steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

feat: introduce treefmt and fmt all

Browse source
This commit is contained in:
steveej 2024-11-15 10:17:56 +01:00
parent 80250b0179
commit 27c6c4f9fa
237 changed files with 5440 additions and 5214 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitignore vendored
View file

@ -4,3 +4,6 @@
.env
**/result
.direnv/
# nixago: ignore-linked-files
/treefmt.toml

16
.vscode/settings.json vendored
View file

@ -1,19 +1,21 @@
{
"editor.defaultFormatter": "ibecker.treefmt-vscode",
"editor.formatOnSave": true,
"nix.enableLanguageServer": true,
"nix.serverPath": "nil",
"nix.serverSettings": {
// settings for 'nil' LSP
"nil": {
"autoArchive": true,
"diagnostics": {
"ignored": [
"unused_binding",
"unused_with"
]
"ignored": ["unused_binding", "unused_with"]
},
"formatting": {
"command": [
"treefmt-nix",
]
"command": ["treefmt-nix", "--stdin", ".nil.nix"]
}
}
},
"[nix]": {
"editor.defaultFormatter": "jnoortheen.nix-ide"
}
}

30
README.md
View file

@ -1,4 +1,5 @@
# steveej's infra
This repository helps me to manage all computer infrastructure.
This is mostly achieved with the help of [Nix](https://nixos.org).
@ -39,39 +40,46 @@ In the unlikely case that you actually read this and have any questions please d
- [x] sj-pve0
- [x] use an existing secret management framework
- [x] adapt (or abandon?) _just_ recipes
- [x] `rebuild-this-device`
- [x] `update-this-device`
- [x] `rebuild-remote-device`
- [x] `update-remote-device`
evaluate, and understand a path to using these tools in a pull-based fashion:
- [x] [colmena](https://github.com/zhaofengli/colmena)
* bootstrapping: https://github.com/zhaofengli/colmena/issues/68
- bootstrapping: https://github.com/zhaofengli/colmena/issues/68
- [ ] deploy-rs
- [x] 🚧 find a better alternative for the qtile-desktop
current issues:
- floating windows often get lost in the background
- plugging in-/out- screen crashes the desktop
evaluate:
- [x] ~~🚧 gnome3 + pop-shell~~
- [x] ~~leftwm + eww (+ wayland?)~~
- [ ] (Re-)document bootstrap process
- [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine
- [ ] a new machine
- [ ] an install media
- [ ] Design disaster recovery
- [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2
- [ ] Recycle *\_archived*
- [ ] Recycle _\_archived_
- [ ] container migrations
- [ ] ensure DDNS is updated _before_ the containers are started
## Bugs
- [ ] home-manager leaves ~/.gnupg at 0755
## Usage
*(These are reminders for my future self)*
_(These are reminders for my future self)_
```
just --list
@ -80,15 +88,17 @@ just --list
## Bootstrap
### A new machine
* ensure the dotfiles repo has a branch with the new machine's hostname
* boot with an install media and go through setup
- ensure the dotfiles repo has a branch with the new machine's hostname
- boot with an install media and go through setup
#### Post-Install Setup
* `chmod --recursive g-rwx,o-rwx ~/.gnupg`
* `gpg2 --edit-card; fetch`
* clone password-manager and infra repositories
* gpg2: ultimately trust my own key
- `chmod --recursive g-rwx,o-rwx ~/.gnupg`
- `gpg2 --edit-card; fetch`
- clone password-manager and infra repositories
- gpg2: ultimately trust my own key
## Swapping out a disk

7
default.nix
View file

@ -4,6 +4,9 @@
# Having pkgs default to <nixpkgs> is fine though, and it lets you use short
# commands such as:
# nix-build -A mypackage
{pkgs ? import <nixpkgs> {}}: {
pkgs = import ./nix/pkgs {inherit pkgs;};
{
pkgs ? import <nixpkgs> { },
}:
{
pkgs = import ./nix/pkgs { inherit pkgs; };
}

208
flake.lock generated
View file

@ -346,6 +346,81 @@
}
},
"flake-utils_3": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_6": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_7": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_8": {
"inputs": {
"systems": "systems_3"
},
@ -363,7 +438,7 @@
"type": "github"
}
},
"flake-utils_4": {
"flake-utils_9": {
"inputs": {
"systems": "systems_4"
},
@ -485,7 +560,7 @@
},
"lib-aggregate": {
"inputs": {
"flake-utils": "flake-utils_3",
"flake-utils": "flake-utils_8",
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
@ -639,6 +714,126 @@
"type": "github"
}
},
"nixago": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixago-exts": "nixago-exts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1714086354,
"narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=",
"owner": "jmgilman",
"repo": "nixago",
"rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d",
"type": "github"
},
"original": {
"owner": "jmgilman",
"repo": "nixago",
"type": "github"
}
},
"nixago-exts": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixago": "nixago_2",
"nixpkgs": [
"nixago",
"nixpkgs"
]
},
"locked": {
"lastModified": 1676070308,
"narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=",
"owner": "nix-community",
"repo": "nixago-extensions",
"rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago-extensions",
"type": "github"
}
},
"nixago-exts_2": {
"inputs": {
"flake-utils": "flake-utils_6",
"nixago": "nixago_3",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixago",
"nixpkgs"
]
},
"locked": {
"lastModified": 1655508669,
"narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=",
"owner": "nix-community",
"repo": "nixago-extensions",
"rev": "3022a932ce109258482ecc6568c163e8d0b426aa",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago-extensions",
"type": "github"
}
},
"nixago_2": {
"inputs": {
"flake-utils": "flake-utils_5",
"nixago-exts": "nixago-exts_2",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixpkgs"
]
},
"locked": {
"lastModified": 1676070010,
"narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=",
"owner": "nix-community",
"repo": "nixago",
"rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "rename-config-data",
"repo": "nixago",
"type": "github"
}
},
"nixago_3": {
"inputs": {
"flake-utils": "flake-utils_7",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixago",
"nixago-exts",
"nixpkgs"
]
},
"locked": {
"lastModified": 1655405483,
"narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=",
"owner": "nix-community",
"repo": "nixago",
"rev": "e6a9566c18063db5b120e69e048d3627414e327d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago",
"type": "github"
}
},
"nixos-anywhere": {
"inputs": {
"disko": "disko",
@ -847,11 +1042,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1730531603,
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
"lastModified": 1731319897,
"narHash": "sha256-PbABj4tnbWFMfBp6OcUK5iGy1QY+/Z96ZcLpooIbuEI=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
"rev": "dc460ec76cbff0e66e269457d7b728432263166c",
"type": "github"
},
"original": {
@ -1058,6 +1253,7 @@
"logseq_0_10_9_aarch64_appimage": "logseq_0_10_9_aarch64_appimage",
"nix-vscode-extensions": "nix-vscode-extensions",
"nix4vscode": "nix4vscode",
"nixago": "nixago",
"nixos-anywhere": "nixos-anywhere",
"nixpkgs": [
"nixpkgs-2405"
@ -1351,7 +1547,7 @@
},
"yofi": {
"inputs": {
"flake-utils": "flake-utils_4",
"flake-utils": "flake-utils_9",
"nixpkgs": [
"nixpkgs"
]

175
flake.nix
View file

@ -43,10 +43,7 @@
url = "github:nix-community/fenix";
inputs.nixpkgs.follows = "nixpkgs";
};
crane = {
url = "github:ipetkov/crane";
inputs.nixpkgs.follows = "nixpkgs";
};
crane.url = "github:ipetkov/crane";
sops-nix.url = "github:Mic92/sops-nix";
sops-nix.inputs.nixpkgs.follows = "nixpkgs";
@ -129,14 +126,18 @@
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixago.url = "github:jmgilman/nixago";
nixago.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = inputs @ {
outputs =
inputs@{
self,
flake-parts,
nixpkgs,
...
}: let
}:
let
inherit (nixpkgs) lib;
systems = [
@ -144,25 +145,26 @@
"aarch64-linux"
];
in
flake-parts.lib.mkFlake {inherit inputs;}
({withSystem, ...}: {
flake-parts.lib.mkFlake { inherit inputs; } (
{ withSystem, ... }:
{
flake.colmena =
lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
{
meta.nixpkgs = import inputs.nixpkgs.outPath {
system = builtins.elemAt systems 0;
};
}
{ meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; }
# FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
# try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
(builtins.map
(nodeName:
(
builtins.map
(
nodeName:
import ./nix/os/devices/${nodeName} {
inherit nodeName;
repoFlake = self;
repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
}) [
}
)
[
"steveej-t14"
"steveej-x13s"
"steveej-x13s-rmvbl"
@ -177,17 +179,19 @@
"sj-srv1"
"hstk0"
]);
]
);
flake.lib = {
inherit withSystem;
};
# this makes nixos-anywhere work
flake.nixosConfigurations = let
flake.nixosConfigurations =
let
colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes;
router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
in (
in
colmenaHive
// {
router0-dmz0 = router0-dmz0.native;
@ -197,13 +201,14 @@
router0-dmz0_cross = router0-dmz0.cross;
steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross;
steveej-x13s-rmvbl_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
}
);
steveej-x13s-rmvbl_cross =
(inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
};
inherit systems;
perSystem = {
perSystem =
{
self',
inputs',
system,
@ -211,38 +216,26 @@
lib,
pkgs,
...
}: {
imports = [
./nix/modules/flake-parts/perSystem/default.nix
];
}:
{
imports = [ ./nix/modules/flake-parts/perSystem/default.nix ];
packages = let
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {};
packages =
let
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { };
craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain;
craneLib =
craneLibFn
inputs'.fenix.packages.stable.toolchain;
craneLibOfiPass =
craneLibFn
(
inputs'.fenix.packages.stable.toolchain
# .override {
# date = "1.60.0";
# }
);
in {
craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain;
in
{
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
inherit (inputs'.colmena.packages) colmena;
prs =
pkgs.callPackage
({
pkgs,
prs = pkgs.callPackage (
{
dbus,
glib,
gpgme,
@ -257,7 +250,12 @@
pname = "prs";
version = inputs.prs.shortRev;
src = inputs.prs;
nativeBuildInputs = [gpgme installShellFiles pkg-config python3];
nativeBuildInputs = [
gpgme
installShellFiles
pkg-config
python3
];
buildInputs = [
dbus
@ -275,8 +273,8 @@
installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
done
'';
})
{};
}
) { };
nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
@ -309,29 +307,84 @@
rperf = craneLib.buildPackage {
src = inputs.rperf;
nativeBuildInputs = [
pkgs.pkg-config
];
buildInputs = [
];
nativeBuildInputs = [ pkgs.pkg-config ];
buildInputs = [ ];
};
x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" {} ''
x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" { } ''
mkdir -p $out/lib/firmware/qca
cp -v ${self}/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw $out/lib/firmware/qca/hpnv21.bin
cp -v ${inputs.x13s-bt-firmware} $out/lib/firmware/qca//hpbtfw21.tlv
'';
x13s-ath11k-firmware = pkgs.runCommand "x13s-ath11k-firmware-before" {} ''
x13s-ath11k-firmware = pkgs.runCommand "x13s-ath11k-firmware-before" { } ''
mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/
cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/
cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/
'';
};
formatter = inputs.treefmt-nix.formatter.${system};
formatter =
let
settingsNix = {
projectRootFile = ".git/config";
devShells = let
package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2;
programs = {
nixfmt.enable = true;
deadnix.enable = true;
statix.enable = true;
shfmt.enable = true;
shellcheck.enable = true;
prettier.enable = true;
} // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; };
settings = {
global.excludes = [
"LICENSE"
"secrets/"
".git-crypt/"
# unsupported extensions
"*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}"
];
formatter = {
deadnix = {
priority = 1;
};
nixfmt = {
priority = 2;
};
statix = {
priority = 3;
};
prettier = {
options = [
"--tab-width"
"2"
];
includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ];
};
};
};
};
eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix;
in
eval.config.build.wrapper.overrideAttrs (_: {
passthru = {
inherit (eval.config) package settings;
};
});
devShells =
let
all = import ./nix/devShells.nix {
inherit
self
@ -340,7 +393,9 @@
pkgs
;
};
in (all // {default = all.develop;});
in
all // { default = all.develop; };
};
});
}
);
}

2
nix/container-images/build.sh
View file

@ -1,6 +1,6 @@
#!/usr/bin/env bash
set -xe
[ ! -z "$NAME" ]
[ -n "$NAME" ]
nix-build . --show-trace -A "$NAME"
docker image rm "$NAME":latest --force

54
nix/container-images/default.nix
View file

@ -1,6 +1,10 @@
{pkgs ? import <nixpkgs> {}}: let
baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
in rec {
{
pkgs ? import <nixpkgs> { },
}:
let
baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
in
rec {
base = pkgs.dockerTools.buildImage rec {
name = "base";
@ -21,12 +25,20 @@ in rec {
interactive_base = pkgs.dockerTools.buildImage {
name = "interactive_base";
fromImage = base;
contents = with pkgs; [procps zsh coreutils neovim];
contents = with pkgs; [
procps
zsh
coreutils
neovim
];
config = {Cmd = ["/bin/zsh"];};
config = {
Cmd = [ "/bin/zsh" ];
};
};
s3ql = let
s3ql =
let
entrypoint = pkgs.writeScript "entrypoint" ''
#!${pkgs.stdenv.shell}
@ -73,7 +85,10 @@ in rec {
pkgs.dockerTools.buildImage {
name = "s3ql";
fromImage = interactive_base;
contents = [pkgs.s3ql pkgs.fuse];
contents = [
pkgs.s3ql
pkgs.fuse
];
runAsRoot = ''
#!${pkgs.stdenv.shell}
@ -84,25 +99,24 @@ in rec {
'';
config = {
Env =
baseEnv
++ [
Env = baseEnv ++ [
"HOME=/home/s3ql"
"S3QL_CACHE_DIR=/var/cache/s3ql"
"S3QL_AUTHINFO2=/etc/s3ql/authinfo2"
"CONTAINER_ENTRYPOINT=${entrypoint}"
];
Cmd = [entrypoint];
Cmd = [ entrypoint ];
Volumes = {
"/var/cache/s3ql" = {};
"/etc/s3ql/authinfo2" = {};
"/buckets" = {};
"/tmp" = {};
"/var/cache/s3ql" = { };
"/etc/s3ql/authinfo2" = { };
"/buckets" = { };
"/tmp" = { };
};
};
};
syncthing = let
syncthing =
let
entrypoint = pkgs.writeScript "entrypoint" ''
#!${pkgs.stdenv.shell}
set -x
@ -132,9 +146,11 @@ in rec {
contents = pkgs.syncthing;
config = {
Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"];
Cmd = [entrypoint];
Volumes = {"/data" = {};};
Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ];
Cmd = [ entrypoint ];
Volumes = {
"/data" = { };
};
};
};
}

32
nix/default.nix
View file

@ -1,6 +1,9 @@
{versionsPath}: let
{ versionsPath }:
let
channelVersions = import versionsPath;
mkChannelSource = name: let
mkChannelSource =
name:
let
channelVersion = builtins.getAttr name channelVersions;
in
builtins.fetchGit {
@ -8,19 +11,24 @@
inherit name;
inherit (channelVersion) url ref rev;
};
nixPath = builtins.concatStringsSep ":" (builtins.map
(elemName: let
nixPath = builtins.concatStringsSep ":" (
builtins.map (
elemName:
let
elem = builtins.getAttr elemName channelVersions;
elemPath = mkChannelSource elemName;
suffix =
if builtins.hasAttr "suffix" elem
then elem.suffix
else "";
suffix = if builtins.hasAttr "suffix" elem then elem.suffix else "";
in
builtins.concatStringsSep "=" [elemName elemPath] + suffix)
(builtins.attrNames channelVersions));
pkgs = import (mkChannelSource "nixpkgs") {};
in {
builtins.concatStringsSep "=" [
elemName
elemPath
]
+ suffix
) (builtins.attrNames channelVersions)
);
pkgs = import (mkChannelSource "nixpkgs") { };
in
{
inherit nixPath;
channelSources = pkgs.writeText "channels.rc" ''
export NIX_PATH=${nixPath}

22
nix/devShells.nix
View file

@ -3,9 +3,8 @@
self',
inputs',
pkgs,
}: let
pkgsUnstable = inputs'.nixpkgs-unstable.legacyPackages;
in {
}:
{
install = pkgs.mkShell {
name = "infra-install";
packages = with pkgs; [
@ -20,11 +19,9 @@ in {
develop = pkgs.mkShell {
name = "infra-develop";
inputsFrom = [
self'.devShells.install
];
inputsFrom = [ self'.devShells.install ];
packages = with pkgs; [
self'.formatter
self'.formatter # .package
inputs'.colmena.packages.colmena
dconf2nix
inputs'.nixos-anywhere.packages.nixos-anywhere
@ -92,6 +89,15 @@ in {
# Set Environment Variables
RUST_BACKTRACE = 1;
KANIDM_URL = self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
KANIDM_URL =
self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
shellHook =
(self.inputs.nixago.lib.${pkgs.system}.make {
data = self'.formatter.settings;
output = "treefmt.toml";
format = "toml";
}).shellHook
+ '''';
};
}

41
nix/home-manager/configuration/graphical-fullblown.nix
View file

@ -5,13 +5,14 @@
# these come in via home-manager.extraSpecialArgs and are specific to each node
nodeFlake,
repoFlake,
packages',
...
}: let
}:
let
pkgsUnstable =
pkgs.pkgsUnstable
or (import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config overlays;});
in {
or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; });
in
{
imports = [
../profiles/common.nix
# ../profiles/dotfiles.nix
@ -34,18 +35,18 @@ in {
../programs/libreoffice.nix
../programs/neovim.nix
../programs/vscode
{
home.packages = [
pkgsUnstable.markdown-oxide
];
}
{ home.packages = [ pkgsUnstable.markdown-oxide ]; }
];
home.sessionVariables.HM_CONFIG = "graphical-fullblown";
home.sessionVariables.GOPATH = "$HOME/src/go";
home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [
"$HOME/.local/bin"
"$PATH"
];
nixpkgs.config.allowInsecurePredicate = pkg:
nixpkgs.config.allowInsecurePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"electron-28.3.3"
"electron-27.3.11"
@ -68,8 +69,7 @@ in {
# ];
home.packages =
[]
++ (with pkgs; [
(with pkgs; [
# Authentication
# cacert
# fprintd
@ -246,19 +246,15 @@ in {
# libretro.snes9x2010
# retroarchFull
(
pkgs.logseq.overrideAttrs (
(pkgs.logseq.overrideAttrs (
attrs:
lib.attrsets.recursiveUpdate
attrs
(
lib.attrsets.recursiveUpdate attrs (
lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 {
src = repoFlake.inputs.logseq_0_10_9_aarch64_appimage;
meta.platforms = ["aarch64-linux"];
meta.platforms = [ "aarch64-linux" ];
}
)
)
)
))
# (
# pkgsUnstable.callPackage (repoFlake + "/nix/pkgs/logseq")
@ -267,8 +263,7 @@ in {
# })
# )
])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
pkgsUnstable.ledger-live-desktop

11
nix/home-manager/configuration/graphical-gnome3.nix
View file

@ -1,13 +1,8 @@
{ pkgs, ... }:
{
pkgs,
config,
...
}: {
home.packages =
[]
++ (with pkgs; [
home.packages = with pkgs; [
gnome.gnome-tweaks
gnome.gnome-keyring
gnome.seahorse
]);
];
}

11
nix/home-manager/configuration/graphical-removable.nix
View file

@ -1,8 +1,5 @@
{ pkgs, ... }:
{
pkgs,
config,
...
}: {
imports = [
../profiles/common.nix
../profiles/qtile-desktop.nix
@ -16,9 +13,7 @@
../programs/pass.nix
];
home.packages =
[]
++ (with pkgs; [
home.packages = with pkgs; [
# Nix package related tools
patchelf
nix-index
@ -100,5 +95,5 @@
# Virtualization
virtmanager
]);
];
}

19
nix/home-manager/lib.nix
View file

@ -1,14 +1,19 @@
{}: let
in {
mkSimpleTrayService = {execStart}: {
_: {
mkSimpleTrayService =
{ execStart }:
{
Unit = {
Description = "";
After = ["graphical-session-pre.target"];
PartOf = ["graphical-session.target"];
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
};
Install = {WantedBy = ["graphical-session.target"];};
Install = {
WantedBy = [ "graphical-session.target" ];
};
Service = {ExecStart = execStart;};
Service = {
ExecStart = execStart;
};
};
}

17
nix/home-manager/profiles/common.nix
View file

@ -1,8 +1,5 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
...
}: {
home.stateVersion = lib.mkDefault "23.11";
# TODO: re-enable this with the appropriate version?
@ -15,7 +12,8 @@
allowUnfree = true;
allowUnsupportedSystem = true;
allowInsecurePredicate = pkg:
allowInsecurePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"electron-28.3.3"
"electron-27.3.11"
@ -28,7 +26,8 @@
"electron"
];
allowUnfreePredicate = pkg:
allowUnfreePredicate =
pkg:
builtins.elem (lib.getName pkg) [
"obsidian"
"vivaldi"
@ -56,9 +55,7 @@
programs.command-not-found.enable = true;
programs.fzf.enable = true;
home.packages =
[]
++ (with pkgs; [
home.packages = with pkgs; [
coreutils
vcsh
@ -98,5 +95,5 @@
usbutils
pciutils
]);
];
}

43
nix/home-manager/profiles/dotfiles.nix
View file

@ -1,45 +1,4 @@
{
repoFlake,
pkgs,
config,
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
...
}: let
repoBareLocal =
pkgs.runCommand "fetchbare"
{
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000";
} ''
(
set -xe
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
)
'';
vcshActivationScript = pkgs.writeScript "activation-script" ''
export HOST=$(hostname -s)
function set_remotes {
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
}
if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
echo Cloning dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
set_remotes ${repoHttps} ${repoSsh}
else
set_remotes ${repoBareLocal} ${repoSsh}
echo Updating dotfiles for $HOST...
${pkgs.vcsh}/bin/vcsh pull $HOST || true
set_remotes ${repoHttps} ${repoSsh}
fi
'';
in {
_: {
# TODO: fix the dotfiles
# home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
# $DRY_RUN_CMD ${vcshActivationScript}

10
nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix
View file

@ -3,14 +3,16 @@
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
...
}: let
}:
let
repoBareLocal =
pkgs.runCommand "fetchbare"
{
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000";
} ''
}
''
(
set -xe
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
@ -19,7 +21,7 @@
)
'';
in
pkgs.writeScript "activation-script" ''
pkgs.writeScript "activation-script" ''
export HOST=$(hostname -s)
function set_remotes {
@ -37,4 +39,4 @@ in
${pkgs.vcsh}/bin/vcsh pull $HOST || true
set_remotes ${repoHttps} ${repoSsh}
fi
''
''

14
nix/home-manager/profiles/experimental-desktop.nix
View file

@ -1,16 +1,6 @@
{ packages', ... }:
{
pkgs,
config,
lib,
nodeFlake,
packages',
...
}: let
pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {};
in {
imports = [
../profiles/wayland-desktop.nix
];
imports = [ ../profiles/wayland-desktop.nix ];
home.packages = [
# experimental WMs

79
nix/home-manager/profiles/gnome-desktop.nix
View file

@ -1,13 +1,6 @@
{ pkgs, ... }:
{
pkgs,
config,
lib,
...
}: let
in {
imports = [
../profiles/wayland-desktop.nix
];
imports = [ ../profiles/wayland-desktop.nix ];
services = {
gnome-keyring.enable = false;
@ -25,7 +18,8 @@ in {
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
dconf.settings = let
dconf.settings =
let
manualKeybindings = [
{
binding = "Print";
@ -42,68 +36,65 @@ in {
numWorkspaces = 10;
customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
customKeybindingsNames =
builtins.genList (i: "/${customKeybindingBaseName}${toString i}/")
(
(builtins.length manualKeybindings)
+ numWorkspaces # for sending to the workspace
customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") (
(builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace
);
workspacesKeyBindingsOffset = builtins.length manualKeybindings;
# with this we can make use of all number keys [0-9]
mapToNumber = i:
if i < 10
then i
else if i == 10
then 0
else throw "i exceeds 10: ${i}";
mapToNumber =
i:
if i < 10 then
i
else if i == 10 then
0
else
throw "i exceeds 10: ${i}";
in
{
"org/gnome/settings-daemon/plugins/media-keys" = {
custom-keybindings = customKeybindingsNames;
screenreader = "@as []";
screensaver = ["<Alt><Super>l"];
screensaver = [ "<Alt><Super>l" ];
};
# disable the builtin <Super>[1-9] functionality
"org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList
(i: {
"org/gnome/shell/keybindings" = builtins.listToAttrs (
(builtins.genList (i: {
name = "switch-to-application-${toString (i + 1)}";
value = [];
})
numWorkspaces)
value = [ ];
}) numWorkspaces)
++ [
{
name = "toggle-overview";
value = [];
value = [ ];
}
]);
]
);
# remap it to switching to the workspaces
"org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList
(i: {
"org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (
builtins.genList (i: {
name = "switch-to-workspace-${toString (i + 1)}";
value = [
"<Super>${toString (mapToNumber (i + 1))}"
];
})
numWorkspaces);
value = [ "<Super>${toString (mapToNumber (i + 1))}" ];
}) numWorkspaces
);
}
// builtins.listToAttrs (builtins.genList
(i: {
// builtins.listToAttrs (
builtins.genList (i: {
name = "${customKeybindingBaseName}${toString i}";
value = builtins.elemAt manualKeybindings i;
})
(builtins.length manualKeybindings))
// builtins.listToAttrs (builtins.genList
(i: {
}) (builtins.length manualKeybindings)
)
// builtins.listToAttrs (
builtins.genList (i: {
name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}";
value = {
binding = "<Control><Super>${toString (mapToNumber (i + 1))}";
command = "wmctrl -r :ACTIVE: -t ${toString i}";
name = "Send to workspace ${toString (i + 1)}";
};
})
numWorkspaces);
}) numWorkspaces
);
}

14
nix/home-manager/profiles/nix-channels.nix
View file

@ -1,14 +1,9 @@
{ pkgs, config, ... }:
{
pkgs,
config,
...
}: let
in {
home.file.".nix-channels".text = "";
home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] ''
$DRY_RUN_CMD ${
pkgs.writeScript "activation-script" ''
home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
set -ex
if test -f $HOME/.nix-channels; then
echo Uninstalling available channels...
@ -22,7 +17,6 @@ in {
mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
rm $HOME/.nix-channels
fi
''
};
''};
'';
}

21
nix/home-manager/profiles/qtile-desktop.nix
View file

@ -1,14 +1,14 @@
{
pkgs,
config,
...
}: let
inherit (import ../lib.nix {}) mkSimpleTrayService;
{ pkgs, ... }:
let
audio = pkgs.writeShellScript "audio" ''
export PATH=${
with pkgs;
lib.makeBinPath [pulseaudio findutils gnugrep]
lib.makeBinPath [
pulseaudio
findutils
gnugrep
]
}:$PATH
export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute
@ -33,7 +33,7 @@
terminalCommand = "${pkgs.alacritty}/bin/alacritty";
dpmsScript = pkgs.writeShellScript "dpmsScript" ''
export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH
export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH
set -xe
@ -56,7 +56,7 @@
'';
screenLockCommand = pkgs.writeShellScript "screenLock" ''
export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH
export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH
revert() {
${dpmsScript} default
@ -251,7 +251,8 @@
def print_new_window(window):
print("new window: ", window)
'';
in {
in
{
services = {
gnome-keyring.enable = true;
blueman-applet.enable = true;

61
nix/home-manager/profiles/sway-desktop.nix
View file

@ -1,35 +1,35 @@
/*
TODO: create helper scripts for sharing of a screen portion
```
TODO: create helper scripts for sharing of a screen portion
```
# this will create a new output named HEADLESS-<n>. <n> increments by 1 with each invocation even if the output is `unplug`ged.
swaymsg create_output
# this will create a new output named HEADLESS-<n>. <n> increments by 1 with each invocation even if the output is `unplug`ged.
swaymsg create_output
# find the name and the workspace number
swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)'
# find the name and the workspace number
swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)'
swaymsg output HEADLESS-1 mode 1920@108060Hz
swaymsg output HEADLESS-1 mode 1920@108060Hz
# mirror the headless workspace on the current one
nix run nixpkgs\#wl-mirror -- HEADLESS-1
# mirror the headless workspace on the current one
nix run nixpkgs\#wl-mirror -- HEADLESS-1
# shift windows to the workspace and switch the focus to it
# shift windows to the workspace and switch the focus to it
*/
{
pkgs,
config,
lib,
# packages',
repoFlakeInputs',
...
}: let
inherit (import ../lib.nix {}) mkSimpleTrayService;
}:
let
lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'";
displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
in {
in
{
imports = [
../profiles/wayland-desktop.nix
../programs/waybar.nix
@ -98,12 +98,19 @@ in {
systemd.enable = true;
xwayland = false;
config = let
config =
let
modifier = "Mod4";
inherit (config.wayland.windowManager.sway.config) left right up down;
in {
inherit (config.wayland.windowManager.sway.config)
left
right
up
down
;
in
{
inherit modifier;
bars = [];
bars = [ ];
input = {
"type:keyboard" =
@ -111,7 +118,7 @@ in {
xkb_layout = config.home.keyboard.layout;
xkb_variant = config.home.keyboard.variant;
}
// lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) {
// lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) {
xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
};
@ -175,28 +182,30 @@ in {
startup =
[
{
command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
command = builtins.toString (
pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
) &
'');
''
);
}
]
++ lib.optionals config.services.swayidle.enable [
{
command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
command = builtins.toString (
pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart swayidle
) &
'');
''
);
}
];
colors.focused = lib.mkOptionDefault {
childBorder = lib.mkForce "#ffa500";
};
colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; };
window.titlebar = false;
window.border = 4;

21
nix/home-manager/profiles/wayland-desktop.nix
View file

@ -1,16 +1,14 @@
{
pkgs,
config,
lib,
repoFlake,
nodeFlake,
...
}: let
inherit (import ../lib.nix {}) mkSimpleTrayService;
}:
let
nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
wayprompt = nixpkgs-wayland'.wayprompt;
in {
in
{
fonts.fontconfig.enable = true;
# services.gpg-agent.pinentryFlavor = lib.mkForce null;
@ -26,11 +24,12 @@ in {
systemd.user.targets.tray = {
Unit = {
Description = "Home Manager System Tray";
Requires = ["graphical-session-pre.target"];
Requires = [ "graphical-session-pre.target" ];
};
};
home.packages = with pkgs;
home.packages =
with pkgs;
[
# required by network-manager-applet
networkmanagerapplet
@ -62,11 +61,9 @@ in {
waypipe
]
++ (
lib.lists.optionals (!pkgs.stdenv.isAarch64)
++ (lib.lists.optionals (!pkgs.stdenv.isAarch64)
# TODO: broken on aarch64
[
]
[ ]
);
home.sessionVariables = {

38
nix/home-manager/programs/chromium.nix
View file

@ -3,14 +3,15 @@
lib,
pkgs,
...
}: let
}:
let
extensions =
[
#undetectable adblocker
{id = "gcfcpohokifjldeandkfjoboemihipmb";}
{ id = "gcfcpohokifjldeandkfjoboemihipmb"; }
# ublock origin
{id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";}
{ id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; }
# # YT ad block
# {id = "cmedhionkhpnakcndndgjdbohmhepckk";}
@ -19,15 +20,15 @@
# {id = "cfhdojbkjhnklbpkdaibdccddilifddb";}
# Cookie Notice Blocker
{id = "odhmfmnoejhihkmfebnolljiibpnednn";}
{ id = "odhmfmnoejhihkmfebnolljiibpnednn"; }
# i don't care about cookies
{id = "fihnjjcciajhdojfnbdddfaoknhalnja";}
{ id = "fihnjjcciajhdojfnbdddfaoknhalnja"; }
# NopeCHA
{id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";}
{ id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; }
# h264ify
{id = "aleakchihdccplidncghkekgioiakgal";}
{ id = "aleakchihdccplidncghkekgioiakgal"; }
# clippy
# {id = "honbeilkanbghjimjoniipnnehlmhggk"}
@ -38,31 +39,32 @@
}
# cookie autodelete
{id = "fhcgjolkccmbidfldomjliifgaodjagh";}
{ id = "fhcgjolkccmbidfldomjliifgaodjagh"; }
# unhook
{id = "khncfooichmfjbepaaaebmommgaepoid";}
{ id = "khncfooichmfjbepaaaebmommgaepoid"; }
]
++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
# polkadotjs
{id = "mopnmbcafieddcagagdcbnhejhlodfdd";}
{ id = "mopnmbcafieddcagagdcbnhejhlodfdd"; }
# rabby wallet
{id = "acmacodkjbdgmoleebolmdjonilkdbch";}
{ id = "acmacodkjbdgmoleebolmdjonilkdbch"; }
# phantom wallet
{id = "bfnaelmomeimhlpmgjnjophhpkkoljpa";}
{ id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; }
# Vimium C
{id = "hfjbmagddngcpeloejdejnfgbamkjaeg";}
{ id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; }
# always right
{id = "npjpaghfnndnnmjiliibnkmdfgbojokj";}
{ id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; }
# shazam music
{id = "mmioliijnhnoblpgimnlajmefafdfilb";}
{ id = "mmioliijnhnoblpgimnlajmefafdfilb"; }
]);
in {
in
{
programs.chromium = {
enable = true;
inherit extensions;
@ -72,9 +74,7 @@ in {
programs.brave = {
# TODO: enable this on aarch64-linux
enable =
true
&& !pkgs.stdenv.targetPlatform.isAarch64;
enable = true && !pkgs.stdenv.targetPlatform.isAarch64;
inherit extensions;
};
}

19
nix/home-manager/programs/espanso.nix
View file

@ -1,8 +1,5 @@
{ pkgs, ... }:
{
pkgs,
repoFlake,
...
}: {
services.espanso = {
package = pkgs.espanso-wayland;
# package = pkgs.espanso-wayland.overrideAttrs (_: {
@ -24,10 +21,11 @@
# backend = "Clipboard";
};
};
matches = let
playerctl = ''
${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
in {
matches =
let
playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
in
{
default = {
matches = [
{
@ -64,10 +62,7 @@
name = "output";
type = "script";
params = {
args = [
(pkgs.writeShellScript "espanso"
"${playerctl} metadata title")
];
args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ];
};
}
];

7
nix/home-manager/programs/firefox.nix
View file

@ -1,5 +1,8 @@
{pkgs, ...}: {
programs.librewolf = {enable = false;};
{ pkgs, ... }:
{
programs.librewolf = {
enable = false;
};
programs.firefox = {
enable = true;
package = pkgs.firefox-esr-128;

10
nix/home-manager/programs/gpg-agent.nix
View file

@ -1,12 +1,6 @@
{ lib, pkgs, ... }:
{
lib,
pkgs,
config,
...
}: {
home.packages = [
pkgs.gcr
];
home.packages = [ pkgs.gcr ];
programs.gpg.enable = true;
services.gpg-agent = {

19
nix/home-manager/programs/homeshick.nix
View file

@ -1,15 +1,9 @@
{ pkgs, config, ... }:
{
pkgs,
config,
...
}: let
# TODO: clean up the impurity in here
in {
home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}";
home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] ''
$DRY_RUN_CMD ${
pkgs.writeScript "activation-script" ''
home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
set -e
echo home-manager path is ${config.home.path}
echo home is $HOME
@ -20,13 +14,12 @@ in {
# echo Updating homeshick
# ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
# mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
''
};
''};
'';
nixpkgs.config = {
packageOverrides = pkgs:
with pkgs; {
packageOverrides =
pkgs: with pkgs; {
homeshick = builtins.fetchGit {
url = "https://github.com/andsens/homeshick.git";
ref = "master";

5
nix/home-manager/programs/libreoffice.nix
View file

@ -1,3 +1,4 @@
{pkgs, ...}: {
home.packages = [pkgs.libreoffice];
{ pkgs, ... }:
{
home.packages = [ pkgs.libreoffice ];
}

12
nix/home-manager/programs/neovim.nix
View file

@ -1,12 +1,6 @@
{ repoFlake, pkgs, ... }:
{
repoFlake,
pkgs,
lib,
...
}: {
imports = [
repoFlake.inputs.nixvim.homeManagerModules.nixvim
];
imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ];
programs.nixvim = {
enable = true;
@ -14,7 +8,7 @@
vimdiffAlias = true;
vimAlias = true;
extraPython3Packages = ps: with ps; [];
extraPython3Packages = ps: with ps; [ ];
# extraConfigVim = builtins.readFile ./neovim/vimrc;

24
nix/home-manager/programs/obs-studio.nix
View file

@ -1,21 +1,25 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
...
}: {
programs.obs-studio = {
enable = true;
plugins =
builtins.map (plugin: (plugin.overrideAttrs (attrs: {
builtins.map
(
plugin:
(plugin.overrideAttrs (attrs: {
meta = lib.mkMerge [
{inherit (attrs) meta;}
{meta.platforms = [pkgs.stdenv.system];}
{ inherit (attrs) meta; }
{ meta.platforms = [ pkgs.stdenv.system ]; }
];
})))
(with pkgs.obs-studio-plugins; [
}))
)
(
with pkgs.obs-studio-plugins;
[
# wlrobs
obs-backgroundremoval
obs-pipewire-audio-capture
]);
]
);
};
}

16
nix/home-manager/programs/openvscode-server.nix
View file

@ -1,12 +1,8 @@
{ pkgs, repoFlake, ... }:
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
in
{
pkgs,
nodeFlake,
repoFlake,
...
}: let
pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;};
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};
in {
home.packages = [
pkgs.nil
pkgs.nixd
@ -33,7 +29,9 @@ in {
(pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
src = repoFlake.inputs.openvscode-server;
version = "1.94.2";
yarnCache = attrs.yarnCache.overrideAttrs (_: {outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";});
yarnCache = attrs.yarnCache.overrideAttrs (_: {
outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";
});
}))
pkgs.waypipe

5
nix/home-manager/programs/pass.nix
View file

@ -1,8 +1,5 @@
{ repoFlake, pkgs, ... }:
{
repoFlake,
pkgs,
...
}: {
# required by pass-otp
# home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
# home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true";

28
nix/home-manager/programs/radicale.nix
View file

@ -4,7 +4,8 @@
pkgs,
osConfig,
...
}: let
}:
let
libdecsync = pkgs.python3Packages.buildPythonPackage rec {
pname = "libdecsync";
version = "2.2.1";
@ -38,18 +39,18 @@
# pkgs.libxcrypt
];
propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools];
propagatedBuildInputs = [
libdecsync
pkgs.python3Packages.setuptools
];
};
radicale-decsync = pkgs.radicale.overrideAttrs (old: {
propagatedBuildInputs =
old.propagatedBuildInputs
++ [radicale-storage-decsync];
propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ];
});
mkRadicaleService = {
suffix,
port,
}: let
mkRadicaleService =
{ suffix, port }:
let
radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
[server]
hosts = localhost:${builtins.toString port}
@ -64,18 +65,19 @@
filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix}
decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix}
'';
in {
in
{
systemd.user.services."radicale-${suffix}" = {
Unit.Description = "Radicale with DecSync (${suffix})";
Service = {
ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}";
Restart = "on-failure";
};
Install.WantedBy = ["default.target"];
Install.WantedBy = [ "default.target" ];
};
};
in
builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [
builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [
{
suffix = "personal";
port = 5232;
@ -84,4 +86,4 @@ in
suffix = "family";
port = 5233;
}
]
]

10
nix/home-manager/programs/redshift.nix
View file

@ -1,10 +1,8 @@
{
pkgs,
config,
...
}: let
_:
let
passwords = import ../../variables/passwords.crypt.nix;
in {
in
{
services.gammastep = {
enable = true;
provider = "manual";

21
nix/home-manager/programs/salut.nix
View file

@ -1,18 +1,11 @@
{
pkgs,
config,
lib,
packages',
...
}:
{ pkgs, packages', ... }:
# useful testing command:
# for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done
let
inherit (import ../lib.nix {}) mkSimpleTrayService;
in {
home.packages = [
packages'.salut
];
inherit (import ../lib.nix { }) mkSimpleTrayService;
in
{
home.packages = [ packages'.salut ];
xdg.configFile."salut/config.ini" = {
enable = true;
@ -34,7 +27,5 @@ in {
onChange = "${pkgs.systemd}/bin/systemctl --user restart salut";
};
systemd.user.services.salut = mkSimpleTrayService {
execStart = "${packages'.salut}/bin/salut";
};
systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; };
}

37
nix/home-manager/programs/vscode/default.nix
View file

@ -1,24 +1,14 @@
{ pkgs, repoFlake, ... }:
let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
in
{
pkgs,
nodeFlake,
repoFlake,
...
}: let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};
in {
programs.vscode = {
enable = true;
package = pkgsVscodium.vscodium;
extensions =
[
# TODO: how can i install (this) vsix(s) directly?
# (builtins.fetchurl {
# # https://open-vsx.org/extension/jeanp413/open-remote-ssh
# url = "https://open-vsx.org/api/jeanp413/open-remote-ssh/0.0.45/file/jeanp413.open-remote-ssh-0.0.45.vsix";
# sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2";
# })
]
++ (with pkgsVscodium.vscode-extensions;
(
with pkgsVscodium.vscode-extensions;
[
eamodio.gitlens
mkhl.direnv
@ -43,11 +33,13 @@ in {
# TODO: not compatible with vscodium
# ms-vscode-remote.remote-ssh
]
++ (let
++ (
let
extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system};
in (
in
with extensions.vscode-marketplace;
with extensions.vscode-marketplace-release; [
with extensions.vscode-marketplace-release;
[
tamasfe.even-better-toml
serayuzgur.crates
@ -59,10 +51,10 @@ in {
ibecker.treefmt-vscode
]
)))
)
)
++ [
(pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace
{
(pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace {
name = "markdown-oxide";
publisher = "felixzeller";
version = "1.1.0";
@ -151,4 +143,3 @@ in {
# xyz.plsql-language
# yzane.markdown-pdf
# zxh404.vscode-proto3

46
nix/home-manager/programs/vscode/nix4vscode/default.nix
View file

@ -1,12 +1,17 @@
{
pkgs,
lib,
}: let
inherit (pkgs.stdenv) isDarwin isLinux isi686 isx86_64 isAarch32 isAarch64;
vscode-utils = pkgs.vscode-utils;
{ pkgs, lib }:
let
inherit (pkgs.stdenv)
isDarwin
isLinux
isi686
isx86_64
isAarch32
isAarch64
;
inherit (pkgs) vscode-utils;
merge = lib.attrsets.recursiveUpdate;
in
merge
merge
(merge
(merge
(merge
@ -18,7 +23,8 @@ in
sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3";
};
}
(lib.attrsets.optionalAttrs (isLinux && (isi686 || isx86_64)) {
(
lib.attrsets.optionalAttrs (isLinux && (isi686 || isx86_64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode";
publisher = "ibecker";
@ -26,8 +32,11 @@ in
sha256 = "1r17wjpw8xiha5r9h3146facxghpcp416zf8551sw93cmam9ky6j";
arch = "linux-x64";
};
}))
(lib.attrsets.optionalAttrs (isLinux && (isAarch32 || isAarch64)) {
}
)
)
(
lib.attrsets.optionalAttrs (isLinux && (isAarch32 || isAarch64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode";
publisher = "ibecker";
@ -35,8 +44,11 @@ in
sha256 = "0swvl7fkjcwp43grnrhnmy60a5m3hfwawk204byi8hhbczy131li";
arch = "linux-arm64";
};
}))
(lib.attrsets.optionalAttrs (isDarwin && (isi686 || isx86_64)) {
}
)
)
(
lib.attrsets.optionalAttrs (isDarwin && (isi686 || isx86_64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode";
publisher = "ibecker";
@ -44,8 +56,11 @@ in
sha256 = "1swq9hy6a9nzkrn07j21g59pyk2m7aqsfi1pphl9l9y8p4zwiaqm";
arch = "darwin-x64";
};
}))
(lib.attrsets.optionalAttrs (isDarwin && (isAarch32 || isAarch64)) {
}
)
)
(
lib.attrsets.optionalAttrs (isDarwin && (isAarch32 || isAarch64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode";
publisher = "ibecker";
@ -53,4 +68,5 @@ in
sha256 = "1xg3wnn3f1kvsz5a09l0cjpzfm3l9va73cahbvl14mx3n6734r2m";
arch = "darwin-arm64";
};
})
}
)

1
nix/home-manager/programs/waybar.css
View file

@ -1,4 +1,3 @@
#custom-cputemp {
padding: 0 10px;
background-color: #f0932b;

20
nix/home-manager/programs/waybar.nix
View file

@ -1,9 +1,5 @@
{ pkgs, repoFlake, ... }:
{
pkgs,
config,
repoFlake,
...
}: {
home.packages = [
# required by any bar that has a tray plugin
pkgs.libappindicator-gtk3
@ -12,10 +8,9 @@
programs.waybar = {
enable = true;
package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
style =
pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
+ pkgs.lib.readFile ./waybar.css;
package =
repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css;
systemd.enable = true;
settings = {
mainBar = {
@ -24,12 +19,7 @@
height = 30;
output =
# hide the bar on HEADDLESS displays as i use them only for screensharing
(
builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99
)
++ [
"*"
];
(builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ];
# output = [
# "eDP-1"
# "DP-*"

27
nix/home-manager/programs/zsh.nix
View file

@ -3,8 +3,10 @@
lib,
pkgs,
...
}: let
just-plugin = let
}:
let
just-plugin =
let
plugin_file = pkgs.writeText "_just" ''
#compdef just
#autload
@ -35,7 +37,8 @@
chmod --recursive a-w $out
'';
};
in {
in
{
programs.zsh = {
enable = true;
@ -46,9 +49,11 @@ in {
# will be called again by oh-my-zsh
enableCompletion = false;
enableAutosuggestions = true;
initExtra = let
initExtra =
let
inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")'';
in ''
in
''
if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then
unset TMPDIR
fi
@ -69,12 +74,13 @@ in {
fi
${
if builtins.hasAttr "homeshick" pkgs
then ''
if builtins.hasAttr "homeshick" pkgs then
''
source ${pkgs.homeshick}/homeshick.sh
fpath=(${pkgs.homeshick}/completions $fpath)
''
else ""
else
""
}
# Disable intercepting of ctrl-s and ctrl-q as flow control.
@ -128,7 +134,10 @@ in {
oh-my-zsh = {
enable = true;
theme = "tjkirch";
plugins = ["git" "sudo"];
plugins = [
"git"
"sudo"
];
};
};
}

5
nix/modules/flake-parts/colmena.nix
View file

@ -1,7 +1,8 @@
{lib, ...}: {
{ lib, ... }:
{
options.flake.colmena = lib.mkOption {
# type = lib.types.attrsOf lib.types.unspecified;
type = lib.types.raw;
default = {};
default = { };
};
}

17
nix/modules/flake-parts/perSystem/default.nix
View file

@ -1,13 +1,8 @@
{ pkgs, ... }:
{
inputs',
system,
config,
lib,
pkgs,
...
}: {
packages = {
myPython = pkgs.python310.withPackages (ps:
myPython = pkgs.python310.withPackages (
ps:
with ps;
[
pep8
@ -33,6 +28,10 @@
pyaml
requests
]
++ [pkgs.pypi2nix pkgs.libffi]);
++ [
pkgs.pypi2nix
pkgs.libffi
]
);
};
}

14
nix/os/cachix.nix
View file

@ -1,14 +1,12 @@
# WARN: this file will get overwritten by $ cachix use <name>
{
pkgs,
lib,
...
}: let
{ lib, ... }:
let
folder = ./cachix;
toImport = name: value: folder + ("/" + name);
toImport = name: _value: folder + ("/" + name);
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
in {
in
{
inherit imports;
nix.settings.substituters = ["https://cache.nixos.org/"];
nix.settings.substituters = [ "https://cache.nixos.org/" ];
}

4
nix/os/cachix/nixpkgs-wayland.nix
View file

@ -1,8 +1,6 @@
{
nix = {
settings.substituters = [
"https://nixpkgs-wayland.cachix.org"
];
settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ];
settings.trusted-public-keys = [
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
];

57
nix/os/containers/backup.nix
View file

@ -5,16 +5,23 @@
subvolumes,
targetPathSuffix ? "",
autoStart ? false,
}: let
}:
let
passwords = import ../../variables/passwords.crypt.nix;
subvolumeParentDir = "/var/lib/container-volumes";
in {
config = {pkgs, ...}: {
in
{
config =
{ pkgs, ... }:
{
system.stateVersion = "20.03"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix];
imports = [ ../profiles/containers/configuration.nix ];
environment.systemPackages = with pkgs; [btrfs-progs btrbk];
environment.systemPackages = with pkgs; [
btrfs-progs
btrbk
];
networking.firewall.enable = true;
@ -22,13 +29,15 @@ in {
enable = true;
description = "bkp-sync service";
serviceConfig = {Type = "oneshot";};
serviceConfig = {
Type = "oneshot";
};
after = ["bkp-run.service"];
after = [ "bkp-run.service" ];
requires = ["bkp-run.service"];
requires = [ "bkp-run.service" ];
path = with pkgs; [utillinux];
path = with pkgs; [ utillinux ];
script = ''
set -x
true
@ -39,13 +48,20 @@ in {
enable = true;
description = "bkp-run";
serviceConfig = {Type = "oneshot";};
serviceConfig = {
Type = "oneshot";
};
partOf = ["bkp-sync.service"];
partOf = [ "bkp-sync.service" ];
path = with pkgs; [btrfs-progs btrbk coreutils];
path = with pkgs; [
btrfs-progs
btrbk
coreutils
];
script = let
script =
let
btrbkConf = pkgs.writeText "cfg" ''
timestamp_format long
ssh_identity ${passwords.storage.backupTarget.keyPath}
@ -62,10 +78,10 @@ in {
volume ${subvolumeParentDir}
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") ""
subvolumes}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes}
'';
in ''
in
''
#! ${pkgs.bash}/bin/bash
set -Eeuxo pipefail
@ -76,7 +92,10 @@ in {
systemd.timers."bkp" = {
description = "Timer to trigger bkp periodically";
enable = true;
wantedBy = ["timer.target" "multi-user.target"];
wantedBy = [
"timer.target"
"multi-user.target"
];
timerConfig = {
# Obtained using `systemd-analyze calendar "Wed 23:00"`
# OnCalendar = "Wed *-*-* 23:00:00";
@ -114,10 +133,10 @@ in {
}
];
extraFlags = ["--resolv-conf=bind-host"];
extraFlags = [ "--resolv-conf=bind-host" ];
privateNetwork = true;
forwardPorts = [];
forwardPorts = [ ];
inherit hostAddress localAddress;
}

46
nix/os/containers/mailserver.nix
View file

@ -6,15 +6,17 @@
imapsPort ? 993,
sievePort ? 4190,
autoStart ? false,
}: {
}:
{
inherit specialArgs;
config = {
config =
{
pkgs,
config,
lib,
repoFlake,
...
}: {
}:
{
system.stateVersion = "22.05"; # Did you read the comment?
imports = [
@ -32,7 +34,7 @@
# FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately
# sops.defaultSopsFile = ./mailserver_secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.email_mailStefanjunkerDe = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
@ -64,8 +66,8 @@
services.dovecot2 = {
enable = true;
modules = [pkgs.dovecot_pigeonhole];
protocols = ["sieve"];
modules = [ pkgs.dovecot_pigeonhole ];
protocols = [ "sieve" ];
enableImap = true;
enableLmtp = true;
@ -100,14 +102,15 @@
systemd.services.steveej-getmail-stefanjunker = {
enable = true;
wantedBy = ["multi-user.target"];
wantedBy = [ "multi-user.target" ];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 600;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [pkgs.getmail6];
script = let
path = [ pkgs.getmail6 ];
script =
let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 1
@ -126,21 +129,23 @@
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in ''
in
''
getmail --idle=INBOX --rcfile=${rc}
'';
};
systemd.services.steveej-getmail-stefanjunker-hetzner = {
enable = true;
wantedBy = ["multi-user.target"];
wantedBy = [ "multi-user.target" ];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
serviceConfig.RestartSec = 60;
serviceConfig.Restart = "always";
description = "Getmail service";
path = [pkgs.getmail6];
script = let
path = [ pkgs.getmail6 ];
script =
let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 2
@ -159,21 +164,23 @@
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in ''
in
''
getmail --rcfile=${rc} --idle=INBOX
'';
};
systemd.services.steveej-getmail-webde = {
enable = true;
wantedBy = ["multi-user.target"];
wantedBy = [ "multi-user.target" ];
serviceConfig.User = "steveej";
serviceConfig.Group = "dovecot2";
description = "Getmail service";
path = [pkgs.getmail6];
path = [ pkgs.getmail6 ];
serviceConfig.RestartSec = 1000;
serviceConfig.Restart = "always";
script = let
script =
let
rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
[options]
verbose = 1
@ -192,7 +199,8 @@
type = Maildir
path = ~/.maildir/
'';
in ''
in
''
getmail --rcfile=${rc} --idle=INBOX
'';
};

111
nix/os/containers/mycelium/flake.nix
View file

@ -11,35 +11,33 @@
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = {
self,
nixpkgs,
nixos-generators,
...
}: let
outputs =
{ self, nixpkgs, ... }:
let
systems = [
"aarch64-linux"
"x86_64-linux"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
in {
nixosConfigurations.default =
nixpkgs.lib.nixosSystem
in
{
nixosConfigurations.default = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = {};
specialArgs = { };
modules = [
({
(
{
config,
modulesPath,
pkgs,
lib,
...
}: {
}:
{
nixpkgs.overlays = [
(final: previous: {
(_final: _previous: {
# inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal;
# systemd =
# self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: {
@ -99,9 +97,7 @@
})
];
imports = [
(modulesPath + "/profiles/minimal.nix")
];
imports = [ (modulesPath + "/profiles/minimal.nix") ];
system.stateVersion = "24.11";
# https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix
@ -114,7 +110,7 @@
# boot.specialFileSystems = lib.mkForce {};
services.nscd.enable = false;
system.nssModules = lib.mkForce [];
system.nssModules = lib.mkForce [ ];
systemd.services.systemd-logind.enable = false;
systemd.services.console-getty.enable = false;
@ -135,32 +131,32 @@
mkdir -p /run/wrappers
'';
boot.kernelParams = [
"systemd.log_level=debug"
];
boot.kernelParams = [ "systemd.log_level=debug" ];
# services.udev.enable = false;
# TODO: this is only needed because `/run/current-system` is missing
# environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH";
systemd.mounts = lib.mkForce [];
fileSystems = lib.mkForce {};
systemd.mounts = lib.mkForce [ ];
fileSystems = lib.mkForce { };
services.mycelium.enable = false;
services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile";
systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false;
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root";
systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" ''
systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
while true; do
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
'');
''
);
systemd.services.testing-credentials = {
wantedBy = ["multi-user.target"];
path = [pkgs.coreutils];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.coreutils ];
serviceConfig = {
# SyslogIdentifier = "testing-credentials";
@ -174,7 +170,8 @@
# "hosts:/etc/hosts"
# ];
SetCredential = "mycelium-keyfile:not secret string";
ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" ''
ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
cd $STATE_DIRECTORY
pwd
env
@ -182,7 +179,8 @@
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
'');
''
);
};
};
@ -197,28 +195,32 @@
'';
};
};
})
}
)
];
};
packages = forAllSystems (system: let
packages = forAllSystems (
system:
let
name = "mycelium";
inherit (self.inputs) nix-snapshotter;
config = {
entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init";
# port = 2379;
args = [
];
args = [ ];
# nodePort = 30001;
};
myceliumPorts = {
tcp = [9651];
udp = [9650 9651];
tcp = [ 9651 ];
udp = [
9650
9651
];
};
inherit
(config)
inherit (config)
entrypoint
# port
@ -227,15 +229,13 @@
;
pkgs = import nixpkgs {
overlays = [nix-snapshotter.overlays.default];
};
pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; };
image = pkgs.nix-snapshotter.buildImage {
inherit name;
resolvedByNix = true;
config = {
entrypoint = [entrypoint];
entrypoint = [ entrypoint ];
env = [
# this is read by the `/init` script and prevents various incompatible commands like mount, etc.
# the value of this doesn't seem to matter as long as it's not an empty string.
@ -253,14 +253,19 @@
];
};
};
in {
k8s = let
pod = pkgs.writeText "${name}-pod.json" (builtins.toJSON {
in
{
k8s =
let
pod = pkgs.writeText "${name}-pod.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Pod";
metadata = {
inherit name;
labels = {inherit name;};
labels = {
inherit name;
};
};
spec.containers = [
{
@ -284,15 +289,19 @@
];
}
];
});
}
);
service = pkgs.writeText "${name}-service.json" (builtins.toJSON {
service = pkgs.writeText "${name}-service.json" (
builtins.toJSON {
apiVersion = "v1";
kind = "Service";
metadata.name = "${name}-service";
spec = {
type = "NodePort";
selector = {inherit name;};
selector = {
inherit name;
};
ports = [
{
name = "mycelium-tcp-0";
@ -313,9 +322,10 @@
}
];
};
});
}
);
in
pkgs.runCommand "declarative-k8s" {} ''
pkgs.runCommand "declarative-k8s" { } ''
mkdir -p $out/share/k8s
cp ${pod} $out/share/k8s/
cp ${service} $out/share/k8s/
@ -355,6 +365,7 @@
# mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap
};
});
}
);
};
}

13
nix/os/containers/syncthing.nix
View file

@ -6,16 +6,15 @@
syncthingPort ? 22000,
syncthingLocalAnnouncePort ? 21027,
autoStart ? false,
}: {
}:
{
inherit specialArgs;
config = {
config,
pkgs,
...
}: {
config =
{ ... }:
{
system.stateVersion = "20.05"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix];
imports = [ ../profiles/containers/configuration.nix ];
networking.firewall.allowedTCPPorts = [
# syncthing gui

70
nix/os/containers/webserver.nix
View file

@ -7,11 +7,14 @@
httpsPort,
forgejoSshPort,
autoStart ? false,
}: let
}:
let
domain = "www.stefanjunker.de";
in {
in
{
inherit specialArgs;
config = {
config =
{
config,
pkgs,
lib,
@ -19,7 +22,8 @@ in {
nodeFlake,
system,
...
}: {
}:
{
system.stateVersion = "22.05"; # Did you read the comment?
disabledModules = [
@ -44,7 +48,7 @@ in {
forgejoSshPort
];
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.secrets.hedgedoc_environment_file = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.hedgedoc.name;
@ -135,9 +139,11 @@ in {
useridField = "uid";
};
oauth2 = let
oauth2 =
let
originURL = config.services.kanidm.serverSettings.origin;
in {
in
{
providerName = "kanidm (${originURL})";
authorizationURL = "${originURL}/ui/oauth2";
@ -183,9 +189,11 @@ in {
owner = config.users.users.authelia-default.name;
};
services.authelia.instances.default = let
services.authelia.instances.default =
let
baseDir = "/var/lib/authelia-default";
in {
in
{
enable = true;
secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
@ -224,7 +232,7 @@ in {
};
};
users.groups.lldap = {};
users.groups.lldap = { };
users.users.lldap = {
isSystemUser = true;
group = "lldap";
@ -275,9 +283,9 @@ in {
};
};
sops.secrets.FORGEJO_JWT_SECRET = {};
sops.secrets.FORGEJO_INTERNAL_TOKEN = {};
sops.secrets.FORGEJO_SECRET_KEY = {};
sops.secrets.FORGEJO_JWT_SECRET = { };
sops.secrets.FORGEJO_INTERNAL_TOKEN = { };
sops.secrets.FORGEJO_SECRET_KEY = { };
services.forgejo = {
enable = true;
@ -307,7 +315,7 @@ in {
# combine a path watcher with a service that transfers the certs by caddy to kanidm
systemd.paths.kanidm-tls-watch = {
enable = true;
requiredBy = ["kanidm.service"];
requiredBy = [ "kanidm.service" ];
pathConfig = {
PathChanged = [
"${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
@ -316,13 +324,13 @@ in {
Unit = "kanidm-tls-update.service";
};
};
systemd.services.kanidm-tls-update = let
dbDir =
builtins.dirOf
config.services.kanidm.serverSettings.db_path;
in {
systemd.services.kanidm-tls-update =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
{
enable = true;
requiredBy = ["kanidm.service"];
requiredBy = [ "kanidm.service" ];
unitConfig = {
# ConditionPathExists = [
# "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key"
@ -330,9 +338,11 @@ in {
# ];
};
serviceConfig.Type = "oneshot";
script = let
script =
let
tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
in ''
in
''
set -xe
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
@ -359,12 +369,12 @@ in {
'';
};
systemd.services.kanidm.serviceConfig = let
dbDir =
builtins.dirOf
config.services.kanidm.serverSettings.db_path;
systemd.services.kanidm.serviceConfig =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
# stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
in {
{
# ExecStartPre = ''
# mkdir -p ${dbDir}
# '';
@ -374,9 +384,11 @@ in {
];
};
services.kanidm = let
services.kanidm =
let
dataDir = "/var/lib/kanidm";
in {
in
{
package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
enablePam = false;

36
nix/os/devices/default.nix
View file

@ -1,15 +1,20 @@
{
dir,
pkgs ? import <channels-nixos-stable> {},
ownLib ? import ../lib/default.nix {inherit (pkgs) lib;},
pkgs ? import <channels-nixos-stable> { },
ownLib ? import ../lib/default.nix { inherit (pkgs) lib; },
gitRoot ? "$(git rev-parse --show-toplevel)",
# FIXME: why do these need explicit mentioning?
moreargs ? "",
rebuildarg ? "",
...
} @ args: let
rebuildargsSudo = ["switch" "boot"];
rebuild = {
}@args:
let
rebuildargsSudo = [
"switch"
"boot"
];
rebuild =
{
gitRoot,
rebuildarg ? "dry-activate",
moreargs ? "",
@ -30,18 +35,18 @@
${
if
(builtins.elem rebuildarg rebuildargsSudo)
&& (builtins.match ".*--target-host.*" moreargs) == null
then "sudo -E \\"
else ""
(builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null
then
"sudo -E \\"
else
""
}
nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
'';
in {
recipes =
{
rebuild =
rebuild {
in
{
recipes = {
rebuild = rebuild {
inherit gitRoot;
inherit moreargs;
inherit rebuildarg;
@ -49,6 +54,5 @@ in {
# // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; }
# // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
;
}
// (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;}));
} // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; }));
}

53
nix/os/devices/disk.nix
View file

@ -3,40 +3,29 @@
ownLib,
dir,
gitRoot,
diskId ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.diskId,
diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId,
encrypted ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.encrypted,
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted,
previousDiskId ? "",
...
}: let
}:
let
mntRootVol = "/mnt/${diskId}-root";
in rec {
in
rec {
diskMount = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
echo Mounting ${diskId}
${pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
''}
sleep 1
sudo vgchange -ay ${ownLib.disk.volumeGroup diskId}
sudo mkdir -p /mnt
sudo mkdir ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
sudo mount ${
ownLib.disk.rootFsDevice diskId
} ${mntRootVol}/nixos/home -o subvol=home
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home
sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot
'';
@ -73,9 +62,7 @@ in rec {
#!/usr/bin/env bash
set -xe
read -p "Continue to format ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)? " choice
read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice
case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;;
@ -122,15 +109,11 @@ in rec {
${pkgs.lib.strings.optionalString encrypted ''
# Encrypt
sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
''}
# LVM
sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${
ownLib.disk.lvmPv diskId encrypted
}
sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted}
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
@ -154,9 +137,7 @@ in rec {
#!/usr/bin/env bash
set -xe
read -p "Continue to relabel ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)?" choice
read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice
case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;;
@ -187,13 +168,9 @@ in rec {
if test "${previousDiskId}"; then
${
pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''
}
${pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
''}
sync
sleep 1
if sudo vgs ${previousDiskId}; then

3
nix/os/devices/elias-e525/boot.nix
View file

@ -1,4 +1,5 @@
{lib, ...}: {
{ lib, ... }:
{
boot.loader.grub.efiSupport = lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
}

3
nix/os/devices/elias-e525/configuration.nix
View file

@ -1,4 +1,5 @@
{...}: {
{ ... }:
{
imports = [
../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix

10
nix/os/devices/elias-e525/default.nix
View file

@ -3,17 +3,17 @@
repoFlake,
nodeFlake,
...
}: let
}:
let
system = "x86_64-linux";
in {
in
{
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system;
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
${nodeName} = {
deployment.targetHost = "elias-e525.lan";

2
nix/os/devices/elias-e525/flake.nix
View file

@ -6,5 +6,5 @@
inputs.nixpkgs.follows = "nixpkgs";
};
outputs = _: {};
outputs = _: { };
}

2
nix/os/devices/elias-e525/hw.nix
View file

@ -1,4 +1,4 @@
{...}: {
_: {
# TASK: new device
hardware.opinionatedDisk = {
enable = true;

18
nix/os/devices/elias-e525/pkg.nix
View file

@ -1,8 +1,5 @@
{
pkgs,
lib,
...
}: let
{ pkgs, lib, ... }:
let
homeEnv = keyboard: {
imports = [
../../../home-manager/profiles/common.nix
@ -22,26 +19,27 @@
rustdesk
];
};
in {
services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) {
in
{
services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) {
gnome-remote-desktop.enable = true;
};
home-manager.users.steveej = homeEnv {
layout = "en";
options = ["nodeadkey"];
options = [ "nodeadkey" ];
variant = "altgr-intl";
};
home-manager.users.elias = homeEnv {
layout = "de";
options = [];
options = [ ];
variant = "";
};
home-manager.users.justyna = homeEnv {
layout = "de";
options = [];
options = [ ];
variant = "";
};

15
nix/os/devices/elias-e525/system.nix
View file

@ -1,10 +1,5 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
config,
...
}: let
in {
# TASK: new device
networking.hostName = "elias-e525"; # Define your hostname.
@ -38,11 +33,13 @@ in {
# udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
};
security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
services.xserver.videoDrivers = ["modesetting"];
services.xserver.videoDrivers = [ "modesetting" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = {automatic = true;};
nix.gc = {
automatic = true;
};
}

13
nix/os/devices/elias-e525/user.nix
View file

@ -1,12 +1,9 @@
{
config,
pkgs,
lib,
...
}: let
{ config, pkgs, ... }:
let
keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
in {
inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser;
in
{
sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;

3
nix/os/devices/fwhost1/boot.nix
View file

@ -1,4 +1,5 @@
{lib, ...}: {
{ lib, ... }:
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
}

3
nix/os/devices/fwhost1/configuration.nix
View file

@ -1,4 +1,5 @@
{...}: {
{ ... }:
{
imports = [
../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix

3
nix/os/devices/fwhost1/hw.nix
View file

@ -1,5 +1,4 @@
{...}: let
in {
_: {
# TASK: new device
hardware.opinionatedDisk = {
enable = true;

18
nix/os/devices/fwhost1/pkg.nix
View file

@ -1,17 +1,17 @@
{pkgs, ...}: {
nixpkgs.config.packageOverrides = pkgs:
with pkgs; {
nixPath =
(import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
{ pkgs, ... }:
{
nixpkgs.config.packageOverrides =
pkgs: with pkgs; {
inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath;
};
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs;
};
environment.systemPackages = with pkgs; [iw wirelesstools];
environment.systemPackages = with pkgs; [
iw
wirelesstools
];
system.stateVersion = "21.11";
}

19
nix/os/devices/fwhost1/system.nix
View file

@ -1,12 +1,8 @@
{
pkgs,
lib,
config,
...
}: let
keys = import ../../../variables/keys.nix;
{ pkgs, lib, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
in {
in
{
# TASK: new device
networking.hostName = "fwhost1"; # Define your hostname.
@ -21,11 +17,14 @@ in {
networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = ["eth0" "eth1"];
networking.bridges.breth.interfaces = [
"eth0"
"eth1"
];
networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10";
networking.nameservers = ["172.172.171.10"];
networking.nameservers = [ "172.172.171.10" ];
# WAN interfaces, currently unused because the OPNsense guest acts as a router.
networking.vlans.wan1.id = 3;

10
nix/os/devices/fwhost1/user.nix
View file

@ -1,9 +1 @@
{
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
in {}
_: { }

7
nix/os/devices/fwhost1/versions.nix
View file

@ -4,9 +4,12 @@ let
ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
};
in {
in
{
inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";};
nixos = nixpkgs // {
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {

7
nix/os/devices/fwhost1/versions.tmpl.nix
View file

@ -6,9 +6,12 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>'';
};
in {
in
{
inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";};
nixos = nixpkgs // {
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {

3
nix/os/devices/fwhost2/boot.nix
View file

@ -1,4 +1,5 @@
{lib, ...}: {
{ lib, ... }:
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
}

3
nix/os/devices/fwhost2/configuration.nix
View file

@ -1,4 +1,5 @@
{...}: {
{ ... }:
{
imports = [
../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix

3
nix/os/devices/fwhost2/hw.nix
View file

@ -1,5 +1,4 @@
{...}: let
in {
_: {
# TASK: new device
hardware.opinionatedDisk = {
enable = true;

18
nix/os/devices/fwhost2/pkg.nix
View file

@ -1,17 +1,17 @@
{pkgs, ...}: {
nixpkgs.config.packageOverrides = pkgs:
with pkgs; {
nixPath =
(import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
{ pkgs, ... }:
{
nixpkgs.config.packageOverrides =
pkgs: with pkgs; {
inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath;
};
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs;
};
environment.systemPackages = with pkgs; [iw wirelesstools];
environment.systemPackages = with pkgs; [
iw
wirelesstools
];
system.stateVersion = "21.11";
}

20
nix/os/devices/fwhost2/system.nix
View file

@ -1,13 +1,8 @@
{
pkgs,
lib,
config,
utils,
...
}: let
keys = import ../../../variables/keys.nix;
{ pkgs, lib, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
in {
in
{
# TASK: new device
networking.hostName = "fwhost2"; # Define your hostname.
@ -22,11 +17,14 @@ in {
networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = ["eth0" "eth1"];
networking.bridges.breth.interfaces = [
"eth0"
"eth1"
];
networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10";
networking.nameservers = ["172.172.171.10"];
networking.nameservers = [ "172.172.171.10" ];
# WAN interfaces, currently unused because the OPNsense guest acts as a router.
networking.vlans.wan1.id = 3;

10
nix/os/devices/fwhost2/user.nix
View file

@ -1,12 +1,4 @@
{
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
_: {
# users.extraUsers.steveej2 = mkUser {
# uid = 1001;
# openssh.authorizedKeys.keys = keys.users.steveej.openssh;

7
nix/os/devices/fwhost2/versions.nix
View file

@ -4,9 +4,12 @@ let
ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
};
in {
in
{
inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";};
nixos = nixpkgs // {
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {

7
nix/os/devices/fwhost2/versions.tmpl.nix
View file

@ -6,9 +6,12 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>'';
};
in {
in
{
inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";};
nixos = nixpkgs // {
suffix = "/nixos";
};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {

1
nix/os/devices/hstk0/README.md
View file

@ -4,4 +4,3 @@
# TODO: generate an SSH host-key and deploy it via --extra-files
nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252
```

31
nix/os/devices/hstk0/configuration.nix
View file

@ -1,17 +1,14 @@
{
modulesPath,
repoFlake,
packages',
pkgs,
lib,
config,
nodeFlake,
nodeName,
system,
...
}: {
disabledModules = [
];
}:
{
disabledModules = [ ];
imports = [
nodeFlake.inputs.disko.nixosModules.disko
@ -28,9 +25,7 @@
}
../../snippets/nix-settings.nix
{
nix.settings.sandbox = lib.mkForce "relaxed";
}
{ nix.settings.sandbox = lib.mkForce "relaxed"; }
../../snippets/mycelium.nix
@ -80,15 +75,12 @@
nat.enable = true;
firewall.enable = true;
firewall.allowedTCPPorts = [
5201
];
firewall.allowedUDPPorts = [
5201
];
firewall.allowedTCPPorts = [ 5201 ];
firewall.allowedUDPPorts = [ 5201 ];
};
disko.devices = let
disko.devices =
let
disk = id: {
type = "disk";
device = "/dev/${id}";
@ -109,7 +101,8 @@
};
};
};
in {
in
{
disk = {
sda = disk "sda";
sdb = disk "sdb";
@ -149,7 +142,5 @@
virtualisation.libvirtd.enable = true;
boot.binfmt.emulatedSystems = [
"aarch64-linux"
];
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
}

19
nix/os/devices/hstk0/default.nix
View file

@ -3,19 +3,22 @@
repoFlake,
nodeFlake,
...
}: let
}:
let
system = "x86_64-linux";
in {
in
{
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system;
inherit
repoFlake
nodeName
nodeFlake
system
;
packages' = repoFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
${nodeName} = {
deployment.targetHost = "185.130.224.33";

29
nix/os/devices/hstk0/flake.nix
View file

@ -16,38 +16,37 @@
# outputs = _: {};
outputs = {
outputs =
{
self,
get-flake,
nixpkgs,
...
} @ attrs: let
}:
let
system = "x86_64-linux";
nodeName = "hostkey-0";
mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate
attrs
mkNixosConfiguration =
{
extraModules ? [ ],
...
}@attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate attrs {
specialArgs = {
nodeFlake = self;
repoFlake = get-flake ../../../..;
inherit nodeName;
};
modules =
[
./configuration.nix
]
++ extraModules;
modules = [ ./configuration.nix ] ++ extraModules;
}
);
in {
in
{
nixosConfigurations = {
native = mkNixosConfiguration {
inherit system;
};
native = mkNixosConfiguration { inherit system; };
};
};
}

12
nix/os/devices/hydra.json
View file

@ -10,7 +10,15 @@
"emailoverride": "",
"keepnr": 3,
"inputs": {
"src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false },
"nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false }
"src": {
"type": "git",
"value": "git://github.com/shlevy/declarative-hydra-example.git",
"emailresponsible": false
},
"nixpkgs": {
"type": "git",
"value": "git://github.com/NixOS/nixpkgs.git release-16.03",
"emailresponsible": false
}
}
}

3
nix/os/devices/justyna-p300/boot.nix
View file

@ -1,4 +1,5 @@
{lib, ...}: {
{ lib, ... }:
{
boot.loader.grub.efiInstallAsRemovable = lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
boot.loader.grub.efiSupport = lib.mkForce false;

3
nix/os/devices/justyna-p300/configuration.nix
View file

@ -1,4 +1,5 @@
{...}: {
{ ... }:
{
imports = [
../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix

10
nix/os/devices/justyna-p300/default.nix
View file

@ -3,17 +3,17 @@
repoFlake,
nodeFlake,
...
}: let
}:
let
system = "x86_64-linux";
in {
in
{
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system;
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
${nodeName} = {
deployment.targetHost = nodeName;

4
nix/os/devices/justyna-p300/flake.nix
View file

@ -6,8 +6,8 @@
inputs.nixpkgs.follows = "nixpkgs";
};
inputs.disko.url = github:nix-community/disko;
inputs.disko.url = "github:nix-community/disko";
inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
outputs = _: {};
outputs = _: { };
}

16
nix/os/devices/justyna-p300/hw.nix
View file

@ -1,12 +1,6 @@
{ nodeFlake, ... }:
{
repoFlake,
nodeFlake,
lib,
...
}: {
imports = [
nodeFlake.inputs.disko.nixosModules.disko
];
imports = [ nodeFlake.inputs.disko.nixosModules.disko ];
disko.devices.disk.sda = {
device = "/dev/sda";
@ -20,7 +14,7 @@
start = "0";
end = "1M";
part-type = "primary";
flags = ["bios_grub"];
flags = [ "bios_grub" ];
}
{
name = "root";
@ -30,14 +24,14 @@
bootable = true;
content = {
type = "btrfs";
extraArgs = ["-f"]; # Override existing partition
extraArgs = [ "-f" ]; # Override existing partition
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
"/nix" = {
mountOptions = ["noatime"];
mountOptions = [ "noatime" ];
};
};
};

25
nix/os/devices/justyna-p300/pkg.nix
View file

@ -3,7 +3,8 @@
lib,
packages',
...
}: let
}:
let
homeEnv = keyboard: {
imports = [
../../../home-manager/profiles/common.nix
@ -23,15 +24,19 @@
rustdesk
];
};
in {
services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) {
in
{
services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) {
gnome-remote-desktop.enable = true;
};
services.printing.drivers = lib.mkForce (with packages'; [
services.printing.drivers = lib.mkForce (
with packages';
[
dcpj4110dwDriver
dcpj4110dwCupswrapper
]);
]
);
services.printing.extraConf = ''
LogLevel debug
@ -39,13 +44,13 @@ in {
home-manager.users.steveej = homeEnv {
layout = "en";
options = ["nodeadkey"];
options = [ "nodeadkey" ];
variant = "altgr-intl";
};
home-manager.users.elias = homeEnv {
layout = "de";
options = [];
options = [ ];
variant = "";
};
@ -53,16 +58,14 @@ in {
lib.attrsets.recursiveUpdate
(homeEnv {
layout = "de";
options = [];
options = [ ];
variant = "";
})
{
services.syncthing.enable = true;
services.syncthing.tray = true;
home.packages = with pkgs; [
session-desktop
];
home.packages = with pkgs; [ session-desktop ];
};
system.stateVersion = "21.11";

19
nix/os/devices/justyna-p300/system.nix
View file

@ -1,11 +1,8 @@
{
pkgs,
lib,
config,
...
}: let
{ pkgs, lib, ... }:
let
passwords = import ../../../variables/passwords.crypt.nix;
in {
in
{
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [
# iperf3
@ -39,11 +36,13 @@ in {
# udev.packages = [ pkgs.gnome3.gnome-settings-daemon ];
};
security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
services.xserver.videoDrivers = ["modesetting"];
services.xserver.videoDrivers = [ "modesetting" ];
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = {automatic = true;};
nix.gc = {
automatic = true;
};
}

12
nix/os/devices/justyna-p300/user.nix
View file

@ -1,11 +1,9 @@
{
config,
pkgs,
...
}: let
{ config, pkgs, ... }:
let
keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
in {
inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser;
in
{
sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;

373
nix/os/devices/router0-dmz0/configuration.nix
View file

@ -9,33 +9,33 @@
localDomainName,
system,
...
}: let
inherit
(nodeFlake.inputs)
nixos-nftables-firewall
nixos-sbc
;
}:
let
inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc;
vlanRangeStart = builtins.head vlanRange;
vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1);
vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans);
vlanRangeWith0 = [0] ++ vlanRange;
vlanRangeWith0 = [ 0 ] ++ vlanRange;
mkVlanIpv4HostAddr = {
mkVlanIpv4HostAddr =
{
vlanid,
host,
thirdIpv4SegmentMin ? 20,
cidr ? true,
}: let
}:
let
# reserve the first subnet for vlanid == 0
# number the other subnets continously from there
offset =
if vlanid == 0
then thirdIpv4SegmentMin
else thirdIpv4SegmentMin + 1 - vlanRangeStart;
offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart;
in
builtins.concatStringsSep "."
["192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}"];
builtins.concatStringsSep "." [
"192"
"168"
(toString (vlanid + offset))
"${toString host}${lib.strings.optionalString cidr "/24"}"
];
defaultVlan = {
name = "${localDomainName}";
@ -62,30 +62,25 @@
"15".packet_priority = -10;
};
vlansByName =
lib.attrsets.mapAttrs'
(
vlansByName = lib.attrsets.mapAttrs' (
vlanid': attrs:
lib.attrsets.nameValuePair
attrs.name
(attrs
lib.attrsets.nameValuePair attrs.name (
attrs
// {
id = lib.strings.toInt vlanid';
id' = vlanid';
})
}
)
vlans;
) vlans;
getVlanDomain = {vlanid}:
if vlanid == 0
then defaultVlan.name
else vlans."${toString vlanid}".name + "." + defaultVlan.name;
getVlanDomain =
{ vlanid }:
if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." + defaultVlan.name;
bridgeInterfaceName = "br-lan";
mkInterfaceName = {vlanid}:
if vlanid == 0
then bridgeInterfaceName
else "${bridgeInterfaceName}.${toString vlanid}";
mkInterfaceName =
{ vlanid }:
if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}";
dmzExposedHost = "sj-srv1";
dmzExposedHostDomain = "dmz.internal";
@ -96,8 +91,10 @@
cidr = false;
};
dmzExposedHostMACaddr = repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress;
in {
dmzExposedHostMACaddr =
repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress;
in
{
imports = [
nixos-sbc.nixosModules.default
nixos-sbc.nixosModules.boards.bananapi.bpir3
@ -130,7 +127,7 @@ in {
sops.secrets.passwords-root.neededForUsers = true;
# sops.secrets.wlan0_saePasswordsFile = {};
sops.secrets.wlan0_wpaPskFile = {};
sops.secrets.wlan0_wpaPskFile = { };
}
];
@ -193,10 +190,12 @@ in {
chains = {
prerouting = {
"exposeHost" = {
after = ["hook"];
rules = let
after = [ "hook" ];
rules =
let
wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces;
in [
in
[
"iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
"iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}"
];
@ -211,20 +210,26 @@ in {
# snippets.nnf-conntrack.enable = true;
zones =
{
lan.interfaces = [(mkInterfaceName {vlanid = 0;})];
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange;
lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ];
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange;
# lan.ipv4Addresses = ["192.168.0.0/16"];
wan.interfaces = ["wan" "lan0"];
vpn.interfaces = ["wg0" "wg1" "wg2"];
wan.interfaces = [
"wan"
"lan0"
];
vpn.interfaces = [
"wg0"
"wg1"
"wg2"
];
}
//
# generate a zone for each vlan
lib.attrsets.mapAttrs
(key: value: {
interfaces = [(mkInterfaceName {vlanid = value.id;})];
})
vlansByName;
rules = let
lib.attrsets.mapAttrs (_key: value: {
interfaces = [ (mkInterfaceName { vlanid = value.id; }) ];
}) vlansByName;
rules =
let
ipv6IcmpTypes = [
"destination-unreachable"
"echo-reply"
@ -250,33 +255,37 @@ in {
"ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept"
"ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept"
];
in {
in
{
fw = {
from = ["fw"];
from = [ "fw" ];
verdict = "accept";
};
office-to-dmz = {
from = ["office"];
to = ["dmz"];
from = [ "office" ];
to = [ "dmz" ];
verdict = "accept";
};
lan-to-fw = {
from = ["lan"];
to = ["fw" "lan"];
from = [ "lan" ];
to = [
"fw"
"lan"
];
verdict = "accept";
};
lan-to-wan = {
from = ["lan"];
to = ["wan"];
from = [ "lan" ];
to = [ "wan" ];
verdict = "accept";
};
vlan-to-wan = {
from = ["vlan"];
to = ["wan"];
from = [ "vlan" ];
to = [ "wan" ];
verdict = "accept";
};
@ -309,47 +318,45 @@ in {
to = 5201;
}
];
from = ["vlan"];
to = ["fw"];
extraLines =
allowIcmpLines
++ [
"drop"
];
from = [ "vlan" ];
to = [ "fw" ];
extraLines = allowIcmpLines ++ [ "drop" ];
};
to-wan-nat = {
from = ["lan" "vlan"];
to = ["wan"];
from = [
"lan"
"vlan"
];
to = [ "wan" ];
masquerade = true;
verdict = "accept";
};
wan-to-dmz = {
from = ["wan"];
to = ["dmz"];
from = [ "wan" ];
to = [ "dmz" ];
verdict = "accept";
};
wan-to-fw = {
from = ["wan"];
to = ["fw"];
from = [ "wan" ];
to = [ "fw" ];
allowedTCPPortRanges = [
{
from = 22;
to = 22;
}
];
extraLines =
allowIcmpLines
++ [
"drop"
];
extraLines = allowIcmpLines ++ [ "drop" ];
};
to-vpn-nat = {
from = ["lan" "vlan"];
to = ["vpn"];
from = [
"lan"
"vlan"
];
to = [ "vpn" ];
masquerade = false;
verdict = "accept";
};
@ -377,48 +384,13 @@ in {
systemd.network = {
wait-online.anyInterface = true;
netdevs = let
router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${
builtins.toString
repoFlake
.nixosConfigurations
.router0-ifog
.config
.systemd
.network
.netdevs
.wg0
.wireguardConfig
.ListenPort
}";
netdevs =
let
router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}";
router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${
builtins.toString
repoFlake
.nixosConfigurations
.router0-ifog
.config
.systemd
.network
.netdevs
.wg1
.wireguardConfig
.ListenPort
}";
router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}";
router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${
builtins.toString
repoFlake
.nixosConfigurations
.router0-hosthatch
.config
.systemd
.network
.netdevs
.wg0
.wireguardConfig
.ListenPort
}";
router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}";
in
{
# Create the bridge interface
@ -536,33 +508,29 @@ in {
};
}
# generate the vlan devices. these will be tagged on the main bridge
// builtins.foldl'
(acc: cur: acc // cur)
{}
(
// builtins.foldl' (acc: cur: acc // cur) { } (
builtins.map
({
vlanid,
vlanid',
}: {
"20-${mkInterfaceName {inherit vlanid;}}" = {
(
{ vlanid, vlanid' }:
{
"20-${mkInterfaceName { inherit vlanid; }}" = {
netdevConfig = {
Kind = "vlan";
Name = "${mkInterfaceName {inherit vlanid;}}";
Name = "${mkInterfaceName { inherit vlanid; }}";
};
vlanConfig.Id = vlanid;
};
})
}
)
(
builtins.map
(vlanid: {
builtins.map (vlanid: {
inherit vlanid;
vlanid' = builtins.toString vlanid;
})
vlanRange
}) vlanRange
)
);
networks = let
networks =
let
commonWanOptions = {
networkConfig = {
# start a DHCP Client for IPv4/6 Addressing/Routing
@ -771,7 +739,7 @@ in {
# Configure the bridge for its desired function
"40-${bridgeInterfaceName}" = {
matchConfig.Name = bridgeInterfaceName;
bridgeConfig = {};
bridgeConfig = { };
address = [
(mkVlanIpv4HostAddr {
vlanid = 0;
@ -793,19 +761,13 @@ in {
}
];
vlan = (
builtins.map
(vlanid: (mkInterfaceName {inherit vlanid;}))
vlanRange
);
vlan = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange;
};
"50-wg0" = {
enable = true;
matchConfig.Name = "wg0";
address = [
"10.0.0.1/31"
];
address = [ "10.0.0.1/31" ];
routes = [
# {
@ -820,9 +782,7 @@ in {
"50-wg1" = {
enable = true;
matchConfig.Name = "wg1";
address = [
"10.0.0.3/31"
];
address = [ "10.0.0.3/31" ];
routes = [
# {
# routeConfig = {
@ -836,9 +796,7 @@ in {
"50-wg2" = {
enable = true;
matchConfig.Name = "wg2";
address = [
"10.0.1.1/31"
];
address = [ "10.0.1.1/31" ];
routes = [
# TODO: add a testing route here
@ -849,19 +807,16 @@ in {
# * netdev type vlan
# * host address for vlan
# * vlan config for wlan interface
// builtins.foldl'
(acc: cur: acc // cur)
{}
(builtins.map
({
vlanid,
vlanid',
}: {
// builtins.foldl' (acc: cur: acc // cur) { } (
builtins.map
(
{ vlanid, vlanid' }:
{
# configure the tagged vlan device with an address and vlan filtering.
# dnsmasq is configured to serve the respective /24 range on each tagged device.
# this device only receives traffic for the given vlanid and sends tagged traffic to the bridge.
"41-${mkInterfaceName {inherit vlanid;}}" = {
matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}";
"41-${mkInterfaceName { inherit vlanid; }}" = {
matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}";
address = [
(mkVlanIpv4HostAddr {
inherit vlanid;
@ -934,25 +889,27 @@ in {
# };
# linkConfig.RequiredForOnline = "no";
# };
})
}
)
(
builtins.map
(vlanid: {
builtins.map (vlanid: {
inherit vlanid;
vlanid' = builtins.toString vlanid;
})
vlanRange
));
}) vlanRange
)
);
};
# wireless access point
services.hostapd = {
enable = true;
# package = nodeFlake.packages.${system}.hostapd_patched;
radios = let
radios =
let
# generated with https://miniwebtool.com/mac-address-generator/
mkBssid = i: "34:56:ce:0f:ed:4${toString i}";
in {
in
{
wlan0 = {
band = "2g";
# FIXME: apparently setting this could cause bugs, testing disabling it for a while.
@ -1002,17 +959,18 @@ in {
};
networks = {
wlan0 = let
wlan0 =
let
iface = "wlan0";
in {
in
{
ssid = "mlsia";
bssid = mkBssid 0;
# enables debug logging
logLevel = 0;
authentication.mode =
"wpa2-sha256"
authentication.mode = "wpa2-sha256"
# "wpa3-sae-transition"
# "wpa3-sae"
;
@ -1048,13 +1006,11 @@ in {
vlan_bridge = "br-${iface}.";
*/
vlan_file = let
generated =
builtins.map
(
vlan_file =
let
generated = builtins.map (
vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}"
)
vlanRange;
) vlanRange;
wildcard = [
# Optional wildcard entry matching all VLAN IDs. The first # in the interface
@ -1064,14 +1020,13 @@ in {
"* ${iface}.#"
];
file =
pkgs.writeText "hostapd.vlan"
(builtins.concatStringsSep "\n" (generated ++ wildcard));
file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard));
filePath = toString file;
in
filePath;
wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [
wpa_key_mgmt = lib.mkForce (
builtins.concatStringsSep " " [
"WPA-PSK"
# TODO: the printer can't connect when this is on
@ -1079,7 +1034,8 @@ in {
# unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them
# "SAE"
]);
]
);
# wpa_psk_radius = 0;
wpa_pairwise = "CCMP";
@ -1150,11 +1106,10 @@ in {
# v6 config
enable-ra = true;
dhcp-range = let
mkDhcpRange = {
tag,
vlanid,
}:
dhcp-range =
let
mkDhcpRange =
{ tag, vlanid }:
builtins.concatStringsSep "," [
tag
(mkVlanIpv4HostAddr {
@ -1173,15 +1128,13 @@ in {
# "ra-names"
];
in
builtins.map
(
builtins.map (
vlanid:
mkDhcpRange {
tag = mkInterfaceName {inherit vlanid;};
tag = mkInterfaceName { inherit vlanid; };
inherit vlanid;
}
)
vlanRangeWith0;
) vlanRangeWith0;
dhcp-host = builtins.concatStringsSep "," [
dmzExposedHostMACaddr
@ -1211,39 +1164,33 @@ in {
];
domain =
[
"/${getVlanDomain {vlanid = 0;}}/,local"
]
++ builtins.map
(
vlanid: "${getVlanDomain {inherit vlanid;}},${mkVlanIpv4HostAddr {
[ "/${getVlanDomain { vlanid = 0; }}/,local" ]
++ builtins.map (
vlanid:
"${getVlanDomain { inherit vlanid; }},${
mkVlanIpv4HostAddr {
inherit vlanid;
host = 0;
cidr = true;
}},local"
)
vlanRangeWith0;
}
},local"
) vlanRangeWith0;
# TODO: compare this to using `interface-name`
dynamic-host =
[
]
++ builtins.map
(
dynamic-host = builtins.map (
vlanid:
builtins.concatStringsSep "," [
# "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;})
"${nodeName}.${getVlanDomain {inherit vlanid;}}"
"${nodeName}.${getVlanDomain { inherit vlanid; }}"
"0.0.0.1"
(mkInterfaceName {inherit vlanid;})
(mkInterfaceName { inherit vlanid; })
]
)
vlanRangeWith0;
) vlanRangeWith0;
dhcp-option-force =
builtins.map
(vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain {inherit vlanid;}}")
vlanRangeWith0;
dhcp-option-force = builtins.map (
vlanid:
"${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}"
) vlanRangeWith0;
# auth-server = [
# (builtins.concatStringsSep "," [

21
nix/os/devices/router0-dmz0/default.nix
View file

@ -5,25 +5,24 @@
nodeFlake,
localDomainName ? "internal",
...
}: {
}:
{
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system;
inherit
repoFlake
nodeName
nodeFlake
system
;
packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system};
inherit
(nodeFlake.inputs.bpir3.packages.${system})
armTrustedFirmwareMT7986
;
inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986;
inherit localDomainName;
};
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
${nodeName} = {
deployment.targetHost = "${nodeName}.${localDomainName}";

49
nix/os/devices/router0-dmz0/flake.nix
View file

@ -39,29 +39,24 @@
# };
};
outputs = {
outputs =
{
self,
get-flake,
nixpkgs,
nixos-sbc,
...
}: let
}:
let
nativeSystem = "aarch64-linux";
nodeName = "router0-dmz0";
pkgs = nixpkgs.legacyPackages.${nativeSystem};
pkgsCross = import self.inputs.nixpkgs {
system = "x86_64-linux";
crossSystem = {
config = "aarch64-unknown-linux-gnu";
};
};
mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate
attrs
mkNixosConfiguration =
{
extraModules ? [ ],
...
}@attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate attrs {
specialArgs =
(import ./default.nix {
system = nativeSystem;
@ -69,13 +64,9 @@
repoFlake = get-flake ../../../..;
nodeFlake = self;
})
.meta
.nodeSpecialArgs
.${nodeName};
}).meta.nodeSpecialArgs.${nodeName};
modules =
[
modules = [
./configuration.nix
# flake registry
@ -83,15 +74,13 @@
nixpkgs.overlays = builtins.attrValues self.overlays;
nix.registry.nixpkgs.flake = nixpkgs;
}
]
++ extraModules;
] ++ extraModules;
}
);
in {
in
{
nixosConfigurations = {
native = mkNixosConfiguration {
system = nativeSystem;
};
native = mkNixosConfiguration { system = nativeSystem; };
cross = mkNixosConfiguration {
extraModules = [
@ -103,11 +92,9 @@
};
};
overlays.default = final: previous: {
overlays.default = _final: previous: {
hostapd = previous.hostapd.overrideDerivation (attrs: {
patches =
attrs.patches
++ [
patches = attrs.patches ++ [
"${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"
];
});

35
nix/os/devices/router0-hosthatch/configuration.nix
View file

@ -5,11 +5,11 @@
config,
nodeFlake,
nodeName,
localDomainName,
system,
variables,
...
}: {
}:
{
system.stateVersion = "24.05";
imports = [
@ -48,7 +48,7 @@
boot.loader.grub.efiSupport = false;
# forcing seems required or else there's an error about duplicated devices
boot.loader.grub.devices = lib.mkForce ["/dev/vda"];
boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ];
disko.devices.disk.vda = {
device = "/dev/vda";
@ -64,14 +64,14 @@
size = "100%";
content = {
type = "btrfs";
extraArgs = ["-f"]; # Override existing partition
extraArgs = [ "-f" ]; # Override existing partition
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
"/nix" = {
mountOptions = ["noatime"];
mountOptions = [ "noatime" ];
mountpoint = "/nix";
};
"/boot" = {
@ -156,9 +156,7 @@
interface = "eth0";
address = variables.ipv4gateway;
};
nameservers = [
variables.ipv4dns
];
nameservers = [ variables.ipv4dns ];
# these will be configured via nftables
nat.enable = lib.mkForce false;
@ -176,17 +174,20 @@
snippets.nnf-common.enable = true;
zones.wan = {
interfaces = ["eth0"];
interfaces = [ "eth0" ];
};
zones.vpn = {
interfaces = ["wg0" "wg1"];
interfaces = [
"wg0"
"wg1"
];
};
rules = {
to-fw = {
from = "all";
to = ["fw"];
to = [ "fw" ];
verdict = "drop";
allowedTCPPorts = [
@ -202,8 +203,8 @@
};
vpn-to-wan-nat = {
from = ["vpn"];
to = ["wan"];
from = [ "vpn" ];
to = [ "wan" ];
masquerade = true;
verdict = "accept";
};
@ -283,9 +284,7 @@
systemd.network.networks.wg0 = {
enable = true;
matchConfig.Name = "wg0";
address = [
"10.0.1.0/31"
];
address = [ "10.0.1.0/31" ];
routes = [
{
@ -299,9 +298,7 @@
systemd.network.networks.wg1 = {
enable = true;
matchConfig.Name = "wg1";
address = [
"10.0.1.2/31"
];
address = [ "10.0.1.2/31" ];
routes = [
{

20
nix/os/devices/router0-hosthatch/default.nix
View file

@ -4,20 +4,24 @@
repoFlake,
nodeFlake,
...
}: let
}:
let
variables = import ./variables.crypt.nix;
in {
in
{
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system variables;
inherit
repoFlake
nodeName
nodeFlake
system
variables
;
packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
${nodeName} = {
deployment.targetHost = variables.ipv4;

2
nix/os/devices/router0-hosthatch/flake.nix
View file

@ -15,5 +15,5 @@
nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = _: {};
outputs = _: { };
}

35
nix/os/devices/router0-ifog/configuration.nix
View file

@ -5,11 +5,11 @@
config,
nodeFlake,
nodeName,
localDomainName,
system,
variables,
...
}: {
}:
{
system.stateVersion = "23.11";
imports = [
@ -48,7 +48,7 @@
boot.loader.grub.efiSupport = false;
# forcing seems required or else there's an error about duplicated devices
boot.loader.grub.devices = lib.mkForce ["/dev/vda"];
boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ];
disko.devices.disk.vda = {
device = "/dev/vda";
@ -64,14 +64,14 @@
size = "100%";
content = {
type = "btrfs";
extraArgs = ["-f"]; # Override existing partition
extraArgs = [ "-f" ]; # Override existing partition
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
"/nix" = {
mountOptions = ["noatime"];
mountOptions = [ "noatime" ];
mountpoint = "/nix";
};
"/boot" = {
@ -156,9 +156,7 @@
interface = "eth0";
address = variables.ipv4gateway;
};
nameservers = [
variables.ipv4dns
];
nameservers = [ variables.ipv4dns ];
# these will be configured via nftables
nat.enable = lib.mkForce false;
@ -176,17 +174,20 @@
snippets.nnf-common.enable = true;
zones.wan = {
interfaces = ["eth0"];
interfaces = [ "eth0" ];
};
zones.vpn = {
interfaces = ["wg0" "wg1"];
interfaces = [
"wg0"
"wg1"
];
};
rules = {
to-fw = {
from = "all";
to = ["fw"];
to = [ "fw" ];
verdict = "drop";
allowedTCPPorts = [
@ -202,8 +203,8 @@
};
vpn-to-wan-nat = {
from = ["vpn"];
to = ["wan"];
from = [ "vpn" ];
to = [ "wan" ];
masquerade = true;
verdict = "accept";
};
@ -283,9 +284,7 @@
systemd.network.networks.wg0 = {
enable = true;
matchConfig.Name = "wg0";
address = [
"10.0.0.0/31"
];
address = [ "10.0.0.0/31" ];
routes = [
{
@ -299,9 +298,7 @@
systemd.network.networks.wg1 = {
enable = true;
matchConfig.Name = "wg1";
address = [
"10.0.0.2/31"
];
address = [ "10.0.0.2/31" ];
routes = [
{

20
nix/os/devices/router0-ifog/default.nix
View file

@ -4,20 +4,24 @@
repoFlake,
nodeFlake,
...
}: let
}:
let
variables = import ./variables.crypt.nix;
in {
in
{
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake system variables;
inherit
repoFlake
nodeName
nodeFlake
system
variables
;
packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
${nodeName} = {
deployment.targetHost = variables.ipv4;

2
nix/os/devices/router0-ifog/flake.nix
View file

@ -15,5 +15,5 @@
nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = _: {};
outputs = _: { };
}

4
nix/os/devices/sj-srv1/boot.nix
View file

@ -1,3 +1 @@
{lib, ...}: {
boot.extraModulePackages = [];
}
_: { boot.extraModulePackages = [ ]; }

8
nix/os/devices/sj-srv1/configuration.nix
View file

@ -1,10 +1,6 @@
{ nodeName, config, ... }:
{
nodeName,
config,
pkgs,
...
}: {
disabledModules = [];
disabledModules = [ ];
imports = [
../../profiles/common/configuration.nix
{

Some files were not shown because too many files have changed in this diff Show more