Add nvr to nginx

README.md

@@ -11,17 +11,12 @@ cp /mnt/etc/nixos/hardware-configuration.nix hosts/$(hostname)/hardware-configur
 rbw config set email admin@muon.host
 rbw config set base_url https://vault.muon.host
 rbw login
-sudo mkdir -p /mnt/etc/ssh
-nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.data.password' | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key.pub"
-nix-shell -p jq --run "rbw get --raw sopsssh | jq -r '.notes' | sudo tee /mnt/etc/ssh/ssh_host_ed25519_key"
 sudo mkdir -p /mnt{,/persist}/var/lib/sops-nix
-sudo chown muon:users /mnt/var/lib/sops-nix -R
 sudo chown muon:users /mnt/persist/var/lib/sops-nix -R
 rbw get sops > /mnt/var/lib/sops-nix/key.txt
 sudo cp {/mnt,/mnt/persist}/var/lib/sops-nix/key.txt
 sudo nixos-install --root /mnt --no-root-passwd --flake .#$(hostname)
 sudo cp -r /mnt/var/lib/nixos/* /mnt/persist/var/lib/nixos/
-sudo cp -r /mnt/etc/ssh/ssh_host* /mnt/persist/etc/ssh/
 sudo cp {/mnt,/mnt/persist}/etc/machine-id
 ```
 

flake.lock

@@ -193,11 +193,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753595562,
-        "narHash": "sha256-Ci88mAdtiP5RQkYmVhRUq69iYPMM7/lS9/mw+FnC7DE=",
+        "lastModified": 1753983724,
+        "narHash": "sha256-2vlAOJv4lBrE+P1uOGhZ1symyjXTRdn/mz0tZ6faQcg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "710771af3d1c8c3f86a9e5d562616973ed5f3f21",
+        "rev": "7035020a507ed616e2b20c61491ae3eaa8e5462c",
         "type": "github"
       },
       "original": {
@@ -316,11 +316,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1753429684,
-        "narHash": "sha256-9h7+4/53cSfQ/uA3pSvCaBepmZaz/dLlLVJnbQ+SJjk=",
+        "lastModified": 1753694789,
+        "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "7fd36ee82c0275fb545775cc5e4d30542899511d",
+        "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
         "type": "github"
       },
       "original": {
@@ -443,11 +443,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1753553562,
-        "narHash": "sha256-CpTwdsrPU3UFy95Btg56RcVMgNpnw3C0DYTznE5aRq4=",
+        "lastModified": 1753978157,
+        "narHash": "sha256-sVy8hb71VawSOIsLv/hMGzpvbbWszdP9aSKI5Drbt6Q=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "af85565aba0f4749cb18b118a7333a0745920950",
+        "rev": "ded4f29a023e0f14506ec16b0e32d129e56341cc",
         "type": "github"
       },
       "original": {

hosts/muho/configuration.nix

@@ -44,6 +44,7 @@ in {
   mods.server.ntfy.enable = true;
   mods.server.lemmy.enable = true;
   mods.server.audio.enable = true;
+  mods.server.atuin.enable = true;
 
   mods.server.dash.enable = false;
   mods.server.nginx.ports.dash = 3009;

hosts/mups/configuration.nix

@@ -55,6 +55,11 @@ in {
       default = true;
       locations."/" = { proxyPass = "http://localhost:8008"; };
     };
+    "nvr.muon.host" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = { proxyPass = "http://10.0.0.2:8095"; };
+    };
     "tetterodesportcomplex.nl" = {
       enableACME = true;
       forceSSL = true;

hosts/murk/hardware-configuration.nix

@@ -4,64 +4,15 @@
 { config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
 
-  boot.initrd.availableKernelModules =
-    [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-intel" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" = {
-    device = "/dev/mapper/crypted";
-    fsType = "btrfs";
-    options = [ "subvol=root" ];
-  };
-
-  boot.initrd.luks.devices."crypted".device =
-    "/dev/disk/by-uuid/1ca0c5f6-3cb3-4f86-94a5-4376461da227";
-
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/4BD8-A887";
-    fsType = "vfat";
-    options = [ "fmask=0077" "dmask=0077" ];
-  };
-
-  fileSystems."/home" = {
-    device = "/dev/mapper/crypted";
-    fsType = "btrfs";
-    options = [ "subvol=home" "compress=zstd" "noatime" ];
-  };
-
-  fileSystems."/nix" = {
-    device = "/dev/mapper/crypted";
-    fsType = "btrfs";
-    options = [ "subvol=nix" "compress=zstd" "noatime" ];
-  };
-
-  fileSystems."/persist" = {
-    device = "/dev/mapper/crypted";
-    fsType = "btrfs";
-    options = [ "subvol=persist" "compress=zstd" "noatime" ];
-    neededForBoot = true;
-  };
-
-  fileSystems."/swap" = {
-    device = "/dev/mapper/crypted";
-    fsType = "btrfs";
-    options = [ "subvol=swap" ];
-  };
-
-  fileSystems."/var/log" = {
-    device = "/dev/mapper/crypted";
-    fsType = "btrfs";
-    options = [ "subvol=log" "compress=zstd" "noatime" ];
-    neededForBoot = true;
-  };
-
-  swapDevices = [ ];
-
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.intel.updateMicrocode =
-    lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/ports.nix

@@ -18,6 +18,7 @@
       # dash = 3009;
       ntfy = 3010;
       audio = 3011;
+      atuin = 3012;
 
       search = 8081;
       videos = 8082;

modules/home/impermanence.nix

@@ -8,7 +8,7 @@ let
         # fs-diff.sh
         set -euo pipefail
 
-        sudo mkdir /btrfs_tmp
+        sudo mkdir -p /btrfs_tmp
         sudo mount -o subvol=/ /dev/mapper/crypted /btrfs_tmp
 
         OLD_TRANSID=$(sudo btrfs subvolume find-new /btrfs_tmp/root-blank 9999999)

modules/home/sops/default.nix

@@ -6,5 +6,6 @@ in with lib; {
     age.keyFile = "/persist/var/lib/sops-nix/key.txt";
     defaultSopsFile = ./secrets.yaml;
     secrets.zipline-auth = { };
+    secrets.atuin-auth = { };
   };
 }

modules/home/sops/secrets.yaml

@@ -1,9 +1,6 @@
 zipline-auth: ENC[AES256_GCM,data:RkJI6GuH7RzdcSlKn32gMGojjB6rkdDcnNUvsi/BTfJk2slzoktAaJPzQA==,iv:LIiB3tyqXf/D64aIDSo0AyG3imvI6ZE893KBPlYFr28=,tag:wl8spMBwzfvuKA+Y6JnVyQ==,type:str]
+atuin-auth: ENC[AES256_GCM,data:LDkiXWIwxor8Ro383gonJCyqu+nyxS7DrI2J8uo4Cqu2X61rBUlnpNR6YirUZS/lYAnWYJhZM7sR0G7ZNh9EgQ==,iv:UEs2KW8ImMnaQrSLrIGbVXEq86QiVPAPNIXBZpa3jFI=,tag:N0rhnPbasFzkoI3CJ9CV+Q==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc
           enc: |
@@ -32,8 +29,7 @@ sops:
             cThxTVpmcEMrcG9Lczd3dkdyQ0paSHMKUfkx9jh7zIqBkUjxaH3dVKvNJG3Mipts
             OjmJ5aVVIR5U8MhgSgECb22mGlOgW8SU/x4gxcWgafZwbv2vbON6OA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-19T20:01:35Z"
-    mac: ENC[AES256_GCM,data:jG/1PmWEk8EMvor/QCEhxDzkRufVWCLdDnsfomVy9hbiOl9ndzCFjvMR2OXkxGsTHl8bGaYJ+DqAjtLvgZZW5l+F6HQmQcene1vNFH3DsrtiQ7TC3Lmov6PBND1XCkj3urwaT3zKoydHIuIdIWyo2/RSxyz8G8mQrn8QrKv5SJw=,iv:PIle2A4sd2hVarMIgYu9/obShMe8NnDbfe9FUL/p8HI=,tag:I/2Bt2L+a8ybJUc6Pv3yZw==,type:str]
-    pgp: []
+    lastmodified: "2025-08-01T11:06:26Z"
+    mac: ENC[AES256_GCM,data:bcCDmG+460Y+hUYHg6yVl2E6Oyw2MQcHVLp7sfhJDwWAHCwEPeYKlQLp8yumOTyQQxw6uSgj+vso7JmiAsnJvk/v9BIx6SNmfKK+rz9cwIJY1d8Da99Yn7WUVAjXQyWqxNckrELS+CKSsGXl7nr/PKYM1w87Fpbq9F7x4bp/V28=,iv:/XrjK+qaJCPrqoSEZ+hJQa7jvjWgzJQJXRXn+7Y1m8I=,tag:BruzsbUBC61Hzsx/3k8Vcg==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2

modules/home/terminal/tools.nix

@@ -29,7 +29,23 @@ in with lib; {
       "htop"
       "vifm"
       "rbw"
-    ]);
+    ]) // {
+      atuin = {
+        enable = true;
+        enableZshIntegration = true;
+        flags = [ "--disable-up-arrow" ];
+        settings = {
+          sync_frequency = "5m";
+          sync_address = "https://atuin.muon.host";
+          key_path = config.sops.secrets.atuin-auth.path;
+          keymap_mode = "vim-insert";
+          keymap_cursor = {
+            vim_insert = "blink-bar";
+            vim_normal = "steady-block";
+          };
+        };
+      };
+    };
 
     home.packages = with pkgs; [
       # libraries

modules/nixos/impermanence.nix

@@ -4,7 +4,7 @@ with lib; {
 
   config = mkIf config.mods.impermanence.enable {
     environment.persistence."/persist" = {
-      directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" "/etc/ssh" ];
+      directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" ];
       files = [ "/var/lib/sops-nix/key.txt" "/etc/machine-id" ];
     };
 

modules/nixos/server/atuin.nix

@@ -0,0 +1,24 @@
+{ pkgs, lib, config, ... }:
+let
+  cfg = config.mods.server.atuin;
+  port = config.mods.server.nginx.ports.atuin;
+in with lib; {
+  options.mods.server = {
+    atuin = {
+      enable = mkEnableOption {
+        default = false;
+        description = "enables atuin server";
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    services.atuin = {
+      inherit port;
+      enable = true;
+      host = "0.0.0.0";
+      openRegistration = true;
+    };
+  };
+}
+

modules/nixos/server/default.nix

@@ -24,5 +24,6 @@
     ./ntfy.nix
     ./lemmy.nix
     ./audio.nix
+    ./atuin.nix
   ];
 }

modules/nixos/server/nvr.nix

@@ -13,9 +13,9 @@ in with lib; {
   };
 
   config = mkIf cfg.enable {
-    networking.firewall.allowedTCPPorts = [ 8095 ];
     services.zoneminder = {
       enable = true;
+      openFirewall = true;
       database = {
         createLocally = true;
         username = "zoneminder";