diff --git a/system/modules/sops-nix/secrets.yaml b/system/modules/sops-nix/secrets.yaml index 2cb198fb..023f64db 100644 --- a/system/modules/sops-nix/secrets.yaml +++ b/system/modules/sops-nix/secrets.yaml @@ -8,10 +8,8 @@ docker-password: ENC[AES256_GCM,data:mK5YWEQPKWBtVCgRBZvwWTdVAi8MEGbLnLeP7hfDkcc # #ENC[AES256_GCM,data:y5dlZFhK38dR+Q==,iv:1JYizUeyWeMR4KUblkj7kVSHPCL5l8mFpaQdo774BcM=,tag:kUTnBZb46KYQyi8bgIYSOQ==,type:comment] # -kagi-api-key: ENC[AES256_GCM,data:54N717EDbqMkg6O0SM3z15vWikD8fSRx2auk9pzRnlhqEq7BTvTkfYgIljr1VgL2OgWFm0IKKoGNXWqJg121zjWZABh/qyqEougRv67Kq6MVieNW2t8f,iv:lCPme9wlQXI3XtvhKd9XwfJsxj/mqNKSDl9kV137xg4=,tag:L2mKVw6VOLeTMl6mXcxvHA==,type:str] -google-pse-id: ENC[AES256_GCM,data:fxMVccflFndoVhTJflxHelg=,iv:MkzEOtfP7x/1PYx0ytYUrKU+VBiyfKIZSbPhXb47SC0=,tag:s5ew0kJNIVJCGFH4J8980w==,type:str] -google-pse-key: ENC[AES256_GCM,data:qb6pqGlX+yMMUrscab27q+w5FWwMoik5rGJzjGzOMrelEVUuSErw,iv:8pWr0BNjL2Iw+7hDzrSyuE3reR51Jz+CIToEUkuYpyU=,tag:+7l+0X+1zWwDG3nJmP2ugA==,type:str] makemkv-app-key: ENC[AES256_GCM,data:/pTxr4q4ucJLx5VI8ySzOgd4g1s+6lcZNe4crxRmidTYrhJ0I6V3CIhm4wLC105W+Xka6HIZTqPn8SbqcMC4Dt3wSus=,iv:aYsGobD+Vl/VUNAHcAxQb7HEmLT8aXyKNOELgzvKDH4=,tag:xhnVb/ns6VZEnTuoUv9w5A==,type:str] +restic-repo-key: ENC[AES256_GCM,data:lSFuhjbhdQq4cabAVFGQ4kuaJxb7EhXgBDlgoEQWJhs=,iv:7IhGDBYEwY1TwLvc/4DOkUBQ3eqSszZcKwnT7Lllfps=,tag:yJVlMi9X0W+Kh3zMkb0QuA==,type:str] # #ENC[AES256_GCM,data:Raagjz1qPvXC,iv:OSWTKaIlmo1paU2ZZn20XMeZ2gdM52pHmVZ3m2ngCdI=,tag:bPCdvjOFjpxxkrwA7Mhl5Q==,type:comment] # 
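Review bot: Dropping `kagi-api-key`, `google-pse-id` and `google-pse-key` from secrets.yaml in this hunk does not retire them. The previous ciphertext stays in the repository history and remains decryptable with the same age identities that open the current file. If the open-webui setup that used them is gone for good, the credentials should also be revoked at the providers. The commit message could record this, for example `kagi/google-pse keys revoked upstream on <date>`, so the state is clear to later readers.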
@@ -35,7 +33,7 @@ sops: SURMTmh1TGIrRmtENzc0Sk4rNFJNUE0KOpjN6jkEHO+lvdWdp4P++r9SNSPWaT0h FAbbvZZ/EdIk/njLEcayFN7B4ftTcD/f4XJZiyosilZnIkk76bMOHA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-15T18:57:57Z" - mac: ENC[AES256_GCM,data:IMVTkcb+gRIHJILw1wEa4MWZ+KMsVBIhpm4wVfDJI3+sh2hVcs/k6nsUlNDo/uTi33noXGKnzuVQLdMMuQcqMUYW7N6C+HbZxsab9nZFiKRyfsrFGyip+v36ffB+C0Dslpc8WkeVUglx5rw1DYlnRwRrDjtZG876pnB8f8poJXs=,iv:sm58Vucybz4n4DzDKVzHI/GXuLdCD4cOpUgMxqBESng=,tag:JtnyqWwKAw9Org7XG6o2+Q==,type:str] + lastmodified: "2025-07-19T01:29:00Z" + mac: ENC[AES256_GCM,data:IzLYRuOlkUpry37sw7OB5MglntVflMjCcNiWpi7rvT2suOivLX9IT36qZFfYIbVIFXDmfsi1hsTvsPyekD7vVWQ1vkajAlGQYYTVpnO2cFrK3+TfWCyYjiD01rQBiRikybrR11zWRq6atieurDIxMUMEI7ypiqFOwpYaqSePAFc=,iv:9bc6rc4gjuiJWNjg1g0KfySqxnPjpzmlzDi/R+Iv2g4=,tag:tEwthVZAmdXbwRtoNykGrQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/system/nixinator/default.nix b/system/nixinator/default.nix index eda2671f..4d12da81 100644 --- a/system/nixinator/default.nix +++ b/system/nixinator/default.nix @@ -80,10 +80,8 @@ }; sops-nix.secrets.${username} = [ - "kagi-api-key" - "google-pse-id" - "google-pse-key" "makemkv-app-key" + "restic-repo-key" ]; }; @@ -95,12 +93,6 @@ ''; }; - sops.templates."open-webui-secrets.env".content = '' - KAGI_SEARCH_API_KEY=${config.sops.placeholder.kagi-api-key} - GOOGLE_PSE_ENGINE_ID=${config.sops.placeholder.google-pse-id} - GOOGLE_PSE_API_KEY=${config.sops.placeholder.google-pse-key} - ''; - boot = { kernelPackages = pkgs.linuxPackages_zen; @@ -108,10 +100,7 @@ # plymouth.enable = true; }; - environment.systemPackages = with pkgs; [ - # TODO: Not found by docling - tesseract # For services.docling-serve - ]; + # environment.systemPackages = with pkgs; []; programs = { ausweisapp = { 
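Review bot: In the `@@ -80,10 +80,8 @@` hunk of system/nixinator/default.nix, `"restic-repo-key"` is added to `sops-nix.secrets.${username}`, which presumably makes the decrypted file owned by or readable to that user. The module behind this option is not shown in the diff, so please confirm. The backup job added in the last hunk is deliberately left running as root, so only root needs the password. The repository holds a root-level copy of `/persist`, so a user-readable key lets anything running in the user session decrypt files the user cannot read on the live system. Consider declaring it as a root-owned secret instead, for example `sops.secrets.restic-repo-key = { };` (sops-nix defaults to owner root, mode 0400), and keep only `makemkv-app-key` in the per-user list.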
@@ -127,90 +116,59 @@ fileSystems = ["/"]; }; - # TODO: Docling doesn't find tesseract OCR engine... Probably use docker? - docling-serve = { - enable = false; - stateDir = "/var/lib/docling-serve"; + # Keep this as a system service because we're backing up /persist as root + restic.backups."synology" = { + # user = "${username}"; # Keep default (root), so restic can read everything - host = "127.0.0.1"; - port = 11111; - openFirewall = false; - }; + repository = "/home/${username}/Restic"; + initialize = true; + passwordFile = config.sops.secrets.restic-repo-key.path; + createWrapper = true; - # TODO: To AI module - ollama = { - enable = true; - acceleration = "cuda"; - home = "/var/lib/ollama"; - - # TODO: This slows down booting although models are present? - # Maybe because it's waiting for /persist/var/lib/private/ollama? - # loadModels = [ - # "deepseek-r1:8b" # Default - # "deepseek-r1:14b" - # ]; - - # https://github.com/ollama/ollama/blob/main/docs/faq.md#how-do-i-configure-ollama-server - environmentVariables = { - # Flash Attention is a feature of most modern models - # that can significantly reduce memory usage as the context size grows. - OLLAMA_FLASH_ATTENTION = "1"; - - # The K/V context cache can be quantized to significantly - # reduce memory usage when Flash Attention is enabled. - OLLAMA_KV_CACHE_TYPE = "q8_0"; # f16, q8_0 q4_0 - - # To improve Retrieval-Augmented Generation (RAG) performance, you should increase - # the context length to 8192+ tokens in your Ollama model settings. 
- OLLAMA_CONTEXT_LENGTH = "8192"; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + RandomizedDelaySec = "5h"; }; - host = "127.0.0.1"; - port = 11434; - openFirewall = false; - }; + runCheck = true; + checkOpts = [ + "--with-cache" + ]; - # TODO: To AI module - # TODO: WebSearch + RAG issues - open-webui = { - enable = false; - stateDir = "/var/lib/open-webui"; + pruneOpts = [ + "--keep-daily 3" + "--keep-weekly 2" + # "--keep-monthly 0" + # "--keep-yearly 0" - # https://docs.openwebui.com/getting-started/env-configuration - environment = { - DEFAULT_MODELS = builtins.head config.services.ollama.loadModels; - TASK_MODEL = builtins.head config.services.ollama.loadModels; + "--prune" # Automatically remove dangling files not referenced by any snapshot + "--repack-uncompressed" + ]; - ENABLE_OPENAI_API = "False"; - ENABLE_OLLAMA_API = "True"; - OLLAMA_BASE_URL = "http://${config.services.ollama.host}:${builtins.toString config.services.ollama.port}"; + paths = ["/persist"]; + exclude = [ + # The backup is just supposed to allow a system restore + "/persist/old_homes" + "/persist/old_roots" - ENABLE_EVALUATION_ARENA_MODELS = "False"; - ENABLE_COMMUNITY_SHARING = "False"; + # Those are synced by nextcloud, no need to backup them 50 times + "/persist/home/${username}/Documents" + "/persist/home/${username}/NixFlake" + "/persist/home/${username}/Notes" + "/persist/home/${username}/Projects" + "/persist/home/${username}/Public" - CONTENT_EXTRACTION_ENGINE = "docling"; - DOCLING_SERVER_URL = "http://${config.services.docling-serve.host}:${builtins.toString config.services.docling-serve.port}"; - - ENABLE_RAG_HYBRID_SEARCH = "False"; - ENABLE_RAG_LOCAL_WEB_FETCH = "True"; - - ENABLE_WEB_SEARCH = "True"; - WEB_SEARCH_ENGINE = "google_pse"; - # GOOGLE_PSE_ENGINE_ID = ""; # Use environmentFile - # GOOGLE_PSE_API_KEY = ""; # Use environmentFile - # KAGI_SEARCH_API_KEY = ""; # Use environmentFile - - WEBUI_AUTH = "False"; - ANONYMIZED_TELEMETRY = "False"; - 
DO_NOT_TRACK = "True"; - SCARF_NO_ANALYTICS = "True"; - }; - - environmentFile = config.sops.templates."open-webui-secrets.env".path; - - host = "127.0.0.1"; - port = 11435; - openFirewall = false; + # Some more caches + ".cache" + "cache2" # firefox + "Cache" + ]; + extraBackupArgs = [ + "--exclude-caches" # Excludes marked cache directories + "--one-file-system" # Only stay on /persist (in case symlinks lead elsewhere) + "--cleanup-cache" # Auto remove old cache directories + ]; }; xserver = {
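Review bot: `repository = "/home/${username}/Restic"` puts a root-written repository inside the user's home, but `exclude` does not list that directory under `/persist/home/${username}`. If the home directory is persisted from `/persist` (not visible in this diff), the repository becomes part of its own backup set and each run re-ingests the previous repository data. Adding `"/persist/home/${username}/Restic"` to `exclude` rules that out. If the path is actually a mount of the Synology share, `initialize = true` will create a fresh repository on the bare local directory whenever the share is not mounted, so the unit should depend on the mount; a comment such as `# /home/<user>/Restic is the Synology mount; the job must not run without it` would record the assumption. The enclosing attribute set starts outside this hunk, so any existing mount ordering may not be visible here.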