steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

feat: start migrating steveej-t14 and sj-vps-htz-0 to sops

Browse source
This commit is contained in:
steveej 2023-07-05 15:55:04 +02:00
parent 6587a914e4
commit b481126ae2
55 changed files with 877 additions and 452 deletions
Download patch file Download diff file Expand all files Collapse all files

7
nix/devShells.nix
View file

@ -20,6 +20,7 @@ pkgs.stdenv.mkDerivation {
nixos-install-tools
dconf2nix
inputs'.nixos-anywhere.packages.nixos-anywhere
nurl
just
git-crypt
@ -36,6 +37,12 @@ pkgs.stdenv.mkDerivation {
# packages'.aphorme_launcher
packages'.yofi
# packages'.ofi-pass
age
age-plugin-yubikey
ssh-to-age
yubico-piv-tool
inputs'.sops-nix.packages.default
sops
apacheHttpd

84
nix/home-manager/configuration/graphical-fullblown.nix
View file

@ -4,10 +4,14 @@
# these come in via home-manager.extraSpecialArgs and are specific to each node
nodeFlake,
packages',
repoFlake,
# repoFlakeInputs',
...
}: let
pkgsMaster = nodeFlake.inputs.nixpkgs-master.${pkgs.system};
pkgsUnstableSmall = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system};
pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system};
# pkgs2211 = repoFlakeInputs'.nixpkgs-2211.legacyPackages;
in {
imports = [
../profiles/common.nix
@ -22,6 +26,7 @@ in {
../programs/redshift.nix
../programs/gpg-agent.nix
# ../programs/espanso.nix
../programs/firefox.nix
../programs/chromium.nix
@ -31,18 +36,16 @@ in {
../programs/pass.nix
../programs/vscode
# TODO: broken since nixos-23.05
# ../programs/radicale.nix
# ../programs/espanso.nix
# TODO: bump these to 23.05 and make it work
(args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;}))
# (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;}))
];
home.sessionVariables.HM_CONFIG = "graphical-fullblown";
home.sessionVariables.GOPATH = "$HOME/src/go";
home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
# required by logseq as of 2023-05-24
nixpkgs.config.permittedInsecurePackages = [
"electron-20.3.11"
];
home.packages =
@ -89,8 +92,9 @@ in {
yubikey-personalization
yubikey-personalization-gui
# gnome.gnome-keyring
gcr gnome.seahorse
# gnome.gnome-keyring
gcr
gnome.seahorse
# Language Support
hunspellDicts.en-us
@ -110,6 +114,59 @@ in {
# FIXME: depends on insecure openssl 1.1.1t
# kotatogram-desktop
tdesktop
(let
version = "6.20.0-beta.1";
in
pkgsUnstableSmall.signal-desktop-beta.overrideAttrs (old: {
inherit version;
src = builtins.fetchurl {
url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb";
sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a";
};
preFixup =
old.preFixup
+ ''
gappsWrapperArgs+=(
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}"
--add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
)
'';
}))
# --add-flags "--enable-features=UseOzonePlatform"
# --add-flags "--ozone-platform=wayland"
(pkgsUnstableSmall.session-desktop.overrideAttrs (old: {
nativeBuildInputs =
old.nativeBuildInputs
++ [
pkgs.wrapGAppsHook
];
preFixup =
(old.preFixup or "")
+ ''
gappsWrapperArgs+=(
--add-flags "--enable-features=UseOzonePlatform"
--add-flags "--ozone-platform=wayland"
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}"
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=WaylandWindowDecorations}}"
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
)
'';
}))
#(pkgsUnstableSmall.session-desktop.overrideAttrs(old: {
# nativeBuildInputs = old.nativeBuildInputs ++ [
# pkgs.wrapGAppsHook
# ];
#
# preFixup = (old.preFixup or "") + ''
# gappsWrapperArgs+=(
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}"
# --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}"
# )
# '';
# }))
thunderbird
# gnome.cheese
@ -129,7 +186,8 @@ in {
vlc
audacity
spotify
# youtube-dl-light
yt-dlp
(writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}")
libwebcam
# Network Tools
@ -177,9 +235,15 @@ in {
cdrtools
# Document Processing and Management
mendeley
xfce.thunar
# mendeley
evince
(logseq.override (_: {electron = pkgs.electron_20;}))
((logseq.overrideAttrs (attrs: {
version = "nightly";
src = repoFlake.inputs.logseqNightly;
})).override (_: {
electron = pkgs.electron_24;
}))
# File Synchronzation
dropbox

105
nix/home-manager/profiles/sway-desktop.nix
View file

@ -11,12 +11,11 @@
displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
in {
imports = [
../profiles/wayland-desktop.nix
../programs/waybar.nix
../programs/salut.nix
../profiles/wayland-desktop.nix
../programs/waybar.nix
../programs/salut.nix
];
# TODO: autostart
@ -44,7 +43,7 @@ in {
pkgs.gnome-icon-theme
## fonts
pkgs.dejavu_fonts # just a basic good fond
pkgs.dejavu_fonts # just a basic good fond
pkgs.font-awesome_5 # needed by i3status-rust
pkgs.nerdfonts
pkgs.font-awesome
@ -80,9 +79,10 @@ in {
wayland.windowManager.sway = {
enable = true;
systemdIntegration = true;
# systemd.enable = true;
xwayland = false;
config = let
config = let
modifier = "Mod4";
inherit (config.wayland.windowManager.sway.config) left right up down;
in {
@ -90,12 +90,14 @@ in {
bars = [];
input = {
"type:keyboard" = {
xkb_layout = config.home.keyboard.layout;
xkb_variant = config.home.keyboard.variant;
} // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) {
xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
};
"type:keyboard" =
{
xkb_layout = config.home.keyboard.layout;
xkb_variant = config.home.keyboard.variant;
}
// lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) {
xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
};
"type:touchpad" = {
natural_scroll = "enabled";
@ -105,8 +107,8 @@ in {
keybindings = lib.mkOptionDefault {
# as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
# "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
"${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel";
"${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
# only 1-9 exist on the default config
"${modifier}+0" = "workspace number 0";
"${modifier}+Shift+0" = "move container to workspace number 0";
@ -118,15 +120,15 @@ in {
# move workspace to output
"${modifier}+Control+Shift+${left}" = "move workspace to output left";
"${modifier}+Control+Shift+${right}" = "move workspace to output right";
"${modifier}+Control+Shift+${up}" = "move workspace to output up";
"${modifier}+Control+Shift+${up}" = "move workspace to output up";
"${modifier}+Control+Shift+${down}" = "move workspace to output down";
# move workspace to output with arrow keys
"${modifier}+Control+Shift+Left" = "move workspace to output left";
"${modifier}+Control+Shift+Left" = "move workspace to output left";
"${modifier}+Control+Shift+Right" = "move workspace to output right";
"${modifier}+Control+Shift+Up" = "move workspace to output up";
"${modifier}+Control+Shift+Down" = "move workspace to output down";
"${modifier}+Control+Shift+Up" = "move workspace to output up";
"${modifier}+Control+Shift+Down" = "move workspace to output down";
"${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
"${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
"${modifier}+q" = "kill";
"${modifier}+x" = "exec ${swapOutputWorkspaces}";
@ -140,20 +142,31 @@ in {
"XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
"--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
# TODO: screenshot util, flameshot doesn't work in the packaged version
"Print" = "exec ${pkgs.flameshot}/bin/flameshot gui";
"Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
};
terminal = "alacritty";
startup = [
{command = builtins.toString(pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
) &
'');
}
];
startup =
[
{
command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
) &
'');
}
]
++ lib.optionals config.services.swayidle.enable [
{
command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart swayidle
) &
'');
}
];
colors.focused = lib.mkOptionDefault {
childBorder = lib.mkForce "#ffa500";
@ -166,19 +179,37 @@ in {
services.swayidle = {
enable = true;
timeouts = [
{ timeout = 10; command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi"; resumeCommand = displayOnCmd; }
{ timeout = 60 * 5; command = lockCmd; }
{ timeout = 60 * 6; command = displayOffCmd; resumeCommand = displayOnCmd; }
{
timeout = 10;
command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi";
resumeCommand = displayOnCmd;
}
{
timeout = 60 * 5;
command = lockCmd;
}
{
timeout = 60 * 6;
command = displayOffCmd;
resumeCommand = displayOnCmd;
}
];
events = [
{ event = "before-sleep";
{
event = "before-sleep";
command = builtins.concatStringsSep "; " [
lockCmd
"${pkgs.playerctl}/bin/playerctl pause"
];
];
}
{
event = "after-resume";
command = displayOnCmd;
}
{
event = "lock";
command = lockCmd;
}
{ event = "after-resume"; command = displayOnCmd; }
{ event = "lock"; command = lockCmd; }
];
};
}

28
nix/home-manager/profiles/wayland-desktop.nix
View file

@ -54,37 +54,13 @@ in {
pavucontrol
playerctl
pasystray
qt5.qtwayland
qt6.qtwayland
# qt5.qtwayland
# qt6.qtwayland
# probably required by flameshot
# xdg-desktop-portal xdg-desktop-portal-wlr
# grim
(nixpkgs-unstable-small.signal-desktop.overrideAttrs (old: {
preFixup = old.preFixup + ''
gappsWrapperArgs+=(
--add-flags "--enable-features=UseOzonePlatform"
--add-flags "--ozone-platform=wayland"
)
'';
}))
((nixpkgs-unstable-small.session-desktop.override (old: {
inherit (nixpkgs-2211) appimageTools;
}))
.overrideAttrs(old: {
nativeBuildInputs = old.nativeBuildInputs ++ [
pkgs.wrapGAppsHook
];
preFixup = (old.preFixup or "") + ''
gappsWrapperArgs+=(
--add-flags "--enable-features=UseOzonePlatform"
--add-flags "--ozone-platform=wayland"
)
'';
}))
];
home.sessionVariables = {

7
nix/home-manager/programs/espanso.nix
View file

@ -2,10 +2,11 @@
pkgs,
config,
...
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
}: {
services.espanso = {
# package = pkgs.espanso.overrideAttrs(_: {
# # src =
# })
enable = true;
settings = {
matches = let

1
nix/home-manager/programs/firefox.nix
View file

@ -1,4 +1,5 @@
{pkgs, ...}: {
programs.librewolf = {enable = true;};
programs.firefox = {enable = true;};
programs.browserpass = {

44
nix/home-manager/programs/radicale.nix
View file

@ -1,11 +1,10 @@
{
config,
pkgs,
lib,
pkgs,
osConfig,
...
}: let
passwords = import ../../variables/passwords.crypt.nix;
libdecsync = pkgs.python3Packages.buildPythonPackage rec {
pname = "libdecsync";
version = "2.2.1";
@ -16,9 +15,8 @@
};
propagatedBuildInputs = [
pkgs.libxcrypt-legacy
# pkgs.libxcrypt-legacy
];
};
radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec {
pname = "radicale_storage_decsync";
@ -31,13 +29,13 @@
buildInputs = [
pkgs.radicale
pkgs.libxcrypt-legacy
pkgs.libxcrypt
# pkgs.libxcrypt-legacy
# pkgs.libxcrypt
];
nativeCheckInputs = [
pkgs.libxcrypt-legacy
pkgs.libxcrypt
# pkgs.libxcrypt-legacy
# pkgs.libxcrypt
];
propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools];
@ -48,18 +46,17 @@
++ [radicale-storage-decsync];
});
mkRadicaleService = { suffix, port }: let
mkRadicaleService = {
suffix,
port,
}: let
radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
[server]
hosts = localhost:${builtins.toString(port)}
hosts = localhost:${builtins.toString port}
[auth]
type = htpasswd
htpasswd_filename = ${
pkgs.writeText "radicale" ''
radicale:${passwords.users.radicale}
''
}
htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path}
htpasswd_encryption = bcrypt
[storage]
@ -77,7 +74,14 @@
Install.WantedBy = ["default.target"];
};
};
in builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [
{suffix = "personal"; port = 5232;}
{suffix = "family"; port = 5233;}
]
in
builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [
{
suffix = "personal";
port = 5232;
}
{
suffix = "family";
port = 5233;
}
]

32
nix/home-manager/programs/waybar.nix
View file

@ -1,6 +1,9 @@
{ pkgs, config, repoFlake, ... }:
{
pkgs,
config,
repoFlake,
...
}: {
home.packages = [
# required by any bar that has a tray plugin
pkgs.libappindicator-gtk3
@ -10,8 +13,9 @@
programs.waybar = {
enable = true;
package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
+ pkgs.lib.readFile ./waybar.css;
style =
pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
+ pkgs.lib.readFile ./waybar.css;
systemd.enable = true;
settings = {
mainBar = {
@ -35,12 +39,12 @@
all-outputs = false;
};
modules-center = [
modules-center = [
"sway/window"
# "custom/hello-from-waybar"
];
modules-right = [
modules-right = [
"tray"
"cpu"
@ -55,22 +59,22 @@
tray.spacing = 10;
cpu.format = " {}%";
cpu.format = " {usage}%";
memory.format = " {}%";
"temperature" = {
"temperature" = {
hwmon-path = "/sys/class/hwmon/hwmon3/temp1_input";
format = " {temperatureC} °C";
};
"custom/cputemp" = {
format = " {}";
exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'";
interval = 2;
format = " {}";
exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'";
interval = 2;
};
"custom/fan" = {
format = " {} rpm ";
exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'";
interval = 2;
format = " {} rpm ";
exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'";
interval = 2;
};
battery.format = "🔋 {}%";
pulseaudio = {

43
nix/os/containers/mailserver.nix
View file

@ -1,4 +1,5 @@
{
repoFlake,
hostAddress,
localAddress,
imapsPort ? 993,
@ -7,10 +8,34 @@
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
config = {pkgs, ...}: {
config = {
pkgs,
config,
...
}: {
system.stateVersion = "21.11"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix ../profiles/common/user.nix];
imports = [
../profiles/containers/configuration.nix
repoFlake.inputs.sops-nix.nixosModules.sops
../profiles/common/user.nix
];
# sops.defaultSopsFile = ./mailserver_secrets.yaml;
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets.email_mailStefanjunkerDe = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_schtifATwebDe = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.steveej.name;
};
sops.secrets.email_dovecot_steveej = {
sopsFile = ./mailserver_secrets.yaml;
owner = config.users.users.dovecot2.name;
};
networking.firewall.enable = false;
@ -54,9 +79,10 @@ in {
'';
};
environment.etc."dovecot/users".text = ''
steveej:${passwords.email.steveej}
'';
# environment.etc."dovecot/users".text = ''
# steveej:${passwords.email.steveej}
# '';
environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path;
systemd.services.steveej-getmail-stefanjunker = {
enable = true;
@ -79,7 +105,7 @@ in {
server = ssl0.ovh.net
port = 993
username = mail@stefanjunker.de
password = ${passwords.email.mailStefanjunkerDe}
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}")
mailboxes = ('INBOX',)
[destination]
@ -112,7 +138,7 @@ in {
server = imap.web.de
port = 993
username = schtif
password = ${passwords.email.schtifATwebDe}
password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}")
mailboxes = ('INBOX',)
[destination]
@ -128,6 +154,9 @@ in {
inherit autoStart;
bindMounts = {
"/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
"/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
"/etc/secrets/" = {
hostPath = "/var/lib/container-volumes/mailserver/etc-secrets";
isReadOnly = false;

38
nix/os/containers/mailserver_secrets.yaml Normal file
View file

@ -0,0 +1,38 @@
email_mailStefanjunkerDe: ENC[AES256_GCM,data:DsPwNMahaSKFF8mof2qGxj6cIdYZeL6uRr4=,iv:2lamFXYKrGkHey5QCXBlEODYksDuJDyW3MYpz/7qj7s=,tag:2L34qD0XSbfsl0djvgYJYw==,type:str]
email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str]
email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn
R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2
dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj
bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl
T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-02T21:16:00Z"
mac: ENC[AES256_GCM,data:bDHu/9Hz2lyzoA92yA4K9/oaO6gxDjog8OSoEduE4Q8KE6VObzkHHvMwsPR46LE74dtRy9LNEXcMTWQzJBYoaKGi+wz0IJ/wy8Japrbu0Kiwx3dIeY0mg/OvBGlsAybvbDpfSjCsxVpgg7g1jQNntejljv1WHp4zD0hKn9hdYm0=,iv:MUaGwoPaHEZQgoTHXxkhMHdTGaIgk0UYx9qwfpt4Uds=,tag:qLa2QBTFbs/BdOH8TJWVxw==,type:str]
pgp:
- created_at: "2023-07-02T20:30:30Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds
0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf
SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb
5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc
Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc
RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx
44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5
uGcEfsNiUXPngkNrh/Nvhh9w
=yHDZ
-----END PGP MESSAGE-----
fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
unencrypted_suffix: _unencrypted
version: 3.7.3

2
nix/os/devices/default.nix
View file

@ -1,7 +1,7 @@
{
dir,
pkgs ? import <channels-nixos-stable> {},
ownLib ? import ../lib/default.nix {},
ownLib ? import ../lib/default.nix {inherit (pkgs) lib;},
gitRoot ? "$(git rev-parse --show-toplevel)",
# FIXME: why do these need explicit mentioning?
moreargs ? "",

2
nix/os/devices/elias-e525/default.nix
View file

@ -1,4 +1,4 @@
{repoFlake}: let
{repoFlake, ...}: let
nodeName = "elias-e525";
system = "x86_64-linux";

3
nix/os/devices/elias-e525/user.nix
View file

@ -1,11 +1,12 @@
{
config,
pkgs,
lib,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
users.extraUsers.elias = mkUser {
uid = 1001;

2
nix/os/devices/fwhost2/user.nix
View file

@ -5,7 +5,7 @@
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
# users.extraUsers.steveej2 = mkUser {
# uid = 1001;

2
nix/os/devices/justyna-p300/default.nix
View file

@ -1,4 +1,4 @@
{repoFlake}: let
{repoFlake, ...}: let
nodeName = "justyna-p300";
# system = "i686-linux";
system = "x86_64-linux";

2
nix/os/devices/justyna-p300/user.nix
View file

@ -5,7 +5,7 @@
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
users.extraUsers.elias = mkUser {
uid = 1001;

36
nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.nix
View file

@ -1,36 +0,0 @@
let
nixpkgs = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-22.11";
rev = ''
a7cc81913bb3cd1ef05ed0ece048b773e1839e51'';
};
in {
inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable";
rev = ''
c707238dc262923da5a53a5a11914117caac07a2'';
};
"channels-nixos-unstable-small" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable-small";
rev = ''
09c509a5075931382582dee69f3e44bf1535c092'';
};
"nixpkgs-master" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = ''
3d57138bd9abe31bae25704cebaab7527010cc5e'';
};
"home-manager-module" = {
url = "https://github.com/nix-community/home-manager";
ref = "release-22.11";
rev = ''
b0be47978de5cfd729a79c3f57ace4c86364ff45'';
};
}

41
nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/versions.tmpl.nix
View file

@ -1,41 +0,0 @@
let
nixpkgs = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-22.11";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d '
' -%>'';
};
in {
inherit nixpkgs;
nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '
' -%>'';
};
"channels-nixos-unstable-small" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "nixos-unstable-small";
rev = ''
<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable-small | awk '{ print $1 }' | tr -d '
' -%>'';
};
"nixpkgs-master" = {
url = "https://github.com/NixOS/nixpkgs/";
ref = "master";
rev = ''
<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '
' -%>'';
};
"home-manager-module" = {
url = "https://github.com/nix-community/home-manager";
ref = "release-22.11";
rev = ''
<% git ls-remote https://github.com/nix-community/home-manager.git release-22.11 | awk '{ print $1 }' | tr -d '
' -%>'';
};
}

0
nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/README.md → nix/os/devices/sj-vps-htz0/README.md
View file

0
nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/boot.nix → nix/os/devices/sj-vps-htz0/boot.nix
View file

0
nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/configuration.nix → nix/os/devices/sj-vps-htz0/configuration.nix
View file

20
nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/default.nix → nix/os/devices/sj-vps-htz0/default.nix
View file

@ -1,11 +1,13 @@
{repoFlake}: let
nodeName = "sj-vps-htz0.infra.stefanjunker.de";
{
nodeName,
repoFlake,
nodeFlake,
...
}: let
system = "x86_64-linux";
nodeFlake = repoFlake.inputs.get-flake ./.;
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit nodeName nodeFlake;
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
@ -14,13 +16,13 @@ in {
};
${nodeName} = {
deployment.targetHost = nodeName;
deployment.replaceUnknownProfiles = true;
deployment.targetHost = "${nodeName}.infra.stefanjunker.de";
deployment.replaceUnknownProfiles = false;
imports = [
(repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
nodeFlake.inputs.home-manager.nixosModules.home-manager
./configuration.nix
];
};
}

46
nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.lock → nix/os/devices/sj-vps-htz0/flake.lock generated
View file

@ -4,47 +4,46 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
]
},
"locked": {
"lastModified": 1681092193,
"narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
"lastModified": 1687871164,
"narHash": "sha256-bBFlPthuYX322xOlpJvkjUBz0C+MOBjZdDOOJJ+G2jU=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
"rev": "07c347bb50994691d7b0095f45ebd8838cf6bc38",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "release-22.11",
"ref": "release-23.05",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1681759395,
"narHash": "sha256-7aaRtLxLAy8qFVIA26ulB+Q5nDVzuQ71qi0s0wMjAws=",
"lastModified": 1688109178,
"narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "cd749f58ba83f7155b7062dd49d08e5e47e44d50",
"rev": "b72aa95f7f096382bff3aea5f8fde645bca07422",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-22.11",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-master": {
"locked": {
"lastModified": 1681895322,
"narHash": "sha256-dtduardGFljEIh0Whlnhzda7Au0s1WnnSdzh2ZhCu9c=",
"lastModified": 1688246754,
"narHash": "sha256-OuUvCCMrJgN9K/L1j2ADMxu/nuJhplFjIZFFtelnymc=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "57aad37a2eab85fb5522cbc8568fe27872071a1c",
"rev": "b9b176f8b8155c122e01a336b439ce57b2485b40",
"type": "github"
},
"original": {
@ -56,11 +55,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1681770396,
"narHash": "sha256-tq+GZOkRA3uF3I/jIzuBGfnTRQFT4QnnRCWJ8DKSaMg=",
"lastModified": 1688180391,
"narHash": "sha256-oTUSZepWQ7AYQKvNPkf8QyxkfoVpEhGioVji0hd3p8U=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "4df48038a44e9f3a3da8e9b42ca182726b743de4",
"rev": "1353de5923daba8462cfc3624d8c2d70cbafafcd",
"type": "github"
},
"original": {
@ -77,21 +76,6 @@
"nixpkgs-master": "nixpkgs-master",
"nixpkgs-unstable": "nixpkgs-unstable"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
}
},
"root": "root",

4
nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/flake.nix → nix/os/devices/sj-vps-htz0/flake.nix
View file

@ -1,10 +1,10 @@
{
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11";
inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
inputs.home-manager = {
url = "github:nix-community/home-manager/release-22.11";
url = "github:nix-community/home-manager/release-23.05";
inputs.nixpkgs.follows = "nixpkgs";
};

0
nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/hw.nix → nix/os/devices/sj-vps-htz0/hw.nix
View file

0
nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/pkg.nix → nix/os/devices/sj-vps-htz0/pkg.nix
View file

11
nix/os/devices/sj-vps-htz0.infra.stefanjunker.de/system.nix → nix/os/devices/sj-vps-htz0/system.nix
View file

@ -2,10 +2,9 @@
pkgs,
lib,
config,
repoFlake,
...
}: let
keys = import ../../../variables/keys.nix;
in {
}: {
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [
# iperf3
@ -58,12 +57,10 @@ in {
nix.gc = {automatic = true;};
# networking.useHostResolvConf = true;
services.openssh.forwardX11 = true;
containers = {
mailserver = import ../../containers/mailserver.nix {
inherit repoFlake;
autoStart = true;
hostAddress = "192.168.100.10";

2
nix/os/devices/steveej-nuc7pjyh-work/user.nix
View file

@ -5,7 +5,7 @@
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
users.extraUsers.sjunker = mkUser {
uid = 1001;

2
nix/os/devices/steveej-pa600/user.nix
View file

@ -5,7 +5,7 @@
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
users.extraUsers.steveej2 = mkUser {
uid = 1001;

3
nix/os/devices/steveej-t14/boot.nix
View file

@ -8,7 +8,8 @@
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
# boot.tmpOnTmpfs = lib.mkForce false;
boot.tmpOnTmpfsSize = "100%";
boot.tmp.tmpfsSize = "100%";
# TODO: make this work
# systemd.tmpfiles.rules = lib.mkForce [ "d /tmp 1777 root root 1d" ];
}

1
nix/os/devices/steveej-t14/configuration.nix
View file

@ -10,5 +10,6 @@
./pkg.nix
./user.nix
./boot.nix
./secrets.nix
];
}

11
nix/os/devices/steveej-t14/default.nix
View file

@ -1,12 +1,15 @@
{repoFlake}: let
nodeName = "steveej-t14";
{
nodeName,
repoFlake,
repoFlakeWithSystem,
nodeFlake,
}: let
system = "x86_64-linux";
nodeFlake = repoFlake.inputs.get-flake ./.;
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs');
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {

44
nix/os/devices/steveej-t14/hw.nix
View file

@ -20,48 +20,47 @@ in {
services.tlp = {
enable = true;
settings = {
CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
# CPU_SCALING_GOVERNOR_ON_AC = "schedutil";
CPU_SCALING_GOVERNOR_ON_BAT = "schedutil";
CPU_ENERGY_PERF_POLICY_ON_AC="balance_power";
# CPU_ENERGY_PERF_POLICY_ON_AC="balance_power";
CPU_ENERGY_PERF_POLICY_ON_BAT="power";
SCHED_POWERSAVE_ON_AC="1";
# SCHED_POWERSAVE_ON_AC="1";
SCHED_POWERSAVE_ON_BAT="1";
CPU_BOOST_ON_AC="0";
CPU_BOOST_ON_BAT="0";
RADEON_DPM_PERF_LEVEL_ON_AC="auto";
# RADEON_DPM_PERF_LEVEL_ON_AC="auto";
RADEON_DPM_PERF_LEVEL_ON_BAT="low";
RADEON_DPM_STATE_ON_AC="balanced";
# RADEON_DPM_STATE_ON_AC="balanced";
RADEON_DPM_STATE_ON_BAT="battery";
SOUND_POWER_SAVE_ON_AC="1";
# SOUND_POWER_SAVE_ON_AC="1";
SOUND_POWER_SAVE_ON_BAT="1";
# PLATFORM_PROFILE_ON_AC="low-power";
# PLATFORM_PROFILE_ON_BAT="low-power";
PLATFORM_PROFILE_ON_AC="balanced";
# # PLATFORM_PROFILE_ON_AC="low-power";
# # PLATFORM_PROFILE_ON_BAT="low-power";
# PLATFORM_PROFILE_ON_AC="balanced";
PLATFORM_PROFILE_ON_BAT="low-power";
RUNTIME_PM_ON_AC = "auto";
# RUNTIME_PM_ON_AC = "auto";
RUNTIME_PM_ON_BAT = "auto";
PCIE_ASPM_ON_AC="default";
# PCIE_ASPM_ON_AC="default";
PCIE_ASPM_ON_BAT="powersave";
START_CHARGE_THRESH_BAT0 = "75";
STOP_CHARGE_THRESH_BAT0 = "80";
WOL_DISABLE="Y";
WIFI_PWR_ON_AC="on";
# WIFI_PWR_ON_AC="on";
WIFI_PWR_ON_BAT="on";
DEVICES_TO_DISABLE_ON_STARTUP="wwan";
#DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan";
#DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
#DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
# #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan";
# #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
# #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
};
};
@ -71,12 +70,13 @@ in {
[0 0 55]
[1 55 65]
[1 65 75]
[3 75 78]
[4 78 80]
[5 80 82]
[6 82 84]
[7 84 86]
["level full-speed" 86 999]
[2 75 78]
[3 78 80]
[4 80 82]
[5 82 84]
[6 84 86]
[7 86 88]
["level full-speed" 88 999]
];
};

3
nix/os/devices/steveej-t14/pkg.nix
View file

@ -9,6 +9,9 @@
];
})
];
home.sessionVariables = {
};
};
# TODO: fix the following errors with regreet

7
nix/os/devices/steveej-t14/secrets.nix Normal file
View file

@ -0,0 +1,7 @@
{config, ...}: {
sops.secrets.radicale_htpasswd = {
sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd;
format = "binary";
owner = config.users.users.steveej.name;
};
}

79
nix/os/devices/steveej-t14/system.nix
View file

@ -3,6 +3,7 @@
lib,
config,
nodeName,
repoFlake,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
@ -10,18 +11,37 @@ in {
nix.settings = {
substituters = [
"https://holochain-ci.cachix.org"
# "https://cache.holo.host/"
"https://cache.holo.host/"
];
trusted-public-keys = [
"holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8="
# "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
# "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
"cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE="
"cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ="
];
extra-experimental-features = ["impure-derivations"];
system-features = ["recursive-nix" "big-parallel"];
};
networking.extraHosts = ''
# qemu box
172.24.40.13 steveej-qemu.infra.holochain.org
172.24.40.13 steveej-qemu.d.dweb.city
# bare metal
192.168.14.117 steveej-hw1.infra.holochain.org
192.168.14.117 steveej-hw1.d.dweb.city
192.168.14.117 steveej-hw2.infra.holochain.org
192.168.14.117 steveej-hw2.d.dweb.city
192.168.14.117 steveej-hw3.infra.holochain.org
192.168.14.117 steveej-hw3.d.dweb.city
192.168.14.117 steveej-hw4.infra.holochain.org
192.168.14.117 steveej-hw4.d.dweb.city
172.24.135.11 emerge3.d.dweb.city
172.24.74.194 emerge4.d.dweb.city
'';
networking.bridges."virbr1".interfaces = [];
networking.interfaces."virbr1".ipv4.addresses = [
{
@ -35,7 +55,7 @@ in {
# TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
networking.firewall.interfaces."eth+".allowedTCPPorts = [
22
22
# syncthing
22000
@ -43,9 +63,10 @@ in {
# iperf3
5201
];
networking.firewall.interfaces."eth+".allowedUDPPorts = [
networking.firewall.interfaces."eth+".allowedUDPPorts = [
# syncthing
22000 21027
22000
21027
];
networking.firewall.logRefusedConnections = false;
@ -96,8 +117,50 @@ in {
services.zerotierone = {
enable = true;
joinNetworks = [
"93afae5963c547f1"
passwords.zerotier.dweb2023.networkId
# moved to the service below as it's now secret
];
};
systemd.services.zerotieroneSecretNetworks = {
enable = true;
requiredBy = ["zerotierone.service"];
partOf = ["zerotierone.service"];
serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
script = let
secret = config.sops.secrets.zerotieroneNetworks;
in ''
# include the secret's hash to trigger a restart on change
# ${builtins.hashString "sha256" (builtins.toJSON secret)}
${config.systemd.services.zerotierone.preStart}
rm -rf /var/lib/zerotier-one/networks.d/*.conf
for network in `grep -v '#' ${secret.path}`; do
touch /var/lib/zerotier-one/networks.d/''${network}.conf
done
'';
};
sops.secrets.zerotieroneNetworks = {
sopsFile = ../../../../secrets/zerotierone.txt;
format = "binary";
};
sops.secrets.nomad-holochain-agent-ca = {
sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
owner = config.users.extraUsers.steveej.name;
};
sops.secrets.nomad-holochain-cli-cert = {
sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
owner = config.users.extraUsers.steveej.name;
};
sops.secrets.nomad-holochain-cli-key = {
sopsFile = ../../../../secrets/steveej-t14/nomad-holochain-infra.yaml;
owner = config.users.extraUsers.steveej.name;
};
}

5
nix/os/devices/steveej-t14/user.nix
View file

@ -1,15 +1,16 @@
{
config,
pkgs,
lib,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
users.extraUsers.steveej2 = mkUser {
uid = 1001;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
passwordFile = config.sops.secrets.sharedUsers-steveej.path;
};
nix.settings.trusted-users = ["steveej"];

2
nix/os/devices/vmd102066.contaboserver.net/default.nix
View file

@ -1,4 +1,4 @@
{repoFlake}: let
{repoFlake, ...}: let
nodeName = "vmd102066.contaboserver.net";
system = "x86_64-linux";

21
nix/os/lib/default.nix
View file

@ -1,21 +1,9 @@
{
lib,
keys ? import ../../variables/keys.nix,
passwords ? import ../../variables/passwords.crypt.nix,
}: {
mkRoot = {} @ args:
{
hashedPassword = passwords.users.root;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
}
// args;
mkUser = {
uid,
hashedPassword ? passwords.users.steveej,
...
} @ args:
{
inherit uid hashedPassword;
mkUser = args: (
lib.attrsets.recursiveUpdate {
isNormalUser = true;
extraGroups = [
"docker"
@ -32,7 +20,8 @@
];
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
}
// args;
args
);
disk = rec {
# TODO: verify the GPT PARTLABEL cap at 36 chars

9
nix/os/modules/ddclient-ovh.nix
View file

@ -4,8 +4,7 @@
...
}: let
cfg = config.services.ddclientovh;
passwords = import ../../variables/passwords.crypt.nix;
# passwords = import ../../variables/passwords.crypt.nix;
in {
options.services.ddclientovh = with lib; {
enable = mkEnableOption "Enable ddclient-ovh";
@ -20,10 +19,8 @@ in {
ssl = true;
domains = [cfg.domain];
use = "web";
inherit (passwords.dyndns.${cfg.domain}) username;
passwordFile =
builtins.toFile passwords.dyndns._filename
passwords.dyndns.${cfg.domain}.password;
# inherit (passwords.dyndns.${cfg.domain}) username;
# passwordFile = config.sops.secrets."dyndns_${cfg.domain}".path;
};
};
}

2
nix/os/modules/opinionatedDisk.nix
View file

@ -5,7 +5,7 @@
}:
with lib; let
cfg = config.hardware.opinionatedDisk;
ownLib = import ../lib/default.nix {};
ownLib = import ../lib/default.nix {inherit lib;};
in {
options.hardware.opinionatedDisk = {
enable = mkEnableOption "Enable opinionated filesystem layout";

3
nix/os/profiles/common/boot.nix
View file

@ -4,12 +4,11 @@
enable = true;
efiSupport = true;
efiInstallAsRemovable = false;
version = 2;
};
boot.loader.systemd-boot.enable = false;
boot.loader.efi.canTouchEfiVariables = true;
boot.tmpOnTmpfs = true;
boot.tmp.useTmpfs = true;
# Workaround for nm-pptp to enforce module load
boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"];

18
nix/os/profiles/common/configuration.nix
View file

@ -1,3 +1,17 @@
{...}: {
imports = [./boot.nix ./pkg.nix ./user.nix ./system.nix ./hw.nix];
{
config,
pkgs,
repoFlake,
...
}: {
imports = [
./boot.nix
./pkg.nix
./system.nix
./hw.nix
./user.nix
repoFlake.inputs.sops-nix.nixosModules.sops
];
}

5
nix/os/profiles/common/pkg.nix
View file

@ -1,7 +1,9 @@
{
config,
pkgs,
# these come in via nodeSpecialArgs and are expected to be defined for every node
repoFlake,
repoFlakeInputs',
nodeFlake,
packages',
...
@ -20,9 +22,12 @@
home-manager.extraSpecialArgs = {
inherit
repoFlake
repoFlakeInputs'
packages'
nodeFlake
;
osConfig = config;
};
nixpkgs.config = {

26
nix/os/profiles/common/user.nix
View file

@ -3,13 +3,31 @@
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
inherit (import ../../lib/default.nix {}) mkUser mkRoot;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in {
sops.secrets.sharedUsers-root = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;
};
sops.secrets.sharedUsers-steveej = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;
format = "yaml";
};
users.mutableUsers = false;
users.extraUsers.root = mkRoot {};
users.extraUsers.steveej = mkUser {uid = 1000;};
users.extraUsers.root = {
passwordFile = config.sops.secrets.sharedUsers-root.path;
openssh.authorizedKeys.keys = keys.users.steveej.openssh;
};
users.extraUsers.steveej = mkUser {
uid = 1000;
passwordFile = config.sops.secrets.sharedUsers-steveej.path;
};
security.pam.u2f.enable = true;
security.pam.services.steveej.u2fAuth = true;

2
nix/os/profiles/graphical/system.nix
View file

@ -21,7 +21,7 @@
# hardware related services
services.illum.enable = true;
services.pcscd.enable = false;
services.pcscd.enable = true;
hardware.opengl.enable = true;
hardware.bluetooth.enable = true;
# required for running blueman-applet in user sessions

BIN
nix/variables/passwords.crypt.nix
View file

Binary file not shown.