From fd6077c4769930bd79845a05bf74f4ecb19dc71d Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Sun, 17 Dec 2023 23:25:24 +0100
Subject: [PATCH] workaround elctron issues, fix firewall for syncthing, set uphostkey0 as builder to steveej-t14
---
 .../configuration/graphical-fullblown.nix | 13 ++++-
 nix/home-manager/profiles/sway-desktop.nix | 3 +-
 nix/home-manager/programs/chromium.nix | 3 +
 nix/home-manager/programs/firefox.nix | 4 +-
 .../devices/sj-bm-hostkey0/configuration.nix | 28 ++++++++-
 nix/os/devices/sj-bm-hostkey0/flake.nix | 9 ---
 nix/os/devices/steveej-t14/system.nix | 57 ++++++++++++-------
 nix/os/snippets/nix-settings.nix | 4 +-
 8 files changed, 78 insertions(+), 43 deletions(-)
diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix
index 8d225ce..6bf8d93 100644
--- a/nix/home-manager/configuration/graphical-fullblown.nix
+++ b/nix/home-manager/configuration/graphical-fullblown.nix
@@ -47,6 +47,7 @@ in {
 nixpkgs.config.permittedInsecurePackages = [
 "electron-24.8.6"
+ "electron-25.9.0"
 ];
 home.packages =
@@ -104,8 +105,8 @@ in {
 # Messaging/Communication
 # pidgin
- hexchat
- schildichat-desktop
+ # hexchat
+ # schildichat-desktop # insecure as of 2023-12-16
 aspellDicts.en
 aspellDicts.de
 # skypeforlinux
@@ -248,7 +249,13 @@ in {
 pcmanfm
 # mendeley
 evince
- pkgsUnstableSmall.logseq
+ (runCommand "logseq-wrapper" {
+ nativeBuildInputs = [ makeWrapper ];
+ } ''
+ makeWrapper ${logseq}/bin/logseq $out/bin/logseq \
+ --set NIXOS_OZONE_WL ""
+ '')
+ # (logseq.override({ electron_25 = electron_26; }))
 # File Synchronzation
 maestral
diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix
index bee4d5f..b11550a 100644
--- a/nix/home-manager/profiles/sway-desktop.nix
+++ b/nix/home-manager/profiles/sway-desktop.nix
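Review bot: The added `"electron-25.9.0"` entry in `nixpkgs.config.permittedInsecurePackages` carries no note of which package needs it or when it can go, so an Electron line that nixpkgs flags as insecure (presumably because it is end-of-life) stays allowlisted with nothing prompting its removal. Annotate it the way the second hunk annotates schildichat, e.g. `"electron-25.9.0" # logseq (see the logseq-wrapper below); drop once logseq builds against a supported electron`, and give the existing `"electron-24.8.6"` entry the same treatment.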
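Review bot: The `runCommand "logseq-wrapper"` derivation says nothing about what it works around, and it also quietly replaces `pkgsUnstableSmall.logseq` with `logseq`, which is presumably what pulls in electron-25.9.0 and the new permittedInsecurePackages entry in the first hunk; a one-line comment tying the three together lets them be reverted as a unit, e.g. `# workaround: run logseq with NIXOS_OZONE_WL cleared (tracking: <issue placeholder>); also pins logseq to the stable set`. `--set NIXOS_OZONE_WL ""` would read more directly as makeWrapper's `--unset NIXOS_OZONE_WL`; if the consumer tests the variable with `${NIXOS_OZONE_WL:+…}` as the nixpkgs electron wrapper does, empty and unset behave the same, so that is a clarity change only. The commented-out `logseq.override` alternative should either state why it was rejected or be dropped.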
@@ -100,8 +100,7 @@ in {
 wayland.windowManager.sway = {
 enable = true;
- systemdIntegration = true;
- # systemd.enable = true;
+ systemd.enable = true;
 xwayland = true;
 config = let
diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix
index 9d3d5ae..c2240b9 100644
--- a/nix/home-manager/programs/chromium.nix
+++ b/nix/home-manager/programs/chromium.nix
@@ -38,6 +38,9 @@
 # cookie autodelete
 {id = "fhcgjolkccmbidfldomjliifgaodjagh";}
+
+ # unhook
+ { id = "khncfooichmfjbepaaaebmommgaepoid";}
 ] ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
 # Vimium C
diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix
index b008242..05beab4 100644
--- a/nix/home-manager/programs/firefox.nix
+++ b/nix/home-manager/programs/firefox.nix
@@ -1,6 +1,6 @@
 {pkgs, ...}: {
- # programs.librewolf = {enable = true;};
+ programs.librewolf = {enable = true;};
 programs.firefox = {enable = true;};
- home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json";
+ # home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json";
 }
diff --git a/nix/os/devices/sj-bm-hostkey0/configuration.nix b/nix/os/devices/sj-bm-hostkey0/configuration.nix
index 0d279ca..ee50d8a 100644
--- a/nix/os/devices/sj-bm-hostkey0/configuration.nix
+++ b/nix/os/devices/sj-bm-hostkey0/configuration.nix
@@ -11,11 +11,11 @@
 ...
 }: {
 disabledModules = [
- # "services/networking/hostapd.nix"
 ];
 imports = [
 nodeFlake.inputs.disko.nixosModules.disko
+ nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder
 repoFlake.inputs.sops-nix.nixosModules.sops
 ../../profiles/common/user.nix
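Review bot: The new extension entry identifies the add-on only by the opaque store id `khncfooichmfjbepaaaebmommgaepoid` and the one-word comment `# unhook`, so a reader cannot check that the id is the intended publisher's listing, and a mistyped id would install whatever the store serves under it. Record the listing title and publisher next to the id, e.g. `# unhook: <store listing title / publisher, verified <date placeholder>>`. The braces are also formatted `{ id = …;}` while the entry above uses `{id = …;}`.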
@@ -35,8 +35,19 @@
 inherit pkgs;
 };
- home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
- inherit pkgs;
+ home-manager.users.steveej = { pkgs, ... }: {
+ imports = [
+ ../../../home-manager/configuration/text-minimal.nix
+ ];
+
+ home.packages = [
+ pkgs.nil
+ pkgs.rnix-lsp
+ pkgs.nixd
+ pkgs.nixpkgs-fmt
+ pkgs.alejandra
+ pkgs.nixfmt
+ ];
 };
 programs.zsh.enable = true;
@@ -45,6 +56,11 @@
 }
 ];
+ roles.nix-remote-builder.schedulerPublicKeys = [
+ # TODO: make this a reference to the private key's secret
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14"
+ ];
+
 services.openssh.enable = true;
 services.openssh.settings.PermitRootLogin = "yes";
@@ -141,4 +157,10 @@
 # home.packages = with pkgs; [
 # ];
 # };
+
+ virtualisation.libvirtd.enable = true;
+
+ boot.binfmt.emulatedSystems = [
+ "aarch64-linux"
+ ];
 }
diff --git a/nix/os/devices/sj-bm-hostkey0/flake.nix b/nix/os/devices/sj-bm-hostkey0/flake.nix
index bd3431f..3b4ed54 100644
--- a/nix/os/devices/sj-bm-hostkey0/flake.nix
+++ b/nix/os/devices/sj-bm-hostkey0/flake.nix
@@ -59,15 +59,6 @@
 native = mkNixosConfiguration {
 inherit system;
 };
-
- # cross = mkNixosConfiguration {
- # extraModules = [
- # {
- # nixpkgs.buildPlatform.system = "x86_64-linux";
- # nixpkgs.hostPlatform.system = system;
- # }
- # ];
- # };
 };
 };
}
diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix
index 802aa36..07ef0ae 100644
--- a/nix/os/devices/steveej-t14/system.nix
+++ b/nix/os/devices/steveej-t14/system.nix
@@ -7,6 +7,23 @@
 ...
 }: let
 passwords = import ../../../variables/passwords.crypt.nix;
+
+ localTcpPorts = [
+ 22
+
+ # syncthing
+ 22000
+
+ # iperf3
+ 5201
+ ];
+
+ localUdpPorts = [
+ # syncthing
+ 22000
+ 21027
+ ];
+
 in {
 imports = [
 ../../snippets/nix-settings-holo-chain.nix
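Review bot: The key placed in `roles.nix-remote-builder.schedulerPublicKeys` is `root@steveej-t14`'s general-purpose SSH key, and the srvos role imported in the first hunk of this file (as far as I recall it) authorizes that key for the `nix-remote-builder` user and makes that user a nix trusted user, which is what `ssh-ng` remote builds require on the builder. Prefer a keypair generated for the builder role alone and referenced from `nix.buildMachines.*.sshKey` on steveej-t14, so steveej-t14's root key is not reused across purposes and the builder credential can be rotated on its own. The TODO then reads better as `# public half of steveej-t14's dedicated builder key; private half is nix.buildMachines.*.sshKey in steveej-t14/system.nix`; committing the public key itself is fine.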
@@ -19,6 +36,20 @@ in {
 ];
 };
+ nix.distributedBuilds = true;
+ nix.buildMachines = [
+ {
+ hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost;
+ # TODO: make this a reference
+ sshUser = "nix-remote-builder";
+ protocol = "ssh-ng";
+ system = "x86_64-linux";
+ maxJobs = 24;
+ speedFactor = 100;
+ supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [];
+ }
+ ];
+
 networking.extraHosts = ''
 '';
@@ -37,28 +68,10 @@ in {
 services.openssh.openFirewall = false;
 # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
- networking.firewall.interfaces."eth+".allowedTCPPorts = [
- 22
-
- # syncthing
- 22000
-
- # iperf3
- 5201
-
- # used on holochain hackathon for cache reverse proxy
- 80
- ];
- networking.firewall.interfaces."eth+".allowedUDPPorts = [
- # syncthing
- 22000
- 21027
- ];
-
- networking.firewall.interfaces."wlan+".allowedTCPPorts = [
- # used on holochain hackathon for cache reverse proxy
- 80
- ];
+ networking.firewall.interfaces."eth+".allowedTCPPorts = localTcpPorts;
+ networking.firewall.interfaces."eth+".allowedUDPPorts = localUdpPorts;
+ networking.firewall.interfaces."wlan+".allowedTCPPorts = localTcpPorts;
+ networking.firewall.interfaces."wlan+".allowedUDPPorts = localUdpPorts;
 networking.firewall.logRefusedConnections = false;
 networking.usePredictableInterfaceNames = false;
diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix
index 28630c9..7e2fd37 100644
--- a/nix/os/snippets/nix-settings.nix
+++ b/nix/os/snippets/nix-settings.nix
@@ -12,14 +12,14 @@
 "nixpkgs=${pkgs.path}"
 ];
- nix.experimental-features = [
+ nix.settings.experimental-features = [
 "nix-command"
 "flakes"
 "ca-derivations"
 "impure-derivations"
 ];
- nix.system-features = [
+ nix.settings.system-features = [
 "recursive-nix"
 "big-parallel"
 "kvm"
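Review bot: The new `nix.buildMachines` entry sets no `publicHostKey`, so the `ssh-ng` connection that steveej-t14's nix-daemon opens as root is authenticated only by whatever root's known_hosts already holds for `repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost`. Add `publicHostKey = "<base64 host key of sj-bm-hostkey0, placeholder>";` next to `hostName`, together with an explicit `sshKey`, so the builder's identity is pinned from configuration. Separately, `supportedFeatures` is read from `router0-dmz0`'s configuration rather than the builder's own; unless both hosts import the same nix-settings snippet this advertises features hostkey0 may lack, and the trailing `++ []` is a no-op. If the `aarch64-linux` binfmt enabled on hostkey0 in this patch is meant for offloaded builds, the entry also needs `systems = ["x86_64-linux" "aarch64-linux"];` in place of `system`.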
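Review bot: Assigning the shared `localTcpPorts` to `networking.firewall.interfaces."wlan+".allowedTCPPorts` widens the wlan+ allowlist from port 80 alone to 22, 22000 and 5201, so ssh and iperf3 become reachable from any Wi-Fi network the machine joins, whereas `services.openssh.openFirewall = false` just above suggests ssh exposure was meant to be decided per interface. If the goal is only syncthing on Wi-Fi, as the commit title suggests, split the lists defined in the earlier hunk of this file, e.g. `syncthingTcpPorts = [ 22000 ];` for wlan+ and `localTcpPorts = [ 22 5201 ] ++ syncthingTcpPorts;` for eth+. Dropping 80 from both interfaces also retires the hackathon proxy rule without a word; a short note in the comment above the block would record that this was intended.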