diff --git a/.envrc b/.envrc index 90160da..64034fb 100644 --- a/.envrc +++ b/.envrc @@ -1,5 +1,7 @@ -if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then - source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM=" -fi +# if ! has nix_direnv_version || ! nix_direnv_version 1.5.1; then +# source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/1.5.1/direnvrc" "sha256-p4CDMJjuBmEh9pkn2aoJrZqr0DlPZHPU7eXOSDzzcuo=" +# fi +# use_flake . --impure + +use nix -use flake .#develop diff --git a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg index fd34c43..9587742 100644 Binary files a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg and b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg differ diff --git a/.gitignore b/.gitignore index 8c927b6..06f83d9 100644 --- a/.gitignore +++ b/.gitignore @@ -3,9 +3,3 @@ .*.log .env **/result -.direnv/ - -# nixago: ignore-linked-files -/treefmt.toml - -/debug-logs diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..efb4d91 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,10 @@ +stages: + - build + +build: + stage: build + tags: + - nix + script: + # Test the nix-shell + - just run-with-channels 'nix-shell --run "echo OK"' diff --git a/.sops.yaml b/.sops.yaml deleted file mode 100644 index 9ad6d2c..0000000 --- a/.sops.yaml +++ /dev/null 
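Review bot: The commented-out block that replaces the pinned nix-direnv 3.0.6 bootstrap references the older 1.5.1 release with a different sha256 plus a `use_flake . --impure` call, so anyone uncommenting it later would silently downgrade the pinned direnvrc and re-enable impure evaluation; either delete the dead lines or add one comment stating why they are kept, e.g. `# nix-direnv bootstrap disabled on purpose; plain use nix loads shell.nix`. Plain `use nix` loads the shell without the nix-direnv caching layer the removed lines provided, so presumably every directory entry re-evaluates shell.nix — confirm that is intended. The `.gitignore` hunk in the same commit also drops the `.direnv/` entry, so if direnv still writes a `.direnv/` cache for this file it is no longer ignored.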
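Review bot: The `build` job's only step, `just run-with-channels 'nix-shell --run "echo OK"'`, checks that the `_get_nix_path` nix-build of `channelSources` succeeds and that `nix-shell` in the repo root evaluates, and nothing else; a job that builds nothing is misleadingly named, and the inline comment should say what is verified, e.g. `# Smoke test: channel sources resolve and the root nix-shell evaluates; no recipe is run`. The script also assumes `just` is already on the runner's PATH — nothing in the job installs it — so presumably the `nix` tag selects a runner that provides it, which is worth stating next to the tag.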
@@ -1,129 +0,0 @@ -# This example uses YAML anchors which allows reuse of multiple keys -# without having to repeat yourself. -# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml -# for a more complex example. - -# use `ssh-keyscan | ssh-to-age` to get the age key for a remote machine -# use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating -keys: - - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - - &steveej-age age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - - &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - - - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - - &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - -creation_rules: - - path_regex: ^(.+/|)secrets/[^/]+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *steveej-x13s - - *elias-e525 - - - *router0-dmz0 - - - *sj-srv1 - - *hstk0 - - *router0-ifog - - *router0-hosthatch - - path_regex: ^secrets/steveej-t14/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *steveej-t14 - - path_regex: ^secrets/desktop/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *steveej-t14 - - *steveej-x13s - - path_regex: ^secrets/servers/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *sj-srv1 - - path_regex: ^nix/os/containers/.+_secrets.+$ - 
key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *sj-srv1 - - path_regex: ^secrets/holochain-infra/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - path_regex: ^secrets/router0-dmz0/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *router0-dmz0 - - path_regex: ^secrets/router0-ifog/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *router0-ifog - - path_regex: ^secrets/router0-hosthatch/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *router0-hosthatch - - path_regex: ^secrets/sj-vps-htz0/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *sj-vps-htz0 - - path_regex: ^secrets/sj-srv1/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *sj-srv1 - - path_regex: ^secrets/hstk0/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *hstk0 - - path_regex: ^secrets/steveej-x13s/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *steveej-x13s - - path_regex: ^secrets/work-holo/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *steveej-x13s diff --git a/.vscode/settings.json b/.vscode/settings.json index 660429d..d0eb512 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,20 +1,3 @@ { - "editor.defaultFormatter": "ibecker.treefmt-vscode", - "editor.formatOnSave": true, - "nix.enableLanguageServer": true, - "nix.serverPath": "nil", - "nix.serverSettings": { - // settings for 'nil' LSP - "nil": { - "autoArchive": true, - "diagnostics": { - "ignored": ["unused_binding", "unused_with"] - }, - "formatting": { - "command": ["treefmt", "--stdin", ".nil.nix"] - } - } - }, - "treefmt.command": "treefmt", - "treefmt.config": "" + "nixEnvSelector.nixFile": "${workspaceRoot}/shell.nix" } diff --git a/Justfile b/Justfile index c7fa7b3..a794d9d 100755 --- a/Justfile +++ b/Justfile 
@@ -1,321 +1,383 @@ -# _DEFAULT_VERSION_TMPL: -# echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" +_DEFAULT_VERSION_TMPL: + echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" + +_DEFAULT_VERSION: + echo "{{invocation_directory()}}/nix/variables/versions.nix" _usage: - just -l + just -l # Re-render the default versions update-default-versions: - nix flake update + #!/usr/bin/env bash + template="$(just _DEFAULT_VERSION_TMPL)" + outfile="$(just _DEFAULT_VERSION)" + esh -o ${outfile} ${template} _get_nix_path versionsPath: - echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath {{ versionsPath }}) + echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}}) _device recipe dir +moreargs="": - #!/usr/bin/env bash - set -ex - unset NIX_PATH - source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix) - $(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }}) + #!/usr/bin/env bash + set -ex + unset NIX_PATH + source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix) + $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}}) _render_templates: - #!/usr/bin/env bash - set -ex - if ! ip route get 1.1.1.1; then - echo No route to WAN. Skipping template rendering... - else - source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) - # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix - fi + #!/usr/bin/env bash + set -ex + if ! ip route get 1.1.1.1; then + echo No route to WAN. Skipping template rendering... 
+ else + source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) + # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix + fi -rebuild-remote-device device +rebuildargs="dry-activate": - #!/usr/bin/env bash - set -ex - nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }} +_rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates + #!/usr/bin/env bash + set -ex + just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}} + +rebuild-remote-device device target rebuildarg="dry-activate" : + #!/usr/bin/env bash + set -ex + just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'" # Rebuild this device's NixOS -rebuild-this-device +rebuildargs="dry-activate": - nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }} +rebuild-this-device rebuildarg="dry-activate": + #!/usr/bin/env bash + set -e + + function parse_hm_rebuildarg() { + case $1 in + switch) + echo switch + ;; + *) + echo build + ;; + esac + } + + export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log + export HOMEREBUILD_LOG=.$(hostname -s)_homerebuild.log + + echo Rebuilding system in {{rebuildarg}}-mode... + if just -v _rebuild-device nix/os/devices/$(hostname -s) {{rebuildarg}} > ${SYSREBUILD_LOG} 2>&1 ; then + echo System rebuild successful + else + cat ${SYSREBUILD_LOG} + echo ERROR: system rebuild failed + exit 1 + fi + + if type home-manager > /dev/null 2>&1; then + echo Rebuilding home in $(parse_hm_rebuildarg {{rebuildarg}})-mode... 
+ source $(just -v _get_nix_path {{invocation_directory()}}/nix/os/devices/$(hostname -s)/versions.nix) + if home-manager -v $(parse_hm_rebuildarg {{rebuildarg}}) > ${HOMEREBUILD_LOG} 2>&1 ; then + echo Home rebuild successful + else + cat ${HOMEREBUILD_LOG} + echo ERROR: home rebuild failed + exit 1 + fi + fi # Re-render the versions of a remote device and rebuild its environment -update-remote-device devicename +rebuildargs='build': - #!/usr/bin/env bash - set -e +update-remote-device devicename target rebuildmode='switch': + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/{{ devicename }} - nix flake update - ) + template=nix/os/devices/{{ devicename }}/versions.tmpl.nix + outfile=nix/os/devices/{{ devicename }}/versions.nix + + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi - just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }} + esh -o ${outfile} ${template} + if ! test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi - git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions" + just -v rebuild-remote-device {{ devicename }} {{target}} dry-activate || { + echo ERROR: rebuild in mode 'dry-active' failed after updating ${outfile} + exit 1 + } + + just -v rebuild-remote-device {{ devicename }} {{ target }} {{ rebuildmode }} || { + echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile} + exit 1 + } + + git commit -v ${outfile} -m "nix/os/devices/{{ devicename }}: bump versions" # Re-render the versions of the current device and rebuild its environment -update-this-device rebuild-mode='switch' +moreargs='': - #!/usr/bin/env bash - set -e +update-this-device rebuild-mode='switch': + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/$(hostname -s) - nix flake update - ) + template=nix/os/devices/$(hostname -s)/versions.tmpl.nix + outfile=nix/os/devices/$(hostname -s)/versions.nix - 
just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }} + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi - git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions" + esh -o ${outfile} ${template} + if ! test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi + + export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log + just -v rebuild-this-device dry-activate || { + echo ERROR: Update failed, reverting ${outfile}... + exit 1 + } + + just -v rebuild-this-device {{rebuild-mode}} || { + echo ERROR: Rebuilding in {{rebuild-mode}}-mode failed + exit 1 + } + + git commit -v ${outfile} -m "nix/os/devices/$(hostname -s): bump versions" # Rebuild an offline system rebuild-disk device: - #!/usr/bin/env bash - set -xe + #!/usr/bin/env bash + set -xe - just -v disk-mount {{ device }} - trap "set +e; just -v disk-umount {{ device }}" EXIT - just -v disk-install {{ device }} + just -v disk-mount {{device}} + trap "set +e; just -v disk-umount {{device}}" EXIT + just -v disk-install {{device}} # Re-render the versions of the given offline system and reinstall it in offline-mode update-disk dir: - #!/usr/bin/env bash - set -exuo pipefail + #!/usr/bin/env bash + set -exuo pipefail - dir={{ dir }} + dir={{dir}} - template={{ dir }}/versions.tmpl.nix - outfile={{ dir }}/versions.nix + template={{dir}}/versions.tmpl.nix + outfile={{dir}}/versions.nix - if ! test -e ${template}; then - template="$(just _DEFAULT_VERSION_TMPL)" - fi + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi - esh -o ${outfile} ${template} - if ! test "$(git diff ${outfile})"; then - echo Already on latest versions - exit 0 - fi + esh -o ${outfile} ${template} + if ! 
test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi - export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log - just -v rebuild-disk {{ dir }} || { - echo ERROR: Update of {{ dir }} failed, reverting ${outfile}... - exit 1 - } + export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log + just -v rebuild-disk {{dir}} || { + echo ERROR: Update of {{dir}} failed, reverting ${outfile}... + exit 1 + } - git commit -v ${outfile} -m "${dir}: bump versions" + git commit -v ${outfile} -m "${dir}: bump versions" # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L) hm-iterate-qtile: - #!/usr/bin/env bash - set -xe - home-manager switch || just -v rebuild-this-device switch - Xephyr -ac -br -resizeable :1 & - XEPHYR_PID=$! - echo ${XEPHYR_PID} - DISPLAY=:1 $(grep qtile ~/.xsession) & - echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L" - wait $! - kill ${XEPHYR_PID} + #!/usr/bin/env bash + set -xe + home-manager switch || just -v rebuild-this-device switch + Xephyr -ac -br -resizeable :1 & + XEPHYR_PID=$! + echo ${XEPHYR_PID} + DISPLAY=:1 $(grep qtile ~/.xsession) & + echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L" + wait $! + kill ${XEPHYR_PID} # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device. disk-prepare dir: - just -v _device diskPrepare {{ dir }} + just -v _device diskPrepare {{dir}} disk-relabel dir previous: - just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }} + just -v _device diskRelabel {{dir}} --argstr previousDiskId {{previous}} # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 
'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' disk-mount dir: - just -v _device diskMount {{ dir }} - + just -v _device diskMount {{dir}} # Unmount target disk, specified by device configuration directory disk-umount dir: - just -v _device diskUmount {{ dir }} + just -v _device diskUmount {{dir}} # Perform an offline installation on the mounted target disk, specified by device configuration directory disk-install dir: _render_templates - just -v _device diskInstall {{ dir }} + just -v _device diskInstall {{dir}} + verify-n-unlock sshserver attempts="10": - #!/usr/bin/env bash - set -e - env \ - GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \ - SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \ - VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \ - VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCPW)" \ - \ - just _verify-n-unlock {{ sshserver }} {{ attempts }} + #!/usr/bin/env bash + set -e + env \ + GETPW="just _get_pass_entry Infrastructure/VPS/{{sshserver}} DRIVE_PW" \ + SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} SSHOPTS)" \ + VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCSOCK)" \ + VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCPW)" \ + \ + just _verify-n-unlock {{sshserver}} {{attempts}} _verify-n-unlock sshserver attempts: - #!/usr/bin/env bash - set -e - : ${VNCSOCK:?VNCSOCK must be set} - : ${VNCPW:?VNCPW must be set} + #!/usr/bin/env bash + set -e + : ${VNCSOCK:?VNCSOCK must be set} + : ${VNCPW:?VNCPW must be set} - export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" - export TESS_ARGS="-c debug_file=/dev/null --psm 4" + export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 
1x65535" + export TESS_ARGS="-c debug_file=/dev/null --psm 4" - function send() { - local what="${1:?need something to send}" - ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null - } + function send() { + local what="${1:?need something to send}" + ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null + } - function expect() { - local what="${1:?need something to expect}" - vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp - convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff - tesseract ${TESS_ARGS} screenshot.tiff screenshot - grep --quiet "${what}" screenshot.txt - } + function expect() { + local what="${1:?need something to expect}" + vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp + convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff + tesseract ${TESS_ARGS} screenshot.tiff screenshot + grep --quiet "${what}" screenshot.txt + } - function send_and_expect() { - local send="${1:?need something to send}" - local expect="${2:?need something to expect}" - if ! send "${send}"; then - echo warning: cannot send > /dev/stderr - return -1 - fi - expect "${expect}" - } + function send_and_expect() { + local send="${1:?need something to send}" + local expect="${2:?need something to expect}" + if ! send "${send}"; then + echo warning: cannot send > /dev/stderr + return -1 + fi + expect "${expect}" + } - trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT + trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT - for i in `seq 1 {{ attempts }}`; do - echo Attempt $i... 
- expect="$(pwgen -0 12)" - send="'\0033\0143'${expect}" - if send_and_expect "${send}" "${expect}"; then - pipe=$(mktemp -u) - mkfifo ${pipe} - exec 3<>${pipe} - rm ${pipe} + for i in `seq 1 {{attempts}}`; do + echo Attempt $i... + expect="$(pwgen -0 12)" + send="'\0033\0143'${expect}" + if send_and_expect "${send}" "${expect}"; then + pipe=$(mktemp -u) + mkfifo ${pipe} + exec 3<>${pipe} + rm ${pipe} - echo Verification succeeded at attempt $i. Unlocking remote drive... - ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null & - eval ${GETPW} | head -n1 >&3 + echo Verification succeeded at attempt $i. Unlocking remote drive... + ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null & + eval ${GETPW} | head -n1 >&3 - for j in `seq 1 120`; do - sleep 0.5 - if expect '— success'; then - echo Unlock successful. - exit 0 - fi - done + for j in `seq 1 120`; do + sleep 0.5 + if expect '— success'; then + echo Unlock successful. + exit 0 + fi + done - echo Unlock failed... - exit 1 - fi - done - echo Verification failed {{ attempts }} times. Giving up... - exit 1 + echo Unlock failed... + exit 1 + fi + done + echo Verification failed {{attempts}} times. Giving up... 
+ exit 1 _get_pass_entry path key: - pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g' + pass show {{path}}| grep -E "^{{key}}:" | sed -E 's/^[^:]+: *//g' run-with-channels +cmds: - #!/usr/bin/env bash - source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) - {{ cmds }} + #!/usr/bin/env bash + source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) + {{cmds}} install-config config root: - sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd + sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd # Switch between gpg-card capable devices which have a copy of the same key -switch-gpg-card key-id="6EEFA706CB17E89B": - #!/usr/bin/env bash - # - # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. - # - # Connect the new device and then run this script to make it known to gnupg. - # - set -xe - if [[ -n "{{ key-id }}" ]]; then - KEY_ID="{{ key-id }}" - else - KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') - fi +switch-gpg-card: + #!/usr/bin/env bash + # + # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. + # + # Connect the new device and then run this script to make it known to gnupg. 
+ # + set -xe + KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') - # export pubkey and ownertrust - gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" - # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` - gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust + # export pubkey and ownertrust + gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" + # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` + gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust - # delete the key - gpg --yes --delete-secret-and-public-keys "${KEY_ID}" + # delete the key + gpg --yes --delete-secret-and-public-keys "${KEY_ID}" - # import pubkey and ownertrust back and cleanup - gpg2 --import "${KEY_ID}".pubkey - gpg2 --import-ownertrust < "${KEY_ID}".ownertrust - rm "${KEY_ID}".{pubkey,ownertrust} + # import pubkey and ownertrust back and cleanup + gpg2 --import "${KEY_ID}".pubkey + gpg2 --import-ownertrust < "${KEY_ID}".ownertrust + rm "${KEY_ID}".{pubkey,ownertrust} - # refresh the gpg agent - gpg-connect-agent "scd serialno" "learn --force" /bye - gpg --card-status + # refresh the gpg agent + gpg-connect-agent "scd serialno" "learn --force" /bye + gpg --card-status # Connect to `remote` UUID, and turn it into a short name uuid-to-device-name remote: - #!/usr/bin/env bash - set -e -o pipefail - ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' + #!/usr/bin/env bash + set -e -o pipefail + ssh {{remote}} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' test-connection: - #! /usr/bin/env nix-shell - #! nix-shell -p curl zsh - #! nix-shell -i zsh - #! nix-shell --pure + #! /usr/bin/env nix-shell + #! nix-shell -p curl zsh + #! nix-shell -i zsh + #! 
nix-shell --pure - while true; do - FAILURE="false" - output=$( - echo "$(date)\n---" - for url in \ - "https://172.16.0.1:65443/0.7/gui/#/login/" \ - "https://192.168.0.1" \ - "http://172.172.171.9" \ - "https://172.172.171.10:65443" \ - "https://172.172.171.11:65443" \ - "https://172.172.171.13:443" \ - "https://172.172.171.14:443" \ - "http://172.172.171.15:22" \ - "http://172.172.171.16:22" \ - "https://crates.io" \ - "https://holo.host" \ - ; \ - do - print "trying ${url}": $( - curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) - # if [ $? -ne 0 ]; then - if [[ "$curl_output" == *timeout* ]]; then - echo failure: $(echo ${curl_output} | tail -n1) - # BUG: outer FAILURE is not set by this - FAILURE="true" - else - echo success - fi - ) - done - ) - clear - echo ${output} + while true; do + FAILURE="false" + output=$( + echo "$(date)\n---" + for url in \ + "https://172.16.0.1:65443/0.7/gui/#/login/" \ + "https://192.168.0.1" \ + "http://172.172.171.9" \ + "https://172.172.171.10:65443" \ + "https://172.172.171.11:65443" \ + "https://172.172.171.13:443" \ + "https://172.172.171.14:443" \ + "http://172.172.171.15:22" \ + "http://172.172.171.16:22" \ + "https://crates.io" \ + "https://holo.host" \ + ; \ + do + print "trying ${url}": $( + curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) + # if [ $? 
-ne 0 ]; then + if [[ "$curl_output" == *timeout* ]]; then + echo failure: $(echo ${curl_output} | tail -n1) + # BUG: outer FAILURE is not set by this + FAILURE="true" + else + echo success + fi + ) + done + ) + clear + echo ${output} - if [[ ${FAILURE} == "true" ]]; then - echo something failed - tracepath -m5 -n1 172.16.0.1 - tracepath -m5 -n1 192.168.0.1 - fi + if [[ ${FAILURE} == "true" ]]; then + echo something failed + tracepath -m5 -n1 172.16.0.1 + tracepath -m5 -n1 192.168.0.1 + fi - sleep 5 - done - -cachix-use name: - nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/ - -update-sops-keys: - for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done - -deploy-router0-dmz0: - NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1 - -ttyusb: - screen -fa /dev/ttyUSB0 115200 + sleep 5 + done diff --git a/README.md b/README.md index 5d32951..fc6658a 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,4 @@ # steveej's infra - This repository helps me to manage all computer infrastructure. This is mostly achieved with the help of [Nix](https://nixos.org). @@ -20,7 +19,7 @@ In the unlikely case that you actually read this and have any questions please d - [ ] development environments - [x] (Semi-) automatic synchronization of important repositories - [x] Modification strategy - The approach is to use vcsh for the dotfiles + The approach is to use vcsh for the dotfiles - [x] dotfiles - [x] Toplevel Justfile for simple actions - [x] mount/umount disks 
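Review bot: In the new `update-this-device` body, the `dry-activate` failure branch prints `ERROR: Update failed, reverting ${outfile}...` and then runs `exit 1` without touching the file, so the freshly rendered `versions.nix` stays modified in the working tree; `update-disk` carries the same message with the same gap. Either restore the file before exiting, `git checkout -- ${outfile}` ahead of each `exit 1`, or reword the message to say the rendered file is left in place. The matching branch in `update-remote-device` reports the mode as `'dry-active'` although the recipe is invoked with `dry-activate`. The `export SYSREBUILD_LOG=...` line in `update-this-device` looks dead, since `rebuild-this-device` re-exports the same name before using it — confirm before removing.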
@@ -30,56 +29,23 @@ In the unlikely case that you actually read this and have any questions please d - [x] annotate recipes with some documentation - [x] declare shell.nix with runtime deps - [x] partition/encrypt/format disks -- [x] Maybe make this a nix-overlay -- [x] refactor as a nix flake and adopt an existing framework - - [x] devShell version - - [x] ~~version templating~~ obsolete due to the usage of flakes - - [x] elias-e525 - - [x] steveej-t14 - - [x] contabo vps - - [x] sj-pve0 -- [x] use an existing secret management framework -- [x] adapt (or abandon?) _just_ recipes - - - [x] `rebuild-this-device` - - [x] `update-this-device` - - [x] `rebuild-remote-device` - - [x] `update-remote-device` - - evaluate, and understand a path to using these tools in a pull-based fashion: - - - [x] [colmena](https://github.com/zhaofengli/colmena) - - bootstrapping: https://github.com/zhaofengli/colmena/issues/68 - - [ ] deploy-rs - -- [x] 🚧 find a better alternative for the qtile-desktop - current issues: - - - floating windows often get lost in the background - - plugging in-/out- screen crashes the desktop - - evaluate: - - - [x] ~~🚧 gnome3 + pop-shell~~ - - [x] ~~leftwm + eww (+ wayland?)~~ - -- [ ] (Re-)document bootstrap process +- [ ] Document bootstrap process - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] a new machine - [ ] an install media - [ ] Design disaster recovery - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 -- [ ] Recycle _\_archived_ +- [ ] Recycle *\_archived* +- [x] Maybe make this a nix-overlay - [ ] container migrations - [ ] ensure DDNS is updated _before_ the containers are started -## Bugs +## Bugs - [ ] home-manager leaves ~/.gnupg at 0755 ## Usage - -_(These are reminders for my future self)_ +*(These are reminders for my future self)* ``` just --list 
@@ -88,17 +54,15 @@ just --list ## Bootstrap ### A new machine +* ensure the dotfiles repo has a branch with the new machine's hostname -- ensure the dotfiles repo has a branch with the new machine's hostname - -- boot with an install media and go through setup +* boot with an install media and go through setup #### Post-Install Setup - -- `chmod --recursive g-rwx,o-rwx ~/.gnupg` -- `gpg2 --edit-card; fetch` -- clone password-manager and infra repositories -- gpg2: ultimately trust my own key +* `chmod --recursive g-rwx,o-rwx ~/.gnupg` +* `gpg2 --edit-card; fetch` +* clone password-manager and infra repositories +* gpg2: ultimately trust my own key ## Swapping out a disk @@ -107,18 +71,10 @@ just --list 3. replace the driveId in the device's hw.nix 4. run the `just disk-relabel nix/os/devices/ ` command to rename the filesystem and volume group -## Rebuilding an offline system +## Backup + +### Copy existing subvolumes to new backup target ``` -( -sudo cryptsetup open /dev/sdb3 steveej-t14s-cryptroot -sleep 5 - -sudo mkdir -p /mnt/root -sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root -o subvol=nixos -sudo mount /dev/sdb2 /mnt/root/boot -sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root/home -o subvol=home - -sudo nixos-install -v --flake .#steveej-t14 --root /mnt/root/ --no-root-password -) +`systemctl cat bkp-run | grep ExecStart | awk -F '=' '{print $2}'` --verbose --progress archive /var/lib/container-volumes ssh://[IP]:[PORT]/mnt/backup/container-volumes/ ``` diff --git a/_archive/environments/dev/cross.nix b/_archive/environments/dev/cross.nix new file mode 100644 index 0000000..65e6c09 --- /dev/null +++ b/_archive/environments/dev/cross.nix 
@@ -0,0 +1,90 @@ +import /home/steveej/src/github/NixOS/nixpkgs/default.nix { + crossSystem = rec { + config = "armv7l-unknown-linux-gnueabi"; + bigEndian = false; + arch = "arm"; + float = "hard"; + fpu = "vfpv3-d16"; + withTLS = true; + libc = "glibc"; + platform = { + name = "armv7l-hf-multiplatform"; + gcc = { + arch = "armv7-a"; + fpu = "neon"; + float = "hard"; + }; + kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc. + kernelHeadersBaseConfig = "multi_v7_defconfig"; + kernelBaseConfig = "multi_v7_defconfig"; + kernelArch = "arm"; + kernelDTB = true; + kernelAutoModules = false; + kernelExtraConfig = '' + NAMESPACES y + BTRFS_FS y + BTRFS_FS_POSIX_ACL y + OVERLAY_FS y + FUSE_FS y + ''; + kernelTarget = "zImage"; + uboot = null; + }; + openssl.system = "linux-generic32"; + gcc = { + arch = "armv7-a"; + fpu = "neon"; + float = "hard"; + }; + }; +} +# pkgs.config = { +# packageOverrides = super: let self = super.pkgs; in { +# linux_4_0 = super.linux_3_18.override { +# kernelPatches = super.linux_3_18.kernelPatches ++ [ +# # we'll also add one of our own patches +# { patch = ./dts.patch; name = "dts-fix"; } +# ]; +# +# # add "CONFIG_PPP_FILTER y" option to the set of kernel options +# extraConfig = '' +# HAVE_IMX_ANATOP y +# HAVE_IMX_GPC y +# HAVE_IMX_MMDC y +# HAVE_IMX_SRC y +# SOC_IMX6 y +# SOC_IMX6Q y +# SOC_IMX6SL y +# PCI_IMX6 y +# ARM_IMX6Q_CPUFREQ y +# IMX_WEIM y +# AHCI_IMX y +# SERIAL_IMX y +# SERIAL_IMX_CONSOLE y +# I2C_IMX y +# SPI_IMX y +# PINCTRL_IMX y +# PINCTRL_IMX6Q y +# PINCTRL_IMX6SL y +# POWER_RESET_IMX y +# IMX_THERMAL y +# IMX2_WDT y +# IMX_IPUV3_CORE y +# DRM_IMX y +# DRM_IMX_FB_HELPER y +# DRM_IMX_PARALLEL_DISPLAY y +# DRM_IMX_TVE y +# DRM_IMX_LDB y +# DRM_IMX_IPUV3 y +# DRM_IMX_HDMI y +# MMC_SDHCI_ESDHC_IMX y +# IMX_SDMA y +# PWM_IMX y +# DEBUG_IMX6Q_UART y +# +# PPP_FILTER y +# ''; +# }; +# }; +# }; + 
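Review bot: The expression imports nixpkgs from the absolute path `/home/steveej/src/github/NixOS/nixpkgs/default.nix`, which only resolves on one machine and pins no revision, so nothing about it is reproducible elsewhere; `go/default.nix` and `pandoc.nix` in this commit default `gitpkgs` to the same path. If these archived files are kept as reference only, a one-line header such as `# Archived: depends on a local nixpkgs checkout and is not evaluated anywhere` would make that explicit to the next reader. The commented-out `pkgs.config` block of roughly fifty lines at the bottom is not usable as written and could be dropped or summarized in one sentence.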
diff --git a/_archive/environments/dev/go/default.nix b/_archive/environments/dev/go/default.nix new file mode 100644 index 0000000..c92aa9d --- /dev/null +++ b/_archive/environments/dev/go/default.nix 
@@ -0,0 +1,89 @@
+{
+ gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
+ pkgs ? gitpkgs,
+ name ? "generic",
+ version,
+ extraBuildInputs ? [],
+ extraShellHook ? "",
+}: let
+ go = builtins.getAttr "go_${version}" pkgs;
+ commonVimRC = ''
+ let g:tagbar_type_go = {
+ \ 'ctagstype' : 'go',
+ \ 'kinds' : [
+ \ 'p:package',
+ \ 'i:imports:1',
+ \ 'c:constants',
+ \ 'v:variables',
+ \ 't:types',
+ \ 'n:interfaces',
+ \ 'w:fields',
+ \ 'e:embedded',
+ \ 'm:methods',
+ \ 'r:constructor',
+ \ 'f:functions'
+ \ ],
+ \ 'sro' : '.',
+ \ 'kind2scope' : {
+ \ 't' : 'ctype',
+ \ 'n' : 'ntype'
+ \ },
+ \ 'scope2kind' : {
+ \ 'ctype' : 't',
+ \ 'ntype' : 'n'
+ \ },
+ \ 'ctagsbin' : 'gotags',
+ \ 'ctagsargs' : '-sort -silent'
+ \ }
+
+ " vim-go {
+ let g:go_highlight_functions = 1
+ let g:go_highlight_methods = 1
+ let g:go_highlight_structs = 1
+ let g:go_highlight_interfaces = 1
+ let g:go_highlight_operators = 1
+ let g:go_highlight_build_constraints = 1
+ let g:go_fmt_command = 'gofmt'
+ let g:go_fmt_options= '-s'
+ let g:go_def_mode = 'godef'
+ let g:go_def_reuse_buffer = 0
+
+ au FileType go nmap gds (go-def-split)
+ au FileType go nmap gdv (go-def-vertical)
+ au FileType go nmap gdt (go-def-tab)
+ au FileType go nmap gi (go-imports)
+ " }
+ '';
+ buildInputs = with pkgs; [
+ glibc.out
+ glibc.static
+
+ go
+ gotools
+ #gotools.bin
+ #gocode.bin
+ #godef godef.bin
+ godep
+ #godep.bin
+ gox.bin
+ #ginkgo ginkgo.bin
+ #gomega
+ # ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
+ # ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } )
+ ];
+in
+ pkgs.stdenv.mkDerivation {
+ inherit name;
+ buildInputs = extraBuildInputs ++ buildInputs;
+ shellHook = ''
+ goname=${go.version}_$name
+ # FIXME: setPS1 $goname
+ export GOROOT=${go}/share/go
+ export GOPATH="$HOME/.gopath_$goname"
+ export PATH="$HOME/.gopath_$goname/bin:$PATH"
+ unset name
+ unset SSL_CERT_FILE
+
+ ${extraShellHook}
+ '';
+ }
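Review bot: `unset SSL_CERT_FILE` near the end of shellHook changes which CA bundle Go and every other TLS client started from this shell will trust, and nothing in the hunk says why; on NixOS that variable is commonly what points tools at the system bundle, so after this line certificate verification depends on each tool's compiled-in default, which may be absent inside a nix-shell. Either drop the line or give it a reason the next reader can check, e.g. `# unset so go/curl use their built-in CA lookup rather than the Nix-provided bundle -- TODO confirm still required`. The same hook leaves `setPS1` as a FIXME, while the pandoc and rust defaults in this commit call it unconditionally.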
diff --git a/_archive/environments/dev/go/neovim-go.nix b/_archive/environments/dev/go/neovim-go.nix new file mode 100644 index 0000000..1bbc4dc --- /dev/null +++ b/_archive/environments/dev/go/neovim-go.nix @@ -0,0 +1,12 @@ +{commonRC, ...} @ args: (import ../../pkg-configuration/vim-derivates/neovim.nix args + // { + additionalRC = + commonRC + + '' + " deoplete { + let g:deoplete#enable_at_startup = 1 + let g:deoplete#enable_smart_case = 1 + " } + ''; + additionalPlugins = ["deoplete-go" "deoplete-nvim" "vim-go"]; + }) diff --git a/_archive/environments/dev/pandoc.nix b/_archive/environments/dev/pandoc.nix new file mode 100644 index 0000000..fc4a298 --- /dev/null +++ b/_archive/environments/dev/pandoc.nix @@ -0,0 +1,31 @@ +{ + gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, + pkgs ? gitpkgs, + name ? "generic", + version ? "Stable", + extraBuildInputs ? [], +}: let + commonVimRC = ""; +in + pkgs.stdenv.mkDerivation { + inherit name; + buildInputs = with pkgs; + [ + (import ./vim-pandoc.nix { + pkgs = gitpkgs; + commonRC = commonVimRC; + }) + pandoc + texlive.combined.scheme-medium + python27Packages.pandocfilters + python27Packages.htmltreediff + python27Packages.html5lib + python27Packages.dbus-python + ] + ++ extraBuildInputs; + shellHook = '' + pandocname=pandoc_${pkgs.pandoc.version} + setPS1 $pandocname + unset name + ''; + } diff --git a/_archive/environments/dev/rkt.nix b/_archive/environments/dev/rkt.nix new file mode 100644 index 0000000..aa01935 --- /dev/null +++ b/_archive/environments/dev/rkt.nix 
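Review bot: pandoc.nix's buildInputs pull in `python27Packages.pandocfilters`, `python27Packages.htmltreediff`, `python27Packages.html5lib` and `python27Packages.dbus-python`, i.e. a Python 2.7 interpreter and libraries that no longer receive security fixes; if the environment is kept only for reference a header comment should say so, otherwise the entries should move to their `python3Packages` equivalents where those exist. The shellHook also calls `setPS1 $pandocname`, a function that is not defined anywhere in this hunk (the go default.nix in the same commit leaves the equivalent call commented out as a FIXME), so entering the shell presumably prints a command-not-found error unless the caller's environment supplies it.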
@@ -0,0 +1,71 @@
+{
+ pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
+ mkGoEnv ? import ./go.nix,
+ rktPath,
+}: let
+ rktBasebuildInputs = with pkgs; [
+ glibc.out
+ glibc.static
+ autoreconfHook
+ gnupg1
+ squashfsTools
+ cpio
+ tree
+ intltool
+ libtool
+ pkgconfig
+ libgcrypt
+ gperf
+ libcap
+ libseccomp
+ libzip
+ eject
+ iptables
+ bc
+ acl
+ trousers
+ systemd
+ ];
+ extraShellHook = ''
+ TARGET=$GOPATH/src/github.com/coreos/rkt
+ if [[ -e ${rktPath}/rkt/rkt.go ]]; then
+ pushd ${rktPath}
+ else
+ echo rktPath must be run the rkt repository clone, but got '${rktPath}'
+ exit 1
+ fi
+ if ! [[ -e $TARGET/rkt/rkt.go ]]; then
+ mkdir -p $TARGET
+ echo $PWD
+ sudo -E mount -o bind $PWD $TARGET
+ fi
+ pushd $TARGET
+ '';
+in {
+ go15 = mkGoEnv {
+ inherit pkgs;
+
+ name = "rktGo15";
+ version = "1_5";
+ extraBuildInputs = rktBasebuildInputs;
+ inherit extraShellHook;
+ };
+
+ go16 = mkGoEnv {
+ inherit pkgs;
+
+ name = "rktGo16";
+ version = "1_6";
+ extraBuildInputs = rktBasebuildInputs;
+ inherit extraShellHook;
+ };
+
+ go17 = mkGoEnv {
+ inherit pkgs;
+
+ name = "rktGo17";
+ version = "1_7";
+ extraBuildInputs = rktBasebuildInputs;
+ inherit extraShellHook;
+ };
+}
diff --git a/_archive/environments/dev/rust/.envrc b/_archive/environments/dev/rust/.envrc
new file mode 100644
index 0000000..051d09d
--- /dev/null
+++ b/_archive/environments/dev/rust/.envrc
@@ -0,0 +1 @@
+eval "$(lorri direnv)"
diff --git a/_archive/environments/dev/rust/default.nix b/_archive/environments/dev/rust/default.nix
new file mode 100644
index 0000000..11caffa
--- /dev/null
+++ b/_archive/environments/dev/rust/default.nix
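Review bot: The extraShellHook in rkt.nix runs `sudo -E mount -o bind $PWD $TARGET` whenever `$TARGET/rkt/rkt.go` is missing, so merely entering the dev shell performs a privileged mount with the caller's entire environment handed to the root process (`-E`), and nothing ever unmounts it. `$PWD` and `$TARGET` are unquoted, so a path containing whitespace splits into extra mount arguments; at minimum quote them and state the privilege requirement next to the call: `# needs root: bind-mounts the checkout into GOPATH and is not undone on exit` followed by `sudo -E mount -o bind "$PWD" "$TARGET"`. Note also that `exit 1` in the else branch will most likely terminate the interactive shell the hook is evaluated in rather than report an error and continue, and the message on the echo line reads oddly ("rktPath must be run the rkt repository clone").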
@@ -0,0 +1,39 @@ +{ + gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, + pkgs ? gitpkgs, + name ? "generic", + version ? "Stable", + extraBuildInputs ? [], +}: let + rustPackages = builtins.getAttr "rust${version}" pkgs; + rustc = rustPackages.rustc; + rustShellHook = { + rustc, + name, + }: '' + rustname=rust_${rustc.version}_${name} + setPS1 $rustname + unset name + ''; + commonVimRC = ""; +in + pkgs.stdenv.mkDerivation { + inherit name; + buildInputs = with rustPackages; + [ + (import ./vim-rust.nix { + pkgs = gitpkgs; + commonRC = commonVimRC; + inherit rustc; + racerd = pkgs.rustracerd; + }) + rustc + cargo + ] + ++ [pkgs.rustfmt] + ++ extraBuildInputs; + shellHook = rustShellHook { + inherit name; + inherit rustc; + }; + } diff --git a/_archive/environments/dev/vim-go.nix b/_archive/environments/dev/vim-go.nix new file mode 100644 index 0000000..6eacc45 --- /dev/null +++ b/_archive/environments/dev/vim-go.nix @@ -0,0 +1,19 @@ +{commonRC, ...} @ args: +import ../../pkg-configuration/vim-derivates/vim.nix (args + // { + name = "vim-for-go"; + additionalRC = + commonRC + + '' + " Disable AutoComplPop. + let g:acp_enableAtStartup = 0 + " Use neocomplete. + let g:neocomplete#enable_at_startup = 1 + " Use smartcase. + let g:neocomplete#enable_smart_case = 1 + if !exists('g:neocomplete#sources#omni#input_patterns') + let g:neocomplete#sources#omni#input_patterns = {} + endif + ''; + additionalPlugins = ["neocomplete" "vim-go"]; + }) diff --git a/_archive/environments/dev/vim-pandoc.nix b/_archive/environments/dev/vim-pandoc.nix new file mode 100644 index 0000000..7fc03f2 --- /dev/null +++ b/_archive/environments/dev/vim-pandoc.nix 
@@ -0,0 +1,18 @@ +{commonRC, ...} @ args: +import ../../pkg-configuration/vim-derivates/vim.nix (args + // { + name = "vim-for-pandoc"; + additionalRC = + commonRC + + '' + set statusline+=%#warningmsg# + set statusline+=%{SyntasticStatuslineFlag()} + set statusline+=%* + + let g:syntastic_always_populate_loc_list = 1 + let g:syntastic_auto_loc_list = 1 + let g:syntastic_check_on_open = 1 + let g:syntastic_check_on_wq = 0 + ''; + additionalPlugins = ["vim-pandoc" "vim-pandoc-syntax" "vimpreviewpandoc"]; + }) diff --git a/_archive/environments/dev/vim-rust.nix b/_archive/environments/dev/vim-rust.nix new file mode 100644 index 0000000..56e3c7d --- /dev/null +++ b/_archive/environments/dev/vim-rust.nix @@ -0,0 +1,48 @@ +{ + commonRC, + rustc, + racerd, + ... +} @ args: +import ../../pkg-configuration/vim-derivates/vim.nix (args + // { + name = "vim-for-rust"; + additionalRC = + commonRC + + '' + set statusline+=%#warningmsg# + set statusline+=%{SyntasticStatuslineFlag()} + set statusline+=%* + + let g:syntastic_always_populate_loc_list = 1 + let g:syntastic_auto_loc_list = 1 + let g:syntastic_check_on_open = 1 + let g:syntastic_check_on_wq = 0 + + " tagbar + let g:tagbar_type_rust = { + \ 'ctagstype' : 'rust', + \ 'kinds' : [ + \'T:types,type definitions', + \'f:functions,function definitions', + \'g:enum,enumeration names', + \'s:structure names', + \'m:modules,module names', + \'c:consts,static constants', + \'t:traits,traits', + \'i:impls,trait implementations', + \] + \} + + let g:syntastic_rust_checkers = ["rustc"] + + "rustfmt + let g:rustfmt_autosave = 1 + + let g:ycm_auto_trigger = 1 + let g:ycm_rust_src_path = '${rustc.src}/src' + let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd' + + ''; + additionalPlugins = ["rust-vim"]; + }) diff --git a/_archive/environments/fhs/android.nix b/_archive/environments/fhs/android.nix new file mode 100644 index 0000000..074469e --- /dev/null +++ b/_archive/environments/fhs/android.nix 
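Review bot: The three `set statusline+=` lines and the four `g:syntastic_*` settings at the top of vim-rust.nix's additionalRC are byte-identical to the block in vim-pandoc.nix in this same commit, even though both files already receive and concatenate a `commonRC` parameter that exists for shared settings; hoisting the syntastic block into the callers' `commonRC` would keep the two from drifting. The ycm lines that interpolate `${rustc.src}/src` and `${racerd.out}/bin/racerd` are the only rust-specific part that genuinely needs to stay here.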
@@ -0,0 +1,42 @@
+{pkgs ? import {}}:
+(pkgs.buildFHSUserEnv {
+ name = "devfhs";
+ multiPkgs = pkgs: (with pkgs; [
+ android-udev-rules
+ sudo
+ gawk
+ bzip2
+ file
+ gcc
+ getopt
+ git
+ gnumake
+ ncurses
+ openssl
+ patch
+ perl
+ pkgconfig
+ python
+ openssh
+ subversion
+ unzip
+ wget
+ which
+ vim
+ zlib
+ libusb
+ libusb1
+ systemd
+ strace
+ swt
+ xorg.libXtst
+ glib
+ gtk2
+ gnome.gtk
+ ]);
+ profile = ''
+ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib
+ '';
+ runScript = "bash";
+})
+.env
diff --git a/_archive/environments/fhs/vscode.nix b/_archive/environments/fhs/vscode.nix
new file mode 100644
index 0000000..da08700
--- /dev/null
+++ b/_archive/environments/fhs/vscode.nix
@@ -0,0 +1,36 @@
+{pkgs ? import {}}:
+(pkgs.buildFHSUserEnv {
+ name = "everydayFHS";
+ targetPkgs = pkgs: (with pkgs; [
+ which
+ gitFull
+ zsh
+ file
+ direnv
+
+ xdg_utils
+ xsel
+
+ vscode
+
+ # vscode live share
+ gnome3.gcr
+ libgnome_keyring3
+ liburcu
+ libunwind
+ lttng-ust
+ curl
+ openssl
+ libkrb5
+ libuuid
+ icu
+ zlib
+ libsecret
+ ]);
+ multiPkgs = pkgs: (with pkgs; []);
+ profile = ''
+ export SHELL=/bin/zsh
+ '';
+ # FIXME runScript = "$SHELL";
+})
+.env
diff --git a/_archive/nixos-configuration/common/pkg/neovim.nix b/_archive/nixos-configuration/common/pkg/neovim.nix
new file mode 100644
index 0000000..a6d50b8
--- /dev/null
+++ b/_archive/nixos-configuration/common/pkg/neovim.nix
@@ -0,0 +1,10 @@
+{
+ config,
+ pkgs,
+ ...
+} @ args: {
+ environment.systemPackages = [
+ pkgs.xsel
+ (import ../../../pkg-configuration/vim-derivates/neovim.nix args)
+ ];
+}
diff --git a/_archive/nixos-configuration/common/pkg/vim.nix b/_archive/nixos-configuration/common/pkg/vim.nix
new file mode 100644
index 0000000..79a3384
--- /dev/null
+++ b/_archive/nixos-configuration/common/pkg/vim.nix
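Review bot: In android.nix's `profile`, `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:...` yields a value that begins with `:` whenever LD_LIBRARY_PATH is unset, and the glibc loader treats an empty path entry as the current working directory, so every binary started inside this FHS env would also search for shared objects in whichever directory the user happens to be in. Emit the separator only when the variable is non-empty, remembering that `${` must be escaped inside a Nix indented string: `export LD_LIBRARY_PATH=''${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib`. Listing `sudo` in multiPkgs presumably yields a non-setuid binary inside the sandbox, so it will not actually elevate privileges; a comment saying what it is expected to do, or removing it, would avoid a false sense of capability.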
@@ -0,0 +1,7 @@
+{pkgs, ...} @ args: {
+ environment.systemPackages = [
+ pkgs.xsel
+ (import ../../../pkg-configuration/vim-derivates/vim.nix
+ (args // {name = "vim";}))
+ ];
+}
diff --git a/_archive/nixos-configuration/common/user/steveej.nix b/_archive/nixos-configuration/common/user/steveej.nix
new file mode 100644
index 0000000..9cd4c3e
--- /dev/null
+++ b/_archive/nixos-configuration/common/user/steveej.nix
@@ -0,0 +1,20 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ passwords = import ../passwords.crypt.nix;
+ keys = import ../keys.nix;
+ inherit (import ../lib) mkUser;
+in {
+ users.mutableUsers = false;
+ users.defaultUserShell = pkgs.zsh;
+
+ users.extraUsers.steveej = mkUser {
+ uid = 1000;
+ hashedPassword = passwords.users.steveej;
+ };
+
+ security.pam.enableU2F = true;
+ security.pam.services.steveej.u2fAuth = true;
+}
diff --git a/default.nix b/default.nix
index 6aba02e..e386421 100644
--- a/default.nix
+++ b/default.nix
@@ -4,9 +4,7 @@
 # Having pkgs default to is fine though, and it lets you use short
 # commands such as:
 # nix-build -A mypackage
-{
- pkgs ? import { },
-}:
-{
- pkgs = import ./nix/pkgs { inherit pkgs; };
+{pkgs ? import {}}: {
+ overlays = import ./nix/overlays;
+ pkgs = import ./nix/pkgs {inherit pkgs;};
 }
diff --git a/flake.lock b/flake.lock
deleted file mode 100644
index 51825f5..0000000
--- a/flake.lock
+++ /dev/null
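Review bot: `hashedPassword = passwords.users.steveej;` in steveej.nix copies the hash out of `passwords.crypt.nix` into the evaluated NixOS configuration, and values passed to `hashedPassword` end up in the world-readable Nix store of the built system (assuming `mkUser` from `../lib` forwards the attribute unchanged), so whatever encryption protects the source file at rest does not extend to the deployed machine. NixOS offers `hashedPasswordFile` (the former `passwordFile`) for this case: it references a root-only file that is read at activation time and never enters the store. If the file is intentionally archived, a comment on that line such as `# NOTE: the hash lands in /nix/store; live configs should use hashedPasswordFile` would keep it from being copied into an active configuration. The `keys` binding two lines above is never used in this file.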
@@ -1,1491 +0,0 @@ -{ - "nodes": { - "aphorme_launcher": { - "flake": false, - "locked": { - "lastModified": 1719922896, - "narHash": "sha256-mOtCz42NFQn+0xPF3gBX4WHfo5UEClSsJ/tF8RdFQkY=", - "owner": "Iaphetes", - "repo": "aphorme_launcher", - "rev": "c7c7ce9f91a31cced181fa501a2cad3c68035def", - "type": "github" - }, - "original": { - "owner": "Iaphetes", - "ref": "main", - "repo": "aphorme_launcher", - "type": "github" - } - }, - "colmena": { - "inputs": { - "flake-compat": "flake-compat", - "flake-utils": "flake-utils", - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "nixpkgs" - ], - "stable": "stable" - }, - "locked": { - "lastModified": 1746816769, - "narHash": "sha256-ymQzXrfHVT8/RJiGbfrNjEeuzXQan46lUJdxEhgivdM=", - "owner": "zhaofengli", - "repo": "colmena", - "rev": "df694ee23be7ed7b2d8b42c245a640f0724eb06c", - "type": "github" - }, - "original": { - "owner": "zhaofengli", - "repo": "colmena", - "type": "github" - } - }, - "crane": { - "locked": { - "lastModified": 1733286231, - "narHash": "sha256-mlIDSv1/jqWnH8JTiOV7GMUNPCXL25+6jmD+7hdxx5o=", - "owner": "ipetkov", - "repo": "crane", - "rev": "af1556ecda8bcf305820f68ec2f9d77b41d9cc80", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixos-anywhere", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1727359191, - "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=", - "owner": "nix-community", - "repo": "disko", - "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "master", - "repo": "disko", - "type": "github" - } - }, - "espanso": { - "flake": false, - "locked": { - "lastModified": 1711840403, - "narHash": "sha256-4y5yHFfA8SmtSJVC2YleoHCUXkgqee+k9A2pRUzqzDo=", - "owner": "espanso", - "repo": "espanso", - "rev": "db97658d1d80697a635b57801696c594eacf057b", - "type": "github" - }, - "original": { - 
"owner": "espanso", - "repo": "espanso", - "rev": "db97658d1d80697a635b57801696c594eacf057b", - "type": "github" - } - }, - "fenix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "rust-analyzer-src": "rust-analyzer-src" - }, - "locked": { - "lastModified": 1733380458, - "narHash": "sha256-H+IQB6cJ7ji/YD537pcSUWlwGGJ49RoYylBonyNW9hk=", - "owner": "nix-community", - "repo": "fenix", - "rev": "08c9e4e29865b60cb81189f8e4de0dccaf297865", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "fenix", - "type": "github" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_3": { - "locked": { - "lastModified": 1717312683, - "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", - "owner": "nix-community", - "repo": "flake-compat", - "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": 
"hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "nixos-anywhere", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1726153070, - "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_3": { - "inputs": { - "nixpkgs-lib": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_4": { - "inputs": { - "nixpkgs-lib": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_5": { - "inputs": { - "nixpkgs-lib": [ - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-utils": { - "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", - "owner": "numtide", - "repo": "flake-utils", - "rev": 
"c0e246b9b83f637f4681389ecabcb2681b4f3af0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_10": { - "inputs": { - "systems": "systems_6" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_5": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - 
"flake-utils_6": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_7": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_8": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_9": { - "inputs": { - "systems": "systems_4" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "get-flake": { - "locked": { - "lastModified": 1714237590, - "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", - "owner": "ursi", - "repo": "get-flake", - "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "ixx": { - "inputs": { - "flake-utils": [ - "nixvim", - "nuschtosSearch", - "flake-utils" - ], - "nixpkgs": [ - "nixvim", - "nuschtosSearch", - "nixpkgs" - ] - }, - "locked": { - 
"lastModified": 1737371634, - "narHash": "sha256-fTVAWzT1UMm1lT+YxHuVPtH+DATrhYfea3B0MxG/cGw=", - "owner": "NuschtOS", - "repo": "ixx", - "rev": "a1176e2a10ce745ff8f63e4af124ece8fe0b1648", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "ref": "v0.0.7", - "repo": "ixx", - "type": "github" - } - }, - "jay": { - "flake": false, - "locked": { - "lastModified": 1732789238, - "narHash": "sha256-Yc87dku8r8m7YeVT9VBwfXYPdEfQbb8JKWbOMts6VqY=", - "owner": "mahkoh", - "repo": "jay", - "rev": "558fe3d3cef435108c7d31f9b3503263a14d38b0", - "type": "github" - }, - "original": { - "owner": "mahkoh", - "repo": "jay", - "type": "github" - } - }, - "lib-aggregate": { - "inputs": { - "flake-utils": "flake-utils_8", - "nixpkgs-lib": "nixpkgs-lib_2" - }, - "locked": { - "lastModified": 1733055216, - "narHash": "sha256-yB2y7tGJxDI/SDQ0D7b6ocRtLTPm93u8ybdIKQGXRDE=", - "owner": "nix-community", - "repo": "lib-aggregate", - "rev": "f67bf0781c69a46bf3a1469f83c98518aa3054c3", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lib-aggregate", - "type": "github" - } - }, - "nix-eval-jobs": { - "inputs": { - "flake-parts": "flake-parts_3", - "nix-github-actions": "nix-github-actions_2", - "nixpkgs": "nixpkgs_4", - "treefmt-nix": "treefmt-nix_2" - }, - "locked": { - "lastModified": 1732631228, - "narHash": "sha256-/7Wyhp00yecUMPNz79gGZpjos8OLHqOfdiWWIQfZA1M=", - "owner": "nix-community", - "repo": "nix-eval-jobs", - "rev": "8f56354b794624689851b2d86c2ce0209cc8f0cf", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-eval-jobs", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "colmena", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": 
"nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-github-actions_2": { - "inputs": { - "nixpkgs": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1731952509, - "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "7b5f051df789b6b20d259924d349a9ba3319b226", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-vscode-extensions": { - "inputs": { - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1740852064, - "narHash": "sha256-A2zUu1n8Bg505s/GUIYUSQFLmYJAvx/01A2OkGAkevk=", - "owner": "nix-community", - "repo": "nix-vscode-extensions", - "rev": "1b34da949d188b205b4132c2b726415fa19d5086", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-vscode-extensions", - "type": "github" - } - }, - "nix4vscode": { - "inputs": { - "nixpkgs": "nixpkgs_2", - "rust-overlay": "rust-overlay", - "systems": "systems_2" - }, - "locked": { - "lastModified": 1733089477, - "narHash": "sha256-G08QoIxpJlnP9PiUdo2ypmKOrgodwVD6pWEa/8CaDOE=", - "owner": "nix-community", - "repo": "nix4vscode", - "rev": "60f266d2584461611a9e91ad44bbda5c1b0f91f8", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix4vscode", - "type": "github" - } - }, - "nixago": { - "inputs": { - "flake-utils": "flake-utils_3", - "nixago-exts": "nixago-exts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1714086354, - "narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", - "owner": "jmgilman", - "repo": "nixago", - "rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", - "type": "github" - }, - "original": { - "owner": "jmgilman", - "repo": "nixago", - "type": "github" - } - }, - "nixago-exts": { - "inputs": { - 
"flake-utils": "flake-utils_4", - "nixago": "nixago_2", - "nixpkgs": [ - "nixago", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1676070308, - "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", - "owner": "nix-community", - "repo": "nixago-extensions", - "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago-extensions", - "type": "github" - } - }, - "nixago-exts_2": { - "inputs": { - "flake-utils": "flake-utils_6", - "nixago": "nixago_3", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixago", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1655508669, - "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", - "owner": "nix-community", - "repo": "nixago-extensions", - "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago-extensions", - "type": "github" - } - }, - "nixago_2": { - "inputs": { - "flake-utils": "flake-utils_5", - "nixago-exts": "nixago-exts_2", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1676070010, - "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", - "owner": "nix-community", - "repo": "nixago", - "rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "rename-config-data", - "repo": "nixago", - "type": "github" - } - }, - "nixago_3": { - "inputs": { - "flake-utils": "flake-utils_7", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixago", - "nixago-exts", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1655405483, - "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", - "owner": "nix-community", - "repo": "nixago", - "rev": "e6a9566c18063db5b120e69e048d3627414e327d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago", - "type": "github" - } - }, - 
"nixos-anywhere": { - "inputs": { - "disko": "disko", - "flake-parts": "flake-parts_2", - "nixos-images": "nixos-images", - "nixos-stable": "nixos-stable", - "nixpkgs": [ - "nixpkgs" - ], - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1733093391, - "narHash": "sha256-tktgkyaBCJDJs0qVyREpETTcpDY7FZbnDurTAM9jIOE=", - "owner": "numtide", - "repo": "nixos-anywhere", - "rev": "9ba099b2ead073e0801b863c880be03a981f2dd1", - "type": "github" - }, - "original": { - "owner": "numtide", - "ref": "main", - "repo": "nixos-anywhere", - "type": "github" - } - }, - "nixos-images": { - "inputs": { - "nixos-stable": [ - "nixos-anywhere", - "nixos-stable" - ], - "nixos-unstable": [ - "nixos-anywhere", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1727367213, - "narHash": "sha256-7O4pi8MmcJpA0nYUQkdolvKGyu6zNjf2gFYD1Q0xppc=", - "owner": "nix-community", - "repo": "nixos-images", - "rev": "3e7978bab153f39f3fc329ad346d35a8871420f7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-images", - "type": "github" - } - }, - "nixos-stable": { - "locked": { - "lastModified": 1727264057, - "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1740547748, - "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3a05eebede89661660945da1f151959900903b6a", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2211": { - "locked": { - "lastModified": 1688392541, - "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": 
"ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2411": { - "locked": { - "lastModified": 1733261153, - "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "b681065d0919f7eb5309a93cea2cfa84dec9aa88", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2505": { - "locked": { - "lastModified": 1747953325, - "narHash": "sha256-y2ZtlIlNTuVJUZCqzZAhIw5rrKP4DOSklev6c8PyCkQ=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "55d1f923c480dadce40f5231feb472e81b0bab48", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-gimp": { - "locked": { - "lastModified": 1735507908, - "narHash": "sha256-VA+khC0S0di6w5Yv1kBNRpAihnt2prT/ehQzsKMhEoA=", - "owner": "jtojnar", - "repo": "nixpkgs", - "rev": "771cf18187fefcfaababd35834917c621447fee8", - "type": "github" - }, - "original": { - "owner": "jtojnar", - "ref": "gimp-meson", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1733096140, - "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - } - }, - "nixpkgs-lib_2": { - "locked": { - "lastModified": 1733015484, - "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - 
"type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1739446958, - "narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "2ff53fe64443980e139eaa286017f53f88336dd0", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-vscodium": { - "locked": { - "lastModified": 1733212471, - "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-wayland": { - "inputs": { - "flake-compat": "flake-compat_3", - "lib-aggregate": "lib-aggregate", - "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": "nixpkgs_5" - }, - "locked": { - "lastModified": 1733388169, - "narHash": "sha256-WCfVVHIuxnz4O7O9BY76apUkA//ujG7rqkjAWCw0ujY=", - "owner": "nix-community", - "repo": "nixpkgs-wayland", - "rev": "fe88399ae2d22a5381c65a51f8e5a0e4f2e7a38b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs-wayland", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1722421184, - "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1722415718, - "narHash": "sha256-5US0/pgxbMksF92k1+eOa8arJTJiPvsdZj9Dl+vJkM4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c3392ad349a5227f4a3464dce87bcc5046692fce", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, 
- "nixpkgs_4": { - "locked": { - "lastModified": 1732238832, - "narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "8edf06bea5bcbee082df1b7369ff973b91618b8d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1733212471, - "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixvim": { - "inputs": { - "flake-parts": "flake-parts_4", - "nixpkgs": [ - "nixpkgs" - ], - "nuschtosSearch": "nuschtosSearch", - "systems": "systems_5" - }, - "locked": { - "lastModified": 1748175278, - "narHash": "sha256-nXrZ25veLlj1WwVblFO28oHSOabjORGn8YLQ/9OtuSA=", - "owner": "nix-community", - "repo": "nixvim", - "rev": "f54941e333ea2afd0b03ba09f5cb90bb1c6f8130", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixvim", - "type": "github" - } - }, - "nur": { - "inputs": { - "flake-parts": "flake-parts_5", - "nixpkgs": [ - "nixpkgs" - ], - "treefmt-nix": "treefmt-nix_3" - }, - "locked": { - "lastModified": 1737225765, - "narHash": "sha256-wyJcROV/d6POpZRlfk79EWsRHZH0iP6aC5uhmM1cH98=", - "owner": "nix-community", - "repo": "NUR", - "rev": "7c2500d3cc3a1d4f51493ba208721ea7c2a4380f", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nuschtosSearch": { - "inputs": { - "flake-utils": "flake-utils_9", - "ixx": "ixx", - "nixpkgs": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745046075, - "narHash": "sha256-8v4y6k16Ra/fiecb4DxhsoOGtzLKgKlS+9/XJ9z0T2I=", - "owner": "NuschtOS", - "repo": "search", - "rev": 
"066afe8643274470f4a294442aadd988356a478f", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "repo": "search", - "type": "github" - } - }, - "ofi-pass": { - "flake": false, - "locked": { - "lastModified": 1723412133, - "narHash": "sha256-rOVbz4v1+DHPJMvRtxdOFWdOHlaxI7G2vm0bgEV/0Cg=", - "owner": "sereinity", - "repo": "ofi-pass", - "rev": "2b6aa6a3fc0504e63df4ac3449e0065a1a4d19d0", - "type": "github" - }, - "original": { - "owner": "sereinity", - "repo": "ofi-pass", - "type": "github" - } - }, - "openvscode-server": { - "flake": false, - "locked": { - "lastModified": 1714076069, - "narHash": "sha256-Yc16L13Z8AmsGoSFbvy+4+KBdHxvqLMwZLeU2/dAQVU=", - "owner": "gitpod-io", - "repo": "openvscode-server", - "rev": "7920868fc0c6f4e584cca7791c71d300f2bc3a56", - "type": "github" - }, - "original": { - "owner": "gitpod-io", - "ref": "openvscode-server-v1.88.1", - "repo": "openvscode-server", - "type": "github" - } - }, - "prs": { - "flake": false, - "locked": { - "lastModified": 1719086486, - "narHash": "sha256-YQYiN1T7YHYQYv6GoRNdi7Jq93+U+ydoF64tZxuVW+0=", - "owner": "timvisee", - "repo": "prs", - "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", - "type": "gitlab" - }, - "original": { - "owner": "timvisee", - "repo": "prs", - "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", - "type": "gitlab" - } - }, - "root": { - "inputs": { - "aphorme_launcher": "aphorme_launcher", - "colmena": "colmena", - "crane": "crane", - "disko": [ - "nixos-anywhere", - "disko" - ], - "espanso": "espanso", - "fenix": "fenix", - "flake-parts": "flake-parts", - "get-flake": "get-flake", - "jay": "jay", - "nix-vscode-extensions": "nix-vscode-extensions", - "nix4vscode": "nix4vscode", - "nixago": "nixago", - "nixos-anywhere": "nixos-anywhere", - "nixpkgs": [ - "nixpkgs-2505" - ], - "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-2411": "nixpkgs-2411", - "nixpkgs-2505": "nixpkgs-2505", - "nixpkgs-gimp": "nixpkgs-gimp", - "nixpkgs-unstable": "nixpkgs-unstable", - "nixpkgs-vscodium": 
"nixpkgs-vscodium", - "nixpkgs-wayland": "nixpkgs-wayland", - "nixvim": "nixvim", - "nur": "nur", - "ofi-pass": "ofi-pass", - "openvscode-server": "openvscode-server", - "prs": "prs", - "radicalePkgs": [ - "nixpkgs-2211" - ], - "rperf": "rperf", - "sops-nix": "sops-nix", - "srvos": "srvos", - "treefmt-nix": "treefmt-nix_4", - "yofi": "yofi" - } - }, - "rperf": { - "flake": false, - "locked": { - "lastModified": 1712257145, - "narHash": "sha256-IMHpJWGja69nTwF9JJOaOZeC5zxzXGanSShompQfBJE=", - "owner": "steveej-forks", - "repo": "rperf", - "rev": "ec7e1fb3a776fce09ca7c497e1d1962c56ef3785", - "type": "github" - }, - "original": { - "owner": "steveej-forks", - "repo": "rperf", - "type": "github" - } - }, - "rust-analyzer-src": { - "flake": false, - "locked": { - "lastModified": 1733330394, - "narHash": "sha256-1jwtAQYtErSsfkEQFvZJ9wJBrLGltzlvZKZzPXhpfpE=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "f499faf72bcd2abbfbf3d7171e5191100547a3df", - "type": "github" - }, - "original": { - "owner": "rust-lang", - "ref": "nightly", - "repo": "rust-analyzer", - "type": "github" - } - }, - "rust-overlay": { - "inputs": { - "nixpkgs": "nixpkgs_3" - }, - "locked": { - "lastModified": 1722565199, - "narHash": "sha256-2eek4vZKsYg8jip2WQWvAOGMMboQ40DIrllpsI6AlU4=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "a9cd2009fb2eeacfea785b45bdbbc33612bba1f1", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733128155, - "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733365027, - 
"narHash": "sha256-Vl0pOGckECuFoMbiotwj65jjoFE8Mc2yUXNIllttxkI=", - "owner": "numtide", - "repo": "srvos", - "rev": "6047d415ca8dc7eae73dd17c832f7dc08ad544f4", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - }, - "stable": { - "locked": { - "lastModified": 1746557022, - "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - 
"systems_5": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_6": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nixos-anywhere", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1727252110, - "narHash": "sha256-3O7RWiXpvqBcCl84Mvqa8dXudZ1Bol1ubNdSmQt7nF4=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "1bff2ba6ec22bc90e9ad3f7e94cca0d37870afa3", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_2": { - "inputs": { - "nixpkgs": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1723303070, - "narHash": "sha256-krGNVA30yptyRonohQ+i9cnK+CfCpedg6z3qzqVJcTs=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "14c092e0326de759e16b37535161b3cb9770cea3", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_3": { - "inputs": { - "nixpkgs": [ - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733222881, - "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "49717b5af6f80172275d47a418c9719a31a78b53", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_4": { - "inputs": { - "nixpkgs": [ - 
"nixpkgs" - ] - }, - "locked": { - "lastModified": 1738953846, - "narHash": "sha256-yrK3Hjcr8F7qS/j2F+r7C7o010eVWWlm4T1PrbKBOxQ=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "4f09b473c936d41582dd744e19f34ec27592c5fd", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "yofi": { - "inputs": { - "flake-utils": "flake-utils_10", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1725018627, - "narHash": "sha256-uBEU/aKl9jlJ8vIK556TaqSBEHx6/t6AE4fbt/AoRfA=", - "owner": "l4l", - "repo": "yofi", - "rev": "09901e75cbdf2147553ab888adde480e57baa0d1", - "type": "github" - }, - "original": { - "owner": "l4l", - "ref": "master", - "repo": "yofi", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/flake.nix b/flake.nix deleted file mode 100644 index c68eef7..0000000 --- a/flake.nix +++ /dev/null 
@@ -1,388 +0,0 @@ -# flake.nix -{ - inputs = { - # TODO: where has this been used? - # dotfiles = { - # url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git"; - # flake = false; - # }; - - # flake and infra basics - nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; - radicalePkgs.follows = "nixpkgs-2211"; - nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11"; - nixpkgs-2505.url = "github:nixos/nixpkgs/nixos-25.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs.follows = "nixpkgs-2505"; - flake-parts.url = "github:hercules-ci/flake-parts"; - get-flake.url = "github:ursi/get-flake"; - - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - nixos-anywhere.url = "github:numtide/nixos-anywhere/main"; - nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs"; - disko.follows = "nixos-anywhere/disko"; - - nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland"; - - nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; - nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable"; - - # needs to be in sync with `vscodium --version` from `nixpkgs-vscodium` - openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1"; - openvscode-server.flake = false; - - colmena = { - url = "github:zhaofengli/colmena"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - # libraries for building applications - fenix = { - url = "github:nix-community/fenix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - crane.url = "github:ipetkov/crane"; - - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - # applications - aphorme_launcher = { - url = "github:Iaphetes/aphorme_launcher/main"; - flake = false; - }; - - yofi = { - url = "github:l4l/yofi/master"; - flake = true; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - ofi-pass = { - url = "github:sereinity/ofi-pass"; - flake = false; - }; - - jay = { - url = "github:mahkoh/jay"; - flake = 
false; - }; - - prs = { - # url = "gitlab:timvisee/prs/v0.5.2"; - url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973"; - flake = false; - }; - - rperf = { - url = "github:steveej-forks/rperf"; - flake = false; - }; - - # nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage"; - - espanso = { - flake = false; - url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b"; - }; - - nix4vscode = { - url = "github:nix-community/nix4vscode"; - # inputs.nixpkgs.follows = "nixpkgs"; - }; - nixvim = { - # TODO: pin to nixos-24.11 once available - url = "github:nix-community/nixvim"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - treefmt-nix = { - url = "github:numtide/treefmt-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixago = { - url = "github:jmgilman/nixago"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nur = { - url = "github:nix-community/NUR"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson"; - }; - - outputs = - inputs@{ - self, - flake-parts, - nixpkgs, - ... - }: - let - inherit (nixpkgs) lib; - - systems = [ - "x86_64-linux" - "aarch64-linux" - ]; - in - flake-parts.lib.mkFlake { inherit inputs; } ( - { withSystem, ... 
}: - { - flake.colmenaHive = inputs.colmena.lib.makeHive ( - lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) - { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } - # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import - # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 - ( - builtins.map - ( - nodeName: - import ./nix/os/devices/${nodeName} { - inherit nodeName; - repoFlake = self; - repoFlakeWithSystem = withSystem; - nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}"); - } - ) - [ - "steveej-t14" - "steveej-x13s" - "steveej-x13s-rmvbl" - "elias-e525" - # "justyna-p300" - - # "srv0-dmz0" - # "router0-dmz0" - "router0-ifog" - "router0-hosthatch" - - "sj-srv1" - ] - ) - ); - - flake.lib = { - inherit withSystem; - - prsFn = - { - lib, - prs, - skim, - rustPlatform, - makeWrapper, - }: - - prs.overrideAttrs (attrs: rec { - pname = "prs"; - - src = self.inputs.prs; - version = self.inputs.prs.shortRev; - - nativeBuildInputs = attrs.nativeBuildInputs ++ [ - makeWrapper - ]; - - cargoDeps = rustPlatform.fetchCargoVendor { - inherit src; - hash = "sha256-6kCqrwcHFy7cEl2JM+CzTWDM9abepumzdcJLq1ChzUk="; - }; - - postFixup = '' - wrapProgram $out/bin/prs \ - --prefix PATH : ${lib.makeBinPath [ skim ]} - ''; - }); - }; - - # this makes nixos-anywhere work - flake.nixosConfigurations = - let - colmenaHiveNodes = self.outputs.colmenaHive.nodes; - router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations; - in - colmenaHiveNodes - // { - router0-dmz0 = router0-dmz0.native; - - # for now deploy directly with: - # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 - router0-dmz0_cross = router0-dmz0.cross; - - steveej-x13s_cross = - (inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross; - steveej-x13s-rmvbl_cross = 
- (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; - }; - - inherit systems; - - perSystem = - { - self', - inputs', - system, - config, - lib, - pkgs, - ... - }: - { - imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; - - packages = - let - dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { }; - - craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; - - craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; - - local-xwayland = pkgs.writeShellScriptBin "local-xwayland" '' - set -x - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=0 \ - # --x-unscale=3 \ - --verbose - ''; - in - { - dcpj4110dwDriver = dcpj4110dw.driver; - dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - - inherit (inputs'.colmena.packages) colmena; - - nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; - - ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' - set -x - pkill -9 wayland-proxy-v - export NIXOS_OZONE_WL="" - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=3 \ - & - # --x-unscale=3 \ - #--verbose \ - - export PROXYPID="$!" 
- - trap "kill -9 \$PROXYPID" EXIT - # trap "pkill -9 wayland-proxy-v" EXIT - - env \ - WAYLAND_DISPLAY=wayland-3 \ - DISPLAY=:3 \ - ledger-live-desktop - ''; - - syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' - ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 - ''; - - rperf = craneLib.buildPackage { - src = inputs.rperf; - nativeBuildInputs = [ pkgs.pkg-config ]; - buildInputs = [ ]; - }; - - inherit local-xwayland; - - inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp; - - }; - - formatter = - let - settingsNix = { - projectRootFile = ".git/config"; - - package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2; - - programs = { - nixfmt.enable = true; - deadnix.enable = true; - statix.enable = true; - - shfmt.enable = true; - shellcheck.enable = true; - - prettier.enable = true; - just = { - enable = true; - includes = [ - "*/Justfile" - "Justfile" - ]; - }; - } // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; }; - - settings = { - global.excludes = [ - "LICENSE" - "secrets/" - ".git-crypt/" - - # unsupported extensions - "*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}" - ]; - - formatter = { - deadnix = { - priority = 1; - options = [ "--no-underscore" ]; - }; - - nixfmt = { - priority = 2; - }; - - statix = { - priority = 3; - }; - - prettier = { - options = [ - "--tab-width" - "2" - ]; - includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ]; - }; - }; - }; - }; - eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix; - in - eval.config.build.wrapper.overrideAttrs (_: { - passthru = { - inherit (eval.config) package settings; - }; - }); - - devShells = - let - all = import ./nix/devShells.nix { - inherit - self - self' - inputs' - pkgs - ; - }; - in - all - // { - default = all.develop; - }; - }; - } - ); -} 
diff --git a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw
deleted file mode 100644
index ea5b5b8..0000000
Binary files a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw and /dev/null differ
diff --git a/nix/container-images/build.sh b/nix/container-images/build.sh
index 1025cb4..6cfab1a 100755
--- a/nix/container-images/build.sh
+++ b/nix/container-images/build.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -xe
-[ -n "$NAME" ]
+[ ! -z "$NAME" ]
 nix-build . --show-trace -A "$NAME"
-docker image rm "$NAME":latest --force
+docker image rm "$NAME":latest --force
 docker load -i result
diff --git a/nix/container-images/default.nix b/nix/container-images/default.nix
index 67f516d..7dcab2a 100644
--- a/nix/container-images/default.nix
+++ b/nix/container-images/default.nix
@@ -1,10 +1,6 @@
-{
- pkgs ? import { },
-}:
-let
- baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
-in
-rec {
+{pkgs ? import {}}: let
+ baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
+in rec {
 base = pkgs.dockerTools.buildImage rec {
 name = "base";
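Review bot: The new guard `[ ! -z "$NAME" ]` in build.sh still depends on `set -e` to abort when NAME is unset, so a run with the variable missing dies with nothing but the `set -x` trace to explain why; `: "${NAME:?NAME must be set}"` fails with an explicit reason and reads as the intent. The `-n` test it replaces is the idiomatic spelling, so this is a style regression rather than a fix. The removed and added `docker image rm "$NAME":latest --force` lines look identical here, which suggests a whitespace-only change that a later reader will not be able to distinguish from a real edit; if that is the case it would be cleaner to leave that line untouched.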
@@ -25,70 +21,59 @@ rec { interactive_base = pkgs.dockerTools.buildImage { name = "interactive_base"; fromImage = base; - contents = with pkgs; [ - procps - zsh - coreutils - neovim - ]; + contents = with pkgs; [procps zsh coreutils neovim]; - config = { - Cmd = [ "/bin/zsh" ]; - }; + config = {Cmd = ["/bin/zsh"];}; }; - s3ql = - let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} + s3ql = let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} - if [ -z "$S3QL_BUCKET" ]; then - echo S3QL_BUCKET not set - exit 1 - fi + if [ -z "$S3QL_BUCKET" ]; then + echo S3QL_BUCKET not set + exit 1 + fi - if [ -z "$S3QL_STORAGE_URL" ]; then - echo S3QL_STORAGE_URL not set - exit 1 - fi + if [ -z "$S3QL_STORAGE_URL" ]; then + echo S3QL_STORAGE_URL not set + exit 1 + fi - if [ -z "$S3QL_CACHESIZE" ]; then - echo S3QL_CACHESIZE not set - exit 1 - fi + if [ -z "$S3QL_CACHESIZE" ]; then + echo S3QL_CACHESIZE not set + exit 1 + fi - set -x + set -x - if [ "$S3QL_SKIP_FSCK" != "1" ]; then - fsck.s3ql \ - --authfile $S3QL_AUTHINFO2 \ - --log none \ - --cachedir $S3QL_CACHE_DIR \ - $S3QL_STORAGE_URL - fi - - exec mount.s3ql \ - --cachedir "$S3QL_CACHE_DIR" \ - --authfile "$S3QL_AUTHINFO2" \ - --cachesize "$S3QL_CACHESIZE" \ - --fg \ - --compress lzma-6 \ - --threads 4 \ + if [ "$S3QL_SKIP_FSCK" != "1" ]; then + fsck.s3ql \ + --authfile $S3QL_AUTHINFO2 \ --log none \ - --allow-root \ - "$S3QL_STORAGE_URL" \ - /bucket + --cachedir $S3QL_CACHE_DIR \ + $S3QL_STORAGE_URL + fi - # FIXME: touch .isbucket after mount - ''; - in + exec mount.s3ql \ + --cachedir "$S3QL_CACHE_DIR" \ + --authfile "$S3QL_AUTHINFO2" \ + --cachesize "$S3QL_CACHESIZE" \ + --fg \ + --compress lzma-6 \ + --threads 4 \ + --log none \ + --allow-root \ + "$S3QL_STORAGE_URL" \ + /bucket + + # FIXME: touch .isbucket after mount + ''; + in pkgs.dockerTools.buildImage { name = "s3ql"; fromImage = interactive_base; - contents = [ - pkgs.s3ql - pkgs.fuse - ]; + contents = [pkgs.s3ql 
pkgs.fuse]; runAsRoot = '' #!${pkgs.stdenv.shell} 
@@ -99,58 +84,57 @@ rec { ''; config = { - Env = baseEnv ++ [ - "HOME=/home/s3ql" - "S3QL_CACHE_DIR=/var/cache/s3ql" - "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" - "CONTAINER_ENTRYPOINT=${entrypoint}" - ]; - Cmd = [ entrypoint ]; + Env = + baseEnv + ++ [ + "HOME=/home/s3ql" + "S3QL_CACHE_DIR=/var/cache/s3ql" + "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" + "CONTAINER_ENTRYPOINT=${entrypoint}" + ]; + Cmd = [entrypoint]; Volumes = { - "/var/cache/s3ql" = { }; - "/etc/s3ql/authinfo2" = { }; - "/buckets" = { }; - "/tmp" = { }; + "/var/cache/s3ql" = {}; + "/etc/s3ql/authinfo2" = {}; + "/buckets" = {}; + "/tmp" = {}; }; }; }; - syncthing = - let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} - set -x - if [ ! -e /data/.isbucket ]; then - echo ERROR: Bucket not mounted at /data - exit 1 - fi + syncthing = let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} + set -x + if [ ! -e /data/.isbucket ]; then + echo ERROR: Bucket not mounted at /data + exit 1 + fi - if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then - echo ERROR: SYNCTHING_GUI_ADDRESS is not set - exit 1 - fi + if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then + echo ERROR: SYNCTHING_GUI_ADDRESS is not set + exit 1 + fi - if [ ! -w "$SYNCTHING_HOME" ]; then - echo ERROR : SYNCTHING_HOME is not writable - fi + if [ ! -w "$SYNCTHING_HOME" ]; then + echo ERROR : SYNCTHING_HOME is not writable + fi - exec syncthing \ - -home $SYNCTHING_HOME \ - -gui-address=$SYNCTHING_GUI_ADDRESS \ - -no-browser - ''; - in + exec syncthing \ + -home $SYNCTHING_HOME \ + -gui-address=$SYNCTHING_GUI_ADDRESS \ + -no-browser + ''; + in pkgs.dockerTools.buildImage { name = "syncthing"; fromImage = interactive_base; contents = pkgs.syncthing; config = { - Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; - Cmd = [ entrypoint ]; - Volumes = { - "/data" = { }; - }; + Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"]; + Cmd = [entrypoint]; + Volumes = {"/data" = {};}; }; }; } 
diff --git a/nix/default.nix b/nix/default.nix index f8947e0..888a4e9 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -1,34 +1,26 @@ -{ versionsPath }: -let +{versionsPath}: let channelVersions = import versionsPath; - mkChannelSource = - name: - let - channelVersion = builtins.getAttr name channelVersions; - in + mkChannelSource = name: let + channelVersion = builtins.getAttr name channelVersions; + in builtins.fetchGit { # Descriptive name to make the store path easier to identify inherit name; inherit (channelVersion) url ref rev; }; - nixPath = builtins.concatStringsSep ":" ( - builtins.map ( - elemName: - let - elem = builtins.getAttr elemName channelVersions; - elemPath = mkChannelSource elemName; - suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; - in - builtins.concatStringsSep "=" [ - elemName - elemPath - ] - + suffix - ) (builtins.attrNames channelVersions) - ); - pkgs = import (mkChannelSource "nixpkgs") { }; -in -{ + nixPath = builtins.concatStringsSep ":" (builtins.map + (elemName: let + elem = builtins.getAttr elemName channelVersions; + elemPath = mkChannelSource elemName; + suffix = + if builtins.hasAttr "suffix" elem + then elem.suffix + else ""; + in + builtins.concatStringsSep "=" [elemName elemPath] + suffix) + (builtins.attrNames channelVersions)); + pkgs = import (mkChannelSource "nixpkgs") {}; +in { inherit nixPath; channelSources = pkgs.writeText "channels.rc" '' export NIX_PATH=${nixPath} diff --git a/nix/devShells.nix b/nix/devShells.nix deleted file mode 100644 index fc4b55e..0000000 --- a/nix/devShells.nix +++ /dev/null 
@@ -1,105 +0,0 @@ -{ - self, - self', - inputs', - pkgs, -}: -{ - install = pkgs.mkShell { - name = "infra-install"; - packages = with pkgs; [ - nixos-install-tools - inputs'.disko.packages.disko - just - git - git-crypt - gnupg - ]; - }; - - develop = pkgs.mkShell { - name = "infra-develop"; - inputsFrom = [ self'.devShells.install ]; - packages = with pkgs; [ - self'.formatter # .package - inputs'.colmena.packages.colmena - dconf2nix - inputs'.nixos-anywhere.packages.nixos-anywhere - nurl - vcsh - ripgrep - # pass - age - age-plugin-yubikey - ssh-to-age - yubico-piv-tool - inputs'.sops-nix.packages.default - sops - nil - nix-index - - apacheHttpd - - # vncdo - # tesseract - # imagemagick - - # lm_sensors - - # nmap - # sysstat - # lshw - # xxHash - # linssid - # wavemon - # wirelesstools - - # zathura - # xorg.xwininfo - # glxinfo - # autorandr - # arandr - # playerctl - # x11docker - # fwupd - - # ntfy - # hedgedoc-cli - - xwayland - pulsemixer - - (pkgs.writeShellScriptBin "rflk" '' - exec nix run nixpkgs#$@ - '') - - (pkgs.writeShellScriptBin "r11" '' - exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@ - '') - - jq - yq - wireguard-tools - - screen - - inputs'.nixpkgs-unstable.legacyPackages.kanidm - - (flameshot.override { enableWlrSupport = true; }) - ]; - - # Set Environment Variables - RUST_BACKTRACE = 1; - - KANIDM_URL = - self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin; - - shellHook = builtins.concatStringsSep "\n" [ - # (self.inputs.nixago.lib.${pkgs.system}.make { - # data = self'.formatter.settings; - # output = "treefmt.toml"; - # format = "toml"; - # }).shellHook - ]; - }; -} diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index a4ab582..133650b 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix 
@@ -1,288 +1,307 @@ -{ - pkgs, - lib, - config, - # these come in via home-manager.extraSpecialArgs and are specific to each node - nodeFlake, - repoFlake, - ... -}: -let - pkgsUnstable = - pkgs.pkgsUnstable - or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; }); +{pkgs}: let + zshCurried = import ../programs/zsh.nix {inherit pkgs;}; in -{ - imports = [ - ../profiles/common.nix - # ../profiles/dotfiles.nix - # FIXME: fix homeshick when no WAN connection is available - # ../programs/homeshick.nix - - # ../profiles/gnome-desktop.nix - # ../profiles/experimental-desktop.nix - - ../programs/redshift.nix - - ../programs/gpg-agent.nix - ../programs/pass.nix - - ../programs/espanso.nix - - ../programs/firefox.nix - ../programs/chromium.nix - - ../programs/libreoffice.nix - ../programs/neovim.nix - ../programs/vscode - { home.packages = [ pkgsUnstable.markdown-oxide ]; } - ]; - - home.sessionVariables.HM_CONFIG = "graphical-fullblown"; - home.sessionVariables.GOPATH = "$HOME/src/go"; - home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ - "$HOME/.local/bin" - "$PATH" - ]; - - nixpkgs.config.allowInsecurePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "electron-28.3.3" - "electron-27.3.11" + { + pkgs, + config, + ... 
+ }: let + # gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {}; + unstablepkgs = + import {config = config.nixpkgs.config;}; + masterpkgs = import {config = config.nixpkgs.config;}; + in { + imports = [ + ../profiles/common.nix + ../profiles/qtile-desktop.nix + ../profiles/dotfiles.nix + ../programs/firefox.nix + ../programs/chromium.nix + # FIXME: fix homeshick when no WAN connection is available + # ../programs/homeshick.nix + ../programs/libreoffice.nix + ../programs/neovim.nix + ../programs/pass.nix + zshCurried + ../programs/podman.nix + ../programs/vscode + ../programs/holochain-launcher.nix + ../programs/radicale.nix ]; - nixpkgs.config.permittedInsecurePackages = [ - "electron-28.3.3" - "electron-27.3.11" - ]; + nixpkgs.config = { + pidgin = { + openssl = true; + gnutls = true; + }; - nixpkgs.config.allowUnfree = [ - "electron-28.3.3" - "electron-27.3.11" - ]; + packageOverrides = pkgs: with pkgs; {}; + }; - # nixpkgs.config.allowUnfreePredicate = pkg: - # builtins.elem (lib.getName pkg) [ - # "smartgithg" - # "electron-27.3.11" - # ]; + home.sessionVariables = { + # TODO: find a way to prevent using a store path for the current file + # HM_CONFIG_PATH=builtins.toString "${./.}"; + HM_CONFIG = "graphical-fullblown"; - home.packages = - (with pkgs; [ - # Authentication - # cacert - # fprintd - # openssl - # mkpasswd + GOPATH = "$HOME/src/go"; - # Nix package related tools - patchelf - # nix-index - nix-prefetch-scripts - nix-tree + PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; + }; - # Version Control Systems - gitFull - # gitless - gitRepo - git-lfs + home.packages = + [] + ++ (with pkgs; [ + # Authentication + cacert + fprintd + openssl + mkpasswd - # Process/System Administration - htop - # gnome.gnome-tweaks - xorg.xhost - dmidecode - evtest + # Nix package related tools + patchelf + nix-index + nox + nix-prefetch-scripts + nix-prefetch-github - # Archive Managers - sshfs-fuse - p7zip - zip - unzip - gzip - lzop + # Version 
Control Systems + pijul + gitless + gitRepo + git-lfs - # Password Management - gnupg - yubikey-manager - yubikey-personalization - yubikey-personalization-gui + # Process/System Administration + htop + gnome.gnome-tweaks + xorg.xhost + dmidecode + evtest - # gnome.gnome-keyring - gcr - seahorse + # Archive Managers + sshfs-fuse + xarchive + p7zip + zip + unzip + gzip + lzop - # Language Support - hunspellDicts.en-us - hunspellDicts.de-de + # Password Management + gnupg + yubikey-manager + yubikey-manager-qt + yubikey-personalization + yubikey-personalization-gui + gnome.gnome-keyring + gnome.seahorse - # Messaging/Communication - # pidgin - # hexchat - pkgsUnstable.element-desktop - aspellDicts.en - aspellDicts.de - # skypeforlinux - # pkgsUnstable.jitsi-meet-electron - thunderbird-128 - # betterbird + # Language Support + hunspellDicts.en-us + hunspellDicts.de-de - # FIXME: depends on insecure openssl 1.1.1t - # kotatogram-desktop - pkgsUnstable.tdesktop - pkgsUnstable.signal-desktop + # Messaging/Communication + signal-desktop + pidgin + hexchat + aspellDicts.en + aspellDicts.de + skypeforlinux + unstablepkgs.jitsi-meet-electron + thunderbird + evolution # gnome4.glib_networking + kotatogram-desktop + zoom-us + thunderbird + evolution # gnome4.glib_networking + gnome.cheese + masterpkgs.discord - # Virtualization - virt-manager + # Virtualization + virtmanager + # (pkgs.lib.hiPrio qemu) + # virtualbox + # vagrant + # docker_compose + # unstablepkgs.kubernetes + # unstablepkgs.minikube + # unstablepkgs.openshift + # (unstablepkgs.minikube.overrideAttrs (oldAttrs: { + # patches = oldAttrs.patches ++ [ + # (builtins.fetchurl { url ="https://patch-diff.githubusercontent.com/raw/kubernetes/minikube/pull/2517.diff"; }) + # ]; + # })) + appimage-run - # Remote Control Tools - remmina - # freerdp + # Remote Control Tools + remmina + freerdp + teamviewer + rustdesk - # Audio/Video Players - # ffmpeg - vlc - # v4l-utils - # audacity - # spotify - yt-dlp - 
(writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") - libwebcam - libcamera - snapshot + # Audio/Video Players + ffmpeg + vlc + audacity + spotify + youtube-dl-light + libwebcam - # Network Tools - tcpdump - iftop - iperf - bind - socat - nethogs + # Network Tools + openvpn + tcpdump + iftop + iperf + bind + socat + # 2019-03-05: broken on 19.03 linssid + iptraf-ng + ipmitool - # Code Editing and Programming - # TODO(remove or use): pkgsUnstable.lapce - # TODO(remve or use): pkgsUnstable.helix + iptables + nftables + wireshark + wireguard-tools - # Image/Graphic/Design Tools - eog - # gimp - # imagemagick - # exiv2 - # graphviz - # inkscape - # qrencode + # Code Editors + # unstablepkgs.atom + xclip + xsel - # TODO: remove or move these: Modelling Tools - # plantuml - # umlet - # staruml - # eclipses.eclipse-modeling - # dia - # astah-community + # Image/Graphic/Design Tools + gnome.eog + gimp + imagemagick + exiv2 + graphviz + inkscape + # barcode + qrencode + zbar + feh + # digikam - # Misc Development Tools - # qrcode - # jq - # cdrtools + # Modelling Tools + # plantuml + # umlet + # staruml + # eclipses.eclipse-modeling + # dia + # astah-community - # Document Processing and Management - nautilus - pcmanfm - # mendeley - evince - xournalpp + # Misc Development Tools + qrcode + # travis + jq + # prometheus + cdrtools - # File Synchronzation - maestral - rsync + # Document Processing and Management + # zathura + mendeley + # zotero + pandoc + unstablepkgs.logseq - # Filesystem Tools - # ntfs3g - # ddrescue - # ncdu - # hdparm - # binwalk - # gptfdisk - # gparted - # smartmontools + # has an EOL version of electron + # obsidian - ## Python - # packages'.myPython + # LaTeX + perlPackages.YAMLTiny + perlPackages.FileHomeDir + perlPackages.UnicodeLineBreak + (texlive.combine { + inherit + (texlive) + scheme-small + texlive-de + texlive-en + texlive-scripts + collection-langgerman + latexindent 
+ latexmk + algorithms + cm-super + preprint + enumitem + draftwatermark + everypage + ulem + placeins + minted + ifplatform + fvextra + xstring + framed + ; + }) - # Misc Desktop Tools - # ltunify - # dex - coreutils - lsof - xdg-utils - xdg-user-dirs - dconf - picocom - glib.dev # contains gdbus tool - alacritty - # wally-cli - man-pages + pdftk + # broken as of 2021-04-24 + # masterpdfeditor - # Screen recording - # gtk-recordmydesktop # can't select the window - # qt-recordmydesktop - # vokoscreen - # shutter - # kazam # doesn't start - # xvidcap # doesn't keep the recording rectangle - # shotcut - # openshot-qt - # introduces python: screenkey + # File Synchronzation + # seafile-client + # grive2 + dropbox + rsync - # avidemux # broken - # handbrake + # Filesystem Tools + ntfs3g + ddrescue + ncdu + woeusb + unetbootin + pcmanfm + hdparm + testdisk + binwalk + gptfdisk + gparted + smartmontools - # snes9x - # snes9x-gtk - # this is a displaymanager! - # libretro.snes9x2010 - # retroarchFull + ## Android + androidenv.androidPkgs_9_0.platform-tools - # pkgs.logseq-bin - pkgs.logseq - # (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { }) - ]) - ++ (with repoFlake.packages.${pkgs.system}; [ gimp ]) - ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ - pkgsUnstable.ledger-live-desktop + ## Python + myPython - # unsupported on aarch64-linux - pkgs.androidenv.androidPkgs_9_0.platform-tools - pkgs.teamviewer - pkgs.discord - pkgsUnstable.session-desktop - pkgsUnstable.rustdesk - ]); + # Code generators + # unstablepkgs.swagger-codegen - systemd.user.startServices = true; + # Misc Desktop Tools + # TODO: this may be required if brightness control isn't working + # brightnessctl + ltunify + # solaar # TODO: conflicts with solar over udev rules + dex + # kitty + busyboxStatic + xorg.xbacklight + coreutils + lsof + x11_ssh_askpass + xdotool + xdg_utils + xdg-user-dirs + dconf + picocom + glib.dev # contains 
gdbus tool + alacritty + unstablepkgs.wally-cli + man-pages - services.syncthing.enable = true; + # Screen recording + # gtk-recordmydesktop # can't select the window + # qt-recordmydesktop + # vokoscreen + # shutter + # kazam # doesn't start + # xvidcap # doesn't keep the recording rectangle + obs-studio + screenkey + # shotcut + # openshot-qt - services.udiskie = { - enable = true; - automount = false; - notify = true; - }; - - # TODO: uncomment this when it's in stable home-manger - # programs.joshuto = { - # enable = true; - # }; - - # systemd.user.services.maestral = { - # Unit.Description = "Maestral daemon"; - # Install.WantedBy = ["default.target"]; - # Service = { - # ExecStart = "${pkgs.maestral}/bin/maestral start -f"; - # ExecStop = "${pkgs.maestral}/bin/maestral stop"; - # Restart = "on-failure"; - # Nice = 10; - # }; - # }; -} + unstablepkgs.ledger-live-desktop + ]); + } diff --git a/nix/home-manager/configuration/graphical-gnome3.nix b/nix/home-manager/configuration/graphical-gnome3.nix index 4dbcba2..2bc669f 100644 --- a/nix/home-manager/configuration/graphical-gnome3.nix +++ b/nix/home-manager/configuration/graphical-gnome3.nix 
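Review bot: The `lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [...]` guard from the removed side is gone, and `teamviewer`, `rustdesk`, `masterpkgs.discord`, `androidenv.androidPkgs_9_0.platform-tools` and `unstablepkgs.ledger-live-desktop` are now listed unconditionally even though the removed side annotates them as unsupported on aarch64-linux, so evaluation on such a host will fail; the guard should be restored around those entries. The Messaging/Communication section also lists `thunderbird` and `evolution # gnome4.glib_networking` twice. A subtler point is that the module is now a curried function whose outer `{pkgs}` is used only to build `zshCurried`, while the inner module argument `pkgs` (which presumably carries the `nixpkgs.overlays` that common.nix sets) is used for everything else, so the zsh module may be evaluated against a different nixpkgs instance than the rest of the configuration; the same pattern appears in the graphical-gnome3.nix, graphical-removable.nix and text-minimal.nix hunks. The hunk covers the whole file, so the definition is complete here.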
@@ -1,8 +1,124 @@ -{ pkgs, ... }: -{ - home.packages = with pkgs; [ - gnome-tweaks - gnome-keyring - seahorse - ]; -} +{pkgs}: let + zshCurried = import ../programs/zsh.nix {inherit pkgs;}; +in + { + pkgs, + config, + ... + }: let + unstablepkgs = + import {config = config.nixpkgs.config;}; + in { + imports = [ + ../profiles/common.nix + ../programs/firefox.nix + # ../programs/chromium.nix + # FIXME: fix homeshick when no WAN connection is available + # ../programs/homeshick.nix + ../programs/libreoffice.nix + ../programs/neovim.nix + ../programs/pass.nix + zshCurried + ]; + + nixpkgs.config = { + pidgin = { + openssl = true; + gnutls = true; + }; + + packageOverrides = pkgs: with pkgs; {}; + }; + + home.sessionVariables = {}; + + home.packages = + [] + ++ (with pkgs; [ + # Nix package related tools + patchelf + nix-index + nix-prefetch-scripts + + # Version Control Systems + gitless + + # Process/System Administration + htop + gnome.gnome-tweaks + xorg.xhost + dmidecode + evtest + + # Archive Managers + sshfs-fuse + xarchive + p7zip + zip + unzip + gzip + lzop + + # Password Management + gnome.gnome-keyring + gnome.seahorse + + # Remote Control Tools + remmina + freerdp + + # Network Tools + openvpn + tcpdump + iftop + iperf + bind + socat + + # samba + iptables + nftables + wireshark + + # Code Editors + xclip + xsel + unstablepkgs.vscode + + # Image/Graphic/Design Tools + gnome.eog + gimp + inkscape + + # Misc Development Tools + qrcode + jq + cdrtools + + # Document Processing and Management + zathura + + # File Synchronzation + rsync + + # Filesystem Tools + ntfs3g + ddrescue + ncdu + unstablepkgs.woeusb + unetbootin + pcmanfm + hdparm + testdisk + python38Packages.binwalk + gptfdisk + + ## Python + myPython + + busyboxStatic + + # Virtualization + virtmanager + ]); + } diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index 73c9ff3..dea1f8d 100644 
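Review bot: `python38Packages.binwalk` under Filesystem Tools ties binwalk to one specific Python package set, while the parallel list in the graphical-removable.nix hunk uses the top-level `binwalk`; a version-pinned set stops receiving updates long before the top-level attribute does, so `binwalk` should be used here too unless the 3.8 build is needed for a known reason, in which case a comment should say which. `myPython` is referenced as a bare name inside `with pkgs;` and is not defined in this file; it presumably comes from the overlays that common.nix installs via `nixpkgs.overlays`, which is worth making visible with a comment such as `myPython # provided by ../../overlays`. The hunk is the whole file, so the module definition is complete.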
--- a/nix/home-manager/configuration/graphical-removable.nix +++ b/nix/home-manager/configuration/graphical-removable.nix 
@@ -1,99 +1,126 @@ -{ pkgs, ... }: -{ - imports = [ - ../profiles/common.nix - ../profiles/qtile-desktop.nix - ../profiles/dotfiles.nix - ../programs/firefox.nix - ../programs/chromium.nix - # FIXME: fix homeshick when no WAN connection is available - # ../programs/homeshick.nix - ../programs/libreoffice.nix - ../programs/neovim.nix - ../programs/pass.nix - ]; +{pkgs}: let + zshCurried = import ../programs/zsh.nix {inherit pkgs;}; +in + { + pkgs, + config, + ... + }: let + unstablepkgs = + import {config = config.nixpkgs.config;}; + in { + imports = [ + ../profiles/common.nix + ../profiles/qtile-desktop.nix + ../profiles/dotfiles.nix + ../programs/firefox.nix + ../programs/chromium.nix + # FIXME: fix homeshick when no WAN connection is available + # ../programs/homeshick.nix + ../programs/libreoffice.nix + ../programs/neovim.nix + ../programs/pass.nix + zshCurried + ]; - home.packages = with pkgs; [ - # Nix package related tools - patchelf - nix-index - nix-prefetch-scripts + nixpkgs.config = { + pidgin = { + openssl = true; + gnutls = true; + }; - # Version Control Systems - gitless + packageOverrides = pkgs: with pkgs; {}; + }; - # Process/System Administration - htop - gnome-tweaks - xorg.xhost - dmidecode - evtest + home.sessionVariables = {}; - # Archive Managers - sshfs-fuse - xarchive - p7zip - zip - unzip - gzip - lzop + home.packages = + [] + ++ (with pkgs; [ + # Nix package related tools + patchelf + nix-index + nix-prefetch-scripts - # Password Management - gnome-keyring - seahorse + # Version Control Systems + gitless - # Remote Control Tools - remmina - freerdp + # Process/System Administration + htop + gnome.gnome-tweaks + xorg.xhost + dmidecode + evtest - # Network Tools - openvpn - tcpdump - iftop - iperf - bind - socat + # Archive Managers + sshfs-fuse + xarchive + p7zip + zip + unzip + gzip + lzop - # samba - iptables - nftables - wireshark + # Password Management + gnome.gnome-keyring + gnome.seahorse - # Code Editors - xclip - xsel + # Remote 
Control Tools + remmina + freerdp - # Image/Graphic/Design Tools - gnome.eog - gimp - inkscape + # Network Tools + openvpn + tcpdump + iftop + iperf + bind + socat - # Misc Development Tools - qrcode - jq - cdrtools + # samba + iptables + nftables + wireshark - # Document Processing and Management - zathura + # Code Editors + xclip + xsel + unstablepkgs.vscode - # File Synchronzation - rsync + # Image/Graphic/Design Tools + gnome.eog + gimp + inkscape - # Filesystem Tools - ntfs3g - ddrescue - ncdu - woeusb - unetbootin - pcmanfm - hdparm - testdisk - binwalk - gptfdisk + # Misc Development Tools + qrcode + jq + cdrtools - packages'.myPython + # Document Processing and Management + zathura - # Virtualization - virtmanager - ]; -} + # File Synchronzation + rsync + + # Filesystem Tools + ntfs3g + ddrescue + ncdu + unstablepkgs.woeusb + unetbootin + pcmanfm + hdparm + testdisk + binwalk + gptfdisk + + ## Python + myPython + + busyboxStatic + + # Virtualization + virtmanager + ]); + } diff --git a/nix/home-manager/configuration/text-minimal.nix b/nix/home-manager/configuration/text-minimal.nix new file mode 100644 index 0000000..60a2be6 --- /dev/null +++ b/nix/home-manager/configuration/text-minimal.nix @@ -0,0 +1,27 @@ +{ + pkgs, + extraPackages ? [], +}: let + zshCurried = import ../programs/zsh.nix {inherit pkgs;}; +in + { + pkgs, + config, + ... + }: let + in { + imports = [ + ../profiles/common.nix + # ../profiles/nix-channels.nix + ../programs/neovim.nix + zshCurried + ]; + + nixpkgs.config = {packageOverrides = pkgs: with pkgs; {};}; + + home.sessionVariables = {}; + + home.packages = + extraPackages + ++ (with pkgs; [iperf3 inetutils speedtest-cli]); + } diff --git a/nix/home-manager/lib.nix b/nix/home-manager/lib.nix index 7436034..3801ee0 100644 --- a/nix/home-manager/lib.nix +++ b/nix/home-manager/lib.nix 
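Review bot: In text-minimal.nix the inner `}: let in {` carries no bindings, and `home.sessionVariables = {};` together with `nixpkgs.config = {packageOverrides = pkgs: with pkgs; {};};` set nothing, so all three are dead syntax; dropping the empty `let` and the two no-op attributes leaves the module equivalent and easier to read. `extraPackages` is concatenated into `home.packages` with no indication of its expected shape; a one-line comment on the parameter, e.g. `extraPackages ? [], # extra derivations added to home.packages`, would help callers. The hunk is the whole new file, so the definition is complete.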
@@ -1,19 +1,14 @@ -_: { - mkSimpleTrayService = - { execStart }: - { - Unit = { - Description = ""; - After = [ "graphical-session-pre.target" ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = execStart; - }; +{}: let +in { + mkSimpleTrayService = {execStart}: { + Unit = { + Description = "pasystray applet"; + After = ["graphical-session-pre.target"]; + PartOf = ["graphical-session.target"]; }; + + Install = {WantedBy = ["graphical-session.target"];}; + + Service = {ExecStart = execStart;}; + }; } diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index 77f6e57..2d08388 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix 
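Review bot: `Description = "pasystray applet";` is hard-coded inside the generic `mkSimpleTrayService` helper, so every tray unit built with it is described as the pasystray applet in systemd; the removed side left this field empty. Make it a parameter so callers can name their own unit while existing calls keep working: `mkSimpleTrayService = {execStart, description ? ""}: {` and `Description = description;`. In the visible hunks the helper is only inherited (in qtile-desktop.nix), so its actual call sites are outside this diff.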
@@ -1,97 +1,58 @@ -{ pkgs, lib, ... }: -{ - home.stateVersion = lib.mkDefault "23.11"; - - # TODO: re-enable this with the appropriate version? +{pkgs, ...}: let +in { + # TODO: re-enable this with the appropriate version # programs.home-manager.enable = true; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; - # TODO: move this to an OS snippet? + nixpkgs.overlays = builtins.attrValues (import ../../overlays); + nixpkgs.config = { allowBroken = false; allowUnfree = true; - allowUnsupportedSystem = true; - allowInsecurePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "electron-32.3.3" - "electron" - ]; - - permittedInsecurePackages = [ - "electron-32.3.3" - "electron" - ]; - - allowUnfreePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "obsidian" - "vivaldi" - "aspell-dict-en-science" - ]; + permittedInsecurePackages = []; }; + nix.settings.experimental-features = ["nix-command" "flakes" "impure-derivations" "ca-derivations" "recursive-nix"]; + nix.settings.sandbox = "relaxed"; + home.keyboard = { layout = "us"; variant = "altgr-intl"; options = [ - # nodeadkeys doesn't make sense with us layout: see https://man.archlinux.org/man/xkeyboard-config.7 for valid options - # "nodeadkeys" + "nodeadkeys" # "caps:swapescape" ]; }; - xdg.enable = true; - programs.direnv.enable = true; + services.lorri.enable = true; - # Don't create .pyc files. - home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1"; + home.sessionVariables = { + NIXPKGS_ALLOW_UNFREE = "1"; + # Don't create .pyc files. 
+ PYTHONDONTWRITEBYTECODE = "1"; + }; programs.command-not-found.enable = true; programs.fzf.enable = true; - home.packages = with pkgs; [ - coreutils + home.packages = + [] + ++ (with pkgs; [ + # git helpers + git-crypt - vcsh + vcsh + # Authentication + cacert + openssl + mkpasswd - htop - iperf3 - nethogs + just + ripgrep + du-dust + ]); - # Authentication - cacert - openssl - mkpasswd - - just - ripgrep - du-dust - - elfutils - exfat - file - tree - pwgen - proot - - parted - pv - tmux - wget - curl - - # git helpers - git-crypt - gitFull - pastebinit - gist - mr - - usbutils - pciutils - ]; + home.stateVersion = "22.05"; } diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index a7bddd9..95b5248 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix @@ -1,4 +1,10 @@ -_: { +{ + pkgs, + config, + ... +}: let + vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {}; +in { # TODO: fix the dotfiles # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # $DRY_RUN_CMD ${vcshActivationScript} diff --git a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix index 2a866f2..84d629f 100644 --- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix +++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix 
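Review bot: `allowUnfree = true;` together with `NIXPKGS_ALLOW_UNFREE = "1"` in `home.sessionVariables` replaces the removed side's explicit `allowUnfreePredicate` allowlist, so any unfree package in nixpkgs, including anything run ad hoc with `nix-shell`/`nix-build` from this session, is admitted without a per-package decision; keeping the predicate with the names this configuration actually needs preserves that review gate. `"nodeadkeys"` is re-enabled in `home.keyboard.options` although the removed comment notes it is not a valid option with the `us` layout per xkeyboard-config(7). `nix.settings.sandbox = "relaxed"` lets derivations marked `__noChroot` build outside the sandbox, and `impure-derivations`/`recursive-nix` widen what a build may do; whether a daemon honours these from a user nix.conf depends on its trusted-user setup, but where it does they apply to everything this user builds, so a comment naming which package requires them is warranted. `home.stateVersion = "22.05"` is now unconditional where the removed side used `lib.mkDefault "23.11"`, so per-host modules can no longer override it without `mkForce`.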
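Review bot: `vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {};` is bound in the new `let` but only referenced from the commented-out `home.activation.vcsh` block, and the only file this diff shows under `profiles/dotfiles/` is `vcsh.tmpl.nix`; if the non-template file is not present the binding is an unused, lazily unevaluated path that fails the moment the block is uncommented. Either drop the binding until the activation is fixed, or point it at the file that exists and record the relation with `# rendered from vcsh.tmpl.nix` above it. The hunk shows only the start of the module; the rest of the file is outside the diff.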
@@ -3,40 +3,38 @@ repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", ... -}: -let +}: let repoBareLocal = pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } - '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; in -pkgs.writeScript "activation-script" '' - export HOST=$(hostname -s) + pkgs.writeScript "activation-script" '' + export HOST=$(hostname -s) - function set_remotes { - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 - } + function set_remotes { + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 + } - if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then - echo Cloning dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles - set_remotes ${repoHttps} ${repoSsh} - else - set_remotes ${repoBareLocal} ${repoSsh} - echo Updating dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh pull $HOST || true - set_remotes ${repoHttps} ${repoSsh} - fi -'' + if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then + echo Cloning dotfiles for $HOST... 
+ ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles + set_remotes ${repoHttps} ${repoSsh} + else + set_remotes ${repoBareLocal} ${repoSsh} + echo Updating dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh pull $HOST || true + set_remotes ${repoHttps} ${repoSsh} + fi + '' diff --git a/nix/home-manager/profiles/experimental-desktop.nix b/nix/home-manager/profiles/experimental-desktop.nix deleted file mode 100644 index d57a051..0000000 --- a/nix/home-manager/profiles/experimental-desktop.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ packages', ... }: -{ - imports = [ ../profiles/wayland-desktop.nix ]; - - home.packages = [ - # experimental WMs - packages'.jay - packages'.magmawm - ]; -} diff --git a/nix/home-manager/profiles/gnome-desktop.nix b/nix/home-manager/profiles/gnome-desktop.nix deleted file mode 100644 index e403b71..0000000 --- a/nix/home-manager/profiles/gnome-desktop.nix +++ /dev/null 
@@ -1,100 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ ../profiles/wayland-desktop.nix ]; - - services = { - gnome-keyring.enable = false; - blueman-applet.enable = true; - flameshot.enable = true; - pasystray.enable = true; - }; - - # TODO: remove this comment once i'm sure everything works - # xdg.configFile."autostart/gnome-keyring-ssh.desktop".text = '' - # [Desktop Entry] - # Type=Application - # Hidden=true - # ''; - - services.gpg-agent.pinentry.package = pkgs.pinentry-gnome3; - - dconf.settings = - let - manualKeybindings = [ - { - binding = "Print"; - command = "flameshot gui"; - name = "flameshot"; - } - - { - binding = "t"; - command = "alacritty"; - name = "alacritty"; - } - ]; - - numWorkspaces = 10; - customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; - customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( - (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace - ); - - workspacesKeyBindingsOffset = builtins.length manualKeybindings; - - # with this we can make use of all number keys [0-9] - mapToNumber = - i: - if i < 10 then - i - else if i == 10 then - 0 - else - throw "i exceeds 10: ${i}"; - in - { - "org/gnome/settings-daemon/plugins/media-keys" = { - custom-keybindings = customKeybindingsNames; - screenreader = "@as []"; - screensaver = [ "l" ]; - }; - - # disable the builtin [1-9] functionality - "org/gnome/shell/keybindings" = builtins.listToAttrs ( - (builtins.genList (i: { - name = "switch-to-application-${toString (i + 1)}"; - value = [ ]; - }) numWorkspaces) - ++ [ - { - name = "toggle-overview"; - value = [ ]; - } - ] - ); - - # remap it to switching to the workspaces - "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( - builtins.genList (i: { - name = "switch-to-workspace-${toString (i + 1)}"; - value = [ "${toString (mapToNumber (i + 1))}" ]; - }) numWorkspaces - ); - } - // builtins.listToAttrs ( - 
builtins.genList (i: { - name = "${customKeybindingBaseName}${toString i}"; - value = builtins.elemAt manualKeybindings i; - }) (builtins.length manualKeybindings) - ) - // builtins.listToAttrs ( - builtins.genList (i: { - name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; - value = { - binding = "${toString (mapToNumber (i + 1))}"; - command = "wmctrl -r :ACTIVE: -t ${toString i}"; - name = "Send to workspace ${toString (i + 1)}"; - }; - }) numWorkspaces - ); -} diff --git a/nix/home-manager/profiles/nix-channels.nix b/nix/home-manager/profiles/nix-channels.nix index fc52ec6..68f21c7 100644 --- a/nix/home-manager/profiles/nix-channels.nix +++ b/nix/home-manager/profiles/nix-channels.nix @@ -1,22 +1,28 @@ -{ pkgs, config, ... }: { + pkgs, + config, + ... +}: let +in { home.file.".nix-channels".text = ""; - home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] '' - $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' - set -ex - if test -f $HOME/.nix-channels; then - echo Uninstalling available channels... - if test -f $HOME/.nix-channel; then - while read url channel; do - nix-channel --remove $channel - done < $HOME/.nix-channel + home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' + $DRY_RUN_CMD ${ + pkgs.writeScript "activation-script" '' + set -ex + if test -f $HOME/.nix-channels; then + echo Uninstalling available channels... + if test -f $HOME/.nix-channel; then + while read url channel; do + nix-channel --remove $channel + done < $HOME/.nix-channel + fi + echo Moving existing file away... + touch $HOME/.nix-channels.dummy + mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels + rm $HOME/.nix-channels fi - echo Moving existing file away... - touch $HOME/.nix-channels.dummy - mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels - rm $HOME/.nix-channels - fi - ''}; + '' + }; ''; } 
diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index 84d9c21..6cc9b1f 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -1,14 +1,12 @@ -{ pkgs, ... }: -let +{pkgs, ...}: let + passwords = import ../../variables/passwords.crypt.nix; + + inherit (import ../lib.nix {}) mkSimpleTrayService; audio = pkgs.writeShellScript "audio" '' export PATH=${ with pkgs; - lib.makeBinPath [ - pulseaudio - findutils - gnugrep - ] + lib.makeBinPath [pulseaudio findutils gnugrep] }:$PATH export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute @@ -33,7 +31,7 @@ let terminalCommand = "${pkgs.alacritty}/bin/alacritty"; dpmsScript = pkgs.writeShellScript "dpmsScript" '' - export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH set -xe @@ -56,7 +54,7 @@ let ''; screenLockCommand = pkgs.writeShellScript "screenLock" '' - export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH revert() { ${dpmsScript} default @@ -251,8 +249,14 @@ let def print_new_window(window): print("new window: ", window) ''; -in -{ +in { + systemd.user = { + startServices = true; + services = {}; + }; + + # systemd.user.sockets.gpg-agent.Socket.Accept = true; + services = { gnome-keyring.enable = true; blueman-applet.enable = true; 
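Review bot: `passwords = import ../../variables/passwords.crypt.nix;` pulls what its name suggests is an encrypted secrets file into Nix evaluation, and the later qtile-desktop hunk feeds `passwords.location.stefan` into `services.redshift` via `inherit (passwords.location.stefan) longitude latitude;`; home-manager renders that option into a configuration file in the Nix store, which is world-readable on the host and travels to any binary cache or remote builder, so whatever is used this way must be treated as public once evaluated. If the coordinates are all that is needed here, keep them in a non-secret variables file and reserve the encrypted file for values read at runtime. `mkSimpleTrayService`, inherited from `../lib.nix`, is not used in any visible hunk of this file, so it is a dangling import unless a call site sits in the unshown part. Only the top of the `let` block is in this hunk; the file continues outside it.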
@@ -262,9 +266,93 @@ in lockCmd = "${screenLockCommand}"; }; network-manager-applet.enable = true; + syncthing.enable = true; + gpg-agent = { + enable = true; + enableScDaemon = true; + enableSshSupport = true; + grabKeyboardAndMouse = true; + pinentryFlavor = "gtk2"; + extraConfig = ""; + + defaultCacheTtl = 0; + maxCacheTtl = 0; + }; flameshot.enable = true; pasystray.enable = true; cbatticon.enable = true; + redshift = { + enable = true; + inherit (passwords.location.stefan) longitude latitude; + temperature = { + day = 6700; + night = 3700; + }; + tray = true; + settings = { + redshift = { + brightness-day = 1.0; + brightness-night = 0.8; + adjustment-method = "randr"; + }; + }; + }; + espanso = { + enable = true; + settings = { + matches = let + playerctl = '' + ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; + in [ + { + trigger = ":vpos"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeScript "espanso" '' + #! ${pkgs.python3}/bin/python + import subprocess, os, math, datetime + + id=str(os.getuid()) + result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) + result.check_returncode() + + position_secs = math.trunc(float(result.stdout)) + position_human = datetime.timedelta(seconds=position_secs) + print("%s - %s" % (position_human, position_secs)) + '') + ]; + }; + } + ]; + } + { + trigger = ":vtit"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeShellScript "espanso" + "${playerctl} metadata title") + ]; + }; + } + ]; + } + { + trigger = ":dunno"; + replace = "¯\\_(ツ)_/¯"; + } + ]; + }; + }; }; home.pointerCursor = { 
@@ -276,7 +364,7 @@ in }; xsession = { - enable = false; + enable = true; windowManager.command = "${pkgs.qtile}/bin/qtile start -c ${qtileConfig}"; initExtra = "${initScreen}"; }; @@ -285,9 +373,11 @@ in # X Tools/Libraries lightdm networkmanagerapplet + autorandr + arandr gnome-icon-theme gnome.gnome-themes-extra - adwaita-icon-theme + gnome.adwaita-icon-theme lxappearance xorg.xcursorthemes pavucontrol diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix deleted file mode 100644 index 65ba632..0000000 --- a/nix/home-manager/profiles/sway-desktop.nix +++ /dev/null 
@@ -1,262 +0,0 @@ -/* - TODO: create helper scripts for sharing of a screen portion - ``` - - # this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged. - swaymsg create_output - - # find the name and the workspace number - swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' - - swaymsg output HEADLESS-1 mode 1920@108060Hz - - # mirror the headless workspace on the current one - nix run nixpkgs\#wl-mirror -- HEADLESS-1 - - # shift windows to the workspace and switch the focus to it -*/ -{ - pkgs, - config, - lib, - # packages', - ... -}: -let - - lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; - displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; - displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; - swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; -in -{ - imports = [ - ../profiles/wayland-desktop.nix - ../programs/waybar.nix - ]; - - services.dunst = { - enable = true; - }; - - services.gpg-agent.pinentry.package = pkgs.pinentry-gnome3; - - home.packages = [ - pkgs.swayidle - pkgs.swaylock - - ## themes - pkgs.adwaita-icon-theme - pkgs.hicolor-icon-theme - pkgs.gnome-icon-theme - - ## fonts - # pkgs.nerd-fonts # TODO: reinstall selected ones - pkgs.dejavu_fonts # just a basic good fond - pkgs.font-awesome_5 # needed by i3status-rust - pkgs.font-awesome - pkgs.roboto - pkgs.ttf_bitstream_vera - - pkgs.noto-fonts - pkgs.noto-fonts-cjk-sans - pkgs.noto-fonts-cjk-serif - pkgs.noto-fonts-emoji - pkgs.noto-fonts-emoji-blob-bin - pkgs.noto-fonts-extra - pkgs.noto-fonts-lgc-plus - - pkgs.liberation_ttf - pkgs.fira-code - pkgs.fira-code-symbols - pkgs.mplus-outline-fonts.githubRelease - pkgs.dina-font - pkgs.monoid - pkgs.hermit - ### found on colemickens' repo - pkgs.gelasio # metric-compatible with Georgia - pkgs.powerline-symbols - pkgs.iosevka-comfy.comfy-fixed - - ## experimental stuff - 
pkgs.fuzzel - ]; - - # TODO: configure kanshi to always set the 5K resolution - # DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)" - # Make: Philips Consumer Electronics Company - # Model: PHL 499P9 - # Serial: AU02419010010 - # Physical size: 1190x340 mm - # Enabled: yes - # Modes: - # 3840x1080 px, 59.967999 Hz (preferred) - # 5120x1440 px, 59.977001 Hz (current) - - wayland.windowManager.sway = { - enable = true; - systemd.enable = true; - xwayland = false; - - config = - let - modifier = "Mod4"; - inherit (config.wayland.windowManager.sway.config) - left - right - up - down - ; - in - { - inherit modifier; - bars = [ ]; - - input = { - "type:keyboard" = - { - xkb_layout = config.home.keyboard.layout; - xkb_variant = config.home.keyboard.variant; - } - // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { - xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; - }; - - "type:touchpad" = { - natural_scroll = "enabled"; - }; - - # alternatively run this command - # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" - # and then switch to a different VT (alt+ctrl+f2) and back - "1386:914:Wacom_Intuos_Pro_S_Pen" = { - tool_mode = "* relative"; - }; - }; - - keybindings = lib.mkOptionDefault { - # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi - # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; - "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; - - # only 1-9 exist on the default config - "${modifier}+0" = "workspace number 0"; - "${modifier}+Shift+0" = "move container to workspace number 0"; - - # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it - "${modifier}+b" = "nop"; - "${modifier}+v" = "nop"; - - # move workspace to output - "${modifier}+Control+Shift+${left}" = "move workspace to output left"; - "${modifier}+Control+Shift+${right}" = "move workspace to 
output right"; - "${modifier}+Control+Shift+${up}" = "move workspace to output up"; - "${modifier}+Control+Shift+${down}" = "move workspace to output down"; - # move workspace to output with arrow keys - "${modifier}+Control+Shift+Left" = "move workspace to output left"; - "${modifier}+Control+Shift+Right" = "move workspace to output right"; - "${modifier}+Control+Shift+Up" = "move workspace to output up"; - "${modifier}+Control+Shift+Down" = "move workspace to output down"; - - # TODO: i've been hitting this one accidentally way too often. find a better place. - # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; - "${modifier}+q" = "kill"; - "${modifier}+Shift+q" = - "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; - - "${modifier}+x" = "exec ${swapOutputWorkspaces}"; - - "${modifier}+Ctrl+l" = "exec ${lockCmd}"; - - "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; - "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; - "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; - - "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; - "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; - "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; - - "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; - }; - - terminal = "alacritty"; - startup = - [ - { - command = builtins.toString ( - pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target - ) & - '' - ); - } - ] - ++ lib.optionals config.services.swayidle.enable [ - { - command = builtins.toString ( - pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user 
restart swayidle - ) & - '' - ); - } - ]; - - colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; }; - - window.titlebar = false; - window.border = 4; - - # this maps to focus_on_window_activation - focus.newWindow = "urgent"; - - window.commands = [ - { - command = "border pixel 0, floating enable, fullscreen disable, move absolute position 0 0"; - criteria.app_id = "flameshot"; - } - ]; - }; - }; - - services.swayidle = { - enable = true; - timeouts = [ - { - timeout = 10; - command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi"; - resumeCommand = displayOnCmd; - } - { - timeout = 60 * 5; - command = lockCmd; - } - { - timeout = 60 * 6; - command = displayOffCmd; - resumeCommand = displayOnCmd; - } - ]; - events = [ - { - event = "before-sleep"; - command = builtins.concatStringsSep "; " [ - lockCmd - "${pkgs.playerctl}/bin/playerctl pause" - ]; - } - { - event = "after-resume"; - command = displayOnCmd; - } - { - event = "lock"; - command = lockCmd; - } - ]; - }; -} diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix deleted file mode 100644 index 2f0d2ee..0000000 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - pkgs, - lib, - repoFlake, - ... -}: -let - - nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; -in -{ - fonts.fontconfig.enable = true; - - # services.gpg-agent.pinentryFlavor = lib.mkForce null; - # services.gpg-agent.extraConfig = '' - # pinentry-program "${wayprompt}/bin/pinentry-wayprompt" - # ''; - - services = { - blueman-applet.enable = true; - network-manager-applet.enable = true; - }; - - systemd.user.targets.tray = { - Unit = { - Description = "Home Manager System Tray"; - Requires = [ "graphical-session-pre.target" ]; - }; - }; - - home.packages = - with pkgs; - [ - # required by network-manager-applet - networkmanagerapplet - - wlr-randr - wayout - wl-clipboard - wmctrl - - nixpkgs-wayland'.shotman - - # identifies key input syms - wev - - # TODO: whwat's this for? - # wltype - - qt5.qtwayland - qt6.qtwayland - # libsForQt5.qt5.qtwayland - # libsForQt6.qt6.qtwayland - - # audio - playerctl - helvum - pasystray - sonusmix - pwvucontrol - - # probably required by flameshot - # xdg-desktop-portal xdg-desktop-portal-wlr - # grim - - waypipe - ] - ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) - # TODO: broken on aarch64 - [ ] - ); - - home.sessionVariables = { - XDG_SESSION_TYPE = "wayland"; - NIXOS_OZONE_WL = "1"; - MOZ_ENABLE_WAYLAND = "1"; - WLR_NO_HARDWARE_CURSORS = "1"; - }; - - home.pointerCursor = { - name = "Vanilla-DMZ"; - package = pkgs.vanilla-dmz; - size = 32; - x11.enable = true; - gtk.enable = true; - }; -} diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index aa3f531..bc528d0 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix 
@@ -1,81 +1,14 @@ -{ - name, - lib, - pkgs, - ... -}: -let - extensions = - [ - #undetectable adblocker - { id = "gcfcpohokifjldeandkfjoboemihipmb"; } +{...}: { + programs.chromium = {enable = true;}; - # ublock origin - { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } + programs.brave = {enable = true;}; - # # YT ad block - # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} - - # # Adblock Plus - # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} - - # Cookie Notice Blocker - { id = "odhmfmnoejhihkmfebnolljiibpnednn"; } - # i don't care about cookies - { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } - - # NopeCHA - { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } - - # h264ify - { id = "aleakchihdccplidncghkekgioiakgal"; } - - # clippy - # {id = "honbeilkanbghjimjoniipnnehlmhggk"} - - { - id = "dcpihecpambacapedldabdbpakmachpb"; - updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml"; - } - - # cookie autodelete - { id = "fhcgjolkccmbidfldomjliifgaodjagh"; } - - # unhook - { id = "khncfooichmfjbepaaaebmommgaepoid"; } - ] - ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ - # polkadotjs - { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; } - - # rabby wallet - { id = "acmacodkjbdgmoleebolmdjonilkdbch"; } - - # phantom wallet - { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; } - - # Vimium C - { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } - - # TODO: this causes scrolling the tab bar all the way to the end. 
look for a different one or report - # always right - { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; } - - # shazam music - { id = "mmioliijnhnoblpgimnlajmefafdfilb"; } - ]); -in -{ - programs.chromium = { - enable = true; - inherit extensions; - # TODO: extensions currently don't work with ungoogled-chromium - package = pkgs.chromium; + nixpkgs.config = { + chromium = { + # 2019-03-05: missing on 19.03 enablePepperPDF = true; + # 2021-03-16: missing enablePepperFlash = false; + }; }; - programs.brave = { - # TODO: enable this on aarch64-linux - enable = true && !pkgs.stdenv.targetPlatform.isAarch64; - inherit extensions; - }; + programs.browserpass = {browsers = ["chromium" "brave"];}; } diff --git a/nix/home-manager/programs/emacs.nix b/nix/home-manager/programs/emacs.nix new file mode 100644 index 0000000..10e0ad5 --- /dev/null +++ b/nix/home-manager/programs/emacs.nix @@ -0,0 +1,22 @@ +{pkgs, ...}: { + programs.emacs = { + enable = true; + extraPackages = epkgs: + (with epkgs; [ + nix-mode + magit # ; Integrate git + zerodark-theme # ; Nicolas' theme + undo-tree # ; to show the undo tree + # zoom-frm # ; increase/decrease font size for all buffers %lt;C-x C-+> + ]) + ++ (with epkgs.melpaPackages; [evil]) + ++ (with epkgs.elpaPackages; [ + auctex # ; LaTeX mode + beacon # ; highlight my cursor when scrolling + nameless # ; hide current package name everywhere in elisp code + ]) + ++ (with pkgs; [ + pkgs.notmuch # From main packages set + ]); + }; +} diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix deleted file mode 100644 index 8297183..0000000 --- a/nix/home-manager/programs/espanso.nix +++ /dev/null 
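Review bot: `programs.browserpass = {browsers = ["chromium" "brave"];}` at the end of the chromium hunk never sets `enable`, so on its own this module only registers browsers for a service that is not switched on; the firefox module later in this diff writes `programs.browserpass = { enable = true; browsers = ["firefox"]; }`, and the two presumably only work together because the module system merges the option. Either add `enable = true;` here as well or add a comment stating that firefox.nix is expected to enable it. The `nixpkgs.config.chromium` entries carry only dated comments (`# 2019-03-05: missing on 19.03`, `# 2021-03-16: missing`), so it is unclear whether `enablePepperPDF`/`enablePepperFlash` are still meant to have any effect; a one-line note on whether they are still needed would help.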
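Review bot: `++ (with pkgs; [ pkgs.notmuch ])` in the new `extraPackages` list of emacs.nix is redundant: inside `with pkgs;` the `pkgs.` prefix is unnecessary, and with a single element the `with` itself adds nothing, so `++ [ pkgs.notmuch ]` says the same thing. The commented `zoom-frm` entry also carries a garbled key sequence, `%lt;C-x C-+>`, which presumably was meant to read `<C-x C-+>`.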
@@ -1,82 +0,0 @@ -{ pkgs, ... }: -{ - services.espanso = { - package = pkgs.espanso-wayland; - # package = pkgs.espanso-wayland.overrideAttrs (_: { - # src = repoFlake.inputs.espanso; - - # cargoLock = { - # # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock"; - # lockFile = repoFlake.inputs.espanso + "/Cargo.lock"; - # outputHashes = { - # "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU="; - # }; - # }; - # }); - - enable = false; - configs = { - default = { - # backend = "Inject"; - # backend = "Clipboard"; - }; - }; - matches = - let - playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; - in - { - default = { - matches = [ - { - trigger = ":vpos"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeScript "espanso" '' - #! ${pkgs.python3}/bin/python - import subprocess, os, math, datetime - - id=str(os.getuid()) - result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) - result.check_returncode() - - position_secs = math.trunc(float(result.stdout)) - position_human = datetime.timedelta(seconds=position_secs) - print("%s - %s" % (position_human, position_secs)) - '') - ]; - }; - } - ]; - } - { - trigger = ":vtit"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ]; - }; - } - ]; - } - { - trigger = ":dunno"; - replace = "¯\\_(ツ)_/¯"; - } - { - trigger = ":shrug"; - replace = "¯\\_(ツ)_/¯"; - } - ]; - }; - }; - }; -} diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix index b9c575f..d635426 100644 --- a/nix/home-manager/programs/firefox.nix +++ b/nix/home-manager/programs/firefox.nix 
@@ -1,451 +1,10 @@ -{ - repoFlake, - pkgs, - config, - lib, - ... -}: -let - # Search extension names with below command: - # nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY - ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [ - ublock-origin +{pkgs, ...}: { + programs.firefox = {enable = true;}; - # bypass-paywalls-clean (can't use, was creating popups) - consent-o-matic - terms-of-service-didnt-read - - auto-tab-discard - - # redirector # For nixos wiki - # darkreader - - facebook-container - control-panel-for-twitter - # containerise - facebook-tracking-removal - vimium - cookie-autodelete - auto-tab-discard - istilldontcareaboutcookies - - youtube-recommended-videos - - display-_anchors - ]; - - customAddons = [ - - ]; - - search = { - force = true; - default = "ddg"; - privateDefault = "ddg"; - - order = [ - "ddg" - "ecosia" - "google" - ]; - }; - - mkProfile = - override: - lib.recursiveUpdate { - extensions.packages = ryceeAddons ++ customAddons; - inherit search; - - settings = { - # automatically enable extensions - "extensions.autoDisableScopes" = 0; - - "middlemouse.paste" = false; - - "browser.download.useDownloadDir" = false; - "browser.tabs.insertAfterCurrent" = true; - "browser.tabs.warnOnClose" = true; - "browser.toolbars.bookmarks.visibility" = "never"; - "browser.quitShortcut.disabled" = false; - - # restore the previous session automatically - "browser.startup.page" = 3; - "browser.sessionstore.resume_from_crash" = true; - "browser.sessionstore.restore_pinned_tabs_on_demand" = true; - "browser.sessionstore.restore_on_demand" = true; - - "browser.urlbar.suggest.bookmark" = true; - "browser.urlbar.suggest.engines" = true; - "browser.urlbar.suggest.history" = true; - "browser.urlbar.suggest.openpage" = true; - "browser.urlbar.suggest.topsites" = false; - "browser.urlbar.trimHttps" = true; - - "sidebar.position_start" = false; - 
"findbar.highlightAll" = true; - - "browser.tabs.hoverPreview.enabled" = true; - - # Disable fx accounts - "identity.fxaccounts.enabled" = false; - # Disable "save password" prompt - "signon.rememberSignons" = false; - # Harden - "privacy.trackingprotection.enabled" = true; - "dom.security.https_only_mode" = true; - - # Disable irritating first-run stuff - "browser.disableResetPrompt" = true; - "browser.download.panel.shown" = true; - "browser.feeds.showFirstRunUI" = false; - "browser.messaging-system.whatsNewPanel.enabled" = false; - "browser.rights.3.shown" = true; - "browser.shell.checkDefaultBrowser" = false; - "browser.shell.defaultBrowserCheckCount" = 1; - "browser.startup.homepage_override.mstone" = "ignore"; - "browser.uitour.enabled" = false; - "startup.homepage_override_url" = ""; - "trailhead.firstrun.didSeeAboutWelcome" = true; - "browser.bookmarks.restore_default_bookmarks" = false; - "browser.bookmarks.addedImportButton" = true; - - # Disable "Save to Pocket" or Pocket entirely - "extensions.pocket.enabled" = false; - - # Disable telemetry - "toolkit.telemetry.enabled" = false; - "toolkit.telemetry.unified" = false; - "toolkit.telemetry.archive.enabled" = false; - "datareporting.healthreport.uploadEnabled" = false; - "app.shield.optoutstudies.enabled" = false; - "browser.discovery.enabled" = false; - "browser.newtabpage.activity-stream.feeds.telemetry" = false; - "browser.newtabpage.activity-stream.telemetry" = false; - "browser.ping-centre.telemetry" = false; - "datareporting.healthreport.service.enabled" = false; - "datareporting.policy.dataSubmissionEnabled" = false; - "datareporting.sessions.current.clean" = true; - "devtools.onboarding.telemetry.logged" = false; - "toolkit.telemetry.bhrPing.enabled" = false; - "toolkit.telemetry.firstShutdownPing.enabled" = false; - "toolkit.telemetry.hybridContent.enabled" = false; - "toolkit.telemetry.newProfilePing.enabled" = false; - "toolkit.telemetry.prompted" = 2; - "toolkit.telemetry.rejected" = true; - 
"toolkit.telemetry.reportingpolicy.firstRun" = false; - "toolkit.telemetry.server" = ""; - "toolkit.telemetry.shutdownPingSender.enabled" = false; - "toolkit.telemetry.unifiedIsOptIn" = false; - "toolkit.telemetry.updatePing.enabled" = false; - - # Disable any feeds on the new tab page - "browser.newtabpage.activity-stream.showTopSites" = false; - "browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ]; - "browser.newtabpage.activity-stream.discoverystream.enabled" = false; - "browser.newtabpage.activity-stream.feeds.topsites" = false; - "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; - "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false; - "browser.newtabpage.blocked" = lib.genAttrs [ - # Youtube - "26UbzFJ7qT9/4DhodHKA1Q==" - # Facebook - "4gPpjkxgZzXPVtuEoAL9Ig==" - # Wikipedia - "eV8/WsSLxHadrTL1gAxhug==" - # Reddit - "gLv0ja2RYVgxKdp0I5qwvA==" - # Amazon - "K00ILysCaEq8+bEqV/3nuw==" - # Twitter - "T9nJot5PurhJSy8n038xGA==" - ] (_: 1); - "browser.topsites.blockedSponsors" = [ - "adidas" - "temuaffiliateprogram.pxf" - "s.click.aliexpress" - ]; - - # enable userChrome - "toolkit.legacyUserProfileCustomizations.stylesheets" = true; - "devtools.chrome.enabled" = true; - "devtools.debugger.remote-enabled" = true; - - # disable translations for some languages - "browser.translations.neverTranslateLanguages" = [ - "en" - "de" - ]; - "browser.translations.automaticallyPopup" = false; - - # enable pipewire (and libcamera) sources - "media.webrtc.camera.allow-pipewire" = true; - - }; - - userChrome = - let - name = override.color or colors.grey; - value = colorValues."${name}".normal; - valueBright = colorValues."${name}".highlight; - valueDark = colorValues."${name}".inactive; - in - '' - @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */ - - #nav-bar { - background-color: ${value} !important; - color: black !important; - } - - /* don't show close button 
on background tabs */ - #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button { - display: none !important; - } - - /* show close button on hover */ - #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button { - display: -moz-inline-box !important; - } - - - /* default */ - #TabsToolbar { - background: ${valueDark} !important; - } - - /* default tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content { - background: ${value} !important; - opacity: 0.8 - } - - /* selected tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content { - background: ${valueBright} !important; - box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19); - } - - /* hovered tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content { - background: ${valueBright} !important; - } - - /* unloaded/pending tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content { - background: ${valueDark} !important; - } - ''; - - # /* new tab */ - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon { - # background: unset !important; - # } - - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button { - # /* background: var(--default_tabs_bg_newtab) !important; - # } - - # /* hovered new tab */ - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover { - # background: var(--default_tabs_bg_newtab_hovered) !important; - # } - - } (builtins.removeAttrs override [ "color" ]); - - # TODO: insert the id automatically - mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs; - - colors = builtins.mapAttrs (name: _: name) colorValues; - - colorValues = { - blue = { - normal = "#49b1fc"; - highlight = "#05a9fc"; # Brighter blue - inactive = "#1f81c6"; # Darker blue - }; - green = { - normal = "#51cd00"; - highlight = "#5ae200"; # Brighter green - inactive = "#45ad00"; # Darker green - 
}; - orange = { - normal = "#ff9800"; - highlight = "#ffb74d"; # Brighter orange - inactive = "#c76a00"; # Darker orange - }; - red = { - normal = "#f6685e"; - highlight = "#ff4336"; # Brighter red - inactive = "#aa463f"; # Darker red - }; - yellow = { - normal = "#fced4b"; - highlight = "#fce705"; # Brighter yellow - inactive = "#dbbe00"; # Darker yellow - }; - purple = { - normal = "#9c27b0"; - highlight = "#ab47bc"; # Brighter purple - inactive = "#7b1fa2"; # Darker purple - }; - pink = { - normal = "#e91e63"; - highlight = "#ff6090"; # Brighter pink - inactive = "#c2185b"; # Darker pink - }; - brown = { - normal = "#795548"; - highlight = "#a88b6f"; # Brighter brown - inactive = "#4e3b30"; # Darker brown - }; - grey = { - normal = "#9e9e9e"; - highlight = "#bdbdbd"; # Brighter grey - inactive = "#757575"; # Darker grey - }; - teal = { - normal = "#009688"; - highlight = "#26c6da"; # Brighter teal - inactive = "#00796b"; # Darker teal - }; - }; - -in -{ - nixpkgs.overlays = [ - repoFlake.inputs.nur.overlays.default - ]; - - nixpkgs.config.allowUnfreePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "youtube-recommended-videos" - ]; - - programs.librewolf = { - enable = false; - }; - programs.firefox = { + programs.browserpass = { enable = true; - package = pkgs.firefox; - - profiles = - lib.filterAttrs (_: v: config.home.username == "steveej" || (v.isDefault or false)) - (mkProfiles { - "personal" = mkProfile { - id = 0; - isDefault = true; - color = colors.blue; - }; - "comms" = mkProfile { - id = 1; - color = colors.blue; - }; - "admin" = mkProfile { - id = 2; - color = colors.blue; - }; - "infra" = mkProfile { - id = 3; - color = colors.blue; - }; - "finance" = mkProfile { - id = 4; - color = colors.yellow; - }; - "business-admin" = mkProfile { - id = 5; - color = colors.teal; - }; - "business-comms" = mkProfile { - id = 6; - color = colors.teal; - }; - "business-dev" = mkProfile { - id = 7; - color = colors.teal; - }; - "holo-dev" = mkProfile { - id = 
8; - color = colors.green; - }; - "holo-infra" = mkProfile { - id = 9; - color = colors.green; - }; - "holo-comms" = mkProfile { - id = 10; - color = colors.green; - }; - "justyna" = mkProfile { - id = 11; - color = colors.pink; - }; - "justyna-office" = mkProfile { - id = 12; - color = colors.pink; - }; - "tech-research" = mkProfile { - id = 13; - color = colors.purple; - }; - }); - - # policies = { - # # search via policy. the other one doesn't always work because of schema version mismatch - # SearchEngines = { - # Default = "Qwant"; - # PreventInstalls = true; - - # Add = [ - # { - # Method = "GET"; - # Alias = "qwant"; - # Description = "Description"; - # # PostData= "name=value&q={searchTerms}"; - - # Name = "Qwant"; - # SuggestURLTemplate = "https://api.qwant.com/api/suggest/?q={searchTerms}"; - # URLTemplate = "https://www.qwant.com/?q={searchTerms}"; - # } - # ]; - # }; - # }; - + browsers = ["firefox"]; }; - # create one desktop entry for each profile - xdg.desktopEntries = lib.mapAttrs' ( - k: _v: - lib.nameValuePair "firefox-profile-${k}" { - categories = [ - "Network" - "WebBrowser" - ]; - exec = "${lib.getExe config.programs.firefox.package} -P ${k}"; - genericName = "Web Browser"; - icon = - builtins.replaceStrings [ ".desktop" ] [ "" ] - config.programs.firefox.package.desktopItem.name; - mimeType = [ - "text/html" - "text/xml" - "application/xhtml+xml" - "application/vnd.mozilla.xul+xml" - "x-scheme-handler/http" - "x-scheme-handler/https" - ]; - name = "Firefox: ${k}"; - startupNotify = true; - settings.StartupWMClass = - # To group windows of different profiles. - # Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name. - #if profile.name == "default" - #then "firefox" - #else "firefox-${profile.name}"; - "firefox"; - terminal = false; - type = "Application"; - } - ) config.programs.firefox.profiles; + home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json"; } 
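Review bot: `home.file.".mozilla/native-messaging-hosts/passff.json".source` at the end of the hunk installs a second native-messaging bridge to the password store by hand, directly next to the `programs.browserpass` module that already registers one for firefox, and nothing records why both are wanted. A comment such as `# passff-host: native-messaging host for the passff extension; browserpass (above) only serves its own extension` would make the pairing deliberate, since each host presumably grants the extension ids listed in its manifest access to `pass`. If only one of the two is actually in use, dropping the other shrinks the set of extensions that can reach the store.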
diff --git a/nix/home-manager/programs/gpg-agent.nix b/nix/home-manager/programs/gpg-agent.nix
deleted file mode 100644
index 6357087..0000000
--- a/nix/home-manager/programs/gpg-agent.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- lib,
- pkgs,
- osConfig,
- ...
-}:
-{
- home.packages = [ pkgs.gcr ];
-
- programs.gpg.enable = true;
- services.gpg-agent = {
- enable = true;
- enableScDaemon = !osConfig.services.pcscd.enable;
- enableSshSupport = true;
- grabKeyboardAndMouse = true;
- pinentry.package = lib.mkDefault pkgs.pinentry-gtk2;
- extraConfig = ''
- no-allow-external-cache
- '';
-
- defaultCacheTtl = 0;
- maxCacheTtl = 0;
- };
-}
diff --git a/nix/home-manager/programs/holochain-launcher.nix b/nix/home-manager/programs/holochain-launcher.nix
new file mode 100644
index 0000000..0cc4e15
--- /dev/null
+++ b/nix/home-manager/programs/holochain-launcher.nix
@@ -0,0 +1,3 @@
+{pkgs, ...}: {
+ home.packages = [pkgs.holochain-launcher];
+}
diff --git a/nix/home-manager/programs/homeshick.nix b/nix/home-manager/programs/homeshick.nix
index 4ba0dfe..ba83ae1 100644
--- a/nix/home-manager/programs/homeshick.nix
+++ b/nix/home-manager/programs/homeshick.nix
@@ -1,25 +1,32 @@ -{ pkgs, config, ... }: { - home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; + pkgs, + config, + ... +}: let + # TODO: clean up the impurity in here +in { + home.sessionVariables = {HOMESHICK_DIR = "${pkgs.homeshick}";}; - home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] '' - $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' - set -e - echo home-manager path is ${config.home.path} - echo home is $HOME + home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] '' + $DRY_RUN_CMD ${ + pkgs.writeScript "activation-script" '' + set -e + echo home-manager path is ${config.home.path} + echo home is $HOME - source ${pkgs.homeshick}/homeshick.sh - type homeshick + source ${pkgs.homeshick}/homeshick.sh + type homeshick - # echo Updating homeshick - # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick - # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick - ''}; + # echo Updating homeshick + # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick + # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick + '' + }; ''; nixpkgs.config = { - packageOverrides = - pkgs: with pkgs; { + packageOverrides = pkgs: + with pkgs; { homeshick = builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; diff --git a/nix/home-manager/programs/libreoffice.nix b/nix/home-manager/programs/libreoffice.nix index 2091dc8..3f9c077 100644 --- a/nix/home-manager/programs/libreoffice.nix +++ b/nix/home-manager/programs/libreoffice.nix @@ -1,8 +1,8 @@ -{ pkgs, nodeFlake, ... }: +{pkgs, ...}: { + home.sessionVariables = { + # Workaround for Libreoffice to force gtk3 + SAL_USE_VCLPLUGIN = "gtk3"; + }; -let - pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system}; -in -{ - home.packages = [ pkgsStable.libreoffice ]; + home.packages = with pkgs; [libreoffice-fresh]; } diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix index fa5c94a..66d7fc5 100644 
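Review bot: `homeshick = builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; ...` in `packageOverrides` fetches an unpinned branch with no `rev`, and the activation script above it then runs `source ${pkgs.homeshick}/homeshick.sh` on every home-manager switch, so whatever sits at the tip of that branch at evaluation time executes with the user's privileges; the added `# TODO: clean up the impurity in here` acknowledges this but leaves it in place. Pin the checkout with `rev = "<commit-sha>";` (placeholder) and bump it deliberately, or switch to `pkgs.fetchFromGitHub` with a `sha256`, so that what the activation script sources is reproducible and reviewable. The `packageOverrides` attribute set continues past the end of this hunk.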
--- a/nix/home-manager/programs/neovim.nix
+++ b/nix/home-manager/programs/neovim.nix
@@ -1,163 +1,126 @@ -{ repoFlake, pkgs, ... }: -{ - imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; +{pkgs, ...}: let +in { + home.sessionVariables = {EDITOR = "nvim";}; - programs.nixvim = { + programs.neovim = { enable = true; - defaultEditor = true; - vimdiffAlias = true; - vimAlias = true; - extraPython3Packages = ps: with ps; [ ]; + extraPython3Packages = ps: with ps; []; - # extraConfigVim = builtins.readFile ./neovim/vimrc; + extraConfig = builtins.readFile ./neovim/vimrc; - clipboard = { - register = "unnamedplus"; - providers.wl-copy.enable = true; - }; + plugins = with pkgs; + [ + # yaml-folds + { + plugin = vimUtils.buildVimPlugin { + name = "vim-yaml-folds"; + src = fetchFromGitHub { + owner = "pedrohdz"; + repo = "vim-yaml-folds"; + rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; + sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; + }; + buildInputs = [zip vim]; + }; + } - plugins = { - airline = { - enable = true; - settings = { - powerline_fonts = 1; - skip_empty_sections = 1; - theme = "papercolor"; - }; - }; - fugitive.enable = true; - gitblame.enable = true; - lsp = { - enable = true; - }; + { + plugin = vimUtils.buildVimPlugin { + name = "vim-yaml"; + src = fetchFromGitHub { + owner = "stephpy"; + repo = "vim-yaml"; + rev = "e97e063b16eba4e593d620676a0a15fa98613979"; + sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; + }; + }; + } - nix.enable = true; + # broken 2021-06-08 + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-markdown-toc"; + # src = fetchFromGitHub { + # owner = "mzlogin"; + # repo = "vim-markdown-toc"; + # rev = "b7bb6c37033d3a6c93906af48dc0e689bd948638"; + # sha256 = "026xf2gid4qivwawh7if3nfk7zja9di0flhdzdx82lvil9x48lyz"; + # }; + # }; + # } - # TODO: enable in next release - # numbertoggle.enable = true; + # broken 2021-06-08 + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-perl"; + # src = fetchFromGitHub { + # owner = "vim-perl"; + # repo = "vim-perl"; + # 
rev = "f330b5d474c44e6cfae22ba50868093dea3e9adb"; + # sha256 = "1dy40ixgixj0536c5ggra51b4yd1lbw4j6l0j5zc3diasb7m2gvr"; + # }; + # }; + # } - # successfor to ctrlp and fzf - telescope.enable = true; + { + plugin = vimUtils.buildVimPlugin { + name = "git-blame"; + src = fetchFromGitHub { + "owner" = "zivyangll"; + "repo" = "git-blame.vim"; + "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; + "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; + }; + }; + } + ] + ++ (with pkgs.vimPlugins; [ + delimitMate + vim-airline + vim-airline-themes + ctrlp + vim-css-color + rainbow_parentheses + vim-colorschemes + vim-colorstepper + vim-signify + fugitive + vim-indent-guides + UltiSnips + fzfWrapper - todo-comments.enable = true; + ncm2 + ncm2-bufword + ncm2-path + ncm2-tmux + ncm2-ultisnips + nvim-yarp - toggleterm.enable = true; + LanguageClient-neovim - treesitter = { - enable = true; + Improved-AnsiEsc + tabular - grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [ - bash - json - lua - make - markdown - nix - regex - toml - vim - vimdoc - xml - yaml - ]; - }; + # Nix + vim-addon-nix + tlib + vim-addon-vim2nix - treesitter-context.enable = true; - treesitter-refactor.enable = true; + # LaTeX + vim-latex-live-preview + vimtex - # This plugin trims trailing whitespace and lines. 
- trim.enable = true; + # YAML + vim-yaml - web-devicons.enable = true; - }; + # markdown + vim-markdown + vim-markdown-toc - # plugins = with pkgs; - # [ - # # yaml-folds - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-yaml-folds"; - # src = fetchFromGitHub { - # owner = "pedrohdz"; - # repo = "vim-yaml-folds"; - # rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; - # sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; - # }; - # buildInputs = [zip vim]; - # }; - # } - - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-yaml"; - # src = fetchFromGitHub { - # owner = "stephpy"; - # repo = "vim-yaml"; - # rev = "e97e063b16eba4e593d620676a0a15fa98613979"; - # sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; - # }; - # }; - # } - - # { - # plugin = vimUtils.buildVimPlugin { - # name = "git-blame"; - # src = fetchFromGitHub { - # "owner" = "zivyangll"; - # "repo" = "git-blame.vim"; - # "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; - # "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; - # }; - # }; - # } - # ] - # ++ (with pkgs.vimPlugins; [ - # delimitMate - # vim-airline - # vim-airline-themes - # ctrlp - # vim-css-color - # rainbow_parentheses - # vim-colorschemes - # vim-colorstepper - # vim-signify - # fugitive - # vim-indent-guides - # UltiSnips - # fzfWrapper - - # ncm2 - # ncm2-bufword - # ncm2-path - # ncm2-tmux - # ncm2-ultisnips - # nvim-yarp - - # LanguageClient-neovim - - # Improved-AnsiEsc - # tabular - - # # Nix - # vim-addon-nix - # tlib - # vim-addon-vim2nix - - # # LaTeX - # vim-latex-live-preview - # vimtex - - # # YAML - # vim-yaml - - # # markdown - # vim-markdown - # vim-markdown-toc - - # # misc syntax support - # vim-bazel - # maktaba - # ]); + # misc syntax support + vim-bazel + maktaba + ]); }; } diff --git a/nix/home-manager/programs/neovim/vimrc b/nix/home-manager/programs/neovim/vimrc index f3cb42b..c002c2b 100644 --- a/nix/home-manager/programs/neovim/vimrc 
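Review bot: The `git-blame` entry in `plugins` quotes its attribute names (`"owner" = "zivyangll";`, `"repo" = "git-blame.vim";`, …) while every other `fetchFromGitHub` call in the hunk uses bare `owner = …;`; the quoting is harmless but inconsistent, and the `{pkgs, ...}: let in {` at the top of the file is an empty binding that can just be `{pkgs, ...}: {`. The two `# broken 2021-06-08` blocks are dated commented-out code for `vim-markdown-toc` and `vim-perl`, and `vim-markdown-toc` is also listed from `pkgs.vimPlugins` further down the same list, so the commented `buildVimPlugin` block for it is dead and could be dropped. The pinned `rev` plus `sha256` on each `fetchFromGitHub` is the right pattern for a sourced plugin; keep it rather than tracking a branch.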
+++ b/nix/home-manager/programs/neovim/vimrc @@ -49,8 +49,8 @@ let g:ctrlp_custom_ignore = { \ 'dir': '\v[\/]\.(git|hg|svn)$$', \ 'file': '\v\.(exe|so|dll)$$', \ } -"let g:ctrlp_max_files=0 -"let g:ctrlp_max_depth=1000 +let g:ctrlp_max_files=0 +let g:ctrlp_max_depth=1000 "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' } "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict' diff --git a/nix/home-manager/programs/obs-studio.nix b/nix/home-manager/programs/obs-studio.nix deleted file mode 100644 index d99747d..0000000 --- a/nix/home-manager/programs/obs-studio.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ pkgs, lib, ... }: -{ - programs.obs-studio = { - enable = true; - plugins = - builtins.map - ( - plugin: - (plugin.overrideAttrs (attrs: { - meta = lib.mkMerge [ - { inherit (attrs) meta; } - { meta.platforms = [ pkgs.stdenv.system ]; } - ]; - })) - ) - ( - with pkgs.obs-studio-plugins; - [ - # wlrobs - obs-backgroundremoval - obs-pipewire-audio-capture - ] - ); - }; -} diff --git a/nix/home-manager/programs/openvscode-server.nix b/nix/home-manager/programs/openvscode-server.nix deleted file mode 100644 index 4b01360..0000000 --- a/nix/home-manager/programs/openvscode-server.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{ pkgs, repoFlake, ... }: -let - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; -in -{ - home.packages = [ - pkgs.nil - pkgs.nixd - pkgs.nixfmt-rfc-style - - # TODO: automate linking this - # 1. get the commit with: `codium --version` - # 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/` - # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/ - - /* - e.g.: - ``` - ( - set -e - export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') - ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" - ) - ``` - */ - - (pkgsVscodium.openvscode-server.overrideAttrs (attrs: { - src = repoFlake.inputs.openvscode-server; - version = "1.94.2"; - yarnCache = attrs.yarnCache.overrideAttrs (_: { - outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt="; - }); - })) - - pkgs.waypipe - ]; -} diff --git a/nix/home-manager/programs/pass.nix b/nix/home-manager/programs/pass.nix index 43805e0..9a1b9c4 100644 --- a/nix/home-manager/programs/pass.nix +++ b/nix/home-manager/programs/pass.nix 
@@ -1,17 +1,11 @@ -{ repoFlake, pkgs, ... }: -{ - # required by pass-otp - # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; - # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; - # programs.browserpass.enable = true; +{pkgs, ...}: { + home.sessionVariables = { + # required by pass-otp + PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; + PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; + }; - home.packages = [ - pkgs.gnupg + programs.browserpass = {enable = true;}; - # broken on wayland - # rofi-pass - - (pkgs.callPackage repoFlake.lib.prsFn { - }) - ]; + home.packages = with pkgs; [pass qtpass rofi-pass gnupg]; } diff --git a/nix/home-manager/programs/podman.nix b/nix/home-manager/programs/podman.nix new file mode 100644 index 0000000..f663743 --- /dev/null +++ b/nix/home-manager/programs/podman.nix 
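Review bot: `PASSWORD_STORE_ENABLE_EXTENSIONS = "true"` and `PASSWORD_STORE_EXTENSIONS_DIR` are enabled under the comment `# required by pass-otp`, but nothing in this hunk installs pass-otp (`home.packages` is `pass qtpass rofi-pass gnupg`), so extension loading is switched on with nothing to load. If pass-otp is the goal, nixpkgs' `pass.withExtensions (ext: [ext.pass-otp])` bundles the extension with `pass` and makes both variables unnecessary; otherwise drop the two variables so `pass` does not execute scripts from an extensions directory that is not needed. The old side's `# broken on wayland` note next to `rofi-pass` is removed while `rofi-pass` is re-added — presumably it works now, but a short comment saying so would help the next reader.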
@@ -0,0 +1,144 @@ +{pkgs, ...}: let + cniConfigDir = let + loopback = pkgs.writeText "00-loopback.conf" '' + { + "cniVersion": "0.3.0", + "type": "loopback" + } + ''; + + podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ''; + in + pkgs.runCommand "cniConfig" {} '' + set -x + mkdir $out; + ln -s ${loopback} $out/${loopback.name} + ln -s ${podman-bridge} $out/${podman-bridge.name} + ''; + + containersConf = pkgs.writeText "containers.conf" '' + # containers.conf is the default configuration file for all tools using libpod to + # manage containers + + [containers] + + # Maximum size of log files (in bytes) + # -1 is unlimited + log_size_max = -1 + + + [engine] + + # Default transport method for pulling and pushing for images + image_default_transport = "docker://" + + # Paths to search for the conmon container manager binary. If the paths are empty or no valid path was found, then the $PATH environment variable will be used as the fallback. + conmon_path = [ + "${pkgs.conmon}/bin/conmon" + ] + + # --runtime ${pkgs.crun}/bin/crun \ + runtime = "crun" + + # Environment variables to pass into conmon + conmon_env_vars = [ + ] + + # CGroup Manager - valid values are "systemd" and "cgroupfs" + cgroup_manager = "systemd" + + + # Whether to use chroot instead of pivot_root in the runtime + no_pivot_root = false + + # Determines whether libpod will reserve ports on the host when they are + # forwarded to containers. When enabled, when ports are forwarded to containers, + # they are held open by conmon as long as the container is running, ensuring that + # they cannot be reused by other programs on the host. 
However, this can cause + # significant memory usage if a container has many ports forwarded to it. + # Disabling this can save memory. + enable_port_reservation = true + + [network] + # Directory containing CNI plugin configuration files + network_config_dir = "${cniConfigDir}" + + # Directories where the CNI plugin binaries may be located + cni_plugin_dirs = [ + "${pkgs.cni-plugins}/bin" + ] + + # Default CNI network for libpod. + # If multiple CNI network configs are present, libpod will use the network with + # the name given here for containers unless explicitly overridden. + # The default here is set to the name we set in the + # 87-podman-bridge.conflist included in the repository. + # Not setting this, or setting it to the empty string, will use normal CNI + # precedence rules for selecting between multiple networks. + default_network = "podman" + ''; +in { + home.packages = with pkgs; [podman]; + + home.file.".config/containers/containers.conf".source = containersConf; + + home.file.".config/containers/registries.conf".text = '' + [registries.search] + registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org'] + + [registries.insecure] + registries = [] + + #blocked (docker only) + [registries.block] + registries = [] + ''; + + home.file.".config/containers/storage.conf".text = '' + [storage] + driver = "btrfs" + ''; + + home.file.".config/containers/policy.json".text = '' + { + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": + { + "docker-daemon": + { + "": [{"type":"insecureAcceptAnything"}] + } + } + } + ''; +} diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix index be31268..6631be6 100644 --- a/nix/home-manager/programs/radicale.nix +++ b/nix/home-manager/programs/radicale.nix 
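Review bot: `policy.json` sets the `default` policy to `insecureAcceptAnything` and the `docker-daemon` transport override repeats it, so podman never verifies image signatures for any registry; together with the `[registries.search]` list (`docker.io`, `quay.io`, `registry.fedoraproject.org`) an unqualified image name is tried against each registry in order and pulled unverified. A safer baseline is `"default": [{"type": "reject"}]` with explicit per-transport or per-registry entries — `insecureAcceptAnything` only for registries you deliberately trust, or `signedBy` where signatures are published — and either fully qualified image names or a single search registry. Also add a comment above `home.file.".config/containers/policy.json"` such as `# NOTE: this policy disables image signature verification for all transports` so the choice is visible without reading the JSON.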
@@ -1,11 +1,11 @@ { config, - lib, pkgs, - osConfig, + lib, ... -}: -let +}: let + passwords = import ../../variables/passwords.crypt.nix; + libdecsync = pkgs.python3Packages.buildPythonPackage rec { pname = "libdecsync"; version = "2.2.1"; @@ -14,10 +14,6 @@ let inherit pname version; hash = "sha256-Mukjzjumv9VL+A0maU0K/SliWrgeRjAeiEdN5a83G0I="; }; - - propagatedBuildInputs = [ - # pkgs.libxcrypt-legacy - ]; }; radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec { pname = "radicale_storage_decsync"; 
@@ -28,62 +24,36 @@ let hash = "sha256-X+0MT5o2PjsKxca5EDI+rYyQDmUtbRoELDr6e4YXKCg="; }; - buildInputs = [ - pkgs.radicale - # pkgs.libxcrypt-legacy - # pkgs.libxcrypt - ]; - - nativeCheckInputs = [ - # pkgs.libxcrypt-legacy - # pkgs.libxcrypt - ]; - - propagatedBuildInputs = [ - libdecsync - pkgs.python3Packages.setuptools - ]; + buildInputs = [pkgs.radicale]; + propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; }; radicale-decsync = pkgs.radicale.overrideAttrs (old: { - propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; + propagatedBuildInputs = + old.propagatedBuildInputs + ++ [radicale-storage-decsync]; }); + radicale-config = pkgs.writeText "radicale-config" '' + [auth] + type = htpasswd + htpasswd_filename = ${ + pkgs.writeText "radicale" '' + radicale:${passwords.users.radicale} + '' + } + htpasswd_encryption = bcrypt - mkRadicaleService = - { suffix, port }: - let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} - - [auth] - type = htpasswd - htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt - - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} - ''; - in - { - systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; - }; - Install.WantedBy = [ "default.target" ]; - }; + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale + decsync_dir = ${config.xdg.dataHome}/decsync + ''; +in { + systemd.user.services.radicale = { + Unit.Description = "Radicale with DecSync"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart 
= "on-failure"; }; -in -builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ - { - suffix = "personal"; - port = 5232; - } - { - suffix = "family"; - port = 5233; - } -] + Install.WantedBy = ["default.target"]; + }; +} diff --git a/nix/home-manager/programs/redshift.nix b/nix/home-manager/programs/redshift.nix deleted file mode 100644 index 9e45594..0000000 --- a/nix/home-manager/programs/redshift.nix +++ /dev/null @@ -1,28 +0,0 @@ -_: -let - passwords = import ../../variables/passwords.crypt.nix; -in -{ - services.gammastep = { - enable = true; - provider = "manual"; - enableVerboseLogging = true; - inherit (passwords.location.stefan) longitude latitude; - temperature = { - # day = 6700; - day = 3000; - night = 3000; - }; - tray = true; - settings = { - general = { - adjustment-method = "wayland"; - }; - gammastep = { - # brightness-day = 1.0; - brightness-day = 0.5; - brightness-night = 0.5; - }; - }; - }; -} diff --git a/nix/home-manager/programs/salut.nix b/nix/home-manager/programs/salut.nix deleted file mode 100644 index 415e3be..0000000 --- a/nix/home-manager/programs/salut.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ pkgs, packages', ... }: -# useful testing command: -# for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done -let - inherit (import ../lib.nix { }) mkSimpleTrayService; -in -{ - home.packages = [ packages'.salut ]; - - xdg.configFile."salut/config.ini" = { - enable = true; - text = '' - [notifications] - timeout = 5000 - - [window] - auto-hide = true - anchor = bottom-right - transition = slidebottom - - [mode] - single = true - - [style] - preference = dark - ''; - onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; - }; - - systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; -} diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index 676829c..71996cd 100644 
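Review bot: The new `radicale-config` writes the htpasswd file with `pkgs.writeText "radicale" ''radicale:${passwords.users.radicale}''`, which puts the credential imported from `passwords.crypt.nix` (first hunk of this file) into the world-readable Nix store; even with `htpasswd_encryption = bcrypt` the stored value is readable by every local user and process, whereas the old side kept it out of the store by pointing `htpasswd_filename` at `osConfig.sops.secrets.radicale_htpasswd.path`. Keep the htpasswd content out of the store by referencing a runtime-provisioned secret path (sops-nix/agenix, or a mode-0600 file under the user's home) in `htpasswd_filename` instead of interpolating the value at evaluation time. The new config also drops the `[server]` section, so `hosts` falls back to Radicale's built-in default instead of the previously explicit `localhost:<port>` — worth confirming that is intended and adding `[server]\nhosts = localhost:<port>` if not.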
--- a/nix/home-manager/programs/vscode/default.nix
+++ b/nix/home-manager/programs/vscode/default.nix
@@ -1,134 +1,481 @@ -{ - config, - pkgs, - repoFlake, - lib, - ... -}: -let - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; -in -{ +{pkgs, ...}: let + packagedExtensions = with pkgs.vscode-extensions; [ + # bbenoist.Nix + ms-vscode-remote.remote-ssh + + vscodevim.vim + ]; + + marketPlaceExtensions = pkgs.vscode-utils.extensionsFromVscodeMarketplace [ + # { + # name = "vim"; + # publisher = "vscodevim"; + # version = "1.17.1"; + # sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1"; + # } + # { + # name = "remote-ssh-edit"; + # publisher = "ms-vscode-remote"; + # version = "0.56.0"; + # sha256 = "1gy03ff2xqg7q3y4j47z2l94x5gbw0mjd5h4cl3n0q3iaswk1c1r"; + # } + { + name = "Theme-NaturalContrast-With-HC"; + publisher = "74th"; + version = "1.0.0"; + sha256 = "1wxwk059znkflip0c8hyqdfq0h15n4idmff4bnnfdggiqjwhr5rm"; + } + { + name = "markdown-toc"; + publisher = "AlanWalk"; + version = "1.5.6"; + sha256 = "0hh38i2dpmrm2akcd4jkxchp6b374m5jzcqm1jqqmkqjmlig7qm5"; + } + { + name = "Paper-tmTheme"; + publisher = "DiryoX"; + version = "0.4.0"; + sha256 = "0l8hgbwwg87ysfb22rvwgmkk91i4vjd0kgi30c1bn26bm2pd1gw0"; + } + { + name = "Monokai-Polished"; + publisher = "Mit"; + version = "0.3.1"; + sha256 = "11h7sfwp9ikwc8z6bkyxk1678ymfpff8i2p876b208yrq8dy2kr1"; + } + { + name = "dot"; + publisher = "Stephanvs"; + version = "0.0.1"; + sha256 = "0rq0wvnbcggg4zb4swxym77knfjma0v9lwf3x45p22qsqx2crvgf"; + } + { + name = "rust-snippets"; + publisher = "ZakCodes"; + version = "0.0.1"; + sha256 = "152i23mh8j2l26zpwid3hllxc2abkhr3g939rvxk8bry137vryy2"; + } + { + name = "better-comments"; + publisher = "aaron-bond"; + version = "2.1.0"; + sha256 = "0kmmk6bpsdrvbb7dqf0d3annpg41n9g6ljzc1dh0akjzpbchdcwp"; + } + { + name = "vscode-icalendar"; + publisher = "af4jm"; + version = "1.0.1"; + sha256 = "0g15f2595ayy9ch4f2ccd8prc51q1mwslilk8sk2ldsmdksaya79"; + } + { + name = "hugofy"; + publisher = "akmittal"; + version = "0.1.1"; + sha256 = 
"02rjwmy7z4qfxws8lgdki53q4b2hjklxn2nlxx3w04kahr759dlg"; + } + { + name = "asciidoctor-vscode"; + publisher = "asciidoctor"; + version = "2.8.4"; + sha256 = "0j019vwmd83mbc75kfcqzmpvqzsp3s595cgh6n9978k9q0zjrqad"; + } + { + name = "markdown-preview-github-styles"; + publisher = "bierner"; + version = "0.1.6"; + sha256 = "1plj6a1hgbhb740zbw4pbnk7919cx1s6agf5xiiqbb9485x2pqiw"; + } + { + name = "made-of-code"; + publisher = "brian-yu"; + version = "0.0.5"; + sha256 = "1cmw63vrpzxv8vkgq674xa2wqqag0a8spr623ngi87925f17p965"; + } + { + name = "better-toml"; + publisher = "bungcip"; + version = "0.3.2"; + sha256 = "08lhzhrn6p0xwi0hcyp6lj9bvpfj87vr99klzsiy8ji7621dzql3"; + } + { + name = "tabulous"; + publisher = "bwildeman"; + version = "1.2.0"; + sha256 = "0hbp345i19ncvn1v792nr257gmw0nz09nhjniiypnzvz9wszw2j9"; + } + { + name = "bracket-pair-colorizer"; + publisher = "CoenraadS"; + version = "1.0.61"; + sha256 = "0r3bfp8kvhf9zpbiil7acx7zain26grk133f0r0syxqgml12i652"; + } + { + name = "mustache"; + publisher = "dawhite"; + version = "1.1.1"; + sha256 = "1j8qn5grg8v3n3v66d8c77slwpdr130xzpv06z1wp2bmxhqsck1y"; + } + { + name = "vscode-nomnoml"; + publisher = "doctorrustynelson"; + version = "0.3.0"; + sha256 = "07nr6n5ai8m6rap8av47mqi3vv6zchymiqfw8jlbl4hsryszyr43"; + } + { + name = "gitlens"; + publisher = "eamodio"; + version = "11.0.5"; + sha256 = "1fi8j5r6cd82a50hv2lwzqnvyvhxf9waamkviyh0wyqi5i1k4q88"; + } + { + name = "monokai-light"; + publisher = "ethansugar"; + version = "0.2.1"; + sha256 = "1xn74arpv58hwdywaxvv9xhljl23wsqdpyfrgn9nvd29gsiz71w0"; + } + { + name = "Theme-Monokai-Contrast"; + publisher = "gerane"; + version = "0.0.5"; + sha256 = "1m1n1izdjgng0q3yljccwjxj0s60p5nfw3hlw7hb467a1wz479pm"; + } + { + name = "Theme-snappy-light"; + publisher = "gerane"; + version = "0.0.5"; + sha256 = "0syrm921l4lka6dmg258c2zi0a758acvcs8y0qm0kjim7h7xxf0w"; + } + { + name = "vscode-pull-request-github"; + publisher = "GitHub"; + version = "0.21.3"; + sha256 = 
"0p03v6y1gh62jby74vkhi897mzj8dg9xb561v0b99x81r9zhwqw0"; + } + { + name = "go"; + publisher = "golang"; + version = "0.19.0"; + sha256 = "1xr2c4xn0w68fdcbm8d2wqfb9dxf03w38367ghycrzmz2p4syr98"; + } + { + name = "terraform"; + publisher = "hashicorp"; + version = "2.3.0"; + sha256 = "0696q8nr6kb5q08295zvbqwj7lr98z18gz1chf0adgrh476zm6qq"; + } + { + name = "bonsai"; + publisher = "hawkeyegold"; + version = "1.4.0"; + sha256 = "0r7bxx1lgbg6p97xwd2wr8j7slz720a1v6vzpd0fhcq83vqzkl89"; + } + { + name = "live-html-previewer"; + publisher = "hdg"; + version = "0.3.0"; + sha256 = "0hv5plh44q97355j5la83r8hjsxpv9d173mba34xr4p82a3pcq5p"; + } + { + name = "yuml"; + publisher = "JaimeOlivares"; + version = "3.5.1"; + sha256 = "01phwj8kn2zmzpjk97wacnc8iiby0szv40b1030fkcm3szafnya0"; + } + { + name = "latex-workshop"; + publisher = "James-Yu"; + version = "8.14.0"; + sha256 = "12bh2gpmak7vgzhjnvk2hw0yqm6wkd7vsm4ki4zbqa6lpriscjyi"; + } + { + name = "plantuml"; + publisher = "jebbs"; + version = "2.13.16"; + sha256 = "0672x0a1c9yk0g4vka40f4amgxir2bs25zg6qsims9plj0x2s4si"; + } + { + name = "tasks-chooser"; + publisher = "jeremyfa"; + version = "0.3.0"; + sha256 = "0bq80wv7zf94cgn94ll3jj68z35p13r0zw5by62dnlnj1sv7dghi"; + } + { + name = "asciidoctor-vscode"; + publisher = "joaompinto"; + version = "2.8.0"; + sha256 = "06nx627fik3c3x4gsq01rj0v59ckd4byvxffwmmigy3q2ljzsp0x"; + } + { + name = "contrast-theme"; + publisher = "johndugan"; + version = "1.1.10"; + sha256 = "0hib85318940ajfbzqrpgqh4jr39w18aq6babargbf64yxg94mbw"; + } + { + name = "theme-dark-plus-contrast"; + publisher = "k3a"; + version = "0.1.101"; + sha256 = "137kq6i6xn394msjrhj7v6c8shrvw9yf8i01mf4yl4aan2bw3419"; + } + { + name = "vscode-gist"; + publisher = "kenhowardpdx"; + version = "3.0.3"; + sha256 = "033iry115hbd5jbdr04frbrcgfpfnsc2z551nlfsaczbg4j9dydw"; + } + { + name = "quick-open"; + publisher = "leizongmin"; + version = "1.1.0"; + sha256 = "03avjgkvl2w51f0lvvfksa6lxqb4i9jgz2c74hw686yaydj8mfsp"; + } + { + name = 
"rainbow-csv"; + publisher = "mechatroner"; + version = "1.7.1"; + sha256 = "0w5mijs4ll5qjkpyw7qpn1k40pq8spm0b3q72x150ydbcini5hxw"; + } + { + name = "openapi-lint"; + publisher = "mermade"; + version = "1.2.0"; + sha256 = "0q81ifgr211apymbs21y0l3x8n324k6mh7p8kykz2xz38cslyq49"; + } + { + name = "swagger-doc-viewer"; + publisher = "mimarec"; + version = "1.0.4"; + sha256 = "1vvqwmfav6c2r1xkyfczm564bi2cpa9nklj35w3h3hrp4f6dnvpx"; + } + { + name = "vscode-clang"; + publisher = "mitaki28"; + version = "0.2.3"; + sha256 = "0xbg2frb4dxv7zl43gi25w2mkkh4xq2aidcf5i8b4imys9h720yr"; + } + { + name = "prettify-json"; + publisher = "mohsen1"; + version = "0.0.3"; + sha256 = "1spj01dpfggfchwly3iyfm2ak618q2wqd90qx5ndvkj3a7x6rxwn"; + } + { + name = "vscode-docker"; + publisher = "ms-azuretools"; + version = "1.8.1"; + sha256 = "08691mwb3kgmk5fnjpw1g3a5i7qwalw1yrv2skm519wh62w6nmw8"; + } + { + name = "python"; + publisher = "ms-python"; + version = "2020.11.371526539"; + sha256 = "0iavy4c209k53jkqsbhsvibzjj3fjxa500rv72fywgb2vxsi9fc3"; + } + { + name = "jupyter"; + publisher = "ms-toolsai"; + version = "2020.11.372831992"; + sha256 = "0r39xqrbkzcfkz6rca039s87ibx79a983y8lbiglhkmw3bp4p658"; + } + # fails to download C/C++ tools + # { + # name = "cpptools"; + # publisher = "ms-vscode"; + # version = "1.1.2"; + # sha256 = "09z1vrshvwimdrpsnfs4lyzca2qixp3h85xib8jf2fpxdjl3r5vg"; + # } + { + name = "vscode-quick-open-create"; + publisher = "nocksock"; + version = "0.6.0"; + sha256 = "0ipkjm74xpx44h130rmbnkjwsi63kcvq6fr0b0nxqqc9aa9jk22j"; + } + { + name = "indent-rainbow"; + publisher = "oderwat"; + version = "7.4.0"; + sha256 = "1xnsdwrcx24vlbpd2igjaqlk3ck5d6jzcfmxaisrgk7sac1aa81p"; + } + { + name = "phantypist"; + publisher = "paulofallon"; + version = "1.0.3"; + sha256 = "0rsaklwsd9i25p9j82ivblkbsk5cwjm22afzc2cq5klkbz9vxg62"; + } + { + name = "swaggitor"; + publisher = "qnsolutions"; + version = "0.1.1"; + sha256 = "0dhygxawxjhm0q1nmxwwcyhnk4hm1yzadnhc5ha7amdg7gddlrc1"; + } + { + name = 
"vscode-yaml"; + publisher = "redhat"; + version = "0.13.0"; + sha256 = "046kdk73a5xbrwq16ff0l64271c6q6ygjvxaph58z29gyiszfkig"; + } + { + name = "papercolor-vscode"; + publisher = "rozbo"; + version = "0.4.0"; + sha256 = "0fla4dfxm6ppqgfvp9rc2izhnv0909yk3r38xmh15ald84i1jhzm"; + } + { + name = "iferrblocks"; + publisher = "rstuven"; + version = "1.1.1"; + sha256 = "0ncj1g2dqa1wwqmj27w1356f4b9nlk2narvgyjn208axfwifz1lw"; + } + { + name = "rust"; + publisher = "rust-lang"; + version = "0.7.8"; + sha256 = "039ns854v1k4jb9xqknrjkj8lf62nfcpfn0716ancmjc4f0xlzb3"; + } + { + name = "bracket-jumper"; + publisher = "sashaweiss"; + version = "1.1.8"; + sha256 = "11sj7h13yjcpd94x07wlmck7cmidk1kla00kjq7wfw2xc1143rqs"; + } + { + name = "just"; + publisher = "skellock"; + version = "2.0.0"; + sha256 = "1ph869zl757a11f8iq643f79h8gry7650a9i03mlxyxlqmspzshl"; + } + { + name = "line-endings"; + publisher = "steditor"; + version = "1.0.3"; + sha256 = "1mdybbhs771w8r9xqy1n7x2is2vhh6axkssarb2yy7gps3v81ik7"; + } + { + name = "code-spell-checker"; + publisher = "streetsidesoftware"; + version = "1.10.0"; + sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i"; + } + { + name = "code-spell-checker-german"; + publisher = "streetsidesoftware"; + version = "0.1.8"; + sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz"; + } + { + name = "code-spell-checker-german"; + publisher = "streetsidesoftware"; + version = "0.1.8"; + sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz"; + } + { + name = "code-spell-checker"; + publisher = "streetsidesoftware"; + version = "1.10.0"; + sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i"; + } + { + name = "vscode-open-in-github"; + publisher = "sysoev"; + version = "1.14.0"; + sha256 = "1whyrsckx0gikgjj1812dlsykck7cs696wz9fn4fhcishp9479hp"; + } + { + name = "html-preview-vscode"; + publisher = "tht13"; + version = "0.2.5"; + sha256 = "0k75ivigzjfq8y4xwwrgs2iy913plkwp2a68f0i4bkz9kx39wq6v"; + } + { + name = 
"scrolloff"; + publisher = "tickleforce"; + version = "0.0.4"; + sha256 = "1n5xcbcwdj54c9dlscd5igdbga6v9wv5j1qbhjb7p2mf7sbps3cq"; + } + { + name = "shellcheck"; + publisher = "timonwong"; + version = "0.12.1"; + sha256 = "0apvbs90mdjk5y6vy2v4azwxhdjqfypqp5d5hh9rlgxyq4m0azz2"; + } + { + name = "sort-lines"; + publisher = "Tyriar"; + version = "1.9.0"; + sha256 = "0l4wibsjnlbzbrl1wcj18vnm1q4ygvxmh347jvzziv8f1l790qjl"; + } + # slow and currently not needed + # { + # name = "vscode-lldb"; + # publisher = "vadimcn"; + # version = "1.6.0"; + # sha256 = "15m0idk75bvbzfxipdxwz2vpdklr15zv92h4mxxpr8db9jjr32vi"; + # } + # { + # name = "vim"; + # publisher = "vscodevim"; + # version = "1.17.1"; + # sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1"; + # } + { + name = "prettify-selected-json"; + publisher = "vthiery"; + version = "1.0.3"; + sha256 = "0g2svrls7x4w75fj6rr839mrwd3sn912vn6ysiy0sasnnc55rpgb"; + } + { + name = "debug"; + publisher = "webfreak"; + version = "0.25.0"; + sha256 = "0qm2jgkj17a0ca5z21xbqzfjpi0hzxw4h8y2hm8c4kk2bnw02sh1"; + } + { + name = "clang-format"; + publisher = "xaver"; + version = "1.9.0"; + sha256 = "0bwc4lpcjq1x73kwd6kxr674v3rb0d2cjj65g3r69y7gfs8yzl5b"; + } + { + name = "vscode-capnp"; + publisher = "xmonader"; + version = "1.0.0"; + sha256 = "0z2shl6qvr3y3m5y63v69x94rzyb2cmf5046afx2yswnll6j52fc"; + } + { + name = "plsql-language"; + publisher = "xyz"; + version = "1.8.2"; + sha256 = "16xxa6w03wzd95v1cycmjvw9hfg3chvpclrn28v0qsa3lir1mxrr"; + } + { + name = "markdown-pdf"; + publisher = "yzane"; + version = "1.4.4"; + sha256 = "00cjwjwzsv3wx2qy0faqxryirr2hp60yhkrlzsk0avmvb0bm9paf"; + } + { + name = "vscode-proto3"; + publisher = "zxh404"; + version = "0.5.2"; + sha256 = "1jmmbz3i0hxq5ka4rsk07mynxh3pkh5g736d9ryv1czhnrb06lwf"; + } + ]; +in { programs.vscode = { enable = true; - package = pkgsVscodium.vscodium; - profiles.default.extensions = - with pkgsVscodium.vscode-extensions; - [ - eamodio.gitlens - mkhl.direnv - tomoki1207.pdf - 
vscodevim.vim - - # bbenoist.nix - jnoortheen.nix-ide - - ms-vscode.theme-tomorrowkit - nonylene.dark-molokai-theme - - ms-python.vscode-pylance - - # TODO: these are not in nixpkgs - - # fredwangwang.vscode-hcl-format - # hashicorp.hcl - # mindaro-dev.file-downloader - # ms-vscode.remote-explorer - - # TODO: not compatible with vscodium - # ms-vscode-remote.remote-ssh - ] - ++ ( - let - extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; - in - with extensions.vscode-marketplace; - with extensions.vscode-marketplace-release; - [ - - serayuzgur.crates - rust-lang.rust-analyzer - swellaby.vscode-rust-test-adapter - - tamasfe.even-better-toml - golang.go - jeff-hykin.better-go-syntax - blueglassblock.better-json5 - nefrob.vscode-just-syntax - # fabianlauer.vs-code-xml-format - - bierner.emojisense - ] - ) - ++ ( - let - nix4vscodeToml = pkgs.writeText "nix4vscode.toml" '' - vscode_version = "${config.programs.vscode.package.version}" - - [[extensions]] - publisher_name = "FelixZeller" - extension_name = "markdown-oxide" - - [[extensions]] - publisher_name = "ibecker" - extension_name = "treefmt-vscode" - - [[extensions]] - publisher_name = "AntiAntiSepticeye" - extension_name = "vscode-color-picker" - - # [[extensions]] - # publisher_name = "nefrob" - # extension_name = "vscode-just-syntax" - - [[extensions]] - publisher_name = "fabianlauer" - extension_name = "vs-code-xml-format" - ''; - - nix4vscodeNix = - pkgs.runCommand "nix4vscode.nix" - { - # nix4vscode needs internet access - __noChroot = true; - requiredSystemFeatures = [ "recursive-nix" ]; - buildInputs = [ - pkgs.nix - pkgs.cacert - (pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { }) - # pkgs.strace - ]; - # outputHashAlgo = "sha256"; - # outputHashMode = "recursive"; - # outputHash = lib.fakeSha256; - } - '' - # set -x - # export RUST_BACKTRACE=full - # export RUST_LOG=trace - export HOME=$(mktemp -d) - # strace -ffZyyY - nix4vscode ${nix4vscodeToml} > 
$out - ''; - nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [ - "override" - "overrideDerivation" - ]; - nix4vscodeExtensions' = lib.attrsets.mapAttrsToList ( - _: v: builtins.head (builtins.attrValues v) - ) nix4vscodeExtensions; - in - nix4vscodeExtensions' - ); - mutableExtensionsDir = true; + extensions = + [] ++ packagedExtensions + # ++ marketPlaceExtensions + ; }; - home.packages = [ - pkgs.nil - pkgs.nixfmt-rfc-style - ]; + home.packages = [pkgs.nixpkgs-fmt pkgs.alejandra]; } # TODO: automate +# rustup install stable +# rustup component add rust-analysis --toolchain stable +# rustup component add rust-src --toolchain stable +# rustup component add rls --toolchain stable ### original list: # 74th.Theme-NaturalContrast-With-HC # AlanWalk.markdown-toc @@ -202,3 +549,4 @@ in # xyz.plsql-language # yzane.markdown-pdf # zxh404.vscode-proto3 + diff --git a/nix/home-manager/programs/waybar.css b/nix/home-manager/programs/waybar.css deleted file mode 100644 index 664a47f..0000000 --- a/nix/home-manager/programs/waybar.css +++ /dev/null @@ -1,5 +0,0 @@ -#custom-cputemp { - padding: 0 10px; - background-color: #f0932b; - color: #ffffff; -} diff --git a/nix/home-manager/programs/waybar.nix b/nix/home-manager/programs/waybar.nix deleted file mode 100644 index a559dfc..0000000 --- a/nix/home-manager/programs/waybar.nix +++ /dev/null 
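Review bot: `marketPlaceExtensions` contains duplicate entries — `code-spell-checker` (streetsidesoftware, 1.10.0) and `code-spell-checker-german` (0.1.8) each appear twice with identical `sha256` values — and the list is only referenced from the commented-out `# ++ marketPlaceExtensions`, so it is dead code as committed. If it is kept for later use, deduplicate it and be aware that the pinned versions are several years old (`gitlens` 11.0.5, `ms-python` 2020.11.371526539, `ms-toolsai.jupyter` 2020.11.372831992), so re-enabling the line would install long-unpatched extensions; the `sha256` pins are good, the versions need refreshing first. `extensions = [] ++ packagedExtensions` reduces to `extensions = packagedExtensions;`. The old side's note that `ms-vscode-remote.remote-ssh` is not compatible with vscodium stops applying only because `package = pkgsVscodium.vscodium;` was removed — presumably intentional, but a one-line comment next to `packagedExtensions` would make that dependency explicit.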
@@ -1,86 +0,0 @@ -{ pkgs, repoFlake, ... }: -{ - home.packages = [ - # required by any bar that has a tray plugin - pkgs.libappindicator-gtk3 - pkgs.libdbusmenu-gtk3 - ]; - - programs.waybar = { - enable = true; - package = - repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; - style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; - systemd.enable = true; - settings = { - mainBar = { - layer = "top"; - position = "bottom"; - height = 30; - output = - # hide the bar on HEADDLESS displays as i use them only for screensharing - (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ]; - # output = [ - # "eDP-1" - # "DP-*" - # ]; - - modules-left = [ - "sway/workspaces" - "sway/mode" - # "wlr/taskbar" - ]; - - "sway/workspaces" = { - disable-scroll = true; - all-outputs = false; - }; - - modules-center = [ - "sway/window" - # "custom/hello-from-waybar" - ]; - - modules-right = [ - "tray" - - "cpu" - "memory" - "custom/cputemp" - "custom/fan" - "battery" - "pulseaudio" - "clock" - "clock#date" - ]; - - tray.spacing = 10; - - cpu.format = " {usage}%"; - memory.format = " {}%"; - "temperature" = { - hwmon-path = "/sys/class/hwmon/hwmon3/temp1_input"; - format = " {temperatureC} °C"; - }; - - "custom/cputemp" = { - format = " {}"; - exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'"; - interval = 2; - }; - "custom/fan" = { - format = "  {} rpm "; - exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'"; - interval = 2; - }; - battery.format = "🔋 {}%"; - pulseaudio = { - format = "🔉 {volume}%"; - # on-click-middle = ''${pkgs.sway}/bin/swaymsg exec "${pkgs.pavucontrol}/bin/pavucontrol"''; - }; - clock.format = "{:%H:%M %p}"; - "clock#date".format = "{:%a, %d %b '%y}"; - }; - }; - }; -} diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 96f9982..9e64278 100644 
--- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix @@ -1,31 +1,24 @@ -{ - config, - lib, - pkgs, - ... -}: -let - just-plugin = - let - plugin_file = pkgs.writeText "_just" '' - #compdef just - #autload +{pkgs}: {...}: let + just-plugin = let + plugin_file = pkgs.writeText "_just" '' + #compdef just + #autload - alias justl="\just --list" - alias juste="\just --evaluate" + alias justl="\just --list" + alias juste="\just --evaluate" - local subcmds=() + local subcmds=() - while read -r line ; do - if [[ ! $line == Available* ]] ; - then - subcmds+=(''${line/[[:space:]]*\#/:}) - fi - done < <(just --list) + while read -r line ; do + if [[ ! $line == Available* ]] ; + then + subcmds+=(''${line/[[:space:]]*\#/:}) + fi + done < <(just --list) - _describe 'command' subcmds - ''; - in + _describe 'command' subcmds + ''; + in pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; 
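Review bot: The second header line of the generated `_just` completion file reads `#autload`, which zsh does not recognise; `compinit` keys off the first line (`#compdef just`) only, so the line is inert, and if it is meant as the `#autoload` marker it should be spelled that way or removed. The new outer signature `{pkgs}: {...}: let` also turns this file from a module into a function that returns one, so it presumably has to be applied to `pkgs` before being listed in `imports`; a one-line comment at the top, e.g. `# not a module: call as (import ./zsh.nix {inherit pkgs;})`, would save the next reader a failed evaluation. The `just-plugin` derivation continues past the end of this hunk.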
@@ -37,76 +30,63 @@ let chmod --recursive a-w $out ''; }; -in -{ +in { programs.zsh = { enable = true; - profileExtra = '' - . "${config.home.profileDirectory}/etc/profile.d/hm-session-vars.sh" - ''; - # will be called again by oh-my-zsh enableCompletion = false; - autosuggestion.enable = true; - initContent = - let - inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; - in - '' - if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then - unset TMPDIR - fi + enableAutosuggestions = true; + initExtra = let + inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; + in '' + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" - if test ! -n "$TMP" -a -z "$TMP"; then - unset TMP - fi + # Automatic rehash + zstyle ':completion:*' rehash true + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . $HOME/.shrc.d/sh_aliases + fi - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" + ${ + if builtins.hasAttr "homeshick" pkgs + then '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' + else "" + } - # Automatic rehash - zstyle ':completion:*' rehash true + # Disable intercepting of ctrl-s and ctrl-q as flow control. + stty stop ''' -ixoff -ixon - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi + # don't cd into directories when executed + unsetopt AUTO_CD - ${ - if builtins.hasAttr "homeshick" pkgs then - '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' - else - "" - } + export NIX_PATH="${pkgs.nixPath}" - # Disable intercepting of ctrl-s and ctrl-q as flow control. 
- stty stop ''' -ixoff -ixon + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" + ''; - # don't cd into directories when executed - unsetopt AUTO_CD - - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" - - ${lib.optionalString config.services.gpg-agent.enable '' - export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" - ''} - - ${lib.optionalString config.programs.neovim.enable '' - export EDITOR="nvim" - ''} - ''; + sessionVariables = { + # Add more envrionment variables here + }; plugins = [ { + # will source zsh-autosuggestions.plugin.zsh name = "zsh-autosuggestions"; - src = pkgs.zsh-autosuggestions; + src = pkgs.fetchFromGitHub { + owner = "zsh-users"; + repo = "zsh-autosuggestions"; + rev = "v0.6.3"; + sha256 = "1h8h2mz9wpjpymgl2p7pc146c1jgb3dggpvzwm9ln3in336wl95c"; + }; } { name = "enhancd"; @@ -114,8 +94,8 @@ in src = pkgs.fetchFromGitHub { owner = "b4b4r07"; repo = "enhancd"; - rev = "v2.5.1"; - sha256 = "sha256-kaintLXSfLH7zdLtcoZfVNobCJCap0S/Ldq85wd3krI="; + rev = "v2.2.4"; + sha256 = "1smskx9vkx78yhwspjq2c5r5swh9fc5xxa40ib4753f00wk4dwpp"; }; } { @@ -134,10 +114,7 @@ in oh-my-zsh = { enable = true; theme = "tjkirch"; - plugins = [ - "git" - "sudo" - ]; + plugins = ["git" "sudo"]; }; }; } diff --git a/nix/modules/flake-parts/colmena.nix b/nix/modules/flake-parts/colmena.nix deleted file mode 100644 index 136a5a1..0000000 --- a/nix/modules/flake-parts/colmena.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ lib, ... }: -{ - options.flake.colmena = lib.mkOption { - # type = lib.types.attrsOf lib.types.unspecified; - type = lib.types.raw; - default = { }; - }; -} diff --git a/nix/modules/flake-parts/perSystem/default.nix b/nix/modules/flake-parts/perSystem/default.nix deleted file mode 100644 index da1e42a..0000000 --- a/nix/modules/flake-parts/perSystem/default.nix +++ /dev/null 
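Review bot: The new side sets `enableAutosuggestions = true;` and `initExtra = …`, which are the pre-rename spellings of the home-manager options the removed lines used (`autosuggestion.enable` and `initContent`); depending on the home-manager revision this tree pins, those names will either emit rename warnings or fail evaluation, so the pin should be checked before this lands. `export NIX_PATH="${pkgs.nixPath}"` reads an attribute that stock nixpkgs does not define, so it presumably comes from an overlay in this repo — a comment naming where `nixPath` is provided would make that dependency explicit. Dropping the gpg-agent-conditional `SSH_AUTH_SOCK` export means ssh will quietly fall back to whatever agent socket the session provides; if keys are held in gpg-agent on these machines, that is a behaviour change worth stating in the commit message. The `programs.zsh` attribute set continues past the end of this hunk.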
@@ -1,37 +0,0 @@ -{ pkgs, ... }: -{ - packages = { - myPython = pkgs.python310.withPackages ( - ps: - with ps; - [ - pep8 - yapf - flake8 - # autopep8 (broken) - # pylint (broken) - ipython - llfuse - dugong - defusedxml - wheel - pip - virtualenv - cffi - # pyopenssl - urllib3 - # mistune (insecure) - sympy - - flask - - pyaml - requests - ] - ++ [ - pkgs.pypi2nix - pkgs.libffi - ] - ); - }; -} diff --git a/nix/os/cachix.nix b/nix/os/cachix.nix deleted file mode 100644 index 0d14a2f..0000000 --- a/nix/os/cachix.nix +++ /dev/null @@ -1,12 +0,0 @@ -# WARN: this file will get overwritten by $ cachix use -{ lib, ... }: -let - folder = ./cachix; - toImport = name: _value: folder + ("/" + name); - filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; - imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); -in -{ - inherit imports; - nix.settings.substituters = [ "https://cache.nixos.org/" ]; -} diff --git a/nix/os/cachix/nixpkgs-wayland.nix b/nix/os/cachix/nixpkgs-wayland.nix deleted file mode 100644 index 1c0cca7..0000000 --- a/nix/os/cachix/nixpkgs-wayland.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ - nix = { - settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ]; - settings.trusted-public-keys = [ - "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" - ]; - }; -} diff --git a/nix/os/containers/backup-target.nix b/nix/os/containers/backup-target.nix new file mode 100644 index 0000000..d1ff1f0 --- /dev/null +++ b/nix/os/containers/backup-target.nix 
@@ -0,0 +1,87 @@ +{ + hostAddress, + localAddress, + containerBackupCfg, + sshPort ? containerBackupCfg.portInt, + autoStart ? false, +}: { + config = { + config, + pkgs, + lib, + ... + }: { + system.stateVersion = "22.05"; # Did you read the comment? + + imports = [../profiles/containers/configuration.nix]; + + networking.firewall.enable = false; + + services.ddclientovh = { + enable = true; + domain = containerBackupCfg.addr; + }; + + services.openssh.enable = true; + + users.extraUsers."${containerBackupCfg.user}" = { + uid = 2000; + group = containerBackupCfg.group; + shell = pkgs.bashInteractive; + home = "/${containerBackupCfg.targetPath}"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 bkp" + ]; + + packages = with pkgs; [btrfs-progs]; + + isSystemUser = true; + }; + + security.sudo = { + enable = true; + extraRules = [ + { + users = ["bkp"]; + commands = [ + { + command = "/etc/profiles/per-user/bkp/bin/btrfs"; + options = ["NOPASSWD"]; + } + { + command = "/run/current-system/sw/bin/readlink"; + options = ["NOPASSWD"]; + } + { + command = "/run/current-system/sw/bin/test"; + options = ["NOPASSWD"]; + } + ]; + } + ]; + }; + }; + + inherit autoStart; + + bindMounts = { + "/${containerBackupCfg.targetPath}" = { + hostPath = "/var/lib/container-volumes/backup-target"; + isReadOnly = false; + }; + }; + + extraFlags = ["--resolv-conf=bind-host"]; + + privateNetwork = true; + forwardPorts = [ + { + # ssh + containerPort = 22; + hostPort = sshPort; + protocol = "tcp"; + } + ]; + + inherit hostAddress localAddress; +} diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix index 2c2c171..864aa20 100644 --- a/nix/os/containers/backup.nix +++ b/nix/os/containers/backup.nix 
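Review bot: The sudo rule hardcodes the user name while the account itself is parameterised: `users.extraUsers."${containerBackupCfg.user}"` creates the account, but `users = ["bkp"]` and `command = "/etc/profiles/per-user/bkp/bin/btrfs"` only match when `containerBackupCfg.user` happens to be `bkp`, otherwise the NOPASSWD grant silently targets a non-existent user and the btrfs path is wrong. Use `users = [containerBackupCfg.user];` and `command = "/etc/profiles/per-user/${containerBackupCfg.user}/bin/btrfs";` so the three stay in step. `group = containerBackupCfg.group;` is referenced without a matching `users.groups` entry in this file, so evaluation relies on the group being declared elsewhere — worth a comment, or `users.groups."${containerBackupCfg.group}" = {};`. The unrestricted root `btrfs` grant is what the sender's `backend_remote btrfs-progs-sudo` (see backup.nix in this diff) needs, but that rationale belongs next to the rule as a comment so nobody later "tightens" it into a broken backup.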
@@ -5,107 +5,88 @@ subvolumes, targetPathSuffix ? "", autoStart ? false, -}: -let +}: let passwords = import ../../variables/passwords.crypt.nix; subvolumeParentDir = "/var/lib/container-volumes"; -in -{ - config = - { pkgs, ... }: - { - system.stateVersion = "20.03"; # Did you read the comment? +in { + config = {pkgs, ...}: { + system.stateVersion = "20.03"; # Did you read the comment? - imports = [ ../profiles/containers/configuration.nix ]; + imports = [../profiles/containers/configuration.nix]; - environment.systemPackages = with pkgs; [ - btrfs-progs - btrbk - ]; + environment.systemPackages = with pkgs; [btrfs-progs btrbk]; - networking.firewall.enable = true; + networking.firewall.enable = true; - systemd.services."bkp-sync" = { - enable = true; - description = "bkp-sync service"; + systemd.services."bkp-sync" = { + enable = true; + description = "bkp-sync service"; - serviceConfig = { - Type = "oneshot"; - }; + serviceConfig = {Type = "oneshot";}; - after = [ "bkp-run.service" ]; + after = ["bkp-run.service"]; - requires = [ "bkp-run.service" ]; + requires = ["bkp-run.service"]; - path = with pkgs; [ utillinux ]; - script = '' - set -x - true + path = with pkgs; [utillinux]; + script = '' + set -x + true + ''; + }; + + systemd.services."bkp-run" = { + enable = true; + description = "bkp-run"; + + serviceConfig = {Type = "oneshot";}; + + partOf = ["bkp-sync.service"]; + + path = with pkgs; [btrfs-progs btrbk coreutils]; + + script = let + btrbkConf = pkgs.writeText "cfg" '' + timestamp_format long + ssh_identity ${passwords.storage.backupTarget.keyPath} + ssh_user ${passwords.storage.backupTarget.user} + ssh_compression no + backend_remote btrfs-progs-sudo + compat_remote busybox + btrfs_commit_delete each + snapshot_create onchange + snapshot_preserve_min latest + snapshot_preserve 7d 4w + target_preserve_min latest + target_preserve 7d 4w 12m *y + + volume ${subvolumeParentDir} + target 
${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} + ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" + subvolumes} ''; - }; + in '' + #! ${pkgs.bash}/bin/bash + set -Eeuxo pipefail - systemd.services."bkp-run" = { - enable = true; - description = "bkp-run"; + btrbk -c ${btrbkConf} --progress ''${@:-run} + ''; + }; - serviceConfig = { - Type = "oneshot"; - }; - - partOf = [ "bkp-sync.service" ]; - - path = with pkgs; [ - btrfs-progs - btrbk - coreutils - ]; - - script = - let - btrbkConf = pkgs.writeText "cfg" '' - timestamp_format long - ssh_identity ${passwords.storage.backupTarget.keyPath} - ssh_user ${passwords.storage.backupTarget.user} - ssh_compression no - backend_remote btrfs-progs-sudo - compat_remote busybox - btrfs_commit_delete each - snapshot_create onchange - snapshot_preserve_min latest - snapshot_preserve 7d 4w - target_preserve_min latest - target_preserve 7d 4w 12m *y - - volume ${subvolumeParentDir} - target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} - ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} - ''; - in - '' - #! 
${pkgs.bash}/bin/bash - set -Eeuxo pipefail - - btrbk -c ${btrbkConf} --progress ''${@:-run} - ''; - }; - - systemd.timers."bkp" = { - description = "Timer to trigger bkp periodically"; - enable = true; - wantedBy = [ - "timer.target" - "multi-user.target" - ]; - timerConfig = { - # Obtained using `systemd-analyze calendar "Wed 23:00"` - # OnCalendar = "Wed *-*-* 23:00:00"; - OnStartupSec = "1m"; - Unit = "bkp-sync.service"; - OnUnitInactiveSec = "2h"; - Persistent = "true"; - }; + systemd.timers."bkp" = { + description = "Timer to trigger bkp periodically"; + enable = true; + wantedBy = ["timer.target" "multi-user.target"]; + timerConfig = { + # Obtained using `systemd-analyze calendar "Wed 23:00"` + # OnCalendar = "Wed *-*-* 23:00:00"; + OnStartupSec = "1m"; + Unit = "bkp-sync.service"; + OnUnitInactiveSec = "2h"; + Persistent = "true"; }; }; + }; inherit autoStart; @@ -133,10 +114,10 @@ in } ]; - extraFlags = [ "--resolv-conf=bind-host" ]; + extraFlags = ["--resolv-conf=bind-host"]; privateNetwork = true; - forwardPorts = [ ]; + forwardPorts = []; inherit hostAddress localAddress; } diff --git a/nix/os/containers/ipxe.nix b/nix/os/containers/ipxe.nix new file mode 100644 index 0000000..3623b44 --- /dev/null +++ b/nix/os/containers/ipxe.nix 
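Review bot: In the `systemd.timers."bkp"` block, `Persistent = "true";` has no effect here because the timer is driven only by monotonic settings (`OnStartupSec`, `OnUnitInactiveSec`); systemd documents `Persistent=` as applying to `OnCalendar=` timers, so missed runs are not caught up as the setting suggests — either drop it or re-enable the commented `OnCalendar` line. `wantedBy = ["timer.target" "multi-user.target"]` also names `timer.target`, which I believe is not a standard systemd target (the stock one is `timers.target`); the unit is still pulled in via `multi-user.target`, so the first entry looks like a typo rather than intent. In `bkp-run`, `''${@:-run}` always expands to `run` under systemd since the unit script receives no arguments — a comment like `# no args under systemd: always "run"; args only matter when invoked by hand` would make that clear.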
@@ -0,0 +1,170 @@ +{ + hostAddress, + localAddress, + httpPort ? 80, + httpsPort ? 443, +}: let + passwords = import ../../variables/passwords.crypt.nix; +in { + config = { + config, + pkgs, + lib, + ... + }: { + imports = [../profiles/containers/configuration.nix]; + + networking.firewall.enable = false; + + services.ddclientovh = { + enable = true; + domain = "www.stefanjunker.de"; + }; + + security.acme = { + acceptTerms = true; + certs."www.stefanjunker.de".email = "mail@stefanjunker.de"; + preliminarySelfsigned = true; + + # can be used for debugging + # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + }; + + services.nginx.enable = true; + services.nginx.recommendedProxySettings = true; + services.nginx.virtualHosts."www.stefanjunker.de" = { + default = true; + addSSL = true; + listen = [ + { + addr = "0.0.0.0"; + port = httpPort; + ssl = false; + } + { + addr = "0.0.0.0"; + port = httpsPort; + ssl = true; + } + ]; + + root = "/var/www/stefanjunker.de/htdocs"; + + enableACME = true; + # serverAliases = [ + # "www.stefanjunker.de" + # ]; + # sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt"; + # sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key"; + + locations."/fi" = {index = "index.php";}; + + locations."~ ^(.+.php)(.*)$".extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(.*)$; + + fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket}; + fastcgi_index index.php; + ''; + + locations."/hedgedoc/" = {proxyPass = "http://127.0.0.1:3000/";}; + + locations."/hedgedoc/socket.io/" = { + proxyPass = "http://127.0.0.1:3000/socket.io/"; + proxyWebsockets = true; + }; + }; + + services.phpfpm.pools.mypool = { + user = "nobody"; + phpPackage = pkgs.php5; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 5; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 1; + "pm.max_spare_servers" = 3; + "pm.max_requests" = 500; + + "php_admin_value[error_reporting]" 
= "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED"; + }; + }; + + # the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work + systemd.services."phpfpm-mypool" = { + serviceConfig = {Type = lib.mkForce "simple";}; + }; + + services.mysql = { + enable = true; + package = pkgs.mariadb; + }; + + services.hedgedoc = { + enable = true; + configuration = { + domain = "www.stefanjunker.de"; + urlPath = "hedgedoc"; + protocolUseSSL = true; + db = { + dialect = "sqlite"; + storage = "/var/lib/codimd/db.codimd.sqlite"; + }; + + allowAnonymous = false; + allowAnonymousEdits = false; + allowGravatar = false; + allowFreeURL = false; + defaultPermission = "private"; + allowEmailRegister = false; + + # oauth2 provider config + inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox; + + uploadsPath = "/var/lib/codimd/uploads"; + }; + }; + }; + + autoStart = true; + + bindMounts = { + "/etc/secrets/" = { + hostPath = "/var/lib/container-volumes/webserver/etc-secrets"; + isReadOnly = true; + }; + + "/var/www" = { + hostPath = "/var/lib/container-volumes/webserver/var-www"; + isReadOnly = false; + }; + + "/var/lib/mysql" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql"; + isReadOnly = false; + }; + + "/var/lib/codimd" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-codimd"; + isReadOnly = false; + }; + }; + + privateNetwork = true; + forwardPorts = [ + { + # http + containerPort = 80; + hostPort = httpPort; + protocol = "tcp"; + } + { + # https + containerPort = 443; + hostPort = httpsPort; + protocol = "tcp"; + } + ]; + + inherit hostAddress localAddress; +} diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 22ef959..1bde00d 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix 
@@ -1,220 +1,137 @@ { - specialArgs, - hostBridge, hostAddress, localAddress, imapsPort ? 993, sievePort ? 4190, autoStart ? false, -}: -{ - inherit specialArgs; - config = - { - pkgs, - config, - repoFlake, - ... - }: - { - system.stateVersion = "22.05"; # Did you read the comment? +}: let + passwords = import ../../variables/passwords.crypt.nix; +in { + config = {pkgs, ...}: { + system.stateVersion = "21.11"; # Did you read the comment? - imports = [ - ../profiles/containers/configuration.nix + imports = [../profiles/containers/configuration.nix ../profiles/common/user.nix]; - repoFlake.inputs.sops-nix.nixosModules.sops - ../profiles/common/user.nix - ]; + networking.firewall.enable = false; - networking.firewall.allowedTCPPorts = [ - imapsPort - sievePort - ]; - - # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately - # sops.defaultSopsFile = ./mailserver_secrets.yaml; - - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.secrets.email_mailStefanjunkerDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_mailStefanjunkerDeHetzner = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_schtifATwebDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_dovecot_steveej = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - - # TODO: switch to something other than ddclient as it's no longer maintained - - # TODO: switch to a let's encrypt certificate - sops.secrets.dovecotSslServerCert = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - sops.secrets.dovecotSslServerKey = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - services.dovecot2 = { - enable = true; - - protocols = [ "sieve" ]; - - enableImap = 
true; - enableLmtp = true; - enablePAM = true; - showPAMFailure = true; - mailLocation = "maildir:~/.maildir"; - sslServerCert = config.sops.secrets.dovecotSslServerCert.path; - sslServerKey = config.sops.secrets.dovecotSslServerKey.path; - - #configFile = "/etc/dovecot/dovecot2_manual.conf"; - extraConfig = '' - auth_mechanisms = cram-md5 digest-md5 - auth_verbose = yes - - passdb { - driver = passwd-file - args = scheme=CRYPT username_format=%u /etc/dovecot/users - } - - protocol lda { - postmaster_address = "mail@stefanjunker.de" - mail_plugins = $mail_plugins sieve - } - - protocol imap { - mail_max_userip_connections = 64 - } - ''; - }; - - environment.systemPackages = [ - pkgs.dovecot_pigeonhole - ]; - - environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; - - systemd.services.steveej-getmail-stefanjunker = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 600; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - script = - let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = ssl0.ovh.net - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in - '' - getmail --idle=INBOX --rcfile=${rc} - ''; - }; - - systemd.services.steveej-getmail-stefanjunker-hetzner = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 60; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - script = - 
let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 2 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = mail.your-server.de - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in - '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - - systemd.services.steveej-getmail-webde = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - serviceConfig.RestartSec = 1000; - serviceConfig.Restart = "always"; - script = - let - rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = imap.web.de - port = 993 - username = schtif - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = Maildir - path = ~/.maildir/ - ''; - in - '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; + services.ddclientovh = { + enable = true; + domain = "mailserver.svc.stefanjunker.de"; }; + services.dovecot2 = { + enable = true; + + modules = [pkgs.dovecot_pigeonhole]; + protocols = ["sieve"]; + + enableImap = true; + enableLmtp = true; + enablePAM = true; + showPAMFailure = true; + mailLocation = "maildir:~/.maildir"; + sslServerCert = "/etc/secrets/server.pem"; + sslServerKey = "/etc/secrets/server.key"; + + #configFile = "/etc/dovecot/dovecot2_manual.conf"; + extraConfig = '' + auth_mechanisms = cram-md5 digest-md5 + auth_verbose = yes + + passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users + } + + 
protocol lda { + postmaster_address = "mail@stefanjunker.de" + mail_plugins = $mail_plugins sieve + } + + protocol imap { + mail_max_userip_connections = 64 + } + ''; + }; + + environment.etc."dovecot/users".text = '' + steveej:${passwords.email.steveej} + ''; + + systemd.services.steveej-getmail-stefanjunker = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 600; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [pkgs.getmail6]; + script = let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = ssl0.ovh.net + port = 993 + username = mail@stefanjunker.de + password = ${passwords.email.mailStefanjunkerDe} + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + + systemd.services.steveej-getmail-webde = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + description = "Getmail service"; + path = [pkgs.getmail6]; + serviceConfig.RestartSec = 1000; + serviceConfig.Restart = "always"; + script = let + rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = imap.web.de + port = 993 + username = schtif + password = ${passwords.email.schtifATwebDe} + mailboxes = ('INBOX',) + + [destination] + type = Maildir + path = ~/.maildir/ + ''; + in '' + getmail --rcfile=${rc} + ''; + }; + }; + inherit autoStart; bindMounts = { - # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host - "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; - 
"/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true; + "/etc/secrets/" = { + hostPath = "/var/lib/container-volumes/mailserver/etc-secrets"; + isReadOnly = false; + }; "/home" = { hostPath = "/var/lib/container-volumes/mailserver/home"; @@ -222,6 +139,8 @@ }; }; + extraFlags = ["--resolv-conf=bind-host"]; + privateNetwork = true; forwardPorts = [ { @@ -239,5 +158,5 @@ } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml deleted file mode 100644 index 9814c66..0000000 --- a/nix/os/containers/mailserver_secrets.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -email_mailStefanjunkerDe: ENC[AES256_GCM,data:sSBunuv4wipvl720vBrObPVlwMqf8MCWPA==,iv:57SPbRgdO1OtCunFbRJ9rLadWfrCF072lv27ond6qQ0=,tag:DpTeij/rGCK2NQMre5xBsw==,type:str] -email_mailStefanjunkerDeHetzner: ENC[AES256_GCM,data:HvPU/tV2uwutE8q6BzMjkw==,iv:sxERmGojxJhTre2XhslD/B3hesJaP8Cn6TJ7G2WygQw=,tag:JeRI3a2oc/cMJWqyiICgYw==,type:str] -email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str] -email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str] -email_postmasterStefanjunkerDe: ENC[AES256_GCM,data:mUe2SbT1aj6yCav0X0lZ04rxYjJjQfKOqw==,iv:ZtOca09m2ne36cmLem/dNnmrsTV6fWaluuoPS85HdGc=,tag:2Z8RwuKJteXUKyuzpFzyfg==,type:str] -dovecotSslServerCert: ENC[AES256_GCM,data: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,iv:6zMCqVVdsbJmEr9YDQ5FqYhRcV36aM585YZz/Dd+b3c=,tag:LCDn6L/VJvW8St1CHXcObw==,type:str] -dovecotSslServerKey: 
ENC[AES256_GCM,data:KYpQZbioLGrp/6R6j/c4uJhBpoDT2aj7UffQQug8Otzr/0rk51tavsjg4YRQGIv+ZpFYpWAuHbhW4O8AsRgpi0AX3hKsZICEdNubfK5zfd+SInXveaVFbHHjOuzcqftraUrqx9APu+omk4LlpxpWTbj/bAcRnRBn0C093AeJNi1giaCZd4NxmmkYqwYzrjUc6LYHvICEnjA87ZVpeOKE/6B2Ng5QWDKhZNmjy7YDXAk4DS+P2grLmoGvnz6ubtaypSzaKXYTFz/uxEvtCCPlIaJHm3Nz0i0j1rjX3S/w3c26zuIFtwCmAQzGnHyQwbx7ILwCXfnyQnpM7+R5+fxcYvcK2GEJyTGzg/JFa++TI1YO+wpknjzxK3Sa8aX0pUbx/TEjnY3+tRnx7YNuih2ZNZrPHy8uJJtO9Aef84Sq5vLQG5n1/ya0pVhjCbs1pgpeK/qT3ikLbkcJg6NxAq3hqqQdR4TTkZBwKLVfzcMXLDZB0GphhVvtO0W7afRCE+nA/FPDT2NN6WLD15cN5F8w6USi0iQlwFb+TE8nt1ghhoGmwCMx+lX1Bk/jdIlYtJ62T8+T3nRVJ6ZRlUa1rkbAADaWZVvLR2/ylaEkeYFo/CC6lUg4DWPCVoGFxaWaU+ZaIDjbiYcqGQFBwq8JZ44hAOyJQpb7N1zgDVyPh/xr+ukmjutFuu97FY55VTn+8eipRiR4TZpPRH+KvB/FmlLNaim76YZCRH9Dv2ENbz9fXpWv7P+yh06+ci9HKvjNAzR6NRr368tK2srEEhWzFv+nAsRetzc2VcfwNMcg5/mvlWHVZSmONXC5adEo/W5XgJgUnH/fkz5IRPY/1iteq8PTCPUkubzF+qT2+suzEDnvgXlaKsqHkrk+n8YySl+GRABnasmnBYdb8vboDM41ptw3PXDoL+l07o6KxTwPOWWl9BVNMT8VzL7gAl+dlxjkEUSqn53OrsYDluxefBa3c0rfvk8CCvOMjgLkagK9O+VavqJEo00zd3f0ZzMcIoRebuDzYILw3DTrG/qyLXGsRoybBr+qcuSVBzM5RnjcToFJO4W/0EIdH1drZmqHdNgSNwPPRSNCivrhV25syUCrTee/xkDVUr47z67pK/5Mh0ewlwq0hcl/dBoA0YP/PptntK0CHfistD8chNtdMk3PyzqSiFaDPQ3T4wdc3zTNUjXeQ5643k5weJXFPg4tUuCCa8HxUJHd5sLnNY0OaRBwh2SLkQlcXYFQDzVHSoVscR3tf+57L7aF2hVQT2QtJKdZQjOyMg5YK0UlVc3tkyPZzyjOVaP7eTCRKwXI1NminHmmy1ZzZ+w+8+oX8cfvE9HdbqDoDp0MnkicS0+5S0lZwkRWrjUx/gS4aMWLbCHUQHY8wm+fmyDLJ/oI4ukdUI5YLOutlCsIY+aotnVMoORgdd/EPeZVYJmci/pvMjPF9Eard0aD4rLA7z/HwGgc3VEGmNluE+20BXO3bFIqwa9tzMqzOJB0qglP35MjVGiUe6Svq13DAmSOnzN+WqcVbTMJG8J1bwKqvmaN8AEpO0zU94ZhHspUtGyQQ0D6sMsw9jqJ1WyLE7aXeFR6OHrpw3DC2mCpr/qX8QFsveeyB83Za2+CuVVi2sqGAKYzkwlUPkeuaxfBak0apwJsF2trT1uMvPOuIda8k4XhtYLxah2BDJZIoMqUVz2xcN4OuW8bdSX/lepsyZZO34VEQDLBa2dxCCHJmCKf6io/0YlswNKGDQh+DI935KTdqBnHSJ9IjvADQuu+K37aS0L9V0ZLXiM5SBQtbB7kQpHjvivq97ru7QpFqJf8HCl1vDs4gJ/NV+J0+CX6dQTQOtHvwxD2CPGiiSv40ycoJAcwiqTh5T+hRPtca6bSes/jGN5iQjfLCRbwvL/ItLLAK3F2cEIdKZnfhJkdEAIwWFLvR4R5I7ZcCK5GgKz5dPROup8BAONA8XxcJWXaXV0YkfEmCDbZYMFC
7pcx4NAnGp881RyAaG/HlstBHHVagpP2fwZ8K0J/2KPillOq/Die+vNc2++hx4EuftvNkZhSd+7zIYNKHQd0M4Ea74flgmmW5lG73bE1BkhVd2DsgEDihH19/vJjFH4PxKINKp0ij4jMyq9w+WsGiUqSDaQz/MZJ8wjzaSjvmSj4qlOAitr/s3f041e77rMb0W2ieCtYEy7IsebIqIWgKn/crm5FhyUtBCPEqFZgAKS313bXUio8LktqXCrZjZ0ZG8DmQG6hnK4PstKlIUQoNuFnb8Bp1zDgY4i2hb6Zmu7NnqnOaJJTjSGwaZOav0oMousn67BuFtwoMaGp+OjCopZ3HPfg19usnjvWpOgccXWYlQc0HOlGXUq+otKlXtQwAjUvz50GmV+lY3t4rpCgqk+pj9iH62xuzDQ01FOXl+v3Ehnw97mNJk9YarueG0Hl/1f6dhwXnjeEv35LLyWUjQolOoYgycEkgQ/cCCOSm7zgK1VT0oTLFISai8IG0qDP9HCszteHZhp+y4bsXQfAJTY11QLr7hx9/nQmVlHksDN5Wsno4wbkT+D2xb5EaDU2RBqZfTVcbRBWRtAhQcRPxdaUXyI7oKEaFg8fvQZ8wK/Ae+L18ub+Latb5W69dUVT6I13tPleXDl1oen9BXzaX7sygSpY4lJoXlu+SCKyNTMrC36PrB39QUWosw03ZsiKT5xjgN5+1m32yv4cg8lAwNCR4xxShrnhSbZ328yifaAuTnSawZmUGBVxPx4glVcvNUOXW2UvVtmeKU0SG1E+UGBAq7/UfaadMM7BsjyaaKpBa/tXZTm0rn8UiFqujvgNjQ3F/3ybRdlO5d6eMI9Na+1gqg6qxYSGR0H0wAdPhtyGRxpumehAQGeMKd49Sg6jspaf3NAjjuZ0Yp+eJV9652WqVZ7xtCNqRURV353h+XPGR+ZZ9siHRDQ+NcbxPkfbHw0/RTvZvEIdaDi5+DLh6tgIxMEtOpwTlfFrOUDaIcmWvzk92VtBFuafvoGzTipryTnMszjCsUTvyEPN8jPd6r8UmOFGXF2aVNksmn/bI97i4s1kYLgY8XsEOyx+Q9pUTkTEMn2JWgnEcSOAtaX1ZskHnfueKzUPb+/YWb+z8SNCgnUqHqa42qBqwlhdshzYhhfKhEisUptirzzp1kcbyHrug5PzHxh8Qri2pjHxSHYQ5sjig6K6B1YEuHP6uo19fL6BdgGlhKroiOF/6TMAcE9V3+yqvDdsW/IC0QXLHIBKC7wlDgLc25ltGogD/76P6tViDAb6+HNSSXJO056Ovq0z2BrXhnq1AmWa99mVnOLJwafRWPZC,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] -hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQjVya2RyY1MxQUxtTHdX - MGlZRWdxZ3VXb01KbCtTSkJMR3dkZkZ0UGw0CitXcldZT3NJWExYZG50QnowMVhV - WDBpc0VFYjZnZDJDSWhUcHFHTzBiYkUKLS0tIFlrMmlxUkNVZExSNGN4VlMxcUw1 - VW8rSVdDcGZKcHpocjdqZldiaFpqRlUKfQNcKrI6PuyeFv06Es8NsHm8I7NzxJ1k 
- ir088kx66xcXeEiyA4DnIcAWG9O6HEVXXnSahAIE2jcupSSouDF3ug== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OGlqTEhtaGR2Yi8vTVcv - NUtvd0ptS3h5Rnd1RGNuYlY2bHMrUmpKWHhRCkJpYjloQWhSM0FsNlNYSVcvWktV - VkkvblAyRXBadUJjK3h3c2JJbDZHc0kKLS0tIEhMbVZsekM5VDRhbDB0KzdyK1li - dWdhSGtFN1oybGpIb294ZE0zcDFUaEkK/AyEXeVmiYk1/IZdkyNGN4bccMFx5+JE - BazBF2NkztUWnyhqRvyp0cBucx7h/HhRSzqxwSr20lvv8XpRPGh8Iw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-17T12:01:21Z" - mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] - pgp: - - created_at: "2025-06-05T09:49:08Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/8DFSjoJYmO4+yvi4WT6mgrlzmAIvX0Ozch9XY+6DDOwiN - 746QgI6FI5NpmayTbhddhL1J3tiWkzOyAMhxd8JVNDdZHDJ9lDMCq5s/6yYJZvst - qpoU2pjeYFc+ag+H7m8d5dIaR352aBlKw+MMGOvBinM+5qAWNWo1Vams/9HV3BAV - vsFKLSj3eo3/MjjzY3bPlfBwhkDnudzfVJXcY7GhbVVzaQKXosoGjMfCKvSQNMWr - z52P40pfkXx1nWUt79G4xcH/G+lCUlz93RmS89sLS+YrrjKGQc4xcYpqpNjy5Xdw - rz+nGuOsMKXqLuxYJVuiTcxN0agVily9BTifUYiJZfS9cpbMvLwTyUOcc64EVCKH - Gg0b5l5DhyUKKk3klzgeXTlj2zPhKjGVT2MnZShZRspfGfV6T7iP761YD4ucaExd - 1+/cegyfeCNAykt4lD6ACeQXRLDs8rU2hUjpN3J6AemLW+Aj/ZnRVZWzgIvnDEEY - pyz/rAk5J6m7Q7909TcMuFg3j9ENeJZuRSwxwF0MRUYLZByKCH3QY9CE3mCh7Xni - p5znHpYaYqNIoiTmbBcxEx4mYRXUkorLTJXt4AO7zQB24ZReLDRsSzvrnQqyLIdA - b4pK2k2/L0Hagu2SZFvfhgw4qWZpIlgcoOVbe2dkmbIXMbjb8SuF/2jFwushALjS - XAG+iXYORCrvsuJoNjnQtSW0OGqYwuNNvWo2Ymyg2sA6CW+O6gsCZpZE0FKHcbl/ - FxgecFBl+P6Dk4OOewie+E4cZWIq2uXQch8QPSk5huuyUms6VZI2fre83dMv - =mHmB - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 
diff --git a/nix/os/containers/mycelium/flake.lock b/nix/os/containers/mycelium/flake.lock deleted file mode 100644 index 0a7597d..0000000 --- a/nix/os/containers/mycelium/flake.lock +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "nodes": { - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "nix-snapshotter", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "nix-snapshotter": { - "inputs": { - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1723875769, - "narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=", - "owner": "pdtpartners", - "repo": "nix-snapshotter", - "rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da", - "type": "github" - }, - "original": { - "owner": "pdtpartners", - "repo": "nix-snapshotter", - "type": "github" - } - }, - "nixlib": { - "locked": { - "lastModified": 1728781282, - "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixos-generators": { - "inputs": { - "nixlib": "nixlib", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1728867876, - "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0", - "type": 
"github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1728897630, - "narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "nix-snapshotter": "nix-snapshotter", - "nixos-generators": "nixos-generators", - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/containers/mycelium/flake.nix b/nix/os/containers/mycelium/flake.nix deleted file mode 100644 index 1527acf..0000000 --- a/nix/os/containers/mycelium/flake.nix +++ /dev/null 
@@ -1,371 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; - # nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9"; - nixos-generators = { - url = "github:nix-community/nixos-generators"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nix-snapshotter = { - url = "github:pdtpartners/nix-snapshotter"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - }; - outputs = - { self, nixpkgs, ... }: - let - systems = [ - "aarch64-linux" - "x86_64-linux" - ]; - forAllSystems = nixpkgs.lib.genAttrs systems; - in - { - nixosConfigurations.default = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - - specialArgs = { }; - - modules = [ - ( - { - config, - modulesPath, - pkgs, - lib, - ... - }: - { - nixpkgs.overlays = [ - (_final: _previous: { - # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; - # systemd = - # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { - # src = /home/steveej/src/others/systemd; - - # withAppArmor = false; - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # withArchive = false; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # }) - # pkgs.systemdMinimal.override { - # # getting errors with these disabled - # withCoredump = true; - # withCompression = true; - # withLogind = true; - # withSysusers = true; - # withUserDb = true; - # } - # pkgs.systemdMinimal - # pkgs.systemd.override { - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # 
withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # } - # ; - }) - ]; - - imports = [ (modulesPath + "/profiles/minimal.nix") ]; - system.stateVersion = "24.11"; - - # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix - boot.isContainer = true; - # boot.tmp.useTmpfs = true; - boot.loader.grub.enable = lib.mkForce false; - boot.loader.systemd-boot.enable = lib.mkForce false; - services.journald.console = "/dev/console"; - services.journald.storage = "none"; - # boot.specialFileSystems = lib.mkForce {}; - - services.nscd.enable = false; - system.nssModules = lib.mkForce [ ]; - systemd.services.systemd-logind.enable = false; - systemd.services.console-getty.enable = false; - - systemd.sockets.nix-daemon.enable = false; - systemd.services.nix-daemon.enable = false; - systemd.oomd.enable = false; - networking.useDHCP = false; - networking.firewall.enable = false; - - # system.build.earlyMountScript = - # lib.mkForce '' - # ''; - # system.activationScripts.specialfs = - # lib.mkForce '' - # ''; - boot.postBootCommands = '' - ls -lha /run - mkdir -p /run/wrappers - ''; - - boot.kernelParams = [ "systemd.log_level=debug" ]; - - # services.udev.enable = false; - - # TODO: this is only needed because `/run/current-system` is missing - # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; - - systemd.mounts = lib.mkForce [ ]; - fileSystems = lib.mkForce { }; - - services.mycelium.enable = false; - services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; - systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; - 
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; - systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce ( - pkgs.writeShellScript "mycelium" '' - while true; do - ls -lha $CREDENTIALS_DIRECTORY - sleep 5 - done - '' - ); - - systemd.services.testing-credentials = { - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.coreutils ]; - - serviceConfig = { - # SyslogIdentifier = "testing-credentials"; - # StateDirectory = "testing-credentials"; - # DynamicUser = true; - # User = "tc"; - # ProtectHome = true; - # ProtectSystem = true; - # LoadCredential = [ - # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" - # "hosts:/etc/hosts" - # ]; - SetCredential = "mycelium-keyfile:not secret string"; - ExecStart = lib.mkForce ( - pkgs.writeShellScript "mycelium" '' - cd $STATE_DIRECTORY - pwd - env - while true; do - ls -lha $CREDENTIALS_DIRECTORY - sleep 5 - done - '' - ); - }; - }; - - services.caddy = { - enable = true; - globalConfig = '' - auto_https off - ''; - virtualHosts.":80" = { - extraConfig = '' - respond "hello from ${config.networking.hostName}" - ''; - }; - }; - } - ) - ]; - }; - packages = forAllSystems ( - system: - let - name = "mycelium"; - inherit (self.inputs) nix-snapshotter; - - config = { - entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; - # port = 2379; - args = [ ]; - # nodePort = 30001; - }; - - myceliumPorts = { - tcp = [ 9651 ]; - udp = [ - 9650 - 9651 - ]; - }; - - inherit (config) - entrypoint - # port - - args - # nodePort - - ; - - pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; }; - - image = pkgs.nix-snapshotter.buildImage { - inherit name; - resolvedByNix = true; - config = { - entrypoint = [ entrypoint ]; - env = [ - # this is read by the `/init` script and prevents various incompatible commands like mount, etc. - # the value of this doesn't seem to matter as long as it's not an empty string. 
- "container=nerd" - "SYSTEMD_LOG_LEVEL=debug" - ]; - volumes = { - # "/var/lib/private/mycelium/key.bin" = {}; - # "/run" = {}; - # "/tmp" = {}; - # "/etc" = {}; - }; - copyToRoot = [ - # self.nixosConfigurations.default.config.system.build.toplevel - ]; - }; - }; - in - { - k8s = - let - pod = pkgs.writeText "${name}-pod.json" ( - builtins.toJSON { - apiVersion = "v1"; - kind = "Pod"; - metadata = { - inherit name; - labels = { - inherit name; - }; - }; - spec.containers = [ - { - inherit name args; - image = "nix:0${image}"; - ports = [ - { - name = "mycelium-tcp-0"; - containerPort = builtins.elemAt myceliumPorts.tcp 0; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 0; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 1; - } - ]; - } - ]; - } - ); - - service = pkgs.writeText "${name}-service.json" ( - builtins.toJSON { - apiVersion = "v1"; - kind = "Service"; - metadata.name = "${name}-service"; - spec = { - type = "NodePort"; - selector = { - inherit name; - }; - ports = [ - { - name = "mycelium-tcp-0"; - port = builtins.elemAt myceliumPorts.tcp 0 + 50000; - targetPort = "mycelium-tcp-0"; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 0 + 50000; - targetPort = "mycelium-udp-0"; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 1 + 50000; - targetPort = "mycelium-udp-1"; - } - ]; - }; - } - ); - in - pkgs.runCommand "declarative-k8s" { } '' - mkdir -p $out/share/k8s - cp ${pod} $out/share/k8s/ - cp ${service} $out/share/k8s/ - ''; - - inherit image; - - start = pkgs.writeShellApplication { - name = "start"; - text = '' - set -x - rm -rf ./result - nix build --impure .#image - sudo nix2container load ./result - sudo -E nerdctl run --name ${name} --privileged -dt \ - --cgroup-manager cgroupfs \ - --volume 
"$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ - "nix:0$(readlink result):latest" - ''; - }; - - stop = pkgs.writeShellApplication { - name = "stop"; - text = '' - set +e - sudo -E nerdctl stop -t 60 ${name} - sudo -E nerdctl rm --force ${name} - sudo -E nerdctl system prune --all --force - sudo systemctl stop nix-snapshotter - sudo systemctl stop containerd - mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l - sudo systemctl start containerd - sudo systemctl start nix-snapshotter - ''; - - # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) - - # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap - }; - } - ); - }; -} diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix index 4cd736a..d67728b 100644 --- a/nix/os/containers/syncthing.nix +++ b/nix/os/containers/syncthing.nix 
@@ -1,80 +1,31 @@ { - specialArgs, - hostBridge, hostAddress, localAddress, syncthingPort ? 22000, syncthingLocalAnnouncePort ? 21027, - smbTcpPort ? 445, autoStart ? false, -}: -{ - inherit specialArgs; - config = - { ... }: - { - system.stateVersion = "20.05"; # Did you read the comment? +}: { + config = { + config, + pkgs, + ... + }: { + system.stateVersion = "20.05"; # Did you read the comment? - imports = [ ../profiles/containers/configuration.nix ]; + imports = [../profiles/containers/configuration.nix]; - networking.firewall.allowedTCPPorts = [ - # syncthing gui - 8384 - ]; + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ + # syncthing gui + 8384 + ]; - services.syncthing = { - enable = true; - openDefaultPorts = true; - guiAddress = "0.0.0.0:8384"; - }; - - services.samba = { - enable = true; - securityType = "user"; - openFirewall = true; - settings = { - global = { - "workgroup" = "DMZ"; - "server string" = "syncthing"; - "netbios name" = "syncthing"; - "security" = "user"; - #"use sendfile" = "yes"; - #"max protocol" = "smb2"; - # note: localhost is the ipv6 localhost ::1 - "hosts allow" = "192.168.23. 127.0.0.1 localhost"; - "hosts deny" = "0.0.0.0/0"; - "guest account" = "nobody"; - "map to guest" = "bad user"; - }; - "scan-stefan" = { - "path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "syncthing"; - "force group" = "syncthing"; - }; - - "scan-justyna" = { - "path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "syncthing"; - "force group" = "syncthing"; - }; - }; - }; - - # TODO: find out if smbpasswd file is still used and set it here. 
or find an alternative - # sops.secrets.smbpasswd = { - # }; - # environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text; + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; }; + }; inherit autoStart; @@ -85,6 +36,8 @@ }; }; + extraFlags = ["--resolv-conf=bind-host"]; + privateNetwork = true; forwardPorts = [ { @@ -92,22 +45,12 @@ hostPort = syncthingPort; protocol = "tcp"; } - { - containerPort = 22000; - hostPort = syncthingPort; - protocol = "udp"; - } { containerPort = 21027; hostPort = syncthingLocalAnnouncePort; - protocol = "udp"; - } - { - containerPort = 445; - hostPort = smbTcpPort; protocol = "tcp"; } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index 5992906..40af570 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix 
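Review bot: On the new side `guiAddress = "0.0.0.0:8384"` together with `networking.firewall.allowedTCPPorts = [ 8384 ]` binds the Syncthing web UI (which also serves its REST API) on every interface of the container, and the added `networking.firewall.enable = true;` does nothing to narrow that. Since 8384 is not in `forwardPorts`, it is presumably reachable only through `localAddress` from the host side, but nothing here records that assumption or that GUI authentication is expected to be configured inside Syncthing rather than enforced by this file; a comment such as `# GUI/REST on 8384 is reachable from the host network via localAddress; the GUI user/password is set in Syncthing itself` would make the exposure explicit. If host-side access is all that is intended and `localAddress` is a plain address, `guiAddress = "${localAddress}:8384";` narrows the bind. As a point of style, the new `config = { config, pkgs, ... }:` header declares `config` and `pkgs` that the body never uses, and the container attrset this hunk opens continues into the later hunks.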
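Review bot: The surviving forward for `containerPort = 21027` now ends with `protocol = "tcp";`, which is the line that belonged to the deleted SMB entry after it; Syncthing local discovery on 21027 is UDP, so this forward no longer matches the traffic it exists for. Restore `protocol = "udp";` on that entry. The 22000/udp forward is dropped as well, which stops QUIC sync through `syncthingPort` — fine if deliberate, but a comment like `# 22000/udp (QUIC) intentionally not forwarded` would keep the next reader from adding it back by accident.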
@@ -1,436 +1,141 @@ { - specialArgs, - hostBridge, hostAddress, localAddress, - httpPort, - httpsPort, - forgejoSshPort, + httpPort ? 80, + httpsPort ? 443, autoStart ? false, -}: -let - domain = "www.stefanjunker.de"; -in -{ - inherit specialArgs; - config = - { - config, - pkgs, - lib, - repoFlake, - nodeFlake, - system, - ... - }: - let - nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable; - in - { - system.stateVersion = "22.05"; # Did you read the comment? - - disabledModules = [ - "services/misc/forgejo.nix" - "services/security/kanidm.nix" - ]; - - imports = [ - "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" - "${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" - - ../profiles/containers/configuration.nix - - repoFlake.inputs.sops-nix.nixosModules.sops - ]; - - sops.defaultSopsFile = ./webserver_secrets.yaml; - - networking.firewall.allowedTCPPorts = [ - httpPort - httpsPort - forgejoSshPort - ]; - - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.secrets.hedgedoc_environment_file = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.hedgedoc.name; - }; - - services.caddy = { - enable = true; - logFormat = '' - level ERROR - ''; - virtualHosts."${domain}" = { - extraConfig = '' - redir /hedgedoc* https://hedgedoc.${domain} - - basic_auth /justyna/202505_prt_teil1* { - prt $2a$14$y7tZYZxTlJ2JFsBtRM.D8Ok0oHhWt53mGXk.xJMLXc/JF.bTtOWaq - } - - file_server /* { - browse - root /var/www/stefanjunker.de/htdocs/caddy - pass_thru - } - - # respond "Hi" - # respond (not /*/*) "Hi" - ''; - }; - - virtualHosts."hedgedoc.${domain}" = { - extraConfig = '' - reverse_proxy http://[::1]:3000 - ''; - }; - - virtualHosts."authelia.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} - ''; - }; - - virtualHosts."lldap.${domain}" = { - extraConfig = '' - reverse_proxy 
http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} - ''; - }; - - virtualHosts."forgejo.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} - ''; - }; - - virtualHosts."kanidm.${domain}" = { - extraConfig = '' - reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} - } - } - ''; - }; - }; - - services.hedgedoc = { - enable = true; - settings = { - domain = "hedgedoc.${domain}"; - urlPath = ""; - protocolUseSSL = true; - db = { - dialect = "sqlite"; - storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; - }; - - allowAnonymous = false; - allowAnonymousEdits = false; - allowGravatar = false; - allowFreeURL = false; - defaultPermission = "private"; - - allowEmailRegister = false; - email = false; - - ldap = { - url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; - bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; - # these are set via the `environmentFile` - # bindCredentials = "$LDAP_ADMIN_PASSWORD"; - searchBase = "ou=people,dc=stefanjunker,dc=de"; - searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; - useridField = "uid"; - }; - - oauth2 = - let - originURL = config.services.kanidm.serverSettings.origin; - in - { - providerName = "kanidm (${originURL})"; - - authorizationURL = "${originURL}/ui/oauth2"; - tokenURL = "${originURL}/oauth2/token"; - userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; - - scope = "openid email profile"; - # rolesClaim = "roles"; - # accessRole = "role/hedgedoc"; - - userProfileUsernameAttr = "name"; - userProfileDisplayNameAttr = "displayname"; - userProfileEmailAttr = "email"; - - clientID = "hedgedoc"; - # set via the `environmentFile` - # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; - }; - - uploadsPath = 
"/var/lib/hedgedoc/uploads"; - }; - - environmentFile = config.sops.secrets.hedgedoc_environment_file.path; - }; - - services.jitsi-meet = { - enable = false; - hostName = "meet.${domain}"; - config = { - prejoinPageEnabled = true; - }; - caddy.enable = true; - nginx.enable = false; - }; - - sops.secrets.authelia_storageEncryptionKey = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - sops.secrets.authelia_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - services.authelia.instances.default = - let - baseDir = "/var/lib/authelia-default"; - in - { - enable = true; - secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; - secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; - settings = { - theme = "auto"; - default_2fa_method = "totp"; - log.level = "debug"; - - server = { - disable_healthcheck = true; - host = "127.0.0.1"; - port = 9091; - # path = "authelia"; - }; - - storage = { - local.path = "${baseDir}/authelia.sqlite"; - }; - - authentication_backend = { - file.path = "${baseDir}/first_factor.yaml"; - file.search.email = true; - file.search.case_insensitive = false; - }; - - access_control = { - default_policy = "one_factor"; - }; - - session.domain = "stefanjunker.de"; - - notifier = { - disable_startup_check = true; - filesystem.filename = "${baseDir}/notification.txt"; - }; - }; - }; - - users.groups.lldap = { }; - users.users.lldap = { - isSystemUser = true; - group = "lldap"; - }; - - sops.secrets.lldap_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_adminPassword = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_environmentFile = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - services.lldap = { - enable = 
true; - environment = { - LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; - LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; - }; - environmentFile = config.sops.secrets.lldap_environmentFile.path; - - settings = { - verbose = true; - - ldap_base_dn = "dc=stefanjunker,dc=de"; - http_url = "https://lldap.${domain}"; - - ## Options to configure SMTP parameters, to send password reset emails. - ## To set these options from environment variables, use the following format - ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD - smtp_options = { - ## Whether to enabled password reset via email, from LLDAP. - enable_password_reset = true; - - # port = 465; - ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". - # smtp_encryption = "TLS"; - }; - - # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; - }; - }; - - sops.secrets.FORGEJO_JWT_SECRET = { }; - sops.secrets.FORGEJO_INTERNAL_TOKEN = { }; - sops.secrets.FORGEJO_SECRET_KEY = { }; - - services.forgejo = { - enable = true; - package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; - settings = { - service.DISABLE_REGISTRATION = true; - server.HTTP_ADDR = "127.0.0.1"; - server.START_SSH_SERVER = true; - server.SSH_PORT = forgejoSshPort; - server.ROOT_URL = "https://forgejo.${domain}"; - server.HTTP_PORT = 3001; - - # TODO: how do i get a 3072 length SSH key with the yubikey? 
- "ssh.minimum_key_sizes".RSA = 2048; - }; - secrets = { - oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; - security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; - security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; - }; - }; - - systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; - systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; - systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; - - # combine a path watcher with a service that transfers the certs by caddy to kanidm - # TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate - systemd.paths.kanidm-tls-watch = { - enable = true; - requiredBy = [ "kanidm.service" ]; - pathConfig = { - PathChanged = [ - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - ]; - Unit = "kanidm-tls-update.service"; - }; - }; - systemd.services.kanidm-tls-update = - let - dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; - in - { - enable = true; - requiredBy = [ "kanidm.service" ]; - unitConfig = { - # ConditionPathExists = [ - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - # ]; - }; 
- serviceConfig.Type = "oneshot"; - script = - let - tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key; - in - '' - set -xe - - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain - - chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} - chmod 400 tls.{key,chain} - - # create the kanidm directory in case it's missing - if [[ ! -d ${tlsDir} ]]; then - mkdir -p ${tlsDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} - chmod 700 ${tlsDir} - fi - - mv tls.key ${config.services.kanidm.serverSettings.tls_key} - mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} - - if [[ ! 
-d ${dbDir} ]]; then - mkdir -p ${dbDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} - chmod 700 ${dbDir} - fi - ''; - }; - - systemd.services.kanidm.serviceConfig = - let - dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; - in - # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; - { - # ExecStartPre = '' - # mkdir -p ${dbDir} - # ''; - BindPaths = [ - dbDir - # stateDir - ]; - }; - - services.kanidm = - let - dataDir = "/var/lib/kanidm"; - in - { - package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; - - enablePam = false; - enableClient = false; - - enableServer = true; - serverSettings = { - role = "WriteReplica"; - log_level = "debug"; - - domain = "kanidm.${domain}"; - origin = "https://kanidm.${domain}"; - - bindaddress = "127.0.0.1:8444"; - - # don't expose ldap - # ldapbindaddress = "[::1]:6636"; - - tls_key = "${dataDir}/tls/tls.key"; - tls_chain = "${dataDir}/tls/tls.chain"; - - online_backup = { - schedule = "00 06 * * *"; - }; - }; - }; +}: let + passwords = import ../../variables/passwords.crypt.nix; +in { + config = { + config, + pkgs, + lib, + ... + }: { + system.stateVersion = "22.05"; # Did you read the comment? 
+ + imports = [../profiles/containers/configuration.nix]; + + networking.firewall.enable = false; + + services.ddclientovh = { + enable = true; + domain = "www.stefanjunker.de"; }; + security.acme = { + acceptTerms = true; + certs."www.stefanjunker.de".email = "mail@stefanjunker.de"; + preliminarySelfsigned = true; + + # can be used for debugging + # server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + }; + + services.nginx.enable = true; + services.nginx.recommendedProxySettings = true; + services.nginx.virtualHosts."www.stefanjunker.de" = { + default = true; + addSSL = true; + listen = [ + { + addr = "0.0.0.0"; + port = httpPort; + ssl = false; + } + { + addr = "0.0.0.0"; + port = httpsPort; + ssl = true; + } + ]; + + root = "/var/www/stefanjunker.de/htdocs"; + + enableACME = true; + # serverAliases = [ + # "www.stefanjunker.de" + # ]; + # sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt"; + # sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key"; + + locations."/fi" = {index = "index.php";}; + + locations."~ ^(.+.php)(.*)$".extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(.*)$; + + fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket}; + fastcgi_index index.php; + ''; + + locations."/hedgedoc/" = {proxyPass = "http://127.0.0.1:3000/";}; + + locations."/hedgedoc/socket.io/" = { + proxyPass = "http://127.0.0.1:3000/socket.io/"; + proxyWebsockets = true; + }; + }; + + services.phpfpm.pools.mypool = { + user = "nobody"; + phpPackage = pkgs.php5; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 5; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 1; + "pm.max_spare_servers" = 3; + "pm.max_requests" = 500; + + "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED"; + }; + }; + + # the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work + systemd.services."phpfpm-mypool" = 
{ + serviceConfig = {Type = lib.mkForce "simple";}; + }; + + services.mysql = { + enable = true; + package = pkgs.mariadb_104; + }; + + services.hedgedoc = { + enable = true; + configuration = { + domain = "www.stefanjunker.de"; + urlPath = "hedgedoc"; + protocolUseSSL = true; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + }; + + allowAnonymous = false; + allowAnonymousEdits = false; + allowGravatar = false; + allowFreeURL = false; + defaultPermission = "private"; + allowEmailRegister = false; + + # oauth2 provider config + inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox; + + uploadsPath = "/var/lib/codimd/uploads"; + }; + }; + }; + inherit autoStart; bindMounts = { - # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host - "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; - "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true; + "/etc/secrets/" = { + hostPath = "/var/lib/container-volumes/webserver/etc-secrets"; + isReadOnly = true; + }; "/var/www" = { hostPath = "/var/lib/container-volumes/webserver/var-www"; @@ -446,28 +151,10 @@ in hostPath = "/var/lib/container-volumes/webserver/var-lib-hedgedoc"; isReadOnly = false; }; - - "/var/lib/authelia-default" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-authelia-default"; - isReadOnly = false; - }; - - "/var/lib/lldap" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap"; - isReadOnly = false; - }; - - "/var/lib/forgejo" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo"; - isReadOnly = false; - }; - - "/var/lib/kanidm" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm"; - isReadOnly = false; - }; }; + extraFlags = ["--resolv-conf=bind-host"]; + privateNetwork = true; forwardPorts = [ { 
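Review bot: `inherit (passwords.www_stefanjunker_de_hedgedoc) dropbox;` pulls values from `../../variables/passwords.crypt.nix` into `services.hedgedoc.configuration`, and that attrset is rendered by the module into a config file which on this module appears to be a Nix store path, so any OAuth client secret in it would be world-readable on host and container — a step back from the sops-backed `environmentFile` the old side used; keep the secret out of evaluation, for instance as a root-owned file under the `/etc/secrets/` bind mount this hunk adds but nothing visible here reads (the container attrset continues into the later hunks). `networking.firewall.enable = false;` drops the per-port allow-list the old side had, leaving whatever else listens in the container reachable from the container network instead of only `httpPort`/`httpsPort`; keeping the firewall on with `networking.firewall.allowedTCPPorts = [ httpPort httpsPort ];` preserves the old posture. `phpPackage = pkgs.php5;` and `package = pkgs.mariadb_104;` pin end-of-life releases that no longer receive security fixes, which deserves at least a comment stating why they are required. The PHP location `"~ ^(.+.php)(.*)$"` uses an unescaped `.` and has no `try_files`, so it also matches request paths that merely contain `php`; `"~ ^(.+\\.php)(/.*)?$"` plus `try_files $fastcgi_script_name =404;` in its `extraConfig` restricts it to existing PHP files. Finally, `user = "nobody"` for the php-fpm pool runs site code under a shared account; a dedicated user (or `DynamicUser`) keeps its files and processes apart from anything else using `nobody`.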
@@ -482,14 +169,7 @@ in hostPort = httpsPort; protocol = "tcp"; } - - { - # forgejo ssh - containerPort = forgejoSshPort; - hostPort = forgejoSshPort; - protocol = "tcp"; - } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml deleted file mode 100644 index d5c1dcd..0000000 --- a/nix/os/containers/webserver_secrets.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str] -authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str] -authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str] -lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str] -lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str] -lldap_environmentFile: 
ENC[AES256_GCM,data:TpdO1N2MgHWI4TipvlwfVjnKppzpluI9WA3ejbgT8jrRXXTCA94PS734wDHLtEAIwKdIQd/JGDS+1kbdvgDL3F3HIOX5HLz9h7CtkDBYT6qOy0Zb0tNHjmJco6dL/iMwuzglXxu2460nadO+lHoTs3DA3lesghzpJzm41hgElzcxXS2sa/hsV+kjmbyfu6Xi94kbqcHBLA/mppWmLSgJN6wu/bO07XfaSB1ghHnAR7BL9XZDjoNDzljZAXDpDBw3WD6mwoZeIjGbkEuL4nUnkS6CkA+y7IORA24XGGAczRxZp4vLfUOnnlFCPGIHBsRTbrTB4bcEDBK4+5gHfNhXxvD5VlNMb4TPqYdcEIxkgMxZNLV5U2LTlzn18HNOCvsPb9XOOtY21j6qHMMQDXZREmn5NsW0HXM4gNZ0fC9UEe1MYBhyE3gGEGDzzDUrrQCGLm7/1OC7NRlzuI7M/5DlgcREwK1PkjPDmfRCAq86l0N5lMP/A7MMq2SJWcZvf+ot3fInugq485773vgWWl2Rodl08SZ8YHnzj0L6anPu856v2BsIotE0iRJSCpzA2ZgOJ9RViBfoq6F3beJKLnGN7oGb8XBviRTnXrTN6BTuFyv3dIZ7qcuTGTY+ucjRXfGJ1TVlVQBbiqhQDz5c9D5e0RVnRe3AkMXeDMOd4GlWW5gsJSuZtlYq1aMEf/Bx+4WMyY/Wh+Jk1xxf30bth5L1dW82p6fNFhEuKabtkBALOg/CQzYczMeGP9ai6BWgZL8QPlQoEUpHh59Vz91V6unQSOJ2PNr5wzC6j75IKInVjcp4d1S9K2UAxg+HETn5p9T1sBRdAAVz0YgO5902FwDTsA+2x6Q=,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str] -#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment] -FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str] -FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str] -FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTitidDZpWVJsZWxmWDFa - emdyTSszczVNbDhZSlVjeWRDMDdXQmg4QmpBCmNLZ0tob2hsRHhlTXY5VHZEY01T - MUtRdUxBM0lmeEo2OVBMdElrYVVvY1EKLS0tIHIwWllkQU9RRjF1U0F0OWdCKzlq - Y3ZxSWI3MUxQNEljNXlUSnlTdlpxazAKKjJYqcDsBzo6yOYDkgtBZntxhsHjqOyZ - yg5G8vtuOiDvPLvODzI/I9VupGyLwEkxaFc67bpg4u/1Cql7oaAADQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdFg1cm9JTFFyUmYxb1ZP - WWtKTDE4bDBya3pWakJ0bFVkSnZvdExGMlNVCmo0N1BvNnV4MERUTjU2blUzbngv - VDduRWd2K1VlK1k2OWp6L0JhTERnOUEKLS0tIGV0aFZMTGRHNW5HUUhGRkYxNGMz - dHJwN0R1eHkyWXpiVDlRcldHT0gvV28KRiwauYvF4CCu5LeW7+kR3GSkZ+rpIbsC - JF9vV3rxbE9SdJ3nP6CyYQX7tQ6rbXtOKawq3k+z4zV/Dw7gYSNn5Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-16T12:28:51Z" - mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] - pgp: - - created_at: "2025-06-05T09:49:08Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/8DIuNUO6tpyuG0j4Ros6MjHs1USkfY+2ntzqyugGe4OpA - cXLzXWGT7pCxE6bcd7FepG/Nln17219siP9PX1WqEl324GnKXjbAbczjnu/9ggeF - bUWBhKFwGivVXDfO8VusG0MN41tJMoDwAelaJdgnXnbAwHISJ20UzFtnTBx67ALs - 5pqHzOf7uuY7eZbl79iEiBJ8Ecj/Y3yrcANbVXQtET7X5629nTMHuizFsym9fy0p - 6elwdrJSGPlncWA/+wsec5WIxwOsrLoEz8rvFpZJo/YI4/5heiL6RmgqKODzAhFp - +PD/VoksJQ0lynzH2jBUKNte7UU5fyMAn9CEu0eY7sNRHpEKWjj/uPoWPkaV3JQ/ - Au2YN9VV0qkyqYZ/6mU1L+Ukaci3kG/hJKM9MxXZ6rVEsuOnbuHPgW9jW/xogo38 - /522CAF+NThKPWbiS/VDHyUsH+h2ubh9jGyFuesP/dNhXbc+6vkcIIBgfsb2IWt1 - Fc2fvUlX9tpJYobk3PmyR88DHv4pXPkgIIEqW6JUHmkjdH+q82sGsRtni58eWUj6 - DXn09tSpM3gu02wlqobca1qrOIKVsQJ/bHB4p6PRFoeqx6Yzfdy8h4WvT75PONGD - DGW7uLYo/ISb/SDgbclNw6vlYsI7ZFtYDTWxtCjrYXFBqRSMftgreRwhi8gU0rTS - 
XAFXAkIp4B0y8cfxofqJyDsZmil0gJraJpkz/Y0JA+jXlQ2jHlC03xoMZIn60RKn - XI91UY65PAyoQ0LROa/TRBFCLJarLFcCSeth4MhDq06f4spXYtCV9i+2HNBj - =bUJ6 - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nix/os/devices/sj-vps-htz0/boot.nix b/nix/os/devices/167.233.1.14/boot.nix similarity index 51% rename from nix/os/devices/sj-vps-htz0/boot.nix rename to nix/os/devices/167.233.1.14/boot.nix index ed21f9c..5713789 100644 --- a/nix/os/devices/sj-vps-htz0/boot.nix +++ b/nix/os/devices/167.233.1.14/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/devices/167.233.1.14/configuration.nix b/nix/os/devices/167.233.1.14/configuration.nix new file mode 100644 index 0000000..a405714 --- /dev/null +++ b/nix/os/devices/167.233.1.14/configuration.nix @@ -0,0 +1,11 @@ +{...}: { + disabledModules = []; + imports = [ + ../../profiles/common/configuration.nix + + ./system.nix + ./hw.nix + ./pkg.nix + ./boot.nix + ]; +} diff --git a/nix/os/devices/167.233.1.14/hw.nix b/nix/os/devices/167.233.1.14/hw.nix new file mode 100644 index 0000000..37ee809 --- /dev/null +++ b/nix/os/devices/167.233.1.14/hw.nix 
@@ -0,0 +1,53 @@ +{ ... }: +let + stage1Modules = [ + "virtio_balloon" + "virtio_scsi" + "virtio_net" + "virtio_pci" + "virtio_ring" + "virtio" + "scsi_mod" + + "virtio_blk" + "virtio_ring" + "bochs_drm" + "ata_piix" + "pata_acpi" + "ata_generic" + ]; +in +{ + hardware.opinionatedDisk = { + enable = true; + encrypted = false; + diskId = "virtio-virtio-paeNi8Fof9Oe"; + }; + + # fileSystems."/boot" = { + # device = "/dev/disk/by-uuid/354fb107-2f4a-42ad-80dd-9dddb61bfd02"; + # fsType = "ext4"; + # }; + + # fileSystems."/" = { + # device = "/dev/disk/by-uuid/993cce35-cc1f-40cc-b07a-5ea58b99fb5b"; + # fsType = "btrfs"; + # options = [ "subvol=root" ]; + # neededForBoot = true; + # }; + + # fileSystems."/home" = { + # device = "/dev/disk/by-uuid/993cce35-cc1f-40cc-b07a-5ea58b99fb5b"; + # fsType = "btrfs"; + # options = [ "subvol=home" ]; + # neededForBoot = true; + # }; + + # swapDevices = [{ device = "/dev/disk/by-uuid/d16b5f4a-f38c-41c6-8aae-1625be815f9d"; }]; + + # boot.loader.grub = { device = "/dev/vda"; }; + + boot.initrd.availableKernelModules = stage1Modules; + boot.initrd.kernelModules = stage1Modules; + boot.extraModprobeConfig = ""; +} diff --git a/nix/os/devices/167.233.1.14/pkg.nix b/nix/os/devices/167.233.1.14/pkg.nix new file mode 100644 index 0000000..c4a5b2c --- /dev/null +++ b/nix/os/devices/167.233.1.14/pkg.nix 
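Review bot: `hardware.opinionatedDisk.encrypted = false` switches disk encryption off for this host with no explanation; on a remote VM that has to reboot unattended this may well be deliberate, but the trade-off should be written down, e.g. `encrypted = false; # intentionally unencrypted: no out-of-band unlock for this VPS — TODO(review) confirm`. The commented-out `fileSystems`, `swapDevices` and `boot.loader.grub` block carries UUIDs and a device path from an earlier install and is dead configuration that will only mislead the next reader; delete it rather than keep it. `"virtio_ring"` is listed twice in `stage1Modules`.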
@@ -0,0 +1,33 @@ +{ config +, pkgs +, lib +, ... +}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }).nixPath; + }; + home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { + inherit pkgs; + extraPackages = [ + # required by vscode's remote-ssh plugin + pkgs.nodejs + + # allow clipboard exchanges + pkgs.xsel + pkgs.xclip + ]; + }; + + nix.buildMachines = [ + # { + # hostName = "localhost"; + # system = "x86_64-linux"; + # supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + # maxJobs = 4; + # } + ]; +} diff --git a/nix/os/devices/167.233.1.14/system.nix b/nix/os/devices/167.233.1.14/system.nix new file mode 100644 index 0000000..1234628 --- /dev/null +++ b/nix/os/devices/167.233.1.14/system.nix 
@@ -0,0 +1,75 @@ +{ pkgs +, lib +, config +, ... +}: +let + keys = import ../../../variables/keys.nix; +in +{ + # TASK: new device + networking.hostName = "sj-pvehtz0"; # Define your hostname. + # networking.domain = ""; + + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ + # iperf3 + 5201 + ]; + networking.firewall.logRefusedConnections = false; + + networking.usePredictableInterfaceNames = false; + + networking.interfaces.eth0 = { + mtu = 1400; + useDHCP = false; + ipv4.addresses = [ + { + "address" = "167.233.1.14"; + "prefixLength" = 29; + } + ]; + ipv6.addresses = [ ]; + }; + + networking.defaultGateway = { + address = "167.233.1.9"; + interface = "eth0"; + }; + + networking.defaultGateway6 = { + address = "fe80::1"; + interface = "eth0"; + }; + + networking.nameservers = [ "1.1.1.1" ]; + + networking.nat = { + enable = true; + internalInterfaces = [ "ve-+" ]; + externalInterface = "eth0"; + }; + + # Kubernetes + # services.kubernetes.roles = ["master" "node"]; + + # virtualization + virtualisation = { docker.enable = true; }; + + services.spice-vdagentd.enable = true; + services.qemuGuest.enable = true; + + nix.gc = { automatic = true; }; + + networking.useHostResolvConf = true; + + services.openssh.forwardX11 = true; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "22.11"; # Did you read the comment? +} diff --git a/nix/os/devices/167.233.1.14/versions.nix b/nix/os/devices/167.233.1.14/versions.nix new file mode 100644 index 0000000..c4654c3 --- /dev/null +++ b/nix/os/devices/167.233.1.14/versions.nix 
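Review bot: `services.openssh.forwardX11 = true` enables X11 forwarding in sshd on a host that, as far as this file shows, runs no X server at all; it is unneeded attack surface on a public VPS and should be dropped or justified with a comment. `virtualisation.docker.enable = true` next to `networking.firewall.enable = true` deserves a caveat, because Docker manages its own iptables chains and ports published by containers are reachable regardless of `allowedTCPPorts`; a comment like `# NOTE: docker-published ports bypass networking.firewall` would prevent a surprise later. `networking.firewall.logRefusedConnections = false` removes the only visible log source for refused traffic on an internet-facing host, which I would reconsider for detection purposes. The `keys` binding in the `let` is never used in this module.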
@@ -0,0 +1,26 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-22.11";
+ rev = "e34c5379866833f41e2a36f309912fa675d687c7";
+ };
+in
+{
+ inherit nixpkgs;
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-22.11" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-22.11";
+ rev = "";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "fb881b80f64d1b672135533a8c2fbc86e6ed8898";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-21.05";
+ rev = "7329ffc6e911106494183557fc249180d5422929";
+ };
+}
diff --git a/nix/os/devices/167.233.1.14/versions.tmpl.nix b/nix/os/devices/167.233.1.14/versions.tmpl.nix
new file mode 100644
index 0000000..8941993
--- /dev/null
+++ b/nix/os/devices/167.233.1.14/versions.tmpl.nix
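Review bot: `"channels-nixos-22.11"` pins `rev = ""` while every other entry in this file pins a commit hash; an empty rev means whatever consumes this file fetches the moving tip of the `nixos-22.11` branch instead of a reproducible commit, so the pin should be filled in like the `nixpkgs` entry above (`rev = "e34c5379866833f41e2a36f309912fa675d687c7";`). `home-manager-module` follows `release-21.05` while nixpkgs is `nixos-22.11`; pairing a home-manager release with a nixpkgs branch more than a year newer is, to my knowledge, unsupported upstream and worth a comment if it is intentional. Separately, `nixos-22.11` is no longer maintained upstream as far as I know, so this host will not receive security updates from the pinned channel.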
@@ -0,0 +1,62 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-22.11"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +in +{ + inherit nixpkgs; + "channels-nixos-stable" = nixpkgs; + "channels-nixos-22.11" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-22.11"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-20.05 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "channels-nixos-20.09" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-20.09"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "channels-nixos-20.03" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-20.03"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-20.03 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "channels-nixos-19.09" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-19.09"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-19.09 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "channels-nixos-unstable" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = '' + <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-21.05"; + rev = '' + <% git ls-remote https://github.com/nix-community/home-manager.git release-21.05 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +} diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index 02b0212..82f3009 100644 --- a/nix/os/devices/default.nix 
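Review bot: The `nixpkgs` entry declares `ref = "nixos-22.11"` but its `rev` is produced by `git ls-remote https://github.com/nixos/nixpkgs nixos-21.11`, and `channels-nixos-22.11` queries `nixos-20.05`; the rendered versions.nix will therefore pin a commit from a different branch than the one it records, which defeats the purpose of writing `ref` down and hides what is actually deployed. Both commands should query the branch they claim, i.e. `<% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d '\n' -%>`. A short header comment stating that this template is rendered into versions.nix and must be regenerated when a ref changes would also help, since nothing in the file says so.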
+++ b/nix/os/devices/default.nix @@ -1,25 +1,20 @@ { dir, - pkgs ? import { }, - ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, + pkgs ? import {}, + ownLib ? import ../lib/default.nix {}, gitRoot ? "$(git rev-parse --show-toplevel)", # FIXME: why do these need explicit mentioning? moreargs ? "", rebuildarg ? "", ... -}@args: -let - rebuildargsSudo = [ - "switch" - "boot" - ]; - rebuild = - { - gitRoot, - rebuildarg ? "dry-activate", - moreargs ? "", - ... - }: +} @ args: let + rebuildargsSudo = ["switch" "boot"]; + rebuild = { + gitRoot, + rebuildarg ? "dry-activate", + moreargs ? "", + ... + }: pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe @@ -35,24 +30,25 @@ let ${ if - (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null - then - "sudo -E \\" - else - "" + (builtins.elem rebuildarg rebuildargsSudo) + && (builtins.match ".*--target-host.*" moreargs) == null + then "sudo -E \\" + else "" } nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} ''; -in -{ - recipes = { - rebuild = rebuild { - inherit gitRoot; - inherit moreargs; - inherit rebuildarg; +in { + recipes = + { + rebuild = + rebuild { + inherit gitRoot; + inherit moreargs; + inherit rebuildarg; + } + # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } + # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } + ; } - # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } - # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } - ; - } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); + // (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;})); } diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index f639344..f62c6a9 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix 
@@ -3,29 +3,40 @@ ownLib, dir, gitRoot, - diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, + diskId ? + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") + {}) + .hardware + .opinionatedDisk + .diskId, encrypted ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") + {}) + .hardware + .opinionatedDisk + .encrypted, previousDiskId ? "", ... -}: -let +}: let mntRootVol = "/mnt/${diskId}-root"; -in -rec { +in rec { diskMount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe echo Mounting ${diskId} ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ + ownLib.disk.luksName diskId + } ''} sleep 1 sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo mkdir -p /mnt sudo mkdir ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} - sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home + sudo mount ${ + ownLib.disk.rootFsDevice diskId + } ${mntRootVol}/nixos/home -o subvol=home sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot ''; @@ -62,7 +73,9 @@ rec { #!/usr/bin/env bash set -xe - read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice + read -p "Continue to format ${ + ownLib.disk.bootGrubDevice diskId + } (YES/n)? " choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; 
@@ -109,11 +122,15 @@ rec { ${pkgs.lib.strings.optionalString encrypted '' # Encrypt sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ + ownLib.disk.luksName diskId + } ''} # LVM - sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted} + sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ + ownLib.disk.lvmPv diskId encrypted + } sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root @@ -137,7 +154,9 @@ rec { #!/usr/bin/env bash set -xe - read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice + read -p "Continue to relabel ${ + ownLib.disk.bootGrubDevice diskId + } (YES/n)?" choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; @@ -168,9 +187,13 @@ rec { if test "${previousDiskId}"; then - ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} - ''} + ${ + pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ + ownLib.disk.luksName diskId + } + '' + } sync sleep 1 if sudo vgs ${previousDiskId}; then diff --git a/nix/os/devices/elias-e525/boot.nix b/nix/os/devices/elias-e525/boot.nix index 6698046..4d8c1d1 100644 --- a/nix/os/devices/elias-e525/boot.nix +++ b/nix/os/devices/elias-e525/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ - boot.loader.grub.efiSupport = lib.mkForce false; +{lib, ...}: { + boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/elias-e525/configuration.nix b/nix/os/devices/elias-e525/configuration.nix index ea92869..37f4c61 100644 
--- a/nix/os/devices/elias-e525/configuration.nix +++ b/nix/os/devices/elias-e525/configuration.nix @@ -1,15 +1,12 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix - ../../profiles/graphical-gnome-xorg.nix ../../modules/opinionatedDisk.nix ./system.nix ./hw.nix ./pkg.nix ./user.nix - ./boot.nix ]; } diff --git a/nix/os/devices/elias-e525/default.nix b/nix/os/devices/elias-e525/default.nix deleted file mode 100644 index 4104b58..0000000 --- a/nix/os/devices/elias-e525/default.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - nodeName, - repoFlake, - nodeFlake, - ... -}: -let - system = "x86_64-linux"; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake; - packages' = repoFlake.packages.${system}; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "elias-e525"; - deployment.replaceUnknownProfiles = true; - # deployment.allowLocalDeployment = true; - - imports = [ - nodeFlake.inputs.home-manager.nixosModules.home-manager - - ./configuration.nix - ]; - }; -} diff --git a/nix/os/devices/elias-e525/flake.lock b/nix/os/devices/elias-e525/flake.lock deleted file mode 100644 index 5002d24..0000000 --- a/nix/os/devices/elias-e525/flake.lock +++ /dev/null 
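Review bot: `./boot.nix` is removed from `imports` in this hunk, yet the same commit edits `elias-e525/boot.nix` to set `grub.efiInstallAsRemovable` and `efi.canTouchEfiVariables`; unless that file is imported from somewhere not shown here, those bootloader settings now have no effect and the device falls back to whatever the common profile configures. Either keep the `./boot.nix` import or delete the file so the two do not drift apart silently.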
@@ -1,52 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1748665073, - "narHash": "sha256-RMhjnPKWtCoIIHiuR9QKD7xfsKb3agxzMfJY8V9MOew=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "282e1e029cb6ab4811114fc85110613d72771dea", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-25.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1749024892, - "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": [ - "nixpkgs-stable" - ], - "nixpkgs-stable": "nixpkgs-stable" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/elias-e525/flake.nix b/nix/os/devices/elias-e525/flake.nix deleted file mode 100644 index ce104cb..0000000 --- a/nix/os/devices/elias-e525/flake.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ - inputs.nixpkgs.follows = "nixpkgs-stable"; - inputs.nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05"; - - inputs.home-manager = { - url = "github:nix-community/home-manager/release-25.05"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/elias-e525/hw.nix b/nix/os/devices/elias-e525/hw.nix index 23d4edb..269281c 100644 --- a/nix/os/devices/elias-e525/hw.nix +++ b/nix/os/devices/elias-e525/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/elias-e525/pkg.nix b/nix/os/devices/elias-e525/pkg.nix index 57d813e..d07c68c 100644 --- a/nix/os/devices/elias-e525/pkg.nix +++ b/nix/os/devices/elias-e525/pkg.nix 
@@ -1,47 +1,63 @@ -{ pkgs, lib, ... }: -let +{ + pkgs, + lib, + ... +}: let homeEnv = keyboard: { imports = [ - ../../../home-manager/profiles/common.nix - - ../../../home-manager/configuration/graphical-gnome3.nix - - ../../../home-manager/programs/firefox.nix - ../../../home-manager/programs/libreoffice.nix - ../../../home-manager/programs/neovim.nix + (import ../../../home-manager/configuration/graphical-gnome3.nix { + inherit pkgs; + }) ]; home.keyboard = keyboard; home.packages = with pkgs; [ + rhythmbox + lollypop dia - - rustdesk + kotatogram-desktop + jitsi ]; }; -in -{ - services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) { +in { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; + }; + + services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { + games.enable = true; gnome-remote-desktop.enable = true; + gnome-user-share.enable = true; + rygel.enable = true; + sushi.enable = true; + tracker.enable = true; + tracker-miners.enable = true; }; home-manager.users.steveej = homeEnv { layout = "en"; - options = [ "nodeadkey" ]; + options = ["nodeadkey"]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = [ ]; + options = []; variant = ""; }; home-manager.users.justyna = homeEnv { layout = "de"; - options = [ ]; + options = []; variant = ""; }; + services.teamviewer.enable = true; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/elias-e525/system.nix b/nix/os/devices/elias-e525/system.nix index 9922153..3cb10d3 100644 --- a/nix/os/devices/elias-e525/system.nix +++ b/nix/os/devices/elias-e525/system.nix @@ -1,5 +1,10 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + config, + ... +}: let +in { # TASK: new device networking.hostName = "elias-e525"; # Define your hostname. 
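Review bot: The new side enables four remote-access or file-sharing daemons at once — `services.teamviewer.enable`, `gnome-remote-desktop`, `gnome-user-share` and `rygel` — on a laptop shared by three user accounts, with no accompanying firewall or authentication configuration in this hunk; each of these listens on the network and should be justified individually, for example `services.teamviewer.enable = true; # remote support for the non-technical users; proprietary agent, review before keeping`. Grouping the purely local services (`tracker`, `tracker-miners`, `sushi`, `games`) apart from the network-facing ones would make the sensitive part of the block visible at a glance. The `mapAttrs (attr: value: ...)` lambda never uses `attr`; keeping the `_attr` spelling signals that intentionally.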
@@ -12,36 +17,35 @@ networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; + services.printing = { + enable = true; + drivers = with pkgs; [mfcl3770cdw.driver mfcl3770cdw.cupswrapper]; + }; + services.fprintd.enable = true; security.pam.services = { - # conflicts with nixpkgs' gdm.nix - # login.fprintAuth = true; + login.fprintAuth = true; sudo.fprintAuth = true; }; services = { xserver = { - xkb.layout = lib.mkForce "de"; - xkb.variant = lib.mkForce ""; - xkb.options = lib.mkForce ""; + layout = lib.mkForce "de"; + xkbVariant = lib.mkForce ""; + xkbOptions = lib.mkForce ""; + displayManager.autoLogin.enable = lib.mkForce false; displayManager.gdm.enable = lib.mkForce true; displayManager.lightdm.enable = lib.mkForce false; desktopManager.gnome.enable = true; }; - displayManager.autoLogin.enable = lib.mkForce false; - # dbus.packages = [ pkgs.gnome3.dconf ]; # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = [ "modesetting" ]; + services.xserver.videoDrivers = ["modesetting"]; - # boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - - nix.gc = { - automatic = true; - }; + boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; } diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix index 3e154da..1fe7f71 100644 --- a/nix/os/devices/elias-e525/user.nix +++ b/nix/os/devices/elias-e525/user.nix 
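Review bot: `login.fprintAuth = true` reinstates a setting whose removed comment said it conflicts with nixpkgs' gdm.nix, and the new side drops that warning without any indication the conflict is resolved; with `displayManager.gdm.enable = lib.mkForce true` in the same hunk this needs to be verified on the device, and the history should stay in a comment such as `login.fprintAuth = true; # FIXME: previously disabled for conflicting with nixpkgs' gdm.nix — verify gdm login still works`. Also keep in mind that `fprintAuth` makes a fingerprint sufficient on its own for both console login and `sudo`, so it is a single-factor path to root on a shared machine. `security.pki.certificateFiles` pointing at `pkgs.cacert`'s bundle appears redundant, since NixOS already installs that bundle by default as far as I know.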
@@ -1,36 +1,21 @@ -{ config, lib, ... }: -let +{ + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { inherit lib config; }) mkUser deepMergeAttrsets; -in -deepMergeAttrsets [ - - { - sops.secrets.sharedUsers-elias = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; - - sops.secrets.sharedUsers-justyna = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; - } - - (mkUser { - username = "elias"; + inherit (import ../../lib/default.nix {}) mkUser; +in { + users.extraUsers.elias = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPasswordFile = config.sops.secrets.sharedUsers-elias.path; - }) + hashedPassword = passwords.users.elias; + }; - (mkUser { - username = "justyna"; + users.extraUsers.justyna = mkUser { uid = 1002; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPasswordFile = config.sops.secrets.sharedUsers-justyna.path; - }) - -] + hashedPassword = passwords.users.justyna; + }; +} diff --git a/nix/os/devices/elias-e525/versions.nix b/nix/os/devices/elias-e525/versions.nix new file mode 100644 index 0000000..81a71e6 --- /dev/null +++ b/nix/os/devices/elias-e525/versions.nix 
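Review bot: The new side replaces `hashedPasswordFile` (pointing at a sops-decrypted file) with `hashedPassword = passwords.users.elias`, and NixOS writes `hashedPassword` values into the generated users/groups data in the world-readable Nix store; the git-crypt protection of `passwords.crypt.nix` covers the repository only, not the evaluated system closure, so anyone with a local account or a copy of the store path can take the hashes for offline cracking. Prefer `hashedPasswordFile` pointing at a root-only file deployed outside the store, e.g. `hashedPasswordFile = "<root-only path provisioned out of band>";`, for both users. The `config` and `pkgs` parameters are no longer used in this module.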
@@ -0,0 +1,26 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-21.11"; + rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; + }; +in { + inherit nixpkgs; + nixos = nixpkgs // {suffix = "/nixos";}; + "channels-nixos-stable" = nixpkgs; + "channels-nixos-unstable" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable"; + rev = "5aaed40d22f0d9376330b6fa413223435ad6fee5"; + }; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = "c4d1eff44eb12cb5500fb2ab05a1a7303711254e"; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-21.11"; + rev = "697cc8c68ed6a606296efbbe9614c32537078756"; + }; +} diff --git a/nix/os/devices/elias-e525/versions.tmpl.nix b/nix/os/devices/elias-e525/versions.tmpl.nix new file mode 100644 index 0000000..ea299fb --- /dev/null +++ b/nix/os/devices/elias-e525/versions.tmpl.nix @@ -0,0 +1,34 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-21.11"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +in { + inherit nixpkgs; + nixos = nixpkgs // {suffix = "/nixos";}; + "channels-nixos-stable" = nixpkgs; + "channels-nixos-unstable" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = '' + <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-21.11"; + rev = '' + <% git ls-remote https://github.com/nix-community/home-manager.git release-21.11 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +} 
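Review bot: This file pins the device to `nixos-21.11` (and `home-manager` `release-21.11`), a channel that, as far as I know, has been unmaintained upstream for a long time, so the laptop will not receive kernel, browser or library security fixes from its pinned inputs. If staying on an old release is deliberate, say so at the top, e.g. `# pinned to nixos-21.11 on purpose: <reason>; no upstream security updates`, otherwise bump the refs and regenerate from versions.tmpl.nix. The template next to it is at least internally consistent (each `ref` matches the branch its `ls-remote` queries).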
diff --git a/nix/os/devices/fwhost1/boot.nix b/nix/os/devices/fwhost1/boot.nix index 639698f..4d8c1d1 100644 --- a/nix/os/devices/fwhost1/boot.nix +++ b/nix/os/devices/fwhost1/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost1/configuration.nix b/nix/os/devices/fwhost1/configuration.nix index fbdc4c0..ed238cb 100644 --- a/nix/os/devices/fwhost1/configuration.nix +++ b/nix/os/devices/fwhost1/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/fwhost1/hw.nix b/nix/os/devices/fwhost1/hw.nix index 43334ed..6c1aaaf 100644 --- a/nix/os/devices/fwhost1/hw.nix +++ b/nix/os/devices/fwhost1/hw.nix @@ -1,4 +1,5 @@ -_: { +{...}: let +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost1/pkg.nix b/nix/os/devices/fwhost1/pkg.nix index aacf501..6650ad9 100644 --- a/nix/os/devices/fwhost1/pkg.nix +++ b/nix/os/devices/fwhost1/pkg.nix @@ -1,17 +1,17 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [ - iw - wirelesstools - ]; + environment.systemPackages = with pkgs; [iw wirelesstools]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost1/system.nix b/nix/os/devices/fwhost1/system.nix index 548caec..abe1717 100644 --- a/nix/os/devices/fwhost1/system.nix +++ b/nix/os/devices/fwhost1/system.nix 
@@ -1,8 +1,12 @@ -{ pkgs, lib, ... }: -let - passwords = import ../../../variables/passwords.crypt.nix; -in { + pkgs, + lib, + config, + ... +}: let + keys = import ../../../variables/keys.nix; + passwords = import ../../../variables/passwords.crypt.nix; +in { # TASK: new device networking.hostName = "fwhost1"; # Define your hostname. @@ -17,14 +21,11 @@ in networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = [ - "eth0" - "eth1" - ]; + networking.bridges.breth.interfaces = ["eth0" "eth1"]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = [ "172.172.171.10" ]; + networking.nameservers = ["172.172.171.10"]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost1/user.nix b/nix/os/devices/fwhost1/user.nix index 958608a..98f59ba 100644 --- a/nix/os/devices/fwhost1/user.nix +++ b/nix/os/devices/fwhost1/user.nix @@ -1 +1,9 @@ -_: { } +{ + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {}) mkUser; +in {} diff --git a/nix/os/devices/fwhost1/versions.nix b/nix/os/devices/fwhost1/versions.nix index 276eb87..c6dac79 100644 --- a/nix/os/devices/fwhost1/versions.nix +++ b/nix/os/devices/fwhost1/versions.nix @@ -4,12 +4,9 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost1/versions.tmpl.nix b/nix/os/devices/fwhost1/versions.tmpl.nix index d3d0c19..c9dc8a9 100644 --- a/nix/os/devices/fwhost1/versions.tmpl.nix +++ b/nix/os/devices/fwhost1/versions.tmpl.nix 
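Review bot: `fwhost1/user.nix` now imports `passwords.crypt.nix`, `keys.nix` and `mkUser` but evaluates to `{}`, so the git-crypt-protected password file is read on every evaluation without anything using it; an evaluation on a machine where the repository is not unlocked will fail for no reason. Either drop the `let` bindings and keep `{...}: {}` or add the user definitions the imports are meant for. The same unused `keys`/`config` bindings were added to `fwhost1/system.nix` in the hunk above.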
@@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/boot.nix b/nix/os/devices/fwhost2/boot.nix index 639698f..4d8c1d1 100644 --- a/nix/os/devices/fwhost2/boot.nix +++ b/nix/os/devices/fwhost2/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost2/configuration.nix b/nix/os/devices/fwhost2/configuration.nix index fbdc4c0..ed238cb 100644 --- a/nix/os/devices/fwhost2/configuration.nix +++ b/nix/os/devices/fwhost2/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/fwhost2/hw.nix b/nix/os/devices/fwhost2/hw.nix index a8891e3..c207b8c 100644 --- a/nix/os/devices/fwhost2/hw.nix +++ b/nix/os/devices/fwhost2/hw.nix @@ -1,4 +1,5 @@ -_: { +{...}: let +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost2/pkg.nix b/nix/os/devices/fwhost2/pkg.nix index aacf501..6650ad9 100644 --- a/nix/os/devices/fwhost2/pkg.nix +++ b/nix/os/devices/fwhost2/pkg.nix 
@@ -1,17 +1,17 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [ - iw - wirelesstools - ]; + environment.systemPackages = with pkgs; [iw wirelesstools]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost2/system.nix b/nix/os/devices/fwhost2/system.nix index 652347f..54da0ba 100644 --- a/nix/os/devices/fwhost2/system.nix +++ b/nix/os/devices/fwhost2/system.nix @@ -1,8 +1,13 @@ -{ pkgs, lib, ... }: -let - passwords = import ../../../variables/passwords.crypt.nix; -in { + pkgs, + lib, + config, + utils, + ... +}: let + keys = import ../../../variables/keys.nix; + passwords = import ../../../variables/passwords.crypt.nix; +in { # TASK: new device networking.hostName = "fwhost2"; # Define your hostname. @@ -17,14 +22,11 @@ in networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = [ - "eth0" - "eth1" - ]; + networking.bridges.breth.interfaces = ["eth0" "eth1"]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = [ "172.172.171.10" ]; + networking.nameservers = ["172.172.171.10"]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix index 47efa02..8210554 100644 --- a/nix/os/devices/fwhost2/user.nix +++ b/nix/os/devices/fwhost2/user.nix 
@@ -1,4 +1,12 @@ -_: { +{ + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {}) mkUser; +in { # users.extraUsers.steveej2 = mkUser { # uid = 1001; # openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/fwhost2/versions.nix b/nix/os/devices/fwhost2/versions.nix index 276eb87..c6dac79 100644 --- a/nix/os/devices/fwhost2/versions.nix +++ b/nix/os/devices/fwhost2/versions.nix @@ -4,12 +4,9 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/versions.tmpl.nix b/nix/os/devices/fwhost2/versions.tmpl.nix index d3d0c19..c9dc8a9 100644 --- a/nix/os/devices/fwhost2/versions.tmpl.nix +++ b/nix/os/devices/fwhost2/versions.tmpl.nix @@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/hstk0/.gitignore b/nix/os/devices/hstk0/.gitignore deleted file mode 100644 index b2be92b..0000000 --- a/nix/os/devices/hstk0/.gitignore +++ /dev/null @@ -1 +0,0 @@ -result diff --git a/nix/os/devices/hstk0/README.md b/nix/os/devices/hstk0/README.md deleted file mode 100644 index 60ee180..0000000 --- a/nix/os/devices/hstk0/README.md +++ /dev/null @@ -1,6 +0,0 @@ -## bootstrapping - -``` -# TODO: generate an SSH host-key and deploy it via --extra-files -nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252 -``` 
diff --git a/nix/os/devices/hstk0/configuration.nix b/nix/os/devices/hstk0/configuration.nix
deleted file mode 100644
index 32fad43..0000000
--- a/nix/os/devices/hstk0/configuration.nix
+++ /dev/null
@@ -1,146 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - nodeFlake, - nodeName, - system, - ... -}: -{ - disabledModules = [ ]; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - repoFlake.inputs.sops-nix.nixosModules.sops - - nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder - { - roles.nix-remote-builder.schedulerPublicKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s" - - # TODO: make this a reference to the private key's secret - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14" - ]; - } - - ../../snippets/nix-settings.nix - { nix.settings.sandbox = lib.mkForce "relaxed"; } - - ../../snippets/mycelium.nix - - # user config - ../../profiles/common/user.nix - { - users.commonUsers = { - enable = true; - enableNonRoot = true; - }; - } - - ../../snippets/home-manager-with-zsh.nix - # { - # home-manager.users.steveej = {pkgs, ...}: { - # imports = [ - # ../../../home-manager/programs/pass.nix - # ../../../home-manager/programs/openvscode-server.nix - # ]; - # }; - # } - ]; - - services.openssh = { - enable = true; - openFirewall = true; - settings.PermitRootLogin = "yes"; - extraConfig = '' - StreamLocalBindUnlink yes - ''; - }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - - nat.enable = true; - firewall.enable = true; - - firewall.allowedTCPPorts = [ 5201 ]; - firewall.allowedUDPPorts = [ 5201 ]; - }; - - disko.devices = - let - disk = id: { - type = "disk"; - device = "/dev/${id}"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - mdadm = { - size = "100%"; - content = { - type = "mdraid"; - name = "raid0"; - }; - }; - }; - }; - }; - in - { - disk = { - sda = disk "sda"; - sdb = disk "sdb"; - }; - mdadm 
= { - raid0 = { - type = "mdadm"; - level = 0; - content = { - type = "gpt"; - partitions = { - primary = { - size = "100%"; - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }; - }; - - system.stateVersion = "24.05"; - - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.initrd.includeDefaultModules = true; - boot.initrd.kernelModules = [ - "dm-raid" - "dm-integrity" - "xhci_pci_renesas" - ]; - - hardware.enableRedistributableFirmware = true; - - virtualisation.libvirtd.enable = true; - - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -} diff --git a/nix/os/devices/hstk0/default.nix b/nix/os/devices/hstk0/default.nix deleted file mode 100644 index 62e6cc1..0000000 --- a/nix/os/devices/hstk0/default.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ - nodeName, - repoFlake, - nodeFlake, - ... -}: -let - system = "x86_64-linux"; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; - packages' = repoFlake.packages.${system}; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "185.130.224.33"; - deployment.replaceUnknownProfiles = false; - - # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - - imports = [ - nodeFlake.inputs.home-manager.nixosModules.home-manager - - ./configuration.nix - ]; - - networking.hostName = nodeName; - }; -} diff --git a/nix/os/devices/hstk0/flake.lock b/nix/os/devices/hstk0/flake.lock deleted file mode 100644 index 8389a6a..0000000 --- a/nix/os/devices/hstk0/flake.lock +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "nodes": { - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719401812, - "narHash": "sha256-QONBQ/arBsKZNJuSd3sMIkSYFlBoRJpvf1jGlMfcOuI=", - "owner": "nix-community", - "repo": "disko", - "rev": "b6a1262796b2990ec3cc60bb2ec23583f35b2f43", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "get-flake": { - "locked": { - "lastModified": 1714237590, - "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", - "owner": "ursi", - "repo": "get-flake", - "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1718530513, - "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "a1fddf0967c33754271761d91a3d921772b30d0e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1719253556, - "narHash": "sha256-A/76RFUVxZ/7Y8+OMVL1Lc8LRhBxZ8ZE2bpMnvZ1VpY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "fc07dc3bdf2956ddd64f24612ea7fc894933eb2e", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719254875, - "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "get-flake": "get-flake", - 
"home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719189969, - "narHash": "sha256-6MSZrWvXSvUKIr0iC9eSbQ09NSm+j1Oh4o9Gentu1CU=", - "owner": "numtide", - "repo": "srvos", - "rev": "4f314be1307c8d5f1fb3d882a67e09dbdf285850", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/hstk0/flake.nix b/nix/os/devices/hstk0/flake.nix deleted file mode 100644 index 6c9b22f..0000000 --- a/nix/os/devices/hstk0/flake.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - - get-flake.url = "github:ursi/get-flake"; - - home-manager.url = "github:nix-community/home-manager/release-24.05"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; - - disko.url = "github:nix-community/disko"; - disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - }; - - # outputs = _: {}; - - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - system = "x86_64-linux"; - nodeName = "hostkey-0"; - - mkNixosConfiguration = - { - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = { - nodeFlake = self; - repoFlake = get-flake ../../../..; - inherit nodeName; - }; - - modules = [ ./configuration.nix ] ++ extraModules; - } - ); - in - { - nixosConfigurations = { - native = mkNixosConfiguration { inherit system; }; - }; - }; -} diff --git a/nix/os/devices/hydra.json b/nix/os/devices/hydra.json index a0204bc..3723c24 100644 --- a/nix/os/devices/hydra.json +++ b/nix/os/devices/hydra.json 
@@ -1,24 +1,16 @@ { - "enabled": 1, - "hidden": false, - "description": "Jobsets", - "nixexprinput": "src", - "nixexprpath": "default.nix", - "checkinterval": 300, - "schedulingshares": 100, - "enableemail": false, - "emailoverride": "", - "keepnr": 3, - "inputs": { - "src": { - "type": "git", - "value": "git://github.com/shlevy/declarative-hydra-example.git", - "emailresponsible": false - }, - "nixpkgs": { - "type": "git", - "value": "git://github.com/NixOS/nixpkgs.git release-16.03", - "emailresponsible": false + "enabled": 1, + "hidden": false, + "description": "Jobsets", + "nixexprinput": "src", + "nixexprpath": "default.nix", + "checkinterval": 300, + "schedulingshares": 100, + "enableemail": false, + "emailoverride": "", + "keepnr": 3, + "inputs": { + "src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false }, + "nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false } } - } } diff --git a/nix/os/devices/router0-dmz0/.gitignore b/nix/os/devices/router0-dmz0/.gitignore deleted file mode 100644 index b2be92b..0000000 --- a/nix/os/devices/router0-dmz0/.gitignore +++ /dev/null @@ -1 +0,0 @@ -result diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix deleted file mode 100644 index 07c6b1c..0000000 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ /dev/null 
@@ -1,1298 +0,0 @@ -# TODO: don't pull in bluez (or any bluetooth components) -{ - repoFlake, - pkgs, - lib, - config, - nodeFlake, - nodeName, - localDomainName, - system, - ... -}: -let - inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc; - - vlanRangeStart = builtins.head vlanRange; - vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); - vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); - vlanRangeWith0 = [ 0 ] ++ vlanRange; - - mkVlanIpv4HostAddr = - { - vlanid, - host, - thirdIpv4SegmentMin ? 20, - cidr ? true, - }: - let - # reserve the first subnet for vlanid == 0 - # number the other subnets continously from there - offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart; - in - builtins.concatStringsSep "." [ - "192" - "168" - (toString (vlanid + offset)) - "${toString host}${lib.strings.optionalString cidr "/24"}" - ]; - - defaultVlan = { - name = "${localDomainName}"; - packet_priority = 0; - }; - - vlans = { - "2".name = "dmz"; - "2".packet_priority = -5; - - "3".name = "iot"; - "3".packet_priority = -5; - - "4".name = "office"; - "4".packet_priority = -10; - - "5".name = "guests"; - "5".packet_priority = 10; - }; - - vlansByName = lib.attrsets.mapAttrs' ( - vlanid': attrs: - lib.attrsets.nameValuePair attrs.name ( - attrs - // { - id = lib.strings.toInt vlanid'; - id' = vlanid'; - } - ) - ) vlans; - - getVlanDomain = - { vlanid }: - if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." 
+ defaultVlan.name; - - bridgeInterfaceName = "br-lan"; - mkInterfaceName = - { vlanid }: - if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}"; - - dmzExposedHost = "sj-srv1"; - dmzExposedHostDomain = "dmz.internal"; - dmzExposedHostFQDN = "${dmzExposedHost}.${dmzExposedHostDomain}"; - dmzExposedHostIpv4 = mkVlanIpv4HostAddr { - vlanid = vlansByName.dmz.id; - host = 99; - cidr = false; - }; - - dmzExposedHostMACaddr = - repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; -in -{ - imports = [ - nixos-sbc.nixosModules.default - nixos-sbc.nixosModules.boards.bananapi.bpir3 - { - sbc.version = "0.2"; - sbc.bootstrap.rootFilesystem = "btrfs"; - sbc.wireless.wifi.acceptRegulatoryResponsibility = true; - } - - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../profiles/common/user.nix - ../../snippets/nix-settings.nix - - nixos-nftables-firewall.nixosModules.default - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - users.commonUsers = { - enable = true; - enableNonRoot = false; - rootPasswordFile = config.sops.secrets.passwords-root.path; - }; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - sops.secrets.passwords-root.neededForUsers = true; - - # sops.secrets.wlan0_saePasswordsFile = {}; - sops.secrets.wlan0_wpaPskFile = { }; - } - ]; - - # sops.secrets.ssh_host_ed25519_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_ed25519_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key.pub"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = 
"/etc/ssh/ssh_host_rsa_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key.pub"; - # mode = "0644"; - # }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = false; - - # these will be configured via nftables - nat.enable = lib.mkForce false; - firewall.enable = lib.mkForce false; - - # Use the nftables firewall instead of the base nixos scripted rules. - # This flake provides a similar utility to the base nixos scripting. - # https://github.com/thelegy/nixos-nftables-firewall/tree/main - - # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) - nftables = { - enable = true; - - stopRuleset = ""; - chains = { - prerouting = { - "exposeHost" = { - after = [ "hook" ]; - rules = - let - wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; - in - [ - "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" - "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" - ]; - }; - }; - }; - - firewall = { - enable = true; - snippets.nnf-common.enable = true; - # included in the above - # snippets.nnf-conntrack.enable = true; - zones = - { - lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; - vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; - # lan.ipv4Addresses = ["192.168.0.0/16"]; - wan.interfaces = [ - "wan" - "lan0" - ]; - vpn.interfaces = [ - "wg0" - "wg1" - "wg2" - ]; - } - // - # generate a zone for each vlan - lib.attrsets.mapAttrs (_key: value: { - interfaces = [ (mkInterfaceName 
{ vlanid = value.id; }) ]; - }) vlansByName; - rules = - let - ipv6IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "packet-too-big" - "parameter-problem" - "time-exceeded" - - # Without the nd-* ones ipv6 will not work. - "nd-neighbor-solicit" - "nd-router-advert" - "nd-neighbor-advert" - ]; - ipv4IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "source-quench" - "time-exceeded" - "router-advertisement" - ]; - allowIcmpLines = [ - "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" - "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" - ]; - in - { - fw = { - from = [ "fw" ]; - verdict = "accept"; - }; - - office-to-dmz = { - from = [ "office" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - lan-to-fw = { - from = [ "lan" ]; - to = [ - "fw" - "lan" - ]; - verdict = "accept"; - }; - - lan-to-wan = { - from = [ "lan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-wan = { - from = [ "vlan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-fw = { - allowedUDPPortRanges = [ - { - from = 53; - to = 53; - } - { - from = 67; - to = 68; - } - { - from = 5201; - to = 5201; - } - ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - { - from = 53; - to = 53; - } - { - from = 5201; - to = 5201; - } - ]; - from = [ "vlan" ]; - to = [ "fw" ]; - extraLines = allowIcmpLines ++ [ "drop" ]; - }; - - to-wan-nat = { - from = [ - "lan" - "vlan" - ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - - wan-to-dmz = { - from = [ "wan" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - wan-to-fw = { - from = [ "wan" ]; - to = [ "fw" ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - ]; - extraLines = allowIcmpLines ++ [ "drop" ]; - }; - - to-vpn-nat = { - from = [ - "lan" - "vlan" - ]; - to = [ "vpn" ]; - masquerade = false; - verdict = "accept"; - }; - }; - }; - }; - }; - - 
sops.secrets.wg0-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg0-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - - # TODO: this shouldn't be necessary _at all_ - systemd.services.sfp-quirk = { - enable = true; - wantedBy = [ - "network.target" - "multi-user.target" - ]; - - requires = [ - "sys-subsystem-net-devices-lan4.device" - "sys-subsystem-net-devices-eth1.device" - ]; - - after = [ - "sys-subsystem-net-devices-lan4.device" - "sys-subsystem-net-devices-eth1.device" - ]; - - path = [ - pkgs.ethtool - pkgs.iproute2 - pkgs.coreutils - ]; - - script = '' - set -xeE - - ip l set dev lan4 down - ip l set dev eth1 down - - sleep 0.5 - - ethtool -s lan4 duplex full autoneg off - ethtool -s eth1 duplex full autoneg off - - sleep 0.5 - - ip l set dev lan4 up - ip l set dev eth1 up - - echo quirk applied, fingers crossed. - ''; - }; - - systemd.network = { - wait-online.anyInterface = true; - config.networkConfig = { - IPv4Forwarding = true; - IPv6Forwarding = true; - }; - links = { - # TODO: this doesn't work, thus shoving it into a quirk service. however, there's a proper solution beyond any of this. 
- # "00-eth1" = { - # enable = true; - # matchConfig.Name = "eth1"; - # linkConfig = { - # # BitsPerSecond = "2500M"; - # Duplex= "full"; - # AutoNegotiation = false; - # }; - # }; - # "00-lan4" = { - # enable = true; - # matchConfig.Name = "lan4@eth0"; - # linkConfig = { - # # BitsPerSecond = "1000M"; - # Duplex= "full"; - # AutoNegotiation = false; - # }; - # }; - }; - netdevs = - let - router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - - router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}"; - - router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - in - { - # Create the bridge interface - "20-${bridgeInterfaceName}" = { - netdevConfig = { - Kind = "bridge"; - Name = bridgeInterfaceName; - }; - - extraConfig = '' - [Bridge] - STP=yes - VLANFiltering=yes - VLANProtocol=802.1q - DefaultPVID=0 - ''; - }; - - wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - FirewallMark = 100; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - - # # alternatively, specific destinations could be allowed - - # # remote peer wg addr - # "10.0.0.0/32" - - # "1.1.1.1/32" - # # ifconfig.co. 
- # "172.67.168.106" - # "104.21.54.91" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-ifog_wg0Endpoint; - } - ]; - }; - - wg1 = { - enable = true; - netdevConfig = { - Name = "wg1"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - FirewallMark = 101; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-ifog_wg1Endpoint; - } - ]; - }; - - wg2 = { - enable = true; - netdevConfig = { - Name = "wg2"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - FirewallMark = 102; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - - # # alternatively, specific destinations could be allowed - - # # remote peer wg addr - # "10.0.0.0/32" - - # "1.1.1.1/32" - # # ifconfig.co. - # "172.67.168.106" - # "104.21.54.91" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-hosthatch_wg0Endpoint; - } - ]; - }; - } - # generate the vlan devices. 
these will be tagged on the main bridge - // builtins.foldl' (acc: cur: acc // cur) { } ( - builtins.map - ( - { vlanid, vlanid' }: - { - "20-${mkInterfaceName { inherit vlanid; }}" = { - netdevConfig = { - Kind = "vlan"; - Name = "${mkInterfaceName { inherit vlanid; }}"; - }; - vlanConfig.Id = vlanid; - }; - } - ) - ( - builtins.map (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) vlanRange - ) - ); - networks = - let - commonWanOptions = { - networkConfig = { - # start a DHCP Client for IPv4/6 Addressing/Routing - DHCP = true; - DNSOverTLS = true; - DNSSEC = true; - - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - IPv6PrivacyExtensions = false; - DHCPPrefixDelegation = true; - }; - dhcpV4Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - }; - dhcpV6Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - PrefixDelegationHint = "::/56"; - UseDelegatedPrefix = true; - WithoutRA = "solicit"; - }; - ipv6AcceptRAConfig = { - UseDNS = false; - UseDomains = false; - }; - - # TODO: enable these somehow - # extraConfig = '' - # [IPv6AcceptRA] - # # FIXME: supported in nixos-24.11 - # DHCPv6Client=solicit - - # # FIXME: not supported at all yet - # UsePREF64=true - # ''; - }; - in - { - # places options here that should always exist - "lo" = { - matchConfig.Name = "lo"; - - # these are roughly equivalent to: - # ip rule add fwmark 100 priority 0 table 100 - # ip rule add fwmark 100 priority 1 prohibit - # ip rule add fwmark 101 priority 0 table 101 - # ip rule add fwmark 101 priority 1 prohibit - routingPolicyRules = [ - { - FirewallMark = 100; - Priority = 30000; - Table = 100; - } - { - FirewallMark = 100; - Priority = 30001; - Table = 100; - Type = "prohibit"; - } - { - FirewallMark = 101; - Priority = 30000; - Table = 101; - } - { - FirewallMark = 101; - Priority = 30001; - Table = 101; - Type = "prohibit"; - } - { - FirewallMark = 102; - Priority = 
30000; - Table = 102; - } - { - FirewallMark = 102; - Priority = 30001; - Table = 102; - Type = "prohibit"; - } - ]; - }; - # use lan0 as secondary WAN interface - "10-lan0-wan" = lib.attrsets.recursiveUpdate commonWanOptions { - matchConfig.Name = "lan0"; - # make routing on this interface a dependency for network-online.target - # linkConfig.RequiredForOnline = "routable"; - linkConfig.RequiredForOnline = "no"; - - dhcpV4Config = { - RouteMetric = 2000; - }; - - # similar to - # ip route add default via 172.16.0.1 table 101 - routes = [ - { - Gateway = "_dhcp4"; - Table = 101; - } - ]; - }; - "10-wan" = lib.attrsets.recursiveUpdate commonWanOptions { - matchConfig.Name = "wan"; - # make routing on this interface a dependency for network-online.target - # linkConfig.RequiredForOnline = "routable"; - linkConfig.RequiredForOnline = "no"; - - dhcpV4Config = { - RouteMetric = 1000; - }; - - # similar to - # ip route add default via 192.168.0.1 table 100 - routes = [ - { - Gateway = "_dhcp4"; - Table = 100; - } - { - Gateway = "_dhcp4"; - Table = 102; - } - ]; - }; - - # Connect the bridge ports to the bridge - "30-lan1" = { - matchConfig.Name = "lan1"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.dmz.id; - PVID = vlansByName.dmz.id; - EgressUntagged = vlansByName.dmz.id; - } - ]; - }; - - "30-lan2" = { - matchConfig.Name = "lan2"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.office.id; - PVID = vlansByName.office.id; - EgressUntagged = vlansByName.office.id; - } - ]; - }; - - "30-lan3" = { - matchConfig.Name = "lan3"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = "${toString 
vlanRangeStart}-${toString vlanRangeEnd}"; - } - ]; - }; - "30-lan4" = { - matchConfig.Name = "lan4"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.office.id; - PVID = vlansByName.office.id; - EgressUntagged = vlansByName.office.id; - } - ]; - }; - "30-eth1" = { - matchConfig.Name = "eth1"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.dmz.id; - PVID = vlansByName.dmz.id; - EgressUntagged = vlansByName.dmz.id; - } - ]; - }; - # Configure the bridge for its desired function - "40-${bridgeInterfaceName}" = { - matchConfig.Name = bridgeInterfaceName; - bridgeConfig = { }; - address = [ - (mkVlanIpv4HostAddr { - vlanid = 0; - host = 1; - }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; - } - ]; - - vlan = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; - }; - - "50-wg0" = { - enable = true; - matchConfig.Name = "wg0"; - address = [ "10.0.0.1/31" ]; - - routes = [ - # { - # # test the set uprouting to a specific IP - # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; - # MultiPathRoute = "10.0.0.0 1"; - # } - ]; - }; - "50-wg1" = { - enable = true; - matchConfig.Name = "wg1"; - address = [ "10.0.0.3/31" ]; - routes = [ - # { - # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; - # MultiPathRoute = "10.0.0.2 1"; - # } - ]; - }; - - "50-wg2" = { - enable = true; - matchConfig.Name = "wg2"; - address = [ "10.0.1.1/31" ]; - - routes = [ - # TODO: add a 
testing route here - ]; - }; - } - # configuration for the hostapd dynamic interfaces - # * netdev type vlan - # * host address for vlan - # * vlan config for wlan interface - // builtins.foldl' (acc: cur: acc // cur) { } ( - builtins.map - ( - { vlanid, vlanid' }: - { - # configure the tagged vlan device with an address and vlan filtering. - # dnsmasq is configured to serve the respective /24 range on each tagged device. - # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. - "41-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; - address = [ - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 1; - }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; - - # the client shouldn't be allowed to send us RAs, that would be weird. - IPv6AcceptRA = false; - - DHCPPrefixDelegation = true; - IPv6SendRA = true; - }; - - dhcpPrefixDelegationConfig = { - UplinkInterface = "wan"; - Assign = true; - SubnetId = vlanid; - Announce = true; - }; - - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - VLAN = vlanid; - } - ]; - }; - - # configure the wlan interface as a bridge member that - # * only gets traffic for vid 15 - # * untags traffic after receiving it - # * tags traffic that comes out of it - "41-wlan0.${vlanid'}" = { - matchConfig.Name = "wlan0.${vlanid'}"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - - linkConfig.RequiredForOnline = "no"; - - bridgeVLANs = [ - { - VLAN = vlanid; - PVID = vlanid; - EgressUntagged = vlanid; - } - ]; - }; - - # "50-${mkInterfaceName {inherit vlanid;}}" = { - # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; - # address = [ - # (mkVlanIpv4HostAddr { - # inherit vlanid; - # host = 1; - # }) - # ]; - # networkConfig = { - # ConfigureWithoutCarrier = true; - # }; - # linkConfig.RequiredForOnline = "no"; - # }; - } - ) - ( - 
builtins.map (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) vlanRange - ) - ); - }; - - # wireless access point - services.hostapd = { - enable = true; - # package = nodeFlake.packages.${system}.hostapd_patched; - radios = - let - # generated with https://miniwebtool.com/mac-address-generator/ - mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; - in - { - wlan0 = { - band = "2g"; - # FIXME: apparently setting this could cause bugs, testing disabling it for a while. - # countryCode = "CH"; - channel = 0; # 0 would mean Automatic Channel Selection - - settings = { - # TODO: this would be faster but x13s on windows can't connect when it's enabled. - # ieee80211n = 1; - - # Exclude DFS channels from ACS - # This option can be used to exclude all DFS channels from the ACS channel list - # in cases where the driver supports DFS channels. - acs_exclude_dfs = 0; - }; - - # use 'iw phy#1 info' to determine your VHT capabilities - wifi4 = { - enable = true; - require = false; - capabilities = [ - "HT20" - "HT40+" - "LDPC" - "SHORT-GI-20" - "SHORT-GI-40" - "TX-STBC" - "RX-STBC1" - "MAX-AMSDU-7935" - - "40-INTOLERANT" - - # not supported by BPI-R3 module - # "DELAYED-BA" - # "DSSS_CCK-40" - ]; - }; - - wifi5 = { - enable = false; - require = false; - }; - - wifi6 = { - enable = false; - require = false; - }; - - networks = { - wlan0 = - let - iface = "wlan0"; - in - { - ssid = "mlsia"; - bssid = mkBssid 0; - - # enables debug logging - logLevel = 0; - - authentication.mode = "wpa2-sha256" - # "wpa3-sae-transition" - # "wpa3-sae" - ; - - authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; - - # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do - # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - - # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference - settings = { - # disable syslog because it duplicates stdout - logger_syslog = lib.mkForce 0; - - # bridge 
= bridgeInterfaceName; - - # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; - # not yet supported on hostapd 2.10 - # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - - # resources on vlan tagging - # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging - # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - - dynamic_vlan = 1; - # this option currently requires a patch to hostapd - vlan_no_bridge = 1; - - /* - not used due to the above vlan_no_bridge setting - vlan_tagged_interface = bridgeInterfaceName; - vlan_naming = 1; - vlan_bridge = "br-${iface}."; - */ - - vlan_file = - let - generated = builtins.map ( - vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" - ) vlanRange; - - wildcard = [ - # Optional wildcard entry matching all VLAN IDs. The first # in the interface - # name will be replaced with the VLAN ID. The network interfaces are created - # (and removed) dynamically based on the use. - # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan - "* ${iface}.#" - ]; - - file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard)); - filePath = toString file; - in - filePath; - - wpa_key_mgmt = lib.mkForce ( - builtins.concatStringsSep " " [ - "WPA-PSK" - - # TODO: the printer can't connect when this is on - # "WPA-PSK-SHA256" - - # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them - # "SAE" - ] - ); - - # wpa_psk_radius = 0; - wpa_pairwise = "CCMP"; - wmm_enabled = 1; - - # IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks. 
- # 0 := disabled; 1 := optional; 2 := required - ieee80211w = 1; - # sae_require_mfp = 1; - # sae_groups = "19 20 21"; - - # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) - tls_flags = "[ENABLE-TLSv1.3]"; - - # TODO: debugging for wifi drops happens below here - # Require IEEE 802.1X authorization - ieee8021x = 0; - - # Optionally, hostapd can be configured to use an integrated EAP server - # to process EAP authentication locally without need for an external RADIUS - # server. This functionality can be used both as a local authentication server - # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. - - # Use integrated EAP server instead of external RADIUS authentication - # server. This is also needed if hostapd is configured to act as a RADIUS - # authentication server. - eap_server = 0; - - # Disassociate stations based on excessive transmission failures or other - # indications of connection loss. This depends on the driver capabilities and - # may not be available with all drivers. - disassoc_low_ack = 0; - - skip_inactivity_poll = 1; - - # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. 
- multicast_to_unicast = 0; - }; - }; - }; - }; - }; - }; - - services.resolved.enable = false; - - services.dnsmasq = { - enable = true; - settings = { - domain-needed = true; - bogus-priv = true; - no-resolv = true; - localise-queries = true; - - proxy-dnssec = true; - conntrack = true; - - # enable for debugging - # log-debug = true; - # log-queries = true; - - # disable negative caching - no-negcache = true; - local-ttl = 0; - dhcp-ttl = 0; - - # v6 config - enable-ra = true; - - dhcp-range = - let - mkDhcpRange = - { tag, vlanid }: - builtins.concatStringsSep "," [ - tag - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 100; - cidr = false; - }) - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 199; - cidr = false; - }) - "12h" - # "slaac" - # "ra-stateless" - # "ra-names" - ]; - in - builtins.map ( - vlanid: - mkDhcpRange { - tag = mkInterfaceName { inherit vlanid; }; - inherit vlanid; - } - ) vlanRangeWith0; - - dhcp-host = builtins.concatStringsSep "," [ - dmzExposedHostMACaddr - dmzExposedHostIpv4 - dmzExposedHostFQDN - ]; - - expand-hosts = true; - - # don't use /etc/hosts as this would advertise ${nodeName} as localhost - no-hosts = true; - - server = [ - # upstream DNS servers - - # https://dnsforge.de/ - "176.9.93.198" - "176.9.1.117" - "2a01:4f8:151:34aa::198" - "2a01:4f8:141:316d::117" - - # https://dismail.de/info.html#dns - "116.203.32.217" - "2a01:4f8:1c1b:44aa::1" - "159.69.114.157" - "2a01:4f8:c17:739a::2" - ]; - - domain = - [ "/${getVlanDomain { vlanid = 0; }}/,local" ] - ++ builtins.map ( - vlanid: - "${getVlanDomain { inherit vlanid; }},${ - mkVlanIpv4HostAddr { - inherit vlanid; - host = 0; - cidr = true; - } - },local" - ) vlanRangeWith0; - - # TODO: compare this to using `interface-name` - dynamic-host = builtins.map ( - vlanid: - builtins.concatStringsSep "," [ - # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - "${nodeName}.${getVlanDomain { inherit vlanid; }}" - "0.0.0.1" - (mkInterfaceName { 
inherit vlanid; }) - ] - ) vlanRangeWith0; - - dhcp-option-force = builtins.map ( - vlanid: - "${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}" - ) vlanRangeWith0; - - # auth-server = [ - # (builtins.concatStringsSep "," [ - # "www.stefanjunker.de" - # # (mkInterfaceName { vlanid = vlansByName.dmz.id; }) - # # (mkInterfaceName { vlanid = vlansByName.office.id; }) - # ]) - # ]; - - cname = [ - "mailserver.svc.stefanjunker.de,${dmzExposedHost}" - "www.stefanjunker.de,${dmzExposedHost}" - "hedgedoc.www.stefanjunker.de,${dmzExposedHost}" - "jitsi.www.stefanjunker.de,${dmzExposedHost}" - "lldap.www.stefanjunker.de,${dmzExposedHost}" - "forgejo.www.stefanjunker.de,${dmzExposedHost}" - "kanidm.www.stefanjunker.de,${dmzExposedHost}" - ]; - }; - }; - - system.stateVersion = "24.11"; - - # boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6; - - environment.systemPackages = [ - pkgs.ethtool - pkgs.vim - pkgs.iperf3 - - pkgs.wireguard-tools - pkgs.tshark - pkgs.tmux - - (pkgs.writeShellScriptBin "dbg-ip" '' - echo links: - ip -br -c l - echo - echo addresses: - ip -br -c a - echo - echo vlans: - bridge -c vlan - '') - - (pkgs.writeShellScriptBin "dbg-dnsmasq" '' - # get the rendered in-use config - pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat - '') - ]; -} diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix deleted file mode 100644 index a0520dc..0000000 --- a/nix/os/devices/router0-dmz0/default.nix +++ /dev/null 
@@ -1,41 +0,0 @@
-{
- system ? "aarch64-linux",
- nodeName,
- repoFlake,
- nodeFlake,
- localDomainName ? "internal",
- ...
-}:
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit
- repoFlake
- nodeName
- nodeFlake
- system
- ;
- packages' = repoFlake.packages.${system};
- nodePackages' = nodeFlake.packages.${system};
-
- inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986;
-
- inherit localDomainName;
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = "${nodeName}.${localDomainName}";
- deployment.replaceUnknownProfiles = true;
-
- # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
-
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
-
- ./configuration.nix
- ];
-
- networking.hostName = nodeName;
- };
-}
diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock
deleted file mode 100644
index 8f55026..0000000
--- a/nix/os/devices/router0-dmz0/flake.lock
+++ /dev/null
@@ -1,224 +0,0 @@ -{ - "nodes": { - "dependencyDagOfSubmodule": { - "inputs": { - "nixpkgs": [ - "nixos-nftables-firewall", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1656615370, - "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1738148035, - "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", - "owner": "nix-community", - "repo": "disko", - "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "get-flake": { - "locked": { - "lastModified": 1714237590, - "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", - "owner": "ursi", - "repo": "get-flake", - "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1736373539, - "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.11", - "repo": "home-manager", - "type": "github" - } - }, - "hostapd": { - "flake": false, - "locked": { - "lastModified": 1738518662, - "narHash": "sha256-MeE2FTG7Jh4BqchSvevJH7IsqTotjemndLzev8TkiRk=", - "ref": "refs/heads/main", - "rev": "c12fc97e3b59742e0c5743fceae6a87a8b13a576", - "revCount": 20282, - "type": "git", - "url": "git://w1.fi/hostap.git?branch=main" - }, - "original": { - 
"type": "git", - "url": "git://w1.fi/hostap.git?branch=main" - } - }, - "nixos-nftables-firewall": { - "inputs": { - "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "type": "github" - } - }, - "nixos-sbc": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1738254353, - "narHash": "sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0=", - "owner": "nakato", - "repo": "nixos-sbc", - "rev": "21be4ab012197a2eea4bbff8315c40f26f715a18", - "type": "github" - }, - "original": { - "owner": "nakato", - "repo": "nixos-sbc", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1738702386, - "narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1738680400, - "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "799ba5bffed04ced7067a91798353d360788b30d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "openwrt": { - "flake": false, - "locked": { - "lastModified": 1691699580, - "narHash": "sha256-CV+ufXPEr5Nz2O2FBnnuPeHNsFQ7c5s0uW39u/q3cUo=", - "ref": "main", - "rev": "847984c773d819d5579d5abae4b80a4983103ed9", - "revCount": 58166, - "type": "git", - "url": "https://github.com/openwrt/openwrt.git" - }, - "original": { - 
"ref": "main", - "rev": "847984c773d819d5579d5abae4b80a4983103ed9", - "type": "git", - "url": "https://github.com/openwrt/openwrt.git" - } - }, - "root": { - "inputs": { - "disko": "disko", - "get-flake": "get-flake", - "home-manager": "home-manager", - "hostapd": "hostapd", - "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixos-sbc": "nixos-sbc", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "openwrt": "openwrt", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1738198321, - "narHash": "sha256-lhnHBXO9Y8xEn92JqxjancdL8Gh16ONuxZp60iZfmX4=", - "owner": "numtide", - "repo": "srvos", - "rev": "7d5a4aaadac9ff63f9ed4347df95175aceee5079", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix deleted file mode 100644 index d56e72a..0000000 --- a/nix/os/devices/router0-dmz0/flake.nix +++ /dev/null 
@@ -1,107 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - - get-flake.url = "github:ursi/get-flake"; - - home-manager.url = "github:nix-community/home-manager/release-24.11"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; - - disko.url = "github:nix-community/disko"; - disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - - nixos-sbc.url = "github:nakato/nixos-sbc" - # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.12" - # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.13" - # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile" - # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile" - # "git+file:///home/steveej/src/others/nakato_nixos-sbc/" - ; - nixos-sbc.inputs.nixpkgs.follows = "nixpkgs"; - - nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; - nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; - - hostapd.url = "git://w1.fi/hostap.git?branch=main"; - hostapd.flake = false; - - openwrt.url = "git+https://github.com/openwrt/openwrt.git?ref=main&rev=847984c773d819d5579d5abae4b80a4983103ed9"; - openwrt.flake = false; - - # TODO: would be nice if this worked but it throws an error when using the input as a patch: - # error: flake input has unsupported input type 'file' - # hostapd_patch_vlan_no_bridge = { - # url = "file+https://raw.githubusercontent.com/openwrt/openwrt/847984c773d819d5579d5abae4b80a4983103ed9/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"; - # flake = false; - # }; - - # repoFlake.url = "path:../../../.."; - }; - - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - nativeSystem = "aarch64-linux"; - nodeName = "router0-dmz0"; - - mkNixosConfiguration = - { - extraModules ? [ ], - ... 
- }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; - - repoFlake = get-flake ../../../..; - # repoFlake = get-flake ./.; - # repoFlake = self.inputs.repoFlake; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; - - modules = [ - ./configuration.nix - - # flake registry - { - nixpkgs.overlays = builtins.attrValues self.overlays; - nix.registry.nixpkgs.flake = nixpkgs; - } - ] ++ extraModules; - } - ); - in - { - nixosConfigurations = { - native = mkNixosConfiguration { system = nativeSystem; }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; - } - ]; - }; - }; - - overlays.default = _final: previous: { - hostapd = previous.hostapd.overrideDerivation (attrs: { - patches = attrs.patches ++ [ - "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" - ]; - }); - }; - }; -} diff --git a/nix/os/devices/router0-hosthatch/configuration.nix b/nix/os/devices/router0-hosthatch/configuration.nix deleted file mode 100644 index af02b3d..0000000 --- a/nix/os/devices/router0-hosthatch/configuration.nix +++ /dev/null 
@@ -1,337 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - config, - nodeFlake, - nodeName, - system, - variables, - ... -}: -{ - system.stateVersion = "24.05"; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - nodeFlake.inputs.srvos.nixosModules.mixins-terminfo - - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../snippets/nix-settings.nix - ../../profiles/common/user.nix - - nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - users.commonUsers = { - enable = true; - enableNonRoot = false; - rootPasswordFile = config.sops.secrets.passwords-root.path; - }; - - # sops.age.keyFile = "/etc/age.key"; - # sops.age.sshKeyPaths = []; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - sops.secrets.passwords-root.neededForUsers = true; - } - - # TODO: extract this into single-disk VM BIOS module - { - boot.loader.systemd-boot.enable = false; - boot.loader.grub.efiSupport = false; - - # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; - - disko.devices.disk.vda = { - device = "/dev/vda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - # Subvolume name is different from mountpoint - "/rootfs" = { - mountpoint = "/"; - }; - "/nix" = { - mountOptions = [ "noatime" ]; - mountpoint = "/nix"; - }; - "/boot" = { - mountpoint = "/boot"; - }; - }; - }; - }; - }; - }; - }; - - boot.initrd.kernelModules = [ - "virtio_balloon" - "virtio_scsi" - "virtio_net" - "virtio_pci" - "virtio_ring" - "virtio" - "scsi_mod" - - "virtio_blk" - "virtio_ring" - "ata_piix" - "pata_acpi" - "ata_generic" - ]; - } - ]; - - # 
sops.secrets.ssh_host_ed25519_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_ed25519_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key.pub"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key.pub"; - # mode = "0644"; - # }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - usePredictableInterfaceNames = false; - - interfaces.eth0.ipv4.addresses = [ - { - address = variables.ipv4; - prefixLength = variables.ipv4length; - } - ]; - defaultGateway = { - interface = "eth0"; - address = variables.ipv4gateway; - }; - nameservers = [ variables.ipv4dns ]; - - # these will be configured via nftables - nat.enable = lib.mkForce false; - firewall.enable = lib.mkForce false; - - # Use the nftables firewall instead of the base nixos scripted rules. - # This flake provides a similar utility to the base nixos scripting. 
- # https://github.com/thelegy/nixos-nftables-firewall/tree/main - - nftables = { - enable = true; - - firewall = { - enable = true; - snippets.nnf-common.enable = true; - - zones.wan = { - interfaces = [ "eth0" ]; - }; - - zones.vpn = { - interfaces = [ - "wg0" - "wg1" - ]; - }; - - rules = { - to-fw = { - from = "all"; - to = [ "fw" ]; - verdict = "drop"; - - allowedTCPPorts = [ - 22 - 5201 - ]; - allowedUDPPorts = [ - 22 - 5201 - config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort - config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort - ]; - }; - - vpn-to-wan-nat = { - from = [ "vpn" ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - }; - }; - }; - }; - - sops.secrets.wg0-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg0-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - - systemd.network.enable = true; - systemd.network.netdevs.wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51820; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - AllowedIPs = [ - "10.0.1.1/32" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04="; - }; - } - ]; - }; - systemd.network.netdevs.wg1 = { - enable = true; - netdevConfig = { - Name = "wg1"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51821; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - }; - wireguardPeers = [ - { - 
wireguardPeerConfig = { - AllowedIPs = [ - "10.0.1.3/31" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4="; - }; - } - ]; - }; - systemd.network.networks.wg0 = { - enable = true; - matchConfig.Name = "wg0"; - address = [ "10.0.1.0/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.1.1 1"; - }; - } - ]; - }; - systemd.network.networks.wg1 = { - enable = true; - matchConfig.Name = "wg1"; - address = [ "10.0.1.2/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.1.3 1"; - }; - } - ]; - }; - - environment.systemPackages = [ - pkgs.ethtool - pkgs.neovim - pkgs.tmux - - pkgs.wireguard-tools - pkgs.tshark - - (pkgs.writeShellScriptBin "dbg-ip" '' - echo links: - ip -br -c l - echo - echo addresses: - ip -br -c a - echo - echo vlans: - bridge -c vlan - '') - - (pkgs.writeShellScriptBin "dbg-dnsmasq" '' - # get the rendered in-use config - pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat - '') - ]; -} diff --git a/nix/os/devices/router0-hosthatch/default.nix b/nix/os/devices/router0-hosthatch/default.nix deleted file mode 100644 index fd2c485..0000000 --- a/nix/os/devices/router0-hosthatch/default.nix +++ /dev/null 
@@ -1,38 +0,0 @@
-{
- system ? "x86_64-linux",
- nodeName,
- repoFlake,
- nodeFlake,
- ...
-}:
-let
- variables = import ./variables.crypt.nix;
-in
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit
- repoFlake
- nodeName
- nodeFlake
- system
- variables
- ;
- packages' = repoFlake.packages.${system};
- nodePackages' = nodeFlake.packages.${system};
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = variables.ipv4;
- deployment.replaceUnknownProfiles = true;
-
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
-
- ./configuration.nix
- ];
-
- networking.hostName = nodeName;
- };
-}
diff --git a/nix/os/devices/router0-hosthatch/flake.lock b/nix/os/devices/router0-hosthatch/flake.lock
deleted file mode 100644
index f66687f..0000000
--- a/nix/os/devices/router0-hosthatch/flake.lock
+++ /dev/null
@@ -1,151 +0,0 @@ -{ - "nodes": { - "dependencyDagOfSubmodule": { - "inputs": { - "nixpkgs": [ - "nixos-nftables-firewall", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1656615370, - "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719864345, - "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", - "owner": "nix-community", - "repo": "disko", - "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719827385, - "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixos-nftables-firewall": { - "inputs": { - "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1719838683, - "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "home-manager": "home-manager", - "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719965291, - "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", - "owner": "numtide", - "repo": "srvos", - "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/router0-hosthatch/flake.nix b/nix/os/devices/router0-hosthatch/flake.nix deleted file mode 100644 index 3057b9a..0000000 --- a/nix/os/devices/router0-hosthatch/flake.nix +++ /dev/null 
@@ -1,19 +0,0 @@
-{
- inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
- nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-
- home-manager.url = "github:nix-community/home-manager/release-24.05";
- home-manager.inputs.nixpkgs.follows = "nixpkgs";
-
- disko.url = "github:nix-community/disko";
- disko.inputs.nixpkgs.follows = "nixpkgs";
- srvos.url = "github:numtide/srvos";
- srvos.inputs.nixpkgs.follows = "nixpkgs";
-
- nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
- nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
- };
-
- outputs = _: { };
-}
diff --git a/nix/os/devices/router0-hosthatch/variables.crypt.nix b/nix/os/devices/router0-hosthatch/variables.crypt.nix
deleted file mode 100644
index 38c17df..0000000
Binary files a/nix/os/devices/router0-hosthatch/variables.crypt.nix and /dev/null differ
diff --git a/nix/os/devices/router0-ifog/configuration.nix b/nix/os/devices/router0-ifog/configuration.nix
deleted file mode 100644
index 9bc91ee..0000000
--- a/nix/os/devices/router0-ifog/configuration.nix
+++ /dev/null
@@ -1,337 +0,0 @@
-{
- repoFlake,
- pkgs,
- lib,
- config,
- nodeFlake,
- nodeName,
- system,
- variables,
- ...
-}:
-{
- system.stateVersion = "23.11";
-
- imports = [
- nodeFlake.inputs.disko.nixosModules.disko
- nodeFlake.inputs.srvos.nixosModules.mixins-terminfo
-
- repoFlake.inputs.sops-nix.nixosModules.sops
-
- ../../snippets/nix-settings.nix
- ../../profiles/common/user.nix
-
- nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default
-
- {
- services.openssh.enable = true;
- services.openssh.settings.PermitRootLogin = "yes";
-
- users.commonUsers = {
- enable = true;
- enableNonRoot = false;
- rootPasswordFile = config.sops.secrets.passwords-root.path;
- };
-
- # sops.age.keyFile = "/etc/age.key";
- # sops.age.sshKeyPaths = [];
-
- sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
- sops.defaultSopsFormat = "yaml";
-
- sops.secrets.passwords-root.neededForUsers = true;
- }
-
- # TODO: extract this into single-disk VM BIOS module
- {
- boot.loader.systemd-boot.enable = false;
- boot.loader.grub.efiSupport = false;
-
- # forcing seems required or else there's an error about duplicated devices
- boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ];
-
- disko.devices.disk.vda = {
- device = "/dev/vda";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- size = "1M";
- type = "EF02"; # for grub MBR
- };
- root = {
- size = "100%";
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ]; # Override existing partition
- subvolumes = {
- # Subvolume name is different from mountpoint
- "/rootfs" = {
- mountpoint = "/";
- };
- "/nix" = {
- mountOptions = [ "noatime" ];
- mountpoint = "/nix";
- };
- "/boot" = {
- mountpoint = "/boot";
- };
- };
- };
- };
- };
- };
- };
-
- boot.initrd.kernelModules = [
- "virtio_balloon"
- "virtio_scsi"
- "virtio_net"
- "virtio_pci"
- "virtio_ring"
- "virtio"
- "scsi_mod"
-
- "virtio_blk"
- "virtio_ring"
- "ata_piix"
- "pata_acpi"
- "ata_generic"
- ];
- }
- ];
-
- # 
sops.secrets.ssh_host_ed25519_key = {
- # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
- # format = "yaml";
-
- # path = "/etc/ssh/ssh_host_ed25519_key";
- # mode = "0600";
- # };
- # sops.secrets.ssh_host_ed25519_key_pub = {
- # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
- # format = "yaml";
-
- # path = "/etc/ssh/ssh_host_ed25519_key.pub";
- # mode = "0600";
- # };
- # sops.secrets.ssh_host_rsa_key = {
- # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
- # format = "yaml";
-
- # path = "/etc/ssh/ssh_host_rsa_key";
- # mode = "0600";
- # };
- # sops.secrets.ssh_host_rsa_key_pub = {
- # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
- # format = "yaml";
-
- # path = "/etc/ssh/ssh_host_rsa_key.pub";
- # mode = "0644";
- # };
-
- boot = {
- kernel = {
- sysctl = {
- "net.ipv4.conf.all.forwarding" = true;
- "net.ipv6.conf.all.forwarding" = true;
- };
- };
- };
-
- networking = {
- hostName = nodeName;
- useNetworkd = true;
- useDHCP = true;
- usePredictableInterfaceNames = false;
-
- interfaces.eth0.ipv4.addresses = [
- {
- address = variables.ipv4;
- prefixLength = variables.ipv4length;
- }
- ];
- defaultGateway = {
- interface = "eth0";
- address = variables.ipv4gateway;
- };
- nameservers = [ variables.ipv4dns ];
-
- # these will be configured via nftables
- nat.enable = lib.mkForce false;
- firewall.enable = lib.mkForce false;
-
- # Use the nftables firewall instead of the base nixos scripted rules.
- # This flake provides a similar utility to the base nixos scripting.
- # https://github.com/thelegy/nixos-nftables-firewall/tree/main
-
- nftables = {
- enable = true;
-
- firewall = {
- enable = true;
- snippets.nnf-common.enable = true;
-
- zones.wan = {
- interfaces = [ "eth0" ];
- };
-
- zones.vpn = {
- interfaces = [
- "wg0"
- "wg1"
- ];
- };
-
- rules = {
- to-fw = {
- from = "all";
- to = [ "fw" ];
- verdict = "drop";
-
- allowedTCPPorts = [
- 22
- 5201
- ];
- allowedUDPPorts = [
- 22
- 5201
- config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
- config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
- ];
- };
-
- vpn-to-wan-nat = {
- from = [ "vpn" ];
- to = [ "wan" ];
- masquerade = true;
- verdict = "accept";
- };
- };
- };
- };
- };
-
- sops.secrets.wg0-privatekey = {
- mode = "440";
- group = "systemd-network";
- };
- sops.secrets.wg0-peer0-psk = {
- mode = "440";
- group = "systemd-network";
- };
- sops.secrets.wg1-privatekey = {
- mode = "440";
- group = "systemd-network";
- };
- sops.secrets.wg1-peer0-psk = {
- mode = "440";
- group = "systemd-network";
- };
-
- systemd.network.enable = true;
- systemd.network.netdevs.wg0 = {
- enable = true;
- netdevConfig = {
- Name = "wg0";
- Kind = "wireguard";
- };
- wireguardConfig = {
- ListenPort = 51820;
- # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
- PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
- };
- wireguardPeers = [
- {
- wireguardPeerConfig = {
- AllowedIPs = [
- "10.0.0.1/32"
- "192.168.0.0/16"
- ];
- PersistentKeepalive = 15;
- PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
- PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
- };
- }
- ];
- };
- systemd.network.netdevs.wg1 = {
- enable = true;
- netdevConfig = {
- Name = "wg1";
- Kind = "wireguard";
- };
- wireguardConfig = {
- ListenPort = 51821;
- # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
- PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
- };
- wireguardPeers = [
- {
- 
wireguardPeerConfig = {
- AllowedIPs = [
- "10.0.0.3/31"
- "192.168.0.0/16"
- ];
- PersistentKeepalive = 15;
- PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
- PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
- };
- }
- ];
- };
- systemd.network.networks.wg0 = {
- enable = true;
- matchConfig.Name = "wg0";
- address = [ "10.0.0.0/31" ];
-
- routes = [
- {
- routeConfig = {
- Destination = "192.168.0.0/16";
- MultiPathRoute = "10.0.0.1 1";
- };
- }
- ];
- };
- systemd.network.networks.wg1 = {
- enable = true;
- matchConfig.Name = "wg1";
- address = [ "10.0.0.2/31" ];
-
- routes = [
- {
- routeConfig = {
- Destination = "192.168.0.0/16";
- MultiPathRoute = "10.0.0.3 1";
- };
- }
- ];
- };
-
- environment.systemPackages = [
- pkgs.ethtool
- pkgs.neovim
- pkgs.tmux
-
- pkgs.wireguard-tools
- pkgs.tshark
-
- (pkgs.writeShellScriptBin "dbg-ip" ''
- echo links:
- ip -br -c l
- echo
- echo addresses:
- ip -br -c a
- echo
- echo vlans:
- bridge -c vlan
- '')
-
- (pkgs.writeShellScriptBin "dbg-dnsmasq" ''
- # get the rendered in-use config
- pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat
- '')
- ];
-}
diff --git a/nix/os/devices/router0-ifog/default.nix b/nix/os/devices/router0-ifog/default.nix
deleted file mode 100644
index fd2c485..0000000
--- a/nix/os/devices/router0-ifog/default.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{
- system ? "x86_64-linux",
- nodeName,
- repoFlake,
- nodeFlake,
- ...
-}:
-let
- variables = import ./variables.crypt.nix;
-in
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit
- repoFlake
- nodeName
- nodeFlake
- system
- variables
- ;
- packages' = repoFlake.packages.${system};
- nodePackages' = nodeFlake.packages.${system};
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = variables.ipv4;
- deployment.replaceUnknownProfiles = true;
-
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
-
- ./configuration.nix
- ];
-
- networking.hostName = nodeName;
- };
-}
diff --git a/nix/os/devices/router0-ifog/flake.lock b/nix/os/devices/router0-ifog/flake.lock
deleted file mode 100644
index f66687f..0000000
--- a/nix/os/devices/router0-ifog/flake.lock
+++ /dev/null
@@ -1,151 +0,0 @@ -{ - "nodes": { - "dependencyDagOfSubmodule": { - "inputs": { - "nixpkgs": [ - "nixos-nftables-firewall", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1656615370, - "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719864345, - "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", - "owner": "nix-community", - "repo": "disko", - "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719827385, - "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixos-nftables-firewall": { - "inputs": { - "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1719838683, - "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "home-manager": "home-manager", - "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719965291, - "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", - "owner": "numtide", - "repo": "srvos", - "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/router0-ifog/flake.nix b/nix/os/devices/router0-ifog/flake.nix deleted file mode 100644 index 3057b9a..0000000 --- a/nix/os/devices/router0-ifog/flake.nix +++ /dev/null 
@@ -1,19 +0,0 @@
-{
- inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
- nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-
- home-manager.url = "github:nix-community/home-manager/release-24.05";
- home-manager.inputs.nixpkgs.follows = "nixpkgs";
-
- disko.url = "github:nix-community/disko";
- disko.inputs.nixpkgs.follows = "nixpkgs";
- srvos.url = "github:numtide/srvos";
- srvos.inputs.nixpkgs.follows = "nixpkgs";
-
- nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
- nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
- };
-
- outputs = _: { };
-}
diff --git a/nix/os/devices/router0-ifog/variables.crypt.nix b/nix/os/devices/router0-ifog/variables.crypt.nix
deleted file mode 100644
index 1dec120..0000000
Binary files a/nix/os/devices/router0-ifog/variables.crypt.nix and /dev/null differ
diff --git a/nix/os/devices/sj-srv1/README.md b/nix/os/devices/sj-srv1/README.md
deleted file mode 100644
index 394da55..0000000
--- a/nix/os/devices/sj-srv1/README.md
+++ /dev/null
@@ -1 +0,0 @@
-## bootstrapping
diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix
deleted file mode 100644
index 5184bd1..0000000
--- a/nix/os/devices/sj-srv1/configuration.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ nodeName, config, ... }:
-{
- disabledModules = [ ];
- imports = [
- ../../profiles/common/configuration.nix
- {
- users.commonUsers = {
- enable = true;
- enableNonRoot = true;
- rootPasswordFile = config.sops.secrets.passwords-root.path;
- };
-
- sops.secrets.passwords-root = {
- sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
- neededForUsers = true;
- format = "yaml";
- };
- }
-
- ./system.nix
- ./hw.nix
- ];
-}
diff --git a/nix/os/devices/sj-srv1/default.nix b/nix/os/devices/sj-srv1/default.nix
deleted file mode 100644
index c9076b9..0000000
--- a/nix/os/devices/sj-srv1/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- nodeName,
- repoFlake,
- nodeFlake,
- ...
-}:
-let
- system = "x86_64-linux";
-in
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit repoFlake nodeName nodeFlake;
- packages' = repoFlake.packages.${system};
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = "${nodeName}.dmz.internal";
- # deployment.targetHost = "www.stefanjunker.de";
- deployment.replaceUnknownProfiles = false;
-
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
-
- ./configuration.nix
- ];
- };
-}
diff --git a/nix/os/devices/sj-srv1/flake.lock b/nix/os/devices/sj-srv1/flake.lock
deleted file mode 100644
index bb96205..0000000
--- a/nix/os/devices/sj-srv1/flake.lock
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1747556831, - "narHash": "sha256-Qb84nbYFFk0DzFeqVoHltS2RodAYY5/HZQKE8WnBDsc=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "d0bbd221482c2713cccb80220f3c9d16a6e20a33", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-25.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1747953325, - "narHash": "sha256-y2ZtlIlNTuVJUZCqzZAhIw5rrKP4DOSklev6c8PyCkQ=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "55d1f923c480dadce40f5231feb472e81b0bab48", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-kanidm": { - "locked": { - "lastModified": 1729071019, - "narHash": "sha256-c4J/ZiMbjMf98FawO5XJaTWqvrvIXpxnIpxu4OV3CGA=", - "owner": "steveej-forks", - "repo": "nixpkgs", - "rev": "984b1d5a286d3a072b840b30ec49d96878d01e64", - "type": "github" - }, - "original": { - "owner": "steveej-forks", - "ref": "kanidm", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1748090750, - "narHash": "sha256-q98rD+6llf/9ABNZc0lbSgGVjqMvkx4QL8LTs1jt+FY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "a9e3bbb8995849e5daa0cf5e03a09c1df63bf933", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1748074755, - "narHash": "sha256-b3SC3Q3cXr4tdCN3WVTFqMP8I9OwaXXcj1aVoSVaygw=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "c3ee76c437067f1ae09d6e530df46a3f80977992", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": 
"nixpkgs",
- "nixpkgs-kanidm": "nixpkgs-kanidm",
- "nixpkgs-master": "nixpkgs-master",
- "nixpkgs-unstable": "nixpkgs-unstable"
- }
- }
- },
- "root": "root",
- "version": 7
-}
diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix
deleted file mode 100644
index c13b5ad..0000000
--- a/nix/os/devices/sj-srv1/flake.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
- inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
- inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
-
- inputs.nixpkgs-kanidm.url = "github:steveej-forks/nixpkgs/kanidm";
-
- inputs.home-manager = {
- url = "github:nix-community/home-manager/release-25.05";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
- outputs = _: { };
-}
diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix
deleted file mode 100644
index ca9158b..0000000
--- a/nix/os/devices/sj-srv1/hw.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-_:
-let
- stage1Modules = [
- "virtio_balloon"
- "virtio_scsi"
- "virtio_net"
- "virtio_pci"
- "virtio_ring"
- "virtio"
- "scsi_mod"
-
- "virtio_blk"
- "virtio_ring"
- "ata_piix"
- "pata_acpi"
- "ata_generic"
-
- "aesni_intel"
- "kvm_amd"
- "nvme"
- "nvme_core"
-
- "thunderbolt"
- "e1000e"
-
- "usbcore"
- "xhci_hcd"
- "usbnet"
- "snd_usb_audio"
- "usbhid"
- "snd_usbmidi_lib"
- "cdc_mbim"
- "cdc_ncm"
- "usb_storage"
- "cdc_wdm"
- "uvcvideo"
- "btusb"
- "xhci_pci"
- "cdc_ether"
- "uas"
- ];
-in
-{
- imports = [
- ../../modules/opinionatedDisk.nix
- ];
- hardware.opinionatedDisk = {
- enable = true;
- encrypted = false;
- diskId = "virtio-virtio-paeNi8Fof9Oe";
- earlyDiskIdOverride = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN";
- };
-
- boot.initrd.kernelModules = stage1Modules;
-}
diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix
deleted file mode 100644
index c5e4c43..0000000
--- a/nix/os/devices/sj-srv1/system.nix
+++ /dev/null
@@ -1,220 +0,0 @@
-{
- pkgs,
- lib,
- config,
- repoFlake,
- nodeFlake,
- nodeName,
- ...
-}:
-let
- hostBridgeAddress = "192.168.101.1";
-in
-{
- imports = [
- ../../snippets/systemd-resolved.nix
- {
- # make sure it uses the DNS that comes in via DHCP
- networking.nameservers = lib.mkForce [ ];
- services.resolved.enable = true;
-
- # provide DNS to the containers
- services.resolved.extraConfig = ''
- DNSStubListenerExtra=${hostBridgeAddress}
- '';
- networking.firewall.interfaces.br0.allowedTCPPorts = [ 53 ];
- networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 ];
- }
- ];
-
- programs.wireshark.enable = true;
- environment.systemPackages = [ pkgs.dnsutils ];
-
- networking.firewall.enable = true;
- networking.nftables.enable = true;
- networking.nftables.flushRuleset = true;
-
- networking.firewall.allowedTCPPorts = [
- # iperf3
- 5201
- ];
-
- networking.firewall.logRefusedConnections = false;
-
- networking.usePredictableInterfaceNames = false;
-
- networking.useNetworkd = true;
- networking.useDHCP = false;
-
- networking.nat = {
- enable = true;
- internalInterfaces = [ "br0" ];
- externalInterface = "dmz0";
- };
-
- networking.bridges = {
- br0 = {
- interfaces = [ ];
- };
- };
- networking.interfaces = {
- br0 = {
- ipv4.addresses = [
- {
- address = hostBridgeAddress;
- prefixLength = 24;
- }
- ];
- };
- };
-
- systemd.network.netdevs."10-dmz0" = {
- enable = true;
- netdevConfig = {
- Name = "dmz0";
- Kind = "macvlan";
- MACAddress = "1c:69:7a:07:08:6f";
- };
-
- macvlanConfig = {
- Mode = "bridge";
- };
- };
-
- systemd.network.networks."20-eth0" = {
- enable = true;
- matchConfig.Name = "eth0";
-
- linkConfig.RequiredForOnline = "carrier";
- networkConfig.LinkLocalAddressing = "no";
-
- # TODO: i'm not sure if and if so why this is required
- macvlan = [ "dmz0" ];
-
- DHCP = "no";
- };
-
- systemd.network.networks."30-dmz0" = {
- enable = true;
- matchConfig.Name = "dmz0";
- DHCP = "yes";
-
- dhcpV4Config.UseDNS = true;
- dhcpV6Config.UseDNS = 
true;
- };
-
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1;
- "net.ipv6.ip_forward" = 1;
- };
-
- # virtualization
- virtualisation = {
- docker.enable = false;
- };
-
- nix.gc = {
- automatic = true;
- };
-
- sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
-
- # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
- services.restic.backups.${nodeName} =
- let
- btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
- in
- {
- initialize = true;
- repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";
-
- paths = [ "/backup" ];
-
- pruneOpts = [
- "--keep-daily 7"
- "--keep-weekly 5"
- "--keep-monthly 12"
- "--keep-yearly 2"
- ];
-
- timerConfig = {
- OnCalendar = lib.mkDefault "daily";
- Persistent = true;
- };
-
- passwordFile = config.sops.secrets.restic-password.path;
-
- backupPrepareCommand = ''
- ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes
- '';
- backupCleanupCommand = ''
- ${btrfs} su delete /backup/container-volumes
- '';
- };
-
- containers = {
- mailserver = import ../../containers/mailserver.nix {
- specialArgs = {
- inherit repoFlake nodeFlake;
- hostAddress = hostBridgeAddress;
- };
-
- autoStart = true;
-
- hostBridge = "br0";
- hostAddress = hostBridgeAddress;
- localAddress = "192.168.101.10/24";
-
- imapsPort = 993;
- sievePort = 4190;
- };
-
- webserver = import ../../containers/webserver.nix {
- specialArgs = {
- inherit repoFlake nodeFlake;
- hostAddress = hostBridgeAddress;
- };
-
- autoStart = true;
-
- hostBridge = "br0";
- hostAddress = hostBridgeAddress;
- localAddress = "192.168.101.11/24";
-
- httpPort = 80;
- httpsPort = 443;
- forgejoSshPort = 2222;
- };
-
- syncthing = import ../../containers/syncthing.nix {
- specialArgs = {
- inherit repoFlake nodeFlake;
- hostAddress = hostBridgeAddress;
- };
- autoStart = true;
-
- hostBridge = "br0";
- hostAddress = 
hostBridgeAddress;
- localAddress = "192.168.101.12/24";
-
- syncthingPort = 22000;
- };
- };
-
- virtualisation.libvirtd = {
- enable = true;
- onShutdown = "shutdown";
- parallelShutdown = 3;
- };
-
- # VM storage
- # fileSystems."/mnt/8078-532D".device = "/dev/disk/by-uuid/8078-532D";
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "22.11"; # Did you read the comment?
-}
diff --git a/nix/os/devices/sj-vps-htz0/README.md b/nix/os/devices/sj-vps-htz0/README.md
deleted file mode 100644
index 5c32f8e..0000000
--- a/nix/os/devices/sj-vps-htz0/README.md
+++ /dev/null
@@ -1,18 +0,0 @@
-## bootstrapping
-
-```
-systemctl stop dhcpcd
-ip a add 167.233.1.14/29 dev ens18
-ip l set mtu 1400 dev ens18
-ip r add default via 167.233.1.9
-echo "nameserver 1.1.1.1" >> /etc/resolv.conf
-mkdir ~/.ssh
-```
-
-### ssh key
-
-run locally:
-
-```
-ssh-add -L | tr \\n \\r | xdotool selectwindow windowfocus type --delay 50 --window %@ --file -
-```
diff --git a/nix/os/devices/sj-vps-htz0/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix
deleted file mode 100644
index 0f9e008..0000000
--- a/nix/os/devices/sj-vps-htz0/configuration.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ nodeName, config, ... }:
-{
- disabledModules = [ ];
- imports = [
- ../../profiles/common/configuration.nix
- {
- users.commonUsers = {
- enable = true;
- enableNonRoot = true;
- rootPasswordFile = config.sops.secrets.passwords-root.path;
- };
-
- sops.secrets.passwords-root = {
- sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
- neededForUsers = true;
- format = "yaml";
- };
- }
- ../../modules/opinionatedDisk.nix
-
- ./system.nix
- ./hw.nix
- ./boot.nix
- ];
-}
diff --git a/nix/os/devices/sj-vps-htz0/default.nix b/nix/os/devices/sj-vps-htz0/default.nix
deleted file mode 100644
index 7683a53..0000000
--- a/nix/os/devices/sj-vps-htz0/default.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- nodeName,
- repoFlake,
- nodeFlake,
- ...
-}:
-let
- system = "x86_64-linux";
-in
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit repoFlake nodeName nodeFlake;
- packages' = repoFlake.packages.${system};
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = "${nodeName}.infra.stefanjunker.de";
- deployment.replaceUnknownProfiles = false;
-
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
-
- ./configuration.nix
- ];
- };
-}
diff --git a/nix/os/devices/sj-vps-htz0/flake.lock b/nix/os/devices/sj-vps-htz0/flake.lock
deleted file mode 100644
index 56c2d36..0000000
--- a/nix/os/devices/sj-vps-htz0/flake.lock
+++ /dev/null
@@ -1,83 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1700392168, - "narHash": "sha256-v5LprEFx3u4+1vmds9K0/i7sHjT0IYGs7u9v54iz/OA=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "28535c3a34d79071f2ccb68671971ce0c0984d7e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-23.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1700501263, - "narHash": "sha256-M0U063Ba2DKL4lMYI7XW13Rsk5tfUXnIYiAVa39AV/0=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "f741f8a839912e272d7e87ccf4b9dbc6012cdaf9", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1700758842, - "narHash": "sha256-WNpG3F/0dktkYbG6O8Put9GtBw4C4vb1KwtIibfXYEE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "359d577687ea3eb033590cf1259f0355e30b9c6f", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1700641131, - "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/sj-vps-htz0/flake.nix b/nix/os/devices/sj-vps-htz0/flake.nix deleted file mode 100644 index f8ca24f..0000000 --- a/nix/os/devices/sj-vps-htz0/flake.nix +++ /dev/null 
@@ -1,12 +0,0 @@
-{
- inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
- inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
- inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
-
- inputs.home-manager = {
- url = "github:nix-community/home-manager/release-23.05";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
- outputs = _: { };
-}
diff --git a/nix/os/devices/sj-vps-htz0/hw.nix b/nix/os/devices/sj-vps-htz0/hw.nix
deleted file mode 100644
index 080bb40..0000000
--- a/nix/os/devices/sj-vps-htz0/hw.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-_:
-let
- stage1Modules = [
- "virtio_balloon"
- "virtio_scsi"
- "virtio_net"
- "virtio_pci"
- "virtio_ring"
- "virtio"
- "scsi_mod"
-
- "virtio_blk"
- "virtio_ring"
- "ata_piix"
- "pata_acpi"
- "ata_generic"
- ];
-in
-{
- hardware.opinionatedDisk = {
- enable = true;
- encrypted = false;
- diskId = "virtio-virtio-paeNi8Fof9Oe";
- };
-
- boot.initrd.kernelModules = stage1Modules;
-}
diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix
deleted file mode 100644
index 7380a35..0000000
--- a/nix/os/devices/sj-vps-htz0/system.nix
+++ /dev/null
@@ -1,109 +0,0 @@
-{
- pkgs,
- config,
- nodeName,
- ...
-}:
-let
- wireguardPort = 51820;
-in
-{
- imports = [ ../../snippets/systemd-resolved.nix ];
-
- networking.firewall.enable = true;
- networking.nftables.enable = true;
-
- networking.firewall.allowedTCPPorts = [
- # iperf3
- 5201
- ];
- networking.firewall.allowedUDPPorts = [ wireguardPort ];
-
- networking.firewall.logRefusedConnections = false;
-
- networking.usePredictableInterfaceNames = false;
-
- networking.dhcpcd.enable = false;
-
- networking.interfaces.eth0 = {
- mtu = 1400;
- useDHCP = true;
- ipv4.addresses = [
- {
- "address" = "167.233.1.14";
- "prefixLength" = 29;
- }
- ];
- ipv6.addresses = [ ];
- };
-
- networking.defaultGateway = {
- address = "167.233.1.9";
- interface = "eth0";
- };
-
- networking.defaultGateway6 = {
- address = "fe80::1";
- interface = "eth0";
- };
-
- networking.nat = {
- enable = true;
- internalInterfaces = [
- "ve-*"
- "wg*"
- ];
- externalInterface = "eth0";
- };
-
- networking.firewall.filterForward = true;
- networking.firewall.extraForwardRules = ''
- meta nfproto ipv4 tcp flags syn tcp option maxseg size set 1360;
- meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1340;
- '';
-
- sops.secrets.wg0-private.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
- sops.secrets.wg0-psk-steveej-psk.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
-
- networking.wireguard.enable = true;
- networking.wireguard.interfaces.wg0 = {
- # eth0 MTU (1400) - 80
- mtu = 1320;
- ips = [ "192.168.99.1/31" ];
- listenPort = wireguardPort;
- privateKeyFile = config.sops.secrets.wg0-private.path;
- peers = [
- {
- allowedIPs = [ "192.168.99.2/32" ];
- publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0=";
- presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path;
- }
- ];
- };
-
- # virtualization
- virtualisation = {
- docker.enable = false;
- };
-
- services.spice-vdagentd.enable = true;
- services.qemuGuest.enable = true;
-
- nix.gc = {
- automatic 
= true;
- };
-
- containers = { };
-
- home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
- inherit pkgs;
- };
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "22.11"; # Did you read the comment?
-}
diff --git a/nix/os/devices/srv0-dmz0/README.md b/nix/os/devices/srv0-dmz0/README.md
deleted file mode 100644
index c76c8a0..0000000
--- a/nix/os/devices/srv0-dmz0/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-## bootstrapping
-
-```
-# TODO: generate an SSH host-key and deploy it via --extra-files
-nixos-anywhere --flake .\#srv0-dmz0 root@srv0.dmz0.noosphere.life
-```
diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix
deleted file mode 100644
index 5514edf..0000000
--- a/nix/os/devices/srv0-dmz0/configuration.nix
+++ /dev/null
@@ -1,135 +0,0 @@ -{ - modulesPath, - repoFlake, - config, - ... -}: -let - disk = "/dev/disk/by-id/ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN"; -in -{ - disabledModules = [ ]; - imports = [ - repoFlake.inputs.disko.nixosModules.disko - repoFlake.inputs.srvos.nixosModules.server - (modulesPath + "/profiles/all-hardware.nix") - - repoFlake.inputs.srvos.nixosModules.mixins-terminfo - repoFlake.inputs.srvos.nixosModules.mixins-systemd-boot - - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../profiles/common/user.nix - ]; - - ## bare-metal machines - srvos.boot.consoles = [ "tty0" ]; - boot.loader.grub.enable = false; - boot.loader.efi.canTouchEfiVariables = false; - - disko.devices.disk.main = { - device = disk; - type = "disk"; - content = { - type = "table"; - format = "gpt"; - partitions = [ - { - name = "boot"; - start = "0"; - end = "1M"; - part-type = "primary"; - flags = [ "bios_grub" ]; - } - { - name = "ESP"; - start = "1M"; - end = "512M"; - bootable = true; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - } - { - name = "root"; - start = "512M"; - end = "100%"; - part-type = "primary"; - bootable = true; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - # Subvolume name is different from mountpoint - "/rootfs" = { - mountpoint = "/"; - }; - "/nix" = { - mountOptions = [ "noatime" ]; - }; - }; - }; - } - ]; - }; - }; - - hardware.enableAllFirmware = true; - nixpkgs.config.allowUnfree = true; - - hardware.enableRedistributableFirmware = true; - hardware.cpu.intel.updateMicrocode = true; - - services.openssh.enable = true; - - systemd.network.enable = true; - systemd.network.networks."10-lan" = { - matchConfig.Name = "eth*"; - networkConfig = { - # enable DHCP for IPv4 *and* IPv6 - DHCP = "yes"; - - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - }; - }; - networking.dhcpcd.enable = false; - - 
networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ - 22 - - # iperf3 - 5201 - ]; - networking.firewall.logRefusedConnections = false; - networking.usePredictableInterfaceNames = false; - - networking.nat = { - enable = true; - internalInterfaces = [ "ve-+" ]; - externalInterface = "eth0"; - }; - - # Kubernetes - # services.kubernetes.roles = ["master" "node"]; - - # virtualization - # virtualisation = {docker.enable = true;}; - - nix.gc = { - automatic = true; - }; - - containers = { }; - - # This value determines the NixOS release from which the default - # settings for stateful data, like file locations and database versions - # on your system were taken. It‘s perfectly fine and recommended to leave - # this value at the release version of the first install of this system. - # Before changing this value read the documentation for this option - # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "23.11"; # Did you read the comment? -} diff --git a/nix/os/devices/srv0-dmz0/default.nix b/nix/os/devices/srv0-dmz0/default.nix deleted file mode 100644 index 3af624b..0000000 --- a/nix/os/devices/srv0-dmz0/default.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ - nodeName, - repoFlake, - nodeFlake, - ... -}: -let - system = "x86_64-linux"; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake; - packages' = repoFlake.packages.${system}; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "srv0.dmz0.noosphere.life"; - deployment.replaceUnknownProfiles = false; - - imports = [ - nodeFlake.inputs.home-manager.nixosModules.home-manager - - ./configuration.nix - ]; - - networking.hostName = nodeName; - }; -} diff --git a/nix/os/devices/srv0-dmz0/flake.lock b/nix/os/devices/srv0-dmz0/flake.lock deleted file mode 100644 index 4e1a641..0000000 
--- a/nix/os/devices/srv0-dmz0/flake.lock +++ /dev/null @@ -1,83 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1716736833, - "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1717242134, - "narHash": "sha256-2X835ZESUaQ/KZEuG9HkoEB7h0USG5uvkSUmLzFkxAE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "61c1d282153dbfcb5fe413c228d172d0fe7c2a7e", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1717216113, - "narHash": "sha256-DniggN0kphCCBpGlS2WyDPoNqxQoRFlhN2GMk35OHiM=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "21959d8d44197094aebc74ead6ca4a53bcce0adb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/srv0-dmz0/flake.nix b/nix/os/devices/srv0-dmz0/flake.nix deleted file mode 100644 index 2f27989..0000000 
--- a/nix/os/devices/srv0-dmz0/flake.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; - inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; - inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; - - inputs.home-manager = { - url = "github:nix-community/home-manager/release-24.05"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix index 9ddbde9..fe0b621 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix @@ -1,4 +1,4 @@ -_: { +{lib, ...}: { boot.loader.grub.efiSupport = true; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix index b29548c..28a63fb 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix @@ -1,6 +1,5 @@ -{ ... }: -{ - disabledModules = [ ]; +{...}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix index a89e29a..8815036 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix @@ -1,5 +1,4 @@ -_: -let +{...}: let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -18,8 +17,7 @@ let "xhci_hcd" "xhci_pci" ]; -in -{ +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix index 607e7f3..b6c8038 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix 
+++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix @@ -1,8 +1,16 @@ -{ config, pkgs, ... }: { - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; + config, + pkgs, + lib, + ... +}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; @@ -12,12 +20,7 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = [ - "kvm" - "nixos-test" - "big-parallel" - "benchmark" - ]; + supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; maxJobs = 4; } ]; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix index 84bb74d..e677958 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix @@ -1,4 +1,11 @@ -_: { +{ + pkgs, + lib, + config, + ... +}: let + keys = import ../../../variables/keys.nix; +in { # TASK: new device networking.hostName = "srv0"; # Define your hostname. # networking.domain = "home-ch.stefanjunker.de"; @@ -30,7 +37,7 @@ _: { networking.nat = { enable = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = ["ve-+"]; externalInterface = "eth0"; }; 
@@ -38,20 +45,14 @@ _: { # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = { - docker.enable = true; - }; + virtualisation = {docker.enable = true;}; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; networking.useHostResolvConf = false; - services.resolved = { - enable = true; - }; + services.resolved = {enable = true;}; - containers = { }; + containers = {}; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix index 1bc2086..bb546e6 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix @@ -4,8 +4,7 @@ let ref = "nixos-22.05"; rev = "040c6d8374d090f46ab0e99f1f7c27a4529ecffd"; }; -in -{ +in { inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix index 5817e21..511138c 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix @@ -6,8 +6,7 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.05 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix index d009275..a15e1aa 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix 
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix index 76ab1b9..6d8eadd 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix index efe0db2..73d39d9 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix @@ -1,7 +1,11 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + ... +}: let +in { services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"''; - users.groups.sgx = { }; + users.groups.sgx = {}; networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname. boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest; } diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix index e37d392..bf0d943 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix @@ -1,9 +1,12 @@ -{ pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; -in { + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {}) mkUser; +in { users.extraUsers.sjunker = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; @@ -11,7 +14,7 @@ in image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; }; - extraGroups = [ "sgx" ]; + extraGroups = ["sgx"]; subUidRanges = [ { diff --git a/nix/os/devices/steveej-pa600/boot.nix b/nix/os/devices/steveej-pa600/boot.nix new file mode 100644 index 0000000..4d8c1d1 --- /dev/null +++ b/nix/os/devices/steveej-pa600/boot.nix 
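Review bot: In the user.nix hunk, `passwords = import ../../../variables/passwords.crypt.nix;` is added to the `let` block but nothing in the module references it (only `keys` is used), and the `config` argument added to the attribute set is unused as well; Nix is lazy, so the secrets file is never even read, which leaves a dangling reference that misleads the next reader and hides a missing or undecryptable file until someone actually uses the binding. Drop the line or use it for a `hashedPassword`/`passwordFile` if that was the intent. The import of `mkUser` also changes from `(import ../../lib/default.nix { inherit (pkgs) lib; })` to `(import ../../lib/default.nix {})`, so the helper must now default its own `lib` — I can't confirm that from the hunk. The `sjunker` user definition continues past the hunk.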
@@ -0,0 +1,4 @@
+{lib, ...}: {
+ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
+ boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
+}
diff --git a/nix/os/devices/steveej-pa600/configuration.nix b/nix/os/devices/steveej-pa600/configuration.nix
new file mode 100644
index 0000000..37f4c61
--- /dev/null
+++ b/nix/os/devices/steveej-pa600/configuration.nix
@@ -0,0 +1,12 @@
+{...}: {
+ imports = [
+ ../../profiles/common/configuration.nix
+ ../../profiles/graphical/configuration.nix
+ ../../modules/opinionatedDisk.nix
+
+ ./system.nix
+ ./hw.nix
+ ./pkg.nix
+ ./user.nix
+ ];
+}
diff --git a/nix/os/devices/steveej-pa600/hw.nix b/nix/os/devices/steveej-pa600/hw.nix
new file mode 100644
index 0000000..a563c1a
--- /dev/null
+++ b/nix/os/devices/steveej-pa600/hw.nix
@@ -0,0 +1,21 @@
+{...}: let
+ stage1Modules = [
+ "aesni_intel"
+ "kvm-intel"
+ "aes_x86_64"
+
+ "xhci_pci"
+ "hxci_hcd"
+ ];
+in {
+ # TASK: new device
+ hardware.opinionatedDisk = {
+ enable = true;
+ encrypted = true;
+ diskId = "ata-TOSHIBA_MK1652GSX_Y8B9CL6XT";
+ };
+
+ # boot.initrd.availableKernelModules = stage1Modules;
+ boot.initrd.kernelModules = stage1Modules;
+ boot.extraModprobeConfig = "";
+}
diff --git a/nix/os/devices/steveej-pa600/pkg.nix b/nix/os/devices/steveej-pa600/pkg.nix
new file mode 100644
index 0000000..9897dc2
--- /dev/null
+++ b/nix/os/devices/steveej-pa600/pkg.nix
@@ -0,0 +1,15 @@
+{pkgs, ...}: {
+ nixpkgs.config.packageOverrides = pkgs:
+ with pkgs; {
+ nixPath =
+ (import ../../../default.nix {
+ versionsPath = ./versions.nix;
+ })
+ .nixPath;
+ };
+ home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix {
+ inherit pkgs;
+ };
+ services.teamviewer.enable = true;
+ system.stateVersion = "20.09";
+}
diff --git a/nix/os/devices/steveej-pa600/system.nix b/nix/os/devices/steveej-pa600/system.nix
new file mode 100644
index 0000000..02256d8
--- /dev/null
+++ b/nix/os/devices/steveej-pa600/system.nix
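Review bot: `"hxci_hcd"` in `stage1Modules` of hw.nix is a misspelling of `xhci_hcd` (the srv0.home-ch hw.nix hunk earlier in this diff lists `"xhci_hcd"` next to `"xhci_pci"`), and since the list feeds `boot.initrd.kernelModules` the bogus name is either rejected when the initrd module closure is built or silently never loaded, depending on how the initrd builder in the pinned nixpkgs treats missing modules. This host sets `encrypted = true`, so stage-1 has to drive the USB keyboard for the LUKS passphrase prompt; `xhci_pci` most likely drags in `xhci_hcd` as a dependency anyway, which would explain why the typo went unnoticed. Change the entry to `"xhci_hcd"`. It is also worth re-checking `"aes_x86_64"` against the kernel selected by system.nix (`linuxPackages_latest`), since upstream dropped that scalar AES module some releases ago — I can't tell from the hunk which kernel version resolves here.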
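Review bot: `services.teamviewer.enable = true;` in pkg.nix enables a remote-control daemon on a laptop that otherwise has full-disk encryption and fingerprint-gated sudo, with no comment on why unattended remote access is wanted and nothing in the hunk limiting it; as far as I know the NixOS service runs `teamviewerd` as a privileged system service that keeps an outbound session to the vendor relay whether or not anyone is using it. If it is intentional, add a one-line justification above it, e.g. `# TeamViewer: remote support for <reason>; privileged daemon, disable when not needed`, or leave it off by default and flip it on only for the session that needs it. Unrelated to security, `system.stateVersion = "20.09";` lives in pkg.nix here whereas the other hosts in this diff keep it in system.nix, which makes it easy to miss when the host is upgraded.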
@@ -0,0 +1,45 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: let
+ keys = import ../../../variables/keys.nix;
+in {
+ # TASK: new device
+ networking.hostName = "steveej-pa600"; # Define your hostname.
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [
+ # iperf3
+ 5201
+ ];
+
+ networking.firewall.logRefusedConnections = false;
+ networking.usePredictableInterfaceNames = false;
+
+ services.printing = {
+ enable = true;
+ drivers = with pkgs; [hplip mfcl3770cdw.driver mfcl3770cdw.cupswrapper];
+ };
+
+ services.fprintd.enable = true;
+ security.pam.services = {
+ login.fprintAuth = true;
+ sudo.fprintAuth = true;
+ };
+
+ security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
+
+ services.xserver.videoDrivers = ["modesetting"];
+ services.xserver.serverFlagsSection = ''
+ Option "BlankTime" "0"
+ Option "StandbyTime" "0"
+ Option "SuspendTime" "0"
+ Option "OffTime" "0"
+ '';
+
+ boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+
+ hardware.ledger.enable = true;
+}
diff --git a/nix/os/devices/steveej-pa600/user.nix b/nix/os/devices/steveej-pa600/user.nix
new file mode 100644
index 0000000..04e5489
--- /dev/null
+++ b/nix/os/devices/steveej-pa600/user.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ pkgs,
+ ...
+}: let
+ passwords = import ../../../variables/passwords.crypt.nix;
+ keys = import ../../../variables/keys.nix;
+ inherit (import ../../lib/default.nix {}) mkUser;
+in {
+ users.extraUsers.steveej2 = mkUser {
+ uid = 1001;
+ openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+ };
+}
diff --git a/nix/os/devices/steveej-pa600/versions.nix b/nix/os/devices/steveej-pa600/versions.nix
new file mode 100644
index 0000000..ce6b116
--- /dev/null
+++ b/nix/os/devices/steveej-pa600/versions.nix
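Review bot: `sudo.fprintAuth = true;` in system.nix lets a fingerprint alone authorize privilege escalation — the NixOS PAM module, as far as I recall, emits `pam_fprintd.so` as `sufficient`, so no password is asked for sudo when the reader matches — and a fingerprint is a weaker factor than the password it replaces: it cannot be rotated if a template or lift is captured, and presentation attacks on consumer readers are practical. If the convenience is wanted for `login`, consider keeping it off for `sudo`, or at minimum record the trade-off with a comment such as `# fingerprint is sufficient for sudo: convenience over a rotatable secret; revisit`. Separately, `security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];` appears to add the same Mozilla bundle NixOS already builds its trust store from, so the line is a no-op that reads as though a custom CA were being trusted; drop it or point it at the extra CA it was meant to carry. The `keys` binding and the `config` argument are unused in this module.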
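Review bot: In user.nix, `passwords = import ../../../variables/passwords.crypt.nix;` is bound but never used (only `keys` is referenced in the body), and the `config` argument is unused too; because Nix never forces the binding, the secrets file is not read at all, so the line is a dead reference that would not even surface a missing or undecryptable file. Remove it, or use it to set the account's password hash if that was the intent. Note also that the new account is `steveej2` while it receives `keys.users.steveej.openssh`, so a single SSH identity now authorizes two local accounts on this host; if that is deliberate, a short comment saying why would help the next reader.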
@@ -0,0 +1,26 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-20.09"; + rev = "e065200fc90175a8f6e50e76ef10a48786126e1c"; + }; +in { + inherit nixpkgs; + nixos = nixpkgs // {suffix = "/nixos";}; + "channels-nixos-stable" = nixpkgs; + "channels-nixos-unstable" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable"; + rev = "2f47650c2f28d87f86ab807b8a339c684d91ec56"; + }; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = "cb7c39605051c7b268f8e0c5c47818a06b5d88c5"; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-20.09"; + rev = "22f6736e628958f05222ddaadd7df7818fe8f59d"; + }; +} diff --git a/nix/os/devices/steveej-pa600/versions.tmpl.nix b/nix/os/devices/steveej-pa600/versions.tmpl.nix new file mode 100644 index 0000000..96f7be3 --- /dev/null +++ b/nix/os/devices/steveej-pa600/versions.tmpl.nix @@ -0,0 +1,34 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-20.09"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +in { + inherit nixpkgs; + nixos = nixpkgs // {suffix = "/nixos";}; + "channels-nixos-stable" = nixpkgs; + "channels-nixos-unstable" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = '' + <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-20.09"; + rev = '' + <% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +} 
diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix index 9682eb6..b32a198 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix index 4af1def..14df96a 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix index 7f69ec0..4329e5c 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix @@ -1,3 +1,3 @@ -_: { +{...}: { networking.hostName = "steveej-rmvbl-mmc-SL32G_0x259093f6"; # Define your hostname. } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix index 861a9ea..d49dbd3 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix @@ -1,8 +1,11 @@ -{ ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; +{...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; imports = [ 
diff --git a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix index c42f909..408b2a9 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix @@ -1,4 +1,4 @@ -_: { +{...}: { # TASK: new device hardware.opinionatedDisk.diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0"; hardware.opinionatedDisk.encrypted = true; diff --git a/nix/os/devices/steveej-rmvbl-sdep0/system.nix b/nix/os/devices/steveej-rmvbl-sdep0/system.nix index d409681..5bad73f 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/system.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/system.nix @@ -1,4 +1,4 @@ -_: { +{...}: { networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname. system.stateVersion = "21.05"; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix index 3771f25..508839d 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix 
@@ -1,34 +1,32 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-22.11"; - rev = ''0040164e473509b4aee6aedb3b923e400d6df10b''; + ref = "nixos-21.11"; + rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; + + # "channels-nixos-21.05" = { + # url = "https://github.com/NixOS/nixpkgs/"; + # ref = "nixos-21.05"; + # rev = "df123677560db3b0db7c19d71981b11091fbeaf6"; + # }; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = ''d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; - }; - "channels-nixos-unstable-small" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable-small"; - rev = ''9c34c8adba80180608794cce600b10183b048942''; + rev = "5aaed40d22f0d9376330b6fa413223435ad6fee5"; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = ''f9adb566707a492bd3d17fee1e223695d939b52a''; + rev = "c4d1eff44eb12cb5500fb2ab05a1a7303711254e"; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; - ref = "release-22.11"; - rev = ''d6f3ba090ed090ae664ab5bac329654093aae725''; + ref = "release-21.11"; + rev = "697cc8c68ed6a606296efbbe9614c32537078756"; }; } diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix index d3ff0b5..c48bdc6 100644 --- a/nix/os/devices/steveej-t14/boot.nix +++ b/nix/os/devices/steveej-t14/boot.nix 
@@ -1,12 +1,14 @@ -{ lib, pkgs, ... }: { + lib, + pkgs, + ... +}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; # boot.tmpOnTmpfs = lib.mkForce false; - boot.tmp.tmpfsSize = "100%"; - + boot.tmpOnTmpfsSize = "100%"; # TODO: make this work # systemd.tmpfiles.rules = lib.mkForce [ "d /tmp 1777 root root 1d" ]; } diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index f5ccca0..d710849 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix 
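Review bot: `boot.tmpOnTmpfsSize = "100%";` in the boot.nix hunk allows `/tmp` to grow to the whole of RAM, so any unprivileged local process can fill `/tmp` and push the machine into OOM; this only bites if `boot.tmpOnTmpfs` is enabled elsewhere — the commented `# boot.tmpOnTmpfs = lib.mkForce false;` line suggests a shared profile turns it on, but the hunk does not show it. A bounded value such as `boot.tmpOnTmpfsSize = "50%";` keeps the local-DoS surface smaller while still serving large builds, and the `# TODO: make this work` note about a tmpfiles cleanup rule would be the place to record why a cap was or was not chosen. `boot.tmpOnTmpfsSize` is also, if I recall correctly, the pre-23.05 spelling that later releases alias to `boot.tmp.tmpfsSize`, so keep whichever name matches the nixpkgs this host pins.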
@@ -1,77 +1,13 @@ -{ ... }: -{ +{...}: { imports = [ - ../../snippets/home-manager-with-zsh.nix - ../../snippets/nix-settings-holo-chain.nix - # TODO: double-check whether this works at all after the most recent changes - # ../../snippets/radicale.nix - ../../snippets/sway-desktop.nix - ../../snippets/timezone.nix - ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix ../../modules/opinionatedDisk.nix - ../../cachix.nix ./system.nix ./hw.nix ./pkg.nix ./user.nix ./boot.nix - - # samba seerver - (_: { - # networking.firewall.enable = lib.mkForce false; - services.samba-wsdd.enable = true; # make shares visible for windows 10 clients - networking.firewall.allowedTCPPorts = [ - 5357 # wsdd - ]; - networking.firewall.allowedUDPPorts = [ - 3702 # wsdd - ]; - services.samba = { - enable = true; - - securityType = "user"; - - extraConfig = '' - workgroup = ARBEITSGRUPPE - server string = steveej-t14 - netbios name = steveej-t14 - security = user - - # use sendfile = yes - - # for executables on windows - acl allow execute always = True - - # legacy windows quirks - max protocol = NT1 - min protocol = NT1 - ntlm auth = yes - - # client max protocol = SMB1 - # client min protocol = NT1 - - # note: localhost is the ipv6 localhost ::1 - hosts allow = 192.168. 127.0.0.1 localhost - hosts deny = 0.0.0.0/0 - guest account = nobody - map to guest = bad user - ''; - shares = { - voodoo = { - path = "/home/steveej/Desktop/voodoo"; - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - # "force user" = "steveej"; - # "force group" = "users"; - }; - }; - }; - }) ]; } diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix deleted file mode 100644 index d7e6d28..0000000 --- a/nix/os/devices/steveej-t14/default.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -{ - nodeName, - repoFlake, - repoFlakeWithSystem, - nodeFlake, - ... -}: -let - system = "x86_64-linux"; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake; - packages' = repoFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = nodeName; - deployment.replaceUnknownProfiles = false; - deployment.allowLocalDeployment = true; - - imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; - }; -} diff --git a/nix/os/devices/steveej-t14/flake.lock b/nix/os/devices/steveej-t14/flake.lock deleted file mode 100644 index 5960780..0000000 --- a/nix/os/devices/steveej-t14/flake.lock +++ /dev/null 
@@ -1,137 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705273357, - "narHash": "sha256-JAlkxgJbWh7+auiT0rJL3IUXXtkULRqygfxQA6mvLgc=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "924d91e1e4c802fd8e60279a022dbae5acb36f2d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-23.11", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs-2211": { - "locked": { - "lastModified": 1688392541, - "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2305": { - "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2311": { - "locked": { - "lastModified": 1705183652, - "narHash": "sha256-rnfkyUH0x72oHfiSDhuCHDHg3gFgF+lF8zkkg5Zihsw=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "428544ae95eec077c7f823b422afae5f174dee4b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1705325703, - "narHash": "sha256-ckwq5uZTOg79p6j9Op4tuKUiEIf0gaLskMS5g43MfVI=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "7081bd488c8fd2a1ac54fda9676e22e6f8fb581f", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1705133751, - "narHash": 
"sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable-small": { - "locked": { - "lastModified": 1705249824, - "narHash": "sha256-ZLPa6YWHeX+/yzaxU7uMWq9eMMncffrzkgOXe6AODMU=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "0c741cd9fbdc435b7ca88e17efc371b48e7c23b8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": [ - "nixpkgs-2311" - ], - "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-2305": "nixpkgs-2305", - "nixpkgs-2311": "nixpkgs-2311", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable", - "nixpkgs-unstable-small": "nixpkgs-unstable-small" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/steveej-t14/flake.nix b/nix/os/devices/steveej-t14/flake.nix deleted file mode 100644 index 504ce45..0000000 --- a/nix/os/devices/steveej-t14/flake.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ - inputs.nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; - inputs.nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; - inputs.nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11"; - inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; - - inputs.nixpkgs.follows = "nixpkgs-2311"; - - inputs.home-manager = { - url = "github:nix-community/home-manager/release-23.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index 0fa593a..551617e 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix 
@@ -1,130 +1,5 @@ -_: { - # TASK: new device - hardware.opinionatedDisk = { - enable = true; - encrypted = true; - diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901"; - earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0"; - }; - - # boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0"; - - # see https://linrunner.de/tlp/ - services.tlp = { - enable = false; - settings = { - CPU_DRIVER_OPMODE_ON_AC = "active"; - CPU_DRIVER_OPMODE_ON_BAT = "passive"; - - CPU_SCALING_GOVERNOR_ON_AC = "performance"; - CPU_SCALING_GOVERNOR_ON_BAT = "powersave"; - - CPU_ENERGY_PERF_POLICY_ON_AC = "performance"; - CPU_ENERGY_PERF_POLICY_ON_BAT = "power"; - - CPU_BOOST_ON_AC = "0"; - CPU_BOOST_ON_BAT = "0"; - - RADEON_DPM_PERF_LEVEL_ON_AC = "low"; - RADEON_DPM_PERF_LEVEL_ON_BAT = "low"; - RADEON_POWER_PROFILE_ON_AC = "low"; - RADEON_POWER_PROFILE_ON_BAT = "low"; - RADEON_DPM_STATE_ON_AC = "battery"; - RADEON_DPM_STATE_ON_BAT = "battery"; - - # SOUND_POWER_SAVE_ON_AC="1"; - SOUND_POWER_SAVE_ON_BAT = "1"; - - PLATFORM_PROFILE_ON_AC = "performance"; - PLATFORM_PROFILE_ON_BAT = "low-power"; - - RUNTIME_PM_ON_AC = "on"; - RUNTIME_PM_ON_BAT = "auto"; - - PCIE_ASPM_ON_AC = "default"; - PCIE_ASPM_ON_BAT = "powersupersave"; - - START_CHARGE_THRESH_BAT0 = "80"; - STOP_CHARGE_THRESH_BAT0 = "85"; - - WOL_DISABLE = "Y"; - # WIFI_PWR_ON_AC="on"; - # WIFI_PWR_ON_BAT = "on"; - DEVICES_TO_DISABLE_ON_STARTUP = "wwan"; - # #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"; - # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; - # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; - - SATA_LINKPWR_ON_AC = "max_performance"; - SATA_LINKPWR_ON_BAT = "min_power"; - }; - }; - - # see https://www.kernel.org/doc/html/v6.6/admin-guide/laptops/thinkpad-acpi.html#fan-control-and-monitoring-fan-speed-fan-enable-disable - services.thinkfan = { - enable = false; - levels = [ - # ["level auto" 0 60] - [ - 0 - 0 - 60 - ] - [ - 1 - 60 - 65 - ] - [ - 1 - 65 - 75 - ] - [ - 2 - 75 - 78 
- ] - [ - 3 - 78 - 80 - ] - [ - 4 - 80 - 82 - ] - [ - 5 - 82 - 84 - ] - [ - 6 - 84 - 86 - ] - [ - 7 - 86 - 88 - ] - [ - "level full-speed" - 88 - 999 - ] - ]; - - extraArgs = [ - "-b-3" - "-s1" - ]; - }; - - hardware.enableRedistributableFirmware = true; - boot.initrd.kernelModules = [ +{...}: let + stage1Modules = [ "aesni_intel" "kvm_amd" "nvme" @@ -132,12 +7,15 @@ _: { "thunderbolt" "e1000e" - - "usbcore" - "xhci_hcd" - "usbhid" - "usb_storage" - "xhci_pci" - "uas" ]; +in { + # TASK: new device + hardware.opinionatedDisk = { + enable = true; + encrypted = true; + diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901"; + }; + + # boot.initrd.availableKernelModules = stage1Modules; + boot.initrd.kernelModules = stage1Modules; } diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix index 4e53eaf..9897dc2 100644 --- a/nix/os/devices/steveej-t14/pkg.nix +++ b/nix/os/devices/steveej-t14/pkg.nix 
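Review bot: `hardware.enableRedistributableFirmware = true;` is removed at the end of the first hunk's deleted lines and neither hunk of the new hw.nix sets it again; unless another module of this host enables it, firmware that Wi-Fi, GPU and similar devices depend on stops being installed. The removed tlp and thinkfan blocks were both `enable = false`, so their deletion is behaviour-neutral, but the firmware line was live. If the removal is intentional, a `# firmware: enabled in <module path>` next to `hardware.opinionatedDisk` tells the next reader where it moved; otherwise restore `hardware.enableRedistributableFirmware = true;` inside the `in { … }` block. The `stage1Modules` list continues past this hunk (new lines 4–6 are outside both hunks).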
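Review bot: The second hunk drops `usbcore`, `xhci_hcd`, `usbhid`, `usb_storage`, `xhci_pci` and `uas` from the stage-1 module list while `hardware.opinionatedDisk.encrypted = true` is kept, so the initrd still has to take a passphrase; if this machine is unlocked from an external USB keyboard, or the root disk is ever reached over USB (the removed `earlyDiskIdOverride` pointed at a `usb-JMicron…` id), those modules are what made that work. Whether the initrd loads them anyway depends on what `availableKernelModules` holds on this host, which the diff does not show. The commented-out `# boot.initrd.availableKernelModules = stage1Modules;` above the live line is dead text; either delete it or make it a reason, e.g. `# force-loaded in stage 1 (not availableKernelModules) because: <reason>`.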
@@ -1,103 +1,15 @@ -{ pkgs, ... }: -{ - system.stateVersion = "23.05"; - home-manager.users.root = _: { home.stateVersion = "22.05"; }; - home-manager.users.steveej = _: { - home.stateVersion = "22.05"; - imports = [ - ../../../home-manager/configuration/graphical-fullblown.nix - - (_: { - programs.chromium.extensions = [ - # can define host-specific extensions here - ]; - }) - ]; - - home.sessionVariables = { }; - - home.packages = with pkgs; [ ]; - }; - - # TODO: fix the following errors with regreet - # - # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. - # amdgpu: amdgpu_cs_ctx_create2 failed. (-13) - # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. - # ERROR: Couldn't create log file '/var/log/regreet/log': Permission denied (os error 13) - # 2023-05-22T10:31:42.52900769+02:00 WARN regreet::tomlutils: Missing TOML file: /var/cache/regreet/cache.toml - # 2023-05-22T10:31:42.52902325+02:00 WARN regreet::tomlutils: Missing TOML file: /etc/greetd/regreet.toml - # - # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration - # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. - services.greetd = - let - # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" - swayConfig = pkgs.writeText "greetd-sway-config" '' - # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. - exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" - bindsym Mod4+shift+e exec swaynag \ - -t warning \ - -m 'What do you want to do?' 
\ - -b 'Poweroff' 'systemctl poweroff' \ - -b 'Reboot' 'systemctl reboot' - ''; - in - { - enable = false; - settings = { - vt = 1; - default_session = { - command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; - }; - }; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; - - environment.etc."greetd/environments".text = '' - sway - ''; - - # fonts = let - # prefs.font = rec { - # size = 13; - # default = sans; - - # sans = { family = "Noto Sans"; package = pkgs.noto-fonts; }; - # serif = { family = "Noto Serif"; package = pkgs.noto-fonts; }; - # # monospace = { family = "Iosevka Fixed"; package = pkgs.iosevka-bin; }; - # monospace = { family = "Iosevka Comfy Fixed"; package = pkgs.iosevka-comfy.comfy-fixed; }; - # # monospace = { family = "Go Mono"; package = pkgs.go-font; }; - # # monospace = { family = "Jetbrains Mono"; package = pkgs.jetbrains-mono; }; - # fallback = { family = "Font Awesome 5 Free"; package = pkgs.font-awesome; }; - # emoji = { family = "Noto Color Emoji"; package = pkgs.noto-fonts-emoji; }; - # - # allPackages = (map (p: p.package) - # [ - # default - # sans - # serif - # monospace - # fallback - # emoji - # ]) ++ - # (with pkgs; [ - # liberation_ttf # free corefonts-metric-compatible replacement - # ttf_bitstream_vera - # gelasio # metric-compatible with Georgia - # powerline-symbols - # ]); - # }; - # in { - # # fonts = prefs.font.allPackages; - - # # fontconfig = { - # # enable = true; - # # defaultFonts = { - # # serif = [ prefs.font.serif.family ]; - # # sansSerif = [ prefs.font.sans.family ]; - # # monospace = [ prefs.font.monospace.family ]; - # # emoji = [ prefs.font.emoji.family ]; - # # }; - # # }; - # }; + home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { + inherit pkgs; + }; + services.teamviewer.enable = true; + system.stateVersion = "20.09"; } 
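Review bot: `system.stateVersion = "20.09";` at the end of the hunk moves the value backwards from the removed `"23.05"`; stateVersion records the release a system was installed with so that stateful defaults stay fixed, and it is not meant to be changed afterwards, least of all downwards. Unless this is a fresh install, keep `system.stateVersion = "23.05";`. `services.teamviewer.enable = true;` turns on a permanently running, unfree remote-access daemon with no comment saying why this laptop needs it; a one-line justification next to it, or enabling it only while in use, keeps that exposure deliberate. `with pkgs;` in the `packageOverrides` body binds nothing the visible body uses and can go.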
diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index db19a3b..fcfdb17 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix 
@@ -2,62 +2,27 @@ pkgs, lib, config, - repoFlake, ... -}: -let - localTcpPorts = [ - 22 +}: let + keys = import ../../../variables/keys.nix; + passwords = import ../../../variables/passwords.crypt.nix; +in { + nix = { + binaryCaches = ["https://holochain-ci.cachix.org" "https://cache.holo.host/"]; + binaryCachePublicKeys = [ + "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=" + "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE=" + "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ=" + ]; - # syncthing - 22000 - - # iperf3 - 5201 - ]; - - localUdpPorts = [ - # syncthing - 22000 - 21027 - ]; -in -{ - nix.settings = { - substituters = [ ]; - trusted-public-keys = [ ]; + settings.extra-experimental-features = ["impure-derivations"]; + settings.system-features = ["recursive-nix"]; }; - nix.distributedBuilds = true; - nix.buildMachines = [ - { - hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost; - # TODO: make this a reference - sshUser = "nix-remote-builder"; - protocol = "ssh-ng"; - system = "x86_64-linux"; - maxJobs = 32; - speedFactor = 100; - supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features; - } + # TASK: new device + networking.hostName = "steveej-t14"; # Define your hostname. - { - hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost; - # TODO: make this a reference - sshUser = "nix-remote-builder"; - protocol = "ssh-ng"; - system = "aarch64-linux"; - maxJobs = 32; - speedFactor = 100; - supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features; - } - ]; - - networking.networkmanager.enable = true; - - networking.extraHosts = ''''; - - networking.bridges."virbr1".interfaces = [ ]; + networking.bridges."virbr1".interfaces = []; networking.interfaces."virbr1".ipv4.addresses = [ { address = "10.254.254.254"; 
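Review bot: The new `nix` block mixes the legacy spellings `binaryCaches` / `binaryCachePublicKeys` with `settings.extra-experimental-features` and `settings.system-features`, and the removed lines already used `nix.settings.substituters` / `nix.settings.trusted-public-keys`; use the `settings.*` names for all four so one attrset does not lean on two generations of option aliases. Each key in `binaryCachePublicKeys` lets Nix accept any store path it has signed, so the list deserves a provenance comment such as `# holochain-ci / holo.host keys: verified against <source> on <date>` above it. The substituter list names only the two third-party caches; whether `cache.nixos.org` remains in the effective `substituters` after this override is worth confirming in the generated `nix.conf`, because if it is gone every nixpkgs package gets built locally. `networking.networkmanager.enable = true;` is also removed in this hunk without a visible replacement.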
@@ -65,22 +30,22 @@ in } ]; - # needed to make wireguard managed by networkmanager route all traffic through it - networking.firewall.checkReversePath = false; - networking.firewall.enable = true; - services.openssh.openFirewall = false; + networking.firewall.allowedTCPPorts = [ + # syncthing + 22000 - # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` - networking.firewall.interfaces."eth+".allowedTCPPorts = localTcpPorts; - networking.firewall.interfaces."eth+".allowedUDPPorts = localUdpPorts; - networking.firewall.interfaces."wlan+".allowedTCPPorts = localTcpPorts; - networking.firewall.interfaces."wlan+".allowedUDPPorts = localUdpPorts; + # iperf3 + 5201 + ]; networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - services.fwupd.enable = true; + services.printing = { + enable = true; + drivers = with pkgs; [hplip mfcl3770cdw.driver mfcl3770cdw.cupswrapper]; + }; services.fprintd.enable = true; security.pam.services = { @@ -90,19 +55,16 @@ in # virtualization virtualisation = { - libvirtd = { - enable = true; - }; + libvirtd = {enable = true;}; virtualbox.host = { enable = false; addNetworkInterface = false; }; - podman = { + docker = { enable = true; - dockerCompat = true; - # defaultNetwork.dnsname.enable = true; + extraOptions = "--experimental"; }; }; @@ -110,11 +72,17 @@ in # client min protocol = NT1 ''; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; + services.xserver.videoDrivers = lib.mkForce ["amdgpu"]; + services.xserver.serverFlagsSection = '' + Option "BlankTime" "0" + Option "StandbyTime" "0" + Option "SuspendTime" "0" + Option "OffTime" "0" + ''; + + time.timeZone = lib.mkForce passwords.timeZone.stefan; hardware.ledger.enable = true; - - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; } 
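Review bot: `networking.firewall.allowedTCPPorts = [ 22000 5201 ]` in this hunk opens syncthing and iperf3 on every interface, whereas the removed lines scoped the same ports to `eth+` and `wlan+`, and the removed TODO says the point was keeping them off the `zt+` overlay interface. Unless that interface no longer exists on this host, the scoping should survive the reformat: `networking.firewall.interfaces."eth+".allowedTCPPorts = [ 22000 5201 ];` plus the matching `"wlan+"` line. The UDP side (22000 and 21027, syncthing discovery) is not re-opened at all, which may be intended but is not mentioned. `services.fwupd.enable = true;` is dropped as well, so firmware updates for this device stop being available through fwupd.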
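Review bot: Replacing the podman block (`dockerCompat = true`) with `virtualisation.docker` puts a root daemon back on the host, where any member of the `docker` group is effectively root; the hunk does not show who is placed in that group, so that is worth checking against user.nix. `extraOptions = "--experimental";` enables daemon experimental features with no note of which one is needed; add `# --experimental: needed for <feature>` or drop the flag. If the switch back from podman is a deliberate rollback, say so in the commit message.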
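Review bot: `time.timeZone = lib.mkForce passwords.timeZone.stefan;` sources a non-secret value from the git-crypt'd `passwords.crypt.nix` and forces it over any other definition, which hides the timezone from anyone reviewing the plain config and makes a later `time.timeZone` setting lose silently. A plain `time.timeZone = "<zone>";` in this file, or a short `# timezone kept in passwords.crypt.nix because: <reason>`, would make the intent visible. The four `serverFlagsSection` options disable every X blanking/DPMS timer; since no screen locker appears in this diff, note where locking is configured so an unattended session is not left open indefinitely.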
diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index dacf1f4..e284b53 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix @@ -1,17 +1,16 @@ -{ config, pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; -in { - users.users.steveej2 = mkUser { + config, + pkgs, + ... +}: let + passwords = import ../../../variables/passwords.crypt.nix; + keys = import ../../../variables/keys.nix; + inherit (import ../../lib/default.nix {}) mkUser; +in { + users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; }; - nix.settings.trusted-users = [ "steveej" ]; - - security.pam.u2f.enable = true; - security.pam.services.steveej.u2fAuth = true; + nix.settings.trusted-users = ["steveej"]; } diff --git a/nix/os/devices/steveej-t14/versions.nix b/nix/os/devices/steveej-t14/versions.nix new file mode 100644 index 0000000..257043a --- /dev/null +++ b/nix/os/devices/steveej-t14/versions.nix 
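Review bot: `hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path;` is deleted from `steveej2` and nothing in the new file sets a password, so unless `mkUser` (from `../../lib/default.nix`, not on this page) supplies one the account ends up without a usable password, which matters if `users.mutableUsers = false` is in effect. The two `security.pam.u2f` lines are removed too, which takes the second factor off the `steveej` PAM service; if both removals are intended, the commit message should say so. In the new `let`, `passwords` is bound but never used, and the `config` parameter is now unused as well (this hunk is the whole file), so both can go. `users.extraUsers` is the legacy alias of `users.users`, which the removed line used; keep `users.users.steveej2 = mkUser {`.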
@@ -0,0 +1,36 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-22.11"; + rev = '' + c43f676c938662072772339be6269226c77b51b8''; + }; +in { + inherit nixpkgs; + nixos = nixpkgs // {suffix = "/nixos";}; + "channels-nixos-stable" = nixpkgs; + "channels-nixos-unstable" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable"; + rev = '' + 545c7a31e5dedea4a6d372712a18e00ce097d462''; + }; + "channels-nixos-unstable-small" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-unstable-small"; + rev = '' + b6e8ebef1966ec47edc3f1e92f3ccf6f82d0c7c4''; + }; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = '' + ecc96be9787cfdea1b8f57aec08ad9545affc2a6''; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-22.11"; + rev = '' + 65c47ced082e3353113614f77b1bc18822dc731f''; + }; +} diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix b/nix/os/devices/steveej-t14/versions.tmpl.nix similarity index 95% rename from nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix rename to nix/os/devices/steveej-t14/versions.tmpl.nix index 92abc4a..a0fa34a 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix +++ b/nix/os/devices/steveej-t14/versions.tmpl.nix @@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix index 76a34c8..7762fab 100644 --- a/nix/os/devices/steveej-utilitepro/configuration.nix +++ b/nix/os/devices/steveej-utilitepro/configuration.nix 
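Review bot: versions.nix pins every channel to `nixos-22.11` / `release-22.11` while the flake.lock deleted earlier on this page tracked nixos-23.11 and home-manager release-23.11 with `lastModified` stamps from January 2024, so the new side appears to move this host two releases back; either the diff is reversed or this is a deliberate rollback, and the commit message should say which. To my knowledge the 22.11 branches stopped receiving updates in 2023, so these pins will not pick up security fixes. The `rev = ''\n  c43f…'';` indented-string form for a 40-character hash is unusual and easy to misread; `rev = "c43f676c938662072772339be6269226c77b51b8";` is the same value on one line (likewise for the other four entries). The versions.tmpl.nix hunk that follows is whitespace only.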
@@ -1,11 +1,13 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, ... }: -let - passwords = import ../common/passwords.crypt.nix; -in { + config, + pkgs, + ... +}: let + passwords = import ../common/passwords.crypt.nix; +in { # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "16.03"; nix.maxJobs = 4; @@ -17,18 +19,22 @@ in ''; nixpkgs.config = { - packageOverrides = super: { + packageOverrides = super: let + self = super.pkgs; + in { linux_4_1 = super.linux_4_1.override { - kernelPatches = super.linux_4_1.kernelPatches ++ [ - { - patch = ./patches/utilitepro-kernel-dts.patch; - name = "utilitepro-dts"; - } - { - patch = ./patches/utilitepro-kernel-dts-Makefile.patch; - name = "utilitepro-dts-Makefile"; - } - ]; + kernelPatches = + super.linux_4_1.kernelPatches + ++ [ + { + patch = ./patches/utilitepro-kernel-dts.patch; + name = "utilitepro-dts"; + } + { + patch = ./patches/utilitepro-kernel-dts-Makefile.patch; + name = "utilitepro-dts-Makefile"; + } + ]; # add "CONFIG_PPP_FILTER y" option to the set of kernel options extraConfig = '' BTRFS_FS y @@ -263,7 +269,6 @@ in users.mutableUsers = false; users.extraUsers.root = { - # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.root; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop" 
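Review bot: In the `@@ -17,18 +19,22 @@` hunk, `self = super.pkgs;` is introduced in the new `let` of `packageOverrides` but no visible line references it; the override body continues past the hunk, so if nothing further down uses `self` the binding is dead and should be dropped. The rest of that hunk and the first hunk are formatting only. If `self` is kept for a later use, `# self: fully overridden package set, used by <attr>` next to it would make that explicit.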
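Review bot: The `@@ -263,7 +269,6 @@` hunk (and `@@ -273,11 +278,7 @@` below it) deletes the `# FIXME: this is deprecated …` comment but keeps `users.extraUsers`, the deprecated alias the comment was warning about, so the reminder is gone while the thing it flagged stays. Either rename to `users.users.root = {` / `users.users.steveej = {` or leave the FIXME in place. The context lines also show the same `ssh-rsa AAAAB3…` key authorised for both root and steveej; a `# shared key — rotate together with <other hosts>` note would at least record that one key covers both accounts.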
@@ -273,11 +278,7 @@ in uid = 1000; isNormalUser = true; home = "/home/steveej"; - extraGroups = [ - "wheel" - "libvirtd" - ]; - # FIXME: this is deprecated but so is this device probably + extraGroups = ["wheel" "libvirtd"]; hashedPassword = passwords.users.steveej; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop" diff --git a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix index 1d3e463..a325b30 100644 --- a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix +++ b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix @@ -1,13 +1,17 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ ... }: { - imports = [ ]; + config, + lib, + pkgs, + ... +}: { + imports = []; - boot.initrd.availableKernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; hardware.enableAllFirmware = true; @@ -20,5 +24,5 @@ device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66"; }; - swapDevices = [ ]; + swapDevices = []; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/.gitignore b/nix/os/devices/steveej-x13s-rmvbl/.gitignore deleted file mode 100644 index b2be92b..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/.gitignore +++ /dev/null @@ -1 +0,0 @@ -result 
diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix deleted file mode 100644 index 39e93de..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ /dev/null 
@@ -1,176 +0,0 @@ -{ - repoFlake, - nodeFlake, - pkgs, - lib, - config, - nodeName, - system, - ... -}: -{ - nixos-x13s = { - enable = true; - # TODO: use hardware address - bluetoothMac = "65:9e:7a:8b:86:28"; - }; - - systemd.services.bluetooth-mac = { - enable = true; - path = [ - pkgs.systemd - pkgs.util-linux - pkgs.bluez5-experimental - pkgs.expect - ]; - script = '' - # TODO: this may not be required - while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do - echo Waiting for bluetooth firmware to complete - echo sleep 1 - done - - ( - # best effort - set +e - rfkill block bluetooth - echo $? - btmgmt public-addr ${config.nixos-x13s.bluetoothMac} - echo $? - rfkill unblock bluetooth - echo $? - ) - ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - - # we need a tty, otherwise btmgmt will hang - StandardInput = "tty"; - TTYPath = "/dev/tty2"; - TTYReset = "yes"; - TTYVHangup = "yes"; - }; - }; - - imports = [ - nodeFlake.inputs.nixos-x13s.nixosModules.default - - repoFlake.inputs.sops-nix.nixosModules.sops - nodeFlake.inputs.disko.nixosModules.disko - ./disko.nix - - ../../snippets/nix-settings.nix - ../../profiles/common/user.nix - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - services.openssh.openFirewall = true; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - users.commonUsers = { - enable = true; - enableNonRoot = true; - }; - } - - ../../snippets/home-manager-with-zsh.nix - ../../snippets/sway-desktop.nix - ../../snippets/bluetooth.nix - ../../snippets/timezone.nix - ../../snippets/radicale.nix - ]; - - networking.hostName = nodeName; - networking.firewall.enable = true; - networking.networkmanager.enable = true; - - nixpkgs.config.allowUnfree = true; - - environment.systemPackages = [ - pkgs.sshfs - pkgs.util-linux - 
pkgs.coreutils - pkgs.vim - - pkgs.git - pkgs.git-crypt - ]; - - system.stateVersion = "23.11"; - home-manager.users.root = _: { home.stateVersion = "23.11"; }; - home-manager.users.steveej = _: { - home.stateVersion = "23.11"; - - imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; - - home.sessionVariables = { }; - - home.packages = with pkgs; [ ]; - - # TODO: currently unsupported - services.gammastep.enable = lib.mkForce false; - # programs.chromium.enable = lib.mkForce false; - }; - - boot = { - loader.systemd-boot.enable = true; - loader.efi.canTouchEfiVariables = lib.mkForce false; - loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ "wwan" ]; - - initrd.kernelModules = [ - "uas" - "usb_storage" - - "phy_qcom_qmp_pcie" - "phy_qcom_qmp_combo" - "phy_qcom_snps_femto_v2" - "phy_qcom_qmp_pcie" - "phy_qcom_qmp_usb" - "xhci-pci-renesas" - - "msm" - ]; - - initrd.extraFiles = { - "firmware/qcom/sc8280xp/LENOVO/21BX/adspr.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/adspua.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/audioreach-tplg.bin".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/battmgr.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/cdspr.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcadsp8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = - nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; - }; - }; - - hardware.firmware = [ - pkgs.linux-firmware - nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware" - ]; - - hardware.enableAllFirmware = true; - - # see 
https://linrunner.de/tlp/ - services.tlp = { - enable = true; - settings = { - START_CHARGE_THRESH_BAT0 = "80"; - STOP_CHARGE_THRESH_BAT0 = "85"; - }; - }; - - # android on linux - virtualisation.waydroid.enable = true; - virtualisation.podman.enable = true; - virtualisation.podman.dockerCompat = true; -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix deleted file mode 100644 index 2ba48d2..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/default.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ - system ? "aarch64-linux", - nodeName, - repoFlake, - repoFlakeWithSystem, - nodeFlake, - localDomainName ? "internal", - ... -}: -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; - packages' = repoFlake.packages.${system}; - nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); - - inherit localDomainName; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "${nodeName}.${localDomainName}"; - deployment.replaceUnknownProfiles = true; - deployment.allowLocalDeployment = true; - - # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - - imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; - }; -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix deleted file mode 100644 index 2eb097a..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/disko.nix +++ /dev/null 
@@ -1,73 +0,0 @@ -{ - disko.devices = { - disk = { - voyager-gtx = { - type = "disk"; - device = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002054"; - content = { - type = "gpt"; - partitions = { - ESP = { - size = "500M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - luks = { - size = "100%"; - content = { - type = "luks"; - name = "x13s-usb-crypt"; - extraOpenArgs = [ ]; - # disable settings.keyFile if you want to use interactive password entry - #passwordFile = "/tmp/secret.key"; # Interactive - settings = { - # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - # keyFile = "/tmp/secret.key"; - allowDiscards = true; - }; - # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/swap" = { - mountpoint = "/.swapvol"; - swap.swapfile.size = "32G"; - }; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.lock b/nix/os/devices/steveej-x13s-rmvbl/flake.lock deleted file mode 100644 index dcc457f..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.lock +++ /dev/null 
@@ -1,194 +0,0 @@ -{ - "nodes": { - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705890365, - "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=", - "owner": "nix-community", - "repo": "disko", - "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9", - "type": "github" - }, - "original": { - "id": "disko", - "type": "indirect" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1704982712, - "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "07f6395285469419cf9d078f59b5b49993198c00", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "get-flake": { - "locked": { - "lastModified": 1694475786, - "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", - "owner": "ursi", - "repo": "get-flake", - "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705659542, - "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-23.11", - "repo": "home-manager", - "type": "github" - } - }, - "mobile-nixos": { - "flake": false, - "locked": { - "lastModified": 1705008488, - "narHash": "sha256-Gj97fDFZaK6gLb3ayZgTTtD+MFE1YjoyYHWkB1TIAe0=", - "owner": "NixOS", - "repo": "mobile-nixos", - "rev": "56e55df7b07b5e5c6d050732d851cec62b41df95", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "mobile-nixos", - "type": "github" - } - }, - "nixos-x13s": { - "inputs": { - "flake-parts": "flake-parts", - 
"nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1706097550, - "narHash": "sha256-rR4HMpUlT7SbVPxQIvWH0DsxaEQcjTLqLrst2xoT1CY=", - "ref": "refs/heads/main", - "rev": "732a0f1549996740bdb06989599a5f0653de5056", - "revCount": 6, - "type": "git", - "url": "https://codeberg.org/steveej/nixos-x13s" - }, - "original": { - "type": "git", - "url": "https://codeberg.org/steveej/nixos-x13s" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1705916986, - "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2211": { - "locked": { - "lastModified": 1688392541, - "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-lib": { - "locked": { - "dir": "lib", - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", - "type": "github" - }, - "original": { - "dir": "lib", - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable-small": { - "locked": { - "lastModified": 1706022028, - "narHash": "sha256-F8Gv4R4K/AvS3+6pWd8wlnw4Vhgf7bcszy7i8XPbzA0=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "15ff1758e7816331033baa14eebbea68626128f3", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "get-flake": "get-flake", - "home-manager": 
"home-manager", - "mobile-nixos": "mobile-nixos", - "nixos-x13s": "nixos-x13s", - "nixpkgs": "nixpkgs", - "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-unstable-small": "nixpkgs-unstable-small" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix deleted file mode 100644 index 043907d..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - - # required for home-manager modules - nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; - nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; - - get-flake.url = "github:ursi/get-flake"; - - disko.inputs.nixpkgs.follows = "nixpkgs"; - - mobile-nixos.url = "github:NixOS/mobile-nixos"; - mobile-nixos.flake = false; - - home-manager = { - url = "github:nix-community/home-manager/release-23.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s"; - nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - system = "aarch64-linux"; - buildPlatform = "x86_64-linux"; - repoFlake = get-flake ../../../..; - in - { - lib = { - mkNixosConfiguration = - { - nodeName, - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - inherit system; - inherit nodeName repoFlake; - - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; - - modules = extraModules; - } - ); - }; - - nixosConfigurations = - let - nodeName = "steveej-x13s-rmvbl"; - in - { - native = self.lib.mkNixosConfiguration { - inherit system nodeName; - extraModules = [ - ./configuration.nix - - { users.commonUsers.installPassword = "install"; } - ]; - }; - - cross = self.lib.mkNixosConfiguration { - inherit nodeName; - extraModules = [ - ./configuration.nix - - { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = system; - } - ]; - }; - }; - }; -} diff --git a/nix/os/devices/steveej-x13s/.gitignore b/nix/os/devices/steveej-x13s/.gitignore deleted file mode 100644 index b2be92b..0000000 --- a/nix/os/devices/steveej-x13s/.gitignore +++ /dev/null @@ -1 +0,0 @@ -result 
diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix deleted file mode 100644 index bc2cde1..0000000 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ /dev/null 
@@ -1,288 +0,0 @@ -{ - repoFlake, - nodeFlake, - pkgs, - lib, - config, - nodeName, - system, - ... -}: -{ - nixpkgs.overlays = [ nodeFlake.overlays.default ]; - - nixos-x13s = { - enable = true; - # TODO: use hardware address - bluetoothMac = "65:9e:7a:8b:86:28"; - kernel = "jhovold"; - }; - - services.illum.enable = true; - - # printint and autodiscovery of printers - services.printing.enable = true; - services.printing.drivers = [ pkgs.hplip ]; - services.avahi = { - enable = true; - nssmdns4 = true; - openFirewall = true; - }; - hardware.sane.enable = true; # enables support for SANE scanners - - systemd.services.bluetooth-x13s-mac = lib.mkForce { - enable = true; - path = [ - pkgs.systemd - pkgs.util-linux - pkgs.bluez5-experimental - pkgs.expect - ]; - script = '' - # TODO: this may not be required - while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do - echo Waiting for bluetooth firmware to complete - echo sleep 1 - done - - ( - # best effort - set +e - rfkill block bluetooth - echo $? - btmgmt public-addr ${config.nixos-x13s.bluetoothMac} - echo $? - rfkill unblock bluetooth - echo $? 
- ) - ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - - # we need a tty, otherwise btmgmt will hang - StandardInput = "tty"; - TTYPath = "/dev/tty2"; - TTYReset = "yes"; - TTYVHangup = "yes"; - }; - }; - - imports = [ - nodeFlake.inputs.nixos-x13s.nixosModules.default - - repoFlake.inputs.sops-nix.nixosModules.sops - nodeFlake.inputs.disko.nixosModules.disko - ./disko.nix - - ../../profiles/common/user.nix - - ../../snippets/nix-settings.nix - ../../snippets/nix-settings-holo-chain.nix - ../../snippets/mycelium.nix - - nodeFlake.inputs.extra-container.nixosModules.default - { - networking.nat = { - enable = true; - internalInterfaces = [ "ve-+" ]; - # externalInterface = "enu1u1u2"; - # Lazy IPv6 connectivity for the container - # enableIPv6 = true; - }; - } - - # TODO: broken with: v4l2loopback-0.13.2-6.13.0-rc3.drv - # make: *** [Makefile:53: v4l2loopback.ko] Error 2 - # ../../snippets/obs-studio.nix - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - services.openssh.openFirewall = true; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - users.commonUsers = { - enable = true; - enableNonRoot = true; - }; - - sops.secrets.builder-private-key = { }; - nix.distributedBuilds = true; - nix.buildMachines = [ - # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=/run/secrets/builder-private-key' - { - hostName = "buildbot-nix-0.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - protocol = "ssh-ng"; - systems = [ "x86_64-linux" ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 16; - } - - { - hostName = "aarch64-linux-builder-0.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - 
protocol = "ssh-ng"; - systems = [ "aarch64-linux" ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 8; - } - - { - hostName = "x64-linux-dev-01.dev.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - protocol = "ssh-ng"; - systems = [ - # "x86_64-linux" - "aarch64-linux" - ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 0; - } - ]; - } - - { - # yubikey / smartcard. only set to `true` for `ykman piv` commands. - services.pcscd.enable = false; - } - - # TODO: create syncthing os snippet - ( - let - tcp = [ 22000 ]; - udp = [ - 22000 - 21027 - ]; - in - { - # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` - networking.firewall.interfaces."en+".allowedTCPPorts = tcp; - networking.firewall.interfaces."en+".allowedUDPPorts = udp; - networking.firewall.interfaces."wl+".allowedTCPPorts = tcp; - networking.firewall.interfaces."wl+".allowedUDPPorts = udp; - - networking.firewall.allowedTCPPorts = [ - # iperf3 - 5201 - ]; - } - ) - - ../../snippets/home-manager-with-zsh.nix - ../../snippets/sway-desktop.nix - ../../snippets/bluetooth.nix - ../../snippets/timezone.nix - ../../snippets/radicale.nix - - ../../snippets/holo-zerotier.nix - - # ../../snippets/k3s-w-nix-snapshotter.nix - ]; - - networking.hostName = nodeName; - networking.firewall.enable = true; - networking.networkmanager.enable = true; - - nixpkgs.config.allowUnfree = true; - - environment.systemPackages = [ - pkgs.sshfs - pkgs.util-linux - pkgs.coreutils - pkgs.vim - - pkgs.git - pkgs.git-crypt - ]; - - system.stateVersion = "23.11"; - home-manager.users.root = _: { home.stateVersion = "23.11"; }; - home-manager.users.steveej = _: { - home.stateVersion = "23.11"; - - imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; - - nixpkgs.overlays = [ nodeFlake.overlays.default ]; - - home.sessionVariables = { }; - - home.packages = with 
pkgs; [ ]; - - # TODO(upstream): currently unsupported on x13s - services.gammastep.enable = true; - }; - - boot = { - loader.systemd-boot.enable = true; - loader.systemd-boot.configurationLimit = 5; - - loader.efi.canTouchEfiVariables = lib.mkForce false; - loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ - "wwan" - # "qcom_soundwire" - # "snd_soc_qcom_sdw" - # "snd_soc_sc8280xp" - ]; - }; - - # TODO: debug this collision: collision between `/nix/store/cb32qlzc4pm6h4arw59kxqyzbvgnmx7g-b43-firmware-6.30.163.46-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' and `/nix/store/niffz3cf0v91y5knz0an29fwvm8amigm-b43-firmware-5.100.138-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' - hardware.firmware = lib.mkBefore [ - (pkgs.runCommand "x13s-ath11k-firmware-before" { } '' - mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - '') - ]; - - # see https://linrunner.de/tlp/ - # TODO: find an equivalent to tlp that supports this machine - services.tlp = { - enable = false; - settings = { - START_CHARGE_THRESH_BAT0 = "80"; - STOP_CHARGE_THRESH_BAT0 = "85"; - }; - }; - - # android on linux - virtualisation.waydroid.enable = true; - hardware.ledger.enable = true; - - virtualisation.containers.enable = true; - virtualisation.podman.enable = true; - - steveej.holo-zerotier = { - enable = true; - autostart = false; - }; - - services.udev.packages = [ pkgs.android-udev-rules ]; - programs.adb.enable = true; - - nix.settings.sandbox = lib.mkForce "relaxed"; - - systemd.user.services.wireplumber.environment.LIBCAMERA_IPA_PROXY_PATH = - "${pkgs.libcamera}/libexec/libcamera"; -} 
diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix deleted file mode 100644 index bb170b2..0000000 --- a/nix/os/devices/steveej-x13s/default.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ - system ? "aarch64-linux", - nodeName, - repoFlake, - repoFlakeWithSystem, - nodeFlake, - localDomainName ? "internal", - ... -}: -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; - packages' = repoFlake.packages.${system}; - nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); - - inherit localDomainName; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "${nodeName}.${localDomainName}"; - deployment.replaceUnknownProfiles = true; - deployment.allowLocalDeployment = true; - - # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - - imports = [ ./configuration.nix ]; - }; -} diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix deleted file mode 100644 index 40b2118..0000000 --- a/nix/os/devices/steveej-x13s/disko.nix +++ /dev/null 
@@ -1,74 +0,0 @@ -{ - disko.devices = { - disk = { - x13s-nvme = { - type = "disk"; - device = "/dev/disk/by-id/nvme-KBG5AZNT1T02_LA_KIOXIA_52QC84BEEJS6"; - # device = "/dev/disk/by-id/nvme-Corsair_MP600_CORE_MINI_A7SIB33902BQLN"; - content = { - type = "gpt"; - partitions = { - ESP = { - size = "500M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - luks = { - size = "100%"; - content = { - type = "luks"; - name = "x13s-nvme-crypt"; - extraOpenArgs = [ ]; - # disable settings.keyFile if you want to use interactive password entry - #passwordFile = "/tmp/secret.key"; # Interactive - settings = { - # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - # keyFile = "/tmp/secret.key"; - allowDiscards = true; - }; - # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/swap" = { - mountpoint = "/.swapvol"; - swap.swapfile.size = "32G"; - }; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock deleted file mode 100644 index cef30a8..0000000 --- a/nix/os/devices/steveej-x13s/flake.lock +++ /dev/null 
@@ -1,445 +0,0 @@ -{ - "nodes": { - "ath11k-firmware": { - "flake": false, - "locked": { - "lastModified": 1746643896, - "narHash": "sha256-QXZHcbMNX0f2RQBrCCYRS3dLU1q/02J3HjnWuv8Oaaw=", - "ref": "refs/heads/main", - "rev": "1e7cd757828d414f71da82f480696540473bd475", - "revCount": 174, - "type": "git", - "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" - }, - "original": { - "type": "git", - "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" - } - }, - "crane": { - "locked": { - "lastModified": 1742317686, - "narHash": "sha256-ScJYnUykEDhYeCepoAWBbZWx2fpQ8ottyvOyGry7HqE=", - "owner": "ipetkov", - "repo": "crane", - "rev": "66cb0013f9a99d710b167ad13cbd8cc4e64f2ddb", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1748225455, - "narHash": "sha256-AzlJCKaM4wbEyEpV3I/PUq5mHnib2ryEy32c+qfj6xk=", - "owner": "nix-community", - "repo": "disko", - "rev": "a894f2811e1ee8d10c50560551e50d6ab3c392ba", - "type": "github" - }, - "original": { - "id": "disko", - "type": "indirect" - } - }, - "extra-container": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1734542275, - "narHash": "sha256-wnRkafo4YrIuvJeRsOmfStxIzi7ty2I0OtGMO9chwJc=", - "owner": "erikarvstedt", - "repo": "extra-container", - "rev": "fa723fb67201c1b4610fd3d608681da362f800eb", - "type": "github" - }, - "original": { - "owner": "erikarvstedt", - "repo": "extra-container", - "type": "github" - } - }, - "flake-compat": { - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - 
"flake-compat_2": { - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "revCount": 69, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" - } - }, - "flake-compat_3": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "nix-snapshotter", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": 
"numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "id": "flake-utils", - "type": "indirect" - } - }, - "get-flake": { - "inputs": { - "flake-compat": "flake-compat" - }, - "locked": { - "lastModified": 1745945175, - "narHash": "sha256-JGDbJRl5v1snA4JX+yp6m3UA6Mazr59Hrgz+UhhP91M=", - "owner": "ursi", - "repo": "get-flake", - "rev": "38401aa2b3a99c77d0c02727471e99e7de2fc366", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1748455938, - "narHash": "sha256-mQ/iNzPra2WtDQ+x2r5IadcWNr0m3uHvLMzJkXKAG/8=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "02077149e2921014511dac2729ae6dadb4ec50e2", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "master", - "repo": "home-manager", - "type": "github" - } - }, - "linux-jhovold": { - "flake": false, - "locked": { - "lastModified": 1748260494, - "narHash": "sha256-0KTN63q+86g++BVQPOm7MHAVQvj+t3aJFsPwE+wDk2U=", - "owner": "jhovold", - "repo": "linux", - "rev": "ababc24306a694b74995cffc4e9c51aa84b9af8a", - "type": "github" - }, - "original": { - "owner": "jhovold", - "ref": "wip/sc8280xp-6.15", - "repo": "linux", - "type": "github" - } - }, - "mycelium": { - "inputs": { - "crane": "crane", - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nix-filter": "nix-filter", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1747734538, - "narHash": "sha256-bFKEPbwffDSvoG6KBDH87ebbnFq1IyqAfLyg2zlwlIY=", - "owner": "threefoldtech", - "repo": "mycelium", - "rev": 
"71cb99dc65f47d4baced0288df1d299bf960505e", - "type": "github" - }, - "original": { - "owner": "threefoldtech", - "repo": "mycelium", - "type": "github" - } - }, - "nix-filter": { - "locked": { - "lastModified": 1731533336, - "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", - "owner": "numtide", - "repo": "nix-filter", - "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "nix-filter", - "type": "github" - } - }, - "nix-snapshotter": { - "inputs": { - "flake-compat": "flake-compat_3", - "flake-parts": "flake-parts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1717948701, - "narHash": "sha256-G7SXaZ7J4yO4OQEKSZPVWcccfV87uyLech0jEOU350g=", - "owner": "yu-re-ka", - "repo": "nix-snapshotter", - "rev": "c10b066a4b1bb3451507c141636014e3335e579e", - "type": "github" - }, - "original": { - "owner": "yu-re-ka", - "repo": "nix-snapshotter", - "type": "github" - } - }, - "nixos-x13s": { - "inputs": { - "flake-parts": "flake-parts_2", - "linux-jhovold": "linux-jhovold", - "nixpkgs": [ - "nixpkgs" - ], - "x13s-bt-linux-firmware": "x13s-bt-linux-firmware" - }, - "locked": { - "lastModified": 1748459535, - "narHash": "sha256-U7n47n4oIhKKiCVzGBOz0vdoihmjLBJFPvdp+gFapmU=", - "ref": "bump", - "rev": "903961b6ad426a1092d3b05501b8f17bcde3c0ab", - "revCount": 151, - "type": "git", - "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" - }, - "original": { - "ref": "bump", - "type": "git", - "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" - } - }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1733096140, - "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - } - }, 
- "nixpkgs-stable": { - "locked": { - "lastModified": 1748037224, - "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "f09dede81861f3a83f7f06641ead34f02f37597f", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1748370509, - "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "4faa5f5321320e49a78ae7848582f684d64783e9", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "ath11k-firmware": "ath11k-firmware", - "disko": "disko", - "extra-container": "extra-container", - "get-flake": "get-flake", - "home-manager": "home-manager", - "mycelium": "mycelium", - "nix-snapshotter": "nix-snapshotter", - "nixos-x13s": "nixos-x13s", - "nixpkgs": [ - "nixpkgs-unstable" - ], - "nixpkgs-stable": "nixpkgs-stable", - "nixpkgs-unstable": "nixpkgs-unstable" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "x13s-bt-linux-firmware": { - "flake": false, - "locked": { - "lastModified": 1733240564, - "narHash": "sha256-348f+wuX7x8xqaBRkraTclupdnRcwL/z2l/1Bs/reXc=", - "ref": 
"refs/heads/main", - "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", - "revCount": 4282, - "type": "git", - "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" - }, - "original": { - "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", - "type": "git", - "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix deleted file mode 100644 index ee2645d..0000000 --- a/nix/os/devices/steveej-x13s/flake.nix +++ /dev/null 
@@ -1,114 +0,0 @@ -{ - inputs = { - nixpkgs.follows = "nixpkgs-unstable"; - nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - # nixpkgs-unstable.url = "github:steveej-forks/nixpkgs/nixos-unstable"; - - get-flake.url = "github:ursi/get-flake"; - - disko.inputs.nixpkgs.follows = "nixpkgs"; - - home-manager = { - # url = "github:steveej-forks/home-manager/master"; - url = "github:nix-community/home-manager/master"; - # url = "github:nix-community/home-manager/release-24.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump" - # 6.13-rc2 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump&rev=c95058f8aa1b361df3874429c5dc0f694f9cba78" - # 6.11.0 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490" - # 6.12.0-rc6 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee" - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630" - #"/home/steveej/src/others/nixos-x13s" - # - ; - # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s"; - # nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; - nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; - - ath11k-firmware = { - url = "git+https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git"; - flake = false; - }; - - mycelium.url = "github:threefoldtech/mycelium"; - mycelium.inputs.nixpkgs.follows = "nixpkgs"; - - nix-snapshotter = { - url = "github:yu-re-ka/nix-snapshotter"; - # url = "github:pdtpartners/nix-snapshotter"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - extra-container = { - url = "github:erikarvstedt/extra-container"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - }; - - outputs = - { - self, - get-flake, 
- nixpkgs, - ... - }: - let - nativeSystem = "aarch64-linux"; - nodeName = "steveej-x13s"; - - repoFlake = get-flake ../../../..; - - mkNixosConfiguration = - { - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; - - inherit repoFlake; - repoFlakeWithSystem = repoFlake.lib.withSystem; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; - - modules = [ - ./configuration.nix - - # flake registry - { nix.registry.nixpkgs.flake = nixpkgs; } - ] ++ extraModules; - } - ); - in - { - lib = { - inherit mkNixosConfiguration; - }; - - overlays.default = _final: _previous: { - }; - - nixosConfigurations = { - native = mkNixosConfiguration { system = nativeSystem; }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; - } - ]; - }; - }; - }; -} diff --git a/nix/os/devices/vmd102066.contaboserver.net/boot.nix b/nix/os/devices/vmd102066.contaboserver.net/boot.nix index ed21f9c..5713789 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/boot.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix index b29548c..28a63fb 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix @@ -1,6 +1,5 @@ -{ ... }: -{ - disabledModules = [ ]; +{...}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix 
diff --git a/nix/os/devices/vmd102066.contaboserver.net/default.nix b/nix/os/devices/vmd102066.contaboserver.net/default.nix
deleted file mode 100644
index 958331e..0000000
--- a/nix/os/devices/vmd102066.contaboserver.net/default.nix
+++ /dev/null
@@ -1,26 +0,0 @@
-{ repoFlake, ... }:
-let
- nodeName = "vmd102066.contaboserver.net";
- system = "x86_64-linux";
-
- nodeFlake = repoFlake.inputs.get-flake ./.;
-in
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit nodeName nodeFlake;
- packages' = repoFlake.packages.${system};
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = nodeName;
- deployment.replaceUnknownProfiles = true;
-
- imports = [
- (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix")
-
- nodeFlake.inputs.home-manager.nixosModules.home-manager
- ];
- };
-}
diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.lock b/nix/os/devices/vmd102066.contaboserver.net/flake.lock
deleted file mode 100644
index 2a1267e..0000000
--- a/nix/os/devices/vmd102066.contaboserver.net/flake.lock
+++ /dev/null
@@ -1,99 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "utils": "utils" - }, - "locked": { - "lastModified": 1681092193, - "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-22.11", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1681759395, - "narHash": "sha256-7aaRtLxLAy8qFVIA26ulB+Q5nDVzuQ71qi0s0wMjAws=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "cd749f58ba83f7155b7062dd49d08e5e47e44d50", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1681895322, - "narHash": "sha256-dtduardGFljEIh0Whlnhzda7Au0s1WnnSdzh2ZhCu9c=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "57aad37a2eab85fb5522cbc8568fe27872071a1c", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1681770396, - "narHash": "sha256-tq+GZOkRA3uF3I/jIzuBGfnTRQFT4QnnRCWJ8DKSaMg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "4df48038a44e9f3a3da8e9b42ca182726b743de4", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable" - } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - 
"original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.nix b/nix/os/devices/vmd102066.contaboserver.net/flake.nix deleted file mode 100644 index 0547466..0000000 --- a/nix/os/devices/vmd102066.contaboserver.net/flake.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; - inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; - inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; - - inputs.home-manager = { - url = "github:nix-community/home-manager/release-22.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/vmd102066.contaboserver.net/hw.nix b/nix/os/devices/vmd102066.contaboserver.net/hw.nix index 392bb1b..e09b10e 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/hw.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/hw.nix @@ -1,5 +1,4 @@ -_: -let +{...}: let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -12,8 +11,7 @@ let "virtio" "scsi_mod" ]; -in -{ +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix index 2857a30..821775e 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix @@ -1,5 +1,17 @@ -{ config, pkgs, ... }: { + config, + pkgs, + lib, + ... +}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; + }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; 
@@ -8,12 +20,7 @@
 {
 hostName = "localhost";
 system = "x86_64-linux";
- supportedFeatures = [
- "kvm"
- "nixos-test"
- "big-parallel"
- "benchmark"
- ];
+ supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
 maxJobs = 4;
 }
 ];
@@ -23,7 +30,7 @@
 hydraURL = "http://localhost:3000"; # externally visible URL
 notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service
 # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
- buildMachinesFiles = [ ];
+ buildMachinesFiles = [];
 # you will probably also want, otherwise *everything* will be built from scratch
 useSubstitutes = true;
 };
@@ -31,13 +38,7 @@
 services.gitlab-runner = {
 enable = false;
- extraPackages = with pkgs; [
- bash
- gitlab-runner
- nix
- gitFull
- git-crypt
- ];
+ extraPackages = with pkgs; [bash gitlab-runner nix gitFull git-crypt];
 concurrent = 2;
 checkInterval = 0;
@@ -46,7 +47,7 @@
 executor = "shell";
 runUntagged = true;
 registrationConfigFile = "/etc/secrets/gitlab-runner/nix-runner.registration";
- tagList = [ "nix" ];
+ tagList = ["nix"];
 };
 };
 };
diff --git a/nix/os/devices/vmd102066.contaboserver.net/system.nix b/nix/os/devices/vmd102066.contaboserver.net/system.nix
index cebed6a..861689d 100644
--- a/nix/os/devices/vmd102066.contaboserver.net/system.nix
+++ b/nix/os/devices/vmd102066.contaboserver.net/system.nix
@@ -1,9 +1,16 @@
-{ pkgs, config, ... }:
-let
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: let
 keys = import ../../../variables/keys.nix;
 passwords = import ../../../variables/passwords.crypt.nix;
-in
-{
+in {
+ # TASK: new device
+ networking.hostName = "vmd102066"; # Define your hostname.
+ networking.domain = "contaboserver.net";
+
 networking.firewall.enable = true;
 networking.firewall.allowedTCPPorts = [
 # iperf3
@@ -33,7 +40,7 @@ in
 networking.nat = {
 enable = true;
- internalInterfaces = [ "ve-+" ];
+ internalInterfaces = ["ve-+"];
 externalInterface = "eth0";
 };
@@ -41,9 +48,7 @@ in
 # services.kubernetes.roles = ["master" "node"];
 # virtualization
- virtualisation = {
- docker.enable = true;
- };
+ virtualisation = {docker.enable = true;};
 services.spice-vdagentd.enable = true;
 services.qemuGuest.enable = true;
@@ -51,33 +56,31 @@ in
 systemd.services."sshd-status" = {
 enable = true;
 description = "sshd-status service";
- path = [ pkgs.systemd ];
+ path = [pkgs.systemd];
 script = ''
 systemctl status sshd | grep -i tasks
 '';
 };
- # systemd.services.sshd.serviceConfig = {TasksMax = 32;};
+ systemd.services.sshd.serviceConfig = {TasksMax = 32;};
- # systemd.timers."sshd-status" = {
- # description = "Timer to trigger sshd-status periodically";
- # enable = true;
- # wantedBy = ["timer.target" "multi-user.target"];
- # timerConfig = {
- # OnActiveSec = "5s";
- # OnUnitActiveSec = "5s";
- # AccuracySec = "1s";
- # Unit = "sshd-status.service";
- # };
- # };
-
- nix.gc = {
- automatic = true;
+ systemd.timers."sshd-status" = {
+ description = "Timer to trigger sshd-status periodically";
+ enable = true;
+ wantedBy = ["timer.target" "multi-user.target"];
+ timerConfig = {
+ OnActiveSec = "5s";
+ OnUnitActiveSec = "5s";
+ AccuracySec = "1s";
+ Unit = "sshd-status.service";
+ };
 };
+ nix.gc = {automatic = true;};
+
 boot.initrd.network = {
 enable = true;
- udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ];
+ udhcpc.extraArgs = ["-x hostname:${config.networking.hostName}"];
 ssh = {
 enable = true;
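Review bot: The newly enabled `systemd.services.sshd.serviceConfig = {TasksMax = 32;}` caps the whole sshd.service cgroup at 32 tasks, and each incoming connection already consumes tasks before authentication (the per-connection sshd and its unprivileged privilege-separation child stay in sshd.service until login completes, after which pam_systemd normally moves the session into its own scope), so a burst of scanner connections can exhaust the cap and make sshd refuse new logins, including the administrator's, while doing little for sessions that are already established. If the goal is to bound pre-authentication load, sshd's own `MaxStartups` does that without starving the daemon itself, e.g. `services.openssh.extraConfig = "MaxStartups 10:30:60";`, and TasksMax can stay at its default. The re-enabled `sshd-status` timer fires every five seconds indefinitely (`OnUnitActiveSec = "5s"`) and writes a `systemctl status` excerpt to the journal on each run, which reads like a debugging aid rather than a permanent setting; a longer interval or a comment stating why it must stay would help. The `boot.initrd.network` block at the end of the hunk continues past it.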
@@ -97,19 +100,45 @@ in done ''; + # networking.useHostResolvConf = true; + containers = { + mailserver = import ../../containers/mailserver.nix { + autoStart = true; + + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + + imapsPort = 993; + sievePort = 4190; + }; + + webserver = import ../../containers/webserver.nix { + autoStart = true; + + hostAddress = "192.168.100.12"; + localAddress = "192.168.100.13"; + + httpPort = 80; + httpsPort = 443; + }; + + syncthing = import ../../containers/syncthing.nix { + autoStart = true; + + hostAddress = "192.168.100.14"; + localAddress = "192.168.100.15"; + + syncthingPort = 22000; + }; + backup = import ../../containers/backup.nix { autoStart = false; inherit config; hostAddress = "192.168.100.16"; localAddress = "192.168.100.17"; - subvolumes = [ - "mailserver" - "webserver" - "backup" - "syncthing" - ]; + subvolumes = ["mailserver" "webserver" "backup" "syncthing"]; }; bkpTarget = import ../../containers/backup-target.nix { diff --git a/nix/os/devices/vmd102066.contaboserver.net/versions.nix b/nix/os/devices/vmd102066.contaboserver.net/versions.nix new file mode 100644 index 0000000..c15fcee --- /dev/null +++ b/nix/os/devices/vmd102066.contaboserver.net/versions.nix @@ -0,0 +1,20 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-22.05"; + rev = "b3a8f7ed267e0a7ed100eb7d716c9137ff120fe3"; + }; +in { + inherit nixpkgs; + "channels-nixos-stable" = nixpkgs; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = "6b10854c8194f1ebaa5bce623e71c6da1c008861"; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-22.05"; + rev = "f0ecd4b1db5e15103e955b18cb94bea4296e5c45"; + }; +} diff --git a/nix/os/devices/vmd102066.contaboserver.net/versions.tmpl.nix b/nix/os/devices/vmd102066.contaboserver.net/versions.tmpl.nix new file mode 100644 index 0000000..511138c --- /dev/null 
+++ b/nix/os/devices/vmd102066.contaboserver.net/versions.tmpl.nix @@ -0,0 +1,26 @@ +let + nixpkgs = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "nixos-22.05"; + rev = '' + <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.05 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +in { + inherit nixpkgs; + "channels-nixos-stable" = nixpkgs; + "nixpkgs-master" = { + url = "https://github.com/NixOS/nixpkgs/"; + ref = "master"; + rev = '' + <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; + "home-manager-module" = { + url = "https://github.com/nix-community/home-manager"; + ref = "release-22.05"; + rev = '' + <% git ls-remote https://github.com/nix-community/home-manager.git release-22.05 | awk '{ print $1 }' | tr -d ' + ' -%>''; + }; +} diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 206c367..caa0738 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix 
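Review bot: the `nixos-22.05` and `release-22.05` pipelines feed `git ls-remote` straight into `awk '{ print $1 }'` without the `head -n1` that the `master` entry uses, so if more than one ref matches the pattern (a branch and a tag of the same name, for instance) the hashes are glued together by the `tr -d '\n'` into one invalid `rev`. Use the same `| head -n1 |` in all three pipelines, or better, ask for the fully qualified ref (`refs/heads/nixos-22.05`) so only one line can come back. Since the rendered values become the pins in `versions.nix` that the whole system is built from, a malformed rev is otherwise only discovered at the next fetch.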
@@ -1,52 +1,38 @@ -{ lib, config }: -let - keys = import ../../variables/keys.nix; - deepMergeAttrsets = - listOfAttrsets: lib.foldl' (acc: cur: lib.recursiveUpdate acc cur) { } listOfAttrsets; -in { - inherit deepMergeAttrsets; - - mkUser = - args@{ username, ... }: + keys ? import ../../variables/keys.nix, + passwords ? import ../../variables/passwords.crypt.nix, +}: { + mkRoot = {} @ args: { - users.users.${username} = deepMergeAttrsets [ - { - isNormalUser = true; - extraGroups = [ - "docker" - "podman" - "wheel" - "libvirtd" - "networkmanager" - "vboxusers" - "users" - "input" - "audio" - "video" - "cdrom" - "adbusers" - "dialout" - "cdrom" - "fuse" - "adbusers" - "scanner" - "lp" - "kvm" - ]; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; + hashedPassword = passwords.users.root; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; + } + // args; - # TODO: investigate why this secret cannot be found - # openssh.authorizedKeys.keyFiles = [ - # config.sops.secrets.sharedSshKeys-steveej.path - # ]; - } - - (builtins.removeAttrs args [ "username" ]) + mkUser = { + uid, + hashedPassword ? passwords.users.steveej, + ... + } @ args: + { + inherit uid hashedPassword; + isNormalUser = true; + extraGroups = [ + "docker" + "wheel" + "libvirtd" + "networkmanager" + "vboxusers" + "users" + "input" + "audio" + "video" + "cdrom" + "adbusers" ]; - - home-manager.users.${username}.home.username = username; - }; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; + } + // args; disk = rec { # TODO: verify the GPT PARTLABEL cap at 36 chars @@ -54,7 +40,7 @@ in # LVM doesn't allow most characters in VG names # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+] - volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId; + volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId; # This is important at install-time bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId; 
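Review bot: `mkRoot = {} @ args:` accepts only the empty attribute set, so the `// args` merge at the end of the function can never contribute anything; either write the pattern as `{...} @ args` so callers can override fields, or drop the merge. Separately, both `mkRoot` and `mkUser` put `hashedPassword` straight from `passwords.crypt.nix` into the user definition; NixOS serialises that value into the generated users configuration in the Nix store, which is world-readable on the host, so every local account can read the hashes. A `hashedPasswordFile` pointing at a root-only file outside the store keeps the hash off the store. In `mkUser`, `// args` also lets a caller silently replace `isNormalUser` and `extraGroups`, which is worth a comment if intended.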
@@ -65,10 +51,15 @@ in # Cannot use the disk ID here because might be different at install vs. runtime. # Example: MMC card which is used in the internal reader vs. USB reader - bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); - bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); + bootFsDevice = diskId: + "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); + bootLuksDevice = diskId: + "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); luksName = diskId: (volumeGroup diskId) + "pv"; luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId); - lvmPv = diskId: encrypted: if encrypted then luksPhysicalVolume diskId else bootLuksDevice diskId; + lvmPv = diskId: encrypted: + if encrypted == true + then luksPhysicalVolume diskId + else bootLuksDevice diskId; }; } diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix deleted file mode 100644 index 622ae62..0000000 --- a/nix/os/modules/ddclient-hetzner.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ lib, ... }: -{ - options.services.ddclient-hetzner = with lib; { - enable = mkEnableOption "Enable ddclient-hetzner"; - zone = mkOption { type = types.str; }; - domains = mkOption { type = types.listOf types.str; }; - passwordFile = mkOption { type = types.path; }; - }; -} diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index 150d688..d12383a 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix 
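Review bot: `if encrypted == true` compares a boolean against `true`; `if encrypted` says the same thing and is what the previous one-liner used. The `else` branch hands back `bootLuksDevice diskId` for an unencrypted disk, i.e. the partition whose helper name says LUKS is used directly as the LVM physical volume; that is presumably intentional (same partition, just not encrypted), and a one-line comment such as `# unencrypted: the would-be LUKS partition is the PV itself` would spare the next reader the double-take.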
@@ -1,7 +1,29 @@ -{ lib, ... }: { + lib, + config, + ... +}: let + cfg = config.services.ddclientovh; + + passwords = import ../../variables/passwords.crypt.nix; +in { options.services.ddclientovh = with lib; { enable = mkEnableOption "Enable ddclient-ovh"; - domain = mkOption { type = types.str; }; + domain = mkOption {type = types.str;}; + }; + + config = lib.mkIf cfg.enable { + services.ddclient = { + enable = true; + protocol = "dyndns2"; + server = "www.ovh.com"; + ssl = true; + domains = [cfg.domain]; + use = "web"; + inherit (passwords.dyndns.${cfg.domain}) username; + passwordFile = + builtins.toFile passwords.dyndns._filename + passwords.dyndns.${cfg.domain}.password; + }; }; } diff --git a/nix/os/modules/initrd-network.nix b/nix/os/modules/initrd-network.nix index 4ca89cf..e517d62 100644 --- a/nix/os/modules/initrd-network.nix +++ b/nix/os/modules/initrd-network.nix @@ -4,8 +4,7 @@ pkgs, ... }: -with lib; -let +with lib; let cfg = config.boot.initrd.network; udhcpcScript = pkgs.writeScript "udhcp-script" '' @@ -26,8 +25,7 @@ let ''; udhcpcArgs = toString cfg.udhcpc.extraArgs; -in -{ +in { options = { boot.initrd.network.enable = mkOption { type = types.bool; @@ -48,7 +46,7 @@ in }; boot.initrd.network.udhcpc.extraArgs = mkOption { - default = [ ]; + default = []; type = types.listOf types.str; description = '' Additional command-line arguments passed verbatim to udhcpc if @@ -76,9 +74,9 @@ in }; config = mkIf cfg.enable { - warnings = [ "Enabled SSH for stage1" ]; + warnings = ["Enabled SSH for stage1"]; - boot.initrd.kernelModules = [ "af_packet" ]; + boot.initrd.kernelModules = ["af_packet"]; boot.initrd.extraUtilsCommands = '' copy_bin_and_libs ${pkgs.mkinitcpio-nfs-utils}/bin/ipconfig diff --git a/nix/os/modules/natrouter.nix b/nix/os/modules/natrouter.nix index d853c28..62af2a8 100644 --- a/nix/os/modules/natrouter.nix +++ b/nix/os/modules/natrouter.nix 
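Review bot: `passwordFile = builtins.toFile passwords.dyndns._filename passwords.dyndns.${cfg.domain}.password` writes the plaintext DynDNS credential into a Nix store path, and the store is world-readable on the host, so the file-based option gives no more protection here than an inline password would. Point `passwordFile` at a root-only path provisioned outside the store — e.g. `passwordFile = "/run/secrets/ddclient-ovh"; # placeholder path` — and drop the `passwords.crypt.nix` import from the module; the `username` inherit is not secret and can stay. `domain = mkOption {type = types.str;}` also deserves a `description`, since the module now has real behaviour behind it.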
@@ -1,6 +1,9 @@ -{ lib, ... }: -with lib; { + lib, + config, + ... +}: +with lib; { # TODO # Provide a NAT/DHCP Router # diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix index db2bbbf..22b4b4e 100644 --- a/nix/os/modules/opinionatedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix @@ -1,29 +1,19 @@ { lib, config, - pkgs, ... }: -with lib; -let +with lib; let cfg = config.hardware.opinionatedDisk; - ownLib = pkgs.callPackage ../lib/default.nix { }; - - earlyDiskId = cfg: if cfg.earlyDiskIdOverride != "" then cfg.earlyDiskIdOverride else cfg.diskId; -in -{ + ownLib = import ../lib/default.nix {}; +in { options.hardware.opinionatedDisk = { enable = mkEnableOption "Enable opinionated filesystem layout"; - diskId = mkOption { type = types.str; }; + diskId = mkOption {type = types.str;}; encrypted = mkOption { default = true; type = types.bool; }; - - earlyDiskIdOverride = mkOption { - default = ""; - type = types.str; - }; }; config = lib.mkIf cfg.enable { 
@@ -35,39 +25,38 @@ in fileSystems."/" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = [ "subvol=nixos" ]; + options = ["subvol=nixos"]; }; fileSystems."/home" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = [ "subvol=home" ]; + options = ["subvol=home"]; }; - swapDevices = [ { device = ownLib.disk.swapFsDevice cfg.diskId; } ]; + swapDevices = [{device = ownLib.disk.swapFsDevice cfg.diskId;}]; boot.loader.grub = { - device = ownLib.disk.bootGrubDevice (earlyDiskId cfg); + device = ownLib.disk.bootGrubDevice cfg.diskId; enableCryptodisk = cfg.encrypted; }; - boot.initrd.luks.devices = lib.optionalAttrs cfg.encrypted ( - builtins.listToAttrs [ + boot.initrd.luks.devices = + lib.optionalAttrs cfg.encrypted + (builtins.listToAttrs [ { - name = - let - splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); - lastelem = (builtins.length splitstring) - 1; - in + name = let + splitstring = + builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); + lastelem = (builtins.length splitstring) - 1; + in builtins.elemAt splitstring lastelem; value = { device = ownLib.disk.bootLuksDevice cfg.diskId; - preLVM = true; allowDiscards = true; }; } - ] - ); + ]); }; } diff --git a/nix/os/profiles/common/boot.nix b/nix/os/profiles/common/boot.nix new file mode 100644 index 0000000..7946772 --- /dev/null +++ b/nix/os/profiles/common/boot.nix @@ -0,0 +1,16 @@ +{pkgs, ...}: { + boot.kernelPackages = pkgs.linuxPackages; + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = false; + version = 2; + }; + + boot.loader.systemd-boot.enable = false; + boot.loader.efi.canTouchEfiVariables = true; + boot.tmpOnTmpfs = true; + + # Workaround for nm-pptp to enforce module load + boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"]; +} diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index 61b4cb8..80f92dd 100644 
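Review bot: `boot.tmpOnTmpfs = true` and `boot.loader.grub.version = 2` in the new `boot.nix` are release-dependent option names — the removed `configuration.nix` spelled the tmpfs switch `boot.tmp.useTmpfs` and set no grub version — so this file only evaluates against the nixpkgs pinned in `versions.nix` (`nixos-22.05`). A header comment stating that, e.g. `# option names follow the nixos-22.05 pin in versions.nix`, would keep the two spellings from drifting apart again when the pin moves.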
--- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix @@ -1,40 +1,5 @@ -{ - config, - pkgs, - repoFlake, - ... -}: -{ - imports = [ - repoFlake.inputs.sops-nix.nixosModules.sops +{...}: { + nixpkgs.overlays = builtins.attrValues (import ../../../overlays); - ../../snippets/nix-settings.nix - ../../snippets/home-manager-with-zsh.nix - - ./system.nix - ./hw.nix - ./user.nix - ]; - - boot.kernelPackages = pkgs.linuxPackages; - boot.loader.grub = { - enable = true; - efiSupport = true; - efiInstallAsRemovable = false; - }; - - boot.loader.systemd-boot.enable = false; - boot.loader.efi.canTouchEfiVariables = true; - boot.tmp.useTmpfs = true; - - # Workaround for nm-pptp to enforce module load - boot.kernelModules = [ - "nf_conntrack_proto_gre" - "nf_conntrack_pptp" - ]; - - nixpkgs.config = { - allowBroken = false; - allowUnfree = true; - }; + imports = [./boot.nix ./pkg.nix ./user.nix ./system.nix ./hw.nix]; } diff --git a/nix/os/profiles/common/hw.nix b/nix/os/profiles/common/hw.nix index 4d6eb74..80bdc31 100644 --- a/nix/os/profiles/common/hw.nix +++ b/nix/os/profiles/common/hw.nix @@ -1,12 +1,5 @@ -_: { +{...}: { hardware.trackpoint.emulateWheel = true; - boot.initrd.availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "rtsx_pci_sdmmc" - "cryptd" - ]; + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "cryptd"]; } diff --git a/nix/os/profiles/common/pkg.nix b/nix/os/profiles/common/pkg.nix new file mode 100644 index 0000000..e855acf --- /dev/null +++ b/nix/os/profiles/common/pkg.nix 
@@ -0,0 +1,40 @@ +{ + config, + pkgs, + ... +}: { + imports = ["${}/nixos"]; + home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix { + inherit pkgs; + }; + + nixpkgs.config = { + allowBroken = false; + allowUnfree = true; + + packageOverrides = pkgs: with pkgs; {}; + }; + + environment.systemPackages = with pkgs; [ + elfutils + exfat + file + tree + pwgen + proot + + parted + pv + tmux + wget + curl + + gitFull + pastebinit + gist + mr + + usbutils + pciutils + ]; +} diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index edf8717..72c7a7f 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix @@ -1,7 +1,26 @@ -{ pkgs, nodeName, ... }: { - networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname. - networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2; + config, + pkgs, + lib, + ... +}: { + nix.binaryCachePublicKeys = [ + # "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" + ]; + nix.binaryCaches = [ + "https://cache.nixos.org" + # "https://hydra.nixos.org" + ]; + nix.trustedBinaryCaches = [ + "https://cache.nixos.org" + # "https://hydra.nixos.org" + ]; + + nix.daemonCPUSchedPolicy = "idle"; + nix.daemonIOSchedClass = "idle"; + nix.maxJobs = lib.mkDefault "auto"; + nix.buildCores = lib.mkDefault 0; + nix.useSandbox = true; environment.etc."lvm/lvm.conf".text = '' devices { @@ -9,14 +28,14 @@ } ''; + environment.variables = {NIX_PATH = lib.mkForce pkgs.nixPath;}; + # Fonts, I18N, Date ... - fonts.packages = [ pkgs.corefonts ]; + fonts.fonts = [pkgs.corefonts]; console.font = "lat9w-16"; - i18n = { - defaultLocale = "en_US.UTF-8"; - }; + i18n = {defaultLocale = "en_US.UTF-8";}; time.timeZone = "Etc/UTC"; services.gpm.enable = true; 
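Review bot: `imports = ["${}/nixos"];` is not valid Nix as shown — the interpolation is empty — which looks like an angle-bracket search-path entry lost in extraction; if the real file reads `"${<name>}/nixos"`, the home-manager module is resolved through `NIX_PATH` at evaluation time, so the build depends on the ambient environment rather than on the pin in `versions.nix`, and a comment naming where that path is expected to come from would help. `packageOverrides = pkgs: with pkgs; {};` overrides nothing and can be removed, and `config` is taken as an argument but not used in the file.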
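Review bot: `environment.variables = {NIX_PATH = lib.mkForce pkgs.nixPath;}` relies on a `nixPath` attribute that, as far as I know, upstream nixpkgs does not define, so presumably it comes from the overlays imported in `configuration.nix`; a comment such as `# pkgs.nixPath is provided by the repo overlays` would save the next reader a search. `mkForce` here also discards whatever `NIX_PATH` the channel machinery would otherwise export for every user, which is fine if the pinned versions are meant to be the only source but worth stating. In the first hunk, `nix.binaryCachePublicKeys = [ ... ]` holds only a commented-out key, so the list is empty; if the module's built-in cache.nixos.org key is what is relied on, say so instead of leaving an empty list with an example in it.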
@@ -40,12 +59,15 @@ # mv -Tf /etc/X11/.sessions /etc/X11/sessions # ''; - # TODO: adapt this to be arch agnostic system.activationScripts.lib64 = '' echo "setting up /lib64..." mkdir -p /lib64 ln -sfT ${pkgs.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2 mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 ''; + + programs.zsh.enable = true; + users.defaultUserShell = pkgs.zsh; + environment.pathsToLink = ["/share/zsh"]; programs.fuse.userAllowOther = true; } diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index d5f64fe..d93de5e 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix 
@@ -1,89 +1,16 @@ { config, - lib, + pkgs, ... -}: -let - keys = import ../../../variables/keys.nix; - inherit - (import ../../lib/default.nix { - inherit lib config; - }) - mkUser - ; +}: let + passwords = import ../../../variables/passwords.crypt.nix; + inherit (import ../../lib/default.nix {}) mkUser mkRoot; +in { + users.mutableUsers = false; - inherit (lib) types; + users.extraUsers.root = mkRoot {}; + users.extraUsers.steveej = mkUser {uid = 1000;}; - cfg = config.users.commonUsers; -in -{ - options.users.commonUsers = { - enable = lib.mkOption { - default = true; - type = types.bool; - }; - - enableNonRoot = lib.mkOption { - default = true; - type = types.bool; - }; - - rootPasswordFile = lib.mkOption { - default = config.sops.secrets.sharedUsers-root.path; - type = types.path; - }; - - # TODO: test if this works - installPassword = lib.mkOption { - default = null; - type = types.nullOr types.str; - }; - }; - config = lib.mkIf cfg.enable ( - lib.mkMerge [ - (lib.mkIf (cfg.installPassword == null) { - sops.secrets.sharedUsers-root = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; - - sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; - - sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - # neededForUsers = true; - format = "yaml"; - }; - }) - - { - users.mutableUsers = cfg.installPassword != null; - - users.users.root = lib.mkMerge [ - { openssh.authorizedKeys.keys = keys.users.steveej.openssh; } - - (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) - - (lib.mkIf (cfg.installPassword == "") { hashedPasswordFile = cfg.rootPasswordFile; }) - ]; - - } - - (lib.mkIf cfg.enableNonRoot (mkUser { - username = "steveej"; - - uid = 1000; - - password = cfg.installPassword; - hashedPasswordFile = lib.mkIf ( - 
cfg.installPassword == null - ) config.sops.secrets.sharedUsers-steveej.path; - })) - ] - ); + security.pam.u2f.enable = true; + security.pam.services.steveej.u2fAuth = true; } diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix index 40fd3f4..765752d 100644 --- a/nix/os/profiles/containers/configuration.nix +++ b/nix/os/profiles/containers/configuration.nix @@ -1,28 +1,8 @@ -{ - hostAddress, - pkgs, - lib, - ... -}: -{ +{...}: { + nixpkgs.overlays = builtins.attrValues (import ../../../overlays); + networking.useHostResolvConf = false; + services.resolved = {enable = true;}; - networking.firewall.enable = true; - networking.nftables.enable = true; - networking.nftables.flushRuleset = true; - - networking.nameservers = lib.mkForce [ hostAddress ]; - - environment.systemPackages = [ pkgs.dnsutils ]; - - imports = [ - { - # keep DNS set up to a minimum: only query the container host - services.resolved.enable = lib.mkForce false; - networking.nameservers = [ hostAddress ]; - } - ../../snippets/nix-settings.nix - # ../../modules/ddclient-ovh.nix - # ../../modules/ddclient-hetzner.nix - ]; + imports = [../../modules/ddclient-ovh.nix]; } diff --git a/nix/os/profiles/graphical-gnome-xorg.nix b/nix/os/profiles/graphical-gnome-xorg.nix deleted file mode 100644 index bc88473..0000000 --- a/nix/os/profiles/graphical-gnome-xorg.nix +++ /dev/null 
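Review bot: `security.pam.services.steveej.u2fAuth = true` keys `security.pam.services` by PAM service name (`login`, `sudo`, `sshd`, the display manager, …), not by user, so this creates a PAM stack named `steveej` that no program consults and the U2F setting is silently never applied. Set `u2fAuth` on the services that should accept the token, e.g. `security.pam.services.login.u2fAuth = true;`, and note that `security.pam.u2f.control` defaults to `sufficient`, so on those services the token alone authenticates unless that control is changed. The `passwords` binding in the `let` is not used in the new body and can go; `users.extraUsers` is the older alias of `users.users`.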
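Review bot: the new container profile enables `services.resolved` inside every container and sets `networking.useHostResolvConf = false`, but no line sets `networking.nameservers` (or `services.resolved.fallbackDns`), so where the containers send DNS queries now depends on resolved's defaults rather than on the host; if the host is meant to be their only resolver, as the previous version pinned, state it explicitly, e.g. `networking.nameservers = [hostAddress];` with `hostAddress` taken back into the argument set. The firewall is no longer mentioned either; the NixOS default keeps it on, but a one-line comment saying the default is relied upon would make that deliberate.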
@@ -1,104 +0,0 @@ -{ pkgs, lib, ... }: -{ - services.libinput.enable = true; - services.libinput.touchpad.naturalScrolling = true; - services.xserver = { - enable = true; - - videoDrivers = [ - "qxl" - "modesetting" - "ati" - "cirrus" - "intel" - "vesa" - "vmware" - "modesetting" - ]; - xkb.layout = "us"; - xkb.variant = "altgr-intl"; - xkb.options = "nodeadkeys"; - - desktopManager = { - # FIXME: gnome should be moved to user session - gnome.enable = true; - - xterm.enable = true; - plasma5.enable = false; - }; - - displayManager = { - gdm.enable = true; - gdm.wayland = true; - }; - }; - - # gnome, most of it is disabled and ideally it could live entirely in the user's home config - programs.gpaste.enable = false; - programs.gnome-terminal.enable = false; - # programs.gnome-documents.enable = false; - programs.gnome-disks.enable = false; - - # TODO: fully delegate graphical session to home-manager config - services.gnome = { - games.enable = false; - gnome-remote-desktop.enable = false; - gnome-user-share.enable = false; - rygel.enable = false; - sushi.enable = false; - tinysparql.enable = false; - localsearch.enable = false; - - gnome-browser-connector.enable = false; - gnome-initial-setup.enable = false; - - # FIXME: gnome should be moved to home config - gnome-settings-daemon.enable = true; - core-os-services.enable = true; - at-spi2-core.enable = true; - evolution-data-server.enable = true; - gnome-online-accounts.enable = true; - gnome-keyring.enable = lib.mkForce false; - }; - - # FIXME: gnome should be moved to user session - services.gvfs.enable = true; - programs.seahorse.enable = true; - programs.dconf.enable = true; - - environment.gnome.excludePackages = with pkgs; - [ - orca - gnome-photos - gnome-tour - - snapshot # webcam tool - gnome-music - gnome-terminal - gedit # text editor - epiphany # web browser - geary # email reader - evince # document viewer - gnome-characters - totem # video player - ]; - - services.pipewire = { - audio.enable = true; - 
enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - wireplumber.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - }; - - services.dbus.packages = with pkgs; [ dconf ]; - - # More Services - environment.systemPackages = [ - pkgs.adwaita-icon-theme - pkgs.gnomeExtensions.appindicator - ]; -} diff --git a/nix/os/profiles/graphical/boot.nix b/nix/os/profiles/graphical/boot.nix index 4bf6ca4..f6d9452 100644 --- a/nix/os/profiles/graphical/boot.nix +++ b/nix/os/profiles/graphical/boot.nix @@ -1,4 +1 @@ -{ config, ... }: -{ - boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; -} +{lib, ...}: {} diff --git a/nix/os/profiles/graphical/configuration.nix b/nix/os/profiles/graphical/configuration.nix index 477a93d..b9cf53e 100644 --- a/nix/os/profiles/graphical/configuration.nix +++ b/nix/os/profiles/graphical/configuration.nix @@ -1,8 +1,3 @@ -{ ... }: -{ - imports = [ - ./boot.nix - ./system.nix - ./hw.nix - ]; +{pkgs, ...}: { + imports = [./boot.nix ./system.nix ./hw.nix]; } diff --git a/nix/os/profiles/graphical/hw.nix b/nix/os/profiles/graphical/hw.nix index 821f5bf..abb1e68 100644 --- a/nix/os/profiles/graphical/hw.nix +++ b/nix/os/profiles/graphical/hw.nix @@ -1 +1,3 @@ -_: { hardware.enableAllFirmware = true; } +{...}: { + hardware.enableAllFirmware = true; +} diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index 00ed2c2..ff22960 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -1,7 +1,4 @@ -{ pkgs, ... }: -{ - imports = [ ../../snippets/bluetooth.nix ]; - +{pkgs, ...}: { networking.networkmanager = { enable = true; dns = "systemd-resolved"; 
@@ -18,14 +15,91 @@ services.resolved.enable = true; # hardware related services - services.pcscd.enable = true; - hardware.graphics.enable = true; + services.illum.enable = true; + services.pcscd.enable = false; + hardware = { + bluetooth.enable = true; + pulseaudio = { + enable = true; + package = pkgs.pulseaudioFull; + support32Bit = true; + }; + }; + # required for running blueman-applet in user sessions + services.dbus.packages = with pkgs; [blueman]; + services.blueman.enable = true; - services.udev.packages = [ - pkgs.libu2f-host - pkgs.yubikey-personalization - pkgs.android-udev-rules - ]; + services.xserver = { + enable = true; + libinput.enable = true; + libinput.touchpad.naturalScrolling = true; + + videoDrivers = [ + "qxl" + "modesetting" + "ati" + "cirrus" + "intel" + "vesa" + "vmware" + "modesetting" + ]; + layout = "us"; + xkbVariant = "altgr-intl"; + xkbOptions = "nodeadkeys"; + + desktopManager = { + # FIXME: gnome should be moved to user session + gnome.enable = true; + + xterm.enable = true; + plasma5.enable = false; + }; + + displayManager = { + gdm.enable = false; + + autoLogin = { + enable = true; + user = "steveej"; + }; + + lightdm = { + enable = true; + background = "${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png"; + }; + + sessionCommands = ""; + }; + }; + + services.gvfs.enable = true; + programs.seahorse.enable = true; + programs.gpaste.enable = false; + programs.gnome-terminal.enable = false; + programs.gnome-documents.enable = false; + programs.gnome-disks.enable = false; + + services.gnome = { + # gnome-online-miners.enable = false; TODO: enable this again + games.enable = false; + gnome-remote-desktop.enable = false; + gnome-user-share.enable = false; + rygel.enable = false; + sushi.enable = false; + tracker.enable = false; + tracker-miners.enable = false; + + # FIXME: gnome should be moved to user session + core-os-services.enable = true; + at-spi2-core.enable = true; + 
evolution-data-server.enable = true; + gnome-online-accounts.enable = true; + gnome-keyring.enable = true; + }; + + # More Services + services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules]; services.udev.extraRules = '' # OnePlusOne ATTR{idVendor}=="05c6", ATTR{idProduct}=="6764", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess" @@ -40,19 +114,10 @@ SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel" ''; - # services.samba.enable = true; - # services.samba.extraConfig = '' - # client max protocol = SMB3 - # # client min protocol = SMB2_10 - # # client min protocol = NT1 - # # ntlm auth = yes - # ''; + services.samba.enable = true; + services.samba.extraConfig = '' + client max protocol = SMB3 + ''; services.logind.lidSwitchExternalPower = "ignore"; - - services.printing = { - enable = true; - drivers = with pkgs; [ - ]; - }; } diff --git a/nix/os/profiles/install-medium/iso/Justfile b/nix/os/profiles/install-medium/iso/Justfile index 099a8aa..bcd3c66 100644 --- a/nix/os/profiles/install-medium/iso/Justfile +++ b/nix/os/profiles/install-medium/iso/Justfile @@ -1,2 +1,2 @@ build: - nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix + nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix diff --git a/nix/os/profiles/install-medium/iso/iso.nix b/nix/os/profiles/install-medium/iso/iso.nix index a32f3f6..394aece 100644 --- a/nix/os/profiles/install-medium/iso/iso.nix +++ b/nix/os/profiles/install-medium/iso/iso.nix 
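Review bot: `displayManager.autoLogin = { enable = true; user = "steveej"; }` with lightdm logs the user in without any credential at boot, and nothing in the hunk configures a screen locker, so on this profile the LUKS passphrase (when `hardware.opinionatedDisk.encrypted` keeps its default) is the only interactive authentication the machine asks for; that is a defensible trade-off on a single-user laptop but should be written down, e.g. `# autoLogin: disk encryption is the only auth gate; the session must be locked from the user config`. `gnome-keyring.enable = true` is affected too, since with auto-login there is no login password for the keyring to be unlocked with, so it typically stays locked until unlocked by hand. `sessionCommands = "";` is a no-op and can go. The enclosing attribute set continues past the hunk.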
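Review bot: `services.samba.enable = true` starts the smbd/nmbd daemons on this graphical profile, while the only setting supplied, `client max protocol = SMB3`, is a client-side option; if the intent is merely a client configuration for GVFS/smbclient, a comment saying so is needed, since a reader will otherwise assume shares are meant to be served. If a server is intended, the shares and the reason belong here, and `services.samba.openFirewall` should stay at its default unless LAN exposure is wanted.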
@@ -5,26 +5,25 @@ pkgs, lib, ... -}: -let +}: let nixos-init-script = '' #!${pkgs.stdenv.shell} export HOME=/root export PATH=${ - pkgs.lib.makeBinPath [ - config.nix.package - pkgs.systemd - pkgs.gnugrep - pkgs.gnused - config.system.build.nixos-rebuild - config.system.build.nixos-install - pkgs.utillinux - pkgs.e2fsprogs - pkgs.coreutils - pkgs.hdparm - ] - }:$PATH + pkgs.lib.makeBinPath [ + config.nix.package + pkgs.systemd + pkgs.gnugrep + pkgs.gnused + config.system.build.nixos-rebuild + config.system.build.nixos-install + pkgs.utillinux + pkgs.e2fsprogs + pkgs.coreutils + pkgs.hdparm + ] + }:$PATH export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels set -xe @@ -62,8 +61,7 @@ let nixos-install reboot ''; -in -{ +in { imports = [ @@ -72,11 +70,13 @@ in # ]; - isoImage.isoName = lib.mkForce "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; + isoImage.isoName = + lib.mkForce + "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; boot.loader.timeout = lib.mkForce 0; boot.postBootCommands = ""; - environment.systemPackages = [ ]; + environment.systemPackages = []; users.users.root = { openssh.authorizedKeys.keys = [ @@ -85,18 +85,18 @@ in }; services.gpm.enable = true; - systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ]; + systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"]; systemd.services.nixos-init = { script = nixos-init-script; - path = with pkgs; [ ]; + path = with pkgs; []; description = "Initialize /dev/vda from configuration.nix found at /dev/vdb"; enable = true; - wantedBy = [ "multi-user.target" ]; - after = [ "multi-user.target" ]; - requires = [ "network-online.target" ]; + wantedBy = ["multi-user.target"]; + after = ["multi-user.target"]; + requires = ["network-online.target"]; restartIfChanged = false; unitConfig.X-StopOnRemoval = false; 
diff --git a/nix/os/profiles/podman/configuration.nix b/nix/os/profiles/podman/configuration.nix
new file mode 100644
index 0000000..b70ff6c
--- /dev/null
+++ b/nix/os/profiles/podman/configuration.nix
@@ -0,0 +1,182 @@ +{ + config, + pkgs, + ... +}: { + environment.systemPackages = with pkgs; [ + podman + runc + conmon + cni + cni-plugins + slirp4netns + ]; + + environment.etc."containers/registries.conf".text = '' + # This is a system-wide configuration file used to + # keep track of registries for various container backends. + # It adheres to TOML format and does not support recursive + # lists of registries. + + [registries.search] + registries = [ 'docker.io' + , 'registry.fedoraproject.org' + , 'registry.access.redhat.com' + , 'quay.io' + ] + + # If you need to access insecure registries, add the registry's fully-qualified name. + # An insecure registry is one that does not have a valid SSL certificate or only does HTTP. + [registries.insecure] + registries = ['localhost:5000'] + ''; + + environment.etc."containers/policy.json".text = '' + { + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": + { + "docker-daemon": + { + "": [{"type":"insecureAcceptAnything"}] + } + } + } + ''; + + environment.etc."cni/net.d/00-loopback.conf".text = '' + { + "cniVersion": "0.3.0", + "type": "loopback" + } + ''; + + environment.etc."cni/net.d/87-podman-bridge.conflist".text = '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ''; + + environment.etc."containers/libpod.conf".text = '' + # libpod.conf is the default configuration file for all tools using libpod to + # manage containers + + # Default transport method for pulling and pushing for images + image_default_transport = "docker://" + + # Paths to search for the Conmon container manager binary + runtime_path = [ + "${pkgs.runc}/bin/runc" + ] + + + # Paths to look for the Conmon container manager 
binary + conmon_path = [ + "${pkgs.conmon}/bin/conmon" + ] + + + # Environment variables to pass into conmon + conmon_env_vars = [ + # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ] + + # CGroup Manager - valid values are "systemd" and "cgroupfs" + cgroup_manager = "systemd" + + # Container init binary + #init_path = "/usr/libexec/podman/catatonit" + + # Directory for persistent libpod files (database, etc) + # By default, this will be configured relative to where containers/storage + # stores containers + # Uncomment to change location from this default + #static_dir = "/var/lib/containers/storage/libpod" + + # Directory for temporary files. Must be tmpfs (wiped after reboot) + tmp_dir = "/var/run/libpod" + + # Maximum size of log files (in bytes) + # -1 is unlimited + max_log_size = -1 + + # Whether to use chroot instead of pivot_root in the runtime + no_pivot_root = false + + # Directory containing CNI plugin configuration files + cni_config_dir = "/etc/cni/net.d/" + + # Directories where the CNI plugin binaries may be located + cni_plugin_dir = [ + "${pkgs.cni-plugins}/bin" + ] + + + # Default CNI network for libpod. + # If multiple CNI network configs are present, libpod will use the network with + # the name given here for containers unless explicitly overridden. + # The default here is set to the name we set in the + # 87-podman-bridge.conflist included in the repository. + # Not setting this, or setting it to the empty string, will use normal CNI + # precedence rules for selecting between multiple networks. + cni_default_network = "podman" + + # Default libpod namespace + # If libpod is joined to a namespace, it will see only containers and pods + # that were created in the same namespace, and will create new containers and + # pods in that namespace. + # The default namespace is "", which corresponds to no namespace. When no + # namespace is set, all containers and pods are visible. 
+ #namespace = "" + + # Default pause image name for pod pause containers + pause_image = "k8s.gcr.io/pause:3.1" + + # Default command to run the pause container + pause_command = "/pause" + + # Determines whether libpod will reserve ports on the host when they are + # forwarded to containers. When enabled, when ports are forwarded to containers, + # they are held open by conmon as long as the container is running, ensuring that + # they cannot be reused by other programs on the host. However, this can cause + # significant memory usage if a container has many ports forwarded to it. + # Disabling this can save memory. + #enable_port_reservation = true + + # Default libpod support for container labeling + # label=true + + # Paths to look for a valid OCI runtime (runc, runv, etc) + # FIXME: this doesn't seem to take effect + [runtimes] + runc = [ + "${pkgs.runc}/bin/runc" + ] + ''; +} diff --git a/nix/os/profiles/removable-medium/boot.nix b/nix/os/profiles/removable-medium/boot.nix index 17a1dba..e0938bd 100644 --- a/nix/os/profiles/removable-medium/boot.nix +++ b/nix/os/profiles/removable-medium/boot.nix @@ -1,6 +1,5 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/profiles/removable-medium/configuration.nix b/nix/os/profiles/removable-medium/configuration.nix index ad7def0..95ca049 100644 --- a/nix/os/profiles/removable-medium/configuration.nix +++ b/nix/os/profiles/removable-medium/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../modules/opinionatedDisk.nix diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix index 0f7cbec..17c16b0 100644 --- a/nix/os/profiles/removable-medium/hw.nix +++ b/nix/os/profiles/removable-medium/hw.nix 
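Review bot: `containers/policy.json` sets `"default": [{"type": "insecureAcceptAnything"}]` and the same for `docker-daemon`, so no image pulled through any transport is signature-checked, and `[registries.search]` lets an unqualified name be resolved by trying four registries in order — together an unqualified pull takes whatever the first matching registry returns, unverified. If that is acceptable for this host, a comment at the top of `policy.json` saying so is warranted; otherwise use fully qualified image names and a `reject` default with per-registry `signedBy` (or `insecureAcceptAnything`) entries only for the registries you trust. `[registries.insecure]` listing `localhost:5000` is fine for a local registry but deserves the same comment. `libpod.conf`'s `# FIXME: this doesn't seem to take effect` on `[runtimes]` should get an issue reference or be resolved before the file ships.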
@@ -1,4 +1,4 @@ -_: { +{...}: { hardware.opinionatedDisk.enable = true; hardware.enableAllFirmware = true; } diff --git a/nix/os/profiles/removable-medium/pkg.nix b/nix/os/profiles/removable-medium/pkg.nix index d27081f..5a54115 100644 --- a/nix/os/profiles/removable-medium/pkg.nix +++ b/nix/os/profiles/removable-medium/pkg.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{pkgs, ...}: { home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix { inherit pkgs; }; diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix index 243edf7..10a18ef 100644 --- a/nix/os/profiles/removable-medium/system.nix +++ b/nix/os/profiles/removable-medium/system.nix @@ -1,9 +1,11 @@ -_: { - services.illum.enable = true; - - services.printing = { - enable = false; - }; +{ + config, + lib, + pkgs, + ... +}: let +in { + services.printing = {enable = false;}; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix deleted file mode 100644 index 090217e..0000000 --- a/nix/os/snippets/bluetooth.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs, ... }: -{ - # required for running blueman-applet in user sessions - services.dbus.packages = with pkgs; [ blueman ]; - hardware.bluetooth.enable = true; - services.blueman.enable = true; -} diff --git a/nix/os/snippets/holo-zerotier.nix b/nix/os/snippets/holo-zerotier.nix deleted file mode 100644 index 4371b78..0000000 --- a/nix/os/snippets/holo-zerotier.nix +++ /dev/null 
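Review bot: The new module header for system.nix binds `config`, `lib` and `pkgs` and opens an empty `let in`, yet none of the three is referenced in the visible lines; `{...}: {`, as hw.nix is written in this same change, expresses the same module without the unused bindings. If the arguments are needed by lines past the hunk, a short comment naming what uses them would help the next reader. The module body continues outside the hunk.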
@@ -1,53 +0,0 @@ -{ config, lib, ... }: -let - cfg = config.steveej.holo-zerotier; -in -{ - options.steveej.holo-zerotier = { - enable = lib.mkEnableOption "Enable holo-zerotier"; - autostart = lib.mkOption { default = false; }; - }; - - config = { - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ]; - - services.zerotierone = { - inherit (cfg) enable; - joinNetworks = [ - # moved to the service below as it's now secret - ]; - }; - - systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); - - systemd.services.zerotieroneSecretNetworks = { - inherit (cfg) enable; - requiredBy = [ "zerotierone.service" ]; - partOf = [ "zerotierone.service" ]; - - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - - script = - let - secret = config.sops.secrets.zerotieroneNetworks; - in - '' - # include the secret's hash to trigger a restart on change - # ${builtins.hashString "sha256" (builtins.toJSON secret)} - - ${config.systemd.services.zerotierone.preStart} - - rm -rf /var/lib/zerotier-one/networks.d/*.conf - for network in `grep -v '#' ${secret.path}`; do - touch /var/lib/zerotier-one/networks.d/''${network}.conf - done - ''; - }; - - sops.secrets.zerotieroneNetworks = { - sopsFile = ../../../secrets/work-holo/zerotierone.txt; - format = "binary"; - }; - }; -} diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix deleted file mode 100644 index 47ddd8a..0000000 --- a/nix/os/snippets/home-manager-with-zsh.nix +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - nodeFlake, - repoFlake, - repoFlakeInputs', - packages', - pkgs, - ... -}: -let - # TODO: make this configurable - homeUser = "steveej"; - commonHomeImports = [ - ../../home-manager/profiles/common.nix - ../../home-manager/programs/neovim.nix - ../../home-manager/programs/zsh.nix - ]; -in -{ - imports = [ nodeFlake.inputs.home-manager.nixosModules.home-manager ]; - - # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager - # home-manager.extraSpecialArgs = specialArgs; - # hence, opt for passing the arguments selectively instead - home-manager.extraSpecialArgs = { - inherit - repoFlake - repoFlakeInputs' - packages' - nodeFlake - ; - }; - - home-manager.useGlobalPkgs = false; - home-manager.useUserPackages = true; - - home-manager.users.root = _: { imports = commonHomeImports; }; - - home-manager.users."${homeUser}" = _: { imports = commonHomeImports; }; - - programs.zsh.enable = true; - users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = [ "/share/zsh" ]; -} diff --git a/nix/os/snippets/k3s-w-nix-snapshotter.nix b/nix/os/snippets/k3s-w-nix-snapshotter.nix deleted file mode 100644 index 1774650..0000000 --- a/nix/os/snippets/k3s-w-nix-snapshotter.nix +++ /dev/null 
@@ -1,58 +0,0 @@ -# experiment with k3s, nix-snapshotter, and nixos images -{ - nodeFlake, - pkgs, - lib, - system, - config, - ... -}: -let - cfg = config.steveej.k3s; - -in -# TODO: make this configurable -{ - options.steveej.k3s = { - enable = lib.mkOption { - description = "steveej's k3s distro"; - type = lib.types.bool; - default = true; - }; - }; - - # (1) Import nixos module. - imports = [ nodeFlake.inputs.nix-snapshotter.nixosModules.default ]; - - config = lib.mkIf cfg.enable { - # (2) Add overlay. - nixpkgs.overlays = [ nodeFlake.inputs.nix-snapshotter.overlays.default ]; - - # (3) Enable service. - virtualisation.containerd = { - enable = true; - nixSnapshotterIntegration = true; - - # TODO: understand if this has an influence on the systemd LoadCredential issue - # settings.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = lib.mkForce true; - }; - services.nix-snapshotter = { - enable = true; - }; - - # (4) Add a containerd CLI like nerdctl. - environment.systemPackages = [ - pkgs.nerdctl - nodeFlake.inputs.nix-snapshotter.packages.${system}.default - ]; - - services.k3s = { - enable = false; - setKubeConfig = true; - }; - - # home-manager.users."${homeUser}" = _: { - # home.sessionVariables.CONTAINERD_ADDRESS = "/run/user/1000/containerd/containerd.sock"; - # }; - }; -} diff --git a/nix/os/snippets/mycelium.nix b/nix/os/snippets/mycelium.nix deleted file mode 100644 index 990477e..0000000 --- a/nix/os/snippets/mycelium.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - repoFlake, - nodeName, - config, - lib, - ... -}: -let - cfg.autostart = false; -in -{ - imports = [ ]; - - sops.secrets.mycelium-key = { - format = "binary"; - sopsFile = repoFlake + "/secrets/${nodeName}/mycelium_priv_key.bin.enc"; - }; - - services.mycelium = { - enable = true; - # package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd; - keyFile = config.sops.secrets.mycelium-key.path; - addHostedPublicNodes = true; - peers = [ ]; - - # tunName = "mycelium-pub"; - - extraArgs = [ ]; - }; - - systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); -} diff --git a/nix/os/snippets/nix-settings-holo-chain.nix b/nix/os/snippets/nix-settings-holo-chain.nix deleted file mode 100644 index b660f1c..0000000 --- a/nix/os/snippets/nix-settings-holo-chain.nix +++ /dev/null @@ -1,16 +0,0 @@ -_: { - nix.settings = { - substituters = [ - "https://holochain-ci.cachix.org" - "https://holochain-ci-internal.cachix.org" - # "https://cache.holo.host/" - ]; - - trusted-public-keys = [ - "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=" - "holochain-ci-internal.cachix.org-1:QvVsSrTiearCjrLTVtNtJOdQCDTseXh7UXUuSMx46NE=" - "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE=" - "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ=" - ]; - }; -} diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix deleted file mode 100644 index 99d26d4..0000000 --- a/nix/os/snippets/nix-settings.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - nodeFlake, - pkgs, - lib, - ... -}: -{ - nix.daemonCPUSchedPolicy = "idle"; - nix.daemonIOSchedClass = "idle"; - nix.settings.max-jobs = lib.mkDefault "auto"; - nix.settings.cores = lib.mkDefault 0; - nix.settings.sandbox = true; - nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - "ca-derivations" - "recursive-nix" - ]; - - nix.settings.system-features = [ - "recursive-nix" - "big-parallel" - "kvm" - "nixos-test" - ]; - - # nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; - nix.registry.nixpkgs.to = { - type = "path"; - path = nodeFlake.inputs.nixpkgs.outPath; - inherit (nodeFlake.inputs.nixpkgs) narHash; - }; - - nix.package = pkgs.nixVersions.latest; -} diff --git a/nix/os/snippets/obs-studio.nix b/nix/os/snippets/obs-studio.nix deleted file mode 100644 index 8a99fcb..0000000 --- a/nix/os/snippets/obs-studio.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, ... }: -let - # TODO: make configurable - homeUser = "steveej"; -in -{ - boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ]; - - # Activate kernel modules (choose from built-ins and extra ones) - boot.kernelModules = [ - # Virtual Camera - "v4l2loopback" - # Virtual Microphone, built-in - "snd-aloop" - ]; - - # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming - # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams - # https://github.com/umlaeute/v4l2loopback - boot.extraModprobeConfig = '' - options v4l2loopback devices=1 video_nr=1 card_label="OBSCam" exclusive_caps=1 - ''; - - security.polkit.enable = true; - - home-manager.users.${homeUser} = _: { imports = [ ../../home-manager/programs/obs-studio.nix ]; }; -} diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix deleted file mode 100644 index 709b601..0000000 --- a/nix/os/snippets/radicale.nix +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - config, - pkgs, - repoFlakeInputs', - ... -}: -let - # TODO: make configurable - homeUser = "steveej"; -in -{ - sops.secrets.radicale_htpasswd = { - sopsFile = ../../../secrets/desktop/radicale_htpasswd; - format = "binary"; - owner = config.users.users."${homeUser}".name; - }; - - home-manager.users.${homeUser} = _: { - imports = [ - # TODO: bump these to latest and make it work - ( - args: - import ../../home-manager/programs/radicale.nix ( - args - // { - osConfig = config; - pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; - } - ) - ) - ]; - }; -} diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix deleted file mode 100644 index df40e2b..0000000 --- a/nix/os/snippets/sway-desktop.nix +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: -let - # TODO: make this configurable - homeUser = "steveej"; -in -{ - services.xserver.serverFlagsSection = '' - Option "BlankTime" "0" - Option "StandbyTime" "0" - Option "SuspendTime" "0" - Option "OffTime" "0" - ''; - - hardware.graphics.enable = true; - - services.gvfs = { - enable = true; - package = lib.mkForce pkgs.gnome.gvfs; - }; - - environment.systemPackages = with pkgs; [ - # provides a default authentification client for policykit - lxqt.lxqt-policykit - ]; - - # required by swaywm - security.polkit.enable = true; - security.pam.services.swaylock = { }; - - # test these on https://mozilla.github.io/webrtc-landing/gum_test.html - xdg.portal = { - enable = true; - # FIXME: `true` breaks xdg-open from alacritty: - # $ xdg-open "https://github.com/" - # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop - xdgOpenUsePortal = false; - - wlr = { - enable = true; - settings = { - screencast = { - chooser_type = "dmenu"; - # display the output as a list in favor of the default mouse selection - chooser_cmd = lib.getExe ( - pkgs.writeShellApplication { - name = "chooser_cmd"; - runtimeInputs = [ - pkgs.sway - pkgs.jq - pkgs.fuzzel - pkgs.gnused - ]; - text = '' - swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//' - ''; - } - ); - max_fps = 30; - }; - }; - }; - - # keep the behaviour in < 1.17, which uses the first portal implementation found in lexicographical order, use the following: - config = { - common = { - default = [ - "wlr" - "gtk" - ]; - }; - }; - - extraPortals = [ - # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr - - pkgs.xdg-desktop-portal-gtk - # (pkgs.xdg-desktop-portal-gtk.override (_: { - # buildPortalsInGnome = false; - # })) - ]; - }; - - # rtkit 
is optional but recommended - security.rtkit.enable = true; - services.pipewire = { - audio.enable = true; - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - wireplumber.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - }; - - security.pam.services.getty.enableGnomeKeyring = true; - security.pam.services."autovt@tty1".enableGnomeKeyring = true; - services.gnome.gnome-keyring.enable = true; - - # autologin steveej on tty1 - # TODO: make user configurable - systemd.services."autovt@tty1".description = "Autologin at the TTY1"; - systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty - systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; - systemd.services."autovt@tty1".serviceConfig = { - ExecStart = [ - "" # override upstream default with an empty ExecStart - "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM" - ]; - Restart = "always"; - Type = "idle"; - }; - - programs = - let - steveejSwayOnTty1 = '' - if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then - exec sway - fi - ''; - in - { - bash.loginShellInit = steveejSwayOnTty1; - # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion - zsh.loginShellInit = steveejSwayOnTty1; - }; - - home-manager.users."${homeUser}" = _: { - imports = [ ../../home-manager/profiles/sway-desktop.nix ]; - }; -} diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix deleted file mode 100644 index f7c2301..0000000 --- a/nix/os/snippets/systemd-resolved.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ lib, ... }: -{ - networking.nameservers = [ - # https://dnsforge.de/ - "176.9.93.198" - "176.9.1.117" - - # TODO: enable IPv6 - # "2a01:4f8:151:34aa::198" - # "2a01:4f8:141:316d::117" - ]; - - services.resolved = { - enable = true; - dnssec = "true"; - domains = [ "~." ]; - - # TODO: figure out why "true" doesn't work - dnsovertls = "opportunistic"; - - fallbackDns = lib.mkForce [ ]; - - # TODO: IPv6 - # extraConfig = '' - # DNSStubListenerExtra=[::1]:53 - # ''; - }; -} diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix deleted file mode 100644 index 67db1e8..0000000 --- a/nix/os/snippets/timezone.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ lib, ... }: -let - passwords = import ../../variables/passwords.crypt.nix; -in -{ - time.timeZone = lib.mkDefault passwords.timeZone.stefan; -} diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix new file mode 100644 index 0000000..e412c8d --- /dev/null +++ b/nix/overlays/default.nix @@ -0,0 +1,5 @@ +{ + overrides = import ./overrides.nix; + pkgs = import ./pkgs.nix; + posh = import ./posh.nix; +} diff --git a/nix/overlays/overrides.nix b/nix/overlays/overrides.nix new file mode 100644 index 0000000..ab37a6d --- /dev/null +++ b/nix/overlays/overrides.nix 
@@ -0,0 +1,38 @@ +# This overlay is used for overriding upstream packages. +self: super: let + sources = import ../../nix/sources.nix; + + nixpkgs-master = import {inherit (super) config;}; + nixpkgs-unstable = + import {inherit (super) config;}; + pr-holochain-launcher-bin = + import sources.pr-holochain-launcher-bin {inherit (super) config;}; +in { + inherit nixpkgs-master; + inherit nixpkgs-unstable; + + # alacritty = nixpkgs-master.alacritty; + alacritty = super.stdenv.mkDerivation { + name = "alacritty-custom"; + buildInputs = [super.makeWrapper]; + phases = "installPhase"; + installPhase = '' + makeWrapper ${super.alacritty}/bin/alacritty $out/bin/alacritty \ + --set-default WINIT_X11_SCALE_FACTOR 1.4 + ''; + }; + + qtile = super.qtile.overrideAttrs (oldAttrs: { + propagatedBuildInputs = + oldAttrs.passthru.unwrapped.propagatedBuildInputs + ++ (with self.python3Packages; [ + # python-wifi + # iwlib + keyring + ]); + }); + + inherit (pr-holochain-launcher-bin) holochain-launcher; + + # logseq = nixpkgs-staging-steveej.logseq; +} diff --git a/nix/overlays/pkgs.nix b/nix/overlays/pkgs.nix new file mode 100644 index 0000000..2459f2c --- /dev/null +++ b/nix/overlays/pkgs.nix @@ -0,0 +1,14 @@ +# This overlay includes all packages defined by the top-level default.nix. +# The code is copied from the NUR repository [0]. +# +# [0]: https://github.com/nix-community/nur-packages-template/blob/2610a5b60bd926cea3e6395511da8f0d14c613b9/overlay.nix +self: super: let + isReserved = n: n == "lib" || n == "overlays" || n == "modules"; + nameValuePair = n: v: { + name = n; + value = v; + }; + nurAttrs = import ../pkgs {pkgs = super;}; +in + builtins.listToAttrs (map (n: nameValuePair n nurAttrs.${n}) + (builtins.filter (n: !isReserved n) (builtins.attrNames nurAttrs))) diff --git a/nix/overlays/posh.nix b/nix/overlays/posh.nix new file mode 100644 index 0000000..e7ce1b6 --- /dev/null +++ b/nix/overlays/posh.nix 
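Review bot: The two `import {inherit (super) config;}` lines that define `nixpkgs-master` and `nixpkgs-unstable` carry no path in the rendered hunk; if they are `<nixpkgs-master>`/`<nixpkgs-unstable>` NIX_PATH lookups, what the overlay produces depends on whichever channel the evaluating machine happens to have, unlike `pr-holochain-launcher-bin`, which is pinned through `sources`. Pinning them the same way would make the overlay reproducible. In the `alacritty` wrapper, `phases = "installPhase";` disables every other phase including fixup; `dontUnpack = true;` states the intent without losing fixup, and `makeWrapper` is a build-time tool, so `nativeBuildInputs = [super.makeWrapper];` is the right list.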
@@ -0,0 +1,16 @@ +self: super: let + nixpkgs-master = import {}; + + inherit (nixpkgs-master) crun; + crun_10_6_0 = crun.overrideAttrs (oldAttrs: rec { + version = "0.10.6"; + src = super.fetchgit { + inherit (crun.src) url; + rev = version; + sha256 = "0v1hrlpnln0c976fb0k2ig4jv11qbyzf95z0wy92fd8r8in16rc1"; + }; + }); +in { + inherit (nixpkgs-master) podman conmon slirp4netns; + posh = self.callPackage ../pkgs/posh.nix {}; +} diff --git a/nix/pkgs/browserpass/default.nix b/nix/pkgs/browserpass/default.nix index 34a6977..5b13732 100644 --- a/nix/pkgs/browserpass/default.nix +++ b/nix/pkgs/browserpass/default.nix @@ -1,27 +1,27 @@ -with import { }; -stdenv.mkDerivation rec { - broken = true; +with import {}; + stdenv.mkDerivation rec { + broken = true; - name = "browserpass"; - version = "2.0.9"; + name = "browserpass"; + version = "2.0.9"; - src = fetchzip { - url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; - sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; - stripRoot = false; - }; + src = fetchzip { + url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; + sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; + stripRoot = false; + }; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ ]; - installPhase = '' - set -x - patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 + libPath = lib.makeLibraryPath []; + installPhase = '' + set -x + patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 - mkdir -p $out/bin - cp -a * $out/bin/ - # wrapProgram $out/bin/browserpass-linux64 \ - # --prefix LD_LIBRARY_PATH : "${libPath}" - # - ''; -} + mkdir -p $out/bin + cp -a * $out/bin/ + # wrapProgram $out/bin/browserpass-linux64 \ + # --prefix LD_LIBRARY_PATH : "${libPath}" + # + ''; + } 
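Review bot: `crun_10_6_0` is defined in the `let` block but never referenced in the result attrset, so the override and its pinned `sha256` have no effect; either export it, e.g. `crun = crun_10_6_0;`, or drop the binding. Its name also disagrees with `version = "0.10.6"`, which makes the intent hard to read. `nixpkgs-master = import {};` shows no path in the rendered hunk; if it is a `<nixpkgs-master>` lookup, `podman`, `conmon` and `slirp4netns` are taken from an unpinned channel rather than a revision fixed by the repo.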
diff --git a/nix/pkgs/dcpj4110dw/default.nix b/nix/pkgs/dcpj4110dw/default.nix deleted file mode 100644 index 93f59c7..0000000 --- a/nix/pkgs/dcpj4110dw/default.nix +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - pkgsi686Linux, - stdenv, - fetchurl, - dpkg, - makeWrapper, - coreutils, - ghostscript, - gnugrep, - gnused, - which, - lib, - cups, - a2ps, - gawk, - file, - proot, - bash, -}: -let - model = "dcpj4110dw"; - version = "3.0.1-1"; - src = fetchurl { - url = "https://download.brother.com/welcome/dlf005595/${model}lpr-${version}.i386.deb"; - sha256 = "sha256-ryKDsSkabAD2X3WLmeqjdB3+4DXdJ0qUz3O64DV+ixw="; - }; - reldir = "opt/brother/Printers/${model}/"; -in -rec { - driver = pkgsi686Linux.stdenv.mkDerivation rec { - inherit src version; - name = "${model}drv-${version}"; - - nativeBuildInputs = [ - dpkg - makeWrapper - ]; - - unpackPhase = "dpkg-deb -x $src $out"; - - installPhase = '' - # need to use i686 glibc here, these are 32bit proprietary binaries - patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/${reldir}/lpd/br${model}filter - - mkdir -p $out/lib/cups/filter/ - ln -s $out/${reldir}/lpd/filter${model} $out/lib/cups/filter/brother_lpdwrapper_${model} - - # use proot to bind /opt for the filter - mv $out/${reldir}/lpd/filter${model} $out/${reldir}/lpd/.wrapped_filter${model} - - cat <<-EOF >$out/${reldir}/lpd/.wrapper_inner_filter${model} - export PATH=\$PATH:${ - lib.makeBinPath [ - gawk - file - a2ps - coreutils - ghostscript - gnugrep - gnused - which - ] - } - exec $out/${reldir}/lpd/.wrapped_filter${model} - EOF - chmod +x $out/${reldir}/lpd/.wrapper_inner_filter${model} - - cat <<-EOF >$out/${reldir}/lpd/filter${model} - #!${bash}/bin/bash - exec ${proot}/bin/proot \ - -b /nix/store:/nix/store \ - -b $out/opt:/opt \ - -b ${cups}/share:/usr/share/cups \ - $out/${reldir}/lpd/.wrapper_inner_filter${model} - EOF - chmod +x $out/${reldir}/lpd/filter${model} - ''; - - meta = { - description = "Brother ${lib.strings.toUpper model} driver"; - homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; - # license = lib.licenses.unfree; - platforms = [ - "x86_64-linux" 
- "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; - }; - }; - - cupswrapper = stdenv.mkDerivation rec { - inherit version; - - src = fetchurl { - url = "https://download.brother.com/welcome/dlf005597/${model}cupswrapper-${version}.i386.deb"; - sha256 = "sha256-nwpuuXqBrEh5tye14gFLrezktTz6kq7HtnGqdBbgGkk="; - }; - - name = "${model}cupswrapper-${version}"; - - nativeBuildInputs = [ - dpkg - makeWrapper - ]; - buildInputs = [ - cups - ghostscript - a2ps - gawk - ]; - - unpackPhase = "dpkg-deb -x $src $out"; - - installPhase = '' - wrapProgram $out/${reldir}/cupswrapper/cupswrapper${model} \ - --prefix PATH : ${ - lib.makeBinPath [ - coreutils - ghostscript - gnugrep - gnused - ] - } - - patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/${reldir}/cupswrapper/brcupsconfpt1 - - mkdir -p $out/share/cups/model - ln -s $out/${reldir}/cupswrapper/brother_${model}_printer_en.ppd $out/share/cups/model/ - ''; - - meta = { - description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; - homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; - license = lib.licenses.gpl2; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; - }; - }; -} diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix index 78b37a6..959d466 100644 --- a/nix/pkgs/default.nix +++ b/nix/pkgs/default.nix 
@@ -1,8 +1,119 @@ -{ pkgs }: -{ - duplicacy = pkgs.callPackage ../pkgs/duplicacy { }; +{pkgs}: let +in rec { + nixpkgs-master = import {}; + + linuxPackages_sgx_540rc3 = let + linux_sgx_pkg = { + fetchurl, + buildLinux, + ... + } @ args: + buildLinux (args + // rec { + version = "5.4.0-rc3"; + modDirVersion = version; + + src = fetchurl { + url = "https://github.com/jsakkine-intel/linux-sgx/archive/v23.tar.gz"; + sha256 = "11rwlwv7s071ia889dk1dgrxprxiwgi7djhg47vi56dj81jgib20"; + }; + kernelPatches = []; + + extraConfig = '' + INTEL_SGX y + ''; + + extraMeta.branch = "5.4"; + } + // (args.argsOverride or {})); + linux_sgx = pkgs.callPackage linux_sgx_pkg {}; + in + pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_sgx); + linuxPackages_sgx_latest = linuxPackages_sgx_540rc3; + + busyboxStatic = pkgs.busybox.override { + enableStatic = true; + extraConfig = '' + CONFIG_STATIC y + CONFIG_INSTALL_APPLET_DONT y + CONFIG_INSTALL_APPLET_SYMLINKS n + ''; + }; + dropbearStatic = pkgs.dropbear.override {enableStatic = true;}; + + php5 = let + nixpkgsWithPhp5 = pkgs.fetchFromGitHub { + owner = "nixos"; + repo = "nixpkgs-channels"; + rev = "846d8f8305192dcc3a63139102698b4ac6b9ef9f"; + sha256 = "1qifgc1q2i4g0ivpfjnxp4jl2cc82gfjws08dsllgw7q7kw4b4rb"; + }; + php5 = + (pkgs.callPackage + "${nixpkgsWithPhp5}/pkgs/development/interpreters/php/default.nix" + { + config = pkgs.lib.attrsets.recursiveUpdate pkgs.config { + php = { + imap = false; + openssl = false; + curl = false; + ldap = false; + mcrypt = false; + }; + }; + stdenv = pkgs.llvmPackages_6.stdenv; # broken + icu = pkgs.icu60; + }) + .php56; + in + php5.overrideAttrs (attrs: rec { + # See https://secure.php.net/ChangeLog-5.php + version = "5.6.40"; + name = "php-${version}"; + + sha256 = "005s7w167dypl41wlrf51niryvwy1hfv53zxyyr3lm938v9jbl7z"; + src = pkgs.fetchurl { + url = "http://www.php.net/distributions/php-${version}.tar.bz2"; + inherit sha256; + }; + + configureFlags = attrs.configureFlags ++ 
["--without-fpm-systemd"]; + + meta.license = null; + }); + + duplicacy = pkgs.callPackage ../pkgs/duplicacy {}; + mfcl3770cdw = pkgs.callPackage ../pkgs/mfcl3770cdw.nix {}; staruml = pkgs.callPackage ../pkgs/staruml.nix { inherit (pkgs.gnome2) GConf; libgcrypt = pkgs.libgcrypt_1_5; }; + + pythonPackages = myPython; + myPython = pkgs.python310.withPackages (ps: + with ps; + [ + pep8 + yapf + flake8 + # autopep8 (broken) + # pylint (broken) + ipython + llfuse + dugong + defusedxml + wheel + pip + virtualenv + cffi + pyopenssl + urllib3 + # mistune (insecure) + sympy + + flask + + pyaml + ] + ++ [pkgs.pypi2nix pkgs.libffi]); } diff --git a/nix/pkgs/duplicacy/default.nix b/nix/pkgs/duplicacy/default.nix index b961a17..7a3fc19 100644 --- a/nix/pkgs/duplicacy/default.nix +++ b/nix/pkgs/duplicacy/default.nix @@ -1,4 +1,7 @@ -{ buildGoPackage, fetchFromGitHub }: +{ + buildGoPackage, + fetchFromGitHub, +}: buildGoPackage rec { name = "duplicay-${version}"; version = "2.1.2"; diff --git a/nix/pkgs/duplicacy/shell.nix b/nix/pkgs/duplicacy/shell.nix index 045572c..051e832 100644 --- a/nix/pkgs/duplicacy/shell.nix +++ b/nix/pkgs/duplicacy/shell.nix @@ -1,12 +1,12 @@ -with import { }; -stdenv.mkDerivation { - name = "env"; - buildInputs = [ - zsh - go - go2nix - dep2nix - nix-prefetch-github - (callPackage ./default.nix { }) - ]; -} +with import {}; + stdenv.mkDerivation { + name = "env"; + buildInputs = [ + zsh + go + go2nix + dep2nix + nix-prefetch-github + (callPackage ./default.nix {}) + ]; + } diff --git a/nix/pkgs/jay.nix b/nix/pkgs/jay.nix deleted file mode 100644 index 9a7b0e5..0000000 --- a/nix/pkgs/jay.nix +++ /dev/null 
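Review bot: `php5` builds PHP 5.6.40, a release line that has been end-of-life since the end of 2018, with `openssl = false`, a plain `http://` download URL and `meta.license = null`, so nothing signals the risk to anyone who picks it up from this attrset. Consider `meta.knownVulnerabilities = [ "PHP 5.6 is end-of-life and receives no security updates" ];` so evaluation fails unless the caller opts in, and switch the URL to `https://www.php.net/distributions/php-${version}.tar.bz2` (the pinned sha256 guards integrity either way, but not confidentiality of what is being fetched). The same concern applies to `linuxPackages_sgx_540rc3`, a 5.4.0-rc3 kernel fetched from a GitHub archive tarball, which `linuxPackages_sgx_latest` aliases as if it were current. `nixpkgs-master = import {};` shows no path in the rendered hunk; if it is a `<nixpkgs-master>` NIX_PATH lookup it resolves to whatever channel the evaluating machine has rather than a revision pinned by the repo.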
@@ -1,36 +0,0 @@ -{ - lib, - src, - rustPlatform, - libinput, - libxkbcommon, - mesa, - pango, - udev, -}: -rustPlatform.buildRustPackage rec { - pname = "jay"; - version = src.rev; - - inherit src; - - cargoLock.lockFile = "${src}/Cargo.lock"; - - buildInputs = [ - libxkbcommon - mesa - pango - udev - libinput - ]; - - RUSTC_BOOTSTRAP = 1; - - meta = with lib; { - description = "A Wayland compositor written in Rust"; - homepage = "https://github.com/mahkoh/jay"; - license = licenses.gpl3; - platforms = platforms.linux; - maintainers = with maintainers; [ dit7ya ]; - }; -} diff --git a/nix/pkgs/logseq/Containerfile b/nix/pkgs/logseq/Containerfile deleted file mode 100644 index 97464d1..0000000 --- a/nix/pkgs/logseq/Containerfile +++ /dev/null 
@@ -1,57 +0,0 @@ -# NOTE: please keep it in sync with .github pipelines -# NOTE: during testing make sure to change the branch below -# NOTE: before running the build-docker GH action edit -# build-docker.yml and change the release channel from :latest to :testing - -# Builder image -# FROM clojure:temurin-11-tools-deps-1.11.1.1208-bullseye-slim as builder -FROM clojure:temurin-11-tools-deps-bullseye-slim as builder - -ARG DEBIAN_FRONTEND=noninteractive - -# Install reqs -RUN echo 1 -RUN apt-get update && apt-get install -y --no-install-recommends \ - curl \ - ca-certificates \ - apt-transport-https \ - gpg \ - build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev \ - zip - -# install NodeJS & yarn -RUN curl -sL https://deb.nodesource.com/setup_20.x | bash - - -RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /etc/apt/trusted.gpg.d/yarn.gpg && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && apt-get update && apt-get install -y nodejs yarn - -WORKDIR /data - -ENV VERSION=0.10.9 - -# build Logseq static resources -RUN git clone -b ${VERSION} https://github.com/logseq/logseq.git . - -RUN yarn config set network-timeout 240000 -g && yarn install -RUN yarn release-electron - -RUN mkdir /out -RUN mv /data/static/out/make/zip /out/${VERSION}.zip -RUN mv /data/static/out/make/*.AppImage /out/ - -FROM scratch as artifacts -COPY --from=builder /out / -# Logseq-${VERSION}.AppImage -# RUN mv zip /${VERSION}.zip - -# RUN \ -# mkdir -p builds -# # NOTE: save VERSION file to builds directory -# cp static/VERSION ./builds/VERSION -# mv static/out/make/*-*.AppImage ./builds/Logseq-linux-aarch64-${VERSION}.AppImage -# mv static/out/make/zip/linux/x64/*-linux-x64-*.zip ./builds/Logseq-linux-aarch64-${VERSION}.zip - -# # Web App Runner image -# FROM nginx:1.24.0-alpine3.17 -# -# COPY --from=builder /data/static /usr/share/nginx/html -# 
diff --git a/nix/pkgs/logseq/README.md b/nix/pkgs/logseq/README.md deleted file mode 100644 index 0c596b6..0000000 --- a/nix/pkgs/logseq/README.md +++ /dev/null @@ -1,22 +0,0 @@ -# build instructions - -this is pseudocode that serves as a reminder - -1. podman build -f Containerfile -t logseq -2. CONTAINER_ID=$(podman container create logseq) -3. podman unshare -4. podman mount $CONTAINER_ID -5. copy and upload the AppImage. e.g. - ``` - cp /home/steveej/.local/share/containers/storage/overlay/f932ca9f11ea2bfd6b221118eb54775a623bc519bfe38188afcbad51dda2777f/merged/Logseq-0.10.9.AppImage . - exit - scp Logseq-0.10.9.AppImage root@www.stefanjunker.de:/var/lib/container-volumes/webserver/var-www/stefanjunker.de/htdocs/caddy/downloads/ - ``` -6. podman unshare -7. podman unmount - -# resources - -- https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90 -- https://github.com/logseq/logseq/blob/master/Dockerfile -- https://github.com/randomwangran/logseq-nix-flake diff --git a/nix/pkgs/magmawm.nix b/nix/pkgs/magmawm.nix deleted file mode 100644 index c1850c1..0000000 --- a/nix/pkgs/magmawm.nix +++ /dev/null @@ -1,47 +0,0 @@ -{ - lib, - src, - craneLib, - pkg-config, - wayland, - libseat, - libinput, - libxkbcommon, - mesa, - udev, - dbus, - libGL, -}: -craneLib.buildPackage { - inherit src; - pname = "magmawm"; - version = src.rev; - - nativeBuildInputs = [ pkg-config ]; - - buildInputs = [ - wayland - udev - libxkbcommon - libinput - dbus - libseat - mesa - ]; - - preFixup = '' - if [[ -e "$out/bin/magmawm" ]]; then - patchelf \ - --add-needed "${libGL}/lib/libEGL.so.1" \ - $out/bin/magmawm - fi - ''; - - meta = with lib; { - description = "A versatile and customizable Window Manager and Wayland Compositor"; - homepage = "https://github.com/MagmaWM/MagmaWM"; - license = licenses.gpl3; - platforms = platforms.linux; - maintainers = with maintainers; [ ]; - }; -} 
diff --git a/nix/pkgs/mfcl3770cdw.nix b/nix/pkgs/mfcl3770cdw.nix index 142c1c0..5c04cbf 100644 --- a/nix/pkgs/mfcl3770cdw.nix +++ b/nix/pkgs/mfcl3770cdw.nix @@ -11,8 +11,7 @@ which, perl, lib, -}: -let +}: let model = "mfcl3770cdw"; version = "1.0.2-0"; src = fetchurl { @@ -20,16 +19,12 @@ let sha256 = "09fhbzhpjymhkwxqyxzv24b06ybmajr6872yp7pri39595mhrvay"; }; reldir = "opt/brother/Printers/${model}/"; -in -rec { +in rec { driver = stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [dpkg makeWrapper]; unpackPhase = "dpkg-deb -x $src $out"; @@ -41,14 +36,8 @@ rec { --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/lpd/filter_${model} \ --prefix PATH : ${ - lib.makeBinPath [ - coreutils - ghostscript - gnugrep - gnused - which - ] - } + lib.makeBinPath [coreutils ghostscript gnugrep gnused which] + } # need to use i686 glibc here, these are 32bit proprietary binaries interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2 patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter @@ -58,11 +47,8 @@ rec { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; license = lib.licenses.unfree; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; @@ -70,10 +56,7 @@ rec { inherit version src; name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [dpkg makeWrapper]; unpackPhase = "dpkg-deb -x $src $out"; 
@@ -85,13 +68,7 @@ rec {
 --replace "basedir =~" "basedir = \"$basedir\"; #" \
 --replace "PRINTER =~" "PRINTER = \"${model}\"; #"
 wrapProgram $dir/cupswrapper/brother_lpdwrapper_${model} \
- --prefix PATH : ${
- lib.makeBinPath [
- coreutils
- gnugrep
- gnused
- ]
- }
+ --prefix PATH : ${lib.makeBinPath [coreutils gnugrep gnused]}
 mkdir -p $out/lib/cups/filter
 mkdir -p $out/share/cups/model
 ln $dir/cupswrapper/brother_lpdwrapper_${model} $out/lib/cups/filter
@@ -102,11 +79,8 @@ rec {
 description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver";
 homepage = "http://www.brother.com/";
 license = lib.licenses.gpl2;
- platforms = [
- "x86_64-linux"
- "i686-linux"
- ];
- maintainers = [ lib.maintainers.steveej ];
+ platforms = ["x86_64-linux" "i686-linux"];
+ maintainers = [lib.maintainers.steveej];
 };
 };
 }
diff --git a/nix/pkgs/nozbe/default.nix b/nix/pkgs/nozbe/default.nix
index e5ac519..368add8 100644
--- a/nix/pkgs/nozbe/default.nix
+++ b/nix/pkgs/nozbe/default.nix
@@ -1,60 +1,60 @@ -with import { }; -stdenv.mkDerivation rec { - name = "nozbe"; - version = "3.6.3"; +with import {}; + stdenv.mkDerivation rec { + name = "nozbe"; + version = "3.6.3"; - src = fetchzip { - url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; - sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; - stripRoot = false; - }; + src = fetchzip { + url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; + sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; + stripRoot = false; + }; - buildInputs = [ makeWrapper ]; + buildInputs = [makeWrapper]; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ - alsaLib - atk - cairo - cups - dbus - expat - freetype - fontconfig - gnome3.gconf - gcc.cc - gdk_pixbuf - gtk2-x11 - glib - pango - nss - nspr - systemd.lib - xorg.libX11 - xorg.libXcursor - xorg.libXcomposite - xorg.libXext - xorg.libXfixes - xorg.libXdamage - xorg.libXi - xorg.libXrandr - xorg.libXrender - xorg.libXtst - xorg.libXScrnSaver - ]; - installPhase = '' - pushd Nozbe-${version} - ls -lha + libPath = lib.makeLibraryPath [ + alsaLib + atk + cairo + cups + dbus + expat + freetype + fontconfig + gnome3.gconf + gcc.cc + gdk_pixbuf + gtk2-x11 + glib + pango + nss + nspr + systemd.lib + xorg.libX11 + xorg.libXcursor + xorg.libXcomposite + xorg.libXext + xorg.libXfixes + xorg.libXdamage + xorg.libXi + xorg.libXrandr + xorg.libXrender + xorg.libXtst + xorg.libXScrnSaver + ]; + installPhase = '' + pushd Nozbe-${version} + ls -lha - patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe + patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe - mkdir -p $out/bin - cp -a * $out/ + mkdir -p $out/bin + cp -a * $out/ - wrapProgram $out/Nozbe \ - --prefix LD_LIBRARY_PATH : "${libPath}" + wrapProgram $out/Nozbe \ + --prefix LD_LIBRARY_PATH : "${libPath}" - ln -sf ../Nozbe $out/bin/ - ''; -} + ln -sf ../Nozbe $out/bin/ + ''; + } 
diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix index b7ad5cb..4d993ba 100644 --- a/nix/pkgs/posh.nix +++ b/nix/pkgs/posh.nix @@ -1,44 +1,42 @@ # posh makes use of podman to run an encapsulated shell session -{ pkgs, ... }: -let - cniConfigDir = - let - loopback = pkgs.writeText "00-loopback.conf" '' - { - "cniVersion": "0.3.0", - "type": "loopback" - } - ''; +{pkgs, ...}: let + cniConfigDir = let + loopback = pkgs.writeText "00-loopback.conf" '' + { + "cniVersion": "0.3.0", + "type": "loopback" + } + ''; - podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' - { - "cniVersion": "0.3.0", - "name": "podman", - "plugins": [ - { - "type": "bridge", - "bridge": "cni0", - "isGateway": true, - "ipMasq": true, - "ipam": { - "type": "host-local", - "subnet": "10.88.0.0/16", - "routes": [ - { "dst": "0.0.0.0/0" } - ] - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } + podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] } - ] - } - ''; - in - pkgs.runCommand "cniConfig" { } '' + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ''; + in + pkgs.runCommand "cniConfig" {} '' set -x mkdir $out; ln -s ${loopback} $out/${loopback.name} 
@@ -127,58 +125,54 @@ let } ''; in -{ - image, - pull ? "always", - global_args ? "", - run_args ? "", - userns ? "keep-id", -}: -(pkgs.writeScriptBin "posh" '' - #! ${pkgs.bash}/bin/bash - source /etc/profile + { + image, + pull ? "always", + global_args ? "", + run_args ? "", + userns ? "keep-id", + }: + (pkgs.writeScriptBin "posh" '' + #! ${pkgs.bash}/bin/bash + source /etc/profile - test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" - tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" + test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" + tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" - # define these as variables so we can override them at runtime - POSH_IMAGE=${image} - POSH_PULL=${pull} + # define these as variables so we can override them at runtime + POSH_IMAGE=${image} + POSH_PULL=${pull} - if [ "$1" == "-c" ]; then - # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string - shift - # TODO parse the beginning of the command for POSH_* overrides - fi + if [ "$1" == "-c" ]; then + # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string + shift + # TODO parse the beginning of the command for POSH_* overrides + fi - test "$@" && cmd=( -c "$@") + test "$@" && cmd=( -c "$@") - HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" - HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" - test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR - ln -sf ${policy-json} $HOME_POLICY_JSON + HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" + HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" + test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR + ln -sf ${policy-json} $HOME_POLICY_JSON - set -x - exec ${pkgs.podman}/bin/podman \ - --cgroup-manager=cgroupfs \ - ${global_args} \ - run \ - 
--annotation=io.crun.keep_original_groups=1 \ - --config ${podmanConfig} \ - --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ - --rm -i --network host --pull=''${POSH_PULL} \ - $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ - ${if userns != null then "--userns=" + userns else ""} \ - ${run_args} \ - ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" -'').overrideAttrs - ( - attrs: - attrs - // { - passthru = { - shellPath = "/bin/posh"; - }; - } - ) + set -x + exec ${pkgs.podman}/bin/podman \ + --cgroup-manager=cgroupfs \ + ${global_args} \ + run \ + --annotation=io.crun.keep_original_groups=1 \ + --config ${podmanConfig} \ + --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ + --rm -i --network host --pull=''${POSH_PULL} \ + $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ + ${ + if userns != null + then "--userns=" + userns + else "" + } \ + ${run_args} \ + ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" + '') + .overrideAttrs (attrs: attrs // {passthru = {shellPath = "/bin/posh";};}) diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix index 5e50ecf..ffcc730 100644 --- a/nix/pkgs/slirp4netns.nix +++ b/nix/pkgs/slirp4netns.nix @@ -18,13 +18,7 @@ stdenv.mkDerivation rec { sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4"; }; - buildInputs = [ - autoconf - automake - libtool - gnumake - gcc - ]; + buildInputs = [autoconf automake libtool gnumake gcc]; configurePhase = '' ./autogen.sh @@ -43,7 +37,7 @@ stdenv.mkDerivation rec { description = "User-mode networking for unprivileged network namespaces"; homepage = "https://github.com/rootless-containers/slirp4netns"; license = null; - maintainers = [ maintainers.steveej ]; + maintainers = [maintainers.steveej]; platforms = platforms.all; }; } diff --git a/nix/pkgs/staruml.nix b/nix/pkgs/staruml.nix index 35399ad..a0e9d90 100644 --- a/nix/pkgs/staruml.nix +++ b/nix/pkgs/staruml.nix 
@@ -15,8 +15,7 @@
 libgcrypt,
 dbus,
 systemd,
-}:
-let
+}: let
 inherit (stdenv) lib;
 LD_LIBRARY_PATH = lib.makeLibraryPath [
 glib
@@ -31,56 +30,55 @@ let dbus ]; in -stdenv.mkDerivation rec { - version = "2.8.1"; - name = "staruml-${version}"; + stdenv.mkDerivation rec { + version = "2.8.1"; + name = "staruml-${version}"; - src = - if stdenv.system == "i686-linux" then - fetchurl { - url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; - sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; - } - else - fetchurl { - url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; - sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; - }; + src = + if stdenv.system == "i686-linux" + then + fetchurl + { + url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; + sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; + } + else + fetchurl { + url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; + sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; + }; - buildInputs = [ dpkg ]; + buildInputs = [dpkg]; - nativeBuildInputs = [ makeWrapper ]; + nativeBuildInputs = [makeWrapper]; - unpackPhase = '' - mkdir pkg - dpkg-deb -x $src pkg - sourceRoot=pkg - ''; + unpackPhase = '' + mkdir pkg + dpkg-deb -x $src pkg + sourceRoot=pkg + ''; - installPhase = '' - mkdir $out - mv opt/staruml $out/bin + installPhase = '' + mkdir $out + mv opt/staruml $out/bin - mkdir -p $out/lib - ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ - ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 + mkdir -p $out/lib + ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ + ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 - for binary in StarUML Brackets-node; do - ${patchelf}/bin/patchelf \ - --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/bin/$binary - wrapProgram $out/bin/$binary \ - --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} - done - ''; + for binary in StarUML Brackets-node; do + 
${patchelf}/bin/patchelf \
+ --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
+ $out/bin/$binary
+ wrapProgram $out/bin/$binary \
+ --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH}
+ done
+ '';
- meta = with stdenv.lib; {
- description = "A sophisticated software modeler";
- homepage = "http://staruml.io/";
- license = licenses.unfree;
- platforms = [
- "i686-linux"
- "x86_64-linux"
- ];
- };
-}
+ meta = with stdenv.lib; {
+ description = "A sophisticated software modeler";
+ homepage = "http://staruml.io/";
+ license = licenses.unfree;
+ platforms = ["i686-linux" "x86_64-linux"];
+ };
+ }
diff --git a/nix/scripts/pre-eval-fixed.sh b/nix/scripts/pre-eval-fixed.sh
index ec7b14e..25a3e36 100755
--- a/nix/scripts/pre-eval-fixed.sh
+++ b/nix/scripts/pre-eval-fixed.sh
@@ -3,7 +3,7 @@ set -xe
 INFILE="${1:?Please set arg1 to INFILE}"
 OUTFILE="${2:?Please set arg2 to OUTFILE}"
 # sha256-1fm94N2Y9ptXVN6ni0nJyPRK+nsvoeliqBcFyjlaTH4=
-# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm
-hash=$(nix-build "${INFILE}" --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1')
+# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm
+hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1')
-sed -E "s/0{52}/${hash}/" "${INFILE}" >"${OUTFILE}"
+sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE}
diff --git a/nix/sources.json b/nix/sources.json
new file mode 100644
index 0000000..ff4275b
--- /dev/null
+++ b/nix/sources.json
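Review bot: Dropping the quotes around `${INFILE}` and `${OUTFILE}` on the `nix-build` and `sed` lines reintroduces word splitting and glob expansion for paths containing spaces or shell metacharacters; the previous quoted form was the safer one and should be restored, e.g. `hash=$(nix-build "${INFILE}" --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1')` and `sed -E "s|0{52}|${hash}|" "${INFILE}" >"${OUTFILE}"`. The `|` delimiter matters too, because an SRI hash such as the `sha256-…` in the comment above can contain `/`, which would terminate the `s/…/…/` expression early. The script also records whatever hash the first fetch produced (`got …`), so the pinned value guarantees reproducibility from that point on but says nothing about the authenticity of the upstream artefact; a header comment such as `# trust-on-first-use: the hash is taken from the first fetch, verify the artefact separately` would make that explicit.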
@@ -0,0 +1,26 @@ +{ + "nixpkgs": { + "branch": "release-22.05", + "description": "Nix Packages collection", + "homepage": "https://github.com/NixOS/nixpkgs", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "26fe7618c7efbbfe28db9a52a21fb87e67ebaf06", + "sha256": "0wi8l10zn808psf0i7ka3ifpx46vdv2fkq3hcb9d5m72fv64vznr", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/26fe7618c7efbbfe28db9a52a21fb87e67ebaf06.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, + "pr-holochain-launcher-bin": { + "branch": "pr-holochain-launcher-bin", + "description": "Nix Packages collection", + "homepage": null, + "owner": "steveeJ-forks", + "repo": "nixpkgs", + "rev": "11f978d53355759a47d60d688709921f2e0fb158", + "sha256": "03mdx63gjynj297b55wkjcnaicsm8n2chgpp2v80sx8ixgllmxiw", + "type": "tarball", + "url": "https://github.com/steveeJ-forks/nixpkgs/archive/11f978d53355759a47d60d688709921f2e0fb158.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + } +} diff --git a/nix/sources.nix b/nix/sources.nix new file mode 100644 index 0000000..87a7093 --- /dev/null +++ b/nix/sources.nix 
@@ -0,0 +1,260 @@ +# This file has been generated by Niv. +let + # + # The fetchers. fetch_ fetches specs of type . + # + fetch_file = pkgs: name: spec: let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true + then + builtins_fetchurl + { + inherit (spec) url sha256; + name = name'; + } + else + pkgs.fetchurl { + inherit (spec) url sha256; + name = name'; + }; + + fetch_tarball = pkgs: name: spec: let + name' = sanitizeName name + "-src"; + in + if spec.builtin or true + then + builtins_fetchTarball + { + name = name'; + inherit (spec) url sha256; + } + else + pkgs.fetchzip { + name = name'; + inherit (spec) url sha256; + }; + + fetch_git = name: spec: let + ref = + if spec ? ref + then spec.ref + else if spec ? branch + then "refs/heads/${spec.branch}" + else if spec ? tag + then "refs/tags/${spec.tag}" + else + abort + "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; + submodules = + if spec ? submodules + then spec.submodules + else false; + submoduleArg = let + nixSupportsSubmodules = + builtins.compareVersions builtins.nixVersion "2.4" >= 0; + emptyArgWithWarning = + if submodules == true + then + builtins.trace + (''The niv input "${name}" uses submodules '' + + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " + + "does not support them") + {} + else {}; + in + if nixSupportsSubmodules + then { + inherit submodules; + } + else emptyArgWithWarning; + in + builtins.fetchGit ({ + url = spec.repo; + inherit (spec) rev; + inherit ref; + } + // submoduleArg); + + fetch_local = spec: spec.path; + + fetch_builtin-tarball = name: + throw '' + [${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. + $ niv modify ${name} -a type=tarball -a builtin=true''; + + fetch_builtin-url = name: + throw '' + [${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. 
+ $ niv modify ${name} -a type=file -a builtin=true''; + + # + # Various helpers + # + + # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 + sanitizeName = name: (concatMapStrings (s: + if builtins.isList s + then "-" + else s) + (builtins.split "[^[:alnum:]+._?=-]+" + ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name))); + + # The set of packages used when specs are fetched using non-builtins. + mkPkgs = sources: system: let + sourcesNixpkgs = + import + (builtins_fetchTarball {inherit (sources.nixpkgs) url sha256;}) + { + inherit system; + }; + hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; + hasThisAsNixpkgsPath = == ./.; + in + if builtins.hasAttr "nixpkgs" sources + then sourcesNixpkgs + else if hasNixpkgsPath && !hasThisAsNixpkgsPath + then import {} + else + abort '' + Please specify either (through -I or NIX_PATH=nixpkgs=...) or + add a package called "nixpkgs" to your sources.json. + ''; + + # The actual fetching function. + fetch = pkgs: name: spec: + if !builtins.hasAttr "type" spec + then abort "ERROR: niv spec ${name} does not have a 'type' attribute" + else if spec.type == "file" + then fetch_file pkgs name spec + else if spec.type == "tarball" + then fetch_tarball pkgs name spec + else if spec.type == "git" + then fetch_git name spec + else if spec.type == "local" + then fetch_local spec + else if spec.type == "builtin-tarball" + then fetch_builtin-tarball name + else if spec.type == "builtin-url" + then fetch_builtin-url name + else + abort + "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; + + # If the environment variable NIV_OVERRIDE_${name} is set, then use + # the path directly as opposed to the fetched source. 
+ replace = name: drv: let + saneName = + stringAsChars + (c: + if isNull (builtins.match "[a-zA-Z0-9]" c) + then "_" + else c) + name; + ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; + in + if ersatz == "" + then drv + else + # this turns the string into an actual Nix path (for both absolute and + # relative paths) + if builtins.substring 0 1 ersatz == "/" + then /. + ersatz + else /. + builtins.getEnv "PWD" + "/${ersatz}"; + + # Ports of functions for older nix versions + + # a Nix version of mapAttrs if the built-in doesn't exist + mapAttrs = + builtins.mapAttrs + or (f: set: + with builtins; + listToAttrs (map (attr: { + name = attr; + value = f attr set.${attr}; + }) (attrNames set))); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 + range = first: last: + if first > last + then [] + else builtins.genList (n: first + n) (last - first + 1); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 + stringToCharacters = s: + map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); + + # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 + stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); + concatMapStrings = f: list: concatStrings (map f list); + concatStrings = builtins.concatStringsSep ""; + + # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 + optionalAttrs = cond: as: + if cond + then as + else {}; + + # fetchTarball version that is compatible between all the versions of Nix + builtins_fetchTarball = { + url, + name ? 
null, + sha256, + } @ attrs: let + inherit (builtins) lessThan nixVersion fetchTarball; + in + if lessThan nixVersion "1.12" + then + fetchTarball + ({inherit url;} // (optionalAttrs (!isNull name) {inherit name;})) + else fetchTarball attrs; + + # fetchurl version that is compatible between all the versions of Nix + builtins_fetchurl = { + url, + name ? null, + sha256, + } @ attrs: let + inherit (builtins) lessThan nixVersion fetchurl; + in + if lessThan nixVersion "1.12" + then + fetchurl + ({inherit url;} // (optionalAttrs (!isNull name) {inherit name;})) + else fetchurl attrs; + + # Create the final "sources" from the config + mkSources = config: + mapAttrs + (name: spec: + if builtins.hasAttr "outPath" spec + then + abort + "The values in sources.json should not have an 'outPath' attribute" + else spec // {outPath = replace name (fetch config.pkgs name spec);}) + config.sources; + + # The "config" used by the fetchers + mkConfig = { + sourcesFile ? + if builtins.pathExists ./sources.json + then ./sources.json + else null, + sources ? + if isNull sourcesFile + then {} + else builtins.fromJSON (builtins.readFile sourcesFile), + system ? builtins.currentSystem, + pkgs ? mkPkgs sources system, + }: rec { + # The sources, i.e. the attribute set of spec name to spec + inherit sources; + + # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers + inherit pkgs; + }; +in + mkSources (mkConfig {}) + // { + __functor = _: settings: mkSources (mkConfig settings); + } diff --git a/nix/tests/buildvmwithbootloader/build-vm.nix b/nix/tests/buildvmwithbootloader/build-vm.nix index a085713..be819b6 100644 --- a/nix/tests/buildvmwithbootloader/build-vm.nix +++ b/nix/tests/buildvmwithbootloader/build-vm.nix 
@@ -3,14 +3,20 @@
 vmPkgsPath,
 buildPkgsPath,
 nixosConfigPath,
-}:
-let
- vmPkgs' = import vmPkgsPath { };
- vmPkgs = vmPkgs' // {
- runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}";
- };
+}: let
+ buildPkgs = import buildPkgsPath {};
+ vmPkgs' = import vmPkgsPath {};
+ vmPkgs =
+ vmPkgs'
+ // {
+ runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}";
+ };
- importWithPkgs = { path, pkgs }: args: import path (args // { inherit pkgs; });
+ importWithPkgs = {
+ path,
+ pkgs,
+ }: args:
+ import path (args // {inherit pkgs;});
 nixosConfig = importWithPkgs {
 path = "${nixosConfigPath}";
@@ -30,10 +36,8 @@ let
 modules = [
 nixosConfig
 vmConfig
- { virtualisation.useBootLoader = true; }
+ {virtualisation.useBootLoader = true;}
 ];
- }).config;
-in
-{
- vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm;
-}
+ })
+ .config;
+in {vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm;}
diff --git a/nix/tests/buildvmwithbootloader/build-vm.sh b/nix/tests/buildvmwithbootloader/build-vm.sh
index 3ee6ee0..520e0c8 100755
--- a/nix/tests/buildvmwithbootloader/build-vm.sh
+++ b/nix/tests/buildvmwithbootloader/build-vm.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 set -x
-rm ./*.qcow2
+rm *.qcow2
 rm result*
 set -e
@@ -8,9 +8,9 @@ BUILD_NIXPKGS="${BUILD_NIXPKGS:-${HOME}/src/github/NixOS/nixpkgs.dev}"
 NIXOS_CONFIG="${NIXOS_CONFIG_OVERRIDE:-${PWD}/configuration.nix}"
 nix-build -K --show-trace build-vm.nix \
- --arg vmPkgsPath '' \
- --argstr buildPkgsPath "${BUILD_NIXPKGS}" \
- --argstr nixosConfigPath "${NIXOS_CONFIG}" \
- -A vmWithBootLoaderMixed
+ --arg vmPkgsPath '' \
+ --argstr buildPkgsPath "${BUILD_NIXPKGS}" \
+ --argstr nixosConfigPath "${NIXOS_CONFIG}" \
+ -A vmWithBootLoaderMixed
-"./result/bin/run-*-vm"
+./result/bin/run-*-vm
diff --git a/nix/tests/buildvmwithbootloader/configuration.nix b/nix/tests/buildvmwithbootloader/configuration.nix
index 49dc463..92072fe 100644
--- a/nix/tests/buildvmwithbootloader/configuration.nix
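Review bot: `buildPkgs = import buildPkgsPath {};` is bound in the new `let` but nothing in either hunk references it; if the lines between the two hunks do not use it either, it is dead code (Nix evaluates it lazily, so it costs nothing, but it misleads the reader into looking for a consumer). If it is consumed further down, a one-line comment naming that use would help, e.g. `# shared by the VM and bootloader modules below`. The `let` binding list continues past the first hunk, so the consumer may sit in the unseen part of the file.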
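Review bot: `rm *.qcow2` drops the `./` prefix that kept a file name beginning with `-` from being parsed by `rm` as an option (the case shellcheck SC2035 warns about); keep `rm ./*.qcow2` or write `rm -- *.qcow2`. The same applies to the unchanged `rm result*` on the following line. Both run before `set -e`, so a glob that matches nothing only prints an error, which looks intended.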
+++ b/nix/tests/buildvmwithbootloader/configuration.nix
@@ -1,5 +1,9 @@
-{ lib, ... }:
 {
+ pkgs,
+ lib,
+ ...
+}: let
+in {
 boot.loader.grub = {
 enable = true;
 version = 2;
@@ -18,23 +22,13 @@
 allowDiscards = true;
 }
 ];
- fileSystems."/" = {
- label = "root";
- };
+ fileSystems."/" = {label = "root";};
- fileSystems."/boot" = {
- label = "boot";
- };
+ fileSystems."/boot" = {label = "boot";};
 boot.tmpOnTmpfs = true;
- boot.initrd.availableKernelModules = [
- "xhci_pci"
- "ahci"
- "usb_storage"
- "sd_mod"
- "rtsx_pci_sdmmc"
- ];
+ boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"];
 users.extraUsers.root.initialPassword = lib.mkForce "toorroot";
 users.mutableUsers = false;
diff --git a/nix/tests/buildvmwithbootloader/debug-vm.sh b/nix/tests/buildvmwithbootloader/debug-vm.sh
index 8e3bdce..0d11067 100755
--- a/nix/tests/buildvmwithbootloader/debug-vm.sh
+++ b/nix/tests/buildvmwithbootloader/debug-vm.sh
@@ -1,5 +1,3 @@
-#!/usr/bin/env bash
-
 # /nix/store/lya9qyl9z5xb4vzdzh4vzcr7gfssk47z-qemu-host-cpu-only-for-vm-tests-2.12.0/bin/qemu-kvm \
 # -cpu \
 # kvm64 \
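Review bot: The new header lines `}: let` / `in {` open an empty `let … in`, and the added `pkgs` argument is not referenced anywhere in either hunk; unless code between the hunks needs them, `{ lib, ... }: {` is the clearer form. If `pkgs` is kept for a later use, a short comment on why it is bound would save the next reader a search. The second hunk only collapses lists and attribute sets onto single lines, and the fixed root password it carries as context is presumably fine because this module is only fed to a throwaway test VM.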
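Review bot: Removing `#!/usr/bin/env bash` from a file that keeps mode 100755 leaves a script with no interpreter line, so running it directly relies on the caller's shell falling back to `/bin/sh` after an ENOEXEC; that `sh` is not guaranteed to be bash, and the long backslash-continued qemu command below may then be parsed differently. Keep the shebang, or, if the file is now meant only as a pasteable reference, drop the executable bit as well and say so in a leading comment such as `# reference command only; not meant to be executed directly`.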
@@ -26,6 +24,7 @@
 # -drive \
 # index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/nixos.qcow2,cache=writeback,werror=report,if=virtio \ + /nix/store/0i6fr8vv559a50w0vipvd22r0kkg1kx1-qemu-host-cpu-only-for-vm-tests-3.0.0/bin/qemu-kvm -cpu kvm64 -name nixos -m 384 -smp 1 -device virtio-rng-pci -net nic,netdev=user.0,model=virtio -netdev user,id=user.0 -virtfs local,path=/nix/store,security_model=none,mount_tag=store -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=xchg -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=shared \
- -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \
- -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio
+ -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \
+ -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio \
diff --git a/nix/tests/test-vm.nix b/nix/tests/test-vm.nix
index fc956b6..55053e2 100644
--- a/nix/tests/test-vm.nix
+++ b/nix/tests/test-vm.nix
@@ -1,4 +1,10 @@
-_: {
+{
+ lib,
+ config,
+ pkgs,
+ fetchgit,
+ ...
+}: {
 boot.consoleLogLevel = 6;
 users.users.root.initialPassword = "root";
 systemd.services."serial-getty@ttyS0".enable = true;
diff --git a/nix/variables/keys.nix b/nix/variables/keys.nix
index bd140a9..8eb8229 100644
--- a/nix/variables/keys.nix
+++ b/nix/variables/keys.nix
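Review bot: The final `-drive index=0,…,if=virtio \` line now ends with a continuation backslash with nothing after it; at end of file bash ignores it, but any line appended later silently becomes part of the qemu command line, so the trailing `\` should be removed. The `/tmp/nix-vm.BXlbOnli8K/…` paths in the command come from one captured run and will not exist on the next, which is worth stating in a comment, e.g. `# paths below were captured from a single run; regenerate before reuse`.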
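Review bot: `fetchgit` is not an argument the NixOS module system supplies (modules receive `config`, `options`, `lib`, `pkgs`, `modulesPath` and whatever `specialArgs` or `_module.args` add), so while the unused binding presumably evaluates today because module arguments are resolved lazily, any later use of it would fail with a missing-argument error; drop it and reach for `pkgs.fetchgit` if a fetcher is needed. `config` is likewise unreferenced in the visible lines. The module body continues outside the hunk.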
@@ -3,7 +3,6 @@ steveej = { openssh = [ # active, current - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC98w24rC+0YwkR/60VvuHVo+HaojvrM0rre0WCj1s1YVFiLPycsAKhZvl/yo06RKgkhChGb0tHZRGseQSmyb+rEbuNFxXQZnjOylT4jlrQvFR+S9WulkHrLMU0wodwEOpTrzJr/zqThEy3pj61KpC+Yhj9FfCn/p3l7HvL2yp3j+TyclyGbEQtt3Dgo1Ls5ZiD5FVhZAMkto4mK9fThyKjQhT6dUu47j2mxhT5OB8gHNtmPvpdQAUQCNrIz4oP5gilGKsWILmXM0/UwnrSXVdR2cUeiRkKqT0h/Q5jp/+/aW8oDoNYluHw2unWJcMTF0zoVWy/IcuNBTqzfiAhiDICCJN9Y0IXf4KhYN2mGtYJjioEVzmaIp/djxDt1Ra4PTNk1DqazRX72XgXcC9hFskLgiRSGSTR1EJk8dmfN0fE9Kv7IwgmHpyGciUy9WIX4o/eYHt7uO8cmJldtt9dPT7OV3DqGWrmgdCgzV5hVrxPVyOyvuLZa2J1N3T/5v1a8zrsyJ0KwuWH64VJqjVL7dTSKCyHKKIwx5ksLwIpFXBxPiypgCtYyvM6IY7PzF492cBucKimD5wd4f5mY5YxEGZC53/ZgodFVQJkyjmIiO/E06KUjLilmnSzf/nOtk3hoiWK8av47mr8otj+UCfWx6xXVKvGAjSOt4MEzUDDG3D+nw== cardno:17_673_091" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000608695695" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000605247559" diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index 91d2eb6..24c3d5e 100644 Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix index 6d441a6..dfd0677 100644 --- a/nix/variables/versions.nix +++ b/nix/variables/versions.nix 
@@ -2,28 +2,25 @@ let
 nixpkgs = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-22.11";
- rev = ''5b7cd5c39befee629be284970415b6eb3b0ff000'';
+ rev = "dac57a4eccf1442e8bf4030df6fcbb55883cb682";
 };
-in
-{
+in {
 inherit nixpkgs;
- nixos = nixpkgs // {
- suffix = "/nixos";
- };
+ nixos = nixpkgs // {suffix = "/nixos";};
 "channels-nixos-stable" = nixpkgs;
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-unstable";
- rev = ''4bb072f0a8b267613c127684e099a70e1f6ff106'';
+ rev = "1eb875e811dd59e21e77f6337f2c1592889b48b3";
 };
 "nixpkgs-master" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "master";
- rev = ''a8636efe2df64047cd58898010a72f73efd56722'';
+ rev = "590321a5defbbabe96f8def70013d5b45406dee4";
 };
 "home-manager-module" = {
 url = "https://github.com/nix-community/home-manager";
 ref = "release-22.11";
- rev = ''83110c259889230b324bb2d35bef78bf5f214a1f'';
+ rev = "89a8ba0b5b43b3350ff2e3ef37b66736b2ef8706";
 };
 }
diff --git a/nix/variables/versions.tmpl.nix b/nix/variables/versions.tmpl.nix
index 66e90e3..e0734f1 100644
--- a/nix/variables/versions.tmpl.nix
+++ b/nix/variables/versions.tmpl.nix
@@ -6,12 +6,9 @@ let
 <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>'';
 };
-in
-{
+in {
 inherit nixpkgs;
- nixos = nixpkgs // {
- suffix = "/nixos";
- };
+ nixos = nixpkgs // {suffix = "/nixos";};
 "channels-nixos-stable" = nixpkgs;
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
diff --git a/oci/user-ubuntu/Containerfile b/oci/user-ubuntu/Containerfile
deleted file mode 100644
index 8afa2ce..0000000
--- a/oci/user-ubuntu/Containerfile
+++ /dev/null
@@ -1,27 +0,0 @@ -FROM ubuntu - -ARG USERNAME=user -ARG USER_UID=1000 -ARG USER_GID=$USER_UID - -# Create the user -RUN groupadd --gid $USER_GID $USERNAME \ - && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \ - # - # [Optional] Add sudo support. Omit if you don't need to install software after connecting. - && apt-get update \ - && apt-get install -y sudo \ - && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \ - && chmod 0440 /etc/sudoers.d/$USERNAME - -# ******************************************************** -# * Anything else you want to do like clean up goes here * -# ******************************************************** - -# [Optional] Set the default user. Omit if you want to keep the default as root. -USER $USERNAME - - -ENV DEBIAN_FRONTEND=noninteractive -RUN sudo apt install -y curl xz-utils -RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s - install --init none --no-confirm diff --git a/scripts/sway-swapoutputworkspaces.sh b/scripts/sway-swapoutputworkspaces.sh deleted file mode 100755 index 6ed8d64..0000000 --- a/scripts/sway-swapoutputworkspaces.sh +++ /dev/null 
@@ -1,41 +0,0 @@ -#!/usr/bin/env sh - -# Get two outputs, visible workspaces and focused workspace -output1=$(swaymsg -t get_outputs --raw | jq '.[0].name' -r) -output2=$(swaymsg -t get_outputs --raw | jq '.[1].name' -r) -workspace1=$(swaymsg -t get_outputs --raw | jq '.[0].current_workspace' -r) -workspace2=$(swaymsg -t get_outputs --raw | jq '.[1].current_workspace' -r) -workspace_active=$(swaymsg -t get_workspaces | jq -r '.[] | select(.focused==true).name') - -# If any of the outputs doesn't have a workspace, do nothing -if [ "$workspace1" = null ] || [ "$workspace2" = null ]; then - exit 0 -else - # If script is provided with `follow` argument, then follow focused workspace - if [ "$1" = "follow" ]; then - if [ "$workspace1" = "$workspace_active" ]; then - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - swaymsg workspace "$workspace2" - else - swaymsg workspace "$workspace1" - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - fi - # Else focus stays with focused output - else - if [ "$workspace1" = "$workspace_active" ]; then - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - else - swaymsg workspace "$workspace1" - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - swaymsg workspace "$workspace1" - fi - fi -fi diff --git a/secrets/desktop/radicale_htpasswd b/secrets/desktop/radicale_htpasswd deleted file mode 100644 index eba3f98..0000000 --- a/secrets/desktop/radicale_htpasswd +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:rUTsNj5pW/7JhyfRWiEoOHVT06tmbAHarOEuMkWaP+jz9FX3Qvjtv2S767Be89RwBdZZPTyO5+DcWUH+m2AOoAFKZs8TgT7lmQCuweXE27HZe88y+mNvHYfExWbLaC3fxheHgy8BgZBQNdVMKhZlYr5nLxJBrUY+j2sRP/CuucUcbsCojoHqYmb9hpS03PZ7i6Uf7tImgvFc,iv:pnYzcggEWKAhRxJyOGYaXFrS6kN7uLHic+tO1PeHZmg=,tag:4eXlaWf7hJxcy6zlQC5U8Q==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNEpQSUdkWStSb0Evbklx\nQXdHK3BtMEh3L1Vtc0VlN1paWm1sMkJhaTJJCmd3eTZyRkdMOVQ1MmwxaU1YYXBK\nb0ZKY0tqTCtEUGNHQzFhSXVBOHpUeVUKLS0tIDJtd2wrbFZNanZ6cGYwcjRNdDdN\nbm9adllGcy9GeitiYU53ZUtRaTgvUWsKuDmxV1BJPaiSyfzFmG7kE9K/GxjCfsI/\nejd+DnLe8FdHxyJyyrqShE/CWzw+CKL1Z9dO5SBmrEQXgZu1Zhdysg==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByVkRhYzVtVVBTcm5abndE\nVEtMODUwNFNaVEtqeVUyVUpuVXBqbDBtL1RZCmYyVUd3N0NBQzBRVWozWVAxczZD\nM1RLbzhYUXVjNm9KdlN4c252YVV6aVkKLS0tIE12WmFtMUxsczFBbEpES0UzZmhl\nRGRyQllzLytja1JpY1RpdXZwSFVwcU0KlNOFmcNo5T7GY6Qma/6w/GRDECR/0XQR\nCDm90Zx4QTDJrjy7ach3poPeHEKmlhW+ZQ4MlB8cuAjsjpVdgzBD3w==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcTV6NmoyekZJU3hmNTVB\nSklnWUczaHFtenpWbWNTNFZqNkV5ODFZSkZBCkc4b3BuYzdnUCt0WkgzL0tKM0Vl\ndEZ0MkZkb2p3T245S1dhenQ4MkQ1ME0KLS0tIEdWRll6VEk2SDdERTNjZG1xMmFJ\nRWJJeXJMZkRnYUxhTWltUHVYeUtlZlUKmpWPDHAdSt2fnqLzrOhwQVFWFJi/wSLA\nbRgCQc8lJIRg4nPvwBLLvvl49NCoNCsci//ZHD4RbsjMDhBLpRab1w==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-01-24T22:45:02Z", - "mac": 
"ENC[AES256_GCM,data:70nJ8FwQqWKUs5tVZTdaUSnFdvzh7h7GG9lJU9IVuSW8GHs9N4srFRJ0DtJbrIYm4YasNsZqNUcWx/ptxzP0DG/IJs8Vpnb4U5SXKw+zN7B5GBM0Xnh6pZZcylAw7lcXevBfI4jw7Ymmj5zBIFyKTCKhietayfmxdIxyoaxNH34=,iv:XJgmRc0tONH9H6AQyfJvDdkfJgP3ugAxOPxMkBqhLMo=,tag:MBN8FJglHqTiS5nLjtMXiA==,type:str]", - "pgp": [ - { - "created_at": "2025-06-05T09:49:10Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ//Y90sdCp0RviD2cAKB1FV+r/kDR/5wMlK5CKljSMr+KpX\nOp4rhWHJ+8im0FbXdEFbCatdgC6gJlwAuZE7OqSofjPoWDUAjS4Mn4HSjHX0rxhx\nSaSsM/6q929WiktwmqCVUuxgs2ZrQraCTg9Cu0gbchYEEIg3ALtaLMMQEBfs7Reb\n6sJYdRGvmJMvw0R1mgSBCpcwX4Q2lO2bFIsfXG13/oVefKKgNDLZ8p5dnrk7OwiL\ntnGh8IBSQTzba2eJdayKGF3mB7pTlCh56yt5Ia37QaJKTrXe+nWBx8HmItlCjrwn\nndRiHUG7+ElC94WxsKVAKqPhsuud8fuRLzcicT/Apd3E1Zy418XHj6qscHn4nYRM\nJeESRBkECrFIlKLjaM6rmL7FZ47RO2tIBdnL7FTT6HxIL7jaBFHdp9DBdpthXUdL\nAhbQg3mT88F2EdgCQCdm1SGiAs3h2/Od0ipIYazlq8XkhsCT8ZCijykxJNTz/2JQ\n0oXAgXRH3yJHcTbAsyrxHv98jHf0qIkLvFaYjigR4Rvv7wEOdhCgXyqCBjOkX6xT\nxqz5bRJ1rgyBT3jyoTtKw56wFWwoOqCAbReFgTtKdoEm+U3Xg+X/FsFiJ2ZrPsz3\nY35v6zsx4oi5Byvf5Jk53BeSKjgbzfu4dKFqNWzEi/UgQwVNgpV5iyhNK2ab01LS\nXAGzbiWT1YbYVLcoK1QW1G+hs4UTUMMyhyPP1fV0kUnxvuhupbvGIepcf4mcvjgs\nQxxNTRLyKt22so06awWrVNc+pltUivW3sFeTDdJBBqc9ILx33pSZiDdt2LTW\n=5gtk\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} diff --git a/secrets/holochain-infra/nomad.yaml b/secrets/holochain-infra/nomad.yaml deleted file mode 100644 index c2a5987..0000000 --- a/secrets/holochain-infra/nomad.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -holochain-nomad-agent-ca: ENC[AES256_GCM,data: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,iv:jojLi4+X6BVLcBiDTgcrwdh/H73sQW9l1n+SrTa8HEE=,tag:2vRZsuWyR0LMlSmzILflwg==,type:str] -holochain-nomad-cli-cert: ENC[AES256_GCM,data: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,iv:1x4/kBIMbsB87MN+a8keJxJMVZZXRJ9WvozckByPLqU=,tag:l2WBaVhcP591TtEoZmIkUA==,type:str] -holochain-nomad-cli-key: ENC[AES256_GCM,data:Kl7EJI1V5HGeE9nogY5rujwe8MQYA6tIc3bLiyGdWHTtIbUGfp5wQ5p5zTyDBzA1IeWfTBIaM5dLyw7W+95KENaahJph+HrNbvLvBK8CXmTp7bRFJOgXIDV7CkxnTTX46Qptd17F3gY/4/HeMYsGJ7cZYmLYjW2UiyT6NmrivcaPJmECnuPPJV8aN3Kofm2gL9jbw089IiG6yksT1Y+AQUt/UQBzjYGpaYPHYaldgPQkb0+yaSb+DhF8/fr9lNsCyUbtnHFVNfiQj64IDw68jBohIMQzCMd44plJI8dcJNoA0TM=,iv:qShNRSKgqIe03a1K3FqTpDxogf4Uc25UsZXpwd6cHT8=,tag:9zr/wfR4umX6JCMslrjQjA==,type:str] -holochain-global-nomad-client-cert: ENC[AES256_GCM,data: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,iv:nSXO+1ALy6Ie5aNIEm1ZZgZwOdJLrHjO+BwKVbbZQ7c=,tag:n4V165c86IQ3QHzYb1ThJA==,type:str] -holochain-global-client-nomad-key: ENC[AES256_GCM,data:9w+1CYOXgm+xvg9iER+cLJBlKLyYmanr93tZ8xTl63ZIKho6DJLqGPCYdjlG4sHWyQUM6/Dpaa490yC4CToLX5MuUnSvqiaSgugcGqPa1DhlRYVsa8j5rdp90EDMoarN7xKe0ShIRW2GTT9S5EEyF2qdZUAFybpDPX2laZZ44UBz1QvlCp7gzs0duO4b95WPTHmlhfaw0BVF7FhFqkAHtH6qg24qEtwB3I4NmW5UsTKR+tbUCEyQcADQr1CrXhIHkQ8yZ52rc42H6gRQXoVrJomJgtiXf28ARY5K1oZMmICLDw==,iv:FSiRHgbqpKEYINVBLYp1A9YgroLT07GMDFqT/k8Vyqs=,tag:XX7oQhllDmrRLCEiMMYsfA==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYStCU2FnN2oxWWU4aWJR - N1NXQW5oRlZCL3BPVDN0d01sTk8wUy9FNTM0CmEvdTJsZDEvWkhvcFdBSHNWMS9O - WDBYQjhzSE9IeTAzczR1eFlnVXUwRU0KLS0tIGtpTG45Qmh1cHc0ZUpGTUQ5NTF4 - OVJwWGR2TkR1VWtHeVp6Wlk4S3I4Q3cKAeQEBdqh8yeD1jSClUaofdqEPz7RNEaP - /Sk5FUTmjC07s2fyORf+03SK43+HbJRNASyC8EtCrqAMcwKFlti1eg== - -----END AGE ENCRYPTED FILE----- - lastmodified: 
"2023-07-12T09:51:29Z" - mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] - pgp: - - created_at: "2025-06-05T09:49:08Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/7BTbxsFCBhKM6oM1JkRNgR3gHCabXrparjyC3ayfFkFQr - TGWW1S/RkTyAbzMkG6VJmvbd28AqzPUWMBxOHtJB8e/aLJIFchL0pAuSK3w51iGN - Ss20IDUkX8wyljdFSJYhiGF6CNRZGkMAvzghDW0zVHzJlaXlZvAL1sqhOHhykugZ - ++/RZsjnjymVL/chXr/z/VI/6Ovmjjv9mcSG5HvziJfdihZS3pChTbOPCRZhjPzT - Or/AzDBk191cF+PLq7qOSO8dNMoR/mW8gYLLpfi/N3rURpdZWPKsH11hFGo4/Iwx - pNVHER60Q98i8VYXwdvxprOc0TtknPkFRIWA1tvPuMY44992ok7eJITaPpUufB66 - POBoOQzkvjZZIY9sbJK//e3boqvGaUfs0ia+kKSovvGz9d1EefyNEmZfR9kA/Lyt - eGEBlpxwVVA+qGsC/MaCfYKsKRtzUkPshb/vPNV6pfBQ6eTuUdQKSDSIv+PTXoVt - wkIG8HJB3z/L1IlaE4y5o/8anHa/Z3cdI4wzMNoJKCTt49SzAWPONxL/KegWwLYl - KD7RVam47l2Ju4pV8IsYMTjSc2SYyzDxzAJSYNBzYT7Z+U1v08HMJLjH4oDR6mYH - d6kxkSQ77wXAwP9UcMOHbVbTbT+MKqv+UrvWSDMDdZrrymRNfMjlC65KItDBbCXS - XgHkBg6IcSO3VtmH79ceOwkhfNCXwF0rkQzfAn29l/+1MZu22CAxuiW4t0zxN83o - pv3FRQwrbuVQUZNFyy3Iq00mThs3J/Ze0BltrPBSG9mHTE8kHn6sg2uudQr69tU= - =1Ywm - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/secrets/hstk0/mycelium_priv_key.bin.enc b/secrets/hstk0/mycelium_priv_key.bin.enc deleted file mode 100644 index 5592a8f..0000000 --- a/secrets/hstk0/mycelium_priv_key.bin.enc +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:2DcYHv5RCSoM3olKYZhn4BTwEROwC4+JZ/PQxF4SV7I=,iv:B27a2XnhgiHW3HAh/MnTUonmhkWvaZkmG2c2JPWV05A=,tag:TKZ/rFzQH0uvbOFoeas3Ag==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MlpwdVpvNFpqQW9GRlJv\nQmtiK05mMkk3ZEZMNzMzNzRGN1NoWjY2VWdjCkdiOEs4bWFzNjRtNmRuZGxjYTlo\nakQ2bFVqTGE4dkZBSitLb0VjME9TaDQKLS0tIHJocmdZNUp6WjNOTTN1d3pxMENV\nNWxYdmp2ODJKbDEydXpJejBHK3M3aW8KpnFNofmSJZN6NDZ8od+RIf3v0Pa+o+Gw\ntAuyC2TuLb5N6RXyRUmnu0eD6bWLE6D7CvpYBy5GEHcKnbAdX07aJw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcWpxa0RySm9tNWM2ekNI\nNVNUT3JCSWUwazZoeGhmNldReXRDTnpjT2djCi8wdEdJZHdaRzFyem1BUVJRUVk5\nNEF6Yms4dDgwWWFmQ2J6c3J3eEdIZFUKLS0tIHVFa0lZRWhGV1BHYjRWdHFWTkJZ\nRFJ5VUpINHdEeXYwdHliWG1ZN0J5bTQKLFZuFWgC9KE3WVbQYqxveFmzMHPE9yvB\n6odS9oKWt2v+5q1K9Bw1Q9MYv9cqPZrnfwJbjXZwLitVXlnlFMnA+g==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-05-17T14:49:38Z", - "mac": "ENC[AES256_GCM,data:HqeOxzTlr6tyDWmSpvAthf/puD1wdv3a3Nv8qdt9GcR2UqmByreFPRktTwRL53NvCW+8QGSrUjah7fB2GWsuSVXowSSkY5h8W5s0O+YkFLXo9K67hhtEk+4QwYKQk5w4ZdlAEFrgDAzCFr27Mron53VLhVo0DA6GesgywTLf/B4=,iv:uV/dpuhxXl39MTzystHafirJH0mVnLsT+0h9jh4Epm8=,tag:s5uRzLtcfyNuWau9RteyvA==,type:str]", - "pgp": [ - { - "created_at": "2025-06-05T09:49:12Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ//fvT0XVvugLgN6/0PduDRIl8MiaAG38eUeEWwIafDkeuN\nuoC7SUZF+xGgmcDD0hUC30Vt/vH3O8s3eOYxvAbt5NMOCI826u2wX85LEW3YvHpT\nbGdSejUMTB9tAQkFa2q9D6ZwzgJxfrxUXoXmXJA9zxEIJ2J5KPDv/Bwy2hczsJNB\nbCzY32OjrdGUhFqRsCFZN7OHkMN6+j0riUHdGMSa3efyR0Ow7LJc/e7pQBZVagVE\nFD6w5erZUzqeRtKCTBJstuALqSseeSpQ0vV/N9ZvhlaZGsaq62+qxR+B+a7gRPJc\nr7Jsd8vYuAytSckll7PnWmZgjk3cT8fXWDWzVUHl4rORtUJgeyNxEz1976Hzrbap\nZWEJeBx3Q3U9QlUncxblraViYM+NLxgbwqx4v2AktS7Dua04AImM6itXEodDVGoG\nH4A/UtRSSoIpcuDyyrqaTfeeoMwnRfJj9O0kT2DYT5G5oBjS5/IXjIDeFYj6fvp7\nsRCnY4Lt0sijH7hQcijfSjMeXdByf4FGhe1goR1dU/COljOZ4hkfgj7lGm6BtQCa\nOG+z5kI/PUzOhzb5PKxuSm4e+QNBFnRK83SWW/P8W3y3AAVtyzIpfdw/9n04wSAK\niVnhiqA3Rp3BzC7hRCpOerag4LEWKMJUxhyn3QOHGuYWFJmdxYFafovhGY/Ms8LS\nXAFS6/No9TYKa4QrFj0iw3/Kx9X6NpdnscnxJ4YelW5+3mjJNGLEfwvVdtXbrpNW\ntmlfYCj3Kg7FP3SWGCz368CU9gjGjfBOVIi+BEJ1a7Nity3fJO3aENhNjkhO\n=REjF\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} diff --git a/secrets/hstk0/secrets.yaml b/secrets/hstk0/secrets.yaml deleted file mode 100644 index c5aa7b5..0000000 --- a/secrets/hstk0/secrets.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -tf-eval-minio-root: ENC[AES256_GCM,data:83SacYkxLHU2fHbHNiLG9owDgakOY/nrZBnlDgltRlQDTSW9HkKejVrKtTaixjbxKCgsy9sgJBv8LZtqwthgZ6MI942YU2pJHL8le1wBsuY=,iv:uXbOw/9ljYjWCdafhupVJA7tIvcL801xszI8lrQnQIA=,tag:yolnZdYD1KZJFnH2gs8zzw==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MFFBNWJkS3NpWlkrQXZu - dlJHNnlRUXhQOTNEazd6ZDh3dEZ0REtMQUc0CnVhcElHR1JMaG4zWjh0WER5c2tk - OXhuVU5lSTJRdmdlM3p1UStyVUtqdDAKLS0tIDdLT0RubGZPT1F1NWg1SnoxV05z - N2tyUlJwcmdHL2NldmFzR3VWcE5yRkkKzORrAR7iCVY0ifCE/guH5/qTPujU4MAe - tfHCW4j8gdbTDUlwN8fTQC8D2ILp/4ikaGcg76vTDekb8mHVM4nNpw== - -----END AGE ENCRYPTED FILE----- - - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCc1VvYi9kaDA1d2NlcGZJ - RjMvSFZ0b2VCSDc3aXJXY0pTY1VGQnlUZ0IwCit2bVBhejl2VFFBRmUxZVVReXBT - Um1kek1xWTZoMkd0blJ1MnFGdndqMDAKLS0tIDY2QW5uaXl4dHZUb0txZk1lRjVt - RE41R3JJOFpudGtNUDA4bnlEekt3NEEKOrnajH190HxAa+VuAScwWM4BOZvP2Amz - OYH7v+CXvp+74NqX/CT8/2EI1mGayrmEhpl5/iiUilBy0AUjwHQ6xA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-08T16:59:30Z" - mac: ENC[AES256_GCM,data:VIA7UaP1c2kli+BuppPl4LH1jiU9qAfqvfejZ0Mv0E8CxQ0eLAMJVkZIzSygLCx00cPbqAkESrniCeLYagyEP4tS/cff2ngplzig4uFbZzniYMXcYF9VIAyBhGgQGEZlZPgh4r4wmBdUFfhc0CPzmYt0obJ1LXElGdAoeM4OcPs=,iv:KPFJX2qJaxMwvrw/R8xrw5Fk5FRyTQdxq7DnszToy88=,tag:/H7iPZlWk2qMrWbwZdeF5w==,type:str] - pgp: - - created_at: "2025-06-05T09:49:12Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ//cOnKq/AUiMJI3gdGqxCA6kLTIjXfPJz8SceFo7QClpdL - XwJYlsvUJSLBLHhb5f1gADRtVAiGGTb80wGw1CGIHykS3+H4WwqdZCWbffg1lQ4v - QrBtZ+RTHNBWekYbyLH89E3bkM5e6DJWo2zjUzpELw9shpr23Bd9C3nLBRSGxhtj - C59HjEpcY+K4aInn1sD7/ocEuQwib+B2a8mMv0fhsrSnkDg2U9R984UbwPfH7c1b - 6XHWJe926aOv9tme0M0gZRKoDd4PWW55ZWpM+uqwi0A+elSNcwq08XdfFvSWXvua - 
DbFAyX/1TGYzcTuatqFuDdp1HvcdK8CxIziQWlwTjA/MCu3300bcdSm8J6G94yoy - EYQWHyore/5ztBFAd7QkuFLwDdQq9A7OSW89FWsEJtExC13Oyo1puqePoGKe8hI/ - +EWvWzZaYsuZhm0sqdhVhfy0jXGrmqjsHkfUD8+/kurl/U+ZhuMHykp0nGcz+xw1 - Aum60NTpl3/PFsxHsXdtRfJCMPNXtLbYvYUb/UUztU09sfcl1uN/eoEljGJDKSZW - TVHxFT1d5KbTQOnfrSlheqA6zJEGdaHRWmGOb6GbW/yMeX496qcAAHt90tkC0XrG - 1Sn/HXjX5ICH0gVjvDi4m/Yw2zaw/wGkaKWPGBdyUUkIYG33bCzJqYd7HtG6FPfS - XAEUgwFsnCWamLyfqUd3iuFLxOYL3IcoQdhkoKBa0Zo5Wjq4qPZWxG8smpwQ5IxL - +l4TGjTydE787lk29+Zi5tk3MGMsPSvUL1ev9o5ZnaUStY/NwdKrOE5wMY5y - =25kh - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/router0-dmz0/secrets.yaml b/secrets/router0-dmz0/secrets.yaml deleted file mode 100644 index e1f528d..0000000 --- a/secrets/router0-dmz0/secrets.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -#ENC[AES256_GCM,data:ZkUrwF6DTQFainYhDA==,iv:VDjRBF4WfPmJdKtUpZYJcOPxoUYT3DUxAC9ct7EvFss=,tag:efllkpv2SxRv6+DyuqRQCQ==,type:comment] -#ENC[AES256_GCM,data:2luPn7XRMTtgNpz0QLXQwF92kbBLdjJoUdFKdayy0A==,iv:dr//F4r/8k9zSzkWXUlVT+81iYLTX2rmXIp+Z9Lt4XY=,tag:RZTSqCqqmRxBvWqHqmF7Gw==,type:comment] -#ENC[AES256_GCM,data:SjwWciLOzMxrq/QV00Q+gt1sNXwl6N/eTHsN9jeFHwFeOQrZ0M7/36WgjSVHpGlVmklzd0LiOB+LhNlzqysM6RI=,iv:vznczLEeyTmCxExlkFiv8ftQy+3z0LyAg8vhcpGT4M8=,tag:+QgSJtX7FFLfMnPLhrgcvQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:BzQYUCGJwyA/mUohN3OkKdjkuHUfOgYFs01W/F1WM7i/UyOXA3HooUjbGe1KVQkn5NGTvWvR6t3CCr2o4Bjvq2pXrH+92a1kpQ==,iv:9PCLNVUyI2R0F5LmLe9spp7q65pwMJ9TUHmT/VtPazM=,tag:apsIgXhOkoZ8Gb0UshKg7g==,type:str] -ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:2U5IpWTRyQ8basBRoYpFe6Ycc5qdeCUAUTwlEHttRJU=,tag:jA0mFsMxWKq7dnkGQWNP9Q==,type:str] -ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str] -ssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str] -ssh_host_rsa_key_pub: 
ENC[AES256_GCM,data:N60bGf/6KNRhVUq1EIbPVo3aBDDKEpMBr5+Gt3+FMPt3uQEaKk8jBg5mOdxWMTPoLg1ZP/Pme8afoM+Skc0b50WnpErF3Ox1w+4eM0oMJYOhIvHLGURNM3Dba5MgA7YfhPdTsVdjD2yks2vYqhdtEvzTTgCJbFimVJlp+wDqE6czPgMjD03c7oJDtv38OBtc1vRMzVw3cIuyxz2yNnXQxiMgTR6pZN7+Brami2dfXOHEVgymmlU5PRE8Ykerq2fB36N5uqu4/xSPaHaM+/f2OA/TLlYYB+sGMDExZfbO/vsiRBLvTY/f4KG2mEkmH+IFH1bk6UF47xTFEe8tHN/TlLo+9OmjZTph221ZYnOsIqBY+F822ctZEe8Ikz9Ti4F1ApvxxRcWHajbgQnDJdDiHJvt3OHal4rNBtYwxxV/MDZtvKSVxmFwgx7nwNP0oKhAigQkU7Mvp1q5p3dZsdbGCUeFm2S5/qIxWPfr7wg4xocLNSsLW1EpGo6A2RUXWIV+lPuZd9dNEjGC5zKKAgMI94is6MtMXgqlFqTcZuQ9hvhoVDcFhVSJylu8pzk9d/tKviwcd98jHAhdfGpnc9eJbtyBU6/HvxLzQpsbFjwa3LGirEdtgxRZn2nJx++0U6XuLcbGwjOVAhkde6g2vFv5hsC6KaZQcp4AFvMvEdJyrnb0b2TOeOD8zEljb8u2q/eexCRSjGpobEINwu5qV+tF9eHIJ1YFzhCSmmLGKXjc7bC8uv5ffl39JmAbUrffd18zqae+Xpijd+QzwF425NG9+PksAt+PPzt4SDgGfKBIpMNFxIb18oo88z4YDLuNzRy/HVF90JV0LlAxES4ZOxoWUjJPrR6dGxNRANYOyFGmoN+yG3B9kd1NRGRNGh5P9EtZBxlPIi24djzF1n4GQSW1NFDgoGcxaXhk0PlpPxwuHK0X9FkFDDzQUYNBhx7py+hev5rBUCs7Yhj5xgcM88fdLRZi8MulNws=,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str] -#ENC[AES256_GCM,data:QOMW5ALQD+CIXyqRAUzZfv42HvMfq9qiTho=,iv:/KlPuB6aBBhdMvJ9kYClfFRBMC0bSF16/EKrnH/Ifsk=,tag:Wwfk7YnNvla06I2/ajTd4g==,type:comment] -#ENC[AES256_GCM,data:6/aUsWY875jPKZZiJLL3TWYeZT9VOjoJBDwjRTfjnUHcc/NTTeQRPvb+keJeMt5kfWmAzieYpslvz21UktTKqHO/,iv:+zwyh6nAP7DRhQX48/BmMCbv3W3wKfUiAWCvu8UvS8A=,tag:doc142ZXZO6ajPcuWftdtA==,type:comment] -#ENC[AES256_GCM,data:GG3qBrBJSmJfUun5+0fKkp7J280oW3r5tGGjm9UMolUsZCYYv5E=,iv:gFGxT9Jr/d3fVouWEphJUxW/Hid8dAIvldkxYHb9DvM=,tag:DkgD7SIgIYyk5Ne/lGWcwQ==,type:comment] -wlan0_wpaPskFile: 
ENC[AES256_GCM,data:yB/1MLibWzQuV+LnM01DoOaImu6aCHB9TMsIDaby9MxjRCQNuI7qxc5dvTQ3RtA1V6at97r3ufw0W2Vwtkf8Mu3l/UL33nWoX8n4RAykF5HkDK+l1hzdW+41wZMZPc+NDE6ZgMSNG3N9gipHSjYQ+vU6KPX9RQwWTUbJiWWYtii+hi9NXMa7sBvjl1WUQtrKdAmc+7flAEFxOY1pOvkj87yOQDybQYdx268Gh2wkfgtacet4zwWvC/VGNrN2p3Eub8S16vHAZZKeW+2rr4U/GiOeS65CSk9srOGwlD6IboTUXSAoSChJmevnm+cgkzZsuOKS7knEZPjQ+l2Z+K4l3FnB8+CVvHw/DlUAG0pFgw49NfBGczGSAFh34b0k,iv:2AkphYXeupcDvB5KXlnuC7QsVJdBZHnR684045DJtfw=,tag:YFNcunSPVJUSLIPTTQ7szA==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:5/5llD0itgdKhZ53IbtkwfhO+qUI+/xBCxnfQOg9yjS7knvUINURY7rl/F8=,iv:86t6XuY4a1rHY3kmC3XB6WwwPZVWAyM2saGqEZaHdJ0=,tag:4xemlclKI4RIxAe60HGuuQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:D/RU+43/bYhg1lRZE9zA52AIWGd2KRF0EQcvteS4CtQN0Yy65vjGqVEkjyk=,iv:BmS0TfUQXRt1tdWBBKIUi+DqXCLTXePzbq4dUYSlQQw=,tag:qglrKjhcSBPtqNd6YCMlPQ==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:859rOfvyaeaH07s06IT2qJZjXcWZiXazQPUImYOMngTj+xNop8UHX0iDegA=,iv:V7cR9mGQrk6aKctY+1egYFhBiveqc0OwrQSJxByk0zk=,tag:WF5via8rVm8Leol5rANPqQ==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:Q3zb6oLhBqW+D063S37O2vZD3PSn3yIYWWkOtZwvpmMmdAMtztGqdrHzXRE=,iv:tIEDtHa3s2/Shg6Kw/8G+xjtixH32fxS3l5KtR2VUIs=,tag:JpKjYmV2pPip9hDkKg8pRQ==,type:str] -wg1-publickey: ENC[AES256_GCM,data:7svFjRVdWBmrUt2qzHSmgBo4HPwJR6I6p3rZg2U+h1uVhQwCnUCH6JATVZs=,iv:xWUKpjmmrf/U8T8XmdL4Ox+aqkftnh8oeORCkhtJoBU=,tag:+k+E13X+EbZxfiq0MoGIEg==,type:str] -wg1-peer0-psk: ENC[AES256_GCM,data:egtyccOYD4NAUTunpvVXTJwjtSdJJT8v5O9Wl7NoCKy2eDzrQvrEEK8Zzts=,iv:D7EQkj2Oz2JJIF6slTLq3A4esKN6VfkOA+odHvjSeUE=,tag:z/blOUXX1JOyqtXgMldnlg==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNzRJeDlFdHhYSlRFWjJ4 - dXZtN21CRllTSitTZ2h2VnBNV2l2Wk5hVFNRCjhvVDFBR0ZYc3pkT0ZOMmVNMkRj - MGk5RXJ6UExmTUxoMml1bFgxLytUZjQKLS0tIFhrYS9xYzhHc0NTbHVpNEJEMU5U - UElCL0JIdWxkQ3oyZWJTUTRsYUxJdkkKobP1eWNWnvFCOY9AQRNhGjg9EzAX1MjP 
- QxhTNYs94CPFLeVsMghSw1v5rHLoXdyQnHc6LJ/rer6qLoSq//mv0A== - -----END AGE ENCRYPTED FILE----- - - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1R1g5OHEyUVFzclNwYXFN - K3N1R2xoYjdyYzF3Y0NNUXNCemJ5Y05uSEJ3CkVNdXNudk13VnlXNGR0MWt2Vm5P - UHI0ZUlVemkyNGJFeklaTmhlRm5KU0EKLS0tIHQyckt0RWNtVDA1aXVLNlVyUklQ - REhSYTUzeCtoUmJhWW5oZlZkVDM0N3cKid4XtaA3rjY89HOcRdv2xivlJAabjj7u - ES/s4YtRx/S1TIaAXlMmtQe1llKv0OIaioFvtgKnkrlpf7+tROZT7Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-05T09:44:59Z" - mac: ENC[AES256_GCM,data:P2bEHq4ZBg2Y8RPmUSuIOxWxJdYTUpTD5nXv3vqAHOU0t5ZlyOjFUPYejGBLdvd++v+plwo4lYG4/JJ3/LFIM/n2f1kFOOPSIt6yox6oYHHzJRly2kBfyIpUz4q+1c/xhMjpcQdAlWEdIQLm80BMUpny9y2KhVYot9TvTNTSkxM=,iv:uso8kcW8gildOD7FF1Xvage2dccQ8GkMI6nDCaUw2qc=,tag:urKtsRoGqwoZzk7DuMCINw==,type:str] - pgp: - - created_at: "2025-06-05T09:49:09Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/9Hx9PkWEL0en32Ji+fk4kCcXwToFf6EOe06bNit/8r5Qw - C3ixd+uOykhbwN77yssvB8uZ52A7NTSdf6iV5E7M+nFx4+mLYMW+mZekF82ICyjW - SW4b0HsI8WwVYn7EWb3BiNa2D3ku1XXqkmaMLtEb8N+LTXW3jCq/gC1xuB6Msdny - egz7l7KemiWcOPxXZmh9INKxpEYziXCnkq7p9T+04noi6Yz9hPWBzBRBOw88AfrP - eyFzFIbWPsNpsRhVzRlWNmu4Sx0NtqNy2zHk2wkcndJaldk5EEFO2c4szofuQV0o - lmssfVH+BGwtEUs/37igSxeHwnYxEEhEof3B8qnXReUsqcrLqpvQIgleQgUg4T3s - SCbA9dCSTBfos+rVM1764B6lw5ISOj2JxJyoV5itXu1LNK45fpsT2YgRXOoaziHK - hn4WOsVnRuaadHrd2ULA/0qXlWE+QscetZzrKCIZsuqHCqNumjhNhtIlOlKLFv4U - GVMyalRmSJTCVI5EfewyHzMJpGa+OVtfEoUgM2xm1Jd34dEjjHjyynyqOj0ybB0+ - CgC8IGcWpCQZwijITMMZ/bPyet68nVrApy44pniTENcXN1byQECUuZV3Z+BTWNZg - VOuOPmiTQf26qjQ8I4fEUuRgPpC1Wze4MiDyXkX2jtgU5nbLxAhZLln4z9JA1FfS - XAGEKaPlu9x0WB9vSu3ArEERIw/rmu5Ux23Gzev4IFhzJ21Jzp4tpjZhGQvAIafQ - fStDytk2DOS71x7Z8MzqE10BQJ0oB37donhAxqAgOCpOnAtK1a/IOkT1m9IZ - =xkVg - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.9.1 
diff --git a/secrets/router0-hosthatch/secrets.yaml b/secrets/router0-hosthatch/secrets.yaml
deleted file mode 100644
index 6939402..0000000
--- a/secrets/router0-hosthatch/secrets.yaml
+++ /dev/null
@@ -1,53 +0,0 @@ -#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] -wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] -wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bW12THJKV1B1Zkw2RG1H - YnpPZE9UTDVFSFZtWDRTWkd2c2pRaHdmRHdvCngyNDlmVSs0Zm5yYkFLbFFFZ2xR - M1FnYWx6UmZIQ0xZcnVtdVhmR1REL3MKLS0tIFA5TTYxSXhFN3JzRUd2UkJnV0tE - dHFiZFZIdkRtUzBSNTIzUWNIb3h4TTAKYThgfHX91UXq27b2U/wtrCyZY8484Yga - 
Ic7FhMQMEgRVC58q6xLOglCmM11USL3YeyOYEFeoLnsvecgobft3Aw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdGZhTThjd290dUM4ME11 - Y2Q3dy9sNks2OFpUNXdQZmdEUFFuVGZRZzFzClhyU0ZxY1hvUkxaa3BLajJGOHlr - M05XQTZtNGlhZ1VaeTN1ZlAwVjZVNW8KLS0tIHk1WUt2UENZaHRaSVhoanY1WEdp - YzZpeDBrM05oRXFjM2E2dTRoZmF3R2sKr9kID48vUng7tbIoc50kzB3X8SM+vIvK - GQi0dHVaYIvrIkdDm7utuqPRFTwOrxb+Fii0HVBKGzeOLTfckqfOnA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-09T14:08:09Z" - mac: ENC[AES256_GCM,data:nCwAca0MktoxUb0W+1B7+4UP5IOG4cuj2BhJBxjDV4gjYBSKYJs5gSdYytjOpu76ePXSUHgyiPH0Joe5ESubaUN4zPIWMLpkEk6WjXnmXRTY8B5ZZ+AVR2lxNi7UtiCyx0yjAVZFxuk33MmKR2yXMLEqE6U/70fccJlY+dbTaVU=,iv:QTafba+auq3Zv/xoBzHmnIMmfDAynqApAcr/T0Uh/2g=,tag:RREUDKF4Kruy0AEFDqSVuw==,type:str] - pgp: - - created_at: "2025-06-05T09:49:11Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfARAAosMhFMHsZ2uXt0AVKf+tbGxyr3oZte7uX45SDv+mWkpa - kGBQiiY2tLU2+GqTnec9MRx5D12r6kBuVjW3UG2FCIhONLMFk+3L80lHEZLYNVID - Og30hKqEGSRrJasnVgQPAo7SXfyfFKGflZyQV56P4jAphWCwSvkFywcXlP9ZZKA6 - SmMZrdQeylM9Qp9/B2DtoVLVv6beeSqV6gu8KBN8qSXky+MTOHadfNePNnyvl0EV - kH9SeH1ch+XbEqHhEMm/EB+RXZSBgXv0yVhHBhtr3sx06o3Jpbw7mDMEscNl76xx - QQtzR4OsBp/VKQEJde3OYUOvKzNyYk1yB5Oocrb+shAjHXrF73Yt0yeq1LiTWYA4 - BLQWzeraCoo14m8tMD9nKo4tEurTBFWOmSITTu85V+kzJ6FRc/F3i2OjB94DUBsM - VNsldqQhc4mDioVywBQ1MaA9phWHTUHprJPflByQmP3jj2bjbure1UHOFVqqzW0W - zAp5yFCJXfUJap6MPKl9ZR5zCTZmpiChJxkipwpmNSQh589uiJrCzgwJ/VQC/yHq - a56PGW6eANzjGC3CkWzEBDELjYsXhxV4jbc6Qfh0owcbWDNe2xV6u6Mp+9DvfJQx - iz06fQaN4YQP8xhfLSBg/utc+H7U8dkd1jr3/GYr4PAf17FNQA4VkF5XhxDkT6zS - XAEFECB086pVQFehiL3SpvoTJUdkJdLySQ3qVYmldA/mQXlg3SEDhGHtJlgkx+US - v0BYfCrlnygbXyuPcKKwN54K8H/uL8OAB90Vq0FFeaVbVE1zn5MJx5wQaxL7 - =v2Ad - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 
diff --git a/secrets/router0-ifog/secrets.yaml b/secrets/router0-ifog/secrets.yaml
deleted file mode 100644
index 9a2ca9f..0000000
--- a/secrets/router0-ifog/secrets.yaml
+++ /dev/null
@@ -1,55 +0,0 @@ -#ENC[AES256_GCM,data:+I8pZeH8kkkGaeUJ7A==,iv:5Yv2K6pU33CA82oCspb5exjaAPMRszslozTphxvDhbw=,tag:OpKwj8SYXSMcLlusEVX7GA==,type:comment] -age-key: ENC[AES256_GCM,data:8L4IWs31RUXGns25pP6BrhFKVAYvVY7yIOe6MSk4abvgks2eyHnQDTiSKVUQGjTyZFVbQ4mtF9O8CmqqlaK5z4nrUYSUN/Ustc13L98V+PMUOxljka0UL/pOe36aHEQz3Z2MuobEtZHwccPEqWhOlF2v+OgFQ4Kp2Vczw9REf4ahxyqz3fz58ymR8HKfTHD7YBawEAgYU6WVyrLfyA78860pkjlYMwhnjkVBvkP/zd4H+L2JxzjwUeUCqcm0,iv:8RwmmtgKqLsJov+DxNjvtjPk8t8yVmRhRa3k5HdCvgk=,tag:CZoZL3aYucIk1JENWY/mMQ==,type:str] -#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] -wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] -wg1-peer0-psk: 
ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtRHh0S0o2RWh2azFpL0k3 - b3dPNjJmbzZwclkxVkxDdkJ6NWpTRGxycFZVCmtkNWVRZldKUXVTTFA4LzRxZita - QmNJV00wYVBOUGdlOEViVjRqRjFSSE0KLS0tIGtSYzMrQTFUREQ3all3N3VHTXZ1 - M251bnVseUdqcUFwek9SZ1FEbk9XWEEKs7g7qxFzmr5I56jPiLH2K06a4lZ59pxy - qQCXK3AIZZtz8ibLfgo058Om/36SIX7rddOVxab7QnagGwdKF4d6EQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdjE0YUlKNW1WeHJ5YWZl - aGk3N250MHlHRTNaZDN4OExjVmRoaVhReFE0CmRTeDZleHR1RzZBMWJXV2U5YU1L - MklidG5lcm1sWlZIbDV2YzlmU1ZQNEkKLS0tIFZNL2o5RlpRdlhxMnhSV3p1Ukg5 - ZHJyalhzSWJhUk96TkxuM09aUWcwMjAKu6pzq11IDeOLR9C4GEf5VyLk6WJHxxAl - X1JUdl7IFfGLSpGfFRmFN6HJxtiC1IGkEYinCfFWPR6ogx9dTp5H0Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-26T17:23:41Z" - mac: ENC[AES256_GCM,data:Ez/79vUHs+9B/v2qlUiPQeuYHRdvjUg1jJOt3C6xEnncDQ2fH0CUxKEIfjgJR7eatwvZSznprv2wCD8Ik0SKunjRI1UGe5JmrVstqoSDbo+MxpdwrqA8zC5unpRUYenvyo9m8ZW/DnjKz0ArorYjA9vid878MdemkHtSjjZzik8=,iv:2CkmPRjYYt7q7HAdEjIbJHaSUG6Yr92pEkk+Dd3E7LE=,tag:S8LPb0mEjRZQqawX310SOg==,type:str] - pgp: - - created_at: "2025-06-05T09:49:11Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ//fh09erpIbQiOxllj9U47PNkGNHQHiw1mrECpdjXUwVxz - 2KLJ2Sg0KLDcU5tDmr8s4Agm7pKluncJ9xPSNs1RriP6pZ/uJQrX4nc3tSRktgPv - haHBrwVSX+E1WDcxk9mpbS1jfpE2YsgtjLRMsHgequ2zf0JhSJiJJnI7IR3eur2Q - qewY3MfBE3jMGZoqt5r5P0pTFwZZhsdNlSc4UpYxNWKw+mCZd6jL9J1c9l/LkIZc - rn9hxqGTlouRw7pRrCD8HPD3g27PFcWfqRO18CBM+tHlj62q8PTZX+IfkLh7VbCG - Py1ByglXYvfT6y8NgFPjzaIl+ZLMcPuHkMW2sdOFGQ1L2+W3GaVaD0TFYlFUT1dD - 
A47/8yFFXYD/4MzcZK7W2fHdzQt1qtACoAPxgiM38uon237gNOSbuSmamfR66rI2 - L6+v7jlkt364Yt9D0bQCqNJQ6uhtFykaLqN6mLoj1IeoP9yQGaEni2pJzDfW4QYd - EiwigSxviiDnGRGaithMMexrLzcf7UhEZJgGrq+D3d2xPN4mJ9irT9MheFYwYLW4 - M/yDnA50GvwxHA7IzrR1fxneO6P44zi82stX+agFTmbiBKw2aelGJM+wwzCEVGfR - /ksU6xhLbL7aMZLBXkZ1ZV9tf0t5EbizapqNdILxSMgaKfGegJGZHLuvukv55ODS - XAFXaECdhLj92gxmtVAf9Ct/17J7fkD+qLHHmrVBTHJWZ40zDeA+7sw7LUeE0sPl - 0z3QLEk+szBOyo/07ZIVC9xA292Rt5VQJrMSTOIGcGw4g0m1nOzTtT3Q5DLL - =aStS - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/servers/dyndns.yaml b/secrets/servers/dyndns.yaml deleted file mode 100644 index d01380b..0000000 --- a/secrets/servers/dyndns.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -dyndns_www.stefanjunker.de: ENC[AES256_GCM,data:xHpC/V9OWCMpTKs1,iv:gW6f6kQedbdxbz1zJAY6xceoeG/LqPG/Ss3DaBm/Ta0=,tag:v2V/hzRg+xgO8zpwyIBVXA==,type:str] -dyndns_mailserver.svc.stefanjunker.de: ENC[AES256_GCM,data:auVHa5n4335mNXAy,iv:WZMOA+Z7/w+Jsu5193WwERXZrt/5JDiMUKIZo8ieT7w=,tag:YmEDp/0gjgPY2kg9GNKmxQ==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTE1ZQXpZR2JWNXZyZG10 - NHhwbTZQZEVKQURZOS9BZ1BBbVgwdHpWMUNvCm9RNU1nbk1uT2VLTkVtSkFIQ3lh - OUZQSjZsK1Zvb3ZWVzZoTmVRQXpselkKLS0tIDJlanZpanZ5bDF2TUFLWWxSbytz - cEdYRnBHOERkWjZiWUFVQnZ0VU5EZEEKJD9EdW3iNVs9BdflLBsYgqRAQuJsWkVM - 7OdYSnB+aEULLRYcTpbCH/AJ3U5TDGFemj2ec9nq0H2qgUBCNOvicQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSUxNQ1ZoeVBsR2VTRjNS - a3BJZ0pxU0JSYkgxWjNTdk01UzJ2SUJrUW1nCnczNGxBNVhBY2hLZ2c0UjludlBD - bGl1UFY4Ti9OSnIzK0hRb2dmdUY0T3MKLS0tIE5FT1BDYmsxRThhVXo0SVFjYlZi - TzVhN01zNTZkYk1jL1VYS2YwTkJIejgKLD9zpgrTV8ViOaV+WdXIdZXrd4eyRV20 - iNq3B+DF8Xzpu/cQJ2Id6ZXvuBNPVDvSn8N79FmO+Ad2a5XZl80Png== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-14T20:50:30Z" - mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str] - pgp: - - created_at: "2025-06-05T09:49:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/9EgxX9o0GjO+n1fnAEeYYkhHyx3ITJKT2XQIwMSbAukhA - PgNSmojyAr2FUuScDZ4cZh4ACj4itPFVT1kDNEDyHZaaWmqcDIrx0SKgtUymDAiA - hXnB9IqzPJVqodo6+Eav+p6JEB3IoENQ6p/9BLN0o8P2RDYiKRV6i1pSQfDvHzfs - 
EnsQYHpDBNHSo/L+WwvsVmq60tmywBy7SF35B86JQPfbgYEVr0bxEHCkzfGAdilY - fYY92QH3YoXvc4mE4mF7BnWjOpyHsQ/UKSUrl2223r+dPSGthrGfvCOnpE4CN12o - 5yZ7T7oXZlIgvwNUn3BjQm/KXSYmLVhe1KWmkXA23wZ7NlmGL3WKLj++8P1GjpM9 - TGBHp96CBAl5NsC3tTovqtDLdsEV66nGXnVaF0e1avaeyt9396PCVw9GiEl/phH2 - Mw8UBwgBxJ1jx6WB+tnUdBXvlJRc4/ZLpfxTyUxAkYxDfYfiZ/Wago+sZZc1XBGR - 5BlHsGm4Fsu1DaQt3IrBcvzrladwtFaYv7OcwQccQRHmQ5jXh4qo2HE0qHUSK/PD - Rpjw9D1DhDjolfMVSJID0GgFyjEeya9MaKvzTTkBW0u5Hn7HayzePE7GfDrzDwJg - Ef5DcH+b1YOjtxoaU9dxcPMT0QHGK6f3CO7K+q6EzxMMo7Wx41Vv5K4KGBj3vjDS - XAGUt9b+GwugiS1A6bHnssDH0JVsHc2aitz5Q8N0l3h3J9d6DxVGew6S9+4pkq0B - gB9uwzJWME6Sgpa6xx2a2krlIlbUX9ehfmYB2LIvpp5U25nw13YVwTUjH5Yj - =hMaH - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml deleted file mode 100644 index 2596180..0000000 --- a/secrets/shared-users.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -#ENC[AES256_GCM,data:I4vX/lS1zWiEBbp9wA==,iv:P3tlp4VmVKasE434JuWZsg9H7t5PpP1FxUxPygahtDs=,tag:knVhCKkx25QJfTH/tcx2Ow==,type:comment] -#ENC[AES256_GCM,data:aqlLlXgwwtjBYxytS2H33KbN0z8pHijFXKBAPQyQ7cxE8iO6tDfn/3kEVaEa1YaiYUMXACX2Ow==,iv:uKTUsccWAqrBkdG/ymCZB1pcumRreGv/2rIn6YG8Y7c=,tag:NWDO4dPRA45Ki4ymGblGIg==,type:comment] -sharedUsers-root: ENC[AES256_GCM,data:RhMqzHmMzsPZnskGAKQ5GEagkAmtCqbp3FI4XPWweq6U8WcML+XEOKBfRoemK6yMHpSobBUPEHudNDeVxhGLH1VREmO6+JVZ/3dz44qWudhyuAj2CHiVkVgMlSfOKIbY9FLLxXxfySnEsQ==,iv:EYWeRKI+nFpEkxtBJ57xH6V4arE+hVAHy5ht9v8P1oQ=,tag:I5WA5+FjJ3lF30dth3H2ug==,type:str] -#ENC[AES256_GCM,data:d9jstVxMebNWmJHo79RF0YdurMqwRoDrFzbwjoQ=,iv:UG+qk8hc/WiCviJSCmrUyQZATDD1gBhqiYU6spf7Zo4=,tag:4HNfJQh+3GEP+MHqg1KNHA==,type:comment] -#ENC[AES256_GCM,data:4FjqAy/pZMkBFC7aq6Jqx+TqCtU=,iv:iWxPm8etDkAIuz9op4ck5AgszLuEN9cXXixzO705afc=,tag:MC03p7Kqk0srtDjbov91LA==,type:comment] -sharedUsers-steveej: ENC[AES256_GCM,data:almzynLh7RHcjTFOQWVaGk027uAanFcE+AYVhcbzSs5Xwd9sZR5+Ckbb//YxT/Imz9WKVG7z+bxPuhYPgbzUPCyxUu6/X9ZeCF0gmffyTbXVQHpo2W+71Zcob2Mbt9yMAF1146Dr1Q5R2w==,iv:fHMmtO3U6f/0ZNjxcvm0vOx/W/BYWvpD3WtzLNejGpA=,tag:tsLziHECG323TCKBLO6FzA==,type:str] -sharedSshKeys-steveej: 
ENC[AES256_GCM,data:Cj8aoHYN95kOuFwMIr+gYTtvE2MNMT6WhHg+r5cEvfgLbI6EJQdMBU30nhJZ8S7uRwJwyVEnqw9qgaZYVorXrIh4oZoQBT6g0UGQ5b5lhtfj86omP7w/NukvpjUPBJEUL+JgvaNGsAbAmExPb1yQY9f/kn2QuyY31pTywcV6qeSHHlK8I2cpei5RxtuG2IX+EjvDXZ3CtQwLY7YrhLvv0K+N8XlEusnytNkXLfjRgd0dJqNLQdkuzrjFPQnuzkxoBBmwfheO8CaTpmH1C5z/dbmeIP5H9GY2gnBCu5xB2zp8ZerVi2E3teW5EZ+Sh+lz/5DOuVpPn3G8W7l4fTM8iX2IHeakjlpYewx1wmW9SZdV/zxyt5rQUtmMj3F+IVktbOWsOyXwSz0CDUlKkVKJdvzATlWdIjteKTwKEgS8RWjg5H7mGylfxyg6YrHYAHTZjC4J1Qz2CwWmAFxzpFCkHvF6QwAOUg+ST+crfw4DiSamb6SKjIg7LNz6VZTOeji6+71Q59u6g2RcdgNowzgrrQCAw7qHnewbFX/2IOW+pdASCB/q9/7218yM6fzMtcPHPiDpZ2tLHQd+45zxZpbUXXCNdNm5v9OTjjK+uA0ARLOVCw5gtd2FbKsJcwyMhXY/h028tgdRhsXIalLolorrYBPx9hR+UHU0TNihspajoNYJCTuJccMiwo8N9AT1DIdUXcOxrQL80RvWY0S6rBzES3q7a91aC/lGEmS/beO7MDgOKaEV+qwPZOLOZXWAesqsR3sKzpOdPx1gFrLvX6vIhAtzuteH0KvKujIAhCg0sEz3Ct/A1S2uNtohz8CstvEEqP6GiR6/X+sQRgxOcXGPQglz68FFKOErIz5XZJBz5+14u/lady1jxhXnVW0cxZDgmqmAvNbrQ9JjNgBvremaDUvuO5R5V5K4MHAMsNQ5yxE9iScXEfwmEvo+Gj4huJwXvwLDE/1TqIaQWX6LfZKOOZ93ivhj7eEiAz7TsLojdNUeDhnWGOYcWbEkMNzYyPb7obN/HgKzcuSixpYm+IZu4sOzXyoO5Lblzd7OObtG4P9jIj4cdxF+vm/s6MYYxtst7jRwzcv9vMLETDXx40IOSqTo2e8New2e/D003T4jx2sis0+68Iyg9m8ltEYb85v6oGFshIdafIGKBaNHm/zIL4Dw03M8kxxfuVuWZD8S2P3bnfryfA4lbOZttv2DnlPZf/Dfb+Ax5qTe5yn4uzLYDTqq9rIqdoNYUmx1OaxGa69oTIqCpL7FC6xe+9NnTEdojl9svZUhtGfThiphYcK72lryqrTyYVuAOa3WjZtHgUJ5lU8x79eExXyDexmC4RNDszar+qMiwlzMC977qsKczfTGe2audm5PLaLTYhWSOZ1p83d/xhFWhLmqjqHrPF5kYrnG+W4ZuVIqxJOrLHQhseKc4fFZrF/XCusgIcoDEq81M/EmHeEDcuWEYldn1pjbE8yzb2ZgfG8mycNh8z41lKsalKmesyZs0k0IvWmrdCpLXqWl/TgsPSO1q+zbQHyfiNewoZec3GC8k1k64zrG3CNI8bP40L6i4Uo/GFPS/y0OjgQhww+He0bWY7yP9MKqdbahpdYQE9kYU5yoJTUG+ZYRir6h6o/JmTJQy4QIvwmcx2jiiA5XXpj3cYAJ9/3eHDFCeg==,iv:QeYNlLR97tdC9i5N909GnoNyBwNNiuljF/eVbdhvGXg=,tag:lBWDaaZMQRPX/4Ln+oUQPA==,type:str] 
-#ENC[AES256_GCM,data:8u2UAE6lXi0e6qKJxB3VP1k7hmfUYRcejXoR7K6NIQ9E7AqOlMiLDyQFw77NBlqpy0G6mPVOnC+XskGAscm3TLFzs7+o+/i0IxH7uDPwoh+U,iv:n4wheHkpPbnKeXb4DTxwks2bph4LO6xQW6LcrlA4jKU=,tag:mgwa7rYvqoubFdQDXJADZQ==,type:comment] -sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3xQz3oR14CqSVy3hjQEkqcezwj/v2ELrLWid2hK+lDtY,iv:TNoJ7Kq3WDkkPBLG3a+N/A8yBZcx7Gc0jaBToYX3Y5M=,tag:VU5P4YtzMv1FVc3ugig8TA==,type:str] -#ENC[AES256_GCM,data:685Grzm+Qw==,iv:sswI1QEvU3nXgQCJcF/O4n3a1z3r6fAVAOSF7W24PZw=,tag:cH/AroGEBfCnnepyqtjt0Q==,type:comment] -sharedUsers-elias: ENC[AES256_GCM,data:RsGDCguYkqegKhkO20lr8HjrTABAaNJmDiGK3DhhbX1sOLMweZwDtESvYjCfAOzWpiAaFh0BqevMkuUcEYQTBubSX+X0EZ0dFrdbVxIe7lq7Dosds98SqKLL4zWqe2y2qsphvj+oAz7Utg==,iv:JXIbyqAUt1OcB+bvgK6H2NU6Ip4nWRJ1/Hje75FfHC4=,tag:kPFALVkf1GbRj1J85SZm6Q==,type:str] -sharedUsers-justyna: ENC[AES256_GCM,data:BGVp2QppWWaYHK3rwLlyy7SOWxSqKGsn7lemWe0KUzgiQc6D8ivYvXdGaAhJNvhgVTxlK6BZOacG4NESWf5hi7sN8AkwTT/6pa9WzhQQGNnwZIaVulXeddzFlebbh8pAt0WYV82DRejX3Q==,iv:RMysIp0pMnCLhWogWiGq4IpZA43sd0DPj3jeV0oRkY8=,tag:VvXPzyGAoATlSedvV2prJA==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArejJMdC9Xb1EvMlkvUk9Y - MW5LcnhTdktHVlNoMFpYWG0xUkRjZm1GbVVZCjJaNEN5ZHFSeC9YNVBmM0QxM3VK - c1NJRVlzWDQ0QS9XZFpWeEJwTTV2Q2sKLS0tIEcwZ1JjeHhNdXFId2YwQXMyMk52 - NVMzL2U0eUdISlQrLzYvSTlKQkUzancK2dmrpC6+Bl7DrHtx5mvF+c4BRv0HPzjU - aT6GbjP3uZ0/jrRM1REqfLQe0v/AP9yMIenZNLdkfoSELtXpHIIsNQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKalYrWUlmN1d5WXpDOEtM - Qmd0SXZMdXpJdVdtcW5lcHZoT3hTMGhTZldFCm5XcEJ4WWgrbW9YQ0lrRzFOYndZ - VE1QTzlMUmdEZkRzakRUOHVrcWZ0dWMKLS0tIHVyeEVtekRnTDY2c25idUpTMXhH - ak1jbnQ0dFBFM3c5TVJvcDlkR1VjcTAKUeMBhu4ZFBYLW9jB63JErQwCsAV3YCKG - 
kxJTfdaoS3X2QWGIp6s+oE/YYCikKiOR6UxoHoBBgklP8tOXG03cPg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSGpDSGZQVUExL2tXbFQ2 - MldVZGFQNlVULy9BVUYxVXlseTlKL0RhU1F3CnVSUXdoczRjYWJCMnpyWldUMU9R - blJwVXIwdmFRd1JlSURQTEZkTmRkSFkKLS0tIE9VcXRVZytWUTBUV1gzdytrbTla - MjBvNXdWU3Q5ZENraWIrYmlZUmNqRU0KfDDVeBKs9gm1oBufKfSvkNSbdlyjQt3q - is+5wfSgiV7vzvdh7MWqQhyYI3U+JJB2sq2dy8m65GLT5XMJdqm80w== - -----END AGE ENCRYPTED FILE----- - - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SGJ0bTRXN2RSeEprZGtO - NTI5YXRhV3VXWHpsekNWY0N2Rm90WmpVM0JrCmw2dkczbDNwOHViM1B2eVNmMGRS - R2QvMEZIOXhXS2t2RGRDTU9yK3ZJV1EKLS0tIFNwMFJmWFFJMjFPNDVEbk5naGR5 - Q0txMjlPNStWY0RqcEZTS2VBbEF0NWsKS2nLfY2AcTmI3Jkd+xtEw+LCJ0RCXSfW - 9L0EO9VuoMcEXUtPmMBVWnfFRS9e7MuYrrFy66tNO29+088bYGOXvw== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNnhSai9KMjh1RC83UjBm - K2dPZisvcTA3a0JqNzVwWWJkWmp4Mkt5bFE4Ck91TnpJR1dGcnNzNFk0bWJkZENB - elp5NWpGY2F4K052MXZaTzluUkc1NEkKLS0tIFBvbHBZNWlqNitDbmFwbWt4Y2o4 - OVdhWGJQb0hIYXJkbXNGVUlEanJPclEKkX9L1XTFP8euXXcBESc4vGZycYGRTj2e - 9xQW8ABndvyvz9hWXvjD8US9A26nxDyCAoFYluF/dvpt3M4gg4hhBA== - -----END AGE ENCRYPTED FILE----- - - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1U4MWNwYVA1WU51cXlJ - SVNkeTBPaTVJWjFKRFZDRWx4a08venB2MmhrCnJzRzFTR1YxS0hSQmp3T29IcUJW - YWVRQkpIRWsxL1FqaElZNEdDcXpxRUEKLS0tIDljL0FZN3VraE42SXg3V0o4cGFl - eDVCaXE5bGRTcW8yN3hpL3FiaHZaYXMK682pq4hOUq29PXvPyrgWlZnxmXlNLXIX - 
lP4zA+nOCeTn6Mj4ffCr1uwz6Z+KraNzr8cWne5XRod56E+/uYNddQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhU0EvNmlJaFViNnFrNlJJ - Y1lRajh4cWVnUVRrcDV4QlZITGpqUERLZ2k0CnlOUVhPL2xMdGtMMHo5cExKVEFX - cWlQZGZ0ODRremRINGlFcU5tMUNmZkEKLS0tIHhhU0tHL3NFM1o0Wkw0aE9EanJB - eFAydDVGOTN0b2ZrMHYyMkR0SElHZncKx5oAailIVsgXi1ajrgkYkBIr8AJQtEj8 - YOBoaXBGppSUygMxWHSt4vzdtEBYcC9xaZ7zAKVYQbOODAlSRd58rw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxY1UwdUsvai8rRnd3bzAx - SUhKZ0RHWW1wWXpadWhQOHVYTGRoYXBsbDNJClRjaE5Vai8rbENBaEt2ZE5JNVZL - aUs4ZHVQL3JxTWhibVBmNnVicmM2SjgKLS0tIGkra2kybjRORmlzbUFYcG9zSTVU - MzJrSGdPaldlakloeU1HVHFSdWlUWFkKq2oHlI3o7cIb0NEtOu3q5n9t9jYQmQNe - gfUnJ0BxkE43otBEWU7ZqRsVvsXfJYreq1IRNz4KyLEi0/taTe4QyA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-05T09:27:48Z" - mac: ENC[AES256_GCM,data:XXj7KCnNkL0nX3aVz+20aNhOESyfX2O4fKVKyAA0lOwNLHyMb1K0dXyctUVofLd5YvWA2cRFBm33vodlkYeS3wXDhYapeUGI9RJ9CLgFpNS1J6OPureTfW3/a25XSKj7vVnLn9Ng+LVI94MriQlmjg7lCBdat0sBRKEVYktuQEM=,iv:1ptZZ9QjHhhbLn7qp1MDJMlgxrOxzQZqwR64bEM36dg=,tag:25lCi/KmRAUGx8QHRmlohw==,type:str] - pgp: - - created_at: "2025-06-05T09:49:12Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/9ENt3lsKgc/XZJYMGHKhQa/kRJT7y12VfhvySitKBGOtr - 5eGQTwUo/4WXBwUb3fPDGC/4Y9MIVuARQzSgzULLy3HG5ESkx6UpOjz38NA6OQSb - fTB+ljVzLgxk5uxB3q3/TUp3nK3PFPlpHpBf/9oIMgGDdoRBqCJWjGQIDaVb1tba - I8l05XsjKv69a/Qo6OXhrScfU83dh136D5yrX65z53MlaVIbH7K4tKxQVLIBkbS7 - iW4uCZfL0GpG3AAEFQj8KXKbPb5ptAxsE7zNX+wml17o42Vzfu3Mtf5xY0zxpttu - oJYZHTq9MxaEMFKHE34QTARMTFeb8MgA+19Cc0V0rKa6ZoB+jKiwyIN+Hg5wiodD - xMT8dqYPnN7cEqB8mPQPojcra3yE8UAiQppAebLxFUXTFIi7H1ZyYR9DmpHJ7b+j - 
y2ao79gyzDa79PSE3Z3AITnUw+aVrdo+Fv/8tvjAa3VEtz/vVPmYHL1CuLd1huiC - ZwxWUoEcCOqjMq8vUkVb3MsU9+N/Unq+r+5hCwUPDzKfHhZgiyTR8fQLzyROol57 - +tS8OXeE6nbKYVIjGqIjkj+q22RThtMVRIzbouK+ByfhTbI5j8FMgGWapgrG92CL - e3TTINTKNDNH9wbtDlz2N+ywdMv33RuIjCHifnLIYloivt20YIeJeKphZN5F1tjS - XAG/8Ir5mJsgenNWB5kxR755VO556zu5jSvaBqoAltmPutmN4Uig8zKfT4Li9NfP - OHpqyIcg/DN5Un16BS8dxhmJYuG8PZTIE/gKjnDJlwVntsiaoxde3hO/mo8T - =JIPa - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/secrets/sj-srv1/secrets.yaml b/secrets/sj-srv1/secrets.yaml deleted file mode 100644 index 9c563eb..0000000 --- a/secrets/sj-srv1/secrets.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] -passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] -restic-password: ENC[AES256_GCM,data:0cTVlqHCW/xCk7y3ikh0RtVk/5xFOrcrnQmMbIBtfOd7PYbiTUzwBtYXwOaXO4ob7/+KJUEwhl5TzX/Of1J+y7ML7JbpNPtLr8r0gzDYOvBPY5GlmkDGcorz7QTaomuDprJkoD06lJWme/L893u7rxwamF222D2JvGz5FfTuWfaRWb1PcehBkew89gjdAgqFJJwqlX1vwvQDPg6yj+vnk9ZqR/E967bbQeN/G/qGJ9xfVmeuOPYoZH2IrL0Zgif/FLqZWZtlJ1JnRUBXsVN6FZXfT1Q82euLPOpaUHrFJjAF26PuTwVreIjcBLX3wqc8vhAYWfc+RThS3ITwNdNTSA==,iv:KBqME0cqIIX15xPgKi5mBalk01tswj8xVd8rFETX9zU=,tag:V6KltIGVarWXP1R5lY2FAw==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bjVmWnlmMSsvSlR3N1Js - ODhHc0RzRHFxK2xmbkM3ZFYyZHFOMkEzcFdrCnVVRGNIc3lLWUNPL0owUGZSZVpv - UjJOc1V1djRBUHA4cG83OEVWci9EbTgKLS0tIFFnV2srUGJ0UWlYMlJRdkc3citK - VUVuZkZPUW52ZjhBUXVzTmVINUkrL00K2I8yT9TQAHRnHpAVF2BvldPPXXnkzovu - 5E0+aVGLn59/LwUNKzDaEy+WHkpNvRID3fXWYLK1Uyl8YxuqfRrj6A== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQ2JYaXhMcHhmc3F4dnBF - NWl5ditHeTBrcGJFTGUyM3NKUFNza0RYWFJjCkdkNDdTYmV1b3NNOXNWM3NIMGhB - bi9BVGFqOVgyb2F5dDF1bzI0eDh3VkUKLS0tIHZud2pYNzh5K1BhUHdaSU5jNC9S - ay9vd0dGYXpUUWFEbEtTK245UFV2V00KPXPEAhhL54Hz7m3YSk88hZtPm2WUrY7C - k7fC78uLtALlwnORr6aqj/1+sODaLF1ER/UXfYOGCiIcCZu85C46JQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-19T20:25:37Z" - mac: 
ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str] - pgp: - - created_at: "2025-06-05T09:49:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfARAAmxdorYO1KLI5NpkQ8GF744tb7Pa37zTQ84At57905S8p - kBFKZW6OXEVFZaog5qQAGv8c4/hjWhRkFsGRlZlda7dUD/LomUG7bUSpZ2tXsbTp - tKvX0GFaqgehYI1UuRNcN0W54jeUq0+W5fqsOaQEwnt6x5qQSk2C8m63q8x0zRcf - fDGwXtGuChyqjUus7qBnLiacnq+XObPOEP5cE46y1Zgl7HjGkfv7dCWekgs1Aq4T - W6D1Hz/33vrudbwMhvcqqHVyL3JPtTVhNrip3Z+DCh7KGq54PmXzKwyIM4eK5OFA - es1SNhVplkX7NQv6539ifWv1ZYA2RMyOheK421yrRKqPyV9faq7kJ9ShRsGViUye - V7OXdlVIHWAYl1WWmIHJWoZ8v+MI44w31J3wBNlY6QsLpR+6T5t6y7j25p2Af1/Q - Mc7htobx2J4DwRZoVGewLYBRQPIoz4qLbKln/m/igsWqn1K/i6AUzRd91qXGII+v - 2cDNDLG5QspwXS02N143/gvk/9f2PZhONmoDGsdvqsTyhoQ4YAWEqCXtx4kqcBE2 - KptK/Ox5A9Z7+UkhE+5nJz5pDOQfCG8kCk8xp5qqwwttyDm1Y9iD+mhwNPCHoBhp - GI+WjJ9lD6KSx2vdMXUkgzma5y2SSQSxRAF8uscqCYjv6glX8tfET9gBW65jrW3S - XAFHYiaOZIDpI5g4XILPNbLIwyrngd+/sOb4aQa3/M4ztRGs7VuUpsiBjecsnamU - qx6qvkSh73AwE3MGrUbzyyCl06gwh/nYgV97NN+PXTkFtd0kr65VfX1W2RrJ - =n6yr - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/secrets/sj-vps-htz0/secrets.yaml b/secrets/sj-vps-htz0/secrets.yaml deleted file mode 100644 index a3d5191..0000000 --- a/secrets/sj-vps-htz0/secrets.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] -passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] -wg0-private: ENC[AES256_GCM,data:hiUUUhQ/hi6d51Wgwb0gZ5lBB5TS9+F8gVEGrRUqLauKjGZujyqjZIFix7E=,iv:ISb5cqkOE0UyQqlQCeclyMBof037XF1+7zDFslKStr0=,tag:Ox0S+YOkfXpFCSbNrdSrxQ==,type:str] -wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6cF2DBJig4xYo=,iv:ifaQVHQyoYqcr6a4kJ1Kvd4QBDLT5xNyr75GuogBv5g=,tag:Tl9HpsJ5+LaV81LiLcThkg==,type:str] -wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str] -wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTjc1QUtRSWRwaGdOdE83 - WWxsVWpWMXZ2cjZ0RzBiMUVSUVp2dmRKb0c0ClRURUZmWXdHdkR3eVF0Y1ZqYWFR - b253TVhRQSswZGVCSjZoNFVldGhPaFkKLS0tIFJRcno4V0RNSlNoUFc4TzRpL2pG - eEpxZXdNTVBxd1FETWlxdGpZQ3BRdU0KJqQLuwyf8V7bPDLMvuryFrYTZoCmxUlR - mzvYKGQTFNaTcY8fvsSiYxTxXx+WXMLXtz0o2y5fX/1Rz4AW7hW0yg== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURk5aMnE4THNVVW0rSVRC - Z09lbUdzeHZlOEdmYUE3Qy9BckVNUGc2Sng0CnZRM3VTRXdKbXBDQlBxenFXa1FB - 
SXBwK0pvQjg5Z1R4djU1NjE5dUI1VEkKLS0tIFV1U2FpWGFFYk9pcVFFTHdrMzdM - RDM0OEFIUWh4SU5LRzJRSUlwcm5BeU0KA2RW/rYniJbIqRRiQfzE+ZZp+DgNODDg - +5xYpgegsBoBwcIkFemYwVXxKy4pzF57FR3oaf/0Gi1imXiKSAPdVg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-13T17:03:01Z" - mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] - pgp: - - created_at: "2025-06-05T09:49:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfARAApmxc/Ubnhh5F2uwxquqpWb/BBH57dS6+qZJ9KdGMcR86 - engG3qbFHZWK2yzCKXh9Sqs7o2Tw80HWSjzgI1+r7YBp6e0FNwaIRCsuxOzlNtKT - M8yVrtkRxoDJ2OnfaarKubpzGR69Zt9Zcvw3Zy8xDyuoDgAuh09q3n3ctVYeAkuV - E6xNSwAv9kPuOGUvjh+XAfB5ZUpOymmOBfKPoT1mdgZ0Q8Ye3oH27oGjfSfyMavB - BKJn8dQXDvTo/mX+7o7e7TPt9NstLoxmMctaE3MIyBX07nunFrdCSooODY7GqV6X - 5q0IyLI5Sy+hqetWRhLZxeF9nyxRhd3FohII8osf/l9WeqPZ6R5BcDJpsHmlOOEl - EOea4gRPWY8x0jJ3jZ6cVyVNINg8TOe2d5BIE6+INaoT2VpVowIPOI91i/0xNVuq - lWrzYJyDxk/7e4XId3GlM/SuEpjnL5cPQMmQRKqZ1lykwhF0ADQZgqzKp28sW1L3 - baq4hk1Gi19SRqaR2FnCioc7Ybxi6VJ6fesLGGGDvK8RAVCY+J1c1q6nUqazEqj2 - S2288c+mLpMyGlPHIaI3Qdyg8Fb27054EzGve2u/MmQpATAMj9hny65qVqcIsx7K - LQHBbdweDyHOZylO5ApGE9uf+0Q2zZjtX2LXN2S9wc8o2KMOfFYHkNEVjwqD4bLS - XAED066xz2GnHM1VdzaXPDw5Jokpp9wma2j9KxeOy0jOW+HNpO2bth3vhTsUwAcj - Dlq1UbIyf+4+My0LKopdCW5SJ8lhyysk4dMISu3m8XP0PVgJY7PzSC8/haty - =ykfJ - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/secrets/steveej-x13s/mycelium_priv_key.bin.enc b/secrets/steveej-x13s/mycelium_priv_key.bin.enc deleted file mode 100644 index d3ad822..0000000 --- a/secrets/steveej-x13s/mycelium_priv_key.bin.enc +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:ILo+B9hfSEOaNleohfdc+RlzFHOu5y0kS9Ocys5KBKQ=,iv:GNzGem+eBseA99FoFHRSDQbnpo0RS6lRRR6oLV5xajE=,tag:FmBrSBT1qQ+jXhUlAjCRSg==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocVpZSUxWK25CaC9PYVJY\nK1U2TXo1TWJlRDhJZTI4ZFRLeHE5ODNMZndJCmpmT0p3b294bWs5UE44ZG45TXdD\nbzM1V3ByQkxIQWFacTgwaWozRkZFaHcKLS0tIG90VXdaSXF6NjBnSHEzdTd4d0M1\nTnpiYkNjVTlKQjFKQ1hNYVBIbUp2a0kKsneBNjaJjULUgZ+E5wiPvtpBR22tCtAy\notjS/WOiOvslYRT7H/N6I11rvlTnwZi/orBcMmE18GEfNVRzLUTReA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MDl1cmt0eTQzNm96M2Z3\nQnNNeGpITzJOb0t5QS9DMGZNNHJ4YmZZV2pvCkhESmMvTndnS3ZoWHIwRnlXdStQ\nNUlsMnRnMmlWNW51Lzk3L3d4SmNDR0UKLS0tIDU0VXdxK3ptQ3JSdUdPS3g1M09r\nQVFrTXFkUSs5MFluVHlmbVpOQWlDYXcKFXtj/r11QoHMDbELo9oHVxwGDneZ2cyz\nQBLMhlZWX5uMqgLes5tLXW1r5xondqbGblEWYMcjj0lzZq+Jml9DoA==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-04-19T19:07:46Z", - "mac": "ENC[AES256_GCM,data:e6xOIt73MDaMOnP3d2G/xqjwozdvdkxNkso4ry3Wj5UELoSKtjOXn0oWA1KIApQM72rcytyAMuvuF8nIRzOsU+RjCxyoyFxK+x1ljvXcjJF/mrB8+27QEIKMFbCRYDtDtiax0MnVkW3a4zqAz9ETd2hlBRS2DcVXvgV8GVRZL4o=,iv:jd5Mwf+IUrm5vbHftImsB7iX3AP8O61/2kEf2BpOFRQ=,tag:aXmSU8qPGTKRmzddVz6s8w==,type:str]", - "pgp": [ - { - "created_at": "2025-06-05T09:49:11Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ//QX8Tebm/qWToFViEiMlleF3Xqp5xno3NkrJSc5Bc4MF7\nG/qeh6cEii+m+SzQW+M8S0YDQmxqL9ddJqmrNmFBSMauqBjX99G/7COgCsQwtjYu\n2G/dclkBAE/jrdsw1uEnGQwIWxKcTPFx2x7qCDtXKIvikLbbclyBuo14+lp8SmW/\nTA8hBtisngwz8gH23zgly8NEZBRo8m/szjsiNd2NAujPni3pFQe/9NQgwH63oLkO\nbVlg3yRhaNJdB4e/rzBjMysEXW8vNakfpmw+SfP49aRBHAlj7keMajjBllKO0CRe\nLeqQsU+WogbCUjvPdrazeW8Nv1fN5iz/wXX6ZjI+EqyEywODKDquO9+HipyJcvs4\nlqH5TgkFh1M1eTD8M/Al2511gLKrt0pAbx3x8ldOVZyKd06NAakKXvVVEdDkiSeQ\nSSFvko9aG+qf87iC3gIt+L9KpA8WsA66f8gIP3wQgcr0CqPxZe/zVn6OE2V5vKc6\noIGZ9kwdVW3EB9EKEoYghG8F/32nhOIZ0MUfefJo4BQ9paqUSbcfAqb5QfnRWEZl\nVRSPXqTLNErZp8V1NWmS/ycoz54EaJsHDHKjpmoKo0G07wOb4jxefs9S+mQNVBu7\nX0jnEDjCtWGFiFAXyZ+FVh2mRuRRP6AlrvaPxDbT4v2SNljL4A2r1QEuChxDPyjS\nXAH90Blsv0wX6whS26rXosFNxisgR08NDpbaIzEjTtJKVidfOHWjZyXcuSzUeL9E\ni0zzTY1hR5bc+86KDljO7+AvoEguibUbQiItjECltYs4t2+97pmjqyZnMCX3\n=fYod\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} diff --git a/secrets/steveej-x13s/secrets.yaml b/secrets/steveej-x13s/secrets.yaml deleted file mode 100644 index c7566c5..0000000 --- a/secrets/steveej-x13s/secrets.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -builder-private-key: ENC[AES256_GCM,data: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,iv:DOUijPr4wHmjNIniF2IRjinXZ6iyg8Z1Nt5EgFfX5Zw=,tag:VWxHpfpyphtu6XLR1yKugg==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMHdBc2dlNHNMRGNMVjQx - aEk0eFpEZVppMHpCQTJsM0JDNGJIOXdXODNrCmhqTnFCNTM3QWZjQm40YzVTS2pB - V29VY2RhcmN1RGR6bEhVU2FmakVFWUkKLS0tIG1GbENQdWF1S2pHWWtRZnRLL1dC - bXJGVTB1WmRJMVd4TFdtcXZxWnJTVHMKeLAbvyypDNUddigWYxmLSaqBK4jNpQyo - oGX/UnFchExIYIqsuasHEUbUsTOJmMj6JJYIb4reSNCUKfLpF81ONg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbEM3UDV5WU14RE1wZW5x - NFJDbklaeFNjem1oN3Znc3hVVG9PMEJPemlJCjY2aDFiS1d1bzIvSUFJOW42ZnRj - L3o5Tkx6TVFLRldMQzM3TXlJRnhYR3cKLS0tIFZPckwwZ3RXY0w2NXVSK1NMamJB - MFM1dUY2cWFWc3pJNlhNekovUEgwTG8K7XAKzsKqoUinTiGX9zgRtkLo8OD2WPfx - /jH6IECHhOjMLWOowEzyCcUd1Tmi44FzBytVRYUGfxlLESQmEydHzg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-01T16:50:35Z" - mac: ENC[AES256_GCM,data:wDnv7wZLks2EME+JqlBtagVaDZEo9ap3d6xFfnBy2/D4wrJhhYlo8vOYM8GFXEhfa0Jek+9ZlkmXYerLNWLMiUMKWIvk0cvHjxBaR2wcxt9FnynPT9W9hSX7UFhM/eTiJviksOESTI7pqNh9X7ggLSZ0c+O5mBxxEh/bcjz8vIU=,iv:vgvmyvUkZBapCpRbPU3cDgmHsc5NwHzCsMzjHvr/Xc0=,tag:FMI0YrwdCPIFe8tnLQr69w==,type:str] - pgp: - - created_at: "2025-06-05T09:49:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/9HkWJKy3V5aXqDRgS9O6vFq/AVtCSc5RzBB8SgrKxiSgy - UIGXX6y2k+Iw5sWMwyFanu2Wf+4/36N2HcGlIEDrJG/XvSrBVAteN1dcwYkY1r38 - L8PDrSdP9zBPqnq+R3+Tzp2L0djNA7MYgRD9gm78kRwW7TTSKID5QWhhkQ0X1xuN - mCIeUKVjPQhjJWkV3687QIzyrMGFUwxDz5DbG5lYdAZZXxYmLJpS+Gi88mMfF+bc - ShYLrH6JHYf1zLV0vrHHRUb8C8Nb6eOLX4PKIOC9agMlDdYdi1uH5zSqaxJhWT3j - 
7N1APdt2YhODU/P9r+5JtfKML/nAWAlH+ztJy5h5f4uwb0qjlZsEAGEr3VDklC/R - 0Hqos1UQgWPX6KuMTKrtBZbuMg/kvaCjeqYGohhBWdMUOrf0F2uo/z2nUso9mRLF - 0whLeFtMnSdlX2IZG7meyUdD7IVGAbONRLGDAFP7607Bdufn2HXOenXRTebSa4Ei - whaaSVMa7nY57oFIBPW4Itwa6BSslx7PRaZv3ug52m85JZZ++PgBUUcwlz393GTX - Gr3EVKOaZIeeF3BMGApiungfI2sywbcTkUUgX5ULHSuFHNC/zVTOfTeVoTOvScJK - awyceOLGvtl7YuBJTUq2PoSID/RWJ6mj7l88jU3jIXXLmhXMUpCoQl04xJGshtbS - XgFvlmAIic7NjKtNL7lzVm9il+jTe8uqXcxqcgDGNbUdlzPxXfRs3wPoNUW9OOto - Bp8CFmVsnpSy14ss6Rj+qRfvSbZr/R9G/WJXDo5XphPBJJCad8smwGBK2tatwbc= - =O4hn - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/work-holo/zerotierone.txt b/secrets/work-holo/zerotierone.txt deleted file mode 100644 index 2e5522a..0000000 --- a/secrets/work-holo/zerotierone.txt +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZFlVdXhuOW5zZ0FFVS82\nUDM3TVUzUEh5STFMNHlyZGdtNlRManNoOUFjCmxuMERXVUNmdFBxT1F2YUVPa0Ny\ndDBURUZ3dUlVOFF4V3YvMDlHVEZlRU0KLS0tIDRTV0QwL3F4a1VMMnM1TUxPTWIv\nNHVETVZxdTEyM3NrMDN0eDBucVZjTWMKQi66m7gORsxbCUCiIc509a9npsAyExdO\nbHymSiGR9sOsjIse213YL8jmQd+FcUbQ0u5v88IVsNBusOMHLet4kA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZUw1TWR3TVdDQ1hsNWhJ\nek5VVGZYb1NJdk81QmdlZFhwV0w0U0E0aG13CjhTVlIzTWg2K1N1SDhOOGFGdnp4\nSVJHL2tVOE9qNG9jUnkvbFZCVnpDYWcKLS0tIG9wb050NS9wNjhSYnIrVExJNzdP\ncWRCK1JyY01adm1SL25MZjJoVml5VjQKdOgbB+SpvreR6Lc970nIQjBQgCv7ngsl\ndYBnu0TgwgbTPibFaAdV+ndFUy27bbwBvGyPCiuKAZx0T44BZIcSrg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-07-01T20:19:12Z", - "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", - "pgp": [ - { - "created_at": "2025-06-05T09:49:11Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ/+MEjuddwMdAVWyoXEJJt/YW0sleAVJzvh5XDgg9fQ9nXB\nJaNlt2yWmaa894zh5JYrnkHp17d756lJQz/PgMukUt2xzO5UfjPlZRUaZLRirhpr\nJbv9+A5M52SHuCSG9qH2GYQXzd+5M0CEztMAyX3PMbcW4fNtagnfD54jW4LXt+om\nlIYIHPp5Mpl0/8EdcBMm6HPIKCGm44g7ghENlfPDfDvGH0TQF57hQUyB6h14uU4u\n/ffLgTK8y87tFblaN/Bbv+/3D+PcVNoqblD5fXgXW0LZOnG9BWM6v1tlJ78s0hP+\n81DXuumKNvoxkgsQdZiADMTCC8EDKVwz7mUaCs7j6TOG9t2Nu870mxfuBiIUUwRm\nANnHqgYVLuhgAZnmdrSX1UeN1jaccOTQCsFweyr8/0lL/H+83uRjMLWMNCMtw4Mj\nF17+Tig6lYevF0IXmPvKeyWxuxr2TMBg1Bg7QDfwWpfhT2u3Fqj1W0qQnUNxXHRT\n9mxOEPvxJCE2RkeHFsFQE4vT7cMLoaw9vrWfPKKTJeCir+24QngFmRSS1zxQtkop\nNiNXy4focN4bnZdWirJRsu7z5vLXXbMdWvUQ379DqZy6uepTm5l/gG6h+RciJ9Ux\nKJu+WzLniU092ArWRgcnNnyMvmBmP2iSnpMsLliWwzNLcVxU8F/KByHNbXTCsZ/S\nXAF9rWs6+VmhEqBqtuNWmACdtTjHBQAk+FPTAr/7qIERhCynnh7I3RDssV34HSdH\n7edAn78hfYd+WPpwCMJvrN3puppj7QNhSc9sYSiKgyaGr52DvMVkNu91gkbO\n=FVew\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" - } -} diff --git a/services/home-ch/router-family.lan/Justfile b/services/home-ch/router-family.lan/Justfile index c15ed68..c599600 100644 --- a/services/home-ch/router-family.lan/Justfile +++ b/services/home-ch/router-family.lan/Justfile 
@@ -1,12 +1,12 @@ _run_ssh_cmd cmd: - ssh root@router-family.lan "{{ cmd }}" + ssh root@router-family.lan "{{cmd}}" post-setup: - just -v _run_ssh_cmd "opkg update" - just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns" - just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server" - just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs" - # multiuser SFTP - just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server" - just -v _run_ssh_cmd "opkg install sudo coreutils-readlink" - just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" + just -v _run_ssh_cmd "opkg update" + just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns" + just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server" + just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs" + # multiuser SFTP + just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server" + just -v _run_ssh_cmd "opkg install sudo coreutils-readlink" + just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" diff --git a/services/home-ch/router-wan.dmz/Justfile b/services/home-ch/router-wan.dmz/Justfile index 6f818a8..921adb4 100644 --- a/services/home-ch/router-wan.dmz/Justfile +++ b/services/home-ch/router-wan.dmz/Justfile @@ -1,9 +1,9 @@ _run_ssh_cmd cmd: - ssh root@router-wan.dmz "{{ cmd }}" + ssh root@router-wan.dmz "{{cmd}}" post-setup: - just -v _run_ssh_cmd "opkg update" - just -v _run_ssh_cmd "opkg install luci-ssl" - just -v _run_ssh_cmd "opkg install luci-app-mwan3" - # multiuser SFTP - just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" + just -v _run_ssh_cmd "opkg update" + just -v _run_ssh_cmd "opkg install luci-ssl" + just -v _run_ssh_cmd "opkg install luci-app-mwan3" + # multiuser SFTP + just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" diff --git a/shell.nix b/shell.nix new file mode 100644 index 0000000..0ec42a9 
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,58 @@
+{...}: let
+ pkgsPath = (import ./nix/sources.nix).nixpkgs;
+ pkgs =
+ import pkgsPath {overlays = builtins.attrValues (import ./nix/overlays);};
+in
+ pkgs.stdenv.mkDerivation {
+ name = "infra-env";
+ buildInputs =
+ [
+ (with import (pkgsPath + "/nixos") {configuration = {};};
+ with config.system.build; [
+ nixos-generate-config
+ nixos-install
+ nixos-enter
+ manual.manpages
+ ])
+ ]
+ ++ (with pkgs; [
+ just
+ git-crypt
+ vcsh
+ gnupg
+ git
+ nixUnstable
+ niv
+ nixos-install-tools
+ apacheHttpd
+
+ vncdo
+ tesseract
+ imagemagick
+
+ esh
+
+ xorg.xwininfo
+ nmap
+ sysstat
+ lshw
+ xxHash
+ linssid
+ wavemon
+ wirelesstools
+ lm_sensors
+
+ zathura
+
+ ripgrep
+ glxinfo
+ nixfmt
+
+ ntfy
+
+ playerctl
+ ]);
+
+ # Set Environment Variables
+ RUST_BACKTRACE = 1;
+ }
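Review bot: The `buildInputs` list in the new shell.nix references `nixUnstable` from the niv-pinned nixpkgs (`(import ./nix/sources.nix).nixpkgs`), and that attribute has become a throwing alias in current nixpkgs releases, so whether `nix-shell` evaluates at all depends entirely on the pin in `nix/sources.nix`, which is not visible in this diff; `nixVersions.stable` or `nixVersions.latest` is the spelling that keeps working across pin updates. The same list also installs `nixos-install-tools` next to the `nixos-generate-config`/`nixos-install`/`nixos-enter` scripts taken from `import (pkgsPath + "/nixos") {configuration = {};}`, which appears to provide the same three tools twice and forces a full NixOS module-system evaluation on every shell entry; keeping only `nixos-install-tools` would remove the duplicate PATH entries and that evaluation. Finally, `# Set Environment Variables` restates what the next line shows; a comment on why `RUST_BACKTRACE = 1;` is wanted in an infra shell would be more useful, or the line could be dropped.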