feat: introduce treefmt and fmt all

This commit is contained in:
steveej 2024-11-15 10:17:56 +01:00
parent 80250b0179
commit 27c6c4f9fa
237 changed files with 5440 additions and 5214 deletions

3
.gitignore vendored

@ -4,3 +4,6 @@
.env .env
**/result **/result
.direnv/ .direnv/
# nixago: ignore-linked-files
/treefmt.toml


@ -18,105 +18,105 @@ keys:
- &router0-dmz0 age1vr69hfmjgkqu47g5hjacet6n2tq4rhwnvdrmfa6n6l7fkqvvafnsaccf8u - &router0-dmz0 age1vr69hfmjgkqu47g5hjacet6n2tq4rhwnvdrmfa6n6l7fkqvvafnsaccf8u
- &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
- &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
- &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
creation_rules: creation_rules:
- path_regex: ^(.+/|)secrets/[^/]+$ - path_regex: ^(.+/|)secrets/[^/]+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *steveej-t14 - *steveej-t14
- *steveej-x13s - *steveej-x13s
- *elias-e525 - *elias-e525
- *justyna-p300 - *justyna-p300
- *srv0-dmz0 - *srv0-dmz0
- *router0-dmz0 - *router0-dmz0
- *sj-vps-htz0 - *sj-vps-htz0
- *sj-srv1 - *sj-srv1
- *hstk0 - *hstk0
- *router0-ifog - *router0-ifog
- *router0-hosthatch - *router0-hosthatch
- path_regex: ^secrets/steveej-t14/.+$ - path_regex: ^secrets/steveej-t14/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *steveej-t14 - *steveej-t14
- path_regex: ^secrets/desktop/.+$ - path_regex: ^secrets/desktop/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *steveej-t14 - *steveej-t14
- *steveej-x13s - *steveej-x13s
- path_regex: ^secrets/servers/.+$ - path_regex: ^secrets/servers/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *sj-vps-htz0 - *sj-vps-htz0
- *sj-srv1 - *sj-srv1
- path_regex: ^nix/os/containers/.+_secrets.+$ - path_regex: ^nix/os/containers/.+_secrets.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *sj-vps-htz0 - *sj-vps-htz0
- *sj-srv1 - *sj-srv1
- path_regex: ^secrets/holochain-infra/.+$ - path_regex: ^secrets/holochain-infra/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *srv0-dmz0 - *srv0-dmz0
- path_regex: ^secrets/router0-dmz0/.+$ - path_regex: ^secrets/router0-dmz0/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *router0-dmz0 - *router0-dmz0
- path_regex: ^secrets/router0-ifog/.+$ - path_regex: ^secrets/router0-ifog/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *router0-ifog - *router0-ifog
- path_regex: ^secrets/router0-hosthatch/.+$ - path_regex: ^secrets/router0-hosthatch/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *router0-hosthatch - *router0-hosthatch
- path_regex: ^secrets/sj-vps-htz0/.+$ - path_regex: ^secrets/sj-vps-htz0/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *sj-vps-htz0 - *sj-vps-htz0
- path_regex: ^secrets/sj-srv1/.+$ - path_regex: ^secrets/sj-srv1/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *sj-srv1 - *sj-srv1
- path_regex: ^secrets/hstk0/.+$ - path_regex: ^secrets/hstk0/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *hstk0 - *hstk0
- path_regex: ^secrets/steveej-x13s/.+$ - path_regex: ^secrets/steveej-x13s/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *steveej-x13s - *steveej-x13s
- path_regex: ^secrets/work-holo/.+$ - path_regex: ^secrets/work-holo/.+$
key_groups: key_groups:
- pgp: - pgp:
- *steveej - *steveej
age: age:
- *steveej-x13s - *steveej-x13s

36
.vscode/settings.json vendored

@ -1,19 +1,21 @@
{ {
"nix.serverSettings": { "editor.defaultFormatter": "ibecker.treefmt-vscode",
// settings for 'nil' LSP "editor.formatOnSave": true,
"nil": { "nix.enableLanguageServer": true,
"autoArchive": true, "nix.serverPath": "nil",
"diagnostics": { "nix.serverSettings": {
"ignored": [ // settings for 'nil' LSP
"unused_binding", "nil": {
"unused_with" "autoArchive": true,
] "diagnostics": {
}, "ignored": ["unused_binding", "unused_with"]
"formatting": { },
"command": [ "formatting": {
"treefmt-nix", "command": ["treefmt-nix", "--stdin", ".nil.nix"]
] }
} }
} },
}, "[nix]": {
"editor.defaultFormatter": "jnoortheen.nix-ide"
}
} }


@ -1,4 +1,5 @@
# steveej's infra # steveej's infra
This repository helps me to manage all computer infrastructure. This repository helps me to manage all computer infrastructure.
This is mostly achieved with the help of [Nix](https://nixos.org). This is mostly achieved with the help of [Nix](https://nixos.org).
@ -19,7 +20,7 @@ In the unlikely case that you actually read this and have any questions please d
- [ ] development environments - [ ] development environments
- [x] (Semi-) automatic synchronization of important repositories - [x] (Semi-) automatic synchronization of important repositories
- [x] Modification strategy - [x] Modification strategy
The approach is to use vcsh for the dotfiles The approach is to use vcsh for the dotfiles
- [x] dotfiles - [x] dotfiles
- [x] Toplevel Justfile for simple actions - [x] Toplevel Justfile for simple actions
- [x] mount/umount disks - [x] mount/umount disks
@ -39,39 +40,46 @@ In the unlikely case that you actually read this and have any questions please d
- [x] sj-pve0 - [x] sj-pve0
- [x] use an existing secret management framework - [x] use an existing secret management framework
- [x] adapt (or abandon?) _just_ recipes - [x] adapt (or abandon?) _just_ recipes
- [x] `rebuild-this-device`
- [x] `update-this-device`
- [x] `rebuild-remote-device`
- [x] `update-remote-device`
evaluate, and understand a path to using these tools in a pull-based fashion: - [x] `rebuild-this-device`
- [x] `update-this-device`
- [x] `rebuild-remote-device`
- [x] `update-remote-device`
evaluate, and understand a path to using these tools in a pull-based fashion:
- [x] [colmena](https://github.com/zhaofengli/colmena) - [x] [colmena](https://github.com/zhaofengli/colmena)
* bootstrapping: https://github.com/zhaofengli/colmena/issues/68 - bootstrapping: https://github.com/zhaofengli/colmena/issues/68
- [ ] deploy-rs - [ ] deploy-rs
- [x] 🚧 find a better alternative for the qtile-desktop
current issues:
- floating windows often get lost in the background
- plugging in-/out- screen crashes the desktop
evaluate: - [x] 🚧 find a better alternative for the qtile-desktop
- [x] ~~🚧 gnome3 + pop-shell~~ current issues:
- [x] ~~leftwm + eww (+ wayland?)~~
- floating windows often get lost in the background
- plugging in-/out- screen crashes the desktop
evaluate:
- [x] ~~🚧 gnome3 + pop-shell~~
- [x] ~~leftwm + eww (+ wayland?)~~
- [ ] (Re-)document bootstrap process - [ ] (Re-)document bootstrap process
- [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine
- [ ] a new machine - [ ] a new machine
- [ ] an install media - [ ] an install media
- [ ] Design disaster recovery - [ ] Design disaster recovery
- [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
- [ ] Recycle *\_archived* - [ ] Recycle _\_archived_
- [ ] container migrations - [ ] container migrations
- [ ] ensure DDNS is updated _before_ the containers are started - [ ] ensure DDNS is updated _before_ the containers are started
## Bugs ## Bugs
- [ ] home-manager leaves ~/.gnupg at 0755 - [ ] home-manager leaves ~/.gnupg at 0755
## Usage ## Usage
*(These are reminders for my future self)*
_(These are reminders for my future self)_
``` ```
just --list just --list
@ -80,15 +88,17 @@ just --list
## Bootstrap ## Bootstrap
### A new machine ### A new machine
* ensure the dotfiles repo has a branch with the new machine's hostname
* boot with an install media and go through setup - ensure the dotfiles repo has a branch with the new machine's hostname
- boot with an install media and go through setup
#### Post-Install Setup #### Post-Install Setup
* `chmod --recursive g-rwx,o-rwx ~/.gnupg`
* `gpg2 --edit-card; fetch` - `chmod --recursive g-rwx,o-rwx ~/.gnupg`
* clone password-manager and infra repositories - `gpg2 --edit-card; fetch`
* gpg2: ultimately trust my own key - clone password-manager and infra repositories
- gpg2: ultimately trust my own key
## Swapping out a disk ## Swapping out a disk


@ -4,6 +4,9 @@
# Having pkgs default to <nixpkgs> is fine though, and it lets you use short # Having pkgs default to <nixpkgs> is fine though, and it lets you use short
# commands such as: # commands such as:
# nix-build -A mypackage # nix-build -A mypackage
{pkgs ? import <nixpkgs> {}}: { {
pkgs = import ./nix/pkgs {inherit pkgs;}; pkgs ? import <nixpkgs> { },
}:
{
pkgs = import ./nix/pkgs { inherit pkgs; };
} }

208
flake.lock generated

@ -346,6 +346,81 @@
} }
}, },
"flake-utils_3": { "flake-utils_3": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_6": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_7": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_8": {
"inputs": { "inputs": {
"systems": "systems_3" "systems": "systems_3"
}, },
@ -363,7 +438,7 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_4": { "flake-utils_9": {
"inputs": { "inputs": {
"systems": "systems_4" "systems": "systems_4"
}, },
@ -485,7 +560,7 @@
}, },
"lib-aggregate": { "lib-aggregate": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_3", "flake-utils": "flake-utils_8",
"nixpkgs-lib": "nixpkgs-lib_2" "nixpkgs-lib": "nixpkgs-lib_2"
}, },
"locked": { "locked": {
@ -639,6 +714,126 @@
"type": "github" "type": "github"
} }
}, },
"nixago": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixago-exts": "nixago-exts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1714086354,
"narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=",
"owner": "jmgilman",
"repo": "nixago",
"rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d",
"type": "github"
},
"original": {
"owner": "jmgilman",
"repo": "nixago",
"type": "github"
}
},
"nixago-exts": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixago": "nixago_2",
"nixpkgs": [
"nixago",
"nixpkgs"
]
},
"locked": {
"lastModified": 1676070308,
"narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=",
"owner": "nix-community",
"repo": "nixago-extensions",
"rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago-extensions",
"type": "github"
}
},
"nixago-exts_2": {
"inputs": {
"flake-utils": "flake-utils_6",
"nixago": "nixago_3",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixago",
"nixpkgs"
]
},
"locked": {
"lastModified": 1655508669,
"narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=",
"owner": "nix-community",
"repo": "nixago-extensions",
"rev": "3022a932ce109258482ecc6568c163e8d0b426aa",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago-extensions",
"type": "github"
}
},
"nixago_2": {
"inputs": {
"flake-utils": "flake-utils_5",
"nixago-exts": "nixago-exts_2",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixpkgs"
]
},
"locked": {
"lastModified": 1676070010,
"narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=",
"owner": "nix-community",
"repo": "nixago",
"rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "rename-config-data",
"repo": "nixago",
"type": "github"
}
},
"nixago_3": {
"inputs": {
"flake-utils": "flake-utils_7",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixago",
"nixago-exts",
"nixpkgs"
]
},
"locked": {
"lastModified": 1655405483,
"narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=",
"owner": "nix-community",
"repo": "nixago",
"rev": "e6a9566c18063db5b120e69e048d3627414e327d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago",
"type": "github"
}
},
"nixos-anywhere": { "nixos-anywhere": {
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
@ -847,11 +1042,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1730531603, "lastModified": 1731319897,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=", "narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d", "rev": "dc460ec76cbff0e66e269457d7b728432263166c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -1058,6 +1253,7 @@
"logseq_0_10_9_aarch64_appimage": "logseq_0_10_9_aarch64_appimage", "logseq_0_10_9_aarch64_appimage": "logseq_0_10_9_aarch64_appimage",
"nix-vscode-extensions": "nix-vscode-extensions", "nix-vscode-extensions": "nix-vscode-extensions",
"nix4vscode": "nix4vscode", "nix4vscode": "nix4vscode",
"nixago": "nixago",
"nixos-anywhere": "nixos-anywhere", "nixos-anywhere": "nixos-anywhere",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-2405" "nixpkgs-2405"
@ -1351,7 +1547,7 @@
}, },
"yofi": { "yofi": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_4", "flake-utils": "flake-utils_9",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]

471
flake.nix

@ -43,10 +43,7 @@
url = "github:nix-community/fenix"; url = "github:nix-community/fenix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
crane = { crane.url = "github:ipetkov/crane";
url = "github:ipetkov/crane";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix.url = "github:Mic92/sops-nix"; sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs"; sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@ -129,218 +126,276 @@
url = "github:numtide/treefmt-nix"; url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
nixago.url = "github:jmgilman/nixago";
nixago.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = inputs @ { outputs =
self, inputs@{
flake-parts, self,
nixpkgs, flake-parts,
... nixpkgs,
}: let ...
inherit (nixpkgs) lib; }:
let
inherit (nixpkgs) lib;
systems = [ systems = [
"x86_64-linux" "x86_64-linux"
"aarch64-linux" "aarch64-linux"
]; ];
in in
flake-parts.lib.mkFlake {inherit inputs;} flake-parts.lib.mkFlake { inherit inputs; } (
({withSystem, ...}: { { withSystem, ... }:
flake.colmena = {
lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) flake.colmena =
{ lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
meta.nixpkgs = import inputs.nixpkgs.outPath { { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; }
system = builtins.elemAt systems 0; # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
}; # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
}
# FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
# try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
(builtins.map
(nodeName:
import ./nix/os/devices/${nodeName} {
inherit nodeName;
repoFlake = self;
repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
}) [
"steveej-t14"
"steveej-x13s"
"steveej-x13s-rmvbl"
# "elias-e525"
# "justyna-p300"
# "srv0-dmz0"
# "router0-dmz0"
"router0-ifog"
"router0-hosthatch"
"sj-srv1"
"hstk0"
]);
flake.lib = {
inherit withSystem;
};
# this makes nixos-anywhere work
flake.nixosConfigurations = let
colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes;
router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
in (
colmenaHive
// {
router0-dmz0 = router0-dmz0.native;
# for now deploy directly with:
# nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1
router0-dmz0_cross = router0-dmz0.cross;
steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross;
steveej-x13s-rmvbl_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
}
);
inherit systems;
perSystem = {
self',
inputs',
system,
config,
lib,
pkgs,
...
}: {
imports = [
./nix/modules/flake-parts/perSystem/default.nix
];
packages = let
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {};
craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain;
craneLib =
craneLibFn
inputs'.fenix.packages.stable.toolchain;
craneLibOfiPass =
craneLibFn
( (
inputs'.fenix.packages.stable.toolchain builtins.map
# .override { (
# date = "1.60.0"; nodeName:
# } import ./nix/os/devices/${nodeName} {
inherit nodeName;
repoFlake = self;
repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
}
)
[
"steveej-t14"
"steveej-x13s"
"steveej-x13s-rmvbl"
# "elias-e525"
# "justyna-p300"
# "srv0-dmz0"
# "router0-dmz0"
"router0-ifog"
"router0-hosthatch"
"sj-srv1"
"hstk0"
]
); );
in {
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
inherit (inputs'.colmena.packages) colmena; flake.lib = {
inherit withSystem;
prs =
pkgs.callPackage
({
pkgs,
dbus,
glib,
gpgme,
gtk3,
libxcb,
libxkbcommon,
installShellFiles,
pkg-config,
python3,
}:
craneLib.buildPackage {
pname = "prs";
version = inputs.prs.shortRev;
src = inputs.prs;
nativeBuildInputs = [gpgme installShellFiles pkg-config python3];
buildInputs = [
dbus
glib
gpgme
gtk3
libxcb
libxkbcommon
];
cargoExtraArgs = "--features backend-gpgme";
postInstall = ''
for shell in bash fish zsh; do
installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
done
'';
})
{};
nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" ''
set -x
pkill -9 wayland-proxy-v
export NIXOS_OZONE_WL=""
${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
--wayland-display=wayland-3 \
--xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
--x-display=3 \
&
# --x-unscale=3 \
#--verbose \
export PROXYPID="$!"
trap "kill -9 \$PROXYPID" EXIT
# trap "pkill -9 wayland-proxy-v" EXIT
env \
WAYLAND_DISPLAY=wayland-3 \
DISPLAY=:3 \
ledger-live-desktop
'';
syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" ''
ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384
'';
rperf = craneLib.buildPackage {
src = inputs.rperf;
nativeBuildInputs = [
pkgs.pkg-config
];
buildInputs = [
];
};
x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" {} ''
mkdir -p $out/lib/firmware/qca
cp -v ${self}/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw $out/lib/firmware/qca/hpnv21.bin
cp -v ${inputs.x13s-bt-firmware} $out/lib/firmware/qca//hpbtfw21.tlv
'';
x13s-ath11k-firmware = pkgs.runCommand "x13s-ath11k-firmware-before" {} ''
mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/
cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/
cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/
'';
}; };
formatter = inputs.treefmt-nix.formatter.${system}; # this makes nixos-anywhere work
flake.nixosConfigurations =
let
colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes;
router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
in
colmenaHive
// {
router0-dmz0 = router0-dmz0.native;
devShells = let # for now deploy directly with:
all = import ./nix/devShells.nix { # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1
inherit router0-dmz0_cross = router0-dmz0.cross;
self
self' steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross;
inputs' steveej-x13s-rmvbl_cross =
pkgs (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
;
}; };
in (all // {default = all.develop;});
}; inherit systems;
});
perSystem =
{
self',
inputs',
system,
config,
lib,
pkgs,
...
}:
{
imports = [ ./nix/modules/flake-parts/perSystem/default.nix ];
packages =
let
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { };
craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain;
craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain;
in
{
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
inherit (inputs'.colmena.packages) colmena;
prs = pkgs.callPackage (
{
dbus,
glib,
gpgme,
gtk3,
libxcb,
libxkbcommon,
installShellFiles,
pkg-config,
python3,
}:
craneLib.buildPackage {
pname = "prs";
version = inputs.prs.shortRev;
src = inputs.prs;
nativeBuildInputs = [
gpgme
installShellFiles
pkg-config
python3
];
buildInputs = [
dbus
glib
gpgme
gtk3
libxcb
libxkbcommon
];
cargoExtraArgs = "--features backend-gpgme";
postInstall = ''
for shell in bash fish zsh; do
installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
done
'';
}
) { };
nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" ''
set -x
pkill -9 wayland-proxy-v
export NIXOS_OZONE_WL=""
${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \
--wayland-display=wayland-3 \
--xwayland-binary=${pkgs.xwayland}/bin/Xwayland \
--x-display=3 \
&
# --x-unscale=3 \
#--verbose \
export PROXYPID="$!"
trap "kill -9 \$PROXYPID" EXIT
# trap "pkill -9 wayland-proxy-v" EXIT
env \
WAYLAND_DISPLAY=wayland-3 \
DISPLAY=:3 \
ledger-live-desktop
'';
syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" ''
ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384
'';
rperf = craneLib.buildPackage {
src = inputs.rperf;
nativeBuildInputs = [ pkgs.pkg-config ];
buildInputs = [ ];
};
x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" { } ''
mkdir -p $out/lib/firmware/qca
cp -v ${self}/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw $out/lib/firmware/qca/hpnv21.bin
cp -v ${inputs.x13s-bt-firmware} $out/lib/firmware/qca//hpbtfw21.tlv
'';
x13s-ath11k-firmware = pkgs.runCommand "x13s-ath11k-firmware-before" { } ''
mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/
cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/
cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/
'';
};
formatter =
let
settingsNix = {
projectRootFile = ".git/config";
package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2;
programs = {
nixfmt.enable = true;
deadnix.enable = true;
statix.enable = true;
shfmt.enable = true;
shellcheck.enable = true;
prettier.enable = true;
} // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; };
settings = {
global.excludes = [
"LICENSE"
"secrets/"
".git-crypt/"
# unsupported extensions
"*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}"
];
formatter = {
deadnix = {
priority = 1;
};
nixfmt = {
priority = 2;
};
statix = {
priority = 3;
};
prettier = {
options = [
"--tab-width"
"2"
];
includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ];
};
};
};
};
eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix;
in
eval.config.build.wrapper.overrideAttrs (_: {
passthru = {
inherit (eval.config) package settings;
};
});
devShells =
let
all = import ./nix/devShells.nix {
inherit
self
self'
inputs'
pkgs
;
};
in
all // { default = all.develop; };
};
}
);
} }
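Review bot: In the new `formatter` block, `shellcheck.enable = true;` is set unconditionally inside `programs` and then again under `pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux")`, so the platform guard never has any effect. Drop the unconditional line and keep only the guarded one if shellcheck is meant to be skipped on riscv64-linux; otherwise drop the `optionalAttrs` merge so the intent is unambiguous. Unrelated to formatting, the `crane` input loses `inputs.nixpkgs.follows = "nixpkgs"` in the first hunk; if crane still declares a nixpkgs input this pulls in a second nixpkgs evaluation, and either way the change would be easier to review and revert in its own commit.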


@ -1,6 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
[ ! -z "$NAME" ] [ -n "$NAME" ]
nix-build . --show-trace -A "$NAME" nix-build . --show-trace -A "$NAME"
docker image rm "$NAME":latest --force docker image rm "$NAME":latest --force
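Review bot: With `set -e` in effect, the rewritten `[ -n "$NAME" ]` aborts the script silently when `NAME` is unset, leaving no hint of why it stopped; `: "${NAME:?NAME must be set}"` performs the same check and prints a message on failure. The `-n` form itself is the right replacement for `! -z`.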


@ -1,6 +1,10 @@
{pkgs ? import <nixpkgs> {}}: let {
baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; pkgs ? import <nixpkgs> { },
in rec { }:
let
baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
in
rec {
base = pkgs.dockerTools.buildImage rec { base = pkgs.dockerTools.buildImage rec {
name = "base"; name = "base";
@ -21,59 +25,70 @@ in rec {
interactive_base = pkgs.dockerTools.buildImage { interactive_base = pkgs.dockerTools.buildImage {
name = "interactive_base"; name = "interactive_base";
fromImage = base; fromImage = base;
contents = with pkgs; [procps zsh coreutils neovim]; contents = with pkgs; [
procps
zsh
coreutils
neovim
];
config = {Cmd = ["/bin/zsh"];}; config = {
Cmd = [ "/bin/zsh" ];
};
}; };
s3ql = let s3ql =
entrypoint = pkgs.writeScript "entrypoint" '' let
#!${pkgs.stdenv.shell} entrypoint = pkgs.writeScript "entrypoint" ''
#!${pkgs.stdenv.shell}
if [ -z "$S3QL_BUCKET" ]; then if [ -z "$S3QL_BUCKET" ]; then
echo S3QL_BUCKET not set echo S3QL_BUCKET not set
exit 1 exit 1
fi fi
if [ -z "$S3QL_STORAGE_URL" ]; then if [ -z "$S3QL_STORAGE_URL" ]; then
echo S3QL_STORAGE_URL not set echo S3QL_STORAGE_URL not set
exit 1 exit 1
fi fi
if [ -z "$S3QL_CACHESIZE" ]; then if [ -z "$S3QL_CACHESIZE" ]; then
echo S3QL_CACHESIZE not set echo S3QL_CACHESIZE not set
exit 1 exit 1
fi fi
set -x set -x
if [ "$S3QL_SKIP_FSCK" != "1" ]; then if [ "$S3QL_SKIP_FSCK" != "1" ]; then
fsck.s3ql \ fsck.s3ql \
--authfile $S3QL_AUTHINFO2 \ --authfile $S3QL_AUTHINFO2 \
--log none \
--cachedir $S3QL_CACHE_DIR \
$S3QL_STORAGE_URL
fi
exec mount.s3ql \
--cachedir "$S3QL_CACHE_DIR" \
--authfile "$S3QL_AUTHINFO2" \
--cachesize "$S3QL_CACHESIZE" \
--fg \
--compress lzma-6 \
--threads 4 \
--log none \ --log none \
--cachedir $S3QL_CACHE_DIR \ --allow-root \
$S3QL_STORAGE_URL "$S3QL_STORAGE_URL" \
fi /bucket
exec mount.s3ql \ # FIXME: touch .isbucket after mount
--cachedir "$S3QL_CACHE_DIR" \ '';
--authfile "$S3QL_AUTHINFO2" \ in
--cachesize "$S3QL_CACHESIZE" \
--fg \
--compress lzma-6 \
--threads 4 \
--log none \
--allow-root \
"$S3QL_STORAGE_URL" \
/bucket
# FIXME: touch .isbucket after mount
'';
in
pkgs.dockerTools.buildImage { pkgs.dockerTools.buildImage {
name = "s3ql"; name = "s3ql";
fromImage = interactive_base; fromImage = interactive_base;
contents = [pkgs.s3ql pkgs.fuse]; contents = [
pkgs.s3ql
pkgs.fuse
];
runAsRoot = '' runAsRoot = ''
#!${pkgs.stdenv.shell} #!${pkgs.stdenv.shell}
@ -84,57 +99,58 @@ in rec {
''; '';
config = { config = {
Env = Env = baseEnv ++ [
baseEnv "HOME=/home/s3ql"
++ [ "S3QL_CACHE_DIR=/var/cache/s3ql"
"HOME=/home/s3ql" "S3QL_AUTHINFO2=/etc/s3ql/authinfo2"
"S3QL_CACHE_DIR=/var/cache/s3ql" "CONTAINER_ENTRYPOINT=${entrypoint}"
"S3QL_AUTHINFO2=/etc/s3ql/authinfo2" ];
"CONTAINER_ENTRYPOINT=${entrypoint}" Cmd = [ entrypoint ];
];
Cmd = [entrypoint];
Volumes = { Volumes = {
"/var/cache/s3ql" = {}; "/var/cache/s3ql" = { };
"/etc/s3ql/authinfo2" = {}; "/etc/s3ql/authinfo2" = { };
"/buckets" = {}; "/buckets" = { };
"/tmp" = {}; "/tmp" = { };
}; };
}; };
}; };
syncthing = let syncthing =
entrypoint = pkgs.writeScript "entrypoint" '' let
#!${pkgs.stdenv.shell} entrypoint = pkgs.writeScript "entrypoint" ''
set -x #!${pkgs.stdenv.shell}
if [ ! -e /data/.isbucket ]; then set -x
echo ERROR: Bucket not mounted at /data if [ ! -e /data/.isbucket ]; then
exit 1 echo ERROR: Bucket not mounted at /data
fi exit 1
fi
if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then
echo ERROR: SYNCTHING_GUI_ADDRESS is not set echo ERROR: SYNCTHING_GUI_ADDRESS is not set
exit 1 exit 1
fi fi
if [ ! -w "$SYNCTHING_HOME" ]; then if [ ! -w "$SYNCTHING_HOME" ]; then
echo ERROR : SYNCTHING_HOME is not writable echo ERROR : SYNCTHING_HOME is not writable
fi fi
exec syncthing \ exec syncthing \
-home $SYNCTHING_HOME \ -home $SYNCTHING_HOME \
-gui-address=$SYNCTHING_GUI_ADDRESS \ -gui-address=$SYNCTHING_GUI_ADDRESS \
-no-browser -no-browser
''; '';
in in
pkgs.dockerTools.buildImage { pkgs.dockerTools.buildImage {
name = "syncthing"; name = "syncthing";
fromImage = interactive_base; fromImage = interactive_base;
contents = pkgs.syncthing; contents = pkgs.syncthing;
config = { config = {
Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"]; Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ];
Cmd = [entrypoint]; Cmd = [ entrypoint ];
Volumes = {"/data" = {};}; Volumes = {
"/data" = { };
};
}; };
}; };
} }
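Review bot: In the syncthing entrypoint script, the `[ ! -w "$SYNCTHING_HOME" ]` branch only echoes an error and then falls through to `exec syncthing`, unlike the other checks in the same script which `exit 1`; add `exit 1` after the echo so an unwritable home fails fast instead of surfacing as a later startup error. In the s3ql entrypoint, `fsck.s3ql` is called with unquoted `$S3QL_AUTHINFO2`, `$S3QL_CACHE_DIR` and `$S3QL_STORAGE_URL` while the following `mount.s3ql` quotes the same variables; quoting them consistently avoids word-splitting on paths containing spaces. Neither script body is reached by the shellcheck formatter this commit enables, since it lives inside a Nix string literal rather than a shell file, so these have to be caught by hand.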


@ -1,26 +1,34 @@
{versionsPath}: let { versionsPath }:
let
channelVersions = import versionsPath; channelVersions = import versionsPath;
mkChannelSource = name: let mkChannelSource =
channelVersion = builtins.getAttr name channelVersions; name:
in let
channelVersion = builtins.getAttr name channelVersions;
in
builtins.fetchGit { builtins.fetchGit {
# Descriptive name to make the store path easier to identify # Descriptive name to make the store path easier to identify
inherit name; inherit name;
inherit (channelVersion) url ref rev; inherit (channelVersion) url ref rev;
}; };
nixPath = builtins.concatStringsSep ":" (builtins.map nixPath = builtins.concatStringsSep ":" (
(elemName: let builtins.map (
elem = builtins.getAttr elemName channelVersions; elemName:
elemPath = mkChannelSource elemName; let
suffix = elem = builtins.getAttr elemName channelVersions;
if builtins.hasAttr "suffix" elem elemPath = mkChannelSource elemName;
then elem.suffix suffix = if builtins.hasAttr "suffix" elem then elem.suffix else "";
else ""; in
in builtins.concatStringsSep "=" [
builtins.concatStringsSep "=" [elemName elemPath] + suffix) elemName
(builtins.attrNames channelVersions)); elemPath
pkgs = import (mkChannelSource "nixpkgs") {}; ]
in { + suffix
) (builtins.attrNames channelVersions)
);
pkgs = import (mkChannelSource "nixpkgs") { };
in
{
inherit nixPath; inherit nixPath;
channelSources = pkgs.writeText "channels.rc" '' channelSources = pkgs.writeText "channels.rc" ''
export NIX_PATH=${nixPath} export NIX_PATH=${nixPath}


@ -3,9 +3,8 @@
self', self',
inputs', inputs',
pkgs, pkgs,
}: let }:
pkgsUnstable = inputs'.nixpkgs-unstable.legacyPackages; {
in {
install = pkgs.mkShell { install = pkgs.mkShell {
name = "infra-install"; name = "infra-install";
packages = with pkgs; [ packages = with pkgs; [
@ -20,11 +19,9 @@ in {
develop = pkgs.mkShell { develop = pkgs.mkShell {
name = "infra-develop"; name = "infra-develop";
inputsFrom = [ inputsFrom = [ self'.devShells.install ];
self'.devShells.install
];
packages = with pkgs; [ packages = with pkgs; [
self'.formatter self'.formatter # .package
inputs'.colmena.packages.colmena inputs'.colmena.packages.colmena
dconf2nix dconf2nix
inputs'.nixos-anywhere.packages.nixos-anywhere inputs'.nixos-anywhere.packages.nixos-anywhere
@ -92,6 +89,15 @@ in {
# Set Environment Variables # Set Environment Variables
RUST_BACKTRACE = 1; RUST_BACKTRACE = 1;
KANIDM_URL = self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin; KANIDM_URL =
self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
shellHook =
(self.inputs.nixago.lib.${pkgs.system}.make {
data = self'.formatter.settings;
output = "treefmt.toml";
format = "toml";
}).shellHook
+ '''';
}; };
} }
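Review bot: The `+ ''''` appended to the nixago `shellHook` concatenates an empty indented string and is a no-op; either drop it so the hook reads `shellHook = (self.inputs.nixago.lib.${pkgs.system}.make { ... }).shellHook;` or, if it is a placeholder for further hook lines, say so in a comment. The hook also has a side effect that is not obvious from the devshell definition: entering the shell (re)writes `treefmt.toml` into the working tree from `self'.formatter.settings`, so a comment such as `# generates treefmt.toml in the repo root on shell entry; keep it out of git` would save someone from committing the generated file. The enclosing `develop = pkgs.mkShell { ... }` attrset starts outside this hunk.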


@ -5,13 +5,14 @@
# these come in via home-manager.extraSpecialArgs and are specific to each node # these come in via home-manager.extraSpecialArgs and are specific to each node
nodeFlake, nodeFlake,
repoFlake, repoFlake,
packages',
... ...
}: let }:
let
pkgsUnstable = pkgsUnstable =
pkgs.pkgsUnstable pkgs.pkgsUnstable
or (import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config overlays;}); or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; });
in { in
{
imports = [ imports = [
../profiles/common.nix ../profiles/common.nix
# ../profiles/dotfiles.nix # ../profiles/dotfiles.nix
@ -34,18 +35,18 @@ in {
../programs/libreoffice.nix ../programs/libreoffice.nix
../programs/neovim.nix ../programs/neovim.nix
../programs/vscode ../programs/vscode
{ { home.packages = [ pkgsUnstable.markdown-oxide ]; }
home.packages = [
pkgsUnstable.markdown-oxide
];
}
]; ];
home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.HM_CONFIG = "graphical-fullblown";
home.sessionVariables.GOPATH = "$HOME/src/go"; home.sessionVariables.GOPATH = "$HOME/src/go";
home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [
"$HOME/.local/bin"
"$PATH"
];
nixpkgs.config.allowInsecurePredicate = pkg: nixpkgs.config.allowInsecurePredicate =
pkg:
builtins.elem (lib.getName pkg) [ builtins.elem (lib.getName pkg) [
"electron-28.3.3" "electron-28.3.3"
"electron-27.3.11" "electron-27.3.11"
@ -68,8 +69,7 @@ in {
# ]; # ];
home.packages = home.packages =
[] (with pkgs; [
++ (with pkgs; [
# Authentication # Authentication
# cacert # cacert
# fprintd # fprintd
@ -246,19 +246,15 @@ in {
# libretro.snes9x2010 # libretro.snes9x2010
# retroarchFull # retroarchFull
( (pkgs.logseq.overrideAttrs (
pkgs.logseq.overrideAttrs ( attrs:
attrs: lib.attrsets.recursiveUpdate attrs (
lib.attrsets.recursiveUpdate lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 {
attrs src = repoFlake.inputs.logseq_0_10_9_aarch64_appimage;
( meta.platforms = [ "aarch64-linux" ];
lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { }
src = repoFlake.inputs.logseq_0_10_9_aarch64_appimage;
meta.platforms = ["aarch64-linux"];
}
)
) )
) ))
# ( # (
# pkgsUnstable.callPackage (repoFlake + "/nix/pkgs/logseq") # pkgsUnstable.callPackage (repoFlake + "/nix/pkgs/logseq")
@ -267,8 +263,7 @@ in {
# }) # })
# ) # )
]) ])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ])
])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
pkgsUnstable.ledger-live-desktop pkgsUnstable.ledger-live-desktop


@ -1,13 +1,8 @@
{ pkgs, ... }:
{ {
pkgs, home.packages = with pkgs; [
config, gnome.gnome-tweaks
... gnome.gnome-keyring
}: { gnome.seahorse
home.packages = ];
[]
++ (with pkgs; [
gnome.gnome-tweaks
gnome.gnome-keyring
gnome.seahorse
]);
} }


@ -1,8 +1,5 @@
{ pkgs, ... }:
{ {
pkgs,
config,
...
}: {
imports = [ imports = [
../profiles/common.nix ../profiles/common.nix
../profiles/qtile-desktop.nix ../profiles/qtile-desktop.nix
@ -16,89 +13,87 @@
../programs/pass.nix ../programs/pass.nix
]; ];
home.packages = home.packages = with pkgs; [
[] # Nix package related tools
++ (with pkgs; [ patchelf
# Nix package related tools nix-index
patchelf nix-prefetch-scripts
nix-index
nix-prefetch-scripts
# Version Control Systems # Version Control Systems
gitless gitless
# Process/System Administration # Process/System Administration
htop htop
gnome.gnome-tweaks gnome.gnome-tweaks
xorg.xhost xorg.xhost
dmidecode dmidecode
evtest evtest
# Archive Managers # Archive Managers
sshfs-fuse sshfs-fuse
xarchive xarchive
p7zip p7zip
zip zip
unzip unzip
gzip gzip
lzop lzop
# Password Management # Password Management
gnome.gnome-keyring gnome.gnome-keyring
gnome.seahorse gnome.seahorse
# Remote Control Tools # Remote Control Tools
remmina remmina
freerdp freerdp
# Network Tools # Network Tools
openvpn openvpn
tcpdump tcpdump
iftop iftop
iperf iperf
bind bind
socat socat
# samba # samba
iptables iptables
nftables nftables
wireshark wireshark
# Code Editors # Code Editors
xclip xclip
xsel xsel
# Image/Graphic/Design Tools # Image/Graphic/Design Tools
gnome.eog gnome.eog
gimp gimp
inkscape inkscape
# Misc Development Tools # Misc Development Tools
qrcode qrcode
jq jq
cdrtools cdrtools
# Document Processing and Management # Document Processing and Management
zathura zathura
# File Synchronzation # File Synchronzation
rsync rsync
# Filesystem Tools # Filesystem Tools
ntfs3g ntfs3g
ddrescue ddrescue
ncdu ncdu
woeusb woeusb
unetbootin unetbootin
pcmanfm pcmanfm
hdparm hdparm
testdisk testdisk
binwalk binwalk
gptfdisk gptfdisk
packages'.myPython packages'.myPython
# Virtualization # Virtualization
virtmanager virtmanager
]); ];
} }
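Review bot: `packages'.myPython` near the end of the package list is not bound by the argument pattern `{ pkgs, ... }:` — the `...` admits extra arguments but does not bring them into scope — so the name only resolves if `with pkgs;` happens to find a `packages'` attribute inside pkgs. The old pattern `{ pkgs, config, ... }:` did not bind it either, so this is pre-existing rather than introduced here, but the commit is tightening argument patterns in the sibling files and this one looks like it should read `{ pkgs, packages', ... }:` if `packages'` is passed in via extraSpecialArgs as the sibling file's header comment suggests. Worth confirming by evaluating this profile.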


@ -1,14 +1,19 @@
{}: let _: {
in { mkSimpleTrayService =
mkSimpleTrayService = {execStart}: { { execStart }:
Unit = { {
Description = ""; Unit = {
After = ["graphical-session-pre.target"]; Description = "";
PartOf = ["graphical-session.target"]; After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
};
Install = {
WantedBy = [ "graphical-session.target" ];
};
Service = {
ExecStart = execStart;
};
}; };
Install = {WantedBy = ["graphical-session.target"];};
Service = {ExecStart = execStart;};
};
} }
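Review bot: Replacing the `{}:` pattern with `_:` changes the function's contract, not just its formatting: `{}` rejected any attribute passed to `import ../lib.nix`, whereas `_:` silently accepts anything. If the strictness was intentional, keep `{ }:`; if not, a comment stating that the argument is ignored would make the choice deliberate. Separately, `Description = ""` yields systemd user units with an empty description, so `mkSimpleTrayService` might take the description as a second argument or at least document that callers get an unnamed unit.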


@ -1,8 +1,5 @@
{ pkgs, lib, ... }:
{ {
pkgs,
lib,
...
}: {
home.stateVersion = lib.mkDefault "23.11"; home.stateVersion = lib.mkDefault "23.11";
# TODO: re-enable this with the appropriate version? # TODO: re-enable this with the appropriate version?
@ -15,7 +12,8 @@
allowUnfree = true; allowUnfree = true;
allowUnsupportedSystem = true; allowUnsupportedSystem = true;
allowInsecurePredicate = pkg: allowInsecurePredicate =
pkg:
builtins.elem (lib.getName pkg) [ builtins.elem (lib.getName pkg) [
"electron-28.3.3" "electron-28.3.3"
"electron-27.3.11" "electron-27.3.11"
@ -28,7 +26,8 @@
"electron" "electron"
]; ];
allowUnfreePredicate = pkg: allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [ builtins.elem (lib.getName pkg) [
"obsidian" "obsidian"
"vivaldi" "vivaldi"
@ -56,47 +55,45 @@
programs.command-not-found.enable = true; programs.command-not-found.enable = true;
programs.fzf.enable = true; programs.fzf.enable = true;
home.packages = home.packages = with pkgs; [
[] coreutils
++ (with pkgs; [
coreutils
vcsh vcsh
htop htop
iperf3 iperf3
nethogs nethogs
# Authentication # Authentication
cacert cacert
openssl openssl
mkpasswd mkpasswd
just just
ripgrep ripgrep
du-dust du-dust
elfutils elfutils
exfat exfat
file file
tree tree
pwgen pwgen
proot proot
parted parted
pv pv
tmux tmux
wget wget
curl curl
# git helpers # git helpers
git-crypt git-crypt
gitFull gitFull
pastebinit pastebinit
gist gist
mr mr
usbutils usbutils
pciutils pciutils
]); ];
} }
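Review bot: The bare `"electron"` entry in `allowInsecurePredicate` matches every electron release that nixpkgs flags as insecure, because `lib.getName` strips the version before the `builtins.elem` check; this makes the explicit `"electron-28.3.3"` and `"electron-27.3.11"` entries redundant and means any future EOL electron is allowed without anyone noticing. I would drop `"electron"` and keep only the version-pinned entries, each with a comment naming the package that still depends on it, e.g. `"electron-28.3.3" # needed by <app>, drop once it moves to a supported electron`. This list is pre-existing, but the reformat is a good moment to tighten it.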


@ -1,45 +1,4 @@
{ _: {
repoFlake,
pkgs,
config,
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
...
}: let
repoBareLocal =
pkgs.runCommand "fetchbare"
{
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000";
} ''
(
set -xe
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
)
'';
vcshActivationScript = pkgs.writeScript "activation-script" ''
export HOST=$(hostname -s)
function set_remotes {
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
}
if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
echo Cloning dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
set_remotes ${repoHttps} ${repoSsh}
else
set_remotes ${repoBareLocal} ${repoSsh}
echo Updating dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh pull $HOST || true
set_remotes ${repoHttps} ${repoSsh}
fi
'';
in {
# TODO: fix the dotfiles # TODO: fix the dotfiles
# home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
# $DRY_RUN_CMD ${vcshActivationScript} # $DRY_RUN_CMD ${vcshActivationScript}
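Review bot: After this deletion the commented-out `home.activation.vcsh` block still refers to `vcshActivationScript`, which no longer exists in this file, so re-enabling it as-is would fail to evaluate. Either point the comment at where the activation script now lives, e.g. `# activation script moved to the sibling activation-script module; import it here before re-enabling`, or drop the stale comment along with the code. Note that the sibling file keeps the same `repoBareLocal` derivation with the all-zero `outputHash` placeholder, which cannot build as written.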


@ -3,38 +3,40 @@
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
... ...
}: let }:
let
repoBareLocal = repoBareLocal =
pkgs.runCommand "fetchbare" pkgs.runCommand "fetchbare"
{ {
outputHashMode = "recursive"; outputHashMode = "recursive";
outputHashAlgo = "sha256"; outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000"; outputHash = "0000000000000000000000000000000000000000000000000000";
} '' }
( ''
set -xe (
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt set -xe
export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
${pkgs.git}/bin/git clone --mirror ${repoHttps} $out export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
) ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
''; )
'';
in in
pkgs.writeScript "activation-script" '' pkgs.writeScript "activation-script" ''
export HOST=$(hostname -s) export HOST=$(hostname -s)
function set_remotes { function set_remotes {
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
} }
if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
echo Cloning dotfiles for $HOST... echo Cloning dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
set_remotes ${repoHttps} ${repoSsh} set_remotes ${repoHttps} ${repoSsh}
else else
set_remotes ${repoBareLocal} ${repoSsh} set_remotes ${repoBareLocal} ${repoSsh}
echo Updating dotfiles for $HOST... echo Updating dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh pull $HOST || true ${pkgs.vcsh}/bin/vcsh pull $HOST || true
set_remotes ${repoHttps} ${repoSsh} set_remotes ${repoHttps} ${repoSsh}
fi fi
'' ''


@ -1,16 +1,6 @@
{ packages', ... }:
{ {
pkgs, imports = [ ../profiles/wayland-desktop.nix ];
config,
lib,
nodeFlake,
packages',
...
}: let
pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {};
in {
imports = [
../profiles/wayland-desktop.nix
];
home.packages = [ home.packages = [
# experimental WMs # experimental WMs


@ -1,13 +1,6 @@
{ pkgs, ... }:
{ {
pkgs, imports = [ ../profiles/wayland-desktop.nix ];
config,
lib,
...
}: let
in {
imports = [
../profiles/wayland-desktop.nix
];
services = { services = {
gnome-keyring.enable = false; gnome-keyring.enable = false;
@ -25,85 +18,83 @@ in {
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
dconf.settings = let dconf.settings =
manualKeybindings = [ let
{ manualKeybindings = [
binding = "Print"; {
command = "flameshot gui"; binding = "Print";
name = "flameshot"; command = "flameshot gui";
} name = "flameshot";
}
{ {
binding = "<Super>t"; binding = "<Super>t";
command = "alacritty"; command = "alacritty";
name = "alacritty"; name = "alacritty";
} }
]; ];
numWorkspaces = 10; numWorkspaces = 10;
customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
customKeybindingsNames = customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") (
builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace
(
(builtins.length manualKeybindings)
+ numWorkspaces # for sending to the workspace
); );
workspacesKeyBindingsOffset = builtins.length manualKeybindings; workspacesKeyBindingsOffset = builtins.length manualKeybindings;
# with this we can make use of all number keys [0-9] # with this we can make use of all number keys [0-9]
mapToNumber = i: mapToNumber =
if i < 10 i:
then i if i < 10 then
else if i == 10 i
then 0 else if i == 10 then
else throw "i exceeds 10: ${i}"; 0
in else
throw "i exceeds 10: ${i}";
in
{ {
"org/gnome/settings-daemon/plugins/media-keys" = { "org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = customKeybindingsNames; custom-keybindings = customKeybindingsNames;
screenreader = "@as []"; screenreader = "@as []";
screensaver = ["<Alt><Super>l"]; screensaver = [ "<Alt><Super>l" ];
}; };
# disable the builtin <Super>[1-9] functionality # disable the builtin <Super>[1-9] functionality
"org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList "org/gnome/shell/keybindings" = builtins.listToAttrs (
(i: { (builtins.genList (i: {
name = "switch-to-application-${toString (i + 1)}"; name = "switch-to-application-${toString (i + 1)}";
value = []; value = [ ];
}) }) numWorkspaces)
numWorkspaces)
++ [ ++ [
{ {
name = "toggle-overview"; name = "toggle-overview";
value = []; value = [ ];
} }
]); ]
);
# remap it to switching to the workspaces # remap it to switching to the workspaces
"org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (
(i: { builtins.genList (i: {
name = "switch-to-workspace-${toString (i + 1)}"; name = "switch-to-workspace-${toString (i + 1)}";
value = [ value = [ "<Super>${toString (mapToNumber (i + 1))}" ];
"<Super>${toString (mapToNumber (i + 1))}" }) numWorkspaces
]; );
})
numWorkspaces);
} }
// builtins.listToAttrs (builtins.genList // builtins.listToAttrs (
(i: { builtins.genList (i: {
name = "${customKeybindingBaseName}${toString i}"; name = "${customKeybindingBaseName}${toString i}";
value = builtins.elemAt manualKeybindings i; value = builtins.elemAt manualKeybindings i;
}) }) (builtins.length manualKeybindings)
(builtins.length manualKeybindings)) )
// builtins.listToAttrs (builtins.genList // builtins.listToAttrs (
(i: { builtins.genList (i: {
name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}";
value = { value = {
binding = "<Control><Super>${toString (mapToNumber (i + 1))}"; binding = "<Control><Super>${toString (mapToNumber (i + 1))}";
command = "wmctrl -r :ACTIVE: -t ${toString i}"; command = "wmctrl -r :ACTIVE: -t ${toString i}";
name = "Send to workspace ${toString (i + 1)}"; name = "Send to workspace ${toString (i + 1)}";
}; };
}) }) numWorkspaces
numWorkspaces); );
} }
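Review bot: `throw "i exceeds 10: ${i}"` in `mapToNumber` cannot produce its message: `i` is an integer and Nix string interpolation does not coerce integers, so hitting that branch fails with a coercion error instead of the intended diagnostic. The fix is `throw "i exceeds 10: ${toString i}";`. This is reachable only if `numWorkspaces` is ever raised above 10, which is presumably why it has gone unnoticed; the `let` binding it sits in starts inside this hunk.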


@ -1,28 +1,22 @@
{ pkgs, config, ... }:
{ {
pkgs,
config,
...
}: let
in {
home.file.".nix-channels".text = ""; home.file.".nix-channels".text = "";
home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] ''
$DRY_RUN_CMD ${ $DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
pkgs.writeScript "activation-script" '' set -ex
set -ex if test -f $HOME/.nix-channels; then
if test -f $HOME/.nix-channels; then echo Uninstalling available channels...
echo Uninstalling available channels... if test -f $HOME/.nix-channel; then
if test -f $HOME/.nix-channel; then while read url channel; do
while read url channel; do nix-channel --remove $channel
nix-channel --remove $channel done < $HOME/.nix-channel
done < $HOME/.nix-channel
fi
echo Moving existing file away...
touch $HOME/.nix-channels.dummy
mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
rm $HOME/.nix-channels
fi fi
'' echo Moving existing file away...
}; touch $HOME/.nix-channels.dummy
mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
rm $HOME/.nix-channels
fi
''};
''; '';
} }
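Review bot: The inner guard and the redirect read `$HOME/.nix-channel` (singular) while the outer guard tests `$HOME/.nix-channels` (plural), which is the file nix-channel actually maintains; unless the singular name is intentional, the `nix-channel --remove` loop never runs and the channels are only moved aside rather than unregistered. I would change both occurrences to `if test -f $HOME/.nix-channels; then` and `done < $HOME/.nix-channels`. Quoting `"$HOME"` throughout would also be prudent since the script runs with `set -ex`.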


@ -1,14 +1,14 @@
{ { pkgs, ... }:
pkgs, let
config,
...
}: let
inherit (import ../lib.nix {}) mkSimpleTrayService;
audio = pkgs.writeShellScript "audio" '' audio = pkgs.writeShellScript "audio" ''
export PATH=${ export PATH=${
with pkgs; with pkgs;
lib.makeBinPath [pulseaudio findutils gnugrep] lib.makeBinPath [
pulseaudio
findutils
gnugrep
]
}:$PATH }:$PATH
export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute
@ -33,7 +33,7 @@
terminalCommand = "${pkgs.alacritty}/bin/alacritty"; terminalCommand = "${pkgs.alacritty}/bin/alacritty";
dpmsScript = pkgs.writeShellScript "dpmsScript" '' dpmsScript = pkgs.writeShellScript "dpmsScript" ''
export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH
set -xe set -xe
@ -56,7 +56,7 @@
''; '';
screenLockCommand = pkgs.writeShellScript "screenLock" '' screenLockCommand = pkgs.writeShellScript "screenLock" ''
export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH
revert() { revert() {
${dpmsScript} default ${dpmsScript} default
@ -251,7 +251,8 @@
def print_new_window(window): def print_new_window(window):
print("new window: ", window) print("new window: ", window)
''; '';
in { in
{
services = { services = {
gnome-keyring.enable = true; gnome-keyring.enable = true;
blueman-applet.enable = true; blueman-applet.enable = true;
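Review bot: The `audio` helper stores its mute state at `''${TEMPDIR:-/tmp}/.qtilemute`, a predictable path in a shared directory, so another local user can pre-create it and influence what the script reads or writes; `$XDG_RUNTIME_DIR` is per-user and the usual home for this kind of state. This is a context line rather than something the commit changed, but a one-line change like `export MUTEFILE=''${XDG_RUNTIME_DIR:-''${TEMPDIR:-/tmp}}/.qtilemute` would close it. The remainder of the `audio` script body is outside this hunk.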


@ -1,35 +1,35 @@
/* /*
TODO: create helper scripts for sharing of a screen portion TODO: create helper scripts for sharing of a screen portion
``` ```
# this will create a new output named HEADLESS-<n>. <n> increments by 1 with each invocation even if the output is `unplug`ged. # this will create a new output named HEADLESS-<n>. <n> increments by 1 with each invocation even if the output is `unplug`ged.
swaymsg create_output swaymsg create_output
# find the name and the workspace number # find the name and the workspace number
swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)'
swaymsg output HEADLESS-1 mode 1920@108060Hz swaymsg output HEADLESS-1 mode 1920@108060Hz
# mirror the headless workspace on the current one # mirror the headless workspace on the current one
nix run nixpkgs\#wl-mirror -- HEADLESS-1 nix run nixpkgs\#wl-mirror -- HEADLESS-1
# shift windows to the workspace and switch the focus to it # shift windows to the workspace and switch the focus to it
*/ */
{ {
pkgs, pkgs,
config, config,
lib, lib,
# packages', # packages',
repoFlakeInputs',
... ...
}: let }:
inherit (import ../lib.nix {}) mkSimpleTrayService; let
lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'";
displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
in { in
{
imports = [ imports = [
../profiles/wayland-desktop.nix ../profiles/wayland-desktop.nix
../programs/waybar.nix ../programs/waybar.nix
@ -98,112 +98,121 @@ in {
systemd.enable = true; systemd.enable = true;
xwayland = false; xwayland = false;
config = let config =
modifier = "Mod4"; let
inherit (config.wayland.windowManager.sway.config) left right up down; modifier = "Mod4";
in { inherit (config.wayland.windowManager.sway.config)
inherit modifier; left
bars = []; right
up
down
;
in
{
inherit modifier;
bars = [ ];
input = { input = {
"type:keyboard" = "type:keyboard" =
{ {
xkb_layout = config.home.keyboard.layout; xkb_layout = config.home.keyboard.layout;
xkb_variant = config.home.keyboard.variant; xkb_variant = config.home.keyboard.variant;
} }
// lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) { // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) {
xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
};
"type:touchpad" = {
natural_scroll = "enabled";
}; };
"type:touchpad" = { # alternatively run this command
natural_scroll = "enabled"; # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative"
# and then switch to a different VT (alt+ctrl+f2) and back
"1386:914:Wacom_Intuos_Pro_S_Pen" = {
tool_mode = "* relative";
};
}; };
# alternatively run this command keybindings = lib.mkOptionDefault {
# swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
# and then switch to a different VT (alt+ctrl+f2) and back # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
"1386:914:Wacom_Intuos_Pro_S_Pen" = { "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
tool_mode = "* relative";
# only 1-9 exist on the default config
"${modifier}+0" = "workspace number 0";
"${modifier}+Shift+0" = "move container to workspace number 0";
# disable splitting for now as i sometimes trigger it accidentally and then get stuck with it
"${modifier}+b" = "nop";
"${modifier}+v" = "nop";
# move workspace to output
"${modifier}+Control+Shift+${left}" = "move workspace to output left";
"${modifier}+Control+Shift+${right}" = "move workspace to output right";
"${modifier}+Control+Shift+${up}" = "move workspace to output up";
"${modifier}+Control+Shift+${down}" = "move workspace to output down";
# move workspace to output with arrow keys
"${modifier}+Control+Shift+Left" = "move workspace to output left";
"${modifier}+Control+Shift+Right" = "move workspace to output right";
"${modifier}+Control+Shift+Up" = "move workspace to output up";
"${modifier}+Control+Shift+Down" = "move workspace to output down";
# TODO: i've been hitting this one accidentally way too often. find a better place.
# "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
"${modifier}+q" = "kill";
"${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
"${modifier}+x" = "exec ${swapOutputWorkspaces}";
"${modifier}+Ctrl+l" = "exec ${lockCmd}";
"--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
"XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
"XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
"XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
"XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
"--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
"Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
}; };
terminal = "alacritty";
startup =
[
{
command = builtins.toString (
pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
) &
''
);
}
]
++ lib.optionals config.services.swayidle.enable [
{
command = builtins.toString (
pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart swayidle
) &
''
);
}
];
colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; };
window.titlebar = false;
window.border = 4;
# this maps to focus_on_window_activation
focus.newWindow = "urgent";
}; };
keybindings = lib.mkOptionDefault {
# as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
# "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
"${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
# only 1-9 exist on the default config
"${modifier}+0" = "workspace number 0";
"${modifier}+Shift+0" = "move container to workspace number 0";
# disable splitting for now as i sometimes trigger it accidentally and then get stuck with it
"${modifier}+b" = "nop";
"${modifier}+v" = "nop";
# move workspace to output
"${modifier}+Control+Shift+${left}" = "move workspace to output left";
"${modifier}+Control+Shift+${right}" = "move workspace to output right";
"${modifier}+Control+Shift+${up}" = "move workspace to output up";
"${modifier}+Control+Shift+${down}" = "move workspace to output down";
# move workspace to output with arrow keys
"${modifier}+Control+Shift+Left" = "move workspace to output left";
"${modifier}+Control+Shift+Right" = "move workspace to output right";
"${modifier}+Control+Shift+Up" = "move workspace to output up";
"${modifier}+Control+Shift+Down" = "move workspace to output down";
# TODO: i've been hitting this one accidentally way too often. find a better place.
# "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
"${modifier}+q" = "kill";
"${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
"${modifier}+x" = "exec ${swapOutputWorkspaces}";
"${modifier}+Ctrl+l" = "exec ${lockCmd}";
"--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
"XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
"XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
"XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
"XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
"--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
"Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
};
terminal = "alacritty";
startup =
[
{
command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
) &
'');
}
]
++ lib.optionals config.services.swayidle.enable [
{
command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart swayidle
) &
'');
}
];
colors.focused = lib.mkOptionDefault {
childBorder = lib.mkForce "#ffa500";
};
window.titlebar = false;
window.border = 4;
# this maps to focus_on_window_activation
focus.newWindow = "urgent";
};
}; };
services.swayidle = { services.swayidle = {
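Review bot: The file-header comment's example `swaymsg output HEADLESS-1 mode 1920@108060Hz` looks garbled — it reads as if an `x` and a space were lost from `1920x1080@60Hz`, and someone following the TODO will paste an invalid mode. Since this is a doc-only fix I would just correct the line to `swaymsg output HEADLESS-1 mode 1920x1080@60Hz`. Elsewhere in the hunk the `"${modifier}+Shift+q"` binding pipes `swaymsg -t get_tree` through `jq` into `xargs kill -9`; a short comment stating that it force-kills the focused window's process would help, since it looks like a close-window binding at first glance.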

View file

@ -1,16 +1,14 @@
{ {
pkgs, pkgs,
config,
lib, lib,
repoFlake, repoFlake,
nodeFlake,
... ...
}: let }:
inherit (import ../lib.nix {}) mkSimpleTrayService; let
nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
wayprompt = nixpkgs-wayland'.wayprompt; in
in { {
fonts.fontconfig.enable = true; fonts.fontconfig.enable = true;
# services.gpg-agent.pinentryFlavor = lib.mkForce null; # services.gpg-agent.pinentryFlavor = lib.mkForce null;
@ -26,11 +24,12 @@ in {
systemd.user.targets.tray = { systemd.user.targets.tray = {
Unit = { Unit = {
Description = "Home Manager System Tray"; Description = "Home Manager System Tray";
Requires = ["graphical-session-pre.target"]; Requires = [ "graphical-session-pre.target" ];
}; };
}; };
home.packages = with pkgs; home.packages =
with pkgs;
[ [
# required by network-manager-applet # required by network-manager-applet
networkmanagerapplet networkmanagerapplet
@ -62,11 +61,9 @@ in {
waypipe waypipe
] ]
++ ( ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64)
lib.lists.optionals (!pkgs.stdenv.isAarch64)
# TODO: broken on aarch64 # TODO: broken on aarch64
[ [ ]
]
); );
home.sessionVariables = { home.sessionVariables = {


@ -3,14 +3,15 @@
lib, lib,
pkgs, pkgs,
... ...
}: let }:
let
extensions = extensions =
[ [
#undetectable adblocker #undetectable adblocker
{id = "gcfcpohokifjldeandkfjoboemihipmb";} { id = "gcfcpohokifjldeandkfjoboemihipmb"; }
# ublock origin # ublock origin
{id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; }
# # YT ad block # # YT ad block
# {id = "cmedhionkhpnakcndndgjdbohmhepckk";} # {id = "cmedhionkhpnakcndndgjdbohmhepckk";}
@ -19,15 +20,15 @@
# {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";}
# Cookie Notice Blocker # Cookie Notice Blocker
{id = "odhmfmnoejhihkmfebnolljiibpnednn";} { id = "odhmfmnoejhihkmfebnolljiibpnednn"; }
# i don't care about cookies # i don't care about cookies
{id = "fihnjjcciajhdojfnbdddfaoknhalnja";} { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; }
# NopeCHA # NopeCHA
{id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";} { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; }
# h264ify # h264ify
{id = "aleakchihdccplidncghkekgioiakgal";} { id = "aleakchihdccplidncghkekgioiakgal"; }
# clippy # clippy
# {id = "honbeilkanbghjimjoniipnnehlmhggk"} # {id = "honbeilkanbghjimjoniipnnehlmhggk"}
@ -38,31 +39,32 @@
} }
# cookie autodelete # cookie autodelete
{id = "fhcgjolkccmbidfldomjliifgaodjagh";} { id = "fhcgjolkccmbidfldomjliifgaodjagh"; }
# unhook # unhook
{id = "khncfooichmfjbepaaaebmommgaepoid";} { id = "khncfooichmfjbepaaaebmommgaepoid"; }
] ]
++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
# polkadotjs # polkadotjs
{id = "mopnmbcafieddcagagdcbnhejhlodfdd";} { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; }
# rabby wallet # rabby wallet
{id = "acmacodkjbdgmoleebolmdjonilkdbch";} { id = "acmacodkjbdgmoleebolmdjonilkdbch"; }
# phantom wallet # phantom wallet
{id = "bfnaelmomeimhlpmgjnjophhpkkoljpa";} { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; }
# Vimium C # Vimium C
{id = "hfjbmagddngcpeloejdejnfgbamkjaeg";} { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; }
# always right # always right
{id = "npjpaghfnndnnmjiliibnkmdfgbojokj";} { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; }
# shazam music # shazam music
{id = "mmioliijnhnoblpgimnlajmefafdfilb";} { id = "mmioliijnhnoblpgimnlajmefafdfilb"; }
]); ]);
in { in
{
programs.chromium = { programs.chromium = {
enable = true; enable = true;
inherit extensions; inherit extensions;
@ -72,9 +74,7 @@ in {
programs.brave = { programs.brave = {
# TODO: enable this on aarch64-linux # TODO: enable this on aarch64-linux
enable = enable = true && !pkgs.stdenv.targetPlatform.isAarch64;
true
&& !pkgs.stdenv.targetPlatform.isAarch64;
inherit extensions; inherit extensions;
}; };
} }
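Review bot: `enable = true && !pkgs.stdenv.targetPlatform.isAarch64;` carries a redundant `true &&` that the formatter has now put on one line; `enable = !pkgs.stdenv.targetPlatform.isAarch64;` says the same thing and keeps the TODO above it meaningful. If the `true` was meant as a switch to flip, a named `let` binding would express that better than a constant in a boolean expression.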


@ -1,8 +1,5 @@
{ pkgs, ... }:
{ {
pkgs,
repoFlake,
...
}: {
services.espanso = { services.espanso = {
package = pkgs.espanso-wayland; package = pkgs.espanso-wayland;
# package = pkgs.espanso-wayland.overrideAttrs (_: { # package = pkgs.espanso-wayland.overrideAttrs (_: {
@ -24,64 +21,62 @@
# backend = "Clipboard"; # backend = "Clipboard";
}; };
}; };
matches = let matches =
playerctl = '' let
${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
in { in
default = { {
matches = [ default = {
{ matches = [
trigger = ":vpos"; {
replace = "{{output}}"; trigger = ":vpos";
vars = [ replace = "{{output}}";
{ vars = [
name = "output"; {
type = "script"; name = "output";
params = { type = "script";
args = [ params = {
(pkgs.writeScript "espanso" '' args = [
#! ${pkgs.python3}/bin/python (pkgs.writeScript "espanso" ''
import subprocess, os, math, datetime #! ${pkgs.python3}/bin/python
import subprocess, os, math, datetime
id=str(os.getuid()) id=str(os.getuid())
result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True)
result.check_returncode() result.check_returncode()
position_secs = math.trunc(float(result.stdout)) position_secs = math.trunc(float(result.stdout))
position_human = datetime.timedelta(seconds=position_secs) position_human = datetime.timedelta(seconds=position_secs)
print("%s - %s" % (position_human, position_secs)) print("%s - %s" % (position_human, position_secs))
'') '')
]; ];
}; };
} }
]; ];
} }
{ {
trigger = ":vtit"; trigger = ":vtit";
replace = "{{output}}"; replace = "{{output}}";
vars = [ vars = [
{ {
name = "output"; name = "output";
type = "script"; type = "script";
params = { params = {
args = [ args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ];
(pkgs.writeShellScript "espanso" };
"${playerctl} metadata title") }
]; ];
}; }
} {
]; trigger = ":dunno";
} replace = "¯\\_()_/¯";
{ }
trigger = ":dunno"; {
replace = "¯\\_()_/¯"; trigger = ":shrug";
} replace = "¯\\_()_/¯";
{ }
trigger = ":shrug"; ];
replace = "¯\\_()_/¯"; };
}
];
}; };
};
}; };
} }


@ -1,5 +1,8 @@
{pkgs, ...}: { { pkgs, ... }:
programs.librewolf = {enable = false;}; {
programs.librewolf = {
enable = false;
};
programs.firefox = { programs.firefox = {
enable = true; enable = true;
package = pkgs.firefox-esr-128; package = pkgs.firefox-esr-128;


@ -1,12 +1,6 @@
{ lib, pkgs, ... }:
{ {
lib, home.packages = [ pkgs.gcr ];
pkgs,
config,
...
}: {
home.packages = [
pkgs.gcr
];
programs.gpg.enable = true; programs.gpg.enable = true;
services.gpg-agent = { services.gpg-agent = {


@ -1,32 +1,25 @@
{ pkgs, config, ... }:
{ {
pkgs,
config,
...
}: let
# TODO: clean up the impurity in here
in {
home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}";
home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] '' home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] ''
$DRY_RUN_CMD ${ $DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
pkgs.writeScript "activation-script" '' set -e
set -e echo home-manager path is ${config.home.path}
echo home-manager path is ${config.home.path} echo home is $HOME
echo home is $HOME
source ${pkgs.homeshick}/homeshick.sh source ${pkgs.homeshick}/homeshick.sh
type homeshick type homeshick
# echo Updating homeshick # echo Updating homeshick
# ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
# mv -Tf "$HOMESICK_REPOS"/{.,}homeshick # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
'' ''};
};
''; '';
nixpkgs.config = { nixpkgs.config = {
packageOverrides = pkgs: packageOverrides =
with pkgs; { pkgs: with pkgs; {
homeshick = builtins.fetchGit { homeshick = builtins.fetchGit {
url = "https://github.com/andsens/homeshick.git"; url = "https://github.com/andsens/homeshick.git";
ref = "master"; ref = "master";
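Review bot: The new side drops the `# TODO: clean up the impurity in here` comment that the old `let` block carried, but the impurity it pointed at is still present: `builtins.fetchGit` fetches homeshick from `ref = "master"` and no `rev` appears in the visible lines, so evaluation depends on whatever that branch head is at eval time and the result is neither reproducible nor pinned to a reviewed commit. The activation script above then `source`s `${pkgs.homeshick}/homeshick.sh` into the user's session, so any upstream change on that branch runs with the user's privileges on the next activation. I would keep the note and make it concrete, e.g. `# TODO: pin homeshick to a rev (or make it a flake input); fetchGit on a branch ref is impure and unpinned`, and add `rev = "<commit>";` next to `ref`. The `packageOverrides` expression continues past the end of this hunk.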


@ -1,3 +1,4 @@
{pkgs, ...}: { { pkgs, ... }:
home.packages = [pkgs.libreoffice]; {
home.packages = [ pkgs.libreoffice ];
} }


@ -1,12 +1,6 @@
{ repoFlake, pkgs, ... }:
{ {
repoFlake, imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ];
pkgs,
lib,
...
}: {
imports = [
repoFlake.inputs.nixvim.homeManagerModules.nixvim
];
programs.nixvim = { programs.nixvim = {
enable = true; enable = true;
@ -14,7 +8,7 @@
vimdiffAlias = true; vimdiffAlias = true;
vimAlias = true; vimAlias = true;
extraPython3Packages = ps: with ps; []; extraPython3Packages = ps: with ps; [ ];
# extraConfigVim = builtins.readFile ./neovim/vimrc; # extraConfigVim = builtins.readFile ./neovim/vimrc;


@ -1,21 +1,25 @@
{ pkgs, lib, ... }:
{ {
pkgs,
lib,
...
}: {
programs.obs-studio = { programs.obs-studio = {
enable = true; enable = true;
plugins = plugins =
builtins.map (plugin: (plugin.overrideAttrs (attrs: { builtins.map
meta = lib.mkMerge [ (
{inherit (attrs) meta;} plugin:
{meta.platforms = [pkgs.stdenv.system];} (plugin.overrideAttrs (attrs: {
]; meta = lib.mkMerge [
}))) { inherit (attrs) meta; }
(with pkgs.obs-studio-plugins; [ { meta.platforms = [ pkgs.stdenv.system ]; }
# wlrobs ];
obs-backgroundremoval }))
obs-pipewire-audio-capture )
]); (
with pkgs.obs-studio-plugins;
[
# wlrobs
obs-backgroundremoval
obs-pipewire-audio-capture
]
);
}; };
} }


@ -1,12 +1,8 @@
{ pkgs, repoFlake, ... }:
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
in
{ {
pkgs,
nodeFlake,
repoFlake,
...
}: let
pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;};
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};
in {
home.packages = [ home.packages = [
pkgs.nil pkgs.nil
pkgs.nixd pkgs.nixd
@ -20,20 +16,22 @@ in {
# 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/ # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/
/* /*
e.g.: e.g.:
``` ```
( (
set -e set -e
export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
) )
``` ```
*/ */
(pkgsVscodium.openvscode-server.overrideAttrs (attrs: { (pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
src = repoFlake.inputs.openvscode-server; src = repoFlake.inputs.openvscode-server;
version = "1.94.2"; version = "1.94.2";
yarnCache = attrs.yarnCache.overrideAttrs (_: {outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";}); yarnCache = attrs.yarnCache.overrideAttrs (_: {
outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";
});
})) }))
pkgs.waypipe pkgs.waypipe


@ -1,8 +1,5 @@
{ repoFlake, pkgs, ... }:
{ {
repoFlake,
pkgs,
...
}: {
# required by pass-otp # required by pass-otp
# home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
# home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true";


@ -4,7 +4,8 @@
pkgs, pkgs,
osConfig, osConfig,
... ...
}: let }:
let
libdecsync = pkgs.python3Packages.buildPythonPackage rec { libdecsync = pkgs.python3Packages.buildPythonPackage rec {
pname = "libdecsync"; pname = "libdecsync";
version = "2.2.1"; version = "2.2.1";
@ -38,50 +39,51 @@
# pkgs.libxcrypt # pkgs.libxcrypt
]; ];
propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; propagatedBuildInputs = [
libdecsync
pkgs.python3Packages.setuptools
];
}; };
radicale-decsync = pkgs.radicale.overrideAttrs (old: { radicale-decsync = pkgs.radicale.overrideAttrs (old: {
propagatedBuildInputs = propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ];
old.propagatedBuildInputs
++ [radicale-storage-decsync];
}); });
mkRadicaleService = { mkRadicaleService =
suffix, { suffix, port }:
port, let
}: let radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
radicale-config = pkgs.writeText "radicale-config-${suffix}" '' [server]
[server] hosts = localhost:${builtins.toString port}
hosts = localhost:${builtins.toString port}
[auth] [auth]
type = htpasswd type = htpasswd
htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path}
htpasswd_encryption = bcrypt htpasswd_encryption = bcrypt
[storage] [storage]
type = radicale_storage_decsync type = radicale_storage_decsync
filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix}
decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix}
''; '';
in { in
systemd.user.services."radicale-${suffix}" = { {
Unit.Description = "Radicale with DecSync (${suffix})"; systemd.user.services."radicale-${suffix}" = {
Service = { Unit.Description = "Radicale with DecSync (${suffix})";
ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; Service = {
Restart = "on-failure"; ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}";
Restart = "on-failure";
};
Install.WantedBy = [ "default.target" ];
}; };
Install.WantedBy = ["default.target"];
}; };
};
in in
builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [ builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [
{ {
suffix = "personal"; suffix = "personal";
port = 5232; port = 5232;
} }
{ {
suffix = "family"; suffix = "family";
port = 5233; port = 5233;
} }
] ]


@ -1,10 +1,8 @@
{ _:
pkgs, let
config,
...
}: let
passwords = import ../../variables/passwords.crypt.nix; passwords = import ../../variables/passwords.crypt.nix;
in { in
{
services.gammastep = { services.gammastep = {
enable = true; enable = true;
provider = "manual"; provider = "manual";


@ -1,18 +1,11 @@
{ { pkgs, packages', ... }:
pkgs,
config,
lib,
packages',
...
}:
# useful testing command: # useful testing command:
# for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done
let let
inherit (import ../lib.nix {}) mkSimpleTrayService; inherit (import ../lib.nix { }) mkSimpleTrayService;
in { in
home.packages = [ {
packages'.salut home.packages = [ packages'.salut ];
];
xdg.configFile."salut/config.ini" = { xdg.configFile."salut/config.ini" = {
enable = true; enable = true;
@ -34,7 +27,5 @@ in {
onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; onChange = "${pkgs.systemd}/bin/systemctl --user restart salut";
}; };
systemd.user.services.salut = mkSimpleTrayService { systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; };
execStart = "${packages'.salut}/bin/salut";
};
} }


@ -1,24 +1,14 @@
{ pkgs, repoFlake, ... }:
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
in
{ {
pkgs,
nodeFlake,
repoFlake,
...
}: let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};
in {
programs.vscode = { programs.vscode = {
enable = true; enable = true;
package = pkgsVscodium.vscodium; package = pkgsVscodium.vscodium;
extensions = extensions =
[ (
# TODO: how can i install (this) vsix(s) directly? with pkgsVscodium.vscode-extensions;
# (builtins.fetchurl {
# # https://open-vsx.org/extension/jeanp413/open-remote-ssh
# url = "https://open-vsx.org/api/jeanp413/open-remote-ssh/0.0.45/file/jeanp413.open-remote-ssh-0.0.45.vsix";
# sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2";
# })
]
++ (with pkgsVscodium.vscode-extensions;
[ [
eamodio.gitlens eamodio.gitlens
mkhl.direnv mkhl.direnv
@ -43,11 +33,13 @@ in {
# TODO: not compatible with vscodium # TODO: not compatible with vscodium
# ms-vscode-remote.remote-ssh # ms-vscode-remote.remote-ssh
] ]
++ (let ++ (
extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; let
in ( extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system};
in
with extensions.vscode-marketplace; with extensions.vscode-marketplace;
with extensions.vscode-marketplace-release; [ with extensions.vscode-marketplace-release;
[
tamasfe.even-better-toml tamasfe.even-better-toml
serayuzgur.crates serayuzgur.crates
@ -59,15 +51,15 @@ in {
ibecker.treefmt-vscode ibecker.treefmt-vscode
] ]
))) )
)
++ [ ++ [
(pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace (pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace {
{ name = "markdown-oxide";
name = "markdown-oxide"; publisher = "felixzeller";
publisher = "felixzeller"; version = "1.1.0";
version = "1.1.0"; sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3";
sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3"; })
})
]; ];
mutableExtensionsDir = true; mutableExtensionsDir = true;
}; };
@ -151,4 +143,3 @@ in {
# xyz.plsql-language # xyz.plsql-language
# yzane.markdown-pdf # yzane.markdown-pdf
# zxh404.vscode-proto3 # zxh404.vscode-proto3


@ -1,12 +1,17 @@
{ { pkgs, lib }:
pkgs, let
lib, inherit (pkgs.stdenv)
}: let isDarwin
inherit (pkgs.stdenv) isDarwin isLinux isi686 isx86_64 isAarch32 isAarch64; isLinux
vscode-utils = pkgs.vscode-utils; isi686
isx86_64
isAarch32
isAarch64
;
inherit (pkgs) vscode-utils;
merge = lib.attrsets.recursiveUpdate; merge = lib.attrsets.recursiveUpdate;
in in
merge merge
(merge (merge
(merge (merge
(merge (merge
@ -18,39 +23,50 @@ in
sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3"; sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3";
}; };
} }
(lib.attrsets.optionalAttrs (isLinux && (isi686 || isx86_64)) { (
lib.attrsets.optionalAttrs (isLinux && (isi686 || isx86_64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode";
publisher = "ibecker";
version = "2.1.0";
sha256 = "1r17wjpw8xiha5r9h3146facxghpcp416zf8551sw93cmam9ky6j";
arch = "linux-x64";
};
}
)
)
(
lib.attrsets.optionalAttrs (isLinux && (isAarch32 || isAarch64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode"; name = "treefmt-vscode";
publisher = "ibecker"; publisher = "ibecker";
version = "2.1.0"; version = "2.1.0";
sha256 = "1r17wjpw8xiha5r9h3146facxghpcp416zf8551sw93cmam9ky6j"; sha256 = "0swvl7fkjcwp43grnrhnmy60a5m3hfwawk204byi8hhbczy131li";
arch = "linux-x64"; arch = "linux-arm64";
}; };
})) }
(lib.attrsets.optionalAttrs (isLinux && (isAarch32 || isAarch64)) { )
)
(
lib.attrsets.optionalAttrs (isDarwin && (isi686 || isx86_64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode"; name = "treefmt-vscode";
publisher = "ibecker"; publisher = "ibecker";
version = "2.1.0"; version = "2.1.0";
sha256 = "0swvl7fkjcwp43grnrhnmy60a5m3hfwawk204byi8hhbczy131li"; sha256 = "1swq9hy6a9nzkrn07j21g59pyk2m7aqsfi1pphl9l9y8p4zwiaqm";
arch = "linux-arm64"; arch = "darwin-x64";
}; };
})) }
(lib.attrsets.optionalAttrs (isDarwin && (isi686 || isx86_64)) { )
)
(
lib.attrsets.optionalAttrs (isDarwin && (isAarch32 || isAarch64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode"; name = "treefmt-vscode";
publisher = "ibecker"; publisher = "ibecker";
version = "2.1.0"; version = "2.1.0";
sha256 = "1swq9hy6a9nzkrn07j21g59pyk2m7aqsfi1pphl9l9y8p4zwiaqm"; sha256 = "1xg3wnn3f1kvsz5a09l0cjpzfm3l9va73cahbvl14mx3n6734r2m";
arch = "darwin-x64"; arch = "darwin-arm64";
}; };
})) }
(lib.attrsets.optionalAttrs (isDarwin && (isAarch32 || isAarch64)) { )
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode";
publisher = "ibecker";
version = "2.1.0";
sha256 = "1xg3wnn3f1kvsz5a09l0cjpzfm3l9va73cahbvl14mx3n6734r2m";
arch = "darwin-arm64";
};
})


@ -1,6 +1,5 @@
#custom-cputemp { #custom-cputemp {
padding: 0 10px; padding: 0 10px;
background-color: #f0932b; background-color: #f0932b;
color: #ffffff; color: #ffffff;
} }


@ -1,9 +1,5 @@
{ pkgs, repoFlake, ... }:
{ {
pkgs,
config,
repoFlake,
...
}: {
home.packages = [ home.packages = [
# required by any bar that has a tray plugin # required by any bar that has a tray plugin
pkgs.libappindicator-gtk3 pkgs.libappindicator-gtk3
@ -12,10 +8,9 @@
programs.waybar = { programs.waybar = {
enable = true; enable = true;
package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; package =
style = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css;
+ pkgs.lib.readFile ./waybar.css;
systemd.enable = true; systemd.enable = true;
settings = { settings = {
mainBar = { mainBar = {
@ -24,12 +19,7 @@
height = 30; height = 30;
output = output =
# hide the bar on HEADDLESS displays as i use them only for screensharing # hide the bar on HEADDLESS displays as i use them only for screensharing
( (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ];
builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99
)
++ [
"*"
];
# output = [ # output = [
# "eDP-1" # "eDP-1"
# "DP-*" # "DP-*"


@ -3,27 +3,29 @@
lib, lib,
pkgs, pkgs,
... ...
}: let }:
just-plugin = let let
plugin_file = pkgs.writeText "_just" '' just-plugin =
#compdef just let
#autload plugin_file = pkgs.writeText "_just" ''
#compdef just
#autload
alias justl="\just --list" alias justl="\just --list"
alias juste="\just --evaluate" alias juste="\just --evaluate"
local subcmds=() local subcmds=()
while read -r line ; do while read -r line ; do
if [[ ! $line == Available* ]] ; if [[ ! $line == Available* ]] ;
then then
subcmds+=(''${line/[[:space:]]*\#/:}) subcmds+=(''${line/[[:space:]]*\#/:})
fi fi
done < <(just --list) done < <(just --list)
_describe 'command' subcmds _describe 'command' subcmds
''; '';
in in
pkgs.stdenv.mkDerivation { pkgs.stdenv.mkDerivation {
name = "just-completions"; name = "just-completions";
version = "0.1.0"; version = "0.1.0";
@ -35,7 +37,8 @@
chmod --recursive a-w $out chmod --recursive a-w $out
''; '';
}; };
in { in
{
programs.zsh = { programs.zsh = {
enable = true; enable = true;
@ -46,56 +49,59 @@ in {
# will be called again by oh-my-zsh # will be called again by oh-my-zsh
enableCompletion = false; enableCompletion = false;
enableAutosuggestions = true; enableAutosuggestions = true;
initExtra = let initExtra =
inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; let
in '' inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")'';
if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then in
unset TMPDIR ''
fi if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then
unset TMPDIR
fi
if test ! -n "$TMP" -a -z "$TMP"; then if test ! -n "$TMP" -a -z "$TMP"; then
unset TMP unset TMP
fi fi
PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}%f.%F{red} ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}%f.%F{red} ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f '
RPROMPT="" RPROMPT=""
# Automatic rehash # Automatic rehash
zstyle ':completion:*' rehash true zstyle ':completion:*' rehash true
if [ -f $HOME/.shrc.d/sh_aliases ]; then if [ -f $HOME/.shrc.d/sh_aliases ]; then
. $HOME/.shrc.d/sh_aliases . $HOME/.shrc.d/sh_aliases
fi fi
${ ${
if builtins.hasAttr "homeshick" pkgs if builtins.hasAttr "homeshick" pkgs then
then '' ''
source ${pkgs.homeshick}/homeshick.sh source ${pkgs.homeshick}/homeshick.sh
fpath=(${pkgs.homeshick}/completions $fpath) fpath=(${pkgs.homeshick}/completions $fpath)
'' ''
else "" else
} ""
}
# Disable intercepting of ctrl-s and ctrl-q as flow control. # Disable intercepting of ctrl-s and ctrl-q as flow control.
stty stop ''' -ixoff -ixon stty stop ''' -ixoff -ixon
# don't cd into directories when executed # don't cd into directories when executed
unsetopt AUTO_CD unsetopt AUTO_CD
# print lines without termination # print lines without termination
setopt PROMPT_CR setopt PROMPT_CR
setopt PROMPT_SP setopt PROMPT_SP
export PROMPT_EOL_MARK="" export PROMPT_EOL_MARK=""
${lib.optionalString config.services.gpg-agent.enable '' ${lib.optionalString config.services.gpg-agent.enable ''
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh"
''} ''}
${lib.optionalString config.programs.neovim.enable '' ${lib.optionalString config.programs.neovim.enable ''
export EDITOR="nvim" export EDITOR="nvim"
''} ''}
''; '';
plugins = [ plugins = [
{ {
@ -128,7 +134,10 @@ in {
oh-my-zsh = { oh-my-zsh = {
enable = true; enable = true;
theme = "tjkirch"; theme = "tjkirch";
plugins = ["git" "sudo"]; plugins = [
"git"
"sudo"
];
}; };
}; };
} }


@ -1,7 +1,8 @@
{lib, ...}: { { lib, ... }:
{
options.flake.colmena = lib.mkOption { options.flake.colmena = lib.mkOption {
# type = lib.types.attrsOf lib.types.unspecified; # type = lib.types.attrsOf lib.types.unspecified;
type = lib.types.raw; type = lib.types.raw;
default = {}; default = { };
}; };
} }


@ -1,38 +1,37 @@
{ pkgs, ... }:
{ {
inputs',
system,
config,
lib,
pkgs,
...
}: {
packages = { packages = {
myPython = pkgs.python310.withPackages (ps: myPython = pkgs.python310.withPackages (
ps:
with ps; with ps;
[ [
pep8 pep8
yapf yapf
flake8 flake8
# autopep8 (broken) # autopep8 (broken)
# pylint (broken) # pylint (broken)
ipython ipython
llfuse llfuse
dugong dugong
defusedxml defusedxml
wheel wheel
pip pip
virtualenv virtualenv
cffi cffi
# pyopenssl # pyopenssl
urllib3 urllib3
# mistune (insecure) # mistune (insecure)
sympy sympy
flask flask
pyaml pyaml
requests requests
] ]
++ [pkgs.pypi2nix pkgs.libffi]); ++ [
pkgs.pypi2nix
pkgs.libffi
]
);
}; };
} }


@ -1,14 +1,12 @@
# WARN: this file will get overwritten by $ cachix use <name> # WARN: this file will get overwritten by $ cachix use <name>
{ { lib, ... }:
pkgs, let
lib,
...
}: let
folder = ./cachix; folder = ./cachix;
toImport = name: value: folder + ("/" + name); toImport = name: _value: folder + ("/" + name);
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
in { in
{
inherit imports; inherit imports;
nix.settings.substituters = ["https://cache.nixos.org/"]; nix.settings.substituters = [ "https://cache.nixos.org/" ];
} }
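Review bot: The import list is built from every regular `*.nix` file in `./cachix` with no allow-list, and the following section, which looks like one such file, sets `settings.substituters` and `settings.trusted-public-keys`; so dropping any file into that directory silently extends the set of binary caches and signing keys this host trusts. That is presumably intended, since the header says the file is regenerated by `cachix use`, but it deserves saying next to `imports`, e.g. `# every regular *.nix in ./cachix is imported unconditionally; each one adds a trusted substituter and signing key, so review additions to that directory like code`. The `_value` rename in `toImport` correctly signals that only the directory-entry name is used.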


@ -1,8 +1,6 @@
{ {
nix = { nix = {
settings.substituters = [ settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ];
"https://nixpkgs-wayland.cachix.org"
];
settings.trusted-public-keys = [ settings.trusted-public-keys = [
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
]; ];


@ -5,88 +5,107 @@
subvolumes, subvolumes,
targetPathSuffix ? "", targetPathSuffix ? "",
autoStart ? false, autoStart ? false,
}: let }:
let
passwords = import ../../variables/passwords.crypt.nix; passwords = import ../../variables/passwords.crypt.nix;
subvolumeParentDir = "/var/lib/container-volumes"; subvolumeParentDir = "/var/lib/container-volumes";
in { in
config = {pkgs, ...}: { {
system.stateVersion = "20.03"; # Did you read the comment? config =
{ pkgs, ... }:
{
system.stateVersion = "20.03"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix]; imports = [ ../profiles/containers/configuration.nix ];
environment.systemPackages = with pkgs; [btrfs-progs btrbk]; environment.systemPackages = with pkgs; [
btrfs-progs
btrbk
];
networking.firewall.enable = true; networking.firewall.enable = true;
systemd.services."bkp-sync" = { systemd.services."bkp-sync" = {
enable = true; enable = true;
description = "bkp-sync service"; description = "bkp-sync service";
serviceConfig = {Type = "oneshot";}; serviceConfig = {
Type = "oneshot";
};
after = ["bkp-run.service"]; after = [ "bkp-run.service" ];
requires = ["bkp-run.service"]; requires = [ "bkp-run.service" ];
path = with pkgs; [utillinux]; path = with pkgs; [ utillinux ];
script = '' script = ''
set -x set -x
true true
'';
};
systemd.services."bkp-run" = {
enable = true;
description = "bkp-run";
serviceConfig = {Type = "oneshot";};
partOf = ["bkp-sync.service"];
path = with pkgs; [btrfs-progs btrbk coreutils];
script = let
btrbkConf = pkgs.writeText "cfg" ''
timestamp_format long
ssh_identity ${passwords.storage.backupTarget.keyPath}
ssh_user ${passwords.storage.backupTarget.user}
ssh_compression no
backend_remote btrfs-progs-sudo
compat_remote busybox
btrfs_commit_delete each
snapshot_create onchange
snapshot_preserve_min latest
snapshot_preserve 7d 4w
target_preserve_min latest
target_preserve 7d 4w 12m *y
volume ${subvolumeParentDir}
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") ""
subvolumes}
''; '';
in '' };
#! ${pkgs.bash}/bin/bash
set -Eeuxo pipefail
btrbk -c ${btrbkConf} --progress ''${@:-run} systemd.services."bkp-run" = {
''; enable = true;
}; description = "bkp-run";
systemd.timers."bkp" = { serviceConfig = {
description = "Timer to trigger bkp periodically"; Type = "oneshot";
enable = true; };
wantedBy = ["timer.target" "multi-user.target"];
timerConfig = { partOf = [ "bkp-sync.service" ];
# Obtained using `systemd-analyze calendar "Wed 23:00"`
# OnCalendar = "Wed *-*-* 23:00:00"; path = with pkgs; [
OnStartupSec = "1m"; btrfs-progs
Unit = "bkp-sync.service"; btrbk
OnUnitInactiveSec = "2h"; coreutils
Persistent = "true"; ];
script =
let
btrbkConf = pkgs.writeText "cfg" ''
timestamp_format long
ssh_identity ${passwords.storage.backupTarget.keyPath}
ssh_user ${passwords.storage.backupTarget.user}
ssh_compression no
backend_remote btrfs-progs-sudo
compat_remote busybox
btrfs_commit_delete each
snapshot_create onchange
snapshot_preserve_min latest
snapshot_preserve 7d 4w
target_preserve_min latest
target_preserve 7d 4w 12m *y
volume ${subvolumeParentDir}
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes}
'';
in
''
#! ${pkgs.bash}/bin/bash
set -Eeuxo pipefail
btrbk -c ${btrbkConf} --progress ''${@:-run}
'';
};
systemd.timers."bkp" = {
description = "Timer to trigger bkp periodically";
enable = true;
wantedBy = [
"timer.target"
"multi-user.target"
];
timerConfig = {
# Obtained using `systemd-analyze calendar "Wed 23:00"`
# OnCalendar = "Wed *-*-* 23:00:00";
OnStartupSec = "1m";
Unit = "bkp-sync.service";
OnUnitInactiveSec = "2h";
Persistent = "true";
};
}; };
}; };
};
inherit autoStart; inherit autoStart;
@ -114,10 +133,10 @@ in {
} }
]; ];
extraFlags = ["--resolv-conf=bind-host"]; extraFlags = [ "--resolv-conf=bind-host" ];
privateNetwork = true; privateNetwork = true;
forwardPorts = []; forwardPorts = [ ];
inherit hostAddress localAddress; inherit hostAddress localAddress;
} }
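Review bot: `wantedBy` of the `bkp` timer in the first hunk lists `"timer.target"`, which is not a systemd target; the unit that collects timers is `timers.target`, so that entry is a dangling dependency and in practice the timer is pulled in only via `multi-user.target`. Change it to `"timers.target"` (or drop it, since `multi-user.target` already covers it). Separately, the `bkp-sync` service's script is `set -x` followed by `true`, i.e. a no-op whose only role is the `after`/`requires` chain onto `bkp-run`; a one-line comment saying so would save the next reader a search, e.g. `# bkp-sync does no work itself; it only sequences bkp-run for the timer`. The container definition's argument list begins before this section's first hunk.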


@ -6,198 +6,206 @@
imapsPort ? 993, imapsPort ? 993,
sievePort ? 4190, sievePort ? 4190,
autoStart ? false, autoStart ? false,
}: { }:
{
inherit specialArgs; inherit specialArgs;
config = { config =
pkgs, {
config, pkgs,
lib, config,
repoFlake, repoFlake,
... ...
}: { }:
system.stateVersion = "22.05"; # Did you read the comment? {
system.stateVersion = "22.05"; # Did you read the comment?
imports = [ imports = [
../profiles/containers/configuration.nix ../profiles/containers/configuration.nix
repoFlake.inputs.sops-nix.nixosModules.sops repoFlake.inputs.sops-nix.nixosModules.sops
../profiles/common/user.nix ../profiles/common/user.nix
]; ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
imapsPort imapsPort
sievePort sievePort
]; ];
# FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
# sops.defaultSopsFile = ./mailserver_secrets.yaml; # sops.defaultSopsFile = ./mailserver_secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.email_mailStefanjunkerDe = { sops.secrets.email_mailStefanjunkerDe = {
sopsFile = ./mailserver_secrets.yaml; sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name; owner = config.users.users.steveej.name;
}; };
sops.secrets.email_mailStefanjunkerDeHetzner = { sops.secrets.email_mailStefanjunkerDeHetzner = {
sopsFile = ./mailserver_secrets.yaml; sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name; owner = config.users.users.steveej.name;
}; };
sops.secrets.email_schtifATwebDe = { sops.secrets.email_schtifATwebDe = {
sopsFile = ./mailserver_secrets.yaml; sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name; owner = config.users.users.steveej.name;
}; };
sops.secrets.email_dovecot_steveej = { sops.secrets.email_dovecot_steveej = {
sopsFile = ./mailserver_secrets.yaml; sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name; owner = config.users.users.dovecot2.name;
}; };
# TODO: switch to something other than ddclient as it's no longer maintained # TODO: switch to something other than ddclient as it's no longer maintained
# TODO: switch to a let's encrypt certificate # TODO: switch to a let's encrypt certificate
sops.secrets.dovecotSslServerCert = { sops.secrets.dovecotSslServerCert = {
sopsFile = ./mailserver_secrets.yaml; sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name; owner = config.users.users.dovecot2.name;
}; };
sops.secrets.dovecotSslServerKey = { sops.secrets.dovecotSslServerKey = {
sopsFile = ./mailserver_secrets.yaml; sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name; owner = config.users.users.dovecot2.name;
}; };
services.dovecot2 = { services.dovecot2 = {
enable = true; enable = true;
modules = [pkgs.dovecot_pigeonhole]; modules = [ pkgs.dovecot_pigeonhole ];
protocols = ["sieve"]; protocols = [ "sieve" ];
enableImap = true; enableImap = true;
enableLmtp = true; enableLmtp = true;
enablePAM = true; enablePAM = true;
showPAMFailure = true; showPAMFailure = true;
mailLocation = "maildir:~/.maildir"; mailLocation = "maildir:~/.maildir";
sslServerCert = config.sops.secrets.dovecotSslServerCert.path; sslServerCert = config.sops.secrets.dovecotSslServerCert.path;
sslServerKey = config.sops.secrets.dovecotSslServerKey.path; sslServerKey = config.sops.secrets.dovecotSslServerKey.path;
#configFile = "/etc/dovecot/dovecot2_manual.conf"; #configFile = "/etc/dovecot/dovecot2_manual.conf";
extraConfig = '' extraConfig = ''
auth_mechanisms = cram-md5 digest-md5 auth_mechanisms = cram-md5 digest-md5
auth_verbose = yes auth_verbose = yes
passdb { passdb {
driver = passwd-file driver = passwd-file
args = scheme=CRYPT username_format=%u /etc/dovecot/users args = scheme=CRYPT username_format=%u /etc/dovecot/users
} }
protocol lda { protocol lda {
postmaster_address = "mail@stefanjunker.de" postmaster_address = "mail@stefanjunker.de"
mail_plugins = $mail_plugins sieve mail_plugins = $mail_plugins sieve
} }
protocol imap { protocol imap {
mail_max_userip_connections = 64 mail_max_userip_connections = 64
} }
'';
};
environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
systemd.services.steveej-getmail-stefanjunker = {
enable = true;
wantedBy = ["multi-user.target"];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 600;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [pkgs.getmail6];
script = let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = ssl0.ovh.net
port = 993
username = mail@stefanjunker.de
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
mailboxes = ('INBOX',)
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
''; '';
in '' };
getmail --idle=INBOX --rcfile=${rc}
''; environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
systemd.services.steveej-getmail-stefanjunker = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 600;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [ pkgs.getmail6 ];
script =
let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = ssl0.ovh.net
port = 993
username = mail@stefanjunker.de
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
mailboxes = ('INBOX',)
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in
''
getmail --idle=INBOX --rcfile=${rc}
'';
};
systemd.services.steveej-getmail-stefanjunker-hetzner = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 60;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [ pkgs.getmail6 ];
script =
let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 2
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = mail.your-server.de
port = 993
username = mail@stefanjunker.de
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}")
mailboxes = ('INBOX',)
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in
''
getmail --rcfile=${rc} --idle=INBOX
'';
};
systemd.services.steveej-getmail-webde = {
enable = true;
wantedBy = [ "multi-user.target" ];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
description = "Getmail service";
path = [ pkgs.getmail6 ];
serviceConfig.RestartSec = 1000;
serviceConfig.Restart = "always";
script =
let
rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.web.de
port = 993
username = schtif
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
mailboxes = ('INBOX',)
[destination]
type = Maildir
path = ~/.maildir/
'';
in
''
getmail --rcfile=${rc} --idle=INBOX
'';
};
}; };
systemd.services.steveej-getmail-stefanjunker-hetzner = {
enable = true;
wantedBy = ["multi-user.target"];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 60;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [pkgs.getmail6];
script = let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 2
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = mail.your-server.de
port = 993
username = mail@stefanjunker.de
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}")
mailboxes = ('INBOX',)
[destination]
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in ''
getmail --rcfile=${rc} --idle=INBOX
'';
};
systemd.services.steveej-getmail-webde = {
enable = true;
wantedBy = ["multi-user.target"];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
description = "Getmail service";
path = [pkgs.getmail6];
serviceConfig.RestartSec = 1000;
serviceConfig.Restart = "always";
script = let
rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
[options]
verbose = 1
read_all = 0
delete_after = 30
[retriever]
type = SimpleIMAPSSLRetriever
server = imap.web.de
port = 993
username = schtif
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
mailboxes = ('INBOX',)
[destination]
type = Maildir
path = ~/.maildir/
'';
in ''
getmail --rcfile=${rc} --idle=INBOX
'';
};
};
inherit autoStart; inherit autoStart;
bindMounts = { bindMounts = {


@ -7,37 +7,37 @@ dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2r
dovecotSslServerKey: ENC[AES256_GCM,data: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,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] dovecotSslServerKey: ENC[AES256_GCM,data:KYpQZbioLGrp/6R6j/c4uJhBpoDT2aj7UffQQug8Otzr/0rk51tavsjg4YRQGIv+ZpFYpWAuHbhW4O8AsRgpi0AX3hKsZICEdNubfK5zfd+SInXveaVFbHHjOuzcqftraUrqx9APu+omk4LlpxpWTbj/bAcRnRBn0C093AeJNi1giaCZd4NxmmkYqwYzrjUc6LYHvICEnjA87ZVpeOKE/6B2Ng5QWDKhZNmjy7YDXAk4DS+P2grLmoGvnz6ubtaypSzaKXYTFz/uxEvtCCPlIaJHm3Nz0i0j1rjX3S/w3c26zuIFtwCmAQzGnHyQwbx7ILwCXfnyQnpM7+R5+fxcYvcK2GEJyTGzg/JFa++TI1YO+wpknjzxK3Sa8aX0pUbx/TEjnY3+tRnx7YNuih2ZNZrPHy8uJJtO9Aef84Sq5vLQG5n1/ya0pVhjCbs1pgpeK/qT3ikLbkcJg6NxAq3hqqQdR4TTkZBwKLVfzcMXLDZB0GphhVvtO0W7afRCE+nA/FPDT2NN6WLD15cN5F8w6USi0iQlwFb+TE8nt1ghhoGmwCMx+lX1Bk/jdIlYtJ62T8+T3nRVJ6ZRlUa1rkbAADaWZVvLR2/ylaEkeYFo/CC6lUg4DWPCVoGFxaWaU+ZaIDjbiYcqGQFBwq8JZ44hAOyJQpb7N1zgDVyPh/xr+ukmjutFuu97FY55VTn+8eipRiR4TZpPRH+KvB/FmlLNaim76YZCRH9Dv2ENbz9fXpWv7P+yh06+ci9HKvjNAzR6NRr368tK2srEEhWzFv+nAsRetzc2VcfwNMcg5/mvlWHVZSmONXC5adEo/W5XgJgUnH/fkz5IRPY/1iteq8PTCPUkubzF+qT2+suzEDnvgXlaKsqHkrk+n8YySl+GRABnasmnBYdb8vboDM41ptw3PXDoL+l07o6KxTwPOWWl9BVNMT8VzL7gAl+dlxjkEUSqn53OrsYDluxefBa3c0rfvk8CCvOMjgLkagK9O+VavqJEo00zd3f0ZzMcIoRebuDzYILw3DTrG/qyLXGsRoybBr+qcuSVBzM5RnjcToFJO4W/0EIdH1drZmqHdNgSNwPPRSNCivrhV25syUCrTee/xkDVUr47z67pK/5Mh0ewlwq0hcl/dBoA0YP/PptntK0CHfistD8chNtdMk3PyzqSiFaDPQ3T4wdc3zTNUjXeQ5643k5weJXFPg4tUuCCa8HxUJHd5sLnNY0OaRBwh2SLkQlcXYFQDzVHSoVscR3tf+57L7aF2hVQT2QtJKdZQjOyMg5YK0UlVc3tkyPZzyjOVaP7eTCRKwXI1NminHmmy1ZzZ+w+8+oX8cfvE9HdbqDoDp0MnkicS0+5S0lZwkRWrjUx/gS4aMWLbCHUQHY8wm+fmyDLJ/oI4ukdUI5YLOutlCsIY+aotnVMoORgdd/EPeZVYJmci/pvMjPF9Eard0aD4rLA7z/HwGgc3VEGmNluE+20BXO3bFIqwa9tzMqzOJB0qglP35MjVGiUe6Svq13DAmSOnzN+WqcVbTMJG8J1bwKqvmaN8AEpO0zU94ZhHspUtGyQQ0D6sMsw9jqJ1WyLE7aXeFR6OHrpw3DC2mCpr/qX8QFsveeyB83Za2+CuVVi2sqGAKYzkwlUPkeuaxfBak0apwJsF2trT1uMvPOuIda8k4XhtYLxah2BDJZIoMqUVz2xcN4OuW8bdSX/lepsyZZO34VEQDLBa2dxCCHJmCKf6io/0YlswNKGDQh+DI935KTdqBnHSJ9IjvADQuu+K37aS
0L9V0ZLXiM5SBQtbB7kQpHjvivq97ru7QpFqJf8HCl1vDs4gJ/NV+J0+CX6dQTQOtHvwxD2CPGiiSv40ycoJAcwiqTh5T+hRPtca6bSes/jGN5iQjfLCRbwvL/ItLLAK3F2cEIdKZnfhJkdEAIwWFLvR4R5I7ZcCK5GgKz5dPROup8BAONA8XxcJWXaXV0YkfEmCDbZYMFC7pcx4NAnGp881RyAaG/HlstBHHVagpP2fwZ8K0J/2KPillOq/Die+vNc2++hx4EuftvNkZhSd+7zIYNKHQd0M4Ea74flgmmW5lG73bE1BkhVd2DsgEDihH19/vJjFH4PxKINKp0ij4jMyq9w+WsGiUqSDaQz/MZJ8wjzaSjvmSj4qlOAitr/s3f041e77rMb0W2ieCtYEy7IsebIqIWgKn/crm5FhyUtBCPEqFZgAKS313bXUio8LktqXCrZjZ0ZG8DmQG6hnK4PstKlIUQoNuFnb8Bp1zDgY4i2hb6Zmu7NnqnOaJJTjSGwaZOav0oMousn67BuFtwoMaGp+OjCopZ3HPfg19usnjvWpOgccXWYlQc0HOlGXUq+otKlXtQwAjUvz50GmV+lY3t4rpCgqk+pj9iH62xuzDQ01FOXl+v3Ehnw97mNJk9YarueG0Hl/1f6dhwXnjeEv35LLyWUjQolOoYgycEkgQ/cCCOSm7zgK1VT0oTLFISai8IG0qDP9HCszteHZhp+y4bsXQfAJTY11QLr7hx9/nQmVlHksDN5Wsno4wbkT+D2xb5EaDU2RBqZfTVcbRBWRtAhQcRPxdaUXyI7oKEaFg8fvQZ8wK/Ae+L18ub+Latb5W69dUVT6I13tPleXDl1oen9BXzaX7sygSpY4lJoXlu+SCKyNTMrC36PrB39QUWosw03ZsiKT5xjgN5+1m32yv4cg8lAwNCR4xxShrnhSbZ328yifaAuTnSawZmUGBVxPx4glVcvNUOXW2UvVtmeKU0SG1E+UGBAq7/UfaadMM7BsjyaaKpBa/tXZTm0rn8UiFqujvgNjQ3F/3ybRdlO5d6eMI9Na+1gqg6qxYSGR0H0wAdPhtyGRxpumehAQGeMKd49Sg6jspaf3NAjjuZ0Yp+eJV9652WqVZ7xtCNqRURV353h+XPGR+ZZ9siHRDQ+NcbxPkfbHw0/RTvZvEIdaDi5+DLh6tgIxMEtOpwTlfFrOUDaIcmWvzk92VtBFuafvoGzTipryTnMszjCsUTvyEPN8jPd6r8UmOFGXF2aVNksmn/bI97i4s1kYLgY8XsEOyx+Q9pUTkTEMn2JWgnEcSOAtaX1ZskHnfueKzUPb+/YWb+z8SNCgnUqHqa42qBqwlhdshzYhhfKhEisUptirzzp1kcbyHrug5PzHxh8Qri2pjHxSHYQ5sjig6K6B1YEuHP6uo19fL6BdgGlhKroiOF/6TMAcE9V3+yqvDdsW/IC0QXLHIBKC7wlDgLc25ltGogD/76P6tViDAb6+HNSSXJO056Ovq0z2BrXhnq1AmWa99mVnOLJwafRWPZC,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str]
hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str] hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn
R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2
dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj
bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl
T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-17T12:01:21Z" lastmodified: "2023-07-17T12:01:21Z"
mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str]
pgp: pgp:
- created_at: "2023-07-02T20:30:30Z" - created_at: "2023-07-02T20:30:30Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds
0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf
SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb
5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc
Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc
RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx
44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5
uGcEfsNiUXPngkNrh/Nvhh9w uGcEfsNiUXPngkNrh/Nvhh9w
=yHDZ =yHDZ
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3


@ -11,350 +11,361 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };
outputs = { outputs =
self, { self, nixpkgs, ... }:
nixpkgs, let
nixos-generators, systems = [
... "aarch64-linux"
}: let "x86_64-linux"
systems = [ ];
"aarch64-linux" forAllSystems = nixpkgs.lib.genAttrs systems;
"x86_64-linux" in
]; {
forAllSystems = nixpkgs.lib.genAttrs systems; nixosConfigurations.default = nixpkgs.lib.nixosSystem {
in {
nixosConfigurations.default =
nixpkgs.lib.nixosSystem
{
system = "aarch64-linux"; system = "aarch64-linux";
specialArgs = {}; specialArgs = { };
modules = [ modules = [
({ (
config, {
modulesPath, config,
pkgs, modulesPath,
lib, pkgs,
... lib,
}: { ...
nixpkgs.overlays = [ }:
(final: previous: { {
# inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; nixpkgs.overlays = [
# systemd = (_final: _previous: {
# self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal;
# src = /home/steveej/src/others/systemd; # systemd =
# self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: {
# src = /home/steveej/src/others/systemd;
# withAppArmor = false; # withAppArmor = false;
# withRepart = false; # withRepart = false;
# withHomed = false; # withHomed = false;
# withAcl = false; # withAcl = false;
# withEfi = false; # withEfi = false;
# withBootloader = false; # withBootloader = false;
# withCryptsetup = false; # withCryptsetup = false;
# withLibBPF = false; # withLibBPF = false;
# withOomd = false; # withOomd = false;
# withFido2 = false; # withFido2 = false;
# withApparmor = false; # withApparmor = false;
# withDocumentation = false; # withDocumentation = false;
# withUtmp = false; # withUtmp = false;
# withQrencode = false; # withQrencode = false;
# withVmspawn = false; # withVmspawn = false;
# withMachined = false; # withMachined = false;
# withLogTrace = true; # withLogTrace = true;
# withArchive = false; # withArchive = false;
# # don't need these but cause errors for exampel files not found # # don't need these but cause errors for exampel files not found
# # withLogind = false; # # withLogind = false;
# }) # })
# pkgs.systemdMinimal.override { # pkgs.systemdMinimal.override {
# # getting errors with these disabled # # getting errors with these disabled
# withCoredump = true; # withCoredump = true;
# withCompression = true; # withCompression = true;
# withLogind = true; # withLogind = true;
# withSysusers = true; # withSysusers = true;
# withUserDb = true; # withUserDb = true;
# } # }
# pkgs.systemdMinimal # pkgs.systemdMinimal
# pkgs.systemd.override { # pkgs.systemd.override {
# withRepart = false; # withRepart = false;
# withHomed = false; # withHomed = false;
# withAcl = false; # withAcl = false;
# withEfi = false; # withEfi = false;
# withBootloader = false; # withBootloader = false;
# withCryptsetup = false; # withCryptsetup = false;
# withLibBPF = false; # withLibBPF = false;
# withOomd = false; # withOomd = false;
# withFido2 = false; # withFido2 = false;
# withApparmor = false; # withApparmor = false;
# withDocumentation = false; # withDocumentation = false;
# withUtmp = false; # withUtmp = false;
# withQrencode = false; # withQrencode = false;
# withVmspawn = false; # withVmspawn = false;
# withMachined = false; # withMachined = false;
# withLogTrace = true; # withLogTrace = true;
# # don't need these but cause errors for exampel files not found # # don't need these but cause errors for exampel files not found
# # withLogind = false; # # withLogind = false;
# } # }
# ; # ;
}) })
]; ];
imports = [ imports = [ (modulesPath + "/profiles/minimal.nix") ];
(modulesPath + "/profiles/minimal.nix") system.stateVersion = "24.11";
];
system.stateVersion = "24.11";
# https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix
boot.isContainer = true; boot.isContainer = true;
# boot.tmp.useTmpfs = true; # boot.tmp.useTmpfs = true;
boot.loader.grub.enable = lib.mkForce false; boot.loader.grub.enable = lib.mkForce false;
boot.loader.systemd-boot.enable = lib.mkForce false; boot.loader.systemd-boot.enable = lib.mkForce false;
services.journald.console = "/dev/console"; services.journald.console = "/dev/console";
services.journald.storage = "none"; services.journald.storage = "none";
# boot.specialFileSystems = lib.mkForce {}; # boot.specialFileSystems = lib.mkForce {};
services.nscd.enable = false; services.nscd.enable = false;
system.nssModules = lib.mkForce []; system.nssModules = lib.mkForce [ ];
systemd.services.systemd-logind.enable = false; systemd.services.systemd-logind.enable = false;
systemd.services.console-getty.enable = false; systemd.services.console-getty.enable = false;
systemd.sockets.nix-daemon.enable = false; systemd.sockets.nix-daemon.enable = false;
systemd.services.nix-daemon.enable = false; systemd.services.nix-daemon.enable = false;
systemd.oomd.enable = false; systemd.oomd.enable = false;
networking.useDHCP = false; networking.useDHCP = false;
networking.firewall.enable = false; networking.firewall.enable = false;
# system.build.earlyMountScript = # system.build.earlyMountScript =
# lib.mkForce '' # lib.mkForce ''
# ''; # '';
# system.activationScripts.specialfs = # system.activationScripts.specialfs =
# lib.mkForce '' # lib.mkForce ''
# ''; # '';
boot.postBootCommands = '' boot.postBootCommands = ''
ls -lha /run ls -lha /run
mkdir -p /run/wrappers mkdir -p /run/wrappers
''; '';
boot.kernelParams = [ boot.kernelParams = [ "systemd.log_level=debug" ];
"systemd.log_level=debug"
];
# services.udev.enable = false; # services.udev.enable = false;
# TODO: this is only needed because `/run/current-system` is missing # TODO: this is only needed because `/run/current-system` is missing
# environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH";
systemd.mounts = lib.mkForce []; systemd.mounts = lib.mkForce [ ];
fileSystems = lib.mkForce {}; fileSystems = lib.mkForce { };
services.mycelium.enable = false; services.mycelium.enable = false;
services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile";
systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false;
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; systemd.services.mycelium.serviceConfig.User = lib.mkForce "root";
systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" '' systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (
while true; do pkgs.writeShellScript "mycelium" ''
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
'');
systemd.services.testing-credentials = {
wantedBy = ["multi-user.target"];
path = [pkgs.coreutils];
serviceConfig = {
# SyslogIdentifier = "testing-credentials";
# StateDirectory = "testing-credentials";
# DynamicUser = true;
# User = "tc";
# ProtectHome = true;
# ProtectSystem = true;
# LoadCredential = [
# "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}"
# "hosts:/etc/hosts"
# ];
SetCredential = "mycelium-keyfile:not secret string";
ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" ''
cd $STATE_DIRECTORY
pwd
env
while true; do while true; do
ls -lha $CREDENTIALS_DIRECTORY ls -lha $CREDENTIALS_DIRECTORY
sleep 5 sleep 5
done done
''); ''
}; );
};
services.caddy = { systemd.services.testing-credentials = {
enable = true; wantedBy = [ "multi-user.target" ];
globalConfig = '' path = [ pkgs.coreutils ];
auto_https off
''; serviceConfig = {
virtualHosts.":80" = { # SyslogIdentifier = "testing-credentials";
extraConfig = '' # StateDirectory = "testing-credentials";
respond "hello from ${config.networking.hostName}" # DynamicUser = true;
# User = "tc";
# ProtectHome = true;
# ProtectSystem = true;
# LoadCredential = [
# "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}"
# "hosts:/etc/hosts"
# ];
SetCredential = "mycelium-keyfile:not secret string";
ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
cd $STATE_DIRECTORY
pwd
env
while true; do
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
''
);
};
};
services.caddy = {
enable = true;
globalConfig = ''
auto_https off
''; '';
virtualHosts.":80" = {
extraConfig = ''
respond "hello from ${config.networking.hostName}"
'';
};
}; };
};
})
];
};
packages = forAllSystems (system: let
name = "mycelium";
inherit (self.inputs) nix-snapshotter;
config = {
entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init";
# port = 2379;
args = [
];
# nodePort = 30001;
};
myceliumPorts = {
tcp = [9651];
udp = [9650 9651];
};
inherit
(config)
entrypoint
# port
args
# nodePort
;
pkgs = import nixpkgs {
overlays = [nix-snapshotter.overlays.default];
};
image = pkgs.nix-snapshotter.buildImage {
inherit name;
resolvedByNix = true;
config = {
entrypoint = [entrypoint];
env = [
# this is read by the `/init` script and prevents various incompatible commands like mount, etc.
# the value of this doesn't seem to matter as long as it's not an empty string.
"container=nerd"
"SYSTEMD_LOG_LEVEL=debug"
];
volumes = {
# "/var/lib/private/mycelium/key.bin" = {};
# "/run" = {};
# "/tmp" = {};
# "/etc" = {};
};
copyToRoot = [
# self.nixosConfigurations.default.config.system.build.toplevel
];
};
};
in {
k8s = let
pod = pkgs.writeText "${name}-pod.json" (builtins.toJSON {
apiVersion = "v1";
kind = "Pod";
metadata = {
inherit name;
labels = {inherit name;};
};
spec.containers = [
{
inherit name args;
image = "nix:0${image}";
ports = [
{
name = "mycelium-tcp-0";
containerPort = builtins.elemAt myceliumPorts.tcp 0;
}
{
name = "mycelium-udp-0";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 0;
}
{
name = "mycelium-udp-1";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 1;
}
];
} }
]; )
}); ];
};
packages = forAllSystems (
system:
let
name = "mycelium";
inherit (self.inputs) nix-snapshotter;
service = pkgs.writeText "${name}-service.json" (builtins.toJSON { config = {
apiVersion = "v1"; entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init";
kind = "Service"; # port = 2379;
metadata.name = "${name}-service"; args = [ ];
spec = { # nodePort = 30001;
type = "NodePort"; };
selector = {inherit name;};
ports = [ myceliumPorts = {
{ tcp = [ 9651 ];
name = "mycelium-tcp-0"; udp = [
port = builtins.elemAt myceliumPorts.tcp 0 + 50000; 9650
targetPort = "mycelium-tcp-0"; 9651
}
{
name = "mycelium-udp-0";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 0 + 50000;
targetPort = "mycelium-udp-0";
}
{
name = "mycelium-udp-1";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 1 + 50000;
targetPort = "mycelium-udp-1";
}
]; ];
}; };
});
in
pkgs.runCommand "declarative-k8s" {} ''
mkdir -p $out/share/k8s
cp ${pod} $out/share/k8s/
cp ${service} $out/share/k8s/
'';
inherit image; inherit (config)
entrypoint
# port
start = pkgs.writeShellApplication { args
name = "start"; # nodePort
text = ''
set -x
rm -rf ./result
nix build --impure .#image
sudo nix2container load ./result
sudo -E nerdctl run --name ${name} --privileged -dt \
--cgroup-manager cgroupfs \
--volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \
"nix:0$(readlink result):latest"
'';
};
stop = pkgs.writeShellApplication { ;
name = "stop";
text = ''
set +e
sudo -E nerdctl stop -t 60 ${name}
sudo -E nerdctl rm --force ${name}
sudo -E nerdctl system prune --all --force
sudo systemctl stop nix-snapshotter
sudo systemctl stop containerd
mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l
sudo systemctl start containerd
sudo systemctl start nix-snapshotter
'';
# tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; };
# mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap image = pkgs.nix-snapshotter.buildImage {
}; inherit name;
}); resolvedByNix = true;
}; config = {
entrypoint = [ entrypoint ];
env = [
# this is read by the `/init` script and prevents various incompatible commands like mount, etc.
# the value of this doesn't seem to matter as long as it's not an empty string.
"container=nerd"
"SYSTEMD_LOG_LEVEL=debug"
];
volumes = {
# "/var/lib/private/mycelium/key.bin" = {};
# "/run" = {};
# "/tmp" = {};
# "/etc" = {};
};
copyToRoot = [
# self.nixosConfigurations.default.config.system.build.toplevel
];
};
};
in
{
k8s =
let
pod = pkgs.writeText "${name}-pod.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Pod";
metadata = {
inherit name;
labels = {
inherit name;
};
};
spec.containers = [
{
inherit name args;
image = "nix:0${image}";
ports = [
{
name = "mycelium-tcp-0";
containerPort = builtins.elemAt myceliumPorts.tcp 0;
}
{
name = "mycelium-udp-0";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 0;
}
{
name = "mycelium-udp-1";
protocol = "UDP";
containerPort = builtins.elemAt myceliumPorts.udp 1;
}
];
}
];
}
);
service = pkgs.writeText "${name}-service.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Service";
metadata.name = "${name}-service";
spec = {
type = "NodePort";
selector = {
inherit name;
};
ports = [
{
name = "mycelium-tcp-0";
port = builtins.elemAt myceliumPorts.tcp 0 + 50000;
targetPort = "mycelium-tcp-0";
}
{
name = "mycelium-udp-0";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 0 + 50000;
targetPort = "mycelium-udp-0";
}
{
name = "mycelium-udp-1";
protocol = "UDP";
port = builtins.elemAt myceliumPorts.udp 1 + 50000;
targetPort = "mycelium-udp-1";
}
];
};
}
);
in
pkgs.runCommand "declarative-k8s" { } ''
mkdir -p $out/share/k8s
cp ${pod} $out/share/k8s/
cp ${service} $out/share/k8s/
'';
inherit image;
start = pkgs.writeShellApplication {
name = "start";
text = ''
set -x
rm -rf ./result
nix build --impure .#image
sudo nix2container load ./result
sudo -E nerdctl run --name ${name} --privileged -dt \
--cgroup-manager cgroupfs \
--volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \
"nix:0$(readlink result):latest"
'';
};
stop = pkgs.writeShellApplication {
name = "stop";
text = ''
set +e
sudo -E nerdctl stop -t 60 ${name}
sudo -E nerdctl rm --force ${name}
sudo -E nerdctl system prune --all --force
sudo systemctl stop nix-snapshotter
sudo systemctl stop containerd
mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l
sudo systemctl start containerd
sudo systemctl start nix-snapshotter
'';
# tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap)
# mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap
};
}
);
};
} }


@ -6,28 +6,27 @@
syncthingPort ? 22000, syncthingPort ? 22000,
syncthingLocalAnnouncePort ? 21027, syncthingLocalAnnouncePort ? 21027,
autoStart ? false, autoStart ? false,
}: { }:
{
inherit specialArgs; inherit specialArgs;
config = { config =
config, { ... }:
pkgs, {
... system.stateVersion = "20.05"; # Did you read the comment?
}: {
system.stateVersion = "20.05"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix]; imports = [ ../profiles/containers/configuration.nix ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
# syncthing gui # syncthing gui
8384 8384
]; ];
services.syncthing = { services.syncthing = {
enable = true; enable = true;
openDefaultPorts = true; openDefaultPorts = true;
guiAddress = "0.0.0.0:8384"; guiAddress = "0.0.0.0:8384";
};
}; };
};
inherit autoStart; inherit autoStart;


@ -7,405 +7,417 @@
httpsPort, httpsPort,
forgejoSshPort, forgejoSshPort,
autoStart ? false, autoStart ? false,
}: let }:
let
domain = "www.stefanjunker.de"; domain = "www.stefanjunker.de";
in { in
{
inherit specialArgs; inherit specialArgs;
config = { config =
config, {
pkgs, config,
lib, pkgs,
repoFlake, lib,
nodeFlake, repoFlake,
system, nodeFlake,
... system,
}: { ...
system.stateVersion = "22.05"; # Did you read the comment? }:
{
system.stateVersion = "22.05"; # Did you read the comment?
disabledModules = [ disabledModules = [
"services/misc/forgejo.nix" "services/misc/forgejo.nix"
"services/security/kanidm.nix" "services/security/kanidm.nix"
];
imports = [
"${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"
"${repoFlake.inputs.nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix"
../profiles/containers/configuration.nix
repoFlake.inputs.sops-nix.nixosModules.sops
];
sops.defaultSopsFile = ./webserver_secrets.yaml;
networking.firewall.allowedTCPPorts = [
httpPort
httpsPort
forgejoSshPort
];
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets.hedgedoc_environment_file = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.hedgedoc.name;
};
services.caddy = {
enable = true;
logFormat = ''
level ERROR
'';
virtualHosts."${domain}" = {
extraConfig = ''
redir /hedgedoc* https://hedgedoc.${domain}
file_server /*/* {
browse
root /var/www/stefanjunker.de/htdocs/caddy
pass_thru
}
# respond "Hi"
# respond (not /*/*) "Hi"
'';
};
virtualHosts."hedgedoc.${domain}" = {
extraConfig = ''
reverse_proxy http://[::1]:3000
'';
};
virtualHosts."authelia.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
'';
};
virtualHosts."lldap.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
'';
};
virtualHosts."forgejo.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}
'';
};
virtualHosts."kanidm.${domain}" = {
extraConfig = ''
reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} {
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
'';
};
};
services.hedgedoc = {
enable = true;
settings = {
domain = "hedgedoc.${domain}";
urlPath = "";
protocolUseSSL = true;
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
allowAnonymous = false;
allowAnonymousEdits = false;
allowGravatar = false;
allowFreeURL = false;
defaultPermission = "private";
allowEmailRegister = false;
email = false;
ldap = {
url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
# these are set via the `environmentFile`
# bindCredentials = "$LDAP_ADMIN_PASSWORD";
searchBase = "ou=people,dc=stefanjunker,dc=de";
searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
useridField = "uid";
};
oauth2 = let
originURL = config.services.kanidm.serverSettings.origin;
in {
providerName = "kanidm (${originURL})";
authorizationURL = "${originURL}/ui/oauth2";
tokenURL = "${originURL}/oauth2/token";
userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo";
scope = "openid email profile";
# rolesClaim = "roles";
# accessRole = "role/hedgedoc";
userProfileUsernameAttr = "name";
userProfileDisplayNameAttr = "displayname";
userProfileEmailAttr = "email";
clientID = "hedgedoc";
# set via the `environmentFile`
# clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
};
uploadsPath = "/var/lib/hedgedoc/uploads";
};
environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
};
services.jitsi-meet = {
enable = false;
hostName = "meet.${domain}";
config = {
prejoinPageEnabled = true;
};
caddy.enable = true;
nginx.enable = false;
};
sops.secrets.authelia_storageEncryptionKey = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
sops.secrets.authelia_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
services.authelia.instances.default = let
baseDir = "/var/lib/authelia-default";
in {
enable = true;
secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
settings = {
theme = "auto";
default_2fa_method = "totp";
log.level = "debug";
server = {
disable_healthcheck = true;
host = "127.0.0.1";
port = 9091;
# path = "authelia";
};
storage = {
local.path = "${baseDir}/authelia.sqlite";
};
authentication_backend = {
file.path = "${baseDir}/first_factor.yaml";
file.search.email = true;
file.search.case_insensitive = false;
};
access_control = {
default_policy = "one_factor";
};
session.domain = "stefanjunker.de";
notifier = {
disable_startup_check = true;
filesystem.filename = "${baseDir}/notification.txt";
};
};
};
users.groups.lldap = {};
users.users.lldap = {
isSystemUser = true;
group = "lldap";
};
sops.secrets.lldap_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_adminPassword = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_environmentFile = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
services.lldap = {
enable = true;
environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path;
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path;
};
environmentFile = config.sops.secrets.lldap_environmentFile.path;
settings = {
verbose = true;
ldap_base_dn = "dc=stefanjunker,dc=de";
http_url = "https://lldap.${domain}";
## Options to configure SMTP parameters, to send password reset emails.
## To set these options from environment variables, use the following format
## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
smtp_options = {
## Whether to enabled password reset via email, from LLDAP.
enable_password_reset = true;
# port = 465;
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
# smtp_encryption = "TLS";
};
# database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc";
};
};
sops.secrets.FORGEJO_JWT_SECRET = {};
sops.secrets.FORGEJO_INTERNAL_TOKEN = {};
sops.secrets.FORGEJO_SECRET_KEY = {};
services.forgejo = {
enable = true;
package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo;
settings = {
service.DISABLE_REGISTRATION = true;
server.HTTP_ADDR = "127.0.0.1";
server.START_SSH_SERVER = true;
server.SSH_PORT = forgejoSshPort;
server.ROOT_URL = "https://forgejo.${domain}";
server.HTTP_PORT = 3001;
# TODO: how do i get a 3072 length SSH key with the yubikey?
"ssh.minimum_key_sizes".RSA = 2048;
};
secrets = {
oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path;
security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path;
security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path;
};
};
systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
# combine a path watcher with a service that transfers the certs by caddy to kanidm
systemd.paths.kanidm-tls-watch = {
enable = true;
requiredBy = ["kanidm.service"];
pathConfig = {
PathChanged = [
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
];
Unit = "kanidm-tls-update.service";
};
};
systemd.services.kanidm-tls-update = let
dbDir =
builtins.dirOf
config.services.kanidm.serverSettings.db_path;
in {
enable = true;
requiredBy = ["kanidm.service"];
unitConfig = {
# ConditionPathExists = [
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
# ];
};
serviceConfig.Type = "oneshot";
script = let
tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
in ''
set -xe
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain
chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain}
chmod 400 tls.{key,chain}
# create the kanidm directory in case it's missing
if [[ ! -d ${tlsDir} ]]; then
mkdir -p ${tlsDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir}
chmod 700 ${tlsDir}
fi
mv tls.key ${config.services.kanidm.serverSettings.tls_key}
mv tls.chain ${config.services.kanidm.serverSettings.tls_chain}
if [[ ! -d ${dbDir} ]]; then
mkdir -p ${dbDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir}
chmod 700 ${dbDir}
fi
'';
};
systemd.services.kanidm.serviceConfig = let
dbDir =
builtins.dirOf
config.services.kanidm.serverSettings.db_path;
# stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
in {
# ExecStartPre = ''
# mkdir -p ${dbDir}
# '';
BindPaths = [
dbDir
# stateDir
]; ];
};
services.kanidm = let imports = [
dataDir = "/var/lib/kanidm"; "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix"
in { "${repoFlake.inputs.nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix"
package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
enablePam = false; ../profiles/containers/configuration.nix
enableClient = false;
enableServer = true; repoFlake.inputs.sops-nix.nixosModules.sops
serverSettings = { ];
role = "WriteReplica";
log_level = "debug";
domain = "kanidm.${domain}"; sops.defaultSopsFile = ./webserver_secrets.yaml;
origin = "https://kanidm.${domain}";
db_path = "${dataDir}/db/kanidm.db"; networking.firewall.allowedTCPPorts = [
httpPort
httpsPort
forgejoSshPort
];
bindaddress = "127.0.0.1:8444"; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.hedgedoc_environment_file = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.hedgedoc.name;
};
# don't expose ldap services.caddy = {
# ldapbindaddress = "[::1]:6636"; enable = true;
logFormat = ''
level ERROR
'';
virtualHosts."${domain}" = {
extraConfig = ''
redir /hedgedoc* https://hedgedoc.${domain}
tls_key = "${dataDir}/tls/tls.key"; file_server /*/* {
tls_chain = "${dataDir}/tls/tls.chain"; browse
root /var/www/stefanjunker.de/htdocs/caddy
pass_thru
}
online_backup = { # respond "Hi"
schedule = "00 06 * * *"; # respond (not /*/*) "Hi"
'';
};
virtualHosts."hedgedoc.${domain}" = {
extraConfig = ''
reverse_proxy http://[::1]:3000
'';
};
virtualHosts."authelia.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
'';
};
virtualHosts."lldap.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
'';
};
virtualHosts."forgejo.${domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}
'';
};
virtualHosts."kanidm.${domain}" = {
extraConfig = ''
reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} {
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
'';
}; };
}; };
services.hedgedoc = {
enable = true;
settings = {
domain = "hedgedoc.${domain}";
urlPath = "";
protocolUseSSL = true;
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
allowAnonymous = false;
allowAnonymousEdits = false;
allowGravatar = false;
allowFreeURL = false;
defaultPermission = "private";
allowEmailRegister = false;
email = false;
ldap = {
url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
# these are set via the `environmentFile`
# bindCredentials = "$LDAP_ADMIN_PASSWORD";
searchBase = "ou=people,dc=stefanjunker,dc=de";
searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
useridField = "uid";
};
oauth2 =
let
originURL = config.services.kanidm.serverSettings.origin;
in
{
providerName = "kanidm (${originURL})";
authorizationURL = "${originURL}/ui/oauth2";
tokenURL = "${originURL}/oauth2/token";
userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo";
scope = "openid email profile";
# rolesClaim = "roles";
# accessRole = "role/hedgedoc";
userProfileUsernameAttr = "name";
userProfileDisplayNameAttr = "displayname";
userProfileEmailAttr = "email";
clientID = "hedgedoc";
# set via the `environmentFile`
# clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
};
uploadsPath = "/var/lib/hedgedoc/uploads";
};
environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
};
services.jitsi-meet = {
enable = false;
hostName = "meet.${domain}";
config = {
prejoinPageEnabled = true;
};
caddy.enable = true;
nginx.enable = false;
};
sops.secrets.authelia_storageEncryptionKey = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
sops.secrets.authelia_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
services.authelia.instances.default =
let
baseDir = "/var/lib/authelia-default";
in
{
enable = true;
secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
settings = {
theme = "auto";
default_2fa_method = "totp";
log.level = "debug";
server = {
disable_healthcheck = true;
host = "127.0.0.1";
port = 9091;
# path = "authelia";
};
storage = {
local.path = "${baseDir}/authelia.sqlite";
};
authentication_backend = {
file.path = "${baseDir}/first_factor.yaml";
file.search.email = true;
file.search.case_insensitive = false;
};
access_control = {
default_policy = "one_factor";
};
session.domain = "stefanjunker.de";
notifier = {
disable_startup_check = true;
filesystem.filename = "${baseDir}/notification.txt";
};
};
};
users.groups.lldap = { };
users.users.lldap = {
isSystemUser = true;
group = "lldap";
};
sops.secrets.lldap_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_adminPassword = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_environmentFile = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
services.lldap = {
enable = true;
environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path;
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path;
};
environmentFile = config.sops.secrets.lldap_environmentFile.path;
settings = {
verbose = true;
ldap_base_dn = "dc=stefanjunker,dc=de";
http_url = "https://lldap.${domain}";
## Options to configure SMTP parameters, to send password reset emails.
## To set these options from environment variables, use the following format
## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
smtp_options = {
## Whether to enabled password reset via email, from LLDAP.
enable_password_reset = true;
# port = 465;
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
# smtp_encryption = "TLS";
};
# database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc";
};
};
sops.secrets.FORGEJO_JWT_SECRET = { };
sops.secrets.FORGEJO_INTERNAL_TOKEN = { };
sops.secrets.FORGEJO_SECRET_KEY = { };
services.forgejo = {
enable = true;
package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo;
settings = {
service.DISABLE_REGISTRATION = true;
server.HTTP_ADDR = "127.0.0.1";
server.START_SSH_SERVER = true;
server.SSH_PORT = forgejoSshPort;
server.ROOT_URL = "https://forgejo.${domain}";
server.HTTP_PORT = 3001;
# TODO: how do i get a 3072 length SSH key with the yubikey?
"ssh.minimum_key_sizes".RSA = 2048;
};
secrets = {
oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path;
security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path;
security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path;
};
};
systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
# combine a path watcher with a service that transfers the certs by caddy to kanidm
systemd.paths.kanidm-tls-watch = {
enable = true;
requiredBy = [ "kanidm.service" ];
pathConfig = {
PathChanged = [
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
];
Unit = "kanidm-tls-update.service";
};
};
systemd.services.kanidm-tls-update =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
{
enable = true;
requiredBy = [ "kanidm.service" ];
unitConfig = {
# ConditionPathExists = [
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt"
# ];
};
serviceConfig.Type = "oneshot";
script =
let
tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
in
''
set -xe
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain
chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain}
chmod 400 tls.{key,chain}
# create the kanidm directory in case it's missing
if [[ ! -d ${tlsDir} ]]; then
mkdir -p ${tlsDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir}
chmod 700 ${tlsDir}
fi
mv tls.key ${config.services.kanidm.serverSettings.tls_key}
mv tls.chain ${config.services.kanidm.serverSettings.tls_chain}
if [[ ! -d ${dbDir} ]]; then
mkdir -p ${dbDir}
chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir}
chmod 700 ${dbDir}
fi
'';
};
systemd.services.kanidm.serviceConfig =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
# stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
{
# ExecStartPre = ''
# mkdir -p ${dbDir}
# '';
BindPaths = [
dbDir
# stateDir
];
};
services.kanidm =
let
dataDir = "/var/lib/kanidm";
in
{
package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
enablePam = false;
enableClient = false;
enableServer = true;
serverSettings = {
role = "WriteReplica";
log_level = "debug";
domain = "kanidm.${domain}";
origin = "https://kanidm.${domain}";
db_path = "${dataDir}/db/kanidm.db";
bindaddress = "127.0.0.1:8444";
# don't expose ldap
# ldapbindaddress = "[::1]:6636";
tls_key = "${dataDir}/tls/tls.key";
tls_chain = "${dataDir}/tls/tls.chain";
online_backup = {
schedule = "00 06 * * *";
};
};
};
}; };
};
inherit autoStart; inherit autoStart;
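Review bot: In the `kanidm-tls-update` script the private key is first written with `cat ... > tls.key` into the oneshot's working directory and only afterwards `chown`ed and `chmod 400`ed, so for a short window the key file exists with whatever the service's default umask grants in a directory that is not `${tlsDir}`. Adding `umask 077` directly after `set -xe` closes that window for both `tls.key` and `tls.chain`; alternatively move the `mkdir -p ${tlsDir}` block first and write the files straight into `${tlsDir}`. The reformat does not change this behaviour, but the file is being rewritten anyway and this is the only hunk in the chunk with a non-cosmetic point; the remaining sections are pure formatting.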


@ -9,37 +9,37 @@ FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9
FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str] FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str]
FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str] FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh
U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh
YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP
eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc
KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-16T12:28:51Z" lastmodified: "2024-10-16T12:28:51Z"
mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str]
pgp: pgp:
- created_at: "2023-07-09T17:51:27Z" - created_at: "2023-07-09T17:51:27Z"
enc: |- enc: |-
-----BEGIN PGP MESSAGE----- -----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD
gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO
8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+
XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w
YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku
bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI
F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i
g+ZF+9NNqOTKsBzEnuGsZRnI g+ZF+9NNqOTKsBzEnuGsZRnI
=iXfo =iXfo
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@ -1,20 +1,25 @@
{ {
dir, dir,
pkgs ? import <channels-nixos-stable> {}, pkgs ? import <channels-nixos-stable> { },
ownLib ? import ../lib/default.nix {inherit (pkgs) lib;}, ownLib ? import ../lib/default.nix { inherit (pkgs) lib; },
gitRoot ? "$(git rev-parse --show-toplevel)", gitRoot ? "$(git rev-parse --show-toplevel)",
# FIXME: why do these need explicit mentioning? # FIXME: why do these need explicit mentioning?
moreargs ? "", moreargs ? "",
rebuildarg ? "", rebuildarg ? "",
... ...
} @ args: let }@args:
rebuildargsSudo = ["switch" "boot"]; let
rebuild = { rebuildargsSudo = [
gitRoot, "switch"
rebuildarg ? "dry-activate", "boot"
moreargs ? "", ];
... rebuild =
}: {
gitRoot,
rebuildarg ? "dry-activate",
moreargs ? "",
...
}:
pkgs.writeScript "script" '' pkgs.writeScript "script" ''
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
@ -30,25 +35,24 @@
${ ${
if if
(builtins.elem rebuildarg rebuildargsSudo) (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null
&& (builtins.match ".*--target-host.*" moreargs) == null then
then "sudo -E \\" "sudo -E \\"
else "" else
""
} }
nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
''; '';
in { in
recipes = {
{ recipes = {
rebuild = rebuild = rebuild {
rebuild { inherit gitRoot;
inherit gitRoot; inherit moreargs;
inherit moreargs; inherit rebuildarg;
inherit rebuildarg;
}
# // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; }
# // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
;
} }
// (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;})); # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; }
# // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
;
} // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; }));
} }


@ -3,40 +3,29 @@
ownLib, ownLib,
dir, dir,
gitRoot, gitRoot,
diskId ? diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId,
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.diskId,
encrypted ? encrypted ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted,
{})
.hardware
.opinionatedDisk
.encrypted,
previousDiskId ? "", previousDiskId ? "",
... ...
}: let }:
let
mntRootVol = "/mnt/${diskId}-root"; mntRootVol = "/mnt/${diskId}-root";
in rec { in
rec {
diskMount = pkgs.writeScript "script" '' diskMount = pkgs.writeScript "script" ''
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
echo Mounting ${diskId} echo Mounting ${diskId}
${pkgs.lib.strings.optionalString encrypted '' ${pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
ownLib.disk.luksName diskId
}
''} ''}
sleep 1 sleep 1
sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo vgchange -ay ${ownLib.disk.volumeGroup diskId}
sudo mkdir -p /mnt sudo mkdir -p /mnt
sudo mkdir ${mntRootVol} sudo mkdir ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
sudo mount ${ sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home
ownLib.disk.rootFsDevice diskId
} ${mntRootVol}/nixos/home -o subvol=home
sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot
''; '';
@ -73,9 +62,7 @@ in rec {
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
read -p "Continue to format ${ read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice
ownLib.disk.bootGrubDevice diskId
} (YES/n)? " choice
case "$choice" in case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;; YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;; n|N ) echo "Exiting..."; exit 0;;
@ -122,15 +109,11 @@ in rec {
${pkgs.lib.strings.optionalString encrypted '' ${pkgs.lib.strings.optionalString encrypted ''
# Encrypt # Encrypt
sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
ownLib.disk.luksName diskId
}
''} ''}
# LVM # LVM
sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted}
ownLib.disk.lvmPv diskId encrypted
}
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
@ -154,9 +137,7 @@ in rec {
#!/usr/bin/env bash #!/usr/bin/env bash
set -xe set -xe
read -p "Continue to relabel ${ read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice
ownLib.disk.bootGrubDevice diskId
} (YES/n)?" choice
case "$choice" in case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;; YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;; n|N ) echo "Exiting..."; exit 0;;
@ -187,13 +168,9 @@ in rec {
if test "${previousDiskId}"; then if test "${previousDiskId}"; then
${ ${pkgs.lib.strings.optionalString encrypted ''
pkgs.lib.strings.optionalString encrypted '' sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ ''}
ownLib.disk.luksName diskId
}
''
}
sync sync
sleep 1 sleep 1
if sudo vgs ${previousDiskId}; then if sudo vgs ${previousDiskId}; then


@ -1,4 +1,5 @@
{lib, ...}: { { lib, ... }:
{
boot.loader.grub.efiSupport = lib.mkForce false; boot.loader.grub.efiSupport = lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }


@ -1,4 +1,5 @@
{...}: { { ... }:
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix ../../profiles/graphical/configuration.nix


@ -3,17 +3,17 @@
repoFlake, repoFlake,
nodeFlake, nodeFlake,
... ...
}: let }:
let
system = "x86_64-linux"; system = "x86_64-linux";
in { in
{
meta.nodeSpecialArgs.${nodeName} = { meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake; inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
}; };
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
inherit system;
};
${nodeName} = { ${nodeName} = {
deployment.targetHost = "elias-e525.lan"; deployment.targetHost = "elias-e525.lan";


@ -6,5 +6,5 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = _: {}; outputs = _: { };
} }

View file

@ -1,4 +1,4 @@
{...}: { _: {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;


@ -1,8 +1,5 @@
{ { pkgs, lib, ... }:
pkgs, let
lib,
...
}: let
homeEnv = keyboard: { homeEnv = keyboard: {
imports = [ imports = [
../../../home-manager/profiles/common.nix ../../../home-manager/profiles/common.nix
@ -22,26 +19,27 @@
rustdesk rustdesk
]; ];
}; };
in { in
services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { {
services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) {
gnome-remote-desktop.enable = true; gnome-remote-desktop.enable = true;
}; };
home-manager.users.steveej = homeEnv { home-manager.users.steveej = homeEnv {
layout = "en"; layout = "en";
options = ["nodeadkey"]; options = [ "nodeadkey" ];
variant = "altgr-intl"; variant = "altgr-intl";
}; };
home-manager.users.elias = homeEnv { home-manager.users.elias = homeEnv {
layout = "de"; layout = "de";
options = []; options = [ ];
variant = ""; variant = "";
}; };
home-manager.users.justyna = homeEnv { home-manager.users.justyna = homeEnv {
layout = "de"; layout = "de";
options = []; options = [ ];
variant = ""; variant = "";
}; };
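Review bot: The `services.gnome` assignment in this hunk still routes a single option through `builtins.mapAttrs (_attr: value: lib.mkForce value)`, which obscures that a remote-access service is being force-enabled over whatever a shared profile sets; `services.gnome.gnome-remote-desktop.enable = lib.mkForce true;` expresses the same thing directly. Because this is a multi-user machine (three home-manager users are defined in the same hunk) and rustdesk is installed alongside, a short why-comment would help the next reader, e.g. `# force-enabled despite the shared profile default; remote sessions are presumably gated by GNOME RDP credentials — confirm`. The `homeEnv` helper that these users call begins in the previous hunk, outside this one.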


@ -1,10 +1,5 @@
{ pkgs, lib, ... }:
{ {
pkgs,
lib,
config,
...
}: let
in {
# TASK: new device # TASK: new device
networking.hostName = "elias-e525"; # Define your hostname. networking.hostName = "elias-e525"; # Define your hostname.
@ -38,11 +33,13 @@ in {
# udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
}; };
security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
services.xserver.videoDrivers = ["modesetting"]; services.xserver.videoDrivers = [ "modesetting" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = {automatic = true;}; nix.gc = {
automatic = true;
};
} }


@ -1,12 +1,9 @@
{ { config, pkgs, ... }:
config, let
pkgs,
lib,
...
}: let
keys = import ../../../variables/keys.nix; keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser;
in { in
{
sops.secrets.sharedUsers-elias = { sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml; sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true; neededForUsers = true;


@ -1,4 +1,5 @@
{lib, ...}: { { lib, ... }:
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }


@ -1,4 +1,5 @@
{...}: { { ... }:
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix ../../modules/opinionatedDisk.nix


@ -1,5 +1,4 @@
{...}: let _: {
in {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;


@ -1,17 +1,17 @@
{pkgs, ...}: { { pkgs, ... }:
nixpkgs.config.packageOverrides = pkgs: {
with pkgs; { nixpkgs.config.packageOverrides =
nixPath = pkgs: with pkgs; {
(import ../../../default.nix { inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath;
versionsPath = ./versions.nix;
})
.nixPath;
}; };
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs; inherit pkgs;
}; };
environment.systemPackages = with pkgs; [iw wirelesstools]; environment.systemPackages = with pkgs; [
iw
wirelesstools
];
system.stateVersion = "21.11"; system.stateVersion = "21.11";
} }


@ -1,12 +1,8 @@
{ { pkgs, lib, ... }:
pkgs, let
lib,
config,
...
}: let
keys = import ../../../variables/keys.nix;
passwords = import ../../../variables/passwords.crypt.nix; passwords = import ../../../variables/passwords.crypt.nix;
in { in
{
# TASK: new device # TASK: new device
networking.hostName = "fwhost1"; # Define your hostname. networking.hostName = "fwhost1"; # Define your hostname.
@ -21,11 +17,14 @@ in {
networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = ["eth0" "eth1"]; networking.bridges.breth.interfaces = [
"eth0"
"eth1"
];
networking.bridges.breth.rstp = true; networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10"; networking.defaultGateway.address = "172.172.171.10";
networking.nameservers = ["172.172.171.10"]; networking.nameservers = [ "172.172.171.10" ];
# WAN interfaces, currently unused because the OPNsense guest acts as a router. # WAN interfaces, currently unused because the OPNsense guest acts as a router.
networking.vlans.wan1.id = 3; networking.vlans.wan1.id = 3;


@ -1,9 +1 @@
{ _: { }
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
in {}


@ -4,9 +4,12 @@ let
ref = "nixos-21.11"; ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
}; };
in { in
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";}; nixos = nixpkgs // {
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {


@ -6,9 +6,12 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>''; ' -%>'';
}; };
in { in
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";}; nixos = nixpkgs // {
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {


@ -1,4 +1,5 @@
{lib, ...}: { { lib, ... }:
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
} }


@ -1,4 +1,5 @@
{...}: { { ... }:
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix ../../modules/opinionatedDisk.nix


@ -1,5 +1,4 @@
{...}: let _: {
in {
# TASK: new device # TASK: new device
hardware.opinionatedDisk = { hardware.opinionatedDisk = {
enable = true; enable = true;

View file

@ -1,17 +1,17 @@
{pkgs, ...}: { { pkgs, ... }:
nixpkgs.config.packageOverrides = pkgs: {
with pkgs; { nixpkgs.config.packageOverrides =
nixPath = pkgs: with pkgs; {
(import ../../../default.nix { inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath;
versionsPath = ./versions.nix;
})
.nixPath;
}; };
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs; inherit pkgs;
}; };
environment.systemPackages = with pkgs; [iw wirelesstools]; environment.systemPackages = with pkgs; [
iw
wirelesstools
];
system.stateVersion = "21.11"; system.stateVersion = "21.11";
} }


@ -1,13 +1,8 @@
{ { pkgs, lib, ... }:
pkgs, let
lib,
config,
utils,
...
}: let
keys = import ../../../variables/keys.nix;
passwords = import ../../../variables/passwords.crypt.nix; passwords = import ../../../variables/passwords.crypt.nix;
in { in
{
# TASK: new device # TASK: new device
networking.hostName = "fwhost2"; # Define your hostname. networking.hostName = "fwhost2"; # Define your hostname.
@ -22,11 +17,14 @@ in {
networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false; networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = ["eth0" "eth1"]; networking.bridges.breth.interfaces = [
"eth0"
"eth1"
];
networking.bridges.breth.rstp = true; networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10"; networking.defaultGateway.address = "172.172.171.10";
networking.nameservers = ["172.172.171.10"]; networking.nameservers = [ "172.172.171.10" ];
# WAN interfaces, currently unused because the OPNsense guest acts as a router. # WAN interfaces, currently unused because the OPNsense guest acts as a router.
networking.vlans.wan1.id = 3; networking.vlans.wan1.id = 3;


@ -1,12 +1,4 @@
{ _: {
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
# users.extraUsers.steveej2 = mkUser { # users.extraUsers.steveej2 = mkUser {
# uid = 1001; # uid = 1001;
# openssh.authorizedKeys.keys = keys.users.steveej.openssh; # openssh.authorizedKeys.keys = keys.users.steveej.openssh;


@ -4,9 +4,12 @@ let
ref = "nixos-21.11"; ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
}; };
in { in
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";}; nixos = nixpkgs // {
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {


@ -6,9 +6,12 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>''; ' -%>'';
}; };
in { in
{
inherit nixpkgs; inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";}; nixos = nixpkgs // {
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs; "channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = { "channels-nixos-unstable" = {


@ -4,4 +4,3 @@
# TODO: generate an SSH host-key and deploy it via --extra-files # TODO: generate an SSH host-key and deploy it via --extra-files
nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252 nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252
``` ```


@ -1,17 +1,14 @@
{ {
modulesPath,
repoFlake, repoFlake,
packages',
pkgs, pkgs,
lib, lib,
config,
nodeFlake, nodeFlake,
nodeName, nodeName,
system, system,
... ...
}: { }:
disabledModules = [ {
]; disabledModules = [ ];
imports = [ imports = [
nodeFlake.inputs.disko.nixosModules.disko nodeFlake.inputs.disko.nixosModules.disko
@ -28,9 +25,7 @@
} }
../../snippets/nix-settings.nix ../../snippets/nix-settings.nix
{ { nix.settings.sandbox = lib.mkForce "relaxed"; }
nix.settings.sandbox = lib.mkForce "relaxed";
}
../../snippets/mycelium.nix ../../snippets/mycelium.nix
@ -80,60 +75,58 @@
nat.enable = true; nat.enable = true;
firewall.enable = true; firewall.enable = true;
firewall.allowedTCPPorts = [ firewall.allowedTCPPorts = [ 5201 ];
5201 firewall.allowedUDPPorts = [ 5201 ];
];
firewall.allowedUDPPorts = [
5201
];
}; };
disko.devices = let disko.devices =
disk = id: { let
type = "disk"; disk = id: {
device = "/dev/${id}"; type = "disk";
content = { device = "/dev/${id}";
type = "gpt"; content = {
partitions = { type = "gpt";
boot = { partitions = {
size = "1M"; boot = {
type = "EF02"; # for grub MBR size = "1M";
}; type = "EF02"; # for grub MBR
mdadm = { };
size = "100%"; mdadm = {
content = { size = "100%";
type = "mdraid"; content = {
name = "raid0"; type = "mdraid";
name = "raid0";
};
}; };
}; };
}; };
}; };
}; in
in { {
disk = { disk = {
sda = disk "sda"; sda = disk "sda";
sdb = disk "sdb"; sdb = disk "sdb";
}; };
mdadm = { mdadm = {
raid0 = { raid0 = {
type = "mdadm"; type = "mdadm";
level = 0; level = 0;
content = { content = {
type = "gpt"; type = "gpt";
partitions = { partitions = {
primary = { primary = {
size = "100%"; size = "100%";
content = { content = {
type = "filesystem"; type = "filesystem";
format = "btrfs"; format = "btrfs";
mountpoint = "/"; mountpoint = "/";
};
}; };
}; };
}; };
}; };
}; };
}; };
};
system.stateVersion = "24.05"; system.stateVersion = "24.05";
@ -149,7 +142,5 @@
virtualisation.libvirtd.enable = true; virtualisation.libvirtd.enable = true;
boot.binfmt.emulatedSystems = [ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
"aarch64-linux"
];
} }
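Review bot: The second hunk keeps `nix.settings.sandbox = lib.mkForce "relaxed";` without explaining which derivation needs it; with the relaxed setting any derivation that sets `__noChroot = true` runs with host filesystem and network access, so the build-isolation guarantee is only as strong as the least trusted build this host evaluates. On a bare-metal node that also runs libvirtd and unconditionally opens TCP/UDP 5201 in the firewall hunk (iperf3, presumably, on what the node's default.nix shows as a public address), that is worth either reverting to the default or documenting, e.g. `# relaxed only so <derivation> can use __noChroot; revert once it builds sandboxed`. The 5201 port openings likewise deserve a why-comment or a move behind the VPN zone, since nothing in the hunk restricts their source.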


@ -3,19 +3,22 @@
repoFlake, repoFlake,
nodeFlake, nodeFlake,
... ...
}: let }:
let
system = "x86_64-linux"; system = "x86_64-linux";
in { in
{
meta.nodeSpecialArgs.${nodeName} = { meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system; inherit
repoFlake
nodeName
nodeFlake
system
;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
}; };
meta.nodeNixpkgs.${nodeName} = meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = { ${nodeName} = {
deployment.targetHost = "185.130.224.33"; deployment.targetHost = "185.130.224.33";


@ -16,38 +16,37 @@
# outputs = _: {}; # outputs = _: {};
outputs = { outputs =
self, {
get-flake, self,
nixpkgs, get-flake,
... nixpkgs,
} @ attrs: let ...
system = "x86_64-linux"; }:
nodeName = "hostkey-0"; let
system = "x86_64-linux";
nodeName = "hostkey-0";
mkNixosConfiguration = {extraModules ? [], ...} @ attrs: mkNixosConfiguration =
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate
attrs
{ {
specialArgs = { extraModules ? [ ],
nodeFlake = self; ...
repoFlake = get-flake ../../../..; }@attrs:
inherit nodeName; nixpkgs.lib.nixosSystem (
}; nixpkgs.lib.attrsets.recursiveUpdate attrs {
specialArgs = {
nodeFlake = self;
repoFlake = get-flake ../../../..;
inherit nodeName;
};
modules = modules = [ ./configuration.nix ] ++ extraModules;
[ }
./configuration.nix );
] in
++ extraModules; {
} nixosConfigurations = {
); native = mkNixosConfiguration { inherit system; };
in {
nixosConfigurations = {
native = mkNixosConfiguration {
inherit system;
}; };
}; };
};
} }


@ -1,16 +1,24 @@
{ {
"enabled": 1, "enabled": 1,
"hidden": false, "hidden": false,
"description": "Jobsets", "description": "Jobsets",
"nixexprinput": "src", "nixexprinput": "src",
"nixexprpath": "default.nix", "nixexprpath": "default.nix",
"checkinterval": 300, "checkinterval": 300,
"schedulingshares": 100, "schedulingshares": 100,
"enableemail": false, "enableemail": false,
"emailoverride": "", "emailoverride": "",
"keepnr": 3, "keepnr": 3,
"inputs": { "inputs": {
"src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false }, "src": {
"nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false } "type": "git",
"value": "git://github.com/shlevy/declarative-hydra-example.git",
"emailresponsible": false
},
"nixpkgs": {
"type": "git",
"value": "git://github.com/NixOS/nixpkgs.git release-16.03",
"emailresponsible": false
} }
}
} }


@ -1,4 +1,5 @@
{lib, ...}: { { lib, ... }:
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce false; boot.loader.grub.efiInstallAsRemovable = lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
boot.loader.grub.efiSupport = lib.mkForce false; boot.loader.grub.efiSupport = lib.mkForce false;


@ -1,4 +1,5 @@
{...}: { { ... }:
{
imports = [ imports = [
../../profiles/common/configuration.nix ../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix ../../profiles/graphical/configuration.nix


@ -3,17 +3,17 @@
repoFlake, repoFlake,
nodeFlake, nodeFlake,
... ...
}: let }:
let
system = "x86_64-linux"; system = "x86_64-linux";
in { in
{
meta.nodeSpecialArgs.${nodeName} = { meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake; inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
}; };
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
inherit system;
};
${nodeName} = { ${nodeName} = {
deployment.targetHost = nodeName; deployment.targetHost = nodeName;


@ -6,8 +6,8 @@
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
inputs.disko.url = github:nix-community/disko; inputs.disko.url = "github:nix-community/disko";
inputs.disko.inputs.nixpkgs.follows = "nixpkgs"; inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
outputs = _: {}; outputs = _: { };
} }


@ -1,12 +1,6 @@
{ nodeFlake, ... }:
{ {
repoFlake, imports = [ nodeFlake.inputs.disko.nixosModules.disko ];
nodeFlake,
lib,
...
}: {
imports = [
nodeFlake.inputs.disko.nixosModules.disko
];
disko.devices.disk.sda = { disko.devices.disk.sda = {
device = "/dev/sda"; device = "/dev/sda";
@ -20,7 +14,7 @@
start = "0"; start = "0";
end = "1M"; end = "1M";
part-type = "primary"; part-type = "primary";
flags = ["bios_grub"]; flags = [ "bios_grub" ];
} }
{ {
name = "root"; name = "root";
@ -30,14 +24,14 @@
bootable = true; bootable = true;
content = { content = {
type = "btrfs"; type = "btrfs";
extraArgs = ["-f"]; # Override existing partition extraArgs = [ "-f" ]; # Override existing partition
subvolumes = { subvolumes = {
# Subvolume name is different from mountpoint # Subvolume name is different from mountpoint
"/rootfs" = { "/rootfs" = {
mountpoint = "/"; mountpoint = "/";
}; };
"/nix" = { "/nix" = {
mountOptions = ["noatime"]; mountOptions = [ "noatime" ];
}; };
}; };
}; };


@ -3,7 +3,8 @@
lib, lib,
packages', packages',
... ...
}: let }:
let
homeEnv = keyboard: { homeEnv = keyboard: {
imports = [ imports = [
../../../home-manager/profiles/common.nix ../../../home-manager/profiles/common.nix
@ -23,15 +24,19 @@
rustdesk rustdesk
]; ];
}; };
in { in
services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { {
services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) {
gnome-remote-desktop.enable = true; gnome-remote-desktop.enable = true;
}; };
services.printing.drivers = lib.mkForce (with packages'; [ services.printing.drivers = lib.mkForce (
dcpj4110dwDriver with packages';
dcpj4110dwCupswrapper [
]); dcpj4110dwDriver
dcpj4110dwCupswrapper
]
);
services.printing.extraConf = '' services.printing.extraConf = ''
LogLevel debug LogLevel debug
@ -39,31 +44,29 @@ in {
home-manager.users.steveej = homeEnv { home-manager.users.steveej = homeEnv {
layout = "en"; layout = "en";
options = ["nodeadkey"]; options = [ "nodeadkey" ];
variant = "altgr-intl"; variant = "altgr-intl";
}; };
home-manager.users.elias = homeEnv { home-manager.users.elias = homeEnv {
layout = "de"; layout = "de";
options = []; options = [ ];
variant = ""; variant = "";
}; };
home-manager.users.justyna = home-manager.users.justyna =
lib.attrsets.recursiveUpdate lib.attrsets.recursiveUpdate
(homeEnv { (homeEnv {
layout = "de"; layout = "de";
options = []; options = [ ];
variant = ""; variant = "";
}) })
{ {
services.syncthing.enable = true; services.syncthing.enable = true;
services.syncthing.tray = true; services.syncthing.tray = true;
home.packages = with pkgs; [ home.packages = with pkgs; [ session-desktop ];
session-desktop };
];
};
system.stateVersion = "21.11"; system.stateVersion = "21.11";
} }


@ -1,11 +1,8 @@
{ { pkgs, lib, ... }:
pkgs, let
lib,
config,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix; passwords = import ../../../variables/passwords.crypt.nix;
in { in
{
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
# iperf3 # iperf3
@ -39,11 +36,13 @@ in {
# udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
}; };
security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
services.xserver.videoDrivers = ["modesetting"]; services.xserver.videoDrivers = [ "modesetting" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = {automatic = true;}; nix.gc = {
automatic = true;
};
} }


@ -1,11 +1,9 @@
{ { config, pkgs, ... }:
config, let
pkgs,
...
}: let
keys = import ../../../variables/keys.nix; keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser;
in { in
{
sops.secrets.sharedUsers-elias = { sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml; sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true; neededForUsers = true;



@ -5,25 +5,24 @@
nodeFlake, nodeFlake,
localDomainName ? "internal", localDomainName ? "internal",
... ...
}: { }:
{
meta.nodeSpecialArgs.${nodeName} = { meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system; inherit
repoFlake
nodeName
nodeFlake
system
;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system};
inherit inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986;
(nodeFlake.inputs.bpir3.packages.${system})
armTrustedFirmwareMT7986
;
inherit localDomainName; inherit localDomainName;
}; };
meta.nodeNixpkgs.${nodeName} = meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = { ${nodeName} = {
deployment.targetHost = "${nodeName}.${localDomainName}"; deployment.targetHost = "${nodeName}.${localDomainName}";


@ -18,8 +18,8 @@
# "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile" # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile"
# "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile" # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile"
"github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile_mtkbump" "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile_mtkbump"
# "git+file:///home/steveej/src/others/nakato_nixos-sbc/" # "git+file:///home/steveej/src/others/nakato_nixos-sbc/"
; ;
nixos-sbc.inputs.nixpkgs.follows = "nixpkgs"; nixos-sbc.inputs.nixpkgs.follows = "nixpkgs";
nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
@ -39,43 +39,34 @@
# }; # };
}; };
outputs = { outputs =
self, {
get-flake, self,
nixpkgs, get-flake,
nixos-sbc, nixpkgs,
... ...
}: let }:
nativeSystem = "aarch64-linux"; let
nodeName = "router0-dmz0"; nativeSystem = "aarch64-linux";
nodeName = "router0-dmz0";
pkgs = nixpkgs.legacyPackages.${nativeSystem}; mkNixosConfiguration =
pkgsCross = import self.inputs.nixpkgs {
system = "x86_64-linux";
crossSystem = {
config = "aarch64-unknown-linux-gnu";
};
};
mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate
attrs
{ {
specialArgs = extraModules ? [ ],
(import ./default.nix { ...
system = nativeSystem; }@attrs:
inherit nodeName; nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate attrs {
specialArgs =
(import ./default.nix {
system = nativeSystem;
inherit nodeName;
repoFlake = get-flake ../../../..; repoFlake = get-flake ../../../..;
nodeFlake = self; nodeFlake = self;
}) }).meta.nodeSpecialArgs.${nodeName};
.meta
.nodeSpecialArgs
.${nodeName};
modules = modules = [
[
./configuration.nix ./configuration.nix
# flake registry # flake registry
@ -83,34 +74,30 @@
nixpkgs.overlays = builtins.attrValues self.overlays; nixpkgs.overlays = builtins.attrValues self.overlays;
nix.registry.nixpkgs.flake = nixpkgs; nix.registry.nixpkgs.flake = nixpkgs;
} }
] ] ++ extraModules;
++ extraModules;
}
);
in {
nixosConfigurations = {
native = mkNixosConfiguration {
system = nativeSystem;
};
cross = mkNixosConfiguration {
extraModules = [
{
nixpkgs.buildPlatform.system = "x86_64-linux";
nixpkgs.hostPlatform.system = nativeSystem;
} }
]; );
}; in
}; {
nixosConfigurations = {
native = mkNixosConfiguration { system = nativeSystem; };
overlays.default = final: previous: { cross = mkNixosConfiguration {
hostapd = previous.hostapd.overrideDerivation (attrs: { extraModules = [
patches = {
attrs.patches nixpkgs.buildPlatform.system = "x86_64-linux";
++ [ nixpkgs.hostPlatform.system = nativeSystem;
}
];
};
};
overlays.default = _final: previous: {
hostapd = previous.hostapd.overrideDerivation (attrs: {
patches = attrs.patches ++ [
"${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"
]; ];
}); });
};
}; };
};
} }


@ -5,11 +5,11 @@
config, config,
nodeFlake, nodeFlake,
nodeName, nodeName,
localDomainName,
system, system,
variables, variables,
... ...
}: { }:
{
system.stateVersion = "24.05"; system.stateVersion = "24.05";
imports = [ imports = [
@ -48,7 +48,7 @@
boot.loader.grub.efiSupport = false; boot.loader.grub.efiSupport = false;
# forcing seems required or else there's an error about duplicated devices # forcing seems required or else there's an error about duplicated devices
boot.loader.grub.devices = lib.mkForce ["/dev/vda"]; boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ];
disko.devices.disk.vda = { disko.devices.disk.vda = {
device = "/dev/vda"; device = "/dev/vda";
@ -64,14 +64,14 @@
size = "100%"; size = "100%";
content = { content = {
type = "btrfs"; type = "btrfs";
extraArgs = ["-f"]; # Override existing partition extraArgs = [ "-f" ]; # Override existing partition
subvolumes = { subvolumes = {
# Subvolume name is different from mountpoint # Subvolume name is different from mountpoint
"/rootfs" = { "/rootfs" = {
mountpoint = "/"; mountpoint = "/";
}; };
"/nix" = { "/nix" = {
mountOptions = ["noatime"]; mountOptions = [ "noatime" ];
mountpoint = "/nix"; mountpoint = "/nix";
}; };
"/boot" = { "/boot" = {
@ -156,9 +156,7 @@
interface = "eth0"; interface = "eth0";
address = variables.ipv4gateway; address = variables.ipv4gateway;
}; };
nameservers = [ nameservers = [ variables.ipv4dns ];
variables.ipv4dns
];
# these will be configured via nftables # these will be configured via nftables
nat.enable = lib.mkForce false; nat.enable = lib.mkForce false;
@ -176,17 +174,20 @@
snippets.nnf-common.enable = true; snippets.nnf-common.enable = true;
zones.wan = { zones.wan = {
interfaces = ["eth0"]; interfaces = [ "eth0" ];
}; };
zones.vpn = { zones.vpn = {
interfaces = ["wg0" "wg1"]; interfaces = [
"wg0"
"wg1"
];
}; };
rules = { rules = {
to-fw = { to-fw = {
from = "all"; from = "all";
to = ["fw"]; to = [ "fw" ];
verdict = "drop"; verdict = "drop";
allowedTCPPorts = [ allowedTCPPorts = [
@ -202,8 +203,8 @@
}; };
vpn-to-wan-nat = { vpn-to-wan-nat = {
from = ["vpn"]; from = [ "vpn" ];
to = ["wan"]; to = [ "wan" ];
masquerade = true; masquerade = true;
verdict = "accept"; verdict = "accept";
}; };
@ -283,9 +284,7 @@
systemd.network.networks.wg0 = { systemd.network.networks.wg0 = {
enable = true; enable = true;
matchConfig.Name = "wg0"; matchConfig.Name = "wg0";
address = [ address = [ "10.0.1.0/31" ];
"10.0.1.0/31"
];
routes = [ routes = [
{ {
@ -299,9 +298,7 @@
systemd.network.networks.wg1 = { systemd.network.networks.wg1 = {
enable = true; enable = true;
matchConfig.Name = "wg1"; matchConfig.Name = "wg1";
address = [ address = [ "10.0.1.2/31" ];
"10.0.1.2/31"
];
routes = [ routes = [
{ {


@ -4,20 +4,24 @@
repoFlake, repoFlake,
nodeFlake, nodeFlake,
... ...
}: let }:
let
variables = import ./variables.crypt.nix; variables = import ./variables.crypt.nix;
in { in
{
meta.nodeSpecialArgs.${nodeName} = { meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system variables; inherit
repoFlake
nodeName
nodeFlake
system
variables
;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system};
}; };
meta.nodeNixpkgs.${nodeName} = meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = { ${nodeName} = {
deployment.targetHost = variables.ipv4; deployment.targetHost = variables.ipv4;


@ -15,5 +15,5 @@
nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
}; };
outputs = _: {}; outputs = _: { };
} }


@ -5,11 +5,11 @@
config, config,
nodeFlake, nodeFlake,
nodeName, nodeName,
localDomainName,
system, system,
variables, variables,
... ...
}: { }:
{
system.stateVersion = "23.11"; system.stateVersion = "23.11";
imports = [ imports = [
@ -48,7 +48,7 @@
boot.loader.grub.efiSupport = false; boot.loader.grub.efiSupport = false;
# forcing seems required or else there's an error about duplicated devices # forcing seems required or else there's an error about duplicated devices
boot.loader.grub.devices = lib.mkForce ["/dev/vda"]; boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ];
disko.devices.disk.vda = { disko.devices.disk.vda = {
device = "/dev/vda"; device = "/dev/vda";
@ -64,14 +64,14 @@
size = "100%"; size = "100%";
content = { content = {
type = "btrfs"; type = "btrfs";
extraArgs = ["-f"]; # Override existing partition extraArgs = [ "-f" ]; # Override existing partition
subvolumes = { subvolumes = {
# Subvolume name is different from mountpoint # Subvolume name is different from mountpoint
"/rootfs" = { "/rootfs" = {
mountpoint = "/"; mountpoint = "/";
}; };
"/nix" = { "/nix" = {
mountOptions = ["noatime"]; mountOptions = [ "noatime" ];
mountpoint = "/nix"; mountpoint = "/nix";
}; };
"/boot" = { "/boot" = {
@ -156,9 +156,7 @@
interface = "eth0"; interface = "eth0";
address = variables.ipv4gateway; address = variables.ipv4gateway;
}; };
nameservers = [ nameservers = [ variables.ipv4dns ];
variables.ipv4dns
];
# these will be configured via nftables # these will be configured via nftables
nat.enable = lib.mkForce false; nat.enable = lib.mkForce false;
@ -176,17 +174,20 @@
snippets.nnf-common.enable = true; snippets.nnf-common.enable = true;
zones.wan = { zones.wan = {
interfaces = ["eth0"]; interfaces = [ "eth0" ];
}; };
zones.vpn = { zones.vpn = {
interfaces = ["wg0" "wg1"]; interfaces = [
"wg0"
"wg1"
];
}; };
rules = { rules = {
to-fw = { to-fw = {
from = "all"; from = "all";
to = ["fw"]; to = [ "fw" ];
verdict = "drop"; verdict = "drop";
allowedTCPPorts = [ allowedTCPPorts = [
@ -202,8 +203,8 @@
}; };
vpn-to-wan-nat = { vpn-to-wan-nat = {
from = ["vpn"]; from = [ "vpn" ];
to = ["wan"]; to = [ "wan" ];
masquerade = true; masquerade = true;
verdict = "accept"; verdict = "accept";
}; };
@ -283,9 +284,7 @@
systemd.network.networks.wg0 = { systemd.network.networks.wg0 = {
enable = true; enable = true;
matchConfig.Name = "wg0"; matchConfig.Name = "wg0";
address = [ address = [ "10.0.0.0/31" ];
"10.0.0.0/31"
];
routes = [ routes = [
{ {
@ -299,9 +298,7 @@
systemd.network.networks.wg1 = { systemd.network.networks.wg1 = {
enable = true; enable = true;
matchConfig.Name = "wg1"; matchConfig.Name = "wg1";
address = [ address = [ "10.0.0.2/31" ];
"10.0.0.2/31"
];
routes = [ routes = [
{ {
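Review bot: The hunk at `@ -5,11 +5,11 @@` removes `localDomainName,` from the module's argument pattern, which is a behavioural change rather than a reformat; the line appears only once on this rendered page and the 11/11 line counts only add up if it sits on the old side, so it looks like a manual edit that was folded into the formatter sweep. A formatter will not drop a parameter, so a reader bisecting this repository later will not expect a signature change inside a commit titled "fmt all". Because the pattern ends in `...`, callers that still pass `localDomainName` keep working, but whether the argument was actually unused in this module cannot be confirmed from the visible hunks. Either split that removal into its own commit or record it in the description, e.g. `also drops the localDomainName module argument from this host's configuration.nix`.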


@ -4,20 +4,24 @@
repoFlake, repoFlake,
nodeFlake, nodeFlake,
... ...
}: let }:
let
variables = import ./variables.crypt.nix; variables = import ./variables.crypt.nix;
in { in
{
meta.nodeSpecialArgs.${nodeName} = { meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system variables; inherit
repoFlake
nodeName
nodeFlake
system
variables
;
packages' = repoFlake.packages.${system}; packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system};
}; };
meta.nodeNixpkgs.${nodeName} = meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = { ${nodeName} = {
deployment.targetHost = variables.ipv4; deployment.targetHost = variables.ipv4;
