@ -104,7 +104,8 @@ in {
nets = {
retiolum.ip4.addr = "";
wiregrill = {
# defaults
ip4.addr = "";
aliases = [ "x.w" ];
@ -120,6 +121,12 @@ in {
nets = {
wiregrill = {
aliases = ["omo.w" "hass.omo.w" "jelly.omo.w" "jelly.makefu.w" ];
ip6.addr = (krebs.genipv6 "wiregrill" "makefu" { hostName = "omo"; }).address;
ip4.addr = "";
retiolum = {
ip4.addr = "";
aliases = [
@ -239,6 +246,7 @@ in { IN A ${nets.internet.ip4.addr} IN A ${nets.internet.ip4.addr}
music.euer IN A ${nets.internet.ip4.addr}
ntfy.euer IN A ${nets.internet.ip4.addr}
nets = rec {

@ -1 +1 @@
Ed25519PublicKey = lKMWnuEVjcSoSEUWrj+51pwDQrQj2TqloL3aBKVWBbO

@ -0,0 +1 @@

@ -35,12 +35,13 @@ in
networking = {
firewall.enable = true;
interfaces.et0.ipv4.addresses = [
address = shack-ip;
prefixLength = 20;
interfaces.et0.useDHCP = true;
#interfaces.et0.ipv4.addresses = [
# {
# address = shack-ip;
# prefixLength = 20;
# }
defaultGateway = "";
nameservers = [ "" "" ];

@ -46,10 +46,8 @@
# light.shack web-ui
<stockholm/krebs/2configs/shack/light.shack.nix> #light.shack
# powerraw usb serial to mqtt and raw socket
<stockholm/krebs/2configs/shack/powerraw.nix> # powerraw.shack standby.shack
# send power stats to s3
<stockholm/krebs/2configs/shack/s3-power.nix> # powerraw.shack must be available
# fetch the u300 power stats
{ # do not log to /var/spool/log

@ -7,6 +7,7 @@ in {
SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="${ext-if}"
networking.wireless.enable = true;
networking = {
firewall.enable = true;
firewall.allowedTCPPorts = [ 80 443 8088 8086 8083 5901 ];

imports = [
entity_id = all_covers;

@ -4,7 +4,18 @@ in {
networking.firewall.allowedTCPPorts = [ port ]; # legacy
services.nginx.virtualHosts."grafana.shack" = {
locations."/".proxyPass = "http://localhost:${toString port}";
locations."/" = {
proxyPass = "http://localhost:${toString port}";
extraConfig =''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
services.grafana = {
enable = true;

@ -15,6 +15,16 @@ in
locations."/" = {
proxyPass = "http://localhost:${toString port}/";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_buffering off;
nixpkgs.overlays = [

@ -0,0 +1,29 @@
{ pkgs, ... }:
src = pkgs.fetchFromGitHub {
repo = "shackstrom";
owner = "samularity";
rev = "adfbdc7d12000fbc9fd9367c8ef0a53b7d0a9fad";
hash = "sha256-77vSX2+1XXaBVgLka+tSEK/XYZASEk9iq+uEuO1aOUQ=";
pkg = pkgs.writers.writePython3 "test_python3" {
libraries = [ pkgs.python3Packages.requests pkgs.python3Packages.paho-mqtt ];
} (builtins.readFile "${src}/");
{ = {
u300-power = {
enable = true;
environment = {
DATA_URL = "";
BROKER = "mqtt.shack";
serviceConfig = {
Restart = "always";
ExecStart = pkg;
RestartSec = "15s";
wantedBy = [ "" ];

@ -1,28 +1,12 @@
{ lib,... }:
disk_free_threshold = "10"; # at least this much free disk percentage
disk_free_threshold = "5"; # at least this much free disk percentage
in {
services.prometheus.rules = [(builtins.toJSON
groups = [
{ name = "shack-env";
rules = [
alert = "Wolf RootPartitionFull";
for = "30m";
expr = ''(node_filesystem_avail_bytes{alias="wolf.shack",mountpoint="/"} * 100) / node_filesystem_size_bytes{alias="wolf.shack",mountpoint="/"} < ${disk_free_threshold}'';
labels.severity = "warning";
annotations.summary = "{{ $labels.alias }} root disk full";
annotations.url = "http://grafana.shack/d/hb7fSE0Zz/shack-system-dashboard?orgId=1&var-job=node&var-hostname=All&var-node=wolf.shack:9100&var-device=All&var-maxmount=%2F&var-show_hostname=wolf";
annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%). CI for deploying new configuration will seize working. Log in to the system and try to clean up the obsolete files on the machine. There are a couple of things you can do:
1. `nix-collect-garbage -d`
2. clean up the shack share folder in `/home/share`
3. check `du -hs /var/ | sort -h`.
4. run `docker system prune`
5. `find /var/lib/containers/news/var/lib/htgen-go/items -mtime +7 -delete;` to clean up the link shortener data
5. If you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete
6. as a last resort the root disk can be expanded via `lvresize -L +10G /dev/pool/root && btrfs filesystem resize max /` '';
alert = "Puyak RootPartitionFull";
for = "30m";
@ -32,9 +16,8 @@ in {
annotations.url = "http://grafana.shack/d/hb7fSE0Zz/shack-system-dashboard?orgId=1&var-job=node&var-hostname=All&var-node=wolf.shack:9100&var-device=All&var-maxmount=%2F&var-show_hostname=puyak";
annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%).Prometheus will not be able to create new alerts and CI for deploying new configuration will also seize working. Log in to the system and run `nix-collect-garbage -d` and if this does not help you can check `du -hs /var/ | sort -h`, run `docker system prune` or if you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete'';
# wolf.shack is not worth supervising anymore
alert = "HostDown";
alert = "Infra01 down";
expr = ''up{alias="infra01.shack"} == 0'';
for = "5m";
labels.severity = "page";

@ -0,0 +1,207 @@
import base64
import cgi
import json
import os
import re
import socket
import ssl
import sys
from http.server import BaseHTTPRequestHandler
from typing import List, Optional, Tuple
from urllib.parse import urlparse
DEBUG = os.environ.get("DEBUG") is not None
def _irc_send(
server: str,
nick: str,
channel: str,
sasl_password: Optional[str] = None,
server_password: Optional[str] = None,
tls: bool = True,
port: int = 6697,
messages: List[str] = [],
) -> None:
if not messages:
sock = socket.socket()
if tls:
sock = ssl.wrap_socket(
sock, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_TLSv1_2
def _send(command: str) -> int:
return sock.send((f"{command}\r\n").encode())
def _pong(ping: str):
if ping.startswith("PING"):
sock.send(ping.replace("PING", "PONG").encode("ascii"))
recv_file = sock.makefile(mode="r")
print(f"connect {server}:{port}")
sock.connect((server, port))
if server_password:
_send(f"PASS {server_password}")
_send(f"USER {nick} 0 * :{nick}")
_send(f"NICK {nick}")
for line in recv_file.readline():
if re.match(r"^:[^ ]* (MODE|221|376|422) ", line):
if sasl_password:
_send("CAP REQ :sasl")
auth = base64.encodebytes(f"{nick}\0{nick}\0{sasl_password}".encode("utf-8"))
_send(f"AUTHENTICATE {auth.decode('ascii')}")
_send("CAP END")
_send(f"JOIN :{channel}")
for m in messages:
_send(f"PRIVMSG {channel} :{m}")
for line in recv_file:
print(line, end="")
# Assume INFO reply means we are done
if "End of /INFO" in line:
def irc_send(
url: str, notifications: List[str], password: Optional[str] = None
) -> None:
parsed = urlparse(f"{url}")
username = parsed.username or "prometheus"
server = parsed.hostname or ""
if parsed.fragment != "":
channel = f"#{parsed.fragment}"
channel = "#krebs-announce"
port = parsed.port or 6697
if not password:
password = parsed.password
if len(notifications) == 0:
tls=parsed.scheme == "irc+tls",
class PrometheusWebHook(BaseHTTPRequestHandler):
def __init__(
irc_url: str,
conn: socket.socket,
addr: Tuple[str, int],
password: Optional[str] = None,
) -> None:
self.irc_url = irc_url
self.password = password
self.rfile = conn.makefile("rb")
self.wfile = conn.makefile("wb")
self.client_address = addr
# for testing
def do_GET(self) -> None:
print("GET: Request Received")
self.send_header("Content-type", "text/plain")
def do_POST(self) -> None:
print("POST: Request Received")
content_type, _ = cgi.parse_header(self.headers.get("content-type"))
# refuse to receive non-json content
if content_type != "application/json":
print(f"POST: wrong content type {content_type}")
length = int(self.headers.get("content-length"))
payload = json.loads(
messages = []
for alert in payload["alerts"]:
description = alert["annotations"]["description"]
messages.append(f"{alert['status']}: {description}")
irc_send(self.irc_url, messages, password=self.password)
def systemd_socket_response() -> None:
irc_url = os.environ.get("IRC_URL", None)
if irc_url is None:
"IRC_URL environment variable not set: i.e. IRC_URL=irc+tls://",
password = None
irc_password_file = os.environ.get("IRC_PASSWORD_FILE", None)
if irc_password_file:
with open(irc_password_file) as f:
password =
msgs = sys.argv[1:]
if msgs != []:
irc_send(irc_url, msgs, password=password)
nfds = os.environ.get("LISTEN_FDS", None)
if nfds is None:
"LISTEN_FDS not set. Run me with systemd(TM) socket activation?",
fds = range(3, 3 + int(nfds))
for fd in fds:
sock = socket.fromfd(fd, socket.AF_INET, socket.SOCK_STREAM)
while True:
PrometheusWebHook(irc_url, *sock.accept(), password=password)
except BlockingIOError:
# no more connections
if __name__ == "__main__":
print("Starting in DEBUG mode")
if len(sys.argv) == 3:
print(f"{sys.argv[1]} {sys.argv[2]}")
irc_send(sys.argv[1], [sys.argv[2]])

@ -0,0 +1,59 @@
{ config
, lib
, pkgs
, ...
irc-alerts = pkgs.writers.writePython3 "irc-alerts" {
flakeIgnore = [ "E501" ];
} (builtins.readFile ./;
endpoints = {
binaergewitter = {
url = "irc+tls://";
port = 9223;
systemd.sockets =
(name: opts:
lib.nameValuePair "irc-alerts-${name}" {
description = "Receive http hook and send irc message for ${name}";
wantedBy = [ "" ];
listenStreams = [ "[::]:${builtins.toString opts.port}" ];
}) endpoints; =
(name: opts:
serviceName = "irc-alerts-${name}";
hasPassword = opts.passwordFile or null != null;
lib.nameValuePair serviceName {
description = "Receive http hook and send irc message for ${name}";
requires = [ "irc-alerts-${name}.socket" ];
serviceConfig =
Environment =
++ lib.optional hasPassword "IRC_PASSWORD_FILE=/run/${serviceName}/password";
DynamicUser = true;
User = serviceName;
ExecStart = irc-alerts;
// lib.optionalAttrs hasPassword {
PermissionsStartOnly = true;
ExecStartPre =
"${pkgs.coreutils}/bin/install -m400 "
+ "-o ${serviceName} -g ${serviceName} "
+ "${config.sops.secrets.prometheus-irc-password.path} "
+ "/run/${serviceName}/password";
RuntimeDirectory = serviceName;
}) endpoints;

@ -3,6 +3,7 @@
imports = [
networking = {
firewall.allowedTCPPorts = [
@ -129,11 +130,11 @@
"group_wait" = "30s";
"group_interval" = "2m";
"repeat_interval" = "4h";
"receiver" = "team-admins";
"receiver" = "shack-admins";
"receivers" = [
"name" = "team-admins";
"name" = "shack-admins";
"email_configs" = [ ];
"webhook_configs" = [

@ -14,8 +14,15 @@ in {
# <stockholm/makefu/2configs/homeautomation/default.nix>
# <stockholm/makefu/2configs/homeautomation/google-muell.nix>
# <stockholm/makefu/2configs/hw/pseyecam.nix>
# configure your hw:
# <stockholm/makefu/2configs/save-diskspace.nix>
# directly use the alsa device instead of attaching to pulse
krebs = {
enable = true;
@ -28,5 +35,4 @@ in { = false; = false;
documentation.nixos.enable = false;
sound.enable = false;

@ -10,5 +10,6 @@
options = [ "noatime" ];
#hardware.raspberry-pi."4".fkms-3d.enable = true;
hardware.raspberry-pi."4".fkms-3d.enable = true;
hardware.raspberry-pi."4".audio.enable = true;

@ -9,6 +9,12 @@ in {
imports = [
# wait for mount = lib.mkForce []; = lib.mkForce []; = lib.mkForce [];
users.users.lass = {
uid = 19002;
@ -103,6 +109,7 @@ in {
# <stockholm/makefu/2configs/sabnzbd.nix>
# <stockholm/makefu/2configs/mail/mail.euer.nix>
{ krebs.exim.enable = mkDefault true; }
# sharing
<stockholm/makefu/2configs/share/gum.nix> # samba sahre
@ -125,7 +132,7 @@ in {
# <stockholm/makefu/2configs/wireguard/wiregrill.nix>
{ # recent changes mediawiki bot
networking.firewall.allowedUDPPorts = [ 5005 5006 ];
@ -139,6 +146,7 @@ in {
<stockholm/makefu/2configs/deployment/rss/> # postgres backend
<stockholm/makefu/2configs/deployment/owncloud.nix> #postgres backend
### Moving owncloud data dir to /media/cloud/nextcloud-data
@ -173,7 +181,7 @@ in {
# <stockholm/makefu/2configs/nginx/iso.euer.nix>
# <stockholm/makefu/2configs/deployment/>
# <stockholm/makefu/2configs/deployment/graphs.nix>
# <stockholm/makefu/2configs/deployment/>
@ -184,7 +192,7 @@ in {
# <stockholm/makefu/2configs/deployment/systemdultras-rss.nix>
# <stockholm/makefu/2configs/shiori.nix>

@ -3,7 +3,7 @@ let
external-mac = "96:00:01:24:33:f4";
external-gw = "";
external-ip = "";
external-ip6 = "2a01:4f8:1c17:5cdf::2/64";
external-ip6 = "2a01:4f8:1c17:5cdf::2";
external-gw6 = "fe80::1";
external-netmask = 32;
external-netmask6 = 64;
@ -16,19 +16,20 @@ in
SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}"
networking = {
enableIPv6 = true;
nat.enableIPv6 = true;
interfaces."${ext-if}" = {
useDHCP = true;
ipv6.addresses = [{
address = external-ip6;
prefixLength = external-netmask6;
#ipv4.addresses = [{
# address = external-ip;
# prefixLength = external-netmask;
#ipv6.addresses = [{
# address = external-ip6;
# prefixLength = external-netmask6;
# }];
#defaultGateway6 = { address = external-gw6; interface = ext-if; };
defaultGateway6 = { address = external-gw6; interface = ext-if; };
#defaultGateway = external-gw;
nameservers = [ "" ];

@ -32,8 +32,6 @@ in {
# <stockholm/makefu/2configs/share/hetzner-client.nix>
# Services:
# torrent is managed by gum
# <stockholm/makefu/2configs/torrent/rtorrent.nix>

View file

@ -0,0 +1,27 @@
{ config,nixpkgsPath, pkgs, lib, ... }:
krebs = {
enable = true;
dns.providers.lan = "hosts";
build.user = config.krebs.users.makefu;
imports = [
(nixpkgsPath + "/nixos/modules/profiles/minimal.nix")
(nixpkgsPath + "/nixos/modules/profiles/installation-device.nix")
# cifs-utils fails to cross-compile
# Let's simplify this by removing all unneeded filesystems from the image.
boot.supportedFilesystems = lib.mkForce [ "vfat" ];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
users.users = {
root = {
openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ];
services.openssh.enable = true;

@ -54,17 +54,19 @@ in {
{ krebs.airdcpp.dcpp.shares = let
d = path: "/media/cryptX/${path}";
in {
emu.path = d "emu";
audiobooks.path = lib.mkForce (d "audiobooks");
incoming.path = lib.mkForce (d "torrent");
anime.path = d "anime";
krebs.airdcpp.dcpp.DownloadDirectory = "/media/cryptX/torrent/dcpp";
#{ krebs.airdcpp.dcpp.shares = let
# d = path: "/media/cryptX/${path}";
# in {
# emu.path = d "emu";
# audiobooks.path = lib.mkForce (d "audiobooks");
# incoming.path = lib.mkForce (d "torrent");
# anime.path = d "anime";
# };
# krebs.airdcpp.dcpp.DownloadDirectory = "/media/cryptX/torrent/dcpp";
# copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
#services.sabnzbd.enable = true;
@ -84,12 +86,12 @@ in {
# <stockholm/makefu/2configs/stats/telegraf/europastats.nix>
# <stockholm/makefu/2configs/stats/arafetch.nix>
# services
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 ];
networking.firewall.allowedTCPPorts = [ 80 8123 ];
# <stockholm/makefu/2configs/syncthing.nix>
@ -100,10 +102,11 @@ in {
# <stockholm/makefu/2configs/home/tonie.nix>
# <stockholm/makefu/2configs/home/metube.nix>
# <stockholm/makefu/2configs/home/ham>
makefu.ps3netsrv = {

View file

krebs = {
    enable = true;
# <stockholm/makefu/2configs/hw/pseyecam.nix>
krebs = {
enable = true;

@ -2,6 +2,8 @@
imports = [
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
@ -18,4 +20,5 @@
boot.kernelParams = [ "net.ifnames=0" ];
networking.hostId = "0123AABB";

@ -0,0 +1,51 @@
{ lib, ... }: {
imports = [
nixpkgs.config.allowUnfree = true;
networking.networkmanager.enable = lib.mkForce false;
# sound.enable = true;
#hardware.pulseaudio = {
# enable = true;
# systemWide = true;
# tcp = {
# enable = true;
# anonymousClients.allowAll = true;
# };
#users.users.makefu = {
# extraGroups = [ "pipewire" "audio" ];
#services.xserver = {
# enable = true;
# # desktopManager.xterm.enable = true;
# desktopManager.xfce = {
# enable = true;
# noDesktop = true;
# };
# displayManager.autoLogin = {
# enable = true;
# user = "makefu";
# };
hardware.pulseaudio.enable = lib.mkForce false;
security.rtkit.enable = true;
#services.pipewire = {
# enable = true;
# systemWide = true;
# socketActivation = false;
# alsa.enable = true;
# alsa.support32Bit = true;
# pulse.enable = true;
# config.pipewire-pulse = {
# ""."server.address" = [ "unix:native" "tcp:4713" ];
# };

@ -3,5 +3,4 @@
full = true;
home-manager = true;
hw = true;
disko = true;

@ -0,0 +1,6 @@
networking.wireless = {
enable = true;
networks = import <secrets/wifi.nix>;

@ -22,7 +22,7 @@ in {
# <stockholm/makefu/2configs/virtualisation/virtualbox.nix>
{ environment.systemPackages = [ pkgs.nano ]; }
{ environment.systemPackages = [ pkgs.brother_ql_web pkgs.nano ]; }
# <stockholm/makefu/2configs/gui/studio-virtual.nix>
# <stockholm/makefu/2configs/audio/jack-on-pulse.nix>
@ -53,6 +53,7 @@ in {
<stockholm/makefu/2configs/bureautomation> # new hass entry point
# <stockholm/makefu/2configs/bureautomation/kalauerbot.nix> now runs in thales
# <stockholm/makefu/2configs/bureautomation/visitor-photostore.nix>
# <stockholm/makefu/2configs/bureautomation/mpd.nix> #mpd is only used for TTS, this is the web interface
@ -100,7 +101,9 @@ in {
# temporary
# <stockholm/makefu/2configs/temp/rst-issue.nix>
{ services.jellyfin.enable = true; }
services.jellyfin.enable = true;
krebs = {

@ -48,6 +48,16 @@
{ bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa";}
# imports = [
# <stockholm/makefu/2configs/bureautomation/rhasspy.nix>
# ];
# services.pipewire.config.pipewire-pulse = {
# ""."server.address" = [ "unix:native" "tcp:4713" ];
# };
# networking.firewall.allowedTCPPorts = [ 4713 ];
# users.users.makefu.packages = with pkgs;[ mpc_cli ncmpcpp ];
@ -130,7 +140,7 @@
# <stockholm/makefu/2configs/deployment/hound>
# <stockholm/makefu/2configs/deployment/>
# <stockholm/makefu/2configs/deployment/bureautomation/hass.nix>
# <stockholm/makefu/2configs/bureautomation/office-radio>
# Krebs
@ -146,7 +156,7 @@
# <stockholm/makefu/2configs/syncthing.nix>
# <stockholm/makefu/2configs/sync>
# Virtualization
# <stockholm/makefu/2configs/virtualisation/libvirt.nix>
@ -179,6 +189,7 @@
# temporary
# { services.redis.enable = true; }
# citadel exporter
# { services.mongodb.enable = true; }
# { services.elasticsearch.enable = true; }
# <stockholm/makefu/2configs/deployment/>
@ -189,27 +200,28 @@
# <stockholm/makefu/2configs/lanparty/lancache-dns.nix>
# <stockholm/makefu/2configs/lanparty/samba.nix>
# <stockholm/makefu/2configs/lanparty/mumble-server.nix>
networking.wireguard.interfaces.wg0 = {
ips = [ "" ];
privateKeyFile = (toString <secrets>) + "/wireguard.key";
allowedIPsAsRoutes = true;
peers = [
# gum
endpoint = "${config.krebs.hosts.gum.nets.internet.ip4.addr}:51820";
allowedIPs = [ "" ];
publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
# # vbob
# allowedIPs = [ "" ];
# publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
# {
# networking.wireguard.interfaces.wg0 = {
# ips = [ "" ];
# privateKeyFile = (toString <secrets>) + "/wireguard.key";
# allowedIPsAsRoutes = true;
# peers = [
# {
# # gum
# endpoint = "${config.krebs.hosts.gum.nets.internet.ip4.addr}:51820";
# allowedIPs = [ "" ];
# publicKey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
# }
# #{
# # # vbob
# # allowedIPs = [ "" ];
# # publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
# #}
# ];
# };
# }

@ -0,0 +1,6 @@
{ pkgs, ... }:
powerManagement.powertop.enable = true;
services.power-profiles-daemon.enable = true;
users.users.makefu.packages = [ pkgs.gnome.gnome-power-manager ];

View file

@ -4,6 +4,7 @@
imports = [
<nixos-hardware/lenovo/thinkpad/l14/amd> # close enough
# <stockholm/makefu/2configs/hw/tpm.nix>
@ -17,23 +18,26 @@
# services.xserver.enable = lib.mkForce false;
services.xserver.videoDrivers = [
services.xserver.videoDrivers = [ "amdgpu" ];
boot.initrd.kernelModules = [ "amdgpu" ];
hardware.opengl.driSupport = true;
hardware.opengl.extraPackages = [ pkgs.amdvlk pkgs.rocm-opencl-icd pkgs.rocm-opencl-runtime ];
# For 32 bit applications
hardware.opengl.driSupport32Bit = true;
hardware.opengl.extraPackages32 = with pkgs; [
hardware.opengl.extraPackages = [ pkgs.amdvlk pkgs.rocm-opencl-icd ];
# is required for amd graphics support ( xorg wont boot otherwise )
#boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelPackages = lib.mkForce pkgs.linuxPackages;
environment.variables.VK_ICD_FILENAMES =
services.fwupd.enable = true;
programs.light.enable = true; = {};
users.users.makefu.extraGroups = [ "video" ];
users.groups.render = {};
users.users.makefu.extraGroups = [ "video" "render" ];
boot.extraModprobeConfig = ''
options thinkpad_acpi fan_control=1

@ -0,0 +1,67 @@
{ disk ? "/dev/sda", ... }: {
disko.devices = {
disk = {
nvme = {
type = "disk";
device = disk;
content = {
type = "table";
format = "gpt";
partitions = [
name = "ESP";
start = "0";
end = "512MiB";
fs-type = "fat32";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
name = "zfs";
start = "512MiB";
end = "100%";
content = {
type = "zfs";
pool = "tank";
zpool = {
tank = {
type = "zpool";
rootFsOptions = {
compression = "lz4";
#reservation = "5G";
"com.sun:auto-snapshot" = "false";
mountpoint = null;
postCreateHook = "zfs snapshot tank@blank";
datasets = {
root = {
type = "zfs_fs";
mountpoint = "/";
options = {
encryption = "aes-256-gcm";
keyformat = "passphrase";
"com.sun:auto-snapshot" = "true";
#keylocation = "file:///tmp/secret.key";
"root/home" = {
type = "zfs_fs";
mountpoint = "/home";

@ -4,14 +4,16 @@
# 1. for pressing insert hold shift+fn+Fin
# scroll by holding middle mouse
services.xserver.displayManager.sessionCommands =''
xinput set-int-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation" 8 1
xinput set-int-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation Button" 8 2
xinput set-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5
# configure timeout of pressing and holding middle button
# xinput set-int-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation Timeout" 8 200
xinput disable 'ETPS/2 Elantech Touchpad'
#services.xserver.displayManager.sessionCommands =''
# xinput set-int-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation" 8 1
# xinput set-int-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation Button" 8 2
# xinput set-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5
# # configure timeout of pressing and holding middle button
# # xinput set-int-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation Timeout" 8 200
# xinput disable 'ETPS/2 Elantech Touchpad'
services.xserver.libinput.enable = true;
boot.kernelParams = [
@ -27,20 +29,20 @@
{ keys = [ 224 ]; events = [ "key" ]; command = "${pkgs.light}/bin/light -U 10"; } # fn - F6
# fn - 4 => suspend
# fn - d => lcdshadow
{ keys = [ 227 ]; events = [ "key" ]; command = builtins.toString ( # fn - F7
pkgs.writers.writeDash "toggle_touchpad" ''
PATH=${lib.makeBinPath [ pkgs.xorg.xinput pkgs.gnugrep ]}
#{ keys = [ 227 ]; events = [ "key" ]; command = builtins.toString ( # fn - F7
# pkgs.writers.writeDash "toggle_touchpad" ''
# PATH=${lib.makeBinPath [ pkgs.xorg.xinput pkgs.gnugrep ]}
device=$(xinput list --name-only | grep Touchpad)
if [ "$(xinput list-props "$device" | grep -P ".*Device Enabled.*\K.(?=$)" -o)" -eq 1 ];then
xinput disable "$device"
xinput enable "$device"
# device=$(xinput list --name-only | grep Touchpad)
# if [ "$(xinput list-props "$device" | grep -P ".*Device Enabled.*\K.(?=$)" -o)" -eq 1 ];then
# xinput disable "$device"
# else
# xinput enable "$device"
# fi
# '');

@ -0,0 +1,122 @@
{ config, lib, pkgs, ... }:
seeed-voicecard = (pkgs.callPackage ../../5pkgs/seeed-voicecard { kernel = config.boot.kernelPackages.kernel; });
hardware.raspberry-pi."4".i2c1.enable = true;
hardware.raspberry-pi."4".audio.enable = true;
hardware.raspberry-pi."4".apply-overlays-dtmerge.enable = true;
hardware.deviceTree.filter = lib.mkForce "bcm2711-rpi-4-b.dtb";
security.rtkit.enable = true;
environment.systemPackages = with pkgs; [
sound.enable = true;
hardware.pulseaudio.enable = lib.mkForce false;
services.pipewire = {
enable = true;
systemWide = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
services.pipewire.config.pipewire-pulse = {
""."server.address" = [ "unix:native" "tcp:4713" ];
sound.extraConfig = ''
pcm.!default {
type asym
playback.pcm "playback"
capture.pcm "ac108"
pcm.ac108 {
type plug
slave.pcm "hw:seeed4micvoicec"
'' ;
boot.extraModulePackages = [
boot.initrd.kernelModules = [
boot.loader.raspberryPi.firmwareConfig = [
# dtoverlay=seeeed-8mic-voicecard not required because we use hardware.deviceTree
hardware.deviceTree = {
enable = true;
overlays = [
{ name = "respeaker-4mic"; dtsFile = "${seeed-voicecard}/lib/dts/seeed-4mic-voicecard-overlay.dts";}
{ name = "spi"; dtsText = ''
/ {
compatible = "raspberrypi";
fragment@0 {
target = <&spi>;
__overlay__ {
cs-gpios = <&gpio 8 1>, <&gpio 7 1>;
status = "okay";
pinctrl-names = "default";
pinctrl-0 = <&spi0_pins &spi0_cs_pins>;
#address-cells = <1>;
#size-cells = <0>;
spidev@0 {
reg = <0>; // CE0
spi-max-frequency = <500000>;
compatible = "spidev";
spidev@1 {
reg = <1>; // CE1
spi-max-frequency = <500000>;
compatible = "spidev";
fragment@1 {
target = <&alt0>;
__overlay__ {
// Drop GPIO 7, SPI 8-11
brcm,pins = <4 5>;
fragment@2 {
target = <&gpio>;
__overlay__ {
spi0_pins: spi0_pins {
brcm,pins = <9 10 11>;
brcm,function = <4>; // alt0
spi0_cs_pins: spi0_cs_pins {
brcm,pins = <8 7>;
brcm,function = <1>; // out

@ -2,7 +2,7 @@
0. Sendung twittern und mastodieren (eine Woche + eine Stunde vorher) von Ingo/l33tname (wichtig)
1. `eine` Person anrufen (den Host):
- markus
- markus
- Felix1
- L33tFelix
- Ingo

@ -3,6 +3,7 @@
services.bitlbee = {
enable = true;
# libpurple_plugins = [ pkgs.telegram-purple pkgs.pidgin-skypeweb];
plugins = [ pkgs.bitlbee-mastodon ];
users.users.makefu.packages = with pkgs; [ weechat tmux ];
state = [ "/var/lib/bitlbee" ];

@ -0,0 +1,23 @@
{pkgs, ... }:
pkg = pkgs.brother_ql_web;
in { = {
after = [ "" ];
description = "Brother QL Web Interface";
wantedBy = [ "" ];
environment = {
FLASK_PRINTER = "usb://0x04f9:0x209b/000F1Z401759";
serviceConfig = {
ExecStart = "${pkg}/bin/brother_ql_web";
DynamicUser = true;
SupplementaryGroups = "lp";
Restart = "always";

@ -0,0 +1,28 @@
{ pkgs, config, ... }:
mainUser =;
in {
imports = [
services.printing = {
enable = true;
drivers = with pkgs;[
users.users.kiosk.extraGroups = [ "scanner" "lp" ];
state = [ "/var/lib/cups"];
users.users.kiosk.packages = with pkgs;[
services.udev.extraRules = ''
SUBSYSTEMS=="usb", ATTRS{idVendor}=="04f9", ATTRS{idProduct}=="209b", ATTRS{serial}=="000F1Z401759", MODE="0664", GROUP="lp", SYMLINK+="usb/lp0"

@ -31,6 +31,7 @@ with import <stockholm/lib>;
nix.settings.trusted-users = [ ];
nix.settings.experimental-features = [ "flakes" "nix-command" ];
boot.kernelPackages = lib.mkDefault pkgs.linuxPackages;

@ -26,18 +26,6 @@
zipcode: 70378
q: Werkbank
distance: 5
- name: Stirnthermometer
zipcode: 70378
q: Stirnthermometer
distance: 5
- name: Ohrthermometer
zipcode: 70378
q: Ohrthermometer
distance: 5
- name: Fieberthermometer
zipcode: 70378
q: Fieberthermometer
distance: 5
- name: Einhell
zipcode: 70378
q: Einhell

@ -0,0 +1,9 @@
{ config, pkgs, ... }:
imports =
[ ./mediawiki.nix

@ -0,0 +1,481 @@
{ config, pkgs, lib, ... }:
inherit (lib) mkDefault mkEnableOption mkForce mkIf mkMerge mkOption;
inherit (lib) concatStringsSep literalExample mapAttrsToList optional optionals optionalString types;
cfg =;
fpm =;
user = "mediawiki";
group =;
cacheDir = "/var/cache/mediawiki";
stateDir = "/var/lib/mediawiki";
pkg = pkgs.stdenv.mkDerivation rec {
pname = "mediawiki-full";
version = src.version;
src = cfg.package;
installPhase = ''
mkdir -p $out
cp -r * $out/
rm -rf $out/share/mediawiki/skins/*
rm -rf $out/share/mediawiki/extensions/*
${concatStringsSep "\n" (mapAttrsToList (k: v: ''
ln -s ${v} $out/share/mediawiki/skins/${k}
'') cfg.skins)}
${concatStringsSep "\n" (mapAttrsToList (k: v: ''
ln -s ${if v != null then v else "$src/share/mediawiki/extensions/${k}"} $out/share/mediawiki/extensions/${k}
'') cfg.extensions)}
mediawikiScripts = pkgs.runCommand "mediawiki-scripts" {
buildInputs = [ pkgs.makeWrapper ];
preferLocalBuild = true;
} ''
mkdir -p $out/bin
for i in changePassword.php createAndPromote.php userOptions.php edit.php nukePage.php update.php; do
makeWrapper ${pkgs.php}/bin/php $out/bin/mediawiki-$(basename $i .php) \
--set MEDIAWIKI_CONFIG ${mediawikiConfig} \
--add-flags ${pkg}/share/mediawiki/maintenance/$i
mediawikiConfig = pkgs.writeText "LocalSettings.php" ''
# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
$wgSitename = "${}";
$wgMetaNamespace = false;
## The URL base path to the directory containing the wiki;
## defaults for all runtime URL paths are based off of this.
## For more information on customizing the URLs
## (like /w/index.php/Page_title to /wiki/Page_title) please see:
$wgScriptPath = "${cfg.basePath}";
## The protocol and server name to use in fully-qualified URLs
#$wgServer = "${if cfg.virtualHost.addSSL || cfg.virtualHost.forceSSL || cfg.virtualHost.onlySSL then "https" else "http"}://${cfg.virtualHost.hostName}";
#$wgServer = "";
$wgServer = "http://localhost";
## The URL path to static resources (images, scripts, etc.)
$wgResourceBasePath = $wgScriptPath;
## The URL path to the logo. Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogo = "$wgResourceBasePath/resources/assets/wiki.png";
## UPO means: this is also a user preference option
$wgEnableEmail = true;
$wgEnableUserEmail = true; # UPO
$wgEmergencyContact = "${if cfg.virtualHost.adminAddr != null then cfg.virtualHost.adminAddr else}";
$wgPasswordSender = $wgEmergencyContact;
$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
$wgEmailAuthentication = true;
## Database settings
$wgDBtype = "${cfg.database.type}";
$wgDBserver = "${}:${if cfg.database.socket != null then cfg.database.socket else toString cfg.database.port}";
$wgDBname = "${}";
$wgDBuser = "${cfg.database.user}";
${optionalString (cfg.database.passwordFile != null) "$wgDBpassword = file_get_contents(\"${cfg.database.passwordFile}\");"}
${optionalString (cfg.database.type == "mysql" && cfg.database.tablePrefix != null) ''
# MySQL specific settings
$wgDBprefix = "${cfg.database.tablePrefix}";
${optionalString (cfg.database.type == "mysql") ''
# MySQL table options to use during installation or update
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
## Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = [];
${optionalString (cfg.uploadsDir != null) ''
$wgEnableUploads = true;
$wgUploadDirectory = "${cfg.uploadsDir}";
$wgUseImageMagick = true;
$wgImageMagickConvertCommand = "${pkgs.imagemagick}/bin/convert";
# InstantCommons allows wiki to use images from
$wgUseInstantCommons = false;
# Periodically send a pingback to with basic data
# about this MediaWiki instance. The Wikimedia Foundation shares this data
# with MediaWiki developers to help guide future development efforts.
$wgPingback = true;
## If you use ImageMagick (or any other shell command) on a
## Linux server, this will need to be set to the name of an
## available UTF-8 locale
$wgShellLocale = "C.UTF-8";
## Set $wgCacheDirectory to a writable directory on the web server
## to make your wiki go slightly faster. The directory should not
## be publically accessible from the web.
$wgCacheDirectory = "${cacheDir}";
# Site language code, should be one of the list in ./languages/data/Names.php
$wgLanguageCode = "en";
$wgSecretKey = file_get_contents("${stateDir}/secret.key");
# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "";
## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";
# Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff = "${pkgs.diffutils}/bin/diff";
$wgDiff3 = "${pkgs.diffutils}/bin/diff3";
# Enabled skins.
${concatStringsSep "\n" (mapAttrsToList (k: v: "wfLoadSkin('${k}');") cfg.skins)}
# Enabled extensions.
${concatStringsSep "\n" (mapAttrsToList (k: v: "wfLoadExtension('${k}');") cfg.extensions)}
# End of automatically generated settings.
# Add more configuration options below.
# interface
options = {
services.mediawiki = {
enable = mkEnableOption "MediaWiki";
package = mkOption {
type = types.package;
default = pkgs.mediawiki;
description = "Which MediaWiki package to use.";
basePath = mkOption {
type = types.str;
default = "/";
description = "Base path to Wiki";
name = mkOption {
default = "MediaWiki";
example = "Foobar Wiki";
description = "Name of the wiki.";
uploadsDir = mkOption {
type = types.nullOr types.path;
default = "${stateDir}/uploads";
description = ''
This directory is used for uploads of pictures. The directory passed here is automatically
created and permissions adjusted as required.
passwordFile = mkOption {
type = types.path;
description = "A file containing the initial password for the admin user.";
example = "/run/keys/mediawiki-password";
skins = mkOption {
default = {};
type = types.attrsOf types.path;
description = ''
Attribute set of paths whose content is copied to the <filename>skins</filename>
subdirectory of the MediaWiki installation in addition to the default skins.
extensions = mkOption {
default = {};
type = types.attrsOf (types.nullOr types.path);
description = ''
Attribute set of paths whose content is copied to the <filename>extensions</filename>
subdirectory of the MediaWiki installation and enabled in configuration.
Use <literal>null</literal> instead of path to enable extensions that are part of MediaWiki.
example = literalExample ''
Matomo = pkgs.fetchzip {
url = "";
sha256 = "0g5rd3zp0avwlmqagc59cg9bbkn3r7wx7p6yr80s644mj6dlvs1b";
ParserFunctions = null;
database = {
type = mkOption {
type = types.enum [ "mysql" "postgres" "sqlite" "mssql" "oracle" ];
default = "mysql";
description = "Database engine to use. MySQL/MariaDB is the database of choice by MediaWiki developers.";
host = mkOption {
type = types.str;
default = "localhost";
description = "Database host address.";
port = mkOption {
type = types.port;
default = 3306;
description = "Database host port.";
name = mkOption {
type = types.str;
default = "mediawiki";
description = "Database name.";
user = mkOption {
type = types.str;
default = "mediawiki";
description = "Database user.";
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
example = "/run/keys/mediawiki-dbpassword";
description = ''
A file containing the password corresponding to
tablePrefix = mkOption {
type = types.nullOr types.str;
default = null;
description = ''
If you only have access to a single database and wish to install more than
one version of MediaWiki, or have other applications that also use the
database, you can give the table names a unique prefix to stop any naming
conflicts or confusion.
See <link xlink:href='$wgDBprefix'/>.
socket = mkOption {
type = types.nullOr types.path;
default = if cfg.database.createLocally then "/run/mysqld/mysqld.sock" else null;
defaultText = "/run/mysqld/mysqld.sock";
description = "Path to the unix socket file to use for authentication.";
createLocally = mkOption {
type = types.bool;
default = cfg.database.type == "mysql";
defaultText = "true";
description = ''
Create the database and database user locally.
This currently only applies if database type "mysql" is selected.
virtualHost = mkOption {
type = types.submodule (import <nixpkgs/nixos/modules/services/web-servers/apache-httpd/vhost-options.nix>);
example = literalExample ''
hostName = "";
adminAddr = "";
forceSSL = true;
enableACME = true;
description = ''
Apache configuration can be done by adapting <option>services.httpd.virtualHosts</option>.
See <xref linkend="opt-services.httpd.virtualHosts"/> for further information.
poolConfig = mkOption {
type = with types; attrsOf (oneOf [ str int bool ]);
default = {
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
description = ''
Options for the MediaWiki PHP pool. See the documentation on <literal>php-fpm.conf</literal>
for details on configuration directives.
extraConfig = mkOption {
type = types.lines;
description = ''
Any additional text to be appended to MediaWiki's
LocalSettings.php configuration file. For configuration
settings, see <link xlink:href=""/>.
default = "";
example = ''
$wgEnableEmail = false;
# implementation
config = mkIf cfg.enable {
assertions = [
{ assertion = cfg.database.createLocally -> cfg.database.type == "mysql";
message = "services.mediawiki.createLocally is currently only supported for database type 'mysql'";
{ assertion = cfg.database.createLocally -> cfg.database.user == user;
message = "services.mediawiki.database.user must be set to ${user} if services.mediawiki.database.createLocally is set true";
{ assertion = cfg.database.createLocally -> cfg.database.socket != null;
message = "services.mediawiki.database.socket must be set if services.mediawiki.database.createLocally is set to true";
{ assertion = cfg.database.createLocally -> cfg.database.passwordFile == null;
message = "a password cannot be specified if services.mediawiki.database.createLocally is set to true";
services.mediawiki.skins = {
MonoBook = "${cfg.package}/share/mediawiki/skins/MonoBook";
Timeless = "${cfg.package}/share/mediawiki/skins/Timeless";
Vector = "${cfg.package}/share/mediawiki/skins/Vector";
services.mysql = mkIf cfg.database.createLocally {
enable = true;
package = mkDefault pkgs.mariadb;
ensureDatabases = [ ];
ensureUsers = [
{ name = cfg.database.user;
ensurePermissions = { "${}.*" = "ALL PRIVILEGES"; };
services.phpfpm.pools.mediawiki = {
inherit user group;
phpEnv.MEDIAWIKI_CONFIG = "${mediawikiConfig}";
settings = {
"listen.owner" =;
"" =;
} // cfg.poolConfig;
services.httpd = {
enable = true;
extraModules = [ "proxy_fcgi" ];
virtualHosts.${cfg.virtualHost.hostName} = mkMerge [ cfg.virtualHost {
documentRoot = mkForce "${pkg}/share/mediawiki";
extraConfig = ''
<Directory "${pkg}/share/mediawiki">
<FilesMatch "\.php$">
SetHandler "proxy:unix:${fpm.socket}|fcgi://localhost/"
Require all granted
DirectoryIndex index.php
AllowOverride All
'' + optionalString (cfg.uploadsDir != null) ''
Alias "/images" "${cfg.uploadsDir}"
<Directory "${cfg.uploadsDir}">
Require all granted
} ];
systemd.tmpfiles.rules = [
"d '${stateDir}' 0750 ${user} ${group} - -"
"d '${cacheDir}' 0750 ${user} ${group} - -"
] ++ optionals (cfg.uploadsDir != null) [
"d '${cfg.uploadsDir}' 0750 ${user} ${group} - -"
"Z '${cfg.uploadsDir}' 0750 ${user} ${group} - -"
]; = {
wantedBy = [ "" ];
before = [ "phpfpm-mediawiki.service" ];
after = optional cfg.database.createLocally "mysql.service";
script = ''
if ! test -e "${stateDir}/secret.key"; then
tr -dc A-Za-z0-9 </dev/urandom 2>/dev/null | head -c 64 > ${stateDir}/secret.key
echo "exit( wfGetDB( DB_MASTER )->tableExists( 'user' ) ? 1 : 0 );" | \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/eval.php --conf ${mediawikiConfig} && \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/install.php \
--confpath /tmp \
--scriptpath ${cfg.basePath} \
--dbserver ${}${optionalString (cfg.database.socket != null) ":${cfg.database.socket}"} \
--dbport ${toString cfg.database.port} \
--dbname ${} \
${optionalString (cfg.database.tablePrefix != null) "--dbprefix ${cfg.database.tablePrefix}"} \
--dbuser ${cfg.database.user} \
${optionalString (cfg.database.passwordFile != null) "--dbpassfile ${cfg.database.passwordFile}"} \
--passfile ${cfg.passwordFile} \
"${}" \
${pkgs.php}/bin/php ${pkg}/share/mediawiki/maintenance/update.php --conf ${mediawikiConfig} --quick
serviceConfig = {
Type = "oneshot";
User = user;
Group = group;
PrivateTmp = true;
}; = optional (cfg.database.createLocally && cfg.database.type == "mysql") "mysql.service";
users.users.${user} = {
group = group;
isSystemUser = true;
environment.systemPackages = [ mediawikiScripts ];

@ -0,0 +1,67 @@
{ config, pkgs, ... }:
hostAddress = "";
localAddress = "";
containers.mediawiki =
{ autoStart = true;
privateNetwork = true;
inherit hostAddress localAddress;
config = { config, pkgs, ... }:
# NOTE: This disabling and importing is so that the basePath can be altered
disabledModules = [ "services/web-apps/mediawiki.nix" ];
imports = [
time.timeZone = "America/New_York";
system.stateVersion = "20.09";
networking.defaultGateway = hostAddress;
# NOTE: you might want to change this namserver address
networking.nameservers = [ "" ];
networking.firewall.allowedTCPPorts = [ 80 ];
services.mediawiki = {
enable = true;
name = "Example Containerized Wiki";
# NOTE: here is where the basePath is specified, which requires the imported mediawiki NixOS module
basePath = "/wiki";
passwordFile = ./mediawiki.password.txt;
extraConfig = ''
$wgRCFeeds['euerkrebsco'] = array(
'formatter' => 'JSONRCFeedFormatter',
'uri' => 'udp://',
'add_interwiki_prefix' => false,
'omit_bots' => true,
$wgRCFeeds['euerkrebscoIRC'] = array(
'formatter' => 'IRCColourfulRCFeedFormatter',
'uri' => 'udp://',
'add_interwiki_prefix' => false,
'omit_bots' => true,
virtualHost = {
hostName = "localhost";
adminAddr = "root@localhost";
forceSSL = false;
addSSL = false;
onlySSL = false;
enableACME = false;
# Put the MediaWiki web page behind an NGINX proxy
services.nginx = {
enable = true;
virtualHosts.localhost.locations."/wiki" = {
# NOTE: the slash at the end of the URI is important. It causes the location base path to be removed when passed onto the proxy
proxyPass = "http://${localAddress}:80/";

@ -0,0 +1 @@

@ -0,0 +1,6 @@
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.externalInterface = "wlan0";

@ -0,0 +1,41 @@
{ lib, config, ... }:
web-port = 19455;
hostn = "";
internal-ip =;
services.ntfy-sh = {
enable = true;
settings = {
listen-http = "${toString web-port}";
auth-file = "/var/lib/ntfy-sh/user.db";
auth-default-access = "deny-all";
behind-proxy = true;
attachment-cache-dir = "/media/cloud/ntfy-sh/attachments";
attachment-file-size-limit = "500m";
attachment-total-size-limit = "100g";
base-url = "";
attachment-expiry-duration = "48h";
}; = {
StateDirectory = "ntfy-sh";
SupplementaryGroups = [ "download" ];
services.nginx = {
enable = lib.mkDefault true;
virtualHosts."${hostn}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${toString web-port}/";
proxyWebsockets = true;
recommendedProxySettings = true;

@ -59,7 +59,7 @@ =
users.users.nextcloud.extraGroups = [ "download" ];
services.nextcloud = {
enable = true;
package = pkgs.nextcloud24;
package = pkgs.nextcloud25;
hostName = "";
# Use HTTPS for links
https = true;
@ -97,5 +97,11 @@ ="nextcloud-setup" = {
requires = ["postgresql.service"];
after = ["postgresql.service"];
serviceConfig.RequiresMountFor = [ "/media/cloud" ];
};"phpfpm-nextcloud".serviceConfig.RequiresMountFor = [
];"phpfpm".serviceConfig.RequiresMountFor = [ "/media/cloud" ];

@ -16,6 +16,10 @@ in {
enable = true;
databases = [ ];
}; = {
Restart = lib.mkForce "always";
}; = [ "download" ];
services.nginx.virtualHosts."${fqdn}" = {

@ -3,5 +3,7 @@

@ -12,7 +12,7 @@
# vim-nix handles indentation better but does not perform sanity
# "vim-addon-nix"

View file

@ -49,7 +49,6 @@ set matchtime=3
set hlsearch
autocmd ColorScheme * highlight ExtraWhitespace ctermbg=red guibg=red
hi MatchParen cterm=none ctermbg=green ctermfg=blue
let g:better_whitespace_enabled=1
let g:strip_whitespace_on_save=1
@ -114,3 +113,5 @@ let g:UltiSnipsExpandTrigger = "<c-j>"
let g:UltiSnipsJumpForwardTrigger = "<c-j>"
let g:UltiSnipsJumpBackwardTrigger = "<c-p>"
let g:UltiSnipsListSnippets = "<c-k>" "List possible snippets based on current file
hi MatchParen cterm=none ctermbg=green ctermfg=blue

@ -18,30 +18,28 @@ in
imports = [
# services.redshift.enable = true;
services.xserver = {
enable = true;
layout = "us";
xkbVariant = "altgr-intl";
xkbOptions = "ctrl:nocaps, eurosign:e";
windowManager = {
awesome.enable = true;
awesome.noArgb = true;
awesome.luaModules = [ pkgs.luaPackages.vicious ];
displayManager.defaultSession = lib.mkDefault "none+awesome";
displayManager.autoLogin = {
enable = true;
user = mainUser;
# windowManager = {
# awesome.enable = true;
# awesome.noArgb = true;
# awesome.luaModules = [ pkgs.luaPackages.vicious ];
# };
# displayManager.defaultSession = lib.mkDefault "none+awesome";
environment.systemPackages = [ pkgs.gnome.adwaita-icon-theme ];
# lid switch is handled via button presses
services.logind.lidSwitch = lib.mkDefault "ignore";
makefu.awesome.enable = true;
# services.logind.lidSwitch = lib.mkDefault "ignore";
#makefu.awesome.enable = true;
console.font = "Lat2-Terminus16";
fonts = {

@ -0,0 +1,63 @@
{ config, lib, pkgs, ... }:
mainUser =;
programs.gnome-terminal.enable = true;
services.xserver = {
desktopManager.gnome.enable = true;
displayManager.gdm.enable = true;
#displayManager.autoLogin = {
# enable = true;
# user = mainUser;
programs.dconf.enable = true;
home-manager.users.${mainUser}.dconf = {
enable = true;
settings = {
"org/gnome/terminal/legacy" = {
mnemonics-enabled = false;
theme-variant = "dark";
"org/gnome/desktop/interface" = {
enable-animations = false;
enable-hot-corners = false;
show-battery-percentage = true;
"org/gnome/desktop/peripherals/touchpad" = {
edge-scrolling-enabled = false;
natural-scroll = false;
send-events = "enabled";
tap-to-click = true;
two-finger-scrolling-enabled = true;
"org/gnome/desktop/session".idle-delay = 900;
"org/gnome/desktop/wm/keybindings" = {
"org/gnome/desktop/wm/preferences".num-workspaces = 4;
"org/gnome/settings-daemon/plugins/color".night-light-enabled = true;
"org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = [ "/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/"];
"org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0" = {
binding = "<Super>Return";
command = "gnome-terminal";
name = "terminal";

@ -12,10 +12,9 @@
services.pipewire = {
enable = true;
systemWide = true;
# systemWide = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;

@ -0,0 +1,44 @@
{ pkgs, lib, ... }:
imports = [
users.users.kiosk = {
# packages = [ pkgs.chromium pkgs.vscode ];
group = "kiosk";
isNormalUser = true;
uid = 1003;
extraGroups = [ "wheel" "audio" "pulse" "pipewire" ];
users.groups.kiosk.gid = 989 ;
services.xserver = {
enable = true;
windowManager = lib.mkForce { awesome.enable = false; };
displayManager.gdm.enable = true;
displayManager.gdm.autoSuspend = false;
displayManager.autoLogin = {
enable = true;
user = lib.mkForce "kiosk";
displayManager.defaultSession = "gnome";
desktopManager.gnome.enable = true;
systemd.targets.sleep.enable = false;
systemd.targets.suspend.enable = false;
systemd.targets.hibernate.enable = false;
systemd.targets.hybrid-sleep.enable = false;
environment.systemPackages = [ pkgs.gnomeExtensions.appindicator ];
services.dbus.packages = with pkgs; [ gnome2.GConf gnome3.gnome-settings-daemon ];
services.pipewire.systemWide = lib.mkForce false;
services.pipewire.config.pipewire-pulse = {
""."server.address" = [ "unix:native" "tcp:4713" ];

@ -5,11 +5,11 @@
users.users.kiosk = {
packages = [ pkgs.chromium pkgs.vscode ];
packages = with pkgs;[ chromium vscode spotify tartube-yt-dlp ];
group = "kiosk";
isNormalUser = true;
uid = 1003;
extraGroups = [ "wheel" "audio" "pulse" ];
extraGroups = [ "wheel" "audio" "pulse" "pipewire" ];
users.groups.kiosk.gid = 989 ;
services.xserver = {
@ -31,7 +31,10 @@
environment.systemPackages = [ pkgs.gnomeExtensions.appindicator ];
environment.systemPackages = [
pkgs.gnomeExtensions.appindicator pkgs.pavucontrol pkgs.jellyfin-media-player pkgs.chromium pkgs.firefox pkgs.kodi
services.dbus.packages = with pkgs; [ gnome2.GConf gnome3.gnome-settings-daemon ]; = {
@ -45,5 +48,9 @@
Restart = "on-failure";
services.pipewire.systemWide = lib.mkForce false;
services.pipewire.config.pipewire-pulse = {
""."server.address" = [ "unix:native" "tcp:4713" ];

@ -61,6 +61,8 @@ direnv allow
size = 900001;
save = 900001;
ignoreDups = true;
ignoreSpace = true;
extended = true;
share = true;
@ -77,31 +79,32 @@ direnv allow
xo = "mimeopen";
nmap = "nmap -oN $HOME/loot/scan-`date +\%s`.nmap -oX $HOME/loot/scan-`date +%s`.xml";
# navi package does not come with the navi.plugin.zsh anymore so we use .src
#zplug = {
# enable = true;
# plugins = [
# { name = "denisidoro/navi" ; }
# { name = "zsh-users/zsh-autosuggestions" ; }
# ];
initExtra = ''
bindkey -e
zle -N edit-command-line
# ctrl-x ctrl-e
bindkey '^xe' edit-command-line
bindkey '^x^e' edit-command-line
# shift-tab
bindkey '^[[Z' reverse-menu-complete
bindkey "\e[3~" delete-char
zstyle ':completion:*' menu select
compdef _pass brain
zstyle ':completion::complete:brain::' prefix "$HOME/brain"
compdef _pass secrets
zstyle ':completion::complete:secrets::' prefix "$HOME/.secrets-pass/"
# navi
. ${pkgs.navi.src}/shell/navi.plugin.zsh
# ctrl-x ctrl-e
autoload -U compinit && compinit
autoload -U edit-command-line
zle -N edit-command-line
bindkey '^xe' edit-command-line
bindkey '^x^e' edit-command-line

@ -1,8 +1,12 @@
{ pkgs, ... }:
#dev = "/dev/web_cam";
dev = "/dev/video0";
services.mjpg-streamer = {
enable = true;
inputPlugin = " -d /dev/web_cam -r 1280x960";
inputPlugin = " -d ${dev} -r 1280x960";
users.users.octoprint.extraGroups = [ "video" ];
# allow octoprint to access /dev/vchiq

@ -1,10 +1,12 @@
inherit (import ../lib) btn_cycle_light;
schlafzimmer_komode = "light.schlafzimmer_komode_osram";
schlafzimmer_button = "sensor.schlafzimmer_btn2_click";
in {
services.home-assistant.config.automation = [
# (btn_cycle_light "light.arbeitszimmerbeleuchtung" "arbeitszimmer_btn1")
(btn_cycle_light "light.schlafzimmer_komode_osram" "schlafzimmer_btn2" 128)
alias = "toggle keller";
trigger = {
@ -32,21 +34,35 @@ in {
service = "light.toggle";
data = {
entity_id = "light.keller_osram";
brightness = 50;
brightness = 25;
# (btn_cycle_light "light.wohnzimmerbeleuchtung" "wohnzimmer_btn3")
alias = "Turn of all lights via schlafzimmer_btn2 double click";
alias = "Dim Toggle schlafzimmer komode";
trigger = {
platform = "state";
entity_id = "sensor.schlafzimmer_btn2_click";
entity_id = schlafzimmer_button;
to = "single";
action = {
service = "light.toggle";
entity_id = schlafzimmer_komode;
brightness = 1;
alias = "Bright Toggle schlafzimmer komode";
trigger = {
platform = "state";
entity_id = schlafzimmer_button;
to = "double";
action = {
service = "light.turn_off";
entity_id = "all";
service = "light.toggle";
entity_id = schlafzimmer_komode;
brightness = 255;

@ -6,7 +6,7 @@
schranklicht = [
# "light.wohnzimmer_komode_osram"
weihnachtslicht = "light.wohnzimmer_fenster_lichterkette_licht";
fernsehlicht = "light.wled";
@ -31,8 +31,8 @@ in
automation =
(turn_on schranklicht "-00:30:00")
#(turn_on weihnachtslicht "-00:30:00")
(turn_on fernsehlicht "-00:00:00")
(turn_on weihnachtslicht "-00:00:00")
#(turn_on fernsehlicht "-00:00:00")
{ alias = "Always turn off the urlaub lights at ${final_off}";
trigger = [

View file

@ -7,7 +7,7 @@ Heute ist {{ weekday }}, du solltest gar nicht arbeiten!
{% else %}
Willkommen auf Arbeit Felix.
{% endif -%}
Das aktuell gewählte Projekt ist {{ states("sensor.felix_project") }}.
Dein Projekt ist {{ states("sensor.felix_project") }}.
{% set inside = states("sensor.wohnzimmer_temp_temperature") | float | round(2) -%}
{% set outside = states("sensor.dark_sky_temperature") | float | round(2) -%}

@ -17,6 +17,7 @@ in {
# ./multi/flurlicht.nix
# ./multi/fliegen-couter.nix
@ -92,6 +93,7 @@ in {
{ type = "homeassistant"; }
tasmota = {};
binary_sensor = [
{ platform = "workday";
name = "Arbeitstag";

@ -0,0 +1,30 @@
{ config, pkgs, lib, ... }:
confdir = "/var/lib/homeassistant-docker";
in {
imports = [
networking.firewall.allowedTCPPorts = [ 8123 ];
state = [ "/var/lib/hass/known_devices.yaml" ];
virtualisation.oci-containers.containers.hass = {
image = "homeassistant/home-assistant:latest";
environment = {
TZ = "Europe/Berlin";
UMASK = "007";
extraOptions = ["--net=host" ];
volumes = [
systemd.tmpfiles.rules = [
#"f ${confdir}/docker-run 0770 kiosk kiosk - -"
"d ${confdir} 0770 kiosk kiosk - -"

@ -0,0 +1,35 @@
services.home-assistant.config = {
intent_script = {
GetTime.speech.text = ''
Es ist {{ now().hour }} Uhr {{ now().minute }}
GutenMorgen.speech.text = ''
Einen wunderschönen Guten Morgen wünsche ich dir
WieGehtEsDir.speech.text = ''
Mir geht es sehr gut, und dir?
Statusreport.speech.text = builtins.readFile ./statusbericht.txt.j2;
StartMusic = {
speech.text = "Spiele {{ music }} musik";
action_async = [
service = "media_player.play_media";
data_template = {
entity_id = "media_player.{{ _intent.siteId }}";
media_content_id = builtins.readFile ./music_chooser.txt.j2;
media_content_type = "music";
GetWeather = {
#speech.text = ''
# {{ states('sensor.openweathermap_weather') }} bei {{ states('sensor.openweathermap_temperature') }} Grad
speech.text = "{{ states('sensor.swr_prognose') }}";

@ -0,0 +1,13 @@
{% if music == "lounge" -%}
{% elif music == "lassulus" -%}
{% elif music == "groove" -%}
{% elif music == "swr3" -%}
{% elif music == "swr1" -%}
{% elif music == "radio" -%}
{% endif %}

@ -0,0 +1,37 @@
{% set arbeit_heute = is_state("binary_sensor.arbeitstag","on") -%}
{% set weekday = ['Montag','Dienstag','Mittwoch','Donnerstag','Freitag','Samstag','Sonntag'][now().weekday()] -%}
{% set is_friday = now().weekday() == 4 %}
Dies ist deine Persönliche Zusammenfassung
{% set inside = states("sensor.wohnzimmer_temp_temperature") | float | round(2) -%}
{% set outside = states("sensor.dark_sky_temperature") | float | round(2) -%}
{% set arbeit_morgen = is_state("binary_sensor.arbeitstag_morgen","on") -%}
Die Wetteraussichten: {{ states("sensor.dark_sky_hourly_summary") | replace(".","")}} bei {{ states("sensor.dark_sky_temperature") }} Grad mit {{ states("sensor.dark_sky_humidity") | round(0) }}% Luftfeuchtigkeit.
{% if states("calendar.abfall_papiermuell") == "on" %}
Heute ist Papiermuell, bring noch schnell dein Papier raus
{% endif %}
{% if states("calendar.abfall_restmuell") == "on" %}
Ausserdem ist heute Restmuell.
{% endif -%}
{% if ( outside < inside ) and ( outside > 18 ) %}
Draussen ist es gerade {{ ((inside - outside) | round(1) )}} gerade kühler
{% endif -%}
{% set current_count = state_attr("sensor.dwd_weather_warnings_current_warning_level", "warning_count") %}
{% for i in range(current_count) %}
{% set idx = i + 1 %}
{% set headline = state_attr("sensor.dwd_weather_warnings_current_warning_level", "warning_" ~ idx ~ "_headline") %}
{% set description = state_attr("sensor.dwd_weather_warnings_current_warning_level", "warning_" ~ idx ~ "_description") %}
{% set level = state_attr("sensor.dwd_weather_warnings_current_warning_level", "warning_" ~ idx ~ "_level") %}
{% set time_start = state_attr("sensor.dwd_weather_warnings_current_warning_level", "warning_" ~ idx ~ "_start") %}
{% set time_end = state_attr("sensor.dwd_weather_warnings_current_warning_level", "warning_" ~ idx ~ "_end") %}
Wetterwarnung {{idx}}: {{ headline }} Stufe {{level}} von {{ time_start.strftime("%H:%M") ~ " bis " ~ time_end.strftime("%H:%M") }} Uhr
{{ description }}
{% endfor %}
{% if is_friday %}
Endlich ist Freitag!
{% endif -%}

@ -27,12 +27,11 @@ in
{ delay.seconds = 1; }
{ delay = ''
{% set duration = state_attr("${entity}","media_duration") %}
{% set seconds = duration % 60 %}
{% set duration = state_attr("${entity}","media_duration") or 0 %}
{% set seconds = (duration % 60 ) %}
{% set minutes = (duration / 60)|int % 60 %}
{% set hours = (duration / 3600)|int %}
{{ "%02i:%02i:%02i"|format(hours, minutes, seconds)}}

View file

@ -6,10 +6,30 @@ let
wohnzimmer_deko = [
"light.wohnzimmer_fernseher_led_strip" # led um fernseher
"light.wohnzimmer_lichterkette_led_strip" # led um fernsehwand
"light.kinderzimmer_lichterkette_licht" # led um fenster
"light.wohnzimmer_fenster_lichterkette_licht" # led um fenster
in {
imports = [ ./tint_wohnzimmer.nix ];
services.home-assistant.config.scene = [
{ name = "Wohnzimmer Abendlicht";
id = "living_room_evening";
entities = {
"light.wohnzimmer_komode_osram_light" = {
state = "on";
brightness = 128;
"light.wohnzimmer_schrank_osram_light" = {
state = "on";
brightness = 128;
"light.wohnzimmer_fenster_lichterkette_licht" = "on";
"light.wohnzimmer_fernseher_led_strip" = {
state = "on";
services.home-assistant.config.wled = {};
services.home-assistant.config.light = [
@ -22,6 +42,11 @@ in {
name = "Wohnzimmer Deko";
entities = wohnzimmer_deko;
platform = "group";
name = "living_room_lights";
entities = wohnzimmerbeleuchtung ++ wohnzimmer_deko;

@ -3,11 +3,11 @@ let
in {
services.home-assistant.config = {
notify = [
platform = "nfandroidtv";
name = "FireTV Wohnzimmer Notification";
host = firetv_stick;
#platform = "nfandroidtv";
#name = "FireTV Wohnzimmer Notification";
#host = firetv_stick;
media_player = [
@ -16,12 +16,12 @@ in {
# host = firetv_stick;
# Configuration needs to be done by hand via web interface "integration"
{ platform = "androidtv";
name = "FireTV Stick Android";
device_class = "firetv";
host = firetv_stick;
port = 5555;
#{ platform = "androidtv";
# name = "FireTV Stick Android";
# device_class = "firetv";
# host = firetv_stick;
# port = 5555;

@ -5,7 +5,7 @@
services.mosquitto = {
enable = true;
persistence = false;
settings.max_keepalive = 60;
settings.max_keepalive = 1060;
listeners = [
port = 1883;

@ -9,128 +9,80 @@
button = "sensor.zigbee_btn2_click";
notify = "notify.signal_home";
# für {{ _intent.siteId }} - name of the rhasspy instance: arbeitszimmer
services.home-assistant.config = {
timer.kurzzeitwecker =
name = "Zigbee Kurzzeitwecker";
duration = 300;
automation = [];
timer.kurzzeitwecker = {
name = "Wecker Wohnung";
script.add_5_minutes_to_kurzzeitwecker =
timer.wecker_arbeitszimmer = {
name = "Wecker Arbeitszimmer";
timer.wecker_wohnzimmer = {
name = "Wecker Wohnzimmer";
intent = {};
intent_script = {
TimerjobStart = {
speech.text = ''
{% set h = hours|default('0')|string %}
{% set m = minutes|default('0')|string %}
{% if h == "0" %}
Wecker gestellt {{ m }} Minuten
{% elif m == "0" %}
Wecker gestellt {{ h }} Stunden
{% else %}
Wecker gestellt {{ h }} Stunden und {{ m }} Minuten
{% endif %}
action = [
alias = "Add 5 minutes to kurzzeitwecker";
sequence = [
{ service = "timer.pause";
entity_id = "timer.kurzzeitwecker";
service = "timer.start";
data.entity_id = "timer.kurzzeitwecker";
data.duration = ''
{% set h = hours|default("0")|int %}
{% set m = minutes|default("0")|int %}
{{ "%02d" | format(h) }}:{{ "%02d" | format(m) }}:00
{ service = "timer.start";
data_template = {
entity_id = "timer.kurzzeitwecker";
duration = ''
{% set r = state_attr('timer.kurzzeitwecker', 'remaining') ~ '-0000' %}
{% set t = strptime(r, '%H:%M:%S.%f%z') %}
{{ (as_timestamp(t) + 300) | timestamp_custom('%H:%M:%S', false) }}
TimerjobRemaining = {
speech.text = ''
{% set timer = states('timer.kurzzeitwecker') %}
{% if timer == 'idle' %}
Wecker läuft nicht
{% elif timer == 'active' %}
{% set remaining = as_timestamp( state_attr('timer.kurzzeitwecker','finishes_at') )-( as_timestamp(now())) %}
{% set s = ((remaining % 60)) | int %}
{% set m = ((remaining % 3600) / 60) | int %}
{% set h = ((remaining % 86400) / 3600) | int %}
{% if h == 0 %}
Es verbleiben {{ m }} Minuten und {{ s }} Sekunden
{% elif m == 0 %}
Es verbleiben {{ h }} Stunden
{% elif m == 0 and h == 0 %}
Es verbleiben {{ s }} Sekunden
{% else %}
Es verbleiben {{ h }} Stunden {{ m }} Minuten
{% endif %}
{% endif %}
automation =
alias = "Start Timer 5min";
trigger = {
platform = "state";
entity_id = button;
to = "single";
condition =
{ condition = "state";
entity_id = "timer.kurzzeitwecker";
state = "idle";
TimerjobStop = {
speech.text = ''
Wecker gestoppt
action = [
{ service = "timer.start";
entity_id = "timer.kurzzeitwecker";
data.duration = "00:05:00";
service = notify;
data.message = "Timer gestartet {{state_attr('timer.kurzzeitwecker', 'remaining') }}, verbleibend ";
{ service = "timer.cancel";
data.entity_id = "timer.kurzzeitwecker";
alias = "Add Timer 5min";
trigger = {
platform = "state";
entity_id = button;
to = "single";
condition =
{ condition = "state";
entity_id = "timer.kurzzeitwecker";
state = "active";
action = [
{ service = "homeassistant.turn_on";
entity_id = "script.add_5_minutes_to_kurzzeitwecker";
service = notify;
data.message = ''Timer um 5 minuten verlängert, {{ state_attr('timer.kurzzeitwecker', 'remaining') | truncate(9,True," ") }} verbleibend '';
alias = "Stop timer on double click";
trigger = [
platform = "state";
entity_id = button;
to = "double";
platform = "state";
entity_id = button;
to = "triple";
condition =
condition = "state";
entity_id = "timer.kurzzeitwecker";
state = "active";
action = [
service = "timer.cancel";
entity_id = "timer.kurzzeitwecker";
service = notify;
data.message = "Timer gestoppt, abgebrochen";
alias = "Timer Finished";
trigger = {
platform = "event";
event_type = "timer.finished";
event_data.entity_id = "timer.kurzzeitwecker";
action = [
service = notify;
data.message = "Timer beendet";

@ -40,5 +40,16 @@
{ platform = "accuweather";
api_key = "!secret accuweather";
{ platform = "scrape";
resource = "";
name = "SWR Prognose";
select = "p[data-refresh=\"weather-headline\"]";
{ platform = "scrape";
resource = "";
name = "SWR Prognose Langtext";
select = "p[data-refresh=\"weather-text\"]";

@ -1,66 +1,34 @@
{ lib, config, ... }:
port = 8096;
services.jellyfin.enable = true;
services.jellyfin.openFirewall = true;
# services.jellyfin.openFirewall = true;
networking.firewall.interfaces.wiregrill = {
allowedTCPPorts = [ 80 port 8920 ];
allowedUDPPorts = [ 1900 7359 ];
state = [ "/var/lib/jellyfin" ];
users.users.${}.extraGroups = [ "download" "video" "render" ]; = {
after = [ "media-cloud.mount" ];
serviceConfig = rec {
RequiresMountFor = [ "/media/cloud" ];
SupplementaryGroups = lib.mkForce [ "video" "render" "download" ];
UMask = lib.mkForce "0077";
Type = lib.mkForce "simple";
StateDirectory = lib.mkForce "jellyfin";
StateDirectoryMode = lib.mkForce "0700";
CacheDirectory = lib.mkForce "jellyfin";
CacheDirectoryMode = lib.mkForce "0700";
WorkingDirectory = lib.mkForce "/var/lib/jellyfin";
Restart = lib.mkForce "on-failure";
TimeoutSec = lib.mkForce 15;
SuccessExitStatus = lib.mkForce ["0" "143"];
# Security options:
NoNewPrivileges = lib.mkForce true;
SystemCallArchitectures = lib.mkForce "native";
# AF_NETLINK needed because Jellyfin monitors the network connection
RestrictAddressFamilies = lib.mkForce [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
RestrictNamespaces = lib.mkForce false;
RestrictRealtime = lib.mkForce true;
RestrictSUIDSGID = lib.mkForce true;
ProtectControlGroups = lib.mkForce false;
ProtectHostname = lib.mkForce true;
ProtectKernelLogs = lib.mkForce false;
ProtectKernelModules = lib.mkForce false;
ProtectKernelTunables = lib.mkForce false;
LockPersonality = lib.mkForce true;
PrivateTmp = lib.mkForce false;
# needed for hardware accelaration
PrivateDevices = lib.mkForce false;
PrivateUsers = lib.mkForce true;
RemoveIPC = lib.mkForce true;
SystemCallFilter = lib.mkForce [
services.nginx.virtualHosts."jelly" = {
serverAliases = [
"jelly.lan" "movies.lan"
"jelly.makefu.w" "makefu.omo.w"
SystemCallErrorNumber = lib.mkForce "EPERM";
locations."/" = {
proxyPass = "http://localhost:${toString port}";
proxyWebsockets = true;

@ -9,8 +9,7 @@ in
MusicFolder = "/media/cryptX/music/kinder";
Address = "";
}; = [ "media-cryptX.mount" ""
"" "" ]; = [ "/media/cryptX" ];
state = [ "/var/lib/navidrome" ];
# networking.firewall.allowedTCPPorts = [ 4040 ];

@ -70,15 +70,18 @@ in
PHOTOPRISM_HTTP_PORT = port; # Built-in Web server port
PHOTOPRISM_HTTP_COMPRESSION = "gzip"; # Improves transfer speed and bandwidth utilization (none or gzip)
PHOTOPRISM_DEBUG = "false"; # Run in debug mode (shows additional log messages)
PHOTOPRISM_PUBLIC = "true"; # No authentication required (disables password protection)
# PHOTOPRISM_PUBLIC = "true"; # No authentication required (disables password protection)
PHOTOPRISM_READONLY = "false"; # Don't modify originals directory (reduced functionality)
PHOTOPRISM_EXPERIMENTAL = "true"; # Enables experimental features
PHOTOPRISM_DISABLE_WEBDAV = "false"; # Disables built-in WebDAV server
# PHOTOPRISM_DISABLE_WEBDAV = "false"; # Disables built-in WebDAV server
PHOTOPRISM_DISABLE_SETTINGS = "false"; # Disables Settings in Web UI
PHOTOPRISM_DISABLE_TENSORFLOW = "false"; # Disables using TensorFlow for image classification
PHOTOPRISM_DARKTABLE_PRESETS = "false"; # Enables Darktable presets and disables concurrent RAW conversion
PHOTOPRISM_DETECT_NSFW = "false"; # Flag photos as private that MAY be offensive (requires TensorFlow)
PHOTOPRISM_UPLOAD_NSFW = "true"; # Allow uploads that MAY be offensive
#PHOTOPRISM_DATABASE_SERVER = "postgres-prism:5432";

@ -0,0 +1,40 @@
{ lib,config, ... }:
# uses alsa instead of pulseaduio server
profiles = "/var/lib/rhasspy";
{ = [ "" ];
virtualisation.oci-containers.containers.rhasspy = {
image = "rhasspy/rhasspy:latest";
environment = {
TZ = "Europe/Berlin";
PULSE_SERVER = "tcp:${ }:4713";
ports = [
volumes = [
cmd = [ "--user-profiles" "/profiles" "--profile" "de" ];
extraOptions = [
systemd.tmpfiles.rules = [
"d ${profiles} 0770 root root - -"
# required to allow rhasspy to connect to pulse server
# hardware.pulseaudio.enable = lib.mkForce false;
networking.firewall.allowedTCPPorts = [ 4713 ];

@ -0,0 +1,23 @@
{ pkgs, ... }:
cfg = pkgs.writeText "hcl-config.json" (builtins.toJSON {
engine = "rhasspy";
pathToConfig = "/var/lib/rhasspy/de/profile.json";
hardware = "respeaker4MicArray";
pattern = "fake-name";
enableDoA = false;
in { = {
description = "Led Server for ReSpeaker 4-array";
after = [ "" "docker-rhasspy.service" ] ;
wantedBy = [ "" ];
serviceConfig = {
# User = "nobody"; # need a user with permissions to run nix-shell
ExecStart = "${pkgs.HermesLedControl}/bin/HermesLedControl --hermesLedControlConfig=${toString cfg}";
Restart = "always";
RestartSec = 10;
PrivateTmp = true;

@ -32,6 +32,10 @@ in
include_device_information = true;
client_id = "zigbee2mqtt";
availability = {
active.timeout = 10;
passive.timeout = 1500;
frontend = {
port = webport;

@ -0,0 +1,7 @@
{ pkgs, ... }:
users.users.makefu = {
extraGroups = [ "cdrom" ];
packages = [ pkgs.glyr pkgs.abcde ];

@ -0,0 +1,6 @@
boot.extraModprobeConfig = ''
options snd_usb_audio ignore_ctl_error=1

@ -37,7 +37,7 @@
emulateWheel = true;
services.tlp.enable = true;
services.tlp.enable = !;
services.tlp.settings = {
# BUG:

Some files were not shown because too many files have changed in this diff Show more