From 851a19842893026b8593329095b282b1458eef83 Mon Sep 17 00:00:00 2001 From: Bryan Ramos Date: Wed, 5 Mar 2025 14:22:41 -0500 Subject: [PATCH 01/10] changed to nvidia 550 --- flake.nix | 1 + src/system/machines/workstation/hardware.nix | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 5f5d66a..be74977 100644 --- a/flake.nix +++ b/flake.nix @@ -24,6 +24,7 @@ inherit system; config = { allowUnfree = true; + nvidia.acceptLicense = true; }; overlays = [ nur.overlays.default diff --git a/src/system/machines/workstation/hardware.nix b/src/system/machines/workstation/hardware.nix index b85333a..0ad7c54 100644 --- a/src/system/machines/workstation/hardware.nix +++ b/src/system/machines/workstation/hardware.nix @@ -83,13 +83,19 @@ enable = true; enable32Bit = true; }; + nvidia = { open = false; powerManagement.enable = false; powerManagement.finegrained = false; modesetting.enable = true; nvidiaSettings = true; - package = config.boot.kernelPackages.nvidiaPackages.stable; + package = config.boot.kernelPackages.nvidiaPackages.mkDriver { + version = "550.120"; + sha256_64bit = "sha256-gBkoJ0dTzM52JwmOoHjMNwcN2uBN46oIRZHAX8cDVpc="; + settingsSha256 = "sha256-fPfIPwpIijoUpNlAUt9C8EeXR5In633qnlelL+btGbU="; + persistencedSha256 = lib.fakeSha256; + }; }; }; From 0a90e2f7b27d68747e091f2fe4cc299d6e284609 Mon Sep 17 00:00:00 2001 From: Bryan Ramos Date: Fri, 13 Mar 2026 17:43:08 -0400 Subject: [PATCH 02/10] sshl --- src/system/modules/forgejo/default.nix | 6 +++++- src/system/modules/nginx/default.nix | 17 ++++++++++++++++- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/src/system/modules/forgejo/default.nix b/src/system/modules/forgejo/default.nix index f9a3eca..f5063ae 100644 --- a/src/system/modules/forgejo/default.nix +++ b/src/system/modules/forgejo/default.nix 
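Review bot: `persistencedSha256 = lib.fakeSha256;` inside the `mkDriver` call leaves the nvidia-persistenced source unpinned: the all-zero placeholder is not a real hash, so the first time that derivation is fetched Nix aborts with a hash mismatch instead of building, and until then nothing verifies what persistenced would be built from. Replace it with the real `sha256-…` value (the mismatch error prints it) next to the two hashes that are already pinned. Since `version = "550.120"` with caller-supplied hashes replaces the values nixpkgs ships for `nvidiaPackages.stable`, a comment recording where the three hashes came from (upstream checksum or the nixpkgs commit they were copied from) would let the next reader re-verify them. The `nvidia` attrset starts in the hunk but the enclosing `hardware` block continues outside it.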
@@ -40,10 +40,14 @@ in stateDir = "/var/lib/forgejo"; settings = { + service.REQUIRE_SIGNIN_VIEW = false; server = { PROTOCOL = "http+unix"; - DOMAIN = "127.0.0.1"; + DOMAIN = "git.ramos.codes"; HTTP_ADDR = "/run/forgejo/forgejo.sock"; + SSH_DOMAIN = "git.ramos.codes"; + SSH_PORT = 443; + START_SSH_SERVER = false; }; }; diff --git a/src/system/modules/nginx/default.nix b/src/system/modules/nginx/default.nix index bb35cca..587e583 100644 --- a/src/system/modules/nginx/default.nix +++ b/src/system/modules/nginx/default.nix @@ -54,9 +54,20 @@ in }; }; + services.sslh = { + enable = true; + settings = { + listen = [{ host = "0.0.0.0"; port = 443; }]; + protocols = [ + { name = "ssh"; host = "127.0.0.1"; port = 22; probe = "builtin"; } + { name = "tls"; host = "127.0.0.1"; port = 4443; probe = "builtin"; } + ]; + }; + }; + services.nginx = { enable = true; - virtualHosts = + virtualHosts = let certPath = config.security.acme.certs."ramos.codes".directory; sslCertificate = "${certPath}/fullchain.pem"; @@ -64,6 +75,10 @@ in withSSL = hosts: mapAttrs (name: hostConfig: hostConfig // { inherit sslCertificate sslCertificateKey; + listen = [ + { addr = "127.0.0.1"; port = 4443; ssl = true; } + { addr = "0.0.0.0"; port = 80; } + ]; forceSSL = true; }) hosts; From c8d05d51455f3b3d68815db916c6efd0f979fa4e Mon Sep 17 00:00:00 2001 From: Bryan Ramos Date: Fri, 13 Mar 2026 19:08:40 -0400 Subject: [PATCH 03/10] switch nic --- src/system/machines/server/system.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/system/machines/server/system.nix b/src/system/machines/server/system.nix index 20feaed..e85c35e 100644 --- a/src/system/machines/server/system.nix +++ b/src/system/machines/server/system.nix @@ -102,7 +102,7 @@ networking = { hostName = "server"; useDHCP = false; - interfaces.eno1 = { + interfaces.enp2s0f0 = { ipv4.addresses = [{ address = "192.168.0.154"; prefixLength = 24; From 6040b4a1e6cef7e530e013790c53a21cefa37670 Mon Sep 17 00:00:00 2001 
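Review bot: `service.REQUIRE_SIGNIN_VIEW = false;` is added in the same hunk that switches `DOMAIN` from `127.0.0.1` to the public `git.ramos.codes`, so anonymous browsing of every non-private repository and user page is being stated explicitly at the moment the instance is published. If that is intended, say so: `# public read access: non-private repos are browsable without login`; otherwise set it to `true`. `SSH_PORT = 443` with `START_SSH_SERVER = false` also means the clone URLs Forgejo advertises reach the host sshd through sslh, so the host's sshd hardening (key-only auth, AllowUsers) is now what guards git over 443; that sshd configuration is outside this hunk. The `settings` attrset is cut by the hunk on both sides.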
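Review bot: The sslh `listen` entry on `0.0.0.0:443` with the `ssh` protocol forwarding to `127.0.0.1:22` exposes the host's sshd on port 443 to every address that can reach the box, independent of whatever the firewall permits on port 22, so a `22` entry in `allowedTCPPorts` elsewhere no longer describes SSH exposure. Note it beside the block, e.g. `# sshd is reachable on :443 via sslh as well; hardening lives in services.openssh`, and confirm sshd is key-only before this lands. sslh's unmatched-probe fallback is the first protocol listed (here `ssh`), which is the usual choice so SSH clients that wait for the server banner still get through; if that is relied on, a short comment on the ordering would stop someone reordering the list later.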
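Review bot: The `listen` list added to `withSSL` binds TLS only on `127.0.0.1:4443`, so every HTTPS request now arrives via sslh with `127.0.0.1` as its remote address: access logs, `allow`/`deny` rules, rate limits and fail2ban on these hosts lose the real client IP. Either run sslh with `transparent = true` (which needs the matching policy routing on the host) or document the limitation in the helper: `# TLS arrives via sslh on :4443, so $remote_addr is 127.0.0.1 unless sslh runs transparent`. The `//` merge also discards any `listen` a host config set for itself, and the `80` listener is IPv4-only whereas the NixOS default presumably also bound `[::0]`; a comment if both are deliberate. `withSSL` and the `let` it sits in continue outside the hunk.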
From: Bryan Ramos Date: Fri, 13 Mar 2026 19:59:36 -0400 Subject: [PATCH 04/10] fixes --- src/system/machines/desktop/system.nix | 15 ++++++++++++++- src/system/modules/bitcoin/config/bitcoin.conf | 3 +++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/src/system/machines/desktop/system.nix b/src/system/machines/desktop/system.nix index ba97169..35f5605 100644 --- a/src/system/machines/desktop/system.nix +++ b/src/system/machines/desktop/system.nix @@ -94,7 +94,20 @@ in enable = true; allowedTCPPorts = [ 22 80 443 ]; }; - nameservers = [ "192.168.0.154" ]; + }; + + services.dnsmasq = { + enable = true; + settings = { + address = "/.ramos.codes/192.168.0.154"; + server = [ + "/www.ramos.codes/192.168.0.1" + "/http.ramos.codes/192.168.0.1" + "/https.ramos.codes/192.168.0.1" + "/ramos.codes/192.168.0.1" + "192.168.0.1" + ]; + }; }; services = { diff --git a/src/system/modules/bitcoin/config/bitcoin.conf b/src/system/modules/bitcoin/config/bitcoin.conf index 756bfc1..a667d9c 100644 --- a/src/system/modules/bitcoin/config/bitcoin.conf +++ b/src/system/modules/bitcoin/config/bitcoin.conf @@ -16,3 +16,6 @@ listenonion=1 torcontrol=127.0.0.1:9051 txindex=1 + +# Limit memory usage (MB) - default is unbounded during IBD +dbcache=1024 From 3ba1a631240aca494cb3b2efe2610a960f1d4a8d Mon Sep 17 00:00:00 2001 From: Bryan Ramos Date: Fri, 13 Mar 2026 20:11:43 -0400 Subject: [PATCH 05/10] fix sslh --- src/system/modules/nginx/default.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/system/modules/nginx/default.nix b/src/system/modules/nginx/default.nix index fad324a..f60d985 100644 --- a/src/system/modules/nginx/default.nix +++ b/src/system/modules/nginx/default.nix 
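Review bot: `services.dnsmasq.enable = true` is added with no `listen-address`/`interface` restriction, so dnsmasq's default is to answer on every interface of the desktop, and with `server` forwarding to `192.168.0.1` it becomes an open forwarder for anything on the LAN that can reach port 53. The firewall block just above lists only TCP 22/80/443, so the default-deny firewall would presumably block it unless UDP 53 is opened elsewhere — not visible here. Since this resolver only needs to serve the desktop itself, add `listen-address = "127.0.0.1"; bind-interfaces = true;` to `settings`. The `networking` attrset this hunk edits starts before the hunk.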
@@ -30,11 +30,12 @@ in services.sslh = { enable = true; + listenAddresses = [ "0.0.0.0" ]; + port = 443; settings = { - listen = [{ host = "0.0.0.0"; port = 443; }]; protocols = [ - { name = "ssh"; host = "127.0.0.1"; port = 22; probe = "builtin"; } - { name = "tls"; host = "127.0.0.1"; port = 4443; probe = "builtin"; } + { name = "ssh"; host = "127.0.0.1"; port = "22"; probe = "builtin"; } + { name = "tls"; host = "127.0.0.1"; port = "4443"; probe = "builtin"; } ]; }; }; From d67a67b5e7a4c899cf8890351b7bb9bae816a79b Mon Sep 17 00:00:00 2001 From: Bryan Ramos Date: Fri, 13 Mar 2026 20:13:12 -0400 Subject: [PATCH 06/10] again --- src/system/modules/nginx/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/system/modules/nginx/default.nix b/src/system/modules/nginx/default.nix index f60d985..4e10513 100644 --- a/src/system/modules/nginx/default.nix +++ b/src/system/modules/nginx/default.nix @@ -34,8 +34,8 @@ in port = 443; settings = { protocols = [ - { name = "ssh"; host = "127.0.0.1"; port = "22"; probe = "builtin"; } - { name = "tls"; host = "127.0.0.1"; port = "4443"; probe = "builtin"; } + { name = "ssh"; host = "127.0.0.1"; port = "22"; } + { name = "tls"; host = "127.0.0.1"; port = "4443"; } ]; }; }; From b4daedf74e96ad49a23fc859358e6839ccf9ce1a Mon Sep 17 00:00:00 2001 From: Bryan Ramos Date: Fri, 13 Mar 2026 20:14:33 -0400 Subject: [PATCH 07/10] fix nginx ssl --- src/system/modules/nginx/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/src/system/modules/nginx/default.nix b/src/system/modules/nginx/default.nix index 4e10513..7f508f0 100644 --- a/src/system/modules/nginx/default.nix +++ b/src/system/modules/nginx/default.nix @@ -46,6 +46,7 @@ in recommendedOptimisation = true; recommendedGzipSettings = true; eventsConfig = "worker_connections 4096;"; + defaultSSLListenPort = 4443; # Catch-all default - friendly error for unknown subdomains virtualHosts."_" = { 
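Review bot: `defaultSSLListenPort = 4443;` applies to every SSL-enabled virtual host that does not set `listen` itself — notably the catch-all `virtualHosts."_"` starting on the last line of the hunk, whose body is outside it — and the NixOS default listen addresses are the wildcard ones, so such a host would end up on `0.0.0.0:4443`/`[::]:4443` rather than loopback. That is a second TLS entry point that bypasses sslh and is reachable as soon as the firewall admits 4443, presumably unintended given the other hosts pin `127.0.0.1`. Pair the port with `defaultListenAddresses = [ "127.0.0.1" ];` so the only public TLS listener is sslh on 443.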
From 0ff940eb2206bd3e9a095c13ec76756b4f7417e4 Mon Sep 17 00:00:00 2001 From: Bryan Ramos Date: Fri, 13 Mar 2026 20:26:20 -0400 Subject: [PATCH 08/10] dnsmasq --- src/system/machines/desktop/system.nix | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/src/system/machines/desktop/system.nix b/src/system/machines/desktop/system.nix index 35f5605..f0d0539 100644 --- a/src/system/machines/desktop/system.nix +++ b/src/system/machines/desktop/system.nix @@ -99,14 +99,18 @@ in services.dnsmasq = { enable = true; settings = { - address = "/.ramos.codes/192.168.0.154"; - server = [ - "/www.ramos.codes/192.168.0.1" - "/http.ramos.codes/192.168.0.1" - "/https.ramos.codes/192.168.0.1" - "/ramos.codes/192.168.0.1" - "192.168.0.1" + # Explicit subdomains -> local server + address = [ + "/git.ramos.codes/192.168.0.154" + "/ln.ramos.codes/192.168.0.154" + "/photos.ramos.codes/192.168.0.154" + "/test.ramos.codes/192.168.0.154" + "/electrum.ramos.codes/192.168.0.154" + "/immich.ramos.codes/192.168.0.154" + "/forgejo.ramos.codes/192.168.0.154" + "/frigate.ramos.codes/192.168.0.154" ]; + server = [ "192.168.0.1" ]; }; }; From 178d9e9842109c3d2a3313759ebe0010f92d14f0 Mon Sep 17 00:00:00 2001 From: Bryan Ramos Date: Fri, 13 Mar 2026 20:48:02 -0400 Subject: [PATCH 09/10] x --- src/system/modules/bitcoin/config/bitcoin.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/src/system/modules/bitcoin/config/bitcoin.conf b/src/system/modules/bitcoin/config/bitcoin.conf index a667d9c..d3ed9eb 100644 --- a/src/system/modules/bitcoin/config/bitcoin.conf +++ b/src/system/modules/bitcoin/config/bitcoin.conf @@ -17,5 +17,4 @@ torcontrol=127.0.0.1:9051 txindex=1 -# Limit memory usage (MB) - default is unbounded during IBD dbcache=1024 From 887dcaf16ffc7350d8261bd211405f1e02e3b009 Mon Sep 17 00:00:00 2001 
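Review bot: The explicit `address` list now decides which `*.ramos.codes` names stay on the LAN; any name not in it goes to `server = [ "192.168.0.1" ]` and presumably resolves to the public address, so a forgotten entry silently sends that service's traffic out through the WAN side and back. Record that above the list: `# every new *.ramos.codes service must be listed here, otherwise it resolves via the router (public path)`. The `services.dnsmasq` block this edits starts before the hunk.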
From: Bryan Ramos Date: Fri, 13 Mar 2026 21:40:58 -0400 Subject: [PATCH 10/10] camera network --- src/system/machines/server/system.nix | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/system/machines/server/system.nix b/src/system/machines/server/system.nix index e85c35e..5278443 100644 --- a/src/system/machines/server/system.nix +++ b/src/system/machines/server/system.nix @@ -108,6 +108,13 @@ prefixLength = 24; }]; }; + # Camera network - isolated, no gateway + interfaces.enp2s0f1 = { + ipv4.addresses = [{ + address = "192.168.1.1"; + prefixLength = 24; + }]; + }; defaultGateway = "192.168.0.1"; nameservers = [ "1.1.1.1" "8.8.8.8" ]; firewall = { @@ -131,6 +138,12 @@ "8.8.8.8" ]; cache-size = 1000; + + # Camera network DHCP (isolated - no gateway = no internet) + interface = "enp2s0f1"; + bind-interfaces = true; + dhcp-range = "192.168.1.100,192.168.1.200,24h"; + # No gateway option = cameras can't route to internet }; };
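Review bot: The comment `# Camera network - isolated, no gateway` describes a property this hunk does not enforce: the server is dual-homed with `defaultGateway = "192.168.0.1"`, so any camera that uses `192.168.1.1` as its router — statically, or from the DHCP lease — is forwarded to the LAN and the internet whenever IP forwarding is enabled on the host, which containers or NAT configured elsewhere would turn on. Isolation needs a forward-drop for the interface, e.g. `networking.firewall.extraForwardRules = "iifname enp2s0f1 drop";` with nftables (or the iptables `extraCommands` equivalent), plus `networking.firewall.interfaces.enp2s0f1.allowedUDPPorts = [ 53 67 ];` so the cameras can only reach DHCP/DNS on the host. Until that exists, reword the comment to `# Camera network - separate subnet; forwarding must be blocked by the firewall`. The `networking` attrset continues outside the hunk.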
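Review bot: `# No gateway option = cameras can't route to internet` is wrong for dnsmasq: unless option 3 is overridden, its DHCP server hands out its own address on that interface — here `192.168.1.1` — as the default router, and likewise its own address as the DNS server (option 6), so the cameras will receive a gateway. To really send none, add `dhcp-option = [ "3" "6" ];` (an option name with no value tells dnsmasq not to send it) and drop the two comments; if the cameras should get DNS, keep only `"3"` but note that with `server = [ "1.1.1.1" "8.8.8.8" ]` the resolver is itself an outbound path from the camera subnet. `interface = "enp2s0f1"` with `bind-interfaces = true` also makes this dnsmasq answer only on the camera NIC and loopback, so any LAN client still pointing at `192.168.0.154` for DNS loses it — consistent with the desktop dropping that nameserver earlier in the series, but worth saying in the commit. The `services.dnsmasq.settings` block starts before the hunk.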