.enable = false;
+  };
+}

hosts/rpi4/reddit-subscriptions.txt

@@ -0,0 +1,42 @@
+Addons4Kodi
+archlinux
+AreTheStraightsOK
+autism
+beatsaber
+Bitwarden
+boykisser
+ConservativeRap
+crackheadcraigslist
+crackwatch
+DataHoarder
+Destiny2
+DestinyMemes
+DestinyTheGame
+duolingo
+ennnnnnnnnnnnbbbbbby
+evilautism
+femboymemes
+feminineboys
+flatpak
+geometrydash
+homeassistant
+ihaveihaveihavereddit
+linux
+linux_gaming
+NixOS
+NonBinaryTalk
+okbuddyhetero
+peepeeshart
+prismlauncher
+rust
+rustjerk
+selfhosted
+steam
+SteamDeck
+talesfromtechsupport
+techsupport
+termux
+theamazingdigitalciru
+Ultrakill
+VaushV
+whenthe

hosts/rpi4/services.nix

@@ -0,0 +1,137 @@
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    ./gitea.nix
+  ];
+  config = {
+
+    age.secrets.cloudflaredns = {
+      file = ../../secrets/cloudflare-dns.age;
+      group = "secrets";
+    };
+
+    users.groups.secrets = {};
+    users.users.acme.extraGroups = [ "secrets" ];
+
+    security.acme = {
+      acceptTerms = true;
+      maxConcurrentRenewals = 1;
+
+      defaults.email = "iancoguz@gmail.com";
+
+      certs = {
+        "protogen.io" = {
+          credentialFiles = {
+            "CLOUDFLARE_EMAIL_FILE" = pkgs.writeText "email" "iancoguz@gmail.com";
+            "CLOUDFLARE_API_KEY_FILE" = config.age.secrets.cloudflaredns.path;
+          };
+
+          dnsProvider = "cloudflare";
+          domain = "protogen.io";
+          extraDomainNames = [
+            "*.protogen.io"
+            "nullbite.com"
+            "*.nullbite.com"
+            "nullbite.dev"
+            "*.nullbite.dev"
+            "nbt.sh"
+            "*.nbt.sh"
+          ];
+        };
+      };
+    };
+
+    users.users.nginx.extraGroups = [ "acme" ];
+
+    networking.firewall.allowedTCPPorts = [
+      80 443
+      # this is needed for node to work for some reason
+      8123
+    ];
+
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+
+      commonHttpConfig = ''
+        port_in_redirect off;
+      '';
+
+      virtualHosts = let
+        mkReverseProxy = port: {
+          useACMEHost = "protogen.io";
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${builtins.toString port}";
+            proxyWebsockets = true;
+          };
+        };
+      in {
+        # TODO change all these with a vim macro when i learn how to extend submodules
+        "changedetection.protogen.io" = mkReverseProxy 5000;
+        "firefly.protogen.io" = mkReverseProxy 8083;
+        # firefly-import auth 8084
+        "gitea.protogen.io" = mkReverseProxy 3000;
+        # home assistant
+        "hass.protogen.io" = mkReverseProxy 8123;
+        "node.protogen.io" = mkReverseProxy 1880;
+        # z2m auth 8124
+        "room.protogen.io" = mkReverseProxy 8096;
+        # deemix auth 8096
+        # libreddit auth 8087
+        "rss.protogen.io" = mkReverseProxy 8082;
+        "blahaj.protogen.io" = mkReverseProxy 8086;
+        # octoprint (proxy_addr is 10.10.1.8)
+        # searx auth 8088 (none for /favicon.ico, /autocompleter, /opensearch.xml)
+        # nbt.sh alias proot.link 8090
+        # admin.nbt.sh alias admin.proot.link 8091 auth
+        # create track map todo later
+        "uptime.protogen.io" = mkReverseProxy 3001;
+        "kuma.protogen.io".locations."/".return = "301 https://uptime.protogen.io";
+        "vsc-hass.protogen.io" = mkReverseProxy 1881;
+
+
+        "localhost" = {
+          default = true;
+          addSSL = true;
+          useACMEHost = "protogen.io";
+          locations."/" = {
+            return = "302 https://protogen.io$request_uri";
+          };
+        };
+        "protogen.io" = {
+          serverAliases = [ "x.protogen.io" ];
+          useACMEHost = "protogen.io";
+          forceSSL = true;
+          locations."/" = {
+            root = "/srv/http";
+            extraConfig = ''
+              autoindex on;
+            '';
+          };
+        };
+      };
+    };
+
+    virtualisation.docker = {
+      enable = true;
+      storageDriver = "btrfs";
+    };
+
+    systemd.services.libreddit.environment = {
+      LIBREDDIT_DEFAULT_SUBSCRIPTIONS = lib.pipe ./reddit-subscriptions.txt [
+        builtins.readFile
+        (lib.splitString "\n")
+        (lib.filter (x: x != ""))
+        (lib.concatStringsSep "+")
+      ];
+    };
+    services.libreddit = {
+      enable = true;
+      port = 8087;
+      package = pkgs.redlib;
+    };
+  };
+}

overlays/mitigations.nix

@@ -19,6 +19,12 @@ in {
   in if ((builtins.compareVersions "2024.5.27" prev.yt-dlp.version) == 1)
     then (final.python3Packages.toPythonApplication pkgs-y.python3Packages.yt-dlp)
     else prev.yt-dlp;
+
+  redlib = let
+    redlib-new = final.callPackage nixfiles.packages.${prev.system}.redlib.override {};
+    inherit (prev) redlib;
+    notOlder = (builtins.compareVersions redlib-new.version redlib.version) >= 0;
+  in if notOlder then redlib-new else redlib;
 }
   # # can't optionalAttrs for version checks because it breaks lazy eval and causes infinite recursion
   # // {

pkgs/default.nix

@@ -12,4 +12,5 @@ in
   wm-helpers = callPackage ./wm-helpers { };
   atool = callPackage ./atool-wrapped { };
   nixfiles-assets = callPackage ./nixfiles-assets { };
+  redlib = callPackage ./redlib { };
 }

pkgs/redlib/auth-fix.patch

@@ -0,0 +1,30 @@
+From bd47c206a1d94c8382570b69730d72562d777454 Mon Sep 17 00:00:00 2001
+From: Matthew Esposito <matt@matthew.science>
+Date: Thu, 30 May 2024 18:08:45 -0400
+Subject: [PATCH] fix(oauth): Make Android user-agent patching unconditional
+
+---
+ src/client.rs | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/client.rs b/src/client.rs
+index 5b8fe8f..5ea9d1c 100644
+--- a/src/client.rs
++++ b/src/client.rs
+@@ -181,11 +181,12 @@ fn request(method: &'static Method, path: String, redirect: bool, quarantine: bo
+ 		)
+ 	};
+ 
+-	// Check if multi sub requested, or if submitted was requested. If so, replace "Android" with a tricky word.
++	// Replace "Android" with a tricky word.
+ 	// Issues: #78/#115, #116
+-	if path.contains('+') || path.contains("/submitted") {
+-		user_agent = user_agent.replace("Android", "Andr\u{200B}oid");
+-	}
++	// If you include the word "Android", you will get a number of different errors
++	// I guess they don't expect mobile traffic on the endpoints we use
++	// Scrawled on wall for next poor soul: Run the test suite.
++	user_agent = user_agent.replace("Android", "Andr\u{200B}oid");
+ 
+ 	// Build request to Reddit. When making a GET, request gzip compression.
+ 	// (Reddit doesn't do brotli yet.)

pkgs/redlib/default.nix

@@ -0,0 +1,65 @@
+{ lib
+, stdenv
+, cacert
+, nixosTests
+, rustPlatform
+, fetchFromGitHub
+, darwin
+}:
+rustPlatform.buildRustPackage rec {
+  pname = "redlib";
+  version = "0.34.0";
+
+  src = fetchFromGitHub {
+    owner = "redlib-org";
+    repo = "redlib";
+    rev = "refs/tags/v${version}";
+    hash = "sha256-JpuCX2ae9me+zHxQj5jqQlgDci2NV+TEVUAqnuTn3cA=";
+  };
+
+  patches = [
+    ./auth-fix.patch
+  ];
+
+  cargoHash = "sha256-gkRblCHUFiprZeYtu43GIGBZqCq5l/HEGaQN91XbfSs=";
+
+  buildInputs = lib.optionals stdenv.isDarwin [
+    darwin.apple_sdk.frameworks.Security
+  ];
+
+  checkFlags = [
+    # All these test try to connect to Reddit.
+    "--skip=test_fetching_subreddit_quarantined"
+    "--skip=test_fetching_nsfw_subreddit"
+    "--skip=test_fetching_ws"
+
+    "--skip=test_obfuscated_share_link"
+    "--skip=test_share_link_strip_json"
+
+    "--skip=test_localization_popular"
+    "--skip=test_fetching_subreddit"
+    "--skip=test_fetching_user"
+
+    # These try to connect to the oauth client
+    "--skip=test_oauth_client"
+    "--skip=test_oauth_client_refresh"
+    "--skip=test_oauth_token_exists"
+  ];
+
+  env = {
+    SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
+  };
+
+  passthru.tests = {
+    inherit (nixosTests) redlib;
+  };
+
+  meta = {
+    changelog = "https://github.com/redlib-org/redlib/releases/tag/v${version}";
+    description = "Private front-end for Reddit (Continued fork of Libreddit)";
+    homepage = "https://github.com/redlib-org/redlib";
+    license = lib.licenses.agpl3Only;
+    mainProgram = "redlib";
+    maintainers = with lib.maintainers; [ soispha ];
+  };
+}

secrets/secrets.nix

@@ -0,0 +1,18 @@
+let
+  pkgs = import <nixpkgs> {};
+  lib = pkgs.lib;
+
+  rpi4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG0FSLInClzASv4Ul0bZ5Rxa59M7ExyCYt1emHOwztGr";
+
+  all-user = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC6HOSwsMvNtv6iOxDLhSTnjREyAIGXoQ5IgC/mXfAIT9vA59fbI74wjdzbIUd9sZLd4mIExhdKw5ihaSOmsIb2x4tokjIHvjsdWJVBXqwqoYCd+9S4aoi5Nc0YHLCqTQM7LqJTCbE6HzLqkiZNhocgAnEIXpgcpnf0kB7suFXSKY/XY2ALFYXVohPfZTQsJqfkGkkVTgzglFV8kaVUeas0vLsDVU73lQjZ1oO4n2Ps+O9jbjFp3Zk/5txcKO3rVEqEy8vJLHIHFXnqo/2WOiM/ZagwoDXBwGZjH++klVwBb1Bu6MKbahI986gamVrWPgoRr/AaeC/WkVXIG3Yi4BG6sxhTlYoO3MwfnaQNetAAfT6XmzifTxtCGxIM5MdwC0n19C2qLwAU6EXhW0/W7RPqdsA5BcsQX9Fg+3yJX/xVwAeiRE5DzyI8aCkemXn7y7BAAbXG+e3YEetUrNjdRNWIeMrGv8LckE5z5sfifbwks5+++K+1X256bGX93m7Nn7U="
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4eg1TMjggwqdur1bsBqz4wzLchxAfcVl9XPJQ/Z4NCjKD+/lqmUQNt1n5ld5w/fRirkcsOIcoWSW1ioisvoZEtv5I5clQLLHA4sNIO2hXnNP3+XF+pB/eBZ6my4/nySl1QkDBEFE7HDTw0S6aZAkk3xoD08W2mU4xcVnVUeBUGyOy2Wt8NESYqwfw0qcIyRd37YmlOk22v/aVlMAsBSI73ug7/qTsVFp8G1py2BLi0ZwA5MfiZ8LZ6Y9gXFVGAA1pi2TiG+PVRMe9HsVHrxYX7crx6XnWmaa2o1KmxqWXriTd8zO2OGgoCW8klIeKnsJ3fGXJlLpcgxOXwg9vkE3EjWyihRrzooQdcfgrdxs7CY4D9OY2HrJ66h/bOtQgQCjI6/jN8SB+thhktj8fF5kSpB2hnquZPddVaRl83EmDqx03eqPVWtoGfEFi5/M6LGcqu8dYVoKioFnMFWaZVxlIn0goNCF6eV4+xPtFn/Wt6o4twYKJVEVXbhFQbiebUgk="
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0enlNbo1V5q0yq6n90gRPsNznoQ/KLEjeo1yOAUyJwPi35cw+b3p4DRN7T55DcSivKKE9Hyh6bpaQWFJSLyP5jAtDrYkuUfNx5GkgrquMwMvwzk3Z+h2/J/WgDyKQZXtm9LHYTgiW8jDU1lBiks39IqCAGrCTLAmAHSaJ39A4ZpJwu6zZ9sQqT22E/UpFm5MBezdZbm8V0G+beX+y3+pp8Kag7goGNY+rgTgx7REDz3jzZz3FBP+CxKoo1H8HHz78RDqBb8HKpVQYNQkwvIBeczKawRHIkJO2Mk+1mc6Ta6beA9+Uyf+puxco2xl6BOnDInvnhWJIRXOJuR5P8/YWprE1o4ixF2N95D2GlJ618V7faEovu/sNj8qIvfA66OF1gG+LOfNAl+u2+3V8ewATF493F0q04zhenoH1ZdrsACJfL8tK9Ev9056ImR6aSJ5BjqCk0tMmnLKTZ7q3R2LoKnB1r/TXe10OH7rx5BDAt4OmD8a5QS0RvVgK3O/iMW0="
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDSAD3bCc9ZHGqU+HoCtp69uU3Px5bbVYYrHbLS3AS1Xku9rPKE/oUU/fz8/AZxp6dLuKhPjQjLzgbFjM0rK57fiOPqBnlw3eAiIymrlB03ALLV3y+GF2OhVf2rkcPkUxjK978dwS9bxgty6WzPAoSjNwilzgf2CcLcHyIzDwwzWCndM9jtpXbUbLhOH6CvsvygBD7j06wakLOorTS+cAFecUvaUkDr6gSu6zpM29DcFiq8T1VoWhBzwC/9IKnxV/XqaZBM3Em7NfPQIzYWcD9A5+Holj2I6jcTSd9xIdMhD4Miqm8IdojPkP2NuVfD9AMxn0ccwbROG/zliyXtcxRj8b3jEquBKuN+yGqF5hexmKlhHmHua9NwhsWnGWjOWWSaPtsp3WOM/fEc7cWpVWZ+W8V5LbdWEY3Ke52Cz35QbOSml09H/gIzsMxZbiZvkJB4PvWKf0FoyZ8ojJWIaGP1/LQdXNMWorqy7tWp3sAw3JcMsR0ezJ3YoI6Y6FOIdL0="
+  ];
+in
+{
+  "cloudflare-dns.age".publicKeys = [ rpi4 ] ++ all-user;
+  "wireguard-rpi4.age".publicKeys = [ rpi4 ] ++ all-user;
+}
+

system/default.nix

@@ -18,6 +18,7 @@ in
     # modules
     inputs.nix-minecraft.nixosModules.minecraft-servers
     inputs.impermanence.nixosModules.impermanence
+    inputs.agenix.nixosModules.default
     ./stylix.nix # imports inputs.stylix
   ];
   config = {};

system/profile/base.nix

@@ -42,12 +42,6 @@ in
         ];
       };
 
-      # networking.hostName = "nixos"; # Define your hostname.
-      # Pick only one of the below networking options.
-      # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-      # FIXME find somewhere else to put this
-      networking.networkmanager.enable = lib.mkDefault true;  # Easiest to use and most distros use this by default.
-
       # List packages installed in system profile. To search, run:
       # $ nix search wget
       environment.systemPackages = with pkgs; let

system/profile/default.nix

@@ -3,5 +3,6 @@
   imports = [
     ./base.nix
     ./pc.nix
+    ./server.nix
   ];
 }

system/profile/pc.nix

@@ -7,5 +7,11 @@ in
   config = lib.mkIf cfg.enable {
     nixfiles.profile.base.enable = lib.mkDefault true;
     nixfiles.binfmt.enable = lib.mkDefault true;
+
+    # networking.hostName = "nixos"; # Define your hostname.
+    # Pick only one of the below networking options.
+    # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+    # FIXME find somewhere else to put this
+    networking.networkmanager.enable = lib.mkDefault true;  # Easiest to use and most distros use this by default.
   };
 }

system/profile/server.nix

@@ -0,0 +1,13 @@
+{ config, lib, ... }:
+let
+  cfg = config.nixfiles.profile.server;
+  inherit (lib) mkEnableOption mkDefault;
+  inherit (lib.types) bool int str;
+in
+{
+  options.nixfiles.profile.server.enable = mkEnableOption "server profile";
+
+  config = lib.mkIf cfg.enable {
+    nixfiles.profile.base.enable = lib.mkDefault true;
+  };
+}