steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'staging' into 'master'

Browse source 
Merge staging to master

See merge request steveeJ/infra!6
This commit is contained in:
steveej 2018-11-10 11:10:55 +00:00
commit 097d8dfd35
46 changed files with 628 additions and 623 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.envrc Normal file
View file

@ -0,0 +1 @@
use nix

1
.gitignore vendored
View file

@ -1,2 +1,3 @@
*.swp
*.qcow2
.*.log

116
Justfile
View file

@ -1,16 +1,110 @@
devices action dir +moreargs="":
_usage:
just -l
_device action dir +moreargs="":
#!/usr/bin/env bash
set -x
sudo $(nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A {{action}} --argstr dir {{dir}} {{moreargs}} )
set -ex
sudo $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A {{action}} --argstr dir {{dir}} {{moreargs}})
diskMount dir:
just -v devices diskMount {{dir}}
_rebuild-device dir rebuildarg="dry-activate" +moreargs="":
#!/usr/bin/env bash
nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix
just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}}
diskUmount dir:
just -v devices diskUmount {{dir}}
# Rebulid this device's NixOS
rebuild-this-device rebuildarg="dry-activate":
#!/usr/bin/env bash
set -e
diskInstall dir:
just -v devices diskInstall {{dir}}
function parse_hm_rebuildarg() {
case $1 in
switch)
echo switch
;;
*)
echo build
;;
esac
}
device-rebuild dir rebuildarg="build":
just -v devices rebuild {{dir}} --argstr rebuildarg {{rebuildarg}}
export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
export HOMEREBUILD_LOG=.$(hostname -s)_homerebuild.log
echo Rebuilding system in {{rebuildarg}}-mode...
if just -v _rebuild-device nix/os/devices/$(hostname -s) {{rebuildarg}} > ${SYSREBUILD_LOG} 2>&1 ; then
echo System rebuild successful
else
cat ${SYSREBUILD_LOG}
echo System rebuild failed
fi
if type home-manager > /dev/null 2>&1; then
echo Rebuilding home in $(parse_hm_rebuildarg {{rebuildarg}})-mode...
if home-manager -v $(parse_hm_rebuildarg {{rebuildarg}}) > ${HOMEREBUILD_LOG} 2>&1 ; then
echo Home rebuild successful
else
cat ${HOMEREBUILD_LOG}
echo Home rebuild failed
fi
fi
# This could be used to inject another channel
# --argstr moreargs "\'-I nixos-unstable=https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz\'"
# Update nix-channels and switch to updated NixOS and home environments
update-this-device:
#!/usr/bin/env bash
set -e
export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log
echo Updating system channels...
sudo nix-channel --update
just -v rebuild-this-device switch
hm-iterate-qtile:
#!/usr/bin/env bash
set -xe
home-manager switch || just -v rebuild-this-device switch
Xephyr -ac -br -resizeable :1 &
XEPHYR_PID=$!
echo ${XEPHYR_PID}
DISPLAY=:1 $(grep qtile ~/.xsession) &
wait $!
kill ${XEPHYR_PID}
# Sorry, this is a manual step for now. Please see nix/os/modules/encryptedDisk.nix for the layout
disk-prepare:
echo NOT IMPLEMENTED
# GPT partition table
# part1: size: 1MiB type: 4 BIOS BOOT
# part2: size: 512MiB label: 2-DISKID (36 char limit?)
# part3: size: * label: 3-DISKID (36 char limit?)
# cryptsetup format part3
# vgcreate DISKID part3
# lvcreate DISKID -L 8G -n swap
# lvcreate DISKID -l 100%FREE -n root
# sudo mkfs.vfat -F32 part2
# sudo mkfs.btrfs /dev/DISKID/root
# sudo mkswap /dev/DISKID/swap
# sudo mount /dev/DISKID/root /mnt
# sudo btrfs subvolume create nixos
# sudo btrfs subvolume create home
# sudo mount /dev/disk/by-partlabel/3-DISKID /mnt/DISKID-root
# pushd /dev/disk/by-partlabel/3-DISKID /mnt/DISKID-root
# sudo btrfs subvolume create nixos
# sudo mkdir nixos/{boot,home}
# sudo btrfs subvolume create home
#
# Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6'
disk-mount dir:
just -v _device diskMount {{dir}} --argstr rebuildarg "dummy"
# Unmount target disk, specified by device configuration directory
disk-umount dir:
just -v _device diskUmount {{dir}} --argstr rebuildarg "dummy"
# Perform an offline installation on the mounted the target disk, specified by device configuration directory
disk-install dir:
just -v _device diskInstall {{dir}} --argstr rebuildarg "dummy"

23
README.md
View file

@ -5,12 +5,13 @@ This is mostly achieved with the help of [Nix](https://nixos.org).
In the unlikely case that you actually read this and have any questions please don't hesitate to reach out.
## Roadmap
- All graphical systems (incl. install media) must have
- [x] Full-disk encryption by default
- [x] Yubikey support with SSH auth
- [ ] Migrate all devices to new structure
- [x] Encrypted Install media
- [ ] steveej-laptop
- [x] steveej-laptop
- [ ] steveej-laptop-work
- [ ] Migrate home environment to new structure
- [x] home-manager
@ -25,21 +26,33 @@ In the unlikely case that you actually read this and have any questions please d
- [x] mount/umount disks
- [x] install to mounted disk
- [x] rebuild running system
- [ ] update running system
- [x] update running system
- [x] annotate recipes with some documentation
- [x] declare shell.nix with runtime deps
- [ ] partition/encrypt/format disks
- [ ] annotate recipes with some documentation
- [ ] declare shell.nix with runtime deps
- [ ] Document bootstrap process
- [ ] a new machine
- [ ] an install media
- [ ] Design disaster recovery
- [ ] Automatic backups
- [ ] tracked dotfiles
- [ ] detect new and untracked dotfiles?
- [ ] Design disaster recovery
- [ ] Recycle *\_archived*
- [ ] Maybe make this a nix-overlay
## Bugs
- [ ] home-manager leaves ~/.gnupg at 0755
## Usage
*(These are reminders for my future self)*
```
just --list
```
## Bootstrap
### A new machine
1. boot with an install media
2. clone infra repository

394
nix/home-manager/configuration/fullblown-workstation.nix
View file

@ -1,394 +0,0 @@
{ pkgs
, config,
... }:
let
# gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {};
unstablepkgs = import <nixos-unstable> {};
in {
imports = [
../profiles/common.nix
../profiles/qtile-desktop.nix
../programs/emacs.nix
../programs/firefox.nix
../programs/chromium.nix
../programs/homeshick.nix
../programs/libreoffice.nix
../programs/neovim.nix
../programs/pass.nix
../programs/zsh.nix
];
nixpkgs.config = {
pidgin = {
openssl = true;
gnutls = true;
};
packageOverrides = pkgs: with pkgs; {
busyboxStatic = busybox.override {
enableStatic = true;
extraConfig = ''
CONFIG_STATIC y
CONFIG_INSTALL_APPLET_DONT y
CONFIG_INSTALL_APPLET_SYMLINKS n
'';
};
dropbearStatic = dropbear.override {
enableStatic = true;
};
myPython36 = python36Full.withPackages (ps: with ps; [
pylint pep8 yapf flake8
# autopep8 (broken)
# pylint (broken)
ipython
llfuse
dugong
defusedxml
wheel
pip
virtualenv
pypi2nix
cffi
pyopenssl
urllib3
mistune
flask
pyaml
] ++ [
pkgs.libffi
]);
staruml = callPackage ../../pkgs/staruml.nix { inherit (gnome2) GConf; libgcrypt = libgcrypt_1_5; };
};
};
home.sessionVariables = {
GOPATH="$HOME/src/go";
PATH=pkgs.lib.concatStringsSep ":" [
"$HOME/.local/bin"
"$HOME/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/bin"
"$HOME/.cargo/bin"
"$HOME/.gem/ruby/2.3.0/bin"
"$HOME/.npm-packages/bin"
"$GOPATH/bin"
"$PATH"
];
};
home.packages = []
++ (with pkgs; [
# Authentication
cacert
fprintd
openssl
mkpasswd
# Nix package related tools
patchelf
nix-index
nox
nix-prefetch-scripts
# Version Control Systems
git-crypt
unstablepkgs.pijul
gitFull
gitless
mr
gitRepo
# Cloud/Remote System Management
google-cloud-sdk
ansible
nixops
unstablepkgs.terraform
awscli
hcloud
# Process/System Administration
htop
gnome3.gnome-tweak-tool
xorg.xhost
dmidecode
python36Packages.glances
evtest
# Archive Managers
sshfsFuse
xarchive
p7zip
zip
unzip
gzip
lzop
# Password Management
gnupg
yubikey-neo-manager
yubikey-personalization
yubikey-personalization-gui
gnome3.gnome_keyring
gnome3.seahorse
# Security
tpm-tools
tpmmanager
# Web Browsers
links2
# Language Support
hunspellDicts.en-us
hunspellDicts.de-de
# Messaging/Communication
pidgin
hexchat
aspellDicts.en
aspellDicts.de
unstablepkgs.skype
zoom-us
unstablepkgs.bluejeans-gui
thunderbird
gnome3.evolution # gnome4.glib_networking
tdesktop
gnome3.cheese
# Virtualization
virtmanager
qemu
# virtualbox
vagrant
unstablepkgs.rkt
python27Packages.docker_compose
# unstablepkgs.kubernetes
unstablepkgs.minikube
unstablepkgs.openshift
# (unstablepkgs.minikube.overrideAttrs (oldAttrs: {
# patches = oldAttrs.patches ++ [
# (builtins.fetchurl { url ="https://patch-diff.githubusercontent.com/raw/kubernetes/minikube/pull/2517.diff"; })
# ];
# }))
# Remote Control Tools
remmina
freerdp
x2goclient
teamviewer
# Audio/Video Players
ffmpeg
vlc
audacity
spotify
smtube
python27Packages.youtube-dl-light
screenkey
quvi
# Network Tools
openvpn
tcpdump
iftop
iperf
bind
socat
# samba
iptables
nftables
wireshark
# Code Editors
xclip
xsel
unstablepkgs.vscode
# (vscode-with-extensions.override {
# # When the extension is already available in the default extensions set.
# vscodeExtensions = with vscode-extensions; [
# ]
# # Concise version from the vscode market place when not available in the default set.
# ++ vscode-utils.extensionsFromVscodeMarketplace [
# {
# name = "vsliveshare";
# publisher = "MS-vsliveshare";
# version = "0.3.198";
# sha256 = "019ffyxca3qnqyz1fr7vh0plfdkc3ikr8v295z846lghvwlzjqdh";
# }
# ];
# })
unstablepkgs.atom
# Image/Graphic/Design Tools
gnome3.eog
gimp
imagemagick
exiv2
graphviz
inkscape
## barcode
qrencode
zbar
feh
# digikam
# Modelling Tools
plantuml
umlet
staruml
eclipses.eclipse-modeling
dia
astah-community
# Misc Development Tools
qrcode
travis
jq
prometheus
cdrtools
# Document Processing and Management
unstablepkgs.zathura
mendeley
jabref
zotero
hugo
pandoc
# LaTeX
perlPackages.YAMLTiny
perlPackages.FileHomeDir
perlPackages.UnicodeLineBreak
(texlive.combine {
inherit (texlive)
scheme-small
texlive-de
texlive-en
texlive-scripts
collection-langgerman
latexindent
latexmk
algorithms
cm-super
preprint
enumitem
draftwatermark
everypage
ulem
placeins
minted ifplatform fvextra xstring framed
;
})
pdftk
masterpdfeditor
# File Synchronzation
seafile-client
syncthing
grive2
dropbox
# gocryptfs
# hubicfuse
# s3ql
# rclone
rsync
# Filesystem Tools
ntfs3g
ddrescue
ncdu
unstablepkgs.woeusb
unetbootin
pcmanfm
hdparm
testdisk
python27Packages.binwalk
gptfdisk
# games
zeroad
# Compilers & Toolchains
autoconf
automake
libtool
gcc
pkgconfig
binutils
valgrind
gdb
cgdb
man-pages
gnumake
shellcheck
bazel
## Android
androidsdk
## Java
jre
openjdk
## Ruby
ruby
## Python
myPython36
pypi2nix
## Webdev
nodejs-8_x
npm2nix
emscripten
etcd
sigal
# Code generators
unstablepkgs.swagger-codegen
# Misc Desktop Tools
ltunify
solaar
dex
roxterm
# kitty
busyboxStatic
xorg.xbacklight
coreutils
lsof
pavucontrol
x11_ssh_askpass
xdotool
xdg_utils
xdg-user-dirs
gnome3.dconf
picocom
glib.dev # contains gdbus tool
# Screen recording
gtk-recordmydesktop # can't select the window
qt-recordmydesktop
vokoscreen
shutter
# kazam # doesn't start
# xvidcap # doesn't keep the recording rectangle
obs-studio
shotcut
openshot-qt
]);
}

18
nix/home-manager/configuration/steveej-qtile-desktop.nix → nix/home-manager/configuration/graphical-fullblown.nix
View file

@ -1,15 +1,16 @@
{ pkgs
, config,
... }:
, config
, ... }:
let
# gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {};
unstablepkgs = import <nixos-unstable> {};
unstablepkgs = import <nixos-unstable> { config = config.nixpkgs.config; };
in {
imports = [
../profiles/common.nix
../profiles/qtile-desktop.nix
../profiles/dotfiles.nix
../programs/emacs.nix
../programs/firefox.nix
../programs/chromium.nix
@ -56,6 +57,10 @@ in {
};
home.sessionVariables = {
# TODO: find a way to prevent using a store path for the current file
# HM_CONFIG_PATH=builtins.toString "${./.}";
HM_CONFIG="graphical-fullblown";
GOPATH="$HOME/src/go";
PATH=pkgs.lib.concatStringsSep ":" [
@ -84,12 +89,8 @@ in {
nix-prefetch-scripts
# Version Control Systems
git-crypt
unstablepkgs.pijul
gitFull
gitless
mr
gitRepo
# Cloud/Remote System Management
@ -245,7 +246,7 @@ in {
cdrtools
# Document Processing and Management
unstablepkgs.zathura
zathura
mendeley
jabref
zotero
@ -358,7 +359,6 @@ in {
xorg.xbacklight
coreutils
lsof
pavucontrol
x11_ssh_askpass
xdotool
xdg_utils

24
nix/home-manager/configuration/removable-desktop.nix → nix/home-manager/configuration/graphical-removable.nix
View file

@ -3,13 +3,12 @@
... }:
let
# gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {};
unstablepkgs = import <nixos-unstable> {};
unstablepkgs = import <nixos-unstable> { config = config.nixpkgs.config; };
in {
imports = [
../profiles/common.nix
../profiles/qtile-desktop.nix
../profiles/dotfiles.nix
../programs/emacs.nix
../programs/firefox.nix
../programs/chromium.nix
@ -53,30 +52,22 @@ in {
};
};
# gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {};
# unstablepkgs = import <nixos-unstable> { config = { allowUnfree = true; }; };
home.sessionVariables = {
};
home.packages = []
++ (with pkgs; [
# Authentication
cacert
fprintd
openssl
mkpasswd
home.packages =
[] ++ (with pkgs; [
# Nix package related tools
patchelf
nix-index
nox
nix-prefetch-scripts
# Version Control Systems
git-crypt
unstablepkgs.pijul
gitFull
gitless
mr
gitRepo
# Process/System Administration
htop
@ -96,7 +87,6 @@ in {
lzop
# Password Management
gnupg
gnome3.gnome_keyring
gnome3.seahorse

26
nix/home-manager/configuration/text-minimal.txt Normal file
View file

@ -0,0 +1,26 @@
{ pkgs
, config,
... }:
let
in {
imports = [
../profiles/common.nix
../profiles/nix-channels.nix
../programs/neovim.nix
../programs/zsh.nix
];
nixpkgs.config = {
packageOverrides = pkgs: with pkgs; {
};
};
home.sessionVariables = {
};
home.packages = []
++ (with pkgs; [
]);
}

18
nix/home-manager/profiles/common.nix
View file

@ -25,6 +25,8 @@ in {
dropbearStatic = dropbear.override {
enableStatic = true;
};
just = pkgs.callPackage ../../pkgs/just.nix {};
};
};
@ -43,10 +45,22 @@ in {
NIXPKGS_ALLOW_UNFREE = "1";
# Don't create .pyc files.
PYTHONDONTWRITEBYTECODE = "1";
HOMESHICK_DIR="${pkgs.homeshick}";
};
programs.command-not-found.enable = true;
programs.fzf.enable = true;
home.packages =
[] ++ (with pkgs; [
# git helpers
git-crypt
vcsh
# Authentication
cacert
openssl
mkpasswd
just
]);
}

13
nix/home-manager/profiles/dotfiles.nix Normal file
View file

@ -0,0 +1,13 @@
{ pkgs
, config
, ...
}:
let
vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {};
in {
home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
$DRY_RUN_CMD ${vcshActivationScript}
'';
}

1
nix/home-manager/profiles/dotfiles/.gitignore vendored Normal file
View file

@ -0,0 +1 @@
vcsh.nix

38
nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix Normal file
View file

@ -0,0 +1,38 @@
{ pkgs
, repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git"
, repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git"
, ...
}:
let
repoHttps = "https://gitlab.com/steveeJ/dotfiles.git";
repoSsh = "git@gitlab.com:/steveeJ/dotfiles.git";
repoBareLocal = pkgs.runCommand "fetchbare" {
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000";
} ''
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
'';
in pkgs.writeScript "activation-script" ''
export HOST=$(hostname -s)
function set_remotes {
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
}
if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
echo Cloning dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal}
set_remotes ${repoHttps} ${repoSsh}
else
set_remotes ${repoBareLocal} ${repoSsh}
echo Updating dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh pull $HOST || true
set_remotes ${repoHttps} ${repoSsh}
fi
''

24
nix/home-manager/profiles/nix-channels.nix Normal file
View file

@ -0,0 +1,24 @@
{ pkgs
, config
, ...
}:
let
in {
home.file.".nix-channels".text = ''
https://nixos.org/channels/nixos-18.09 nixos
https://nixos.org/channels/nixos-unstable nixos-unstable
'';
home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
set -ex
if test -f $HOME/.nix-channels; then
echo Moving existing file away...
touch $HOME/.nix-channels.dummy
mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
rm $HOME/.nix-channels
fi
''};
'';
}

125
nix/home-manager/profiles/qtile-desktop.nix
View file

@ -7,7 +7,34 @@ let
mkSimpleTrayService
;
qtileConfig = pkgs.writeScript "config.py" ''
audio = pkgs.writeScript "audio" ''
#!${pkgs.bash}/bin/bash
export PATH=${with pkgs; lib.makeBinPath [
pulseaudio findutils gnugrep
]}:$PATH
export MUTEFILE=''${TEMPDIR:-/tmp}./.qtilemute
case $1 in
mute)
newstate=$(( $(cat $MUTEFILE || echo 0 ) ^ 1 ))
echo -n $newstate > $MUTEFILE
pactl list short sinks | awk '{ print $1 }' | xargs -L1 -I {} pactl set-sink-mute {} $newstate
;;
lower)
pactl list short sinks | awk '{ print $1 }' | xargs -L1 -I {} pactl set-sink-volume {} -10%
;;
raise)
pactl list short sinks | awk '{ print $1 }' | xargs -L1 -I {} pactl set-sink-volume {} +10%
;;
*)
echo Unknown command: $1
exit 1
;;
esac
'';
qtileConfig = pkgs.writeScript "qtile_config.py" ''
from libqtile.config import Key, Screen, Group, Drag, Click
from libqtile.command import lazy
from libqtile import layout, bar, widget
@ -18,51 +45,51 @@ logger = logging.getLogger()
logger.setLevel(logging.WARN)
handler = logging.handlers.RotatingFileHandler(
os.path.join(os.getenv('HOME'), '.qtilelog'), maxBytes=10240000,
os.path.join(os.getenv('TEMPDIR', default="/tmp"), '.qtilelog'), maxBytes=10240000,
backupCount=7
)
handler.setLevel(logging.WARN)
logger.addHandler(handler)
@hook.subscribe.screen_change
def restart_on_randr(qtile, ev):
import time
with open(os.path.join(os.environ['HOME'], ".qtilelastrestart"), "w"):
pass
lastRestart = 0
with open(os.path.join(os.environ['HOME'], ".qtilelastrestart"), "r+") as lastRestartFile:
lastRestartStr = lastRestartFile.read()
if len(lastRestartStr) > 0:
lastRestart = float(lastRestartStr)
print("screen changed. (last change: %s)" % lastRestart)
delta=time.time()-lastRestart
if delta > 3:
import subprocess
lastRestartFile.seek(0)
lastRestartFile.write("%s" % time.time())
lastRestartFile.truncate()
subprocess.call(["autorandr","-c"])
qtile.cmd_restart()
else:
print("screen is changing too fast: %s" % delta)
active_screen = 0
@hook.subscribe.client_focus
def focus_changed(window):
global active_screen
pass
active_screen = window.group.screen.index
@hook.subscribe.current_screen_change
def move_widget():
global active_screen
systray = widget.Systray()
logging.warn("Screen changed to %i" % active_screen)
# @hook.subscribe.screen_change
# def restart_on_randr(qtile, ev):
# import time
#
# with open(os.path.join(os.environ['TEMPDIR', default="/tmp"], ".qtilelastrestart"), "w"):
# pass
#
# lastRestart = 0
# with open(os.path.join(os.environ['TEMPDIR', default="/tmp"], ".qtilelastrestart"), "r+") as lastRestartFile:
# lastRestartStr = lastRestartFile.read()
# if len(lastRestartStr) > 0:
# lastRestart = float(lastRestartStr)
#
# print("screen changed. (last change: %s)" % lastRestart)
#
# delta=time.time()-lastRestart
# if delta > 3:
# import subprocess
# lastRestartFile.seek(0)
# lastRestartFile.write("%s" % time.time())
# lastRestartFile.truncate()
#
# subprocess.call(["autorandr","-c"])
# qtile.cmd_restart()
# else:
# print("screen is changing too fast: %s" % delta)
#
# active_screen = 0
# @hook.subscribe.client_focus
# def focus_changed(window):
# global active_screen
# pass
# active_screen = window.group.screen.index
#
# @hook.subscribe.current_screen_change
# def move_widget():
# global active_screen
# systray = widget.Systray()
# logging.warn("Screen changed to %i" % active_screen)
key_super = "mod4"
key_alt = "mod1"
@ -76,14 +103,11 @@ keys = [
Key([key_super], "r", lazy.spawncmd()),
Key([key_super], "w", lazy.window.kill()),
# Key([key_alt, key_super], "l", lazy.spawn("xscreensaver-command -lock")),
# Key([key_alt, key_super], "l", lazy.spawn("sh -c '(sleep 1; xset dpms force off) & xautolock -locknow'")),
# Key([key_alt, key_super], "l", lazy.spawn("light-locker-command -l")),
# Key([key_alt, key_super], "l", lazy.spawn("dm-tool lock")),
Key([key_alt, key_super], "l", lazy.spawn('${pkgs.bash}/bin/sh -c "loginctl lock-session $XDG_SESSION_ID"')),
Key([key_alt, key_super], "s", lazy.spawn("${pkgs.systemd}/bin/systemctl suspend")),
Key([key_super, key_control], "r", lazy.restart()),
# Key([key_super, key_control], "r", lazy.restart()),
Key([key_super, key_control], "r", lazy.spawn("${pkgs.autorandr}/bin/autorandr -c"), lazy.restart()),
Key([key_super, key_control], "q", lazy.shutdown()),
# Toggle between different layouts as defined below
@ -137,11 +161,9 @@ keys = [
## Microsoft Comfort Curve specific
Key([key_super, "shift"], "XF86TouchpadToggle", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Previous")),
Key([key_alt, key_super], "XF86TouchpadToggle", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Next")),
# FIXME: Backlight currently broken
# Key([], "XF86MonBrightnessDown", lazy.spawn("xbacklight -inc -5")),
# Key([], "XF86MonBrightnessUp", lazy.spawn("xbacklight -inc 5")),
Key([], "XF86AudioMute", lazy.spawn("${audio} mute")),
Key([], "XF86AudioLowerVolume", lazy.spawn("${audio} lower")),
Key([], "XF86AudioRaiseVolume", lazy.spawn("${audio} raise")),
Key([], "Print", lazy.spawn("${pkgs.flameshot}/bin/flameshot gui")),
]
groups = [Group(i) for i in "1234567890"]
@ -274,5 +296,6 @@ in {
gnome3.adwaita-icon-theme
lxappearance
xorg.xcursorthemes
pavucontrol
];
}

19
nix/home-manager/programs/homeshick.nix
View file

@ -4,7 +4,14 @@
}:
let
bootstrapRepos = pkgs.writeScript "bootstrapRepos" ''
in {
home.sessionVariables = {
HOMESHICK_DIR="${pkgs.homeshick}";
};
home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
set -e
echo home-manager path is ${config.home.path}
echo home is $HOME
@ -15,15 +22,7 @@ let
# echo Updating homeshick
# ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
# mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
'';
in {
home.sessionVariables = {
HOMESHICK_DIR="${pkgs.homeshick}";
};
home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] ''
$DRY_RUN_CMD ${bootstrapRepos}
''};
'';
nixpkgs.config = {

1
nix/home-manager/programs/pass.nix
View file

@ -19,6 +19,7 @@
pass-otp
qtpass
rofi-pass
gnupg
];
}

7
nix/home-manager/programs/zsh.nix
View file

@ -23,8 +23,11 @@ in {
. $HOME/.shrc.d/sh_aliases
fi
source ${pkgs.homeshick}/homeshick.sh
fpath=(${pkgs.homeshick}/completions $fpath)
${if builtins.hasAttr "homeshick" pkgs then ''
source ${pkgs.homeshick}/homeshick.sh
fpath=(${pkgs.homeshick}/completions $fpath)
'' else ''
''}
# Disable intercepting of ctrl-s and ctrl-q as flow control.
stty stop ''' -ixoff -ixon

14
nix/os/devices/default.nix
View file

@ -1,23 +1,25 @@
{ pkgs ? import <nixpkgs> {}
, dir
, rebuildarg ? null
, rebuildarg
, moreargs ? ""
}:
let
diskId = (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.encryptedDisk.diskId;
GIT_ROOT=''''$(git rev-parse --show-toplevel)'';
in {
rebuild = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
pushd ${dir}
pushd ${GIT_ROOT}/${dir}
export NIXOS_CONFIG="$PWD"/configuration.nix
export INSTALL_ROOT="/mnt/$ID-root"
[[ -e "''${NIXOS_CONFIG}" ]]
nixos-rebuild -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg}
nixos-rebuild -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
if test -L result; then
rm result
fi
@ -29,12 +31,12 @@ in {
ID=${diskId}
echo Mounting $ID
set -xe
cryptsetup luksOpen /dev/disk/by-partlabel/$ID-part3 $ID-part3
cryptsetup luksOpen /dev/disk/by-id/$ID-part3 $ID-part3
vgchange -ay $ID
mkdir -p /mnt/$ID-root
mount /dev/$ID/root /mnt/$ID-root -o subvol=nixos
mount /dev/$ID/root /mnt/$ID-root/home -o subvol=home
mount /dev/disk/by-partlabel/$ID-part2 /mnt/$ID-root/boot
mount /dev/disk/by-id/$ID-part2 /mnt/$ID-root/boot
'';
diskUmount = pkgs.writeScript "script" ''
@ -52,7 +54,7 @@ in {
#!/usr/bin/env bash
set -xe
ID=${diskId}
pushd ${dir}
pushd ${GIT_ROOT}/${dir}
export NIXOS_CONFIG="$PWD"/configuration.nix
export INSTALL_ROOT="/mnt/$ID-root"

6
nix/os/devices/steveej-laptop/boot.nix
View file

@ -4,10 +4,4 @@
# workaround to disable CPU wining
# current CPU has 9 idle cstates.
boot.kernelParams = [ "intel_idle.max_cstate=9" ];
# Workaround for nm-pptp to enforce module load
boot.kernelModules = [
"nf_conntrack_proto_gre"
"nf_conntrack_pptp"
];
}

17
nix/os/devices/steveej-laptop/hw.nix
View file

@ -4,25 +4,20 @@
{ config, lib, pkgs, ... }:
{
nix.maxJobs = 3;
nix.buildCores = 3;
boot.initrd.availableKernelModules = [
"aesni_intel"
"kvm-intel"
"aes_x86_64"
];
hardware.enableAllFirmware = true;
hardware.trackpoint.emulateWheel = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModprobeConfig = ''
options kvm-intel nested=1
options kvm-intel enable_shadow_vmcs=1
options kvm-intel enable_apicv=1
options kvm-intel ept=1
'';
boot.extraModulePackages = [ ];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# TODO: migrate this to the encryptedDisk module
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/445D-DBAA";
fsType = "vfat";

5
nix/os/devices/steveej-laptop/pkg.nix
View file

@ -3,11 +3,8 @@
... }:
let
gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {};
unstablepkgs = import <nixos-unstable> {};
in
{
in {
nixpkgs.config = {
allowBroken = false;
allowUnfree = true;

15
nix/os/devices/steveej-laptop/system.nix
View file

@ -5,9 +5,9 @@
}:
let
unstablepkgs = import <nixos-unstable> {};
unstablepkgs = import <nixos-unstable> { config = config.nixpkgs; };
in rec {
in {
# The NixOS release to be compatible with for stateful data such as databases.
# system.stateVersion = "unstable";
@ -19,6 +19,7 @@ in rec {
server=/tectonic-ci.de/192.168.124.1
server=/tectonic-ci.lan/192.168.124.1
'';
networking.firewall.enable = lib.mkForce false;
networking.firewall.checkReversePath = false;
networking.bridges."virbr1".interfaces = [];
@ -28,11 +29,11 @@ in rec {
services.printing = {
enable = true;
drivers = [
pkgs.hplip
unstablepkgs.cups-kyodialog3
unstablepkgs.mfcj6510dwlpr
unstablepkgs.mfcj6510dw-cupswrapper
drivers = with pkgs; [
hplip
cups-kyodialog3
mfcj6510dwlpr
mfcj6510dw-cupswrapper
];
};

5
nix/os/devices/steveej-live-mmc-SL32G_0x259093f6/hw.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
hardware.encryptedDisk.diskId = "mmc-SL32G_0x259093f6";
}

5
nix/os/devices/steveej-live-mmc-SL32G_0x259093f6/system.nix
View file

@ -1,5 +0,0 @@
{ ... }:
{
networking.hostName = "mmc-sandiskultra32gb"; # Define your hostname.
}

0
nix/os/devices/steveej-live-mmc-SL32G_0x259093f6/configuration.nix → nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix
View file

9
nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix Normal file
View file

@ -0,0 +1,9 @@
{ ... }:
{
# TASK: new device
hardware.encryptedDisk = {
enable = true;
diskId = "mmc-SL32G_0x259093f6";
};
}

5
nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix Normal file
View file

@ -0,0 +1,5 @@
{ ... }:
{
networking.hostName = "steveej-rmvbl-mmc-SL32G_0x259093f6"; # Define your hostname.
}

13
nix/os/devices/steveej-t480s-work/configuration.nix Normal file
View file

@ -0,0 +1,13 @@
{ ... }:
{
imports = [
../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix
../../modules/encryptedDisk.nix
./system.nix
./hw.nix
./pkg.nix
];
}

28
nix/os/devices/steveej-t480s-work/hw.nix Normal file
View file

@ -0,0 +1,28 @@
{ ... }:
let
stage1Modules = [
"aesni_intel"
"kvm-intel"
"aes_x86_64"
"nvme"
"nvme_core"
];
in
{
# TASK: new device
hardware.encryptedDisk = {
enable = true;
diskId = "nvme-SAMSUNG_MZVLW256HEHP-000L7_S35ENX0K827498";
};
# boot.initrd.availableKernelModules = stage1Modules;
boot.initrd.kernelModules = stage1Modules;
boot.extraModprobeConfig = ''
options kvm-intel nested=1
options kvm-intel enable_shadow_vmcs=1
options kvm-intel enable_apicv=1
options kvm-intel ept=1
'';
}

7
nix/os/devices/steveej-t480s-work/pkg.nix Normal file
View file

@ -0,0 +1,7 @@
{
...
}:
{
home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix;
}

50
nix/os/devices/steveej-t480s-work/system.nix Normal file
View file

@ -0,0 +1,50 @@
{ pkgs
, lib
, ... }:
{
# TASK: new device
networking.hostName = "steveej-t480s-work"; # Define your hostname.
# Used for testing local Tectonic clusters
environment.etc."NetworkManager/dnsmasq.d/tectonic.conf".text = ''
server=/tt.testing/192.168.124.1
server=/tectonic-ci.de/192.168.124.1
server=/tectonic-ci.lan/192.168.124.1
'';
networking.firewall.enable = lib.mkForce false;
networking.firewall.checkReversePath = false;
networking.bridges."virbr1".interfaces = [];
networking.interfaces."virbr1".ipv4.addresses = [
{ address = "10.254.254.254"; prefixLength = 24; }
];
services.printing = {
enable = true;
drivers = with pkgs; [
hplip
cups-kyodialog3
mfcj6510dwlpr
mfcj6510dw-cupswrapper
];
};
# TODO: get external fingerprint reader
# services.fprintd.enable = true;
# security.pam.services = {
# login.fprintAuth = true;
# sudo.fprintAuth = true;
# };
# Kubernetes
# services.kubernetes.roles = ["master" "node"];
# virtualization
virtualisation = {
libvirtd.enable = true;
virtualbox.host.enable = true;
virtualbox.host.addNetworkInterface = true;
docker.enable = true;
};
}

14
nix/os/modules/encryptedDisk.nix
View file

@ -6,13 +6,23 @@ with lib;
let
cfg = config.hardware.encryptedDisk;
volumeGroup = cfg.diskId;
# This is important at install-time
bootGrubDevice = lib.concatStrings [ "/dev/disk/by-id/" cfg.diskId ];
bootFsDevice = lib.concatStrings [ "/dev/disk/by-partlabel/" cfg.diskId "-part2" ];
bootLuksDevice = lib.concatStrings [ "/dev/disk/by-partlabel/" cfg.diskId "-part3" ];
# These are guaranteed by LVM
rootFsDevice = lib.concatStrings [ "/dev/" volumeGroup "/root" ];
swapFsDevice = lib.concatStrings [ "/dev/" volumeGroup "/swap" ];
# TODO: verify the GPT PARTLABEL cap at 36 chars
shortenPartlabel = name: (builtins.substring 0 36 name);
# Cannot use the disk ID here because might be different at install vs. runtime.
# Example: MMC card which is used in the internal reader vs. USB reader
bootFsDevice = lib.concatStrings [ "/dev/disk/by-partlabel/" (shortenPartlabel ("2-"+cfg.diskId))];
bootLuksDevice = lib.concatStrings [ "/dev/disk/by-partlabel/" (shortenPartlabel ("3-"+cfg.diskId))];
in {
options.hardware.encryptedDisk = {
enable = mkEnableOption "Enable encrypted filesystem layout";

7
nix/os/profiles/common/boot.nix
View file

@ -11,7 +11,14 @@
version = 2;
};
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.tmpOnTmpfs = true;
# Workaround for nm-pptp to enforce module load
boot.kernelModules = [
"nf_conntrack_proto_gre"
"nf_conntrack_pptp"
];
}

1
nix/os/profiles/common/configuration.nix
View file

@ -6,5 +6,6 @@
./pkg.nix
./user.nix
./system.nix
./hw.nix
];
}

14
nix/os/profiles/common/hw.nix Normal file
View file

@ -0,0 +1,14 @@
{ ... }:
{
hardware.trackpoint.emulateWheel = true;
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usb_storage"
"sd_mod"
"rtsx_pci_sdmmc"
"cryptd"
];
}

25
nix/os/profiles/common/pkg.nix
View file

@ -1,7 +1,27 @@
{ config, pkgs, ... }:
{
# Package configuration
imports = [
"${builtins.fetchGit { url = "https://github.com/rycee/home-manager.git"; ref = "master"; }}/nixos"
];
home-manager.users.root = import ../../../home-manager/configuration/text-minimal.txt;
nixpkgs.config = {
allowBroken = false;
allowUnfree = true;
packageOverrides = pkgs: with pkgs; {
busyboxStatic = busybox.override {
enableStatic = true;
extraConfig = ''
CONFIG_STATIC y
CONFIG_INSTALL_APPLET_DONT y
CONFIG_INSTALL_APPLET_SYMLINKS n
'';
};
};
};
environment.systemPackages = with pkgs; [
elfutils
exfat
@ -16,9 +36,10 @@
wget
curl
git
gitFull
pastebinit
gist
mr
usbutils
pciutils

1
nix/os/profiles/common/system.nix
View file

@ -48,6 +48,7 @@
# Activation scripts for impure set up of paths in /
system.activationScripts.bin = ''
echo "setting up /bin..."
mkdir -p /bin
ln -sfT ${pkgs.bash}/bin/bash /bin/.bash
mv -Tf /bin/.bash /bin/bash
'';

7
nix/os/profiles/graphical/boot.nix Normal file
View file

@ -0,0 +1,7 @@
{ lib
, ...
}:
{
}

2
nix/os/profiles/graphical/configuration.nix
View file

@ -4,6 +4,8 @@
{
imports = [
./boot.nix
./system.nix
./hw.nix
];
}

7
nix/os/profiles/graphical/hw.nix Normal file
View file

@ -0,0 +1,7 @@
{
...
}:
{
hardware.enableAllFirmware = true;
}

28
nix/os/profiles/removable-medium/boot.nix
View file

@ -5,33 +5,5 @@
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usb_storage"
"sd_mod"
"rtsx_pci_sdmmc"
"aes_x86_64"
"aesni_intel"
"cryptd"
];
boot.kernelModules = [
"kvm-intel"
# Workaround for nm-pptp to enforce module load
"nf_conntrack_proto_gre"
"nf_conntrack_pptp"
];
boot.extraModprobeConfig = ''
options kvm-intel nested=1
options kvm-intel enable_shadow_vmcs=1
options kvm-intel enable_apicv=1
options kvm-intel ept=1
'';
boot.extraModulePackages = [ ];
boot.loader.systemd-boot.enable = true;
}

1
nix/os/profiles/removable-medium/hw.nix
View file

@ -3,5 +3,4 @@
{
hardware.encryptedDisk.enable = true;
hardware.enableAllFirmware = true;
hardware.trackpoint.emulateWheel = true;
}

22
nix/os/profiles/removable-medium/pkg.nix
View file

@ -3,25 +3,5 @@
}:
{
imports = [
"${builtins.fetchGit { url = "https://github.com/rycee/home-manager.git"; ref = "master"; }}/nixos"
];
nixpkgs.config = {
allowBroken = false;
allowUnfree = true;
packageOverrides = pkgs: with pkgs; {
busyboxStatic = busybox.override {
enableStatic = true;
extraConfig = ''
CONFIG_STATIC y
CONFIG_INSTALL_APPLET_DONT y
CONFIG_INSTALL_APPLET_SYMLINKS n
'';
};
};
};
home-manager.users.steveej = import ../../../home-manager/configuration/removable-desktop.nix;
home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix;
}

24
nix/pkgs/just.nix Normal file
View file

@ -0,0 +1,24 @@
{ rustPlatform
, stdenv
}:
rustPlatform.buildRustPackage rec {
name = "just-${version}";
version = "849cdcb37fb42feb5e8724ec9fb3b34027e0da4f";
src = builtins.fetchGit {
url = "https://github.com/casey/just.git";
rev = version;
};
cargoSha256 = "0awfq9fhcin2q6mvv54xw6i6pxhdp9xa1cpx3jmpf3a6h8l6s9wp";
doCheck = false;
meta = with stdenv.lib; {
description = "Just a command runner ";
homepage = https://github.com/casey/just;
license = licenses.unlicense;
maintainers = [ ];
platforms = platforms.all;
};
}

5
nix/scripts/pre-eval-fixed.sh Executable file
View file

@ -0,0 +1,5 @@
#!/usr/bin/env bash
INFILE="${1:?Please set arg1 to INFILE}"
OUTFILE="${2:?Please set arg2 to OUTFILE}"
hash=$(nix-build ${INFILE} --arg pkgs 'import <nixpkgs> {}' --arg config 'null' 2>&1 | grep -oE '[0-9a-z]{52}' | head -n1)
sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE}

17
shell.nix Normal file
View file

@ -0,0 +1,17 @@
with import <nixpkgs> {};
let
in
stdenv.mkDerivation {
name = "infra-env";
buildInputs = [
(pkgs.callPackage ./nix/pkgs/just.nix {})
git-crypt
vcsh
gnupg
];
# Set Environment Variables
RUST_BACKTRACE = 1;
}