feat,fix: cach up hostkey0 with structure changes, update x13s and config firewall

2024-03-07 22:01:03 +01:00 · 2024-03-07 22:01:03 +01:00 · f779649c0c
commit f779649c0c
parent b144c4501f
8 changed files with 79 additions and 58 deletions
--- a/nix/home-manager/configuration/graphical-fullblown.nix
+++ b/nix/home-manager/configuration/graphical-fullblown.nix
@ -40,7 +40,6 @@ in {
  home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];

  nixpkgs.config.permittedInsecurePackages = [
-    "electron-25.9.0"
  ];

  home.packages =
@ -157,8 +156,8 @@ in {
      nethogs

      # Code Editing and Programming
-      # pkgsUnstableSmall.lapce
-      # pkgsUnstableSmall.helix
+      pkgsUnstableSmall.lapce
+      pkgsUnstableSmall.helix

      # Image/Graphic/Design Tools
      gnome.eog
--- a/nix/home-manager/profiles/common.nix
+++ b/nix/home-manager/profiles/common.nix
@ -3,6 +3,8 @@
  lib,
  ...
 }: {
+  home.stateVersion = lib.mkDefault "23.11";
+
  # TODO: re-enable this with the appropriate version?
  # programs.home-manager.enable = true;
  # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz;
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ b/nix/os/devices/router0-dmz0/configuration.nix
@ -194,7 +194,7 @@ in {
            rules = let
              wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces;
            in
-              # TODO: if this hostname doesn't resolve it'll break the whole ruleset
+              # ***TODO***: if this hostname doesn't resolve it'll break the whole ruleset
              [
                "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
                "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}"
--- a/nix/os/devices/sj-bm-hostkey0/configuration.nix
+++ b/nix/os/devices/sj-bm-hostkey0/configuration.nix
@ -22,6 +22,7 @@ in {
    repoFlake.inputs.sops-nix.nixosModules.sops

    ../../profiles/common/user.nix
+    ../../snippets/nix-settings.nix
    ../../snippets/nix-settings-holo-chain.nix

    # TODO
@ -29,20 +30,14 @@ in {
    # ./monitoring.nix

    # user config
+    ../../snippets/home-manager-with-zsh.nix
    {
      users.commonUsers = {
        enable = true;
        enableNonRoot = true;
      };
-      home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix {
-        inherit pkgs;
-      };

      home-manager.users.steveej = {pkgs, ...}: {
-        imports = [
-          ../../../home-manager/configuration/text-minimal.nix
-        ];
-
        home.packages = [
          pkgs.nil
          pkgs.rnix-lsp
--- a/nix/os/devices/sj-bm-hostkey0/flake.lock
+++ b/nix/os/devices/sj-bm-hostkey0/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704318910,
-        "narHash": "sha256-wOIJwAsnZhM0NlFRwYJRgO4Lldh8j9viyzwQXtrbNtM=",
+        "lastModified": 1709286488,
+        "narHash": "sha256-RDpTZ72zLu05djvXRzK76Ysqp9zSdh84ax/edEaJucs=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "aef9a509db64a081186af2dc185654d78dc8e344",
+        "rev": "bde7dd352c07d43bd5b8245e6c39074a391fdd46",
        "type": "github"
      },
      "original": {
@ -42,11 +42,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704383912,
-        "narHash": "sha256-Be7O73qoOj/z+4ZCgizdLlu+5BkVvO2KO299goZ9cW8=",
+        "lastModified": 1709204054,
+        "narHash": "sha256-U1idK0JHs1XOfSI1APYuXi4AEADf+B+ZU4Wifc0pBHk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "26b8adb300e50efceb51fff6859a1a6ba1ade4f7",
+        "rev": "2f3367769a93b226c467551315e9e270c3f78b15",
        "type": "github"
      },
      "original": {
@ -56,29 +56,13 @@
        "type": "github"
      }
    },
-    "nixos-stable": {
-      "locked": {
-        "lastModified": 1703992652,
-        "narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-23.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1704295289,
-        "narHash": "sha256-9WZDRfpMqCYL6g/HNWVvXF0hxdaAgwgIGeLYiOhmes8=",
+        "lastModified": 1709218635,
+        "narHash": "sha256-nytX/MkfqeTD4z7bMq4QRXcHxO9B3vRo9tM6fMtPFA8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "b0b2c5445c64191fd8d0b31f2b1a34e45a64547d",
+        "rev": "068d4db604958d05d0b46c47f79b507d84dbc069",
        "type": "github"
      },
      "original": {
@ -99,17 +83,16 @@
    },
    "srvos": {
      "inputs": {
-        "nixos-stable": "nixos-stable",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1704357296,
-        "narHash": "sha256-npRcwAqeoLRdilyn4yOG9qShTRJ3sXL/xpyVOi+j7nw=",
+        "lastModified": 1709290688,
+        "narHash": "sha256-uGOqZffYg3mNS43MI6yhYB5tE8QYXgvCzO8dg5lC9TA=",
        "owner": "numtide",
        "repo": "srvos",
-        "rev": "341c142aad6609161b6b74cfc2d288f0ead01585",
+        "rev": "8e1328f734bff51198c44facd064b257756343c5",
        "type": "github"
      },
      "original": {
--- a/nix/os/devices/steveej-x13s/configuration.nix
+++ b/nix/os/devices/steveej-x13s/configuration.nix
@ -13,6 +13,7 @@
    enable = true;
    # TODO: use hardware address
    bluetoothMac = "65:9e:7a:8b:86:28";
+    kernel = "jhovold";
  };

  services.illum.enable = true;
@ -65,6 +66,7 @@
    ./disko.nix

    ../../snippets/nix-settings.nix
+    ../../snippets/nix-settings-holo-chain.nix
    ../../profiles/common/user.nix

    {
@ -81,6 +83,21 @@
      };
    }

+    # TODO: create syncthing os snippet
+    (let
+      tcp = [22000];
+      udp = [
+        22000
+        21027
+      ];
+    in {
+      # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
+      networking.firewall.interfaces."en+".allowedTCPPorts = tcp;
+      networking.firewall.interfaces."en+".allowedUDPPorts = udp;
+      networking.firewall.interfaces."wl+".allowedTCPPorts = tcp;
+      networking.firewall.interfaces."wl+".allowedUDPPorts = udp;
+    })
+
    ../../snippets/home-manager-with-zsh.nix
    ../../snippets/sway-desktop.nix
    ../../snippets/bluetooth.nix
@ -132,6 +149,23 @@
    loader.efi.canTouchEfiVariables = lib.mkForce false;
    loader.efi.efiSysMountPoint = "/boot";
    blacklistedKernelModules = ["wwan"];
+
+    # kernelParams = let
+    #   dtbName = "sc8280xp-lenovo-thinkpad-x13s.dtb";
+    # in lib.mkForce [
+    #   # needed to boot
+    #   "dtb=${dtbName}"
+
+    #   # jhovold recommended
+    #   "efi=noruntime"
+    #   "clk_ignore_unused"
+    #   "pd_ignore_unused"
+    #   # "regulator_ignore_unused"
+    #   "arm64.nopauth"
+
+    #   # blacklist graphics in initrd so the firmware can load from disk
+    #   "rd.driver.blacklist=msm"
+    # ];
  };

  # see https://linrunner.de/tlp/
@ -145,12 +179,20 @@
  };

  # android on linux
-  virtualisation.waydroid.enable = true;
+  virtualisation.waydroid.enable = false;
  virtualisation.podman.enable = true;
  virtualisation.podman.dockerCompat = true;

  hardware.ledger.enable = true;

+  nix.settings.substituters = [
+    "https://nixos-x13s.cachix.org"
+  ];
+
+  nix.settings.trusted-public-keys = [
+    "nixos-x13s.cachix.org-1:SzroHbidolBD3Sf6UusXp12YZ+a5ynWv0RtYF0btFos="
+  ];
+
  steveej.holo-zerotier = {
    enable = true;
    autostart = false;
--- a/nix/os/devices/steveej-x13s/flake.lock
+++ b/nix/os/devices/steveej-x13s/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1709286488,
-        "narHash": "sha256-RDpTZ72zLu05djvXRzK76Ysqp9zSdh84ax/edEaJucs=",
+        "lastModified": 1709682352,
+        "narHash": "sha256-71S/64RbyADT6FUVJq4WLiNbmcxFvgMsSihf/C2Hgno=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "bde7dd352c07d43bd5b8245e6c39074a391fdd46",
+        "rev": "ad5e8bd14df2e6bdb836582577dc163318617738",
        "type": "github"
      },
      "original": {
@ -95,16 +95,16 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1709138783,
-        "narHash": "sha256-RyX9TPeMEcRLVTaHJzXepIn1EhixNMFJzfNIWwjcfhA=",
-        "ref": "refs/tags/2024-02-28",
-        "rev": "af581b2b9506a66ddf6d6f99cf151a86bb2919bb",
-        "revCount": 35,
+        "lastModified": 1709651788,
+        "narHash": "sha256-zxyGf3cCfAvYyURL1HKhpKyA14EkolG5jBmWvz0Xxjg=",
+        "ref": "main",
+        "rev": "4d55c266488f93ed022e2f6d2848420b59f4a56a",
+        "revCount": 38,
        "type": "git",
        "url": "https://codeberg.org/adamcstephens/nixos-x13s"
      },
      "original": {
-        "ref": "refs/tags/2024-02-28",
+        "ref": "main",
        "type": "git",
        "url": "https://codeberg.org/adamcstephens/nixos-x13s"
      }
@ -161,11 +161,11 @@
    },
    "nixpkgs-unstable-small": {
      "locked": {
-        "lastModified": 1709271102,
-        "narHash": "sha256-Z2sBL/HRRTNABsU8E5XsP+FXBEyBoi6oMwm5bV7lSFw=",
+        "lastModified": 1709558755,
+        "narHash": "sha256-hx4FIbk4X4ve1oiHLOj+VE6dzO4CtXBR5RSU6kaq34M=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "09c1497ce5d4ed4a0edfdd44450d3048074cb300",
+        "rev": "207107bbc7d6d19a8b2c36a088d3756d03490243",
        "type": "github"
      },
      "original": {
@ -177,11 +177,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1709218635,
-        "narHash": "sha256-nytX/MkfqeTD4z7bMq4QRXcHxO9B3vRo9tM6fMtPFA8=",
+        "lastModified": 1709569716,
+        "narHash": "sha256-iOR44RU4jQ+YPGrn+uQeYAp7Xo7Z/+gT+wXJoGxxLTY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "068d4db604958d05d0b46c47f79b507d84dbc069",
+        "rev": "617579a787259b9a6419492eaac670a5f7663917",
        "type": "github"
      },
      "original": {
--- a/nix/os/devices/steveej-x13s/flake.nix
+++ b/nix/os/devices/steveej-x13s/flake.nix
@ -18,8 +18,8 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    # nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s?ref=main";
-    nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s?ref=refs/tags/2024-02-28";
+    nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s?ref=main";
+    # nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s?ref=refs/tags/2024-02-28";
    # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s";
    # nixos-x13s.inputs.nixpkgs.follows = "nixpkgs";
  };