From 27c6c4f9fac615341df0d673c5f233c358bccdf3 Mon Sep 17 00:00:00 2001 
From: Stefan Junker Date: Fri, 15 Nov 2024 10:17:56 +0100 Subject: [PATCH] feat: introduce treefmt and fmt all --- .gitignore | 3 + .sops.yaml | 140 +- .vscode/settings.json | 36 +- README.md | 56 +- default.nix | 7 +- flake.lock | 208 ++- flake.nix | 471 ++++--- nix/container-images/build.sh | 4 +- nix/container-images/default.nix | 176 +-- nix/default.nix | 42 +- nix/devShells.nix | 22 +- .../configuration/graphical-fullblown.nix | 49 +- .../configuration/graphical-gnome3.nix | 17 +- .../configuration/graphical-removable.nix | 143 +- nix/home-manager/lib.nix | 29 +- nix/home-manager/profiles/common.nix | 79 +- nix/home-manager/profiles/dotfiles.nix | 43 +- .../profiles/dotfiles/vcsh.tmpl.nix | 62 +- .../profiles/experimental-desktop.nix | 14 +- nix/home-manager/profiles/gnome-desktop.nix | 115 +- nix/home-manager/profiles/nix-channels.nix | 38 +- nix/home-manager/profiles/qtile-desktop.nix | 21 +- nix/home-manager/profiles/sway-desktop.nix | 235 ++-- nix/home-manager/profiles/wayland-desktop.nix | 21 +- nix/home-manager/programs/chromium.nix | 38 +- nix/home-manager/programs/espanso.nix | 115 +- nix/home-manager/programs/firefox.nix | 7 +- nix/home-manager/programs/gpg-agent.nix | 10 +- nix/home-manager/programs/homeshick.nix | 35 +- nix/home-manager/programs/libreoffice.nix | 5 +- nix/home-manager/programs/neovim.nix | 12 +- nix/home-manager/programs/obs-studio.nix | 34 +- .../programs/openvscode-server.nix | 32 +- nix/home-manager/programs/pass.nix | 5 +- nix/home-manager/programs/radicale.nix | 80 +- nix/home-manager/programs/redshift.nix | 10 +- nix/home-manager/programs/salut.nix | 21 +- nix/home-manager/programs/vscode/default.nix | 49 +- .../programs/vscode/nix4vscode/default.nix | 72 +- nix/home-manager/programs/waybar.css | 7 +- nix/home-manager/programs/waybar.nix | 20 +- nix/home-manager/programs/zsh.nix | 125 +- nix/modules/flake-parts/colmena.nix | 5 +- nix/modules/flake-parts/perSystem/default.nix | 61 +- nix/os/cachix.nix | 14 +- 
nix/os/cachix/nixpkgs-wayland.nix | 4 +- nix/os/containers/backup.nix | 157 ++- nix/os/containers/mailserver.nix | 358 +++--- nix/os/containers/mailserver_secrets.yaml | 66 +- nix/os/containers/mycelium/flake.nix | 641 ++++----- nix/os/containers/syncthing.nix | 33 +- nix/os/containers/webserver.nix | 778 +++++------ nix/os/containers/webserver_secrets.yaml | 66 +- nix/os/devices/default.nix | 58 +- nix/os/devices/disk.nix | 53 +- nix/os/devices/elias-e525/boot.nix | 3 +- nix/os/devices/elias-e525/configuration.nix | 3 +- nix/os/devices/elias-e525/default.nix | 10 +- nix/os/devices/elias-e525/flake.nix | 2 +- nix/os/devices/elias-e525/hw.nix | 2 +- nix/os/devices/elias-e525/pkg.nix | 18 +- nix/os/devices/elias-e525/system.nix | 15 +- nix/os/devices/elias-e525/user.nix | 13 +- nix/os/devices/fwhost1/boot.nix | 3 +- nix/os/devices/fwhost1/configuration.nix | 3 +- nix/os/devices/fwhost1/hw.nix | 3 +- nix/os/devices/fwhost1/pkg.nix | 18 +- nix/os/devices/fwhost1/system.nix | 19 +- nix/os/devices/fwhost1/user.nix | 10 +- nix/os/devices/fwhost1/versions.nix | 7 +- nix/os/devices/fwhost1/versions.tmpl.nix | 7 +- nix/os/devices/fwhost2/boot.nix | 3 +- nix/os/devices/fwhost2/configuration.nix | 3 +- nix/os/devices/fwhost2/hw.nix | 3 +- nix/os/devices/fwhost2/pkg.nix | 18 +- nix/os/devices/fwhost2/system.nix | 20 +- nix/os/devices/fwhost2/user.nix | 10 +- nix/os/devices/fwhost2/versions.nix | 7 +- nix/os/devices/fwhost2/versions.tmpl.nix | 7 +- nix/os/devices/hstk0/README.md | 3 +- nix/os/devices/hstk0/configuration.nix | 99 +- nix/os/devices/hstk0/default.nix | 19 +- nix/os/devices/hstk0/flake.nix | 57 +- nix/os/devices/hydra.json | 34 +- nix/os/devices/justyna-p300/boot.nix | 3 +- nix/os/devices/justyna-p300/configuration.nix | 3 +- nix/os/devices/justyna-p300/default.nix | 10 +- nix/os/devices/justyna-p300/flake.nix | 4 +- nix/os/devices/justyna-p300/hw.nix | 16 +- nix/os/devices/justyna-p300/pkg.nix | 45 +- nix/os/devices/justyna-p300/system.nix | 19 +- 
nix/os/devices/justyna-p300/user.nix | 12 +- nix/os/devices/router0-dmz0/configuration.nix | 1145 ++++++++--------- nix/os/devices/router0-dmz0/default.nix | 21 +- nix/os/devices/router0-dmz0/flake.nix | 107 +- .../router0-hosthatch/configuration.nix | 35 +- nix/os/devices/router0-hosthatch/default.nix | 20 +- nix/os/devices/router0-hosthatch/flake.nix | 2 +- nix/os/devices/router0-ifog/configuration.nix | 35 +- nix/os/devices/router0-ifog/default.nix | 20 +- nix/os/devices/router0-ifog/flake.nix | 2 +- nix/os/devices/sj-srv1/boot.nix | 4 +- nix/os/devices/sj-srv1/configuration.nix | 8 +- nix/os/devices/sj-srv1/default.nix | 10 +- nix/os/devices/sj-srv1/flake.nix | 2 +- nix/os/devices/sj-srv1/hw.nix | 6 +- nix/os/devices/sj-srv1/system.nix | 116 +- nix/os/devices/sj-vps-htz0/boot.nix | 5 +- nix/os/devices/sj-vps-htz0/configuration.nix | 8 +- nix/os/devices/sj-vps-htz0/default.nix | 10 +- nix/os/devices/sj-vps-htz0/flake.nix | 2 +- nix/os/devices/sj-vps-htz0/hw.nix | 6 +- nix/os/devices/sj-vps-htz0/system.nix | 42 +- nix/os/devices/srv0-dmz0/README.md | 3 +- nix/os/devices/srv0-dmz0/configuration.nix | 26 +- nix/os/devices/srv0-dmz0/default.nix | 10 +- nix/os/devices/srv0-dmz0/flake.nix | 2 +- .../srv0.home-ch.stefanjunker.de/boot.nix | 4 +- .../configuration.nix | 5 +- .../srv0.home-ch.stefanjunker.de/hw.nix | 6 +- .../srv0.home-ch.stefanjunker.de/pkg.nix | 23 +- .../srv0.home-ch.stefanjunker.de/system.nix | 25 +- .../srv0.home-ch.stefanjunker.de/versions.nix | 3 +- .../versions.tmpl.nix | 3 +- .../steveej-nuc7pjyh-work/configuration.nix | 3 +- nix/os/devices/steveej-nuc7pjyh-work/hw.nix | 2 +- .../devices/steveej-nuc7pjyh-work/system.nix | 8 +- nix/os/devices/steveej-nuc7pjyh-work/user.nix | 15 +- nix/os/devices/steveej-pa600/boot.nix | 3 +- .../devices/steveej-pa600/configuration.nix | 3 +- nix/os/devices/steveej-pa600/hw.nix | 6 +- nix/os/devices/steveej-pa600/pkg.nix | 13 +- nix/os/devices/steveej-pa600/system.nix | 18 +- nix/os/devices/steveej-pa600/user.nix | 
13 +- nix/os/devices/steveej-pa600/versions.nix | 7 +- .../devices/steveej-pa600/versions.tmpl.nix | 7 +- .../configuration.nix | 3 +- .../steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix | 2 +- .../system.nix | 2 +- .../steveej-rmvbl-sdep0/configuration.nix | 13 +- nix/os/devices/steveej-rmvbl-sdep0/hw.nix | 2 +- nix/os/devices/steveej-rmvbl-sdep0/system.nix | 2 +- .../devices/steveej-rmvbl-sdep0/versions.nix | 22 +- .../steveej-rmvbl-sdep0/versions.tmpl.nix | 7 +- nix/os/devices/steveej-t14/boot.nix | 5 +- nix/os/devices/steveej-t14/configuration.nix | 5 +- nix/os/devices/steveej-t14/default.nix | 16 +- nix/os/devices/steveej-t14/flake.nix | 2 +- nix/os/devices/steveej-t14/hw.nix | 63 +- nix/os/devices/steveej-t14/pkg.nix | 54 +- nix/os/devices/steveej-t14/system.nix | 34 +- nix/os/devices/steveej-t14/user.nix | 15 +- .../steveej-utilitepro/configuration.nix | 41 +- .../hardware-configuration.nix | 16 +- .../steveej-x13s-rmvbl/configuration.nix | 26 +- nix/os/devices/steveej-x13s-rmvbl/default.nix | 22 +- nix/os/devices/steveej-x13s-rmvbl/disko.nix | 23 +- nix/os/devices/steveej-x13s-rmvbl/flake.nix | 115 +- nix/os/devices/steveej-x13s/configuration.nix | 80 +- nix/os/devices/steveej-x13s/default.nix | 22 +- nix/os/devices/steveej-x13s/disko.nix | 23 +- nix/os/devices/steveej-x13s/flake.nix | 241 ++-- .../vmd102066.contaboserver.net/boot.nix | 5 +- .../configuration.nix | 5 +- .../vmd102066.contaboserver.net/default.nix | 10 +- .../vmd102066.contaboserver.net/flake.nix | 2 +- .../vmd102066.contaboserver.net/hw.nix | 6 +- .../vmd102066.contaboserver.net/pkg.nix | 25 +- .../vmd102066.contaboserver.net/system.nix | 33 +- nix/os/lib/default.nix | 25 +- nix/os/modules/ddclient-hetzner.nix | 13 +- nix/os/modules/ddclient-ovh.nix | 9 +- nix/os/modules/initrd-network.nix | 12 +- nix/os/modules/natrouter.nix | 7 +- nix/os/modules/opinionatedDisk.nix | 39 +- nix/os/profiles/common/configuration.nix | 11 +- nix/os/profiles/common/hw.nix | 11 +- nix/os/profiles/common/system.nix | 
13 +- nix/os/profiles/common/user.nix | 90 +- nix/os/profiles/containers/configuration.nix | 13 +- nix/os/profiles/graphical-gnome-xorg.nix | 12 +- nix/os/profiles/graphical/boot.nix | 7 +- nix/os/profiles/graphical/configuration.nix | 9 +- nix/os/profiles/graphical/hw.nix | 4 +- nix/os/profiles/graphical/system.nix | 20 +- nix/os/profiles/install-medium/iso/iso.nix | 48 +- nix/os/profiles/removable-medium/boot.nix | 5 +- .../removable-medium/configuration.nix | 3 +- nix/os/profiles/removable-medium/hw.nix | 2 +- nix/os/profiles/removable-medium/pkg.nix | 3 +- nix/os/profiles/removable-medium/system.nix | 12 +- nix/os/snippets/bluetooth.nix | 7 +- nix/os/snippets/holo-zerotier.nix | 48 +- nix/os/snippets/home-manager-with-zsh.nix | 21 +- nix/os/snippets/k3s-w-nix-snapshotter.nix | 16 +- nix/os/snippets/mycelium.nix | 19 +- nix/os/snippets/nix-settings-holo-chain.nix | 2 +- nix/os/snippets/nix-settings.nix | 14 +- nix/os/snippets/obs-studio.nix | 16 +- nix/os/snippets/radicale.nix | 19 +- nix/os/snippets/sway-desktop.nix | 66 +- nix/os/snippets/systemd-resolved.nix | 7 +- nix/os/snippets/timezone.nix | 6 +- nix/pkgs/browserpass/default.nix | 44 +- nix/pkgs/dcpj4110dw/default.nix | 63 +- nix/pkgs/default.nix | 5 +- nix/pkgs/duplicacy/default.nix | 5 +- nix/pkgs/duplicacy/shell.nix | 24 +- nix/pkgs/jay.nix | 2 +- nix/pkgs/logseq/README.md | 27 +- nix/pkgs/logseq/default.nix | 156 +-- nix/pkgs/magmawm.nix | 7 +- nix/pkgs/mfcl3770cdw.nix | 48 +- nix/pkgs/nozbe/default.nix | 104 +- nix/pkgs/posh.nix | 166 +-- nix/pkgs/slirp4netns.nix | 10 +- nix/pkgs/staruml.nix | 92 +- nix/scripts/pre-eval-fixed.sh | 6 +- nix/tests/buildvmwithbootloader/build-vm.nix | 30 +- nix/tests/buildvmwithbootloader/build-vm.sh | 12 +- .../buildvmwithbootloader/configuration.nix | 22 +- nix/tests/buildvmwithbootloader/debug-vm.sh | 7 +- nix/tests/test-vm.nix | 8 +- nix/variables/passwords.crypt.nix | Bin 548 -> 614 bytes nix/variables/versions.nix | 19 +- nix/variables/versions.tmpl.nix | 7 +- 
scripts/sway-swapoutputworkspaces.sh | 52 +-
secrets/holochain-infra/nomad.yaml | 66 +-
secrets/hstk0/secrets.yaml | 66 +-
secrets/router0-dmz0/secrets.yaml | 66 +-
secrets/router0-hosthatch/secrets.yaml | 66 +-
secrets/router0-ifog/secrets.yaml | 66 +-
secrets/servers/dyndns.yaml | 66 +-
secrets/shared-users.yaml | 246 ++--
secrets/sj-srv1/secrets.yaml | 66 +-
secrets/sj-vps-htz0/secrets.yaml | 66 +-
secrets/steveej-x13s/secrets.yaml | 66 +-
237 files changed, 5440 insertions(+), 5214 deletions(-)
diff --git a/.gitignore b/.gitignore
index 92102e5..fbfe182 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,6 @@
 .env
 **/result
 .direnv/
+
+# nixago: ignore-linked-files
+/treefmt.toml
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
index b807986..10ba410 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -18,105 +18,105 @@ keys: - &router0-dmz0 age1vr69hfmjgkqu47g5hjacet6n2tq4rhwnvdrmfa6n6l7fkqvvafnsaccf8u - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 + - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 creation_rules: - path_regex: ^(.+/|)secrets/[^/]+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 - - *steveej-x13s - - *elias-e525 - - *justyna-p300 + - pgp: + - *steveej + age: + - *steveej-t14 + - *steveej-x13s + - *elias-e525 + - *justyna-p300 - - *srv0-dmz0 - - *router0-dmz0 + - *srv0-dmz0 + - *router0-dmz0 - - *sj-vps-htz0 - - *sj-srv1 - - *hstk0 - - *router0-ifog - - *router0-hosthatch + - *sj-vps-htz0 + - *sj-srv1 + - *hstk0 + - *router0-ifog + - *router0-hosthatch - path_regex: ^secrets/steveej-t14/.+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 + - pgp: + - *steveej + age: + - *steveej-t14 - path_regex: ^secrets/desktop/.+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 - - *steveej-x13s + - pgp: + - *steveej + age: + - *steveej-t14 + - *steveej-x13s - path_regex: ^secrets/servers/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 - - *sj-srv1 + - pgp: + - *steveej + age: + - *sj-vps-htz0 + - *sj-srv1 - path_regex: ^nix/os/containers/.+_secrets.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 - - *sj-srv1 + - pgp: + - *steveej + age: + - *sj-vps-htz0 + - *sj-srv1 - path_regex: ^secrets/holochain-infra/.+$ key_groups: - - pgp: - - *steveej - age: - - *srv0-dmz0 + - pgp: + - *steveej + age: + - *srv0-dmz0 - path_regex: ^secrets/router0-dmz0/.+$ key_groups: - - pgp: - - *steveej - age: - - *router0-dmz0 + - pgp: + - *steveej + age: + - *router0-dmz0 - path_regex: ^secrets/router0-ifog/.+$ key_groups: - - pgp: - - *steveej - age: - - *router0-ifog + - pgp: + - *steveej + age: + - 
*router0-ifog - path_regex: ^secrets/router0-hosthatch/.+$ key_groups: - - pgp: - - *steveej - age: - - *router0-hosthatch + - pgp: + - *steveej + age: + - *router0-hosthatch - path_regex: ^secrets/sj-vps-htz0/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 + - pgp: + - *steveej + age: + - *sj-vps-htz0 - path_regex: ^secrets/sj-srv1/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-srv1 + - pgp: + - *steveej + age: + - *sj-srv1 - path_regex: ^secrets/hstk0/.+$ key_groups: - - pgp: - - *steveej - age: - - *hstk0 + - pgp: + - *steveej + age: + - *hstk0 - path_regex: ^secrets/steveej-x13s/.+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-x13s + - pgp: + - *steveej + age: + - *steveej-x13s - path_regex: ^secrets/work-holo/.+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-x13s + - pgp: + - *steveej + age: + - *steveej-x13s diff --git a/.vscode/settings.json b/.vscode/settings.json index 79eb182..28f81bc 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,19 +1,21 @@ { - "nix.serverSettings": { - // settings for 'nil' LSP - "nil": { - "autoArchive": true, - "diagnostics": { - "ignored": [ - "unused_binding", - "unused_with" - ] - }, - "formatting": { - "command": [ - "treefmt-nix", - ] - } - } - }, + "editor.defaultFormatter": "ibecker.treefmt-vscode", + "editor.formatOnSave": true, + "nix.enableLanguageServer": true, + "nix.serverPath": "nil", + "nix.serverSettings": { + // settings for 'nil' LSP + "nil": { + "autoArchive": true, + "diagnostics": { + "ignored": ["unused_binding", "unused_with"] + }, + "formatting": { + "command": ["treefmt-nix", "--stdin", ".nil.nix"] + } + } + }, + "[nix]": { + "editor.defaultFormatter": "jnoortheen.nix-ide" + } } diff --git a/README.md b/README.md index d59de56..5d32951 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ # steveej's infra + This repository helps me to manage all computer infrastructure. This is mostly achieved with the help of [Nix](https://nixos.org). 
@@ -19,7 +20,7 @@ In the unlikely case that you actually read this and have any questions please d - [ ] development environments - [x] (Semi-) automatic synchronization of important repositories - [x] Modification strategy - The approach is to use vcsh for the dotfiles + The approach is to use vcsh for the dotfiles - [x] dotfiles - [x] Toplevel Justfile for simple actions - [x] mount/umount disks 
@@ -39,39 +40,46 @@ In the unlikely case that you actually read this and have any questions please d - [x] sj-pve0 - [x] use an existing secret management framework - [x] adapt (or abandon?) _just_ recipes - - [x] `rebuild-this-device` - - [x] `update-this-device` - - [x] `rebuild-remote-device` - - [x] `update-remote-device` - evaluate, and understand a path to using these tools in a pull-based fashion: + - [x] `rebuild-this-device` + - [x] `update-this-device` + - [x] `rebuild-remote-device` + - [x] `update-remote-device` + + evaluate, and understand a path to using these tools in a pull-based fashion: + - [x] [colmena](https://github.com/zhaofengli/colmena) - * bootstrapping: https://github.com/zhaofengli/colmena/issues/68 + - bootstrapping: https://github.com/zhaofengli/colmena/issues/68 - [ ] deploy-rs -- [x] 🚧 find a better alternative for the qtile-desktop - current issues: - - floating windows often get lost in the background - - plugging in-/out- screen crashes the desktop - evaluate: - - [x] ~~🚧 gnome3 + pop-shell~~ - - [x] ~~leftwm + eww (+ wayland?)~~ +- [x] 🚧 find a better alternative for the qtile-desktop + current issues: + + - floating windows often get lost in the background + - plugging in-/out- screen crashes the desktop + + evaluate: + + - [x] ~~🚧 gnome3 + pop-shell~~ + - [x] ~~leftwm + eww (+ wayland?)~~ + - [ ] (Re-)document bootstrap process - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] a new machine - [ ] an install media - [ ] Design disaster recovery - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 -- [ ] Recycle *\_archived* +- [ ] Recycle _\_archived_ - [ ] container migrations - [ ] ensure DDNS is updated _before_ the containers are started - ## Bugs + - [ ] home-manager leaves ~/.gnupg at 0755 ## Usage -*(These are reminders for my future self)* + +_(These are reminders for my future self)_ ``` just --list 
@@ -80,15 +88,17 @@ just --list ## Bootstrap ### A new machine -* ensure the dotfiles repo has a branch with the new machine's hostname -* boot with an install media and go through setup +- ensure the dotfiles repo has a branch with the new machine's hostname + +- boot with an install media and go through setup #### Post-Install Setup -* `chmod --recursive g-rwx,o-rwx ~/.gnupg` -* `gpg2 --edit-card; fetch` -* clone password-manager and infra repositories -* gpg2: ultimately trust my own key + +- `chmod --recursive g-rwx,o-rwx ~/.gnupg` +- `gpg2 --edit-card; fetch` +- clone password-manager and infra repositories +- gpg2: ultimately trust my own key ## Swapping out a disk diff --git a/default.nix b/default.nix index 75e1dbb..6aba02e 100644 --- a/default.nix +++ b/default.nix @@ -4,6 +4,9 @@ # Having pkgs default to is fine though, and it lets you use short # commands such as: # nix-build -A mypackage -{pkgs ? import {}}: { - pkgs = import ./nix/pkgs {inherit pkgs;}; +{ + pkgs ? import { }, +}: +{ + pkgs = import ./nix/pkgs { inherit pkgs; }; } diff --git a/flake.lock b/flake.lock index 4ea2cd8..10413b3 100644 --- a/flake.lock +++ b/flake.lock 
@@ -346,6 +346,81 @@ } }, "flake-utils_3": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_6": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_7": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_8": { "inputs": { "systems": "systems_3" }, @@ -363,7 +438,7 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_9": { "inputs": { "systems": "systems_4" }, 
@@ -485,7 +560,7 @@ }, "lib-aggregate": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_8", "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { 
@@ -639,6 +714,126 @@ "type": "github" } }, + "nixago": { + "inputs": { + "flake-utils": "flake-utils_3", + "nixago-exts": "nixago-exts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1714086354, + "narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", + "owner": "jmgilman", + "repo": "nixago", + "rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", + "type": "github" + }, + "original": { + "owner": "jmgilman", + "repo": "nixago", + "type": "github" + } + }, + "nixago-exts": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixago": "nixago_2", + "nixpkgs": [ + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070308, + "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago-exts_2": { + "inputs": { + "flake-utils": "flake-utils_6", + "nixago": "nixago_3", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655508669, + "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago_2": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixago-exts": "nixago-exts_2", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070010, + "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", + "owner": "nix-community", + "repo": "nixago", + "rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "rename-config-data", + "repo": "nixago", 
+ "type": "github" + } + }, + "nixago_3": { + "inputs": { + "flake-utils": "flake-utils_7", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655405483, + "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", + "owner": "nix-community", + "repo": "nixago", + "rev": "e6a9566c18063db5b120e69e048d3627414e327d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago", + "type": "github" + } + }, "nixos-anywhere": { "inputs": { "disko": "disko", @@ -847,11 +1042,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1730531603, - "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", + "lastModified": 1731319897, + "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=", "owner": "nixos", "repo": "nixpkgs", - "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", + "rev": "dc460ec76cbff0e66e269457d7b728432263166c", "type": "github" }, "original": { @@ -1058,6 +1253,7 @@ "logseq_0_10_9_aarch64_appimage": "logseq_0_10_9_aarch64_appimage", "nix-vscode-extensions": "nix-vscode-extensions", "nix4vscode": "nix4vscode", + "nixago": "nixago", "nixos-anywhere": "nixos-anywhere", "nixpkgs": [ "nixpkgs-2405" @@ -1351,7 +1547,7 @@ }, "yofi": { "inputs": { - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_9", "nixpkgs": [ "nixpkgs" ] diff --git a/flake.nix b/flake.nix index d1d4106..e36297d 100644 --- a/flake.nix +++ b/flake.nix @@ -43,10 +43,7 @@ url = "github:nix-community/fenix"; inputs.nixpkgs.follows = "nixpkgs"; }; - crane = { - url = "github:ipetkov/crane"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + crane.url = "github:ipetkov/crane"; sops-nix.url = "github:Mic92/sops-nix"; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; 
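Review bot: Dropping `inputs.nixpkgs.follows = "nixpkgs"` from the `crane` input is a dependency-graph change, not a formatting one, and the commit message ("introduce treefmt and fmt all") does not mention it. If crane no longer declares a nixpkgs input (the code passing `inputs.nixpkgs.legacyPackages.${system}` to `crane.mkLib` suggests so), a short comment next to `crane.url`, e.g. `# crane takes pkgs via mkLib and has no nixpkgs input to follow`, would keep the next reader from re-adding the follows; if it still does, this silently stops nixpkgs from being deduplicated for crane. The `inputs` attribute set this line belongs to starts and ends outside the hunk.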
@@ -129,218 +126,276 @@ url = "github:numtide/treefmt-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + nixago.url = "github:jmgilman/nixago"; + nixago.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = inputs @ { - self, - flake-parts, - nixpkgs, - ... - }: let - inherit (nixpkgs) lib; + outputs = + inputs@{ + self, + flake-parts, + nixpkgs, + ... + }: + let + inherit (nixpkgs) lib; - systems = [ - "x86_64-linux" - "aarch64-linux" - ]; - in - flake-parts.lib.mkFlake {inherit inputs;} - ({withSystem, ...}: { - flake.colmena = - lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) - { - meta.nixpkgs = import inputs.nixpkgs.outPath { - system = builtins.elemAt systems 0; - }; - } - # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import - # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 - (builtins.map - (nodeName: - import ./nix/os/devices/${nodeName} { - inherit nodeName; - repoFlake = self; - repoFlakeWithSystem = withSystem; - nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; - }) [ - "steveej-t14" - "steveej-x13s" - "steveej-x13s-rmvbl" - # "elias-e525" - # "justyna-p300" - - # "srv0-dmz0" - # "router0-dmz0" - "router0-ifog" - "router0-hosthatch" - - "sj-srv1" - - "hstk0" - ]); - - flake.lib = { - inherit withSystem; - }; - - # this makes nixos-anywhere work - flake.nixosConfigurations = let - colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; - router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; - in ( - colmenaHive - // { - router0-dmz0 = router0-dmz0.native; - - # for now deploy directly with: - # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 - router0-dmz0_cross = router0-dmz0.cross; - - steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross; - steveej-x13s-rmvbl_cross = (inputs.get-flake 
./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; - } - ); - - inherit systems; - - perSystem = { - self', - inputs', - system, - config, - lib, - pkgs, - ... - }: { - imports = [ - ./nix/modules/flake-parts/perSystem/default.nix - ]; - - packages = let - dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {}; - - craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; - - craneLib = - craneLibFn - inputs'.fenix.packages.stable.toolchain; - - craneLibOfiPass = - craneLibFn + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + in + flake-parts.lib.mkFlake { inherit inputs; } ( + { withSystem, ... }: + { + flake.colmena = + lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) + { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } + # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import + # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 ( - inputs'.fenix.packages.stable.toolchain - # .override { - # date = "1.60.0"; - # } + builtins.map + ( + nodeName: + import ./nix/os/devices/${nodeName} { + inherit nodeName; + repoFlake = self; + repoFlakeWithSystem = withSystem; + nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; + } + ) + [ + "steveej-t14" + "steveej-x13s" + "steveej-x13s-rmvbl" + # "elias-e525" + # "justyna-p300" + + # "srv0-dmz0" + # "router0-dmz0" + "router0-ifog" + "router0-hosthatch" + + "sj-srv1" + + "hstk0" + ] ); - in { - dcpj4110dwDriver = dcpj4110dw.driver; - dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - inherit (inputs'.colmena.packages) colmena; - - prs = - pkgs.callPackage - ({ - pkgs, - dbus, - glib, - gpgme, - gtk3, - libxcb, - libxkbcommon, - installShellFiles, - pkg-config, - python3, - }: - craneLib.buildPackage { - pname = "prs"; - version = inputs.prs.shortRev; - src = inputs.prs; - nativeBuildInputs = [gpgme installShellFiles pkg-config python3]; - 
- buildInputs = [ - dbus - glib - gpgme - gtk3 - libxcb - libxkbcommon - ]; - - cargoExtraArgs = "--features backend-gpgme"; - - postInstall = '' - for shell in bash fish zsh; do - installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) - done - ''; - }) - {}; - - nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; - - ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' - set -x - pkill -9 wayland-proxy-v - export NIXOS_OZONE_WL="" - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=3 \ - & - # --x-unscale=3 \ - #--verbose \ - - export PROXYPID="$!" - - trap "kill -9 \$PROXYPID" EXIT - # trap "pkill -9 wayland-proxy-v" EXIT - - env \ - WAYLAND_DISPLAY=wayland-3 \ - DISPLAY=:3 \ - ledger-live-desktop - ''; - - syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' - ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 - ''; - - rperf = craneLib.buildPackage { - src = inputs.rperf; - nativeBuildInputs = [ - pkgs.pkg-config - ]; - buildInputs = [ - ]; - }; - - x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" {} '' - mkdir -p $out/lib/firmware/qca - cp -v ${self}/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw $out/lib/firmware/qca/hpnv21.bin - cp -v ${inputs.x13s-bt-firmware} $out/lib/firmware/qca//hpbtfw21.tlv - ''; - - x13s-ath11k-firmware = pkgs.runCommand "x13s-ath11k-firmware-before" {} '' - mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - ''; + flake.lib = { + inherit withSystem; }; - formatter = 
inputs.treefmt-nix.formatter.${system}; + # this makes nixos-anywhere work + flake.nixosConfigurations = + let + colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; + router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; + in + colmenaHive + // { + router0-dmz0 = router0-dmz0.native; - devShells = let - all = import ./nix/devShells.nix { - inherit - self - self' - inputs' - pkgs - ; + # for now deploy directly with: + # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 + router0-dmz0_cross = router0-dmz0.cross; + + steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross; + steveej-x13s-rmvbl_cross = + (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; }; - in (all // {default = all.develop;}); - }; - }); + + inherit systems; + + perSystem = + { + self', + inputs', + system, + config, + lib, + pkgs, + ... + }: + { + imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; + + packages = + let + dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { }; + + craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; + + craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; + in + { + dcpj4110dwDriver = dcpj4110dw.driver; + dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; + + inherit (inputs'.colmena.packages) colmena; + + prs = pkgs.callPackage ( + { + dbus, + glib, + gpgme, + gtk3, + libxcb, + libxkbcommon, + installShellFiles, + pkg-config, + python3, + }: + craneLib.buildPackage { + pname = "prs"; + version = inputs.prs.shortRev; + src = inputs.prs; + nativeBuildInputs = [ + gpgme + installShellFiles + pkg-config + python3 + ]; + + buildInputs = [ + dbus + glib + gpgme + gtk3 + libxcb + libxkbcommon + ]; + + cargoExtraArgs = "--features backend-gpgme"; + + postInstall = '' + for shell in bash fish zsh; do + installShellCompletion --cmd 
prs --$shell <($out/bin/prs internal completions $shell --stdout) + done + ''; + } + ) { }; + + nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; + + ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' + set -x + pkill -9 wayland-proxy-v + export NIXOS_OZONE_WL="" + ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ + --wayland-display=wayland-3 \ + --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ + --x-display=3 \ + & + # --x-unscale=3 \ + #--verbose \ + + export PROXYPID="$!" + + trap "kill -9 \$PROXYPID" EXIT + # trap "pkill -9 wayland-proxy-v" EXIT + + env \ + WAYLAND_DISPLAY=wayland-3 \ + DISPLAY=:3 \ + ledger-live-desktop + ''; + + syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' + ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 + ''; + + rperf = craneLib.buildPackage { + src = inputs.rperf; + nativeBuildInputs = [ pkgs.pkg-config ]; + buildInputs = [ ]; + }; + + x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" { } '' + mkdir -p $out/lib/firmware/qca + cp -v ${self}/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw $out/lib/firmware/qca/hpnv21.bin + cp -v ${inputs.x13s-bt-firmware} $out/lib/firmware/qca//hpbtfw21.tlv + ''; + + x13s-ath11k-firmware = pkgs.runCommand "x13s-ath11k-firmware-before" { } '' + mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ + ''; + }; + + formatter = + let + settingsNix = { + projectRootFile = ".git/config"; + + package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2; + + programs = { + nixfmt.enable = true; + deadnix.enable = true; + statix.enable = true; + + shfmt.enable = true; + shellcheck.enable = true; + + 
prettier.enable = true; + } // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; }; + + settings = { + global.excludes = [ + "LICENSE" + "secrets/" + ".git-crypt/" + + # unsupported extensions + "*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}" + ]; + + formatter = { + deadnix = { + priority = 1; + }; + + nixfmt = { + priority = 2; + }; + + statix = { + priority = 3; + }; + + prettier = { + options = [ + "--tab-width" + "2" + ]; + includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ]; + }; + }; + }; + }; + eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix; + in + eval.config.build.wrapper.overrideAttrs (_: { + passthru = { + inherit (eval.config) package settings; + }; + }); + + devShells = + let + all = import ./nix/devShells.nix { + inherit + self + self' + inputs' + pkgs + ; + }; + in + all // { default = all.develop; }; + }; + } + ); } diff --git a/nix/container-images/build.sh b/nix/container-images/build.sh index 6cfab1a..1025cb4 100755 --- a/nix/container-images/build.sh +++ b/nix/container-images/build.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -xe -[ ! -z "$NAME" ] +[ -n "$NAME" ] nix-build . --show-trace -A "$NAME" -docker image rm "$NAME":latest --force +docker image rm "$NAME":latest --force docker load -i result diff --git a/nix/container-images/default.nix b/nix/container-images/default.nix index 7dcab2a..67f516d 100644 --- a/nix/container-images/default.nix +++ b/nix/container-images/default.nix @@ -1,6 +1,10 @@ -{pkgs ? import {}}: let - baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; -in rec { +{ + pkgs ? import { }, +}: +let + baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; +in +rec { base = pkgs.dockerTools.buildImage rec { name = "base"; 
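Review bot: `[ -n "$NAME" ]` in build.sh only aborts because of `set -e`, and the failure prints nothing but the traced test, so an operator who forgets to export NAME gets no hint about what went wrong. Replacing the test with `: "${NAME:?NAME must be set to the image attribute to build}"` keeps the abort and names the missing variable in the error. The remaining lines of the script are unchanged by this hunk.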
@@ -21,59 +25,70 @@ in rec { interactive_base = pkgs.dockerTools.buildImage { name = "interactive_base"; fromImage = base; - contents = with pkgs; [procps zsh coreutils neovim]; + contents = with pkgs; [ + procps + zsh + coreutils + neovim + ]; - config = {Cmd = ["/bin/zsh"];}; + config = { + Cmd = [ "/bin/zsh" ]; + }; }; - s3ql = let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} + s3ql = + let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} - if [ -z "$S3QL_BUCKET" ]; then - echo S3QL_BUCKET not set - exit 1 - fi + if [ -z "$S3QL_BUCKET" ]; then + echo S3QL_BUCKET not set + exit 1 + fi - if [ -z "$S3QL_STORAGE_URL" ]; then - echo S3QL_STORAGE_URL not set - exit 1 - fi + if [ -z "$S3QL_STORAGE_URL" ]; then + echo S3QL_STORAGE_URL not set + exit 1 + fi - if [ -z "$S3QL_CACHESIZE" ]; then - echo S3QL_CACHESIZE not set - exit 1 - fi + if [ -z "$S3QL_CACHESIZE" ]; then + echo S3QL_CACHESIZE not set + exit 1 + fi - set -x + set -x - if [ "$S3QL_SKIP_FSCK" != "1" ]; then - fsck.s3ql \ - --authfile $S3QL_AUTHINFO2 \ + if [ "$S3QL_SKIP_FSCK" != "1" ]; then + fsck.s3ql \ + --authfile $S3QL_AUTHINFO2 \ + --log none \ + --cachedir $S3QL_CACHE_DIR \ + $S3QL_STORAGE_URL + fi + + exec mount.s3ql \ + --cachedir "$S3QL_CACHE_DIR" \ + --authfile "$S3QL_AUTHINFO2" \ + --cachesize "$S3QL_CACHESIZE" \ + --fg \ + --compress lzma-6 \ + --threads 4 \ --log none \ - --cachedir $S3QL_CACHE_DIR \ - $S3QL_STORAGE_URL - fi + --allow-root \ + "$S3QL_STORAGE_URL" \ + /bucket - exec mount.s3ql \ - --cachedir "$S3QL_CACHE_DIR" \ - --authfile "$S3QL_AUTHINFO2" \ - --cachesize "$S3QL_CACHESIZE" \ - --fg \ - --compress lzma-6 \ - --threads 4 \ - --log none \ - --allow-root \ - "$S3QL_STORAGE_URL" \ - /bucket - - # FIXME: touch .isbucket after mount - ''; - in + # FIXME: touch .isbucket after mount + ''; + in pkgs.dockerTools.buildImage { name = "s3ql"; fromImage = interactive_base; - contents = [pkgs.s3ql pkgs.fuse]; + contents = [ + pkgs.s3ql + 
pkgs.fuse + ]; runAsRoot = '' #!${pkgs.stdenv.shell} 
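Review bot: The `fsck.s3ql` invocation in the s3ql entrypoint passes `$S3QL_AUTHINFO2`, `$S3QL_CACHE_DIR` and `$S3QL_STORAGE_URL` unquoted, while the `mount.s3ql` call a few lines below quotes the same three variables; an authfile path or storage URL containing whitespace or glob characters would be word-split before reaching fsck. Quoting them as `--authfile "$S3QL_AUTHINFO2" --cachedir "$S3QL_CACHE_DIR" "$S3QL_STORAGE_URL"` makes the two calls consistent. The entrypoint also validates S3QL_BUCKET, S3QL_STORAGE_URL and S3QL_CACHESIZE up front but not S3QL_AUTHINFO2 or S3QL_CACHE_DIR, which it relies on equally; a matching `[ -z "$S3QL_AUTHINFO2" ]` guard would fail early with a clear message instead of inside fsck. The `s3ql` binding and its `runAsRoot` script continue past the end of this hunk.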
@@ -84,57 +99,58 @@ in rec { ''; config = { - Env = - baseEnv - ++ [ - "HOME=/home/s3ql" - "S3QL_CACHE_DIR=/var/cache/s3ql" - "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" - "CONTAINER_ENTRYPOINT=${entrypoint}" - ]; - Cmd = [entrypoint]; + Env = baseEnv ++ [ + "HOME=/home/s3ql" + "S3QL_CACHE_DIR=/var/cache/s3ql" + "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" + "CONTAINER_ENTRYPOINT=${entrypoint}" + ]; + Cmd = [ entrypoint ]; Volumes = { - "/var/cache/s3ql" = {}; - "/etc/s3ql/authinfo2" = {}; - "/buckets" = {}; - "/tmp" = {}; + "/var/cache/s3ql" = { }; + "/etc/s3ql/authinfo2" = { }; + "/buckets" = { }; + "/tmp" = { }; }; }; }; - syncthing = let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} - set -x - if [ ! -e /data/.isbucket ]; then - echo ERROR: Bucket not mounted at /data - exit 1 - fi + syncthing = + let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} + set -x + if [ ! -e /data/.isbucket ]; then + echo ERROR: Bucket not mounted at /data + exit 1 + fi - if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then - echo ERROR: SYNCTHING_GUI_ADDRESS is not set - exit 1 - fi + if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then + echo ERROR: SYNCTHING_GUI_ADDRESS is not set + exit 1 + fi - if [ ! -w "$SYNCTHING_HOME" ]; then - echo ERROR : SYNCTHING_HOME is not writable - fi + if [ ! -w "$SYNCTHING_HOME" ]; then + echo ERROR : SYNCTHING_HOME is not writable + fi - exec syncthing \ - -home $SYNCTHING_HOME \ - -gui-address=$SYNCTHING_GUI_ADDRESS \ - -no-browser - ''; - in + exec syncthing \ + -home $SYNCTHING_HOME \ + -gui-address=$SYNCTHING_GUI_ADDRESS \ + -no-browser + ''; + in pkgs.dockerTools.buildImage { name = "syncthing"; fromImage = interactive_base; contents = pkgs.syncthing; config = { - Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"]; - Cmd = [entrypoint]; - Volumes = {"/data" = {};}; + Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; + Cmd = [ entrypoint ]; + Volumes = { + "/data" = { }; + }; }; }; } 
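Review bot: The `SYNCTHING_HOME` writability check in the syncthing entrypoint prints `ERROR : SYNCTHING_HOME is not writable` but, unlike the two checks above it, does not `exit 1`, so the script falls through and `exec syncthing` runs anyway against an unwritable home; adding `exit 1` after the echo makes it behave like the other guards. The same `exec` line passes `$SYNCTHING_HOME` and `$SYNCTHING_GUI_ADDRESS` unquoted, whereas the s3ql entrypoint in this file quotes its arguments; `-home "$SYNCTHING_HOME" -gui-address="$SYNCTHING_GUI_ADDRESS"` avoids word splitting. On the s3ql image, `/etc/s3ql/authinfo2` is declared as a volume that will hold backend credentials; a one-line comment that it should be mounted read-only with restrictive permissions would help whoever runs this image.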
diff --git a/nix/default.nix b/nix/default.nix index 888a4e9..f8947e0 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -1,26 +1,34 @@ -{versionsPath}: let +{ versionsPath }: +let channelVersions = import versionsPath; - mkChannelSource = name: let - channelVersion = builtins.getAttr name channelVersions; - in + mkChannelSource = + name: + let + channelVersion = builtins.getAttr name channelVersions; + in builtins.fetchGit { # Descriptive name to make the store path easier to identify inherit name; inherit (channelVersion) url ref rev; }; - nixPath = builtins.concatStringsSep ":" (builtins.map - (elemName: let - elem = builtins.getAttr elemName channelVersions; - elemPath = mkChannelSource elemName; - suffix = - if builtins.hasAttr "suffix" elem - then elem.suffix - else ""; - in - builtins.concatStringsSep "=" [elemName elemPath] + suffix) - (builtins.attrNames channelVersions)); - pkgs = import (mkChannelSource "nixpkgs") {}; -in { + nixPath = builtins.concatStringsSep ":" ( + builtins.map ( + elemName: + let + elem = builtins.getAttr elemName channelVersions; + elemPath = mkChannelSource elemName; + suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; + in + builtins.concatStringsSep "=" [ + elemName + elemPath + ] + + suffix + ) (builtins.attrNames channelVersions) + ); + pkgs = import (mkChannelSource "nixpkgs") { }; +in +{ inherit nixPath; channelSources = pkgs.writeText "channels.rc" '' export NIX_PATH=${nixPath} diff --git a/nix/devShells.nix b/nix/devShells.nix index 1358f30..d6c55f6 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix @@ -3,9 +3,8 @@ self', inputs', pkgs, -}: let - pkgsUnstable = inputs'.nixpkgs-unstable.legacyPackages; -in { +}: +{ install = pkgs.mkShell { name = "infra-install"; packages = with pkgs; [ 
@@ -20,11 +19,9 @@ in { develop = pkgs.mkShell { name = "infra-develop"; - inputsFrom = [ - self'.devShells.install - ]; + inputsFrom = [ self'.devShells.install ]; packages = with pkgs; [ - self'.formatter + self'.formatter # .package inputs'.colmena.packages.colmena dconf2nix inputs'.nixos-anywhere.packages.nixos-anywhere @@ -92,6 +89,15 @@ in { # Set Environment Variables RUST_BACKTRACE = 1; - KANIDM_URL = self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin; + KANIDM_URL = + self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin; + + shellHook = + (self.inputs.nixago.lib.${pkgs.system}.make { + data = self'.formatter.settings; + output = "treefmt.toml"; + format = "toml"; + }).shellHook + + ''''; }; } diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index ac0914d..0f1eda9 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -5,13 +5,14 @@ # these come in via home-manager.extraSpecialArgs and are specific to each node nodeFlake, repoFlake, - packages', ... -}: let +}: +let pkgsUnstable = pkgs.pkgsUnstable - or (import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config overlays;}); -in { + or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; }); +in +{ imports = [ ../profiles/common.nix # ../profiles/dotfiles.nix 
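Review bot: The trailing `+ ''''` on the new `shellHook` concatenates an empty string and can simply be dropped, leaving `shellHook = (self.inputs.nixago.lib.${pkgs.system}.make { ... }).shellHook;`. It is also worth a one-line comment that this hook regenerates `treefmt.toml` in the checkout from `self'.formatter.settings` on every shell entry, since nothing in this module otherwise shows where that file comes from. The `develop` shell's attribute set starts before this hunk.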
@@ -34,18 +35,18 @@ in { ../programs/libreoffice.nix ../programs/neovim.nix ../programs/vscode - { - home.packages = [ - pkgsUnstable.markdown-oxide - ]; - } + { home.packages = [ pkgsUnstable.markdown-oxide ]; } ]; home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.GOPATH = "$HOME/src/go"; - home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; + home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ + "$HOME/.local/bin" + "$PATH" + ]; - nixpkgs.config.allowInsecurePredicate = pkg: + nixpkgs.config.allowInsecurePredicate = + pkg: builtins.elem (lib.getName pkg) [ "electron-28.3.3" "electron-27.3.11" @@ -68,8 +69,7 @@ in { # ]; home.packages = - [] - ++ (with pkgs; [ + (with pkgs; [ # Authentication # cacert # fprintd @@ -246,19 +246,15 @@ in { # libretro.snes9x2010 # retroarchFull - ( - pkgs.logseq.overrideAttrs ( - attrs: - lib.attrsets.recursiveUpdate - attrs - ( - lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { - src = repoFlake.inputs.logseq_0_10_9_aarch64_appimage; - meta.platforms = ["aarch64-linux"]; - } - ) + (pkgs.logseq.overrideAttrs ( + attrs: + lib.attrsets.recursiveUpdate attrs ( + lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { + src = repoFlake.inputs.logseq_0_10_9_aarch64_appimage; + meta.platforms = [ "aarch64-linux" ]; + } ) - ) + )) # ( # pkgsUnstable.callPackage (repoFlake + "/nix/pkgs/logseq") @@ -267,8 +263,7 @@ in { # }) # ) ]) - ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ - ]) + ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ]) ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ pkgsUnstable.ledger-live-desktop diff --git a/nix/home-manager/configuration/graphical-gnome3.nix b/nix/home-manager/configuration/graphical-gnome3.nix index 12e1948..5eaebd1 100644 --- a/nix/home-manager/configuration/graphical-gnome3.nix +++ b/nix/home-manager/configuration/graphical-gnome3.nix 
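Review bot: `allowInsecurePredicate` compares `lib.getName pkg`, which strips the version and yields `electron` for every electron derivation, against versioned strings such as `"electron-28.3.3"` and `"electron-27.3.11"`, so those entries can never match; if the intent is to allow only those specific insecure releases, compare the full `pkg.name` (or `lib.getName pkg` together with `lib.getVersion pkg`) instead. A short comment naming which package still needs the end-of-life electron and why that is acceptable would also help the next person who has to re-audit this allowlist. The list continues past the end of this hunk, so I cannot see what other entries follow.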
@@ -1,13 +1,8 @@ +{ pkgs, ... }: { - pkgs, - config, - ... -}: { - home.packages = - [] - ++ (with pkgs; [ - gnome.gnome-tweaks - gnome.gnome-keyring - gnome.seahorse - ]); + home.packages = with pkgs; [ + gnome.gnome-tweaks + gnome.gnome-keyring + gnome.seahorse + ]; } diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index faac0d5..d6296a2 100644 --- a/nix/home-manager/configuration/graphical-removable.nix +++ b/nix/home-manager/configuration/graphical-removable.nix @@ -1,8 +1,5 @@ +{ pkgs, ... }: { - pkgs, - config, - ... -}: { imports = [ ../profiles/common.nix ../profiles/qtile-desktop.nix 
@@ -16,89 +13,87 @@ ../programs/pass.nix ]; - home.packages = - [] - ++ (with pkgs; [ - # Nix package related tools - patchelf - nix-index - nix-prefetch-scripts + home.packages = with pkgs; [ + # Nix package related tools + patchelf + nix-index + nix-prefetch-scripts - # Version Control Systems - gitless + # Version Control Systems + gitless - # Process/System Administration - htop - gnome.gnome-tweaks - xorg.xhost - dmidecode - evtest + # Process/System Administration + htop + gnome.gnome-tweaks + xorg.xhost + dmidecode + evtest - # Archive Managers - sshfs-fuse - xarchive - p7zip - zip - unzip - gzip - lzop + # Archive Managers + sshfs-fuse + xarchive + p7zip + zip + unzip + gzip + lzop - # Password Management - gnome.gnome-keyring - gnome.seahorse + # Password Management + gnome.gnome-keyring + gnome.seahorse - # Remote Control Tools - remmina - freerdp + # Remote Control Tools + remmina + freerdp - # Network Tools - openvpn - tcpdump - iftop - iperf - bind - socat + # Network Tools + openvpn + tcpdump + iftop + iperf + bind + socat - # samba - iptables - nftables - wireshark + # samba + iptables + nftables + wireshark - # Code Editors - xclip - xsel + # Code Editors + xclip + xsel - # Image/Graphic/Design Tools - gnome.eog - gimp - inkscape + # Image/Graphic/Design Tools + gnome.eog + gimp + inkscape - # Misc Development Tools - qrcode - jq - cdrtools + # Misc Development Tools + qrcode + jq + cdrtools - # Document Processing and Management - zathura + # Document Processing and Management + zathura - # File Synchronzation - rsync + # File Synchronzation + rsync - # Filesystem Tools - ntfs3g - ddrescue - ncdu - woeusb - unetbootin - pcmanfm - hdparm - testdisk - binwalk - gptfdisk + # Filesystem Tools + ntfs3g + ddrescue + ncdu + woeusb + unetbootin + pcmanfm + hdparm + testdisk + binwalk + gptfdisk - packages'.myPython + packages'.myPython - # Virtualization - virtmanager - ]); + # Virtualization + virtmanager + ]; } 
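Review bot: `packages'.myPython` in the package list is not bound by this module's argument set (`{ pkgs, ... }` after the previous hunk, and `{ pkgs, config, ... }` before it), and because it sits inside `with pkgs;` Nix will only resolve it if `pkgs` happens to carry a `packages'` attribute; otherwise evaluating this configuration fails with an undefined-variable error. The formatter pass removed the unused `config` argument but left this reference, so it looks pre-existing rather than introduced here; either add `packages'` to the module arguments or drop the entry. I cannot tell from the diff whether this configuration is still evaluated anywhere, which would explain why it has not surfaced.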
diff --git a/nix/home-manager/lib.nix b/nix/home-manager/lib.nix index b731c1d..7436034 100644 --- a/nix/home-manager/lib.nix +++ b/nix/home-manager/lib.nix @@ -1,14 +1,19 @@ -{}: let -in { - mkSimpleTrayService = {execStart}: { - Unit = { - Description = ""; - After = ["graphical-session-pre.target"]; - PartOf = ["graphical-session.target"]; +_: { + mkSimpleTrayService = + { execStart }: + { + Unit = { + Description = ""; + After = [ "graphical-session-pre.target" ]; + PartOf = [ "graphical-session.target" ]; + }; + + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = execStart; + }; }; - - Install = {WantedBy = ["graphical-session.target"];}; - - Service = {ExecStart = execStart;}; - }; } diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index d5b0c7e..e51dd7b 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix @@ -1,8 +1,5 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: { home.stateVersion = lib.mkDefault "23.11"; # TODO: re-enable this with the appropriate version? @@ -15,7 +12,8 @@ allowUnfree = true; allowUnsupportedSystem = true; - allowInsecurePredicate = pkg: + allowInsecurePredicate = + pkg: builtins.elem (lib.getName pkg) [ "electron-28.3.3" "electron-27.3.11" @@ -28,7 +26,8 @@ "electron" ]; - allowUnfreePredicate = pkg: + allowUnfreePredicate = + pkg: builtins.elem (lib.getName pkg) [ "obsidian" "vivaldi" 
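Review bot: The bare `"electron"` entry in `allowInsecurePredicate` matches `lib.getName` of every electron derivation regardless of version, so the predicate effectively allows any electron that nixpkgs has flagged insecure, while the versioned entries above it (`"electron-28.3.3"`, `"electron-27.3.11"`) can never match because `lib.getName` strips the version. If the goal is to permit only specific end-of-life releases, compare `pkg.name` against the versioned strings and remove the bare entry; if a blanket allow is really intended, a comment saying so and why would make the accepted risk explicit. The list starts in the preceding hunk, outside this one.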
@@ -56,47 +55,45 @@ programs.command-not-found.enable = true; programs.fzf.enable = true; - home.packages = - [] - ++ (with pkgs; [ - coreutils + home.packages = with pkgs; [ + coreutils - vcsh + vcsh - htop - iperf3 - nethogs + htop + iperf3 + nethogs - # Authentication - cacert - openssl - mkpasswd + # Authentication + cacert + openssl + mkpasswd - just - ripgrep - du-dust + just + ripgrep + du-dust - elfutils - exfat - file - tree - pwgen - proot + elfutils + exfat + file + tree + pwgen + proot - parted - pv - tmux - wget - curl + parted + pv + tmux + wget + curl - # git helpers - git-crypt - gitFull - pastebinit - gist - mr + # git helpers + git-crypt + gitFull + pastebinit + gist + mr - usbutils - pciutils - ]); + usbutils + pciutils + ]; } diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index 670ea75..a7bddd9 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix 
@@ -1,45 +1,4 @@ -{ - repoFlake, - pkgs, - config, - repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", - repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", - ... -}: let - repoBareLocal = - pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; - vcshActivationScript = pkgs.writeScript "activation-script" '' - export HOST=$(hostname -s) - - function set_remotes { - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 - } - - if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then - echo Cloning dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles - set_remotes ${repoHttps} ${repoSsh} - else - set_remotes ${repoBareLocal} ${repoSsh} - echo Updating dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh pull $HOST || true - set_remotes ${repoHttps} ${repoSsh} - fi - ''; -in { +_: { # TODO: fix the dotfiles # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # $DRY_RUN_CMD ${vcshActivationScript} diff --git a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix index 84d629f..2a866f2 100644 --- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix +++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix 
@@ -3,38 +3,40 @@ repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", ... -}: let +}: +let repoBareLocal = pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } + '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; in - pkgs.writeScript "activation-script" '' - export HOST=$(hostname -s) +pkgs.writeScript "activation-script" '' + export HOST=$(hostname -s) - function set_remotes { - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 - } + function set_remotes { + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 + } - if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then - echo Cloning dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles - set_remotes ${repoHttps} ${repoSsh} - else - set_remotes ${repoBareLocal} ${repoSsh} - echo Updating dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh pull $HOST || true - set_remotes ${repoHttps} ${repoSsh} - fi - '' + if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then + echo Cloning dotfiles for $HOST... 
+ ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles + set_remotes ${repoHttps} ${repoSsh} + else + set_remotes ${repoBareLocal} ${repoSsh} + echo Updating dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh pull $HOST || true + set_remotes ${repoHttps} ${repoSsh} + fi +'' diff --git a/nix/home-manager/profiles/experimental-desktop.nix b/nix/home-manager/profiles/experimental-desktop.nix index 13d87d7..d57a051 100644 --- a/nix/home-manager/profiles/experimental-desktop.nix +++ b/nix/home-manager/profiles/experimental-desktop.nix @@ -1,16 +1,6 @@ +{ packages', ... }: { - pkgs, - config, - lib, - nodeFlake, - packages', - ... -}: let - pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {}; -in { - imports = [ - ../profiles/wayland-desktop.nix - ]; + imports = [ ../profiles/wayland-desktop.nix ]; home.packages = [ # experimental WMs diff --git a/nix/home-manager/profiles/gnome-desktop.nix b/nix/home-manager/profiles/gnome-desktop.nix index b803ea5..5051205 100644 --- a/nix/home-manager/profiles/gnome-desktop.nix +++ b/nix/home-manager/profiles/gnome-desktop.nix @@ -1,13 +1,6 @@ +{ pkgs, ... }: { - pkgs, - config, - lib, - ... -}: let -in { - imports = [ - ../profiles/wayland-desktop.nix - ]; + imports = [ ../profiles/wayland-desktop.nix ]; services = { gnome-keyring.enable = false; 
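Review bot: `repoBareLocal` is a fixed-output derivation whose `outputHash` is an all-zero placeholder, so it either fails with a hash mismatch on first build or, once someone pastes in the hash Nix reports, pins whatever `git clone --mirror` of the unpinned `repoHttps` returned at that moment; no commit rev appears anywhere in the chain. Pinning with `builtins.fetchGit { url = repoHttps; ref = ...; rev = ...; }`, as nix/default.nix does in this same commit, gives a reviewable pin and removes the network access from the derivation. The activation script also passes `$1` and `$2` to `vcsh dotfiles remote set-url` unquoted inside `set_remotes`; quoting them costs nothing. This template appears to be unused now that profiles/dotfiles.nix keeps the activation commented out, so this may be moot.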
@@ -25,85 +18,83 @@ in { services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; - dconf.settings = let - manualKeybindings = [ - { - binding = "Print"; - command = "flameshot gui"; - name = "flameshot"; - } + dconf.settings = + let + manualKeybindings = [ + { + binding = "Print"; + command = "flameshot gui"; + name = "flameshot"; + } - { - binding = "t"; - command = "alacritty"; - name = "alacritty"; - } - ]; + { + binding = "t"; + command = "alacritty"; + name = "alacritty"; + } + ]; - numWorkspaces = 10; - customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; - customKeybindingsNames = - builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") - ( - (builtins.length manualKeybindings) - + numWorkspaces # for sending to the workspace + numWorkspaces = 10; + customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; + customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( + (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace ); - workspacesKeyBindingsOffset = builtins.length manualKeybindings; + workspacesKeyBindingsOffset = builtins.length manualKeybindings; - # with this we can make use of all number keys [0-9] - mapToNumber = i: - if i < 10 - then i - else if i == 10 - then 0 - else throw "i exceeds 10: ${i}"; - in + # with this we can make use of all number keys [0-9] + mapToNumber = + i: + if i < 10 then + i + else if i == 10 then + 0 + else + throw "i exceeds 10: ${i}"; + in { "org/gnome/settings-daemon/plugins/media-keys" = { custom-keybindings = customKeybindingsNames; screenreader = "@as []"; - screensaver = ["l"]; + screensaver = [ "l" ]; }; # disable the builtin [1-9] functionality - "org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList - (i: { - name = "switch-to-application-${toString (i + 1)}"; - value = []; - }) - numWorkspaces) + "org/gnome/shell/keybindings" = 
builtins.listToAttrs ( + (builtins.genList (i: { + name = "switch-to-application-${toString (i + 1)}"; + value = [ ]; + }) numWorkspaces) ++ [ { name = "toggle-overview"; - value = []; + value = [ ]; } - ]); + ] + ); # remap it to switching to the workspaces - "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList - (i: { + "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( + builtins.genList (i: { name = "switch-to-workspace-${toString (i + 1)}"; - value = [ - "${toString (mapToNumber (i + 1))}" - ]; - }) - numWorkspaces); + value = [ "${toString (mapToNumber (i + 1))}" ]; + }) numWorkspaces + ); } - // builtins.listToAttrs (builtins.genList - (i: { + // builtins.listToAttrs ( + builtins.genList (i: { name = "${customKeybindingBaseName}${toString i}"; value = builtins.elemAt manualKeybindings i; - }) - (builtins.length manualKeybindings)) - // builtins.listToAttrs (builtins.genList - (i: { + }) (builtins.length manualKeybindings) + ) + // builtins.listToAttrs ( + builtins.genList (i: { name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; value = { binding = "${toString (mapToNumber (i + 1))}"; command = "wmctrl -r :ACTIVE: -t ${toString i}"; name = "Send to workspace ${toString (i + 1)}"; }; - }) - numWorkspaces); + }) numWorkspaces + ); } diff --git a/nix/home-manager/profiles/nix-channels.nix b/nix/home-manager/profiles/nix-channels.nix index 68f21c7..fc52ec6 100644 --- a/nix/home-manager/profiles/nix-channels.nix +++ b/nix/home-manager/profiles/nix-channels.nix 
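Review bot: The fallback branch of `mapToNumber` does `throw "i exceeds 10: ${i}"`, but `i` is an integer and Nix cannot interpolate an integer into a string, so if that branch were ever reached the evaluator would fail with a coercion error instead of the intended message; `throw "i exceeds 10: ${toString i}"` fixes it. With `numWorkspaces = 10` the branch is currently unreachable, which is presumably why this has gone unnoticed. The `dconf.settings` expression begins and ends inside this hunk.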
@@ -1,28 +1,22 @@ +{ pkgs, config, ... }: { - pkgs, - config, - ... -}: let -in { home.file.".nix-channels".text = ""; - home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' - $DRY_RUN_CMD ${ - pkgs.writeScript "activation-script" '' - set -ex - if test -f $HOME/.nix-channels; then - echo Uninstalling available channels... - if test -f $HOME/.nix-channel; then - while read url channel; do - nix-channel --remove $channel - done < $HOME/.nix-channel - fi - echo Moving existing file away... - touch $HOME/.nix-channels.dummy - mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels - rm $HOME/.nix-channels + home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] '' + $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' + set -ex + if test -f $HOME/.nix-channels; then + echo Uninstalling available channels... + if test -f $HOME/.nix-channel; then + while read url channel; do + nix-channel --remove $channel + done < $HOME/.nix-channel fi - '' - }; + echo Moving existing file away... + touch $HOME/.nix-channels.dummy + mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels + rm $HOME/.nix-channels + fi + ''}; ''; } diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index da12f62..7aa492f 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -1,14 +1,14 @@ -{ - pkgs, - config, - ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +{ pkgs, ... }: +let audio = pkgs.writeShellScript "audio" '' export PATH=${ with pkgs; - lib.makeBinPath [pulseaudio findutils gnugrep] + lib.makeBinPath [ + pulseaudio + findutils + gnugrep + ] }:$PATH export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute 
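Review bot: The inner `if test -f $HOME/.nix-channel` guard and the `while read url channel ... done < $HOME/.nix-channel` loop refer to `.nix-channel` (singular), while the outer guard and the file that `nix-channel` itself maintains are `$HOME/.nix-channels`; as written the removal loop never runs and the channels file is only moved aside, leaving the channels registered. If unregistering them is the intent, point both references at `$HOME/.nix-channels` and quote `"$HOME"` and `"$channel"`, since the script runs under `set -ex`. I am inferring the intent from the `Uninstalling available channels...` message; if the singular file is deliberate, a comment saying what writes it would help.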
@@ -33,7 +33,7 @@ terminalCommand = "${pkgs.alacritty}/bin/alacritty"; dpmsScript = pkgs.writeShellScript "dpmsScript" '' - export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH set -xe @@ -56,7 +56,7 @@ ''; screenLockCommand = pkgs.writeShellScript "screenLock" '' - export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH revert() { ${dpmsScript} default @@ -251,7 +251,8 @@ def print_new_window(window): print("new window: ", window) ''; -in { +in +{ services = { gnome-keyring.enable = true; blueman-applet.enable = true; diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix index 8cfe85a..8924a3a 100644 --- a/nix/home-manager/profiles/sway-desktop.nix +++ b/nix/home-manager/profiles/sway-desktop.nix 
@@ -1,35 +1,35 @@ /* -TODO: create helper scripts for sharing of a screen portion -``` + TODO: create helper scripts for sharing of a screen portion + ``` -# this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged. -swaymsg create_output + # this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged. + swaymsg create_output -# find the name and the workspace number -swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' + # find the name and the workspace number + swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' -swaymsg output HEADLESS-1 mode 1920@108060Hz + swaymsg output HEADLESS-1 mode 1920@108060Hz -# mirror the headless workspace on the current one -nix run nixpkgs\#wl-mirror -- HEADLESS-1 + # mirror the headless workspace on the current one + nix run nixpkgs\#wl-mirror -- HEADLESS-1 -# shift windows to the workspace and switch the focus to it + # shift windows to the workspace and switch the focus to it */ { pkgs, config, lib, # packages', - repoFlakeInputs', ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +}: +let lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; -in { +in +{ imports = [ ../profiles/wayland-desktop.nix ../programs/waybar.nix 
@@ -98,112 +98,121 @@ in { systemd.enable = true; xwayland = false; - config = let - modifier = "Mod4"; - inherit (config.wayland.windowManager.sway.config) left right up down; - in { - inherit modifier; - bars = []; + config = + let + modifier = "Mod4"; + inherit (config.wayland.windowManager.sway.config) + left + right + up + down + ; + in + { + inherit modifier; + bars = [ ]; - input = { - "type:keyboard" = - { - xkb_layout = config.home.keyboard.layout; - xkb_variant = config.home.keyboard.variant; - } - // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) { - xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + input = { + "type:keyboard" = + { + xkb_layout = config.home.keyboard.layout; + xkb_variant = config.home.keyboard.variant; + } + // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { + xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + }; + + "type:touchpad" = { + natural_scroll = "enabled"; }; - "type:touchpad" = { - natural_scroll = "enabled"; + # alternatively run this command + # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" + # and then switch to a different VT (alt+ctrl+f2) and back + "1386:914:Wacom_Intuos_Pro_S_Pen" = { + tool_mode = "* relative"; + }; }; - # alternatively run this command - # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" - # and then switch to a different VT (alt+ctrl+f2) and back - "1386:914:Wacom_Intuos_Pro_S_Pen" = { - tool_mode = "* relative"; + keybindings = lib.mkOptionDefault { + # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi + # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; + "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; + + # only 1-9 exist on the default config + "${modifier}+0" = "workspace number 0"; + "${modifier}+Shift+0" = "move container to workspace number 0"; + + # disable 
splitting for now as i sometimes trigger it accidentally and then get stuck with it + "${modifier}+b" = "nop"; + "${modifier}+v" = "nop"; + + # move workspace to output + "${modifier}+Control+Shift+${left}" = "move workspace to output left"; + "${modifier}+Control+Shift+${right}" = "move workspace to output right"; + "${modifier}+Control+Shift+${up}" = "move workspace to output up"; + "${modifier}+Control+Shift+${down}" = "move workspace to output down"; + # move workspace to output with arrow keys + "${modifier}+Control+Shift+Left" = "move workspace to output left"; + "${modifier}+Control+Shift+Right" = "move workspace to output right"; + "${modifier}+Control+Shift+Up" = "move workspace to output up"; + "${modifier}+Control+Shift+Down" = "move workspace to output down"; + + # TODO: i've been hitting this one accidentally way too often. find a better place. + # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; + "${modifier}+q" = "kill"; + "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; + + "${modifier}+x" = "exec ${swapOutputWorkspaces}"; + + "${modifier}+Ctrl+l" = "exec ${lockCmd}"; + + "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; + "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; + "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; + + "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; + "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; + "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; + + "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; }; + + terminal = "alacritty"; + startup = + [ + { + command = builtins.toString ( + pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + 
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target + ) & + '' + ); + } + ] + ++ lib.optionals config.services.swayidle.enable [ + { + command = builtins.toString ( + pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart swayidle + ) & + '' + ); + } + ]; + + colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; }; + + window.titlebar = false; + window.border = 4; + + # this maps to focus_on_window_activation + focus.newWindow = "urgent"; }; - - keybindings = lib.mkOptionDefault { - # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi - # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; - "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; - - # only 1-9 exist on the default config - "${modifier}+0" = "workspace number 0"; - "${modifier}+Shift+0" = "move container to workspace number 0"; - - # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it - "${modifier}+b" = "nop"; - "${modifier}+v" = "nop"; - - # move workspace to output - "${modifier}+Control+Shift+${left}" = "move workspace to output left"; - "${modifier}+Control+Shift+${right}" = "move workspace to output right"; - "${modifier}+Control+Shift+${up}" = "move workspace to output up"; - "${modifier}+Control+Shift+${down}" = "move workspace to output down"; - # move workspace to output with arrow keys - "${modifier}+Control+Shift+Left" = "move workspace to output left"; - "${modifier}+Control+Shift+Right" = "move workspace to output right"; - "${modifier}+Control+Shift+Up" = "move workspace to output up"; - "${modifier}+Control+Shift+Down" = "move workspace to output down"; - - # TODO: i've been hitting this one accidentally way too often. find a better place. 
- # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; - "${modifier}+q" = "kill"; - "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; - - "${modifier}+x" = "exec ${swapOutputWorkspaces}"; - - "${modifier}+Ctrl+l" = "exec ${lockCmd}"; - - "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; - "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; - "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; - - "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; - "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; - "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; - - "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; - }; - - terminal = "alacritty"; - startup = - [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target - ) & - ''); - } - ] - ++ lib.optionals config.services.swayidle.enable [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart swayidle - ) & - ''); - } - ]; - - colors.focused = lib.mkOptionDefault { - childBorder = lib.mkForce "#ffa500"; - }; - - window.titlebar = false; - window.border = 4; - - # this maps to focus_on_window_activation - focus.newWindow = "urgent"; - }; }; services.swayidle = { diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix index 73fc23a..4f8fc22 100644 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ b/nix/home-manager/profiles/wayland-desktop.nix 
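Review bot: Both `startup` entries call `pkgs.writeShellScript "ensure-graphical-session"`, but the second one restarts `swayidle`, not `graphical-session.target`, so the store path name misleads anyone reading a journal entry or `ps`; name it after what it does, e.g. `pkgs.writeShellScript "ensure-swayidle" ''`. The `${modifier}+Shift+q` binding would also benefit from a one-line comment such as `# SIGKILL the focused window's process (no chance to save state)`, since `kill -9` via `xargs` is a much stronger action than the plain `kill` on the line above. The enclosing `wayland.windowManager.sway` attrset starts before this hunk and continues after it.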
@@ -1,16 +1,14 @@ { pkgs, - config, lib, repoFlake, - nodeFlake, ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +}: +let nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; - wayprompt = nixpkgs-wayland'.wayprompt; -in { +in +{ fonts.fontconfig.enable = true; # services.gpg-agent.pinentryFlavor = lib.mkForce null; @@ -26,11 +24,12 @@ in { systemd.user.targets.tray = { Unit = { Description = "Home Manager System Tray"; - Requires = ["graphical-session-pre.target"]; + Requires = [ "graphical-session-pre.target" ]; }; }; - home.packages = with pkgs; + home.packages = + with pkgs; [ # required by network-manager-applet networkmanagerapplet @@ -62,11 +61,9 @@ in { waypipe ] - ++ ( - lib.lists.optionals (!pkgs.stdenv.isAarch64) + ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) # TODO: broken on aarch64 - [ - ] + [ ] ); home.sessionVariables = { diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index 712eb42..8d12110 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix @@ -3,14 +3,15 @@ lib, pkgs, ... -}: let +}: +let extensions = [ #undetectable adblocker - {id = "gcfcpohokifjldeandkfjoboemihipmb";} + { id = "gcfcpohokifjldeandkfjoboemihipmb"; } # ublock origin - {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} + { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # # YT ad block # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} 
@@ -19,15 +20,15 @@ # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} # Cookie Notice Blocker - {id = "odhmfmnoejhihkmfebnolljiibpnednn";} + { id = "odhmfmnoejhihkmfebnolljiibpnednn"; } # i don't care about cookies - {id = "fihnjjcciajhdojfnbdddfaoknhalnja";} + { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } # NopeCHA - {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";} + { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } # h264ify - {id = "aleakchihdccplidncghkekgioiakgal";} + { id = "aleakchihdccplidncghkekgioiakgal"; } # clippy # {id = "honbeilkanbghjimjoniipnnehlmhggk"} @@ -38,31 +39,32 @@ } # cookie autodelete - {id = "fhcgjolkccmbidfldomjliifgaodjagh";} + { id = "fhcgjolkccmbidfldomjliifgaodjagh"; } # unhook - {id = "khncfooichmfjbepaaaebmommgaepoid";} + { id = "khncfooichmfjbepaaaebmommgaepoid"; } ] ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ # polkadotjs - {id = "mopnmbcafieddcagagdcbnhejhlodfdd";} + { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; } # rabby wallet - {id = "acmacodkjbdgmoleebolmdjonilkdbch";} + { id = "acmacodkjbdgmoleebolmdjonilkdbch"; } # phantom wallet - {id = "bfnaelmomeimhlpmgjnjophhpkkoljpa";} + { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; } # Vimium C - {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";} + { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } # always right - {id = "npjpaghfnndnnmjiliibnkmdfgbojokj";} + { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; } # shazam music - {id = "mmioliijnhnoblpgimnlajmefafdfilb";} + { id = "mmioliijnhnoblpgimnlajmefafdfilb"; } ]); -in { +in +{ programs.chromium = { enable = true; inherit extensions; @@ -72,9 +74,7 @@ in { programs.brave = { # TODO: enable this on aarch64-linux - enable = - true - && !pkgs.stdenv.targetPlatform.isAarch64; + enable = true && !pkgs.stdenv.targetPlatform.isAarch64; inherit extensions; }; } diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix index 86d6371..8297183 100644 --- a/nix/home-manager/programs/espanso.nix 
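Review bot: Every entry in `extensions` is identified by `id` alone, so Chromium and Brave install whatever version the store currently serves and keep auto-updating it, including after an extension changes owners; the wallet entries (`polkadotjs`, `rabby wallet`, `phantom wallet`) are where a hijacked update would hurt most. home-manager's `programs.chromium.extensions` entries also accept `version` together with `crxPath`/`updateUrl`, which allows those to be pinned to a reviewed build; failing that, a `# NOTE: unpinned; store auto-updates apply` above the list records the decision. The `name` used in `builtins.match "^steveej.*" name` is not among the arguments visible in this file's first hunk, which starts at line 3, so I cannot tell whether it is declared on the lines above; a short comment saying where it comes from would help the next reader.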
+++ b/nix/home-manager/programs/espanso.nix @@ -1,8 +1,5 @@ +{ pkgs, ... }: { - pkgs, - repoFlake, - ... -}: { services.espanso = { package = pkgs.espanso-wayland; # package = pkgs.espanso-wayland.overrideAttrs (_: { 
@@ -24,64 +21,62 @@ # backend = "Clipboard"; }; }; - matches = let - playerctl = '' - ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; - in { - default = { - matches = [ - { - trigger = ":vpos"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeScript "espanso" '' - #! ${pkgs.python3}/bin/python - import subprocess, os, math, datetime + matches = + let + playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; + in + { + default = { + matches = [ + { + trigger = ":vpos"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeScript "espanso" '' + #! ${pkgs.python3}/bin/python + import subprocess, os, math, datetime - id=str(os.getuid()) - result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) - result.check_returncode() + id=str(os.getuid()) + result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) + result.check_returncode() - position_secs = math.trunc(float(result.stdout)) - position_human = datetime.timedelta(seconds=position_secs) - print("%s - %s" % (position_human, position_secs)) - '') - ]; - }; - } - ]; - } - { - trigger = ":vtit"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeShellScript "espanso" - "${playerctl} metadata title") - ]; - }; - } - ]; - } - { - trigger = ":dunno"; - replace = "¯\\_(ツ)_/¯"; - } - { - trigger = ":shrug"; - replace = "¯\\_(ツ)_/¯"; - } - ]; + position_secs = math.trunc(float(result.stdout)) + position_human = 
datetime.timedelta(seconds=position_secs) + print("%s - %s" % (position_human, position_secs)) + '') + ]; + }; + } + ]; + } + { + trigger = ":vtit"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ]; + }; + } + ]; + } + { + trigger = ":dunno"; + replace = "¯\\_(ツ)_/¯"; + } + { + trigger = ":shrug"; + replace = "¯\\_(ツ)_/¯"; + } + ]; + }; }; - }; }; } diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix index 993cbc4..d07f3aa 100644 --- a/nix/home-manager/programs/firefox.nix +++ b/nix/home-manager/programs/firefox.nix @@ -1,5 +1,8 @@ -{pkgs, ...}: { - programs.librewolf = {enable = false;}; +{ pkgs, ... }: +{ + programs.librewolf = { + enable = false; + }; programs.firefox = { enable = true; package = pkgs.firefox-esr-128; diff --git a/nix/home-manager/programs/gpg-agent.nix b/nix/home-manager/programs/gpg-agent.nix index 069c7ca..41ab604 100644 --- a/nix/home-manager/programs/gpg-agent.nix +++ b/nix/home-manager/programs/gpg-agent.nix @@ -1,12 +1,6 @@ +{ lib, pkgs, ... }: { - lib, - pkgs, - config, - ... -}: { - home.packages = [ - pkgs.gcr - ]; + home.packages = [ pkgs.gcr ]; programs.gpg.enable = true; services.gpg-agent = { diff --git a/nix/home-manager/programs/homeshick.nix b/nix/home-manager/programs/homeshick.nix index cbd4964..4ba0dfe 100644 --- a/nix/home-manager/programs/homeshick.nix +++ b/nix/home-manager/programs/homeshick.nix 
@@ -1,32 +1,25 @@ +{ pkgs, config, ... }: { - pkgs, - config, - ... -}: let - # TODO: clean up the impurity in here -in { home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; - home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] '' - $DRY_RUN_CMD ${ - pkgs.writeScript "activation-script" '' - set -e - echo home-manager path is ${config.home.path} - echo home is $HOME + home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] '' + $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' + set -e + echo home-manager path is ${config.home.path} + echo home is $HOME - source ${pkgs.homeshick}/homeshick.sh - type homeshick + source ${pkgs.homeshick}/homeshick.sh + type homeshick - # echo Updating homeshick - # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick - # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick - '' - }; + # echo Updating homeshick + # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick + # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick + ''}; ''; nixpkgs.config = { - packageOverrides = pkgs: - with pkgs; { + packageOverrides = + pkgs: with pkgs; { homeshick = builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; diff --git a/nix/home-manager/programs/libreoffice.nix b/nix/home-manager/programs/libreoffice.nix index 17d0a24..1e846d4 100644 --- a/nix/home-manager/programs/libreoffice.nix +++ b/nix/home-manager/programs/libreoffice.nix @@ -1,3 +1,4 @@ -{pkgs, ...}: { - home.packages = [pkgs.libreoffice]; +{ pkgs, ... }: +{ + home.packages = [ pkgs.libreoffice ]; } diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix index be7e02b..fcc299f 100644 --- a/nix/home-manager/programs/neovim.nix +++ b/nix/home-manager/programs/neovim.nix 
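Review bot: `homeshick = builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; ...` carries no `rev` on the visible lines, so evaluation pulls the current tip of upstream master and the activation script then executes `source ${pkgs.homeshick}/homeshick.sh` as the user — the code run at activation is whatever GitHub served at evaluation time, with no hash or review step. Pin it with `rev = "<commit-sha placeholder>";` next to `ref`, or move it to a flake input so the lock file records the revision. The hunk also drops the `# TODO: clean up the impurity in here` comment without fixing the impurity it described; keep the TODO until the pin is in place. The `fetchGit` attrset continues past the hunk, so a `rev` on a later line would change this assessment.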
@@ -1,12 +1,6 @@ +{ repoFlake, pkgs, ... }: { - repoFlake, - pkgs, - lib, - ... -}: { - imports = [ - repoFlake.inputs.nixvim.homeManagerModules.nixvim - ]; + imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; programs.nixvim = { enable = true; @@ -14,7 +8,7 @@ vimdiffAlias = true; vimAlias = true; - extraPython3Packages = ps: with ps; []; + extraPython3Packages = ps: with ps; [ ]; # extraConfigVim = builtins.readFile ./neovim/vimrc; diff --git a/nix/home-manager/programs/obs-studio.nix b/nix/home-manager/programs/obs-studio.nix index b053e24..d99747d 100644 --- a/nix/home-manager/programs/obs-studio.nix +++ b/nix/home-manager/programs/obs-studio.nix @@ -1,21 +1,25 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: { programs.obs-studio = { enable = true; plugins = - builtins.map (plugin: (plugin.overrideAttrs (attrs: { - meta = lib.mkMerge [ - {inherit (attrs) meta;} - {meta.platforms = [pkgs.stdenv.system];} - ]; - }))) - (with pkgs.obs-studio-plugins; [ - # wlrobs - obs-backgroundremoval - obs-pipewire-audio-capture - ]); + builtins.map + ( + plugin: + (plugin.overrideAttrs (attrs: { + meta = lib.mkMerge [ + { inherit (attrs) meta; } + { meta.platforms = [ pkgs.stdenv.system ]; } + ]; + })) + ) + ( + with pkgs.obs-studio-plugins; + [ + # wlrobs + obs-backgroundremoval + obs-pipewire-audio-capture + ] + ); }; } diff --git a/nix/home-manager/programs/openvscode-server.nix b/nix/home-manager/programs/openvscode-server.nix index 6e74406..165ff4e 100644 --- a/nix/home-manager/programs/openvscode-server.nix +++ b/nix/home-manager/programs/openvscode-server.nix 
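Review bot: In obs-studio.nix, `meta = lib.mkMerge [ ... ]` inside `overrideAttrs` applies a module-system construct to a plain derivation attribute; as far as I can tell `lib.mkMerge` returns a `{ _type = "merge"; ... }` marker that nothing here resolves, so `meta` would not end up with the intended `platforms` list, and `{ inherit (attrs) meta; }` nests `meta` one level too deep even if it did. The idiomatic form is `meta = attrs.meta // { platforms = [ pkgs.stdenv.system ]; };`. The commit only re-wraps these lines, so this is pre-existing and worth a follow-up check that the override actually yields `meta.platforms`.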
@@ -1,12 +1,8 @@ +{ pkgs, repoFlake, ... }: +let + pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; +in { - pkgs, - nodeFlake, - repoFlake, - ... -}: let - pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;}; - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;}; -in { home.packages = [ pkgs.nil pkgs.nixd @@ -20,20 +16,22 @@ in { # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/ /* - e.g.: - ``` - ( - set -e - export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') - ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" - ) - ``` + e.g.: + ``` + ( + set -e + export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') + ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" + ) + ``` */ (pkgsVscodium.openvscode-server.overrideAttrs (attrs: { src = repoFlake.inputs.openvscode-server; version = "1.94.2"; - yarnCache = attrs.yarnCache.overrideAttrs (_: {outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";}); + yarnCache = attrs.yarnCache.overrideAttrs (_: { + outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt="; + }); })) pkgs.waypipe diff --git a/nix/home-manager/programs/pass.nix b/nix/home-manager/programs/pass.nix index 2d533c9..056d08d 100644 --- a/nix/home-manager/programs/pass.nix +++ b/nix/home-manager/programs/pass.nix 
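Review bot: `yarnCache = attrs.yarnCache.overrideAttrs (_: { outputHash = "sha256-..."; })` pins a fixed-output derivation whose input is `src = repoFlake.inputs.openvscode-server`; because Nix reuses an existing store path whenever the fixed output hash matches, bumping that flake input without updating this hash does not fail, it silently builds against the old yarn cache. Make the coupling visible with `# keep in sync with the openvscode-server flake input; a stale hash silently reuses the old yarn cache` above the `outputHash` line. `version = "1.94.2"` is likewise set by hand while `src` follows the input, so the same comment applies to it. The override sits inside a `home.packages` list that starts before this hunk.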
@@ -1,8 +1,5 @@ +{ repoFlake, pkgs, ... }: { - repoFlake, - pkgs, - ... -}: { # required by pass-otp # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix index 207b9e6..be31268 100644 --- a/nix/home-manager/programs/radicale.nix +++ b/nix/home-manager/programs/radicale.nix @@ -4,7 +4,8 @@ pkgs, osConfig, ... -}: let +}: +let libdecsync = pkgs.python3Packages.buildPythonPackage rec { pname = "libdecsync"; version = "2.2.1"; 
@@ -38,50 +39,51 @@ # pkgs.libxcrypt ]; - propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; + propagatedBuildInputs = [ + libdecsync + pkgs.python3Packages.setuptools + ]; }; radicale-decsync = pkgs.radicale.overrideAttrs (old: { - propagatedBuildInputs = - old.propagatedBuildInputs - ++ [radicale-storage-decsync]; + propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; }); - mkRadicaleService = { - suffix, - port, - }: let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} + mkRadicaleService = + { suffix, port }: + let + radicale-config = pkgs.writeText "radicale-config-${suffix}" '' + [server] + hosts = localhost:${builtins.toString port} - [auth] - type = htpasswd - htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt + [auth] + type = htpasswd + htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} + htpasswd_encryption = bcrypt - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} - ''; - in { - systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} + ''; + in + { + systemd.user.services."radicale-${suffix}" = { + Unit.Description = "Radicale with DecSync (${suffix})"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart = "on-failure"; + }; + Install.WantedBy = [ "default.target" ]; }; - Install.WantedBy = ["default.target"]; }; - }; in - builtins.foldl' (sum: cur: 
lib.recursiveUpdate sum (mkRadicaleService cur)) {} [ - { - suffix = "personal"; - port = 5232; - } - { - suffix = "family"; - port = 5233; - } - ] +builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 5233; + } +] diff --git a/nix/home-manager/programs/redshift.nix b/nix/home-manager/programs/redshift.nix index 6fb73d0..9e45594 100644 --- a/nix/home-manager/programs/redshift.nix +++ b/nix/home-manager/programs/redshift.nix @@ -1,10 +1,8 @@ -{ - pkgs, - config, - ... -}: let +_: +let passwords = import ../../variables/passwords.crypt.nix; -in { +in +{ services.gammastep = { enable = true; provider = "manual"; diff --git a/nix/home-manager/programs/salut.nix b/nix/home-manager/programs/salut.nix index 6a2894d..415e3be 100644 --- a/nix/home-manager/programs/salut.nix +++ b/nix/home-manager/programs/salut.nix @@ -1,18 +1,11 @@ -{ - pkgs, - config, - lib, - packages', - ... -}: +{ pkgs, packages', ... }: # useful testing command: # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done let - inherit (import ../lib.nix {}) mkSimpleTrayService; -in { - home.packages = [ - packages'.salut - ]; + inherit (import ../lib.nix { }) mkSimpleTrayService; +in +{ + home.packages = [ packages'.salut ]; xdg.configFile."salut/config.ini" = { enable = true; @@ -34,7 +27,5 @@ in { onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; }; - systemd.user.services.salut = mkSimpleTrayService { - execStart = "${packages'.salut}/bin/salut"; - }; + systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; } diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index 1318aaf..d6f3f8f 100644 --- a/nix/home-manager/programs/vscode/default.nix +++ b/nix/home-manager/programs/vscode/default.nix 
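Review bot: `htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path}` points a user-level `systemd.user.services."radicale-${suffix}"` unit at a system sops secret, which that user can only read if the secret's owner or mode was set for them; nothing in this hunk shows that, so a mismatch surfaces as an authentication failure at service start rather than at evaluation. A comment on that line, e.g. `# system-level sops secret; its owner/mode must allow this user to read it`, records the cross-module dependency. Binding `hosts = localhost:${builtins.toString port}` keeps both instances off the network and `htpasswd_encryption = bcrypt` is the right choice, so the rest of the config reads well. `mkRadicaleService` is complete within the hunk; the `let` it lives in starts before it.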
@@ -1,24 +1,14 @@ +{ pkgs, repoFlake, ... }: +let + pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; +in { - pkgs, - nodeFlake, - repoFlake, - ... -}: let - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;}; -in { programs.vscode = { enable = true; package = pkgsVscodium.vscodium; extensions = - [ - # TODO: how can i install (this) vsix(s) directly? - # (builtins.fetchurl { - # # https://open-vsx.org/extension/jeanp413/open-remote-ssh - # url = "https://open-vsx.org/api/jeanp413/open-remote-ssh/0.0.45/file/jeanp413.open-remote-ssh-0.0.45.vsix"; - # sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2"; - # }) - ] - ++ (with pkgsVscodium.vscode-extensions; + ( + with pkgsVscodium.vscode-extensions; [ eamodio.gitlens mkhl.direnv @@ -43,11 +33,13 @@ in { # TODO: not compatible with vscodium # ms-vscode-remote.remote-ssh ] - ++ (let - extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; - in ( + ++ ( + let + extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; + in with extensions.vscode-marketplace; - with extensions.vscode-marketplace-release; [ + with extensions.vscode-marketplace-release; + [ tamasfe.even-better-toml serayuzgur.crates @@ -59,15 +51,15 @@ in { ibecker.treefmt-vscode ] - ))) + ) + ) ++ [ - (pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace - { - name = "markdown-oxide"; - publisher = "felixzeller"; - version = "1.1.0"; - sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3"; - }) + (pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace { + name = "markdown-oxide"; + publisher = "felixzeller"; + version = "1.1.0"; + sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3"; + }) ]; mutableExtensionsDir = true; }; @@ -151,4 +143,3 @@ in { # xyz.plsql-language # yzane.markdown-pdf # zxh404.vscode-proto3 - 
diff --git a/nix/home-manager/programs/vscode/nix4vscode/default.nix b/nix/home-manager/programs/vscode/nix4vscode/default.nix index 5cc0669..3c5a268 100644 --- a/nix/home-manager/programs/vscode/nix4vscode/default.nix +++ b/nix/home-manager/programs/vscode/nix4vscode/default.nix @@ -1,12 +1,17 @@ -{ - pkgs, - lib, -}: let - inherit (pkgs.stdenv) isDarwin isLinux isi686 isx86_64 isAarch32 isAarch64; - vscode-utils = pkgs.vscode-utils; +{ pkgs, lib }: +let + inherit (pkgs.stdenv) + isDarwin + isLinux + isi686 + isx86_64 + isAarch32 + isAarch64 + ; + inherit (pkgs) vscode-utils; merge = lib.attrsets.recursiveUpdate; in - merge +merge (merge (merge (merge 
@@ -18,39 +23,50 @@ in sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3"; }; } - (lib.attrsets.optionalAttrs (isLinux && (isi686 || isx86_64)) { + ( + lib.attrsets.optionalAttrs (isLinux && (isi686 || isx86_64)) { + "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { + name = "treefmt-vscode"; + publisher = "ibecker"; + version = "2.1.0"; + sha256 = "1r17wjpw8xiha5r9h3146facxghpcp416zf8551sw93cmam9ky6j"; + arch = "linux-x64"; + }; + } + ) + ) + ( + lib.attrsets.optionalAttrs (isLinux && (isAarch32 || isAarch64)) { "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { name = "treefmt-vscode"; publisher = "ibecker"; version = "2.1.0"; - sha256 = "1r17wjpw8xiha5r9h3146facxghpcp416zf8551sw93cmam9ky6j"; - arch = "linux-x64"; + sha256 = "0swvl7fkjcwp43grnrhnmy60a5m3hfwawk204byi8hhbczy131li"; + arch = "linux-arm64"; }; - })) - (lib.attrsets.optionalAttrs (isLinux && (isAarch32 || isAarch64)) { + } + ) + ) + ( + lib.attrsets.optionalAttrs (isDarwin && (isi686 || isx86_64)) { "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { name = "treefmt-vscode"; publisher = "ibecker"; version = "2.1.0"; - sha256 = "0swvl7fkjcwp43grnrhnmy60a5m3hfwawk204byi8hhbczy131li"; - arch = "linux-arm64"; + sha256 = "1swq9hy6a9nzkrn07j21g59pyk2m7aqsfi1pphl9l9y8p4zwiaqm"; + arch = "darwin-x64"; }; - })) - (lib.attrsets.optionalAttrs (isDarwin && (isi686 || isx86_64)) { + } + ) + ) + ( + lib.attrsets.optionalAttrs (isDarwin && (isAarch32 || isAarch64)) { "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { name = "treefmt-vscode"; publisher = "ibecker"; version = "2.1.0"; - sha256 = "1swq9hy6a9nzkrn07j21g59pyk2m7aqsfi1pphl9l9y8p4zwiaqm"; - arch = "darwin-x64"; + sha256 = "1xg3wnn3f1kvsz5a09l0cjpzfm3l9va73cahbvl14mx3n6734r2m"; + arch = "darwin-arm64"; }; - })) - (lib.attrsets.optionalAttrs (isDarwin && (isAarch32 || isAarch64)) { - "ibecker"."treefmt-vscode" = 
vscode-utils.extensionFromVscodeMarketplace { - name = "treefmt-vscode"; - publisher = "ibecker"; - version = "2.1.0"; - sha256 = "1xg3wnn3f1kvsz5a09l0cjpzfm3l9va73cahbvl14mx3n6734r2m"; - arch = "darwin-arm64"; - }; - }) + } + ) diff --git a/nix/home-manager/programs/waybar.css b/nix/home-manager/programs/waybar.css index 60eff50..664a47f 100644 --- a/nix/home-manager/programs/waybar.css +++ b/nix/home-manager/programs/waybar.css @@ -1,6 +1,5 @@ - #custom-cputemp { - padding: 0 10px; - background-color: #f0932b; - color: #ffffff; + padding: 0 10px; + background-color: #f0932b; + color: #ffffff; } diff --git a/nix/home-manager/programs/waybar.nix b/nix/home-manager/programs/waybar.nix index b6137e1..a559dfc 100644 --- a/nix/home-manager/programs/waybar.nix +++ b/nix/home-manager/programs/waybar.nix @@ -1,9 +1,5 @@ +{ pkgs, repoFlake, ... }: { - pkgs, - config, - repoFlake, - ... -}: { home.packages = [ # required by any bar that has a tray plugin pkgs.libappindicator-gtk3 @@ -12,10 +8,9 @@ programs.waybar = { enable = true; - package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; - style = - pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" - + pkgs.lib.readFile ./waybar.css; + package = + repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; + style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; systemd.enable = true; settings = { mainBar = { @@ -24,12 +19,7 @@ height = 30; output = # hide the bar on HEADDLESS displays as i use them only for screensharing - ( - builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99 - ) - ++ [ - "*" - ]; + (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ]; # output = [ # "eDP-1" # "DP-*" diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 40e603d..333d3d7 100644 --- a/nix/home-manager/programs/zsh.nix 
+++ b/nix/home-manager/programs/zsh.nix @@ -3,27 +3,29 @@ lib, pkgs, ... -}: let - just-plugin = let - plugin_file = pkgs.writeText "_just" '' - #compdef just - #autload +}: +let + just-plugin = + let + plugin_file = pkgs.writeText "_just" '' + #compdef just + #autload - alias justl="\just --list" - alias juste="\just --evaluate" + alias justl="\just --list" + alias juste="\just --evaluate" - local subcmds=() + local subcmds=() - while read -r line ; do - if [[ ! $line == Available* ]] ; - then - subcmds+=(''${line/[[:space:]]*\#/:}) - fi - done < <(just --list) + while read -r line ; do + if [[ ! $line == Available* ]] ; + then + subcmds+=(''${line/[[:space:]]*\#/:}) + fi + done < <(just --list) - _describe 'command' subcmds - ''; - in + _describe 'command' subcmds + ''; + in pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; @@ -35,7 +37,8 @@ chmod --recursive a-w $out ''; }; -in { +in +{ programs.zsh = { enable = true; 
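Review bot: The second line of the generated `_just` completion file reads `#autload`, which looks like a typo for zsh's `#autoload` tag; as far as I know compinit only inspects the first line (`#compdef just`), so the line is effectively a comment and the typo is harmless, but it suggests a behavior the file does not have. Either correct it to `#autoload` or drop the line. The `pkgs.stdenv.mkDerivation` that installs the file continues outside the hunk.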
@@ -46,56 +49,59 @@ in { # will be called again by oh-my-zsh enableCompletion = false; enableAutosuggestions = true; - initExtra = let - inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; - in '' - if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then - unset TMPDIR - fi + initExtra = + let + inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; + in + '' + if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then + unset TMPDIR + fi - if test ! -n "$TMP" -a -z "$TMP"; then - unset TMP - fi + if test ! -n "$TMP" -a -z "$TMP"; then + unset TMP + fi - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" - # Automatic rehash - zstyle ':completion:*' rehash true + # Automatic rehash + zstyle ':completion:*' rehash true - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . $HOME/.shrc.d/sh_aliases + fi - ${ - if builtins.hasAttr "homeshick" pkgs - then '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' - else "" - } + ${ + if builtins.hasAttr "homeshick" pkgs then + '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' + else + "" + } - # Disable intercepting of ctrl-s and ctrl-q as flow control. - stty stop ''' -ixoff -ixon + # Disable intercepting of ctrl-s and ctrl-q as flow control. 
+ stty stop ''' -ixoff -ixon - # don't cd into directories when executed - unsetopt AUTO_CD + # don't cd into directories when executed + unsetopt AUTO_CD - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" - ${lib.optionalString config.services.gpg-agent.enable '' - export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" - ''} + ${lib.optionalString config.services.gpg-agent.enable '' + export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" + ''} - ${lib.optionalString config.programs.neovim.enable '' - export EDITOR="nvim" - ''} - ''; + ${lib.optionalString config.programs.neovim.enable '' + export EDITOR="nvim" + ''} + ''; plugins = [ { @@ -128,7 +134,10 @@ in { oh-my-zsh = { enable = true; theme = "tjkirch"; - plugins = ["git" "sudo"]; + plugins = [ + "git" + "sudo" + ]; }; }; } diff --git a/nix/modules/flake-parts/colmena.nix b/nix/modules/flake-parts/colmena.nix index ee885cf..136a5a1 100644 --- a/nix/modules/flake-parts/colmena.nix +++ b/nix/modules/flake-parts/colmena.nix @@ -1,7 +1,8 @@ -{lib, ...}: { +{ lib, ... }: +{ options.flake.colmena = lib.mkOption { # type = lib.types.attrsOf lib.types.unspecified; type = lib.types.raw; - default = {}; + default = { }; }; } diff --git a/nix/modules/flake-parts/perSystem/default.nix b/nix/modules/flake-parts/perSystem/default.nix index a752173..da1e42a 100644 --- a/nix/modules/flake-parts/perSystem/default.nix +++ b/nix/modules/flake-parts/perSystem/default.nix 
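Review bot: `if test ! -n "$TMPDIR" -a -z "$TMPDIR"` (and the same form for `$TMP`) is a roundabout emptiness test, since `! -n X -a -z X` reduces to `-z X`; `if [ -z "$TMPDIR" ]; then unset TMPDIR; fi` expresses the same thing. `$HOME` is also unquoted in the `.shrc.d/sh_aliases` test and source; `if [ -f "$HOME/.shrc.d/sh_aliases" ]; then . "$HOME/.shrc.d/sh_aliases"; fi` avoids word splitting should the home path ever contain spaces. The enclosing `programs.zsh` block starts before this hunk, and these lines are reindented by the commit rather than changed.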
@@ -1,38 +1,37 @@ +{ pkgs, ... }: { - inputs', - system, - config, - lib, - pkgs, - ... -}: { packages = { - myPython = pkgs.python310.withPackages (ps: + myPython = pkgs.python310.withPackages ( + ps: with ps; - [ - pep8 - yapf - flake8 - # autopep8 (broken) - # pylint (broken) - ipython - llfuse - dugong - defusedxml - wheel - pip - virtualenv - cffi - # pyopenssl - urllib3 - # mistune (insecure) - sympy + [ + pep8 + yapf + flake8 + # autopep8 (broken) + # pylint (broken) + ipython + llfuse + dugong + defusedxml + wheel + pip + virtualenv + cffi + # pyopenssl + urllib3 + # mistune (insecure) + sympy - flask + flask - pyaml - requests - ] - ++ [pkgs.pypi2nix pkgs.libffi]); + pyaml + requests + ] + ++ [ + pkgs.pypi2nix + pkgs.libffi + ] + ); }; } diff --git a/nix/os/cachix.nix b/nix/os/cachix.nix index d888840..0d14a2f 100644 --- a/nix/os/cachix.nix +++ b/nix/os/cachix.nix @@ -1,14 +1,12 @@ # WARN: this file will get overwritten by $ cachix use -{ - pkgs, - lib, - ... -}: let +{ lib, ... }: +let folder = ./cachix; - toImport = name: value: folder + ("/" + name); + toImport = name: _value: folder + ("/" + name); filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); -in { +in +{ inherit imports; - nix.settings.substituters = ["https://cache.nixos.org/"]; + nix.settings.substituters = [ "https://cache.nixos.org/" ]; } diff --git a/nix/os/cachix/nixpkgs-wayland.nix b/nix/os/cachix/nixpkgs-wayland.nix index 499e6e0..1c0cca7 100644 --- a/nix/os/cachix/nixpkgs-wayland.nix +++ b/nix/os/cachix/nixpkgs-wayland.nix @@ -1,8 +1,6 @@ { nix = { - settings.substituters = [ - "https://nixpkgs-wayland.cachix.org" - ]; + settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ]; settings.trusted-public-keys = [ "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" ]; 
diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix
index 864aa20..2c2c171 100644
--- a/nix/os/containers/backup.nix
+++ b/nix/os/containers/backup.nix
@@ -5,88 +5,107 @@ subvolumes, targetPathSuffix ? "", autoStart ? false, -}: let +}: +let passwords = import ../../variables/passwords.crypt.nix; subvolumeParentDir = "/var/lib/container-volumes"; -in { - config = {pkgs, ...}: { - system.stateVersion = "20.03"; # Did you read the comment? +in +{ + config = + { pkgs, ... }: + { + system.stateVersion = "20.03"; # Did you read the comment? - imports = [../profiles/containers/configuration.nix]; + imports = [ ../profiles/containers/configuration.nix ]; - environment.systemPackages = with pkgs; [btrfs-progs btrbk]; + environment.systemPackages = with pkgs; [ + btrfs-progs + btrbk + ]; - networking.firewall.enable = true; + networking.firewall.enable = true; - systemd.services."bkp-sync" = { - enable = true; - description = "bkp-sync service"; + systemd.services."bkp-sync" = { + enable = true; + description = "bkp-sync service"; - serviceConfig = {Type = "oneshot";}; + serviceConfig = { + Type = "oneshot"; + }; - after = ["bkp-run.service"]; + after = [ "bkp-run.service" ]; - requires = ["bkp-run.service"]; + requires = [ "bkp-run.service" ]; - path = with pkgs; [utillinux]; - script = '' - set -x - true - ''; - }; - - systemd.services."bkp-run" = { - enable = true; - description = "bkp-run"; - - serviceConfig = {Type = "oneshot";}; - - partOf = ["bkp-sync.service"]; - - path = with pkgs; [btrfs-progs btrbk coreutils]; - - script = let - btrbkConf = pkgs.writeText "cfg" '' - timestamp_format long - ssh_identity ${passwords.storage.backupTarget.keyPath} - ssh_user ${passwords.storage.backupTarget.user} - ssh_compression no - backend_remote btrfs-progs-sudo - compat_remote busybox - btrfs_commit_delete each - snapshot_create onchange - snapshot_preserve_min latest - snapshot_preserve 7d 4w - target_preserve_min latest - target_preserve 7d 4w 12m *y - - volume ${subvolumeParentDir} - target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} - ${builtins.foldl' (sum: elem: sum + " subvolume " + 
elem + "\n") "" - subvolumes} + path = with pkgs; [ utillinux ]; + script = '' + set -x + true ''; - in '' - #! ${pkgs.bash}/bin/bash - set -Eeuxo pipefail + }; - btrbk -c ${btrbkConf} --progress ''${@:-run} - ''; - }; + systemd.services."bkp-run" = { + enable = true; + description = "bkp-run"; - systemd.timers."bkp" = { - description = "Timer to trigger bkp periodically"; - enable = true; - wantedBy = ["timer.target" "multi-user.target"]; - timerConfig = { - # Obtained using `systemd-analyze calendar "Wed 23:00"` - # OnCalendar = "Wed *-*-* 23:00:00"; - OnStartupSec = "1m"; - Unit = "bkp-sync.service"; - OnUnitInactiveSec = "2h"; - Persistent = "true"; + serviceConfig = { + Type = "oneshot"; + }; + + partOf = [ "bkp-sync.service" ]; + + path = with pkgs; [ + btrfs-progs + btrbk + coreutils + ]; + + script = + let + btrbkConf = pkgs.writeText "cfg" '' + timestamp_format long + ssh_identity ${passwords.storage.backupTarget.keyPath} + ssh_user ${passwords.storage.backupTarget.user} + ssh_compression no + backend_remote btrfs-progs-sudo + compat_remote busybox + btrfs_commit_delete each + snapshot_create onchange + snapshot_preserve_min latest + snapshot_preserve 7d 4w + target_preserve_min latest + target_preserve 7d 4w 12m *y + + volume ${subvolumeParentDir} + target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} + ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} + ''; + in + '' + #! ${pkgs.bash}/bin/bash + set -Eeuxo pipefail + + btrbk -c ${btrbkConf} --progress ''${@:-run} + ''; + }; + + systemd.timers."bkp" = { + description = "Timer to trigger bkp periodically"; + enable = true; + wantedBy = [ + "timer.target" + "multi-user.target" + ]; + timerConfig = { + # Obtained using `systemd-analyze calendar "Wed 23:00"` + # OnCalendar = "Wed *-*-* 23:00:00"; + OnStartupSec = "1m"; + Unit = "bkp-sync.service"; + OnUnitInactiveSec = "2h"; + Persistent = "true"; + }; }; }; - }; inherit autoStart; 
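Review bot: `wantedBy = [ "timer.target" "multi-user.target" ]` on the `bkp` timer names a unit that does not exist; systemd's special target is `timers.target`, so the timer is currently only pulled in through `multi-user.target` and the first entry is a dangling wants-symlink. `"timers.target"` is the intended value. Separately, `btrbkConf` interpolates `passwords.storage.backupTarget.{keyPath,user,target}` from `passwords.crypt.nix` into `pkgs.writeText "cfg"`, which lands in the world-readable Nix store; that is acceptable as long as these are a key path, a user name and an ssh target rather than key material, which cannot be verified from here, and a comment such as `# only references, never secrets: this file lives in /nix/store` above `btrbkConf` would make the constraint explicit. These lines are reindented by the commit, not changed.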
@@ -114,10 +133,10 @@ in { } ]; - extraFlags = ["--resolv-conf=bind-host"]; + extraFlags = [ "--resolv-conf=bind-host" ]; privateNetwork = true; - forwardPorts = []; + forwardPorts = [ ]; inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index c821bf4..0be078c 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix 
@@ -6,198 +6,206 @@ imapsPort ? 993, sievePort ? 4190, autoStart ? false, -}: { +}: +{ inherit specialArgs; - config = { - pkgs, - config, - lib, - repoFlake, - ... - }: { - system.stateVersion = "22.05"; # Did you read the comment? + config = + { + pkgs, + config, + repoFlake, + ... + }: + { + system.stateVersion = "22.05"; # Did you read the comment? - imports = [ - ../profiles/containers/configuration.nix + imports = [ + ../profiles/containers/configuration.nix - repoFlake.inputs.sops-nix.nixosModules.sops - ../profiles/common/user.nix - ]; + repoFlake.inputs.sops-nix.nixosModules.sops + ../profiles/common/user.nix + ]; - networking.firewall.allowedTCPPorts = [ - imapsPort - sievePort - ]; + networking.firewall.allowedTCPPorts = [ + imapsPort + sievePort + ]; - # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately - # sops.defaultSopsFile = ./mailserver_secrets.yaml; + # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately + # sops.defaultSopsFile = ./mailserver_secrets.yaml; - sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; - sops.secrets.email_mailStefanjunkerDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_mailStefanjunkerDeHetzner = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_schtifATwebDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_dovecot_steveej = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.email_mailStefanjunkerDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_mailStefanjunkerDeHetzner = { + sopsFile = ./mailserver_secrets.yaml; + owner = 
config.users.users.steveej.name; + }; + sops.secrets.email_schtifATwebDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_dovecot_steveej = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; - # TODO: switch to something other than ddclient as it's no longer maintained + # TODO: switch to something other than ddclient as it's no longer maintained - # TODO: switch to a let's encrypt certificate - sops.secrets.dovecotSslServerCert = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - sops.secrets.dovecotSslServerKey = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - services.dovecot2 = { - enable = true; + # TODO: switch to a let's encrypt certificate + sops.secrets.dovecotSslServerCert = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + sops.secrets.dovecotSslServerKey = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + services.dovecot2 = { + enable = true; - modules = [pkgs.dovecot_pigeonhole]; - protocols = ["sieve"]; + modules = [ pkgs.dovecot_pigeonhole ]; + protocols = [ "sieve" ]; - enableImap = true; - enableLmtp = true; - enablePAM = true; - showPAMFailure = true; - mailLocation = "maildir:~/.maildir"; - sslServerCert = config.sops.secrets.dovecotSslServerCert.path; - sslServerKey = config.sops.secrets.dovecotSslServerKey.path; + enableImap = true; + enableLmtp = true; + enablePAM = true; + showPAMFailure = true; + mailLocation = "maildir:~/.maildir"; + sslServerCert = config.sops.secrets.dovecotSslServerCert.path; + sslServerKey = config.sops.secrets.dovecotSslServerKey.path; - #configFile = "/etc/dovecot/dovecot2_manual.conf"; - extraConfig = '' - auth_mechanisms = cram-md5 digest-md5 - auth_verbose = yes + #configFile = "/etc/dovecot/dovecot2_manual.conf"; + extraConfig = '' + 
auth_mechanisms = cram-md5 digest-md5 + auth_verbose = yes - passdb { - driver = passwd-file - args = scheme=CRYPT username_format=%u /etc/dovecot/users - } + passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users + } - protocol lda { - postmaster_address = "mail@stefanjunker.de" - mail_plugins = $mail_plugins sieve - } + protocol lda { + postmaster_address = "mail@stefanjunker.de" + mail_plugins = $mail_plugins sieve + } - protocol imap { - mail_max_userip_connections = 64 - } - ''; - }; - - environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; - - systemd.services.steveej-getmail-stefanjunker = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 600; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [pkgs.getmail6]; - script = let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = ssl0.ovh.net - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + protocol imap { + mail_max_userip_connections = 64 + } ''; - in '' - getmail --idle=INBOX --rcfile=${rc} - ''; + }; + + environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; + + systemd.services.steveej-getmail-stefanjunker = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 600; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + script = + let + rc = pkgs.writeText 
"mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = ssl0.ovh.net + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in + '' + getmail --idle=INBOX --rcfile=${rc} + ''; + }; + + systemd.services.steveej-getmail-stefanjunker-hetzner = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 60; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + script = + let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 2 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = mail.your-server.de + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in + '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + + systemd.services.steveej-getmail-webde = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + serviceConfig.RestartSec = 1000; + serviceConfig.Restart = "always"; + script = + let + rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = imap.web.de + port = 993 + username = schtif + password_command = ("${pkgs.coreutils}/bin/cat", 
"${config.sops.secrets.email_schtifATwebDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = Maildir + path = ~/.maildir/ + ''; + in + '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; }; - systemd.services.steveej-getmail-stefanjunker-hetzner = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 60; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [pkgs.getmail6]; - script = let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 2 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = mail.your-server.de - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - - systemd.services.steveej-getmail-webde = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - description = "Getmail service"; - path = [pkgs.getmail6]; - serviceConfig.RestartSec = 1000; - serviceConfig.Restart = "always"; - script = let - rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = imap.web.de - port = 993 - username = schtif - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = Maildir - path = ~/.maildir/ - ''; - in '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - }; - inherit autoStart; bindMounts = { 
diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml
index ffb595a..f519b36 100644
--- a/nix/os/containers/mailserver_secrets.yaml
+++ b/nix/os/containers/mailserver_secrets.yaml
@@ -7,37 +7,37 @@ dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2r dovecotSslServerKey: ENC[AES256_GCM,data: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,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn - R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 - dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj - bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl - T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-17T12:01:21Z" - mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] - pgp: - - created_at: "2023-07-02T20:30:30Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn + R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 + dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj + bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl + T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2023-07-17T12:01:21Z" + mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] + pgp: + - created_at: "2023-07-02T20:30:30Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds - 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf - SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb - 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc - Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc - RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx - 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 - uGcEfsNiUXPngkNrh/Nvhh9w - =yHDZ - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds + 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf + SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb + 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc + Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc + RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx + 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 + uGcEfsNiUXPngkNrh/Nvhh9w + =yHDZ + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nix/os/containers/mycelium/flake.nix b/nix/os/containers/mycelium/flake.nix index fa8340a..1527acf 100644 --- a/nix/os/containers/mycelium/flake.nix +++ b/nix/os/containers/mycelium/flake.nix 
@@ -11,350 +11,361 @@ inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = { - self, - nixpkgs, - nixos-generators, - ... - }: let - systems = [ - "aarch64-linux" - "x86_64-linux" - ]; - forAllSystems = nixpkgs.lib.genAttrs systems; - in { - nixosConfigurations.default = - nixpkgs.lib.nixosSystem - { + outputs = + { self, nixpkgs, ... }: + let + systems = [ + "aarch64-linux" + "x86_64-linux" + ]; + forAllSystems = nixpkgs.lib.genAttrs systems; + in + { + nixosConfigurations.default = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; - specialArgs = {}; + specialArgs = { }; modules = [ - ({ - config, - modulesPath, - pkgs, - lib, - ... - }: { - nixpkgs.overlays = [ - (final: previous: { - # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; - # systemd = - # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { - # src = /home/steveej/src/others/systemd; + ( + { + config, + modulesPath, + pkgs, + lib, + ... 
+ }: + { + nixpkgs.overlays = [ + (_final: _previous: { + # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; + # systemd = + # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { + # src = /home/steveej/src/others/systemd; - # withAppArmor = false; - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # withArchive = false; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # }) - # pkgs.systemdMinimal.override { - # # getting errors with these disabled - # withCoredump = true; - # withCompression = true; - # withLogind = true; - # withSysusers = true; - # withUserDb = true; - # } - # pkgs.systemdMinimal - # pkgs.systemd.override { - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # } - # ; - }) - ]; + # withAppArmor = false; + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; 
+ # withMachined = false; + # withLogTrace = true; + # withArchive = false; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # }) + # pkgs.systemdMinimal.override { + # # getting errors with these disabled + # withCoredump = true; + # withCompression = true; + # withLogind = true; + # withSysusers = true; + # withUserDb = true; + # } + # pkgs.systemdMinimal + # pkgs.systemd.override { + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; + # withMachined = false; + # withLogTrace = true; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # } + # ; + }) + ]; - imports = [ - (modulesPath + "/profiles/minimal.nix") - ]; - system.stateVersion = "24.11"; + imports = [ (modulesPath + "/profiles/minimal.nix") ]; + system.stateVersion = "24.11"; - # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix - boot.isContainer = true; - # boot.tmp.useTmpfs = true; - boot.loader.grub.enable = lib.mkForce false; - boot.loader.systemd-boot.enable = lib.mkForce false; - services.journald.console = "/dev/console"; - services.journald.storage = "none"; - # boot.specialFileSystems = lib.mkForce {}; + # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix + boot.isContainer = true; + # boot.tmp.useTmpfs = true; + boot.loader.grub.enable = lib.mkForce false; + boot.loader.systemd-boot.enable = lib.mkForce false; + services.journald.console = "/dev/console"; + services.journald.storage = "none"; + # boot.specialFileSystems = lib.mkForce {}; - services.nscd.enable = 
false; - system.nssModules = lib.mkForce []; - systemd.services.systemd-logind.enable = false; - systemd.services.console-getty.enable = false; + services.nscd.enable = false; + system.nssModules = lib.mkForce [ ]; + systemd.services.systemd-logind.enable = false; + systemd.services.console-getty.enable = false; - systemd.sockets.nix-daemon.enable = false; - systemd.services.nix-daemon.enable = false; - systemd.oomd.enable = false; - networking.useDHCP = false; - networking.firewall.enable = false; + systemd.sockets.nix-daemon.enable = false; + systemd.services.nix-daemon.enable = false; + systemd.oomd.enable = false; + networking.useDHCP = false; + networking.firewall.enable = false; - # system.build.earlyMountScript = - # lib.mkForce '' - # ''; - # system.activationScripts.specialfs = - # lib.mkForce '' - # ''; - boot.postBootCommands = '' - ls -lha /run - mkdir -p /run/wrappers - ''; + # system.build.earlyMountScript = + # lib.mkForce '' + # ''; + # system.activationScripts.specialfs = + # lib.mkForce '' + # ''; + boot.postBootCommands = '' + ls -lha /run + mkdir -p /run/wrappers + ''; - boot.kernelParams = [ - "systemd.log_level=debug" - ]; + boot.kernelParams = [ "systemd.log_level=debug" ]; - # services.udev.enable = false; + # services.udev.enable = false; - # TODO: this is only needed because `/run/current-system` is missing - # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; + # TODO: this is only needed because `/run/current-system` is missing + # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; - systemd.mounts = lib.mkForce []; - fileSystems = lib.mkForce {}; + systemd.mounts = lib.mkForce [ ]; + fileSystems = lib.mkForce { }; - services.mycelium.enable = false; - services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; - systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; - systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; 
- systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" '' - while true; do - ls -lha $CREDENTIALS_DIRECTORY - sleep 5 - done - ''); - - systemd.services.testing-credentials = { - wantedBy = ["multi-user.target"]; - path = [pkgs.coreutils]; - - serviceConfig = { - # SyslogIdentifier = "testing-credentials"; - # StateDirectory = "testing-credentials"; - # DynamicUser = true; - # User = "tc"; - # ProtectHome = true; - # ProtectSystem = true; - # LoadCredential = [ - # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" - # "hosts:/etc/hosts" - # ]; - SetCredential = "mycelium-keyfile:not secret string"; - ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" '' - cd $STATE_DIRECTORY - pwd - env + services.mycelium.enable = false; + services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; + systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; + systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; + systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce ( + pkgs.writeShellScript "mycelium" '' while true; do ls -lha $CREDENTIALS_DIRECTORY sleep 5 done - ''); - }; - }; + '' + ); - services.caddy = { - enable = true; - globalConfig = '' - auto_https off - ''; - virtualHosts.":80" = { - extraConfig = '' - respond "hello from ${config.networking.hostName}" + systemd.services.testing-credentials = { + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.coreutils ]; + + serviceConfig = { + # SyslogIdentifier = "testing-credentials"; + # StateDirectory = "testing-credentials"; + # DynamicUser = true; + # User = "tc"; + # ProtectHome = true; + # ProtectSystem = true; + # LoadCredential = [ + # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" + # "hosts:/etc/hosts" + # ]; + SetCredential = "mycelium-keyfile:not secret string"; + ExecStart = lib.mkForce ( + pkgs.writeShellScript "mycelium" '' + cd 
$STATE_DIRECTORY + pwd + env + while true; do + ls -lha $CREDENTIALS_DIRECTORY + sleep 5 + done + '' + ); + }; + }; + + services.caddy = { + enable = true; + globalConfig = '' + auto_https off ''; + virtualHosts.":80" = { + extraConfig = '' + respond "hello from ${config.networking.hostName}" + ''; + }; }; - }; - }) - ]; - }; - packages = forAllSystems (system: let - name = "mycelium"; - inherit (self.inputs) nix-snapshotter; - - config = { - entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; - # port = 2379; - args = [ - ]; - # nodePort = 30001; - }; - - myceliumPorts = { - tcp = [9651]; - udp = [9650 9651]; - }; - - inherit - (config) - entrypoint - # port - - args - # nodePort - - ; - - pkgs = import nixpkgs { - overlays = [nix-snapshotter.overlays.default]; - }; - - image = pkgs.nix-snapshotter.buildImage { - inherit name; - resolvedByNix = true; - config = { - entrypoint = [entrypoint]; - env = [ - # this is read by the `/init` script and prevents various incompatible commands like mount, etc. - # the value of this doesn't seem to matter as long as it's not an empty string. 
- "container=nerd" - "SYSTEMD_LOG_LEVEL=debug" - ]; - volumes = { - # "/var/lib/private/mycelium/key.bin" = {}; - # "/run" = {}; - # "/tmp" = {}; - # "/etc" = {}; - }; - copyToRoot = [ - # self.nixosConfigurations.default.config.system.build.toplevel - ]; - }; - }; - in { - k8s = let - pod = pkgs.writeText "${name}-pod.json" (builtins.toJSON { - apiVersion = "v1"; - kind = "Pod"; - metadata = { - inherit name; - labels = {inherit name;}; - }; - spec.containers = [ - { - inherit name args; - image = "nix:0${image}"; - ports = [ - { - name = "mycelium-tcp-0"; - containerPort = builtins.elemAt myceliumPorts.tcp 0; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 0; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 1; - } - ]; } - ]; - }); + ) + ]; + }; + packages = forAllSystems ( + system: + let + name = "mycelium"; + inherit (self.inputs) nix-snapshotter; - service = pkgs.writeText "${name}-service.json" (builtins.toJSON { - apiVersion = "v1"; - kind = "Service"; - metadata.name = "${name}-service"; - spec = { - type = "NodePort"; - selector = {inherit name;}; - ports = [ - { - name = "mycelium-tcp-0"; - port = builtins.elemAt myceliumPorts.tcp 0 + 50000; - targetPort = "mycelium-tcp-0"; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 0 + 50000; - targetPort = "mycelium-udp-0"; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 1 + 50000; - targetPort = "mycelium-udp-1"; - } + config = { + entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; + # port = 2379; + args = [ ]; + # nodePort = 30001; + }; + + myceliumPorts = { + tcp = [ 9651 ]; + udp = [ + 9650 + 9651 ]; }; - }); - in - pkgs.runCommand "declarative-k8s" {} '' - mkdir -p $out/share/k8s - cp ${pod} $out/share/k8s/ - cp ${service} $out/share/k8s/ - ''; - inherit image; 
+ inherit (config) + entrypoint + # port - start = pkgs.writeShellApplication { - name = "start"; - text = '' - set -x - rm -rf ./result - nix build --impure .#image - sudo nix2container load ./result - sudo -E nerdctl run --name ${name} --privileged -dt \ - --cgroup-manager cgroupfs \ - --volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ - "nix:0$(readlink result):latest" - ''; - }; + args + # nodePort - stop = pkgs.writeShellApplication { - name = "stop"; - text = '' - set +e - sudo -E nerdctl stop -t 60 ${name} - sudo -E nerdctl rm --force ${name} - sudo -E nerdctl system prune --all --force - sudo systemctl stop nix-snapshotter - sudo systemctl stop containerd - mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l - sudo systemctl start containerd - sudo systemctl start nix-snapshotter - ''; + ; - # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) + pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; }; - # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap - }; - }); - }; + image = pkgs.nix-snapshotter.buildImage { + inherit name; + resolvedByNix = true; + config = { + entrypoint = [ entrypoint ]; + env = [ + # this is read by the `/init` script and prevents various incompatible commands like mount, etc. + # the value of this doesn't seem to matter as long as it's not an empty string. 
+ "container=nerd" + "SYSTEMD_LOG_LEVEL=debug" + ]; + volumes = { + # "/var/lib/private/mycelium/key.bin" = {}; + # "/run" = {}; + # "/tmp" = {}; + # "/etc" = {}; + }; + copyToRoot = [ + # self.nixosConfigurations.default.config.system.build.toplevel + ]; + }; + }; + in + { + k8s = + let + pod = pkgs.writeText "${name}-pod.json" ( + builtins.toJSON { + apiVersion = "v1"; + kind = "Pod"; + metadata = { + inherit name; + labels = { + inherit name; + }; + }; + spec.containers = [ + { + inherit name args; + image = "nix:0${image}"; + ports = [ + { + name = "mycelium-tcp-0"; + containerPort = builtins.elemAt myceliumPorts.tcp 0; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 0; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 1; + } + ]; + } + ]; + } + ); + + service = pkgs.writeText "${name}-service.json" ( + builtins.toJSON { + apiVersion = "v1"; + kind = "Service"; + metadata.name = "${name}-service"; + spec = { + type = "NodePort"; + selector = { + inherit name; + }; + ports = [ + { + name = "mycelium-tcp-0"; + port = builtins.elemAt myceliumPorts.tcp 0 + 50000; + targetPort = "mycelium-tcp-0"; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 0 + 50000; + targetPort = "mycelium-udp-0"; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 1 + 50000; + targetPort = "mycelium-udp-1"; + } + ]; + }; + } + ); + in + pkgs.runCommand "declarative-k8s" { } '' + mkdir -p $out/share/k8s + cp ${pod} $out/share/k8s/ + cp ${service} $out/share/k8s/ + ''; + + inherit image; + + start = pkgs.writeShellApplication { + name = "start"; + text = '' + set -x + rm -rf ./result + nix build --impure .#image + sudo nix2container load ./result + sudo -E nerdctl run --name ${name} --privileged -dt \ + --cgroup-manager cgroupfs \ + --volume 
"$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ + "nix:0$(readlink result):latest" + ''; + }; + + stop = pkgs.writeShellApplication { + name = "stop"; + text = '' + set +e + sudo -E nerdctl stop -t 60 ${name} + sudo -E nerdctl rm --force ${name} + sudo -E nerdctl system prune --all --force + sudo systemctl stop nix-snapshotter + sudo systemctl stop containerd + mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l + sudo systemctl start containerd + sudo systemctl start nix-snapshotter + ''; + + # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) + + # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap + }; + } + ); + }; } diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix index 8c0ba82..51b7dcf 100644 --- a/nix/os/containers/syncthing.nix +++ b/nix/os/containers/syncthing.nix @@ -6,28 +6,27 @@ syncthingPort ? 22000, syncthingLocalAnnouncePort ? 21027, autoStart ? false, -}: { +}: +{ inherit specialArgs; - config = { - config, - pkgs, - ... - }: { - system.stateVersion = "20.05"; # Did you read the comment? + config = + { ... }: + { + system.stateVersion = "20.05"; # Did you read the comment? - imports = [../profiles/containers/configuration.nix]; + imports = [ ../profiles/containers/configuration.nix ]; - networking.firewall.allowedTCPPorts = [ - # syncthing gui - 8384 - ]; + networking.firewall.allowedTCPPorts = [ + # syncthing gui + 8384 + ]; - services.syncthing = { - enable = true; - openDefaultPorts = true; - guiAddress = "0.0.0.0:8384"; + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; + }; }; - }; inherit autoStart; diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index 456ef59..b20fa28 100644 
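Review bot: In the syncthing.nix hunk the web UI remains bound to every interface, `guiAddress = "0.0.0.0:8384";`, while `8384` sits in `networking.firewall.allowedTCPPorts`, and nothing in the hunk shows GUI authentication being configured, so the management UI is reachable from wherever the container's address is routable. Unless that network is known to be private, binding to loopback, `guiAddress = "127.0.0.1:8384";`, and reaching it through a reverse proxy or SSH forward is the safer default. The `# syncthing gui` comment on the port entry would be more useful if it stated that the exposure is intentional and who is expected to reach it.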
--- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix 
@@ -7,405 +7,417 @@ httpsPort, forgejoSshPort, autoStart ? false, -}: let +}: +let domain = "www.stefanjunker.de"; -in { +in +{ inherit specialArgs; - config = { - config, - pkgs, - lib, - repoFlake, - nodeFlake, - system, - ... - }: { - system.stateVersion = "22.05"; # Did you read the comment? + config = + { + config, + pkgs, + lib, + repoFlake, + nodeFlake, + system, + ... + }: + { + system.stateVersion = "22.05"; # Did you read the comment? - disabledModules = [ - "services/misc/forgejo.nix" - "services/security/kanidm.nix" - ]; - - imports = [ - "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" - "${repoFlake.inputs.nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" - - ../profiles/containers/configuration.nix - - repoFlake.inputs.sops-nix.nixosModules.sops - ]; - - sops.defaultSopsFile = ./webserver_secrets.yaml; - - networking.firewall.allowedTCPPorts = [ - httpPort - httpsPort - forgejoSshPort - ]; - - sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; - sops.secrets.hedgedoc_environment_file = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.hedgedoc.name; - }; - - services.caddy = { - enable = true; - logFormat = '' - level ERROR - ''; - virtualHosts."${domain}" = { - extraConfig = '' - redir /hedgedoc* https://hedgedoc.${domain} - - file_server /*/* { - browse - root /var/www/stefanjunker.de/htdocs/caddy - pass_thru - } - - # respond "Hi" - # respond (not /*/*) "Hi" - ''; - }; - - virtualHosts."hedgedoc.${domain}" = { - extraConfig = '' - reverse_proxy http://[::1]:3000 - ''; - }; - - virtualHosts."authelia.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} - ''; - }; - - virtualHosts."lldap.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} - ''; - }; - - virtualHosts."forgejo.${domain}" = { - extraConfig = '' - 
reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} - ''; - }; - - virtualHosts."kanidm.${domain}" = { - extraConfig = '' - reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} - } - } - ''; - }; - }; - - services.hedgedoc = { - enable = true; - settings = { - domain = "hedgedoc.${domain}"; - urlPath = ""; - protocolUseSSL = true; - db = { - dialect = "sqlite"; - storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; - }; - - allowAnonymous = false; - allowAnonymousEdits = false; - allowGravatar = false; - allowFreeURL = false; - defaultPermission = "private"; - - allowEmailRegister = false; - email = false; - - ldap = { - url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; - bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; - # these are set via the `environmentFile` - # bindCredentials = "$LDAP_ADMIN_PASSWORD"; - searchBase = "ou=people,dc=stefanjunker,dc=de"; - searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; - useridField = "uid"; - }; - - oauth2 = let - originURL = config.services.kanidm.serverSettings.origin; - in { - providerName = "kanidm (${originURL})"; - - authorizationURL = "${originURL}/ui/oauth2"; - tokenURL = "${originURL}/oauth2/token"; - userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; - - scope = "openid email profile"; - # rolesClaim = "roles"; - # accessRole = "role/hedgedoc"; - - userProfileUsernameAttr = "name"; - userProfileDisplayNameAttr = "displayname"; - userProfileEmailAttr = "email"; - - clientID = "hedgedoc"; - # set via the `environmentFile` - # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; - }; - - uploadsPath = "/var/lib/hedgedoc/uploads"; - }; - - environmentFile = config.sops.secrets.hedgedoc_environment_file.path; - }; - - services.jitsi-meet = { - enable = false; 
- hostName = "meet.${domain}"; - config = { - prejoinPageEnabled = true; - }; - caddy.enable = true; - nginx.enable = false; - }; - - sops.secrets.authelia_storageEncryptionKey = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - sops.secrets.authelia_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - services.authelia.instances.default = let - baseDir = "/var/lib/authelia-default"; - in { - enable = true; - secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; - secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; - settings = { - theme = "auto"; - default_2fa_method = "totp"; - log.level = "debug"; - - server = { - disable_healthcheck = true; - host = "127.0.0.1"; - port = 9091; - # path = "authelia"; - }; - - storage = { - local.path = "${baseDir}/authelia.sqlite"; - }; - - authentication_backend = { - file.path = "${baseDir}/first_factor.yaml"; - file.search.email = true; - file.search.case_insensitive = false; - }; - - access_control = { - default_policy = "one_factor"; - }; - - session.domain = "stefanjunker.de"; - - notifier = { - disable_startup_check = true; - filesystem.filename = "${baseDir}/notification.txt"; - }; - }; - }; - - users.groups.lldap = {}; - users.users.lldap = { - isSystemUser = true; - group = "lldap"; - }; - - sops.secrets.lldap_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_adminPassword = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_environmentFile = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - services.lldap = { - enable = true; - environment = { - LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; - LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; 
- }; - environmentFile = config.sops.secrets.lldap_environmentFile.path; - - settings = { - verbose = true; - - ldap_base_dn = "dc=stefanjunker,dc=de"; - http_url = "https://lldap.${domain}"; - - ## Options to configure SMTP parameters, to send password reset emails. - ## To set these options from environment variables, use the following format - ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD - smtp_options = { - ## Whether to enabled password reset via email, from LLDAP. - enable_password_reset = true; - - # port = 465; - ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". - # smtp_encryption = "TLS"; - }; - - # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; - }; - }; - - sops.secrets.FORGEJO_JWT_SECRET = {}; - sops.secrets.FORGEJO_INTERNAL_TOKEN = {}; - sops.secrets.FORGEJO_SECRET_KEY = {}; - - services.forgejo = { - enable = true; - package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; - settings = { - service.DISABLE_REGISTRATION = true; - server.HTTP_ADDR = "127.0.0.1"; - server.START_SSH_SERVER = true; - server.SSH_PORT = forgejoSshPort; - server.ROOT_URL = "https://forgejo.${domain}"; - server.HTTP_PORT = 3001; - - # TODO: how do i get a 3072 length SSH key with the yubikey? 
- "ssh.minimum_key_sizes".RSA = 2048; - }; - secrets = { - oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; - security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; - security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; - }; - }; - - systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; - systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; - systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; - - # combine a path watcher with a service that transfers the certs by caddy to kanidm - systemd.paths.kanidm-tls-watch = { - enable = true; - requiredBy = ["kanidm.service"]; - pathConfig = { - PathChanged = [ - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - ]; - Unit = "kanidm-tls-update.service"; - }; - }; - systemd.services.kanidm-tls-update = let - dbDir = - builtins.dirOf - config.services.kanidm.serverSettings.db_path; - in { - enable = true; - requiredBy = ["kanidm.service"]; - unitConfig = { - # ConditionPathExists = [ - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - # ]; - }; - serviceConfig.Type = "oneshot"; - script = let - tlsDir = builtins.dirOf 
config.services.kanidm.serverSettings.tls_key; - in '' - set -xe - - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain - - chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} - chmod 400 tls.{key,chain} - - # create the kanidm directory in case it's missing - if [[ ! -d ${tlsDir} ]]; then - mkdir -p ${tlsDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} - chmod 700 ${tlsDir} - fi - - mv tls.key ${config.services.kanidm.serverSettings.tls_key} - mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} - - if [[ ! 
-d ${dbDir} ]]; then - mkdir -p ${dbDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} - chmod 700 ${dbDir} - fi - ''; - }; - - systemd.services.kanidm.serviceConfig = let - dbDir = - builtins.dirOf - config.services.kanidm.serverSettings.db_path; - # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; - in { - # ExecStartPre = '' - # mkdir -p ${dbDir} - # ''; - BindPaths = [ - dbDir - # stateDir + disabledModules = [ + "services/misc/forgejo.nix" + "services/security/kanidm.nix" ]; - }; - services.kanidm = let - dataDir = "/var/lib/kanidm"; - in { - package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; + imports = [ + "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" + "${repoFlake.inputs.nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" - enablePam = false; - enableClient = false; + ../profiles/containers/configuration.nix - enableServer = true; - serverSettings = { - role = "WriteReplica"; - log_level = "debug"; + repoFlake.inputs.sops-nix.nixosModules.sops + ]; - domain = "kanidm.${domain}"; - origin = "https://kanidm.${domain}"; + sops.defaultSopsFile = ./webserver_secrets.yaml; - db_path = "${dataDir}/db/kanidm.db"; + networking.firewall.allowedTCPPorts = [ + httpPort + httpsPort + forgejoSshPort + ]; - bindaddress = "127.0.0.1:8444"; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.hedgedoc_environment_file = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.hedgedoc.name; + }; - # don't expose ldap - # ldapbindaddress = "[::1]:6636"; + services.caddy = { + enable = true; + logFormat = '' + level ERROR + ''; + virtualHosts."${domain}" = { + extraConfig = '' + redir /hedgedoc* https://hedgedoc.${domain} - tls_key = "${dataDir}/tls/tls.key"; - tls_chain = "${dataDir}/tls/tls.chain"; + file_server /*/* { + browse + root 
/var/www/stefanjunker.de/htdocs/caddy + pass_thru + } - online_backup = { - schedule = "00 06 * * *"; + # respond "Hi" + # respond (not /*/*) "Hi" + ''; + }; + + virtualHosts."hedgedoc.${domain}" = { + extraConfig = '' + reverse_proxy http://[::1]:3000 + ''; + }; + + virtualHosts."authelia.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} + ''; + }; + + virtualHosts."lldap.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} + ''; + }; + + virtualHosts."forgejo.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} + ''; + }; + + virtualHosts."kanidm.${domain}" = { + extraConfig = '' + reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + } + ''; }; }; + + services.hedgedoc = { + enable = true; + settings = { + domain = "hedgedoc.${domain}"; + urlPath = ""; + protocolUseSSL = true; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + }; + + allowAnonymous = false; + allowAnonymousEdits = false; + allowGravatar = false; + allowFreeURL = false; + defaultPermission = "private"; + + allowEmailRegister = false; + email = false; + + ldap = { + url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; + bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; + # these are set via the `environmentFile` + # bindCredentials = "$LDAP_ADMIN_PASSWORD"; + searchBase = "ou=people,dc=stefanjunker,dc=de"; + searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; + useridField = "uid"; + }; + + oauth2 = + let + originURL = config.services.kanidm.serverSettings.origin; + in + { + providerName = "kanidm 
(${originURL})"; + + authorizationURL = "${originURL}/ui/oauth2"; + tokenURL = "${originURL}/oauth2/token"; + userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; + + scope = "openid email profile"; + # rolesClaim = "roles"; + # accessRole = "role/hedgedoc"; + + userProfileUsernameAttr = "name"; + userProfileDisplayNameAttr = "displayname"; + userProfileEmailAttr = "email"; + + clientID = "hedgedoc"; + # set via the `environmentFile` + # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; + }; + + uploadsPath = "/var/lib/hedgedoc/uploads"; + }; + + environmentFile = config.sops.secrets.hedgedoc_environment_file.path; + }; + + services.jitsi-meet = { + enable = false; + hostName = "meet.${domain}"; + config = { + prejoinPageEnabled = true; + }; + caddy.enable = true; + nginx.enable = false; + }; + + sops.secrets.authelia_storageEncryptionKey = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + sops.secrets.authelia_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + services.authelia.instances.default = + let + baseDir = "/var/lib/authelia-default"; + in + { + enable = true; + secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; + secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; + settings = { + theme = "auto"; + default_2fa_method = "totp"; + log.level = "debug"; + + server = { + disable_healthcheck = true; + host = "127.0.0.1"; + port = 9091; + # path = "authelia"; + }; + + storage = { + local.path = "${baseDir}/authelia.sqlite"; + }; + + authentication_backend = { + file.path = "${baseDir}/first_factor.yaml"; + file.search.email = true; + file.search.case_insensitive = false; + }; + + access_control = { + default_policy = "one_factor"; + }; + + session.domain = "stefanjunker.de"; + + notifier = { + disable_startup_check = true; + filesystem.filename = "${baseDir}/notification.txt"; + }; + }; 
+ }; + + users.groups.lldap = { }; + users.users.lldap = { + isSystemUser = true; + group = "lldap"; + }; + + sops.secrets.lldap_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_adminPassword = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_environmentFile = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + services.lldap = { + enable = true; + environment = { + LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; + LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; + }; + environmentFile = config.sops.secrets.lldap_environmentFile.path; + + settings = { + verbose = true; + + ldap_base_dn = "dc=stefanjunker,dc=de"; + http_url = "https://lldap.${domain}"; + + ## Options to configure SMTP parameters, to send password reset emails. + ## To set these options from environment variables, use the following format + ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD + smtp_options = { + ## Whether to enabled password reset via email, from LLDAP. + enable_password_reset = true; + + # port = 465; + ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". + # smtp_encryption = "TLS"; + }; + + # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; + }; + }; + + sops.secrets.FORGEJO_JWT_SECRET = { }; + sops.secrets.FORGEJO_INTERNAL_TOKEN = { }; + sops.secrets.FORGEJO_SECRET_KEY = { }; + + services.forgejo = { + enable = true; + package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; + settings = { + service.DISABLE_REGISTRATION = true; + server.HTTP_ADDR = "127.0.0.1"; + server.START_SSH_SERVER = true; + server.SSH_PORT = forgejoSshPort; + server.ROOT_URL = "https://forgejo.${domain}"; + server.HTTP_PORT = 3001; + + # TODO: how do i get a 3072 length SSH key with the yubikey? 
+ "ssh.minimum_key_sizes".RSA = 2048; + }; + secrets = { + oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; + security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; + security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; + }; + }; + + systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; + systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; + systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; + + # combine a path watcher with a service that transfers the certs by caddy to kanidm + systemd.paths.kanidm-tls-watch = { + enable = true; + requiredBy = [ "kanidm.service" ]; + pathConfig = { + PathChanged = [ + "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + ]; + Unit = "kanidm-tls-update.service"; + }; + }; + systemd.services.kanidm-tls-update = + let + dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; + in + { + enable = true; + requiredBy = [ "kanidm.service" ]; + unitConfig = { + # ConditionPathExists = [ + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + # ]; + }; + serviceConfig.Type = "oneshot"; + script = + let + tlsDir = builtins.dirOf 
config.services.kanidm.serverSettings.tls_key; + in + '' + set -xe + + cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key + cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain + + chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} + chmod 400 tls.{key,chain} + + # create the kanidm directory in case it's missing + if [[ ! -d ${tlsDir} ]]; then + mkdir -p ${tlsDir} + chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} + chmod 700 ${tlsDir} + fi + + mv tls.key ${config.services.kanidm.serverSettings.tls_key} + mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} + + if [[ ! 
-d ${dbDir} ]]; then + mkdir -p ${dbDir} + chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} + chmod 700 ${dbDir} + fi + ''; + }; + + systemd.services.kanidm.serviceConfig = + let + dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; + in + # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; + { + # ExecStartPre = '' + # mkdir -p ${dbDir} + # ''; + BindPaths = [ + dbDir + # stateDir + ]; + }; + + services.kanidm = + let + dataDir = "/var/lib/kanidm"; + in + { + package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; + + enablePam = false; + enableClient = false; + + enableServer = true; + serverSettings = { + role = "WriteReplica"; + log_level = "debug"; + + domain = "kanidm.${domain}"; + origin = "https://kanidm.${domain}"; + + db_path = "${dataDir}/db/kanidm.db"; + + bindaddress = "127.0.0.1:8444"; + + # don't expose ldap + # ldapbindaddress = "[::1]:6636"; + + tls_key = "${dataDir}/tls/tls.key"; + tls_chain = "${dataDir}/tls/tls.chain"; + + online_backup = { + schedule = "00 06 * * *"; + }; + }; + }; }; - }; inherit autoStart; diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml index 033e618..62dc6e8 100644 --- a/nix/os/containers/webserver_secrets.yaml +++ b/nix/os/containers/webserver_secrets.yaml 
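Review bot: In the kanidm-tls-update script the private key is written with `cat … > tls.key` into the unit's current directory before the later `chmod 400`, so under systemd's default umask the copy is created 0644 for a short window, and in whatever directory the oneshot happens to start in since no WorkingDirectory is set; adding `umask 077` directly after `set -xe` closes that window with one line. The hunk also keeps `log_level = "debug"` for kanidm and `log.level = "debug"` for authelia, which looks like leftover debugging and will log more request detail than an identity provider should retain in normal operation. Separately, the formatter placed the `# stateDir = …` comment between `in` and `{` in `systemd.services.kanidm.serviceConfig`, where it no longer reads as belonging to the `let`; moving it next to `dbDir` inside the `let` keeps it attached to what it annotates.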
@@ -9,37 +9,37 @@ FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9 FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str] FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh - U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh - YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP - eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc - KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-16T12:28:51Z" - mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] - pgp: - - created_at: "2023-07-09T17:51:27Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh + U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh + YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP + 
eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc + KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-16T12:28:51Z" + mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] + pgp: + - created_at: "2023-07-09T17:51:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD - gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO - 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ - XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w - YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku - bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI - F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i - g+ZF+9NNqOTKsBzEnuGsZRnI - =iXfo - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 + wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD + gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO + 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ + XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w + YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku + bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI + F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i + g+ZF+9NNqOTKsBzEnuGsZRnI + =iXfo + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index bc8e0ad..02b0212 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix 
@@ -1,20 +1,25 @@ { dir, - pkgs ? import {}, - ownLib ? import ../lib/default.nix {inherit (pkgs) lib;}, + pkgs ? import { }, + ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, gitRoot ? "$(git rev-parse --show-toplevel)", # FIXME: why do these need explicit mentioning? moreargs ? "", rebuildarg ? "", ... -} @ args: let - rebuildargsSudo = ["switch" "boot"]; - rebuild = { - gitRoot, - rebuildarg ? "dry-activate", - moreargs ? "", - ... - }: +}@args: +let + rebuildargsSudo = [ + "switch" + "boot" + ]; + rebuild = + { + gitRoot, + rebuildarg ? "dry-activate", + moreargs ? "", + ... + }: pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe @@ -30,25 +35,24 @@ ${ if - (builtins.elem rebuildarg rebuildargsSudo) - && (builtins.match ".*--target-host.*" moreargs) == null - then "sudo -E \\" - else "" + (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null + then + "sudo -E \\" + else + "" } nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} ''; -in { - recipes = - { - rebuild = - rebuild { - inherit gitRoot; - inherit moreargs; - inherit rebuildarg; - } - # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } - # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } - ; +in +{ + recipes = { + rebuild = rebuild { + inherit gitRoot; + inherit moreargs; + inherit rebuildarg; } - // (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;})); + # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } + # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } + ; + } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); } diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index f62c6a9..f639344 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix 
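Review bot: `sudo -E \` in the rebuild recipe passes the caller's entire environment to a root `nixos-rebuild`, overriding the sudoers `env_reset` protection, while the script visibly needs only `NIXOS_CONFIG` (used on the next line via `-I nixos-config=''${NIXOS_CONFIG}`) and presumably `NIX_PATH`. Narrowing to `sudo --preserve-env=NIXOS_CONFIG,NIX_PATH \` keeps the recipe working while limiting what reaches the root process. The sudo skip keyed on `builtins.match ".*--target-host.*" moreargs` is reasonable for remote deploys but silently depends on the long flag being spelled out in `moreargs`; a comment such as `# local switch/boot needs root; remote deploys (--target-host) must not run sudo here` would make that intent explicit. The `pkgs.writeScript` body this belongs to begins in the previous hunk of this file.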
@@ -3,40 +3,29 @@ ownLib, dir, gitRoot, - diskId ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") - {}) - .hardware - .opinionatedDisk - .diskId, + diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, encrypted ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") - {}) - .hardware - .opinionatedDisk - .encrypted, + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, previousDiskId ? "", ... -}: let +}: +let mntRootVol = "/mnt/${diskId}-root"; -in rec { +in +rec { diskMount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe echo Mounting ${diskId} ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} ''} sleep 1 sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo mkdir -p /mnt sudo mkdir ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} - sudo mount ${ - ownLib.disk.rootFsDevice diskId - } ${mntRootVol}/nixos/home -o subvol=home + sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot ''; @@ -73,9 +62,7 @@ in rec { #!/usr/bin/env bash set -xe - read -p "Continue to format ${ - ownLib.disk.bootGrubDevice diskId - } (YES/n)? " choice + read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; 
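Review bot: The confirmation prompt before the destructive format, `read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice`, is followed by a `case` that only handles `YES` and `n|N`; if there is no `*)` branch after the hunk's last visible line (the `esac` is outside the hunk), any other input — an empty line from just pressing Enter, or a lowercase `yes` — falls through and the script goes on to format the disk. A default branch `* ) echo "Unrecognized input, exiting..."; exit 1;;` makes the prompt fail closed. The same `read`/`case` shape is used by the relabel recipe further down in this file and would want the same guard. The script body starts and ends outside this hunk.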
@@ -122,15 +109,11 @@ in rec { ${pkgs.lib.strings.optionalString encrypted '' # Encrypt sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} ''} # LVM - sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ - ownLib.disk.lvmPv diskId encrypted - } + sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted} sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root @@ -154,9 +137,7 @@ in rec { #!/usr/bin/env bash set -xe - read -p "Continue to relabel ${ - ownLib.disk.bootGrubDevice diskId - } (YES/n)?" choice + read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; @@ -187,13 +168,9 @@ in rec { if test "${previousDiskId}"; then - ${ - pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } - '' - } + ${pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ''} sync sleep 1 if sudo vgs ${previousDiskId}; then diff --git a/nix/os/devices/elias-e525/boot.nix b/nix/os/devices/elias-e525/boot.nix index ab6c098..6698046 100644 --- a/nix/os/devices/elias-e525/boot.nix +++ b/nix/os/devices/elias-e525/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiSupport = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/elias-e525/configuration.nix b/nix/os/devices/elias-e525/configuration.nix index d39da6f..ea92869 100644 --- a/nix/os/devices/elias-e525/configuration.nix 
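Review bot: `sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId}` in this hunk passes no format options, so the LUKS version, cipher and KDF are whatever the `cryptsetup` on the installer's PATH defaults to; a disk provisioned from an older live image can come out as LUKS1/PBKDF2 rather than LUKS2/argon2id, and nothing in the repository records which one a given machine got. Pinning the format, e.g. `sudo cryptsetup luksFormat --type luks2 --pbkdf argon2id ${ownLib.disk.bootLuksDevice diskId}`, makes the on-disk result reproducible across installers. The reflowed `luksOpen` and `vgcreate` lines below it change nothing else. The provisioning script continues outside this hunk.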
+++ b/nix/os/devices/elias-e525/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ../../profiles/common/configuration.nix
 ../../profiles/graphical/configuration.nix
diff --git a/nix/os/devices/elias-e525/default.nix b/nix/os/devices/elias-e525/default.nix
index 4b4d676..ba02693 100644
--- a/nix/os/devices/elias-e525/default.nix
+++ b/nix/os/devices/elias-e525/default.nix
@@ -3,17 +3,17 @@
 repoFlake,
 nodeFlake,
 ...
-}: let
+}:
+let
 system = "x86_64-linux";
-in {
+in
+{
 meta.nodeSpecialArgs.${nodeName} = {
 inherit repoFlake nodeName nodeFlake;
 packages' = repoFlake.packages.${system};
 };
 
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
- inherit system;
- };
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
 
 ${nodeName} = {
 deployment.targetHost = "elias-e525.lan";
diff --git a/nix/os/devices/elias-e525/flake.nix b/nix/os/devices/elias-e525/flake.nix
index 3f73b91..d5bd2c5 100644
--- a/nix/os/devices/elias-e525/flake.nix
+++ b/nix/os/devices/elias-e525/flake.nix
@@ -6,5 +6,5 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 
- outputs = _: {};
+ outputs = _: { };
 }
diff --git a/nix/os/devices/elias-e525/hw.nix b/nix/os/devices/elias-e525/hw.nix
index 269281c..23d4edb 100644
--- a/nix/os/devices/elias-e525/hw.nix
+++ b/nix/os/devices/elias-e525/hw.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
 # TASK: new device
 hardware.opinionatedDisk = {
 enable = true;
diff --git a/nix/os/devices/elias-e525/pkg.nix b/nix/os/devices/elias-e525/pkg.nix
index e119032..57d813e 100644
--- a/nix/os/devices/elias-e525/pkg.nix
+++ b/nix/os/devices/elias-e525/pkg.nix
@@ -1,8 +1,5 @@
-{
- pkgs,
- lib,
- ...
-}: let
+{ pkgs, lib, ... }:
+let
 homeEnv = keyboard: {
 imports = [
 ../../../home-manager/profiles/common.nix
@@ -22,26 +19,27 @@ rustdesk ]; }; -in { - services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { +in +{ + services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; home-manager.users.steveej = homeEnv { layout = "en"; - options = ["nodeadkey"]; + options = [ "nodeadkey" ]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; home-manager.users.justyna = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; diff --git a/nix/os/devices/elias-e525/system.nix b/nix/os/devices/elias-e525/system.nix index 6763062..d2a3efe 100644 --- a/nix/os/devices/elias-e525/system.nix +++ b/nix/os/devices/elias-e525/system.nix @@ -1,10 +1,5 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - config, - ... -}: let -in { # TASK: new device networking.hostName = "elias-e525"; # Define your hostname. @@ -38,11 +33,13 @@ in { # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; } diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix index 196c96a..c4690cf 100644 --- a/nix/os/devices/elias-e525/user.nix +++ b/nix/os/devices/elias-e525/user.nix 
@@ -1,12 +1,9 @@
-{
- config,
- pkgs,
- lib,
- ...
-}: let
+{ config, pkgs, ... }:
+let
 keys = import ../../../variables/keys.nix;
- inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
-in {
+ inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser;
+in
+{
 sops.secrets.sharedUsers-elias = {
 sopsFile = ../../../../secrets/shared-users.yaml;
 neededForUsers = true;
diff --git a/nix/os/devices/fwhost1/boot.nix b/nix/os/devices/fwhost1/boot.nix
index 4d8c1d1..639698f 100644
--- a/nix/os/devices/fwhost1/boot.nix
+++ b/nix/os/devices/fwhost1/boot.nix
@@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
+{
 boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
 boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 }
diff --git a/nix/os/devices/fwhost1/configuration.nix b/nix/os/devices/fwhost1/configuration.nix
index ed238cb..fbdc4c0 100644
--- a/nix/os/devices/fwhost1/configuration.nix
+++ b/nix/os/devices/fwhost1/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ../../profiles/common/configuration.nix
 ../../modules/opinionatedDisk.nix
diff --git a/nix/os/devices/fwhost1/hw.nix b/nix/os/devices/fwhost1/hw.nix
index 6c1aaaf..43334ed 100644
--- a/nix/os/devices/fwhost1/hw.nix
+++ b/nix/os/devices/fwhost1/hw.nix
@@ -1,5 +1,4 @@
-{...}: let
-in {
+_: {
 # TASK: new device
 hardware.opinionatedDisk = {
 enable = true;
diff --git a/nix/os/devices/fwhost1/pkg.nix b/nix/os/devices/fwhost1/pkg.nix
index 6650ad9..aacf501 100644
--- a/nix/os/devices/fwhost1/pkg.nix
+++ b/nix/os/devices/fwhost1/pkg.nix
@@ -1,17 +1,17 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [iw wirelesstools]; + environment.systemPackages = with pkgs; [ + iw + wirelesstools + ]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost1/system.nix b/nix/os/devices/fwhost1/system.nix index abe1717..548caec 100644 --- a/nix/os/devices/fwhost1/system.nix +++ b/nix/os/devices/fwhost1/system.nix @@ -1,12 +1,8 @@ -{ - pkgs, - lib, - config, - ... -}: let - keys = import ../../../variables/keys.nix; +{ pkgs, lib, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ # TASK: new device networking.hostName = "fwhost1"; # Define your hostname. @@ -21,11 +17,14 @@ in { networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = ["eth0" "eth1"]; + networking.bridges.breth.interfaces = [ + "eth0" + "eth1" + ]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = ["172.172.171.10"]; + networking.nameservers = [ "172.172.171.10" ]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost1/user.nix b/nix/os/devices/fwhost1/user.nix index 98f59ba..958608a 100644 --- a/nix/os/devices/fwhost1/user.nix +++ b/nix/os/devices/fwhost1/user.nix 
@@ -1,9 +1 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {}) mkUser; -in {} +_: { } diff --git a/nix/os/devices/fwhost1/versions.nix b/nix/os/devices/fwhost1/versions.nix index c6dac79..276eb87 100644 --- a/nix/os/devices/fwhost1/versions.nix +++ b/nix/os/devices/fwhost1/versions.nix @@ -4,9 +4,12 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost1/versions.tmpl.nix b/nix/os/devices/fwhost1/versions.tmpl.nix index c9dc8a9..d3d0c19 100644 --- a/nix/os/devices/fwhost1/versions.tmpl.nix +++ b/nix/os/devices/fwhost1/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/boot.nix b/nix/os/devices/fwhost2/boot.nix index 4d8c1d1..639698f 100644 --- a/nix/os/devices/fwhost2/boot.nix +++ b/nix/os/devices/fwhost2/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost2/configuration.nix b/nix/os/devices/fwhost2/configuration.nix index ed238cb..fbdc4c0 100644 --- a/nix/os/devices/fwhost2/configuration.nix +++ b/nix/os/devices/fwhost2/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix 
diff --git a/nix/os/devices/fwhost2/hw.nix b/nix/os/devices/fwhost2/hw.nix index c207b8c..a8891e3 100644 --- a/nix/os/devices/fwhost2/hw.nix +++ b/nix/os/devices/fwhost2/hw.nix @@ -1,5 +1,4 @@ -{...}: let -in { +_: { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost2/pkg.nix b/nix/os/devices/fwhost2/pkg.nix index 6650ad9..aacf501 100644 --- a/nix/os/devices/fwhost2/pkg.nix +++ b/nix/os/devices/fwhost2/pkg.nix @@ -1,17 +1,17 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [iw wirelesstools]; + environment.systemPackages = with pkgs; [ + iw + wirelesstools + ]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost2/system.nix b/nix/os/devices/fwhost2/system.nix index 54da0ba..652347f 100644 --- a/nix/os/devices/fwhost2/system.nix +++ b/nix/os/devices/fwhost2/system.nix @@ -1,13 +1,8 @@ -{ - pkgs, - lib, - config, - utils, - ... -}: let - keys = import ../../../variables/keys.nix; +{ pkgs, lib, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ # TASK: new device networking.hostName = "fwhost2"; # Define your hostname. 
@@ -22,11 +17,14 @@ in { networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = ["eth0" "eth1"]; + networking.bridges.breth.interfaces = [ + "eth0" + "eth1" + ]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = ["172.172.171.10"]; + networking.nameservers = [ "172.172.171.10" ]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix index d7dc0dc..47efa02 100644 --- a/nix/os/devices/fwhost2/user.nix +++ b/nix/os/devices/fwhost2/user.nix @@ -1,12 +1,4 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; -in { +_: { # users.extraUsers.steveej2 = mkUser { # uid = 1001; # openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/fwhost2/versions.nix b/nix/os/devices/fwhost2/versions.nix index c6dac79..276eb87 100644 --- a/nix/os/devices/fwhost2/versions.nix +++ b/nix/os/devices/fwhost2/versions.nix @@ -4,9 +4,12 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/versions.tmpl.nix b/nix/os/devices/fwhost2/versions.tmpl.nix index c9dc8a9..d3d0c19 100644 --- a/nix/os/devices/fwhost2/versions.tmpl.nix +++ b/nix/os/devices/fwhost2/versions.tmpl.nix 
@@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/hstk0/README.md b/nix/os/devices/hstk0/README.md index d70e379..60ee180 100644 --- a/nix/os/devices/hstk0/README.md +++ b/nix/os/devices/hstk0/README.md @@ -1,7 +1,6 @@ ## bootstrapping ``` -# TODO: generate an SSH host-key and deploy it via --extra-files +# TODO: generate an SSH host-key and deploy it via --extra-files nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252 ``` - diff --git a/nix/os/devices/hstk0/configuration.nix b/nix/os/devices/hstk0/configuration.nix index ea3c795..32fad43 100644 --- a/nix/os/devices/hstk0/configuration.nix +++ b/nix/os/devices/hstk0/configuration.nix @@ -1,17 +1,14 @@ { - modulesPath, repoFlake, - packages', pkgs, lib, - config, nodeFlake, nodeName, system, ... -}: { - disabledModules = [ - ]; +}: +{ + disabledModules = [ ]; imports = [ nodeFlake.inputs.disko.nixosModules.disko @@ -28,9 +25,7 @@ } ../../snippets/nix-settings.nix - { - nix.settings.sandbox = lib.mkForce "relaxed"; - } + { nix.settings.sandbox = lib.mkForce "relaxed"; } ../../snippets/mycelium.nix 
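Review bot: `{ nix.settings.sandbox = lib.mkForce "relaxed"; }` survives the reflow in hstk0/configuration.nix without any explanation of why this host needs it; `relaxed` lets any derivation that sets `__noChroot = true` build outside the sandbox with network and full filesystem access, and `mkForce` overrides whatever the imported `../../snippets/nix-settings.nix` chooses. A comment naming the package that requires it, e.g. `# relaxed: needed for <derivation>, which sets __noChroot; revert once it builds sandboxed`, keeps the exception from outliving its reason. The `imports` list this sits in starts before the hunk.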
@@ -80,60 +75,58 @@ nat.enable = true; firewall.enable = true; - firewall.allowedTCPPorts = [ - 5201 - ]; - firewall.allowedUDPPorts = [ - 5201 - ]; + firewall.allowedTCPPorts = [ 5201 ]; + firewall.allowedUDPPorts = [ 5201 ]; }; - disko.devices = let - disk = id: { - type = "disk"; - device = "/dev/${id}"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - mdadm = { - size = "100%"; - content = { - type = "mdraid"; - name = "raid0"; + disko.devices = + let + disk = id: { + type = "disk"; + device = "/dev/${id}"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + mdadm = { + size = "100%"; + content = { + type = "mdraid"; + name = "raid0"; + }; }; }; }; }; - }; - in { - disk = { - sda = disk "sda"; - sdb = disk "sdb"; - }; - mdadm = { - raid0 = { - type = "mdadm"; - level = 0; - content = { - type = "gpt"; - partitions = { - primary = { - size = "100%"; - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; + in + { + disk = { + sda = disk "sda"; + sdb = disk "sdb"; + }; + mdadm = { + raid0 = { + type = "mdadm"; + level = 0; + content = { + type = "gpt"; + partitions = { + primary = { + size = "100%"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; + }; }; }; }; }; }; }; - }; system.stateVersion = "24.05"; @@ -149,7 +142,5 @@ virtualisation.libvirtd.enable = true; - boot.binfmt.emulatedSystems = [ - "aarch64-linux" - ]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; } diff --git a/nix/os/devices/hstk0/default.nix b/nix/os/devices/hstk0/default.nix index 86b5f1a..62e6cc1 100644 --- a/nix/os/devices/hstk0/default.nix +++ b/nix/os/devices/hstk0/default.nix 
@@ -3,19 +3,22 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system; + inherit + repoFlake + nodeName + nodeFlake + system + ; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "185.130.224.33"; diff --git a/nix/os/devices/hstk0/flake.nix b/nix/os/devices/hstk0/flake.nix index 8f0a7f4..6c9b22f 100644 --- a/nix/os/devices/hstk0/flake.nix +++ b/nix/os/devices/hstk0/flake.nix @@ -16,38 +16,37 @@ # outputs = _: {}; - outputs = { - self, - get-flake, - nixpkgs, - ... - } @ attrs: let - system = "x86_64-linux"; - nodeName = "hostkey-0"; + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + system = "x86_64-linux"; + nodeName = "hostkey-0"; - mkNixosConfiguration = {extraModules ? [], ...} @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs + mkNixosConfiguration = { - specialArgs = { - nodeFlake = self; - repoFlake = get-flake ../../../..; - inherit nodeName; - }; + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = { + nodeFlake = self; + repoFlake = get-flake ../../../..; + inherit nodeName; + }; - modules = - [ - ./configuration.nix - ] - ++ extraModules; - } - ); - in { - nixosConfigurations = { - native = mkNixosConfiguration { - inherit system; + modules = [ ./configuration.nix ] ++ extraModules; + } + ); + in + { + nixosConfigurations = { + native = mkNixosConfiguration { inherit system; }; }; }; - }; } diff --git a/nix/os/devices/hydra.json b/nix/os/devices/hydra.json index 3723c24..a0204bc 100644 --- a/nix/os/devices/hydra.json +++ b/nix/os/devices/hydra.json 
@@ -1,16 +1,24 @@ { - "enabled": 1, - "hidden": false, - "description": "Jobsets", - "nixexprinput": "src", - "nixexprpath": "default.nix", - "checkinterval": 300, - "schedulingshares": 100, - "enableemail": false, - "emailoverride": "", - "keepnr": 3, - "inputs": { - "src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false }, - "nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false } + "enabled": 1, + "hidden": false, + "description": "Jobsets", + "nixexprinput": "src", + "nixexprpath": "default.nix", + "checkinterval": 300, + "schedulingshares": 100, + "enableemail": false, + "emailoverride": "", + "keepnr": 3, + "inputs": { + "src": { + "type": "git", + "value": "git://github.com/shlevy/declarative-hydra-example.git", + "emailresponsible": false + }, + "nixpkgs": { + "type": "git", + "value": "git://github.com/NixOS/nixpkgs.git release-16.03", + "emailresponsible": false } + } } diff --git a/nix/os/devices/justyna-p300/boot.nix b/nix/os/devices/justyna-p300/boot.nix index 85006ed..9d6bbe7 100644 --- a/nix/os/devices/justyna-p300/boot.nix +++ b/nix/os/devices/justyna-p300/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.grub.efiSupport = lib.mkForce false; diff --git a/nix/os/devices/justyna-p300/configuration.nix b/nix/os/devices/justyna-p300/configuration.nix index f2cb3f7..e636106 100644 --- a/nix/os/devices/justyna-p300/configuration.nix +++ b/nix/os/devices/justyna-p300/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/justyna-p300/default.nix b/nix/os/devices/justyna-p300/default.nix index 907e60b..427ce7e 100644 --- a/nix/os/devices/justyna-p300/default.nix 
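Review bot: Both jobset inputs in the reformatted `inputs` object still use the `git://` transport — `git://github.com/shlevy/declarative-hydra-example.git` and `git://github.com/NixOS/nixpkgs.git release-16.03` — which is unauthenticated and unencrypted, so a Hydra evaluator would accept whatever an on-path party served for either repository; GitHub also stopped answering on that protocol, so as written the inputs cannot fetch at all. Changing both `value` strings to `https://github.com/...` is the minimal fix. Given the `release-16.03` branch and the upstream example repository, this file looks like an unused sample; if so, removing it avoids someone enabling it as-is. The whole jobset object is within this hunk.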
+++ b/nix/os/devices/justyna-p300/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/justyna-p300/flake.nix b/nix/os/devices/justyna-p300/flake.nix index 3e68abe..9b8b8ed 100644 --- a/nix/os/devices/justyna-p300/flake.nix +++ b/nix/os/devices/justyna-p300/flake.nix @@ -6,8 +6,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - inputs.disko.url = github:nix-community/disko; + inputs.disko.url = "github:nix-community/disko"; inputs.disko.inputs.nixpkgs.follows = "nixpkgs"; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/justyna-p300/hw.nix b/nix/os/devices/justyna-p300/hw.nix index 0924dd2..b68e082 100644 --- a/nix/os/devices/justyna-p300/hw.nix +++ b/nix/os/devices/justyna-p300/hw.nix @@ -1,12 +1,6 @@ +{ nodeFlake, ... }: { - repoFlake, - nodeFlake, - lib, - ... -}: { - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - ]; + imports = [ nodeFlake.inputs.disko.nixosModules.disko ]; disko.devices.disk.sda = { device = "/dev/sda"; @@ -20,7 +14,7 @@ start = "0"; end = "1M"; part-type = "primary"; - flags = ["bios_grub"]; + flags = [ "bios_grub" ]; } { name = "root"; @@ -30,14 +24,14 @@ bootable = true; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; }; }; }; 
diff --git a/nix/os/devices/justyna-p300/pkg.nix b/nix/os/devices/justyna-p300/pkg.nix index e780b7e..d23cfb0 100644 --- a/nix/os/devices/justyna-p300/pkg.nix +++ b/nix/os/devices/justyna-p300/pkg.nix @@ -3,7 +3,8 @@ lib, packages', ... -}: let +}: +let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix @@ -23,15 +24,19 @@ rustdesk ]; }; -in { - services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { +in +{ + services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; - services.printing.drivers = lib.mkForce (with packages'; [ - dcpj4110dwDriver - dcpj4110dwCupswrapper - ]); + services.printing.drivers = lib.mkForce ( + with packages'; + [ + dcpj4110dwDriver + dcpj4110dwCupswrapper + ] + ); services.printing.extraConf = '' LogLevel debug @@ -39,31 +44,29 @@ in { home-manager.users.steveej = homeEnv { layout = "en"; - options = ["nodeadkey"]; + options = [ "nodeadkey" ]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; home-manager.users.justyna = lib.attrsets.recursiveUpdate - (homeEnv { - layout = "de"; - options = []; - variant = ""; - }) - { - services.syncthing.enable = true; - services.syncthing.tray = true; + (homeEnv { + layout = "de"; + options = [ ]; + variant = ""; + }) + { + services.syncthing.enable = true; + services.syncthing.tray = true; - home.packages = with pkgs; [ - session-desktop - ]; - }; + home.packages = with pkgs; [ session-desktop ]; + }; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/justyna-p300/system.nix b/nix/os/devices/justyna-p300/system.nix index 44c3db9..82a7b02 100644 --- a/nix/os/devices/justyna-p300/system.nix +++ b/nix/os/devices/justyna-p300/system.nix 
@@ -1,11 +1,8 @@ -{ - pkgs, - lib, - config, - ... -}: let +{ pkgs, lib, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -39,11 +36,13 @@ in { # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; } diff --git a/nix/os/devices/justyna-p300/user.nix b/nix/os/devices/justyna-p300/user.nix index 6d86c59..c4690cf 100644 --- a/nix/os/devices/justyna-p300/user.nix +++ b/nix/os/devices/justyna-p300/user.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - ... -}: let +{ config, pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; -in { + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 8507ade..7395600 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix 
@@ -9,33 +9,33 @@ localDomainName, system, ... -}: let - inherit - (nodeFlake.inputs) - nixos-nftables-firewall - nixos-sbc - ; +}: +let + inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc; vlanRangeStart = builtins.head vlanRange; vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); - vlanRangeWith0 = [0] ++ vlanRange; + vlanRangeWith0 = [ 0 ] ++ vlanRange; - mkVlanIpv4HostAddr = { - vlanid, - host, - thirdIpv4SegmentMin ? 20, - cidr ? true, - }: let - # reserve the first subnet for vlanid == 0 - # number the other subnets continously from there - offset = - if vlanid == 0 - then thirdIpv4SegmentMin - else thirdIpv4SegmentMin + 1 - vlanRangeStart; - in - builtins.concatStringsSep "." - ["192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}"]; + mkVlanIpv4HostAddr = + { + vlanid, + host, + thirdIpv4SegmentMin ? 20, + cidr ? true, + }: + let + # reserve the first subnet for vlanid == 0 + # number the other subnets continously from there + offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart; + in + builtins.concatStringsSep "." [ + "192" + "168" + (toString (vlanid + offset)) + "${toString host}${lib.strings.optionalString cidr "/24"}" + ]; defaultVlan = { name = "${localDomainName}"; 
@@ -62,30 +62,25 @@ "15".packet_priority = -10; }; - vlansByName = - lib.attrsets.mapAttrs' - ( - vlanid': attrs: - lib.attrsets.nameValuePair - attrs.name - (attrs - // { - id = lib.strings.toInt vlanid'; - id' = vlanid'; - }) + vlansByName = lib.attrsets.mapAttrs' ( + vlanid': attrs: + lib.attrsets.nameValuePair attrs.name ( + attrs + // { + id = lib.strings.toInt vlanid'; + id' = vlanid'; + } ) - vlans; + ) vlans; - getVlanDomain = {vlanid}: - if vlanid == 0 - then defaultVlan.name - else vlans."${toString vlanid}".name + "." + defaultVlan.name; + getVlanDomain = + { vlanid }: + if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." + defaultVlan.name; bridgeInterfaceName = "br-lan"; - mkInterfaceName = {vlanid}: - if vlanid == 0 - then bridgeInterfaceName - else "${bridgeInterfaceName}.${toString vlanid}"; + mkInterfaceName = + { vlanid }: + if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}"; dmzExposedHost = "sj-srv1"; dmzExposedHostDomain = "dmz.internal"; @@ -96,8 +91,10 @@ cidr = false; }; - dmzExposedHostMACaddr = repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; -in { + dmzExposedHostMACaddr = + repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; +in +{ imports = [ nixos-sbc.nixosModules.default nixos-sbc.nixosModules.boards.bananapi.bpir3 @@ -130,7 +127,7 @@ in { sops.secrets.passwords-root.neededForUsers = true; # sops.secrets.wlan0_saePasswordsFile = {}; - sops.secrets.wlan0_wpaPskFile = {}; + sops.secrets.wlan0_wpaPskFile = { }; } ]; 
@@ -193,13 +190,15 @@ in { chains = { prerouting = { "exposeHost" = { - after = ["hook"]; - rules = let - wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; - in [ - "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" - "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" - ]; + after = [ "hook" ]; + rules = + let + wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; + in + [ + "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" + "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" + ]; }; }; }; 
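Review bot: The two rules in the `exposeHost` prerouting chain depend on their order and nothing in the hunk records it: `tcp dport 220 redirect to 22` must stay ahead of the catch-all `dnat ip to ${dmzExposedHostIpv4}`, otherwise WAN port 220 is forwarded to the DMZ host instead of reaching the router's own sshd, which is also why the `22` entry in `wan-to-fw.allowedTCPPortRanges` exists. The catch-all carries no protocol or port restriction, so every other IPv4 packet arriving on a wan interface is handed to the DMZ host and its exposure is gated only by the `wan-to-dmz` rule, which accepts everything. A short comment above `rules =` stating both facts, e.g. `# order matters: 220->22 keeps router ssh reachable; the dnat below forwards ALL other WAN ipv4 to the exposed host`, would protect against a later reorder. The enclosing `chains` attribute set starts and ends outside the hunk.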
@@ -211,149 +210,157 @@ in { # snippets.nnf-conntrack.enable = true; zones = { - lan.interfaces = [(mkInterfaceName {vlanid = 0;})]; - vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; + lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; + vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; # lan.ipv4Addresses = ["192.168.0.0/16"]; - wan.interfaces = ["wan" "lan0"]; - vpn.interfaces = ["wg0" "wg1" "wg2"]; + wan.interfaces = [ + "wan" + "lan0" + ]; + vpn.interfaces = [ + "wg0" + "wg1" + "wg2" + ]; } // # generate a zone for each vlan - lib.attrsets.mapAttrs - (key: value: { - interfaces = [(mkInterfaceName {vlanid = value.id;})]; - }) - vlansByName; - rules = let - ipv6IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "packet-too-big" - "parameter-problem" - "time-exceeded" + lib.attrsets.mapAttrs (_key: value: { + interfaces = [ (mkInterfaceName { vlanid = value.id; }) ]; + }) vlansByName; + rules = + let + ipv6IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "packet-too-big" + "parameter-problem" + "time-exceeded" - # Without the nd-* ones ipv6 will not work. 
- "nd-neighbor-solicit" - "nd-router-advert" - "nd-neighbor-advert" - ]; - ipv4IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "source-quench" - "time-exceeded" - "router-advertisement" - ]; - allowIcmpLines = [ - "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" - "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" - ]; - in { - fw = { - from = ["fw"]; - verdict = "accept"; - }; - - office-to-dmz = { - from = ["office"]; - to = ["dmz"]; - verdict = "accept"; - }; - - lan-to-fw = { - from = ["lan"]; - to = ["fw" "lan"]; - verdict = "accept"; - }; - - lan-to-wan = { - from = ["lan"]; - to = ["wan"]; - verdict = "accept"; - }; - - vlan-to-wan = { - from = ["vlan"]; - to = ["wan"]; - verdict = "accept"; - }; - - vlan-to-fw = { - allowedUDPPortRanges = [ - { - from = 53; - to = 53; - } - { - from = 67; - to = 68; - } - { - from = 5201; - to = 5201; - } + # Without the nd-* ones ipv6 will not work. 
+ "nd-neighbor-solicit" + "nd-router-advert" + "nd-neighbor-advert" ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - { - from = 53; - to = 53; - } - { - from = 5201; - to = 5201; - } + ipv4IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "source-quench" + "time-exceeded" + "router-advertisement" ]; - from = ["vlan"]; - to = ["fw"]; - extraLines = - allowIcmpLines - ++ [ - "drop" + allowIcmpLines = [ + "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" + "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" + ]; + in + { + fw = { + from = [ "fw" ]; + verdict = "accept"; + }; + + office-to-dmz = { + from = [ "office" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + lan-to-fw = { + from = [ "lan" ]; + to = [ + "fw" + "lan" ]; - }; + verdict = "accept"; + }; - to-wan-nat = { - from = ["lan" "vlan"]; - to = ["wan"]; - masquerade = true; - verdict = "accept"; - }; + lan-to-wan = { + from = [ "lan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; - wan-to-dmz = { - from = ["wan"]; - to = ["dmz"]; - verdict = "accept"; - }; + vlan-to-wan = { + from = [ "vlan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; - wan-to-fw = { - from = ["wan"]; - to = ["fw"]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - ]; - extraLines = - allowIcmpLines - ++ [ - "drop" + vlan-to-fw = { + allowedUDPPortRanges = [ + { + from = 53; + to = 53; + } + { + from = 67; + to = 68; + } + { + from = 5201; + to = 5201; + } ]; - }; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + { + from = 53; + to = 53; + } + { + from = 5201; + to = 5201; + } + ]; + from = [ "vlan" ]; + to = [ "fw" ]; + extraLines = allowIcmpLines ++ [ "drop" ]; + }; - to-vpn-nat = { - from = ["lan" "vlan"]; - to = ["vpn"]; - masquerade = false; - verdict = "accept"; + to-wan-nat = { + from = [ + "lan" + "vlan" + ]; + to = [ "wan" ]; + masquerade = true; + verdict = "accept"; + }; + + 
wan-to-dmz = { + from = [ "wan" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + wan-to-fw = { + from = [ "wan" ]; + to = [ "fw" ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + ]; + extraLines = allowIcmpLines ++ [ "drop" ]; + }; + + to-vpn-nat = { + from = [ + "lan" + "vlan" + ]; + to = [ "vpn" ]; + masquerade = false; + verdict = "accept"; + }; }; - }; }; }; }; @@ -377,49 +384,14 @@ in { systemd.network = { wait-online.anyInterface = true; - netdevs = let - router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${ - builtins.toString - repoFlake - .nixosConfigurations - .router0-ifog - .config - .systemd - .network - .netdevs - .wg0 - .wireguardConfig - .ListenPort - }"; + netdevs = + let + router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${ - builtins.toString - repoFlake - .nixosConfigurations - .router0-ifog - .config - .systemd - .network - .netdevs - .wg1 - .wireguardConfig - .ListenPort - }"; + router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}"; - router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${ - builtins.toString - repoFlake - .nixosConfigurations - .router0-hosthatch - .config - .systemd - .network - .netdevs - .wg0 - .wireguardConfig - .ListenPort - }"; - in + router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; + in { # Create the bridge interface "20-${bridgeInterfaceName}" = { 
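Review bot: The three `router0-*_wg*Endpoint` bindings in the `netdevs` let-block are now single lines of well over 200 characters that repeat the same `repoFlake.nixosConfigurations.<node>.config.systemd.network.netdevs.<dev>.wireguardConfig.ListenPort` path three times; the formatter cannot break inside the string interpolation, so the duplication is the real cause. Factoring the lookup into one small helper keeps each endpoint on a readable line and makes it obvious that the port is read from the peer's own WireGuard netdev. The `netdevs` block continues past the end of the hunk.
```nix
netdevs =
  let
    # "host:port" of a peer router's WireGuard netdev, taken from that node's own config
    mkEndpoint =
      node: dev:
      "${repoFlake.colmena.${node}.deployment.targetHost}:${
        builtins.toString
          repoFlake.nixosConfigurations.${node}.config.systemd.network.netdevs.${dev}.wireguardConfig.ListenPort
      }";

    router0-ifog_wg0Endpoint = mkEndpoint "router0-ifog" "wg0";
    router0-ifog_wg1Endpoint = mkEndpoint "router0-ifog" "wg1";
    router0-hosthatch_wg0Endpoint = mkEndpoint "router0-hosthatch" "wg0";
  in
  # … unchanged: bridge, vlan and wireguard netdev definitions …
```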
@@ -536,75 +508,71 @@ in { }; } # generate the vlan devices. these will be tagged on the main bridge - // builtins.foldl' - (acc: cur: acc // cur) - {} - ( + // builtins.foldl' (acc: cur: acc // cur) { } ( builtins.map - ({ - vlanid, - vlanid', - }: { - "20-${mkInterfaceName {inherit vlanid;}}" = { - netdevConfig = { - Kind = "vlan"; - Name = "${mkInterfaceName {inherit vlanid;}}"; - }; - vlanConfig.Id = vlanid; - }; - }) - ( - builtins.map - (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) - vlanRange - ) + ( + { vlanid, vlanid' }: + { + "20-${mkInterfaceName { inherit vlanid; }}" = { + netdevConfig = { + Kind = "vlan"; + Name = "${mkInterfaceName { inherit vlanid; }}"; + }; + vlanConfig.Id = vlanid; + }; + } + ) + ( + builtins.map (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange + ) ); - networks = let - commonWanOptions = { - networkConfig = { - # start a DHCP Client for IPv4/6 Addressing/Routing - DHCP = true; - DNSOverTLS = true; - DNSSEC = true; - IPForward = true; + networks = + let + commonWanOptions = { + networkConfig = { + # start a DHCP Client for IPv4/6 Addressing/Routing + DHCP = true; + DNSOverTLS = true; + DNSSEC = true; + IPForward = true; - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - IPv6PrivacyExtensions = false; - DHCPPrefixDelegation = true; - }; - dhcpV4Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - }; - dhcpV6Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - PrefixDelegationHint = "::/56"; - UseDelegatedPrefix = true; - WithoutRA = "solicit"; - }; - ipv6AcceptRAConfig = { - UseDNS = false; - UseDomains = false; - }; + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + IPv6PrivacyExtensions = false; + DHCPPrefixDelegation = true; + }; + dhcpV4Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + }; + 
dhcpV6Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + PrefixDelegationHint = "::/56"; + UseDelegatedPrefix = true; + WithoutRA = "solicit"; + }; + ipv6AcceptRAConfig = { + UseDNS = false; + UseDomains = false; + }; - # TODO: enable these somehow - # extraConfig = '' - # [IPv6AcceptRA] - # # FIXME: supported in nixos-24.11 - # DHCPv6Client=solicit + # TODO: enable these somehow + # extraConfig = '' + # [IPv6AcceptRA] + # # FIXME: supported in nixos-24.11 + # DHCPv6Client=solicit - # # FIXME: not supported at all yet - # UsePREF64=true - # ''; - }; - in + # # FIXME: not supported at all yet + # UsePREF64=true + # ''; + }; + in { # places options here that should always exist "lo" = { @@ -771,7 +739,7 @@ in { # Configure the bridge for its desired function "40-${bridgeInterfaceName}" = { matchConfig.Name = bridgeInterfaceName; - bridgeConfig = {}; + bridgeConfig = { }; address = [ (mkVlanIpv4HostAddr { vlanid = 0; @@ -793,19 +761,13 @@ in { } ]; - vlan = ( - builtins.map - (vlanid: (mkInterfaceName {inherit vlanid;})) - vlanRange - ); + vlan = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; }; "50-wg0" = { enable = true; matchConfig.Name = "wg0"; - address = [ - "10.0.0.1/31" - ]; + address = [ "10.0.0.1/31" ]; routes = [ # { @@ -820,9 +782,7 @@ in { "50-wg1" = { enable = true; matchConfig.Name = "wg1"; - address = [ - "10.0.0.3/31" - ]; + address = [ "10.0.0.3/31" ]; routes = [ # { # routeConfig = { @@ -836,9 +796,7 @@ in { "50-wg2" = { enable = true; matchConfig.Name = "wg2"; - address = [ - "10.0.1.1/31" - ]; + address = [ "10.0.1.1/31" ]; routes = [ # TODO: add a testing route here 
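Review bot: `DNSOverTLS = true` and `DNSSEC = true` in `commonWanOptions.networkConfig` are per-link settings that are acted on by systemd-resolved, and this configuration disables resolved (`services.resolved.enable = false` appears further down the file), so as far as I can tell they currently have no effect while reading as if WAN DNS were validated and encrypted. Either drop the two lines or mark them, e.g. `# NOTE: only honoured by systemd-resolved, which is disabled in this config`, so a later reader does not assume DNSSEC is in force. The `networks` let-block continues past the end of the hunk.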
@@ -849,280 +807,278 @@ in { # * netdev type vlan # * host address for vlan # * vlan config for wlan interface - // builtins.foldl' - (acc: cur: acc // cur) - {} - (builtins.map - ({ - vlanid, - vlanid', - }: { - # configure the tagged vlan device with an address and vlan filtering. - # dnsmasq is configured to serve the respective /24 range on each tagged device. - # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. - "41-${mkInterfaceName {inherit vlanid;}}" = { - matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; - address = [ - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 1; - }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; + // builtins.foldl' (acc: cur: acc // cur) { } ( + builtins.map + ( + { vlanid, vlanid' }: + { + # configure the tagged vlan device with an address and vlan filtering. + # dnsmasq is configured to serve the respective /24 range on each tagged device. + # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. + "41-${mkInterfaceName { inherit vlanid; }}" = { + matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; + address = [ + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; - # the client shouldn't be allowed to send us RAs, that would be weird. - IPv6AcceptRA = false; + # the client shouldn't be allowed to send us RAs, that would be weird. 
+ IPv6AcceptRA = false; - DHCPPrefixDelegation = true; - IPv6SendRA = true; - }; - - dhcpPrefixDelegationConfig = { - UplinkInterface = "wan"; - Assign = true; - SubnetId = vlanid; - Announce = true; - }; - - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; + DHCPPrefixDelegation = true; + IPv6SendRA = true; }; - } - ]; - }; - # configure the wlan interface as a bridge member that - # * only gets traffic for vid 15 - # * untags traffic after receiving it - # * tags traffic that comes out of it - "41-wlan0.${vlanid'}" = { - matchConfig.Name = "wlan0.${vlanid'}"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - - linkConfig.RequiredForOnline = "no"; - - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; - PVID = vlanid; - EgressUntagged = vlanid; + dhcpPrefixDelegationConfig = { + UplinkInterface = "wan"; + Assign = true; + SubnetId = vlanid; + Announce = true; }; - } - ]; - }; - # "50-${mkInterfaceName {inherit vlanid;}}" = { - # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; - # address = [ - # (mkVlanIpv4HostAddr { - # inherit vlanid; - # host = 1; - # }) - # ]; - # networkConfig = { - # ConfigureWithoutCarrier = true; - # }; - # linkConfig.RequiredForOnline = "no"; - # }; - }) - ( - builtins.map - (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) - vlanRange - )); + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; + + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; + }; + } + ]; + }; + + # configure the wlan interface as a bridge member that + # * only gets traffic for vid 15 + # * untags traffic after receiving it + # * tags traffic that comes out of it + "41-wlan0.${vlanid'}" = { + matchConfig.Name = "wlan0.${vlanid'}"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + + 
linkConfig.RequiredForOnline = "no"; + + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; + PVID = vlanid; + EgressUntagged = vlanid; + }; + } + ]; + }; + + # "50-${mkInterfaceName {inherit vlanid;}}" = { + # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; + # address = [ + # (mkVlanIpv4HostAddr { + # inherit vlanid; + # host = 1; + # }) + # ]; + # networkConfig = { + # ConfigureWithoutCarrier = true; + # }; + # linkConfig.RequiredForOnline = "no"; + # }; + } + ) + ( + builtins.map (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange + ) + ); }; # wireless access point services.hostapd = { enable = true; # package = nodeFlake.packages.${system}.hostapd_patched; - radios = let - # generated with https://miniwebtool.com/mac-address-generator/ - mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; - in { - wlan0 = { - band = "2g"; - # FIXME: apparently setting this could cause bugs, testing disabling it for a while. - # countryCode = "CH"; - channel = 0; # 0 would mean Automatic Channel Selection + radios = + let + # generated with https://miniwebtool.com/mac-address-generator/ + mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; + in + { + wlan0 = { + band = "2g"; + # FIXME: apparently setting this could cause bugs, testing disabling it for a while. + # countryCode = "CH"; + channel = 0; # 0 would mean Automatic Channel Selection - settings = { - # TODO: this would be faster but x13s on windows can't connect when it's enabled. - # ieee80211n = 1; + settings = { + # TODO: this would be faster but x13s on windows can't connect when it's enabled. + # ieee80211n = 1; - # Exclude DFS channels from ACS - # This option can be used to exclude all DFS channels from the ACS channel list - # in cases where the driver supports DFS channels. - acs_exclude_dfs = 0; - }; + # Exclude DFS channels from ACS + # This option can be used to exclude all DFS channels from the ACS channel list + # in cases where the driver supports DFS channels. 
+ acs_exclude_dfs = 0; + }; - # use 'iw phy#1 info' to determine your VHT capabilities - wifi4 = { - enable = true; - require = false; - capabilities = [ - "HT20" - "HT40+" - "LDPC" - "SHORT-GI-20" - "SHORT-GI-40" - "TX-STBC" - "RX-STBC1" - "MAX-AMSDU-7935" + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + require = false; + capabilities = [ + "HT20" + "HT40+" + "LDPC" + "SHORT-GI-20" + "SHORT-GI-40" + "TX-STBC" + "RX-STBC1" + "MAX-AMSDU-7935" - "40-INTOLERANT" + "40-INTOLERANT" - # not supported by BPI-R3 module - # "DELAYED-BA" - # "DSSS_CCK-40" - ]; - }; + # not supported by BPI-R3 module + # "DELAYED-BA" + # "DSSS_CCK-40" + ]; + }; - wifi5 = { - enable = false; - require = false; - }; + wifi5 = { + enable = false; + require = false; + }; - wifi6 = { - enable = false; - require = false; - }; + wifi6 = { + enable = false; + require = false; + }; - networks = { - wlan0 = let - iface = "wlan0"; - in { - ssid = "mlsia"; - bssid = mkBssid 0; - - # enables debug logging - logLevel = 0; - - authentication.mode = - "wpa2-sha256" - # "wpa3-sae-transition" - # "wpa3-sae" - ; - - authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; - - # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do - # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - - # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference - settings = { - # disable syslog because it duplicates stdout - logger_syslog = lib.mkForce 0; - - # bridge = bridgeInterfaceName; - - # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; - # not yet supported on hostapd 2.10 - # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - - # resources on vlan tagging - # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging - # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - - 
dynamic_vlan = 1; - # this option currently requires a patch to hostapd - vlan_no_bridge = 1; - - /* - not used due to the above vlan_no_bridge setting - vlan_tagged_interface = bridgeInterfaceName; - vlan_naming = 1; - vlan_bridge = "br-${iface}."; - */ - - vlan_file = let - generated = - builtins.map - ( - vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" - ) - vlanRange; - - wildcard = [ - # Optional wildcard entry matching all VLAN IDs. The first # in the interface - # name will be replaced with the VLAN ID. The network interfaces are created - # (and removed) dynamically based on the use. - # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan - "* ${iface}.#" - ]; - - file = - pkgs.writeText "hostapd.vlan" - (builtins.concatStringsSep "\n" (generated ++ wildcard)); - filePath = toString file; + networks = { + wlan0 = + let + iface = "wlan0"; in - filePath; + { + ssid = "mlsia"; + bssid = mkBssid 0; - wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ - "WPA-PSK" + # enables debug logging + logLevel = 0; - # TODO: the printer can't connect when this is on - # "WPA-PSK-SHA256" + authentication.mode = "wpa2-sha256" + # "wpa3-sae-transition" + # "wpa3-sae" + ; - # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them - # "SAE" - ]); + authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; - # wpa_psk_radius = 0; - wpa_pairwise = "CCMP"; - wmm_enabled = 1; + # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do + # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - # IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks. 
- # 0 := disabled; 1 := optional; 2 := required - ieee80211w = 1; - # sae_require_mfp = 1; - # sae_groups = "19 20 21"; + # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference + settings = { + # disable syslog because it duplicates stdout + logger_syslog = lib.mkForce 0; - # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) - tls_flags = "[ENABLE-TLSv1.3]"; + # bridge = bridgeInterfaceName; - # TODO: debugging for wifi drops happens below here - # Require IEEE 802.1X authorization - ieee8021x = 0; + # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; + # not yet supported on hostapd 2.10 + # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - # Optionally, hostapd can be configured to use an integrated EAP server - # to process EAP authentication locally without need for an external RADIUS - # server. This functionality can be used both as a local authentication server - # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. + # resources on vlan tagging + # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging + # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - # Use integrated EAP server instead of external RADIUS authentication - # server. This is also needed if hostapd is configured to act as a RADIUS - # authentication server. - eap_server = 0; + dynamic_vlan = 1; + # this option currently requires a patch to hostapd + vlan_no_bridge = 1; - # Disassociate stations based on excessive transmission failures or other - # indications of connection loss. This depends on the driver capabilities and - # may not be available with all drivers. 
- disassoc_low_ack = 0; + /* + not used due to the above vlan_no_bridge setting + vlan_tagged_interface = bridgeInterfaceName; + vlan_naming = 1; + vlan_bridge = "br-${iface}."; + */ - skip_inactivity_poll = 1; + vlan_file = + let + generated = builtins.map ( + vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" + ) vlanRange; - # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. - multicast_to_unicast = 0; - }; + wildcard = [ + # Optional wildcard entry matching all VLAN IDs. The first # in the interface + # name will be replaced with the VLAN ID. The network interfaces are created + # (and removed) dynamically based on the use. + # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan + "* ${iface}.#" + ]; + + file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard)); + filePath = toString file; + in + filePath; + + wpa_key_mgmt = lib.mkForce ( + builtins.concatStringsSep " " [ + "WPA-PSK" + + # TODO: the printer can't connect when this is on + # "WPA-PSK-SHA256" + + # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them + # "SAE" + ] + ); + + # wpa_psk_radius = 0; + wpa_pairwise = "CCMP"; + wmm_enabled = 1; + + # IEEE 802.11i (authentication) related configuration + # Encrypt management frames to protect against deauthentication and similar attacks. + # 0 := disabled; 1 := optional; 2 := required + ieee80211w = 1; + # sae_require_mfp = 1; + # sae_groups = "19 20 21"; + + # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) + tls_flags = "[ENABLE-TLSv1.3]"; + + # TODO: debugging for wifi drops happens below here + # Require IEEE 802.1X authorization + ieee8021x = 0; + + # Optionally, hostapd can be configured to use an integrated EAP server + # to process EAP authentication locally without need for an external RADIUS + # server. 
This functionality can be used both as a local authentication server + # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. + + # Use integrated EAP server instead of external RADIUS authentication + # server. This is also needed if hostapd is configured to act as a RADIUS + # authentication server. + eap_server = 0; + + # Disassociate stations based on excessive transmission failures or other + # indications of connection loss. This depends on the driver capabilities and + # may not be available with all drivers. + disassoc_low_ack = 0; + + skip_inactivity_poll = 1; + + # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. + multicast_to_unicast = 0; + }; + }; }; }; }; - }; }; services.resolved.enable = false; @@ -1150,38 +1106,35 @@ in { # v6 config enable-ra = true; - dhcp-range = let - mkDhcpRange = { - tag, - vlanid, - }: - builtins.concatStringsSep "," [ - tag - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 100; - cidr = false; - }) - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 199; - cidr = false; - }) - "12h" - # "slaac" - # "ra-stateless" - # "ra-names" - ]; - in - builtins.map - ( + dhcp-range = + let + mkDhcpRange = + { tag, vlanid }: + builtins.concatStringsSep "," [ + tag + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 100; + cidr = false; + }) + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 199; + cidr = false; + }) + "12h" + # "slaac" + # "ra-stateless" + # "ra-names" + ]; + in + builtins.map ( vlanid: - mkDhcpRange { - tag = mkInterfaceName {inherit vlanid;}; - inherit vlanid; - } - ) - vlanRangeWith0; + mkDhcpRange { + tag = mkInterfaceName { inherit vlanid; }; + inherit vlanid; + } + ) vlanRangeWith0; dhcp-host = builtins.concatStringsSep "," [ dmzExposedHostMACaddr 
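Review bot: `authentication.mode = "wpa2-sha256"` near the top of the `wlan0` network and `wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ "WPA-PSK" ... ])` in `settings` pull in opposite directions: the forced value is what ends up in hostapd.conf, so the effective key management is plain WPA-PSK whatever the mode name suggests (presumably the module would otherwise derive a SHA256 variant from the mode), and only the TODO at the second site explains why. A comment at the first site, e.g. `# NOTE: wpa_key_mgmt is mkForce'd to plain WPA-PSK in settings below (printer compat), so the SHA256 key mgmt implied here is not in effect`, keeps the two places in sync; the same applies to `ieee80211w = 1` (optional MFP), which is only as strong as the weakest client allows. The `services.hostapd` block begins and ends inside the hunk, but `configuration.nix` as a whole does not.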
@@ -1211,39 +1164,33 @@ in { ]; domain = - [ - "/${getVlanDomain {vlanid = 0;}}/,local" - ] - ++ builtins.map - ( - vlanid: "${getVlanDomain {inherit vlanid;}},${mkVlanIpv4HostAddr { - inherit vlanid; - host = 0; - cidr = true; - }},local" - ) - vlanRangeWith0; + [ "/${getVlanDomain { vlanid = 0; }}/,local" ] + ++ builtins.map ( + vlanid: + "${getVlanDomain { inherit vlanid; }},${ + mkVlanIpv4HostAddr { + inherit vlanid; + host = 0; + cidr = true; + } + },local" + ) vlanRangeWith0; # TODO: compare this to using `interface-name` - dynamic-host = - [ + dynamic-host = builtins.map ( + vlanid: + builtins.concatStringsSep "," [ + # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) + "${nodeName}.${getVlanDomain { inherit vlanid; }}" + "0.0.0.1" + (mkInterfaceName { inherit vlanid; }) ] - ++ builtins.map - ( - vlanid: - builtins.concatStringsSep "," [ - # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - "${nodeName}.${getVlanDomain {inherit vlanid;}}" - "0.0.0.1" - (mkInterfaceName {inherit vlanid;}) - ] - ) - vlanRangeWith0; + ) vlanRangeWith0; - dhcp-option-force = - builtins.map - (vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain {inherit vlanid;}}") - vlanRangeWith0; + dhcp-option-force = builtins.map ( + vlanid: + "${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}" + ) vlanRangeWith0; # auth-server = [ # (builtins.concatStringsSep "," [ diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix index 9dd8d5e..a0520dc 100644 --- a/nix/os/devices/router0-dmz0/default.nix +++ b/nix/os/devices/router0-dmz0/default.nix 
@@ -5,25 +5,24 @@ nodeFlake, localDomainName ? "internal", ... -}: { +}: +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system; + inherit + repoFlake + nodeName + nodeFlake + system + ; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - inherit - (nodeFlake.inputs.bpir3.packages.${system}) - armTrustedFirmwareMT7986 - ; + inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986; inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix index 41f2f35..fc8504b 100644 --- a/nix/os/devices/router0-dmz0/flake.nix +++ b/nix/os/devices/router0-dmz0/flake.nix @@ -18,8 +18,8 @@ # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile" # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile" "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile_mtkbump" - # "git+file:///home/steveej/src/others/nakato_nixos-sbc/" - ; + # "git+file:///home/steveej/src/others/nakato_nixos-sbc/" + ; nixos-sbc.inputs.nixpkgs.follows = "nixpkgs"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; 
@@ -39,43 +39,34 @@ # }; }; - outputs = { - self, - get-flake, - nixpkgs, - nixos-sbc, - ... - }: let - nativeSystem = "aarch64-linux"; - nodeName = "router0-dmz0"; + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + nativeSystem = "aarch64-linux"; + nodeName = "router0-dmz0"; - pkgs = nixpkgs.legacyPackages.${nativeSystem}; - pkgsCross = import self.inputs.nixpkgs { - system = "x86_64-linux"; - crossSystem = { - config = "aarch64-unknown-linux-gnu"; - }; - }; - - mkNixosConfiguration = {extraModules ? [], ...} @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs + mkNixosConfiguration = { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; - repoFlake = get-flake ../../../..; - nodeFlake = self; - }) - .meta - .nodeSpecialArgs - .${nodeName}; + repoFlake = get-flake ../../../..; + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; - modules = - [ + modules = [ ./configuration.nix # flake registry 
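Review bot: The commit message describes only the introduction of treefmt, but the `outputs` rewrite in this hunk also changes semantics: `nixos-sbc` is dropped from the destructured argument set and the `pkgs`/`pkgsCross` bindings are deleted outright. The same kind of unused-binding removal recurs across the series — `localDomainName` in router0-hosthatch/configuration.nix and router0-ifog/configuration.nix, `pkgs` in the sj-srv1 and sj-vps-htz0 configuration.nix files, `lib`/`repoFlake` in sj-vps-htz0/system.nix, `packages'`/`pkgs` in srv0-dmz0/configuration.nix, and the `keys`/`passwords`/`config`/`lib` bindings in the srv0.home-ch and steveej-pa600 system.nix, user.nix and pkg.nix files. Presumably these are bindings a linter reported as unused, but a reader bisecting or auditing a "fmt all" commit will not expect code removals in it; a sentence in the description such as `Also drop unused module arguments and let-bindings flagged during the formatter run.` would make the non-formatting part of the change visible. The `mkNixosConfiguration` definition and the `outputs` body continue in the next hunk.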
@@ -83,34 +74,30 @@ nixpkgs.overlays = builtins.attrValues self.overlays; nix.registry.nixpkgs.flake = nixpkgs; } - ] - ++ extraModules; - } - ); - in { - nixosConfigurations = { - native = mkNixosConfiguration { - system = nativeSystem; - }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; + ] ++ extraModules; } - ]; - }; - }; + ); + in + { + nixosConfigurations = { + native = mkNixosConfiguration { system = nativeSystem; }; - overlays.default = final: previous: { - hostapd = previous.hostapd.overrideDerivation (attrs: { - patches = - attrs.patches - ++ [ + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; + } + ]; + }; + }; + + overlays.default = _final: previous: { + hostapd = previous.hostapd.overrideDerivation (attrs: { + patches = attrs.patches ++ [ "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" ]; - }); + }); + }; }; - }; } diff --git a/nix/os/devices/router0-hosthatch/configuration.nix b/nix/os/devices/router0-hosthatch/configuration.nix index b6b2146..af02b3d 100644 --- a/nix/os/devices/router0-hosthatch/configuration.nix +++ b/nix/os/devices/router0-hosthatch/configuration.nix @@ -5,11 +5,11 @@ config, nodeFlake, nodeName, - localDomainName, system, variables, ... -}: { +}: +{ system.stateVersion = "24.05"; imports = [ @@ -48,7 +48,7 @@ boot.loader.grub.efiSupport = false; # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce ["/dev/vda"]; + boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; disko.devices.disk.vda = { device = "/dev/vda"; 
@@ -64,14 +64,14 @@ size = "100%"; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; mountpoint = "/nix"; }; "/boot" = { @@ -156,9 +156,7 @@ interface = "eth0"; address = variables.ipv4gateway; }; - nameservers = [ - variables.ipv4dns - ]; + nameservers = [ variables.ipv4dns ]; # these will be configured via nftables nat.enable = lib.mkForce false; @@ -176,17 +174,20 @@ snippets.nnf-common.enable = true; zones.wan = { - interfaces = ["eth0"]; + interfaces = [ "eth0" ]; }; zones.vpn = { - interfaces = ["wg0" "wg1"]; + interfaces = [ + "wg0" + "wg1" + ]; }; rules = { to-fw = { from = "all"; - to = ["fw"]; + to = [ "fw" ]; verdict = "drop"; allowedTCPPorts = [ @@ -202,8 +203,8 @@ }; vpn-to-wan-nat = { - from = ["vpn"]; - to = ["wan"]; + from = [ "vpn" ]; + to = [ "wan" ]; masquerade = true; verdict = "accept"; }; @@ -283,9 +284,7 @@ systemd.network.networks.wg0 = { enable = true; matchConfig.Name = "wg0"; - address = [ - "10.0.1.0/31" - ]; + address = [ "10.0.1.0/31" ]; routes = [ { @@ -299,9 +298,7 @@ systemd.network.networks.wg1 = { enable = true; matchConfig.Name = "wg1"; - address = [ - "10.0.1.2/31" - ]; + address = [ "10.0.1.2/31" ]; routes = [ { diff --git a/nix/os/devices/router0-hosthatch/default.nix b/nix/os/devices/router0-hosthatch/default.nix index 202e206..fd2c485 100644 --- a/nix/os/devices/router0-hosthatch/default.nix +++ b/nix/os/devices/router0-hosthatch/default.nix 
@@ -4,20 +4,24 @@ repoFlake, nodeFlake, ... -}: let +}: +let variables = import ./variables.crypt.nix; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system variables; + inherit + repoFlake + nodeName + nodeFlake + system + variables + ; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = variables.ipv4; diff --git a/nix/os/devices/router0-hosthatch/flake.nix b/nix/os/devices/router0-hosthatch/flake.nix index 6e7501b..3057b9a 100644 --- a/nix/os/devices/router0-hosthatch/flake.nix +++ b/nix/os/devices/router0-hosthatch/flake.nix @@ -15,5 +15,5 @@ nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/router0-ifog/configuration.nix b/nix/os/devices/router0-ifog/configuration.nix index 6aadabb..9bc91ee 100644 --- a/nix/os/devices/router0-ifog/configuration.nix +++ b/nix/os/devices/router0-ifog/configuration.nix @@ -5,11 +5,11 @@ config, nodeFlake, nodeName, - localDomainName, system, variables, ... -}: { +}: +{ system.stateVersion = "23.11"; imports = [ @@ -48,7 +48,7 @@ boot.loader.grub.efiSupport = false; # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce ["/dev/vda"]; + boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; disko.devices.disk.vda = { device = "/dev/vda"; 
@@ -64,14 +64,14 @@ size = "100%"; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; mountpoint = "/nix"; }; "/boot" = { @@ -156,9 +156,7 @@ interface = "eth0"; address = variables.ipv4gateway; }; - nameservers = [ - variables.ipv4dns - ]; + nameservers = [ variables.ipv4dns ]; # these will be configured via nftables nat.enable = lib.mkForce false; @@ -176,17 +174,20 @@ snippets.nnf-common.enable = true; zones.wan = { - interfaces = ["eth0"]; + interfaces = [ "eth0" ]; }; zones.vpn = { - interfaces = ["wg0" "wg1"]; + interfaces = [ + "wg0" + "wg1" + ]; }; rules = { to-fw = { from = "all"; - to = ["fw"]; + to = [ "fw" ]; verdict = "drop"; allowedTCPPorts = [ @@ -202,8 +203,8 @@ }; vpn-to-wan-nat = { - from = ["vpn"]; - to = ["wan"]; + from = [ "vpn" ]; + to = [ "wan" ]; masquerade = true; verdict = "accept"; }; @@ -283,9 +284,7 @@ systemd.network.networks.wg0 = { enable = true; matchConfig.Name = "wg0"; - address = [ - "10.0.0.0/31" - ]; + address = [ "10.0.0.0/31" ]; routes = [ { @@ -299,9 +298,7 @@ systemd.network.networks.wg1 = { enable = true; matchConfig.Name = "wg1"; - address = [ - "10.0.0.2/31" - ]; + address = [ "10.0.0.2/31" ]; routes = [ { diff --git a/nix/os/devices/router0-ifog/default.nix b/nix/os/devices/router0-ifog/default.nix index 202e206..fd2c485 100644 --- a/nix/os/devices/router0-ifog/default.nix +++ b/nix/os/devices/router0-ifog/default.nix 
@@ -4,20 +4,24 @@ repoFlake, nodeFlake, ... -}: let +}: +let variables = import ./variables.crypt.nix; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system variables; + inherit + repoFlake + nodeName + nodeFlake + system + variables + ; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = variables.ipv4; diff --git a/nix/os/devices/router0-ifog/flake.nix b/nix/os/devices/router0-ifog/flake.nix index 6e7501b..3057b9a 100644 --- a/nix/os/devices/router0-ifog/flake.nix +++ b/nix/os/devices/router0-ifog/flake.nix @@ -15,5 +15,5 @@ nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/sj-srv1/boot.nix b/nix/os/devices/sj-srv1/boot.nix index 59a5051..974f788 100644 --- a/nix/os/devices/sj-srv1/boot.nix +++ b/nix/os/devices/sj-srv1/boot.nix @@ -1,3 +1 @@ -{lib, ...}: { - boot.extraModulePackages = []; -} +_: { boot.extraModulePackages = [ ]; } diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix index bada0c3..9f49bd1 100644 --- a/nix/os/devices/sj-srv1/configuration.nix +++ b/nix/os/devices/sj-srv1/configuration.nix @@ -1,10 +1,6 @@ +{ nodeName, config, ... }: { - nodeName, - config, - pkgs, - ... -}: { - disabledModules = []; + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix { diff --git a/nix/os/devices/sj-srv1/default.nix b/nix/os/devices/sj-srv1/default.nix index 94458cb..6ec896d 100644 --- a/nix/os/devices/sj-srv1/default.nix +++ b/nix/os/devices/sj-srv1/default.nix 
@@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "${nodeName}.dmz.internal"; diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix index 5d25964..20a919c 100644 --- a/nix/os/devices/sj-srv1/flake.nix +++ b/nix/os/devices/sj-srv1/flake.nix @@ -12,5 +12,5 @@ inputs.nixpkgs_forgejo.url = "github:NixOS/nixpkgs/af4ac075a3e97cb239078e187112afdf380cd47b"; # nixpkgs_forgejo.url = "github:steveej-forks/nixpkgs/9c3519ab3beb11b8d997281f8922330f707df419"; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix index 65a001d..328266b 100644 --- a/nix/os/devices/sj-srv1/hw.nix +++ b/nix/os/devices/sj-srv1/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "virtio_balloon" "virtio_scsi" @@ -38,7 +39,8 @@ "cdc_ether" "uas" ]; -in { +in +{ hardware.opinionatedDisk = { enable = true; encrypted = false; diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix index 978ce76..5aea904 100644 --- a/nix/os/devices/sj-srv1/system.nix +++ b/nix/os/devices/sj-srv1/system.nix 
@@ -6,29 +6,29 @@ nodeFlake, nodeName, ... -}: let +}: +let hostBridgeAddress = "192.168.101.1"; -in { +in +{ imports = [ ../../snippets/systemd-resolved.nix { # make sure it uses the DNS that comes in via DHCP - networking.nameservers = lib.mkForce []; + networking.nameservers = lib.mkForce [ ]; services.resolved.enable = true; # provide DNS to the containers services.resolved.extraConfig = '' DNSStubListenerExtra=${hostBridgeAddress} ''; - networking.firewall.interfaces.br0.allowedTCPPorts = [53]; - networking.firewall.interfaces.br0.allowedUDPPorts = [53]; + networking.firewall.interfaces.br0.allowedTCPPorts = [ 53 ]; + networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 ]; } ]; programs.wireshark.enable = true; - environment.systemPackages = [ - pkgs.dnsutils - ]; + environment.systemPackages = [ pkgs.dnsutils ]; networking.firewall.enable = true; networking.nftables.enable = true; @@ -48,13 +48,13 @@ in { networking.nat = { enable = true; - internalInterfaces = ["br0"]; + internalInterfaces = [ "br0" ]; externalInterface = "dmz0"; }; networking.bridges = { br0 = { - interfaces = []; + interfaces = [ ]; }; }; networking.interfaces = { @@ -89,9 +89,7 @@ in { networkConfig.LinkLocalAddressing = "no"; # TODO: i'm not sure if and if so why this is required - macvlan = [ - "dmz0" - ]; + macvlan = [ "dmz0" ]; DHCP = "no"; }; 
@@ -111,45 +109,49 @@ in { }; # virtualization - virtualisation = {docker.enable = false;}; + virtualisation = { + docker.enable = false; + }; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix - services.restic.backups.${nodeName} = let - btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; - in { - initialize = true; - repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; + services.restic.backups.${nodeName} = + let + btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; + in + { + initialize = true; + repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; - paths = [ - "/backup" - ]; + paths = [ "/backup" ]; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 5" - "--keep-monthly 12" - "--keep-yearly 2" - ]; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 2" + ]; - timerConfig = { - OnCalendar = lib.mkDefault "daily"; - Persistent = true; + timerConfig = { + OnCalendar = lib.mkDefault "daily"; + Persistent = true; + }; + + passwordFile = config.sops.secrets.restic-password.path; + + backupPrepareCommand = '' + ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes + ''; + backupCleanupCommand = '' + ${btrfs} su delete /backup/container-volumes + ''; }; - passwordFile = config.sops.secrets.restic-password.path; - - backupPrepareCommand = '' - ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes - ''; - backupCleanupCommand = '' - ${btrfs} su delete /backup/container-volumes - ''; - }; - containers = { mailserver = import ../../containers/mailserver.nix { specialArgs = { 
@@ -167,25 +169,23 @@ in { sievePort = 4190; }; - webserver = - import ../../containers/webserver.nix - { - specialArgs = { - inherit repoFlake nodeFlake; - hostAddress = hostBridgeAddress; - }; - - autoStart = true; - - hostBridge = "br0"; + webserver = import ../../containers/webserver.nix { + specialArgs = { + inherit repoFlake nodeFlake; hostAddress = hostBridgeAddress; - localAddress = "192.168.101.11/24"; - - httpPort = 80; - httpsPort = 443; - forgejoSshPort = 2222; }; + autoStart = true; + + hostBridge = "br0"; + hostAddress = hostBridgeAddress; + localAddress = "192.168.101.11/24"; + + httpPort = 80; + httpsPort = 443; + forgejoSshPort = 2222; + }; + syncthing = import ../../containers/syncthing.nix { specialArgs = { inherit repoFlake nodeFlake; diff --git a/nix/os/devices/sj-vps-htz0/boot.nix b/nix/os/devices/sj-vps-htz0/boot.nix index 5713789..ed21f9c 100644 --- a/nix/os/devices/sj-vps-htz0/boot.nix +++ b/nix/os/devices/sj-vps-htz0/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/devices/sj-vps-htz0/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix index b734123..0f9e008 100644 --- a/nix/os/devices/sj-vps-htz0/configuration.nix +++ b/nix/os/devices/sj-vps-htz0/configuration.nix @@ -1,10 +1,6 @@ +{ nodeName, config, ... }: { - nodeName, - config, - pkgs, - ... -}: { - disabledModules = []; + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix { diff --git a/nix/os/devices/sj-vps-htz0/default.nix b/nix/os/devices/sj-vps-htz0/default.nix index 12e0271..7683a53 100644 --- a/nix/os/devices/sj-vps-htz0/default.nix +++ b/nix/os/devices/sj-vps-htz0/default.nix 
@@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "${nodeName}.infra.stefanjunker.de"; diff --git a/nix/os/devices/sj-vps-htz0/flake.nix b/nix/os/devices/sj-vps-htz0/flake.nix index c315b8e..f8ca24f 100644 --- a/nix/os/devices/sj-vps-htz0/flake.nix +++ b/nix/os/devices/sj-vps-htz0/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/sj-vps-htz0/hw.nix b/nix/os/devices/sj-vps-htz0/hw.nix index 7566a02..080bb40 100644 --- a/nix/os/devices/sj-vps-htz0/hw.nix +++ b/nix/os/devices/sj-vps-htz0/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "virtio_balloon" "virtio_scsi" @@ -14,7 +15,8 @@ "pata_acpi" "ata_generic" ]; -in { +in +{ hardware.opinionatedDisk = { enable = true; encrypted = false; diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix index 7efcbbd..7380a35 100644 --- a/nix/os/devices/sj-vps-htz0/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -1,16 +1,14 @@ { pkgs, - lib, config, - repoFlake, nodeName, ... -}: let +}: +let wireguardPort = 51820; -in { - imports = [ - ../../snippets/systemd-resolved.nix - ]; +in +{ + imports = [ ../../snippets/systemd-resolved.nix ]; networking.firewall.enable = true; networking.nftables.enable = true; @@ -19,9 +17,7 @@ in { # iperf3 5201 ]; - networking.firewall.allowedUDPPorts = [ - wireguardPort - ]; + networking.firewall.allowedUDPPorts = [ wireguardPort ]; networking.firewall.logRefusedConnections = false; 
@@ -38,7 +34,7 @@ in { "prefixLength" = 29; } ]; - ipv6.addresses = []; + ipv6.addresses = [ ]; }; networking.defaultGateway = { @@ -53,7 +49,10 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-*" "wg*"]; + internalInterfaces = [ + "ve-*" + "wg*" + ]; externalInterface = "eth0"; }; @@ -70,15 +69,12 @@ in { networking.wireguard.interfaces.wg0 = { # eth0 MTU (1400) - 80 mtu = 1320; - ips = [ - "192.168.99.1/31" - ]; - listenPort = - wireguardPort; + ips = [ "192.168.99.1/31" ]; + listenPort = wireguardPort; privateKeyFile = config.sops.secrets.wg0-private.path; peers = [ { - allowedIPs = ["192.168.99.2/32"]; + allowedIPs = [ "192.168.99.2/32" ]; publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0="; presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path; } @@ -86,14 +82,18 @@ in { }; # virtualization - virtualisation = {docker.enable = false;}; + virtualisation = { + docker.enable = false; + }; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; - containers = {}; + containers = { }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; diff --git a/nix/os/devices/srv0-dmz0/README.md b/nix/os/devices/srv0-dmz0/README.md index 92893b6..c76c8a0 100644 --- a/nix/os/devices/srv0-dmz0/README.md +++ b/nix/os/devices/srv0-dmz0/README.md @@ -1,7 +1,6 @@ ## bootstrapping ``` -# TODO: generate an SSH host-key and deploy it via --extra-files +# TODO: generate an SSH host-key and deploy it via --extra-files nixos-anywhere --flake .\#srv0-dmz0 root@srv0.dmz0.noosphere.life ``` - diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix index b59afac..83c38ab 100644 --- a/nix/os/devices/srv0-dmz0/configuration.nix +++ b/nix/os/devices/srv0-dmz0/configuration.nix 
@@ -1,14 +1,14 @@ { modulesPath, repoFlake, - packages', - pkgs, config, ... -}: let +}: +let disk = "/dev/disk/by-id/ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN"; -in { - disabledModules = []; +in +{ + disabledModules = [ ]; imports = [ repoFlake.inputs.disko.nixosModules.disko repoFlake.inputs.srvos.nixosModules.server @@ -23,7 +23,7 @@ in { ]; ## bare-metal machines - srvos.boot.consoles = ["tty0"]; + srvos.boot.consoles = [ "tty0" ]; boot.loader.grub.enable = false; boot.loader.efi.canTouchEfiVariables = false; @@ -39,7 +39,7 @@ in { start = "0"; end = "1M"; part-type = "primary"; - flags = ["bios_grub"]; + flags = [ "bios_grub" ]; } { name = "ESP"; @@ -60,14 +60,14 @@ in { bootable = true; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; }; }; }; @@ -109,7 +109,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; @@ -119,9 +119,11 @@ in { # virtualization # virtualisation = {docker.enable = true;}; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; - containers = {}; + containers = { }; # sops.secrets.holochain-nomad-agent-ca = { # sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; diff --git a/nix/os/devices/srv0-dmz0/default.nix b/nix/os/devices/srv0-dmz0/default.nix index 5c0b7bb..3af624b 100644 --- a/nix/os/devices/srv0-dmz0/default.nix +++ b/nix/os/devices/srv0-dmz0/default.nix 
@@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "srv0.dmz0.noosphere.life"; diff --git a/nix/os/devices/srv0-dmz0/flake.nix b/nix/os/devices/srv0-dmz0/flake.nix index f2af929..2f27989 100644 --- a/nix/os/devices/srv0-dmz0/flake.nix +++ b/nix/os/devices/srv0-dmz0/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix index fe0b621..9ddbde9 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix @@ -1,4 +1,4 @@ -{lib, ...}: { +_: { boot.loader.grub.efiSupport = true; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix index 28a63fb..b29548c 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix @@ -1,5 +1,6 @@ -{...}: { - disabledModules = []; +{ ... }: +{ + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix index 8815036..a89e29a 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix 
@@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -17,7 +18,8 @@ "xhci_hcd" "xhci_pci" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix index b6c8038..607e7f3 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix @@ -1,16 +1,8 @@ +{ config, pkgs, ... }: { - config, - pkgs, - lib, - ... -}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; @@ -20,7 +12,12 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; maxJobs = 4; } ]; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix index e677958..84bb74d 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix @@ -1,11 +1,4 @@ -{ - pkgs, - lib, - config, - ... -}: let - keys = import ../../../variables/keys.nix; -in { +_: { # TASK: new device networking.hostName = "srv0"; # Define your hostname. # networking.domain = "home-ch.stefanjunker.de"; @@ -37,7 +30,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; 
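Review bot: The new `inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath;` in pkg.nix carries a redundant inner pair of parentheses: `inherit (expr) attr;` already parenthesises the source expression, so `inherit (import ../../../default.nix { versionsPath = ./versions.nix; }) nixPath;` is the conventional form and reads more clearly. The same doubled parentheses appear in steveej-pa600/pkg.nix and steveej-rmvbl-sdep0/configuration.nix. Since this replaces the old `(import …).nixPath` selection with an `inherit` rather than merely reformatting it, it is also worth a brief mention in the commit message.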
@@ -45,14 +38,20 @@ in { # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = {docker.enable = true;}; + virtualisation = { + docker.enable = true; + }; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; networking.useHostResolvConf = false; - services.resolved = {enable = true;}; + services.resolved = { + enable = true; + }; - containers = {}; + containers = { }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix index bb546e6..1bc2086 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix @@ -4,7 +4,8 @@ let ref = "nixos-22.05"; rev = "040c6d8374d090f46ab0e99f1f7c27a4529ecffd"; }; -in { +in +{ inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix index 511138c..5817e21 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix @@ -6,7 +6,8 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.05 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix index a15e1aa..d009275 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix 
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix index 6d8eadd..76ab1b9 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix @@ -1,4 +1,4 @@ -{...}: { +_: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix index 73d39d9..efe0db2 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix @@ -1,11 +1,7 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: let -in { services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"''; - users.groups.sgx = {}; + users.groups.sgx = { }; networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname. boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest; } diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix index 2b72309..e37d392 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix @@ -1,12 +1,9 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; +{ pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; -in { + inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; +in +{ users.extraUsers.sjunker = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; @@ -14,7 +11,7 @@ in { image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; }; - extraGroups = ["sgx"]; + extraGroups = [ "sgx" ]; subUidRanges = [ { diff --git a/nix/os/devices/steveej-pa600/boot.nix b/nix/os/devices/steveej-pa600/boot.nix index 4d8c1d1..639698f 100644 --- a/nix/os/devices/steveej-pa600/boot.nix +++ b/nix/os/devices/steveej-pa600/boot.nix 
@@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/steveej-pa600/configuration.nix b/nix/os/devices/steveej-pa600/configuration.nix index 37f4c61..68ad190 100644 --- a/nix/os/devices/steveej-pa600/configuration.nix +++ b/nix/os/devices/steveej-pa600/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-pa600/hw.nix b/nix/os/devices/steveej-pa600/hw.nix index a563c1a..651a6e2 100644 --- a/nix/os/devices/steveej-pa600/hw.nix +++ b/nix/os/devices/steveej-pa600/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -7,7 +8,8 @@ "xhci_pci" "hxci_hcd" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/steveej-pa600/pkg.nix b/nix/os/devices/steveej-pa600/pkg.nix index 1db742a..360c17b 100644 --- a/nix/os/devices/steveej-pa600/pkg.nix +++ b/nix/os/devices/steveej-pa600/pkg.nix @@ -1,11 +1,8 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; diff --git a/nix/os/devices/steveej-pa600/system.nix b/nix/os/devices/steveej-pa600/system.nix index 02256d8..2a4551a 100644 --- a/nix/os/devices/steveej-pa600/system.nix +++ b/nix/os/devices/steveej-pa600/system.nix 
@@ -1,11 +1,5 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - config, - ... -}: let - keys = import ../../../variables/keys.nix; -in { # TASK: new device networking.hostName = "steveej-pa600"; # Define your hostname. @@ -20,7 +14,11 @@ in { services.printing = { enable = true; - drivers = with pkgs; [hplip mfcl3770cdw.driver mfcl3770cdw.cupswrapper]; + drivers = with pkgs; [ + hplip + mfcl3770cdw.driver + mfcl3770cdw.cupswrapper + ]; }; services.fprintd.enable = true; @@ -29,9 +27,9 @@ in { sudo.fprintAuth = true; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; services.xserver.serverFlagsSection = '' Option "BlankTime" "0" Option "StandbyTime" "0" diff --git a/nix/os/devices/steveej-pa600/user.nix b/nix/os/devices/steveej-pa600/user.nix index 4b85fea..bb94098 100644 --- a/nix/os/devices/steveej-pa600/user.nix +++ b/nix/os/devices/steveej-pa600/user.nix @@ -1,12 +1,9 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; +{ pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; -in { + inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; +in +{ users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/steveej-pa600/versions.nix b/nix/os/devices/steveej-pa600/versions.nix index ce6b116..e7d4567 100644 --- a/nix/os/devices/steveej-pa600/versions.nix +++ b/nix/os/devices/steveej-pa600/versions.nix 
@@ -4,9 +4,12 @@ let
 ref = "nixos-20.09";
 rev = "e065200fc90175a8f6e50e76ef10a48786126e1c";
 };
-in {
+in
+{
 inherit nixpkgs;
- nixos = nixpkgs // {suffix = "/nixos";};
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
 "channels-nixos-stable" = nixpkgs;
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
diff --git a/nix/os/devices/steveej-pa600/versions.tmpl.nix b/nix/os/devices/steveej-pa600/versions.tmpl.nix
index 96f7be3..08f1a43 100644
--- a/nix/os/devices/steveej-pa600/versions.tmpl.nix
+++ b/nix/os/devices/steveej-pa600/versions.tmpl.nix
@@ -6,9 +6,12 @@ let
 <% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d ' ' -%>'';
 };
-in {
+in
+{
 inherit nixpkgs;
- nixos = nixpkgs // {suffix = "/nixos";};
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
 "channels-nixos-stable" = nixpkgs;
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix
index b32a198..9682eb6 100644
--- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix
+++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ../../profiles/common/configuration.nix
 ../../profiles/graphical/configuration.nix
diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix
index 14df96a..4af1def 100644
--- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix
+++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
 # TASK: new device
 hardware.encryptedDisk = {
 enable = true;
diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix
index 4329e5c..7f69ec0 100644
--- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix
+++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix
@@ -1,3 +1,3 @@
-{...}: {
+_: {
 networking.hostName = "steveej-rmvbl-mmc-SL32G_0x259093f6"; # Define your hostname.
 }
diff --git a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix
index d49dbd3..861a9ea 100644
--- a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix
@@ -1,11 +1,8 @@
-{...}: {
- nixpkgs.config.packageOverrides = pkgs:
- with pkgs; {
- nixPath =
- (import ../../../default.nix {
- versionsPath = ./versions.nix;
- })
- .nixPath;
+{ ... }:
+{
+ nixpkgs.config.packageOverrides =
+ pkgs: with pkgs; {
+ inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath;
 };
 imports = [
diff --git a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix
index 408b2a9..c42f909 100644
--- a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
 # TASK: new device
 hardware.opinionatedDisk.diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0";
 hardware.opinionatedDisk.encrypted = true;
diff --git a/nix/os/devices/steveej-rmvbl-sdep0/system.nix b/nix/os/devices/steveej-rmvbl-sdep0/system.nix
index 5bad73f..d409681 100644
--- a/nix/os/devices/steveej-rmvbl-sdep0/system.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/system.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
 networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname.
 system.stateVersion = "21.05";
 }
diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix
index f8759b8..3771f25 100644
--- a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix
@@ -2,35 +2,33 @@ let
 nixpkgs = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-22.11";
- rev = ''
- 0040164e473509b4aee6aedb3b923e400d6df10b'';
+ rev = ''0040164e473509b4aee6aedb3b923e400d6df10b'';
 };
-in {
+in
+{
 inherit nixpkgs;
- nixos = nixpkgs // {suffix = "/nixos";};
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
 "channels-nixos-stable" = nixpkgs;
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-unstable";
- rev = ''
- d9f759f2ea8d265d974a6e1259bd510ac5844c5d'';
+ rev = ''d9f759f2ea8d265d974a6e1259bd510ac5844c5d'';
 };
 "channels-nixos-unstable-small" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-unstable-small";
- rev = ''
- 9c34c8adba80180608794cce600b10183b048942'';
+ rev = ''9c34c8adba80180608794cce600b10183b048942'';
 };
 "nixpkgs-master" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "master";
- rev = ''
- f9adb566707a492bd3d17fee1e223695d939b52a'';
+ rev = ''f9adb566707a492bd3d17fee1e223695d939b52a'';
 };
 "home-manager-module" = {
 url = "https://github.com/nix-community/home-manager";
 ref = "release-22.11";
- rev = ''
- d6f3ba090ed090ae664ab5bac329654093aae725'';
+ rev = ''d6f3ba090ed090ae664ab5bac329654093aae725'';
 };
 }
diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix
index a0fa34a..92abc4a 100644
--- a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix
@@ -6,9 +6,12 @@ let
 <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>'';
 };
-in {
+in
+{
 inherit nixpkgs;
- nixos = nixpkgs // {suffix = "/nixos";};
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
 "channels-nixos-stable" = nixpkgs;
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix
index 281d09e..d3ff0b5 100644
--- a/nix/os/devices/steveej-t14/boot.nix
+++ b/nix/os/devices/steveej-t14/boot.nix
@@ -1,8 +1,5 @@
+{ lib, pkgs, ... }:
 {
- lib,
- pkgs,
- ...
-}: {
 boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
 boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix
index a094278..f5ccca0 100644
--- a/nix/os/devices/steveej-t14/configuration.nix
+++ b/nix/os/devices/steveej-t14/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ../../snippets/home-manager-with-zsh.nix
 ../../snippets/nix-settings-holo-chain.nix
@@ -19,7 +20,7 @@
 ./boot.nix
 # samba seerver
- ({lib, ...}: {
+ (_: {
 # networking.firewall.enable = lib.mkForce false;
 services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
 networking.firewall.allowedTCPPorts = [
diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix
index bcb5e94..d7e6d28 100644
--- a/nix/os/devices/steveej-t14/default.nix
+++ b/nix/os/devices/steveej-t14/default.nix
@@ -4,26 +4,24 @@
 repoFlakeWithSystem,
 nodeFlake,
 ...
-}: let
+}:
+let
 system = "x86_64-linux";
-in {
+in
+{
 meta.nodeSpecialArgs.${nodeName} = {
 inherit repoFlake nodeName nodeFlake;
 packages' = repoFlake.packages.${system};
- repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs');
+ repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs');
 };
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
- inherit system;
- };
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
 ${nodeName} = {
 deployment.targetHost = nodeName;
 deployment.replaceUnknownProfiles = false;
 deployment.allowLocalDeployment = true;
- imports = [
- (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
- ];
+ imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ];
 };
 }
diff --git a/nix/os/devices/steveej-t14/flake.nix b/nix/os/devices/steveej-t14/flake.nix
index d2a549b..504ce45 100644
--- a/nix/os/devices/steveej-t14/flake.nix
+++ b/nix/os/devices/steveej-t14/flake.nix
@@ -12,5 +12,5 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
- outputs = _: {};
+ outputs = _: { };
 }
diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix
index 1b905e0..0fa593a 100644
--- a/nix/os/devices/steveej-t14/hw.nix
+++ b/nix/os/devices/steveej-t14/hw.nix
@@ -1,5 +1,4 @@
-{lib, ...}: let
-in {
+_: {
 # TASK: new device
 hardware.opinionatedDisk = {
 enable = true;
@@ -66,16 +65,56 @@ in {
 enable = false;
 levels = [
 # ["level auto" 0 60]
- [0 0 60]
- [1 60 65]
- [1 65 75]
- [2 75 78]
- [3 78 80]
- [4 80 82]
- [5 82 84]
- [6 84 86]
- [7 86 88]
- ["level full-speed" 88 999]
+ [
+ 0
+ 0
+ 60
+ ]
+ [
+ 1
+ 60
+ 65
+ ]
+ [
+ 1
+ 65
+ 75
+ ]
+ [
+ 2
+ 75
+ 78
+ ]
+ [
+ 3
+ 78
+ 80
+ ]
+ [
+ 4
+ 80
+ 82
+ ]
+ [
+ 5
+ 82
+ 84
+ ]
+ [
+ 6
+ 84
+ 86
+ ]
+ [
+ 7
+ 86
+ 88
+ ]
+ [
+ "level full-speed"
+ 88
+ 999
+ ]
 ];
 extraArgs = [
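Review bot: In the steveej-t14/hw.nix `levels` hunk every three-element entry is now spread over five lines, so the fan table grows from ten lines to fifty and the meaning of the three columns is no longer visible at a glance; the only hint left is the commented `# ["level auto" 0 60]` entry. A legend comment above the list would restore that, e.g. `# one entry per step: [ fan-level lower-temp upper-temp ]` — assuming these are thinkfan-style triples, which the visible lines do not confirm. The attribute set that holds `levels` begins before the hunk and the `extraArgs` list continues after it.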
diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix
index 0cc3c04..4e53eaf 100644
--- a/nix/os/devices/steveej-t14/pkg.nix
+++ b/nix/os/devices/steveej-t14/pkg.nix
@@ -1,14 +1,7 @@
+{ pkgs, ... }:
 {
- pkgs,
- lib,
- repoFlake,
- nodeFlake,
- ...
-}: {
 system.stateVersion = "23.05";
- home-manager.users.root = _: {
- home.stateVersion = "22.05";
- };
+ home-manager.users.root = _: { home.stateVersion = "22.05"; };
 home-manager.users.steveej = _: {
 home.stateVersion = "22.05";
 imports = [
@@ -21,10 +14,9 @@
 })
 ];
- home.sessionVariables = {};
+ home.sessionVariables = { };
- home.packages = with pkgs; [
- ];
+ home.packages = with pkgs; [ ];
 };
 # TODO: fix the following errors with regreet
@@ -38,26 +30,28 @@
 # # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration
 # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling.
- services.greetd = let
- # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit"
- swayConfig = pkgs.writeText "greetd-sway-config" ''
- # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet.
- exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit"
- bindsym Mod4+shift+e exec swaynag \
- -t warning \
- -m 'What do you want to do?' \
- -b 'Poweroff' 'systemctl poweroff' \
- -b 'Reboot' 'systemctl reboot'
- '';
- in {
- enable = false;
- settings = {
- vt = 1;
- default_session = {
- command = "${pkgs.sway}/bin/sway --config ${swayConfig}";
+ services.greetd =
+ let
+ # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit"
+ swayConfig = pkgs.writeText "greetd-sway-config" ''
+ # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet.
+ exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit"
+ bindsym Mod4+shift+e exec swaynag \
+ -t warning \
+ -m 'What do you want to do?' \
+ -b 'Poweroff' 'systemctl poweroff' \
+ -b 'Reboot' 'systemctl reboot'
+ '';
+ in
+ {
+ enable = false;
+ settings = {
+ vt = 1;
+ default_session = {
+ command = "${pkgs.sway}/bin/sway --config ${swayConfig}";
+ };
 };
 };
- };
 environment.etc."greetd/environments".text = ''
 sway
diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix
index 04fb60a..db19a3b 100644
--- a/nix/os/devices/steveej-t14/system.nix
+++ b/nix/os/devices/steveej-t14/system.nix
@@ -2,10 +2,10 @@
 pkgs,
 lib,
 config,
- nodeName,
 repoFlake,
 ...
-}: let
+}:
+let
 localTcpPorts = [
 22
@@ -21,12 +21,11 @@
 22000
 21027
 ];
-in {
+in
+{
 nix.settings = {
- substituters = [
- ];
- trusted-public-keys = [
- ];
+ substituters = [ ];
+ trusted-public-keys = [ ];
 };
 nix.distributedBuilds = true;
@@ -39,7 +38,7 @@ in {
 system = "x86_64-linux";
 maxJobs = 32;
 speedFactor = 100;
- supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features ++ [];
+ supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features;
 }
 {
@@ -50,16 +49,15 @@ in {
 system = "aarch64-linux";
 maxJobs = 32;
 speedFactor = 100;
- supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [];
+ supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features;
 }
 ];
 networking.networkmanager.enable = true;
- networking.extraHosts = ''
- '';
+ networking.extraHosts = '''';
- networking.bridges."virbr1".interfaces = [];
+ networking.bridges."virbr1".interfaces = [ ];
 networking.interfaces."virbr1".ipv4.addresses = [
 {
 address = "10.254.254.254";
@@ -92,7 +90,9 @@ in {
 # virtualization
 virtualisation = {
- libvirtd = {enable = true;};
+ libvirtd = {
+ enable = true;
+ };
 virtualbox.host = {
 enable = false;
@@ -110,13 +110,11 @@ in {
 # client min protocol = NT1
 '';
- security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
+ security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
- services.xserver.videoDrivers = lib.mkForce ["amdgpu"];
+ services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ];
 hardware.ledger.enable = true;
- boot.binfmt.emulatedSystems = [
- "aarch64-linux"
- ];
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 }
diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix
index 6068f93..dacf1f4 100644
--- a/nix/os/devices/steveej-t14/user.nix
+++ b/nix/os/devices/steveej-t14/user.nix
@@ -1,19 +1,16 @@
-{
- config,
- pkgs,
- lib,
- ...
-}: let
+{ config, pkgs, ... }:
+let
 keys = import ../../../variables/keys.nix;
- inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
-in {
+ inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser;
+in
+{
 users.users.steveej2 = mkUser {
 uid = 1001;
 openssh.authorizedKeys.keys = keys.users.steveej.openssh;
 hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path;
 };
- nix.settings.trusted-users = ["steveej"];
+ nix.settings.trusted-users = [ "steveej" ];
 security.pam.u2f.enable = true;
 security.pam.services.steveej.u2fAuth = true;
diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix
index 06cc7d1..76a34c8 100644
--- a/nix/os/devices/steveej-utilitepro/configuration.nix
+++ b/nix/os/devices/steveej-utilitepro/configuration.nix
@@ -1,13 +1,11 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{
- config,
- pkgs,
- ...
-}: let
+{ config, pkgs, ... }:
+let
 passwords = import ../common/passwords.crypt.nix;
-in {
+in
+{
 # The NixOS release to be compatible with for stateful data such as databases.
 system.stateVersion = "16.03";
 nix.maxJobs = 4;
@@ -19,22 +17,18 @@ in {
 '';
 nixpkgs.config = {
- packageOverrides = super: let
- self = super.pkgs;
- in {
+ packageOverrides = super: {
 linux_4_1 = super.linux_4_1.override {
- kernelPatches =
- super.linux_4_1.kernelPatches
- ++ [
- {
- patch = ./patches/utilitepro-kernel-dts.patch;
- name = "utilitepro-dts";
- }
- {
- patch = ./patches/utilitepro-kernel-dts-Makefile.patch;
- name = "utilitepro-dts-Makefile";
- }
- ];
+ kernelPatches = super.linux_4_1.kernelPatches ++ [
+ {
+ patch = ./patches/utilitepro-kernel-dts.patch;
+ name = "utilitepro-dts";
+ }
+ {
+ patch = ./patches/utilitepro-kernel-dts-Makefile.patch;
+ name = "utilitepro-dts-Makefile";
+ }
+ ];
 # add "CONFIG_PPP_FILTER y" option to the set of kernel options
 extraConfig = ''
 BTRFS_FS y
@@ -279,7 +273,10 @@ in {
 uid = 1000;
 isNormalUser = true;
 home = "/home/steveej";
- extraGroups = ["wheel" "libvirtd"];
+ extraGroups = [
+ "wheel"
+ "libvirtd"
+ ];
 # FIXME: this is deprecated but so is this device probably
 hashedPassword = passwords.users.steveej;
 openssh.authorizedKeys.keys = [
diff --git a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix
index a325b30..1d3e463 100644
--- a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix
+++ b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix
@@ -1,17 +1,13 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
+{ ... }:
 {
- config,
- lib,
- pkgs,
- ...
-}: {
- imports = [];
+ imports = [ ];
- boot.initrd.availableKernelModules = [];
- boot.kernelModules = [];
- boot.extraModulePackages = [];
+ boot.initrd.availableKernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
 hardware.enableAllFirmware = true;
@@ -24,5 +20,5 @@
 device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66";
 };
- swapDevices = [];
+ swapDevices = [ ];
 }
diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix
index 9aec1e2..39e93de 100644
--- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix
+++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix
@@ -5,10 +5,10 @@
 lib,
 config,
 nodeName,
- localDomainName,
 system,
 ...
-}: {
+}:
+{
 nixos-x13s = {
 enable = true;
 # TODO: use hardware address
@@ -41,8 +41,8 @@
 echo $?
 )
 '';
- requiredBy = ["bluetooth.service"];
- before = ["bluetooth.service"];
+ requiredBy = [ "bluetooth.service" ];
+ before = [ "bluetooth.service" ];
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
@@ -103,20 +103,15 @@
 ];
 system.stateVersion = "23.11";
- home-manager.users.root = _: {
- home.stateVersion = "23.11";
- };
+ home-manager.users.root = _: { home.stateVersion = "23.11"; };
 home-manager.users.steveej = _: {
 home.stateVersion = "23.11";
- imports = [
- ../../../home-manager/configuration/graphical-fullblown.nix
- ];
+ imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ];
- home.sessionVariables = {};
+ home.sessionVariables = { };
- home.packages = with pkgs; [
- ];
+ home.packages = with pkgs; [ ];
 # TODO: currently unsupported
 services.gammastep.enable = lib.mkForce false;
@@ -127,7 +122,7 @@
 loader.systemd-boot.enable = true;
 loader.efi.canTouchEfiVariables = lib.mkForce false;
 loader.efi.efiSysMountPoint = "/boot";
- blacklistedKernelModules = ["wwan"];
+ blacklistedKernelModules = [ "wwan" ];
 initrd.kernelModules = [
 "uas"
@@ -153,7 +148,8 @@
 "firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware;
 "firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware;
 "firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware;
- "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware";
+ "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source =
+ nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware";
 };
 };
diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix
index fa66cf4..2ba48d2 100644
--- a/nix/os/devices/steveej-x13s-rmvbl/default.nix
+++ b/nix/os/devices/steveej-x13s-rmvbl/default.nix
@@ -6,21 +6,23 @@
 nodeFlake,
 localDomainName ? "internal",
 ...
-}: {
+}:
+{
 meta.nodeSpecialArgs.${nodeName} = {
- inherit repoFlake nodeName nodeFlake system;
+ inherit
+ repoFlake
+ nodeName
+ nodeFlake
+ system
+ ;
 packages' = repoFlake.packages.${system};
 nodePackages' = nodeFlake.packages.${system};
- repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs');
+ repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs');
 inherit localDomainName;
 };
- meta.nodeNixpkgs.${nodeName} =
- import nodeFlake.inputs.nixpkgs.outPath
- {
- inherit system;
- };
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
 ${nodeName} = {
 deployment.targetHost = "${nodeName}.${localDomainName}";
@@ -29,8 +31,6 @@
 # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
- imports = [
- (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
- ];
+ imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ];
 };
 }
diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix
index e56b0d1..2eb097a 100644
--- a/nix/os/devices/steveej-x13s-rmvbl/disko.nix
+++ b/nix/os/devices/steveej-x13s-rmvbl/disko.nix
@@ -14,9 +14,7 @@
 type = "filesystem";
 format = "vfat";
 mountpoint = "/boot";
- mountOptions = [
- "defaults"
- ];
+ mountOptions = [ "defaults" ];
 };
 };
 luks = {
@@ -24,7 +22,7 @@
 content = {
 type = "luks";
 name = "x13s-usb-crypt";
- extraOpenArgs = [];
+ extraOpenArgs = [ ];
 # disable settings.keyFile if you want to use interactive password entry
 #passwordFile = "/tmp/secret.key"; # Interactive
 settings = {
@@ -36,19 +34,28 @@
 # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
 content = {
 type = "btrfs";
- extraArgs = ["-f"];
+ extraArgs = [ "-f" ];
 subvolumes = {
 "/root" = {
 mountpoint = "/";
- mountOptions = ["compress=zstd" "noatime"];
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
 };
 "/home" = {
 mountpoint = "/home";
- mountOptions = ["compress=zstd" "noatime"];
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
 };
 "/nix" = {
 mountpoint = "/nix";
- mountOptions = ["compress=zstd" "noatime"];
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
 };
 "/swap" = {
 mountpoint = "/.swapvol";
diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix
index bcc82bb..043907d 100644
--- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix
+++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix
@@ -22,71 +22,66 @@
 nixos-x13s.inputs.nixpkgs.follows = "nixpkgs";
 };
- outputs = {
- self,
- get-flake,
- nixpkgs,
- ...
- }: let
- system = "aarch64-linux";
- buildPlatform = "x86_64-linux";
- repoFlake = get-flake ../../../..;
- in {
- lib = {
- mkNixosConfiguration = {
- nodeName,
- extraModules ? [],
- ...
- } @ attrs:
- nixpkgs.lib.nixosSystem (
- nixpkgs.lib.attrsets.recursiveUpdate
- attrs
+ outputs =
+ {
+ self,
+ get-flake,
+ nixpkgs,
+ ...
+ }:
+ let
+ system = "aarch64-linux";
+ buildPlatform = "x86_64-linux";
+ repoFlake = get-flake ../../../..;
+ in
+ {
+ lib = {
+ mkNixosConfiguration =
 {
- specialArgs =
- (import ./default.nix {
- inherit system;
- inherit nodeName repoFlake;
+ nodeName,
+ extraModules ? [ ],
+ ...
+ }@attrs:
+ nixpkgs.lib.nixosSystem (
+ nixpkgs.lib.attrsets.recursiveUpdate attrs {
+ specialArgs =
+ (import ./default.nix {
+ inherit system;
+ inherit nodeName repoFlake;
- nodeFlake = self;
- })
- .meta
- .nodeSpecialArgs
- .${nodeName};
+ nodeFlake = self;
+ }).meta.nodeSpecialArgs.${nodeName};
- modules =
- [
- # repoFlake.nixosModules.hardware-x13s
- ]
- ++ extraModules;
- }
- );
- };
-
- nixosConfigurations = let
- nodeName = "steveej-x13s-rmvbl";
- in {
- native = self.lib.mkNixosConfiguration {
- inherit system nodeName;
- extraModules = [
- ./configuration.nix
-
- {
- users.commonUsers.installPassword = "install";
- }
- ];
+ modules = extraModules;
+ }
+ );
 };
- cross = self.lib.mkNixosConfiguration {
- inherit nodeName;
- extraModules = [
- ./configuration.nix
+ nixosConfigurations =
+ let
+ nodeName = "steveej-x13s-rmvbl";
+ in
+ {
+ native = self.lib.mkNixosConfiguration {
+ inherit system nodeName;
+ extraModules = [
+ ./configuration.nix
- {
- nixpkgs.buildPlatform.system = buildPlatform;
- nixpkgs.hostPlatform.system = system;
- }
- ];
- };
+ { users.commonUsers.installPassword = "install"; }
+ ];
+ };
+
+ cross = self.lib.mkNixosConfiguration {
+ inherit nodeName;
+ extraModules = [
+ ./configuration.nix
+
+ {
+ 
nixpkgs.buildPlatform.system = buildPlatform;
+ nixpkgs.hostPlatform.system = system;
+ }
+ ];
+ };
+ };
 };
- };
 }
diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix
index 831f1f0..21462e0 100644
--- a/nix/os/devices/steveej-x13s/configuration.nix
+++ b/nix/os/devices/steveej-x13s/configuration.nix
@@ -5,12 +5,12 @@
 lib,
 config,
 nodeName,
- localDomainName,
 system,
 packages',
 ...
-}: {
- nixpkgs.overlays = [nodeFlake.overlays.default];
+}:
+{
+ nixpkgs.overlays = [ nodeFlake.overlays.default ];
 nixos-x13s = {
 enable = true;
@@ -23,7 +23,7 @@
 # printint and autodiscovery of printers
 services.printing.enable = true;
- services.printing.drivers = [pkgs.hplip];
+ services.printing.drivers = [ pkgs.hplip ];
 services.avahi = {
 enable = true;
 nssmdns4 = true;
@@ -57,8 +57,8 @@
 echo $?
 )
 '';
- requiredBy = ["bluetooth.service"];
- before = ["bluetooth.service"];
+ requiredBy = [ "bluetooth.service" ];
+ before = [ "bluetooth.service" ];
 serviceConfig = {
 Type = "oneshot";
 RemainAfterExit = true;
@@ -98,7 +98,7 @@
 enableNonRoot = true;
 };
- sops.secrets.builder-private-key = {};
+ sops.secrets.builder-private-key = { };
 nix.distributedBuilds = true;
 nix.buildMachines = [
 # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=/run/secrets/builder-private-key'
@@ -107,9 +107,7 @@
 sshUser = "nix-remote-builder";
 sshKey = config.sops.secrets.builder-private-key.path;
 protocol = "ssh-ng";
- systems = [
- "x86_64-linux"
- ];
+ systems = [ "x86_64-linux" ];
 supportedFeatures = [
 "big-parallel"
 "kvm"
@@ -123,9 +121,7 @@
 sshUser = "nix-remote-builder";
 sshKey = config.sops.secrets.builder-private-key.path;
 protocol = "ssh-ng";
- systems = [
- "aarch64-linux"
- ];
+ systems = [ "aarch64-linux" ];
 supportedFeatures = [
 "big-parallel"
 "kvm"
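Review bot: The `native` configuration in steveej-x13s-rmvbl/flake.nix still carries `{ users.commonUsers.installPassword = "install"; }` as a literal, now on a single reformatted line; the value is a well-known default rather than a secret, so the line deserves a comment saying what it is for and when it stops applying, e.g. `# installer-image default; change after first login` — presumably this configuration builds a bootable removable image, which the hunk itself does not show. The `cross` configuration right below sets no such password, which fits that reading. Separately, collapsing `modules = [ # repoFlake.nixosModules.hardware-x13s ] ++ extraModules;` to `modules = extraModules;` silently drops the commented hint about the hardware module; if it is still a planned addition, keep it as a comment above the assignment.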
@@ -154,24 +150,27 @@
 }
 # TODO: create syncthing os snippet
- (let
- tcp = [22000];
- udp = [
- 22000
- 21027
- ];
- in {
- # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
- networking.firewall.interfaces."en+".allowedTCPPorts = tcp;
- networking.firewall.interfaces."en+".allowedUDPPorts = udp;
- networking.firewall.interfaces."wl+".allowedTCPPorts = tcp;
- networking.firewall.interfaces."wl+".allowedUDPPorts = udp;
+ (
+ let
+ tcp = [ 22000 ];
+ udp = [
+ 22000
+ 21027
+ ];
+ in
+ {
+ # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
+ networking.firewall.interfaces."en+".allowedTCPPorts = tcp;
+ networking.firewall.interfaces."en+".allowedUDPPorts = udp;
+ networking.firewall.interfaces."wl+".allowedTCPPorts = tcp;
+ networking.firewall.interfaces."wl+".allowedUDPPorts = udp;
- networking.firewall.allowedTCPPorts = [
- # iperf3
- 5201
- ];
- })
+ networking.firewall.allowedTCPPorts = [
+ # iperf3
+ 5201
+ ];
+ }
+ )
 ../../snippets/home-manager-with-zsh.nix
 ../../snippets/sway-desktop.nix
@@ -201,22 +200,17 @@
 ];
 system.stateVersion = "23.11";
- home-manager.users.root = _: {
- home.stateVersion = "23.11";
- };
+ home-manager.users.root = _: { home.stateVersion = "23.11"; };
 home-manager.users.steveej = _: {
 home.stateVersion = "23.11";
- imports = [
- ../../../home-manager/configuration/graphical-fullblown.nix
- ];
+ imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ];
- nixpkgs.overlays = [nodeFlake.overlays.default];
+ nixpkgs.overlays = [ nodeFlake.overlays.default ];
- home.sessionVariables = {};
+ home.sessionVariables = { };
- home.packages = with pkgs; [
- ];
+ home.packages = with pkgs; [ ];
 # TODO(upstream): currently unsupported on x13s
 services.gammastep.enable = true;
@@ -228,7 +222,7 @@
 loader.efi.canTouchEfiVariables = lib.mkForce false;
 loader.efi.efiSysMountPoint = "/boot";
- blacklistedKernelModules = ["wwan"];
+ blacklistedKernelModules = [ "wwan" ];
 };
 hardware.firmware = lib.mkBefore [
@@ -258,9 +252,7 @@
 autostart = false;
 };
- services.udev.packages = [
- pkgs.android-udev-rules
- ];
+ services.udev.packages = [ pkgs.android-udev-rules ];
 programs.adb.enable = true;
 nix.settings.sandbox = lib.mkForce "relaxed";
diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix
index e6d8ece..bb170b2 100644
--- a/nix/os/devices/steveej-x13s/default.nix
+++ b/nix/os/devices/steveej-x13s/default.nix
@@ -6,21 +6,23 @@
 nodeFlake,
 localDomainName ? "internal",
 ...
-}: {
+}:
+{
 meta.nodeSpecialArgs.${nodeName} = {
- inherit repoFlake nodeName nodeFlake system;
+ inherit
+ repoFlake
+ nodeName
+ nodeFlake
+ system
+ ;
 packages' = repoFlake.packages.${system};
 nodePackages' = nodeFlake.packages.${system};
- repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs');
+ repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs');
 inherit localDomainName;
 };
- meta.nodeNixpkgs.${nodeName} =
- import nodeFlake.inputs.nixpkgs.outPath
- {
- inherit system;
- };
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
 ${nodeName} = {
 deployment.targetHost = "${nodeName}.${localDomainName}";
@@ -29,8 +31,6 @@
 # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
- imports = [
- ./configuration.nix
- ];
+ imports = [ ./configuration.nix ];
 };
 }
diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix
index 89f6dd8..40b2118 100644
--- a/nix/os/devices/steveej-x13s/disko.nix
+++ b/nix/os/devices/steveej-x13s/disko.nix
@@ -15,9 +15,7 @@
 type = "filesystem";
 format = "vfat";
 mountpoint = "/boot";
- mountOptions = [
- "defaults"
- ];
+ mountOptions = [ "defaults" ];
 };
 };
 luks = {
@@ -25,7 +23,7 @@
 content = {
 type = "luks";
 name = "x13s-nvme-crypt";
- extraOpenArgs = [];
+ extraOpenArgs = [ ];
 # disable settings.keyFile if you want to use interactive password entry
 #passwordFile = "/tmp/secret.key"; # Interactive
 settings = {
@@ -37,19 +35,28 @@
 # additionalKeyFiles = [ "/tmp/additionalSecret.key" ];
 content = {
 type = "btrfs";
- extraArgs = ["-f"];
+ extraArgs = [ "-f" ];
 subvolumes = {
 "/root" = {
 mountpoint = "/";
- mountOptions = ["compress=zstd" "noatime"];
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
 };
 "/home" = {
 mountpoint = "/home";
- mountOptions = ["compress=zstd" "noatime"];
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
 };
 "/nix" = {
 mountpoint = "/nix";
- mountOptions = ["compress=zstd" "noatime"];
+ mountOptions = [
+ "compress=zstd"
+ "noatime"
+ ];
 };
 "/swap" = {
 mountpoint = "/.swapvol";
diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix
index 09b27a1..e9c58e1 100644
--- a/nix/os/devices/steveej-x13s/flake.nix
+++ b/nix/os/devices/steveej-x13s/flake.nix
@@ -14,16 +14,15 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
- nixos-x13s.url =
- "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump"
- # 6.11.0
- # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490"
- # 6.12.0-rc6
- # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee"
- # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630"
- #"/home/steveej/src/others/nixos-x13s"
- #
- ;
+ nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump"
+ # 6.11.0
+ # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490"
+ # 6.12.0-rc6
+ # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee"
+ # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630"
+ #"/home/steveej/src/others/nixos-x13s"
+ #
+ ;
 # nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s?ref=refs/tags/2024-02-28";
 # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s";
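Review bot: In steveej-x13s/flake.nix the `nixos-x13s.url` binding still keeps six comment lines between the string value and its terminating `;`, so the formatter indents them as part of the expression and a reader has to scan nine lines to find where a one-string assignment ends. Moving the commented alternatives above the attribute, so the binding reads `nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump";` on one line with the history as plain comments before it, keeps the notes and lets the formatter leave the assignment alone. The attribute set enclosing this binding begins before the hunk.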
@@ -39,127 +38,125 @@ }; }; - outputs = { - self, - get-flake, - nixpkgs, - ... - }: let - nativeSystem = "aarch64-linux"; - nodeName = "steveej-x13s"; + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + nativeSystem = "aarch64-linux"; + nodeName = "steveej-x13s"; - repoFlake = get-flake ../../../..; + repoFlake = get-flake ../../../..; - mkNixosConfiguration = {extraModules ? [], ...} @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs + mkNixosConfiguration = { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; - inherit repoFlake; - repoFlakeWithSystem = repoFlake.lib.withSystem; - nodeFlake = self; - }) - .meta - .nodeSpecialArgs - .${nodeName}; + inherit repoFlake; + repoFlakeWithSystem = repoFlake.lib.withSystem; + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; - modules = - [ + modules = [ ./configuration.nix # flake registry - { - nix.registry.nixpkgs.flake = nixpkgs; - } - ] - ++ extraModules; - } - ); - in { - lib = { - inherit mkNixosConfiguration; - }; - - overlays.libcamera = final: previous: let - webkitgtkPreConfigure = '' - export NIX_BUILD_CORES="$((NIX_BUILD_CORES > 2 ? 
2 : NIX_BUILD_CORES))" - export NUMBER_OF_PROCESSORS="$NIX_BUILD_CORES" - ''; - in { - wireplumber = previous.wireplumber.overrideAttrs (_: { - version = "git"; - src = previous.fetchFromGitLab { - domain = "gitlab.freedesktop.org"; - owner = "pipewire"; - repo = "wireplumber"; - rev = "71f868233792f10848644319dbdc97a4f147d554"; - hash = "sha256-VX3OFsBK9AbISm/XTx8p05ak+z/VcKXfUXhB9aI9ev8="; - }; - }); - - libcamera = previous.libcamera.overrideAttrs (_: { - postFixup = '' - ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so - ''; - }); - - libcamera-qcam = previous.libcamera-qcam.overrideAttrs (_: { - postFixup = '' - ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so - ''; - }); - - webkitgtk = previous.webkitgtk.overrideAttrs (attrs: { - preConfigure = - attrs.preConfigure + webkitgtkPreConfigure; - }); - - webkitgtk_4_1 = previous.webkitgtk_4_1.overrideAttrs (attrs: { - preConfigure = - attrs.preConfigure + webkitgtkPreConfigure; - }); - - webkitgtk_6_0 = previous.webkitgtk_6_0.overrideAttrs (attrs: { - preConfigure = - attrs.preConfigure + webkitgtkPreConfigure; - }); - }; - - overlays.default = final: previous: let - inherit (previous.stdenv) system; - pkgsUnstable = import self.inputs.nixpkgs-unstable.outPath { - inherit system; - overlays = [self.overlays.libcamera]; - }; - in { - inherit pkgsUnstable; - inherit - (pkgsUnstable) - libcamera - webkitgtk - webkitgtk_4_1 - webkitgtk_6_0 - ; - }; - - nixosConfigurations = { - native = mkNixosConfiguration { - system = nativeSystem; - }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; + { nix.registry.nixpkgs.flake = nixpkgs; } + ] ++ extraModules; } - ]; + ); + in + { + lib = { + inherit mkNixosConfiguration; + }; + + overlays.libcamera = + _final: previous: + let + webkitgtkPreConfigure = '' + export NIX_BUILD_CORES="$((NIX_BUILD_CORES > 2 ? 
2 : NIX_BUILD_CORES))" + export NUMBER_OF_PROCESSORS="$NIX_BUILD_CORES" + ''; + in + { + wireplumber = previous.wireplumber.overrideAttrs (_: { + version = "git"; + src = previous.fetchFromGitLab { + domain = "gitlab.freedesktop.org"; + owner = "pipewire"; + repo = "wireplumber"; + rev = "71f868233792f10848644319dbdc97a4f147d554"; + hash = "sha256-VX3OFsBK9AbISm/XTx8p05ak+z/VcKXfUXhB9aI9ev8="; + }; + }); + + libcamera = previous.libcamera.overrideAttrs (_: { + postFixup = '' + ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so + ''; + }); + + libcamera-qcam = previous.libcamera-qcam.overrideAttrs (_: { + postFixup = '' + ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so + ''; + }); + + webkitgtk = previous.webkitgtk.overrideAttrs (attrs: { + preConfigure = attrs.preConfigure + webkitgtkPreConfigure; + }); + + webkitgtk_4_1 = previous.webkitgtk_4_1.overrideAttrs (attrs: { + preConfigure = attrs.preConfigure + webkitgtkPreConfigure; + }); + + webkitgtk_6_0 = previous.webkitgtk_6_0.overrideAttrs (attrs: { + preConfigure = attrs.preConfigure + webkitgtkPreConfigure; + }); + }; + + overlays.default = + _final: previous: + let + inherit (previous.stdenv) system; + pkgsUnstable = import self.inputs.nixpkgs-unstable.outPath { + inherit system; + overlays = [ self.overlays.libcamera ]; + }; + in + { + inherit pkgsUnstable; + inherit (pkgsUnstable) + libcamera + webkitgtk + webkitgtk_4_1 + webkitgtk_6_0 + ; + }; + + nixosConfigurations = { + native = mkNixosConfiguration { system = nativeSystem; }; + + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; + } + ]; + }; }; }; - }; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/boot.nix b/nix/os/devices/vmd102066.contaboserver.net/boot.nix index 5713789..ed21f9c 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/boot.nix 
+++ b/nix/os/devices/vmd102066.contaboserver.net/boot.nix
@@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
+{
 boot.loader.grub.efiSupport = lib.mkForce false;
- boot.extraModulePackages = [];
+ boot.extraModulePackages = [ ];
 }
diff --git a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix
index 28a63fb..b29548c 100644
--- a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix
+++ b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix
@@ -1,5 +1,6 @@
-{...}: {
- disabledModules = [];
+{ ... }:
+{
+ disabledModules = [ ];
 imports = [
 ../../profiles/common/configuration.nix
 ../../modules/opinionatedDisk.nix
diff --git a/nix/os/devices/vmd102066.contaboserver.net/default.nix b/nix/os/devices/vmd102066.contaboserver.net/default.nix
index db025f1..958331e 100644
--- a/nix/os/devices/vmd102066.contaboserver.net/default.nix
+++ b/nix/os/devices/vmd102066.contaboserver.net/default.nix
@@ -1,17 +1,17 @@
-{repoFlake, ...}: let
+{ repoFlake, ... }:
+let
 nodeName = "vmd102066.contaboserver.net";
 system = "x86_64-linux";
 nodeFlake = repoFlake.inputs.get-flake ./.;
-in {
+in
+{
 meta.nodeSpecialArgs.${nodeName} = {
 inherit nodeName nodeFlake;
 packages' = repoFlake.packages.${system};
 };
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
- inherit system;
- };
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
 ${nodeName} = {
 deployment.targetHost = nodeName;
diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.nix b/nix/os/devices/vmd102066.contaboserver.net/flake.nix
index d432f24..0547466 100644
--- a/nix/os/devices/vmd102066.contaboserver.net/flake.nix
+++ b/nix/os/devices/vmd102066.contaboserver.net/flake.nix
@@ -8,5 +8,5 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
- outputs = _: {};
+ outputs = _: { };
 }
diff --git a/nix/os/devices/vmd102066.contaboserver.net/hw.nix b/nix/os/devices/vmd102066.contaboserver.net/hw.nix index e09b10e..392bb1b 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/hw.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -11,7 +12,8 @@ "virtio" "scsi_mod" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix index 96cfc55..2857a30 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix @@ -1,9 +1,5 @@ +{ config, pkgs, ... }: { - config, - pkgs, - lib, - ... -}: { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; @@ -12,7 +8,12 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; maxJobs = 4; } ]; @@ -22,7 +23,7 @@ hydraURL = "http://localhost:3000"; # externally visible URL notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines - buildMachinesFiles = []; + buildMachinesFiles = [ ]; # you will probably also want, otherwise *everything* will be built from scratch useSubstitutes = true; }; @@ -30,7 +31,13 @@ services.gitlab-runner = { enable = false; - extraPackages = with pkgs; [bash gitlab-runner nix gitFull git-crypt]; + extraPackages = with pkgs; [ + bash + gitlab-runner + nix + gitFull + git-crypt + ]; concurrent = 2; checkInterval = 0; 
@@ -39,7 +46,7 @@ executor = "shell"; runUntagged = true; registrationConfigFile = "/etc/secrets/gitlab-runner/nix-runner.registration"; - tagList = ["nix"]; + tagList = [ "nix" ]; }; }; }; diff --git a/nix/os/devices/vmd102066.contaboserver.net/system.nix b/nix/os/devices/vmd102066.contaboserver.net/system.nix index 45c6b0c..cebed6a 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/system.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/system.nix @@ -1,13 +1,9 @@ -{ - pkgs, - lib, - config, - nodeName, - ... -}: let +{ pkgs, config, ... }: +let keys = import ../../../variables/keys.nix; passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -37,7 +33,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; @@ -45,7 +41,9 @@ in { # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = {docker.enable = true;}; + virtualisation = { + docker.enable = true; + }; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; @@ -53,7 +51,7 @@ in { systemd.services."sshd-status" = { enable = true; description = "sshd-status service"; - path = [pkgs.systemd]; + path = [ pkgs.systemd ]; script = '' systemctl status sshd | grep -i tasks ''; @@ -73,11 +71,13 @@ in { # }; # }; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; boot.initrd.network = { enable = true; - udhcpc.extraArgs = ["-x hostname:${config.networking.hostName}"]; + udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; ssh = { enable = true; 
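Review bot: The cleanup of system.nix drops the unused `lib` and `nodeName` arguments but keeps `passwords = import ../../../variables/passwords.crypt.nix;` in the `let` block. Whether `passwords` is still referenced is not visible here, since the module body continues outside this hunk, but anything pulled from that import and interpolated into a NixOS option is written to the world-readable `/nix/store` on every evaluation, regardless of how the file is protected in git. If it is dead after this pass, remove it like the other unused bindings; if it is still used, the sops pattern already in `profiles/common/user.nix` (`hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path`) keeps the value out of the store. Either way a one-liner next to the binding, `# values from passwords.crypt.nix land in the Nix store at eval time; prefer sops for anything sensitive`, would warn the next reader.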
@@ -104,7 +104,12 @@ in { inherit config; hostAddress = "192.168.100.16"; localAddress = "192.168.100.17"; - subvolumes = ["mailserver" "webserver" "backup" "syncthing"]; + subvolumes = [ + "mailserver" + "webserver" + "backup" + "syncthing" + ]; }; bkpTarget = import ../../containers/backup-target.nix { diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 03bf5e7..b4f4dcc 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix @@ -1,10 +1,10 @@ -{ - lib, - config, -}: let +{ lib, config }: +let keys = import ../../variables/keys.nix; -in { - mkUser = args: +in +{ + mkUser = + args: lib.mkMerge [ { isNormalUser = true; @@ -45,7 +45,7 @@ in { # LVM doesn't allow most characters in VG names # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+] - volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId; + volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId; # This is important at install-time bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId; @@ -56,15 +56,10 @@ in { # Cannot use the disk ID here because might be different at install vs. runtime. # Example: MMC card which is used in the internal reader vs. USB reader - bootFsDevice = diskId: - "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); - bootLuksDevice = diskId: - "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); + bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); + bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); luksName = diskId: (volumeGroup diskId) + "pv"; luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId); - lvmPv = diskId: encrypted: - if encrypted == true - then luksPhysicalVolume diskId - else bootLuksDevice diskId; + lvmPv = diskId: encrypted: if encrypted then luksPhysicalVolume diskId else bootLuksDevice diskId; }; } 
diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix
index 893620a..622ae62 100644
--- a/nix/os/modules/ddclient-hetzner.nix
+++ b/nix/os/modules/ddclient-hetzner.nix
@@ -1,14 +1,9 @@
+{ lib, ... }:
 {
- lib,
- config,
- ...
-}: let
- cfg = config.services.ddclient-hetzner;
-in {
 options.services.ddclient-hetzner = with lib; {
 enable = mkEnableOption "Enable ddclient-hetzner";
- zone = mkOption {type = types.str;};
- domains = mkOption {type = types.listOf types.str;};
- passwordFile = mkOption {type = types.path;};
+ zone = mkOption { type = types.str; };
+ domains = mkOption { type = types.listOf types.str; };
+ passwordFile = mkOption { type = types.path; };
 };
 }
diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix
index 9b0321d..150d688 100644
--- a/nix/os/modules/ddclient-ovh.nix
+++ b/nix/os/modules/ddclient-ovh.nix
@@ -1,12 +1,7 @@
+{ lib, ... }:
 {
- lib,
- config,
- ...
-}: let
- cfg = config.services.ddclientovh;
-in {
 options.services.ddclientovh = with lib; {
 enable = mkEnableOption "Enable ddclient-ovh";
- domain = mkOption {type = types.str;};
+ domain = mkOption { type = types.str; };
 };
 }
diff --git a/nix/os/modules/initrd-network.nix b/nix/os/modules/initrd-network.nix
index e517d62..4ca89cf 100644
--- a/nix/os/modules/initrd-network.nix
+++ b/nix/os/modules/initrd-network.nix
@@ -4,7 +4,8 @@
 pkgs,
 ...
 }:
-with lib; let
+with lib;
+let
 cfg = config.boot.initrd.network;
 udhcpcScript = pkgs.writeScript "udhcp-script" ''
@@ -25,7 +26,8 @@ with lib; let
 '';
 udhcpcArgs = toString cfg.udhcpc.extraArgs;
-in {
+in
+{
 options = {
 boot.initrd.network.enable = mkOption {
 type = types.bool;
@@ -46,7 +48,7 @@ in {
 };
 boot.initrd.network.udhcpc.extraArgs = mkOption {
- default = [];
+ default = [ ];
 type = types.listOf types.str;
 description = ''
 Additional command-line arguments passed verbatim to udhcpc if
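Review bot: With `config` and `cfg` gone, ddclient-hetzner.nix visibly consists of option declarations and nothing else, so `services.ddclient-hetzner.enable`, `zone`, `domains` and `passwordFile` are accepted but have no effect; a header comment would stop someone from assuming the service is wired up, e.g. `# options only: no config block consumes these yet (ddclient-ovh.nix is the same stub)`. Separately, `passwordFile = mkOption { type = types.path; }` accepts a path literal, and a value like `./hetzner-token` is copied into the world-readable Nix store as soon as a future implementation interpolates it into a string; if the intent is a runtime file such as a sops secret's `.path`, `types.str` plus a description saying "absolute path to a file present at runtime" avoids that footgun.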
@@ -74,9 +76,9 @@ in {
 };
 config = mkIf cfg.enable {
- warnings = ["Enabled SSH for stage1"];
+ warnings = [ "Enabled SSH for stage1" ];
- boot.initrd.kernelModules = ["af_packet"];
+ boot.initrd.kernelModules = [ "af_packet" ];
 boot.initrd.extraUtilsCommands = ''
 copy_bin_and_libs ${pkgs.mkinitcpio-nfs-utils}/bin/ipconfig
diff --git a/nix/os/modules/natrouter.nix b/nix/os/modules/natrouter.nix
index 62af2a8..d853c28 100644
--- a/nix/os/modules/natrouter.nix
+++ b/nix/os/modules/natrouter.nix
@@ -1,9 +1,6 @@
+{ lib, ... }:
+with lib;
 {
- lib,
- config,
- ...
-}:
-with lib; {
 # TODO
 # Provide a NAT/DHCP Router
 #
diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix
index dbe449b..db2bbbf 100644
--- a/nix/os/modules/opinionatedDisk.nix
+++ b/nix/os/modules/opinionatedDisk.nix
@@ -4,18 +4,17 @@
 pkgs,
 ...
 }:
-with lib; let
+with lib;
+let
 cfg = config.hardware.opinionatedDisk;
- ownLib = pkgs.callPackage ../lib/default.nix {};
+ ownLib = pkgs.callPackage ../lib/default.nix { };
- earlyDiskId = cfg:
- if cfg.earlyDiskIdOverride != ""
- then cfg.earlyDiskIdOverride
- else cfg.diskId;
-in {
+ earlyDiskId = cfg: if cfg.earlyDiskIdOverride != "" then cfg.earlyDiskIdOverride else cfg.diskId;
+in
+{
 options.hardware.opinionatedDisk = {
 enable = mkEnableOption "Enable opinionated filesystem layout";
- diskId = mkOption {type = types.str;};
+ diskId = mkOption { type = types.str; };
 encrypted = mkOption {
 default = true;
 type = types.bool;
@@ -36,31 +35,30 @@ in { fileSystems."/" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = ["subvol=nixos"]; + options = [ "subvol=nixos" ]; }; fileSystems."/home" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = ["subvol=home"]; + options = [ "subvol=home" ]; }; - swapDevices = [{device = ownLib.disk.swapFsDevice cfg.diskId;}]; + swapDevices = [ { device = ownLib.disk.swapFsDevice cfg.diskId; } ]; boot.loader.grub = { device = ownLib.disk.bootGrubDevice (earlyDiskId cfg); enableCryptodisk = cfg.encrypted; }; - boot.initrd.luks.devices = - lib.optionalAttrs cfg.encrypted - (builtins.listToAttrs [ + boot.initrd.luks.devices = lib.optionalAttrs cfg.encrypted ( + builtins.listToAttrs [ { - name = let - splitstring = - builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); - lastelem = (builtins.length splitstring) - 1; - in + name = + let + splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); + lastelem = (builtins.length splitstring) - 1; + in builtins.elemAt splitstring lastelem; value = { device = ownLib.disk.bootLuksDevice cfg.diskId; @@ -69,6 +67,7 @@ in { allowDiscards = true; }; } - ]); + ] + ); }; } diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index 7c1f786..61b4cb8 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix @@ -2,11 +2,9 @@ config, pkgs, repoFlake, - nodeFlake, - repoFlakeInputs', - packages', ... -}: { +}: +{ imports = [ repoFlake.inputs.sops-nix.nixosModules.sops @@ -30,7 +28,10 @@ boot.tmp.useTmpfs = true; # Workaround for nm-pptp to enforce module load - boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"]; + boot.kernelModules = [ + "nf_conntrack_proto_gre" + "nf_conntrack_pptp" + ]; nixpkgs.config = { allowBroken = false; diff --git a/nix/os/profiles/common/hw.nix b/nix/os/profiles/common/hw.nix index 80bdc31..4d6eb74 100644 
--- a/nix/os/profiles/common/hw.nix
+++ b/nix/os/profiles/common/hw.nix
@@ -1,5 +1,12 @@
-{...}: {
+_: {
 hardware.trackpoint.emulateWheel = true;
- boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "cryptd"];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usb_storage"
+ "sd_mod"
+ "rtsx_pci_sdmmc"
+ "cryptd"
+ ];
 }
diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix
index f576a28..edf8717 100644
--- a/nix/os/profiles/common/system.nix
+++ b/nix/os/profiles/common/system.nix
@@ -1,10 +1,5 @@
+{ pkgs, nodeName, ... }:
 {
- config,
- pkgs,
- lib,
- nodeName,
- ...
-}: {
 networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname.
 networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2;
@@ -15,11 +10,13 @@
 '';
 # Fonts, I18N, Date ...
- fonts.packages = [pkgs.corefonts];
+ fonts.packages = [ pkgs.corefonts ];
 console.font = "lat9w-16";
- i18n = {defaultLocale = "en_US.UTF-8";};
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ };
 time.timeZone = "Etc/UTC";
 services.gpm.enable = true;
diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix
index 27b7427..6c799c9 100644
--- a/nix/os/profiles/common/user.nix
+++ b/nix/os/profiles/common/user.nix
@@ -3,7 +3,8 @@
 pkgs,
 lib,
 ...
-}: let
+}:
+let
 keys = import ../../../variables/keys.nix;
 inherit (import ../../lib/default.nix {
@@ -16,7 +17,8 @@
 inherit (lib) types;
 cfg = config.users.commonUsers;
-in {
+in
+{
 options.users.commonUsers = {
 enable = lib.mkOption {
 default = true;
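Review bot: The two regexes left as context in common/system.nix escape the dot differently: `builtins.split "\\." nodeName` on the hostName line gives the regex `\.`, while `"(^[^\\.]+\.)"` on the domain line contains a bare `\.`, which the Nix string lexer reduces to a plain `.` (only `\n`, `\r`, `\t`, `\\`, `\"` and `\$` are real escapes, as far as I know), so builtins.split actually receives `(^[^.]+.)` with an any-character match at the end. It works for dotted names only because the greedy `[^.]+` backtracks onto the real dot; for a single-label nodeName the pattern swallows the last character and yields an empty `networking.domain` instead of surfacing the problem, which may or may not be what you want. Suggest `networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\\.)" nodeName) 2;` so both lines agree, and this hunk is the natural place since it already rewrites the file's header. The module body continues outside the hunk.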
@@ -39,57 +41,53 @@ in { type = types.str; }; }; - config = lib.mkIf cfg.enable (lib.mkMerge [ - (lib.mkIf (cfg.installPassword == "") { - sops.secrets.sharedUsers-root = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + (lib.mkIf (cfg.installPassword == "") { + sops.secrets.sharedUsers-root = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - # neededForUsers = true; - format = "yaml"; - }; - }) + sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + # neededForUsers = true; + format = "yaml"; + }; + }) - { - users.mutableUsers = cfg.installPassword != ""; + { + users.mutableUsers = cfg.installPassword != ""; - users.users.root = lib.mkMerge [ - { - openssh.authorizedKeys.keys = keys.users.steveej.openssh; - } + users.users.root = lib.mkMerge [ + { openssh.authorizedKeys.keys = keys.users.steveej.openssh; } - (lib.mkIf (cfg.installPassword != "") { - password = cfg.installPassword; - }) + (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) - (lib.mkIf (cfg.installPassword == "") { - hashedPasswordFile = cfg.rootPasswordFile; - }) - ]; + (lib.mkIf (cfg.installPassword == "") { hashedPasswordFile = cfg.rootPasswordFile; }) + ]; - users.users.steveej = lib.mkIf cfg.enableNonRoot (mkUser (lib.mkMerge [ - { - uid = 1000; - } + users.users.steveej = lib.mkIf cfg.enableNonRoot ( + 
mkUser ( + lib.mkMerge [ + { uid = 1000; } - (lib.mkIf (cfg.installPassword != "") { - password = cfg.installPassword; - }) + (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) - (lib.mkIf (cfg.installPassword == "") { - hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; - }) - ])); - } - ]); + (lib.mkIf (cfg.installPassword == "") { + hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; + }) + ] + ) + ); + } + ] + ); } diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix index 28ebb64..40fd3f4 100644 --- a/nix/os/profiles/containers/configuration.nix +++ b/nix/os/profiles/containers/configuration.nix @@ -3,26 +3,23 @@ pkgs, lib, ... -}: { +}: +{ networking.useHostResolvConf = false; networking.firewall.enable = true; networking.nftables.enable = true; networking.nftables.flushRuleset = true; - networking.nameservers = lib.mkForce [hostAddress]; + networking.nameservers = lib.mkForce [ hostAddress ]; - environment.systemPackages = [ - pkgs.dnsutils - ]; + environment.systemPackages = [ pkgs.dnsutils ]; imports = [ { # keep DNS set up to a minimum: only query the container host services.resolved.enable = lib.mkForce false; - networking.nameservers = [ - hostAddress - ]; + networking.nameservers = [ hostAddress ]; } ../../snippets/nix-settings.nix # ../../modules/ddclient-ovh.nix diff --git a/nix/os/profiles/graphical-gnome-xorg.nix b/nix/os/profiles/graphical-gnome-xorg.nix index bfd4036..a13dd07 100644 --- a/nix/os/profiles/graphical-gnome-xorg.nix +++ b/nix/os/profiles/graphical-gnome-xorg.nix @@ -1,8 +1,5 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: { services.xserver = { enable = true; libinput.enable = true; 
@@ -98,8 +95,11 @@
 support32Bit = true;
 };
- services.dbus.packages = with pkgs; [dconf];
+ services.dbus.packages = with pkgs; [ dconf ];
 # More Services
- environment.systemPackages = [pkgs.gnome.adwaita-icon-theme pkgs.gnomeExtensions.appindicator];
+ environment.systemPackages = [
+ pkgs.gnome.adwaita-icon-theme
+ pkgs.gnomeExtensions.appindicator
+ ];
 }
diff --git a/nix/os/profiles/graphical/boot.nix b/nix/os/profiles/graphical/boot.nix
index 91b4ae9..4bf6ca4 100644
--- a/nix/os/profiles/graphical/boot.nix
+++ b/nix/os/profiles/graphical/boot.nix
@@ -1,5 +1,4 @@
-{config, ...}: {
- boot.extraModulePackages = [
- config.boot.kernelPackages.v4l2loopback
- ];
+{ config, ... }:
+{
+ boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ];
 }
diff --git a/nix/os/profiles/graphical/configuration.nix b/nix/os/profiles/graphical/configuration.nix
index b9cf53e..477a93d 100644
--- a/nix/os/profiles/graphical/configuration.nix
+++ b/nix/os/profiles/graphical/configuration.nix
@@ -1,3 +1,8 @@
-{pkgs, ...}: {
- imports = [./boot.nix ./system.nix ./hw.nix];
+{ ... }:
+{
+ imports = [
+ ./boot.nix
+ ./system.nix
+ ./hw.nix
+ ];
 }
diff --git a/nix/os/profiles/graphical/hw.nix b/nix/os/profiles/graphical/hw.nix
index abb1e68..821f5bf 100644
--- a/nix/os/profiles/graphical/hw.nix
+++ b/nix/os/profiles/graphical/hw.nix
@@ -1,3 +1 @@
-{...}: {
- hardware.enableAllFirmware = true;
-}
+_: { hardware.enableAllFirmware = true; }
diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix
index ce49500..42eccfb 100644
--- a/nix/os/profiles/graphical/system.nix
+++ b/nix/os/profiles/graphical/system.nix
@@ -1,11 +1,6 @@
+{ pkgs, ... }:
 {
- pkgs,
- lib,
- ...
-}: {
- imports = [
- ../../snippets/bluetooth.nix
- ];
+ imports = [ ../../snippets/bluetooth.nix ];
 networking.networkmanager = {
 enable = true;
@@ -26,7 +21,11 @@ services.pcscd.enable = true; hardware.opengl.enable = true; - services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules]; + services.udev.packages = [ + pkgs.libu2f-host + pkgs.yubikey-personalization + pkgs.android-udev-rules + ]; services.udev.extraRules = '' # OnePlusOne ATTR{idVendor}=="05c6", ATTR{idProduct}=="6764", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess" @@ -53,6 +52,9 @@ services.printing = { enable = true; - drivers = with pkgs; [mfcl3770cdwlpr mfcl3770cdwcupswrapper]; + drivers = with pkgs; [ + mfcl3770cdwlpr + mfcl3770cdwcupswrapper + ]; }; } diff --git a/nix/os/profiles/install-medium/iso/iso.nix b/nix/os/profiles/install-medium/iso/iso.nix index 394aece..a32f3f6 100644 --- a/nix/os/profiles/install-medium/iso/iso.nix +++ b/nix/os/profiles/install-medium/iso/iso.nix @@ -5,25 +5,26 @@ pkgs, lib, ... -}: let +}: +let nixos-init-script = '' #!${pkgs.stdenv.shell} export HOME=/root export PATH=${ - pkgs.lib.makeBinPath [ - config.nix.package - pkgs.systemd - pkgs.gnugrep - pkgs.gnused - config.system.build.nixos-rebuild - config.system.build.nixos-install - pkgs.utillinux - pkgs.e2fsprogs - pkgs.coreutils - pkgs.hdparm - ] - }:$PATH + pkgs.lib.makeBinPath [ + config.nix.package + pkgs.systemd + pkgs.gnugrep + pkgs.gnused + config.system.build.nixos-rebuild + config.system.build.nixos-install + pkgs.utillinux + pkgs.e2fsprogs + pkgs.coreutils + pkgs.hdparm + ] + }:$PATH export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels set -xe @@ -61,7 +62,8 @@ nixos-install reboot ''; -in { +in +{ imports = [ 
@@ -70,13 +72,11 @@ in { # ]; - isoImage.isoName = - lib.mkForce - "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; + isoImage.isoName = lib.mkForce "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; boot.loader.timeout = lib.mkForce 0; boot.postBootCommands = ""; - environment.systemPackages = []; + environment.systemPackages = [ ]; users.users.root = { openssh.authorizedKeys.keys = [ @@ -85,18 +85,18 @@ in { }; services.gpm.enable = true; - systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"]; + systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ]; systemd.services.nixos-init = { script = nixos-init-script; - path = with pkgs; []; + path = with pkgs; [ ]; description = "Initialize /dev/vda from configuration.nix found at /dev/vdb"; enable = true; - wantedBy = ["multi-user.target"]; - after = ["multi-user.target"]; - requires = ["network-online.target"]; + wantedBy = [ "multi-user.target" ]; + after = [ "multi-user.target" ]; + requires = [ "network-online.target" ]; restartIfChanged = false; unitConfig.X-StopOnRemoval = false; diff --git a/nix/os/profiles/removable-medium/boot.nix b/nix/os/profiles/removable-medium/boot.nix index e0938bd..17a1dba 100644 --- a/nix/os/profiles/removable-medium/boot.nix +++ b/nix/os/profiles/removable-medium/boot.nix @@ -1,5 +1,6 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/profiles/removable-medium/configuration.nix b/nix/os/profiles/removable-medium/configuration.nix index 95ca049..ad7def0 100644 --- a/nix/os/profiles/removable-medium/configuration.nix +++ b/nix/os/profiles/removable-medium/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../modules/opinionatedDisk.nix 
diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix
index 17c16b0..0f7cbec 100644
--- a/nix/os/profiles/removable-medium/hw.nix
+++ b/nix/os/profiles/removable-medium/hw.nix
@@ -1,4 +1,4 @@
-{...}: {
+_: {
 hardware.opinionatedDisk.enable = true;
 hardware.enableAllFirmware = true;
 }
diff --git a/nix/os/profiles/removable-medium/pkg.nix b/nix/os/profiles/removable-medium/pkg.nix
index 5a54115..d27081f 100644
--- a/nix/os/profiles/removable-medium/pkg.nix
+++ b/nix/os/profiles/removable-medium/pkg.nix
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix {
 inherit pkgs;
 };
diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix
index 7586a85..243edf7 100644
--- a/nix/os/profiles/removable-medium/system.nix
+++ b/nix/os/profiles/removable-medium/system.nix
@@ -1,13 +1,9 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
-in {
+_: {
 services.illum.enable = true;
- services.printing = {enable = false;};
+ services.printing = {
+ enable = false;
+ };
 services.spice-vdagentd.enable = true;
 services.qemuGuest.enable = true;
diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix
index a4cfeca..090217e 100644
--- a/nix/os/snippets/bluetooth.nix
+++ b/nix/os/snippets/bluetooth.nix
@@ -1,10 +1,7 @@
+{ pkgs, ... }:
 {
- pkgs,
- lib,
- ...
-}: {
 # required for running blueman-applet in user sessions
- services.dbus.packages = with pkgs; [blueman];
+ services.dbus.packages = with pkgs; [ blueman ];
 hardware.bluetooth.enable = true;
 services.blueman.enable = true;
 }
diff --git a/nix/os/snippets/holo-zerotier.nix b/nix/os/snippets/holo-zerotier.nix
index 8ea2be5..4371b78 100644
--- a/nix/os/snippets/holo-zerotier.nix
+++ b/nix/os/snippets/holo-zerotier.nix
@@ -1,48 +1,48 @@ -{ - config, - lib, - ... -}: let +{ config, lib, ... }: +let cfg = config.steveej.holo-zerotier; -in { +in +{ options.steveej.holo-zerotier = { enable = lib.mkEnableOption "Enable holo-zerotier"; - autostart = lib.mkOption {default = false;}; + autostart = lib.mkOption { default = false; }; }; config = { - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) ["zerotierone"]; + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ]; services.zerotierone = { - enable = cfg.enable; + inherit (cfg) enable; joinNetworks = [ # moved to the service below as it's now secret ]; }; - systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce []); + systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); systemd.services.zerotieroneSecretNetworks = { - enable = cfg.enable; - requiredBy = ["zerotierone.service"]; - partOf = ["zerotierone.service"]; + inherit (cfg) enable; + requiredBy = [ "zerotierone.service" ]; + partOf = [ "zerotierone.service" ]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; - script = let - secret = config.sops.secrets.zerotieroneNetworks; - in '' - # include the secret's hash to trigger a restart on change - # ${builtins.hashString "sha256" (builtins.toJSON secret)} + script = + let + secret = config.sops.secrets.zerotieroneNetworks; + in + '' + # include the secret's hash to trigger a restart on change + # ${builtins.hashString "sha256" (builtins.toJSON secret)} - ${config.systemd.services.zerotierone.preStart} + ${config.systemd.services.zerotierone.preStart} - rm -rf /var/lib/zerotier-one/networks.d/*.conf - for network in `grep -v '#' ${secret.path}`; do - touch /var/lib/zerotier-one/networks.d/''${network}.conf - done - ''; + rm -rf /var/lib/zerotier-one/networks.d/*.conf + for network in `grep -v '#' ${secret.path}`; do + touch /var/lib/zerotier-one/networks.d/''${network}.conf + done + ''; }; 
sops.secrets.zerotieroneNetworks = { diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix index 266a125..47ddd8a 100644 --- a/nix/os/snippets/home-manager-with-zsh.nix +++ b/nix/os/snippets/home-manager-with-zsh.nix @@ -4,9 +4,9 @@ repoFlakeInputs', packages', pkgs, - lib, ... -}: let +}: +let # TODO: make this configurable homeUser = "steveej"; commonHomeImports = [ @@ -14,10 +14,9 @@ ../../home-manager/programs/neovim.nix ../../home-manager/programs/zsh.nix ]; -in { - imports = [ - nodeFlake.inputs.home-manager.nixosModules.home-manager - ]; +in +{ + imports = [ nodeFlake.inputs.home-manager.nixosModules.home-manager ]; # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager # home-manager.extraSpecialArgs = specialArgs; @@ -34,15 +33,11 @@ in { home-manager.useGlobalPkgs = false; home-manager.useUserPackages = true; - home-manager.users.root = _: { - imports = commonHomeImports; - }; + home-manager.users.root = _: { imports = commonHomeImports; }; - home-manager.users."${homeUser}" = _: { - imports = commonHomeImports; - }; + home-manager.users."${homeUser}" = _: { imports = commonHomeImports; }; programs.zsh.enable = true; users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = ["/share/zsh"]; + environment.pathsToLink = [ "/share/zsh" ]; } diff --git a/nix/os/snippets/k3s-w-nix-snapshotter.nix b/nix/os/snippets/k3s-w-nix-snapshotter.nix index d6f1279..1774650 100644 --- a/nix/os/snippets/k3s-w-nix-snapshotter.nix +++ b/nix/os/snippets/k3s-w-nix-snapshotter.nix @@ -1,18 +1,18 @@ # experiment with k3s, nix-snapshotter, and nixos images { nodeFlake, - nodeFlakeInputs', pkgs, lib, system, config, ... -}: let +}: +let cfg = config.steveej.k3s; - # TODO: make this configurable - homeUser = "steveej"; -in { +in +# TODO: make this configurable +{ options.steveej.k3s = { enable = lib.mkOption { description = "steveej's k3s distro"; 
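Review bot: The loop `for network in \`grep -v '#' ${secret.path}\`; do touch /var/lib/zerotier-one/networks.d/''${network}.conf` in the re-indented script of `zerotieroneSecretNetworks` splits the secret file on whitespace and uses each token unchecked as a path component, so a malformed entry containing `/`, `..` or embedded spaces creates a file outside or misnamed inside `networks.d`, and nothing rejects it before the `rm -rf` above has already cleared the directory. ZeroTier network IDs are 16 hex digits, so a guard ahead of the `touch`, `[[ "$network" =~ ^[0-9a-fA-F]{16}$ ]] || { echo "skipping malformed network id" >&2; continue; }`, keeps the join list to well-formed IDs, and quoting the path as `touch "/var/lib/zerotier-one/networks.d/$network.conf"` avoids a second round of word splitting. The `config` attribute set this unit sits in continues past the hunk.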
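Review bot: The `# TODO: make this configurable` comment in the first hunk of `nix/os/snippets/k3s-w-nix-snapshotter.nix` now sits between `in` and `{` with nothing to annotate, because the `homeUser = "steveej";` binding it belonged to was removed in the same hunk (presumably as unused elsewhere in the file). Either drop the comment or move it next to whatever still hard-codes the user name; as it stands it reads as a formatter artifact. The options block of the module continues past the hunk.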
@@ -22,13 +22,11 @@ in { }; # (1) Import nixos module. - imports = [ - nodeFlake.inputs.nix-snapshotter.nixosModules.default - ]; + imports = [ nodeFlake.inputs.nix-snapshotter.nixosModules.default ]; config = lib.mkIf cfg.enable { # (2) Add overlay. - nixpkgs.overlays = [nodeFlake.inputs.nix-snapshotter.overlays.default]; + nixpkgs.overlays = [ nodeFlake.inputs.nix-snapshotter.overlays.default ]; # (3) Enable service. virtualisation.containerd = { diff --git a/nix/os/snippets/mycelium.nix b/nix/os/snippets/mycelium.nix index 6d211cf..990477e 100644 --- a/nix/os/snippets/mycelium.nix +++ b/nix/os/snippets/mycelium.nix @@ -1,16 +1,15 @@ { repoFlake, - nodeFlake, nodeName, config, - system, lib, ... -}: let +}: +let cfg.autostart = false; -in { - imports = [ - ]; +in +{ + imports = [ ]; sops.secrets.mycelium-key = { format = "binary"; @@ -22,14 +21,12 @@ in { # package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd; keyFile = config.sops.secrets.mycelium-key.path; addHostedPublicNodes = true; - peers = [ - ]; + peers = [ ]; # tunName = "mycelium-pub"; - extraArgs = [ - ]; + extraArgs = [ ]; }; - systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce []); + systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); } diff --git a/nix/os/snippets/nix-settings-holo-chain.nix b/nix/os/snippets/nix-settings-holo-chain.nix index d975cea..b660f1c 100644 --- a/nix/os/snippets/nix-settings-holo-chain.nix +++ b/nix/os/snippets/nix-settings-holo-chain.nix @@ -1,4 +1,4 @@ -{pkgs, ...}: { +_: { nix.settings = { substituters = [ "https://holochain-ci.cachix.org" diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix index 4b7104e..6daaaef 100644 --- a/nix/os/snippets/nix-settings.nix +++ b/nix/os/snippets/nix-settings.nix 
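Review bot: Dropping `nodeFlake` and `system` from the argument set in the first hunk of `nix/os/snippets/mycelium.nix` leaves the commented-out `# package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd;` in the second hunk referring to names that are no longer bound, so re-enabling that line will fail to evaluate until both parameters are restored. Either delete the stale comment or extend it, e.g. `# package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd; # re-add nodeFlake and system to the module args first`. The `services.mycelium` block that comment sits in begins outside the second hunk.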
@@ -3,17 +3,17 @@ pkgs, lib, ... -}: let - pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;}; -in { +}: +let + pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; }; +in +{ nix.daemonCPUSchedPolicy = "idle"; nix.daemonIOSchedClass = "idle"; nix.settings.max-jobs = lib.mkDefault "auto"; nix.settings.cores = lib.mkDefault 0; nix.settings.sandbox = true; - nix.nixPath = [ - "nixpkgs=${pkgs.path}" - ]; + nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; nix.settings.experimental-features = [ "nix-command" @@ -32,7 +32,7 @@ in { nix.registry.nixpkgs.to = { type = "path"; path = nodeFlake.inputs.nixpkgs.outPath; - narHash = nodeFlake.inputs.nixpkgs.narHash; + inherit (nodeFlake.inputs.nixpkgs) narHash; }; nix.package = pkgsUnstable.nixVersions.latest; diff --git a/nix/os/snippets/obs-studio.nix b/nix/os/snippets/obs-studio.nix index c46305e..8a99fcb 100644 --- a/nix/os/snippets/obs-studio.nix +++ b/nix/os/snippets/obs-studio.nix @@ -1,10 +1,10 @@ -{config, ...}: let +{ config, ... }: +let # TODO: make configurable homeUser = "steveej"; -in { - boot.extraModulePackages = [ - config.boot.kernelPackages.v4l2loopback.out - ]; +in +{ + boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ]; # Activate kernel modules (choose from built-ins and extra ones) boot.kernelModules = [ @@ -23,9 +23,5 @@ in { security.polkit.enable = true; - home-manager.users.${homeUser} = _: { - imports = [ - ../../home-manager/programs/obs-studio.nix - ]; - }; + home-manager.users.${homeUser} = _: { imports = [ ../../home-manager/programs/obs-studio.nix ]; }; } diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix index 69628bf..709b601 100644 --- a/nix/os/snippets/radicale.nix +++ b/nix/os/snippets/radicale.nix 
@@ -1,13 +1,14 @@ { config, - lib, pkgs, repoFlakeInputs', ... -}: let +}: +let # TODO: make configurable homeUser = "steveej"; -in { +in +{ sops.secrets.radicale_htpasswd = { sopsFile = ../../../secrets/desktop/radicale_htpasswd; format = "binary"; @@ -19,11 +20,13 @@ in { # TODO: bump these to latest and make it work ( args: - import ../../home-manager/programs/radicale.nix (args - // { - osConfig = config; - pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; - }) + import ../../home-manager/programs/radicale.nix ( + args + // { + osConfig = config; + pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; + } + ) ) ]; }; diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix index f8d21b0..a40eb85 100644 --- a/nix/os/snippets/sway-desktop.nix +++ b/nix/os/snippets/sway-desktop.nix @@ -3,10 +3,12 @@ lib, config, ... -}: let +}: +let # TODO: make this configurable homeUser = "steveej"; -in { +in +{ services.xserver.serverFlagsSection = '' Option "BlankTime" "0" Option "StandbyTime" "0" @@ -28,7 +30,7 @@ in { # required by swaywm security.polkit.enable = true; - security.pam.services.swaylock = {}; + security.pam.services.swaylock = { }; # test these on https://mozilla.github.io/webrtc-landing/gum_test.html xdg.portal = { 
@@ -44,18 +46,20 @@ in { screencast = { chooser_type = "dmenu"; # display the output as a list in favor of the default mouse selection - chooser_cmd = lib.getExe (pkgs.writeShellApplication { - name = "chooser_cmd"; - runtimeInputs = [ - pkgs.sway - pkgs.jq - pkgs.fuzzel - pkgs.gnused - ]; - text = '' - swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//' - ''; - }); + chooser_cmd = lib.getExe ( + pkgs.writeShellApplication { + name = "chooser_cmd"; + runtimeInputs = [ + pkgs.sway + pkgs.jq + pkgs.fuzzel + pkgs.gnused + ]; + text = '' + swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//' + ''; + } + ); max_fps = 30; }; }; @@ -101,8 +105,8 @@ in { # autologin steveej on tty1 # TODO: make user configurable systemd.services."autovt@tty1".description = "Autologin at the TTY1"; - systemd.services."autovt@tty1".after = ["systemd-logind.service"]; # without it user session not started and xorg can't be run from this tty - systemd.services."autovt@tty1".wantedBy = ["multi-user.target"]; + systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty + systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; systemd.services."autovt@tty1".serviceConfig = { ExecStart = [ "" # override upstream default with an empty ExecStart 
@@ -112,21 +116,21 @@ in { Type = "idle"; }; - programs = let - steveejSwayOnTty1 = '' - if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then - exec sway - fi - ''; - in { - bash.loginShellInit = steveejSwayOnTty1; - # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion - zsh.loginShellInit = steveejSwayOnTty1; - }; + programs = + let + steveejSwayOnTty1 = '' + if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then + exec sway + fi + ''; + in + { + bash.loginShellInit = steveejSwayOnTty1; + # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion + zsh.loginShellInit = steveejSwayOnTty1; + }; home-manager.users."${homeUser}" = _: { - imports = [ - ../../home-manager/profiles/sway-desktop.nix - ]; + imports = [ ../../home-manager/profiles/sway-desktop.nix ]; }; } diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix index 3b8c145..f7c2301 100644 --- a/nix/os/snippets/systemd-resolved.nix +++ b/nix/os/snippets/systemd-resolved.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ networking.nameservers = [ # https://dnsforge.de/ "176.9.93.198" @@ -12,12 +13,12 @@ services.resolved = { enable = true; dnssec = "true"; - domains = ["~."]; + domains = [ "~." ]; # TODO: figure out why "true" doesn't work dnsovertls = "opportunistic"; - fallbackDns = lib.mkForce []; + fallbackDns = lib.mkForce [ ]; # TODO: IPv6 # extraConfig = '' diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix index 25aee48..67db1e8 100644 --- a/nix/os/snippets/timezone.nix +++ b/nix/os/snippets/timezone.nix @@ -1,5 +1,7 @@ -{lib, ...}: let +{ lib, ... }: +let passwords = import ../../variables/passwords.crypt.nix; -in { +in +{ time.timeZone = lib.mkDefault passwords.timeZone.stefan; } diff --git a/nix/pkgs/browserpass/default.nix b/nix/pkgs/browserpass/default.nix index 5b13732..34a6977 100644 --- a/nix/pkgs/browserpass/default.nix 
+++ b/nix/pkgs/browserpass/default.nix @@ -1,27 +1,27 @@ -with import {}; - stdenv.mkDerivation rec { - broken = true; +with import { }; +stdenv.mkDerivation rec { + broken = true; - name = "browserpass"; - version = "2.0.9"; + name = "browserpass"; + version = "2.0.9"; - src = fetchzip { - url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; - sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; - stripRoot = false; - }; + src = fetchzip { + url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; + sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; + stripRoot = false; + }; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath []; - installPhase = '' - set -x - patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 + libPath = lib.makeLibraryPath [ ]; + installPhase = '' + set -x + patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 - mkdir -p $out/bin - cp -a * $out/bin/ - # wrapProgram $out/bin/browserpass-linux64 \ - # --prefix LD_LIBRARY_PATH : "${libPath}" - # - ''; - } + mkdir -p $out/bin + cp -a * $out/bin/ + # wrapProgram $out/bin/browserpass-linux64 \ + # --prefix LD_LIBRARY_PATH : "${libPath}" + # + ''; +} diff --git a/nix/pkgs/dcpj4110dw/default.nix b/nix/pkgs/dcpj4110dw/default.nix index 8a4f6a6..93f59c7 100644 --- a/nix/pkgs/dcpj4110dw/default.nix +++ b/nix/pkgs/dcpj4110dw/default.nix @@ -16,7 +16,8 @@ file, proot, bash, -}: let +}: +let model = "dcpj4110dw"; version = "3.0.1-1"; src = fetchurl { 
@@ -24,12 +25,16 @@ sha256 = "sha256-ryKDsSkabAD2X3WLmeqjdB3+4DXdJ0qUz3O64DV+ixw="; }; reldir = "opt/brother/Printers/${model}/"; -in rec { +in +rec { driver = pkgsi686Linux.stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; unpackPhase = "dpkg-deb -x $src $out"; @@ -45,7 +50,18 @@ in rec { mv $out/${reldir}/lpd/filter${model} $out/${reldir}/lpd/.wrapped_filter${model} cat <<-EOF >$out/${reldir}/lpd/.wrapper_inner_filter${model} - export PATH=\$PATH:${lib.makeBinPath [gawk file a2ps coreutils ghostscript gnugrep gnused which]} + export PATH=\$PATH:${ + lib.makeBinPath [ + gawk + file + a2ps + coreutils + ghostscript + gnugrep + gnused + which + ] + } exec $out/${reldir}/lpd/.wrapped_filter${model} EOF chmod +x $out/${reldir}/lpd/.wrapper_inner_filter${model} @@ -64,10 +80,13 @@ in rec { meta = { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; + sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; # license = lib.licenses.unfree; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; 
@@ -81,14 +100,29 @@ in rec { name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; - buildInputs = [cups ghostscript a2ps gawk]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; + buildInputs = [ + cups + ghostscript + a2ps + gawk + ]; unpackPhase = "dpkg-deb -x $src $out"; installPhase = '' wrapProgram $out/${reldir}/cupswrapper/cupswrapper${model} \ - --prefix PATH : ${lib.makeBinPath [coreutils ghostscript gnugrep gnused]} + --prefix PATH : ${ + lib.makeBinPath [ + coreutils + ghostscript + gnugrep + gnused + ] + } patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ $out/${reldir}/cupswrapper/brcupsconfpt1 @@ -100,10 +134,13 @@ in rec { meta = { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; + sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; license = lib.licenses.gpl2; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; } diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix index 6f114b2..78b37a6 100644 --- a/nix/pkgs/default.nix +++ b/nix/pkgs/default.nix @@ -1,5 +1,6 @@ -{pkgs}: { - duplicacy = pkgs.callPackage ../pkgs/duplicacy {}; +{ pkgs }: +{ + duplicacy = pkgs.callPackage ../pkgs/duplicacy { }; staruml = pkgs.callPackage ../pkgs/staruml.nix { inherit (pkgs.gnome2) GConf; libgcrypt = pkgs.libgcrypt_1_5; diff --git a/nix/pkgs/duplicacy/default.nix b/nix/pkgs/duplicacy/default.nix index 7a3fc19..b961a17 100644 --- a/nix/pkgs/duplicacy/default.nix +++ b/nix/pkgs/duplicacy/default.nix @@ -1,7 +1,4 @@ -{ - buildGoPackage, - fetchFromGitHub, -}: +{ buildGoPackage, fetchFromGitHub }: buildGoPackage rec { name = "duplicay-${version}"; version = "2.1.2"; 
diff --git a/nix/pkgs/duplicacy/shell.nix b/nix/pkgs/duplicacy/shell.nix index 051e832..045572c 100644 --- a/nix/pkgs/duplicacy/shell.nix +++ b/nix/pkgs/duplicacy/shell.nix @@ -1,12 +1,12 @@ -with import {}; - stdenv.mkDerivation { - name = "env"; - buildInputs = [ - zsh - go - go2nix - dep2nix - nix-prefetch-github - (callPackage ./default.nix {}) - ]; - } +with import { }; +stdenv.mkDerivation { + name = "env"; + buildInputs = [ + zsh + go + go2nix + dep2nix + nix-prefetch-github + (callPackage ./default.nix { }) + ]; +} diff --git a/nix/pkgs/jay.nix b/nix/pkgs/jay.nix index a4c2db4..9a7b0e5 100644 --- a/nix/pkgs/jay.nix +++ b/nix/pkgs/jay.nix @@ -31,6 +31,6 @@ rustPlatform.buildRustPackage rec { homepage = "https://github.com/mahkoh/jay"; license = licenses.gpl3; platforms = platforms.linux; - maintainers = with maintainers; [dit7ya]; + maintainers = with maintainers; [ dit7ya ]; }; } diff --git a/nix/pkgs/logseq/README.md b/nix/pkgs/logseq/README.md index c6f46bd..0c596b6 100644 --- a/nix/pkgs/logseq/README.md +++ b/nix/pkgs/logseq/README.md 
@@ -4,20 +4,19 @@ this is pseudocode that serves as a reminder 1. podman build -f Containerfile -t logseq 2. CONTAINER_ID=$(podman container create logseq) -2. podman unshare -3. podman mount $CONTAINER_ID -4. copy and upload the AppImage. e.g. - ``` - cp /home/steveej/.local/share/containers/storage/overlay/f932ca9f11ea2bfd6b221118eb54775a623bc519bfe38188afcbad51dda2777f/merged/Logseq-0.10.9.AppImage . - exit - scp Logseq-0.10.9.AppImage root@www.stefanjunker.de:/var/lib/container-volumes/webserver/var-www/stefanjunker.de/htdocs/caddy/downloads/ - ``` -5. podman unshare -6. podman unmount - +3. podman unshare +4. podman mount $CONTAINER_ID +5. copy and upload the AppImage. e.g. + ``` + cp /home/steveej/.local/share/containers/storage/overlay/f932ca9f11ea2bfd6b221118eb54775a623bc519bfe38188afcbad51dda2777f/merged/Logseq-0.10.9.AppImage . + exit + scp Logseq-0.10.9.AppImage root@www.stefanjunker.de:/var/lib/container-volumes/webserver/var-www/stefanjunker.de/htdocs/caddy/downloads/ + ``` +6. podman unshare +7. podman unmount # resources -* https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90 -* https://github.com/logseq/logseq/blob/master/Dockerfile -* https://github.com/randomwangran/logseq-nix-flake +- https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90 +- https://github.com/logseq/logseq/blob/master/Dockerfile +- https://github.com/randomwangran/logseq-nix-flake diff --git a/nix/pkgs/logseq/default.nix b/nix/pkgs/logseq/default.nix index 159d03b..b3c2c0c 100644 --- a/nix/pkgs/logseq/default.nix +++ b/nix/pkgs/logseq/default.nix 
@@ -14,85 +14,93 @@ nix-update-script, overrideSrc ? null, }: -stdenv.mkDerivation (finalAttrs: let - inherit (finalAttrs) pname version src appimageContents; -in { - pname = "logseq"; - version = "0.10.9"; +stdenv.mkDerivation ( + finalAttrs: + let + inherit (finalAttrs) pname version src; + in + { + pname = "logseq"; + version = "0.10.9"; - src = - if overrideSrc != null - then overrideSrc - else - (fetchurl { - url = "https://github.com/logseq/logseq/releases/download/${version}/logseq-linux-x64-${version}.AppImage"; - hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBe="; - name = "${pname}-${version}.AppImage"; - }); + src = + if overrideSrc != null then + overrideSrc + else + (fetchurl { + url = "https://github.com/logseq/logseq/releases/download/${version}/logseq-linux-x64-${version}.AppImage"; + hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBe="; + name = "${pname}-${version}.AppImage"; + }); - nativeBuildInputs = - [makeWrapper] - ++ lib.optionals stdenv.hostPlatform.isLinux [autoPatchelfHook] - ++ lib.optionals stdenv.hostPlatform.isDarwin [unzip]; - buildInputs = [stdenv.cc.cc.lib]; + nativeBuildInputs = + [ makeWrapper ] + ++ lib.optionals stdenv.hostPlatform.isLinux [ autoPatchelfHook ] + ++ lib.optionals stdenv.hostPlatform.isDarwin [ unzip ]; + buildInputs = [ stdenv.cc.cc.lib ]; - dontUnpack = stdenv.hostPlatform.isLinux; - dontConfigure = true; - dontBuild = true; + dontUnpack = stdenv.hostPlatform.isLinux; + dontConfigure = true; + dontBuild = true; - installPhase = - '' - runHook preInstall - '' - + lib.optionalString stdenv.hostPlatform.isLinux ( - let - appimageContents = appimageTools.extract {inherit pname src version;}; - in '' - mkdir -p $out/bin $out/share/logseq $out/share/applications - cp -a ${appimageContents}/{locales,resources} $out/share/logseq - cp -a ${appimageContents}/Logseq.desktop $out/share/applications/logseq.desktop - - # remove the `git` in `dugite` because we want the `git` in `nixpkgs` - chmod +w -R 
$out/share/logseq/resources/app/node_modules/dugite/git - chmod +w $out/share/logseq/resources/app/node_modules/dugite - rm -rf $out/share/logseq/resources/app/node_modules/dugite/git - chmod -w $out/share/logseq/resources/app/node_modules/dugite - - mkdir -p $out/share/pixmaps - ln -s $out/share/logseq/resources/app/icons/logseq.png $out/share/pixmaps/logseq.png - - substituteInPlace $out/share/applications/logseq.desktop \ - --replace Exec=Logseq Exec=logseq \ - --replace Icon=Logseq Icon=logseq + installPhase = '' - ) - + lib.optionalString stdenv.hostPlatform.isDarwin '' - mkdir -p $out/{Applications/Logseq.app,bin} - cp -R . $out/Applications/Logseq.app - makeWrapper $out/Applications/Logseq.app/Contents/MacOS/Logseq $out/bin/logseq - '' - + '' - runHook postInstall + runHook preInstall + '' + + lib.optionalString stdenv.hostPlatform.isLinux ( + let + appimageContents = appimageTools.extract { inherit pname src version; }; + in + '' + mkdir -p $out/bin $out/share/logseq $out/share/applications + cp -a ${appimageContents}/{locales,resources} $out/share/logseq + cp -a ${appimageContents}/Logseq.desktop $out/share/applications/logseq.desktop + + # remove the `git` in `dugite` because we want the `git` in `nixpkgs` + chmod +w -R $out/share/logseq/resources/app/node_modules/dugite/git + chmod +w $out/share/logseq/resources/app/node_modules/dugite + rm -rf $out/share/logseq/resources/app/node_modules/dugite/git + chmod -w $out/share/logseq/resources/app/node_modules/dugite + + mkdir -p $out/share/pixmaps + ln -s $out/share/logseq/resources/app/icons/logseq.png $out/share/pixmaps/logseq.png + + substituteInPlace $out/share/applications/logseq.desktop \ + --replace Exec=Logseq Exec=logseq \ + --replace Icon=Logseq Icon=logseq + '' + ) + + lib.optionalString stdenv.hostPlatform.isDarwin '' + mkdir -p $out/{Applications/Logseq.app,bin} + cp -R . 
$out/Applications/Logseq.app + makeWrapper $out/Applications/Logseq.app/Contents/MacOS/Logseq $out/bin/logseq + '' + + '' + runHook postInstall + ''; + + postFixup = lib.optionalString stdenv.hostPlatform.isLinux '' + # set the env "LOCAL_GIT_DIRECTORY" for dugite so that we can use the git in nixpkgs + makeWrapper ${electron_27}/bin/electron $out/bin/logseq \ + --set "LOCAL_GIT_DIRECTORY" ${git} \ + --add-flags $out/share/logseq/resources/app \ + --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" ''; - postFixup = lib.optionalString stdenv.hostPlatform.isLinux '' - # set the env "LOCAL_GIT_DIRECTORY" for dugite so that we can use the git in nixpkgs - makeWrapper ${electron_27}/bin/electron $out/bin/logseq \ - --set "LOCAL_GIT_DIRECTORY" ${git} \ - --add-flags $out/share/logseq/resources/app \ - --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" - ''; + passthru.updateScript = nix-update-script { }; - passthru.updateScript = nix-update-script {}; - - meta = { - description = "Local-first, non-linear, outliner notebook for organizing and sharing your personal knowledge base"; - homepage = "https://github.com/logseq/logseq"; - changelog = "https://github.com/logseq/logseq/releases/tag/${version}"; - license = lib.licenses.agpl3Plus; - sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; - maintainers = with lib.maintainers; [cheeseecake]; - platforms = ["x86_64-linux" "aarch64-linux"] ++ lib.platforms.darwin; - mainProgram = "logseq"; - }; -}) + meta = { + description = "Local-first, non-linear, outliner notebook for organizing and sharing your personal knowledge base"; + homepage = "https://github.com/logseq/logseq"; + changelog = "https://github.com/logseq/logseq/releases/tag/${version}"; + license = lib.licenses.agpl3Plus; + sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; + maintainers = 
with lib.maintainers; [ cheeseecake ]; + platforms = [ + "x86_64-linux" + "aarch64-linux" + ] ++ lib.platforms.darwin; + mainProgram = "logseq"; + }; + } +) diff --git a/nix/pkgs/magmawm.nix b/nix/pkgs/magmawm.nix index 2d4c335..c1850c1 100644 --- a/nix/pkgs/magmawm.nix +++ b/nix/pkgs/magmawm.nix @@ -8,7 +8,6 @@ libinput, libxkbcommon, mesa, - pango, udev, dbus, libGL, @@ -18,9 +17,7 @@ craneLib.buildPackage { pname = "magmawm"; version = src.rev; - nativeBuildInputs = [ - pkg-config - ]; + nativeBuildInputs = [ pkg-config ]; buildInputs = [ wayland @@ -45,6 +42,6 @@ craneLib.buildPackage { homepage = "https://github.com/MagmaWM/MagmaWM"; license = licenses.gpl3; platforms = platforms.linux; - maintainers = with maintainers; []; + maintainers = with maintainers; [ ]; }; } diff --git a/nix/pkgs/mfcl3770cdw.nix b/nix/pkgs/mfcl3770cdw.nix index 5c04cbf..142c1c0 100644 --- a/nix/pkgs/mfcl3770cdw.nix +++ b/nix/pkgs/mfcl3770cdw.nix @@ -11,7 +11,8 @@ which, perl, lib, -}: let +}: +let model = "mfcl3770cdw"; version = "1.0.2-0"; src = fetchurl { @@ -19,12 +20,16 @@ sha256 = "09fhbzhpjymhkwxqyxzv24b06ybmajr6872yp7pri39595mhrvay"; }; reldir = "opt/brother/Printers/${model}/"; -in rec { +in +rec { driver = stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; unpackPhase = "dpkg-deb -x $src $out"; @@ -36,8 +41,14 @@ in rec { --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/lpd/filter_${model} \ --prefix PATH : ${ - lib.makeBinPath [coreutils ghostscript gnugrep gnused which] - } + lib.makeBinPath [ + coreutils + ghostscript + gnugrep + gnused + which + ] + } # need to use i686 glibc here, these are 32bit proprietary binaries interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2 patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter 
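Review bot: `substituteInPlace $out/share/applications/logseq.desktop --replace Exec=Logseq Exec=logseq --replace Icon=Logseq Icon=logseq` in the re-indented `installPhase` still uses the plain `--replace` form, which silently does nothing when a pattern is absent, so an upstream rename of the desktop entry would produce a broken launcher without any build error. If the pinned nixpkgs is recent enough, switching both occurrences to `--replace-fail` turns the silent miss into a build failure; it is a one-word change on each of the two lines. The derivation's argument list begins outside the hunk.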
@@ -47,8 +58,11 @@ in rec { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; license = lib.licenses.unfree; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; @@ -56,7 +70,10 @@ in rec { inherit version src; name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; unpackPhase = "dpkg-deb -x $src $out"; @@ -68,7 +85,13 @@ in rec { --replace "basedir =~" "basedir = \"$basedir\"; #" \ --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/cupswrapper/brother_lpdwrapper_${model} \ - --prefix PATH : ${lib.makeBinPath [coreutils gnugrep gnused]} + --prefix PATH : ${ + lib.makeBinPath [ + coreutils + gnugrep + gnused + ] + } mkdir -p $out/lib/cups/filter mkdir -p $out/share/cups/model ln $dir/cupswrapper/brother_lpdwrapper_${model} $out/lib/cups/filter @@ -79,8 +102,11 @@ in rec { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; license = lib.licenses.gpl2; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; } diff --git a/nix/pkgs/nozbe/default.nix b/nix/pkgs/nozbe/default.nix index 368add8..e5ac519 100644 --- a/nix/pkgs/nozbe/default.nix +++ b/nix/pkgs/nozbe/default.nix 
@@ -1,60 +1,60 @@ -with import {}; - stdenv.mkDerivation rec { - name = "nozbe"; - version = "3.6.3"; +with import { }; +stdenv.mkDerivation rec { + name = "nozbe"; + version = "3.6.3"; - src = fetchzip { - url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; - sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; - stripRoot = false; - }; + src = fetchzip { + url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; + sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; + stripRoot = false; + }; - buildInputs = [makeWrapper]; + buildInputs = [ makeWrapper ]; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ - alsaLib - atk - cairo - cups - dbus - expat - freetype - fontconfig - gnome3.gconf - gcc.cc - gdk_pixbuf - gtk2-x11 - glib - pango - nss - nspr - systemd.lib - xorg.libX11 - xorg.libXcursor - xorg.libXcomposite - xorg.libXext - xorg.libXfixes - xorg.libXdamage - xorg.libXi - xorg.libXrandr - xorg.libXrender - xorg.libXtst - xorg.libXScrnSaver - ]; - installPhase = '' - pushd Nozbe-${version} - ls -lha + libPath = lib.makeLibraryPath [ + alsaLib + atk + cairo + cups + dbus + expat + freetype + fontconfig + gnome3.gconf + gcc.cc + gdk_pixbuf + gtk2-x11 + glib + pango + nss + nspr + systemd.lib + xorg.libX11 + xorg.libXcursor + xorg.libXcomposite + xorg.libXext + xorg.libXfixes + xorg.libXdamage + xorg.libXi + xorg.libXrandr + xorg.libXrender + xorg.libXtst + xorg.libXScrnSaver + ]; + installPhase = '' + pushd Nozbe-${version} + ls -lha - patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe + patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe - mkdir -p $out/bin - cp -a * $out/ + mkdir -p $out/bin + cp -a * $out/ - wrapProgram $out/Nozbe \ - --prefix LD_LIBRARY_PATH : "${libPath}" + wrapProgram $out/Nozbe \ + --prefix LD_LIBRARY_PATH : "${libPath}" - ln -sf ../Nozbe $out/bin/ - ''; - } + ln -sf ../Nozbe $out/bin/ + ''; +} 
diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix index 4d993ba..b7ad5cb 100644 --- a/nix/pkgs/posh.nix +++ b/nix/pkgs/posh.nix @@ -1,42 +1,44 @@ # posh makes use of podman to run an encapsulated shell session -{pkgs, ...}: let - cniConfigDir = let - loopback = pkgs.writeText "00-loopback.conf" '' - { - "cniVersion": "0.3.0", - "type": "loopback" - } - ''; - - podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' - { +{ pkgs, ... }: +let + cniConfigDir = + let + loopback = pkgs.writeText "00-loopback.conf" '' + { "cniVersion": "0.3.0", - "name": "podman", - "plugins": [ - { - "type": "bridge", - "bridge": "cni0", - "isGateway": true, - "ipMasq": true, - "ipam": { - "type": "host-local", - "subnet": "10.88.0.0/16", - "routes": [ - { "dst": "0.0.0.0/0" } - ] + "type": "loopback" + } + ''; + + podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - } - ] - } - ''; - in - pkgs.runCommand "cniConfig" {} '' + ] + } + ''; + in + pkgs.runCommand "cniConfig" { } '' set -x mkdir $out; ln -s ${loopback} $out/${loopback.name} 
@@ -125,54 +127,58 @@ } ''; in - { - image, - pull ? "always", - global_args ? "", - run_args ? "", - userns ? "keep-id", - }: - (pkgs.writeScriptBin "posh" '' - #! ${pkgs.bash}/bin/bash - source /etc/profile +{ + image, + pull ? "always", + global_args ? "", + run_args ? "", + userns ? "keep-id", +}: +(pkgs.writeScriptBin "posh" '' + #! ${pkgs.bash}/bin/bash + source /etc/profile - test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" - tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" + test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" + tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" - # define these as variables so we can override them at runtime - POSH_IMAGE=${image} - POSH_PULL=${pull} + # define these as variables so we can override them at runtime + POSH_IMAGE=${image} + POSH_PULL=${pull} - if [ "$1" == "-c" ]; then - # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string - shift - # TODO parse the beginning of the command for POSH_* overrides - fi + if [ "$1" == "-c" ]; then + # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string + shift + # TODO parse the beginning of the command for POSH_* overrides + fi - test "$@" && cmd=( -c "$@") + test "$@" && cmd=( -c "$@") - HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" - HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" - test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR - ln -sf ${policy-json} $HOME_POLICY_JSON + HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" + HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" + test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR + ln -sf ${policy-json} $HOME_POLICY_JSON - set -x - exec ${pkgs.podman}/bin/podman \ - --cgroup-manager=cgroupfs \ - ${global_args} \ - run \ - 
--annotation=io.crun.keep_original_groups=1 \ - --config ${podmanConfig} \ - --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ - --rm -i --network host --pull=''${POSH_PULL} \ - $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ - ${ - if userns != null - then "--userns=" + userns - else "" - } \ - ${run_args} \ - ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" - '') - .overrideAttrs (attrs: attrs // {passthru = {shellPath = "/bin/posh";};}) + set -x + exec ${pkgs.podman}/bin/podman \ + --cgroup-manager=cgroupfs \ + ${global_args} \ + run \ + --annotation=io.crun.keep_original_groups=1 \ + --config ${podmanConfig} \ + --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ + --rm -i --network host --pull=''${POSH_PULL} \ + $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ + ${if userns != null then "--userns=" + userns else ""} \ + ${run_args} \ + ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" +'').overrideAttrs + ( + attrs: + attrs + // { + passthru = { + shellPath = "/bin/posh"; + }; + } + ) diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix index ffcc730..5e50ecf 100644 --- a/nix/pkgs/slirp4netns.nix +++ b/nix/pkgs/slirp4netns.nix @@ -18,7 +18,13 @@ stdenv.mkDerivation rec { sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4"; }; - buildInputs = [autoconf automake libtool gnumake gcc]; + buildInputs = [ + autoconf + automake + libtool + gnumake + gcc + ]; configurePhase = '' ./autogen.sh @@ -37,7 +43,7 @@ stdenv.mkDerivation rec { description = "User-mode networking for unprivileged network namespaces"; homepage = "https://github.com/rootless-containers/slirp4netns"; license = null; - maintainers = [maintainers.steveej]; + maintainers = [ maintainers.steveej ]; platforms = platforms.all; }; } diff --git a/nix/pkgs/staruml.nix b/nix/pkgs/staruml.nix index a0e9d90..35399ad 100644 --- a/nix/pkgs/staruml.nix +++ b/nix/pkgs/staruml.nix 
@@ -15,7 +15,8 @@ libgcrypt, dbus, systemd, -}: let +}: +let inherit (stdenv) lib; LD_LIBRARY_PATH = lib.makeLibraryPath [ glib 
@@ -30,55 +31,56 @@ dbus ]; in - stdenv.mkDerivation rec { - version = "2.8.1"; - name = "staruml-${version}"; +stdenv.mkDerivation rec { + version = "2.8.1"; + name = "staruml-${version}"; - src = - if stdenv.system == "i686-linux" - then - fetchurl - { - url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; - sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; - } - else - fetchurl { - url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; - sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; - }; + src = + if stdenv.system == "i686-linux" then + fetchurl { + url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; + sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; + } + else + fetchurl { + url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; + sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; + }; - buildInputs = [dpkg]; + buildInputs = [ dpkg ]; - nativeBuildInputs = [makeWrapper]; + nativeBuildInputs = [ makeWrapper ]; - unpackPhase = '' - mkdir pkg - dpkg-deb -x $src pkg - sourceRoot=pkg - ''; + unpackPhase = '' + mkdir pkg + dpkg-deb -x $src pkg + sourceRoot=pkg + ''; - installPhase = '' - mkdir $out - mv opt/staruml $out/bin + installPhase = '' + mkdir $out + mv opt/staruml $out/bin - mkdir -p $out/lib - ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ - ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 + mkdir -p $out/lib + ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ + ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 - for binary in StarUML Brackets-node; do - ${patchelf}/bin/patchelf \ - --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/bin/$binary - wrapProgram $out/bin/$binary \ - --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} - done - ''; + for binary in StarUML Brackets-node; do + 
${patchelf}/bin/patchelf \ + --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ + $out/bin/$binary + wrapProgram $out/bin/$binary \ + --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} + done + ''; - meta = with stdenv.lib; { - description = "A sophisticated software modeler"; - homepage = "http://staruml.io/"; - license = licenses.unfree; - platforms = ["i686-linux" "x86_64-linux"]; - }; - } + meta = with stdenv.lib; { + description = "A sophisticated software modeler"; + homepage = "http://staruml.io/"; + license = licenses.unfree; + platforms = [ + "i686-linux" + "x86_64-linux" + ]; + }; +} diff --git a/nix/scripts/pre-eval-fixed.sh b/nix/scripts/pre-eval-fixed.sh index 25a3e36..ec7b14e 100755 --- a/nix/scripts/pre-eval-fixed.sh +++ b/nix/scripts/pre-eval-fixed.sh @@ -3,7 +3,7 @@ set -xe INFILE="${1:?Please set arg1 to INFILE}" OUTFILE="${2:?Please set arg2 to OUTFILE}" # sha256-1fm94N2Y9ptXVN6ni0nJyPRK+nsvoeliqBcFyjlaTH4= -# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm -hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') +# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm +hash=$(nix-build "${INFILE}" --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') -sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE} +sed -E "s/0{52}/${hash}/" "${INFILE}" >"${OUTFILE}" diff --git a/nix/tests/buildvmwithbootloader/build-vm.nix b/nix/tests/buildvmwithbootloader/build-vm.nix index be819b6..a085713 100644 --- a/nix/tests/buildvmwithbootloader/build-vm.nix +++ b/nix/tests/buildvmwithbootloader/build-vm.nix 
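Review bot: The value captured on the `hash=` line is interpolated unescaped into `sed -E "s/0{52}/${hash}/"`, and the SRI form this script itself documents in the comment just above it (`sha256-…=`, base64) can contain `/`, which terminates the `s///` command and makes sed fail or mangle the output; only the base32 `sha256:…` form is safe. Use a delimiter outside both hash alphabets: `sed -E "s|0{52}|${hash}|" "${INFILE}" >"${OUTFILE}"`. The quoting added in this hunk is correct; this is the remaining problem on the same line. The script is flat, so no enclosing function is cut by the hunk.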
@@ -3,20 +3,14 @@ vmPkgsPath, buildPkgsPath, nixosConfigPath, -}: let - buildPkgs = import buildPkgsPath {}; - vmPkgs' = import vmPkgsPath {}; - vmPkgs = - vmPkgs' - // { - runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; - }; +}: +let + vmPkgs' = import vmPkgsPath { }; + vmPkgs = vmPkgs' // { + runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; + }; - importWithPkgs = { - path, - pkgs, - }: args: - import path (args // {inherit pkgs;}); + importWithPkgs = { path, pkgs }: args: import path (args // { inherit pkgs; }); nixosConfig = importWithPkgs { path = "${nixosConfigPath}"; @@ -36,8 +30,10 @@ modules = [ nixosConfig vmConfig - {virtualisation.useBootLoader = true;} + { virtualisation.useBootLoader = true; } ]; - }) - .config; -in {vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm;} + }).config; +in +{ + vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm; +} diff --git a/nix/tests/buildvmwithbootloader/build-vm.sh b/nix/tests/buildvmwithbootloader/build-vm.sh index 520e0c8..3ee6ee0 100755 --- a/nix/tests/buildvmwithbootloader/build-vm.sh +++ b/nix/tests/buildvmwithbootloader/build-vm.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash set -x -rm *.qcow2 +rm ./*.qcow2 rm result* set -e @@ -8,9 +8,9 @@ BUILD_NIXPKGS="${BUILD_NIXPKGS:-${HOME}/src/github/NixOS/nixpkgs.dev}" NIXOS_CONFIG="${NIXOS_CONFIG_OVERRIDE:-${PWD}/configuration.nix}" nix-build -K --show-trace build-vm.nix \ - --arg vmPkgsPath '' \ - --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ - --argstr nixosConfigPath "${NIXOS_CONFIG}" \ - -A vmWithBootLoaderMixed + --arg vmPkgsPath '' \ + --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ + --argstr nixosConfigPath "${NIXOS_CONFIG}" \ + -A vmWithBootLoaderMixed -./result/bin/run-*-vm +"./result/bin/run-*-vm" diff --git a/nix/tests/buildvmwithbootloader/configuration.nix b/nix/tests/buildvmwithbootloader/configuration.nix index 92072fe..49dc463 100644 --- a/nix/tests/buildvmwithbootloader/configuration.nix 
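Review bot: `buildPkgsPath` stays in the argument set (context line `buildPkgsPath,` at the top of the first hunk) although its only use, the `buildPkgs = import buildPkgsPath {}` binding, is removed, so the parameter is now dead while build-vm.sh in this same commit still passes `--argstr buildPkgsPath`. Either drop the parameter here together with the `--argstr` in the script, or keep the binding if it was meant to be used. The argument set begins at the file's first line, outside the hunk.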
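Review bot: Quoting the last line of the second hunk as `"./result/bin/run-*-vm"` disables glob expansion, so bash now looks for a file literally named `run-*-vm` and the script ends with a command-not-found instead of starting the VM; the unquoted form was what made the wildcard resolve to the generated `run-<name>-vm` runner. If the quotes came from an automatic fix for shellcheck's SC2211, expand the glob explicitly instead: `run_vm=(./result/bin/run-*-vm)` followed by `"${run_vm[0]}"`, which keeps the intent and still satisfies the linter. The `rm ./*.qcow2` change in the first hunk is fine. The script is flat, so nothing enclosing is cut.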
+++ b/nix/tests/buildvmwithbootloader/configuration.nix @@ -1,9 +1,5 @@ +{ lib, ... }: { - pkgs, - lib, - ... -}: let -in { boot.loader.grub = { enable = true; version = 2; @@ -22,13 +18,23 @@ in { allowDiscards = true; } ]; - fileSystems."/" = {label = "root";}; + fileSystems."/" = { + label = "root"; + }; - fileSystems."/boot" = {label = "boot";}; + fileSystems."/boot" = { + label = "boot"; + }; boot.tmpOnTmpfs = true; - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + ]; users.extraUsers.root.initialPassword = lib.mkForce "toorroot"; users.mutableUsers = false; diff --git a/nix/tests/buildvmwithbootloader/debug-vm.sh b/nix/tests/buildvmwithbootloader/debug-vm.sh index 0d11067..8e3bdce 100755 --- a/nix/tests/buildvmwithbootloader/debug-vm.sh +++ b/nix/tests/buildvmwithbootloader/debug-vm.sh @@ -1,3 +1,5 @@ +#!/usr/bin/env bash + # /nix/store/lya9qyl9z5xb4vzdzh4vzcr7gfssk47z-qemu-host-cpu-only-for-vm-tests-2.12.0/bin/qemu-kvm \ # -cpu \ # kvm64 \ 
@@ -24,7 +26,6 @@ # -drive \ # index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/nixos.qcow2,cache=writeback,werror=report,if=virtio \ - /nix/store/0i6fr8vv559a50w0vipvd22r0kkg1kx1-qemu-host-cpu-only-for-vm-tests-3.0.0/bin/qemu-kvm -cpu kvm64 -name nixos -m 384 -smp 1 -device virtio-rng-pci -net nic,netdev=user.0,model=virtio -netdev user,id=user.0 -virtfs local,path=/nix/store,security_model=none,mount_tag=store -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=xchg -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=shared \ - -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ - -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio \ + -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ + -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio diff --git a/nix/tests/test-vm.nix b/nix/tests/test-vm.nix index 55053e2..fc956b6 100644 --- a/nix/tests/test-vm.nix +++ b/nix/tests/test-vm.nix @@ -1,10 +1,4 @@ -{ - lib, - config, - pkgs, - fetchgit, - ... -}: { +_: { boot.consoleLogLevel = 6; users.users.root.initialPassword = "root"; systemd.services."serial-getty@ttyS0".enable = true; 
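Review bot: The two re-indented `-drive … \` lines on the new side appear to have no command in front of them: the hunk removes three lines (the `qemu-kvm …` invocation plus both `-drive` lines) but adds back only two, which matches the `-24,7 +26,6` counts, so unless the collapsed rendering dropped a `+` line the script now tries to execute `-drive index=1,…` as a command. If dropping the hard-coded store-path invocation was intended, the two `-drive` continuation lines should go with it (or be commented out like the block above them); if not, the `+` line for the invocation is missing. The file is a flat script, so no enclosing function is cut by the hunk.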
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index 3edf90a0be7fbfab297ca26ede15d1e2e2a3d59a..91d2eb6f7622aac0161301d74855d603090caaa7 100644 GIT binary patch literal 614 zcmZQ@_Y83kiVO&0u;bf4-6U*1TUXbV<<_e*V{be@biRkR?To(vw55W z=4ocpZF3hbXF5{n{K461!>Kl-)$2E}?KJwFqUTuTSr}+EQ(nn{>-IjM%TFVkU!}tj*M#}$?1KFvA*oSSzYzo!(Rx_%IY>AttF$IjfU7jETX&yLt_UZ*^cjNVkLX6j%Wli)d-j><#cjV-k z;K|{Gt6o^7 z;9GE|cG6+BOZ%K!H=ds}qiJ(csM!4JRw^~zYg2sHE$5}2W!8QhHuK2>mcXsoZCW!+ zmd@SyUFY@ng9o3#)Vuvihd0m9rN&}aEg%0bkI(ikm)Io28u_P4{%bLMJt1Z;+c|%6 zCd1GT4=?^W z;V*Z-eWfm|`Edu6EejGKewyaGG^XhJI|;6D>u0SwC*AOS`JY`sCajH-Kjohy&$IYh z%bh5NnbWP-1U%24c>hGnC9#s9o?EW2t#4pouj+lByW@%D_gSe%uRq+MS=v8&*PF9R zD+5m?{IRw9(4Z5y`t8jFa=xd#ll(8UDqJ*Coc8Cq=-K^yj%}OQwW4m#n*@a@zkf>q zKYjG5SP&^3yLn^1Sy%a~UOv$`))$wWH|J#DuV(uhxT#DzH-gW?Ij1&Z+na`?$9h#G zZ+hsT4Y}a=eS_PC?V;%}Hq3c+`kmANd>$JX`_QX_~Xs&=+OK!Q*U8h&BYa)e_TGf{6L-Kp&7gUI_D@FD$a4)WSb*dQ60|daCz%y zC4-_P&wlxuNt$lk#9DXf>dn50?pqCaubg$sd+Q_FpR=09?co*C2{Qc|SEhXqV0``U zS6BHrg}4gQ6yrNHbN*ZD2)Ql$Xt%;g2}go53*U>ee%MvQ`=_M#TW5sy zjmHw_zn?3Aop~t0UVCFf{RIPgr`hKhuJw#N8B{5lSCKCld}Qg%rn>2z8$U1a_&aT$ N+H}3!E%#j2jR8UQ8(9DV diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix index 535d7d3..6d441a6 100644 --- a/nix/variables/versions.nix +++ b/nix/variables/versions.nix 
@@ -2,29 +2,28 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-22.11"; - rev = '' - 5b7cd5c39befee629be284970415b6eb3b0ff000''; + rev = ''5b7cd5c39befee629be284970415b6eb3b0ff000''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = '' - 4bb072f0a8b267613c127684e099a70e1f6ff106''; + rev = ''4bb072f0a8b267613c127684e099a70e1f6ff106''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = '' - a8636efe2df64047cd58898010a72f73efd56722''; + rev = ''a8636efe2df64047cd58898010a72f73efd56722''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; ref = "release-22.11"; - rev = '' - 83110c259889230b324bb2d35bef78bf5f214a1f''; + rev = ''83110c259889230b324bb2d35bef78bf5f214a1f''; }; } diff --git a/nix/variables/versions.tmpl.nix b/nix/variables/versions.tmpl.nix index e0734f1..66e90e3 100644 --- a/nix/variables/versions.tmpl.nix +++ b/nix/variables/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/scripts/sway-swapoutputworkspaces.sh b/scripts/sway-swapoutputworkspaces.sh index 9f8f637..6ed8d64 100755 --- a/scripts/sway-swapoutputworkspaces.sh +++ b/scripts/sway-swapoutputworkspaces.sh 
@@ -9,33 +9,33 @@ workspace_active=$(swaymsg -t get_workspaces | jq -r '.[] | select(.focused==tru # If any of the outputs doesn't have a workspace, do nothing if [ "$workspace1" = null ] || [ "$workspace2" = null ]; then - exit 0 + exit 0 else - # If script is provided with `follow` argument, then follow focused workspace - if [ "$1" = "follow" ]; then - if [ "$workspace1" = "$workspace_active" ]; then - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - swaymsg workspace "$workspace2" - else - swaymsg workspace "$workspace1" - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - fi - # Else focus stays with focused output + # If script is provided with `follow` argument, then follow focused workspace + if [ "$1" = "follow" ]; then + if [ "$workspace1" = "$workspace_active" ]; then + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + swaymsg workspace "$workspace2" else - if [ "$workspace1" = "$workspace_active" ]; then - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - else - swaymsg workspace "$workspace1" - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - swaymsg workspace "$workspace1" - fi + swaymsg workspace "$workspace1" + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" fi + # Else focus stays with focused output + else + if [ "$workspace1" = "$workspace_active" ]; then + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + else + swaymsg workspace "$workspace1" + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" 
+ swaymsg move workspace to output "$output1" + swaymsg workspace "$workspace1" + fi + fi fi diff --git a/secrets/holochain-infra/nomad.yaml b/secrets/holochain-infra/nomad.yaml index 89bcb33..f0fe5cd 100644 --- a/secrets/holochain-infra/nomad.yaml +++ b/secrets/holochain-infra/nomad.yaml 
@@ -4,37 +4,37 @@ holochain-nomad-cli-key: ENC[AES256_GCM,data:Kl7EJI1V5HGeE9nogY5rujwe8MQYA6tIc3b holochain-global-nomad-client-cert: ENC[AES256_GCM,data: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,iv:nSXO+1ALy6Ie5aNIEm1ZZgZwOdJLrHjO+BwKVbbZQ7c=,tag:n4V165c86IQ3QHzYb1ThJA==,type:str] holochain-global-client-nomad-key: ENC[AES256_GCM,data:9w+1CYOXgm+xvg9iER+cLJBlKLyYmanr93tZ8xTl63ZIKho6DJLqGPCYdjlG4sHWyQUM6/Dpaa490yC4CToLX5MuUnSvqiaSgugcGqPa1DhlRYVsa8j5rdp90EDMoarN7xKe0ShIRW2GTT9S5EEyF2qdZUAFybpDPX2laZZ44UBz1QvlCp7gzs0duO4b95WPTHmlhfaw0BVF7FhFqkAHtH6qg24qEtwB3I4NmW5UsTKR+tbUCEyQcADQr1CrXhIHkQ8yZ52rc42H6gRQXoVrJomJgtiXf28ARY5K1oZMmICLDw==,iv:FSiRHgbqpKEYINVBLYp1A9YgroLT07GMDFqT/k8Vyqs=,tag:XX7oQhllDmrRLCEiMMYsfA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmFtWk8vSHYydmt5OW5I - Z2JCVFJ0MHRoWkU1QXpzY1NGOFU5NHF1SkNzCkN6SEVXUlhnRHZKVXcrVStYRHFL - R2g5WG5tbExSVkVYMFlFL2tnWHlCNW8KLS0tIG5CaURNSjQ3QkRUS1FkdjljbmNB - YUwvY0hIZkhJcEZLUkFMWXBjMW1VSFUKBDDoDAbVaex00VRjuWKifbTrtKaHz7m8 - M3nrwfIcjsJiMs9vJXWh5J/dhRTWQp0kEZRaCtxN6gDz+dDE3TVAiw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-12T09:51:29Z" - mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] - pgp: - - created_at: "2023-07-12T10:09:31Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmFtWk8vSHYydmt5OW5I + 
Z2JCVFJ0MHRoWkU1QXpzY1NGOFU5NHF1SkNzCkN6SEVXUlhnRHZKVXcrVStYRHFL + R2g5WG5tbExSVkVYMFlFL2tnWHlCNW8KLS0tIG5CaURNSjQ3QkRUS1FkdjljbmNB + YUwvY0hIZkhJcEZLUkFMWXBjMW1VSFUKBDDoDAbVaex00VRjuWKifbTrtKaHz7m8 + M3nrwfIcjsJiMs9vJXWh5J/dhRTWQp0kEZRaCtxN6gDz+dDE3TVAiw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-12T09:51:29Z" + mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] + pgp: + - created_at: "2023-07-12T10:09:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAlXTAMih9lsxCEvh3UyK8vxuhnmnlluf22D+oz/e0JabE - DirPEM4FUlCV+8j+Hia5mKpgWJFDcMK0FqxIQvUwTj/I9AnIB740kcr5TVPcOWOU - 9TPmhjLT8RRhQWu8/URUnjdiF1YypOHYfUItSw/agTJa89T4ZJFsaA9IjNdZBUq8 - e0eTF+7Ha0wfll+V+veOPfL53uYuuIoDXoi5wwAjYa2433QsdLwUTKrRi4dNrQyo - dYnYltYRAe/4w/sFCkMlLRpo47J5m7SEggXrM8wni8QpTOJzOIqCP7XTm8MX3MKE - pU25kh0iCsBaNfwD34NF2Ti5l9aUuRWmy0EI+wcTKtJRAaMojKInR/TB8Tj4OD2O - p2IVFwZlPGgOOwZUTn5wyWWSuZD8JRJHxrYETpejXtPIGtnSkiVgphYlD/bagPA5 - eHRQH6uDdKM+/6FXnNMiu50G - =itdA - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAlXTAMih9lsxCEvh3UyK8vxuhnmnlluf22D+oz/e0JabE + DirPEM4FUlCV+8j+Hia5mKpgWJFDcMK0FqxIQvUwTj/I9AnIB740kcr5TVPcOWOU + 9TPmhjLT8RRhQWu8/URUnjdiF1YypOHYfUItSw/agTJa89T4ZJFsaA9IjNdZBUq8 + e0eTF+7Ha0wfll+V+veOPfL53uYuuIoDXoi5wwAjYa2433QsdLwUTKrRi4dNrQyo + dYnYltYRAe/4w/sFCkMlLRpo47J5m7SEggXrM8wni8QpTOJzOIqCP7XTm8MX3MKE + pU25kh0iCsBaNfwD34NF2Ti5l9aUuRWmy0EI+wcTKtJRAaMojKInR/TB8Tj4OD2O + p2IVFwZlPGgOOwZUTn5wyWWSuZD8JRJHxrYETpejXtPIGtnSkiVgphYlD/bagPA5 + eHRQH6uDdKM+/6FXnNMiu50G + =itdA + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 
diff --git a/secrets/hstk0/secrets.yaml b/secrets/hstk0/secrets.yaml index 7b6c7fe..044372c 100644 --- a/secrets/hstk0/secrets.yaml +++ b/secrets/hstk0/secrets.yaml 
@@ -1,36 +1,36 @@ tf-eval-minio-root: ENC[AES256_GCM,data:83SacYkxLHU2fHbHNiLG9owDgakOY/nrZBnlDgltRlQDTSW9HkKejVrKtTaixjbxKCgsy9sgJBv8LZtqwthgZ6MI942YU2pJHL8le1wBsuY=,iv:uXbOw/9ljYjWCdafhupVJA7tIvcL801xszI8lrQnQIA=,tag:yolnZdYD1KZJFnH2gs8zzw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVXBDSTgwVWtpN01ldjdv - UWIxNEZFVVowbFk4bnRNSEl6M1pHcUdIelFFClVHK211enBkODljWHVYNmFYM0gx - L01hVFFSeExtQmFXbytzSEMrbVMxYTAKLS0tIG9lMnBTMXJMMUZUcTRFcThrd1Ny - bEhlUzFqU2hkbXBZaldzeTdCbnhOdTgKsCcLlqcl+fnvZ8EGKNWlbSbLQvzx099E - fC/QlagRvdmVfsFpOQnd0cFzQ1X0EDAx6XcGF8mHBrAKqCS9GCAIyA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-08T16:59:30Z" - mac: ENC[AES256_GCM,data:VIA7UaP1c2kli+BuppPl4LH1jiU9qAfqvfejZ0Mv0E8CxQ0eLAMJVkZIzSygLCx00cPbqAkESrniCeLYagyEP4tS/cff2ngplzig4uFbZzniYMXcYF9VIAyBhGgQGEZlZPgh4r4wmBdUFfhc0CPzmYt0obJ1LXElGdAoeM4OcPs=,iv:KPFJX2qJaxMwvrw/R8xrw5Fk5FRyTQdxq7DnszToy88=,tag:/H7iPZlWk2qMrWbwZdeF5w==,type:str] - pgp: - - created_at: "2024-06-26T19:27:08Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVXBDSTgwVWtpN01ldjdv + UWIxNEZFVVowbFk4bnRNSEl6M1pHcUdIelFFClVHK211enBkODljWHVYNmFYM0gx + L01hVFFSeExtQmFXbytzSEMrbVMxYTAKLS0tIG9lMnBTMXJMMUZUcTRFcThrd1Ny + bEhlUzFqU2hkbXBZaldzeTdCbnhOdTgKsCcLlqcl+fnvZ8EGKNWlbSbLQvzx099E + fC/QlagRvdmVfsFpOQnd0cFzQ1X0EDAx6XcGF8mHBrAKqCS9GCAIyA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-08T16:59:30Z" + mac: 
ENC[AES256_GCM,data:VIA7UaP1c2kli+BuppPl4LH1jiU9qAfqvfejZ0Mv0E8CxQ0eLAMJVkZIzSygLCx00cPbqAkESrniCeLYagyEP4tS/cff2ngplzig4uFbZzniYMXcYF9VIAyBhGgQGEZlZPgh4r4wmBdUFfhc0CPzmYt0obJ1LXElGdAoeM4OcPs=,iv:KPFJX2qJaxMwvrw/R8xrw5Fk5FRyTQdxq7DnszToy88=,tag:/H7iPZlWk2qMrWbwZdeF5w==,type:str] + pgp: + - created_at: "2024-06-26T19:27:08Z" + enc: |- + -----BEGIN PGP MESSAGE----- - hQEMA0SHG/zF3227AQgA1qnWMAoXFJsx0A9dX2qFhRUHOlO+VKOi678pGQu4Pwld - wUdqAylrtaLDsr+kFwLvsGUKKHzfvaQH/EfEChQb2L9njzQjwNwmgZPAq6NqZAmB - EhudaY7R12Lb507Fsh/k7dgOFTuH0/ceKtW+QKF3SVVa+DwgOx8VRP3LJwGW4PQq - mRmPkyjnuFmepziTULe0ZPvO6PaH8FvLISBvMkBH+IGXat98OVgqGFzxHkpA3pey - 8w7mKDEi6i6g72GrrjuWFuh5JjSSb3og1ziO4O8XQ7mHqbUYwc4NfeVTYD7thdyh - OsijkXHvvHkRidTjTn4ZEzxFaNgTvzRB0V7r/jEu3tJcASfyDt4sXkKv84xu29Pp - BYZLj9xUrS30bmI8NOP77sy/3++ppX96oKhi91S7F0HZcznJPOhS+YtomXCCGvS9 - qaN8kkDXt5k5dkLd2+eft7CCF8+lwf6XX/qEjPw= - =+0h1 - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 + hQEMA0SHG/zF3227AQgA1qnWMAoXFJsx0A9dX2qFhRUHOlO+VKOi678pGQu4Pwld + wUdqAylrtaLDsr+kFwLvsGUKKHzfvaQH/EfEChQb2L9njzQjwNwmgZPAq6NqZAmB + EhudaY7R12Lb507Fsh/k7dgOFTuH0/ceKtW+QKF3SVVa+DwgOx8VRP3LJwGW4PQq + mRmPkyjnuFmepziTULe0ZPvO6PaH8FvLISBvMkBH+IGXat98OVgqGFzxHkpA3pey + 8w7mKDEi6i6g72GrrjuWFuh5JjSSb3og1ziO4O8XQ7mHqbUYwc4NfeVTYD7thdyh + OsijkXHvvHkRidTjTn4ZEzxFaNgTvzRB0V7r/jEu3tJcASfyDt4sXkKv84xu29Pp + BYZLj9xUrS30bmI8NOP77sy/3++ppX96oKhi91S7F0HZcznJPOhS+YtomXCCGvS9 + qaN8kkDXt5k5dkLd2+eft7CCF8+lwf6XX/qEjPw= + =+0h1 + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/router0-dmz0/secrets.yaml b/secrets/router0-dmz0/secrets.yaml index d2ef8f6..113f950 100644 --- a/secrets/router0-dmz0/secrets.yaml +++ b/secrets/router0-dmz0/secrets.yaml 
@@ -16,37 +16,37 @@ wg1-privatekey: ENC[AES256_GCM,data:Q3zb6oLhBqW+D063S37O2vZD3PSn3yIYWWkOtZwvpmMm wg1-publickey: ENC[AES256_GCM,data:7svFjRVdWBmrUt2qzHSmgBo4HPwJR6I6p3rZg2U+h1uVhQwCnUCH6JATVZs=,iv:xWUKpjmmrf/U8T8XmdL4Ox+aqkftnh8oeORCkhtJoBU=,tag:+k+E13X+EbZxfiq0MoGIEg==,type:str] wg1-peer0-psk: ENC[AES256_GCM,data:egtyccOYD4NAUTunpvVXTJwjtSdJJT8v5O9Wl7NoCKy2eDzrQvrEEK8Zzts=,iv:D7EQkj2Oz2JJIF6slTLq3A4esKN6VfkOA+odHvjSeUE=,tag:z/blOUXX1JOyqtXgMldnlg==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1vr69hfmjgkqu47g5hjacet6n2tq4rhwnvdrmfa6n6l7fkqvvafnsaccf8u - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2RTBvZEFjNDRhOUl4Rkd3 - cm5FWHpIUUlMZDl5dStlb3J2eGNndDZNNGh3CnJFcWFSSDlpY1hycWpxN1Z0OVkz - T0hTV20vNnFGQzhNVDNhMlF1d2FMNFEKLS0tIEZaajFqTjk1NjlqcE82eXVDekhL - NUhhK2oxUTAxeGxVSlBkUzdHbUpuaGMKYNvJWkKoNbdrwXHyoih22+aV+6F1yhTl - 9RplfG43PTV6tNJUScthRnCHo0CLNHwF39sb9y2kt7y8fVs2vuPzzg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-26T07:56:29Z" - mac: ENC[AES256_GCM,data:vNe8pUFhcZyeh/T1o1PQGvpQEEV4pEXSqC+Ssi7RXZfHe33hmhJoOyfj1KytJnUAE22BWXzuNQdwMj+mmuUP8bAdgLZPWZjU3g2H7O6NTOUHHBymZSXnMvzzPBlHZDw9GzUkgEdbze/SLzEL6ZjplBIr+DOEDfkC9TsDokie+f4=,iv:HhHJXk+mo6WxKIs41wtCVwxG2j3C+em3dR6fDNnhMn4=,tag:Wzr21Rk7hB7+6zK6XfWbig==,type:str] - pgp: - - created_at: "2024-07-13T14:51:09Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vr69hfmjgkqu47g5hjacet6n2tq4rhwnvdrmfa6n6l7fkqvvafnsaccf8u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2RTBvZEFjNDRhOUl4Rkd3 + cm5FWHpIUUlMZDl5dStlb3J2eGNndDZNNGh3CnJFcWFSSDlpY1hycWpxN1Z0OVkz + T0hTV20vNnFGQzhNVDNhMlF1d2FMNFEKLS0tIEZaajFqTjk1NjlqcE82eXVDekhL + NUhhK2oxUTAxeGxVSlBkUzdHbUpuaGMKYNvJWkKoNbdrwXHyoih22+aV+6F1yhTl + 9RplfG43PTV6tNJUScthRnCHo0CLNHwF39sb9y2kt7y8fVs2vuPzzg== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2024-07-26T07:56:29Z" + mac: ENC[AES256_GCM,data:vNe8pUFhcZyeh/T1o1PQGvpQEEV4pEXSqC+Ssi7RXZfHe33hmhJoOyfj1KytJnUAE22BWXzuNQdwMj+mmuUP8bAdgLZPWZjU3g2H7O6NTOUHHBymZSXnMvzzPBlHZDw9GzUkgEdbze/SLzEL6ZjplBIr+DOEDfkC9TsDokie+f4=,iv:HhHJXk+mo6WxKIs41wtCVwxG2j3C+em3dR6fDNnhMn4=,tag:Wzr21Rk7hB7+6zK6XfWbig==,type:str] + pgp: + - created_at: "2024-07-13T14:51:09Z" + enc: |- + -----BEGIN PGP MESSAGE----- - hQEMA0SHG/zF3227AQf/T6Q1PsQ+qH2gGRrF29Ng9LehcKu2UMjTN3uKCgy7klPm - Pd5qLxQA94GNz/70AL0sOUdc04R7pWWsswBuhNj1semefH/DAMRDfCt9+DpV23Lz - bswCQXWqpDy0CUKULwLoMRbcM5PZcsnRsa5xky07uub7GyZ8m+UFzD1ISzn9bbIQ - Sg5MTIegQC1QDYZLWFpP/kSf1AvZUG3HfMee9tapyMgEaMVW7XAy+C/DrIIEdnAk - 6m/QWD+PyDfJf2RA9URoezpSgi4foCuc1PAX4k8Oq71YRjBZWSrBtVa6sfCvsfdF - cEKvXJk3X2/glYRiQrIfib9QRjewWwOcfEV4R2knZtJeAa8ppOZQAfO0YFAzZPd/ - yIBsHXBG3gXRBUe+dGF3nKaA2mFuktK2GRI78lON0oDrHm2a02n9dwyYG/HnvgNZ - sEc6lNHEV2ERedCeaTfAgCg6kWTWgP1ckkY3IAdHgg== - =nn0o - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 + hQEMA0SHG/zF3227AQf/T6Q1PsQ+qH2gGRrF29Ng9LehcKu2UMjTN3uKCgy7klPm + Pd5qLxQA94GNz/70AL0sOUdc04R7pWWsswBuhNj1semefH/DAMRDfCt9+DpV23Lz + bswCQXWqpDy0CUKULwLoMRbcM5PZcsnRsa5xky07uub7GyZ8m+UFzD1ISzn9bbIQ + Sg5MTIegQC1QDYZLWFpP/kSf1AvZUG3HfMee9tapyMgEaMVW7XAy+C/DrIIEdnAk + 6m/QWD+PyDfJf2RA9URoezpSgi4foCuc1PAX4k8Oq71YRjBZWSrBtVa6sfCvsfdF + cEKvXJk3X2/glYRiQrIfib9QRjewWwOcfEV4R2knZtJeAa8ppOZQAfO0YFAzZPd/ + yIBsHXBG3gXRBUe+dGF3nKaA2mFuktK2GRI78lON0oDrHm2a02n9dwyYG/HnvgNZ + sEc6lNHEV2ERedCeaTfAgCg6kWTWgP1ckkY3IAdHgg== + =nn0o + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/router0-hosthatch/secrets.yaml b/secrets/router0-hosthatch/secrets.yaml index 9891362..c0606da 100644 --- a/secrets/router0-hosthatch/secrets.yaml +++ b/secrets/router0-hosthatch/secrets.yaml 
@@ -7,37 +7,37 @@ wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFx wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRzJxaGJVclFwZE9ZT3BP - OHNEaVg5ZVl0Nm9YTWo3Q1lmSEw5dnRoRVY0CkpCeWxXU0RybU45Y3RvVkxJYkEv - TjJsb3AyNVR6QmJVbnJsZzE3S0VmQjgKLS0tIHVHSTZVOHc4R0E1TWNETWNlWEty - czc2YUdudGdnVlZteXBmaHZaV1NWbGcK6jWSkOEBYN+1HQ+IZdBKknYo96Aydp/s - +hK8V6qEyCkAqWLYEnZ5ErMEc8OcOyYCQnYyCb10SWJvye+uyX8SZg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-09T14:08:09Z" - mac: ENC[AES256_GCM,data:nCwAca0MktoxUb0W+1B7+4UP5IOG4cuj2BhJBxjDV4gjYBSKYJs5gSdYytjOpu76ePXSUHgyiPH0Joe5ESubaUN4zPIWMLpkEk6WjXnmXRTY8B5ZZ+AVR2lxNi7UtiCyx0yjAVZFxuk33MmKR2yXMLEqE6U/70fccJlY+dbTaVU=,iv:QTafba+auq3Zv/xoBzHmnIMmfDAynqApAcr/T0Uh/2g=,tag:RREUDKF4Kruy0AEFDqSVuw==,type:str] - pgp: - - created_at: "2024-06-09T14:07:43Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRzJxaGJVclFwZE9ZT3BP + OHNEaVg5ZVl0Nm9YTWo3Q1lmSEw5dnRoRVY0CkpCeWxXU0RybU45Y3RvVkxJYkEv + TjJsb3AyNVR6QmJVbnJsZzE3S0VmQjgKLS0tIHVHSTZVOHc4R0E1TWNETWNlWEty + czc2YUdudGdnVlZteXBmaHZaV1NWbGcK6jWSkOEBYN+1HQ+IZdBKknYo96Aydp/s + +hK8V6qEyCkAqWLYEnZ5ErMEc8OcOyYCQnYyCb10SWJvye+uyX8SZg== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2024-06-09T14:08:09Z" + mac: ENC[AES256_GCM,data:nCwAca0MktoxUb0W+1B7+4UP5IOG4cuj2BhJBxjDV4gjYBSKYJs5gSdYytjOpu76ePXSUHgyiPH0Joe5ESubaUN4zPIWMLpkEk6WjXnmXRTY8B5ZZ+AVR2lxNi7UtiCyx0yjAVZFxuk33MmKR2yXMLEqE6U/70fccJlY+dbTaVU=,iv:QTafba+auq3Zv/xoBzHmnIMmfDAynqApAcr/T0Uh/2g=,tag:RREUDKF4Kruy0AEFDqSVuw==,type:str] + pgp: + - created_at: "2024-06-09T14:07:43Z" + enc: |- + -----BEGIN PGP MESSAGE----- - hQEMA0SHG/zF3227AQgAkYv+dSMKF647ApqeslZpv22LmhdphDTSQjaRJdIK4gM4 - kv4aJ4L0K/fDqKtsbszbAnuratJnOxnhGaydTX5Ob9tb5QbFfmC2C4OED6hB/enu - hsP9BpsA945Keqf27NyXgxnLDVr6OXcpZqWZbYqHmWDx+BHrw500hgFb91ejzf3c - 6KF2Rrp4PsUl58D6LcSFxfqcna7l2+Ptx+k2vfInSkyPit/5tjry8SyBbUFWPwz2 - gVj9MN0bLCMqhToFh532GSDmnxNd8d1Sb8G1riJ4JaTHStV3s6KebF90ws3FtC5n - y0f/BbjkSqEqNIKFplPZ4Cx6O7WsXbH1hU1Dgba9G9JeAYVAFyi+OnCV49ugZ93p - uwGhpXmP6RbGVT6JB/beAdUToTdP0EfdVE4LlxkssEFd8HHzO8kD2u7k7glkDEq7 - Ox1QlDrMuz0zRE6D5B4DwXrWvAOw/TjvydWjyS6HCg== - =5YRC - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 + hQEMA0SHG/zF3227AQgAkYv+dSMKF647ApqeslZpv22LmhdphDTSQjaRJdIK4gM4 + kv4aJ4L0K/fDqKtsbszbAnuratJnOxnhGaydTX5Ob9tb5QbFfmC2C4OED6hB/enu + hsP9BpsA945Keqf27NyXgxnLDVr6OXcpZqWZbYqHmWDx+BHrw500hgFb91ejzf3c + 6KF2Rrp4PsUl58D6LcSFxfqcna7l2+Ptx+k2vfInSkyPit/5tjry8SyBbUFWPwz2 + gVj9MN0bLCMqhToFh532GSDmnxNd8d1Sb8G1riJ4JaTHStV3s6KebF90ws3FtC5n + y0f/BbjkSqEqNIKFplPZ4Cx6O7WsXbH1hU1Dgba9G9JeAYVAFyi+OnCV49ugZ93p + uwGhpXmP6RbGVT6JB/beAdUToTdP0EfdVE4LlxkssEFd8HHzO8kD2u7k7glkDEq7 + Ox1QlDrMuz0zRE6D5B4DwXrWvAOw/TjvydWjyS6HCg== + =5YRC + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/router0-ifog/secrets.yaml b/secrets/router0-ifog/secrets.yaml index 96cb8ea..0566d57 100644 --- a/secrets/router0-ifog/secrets.yaml +++ b/secrets/router0-ifog/secrets.yaml 
@@ -9,37 +9,37 @@ wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFx
 wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str]
 wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNmRsNDJRbHZmS3JmOVht
- c1kyKzBXdGxkQXErQlhXUzBmMm12eXNCVlVVCm9KUCtZeWJWYWVJUFhYRUlLVDdD
- Nk9Wdk5WeXl2ZGNybGxnZWtGR2thTDgKLS0tIEovQnU0bzRCdEp6RnVvZCtUTlFL
- dFBOcE9leDQrYzVQNUpLZzJBYlBYaE0KyKVh0VDpbA2eIh9d+KhCYKjbl4fHPt07
- fVbbDEz67bWNjaH6Yg6xlNQIhv9prUK2isckVizpUANmOKxPJ2ia2Q==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-26T17:23:41Z"
- mac: ENC[AES256_GCM,data:Ez/79vUHs+9B/v2qlUiPQeuYHRdvjUg1jJOt3C6xEnncDQ2fH0CUxKEIfjgJR7eatwvZSznprv2wCD8Ik0SKunjRI1UGe5JmrVstqoSDbo+MxpdwrqA8zC5unpRUYenvyo9m8ZW/DnjKz0ArorYjA9vid878MdemkHtSjjZzik8=,iv:2CkmPRjYYt7q7HAdEjIbJHaSUG6Yr92pEkk+Dd3E7LE=,tag:S8LPb0mEjRZQqawX310SOg==,type:str]
- pgp:
- - created_at: "2024-06-08T18:36:55Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNmRsNDJRbHZmS3JmOVht
+ c1kyKzBXdGxkQXErQlhXUzBmMm12eXNCVlVVCm9KUCtZeWJWYWVJUFhYRUlLVDdD
+ Nk9Wdk5WeXl2ZGNybGxnZWtGR2thTDgKLS0tIEovQnU0bzRCdEp6RnVvZCtUTlFL
+ dFBOcE9leDQrYzVQNUpLZzJBYlBYaE0KyKVh0VDpbA2eIh9d+KhCYKjbl4fHPt07
+ fVbbDEz67bWNjaH6Yg6xlNQIhv9prUK2isckVizpUANmOKxPJ2ia2Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-26T17:23:41Z"
+ mac: ENC[AES256_GCM,data:Ez/79vUHs+9B/v2qlUiPQeuYHRdvjUg1jJOt3C6xEnncDQ2fH0CUxKEIfjgJR7eatwvZSznprv2wCD8Ik0SKunjRI1UGe5JmrVstqoSDbo+MxpdwrqA8zC5unpRUYenvyo9m8ZW/DnjKz0ArorYjA9vid878MdemkHtSjjZzik8=,iv:2CkmPRjYYt7q7HAdEjIbJHaSUG6Yr92pEkk+Dd3E7LE=,tag:S8LPb0mEjRZQqawX310SOg==,type:str]
+ pgp:
+ - created_at: "2024-06-08T18:36:55Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
 
- hQEMA0SHG/zF3227AQf/VntYsys2fb7NslwBbEwQ4VYh8OOWtCGhqbVw045QflFD
- 2hS1cT85MDNTwPnnDW4NYbf3UEIq12eXVDFR8+4S4mMun68OmxEf3UhSB6k2cDgh
- iwM6HdAh13cC4UfYBpEq/NTr9omdoXPrcjQNYxqm8OBRNf1126L5XmQ4NT2Lg8Yw
- 2HcDIxrl9vX1X8OYd7fwc7TIJpVYCmG2UhVrz+gS4q51s1hi1t1BZdeUhU9RpSdZ
- Mu2HlB68t597wAXOB88K+zJG4+uUQrpz9V2Xd/lfzFIeQtwLcA/NdoZs+AMEQE+j
- wa5FPI08uF68KbwzXYCq2NEPKA4SX9UzlirJjdAukdJeAfqO5woWkuDHmDj+nDDS
- fSwL7mVNd43h9uO3PXi7j8kj32dwLcBSjkeuN1+gaTBLixzzp0drLTD1DkeY8kBS
- ROvWaNhXsrm+uB9d8aaznqfWS9C+3PE5fY9untPIUA==
- =f2HS
- -----END PGP MESSAGE-----
- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
- unencrypted_suffix: _unencrypted
- version: 3.8.1
+ hQEMA0SHG/zF3227AQf/VntYsys2fb7NslwBbEwQ4VYh8OOWtCGhqbVw045QflFD
+ 2hS1cT85MDNTwPnnDW4NYbf3UEIq12eXVDFR8+4S4mMun68OmxEf3UhSB6k2cDgh
+ iwM6HdAh13cC4UfYBpEq/NTr9omdoXPrcjQNYxqm8OBRNf1126L5XmQ4NT2Lg8Yw
+ 2HcDIxrl9vX1X8OYd7fwc7TIJpVYCmG2UhVrz+gS4q51s1hi1t1BZdeUhU9RpSdZ
+ Mu2HlB68t597wAXOB88K+zJG4+uUQrpz9V2Xd/lfzFIeQtwLcA/NdoZs+AMEQE+j
+ wa5FPI08uF68KbwzXYCq2NEPKA4SX9UzlirJjdAukdJeAfqO5woWkuDHmDj+nDDS
+ fSwL7mVNd43h9uO3PXi7j8kj32dwLcBSjkeuN1+gaTBLixzzp0drLTD1DkeY8kBS
+ ROvWaNhXsrm+uB9d8aaznqfWS9C+3PE5fY9untPIUA==
+ =f2HS
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/secrets/servers/dyndns.yaml b/secrets/servers/dyndns.yaml
index 94768bd..b93a80f 100644
--- a/secrets/servers/dyndns.yaml
+++ b/secrets/servers/dyndns.yaml
@@ -1,37 +1,37 @@
 dyndns_www.stefanjunker.de: ENC[AES256_GCM,data:xHpC/V9OWCMpTKs1,iv:gW6f6kQedbdxbz1zJAY6xceoeG/LqPG/Ss3DaBm/Ta0=,tag:v2V/hzRg+xgO8zpwyIBVXA==,type:str]
 dyndns_mailserver.svc.stefanjunker.de: ENC[AES256_GCM,data:auVHa5n4335mNXAy,iv:WZMOA+Z7/w+Jsu5193WwERXZrt/5JDiMUKIZo8ieT7w=,tag:YmEDp/0gjgPY2kg9GNKmxQ==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWFR1cWJkWFl3SHphNVlt
- NmI0eDFJanVLVlFKeWcydDNaclp0VlQveVJnCnRBc0JTUzZkV0l6cWdaNko3YUNM
- bWZRaGpYMHZWWkRPMjY4SEF3S200YlUKLS0tIExrWGhjM01YdS85U000Q2o1TjUw
- VFpZb0dEL2w5NWErR245MUplZE9xN28KiGaqrH9wYZ2goHKYygLgPZIZmUCosHc0
- RNaMVrIv7I9dPMiqlKdSl1Xp/ePa9gxUhVCpsFIZmlrlhHxv0TLtkQ==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-14T20:50:30Z"
- mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str]
- pgp:
- - created_at: "2023-11-23T12:05:35Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWFR1cWJkWFl3SHphNVlt
+ NmI0eDFJanVLVlFKeWcydDNaclp0VlQveVJnCnRBc0JTUzZkV0l6cWdaNko3YUNM
+ bWZRaGpYMHZWWkRPMjY4SEF3S200YlUKLS0tIExrWGhjM01YdS85U000Q2o1TjUw
+ VFpZb0dEL2w5NWErR245MUplZE9xN28KiGaqrH9wYZ2goHKYygLgPZIZmUCosHc0
+ RNaMVrIv7I9dPMiqlKdSl1Xp/ePa9gxUhVCpsFIZmlrlhHxv0TLtkQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-07-14T20:50:30Z"
+ mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str]
+ pgp:
+ - created_at: "2023-11-23T12:05:35Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
 
- wcBMA0SHG/zF3227AQgAjfBO/8RSFW5aIhchSLLvhNzhIF+p2f4KZTAiT0uhB5u6
- T10j8i0q5IV9XVDdRXxYZwBn6LDFOJ6WJ7hIv61Ri+jCGZ8N8Mr6OA7HyB+6zQmg
- 3PON+5qJC8FHFHiW+bB7NEULdlILS5Q6E3atjGmgOHKYq2O5L+IZgxp5Udt/oXuF
- CqIW22M/9ftEipgG2b2Txgq1PTNFWI8gYRVacuSU5UD687EacH4fTDyIdXk01FMW
- LmIh9h64kA5b6VALma1C2ztP0uvCUOSfVsvKJEILOb/kTb0qCdSkEM44onXTCHM+
- fBo140l54Cy1aIxFPsU8J/KkVbQ9Q6dOxIxrpaEQP9JRAUrBpLwbVLpWww2WFwG3
- nTplRw3DzGTGoV7CgdzRRhjv7fkb+h5eWLpFqSj6r2MG5PnEjnnDiBaa611sDN//
- ijdeSDMnCT93t6BEeNKvmTPS
- =60WW
- -----END PGP MESSAGE-----
- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
- unencrypted_suffix: _unencrypted
- version: 3.7.3
+ wcBMA0SHG/zF3227AQgAjfBO/8RSFW5aIhchSLLvhNzhIF+p2f4KZTAiT0uhB5u6
+ T10j8i0q5IV9XVDdRXxYZwBn6LDFOJ6WJ7hIv61Ri+jCGZ8N8Mr6OA7HyB+6zQmg
+ 3PON+5qJC8FHFHiW+bB7NEULdlILS5Q6E3atjGmgOHKYq2O5L+IZgxp5Udt/oXuF
+ CqIW22M/9ftEipgG2b2Txgq1PTNFWI8gYRVacuSU5UD687EacH4fTDyIdXk01FMW
+ LmIh9h64kA5b6VALma1C2ztP0uvCUOSfVsvKJEILOb/kTb0qCdSkEM44onXTCHM+
+ fBo140l54Cy1aIxFPsU8J/KkVbQ9Q6dOxIxrpaEQP9JRAUrBpLwbVLpWww2WFwG3
+ nTplRw3DzGTGoV7CgdzRRhjv7fkb+h5eWLpFqSj6r2MG5PnEjnnDiBaa611sDN//
+ ijdeSDMnCT93t6BEeNKvmTPS
+ =60WW
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml
index bc05028..a7e26dd 100644
--- a/secrets/shared-users.yaml
+++ b/secrets/shared-users.yaml
@@ -8,127 +8,127 @@ sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3x
 sharedUsers-elias: ENC[AES256_GCM,data:RsGDCguYkqegKhkO20lr8HjrTABAaNJmDiGK3DhhbX1sOLMweZwDtESvYjCfAOzWpiAaFh0BqevMkuUcEYQTBubSX+X0EZ0dFrdbVxIe7lq7Dosds98SqKLL4zWqe2y2qsphvj+oAz7Utg==,iv:JXIbyqAUt1OcB+bvgK6H2NU6Ip4nWRJ1/Hje75FfHC4=,tag:kPFALVkf1GbRj1J85SZm6Q==,type:str]
 sharedUsers-justyna: ENC[AES256_GCM,data:BGVp2QppWWaYHK3rwLlyy7SOWxSqKGsn7lemWe0KUzgiQc6D8ivYvXdGaAhJNvhgVTxlK6BZOacG4NESWf5hi7sN8AkwTT/6pa9WzhQQGNnwZIaVulXeddzFlebbh8pAt0WYV82DRejX3Q==,iv:RMysIp0pMnCLhWogWiGq4IpZA43sd0DPj3jeV0oRkY8=,tag:VvXPzyGAoATlSedvV2prJA==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNEhXWDlsNjFIdXdZQkVa
- T3RJeWZQOWgva2lMdHZ2MG54QURQK1ZGQnhzCmwvUWZYaGlIeTQ5WStscXU2Y3NM
- am9ybGhkdHE5M25uUXVMNmtRRkZlVTgKLS0tIGovcUZFdnkxdjZDck1TczVOTXND
- cUdkdEJ0TFBqUmo3US82M0JIZ2ZwcHcKSbLAajoj/GcQIe2LDSTIKy8Ztuw719hF
- UIUsPBI8QsUJcLFYm9S47wm6If82Rmj2h4A0wk7dkPj5onSrdFqyiQ==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWW9kd2tUYTkyaEROMjBK
- NmZPZ3ZBRVpjL0VOeDNHS0libndFeE9TQ1NNCisrVFhza1JwYWt1VVBmSWd0VlQ5
- cDd2LzUyUllUQjdBMldlRFl0R1NxWXMKLS0tIEVIQ3RsZUJjUXVURHl2VEtaZ0xM
- MFkwbU1RTnNPdHk5cW9laDhuNS9Ua1kK2QRHbLlQuQRHpjLBTNUV9qkn0+3J7AgV
- H/WJH2cIjJcloRkV/vllLQA6Xd2V6aYPyWKaj0htnlthvCcDFa+6vA==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6M08vb2l0Rmo3WFRBZWRQ
- b2crK3VQR3ZRNE53VzY5U3JkSFNYNXFyUkFnCmJXVlEzSTRKUVp5Y2U3SUtOa2Vj
- RlA5WVZ6b3VhWnpJdXlkOWV3VjBxSkUKLS0tIExxYWZNNXpXdTR6eUszRU5CWWZv
- RTE3aytzYmR6dUxWSktXNE5kUnFOQmMKwnk9/LjT5sMyyVyFCfTjwTN8I493tRky
- Pj2y8u/M+d4s6llA+k5zEBB2yYE+VPRqF4dz3XwqDDomHJb98YAh5w==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMnorb0s4NFpTdmkyVUxl
- Q1ZHRi9QWktTTW5xaWYzUnQrUmNzMXZPemxBCnFVZ2lWeUpPd2hlTjJ0VmJNaWFQ
- UFdGTHFxQjVZRGlwTjZ5TURPVzF0RGcKLS0tIGVmZExBMWhmV0RhRDVUNXJyUjUz
- L2FsWUhGQWlNSUlJVnNLYkdqakhCbmsKAtnEPfI2fPjRPimEVI7yX4VrYzHvNfnS
- juJbqMO6cy544O/5r2mkgUgo7VmUtFHmyrUFgmtpx3Hu22fdGmX4vQ==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRdXFTUFNhZlptSWMvdndq
- aisyNFJ0WjIxa2dYYkptS2FwcGRTTktZNUJBCk1ZWC9sbDYwQUxaQVdqeTE3R1VY
- NUZSMjlrRW5USGZBaENGdDJSM0prUlUKLS0tIHBXc1dNYXZkL1NBMThrMkJnSTl1
- cUR3dUZKV1FTK2dKK1FTZndtOW9Ed1kKStJ6/ER1SAGrBGJN4gXjTY0otsRoT9jN
- 6sMeD82p4Y3OUOz6QhtzLquwa5pV23TVP0CG4ilK8xPX4K/JklNQmg==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1vr69hfmjgkqu47g5hjacet6n2tq4rhwnvdrmfa6n6l7fkqvvafnsaccf8u
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4TDJ0VjJGV1RyVmdjSlly
- OEpNbCtxN3dBR1dMYms4Q3U4cW1RU0VWRmswCkpORVRHMmpYRUhsaHVCQ1d3Mmhh
- TkY2TFdiWnVieENPeXk2R3oxclJtUzAKLS0tIDFEZFBKUUx4OHgycWozRVBkeWFs
- YUpBRWU1Mzg0YlVGb3BXUzQ5Q0MxZk0K8SXgkE0Ixo16alXjSE+ILnE/ZoOWyYVL
- +u4LvOur6brdVyvkm8tQjkfzFBwUYMJesgLO5Ws3NBj7dAg/ec1kDg==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYV2tnZVBMeHhjVTFoYm9E
- V3l2dWhvYlRDQzNnS0RKc0g4L1R5WDZzcDNBCjN6RXhHMzhzOG1BSWgwcWNqa2dO
- WTdwSVRXbkhVbjI0R1lrY1Zhbk1qSmsKLS0tIGpVaXd6czI5S3VYTTdqNVhGbjB3
- cVZFdXFqVGtwSURSRENzSWhtSnZQaW8KIn14YKiCs3JupsvbY7NAzc2zMoGS0BM9
- Vp0dPXlEL9iT5H96jpn/W1ODRqbjmIOs4vCmmb2etvytSnoLNqgx8w==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCampiMk9BNGVVWUhRdVAy
- aW5Db1BYV1FWMCtmRkhiLzZDWWIyckdTaVFnCktPaXppVk9telNGV00yRGJkeFRE
- MkU3R1dtd0ZBWE9IUzEvbGlmWkpXeEEKLS0tIEpDWjk3WVZ4c2RIbVdscTZiSUV0
- RDNsSE1CREhpeG5lM2pPRmhkL1NxdjQK6YQBGQT2LscB4+J3y8zUg+eX67CAfDZ/
- zfi7D4W8z3vJZ49329gc5bmjjvYpauWdo/WDsgRYZbvQMil3ug/7dA==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZjFUL2pxSkNrRjRhb3RE
- dVRqbWJrbXd6Sk8yOHEyN0tKQ3hSNnlROEN3Cm44VkxJMDB0Y2daZm5CWEl2TDJL
- cUZjRUtYOFlBRUhMMkRBWWk5a05zV00KLS0tIEJySHY5UGJMSjJVMmxMSWp1UlMr
- TnhhNERwaGN3TC95S04ybVhoVWM0N1kK9vAj3s57u+3dWVpAb1ttJUZ8hzFmqgWg
- yUHXwwfRphdlNr+53kCbZ8XxT9+doeB1nvlrn/9s0J90Alqv6k/vDQ==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvSHdiQlFDdHJoQVFwSDNN
- UUwxMkJ0cmFPcWZrUlNOUHZvd29hY3dVVEM4CitzRVMyWHhiV2wvaGlwRmczTkRr
- YXhqS2JjWWc0QlRQUkVoQ05BMkNpZXcKLS0tIGJwTW1IQmg4T0FYRTJ3UWhzV0l5
- TTBrMnBkZ3JGZ0FVakNTR3A5VzNCd28K3CFTudi0ac6MNFdnr0AASIghZGuGdt+i
- owcUnRFuJg87RPgSsAWvh1mRMHyBTUEBBop62Lp44H8hLcTXwVRwFg==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwL0JNbmNFUEF0VGlWNk5N
- SnRNNStpSDcyQ0N4Qy9UNGtlaXc0YS91dVFNCkhZcEY0L1FvaVl1dHdDamEyVE9r
- amJaZUxYQ2tqa0pwVHdHZ2RXTFBGSXcKLS0tIFBSTm5pZ1BFMWhpNUl1M3VuSGli
- T1drTFFKUFR2MVVtNGhqYmFCQVduWkUKOLhOpIBiYaOZ7JR1X3WYVUq7IESdu2pw
- bAsmmjFymFcLvlm2IdFxb1xEh3hj1c6TdzeKkU1dnUSe8N4wnCQJpg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-06T20:14:22Z"
- mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str]
- pgp:
- - created_at: "2024-07-13T14:51:09Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNEhXWDlsNjFIdXdZQkVa
+ T3RJeWZQOWgva2lMdHZ2MG54QURQK1ZGQnhzCmwvUWZYaGlIeTQ5WStscXU2Y3NM
+ am9ybGhkdHE5M25uUXVMNmtRRkZlVTgKLS0tIGovcUZFdnkxdjZDck1TczVOTXND
+ cUdkdEJ0TFBqUmo3US82M0JIZ2ZwcHcKSbLAajoj/GcQIe2LDSTIKy8Ztuw719hF
+ UIUsPBI8QsUJcLFYm9S47wm6If82Rmj2h4A0wk7dkPj5onSrdFqyiQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWW9kd2tUYTkyaEROMjBK
+ NmZPZ3ZBRVpjL0VOeDNHS0libndFeE9TQ1NNCisrVFhza1JwYWt1VVBmSWd0VlQ5
+ cDd2LzUyUllUQjdBMldlRFl0R1NxWXMKLS0tIEVIQ3RsZUJjUXVURHl2VEtaZ0xM
+ MFkwbU1RTnNPdHk5cW9laDhuNS9Ua1kK2QRHbLlQuQRHpjLBTNUV9qkn0+3J7AgV
+ H/WJH2cIjJcloRkV/vllLQA6Xd2V6aYPyWKaj0htnlthvCcDFa+6vA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6M08vb2l0Rmo3WFRBZWRQ
+ b2crK3VQR3ZRNE53VzY5U3JkSFNYNXFyUkFnCmJXVlEzSTRKUVp5Y2U3SUtOa2Vj
+ RlA5WVZ6b3VhWnpJdXlkOWV3VjBxSkUKLS0tIExxYWZNNXpXdTR6eUszRU5CWWZv
+ RTE3aytzYmR6dUxWSktXNE5kUnFOQmMKwnk9/LjT5sMyyVyFCfTjwTN8I493tRky
+ Pj2y8u/M+d4s6llA+k5zEBB2yYE+VPRqF4dz3XwqDDomHJb98YAh5w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMnorb0s4NFpTdmkyVUxl
+ Q1ZHRi9QWktTTW5xaWYzUnQrUmNzMXZPemxBCnFVZ2lWeUpPd2hlTjJ0VmJNaWFQ
+ UFdGTHFxQjVZRGlwTjZ5TURPVzF0RGcKLS0tIGVmZExBMWhmV0RhRDVUNXJyUjUz
+ L2FsWUhGQWlNSUlJVnNLYkdqakhCbmsKAtnEPfI2fPjRPimEVI7yX4VrYzHvNfnS
+ juJbqMO6cy544O/5r2mkgUgo7VmUtFHmyrUFgmtpx3Hu22fdGmX4vQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRdXFTUFNhZlptSWMvdndq
+ aisyNFJ0WjIxa2dYYkptS2FwcGRTTktZNUJBCk1ZWC9sbDYwQUxaQVdqeTE3R1VY
+ NUZSMjlrRW5USGZBaENGdDJSM0prUlUKLS0tIHBXc1dNYXZkL1NBMThrMkJnSTl1
+ cUR3dUZKV1FTK2dKK1FTZndtOW9Ed1kKStJ6/ER1SAGrBGJN4gXjTY0otsRoT9jN
+ 6sMeD82p4Y3OUOz6QhtzLquwa5pV23TVP0CG4ilK8xPX4K/JklNQmg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1vr69hfmjgkqu47g5hjacet6n2tq4rhwnvdrmfa6n6l7fkqvvafnsaccf8u
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4TDJ0VjJGV1RyVmdjSlly
+ OEpNbCtxN3dBR1dMYms4Q3U4cW1RU0VWRmswCkpORVRHMmpYRUhsaHVCQ1d3Mmhh
+ TkY2TFdiWnVieENPeXk2R3oxclJtUzAKLS0tIDFEZFBKUUx4OHgycWozRVBkeWFs
+ YUpBRWU1Mzg0YlVGb3BXUzQ5Q0MxZk0K8SXgkE0Ixo16alXjSE+ILnE/ZoOWyYVL
+ +u4LvOur6brdVyvkm8tQjkfzFBwUYMJesgLO5Ws3NBj7dAg/ec1kDg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYV2tnZVBMeHhjVTFoYm9E
+ V3l2dWhvYlRDQzNnS0RKc0g4L1R5WDZzcDNBCjN6RXhHMzhzOG1BSWgwcWNqa2dO
+ WTdwSVRXbkhVbjI0R1lrY1Zhbk1qSmsKLS0tIGpVaXd6czI5S3VYTTdqNVhGbjB3
+ cVZFdXFqVGtwSURSRENzSWhtSnZQaW8KIn14YKiCs3JupsvbY7NAzc2zMoGS0BM9
+ Vp0dPXlEL9iT5H96jpn/W1ODRqbjmIOs4vCmmb2etvytSnoLNqgx8w==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCampiMk9BNGVVWUhRdVAy
+ aW5Db1BYV1FWMCtmRkhiLzZDWWIyckdTaVFnCktPaXppVk9telNGV00yRGJkeFRE
+ MkU3R1dtd0ZBWE9IUzEvbGlmWkpXeEEKLS0tIEpDWjk3WVZ4c2RIbVdscTZiSUV0
+ RDNsSE1CREhpeG5lM2pPRmhkL1NxdjQK6YQBGQT2LscB4+J3y8zUg+eX67CAfDZ/
+ zfi7D4W8z3vJZ49329gc5bmjjvYpauWdo/WDsgRYZbvQMil3ug/7dA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZjFUL2pxSkNrRjRhb3RE
+ dVRqbWJrbXd6Sk8yOHEyN0tKQ3hSNnlROEN3Cm44VkxJMDB0Y2daZm5CWEl2TDJL
+ cUZjRUtYOFlBRUhMMkRBWWk5a05zV00KLS0tIEJySHY5UGJMSjJVMmxMSWp1UlMr
+ TnhhNERwaGN3TC95S04ybVhoVWM0N1kK9vAj3s57u+3dWVpAb1ttJUZ8hzFmqgWg
+ yUHXwwfRphdlNr+53kCbZ8XxT9+doeB1nvlrn/9s0J90Alqv6k/vDQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvSHdiQlFDdHJoQVFwSDNN
+ UUwxMkJ0cmFPcWZrUlNOUHZvd29hY3dVVEM4CitzRVMyWHhiV2wvaGlwRmczTkRr
+ YXhqS2JjWWc0QlRQUkVoQ05BMkNpZXcKLS0tIGJwTW1IQmg4T0FYRTJ3UWhzV0l5
+ TTBrMnBkZ3JGZ0FVakNTR3A5VzNCd28K3CFTudi0ac6MNFdnr0AASIghZGuGdt+i
+ owcUnRFuJg87RPgSsAWvh1mRMHyBTUEBBop62Lp44H8hLcTXwVRwFg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwL0JNbmNFUEF0VGlWNk5N
+ SnRNNStpSDcyQ0N4Qy9UNGtlaXc0YS91dVFNCkhZcEY0L1FvaVl1dHdDamEyVE9r
+ amJaZUxYQ2tqa0pwVHdHZ2RXTFBGSXcKLS0tIFBSTm5pZ1BFMWhpNUl1M3VuSGli
+ T1drTFFKUFR2MVVtNGhqYmFCQVduWkUKOLhOpIBiYaOZ7JR1X3WYVUq7IESdu2pw
+ bAsmmjFymFcLvlm2IdFxb1xEh3hj1c6TdzeKkU1dnUSe8N4wnCQJpg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-07-06T20:14:22Z"
+ mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str]
+ pgp:
+ - created_at: "2024-07-13T14:51:09Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
 
- hQEMA0SHG/zF3227AQgA1FWn6ZQmFi4IRZJtOShKpjdHEPGbD2s8PHD3pYv8edkQ
- NnAi/vJimCsTHCLUpzW23jF+CIbUet7s8BWhETAcX+UGp29YbYaaqM2R//FISEQX
- JcGGMAnsD0oOX69CCZiKaV0/jLUTU/Aiy+nVgKtMCdWrH54lGd4gKcl0uLRTVz6v
- VSaS/zvSK8cxz6il6L37evBw+cC378THiUGkSjJhiAaWVO3oyDW+cTjDodcMC4dU
- kk9VPkdGie7vHMuZduADtKkHLHrQRfNLl8SVH0oXko/PJVyNgHar0JoZbRfXoPt6
- xUsAUqSz7XFHDB153FAvJpBMW+JtuzOI9b6w4a4ZadJcAf2f/Lj5Ud9WLEumZ9ig
- 75b5Phh6HwqnXiaz+gEvQyfcsHzQjWasIiN/JN27UZ9k6IJQ3LYwqYIY2k8Q3wZ7
- IgSFqNlqLyDlI8FPGIlOKU8iqOlNKKziyhFYgNY=
- =Ayke
- -----END PGP MESSAGE-----
- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
- unencrypted_suffix: _unencrypted
- version: 3.7.3
+ hQEMA0SHG/zF3227AQgA1FWn6ZQmFi4IRZJtOShKpjdHEPGbD2s8PHD3pYv8edkQ
+ NnAi/vJimCsTHCLUpzW23jF+CIbUet7s8BWhETAcX+UGp29YbYaaqM2R//FISEQX
+ JcGGMAnsD0oOX69CCZiKaV0/jLUTU/Aiy+nVgKtMCdWrH54lGd4gKcl0uLRTVz6v
+ VSaS/zvSK8cxz6il6L37evBw+cC378THiUGkSjJhiAaWVO3oyDW+cTjDodcMC4dU
+ kk9VPkdGie7vHMuZduADtKkHLHrQRfNLl8SVH0oXko/PJVyNgHar0JoZbRfXoPt6
+ xUsAUqSz7XFHDB153FAvJpBMW+JtuzOI9b6w4a4ZadJcAf2f/Lj5Ud9WLEumZ9ig
+ 75b5Phh6HwqnXiaz+gEvQyfcsHzQjWasIiN/JN27UZ9k6IJQ3LYwqYIY2k8Q3wZ7
+ IgSFqNlqLyDlI8FPGIlOKU8iqOlNKKziyhFYgNY=
+ =Ayke
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/secrets/sj-srv1/secrets.yaml b/secrets/sj-srv1/secrets.yaml
index 2303d41..40a927b 100644
--- a/secrets/sj-srv1/secrets.yaml
+++ b/secrets/sj-srv1/secrets.yaml
@@ -2,37 +2,37 @@
 passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str]
 restic-password: ENC[AES256_GCM,data:0cTVlqHCW/xCk7y3ikh0RtVk/5xFOrcrnQmMbIBtfOd7PYbiTUzwBtYXwOaXO4ob7/+KJUEwhl5TzX/Of1J+y7ML7JbpNPtLr8r0gzDYOvBPY5GlmkDGcorz7QTaomuDprJkoD06lJWme/L893u7rxwamF222D2JvGz5FfTuWfaRWb1PcehBkew89gjdAgqFJJwqlX1vwvQDPg6yj+vnk9ZqR/E967bbQeN/G/qGJ9xfVmeuOPYoZH2IrL0Zgif/FLqZWZtlJ1JnRUBXsVN6FZXfT1Q82euLPOpaUHrFJjAF26PuTwVreIjcBLX3wqc8vhAYWfc+RThS3ITwNdNTSA==,iv:KBqME0cqIIX15xPgKi5mBalk01tswj8xVd8rFETX9zU=,tag:V6KltIGVarWXP1R5lY2FAw==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v
- ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL
- dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2
- czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0
- iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-19T20:25:37Z"
- mac: ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str]
- pgp:
- - created_at: "2023-08-11T16:31:41Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v
+ ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL
+ dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2
+ czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0
+ iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-01-19T20:25:37Z"
+ mac: ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str]
+ pgp:
+ - created_at: "2023-08-11T16:31:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
 
- wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n
- TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7
- R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ
- JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP
- kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy
- 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT
- eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7
- C5Jot9exml6467YZkApBm0eM
- =HulH
- -----END PGP MESSAGE-----
- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
- unencrypted_suffix: _unencrypted
- version: 3.7.3
+ wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n
+ TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7
+ R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ
+ JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP
+ kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy
+ 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT
+ eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7
+ C5Jot9exml6467YZkApBm0eM
+ =HulH
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/secrets/sj-vps-htz0/secrets.yaml b/secrets/sj-vps-htz0/secrets.yaml
index 5eba76e..09a13a2 100644
--- a/secrets/sj-vps-htz0/secrets.yaml
+++ b/secrets/sj-vps-htz0/secrets.yaml
@@ -5,37 +5,37 @@ wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6c
 wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str]
 wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v
- ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL
- dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2
- czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0
- iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-08-13T17:03:01Z"
- mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str]
- pgp:
- - created_at: "2023-08-11T16:31:41Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v
+ ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL
+ dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2
+ czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0
+ iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-08-13T17:03:01Z"
+ mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str]
+ pgp:
+ - created_at: "2023-08-11T16:31:41Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
 
- wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n
- TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7
- R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ
- JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP
- kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy
- 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT
- eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7
- C5Jot9exml6467YZkApBm0eM
- =HulH
- -----END PGP MESSAGE-----
- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
- unencrypted_suffix: _unencrypted
- version: 3.7.3
+ wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n
+ TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7
+ R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ
+ JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP
+ kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy
+ 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT
+ eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7
+ C5Jot9exml6467YZkApBm0eM
+ =HulH
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/secrets/steveej-x13s/secrets.yaml b/secrets/steveej-x13s/secrets.yaml
index b69d6fa..a76e0dc 100644
--- a/secrets/steveej-x13s/secrets.yaml
+++ b/secrets/steveej-x13s/secrets.yaml
@@ -1,36 +1,36 @@
 builder-private-key: ENC[AES256_GCM,data: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,iv:DOUijPr4wHmjNIniF2IRjinXZ6iyg8Z1Nt5EgFfX5Zw=,tag:VWxHpfpyphtu6XLR1yKugg==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZWRvaWFlU25sYkdTejg3
- YXRrVHhHaDN2anR0WWJmcDdCZDNLUFhiU2hrCmZSNWNFbVd3Wm95SU9iNmhqaVE1
- TlFuYzFNOVFEekYvWjlQWEpqbzZCU1UKLS0tIFczTHlsN2lNdlh3clI2VEI4Y0lI
- dUQ5ZE9keUtxVU5mMklGODRjSld0TnMKGWu7m6/q6PhS1R8N9YBsxDs9O76U6Bta
- wr8Tqr/1JLWoSLbPapltKH8+hKAb84LeILezVS1SrL+mjf2KYa3WQQ==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-01T16:50:35Z"
- mac: ENC[AES256_GCM,data:wDnv7wZLks2EME+JqlBtagVaDZEo9ap3d6xFfnBy2/D4wrJhhYlo8vOYM8GFXEhfa0Jek+9ZlkmXYerLNWLMiUMKWIvk0cvHjxBaR2wcxt9FnynPT9W9hSX7UFhM/eTiJviksOESTI7pqNh9X7ggLSZ0c+O5mBxxEh/bcjz8vIU=,iv:vgvmyvUkZBapCpRbPU3cDgmHsc5NwHzCsMzjHvr/Xc0=,tag:FMI0YrwdCPIFe8tnLQr69w==,type:str]
- pgp:
- - created_at: "2024-04-04T18:26:01Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZWRvaWFlU25sYkdTejg3
+ YXRrVHhHaDN2anR0WWJmcDdCZDNLUFhiU2hrCmZSNWNFbVd3Wm95SU9iNmhqaVE1
+ TlFuYzFNOVFEekYvWjlQWEpqbzZCU1UKLS0tIFczTHlsN2lNdlh3clI2VEI4Y0lI
+ dUQ5ZE9keUtxVU5mMklGODRjSld0TnMKGWu7m6/q6PhS1R8N9YBsxDs9O76U6Bta
+ wr8Tqr/1JLWoSLbPapltKH8+hKAb84LeILezVS1SrL+mjf2KYa3WQQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-01T16:50:35Z"
+ mac: ENC[AES256_GCM,data:wDnv7wZLks2EME+JqlBtagVaDZEo9ap3d6xFfnBy2/D4wrJhhYlo8vOYM8GFXEhfa0Jek+9ZlkmXYerLNWLMiUMKWIvk0cvHjxBaR2wcxt9FnynPT9W9hSX7UFhM/eTiJviksOESTI7pqNh9X7ggLSZ0c+O5mBxxEh/bcjz8vIU=,iv:vgvmyvUkZBapCpRbPU3cDgmHsc5NwHzCsMzjHvr/Xc0=,tag:FMI0YrwdCPIFe8tnLQr69w==,type:str]
+ pgp:
+ - created_at: "2024-04-04T18:26:01Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
 
- hQEMA0SHG/zF3227AQgAn6CqJhclheA82nJm39h/52Ir/gVGRZz1ViK157MxRVs3
- NSrNZCPW+x9vGExPWJ8wnT3KZ7jeo7jEbJ260WSp4xwQtCuUrDR6Oyp0mrtN6SMo
- 4hHZo+OwLb3brQGHOng43Hedk6E74ZRMyUr5mmRKLTC1l9GeKtf3HoSvNq+bS7B8
- SrmkemzsS2SrXYE7Qslzhi8QKwby8nsjN2pE5hk12wZKefT4XP3q+lf7n2QeboG0
- 8d4u+706BO4DoxtnXPs1Gop3sJ3TZdAXTdfjnuv+LDMOmIDoVp1tgXRPiAvCfMPV
- 9YiFS/WYMD5OA69SPBjCWIMPMw8PIU8OuHjy71eXlNJeAXeVLp70pGQOiPOZSvtl
- vmfiPWOZnX+6jSpsSfmEa8FxAZYLgHUayF8YMtHi3kdz3x0kWMx3Pzvjvs4BfIyd
- pp7PTfMycrk67Y3lcokNswt/fle0tN6xuqP4Uv4zWw==
- =y1Sk
- -----END PGP MESSAGE-----
- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
- unencrypted_suffix: _unencrypted
- version: 3.8.1
+ hQEMA0SHG/zF3227AQgAn6CqJhclheA82nJm39h/52Ir/gVGRZz1ViK157MxRVs3
+ NSrNZCPW+x9vGExPWJ8wnT3KZ7jeo7jEbJ260WSp4xwQtCuUrDR6Oyp0mrtN6SMo
+ 4hHZo+OwLb3brQGHOng43Hedk6E74ZRMyUr5mmRKLTC1l9GeKtf3HoSvNq+bS7B8
+ SrmkemzsS2SrXYE7Qslzhi8QKwby8nsjN2pE5hk12wZKefT4XP3q+lf7n2QeboG0
+ 8d4u+706BO4DoxtnXPs1Gop3sJ3TZdAXTdfjnuv+LDMOmIDoVp1tgXRPiAvCfMPV
+ 9YiFS/WYMD5OA69SPBjCWIMPMw8PIU8OuHjy71eXlNJeAXeVLp70pGQOiPOZSvtl
+ vmfiPWOZnX+6jSpsSfmEa8FxAZYLgHUayF8YMtHi3kdz3x0kWMx3Pzvjvs4BfIyd
+ pp7PTfMycrk67Y3lcokNswt/fle0tN6xuqP4Uv4zWw==
+ =y1Sk
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1