
Greenery

Configurations for my devices


My Configuration Repository

This repository holds the configurations for multiple devices:

  • Greenery: x86-based server with multiple services.
  • Verdure: Arm-based server with multiple services.
  • Kaolin: Swiss VPS acting as both an exit-node and a DNS Server.
  • Beryl: Personal Laptop for offsite provisioning.
  • Quartz: Gaming PC hosting Ollama.
  • Graphite: Fedora-WSL that I tinker with on occasion.

Status Updates

Moved the Fedora dots to this repo, as dotfiles are fairly transferable between distributions (with some edits).

Updated lots of actions and am reworking most of the repo while I have time.

TODO

  • [x] Automate Nix Flake Update to Continuous Integration with build checks.
  • [x] Deprecate Brave and fully use Ungoogled-Chromium with Profiles (not declaratively though).
  • [ ] Harden the services used on Greenery to reduce attack surface.
  • [ ] Migrate the nahida-xcursor dotfiles to a package that downloads from source, to comply with its license.

Greenery

Dell XPS 8940 with i7-11700.

Acts as a home exit-node.

Hosts Jellyfin, Immich, FileBrowser, Suwayomi, & Memos.

Reverse proxied using tailscale serve and tailscale service assignment.

Future Endeavors: Improve the functionality of Jellyfin.

Verdure

Raspberry Pi 4 Model B with 8GB of RAM.

Hosts Anki Sync, Davis, 2fauth, & Home Assistant.

Future Endeavors: Network UPS Tools?

Kaolin

VPS that acts as a Tailscale exit node and uses a WireGuard interface as a bridge between Tailscale and Cloudflare WARP. It also doubles as a DNS proxy, running dnscrypt-proxy and resolving via Quad9.

Infected Infomaniak's Debian with NixOS my beloved.

The system is nearly 100% declarative, with the only exception being the hardware config.

<details> <summary>Why and How?</summary> <br>

VPS IP ranges are blocked by most online services, whereas Cloudflare WARP egress IPs generally are not. WARP, however, always connects to the Cloudflare server closest to the host machine, so running it directly on your device gives you no control over geolocation.

Running WARP on the VPS instead gets you a Cloudflare server in the VPS's region, which effectively turns the VPS into a VPN with a WARP exit IP. However, running a second VPN such as Tailscale on the same host can conflict with WARP's own routing configuration.

To solve this, we set up an interface that passes traffic from Tailscale to Cloudflare uniformly. Both Tailscale and WARP speak WireGuard, so a plain wg-quick interface towards WARP can be combined with nftables marking and policy routing rules.

First, register an account and generate your own set of IPs and keys with wgcf:

$ wgcf register
$ wgcf generate

This writes a WireGuard profile (wgcf-profile.conf) containing the interface addresses, the private key and the peer details. Take note of them for the WireGuard interface configuration below.

To set up nftables and the WireGuard interface:

# configuration.nix

  # Enable nftables
  networking.nftables.enable = true;

  # Enable forwarding. rp_filter must be relaxed on wgcf: WARP replies arrive
  # there for sources that the main table would route via the uplink.
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;
    "net.ipv4.conf.wgcf.rp_filter" = 0;
  };

  # WireGuard interface towards Cloudflare WARP. table = "off" stops wg-quick
  # from installing a default route that would hijack Tailscale's own traffic;
  # routing is done selectively via fwmark and table 39 in postUp instead.
  networking.wg-quick.interfaces = {
    wgcf = {
      privateKeyFile = "/path/to/privatekeyfile";

      # Interface addresses from the [Interface] Address line of wgcf-profile.conf
      address = [
        [Insert IPv4 from wgcf]
        [Insert IPv6 from wgcf]
      ];

      table = "off";

      postUp = ''
        set -e

        WG_IFACE=wgcf
        ROUTE_TABLE=39

        echo "[+] Adding nftables rules..."
        # Mirrors Tailscale's own ts-input/ts-forward/ts-postrouting rules
        # (needed because --netfilter-mode=nodivert leaves them unhooked) and
        # marks everything arriving over tailscale0 so it is routed via table 39.
        nft -f - <<EOF
        table inet ts-warp {
          chain prerouting {
            type filter hook prerouting priority mangle; policy accept;
            iifname "tailscale0" counter meta mark set mark and 0xff00ffff or 0x00040000
          }
          chain input {
            type filter hook input priority filter; policy accept;
            iifname != "tailscale0" ip saddr 100.115.92.0/23 counter return
            iifname != "tailscale0" ip saddr 100.64.0.0/10 counter drop
            iifname "tailscale0" counter accept
          }
          chain forward {
            type filter hook forward priority filter; policy accept;
            oifname "tailscale0" ip saddr 100.64.0.0/10 counter drop
          }
          chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            meta mark & 0x00ff0000 == 0x00040000 counter masquerade
          }
        }
        EOF

        echo "[+] Adding routing rule for marked packets..."
        ip route add default dev "$WG_IFACE" table $ROUTE_TABLE || true
        ip -6 route add default dev "$WG_IFACE" table $ROUTE_TABLE || true
        ip rule add fwmark 0x40000/0xff0000 lookup $ROUTE_TABLE || true
        ip -6 rule add fwmark 0x40000/0xff0000 lookup $ROUTE_TABLE || true
      '';

      # Note: this removes the ts-warp table too, so the CGNAT anti-spoofing
      # rules above are absent while the wgcf interface is down.
      preDown = ''
        set -e

        WG_IFACE=wgcf
        ROUTE_TABLE=39

        echo "[-] Deleting nftables rules..."
        nft delete table inet ts-warp || true

        echo "[-] Removing routing rules..."
        ip rule del fwmark 0x40000/0xff0000 lookup $ROUTE_TABLE || true
        ip -6 rule del fwmark 0x40000/0xff0000 lookup $ROUTE_TABLE || true
        ip route flush table $ROUTE_TABLE || true
        ip -6 route flush table $ROUTE_TABLE || true
      '';

      peers = [
        {
          # Cloudflare's key from the [Peer] section of wgcf-profile.conf
          publicKey = [Insert peer PublicKey from wgcf];

          allowedIPs = [
            "0.0.0.0/0"
            "::/0"
          ];

          endpoint = "162.159.192.1:2408";
          persistentKeepalive = 25;
        }
      ];
    };
  };

  # Advertise this node as an exit node. nodivert keeps Tailscale from hooking
  # its own netfilter chains, so the ts-warp table above provides them instead.
  services.tailscale.extraSetFlags = [
    "--advertise-exit-node"
    "--advertise-routes=[Insert IPv4 from wgcf]"
    "--netfilter-mode=nodivert"
  ];

With this setup, Tailscale clients (for example your phone) can select this machine as their exit node and have their traffic leave through Cloudflare WARP. Note that with --netfilter-mode=nodivert Tailscale no longer hooks its own filter and NAT chains, so the ts-warp table is what provides the CGNAT anti-spoofing in the input and forward chains as well as the masquerade; the mark 0x40000/0xff0000 it uses is the same subnet-route mark Tailscale's own rules set. Since preDown deletes the table, those protections are absent while the wgcf interface is down.
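As an added illustration (not code from this repository), the following Python model walks constructed packets through the same decisions the ts-warp rules and the fwmark policy route make: the mark arithmetic in prerouting, the table selection, the CGNAT spoof filters in input and forward, and the masquerade. The host addresses, the toy main routing table (tailnet prefixes via tailscale0, everything else via eth0) and the sample packets are assumptions made up for the example; conntrack is ignored, so return traffic of masqueraded flows is out of scope.

```python
"""Offline model of the ts-warp nftables table plus the fwmark policy route.

Added example, not the repository's code. Walks constructed packets through
the same decisions the page's nft rules and `ip rule` entries make, so the
mark arithmetic and the CGNAT spoof filters can be checked without a live box.
Conntrack is ignored: replies of masqueraded flows are not modelled.
"""
import ipaddress
from dataclasses import dataclass

CGNAT = ipaddress.ip_network("100.64.0.0/10")          # Tailscale address range
CHROMEOS_VM = ipaddress.ip_network("100.115.92.0/23")  # exempted by the input chain
FWMARK_MASK = 0x00FF0000   # mask used by the rules (and by Tailscale itself)
WARP_MARK = 0x00040000     # set in prerouting for packets arriving on tailscale0
WARP_TABLE = 39            # "ip rule add fwmark 0x40000/0xff0000 lookup 39"

# Constructed host addresses (assumption): traffic to these takes the input path.
HOST_ADDRS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "100.101.0.1")}


@dataclass
class Packet:
    iif: str
    saddr: str
    daddr: str
    mark: int = 0


def prerouting_mark(pkt: Packet) -> int:
    """chain prerouting: iifname "tailscale0" meta mark set mark and 0xff00ffff or 0x00040000"""
    if pkt.iif == "tailscale0":
        return (pkt.mark & 0xFF00FFFF) | WARP_MARK
    return pkt.mark


def lookup_table(mark: int) -> str:
    """Policy routing: WARP-marked packets use table 39 (default via wgcf), the rest main."""
    return str(WARP_TABLE) if (mark & FWMARK_MASK) == WARP_MARK else "main"


def main_table_oif(daddr) -> str:
    """Toy main table (assumption): tailnet prefixes via tailscale0, else the uplink."""
    return "tailscale0" if daddr.version == 4 and daddr in CGNAT else "eth0"


def input_verdict(pkt: Packet, saddr) -> str:
    """chain input: refuse CGNAT sources that did not arrive over tailscale0."""
    if pkt.iif != "tailscale0" and saddr.version == 4:   # 'ip saddr' rules are IPv4-only
        if saddr in CHROMEOS_VM:
            return "accept"   # 'return' falls through to the chain policy (accept)
        if saddr in CGNAT:
            return "drop"
    return "accept"


def forward_verdict(oif: str, saddr) -> str:
    """chain forward: never forward a CGNAT source into the tailnet from elsewhere."""
    if oif == "tailscale0" and saddr.version == 4 and saddr in CGNAT:
        return "drop"
    return "accept"


def simulate(pkt: Packet) -> dict:
    """Return the fate of one packet: path, verdict, mark, routing table, oif, masquerade."""
    saddr = ipaddress.ip_address(pkt.saddr)
    daddr = ipaddress.ip_address(pkt.daddr)
    mark = prerouting_mark(pkt)
    if daddr in HOST_ADDRS:
        return {"path": "input", "verdict": input_verdict(pkt, saddr),
                "mark": mark, "table": None, "oif": None, "masquerade": False}
    table = lookup_table(mark)
    oif = "wgcf" if table == str(WARP_TABLE) else main_table_oif(daddr)
    verdict = forward_verdict(oif, saddr)
    # chain postrouting: masquerade only packets carrying the WARP mark
    masq = verdict == "accept" and (mark & FWMARK_MASK) == WARP_MARK
    return {"path": "forward", "verdict": verdict, "mark": mark,
            "table": table, "oif": oif, "masquerade": masq}


# Constructed sample packets (assumption): tailnet peers, spoofers, plain uplink traffic.
SAMPLES = {
    "phone_via_tailnet": Packet("tailscale0", "100.101.1.5", "1.1.1.1"),
    "phone_v6":          Packet("tailscale0", "fd7a:115c:a1e0::1", "2606:4700:4700::1111"),
    "tailnet_to_host":   Packet("tailscale0", "100.101.1.5", "100.101.0.1"),
    "spoofed_cgnat_in":  Packet("eth0", "100.101.1.5", "203.0.113.10"),
    "chromeos_exempt":   Packet("eth0", "100.115.92.9", "203.0.113.10"),
    "spoofed_cgnat_fwd": Packet("eth0", "100.64.5.5", "100.101.1.5"),
    "plain_uplink_in":   Packet("eth0", "198.51.100.7", "203.0.113.10"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} {simulate(pkt)}")
```

Running it shows the intended split: anything entering on tailscale0 and leaving the host is marked, routed via table 39 out of wgcf and masqueraded, while 100.64.0.0/10 sources arriving on any other interface are dropped both for local delivery and for forwarding into the tailnet, with only the 100.115.92.0/23 exemption passing. The mark tests also show why the `and 0xff00ffff` matters: an existing value in the masked byte is replaced rather than merged, so a stale mark cannot leak a packet past the table-39 match.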

</details>

Beryl

ASUSTek Zenbook S13 OLED formerly used for college, now is my plaything for managing nix configs whenever I'm not at home.

Problems:

  • AMDGPU crash prevalent mainly in hardware-accelerated scenarios. Was also observed when Windows was installed. Since the issue is relatively rare (once every month or two), I'm not in a hurry to fix it.

Future Endeavors: Fix the random page-fault AMDGPU crashes from YouTube/demanding HWAccel tasks.

<details> <summary>Enabling USB4 on Zenbook S13 OLED (UM5302TA)</summary> <br>

This is not recommended for most users as it involves "hacking" the BIOS. DO IT AT YOUR OWN RISK.

The UM5302TA is one of the few laptops capable of USB4, but the capability was disabled by the manufacturer due to potential instability with specific devices. Despite knowing the risk, I've decided to enable USB4 using UniversalAMDFormBrowser by following this reddit post. Note that there are three options when enabling USB4.

To activate USB4 on NixOS, set services.hardware.bolt.enable to true. Test your USB4 ports using boltctl; if there's instability, disable the bolt service again.

</details>

Quartz

Custom-built PC intended for both workstation use and gaming.

Runs Ollama with Open WebUI for locally hosted AI (used primarily for resume/cover letter generation, Excel scripts, OCR, and language translation).

<details> <summary>Quartz PC Specifications</summary> <br> </details>

Graphite

Windows Worktop with Fedora-WSL.

Configuration located under dots.

Not much to say; only the LazyVim and fish configs are actually used.

fedora-install.txt can be used to install all the required programs with:

sudo dnf install $(cat fedora-install.txt)

Credits

Rexcrazy804 for carrying me to the state I am in. He also gets a lot of credit for all the code I've stolen with permission.

Eel for his frontend expertise and generally helping me mald through life and code.

The NixOS project for crafting a declarative environment that makes automation and deployment easy.

Despite having abandoned quickshell development, I have to thank these quickshillers for helping me understand what is going on: Outfoxxed, Soramane, Ly-sec, end_4 (Hi for swapped.txt), Rexcrazy804 (Hai~), bbedward

Several other gists, discussions & forums that solve problems for anything really.

I also want to thank the folks of UAFB who made USB4 possible.

Licensing

All code in this repository is under the MIT license unless an explicit license is included alongside it.
