diff --git a/.gitignore b/.gitignore
index 92102e5..fbfe182 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,6 @@
 .env
 **/result
 .direnv/
+
+# nixago: ignore-linked-files
+/treefmt.toml
\ No newline at end of file
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 79eb182..3e061dc 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,4 +1,9 @@
 {
+ "editor.defaultFormatter": "ibecker.treefmt-vscode",
+ "treefmt.command": "treefmt",
+ "editor.formatOnSave": true,
+ "nix.enableLanguageServer": true,
+ "nix.serverPath": "nil",
 "nix.serverSettings": {
 // settings for 'nil' LSP
 "nil": {
@@ -9,11 +14,14 @@
 "unused_with"
 ]
 },
- "formatting": {
- "command": [
- "treefmt-nix",
- ]
- }
+ // TODO: this doesn't work because treefmt-nix wants the output path as an argument
+ // "formatting": {
+ // "command": [
+ // "treefmt-nix",
+ // "--stdin",
+ // "/dev/stdout"
+ // ]
+ // }
 }
 },
 }
diff --git a/default.nix b/default.nix
index 75e1dbb..6aba02e 100644
--- a/default.nix
+++ b/default.nix
@@ -4,6 +4,9 @@
 # Having pkgs default to is fine though, and it lets you use short
 # commands such as:
 # nix-build -A mypackage
-{pkgs ? import {}}: {
- pkgs = import ./nix/pkgs {inherit pkgs;};
+{
+ pkgs ? import { },
+}:
+{
+ pkgs = import ./nix/pkgs { inherit pkgs; };
 }
diff --git a/flake.lock b/flake.lock
index 4ea2cd8..ca784f0 100644
--- a/flake.lock
+++ b/flake.lock
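Review bot: The nil `formatting` block is left commented out behind a TODO rather than fixed; nil's formatter contract is a command that takes the buffer on stdin and prints the result on stdout, which is why pointing it at the treefmt-nix wrapper (a tree formatter, not a filter) does not work. Since the flake.nix hunk in this same commit enables only `programs.nixfmt` in treefmt, the simplest working setting is `"formatting": { "command": ["nixfmt"] }`, which nixfmt satisfies with no arguments. The new `"treefmt.command": "treefmt"` and `"nix.serverPath": "nil"` are resolved from PATH, so they presumably rely on the devShell (or direnv) supplying those binaries; a one-line comment saying so would explain why format-on-save silently does nothing when the repo is opened outside the shell.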
@@ -346,6 +346,81 @@ } }, "flake-utils_3": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_6": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_7": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_8": { "inputs": { "systems": "systems_3" }, @@ -363,7 +438,7 @@ "type": "github" } }, - "flake-utils_4": { + "flake-utils_9": { "inputs": { "systems": "systems_4" }, 
@@ -485,7 +560,7 @@ }, "lib-aggregate": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_8", "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { 
@@ -639,6 +714,126 @@ "type": "github" } }, + "nixago": { + "inputs": { + "flake-utils": "flake-utils_3", + "nixago-exts": "nixago-exts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1714086354, + "narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", + "owner": "jmgilman", + "repo": "nixago", + "rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", + "type": "github" + }, + "original": { + "owner": "jmgilman", + "repo": "nixago", + "type": "github" + } + }, + "nixago-exts": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixago": "nixago_2", + "nixpkgs": [ + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070308, + "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago-exts_2": { + "inputs": { + "flake-utils": "flake-utils_6", + "nixago": "nixago_3", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655508669, + "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago_2": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixago-exts": "nixago-exts_2", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070010, + "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", + "owner": "nix-community", + "repo": "nixago", + "rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "rename-config-data", + "repo": "nixago", 
+ "type": "github" + } + }, + "nixago_3": { + "inputs": { + "flake-utils": "flake-utils_7", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655405483, + "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", + "owner": "nix-community", + "repo": "nixago", + "rev": "e6a9566c18063db5b120e69e048d3627414e327d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago", + "type": "github" + } + }, "nixos-anywhere": { "inputs": { "disko": "disko", @@ -1058,6 +1253,7 @@ "logseq_0_10_9_aarch64_appimage": "logseq_0_10_9_aarch64_appimage", "nix-vscode-extensions": "nix-vscode-extensions", "nix4vscode": "nix4vscode", + "nixago": "nixago", "nixos-anywhere": "nixos-anywhere", "nixpkgs": [ "nixpkgs-2405" @@ -1351,7 +1547,7 @@ }, "yofi": { "inputs": { - "flake-utils": "flake-utils_4", + "flake-utils": "flake-utils_9", "nixpkgs": [ "nixpkgs" ] diff --git a/flake.nix b/flake.nix index d1d4106..655ead0 100644 --- a/flake.nix +++ b/flake.nix 
@@ -129,218 +129,242 @@ url = "github:numtide/treefmt-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; + nixago.url = "github:jmgilman/nixago"; + nixago.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = inputs @ { - self, - flake-parts, - nixpkgs, - ... - }: let - inherit (nixpkgs) lib; + outputs = + inputs@{ + self, + flake-parts, + nixpkgs, + ... + }: + let + inherit (nixpkgs) lib; - systems = [ - "x86_64-linux" - "aarch64-linux" - ]; - in - flake-parts.lib.mkFlake {inherit inputs;} - ({withSystem, ...}: { - flake.colmena = - lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) - { - meta.nixpkgs = import inputs.nixpkgs.outPath { - system = builtins.elemAt systems 0; - }; - } - # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import - # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 - (builtins.map - (nodeName: - import ./nix/os/devices/${nodeName} { - inherit nodeName; - repoFlake = self; - repoFlakeWithSystem = withSystem; - nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; - }) [ - "steveej-t14" - "steveej-x13s" - "steveej-x13s-rmvbl" - # "elias-e525" - # "justyna-p300" - - # "srv0-dmz0" - # "router0-dmz0" - "router0-ifog" - "router0-hosthatch" - - "sj-srv1" - - "hstk0" - ]); - - flake.lib = { - inherit withSystem; - }; - - # this makes nixos-anywhere work - flake.nixosConfigurations = let - colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; - router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; - in ( - colmenaHive - // { - router0-dmz0 = router0-dmz0.native; - - # for now deploy directly with: - # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 - router0-dmz0_cross = router0-dmz0.cross; - - steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross; - steveej-x13s-rmvbl_cross = (inputs.get-flake 
./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; - } - ); - - inherit systems; - - perSystem = { - self', - inputs', - system, - config, - lib, - pkgs, - ... - }: { - imports = [ - ./nix/modules/flake-parts/perSystem/default.nix - ]; - - packages = let - dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {}; - - craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; - - craneLib = - craneLibFn - inputs'.fenix.packages.stable.toolchain; - - craneLibOfiPass = - craneLibFn + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + in + flake-parts.lib.mkFlake { inherit inputs; } ( + { withSystem, ... }: + { + flake.colmena = + lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) + { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } + # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import + # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 ( - inputs'.fenix.packages.stable.toolchain - # .override { - # date = "1.60.0"; - # } + builtins.map + ( + nodeName: + import ./nix/os/devices/${nodeName} { + inherit nodeName; + repoFlake = self; + repoFlakeWithSystem = withSystem; + nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; + } + ) + [ + "steveej-t14" + "steveej-x13s" + "steveej-x13s-rmvbl" + # "elias-e525" + # "justyna-p300" + + # "srv0-dmz0" + # "router0-dmz0" + "router0-ifog" + "router0-hosthatch" + + "sj-srv1" + + "hstk0" + ] ); - in { - dcpj4110dwDriver = dcpj4110dw.driver; - dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - inherit (inputs'.colmena.packages) colmena; + flake.lib = { + inherit withSystem; - prs = - pkgs.callPackage - ({ - pkgs, - dbus, - glib, - gpgme, - gtk3, - libxcb, - libxkbcommon, - installShellFiles, - pkg-config, - python3, - }: - craneLib.buildPackage { - pname = "prs"; - version = inputs.prs.shortRev; - src = inputs.prs; - nativeBuildInputs = [gpgme 
installShellFiles pkg-config python3]; + treefmtEval = + pkgs: + let + settingsNix = { + # Used to find the project root + projectRootFile = ".git/config"; + programs.nixfmt.enable = true; + }; + in + inputs.treefmt-nix.lib.evalModule pkgs settingsNix; - buildInputs = [ - dbus - glib - gpgme - gtk3 - libxcb - libxkbcommon - ]; - - cargoExtraArgs = "--features backend-gpgme"; - - postInstall = '' - for shell in bash fish zsh; do - installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) - done - ''; - }) - {}; - - nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; - - ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' - set -x - pkill -9 wayland-proxy-v - export NIXOS_OZONE_WL="" - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=3 \ - & - # --x-unscale=3 \ - #--verbose \ - - export PROXYPID="$!" - - trap "kill -9 \$PROXYPID" EXIT - # trap "pkill -9 wayland-proxy-v" EXIT - - env \ - WAYLAND_DISPLAY=wayland-3 \ - DISPLAY=:3 \ - ledger-live-desktop - ''; - - syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' - ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 - ''; - - rperf = craneLib.buildPackage { - src = inputs.rperf; - nativeBuildInputs = [ - pkgs.pkg-config - ]; - buildInputs = [ - ]; - }; - - x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" {} '' - mkdir -p $out/lib/firmware/qca - cp -v ${self}/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw $out/lib/firmware/qca/hpnv21.bin - cp -v ${inputs.x13s-bt-firmware} $out/lib/firmware/qca//hpbtfw21.tlv - ''; - - x13s-ath11k-firmware = pkgs.runCommand "x13s-ath11k-firmware-before" {} '' - mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp 
-v ${inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - ''; + treefmtSettings = pkgs: (self.lib.treefmtEval pkgs).config.settings; }; - formatter = inputs.treefmt-nix.formatter.${system}; + # this makes nixos-anywhere work + flake.nixosConfigurations = + let + colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; + router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; + in + ( + colmenaHive + // { + router0-dmz0 = router0-dmz0.native; - devShells = let - all = import ./nix/devShells.nix { - inherit - self - self' - inputs' - pkgs - ; + # for now deploy directly with: + # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 + router0-dmz0_cross = router0-dmz0.cross; + + steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross; + steveej-x13s-rmvbl_cross = + (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; + } + ); + + inherit systems; + + perSystem = + { + self', + inputs', + system, + config, + lib, + pkgs, + ... 
+ }: + { + imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; + + packages = + let + dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { }; + + craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; + + craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; + + craneLibOfiPass = craneLibFn ( + inputs'.fenix.packages.stable.toolchain + # .override { + # date = "1.60.0"; + # } + ); + in + { + dcpj4110dwDriver = dcpj4110dw.driver; + dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; + + inherit (inputs'.colmena.packages) colmena; + + prs = pkgs.callPackage ( + { + pkgs, + dbus, + glib, + gpgme, + gtk3, + libxcb, + libxkbcommon, + installShellFiles, + pkg-config, + python3, + }: + craneLib.buildPackage { + pname = "prs"; + version = inputs.prs.shortRev; + src = inputs.prs; + nativeBuildInputs = [ + gpgme + installShellFiles + pkg-config + python3 + ]; + + buildInputs = [ + dbus + glib + gpgme + gtk3 + libxcb + libxkbcommon + ]; + + cargoExtraArgs = "--features backend-gpgme"; + + postInstall = '' + for shell in bash fish zsh; do + installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) + done + ''; + } + ) { }; + + nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; + + ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' + set -x + pkill -9 wayland-proxy-v + export NIXOS_OZONE_WL="" + ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ + --wayland-display=wayland-3 \ + --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ + --x-display=3 \ + & + # --x-unscale=3 \ + #--verbose \ + + export PROXYPID="$!" 
+ + trap "kill -9 \$PROXYPID" EXIT + # trap "pkill -9 wayland-proxy-v" EXIT + + env \ + WAYLAND_DISPLAY=wayland-3 \ + DISPLAY=:3 \ + ledger-live-desktop + ''; + + syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' + ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 + ''; + + rperf = craneLib.buildPackage { + src = inputs.rperf; + nativeBuildInputs = [ pkgs.pkg-config ]; + buildInputs = [ ]; + }; + + x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" { } '' + mkdir -p $out/lib/firmware/qca + cp -v ${self}/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw $out/lib/firmware/qca/hpnv21.bin + cp -v ${inputs.x13s-bt-firmware} $out/lib/firmware/qca//hpbtfw21.tlv + ''; + + x13s-ath11k-firmware = pkgs.runCommand "x13s-ath11k-firmware-before" { } '' + mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ + ''; + }; + + formatter = (self.lib.treefmtEval pkgs).config.build.wrapper; + + devShells = + let + all = import ./nix/devShells.nix { + inherit + self + self' + inputs' + pkgs + ; + }; + in + (all // { default = all.develop; }); }; - in (all // {default = all.develop;}); - }; - }); + } + ); } diff --git a/nix/container-images/default.nix b/nix/container-images/default.nix index 7dcab2a..67f516d 100644 --- a/nix/container-images/default.nix +++ b/nix/container-images/default.nix @@ -1,6 +1,10 @@ -{pkgs ? import {}}: let - baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; -in rec { +{ + pkgs ? import { }, +}: +let + baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; +in +rec { base = pkgs.dockerTools.buildImage rec { name = "base"; 
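Review bot: The new `nixago` input is declared only as `github:jmgilman/nixago` plus a nixpkgs follow, so it is pinned solely by flake.lock; the lock hunk in this commit shows what that pulls in — nixago-exts, two further nested nixago copies (one locked to the non-default branch `rename-config-data`) and five duplicate flake-utils entries — for a tool whose only use in this commit is rendering treefmt.toml in the devShell. That trade-off deserves a note next to the input, e.g. `# nixago: only used by the develop shellHook to render treefmt.toml; drags in nested nixago-exts/nixago inputs, see flake.lock`, and if the root flake already has a flake-utils input (not visible in this hunk) a `nixago.inputs.flake-utils.follows = "flake-utils";` line would collapse the duplicates. The `# Used to find the project root` comment on `treefmtEval` could also say that treefmt walks up to `.git/config`, so running the formatter outside a git checkout is unsupported. The top-level flake attrset enclosing `inputs` and `outputs` starts before this hunk.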
@@ -21,59 +25,70 @@ in rec { interactive_base = pkgs.dockerTools.buildImage { name = "interactive_base"; fromImage = base; - contents = with pkgs; [procps zsh coreutils neovim]; + contents = with pkgs; [ + procps + zsh + coreutils + neovim + ]; - config = {Cmd = ["/bin/zsh"];}; + config = { + Cmd = [ "/bin/zsh" ]; + }; }; - s3ql = let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} + s3ql = + let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} - if [ -z "$S3QL_BUCKET" ]; then - echo S3QL_BUCKET not set - exit 1 - fi + if [ -z "$S3QL_BUCKET" ]; then + echo S3QL_BUCKET not set + exit 1 + fi - if [ -z "$S3QL_STORAGE_URL" ]; then - echo S3QL_STORAGE_URL not set - exit 1 - fi + if [ -z "$S3QL_STORAGE_URL" ]; then + echo S3QL_STORAGE_URL not set + exit 1 + fi - if [ -z "$S3QL_CACHESIZE" ]; then - echo S3QL_CACHESIZE not set - exit 1 - fi + if [ -z "$S3QL_CACHESIZE" ]; then + echo S3QL_CACHESIZE not set + exit 1 + fi - set -x + set -x - if [ "$S3QL_SKIP_FSCK" != "1" ]; then - fsck.s3ql \ - --authfile $S3QL_AUTHINFO2 \ + if [ "$S3QL_SKIP_FSCK" != "1" ]; then + fsck.s3ql \ + --authfile $S3QL_AUTHINFO2 \ + --log none \ + --cachedir $S3QL_CACHE_DIR \ + $S3QL_STORAGE_URL + fi + + exec mount.s3ql \ + --cachedir "$S3QL_CACHE_DIR" \ + --authfile "$S3QL_AUTHINFO2" \ + --cachesize "$S3QL_CACHESIZE" \ + --fg \ + --compress lzma-6 \ + --threads 4 \ --log none \ - --cachedir $S3QL_CACHE_DIR \ - $S3QL_STORAGE_URL - fi + --allow-root \ + "$S3QL_STORAGE_URL" \ + /bucket - exec mount.s3ql \ - --cachedir "$S3QL_CACHE_DIR" \ - --authfile "$S3QL_AUTHINFO2" \ - --cachesize "$S3QL_CACHESIZE" \ - --fg \ - --compress lzma-6 \ - --threads 4 \ - --log none \ - --allow-root \ - "$S3QL_STORAGE_URL" \ - /bucket - - # FIXME: touch .isbucket after mount - ''; - in + # FIXME: touch .isbucket after mount + ''; + in pkgs.dockerTools.buildImage { name = "s3ql"; fromImage = interactive_base; - contents = [pkgs.s3ql pkgs.fuse]; + contents = [ + pkgs.s3ql + 
pkgs.fuse + ]; runAsRoot = '' #!${pkgs.stdenv.shell} 
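Review bot: In the s3ql entrypoint the `fsck.s3ql` invocation still passes `$S3QL_AUTHINFO2`, `$S3QL_CACHE_DIR` and `$S3QL_STORAGE_URL` unquoted, while the `mount.s3ql` call directly below quotes the same three variables, so a path or storage URL containing whitespace or glob characters is split differently by the two commands. Quote them the same way: `--authfile "$S3QL_AUTHINFO2" \`, `--cachedir "$S3QL_CACHE_DIR" \`, `"$S3QL_STORAGE_URL"`. The preflight guards check `S3QL_BUCKET`, which nothing in the visible script reads, but not `S3QL_CACHE_DIR` or `S3QL_AUTHINFO2`, which both commands depend on; adding the same `[ -z ... ]`/`exit 1` guards for those two fails fast instead of running fsck with an empty path. `set -x` precedes the fsck call, so the authfile path (not its contents) is echoed into the container log — presumably acceptable, but worth a comment. The `rec { … }` attrset enclosing these images starts before this hunk.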
@@ -84,57 +99,58 @@ in rec { ''; config = { - Env = - baseEnv - ++ [ - "HOME=/home/s3ql" - "S3QL_CACHE_DIR=/var/cache/s3ql" - "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" - "CONTAINER_ENTRYPOINT=${entrypoint}" - ]; - Cmd = [entrypoint]; + Env = baseEnv ++ [ + "HOME=/home/s3ql" + "S3QL_CACHE_DIR=/var/cache/s3ql" + "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" + "CONTAINER_ENTRYPOINT=${entrypoint}" + ]; + Cmd = [ entrypoint ]; Volumes = { - "/var/cache/s3ql" = {}; - "/etc/s3ql/authinfo2" = {}; - "/buckets" = {}; - "/tmp" = {}; + "/var/cache/s3ql" = { }; + "/etc/s3ql/authinfo2" = { }; + "/buckets" = { }; + "/tmp" = { }; }; }; }; - syncthing = let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} - set -x - if [ ! -e /data/.isbucket ]; then - echo ERROR: Bucket not mounted at /data - exit 1 - fi + syncthing = + let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} + set -x + if [ ! -e /data/.isbucket ]; then + echo ERROR: Bucket not mounted at /data + exit 1 + fi - if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then - echo ERROR: SYNCTHING_GUI_ADDRESS is not set - exit 1 - fi + if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then + echo ERROR: SYNCTHING_GUI_ADDRESS is not set + exit 1 + fi - if [ ! -w "$SYNCTHING_HOME" ]; then - echo ERROR : SYNCTHING_HOME is not writable - fi + if [ ! -w "$SYNCTHING_HOME" ]; then + echo ERROR : SYNCTHING_HOME is not writable + fi - exec syncthing \ - -home $SYNCTHING_HOME \ - -gui-address=$SYNCTHING_GUI_ADDRESS \ - -no-browser - ''; - in + exec syncthing \ + -home $SYNCTHING_HOME \ + -gui-address=$SYNCTHING_GUI_ADDRESS \ + -no-browser + ''; + in pkgs.dockerTools.buildImage { name = "syncthing"; fromImage = interactive_base; contents = pkgs.syncthing; config = { - Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"]; - Cmd = [entrypoint]; - Volumes = {"/data" = {};}; + Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; + Cmd = [ entrypoint ]; + Volumes = { + "/data" = { }; + }; }; }; } 
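Review bot: The `SYNCTHING_HOME` guard in the syncthing entrypoint only echoes `ERROR : SYNCTHING_HOME is not writable` and then falls through to `exec syncthing`, unlike the two guards above it which `exit 1`; syncthing starts against an unwritable home and the message is lost in the log. Add `exit 1` after the echo, and quote the variables on the exec line — `-home "$SYNCTHING_HOME" \` and `-gui-address="$SYNCTHING_GUI_ADDRESS" \` — to match the earlier `[ -w "$SYNCTHING_HOME" ]` test. The `rec { … }` attrset these images live in starts before the hunk.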
diff --git a/nix/default.nix b/nix/default.nix
index 888a4e9..f8947e0 100644
--- a/nix/default.nix
+++ b/nix/default.nix
@@ -1,26 +1,34 @@
-{versionsPath}: let
+{ versionsPath }:
+let
 channelVersions = import versionsPath;
- mkChannelSource = name: let
- channelVersion = builtins.getAttr name channelVersions;
- in
+ mkChannelSource =
+ name:
+ let
+ channelVersion = builtins.getAttr name channelVersions;
+ in
 builtins.fetchGit {
 # Descriptive name to make the store path easier to identify
 inherit name;
 inherit (channelVersion) url ref rev;
 };
- nixPath = builtins.concatStringsSep ":" (builtins.map
- (elemName: let
- elem = builtins.getAttr elemName channelVersions;
- elemPath = mkChannelSource elemName;
- suffix =
- if builtins.hasAttr "suffix" elem
- then elem.suffix
- else "";
- in
- builtins.concatStringsSep "=" [elemName elemPath] + suffix)
- (builtins.attrNames channelVersions));
- pkgs = import (mkChannelSource "nixpkgs") {};
-in {
+ nixPath = builtins.concatStringsSep ":" (
+ builtins.map (
+ elemName:
+ let
+ elem = builtins.getAttr elemName channelVersions;
+ elemPath = mkChannelSource elemName;
+ suffix = if builtins.hasAttr "suffix" elem then elem.suffix else "";
+ in
+ builtins.concatStringsSep "=" [
+ elemName
+ elemPath
+ ]
+ + suffix
+ ) (builtins.attrNames channelVersions)
+ );
+ pkgs = import (mkChannelSource "nixpkgs") { };
+in
+{
 inherit nixPath;
 channelSources = pkgs.writeText "channels.rc" ''
 export NIX_PATH=${nixPath}
diff --git a/nix/devShells.nix b/nix/devShells.nix
index 1358f30..232f59a 100644
--- a/nix/devShells.nix
+++ b/nix/devShells.nix
@@ -3,9 +3,11 @@
 self',
 inputs',
 pkgs,
-}: let
+}:
+let
 pkgsUnstable = inputs'.nixpkgs-unstable.legacyPackages;
-in {
+in
+{
 install = pkgs.mkShell {
 name = "infra-install";
 packages = with pkgs; [
@@ -20,11 +22,9 @@ in {
 
 develop = pkgs.mkShell {
 name = "infra-develop";
- inputsFrom = [
- self'.devShells.install
- ];
+ inputsFrom = [ self'.devShells.install ];
 packages = with pkgs; [
- self'.formatter
+ pkgs.treefmt
 inputs'.colmena.packages.colmena
 dconf2nix
 inputs'.nixos-anywhere.packages.nixos-anywhere
@@ -92,6 +92,15 @@ in {
 
 # Set Environment Variables
 RUST_BACKTRACE = 1;
- KANIDM_URL = self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
+ KANIDM_URL =
+ self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
+
+ shellHook =
+ (self.inputs.nixago.lib.${pkgs.stdenv.system}.make {
+ data = self.lib.treefmtSettings pkgs;
+ output = "treefmt.toml";
+ format = "toml";
+ }).shellHook;
+
 };
 }
diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix
index ac0914d..135dd22 100644
--- a/nix/home-manager/configuration/graphical-fullblown.nix
+++ b/nix/home-manager/configuration/graphical-fullblown.nix
@@ -7,11 +7,13 @@
 repoFlake,
 packages',
 ...
-}: let
+}:
+let
 pkgsUnstable =
 pkgs.pkgsUnstable
- or (import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config overlays;});
-in {
+ or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; });
+in
+{
 imports = [
 ../profiles/common.nix
 # ../profiles/dotfiles.nix
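Review bot: Replacing `self'.formatter` with `pkgs.treefmt` in the develop shell decouples the treefmt binary from the treefmt-nix evaluation that now produces its config: the old entry was the treefmt-nix wrapper, which carried the pinned formatter closure together with its settings, whereas `pkgs.treefmt` is whatever version nixpkgs ships and relies on the `treefmt.toml` rendered by the shellHook below. If treefmt-nix and the pinned nixpkgs disagree on the treefmt major version, the generated file will not be accepted by the binary on PATH. Using the package treefmt-nix itself evaluates, `(self.lib.treefmtEval pkgs).config.package`, keeps binary and config in lockstep; that option name is inferred from treefmt-nix's module, so confirm it against the locked revision.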
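Review bot: The new `shellHook` runs nixago's generator every time the develop shell is entered — with direnv, every `cd` into the checkout — and writes `treefmt.toml` into the repository root, yet nothing near the binding says so, and the rendered file embeds store paths from `treefmtSettings`, which is why this same commit git-ignores it. A comment above the binding, e.g. `# nixago renders treefmt.toml (contains store paths, hence git-ignored) into the repo root on every shell entry`, would spare the next reader a detour through flake.nix and .gitignore. What nixago does when a differing `treefmt.toml` already exists is not visible here; if it overwrites silently, a stray hand edit is lost on the next shell entry, so that behaviour is worth stating in the same comment.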
@@ -34,18 +36,18 @@ in { ../programs/libreoffice.nix ../programs/neovim.nix ../programs/vscode - { - home.packages = [ - pkgsUnstable.markdown-oxide - ]; - } + { home.packages = [ pkgsUnstable.markdown-oxide ]; } ]; home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.GOPATH = "$HOME/src/go"; - home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; + home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ + "$HOME/.local/bin" + "$PATH" + ]; - nixpkgs.config.allowInsecurePredicate = pkg: + nixpkgs.config.allowInsecurePredicate = + pkg: builtins.elem (lib.getName pkg) [ "electron-28.3.3" "electron-27.3.11" @@ -68,7 +70,7 @@ in { # ]; home.packages = - [] + [ ] ++ (with pkgs; [ # Authentication # cacert @@ -246,19 +248,15 @@ in { # libretro.snes9x2010 # retroarchFull - ( - pkgs.logseq.overrideAttrs ( - attrs: - lib.attrsets.recursiveUpdate - attrs - ( - lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { - src = repoFlake.inputs.logseq_0_10_9_aarch64_appimage; - meta.platforms = ["aarch64-linux"]; - } - ) + (pkgs.logseq.overrideAttrs ( + attrs: + lib.attrsets.recursiveUpdate attrs ( + lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { + src = repoFlake.inputs.logseq_0_10_9_aarch64_appimage; + meta.platforms = [ "aarch64-linux" ]; + } ) - ) + )) # ( # pkgsUnstable.callPackage (repoFlake + "/nix/pkgs/logseq") @@ -267,8 +265,7 @@ in { # }) # ) ]) - ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ - ]) + ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ]) ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ pkgsUnstable.ledger-live-desktop diff --git a/nix/home-manager/configuration/graphical-gnome3.nix b/nix/home-manager/configuration/graphical-gnome3.nix index 12e1948..320f102 100644 --- a/nix/home-manager/configuration/graphical-gnome3.nix +++ b/nix/home-manager/configuration/graphical-gnome3.nix 
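Review bot: `nixpkgs.config.allowInsecurePredicate` whitelists `electron-28.3.3` and `electron-27.3.11` — versions nixpkgs marks insecure — without a comment saying which package still needs them or when the exception can be retired, and the identical list is repeated in `nix/home-manager/profiles/common.nix` in this commit. Since this file already imports `../profiles/common.nix`, the copy here is redundant unless it is meant to diverge; keep one list and annotate each entry, e.g. `"electron-28.3.3" # TODO: which package pins this? drop once it builds on a supported electron`. The list continues past the end of this hunk.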
@@ -1,10 +1,7 @@ +{ pkgs, config, ... }: { - pkgs, - config, - ... -}: { home.packages = - [] + [ ] ++ (with pkgs; [ gnome.gnome-tweaks gnome.gnome-keyring diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index faac0d5..28dc3e2 100644 --- a/nix/home-manager/configuration/graphical-removable.nix +++ b/nix/home-manager/configuration/graphical-removable.nix @@ -1,8 +1,5 @@ +{ pkgs, config, ... }: { - pkgs, - config, - ... -}: { imports = [ ../profiles/common.nix ../profiles/qtile-desktop.nix @@ -17,7 +14,7 @@ ]; home.packages = - [] + [ ] ++ (with pkgs; [ # Nix package related tools patchelf diff --git a/nix/home-manager/lib.nix b/nix/home-manager/lib.nix index b731c1d..3a5c59e 100644 --- a/nix/home-manager/lib.nix +++ b/nix/home-manager/lib.nix @@ -1,14 +1,22 @@ -{}: let -in { - mkSimpleTrayService = {execStart}: { - Unit = { - Description = ""; - After = ["graphical-session-pre.target"]; - PartOf = ["graphical-session.target"]; +{ }: +let +in +{ + mkSimpleTrayService = + { execStart }: + { + Unit = { + Description = ""; + After = [ "graphical-session-pre.target" ]; + PartOf = [ "graphical-session.target" ]; + }; + + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = execStart; + }; }; - - Install = {WantedBy = ["graphical-session.target"];}; - - Service = {ExecStart = execStart;}; - }; } diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index d5b0c7e..9243634 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix @@ -1,8 +1,5 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: { home.stateVersion = lib.mkDefault "23.11"; # TODO: re-enable this with the appropriate version? @@ -15,7 +12,8 @@ allowUnfree = true; allowUnsupportedSystem = true; - allowInsecurePredicate = pkg: + allowInsecurePredicate = + pkg: builtins.elem (lib.getName pkg) [ "electron-28.3.3" "electron-27.3.11" 
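Review bot: `mkSimpleTrayService` hard-codes `Description = ""`, so every unit built with it shows an empty description in `systemctl --user status`; since the reformat already touches every line of the helper, this is a cheap moment to accept an optional argument, `{ execStart, description ? "" }:` with `Description = description;`, which keeps existing callers working. A one-line comment on the function — `# user-session systemd unit that starts after the graphical session and stops with it` — would also help, as the `After`/`PartOf`/`WantedBy` triple is the only thing the helper encodes. The whole file is inside this hunk.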
@@ -28,7 +26,8 @@ "electron" ]; - allowUnfreePredicate = pkg: + allowUnfreePredicate = + pkg: builtins.elem (lib.getName pkg) [ "obsidian" "vivaldi" @@ -57,7 +56,7 @@ programs.fzf.enable = true; home.packages = - [] + [ ] ++ (with pkgs; [ coreutils diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index 670ea75..066d0b7 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix @@ -5,21 +5,23 @@ repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", ... -}: let +}: +let repoBareLocal = pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } + '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; vcshActivationScript = pkgs.writeScript "activation-script" '' export HOST=$(hostname -s) @@ -39,7 +41,8 @@ set_remotes ${repoHttps} ${repoSsh} fi ''; -in { +in +{ # TODO: fix the dotfiles # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # $DRY_RUN_CMD ${vcshActivationScript} diff --git a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix index 84d629f..2a866f2 100644 --- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix +++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix 
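Review bot: `repoBareLocal` is a fixed-output derivation whose `outputHash` is the all-zero placeholder, so the `git clone --mirror` can never satisfy it and every build ends in a hash mismatch; a mirror of a moving repository has no stable hash in any case, which is presumably why the activation further down stays commented out behind `# TODO: fix the dotfiles`. Either pin the clone with `builtins.fetchGit { url = repoHttps; ref = …; rev = …; }`, the pattern `nix/default.nix` already uses, or, if the intent is an unpinned fetch at activation time, drop the derivation and have `vcsh clone` use `repoHttps` directly. The same block is duplicated in `profiles/dotfiles/vcsh.tmpl.nix`, so whichever fix is chosen belongs in both places. The `repoBareLocal` binding ends inside this hunk, but the activation script that consumes it continues past it.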
@@ -3,38 +3,40 @@ repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", ... -}: let +}: +let repoBareLocal = pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } + '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; in - pkgs.writeScript "activation-script" '' - export HOST=$(hostname -s) +pkgs.writeScript "activation-script" '' + export HOST=$(hostname -s) - function set_remotes { - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 - } + function set_remotes { + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 + } - if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then - echo Cloning dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles - set_remotes ${repoHttps} ${repoSsh} - else - set_remotes ${repoBareLocal} ${repoSsh} - echo Updating dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh pull $HOST || true - set_remotes ${repoHttps} ${repoSsh} - fi - '' + if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then + echo Cloning dotfiles for $HOST... 
+ ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles + set_remotes ${repoHttps} ${repoSsh} + else + set_remotes ${repoBareLocal} ${repoSsh} + echo Updating dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh pull $HOST || true + set_remotes ${repoHttps} ${repoSsh} + fi +'' diff --git a/nix/home-manager/profiles/experimental-desktop.nix b/nix/home-manager/profiles/experimental-desktop.nix index 13d87d7..404ed2a 100644 --- a/nix/home-manager/profiles/experimental-desktop.nix +++ b/nix/home-manager/profiles/experimental-desktop.nix @@ -5,12 +5,12 @@ nodeFlake, packages', ... -}: let - pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {}; -in { - imports = [ - ../profiles/wayland-desktop.nix - ]; +}: +let + pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath { }; +in +{ + imports = [ ../profiles/wayland-desktop.nix ]; home.packages = [ # experimental WMs diff --git a/nix/home-manager/profiles/gnome-desktop.nix b/nix/home-manager/profiles/gnome-desktop.nix index b803ea5..b8435ba 100644 --- a/nix/home-manager/profiles/gnome-desktop.nix +++ b/nix/home-manager/profiles/gnome-desktop.nix @@ -3,11 +3,11 @@ config, lib, ... -}: let -in { - imports = [ - ../profiles/wayland-desktop.nix - ]; +}: +let +in +{ + imports = [ ../profiles/wayland-desktop.nix ]; services = { gnome-keyring.enable = false; 
@@ -25,85 +25,83 @@ in { services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; - dconf.settings = let - manualKeybindings = [ - { - binding = "Print"; - command = "flameshot gui"; - name = "flameshot"; - } + dconf.settings = + let + manualKeybindings = [ + { + binding = "Print"; + command = "flameshot gui"; + name = "flameshot"; + } - { - binding = "t"; - command = "alacritty"; - name = "alacritty"; - } - ]; + { + binding = "t"; + command = "alacritty"; + name = "alacritty"; + } + ]; - numWorkspaces = 10; - customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; - customKeybindingsNames = - builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") - ( - (builtins.length manualKeybindings) - + numWorkspaces # for sending to the workspace + numWorkspaces = 10; + customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; + customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( + (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace ); - workspacesKeyBindingsOffset = builtins.length manualKeybindings; + workspacesKeyBindingsOffset = builtins.length manualKeybindings; - # with this we can make use of all number keys [0-9] - mapToNumber = i: - if i < 10 - then i - else if i == 10 - then 0 - else throw "i exceeds 10: ${i}"; - in + # with this we can make use of all number keys [0-9] + mapToNumber = + i: + if i < 10 then + i + else if i == 10 then + 0 + else + throw "i exceeds 10: ${i}"; + in { "org/gnome/settings-daemon/plugins/media-keys" = { custom-keybindings = customKeybindingsNames; screenreader = "@as []"; - screensaver = ["l"]; + screensaver = [ "l" ]; }; # disable the builtin [1-9] functionality - "org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList - (i: { - name = "switch-to-application-${toString (i + 1)}"; - value = []; - }) - numWorkspaces) + "org/gnome/shell/keybindings" = 
builtins.listToAttrs ( + (builtins.genList (i: { + name = "switch-to-application-${toString (i + 1)}"; + value = [ ]; + }) numWorkspaces) ++ [ { name = "toggle-overview"; - value = []; + value = [ ]; } - ]); + ] + ); # remap it to switching to the workspaces - "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList - (i: { + "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( + builtins.genList (i: { name = "switch-to-workspace-${toString (i + 1)}"; - value = [ - "${toString (mapToNumber (i + 1))}" - ]; - }) - numWorkspaces); + value = [ "${toString (mapToNumber (i + 1))}" ]; + }) numWorkspaces + ); } - // builtins.listToAttrs (builtins.genList - (i: { + // builtins.listToAttrs ( + builtins.genList (i: { name = "${customKeybindingBaseName}${toString i}"; value = builtins.elemAt manualKeybindings i; - }) - (builtins.length manualKeybindings)) - // builtins.listToAttrs (builtins.genList - (i: { + }) (builtins.length manualKeybindings) + ) + // builtins.listToAttrs ( + builtins.genList (i: { name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; value = { binding = "${toString (mapToNumber (i + 1))}"; command = "wmctrl -r :ACTIVE: -t ${toString i}"; name = "Send to workspace ${toString (i + 1)}"; }; - }) - numWorkspaces); + }) numWorkspaces + ); } diff --git a/nix/home-manager/profiles/nix-channels.nix b/nix/home-manager/profiles/nix-channels.nix index 68f21c7..226e624 100644 --- a/nix/home-manager/profiles/nix-channels.nix +++ b/nix/home-manager/profiles/nix-channels.nix 
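Review bot: `mapToNumber`'s error branch interpolates the integer directly, `throw "i exceeds 10: ${i}"`, and Nix does not coerce an integer into a string, so an out-of-range index would fail with a coercion error instead of the intended message; change it to `throw "i exceeds 10: ${toString i}";`. This is latent today because `numWorkspaces = 10` only ever produces arguments 1..10, and it is identical on both sides of this formatting-only hunk. The whole `dconf.settings` definition is within the hunk.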
@@ -1,28 +1,24 @@ +{ pkgs, config, ... }: +let +in { - pkgs, - config, - ... -}: let -in { home.file.".nix-channels".text = ""; - home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' - $DRY_RUN_CMD ${ - pkgs.writeScript "activation-script" '' - set -ex - if test -f $HOME/.nix-channels; then - echo Uninstalling available channels... - if test -f $HOME/.nix-channel; then - while read url channel; do - nix-channel --remove $channel - done < $HOME/.nix-channel - fi - echo Moving existing file away... - touch $HOME/.nix-channels.dummy - mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels - rm $HOME/.nix-channels + home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] '' + $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' + set -ex + if test -f $HOME/.nix-channels; then + echo Uninstalling available channels... + if test -f $HOME/.nix-channel; then + while read url channel; do + nix-channel --remove $channel + done < $HOME/.nix-channel fi - '' - }; + echo Moving existing file away... + touch $HOME/.nix-channels.dummy + mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels + rm $HOME/.nix-channels + fi + ''}; ''; } diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index da12f62..759aaa4 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -1,14 +1,15 @@ -{ - pkgs, - config, - ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +{ pkgs, config, ... }: +let + inherit (import ../lib.nix { }) mkSimpleTrayService; audio = pkgs.writeShellScript "audio" '' export PATH=${ with pkgs; - lib.makeBinPath [pulseaudio findutils gnugrep] + lib.makeBinPath [ + pulseaudio + findutils + gnugrep + ] }:$PATH export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute 
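Review bot: The activation script in `removeExistingNixChannels` guards on `$HOME/.nix-channels` (plural) but then reads the channel list from `$HOME/.nix-channel` (singular) in both the inner `test -f` and the `done <` redirect, so unless a separate singular file is intentionally consulted the inner loop never runs and no channel is removed before the file is moved away. The two references should read `if test -f $HOME/.nix-channels; then` and `done < $HOME/.nix-channels`, matching the file this module manages via `home.file.".nix-channels"`. The hunk is whitespace-only here; the defect pre-exists the commit.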
@@ -33,7 +34,7 @@ terminalCommand = "${pkgs.alacritty}/bin/alacritty"; dpmsScript = pkgs.writeShellScript "dpmsScript" '' - export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH set -xe @@ -56,7 +57,7 @@ ''; screenLockCommand = pkgs.writeShellScript "screenLock" '' - export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH revert() { ${dpmsScript} default @@ -251,7 +252,8 @@ def print_new_window(window): print("new window: ", window) ''; -in { +in +{ services = { gnome-keyring.enable = true; blueman-applet.enable = true; diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix index 8cfe85a..0fefe08 100644 --- a/nix/home-manager/profiles/sway-desktop.nix +++ b/nix/home-manager/profiles/sway-desktop.nix 
@@ -1,19 +1,19 @@ /* -TODO: create helper scripts for sharing of a screen portion -``` + TODO: create helper scripts for sharing of a screen portion + ``` -# this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged. -swaymsg create_output + # this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged. + swaymsg create_output -# find the name and the workspace number -swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' + # find the name and the workspace number + swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' -swaymsg output HEADLESS-1 mode 1920@108060Hz + swaymsg output HEADLESS-1 mode 1920@108060Hz -# mirror the headless workspace on the current one -nix run nixpkgs\#wl-mirror -- HEADLESS-1 + # mirror the headless workspace on the current one + nix run nixpkgs\#wl-mirror -- HEADLESS-1 -# shift windows to the workspace and switch the focus to it + # shift windows to the workspace and switch the focus to it */ { pkgs, @@ -22,14 +22,16 @@ nix run nixpkgs\#wl-mirror -- HEADLESS-1 # packages', repoFlakeInputs', ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +}: +let + inherit (import ../lib.nix { }) mkSimpleTrayService; lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; -in { +in +{ imports = [ ../profiles/wayland-desktop.nix ../programs/waybar.nix 
@@ -98,112 +100,121 @@ in { systemd.enable = true; xwayland = false; - config = let - modifier = "Mod4"; - inherit (config.wayland.windowManager.sway.config) left right up down; - in { - inherit modifier; - bars = []; + config = + let + modifier = "Mod4"; + inherit (config.wayland.windowManager.sway.config) + left + right + up + down + ; + in + { + inherit modifier; + bars = [ ]; - input = { - "type:keyboard" = - { - xkb_layout = config.home.keyboard.layout; - xkb_variant = config.home.keyboard.variant; - } - // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) { - xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + input = { + "type:keyboard" = + { + xkb_layout = config.home.keyboard.layout; + xkb_variant = config.home.keyboard.variant; + } + // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { + xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + }; + + "type:touchpad" = { + natural_scroll = "enabled"; }; - "type:touchpad" = { - natural_scroll = "enabled"; + # alternatively run this command + # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" + # and then switch to a different VT (alt+ctrl+f2) and back + "1386:914:Wacom_Intuos_Pro_S_Pen" = { + tool_mode = "* relative"; + }; }; - # alternatively run this command - # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" - # and then switch to a different VT (alt+ctrl+f2) and back - "1386:914:Wacom_Intuos_Pro_S_Pen" = { - tool_mode = "* relative"; + keybindings = lib.mkOptionDefault { + # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi + # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; + "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; + + # only 1-9 exist on the default config + "${modifier}+0" = "workspace number 0"; + "${modifier}+Shift+0" = "move container to workspace number 0"; + + # disable 
splitting for now as i sometimes trigger it accidentally and then get stuck with it + "${modifier}+b" = "nop"; + "${modifier}+v" = "nop"; + + # move workspace to output + "${modifier}+Control+Shift+${left}" = "move workspace to output left"; + "${modifier}+Control+Shift+${right}" = "move workspace to output right"; + "${modifier}+Control+Shift+${up}" = "move workspace to output up"; + "${modifier}+Control+Shift+${down}" = "move workspace to output down"; + # move workspace to output with arrow keys + "${modifier}+Control+Shift+Left" = "move workspace to output left"; + "${modifier}+Control+Shift+Right" = "move workspace to output right"; + "${modifier}+Control+Shift+Up" = "move workspace to output up"; + "${modifier}+Control+Shift+Down" = "move workspace to output down"; + + # TODO: i've been hitting this one accidentally way too often. find a better place. + # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; + "${modifier}+q" = "kill"; + "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; + + "${modifier}+x" = "exec ${swapOutputWorkspaces}"; + + "${modifier}+Ctrl+l" = "exec ${lockCmd}"; + + "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; + "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; + "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; + + "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; + "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; + "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; + + "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; }; + + terminal = "alacritty"; + startup = + [ + { + command = builtins.toString ( + pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + 
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target + ) & + '' + ); + } + ] + ++ lib.optionals config.services.swayidle.enable [ + { + command = builtins.toString ( + pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart swayidle + ) & + '' + ); + } + ]; + + colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; }; + + window.titlebar = false; + window.border = 4; + + # this maps to focus_on_window_activation + focus.newWindow = "urgent"; }; - - keybindings = lib.mkOptionDefault { - # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi - # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; - "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; - - # only 1-9 exist on the default config - "${modifier}+0" = "workspace number 0"; - "${modifier}+Shift+0" = "move container to workspace number 0"; - - # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it - "${modifier}+b" = "nop"; - "${modifier}+v" = "nop"; - - # move workspace to output - "${modifier}+Control+Shift+${left}" = "move workspace to output left"; - "${modifier}+Control+Shift+${right}" = "move workspace to output right"; - "${modifier}+Control+Shift+${up}" = "move workspace to output up"; - "${modifier}+Control+Shift+${down}" = "move workspace to output down"; - # move workspace to output with arrow keys - "${modifier}+Control+Shift+Left" = "move workspace to output left"; - "${modifier}+Control+Shift+Right" = "move workspace to output right"; - "${modifier}+Control+Shift+Up" = "move workspace to output up"; - "${modifier}+Control+Shift+Down" = "move workspace to output down"; - - # TODO: i've been hitting this one accidentally way too often. find a better place. 
- # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; - "${modifier}+q" = "kill"; - "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; - - "${modifier}+x" = "exec ${swapOutputWorkspaces}"; - - "${modifier}+Ctrl+l" = "exec ${lockCmd}"; - - "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; - "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; - "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; - - "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; - "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; - "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; - - "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; - }; - - terminal = "alacritty"; - startup = - [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target - ) & - ''); - } - ] - ++ lib.optionals config.services.swayidle.enable [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart swayidle - ) & - ''); - } - ]; - - colors.focused = lib.mkOptionDefault { - childBorder = lib.mkForce "#ffa500"; - }; - - window.titlebar = false; - window.border = 4; - - # this maps to focus_on_window_activation - focus.newWindow = "urgent"; - }; }; services.swayidle = { diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix index 73fc23a..9117de7 100644 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ b/nix/home-manager/profiles/wayland-desktop.nix 
@@ -5,12 +5,14 @@ repoFlake, nodeFlake, ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +}: +let + inherit (import ../lib.nix { }) mkSimpleTrayService; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; wayprompt = nixpkgs-wayland'.wayprompt; -in { +in +{ fonts.fontconfig.enable = true; # services.gpg-agent.pinentryFlavor = lib.mkForce null; @@ -26,11 +28,12 @@ in { systemd.user.targets.tray = { Unit = { Description = "Home Manager System Tray"; - Requires = ["graphical-session-pre.target"]; + Requires = [ "graphical-session-pre.target" ]; }; }; - home.packages = with pkgs; + home.packages = + with pkgs; [ # required by network-manager-applet networkmanagerapplet @@ -62,11 +65,9 @@ in { waypipe ] - ++ ( - lib.lists.optionals (!pkgs.stdenv.isAarch64) + ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) # TODO: broken on aarch64 - [ - ] + [ ] ); home.sessionVariables = { diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index 712eb42..8d12110 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix @@ -3,14 +3,15 @@ lib, pkgs, ... -}: let +}: +let extensions = [ #undetectable adblocker - {id = "gcfcpohokifjldeandkfjoboemihipmb";} + { id = "gcfcpohokifjldeandkfjoboemihipmb"; } # ublock origin - {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} + { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # # YT ad block # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} 
@@ -19,15 +20,15 @@ # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} # Cookie Notice Blocker - {id = "odhmfmnoejhihkmfebnolljiibpnednn";} + { id = "odhmfmnoejhihkmfebnolljiibpnednn"; } # i don't care about cookies - {id = "fihnjjcciajhdojfnbdddfaoknhalnja";} + { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } # NopeCHA - {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";} + { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } # h264ify - {id = "aleakchihdccplidncghkekgioiakgal";} + { id = "aleakchihdccplidncghkekgioiakgal"; } # clippy # {id = "honbeilkanbghjimjoniipnnehlmhggk"} @@ -38,31 +39,32 @@ } # cookie autodelete - {id = "fhcgjolkccmbidfldomjliifgaodjagh";} + { id = "fhcgjolkccmbidfldomjliifgaodjagh"; } # unhook - {id = "khncfooichmfjbepaaaebmommgaepoid";} + { id = "khncfooichmfjbepaaaebmommgaepoid"; } ] ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ # polkadotjs - {id = "mopnmbcafieddcagagdcbnhejhlodfdd";} + { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; } # rabby wallet - {id = "acmacodkjbdgmoleebolmdjonilkdbch";} + { id = "acmacodkjbdgmoleebolmdjonilkdbch"; } # phantom wallet - {id = "bfnaelmomeimhlpmgjnjophhpkkoljpa";} + { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; } # Vimium C - {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";} + { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } # always right - {id = "npjpaghfnndnnmjiliibnkmdfgbojokj";} + { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; } # shazam music - {id = "mmioliijnhnoblpgimnlajmefafdfilb";} + { id = "mmioliijnhnoblpgimnlajmefafdfilb"; } ]); -in { +in +{ programs.chromium = { enable = true; inherit extensions; @@ -72,9 +74,7 @@ in { programs.brave = { # TODO: enable this on aarch64-linux - enable = - true - && !pkgs.stdenv.targetPlatform.isAarch64; + enable = true && !pkgs.stdenv.targetPlatform.isAarch64; inherit extensions; }; } diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix index 86d6371..38522b4 100644 --- a/nix/home-manager/programs/espanso.nix 
+++ b/nix/home-manager/programs/espanso.nix @@ -1,8 +1,5 @@ +{ pkgs, repoFlake, ... }: { - pkgs, - repoFlake, - ... -}: { services.espanso = { package = pkgs.espanso-wayland; # package = pkgs.espanso-wayland.overrideAttrs (_: { 
@@ -24,64 +21,62 @@ # backend = "Clipboard"; }; }; - matches = let - playerctl = '' - ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; - in { - default = { - matches = [ - { - trigger = ":vpos"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeScript "espanso" '' - #! ${pkgs.python3}/bin/python - import subprocess, os, math, datetime + matches = + let + playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; + in + { + default = { + matches = [ + { + trigger = ":vpos"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeScript "espanso" '' + #! ${pkgs.python3}/bin/python + import subprocess, os, math, datetime - id=str(os.getuid()) - result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) - result.check_returncode() + id=str(os.getuid()) + result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) + result.check_returncode() - position_secs = math.trunc(float(result.stdout)) - position_human = datetime.timedelta(seconds=position_secs) - print("%s - %s" % (position_human, position_secs)) - '') - ]; - }; - } - ]; - } - { - trigger = ":vtit"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeShellScript "espanso" - "${playerctl} metadata title") - ]; - }; - } - ]; - } - { - trigger = ":dunno"; - replace = "¯\\_(ツ)_/¯"; - } - { - trigger = ":shrug"; - replace = "¯\\_(ツ)_/¯"; - } - ]; + position_secs = math.trunc(float(result.stdout)) + position_human = 
datetime.timedelta(seconds=position_secs) + print("%s - %s" % (position_human, position_secs)) + '') + ]; + }; + } + ]; + } + { + trigger = ":vtit"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ]; + }; + } + ]; + } + { + trigger = ":dunno"; + replace = "¯\\_(ツ)_/¯"; + } + { + trigger = ":shrug"; + replace = "¯\\_(ツ)_/¯"; + } + ]; + }; }; - }; }; } diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix index 993cbc4..d07f3aa 100644 --- a/nix/home-manager/programs/firefox.nix +++ b/nix/home-manager/programs/firefox.nix @@ -1,5 +1,8 @@ -{pkgs, ...}: { - programs.librewolf = {enable = false;}; +{ pkgs, ... }: +{ + programs.librewolf = { + enable = false; + }; programs.firefox = { enable = true; package = pkgs.firefox-esr-128; diff --git a/nix/home-manager/programs/gpg-agent.nix b/nix/home-manager/programs/gpg-agent.nix index 069c7ca..ac35d80 100644 --- a/nix/home-manager/programs/gpg-agent.nix +++ b/nix/home-manager/programs/gpg-agent.nix @@ -3,10 +3,9 @@ pkgs, config, ... -}: { - home.packages = [ - pkgs.gcr - ]; +}: +{ + home.packages = [ pkgs.gcr ]; programs.gpg.enable = true; services.gpg-agent = { diff --git a/nix/home-manager/programs/homeshick.nix b/nix/home-manager/programs/homeshick.nix index cbd4964..c12cf00 100644 --- a/nix/home-manager/programs/homeshick.nix +++ b/nix/home-manager/programs/homeshick.nix 
@@ -1,32 +1,28 @@ +{ pkgs, config, ... }: +let +in +# TODO: clean up the impurity in here { - pkgs, - config, - ... -}: let - # TODO: clean up the impurity in here -in { home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; - home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] '' - $DRY_RUN_CMD ${ - pkgs.writeScript "activation-script" '' - set -e - echo home-manager path is ${config.home.path} - echo home is $HOME + home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] '' + $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' + set -e + echo home-manager path is ${config.home.path} + echo home is $HOME - source ${pkgs.homeshick}/homeshick.sh - type homeshick + source ${pkgs.homeshick}/homeshick.sh + type homeshick - # echo Updating homeshick - # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick - # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick - '' - }; + # echo Updating homeshick + # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick + # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick + ''}; ''; nixpkgs.config = { - packageOverrides = pkgs: - with pkgs; { + packageOverrides = + pkgs: with pkgs; { homeshick = builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; diff --git a/nix/home-manager/programs/libreoffice.nix b/nix/home-manager/programs/libreoffice.nix index 17d0a24..1e846d4 100644 --- a/nix/home-manager/programs/libreoffice.nix +++ b/nix/home-manager/programs/libreoffice.nix @@ -1,3 +1,4 @@ -{pkgs, ...}: { - home.packages = [pkgs.libreoffice]; +{ pkgs, ... }: +{ + home.packages = [ pkgs.libreoffice ]; } diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix index be7e02b..f8a3655 100644 --- a/nix/home-manager/programs/neovim.nix +++ b/nix/home-manager/programs/neovim.nix 
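Review bot: `homeshick.sh` obtained through the `packageOverrides` `builtins.fetchGit` is `source`d into the activation script, so whatever that fetch returns runs with the user's privileges at activation; the visible attributes are only `url` and `ref = "master"`, and the attrset continues past the end of the hunk, so if no `rev` is pinned in the lines that follow, the sourced code is unpinned and can change between evaluations — presumably the impurity the relocated `# TODO: clean up the impurity in here` refers to. Pinning `rev` to a reviewed commit, or keeping the nixpkgs `homeshick` package that this override replaces if it is adequate, would make the sourced script reproducible. The hunk itself is formatting-only.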
@@ -3,10 +3,9 @@ pkgs, lib, ... -}: { - imports = [ - repoFlake.inputs.nixvim.homeManagerModules.nixvim - ]; +}: +{ + imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; programs.nixvim = { enable = true; @@ -14,7 +13,7 @@ vimdiffAlias = true; vimAlias = true; - extraPython3Packages = ps: with ps; []; + extraPython3Packages = ps: with ps; [ ]; # extraConfigVim = builtins.readFile ./neovim/vimrc; diff --git a/nix/home-manager/programs/obs-studio.nix b/nix/home-manager/programs/obs-studio.nix index b053e24..d99747d 100644 --- a/nix/home-manager/programs/obs-studio.nix +++ b/nix/home-manager/programs/obs-studio.nix @@ -1,21 +1,25 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: { programs.obs-studio = { enable = true; plugins = - builtins.map (plugin: (plugin.overrideAttrs (attrs: { - meta = lib.mkMerge [ - {inherit (attrs) meta;} - {meta.platforms = [pkgs.stdenv.system];} - ]; - }))) - (with pkgs.obs-studio-plugins; [ - # wlrobs - obs-backgroundremoval - obs-pipewire-audio-capture - ]); + builtins.map + ( + plugin: + (plugin.overrideAttrs (attrs: { + meta = lib.mkMerge [ + { inherit (attrs) meta; } + { meta.platforms = [ pkgs.stdenv.system ]; } + ]; + })) + ) + ( + with pkgs.obs-studio-plugins; + [ + # wlrobs + obs-backgroundremoval + obs-pipewire-audio-capture + ] + ); }; } diff --git a/nix/home-manager/programs/openvscode-server.nix b/nix/home-manager/programs/openvscode-server.nix index 6e74406..8341600 100644 --- a/nix/home-manager/programs/openvscode-server.nix +++ b/nix/home-manager/programs/openvscode-server.nix 
@@ -3,10 +3,12 @@ nodeFlake, repoFlake, ... -}: let - pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;}; - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;}; -in { +}: +let + pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; }; + pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; +in +{ home.packages = [ pkgs.nil pkgs.nixd @@ -20,20 +22,22 @@ in { # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/ /* - e.g.: - ``` - ( - set -e - export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') - ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" - ) - ``` + e.g.: + ``` + ( + set -e + export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') + ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" + ) + ``` */ (pkgsVscodium.openvscode-server.overrideAttrs (attrs: { src = repoFlake.inputs.openvscode-server; version = "1.94.2"; - yarnCache = attrs.yarnCache.overrideAttrs (_: {outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";}); + yarnCache = attrs.yarnCache.overrideAttrs (_: { + outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt="; + }); })) pkgs.waypipe diff --git a/nix/home-manager/programs/pass.nix b/nix/home-manager/programs/pass.nix index 2d533c9..056d08d 100644 --- a/nix/home-manager/programs/pass.nix +++ b/nix/home-manager/programs/pass.nix 
@@ -1,8 +1,5 @@ +{ repoFlake, pkgs, ... }: { - repoFlake, - pkgs, - ... -}: { # required by pass-otp # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix index 207b9e6..be31268 100644 --- a/nix/home-manager/programs/radicale.nix +++ b/nix/home-manager/programs/radicale.nix @@ -4,7 +4,8 @@ pkgs, osConfig, ... -}: let +}: +let libdecsync = pkgs.python3Packages.buildPythonPackage rec { pname = "libdecsync"; version = "2.2.1"; 
@@ -38,50 +39,51 @@ # pkgs.libxcrypt ]; - propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; + propagatedBuildInputs = [ + libdecsync + pkgs.python3Packages.setuptools + ]; }; radicale-decsync = pkgs.radicale.overrideAttrs (old: { - propagatedBuildInputs = - old.propagatedBuildInputs - ++ [radicale-storage-decsync]; + propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; }); - mkRadicaleService = { - suffix, - port, - }: let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} + mkRadicaleService = + { suffix, port }: + let + radicale-config = pkgs.writeText "radicale-config-${suffix}" '' + [server] + hosts = localhost:${builtins.toString port} - [auth] - type = htpasswd - htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt + [auth] + type = htpasswd + htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} + htpasswd_encryption = bcrypt - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} - ''; - in { - systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} + ''; + in + { + systemd.user.services."radicale-${suffix}" = { + Unit.Description = "Radicale with DecSync (${suffix})"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart = "on-failure"; + }; + Install.WantedBy = [ "default.target" ]; }; - Install.WantedBy = ["default.target"]; }; - }; in - builtins.foldl' (sum: cur: 
lib.recursiveUpdate sum (mkRadicaleService cur)) {} [ - { - suffix = "personal"; - port = 5232; - } - { - suffix = "family"; - port = 5233; - } - ] +builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 5233; + } +] diff --git a/nix/home-manager/programs/redshift.nix b/nix/home-manager/programs/redshift.nix index 6fb73d0..474b650 100644 --- a/nix/home-manager/programs/redshift.nix +++ b/nix/home-manager/programs/redshift.nix @@ -1,10 +1,8 @@ -{ - pkgs, - config, - ... -}: let +{ pkgs, config, ... }: +let passwords = import ../../variables/passwords.crypt.nix; -in { +in +{ services.gammastep = { enable = true; provider = "manual"; diff --git a/nix/home-manager/programs/salut.nix b/nix/home-manager/programs/salut.nix index 6a2894d..c23032e 100644 --- a/nix/home-manager/programs/salut.nix +++ b/nix/home-manager/programs/salut.nix @@ -8,11 +8,10 @@ # useful testing command: # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done let - inherit (import ../lib.nix {}) mkSimpleTrayService; -in { - home.packages = [ - packages'.salut - ]; + inherit (import ../lib.nix { }) mkSimpleTrayService; +in +{ + home.packages = [ packages'.salut ]; xdg.configFile."salut/config.ini" = { enable = true; @@ -34,7 +33,5 @@ in { onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; }; - systemd.user.services.salut = mkSimpleTrayService { - execStart = "${packages'.salut}/bin/salut"; - }; + systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; } diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index 1318aaf..5380200 100644 --- a/nix/home-manager/programs/vscode/default.nix +++ b/nix/home-manager/programs/vscode/default.nix 
@@ -3,9 +3,11 @@ nodeFlake, repoFlake, ... -}: let - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;}; -in { +}: +let + pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; +in +{ programs.vscode = { enable = true; package = pkgsVscodium.vscodium; @@ -18,7 +20,8 @@ in { # sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2"; # }) ] - ++ (with pkgsVscodium.vscode-extensions; + ++ ( + with pkgsVscodium.vscode-extensions; [ eamodio.gitlens mkhl.direnv @@ -43,31 +46,35 @@ in { # TODO: not compatible with vscodium # ms-vscode-remote.remote-ssh ] - ++ (let - extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; - in ( - with extensions.vscode-marketplace; - with extensions.vscode-marketplace-release; [ - tamasfe.even-better-toml + ++ ( + let + extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; + in + ( + with extensions.vscode-marketplace; + with extensions.vscode-marketplace-release; + [ + tamasfe.even-better-toml - serayuzgur.crates - rust-lang.rust-analyzer - swellaby.vscode-rust-test-adapter + serayuzgur.crates + rust-lang.rust-analyzer + swellaby.vscode-rust-test-adapter - golang.go - jeff-hykin.better-go-syntax + golang.go + jeff-hykin.better-go-syntax - ibecker.treefmt-vscode - ] - ))) + ibecker.treefmt-vscode + ] + ) + ) + ) ++ [ - (pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace - { - name = "markdown-oxide"; - publisher = "felixzeller"; - version = "1.1.0"; - sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3"; - }) + (pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace { + name = "markdown-oxide"; + publisher = "felixzeller"; + version = "1.1.0"; + sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3"; + }) ]; mutableExtensionsDir = true; }; @@ -151,4 +158,3 @@ in { # xyz.plsql-language # yzane.markdown-pdf # zxh404.vscode-proto3 - 
diff --git a/nix/home-manager/programs/vscode/nix4vscode/default.nix b/nix/home-manager/programs/vscode/nix4vscode/default.nix index 5cc0669..14bacca 100644 --- a/nix/home-manager/programs/vscode/nix4vscode/default.nix +++ b/nix/home-manager/programs/vscode/nix4vscode/default.nix @@ -1,12 +1,17 @@ -{ - pkgs, - lib, -}: let - inherit (pkgs.stdenv) isDarwin isLinux isi686 isx86_64 isAarch32 isAarch64; +{ pkgs, lib }: +let + inherit (pkgs.stdenv) + isDarwin + isLinux + isi686 + isx86_64 + isAarch32 + isAarch64 + ; vscode-utils = pkgs.vscode-utils; merge = lib.attrsets.recursiveUpdate; in - merge +merge (merge (merge (merge 
@@ -18,39 +23,50 @@ in sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3"; }; } - (lib.attrsets.optionalAttrs (isLinux && (isi686 || isx86_64)) { + ( + lib.attrsets.optionalAttrs (isLinux && (isi686 || isx86_64)) { + "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { + name = "treefmt-vscode"; + publisher = "ibecker"; + version = "2.1.0"; + sha256 = "1r17wjpw8xiha5r9h3146facxghpcp416zf8551sw93cmam9ky6j"; + arch = "linux-x64"; + }; + } + ) + ) + ( + lib.attrsets.optionalAttrs (isLinux && (isAarch32 || isAarch64)) { "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { name = "treefmt-vscode"; publisher = "ibecker"; version = "2.1.0"; - sha256 = "1r17wjpw8xiha5r9h3146facxghpcp416zf8551sw93cmam9ky6j"; - arch = "linux-x64"; + sha256 = "0swvl7fkjcwp43grnrhnmy60a5m3hfwawk204byi8hhbczy131li"; + arch = "linux-arm64"; }; - })) - (lib.attrsets.optionalAttrs (isLinux && (isAarch32 || isAarch64)) { + } + ) + ) + ( + lib.attrsets.optionalAttrs (isDarwin && (isi686 || isx86_64)) { "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { name = "treefmt-vscode"; publisher = "ibecker"; version = "2.1.0"; - sha256 = "0swvl7fkjcwp43grnrhnmy60a5m3hfwawk204byi8hhbczy131li"; - arch = "linux-arm64"; + sha256 = "1swq9hy6a9nzkrn07j21g59pyk2m7aqsfi1pphl9l9y8p4zwiaqm"; + arch = "darwin-x64"; }; - })) - (lib.attrsets.optionalAttrs (isDarwin && (isi686 || isx86_64)) { + } + ) + ) + ( + lib.attrsets.optionalAttrs (isDarwin && (isAarch32 || isAarch64)) { "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { name = "treefmt-vscode"; publisher = "ibecker"; version = "2.1.0"; - sha256 = "1swq9hy6a9nzkrn07j21g59pyk2m7aqsfi1pphl9l9y8p4zwiaqm"; - arch = "darwin-x64"; + sha256 = "1xg3wnn3f1kvsz5a09l0cjpzfm3l9va73cahbvl14mx3n6734r2m"; + arch = "darwin-arm64"; }; - })) - (lib.attrsets.optionalAttrs (isDarwin && (isAarch32 || isAarch64)) { - "ibecker"."treefmt-vscode" = 
vscode-utils.extensionFromVscodeMarketplace { - name = "treefmt-vscode"; - publisher = "ibecker"; - version = "2.1.0"; - sha256 = "1xg3wnn3f1kvsz5a09l0cjpzfm3l9va73cahbvl14mx3n6734r2m"; - arch = "darwin-arm64"; - }; - }) + } + ) diff --git a/nix/home-manager/programs/waybar.nix b/nix/home-manager/programs/waybar.nix index b6137e1..0d90e23 100644 --- a/nix/home-manager/programs/waybar.nix +++ b/nix/home-manager/programs/waybar.nix @@ -3,7 +3,8 @@ config, repoFlake, ... -}: { +}: +{ home.packages = [ # required by any bar that has a tray plugin pkgs.libappindicator-gtk3 @@ -12,10 +13,9 @@ programs.waybar = { enable = true; - package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; - style = - pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" - + pkgs.lib.readFile ./waybar.css; + package = + repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; + style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; systemd.enable = true; settings = { mainBar = { @@ -24,12 +24,7 @@ height = 30; output = # hide the bar on HEADDLESS displays as i use them only for screensharing - ( - builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99 - ) - ++ [ - "*" - ]; + (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ]; # output = [ # "eDP-1" # "DP-*" diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 40e603d..333d3d7 100644 --- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix 
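Review bot: The platform guards in this hunk pair 32-bit hosts with 64-bit extension builds: `lib.attrsets.optionalAttrs (isLinux && (isi686 || isx86_64))` selects `arch = "linux-x64"` and `lib.attrsets.optionalAttrs (isLinux && (isAarch32 || isAarch64))` selects `arch = "linux-arm64"`, and the two Darwin branches have the same shape. An i686 or 32-bit ARM host would therefore be handed a binary for the wrong architecture without any evaluation-time error. Narrowing each condition to the architecture its `arch` value actually names, e.g. `lib.attrsets.optionalAttrs (isLinux && isx86_64) {` and `lib.attrsets.optionalAttrs (isLinux && isAarch64) {`, lets unsupported hosts fall through to the empty attrset instead; a separate `linux-armhf` entry can be added if 32-bit ARM is genuinely needed. The enclosing `merge` chain starts before this hunk.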
@@ -3,27 +3,29 @@ lib, pkgs, ... -}: let - just-plugin = let - plugin_file = pkgs.writeText "_just" '' - #compdef just - #autload +}: +let + just-plugin = + let + plugin_file = pkgs.writeText "_just" '' + #compdef just + #autload - alias justl="\just --list" - alias juste="\just --evaluate" + alias justl="\just --list" + alias juste="\just --evaluate" - local subcmds=() + local subcmds=() - while read -r line ; do - if [[ ! $line == Available* ]] ; - then - subcmds+=(''${line/[[:space:]]*\#/:}) - fi - done < <(just --list) + while read -r line ; do + if [[ ! $line == Available* ]] ; + then + subcmds+=(''${line/[[:space:]]*\#/:}) + fi + done < <(just --list) - _describe 'command' subcmds - ''; - in + _describe 'command' subcmds + ''; + in pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; @@ -35,7 +37,8 @@ chmod --recursive a-w $out ''; }; -in { +in +{ programs.zsh = { enable = true; 
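Review bot: The `_just` completion file written by `plugin_file` has `#autload` as its second line, which looks like a typo for zsh's `#autoload` marker. compinit only inspects the first line of a file in `fpath` (here `#compdef just`), so the second line is an inert comment either way; correcting it to `#autoload` or dropping it avoids a misleading header, assuming the autoload marker was the intent. The file's outer function starts before this hunk.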
@@ -46,56 +49,59 @@ in { # will be called again by oh-my-zsh enableCompletion = false; enableAutosuggestions = true; - initExtra = let - inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; - in '' - if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then - unset TMPDIR - fi + initExtra = + let + inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; + in + '' + if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then + unset TMPDIR + fi - if test ! -n "$TMP" -a -z "$TMP"; then - unset TMP - fi + if test ! -n "$TMP" -a -z "$TMP"; then + unset TMP + fi - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" - # Automatic rehash - zstyle ':completion:*' rehash true + # Automatic rehash + zstyle ':completion:*' rehash true - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . $HOME/.shrc.d/sh_aliases + fi - ${ - if builtins.hasAttr "homeshick" pkgs - then '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' - else "" - } + ${ + if builtins.hasAttr "homeshick" pkgs then + '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' + else + "" + } - # Disable intercepting of ctrl-s and ctrl-q as flow control. - stty stop ''' -ixoff -ixon + # Disable intercepting of ctrl-s and ctrl-q as flow control. 
+ stty stop ''' -ixoff -ixon - # don't cd into directories when executed - unsetopt AUTO_CD + # don't cd into directories when executed + unsetopt AUTO_CD - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" - ${lib.optionalString config.services.gpg-agent.enable '' - export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" - ''} + ${lib.optionalString config.services.gpg-agent.enable '' + export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" + ''} - ${lib.optionalString config.programs.neovim.enable '' - export EDITOR="nvim" - ''} - ''; + ${lib.optionalString config.programs.neovim.enable '' + export EDITOR="nvim" + ''} + ''; plugins = [ { @@ -128,7 +134,10 @@ in { oh-my-zsh = { enable = true; theme = "tjkirch"; - plugins = ["git" "sudo"]; + plugins = [ + "git" + "sudo" + ]; }; }; } diff --git a/nix/modules/flake-parts/colmena.nix b/nix/modules/flake-parts/colmena.nix index ee885cf..136a5a1 100644 --- a/nix/modules/flake-parts/colmena.nix +++ b/nix/modules/flake-parts/colmena.nix @@ -1,7 +1,8 @@ -{lib, ...}: { +{ lib, ... }: +{ options.flake.colmena = lib.mkOption { # type = lib.types.attrsOf lib.types.unspecified; type = lib.types.raw; - default = {}; + default = { }; }; } diff --git a/nix/modules/flake-parts/perSystem/default.nix b/nix/modules/flake-parts/perSystem/default.nix index a752173..c3ad3e0 100644 --- a/nix/modules/flake-parts/perSystem/default.nix +++ b/nix/modules/flake-parts/perSystem/default.nix 
@@ -5,34 +5,40 @@ lib, pkgs, ... -}: { +}: +{ packages = { - myPython = pkgs.python310.withPackages (ps: + myPython = pkgs.python310.withPackages ( + ps: with ps; - [ - pep8 - yapf - flake8 - # autopep8 (broken) - # pylint (broken) - ipython - llfuse - dugong - defusedxml - wheel - pip - virtualenv - cffi - # pyopenssl - urllib3 - # mistune (insecure) - sympy + [ + pep8 + yapf + flake8 + # autopep8 (broken) + # pylint (broken) + ipython + llfuse + dugong + defusedxml + wheel + pip + virtualenv + cffi + # pyopenssl + urllib3 + # mistune (insecure) + sympy - flask + flask - pyaml - requests - ] - ++ [pkgs.pypi2nix pkgs.libffi]); + pyaml + requests + ] + ++ [ + pkgs.pypi2nix + pkgs.libffi + ] + ); }; } diff --git a/nix/os/cachix.nix b/nix/os/cachix.nix index d888840..d5742c0 100644 --- a/nix/os/cachix.nix +++ b/nix/os/cachix.nix @@ -1,14 +1,12 @@ # WARN: this file will get overwritten by $ cachix use -{ - pkgs, - lib, - ... -}: let +{ pkgs, lib, ... }: +let folder = ./cachix; toImport = name: value: folder + ("/" + name); filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); -in { +in +{ inherit imports; - nix.settings.substituters = ["https://cache.nixos.org/"]; + nix.settings.substituters = [ "https://cache.nixos.org/" ]; } diff --git a/nix/os/cachix/nixpkgs-wayland.nix b/nix/os/cachix/nixpkgs-wayland.nix index 499e6e0..1c0cca7 100644 --- a/nix/os/cachix/nixpkgs-wayland.nix +++ b/nix/os/cachix/nixpkgs-wayland.nix @@ -1,8 +1,6 @@ { nix = { - settings.substituters = [ - "https://nixpkgs-wayland.cachix.org" - ]; + settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ]; settings.trusted-public-keys = [ "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" ]; diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix index 864aa20..2c2c171 100644 --- a/nix/os/containers/backup.nix 
+++ b/nix/os/containers/backup.nix 
@@ -5,88 +5,107 @@ subvolumes, targetPathSuffix ? "", autoStart ? false, -}: let +}: +let passwords = import ../../variables/passwords.crypt.nix; subvolumeParentDir = "/var/lib/container-volumes"; -in { - config = {pkgs, ...}: { - system.stateVersion = "20.03"; # Did you read the comment? +in +{ + config = + { pkgs, ... }: + { + system.stateVersion = "20.03"; # Did you read the comment? - imports = [../profiles/containers/configuration.nix]; + imports = [ ../profiles/containers/configuration.nix ]; - environment.systemPackages = with pkgs; [btrfs-progs btrbk]; + environment.systemPackages = with pkgs; [ + btrfs-progs + btrbk + ]; - networking.firewall.enable = true; + networking.firewall.enable = true; - systemd.services."bkp-sync" = { - enable = true; - description = "bkp-sync service"; + systemd.services."bkp-sync" = { + enable = true; + description = "bkp-sync service"; - serviceConfig = {Type = "oneshot";}; + serviceConfig = { + Type = "oneshot"; + }; - after = ["bkp-run.service"]; + after = [ "bkp-run.service" ]; - requires = ["bkp-run.service"]; + requires = [ "bkp-run.service" ]; - path = with pkgs; [utillinux]; - script = '' - set -x - true - ''; - }; - - systemd.services."bkp-run" = { - enable = true; - description = "bkp-run"; - - serviceConfig = {Type = "oneshot";}; - - partOf = ["bkp-sync.service"]; - - path = with pkgs; [btrfs-progs btrbk coreutils]; - - script = let - btrbkConf = pkgs.writeText "cfg" '' - timestamp_format long - ssh_identity ${passwords.storage.backupTarget.keyPath} - ssh_user ${passwords.storage.backupTarget.user} - ssh_compression no - backend_remote btrfs-progs-sudo - compat_remote busybox - btrfs_commit_delete each - snapshot_create onchange - snapshot_preserve_min latest - snapshot_preserve 7d 4w - target_preserve_min latest - target_preserve 7d 4w 12m *y - - volume ${subvolumeParentDir} - target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} - ${builtins.foldl' (sum: elem: sum + " subvolume " + 
elem + "\n") "" - subvolumes} + path = with pkgs; [ utillinux ]; + script = '' + set -x + true ''; - in '' - #! ${pkgs.bash}/bin/bash - set -Eeuxo pipefail + }; - btrbk -c ${btrbkConf} --progress ''${@:-run} - ''; - }; + systemd.services."bkp-run" = { + enable = true; + description = "bkp-run"; - systemd.timers."bkp" = { - description = "Timer to trigger bkp periodically"; - enable = true; - wantedBy = ["timer.target" "multi-user.target"]; - timerConfig = { - # Obtained using `systemd-analyze calendar "Wed 23:00"` - # OnCalendar = "Wed *-*-* 23:00:00"; - OnStartupSec = "1m"; - Unit = "bkp-sync.service"; - OnUnitInactiveSec = "2h"; - Persistent = "true"; + serviceConfig = { + Type = "oneshot"; + }; + + partOf = [ "bkp-sync.service" ]; + + path = with pkgs; [ + btrfs-progs + btrbk + coreutils + ]; + + script = + let + btrbkConf = pkgs.writeText "cfg" '' + timestamp_format long + ssh_identity ${passwords.storage.backupTarget.keyPath} + ssh_user ${passwords.storage.backupTarget.user} + ssh_compression no + backend_remote btrfs-progs-sudo + compat_remote busybox + btrfs_commit_delete each + snapshot_create onchange + snapshot_preserve_min latest + snapshot_preserve 7d 4w + target_preserve_min latest + target_preserve 7d 4w 12m *y + + volume ${subvolumeParentDir} + target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} + ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} + ''; + in + '' + #! ${pkgs.bash}/bin/bash + set -Eeuxo pipefail + + btrbk -c ${btrbkConf} --progress ''${@:-run} + ''; + }; + + systemd.timers."bkp" = { + description = "Timer to trigger bkp periodically"; + enable = true; + wantedBy = [ + "timer.target" + "multi-user.target" + ]; + timerConfig = { + # Obtained using `systemd-analyze calendar "Wed 23:00"` + # OnCalendar = "Wed *-*-* 23:00:00"; + OnStartupSec = "1m"; + Unit = "bkp-sync.service"; + OnUnitInactiveSec = "2h"; + Persistent = "true"; + }; }; }; - }; inherit autoStart; 
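Review bot: `wantedBy = [ "timer.target" "multi-user.target" ]` on `systemd.timers."bkp"` names a unit that does not exist in systemd; the standard target that pulls in timers is `timers.target`, so the timer is currently only activated through `multi-user.target`. Changing the list to `wantedBy = [ "timers.target" ];` installs it the conventional way. `Persistent = "true"` only has an effect on `OnCalendar=` timers, so with `OnStartupSec`/`OnUnitInactiveSec` here it is a no-op and can be dropped, or the commented `OnCalendar` line restored if catch-up after downtime was the intent. Separately, the btrbk config produced by `pkgs.writeText` lands in the world-readable Nix store, so the values pulled from `passwords.storage.backupTarget` (key path, user, target) must not be secrets themselves — which appears to be the case, since only the identity's path is embedded. The `config` function is fully inside the hunk, but the container definition it belongs to starts before it.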
@@ -114,10 +133,10 @@ in { } ]; - extraFlags = ["--resolv-conf=bind-host"]; + extraFlags = [ "--resolv-conf=bind-host" ]; privateNetwork = true; - forwardPorts = []; + forwardPorts = [ ]; inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index c821bf4..2ac146e 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix 
@@ -6,198 +6,207 @@ imapsPort ? 993, sievePort ? 4190, autoStart ? false, -}: { +}: +{ inherit specialArgs; - config = { - pkgs, - config, - lib, - repoFlake, - ... - }: { - system.stateVersion = "22.05"; # Did you read the comment? + config = + { + pkgs, + config, + lib, + repoFlake, + ... + }: + { + system.stateVersion = "22.05"; # Did you read the comment? - imports = [ - ../profiles/containers/configuration.nix + imports = [ + ../profiles/containers/configuration.nix - repoFlake.inputs.sops-nix.nixosModules.sops - ../profiles/common/user.nix - ]; + repoFlake.inputs.sops-nix.nixosModules.sops + ../profiles/common/user.nix + ]; - networking.firewall.allowedTCPPorts = [ - imapsPort - sievePort - ]; + networking.firewall.allowedTCPPorts = [ + imapsPort + sievePort + ]; - # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately - # sops.defaultSopsFile = ./mailserver_secrets.yaml; + # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately + # sops.defaultSopsFile = ./mailserver_secrets.yaml; - sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; - sops.secrets.email_mailStefanjunkerDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_mailStefanjunkerDeHetzner = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_schtifATwebDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_dovecot_steveej = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.email_mailStefanjunkerDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_mailStefanjunkerDeHetzner = { + sopsFile = ./mailserver_secrets.yaml; + owner = 
config.users.users.steveej.name; + }; + sops.secrets.email_schtifATwebDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_dovecot_steveej = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; - # TODO: switch to something other than ddclient as it's no longer maintained + # TODO: switch to something other than ddclient as it's no longer maintained - # TODO: switch to a let's encrypt certificate - sops.secrets.dovecotSslServerCert = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - sops.secrets.dovecotSslServerKey = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - services.dovecot2 = { - enable = true; + # TODO: switch to a let's encrypt certificate + sops.secrets.dovecotSslServerCert = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + sops.secrets.dovecotSslServerKey = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + services.dovecot2 = { + enable = true; - modules = [pkgs.dovecot_pigeonhole]; - protocols = ["sieve"]; + modules = [ pkgs.dovecot_pigeonhole ]; + protocols = [ "sieve" ]; - enableImap = true; - enableLmtp = true; - enablePAM = true; - showPAMFailure = true; - mailLocation = "maildir:~/.maildir"; - sslServerCert = config.sops.secrets.dovecotSslServerCert.path; - sslServerKey = config.sops.secrets.dovecotSslServerKey.path; + enableImap = true; + enableLmtp = true; + enablePAM = true; + showPAMFailure = true; + mailLocation = "maildir:~/.maildir"; + sslServerCert = config.sops.secrets.dovecotSslServerCert.path; + sslServerKey = config.sops.secrets.dovecotSslServerKey.path; - #configFile = "/etc/dovecot/dovecot2_manual.conf"; - extraConfig = '' - auth_mechanisms = cram-md5 digest-md5 - auth_verbose = yes + #configFile = "/etc/dovecot/dovecot2_manual.conf"; + extraConfig = '' + 
auth_mechanisms = cram-md5 digest-md5 + auth_verbose = yes - passdb { - driver = passwd-file - args = scheme=CRYPT username_format=%u /etc/dovecot/users - } + passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users + } - protocol lda { - postmaster_address = "mail@stefanjunker.de" - mail_plugins = $mail_plugins sieve - } + protocol lda { + postmaster_address = "mail@stefanjunker.de" + mail_plugins = $mail_plugins sieve + } - protocol imap { - mail_max_userip_connections = 64 - } - ''; - }; - - environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; - - systemd.services.steveej-getmail-stefanjunker = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 600; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [pkgs.getmail6]; - script = let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = ssl0.ovh.net - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + protocol imap { + mail_max_userip_connections = 64 + } ''; - in '' - getmail --idle=INBOX --rcfile=${rc} - ''; + }; + + environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; + + systemd.services.steveej-getmail-stefanjunker = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 600; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + script = + let + rc = pkgs.writeText 
"mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = ssl0.ovh.net + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in + '' + getmail --idle=INBOX --rcfile=${rc} + ''; + }; + + systemd.services.steveej-getmail-stefanjunker-hetzner = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 60; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + script = + let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 2 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = mail.your-server.de + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in + '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + + systemd.services.steveej-getmail-webde = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + serviceConfig.RestartSec = 1000; + serviceConfig.Restart = "always"; + script = + let + rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = imap.web.de + port = 993 + username = schtif + password_command = ("${pkgs.coreutils}/bin/cat", 
"${config.sops.secrets.email_schtifATwebDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = Maildir + path = ~/.maildir/ + ''; + in + '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; }; - systemd.services.steveej-getmail-stefanjunker-hetzner = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 60; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [pkgs.getmail6]; - script = let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 2 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = mail.your-server.de - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - - systemd.services.steveej-getmail-webde = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - description = "Getmail service"; - path = [pkgs.getmail6]; - serviceConfig.RestartSec = 1000; - serviceConfig.Restart = "always"; - script = let - rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = imap.web.de - port = 993 - username = schtif - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = Maildir - path = ~/.maildir/ - ''; - in '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - }; - inherit autoStart; bindMounts = { 
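Review bot: `auth_mechanisms = cram-md5 digest-md5` in the dovecot `extraConfig` is at odds with the `passdb` directly below it, which declares `scheme=CRYPT` for `/etc/dovecot/users`: challenge-response mechanisms need the server to hold each password in plaintext or in their own mechanism-specific scheme, so with hashed CRYPT entries logins fail, and if the entries are instead stored mechanism-specifically that is weaker at-rest storage than a salted hash. Since only `imapsPort` (993) is opened and `sslServerCert`/`sslServerKey` are set, the usual configuration is `auth_mechanisms = plain login` together with `ssl = required` (if the NixOS module does not already set it), so credentials only ever travel inside TLS and the users file can keep strong hashes such as `scheme=BLF-CRYPT`; this is hedged on the actual contents of the sops-provided users file, which is not visible here. `auth_verbose = yes` also logs every failed authentication attempt with its username, which is fine for debugging but worth turning off once the setup is stable. The container's outer function (`specialArgs`, the port arguments, `autoStart`) starts before this hunk.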
diff --git a/nix/os/containers/mycelium/flake.nix b/nix/os/containers/mycelium/flake.nix index fa8340a..68e11e8 100644 --- a/nix/os/containers/mycelium/flake.nix +++ b/nix/os/containers/mycelium/flake.nix 
@@ -11,350 +11,366 @@ inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = { - self, - nixpkgs, - nixos-generators, - ... - }: let - systems = [ - "aarch64-linux" - "x86_64-linux" - ]; - forAllSystems = nixpkgs.lib.genAttrs systems; - in { - nixosConfigurations.default = - nixpkgs.lib.nixosSystem - { + outputs = + { + self, + nixpkgs, + nixos-generators, + ... + }: + let + systems = [ + "aarch64-linux" + "x86_64-linux" + ]; + forAllSystems = nixpkgs.lib.genAttrs systems; + in + { + nixosConfigurations.default = nixpkgs.lib.nixosSystem { system = "aarch64-linux"; - specialArgs = {}; + specialArgs = { }; modules = [ - ({ - config, - modulesPath, - pkgs, - lib, - ... - }: { - nixpkgs.overlays = [ - (final: previous: { - # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; - # systemd = - # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { - # src = /home/steveej/src/others/systemd; + ( + { + config, + modulesPath, + pkgs, + lib, + ... 
+ }: + { + nixpkgs.overlays = [ + (final: previous: { + # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; + # systemd = + # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { + # src = /home/steveej/src/others/systemd; - # withAppArmor = false; - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # withArchive = false; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # }) - # pkgs.systemdMinimal.override { - # # getting errors with these disabled - # withCoredump = true; - # withCompression = true; - # withLogind = true; - # withSysusers = true; - # withUserDb = true; - # } - # pkgs.systemdMinimal - # pkgs.systemd.override { - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # } - # ; - }) - ]; + # withAppArmor = false; + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; + 
# withMachined = false; + # withLogTrace = true; + # withArchive = false; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # }) + # pkgs.systemdMinimal.override { + # # getting errors with these disabled + # withCoredump = true; + # withCompression = true; + # withLogind = true; + # withSysusers = true; + # withUserDb = true; + # } + # pkgs.systemdMinimal + # pkgs.systemd.override { + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; + # withMachined = false; + # withLogTrace = true; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # } + # ; + }) + ]; - imports = [ - (modulesPath + "/profiles/minimal.nix") - ]; - system.stateVersion = "24.11"; + imports = [ (modulesPath + "/profiles/minimal.nix") ]; + system.stateVersion = "24.11"; - # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix - boot.isContainer = true; - # boot.tmp.useTmpfs = true; - boot.loader.grub.enable = lib.mkForce false; - boot.loader.systemd-boot.enable = lib.mkForce false; - services.journald.console = "/dev/console"; - services.journald.storage = "none"; - # boot.specialFileSystems = lib.mkForce {}; + # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix + boot.isContainer = true; + # boot.tmp.useTmpfs = true; + boot.loader.grub.enable = lib.mkForce false; + boot.loader.systemd-boot.enable = lib.mkForce false; + services.journald.console = "/dev/console"; + services.journald.storage = "none"; + # boot.specialFileSystems = lib.mkForce {}; - services.nscd.enable = false; 
- system.nssModules = lib.mkForce []; - systemd.services.systemd-logind.enable = false; - systemd.services.console-getty.enable = false; + services.nscd.enable = false; + system.nssModules = lib.mkForce [ ]; + systemd.services.systemd-logind.enable = false; + systemd.services.console-getty.enable = false; - systemd.sockets.nix-daemon.enable = false; - systemd.services.nix-daemon.enable = false; - systemd.oomd.enable = false; - networking.useDHCP = false; - networking.firewall.enable = false; + systemd.sockets.nix-daemon.enable = false; + systemd.services.nix-daemon.enable = false; + systemd.oomd.enable = false; + networking.useDHCP = false; + networking.firewall.enable = false; - # system.build.earlyMountScript = - # lib.mkForce '' - # ''; - # system.activationScripts.specialfs = - # lib.mkForce '' - # ''; - boot.postBootCommands = '' - ls -lha /run - mkdir -p /run/wrappers - ''; + # system.build.earlyMountScript = + # lib.mkForce '' + # ''; + # system.activationScripts.specialfs = + # lib.mkForce '' + # ''; + boot.postBootCommands = '' + ls -lha /run + mkdir -p /run/wrappers + ''; - boot.kernelParams = [ - "systemd.log_level=debug" - ]; + boot.kernelParams = [ "systemd.log_level=debug" ]; - # services.udev.enable = false; + # services.udev.enable = false; - # TODO: this is only needed because `/run/current-system` is missing - # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; + # TODO: this is only needed because `/run/current-system` is missing + # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; - systemd.mounts = lib.mkForce []; - fileSystems = lib.mkForce {}; + systemd.mounts = lib.mkForce [ ]; + fileSystems = lib.mkForce { }; - services.mycelium.enable = false; - services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; - systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; - systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; - 
systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" '' - while true; do - ls -lha $CREDENTIALS_DIRECTORY - sleep 5 - done - ''); - - systemd.services.testing-credentials = { - wantedBy = ["multi-user.target"]; - path = [pkgs.coreutils]; - - serviceConfig = { - # SyslogIdentifier = "testing-credentials"; - # StateDirectory = "testing-credentials"; - # DynamicUser = true; - # User = "tc"; - # ProtectHome = true; - # ProtectSystem = true; - # LoadCredential = [ - # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" - # "hosts:/etc/hosts" - # ]; - SetCredential = "mycelium-keyfile:not secret string"; - ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" '' - cd $STATE_DIRECTORY - pwd - env + services.mycelium.enable = false; + services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; + systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; + systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; + systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce ( + pkgs.writeShellScript "mycelium" '' while true; do ls -lha $CREDENTIALS_DIRECTORY sleep 5 done - ''); - }; - }; + '' + ); - services.caddy = { - enable = true; - globalConfig = '' - auto_https off - ''; - virtualHosts.":80" = { - extraConfig = '' - respond "hello from ${config.networking.hostName}" + systemd.services.testing-credentials = { + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.coreutils ]; + + serviceConfig = { + # SyslogIdentifier = "testing-credentials"; + # StateDirectory = "testing-credentials"; + # DynamicUser = true; + # User = "tc"; + # ProtectHome = true; + # ProtectSystem = true; + # LoadCredential = [ + # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" + # "hosts:/etc/hosts" + # ]; + SetCredential = "mycelium-keyfile:not secret string"; + ExecStart = lib.mkForce ( + pkgs.writeShellScript "mycelium" '' + cd 
$STATE_DIRECTORY + pwd + env + while true; do + ls -lha $CREDENTIALS_DIRECTORY + sleep 5 + done + '' + ); + }; + }; + + services.caddy = { + enable = true; + globalConfig = '' + auto_https off ''; + virtualHosts.":80" = { + extraConfig = '' + respond "hello from ${config.networking.hostName}" + ''; + }; }; - }; - }) - ]; - }; - packages = forAllSystems (system: let - name = "mycelium"; - inherit (self.inputs) nix-snapshotter; - - config = { - entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; - # port = 2379; - args = [ - ]; - # nodePort = 30001; - }; - - myceliumPorts = { - tcp = [9651]; - udp = [9650 9651]; - }; - - inherit - (config) - entrypoint - # port - - args - # nodePort - - ; - - pkgs = import nixpkgs { - overlays = [nix-snapshotter.overlays.default]; - }; - - image = pkgs.nix-snapshotter.buildImage { - inherit name; - resolvedByNix = true; - config = { - entrypoint = [entrypoint]; - env = [ - # this is read by the `/init` script and prevents various incompatible commands like mount, etc. - # the value of this doesn't seem to matter as long as it's not an empty string. 
- "container=nerd" - "SYSTEMD_LOG_LEVEL=debug" - ]; - volumes = { - # "/var/lib/private/mycelium/key.bin" = {}; - # "/run" = {}; - # "/tmp" = {}; - # "/etc" = {}; - }; - copyToRoot = [ - # self.nixosConfigurations.default.config.system.build.toplevel - ]; - }; - }; - in { - k8s = let - pod = pkgs.writeText "${name}-pod.json" (builtins.toJSON { - apiVersion = "v1"; - kind = "Pod"; - metadata = { - inherit name; - labels = {inherit name;}; - }; - spec.containers = [ - { - inherit name args; - image = "nix:0${image}"; - ports = [ - { - name = "mycelium-tcp-0"; - containerPort = builtins.elemAt myceliumPorts.tcp 0; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 0; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 1; - } - ]; } - ]; - }); + ) + ]; + }; + packages = forAllSystems ( + system: + let + name = "mycelium"; + inherit (self.inputs) nix-snapshotter; - service = pkgs.writeText "${name}-service.json" (builtins.toJSON { - apiVersion = "v1"; - kind = "Service"; - metadata.name = "${name}-service"; - spec = { - type = "NodePort"; - selector = {inherit name;}; - ports = [ - { - name = "mycelium-tcp-0"; - port = builtins.elemAt myceliumPorts.tcp 0 + 50000; - targetPort = "mycelium-tcp-0"; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 0 + 50000; - targetPort = "mycelium-udp-0"; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 1 + 50000; - targetPort = "mycelium-udp-1"; - } + config = { + entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; + # port = 2379; + args = [ ]; + # nodePort = 30001; + }; + + myceliumPorts = { + tcp = [ 9651 ]; + udp = [ + 9650 + 9651 ]; }; - }); - in - pkgs.runCommand "declarative-k8s" {} '' - mkdir -p $out/share/k8s - cp ${pod} $out/share/k8s/ - cp ${service} $out/share/k8s/ - ''; - inherit image; 
+ inherit (config) + entrypoint + # port - start = pkgs.writeShellApplication { - name = "start"; - text = '' - set -x - rm -rf ./result - nix build --impure .#image - sudo nix2container load ./result - sudo -E nerdctl run --name ${name} --privileged -dt \ - --cgroup-manager cgroupfs \ - --volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ - "nix:0$(readlink result):latest" - ''; - }; + args + # nodePort - stop = pkgs.writeShellApplication { - name = "stop"; - text = '' - set +e - sudo -E nerdctl stop -t 60 ${name} - sudo -E nerdctl rm --force ${name} - sudo -E nerdctl system prune --all --force - sudo systemctl stop nix-snapshotter - sudo systemctl stop containerd - mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l - sudo systemctl start containerd - sudo systemctl start nix-snapshotter - ''; + ; - # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) + pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; }; - # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap - }; - }); - }; + image = pkgs.nix-snapshotter.buildImage { + inherit name; + resolvedByNix = true; + config = { + entrypoint = [ entrypoint ]; + env = [ + # this is read by the `/init` script and prevents various incompatible commands like mount, etc. + # the value of this doesn't seem to matter as long as it's not an empty string. 
+ "container=nerd" + "SYSTEMD_LOG_LEVEL=debug" + ]; + volumes = { + # "/var/lib/private/mycelium/key.bin" = {}; + # "/run" = {}; + # "/tmp" = {}; + # "/etc" = {}; + }; + copyToRoot = [ + # self.nixosConfigurations.default.config.system.build.toplevel + ]; + }; + }; + in + { + k8s = + let + pod = pkgs.writeText "${name}-pod.json" ( + builtins.toJSON { + apiVersion = "v1"; + kind = "Pod"; + metadata = { + inherit name; + labels = { + inherit name; + }; + }; + spec.containers = [ + { + inherit name args; + image = "nix:0${image}"; + ports = [ + { + name = "mycelium-tcp-0"; + containerPort = builtins.elemAt myceliumPorts.tcp 0; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 0; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 1; + } + ]; + } + ]; + } + ); + + service = pkgs.writeText "${name}-service.json" ( + builtins.toJSON { + apiVersion = "v1"; + kind = "Service"; + metadata.name = "${name}-service"; + spec = { + type = "NodePort"; + selector = { + inherit name; + }; + ports = [ + { + name = "mycelium-tcp-0"; + port = builtins.elemAt myceliumPorts.tcp 0 + 50000; + targetPort = "mycelium-tcp-0"; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 0 + 50000; + targetPort = "mycelium-udp-0"; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 1 + 50000; + targetPort = "mycelium-udp-1"; + } + ]; + }; + } + ); + in + pkgs.runCommand "declarative-k8s" { } '' + mkdir -p $out/share/k8s + cp ${pod} $out/share/k8s/ + cp ${service} $out/share/k8s/ + ''; + + inherit image; + + start = pkgs.writeShellApplication { + name = "start"; + text = '' + set -x + rm -rf ./result + nix build --impure .#image + sudo nix2container load ./result + sudo -E nerdctl run --name ${name} --privileged -dt \ + --cgroup-manager cgroupfs \ + --volume 
"$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ + "nix:0$(readlink result):latest" + ''; + }; + + stop = pkgs.writeShellApplication { + name = "stop"; + text = '' + set +e + sudo -E nerdctl stop -t 60 ${name} + sudo -E nerdctl rm --force ${name} + sudo -E nerdctl system prune --all --force + sudo systemctl stop nix-snapshotter + sudo systemctl stop containerd + mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l + sudo systemctl start containerd + sudo systemctl start nix-snapshotter + ''; + + # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) + + # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap + }; + } + ); + }; } diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix index 8c0ba82..0375102 100644 --- a/nix/os/containers/syncthing.nix +++ b/nix/os/containers/syncthing.nix @@ -6,28 +6,27 @@ syncthingPort ? 22000, syncthingLocalAnnouncePort ? 21027, autoStart ? false, -}: { +}: +{ inherit specialArgs; - config = { - config, - pkgs, - ... - }: { - system.stateVersion = "20.05"; # Did you read the comment? + config = + { config, pkgs, ... }: + { + system.stateVersion = "20.05"; # Did you read the comment? - imports = [../profiles/containers/configuration.nix]; + imports = [ ../profiles/containers/configuration.nix ]; - networking.firewall.allowedTCPPorts = [ - # syncthing gui - 8384 - ]; + networking.firewall.allowedTCPPorts = [ + # syncthing gui + 8384 + ]; - services.syncthing = { - enable = true; - openDefaultPorts = true; - guiAddress = "0.0.0.0:8384"; + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; + }; }; - }; inherit autoStart; 
diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix
index 456ef59..b20fa28 100644
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@@ -7,405 +7,417 @@ httpsPort, forgejoSshPort, autoStart ? false, -}: let +}: +let domain = "www.stefanjunker.de"; -in { +in +{ inherit specialArgs; - config = { - config, - pkgs, - lib, - repoFlake, - nodeFlake, - system, - ... - }: { - system.stateVersion = "22.05"; # Did you read the comment? + config = + { + config, + pkgs, + lib, + repoFlake, + nodeFlake, + system, + ... + }: + { + system.stateVersion = "22.05"; # Did you read the comment? - disabledModules = [ - "services/misc/forgejo.nix" - "services/security/kanidm.nix" - ]; - - imports = [ - "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" - "${repoFlake.inputs.nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" - - ../profiles/containers/configuration.nix - - repoFlake.inputs.sops-nix.nixosModules.sops - ]; - - sops.defaultSopsFile = ./webserver_secrets.yaml; - - networking.firewall.allowedTCPPorts = [ - httpPort - httpsPort - forgejoSshPort - ]; - - sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; - sops.secrets.hedgedoc_environment_file = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.hedgedoc.name; - }; - - services.caddy = { - enable = true; - logFormat = '' - level ERROR - ''; - virtualHosts."${domain}" = { - extraConfig = '' - redir /hedgedoc* https://hedgedoc.${domain} - - file_server /*/* { - browse - root /var/www/stefanjunker.de/htdocs/caddy - pass_thru - } - - # respond "Hi" - # respond (not /*/*) "Hi" - ''; - }; - - virtualHosts."hedgedoc.${domain}" = { - extraConfig = '' - reverse_proxy http://[::1]:3000 - ''; - }; - - virtualHosts."authelia.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} - ''; - }; - - virtualHosts."lldap.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} - ''; - }; - - virtualHosts."forgejo.${domain}" = { - extraConfig = '' - 
reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} - ''; - }; - - virtualHosts."kanidm.${domain}" = { - extraConfig = '' - reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} - } - } - ''; - }; - }; - - services.hedgedoc = { - enable = true; - settings = { - domain = "hedgedoc.${domain}"; - urlPath = ""; - protocolUseSSL = true; - db = { - dialect = "sqlite"; - storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; - }; - - allowAnonymous = false; - allowAnonymousEdits = false; - allowGravatar = false; - allowFreeURL = false; - defaultPermission = "private"; - - allowEmailRegister = false; - email = false; - - ldap = { - url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; - bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; - # these are set via the `environmentFile` - # bindCredentials = "$LDAP_ADMIN_PASSWORD"; - searchBase = "ou=people,dc=stefanjunker,dc=de"; - searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; - useridField = "uid"; - }; - - oauth2 = let - originURL = config.services.kanidm.serverSettings.origin; - in { - providerName = "kanidm (${originURL})"; - - authorizationURL = "${originURL}/ui/oauth2"; - tokenURL = "${originURL}/oauth2/token"; - userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; - - scope = "openid email profile"; - # rolesClaim = "roles"; - # accessRole = "role/hedgedoc"; - - userProfileUsernameAttr = "name"; - userProfileDisplayNameAttr = "displayname"; - userProfileEmailAttr = "email"; - - clientID = "hedgedoc"; - # set via the `environmentFile` - # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; - }; - - uploadsPath = "/var/lib/hedgedoc/uploads"; - }; - - environmentFile = config.sops.secrets.hedgedoc_environment_file.path; - }; - - services.jitsi-meet = { - enable = false; 
- hostName = "meet.${domain}"; - config = { - prejoinPageEnabled = true; - }; - caddy.enable = true; - nginx.enable = false; - }; - - sops.secrets.authelia_storageEncryptionKey = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - sops.secrets.authelia_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - services.authelia.instances.default = let - baseDir = "/var/lib/authelia-default"; - in { - enable = true; - secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; - secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; - settings = { - theme = "auto"; - default_2fa_method = "totp"; - log.level = "debug"; - - server = { - disable_healthcheck = true; - host = "127.0.0.1"; - port = 9091; - # path = "authelia"; - }; - - storage = { - local.path = "${baseDir}/authelia.sqlite"; - }; - - authentication_backend = { - file.path = "${baseDir}/first_factor.yaml"; - file.search.email = true; - file.search.case_insensitive = false; - }; - - access_control = { - default_policy = "one_factor"; - }; - - session.domain = "stefanjunker.de"; - - notifier = { - disable_startup_check = true; - filesystem.filename = "${baseDir}/notification.txt"; - }; - }; - }; - - users.groups.lldap = {}; - users.users.lldap = { - isSystemUser = true; - group = "lldap"; - }; - - sops.secrets.lldap_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_adminPassword = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_environmentFile = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - services.lldap = { - enable = true; - environment = { - LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; - LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; 
- }; - environmentFile = config.sops.secrets.lldap_environmentFile.path; - - settings = { - verbose = true; - - ldap_base_dn = "dc=stefanjunker,dc=de"; - http_url = "https://lldap.${domain}"; - - ## Options to configure SMTP parameters, to send password reset emails. - ## To set these options from environment variables, use the following format - ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD - smtp_options = { - ## Whether to enabled password reset via email, from LLDAP. - enable_password_reset = true; - - # port = 465; - ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". - # smtp_encryption = "TLS"; - }; - - # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; - }; - }; - - sops.secrets.FORGEJO_JWT_SECRET = {}; - sops.secrets.FORGEJO_INTERNAL_TOKEN = {}; - sops.secrets.FORGEJO_SECRET_KEY = {}; - - services.forgejo = { - enable = true; - package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; - settings = { - service.DISABLE_REGISTRATION = true; - server.HTTP_ADDR = "127.0.0.1"; - server.START_SSH_SERVER = true; - server.SSH_PORT = forgejoSshPort; - server.ROOT_URL = "https://forgejo.${domain}"; - server.HTTP_PORT = 3001; - - # TODO: how do i get a 3072 length SSH key with the yubikey? 
- "ssh.minimum_key_sizes".RSA = 2048; - }; - secrets = { - oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; - security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; - security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; - }; - }; - - systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; - systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; - systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; - - # combine a path watcher with a service that transfers the certs by caddy to kanidm - systemd.paths.kanidm-tls-watch = { - enable = true; - requiredBy = ["kanidm.service"]; - pathConfig = { - PathChanged = [ - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - ]; - Unit = "kanidm-tls-update.service"; - }; - }; - systemd.services.kanidm-tls-update = let - dbDir = - builtins.dirOf - config.services.kanidm.serverSettings.db_path; - in { - enable = true; - requiredBy = ["kanidm.service"]; - unitConfig = { - # ConditionPathExists = [ - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - # ]; - }; - serviceConfig.Type = "oneshot"; - script = let - tlsDir = builtins.dirOf 
config.services.kanidm.serverSettings.tls_key; - in '' - set -xe - - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain - - chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} - chmod 400 tls.{key,chain} - - # create the kanidm directory in case it's missing - if [[ ! -d ${tlsDir} ]]; then - mkdir -p ${tlsDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} - chmod 700 ${tlsDir} - fi - - mv tls.key ${config.services.kanidm.serverSettings.tls_key} - mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} - - if [[ ! 
-d ${dbDir} ]]; then - mkdir -p ${dbDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} - chmod 700 ${dbDir} - fi - ''; - }; - - systemd.services.kanidm.serviceConfig = let - dbDir = - builtins.dirOf - config.services.kanidm.serverSettings.db_path; - # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; - in { - # ExecStartPre = '' - # mkdir -p ${dbDir} - # ''; - BindPaths = [ - dbDir - # stateDir + disabledModules = [ + "services/misc/forgejo.nix" + "services/security/kanidm.nix" ]; - }; - services.kanidm = let - dataDir = "/var/lib/kanidm"; - in { - package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; + imports = [ + "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" + "${repoFlake.inputs.nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" - enablePam = false; - enableClient = false; + ../profiles/containers/configuration.nix - enableServer = true; - serverSettings = { - role = "WriteReplica"; - log_level = "debug"; + repoFlake.inputs.sops-nix.nixosModules.sops + ]; - domain = "kanidm.${domain}"; - origin = "https://kanidm.${domain}"; + sops.defaultSopsFile = ./webserver_secrets.yaml; - db_path = "${dataDir}/db/kanidm.db"; + networking.firewall.allowedTCPPorts = [ + httpPort + httpsPort + forgejoSshPort + ]; - bindaddress = "127.0.0.1:8444"; + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.hedgedoc_environment_file = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.hedgedoc.name; + }; - # don't expose ldap - # ldapbindaddress = "[::1]:6636"; + services.caddy = { + enable = true; + logFormat = '' + level ERROR + ''; + virtualHosts."${domain}" = { + extraConfig = '' + redir /hedgedoc* https://hedgedoc.${domain} - tls_key = "${dataDir}/tls/tls.key"; - tls_chain = "${dataDir}/tls/tls.chain"; + file_server /*/* { + browse + root 
/var/www/stefanjunker.de/htdocs/caddy + pass_thru + } - online_backup = { - schedule = "00 06 * * *"; + # respond "Hi" + # respond (not /*/*) "Hi" + ''; + }; + + virtualHosts."hedgedoc.${domain}" = { + extraConfig = '' + reverse_proxy http://[::1]:3000 + ''; + }; + + virtualHosts."authelia.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} + ''; + }; + + virtualHosts."lldap.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} + ''; + }; + + virtualHosts."forgejo.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} + ''; + }; + + virtualHosts."kanidm.${domain}" = { + extraConfig = '' + reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + } + ''; }; }; + + services.hedgedoc = { + enable = true; + settings = { + domain = "hedgedoc.${domain}"; + urlPath = ""; + protocolUseSSL = true; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + }; + + allowAnonymous = false; + allowAnonymousEdits = false; + allowGravatar = false; + allowFreeURL = false; + defaultPermission = "private"; + + allowEmailRegister = false; + email = false; + + ldap = { + url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; + bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; + # these are set via the `environmentFile` + # bindCredentials = "$LDAP_ADMIN_PASSWORD"; + searchBase = "ou=people,dc=stefanjunker,dc=de"; + searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; + useridField = "uid"; + }; + + oauth2 = + let + originURL = config.services.kanidm.serverSettings.origin; + in + { + providerName = "kanidm 
(${originURL})";
+
+ authorizationURL = "${originURL}/ui/oauth2";
+ tokenURL = "${originURL}/oauth2/token";
+ userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo";
+
+ scope = "openid email profile";
+ # rolesClaim = "roles";
+ # accessRole = "role/hedgedoc";
+
+ userProfileUsernameAttr = "name";
+ userProfileDisplayNameAttr = "displayname";
+ userProfileEmailAttr = "email";
+
+ clientID = "hedgedoc";
+ # set via the `environmentFile`
+ # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
+ };
+
+ uploadsPath = "/var/lib/hedgedoc/uploads";
+ };
+
+ environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
+ };
+
+ services.jitsi-meet = {
+ enable = false;
+ hostName = "meet.${domain}";
+ config = {
+ prejoinPageEnabled = true;
+ };
+ caddy.enable = true;
+ nginx.enable = false;
+ };
+
+ sops.secrets.authelia_storageEncryptionKey = {
+ sopsFile = ./webserver_secrets.yaml;
+ owner = config.users.users.authelia-default.name;
+ };
+
+ sops.secrets.authelia_jwtSecret = {
+ sopsFile = ./webserver_secrets.yaml;
+ owner = config.users.users.authelia-default.name;
+ };
+
+ services.authelia.instances.default =
+ let
+ baseDir = "/var/lib/authelia-default";
+ in
+ {
+ enable = true;
+ secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
+ secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
+ settings = {
+ theme = "auto";
+ default_2fa_method = "totp";
+ log.level = "debug";
+
+ server = {
+ disable_healthcheck = true;
+ host = "127.0.0.1";
+ port = 9091;
+ # path = "authelia";
+ };
+
+ storage = {
+ local.path = "${baseDir}/authelia.sqlite";
+ };
+
+ authentication_backend = {
+ file.path = "${baseDir}/first_factor.yaml";
+ file.search.email = true;
+ file.search.case_insensitive = false;
+ };
+
+ access_control = {
+ default_policy = "one_factor";
+ };
+
+ session.domain = "stefanjunker.de";
+
+ notifier = {
+ disable_startup_check = true;
+ filesystem.filename = "${baseDir}/notification.txt";
+ };
+ };
+ };
+
+ users.groups.lldap = { };
+ users.users.lldap = {
+ isSystemUser = true;
+ group = "lldap";
+ };
+
+ sops.secrets.lldap_jwtSecret = {
+ sopsFile = ./webserver_secrets.yaml;
+ owner = config.users.users.lldap.name;
+ };
+
+ sops.secrets.lldap_adminPassword = {
+ sopsFile = ./webserver_secrets.yaml;
+ owner = config.users.users.lldap.name;
+ };
+
+ sops.secrets.lldap_environmentFile = {
+ sopsFile = ./webserver_secrets.yaml;
+ owner = config.users.users.lldap.name;
+ };
+
+ services.lldap = {
+ enable = true;
+ environment = {
+ LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path;
+ LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path;
+ };
+ environmentFile = config.sops.secrets.lldap_environmentFile.path;
+
+ settings = {
+ verbose = true;
+
+ ldap_base_dn = "dc=stefanjunker,dc=de";
+ http_url = "https://lldap.${domain}";
+
+ ## Options to configure SMTP parameters, to send password reset emails.
+ ## To set these options from environment variables, use the following format
+ ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
+ smtp_options = {
+ ## Whether to enabled password reset via email, from LLDAP.
+ enable_password_reset = true;
+
+ # port = 465;
+ ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
+ # smtp_encryption = "TLS";
+ };
+
+ # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc";
+ };
+ };
+
+ sops.secrets.FORGEJO_JWT_SECRET = { };
+ sops.secrets.FORGEJO_INTERNAL_TOKEN = { };
+ sops.secrets.FORGEJO_SECRET_KEY = { };
+
+ services.forgejo = {
+ enable = true;
+ package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo;
+ settings = {
+ service.DISABLE_REGISTRATION = true;
+ server.HTTP_ADDR = "127.0.0.1";
+ server.START_SSH_SERVER = true;
+ server.SSH_PORT = forgejoSshPort;
+ server.ROOT_URL = "https://forgejo.${domain}";
+ server.HTTP_PORT = 3001;
+
+ # TODO: how do i get a 3072 length SSH key with the yubikey? 
+ "ssh.minimum_key_sizes".RSA = 2048; + }; + secrets = { + oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; + security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; + security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; + }; + }; + + systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; + systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; + systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; + + # combine a path watcher with a service that transfers the certs by caddy to kanidm + systemd.paths.kanidm-tls-watch = { + enable = true; + requiredBy = [ "kanidm.service" ]; + pathConfig = { + PathChanged = [ + "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + ]; + Unit = "kanidm-tls-update.service"; + }; + }; + systemd.services.kanidm-tls-update = + let + dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; + in + { + enable = true; + requiredBy = [ "kanidm.service" ]; + unitConfig = { + # ConditionPathExists = [ + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + # ]; + }; + serviceConfig.Type = "oneshot"; + script = + let + tlsDir = builtins.dirOf 
config.services.kanidm.serverSettings.tls_key;
+ in
+ ''
+ set -xe
+
+ cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
+ cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain
+
+ chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain}
+ chmod 400 tls.{key,chain}
+
+ # create the kanidm directory in case it's missing
+ if [[ ! -d ${tlsDir} ]]; then
+ mkdir -p ${tlsDir}
+ chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir}
+ chmod 700 ${tlsDir}
+ fi
+
+ mv tls.key ${config.services.kanidm.serverSettings.tls_key}
+ mv tls.chain ${config.services.kanidm.serverSettings.tls_chain}
+
+ if [[ ! 
-d ${dbDir} ]]; then
+ mkdir -p ${dbDir}
+ chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir}
+ chmod 700 ${dbDir}
+ fi
+ '';
+ };
+
+ systemd.services.kanidm.serviceConfig =
+ let
+ dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
+ in
+ # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
+ {
+ # ExecStartPre = ''
+ # mkdir -p ${dbDir}
+ # '';
+ BindPaths = [
+ dbDir
+ # stateDir
+ ];
+ };
+
+ services.kanidm =
+ let
+ dataDir = "/var/lib/kanidm";
+ in
+ {
+ package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
+
+ enablePam = false;
+ enableClient = false;
+
+ enableServer = true;
+ serverSettings = {
+ role = "WriteReplica";
+ log_level = "debug";
+
+ domain = "kanidm.${domain}";
+ origin = "https://kanidm.${domain}";
+
+ db_path = "${dataDir}/db/kanidm.db";
+
+ bindaddress = "127.0.0.1:8444";
+
+ # don't expose ldap
+ # ldapbindaddress = "[::1]:6636";
+
+ tls_key = "${dataDir}/tls/tls.key";
+ tls_chain = "${dataDir}/tls/tls.chain";
+
+ online_backup = {
+ schedule = "00 06 * * *";
+ };
+ };
+ };
 };
- };
 inherit autoStart;
diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix
index bc8e0ad..02b0212 100644
--- a/nix/os/devices/default.nix
+++ b/nix/os/devices/default.nix
@@ -1,20 +1,25 @@ { dir, - pkgs ? import {}, - ownLib ? import ../lib/default.nix {inherit (pkgs) lib;}, + pkgs ? import { }, + ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, gitRoot ? "$(git rev-parse --show-toplevel)", # FIXME: why do these need explicit mentioning? moreargs ? "", rebuildarg ? "", ... -} @ args: let - rebuildargsSudo = ["switch" "boot"]; - rebuild = { - gitRoot, - rebuildarg ? "dry-activate", - moreargs ? "", - ... - }: +}@args: +let + rebuildargsSudo = [ + "switch" + "boot" + ]; + rebuild = + { + gitRoot, + rebuildarg ? "dry-activate", + moreargs ? "", + ... + }: pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe @@ -30,25 +35,24 @@ ${ if - (builtins.elem rebuildarg rebuildargsSudo) - && (builtins.match ".*--target-host.*" moreargs) == null - then "sudo -E \\" - else "" + (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null + then + "sudo -E \\" + else + "" } nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} ''; -in { - recipes = - { - rebuild = - rebuild { - inherit gitRoot; - inherit moreargs; - inherit rebuildarg; - } - # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } - # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } - ; +in +{ + recipes = { + rebuild = rebuild { + inherit gitRoot; + inherit moreargs; + inherit rebuildarg; } - // (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;})); + # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } + # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } + ; + } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); } diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index f62c6a9..f639344 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix 
@@ -3,40 +3,29 @@ ownLib, dir, gitRoot, - diskId ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") - {}) - .hardware - .opinionatedDisk - .diskId, + diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, encrypted ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") - {}) - .hardware - .opinionatedDisk - .encrypted, + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, previousDiskId ? "", ... -}: let +}: +let mntRootVol = "/mnt/${diskId}-root"; -in rec { +in +rec { diskMount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe echo Mounting ${diskId} ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} ''} sleep 1 sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo mkdir -p /mnt sudo mkdir ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} - sudo mount ${ - ownLib.disk.rootFsDevice diskId - } ${mntRootVol}/nixos/home -o subvol=home + sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot ''; @@ -73,9 +62,7 @@ in rec { #!/usr/bin/env bash set -xe - read -p "Continue to format ${ - ownLib.disk.bootGrubDevice diskId - } (YES/n)? " choice + read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; 
@@ -122,15 +109,11 @@ in rec { ${pkgs.lib.strings.optionalString encrypted '' # Encrypt sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} ''} # LVM - sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ - ownLib.disk.lvmPv diskId encrypted - } + sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted} sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root @@ -154,9 +137,7 @@ in rec { #!/usr/bin/env bash set -xe - read -p "Continue to relabel ${ - ownLib.disk.bootGrubDevice diskId - } (YES/n)?" choice + read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; @@ -187,13 +168,9 @@ in rec { if test "${previousDiskId}"; then - ${ - pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } - '' - } + ${pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ''} sync sleep 1 if sudo vgs ${previousDiskId}; then diff --git a/nix/os/devices/elias-e525/boot.nix b/nix/os/devices/elias-e525/boot.nix index ab6c098..6698046 100644 --- a/nix/os/devices/elias-e525/boot.nix +++ b/nix/os/devices/elias-e525/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiSupport = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/elias-e525/configuration.nix b/nix/os/devices/elias-e525/configuration.nix index d39da6f..ea92869 100644 --- a/nix/os/devices/elias-e525/configuration.nix 
+++ b/nix/os/devices/elias-e525/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ../../profiles/common/configuration.nix
 ../../profiles/graphical/configuration.nix
diff --git a/nix/os/devices/elias-e525/default.nix b/nix/os/devices/elias-e525/default.nix
index 4b4d676..ba02693 100644
--- a/nix/os/devices/elias-e525/default.nix
+++ b/nix/os/devices/elias-e525/default.nix
@@ -3,17 +3,17 @@
 repoFlake,
 nodeFlake,
 ...
-}: let
+}:
+let
 system = "x86_64-linux";
-in {
+in
+{
 meta.nodeSpecialArgs.${nodeName} = {
 inherit repoFlake nodeName nodeFlake;
 packages' = repoFlake.packages.${system};
 };
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
- inherit system;
- };
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
 ${nodeName} = {
 deployment.targetHost = "elias-e525.lan";
diff --git a/nix/os/devices/elias-e525/flake.nix b/nix/os/devices/elias-e525/flake.nix
index 3f73b91..d5bd2c5 100644
--- a/nix/os/devices/elias-e525/flake.nix
+++ b/nix/os/devices/elias-e525/flake.nix
@@ -6,5 +6,5 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
- outputs = _: {};
+ outputs = _: { };
 }
diff --git a/nix/os/devices/elias-e525/hw.nix b/nix/os/devices/elias-e525/hw.nix
index 269281c..0a67e1e 100644
--- a/nix/os/devices/elias-e525/hw.nix
+++ b/nix/os/devices/elias-e525/hw.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 # TASK: new device
 hardware.opinionatedDisk = {
 enable = true;
diff --git a/nix/os/devices/elias-e525/pkg.nix b/nix/os/devices/elias-e525/pkg.nix
index e119032..a9483b2 100644
--- a/nix/os/devices/elias-e525/pkg.nix
+++ b/nix/os/devices/elias-e525/pkg.nix
@@ -1,8 +1,5 @@
-{
- pkgs,
- lib,
- ...
-}: let
+{ pkgs, lib, ... }:
+let
 homeEnv = keyboard: {
 imports = [
 ../../../home-manager/profiles/common.nix
@@ -22,26 +19,27 @@ rustdesk ]; }; -in { +in +{ services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; home-manager.users.steveej = homeEnv { layout = "en"; - options = ["nodeadkey"]; + options = [ "nodeadkey" ]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; home-manager.users.justyna = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; diff --git a/nix/os/devices/elias-e525/system.nix b/nix/os/devices/elias-e525/system.nix index 6763062..b9a20df 100644 --- a/nix/os/devices/elias-e525/system.nix +++ b/nix/os/devices/elias-e525/system.nix @@ -3,8 +3,10 @@ lib, config, ... -}: let -in { +}: +let +in +{ # TASK: new device networking.hostName = "elias-e525"; # Define your hostname. @@ -38,11 +40,13 @@ in { # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; } diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix index 196c96a..d80024f 100644 --- a/nix/os/devices/elias-e525/user.nix +++ b/nix/os/devices/elias-e525/user.nix @@ -3,10 +3,12 @@ pkgs, lib, ... -}: let +}: +let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; -in { + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/fwhost1/boot.nix b/nix/os/devices/fwhost1/boot.nix index 4d8c1d1..639698f 100644 
--- a/nix/os/devices/fwhost1/boot.nix +++ b/nix/os/devices/fwhost1/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost1/configuration.nix b/nix/os/devices/fwhost1/configuration.nix index ed238cb..fbdc4c0 100644 --- a/nix/os/devices/fwhost1/configuration.nix +++ b/nix/os/devices/fwhost1/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/fwhost1/hw.nix b/nix/os/devices/fwhost1/hw.nix index 6c1aaaf..15fd266 100644 --- a/nix/os/devices/fwhost1/hw.nix +++ b/nix/os/devices/fwhost1/hw.nix @@ -1,5 +1,7 @@ -{...}: let -in { +{ ... }: +let +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost1/pkg.nix b/nix/os/devices/fwhost1/pkg.nix index 6650ad9..99120aa 100644 --- a/nix/os/devices/fwhost1/pkg.nix +++ b/nix/os/devices/fwhost1/pkg.nix @@ -1,17 +1,17 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [iw wirelesstools]; + environment.systemPackages = with pkgs; [ + iw + wirelesstools + ]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost1/system.nix b/nix/os/devices/fwhost1/system.nix index abe1717..22bc1e9 100644 --- a/nix/os/devices/fwhost1/system.nix +++ b/nix/os/devices/fwhost1/system.nix 
@@ -3,10 +3,12 @@ lib, config, ... -}: let +}: +let keys = import ../../../variables/keys.nix; passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ # TASK: new device networking.hostName = "fwhost1"; # Define your hostname. @@ -21,11 +23,14 @@ in { networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = ["eth0" "eth1"]; + networking.bridges.breth.interfaces = [ + "eth0" + "eth1" + ]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = ["172.172.171.10"]; + networking.nameservers = [ "172.172.171.10" ]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost1/user.nix b/nix/os/devices/fwhost1/user.nix index 98f59ba..9fd85fb 100644 --- a/nix/os/devices/fwhost1/user.nix +++ b/nix/os/devices/fwhost1/user.nix @@ -1,9 +1,7 @@ -{ - config, - pkgs, - ... -}: let +{ config, pkgs, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {}) mkUser; -in {} + inherit (import ../../lib/default.nix { }) mkUser; +in +{ } diff --git a/nix/os/devices/fwhost1/versions.nix b/nix/os/devices/fwhost1/versions.nix index c6dac79..276eb87 100644 --- a/nix/os/devices/fwhost1/versions.nix +++ b/nix/os/devices/fwhost1/versions.nix @@ -4,9 +4,12 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost1/versions.tmpl.nix b/nix/os/devices/fwhost1/versions.tmpl.nix index c9dc8a9..d3d0c19 100644 --- a/nix/os/devices/fwhost1/versions.tmpl.nix +++ b/nix/os/devices/fwhost1/versions.tmpl.nix 
@@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/boot.nix b/nix/os/devices/fwhost2/boot.nix index 4d8c1d1..639698f 100644 --- a/nix/os/devices/fwhost2/boot.nix +++ b/nix/os/devices/fwhost2/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost2/configuration.nix b/nix/os/devices/fwhost2/configuration.nix index ed238cb..fbdc4c0 100644 --- a/nix/os/devices/fwhost2/configuration.nix +++ b/nix/os/devices/fwhost2/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/fwhost2/hw.nix b/nix/os/devices/fwhost2/hw.nix index c207b8c..a1b9b21 100644 --- a/nix/os/devices/fwhost2/hw.nix +++ b/nix/os/devices/fwhost2/hw.nix @@ -1,5 +1,7 @@ -{...}: let -in { +{ ... }: +let +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost2/pkg.nix b/nix/os/devices/fwhost2/pkg.nix index 6650ad9..99120aa 100644 --- a/nix/os/devices/fwhost2/pkg.nix +++ b/nix/os/devices/fwhost2/pkg.nix 
@@ -1,17 +1,17 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [iw wirelesstools]; + environment.systemPackages = with pkgs; [ + iw + wirelesstools + ]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost2/system.nix b/nix/os/devices/fwhost2/system.nix index 54da0ba..d923e14 100644 --- a/nix/os/devices/fwhost2/system.nix +++ b/nix/os/devices/fwhost2/system.nix @@ -4,10 +4,12 @@ config, utils, ... -}: let +}: +let keys = import ../../../variables/keys.nix; passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ # TASK: new device networking.hostName = "fwhost2"; # Define your hostname. @@ -22,11 +24,14 @@ in { networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = ["eth0" "eth1"]; + networking.bridges.breth.interfaces = [ + "eth0" + "eth1" + ]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = ["172.172.171.10"]; + networking.nameservers = [ "172.172.171.10" ]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix index d7dc0dc..78ca58d 100644 --- a/nix/os/devices/fwhost2/user.nix +++ b/nix/os/devices/fwhost2/user.nix 
@@ -1,12 +1,10 @@ -{ - config, - pkgs, - ... -}: let +{ config, pkgs, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; -in { + inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; +in +{ # users.extraUsers.steveej2 = mkUser { # uid = 1001; # openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/fwhost2/versions.nix b/nix/os/devices/fwhost2/versions.nix index c6dac79..276eb87 100644 --- a/nix/os/devices/fwhost2/versions.nix +++ b/nix/os/devices/fwhost2/versions.nix @@ -4,9 +4,12 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/versions.tmpl.nix b/nix/os/devices/fwhost2/versions.tmpl.nix index c9dc8a9..d3d0c19 100644 --- a/nix/os/devices/fwhost2/versions.tmpl.nix +++ b/nix/os/devices/fwhost2/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/hstk0/configuration.nix b/nix/os/devices/hstk0/configuration.nix index ea3c795..b844805 100644 --- a/nix/os/devices/hstk0/configuration.nix +++ b/nix/os/devices/hstk0/configuration.nix @@ -9,9 +9,9 @@ nodeName, system, ... -}: { - disabledModules = [ - ]; +}: +{ + disabledModules = [ ]; imports = [ nodeFlake.inputs.disko.nixosModules.disko 
@@ -28,9 +28,7 @@ } ../../snippets/nix-settings.nix - { - nix.settings.sandbox = lib.mkForce "relaxed"; - } + { nix.settings.sandbox = lib.mkForce "relaxed"; } ../../snippets/mycelium.nix @@ -80,60 +78,58 @@ nat.enable = true; firewall.enable = true; - firewall.allowedTCPPorts = [ - 5201 - ]; - firewall.allowedUDPPorts = [ - 5201 - ]; + firewall.allowedTCPPorts = [ 5201 ]; + firewall.allowedUDPPorts = [ 5201 ]; }; - disko.devices = let - disk = id: { - type = "disk"; - device = "/dev/${id}"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - mdadm = { - size = "100%"; - content = { - type = "mdraid"; - name = "raid0"; + disko.devices = + let + disk = id: { + type = "disk"; + device = "/dev/${id}"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + mdadm = { + size = "100%"; + content = { + type = "mdraid"; + name = "raid0"; + }; }; }; }; }; - }; - in { - disk = { - sda = disk "sda"; - sdb = disk "sdb"; - }; - mdadm = { - raid0 = { - type = "mdadm"; - level = 0; - content = { - type = "gpt"; - partitions = { - primary = { - size = "100%"; - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; + in + { + disk = { + sda = disk "sda"; + sdb = disk "sdb"; + }; + mdadm = { + raid0 = { + type = "mdadm"; + level = 0; + content = { + type = "gpt"; + partitions = { + primary = { + size = "100%"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; + }; }; }; }; }; }; }; - }; system.stateVersion = "24.05"; @@ -149,7 +145,5 @@ virtualisation.libvirtd.enable = true; - boot.binfmt.emulatedSystems = [ - "aarch64-linux" - ]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; } diff --git a/nix/os/devices/hstk0/default.nix b/nix/os/devices/hstk0/default.nix index 86b5f1a..62e6cc1 100644 --- a/nix/os/devices/hstk0/default.nix +++ b/nix/os/devices/hstk0/default.nix 
@@ -3,19 +3,22 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system; + inherit + repoFlake + nodeName + nodeFlake + system + ; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "185.130.224.33"; diff --git a/nix/os/devices/hstk0/flake.nix b/nix/os/devices/hstk0/flake.nix index 8f0a7f4..721927c 100644 --- a/nix/os/devices/hstk0/flake.nix +++ b/nix/os/devices/hstk0/flake.nix @@ -16,38 +16,37 @@ # outputs = _: {}; - outputs = { - self, - get-flake, - nixpkgs, - ... - } @ attrs: let - system = "x86_64-linux"; - nodeName = "hostkey-0"; + outputs = + { + self, + get-flake, + nixpkgs, + ... + }@attrs: + let + system = "x86_64-linux"; + nodeName = "hostkey-0"; - mkNixosConfiguration = {extraModules ? [], ...} @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs + mkNixosConfiguration = { - specialArgs = { - nodeFlake = self; - repoFlake = get-flake ../../../..; - inherit nodeName; - }; + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = { + nodeFlake = self; + repoFlake = get-flake ../../../..; + inherit nodeName; + }; - modules = - [ - ./configuration.nix - ] - ++ extraModules; - } - ); - in { - nixosConfigurations = { - native = mkNixosConfiguration { - inherit system; + modules = [ ./configuration.nix ] ++ extraModules; + } + ); + in + { + nixosConfigurations = { + native = mkNixosConfiguration { inherit system; }; }; }; - }; } diff --git a/nix/os/devices/justyna-p300/boot.nix b/nix/os/devices/justyna-p300/boot.nix index 85006ed..9d6bbe7 100644 --- a/nix/os/devices/justyna-p300/boot.nix 
+++ b/nix/os/devices/justyna-p300/boot.nix
@@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
+{
 boot.loader.grub.efiInstallAsRemovable = lib.mkForce false;
 boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 boot.loader.grub.efiSupport = lib.mkForce false;
diff --git a/nix/os/devices/justyna-p300/configuration.nix b/nix/os/devices/justyna-p300/configuration.nix
index f2cb3f7..e636106 100644
--- a/nix/os/devices/justyna-p300/configuration.nix
+++ b/nix/os/devices/justyna-p300/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ../../profiles/common/configuration.nix
 ../../profiles/graphical/configuration.nix
diff --git a/nix/os/devices/justyna-p300/default.nix b/nix/os/devices/justyna-p300/default.nix
index 907e60b..427ce7e 100644
--- a/nix/os/devices/justyna-p300/default.nix
+++ b/nix/os/devices/justyna-p300/default.nix
@@ -3,17 +3,17 @@
 repoFlake,
 nodeFlake,
 ...
-}: let
+}:
+let
 system = "x86_64-linux";
-in {
+in
+{
 meta.nodeSpecialArgs.${nodeName} = {
 inherit repoFlake nodeName nodeFlake;
 packages' = repoFlake.packages.${system};
 };
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
- inherit system;
- };
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
 ${nodeName} = {
 deployment.targetHost = nodeName;
diff --git a/nix/os/devices/justyna-p300/flake.nix b/nix/os/devices/justyna-p300/flake.nix
index 3e68abe..9b8b8ed 100644
--- a/nix/os/devices/justyna-p300/flake.nix
+++ b/nix/os/devices/justyna-p300/flake.nix
@@ -6,8 +6,8 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
- inputs.disko.url = github:nix-community/disko;
+ inputs.disko.url = "github:nix-community/disko";
 inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
- outputs = _: {};
+ outputs = _: { };
 }
diff --git a/nix/os/devices/justyna-p300/hw.nix b/nix/os/devices/justyna-p300/hw.nix
index 0924dd2..4cf258f 100644
--- a/nix/os/devices/justyna-p300/hw.nix
+++ b/nix/os/devices/justyna-p300/hw.nix
@@ -3,10 +3,9 @@ nodeFlake, lib, ... -}: { - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - ]; +}: +{ + imports = [ nodeFlake.inputs.disko.nixosModules.disko ]; disko.devices.disk.sda = { device = "/dev/sda"; @@ -20,7 +19,7 @@ start = "0"; end = "1M"; part-type = "primary"; - flags = ["bios_grub"]; + flags = [ "bios_grub" ]; } { name = "root"; @@ -30,14 +29,14 @@ bootable = true; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; }; }; }; diff --git a/nix/os/devices/justyna-p300/pkg.nix b/nix/os/devices/justyna-p300/pkg.nix index e780b7e..9982952 100644 --- a/nix/os/devices/justyna-p300/pkg.nix +++ b/nix/os/devices/justyna-p300/pkg.nix @@ -3,7 +3,8 @@ lib, packages', ... -}: let +}: +let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix @@ -23,15 +24,19 @@ rustdesk ]; }; -in { +in +{ services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; - services.printing.drivers = lib.mkForce (with packages'; [ - dcpj4110dwDriver - dcpj4110dwCupswrapper - ]); + services.printing.drivers = lib.mkForce ( + with packages'; + [ + dcpj4110dwDriver + dcpj4110dwCupswrapper + ] + ); services.printing.extraConf = '' LogLevel debug 
@@ -39,31 +44,29 @@ in { home-manager.users.steveej = homeEnv { layout = "en"; - options = ["nodeadkey"]; + options = [ "nodeadkey" ]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; home-manager.users.justyna = lib.attrsets.recursiveUpdate - (homeEnv { - layout = "de"; - options = []; - variant = ""; - }) - { - services.syncthing.enable = true; - services.syncthing.tray = true; + (homeEnv { + layout = "de"; + options = [ ]; + variant = ""; + }) + { + services.syncthing.enable = true; + services.syncthing.tray = true; - home.packages = with pkgs; [ - session-desktop - ]; - }; + home.packages = with pkgs; [ session-desktop ]; + }; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/justyna-p300/system.nix b/nix/os/devices/justyna-p300/system.nix index 44c3db9..19ce3df 100644 --- a/nix/os/devices/justyna-p300/system.nix +++ b/nix/os/devices/justyna-p300/system.nix @@ -3,9 +3,11 @@ lib, config, ... -}: let +}: +let passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -39,11 +41,13 @@ in { # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; } diff --git a/nix/os/devices/justyna-p300/user.nix b/nix/os/devices/justyna-p300/user.nix index 6d86c59..c4690cf 100644 --- a/nix/os/devices/justyna-p300/user.nix +++ b/nix/os/devices/justyna-p300/user.nix 
@@ -1,11 +1,9 @@ -{ - config, - pkgs, - ... -}: let +{ config, pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; -in { + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 8507ade..6336562 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix 
@@ -9,33 +9,33 @@ localDomainName, system, ... -}: let - inherit - (nodeFlake.inputs) - nixos-nftables-firewall - nixos-sbc - ; +}: +let + inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc; vlanRangeStart = builtins.head vlanRange; vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); - vlanRangeWith0 = [0] ++ vlanRange; + vlanRangeWith0 = [ 0 ] ++ vlanRange; - mkVlanIpv4HostAddr = { - vlanid, - host, - thirdIpv4SegmentMin ? 20, - cidr ? true, - }: let - # reserve the first subnet for vlanid == 0 - # number the other subnets continously from there - offset = - if vlanid == 0 - then thirdIpv4SegmentMin - else thirdIpv4SegmentMin + 1 - vlanRangeStart; - in - builtins.concatStringsSep "." - ["192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}"]; + mkVlanIpv4HostAddr = + { + vlanid, + host, + thirdIpv4SegmentMin ? 20, + cidr ? true, + }: + let + # reserve the first subnet for vlanid == 0 + # number the other subnets continously from there + offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart; + in + builtins.concatStringsSep "." [ + "192" + "168" + (toString (vlanid + offset)) + "${toString host}${lib.strings.optionalString cidr "/24"}" + ]; defaultVlan = { name = "${localDomainName}"; 
@@ -62,30 +62,25 @@ "15".packet_priority = -10; }; - vlansByName = - lib.attrsets.mapAttrs' - ( - vlanid': attrs: - lib.attrsets.nameValuePair - attrs.name - (attrs - // { - id = lib.strings.toInt vlanid'; - id' = vlanid'; - }) + vlansByName = lib.attrsets.mapAttrs' ( + vlanid': attrs: + lib.attrsets.nameValuePair attrs.name ( + attrs + // { + id = lib.strings.toInt vlanid'; + id' = vlanid'; + } ) - vlans; + ) vlans; - getVlanDomain = {vlanid}: - if vlanid == 0 - then defaultVlan.name - else vlans."${toString vlanid}".name + "." + defaultVlan.name; + getVlanDomain = + { vlanid }: + if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." + defaultVlan.name; bridgeInterfaceName = "br-lan"; - mkInterfaceName = {vlanid}: - if vlanid == 0 - then bridgeInterfaceName - else "${bridgeInterfaceName}.${toString vlanid}"; + mkInterfaceName = + { vlanid }: + if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}"; dmzExposedHost = "sj-srv1"; dmzExposedHostDomain = "dmz.internal"; @@ -96,8 +91,10 @@ cidr = false; }; - dmzExposedHostMACaddr = repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; -in { + dmzExposedHostMACaddr = + repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; +in +{ imports = [ nixos-sbc.nixosModules.default nixos-sbc.nixosModules.boards.bananapi.bpir3 @@ -130,7 +127,7 @@ in { sops.secrets.passwords-root.neededForUsers = true; # sops.secrets.wlan0_saePasswordsFile = {}; - sops.secrets.wlan0_wpaPskFile = {}; + sops.secrets.wlan0_wpaPskFile = { }; } ]; 
@@ -193,13 +190,15 @@ in { chains = { prerouting = { "exposeHost" = { - after = ["hook"]; - rules = let - wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; - in [ - "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" - "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" - ]; + after = [ "hook" ]; + rules = + let + wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; + in + [ + "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" + "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" + ]; }; }; }; 
@@ -211,149 +210,157 @@ in { # snippets.nnf-conntrack.enable = true; zones = { - lan.interfaces = [(mkInterfaceName {vlanid = 0;})]; - vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; + lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; + vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; # lan.ipv4Addresses = ["192.168.0.0/16"]; - wan.interfaces = ["wan" "lan0"]; - vpn.interfaces = ["wg0" "wg1" "wg2"]; + wan.interfaces = [ + "wan" + "lan0" + ]; + vpn.interfaces = [ + "wg0" + "wg1" + "wg2" + ]; } // # generate a zone for each vlan - lib.attrsets.mapAttrs - (key: value: { - interfaces = [(mkInterfaceName {vlanid = value.id;})]; - }) - vlansByName; - rules = let - ipv6IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "packet-too-big" - "parameter-problem" - "time-exceeded" + lib.attrsets.mapAttrs (key: value: { + interfaces = [ (mkInterfaceName { vlanid = value.id; }) ]; + }) vlansByName; + rules = + let + ipv6IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "packet-too-big" + "parameter-problem" + "time-exceeded" - # Without the nd-* ones ipv6 will not work. 
- "nd-neighbor-solicit" - "nd-router-advert" - "nd-neighbor-advert" - ]; - ipv4IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "source-quench" - "time-exceeded" - "router-advertisement" - ]; - allowIcmpLines = [ - "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" - "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" - ]; - in { - fw = { - from = ["fw"]; - verdict = "accept"; - }; - - office-to-dmz = { - from = ["office"]; - to = ["dmz"]; - verdict = "accept"; - }; - - lan-to-fw = { - from = ["lan"]; - to = ["fw" "lan"]; - verdict = "accept"; - }; - - lan-to-wan = { - from = ["lan"]; - to = ["wan"]; - verdict = "accept"; - }; - - vlan-to-wan = { - from = ["vlan"]; - to = ["wan"]; - verdict = "accept"; - }; - - vlan-to-fw = { - allowedUDPPortRanges = [ - { - from = 53; - to = 53; - } - { - from = 67; - to = 68; - } - { - from = 5201; - to = 5201; - } + # Without the nd-* ones ipv6 will not work. 
+ "nd-neighbor-solicit" + "nd-router-advert" + "nd-neighbor-advert" ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - { - from = 53; - to = 53; - } - { - from = 5201; - to = 5201; - } + ipv4IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "source-quench" + "time-exceeded" + "router-advertisement" ]; - from = ["vlan"]; - to = ["fw"]; - extraLines = - allowIcmpLines - ++ [ - "drop" + allowIcmpLines = [ + "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" + "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" + ]; + in + { + fw = { + from = [ "fw" ]; + verdict = "accept"; + }; + + office-to-dmz = { + from = [ "office" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + lan-to-fw = { + from = [ "lan" ]; + to = [ + "fw" + "lan" ]; - }; + verdict = "accept"; + }; - to-wan-nat = { - from = ["lan" "vlan"]; - to = ["wan"]; - masquerade = true; - verdict = "accept"; - }; + lan-to-wan = { + from = [ "lan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; - wan-to-dmz = { - from = ["wan"]; - to = ["dmz"]; - verdict = "accept"; - }; + vlan-to-wan = { + from = [ "vlan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; - wan-to-fw = { - from = ["wan"]; - to = ["fw"]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - ]; - extraLines = - allowIcmpLines - ++ [ - "drop" + vlan-to-fw = { + allowedUDPPortRanges = [ + { + from = 53; + to = 53; + } + { + from = 67; + to = 68; + } + { + from = 5201; + to = 5201; + } ]; - }; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + { + from = 53; + to = 53; + } + { + from = 5201; + to = 5201; + } + ]; + from = [ "vlan" ]; + to = [ "fw" ]; + extraLines = allowIcmpLines ++ [ "drop" ]; + }; - to-vpn-nat = { - from = ["lan" "vlan"]; - to = ["vpn"]; - masquerade = false; - verdict = "accept"; + to-wan-nat = { + from = [ + "lan" + "vlan" + ]; + to = [ "wan" ]; + masquerade = true; + verdict = "accept"; + }; + + 
wan-to-dmz = { + from = [ "wan" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + wan-to-fw = { + from = [ "wan" ]; + to = [ "fw" ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + ]; + extraLines = allowIcmpLines ++ [ "drop" ]; + }; + + to-vpn-nat = { + from = [ + "lan" + "vlan" + ]; + to = [ "vpn" ]; + masquerade = false; + verdict = "accept"; + }; }; - }; }; }; }; @@ -377,49 +384,14 @@ in { systemd.network = { wait-online.anyInterface = true; - netdevs = let - router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${ - builtins.toString - repoFlake - .nixosConfigurations - .router0-ifog - .config - .systemd - .network - .netdevs - .wg0 - .wireguardConfig - .ListenPort - }"; + netdevs = + let + router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${ - builtins.toString - repoFlake - .nixosConfigurations - .router0-ifog - .config - .systemd - .network - .netdevs - .wg1 - .wireguardConfig - .ListenPort - }"; + router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}"; - router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${ - builtins.toString - repoFlake - .nixosConfigurations - .router0-hosthatch - .config - .systemd - .network - .netdevs - .wg0 - .wireguardConfig - .ListenPort - }"; - in + router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; + in { # Create the bridge interface "20-${bridgeInterfaceName}" = { 
@@ -536,75 +508,71 @@ in { }; } # generate the vlan devices. these will be tagged on the main bridge - // builtins.foldl' - (acc: cur: acc // cur) - {} - ( + // builtins.foldl' (acc: cur: acc // cur) { } ( builtins.map - ({ - vlanid, - vlanid', - }: { - "20-${mkInterfaceName {inherit vlanid;}}" = { - netdevConfig = { - Kind = "vlan"; - Name = "${mkInterfaceName {inherit vlanid;}}"; - }; - vlanConfig.Id = vlanid; - }; - }) - ( - builtins.map - (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) - vlanRange - ) + ( + { vlanid, vlanid' }: + { + "20-${mkInterfaceName { inherit vlanid; }}" = { + netdevConfig = { + Kind = "vlan"; + Name = "${mkInterfaceName { inherit vlanid; }}"; + }; + vlanConfig.Id = vlanid; + }; + } + ) + ( + builtins.map (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange + ) ); - networks = let - commonWanOptions = { - networkConfig = { - # start a DHCP Client for IPv4/6 Addressing/Routing - DHCP = true; - DNSOverTLS = true; - DNSSEC = true; - IPForward = true; + networks = + let + commonWanOptions = { + networkConfig = { + # start a DHCP Client for IPv4/6 Addressing/Routing + DHCP = true; + DNSOverTLS = true; + DNSSEC = true; + IPForward = true; - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - IPv6PrivacyExtensions = false; - DHCPPrefixDelegation = true; - }; - dhcpV4Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - }; - dhcpV6Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - PrefixDelegationHint = "::/56"; - UseDelegatedPrefix = true; - WithoutRA = "solicit"; - }; - ipv6AcceptRAConfig = { - UseDNS = false; - UseDomains = false; - }; + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + IPv6PrivacyExtensions = false; + DHCPPrefixDelegation = true; + }; + dhcpV4Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + }; + 
dhcpV6Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + PrefixDelegationHint = "::/56"; + UseDelegatedPrefix = true; + WithoutRA = "solicit"; + }; + ipv6AcceptRAConfig = { + UseDNS = false; + UseDomains = false; + }; - # TODO: enable these somehow - # extraConfig = '' - # [IPv6AcceptRA] - # # FIXME: supported in nixos-24.11 - # DHCPv6Client=solicit + # TODO: enable these somehow + # extraConfig = '' + # [IPv6AcceptRA] + # # FIXME: supported in nixos-24.11 + # DHCPv6Client=solicit - # # FIXME: not supported at all yet - # UsePREF64=true - # ''; - }; - in + # # FIXME: not supported at all yet + # UsePREF64=true + # ''; + }; + in { # places options here that should always exist "lo" = { @@ -771,7 +739,7 @@ in { # Configure the bridge for its desired function "40-${bridgeInterfaceName}" = { matchConfig.Name = bridgeInterfaceName; - bridgeConfig = {}; + bridgeConfig = { }; address = [ (mkVlanIpv4HostAddr { vlanid = 0; @@ -793,19 +761,13 @@ in { } ]; - vlan = ( - builtins.map - (vlanid: (mkInterfaceName {inherit vlanid;})) - vlanRange - ); + vlan = (builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange); }; "50-wg0" = { enable = true; matchConfig.Name = "wg0"; - address = [ - "10.0.0.1/31" - ]; + address = [ "10.0.0.1/31" ]; routes = [ # { @@ -820,9 +782,7 @@ in { "50-wg1" = { enable = true; matchConfig.Name = "wg1"; - address = [ - "10.0.0.3/31" - ]; + address = [ "10.0.0.3/31" ]; routes = [ # { # routeConfig = { @@ -836,9 +796,7 @@ in { "50-wg2" = { enable = true; matchConfig.Name = "wg2"; - address = [ - "10.0.1.1/31" - ]; + address = [ "10.0.1.1/31" ]; routes = [ # TODO: add a testing route here 
@@ -849,280 +807,278 @@ in { # * netdev type vlan # * host address for vlan # * vlan config for wlan interface - // builtins.foldl' - (acc: cur: acc // cur) - {} - (builtins.map - ({ - vlanid, - vlanid', - }: { - # configure the tagged vlan device with an address and vlan filtering. - # dnsmasq is configured to serve the respective /24 range on each tagged device. - # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. - "41-${mkInterfaceName {inherit vlanid;}}" = { - matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; - address = [ - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 1; - }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; + // builtins.foldl' (acc: cur: acc // cur) { } ( + builtins.map + ( + { vlanid, vlanid' }: + { + # configure the tagged vlan device with an address and vlan filtering. + # dnsmasq is configured to serve the respective /24 range on each tagged device. + # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. + "41-${mkInterfaceName { inherit vlanid; }}" = { + matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; + address = [ + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; - # the client shouldn't be allowed to send us RAs, that would be weird. - IPv6AcceptRA = false; + # the client shouldn't be allowed to send us RAs, that would be weird. 
+ IPv6AcceptRA = false; - DHCPPrefixDelegation = true; - IPv6SendRA = true; - }; - - dhcpPrefixDelegationConfig = { - UplinkInterface = "wan"; - Assign = true; - SubnetId = vlanid; - Announce = true; - }; - - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; + DHCPPrefixDelegation = true; + IPv6SendRA = true; }; - } - ]; - }; - # configure the wlan interface as a bridge member that - # * only gets traffic for vid 15 - # * untags traffic after receiving it - # * tags traffic that comes out of it - "41-wlan0.${vlanid'}" = { - matchConfig.Name = "wlan0.${vlanid'}"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - - linkConfig.RequiredForOnline = "no"; - - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; - PVID = vlanid; - EgressUntagged = vlanid; + dhcpPrefixDelegationConfig = { + UplinkInterface = "wan"; + Assign = true; + SubnetId = vlanid; + Announce = true; }; - } - ]; - }; - # "50-${mkInterfaceName {inherit vlanid;}}" = { - # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; - # address = [ - # (mkVlanIpv4HostAddr { - # inherit vlanid; - # host = 1; - # }) - # ]; - # networkConfig = { - # ConfigureWithoutCarrier = true; - # }; - # linkConfig.RequiredForOnline = "no"; - # }; - }) - ( - builtins.map - (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) - vlanRange - )); + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; + + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; + }; + } + ]; + }; + + # configure the wlan interface as a bridge member that + # * only gets traffic for vid 15 + # * untags traffic after receiving it + # * tags traffic that comes out of it + "41-wlan0.${vlanid'}" = { + matchConfig.Name = "wlan0.${vlanid'}"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + + 
linkConfig.RequiredForOnline = "no"; + + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; + PVID = vlanid; + EgressUntagged = vlanid; + }; + } + ]; + }; + + # "50-${mkInterfaceName {inherit vlanid;}}" = { + # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; + # address = [ + # (mkVlanIpv4HostAddr { + # inherit vlanid; + # host = 1; + # }) + # ]; + # networkConfig = { + # ConfigureWithoutCarrier = true; + # }; + # linkConfig.RequiredForOnline = "no"; + # }; + } + ) + ( + builtins.map (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange + ) + ); }; # wireless access point services.hostapd = { enable = true; # package = nodeFlake.packages.${system}.hostapd_patched; - radios = let - # generated with https://miniwebtool.com/mac-address-generator/ - mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; - in { - wlan0 = { - band = "2g"; - # FIXME: apparently setting this could cause bugs, testing disabling it for a while. - # countryCode = "CH"; - channel = 0; # 0 would mean Automatic Channel Selection + radios = + let + # generated with https://miniwebtool.com/mac-address-generator/ + mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; + in + { + wlan0 = { + band = "2g"; + # FIXME: apparently setting this could cause bugs, testing disabling it for a while. + # countryCode = "CH"; + channel = 0; # 0 would mean Automatic Channel Selection - settings = { - # TODO: this would be faster but x13s on windows can't connect when it's enabled. - # ieee80211n = 1; + settings = { + # TODO: this would be faster but x13s on windows can't connect when it's enabled. + # ieee80211n = 1; - # Exclude DFS channels from ACS - # This option can be used to exclude all DFS channels from the ACS channel list - # in cases where the driver supports DFS channels. - acs_exclude_dfs = 0; - }; + # Exclude DFS channels from ACS + # This option can be used to exclude all DFS channels from the ACS channel list + # in cases where the driver supports DFS channels. 
+ acs_exclude_dfs = 0; + }; - # use 'iw phy#1 info' to determine your VHT capabilities - wifi4 = { - enable = true; - require = false; - capabilities = [ - "HT20" - "HT40+" - "LDPC" - "SHORT-GI-20" - "SHORT-GI-40" - "TX-STBC" - "RX-STBC1" - "MAX-AMSDU-7935" + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + require = false; + capabilities = [ + "HT20" + "HT40+" + "LDPC" + "SHORT-GI-20" + "SHORT-GI-40" + "TX-STBC" + "RX-STBC1" + "MAX-AMSDU-7935" - "40-INTOLERANT" + "40-INTOLERANT" - # not supported by BPI-R3 module - # "DELAYED-BA" - # "DSSS_CCK-40" - ]; - }; + # not supported by BPI-R3 module + # "DELAYED-BA" + # "DSSS_CCK-40" + ]; + }; - wifi5 = { - enable = false; - require = false; - }; + wifi5 = { + enable = false; + require = false; + }; - wifi6 = { - enable = false; - require = false; - }; + wifi6 = { + enable = false; + require = false; + }; - networks = { - wlan0 = let - iface = "wlan0"; - in { - ssid = "mlsia"; - bssid = mkBssid 0; - - # enables debug logging - logLevel = 0; - - authentication.mode = - "wpa2-sha256" - # "wpa3-sae-transition" - # "wpa3-sae" - ; - - authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; - - # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do - # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - - # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference - settings = { - # disable syslog because it duplicates stdout - logger_syslog = lib.mkForce 0; - - # bridge = bridgeInterfaceName; - - # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; - # not yet supported on hostapd 2.10 - # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - - # resources on vlan tagging - # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging - # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - - 
dynamic_vlan = 1; - # this option currently requires a patch to hostapd - vlan_no_bridge = 1; - - /* - not used due to the above vlan_no_bridge setting - vlan_tagged_interface = bridgeInterfaceName; - vlan_naming = 1; - vlan_bridge = "br-${iface}."; - */ - - vlan_file = let - generated = - builtins.map - ( - vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" - ) - vlanRange; - - wildcard = [ - # Optional wildcard entry matching all VLAN IDs. The first # in the interface - # name will be replaced with the VLAN ID. The network interfaces are created - # (and removed) dynamically based on the use. - # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan - "* ${iface}.#" - ]; - - file = - pkgs.writeText "hostapd.vlan" - (builtins.concatStringsSep "\n" (generated ++ wildcard)); - filePath = toString file; + networks = { + wlan0 = + let + iface = "wlan0"; in - filePath; + { + ssid = "mlsia"; + bssid = mkBssid 0; - wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ - "WPA-PSK" + # enables debug logging + logLevel = 0; - # TODO: the printer can't connect when this is on - # "WPA-PSK-SHA256" + authentication.mode = "wpa2-sha256" + # "wpa3-sae-transition" + # "wpa3-sae" + ; - # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them - # "SAE" - ]); + authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; - # wpa_psk_radius = 0; - wpa_pairwise = "CCMP"; - wmm_enabled = 1; + # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do + # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - # IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks. 
- # 0 := disabled; 1 := optional; 2 := required - ieee80211w = 1; - # sae_require_mfp = 1; - # sae_groups = "19 20 21"; + # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference + settings = { + # disable syslog because it duplicates stdout + logger_syslog = lib.mkForce 0; - # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) - tls_flags = "[ENABLE-TLSv1.3]"; + # bridge = bridgeInterfaceName; - # TODO: debugging for wifi drops happens below here - # Require IEEE 802.1X authorization - ieee8021x = 0; + # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; + # not yet supported on hostapd 2.10 + # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - # Optionally, hostapd can be configured to use an integrated EAP server - # to process EAP authentication locally without need for an external RADIUS - # server. This functionality can be used both as a local authentication server - # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. + # resources on vlan tagging + # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging + # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - # Use integrated EAP server instead of external RADIUS authentication - # server. This is also needed if hostapd is configured to act as a RADIUS - # authentication server. - eap_server = 0; + dynamic_vlan = 1; + # this option currently requires a patch to hostapd + vlan_no_bridge = 1; - # Disassociate stations based on excessive transmission failures or other - # indications of connection loss. This depends on the driver capabilities and - # may not be available with all drivers. 
- disassoc_low_ack = 0; + /* + not used due to the above vlan_no_bridge setting + vlan_tagged_interface = bridgeInterfaceName; + vlan_naming = 1; + vlan_bridge = "br-${iface}."; + */ - skip_inactivity_poll = 1; + vlan_file = + let + generated = builtins.map ( + vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" + ) vlanRange; - # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. - multicast_to_unicast = 0; - }; + wildcard = [ + # Optional wildcard entry matching all VLAN IDs. The first # in the interface + # name will be replaced with the VLAN ID. The network interfaces are created + # (and removed) dynamically based on the use. + # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan + "* ${iface}.#" + ]; + + file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard)); + filePath = toString file; + in + filePath; + + wpa_key_mgmt = lib.mkForce ( + builtins.concatStringsSep " " [ + "WPA-PSK" + + # TODO: the printer can't connect when this is on + # "WPA-PSK-SHA256" + + # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them + # "SAE" + ] + ); + + # wpa_psk_radius = 0; + wpa_pairwise = "CCMP"; + wmm_enabled = 1; + + # IEEE 802.11i (authentication) related configuration + # Encrypt management frames to protect against deauthentication and similar attacks. + # 0 := disabled; 1 := optional; 2 := required + ieee80211w = 1; + # sae_require_mfp = 1; + # sae_groups = "19 20 21"; + + # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) + tls_flags = "[ENABLE-TLSv1.3]"; + + # TODO: debugging for wifi drops happens below here + # Require IEEE 802.1X authorization + ieee8021x = 0; + + # Optionally, hostapd can be configured to use an integrated EAP server + # to process EAP authentication locally without need for an external RADIUS + # server. 
This functionality can be used both as a local authentication server + # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. + + # Use integrated EAP server instead of external RADIUS authentication + # server. This is also needed if hostapd is configured to act as a RADIUS + # authentication server. + eap_server = 0; + + # Disassociate stations based on excessive transmission failures or other + # indications of connection loss. This depends on the driver capabilities and + # may not be available with all drivers. + disassoc_low_ack = 0; + + skip_inactivity_poll = 1; + + # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. + multicast_to_unicast = 0; + }; + }; }; }; }; - }; }; services.resolved.enable = false; @@ -1150,38 +1106,35 @@ in { # v6 config enable-ra = true; - dhcp-range = let - mkDhcpRange = { - tag, - vlanid, - }: - builtins.concatStringsSep "," [ - tag - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 100; - cidr = false; - }) - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 199; - cidr = false; - }) - "12h" - # "slaac" - # "ra-stateless" - # "ra-names" - ]; - in - builtins.map - ( + dhcp-range = + let + mkDhcpRange = + { tag, vlanid }: + builtins.concatStringsSep "," [ + tag + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 100; + cidr = false; + }) + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 199; + cidr = false; + }) + "12h" + # "slaac" + # "ra-stateless" + # "ra-names" + ]; + in + builtins.map ( vlanid: - mkDhcpRange { - tag = mkInterfaceName {inherit vlanid;}; - inherit vlanid; - } - ) - vlanRangeWith0; + mkDhcpRange { + tag = mkInterfaceName { inherit vlanid; }; + inherit vlanid; + } + ) vlanRangeWith0; dhcp-host = builtins.concatStringsSep "," [ dmzExposedHostMACaddr 
@@ -1211,39 +1164,35 @@ in { ]; domain = - [ - "/${getVlanDomain {vlanid = 0;}}/,local" - ] - ++ builtins.map - ( - vlanid: "${getVlanDomain {inherit vlanid;}},${mkVlanIpv4HostAddr { - inherit vlanid; - host = 0; - cidr = true; - }},local" - ) - vlanRangeWith0; + [ "/${getVlanDomain { vlanid = 0; }}/,local" ] + ++ builtins.map ( + vlanid: + "${getVlanDomain { inherit vlanid; }},${ + mkVlanIpv4HostAddr { + inherit vlanid; + host = 0; + cidr = true; + } + },local" + ) vlanRangeWith0; # TODO: compare this to using `interface-name` dynamic-host = - [ - ] - ++ builtins.map - ( + [ ] + ++ builtins.map ( vlanid: - builtins.concatStringsSep "," [ - # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - "${nodeName}.${getVlanDomain {inherit vlanid;}}" - "0.0.0.1" - (mkInterfaceName {inherit vlanid;}) - ] - ) - vlanRangeWith0; + builtins.concatStringsSep "," [ + # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) + "${nodeName}.${getVlanDomain { inherit vlanid; }}" + "0.0.0.1" + (mkInterfaceName { inherit vlanid; }) + ] + ) vlanRangeWith0; - dhcp-option-force = - builtins.map - (vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain {inherit vlanid;}}") - vlanRangeWith0; + dhcp-option-force = builtins.map ( + vlanid: + "${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}" + ) vlanRangeWith0; # auth-server = [ # (builtins.concatStringsSep "," [ diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix index 9dd8d5e..a0520dc 100644 --- a/nix/os/devices/router0-dmz0/default.nix +++ b/nix/os/devices/router0-dmz0/default.nix 
@@ -5,25 +5,24 @@ nodeFlake, localDomainName ? "internal", ... -}: { +}: +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system; + inherit + repoFlake + nodeName + nodeFlake + system + ; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - inherit - (nodeFlake.inputs.bpir3.packages.${system}) - armTrustedFirmwareMT7986 - ; + inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986; inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix index 41f2f35..d222d2b 100644 --- a/nix/os/devices/router0-dmz0/flake.nix +++ b/nix/os/devices/router0-dmz0/flake.nix @@ -18,8 +18,8 @@ # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile" # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile" "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile_mtkbump" - # "git+file:///home/steveej/src/others/nakato_nixos-sbc/" - ; + # "git+file:///home/steveej/src/others/nakato_nixos-sbc/" + ; nixos-sbc.inputs.nixpkgs.follows = "nixpkgs"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; 
@@ -39,43 +39,43 @@ # }; }; - outputs = { - self, - get-flake, - nixpkgs, - nixos-sbc, - ... - }: let - nativeSystem = "aarch64-linux"; - nodeName = "router0-dmz0"; + outputs = + { + self, + get-flake, + nixpkgs, + nixos-sbc, + ... + }: + let + nativeSystem = "aarch64-linux"; + nodeName = "router0-dmz0"; - pkgs = nixpkgs.legacyPackages.${nativeSystem}; - pkgsCross = import self.inputs.nixpkgs { - system = "x86_64-linux"; - crossSystem = { - config = "aarch64-unknown-linux-gnu"; + pkgs = nixpkgs.legacyPackages.${nativeSystem}; + pkgsCross = import self.inputs.nixpkgs { + system = "x86_64-linux"; + crossSystem = { + config = "aarch64-unknown-linux-gnu"; + }; }; - }; - mkNixosConfiguration = {extraModules ? [], ...} @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs + mkNixosConfiguration = { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; - repoFlake = get-flake ../../../..; - nodeFlake = self; - }) - .meta - .nodeSpecialArgs - .${nodeName}; + repoFlake = get-flake ../../../..; + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; - modules = - [ + modules = [ ./configuration.nix # flake registry 
@@ -83,34 +83,30 @@ nixpkgs.overlays = builtins.attrValues self.overlays; nix.registry.nixpkgs.flake = nixpkgs; } - ] - ++ extraModules; - } - ); - in { - nixosConfigurations = { - native = mkNixosConfiguration { - system = nativeSystem; - }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; + ] ++ extraModules; } - ]; - }; - }; + ); + in + { + nixosConfigurations = { + native = mkNixosConfiguration { system = nativeSystem; }; - overlays.default = final: previous: { - hostapd = previous.hostapd.overrideDerivation (attrs: { - patches = - attrs.patches - ++ [ + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; + } + ]; + }; + }; + + overlays.default = final: previous: { + hostapd = previous.hostapd.overrideDerivation (attrs: { + patches = attrs.patches ++ [ "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" ]; - }); + }); + }; }; - }; } diff --git a/nix/os/devices/router0-hosthatch/configuration.nix b/nix/os/devices/router0-hosthatch/configuration.nix index b6b2146..eaad322 100644 --- a/nix/os/devices/router0-hosthatch/configuration.nix +++ b/nix/os/devices/router0-hosthatch/configuration.nix @@ -9,7 +9,8 @@ system, variables, ... -}: { +}: +{ system.stateVersion = "24.05"; imports = [ @@ -48,7 +49,7 @@ boot.loader.grub.efiSupport = false; # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce ["/dev/vda"]; + boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; disko.devices.disk.vda = { device = "/dev/vda"; 
@@ -64,14 +65,14 @@ size = "100%"; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; mountpoint = "/nix"; }; "/boot" = { @@ -156,9 +157,7 @@ interface = "eth0"; address = variables.ipv4gateway; }; - nameservers = [ - variables.ipv4dns - ]; + nameservers = [ variables.ipv4dns ]; # these will be configured via nftables nat.enable = lib.mkForce false; @@ -176,17 +175,20 @@ snippets.nnf-common.enable = true; zones.wan = { - interfaces = ["eth0"]; + interfaces = [ "eth0" ]; }; zones.vpn = { - interfaces = ["wg0" "wg1"]; + interfaces = [ + "wg0" + "wg1" + ]; }; rules = { to-fw = { from = "all"; - to = ["fw"]; + to = [ "fw" ]; verdict = "drop"; allowedTCPPorts = [ @@ -202,8 +204,8 @@ }; vpn-to-wan-nat = { - from = ["vpn"]; - to = ["wan"]; + from = [ "vpn" ]; + to = [ "wan" ]; masquerade = true; verdict = "accept"; }; @@ -283,9 +285,7 @@ systemd.network.networks.wg0 = { enable = true; matchConfig.Name = "wg0"; - address = [ - "10.0.1.0/31" - ]; + address = [ "10.0.1.0/31" ]; routes = [ { @@ -299,9 +299,7 @@ systemd.network.networks.wg1 = { enable = true; matchConfig.Name = "wg1"; - address = [ - "10.0.1.2/31" - ]; + address = [ "10.0.1.2/31" ]; routes = [ { diff --git a/nix/os/devices/router0-hosthatch/default.nix b/nix/os/devices/router0-hosthatch/default.nix index 202e206..fd2c485 100644 --- a/nix/os/devices/router0-hosthatch/default.nix +++ b/nix/os/devices/router0-hosthatch/default.nix 
@@ -4,20 +4,24 @@ repoFlake, nodeFlake, ... -}: let +}: +let variables = import ./variables.crypt.nix; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system variables; + inherit + repoFlake + nodeName + nodeFlake + system + variables + ; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = variables.ipv4; diff --git a/nix/os/devices/router0-hosthatch/flake.nix b/nix/os/devices/router0-hosthatch/flake.nix index 6e7501b..3057b9a 100644 --- a/nix/os/devices/router0-hosthatch/flake.nix +++ b/nix/os/devices/router0-hosthatch/flake.nix @@ -15,5 +15,5 @@ nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/router0-ifog/configuration.nix b/nix/os/devices/router0-ifog/configuration.nix index 6aadabb..a449e43 100644 --- a/nix/os/devices/router0-ifog/configuration.nix +++ b/nix/os/devices/router0-ifog/configuration.nix @@ -9,7 +9,8 @@ system, variables, ... -}: { +}: +{ system.stateVersion = "23.11"; imports = [ @@ -48,7 +49,7 @@ boot.loader.grub.efiSupport = false; # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce ["/dev/vda"]; + boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; disko.devices.disk.vda = { device = "/dev/vda"; @@ -64,14 +65,14 @@ size = "100%"; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; mountpoint = "/nix"; }; "/boot" = { 
@@ -156,9 +157,7 @@ interface = "eth0"; address = variables.ipv4gateway; }; - nameservers = [ - variables.ipv4dns - ]; + nameservers = [ variables.ipv4dns ]; # these will be configured via nftables nat.enable = lib.mkForce false; @@ -176,17 +175,20 @@ snippets.nnf-common.enable = true; zones.wan = { - interfaces = ["eth0"]; + interfaces = [ "eth0" ]; }; zones.vpn = { - interfaces = ["wg0" "wg1"]; + interfaces = [ + "wg0" + "wg1" + ]; }; rules = { to-fw = { from = "all"; - to = ["fw"]; + to = [ "fw" ]; verdict = "drop"; allowedTCPPorts = [ @@ -202,8 +204,8 @@ }; vpn-to-wan-nat = { - from = ["vpn"]; - to = ["wan"]; + from = [ "vpn" ]; + to = [ "wan" ]; masquerade = true; verdict = "accept"; }; @@ -283,9 +285,7 @@ systemd.network.networks.wg0 = { enable = true; matchConfig.Name = "wg0"; - address = [ - "10.0.0.0/31" - ]; + address = [ "10.0.0.0/31" ]; routes = [ { @@ -299,9 +299,7 @@ systemd.network.networks.wg1 = { enable = true; matchConfig.Name = "wg1"; - address = [ - "10.0.0.2/31" - ]; + address = [ "10.0.0.2/31" ]; routes = [ { diff --git a/nix/os/devices/router0-ifog/default.nix b/nix/os/devices/router0-ifog/default.nix index 202e206..fd2c485 100644 --- a/nix/os/devices/router0-ifog/default.nix +++ b/nix/os/devices/router0-ifog/default.nix @@ -4,20 +4,24 @@ repoFlake, nodeFlake, ... -}: let +}: +let variables = import ./variables.crypt.nix; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system variables; + inherit + repoFlake + nodeName + nodeFlake + system + variables + ; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = variables.ipv4; 
diff --git a/nix/os/devices/router0-ifog/flake.nix b/nix/os/devices/router0-ifog/flake.nix
index 6e7501b..3057b9a 100644
--- a/nix/os/devices/router0-ifog/flake.nix
+++ b/nix/os/devices/router0-ifog/flake.nix
@@ -15,5 +15,5 @@
     nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = _: {};
+  outputs = _: { };
 }
diff --git a/nix/os/devices/sj-srv1/boot.nix b/nix/os/devices/sj-srv1/boot.nix
index 59a5051..6a7ae06 100644
--- a/nix/os/devices/sj-srv1/boot.nix
+++ b/nix/os/devices/sj-srv1/boot.nix
@@ -1,3 +1,4 @@
-{lib, ...}: {
-  boot.extraModulePackages = [];
+{ lib, ... }:
+{
+  boot.extraModulePackages = [ ];
 }
diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix
index bada0c3..4975dde 100644
--- a/nix/os/devices/sj-srv1/configuration.nix
+++ b/nix/os/devices/sj-srv1/configuration.nix
@@ -3,8 +3,9 @@
   config,
   pkgs,
   ...
-}: {
-  disabledModules = [];
+}:
+{
+  disabledModules = [ ];
   imports = [
     ../../profiles/common/configuration.nix
     {
diff --git a/nix/os/devices/sj-srv1/default.nix b/nix/os/devices/sj-srv1/default.nix
index 94458cb..6ec896d 100644
--- a/nix/os/devices/sj-srv1/default.nix
+++ b/nix/os/devices/sj-srv1/default.nix
@@ -3,17 +3,17 @@
   repoFlake,
   nodeFlake,
   ...
-}: let
+}:
+let
   system = "x86_64-linux";
-in {
+in
+{
   meta.nodeSpecialArgs.${nodeName} = {
     inherit repoFlake nodeName nodeFlake;
     packages' = repoFlake.packages.${system};
   };
 
-  meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
-    inherit system;
-  };
+  meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
 
   ${nodeName} = {
     deployment.targetHost = "${nodeName}.dmz.internal";
diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix
index 5d25964..20a919c 100644
--- a/nix/os/devices/sj-srv1/flake.nix
+++ b/nix/os/devices/sj-srv1/flake.nix
@@ -12,5 +12,5 @@ inputs.nixpkgs_forgejo.url = "github:NixOS/nixpkgs/af4ac075a3e97cb239078e187112afdf380cd47b"; # nixpkgs_forgejo.url = "github:steveej-forks/nixpkgs/9c3519ab3beb11b8d997281f8922330f707df419"; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix index 65a001d..22f021a 100644 --- a/nix/os/devices/sj-srv1/hw.nix +++ b/nix/os/devices/sj-srv1/hw.nix @@ -1,4 +1,5 @@ -{...}: let +{ ... }: +let stage1Modules = [ "virtio_balloon" "virtio_scsi" @@ -38,7 +39,8 @@ "cdc_ether" "uas" ]; -in { +in +{ hardware.opinionatedDisk = { enable = true; encrypted = false; diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix index 978ce76..5aea904 100644 --- a/nix/os/devices/sj-srv1/system.nix +++ b/nix/os/devices/sj-srv1/system.nix @@ -6,29 +6,29 @@ nodeFlake, nodeName, ... -}: let +}: +let hostBridgeAddress = "192.168.101.1"; -in { +in +{ imports = [ ../../snippets/systemd-resolved.nix { # make sure it uses the DNS that comes in via DHCP - networking.nameservers = lib.mkForce []; + networking.nameservers = lib.mkForce [ ]; services.resolved.enable = true; # provide DNS to the containers services.resolved.extraConfig = '' DNSStubListenerExtra=${hostBridgeAddress} ''; - networking.firewall.interfaces.br0.allowedTCPPorts = [53]; - networking.firewall.interfaces.br0.allowedUDPPorts = [53]; + networking.firewall.interfaces.br0.allowedTCPPorts = [ 53 ]; + networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 ]; } ]; programs.wireshark.enable = true; - environment.systemPackages = [ - pkgs.dnsutils - ]; + environment.systemPackages = [ pkgs.dnsutils ]; networking.firewall.enable = true; networking.nftables.enable = true; @@ -48,13 +48,13 @@ in { networking.nat = { enable = true; - internalInterfaces = ["br0"]; + internalInterfaces = [ "br0" ]; externalInterface = "dmz0"; }; networking.bridges = { br0 = { - interfaces = []; + interfaces = [ ]; }; }; networking.interfaces = { 
@@ -89,9 +89,7 @@ in { networkConfig.LinkLocalAddressing = "no"; # TODO: i'm not sure if and if so why this is required - macvlan = [ - "dmz0" - ]; + macvlan = [ "dmz0" ]; DHCP = "no"; }; 
@@ -111,45 +109,49 @@ in { }; # virtualization - virtualisation = {docker.enable = false;}; + virtualisation = { + docker.enable = false; + }; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix - services.restic.backups.${nodeName} = let - btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; - in { - initialize = true; - repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; + services.restic.backups.${nodeName} = + let + btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; + in + { + initialize = true; + repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; - paths = [ - "/backup" - ]; + paths = [ "/backup" ]; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 5" - "--keep-monthly 12" - "--keep-yearly 2" - ]; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 2" + ]; - timerConfig = { - OnCalendar = lib.mkDefault "daily"; - Persistent = true; + timerConfig = { + OnCalendar = lib.mkDefault "daily"; + Persistent = true; + }; + + passwordFile = config.sops.secrets.restic-password.path; + + backupPrepareCommand = '' + ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes + ''; + backupCleanupCommand = '' + ${btrfs} su delete /backup/container-volumes + ''; }; - passwordFile = config.sops.secrets.restic-password.path; - - backupPrepareCommand = '' - ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes - ''; - backupCleanupCommand = '' - ${btrfs} su delete /backup/container-volumes - ''; - }; - containers = { mailserver = import ../../containers/mailserver.nix { specialArgs = { 
@@ -167,25 +169,23 @@ in { sievePort = 4190; }; - webserver = - import ../../containers/webserver.nix - { - specialArgs = { - inherit repoFlake nodeFlake; - hostAddress = hostBridgeAddress; - }; - - autoStart = true; - - hostBridge = "br0"; + webserver = import ../../containers/webserver.nix { + specialArgs = { + inherit repoFlake nodeFlake; hostAddress = hostBridgeAddress; - localAddress = "192.168.101.11/24"; - - httpPort = 80; - httpsPort = 443; - forgejoSshPort = 2222; }; + autoStart = true; + + hostBridge = "br0"; + hostAddress = hostBridgeAddress; + localAddress = "192.168.101.11/24"; + + httpPort = 80; + httpsPort = 443; + forgejoSshPort = 2222; + }; + syncthing = import ../../containers/syncthing.nix { specialArgs = { inherit repoFlake nodeFlake; diff --git a/nix/os/devices/sj-vps-htz0/boot.nix b/nix/os/devices/sj-vps-htz0/boot.nix index 5713789..ed21f9c 100644 --- a/nix/os/devices/sj-vps-htz0/boot.nix +++ b/nix/os/devices/sj-vps-htz0/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/devices/sj-vps-htz0/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix index b734123..5ef0c25 100644 --- a/nix/os/devices/sj-vps-htz0/configuration.nix +++ b/nix/os/devices/sj-vps-htz0/configuration.nix @@ -3,8 +3,9 @@ config, pkgs, ... -}: { - disabledModules = []; +}: +{ + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix { diff --git a/nix/os/devices/sj-vps-htz0/default.nix b/nix/os/devices/sj-vps-htz0/default.nix index 12e0271..7683a53 100644 --- a/nix/os/devices/sj-vps-htz0/default.nix +++ b/nix/os/devices/sj-vps-htz0/default.nix 
@@ -3,17 +3,17 @@
   repoFlake,
   nodeFlake,
   ...
-}: let
+}:
+let
   system = "x86_64-linux";
-in {
+in
+{
   meta.nodeSpecialArgs.${nodeName} = {
     inherit repoFlake nodeName nodeFlake;
     packages' = repoFlake.packages.${system};
   };
 
-  meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
-    inherit system;
-  };
+  meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
 
   ${nodeName} = {
     deployment.targetHost = "${nodeName}.infra.stefanjunker.de";
diff --git a/nix/os/devices/sj-vps-htz0/flake.nix b/nix/os/devices/sj-vps-htz0/flake.nix
index c315b8e..f8ca24f 100644
--- a/nix/os/devices/sj-vps-htz0/flake.nix
+++ b/nix/os/devices/sj-vps-htz0/flake.nix
@@ -8,5 +8,5 @@
     inputs.nixpkgs.follows = "nixpkgs";
   };
 
-  outputs = _: {};
+  outputs = _: { };
 }
diff --git a/nix/os/devices/sj-vps-htz0/hw.nix b/nix/os/devices/sj-vps-htz0/hw.nix
index 7566a02..9eb01fc 100644
--- a/nix/os/devices/sj-vps-htz0/hw.nix
+++ b/nix/os/devices/sj-vps-htz0/hw.nix
@@ -1,4 +1,5 @@
-{...}: let
+{ ... }:
+let
   stage1Modules = [
     "virtio_balloon"
     "virtio_scsi"
@@ -14,7 +15,8 @@
     "pata_acpi"
     "ata_generic"
   ];
-in {
+in
+{
   hardware.opinionatedDisk = {
     enable = true;
     encrypted = false;
diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix
index 7efcbbd..322c790 100644
--- a/nix/os/devices/sj-vps-htz0/system.nix
+++ b/nix/os/devices/sj-vps-htz0/system.nix
@@ -5,12 +5,12 @@
   repoFlake,
   nodeName,
   ...
-}: let
+}:
+let
   wireguardPort = 51820;
-in {
-  imports = [
-    ../../snippets/systemd-resolved.nix
-  ];
+in
+{
+  imports = [ ../../snippets/systemd-resolved.nix ];
 
   networking.firewall.enable = true;
   networking.nftables.enable = true;
@@ -19,9 +19,7 @@ in {
     # iperf3
     5201
   ];
 
-  networking.firewall.allowedUDPPorts = [
-    wireguardPort
-  ];
+  networking.firewall.allowedUDPPorts = [ wireguardPort ];
 
   networking.firewall.logRefusedConnections = false;
@@ -38,7 +36,7 @@ in { "prefixLength" = 29; } ]; - ipv6.addresses = []; + ipv6.addresses = [ ]; }; networking.defaultGateway = { @@ -53,7 +51,10 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-*" "wg*"]; + internalInterfaces = [ + "ve-*" + "wg*" + ]; externalInterface = "eth0"; }; @@ -70,15 +71,12 @@ in { networking.wireguard.interfaces.wg0 = { # eth0 MTU (1400) - 80 mtu = 1320; - ips = [ - "192.168.99.1/31" - ]; - listenPort = - wireguardPort; + ips = [ "192.168.99.1/31" ]; + listenPort = wireguardPort; privateKeyFile = config.sops.secrets.wg0-private.path; peers = [ { - allowedIPs = ["192.168.99.2/32"]; + allowedIPs = [ "192.168.99.2/32" ]; publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0="; presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path; } @@ -86,14 +84,18 @@ in { }; # virtualization - virtualisation = {docker.enable = false;}; + virtualisation = { + docker.enable = false; + }; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; - containers = {}; + containers = { }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix index b59afac..49c79de 100644 --- a/nix/os/devices/srv0-dmz0/configuration.nix +++ b/nix/os/devices/srv0-dmz0/configuration.nix @@ -5,10 +5,12 @@ pkgs, config, ... -}: let +}: +let disk = "/dev/disk/by-id/ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN"; -in { - disabledModules = []; +in +{ + disabledModules = [ ]; imports = [ repoFlake.inputs.disko.nixosModules.disko repoFlake.inputs.srvos.nixosModules.server @@ -23,7 +25,7 @@ in { ]; ## bare-metal machines - srvos.boot.consoles = ["tty0"]; + srvos.boot.consoles = [ "tty0" ]; boot.loader.grub.enable = false; boot.loader.efi.canTouchEfiVariables = false; 
@@ -39,7 +41,7 @@ in { start = "0"; end = "1M"; part-type = "primary"; - flags = ["bios_grub"]; + flags = [ "bios_grub" ]; } { name = "ESP"; @@ -60,14 +62,14 @@ in { bootable = true; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; }; }; }; @@ -109,7 +111,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; @@ -119,9 +121,11 @@ in { # virtualization # virtualisation = {docker.enable = true;}; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; - containers = {}; + containers = { }; # sops.secrets.holochain-nomad-agent-ca = { # sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; diff --git a/nix/os/devices/srv0-dmz0/default.nix b/nix/os/devices/srv0-dmz0/default.nix index 5c0b7bb..3af624b 100644 --- a/nix/os/devices/srv0-dmz0/default.nix +++ b/nix/os/devices/srv0-dmz0/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "srv0.dmz0.noosphere.life"; diff --git a/nix/os/devices/srv0-dmz0/flake.nix b/nix/os/devices/srv0-dmz0/flake.nix index f2af929..2f27989 100644 --- a/nix/os/devices/srv0-dmz0/flake.nix +++ b/nix/os/devices/srv0-dmz0/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } 
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix
index fe0b621..2e02970 100644
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix
+++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix
@@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
+{
   boot.loader.grub.efiSupport = true;
-  boot.extraModulePackages = [];
+  boot.extraModulePackages = [ ];
 }
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix
index 28a63fb..b29548c 100644
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix
+++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix
@@ -1,5 +1,6 @@
-{...}: {
-  disabledModules = [];
+{ ... }:
+{
+  disabledModules = [ ];
   imports = [
     ../../profiles/common/configuration.nix
     ../../modules/opinionatedDisk.nix
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix
index 8815036..b092ef6 100644
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix
+++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix
@@ -1,4 +1,5 @@
-{...}: let
+{ ... }:
+let
   stage1Modules = [
     "aesni_intel"
     "kvm-intel"
@@ -17,7 +18,8 @@
     "xhci_hcd"
     "xhci_pci"
   ];
-in {
+in
+{
   # TASK: new device
   hardware.opinionatedDisk = {
     enable = true;
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix
index b6c8038..1f5de15 100644
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix
+++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix
@@ -3,14 +3,11 @@ pkgs, lib, ... -}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +}: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; @@ -20,7 +17,12 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; maxJobs = 4; } ]; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix index e677958..743cee7 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix @@ -3,9 +3,11 @@ lib, config, ... -}: let +}: +let keys = import ../../../variables/keys.nix; -in { +in +{ # TASK: new device networking.hostName = "srv0"; # Define your hostname. # networking.domain = "home-ch.stefanjunker.de"; @@ -37,7 +39,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; @@ -45,14 +47,20 @@ in { # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = {docker.enable = true;}; + virtualisation = { + docker.enable = true; + }; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; networking.useHostResolvConf = false; - services.resolved = {enable = true;}; + services.resolved = { + enable = true; + }; - containers = {}; + containers = { }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions 
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix
index bb546e6..1bc2086 100644
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix
+++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix
@@ -4,7 +4,8 @@ let
     ref = "nixos-22.05";
     rev = "040c6d8374d090f46ab0e99f1f7c27a4529ecffd";
   };
-in {
+in
+{
   inherit nixpkgs;
   "channels-nixos-stable" = nixpkgs;
   "nixpkgs-master" = {
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix
index 511138c..5817e21 100644
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix
+++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix
@@ -6,7 +6,8 @@ let
     <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.05 | awk '{ print $1 }' | tr -d ' ' -%>'';
   };
-in {
+in
+{
   inherit nixpkgs;
   "channels-nixos-stable" = nixpkgs;
   "nixpkgs-master" = {
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix
index a15e1aa..d009275 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
   imports = [
     ../../profiles/common/configuration.nix
     ../../profiles/graphical/configuration.nix
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix
index 6d8eadd..ac9e009 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
   # TASK: new device
   hardware.encryptedDisk = {
     enable = true;
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix
index 73d39d9..94eeae2 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix
@@ -1,11 +1,9 @@
+{ pkgs, lib, ... }:
+let
+in
 {
- pkgs,
- lib,
- ...
-}: let
-in {
 services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"'';
- users.groups.sgx = {};
+ users.groups.sgx = { };
 networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname.
 boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest;
 }
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix
index 2b72309..8549047 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix
@@ -1,12 +1,10 @@
-{
- config,
- pkgs,
- ...
-}: let
+{ config, pkgs, ... }:
+let
 passwords = import ../../../variables/passwords.crypt.nix;
 keys = import ../../../variables/keys.nix;
- inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
-in {
+ inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser;
+in
+{
 users.extraUsers.sjunker = mkUser {
 uid = 1001;
 openssh.authorizedKeys.keys = keys.users.steveej.openssh;
@@ -14,7 +12,7 @@ in {
 image = "quay.io/enarx/fedora";
 run_args = "-v /dev/sgx:/dev/sgx";
 };
- extraGroups = ["sgx"];
+ extraGroups = [ "sgx" ];
 subUidRanges = [
 {
diff --git a/nix/os/devices/steveej-pa600/boot.nix b/nix/os/devices/steveej-pa600/boot.nix
index 4d8c1d1..639698f 100644
--- a/nix/os/devices/steveej-pa600/boot.nix
+++ b/nix/os/devices/steveej-pa600/boot.nix
@@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
+{
 boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
 boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 }
diff --git a/nix/os/devices/steveej-pa600/configuration.nix b/nix/os/devices/steveej-pa600/configuration.nix
index 37f4c61..68ad190 100644
--- a/nix/os/devices/steveej-pa600/configuration.nix
+++ b/nix/os/devices/steveej-pa600/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ../../profiles/common/configuration.nix
 ../../profiles/graphical/configuration.nix
diff --git a/nix/os/devices/steveej-pa600/hw.nix b/nix/os/devices/steveej-pa600/hw.nix index a563c1a..d5c1402 100644 --- a/nix/os/devices/steveej-pa600/hw.nix +++ b/nix/os/devices/steveej-pa600/hw.nix @@ -1,4 +1,5 @@ -{...}: let +{ ... }: +let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -7,7 +8,8 @@ "xhci_pci" "hxci_hcd" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/steveej-pa600/pkg.nix b/nix/os/devices/steveej-pa600/pkg.nix index 1db742a..8e23ab6 100644 --- a/nix/os/devices/steveej-pa600/pkg.nix +++ b/nix/os/devices/steveej-pa600/pkg.nix @@ -1,11 +1,8 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; diff --git a/nix/os/devices/steveej-pa600/system.nix b/nix/os/devices/steveej-pa600/system.nix index 02256d8..a1d8fdd 100644 --- a/nix/os/devices/steveej-pa600/system.nix +++ b/nix/os/devices/steveej-pa600/system.nix @@ -3,9 +3,11 @@ lib, config, ... -}: let +}: +let keys = import ../../../variables/keys.nix; -in { +in +{ # TASK: new device networking.hostName = "steveej-pa600"; # Define your hostname. @@ -20,7 +22,11 @@ in { services.printing = { enable = true; - drivers = with pkgs; [hplip mfcl3770cdw.driver mfcl3770cdw.cupswrapper]; + drivers = with pkgs; [ + hplip + mfcl3770cdw.driver + mfcl3770cdw.cupswrapper + ]; }; services.fprintd.enable = true; 
@@ -29,9 +35,9 @@ in { sudo.fprintAuth = true; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; services.xserver.serverFlagsSection = '' Option "BlankTime" "0" Option "StandbyTime" "0" diff --git a/nix/os/devices/steveej-pa600/user.nix b/nix/os/devices/steveej-pa600/user.nix index 4b85fea..ccea56e 100644 --- a/nix/os/devices/steveej-pa600/user.nix +++ b/nix/os/devices/steveej-pa600/user.nix @@ -1,12 +1,10 @@ -{ - config, - pkgs, - ... -}: let +{ config, pkgs, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; -in { + inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; +in +{ users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/steveej-pa600/versions.nix b/nix/os/devices/steveej-pa600/versions.nix index ce6b116..e7d4567 100644 --- a/nix/os/devices/steveej-pa600/versions.nix +++ b/nix/os/devices/steveej-pa600/versions.nix @@ -4,9 +4,12 @@ let ref = "nixos-20.09"; rev = "e065200fc90175a8f6e50e76ef10a48786126e1c"; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-pa600/versions.tmpl.nix b/nix/os/devices/steveej-pa600/versions.tmpl.nix index 96f7be3..08f1a43 100644 --- a/nix/os/devices/steveej-pa600/versions.tmpl.nix +++ b/nix/os/devices/steveej-pa600/versions.tmpl.nix 
@@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix index b32a198..9682eb6 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix index 14df96a..6e9151e 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix index 4329e5c..fb919e7 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix @@ -1,3 +1,4 @@ -{...}: { +{ ... }: +{ networking.hostName = "steveej-rmvbl-mmc-SL32G_0x259093f6"; # Define your hostname. } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix index d49dbd3..c08504e 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix 
@@ -1,11 +1,8 @@ -{...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; }; imports = [ diff --git a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix index 408b2a9..21b47b9 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ # TASK: new device hardware.opinionatedDisk.diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0"; hardware.opinionatedDisk.encrypted = true; diff --git a/nix/os/devices/steveej-rmvbl-sdep0/system.nix b/nix/os/devices/steveej-rmvbl-sdep0/system.nix index 5bad73f..cdad21b 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/system.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/system.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname. system.stateVersion = "21.05"; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix index f8759b8..3771f25 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix 
@@ -2,35 +2,33 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-22.11"; - rev = '' - 0040164e473509b4aee6aedb3b923e400d6df10b''; + rev = ''0040164e473509b4aee6aedb3b923e400d6df10b''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = '' - d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; + rev = ''d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; }; "channels-nixos-unstable-small" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable-small"; - rev = '' - 9c34c8adba80180608794cce600b10183b048942''; + rev = ''9c34c8adba80180608794cce600b10183b048942''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = '' - f9adb566707a492bd3d17fee1e223695d939b52a''; + rev = ''f9adb566707a492bd3d17fee1e223695d939b52a''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; ref = "release-22.11"; - rev = '' - d6f3ba090ed090ae664ab5bac329654093aae725''; + rev = ''d6f3ba090ed090ae664ab5bac329654093aae725''; }; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix index a0fa34a..92abc4a 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix index 281d09e..d3ff0b5 100644 
--- a/nix/os/devices/steveej-t14/boot.nix
+++ b/nix/os/devices/steveej-t14/boot.nix
@@ -1,8 +1,5 @@
+{ lib, pkgs, ... }:
 {
- lib,
- pkgs,
- ...
-}: {
 boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
 boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
 boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix
index a094278..d4221ca 100644
--- a/nix/os/devices/steveej-t14/configuration.nix
+++ b/nix/os/devices/steveej-t14/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ../../snippets/home-manager-with-zsh.nix
 ../../snippets/nix-settings-holo-chain.nix
@@ -19,58 +20,61 @@ ./boot.nix # samba seerver - ({lib, ...}: { - # networking.firewall.enable = lib.mkForce false; - services.samba-wsdd.enable = true; # make shares visible for windows 10 clients - networking.firewall.allowedTCPPorts = [ - 5357 # wsdd - ]; - networking.firewall.allowedUDPPorts = [ - 3702 # wsdd - ]; - services.samba = { - enable = true; + ( + { lib, ... }: + { + # networking.firewall.enable = lib.mkForce false; + services.samba-wsdd.enable = true; # make shares visible for windows 10 clients + networking.firewall.allowedTCPPorts = [ + 5357 # wsdd + ]; + networking.firewall.allowedUDPPorts = [ + 3702 # wsdd + ]; + services.samba = { + enable = true; - securityType = "user"; + securityType = "user"; - extraConfig = '' - workgroup = ARBEITSGRUPPE - server string = steveej-t14 - netbios name = steveej-t14 - security = user + extraConfig = '' + workgroup = ARBEITSGRUPPE + server string = steveej-t14 + netbios name = steveej-t14 + security = user - # use sendfile = yes + # use sendfile = yes - # for executables on windows - acl allow execute always = True + # for executables on windows + acl allow execute always = True - # legacy windows quirks - max protocol = NT1 - min protocol = NT1 - ntlm auth = yes + # legacy windows quirks + max protocol = NT1 + min protocol = NT1 + ntlm auth = yes - # client max protocol = SMB1 - # client min protocol = NT1 + # client max protocol = SMB1 + # client min protocol = NT1 - # note: localhost is the ipv6 localhost ::1 - hosts allow = 192.168. 127.0.0.1 localhost - hosts deny = 0.0.0.0/0 - guest account = nobody - map to guest = bad user - ''; - shares = { - voodoo = { - path = "/home/steveej/Desktop/voodoo"; - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - # "force user" = "steveej"; - # "force group" = "users"; + # note: localhost is the ipv6 localhost ::1 + hosts allow = 192.168. 
127.0.0.1 localhost + hosts deny = 0.0.0.0/0 + guest account = nobody + map to guest = bad user + ''; + shares = { + voodoo = { + path = "/home/steveej/Desktop/voodoo"; + browseable = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + # "force user" = "steveej"; + # "force group" = "users"; + }; }; }; - }; - }) + } + ) ]; } diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix index bcb5e94..d7e6d28 100644 --- a/nix/os/devices/steveej-t14/default.nix +++ b/nix/os/devices/steveej-t14/default.nix @@ -4,26 +4,24 @@ repoFlakeWithSystem, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = nodeName; deployment.replaceUnknownProfiles = false; deployment.allowLocalDeployment = true; - imports = [ - (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - ]; + imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; }; } diff --git a/nix/os/devices/steveej-t14/flake.nix b/nix/os/devices/steveej-t14/flake.nix index d2a549b..504ce45 100644 --- a/nix/os/devices/steveej-t14/flake.nix +++ b/nix/os/devices/steveej-t14/flake.nix @@ -12,5 +12,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index 1b905e0..a76e451 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix 
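Review bot: The reindented samba `extraConfig` still pins the server to SMB1 with `max protocol = NT1` / `min protocol = NT1` and enables `ntlm auth = yes`, so every client on the allowed 192.168.0.0/16 (`hosts allow = 192.168.` is a /16 prefix, not one subnet) negotiates a dialect with no transport encryption and may fall back to NTLMv1 challenge-response, which is offline-crackable; the "legacy windows quirks" comment does not say which client needs this. Unless a specific SMB1-only client is still in use I would drop the `ntlm auth` line and replace the two protocol lines with `server min protocol = SMB2_02`, or at minimum document the client that forces NT1 and when the exception can be removed. `securityType = "user"` and the `security = user` line inside extraConfig set the same option twice; one of them can go. The `imports` list this inline module lives in starts above the hunk.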
@@ -1,5 +1,7 @@ -{lib, ...}: let -in { +{ lib, ... }: +let +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; @@ -66,16 +68,56 @@ in { enable = false; levels = [ # ["level auto" 0 60] - [0 0 60] - [1 60 65] - [1 65 75] - [2 75 78] - [3 78 80] - [4 80 82] - [5 82 84] - [6 84 86] - [7 86 88] - ["level full-speed" 88 999] + [ + 0 + 0 + 60 + ] + [ + 1 + 60 + 65 + ] + [ + 1 + 65 + 75 + ] + [ + 2 + 75 + 78 + ] + [ + 3 + 78 + 80 + ] + [ + 4 + 80 + 82 + ] + [ + 5 + 82 + 84 + ] + [ + 6 + 84 + 86 + ] + [ + 7 + 86 + 88 + ] + [ + "level full-speed" + 88 + 999 + ] ]; extraArgs = [ diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix index 0cc3c04..7cf98a0 100644 --- a/nix/os/devices/steveej-t14/pkg.nix +++ b/nix/os/devices/steveej-t14/pkg.nix @@ -4,11 +4,10 @@ repoFlake, nodeFlake, ... -}: { +}: +{ system.stateVersion = "23.05"; - home-manager.users.root = _: { - home.stateVersion = "22.05"; - }; + home-manager.users.root = _: { home.stateVersion = "22.05"; }; home-manager.users.steveej = _: { home.stateVersion = "22.05"; imports = [ @@ -21,10 +20,9 @@ }) ]; - home.sessionVariables = {}; + home.sessionVariables = { }; - home.packages = with pkgs; [ - ]; + home.packages = with pkgs; [ ]; }; # TODO: fix the following errors with regreet 
@@ -38,26 +36,28 @@ # # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. - services.greetd = let - # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" - swayConfig = pkgs.writeText "greetd-sway-config" '' - # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. - exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" - bindsym Mod4+shift+e exec swaynag \ - -t warning \ - -m 'What do you want to do?' \ - -b 'Poweroff' 'systemctl poweroff' \ - -b 'Reboot' 'systemctl reboot' - ''; - in { - enable = false; - settings = { - vt = 1; - default_session = { - command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; + services.greetd = + let + # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" + swayConfig = pkgs.writeText "greetd-sway-config" '' + # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. + exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" + bindsym Mod4+shift+e exec swaynag \ + -t warning \ + -m 'What do you want to do?' \ + -b 'Poweroff' 'systemctl poweroff' \ + -b 'Reboot' 'systemctl reboot' + ''; + in + { + enable = false; + settings = { + vt = 1; + default_session = { + command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; + }; }; }; - }; environment.etc."greetd/environments".text = '' sway diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index 04fb60a..a551d45 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -5,7 +5,8 @@ nodeName, repoFlake, ... -}: let +}: +let localTcpPorts = [ 22 
@@ -21,12 +22,11 @@ 22000 21027 ]; -in { +in +{ nix.settings = { - substituters = [ - ]; - trusted-public-keys = [ - ]; + substituters = [ ]; + trusted-public-keys = [ ]; }; nix.distributedBuilds = true; @@ -39,7 +39,8 @@ in { system = "x86_64-linux"; maxJobs = 32; speedFactor = 100; - supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features ++ []; + supportedFeatures = + repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features ++ [ ]; } { @@ -50,16 +51,16 @@ in { system = "aarch64-linux"; maxJobs = 32; speedFactor = 100; - supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ []; + supportedFeatures = + repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [ ]; } ]; networking.networkmanager.enable = true; - networking.extraHosts = '' - ''; + networking.extraHosts = ''''; - networking.bridges."virbr1".interfaces = []; + networking.bridges."virbr1".interfaces = [ ]; networking.interfaces."virbr1".ipv4.addresses = [ { address = "10.254.254.254"; @@ -92,7 +93,9 @@ in { # virtualization virtualisation = { - libvirtd = {enable = true;}; + libvirtd = { + enable = true; + }; virtualbox.host = { enable = false; @@ -110,13 +113,11 @@ in { # client min protocol = NT1 ''; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = lib.mkForce ["amdgpu"]; + services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; hardware.ledger.enable = true; - boot.binfmt.emulatedSystems = [ - "aarch64-linux" - ]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; } diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index 6068f93..dc9102b 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix 
@@ -3,17 +3,19 @@ pkgs, lib, ... -}: let +}: +let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; -in { + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ users.users.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; }; - nix.settings.trusted-users = ["steveej"]; + nix.settings.trusted-users = [ "steveej" ]; security.pam.u2f.enable = true; security.pam.services.steveej.u2fAuth = true; diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix index 06cc7d1..2770114 100644 --- a/nix/os/devices/steveej-utilitepro/configuration.nix +++ b/nix/os/devices/steveej-utilitepro/configuration.nix @@ -1,13 +1,11 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ - config, - pkgs, - ... -}: let +{ config, pkgs, ... }: +let passwords = import ../common/passwords.crypt.nix; -in { +in +{ # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "16.03"; nix.maxJobs = 4; @@ -19,13 +17,14 @@ in { ''; nixpkgs.config = { - packageOverrides = super: let - self = super.pkgs; - in { - linux_4_1 = super.linux_4_1.override { - kernelPatches = - super.linux_4_1.kernelPatches - ++ [ + packageOverrides = + super: + let + self = super.pkgs; + in + { + linux_4_1 = super.linux_4_1.override { + kernelPatches = super.linux_4_1.kernelPatches ++ [ { patch = ./patches/utilitepro-kernel-dts.patch; name = "utilitepro-dts"; 
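Review bot: `nix.settings.trusted-users = [ "steveej" ]` is root-equivalent: a trusted user can override any daemon setting per build (extra `substituters`, `trusted-public-keys`, `sandbox = false`) and import unsigned store paths, so a compromised `steveej` session can inject arbitrary content into the system closure. The account this file actually provisions with SSH keys and the sops-backed `hashedPasswordFile` is `steveej2`, so `steveej` is presumably defined elsewhere; a comment recording why it needs daemon trust would help, e.g. `# root-equivalent: needed to push unsigned local builds; revisit if signing is set up`. If the requirement is only local building, `nix.settings.allowed-users` is sufficient and far less dangerous. The `let` header of this module is inside the hunk but the `users.users.steveej2` block is the only user it defines.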
@@ -35,188 +34,188 @@ in { name = "utilitepro-dts-Makefile"; } ]; - # add "CONFIG_PPP_FILTER y" option to the set of kernel options - extraConfig = '' - BTRFS_FS y - BTRFS_FS_POSIX_ACL y - FUSE_FS y - OVERLAY_FS y + # add "CONFIG_PPP_FILTER y" option to the set of kernel options + extraConfig = '' + BTRFS_FS y + BTRFS_FS_POSIX_ACL y + FUSE_FS y + OVERLAY_FS y - BLK_DEV_DM y - DM_THIN_PROVISIONING y + BLK_DEV_DM y + DM_THIN_PROVISIONING y - NAMESPACES y - NET_NS y - PID_NS y - IPC_NS y - UTS_NS y - DEVPTS_MULTIPLE_INSTANCES y - CGROUPS y - CGROUP_CPUACCT y - CGROUP_DEVICE y - CGROUP_FREEZER y - CGROUP_SCHED y - CPUSETS y - MEMCG y - POSIX_MQUEUE y + NAMESPACES y + NET_NS y + PID_NS y + IPC_NS y + UTS_NS y + DEVPTS_MULTIPLE_INSTANCES y + CGROUPS y + CGROUP_CPUACCT y + CGROUP_DEVICE y + CGROUP_FREEZER y + CGROUP_SCHED y + CPUSETS y + MEMCG y + POSIX_MQUEUE y - MACVLAN m - VETH m - BRIDGE m + MACVLAN m + VETH m + BRIDGE m - NF_TABLES m - NETFILTER y - NETFILTER_ADVANCED y - NF_NAT_IPV4 m - IP_NF_FILTER m - IP_NF_TARGET_MASQUERADE m - NETFILTER_XT_MATCH_ADDRTYPE m - NETFILTER_XT_MATCH_CONNTRACK m - NF_NAT m - NF_NAT_NEEDED m - BRIDGE_NETFILTER m - NETFILTER_INGRESS y - NETFILTER_NETLINK m - NETFILTER_NETLINK_ACCT m - NETFILTER_NETLINK_QUEUE m - NETFILTER_NETLINK_LOG m - NETFILTER_SYNPROXY m - NETFILTER_XTABLES m - NETFILTER_XT_MARK m - NETFILTER_XT_CONNMARK m - NETFILTER_XT_SET m - NETFILTER_XT_TARGET_AUDIT m - NETFILTER_XT_TARGET_CHECKSUM m - NETFILTER_XT_TARGET_CLASSIFY m - NETFILTER_XT_TARGET_CONNMARK m - NETFILTER_XT_TARGET_CONNSECMARK m - NETFILTER_XT_TARGET_CT m - NETFILTER_XT_TARGET_DSCP m - NETFILTER_XT_TARGET_HL m - NETFILTER_XT_TARGET_HMARK m - NETFILTER_XT_TARGET_IDLETIMER m - NETFILTER_XT_TARGET_LED m - NETFILTER_XT_TARGET_LOG m - NETFILTER_XT_TARGET_MARK m - NETFILTER_XT_NAT m - NETFILTER_XT_TARGET_NETMAP m - NETFILTER_XT_TARGET_NFLOG m - NETFILTER_XT_TARGET_NFQUEUE m - NETFILTER_XT_TARGET_NOTRACK m - NETFILTER_XT_TARGET_RATEEST m - 
NETFILTER_XT_TARGET_REDIRECT m - NETFILTER_XT_TARGET_TEE m - NETFILTER_XT_TARGET_TPROXY m - NETFILTER_XT_TARGET_TRACE m - NETFILTER_XT_TARGET_SECMARK m - NETFILTER_XT_TARGET_TCPMSS m - NETFILTER_XT_TARGET_TCPOPTSTRIP m - NETFILTER_XT_MATCH_ADDRTYPE m - NETFILTER_XT_MATCH_BPF m - NETFILTER_XT_MATCH_CGROUP m - NETFILTER_XT_MATCH_CLUSTER m - NETFILTER_XT_MATCH_COMMENT m - NETFILTER_XT_MATCH_CONNBYTES m - NETFILTER_XT_MATCH_CONNLABEL m - NETFILTER_XT_MATCH_CONNLIMIT m - NETFILTER_XT_MATCH_CONNMARK m - NETFILTER_XT_MATCH_CONNTRACK m - NETFILTER_XT_MATCH_CPU m - NETFILTER_XT_MATCH_DCCP m - NETFILTER_XT_MATCH_DEVGROUP m - NETFILTER_XT_MATCH_DSCP m - NETFILTER_XT_MATCH_ECN m - NETFILTER_XT_MATCH_ESP m - NETFILTER_XT_MATCH_HASHLIMIT m - NETFILTER_XT_MATCH_HELPER m - NETFILTER_XT_MATCH_HL m - NETFILTER_XT_MATCH_IPCOMP m - NETFILTER_XT_MATCH_IPRANGE m - NETFILTER_XT_MATCH_IPVS m - NETFILTER_XT_MATCH_L2TP m - NETFILTER_XT_MATCH_LENGTH m - NETFILTER_XT_MATCH_LIMIT m - NETFILTER_XT_MATCH_MAC m - NETFILTER_XT_MATCH_MARK m - NETFILTER_XT_MATCH_MULTIPORT m - NETFILTER_XT_MATCH_NFACCT m - NETFILTER_XT_MATCH_OSF m - NETFILTER_XT_MATCH_OWNER m - NETFILTER_XT_MATCH_POLICY m - NETFILTER_XT_MATCH_PHYSDEV m - NETFILTER_XT_MATCH_PKTTYPE m - NETFILTER_XT_MATCH_QUOTA m - NETFILTER_XT_MATCH_RATEEST m - NETFILTER_XT_MATCH_REALM m - NETFILTER_XT_MATCH_RECENT m - NETFILTER_XT_MATCH_SCTP m - NETFILTER_XT_MATCH_SOCKET m - NETFILTER_XT_MATCH_STATE m - NETFILTER_XT_MATCH_STATISTIC m - NETFILTER_XT_MATCH_STRING m - NETFILTER_XT_MATCH_TCPMSS m - NETFILTER_XT_MATCH_TIME m - NETFILTER_XT_MATCH_U32 m + NF_TABLES m + NETFILTER y + NETFILTER_ADVANCED y + NF_NAT_IPV4 m + IP_NF_FILTER m + IP_NF_TARGET_MASQUERADE m + NETFILTER_XT_MATCH_ADDRTYPE m + NETFILTER_XT_MATCH_CONNTRACK m + NF_NAT m + NF_NAT_NEEDED m + BRIDGE_NETFILTER m + NETFILTER_INGRESS y + NETFILTER_NETLINK m + NETFILTER_NETLINK_ACCT m + NETFILTER_NETLINK_QUEUE m + NETFILTER_NETLINK_LOG m + NETFILTER_SYNPROXY m + NETFILTER_XTABLES m + 
NETFILTER_XT_MARK m + NETFILTER_XT_CONNMARK m + NETFILTER_XT_SET m + NETFILTER_XT_TARGET_AUDIT m + NETFILTER_XT_TARGET_CHECKSUM m + NETFILTER_XT_TARGET_CLASSIFY m + NETFILTER_XT_TARGET_CONNMARK m + NETFILTER_XT_TARGET_CONNSECMARK m + NETFILTER_XT_TARGET_CT m + NETFILTER_XT_TARGET_DSCP m + NETFILTER_XT_TARGET_HL m + NETFILTER_XT_TARGET_HMARK m + NETFILTER_XT_TARGET_IDLETIMER m + NETFILTER_XT_TARGET_LED m + NETFILTER_XT_TARGET_LOG m + NETFILTER_XT_TARGET_MARK m + NETFILTER_XT_NAT m + NETFILTER_XT_TARGET_NETMAP m + NETFILTER_XT_TARGET_NFLOG m + NETFILTER_XT_TARGET_NFQUEUE m + NETFILTER_XT_TARGET_NOTRACK m + NETFILTER_XT_TARGET_RATEEST m + NETFILTER_XT_TARGET_REDIRECT m + NETFILTER_XT_TARGET_TEE m + NETFILTER_XT_TARGET_TPROXY m + NETFILTER_XT_TARGET_TRACE m + NETFILTER_XT_TARGET_SECMARK m + NETFILTER_XT_TARGET_TCPMSS m + NETFILTER_XT_TARGET_TCPOPTSTRIP m + NETFILTER_XT_MATCH_ADDRTYPE m + NETFILTER_XT_MATCH_BPF m + NETFILTER_XT_MATCH_CGROUP m + NETFILTER_XT_MATCH_CLUSTER m + NETFILTER_XT_MATCH_COMMENT m + NETFILTER_XT_MATCH_CONNBYTES m + NETFILTER_XT_MATCH_CONNLABEL m + NETFILTER_XT_MATCH_CONNLIMIT m + NETFILTER_XT_MATCH_CONNMARK m + NETFILTER_XT_MATCH_CONNTRACK m + NETFILTER_XT_MATCH_CPU m + NETFILTER_XT_MATCH_DCCP m + NETFILTER_XT_MATCH_DEVGROUP m + NETFILTER_XT_MATCH_DSCP m + NETFILTER_XT_MATCH_ECN m + NETFILTER_XT_MATCH_ESP m + NETFILTER_XT_MATCH_HASHLIMIT m + NETFILTER_XT_MATCH_HELPER m + NETFILTER_XT_MATCH_HL m + NETFILTER_XT_MATCH_IPCOMP m + NETFILTER_XT_MATCH_IPRANGE m + NETFILTER_XT_MATCH_IPVS m + NETFILTER_XT_MATCH_L2TP m + NETFILTER_XT_MATCH_LENGTH m + NETFILTER_XT_MATCH_LIMIT m + NETFILTER_XT_MATCH_MAC m + NETFILTER_XT_MATCH_MARK m + NETFILTER_XT_MATCH_MULTIPORT m + NETFILTER_XT_MATCH_NFACCT m + NETFILTER_XT_MATCH_OSF m + NETFILTER_XT_MATCH_OWNER m + NETFILTER_XT_MATCH_POLICY m + NETFILTER_XT_MATCH_PHYSDEV m + NETFILTER_XT_MATCH_PKTTYPE m + NETFILTER_XT_MATCH_QUOTA m + NETFILTER_XT_MATCH_RATEEST m + NETFILTER_XT_MATCH_REALM m + NETFILTER_XT_MATCH_RECENT m + 
NETFILTER_XT_MATCH_SCTP m + NETFILTER_XT_MATCH_SOCKET m + NETFILTER_XT_MATCH_STATE m + NETFILTER_XT_MATCH_STATISTIC m + NETFILTER_XT_MATCH_STRING m + NETFILTER_XT_MATCH_TCPMSS m + NETFILTER_XT_MATCH_TIME m + NETFILTER_XT_MATCH_U32 m - MEMCG_KMEM y - MEMCG_SWAP y - MEMCG_SWAP_ENABLED y - BLK_CGROUP y - IOSCHED_CFQ y - BLK_DEV_THROTTLING y - CGROUP_PERF y - CGROUP_HUGETLB y - NET_CLS_CGROUP y - CGROUP_NET_PRIO y - CFS_BANDWIDTH y - FAIR_GROUP_SCHED y - RT_GROUP_SCHED y - EXT3_FS y - EXT3_FS_XATTR y - EXT3_FS_POSIX_ACL y - EXT3_FS_SECURITY y + MEMCG_KMEM y + MEMCG_SWAP y + MEMCG_SWAP_ENABLED y + BLK_CGROUP y + IOSCHED_CFQ y + BLK_DEV_THROTTLING y + CGROUP_PERF y + CGROUP_HUGETLB y + NET_CLS_CGROUP y + CGROUP_NET_PRIO y + CFS_BANDWIDTH y + FAIR_GROUP_SCHED y + RT_GROUP_SCHED y + EXT3_FS y + EXT3_FS_XATTR y + EXT3_FS_POSIX_ACL y + EXT3_FS_SECURITY y - PPP_FILTER y - HAVE_IMX_ANATOP y - HAVE_IMX_GPC y - HAVE_IMX_MMDC y - HAVE_IMX_SRC y - SOC_IMX6 y - SOC_IMX6Q y - SOC_IMX6SL y - PCI_IMX6 y - ARM_IMX6Q_CPUFREQ y - IMX_WEIM y - AHCI_IMX y - SERIAL_IMX y - SERIAL_IMX_CONSOLE y - I2C_IMX y - SPI_IMX y - PINCTRL_IMX y - PINCTRL_IMX6Q y - PINCTRL_IMX6SL y - POWER_RESET_IMX y - IMX_THERMAL y - IMX2_WDT y - IMX_IPUV3_CORE y - DRM_IMX y - DRM_IMX_FB_HELPER y - DRM_IMX_PARALLEL_DISPLAY y - DRM_IMX_TVE y - DRM_IMX_LDB y - DRM_IMX_IPUV3 y - DRM_IMX_HDMI y - MMC_SDHCI_ESDHC_IMX y - IMX_SDMA y - PWM_IMX y - DEBUG_IMX6Q_UART y + PPP_FILTER y + HAVE_IMX_ANATOP y + HAVE_IMX_GPC y + HAVE_IMX_MMDC y + HAVE_IMX_SRC y + SOC_IMX6 y + SOC_IMX6Q y + SOC_IMX6SL y + PCI_IMX6 y + ARM_IMX6Q_CPUFREQ y + IMX_WEIM y + AHCI_IMX y + SERIAL_IMX y + SERIAL_IMX_CONSOLE y + I2C_IMX y + SPI_IMX y + PINCTRL_IMX y + PINCTRL_IMX6Q y + PINCTRL_IMX6SL y + POWER_RESET_IMX y + IMX_THERMAL y + IMX2_WDT y + IMX_IPUV3_CORE y + DRM_IMX y + DRM_IMX_FB_HELPER y + DRM_IMX_PARALLEL_DISPLAY y + DRM_IMX_TVE y + DRM_IMX_LDB y + DRM_IMX_IPUV3 y + DRM_IMX_HDMI y + MMC_SDHCI_ESDHC_IMX y + IMX_SDMA y + PWM_IMX y + 
DEBUG_IMX6Q_UART y - ''; + ''; + }; + # pkgs.linux_4_2 = "/nix/store/jc1h6mcc6sq420q2i572qba4b0xzw4gm-linux-4.3-armv7l-unknown-linux-gnueabi"; }; - # pkgs.linux_4_2 = "/nix/store/jc1h6mcc6sq420q2i572qba4b0xzw4gm-linux-4.3-armv7l-unknown-linux-gnueabi"; - }; allowUnfree = true; }; @@ -279,7 +278,10 @@ in { uid = 1000; isNormalUser = true; home = "/home/steveej"; - extraGroups = ["wheel" "libvirtd"]; + extraGroups = [ + "wheel" + "libvirtd" + ]; # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.steveej; openssh.authorizedKeys.keys = [ diff --git a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix index a325b30..0bbf318 100644 --- a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix +++ b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix @@ -6,12 +6,13 @@ lib, pkgs, ... -}: { - imports = []; +}: +{ + imports = [ ]; - boot.initrd.availableKernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; + boot.initrd.availableKernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; hardware.enableAllFirmware = true; @@ -24,5 +25,5 @@ device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66"; }; - swapDevices = []; + swapDevices = [ ]; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix index 9aec1e2..518fc1b 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix @@ -8,7 +8,8 @@ localDomainName, system, ... -}: { +}: +{ nixos-x13s = { enable = true; # TODO: use hardware address @@ -41,8 +42,8 @@ echo $? ) ''; - requiredBy = ["bluetooth.service"]; - before = ["bluetooth.service"]; + requiredBy = [ "bluetooth.service" ]; + before = [ "bluetooth.service" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; 
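Review bot: `hashedPassword = passwords.users.steveej;` is evaluated from a Nix file at build time, and NixOS serialises every `users.users` entry into a store-resident users/groups spec, so this hash ends up in the world-readable Nix store for any local user (or any cache this closure is pushed to) to crack offline; the existing `# FIXME` mentions only the deprecation. This repository already has the safer pattern in `steveej-t14/user.nix` (`hashedPasswordFile = config.sops.secrets.<name>.path`), so I would either migrate to it or make the comment explicit: `# FIXME: hashedPassword lands in the nix store; move to hashedPasswordFile via sops or retire this device`. The reformatted `extraGroups` also grants `libvirtd`, which on a system libvirt socket lets the user attach host devices and files to VMs and is effectively root-equivalent alongside `wheel`; a one-line note would make that intentional. The `users.users.steveej` attribute set this hunk edits begins above the hunk.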
@@ -103,20 +104,15 @@ ]; system.stateVersion = "23.11"; - home-manager.users.root = _: { - home.stateVersion = "23.11"; - }; + home-manager.users.root = _: { home.stateVersion = "23.11"; }; home-manager.users.steveej = _: { home.stateVersion = "23.11"; - imports = [ - ../../../home-manager/configuration/graphical-fullblown.nix - ]; + imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; - home.sessionVariables = {}; + home.sessionVariables = { }; - home.packages = with pkgs; [ - ]; + home.packages = with pkgs; [ ]; # TODO: currently unsupported services.gammastep.enable = lib.mkForce false; @@ -127,7 +123,7 @@ loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = lib.mkForce false; loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = ["wwan"]; + blacklistedKernelModules = [ "wwan" ]; initrd.kernelModules = [ "uas" @@ -153,7 +149,8 @@ "firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware; "firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware; "firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; + "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = + nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; }; }; diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix index fa66cf4..2ba48d2 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/default.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/default.nix 
@@ -6,21 +6,23 @@ nodeFlake, localDomainName ? "internal", ... -}: { +}: +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system; + inherit + repoFlake + nodeName + nodeFlake + system + ; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; @@ -29,8 +31,6 @@ # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - imports = [ - (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - ]; + imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; }; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix index e56b0d1..2eb097a 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/disko.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/disko.nix @@ -14,9 +14,7 @@ type = "filesystem"; format = "vfat"; mountpoint = "/boot"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; luks = { @@ -24,7 +22,7 @@ content = { type = "luks"; name = "x13s-usb-crypt"; - extraOpenArgs = []; + extraOpenArgs = [ ]; # disable settings.keyFile if you want to use interactive password entry #passwordFile = "/tmp/secret.key"; # Interactive settings = { 
@@ -36,19 +34,28 @@ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; content = { type = "btrfs"; - extraArgs = ["-f"]; + extraArgs = [ "-f" ]; subvolumes = { "/root" = { mountpoint = "/"; - mountOptions = ["compress=zstd" "noatime"]; + mountOptions = [ + "compress=zstd" + "noatime" + ]; }; "/home" = { mountpoint = "/home"; - mountOptions = ["compress=zstd" "noatime"]; + mountOptions = [ + "compress=zstd" + "noatime" + ]; }; "/nix" = { mountpoint = "/nix"; - mountOptions = ["compress=zstd" "noatime"]; + mountOptions = [ + "compress=zstd" + "noatime" + ]; }; "/swap" = { mountpoint = "/.swapvol"; diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix index bcc82bb..39a915e 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix 
@@ -22,71 +22,68 @@ nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { - self, - get-flake, - nixpkgs, - ... - }: let - system = "aarch64-linux"; - buildPlatform = "x86_64-linux"; - repoFlake = get-flake ../../../..; - in { - lib = { - mkNixosConfiguration = { - nodeName, - extraModules ? [], - ... - } @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + system = "aarch64-linux"; + buildPlatform = "x86_64-linux"; + repoFlake = get-flake ../../../..; + in + { + lib = { + mkNixosConfiguration = { - specialArgs = - (import ./default.nix { - inherit system; - inherit nodeName repoFlake; + nodeName, + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + inherit system; + inherit nodeName repoFlake; - nodeFlake = self; - }) - .meta - .nodeSpecialArgs - .${nodeName}; + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; - modules = - [ + modules = [ # repoFlake.nixosModules.hardware-x13s - ] - ++ extraModules; - } - ); - }; - - nixosConfigurations = let - nodeName = "steveej-x13s-rmvbl"; - in { - native = self.lib.mkNixosConfiguration { - inherit system nodeName; - extraModules = [ - ./configuration.nix - - { - users.commonUsers.installPassword = "install"; - } - ]; + ] ++ extraModules; + } + ); }; - cross = self.lib.mkNixosConfiguration { - inherit nodeName; - extraModules = [ - ./configuration.nix + nixosConfigurations = + let + nodeName = "steveej-x13s-rmvbl"; + in + { + native = self.lib.mkNixosConfiguration { + inherit system nodeName; + extraModules = [ + ./configuration.nix - { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = system; - } - ]; - }; + { users.commonUsers.installPassword = "install"; } + ]; + }; + + cross = self.lib.mkNixosConfiguration { + inherit nodeName; + extraModules = [ + ./configuration.nix + + { + 
nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = system; + } + ]; + }; + }; }; - }; } diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index 831f1f0..cd508db 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix @@ -9,8 +9,9 @@ system, packages', ... -}: { - nixpkgs.overlays = [nodeFlake.overlays.default]; +}: +{ + nixpkgs.overlays = [ nodeFlake.overlays.default ]; nixos-x13s = { enable = true; @@ -23,7 +24,7 @@ # printint and autodiscovery of printers services.printing.enable = true; - services.printing.drivers = [pkgs.hplip]; + services.printing.drivers = [ pkgs.hplip ]; services.avahi = { enable = true; nssmdns4 = true; @@ -57,8 +58,8 @@ echo $? ) ''; - requiredBy = ["bluetooth.service"]; - before = ["bluetooth.service"]; + requiredBy = [ "bluetooth.service" ]; + before = [ "bluetooth.service" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -98,7 +99,7 @@ enableNonRoot = true; }; - sops.secrets.builder-private-key = {}; + sops.secrets.builder-private-key = { }; nix.distributedBuilds = true; nix.buildMachines = [ # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=/run/secrets/builder-private-key' @@ -107,9 +108,7 @@ sshUser = "nix-remote-builder"; sshKey = config.sops.secrets.builder-private-key.path; protocol = "ssh-ng"; - systems = [ - "x86_64-linux" - ]; + systems = [ "x86_64-linux" ]; supportedFeatures = [ "big-parallel" "kvm" @@ -123,9 +122,7 @@ sshUser = "nix-remote-builder"; sshKey = config.sops.secrets.builder-private-key.path; protocol = "ssh-ng"; - systems = [ - "aarch64-linux" - ]; + systems = [ "aarch64-linux" ]; supportedFeatures = [ "big-parallel" "kvm" 
@@ -154,24 +151,27 @@ } # TODO: create syncthing os snippet - (let - tcp = [22000]; - udp = [ - 22000 - 21027 - ]; - in { - # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` - networking.firewall.interfaces."en+".allowedTCPPorts = tcp; - networking.firewall.interfaces."en+".allowedUDPPorts = udp; - networking.firewall.interfaces."wl+".allowedTCPPorts = tcp; - networking.firewall.interfaces."wl+".allowedUDPPorts = udp; + ( + let + tcp = [ 22000 ]; + udp = [ + 22000 + 21027 + ]; + in + { + # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` + networking.firewall.interfaces."en+".allowedTCPPorts = tcp; + networking.firewall.interfaces."en+".allowedUDPPorts = udp; + networking.firewall.interfaces."wl+".allowedTCPPorts = tcp; + networking.firewall.interfaces."wl+".allowedUDPPorts = udp; - networking.firewall.allowedTCPPorts = [ - # iperf3 - 5201 - ]; - }) + networking.firewall.allowedTCPPorts = [ + # iperf3 + 5201 + ]; + } + ) ../../snippets/home-manager-with-zsh.nix ../../snippets/sway-desktop.nix @@ -201,22 +201,17 @@ ]; system.stateVersion = "23.11"; - home-manager.users.root = _: { - home.stateVersion = "23.11"; - }; + home-manager.users.root = _: { home.stateVersion = "23.11"; }; home-manager.users.steveej = _: { home.stateVersion = "23.11"; - imports = [ - ../../../home-manager/configuration/graphical-fullblown.nix - ]; + imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; - nixpkgs.overlays = [nodeFlake.overlays.default]; + nixpkgs.overlays = [ nodeFlake.overlays.default ]; - home.sessionVariables = {}; + home.sessionVariables = { }; - home.packages = with pkgs; [ - ]; + home.packages = with pkgs; [ ]; # TODO(upstream): currently unsupported on x13s services.gammastep.enable = true; 
@@ -228,7 +223,7 @@ loader.efi.canTouchEfiVariables = lib.mkForce false; loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = ["wwan"]; + blacklistedKernelModules = [ "wwan" ]; }; hardware.firmware = lib.mkBefore [ @@ -258,9 +253,7 @@ autostart = false; }; - services.udev.packages = [ - pkgs.android-udev-rules - ]; + services.udev.packages = [ pkgs.android-udev-rules ]; programs.adb.enable = true; nix.settings.sandbox = lib.mkForce "relaxed"; diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix index e6d8ece..bb170b2 100644 --- a/nix/os/devices/steveej-x13s/default.nix +++ b/nix/os/devices/steveej-x13s/default.nix @@ -6,21 +6,23 @@ nodeFlake, localDomainName ? "internal", ... -}: { +}: +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system; + inherit + repoFlake + nodeName + nodeFlake + system + ; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; @@ -29,8 +31,6 @@ # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - imports = [ - ./configuration.nix - ]; + imports = [ ./configuration.nix ]; }; } diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix index 89f6dd8..40b2118 100644 --- a/nix/os/devices/steveej-x13s/disko.nix +++ b/nix/os/devices/steveej-x13s/disko.nix @@ -15,9 +15,7 @@ type = "filesystem"; format = "vfat"; mountpoint = "/boot"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; luks = { 
@@ -25,7 +23,7 @@ content = { type = "luks"; name = "x13s-nvme-crypt"; - extraOpenArgs = []; + extraOpenArgs = [ ]; # disable settings.keyFile if you want to use interactive password entry #passwordFile = "/tmp/secret.key"; # Interactive settings = { @@ -37,19 +35,28 @@ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; content = { type = "btrfs"; - extraArgs = ["-f"]; + extraArgs = [ "-f" ]; subvolumes = { "/root" = { mountpoint = "/"; - mountOptions = ["compress=zstd" "noatime"]; + mountOptions = [ + "compress=zstd" + "noatime" + ]; }; "/home" = { mountpoint = "/home"; - mountOptions = ["compress=zstd" "noatime"]; + mountOptions = [ + "compress=zstd" + "noatime" + ]; }; "/nix" = { mountpoint = "/nix"; - mountOptions = ["compress=zstd" "noatime"]; + mountOptions = [ + "compress=zstd" + "noatime" + ]; }; "/swap" = { mountpoint = "/.swapvol"; diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix index 09b27a1..f809c1e 100644 --- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s/flake.nix 
@@ -14,16 +14,15 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nixos-x13s.url = - "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump" - # 6.11.0 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490" - # 6.12.0-rc6 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee" - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630" - #"/home/steveej/src/others/nixos-x13s" - # - ; + nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump" + # 6.11.0 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490" + # 6.12.0-rc6 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee" + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630" + #"/home/steveej/src/others/nixos-x13s" + # + ; # nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s?ref=refs/tags/2024-02-28"; # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s"; 
@@ -39,127 +38,125 @@ }; }; - outputs = { - self, - get-flake, - nixpkgs, - ... - }: let - nativeSystem = "aarch64-linux"; - nodeName = "steveej-x13s"; + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + nativeSystem = "aarch64-linux"; + nodeName = "steveej-x13s"; - repoFlake = get-flake ../../../..; + repoFlake = get-flake ../../../..; - mkNixosConfiguration = {extraModules ? [], ...} @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs + mkNixosConfiguration = { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; - inherit repoFlake; - repoFlakeWithSystem = repoFlake.lib.withSystem; - nodeFlake = self; - }) - .meta - .nodeSpecialArgs - .${nodeName}; + inherit repoFlake; + repoFlakeWithSystem = repoFlake.lib.withSystem; + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; - modules = - [ + modules = [ ./configuration.nix # flake registry - { - nix.registry.nixpkgs.flake = nixpkgs; - } - ] - ++ extraModules; - } - ); - in { - lib = { - inherit mkNixosConfiguration; - }; - - overlays.libcamera = final: previous: let - webkitgtkPreConfigure = '' - export NIX_BUILD_CORES="$((NIX_BUILD_CORES > 2 ? 
2 : NIX_BUILD_CORES))" - export NUMBER_OF_PROCESSORS="$NIX_BUILD_CORES" - ''; - in { - wireplumber = previous.wireplumber.overrideAttrs (_: { - version = "git"; - src = previous.fetchFromGitLab { - domain = "gitlab.freedesktop.org"; - owner = "pipewire"; - repo = "wireplumber"; - rev = "71f868233792f10848644319dbdc97a4f147d554"; - hash = "sha256-VX3OFsBK9AbISm/XTx8p05ak+z/VcKXfUXhB9aI9ev8="; - }; - }); - - libcamera = previous.libcamera.overrideAttrs (_: { - postFixup = '' - ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so - ''; - }); - - libcamera-qcam = previous.libcamera-qcam.overrideAttrs (_: { - postFixup = '' - ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so - ''; - }); - - webkitgtk = previous.webkitgtk.overrideAttrs (attrs: { - preConfigure = - attrs.preConfigure + webkitgtkPreConfigure; - }); - - webkitgtk_4_1 = previous.webkitgtk_4_1.overrideAttrs (attrs: { - preConfigure = - attrs.preConfigure + webkitgtkPreConfigure; - }); - - webkitgtk_6_0 = previous.webkitgtk_6_0.overrideAttrs (attrs: { - preConfigure = - attrs.preConfigure + webkitgtkPreConfigure; - }); - }; - - overlays.default = final: previous: let - inherit (previous.stdenv) system; - pkgsUnstable = import self.inputs.nixpkgs-unstable.outPath { - inherit system; - overlays = [self.overlays.libcamera]; - }; - in { - inherit pkgsUnstable; - inherit - (pkgsUnstable) - libcamera - webkitgtk - webkitgtk_4_1 - webkitgtk_6_0 - ; - }; - - nixosConfigurations = { - native = mkNixosConfiguration { - system = nativeSystem; - }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; + { nix.registry.nixpkgs.flake = nixpkgs; } + ] ++ extraModules; } - ]; + ); + in + { + lib = { + inherit mkNixosConfiguration; + }; + + overlays.libcamera = + final: previous: + let + webkitgtkPreConfigure = '' + export NIX_BUILD_CORES="$((NIX_BUILD_CORES > 2 ? 
2 : NIX_BUILD_CORES))" + export NUMBER_OF_PROCESSORS="$NIX_BUILD_CORES" + ''; + in + { + wireplumber = previous.wireplumber.overrideAttrs (_: { + version = "git"; + src = previous.fetchFromGitLab { + domain = "gitlab.freedesktop.org"; + owner = "pipewire"; + repo = "wireplumber"; + rev = "71f868233792f10848644319dbdc97a4f147d554"; + hash = "sha256-VX3OFsBK9AbISm/XTx8p05ak+z/VcKXfUXhB9aI9ev8="; + }; + }); + + libcamera = previous.libcamera.overrideAttrs (_: { + postFixup = '' + ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so + ''; + }); + + libcamera-qcam = previous.libcamera-qcam.overrideAttrs (_: { + postFixup = '' + ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so + ''; + }); + + webkitgtk = previous.webkitgtk.overrideAttrs (attrs: { + preConfigure = attrs.preConfigure + webkitgtkPreConfigure; + }); + + webkitgtk_4_1 = previous.webkitgtk_4_1.overrideAttrs (attrs: { + preConfigure = attrs.preConfigure + webkitgtkPreConfigure; + }); + + webkitgtk_6_0 = previous.webkitgtk_6_0.overrideAttrs (attrs: { + preConfigure = attrs.preConfigure + webkitgtkPreConfigure; + }); + }; + + overlays.default = + final: previous: + let + inherit (previous.stdenv) system; + pkgsUnstable = import self.inputs.nixpkgs-unstable.outPath { + inherit system; + overlays = [ self.overlays.libcamera ]; + }; + in + { + inherit pkgsUnstable; + inherit (pkgsUnstable) + libcamera + webkitgtk + webkitgtk_4_1 + webkitgtk_6_0 + ; + }; + + nixosConfigurations = { + native = mkNixosConfiguration { system = nativeSystem; }; + + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; + } + ]; + }; }; }; - }; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/boot.nix b/nix/os/devices/vmd102066.contaboserver.net/boot.nix index 5713789..ed21f9c 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/boot.nix 
+++ b/nix/os/devices/vmd102066.contaboserver.net/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix index 28a63fb..b29548c 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix @@ -1,5 +1,6 @@ -{...}: { - disabledModules = []; +{ ... }: +{ + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/vmd102066.contaboserver.net/default.nix b/nix/os/devices/vmd102066.contaboserver.net/default.nix index db025f1..958331e 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/default.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/default.nix @@ -1,17 +1,17 @@ -{repoFlake, ...}: let +{ repoFlake, ... }: +let nodeName = "vmd102066.contaboserver.net"; system = "x86_64-linux"; nodeFlake = repoFlake.inputs.get-flake ./.; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.nix b/nix/os/devices/vmd102066.contaboserver.net/flake.nix index d432f24..0547466 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/flake.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } 
diff --git a/nix/os/devices/vmd102066.contaboserver.net/hw.nix b/nix/os/devices/vmd102066.contaboserver.net/hw.nix index e09b10e..9f1ce04 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/hw.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/hw.nix @@ -1,4 +1,5 @@ -{...}: let +{ ... }: +let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -11,7 +12,8 @@ "virtio" "scsi_mod" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix index 96cfc55..e0c96b0 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix @@ -3,7 +3,8 @@ pkgs, lib, ... -}: { +}: +{ home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; @@ -12,7 +13,12 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; maxJobs = 4; } ]; @@ -22,7 +28,7 @@ hydraURL = "http://localhost:3000"; # externally visible URL notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines - buildMachinesFiles = []; + buildMachinesFiles = [ ]; # you will probably also want, otherwise *everything* will be built from scratch useSubstitutes = true; }; @@ -30,7 +36,13 @@ services.gitlab-runner = { enable = false; - extraPackages = with pkgs; [bash gitlab-runner nix gitFull git-crypt]; + extraPackages = with pkgs; [ + bash + gitlab-runner + nix + gitFull + git-crypt + ]; concurrent = 2; checkInterval = 0; 
@@ -39,7 +51,7 @@ executor = "shell"; runUntagged = true; registrationConfigFile = "/etc/secrets/gitlab-runner/nix-runner.registration"; - tagList = ["nix"]; + tagList = [ "nix" ]; }; }; }; diff --git a/nix/os/devices/vmd102066.contaboserver.net/system.nix b/nix/os/devices/vmd102066.contaboserver.net/system.nix index 45c6b0c..f3ee31c 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/system.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/system.nix @@ -4,10 +4,12 @@ config, nodeName, ... -}: let +}: +let keys = import ../../../variables/keys.nix; passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -37,7 +39,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; @@ -45,7 +47,9 @@ in { # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = {docker.enable = true;}; + virtualisation = { + docker.enable = true; + }; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; @@ -53,7 +57,7 @@ in { systemd.services."sshd-status" = { enable = true; description = "sshd-status service"; - path = [pkgs.systemd]; + path = [ pkgs.systemd ]; script = '' systemctl status sshd | grep -i tasks ''; @@ -73,11 +77,13 @@ in { # }; # }; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; boot.initrd.network = { enable = true; - udhcpc.extraArgs = ["-x hostname:${config.networking.hostName}"]; + udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; ssh = { enable = true; @@ -104,7 +110,12 @@ in { inherit config; hostAddress = "192.168.100.16"; localAddress = "192.168.100.17"; - subvolumes = ["mailserver" "webserver" "backup" "syncthing"]; + subvolumes = [ + "mailserver" + "webserver" + "backup" + "syncthing" + ]; }; bkpTarget = import ../../containers/backup-target.nix { 
diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 03bf5e7..e8a0933 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix @@ -1,10 +1,10 @@ -{ - lib, - config, -}: let +{ lib, config }: +let keys = import ../../variables/keys.nix; -in { - mkUser = args: +in +{ + mkUser = + args: lib.mkMerge [ { isNormalUser = true; @@ -45,7 +45,7 @@ in { # LVM doesn't allow most characters in VG names # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+] - volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId; + volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId; # This is important at install-time bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId; @@ -56,15 +56,11 @@ in { # Cannot use the disk ID here because might be different at install vs. runtime. # Example: MMC card which is used in the internal reader vs. USB reader - bootFsDevice = diskId: - "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); - bootLuksDevice = diskId: - "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); + bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); + bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); luksName = diskId: (volumeGroup diskId) + "pv"; luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId); - lvmPv = diskId: encrypted: - if encrypted == true - then luksPhysicalVolume diskId - else bootLuksDevice diskId; + lvmPv = + diskId: encrypted: if encrypted == true then luksPhysicalVolume diskId else bootLuksDevice diskId; }; } diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix index 893620a..f9685e2 100644 --- a/nix/os/modules/ddclient-hetzner.nix +++ b/nix/os/modules/ddclient-hetzner.nix 
@@ -1,14 +1,12 @@ -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.services.ddclient-hetzner; -in { +in +{ options.services.ddclient-hetzner = with lib; { enable = mkEnableOption "Enable ddclient-hetzner"; - zone = mkOption {type = types.str;}; - domains = mkOption {type = types.listOf types.str;}; - passwordFile = mkOption {type = types.path;}; + zone = mkOption { type = types.str; }; + domains = mkOption { type = types.listOf types.str; }; + passwordFile = mkOption { type = types.path; }; }; } diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index 9b0321d..260cd86 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix @@ -1,12 +1,10 @@ -{ - lib, - config, - ... -}: let +{ lib, config, ... }: +let cfg = config.services.ddclientovh; -in { +in +{ options.services.ddclientovh = with lib; { enable = mkEnableOption "Enable ddclient-ovh"; - domain = mkOption {type = types.str;}; + domain = mkOption { type = types.str; }; }; } diff --git a/nix/os/modules/initrd-network.nix b/nix/os/modules/initrd-network.nix index e517d62..4ca89cf 100644 --- a/nix/os/modules/initrd-network.nix +++ b/nix/os/modules/initrd-network.nix @@ -4,7 +4,8 @@ pkgs, ... }: -with lib; let +with lib; +let cfg = config.boot.initrd.network; udhcpcScript = pkgs.writeScript "udhcp-script" '' @@ -25,7 +26,8 @@ with lib; let ''; udhcpcArgs = toString cfg.udhcpc.extraArgs; -in { +in +{ options = { boot.initrd.network.enable = mkOption { type = types.bool; @@ -46,7 +48,7 @@ in { }; boot.initrd.network.udhcpc.extraArgs = mkOption { - default = []; + default = [ ]; type = types.listOf types.str; description = '' Additional command-line arguments passed verbatim to udhcpc if 
@@ -74,9 +76,9 @@ in { }; config = mkIf cfg.enable { - warnings = ["Enabled SSH for stage1"]; + warnings = [ "Enabled SSH for stage1" ]; - boot.initrd.kernelModules = ["af_packet"]; + boot.initrd.kernelModules = [ "af_packet" ]; boot.initrd.extraUtilsCommands = '' copy_bin_and_libs ${pkgs.mkinitcpio-nfs-utils}/bin/ipconfig diff --git a/nix/os/modules/natrouter.nix b/nix/os/modules/natrouter.nix index 62af2a8..ed2c3bd 100644 --- a/nix/os/modules/natrouter.nix +++ b/nix/os/modules/natrouter.nix @@ -1,9 +1,6 @@ +{ lib, config, ... }: +with lib; { - lib, - config, - ... -}: -with lib; { # TODO # Provide a NAT/DHCP Router # diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix index dbe449b..db2bbbf 100644 --- a/nix/os/modules/opinionatedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix @@ -4,18 +4,17 @@ pkgs, ... }: -with lib; let +with lib; +let cfg = config.hardware.opinionatedDisk; - ownLib = pkgs.callPackage ../lib/default.nix {}; + ownLib = pkgs.callPackage ../lib/default.nix { }; - earlyDiskId = cfg: - if cfg.earlyDiskIdOverride != "" - then cfg.earlyDiskIdOverride - else cfg.diskId; -in { + earlyDiskId = cfg: if cfg.earlyDiskIdOverride != "" then cfg.earlyDiskIdOverride else cfg.diskId; +in +{ options.hardware.opinionatedDisk = { enable = mkEnableOption "Enable opinionated filesystem layout"; - diskId = mkOption {type = types.str;}; + diskId = mkOption { type = types.str; }; encrypted = mkOption { default = true; type = types.bool; 
@@ -36,31 +35,30 @@ in {
 fileSystems."/" = {
 device = ownLib.disk.rootFsDevice cfg.diskId;
 fsType = "btrfs";
- options = ["subvol=nixos"];
+ options = [ "subvol=nixos" ];
 };
 fileSystems."/home" = {
 device = ownLib.disk.rootFsDevice cfg.diskId;
 fsType = "btrfs";
- options = ["subvol=home"];
+ options = [ "subvol=home" ];
 };
- swapDevices = [{device = ownLib.disk.swapFsDevice cfg.diskId;}];
+ swapDevices = [ { device = ownLib.disk.swapFsDevice cfg.diskId; } ];
 boot.loader.grub = {
 device = ownLib.disk.bootGrubDevice (earlyDiskId cfg);
 enableCryptodisk = cfg.encrypted;
 };
- boot.initrd.luks.devices =
- lib.optionalAttrs cfg.encrypted
- (builtins.listToAttrs [
+ boot.initrd.luks.devices = lib.optionalAttrs cfg.encrypted (
+ builtins.listToAttrs [
 {
- name = let
- splitstring =
- builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId);
- lastelem = (builtins.length splitstring) - 1;
- in
+ name =
+ let
+ splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId);
+ lastelem = (builtins.length splitstring) - 1;
+ in
 builtins.elemAt splitstring lastelem;
 value = {
 device = ownLib.disk.bootLuksDevice cfg.diskId;
@@ -69,6 +67,7 @@ in {
 allowDiscards = true;
 };
 }
- ]);
+ ]
+ );
 };
 }
diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix
index 7c1f786..9a404e5 100644
--- a/nix/os/profiles/common/configuration.nix
+++ b/nix/os/profiles/common/configuration.nix
@@ -6,7 +6,8 @@
 repoFlakeInputs',
 packages',
 ...
-}: {
+}:
+{
 imports = [
 repoFlake.inputs.sops-nix.nixosModules.sops
@@ -30,7 +31,10 @@
 boot.tmp.useTmpfs = true;
 # Workaround for nm-pptp to enforce module load
- boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"];
+ boot.kernelModules = [
+ "nf_conntrack_proto_gre"
+ "nf_conntrack_pptp"
+ ];
 nixpkgs.config = {
 allowBroken = false;
diff --git a/nix/os/profiles/common/hw.nix b/nix/os/profiles/common/hw.nix
index 80bdc31..7e5fb14 100644
--- a/nix/os/profiles/common/hw.nix
+++ b/nix/os/profiles/common/hw.nix
@@ -1,5 +1,13 @@
-{...}: {
+{ ... }:
+{
 hardware.trackpoint.emulateWheel = true;
- boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "cryptd"];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usb_storage"
+ "sd_mod"
+ "rtsx_pci_sdmmc"
+ "cryptd"
+ ];
 }
diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix
index f576a28..f38e9aa 100644
--- a/nix/os/profiles/common/system.nix
+++ b/nix/os/profiles/common/system.nix
@@ -4,7 +4,8 @@
 lib,
 nodeName,
 ...
-}: {
+}:
+{
 networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname.
 networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2;
@@ -15,11 +16,13 @@
 '';
 # Fonts, I18N, Date ...
- fonts.packages = [pkgs.corefonts];
+ fonts.packages = [ pkgs.corefonts ];
 console.font = "lat9w-16";
- i18n = {defaultLocale = "en_US.UTF-8";};
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ };
 time.timeZone = "Etc/UTC";
 services.gpm.enable = true;
diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix
index 27b7427..6c799c9 100644
--- a/nix/os/profiles/common/user.nix
+++ b/nix/os/profiles/common/user.nix
@@ -3,7 +3,8 @@
 pkgs,
 lib,
 ...
-}: let
+}:
+let
 keys = import ../../../variables/keys.nix;
 inherit (import ../../lib/default.nix {
@@ -16,7 +17,8 @@
 inherit (lib) types;
 cfg = config.users.commonUsers;
-in {
+in
+{
 options.users.commonUsers = {
 enable = lib.mkOption {
 default = true;
@@ -39,57 +41,53 @@ in {
 type = types.str;
 };
 };
- config = lib.mkIf cfg.enable (lib.mkMerge [
- (lib.mkIf (cfg.installPassword == "") {
- sops.secrets.sharedUsers-root = {
- sopsFile = ../../../../secrets/shared-users.yaml;
- neededForUsers = true;
- format = "yaml";
- };
+ config = lib.mkIf cfg.enable (
+ lib.mkMerge [
+ (lib.mkIf (cfg.installPassword == "") {
+ sops.secrets.sharedUsers-root = {
+ sopsFile = ../../../../secrets/shared-users.yaml;
+ neededForUsers = true;
+ format = "yaml";
+ };
- sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot {
- sopsFile = ../../../../secrets/shared-users.yaml;
- neededForUsers = true;
- format = "yaml";
- };
+ sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot {
+ sopsFile = ../../../../secrets/shared-users.yaml;
+ neededForUsers = true;
+ format = "yaml";
+ };
- sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot {
- sopsFile = ../../../../secrets/shared-users.yaml;
- # neededForUsers = true;
- format = "yaml";
- };
- })
+ sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot {
+ sopsFile = ../../../../secrets/shared-users.yaml;
+ # neededForUsers = true;
+ format = "yaml";
+ };
+ })
- {
- users.mutableUsers = cfg.installPassword != "";
+ {
+ users.mutableUsers = cfg.installPassword != "";
- users.users.root = lib.mkMerge [
- {
- openssh.authorizedKeys.keys = keys.users.steveej.openssh;
- }
+ users.users.root = lib.mkMerge [
+ { openssh.authorizedKeys.keys = keys.users.steveej.openssh; }
- (lib.mkIf (cfg.installPassword != "") {
- password = cfg.installPassword;
- })
+ (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; })
- (lib.mkIf (cfg.installPassword == "") {
- hashedPasswordFile = cfg.rootPasswordFile;
- })
- ];
+ (lib.mkIf (cfg.installPassword == "") { hashedPasswordFile = cfg.rootPasswordFile; })
+ ];
- users.users.steveej = lib.mkIf cfg.enableNonRoot (mkUser (lib.mkMerge [
- {
- uid = 1000;
- }
+ users.users.steveej = lib.mkIf cfg.enableNonRoot (
+ mkUser (
+ lib.mkMerge [
+ { uid = 1000; }
- (lib.mkIf (cfg.installPassword != "") {
- password = cfg.installPassword;
- })
+ (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; })
- (lib.mkIf (cfg.installPassword == "") {
- hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path;
- })
- ]));
- }
- ]);
+ (lib.mkIf (cfg.installPassword == "") {
+ hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path;
+ })
+ ]
+ )
+ );
+ }
+ ]
+ );
 }
diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix
index 28ebb64..40fd3f4 100644
--- a/nix/os/profiles/containers/configuration.nix
+++ b/nix/os/profiles/containers/configuration.nix
@@ -3,26 +3,23 @@
 pkgs,
 lib,
 ...
-}: {
+}:
+{
 networking.useHostResolvConf = false;
 networking.firewall.enable = true;
 networking.nftables.enable = true;
 networking.nftables.flushRuleset = true;
- networking.nameservers = lib.mkForce [hostAddress];
+ networking.nameservers = lib.mkForce [ hostAddress ];
- environment.systemPackages = [
- pkgs.dnsutils
- ];
+ environment.systemPackages = [ pkgs.dnsutils ];
 imports = [
 {
 # keep DNS set up to a minimum: only query the container host
 services.resolved.enable = lib.mkForce false;
- networking.nameservers = [
- hostAddress
- ];
+ networking.nameservers = [ hostAddress ];
 }
 ../../snippets/nix-settings.nix
 # ../../modules/ddclient-ovh.nix
diff --git a/nix/os/profiles/graphical-gnome-xorg.nix b/nix/os/profiles/graphical-gnome-xorg.nix
index bfd4036..a13dd07 100644
--- a/nix/os/profiles/graphical-gnome-xorg.nix
+++ b/nix/os/profiles/graphical-gnome-xorg.nix
@@ -1,8 +1,5 @@
+{ pkgs, lib, ... }:
 {
- pkgs,
- lib,
- ...
-}: {
 services.xserver = {
 enable = true;
 libinput.enable = true;
@@ -98,8 +95,11 @@
 support32Bit = true;
 };
- services.dbus.packages = with pkgs; [dconf];
+ services.dbus.packages = with pkgs; [ dconf ];
 # More Services
- environment.systemPackages = [pkgs.gnome.adwaita-icon-theme pkgs.gnomeExtensions.appindicator];
+ environment.systemPackages = [
+ pkgs.gnome.adwaita-icon-theme
+ pkgs.gnomeExtensions.appindicator
+ ];
 }
diff --git a/nix/os/profiles/graphical/boot.nix b/nix/os/profiles/graphical/boot.nix
index 91b4ae9..4bf6ca4 100644
--- a/nix/os/profiles/graphical/boot.nix
+++ b/nix/os/profiles/graphical/boot.nix
@@ -1,5 +1,4 @@
-{config, ...}: {
- boot.extraModulePackages = [
- config.boot.kernelPackages.v4l2loopback
- ];
+{ config, ... }:
+{
+ boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ];
 }
diff --git a/nix/os/profiles/graphical/configuration.nix b/nix/os/profiles/graphical/configuration.nix
index b9cf53e..bc955f4 100644
--- a/nix/os/profiles/graphical/configuration.nix
+++ b/nix/os/profiles/graphical/configuration.nix
@@ -1,3 +1,8 @@
-{pkgs, ...}: {
- imports = [./boot.nix ./system.nix ./hw.nix];
+{ pkgs, ... }:
+{
+ imports = [
+ ./boot.nix
+ ./system.nix
+ ./hw.nix
+ ];
 }
diff --git a/nix/os/profiles/graphical/hw.nix b/nix/os/profiles/graphical/hw.nix
index abb1e68..76ceacf 100644
--- a/nix/os/profiles/graphical/hw.nix
+++ b/nix/os/profiles/graphical/hw.nix
@@ -1,3 +1,4 @@
-{...}: {
+{ ... }:
+{
 hardware.enableAllFirmware = true;
 }
diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix
index ce49500..28e4504 100644
--- a/nix/os/profiles/graphical/system.nix
+++ b/nix/os/profiles/graphical/system.nix
@@ -1,11 +1,6 @@
+{ pkgs, lib, ... }:
 {
- pkgs,
- lib,
- ...
-}: {
- imports = [
- ../../snippets/bluetooth.nix
- ];
+ imports = [ ../../snippets/bluetooth.nix ];
 networking.networkmanager = {
 enable = true;
@@ -26,7 +21,11 @@
 services.pcscd.enable = true;
 hardware.opengl.enable = true;
- services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules];
+ services.udev.packages = [
+ pkgs.libu2f-host
+ pkgs.yubikey-personalization
+ pkgs.android-udev-rules
+ ];
 services.udev.extraRules = ''
 # OnePlusOne
 ATTR{idVendor}=="05c6", ATTR{idProduct}=="6764", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess"
@@ -53,6 +52,9 @@
 services.printing = {
 enable = true;
- drivers = with pkgs; [mfcl3770cdwlpr mfcl3770cdwcupswrapper];
+ drivers = with pkgs; [
+ mfcl3770cdwlpr
+ mfcl3770cdwcupswrapper
+ ];
 };
 }
diff --git a/nix/os/profiles/install-medium/iso/iso.nix b/nix/os/profiles/install-medium/iso/iso.nix
index 394aece..a32f3f6 100644
--- a/nix/os/profiles/install-medium/iso/iso.nix
+++ b/nix/os/profiles/install-medium/iso/iso.nix
@@ -5,25 +5,26 @@
 pkgs,
 lib,
 ...
-}: let
+}:
+let
 nixos-init-script = ''
 #!${pkgs.stdenv.shell}
 export HOME=/root
 export PATH=${
- pkgs.lib.makeBinPath [
- config.nix.package
- pkgs.systemd
- pkgs.gnugrep
- pkgs.gnused
- config.system.build.nixos-rebuild
- config.system.build.nixos-install
- pkgs.utillinux
- pkgs.e2fsprogs
- pkgs.coreutils
- pkgs.hdparm
- ]
- }:$PATH
+ pkgs.lib.makeBinPath [
+ config.nix.package
+ pkgs.systemd
+ pkgs.gnugrep
+ pkgs.gnused
+ config.system.build.nixos-rebuild
+ config.system.build.nixos-install
+ pkgs.utillinux
+ pkgs.e2fsprogs
+ pkgs.coreutils
+ pkgs.hdparm
+ ]
+ }:$PATH
 export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels
 set -xe
@@ -61,7 +62,8 @@
 nixos-install
 reboot
 '';
-in {
+in
+{
 imports = [
@@ -70,13 +72,11 @@ in {
 # ];
- isoImage.isoName =
- lib.mkForce
- "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso";
+ isoImage.isoName = lib.mkForce "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso";
 boot.loader.timeout = lib.mkForce 0;
 boot.postBootCommands = "";
- environment.systemPackages = [];
+ environment.systemPackages = [ ];
 users.users.root = {
 openssh.authorizedKeys.keys = [
@@ -85,18 +85,18 @@ in {
 };
 services.gpm.enable = true;
- systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"];
+ systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
 systemd.services.nixos-init = {
 script = nixos-init-script;
- path = with pkgs; [];
+ path = with pkgs; [ ];
 description = "Initialize /dev/vda from configuration.nix found at /dev/vdb";
 enable = true;
- wantedBy = ["multi-user.target"];
- after = ["multi-user.target"];
- requires = ["network-online.target"];
+ wantedBy = [ "multi-user.target" ];
+ after = [ "multi-user.target" ];
+ requires = [ "network-online.target" ];
 restartIfChanged = false;
 unitConfig.X-StopOnRemoval = false;
diff --git a/nix/os/profiles/removable-medium/boot.nix b/nix/os/profiles/removable-medium/boot.nix
index e0938bd..17a1dba 100644
--- a/nix/os/profiles/removable-medium/boot.nix
+++ b/nix/os/profiles/removable-medium/boot.nix
@@ -1,5 +1,6 @@
-{lib, ...}: {
+{ lib, ... }:
+{
 boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
 boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
- boot.extraModulePackages = [];
+ boot.extraModulePackages = [ ];
 }
diff --git a/nix/os/profiles/removable-medium/configuration.nix b/nix/os/profiles/removable-medium/configuration.nix
index 95ca049..ad7def0 100644
--- a/nix/os/profiles/removable-medium/configuration.nix
+++ b/nix/os/profiles/removable-medium/configuration.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 imports = [
 ../../modules/opinionatedDisk.nix
diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix
index 17c16b0..c689541 100644
--- a/nix/os/profiles/removable-medium/hw.nix
+++ b/nix/os/profiles/removable-medium/hw.nix
@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
 hardware.opinionatedDisk.enable = true;
 hardware.enableAllFirmware = true;
 }
diff --git a/nix/os/profiles/removable-medium/pkg.nix b/nix/os/profiles/removable-medium/pkg.nix
index 5a54115..d27081f 100644
--- a/nix/os/profiles/removable-medium/pkg.nix
+++ b/nix/os/profiles/removable-medium/pkg.nix
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix {
 inherit pkgs;
 };
diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix
index 7586a85..147ebec 100644
--- a/nix/os/profiles/removable-medium/system.nix
+++ b/nix/os/profiles/removable-medium/system.nix
@@ -3,11 +3,15 @@
 lib,
 pkgs,
 ...
-}: let
-in {
+}:
+let
+in
+{
 services.illum.enable = true;
- services.printing = {enable = false;};
+ services.printing = {
+ enable = false;
+ };
 services.spice-vdagentd.enable = true;
 services.qemuGuest.enable = true;
diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix
index a4cfeca..754995f 100644
--- a/nix/os/snippets/bluetooth.nix
+++ b/nix/os/snippets/bluetooth.nix
@@ -1,10 +1,7 @@
+{ pkgs, lib, ... }:
 {
- pkgs,
- lib,
- ...
-}: {
 # required for running blueman-applet in user sessions
- services.dbus.packages = with pkgs; [blueman];
+ services.dbus.packages = with pkgs; [ blueman ];
 hardware.bluetooth.enable = true;
 services.blueman.enable = true;
 }
diff --git a/nix/os/snippets/holo-zerotier.nix b/nix/os/snippets/holo-zerotier.nix
index 8ea2be5..24abf73 100644
--- a/nix/os/snippets/holo-zerotier.nix
+++ b/nix/os/snippets/holo-zerotier.nix
@@ -1,17 +1,15 @@
-{
- config,
- lib,
- ...
-}: let
+{ config, lib, ... }:
+let
 cfg = config.steveej.holo-zerotier;
-in {
+in
+{
 options.steveej.holo-zerotier = {
 enable = lib.mkEnableOption "Enable holo-zerotier";
- autostart = lib.mkOption {default = false;};
+ autostart = lib.mkOption { default = false; };
 };
 config = {
- nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) ["zerotierone"];
+ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ];
 services.zerotierone = {
 enable = cfg.enable;
@@ -20,29 +18,31 @@ in {
 ];
 };
- systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce []);
+ systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);
 systemd.services.zerotieroneSecretNetworks = {
 enable = cfg.enable;
- requiredBy = ["zerotierone.service"];
- partOf = ["zerotierone.service"];
+ requiredBy = [ "zerotierone.service" ];
+ partOf = [ "zerotierone.service" ];
 serviceConfig.Type = "oneshot";
 serviceConfig.RemainAfterExit = true;
- script = let
- secret = config.sops.secrets.zerotieroneNetworks;
- in ''
- # include the secret's hash to trigger a restart on change
- # ${builtins.hashString "sha256" (builtins.toJSON secret)}
+ script =
+ let
+ secret = config.sops.secrets.zerotieroneNetworks;
+ in
+ ''
+ # include the secret's hash to trigger a restart on change
+ # ${builtins.hashString "sha256" (builtins.toJSON secret)}
- ${config.systemd.services.zerotierone.preStart}
+ ${config.systemd.services.zerotierone.preStart}
- rm -rf /var/lib/zerotier-one/networks.d/*.conf
- for network in `grep -v '#' ${secret.path}`; do
- touch /var/lib/zerotier-one/networks.d/''${network}.conf
- done
- '';
+ rm -rf /var/lib/zerotier-one/networks.d/*.conf
+ for network in `grep -v '#' ${secret.path}`; do
+ touch /var/lib/zerotier-one/networks.d/''${network}.conf
+ done
+ '';
 };
 sops.secrets.zerotieroneNetworks = {
diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix
index 266a125..2b4646d 100644
--- a/nix/os/snippets/home-manager-with-zsh.nix
+++ b/nix/os/snippets/home-manager-with-zsh.nix
@@ -6,7 +6,8 @@
 pkgs,
 lib,
 ...
-}: let
+}:
+let
 # TODO: make this configurable
 homeUser = "steveej";
 commonHomeImports = [
@@ -14,10 +15,9 @@
 ../../home-manager/programs/neovim.nix
 ../../home-manager/programs/zsh.nix
 ];
-in {
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
- ];
+in
+{
+ imports = [ nodeFlake.inputs.home-manager.nixosModules.home-manager ];
 # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager
 # home-manager.extraSpecialArgs = specialArgs;
@@ -34,15 +34,11 @@ in {
 home-manager.useGlobalPkgs = false;
 home-manager.useUserPackages = true;
- home-manager.users.root = _: {
- imports = commonHomeImports;
- };
+ home-manager.users.root = _: { imports = commonHomeImports; };
- home-manager.users."${homeUser}" = _: {
- imports = commonHomeImports;
- };
+ home-manager.users."${homeUser}" = _: { imports = commonHomeImports; };
 programs.zsh.enable = true;
 users.defaultUserShell = pkgs.zsh;
- environment.pathsToLink = ["/share/zsh"];
+ environment.pathsToLink = [ "/share/zsh" ];
 }
diff --git a/nix/os/snippets/k3s-w-nix-snapshotter.nix b/nix/os/snippets/k3s-w-nix-snapshotter.nix
index d6f1279..f208ba7 100644
--- a/nix/os/snippets/k3s-w-nix-snapshotter.nix
+++ b/nix/os/snippets/k3s-w-nix-snapshotter.nix
@@ -7,12 +7,14 @@
 system,
 config,
 ...
-}: let
+}:
+let
 cfg = config.steveej.k3s;
 # TODO: make this configurable
 homeUser = "steveej";
-in {
+in
+{
 options.steveej.k3s = {
 enable = lib.mkOption {
 description = "steveej's k3s distro";
@@ -22,13 +24,11 @@ in {
 };
 # (1) Import nixos module.
- imports = [
- nodeFlake.inputs.nix-snapshotter.nixosModules.default
- ];
+ imports = [ nodeFlake.inputs.nix-snapshotter.nixosModules.default ];
 config = lib.mkIf cfg.enable {
 # (2) Add overlay.
- nixpkgs.overlays = [nodeFlake.inputs.nix-snapshotter.overlays.default];
+ nixpkgs.overlays = [ nodeFlake.inputs.nix-snapshotter.overlays.default ];
 # (3) Enable service.
 virtualisation.containerd = {
diff --git a/nix/os/snippets/mycelium.nix b/nix/os/snippets/mycelium.nix
index 6d211cf..b3da3a2 100644
--- a/nix/os/snippets/mycelium.nix
+++ b/nix/os/snippets/mycelium.nix
@@ -6,11 +6,12 @@
 system,
 lib,
 ...
-}: let
+}:
+let
 cfg.autostart = false;
-in {
- imports = [
- ];
+in
+{
+ imports = [ ];
 sops.secrets.mycelium-key = {
 format = "binary";
@@ -22,14 +23,12 @@ in {
 # package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd;
 keyFile = config.sops.secrets.mycelium-key.path;
 addHostedPublicNodes = true;
- peers = [
- ];
+ peers = [ ];
 # tunName = "mycelium-pub";
- extraArgs = [
- ];
+ extraArgs = [ ];
 };
- systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce []);
+ systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);
 }
diff --git a/nix/os/snippets/nix-settings-holo-chain.nix b/nix/os/snippets/nix-settings-holo-chain.nix
index d975cea..32bdf73 100644
--- a/nix/os/snippets/nix-settings-holo-chain.nix
+++ b/nix/os/snippets/nix-settings-holo-chain.nix
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
 nix.settings = {
 substituters = [
 "https://holochain-ci.cachix.org"
diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix
index 4b7104e..947e03b 100644
--- a/nix/os/snippets/nix-settings.nix
+++ b/nix/os/snippets/nix-settings.nix
@@ -3,17 +3,17 @@
 pkgs,
 lib,
 ...
-}: let
- pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;};
-in {
+}:
+let
+ pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; };
+in
+{
 nix.daemonCPUSchedPolicy = "idle";
 nix.daemonIOSchedClass = "idle";
 nix.settings.max-jobs = lib.mkDefault "auto";
 nix.settings.cores = lib.mkDefault 0;
 nix.settings.sandbox = true;
- nix.nixPath = [
- "nixpkgs=${pkgs.path}"
- ];
+ nix.nixPath = [ "nixpkgs=${pkgs.path}" ];
 nix.settings.experimental-features = [
 "nix-command"
diff --git a/nix/os/snippets/obs-studio.nix b/nix/os/snippets/obs-studio.nix
index c46305e..8a99fcb 100644
--- a/nix/os/snippets/obs-studio.nix
+++ b/nix/os/snippets/obs-studio.nix
@@ -1,10 +1,10 @@
-{config, ...}: let
+{ config, ... }:
+let
 # TODO: make configurable
 homeUser = "steveej";
-in {
- boot.extraModulePackages = [
- config.boot.kernelPackages.v4l2loopback.out
- ];
+in
+{
+ boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ];
 # Activate kernel modules (choose from built-ins and extra ones)
 boot.kernelModules = [
@@ -23,9 +23,5 @@ in {
 security.polkit.enable = true;
- home-manager.users.${homeUser} = _: {
- imports = [
- ../../home-manager/programs/obs-studio.nix
- ];
- };
+ home-manager.users.${homeUser} = _: { imports = [ ../../home-manager/programs/obs-studio.nix ]; };
 }
diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix
index 69628bf..48cd869 100644
--- a/nix/os/snippets/radicale.nix
+++ b/nix/os/snippets/radicale.nix
@@ -4,10 +4,12 @@
 pkgs,
 repoFlakeInputs',
 ...
-}: let
+}:
+let
 # TODO: make configurable
 homeUser = "steveej";
-in {
+in
+{
 sops.secrets.radicale_htpasswd = {
 sopsFile = ../../../secrets/desktop/radicale_htpasswd;
 format = "binary";
@@ -19,11 +21,13 @@ in {
 # TODO: bump these to latest and make it work
 (
 args:
- import ../../home-manager/programs/radicale.nix (args
- // {
- osConfig = config;
- pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages;
- })
+ import ../../home-manager/programs/radicale.nix (
+ args
+ // {
+ osConfig = config;
+ pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages;
+ }
+ )
 )
 ];
 };
diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix
index f8d21b0..a40eb85 100644
--- a/nix/os/snippets/sway-desktop.nix
+++ b/nix/os/snippets/sway-desktop.nix
@@ -3,10 +3,12 @@
 lib,
 config,
 ...
-}: let
+}:
+let
 # TODO: make this configurable
 homeUser = "steveej";
-in {
+in
+{
 services.xserver.serverFlagsSection = ''
 Option "BlankTime" "0"
 Option "StandbyTime" "0"
@@ -28,7 +30,7 @@ in {
 # required by swaywm
 security.polkit.enable = true;
- security.pam.services.swaylock = {};
+ security.pam.services.swaylock = { };
 # test these on https://mozilla.github.io/webrtc-landing/gum_test.html
 xdg.portal = {
@@ -44,18 +46,20 @@ in {
 screencast = {
 chooser_type = "dmenu";
 # display the output as a list in favor of the default mouse selection
- chooser_cmd = lib.getExe (pkgs.writeShellApplication {
- name = "chooser_cmd";
- runtimeInputs = [
- pkgs.sway
- pkgs.jq
- pkgs.fuzzel
- pkgs.gnused
- ];
- text = ''
- swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//'
- '';
- });
+ chooser_cmd = lib.getExe (
+ pkgs.writeShellApplication {
+ name = "chooser_cmd";
+ runtimeInputs = [
+ pkgs.sway
+ pkgs.jq
+ pkgs.fuzzel
+ pkgs.gnused
+ ];
+ text = ''
+ swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//'
+ '';
+ }
+ );
 max_fps = 30;
 };
 };
@@ -101,8 +105,8 @@ in {
 # autologin steveej on tty1
 # TODO: make user configurable
 systemd.services."autovt@tty1".description = "Autologin at the TTY1";
- systemd.services."autovt@tty1".after = ["systemd-logind.service"]; # without it user session not started and xorg can't be run from this tty
- systemd.services."autovt@tty1".wantedBy = ["multi-user.target"];
+ systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty
+ systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ];
 systemd.services."autovt@tty1".serviceConfig = {
 ExecStart = [
 "" # override upstream default with an empty ExecStart
@@ -112,21 +116,21 @@ in {
 Type = "idle";
 };
- programs = let
- steveejSwayOnTty1 = ''
- if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then
- exec sway
- fi
- '';
- in {
- bash.loginShellInit = steveejSwayOnTty1;
- # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion
- zsh.loginShellInit = steveejSwayOnTty1;
- };
+ programs =
+ let
+ steveejSwayOnTty1 = ''
+ if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then
+ exec sway
+ fi
+ '';
+ in
+ {
+ bash.loginShellInit = steveejSwayOnTty1;
+ # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion
+ zsh.loginShellInit = steveejSwayOnTty1;
+ };
 home-manager.users."${homeUser}" = _: {
- imports = [
- ../../home-manager/profiles/sway-desktop.nix
- ];
+ imports = [ ../../home-manager/profiles/sway-desktop.nix ];
 };
 }
diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix
index 3b8c145..f7c2301 100644
--- a/nix/os/snippets/systemd-resolved.nix
+++ b/nix/os/snippets/systemd-resolved.nix
@@ -1,4 +1,5 @@
-{lib, ...}: {
+{ lib, ... }:
+{
 networking.nameservers = [
 # https://dnsforge.de/
 "176.9.93.198"
@@ -12,12 +13,12 @@
 services.resolved = {
 enable = true;
 dnssec = "true";
- domains = ["~."];
+ domains = [ "~." ];
 # TODO: figure out why "true" doesn't work
 dnsovertls = "opportunistic";
- fallbackDns = lib.mkForce [];
+ fallbackDns = lib.mkForce [ ];
 # TODO: IPv6
 # extraConfig = ''
diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix
index 25aee48..67db1e8 100644
--- a/nix/os/snippets/timezone.nix
+++ b/nix/os/snippets/timezone.nix
@@ -1,5 +1,7 @@
-{lib, ...}: let
+{ lib, ... }:
+let
 passwords = import ../../variables/passwords.crypt.nix;
-in {
+in
+{
 time.timeZone = lib.mkDefault passwords.timeZone.stefan;
 }
diff --git a/nix/pkgs/browserpass/default.nix b/nix/pkgs/browserpass/default.nix
index 5b13732..34a6977 100644
--- a/nix/pkgs/browserpass/default.nix
+++ b/nix/pkgs/browserpass/default.nix
@@ -1,27 +1,27 @@
-with import {};
- stdenv.mkDerivation rec {
- broken = true;
+with import { };
+stdenv.mkDerivation rec {
+ broken = true;
- name = "browserpass";
- version = "2.0.9";
+ name = "browserpass";
+ version = "2.0.9";
- src = fetchzip {
- url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip";
- sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw";
- stripRoot = false;
- };
+ src = fetchzip {
+ url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip";
+ sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw";
+ stripRoot = false;
+ };
- buildPhase = ":";
+ buildPhase = ":";
- libPath = lib.makeLibraryPath [];
- installPhase = ''
- set -x
- patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64
+ libPath = lib.makeLibraryPath [ ];
+ installPhase = ''
+ set -x
+ patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64
- mkdir -p $out/bin
- cp -a * $out/bin/
- # wrapProgram $out/bin/browserpass-linux64 \
- # --prefix LD_LIBRARY_PATH : "${libPath}"
- #
- '';
- }
+ mkdir -p $out/bin
+ cp -a * $out/bin/
+ # wrapProgram $out/bin/browserpass-linux64 \
+ # --prefix LD_LIBRARY_PATH : "${libPath}"
+ #
+ '';
+}
diff --git a/nix/pkgs/dcpj4110dw/default.nix b/nix/pkgs/dcpj4110dw/default.nix
index 8a4f6a6..93f59c7 100644
--- a/nix/pkgs/dcpj4110dw/default.nix
+++ b/nix/pkgs/dcpj4110dw/default.nix
@@ -16,7 +16,8 @@
 file,
 proot,
 bash,
-}: let
+}:
+let
 model = "dcpj4110dw";
 version = "3.0.1-1";
 src = fetchurl {
@@ -24,12 +25,16 @@
 sha256 = "sha256-ryKDsSkabAD2X3WLmeqjdB3+4DXdJ0qUz3O64DV+ixw=";
 };
 reldir = "opt/brother/Printers/${model}/";
-in rec {
+in
+rec {
 driver = pkgsi686Linux.stdenv.mkDerivation rec {
 inherit src version;
 name = "${model}drv-${version}";
- nativeBuildInputs = [dpkg makeWrapper];
+ nativeBuildInputs = [
+ dpkg
+ makeWrapper
+ ];
 unpackPhase = "dpkg-deb -x $src $out";
@@ -45,7 +50,18 @@ in rec {
 mv $out/${reldir}/lpd/filter${model} $out/${reldir}/lpd/.wrapped_filter${model}
 cat <<-EOF >$out/${reldir}/lpd/.wrapper_inner_filter${model}
- export PATH=\$PATH:${lib.makeBinPath [gawk file a2ps coreutils ghostscript gnugrep gnused which]}
+ export PATH=\$PATH:${
+ lib.makeBinPath [
+ gawk
+ file
+ a2ps
+ coreutils
+ ghostscript
+ gnugrep
+ gnused
+ which
+ ]
+ }
 exec $out/${reldir}/lpd/.wrapped_filter${model}
 EOF
 chmod +x $out/${reldir}/lpd/.wrapper_inner_filter${model}
@@ -64,10 +80,13 @@ in rec {
 meta = {
 description = "Brother ${lib.strings.toUpper model} driver";
 homepage = "http://www.brother.com/";
- sourceProvenance = with lib.sourceTypes; [binaryNativeCode];
+ sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
 # license = lib.licenses.unfree;
- platforms = ["x86_64-linux" "i686-linux"];
- maintainers = [lib.maintainers.steveej];
+ platforms = [
+ "x86_64-linux"
+ "i686-linux"
+ ];
+ maintainers = [ lib.maintainers.steveej ];
 };
 };
@@ -81,14 +100,29 @@ in rec {
 name = "${model}cupswrapper-${version}";
- nativeBuildInputs = [dpkg makeWrapper];
- buildInputs = [cups ghostscript a2ps gawk];
+ nativeBuildInputs = [
+ dpkg
+ makeWrapper
+ ];
+ buildInputs = [
+ cups
+ ghostscript
+ a2ps
+ gawk
+ ];
 unpackPhase = "dpkg-deb -x $src $out";
 installPhase = ''
 wrapProgram $out/${reldir}/cupswrapper/cupswrapper${model} \
- --prefix PATH : ${lib.makeBinPath [coreutils ghostscript gnugrep gnused]}
+ --prefix PATH : ${
+ lib.makeBinPath [
+ coreutils
+ ghostscript
+ gnugrep
+ gnused
+ ]
+ }
 patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
 $out/${reldir}/cupswrapper/brcupsconfpt1
@@ -100,10 +134,13 @@ in rec {
 meta = {
 description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver";
 homepage = "http://www.brother.com/";
- sourceProvenance = with lib.sourceTypes; [binaryNativeCode];
+ sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
 license = lib.licenses.gpl2;
- platforms = ["x86_64-linux" "i686-linux"];
- maintainers = [lib.maintainers.steveej];
+ platforms = [
+ "x86_64-linux"
+ "i686-linux"
+ ];
+ maintainers = [ lib.maintainers.steveej ];
 };
 };
 }
diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix
index 6f114b2..78b37a6 100644
--- a/nix/pkgs/default.nix
+++ b/nix/pkgs/default.nix
@@ -1,5 +1,6 @@
-{pkgs}: {
- duplicacy = pkgs.callPackage ../pkgs/duplicacy {};
+{ pkgs }:
+{
+ duplicacy = pkgs.callPackage ../pkgs/duplicacy { };
 staruml = pkgs.callPackage ../pkgs/staruml.nix {
 inherit (pkgs.gnome2) GConf;
 libgcrypt = pkgs.libgcrypt_1_5;
diff --git a/nix/pkgs/duplicacy/default.nix b/nix/pkgs/duplicacy/default.nix
index 7a3fc19..b961a17 100644
--- a/nix/pkgs/duplicacy/default.nix
+++ b/nix/pkgs/duplicacy/default.nix
@@ -1,7 +1,4 @@
-{
- buildGoPackage,
- fetchFromGitHub,
-}:
+{ buildGoPackage, fetchFromGitHub }:
 buildGoPackage rec {
 name = "duplicay-${version}";
 version = "2.1.2";
diff --git a/nix/pkgs/duplicacy/shell.nix b/nix/pkgs/duplicacy/shell.nix
index 051e832..045572c 100644
--- a/nix/pkgs/duplicacy/shell.nix
+++ b/nix/pkgs/duplicacy/shell.nix
@@ -1,12 +1,12 @@
-with import {};
- stdenv.mkDerivation {
- name = "env";
- buildInputs = [
- zsh
- go
- go2nix
- dep2nix
- nix-prefetch-github
- (callPackage ./default.nix {})
- ];
- }
+with import { };
+stdenv.mkDerivation {
+ name = "env";
+ buildInputs = [
+ zsh
+ go
+ go2nix
+ dep2nix
+ nix-prefetch-github
+ (callPackage ./default.nix { })
+ ];
+}
diff --git a/nix/pkgs/jay.nix b/nix/pkgs/jay.nix
index a4c2db4..9a7b0e5 100644
--- a/nix/pkgs/jay.nix
+++ b/nix/pkgs/jay.nix
@@ -31,6 +31,6 @@ rustPlatform.buildRustPackage rec {
 homepage = "https://github.com/mahkoh/jay";
 license = licenses.gpl3;
 platforms = platforms.linux;
- maintainers = with maintainers; [dit7ya];
+ maintainers = with maintainers; [ dit7ya ];
 };
 }
diff --git a/nix/pkgs/logseq/default.nix b/nix/pkgs/logseq/default.nix
index 159d03b..b8176f3 100644
--- a/nix/pkgs/logseq/default.nix
+++ b/nix/pkgs/logseq/default.nix
@@ -14,85 +14,98 @@
 nix-update-script,
 overrideSrc ? null,
 }:
-stdenv.mkDerivation (finalAttrs: let
- inherit (finalAttrs) pname version src appimageContents;
-in {
- pname = "logseq";
- version = "0.10.9";
+stdenv.mkDerivation (
+ finalAttrs:
+ let
+ inherit (finalAttrs)
+ pname
+ version
+ src
+ appimageContents
+ ;
+ in
+ {
+ pname = "logseq";
+ version = "0.10.9";
- src =
- if overrideSrc != null
- then overrideSrc
- else
- (fetchurl {
- url = "https://github.com/logseq/logseq/releases/download/${version}/logseq-linux-x64-${version}.AppImage";
- hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBe=";
- name = "${pname}-${version}.AppImage";
- });
+ src =
+ if overrideSrc != null then
+ overrideSrc
+ else
+ (fetchurl {
+ url = "https://github.com/logseq/logseq/releases/download/${version}/logseq-linux-x64-${version}.AppImage";
+ hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBe=";
+ name = "${pname}-${version}.AppImage";
+ });
- nativeBuildInputs =
- [makeWrapper]
- ++ lib.optionals stdenv.hostPlatform.isLinux [autoPatchelfHook]
- ++ lib.optionals stdenv.hostPlatform.isDarwin [unzip];
- buildInputs = [stdenv.cc.cc.lib];
+ nativeBuildInputs =
+ [ makeWrapper ]
+ ++ lib.optionals stdenv.hostPlatform.isLinux [ autoPatchelfHook ]
+ ++ lib.optionals stdenv.hostPlatform.isDarwin [ unzip ];
+ buildInputs = [ stdenv.cc.cc.lib ];
- dontUnpack = stdenv.hostPlatform.isLinux;
- dontConfigure = true;
- dontBuild = true;
+ dontUnpack = stdenv.hostPlatform.isLinux;
+ dontConfigure = true;
+ dontBuild = true;
- installPhase =
- ''
- runHook preInstall
- ''
- + lib.optionalString stdenv.hostPlatform.isLinux (
- let
- appimageContents = appimageTools.extract {inherit pname src version;};
- in ''
- mkdir -p $out/bin $out/share/logseq $out/share/applications
- cp -a ${appimageContents}/{locales,resources} $out/share/logseq
- cp -a ${appimageContents}/Logseq.desktop $out/share/applications/logseq.desktop
-
- # remove the `git` in `dugite` because we want the `git` in `nixpkgs`
- chmod +w -R $out/share/logseq/resources/app/node_modules/dugite/git
- chmod +w $out/share/logseq/resources/app/node_modules/dugite
- rm -rf $out/share/logseq/resources/app/node_modules/dugite/git
- chmod -w $out/share/logseq/resources/app/node_modules/dugite
-
- mkdir -p $out/share/pixmaps
- ln -s $out/share/logseq/resources/app/icons/logseq.png $out/share/pixmaps/logseq.png
-
- substituteInPlace $out/share/applications/logseq.desktop \
- --replace Exec=Logseq Exec=logseq \
- --replace Icon=Logseq Icon=logseq
+ installPhase = ''
- )
- + lib.optionalString stdenv.hostPlatform.isDarwin ''
- mkdir -p $out/{Applications/Logseq.app,bin}
- cp -R . $out/Applications/Logseq.app
- makeWrapper $out/Applications/Logseq.app/Contents/MacOS/Logseq $out/bin/logseq
- ''
- + ''
- runHook postInstall
+ runHook preInstall
+ ''
+ + lib.optionalString stdenv.hostPlatform.isLinux (
+ let
+ appimageContents = appimageTools.extract { inherit pname src version; };
+ in
+ ''
+ mkdir -p $out/bin $out/share/logseq $out/share/applications
+ cp -a ${appimageContents}/{locales,resources} $out/share/logseq
+ cp -a ${appimageContents}/Logseq.desktop $out/share/applications/logseq.desktop
+
+ # remove the `git` in `dugite` because we want the `git` in `nixpkgs`
+ chmod +w -R $out/share/logseq/resources/app/node_modules/dugite/git
+ chmod +w $out/share/logseq/resources/app/node_modules/dugite
+ rm -rf $out/share/logseq/resources/app/node_modules/dugite/git
+ chmod -w $out/share/logseq/resources/app/node_modules/dugite
+
+ mkdir -p $out/share/pixmaps
+ ln -s $out/share/logseq/resources/app/icons/logseq.png $out/share/pixmaps/logseq.png
+
+ substituteInPlace $out/share/applications/logseq.desktop \
+ --replace Exec=Logseq Exec=logseq \
+ --replace Icon=Logseq Icon=logseq
+ ''
+ )
+ + lib.optionalString stdenv.hostPlatform.isDarwin ''
+ mkdir -p $out/{Applications/Logseq.app,bin}
+ cp -R . $out/Applications/Logseq.app
+ makeWrapper $out/Applications/Logseq.app/Contents/MacOS/Logseq $out/bin/logseq
+ ''
+ + ''
+ runHook postInstall
+ '';
+
+ postFixup = lib.optionalString stdenv.hostPlatform.isLinux ''
+ # set the env "LOCAL_GIT_DIRECTORY" for dugite so that we can use the git in nixpkgs
+ makeWrapper ${electron_27}/bin/electron $out/bin/logseq \
+ --set "LOCAL_GIT_DIRECTORY" ${git} \
+ --add-flags $out/share/logseq/resources/app \
+ --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}"
 '';
- postFixup = lib.optionalString stdenv.hostPlatform.isLinux ''
- # set the env "LOCAL_GIT_DIRECTORY" for dugite so that we can use the git in nixpkgs
- makeWrapper ${electron_27}/bin/electron $out/bin/logseq \
- --set "LOCAL_GIT_DIRECTORY" ${git} \
- --add-flags $out/share/logseq/resources/app \
- --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}"
- '';
+ passthru.updateScript = nix-update-script { };
- passthru.updateScript = nix-update-script {};
-
- meta = {
- description = "Local-first, non-linear, outliner notebook for organizing and sharing your personal knowledge base";
- homepage = "https://github.com/logseq/logseq";
- changelog = "https://github.com/logseq/logseq/releases/tag/${version}";
- license = lib.licenses.agpl3Plus;
- sourceProvenance = with lib.sourceTypes; [binaryNativeCode];
- maintainers = with lib.maintainers; [cheeseecake];
- platforms = ["x86_64-linux" "aarch64-linux"] ++ lib.platforms.darwin;
- mainProgram = "logseq";
- };
-})
+ meta = {
+ description = "Local-first, non-linear, outliner notebook for organizing and sharing your personal knowledge base";
+ homepage = "https://github.com/logseq/logseq";
+ changelog = "https://github.com/logseq/logseq/releases/tag/${version}";
+ license = lib.licenses.agpl3Plus;
+ sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ];
+ maintainers = with lib.maintainers; [ cheeseecake ];
+ platforms = [
+ "x86_64-linux"
+ "aarch64-linux"
+ ] ++ lib.platforms.darwin;
+ mainProgram = "logseq";
+ };
+ }
+)
diff --git a/nix/pkgs/magmawm.nix b/nix/pkgs/magmawm.nix
index 2d4c335..2676b77 100644
--- a/nix/pkgs/magmawm.nix
+++ b/nix/pkgs/magmawm.nix
@@ -18,9 +18,7 @@ craneLib.buildPackage {
 pname = "magmawm";
 version = src.rev;
- nativeBuildInputs = [
- pkg-config
- ];
+ nativeBuildInputs = [ pkg-config ];
 buildInputs = [
 wayland
@@ -45,6 +43,6 @@ craneLib.buildPackage {
 homepage = "https://github.com/MagmaWM/MagmaWM";
 license = licenses.gpl3;
 platforms = platforms.linux;
- maintainers = with maintainers; [];
+ maintainers = with maintainers; [ ];
 };
 }
diff --git a/nix/pkgs/mfcl3770cdw.nix b/nix/pkgs/mfcl3770cdw.nix
index 5c04cbf..142c1c0 100644
--- a/nix/pkgs/mfcl3770cdw.nix
+++ b/nix/pkgs/mfcl3770cdw.nix
@@ -11,7 +11,8 @@
 which,
 perl,
 lib,
-}: let
+}:
+let
 model = "mfcl3770cdw";
 version = "1.0.2-0";
 src = fetchurl {
@@ -19,12 +20,16 @@
 sha256 = "09fhbzhpjymhkwxqyxzv24b06ybmajr6872yp7pri39595mhrvay";
 };
 reldir = "opt/brother/Printers/${model}/";
-in rec {
+in
+rec {
 driver = stdenv.mkDerivation rec {
 inherit src version;
 name = "${model}drv-${version}";
- nativeBuildInputs = [dpkg makeWrapper];
+ nativeBuildInputs = [
+ dpkg
+ makeWrapper
+ ];
 unpackPhase = "dpkg-deb -x $src $out";
@@ -36,8 +41,14 @@ in rec {
 --replace "PRINTER =~" "PRINTER = \"${model}\"; #"
 wrapProgram $dir/lpd/filter_${model} \
 --prefix PATH : ${
- lib.makeBinPath [coreutils ghostscript gnugrep gnused which]
- }
+ lib.makeBinPath [
+ coreutils
+ ghostscript
+ gnugrep
+ gnused
+ which
+ ]
+ }
 # need to use i686 glibc here, these are 32bit proprietary binaries
 interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2
 patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter
@@ -47,8 +58,11 @@ in rec {
 description = "Brother ${lib.strings.toUpper model} driver";
 homepage = "http://www.brother.com/";
 license = lib.licenses.unfree;
- platforms = ["x86_64-linux" "i686-linux"];
- maintainers = [lib.maintainers.steveej];
+ platforms = [
+ "x86_64-linux"
+ "i686-linux"
+ ];
+ maintainers = [ lib.maintainers.steveej ];
 };
 };
@@ -56,7 +70,10 @@ in rec {
 inherit version src;
 name = "${model}cupswrapper-${version}";
- nativeBuildInputs = [dpkg makeWrapper];
+ nativeBuildInputs = [
+ dpkg
+ makeWrapper
+ ];
 unpackPhase = "dpkg-deb -x $src $out";
@@ -68,7 +85,13 @@ in rec {
 --replace "basedir =~" "basedir = \"$basedir\"; #" \
 --replace "PRINTER =~" "PRINTER = \"${model}\"; #"
 wrapProgram $dir/cupswrapper/brother_lpdwrapper_${model} \
- --prefix PATH : ${lib.makeBinPath [coreutils gnugrep gnused]}
+ --prefix PATH : ${
+ lib.makeBinPath [
+ coreutils
+ gnugrep
+ gnused
+ ]
+ }
 mkdir -p $out/lib/cups/filter
 mkdir -p $out/share/cups/model
 ln $dir/cupswrapper/brother_lpdwrapper_${model} $out/lib/cups/filter
@@ -79,8 +102,11 @@ in rec {
 description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver";
 homepage = "http://www.brother.com/";
 license = lib.licenses.gpl2;
- platforms = ["x86_64-linux" "i686-linux"];
- maintainers = [lib.maintainers.steveej];
+ platforms = [
+ "x86_64-linux"
+ "i686-linux"
+ ];
+ maintainers = [ lib.maintainers.steveej ];
 };
 };
 }
diff --git a/nix/pkgs/nozbe/default.nix b/nix/pkgs/nozbe/default.nix
index 368add8..e5ac519 100644
--- a/nix/pkgs/nozbe/default.nix
+++ b/nix/pkgs/nozbe/default.nix
@@ -1,60 +1,60 @@
-with import {};
- stdenv.mkDerivation rec {
- name = "nozbe";
- version = "3.6.3";
+with import { };
+stdenv.mkDerivation rec {
+ name = "nozbe";
+ version = "3.6.3";
- src = fetchzip {
- url = "https://files.nozbe.com/linux/linux64_newest.tar.gz";
- sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858";
- stripRoot = false;
- };
+ src = fetchzip {
+ url = "https://files.nozbe.com/linux/linux64_newest.tar.gz";
+ sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858";
+ stripRoot = false;
+ };
- buildInputs = [makeWrapper];
+ buildInputs = [ makeWrapper ];
- buildPhase = ":";
+ buildPhase = ":";
- libPath = lib.makeLibraryPath [
- alsaLib
- atk
- cairo
- cups
- dbus
- expat
- freetype
- fontconfig
- gnome3.gconf
- gcc.cc
- gdk_pixbuf
- gtk2-x11
- glib
- pango
- nss
- nspr
- systemd.lib
- xorg.libX11
- xorg.libXcursor
- xorg.libXcomposite
- xorg.libXext
- xorg.libXfixes
- xorg.libXdamage
- xorg.libXi
- xorg.libXrandr
- xorg.libXrender
- xorg.libXtst
- xorg.libXScrnSaver
- ];
- installPhase = ''
- pushd Nozbe-${version}
- ls -lha
+ libPath = lib.makeLibraryPath [
+ alsaLib
+ atk
+ cairo
+ cups
+ dbus
+ expat
+ freetype
+ fontconfig
+ gnome3.gconf
+ gcc.cc
+ gdk_pixbuf
+ gtk2-x11
+ glib
+ pango
+ nss
+ nspr
+ systemd.lib
+ xorg.libX11
+ xorg.libXcursor
+ xorg.libXcomposite
+ xorg.libXext
+ xorg.libXfixes
+ xorg.libXdamage
+ xorg.libXi
+ xorg.libXrandr
+ xorg.libXrender
+ xorg.libXtst
+ xorg.libXScrnSaver
+ ];
+ installPhase = ''
+ pushd Nozbe-${version}
+ ls -lha
- patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe
+ patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe
- mkdir -p $out/bin
- cp -a * $out/
+ mkdir -p $out/bin
+ cp -a * $out/
- wrapProgram $out/Nozbe \
- --prefix LD_LIBRARY_PATH : "${libPath}"
+ wrapProgram $out/Nozbe \
+ --prefix LD_LIBRARY_PATH : "${libPath}"
- ln -sf ../Nozbe $out/bin/
- '';
- }
+ ln -sf ../Nozbe $out/bin/
+ '';
+}
diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix
index 4d993ba..b7ad5cb 100644
--- a/nix/pkgs/posh.nix
+++ b/nix/pkgs/posh.nix
@@ -1,42 +1,44 @@
 # posh makes use of podman to run an encapsulated shell session
-{pkgs, ...}: let
- cniConfigDir = let
- loopback = pkgs.writeText "00-loopback.conf" ''
- {
- "cniVersion": "0.3.0",
- "type": "loopback"
- }
- '';
-
- podman-bridge = pkgs.writeText "87-podman-bridge.conflist" ''
- {
+{ pkgs, ... }:
+let
+ cniConfigDir =
+ let
+ loopback = pkgs.writeText "00-loopback.conf" ''
+ {
 "cniVersion": "0.3.0",
- "name": "podman",
- "plugins": [
- {
- "type": "bridge",
- "bridge": "cni0",
- "isGateway": true,
- "ipMasq": true,
- "ipam": {
- "type": "host-local",
- "subnet": "10.88.0.0/16",
- "routes": [
- { "dst": "0.0.0.0/0" }
- ]
+ "type": "loopback"
+ }
+ '';
+
+ podman-bridge = pkgs.writeText "87-podman-bridge.conflist" ''
+ {
+ "cniVersion": "0.3.0",
+ "name": "podman",
+ "plugins": [
+ {
+ "type": "bridge",
+ "bridge": "cni0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "10.88.0.0/16",
+ "routes": [
+ { "dst": "0.0.0.0/0" }
+ ]
+ }
+ },
+ {
+ "type": "portmap",
+ "capabilities": {
+ "portMappings": true
+ }
 }
- },
- {
- "type": "portmap",
- "capabilities": {
- "portMappings": true
- }
- }
- ]
- }
- '';
- in
- pkgs.runCommand "cniConfig" {} ''
+ ]
+ }
+ '';
+ in
+ pkgs.runCommand "cniConfig" { } ''
 set -x
 mkdir $out;
 ln -s ${loopback} $out/${loopback.name}
@@ -125,54 +127,58 @@
 }
 '';
 in
- {
- image,
- pull ? "always",
- global_args ? "",
- run_args ? "",
- userns ? "keep-id",
- }:
- (pkgs.writeScriptBin "posh" ''
- #! ${pkgs.bash}/bin/bash
- source /etc/profile
+{
+ image,
+ pull ? "always",
+ global_args ? "",
+ run_args ? "",
+ userns ? "keep-id",
+}:
+(pkgs.writeScriptBin "posh" ''
+ #! ${pkgs.bash}/bin/bash
+ source /etc/profile
- test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK"
- tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q"
+ test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK"
+ tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q"
- # define these as variables so we can override them at runtime
- POSH_IMAGE=${image}
- POSH_PULL=${pull}
+ # define these as variables so we can override them at runtime
+ POSH_IMAGE=${image}
+ POSH_PULL=${pull}
- if [ "$1" == "-c" ]; then
- # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string
- shift
- # TODO parse the beginning of the command for POSH_* overrides
- fi
+ if [ "$1" == "-c" ]; then
+ # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string
+ shift
+ # TODO parse the beginning of the command for POSH_* overrides
+ fi
- test "$@" && cmd=( -c "$@")
+ test "$@" && cmd=( -c "$@")
- HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers"
- HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json"
- test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR
- ln -sf ${policy-json} $HOME_POLICY_JSON
+ HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers"
+ HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json"
+ test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR
+ ln -sf ${policy-json} $HOME_POLICY_JSON
- set -x
- exec ${pkgs.podman}/bin/podman \
- --cgroup-manager=cgroupfs \
- ${global_args} \
- run \
- --annotation=io.crun.keep_original_groups=1 \
- --config ${podmanConfig} \
- --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \
- --rm -i --network host --pull=''${POSH_PULL} \
- $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \
- ${
- if userns != null
- then "--userns=" + userns
- else ""
- } \
- ${run_args} \
- ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}"
- '')
- .overrideAttrs (attrs: attrs // {passthru = {shellPath = "/bin/posh";};})
+ set -x
+ exec ${pkgs.podman}/bin/podman \
+ --cgroup-manager=cgroupfs \
+ ${global_args} \
+ run \
+ --annotation=io.crun.keep_original_groups=1 \
+ --config ${podmanConfig} \
+ --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \
+ --rm -i --network host --pull=''${POSH_PULL} \
+ $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \
+ ${if userns != null then "--userns=" + userns else ""} \
+ ${run_args} \
+ ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}"
+'').overrideAttrs
+ (
+ attrs:
+ attrs
+ // {
+ passthru = {
+ shellPath = "/bin/posh";
+ };
+ }
+ )
diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix
index ffcc730..5e50ecf 100644
--- a/nix/pkgs/slirp4netns.nix
+++ b/nix/pkgs/slirp4netns.nix
@@ -18,7 +18,13 @@ stdenv.mkDerivation rec {
 sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4";
 };
- buildInputs = [autoconf automake libtool gnumake gcc];
+ buildInputs = [
+ autoconf
+ automake
+ libtool
+ gnumake
+ gcc
+ ];
 configurePhase = ''
 ./autogen.sh
@@ -37,7 +43,7 @@ stdenv.mkDerivation rec {
 description = "User-mode networking for unprivileged network namespaces";
 homepage = "https://github.com/rootless-containers/slirp4netns";
 license = null;
- maintainers = [maintainers.steveej];
+ maintainers = [ maintainers.steveej ];
 platforms = platforms.all;
 };
 }
diff --git a/nix/pkgs/staruml.nix b/nix/pkgs/staruml.nix
index a0e9d90..35399ad 100644
--- a/nix/pkgs/staruml.nix
+++ b/nix/pkgs/staruml.nix
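Review bot: The wrapper script still reads the misspelled variable in `test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR`, while the line above defines `HOME_CONTAINERS_CONFIGDIR`, so the check tests an empty string and `mkdir` receives an empty argument; on a fresh `$HOME` without `~/.config/containers` the following `ln -sf ${policy-json} $HOME_POLICY_JSON` then presumably fails too, and since the script never sets `-e` it carries on to `exec podman` regardless. Change the line to `test -d "$HOME_CONTAINERS_CONFIGDIR" || mkdir -p "$HOME_CONTAINERS_CONFIGDIR"`. The `ln -sf` line also deserves a comment such as `# replaces any user-managed policy.json with the store-provided signature policy`, because the symlink silently overwrites an existing per-user container policy file each time the shell starts. The `let` binding that defines `policy-json` and `podmanConfig` starts outside the hunk.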
@@ -15,7 +15,8 @@
 libgcrypt,
 dbus,
 systemd,
-}: let
+}:
+let
 inherit (stdenv) lib;
 LD_LIBRARY_PATH = lib.makeLibraryPath [
 glib
@@ -30,55 +31,56 @@
 dbus
 ];
 in
- stdenv.mkDerivation rec {
- version = "2.8.1";
- name = "staruml-${version}";
+stdenv.mkDerivation rec {
+ version = "2.8.1";
+ name = "staruml-${version}";
- src =
- if stdenv.system == "i686-linux"
- then
- fetchurl
- {
- url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb";
- sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n";
- }
- else
- fetchurl {
- url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb";
- sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0";
- };
+ src =
+ if stdenv.system == "i686-linux" then
+ fetchurl {
+ url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb";
+ sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n";
+ }
+ else
+ fetchurl {
+ url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb";
+ sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0";
+ };
- buildInputs = [dpkg];
+ buildInputs = [ dpkg ];
- nativeBuildInputs = [makeWrapper];
+ nativeBuildInputs = [ makeWrapper ];
- unpackPhase = ''
- mkdir pkg
- dpkg-deb -x $src pkg
- sourceRoot=pkg
- '';
+ unpackPhase = ''
+ mkdir pkg
+ dpkg-deb -x $src pkg
+ sourceRoot=pkg
+ '';
- installPhase = ''
- mkdir $out
- mv opt/staruml $out/bin
+ installPhase = ''
+ mkdir $out
+ mv opt/staruml $out/bin
- mkdir -p $out/lib
- ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/
- ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0
+ mkdir -p $out/lib
+ ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/
+ ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0
- for binary in StarUML Brackets-node; do
- ${patchelf}/bin/patchelf \
- --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
- $out/bin/$binary
- wrapProgram $out/bin/$binary \
- --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH}
- done
- '';
+ for binary in StarUML Brackets-node; do
+ ${patchelf}/bin/patchelf \
+ --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
+ $out/bin/$binary
+ wrapProgram $out/bin/$binary \
+ --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH}
+ done
+ '';
- meta = with stdenv.lib; {
- description = "A sophisticated software modeler";
- homepage = "http://staruml.io/";
- license = licenses.unfree;
- platforms = ["i686-linux" "x86_64-linux"];
- };
- }
+ meta = with stdenv.lib; {
+ description = "A sophisticated software modeler";
+ homepage = "http://staruml.io/";
+ license = licenses.unfree;
+ platforms = [
+ "i686-linux"
+ "x86_64-linux"
+ ];
+ };
+}
diff --git a/nix/tests/buildvmwithbootloader/build-vm.nix b/nix/tests/buildvmwithbootloader/build-vm.nix
index be819b6..62dc948 100644
--- a/nix/tests/buildvmwithbootloader/build-vm.nix
+++ b/nix/tests/buildvmwithbootloader/build-vm.nix
@@ -3,20 +3,15 @@
 vmPkgsPath,
 buildPkgsPath,
 nixosConfigPath,
-}: let
- buildPkgs = import buildPkgsPath {};
- vmPkgs' = import vmPkgsPath {};
- vmPkgs =
- vmPkgs'
- // {
- runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}";
- };
+}:
+let
+ buildPkgs = import buildPkgsPath { };
+ vmPkgs' = import vmPkgsPath { };
+ vmPkgs = vmPkgs' // {
+ runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}";
+ };
- importWithPkgs = {
- path,
- pkgs,
- }: args:
- import path (args // {inherit pkgs;});
+ importWithPkgs = { path, pkgs }: args: import path (args // { inherit pkgs; });
 nixosConfig = importWithPkgs {
 path = "${nixosConfigPath}";
@@ -36,8 +31,10 @@
 modules = [
 nixosConfig
 vmConfig
- {virtualisation.useBootLoader = true;}
+ { virtualisation.useBootLoader = true; }
 ];
- })
- .config;
-in {vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm;}
+ }).config;
+in
+{
+ vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm;
+}
diff --git a/nix/tests/buildvmwithbootloader/configuration.nix b/nix/tests/buildvmwithbootloader/configuration.nix
index 92072fe..bf197d0 100644
--- a/nix/tests/buildvmwithbootloader/configuration.nix
+++ b/nix/tests/buildvmwithbootloader/configuration.nix
@@ -1,9 +1,7 @@
+{ pkgs, lib, ... }:
+let
+in
 {
- pkgs,
- lib,
- ...
-}: let
-in {
 boot.loader.grub = {
 enable = true;
 version = 2;
@@ -22,13 +20,23 @@ in {
 allowDiscards = true;
 }
 ];
- fileSystems."/" = {label = "root";};
+ fileSystems."/" = {
+ label = "root";
+ };
- fileSystems."/boot" = {label = "boot";};
+ fileSystems."/boot" = {
+ label = "boot";
+ };
 boot.tmpOnTmpfs = true;
- boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "ahci"
+ "usb_storage"
+ "sd_mod"
+ "rtsx_pci_sdmmc"
+ ];
 users.extraUsers.root.initialPassword = lib.mkForce "toorroot";
 users.mutableUsers = false;
diff --git a/nix/tests/test-vm.nix b/nix/tests/test-vm.nix
index 55053e2..ebbdb46 100644
--- a/nix/tests/test-vm.nix
+++ b/nix/tests/test-vm.nix
@@ -4,7 +4,8 @@
 pkgs,
 fetchgit,
 ...
-}: {
+}:
+{
 boot.consoleLogLevel = 6;
 users.users.root.initialPassword = "root";
 systemd.services."serial-getty@ttyS0".enable = true;
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix
index 3edf90a..91d2eb6 100644
Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ
diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix
index 535d7d3..6d441a6 100644
--- a/nix/variables/versions.nix
+++ b/nix/variables/versions.nix
@@ -2,29 +2,28 @@ let
 nixpkgs = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-22.11";
- rev = ''
- 5b7cd5c39befee629be284970415b6eb3b0ff000'';
+ rev = ''5b7cd5c39befee629be284970415b6eb3b0ff000'';
 };
-in {
+in
+{
 inherit nixpkgs;
- nixos = nixpkgs // {suffix = "/nixos";};
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
 "channels-nixos-stable" = nixpkgs;
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-unstable";
- rev = ''
- 4bb072f0a8b267613c127684e099a70e1f6ff106'';
+ rev = ''4bb072f0a8b267613c127684e099a70e1f6ff106'';
 };
 "nixpkgs-master" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "master";
- rev = ''
- a8636efe2df64047cd58898010a72f73efd56722'';
+ rev = ''a8636efe2df64047cd58898010a72f73efd56722'';
 };
 "home-manager-module" = {
 url = "https://github.com/nix-community/home-manager";
 ref = "release-22.11";
- rev = ''
- 83110c259889230b324bb2d35bef78bf5f214a1f'';
+ rev = ''83110c259889230b324bb2d35bef78bf5f214a1f'';
 };
 }
diff --git a/nix/variables/versions.tmpl.nix b/nix/variables/versions.tmpl.nix
index e0734f1..66e90e3 100644
--- a/nix/variables/versions.tmpl.nix
+++ b/nix/variables/versions.tmpl.nix
@@ -6,9 +6,12 @@ let
 <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>'';
 };
-in {
+in
+{
 inherit nixpkgs;
- nixos = nixpkgs // {suffix = "/nixos";};
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
 "channels-nixos-stable" = nixpkgs;
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";