diff --git a/.envrc b/.envrc
index 90160da..051d09d 100644
--- a/.envrc
+++ b/.envrc
@@ -1,5 +1 @@
-if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
- source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
-fi
-
-use flake .#develop
+eval "$(lorri direnv)"
diff --git a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
index fd34c43..9587742 100644
Binary files a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg and b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg differ
diff --git a/.gitignore b/.gitignore
index 8c927b6..5e0fed2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,10 +2,3 @@
 *.qcow2
 .*.log
 .env
-**/result
-.direnv/
-
-# nixago: ignore-linked-files
-/treefmt.toml
-
-/debug-logs
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 0000000..efb4d91
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,10 @@
+stages:
+ - build
+
+build:
+ stage: build
+ tags:
+ - nix
+ script:
+ # Test the nix-shell
+ - just run-with-channels 'nix-shell --run "echo OK"'
diff --git a/.sops.yaml b/.sops.yaml
deleted file mode 100644
index 9ad6d2c..0000000
--- a/.sops.yaml
+++ /dev/null
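Review bot: The new `.envrc` line `eval "$(lorri direnv)"` evaluates whatever a `lorri` binary found on `PATH` prints, with no check that the tool exists or which version it is, while the line it replaces fetched its direnvrc pinned to a sha256; this hunk therefore removes the only integrity control in the file. If `lorri` is absent the substitution is empty and the environment silently fails to load rather than erroring. Guard it and fail loudly: `if has lorri; then eval "$(lorri direnv)"; else echo ".envrc: lorri not found in PATH" >&2; fi`. A one-line comment that the trust boundary is now the locally installed `lorri` (run only after `direnv allow`) rather than a pinned download would also help the next reader.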
@@ -1,129 +0,0 @@ -# This example uses YAML anchors which allows reuse of multiple keys -# without having to repeat yourself. -# Also see https://github.com/Mic92/dotfiles/blob/master/nixos/.sops.yaml -# for a more complex example. - -# use `ssh-keyscan | ssh-to-age` to get the age key for a remote machine -# use `for file in $(grep -lr "sops:") secrets; do sops updatekeys -y $file; done` for updating -keys: - - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - - &steveej-age age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - - &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - - - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - - &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - -creation_rules: - - path_regex: ^(.+/|)secrets/[^/]+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *steveej-x13s - - *elias-e525 - - - *router0-dmz0 - - - *sj-srv1 - - *hstk0 - - *router0-ifog - - *router0-hosthatch - - path_regex: ^secrets/steveej-t14/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *steveej-t14 - - path_regex: ^secrets/desktop/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *steveej-t14 - - *steveej-x13s - - path_regex: ^secrets/servers/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *sj-srv1 - - path_regex: ^nix/os/containers/.+_secrets.+$ - 
key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *sj-srv1 - - path_regex: ^secrets/holochain-infra/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - path_regex: ^secrets/router0-dmz0/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *router0-dmz0 - - path_regex: ^secrets/router0-ifog/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *router0-ifog - - path_regex: ^secrets/router0-hosthatch/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *router0-hosthatch - - path_regex: ^secrets/sj-vps-htz0/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *sj-vps-htz0 - - path_regex: ^secrets/sj-srv1/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *sj-srv1 - - path_regex: ^secrets/hstk0/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *hstk0 - - path_regex: ^secrets/steveej-x13s/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *steveej-x13s - - path_regex: ^secrets/work-holo/.+$ - key_groups: - - pgp: - - *steveej - age: - - *steveej-age - - *steveej-x13s diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index 660429d..0000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "editor.defaultFormatter": "ibecker.treefmt-vscode", - "editor.formatOnSave": true, - "nix.enableLanguageServer": true, - "nix.serverPath": "nil", - "nix.serverSettings": { - // settings for 'nil' LSP - "nil": { - "autoArchive": true, - "diagnostics": { - "ignored": ["unused_binding", "unused_with"] - }, - "formatting": { - "command": ["treefmt", "--stdin", ".nil.nix"] - } - } - }, - "treefmt.command": "treefmt", - "treefmt.config": "" -} diff --git a/Justfile b/Justfile index c7fa7b3..d4bf5cc 100755 --- a/Justfile +++ b/Justfile 
@@ -1,321 +1,318 @@ -# _DEFAULT_VERSION_TMPL: -# echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" +_DEFAULT_VERSION_TMPL: + echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" + +_DEFAULT_VERSION: + echo "{{invocation_directory()}}/nix/variables/versions.nix" _usage: - just -l + just -l # Re-render the default versions update-default-versions: - nix flake update + #!/usr/bin/env bash + template="$(just _DEFAULT_VERSION_TMPL)" + outfile="$(just _DEFAULT_VERSION)" + esh -o ${outfile} ${template} _get_nix_path versionsPath: - echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath {{ versionsPath }}) + echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}}) _device recipe dir +moreargs="": - #!/usr/bin/env bash - set -ex - unset NIX_PATH - source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix) - $(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }}) + #!/usr/bin/env bash + set -ex + source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix) + $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}}) _render_templates: - #!/usr/bin/env bash - set -ex - if ! ip route get 1.1.1.1; then - echo No route to WAN. Skipping template rendering... - else - source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) - # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix - fi + #!/usr/bin/env bash + set -ex + if ! ip route get 1.1.1.1; then + echo No route to WAN. Skipping template rendering... 
+ else + source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) + nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix + fi -rebuild-remote-device device +rebuildargs="dry-activate": - #!/usr/bin/env bash - set -ex - nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }} +_rebuild-device dir rebuildarg="dry-activate" +moreargs="": _render_templates + #!/usr/bin/env bash + set -ex + just -v _device rebuild {{dir}} --argstr rebuildarg {{rebuildarg}} {{moreargs}} + +rebuild-remote-device device target rebuildarg="dry-activate" : + #!/usr/bin/env bash + set -ex + just -v _rebuild-device nix/os/devices/{{device}} {{rebuildarg}} --argstr moreargs "'--target-host\ {{target}}'" # Rebuild this device's NixOS -rebuild-this-device +rebuildargs="dry-activate": - nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }} +rebuild-this-device rebuildarg="dry-activate": + #!/usr/bin/env bash + set -e + + function parse_hm_rebuildarg() { + case $1 in + switch) + echo switch + ;; + *) + echo build + ;; + esac + } + + export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log + export HOMEREBUILD_LOG=.$(hostname -s)_homerebuild.log + + echo Rebuilding system in {{rebuildarg}}-mode... + if just -v _rebuild-device nix/os/devices/$(hostname -s) {{rebuildarg}} > ${SYSREBUILD_LOG} 2>&1 ; then + echo System rebuild successful + else + cat ${SYSREBUILD_LOG} + echo ERROR: system rebuild failed + exit 1 + fi + + if type home-manager > /dev/null 2>&1; then + echo Rebuilding home in $(parse_hm_rebuildarg {{rebuildarg}})-mode... 
+ source $(just -v _get_nix_path {{invocation_directory()}}/nix/os/devices/$(hostname -s)/versions.nix) + if home-manager -v $(parse_hm_rebuildarg {{rebuildarg}}) > ${HOMEREBUILD_LOG} 2>&1 ; then + echo Home rebuild successful + else + cat ${HOMEREBUILD_LOG} + echo ERROR: home rebuild failed + exit 1 + fi + fi # Re-render the versions of a remote device and rebuild its environment -update-remote-device devicename +rebuildargs='build': - #!/usr/bin/env bash - set -e +update-remote-device device target rebuildmode='switch': + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/{{ devicename }} - nix flake update - ) + template=nix/os/devices/{{device}}/versions.tmpl.nix + outfile=nix/os/devices/{{device}}/versions.nix + + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi - just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }} + esh -o ${outfile} ${template} + if ! test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi - git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions" + just -v rebuild-remote-device {{device}} {{target}} dry-activate || { + echo ERROR: rebuild in mode 'dry-active' failed after updating ${outfile} + exit 1 + } + + just -v rebuild-remote-device {{ device }} {{ target }} {{ rebuildmode }} || { + echo ERROR: rebuild in mode '{{ rebuildmode }}' failed after updating ${outfile} + exit 1 + } + + git commit -v ${outfile} -m "nix/os/devices/{{ device }}: bump versions" # Re-render the versions of the current device and rebuild its environment -update-this-device rebuild-mode='switch' +moreargs='': - #!/usr/bin/env bash - set -e +update-this-device rebuild-mode='switch': + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/$(hostname -s) - nix flake update - ) + template=nix/os/devices/$(hostname -s)/versions.tmpl.nix + outfile=nix/os/devices/$(hostname -s)/versions.nix - just -v rebuild-this-device {{ 
rebuild-mode }} {{ moreargs }} + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi - git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions" + esh -o ${outfile} ${template} + if ! test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi + + export SYSREBUILD_LOG=.$(hostname -s)_sysrebuild.log + just -v rebuild-this-device dry-activate || { + echo ERROR: Update failed, reverting ${outfile}... + exit 1 + } + + just -v rebuild-this-device {{rebuild-mode}} || { + echo ERROR: Rebuilding in {{rebuild-mode}}-mode failed + exit 1 + } + + git commit -v ${outfile} -m "nix/os/devices/$(hostname -s): bump versions" # Rebuild an offline system rebuild-disk device: - #!/usr/bin/env bash - set -xe + #!/usr/bin/env bash + set -xe - just -v disk-mount {{ device }} - trap "set +e; just -v disk-umount {{ device }}" EXIT - just -v disk-install {{ device }} + just -v disk-mount {{device}} + trap "set +e; just -v disk-umount {{device}}" EXIT + just -v disk-install {{device}} # Re-render the versions of the given offline system and reinstall it in offline-mode update-disk dir: - #!/usr/bin/env bash - set -exuo pipefail + #!/usr/bin/env bash + set -exuo pipefail - dir={{ dir }} + dir={{dir}} - template={{ dir }}/versions.tmpl.nix - outfile={{ dir }}/versions.nix + template={{dir}}/versions.tmpl.nix + outfile={{dir}}/versions.nix - if ! test -e ${template}; then - template="$(just _DEFAULT_VERSION_TMPL)" - fi + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi - esh -o ${outfile} ${template} - if ! test "$(git diff ${outfile})"; then - echo Already on latest versions - exit 0 - fi + esh -o ${outfile} ${template} + if ! test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi - export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log - just -v rebuild-disk {{ dir }} || { - echo ERROR: Update of {{ dir }} failed, reverting ${outfile}... 
- exit 1 - } + export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log + just -v rebuild-disk {{dir}} || { + echo ERROR: Update of {{dir}} failed, reverting ${outfile}... + exit 1 + } - git commit -v ${outfile} -m "${dir}: bump versions" + git commit -v ${outfile} -m "${dir}: bump versions" # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L) hm-iterate-qtile: - #!/usr/bin/env bash - set -xe - home-manager switch || just -v rebuild-this-device switch - Xephyr -ac -br -resizeable :1 & - XEPHYR_PID=$! - echo ${XEPHYR_PID} - DISPLAY=:1 $(grep qtile ~/.xsession) & - echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L" - wait $! - kill ${XEPHYR_PID} + #!/usr/bin/env bash + set -xe + home-manager switch || just -v rebuild-this-device switch + Xephyr -ac -br -resizeable :1 & + XEPHYR_PID=$! + echo ${XEPHYR_PID} + DISPLAY=:1 $(grep qtile ~/.xsession) & + echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L" + wait $! + kill ${XEPHYR_PID} # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device. disk-prepare dir: - just -v _device diskPrepare {{ dir }} + just -v _device diskPrepare {{dir}} --argstr rebuildarg "dummy" disk-relabel dir previous: - just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }} + just -v _device diskRelabel {{dir}} --argstr rebuildarg "dummy" --argstr previousDiskId {{previous}} # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 
'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' disk-mount dir: - just -v _device diskMount {{ dir }} + just -v _device diskMount {{dir}} --argstr rebuildarg "dummy" # Unmount target disk, specified by device configuration directory disk-umount dir: - just -v _device diskUmount {{ dir }} + just -v _device diskUmount {{dir}} --argstr rebuildarg "dummy" # Perform an offline installation on the mounted target disk, specified by device configuration directory disk-install dir: _render_templates - just -v _device diskInstall {{ dir }} + just -v _device diskInstall {{dir}} --argstr rebuildarg "dummy" verify-n-unlock sshserver attempts="10": - #!/usr/bin/env bash - set -e - env \ - GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \ - SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} SSHOPTS)" \ - VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \ - VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCPW)" \ - \ - just _verify-n-unlock {{ sshserver }} {{ attempts }} + #!/usr/bin/env bash + set -e + : ${VNCSOCK:?VNCSOCK must be set} + : ${VNCPW:?VNCPW must be set} -_verify-n-unlock sshserver attempts: - #!/usr/bin/env bash - set -e - : ${VNCSOCK:?VNCSOCK must be set} - : ${VNCPW:?VNCPW must be set} + export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" + export TESS_ARGS="-c debug_file=/dev/null --psm 4" - export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" - export TESS_ARGS="-c debug_file=/dev/null --psm 4" + function send() { + local what="${1:?need something to send}" + ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null + } - function send() { - local what="${1:?need something to send}" - ssh -4 ${SSHOPTS:?need 
sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null - } + function expect() { + local what="${1:?need something to expect}" + vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp + convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff + tesseract ${TESS_ARGS} screenshot.tiff screenshot + grep --quiet "${what}" screenshot.txt + } - function expect() { - local what="${1:?need something to expect}" - vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp - convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff - tesseract ${TESS_ARGS} screenshot.tiff screenshot - grep --quiet "${what}" screenshot.txt - } + function send_and_expect() { + local send="${1:?need something to send}" + local expect="${2:?need something to expect}" + if ! send "${send}"; then + echo warning: cannot send > /dev/stderr + return -1 + fi + expect "${expect}" + } - function send_and_expect() { - local send="${1:?need something to send}" - local expect="${2:?need something to expect}" - if ! send "${send}"; then - echo warning: cannot send > /dev/stderr - return -1 - fi - expect "${expect}" - } + trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT - trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT + for i in `seq 1 {{attempts}}`; do + echo Attempt $i... + expect="$(pwgen -0 12)" + send="'\0033\0143'${expect}" + if send_and_expect "${send}" "${expect}"; then + pipe=$(mktemp -u) + mkfifo ${pipe} + exec 3<>${pipe} + rm ${pipe} - for i in `seq 1 {{ attempts }}`; do - echo Attempt $i... - expect="$(pwgen -0 12)" - send="'\0033\0143'${expect}" - if send_and_expect "${send}" "${expect}"; then - pipe=$(mktemp -u) - mkfifo ${pipe} - exec 3<>${pipe} - rm ${pipe} + echo Verification succeeded at attempt $i. Unlocking remote drive... 
+ ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null & + eval ${GETPW} | head -n1 >&3 - echo Verification succeeded at attempt $i. Unlocking remote drive... - ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null & - eval ${GETPW} | head -n1 >&3 + for j in `seq 1 120`; do + sleep 0.5 + if expect '— success'; then + echo Unlock successful. + exit 0 + fi + done - for j in `seq 1 120`; do - sleep 0.5 - if expect '— success'; then - echo Unlock successful. - exit 0 - fi - done - - echo Unlock failed... - exit 1 - fi - done - echo Verification failed {{ attempts }} times. Giving up... - exit 1 + echo Unlock failed... + exit 1 + fi + done + echo Verification failed {{attempts}} times. Giving up... + exit 1 _get_pass_entry path key: - pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g' + pass show {{path}}| grep -E "^{{key}}:" | awk '{ print $2 }' + # jq -sR 'split("\n") | map(split(":"))' <(pass show Infrastructure/VPS/CFB4ED74 | grep -E "^[A-Za-z_]+:") run-with-channels +cmds: - #!/usr/bin/env bash - source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) - {{ cmds }} + #!/usr/bin/env bash + set -x + source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) + {{cmds}} install-config config root: - sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd + just run-with-channels sudo -E nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd # Switch between gpg-card capable devices which have a copy of the same key -switch-gpg-card key-id="6EEFA706CB17E89B": - #!/usr/bin/env bash - # - # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. - # - # Connect the new device and then run this script to make it known to gnupg. 
- # - set -xe - if [[ -n "{{ key-id }}" ]]; then - KEY_ID="{{ key-id }}" - else - KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') - fi +switch-gpg-card: + #!/usr/bin/env bash + # + # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. + # + # Connect the new device and then run this script to make it known to gnupg. + # + set -xe + KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') - # export pubkey and ownertrust - gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" - # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` - gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust + # export pubkey and ownertrust + gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" + # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` + gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust - # delete the key - gpg --yes --delete-secret-and-public-keys "${KEY_ID}" + # delete the key + gpg --yes --delete-secret-and-public-keys "${KEY_ID}" - # import pubkey and ownertrust back and cleanup - gpg2 --import "${KEY_ID}".pubkey - gpg2 --import-ownertrust < "${KEY_ID}".ownertrust - rm "${KEY_ID}".{pubkey,ownertrust} + # import pubkey and ownertrust back and cleanup + gpg2 --import "${KEY_ID}".pubkey + gpg2 --import-ownertrust < "${KEY_ID}".ownertrust + rm "${KEY_ID}".{pubkey,ownertrust} - # refresh the gpg agent - gpg-connect-agent "scd serialno" "learn --force" /bye - gpg --card-status - -# Connect to `remote` UUID, and turn it into a short name -uuid-to-device-name remote: - #!/usr/bin/env bash - set -e -o pipefail - ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' - -test-connection: - #! /usr/bin/env nix-shell - #! nix-shell -p curl zsh - #! nix-shell -i zsh - #! 
nix-shell --pure - - while true; do - FAILURE="false" - output=$( - echo "$(date)\n---" - for url in \ - "https://172.16.0.1:65443/0.7/gui/#/login/" \ - "https://192.168.0.1" \ - "http://172.172.171.9" \ - "https://172.172.171.10:65443" \ - "https://172.172.171.11:65443" \ - "https://172.172.171.13:443" \ - "https://172.172.171.14:443" \ - "http://172.172.171.15:22" \ - "http://172.172.171.16:22" \ - "https://crates.io" \ - "https://holo.host" \ - ; \ - do - print "trying ${url}": $( - curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) - # if [ $? -ne 0 ]; then - if [[ "$curl_output" == *timeout* ]]; then - echo failure: $(echo ${curl_output} | tail -n1) - # BUG: outer FAILURE is not set by this - FAILURE="true" - else - echo success - fi - ) - done - ) - clear - echo ${output} - - if [[ ${FAILURE} == "true" ]]; then - echo something failed - tracepath -m5 -n1 172.16.0.1 - tracepath -m5 -n1 192.168.0.1 - fi - - sleep 5 - done - -cachix-use name: - nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/ - -update-sops-keys: - for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done - -deploy-router0-dmz0: - NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1 - -ttyusb: - screen -fa /dev/ttyUSB0 115200 + # refresh the gpg agent + gpg-connect-agent "scd serialno" "learn --force" /bye + gpg --card-status diff --git a/README.md b/README.md index 5d32951..486235b 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,4 @@ # steveej's infra - This repository helps me to manage all computer infrastructure. This is mostly achieved with the help of [Nix](https://nixos.org). 
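Review bot: `_get_pass_entry` now extracts the value with `awk '{ print $2 }'`, which returns only the first whitespace-separated token after the key, whereas the `sed` it replaces kept the whole remainder of the line; any entry whose value contains spaces — an `SSHOPTS` holding several `-o` options, or a passphrase with spaces — is silently truncated. Restore the remainder-preserving form, e.g. `pass show {{path}} | grep -E "^{{key}}:" | sed -E 's/^[^:]+: *//'`. In `verify-n-unlock`, `VNCSOCK` and `VNCPW` are validated up front but `eval ${GETPW}` runs later with no such check, so an unset `GETPW` pipes an empty line into `cryptsetup-askpass`; add `: ${GETPW:?GETPW must be set}` beside the other guards, and a comment that `GETPW` is deliberately a shell command string that is `eval`ed. Note also that `vncdo --password=${VNCPW}` exposes the VNC password in the process list to other local users, which is worth a comment if the tool offers no file- or stdin-based alternative.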
@@ -20,7 +19,7 @@ In the unlikely case that you actually read this and have any questions please d - [ ] development environments - [x] (Semi-) automatic synchronization of important repositories - [x] Modification strategy - The approach is to use vcsh for the dotfiles + The approach is to use vcsh for the dotfiles - [x] dotfiles - [x] Toplevel Justfile for simple actions - [x] mount/umount disks 
@@ -30,56 +29,19 @@ In the unlikely case that you actually read this and have any questions please d - [x] annotate recipes with some documentation - [x] declare shell.nix with runtime deps - [x] partition/encrypt/format disks -- [x] Maybe make this a nix-overlay -- [x] refactor as a nix flake and adopt an existing framework - - [x] devShell version - - [x] ~~version templating~~ obsolete due to the usage of flakes - - [x] elias-e525 - - [x] steveej-t14 - - [x] contabo vps - - [x] sj-pve0 -- [x] use an existing secret management framework -- [x] adapt (or abandon?) _just_ recipes - - - [x] `rebuild-this-device` - - [x] `update-this-device` - - [x] `rebuild-remote-device` - - [x] `update-remote-device` - - evaluate, and understand a path to using these tools in a pull-based fashion: - - - [x] [colmena](https://github.com/zhaofengli/colmena) - - bootstrapping: https://github.com/zhaofengli/colmena/issues/68 - - [ ] deploy-rs - -- [x] 🚧 find a better alternative for the qtile-desktop - current issues: - - - floating windows often get lost in the background - - plugging in-/out- screen crashes the desktop - - evaluate: - - - [x] ~~🚧 gnome3 + pop-shell~~ - - [x] ~~leftwm + eww (+ wayland?)~~ - -- [ ] (Re-)document bootstrap process - - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine +- [ ] Document bootstrap process - [ ] a new machine - [ ] an install media - [ ] Design disaster recovery - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 -- [ ] Recycle _\_archived_ -- [ ] container migrations - - [ ] ensure DDNS is updated _before_ the containers are started +- [ ] Recycle *\_archived* +- [x] Maybe make this a nix-overlay ## Bugs - - [ ] home-manager leaves ~/.gnupg at 0755 ## Usage - -_(These are reminders for my future self)_ +*(These are reminders for my future self)* ``` just --list 
@@ -88,37 +50,9 @@ just --list ## Bootstrap ### A new machine +* ensure the dotfiles repo has a branch with the new machine's hostname -- ensure the dotfiles repo has a branch with the new machine's hostname - -- boot with an install media and go through setup +* boot with an install media and go through setup #### Post-Install Setup - -- `chmod --recursive g-rwx,o-rwx ~/.gnupg` -- `gpg2 --edit-card; fetch` -- clone password-manager and infra repositories -- gpg2: ultimately trust my own key - -## Swapping out a disk - -1. offline-bitwise copy of drive -2. disconnect remove the previous drive -3. replace the driveId in the device's hw.nix -4. run the `just disk-relabel nix/os/devices/ ` command to rename the filesystem and volume group - -## Rebuilding an offline system - -``` -( -sudo cryptsetup open /dev/sdb3 steveej-t14s-cryptroot -sleep 5 - -sudo mkdir -p /mnt/root -sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root -o subvol=nixos -sudo mount /dev/sdb2 /mnt/root/boot -sudo mount /dev/mapper/nvme--WD_BLACK_SN850X_4000GB_2227DT443901-root /mnt/root/home -o subvol=home - -sudo nixos-install -v --flake .#steveej-t14 --root /mnt/root/ --no-root-password -) -``` +* `gpg2 --edit-card; fetch` diff --git a/_archive/environments/dev/cross.nix b/_archive/environments/dev/cross.nix new file mode 100644 index 0000000..59b6b3d --- /dev/null +++ b/_archive/environments/dev/cross.nix 
@@ -0,0 +1,89 @@ +import /home/steveej/src/github/NixOS/nixpkgs/default.nix { + crossSystem = rec { + config = "armv7l-unknown-linux-gnueabi"; + bigEndian = false; + arch = "arm"; + float = "hard"; + fpu = "vfpv3-d16"; + withTLS = true; + libc = "glibc"; + platform = { + name = "armv7l-hf-multiplatform"; + gcc = { + arch = "armv7-a"; + fpu = "neon"; + float = "hard"; + }; + kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc. + kernelHeadersBaseConfig = "multi_v7_defconfig"; + kernelBaseConfig = "multi_v7_defconfig"; + kernelArch = "arm"; + kernelDTB = true; + kernelAutoModules = false; + kernelExtraConfig = '' + NAMESPACES y + BTRFS_FS y + BTRFS_FS_POSIX_ACL y + OVERLAY_FS y + FUSE_FS y + ''; + kernelTarget = "zImage"; + uboot = null; + }; + openssl.system = "linux-generic32"; + gcc = { + arch = "armv7-a"; + fpu = "neon"; + float = "hard"; + }; + }; +} +# pkgs.config = { +# packageOverrides = super: let self = super.pkgs; in { +# linux_4_0 = super.linux_3_18.override { +# kernelPatches = super.linux_3_18.kernelPatches ++ [ +# # we'll also add one of our own patches +# { patch = ./dts.patch; name = "dts-fix"; } +# ]; +# +# # add "CONFIG_PPP_FILTER y" option to the set of kernel options +# extraConfig = '' +# HAVE_IMX_ANATOP y +# HAVE_IMX_GPC y +# HAVE_IMX_MMDC y +# HAVE_IMX_SRC y +# SOC_IMX6 y +# SOC_IMX6Q y +# SOC_IMX6SL y +# PCI_IMX6 y +# ARM_IMX6Q_CPUFREQ y +# IMX_WEIM y +# AHCI_IMX y +# SERIAL_IMX y +# SERIAL_IMX_CONSOLE y +# I2C_IMX y +# SPI_IMX y +# PINCTRL_IMX y +# PINCTRL_IMX6Q y +# PINCTRL_IMX6SL y +# POWER_RESET_IMX y +# IMX_THERMAL y +# IMX2_WDT y +# IMX_IPUV3_CORE y +# DRM_IMX y +# DRM_IMX_FB_HELPER y +# DRM_IMX_PARALLEL_DISPLAY y +# DRM_IMX_TVE y +# DRM_IMX_LDB y +# DRM_IMX_IPUV3 y +# DRM_IMX_HDMI y +# MMC_SDHCI_ESDHC_IMX y +# IMX_SDMA y +# PWM_IMX y +# DEBUG_IMX6Q_UART y +# +# PPP_FILTER y +# ''; +# }; +# }; +# }; 
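Review bot: The expression imports nixpkgs from the hard-coded working-tree path `/home/steveej/src/github/NixOS/nixpkgs/default.nix`, so the cross toolchain it defines depends on whatever revision happens to be checked out there and cannot be rebuilt on another machine or audited later. Even for an archived file, pinning the input (a `fetchTarball` with a `sha256`, or at minimum a comment recording the nixpkgs revision it was last evaluated against) keeps the result reproducible. A header such as `# Archived armv7l cross toolchain; imports an unpinned local nixpkgs checkout and is not reproducible as-is` would make that status explicit to the next reader.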
diff --git a/_archive/environments/dev/go/default.nix b/_archive/environments/dev/go/default.nix new file mode 100644 index 0000000..e67468d --- /dev/null +++ b/_archive/environments/dev/go/default.nix 
@@ -0,0 +1,89 @@ +{ gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {} +, pkgs ? gitpkgs +, name ? "generic" +, version +, extraBuildInputs ? [] +, extraShellHook ? "" +}: +let + go = builtins.getAttr "go_${version}" pkgs; + commonVimRC = '' + let g:tagbar_type_go = { + \ 'ctagstype' : 'go', + \ 'kinds' : [ + \ 'p:package', + \ 'i:imports:1', + \ 'c:constants', + \ 'v:variables', + \ 't:types', + \ 'n:interfaces', + \ 'w:fields', + \ 'e:embedded', + \ 'm:methods', + \ 'r:constructor', + \ 'f:functions' + \ ], + \ 'sro' : '.', + \ 'kind2scope' : { + \ 't' : 'ctype', + \ 'n' : 'ntype' + \ }, + \ 'scope2kind' : { + \ 'ctype' : 't', + \ 'ntype' : 'n' + \ }, + \ 'ctagsbin' : 'gotags', + \ 'ctagsargs' : '-sort -silent' + \ } + + " vim-go { + let g:go_highlight_functions = 1 + let g:go_highlight_methods = 1 + let g:go_highlight_structs = 1 + let g:go_highlight_interfaces = 1 + let g:go_highlight_operators = 1 + let g:go_highlight_build_constraints = 1 + let g:go_fmt_command = 'gofmt' + let g:go_fmt_options= '-s' + let g:go_def_mode = 'godef' + let g:go_def_reuse_buffer = 0 + + au FileType go nmap gds (go-def-split) + au FileType go nmap gdv (go-def-vertical) + au FileType go nmap gdt (go-def-tab) + au FileType go nmap gi (go-imports) + " } + ''; + buildInputs = with pkgs; [ + glibc.out + glibc.static + + go + gotools + #gotools.bin + #gocode.bin + #godef godef.bin + godep + #godep.bin + gox.bin + #ginkgo ginkgo.bin + #gomega +# ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) +# ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) + ]; + +in pkgs.stdenv.mkDerivation { + inherit name; + buildInputs = extraBuildInputs ++ buildInputs; + shellHook = '' + goname=${go.version}_$name + # FIXME: setPS1 $goname + export GOROOT=${go}/share/go + export GOPATH="$HOME/.gopath_$goname" + export PATH="$HOME/.gopath_$goname/bin:$PATH" + unset name + unset SSL_CERT_FILE + + ${extraShellHook} + ''; +} 
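Review bot: The `shellHook` ends with `unset SSL_CERT_FILE` and nothing explains why; in Nix shells that variable is commonly what points Go, curl and similar tools at the CA bundle, so clearing it may make TLS connections from the dev shell fail verification or fall back to whatever the host provides, which changes the trust root without any visible signal. If it is intentional, document it, e.g. `# SSL_CERT_FILE is cleared so tools use the host CA store instead of the Nix bundle; revisit if TLS errors appear`; if it is a leftover, drop the line. The same hunk defaults `gitpkgs` to the unpinned `/home/steveej/...` checkout, so the resulting Go environment is not reproducible across machines either.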
diff --git a/_archive/environments/dev/go/neovim-go.nix b/_archive/environments/dev/go/neovim-go.nix new file mode 100644 index 0000000..c160104 --- /dev/null +++ b/_archive/environments/dev/go/neovim-go.nix @@ -0,0 +1,15 @@ +{ commonRC, ... } @ args : + +(import ../../pkg-configuration/vim-derivates/neovim.nix args // { + additionalRC = commonRC + '' + " deoplete { + let g:deoplete#enable_at_startup = 1 + let g:deoplete#enable_smart_case = 1 + " } + ''; + additionalPlugins = [ + "deoplete-go" + "deoplete-nvim" + "vim-go" + ]; +}) diff --git a/_archive/environments/dev/pandoc.nix b/_archive/environments/dev/pandoc.nix new file mode 100644 index 0000000..93a3fb1 --- /dev/null +++ b/_archive/environments/dev/pandoc.nix @@ -0,0 +1,26 @@ +{ gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {} +, pkgs ? gitpkgs +, name ? "generic" +, version ? "Stable" +, extraBuildInputs ? [] +}: +let + commonVimRC = '' + ''; +in pkgs.stdenv.mkDerivation { + inherit name; + buildInputs = with pkgs; [ + ( import ./vim-pandoc.nix { pkgs=gitpkgs; commonRC=commonVimRC; }) + pandoc + texlive.combined.scheme-medium + python27Packages.pandocfilters + python27Packages.htmltreediff + python27Packages.html5lib + python27Packages.dbus-python + ] ++ extraBuildInputs; + shellHook = '' + pandocname=pandoc_${pkgs.pandoc.version} + setPS1 $pandocname + unset name + ''; +} diff --git a/_archive/environments/dev/rkt.nix b/_archive/environments/dev/rkt.nix new file mode 100644 index 0000000..072018c --- /dev/null +++ b/_archive/environments/dev/rkt.nix 
@@ -0,0 +1,72 @@
+{
+pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
+mkGoEnv ? import ./go.nix,
+rktPath,
+}:
+let
+ rktBasebuildInputs = with pkgs; [
+ glibc.out
+ glibc.static
+ autoreconfHook
+ gnupg1
+ squashfsTools
+ cpio
+ tree
+ intltool
+ libtool
+ pkgconfig
+ libgcrypt
+ gperf
+ libcap
+ libseccomp
+ libzip
+ eject
+ iptables
+ bc
+ acl
+ trousers
+ systemd
+ ];
+ extraShellHook = ''
+ TARGET=$GOPATH/src/github.com/coreos/rkt
+ if [[ -e ${rktPath}/rkt/rkt.go ]]; then
+ pushd ${rktPath}
+ else
+ echo rktPath must be run the rkt repository clone, but got '${rktPath}'
+ exit 1
+ fi
+ if ! [[ -e $TARGET/rkt/rkt.go ]]; then
+ mkdir -p $TARGET
+ echo $PWD
+ sudo -E mount -o bind $PWD $TARGET
+ fi
+ pushd $TARGET
+ '';
+in {
+ go15 = mkGoEnv {
+ inherit pkgs;
+
+ name = "rktGo15";
+ version = "1_5";
+ extraBuildInputs = rktBasebuildInputs;
+ inherit extraShellHook;
+ };
+
+ go16 = mkGoEnv {
+ inherit pkgs;
+
+ name = "rktGo16";
+ version = "1_6";
+ extraBuildInputs = rktBasebuildInputs;
+ inherit extraShellHook;
+ };
+
+ go17 = mkGoEnv {
+ inherit pkgs;
+
+ name = "rktGo17";
+ version = "1_7";
+ extraBuildInputs = rktBasebuildInputs;
+ inherit extraShellHook;
+ };
+}
diff --git a/_archive/environments/dev/rust/.envrc b/_archive/environments/dev/rust/.envrc
new file mode 100644
index 0000000..051d09d
--- /dev/null
+++ b/_archive/environments/dev/rust/.envrc
@@ -0,0 +1 @@
+eval "$(lorri direnv)"
diff --git a/_archive/environments/dev/rust/default.nix b/_archive/environments/dev/rust/default.nix
new file mode 100644
index 0000000..acb6104
--- /dev/null
+++ b/_archive/environments/dev/rust/default.nix
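Review bot: The `sudo -E mount -o bind $PWD $TARGET` line in extraShellHook performs a privileged mount automatically on every shell entry, `-E` hands the full unsanitised shell environment to the privileged process, and `$PWD`/`$TARGET` are unquoted so a path containing whitespace breaks the command; there is also no matching unmount, so repeated entries leave bind mounts behind. Quote both arguments and drop `-E` unless a specific variable is needed: `sudo mount -o bind "$PWD" "$TARGET"`. The `exit 1` in the else branch terminates the nix-shell process instead of reporting the error and leaving the shell usable; a `return 1` is presumably what was intended, though that depends on how mkGoEnv evaluates the hook, which is outside this hunk. The message `rktPath must be run the rkt repository clone` reads as garbled and probably means `rktPath must point to the rkt repository clone`.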
@@ -0,0 +1,32 @@
+{ gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}
+, pkgs ? gitpkgs
+, name ? "generic"
+, version ? "Stable"
+, extraBuildInputs ? []
+}:
+let
+ rustPackages = builtins.getAttr "rust${version}" pkgs;
+ rustc = rustPackages.rustc;
+ rustShellHook = { rustc, name }: ''
+ rustname=rust_${rustc.version}_${name}
+ setPS1 $rustname
+ unset name
+ '';
+ commonVimRC = ''
+ '';
+in pkgs.stdenv.mkDerivation {
+ inherit name;
+ buildInputs = with rustPackages;[
+ ( import ./vim-rust.nix { pkgs=gitpkgs; commonRC=commonVimRC;
+ inherit rustc;
+ racerd=pkgs.rustracerd;
+ })
+ rustc cargo
+ ] ++ [
+ pkgs.rustfmt
+ ] ++ extraBuildInputs;
+ shellHook = (rustShellHook){
+ inherit name;
+ inherit rustc;
+ };
+}
diff --git a/_archive/environments/dev/vim-go.nix b/_archive/environments/dev/vim-go.nix
new file mode 100644
index 0000000..977d555
--- /dev/null
+++ b/_archive/environments/dev/vim-go.nix
@@ -0,0 +1,20 @@
+{ commonRC, ... } @ args :
+
+import ../../pkg-configuration/vim-derivates/vim.nix (args // {
+ name = "vim-for-go";
+ additionalRC = commonRC + ''
+ " Disable AutoComplPop.
+ let g:acp_enableAtStartup = 0
+ " Use neocomplete.
+ let g:neocomplete#enable_at_startup = 1
+ " Use smartcase.
+ let g:neocomplete#enable_smart_case = 1
+ if !exists('g:neocomplete#sources#omni#input_patterns')
+ let g:neocomplete#sources#omni#input_patterns = {}
+ endif
+ '';
+ additionalPlugins = [
+ "neocomplete"
+ "vim-go"
+ ];
+})
diff --git a/_archive/environments/dev/vim-pandoc.nix b/_archive/environments/dev/vim-pandoc.nix
new file mode 100644
index 0000000..7e17759
--- /dev/null
+++ b/_archive/environments/dev/vim-pandoc.nix
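Review bot: In rust/default.nix the call `shellHook = (rustShellHook){ inherit name; inherit rustc; };` wraps the function in parentheses that do nothing and splits one inherit into two; the idiomatic spelling is `shellHook = rustShellHook { inherit name rustc; };`. Likewise `with rustPackages;[` is missing the space before the bracket that the rest of the file uses. The vim-go.nix hunk on the same line raises no concern.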
@@ -0,0 +1,22 @@
+{ commonRC
+,
+... } @ args :
+
+import ../../pkg-configuration/vim-derivates/vim.nix (args // {
+ name = "vim-for-pandoc";
+ additionalRC = commonRC + ''
+ set statusline+=%#warningmsg#
+ set statusline+=%{SyntasticStatuslineFlag()}
+ set statusline+=%*
+
+ let g:syntastic_always_populate_loc_list = 1
+ let g:syntastic_auto_loc_list = 1
+ let g:syntastic_check_on_open = 1
+ let g:syntastic_check_on_wq = 0
+ '';
+ additionalPlugins = [
+ "vim-pandoc"
+ "vim-pandoc-syntax"
+ "vimpreviewpandoc"
+ ];
+})
diff --git a/_archive/environments/dev/vim-rust.nix b/_archive/environments/dev/vim-rust.nix
new file mode 100644
index 0000000..4b4ade9
--- /dev/null
+++ b/_archive/environments/dev/vim-rust.nix
@@ -0,0 +1,46 @@
+{ commonRC
+, rustc
+, racerd,
+... } @ args :
+
+import ../../pkg-configuration/vim-derivates/vim.nix (args // {
+ name = "vim-for-rust";
+ additionalRC = commonRC + ''
+ set statusline+=%#warningmsg#
+ set statusline+=%{SyntasticStatuslineFlag()}
+ set statusline+=%*
+
+ let g:syntastic_always_populate_loc_list = 1
+ let g:syntastic_auto_loc_list = 1
+ let g:syntastic_check_on_open = 1
+ let g:syntastic_check_on_wq = 0
+
+ " tagbar
+ let g:tagbar_type_rust = {
+ \ 'ctagstype' : 'rust',
+ \ 'kinds' : [
+ \'T:types,type definitions',
+ \'f:functions,function definitions',
+ \'g:enum,enumeration names',
+ \'s:structure names',
+ \'m:modules,module names',
+ \'c:consts,static constants',
+ \'t:traits,traits',
+ \'i:impls,trait implementations',
+ \]
+ \}
+
+ let g:syntastic_rust_checkers = ["rustc"]
+
+ "rustfmt
+ let g:rustfmt_autosave = 1
+
+ let g:ycm_auto_trigger = 1
+ let g:ycm_rust_src_path = '${rustc.src}/src'
+ let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd'
+
+ '';
+ additionalPlugins = [
+ "rust-vim"
+ ];
+})
diff --git a/_archive/environments/fhs/android.nix b/_archive/environments/fhs/android.nix
new file mode 100644
index 0000000..616618b
--- /dev/null
+++ b/_archive/environments/fhs/android.nix
@@ -0,0 +1,42 @@
+{ pkgs ? import {} }:
+
+(pkgs.buildFHSUserEnv {
+ name = "devfhs";
+ multiPkgs = pkgs: (with pkgs; [
+ android-udev-rules
+ sudo
+ gawk
+ bzip2
+ file
+ gcc
+ getopt
+ git
+ gnumake
+ ncurses
+ openssl
+ patch
+ perl
+ pkgconfig
+ python
+ openssh
+ subversion
+ unzip
+ wget
+ which
+ vim
+ zlib
+ libusb
+ libusb1
+ systemd
+ strace
+ swt
+ xorg.libXtst
+ glib
+ gtk2
+ gnome.gtk
+ ]);
+ profile = ''
+ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib
+ '';
+ runScript = "bash";
+}).env
diff --git a/_archive/environments/fhs/vscode.nix b/_archive/environments/fhs/vscode.nix
new file mode 100644
index 0000000..e6d3b4b
--- /dev/null
+++ b/_archive/environments/fhs/vscode.nix
@@ -0,0 +1,38 @@
+{ pkgs ? import {} }:
+
+(pkgs.buildFHSUserEnv {
+ name = "everydayFHS";
+ targetPkgs = pkgs: (with pkgs;
+ [ which
+ gitFull
+ zsh
+ file
+ direnv
+
+ xdg_utils
+ xsel
+
+ vscode
+
+ # vscode live share
+ gnome3.gcr
+ libgnome_keyring3
+ liburcu
+ libunwind
+ lttng-ust
+ curl
+ openssl
+ libkrb5
+ libuuid
+ icu
+ zlib
+ libsecret
+ ]);
+ multiPkgs = pkgs: (with pkgs;
+ [
+ ]);
+ profile = ''
+ export SHELL=/bin/zsh
+ '';
+ # FIXME runScript = "$SHELL";
+}).env
diff --git a/_archive/nixos-configuration/common/pkg/neovim.nix b/_archive/nixos-configuration/common/pkg/neovim.nix
new file mode 100644
index 0000000..2226a39
--- /dev/null
+++ b/_archive/nixos-configuration/common/pkg/neovim.nix
@@ -0,0 +1,10 @@
+{ config
+, pkgs
+, ... } @ args:
+
+{
+ environment.systemPackages = [
+ pkgs.xsel
+ (import ../../../pkg-configuration/vim-derivates/neovim.nix args)
+ ];
+}
diff --git a/_archive/nixos-configuration/common/pkg/vim.nix b/_archive/nixos-configuration/common/pkg/vim.nix
new file mode 100644
index 0000000..d3cd726
--- /dev/null
+++ b/_archive/nixos-configuration/common/pkg/vim.nix
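Review bot: In android.nix the profile line `export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:...` produces a leading empty path element whenever LD_LIBRARY_PATH is unset or empty, and the dynamic loader treats an empty element as the current working directory, so every binary launched from this FHS shell first searches its cwd for shared objects. Prepend the old value only when it is set, remembering that bash parameter expansion needs the `''${` escape inside a Nix indented string: `export LD_LIBRARY_PATH=''${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib`. The vscode.nix and neovim.nix hunks on the same line raise no concern.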
@@ -0,0 +1,9 @@
+{ pkgs
+, ... } @ args:
+
+{
+ environment.systemPackages = [
+ pkgs.xsel
+ (import ../../../pkg-configuration/vim-derivates/vim.nix (args // { name = "vim"; }))
+ ];
+}
diff --git a/_archive/nixos-configuration/common/user/steveej.nix b/_archive/nixos-configuration/common/user/steveej.nix
new file mode 100644
index 0000000..dbea0b7
--- /dev/null
+++ b/_archive/nixos-configuration/common/user/steveej.nix
@@ -0,0 +1,20 @@
+{ config
+, pkgs
+, ... }:
+
+let
+ passwords = import ../passwords.crypt.nix;
+ keys = import ../keys.nix;
+ inherit (import ../lib) mkUser;
+in {
+ users.mutableUsers = false;
+ users.defaultUserShell = pkgs.zsh;
+
+ users.extraUsers.steveej = mkUser {
+ uid = 1000;
+ hashedPassword = passwords.users.steveej;
+ };
+
+ security.pam.enableU2F = true;
+ security.pam.services.steveej.u2fAuth = true;
+}
diff --git a/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt b/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt
new file mode 100644
index 0000000..a836e9b
--- /dev/null
+++ b/certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt
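Review bot: In steveej.nix the binding `keys = import ../keys.nix;` is never referenced in the module, so the import is dead; either drop it or, if the keys were meant to populate the user's `openssh.authorizedKeys` inside the `mkUser` call, wire them in (mkUser's definition is outside this diff). `security.pam.services.steveej.u2fAuth = true` names a PAM service after the user, but the attribute names under `security.pam.services` are PAM service names such as login or sudo, so unless a service literally called steveej exists this line presumably enables U2F for nothing — confirm which service was intended. The vim.nix hunk on the same line raises no concern.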
@@ -0,0 +1,98 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + d0:17:d1:86:81:d4:f1:28 + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=sat-r220-02.lab.eng.rdu2.redhat.com + Validity + Not Before: Nov 2 15:37:13 2018 GMT + Not After : Jan 17 15:37:13 2038 GMT + Subject: C=US, ST=North Carolina, L=Raleigh, O=Katello, OU=SomeOrgUnit, CN=sat-r220-02.lab.eng.rdu2.redhat.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ba:03:39:e3:af:3e:c7:89:bd:d0:07:66:83:18: + 9c:c0:da:56:e8:bb:37:fe:03:67:94:9a:1c:9d:47: + da:6a:a7:6e:56:6d:0a:73:05:79:0e:44:61:71:78: + 33:33:79:b1:ce:a6:9d:87:d0:01:81:10:d5:e3:21: + 0f:d0:e9:ef:86:dc:13:34:62:42:47:81:f6:ce:d8: + 78:de:00:0c:a6:5d:25:d8:cc:72:6a:c4:7c:e1:5b: + 84:2b:e2:3c:b6:51:7e:8e:e6:e1:55:7d:b4:c8:e7: + 98:76:eb:20:15:48:6f:2e:91:ca:b7:17:d4:d9:76: + 5b:40:1c:7e:4c:0b:6f:2c:63:fa:78:c5:8b:b5:36: + b6:01:d9:da:58:a9:06:76:32:18:ca:b2:7c:2d:aa: + 4f:4e:f5:67:30:4c:a6:a3:e3:ef:7c:1d:d3:67:de: + da:a5:b9:57:0d:74:01:c3:24:a9:03:61:98:91:c2: + 1f:1d:a4:36:d2:a6:f4:95:6f:01:6a:99:41:ea:f0: + 8c:7a:7d:a0:0d:34:93:a3:80:cb:19:fb:1a:e1:c4: + 0b:60:5c:8d:33:ea:90:ed:98:d2:2a:06:6e:a2:02: + 1f:f8:2c:1e:d4:d0:d4:8f:93:8d:c9:fe:21:39:6a: + 5b:7b:60:5d:2a:9c:1e:3f:51:31:b1:be:56:28:cb: + 4d:cd + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Key Usage: + Digital Signature, Key Encipherment, Certificate Sign, CRL Sign + X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication + Netscape Cert Type: + SSL Server, SSL CA + Netscape Comment: + Katello SSL Tool Generated Certificate + X509v3 Subject Key Identifier: + 72:CD:88:06:03:FE:5D:A2:D0:B3:20:C7:37:74:06:84:A8:A8:13:DF + X509v3 Authority Key Identifier: + keyid:72:CD:88:06:03:FE:5D:A2:D0:B3:20:C7:37:74:06:84:A8:A8:13:DF + DirName:/C=US/ST=North 
Carolina/L=Raleigh/O=Katello/OU=SomeOrgUnit/CN=sat-r220-02.lab.eng.rdu2.redhat.com + serial:D0:17:D1:86:81:D4:F1:28 + + Signature Algorithm: sha256WithRSAEncryption + 70:fe:c6:9f:1a:62:e8:b0:a6:25:df:e8:51:6c:e9:08:48:00: + 72:2b:d8:a2:95:6e:57:01:8e:2a:9c:a0:14:f8:c9:8a:e3:5d: + 48:64:f9:0f:81:e7:3e:b1:c2:cb:a0:ec:55:d6:e4:7f:c0:46: + 7b:bc:66:15:88:61:73:3b:ea:9e:ea:cb:32:79:35:bc:dc:eb: + 6f:d8:d0:89:c2:ae:fd:02:43:cd:e0:38:d6:9c:16:d7:6d:bb: + 2c:73:53:3c:82:56:51:d8:96:71:e1:28:49:31:be:fb:ed:23: + 08:e5:8d:eb:48:c7:25:5d:ef:0e:30:22:d3:93:7f:f1:66:b8: + 7f:8f:5c:d2:97:e7:13:0e:5b:06:1d:fd:97:1d:a5:24:93:d9: + 8a:d2:ba:51:00:b3:71:c8:61:da:79:31:64:75:96:d0:b8:d8: + 45:57:24:40:2f:11:d6:63:70:f5:bf:8d:fc:7f:1b:b9:ad:e0: + 16:6a:89:9b:6a:0c:d3:e3:b5:14:b4:5c:36:8a:b0:dd:15:4d: + 4e:77:e9:9b:29:df:e9:e3:27:dc:87:f8:6e:5d:a9:14:42:5c: + 8b:7b:13:9d:8b:c7:7a:4d:6d:52:7e:5f:02:9f:21:15:de:98: + 5d:f5:25:30:d3:fa:b4:34:f3:ff:8d:36:c7:e3:1c:d3:b1:f7: + b6:7b:ad:40 +-----BEGIN CERTIFICATE----- +MIIFEDCCA/igAwIBAgIJANAX0YaB1PEoMA0GCSqGSIb3DQEBCwUAMIGOMQswCQYD +VQQGEwJVUzEXMBUGA1UECAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVp +Z2gxEDAOBgNVBAoMB0thdGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MSwwKgYD +VQQDDCNzYXQtcjIyMC0wMi5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbTAeFw0xODEx +MDIxNTM3MTNaFw0zODAxMTcxNTM3MTNaMIGOMQswCQYDVQQGEwJVUzEXMBUGA1UE +CAwOTm9ydGggQ2Fyb2xpbmExEDAOBgNVBAcMB1JhbGVpZ2gxEDAOBgNVBAoMB0th +dGVsbG8xFDASBgNVBAsMC1NvbWVPcmdVbml0MSwwKgYDVQQDDCNzYXQtcjIyMC0w +Mi5sYWIuZW5nLnJkdTIucmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALoDOeOvPseJvdAHZoMYnMDaVui7N/4DZ5SaHJ1H2mqnblZtCnMF +eQ5EYXF4MzN5sc6mnYfQAYEQ1eMhD9Dp74bcEzRiQkeB9s7YeN4ADKZdJdjMcmrE +fOFbhCviPLZRfo7m4VV9tMjnmHbrIBVIby6RyrcX1Nl2W0AcfkwLbyxj+njFi7U2 +tgHZ2lipBnYyGMqyfC2qT071ZzBMpqPj73wd02fe2qW5Vw10AcMkqQNhmJHCHx2k +NtKm9JVvAWqZQerwjHp9oA00k6OAyxn7GuHEC2BcjTPqkO2Y0ioGbqICH/gsHtTQ +1I+Tjcn+ITlqW3tgXSqcHj9RMbG+VijLTc0CAwEAAaOCAW0wggFpMAwGA1UdEwQF +MAMBAf8wCwYDVR0PBAQDAgGmMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD 
+AjARBglghkgBhvhCAQEEBAMCAkQwNQYJYIZIAYb4QgENBCgWJkthdGVsbG8gU1NM +IFRvb2wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRyzYgGA/5dotCz +IMc3dAaEqKgT3zCBwwYDVR0jBIG7MIG4gBRyzYgGA/5dotCzIMc3dAaEqKgT36GB +lKSBkTCBjjELMAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAw +DgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdLYXRlbGxvMRQwEgYDVQQLDAtTb21l +T3JnVW5pdDEsMCoGA1UEAwwjc2F0LXIyMjAtMDIubGFiLmVuZy5yZHUyLnJlZGhh +dC5jb22CCQDQF9GGgdTxKDANBgkqhkiG9w0BAQsFAAOCAQEAcP7Gnxpi6LCmJd/o +UWzpCEgAcivYopVuVwGOKpygFPjJiuNdSGT5D4HnPrHCy6DsVdbkf8BGe7xmFYhh +czvqnurLMnk1vNzrb9jQicKu/QJDzeA41pwW1227LHNTPIJWUdiWceEoSTG+++0j +COWN60jHJV3vDjAi05N/8Wa4f49c0pfnEw5bBh39lx2lJJPZitK6UQCzcchh2nkx +ZHWW0LjYRVckQC8R1mNw9b+N/H8bua3gFmqJm2oM0+O1FLRcNoqw3RVNTnfpmynf +6eMn3If4bl2pFEJci3sTnYvHek1tUn5fAp8hFd6YXfUlMNP6tDTz/402x+Mc07H3 +tnutQA== +-----END CERTIFICATE----- diff --git a/default.nix b/default.nix index 6aba02e..b5e1171 100644 --- a/default.nix +++ b/default.nix @@ -4,9 +4,11 @@ # Having pkgs default to is fine though, and it lets you use short # commands such as: # nix-build -A mypackage + +{ pkgs ? import {} }: + + { - pkgs ? import { }, -}: -{ + overlays = import ./nix/overlays; pkgs = import ./nix/pkgs { inherit pkgs; }; } diff --git a/flake.lock b/flake.lock deleted file mode 100644 index 51825f5..0000000 --- a/flake.lock +++ /dev/null 
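Review bot: The committed certificate is a self-signed CA (`X509v3 Basic Constraints: CA:TRUE`, Key Usage including `Certificate Sign, CRL Sign`, Extended Key Usage for both server and client authentication) valid until 2038, so wherever it is trusted it can vouch for any hostname, not only sat-r220-02.lab.eng.rdu2.redhat.com. The diff does not show how the file is consumed; if it is wired into the global trust store (for example via `security.pki.certificateFiles`), prefer passing it only to the tools that talk to that Katello host. Record its provenance next to the file, e.g. a one-line README or comment `Katello-generated CA for sat-r220-02, fetched <date>, fingerprint <value>` with the placeholders filled in, so a later reader can tell whether it is still the expected key. The default.nix hunk sharing this line raises no concern.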
@@ -1,1491 +0,0 @@ -{ - "nodes": { - "aphorme_launcher": { - "flake": false, - "locked": { - "lastModified": 1719922896, - "narHash": "sha256-mOtCz42NFQn+0xPF3gBX4WHfo5UEClSsJ/tF8RdFQkY=", - "owner": "Iaphetes", - "repo": "aphorme_launcher", - "rev": "c7c7ce9f91a31cced181fa501a2cad3c68035def", - "type": "github" - }, - "original": { - "owner": "Iaphetes", - "ref": "main", - "repo": "aphorme_launcher", - "type": "github" - } - }, - "colmena": { - "inputs": { - "flake-compat": "flake-compat", - "flake-utils": "flake-utils", - "nix-github-actions": "nix-github-actions", - "nixpkgs": [ - "nixpkgs" - ], - "stable": "stable" - }, - "locked": { - "lastModified": 1746816769, - "narHash": "sha256-ymQzXrfHVT8/RJiGbfrNjEeuzXQan46lUJdxEhgivdM=", - "owner": "zhaofengli", - "repo": "colmena", - "rev": "df694ee23be7ed7b2d8b42c245a640f0724eb06c", - "type": "github" - }, - "original": { - "owner": "zhaofengli", - "repo": "colmena", - "type": "github" - } - }, - "crane": { - "locked": { - "lastModified": 1733286231, - "narHash": "sha256-mlIDSv1/jqWnH8JTiOV7GMUNPCXL25+6jmD+7hdxx5o=", - "owner": "ipetkov", - "repo": "crane", - "rev": "af1556ecda8bcf305820f68ec2f9d77b41d9cc80", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixos-anywhere", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1727359191, - "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=", - "owner": "nix-community", - "repo": "disko", - "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "master", - "repo": "disko", - "type": "github" - } - }, - "espanso": { - "flake": false, - "locked": { - "lastModified": 1711840403, - "narHash": "sha256-4y5yHFfA8SmtSJVC2YleoHCUXkgqee+k9A2pRUzqzDo=", - "owner": "espanso", - "repo": "espanso", - "rev": "db97658d1d80697a635b57801696c594eacf057b", - "type": "github" - }, - "original": { - 
"owner": "espanso", - "repo": "espanso", - "rev": "db97658d1d80697a635b57801696c594eacf057b", - "type": "github" - } - }, - "fenix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "rust-analyzer-src": "rust-analyzer-src" - }, - "locked": { - "lastModified": 1733380458, - "narHash": "sha256-H+IQB6cJ7ji/YD537pcSUWlwGGJ49RoYylBonyNW9hk=", - "owner": "nix-community", - "repo": "fenix", - "rev": "08c9e4e29865b60cb81189f8e4de0dccaf297865", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "fenix", - "type": "github" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_3": { - "locked": { - "lastModified": 1717312683, - "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", - "owner": "nix-community", - "repo": "flake-compat", - "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": 
"hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": [ - "nixos-anywhere", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1726153070, - "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_3": { - "inputs": { - "nixpkgs-lib": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1722555600, - "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_4": { - "inputs": { - "nixpkgs-lib": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1743550720, - "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "c621e8422220273271f52058f618c94e405bb0f5", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_5": { - "inputs": { - "nixpkgs-lib": [ - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-utils": { - "locked": { - "lastModified": 1659877975, - "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", - "owner": "numtide", - "repo": "flake-utils", - "rev": 
"c0e246b9b83f637f4681389ecabcb2681b4f3af0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_10": { - "inputs": { - "systems": "systems_6" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_5": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - 
"flake-utils_6": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_7": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_8": { - "inputs": { - "systems": "systems_3" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_9": { - "inputs": { - "systems": "systems_4" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "get-flake": { - "locked": { - "lastModified": 1714237590, - "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", - "owner": "ursi", - "repo": "get-flake", - "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "ixx": { - "inputs": { - "flake-utils": [ - "nixvim", - "nuschtosSearch", - "flake-utils" - ], - "nixpkgs": [ - "nixvim", - "nuschtosSearch", - "nixpkgs" - ] - }, - "locked": { - 
"lastModified": 1737371634, - "narHash": "sha256-fTVAWzT1UMm1lT+YxHuVPtH+DATrhYfea3B0MxG/cGw=", - "owner": "NuschtOS", - "repo": "ixx", - "rev": "a1176e2a10ce745ff8f63e4af124ece8fe0b1648", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "ref": "v0.0.7", - "repo": "ixx", - "type": "github" - } - }, - "jay": { - "flake": false, - "locked": { - "lastModified": 1732789238, - "narHash": "sha256-Yc87dku8r8m7YeVT9VBwfXYPdEfQbb8JKWbOMts6VqY=", - "owner": "mahkoh", - "repo": "jay", - "rev": "558fe3d3cef435108c7d31f9b3503263a14d38b0", - "type": "github" - }, - "original": { - "owner": "mahkoh", - "repo": "jay", - "type": "github" - } - }, - "lib-aggregate": { - "inputs": { - "flake-utils": "flake-utils_8", - "nixpkgs-lib": "nixpkgs-lib_2" - }, - "locked": { - "lastModified": 1733055216, - "narHash": "sha256-yB2y7tGJxDI/SDQ0D7b6ocRtLTPm93u8ybdIKQGXRDE=", - "owner": "nix-community", - "repo": "lib-aggregate", - "rev": "f67bf0781c69a46bf3a1469f83c98518aa3054c3", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lib-aggregate", - "type": "github" - } - }, - "nix-eval-jobs": { - "inputs": { - "flake-parts": "flake-parts_3", - "nix-github-actions": "nix-github-actions_2", - "nixpkgs": "nixpkgs_4", - "treefmt-nix": "treefmt-nix_2" - }, - "locked": { - "lastModified": 1732631228, - "narHash": "sha256-/7Wyhp00yecUMPNz79gGZpjos8OLHqOfdiWWIQfZA1M=", - "owner": "nix-community", - "repo": "nix-eval-jobs", - "rev": "8f56354b794624689851b2d86c2ce0209cc8f0cf", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-eval-jobs", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "colmena", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1729742964, - "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", - "type": "github" - }, - "original": { - "owner": 
"nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-github-actions_2": { - "inputs": { - "nixpkgs": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1731952509, - "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "7b5f051df789b6b20d259924d349a9ba3319b226", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, - "nix-vscode-extensions": { - "inputs": { - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1740852064, - "narHash": "sha256-A2zUu1n8Bg505s/GUIYUSQFLmYJAvx/01A2OkGAkevk=", - "owner": "nix-community", - "repo": "nix-vscode-extensions", - "rev": "1b34da949d188b205b4132c2b726415fa19d5086", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-vscode-extensions", - "type": "github" - } - }, - "nix4vscode": { - "inputs": { - "nixpkgs": "nixpkgs_2", - "rust-overlay": "rust-overlay", - "systems": "systems_2" - }, - "locked": { - "lastModified": 1733089477, - "narHash": "sha256-G08QoIxpJlnP9PiUdo2ypmKOrgodwVD6pWEa/8CaDOE=", - "owner": "nix-community", - "repo": "nix4vscode", - "rev": "60f266d2584461611a9e91ad44bbda5c1b0f91f8", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix4vscode", - "type": "github" - } - }, - "nixago": { - "inputs": { - "flake-utils": "flake-utils_3", - "nixago-exts": "nixago-exts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1714086354, - "narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", - "owner": "jmgilman", - "repo": "nixago", - "rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", - "type": "github" - }, - "original": { - "owner": "jmgilman", - "repo": "nixago", - "type": "github" - } - }, - "nixago-exts": { - "inputs": { - 
"flake-utils": "flake-utils_4", - "nixago": "nixago_2", - "nixpkgs": [ - "nixago", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1676070308, - "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", - "owner": "nix-community", - "repo": "nixago-extensions", - "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago-extensions", - "type": "github" - } - }, - "nixago-exts_2": { - "inputs": { - "flake-utils": "flake-utils_6", - "nixago": "nixago_3", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixago", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1655508669, - "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", - "owner": "nix-community", - "repo": "nixago-extensions", - "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago-extensions", - "type": "github" - } - }, - "nixago_2": { - "inputs": { - "flake-utils": "flake-utils_5", - "nixago-exts": "nixago-exts_2", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1676070010, - "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", - "owner": "nix-community", - "repo": "nixago", - "rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "rename-config-data", - "repo": "nixago", - "type": "github" - } - }, - "nixago_3": { - "inputs": { - "flake-utils": "flake-utils_7", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixago", - "nixago-exts", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1655405483, - "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", - "owner": "nix-community", - "repo": "nixago", - "rev": "e6a9566c18063db5b120e69e048d3627414e327d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago", - "type": "github" - } - }, - 
"nixos-anywhere": { - "inputs": { - "disko": "disko", - "flake-parts": "flake-parts_2", - "nixos-images": "nixos-images", - "nixos-stable": "nixos-stable", - "nixpkgs": [ - "nixpkgs" - ], - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1733093391, - "narHash": "sha256-tktgkyaBCJDJs0qVyREpETTcpDY7FZbnDurTAM9jIOE=", - "owner": "numtide", - "repo": "nixos-anywhere", - "rev": "9ba099b2ead073e0801b863c880be03a981f2dd1", - "type": "github" - }, - "original": { - "owner": "numtide", - "ref": "main", - "repo": "nixos-anywhere", - "type": "github" - } - }, - "nixos-images": { - "inputs": { - "nixos-stable": [ - "nixos-anywhere", - "nixos-stable" - ], - "nixos-unstable": [ - "nixos-anywhere", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1727367213, - "narHash": "sha256-7O4pi8MmcJpA0nYUQkdolvKGyu6zNjf2gFYD1Q0xppc=", - "owner": "nix-community", - "repo": "nixos-images", - "rev": "3e7978bab153f39f3fc329ad346d35a8871420f7", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-images", - "type": "github" - } - }, - "nixos-stable": { - "locked": { - "lastModified": 1727264057, - "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1740547748, - "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "3a05eebede89661660945da1f151959900903b6a", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2211": { - "locked": { - "lastModified": 1688392541, - "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": 
"ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2411": { - "locked": { - "lastModified": 1733261153, - "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "b681065d0919f7eb5309a93cea2cfa84dec9aa88", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2505": { - "locked": { - "lastModified": 1747953325, - "narHash": "sha256-y2ZtlIlNTuVJUZCqzZAhIw5rrKP4DOSklev6c8PyCkQ=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "55d1f923c480dadce40f5231feb472e81b0bab48", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-gimp": { - "locked": { - "lastModified": 1735507908, - "narHash": "sha256-VA+khC0S0di6w5Yv1kBNRpAihnt2prT/ehQzsKMhEoA=", - "owner": "jtojnar", - "repo": "nixpkgs", - "rev": "771cf18187fefcfaababd35834917c621447fee8", - "type": "github" - }, - "original": { - "owner": "jtojnar", - "ref": "gimp-meson", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1733096140, - "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - } - }, - "nixpkgs-lib_2": { - "locked": { - "lastModified": 1733015484, - "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - 
"type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1739446958, - "narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "2ff53fe64443980e139eaa286017f53f88336dd0", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-vscodium": { - "locked": { - "lastModified": 1733212471, - "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-wayland": { - "inputs": { - "flake-compat": "flake-compat_3", - "lib-aggregate": "lib-aggregate", - "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": "nixpkgs_5" - }, - "locked": { - "lastModified": 1733388169, - "narHash": "sha256-WCfVVHIuxnz4O7O9BY76apUkA//ujG7rqkjAWCw0ujY=", - "owner": "nix-community", - "repo": "nixpkgs-wayland", - "rev": "fe88399ae2d22a5381c65a51f8e5a0e4f2e7a38b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs-wayland", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1722421184, - "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1722415718, - "narHash": "sha256-5US0/pgxbMksF92k1+eOa8arJTJiPvsdZj9Dl+vJkM4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c3392ad349a5227f4a3464dce87bcc5046692fce", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, 
- "nixpkgs_4": { - "locked": { - "lastModified": 1732238832, - "narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "8edf06bea5bcbee082df1b7369ff973b91618b8d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1733212471, - "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixvim": { - "inputs": { - "flake-parts": "flake-parts_4", - "nixpkgs": [ - "nixpkgs" - ], - "nuschtosSearch": "nuschtosSearch", - "systems": "systems_5" - }, - "locked": { - "lastModified": 1748175278, - "narHash": "sha256-nXrZ25veLlj1WwVblFO28oHSOabjORGn8YLQ/9OtuSA=", - "owner": "nix-community", - "repo": "nixvim", - "rev": "f54941e333ea2afd0b03ba09f5cb90bb1c6f8130", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixvim", - "type": "github" - } - }, - "nur": { - "inputs": { - "flake-parts": "flake-parts_5", - "nixpkgs": [ - "nixpkgs" - ], - "treefmt-nix": "treefmt-nix_3" - }, - "locked": { - "lastModified": 1737225765, - "narHash": "sha256-wyJcROV/d6POpZRlfk79EWsRHZH0iP6aC5uhmM1cH98=", - "owner": "nix-community", - "repo": "NUR", - "rev": "7c2500d3cc3a1d4f51493ba208721ea7c2a4380f", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "NUR", - "type": "github" - } - }, - "nuschtosSearch": { - "inputs": { - "flake-utils": "flake-utils_9", - "ixx": "ixx", - "nixpkgs": [ - "nixvim", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1745046075, - "narHash": "sha256-8v4y6k16Ra/fiecb4DxhsoOGtzLKgKlS+9/XJ9z0T2I=", - "owner": "NuschtOS", - "repo": "search", - "rev": 
"066afe8643274470f4a294442aadd988356a478f", - "type": "github" - }, - "original": { - "owner": "NuschtOS", - "repo": "search", - "type": "github" - } - }, - "ofi-pass": { - "flake": false, - "locked": { - "lastModified": 1723412133, - "narHash": "sha256-rOVbz4v1+DHPJMvRtxdOFWdOHlaxI7G2vm0bgEV/0Cg=", - "owner": "sereinity", - "repo": "ofi-pass", - "rev": "2b6aa6a3fc0504e63df4ac3449e0065a1a4d19d0", - "type": "github" - }, - "original": { - "owner": "sereinity", - "repo": "ofi-pass", - "type": "github" - } - }, - "openvscode-server": { - "flake": false, - "locked": { - "lastModified": 1714076069, - "narHash": "sha256-Yc16L13Z8AmsGoSFbvy+4+KBdHxvqLMwZLeU2/dAQVU=", - "owner": "gitpod-io", - "repo": "openvscode-server", - "rev": "7920868fc0c6f4e584cca7791c71d300f2bc3a56", - "type": "github" - }, - "original": { - "owner": "gitpod-io", - "ref": "openvscode-server-v1.88.1", - "repo": "openvscode-server", - "type": "github" - } - }, - "prs": { - "flake": false, - "locked": { - "lastModified": 1719086486, - "narHash": "sha256-YQYiN1T7YHYQYv6GoRNdi7Jq93+U+ydoF64tZxuVW+0=", - "owner": "timvisee", - "repo": "prs", - "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", - "type": "gitlab" - }, - "original": { - "owner": "timvisee", - "repo": "prs", - "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", - "type": "gitlab" - } - }, - "root": { - "inputs": { - "aphorme_launcher": "aphorme_launcher", - "colmena": "colmena", - "crane": "crane", - "disko": [ - "nixos-anywhere", - "disko" - ], - "espanso": "espanso", - "fenix": "fenix", - "flake-parts": "flake-parts", - "get-flake": "get-flake", - "jay": "jay", - "nix-vscode-extensions": "nix-vscode-extensions", - "nix4vscode": "nix4vscode", - "nixago": "nixago", - "nixos-anywhere": "nixos-anywhere", - "nixpkgs": [ - "nixpkgs-2505" - ], - "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-2411": "nixpkgs-2411", - "nixpkgs-2505": "nixpkgs-2505", - "nixpkgs-gimp": "nixpkgs-gimp", - "nixpkgs-unstable": "nixpkgs-unstable", - "nixpkgs-vscodium": 
"nixpkgs-vscodium", - "nixpkgs-wayland": "nixpkgs-wayland", - "nixvim": "nixvim", - "nur": "nur", - "ofi-pass": "ofi-pass", - "openvscode-server": "openvscode-server", - "prs": "prs", - "radicalePkgs": [ - "nixpkgs-2211" - ], - "rperf": "rperf", - "sops-nix": "sops-nix", - "srvos": "srvos", - "treefmt-nix": "treefmt-nix_4", - "yofi": "yofi" - } - }, - "rperf": { - "flake": false, - "locked": { - "lastModified": 1712257145, - "narHash": "sha256-IMHpJWGja69nTwF9JJOaOZeC5zxzXGanSShompQfBJE=", - "owner": "steveej-forks", - "repo": "rperf", - "rev": "ec7e1fb3a776fce09ca7c497e1d1962c56ef3785", - "type": "github" - }, - "original": { - "owner": "steveej-forks", - "repo": "rperf", - "type": "github" - } - }, - "rust-analyzer-src": { - "flake": false, - "locked": { - "lastModified": 1733330394, - "narHash": "sha256-1jwtAQYtErSsfkEQFvZJ9wJBrLGltzlvZKZzPXhpfpE=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "f499faf72bcd2abbfbf3d7171e5191100547a3df", - "type": "github" - }, - "original": { - "owner": "rust-lang", - "ref": "nightly", - "repo": "rust-analyzer", - "type": "github" - } - }, - "rust-overlay": { - "inputs": { - "nixpkgs": "nixpkgs_3" - }, - "locked": { - "lastModified": 1722565199, - "narHash": "sha256-2eek4vZKsYg8jip2WQWvAOGMMboQ40DIrllpsI6AlU4=", - "owner": "oxalica", - "repo": "rust-overlay", - "rev": "a9cd2009fb2eeacfea785b45bdbbc33612bba1f1", - "type": "github" - }, - "original": { - "owner": "oxalica", - "repo": "rust-overlay", - "type": "github" - } - }, - "sops-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733128155, - "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", - "owner": "Mic92", - "repo": "sops-nix", - "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", - "type": "github" - }, - "original": { - "owner": "Mic92", - "repo": "sops-nix", - "type": "github" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733365027, - 
"narHash": "sha256-Vl0pOGckECuFoMbiotwj65jjoFE8Mc2yUXNIllttxkI=", - "owner": "numtide", - "repo": "srvos", - "rev": "6047d415ca8dc7eae73dd17c832f7dc08ad544f4", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - }, - "stable": { - "locked": { - "lastModified": 1746557022, - "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_3": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_4": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - 
"systems_5": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_6": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nixos-anywhere", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1727252110, - "narHash": "sha256-3O7RWiXpvqBcCl84Mvqa8dXudZ1Bol1ubNdSmQt7nF4=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "1bff2ba6ec22bc90e9ad3f7e94cca0d37870afa3", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_2": { - "inputs": { - "nixpkgs": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1723303070, - "narHash": "sha256-krGNVA30yptyRonohQ+i9cnK+CfCpedg6z3qzqVJcTs=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "14c092e0326de759e16b37535161b3cb9770cea3", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_3": { - "inputs": { - "nixpkgs": [ - "nur", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1733222881, - "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "49717b5af6f80172275d47a418c9719a31a78b53", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "treefmt-nix_4": { - "inputs": { - "nixpkgs": [ - 
"nixpkgs" - ] - }, - "locked": { - "lastModified": 1738953846, - "narHash": "sha256-yrK3Hjcr8F7qS/j2F+r7C7o010eVWWlm4T1PrbKBOxQ=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "4f09b473c936d41582dd744e19f34ec27592c5fd", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, - "yofi": { - "inputs": { - "flake-utils": "flake-utils_10", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1725018627, - "narHash": "sha256-uBEU/aKl9jlJ8vIK556TaqSBEHx6/t6AE4fbt/AoRfA=", - "owner": "l4l", - "repo": "yofi", - "rev": "09901e75cbdf2147553ab888adde480e57baa0d1", - "type": "github" - }, - "original": { - "owner": "l4l", - "ref": "master", - "repo": "yofi", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/flake.nix b/flake.nix deleted file mode 100644 index c68eef7..0000000 --- a/flake.nix +++ /dev/null 
@@ -1,388 +0,0 @@ -# flake.nix -{ - inputs = { - # TODO: where has this been used? - # dotfiles = { - # url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git"; - # flake = false; - # }; - - # flake and infra basics - nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; - radicalePkgs.follows = "nixpkgs-2211"; - nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11"; - nixpkgs-2505.url = "github:nixos/nixpkgs/nixos-25.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - nixpkgs.follows = "nixpkgs-2505"; - flake-parts.url = "github:hercules-ci/flake-parts"; - get-flake.url = "github:ursi/get-flake"; - - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - nixos-anywhere.url = "github:numtide/nixos-anywhere/main"; - nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs"; - disko.follows = "nixos-anywhere/disko"; - - nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland"; - - nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions"; - nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable"; - - # needs to be in sync with `vscodium --version` from `nixpkgs-vscodium` - openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1"; - openvscode-server.flake = false; - - colmena = { - url = "github:zhaofengli/colmena"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - # libraries for building applications - fenix = { - url = "github:nix-community/fenix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - crane.url = "github:ipetkov/crane"; - - sops-nix = { - url = "github:Mic92/sops-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - # applications - aphorme_launcher = { - url = "github:Iaphetes/aphorme_launcher/main"; - flake = false; - }; - - yofi = { - url = "github:l4l/yofi/master"; - flake = true; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - ofi-pass = { - url = "github:sereinity/ofi-pass"; - flake = false; - }; - - jay = { - url = "github:mahkoh/jay"; - flake = 
false; - }; - - prs = { - # url = "gitlab:timvisee/prs/v0.5.2"; - url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973"; - flake = false; - }; - - rperf = { - url = "github:steveej-forks/rperf"; - flake = false; - }; - - # nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage"; - - espanso = { - flake = false; - url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b"; - }; - - nix4vscode = { - url = "github:nix-community/nix4vscode"; - # inputs.nixpkgs.follows = "nixpkgs"; - }; - nixvim = { - # TODO: pin to nixos-24.11 once available - url = "github:nix-community/nixvim"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - treefmt-nix = { - url = "github:numtide/treefmt-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixago = { - url = "github:jmgilman/nixago"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nur = { - url = "github:nix-community/NUR"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson"; - }; - - outputs = - inputs@{ - self, - flake-parts, - nixpkgs, - ... - }: - let - inherit (nixpkgs) lib; - - systems = [ - "x86_64-linux" - "aarch64-linux" - ]; - in - flake-parts.lib.mkFlake { inherit inputs; } ( - { withSystem, ... 
}: - { - flake.colmenaHive = inputs.colmena.lib.makeHive ( - lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) - { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } - # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import - # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 - ( - builtins.map - ( - nodeName: - import ./nix/os/devices/${nodeName} { - inherit nodeName; - repoFlake = self; - repoFlakeWithSystem = withSystem; - nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}"); - } - ) - [ - "steveej-t14" - "steveej-x13s" - "steveej-x13s-rmvbl" - "elias-e525" - # "justyna-p300" - - # "srv0-dmz0" - # "router0-dmz0" - "router0-ifog" - "router0-hosthatch" - - "sj-srv1" - ] - ) - ); - - flake.lib = { - inherit withSystem; - - prsFn = - { - lib, - prs, - skim, - rustPlatform, - makeWrapper, - }: - - prs.overrideAttrs (attrs: rec { - pname = "prs"; - - src = self.inputs.prs; - version = self.inputs.prs.shortRev; - - nativeBuildInputs = attrs.nativeBuildInputs ++ [ - makeWrapper - ]; - - cargoDeps = rustPlatform.fetchCargoVendor { - inherit src; - hash = "sha256-6kCqrwcHFy7cEl2JM+CzTWDM9abepumzdcJLq1ChzUk="; - }; - - postFixup = '' - wrapProgram $out/bin/prs \ - --prefix PATH : ${lib.makeBinPath [ skim ]} - ''; - }); - }; - - # this makes nixos-anywhere work - flake.nixosConfigurations = - let - colmenaHiveNodes = self.outputs.colmenaHive.nodes; - router0-dmz0 = (inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations; - in - colmenaHiveNodes - // { - router0-dmz0 = router0-dmz0.native; - - # for now deploy directly with: - # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 - router0-dmz0_cross = router0-dmz0.cross; - - steveej-x13s_cross = - (inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross; - steveej-x13s-rmvbl_cross = 
- (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; - }; - - inherit systems; - - perSystem = - { - self', - inputs', - system, - config, - lib, - pkgs, - ... - }: - { - imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; - - packages = - let - dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { }; - - craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; - - craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; - - local-xwayland = pkgs.writeShellScriptBin "local-xwayland" '' - set -x - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=0 \ - # --x-unscale=3 \ - --verbose - ''; - in - { - dcpj4110dwDriver = dcpj4110dw.driver; - dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - - inherit (inputs'.colmena.packages) colmena; - - nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; - - ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' - set -x - pkill -9 wayland-proxy-v - export NIXOS_OZONE_WL="" - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=3 \ - & - # --x-unscale=3 \ - #--verbose \ - - export PROXYPID="$!" 
- - trap "kill -9 \$PROXYPID" EXIT - # trap "pkill -9 wayland-proxy-v" EXIT - - env \ - WAYLAND_DISPLAY=wayland-3 \ - DISPLAY=:3 \ - ledger-live-desktop - ''; - - syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' - ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 - ''; - - rperf = craneLib.buildPackage { - src = inputs.rperf; - nativeBuildInputs = [ pkgs.pkg-config ]; - buildInputs = [ ]; - }; - - inherit local-xwayland; - - inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp; - - }; - - formatter = - let - settingsNix = { - projectRootFile = ".git/config"; - - package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2; - - programs = { - nixfmt.enable = true; - deadnix.enable = true; - statix.enable = true; - - shfmt.enable = true; - shellcheck.enable = true; - - prettier.enable = true; - just = { - enable = true; - includes = [ - "*/Justfile" - "Justfile" - ]; - }; - } // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; }; - - settings = { - global.excludes = [ - "LICENSE" - "secrets/" - ".git-crypt/" - - # unsupported extensions - "*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}" - ]; - - formatter = { - deadnix = { - priority = 1; - options = [ "--no-underscore" ]; - }; - - nixfmt = { - priority = 2; - }; - - statix = { - priority = 3; - }; - - prettier = { - options = [ - "--tab-width" - "2" - ]; - includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ]; - }; - }; - }; - }; - eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix; - in - eval.config.build.wrapper.overrideAttrs (_: { - passthru = { - inherit (eval.config) package settings; - }; - }); - - devShells = - let - all = import ./nix/devShells.nix { - inherit - self - self' - inputs' - pkgs - ; - }; - in - all - // { - default = all.develop; - }; - }; - } - ); -} 
diff --git a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw deleted file mode 100644 index ea5b5b8..0000000 Binary files a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw and /dev/null differ diff --git a/nix/container-images/build.sh b/nix/container-images/build.sh index 1025cb4..6cfab1a 100755 --- a/nix/container-images/build.sh +++ b/nix/container-images/build.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash set -xe -[ -n "$NAME" ] +[ ! -z "$NAME" ] nix-build . --show-trace -A "$NAME" -docker image rm "$NAME":latest --force +docker image rm "$NAME":latest --force docker load -i result diff --git a/nix/container-images/default.nix b/nix/container-images/default.nix index 67f516d..e6d6f0b 100644 --- a/nix/container-images/default.nix +++ b/nix/container-images/default.nix @@ -1,10 +1,14 @@ -{ - pkgs ? import { }, +{ pkgs ? import {} }: + let - baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; -in -rec { + baseEnv = [ + "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" + ]; + + +in rec { + base = pkgs.dockerTools.buildImage rec { name = "base"; 
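Review bot: `[ ! -z "$NAME" ]` on the new side is the double-negated spelling of the test the old side already had; `[ -n "$NAME" ]` states the same condition directly and is the form shellcheck (SC2236) asks for. The replacement `docker image rm "$NAME":latest --force` line also picks up a trailing space the old line did not have. Because the script runs under `set -xe`, an unset NAME aborts the script either way, so this is wording only: `[ -n "$NAME" ]`.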
@@ -37,52 +41,50 @@ rec { }; }; - s3ql = - let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} + s3ql = let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} - if [ -z "$S3QL_BUCKET" ]; then - echo S3QL_BUCKET not set - exit 1 - fi + if [ -z "$S3QL_BUCKET" ]; then + echo S3QL_BUCKET not set + exit 1 + fi - if [ -z "$S3QL_STORAGE_URL" ]; then - echo S3QL_STORAGE_URL not set - exit 1 - fi + if [ -z "$S3QL_STORAGE_URL" ]; then + echo S3QL_STORAGE_URL not set + exit 1 + fi - if [ -z "$S3QL_CACHESIZE" ]; then - echo S3QL_CACHESIZE not set - exit 1 - fi + if [ -z "$S3QL_CACHESIZE" ]; then + echo S3QL_CACHESIZE not set + exit 1 + fi - set -x + set -x - if [ "$S3QL_SKIP_FSCK" != "1" ]; then - fsck.s3ql \ - --authfile $S3QL_AUTHINFO2 \ - --log none \ - --cachedir $S3QL_CACHE_DIR \ - $S3QL_STORAGE_URL - fi - - exec mount.s3ql \ - --cachedir "$S3QL_CACHE_DIR" \ - --authfile "$S3QL_AUTHINFO2" \ - --cachesize "$S3QL_CACHESIZE" \ - --fg \ - --compress lzma-6 \ - --threads 4 \ + if [ "$S3QL_SKIP_FSCK" != "1" ]; then + fsck.s3ql \ + --authfile $S3QL_AUTHINFO2 \ --log none \ - --allow-root \ - "$S3QL_STORAGE_URL" \ - /bucket + --cachedir $S3QL_CACHE_DIR \ + $S3QL_STORAGE_URL + fi - # FIXME: touch .isbucket after mount - ''; - in - pkgs.dockerTools.buildImage { + exec mount.s3ql \ + --cachedir "$S3QL_CACHE_DIR" \ + --authfile "$S3QL_AUTHINFO2" \ + --cachesize "$S3QL_CACHESIZE" \ + --fg \ + --compress lzma-6 \ + --threads 4 \ + --log none \ + --allow-root \ + "$S3QL_STORAGE_URL" \ + /bucket + + # FIXME: touch .isbucket after mount + ''; + in pkgs.dockerTools.buildImage { name = "s3ql"; fromImage = interactive_base; contents = [ @@ -93,11 +95,11 @@ rec { runAsRoot = '' #!${pkgs.stdenv.shell} mkdir -p /usr/bin - cp -a ${pkgs.fuse}/bin/fusermount /usr/bin + cp -a ${pkgs.fuse}/bin/fusermount /usr/bin chmod +s /usr/bin/fusermount echo user_allow_other >> /etc/fuse.conf ''; - + config = { Env = baseEnv ++ [ "HOME=/home/s3ql" 
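Review bot: In the s3ql entrypoint the `fsck.s3ql` call passes `$S3QL_AUTHINFO2`, `$S3QL_CACHE_DIR` and `$S3QL_STORAGE_URL` unquoted while the `exec mount.s3ql` call a few lines below quotes the very same variables, and neither `S3QL_AUTHINFO2` nor `S3QL_CACHE_DIR` gets the "not set" guard that `S3QL_BUCKET`, `S3QL_STORAGE_URL` and `S3QL_CACHESIZE` get. With an empty `S3QL_AUTHINFO2` the unquoted form makes `--authfile` swallow the following argument, and a cache path or storage URL containing whitespace is word-split before fsck sees it. Suggest the same guard for both, `if [ -z "$S3QL_AUTHINFO2" ]; then echo S3QL_AUTHINFO2 not set; exit 1; fi` (likewise for `S3QL_CACHE_DIR`), and quoting the three fsck arguments as `--authfile "$S3QL_AUTHINFO2" --cachedir "$S3QL_CACHE_DIR" "$S3QL_STORAGE_URL"`. `S3QL_BUCKET` is checked but not referenced anywhere in the visible script, so the guard may be guarding a variable nothing reads. These lines are only re-indented by this commit, so the issue predates it.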
@@ -107,49 +109,49 @@ rec { ]; Cmd = [ entrypoint ]; Volumes = { - "/var/cache/s3ql" = { }; - "/etc/s3ql/authinfo2" = { }; - "/buckets" = { }; - "/tmp" = { }; - }; + "/var/cache/s3ql" = {}; + "/etc/s3ql/authinfo2" = {}; + "/buckets" = {}; + "/tmp" = {}; }; }; + }; - syncthing = - let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} - set -x - if [ ! -e /data/.isbucket ]; then - echo ERROR: Bucket not mounted at /data - exit 1 - fi + syncthing = let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} + set -x + if [ ! -e /data/.isbucket ]; then + echo ERROR: Bucket not mounted at /data + exit 1 + fi - if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then - echo ERROR: SYNCTHING_GUI_ADDRESS is not set - exit 1 - fi + if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then + echo ERROR: SYNCTHING_GUI_ADDRESS is not set + exit 1 + fi - if [ ! -w "$SYNCTHING_HOME" ]; then - echo ERROR : SYNCTHING_HOME is not writable - fi + if [ ! -w "$SYNCTHING_HOME" ]; then + echo ERROR : SYNCTHING_HOME is not writable + fi - exec syncthing \ - -home $SYNCTHING_HOME \ - -gui-address=$SYNCTHING_GUI_ADDRESS \ - -no-browser - ''; - in - pkgs.dockerTools.buildImage { + exec syncthing \ + -home $SYNCTHING_HOME \ + -gui-address=$SYNCTHING_GUI_ADDRESS \ + -no-browser + ''; + in pkgs.dockerTools.buildImage { name = "syncthing"; fromImage = interactive_base; contents = pkgs.syncthing; - + config = { - Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; + Env = baseEnv ++ [ + "SYNCTHING_HOME=/home/syncthing" + ]; Cmd = [ entrypoint ]; Volumes = { - "/data" = { }; + "/data" = {}; }; }; }; diff --git a/nix/default.nix b/nix/default.nix index f8947e0..2512b43 100644 --- a/nix/default.nix +++ b/nix/default.nix 
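Review bot: The `SYNCTHING_HOME` writability check in the syncthing entrypoint only echoes `ERROR : SYNCTHING_HOME is not writable` and then falls through to `exec syncthing`, whereas the two checks above it `exit 1`; add `exit 1` inside that `if` so an unwritable home fails the container instead of starting syncthing against it. The `exec syncthing` line also passes `$SYNCTHING_HOME` and `$SYNCTHING_GUI_ADDRESS` unquoted, so a value with whitespace is split into several arguments; `-home "$SYNCTHING_HOME" -gui-address="$SYNCTHING_GUI_ADDRESS"` is the safe form. Both points are in lines this commit merely re-indents, so they are pre-existing.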
@@ -1,33 +1,26 @@ { versionsPath }: + let - channelVersions = import versionsPath; - mkChannelSource = - name: + channelVersions = (import versionsPath); + mkChannelSource = name: let channelVersion = builtins.getAttr name channelVersions; - in - builtins.fetchGit { + in builtins.fetchGit { # Descriptive name to make the store path easier to identify inherit name; inherit (channelVersion) url ref rev; - }; - nixPath = builtins.concatStringsSep ":" ( - builtins.map ( - elemName: - let - elem = builtins.getAttr elemName channelVersions; - elemPath = mkChannelSource elemName; - suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; - in - builtins.concatStringsSep "=" [ - elemName - elemPath - ] - + suffix - ) (builtins.attrNames channelVersions) - ); - pkgs = import (mkChannelSource "nixpkgs") { }; + }; + nixPath = builtins.foldl' (path: elemName: + let + elem = builtins.getAttr elemName channelVersions; + elemPath = (mkChannelSource elemName); + suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; + in + path + ":" + builtins.concatStringsSep "=" [ elemName elemPath ] + suffix + ) "" (builtins.attrNames channelVersions); + pkgs = import (mkChannelSource "nixpkgs") {}; in + { inherit nixPath; channelSources = pkgs.writeText "channels.rc" '' diff --git a/nix/devShells.nix b/nix/devShells.nix deleted file mode 100644 index fc4b55e..0000000 --- a/nix/devShells.nix +++ /dev/null 
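Review bot: The new `builtins.foldl'` form of `nixPath` starts the accumulator at `""` and prepends `":"` to every element, so the resulting string begins with a colon, i.e. an empty first search-path entry, which the old `concatStringsSep ":"` form did not produce. Whether Nix ignores an empty NIX_PATH entry or resolves it relative to the working directory is not something to rely on, since this string is what `<name>` lookups in the channel setup are resolved against. The one-line fix inside the fold body is `(if path == "" then "" else path + ":") + builtins.concatStringsSep "=" [ elemName elemPath ] + suffix`. `channelSources` begins on the hunk's last line and continues outside it.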
@@ -1,105 +0,0 @@ -{ - self, - self', - inputs', - pkgs, -}: -{ - install = pkgs.mkShell { - name = "infra-install"; - packages = with pkgs; [ - nixos-install-tools - inputs'.disko.packages.disko - just - git - git-crypt - gnupg - ]; - }; - - develop = pkgs.mkShell { - name = "infra-develop"; - inputsFrom = [ self'.devShells.install ]; - packages = with pkgs; [ - self'.formatter # .package - inputs'.colmena.packages.colmena - dconf2nix - inputs'.nixos-anywhere.packages.nixos-anywhere - nurl - vcsh - ripgrep - # pass - age - age-plugin-yubikey - ssh-to-age - yubico-piv-tool - inputs'.sops-nix.packages.default - sops - nil - nix-index - - apacheHttpd - - # vncdo - # tesseract - # imagemagick - - # lm_sensors - - # nmap - # sysstat - # lshw - # xxHash - # linssid - # wavemon - # wirelesstools - - # zathura - # xorg.xwininfo - # glxinfo - # autorandr - # arandr - # playerctl - # x11docker - # fwupd - - # ntfy - # hedgedoc-cli - - xwayland - pulsemixer - - (pkgs.writeShellScriptBin "rflk" '' - exec nix run nixpkgs#$@ - '') - - (pkgs.writeShellScriptBin "r11" '' - exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@ - '') - - jq - yq - wireguard-tools - - screen - - inputs'.nixpkgs-unstable.legacyPackages.kanidm - - (flameshot.override { enableWlrSupport = true; }) - ]; - - # Set Environment Variables - RUST_BACKTRACE = 1; - - KANIDM_URL = - self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin; - - shellHook = builtins.concatStringsSep "\n" [ - # (self.inputs.nixago.lib.${pkgs.system}.make { - # data = self'.formatter.settings; - # output = "treefmt.toml"; - # format = "toml"; - # }).shellHook - ]; - }; -} diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index a4ab582..e368858 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix 
@@ -1,102 +1,89 @@ -{ - pkgs, - lib, - config, - # these come in via home-manager.extraSpecialArgs and are specific to each node - nodeFlake, - repoFlake, - ... -}: +{ pkgs }: + let - pkgsUnstable = - pkgs.pkgsUnstable - or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; }); + zshCurried = import ../programs/zsh.nix { inherit pkgs; }; in -{ + +{ pkgs +, config +, ... }: + +let + # gitpkgs = import /home/steveej/src/github/NixOS/nixpkgs {}; + unstablepkgs = import { config = config.nixpkgs.config; }; + masterpkgs = import { config = config.nixpkgs.config; }; + +in { imports = [ ../profiles/common.nix - # ../profiles/dotfiles.nix - # FIXME: fix homeshick when no WAN connection is available - # ../programs/homeshick.nix - - # ../profiles/gnome-desktop.nix - # ../profiles/experimental-desktop.nix - - ../programs/redshift.nix - - ../programs/gpg-agent.nix - ../programs/pass.nix - - ../programs/espanso.nix - + ../profiles/qtile-desktop.nix + ../profiles/dotfiles.nix ../programs/firefox.nix ../programs/chromium.nix - + # FIXME: fix homeshick when no WAN connection is available + # ../programs/homeshick.nix ../programs/libreoffice.nix ../programs/neovim.nix + ../programs/pass.nix + zshCurried + ../programs/podman.nix ../programs/vscode - { home.packages = [ pkgsUnstable.markdown-oxide ]; } ]; - home.sessionVariables.HM_CONFIG = "graphical-fullblown"; - home.sessionVariables.GOPATH = "$HOME/src/go"; - home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ - "$HOME/.local/bin" - "$PATH" - ]; + nixpkgs.config = { + pidgin = { + openssl = true; + gnutls = true; + }; - nixpkgs.config.allowInsecurePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "electron-28.3.3" - "electron-27.3.11" + packageOverrides = pkgs: with pkgs; { + }; + }; + + home.sessionVariables = { + # TODO: find a way to prevent using a store path for the current file + # HM_CONFIG_PATH=builtins.toString "${./.}"; + HM_CONFIG="graphical-fullblown"; + + 
GOPATH="$HOME/src/go"; + + PATH=pkgs.lib.concatStringsSep ":" [ + "$HOME/.local/bin" + "$PATH" ]; + }; - nixpkgs.config.permittedInsecurePackages = [ - "electron-28.3.3" - "electron-27.3.11" - ]; - - nixpkgs.config.allowUnfree = [ - "electron-28.3.3" - "electron-27.3.11" - ]; - - # nixpkgs.config.allowUnfreePredicate = pkg: - # builtins.elem (lib.getName pkg) [ - # "smartgithg" - # "electron-27.3.11" - # ]; - - home.packages = - (with pkgs; [ + home.packages = [] + ++ (with pkgs; [ # Authentication - # cacert - # fprintd - # openssl - # mkpasswd + cacert + fprintd + openssl + mkpasswd # Nix package related tools patchelf - # nix-index + nix-index + nox nix-prefetch-scripts - nix-tree + nix-prefetch-github # Version Control Systems - gitFull - # gitless + pijul + gitless gitRepo git-lfs # Process/System Administration htop - # gnome.gnome-tweaks + gnome3.gnome-tweak-tool xorg.xhost dmidecode evtest # Archive Managers - sshfs-fuse + sshfsFuse + xarchive p7zip zip unzip 
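Review bot: The new header turns the file into a function `{ pkgs }:` that returns a second function `{ pkgs, config, ... }:`, and the inner `pkgs` shadows the outer one; `zshCurried` is therefore built from whichever `pkgs` the outer call supplied while everything else in the module uses the `pkgs` home-manager passes in, and nothing in the hunk guarantees the two are the same nixpkgs. If the outer argument exists only to import the zsh module, moving that import into the inner `let` (`zshCurried = import ../programs/zsh.nix { inherit pkgs; };`) removes the wrapper and the shadowing. The `packageOverrides = pkgs: with pkgs; { };` entry on the new side is empty and can be dropped. The module's attribute set continues past the hunk's last line.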
@@ -106,74 +93,98 @@ in # Password Management gnupg yubikey-manager + yubikey-neo-manager yubikey-personalization yubikey-personalization-gui - - # gnome.gnome-keyring - gcr - seahorse + gnome3.gnome_keyring + gnome3.seahorse # Language Support hunspellDicts.en-us hunspellDicts.de-de # Messaging/Communication - # pidgin - # hexchat - pkgsUnstable.element-desktop + signal-desktop + pidgin + hexchat aspellDicts.en aspellDicts.de - # skypeforlinux - # pkgsUnstable.jitsi-meet-electron - thunderbird-128 - # betterbird - - # FIXME: depends on insecure openssl 1.1.1t - # kotatogram-desktop - pkgsUnstable.tdesktop - pkgsUnstable.signal-desktop + skype + unstablepkgs.jitsi-meet-electron + zoom-us # broken as of 2019-10-30 + bluejeans-gui + thunderbird + gnome3.evolution # gnome4.glib_networking + # telegram + unstablepkgs.tdesktop + gnome3.cheese # Virtualization - virt-manager + virtmanager + # (pkgs.lib.hiPrio qemu) + # virtualbox + # vagrant + # docker_compose + # unstablepkgs.kubernetes + # unstablepkgs.minikube + # unstablepkgs.openshift + # (unstablepkgs.minikube.overrideAttrs (oldAttrs: { + # patches = oldAttrs.patches ++ [ + # (builtins.fetchurl { url ="https://patch-diff.githubusercontent.com/raw/kubernetes/minikube/pull/2517.diff"; }) + # ]; + # })) + appimage-run + # Remote Control Tools remmina - # freerdp + freerdp + teamviewer # Audio/Video Players - # ffmpeg + ffmpeg vlc - # v4l-utils - # audacity - # spotify - yt-dlp - (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") + audacity + spotify + python38Packages.youtube-dl-light libwebcam - libcamera - snapshot # Network Tools + openvpn tcpdump iftop iperf bind socat - nethogs + # 2019-03-05: broken on 19.03 linssid + iptraf-ng + ipmitool - # Code Editing and Programming - # TODO(remove or use): pkgsUnstable.lapce - # TODO(remve or use): pkgsUnstable.helix + # samba + iptables + nftables + wireshark + + # Code Editors + # 
unstablepkgs.atom + xclip + xsel # Image/Graphic/Design Tools - eog - # gimp - # imagemagick - # exiv2 - # graphviz - # inkscape - # qrencode + gnome3.eog + gimp + imagemagick + exiv2 + graphviz + inkscape + # barcode + qrencode + zbar + feh + # digikam - # TODO: remove or move these: Modelling Tools + + # Modelling Tools # plantuml # umlet # staruml 
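Review bot: `zoom-us # broken as of 2019-10-30` is kept in the installed list despite its own annotation, and since common.nix in this diff switches to `allowBroken = true`, a `meta.broken` package no longer stops evaluation, so that comment is the only remaining signal. Comment the entry out like the neighbouring disabled packages, or keep it with a dated reason and re-check it on every channel bump. The `teamviewer`, `skype` and `bluejeans-gui` entries added here are proprietary remote-access/conferencing clients that only evaluate under the same global `allowUnfree = true`; a one-line note per entry saying why each is wanted helps when that flag is later narrowed. The `home.packages` list this hunk belongs to starts and ends outside the hunk.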
@@ -182,46 +193,99 @@ in # astah-community # Misc Development Tools - # qrcode - # jq - # cdrtools + qrcode + # travis + jq + # prometheus + cdrtools # Document Processing and Management - nautilus - pcmanfm - # mendeley - evince - xournalpp + # zathura + mendeley + # zotero + pandoc + + # LaTeX + perlPackages.YAMLTiny + perlPackages.FileHomeDir + perlPackages.UnicodeLineBreak + (texlive.combine { + inherit (texlive) + scheme-small + texlive-de + texlive-en + texlive-scripts + collection-langgerman + + latexindent + latexmk + + algorithms + cm-super + + preprint + enumitem + draftwatermark + everypage + ulem + placeins + minted ifplatform fvextra xstring framed + ; + }) + + pdftk + masterpdfeditor # File Synchronzation - maestral + seafile-client + grive2 + dropbox rsync # Filesystem Tools - # ntfs3g - # ddrescue - # ncdu - # hdparm - # binwalk - # gptfdisk - # gparted - # smartmontools + ntfs3g + ddrescue + ncdu + woeusb + unetbootin + pcmanfm + hdparm + testdisk + python38Packages.binwalk + gptfdisk + gparted + smartmontools + + ## Android + androidenv.androidPkgs_9_0.platform-tools ## Python - # packages'.myPython + myPython + + # Code generators + # unstablepkgs.swagger-codegen # Misc Desktop Tools - # ltunify - # dex + # TODO: this may be required if brightness control isn't working + # brightnessctl + ltunify + # solaar # TODO: conflicts with solar over udev rules + dex + # kitty + busyboxStatic + xorg.xbacklight coreutils lsof - xdg-utils + x11_ssh_askpass + xdotool + xdg_utils xdg-user-dirs - dconf + gnome3.dconf picocom glib.dev # contains gdbus tool alacritty - # wally-cli + roxterm + unstablepkgs.wally-cli man-pages # Screen recording 
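Review bot: `myPython` is referenced bare inside `with pkgs;` (the removed side used `packages'.myPython`), and it is not a nixpkgs attribute, so this list only evaluates if an overlay injects `pkgs.myPython` — presumably via the `nixpkgs.overlays = builtins.attrValues (import ../../overlays);` line common.nix gains in this diff; spell that out at the use site: `myPython # not in nixpkgs; supplied by ../../overlays (see profiles/common.nix)`. graphical-removable.nix's package hunk uses `myPython` the same way. `mendeley`, `masterpdfeditor`, `dropbox` and `androidenv.androidPkgs_9_0.platform-tools` are proprietary (unfree in nixpkgs terms, as far as I can tell) and rely on the global `allowUnfree = true`; a short reason next to each would help if the global flag is ever replaced by an `allowUnfreePredicate` list again. The surrounding `home.packages` list starts and ends outside the hunk.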
@@ -231,58 +295,11 @@ in # shutter # kazam # doesn't start # xvidcap # doesn't keep the recording rectangle + obs-studio + screenkey # shotcut # openshot-qt - # introduces python: screenkey - # avidemux # broken - # handbrake - - # snes9x - # snes9x-gtk - # this is a displaymanager! - # libretro.snes9x2010 - # retroarchFull - - # pkgs.logseq-bin - pkgs.logseq - # (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { }) - ]) - ++ (with repoFlake.packages.${pkgs.system}; [ gimp ]) - ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ - pkgsUnstable.ledger-live-desktop - - # unsupported on aarch64-linux - pkgs.androidenv.androidPkgs_9_0.platform-tools - pkgs.teamviewer - pkgs.discord - pkgsUnstable.session-desktop - pkgsUnstable.rustdesk - ]); - - systemd.user.startServices = true; - - services.syncthing.enable = true; - - services.udiskie = { - enable = true; - automount = false; - notify = true; - }; - - # TODO: uncomment this when it's in stable home-manger - # programs.joshuto = { - # enable = true; - # }; - - # systemd.user.services.maestral = { - # Unit.Description = "Maestral daemon"; - # Install.WantedBy = ["default.target"]; - # Service = { - # ExecStart = "${pkgs.maestral}/bin/maestral start -f"; - # ExecStop = "${pkgs.maestral}/bin/maestral stop"; - # Restart = "on-failure"; - # Nice = 10; - # }; - # }; + ledger-live-desktop + ]); } diff --git a/nix/home-manager/configuration/graphical-gnome3.nix b/nix/home-manager/configuration/graphical-gnome3.nix deleted file mode 100644 index 4dbcba2..0000000 --- a/nix/home-manager/configuration/graphical-gnome3.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ pkgs, ... }: -{ - home.packages = with pkgs; [ - gnome-tweaks - gnome-keyring - seahorse - ]; -} diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index 73c9ff3..cd62667 100644 --- a/nix/home-manager/configuration/graphical-removable.nix 
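Review bot: `ledger-live-desktop` is appended unconditionally, while the removed side included it — together with `pkgs.teamviewer` and `pkgs.androidenv.androidPkgs_9_0.platform-tools` — only under `lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64)` with the comment `# unsupported on aarch64-linux`; the new list (the other two packages are added unguarded in the earlier hunks of this file) will therefore fail on an aarch64 host. With `lib` no longer a module argument the guard can use `pkgs.lib`: `++ (pkgs.lib.optionals (!pkgs.stdenv.targetPlatform.isAarch64) (with pkgs; [ ledger-live-desktop teamviewer androidenv.androidPkgs_9_0.platform-tools ]))`. The hunk also drops `services.syncthing.enable`, `services.udiskie` and `systemd.user.startServices` without replacement; if that is intended, a line in the commit message would document it. The `home.packages` expression starts outside the hunk.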
+++ b/nix/home-manager/configuration/graphical-removable.nix @@ -1,5 +1,17 @@ -{ pkgs, ... }: -{ +{ pkgs }: + +let + zshCurried = import ../programs/zsh.nix { inherit pkgs; }; +in + +{ pkgs +, config, +... }: + +let + unstablepkgs = import { config = config.nixpkgs.config; }; + +in { imports = [ ../profiles/common.nix ../profiles/qtile-desktop.nix 
@@ -11,89 +23,109 @@ ../programs/libreoffice.nix ../programs/neovim.nix ../programs/pass.nix + zshCurried ]; - home.packages = with pkgs; [ - # Nix package related tools - patchelf - nix-index - nix-prefetch-scripts + nixpkgs.config = { + pidgin = { + openssl = true; + gnutls = true; + }; - # Version Control Systems - gitless + packageOverrides = pkgs: with pkgs; { + }; + }; - # Process/System Administration - htop - gnome-tweaks - xorg.xhost - dmidecode - evtest + home.sessionVariables = { + }; - # Archive Managers - sshfs-fuse - xarchive - p7zip - zip - unzip - gzip - lzop - # Password Management - gnome-keyring - seahorse + home.packages = + [] ++ (with pkgs; [ + # Nix package related tools + patchelf + nix-index + nix-prefetch-scripts - # Remote Control Tools - remmina - freerdp + # Version Control Systems + gitless - # Network Tools - openvpn - tcpdump - iftop - iperf - bind - socat + # Process/System Administration + htop + gnome3.gnome-tweak-tool + xorg.xhost + dmidecode + evtest - # samba - iptables - nftables - wireshark + # Archive Managers + sshfsFuse + xarchive + p7zip + zip + unzip + gzip + lzop - # Code Editors - xclip - xsel + # Password Management + gnome3.gnome_keyring + gnome3.seahorse - # Image/Graphic/Design Tools - gnome.eog - gimp - inkscape + # Remote Control Tools + remmina + freerdp - # Misc Development Tools - qrcode - jq - cdrtools + # Network Tools + openvpn + tcpdump + iftop + iperf + bind + socat - # Document Processing and Management - zathura + # samba + iptables + nftables + wireshark - # File Synchronzation - rsync + # Code Editors + xclip + xsel + unstablepkgs.vscode - # Filesystem Tools - ntfs3g - ddrescue - ncdu - woeusb - unetbootin - pcmanfm - hdparm - testdisk - binwalk - gptfdisk + # Image/Graphic/Design Tools + gnome3.eog + gimp + inkscape - packages'.myPython + # Misc Development Tools + qrcode + jq + cdrtools - # Virtualization - virtmanager - ]; + # Document Processing and Management + zathura + + # File Synchronzation + 
rsync + + # Filesystem Tools + ntfs3g + ddrescue + ncdu + unstablepkgs.woeusb + unetbootin + pcmanfm + hdparm + testdisk + python38Packages.binwalk + gptfdisk + + ## Python + myPython + + busyboxStatic + + # Virtualization + virtmanager + ]); } diff --git a/nix/home-manager/configuration/text-minimal.nix b/nix/home-manager/configuration/text-minimal.nix new file mode 100644 index 0000000..5937909 --- /dev/null +++ b/nix/home-manager/configuration/text-minimal.nix @@ -0,0 +1,35 @@ +{ pkgs, extraPackages ? [] }: + +let + zshCurried = import ../programs/zsh.nix { inherit pkgs; }; +in + +{ pkgs +, config +, ... }: + +let + +in { + imports = [ + ../profiles/common.nix + ../profiles/nix-channels.nix + ../programs/neovim.nix + zshCurried + ]; + + nixpkgs.config = { + packageOverrides = pkgs: with pkgs; { + }; + }; + + home.sessionVariables = { + }; + + home.packages = extraPackages + ++ (with pkgs; [ + iperf3 + telnet + speedtest-cli + ]); +} diff --git a/nix/home-manager/lib.nix b/nix/home-manager/lib.nix index 7436034..0c240cc 100644 --- a/nix/home-manager/lib.nix +++ b/nix/home-manager/lib.nix @@ -1,19 +1,22 @@ -_: { - mkSimpleTrayService = - { execStart }: - { - Unit = { - Description = ""; - After = [ "graphical-session-pre.target" ]; - PartOf = [ "graphical-session.target" ]; - }; +{ +}: - Install = { - WantedBy = [ "graphical-session.target" ]; - }; +let - Service = { - ExecStart = execStart; - }; +in { + mkSimpleTrayService = { execStart }: { + Unit = { + Description = "pasystray applet"; + After = [ "graphical-session-pre.target" ]; + PartOf = [ "graphical-session.target" ]; }; + + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = execStart; + }; + }; } diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index 77f6e57..b350058 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix 
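Review bot: `mkSimpleTrayService` is a generic helper, yet the new body hard-codes `Description = "pasystray applet";`, so every user unit built with it reports itself as the pasystray applet (the removed side left the description empty, which was at least not misleading). Make it a parameter with a neutral default: `mkSimpleTrayService = { execStart, description ? "" }: {` and `Description = description;`. The new `{ }:` header takes no arguments, which matches the `import ../lib.nix { }` call added in qtile-desktop.nix in this diff.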
@@ -1,97 +1,54 @@ -{ pkgs, lib, ... }: -{ - home.stateVersion = lib.mkDefault "23.11"; +{ pkgs +, ... +}: - # TODO: re-enable this with the appropriate version? +let +in { + # TODO: re-enable this with the appropriate version # programs.home-manager.enable = true; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; - # TODO: move this to an OS snippet? + nixpkgs.overlays = builtins.attrValues (import ../../overlays); + nixpkgs.config = { - allowBroken = false; + allowBroken = true; allowUnfree = true; - allowUnsupportedSystem = true; - - allowInsecurePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "electron-32.3.3" - "electron" - ]; - - permittedInsecurePackages = [ - "electron-32.3.3" - "electron" - ]; - - allowUnfreePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "obsidian" - "vivaldi" - "aspell-dict-en-science" - ]; }; home.keyboard = { layout = "us"; variant = "altgr-intl"; - options = [ - # nodeadkeys doesn't make sense with us layout: see https://man.archlinux.org/man/xkeyboard-config.7 for valid options - # "nodeadkeys" - # "caps:swapescape" + options = [ + "nodeadkeys" + # "caps:swapescape" ]; }; - xdg.enable = true; - programs.direnv.enable = true; + services.lorri.enable = true; - # Don't create .pyc files. - home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1"; + home.sessionVariables = { + NIXPKGS_ALLOW_UNFREE = "1"; + # Don't create .pyc files. 
+ PYTHONDONTWRITEBYTECODE = "1"; + }; programs.command-not-found.enable = true; programs.fzf.enable = true; - home.packages = with pkgs; [ - coreutils + home.packages = + [] ++ (with pkgs; [ + # git helpers + git-crypt - vcsh + vcsh + # Authentication + cacert + openssl + mkpasswd - htop - iperf3 - nethogs - - # Authentication - cacert - openssl - mkpasswd - - just - ripgrep - du-dust - - elfutils - exfat - file - tree - pwgen - proot - - parted - pv - tmux - wget - curl - - # git helpers - git-crypt - gitFull - pastebinit - gist - mr - - usbutils - pciutils - ]; + just + ripgrep + du-dust + ]); } diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index a7bddd9..2609ee2 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix @@ -1,6 +1,13 @@ -_: { - # TODO: fix the dotfiles - # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' - # $DRY_RUN_CMD ${vcshActivationScript} - # ''; +{ pkgs +, config +, ... +}: + +let + vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {}; + +in { + home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' + $DRY_RUN_CMD ${vcshActivationScript} + ''; } diff --git a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix index 2a866f2..521a126 100644 --- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix +++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix 
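Review bot: `allowBroken = true;` switches off the broken-package gate for every profile importing common.nix, so a package whose `meta.broken` is set (graphical-fullblown.nix in this diff still lists `zoom-us # broken as of 2019-10-30`) no longer fails evaluation with its recorded reason but surfaces later as a build failure with none; keep `allowBroken = false;` and handle the single package that needs it at its use site, with the reason in a comment. `NIXPKGS_ALLOW_UNFREE = "1"` in `home.sessionVariables`, together with the removal of the `allowUnfreePredicate` list, makes unfree unconditional both in this configuration and in ad-hoc `nix-build`/`nix-shell` runs from the session — a one-line comment recording that decision would help. The hunk also drops `home.stateVersion = lib.mkDefault "23.11";` without replacement; depending on the home-manager version targeted, that option is what keeps defaults stable across upgrades, so its absence is worth confirming.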
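Review bot: `home.activation.vcsh` runs `${vcshActivationScript}` on every activation, and that script (see the vcsh.tmpl.nix hunk) clones from and pulls against `repoBareLocal`, a store-path mirror produced by a fixed-output derivation, so the network access appears to happen at build time rather than during activation — worth a comment here, since the removed side disabled this with `# TODO: fix the dotfiles` and graphical-fullblown.nix still carries `# FIXME: fix homeshick when no WAN connection is available`. `pkgs.callPackage ./dotfiles/vcsh.nix {}` names a file this diff does not touch while the diff edits `dotfiles/vcsh.tmpl.nix`; if `vcsh.nix` is generated from the template, say so next to the call, e.g. `# vcsh.nix is generated from vcsh.tmpl.nix`.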
@@ -1,42 +1,39 @@ -{ - pkgs, - repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", - repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", - ... +{ pkgs +, repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git" +, repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git" +, ... }: + let - repoBareLocal = - pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } - '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; -in -pkgs.writeScript "activation-script" '' - export HOST=$(hostname -s) + repoBareLocal = pkgs.runCommand "fetchbare" { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; - function set_remotes { - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 - } +in pkgs.writeScript "activation-script" '' + export HOST=$(hostname -s) - if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then - echo Cloning dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles - set_remotes ${repoHttps} ${repoSsh} - else - set_remotes ${repoBareLocal} ${repoSsh} - echo Updating dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh pull $HOST || true - set_remotes ${repoHttps} ${repoSsh} - fi -'' + function set_remotes { + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 + } + + if ! 
test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then + echo Cloning dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles + set_remotes ${repoHttps} ${repoSsh} + else + set_remotes ${repoBareLocal} ${repoSsh} + echo Updating dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh pull $HOST || true + set_remotes ${repoHttps} ${repoSsh} + fi + '' diff --git a/nix/home-manager/profiles/experimental-desktop.nix b/nix/home-manager/profiles/experimental-desktop.nix deleted file mode 100644 index d57a051..0000000 --- a/nix/home-manager/profiles/experimental-desktop.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ packages', ... }: -{ - imports = [ ../profiles/wayland-desktop.nix ]; - - home.packages = [ - # experimental WMs - packages'.jay - packages'.magmawm - ]; -} diff --git a/nix/home-manager/profiles/gnome-desktop.nix b/nix/home-manager/profiles/gnome-desktop.nix deleted file mode 100644 index e403b71..0000000 --- a/nix/home-manager/profiles/gnome-desktop.nix +++ /dev/null 
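Review bot: `outputHash = "0000000000000000000000000000000000000000000000000000";` is a placeholder, so the `fetchbare` fixed-output derivation (which is what lets `git clone --mirror` reach the network inside the build sandbox) only succeeds once the real hash of the mirrored repository is substituted; the `.tmpl.nix` suffix suggests a generation step does that, but nothing in the file says so — a comment above the attribute such as `# placeholder; replaced with the mirror's real hash when this template is rendered` would make the contract explicit. In the activation script, `${pkgs.vcsh}/bin/vcsh pull $HOST || true` hides a failed pull (e.g. a diverged branch) behind the `Updating dotfiles for $HOST...` message; report it at least: `${pkgs.vcsh}/bin/vcsh pull $HOST || echo "warning: vcsh pull $HOST failed" >&2`. The first-run path `${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles` has no error check either, so a host whose short hostname has no matching branch may leave a partially initialised repository that the next activation treats as existing.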
@@ -1,100 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ ../profiles/wayland-desktop.nix ]; - - services = { - gnome-keyring.enable = false; - blueman-applet.enable = true; - flameshot.enable = true; - pasystray.enable = true; - }; - - # TODO: remove this comment once i'm sure everything works - # xdg.configFile."autostart/gnome-keyring-ssh.desktop".text = '' - # [Desktop Entry] - # Type=Application - # Hidden=true - # ''; - - services.gpg-agent.pinentry.package = pkgs.pinentry-gnome3; - - dconf.settings = - let - manualKeybindings = [ - { - binding = "Print"; - command = "flameshot gui"; - name = "flameshot"; - } - - { - binding = "t"; - command = "alacritty"; - name = "alacritty"; - } - ]; - - numWorkspaces = 10; - customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; - customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( - (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace - ); - - workspacesKeyBindingsOffset = builtins.length manualKeybindings; - - # with this we can make use of all number keys [0-9] - mapToNumber = - i: - if i < 10 then - i - else if i == 10 then - 0 - else - throw "i exceeds 10: ${i}"; - in - { - "org/gnome/settings-daemon/plugins/media-keys" = { - custom-keybindings = customKeybindingsNames; - screenreader = "@as []"; - screensaver = [ "l" ]; - }; - - # disable the builtin [1-9] functionality - "org/gnome/shell/keybindings" = builtins.listToAttrs ( - (builtins.genList (i: { - name = "switch-to-application-${toString (i + 1)}"; - value = [ ]; - }) numWorkspaces) - ++ [ - { - name = "toggle-overview"; - value = [ ]; - } - ] - ); - - # remap it to switching to the workspaces - "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( - builtins.genList (i: { - name = "switch-to-workspace-${toString (i + 1)}"; - value = [ "${toString (mapToNumber (i + 1))}" ]; - }) numWorkspaces - ); - } - // builtins.listToAttrs ( - 
builtins.genList (i: { - name = "${customKeybindingBaseName}${toString i}"; - value = builtins.elemAt manualKeybindings i; - }) (builtins.length manualKeybindings) - ) - // builtins.listToAttrs ( - builtins.genList (i: { - name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; - value = { - binding = "${toString (mapToNumber (i + 1))}"; - command = "wmctrl -r :ACTIVE: -t ${toString i}"; - name = "Send to workspace ${toString (i + 1)}"; - }; - }) numWorkspaces - ); -} diff --git a/nix/home-manager/profiles/nix-channels.nix b/nix/home-manager/profiles/nix-channels.nix index fc52ec6..4a0eebe 100644 --- a/nix/home-manager/profiles/nix-channels.nix +++ b/nix/home-manager/profiles/nix-channels.nix @@ -1,22 +1,26 @@ -{ pkgs, config, ... }: -{ - home.file.".nix-channels".text = ""; +{ pkgs +, config +, ... +}: - home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] '' +let +in { + home.file.".nix-channels".text = '' + ''; + + home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' - set -ex - if test -f $HOME/.nix-channels; then - echo Uninstalling available channels... - if test -f $HOME/.nix-channel; then - while read url channel; do - nix-channel --remove $channel - done < $HOME/.nix-channel - fi - echo Moving existing file away... - touch $HOME/.nix-channels.dummy - mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels - rm $HOME/.nix-channels - fi + set -ex + if test -f $HOME/.nix-channels; then + echo Uninstalling available channels... + while read url channel; do + nix-channel --remove $channel + done < $HOME/.nix-channel + echo Moving existing file away... + touch $HOME/.nix-channels.dummy + mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels + rm $HOME/.nix-channels + fi ''}; ''; } 
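Review bot: The new activation script tests `$HOME/.nix-channels` but then redirects `done < $HOME/.nix-channel` without the `if test -f $HOME/.nix-channel` guard the removed side had around the loop; under `set -ex` a missing `.nix-channel` aborts the whole activation before the backup and `rm` steps run. Restore the guard: `if test -f $HOME/.nix-channel; then` before `while read url channel; do` and `fi` after `done < $HOME/.nix-channel`. The singular `.nix-channel` beside the plural `.nix-channels` (the file nix-channel itself maintains) looks like a typo present on both sides of the diff, and as written the loop can never see the channels it is meant to remove — worth checking which file is intended.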
diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index 84d9c21..004f821 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -1,15 +1,17 @@ -{ pkgs, ... }: -let +{ pkgs +, ... +}: - audio = pkgs.writeShellScript "audio" '' - export PATH=${ - with pkgs; - lib.makeBinPath [ - pulseaudio - findutils - gnugrep - ] - }:$PATH +let + inherit (import ../lib.nix { }) + mkSimpleTrayService + ; + + audio = pkgs.writeScript "audio" '' + #!${pkgs.bash}/bin/bash + export PATH=${with pkgs; lib.makeBinPath [ + pulseaudio findutils gnugrep + ]}:$PATH export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute case $1 in @@ -31,9 +33,13 @@ let esac ''; terminalCommand = "${pkgs.alacritty}/bin/alacritty"; + # terminalCommand = "${pkgs.roxterm}/bin/roxterm"; - dpmsScript = pkgs.writeShellScript "dpmsScript" '' - export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH + dpmsScript = pkgs.writeScript "dpmsScript" '' + #!${pkgs.bash}/bin/bash + export PATH=${with pkgs; lib.makeBinPath [ + xlibs.xset + ]}:$PATH set -xe @@ -55,8 +61,11 @@ let esac ''; - screenLockCommand = pkgs.writeShellScript "screenLock" '' - export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH + screenLockCommand = pkgs.writeScript "screenLock" '' + #!${pkgs.bash}/bin/bash + export PATH=${with pkgs; lib.makeBinPath [ + i3lock + ]}:$PATH revert() { ${dpmsScript} default 
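Review bot: In the `dpmsScript` hunk `xlibs.xset` replaces `xorg.xset`; `xlibs` is a legacy alias of `xorg` that newer nixpkgs resolves to a `throw`, and because this tree now takes nixpkgs from channels rather than a pinned input, the script will stop evaluating on whichever channel bump drops the alias — `xorg.xset` is the canonical attribute. All three hunks also swap `pkgs.writeShellScript` for `pkgs.writeScript` with an explicit `#!${pkgs.bash}/bin/bash` line, which changes the interpreter from `runtimeShell` to this module's `pkgs.bash` and, as far as I recall, loses the dry-run syntax check `writeShellScript` performs; a comment stating why is worth adding if this is deliberate. `inherit (import ../lib.nix { }) mkSimpleTrayService;` is added in the first hunk, but no use of it is visible in the hunks shown; the rest of the file lies outside them.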
@@ -69,190 +78,229 @@ let revert ''; - initScreen = pkgs.writeShellScript "initScreen" '' - # ${pkgs.xorg.xinput}/bin/xinput set-prop "ZSA Moonlander Mark I Mouse" "libinput Natural Scrolling Enabled" 1 - ${pkgs.autorandr}/bin/autorandr -c - ${pkgs.feh}/bin/feh --bg-scale ${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png - ${dpmsScript} default - ''; qtileConfig = pkgs.writeScript "qtile_config.py" '' - from libqtile.config import Key, Screen, Group, Drag, Click - from libqtile.command import lazy - from libqtile import layout, bar, widget - from libqtile import hook +from libqtile.config import Key, Screen, Group, Drag, Click +from libqtile.command import lazy +from libqtile import layout, bar, widget +from libqtile import hook - import logging, os - logger = logging.getLogger() - logger.setLevel(logging.WARN) +import logging, os +logger = logging.getLogger() +logger.setLevel(logging.WARN) - handler = logging.handlers.RotatingFileHandler( - os.path.join(os.getenv('TEMPDIR', default="/tmp"), '.qtilelog'), maxBytes=10240000, - backupCount=7 - ) - handler.setLevel(logging.WARN) - logger.addHandler(handler) +handler = logging.handlers.RotatingFileHandler( + os.path.join(os.getenv('TEMPDIR', default="/tmp"), '.qtilelog'), maxBytes=10240000, + backupCount=7 +) +handler.setLevel(logging.WARN) +logger.addHandler(handler) - key_super = "mod4" - key_alt = "mod1" - key_control = "control" +# @hook.subscribe.screen_change +# def restart_on_randr(qtile, ev): +# import time +# +# with open(os.path.join(os.environ['TEMPDIR', default="/tmp"], ".qtilelastrestart"), "w"): +# pass +# +# lastRestart = 0 +# with open(os.path.join(os.environ['TEMPDIR', default="/tmp"], ".qtilelastrestart"), "r+") as lastRestartFile: +# lastRestartStr = lastRestartFile.read() +# if len(lastRestartStr) > 0: +# lastRestart = float(lastRestartStr) +# +# print("screen changed. 
(last change: %s)" % lastRestart) +# +# delta=time.time()-lastRestart +# if delta > 3: +# import subprocess +# lastRestartFile.seek(0) +# lastRestartFile.write("%s" % time.time()) +# lastRestartFile.truncate() +# +# subprocess.call(["autorandr","-c"]) +# qtile.cmd_restart() +# else: +# print("screen is changing too fast: %s" % delta) +# +# active_screen = 0 +# @hook.subscribe.client_focus +# def focus_changed(window): +# global active_screen +# pass +# active_screen = window.group.screen.index +# +# @hook.subscribe.current_screen_change +# def move_widget(): +# global active_screen +# systray = widget.Systray() +# logging.warn("Screen changed to %i" % active_screen) - keys = [ - # https://github.com/qtile/qtile/blob/master/libqtile/backend/x11/xkeysyms.py - Key([key_super], "Return", lazy.spawn("${terminalCommand}")), - Key([key_super], "r", lazy.spawncmd()), - Key([key_super], "w", lazy.window.kill()), +key_super = "mod4" +key_alt = "mod1" +key_control = "control" - Key([key_alt, key_super], "l", lazy.spawn('${pkgs.bash}/bin/sh -c "loginctl lock-session $XDG_SESSION_ID"')), - Key([key_alt, key_super], "s", lazy.spawn("${pkgs.systemd}/bin/systemctl suspend")), +keys = [ + # https://github.com/qtile/qtile/blob/develop/libqtile/xkeysyms.py + Key([key_super], "Return", lazy.spawn("${terminalCommand}")), + Key([key_super], "backslash", lazy.spawn("${terminalCommand}")), + Key([key_super], "apostrophe", lazy.spawn("${terminalCommand}")), + Key([key_super], "r", lazy.spawncmd()), + Key([key_super], "w", lazy.window.kill()), - Key([key_super, key_control], "r", lazy.spawn("${initScreen}")), - Key([key_super, key_control], "q", lazy.shutdown()), + Key([key_alt, key_super], "l", lazy.spawn('${pkgs.bash}/bin/sh -c "loginctl lock-session $XDG_SESSION_ID"')), + Key([key_alt, key_super], "s", lazy.spawn("${pkgs.systemd}/bin/systemctl suspend")), - # Toggle between different layouts as defined below - Key([key_super], "Tab", lazy.next_layout()), + # Key([key_super, key_control], 
"r", lazy.restart()), + Key([key_super, key_control], "r", lazy.spawn("${pkgs.autorandr}/bin/autorandr -c && ${dpmsScript} default"), lazy.restart()), + Key([key_super, key_control], "q", lazy.shutdown()), - # this is usefull when floating windows get buried - Key([key_super], "Escape", lazy.window.bring_to_front()), + # Toggle between different layouts as defined below + Key([key_super], "Tab", lazy.next_layout()), - # common to all layouts - Key([key_control, key_alt], "h", lazy.layout.grow_left()), - Key([key_control, key_alt], "j", lazy.layout.grow_down()), - Key([key_control, key_alt], "k", lazy.layout.grow_up()), - Key([key_control, key_alt], "l", lazy.layout.grow_right()), - Key([key_super], "n", lazy.layout.normalize()), - Key([key_super], "o", lazy.layout.maximize()), + # MonadTall keybindings + Key([key_super], "h", lazy.layout.left()), + Key([key_super], "l", lazy.layout.right()), + Key([key_super], "j", lazy.layout.down()), + Key([key_super], "k", lazy.layout.up()), + Key([key_super, key_control], "h", lazy.layout.shuffle_left()), + Key([key_super, key_control], "l", lazy.layout.shuffle_right()), + Key([key_super, key_control], "j", lazy.layout.shuffle_down()), + Key([key_super, key_control], "k", lazy.layout.shuffle_up()), + Key([key_super, key_control], "space", lazy.layout.toggle_split()), + Key([key_control, key_alt], "h", lazy.layout.grow_left()), + Key([key_control, key_alt], "j", lazy.layout.grow_down()), + Key([key_control, key_alt], "k", lazy.layout.grow_up()), + Key([key_control, key_alt], "l", lazy.layout.grow_right()), + Key([key_super], "n", lazy.layout.normalize()), + Key([key_super], "o", lazy.layout.maximize()), - # MonadTall keybindings - Key([key_super], "h", lazy.layout.left().when(layout="monad")), - Key([key_super], "l", lazy.layout.right().when(layout="monad")), - Key([key_super], "j", lazy.layout.down().when(layout="monad")), - Key([key_super], "k", lazy.layout.up().when(layout="monad")), - Key([key_super, key_control], "h", 
lazy.layout.shuffle_left().when(layout="monad")), - Key([key_super, key_control], "l", lazy.layout.shuffle_right().when(layout="monad")), - Key([key_super, key_control], "j", lazy.layout.shuffle_down().when(layout="monad")), - Key([key_super, key_control], "k", lazy.layout.shuffle_up().when(layout="monad")), - Key([key_super, key_control], "space", lazy.layout.toggle_split().when(layout="monad")), + # Stack + Key([key_super], "h", lazy.layout.previous().when('stack')), + Key([key_super], "l", lazy.layout.next().when('stack')), + Key([key_super], "j", lazy.layout.up().when('stack')), + Key([key_super], "k", lazy.layout.down().when('stack')), + Key([key_super, key_control], "j", lazy.layout.shuffle_up().when('stack')), + Key([key_super, key_control], "k", lazy.layout.shuffle_down().when('stack')), + Key([key_super, key_control], "h", lazy.layout.client_to_previous().when('stack')), + Key([key_super, key_control], "l", lazy.layout.client_to_next().when('stack')), - # Stack - Key([key_super], "h", lazy.layout.previous().when(layout='stack')), - Key([key_super], "l", lazy.layout.next().when(layout='stack')), - Key([key_super], "j", lazy.layout.up().when(layout='stack')), - Key([key_super], "k", lazy.layout.down().when(layout='stack')), - Key([key_super, key_control], "j", lazy.layout.shuffle_up().when(layout='stack')), - Key([key_super, key_control], "k", lazy.layout.shuffle_down().when(layout='stack')), - Key([key_super, key_control], "h", lazy.layout.client_to_previous().when(layout='stack')), - Key([key_super, key_control], "l", lazy.layout.client_to_next().when(layout='stack')), + # Columns + Key([key_super], "h", lazy.layout.left().when('columns')), + Key([key_super], "l", lazy.layout.right().when('columns')), + Key([key_super], "j", lazy.layout.down().when('columns')), + Key([key_super], "k", lazy.layout.up().when('columns')), + Key([key_super, key_control], "j", lazy.layout.shuffle_down().when('columns')), + Key([key_super, key_control], "k", 
lazy.layout.shuffle_up().when('columns')), + Key([key_super, key_control], "h", lazy.layout.shuffle_left().when('columns')), + Key([key_super, key_control], "l", lazy.layout.shuffle_right().when('columns')), - # Columns - Key([key_super], "h", lazy.layout.left().when(layout="columns")), - Key([key_super], "l", lazy.layout.right().when(layout="columns")), - Key([key_super], "j", lazy.layout.next().when(layout="columns")), - Key([key_super], "k", lazy.layout.previous().when(layout="columns")), - Key([key_super, key_control], "j", lazy.layout.shuffle_down().when(layout="columns")), - Key([key_super, key_control], "k", lazy.layout.shuffle_up().when(layout="columns")), - Key([key_super, key_control], "h", lazy.layout.shuffle_left().when(layout="columns")), - Key([key_super, key_control], "l", lazy.layout.shuffle_right().when(layout="columns")), - Key([key_super, key_control], "space", lazy.layout.toggle_split().when(layout="columns")), + # Max + Key([key_super], "j", lazy.layout.next()), + Key([key_super], "k", lazy.layout.previous()), - # Max - Key([key_super], "j", lazy.layout.down().when(layout="max")), - Key([key_super], "k", lazy.layout.up().when(layout="max")), + # Multimedia Keys + Key([], "XF86AudioPlay", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.PlayPause")), + Key([], "XF86AudioPrev", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Previous")), + Key([], "XF86AudioNext", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Next")), + ## Microsoft Comfort Curve specific + Key([key_super, "shift"], "XF86TouchpadToggle", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Previous")), 
+ Key([key_alt, key_super], "XF86TouchpadToggle", lazy.spawn("${pkgs.dbus}/bin/dbus-send --print-reply --dest=org.mpris.MediaPlayer2.spotify /org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.Next")), + Key([], "XF86AudioMute", lazy.spawn("${audio} mute")), + Key([], "XF86AudioLowerVolume", lazy.spawn("${audio} lower")), + Key([], "XF86AudioRaiseVolume", lazy.spawn("${audio} raise")), + Key([], "Print", lazy.spawn("${pkgs.flameshot}/bin/flameshot gui")), +] +groups = [Group(i) for i in "1234567890"] - # TODO: these are required to make the 'columns' layout work, but why? - Key([key_super], "j", lazy.layout.next()), - Key([key_super], "k", lazy.layout.previous()), - - # Multimedia Keys - Key([], "XF86AudioPlay", lazy.spawn("${pkgs.playerctl}/bin/playerctl play-pause")), - Key([], "XF86AudioPrev", lazy.spawn("${pkgs.playerctl}/bin/playerctl previous")), - Key([], "XF86AudioNext", lazy.spawn("${pkgs.playerctl}/bin/playerctl next")), - # TODO: the next two don't work yet - Key([], "XF86AudioRewind", lazy.spawn("${pkgs.playerctl}/bin/playerctl offset 10-")), - Key([], "XF86BackForward", lazy.spawn("${pkgs.playerctl}/bin/playerctl offset 10+")), - Key([], "XF86AudioMute", lazy.spawn("${audio} mute")), - Key([], "XF86AudioLowerVolume", lazy.spawn("${audio} lower")), - Key([], "XF86AudioRaiseVolume", lazy.spawn("${audio} raise")), - Key([], "Print", lazy.spawn("${pkgs.flameshot}/bin/flameshot gui")), - ] - groups = [Group(i) for i in "1234567890"] - - for i in groups: - # super + letter of group = switch to group - keys.append( - Key([key_super], i.name, lazy.group[i.name].toscreen()) - ) - - # super + shift + letter of group = switch to & move focused window to group - keys.append( - Key([key_super, key_control], i.name, lazy.window.togroup(i.name)) - ) - - layouts = [ - layout.Columns(num_columns=3, border_focus='#00ff00', border_width=2), - layout.Max(), - # layout.Stack(num_stacks=3, border_focus='#00ff00', border_width=2, autosplit=True, previous_on_rm=True), - # 
layout.Wmii(border_focus='#00ff00'), - # layout.MonadTall(ratio=0.6, border_focus='#00ff00'), - ] - - widget_defaults = dict( - font='Arial', - fontsize=16, - padding=3, +for i in groups: + # super + letter of group = switch to group + keys.append( + Key([key_super], i.name, lazy.group[i.name].toscreen()) ) - screens_count = 4 - screens = [] - for i in range(0, screens_count+1): - j = i+1 - widgets = [ - widget.TextBox("Screen %i" % j, name="Screen %i" % j), - widget.GroupBox(), - widget.WindowName(), - widget.Prompt(), - widget.CPUGraph(), - widget.ThermalSensor(tag_sensor = "CPU"), - widget.Memory(), - # widget.Net(interface='eth0'), - widget.Net(interface='wlan0'), - widget.Clock(format='%Y-%m-%d %a %I:%M %p'), - ] - if i is 0: - widgets.insert(-1, widget.Systray()) + # super + shift + letter of group = switch to & move focused window to group + keys.append( + Key([key_super, key_control], i.name, lazy.window.togroup(i.name)) + ) - screens.append(Screen(bottom=bar.Bar(widgets, 30))) +layouts = [ + layout.Columns(num_columns=3, border_focus='#00ff00', border_width=2), + layout.Max(), + # layout.Stack(num_stacks=3, border_focus='#00ff00', border_width=2, autosplit=True, previous_on_rm=True), + # layout.Wmii(border_focus='#00ff00'), + # layout.MonadTall(ratio=0.6, border_focus='#00ff00'), +] - keys.append(Key([key_super, "shift"], "%i" % (i+1), lazy.to_screen(i))) +widget_defaults = dict( + font='Arial', + fontsize=16, + padding=3, +) - dgroups_key_binder = None - dgroups_app_rules = [] - follow_mouse_focus = False - bring_front_click = False - cursor_warp = False - auto_fullscreen = True - auto_minimize = False - # focus_on_window_activation = "urgent" - - - # Drag floating layouts. 
- mouse = [ - # Drag([key_super,key_control], "Button1", lazy.window.set_position_floating(), start=lazy.window.get_position()), - # Drag([key_super,key_control], "Button2", lazy.window.set_size_floating(), start=lazy.window.get_size()), - Click([key_super,key_control], "Button3", lazy.window.disable_floating()) +screens_count = 4 +screens = [] +for i in range(0, screens_count+1): + j = i+1 + widgets = [ + widget.TextBox("Screen %i" % j, name="Screen %i" % j), + widget.GroupBox(), + widget.WindowName(), + widget.Prompt(), + widget.CPUGraph(), + widget.ThermalSensor(), + widget.Memory(), + widget.Net(interface='eth0'), + widget.Net(interface='wlan0'), + widget.Clock(format='%Y-%m-%d %a %I:%M %p'), ] + if i is 0: + widgets.insert(-1, widget.Systray()) - # disable any floating - @hook.subscribe.client_new - def disable_floating_for_all_new_windows(window): - window.floating = False + screens.append(Screen(bottom=bar.Bar(widgets, 30))) - @hook.subscribe.client_new - def print_new_window(window): - print("new window: ", window) + keys.append(Key([key_super, "shift"], "%i" % (i+1), lazy.to_screen(i))) + +# subscribe.current_screen_change(func) + +dgroups_key_binder = None +dgroups_app_rules = [] +main = None +follow_mouse_focus = False +bring_front_click = True +cursor_warp = False +auto_fullscreen = True +focus_on_window_activation = "urgent" + + +# Drag floating layouts. 
+mouse = [ + Drag([key_super,key_control], "Button1", lazy.window.set_position_floating(), start=lazy.window.get_position()), + Drag([key_super,key_control], "Button2", lazy.window.set_size_floating(), start=lazy.window.get_size()), + Click([key_super,key_control], "Button3", lazy.window.disable_floating()) +] +floating_layout = layout.Floating() + +wmname = "LG3D" ''; -in -{ +in { + systemd.user = { + startServices = true; + services = { + redshift-gtk = mkSimpleTrayService { + execStart = "${pkgs.redshift}/bin/redshift-gtk -v -l 47.6691:9.1698 -t 7000:4500 -m randr"; + }; + + pasystray = mkSimpleTrayService { + execStart = "${pkgs.pasystray}/bin/pasystray"; + }; + + cbatticon = mkSimpleTrayService { + execStart = "${pkgs.cbatticon}/bin/cbatticon"; + }; + }; + }; + services = { gnome-keyring.enable = true; blueman-applet.enable = true; 
@@ -262,32 +310,43 @@ in
 lockCmd = "${screenLockCommand}";
 };
 network-manager-applet.enable = true;
+ syncthing.enable = true;
+ gpg-agent = {
+ enable = true;
+ enableScDaemon = true;
+ enableSshSupport = true;
+ grabKeyboardAndMouse = true;
+ extraConfig = "pinentry-program ${pkgs.pinentry-gtk2}/bin/pinentry";
+ };
 flameshot.enable = true;
- pasystray.enable = true;
- cbatticon.enable = true;
- };
-
- home.pointerCursor = {
- name = "Vanilla-DMZ";
- package = pkgs.vanilla-dmz;
- size = 32;
- x11.enable = true;
- gtk.enable = true;
 };
 xsession = {
- enable = false;
- windowManager.command = "${pkgs.qtile}/bin/qtile start -c ${qtileConfig}";
- initExtra = "${initScreen}";
+ enable = true;
+ windowManager.command = "${pkgs.qtile}/bin/qtile -c ${qtileConfig}";
+ initExtra = ''
+ # ${pkgs.xorg.xinput}/bin/xinput set-prop "ErgoDox EZ ErgoDox EZ Mouse" "libinput Natural Scrolling Enabled"
+ ${pkgs.autorandr}/bin/autorandr -c
+ ${pkgs.feh}/bin/feh --bg-scale ${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png
+ ${dpmsScript} default
+ '';
+
+ pointerCursor = {
+ name = "Vanilla-DMZ-AA";
+ package = pkgs.vanilla-dmz;
+ size = 32;
+ };
 };
 home.packages = with pkgs; [
 # X Tools/Libraries
 lightdm
- networkmanagerapplet
- gnome-icon-theme
- gnome.gnome-themes-extra
- adwaita-icon-theme
+ qtile
+ gnome3.networkmanagerapplet
+ autorandr
+ arandr
+ gnome3.gnome_themes_standard
+ gnome3.adwaita-icon-theme
 lxappearance
 xorg.xcursorthemes
 pavucontrol
diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix
deleted file mode 100644
index 65ba632..0000000
--- a/nix/home-manager/profiles/sway-desktop.nix
+++ /dev/null
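Review bot: The inlined `gpg-agent` block sets `enableSshSupport = true` without any cache limit, so unlocked keys and SSH identities stay cached for gpg-agent's own default timeout; the `nix/home-manager/programs/gpg-agent.nix` file this commit deletes pinned `defaultCacheTtl = 0;` and `maxCacheTtl = 0;` and passed `no-allow-external-cache`, and none of that is carried into the new block. If the tighter caching is still wanted, add `defaultCacheTtl = 0;` and `maxCacheTtl = 0;` next to `grabKeyboardAndMouse` and append `no-allow-external-cache` to `extraConfig`. `enableScDaemon = true` is now unconditional where the deleted file derived it from `!osConfig.services.pcscd.enable`; if pcscd is enabled system-wide the two may contend for the card reader, which is worth confirming. The enclosing `services` attribute set starts outside the hunk.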
@@ -1,262 +0,0 @@ -/* - TODO: create helper scripts for sharing of a screen portion - ``` - - # this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged. - swaymsg create_output - - # find the name and the workspace number - swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' - - swaymsg output HEADLESS-1 mode 1920@108060Hz - - # mirror the headless workspace on the current one - nix run nixpkgs\#wl-mirror -- HEADLESS-1 - - # shift windows to the workspace and switch the focus to it -*/ -{ - pkgs, - config, - lib, - # packages', - ... -}: -let - - lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; - displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; - displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; - swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; -in -{ - imports = [ - ../profiles/wayland-desktop.nix - ../programs/waybar.nix - ]; - - services.dunst = { - enable = true; - }; - - services.gpg-agent.pinentry.package = pkgs.pinentry-gnome3; - - home.packages = [ - pkgs.swayidle - pkgs.swaylock - - ## themes - pkgs.adwaita-icon-theme - pkgs.hicolor-icon-theme - pkgs.gnome-icon-theme - - ## fonts - # pkgs.nerd-fonts # TODO: reinstall selected ones - pkgs.dejavu_fonts # just a basic good fond - pkgs.font-awesome_5 # needed by i3status-rust - pkgs.font-awesome - pkgs.roboto - pkgs.ttf_bitstream_vera - - pkgs.noto-fonts - pkgs.noto-fonts-cjk-sans - pkgs.noto-fonts-cjk-serif - pkgs.noto-fonts-emoji - pkgs.noto-fonts-emoji-blob-bin - pkgs.noto-fonts-extra - pkgs.noto-fonts-lgc-plus - - pkgs.liberation_ttf - pkgs.fira-code - pkgs.fira-code-symbols - pkgs.mplus-outline-fonts.githubRelease - pkgs.dina-font - pkgs.monoid - pkgs.hermit - ### found on colemickens' repo - pkgs.gelasio # metric-compatible with Georgia - pkgs.powerline-symbols - pkgs.iosevka-comfy.comfy-fixed - - ## experimental stuff - 
pkgs.fuzzel - ]; - - # TODO: configure kanshi to always set the 5K resolution - # DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)" - # Make: Philips Consumer Electronics Company - # Model: PHL 499P9 - # Serial: AU02419010010 - # Physical size: 1190x340 mm - # Enabled: yes - # Modes: - # 3840x1080 px, 59.967999 Hz (preferred) - # 5120x1440 px, 59.977001 Hz (current) - - wayland.windowManager.sway = { - enable = true; - systemd.enable = true; - xwayland = false; - - config = - let - modifier = "Mod4"; - inherit (config.wayland.windowManager.sway.config) - left - right - up - down - ; - in - { - inherit modifier; - bars = [ ]; - - input = { - "type:keyboard" = - { - xkb_layout = config.home.keyboard.layout; - xkb_variant = config.home.keyboard.variant; - } - // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { - xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; - }; - - "type:touchpad" = { - natural_scroll = "enabled"; - }; - - # alternatively run this command - # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" - # and then switch to a different VT (alt+ctrl+f2) and back - "1386:914:Wacom_Intuos_Pro_S_Pen" = { - tool_mode = "* relative"; - }; - }; - - keybindings = lib.mkOptionDefault { - # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi - # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; - "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; - - # only 1-9 exist on the default config - "${modifier}+0" = "workspace number 0"; - "${modifier}+Shift+0" = "move container to workspace number 0"; - - # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it - "${modifier}+b" = "nop"; - "${modifier}+v" = "nop"; - - # move workspace to output - "${modifier}+Control+Shift+${left}" = "move workspace to output left"; - "${modifier}+Control+Shift+${right}" = "move workspace to 
output right"; - "${modifier}+Control+Shift+${up}" = "move workspace to output up"; - "${modifier}+Control+Shift+${down}" = "move workspace to output down"; - # move workspace to output with arrow keys - "${modifier}+Control+Shift+Left" = "move workspace to output left"; - "${modifier}+Control+Shift+Right" = "move workspace to output right"; - "${modifier}+Control+Shift+Up" = "move workspace to output up"; - "${modifier}+Control+Shift+Down" = "move workspace to output down"; - - # TODO: i've been hitting this one accidentally way too often. find a better place. - # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; - "${modifier}+q" = "kill"; - "${modifier}+Shift+q" = - "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; - - "${modifier}+x" = "exec ${swapOutputWorkspaces}"; - - "${modifier}+Ctrl+l" = "exec ${lockCmd}"; - - "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; - "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; - "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; - - "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; - "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; - "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; - - "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; - }; - - terminal = "alacritty"; - startup = - [ - { - command = builtins.toString ( - pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target - ) & - '' - ); - } - ] - ++ lib.optionals config.services.swayidle.enable [ - { - command = builtins.toString ( - pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user 
restart swayidle - ) & - '' - ); - } - ]; - - colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; }; - - window.titlebar = false; - window.border = 4; - - # this maps to focus_on_window_activation - focus.newWindow = "urgent"; - - window.commands = [ - { - command = "border pixel 0, floating enable, fullscreen disable, move absolute position 0 0"; - criteria.app_id = "flameshot"; - } - ]; - }; - }; - - services.swayidle = { - enable = true; - timeouts = [ - { - timeout = 10; - command = "if ${pkgs.procps}/bin/pgrep -x swaylock; then ${displayOffCmd}; fi"; - resumeCommand = displayOnCmd; - } - { - timeout = 60 * 5; - command = lockCmd; - } - { - timeout = 60 * 6; - command = displayOffCmd; - resumeCommand = displayOnCmd; - } - ]; - events = [ - { - event = "before-sleep"; - command = builtins.concatStringsSep "; " [ - lockCmd - "${pkgs.playerctl}/bin/playerctl pause" - ]; - } - { - event = "after-resume"; - command = displayOnCmd; - } - { - event = "lock"; - command = lockCmd; - } - ]; - }; -} diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix deleted file mode 100644 index 2f0d2ee..0000000 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - pkgs, - lib, - repoFlake, - ... -}: -let - - nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; -in -{ - fonts.fontconfig.enable = true; - - # services.gpg-agent.pinentryFlavor = lib.mkForce null; - # services.gpg-agent.extraConfig = '' - # pinentry-program "${wayprompt}/bin/pinentry-wayprompt" - # ''; - - services = { - blueman-applet.enable = true; - network-manager-applet.enable = true; - }; - - systemd.user.targets.tray = { - Unit = { - Description = "Home Manager System Tray"; - Requires = [ "graphical-session-pre.target" ]; - }; - }; - - home.packages = - with pkgs; - [ - # required by network-manager-applet - networkmanagerapplet - - wlr-randr - wayout - wl-clipboard - wmctrl - - nixpkgs-wayland'.shotman - - # identifies key input syms - wev - - # TODO: whwat's this for? - # wltype - - qt5.qtwayland - qt6.qtwayland - # libsForQt5.qt5.qtwayland - # libsForQt6.qt6.qtwayland - - # audio - playerctl - helvum - pasystray - sonusmix - pwvucontrol - - # probably required by flameshot - # xdg-desktop-portal xdg-desktop-portal-wlr - # grim - - waypipe - ] - ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) - # TODO: broken on aarch64 - [ ] - ); - - home.sessionVariables = { - XDG_SESSION_TYPE = "wayland"; - NIXOS_OZONE_WL = "1"; - MOZ_ENABLE_WAYLAND = "1"; - WLR_NO_HARDWARE_CURSORS = "1"; - }; - - home.pointerCursor = { - name = "Vanilla-DMZ"; - package = pkgs.vanilla-dmz; - size = 32; - x11.enable = true; - gtk.enable = true; - }; -} diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index aa3f531..0585746 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix 
@@ -1,81 +1,23 @@ -{ - name, - lib, - pkgs, - ... +{ +... }: -let - extensions = - [ - #undetectable adblocker - { id = "gcfcpohokifjldeandkfjoboemihipmb"; } - # ublock origin - { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } - - # # YT ad block - # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} - - # # Adblock Plus - # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} - - # Cookie Notice Blocker - { id = "odhmfmnoejhihkmfebnolljiibpnednn"; } - # i don't care about cookies - { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } - - # NopeCHA - { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } - - # h264ify - { id = "aleakchihdccplidncghkekgioiakgal"; } - - # clippy - # {id = "honbeilkanbghjimjoniipnnehlmhggk"} - - { - id = "dcpihecpambacapedldabdbpakmachpb"; - updateUrl = "https://raw.githubusercontent.com/iamadamdev/bypass-paywalls-chrome/master/updates.xml"; - } - - # cookie autodelete - { id = "fhcgjolkccmbidfldomjliifgaodjagh"; } - - # unhook - { id = "khncfooichmfjbepaaaebmommgaepoid"; } - ] - ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ - # polkadotjs - { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; } - - # rabby wallet - { id = "acmacodkjbdgmoleebolmdjonilkdbch"; } - - # phantom wallet - { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; } - - # Vimium C - { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } - - # TODO: this causes scrolling the tab bar all the way to the end. 
look for a different one or report
- # always right
- { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; }
-
- # shazam music
- { id = "mmioliijnhnoblpgimnlajmefafdfilb"; }
- ]);
-in
 {
 programs.chromium = {
 enable = true;
- inherit extensions;
- # TODO: extensions currently don't work with ungoogled-chromium
- package = pkgs.chromium;
 };
- programs.brave = {
- # TODO: enable this on aarch64-linux
- enable = true && !pkgs.stdenv.targetPlatform.isAarch64;
- inherit extensions;
+ nixpkgs.config = {
+ chromium = {
+ # 2019-03-05: missing on 19.03 enablePepperPDF = true;
+ enablePepperFlash = false;
+ };
+ };
+
+ programs.browserpass = {
+ browsers = [
+ "chromium"
+ ];
 };
 }
+
diff --git a/nix/home-manager/programs/emacs.nix b/nix/home-manager/programs/emacs.nix
new file mode 100644
index 0000000..2b606a9
--- /dev/null
+++ b/nix/home-manager/programs/emacs.nix
@@ -0,0 +1,24 @@
+{ pkgs,
+...
+}:
+
+{
+ programs.emacs = {
+ enable = true;
+ extraPackages = epkgs: (with epkgs; [
+ nix-mode
+ magit # ; Integrate git
+ zerodark-theme # ; Nicolas' theme
+ undo-tree # ; to show the undo tree
+ # zoom-frm # ; increase/decrease font size for all buffers %lt;C-x C-+>
+ ]) ++ (with epkgs.melpaPackages; [
+ evil
+ ]) ++ (with epkgs.elpaPackages; [
+ auctex # ; LaTeX mode
+ beacon # ; highlight my cursor when scrolling
+ nameless # ; hide current package name everywhere in elisp code
+ ]) ++ (with pkgs; [
+ pkgs.notmuch # From main packages set
+ ]);
+ };
+}
diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix
deleted file mode 100644
index 8297183..0000000
--- a/nix/home-manager/programs/espanso.nix
+++ /dev/null
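Review bot: `programs.browserpass` is given only `browsers = [ "chromium" ]` and never `enable = true`, so as far as I can tell from home-manager's module the native-messaging host is not installed and the block is inert; the firefox.nix hunk further down has the same gap. Add `enable = true;` to both blocks. The new side also drops the entire `extensions` list, including ublock-origin and cookie-autodelete, with nothing blocking trackers or expiring cookies in their place; if that is intentional a short comment such as `# no managed extensions: content blocking is left to the user profile` would stop the next reader from treating it as an oversight.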
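Review bot: The last concatenation in `extraPackages` reads `++ (with pkgs; [ pkgs.notmuch ])`, where the `with pkgs;` scope is never used because the element is already written as `pkgs.notmuch`; `++ [ pkgs.notmuch ]` expresses the same list without the extra scope. The comment on the commented-out `zoom-frm` entry contains `%lt;C-x C-+>`, which looks like an HTML-entity typo for `<C-x C-+>`.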
@@ -1,82 +0,0 @@ -{ pkgs, ... }: -{ - services.espanso = { - package = pkgs.espanso-wayland; - # package = pkgs.espanso-wayland.overrideAttrs (_: { - # src = repoFlake.inputs.espanso; - - # cargoLock = { - # # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock"; - # lockFile = repoFlake.inputs.espanso + "/Cargo.lock"; - # outputHashes = { - # "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU="; - # }; - # }; - # }); - - enable = false; - configs = { - default = { - # backend = "Inject"; - # backend = "Clipboard"; - }; - }; - matches = - let - playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; - in - { - default = { - matches = [ - { - trigger = ":vpos"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeScript "espanso" '' - #! ${pkgs.python3}/bin/python - import subprocess, os, math, datetime - - id=str(os.getuid()) - result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) - result.check_returncode() - - position_secs = math.trunc(float(result.stdout)) - position_human = datetime.timedelta(seconds=position_secs) - print("%s - %s" % (position_human, position_secs)) - '') - ]; - }; - } - ]; - } - { - trigger = ":vtit"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ]; - }; - } - ]; - } - { - trigger = ":dunno"; - replace = "¯\\_(ツ)_/¯"; - } - { - trigger = ":shrug"; - replace = "¯\\_(ツ)_/¯"; - } - ]; - }; - }; - }; -} diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix index b9c575f..f93f020 100644 --- a/nix/home-manager/programs/firefox.nix +++ b/nix/home-manager/programs/firefox.nix 
@@ -1,451 +1,19 @@ -{ - repoFlake, - pkgs, - config, - lib, - ... +{ pkgs +, ... }: -let - # Search extension names with below command: - # nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY - ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [ - ublock-origin - # bypass-paywalls-clean (can't use, was creating popups) - consent-o-matic - terms-of-service-didnt-read - - auto-tab-discard - - # redirector # For nixos wiki - # darkreader - - facebook-container - control-panel-for-twitter - # containerise - facebook-tracking-removal - vimium - cookie-autodelete - auto-tab-discard - istilldontcareaboutcookies - - youtube-recommended-videos - - display-_anchors - ]; - - customAddons = [ - - ]; - - search = { - force = true; - default = "ddg"; - privateDefault = "ddg"; - - order = [ - "ddg" - "ecosia" - "google" - ]; - }; - - mkProfile = - override: - lib.recursiveUpdate { - extensions.packages = ryceeAddons ++ customAddons; - inherit search; - - settings = { - # automatically enable extensions - "extensions.autoDisableScopes" = 0; - - "middlemouse.paste" = false; - - "browser.download.useDownloadDir" = false; - "browser.tabs.insertAfterCurrent" = true; - "browser.tabs.warnOnClose" = true; - "browser.toolbars.bookmarks.visibility" = "never"; - "browser.quitShortcut.disabled" = false; - - # restore the previous session automatically - "browser.startup.page" = 3; - "browser.sessionstore.resume_from_crash" = true; - "browser.sessionstore.restore_pinned_tabs_on_demand" = true; - "browser.sessionstore.restore_on_demand" = true; - - "browser.urlbar.suggest.bookmark" = true; - "browser.urlbar.suggest.engines" = true; - "browser.urlbar.suggest.history" = true; - "browser.urlbar.suggest.openpage" = true; - "browser.urlbar.suggest.topsites" = false; - "browser.urlbar.trimHttps" = true; - - "sidebar.position_start" = false; - "findbar.highlightAll" = true; - - 
"browser.tabs.hoverPreview.enabled" = true; - - # Disable fx accounts - "identity.fxaccounts.enabled" = false; - # Disable "save password" prompt - "signon.rememberSignons" = false; - # Harden - "privacy.trackingprotection.enabled" = true; - "dom.security.https_only_mode" = true; - - # Disable irritating first-run stuff - "browser.disableResetPrompt" = true; - "browser.download.panel.shown" = true; - "browser.feeds.showFirstRunUI" = false; - "browser.messaging-system.whatsNewPanel.enabled" = false; - "browser.rights.3.shown" = true; - "browser.shell.checkDefaultBrowser" = false; - "browser.shell.defaultBrowserCheckCount" = 1; - "browser.startup.homepage_override.mstone" = "ignore"; - "browser.uitour.enabled" = false; - "startup.homepage_override_url" = ""; - "trailhead.firstrun.didSeeAboutWelcome" = true; - "browser.bookmarks.restore_default_bookmarks" = false; - "browser.bookmarks.addedImportButton" = true; - - # Disable "Save to Pocket" or Pocket entirely - "extensions.pocket.enabled" = false; - - # Disable telemetry - "toolkit.telemetry.enabled" = false; - "toolkit.telemetry.unified" = false; - "toolkit.telemetry.archive.enabled" = false; - "datareporting.healthreport.uploadEnabled" = false; - "app.shield.optoutstudies.enabled" = false; - "browser.discovery.enabled" = false; - "browser.newtabpage.activity-stream.feeds.telemetry" = false; - "browser.newtabpage.activity-stream.telemetry" = false; - "browser.ping-centre.telemetry" = false; - "datareporting.healthreport.service.enabled" = false; - "datareporting.policy.dataSubmissionEnabled" = false; - "datareporting.sessions.current.clean" = true; - "devtools.onboarding.telemetry.logged" = false; - "toolkit.telemetry.bhrPing.enabled" = false; - "toolkit.telemetry.firstShutdownPing.enabled" = false; - "toolkit.telemetry.hybridContent.enabled" = false; - "toolkit.telemetry.newProfilePing.enabled" = false; - "toolkit.telemetry.prompted" = 2; - "toolkit.telemetry.rejected" = true; - 
"toolkit.telemetry.reportingpolicy.firstRun" = false; - "toolkit.telemetry.server" = ""; - "toolkit.telemetry.shutdownPingSender.enabled" = false; - "toolkit.telemetry.unifiedIsOptIn" = false; - "toolkit.telemetry.updatePing.enabled" = false; - - # Disable any feeds on the new tab page - "browser.newtabpage.activity-stream.showTopSites" = false; - "browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ]; - "browser.newtabpage.activity-stream.discoverystream.enabled" = false; - "browser.newtabpage.activity-stream.feeds.topsites" = false; - "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; - "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false; - "browser.newtabpage.blocked" = lib.genAttrs [ - # Youtube - "26UbzFJ7qT9/4DhodHKA1Q==" - # Facebook - "4gPpjkxgZzXPVtuEoAL9Ig==" - # Wikipedia - "eV8/WsSLxHadrTL1gAxhug==" - # Reddit - "gLv0ja2RYVgxKdp0I5qwvA==" - # Amazon - "K00ILysCaEq8+bEqV/3nuw==" - # Twitter - "T9nJot5PurhJSy8n038xGA==" - ] (_: 1); - "browser.topsites.blockedSponsors" = [ - "adidas" - "temuaffiliateprogram.pxf" - "s.click.aliexpress" - ]; - - # enable userChrome - "toolkit.legacyUserProfileCustomizations.stylesheets" = true; - "devtools.chrome.enabled" = true; - "devtools.debugger.remote-enabled" = true; - - # disable translations for some languages - "browser.translations.neverTranslateLanguages" = [ - "en" - "de" - ]; - "browser.translations.automaticallyPopup" = false; - - # enable pipewire (and libcamera) sources - "media.webrtc.camera.allow-pipewire" = true; - - }; - - userChrome = - let - name = override.color or colors.grey; - value = colorValues."${name}".normal; - valueBright = colorValues."${name}".highlight; - valueDark = colorValues."${name}".inactive; - in - '' - @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed once */ - - #nav-bar { - background-color: ${value} !important; - color: black !important; - } - - /* don't show close button 
on background tabs */ - #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button { - display: none !important; - } - - /* show close button on hover */ - #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button { - display: -moz-inline-box !important; - } - - - /* default */ - #TabsToolbar { - background: ${valueDark} !important; - } - - /* default tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content { - background: ${value} !important; - opacity: 0.8 - } - - /* selected tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content { - background: ${valueBright} !important; - box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19); - } - - /* hovered tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content { - background: ${valueBright} !important; - } - - /* unloaded/pending tab */ - #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content { - background: ${valueDark} !important; - } - ''; - - # /* new tab */ - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon { - # background: unset !important; - # } - - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button { - # /* background: var(--default_tabs_bg_newtab) !important; - # } - - # /* hovered new tab */ - # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover { - # background: var(--default_tabs_bg_newtab_hovered) !important; - # } - - } (builtins.removeAttrs override [ "color" ]); - - # TODO: insert the id automatically - mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs; - - colors = builtins.mapAttrs (name: _: name) colorValues; - - colorValues = { - blue = { - normal = "#49b1fc"; - highlight = "#05a9fc"; # Brighter blue - inactive = "#1f81c6"; # Darker blue - }; - green = { - normal = "#51cd00"; - highlight = "#5ae200"; # Brighter green - inactive = "#45ad00"; # Darker green - 
}; - orange = { - normal = "#ff9800"; - highlight = "#ffb74d"; # Brighter orange - inactive = "#c76a00"; # Darker orange - }; - red = { - normal = "#f6685e"; - highlight = "#ff4336"; # Brighter red - inactive = "#aa463f"; # Darker red - }; - yellow = { - normal = "#fced4b"; - highlight = "#fce705"; # Brighter yellow - inactive = "#dbbe00"; # Darker yellow - }; - purple = { - normal = "#9c27b0"; - highlight = "#ab47bc"; # Brighter purple - inactive = "#7b1fa2"; # Darker purple - }; - pink = { - normal = "#e91e63"; - highlight = "#ff6090"; # Brighter pink - inactive = "#c2185b"; # Darker pink - }; - brown = { - normal = "#795548"; - highlight = "#a88b6f"; # Brighter brown - inactive = "#4e3b30"; # Darker brown - }; - grey = { - normal = "#9e9e9e"; - highlight = "#bdbdbd"; # Brighter grey - inactive = "#757575"; # Darker grey - }; - teal = { - normal = "#009688"; - highlight = "#26c6da"; # Brighter teal - inactive = "#00796b"; # Darker teal - }; - }; - -in { - nixpkgs.overlays = [ - repoFlake.inputs.nur.overlays.default - ]; - - nixpkgs.config.allowUnfreePredicate = - pkg: - builtins.elem (lib.getName pkg) [ - "youtube-recommended-videos" - ]; - - programs.librewolf = { - enable = false; - }; programs.firefox = { enable = true; - package = pkgs.firefox; - - profiles = - lib.filterAttrs (_: v: config.home.username == "steveej" || (v.isDefault or false)) - (mkProfiles { - "personal" = mkProfile { - id = 0; - isDefault = true; - color = colors.blue; - }; - "comms" = mkProfile { - id = 1; - color = colors.blue; - }; - "admin" = mkProfile { - id = 2; - color = colors.blue; - }; - "infra" = mkProfile { - id = 3; - color = colors.blue; - }; - "finance" = mkProfile { - id = 4; - color = colors.yellow; - }; - "business-admin" = mkProfile { - id = 5; - color = colors.teal; - }; - "business-comms" = mkProfile { - id = 6; - color = colors.teal; - }; - "business-dev" = mkProfile { - id = 7; - color = colors.teal; - }; - "holo-dev" = mkProfile { - id = 8; - color = colors.green; - 
}; - "holo-infra" = mkProfile { - id = 9; - color = colors.green; - }; - "holo-comms" = mkProfile { - id = 10; - color = colors.green; - }; - "justyna" = mkProfile { - id = 11; - color = colors.pink; - }; - "justyna-office" = mkProfile { - id = 12; - color = colors.pink; - }; - "tech-research" = mkProfile { - id = 13; - color = colors.purple; - }; - }); - - # policies = { - # # search via policy. the other one doesn't always work because of schema version mismatch - # SearchEngines = { - # Default = "Qwant"; - # PreventInstalls = true; - - # Add = [ - # { - # Method = "GET"; - # Alias = "qwant"; - # Description = "Description"; - # # PostData= "name=value&q={searchTerms}"; - - # Name = "Qwant"; - # SuggestURLTemplate = "https://api.qwant.com/api/suggest/?q={searchTerms}"; - # URLTemplate = "https://www.qwant.com/?q={searchTerms}"; - # } - # ]; - # }; - # }; - + enableAdobeFlash = false; }; - # create one desktop entry for each profile - xdg.desktopEntries = lib.mapAttrs' ( - k: _v: - lib.nameValuePair "firefox-profile-${k}" { - categories = [ - "Network" - "WebBrowser" - ]; - exec = "${lib.getExe config.programs.firefox.package} -P ${k}"; - genericName = "Web Browser"; - icon = - builtins.replaceStrings [ ".desktop" ] [ "" ] - config.programs.firefox.package.desktopItem.name; - mimeType = [ - "text/html" - "text/xml" - "application/xhtml+xml" - "application/vnd.mozilla.xul+xml" - "x-scheme-handler/http" - "x-scheme-handler/https" - ]; - name = "Firefox: ${k}"; - startupNotify = true; - settings.StartupWMClass = - # To group windows of different profiles. - # Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name. 
- #if profile.name == "default"
- #then "firefox"
- #else "firefox-${profile.name}";
- "firefox";
- terminal = false;
- type = "Application";
- }
- ) config.programs.firefox.profiles;
+ programs.browserpass = {
+ browsers = [
+ "firefox"
+ ];
+ };
+
+ home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json";
 }
+
diff --git a/nix/home-manager/programs/gpg-agent.nix b/nix/home-manager/programs/gpg-agent.nix
deleted file mode 100644
index 6357087..0000000
--- a/nix/home-manager/programs/gpg-agent.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- lib,
- pkgs,
- osConfig,
- ...
-}:
-{
- home.packages = [ pkgs.gcr ];
-
- programs.gpg.enable = true;
- services.gpg-agent = {
- enable = true;
- enableScDaemon = !osConfig.services.pcscd.enable;
- enableSshSupport = true;
- grabKeyboardAndMouse = true;
- pinentry.package = lib.mkDefault pkgs.pinentry-gtk2;
- extraConfig = ''
- no-allow-external-cache
- '';
-
- defaultCacheTtl = 0;
- maxCacheTtl = 0;
- };
-}
diff --git a/nix/home-manager/programs/homeshick.nix b/nix/home-manager/programs/homeshick.nix
index 4ba0dfe..dc05362 100644
--- a/nix/home-manager/programs/homeshick.nix
+++ b/nix/home-manager/programs/homeshick.nix
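Review bot: After this rewrite `programs.firefox` carries no profile settings at all, so the removed hardening prefs — `dom.security.https_only_mode`, `privacy.trackingprotection.enabled`, `signon.rememberSignons = false` and the telemetry opt-outs — fall back to Firefox's stock defaults, and nothing on the new side records that this is intended. If the `profiles` machinery was dropped on purpose, a minimal `profiles.default.settings = { "dom.security.https_only_mode" = true; "privacy.trackingprotection.enabled" = true; "signon.rememberSignons" = false; };` would keep the most important ones, assuming the target home-manager version still offers `profiles`. The `home.file` entry registers `passff-host` as a native-messaging host for the browser, which is a trust decision worth a comment, e.g. `# passff native host: lets the passff extension talk to the local pass store`.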
@@ -1,29 +1,38 @@ -{ pkgs, config, ... }: -{ - home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; +{ pkgs +, config +, ... +}: - home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] '' +let + # TODO: clean up the impurity in here + +in { + home.sessionVariables = { + HOMESHICK_DIR="${pkgs.homeshick}"; + }; + + home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] '' $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' - set -e - echo home-manager path is ${config.home.path} - echo home is $HOME + set -e + echo home-manager path is ${config.home.path} + echo home is $HOME - source ${pkgs.homeshick}/homeshick.sh - type homeshick - - # echo Updating homeshick - # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick - # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick + source ${pkgs.homeshick}/homeshick.sh + type homeshick + + # echo Updating homeshick + # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick + # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick ''}; ''; nixpkgs.config = { - packageOverrides = - pkgs: with pkgs; { - homeshick = builtins.fetchGit { - url = "https://github.com/andsens/homeshick.git"; - ref = "master"; - }; + + packageOverrides = pkgs: with pkgs; { + homeshick = builtins.fetchGit { + url = "https://github.com/andsens/homeshick.git"; + ref = "master"; }; + }; }; } diff --git a/nix/home-manager/programs/libreoffice.nix b/nix/home-manager/programs/libreoffice.nix index 2091dc8..7edf5b9 100644 --- a/nix/home-manager/programs/libreoffice.nix +++ b/nix/home-manager/programs/libreoffice.nix @@ -1,8 +1,14 @@ -{ pkgs, nodeFlake, ... }: +{ pkgs, +... +}: -let - pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system}; -in { - home.packages = [ pkgsStable.libreoffice ]; + home.sessionVariables = { + # Workaround for Libreoffice to force gtk3 + SAL_USE_VCLPLUGIN = "gtk3"; + }; + + home.packages = with pkgs; [ + libreoffice-fresh + ]; } 
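Review bot: `builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; }` under `packageOverrides` carries no `rev`, so the activation script's `source ${pkgs.homeshick}/homeshick.sh` runs whatever the branch head happens to be at evaluation time, and a plain rebuild can pull new shell code into the home directory without a visible change in this repository. Adding `rev = "<commit-sha>";` (placeholder) next to `ref` pins the evaluation and lets the fetched commit be reviewed before it is sourced; the `# TODO: clean up the impurity in here` left in the new `let` suggests this is already known. The unpinned form was present before the reformat as well, so this is a pre-existing gap rather than one the commit introduces.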
diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix
index fa5c94a..3f6fa44 100644
--- a/nix/home-manager/programs/neovim.nix
+++ b/nix/home-manager/programs/neovim.nix
@@ -1,163 +1,166 @@ -{ repoFlake, pkgs, ... }: -{ - imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; +{ pkgs, +... +}: - programs.nixvim = { - enable = true; - defaultEditor = true; - vimdiffAlias = true; - vimAlias = true; +let + unstablepkgs = import {}; - extraPython3Packages = ps: with ps; [ ]; +in { + home.sessionVariables = { + EDITOR = "nvim"; + }; - # extraConfigVim = builtins.readFile ./neovim/vimrc; - - clipboard = { - register = "unnamedplus"; - providers.wl-copy.enable = true; + nixpkgs.config = { + pidgin = { + openssl = true; + gnutls = true; }; - plugins = { - airline = { - enable = true; - settings = { - powerline_fonts = 1; - skip_empty_sections = 1; - theme = "papercolor"; + packageOverrides = pkgs: with pkgs; { + neovim = unstablepkgs.neovim; + vimPlugins = unstablepkgs.vimPlugins; + }; + }; + + programs.neovim = { + enable = true; + + extraPythonPackages = (ps: with ps; [ ]); + extraPython3Packages = (ps: with ps; [ ]); + + configure = { + customRC = builtins.readFile ./neovim/vimrc; + vam = { + knownPlugins = with pkgs; vimPlugins // { + delimitMate = vimUtils.buildVimPlugin { + name = "delimitMate-vim"; + src = fetchFromGitHub { + owner = "Raimondi"; + repo = "delimitMate"; + rev = "728b57a6564c1d2bdfb9b9e0f2f8c5ba3d7e0c5c"; + sha256 = "0fskm9gz81dk8arcidrm71mv72a7isng1clssqkqn5wnygbiimsn"; + }; + buildInputs = [ zip vim ]; + }; + + yaml-folds = vimUtils.buildVimPlugin { + name = "vim-yaml-folds"; + src = fetchFromGitHub { + owner = "pedrohdz"; + repo = "vim-yaml-folds"; + rev = "0672d9a3b685b51b4c49d8716c2ad4e27cfa5abd"; + sha256 = "0yp2jgaqiria79lh75fkrs77rw7nk518bq63w9bvyy814i7s4scn"; + }; + buildInputs = [ zip vim ]; + }; + + vim-yaml = vimUtils.buildVimPlugin { + name = "vim-yaml"; + src = fetchFromGitHub { + owner = "stephpy"; + repo = "vim-yaml"; + rev = "e97e063b16eba4e593d620676a0a15fa98613979"; + sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; + }; + }; + + + vim-markdown-toc = vimUtils.buildVimPlugin 
{ + name = "vim-markdown-toc"; + src = fetchFromGitHub { + owner = "mzlogin"; + repo = "vim-markdown-toc"; + rev = "a6e227023f405a7c39590a8aaf0d54dde5614a2e"; + sha256 = "1vpsnjzc7hvrkp6mq68myxl3k1x363iif58rrd17njcsa4jh1zwy"; + }; + }; + vim-perl = vimUtils.buildVimPlugin { + name = "vim-perl"; + src = fetchFromGitHub { + owner = "vim-perl"; + repo = "vim-perl"; + rev = "21d0a0d795336acf8a9306da35f379c32cfc5e08"; + sha256 = "0f2sa0v3djd89k16n4saji9n7grziyhkljq75dskcbv8r19m8i1j"; + }; + }; + + git-blame = vimUtils.buildVimPlugin { + name = "git-blame"; + src = fetchFromGitHub { + "owner" = "zivyangll"; + "repo" = "git-blame.vim"; + "rev" = "a5b666840eead1b1ea1c351038da6ce026716bb6"; + "sha256" = "181siphb87yzln9433159ssa6vmm1h2dd0kqhlx7bgsi51gng4rv"; + }; + }; + + tlib = vimPlugins.tlib_vim; }; - }; - fugitive.enable = true; - gitblame.enable = true; - lsp = { - enable = true; - }; - nix.enable = true; + pluginDictionaries = let + default = [ + "delimitMate" + "vim-airline" + "vim-airline-themes" + "ctrlp" + "vim-css-color" + "rainbow_parentheses" + "vim-colorschemes" + "vim-colorstepper" + "vim-signify" + "fugitive" + "vim-indent-guides" + "UltiSnips" + "fzfWrapper" - # TODO: enable in next release - # numbertoggle.enable = true; + "ncm2" + "ncm2-bufword" + "ncm2-path" + "ncm2-tmux" + "ncm2-ultisnips" + "nvim-yarp" - # successfor to ctrlp and fzf - telescope.enable = true; + "LanguageClient-neovim" - todo-comments.enable = true; + "Improved-AnsiEsc" + "tabular" + "git-blame" - toggleterm.enable = true; + # Nix + "vim-addon-nix" "tlib" + "vim-addon-vim2nix" - treesitter = { - enable = true; + # LaTeX + "vim-latex-live-preview" + "vimtex" - grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [ - bash - json - lua - make - markdown - nix - regex - toml - vim - vimdoc - xml - yaml + # YAML + "yaml-folds" + "vim-yaml" + + # Perl + # "vim-perl" + + + # markdown + "vim-markdown" + "vim-markdown-toc" + + # misc syntax support + "vim-bazel" "maktaba" + ]; 
+ in [ + { names = default; } + { names = default ++ [ + ]; + filename_regex = ".*\.nix\$"; + } + { names = default ++ [ + ]; + filename_regex = ".*\.tex\$"; + } ]; }; - - treesitter-context.enable = true; - treesitter-refactor.enable = true; - - # This plugin trims trailing whitespace and lines. - trim.enable = true; - - web-devicons.enable = true; }; - - # plugins = with pkgs; - # [ - # # yaml-folds - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-yaml-folds"; - # src = fetchFromGitHub { - # owner = "pedrohdz"; - # repo = "vim-yaml-folds"; - # rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; - # sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; - # }; - # buildInputs = [zip vim]; - # }; - # } - - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-yaml"; - # src = fetchFromGitHub { - # owner = "stephpy"; - # repo = "vim-yaml"; - # rev = "e97e063b16eba4e593d620676a0a15fa98613979"; - # sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; - # }; - # }; - # } - - # { - # plugin = vimUtils.buildVimPlugin { - # name = "git-blame"; - # src = fetchFromGitHub { - # "owner" = "zivyangll"; - # "repo" = "git-blame.vim"; - # "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; - # "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; - # }; - # }; - # } - # ] - # ++ (with pkgs.vimPlugins; [ - # delimitMate - # vim-airline - # vim-airline-themes - # ctrlp - # vim-css-color - # rainbow_parentheses - # vim-colorschemes - # vim-colorstepper - # vim-signify - # fugitive - # vim-indent-guides - # UltiSnips - # fzfWrapper - - # ncm2 - # ncm2-bufword - # ncm2-path - # ncm2-tmux - # ncm2-ultisnips - # nvim-yarp - - # LanguageClient-neovim - - # Improved-AnsiEsc - # tabular - - # # Nix - # vim-addon-nix - # tlib - # vim-addon-vim2nix - - # # LaTeX - # vim-latex-live-preview - # vimtex - - # # YAML - # vim-yaml - - # # markdown - # vim-markdown - # vim-markdown-toc - - # # misc syntax support - # vim-bazel - # maktaba - # ]); }; 
} diff --git a/nix/home-manager/programs/neovim/vimrc b/nix/home-manager/programs/neovim/vimrc index f3cb42b..21987f5 100644 --- a/nix/home-manager/programs/neovim/vimrc +++ b/nix/home-manager/programs/neovim/vimrc @@ -46,11 +46,9 @@ noremap :tabp let g:ctrlp_map = '' set wildignore+=*/site/*,*.so,*.swp,*.zip let g:ctrlp_custom_ignore = { -\ 'dir': '\v[\/]\.(git|hg|svn)$$', +\ 'dir': '\v[\/]\.(git|hg|svn|)$$', \ 'file': '\v\.(exe|so|dll)$$', \ } -"let g:ctrlp_max_files=0 -"let g:ctrlp_max_depth=1000 "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' } "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict' diff --git a/nix/home-manager/programs/obs-studio.nix b/nix/home-manager/programs/obs-studio.nix deleted file mode 100644 index d99747d..0000000 --- a/nix/home-manager/programs/obs-studio.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ pkgs, lib, ... }: -{ - programs.obs-studio = { - enable = true; - plugins = - builtins.map - ( - plugin: - (plugin.overrideAttrs (attrs: { - meta = lib.mkMerge [ - { inherit (attrs) meta; } - { meta.platforms = [ pkgs.stdenv.system ]; } - ]; - })) - ) - ( - with pkgs.obs-studio-plugins; - [ - # wlrobs - obs-backgroundremoval - obs-pipewire-audio-capture - ] - ); - }; -} diff --git a/nix/home-manager/programs/openvscode-server.nix b/nix/home-manager/programs/openvscode-server.nix deleted file mode 100644 index 4b01360..0000000 --- a/nix/home-manager/programs/openvscode-server.nix +++ /dev/null 
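Review bot: `unstablepkgs = import {};` at the top of the new `let` has no path argument and does not evaluate as written; if the source actually reads `import <nixpkgs-unstable> {}` and the angle-bracket path was lost in rendering, it resolves through `NIX_PATH`, so `neovim` and `vimPlugins` come from an unpinned channel while the `fetchFromGitHub` plugins further down are pinned by `rev` and `sha256`. Pinning that import the same way (a fetch with a fixed `rev`, or taking the package set from the module arguments) keeps the file reproducible. Separately, `filename_regex = ".*\.nix\$"` and `".*\.tex\$"` appear to expect `\.` to reach the regex engine, but Nix consumes the backslash inside a double-quoted string, so a literal dot needs `"\\."`.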
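Review bot: The empty alternative added in `'\v[\/]\.(git|hg|svn|)$$'` makes the `dir` pattern also match a path ending in `/.`, which does not look intended. If a further directory was meant to be ignored its name is missing after the last `|`; otherwise the trailing `|` should be dropped: `'dir': '\v[\/]\.(git|hg|svn)$$',`.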
@@ -1,37 +0,0 @@ -{ pkgs, repoFlake, ... }: -let - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; -in -{ - home.packages = [ - pkgs.nil - pkgs.nixd - pkgs.nixfmt-rfc-style - - # TODO: automate linking this - # 1. get the commit with: `codium --version` - # 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/` - # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/ - - /* - e.g.: - ``` - ( - set -e - export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') - ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" - ) - ``` - */ - - (pkgsVscodium.openvscode-server.overrideAttrs (attrs: { - src = repoFlake.inputs.openvscode-server; - version = "1.94.2"; - yarnCache = attrs.yarnCache.overrideAttrs (_: { - outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt="; - }); - })) - - pkgs.waypipe - ]; -} diff --git a/nix/home-manager/programs/pass.nix b/nix/home-manager/programs/pass.nix index 43805e0..5b892f5 100644 --- a/nix/home-manager/programs/pass.nix +++ b/nix/home-manager/programs/pass.nix 
@@ -1,17 +1,23 @@ -{ repoFlake, pkgs, ... }: +{ pkgs +, ... +}: + { - # required by pass-otp - # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; - # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; - # programs.browserpass.enable = true; + home.sessionVariables = { + # required by pass-otp + PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; + PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; + }; + + programs.browserpass = { + enable = true; + }; - home.packages = [ - pkgs.gnupg - - # broken on wayland - # rofi-pass - - (pkgs.callPackage repoFlake.lib.prsFn { - }) + home.packages = with pkgs; [ + pass-otp + qtpass + rofi-pass + gnupg ]; } + diff --git a/nix/home-manager/programs/podman.nix b/nix/home-manager/programs/podman.nix new file mode 100644 index 0000000..193e981 --- /dev/null +++ b/nix/home-manager/programs/podman.nix 
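Review bot: `PASSWORD_STORE_ENABLE_EXTENSIONS = "true"` together with `PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"` makes `pass` source extension scripts from a path resolved at runtime through the user profile, which is outside what this module declares and changes with whatever else is installed into that profile. nixpkgs offers the declarative form `pass.withExtensions (exts: [ exts.pass-otp ])` in `home.packages`, which bakes the extension into the wrapper and makes both variables unnecessary. If the variables are kept, a comment stating which extensions are expected in that directory and why the profile path is used would help the next reader.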
@@ -0,0 +1,160 @@ +{ pkgs +, ... +}: + +let + cniConfigDir = let + loopback = pkgs.writeText "00-loopback.conf" '' + { + "cniVersion": "0.3.0", + "type": "loopback" + } + ''; + + podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ''; + in pkgs.runCommand "cniConfig" {} '' + set -x + mkdir $out; + ln -s ${loopback} $out/${loopback.name} + ln -s ${podman-bridge} $out/${podman-bridge.name} + ''; + + containersConf = pkgs.writeText "containers.conf" '' + # containers.conf is the default configuration file for all tools using libpod to + # manage containers + + # Default transport method for pulling and pushing for images + image_default_transport = "docker://" + + # Paths to search for the conmon container manager binary. If the paths are empty or no valid path was found, then the $PATH environment variable will be used as the fallback. + conmon_path = [ + "${pkgs.conmon}/bin/conmon" + ] + + # --runtime ${pkgs.crun}/bin/crun \ + runtime = "crun" + + # Environment variables to pass into conmon + conmon_env_vars = [ + ] + + # CGroup Manager - valid values are "systemd" and "cgroupfs" + # cgroup_manager = "systemd" + cgroup_manager = "cgroupfs" + + # Maximum size of log files (in bytes) + # -1 is unlimited + max_log_size = -1 + + # Whether to use chroot instead of pivot_root in the runtime + no_pivot_root = false + + # Directory containing CNI plugin configuration files + cni_config_dir = "${cniConfigDir}" + + # Directories where the CNI plugin binaries may be located + cni_plugin_dir = [ + "${pkgs.cni-plugins}/bin" + ] + + # Default CNI network for libpod. 
+ # If multiple CNI network configs are present, libpod will use the network with + # the name given here for containers unless explicitly overridden. + # The default here is set to the name we set in the + # 87-podman-bridge.conflist included in the repository. + # Not setting this, or setting it to the empty string, will use normal CNI + # precedence rules for selecting between multiple networks. + cni_default_network = "podman" + + # Default libpod namespace + # If libpod is joined to a namespace, it will see only containers and pods + # that were created in the same namespace, and will create new containers and + # pods in that namespace. + # The default namespace is "", which corresponds to no namespace. When no + # namespace is set, all containers and pods are visible. + #namespace = "" + + # Default pause image name for pod pause containers + pause_image = "k8s.gcr.io/pause:3.1" + + # Default command to run the pause container + pause_command = "/pause" + + # Determines whether libpod will reserve ports on the host when they are + # forwarded to containers. When enabled, when ports are forwarded to containers, + # they are held open by conmon as long as the container is running, ensuring that + # they cannot be reused by other programs on the host. However, this can cause + # significant memory usage if a container has many ports forwarded to it. + # Disabling this can save memory. 
+ enable_port_reservation = true + + # Default libpod support for container labeling + # label=true + ''; +in { + home.packages = with pkgs; [ + podman + ]; + + home.file.".config/containers/containers.conf".source = containersConf; + + home.file.".config/containers/registries.conf".text = '' + [registries.search] + registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org'] + + [registries.insecure] + registries = [] + + #blocked (docker only) + [registries.block] + registries = [] + ''; + + home.file.".config/containers/storage.conf".text = '' + [storage] + driver = "btrfs" + ''; + + home.file.".config/containers/policy.json".text = '' + { + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": + { + "docker-daemon": + { + "": [{"type":"insecureAcceptAnything"}] + } + } + } + ''; +} diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix deleted file mode 100644 index be31268..0000000 --- a/nix/home-manager/programs/radicale.nix +++ /dev/null 
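Review bot: `policy.json` sets `"default": [{ "type": "insecureAcceptAnything" }]` and the same for the `docker-daemon` transport, so no image pulled from any registry listed in `registries.conf` is signature-checked, and nothing in the file records that this is intended. A comment on the `home.file.".config/containers/policy.json"` line such as `# signature verification disabled for all transports; see containers-policy.json(5) for "signedBy" entries to require signatures per registry` makes the trade-off visible where it is configured. `pause_image = "k8s.gcr.io/pause:3.1"` is a tag rather than a digest, so the pause container is not pinned either. The whole file is new, so all of this is on the side under review.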
@@ -1,89 +0,0 @@ -{ - config, - lib, - pkgs, - osConfig, - ... -}: -let - libdecsync = pkgs.python3Packages.buildPythonPackage rec { - pname = "libdecsync"; - version = "2.2.1"; - - src = pkgs.python3Packages.fetchPypi { - inherit pname version; - hash = "sha256-Mukjzjumv9VL+A0maU0K/SliWrgeRjAeiEdN5a83G0I="; - }; - - propagatedBuildInputs = [ - # pkgs.libxcrypt-legacy - ]; - }; - radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec { - pname = "radicale_storage_decsync"; - version = "2.1.0"; - - src = pkgs.python3Packages.fetchPypi { - inherit pname version; - hash = "sha256-X+0MT5o2PjsKxca5EDI+rYyQDmUtbRoELDr6e4YXKCg="; - }; - - buildInputs = [ - pkgs.radicale - # pkgs.libxcrypt-legacy - # pkgs.libxcrypt - ]; - - nativeCheckInputs = [ - # pkgs.libxcrypt-legacy - # pkgs.libxcrypt - ]; - - propagatedBuildInputs = [ - libdecsync - pkgs.python3Packages.setuptools - ]; - }; - radicale-decsync = pkgs.radicale.overrideAttrs (old: { - propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; - }); - - mkRadicaleService = - { suffix, port }: - let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} - - [auth] - type = htpasswd - htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt - - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} - ''; - in - { - systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; - }; - Install.WantedBy = [ "default.target" ]; - }; - }; -in -builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ - { - suffix = "personal"; - port = 5232; - } - { - suffix = "family"; - port = 
5233; - } -] diff --git a/nix/home-manager/programs/redshift.nix b/nix/home-manager/programs/redshift.nix deleted file mode 100644 index 9e45594..0000000 --- a/nix/home-manager/programs/redshift.nix +++ /dev/null @@ -1,28 +0,0 @@ -_: -let - passwords = import ../../variables/passwords.crypt.nix; -in -{ - services.gammastep = { - enable = true; - provider = "manual"; - enableVerboseLogging = true; - inherit (passwords.location.stefan) longitude latitude; - temperature = { - # day = 6700; - day = 3000; - night = 3000; - }; - tray = true; - settings = { - general = { - adjustment-method = "wayland"; - }; - gammastep = { - # brightness-day = 1.0; - brightness-day = 0.5; - brightness-night = 0.5; - }; - }; - }; -} diff --git a/nix/home-manager/programs/salut.nix b/nix/home-manager/programs/salut.nix deleted file mode 100644 index 415e3be..0000000 --- a/nix/home-manager/programs/salut.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ pkgs, packages', ... }: -# useful testing command: -# for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done -let - inherit (import ../lib.nix { }) mkSimpleTrayService; -in -{ - home.packages = [ packages'.salut ]; - - xdg.configFile."salut/config.ini" = { - enable = true; - text = '' - [notifications] - timeout = 5000 - - [window] - auto-hide = true - anchor = bottom-right - transition = slidebottom - - [mode] - single = true - - [style] - preference = dark - ''; - onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; - }; - - systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; -} diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index 676829c..6e54887 100644 --- a/nix/home-manager/programs/vscode/default.nix +++ b/nix/home-manager/programs/vscode/default.nix 
@@ -1,134 +1,483 @@ -{ - config, - pkgs, - repoFlake, - lib, - ... -}: +{ pkgs, ... }: + let - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; + packagedExtensions = with pkgs.vscode-extensions; [ + bbenoist.Nix + ms-vscode-remote.remote-ssh + ]; + + marketPlaceExtensions = pkgs.vscode-utils.extensionsFromVscodeMarketplace [ + { + name = "vim"; + publisher = "vscodevim"; + version = "1.17.1"; + sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1"; + } + { + name = "remote-ssh-edit"; + publisher = "ms-vscode-remote"; + version = "0.56.0"; + sha256 = "1gy03ff2xqg7q3y4j47z2l94x5gbw0mjd5h4cl3n0q3iaswk1c1r"; + } + { + name = "Theme-NaturalContrast-With-HC"; + publisher = "74th"; + version = "1.0.0"; + sha256 = "1wxwk059znkflip0c8hyqdfq0h15n4idmff4bnnfdggiqjwhr5rm"; + } + { + name = "markdown-toc"; + publisher = "AlanWalk"; + version = "1.5.6"; + sha256 = "0hh38i2dpmrm2akcd4jkxchp6b374m5jzcqm1jqqmkqjmlig7qm5"; + } + { + name = "Paper-tmTheme"; + publisher = "DiryoX"; + version = "0.4.0"; + sha256 = "0l8hgbwwg87ysfb22rvwgmkk91i4vjd0kgi30c1bn26bm2pd1gw0"; + } + { + name = "Monokai-Polished"; + publisher = "Mit"; + version = "0.3.1"; + sha256 = "11h7sfwp9ikwc8z6bkyxk1678ymfpff8i2p876b208yrq8dy2kr1"; + } + { + name = "dot"; + publisher = "Stephanvs"; + version = "0.0.1"; + sha256 = "0rq0wvnbcggg4zb4swxym77knfjma0v9lwf3x45p22qsqx2crvgf"; + } + { + name = "rust-snippets"; + publisher = "ZakCodes"; + version = "0.0.1"; + sha256 = "152i23mh8j2l26zpwid3hllxc2abkhr3g939rvxk8bry137vryy2"; + } + { + name = "better-comments"; + publisher = "aaron-bond"; + version = "2.1.0"; + sha256 = "0kmmk6bpsdrvbb7dqf0d3annpg41n9g6ljzc1dh0akjzpbchdcwp"; + } + { + name = "vscode-icalendar"; + publisher = "af4jm"; + version = "1.0.1"; + sha256 = "0g15f2595ayy9ch4f2ccd8prc51q1mwslilk8sk2ldsmdksaya79"; + } + { + name = "hugofy"; + publisher = "akmittal"; + version = "0.1.1"; + sha256 = "02rjwmy7z4qfxws8lgdki53q4b2hjklxn2nlxx3w04kahr759dlg"; + } + { 
+ name = "asciidoctor-vscode"; + publisher = "asciidoctor"; + version = "2.8.4"; + sha256 = "0j019vwmd83mbc75kfcqzmpvqzsp3s595cgh6n9978k9q0zjrqad"; + } + { + name = "markdown-preview-github-styles"; + publisher = "bierner"; + version = "0.1.6"; + sha256 = "1plj6a1hgbhb740zbw4pbnk7919cx1s6agf5xiiqbb9485x2pqiw"; + } + { + name = "made-of-code"; + publisher = "brian-yu"; + version = "0.0.5"; + sha256 = "1cmw63vrpzxv8vkgq674xa2wqqag0a8spr623ngi87925f17p965"; + } + { + name = "better-toml"; + publisher = "bungcip"; + version = "0.3.2"; + sha256 = "08lhzhrn6p0xwi0hcyp6lj9bvpfj87vr99klzsiy8ji7621dzql3"; + } + { + name = "tabulous"; + publisher = "bwildeman"; + version = "1.2.0"; + sha256 = "0hbp345i19ncvn1v792nr257gmw0nz09nhjniiypnzvz9wszw2j9"; + } + { + name = "bracket-pair-colorizer"; + publisher = "CoenraadS"; + version = "1.0.61"; + sha256 = "0r3bfp8kvhf9zpbiil7acx7zain26grk133f0r0syxqgml12i652"; + } + { + name = "mustache"; + publisher = "dawhite"; + version = "1.1.1"; + sha256 = "1j8qn5grg8v3n3v66d8c77slwpdr130xzpv06z1wp2bmxhqsck1y"; + } + { + name = "vscode-nomnoml"; + publisher = "doctorrustynelson"; + version = "0.3.0"; + sha256 = "07nr6n5ai8m6rap8av47mqi3vv6zchymiqfw8jlbl4hsryszyr43"; + } + { + name = "gitlens"; + publisher = "eamodio"; + version = "11.0.5"; + sha256 = "1fi8j5r6cd82a50hv2lwzqnvyvhxf9waamkviyh0wyqi5i1k4q88"; + } + { + name = "monokai-light"; + publisher = "ethansugar"; + version = "0.2.1"; + sha256 = "1xn74arpv58hwdywaxvv9xhljl23wsqdpyfrgn9nvd29gsiz71w0"; + } + { + name = "Theme-Monokai-Contrast"; + publisher = "gerane"; + version = "0.0.5"; + sha256 = "1m1n1izdjgng0q3yljccwjxj0s60p5nfw3hlw7hb467a1wz479pm"; + } + { + name = "Theme-snappy-light"; + publisher = "gerane"; + version = "0.0.5"; + sha256 = "0syrm921l4lka6dmg258c2zi0a758acvcs8y0qm0kjim7h7xxf0w"; + } + { + name = "vscode-pull-request-github"; + publisher = "GitHub"; + version = "0.21.3"; + sha256 = "0p03v6y1gh62jby74vkhi897mzj8dg9xb561v0b99x81r9zhwqw0"; + } + { + name = "go"; + publisher 
= "golang"; + version = "0.19.0"; + sha256 = "1xr2c4xn0w68fdcbm8d2wqfb9dxf03w38367ghycrzmz2p4syr98"; + } + { + name = "terraform"; + publisher = "hashicorp"; + version = "2.3.0"; + sha256 = "0696q8nr6kb5q08295zvbqwj7lr98z18gz1chf0adgrh476zm6qq"; + } + { + name = "bonsai"; + publisher = "hawkeyegold"; + version = "1.4.0"; + sha256 = "0r7bxx1lgbg6p97xwd2wr8j7slz720a1v6vzpd0fhcq83vqzkl89"; + } + { + name = "live-html-previewer"; + publisher = "hdg"; + version = "0.3.0"; + sha256 = "0hv5plh44q97355j5la83r8hjsxpv9d173mba34xr4p82a3pcq5p"; + } + { + name = "yuml"; + publisher = "JaimeOlivares"; + version = "3.5.1"; + sha256 = "01phwj8kn2zmzpjk97wacnc8iiby0szv40b1030fkcm3szafnya0"; + } + { + name = "latex-workshop"; + publisher = "James-Yu"; + version = "8.14.0"; + sha256 = "12bh2gpmak7vgzhjnvk2hw0yqm6wkd7vsm4ki4zbqa6lpriscjyi"; + } + { + name = "plantuml"; + publisher = "jebbs"; + version = "2.13.16"; + sha256 = "0672x0a1c9yk0g4vka40f4amgxir2bs25zg6qsims9plj0x2s4si"; + } + { + name = "tasks-chooser"; + publisher = "jeremyfa"; + version = "0.3.0"; + sha256 = "0bq80wv7zf94cgn94ll3jj68z35p13r0zw5by62dnlnj1sv7dghi"; + } + { + name = "asciidoctor-vscode"; + publisher = "joaompinto"; + version = "2.8.0"; + sha256 = "06nx627fik3c3x4gsq01rj0v59ckd4byvxffwmmigy3q2ljzsp0x"; + } + { + name = "contrast-theme"; + publisher = "johndugan"; + version = "1.1.10"; + sha256 = "0hib85318940ajfbzqrpgqh4jr39w18aq6babargbf64yxg94mbw"; + } + { + name = "theme-dark-plus-contrast"; + publisher = "k3a"; + version = "0.1.101"; + sha256 = "137kq6i6xn394msjrhj7v6c8shrvw9yf8i01mf4yl4aan2bw3419"; + } + { + name = "vscode-gist"; + publisher = "kenhowardpdx"; + version = "3.0.3"; + sha256 = "033iry115hbd5jbdr04frbrcgfpfnsc2z551nlfsaczbg4j9dydw"; + } + { + name = "quick-open"; + publisher = "leizongmin"; + version = "1.1.0"; + sha256 = "03avjgkvl2w51f0lvvfksa6lxqb4i9jgz2c74hw686yaydj8mfsp"; + } + { + name = "rainbow-csv"; + publisher = "mechatroner"; + version = "1.7.1"; + sha256 = 
"0w5mijs4ll5qjkpyw7qpn1k40pq8spm0b3q72x150ydbcini5hxw"; + } + { + name = "openapi-lint"; + publisher = "mermade"; + version = "1.2.0"; + sha256 = "0q81ifgr211apymbs21y0l3x8n324k6mh7p8kykz2xz38cslyq49"; + } + { + name = "swagger-doc-viewer"; + publisher = "mimarec"; + version = "1.0.4"; + sha256 = "1vvqwmfav6c2r1xkyfczm564bi2cpa9nklj35w3h3hrp4f6dnvpx"; + } + { + name = "vscode-clang"; + publisher = "mitaki28"; + version = "0.2.3"; + sha256 = "0xbg2frb4dxv7zl43gi25w2mkkh4xq2aidcf5i8b4imys9h720yr"; + } + { + name = "prettify-json"; + publisher = "mohsen1"; + version = "0.0.3"; + sha256 = "1spj01dpfggfchwly3iyfm2ak618q2wqd90qx5ndvkj3a7x6rxwn"; + } + { + name = "vscode-docker"; + publisher = "ms-azuretools"; + version = "1.8.1"; + sha256 = "08691mwb3kgmk5fnjpw1g3a5i7qwalw1yrv2skm519wh62w6nmw8"; + } + { + name = "python"; + publisher = "ms-python"; + version = "2020.11.371526539"; + sha256 = "0iavy4c209k53jkqsbhsvibzjj3fjxa500rv72fywgb2vxsi9fc3"; + } + { + name = "jupyter"; + publisher = "ms-toolsai"; + version = "2020.11.372831992"; + sha256 = "0r39xqrbkzcfkz6rca039s87ibx79a983y8lbiglhkmw3bp4p658"; + } + # fails to download C/C++ tools + # { + # name = "cpptools"; + # publisher = "ms-vscode"; + # version = "1.1.2"; + # sha256 = "09z1vrshvwimdrpsnfs4lyzca2qixp3h85xib8jf2fpxdjl3r5vg"; + # } + { + name = "vscode-quick-open-create"; + publisher = "nocksock"; + version = "0.6.0"; + sha256 = "0ipkjm74xpx44h130rmbnkjwsi63kcvq6fr0b0nxqqc9aa9jk22j"; + } + { + name = "indent-rainbow"; + publisher = "oderwat"; + version = "7.4.0"; + sha256 = "1xnsdwrcx24vlbpd2igjaqlk3ck5d6jzcfmxaisrgk7sac1aa81p"; + } + { + name = "phantypist"; + publisher = "paulofallon"; + version = "1.0.3"; + sha256 = "0rsaklwsd9i25p9j82ivblkbsk5cwjm22afzc2cq5klkbz9vxg62"; + } + { + name = "swaggitor"; + publisher = "qnsolutions"; + version = "0.1.1"; + sha256 = "0dhygxawxjhm0q1nmxwwcyhnk4hm1yzadnhc5ha7amdg7gddlrc1"; + } + { + name = "vscode-yaml"; + publisher = "redhat"; + version = "0.13.0"; + sha256 = 
"046kdk73a5xbrwq16ff0l64271c6q6ygjvxaph58z29gyiszfkig"; + } + { + name = "papercolor-vscode"; + publisher = "rozbo"; + version = "0.4.0"; + sha256 = "0fla4dfxm6ppqgfvp9rc2izhnv0909yk3r38xmh15ald84i1jhzm"; + } + { + name = "iferrblocks"; + publisher = "rstuven"; + version = "1.1.1"; + sha256 = "0ncj1g2dqa1wwqmj27w1356f4b9nlk2narvgyjn208axfwifz1lw"; + } + { + name = "rust"; + publisher = "rust-lang"; + version = "0.7.8"; + sha256 = "039ns854v1k4jb9xqknrjkj8lf62nfcpfn0716ancmjc4f0xlzb3"; + } + { + name = "bracket-jumper"; + publisher = "sashaweiss"; + version = "1.1.8"; + sha256 = "11sj7h13yjcpd94x07wlmck7cmidk1kla00kjq7wfw2xc1143rqs"; + } + { + name = "just"; + publisher = "skellock"; + version = "2.0.0"; + sha256 = "1ph869zl757a11f8iq643f79h8gry7650a9i03mlxyxlqmspzshl"; + } + { + name = "line-endings"; + publisher = "steditor"; + version = "1.0.3"; + sha256 = "1mdybbhs771w8r9xqy1n7x2is2vhh6axkssarb2yy7gps3v81ik7"; + } + { + name = "code-spell-checker"; + publisher = "streetsidesoftware"; + version = "1.10.0"; + sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i"; + } + { + name = "code-spell-checker-german"; + publisher = "streetsidesoftware"; + version = "0.1.8"; + sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz"; + } + { + name = "code-spell-checker-german"; + publisher = "streetsidesoftware"; + version = "0.1.8"; + sha256 = "117ba1m427d7nqh2p4djjswbksz1nvy2zkgdnm2iis17gzxscbmz"; + } + { + name = "code-spell-checker"; + publisher = "streetsidesoftware"; + version = "1.10.0"; + sha256 = "1172wcw1a1mbx8nrlnh1hyizs9abzvqmhwgc6bmp8wvxk8hk4x3i"; + } + { + name = "vscode-open-in-github"; + publisher = "sysoev"; + version = "1.14.0"; + sha256 = "1whyrsckx0gikgjj1812dlsykck7cs696wz9fn4fhcishp9479hp"; + } + { + name = "html-preview-vscode"; + publisher = "tht13"; + version = "0.2.5"; + sha256 = "0k75ivigzjfq8y4xwwrgs2iy913plkwp2a68f0i4bkz9kx39wq6v"; + } + { + name = "scrolloff"; + publisher = "tickleforce"; + version = "0.0.4"; + sha256 = 
"1n5xcbcwdj54c9dlscd5igdbga6v9wv5j1qbhjb7p2mf7sbps3cq"; + } + { + name = "shellcheck"; + publisher = "timonwong"; + version = "0.12.1"; + sha256 = "0apvbs90mdjk5y6vy2v4azwxhdjqfypqp5d5hh9rlgxyq4m0azz2"; + } + { + name = "sort-lines"; + publisher = "Tyriar"; + version = "1.9.0"; + sha256 = "0l4wibsjnlbzbrl1wcj18vnm1q4ygvxmh347jvzziv8f1l790qjl"; + } + # slow and currently not needed + # { + # name = "vscode-lldb"; + # publisher = "vadimcn"; + # version = "1.6.0"; + # sha256 = "15m0idk75bvbzfxipdxwz2vpdklr15zv92h4mxxpr8db9jjr32vi"; + # } + { + name = "vim"; + publisher = "vscodevim"; + version = "1.17.1"; + sha256 = "10f8jz52gr6k2553awa66m006wszj9z2rnshsic6h2aawxiz3zq1"; + } + { + name = "prettify-selected-json"; + publisher = "vthiery"; + version = "1.0.3"; + sha256 = "0g2svrls7x4w75fj6rr839mrwd3sn912vn6ysiy0sasnnc55rpgb"; + } + { + name = "debug"; + publisher = "webfreak"; + version = "0.25.0"; + sha256 = "0qm2jgkj17a0ca5z21xbqzfjpi0hzxw4h8y2hm8c4kk2bnw02sh1"; + } + { + name = "clang-format"; + publisher = "xaver"; + version = "1.9.0"; + sha256 = "0bwc4lpcjq1x73kwd6kxr674v3rb0d2cjj65g3r69y7gfs8yzl5b"; + } + { + name = "vscode-capnp"; + publisher = "xmonader"; + version = "1.0.0"; + sha256 = "0z2shl6qvr3y3m5y63v69x94rzyb2cmf5046afx2yswnll6j52fc"; + } + { + name = "plsql-language"; + publisher = "xyz"; + version = "1.8.2"; + sha256 = "16xxa6w03wzd95v1cycmjvw9hfg3chvpclrn28v0qsa3lir1mxrr"; + } + { + name = "markdown-pdf"; + publisher = "yzane"; + version = "1.4.4"; + sha256 = "00cjwjwzsv3wx2qy0faqxryirr2hp60yhkrlzsk0avmvb0bm9paf"; + } + { + name = "vscode-proto3"; + publisher = "zxh404"; + version = "0.5.2"; + sha256 = "1jmmbz3i0hxq5ka4rsk07mynxh3pkh5g736d9ryv1czhnrb06lwf"; + } + ]; in + { programs.vscode = { enable = true; - package = pkgsVscodium.vscodium; - profiles.default.extensions = - with pkgsVscodium.vscode-extensions; - [ - eamodio.gitlens - mkhl.direnv - tomoki1207.pdf - vscodevim.vim - - # bbenoist.nix - jnoortheen.nix-ide - - ms-vscode.theme-tomorrowkit - 
nonylene.dark-molokai-theme - - ms-python.vscode-pylance - - # TODO: these are not in nixpkgs - - # fredwangwang.vscode-hcl-format - # hashicorp.hcl - # mindaro-dev.file-downloader - # ms-vscode.remote-explorer - - # TODO: not compatible with vscodium - # ms-vscode-remote.remote-ssh - ] - ++ ( - let - extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; - in - with extensions.vscode-marketplace; - with extensions.vscode-marketplace-release; - [ - - serayuzgur.crates - rust-lang.rust-analyzer - swellaby.vscode-rust-test-adapter - - tamasfe.even-better-toml - golang.go - jeff-hykin.better-go-syntax - blueglassblock.better-json5 - nefrob.vscode-just-syntax - # fabianlauer.vs-code-xml-format - - bierner.emojisense - ] - ) - ++ ( - let - nix4vscodeToml = pkgs.writeText "nix4vscode.toml" '' - vscode_version = "${config.programs.vscode.package.version}" - - [[extensions]] - publisher_name = "FelixZeller" - extension_name = "markdown-oxide" - - [[extensions]] - publisher_name = "ibecker" - extension_name = "treefmt-vscode" - - [[extensions]] - publisher_name = "AntiAntiSepticeye" - extension_name = "vscode-color-picker" - - # [[extensions]] - # publisher_name = "nefrob" - # extension_name = "vscode-just-syntax" - - [[extensions]] - publisher_name = "fabianlauer" - extension_name = "vs-code-xml-format" - ''; - - nix4vscodeNix = - pkgs.runCommand "nix4vscode.nix" - { - # nix4vscode needs internet access - __noChroot = true; - requiredSystemFeatures = [ "recursive-nix" ]; - buildInputs = [ - pkgs.nix - pkgs.cacert - (pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { }) - # pkgs.strace - ]; - # outputHashAlgo = "sha256"; - # outputHashMode = "recursive"; - # outputHash = lib.fakeSha256; - } - '' - # set -x - # export RUST_BACKTRACE=full - # export RUST_LOG=trace - export HOME=$(mktemp -d) - # strace -ffZyyY - nix4vscode ${nix4vscodeToml} > $out - ''; - nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage 
nix4vscodeNix { }) [ - "override" - "overrideDerivation" - ]; - nix4vscodeExtensions' = lib.attrsets.mapAttrsToList ( - _: v: builtins.head (builtins.attrValues v) - ) nix4vscodeExtensions; - in - nix4vscodeExtensions' - ); - mutableExtensionsDir = true; + extensions = [] + ++ packagedExtensions + ++ marketPlaceExtensions + ; }; - - home.packages = [ - pkgs.nil - pkgs.nixfmt-rfc-style - ]; } + # TODO: automate +# rustup install stable +# rustup component add rust-analysis --toolchain stable +# rustup component add rust-src --toolchain stable +# rustup component add rls --toolchain stable + ### original list: # 74th.Theme-NaturalContrast-With-HC # AlanWalk.markdown-toc diff --git a/nix/home-manager/programs/waybar.css b/nix/home-manager/programs/waybar.css deleted file mode 100644 index 664a47f..0000000 --- a/nix/home-manager/programs/waybar.css +++ /dev/null @@ -1,5 +0,0 @@ -#custom-cputemp { - padding: 0 10px; - background-color: #f0932b; - color: #ffffff; -} diff --git a/nix/home-manager/programs/waybar.nix b/nix/home-manager/programs/waybar.nix deleted file mode 100644 index a559dfc..0000000 --- a/nix/home-manager/programs/waybar.nix +++ /dev/null 
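Review bot: `marketPlaceExtensions` lists the same extension more than once — `vscodevim`/`vim` 1.17.1 appears near the top and again near the end, and both `streetsidesoftware` entries (`code-spell-checker`, `code-spell-checker-german`) are duplicated — so `extensions = [] ++ packagedExtensions ++ marketPlaceExtensions` installs duplicate derivations, which is at best wasted work and at worst a path collision when the extension directory is assembled. Dropping the repeated blocks fixes it; `asciidoctor-vscode` from both `asciidoctor` and `joaompinto` also looks like one extension under two publishers. `bbenoist.Nix` with a capital N differs from the `bbenoist.nix` spelling the removed side had commented out; the nixpkgs attribute name should be checked, since an unknown attribute fails evaluation.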
@@ -1,86 +0,0 @@ -{ pkgs, repoFlake, ... }: -{ - home.packages = [ - # required by any bar that has a tray plugin - pkgs.libappindicator-gtk3 - pkgs.libdbusmenu-gtk3 - ]; - - programs.waybar = { - enable = true; - package = - repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; - style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; - systemd.enable = true; - settings = { - mainBar = { - layer = "top"; - position = "bottom"; - height = 30; - output = - # hide the bar on HEADDLESS displays as i use them only for screensharing - (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ]; - # output = [ - # "eDP-1" - # "DP-*" - # ]; - - modules-left = [ - "sway/workspaces" - "sway/mode" - # "wlr/taskbar" - ]; - - "sway/workspaces" = { - disable-scroll = true; - all-outputs = false; - }; - - modules-center = [ - "sway/window" - # "custom/hello-from-waybar" - ]; - - modules-right = [ - "tray" - - "cpu" - "memory" - "custom/cputemp" - "custom/fan" - "battery" - "pulseaudio" - "clock" - "clock#date" - ]; - - tray.spacing = 10; - - cpu.format = " {usage}%"; - memory.format = " {}%"; - "temperature" = { - hwmon-path = "/sys/class/hwmon/hwmon3/temp1_input"; - format = " {temperatureC} °C"; - }; - - "custom/cputemp" = { - format = " {}"; - exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/CPU:/ {print $2}'"; - interval = 2; - }; - "custom/fan" = { - format = "  {} rpm "; - exec = "${pkgs.lm_sensors}/bin/sensors | ${pkgs.gawk}/bin/awk '/fan1:/ {print $2}'"; - interval = 2; - }; - battery.format = "🔋 {}%"; - pulseaudio = { - format = "🔉 {volume}%"; - # on-click-middle = ''${pkgs.sway}/bin/swaymsg exec "${pkgs.pavucontrol}/bin/pavucontrol"''; - }; - clock.format = "{:%H:%M %p}"; - "clock#date".format = "{:%a, %d %b '%y}"; - }; - }; - }; -} diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 96f9982..112f336 100644 
--- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix @@ -1,9 +1,7 @@ -{ - config, - lib, - pkgs, - ... -}: +{ pkgs }: + +{ ... }: + let just-plugin = let @@ -25,8 +23,8 @@ let _describe 'command' subcmds ''; - in - pkgs.stdenv.mkDerivation { + + in pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; phases = "installPhase"; 
@@ -36,77 +34,60 @@ let cp ${plugin_file} $PLUGIN_PATH/_just chmod --recursive a-w $out ''; - }; -in -{ + }; + +in { programs.zsh = { enable = true; - profileExtra = '' - . "${config.home.profileDirectory}/etc/profile.d/hm-session-vars.sh" - ''; - # will be called again by oh-my-zsh enableCompletion = false; - autosuggestion.enable = true; - initContent = - let - inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; - in - '' - if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then - unset TMPDIR - fi + enableAutosuggestions = true; + initExtra = '' + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f %F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" - if test ! -n "$TMP" -a -z "$TMP"; then - unset TMP - fi + # Automatic rehash + zstyle ':completion:*' rehash true + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . $HOME/.shrc.d/sh_aliases + fi - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" + ${if builtins.hasAttr "homeshick" pkgs then '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' else '' + ''} - # Automatic rehash - zstyle ':completion:*' rehash true + # Disable intercepting of ctrl-s and ctrl-q as flow control. + stty stop ''' -ixoff -ixon - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi + # don't cd into directories when executed + unsetopt AUTO_CD - ${ - if builtins.hasAttr "homeshick" pkgs then - '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' - else - "" - } + export NIX_PATH="${pkgs.nixPath}" - # Disable intercepting of ctrl-s and ctrl-q as flow control. 
- stty stop ''' -ixoff -ixon + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" + ''; - # don't cd into directories when executed - unsetopt AUTO_CD - - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" - - ${lib.optionalString config.services.gpg-agent.enable '' - export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" - ''} - - ${lib.optionalString config.programs.neovim.enable '' - export EDITOR="nvim" - ''} - ''; + sessionVariables = { + # Add more envrionment variables here + }; plugins = [ { + # will source zsh-autosuggestions.plugin.zsh name = "zsh-autosuggestions"; - src = pkgs.zsh-autosuggestions; + src = pkgs.fetchFromGitHub { + owner = "zsh-users"; + repo = "zsh-autosuggestions"; + rev = "v0.6.3"; + sha256 = "1h8h2mz9wpjpymgl2p7pc146c1jgb3dggpvzwm9ln3in336wl95c"; + }; } { name = "enhancd"; @@ -114,8 +95,8 @@ in src = pkgs.fetchFromGitHub { owner = "b4b4r07"; repo = "enhancd"; - rev = "v2.5.1"; - sha256 = "sha256-kaintLXSfLH7zdLtcoZfVNobCJCap0S/Ldq85wd3krI="; + rev = "v2.2.4"; + sha256 = "1smskx9vkx78yhwspjq2c5r5swh9fc5xxa40ib4753f00wk4dwpp"; }; } { diff --git a/nix/modules/flake-parts/colmena.nix b/nix/modules/flake-parts/colmena.nix deleted file mode 100644 index 136a5a1..0000000 --- a/nix/modules/flake-parts/colmena.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ lib, ... }: -{ - options.flake.colmena = lib.mkOption { - # type = lib.types.attrsOf lib.types.unspecified; - type = lib.types.raw; - default = { }; - }; -} diff --git a/nix/modules/flake-parts/perSystem/default.nix b/nix/modules/flake-parts/perSystem/default.nix deleted file mode 100644 index da1e42a..0000000 --- a/nix/modules/flake-parts/perSystem/default.nix +++ /dev/null 
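Review bot: `enableAutosuggestions = true;` and the explicit `zsh-autosuggestions` plugin entry (pinned with `fetchFromGitHub` to `v0.6.3`) in the same hunk both arrange for the autosuggestions plugin to be sourced, so the plugin is presumably loaded twice from two different versions; keep one of them, and if the pinned copy is the intended one, drop `enableAutosuggestions` and say why in the `# will source zsh-autosuggestions.plugin.zsh` comment. `export NIX_PATH="${pkgs.nixPath}"` relies on a `nixPath` attribute that is not part of stock nixpkgs, so this only evaluates if an overlay in this repository provides it; a short comment pointing at where `pkgs.nixPath` is defined would save the next reader a search. Minor: `if [ -f $HOME/.shrc.d/sh_aliases ]; then` and the `. $HOME/.shrc.d/sh_aliases` line leave `$HOME` unquoted; `"$HOME/.shrc.d/sh_aliases"` is the safe spelling.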
@@ -1,37 +0,0 @@
-{ pkgs, ... }:
-{
- packages = {
- myPython = pkgs.python310.withPackages (
- ps:
- with ps;
- [
- pep8
- yapf
- flake8
- # autopep8 (broken)
- # pylint (broken)
- ipython
- llfuse
- dugong
- defusedxml
- wheel
- pip
- virtualenv
- cffi
- # pyopenssl
- urllib3
- # mistune (insecure)
- sympy
-
- flask
-
- pyaml
- requests
- ]
- ++ [
- pkgs.pypi2nix
- pkgs.libffi
- ]
- );
- };
-}
diff --git a/nix/ops/nano/configuration.nix b/nix/ops/nano/configuration.nix
new file mode 100644
index 0000000..afc3626
--- /dev/null
+++ b/nix/ops/nano/configuration.nix
@@ -0,0 +1,65 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ n, pkgs, ... }:
+
+{
+ imports =
+ [ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ # Define on which hard drive you want to install Grub.
+ boot.loader.grub.device = "/dev/sdb";
+
+ networking.hostName = "nano${toString n}"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Select internationalisation properties.
+ # i18n = {
+ # consoleFont = "Lat2-Terminus16";
+ # consoleKeyMap = "us";
+ # defaultLocale = "en_US.UTF-8";
+ # };
+
+ # Set your time zone.
+ # time.timeZone = "Europe/Amsterdam";
+
+ # List packages installed in system profile. To search by name, run:
+ # $ nix-env -qaP | grep wget
+ # environment.systemPackages = with pkgs; [
+ # wget
+ # ];
+
+ # List services that you want to enable:
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+ services.openssh.permitRootLogin = "yes";
+
+ # Enable CUPS to print documents.
+ services.printing.enable = false;
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = false;
+ # services.xserver.layout = "us";
+ # services.xserver.xkbOptions = "eurosign:e";
+
+ # Enable the KDE Desktop Environment.
+ # services.xserver.displayManager.kdm.enable = true;
+ # services.xserver.desktopManager.kde4.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ # users.extraUsers.guest = {
+ # isNormalUser = true;
+ # uid = 1000;
+ # };
+
+ # The NixOS release to be compatible with for stateful data such as databases.
+ system.stateVersion = "16.03";
+
+}
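Review bot: `services.openssh.permitRootLogin = "yes";` (new line 42) allows interactive root password logins on every nano host, and nothing in this file disables password authentication, so the only thing between the network and a root shell is the root password set by the imported `root.nix`. For a host that is only ever deployed over SSH, `services.openssh.permitRootLogin = "prohibit-password";` keeps key-based root deploys working while closing the password path; pairing it with `services.openssh.passwordAuthentication = false;` is worth considering if no other account needs passwords. Separately, `boot.loader.grub.device = "/dev/sdb";` hard-codes a kernel device name while the generated hardware-configuration.nix addresses the root filesystem by UUID, which can point GRUB at the wrong disk when enumeration order changes; a comment explaining why `/dev/sdb` is correct for these machines would help.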
diff --git a/nix/ops/nano/hardware-configuration.nix b/nix/ops/nano/hardware-configuration.nix
new file mode 100644
index 0000000..501306c
--- /dev/null
+++ b/nix/ops/nano/hardware-configuration.nix
@@ -0,0 +1,23 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, ... }:
+
+{
+ imports =
+ [
+ ];
+
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+ boot.kernelModules = [ "kvm-intel" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/e02a410e-5044-440f-90e9-b573e51f1315";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ nix.maxJobs = 2;
+}
diff --git a/nix/ops/nanos@kn.nix b/nix/ops/nanos@kn.nix
new file mode 100644
index 0000000..d2003da
--- /dev/null
+++ b/nix/ops/nanos@kn.nix
@@ -0,0 +1,26 @@
+{ nixpkgs ? import {}
+, nrNanos ? 1 # Number of nanos
+}:
+
+let
+ pkgs = nixpkgs;
+ webserver = { services.httpd.enable = true;
+ services.httpd.adminAddr = "mail@stefanjunker.de";
+ services.httpd.documentRoot = "${pkgs.nixops}/share/doc/nixops/";
+ networking.firewall.allowedTCPPorts = [ 80 ];
+ };
+
+ mkNano = { n }: {
+ imports = [
+ (import ./nano/configuration.nix {inherit pkgs n;})
+ ../configuration/common/user/root.nix
+ ];
+ deployment.targetEnv = "none";
+ deployment.targetHost = "nano${toString n}";
+ };
+
+ mkNanos = n: nixpkgs.lib.nameValuePair "nano${toString n}" (
+ mkNano { inherit n; }
+ );
+
+in nixpkgs.lib.listToAttrs (map mkNanos (nixpkgs.lib.range 0 (nrNanos - 1)))
diff --git a/nix/os/cachix.nix b/nix/os/cachix.nix
deleted file mode 100644
index 0d14a2f..0000000
--- a/nix/os/cachix.nix
+++ /dev/null
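Review bot: In the nanos@kn.nix hunk the `webserver` binding (httpd with `documentRoot` under the nixops package and port 80 opened in the firewall) is defined but never referenced by `mkNano`, so it is dead code in the new network definition; either add it to `imports` deliberately or drop it so a reader does not assume the nanos serve HTTP. The default `nixpkgs ? import {}` as rendered here is not a valid Nix expression — it looks like an angle-bracket path such as `<nixpkgs>` was lost in the rendering; if the file really reads this way, it needs the path argument restored. Also, `import ./nano/configuration.nix {inherit pkgs n;}` evaluates the module as a plain function and then passes the result to `imports`, which means the module body sees the `pkgs` bound here rather than the module system's `pkgs`; `(import ./nano/configuration.nix) { inherit pkgs n; ... }` works only because the module ignores the other arguments, and a one-line comment stating that intent would help.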
@@ -1,12 +0,0 @@
-# WARN: this file will get overwritten by $ cachix use
-{ lib, ... }:
-let
- folder = ./cachix;
- toImport = name: _value: folder + ("/" + name);
- filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
- imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
-in
-{
- inherit imports;
- nix.settings.substituters = [ "https://cache.nixos.org/" ];
-}
diff --git a/nix/os/cachix/nixpkgs-wayland.nix b/nix/os/cachix/nixpkgs-wayland.nix
deleted file mode 100644
index 1c0cca7..0000000
--- a/nix/os/cachix/nixpkgs-wayland.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- nix = {
- settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ];
- settings.trusted-public-keys = [
- "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
- ];
- };
-}
diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix
index 2c2c171..6ade22f 100644
--- a/nix/os/containers/backup.nix
+++ b/nix/os/containers/backup.nix
@@ -1,125 +1,185 @@ -{ - config, - hostAddress, - localAddress, - subvolumes, - targetPathSuffix ? "", - autoStart ? false, +{ config +, hostAddress +, localAddress }: + let + unstablepkgs = import { config = config.nixpkgs.config; }; + passwords = import ../../variables/passwords.crypt.nix; - subvolumeParentDir = "/var/lib/container-volumes"; -in -{ - config = - { pkgs, ... }: - { - system.stateVersion = "20.03"; # Did you read the comment? + bucket = "bkp"; + subvolumeParentDir = "/var/lib"; - imports = [ ../profiles/containers/configuration.nix ]; + subvolumeDir = "/var/lib/container-volumes"; + subvolumeSnapshot = "/var/lib/container-volumes.snapshot"; - environment.systemPackages = with pkgs; [ - btrfs-progs - btrbk - ]; + bkpSource = subvolumeSnapshot; + bkpDestination = "/container/backup"; + cacheDir = "/var/lib/rclone-cachedir"; - networking.firewall.enable = true; + wasabiRc = pkgs: pkgs.writeText "rc" '' + [wasabi-${bucket}] + type = s3 + provider = Wasabi + env_auth = false - systemd.services."bkp-sync" = { - enable = true; - description = "bkp-sync service"; + #bkp user + access_key_id = ${passwords.storage.wasabi.bkp.key} + secret_access_key = ${passwords.storage.wasabi.bkp.secret} - serviceConfig = { - Type = "oneshot"; - }; + region = us-east-1 + endpoint = s3.wasabisys.com + location_constraint = + acl = + server_side_encryption = + storage_class = + ''; - after = [ "bkp-run.service" ]; - requires = [ "bkp-run.service" ]; - - path = with pkgs; [ utillinux ]; - script = '' - set -x - true - ''; + bkp-mount-rclone-manual = pkgs: { + enable = true; + description = "bkp-mount-rclone-manual service"; + path = with pkgs; [ unstablepkgs.rclone utillinux ]; + serviceConfig = { + Type = "notify"; }; + script = '' + export PATH="$PATH:/run/wrappers/bin" + exec rclone --config ${wasabiRc pkgs} mount wasabi-${bucket}:${bucket} ${bkpDestination} \ + --stats=50m --stats-log-level=NOTICE \ + --cache-dir=${cacheDir} \ + --vfs-cache-mode=full - 
systemd.services."bkp-run" = { - enable = true; - description = "bkp-run"; + ''; + preStart = '' + mkdir -p ${bkpDestination} + mkdir -p ${cacheDir} + ''; + postStop = '' + sync + umount ${bkpDestination} \ + || umount -l ${bkpDestination} \ + || : - serviceConfig = { - Type = "oneshot"; - }; - - partOf = [ "bkp-sync.service" ]; - - path = with pkgs; [ - btrfs-progs - btrbk - coreutils - ]; - - script = - let - btrbkConf = pkgs.writeText "cfg" '' - timestamp_format long - ssh_identity ${passwords.storage.backupTarget.keyPath} - ssh_user ${passwords.storage.backupTarget.user} - ssh_compression no - backend_remote btrfs-progs-sudo - compat_remote busybox - btrfs_commit_delete each - snapshot_create onchange - snapshot_preserve_min latest - snapshot_preserve 7d 4w - target_preserve_min latest - target_preserve 7d 4w 12m *y - - volume ${subvolumeParentDir} - target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} - ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} - ''; - in - '' - #! ${pkgs.bash}/bin/bash - set -Eeuxo pipefail - - btrbk -c ${btrbkConf} --progress ''${@:-run} - ''; - }; - - systemd.timers."bkp" = { - description = "Timer to trigger bkp periodically"; - enable = true; - wantedBy = [ - "timer.target" - "multi-user.target" - ]; - timerConfig = { - # Obtained using `systemd-analyze calendar "Wed 23:00"` - # OnCalendar = "Wed *-*-* 23:00:00"; - OnStartupSec = "1m"; - Unit = "bkp-sync.service"; - OnUnitInactiveSec = "2h"; - Persistent = "true"; - }; - }; + rmdir ${bkpDestination} + ''; }; - inherit autoStart; + +in { + config = { pkgs, ... 
}: { + imports = [ + ../profiles/containers/configuration.nix + ]; + + environment.systemPackages = with pkgs; [ + btrfs-progs + rdup rdedup + iptraf-ng nethogs + rclone + ]; + + networking.firewall.enable = true; + + systemd.services."bkp-mount-rclone-manual" = bkp-mount-rclone-manual pkgs; + + systemd.services."bkp-sync-rclone" = { + enable = true; + description = "bkp-sync-rclone service"; + + serviceConfig = { + Type = "oneshot"; + }; + + after = [ + "bkp-run.service" + ]; + + requires = [ + "bkp-run.service" + ]; + + path = with pkgs; [ unstablepkgs.rclone utillinux ]; + script = '' + set -x + echo Starting rclone sync... + rclone --config ${wasabiRc pkgs} sync \ + ${bkpDestination}/rdedup/ wasabi-${bucket}:${bucket}/rdedup/ \ + --stats=50m --stats-log-level=WARNING + echo Finished rclone sync... + ''; + }; + + systemd.services."bkp-run" = { + enable = true; + description = "bkp-run"; + + serviceConfig = { + Type = "oneshot"; + }; + + partOf = [ + "bkp-sync-rclone.service" + ]; + + path = with pkgs; [ btrfs-progs rdup rdedup coreutils ]; + preStart = '' + echo Creating new btrfs snapshot of ${subvolumeDir} at ${subvolumeSnapshot} + btrfs subvolume snapshot -r ${subvolumeDir} ${subvolumeSnapshot} + ''; + script = '' + #! ${pkgs.bash}/bin/bash + set -Eeuxo pipefail + + export RUST_BACKTRACE=1 + export TIMESTAMP=$(date +"%Y%m%d.%H%M%S") + + echo Starting rdup/rdedup backup... + for d in `ls -1 ${bkpSource}`; do + echo Determining backup source size ${bkpSource}/$d... + du -hs ${bkpSource}/$d + rdup -x /dev/null ${bkpSource}/$d | rdedup -v -ttt --dir=${bkpDestination}/rdedup store $d-''${TIMESTAMP} + done + sync + echo Finished rdup/rdedup backup... + + echo Removing all previous backups... + rdedup --dir=${bkpDestination}/rdedup list | grep -v ''${TIMESTAMP} | xargs echo rdedup --dir=${bkpDestination}/rdedup remove + + echo Running rdedup garbage-collector... 
+ time rdedup -v -ttt --dir=${bkpDestination}/rdedup gc + + echo Determining backup destination size ${bkpDestination}/rdedup... + du -hs ${bkpDestination}/rdedup + ''; + postStop = '' + btrfs subvolume delete ${subvolumeSnapshot} + ''; + }; + + systemd.timers."bkp" = { + description = "Timer to trigger bkp periodically"; + enable = true; + wantedBy = [ "timer.target" "multi-user.target" ]; + timerConfig = { + # Obtained using `systemd-analyze calendar "Wed 23:00"` + # OnCalendar = "Wed *-*-* 23:00:00"; + OnStartupSec="2d"; + Unit = "bkp-sync-rclone.service"; + OnUnitInactiveSec="2d"; + Persistent="true"; + }; + }; + }; + + autoStart = true; bindMounts = { "${subvolumeParentDir}" = { - hostPath = subvolumeParentDir; + hostPath = "/var/lib/"; isReadOnly = false; }; - "/etc/secrets/" = { - hostPath = "/var/lib/container-volumes/backup/etc-secrets"; - isReadOnly = true; - }; - "/dev/fuse" = { hostPath = "/dev/fuse"; isReadOnly = false; @@ -127,16 +187,12 @@ in }; allowedDevices = [ - { - node = "/dev/fuse"; - modifier = "rw"; - } + { node = "/dev/fuse"; modifier = "rw"; } ]; - extraFlags = [ "--resolv-conf=bind-host" ]; - privateNetwork = true; - forwardPorts = [ ]; + forwardPorts = [ + ]; inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 22ef959..d82740a 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix 
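Review bot: In `wasabiRc`, `access_key_id = ${passwords.storage.wasabi.bkp.key}` and `secret_access_key = ${passwords.storage.wasabi.bkp.secret}` are interpolated into `pkgs.writeText "rc"`, so the cloud credentials become a world-readable file in the Nix store of every machine that evaluates or substitutes this configuration; rclone's `--config` should point at a root-owned file outside the store instead (the mailserver hunk below has the same issue with `environment.etc."dovecot/users".text` and the `password = ...` lines written via `pkgs.writeText` in the getmail rc files). The `bindMounts."${subvolumeParentDir}"` entry now mounts the host's entire `/var/lib/` read-write into the container because `subvolumeParentDir` changed to `/var/lib`, while the snapshot logic only reads `subvolumeDir` (`/var/lib/container-volumes`) and writes `subvolumeSnapshot`; narrowing the mount to those paths keeps a compromised backup container away from the rest of the host's state. The "Removing all previous backups..." step pipes into `xargs echo rdedup ... remove`, so it only prints the commands and never removes old generations before `gc`; if that dry-run is intentional a comment should say so, otherwise drop the `echo`. Finally, `for d in \`ls -1 ${bkpSource}\`` splits on whitespace; `for d in ${bkpSource}/*; do d=$(basename "$d")` is the robust form.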
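Review bot: The second hunk of backup.nix drops `privateNetwork = true;` together with `extraFlags = [ "--resolv-conf=bind-host" ]`, so the container now shares the host's network namespace while running an rclone FUSE mount and cloud sync with the Wasabi credentials; `hostAddress`/`localAddress` are still passed in but have no effect without a private network. If network isolation for this container is still wanted, keep `privateNetwork = true;` alongside the existing `forwardPorts = [ ];`.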
@@ -1,228 +1,149 @@ -{ - specialArgs, - hostBridge, - hostAddress, - localAddress, - imapsPort ? 993, - sievePort ? 4190, - autoStart ? false, +{ hostAddress +, localAddress +, imapsPort ? 993 +, sievePort ? 4190 }: -{ - inherit specialArgs; - config = - { - pkgs, - config, - repoFlake, - ... - }: - { - system.stateVersion = "22.05"; # Did you read the comment? - imports = [ - ../profiles/containers/configuration.nix +let + passwords = import ../../variables/passwords.crypt.nix; - repoFlake.inputs.sops-nix.nixosModules.sops - ../profiles/common/user.nix - ]; +in { - networking.firewall.allowedTCPPorts = [ - imapsPort - sievePort - ]; + config = { pkgs, ... }: { + imports = [ + ../profiles/containers/configuration.nix + ../profiles/common/user.nix + ]; - # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately - # sops.defaultSopsFile = ./mailserver_secrets.yaml; + networking.firewall.enable = false; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.secrets.email_mailStefanjunkerDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_mailStefanjunkerDeHetzner = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_schtifATwebDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_dovecot_steveej = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - - # TODO: switch to something other than ddclient as it's no longer maintained - - # TODO: switch to a let's encrypt certificate - sops.secrets.dovecotSslServerCert = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - sops.secrets.dovecotSslServerKey = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - services.dovecot2 = { + services.ddclientovh = { enable = 
true; + domain = "mailserver.svc.stefanjunker.de"; + }; - protocols = [ "sieve" ]; + services.dovecot2 = { + enable = true; - enableImap = true; - enableLmtp = true; - enablePAM = true; - showPAMFailure = true; - mailLocation = "maildir:~/.maildir"; - sslServerCert = config.sops.secrets.dovecotSslServerCert.path; - sslServerKey = config.sops.secrets.dovecotSslServerKey.path; + modules = [ pkgs.dovecot_pigeonhole ]; + protocols = [ "sieve" ]; - #configFile = "/etc/dovecot/dovecot2_manual.conf"; - extraConfig = '' - auth_mechanisms = cram-md5 digest-md5 - auth_verbose = yes + enableImap = true; + enableLmtp = true; + enablePAM = true; + showPAMFailure = true; + mailLocation = "maildir:~/.maildir"; + sslServerCert = "/etc/secrets/server.pem"; + sslServerKey = "/etc/secrets/server.key"; - passdb { - driver = passwd-file - args = scheme=CRYPT username_format=%u /etc/dovecot/users - } + #configFile = "/etc/dovecot/dovecot2_manual.conf"; + extraConfig = '' + auth_mechanisms = cram-md5 digest-md5 + auth_verbose = yes + + passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users + } - protocol lda { - postmaster_address = "mail@stefanjunker.de" - mail_plugins = $mail_plugins sieve - } + protocol lda { + postmaster_address = "mail@stefanjunker.de" + mail_plugins = $mail_plugins sieve + } - protocol imap { - mail_max_userip_connections = 64 - } - ''; - }; + protocol imap { + mail_max_userip_connections = 64 + } + ''; - environment.systemPackages = [ - pkgs.dovecot_pigeonhole - ]; + }; - environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; + environment.etc."dovecot/users".text = '' + steveej:${passwords.email.steveej} + ''; - systemd.services.steveej-getmail-stefanjunker = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 600; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path 
= [ pkgs.getmail6 ]; - script = - let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 + systemd.services.steveej-getmail-stefanjunker = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 600; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [ ]; + script = let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 - [retriever] - type = SimpleIMAPSSLRetriever - server = ssl0.ovh.net - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") - mailboxes = ('INBOX',) + [retriever] + type = SimpleIMAPSSLRetriever + server = ssl0.ovh.net + port = 993 + username = mail@stefanjunker.de + password = ${passwords.email.mailStefanjunkerDe} + mailboxes = ('INBOX',) - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in - '' - getmail --idle=INBOX --rcfile=${rc} + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda ''; - }; + in '' + ${pkgs.getmail}/bin/getmail --rcfile=${rc} --idle=INBOX + ''; + }; - systemd.services.steveej-getmail-stefanjunker-hetzner = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 60; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - script = - let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 2 - read_all = 0 - delete_after = 30 + systemd.services.steveej-getmail-webde = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + description = 
"Getmail service"; + path = [ pkgs.getmail ]; + serviceConfig.RestartSec = 1000; + serviceConfig.Restart = "always"; + script = let + rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 - [retriever] - type = SimpleIMAPSSLRetriever - server = mail.your-server.de - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") - mailboxes = ('INBOX',) + [retriever] + type = SimpleIMAPSSLRetriever + server = imap.web.de + port = 993 + username = schtif + password = ${passwords.email.schtifATwebDe} + mailboxes = ('INBOX',) - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in - '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - - systemd.services.steveej-getmail-webde = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - serviceConfig.RestartSec = 1000; - serviceConfig.Restart = "always"; - script = - let - rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = imap.web.de - port = 993 - username = schtif - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = Maildir - path = ~/.maildir/ - ''; - in - '' - getmail --rcfile=${rc} --idle=INBOX + [destination] + type = Maildir + path = ~/.maildir/ ''; + in '' + getmail --rcfile=${rc} + ''; }; }; - inherit autoStart; + autoStart = true; bindMounts = { - # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host - "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; - "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true; + 
"/etc/secrets/" = { + hostPath = "/var/lib/container-volumes/mailserver/etc-secrets"; + isReadOnly = false; + }; - "/home" = { + "/home" = { hostPath = "/var/lib/container-volumes/mailserver/home"; isReadOnly = false; }; }; - privateNetwork = true; + privateNetwork = true ; forwardPorts = [ { # imaps @@ -239,5 +160,5 @@ } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml deleted file mode 100644 index 9814c66..0000000 --- a/nix/os/containers/mailserver_secrets.yaml +++ /dev/null 
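Review bot: `networking.firewall.enable = false;` replaces the previous `allowedTCPPorts = [ imapsPort sievePort ]`, so every listener inside the container (dovecot's plain IMAP port that `enableImap = true` presumably also opens, lmtp, sieve) is reachable from the host bridge rather than only the two forwarded ports; `networking.firewall.allowedTCPPorts = [ imapsPort sievePort ];` keeps the firewall on and still admits the forwarded services. The `/etc/secrets/` bind mount that holds `server.pem` and `server.key` is declared `isReadOnly = false` although nothing in this hunk writes there, so `isReadOnly = true;` would limit what a compromised dovecot can do to the TLS key. `environment.etc."dovecot/users".text` with the default symlink mode exposes the users file (presumably a crypt hash, given `scheme=CRYPT`) as a world-readable store path; setting `environment.etc."dovecot/users".mode = "0400";` with `user = config.users.users.dovecot2.name;` at least keeps the `/etc` copy private. Also, the getmail-webde `script` lost `--idle=INBOX`, so with `Restart = "always"` and `RestartSec = 1000` it now polls roughly every 17 minutes instead of idling; a comment noting that this is intended would avoid it being read as a regression.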
@@ -1,53 +0,0 @@ -email_mailStefanjunkerDe: ENC[AES256_GCM,data:sSBunuv4wipvl720vBrObPVlwMqf8MCWPA==,iv:57SPbRgdO1OtCunFbRJ9rLadWfrCF072lv27ond6qQ0=,tag:DpTeij/rGCK2NQMre5xBsw==,type:str] -email_mailStefanjunkerDeHetzner: ENC[AES256_GCM,data:HvPU/tV2uwutE8q6BzMjkw==,iv:sxERmGojxJhTre2XhslD/B3hesJaP8Cn6TJ7G2WygQw=,tag:JeRI3a2oc/cMJWqyiICgYw==,type:str] -email_schtifATwebDe: ENC[AES256_GCM,data:OOmxkHcM25A+rSmPE1lmvUylv0TT2qWWeA==,iv:ysnRyv4WwbnovgEZcwmk1Rdo6U7gBWDFvGIxgF/m/5A=,tag:9b7q+mceiDx5y8qVVHjBhw==,type:str] -email_dovecot_steveej: ENC[AES256_GCM,data:nZJX2ZIe2pJTzBIU/XRZaiiy9NmUtJydaOvSAQT3icCEeLTvgah48mgrz14eGPuOEupVqKII5jpHw3Xid+QWzdIels0B9M4+GgVT85yVAaPQKw==,iv:vb2bKtgeJI4fvRfKoR8AoBpv9WOkAAKQ3DzMInGF4SA=,tag:p6q0rfyG0g1hF8PR476TZQ==,type:str] -email_postmasterStefanjunkerDe: ENC[AES256_GCM,data:mUe2SbT1aj6yCav0X0lZ04rxYjJjQfKOqw==,iv:ZtOca09m2ne36cmLem/dNnmrsTV6fWaluuoPS85HdGc=,tag:2Z8RwuKJteXUKyuzpFzyfg==,type:str] -dovecotSslServerCert: ENC[AES256_GCM,data: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,iv:6zMCqVVdsbJmEr9YDQ5FqYhRcV36aM585YZz/Dd+b3c=,tag:LCDn6L/VJvW8St1CHXcObw==,type:str] -dovecotSslServerKey: ENC[AES256_GCM,data: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,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] -hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQjVya2RyY1MxQUxtTHdX - MGlZRWdxZ3VXb01KbCtTSkJMR3dkZkZ0UGw0CitXcldZT3NJWExYZG50QnowMVhV - WDBpc0VFYjZnZDJDSWhUcHFHTzBiYkUKLS0tIFlrMmlxUkNVZExSNGN4VlMxcUw1 - VW8rSVdDcGZKcHpocjdqZldiaFpqRlUKfQNcKrI6PuyeFv06Es8NsHm8I7NzxJ1k - ir088kx66xcXeEiyA4DnIcAWG9O6HEVXXnSahAIE2jcupSSouDF3ug== - -----END AGE ENCRYPTED FILE----- - - recipient: 
age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0OGlqTEhtaGR2Yi8vTVcv - NUtvd0ptS3h5Rnd1RGNuYlY2bHMrUmpKWHhRCkJpYjloQWhSM0FsNlNYSVcvWktV - VkkvblAyRXBadUJjK3h3c2JJbDZHc0kKLS0tIEhMbVZsekM5VDRhbDB0KzdyK1li - dWdhSGtFN1oybGpIb294ZE0zcDFUaEkK/AyEXeVmiYk1/IZdkyNGN4bccMFx5+JE - BazBF2NkztUWnyhqRvyp0cBucx7h/HhRSzqxwSr20lvv8XpRPGh8Iw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-17T12:01:21Z" - mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] - pgp: - - created_at: "2025-06-05T09:49:08Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/8DFSjoJYmO4+yvi4WT6mgrlzmAIvX0Ozch9XY+6DDOwiN - 746QgI6FI5NpmayTbhddhL1J3tiWkzOyAMhxd8JVNDdZHDJ9lDMCq5s/6yYJZvst - qpoU2pjeYFc+ag+H7m8d5dIaR352aBlKw+MMGOvBinM+5qAWNWo1Vams/9HV3BAV - vsFKLSj3eo3/MjjzY3bPlfBwhkDnudzfVJXcY7GhbVVzaQKXosoGjMfCKvSQNMWr - z52P40pfkXx1nWUt79G4xcH/G+lCUlz93RmS89sLS+YrrjKGQc4xcYpqpNjy5Xdw - rz+nGuOsMKXqLuxYJVuiTcxN0agVily9BTifUYiJZfS9cpbMvLwTyUOcc64EVCKH - Gg0b5l5DhyUKKk3klzgeXTlj2zPhKjGVT2MnZShZRspfGfV6T7iP761YD4ucaExd - 1+/cegyfeCNAykt4lD6ACeQXRLDs8rU2hUjpN3J6AemLW+Aj/ZnRVZWzgIvnDEEY - pyz/rAk5J6m7Q7909TcMuFg3j9ENeJZuRSwxwF0MRUYLZByKCH3QY9CE3mCh7Xni - p5znHpYaYqNIoiTmbBcxEx4mYRXUkorLTJXt4AO7zQB24ZReLDRsSzvrnQqyLIdA - b4pK2k2/L0Hagu2SZFvfhgw4qWZpIlgcoOVbe2dkmbIXMbjb8SuF/2jFwushALjS - XAG+iXYORCrvsuJoNjnQtSW0OGqYwuNNvWo2Ymyg2sA6CW+O6gsCZpZE0FKHcbl/ - FxgecFBl+P6Dk4OOewie+E4cZWIq2uXQch8QPSk5huuyUms6VZI2fre83dMv - =mHmB - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 
diff --git a/nix/os/containers/mycelium/flake.lock b/nix/os/containers/mycelium/flake.lock deleted file mode 100644 index 0a7597d..0000000 --- a/nix/os/containers/mycelium/flake.lock +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "nodes": { - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "nix-snapshotter", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "nix-snapshotter": { - "inputs": { - "flake-compat": "flake-compat", - "flake-parts": "flake-parts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1723875769, - "narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=", - "owner": "pdtpartners", - "repo": "nix-snapshotter", - "rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da", - "type": "github" - }, - "original": { - "owner": "pdtpartners", - "repo": "nix-snapshotter", - "type": "github" - } - }, - "nixlib": { - "locked": { - "lastModified": 1728781282, - "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixos-generators": { - "inputs": { - "nixlib": "nixlib", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1728867876, - "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0", - "type": 
"github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1728897630, - "narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "nix-snapshotter": "nix-snapshotter", - "nixos-generators": "nixos-generators", - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/containers/mycelium/flake.nix b/nix/os/containers/mycelium/flake.nix deleted file mode 100644 index 1527acf..0000000 --- a/nix/os/containers/mycelium/flake.nix +++ /dev/null 
@@ -1,371 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; - # nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9"; - nixos-generators = { - url = "github:nix-community/nixos-generators"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nix-snapshotter = { - url = "github:pdtpartners/nix-snapshotter"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - }; - outputs = - { self, nixpkgs, ... }: - let - systems = [ - "aarch64-linux" - "x86_64-linux" - ]; - forAllSystems = nixpkgs.lib.genAttrs systems; - in - { - nixosConfigurations.default = nixpkgs.lib.nixosSystem { - system = "aarch64-linux"; - - specialArgs = { }; - - modules = [ - ( - { - config, - modulesPath, - pkgs, - lib, - ... - }: - { - nixpkgs.overlays = [ - (_final: _previous: { - # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; - # systemd = - # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { - # src = /home/steveej/src/others/systemd; - - # withAppArmor = false; - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # withArchive = false; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # }) - # pkgs.systemdMinimal.override { - # # getting errors with these disabled - # withCoredump = true; - # withCompression = true; - # withLogind = true; - # withSysusers = true; - # withUserDb = true; - # } - # pkgs.systemdMinimal - # pkgs.systemd.override { - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # 
withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # } - # ; - }) - ]; - - imports = [ (modulesPath + "/profiles/minimal.nix") ]; - system.stateVersion = "24.11"; - - # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix - boot.isContainer = true; - # boot.tmp.useTmpfs = true; - boot.loader.grub.enable = lib.mkForce false; - boot.loader.systemd-boot.enable = lib.mkForce false; - services.journald.console = "/dev/console"; - services.journald.storage = "none"; - # boot.specialFileSystems = lib.mkForce {}; - - services.nscd.enable = false; - system.nssModules = lib.mkForce [ ]; - systemd.services.systemd-logind.enable = false; - systemd.services.console-getty.enable = false; - - systemd.sockets.nix-daemon.enable = false; - systemd.services.nix-daemon.enable = false; - systemd.oomd.enable = false; - networking.useDHCP = false; - networking.firewall.enable = false; - - # system.build.earlyMountScript = - # lib.mkForce '' - # ''; - # system.activationScripts.specialfs = - # lib.mkForce '' - # ''; - boot.postBootCommands = '' - ls -lha /run - mkdir -p /run/wrappers - ''; - - boot.kernelParams = [ "systemd.log_level=debug" ]; - - # services.udev.enable = false; - - # TODO: this is only needed because `/run/current-system` is missing - # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; - - systemd.mounts = lib.mkForce [ ]; - fileSystems = lib.mkForce { }; - - services.mycelium.enable = false; - services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; - systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; - 
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; - systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce ( - pkgs.writeShellScript "mycelium" '' - while true; do - ls -lha $CREDENTIALS_DIRECTORY - sleep 5 - done - '' - ); - - systemd.services.testing-credentials = { - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.coreutils ]; - - serviceConfig = { - # SyslogIdentifier = "testing-credentials"; - # StateDirectory = "testing-credentials"; - # DynamicUser = true; - # User = "tc"; - # ProtectHome = true; - # ProtectSystem = true; - # LoadCredential = [ - # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" - # "hosts:/etc/hosts" - # ]; - SetCredential = "mycelium-keyfile:not secret string"; - ExecStart = lib.mkForce ( - pkgs.writeShellScript "mycelium" '' - cd $STATE_DIRECTORY - pwd - env - while true; do - ls -lha $CREDENTIALS_DIRECTORY - sleep 5 - done - '' - ); - }; - }; - - services.caddy = { - enable = true; - globalConfig = '' - auto_https off - ''; - virtualHosts.":80" = { - extraConfig = '' - respond "hello from ${config.networking.hostName}" - ''; - }; - }; - } - ) - ]; - }; - packages = forAllSystems ( - system: - let - name = "mycelium"; - inherit (self.inputs) nix-snapshotter; - - config = { - entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; - # port = 2379; - args = [ ]; - # nodePort = 30001; - }; - - myceliumPorts = { - tcp = [ 9651 ]; - udp = [ - 9650 - 9651 - ]; - }; - - inherit (config) - entrypoint - # port - - args - # nodePort - - ; - - pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; }; - - image = pkgs.nix-snapshotter.buildImage { - inherit name; - resolvedByNix = true; - config = { - entrypoint = [ entrypoint ]; - env = [ - # this is read by the `/init` script and prevents various incompatible commands like mount, etc. - # the value of this doesn't seem to matter as long as it's not an empty string. 
- "container=nerd" - "SYSTEMD_LOG_LEVEL=debug" - ]; - volumes = { - # "/var/lib/private/mycelium/key.bin" = {}; - # "/run" = {}; - # "/tmp" = {}; - # "/etc" = {}; - }; - copyToRoot = [ - # self.nixosConfigurations.default.config.system.build.toplevel - ]; - }; - }; - in - { - k8s = - let - pod = pkgs.writeText "${name}-pod.json" ( - builtins.toJSON { - apiVersion = "v1"; - kind = "Pod"; - metadata = { - inherit name; - labels = { - inherit name; - }; - }; - spec.containers = [ - { - inherit name args; - image = "nix:0${image}"; - ports = [ - { - name = "mycelium-tcp-0"; - containerPort = builtins.elemAt myceliumPorts.tcp 0; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 0; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 1; - } - ]; - } - ]; - } - ); - - service = pkgs.writeText "${name}-service.json" ( - builtins.toJSON { - apiVersion = "v1"; - kind = "Service"; - metadata.name = "${name}-service"; - spec = { - type = "NodePort"; - selector = { - inherit name; - }; - ports = [ - { - name = "mycelium-tcp-0"; - port = builtins.elemAt myceliumPorts.tcp 0 + 50000; - targetPort = "mycelium-tcp-0"; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 0 + 50000; - targetPort = "mycelium-udp-0"; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 1 + 50000; - targetPort = "mycelium-udp-1"; - } - ]; - }; - } - ); - in - pkgs.runCommand "declarative-k8s" { } '' - mkdir -p $out/share/k8s - cp ${pod} $out/share/k8s/ - cp ${service} $out/share/k8s/ - ''; - - inherit image; - - start = pkgs.writeShellApplication { - name = "start"; - text = '' - set -x - rm -rf ./result - nix build --impure .#image - sudo nix2container load ./result - sudo -E nerdctl run --name ${name} --privileged -dt \ - --cgroup-manager cgroupfs \ - --volume 
"$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ - "nix:0$(readlink result):latest" - ''; - }; - - stop = pkgs.writeShellApplication { - name = "stop"; - text = '' - set +e - sudo -E nerdctl stop -t 60 ${name} - sudo -E nerdctl rm --force ${name} - sudo -E nerdctl system prune --all --force - sudo systemctl stop nix-snapshotter - sudo systemctl stop containerd - mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l - sudo systemctl start containerd - sudo systemctl start nix-snapshotter - ''; - - # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) - - # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap - }; - } - ); - }; -} diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix index 4cd736a..9ab498a 100644 --- a/nix/os/containers/syncthing.nix +++ b/nix/os/containers/syncthing.nix 
@@ -1,82 +1,29 @@ -{ - specialArgs, - hostBridge, - hostAddress, - localAddress, - syncthingPort ? 22000, - syncthingLocalAnnouncePort ? 21027, - smbTcpPort ? 445, - autoStart ? false, +{ hostAddress +, localAddress +, syncthingPort ? 22000 }: + { - inherit specialArgs; - config = - { ... }: - { - system.stateVersion = "20.05"; # Did you read the comment? - imports = [ ../profiles/containers/configuration.nix ]; + config = { config, pkgs, ... }: { + imports = [ + ../profiles/containers/configuration.nix + ]; - networking.firewall.allowedTCPPorts = [ - # syncthing gui - 8384 - ]; + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ + # syncthing gui + 8384 + ]; - services.syncthing = { - enable = true; - openDefaultPorts = true; - guiAddress = "0.0.0.0:8384"; - }; - - services.samba = { - enable = true; - securityType = "user"; - openFirewall = true; - settings = { - global = { - "workgroup" = "DMZ"; - "server string" = "syncthing"; - "netbios name" = "syncthing"; - "security" = "user"; - #"use sendfile" = "yes"; - #"max protocol" = "smb2"; - # note: localhost is the ipv6 localhost ::1 - "hosts allow" = "192.168.23. 127.0.0.1 localhost"; - "hosts deny" = "0.0.0.0/0"; - "guest account" = "nobody"; - "map to guest" = "bad user"; - }; - "scan-stefan" = { - "path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "syncthing"; - "force group" = "syncthing"; - }; - - "scan-justyna" = { - "path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna"; - "browseable" = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - "force user" = "syncthing"; - "force group" = "syncthing"; - }; - }; - }; - - # TODO: find out if smbpasswd file is still used and set it here. 
or find an alternative - # sops.secrets.smbpasswd = { - # }; - # environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text; + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; }; + }; - inherit autoStart; + autoStart = true; bindMounts = { "/var/lib/syncthing/" = { @@ -92,22 +39,7 @@ hostPort = syncthingPort; protocol = "tcp"; } - { - containerPort = 22000; - hostPort = syncthingPort; - protocol = "udp"; - } - { - containerPort = 21027; - hostPort = syncthingLocalAnnouncePort; - protocol = "udp"; - } - { - containerPort = 445; - hostPort = smbTcpPort; - protocol = "tcp"; - } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index 5992906..089f266 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix 
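Review bot: `guiAddress = "0.0.0.0:8384"` together with `networking.firewall.allowedTCPPorts = [ 8384 ]` makes the syncthing admin UI and REST API listen on every interface of the container and lets it through the firewall that this hunk enables, while nothing in the new config sets a GUI user or password; the `forwardPorts` list in the next hunk forwards only 22000/tcp, so the exposure is to whatever can route to `localAddress`, presumably every peer on the host bridge. Unless the UI is meant to be served to that network, bind it to loopback and drop the firewall entry — `guiAddress = "127.0.0.1:8384";` — and reach it through an SSH port forward; if it must stay reachable, configure GUI credentials in syncthing before opening the port. `openDefaultPorts = true` additionally opens 22000/tcp+udp and 21027/udp in the container firewall, which is expected for sync traffic but means the container relies on the host for any further filtering. The enclosing container attrset continues into the next hunk.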
@@ -1,436 +1,76 @@ -{ - specialArgs, - hostBridge, - hostAddress, - localAddress, - httpPort, - httpsPort, - forgejoSshPort, - autoStart ? false, -}: -let - domain = "www.stefanjunker.de"; -in -{ - inherit specialArgs; - config = - { - config, - pkgs, - lib, - repoFlake, - nodeFlake, - system, - ... - }: - let - nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable; - in - { - system.stateVersion = "22.05"; # Did you read the comment? +{ hostAddress +, localAddress +, httpsPort ? 443 +}: { + config = { config, pkgs, lib, ... }: { + imports = [ + ../profiles/containers/configuration.nix + ]; - disabledModules = [ - "services/misc/forgejo.nix" - "services/security/kanidm.nix" - ]; + networking.firewall.enable = false; - imports = [ - "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" - "${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" - - ../profiles/containers/configuration.nix - - repoFlake.inputs.sops-nix.nixosModules.sops - ]; - - sops.defaultSopsFile = ./webserver_secrets.yaml; - - networking.firewall.allowedTCPPorts = [ - httpPort - httpsPort - forgejoSshPort - ]; - - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.secrets.hedgedoc_environment_file = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.hedgedoc.name; - }; - - services.caddy = { + services.ddclientovh = { enable = true; - logFormat = '' - level ERROR - ''; - virtualHosts."${domain}" = { - extraConfig = '' - redir /hedgedoc* https://hedgedoc.${domain} - - basic_auth /justyna/202505_prt_teil1* { - prt $2a$14$y7tZYZxTlJ2JFsBtRM.D8Ok0oHhWt53mGXk.xJMLXc/JF.bTtOWaq - } - - file_server /* { - browse - root /var/www/stefanjunker.de/htdocs/caddy - pass_thru - } - - # respond "Hi" - # respond (not /*/*) "Hi" - ''; - }; - - virtualHosts."hedgedoc.${domain}" = { - extraConfig = '' - reverse_proxy http://[::1]:3000 - ''; - }; - - virtualHosts."authelia.${domain}" = { - extraConfig = '' - reverse_proxy 
http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} - ''; - }; - - virtualHosts."lldap.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} - ''; - }; - - virtualHosts."forgejo.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} - ''; - }; - - virtualHosts."kanidm.${domain}" = { - extraConfig = '' - reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} - } - } - ''; - }; - }; - - services.hedgedoc = { - enable = true; - settings = { - domain = "hedgedoc.${domain}"; - urlPath = ""; - protocolUseSSL = true; - db = { - dialect = "sqlite"; - storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; - }; - - allowAnonymous = false; - allowAnonymousEdits = false; - allowGravatar = false; - allowFreeURL = false; - defaultPermission = "private"; - - allowEmailRegister = false; - email = false; - - ldap = { - url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; - bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; - # these are set via the `environmentFile` - # bindCredentials = "$LDAP_ADMIN_PASSWORD"; - searchBase = "ou=people,dc=stefanjunker,dc=de"; - searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; - useridField = "uid"; - }; - - oauth2 = - let - originURL = config.services.kanidm.serverSettings.origin; - in - { - providerName = "kanidm (${originURL})"; - - authorizationURL = "${originURL}/ui/oauth2"; - tokenURL = "${originURL}/oauth2/token"; - userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; - - scope = "openid email profile"; - # rolesClaim = "roles"; - # accessRole = "role/hedgedoc"; - - userProfileUsernameAttr = "name"; - 
userProfileDisplayNameAttr = "displayname"; - userProfileEmailAttr = "email"; - - clientID = "hedgedoc"; - # set via the `environmentFile` - # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; - }; - - uploadsPath = "/var/lib/hedgedoc/uploads"; - }; - - environmentFile = config.sops.secrets.hedgedoc_environment_file.path; - }; - - services.jitsi-meet = { - enable = false; - hostName = "meet.${domain}"; - config = { - prejoinPageEnabled = true; - }; - caddy.enable = true; - nginx.enable = false; - }; - - sops.secrets.authelia_storageEncryptionKey = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - sops.secrets.authelia_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - services.authelia.instances.default = - let - baseDir = "/var/lib/authelia-default"; - in - { - enable = true; - secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; - secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; - settings = { - theme = "auto"; - default_2fa_method = "totp"; - log.level = "debug"; - - server = { - disable_healthcheck = true; - host = "127.0.0.1"; - port = 9091; - # path = "authelia"; - }; - - storage = { - local.path = "${baseDir}/authelia.sqlite"; - }; - - authentication_backend = { - file.path = "${baseDir}/first_factor.yaml"; - file.search.email = true; - file.search.case_insensitive = false; - }; - - access_control = { - default_policy = "one_factor"; - }; - - session.domain = "stefanjunker.de"; - - notifier = { - disable_startup_check = true; - filesystem.filename = "${baseDir}/notification.txt"; - }; - }; - }; - - users.groups.lldap = { }; - users.users.lldap = { - isSystemUser = true; - group = "lldap"; - }; - - sops.secrets.lldap_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_adminPassword = { - sopsFile = ./webserver_secrets.yaml; - 
owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_environmentFile = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - services.lldap = { - enable = true; - environment = { - LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; - LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; - }; - environmentFile = config.sops.secrets.lldap_environmentFile.path; - - settings = { - verbose = true; - - ldap_base_dn = "dc=stefanjunker,dc=de"; - http_url = "https://lldap.${domain}"; - - ## Options to configure SMTP parameters, to send password reset emails. - ## To set these options from environment variables, use the following format - ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD - smtp_options = { - ## Whether to enabled password reset via email, from LLDAP. - enable_password_reset = true; - - # port = 465; - ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". - # smtp_encryption = "TLS"; - }; - - # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; - }; - }; - - sops.secrets.FORGEJO_JWT_SECRET = { }; - sops.secrets.FORGEJO_INTERNAL_TOKEN = { }; - sops.secrets.FORGEJO_SECRET_KEY = { }; - - services.forgejo = { - enable = true; - package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; - settings = { - service.DISABLE_REGISTRATION = true; - server.HTTP_ADDR = "127.0.0.1"; - server.START_SSH_SERVER = true; - server.SSH_PORT = forgejoSshPort; - server.ROOT_URL = "https://forgejo.${domain}"; - server.HTTP_PORT = 3001; - - # TODO: how do i get a 3072 length SSH key with the yubikey? 
- "ssh.minimum_key_sizes".RSA = 2048; - }; - secrets = { - oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; - security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; - security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; - }; - }; - - systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; - systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; - systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; - - # combine a path watcher with a service that transfers the certs by caddy to kanidm - # TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate - systemd.paths.kanidm-tls-watch = { - enable = true; - requiredBy = [ "kanidm.service" ]; - pathConfig = { - PathChanged = [ - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - ]; - Unit = "kanidm-tls-update.service"; - }; - }; - systemd.services.kanidm-tls-update = - let - dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; - in - { - enable = true; - requiredBy = [ "kanidm.service" ]; - unitConfig = { - # ConditionPathExists = [ - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - # ]; - }; 
- serviceConfig.Type = "oneshot"; - script = - let - tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key; - in - '' - set -xe - - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain - - chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} - chmod 400 tls.{key,chain} - - # create the kanidm directory in case it's missing - if [[ ! -d ${tlsDir} ]]; then - mkdir -p ${tlsDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} - chmod 700 ${tlsDir} - fi - - mv tls.key ${config.services.kanidm.serverSettings.tls_key} - mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} - - if [[ ! 
-d ${dbDir} ]]; then - mkdir -p ${dbDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} - chmod 700 ${dbDir} - fi - ''; - }; - - systemd.services.kanidm.serviceConfig = - let - dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; - in - # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; - { - # ExecStartPre = '' - # mkdir -p ${dbDir} - # ''; - BindPaths = [ - dbDir - # stateDir - ]; - }; - - services.kanidm = - let - dataDir = "/var/lib/kanidm"; - in - { - package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; - - enablePam = false; - enableClient = false; - - enableServer = true; - serverSettings = { - role = "WriteReplica"; - log_level = "debug"; - - domain = "kanidm.${domain}"; - origin = "https://kanidm.${domain}"; - - bindaddress = "127.0.0.1:8444"; - - # don't expose ldap - # ldapbindaddress = "[::1]:6636"; - - tls_key = "${dataDir}/tls/tls.key"; - tls_chain = "${dataDir}/tls/tls.chain"; - - online_backup = { - schedule = "00 06 * * *"; - }; - }; - }; + domain = "www.stefanjunker.de"; }; - inherit autoStart; + services.nginx.enable = true; + services.nginx.virtualHosts."stefanjunker.de" = { + default = true; + onlySSL = true; + root = "/var/www/stefanjunker.de/htdocs"; + + sslCertificate = "/etc/secrets/stefanjunker.de/nginx/nginx.crt"; + sslCertificateKey = "/etc/secrets/stefanjunker.de/nginx/nginx.key"; + + locations."/fi" = { + index = "index.php"; + }; + + locations."~ ^(.+\.php)(.*)$".extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(.*)$; + + fastcgi_pass unix:${config.services.phpfpm.pools.mypool.socket}; + fastcgi_index index.php; + ''; + }; + + services.phpfpm.pools.mypool = { + user = "nobody"; + phpPackage = pkgs.php5; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 5; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 1; + "pm.max_spare_servers" = 
3; + "pm.max_requests" = 500; + + "php_admin_value[error_reporting]" = "E_ALL & ~E_NOTICE & ~E_WARNING & ~E_STRICT & ~E_DEPRECATED"; + }; + }; + + # the custom php5 we're using here has no fpm-systemd, so the default `Type = "notify"` won't work + systemd.services."phpfpm-mypool" = { + serviceConfig = { + Type = lib.mkForce "simple"; + }; + }; + + services.mysql = { + enable = true; + package = pkgs.mariadb; + }; + }; + + autoStart = true; bindMounts = { - # FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host - "/etc/ssh/ssh_host_ed25519_key".isReadOnly = true; - "/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true; + "/etc/secrets/" = { + hostPath = "/var/lib/container-volumes/webserver/etc-secrets"; + isReadOnly = true; + }; "/var/www" = { hostPath = "/var/lib/container-volumes/webserver/var-www"; 
@@ -441,55 +81,17 @@ in hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql"; isReadOnly = false; }; - - "/var/lib/hedgedoc" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-hedgedoc"; - isReadOnly = false; - }; - - "/var/lib/authelia-default" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-authelia-default"; - isReadOnly = false; - }; - - "/var/lib/lldap" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap"; - isReadOnly = false; - }; - - "/var/lib/forgejo" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo"; - isReadOnly = false; - }; - - "/var/lib/kanidm" = { - hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm"; - isReadOnly = false; - }; }; privateNetwork = true; forwardPorts = [ - { - # http - containerPort = 80; - hostPort = httpPort; - protocol = "tcp"; - } { # https containerPort = 443; hostPort = httpsPort; protocol = "tcp"; } - - { - # forgejo ssh - containerPort = forgejoSshPort; - hostPort = forgejoSshPort; - protocol = "tcp"; - } ]; - inherit hostBridge hostAddress localAddress; + inherit hostAddress localAddress; } diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml deleted file mode 100644 index d5c1dcd..0000000 --- a/nix/os/containers/webserver_secrets.yaml +++ /dev/null 
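Review bot: The PHP location `~ ^(.+\.php)(.*)$` hands every matching URI to php-fpm via `fastcgi_split_path_info`/`fastcgi_pass` without ever checking that the script part exists, so with php-fpm's default `cgi.fix_pathinfo=1` a request such as `/some/upload.jpg/x.php` under `/var/www/stefanjunker.de/htdocs` can get a non-PHP file executed as PHP; add `try_files $fastcgi_script_name =404;` as the first line of that `extraConfig` and `"php_admin_value[cgi.fix_pathinfo]" = "0";` to the pool settings so the hole is closed on both sides. The location key is a double-quoted Nix string, where `\.` appears to collapse to a bare `.`, so the regex nginx sees is `^(.+.php)(.*)$` and also matches names like `/foophp`; write the key as `"~ ^(.+\\.php)(.*)$"` (the `''`-string inside `fastcgi_split_path_info` keeps its backslash and needs no change). Two further choices in this hunk widen the attack surface: `phpPackage = pkgs.php5` runs a PHP series that has been end-of-life and without security fixes for years, and `networking.firewall.enable = false` leaves whatever MariaDB binds to (enabled below with no `bind-address`) and anything else in the container reachable from the host bridge even though only 443 is forwarded. Re-enabling the firewall with `networking.firewall.allowedTCPPorts = [ 443 ]` costs one line. The vhost and pool definitions are complete in the hunk; the container attrset continues in the next hunk.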
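Review bot: The new `"/etc/secrets/"` bind mount hands the container the host's entire `etc-secrets` tree, although the nginx vhost in this file reads only `/etc/secrets/stefanjunker.de/nginx/nginx.crt` and `nginx.key`; narrow it to that directory, e.g. `"/etc/secrets/stefanjunker.de/nginx" = { hostPath = "/var/lib/container-volumes/webserver/etc-secrets/stefanjunker.de/nginx"; isReadOnly = true; };`, so a secret later dropped anywhere else under that host path is not automatically visible inside the container. `isReadOnly = true` does not narrow file modes, so the private key's host-side owner and mode (presumably root-owned 0600, worth confirming) are what keep it away from the `nobody` php-fpm pool and the nginx worker user. The container attrset closes at the end of this hunk.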
@@ -1,55 +0,0 @@ -hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str] -authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str] -authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str] -lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str] -lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str] -lldap_environmentFile: ENC[AES256_GCM,data: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,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str] -#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment] -FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str] -FORGEJO_INTERNAL_TOKEN: 
ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str] -FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuTitidDZpWVJsZWxmWDFa - emdyTSszczVNbDhZSlVjeWRDMDdXQmg4QmpBCmNLZ0tob2hsRHhlTXY5VHZEY01T - MUtRdUxBM0lmeEo2OVBMdElrYVVvY1EKLS0tIHIwWllkQU9RRjF1U0F0OWdCKzlq - Y3ZxSWI3MUxQNEljNXlUSnlTdlpxazAKKjJYqcDsBzo6yOYDkgtBZntxhsHjqOyZ - yg5G8vtuOiDvPLvODzI/I9VupGyLwEkxaFc67bpg4u/1Cql7oaAADQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsdFg1cm9JTFFyUmYxb1ZP - WWtKTDE4bDBya3pWakJ0bFVkSnZvdExGMlNVCmo0N1BvNnV4MERUTjU2blUzbngv - VDduRWd2K1VlK1k2OWp6L0JhTERnOUEKLS0tIGV0aFZMTGRHNW5HUUhGRkYxNGMz - dHJwN0R1eHkyWXpiVDlRcldHT0gvV28KRiwauYvF4CCu5LeW7+kR3GSkZ+rpIbsC - JF9vV3rxbE9SdJ3nP6CyYQX7tQ6rbXtOKawq3k+z4zV/Dw7gYSNn5Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-16T12:28:51Z" - mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] - pgp: - - created_at: "2025-06-05T09:49:08Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/8DIuNUO6tpyuG0j4Ros6MjHs1USkfY+2ntzqyugGe4OpA - cXLzXWGT7pCxE6bcd7FepG/Nln17219siP9PX1WqEl324GnKXjbAbczjnu/9ggeF 
- bUWBhKFwGivVXDfO8VusG0MN41tJMoDwAelaJdgnXnbAwHISJ20UzFtnTBx67ALs - 5pqHzOf7uuY7eZbl79iEiBJ8Ecj/Y3yrcANbVXQtET7X5629nTMHuizFsym9fy0p - 6elwdrJSGPlncWA/+wsec5WIxwOsrLoEz8rvFpZJo/YI4/5heiL6RmgqKODzAhFp - +PD/VoksJQ0lynzH2jBUKNte7UU5fyMAn9CEu0eY7sNRHpEKWjj/uPoWPkaV3JQ/ - Au2YN9VV0qkyqYZ/6mU1L+Ukaci3kG/hJKM9MxXZ6rVEsuOnbuHPgW9jW/xogo38 - /522CAF+NThKPWbiS/VDHyUsH+h2ubh9jGyFuesP/dNhXbc+6vkcIIBgfsb2IWt1 - Fc2fvUlX9tpJYobk3PmyR88DHv4pXPkgIIEqW6JUHmkjdH+q82sGsRtni58eWUj6 - DXn09tSpM3gu02wlqobca1qrOIKVsQJ/bHB4p6PRFoeqx6Yzfdy8h4WvT75PONGD - DGW7uLYo/ISb/SDgbclNw6vlYsI7ZFtYDTWxtCjrYXFBqRSMftgreRwhi8gU0rTS - XAFXAkIp4B0y8cfxofqJyDsZmil0gJraJpkz/Y0JA+jXlQ2jHlC03xoMZIn60RKn - XI91UY65PAyoQ0LROa/TRBFCLJarLFcCSeth4MhDq06f4spXYtCV9i+2HNBj - =bUJ6 - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/nix/os/devices/vmd102066.contaboserver.net/boot.nix b/nix/os/devices/167.233.1.14/boot.nix similarity index 84% rename from nix/os/devices/vmd102066.contaboserver.net/boot.nix rename to nix/os/devices/167.233.1.14/boot.nix index ed21f9c..18fcc13 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/boot.nix +++ b/nix/os/devices/167.233.1.14/boot.nix @@ -1,4 +1,7 @@ -{ lib, ... }: +{ lib +, ... +}: + { boot.loader.grub.efiSupport = lib.mkForce false; boot.extraModulePackages = [ ]; diff --git a/nix/os/devices/fwhost2/configuration.nix b/nix/os/devices/167.233.1.14/configuration.nix similarity index 69% rename from nix/os/devices/fwhost2/configuration.nix rename to nix/os/devices/167.233.1.14/configuration.nix index fbdc4c0..626c5f1 100644 --- a/nix/os/devices/fwhost2/configuration.nix +++ b/nix/os/devices/167.233.1.14/configuration.nix @@ -1,12 +1,14 @@ { ... }: + { + disabledModules = [ + ]; imports = [ ../../profiles/common/configuration.nix - ../../modules/opinionatedDisk.nix ./system.nix ./hw.nix ./pkg.nix - ./user.nix + ./boot.nix ]; } 
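Review bot: `disabledModules = [ ];` added to the renamed `167.233.1.14/configuration.nix` is a no-op — an empty list disables nothing — and reads like a leftover from a template; either drop it or add a one-line comment on why the slot is kept, e.g. `# placeholder: upstream modules to disable for this device`. The same empty list is added in the `odroidh2p-0/configuration.nix` rename later in this diff.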
diff --git a/nix/os/devices/167.233.1.14/hw.nix b/nix/os/devices/167.233.1.14/hw.nix
new file mode 100644
index 0000000..126fc35
--- /dev/null
+++ b/nix/os/devices/167.233.1.14/hw.nix
@@ -0,0 +1,56 @@
+{ ... }:
+
+let
+ stage1Modules = [
+ # "aesni_intel"
+ # "kvm-intel"
+ "aes_x86_64"
+
+ "virtio_balloon"
+ "virtio_scsi"
+ "virtio_net"
+ "virtio_pci"
+ "virtio_ring"
+ "virtio"
+ "scsi_mod"
+
+ "virtio_blk"
+ "virtio_ring"
+ "bochs_drm"
+ "ata_piix"
+ "pata_acpi"
+ "ata_generic"
+ ];
+
+in
+{
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/354fb107-2f4a-42ad-80dd-9dddb61bfd02";
+ fsType = "ext4";
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/993cce35-cc1f-40cc-b07a-5ea58b99fb5b";
+ fsType = "btrfs";
+ options = [ "subvol=root" ];
+ neededForBoot = true;
+ };
+
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/993cce35-cc1f-40cc-b07a-5ea58b99fb5b";
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ neededForBoot = true;
+ };
+
+ swapDevices = [ { device = "/dev/disk/by-uuid/d16b5f4a-f38c-41c6-8aae-1625be815f9d"; } ];
+
+ boot.loader.grub = {
+ device = "/dev/vda";
+ };
+
+ boot.initrd.availableKernelModules = stage1Modules;
+ boot.initrd.kernelModules = stage1Modules;
+ boot.extraModprobeConfig = ''
+ '';
+}
diff --git a/nix/os/devices/167.233.1.14/pkg.nix b/nix/os/devices/167.233.1.14/pkg.nix
new file mode 100644
index 0000000..bad7478
--- /dev/null
+++ b/nix/os/devices/167.233.1.14/pkg.nix
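Review bot: `stage1Modules` lists `"virtio_ring"` twice (once in the first group and again right after `"virtio_blk"`); remove the second entry so the list stays a set. `boot.extraModprobeConfig = '' '';` assigns the empty default and can be dropped as well. Assigning the same list to both `boot.initrd.kernelModules` and `boot.initrd.availableKernelModules` force-loads every entry in stage 1 instead of loading on demand; if that is deliberate for this VM, a short comment above the list, e.g. `# force-loaded in stage 1 (also listed in availableKernelModules) — confirm intended`, would spare the next reader the question.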
@@ -0,0 +1,30 @@
+{ config
+, pkgs
+, lib
+, ...
+}:
+
+{
+ nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+ nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
+ };
+ home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
+ inherit pkgs;
+ extraPackages = [
+ # required by vscode's remote-ssh plugin
+ pkgs.nodejs
+
+ # allow clipboard exchanges
+ pkgs.xsel
+ pkgs.xclip
+ ];
+ };
+
+ nix.buildMachines = [
+ { hostName = "localhost";
+ system = "x86_64-linux";
+ supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
+ maxJobs = 4;
+ }
+ ];
+}
diff --git a/nix/os/devices/167.233.1.14/system.nix b/nix/os/devices/167.233.1.14/system.nix
new file mode 100644
index 0000000..e57d1b0
--- /dev/null
+++ b/nix/os/devices/167.233.1.14/system.nix
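Review bot: `with pkgs;` in the `nixpkgs.config.packageOverrides` function is unused — its body only calls `import ../../../default.nix` — and the inner `pkgs` parameter shadows the module argument of the same name, so `nixpkgs.config.packageOverrides = _: { nixPath = ...; };` is clearer. `config` and `lib` in the module argument pattern are never used either and can be removed. The `nix.buildMachines` entry for `localhost` with `supportedFeatures` including `kvm` deserves a one-line comment on why a local entry is declared (presumably so feature-gated builds run locally — confirm), since at first sight it looks like a leftover from a remote-builder setup.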
@@ -0,0 +1,104 @@
+{ pkgs
+, lib
+, config
+, ... }:
+
+let
+ keys = import ../../../variables/keys.nix;
+
+in {
+ # TASK: new device
+ networking.hostName = "sj-pvehtz-0"; # Define your hostname.
+ # networking.domain = "";
+
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [
+ # iperf3
+ 5201
+ ];
+ networking.firewall.logRefusedConnections = false;
+
+ networking.usePredictableInterfaceNames = false;
+
+ networking.interfaces.eth0 = {
+ mtu = 1400;
+ useDHCP = false;
+ ipv4.addresses = [
+ { "address" = "167.233.1.14"; "prefixLength" = 29; }
+ ];
+ ipv6.addresses = [
+ ];
+ };
+
+ networking.defaultGateway = {
+ address = "167.233.1.9";
+ interface = "eth0";
+ };
+
+ networking.defaultGateway6 = {
+ address = "fe80::1";
+ interface = "eth0";
+ };
+
+ networking.nameservers = [
+ "1.1.1.1"
+ ];
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "ve-+" ];
+ externalInterface = "eth0";
+ };
+
+ # Kubernetes
+ # services.kubernetes.roles = ["master" "node"];
+
+ # virtualization
+ virtualisation = {
+ docker.enable = true;
+ };
+
+ services.spice-vdagentd.enable = true;
+ services.qemuGuest.enable = true;
+
+ systemd.services."sshd-status" = {
+ enable = true;
+ description = "sshd-status service";
+ path = [ pkgs.systemd ];
+ script = ''
+ systemctl status sshd | grep -i tasks
+ '';
+ };
+
+ systemd.services.sshd.serviceConfig = {
+ TasksMax = 32;
+ };
+
+ systemd.timers."sshd-status" = {
+ description = "Timer to trigger sshd-status periodically";
+ enable = true;
+ wantedBy = [ "timer.target" "multi-user.target" ];
+ timerConfig = {
+ OnActiveSec="360s";
+ OnUnitActiveSec="360s";
+ AccuracySec="1s";
+ Unit = "sshd-status.service";
+ };
+ };
+
+ nix.gc = {
+ automatic = true;
+ };
+
+ networking.useHostResolvConf = true;
+
+ services.openssh.forwardX11 = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system
were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.09"; # Did you read the comment?
+}
diff --git a/nix/os/devices/167.233.1.14/versions.nix b/nix/os/devices/167.233.1.14/versions.nix
new file mode 100644
index 0000000..519781a
--- /dev/null
+++ b/nix/os/devices/167.233.1.14/versions.nix
@@ -0,0 +1,37 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.09";
+ rev = "51aaa3fa1b69559456f9bd4968bd5b179a784f67";
+ };
+in
+
+{
+ inherit nixpkgs;
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-20.03" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.03";
+ rev = "ff6fda61600cc60404bab5cb6b18b8636785b7bc";
+ };
+ "channels-nixos-19.09" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-19.09";
+ rev = "75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1";
+ };
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "24c9b05ac53e422f1af81a156f1fd58499eb27fb";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "9b3e35d991ea6a43f256069dcb2e006006730d05";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-20.09";
+ rev = "7339784e07217ed0232e08d1ea33b610c94657d8";
+ };
+}
diff --git a/nix/os/devices/167.233.1.14/versions.tmpl.nix b/nix/os/devices/167.233.1.14/versions.tmpl.nix
new file mode 100644
index 0000000..a19cc09
--- /dev/null
+++ b/nix/os/devices/167.233.1.14/versions.tmpl.nix
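Review bot: `wantedBy = [ "timer.target" "multi-user.target" ]` in `systemd.timers."sshd-status"` names a target that does not exist; the systemd target for timers is `timers.target`, so the timer is only started through `multi-user.target` and the misspelled dependency is silently ignored — use `wantedBy = [ "timers.target" ];`. `services.openssh.forwardX11 = true` turns on X11 forwarding for every SSH session on a host whose `eth0` carries a public address (`167.233.1.14`); unless X clients genuinely run here, leave it at the default, since a forwarded X11 channel gives processes on this server access to the connecting client's display. `networking.useHostResolvConf = true` is the container option for inheriting the host's `/etc/resolv.conf`; on this bare host it presumably leaves `resolv.conf` unmanaged, in which case `networking.nameservers = [ "1.1.1.1" ]` would never be written — confirm. The `keys` binding in the `let` is unused in this file.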
@@ -0,0 +1,37 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.09";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+in
+
+{
+ inherit nixpkgs;
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-20.03" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.03";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.03 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "channels-nixos-19.09" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-19.09";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-19.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-20.09";
+ rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+}
diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix
index 02b0212..932f730 100644
--- a/nix/os/devices/default.nix
+++ b/nix/os/devices/default.nix
@@ -1,58 +1,40 @@ -{ - dir, - pkgs ? import { }, - ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, - gitRoot ? "$(git rev-parse --show-toplevel)", - # FIXME: why do these need explicit mentioning? - moreargs ? "", - rebuildarg ? "", - ... -}@args: +{ pkgs ? import {} +, ownLib ? import ../lib/default.nix { } +, dir +, rebuildarg +, moreargs ? "" +, diskId ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.encryptedDisk.diskId +, gitRoot ? "$(git rev-parse --show-toplevel)" +, previousDiskId ? "" +}: + let - rebuildargsSudo = [ - "switch" - "boot" - ]; - rebuild = - { - gitRoot, - rebuildarg ? "dry-activate", - moreargs ? "", - ... - }: - pkgs.writeScript "script" '' - #!/usr/bin/env bash - set -xe + rebuildargsSudo = [ "switch" "boot" ]; + rebuild = pkgs.writeScript "script" '' + #!/usr/bin/env bash + set -xe - pushd ${gitRoot}/${dir} - export NIXOS_CONFIG="$PWD"/configuration.nix + pushd ${gitRoot}/${dir} + export NIXOS_CONFIG="$PWD"/configuration.nix - [[ -e "''${NIXOS_CONFIG}" ]] + [[ -e "''${NIXOS_CONFIG}" ]] - if test -L result; then - rm result - fi - - ${ - if - (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null - then - "sudo -E \\" - else - "" - } - nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} - ''; -in -{ - recipes = { - rebuild = rebuild { - inherit gitRoot; - inherit moreargs; - inherit rebuildarg; + ${if (builtins.elem rebuildarg rebuildargsSudo) + && builtins.match ".*--target-host.*" moreargs == null + then + "sudo -E \\" + else + "" } - # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } - # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } - ; - } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); + nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} + if test -L result; then + rm result + fi + ''; + + +in { + recipes = { + inherit 
rebuild; + } // (import ./disk.nix { inherit pkgs ownLib dir rebuildarg moreargs diskId gitRoot previousDiskId; }); } diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index f639344..58fb360 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix @@ -1,25 +1,22 @@ -{ - pkgs, - ownLib, - dir, - gitRoot, - diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, - encrypted ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, - previousDiskId ? "", - ... +{ pkgs +, ownLib +, dir +, rebuildarg +, moreargs +, diskId +, gitRoot +, previousDiskId ? "" }: + let - mntRootVol = "/mnt/${diskId}-root"; -in -rec { + mntRootVol="/mnt/${diskId}-root"; + +in rec { diskMount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe echo Mounting ${diskId} - ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} - ''} + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} sleep 1 sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo mkdir -p /mnt @@ -35,9 +32,7 @@ rec { sudo umount -Rl ${mntRootVol} sudo rmdir ${mntRootVol} sudo vgchange -an ${ownLib.disk.volumeGroup diskId} - ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup close ${ownLib.disk.luksName diskId} - ''} + sudo cryptsetup close ${ownLib.disk.luksName diskId} sync ''; 
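Review bot: The new `diskId` default reads `.hardware.encryptedDisk.diskId` from `$PWD/${dir}/hw.nix`, but the `167.233.1.14/hw.nix` added in this same diff declares no `hardware.encryptedDisk` attribute, so for that device every recipe that forces `diskId` (the `disk.nix` scripts interpolate it into `mntRootVol`) fails at evaluation; `rebuild` still works only because the default is lazy. A tolerant default, `diskId ? (import ((builtins.getEnv "PWD")+"/${dir}/hw.nix") {}).hardware.encryptedDisk.diskId or ""`, keeps the recipe set evaluable, and the `disk.nix` hunks at `@@ -1,25 +1,22 @@` and `@@ -35,9 +32,7 @@` share the assumption, now running `cryptsetup luksOpen`/`close` unconditionally, so devices without LUKS need a guard there as well. `rebuildarg` also lost its default on the new side, which changes the calling convention for whatever invokes this file outside the diff — confirm callers always pass it.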
@@ -50,10 +45,9 @@ rec { [[ -e "''${NIXOS_CONFIG}" ]] [[ -e "${mntRootVol}/nixos" ]] - sudo --preserve-env=PATH -E $SHELL <''; - }; -in -{ - inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; - "channels-nixos-stable" = nixpkgs; - - "channels-nixos-unstable" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable"; - rev = '' - <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = '' - <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-21.11"; - rev = '' - <% git ls-remote https://github.com/nix-community/home-manager.git release-21.11 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; -} diff --git a/nix/os/devices/fwhost2/boot.nix b/nix/os/devices/fwhost2/boot.nix deleted file mode 100644 index 639698f..0000000 --- a/nix/os/devices/fwhost2/boot.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ lib, ... }: -{ - boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; - boot.loader.efi.canTouchEfiVariables = lib.mkForce false; -} diff --git a/nix/os/devices/fwhost2/hw.nix b/nix/os/devices/fwhost2/hw.nix deleted file mode 100644 index a8891e3..0000000 --- a/nix/os/devices/fwhost2/hw.nix +++ /dev/null @@ -1,11 +0,0 @@ -_: { - # TASK: new device - hardware.opinionatedDisk = { - enable = true; - encrypted = false; - diskId = "ata-ST9500325AS_S2WGAP8C"; - }; - - hardware.enableRedistributableFirmware = true; - boot.extraModprobeConfig = ""; -} diff --git a/nix/os/devices/fwhost2/pkg.nix b/nix/os/devices/fwhost2/pkg.nix deleted file mode 100644 index aacf501..0000000 --- a/nix/os/devices/fwhost2/pkg.nix +++ /dev/null 
@@ -1,17 +0,0 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; - }; - home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { - inherit pkgs; - }; - - environment.systemPackages = with pkgs; [ - iw - wirelesstools - ]; - - system.stateVersion = "21.11"; -} diff --git a/nix/os/devices/fwhost2/system.nix b/nix/os/devices/fwhost2/system.nix deleted file mode 100644 index 652347f..0000000 --- a/nix/os/devices/fwhost2/system.nix +++ /dev/null 
@@ -1,86 +0,0 @@ -{ pkgs, lib, ... }: -let - passwords = import ../../../variables/passwords.crypt.nix; -in -{ - # TASK: new device - networking.hostName = "fwhost2"; # Define your hostname. - - networking.useDHCP = false; - - networking.firewall.enable = lib.mkForce false; - networking.firewall.allowedTCPPorts = [ - # iperf3 - 5201 - ]; - - networking.firewall.logRefusedConnections = false; - networking.usePredictableInterfaceNames = false; - - networking.bridges.breth.interfaces = [ - "eth0" - "eth1" - ]; - networking.bridges.breth.rstp = true; - - networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = [ "172.172.171.10" ]; - - # WAN interfaces, currently unused because the OPNsense guest acts as a router. - networking.vlans.wan1.id = 3; - networking.vlans.wan1.interface = "breth"; - networking.interfaces.wan1.ipv4.addresses = [ - { - address = "192.168.0.16"; - prefixLength = 24; - } - ]; - - networking.vlans.wan2.id = 4; - networking.vlans.wan2.interface = "breth"; - networking.interfaces.wan2.ipv4.addresses = [ - { - address = "172.16.0.16"; - prefixLength = 12; - } - ]; - - # Local interfaces, all accessed via VLAN tags on the main bridge - networking.vlans.lan.id = 1; - networking.vlans.lan.interface = "breth"; - networking.interfaces.lan.ipv4.addresses = [ - { - address = "172.172.171.16"; - prefixLength = 24; - } - ]; - - networking.vlans.dmz.id = 5; - networking.vlans.dmz.interface = "breth"; - - networking.vlans.family.id = 6; - networking.vlans.family.interface = "breth"; - - networking.vlans.guests.id = 7; - networking.vlans.guests.interface = "breth"; - - services.hostapd = { - enable = false; - hwMode = "g"; - interface = "wlan0"; - ssid = "noowhere-lan"; - wpaPassphrase = passwords.wifi.noowhere-lan; - extraConfig = '' - bridge=breth - ''; - }; - - virtualisation = { - libvirtd = { - onShutdown = "shutdown"; - enable = true; - }; - }; - - boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; -} 
diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix deleted file mode 100644 index 47efa02..0000000 --- a/nix/os/devices/fwhost2/user.nix +++ /dev/null @@ -1,6 +0,0 @@ -_: { - # users.extraUsers.steveej2 = mkUser { - # uid = 1001; - # openssh.authorizedKeys.keys = keys.users.steveej.openssh; - # }; -} diff --git a/nix/os/devices/fwhost2/versions.nix b/nix/os/devices/fwhost2/versions.nix deleted file mode 100644 index 276eb87..0000000 --- a/nix/os/devices/fwhost2/versions.nix +++ /dev/null @@ -1,30 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-21.11"; - rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; - }; -in -{ - inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; - "channels-nixos-stable" = nixpkgs; - - "channels-nixos-unstable" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable"; - rev = "5aaed40d22f0d9376330b6fa413223435ad6fee5"; - }; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = "4fa26474495acc710fa2b88e7a3f51d90ad3a530"; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-21.11"; - rev = "697cc8c68ed6a606296efbbe9614c32537078756"; - }; -} diff --git a/nix/os/devices/fwhost2/versions.tmpl.nix b/nix/os/devices/fwhost2/versions.tmpl.nix deleted file mode 100644 index d3d0c19..0000000 --- a/nix/os/devices/fwhost2/versions.tmpl.nix +++ /dev/null 
@@ -1,38 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-21.11"; - rev = '' - <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; -in -{ - inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; - "channels-nixos-stable" = nixpkgs; - - "channels-nixos-unstable" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable"; - rev = '' - <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = '' - <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-21.11"; - rev = '' - <% git ls-remote https://github.com/nix-community/home-manager.git release-21.11 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; -} diff --git a/nix/os/devices/hstk0/.gitignore b/nix/os/devices/hstk0/.gitignore deleted file mode 100644 index b2be92b..0000000 --- a/nix/os/devices/hstk0/.gitignore +++ /dev/null @@ -1 +0,0 @@ -result diff --git a/nix/os/devices/hstk0/README.md b/nix/os/devices/hstk0/README.md deleted file mode 100644 index 60ee180..0000000 --- a/nix/os/devices/hstk0/README.md +++ /dev/null @@ -1,6 +0,0 @@ -## bootstrapping - -``` -# TODO: generate an SSH host-key and deploy it via --extra-files -nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252 -``` diff --git a/nix/os/devices/hstk0/configuration.nix b/nix/os/devices/hstk0/configuration.nix deleted file mode 100644 index 32fad43..0000000 --- a/nix/os/devices/hstk0/configuration.nix +++ /dev/null 
@@ -1,146 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - nodeFlake, - nodeName, - system, - ... -}: -{ - disabledModules = [ ]; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - repoFlake.inputs.sops-nix.nixosModules.sops - - nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder - { - roles.nix-remote-builder.schedulerPublicKeys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s" - - # TODO: make this a reference to the private key's secret - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14" - ]; - } - - ../../snippets/nix-settings.nix - { nix.settings.sandbox = lib.mkForce "relaxed"; } - - ../../snippets/mycelium.nix - - # user config - ../../profiles/common/user.nix - { - users.commonUsers = { - enable = true; - enableNonRoot = true; - }; - } - - ../../snippets/home-manager-with-zsh.nix - # { - # home-manager.users.steveej = {pkgs, ...}: { - # imports = [ - # ../../../home-manager/programs/pass.nix - # ../../../home-manager/programs/openvscode-server.nix - # ]; - # }; - # } - ]; - - services.openssh = { - enable = true; - openFirewall = true; - settings.PermitRootLogin = "yes"; - extraConfig = '' - StreamLocalBindUnlink yes - ''; - }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - - nat.enable = true; - firewall.enable = true; - - firewall.allowedTCPPorts = [ 5201 ]; - firewall.allowedUDPPorts = [ 5201 ]; - }; - - disko.devices = - let - disk = id: { - type = "disk"; - device = "/dev/${id}"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - mdadm = { - size = "100%"; - content = { - type = "mdraid"; - name = "raid0"; - }; - }; - }; - }; - }; - in - { - disk = { - sda = disk "sda"; - sdb = disk "sdb"; - }; - mdadm 
= { - raid0 = { - type = "mdadm"; - level = 0; - content = { - type = "gpt"; - partitions = { - primary = { - size = "100%"; - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }; - }; - - system.stateVersion = "24.05"; - - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.initrd.includeDefaultModules = true; - boot.initrd.kernelModules = [ - "dm-raid" - "dm-integrity" - "xhci_pci_renesas" - ]; - - hardware.enableRedistributableFirmware = true; - - virtualisation.libvirtd.enable = true; - - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; -} diff --git a/nix/os/devices/hstk0/default.nix b/nix/os/devices/hstk0/default.nix deleted file mode 100644 index 62e6cc1..0000000 --- a/nix/os/devices/hstk0/default.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ - nodeName, - repoFlake, - nodeFlake, - ... -}: -let - system = "x86_64-linux"; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; - packages' = repoFlake.packages.${system}; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "185.130.224.33"; - deployment.replaceUnknownProfiles = false; - - # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - - imports = [ - nodeFlake.inputs.home-manager.nixosModules.home-manager - - ./configuration.nix - ]; - - networking.hostName = nodeName; - }; -} diff --git a/nix/os/devices/hstk0/flake.lock b/nix/os/devices/hstk0/flake.lock deleted file mode 100644 index 8389a6a..0000000 --- a/nix/os/devices/hstk0/flake.lock +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "nodes": { - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719401812, - "narHash": "sha256-QONBQ/arBsKZNJuSd3sMIkSYFlBoRJpvf1jGlMfcOuI=", - "owner": "nix-community", - "repo": "disko", - "rev": "b6a1262796b2990ec3cc60bb2ec23583f35b2f43", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "get-flake": { - "locked": { - "lastModified": 1714237590, - "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", - "owner": "ursi", - "repo": "get-flake", - "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1718530513, - "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "a1fddf0967c33754271761d91a3d921772b30d0e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1719253556, - "narHash": "sha256-A/76RFUVxZ/7Y8+OMVL1Lc8LRhBxZ8ZE2bpMnvZ1VpY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "fc07dc3bdf2956ddd64f24612ea7fc894933eb2e", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719254875, - "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "get-flake": "get-flake", - 
"home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719189969, - "narHash": "sha256-6MSZrWvXSvUKIr0iC9eSbQ09NSm+j1Oh4o9Gentu1CU=", - "owner": "numtide", - "repo": "srvos", - "rev": "4f314be1307c8d5f1fb3d882a67e09dbdf285850", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/hstk0/flake.nix b/nix/os/devices/hstk0/flake.nix deleted file mode 100644 index 6c9b22f..0000000 --- a/nix/os/devices/hstk0/flake.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - - get-flake.url = "github:ursi/get-flake"; - - home-manager.url = "github:nix-community/home-manager/release-24.05"; - home-manager.inputs.nixpkgs.follows = "nixpkgs"; - - disko.url = "github:nix-community/disko"; - disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - }; - - # outputs = _: {}; - - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - system = "x86_64-linux"; - nodeName = "hostkey-0"; - - mkNixosConfiguration = - { - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = { - nodeFlake = self; - repoFlake = get-flake ../../../..; - inherit nodeName; - }; - - modules = [ ./configuration.nix ] ++ extraModules; - } - ); - in - { - nixosConfigurations = { - native = mkNixosConfiguration { inherit system; }; - }; - }; -} diff --git a/nix/os/devices/hydra.json b/nix/os/devices/hydra.json index a0204bc..3723c24 100644 --- a/nix/os/devices/hydra.json +++ b/nix/os/devices/hydra.json 
@@ -1,24 +1,16 @@
 {
- "enabled": 1,
- "hidden": false,
- "description": "Jobsets",
- "nixexprinput": "src",
- "nixexprpath": "default.nix",
- "checkinterval": 300,
- "schedulingshares": 100,
- "enableemail": false,
- "emailoverride": "",
- "keepnr": 3,
- "inputs": {
- "src": {
- "type": "git",
- "value": "git://github.com/shlevy/declarative-hydra-example.git",
- "emailresponsible": false
- },
- "nixpkgs": {
- "type": "git",
- "value": "git://github.com/NixOS/nixpkgs.git release-16.03",
- "emailresponsible": false
+ "enabled": 1,
+ "hidden": false,
+ "description": "Jobsets",
+ "nixexprinput": "src",
+ "nixexprpath": "default.nix",
+ "checkinterval": 300,
+ "schedulingshares": 100,
+ "enableemail": false,
+ "emailoverride": "",
+ "keepnr": 3,
+ "inputs": {
+ "src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false },
+ "nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false }
 }
- }
 }
diff --git a/nix/os/devices/odroidh2p-0/README.md b/nix/os/devices/odroidh2p-0/README.md
new file mode 100644
index 0000000..8ed679d
--- /dev/null
+++ b/nix/os/devices/odroidh2p-0/README.md
@@ -0,0 +1,37 @@
+# Manual installation - unencrypted
+
+## Partitioning
+```
+mkpart bios_grub 1MiB 2MiB
+set 1 bios_grub on
+mkpart bios 2MiB 512MiB
+set 2 esp on
+mkpart pv 512MiB 100%
+```
+
+## LVM
+```
+pvcreate /dev/mmcblk0p3
+vgcreate odroidh2p-0 /dev/mmcblk0p3
+lvcreate -L 1g -n swap odroidh2p-0
+lvcreate -L 32G -n nixos odroidh2p-0
+```
+
+## Filesystems
+
+```
+mkfs.fat -F 32 -n boot /dev/mmcblk0p2
+mkfs.btrfs /dev/odroidh2p-0/nixos
+mkswap /dev/odroidh2p-0/swap
+# subvolume for rootfs and home
+# mount at /mnt/nixos
+mkdir -p /mnt/nixos/etc/boot/
+```
+
+## NixOS install
+
+FIXME: why was this necessary?
+```
+mkdir -p /mnt/nixos/etc/nixos/
+touch /mnt/nixos/etc/nixos/configuration.nix
+```
diff --git a/nix/os/devices/odroidh2p-0/boot.nix b/nix/os/devices/odroidh2p-0/boot.nix
new file mode 100644
index 0000000..2cb19ca
--- /dev/null
+++ b/nix/os/devices/odroidh2p-0/boot.nix
@@ -0,0 +1,10 @@
+{ lib
+, config
+, ...
+}:
+
+{
+ boot.extraModulePackages = [
+ config.boot.kernelPackages.r8125
+ ];
+}
diff --git a/nix/os/devices/fwhost1/configuration.nix b/nix/os/devices/odroidh2p-0/configuration.nix
similarity index 69%
rename from nix/os/devices/fwhost1/configuration.nix
rename to nix/os/devices/odroidh2p-0/configuration.nix
index fbdc4c0..626c5f1 100644
--- a/nix/os/devices/fwhost1/configuration.nix
+++ b/nix/os/devices/odroidh2p-0/configuration.nix
@@ -1,12 +1,14 @@ { ... }: + { + disabledModules = [ + ]; imports = [ ../../profiles/common/configuration.nix - ../../modules/opinionatedDisk.nix ./system.nix ./hw.nix ./pkg.nix - ./user.nix + ./boot.nix ]; }
diff --git a/nix/os/devices/odroidh2p-0/hw.nix b/nix/os/devices/odroidh2p-0/hw.nix
new file mode 100644
index 0000000..bb12514
--- /dev/null
+++ b/nix/os/devices/odroidh2p-0/hw.nix
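Review bot: The added `disabledModules = [ ];` in configuration.nix is an empty list and therefore a no-op; either drop it or leave a comment naming the module it is reserved for, e.g. `# disabledModules: none yet; reserved for overriding upstream modules`. The same hunk removes the `./user.nix` import while keeping `../../profiles/common/configuration.nix`; if user accounts for this board were defined only in the dropped file, the host will end up with whatever the common profile provides and nothing more — worth confirming before the first deploy, since that is not visible from the diff.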
@@ -0,0 +1,71 @@
+{ ... }:
+
+let
+ stage1Modules = [
+ # "aesni_intel"
+ # "kvm-intel"
+ "aes_x86_64"
+
+ "mmc_block"
+ "mmc_core"
+ "sdhci_pci"
+ "sdhci"
+ "cqhci"
+ "mii"
+ "usbnet"
+ "ax88179_178a"
+ "libphy"
+ "libata"
+ "libahci"
+ "usbcore"
+ "xhci_hcd"
+ "scsi_mod"
+
+
+ "fat"
+ "vfat"
+ "i915"
+ "mei_me"
+ "ahci"
+ "xhci_pci"
+ "intel_lpss_pci"
+ "intel_lpss_pci"
+ "intel_lpss_pci"
+ "intel_lpss_pci"
+ "sdhci_pci"
+ "i2c_i801"
+ "r8169"
+ ];
+
+in
+{
+ fileSystems."/boot" = {
+ device = "/dev/mmcblk0p2";
+ fsType = "vfat";
+ };
+
+ fileSystems."/" = {
+ device = "/dev/odroidh2p-0/nixos";
+ fsType = "btrfs";
+ options = [ "subvol=rootfs" ];
+ neededForBoot = true;
+ };
+
+ fileSystems."/home" = {
+ device = "/dev/odroidh2p-0/nixos";
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ neededForBoot = true;
+ };
+
+ swapDevices = [ { device = "/dev/odroidh2p-0/swap"; } ];
+
+ boot.loader.grub = {
+ device = "/dev/mmcblk0";
+ };
+
+ boot.initrd.availableKernelModules = stage1Modules;
+ boot.initrd.kernelModules = stage1Modules;
+ boot.extraModprobeConfig = ''
+ '';
+}
diff --git a/nix/os/devices/odroidh2p-0/pkg.nix b/nix/os/devices/odroidh2p-0/pkg.nix
new file mode 100644
index 0000000..bad7478
--- /dev/null
+++ b/nix/os/devices/odroidh2p-0/pkg.nix
@@ -0,0 +1,30 @@
+{ config
+, pkgs
+, lib
+, ...
+}:
+
+{
+ nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+ nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
+ };
+ home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
+ inherit pkgs;
+ extraPackages = [
+ # required by vscode's remote-ssh plugin
+ pkgs.nodejs
+
+ # allow clipboard exchanges
+ pkgs.xsel
+ pkgs.xclip
+ ];
+ };
+
+ nix.buildMachines = [
+ { hostName = "localhost";
+ system = "x86_64-linux";
+ supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"];
+ maxJobs = 4;
+ }
+ ];
+}
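Review bot: `stage1Modules` in hw.nix lists `"intel_lpss_pci"` four times and `"sdhci_pci"` twice; the kernel tolerates the duplicates but the list reads like a paste accident, so deduplicate it. Assigning the same list to both `boot.initrd.availableKernelModules` and `boot.initrd.kernelModules` makes the first assignment redundant, because the second forces every entry (including `i915`, `usbnet`, `r8169`) to load in stage 1 whether or not udev would have picked it — keep `kernelModules` to what mounting `/` on `/dev/odroidh2p-0/nixos` needs (the mmc/sdhci and dm/lvm path) and leave the rest in `availableKernelModules`. `boot.extraModprobeConfig = '' '';` is an empty string and can be dropped. Note also that this list loads the in-tree `r8169` while boot.nix adds the out-of-tree `r8125` package for the same NIC family; which one is meant for the onboard adapter is not visible from the diff, so a one-line comment on the chosen driver would help.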
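Review bot: `nixpkgs.config.packageOverrides = pkgs: with pkgs; { ... }` in pkg.nix shadows the module argument `pkgs` and the `with pkgs;` brings nothing the body uses — `nixPath` is computed from `import ../../../default.nix`, not from any package — so write it as `nixpkgs.config.packageOverrides = _: { nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; };` or, better, move `nixPath` out of `packageOverrides`, since it is not a package. `nix.buildMachines` declares `hostName = "localhost"` with `supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]`; presumably this is meant to let local builds claim those features rather than to configure a remote builder, but derivations that require `kvm` will be scheduled here, so confirm the board actually exposes virtualization before advertising it. `lib` is declared in the argument set but unused in this file.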
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix b/nix/os/devices/odroidh2p-0/system.nix similarity index 61% rename from nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix rename to nix/os/devices/odroidh2p-0/system.nix index 84bb74d..325cc7f 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix +++ b/nix/os/devices/odroidh2p-0/system.nix @@ -1,7 +1,15 @@ -_: { +{ pkgs +, lib +, config +, ... }: + +let + keys = import ../../../variables/keys.nix; + +in { # TASK: new device - networking.hostName = "srv0"; # Define your hostname. - # networking.domain = "home-ch.stefanjunker.de"; + networking.hostName = "odroidh2p-0"; # Define your hostname. + # networking.domain = ""; networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ @@ -11,22 +19,16 @@ _: { networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.dhcpcd = { - enable = true; - persistent = true; - }; + + networking.useDHCP = false; networking.interfaces.eth0 = { useDHCP = true; - # ipv6.addresses = [ - # { address = "2a02:c207:3003:2387::1"; prefixLength = 64; } - # ]; }; - # networking.defaultGateway6 = { - # address = "fe80::1"; - # interface = "eth0"; - # }; + networking.interfaces.eth1 = { + useDHCP = false; + }; networking.nat = { enable = true; @@ -34,9 +36,6 @@ _: { externalInterface = "eth0"; }; - # Kubernetes - # services.kubernetes.roles = ["master" "node"]; - # virtualization virtualisation = { docker.enable = true; @@ -46,12 +45,9 @@ _: { automatic = true; }; - networking.useHostResolvConf = false; - services.resolved = { - enable = true; - }; + networking.useHostResolvConf = true; - containers = { }; + services.openssh.forwardX11 = true; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions 
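Review bot: `services.openssh.forwardX11 = true;` in the `@@ -46,12 +45,9 @@` hunk of system.nix turns on X11 forwarding for every SSH session on this host; on a headless board that is rarely needed, and each forwarded session gives processes on this host access to the connecting client's X display, so enable it only for a concrete workflow and say which in a comment (the clipboard tools added in pkg.nix hint at one). In the same hunk `networking.useHostResolvConf = true;` replaces the removed `services.resolved` block; that option is documented for containers inheriting the host's resolv.conf, and on bare metal it disables resolvconf management — what then writes `/etc/resolv.conf` alongside the DHCP client on `eth0` is not visible in this diff, so confirm name resolution after the switch or set `networking.nameservers` explicitly. The surrounding attribute set begins and ends outside the hunk.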
@@ -59,5 +55,5 @@ _: { # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "20.03"; # Did you read the comment?
+ system.stateVersion = "20.09"; # Did you read the comment?
 }
diff --git a/nix/os/devices/odroidh2p-0/versions.nix b/nix/os/devices/odroidh2p-0/versions.nix
new file mode 100644
index 0000000..519781a
--- /dev/null
+++ b/nix/os/devices/odroidh2p-0/versions.nix
@@ -0,0 +1,37 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.09";
+ rev = "51aaa3fa1b69559456f9bd4968bd5b179a784f67";
+ };
+in
+
+{
+ inherit nixpkgs;
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-20.03" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.03";
+ rev = "ff6fda61600cc60404bab5cb6b18b8636785b7bc";
+ };
+ "channels-nixos-19.09" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-19.09";
+ rev = "75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1";
+ };
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "24c9b05ac53e422f1af81a156f1fd58499eb27fb";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "9b3e35d991ea6a43f256069dcb2e006006730d05";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-20.09";
+ rev = "7339784e07217ed0232e08d1ea33b610c94657d8";
+ };
+}
diff --git a/nix/os/devices/odroidh2p-0/versions.tmpl.nix b/nix/os/devices/odroidh2p-0/versions.tmpl.nix
new file mode 100644
index 0000000..a19cc09
--- /dev/null
+++ b/nix/os/devices/odroidh2p-0/versions.tmpl.nix
@@ -0,0 +1,37 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.09";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+in
+
+{
+ inherit nixpkgs;
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-20.03" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.03";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.03 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "channels-nixos-19.09" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-19.09";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-19.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-20.09";
+ rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+}
diff --git a/nix/os/devices/router0-dmz0/.gitignore b/nix/os/devices/router0-dmz0/.gitignore
deleted file mode 100644
index b2be92b..0000000
--- a/nix/os/devices/router0-dmz0/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-result
diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix
deleted file mode 100644
index 07c6b1c..0000000
--- a/nix/os/devices/router0-dmz0/configuration.nix
+++ /dev/null
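Review bot: Only the `nixpkgs-master` entry in versions.tmpl.nix pipes `git ls-remote` through `head -n1`; the other five pass a bare ref name, which `ls-remote` matches against both `refs/heads/` and `refs/tags/`, and `tr -d '\n'` then glues any second match onto the first so `rev` becomes an 80-plus character string that no fetcher will accept. Restrict the query and take one line consistently, e.g. `rev = "<% git ls-remote --heads https://github.com/nixos/nixpkgs refs/heads/nixos-20.09 | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";`, and apply the same shape to the 20.03, 19.09, unstable and home-manager entries. The pipeline also has no failure check: if the network call fails, the expansion is an empty string and the pin silently degrades to `rev = "";`, so the template step should verify the result is a 40-character hex commit id before writing versions.nix.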
@@ -1,1298 +0,0 @@ -# TODO: don't pull in bluez (or any bluetooth components) -{ - repoFlake, - pkgs, - lib, - config, - nodeFlake, - nodeName, - localDomainName, - system, - ... -}: -let - inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc; - - vlanRangeStart = builtins.head vlanRange; - vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); - vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); - vlanRangeWith0 = [ 0 ] ++ vlanRange; - - mkVlanIpv4HostAddr = - { - vlanid, - host, - thirdIpv4SegmentMin ? 20, - cidr ? true, - }: - let - # reserve the first subnet for vlanid == 0 - # number the other subnets continously from there - offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart; - in - builtins.concatStringsSep "." [ - "192" - "168" - (toString (vlanid + offset)) - "${toString host}${lib.strings.optionalString cidr "/24"}" - ]; - - defaultVlan = { - name = "${localDomainName}"; - packet_priority = 0; - }; - - vlans = { - "2".name = "dmz"; - "2".packet_priority = -5; - - "3".name = "iot"; - "3".packet_priority = -5; - - "4".name = "office"; - "4".packet_priority = -10; - - "5".name = "guests"; - "5".packet_priority = 10; - }; - - vlansByName = lib.attrsets.mapAttrs' ( - vlanid': attrs: - lib.attrsets.nameValuePair attrs.name ( - attrs - // { - id = lib.strings.toInt vlanid'; - id' = vlanid'; - } - ) - ) vlans; - - getVlanDomain = - { vlanid }: - if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." 
+ defaultVlan.name; - - bridgeInterfaceName = "br-lan"; - mkInterfaceName = - { vlanid }: - if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}"; - - dmzExposedHost = "sj-srv1"; - dmzExposedHostDomain = "dmz.internal"; - dmzExposedHostFQDN = "${dmzExposedHost}.${dmzExposedHostDomain}"; - dmzExposedHostIpv4 = mkVlanIpv4HostAddr { - vlanid = vlansByName.dmz.id; - host = 99; - cidr = false; - }; - - dmzExposedHostMACaddr = - repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; -in -{ - imports = [ - nixos-sbc.nixosModules.default - nixos-sbc.nixosModules.boards.bananapi.bpir3 - { - sbc.version = "0.2"; - sbc.bootstrap.rootFilesystem = "btrfs"; - sbc.wireless.wifi.acceptRegulatoryResponsibility = true; - } - - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../profiles/common/user.nix - ../../snippets/nix-settings.nix - - nixos-nftables-firewall.nixosModules.default - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - users.commonUsers = { - enable = true; - enableNonRoot = false; - rootPasswordFile = config.sops.secrets.passwords-root.path; - }; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - sops.secrets.passwords-root.neededForUsers = true; - - # sops.secrets.wlan0_saePasswordsFile = {}; - sops.secrets.wlan0_wpaPskFile = { }; - } - ]; - - # sops.secrets.ssh_host_ed25519_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_ed25519_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key.pub"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = 
"/etc/ssh/ssh_host_rsa_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key.pub"; - # mode = "0644"; - # }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = false; - - # these will be configured via nftables - nat.enable = lib.mkForce false; - firewall.enable = lib.mkForce false; - - # Use the nftables firewall instead of the base nixos scripted rules. - # This flake provides a similar utility to the base nixos scripting. - # https://github.com/thelegy/nixos-nftables-firewall/tree/main - - # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) - nftables = { - enable = true; - - stopRuleset = ""; - chains = { - prerouting = { - "exposeHost" = { - after = [ "hook" ]; - rules = - let - wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; - in - [ - "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" - "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" - ]; - }; - }; - }; - - firewall = { - enable = true; - snippets.nnf-common.enable = true; - # included in the above - # snippets.nnf-conntrack.enable = true; - zones = - { - lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; - vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; - # lan.ipv4Addresses = ["192.168.0.0/16"]; - wan.interfaces = [ - "wan" - "lan0" - ]; - vpn.interfaces = [ - "wg0" - "wg1" - "wg2" - ]; - } - // - # generate a zone for each vlan - lib.attrsets.mapAttrs (_key: value: { - interfaces = [ (mkInterfaceName 
{ vlanid = value.id; }) ]; - }) vlansByName; - rules = - let - ipv6IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "packet-too-big" - "parameter-problem" - "time-exceeded" - - # Without the nd-* ones ipv6 will not work. - "nd-neighbor-solicit" - "nd-router-advert" - "nd-neighbor-advert" - ]; - ipv4IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "source-quench" - "time-exceeded" - "router-advertisement" - ]; - allowIcmpLines = [ - "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" - "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" - ]; - in - { - fw = { - from = [ "fw" ]; - verdict = "accept"; - }; - - office-to-dmz = { - from = [ "office" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - lan-to-fw = { - from = [ "lan" ]; - to = [ - "fw" - "lan" - ]; - verdict = "accept"; - }; - - lan-to-wan = { - from = [ "lan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-wan = { - from = [ "vlan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-fw = { - allowedUDPPortRanges = [ - { - from = 53; - to = 53; - } - { - from = 67; - to = 68; - } - { - from = 5201; - to = 5201; - } - ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - { - from = 53; - to = 53; - } - { - from = 5201; - to = 5201; - } - ]; - from = [ "vlan" ]; - to = [ "fw" ]; - extraLines = allowIcmpLines ++ [ "drop" ]; - }; - - to-wan-nat = { - from = [ - "lan" - "vlan" - ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - - wan-to-dmz = { - from = [ "wan" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - wan-to-fw = { - from = [ "wan" ]; - to = [ "fw" ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - ]; - extraLines = allowIcmpLines ++ [ "drop" ]; - }; - - to-vpn-nat = { - from = [ - "lan" - "vlan" - ]; - to = [ "vpn" ]; - masquerade = false; - verdict = "accept"; - }; - }; - }; - }; - }; - - 
sops.secrets.wg0-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg0-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - - # TODO: this shouldn't be necessary _at all_ - systemd.services.sfp-quirk = { - enable = true; - wantedBy = [ - "network.target" - "multi-user.target" - ]; - - requires = [ - "sys-subsystem-net-devices-lan4.device" - "sys-subsystem-net-devices-eth1.device" - ]; - - after = [ - "sys-subsystem-net-devices-lan4.device" - "sys-subsystem-net-devices-eth1.device" - ]; - - path = [ - pkgs.ethtool - pkgs.iproute2 - pkgs.coreutils - ]; - - script = '' - set -xeE - - ip l set dev lan4 down - ip l set dev eth1 down - - sleep 0.5 - - ethtool -s lan4 duplex full autoneg off - ethtool -s eth1 duplex full autoneg off - - sleep 0.5 - - ip l set dev lan4 up - ip l set dev eth1 up - - echo quirk applied, fingers crossed. - ''; - }; - - systemd.network = { - wait-online.anyInterface = true; - config.networkConfig = { - IPv4Forwarding = true; - IPv6Forwarding = true; - }; - links = { - # TODO: this doesn't work, thus shoving it into a quirk service. however, there's a proper solution beyond any of this. 
- # "00-eth1" = { - # enable = true; - # matchConfig.Name = "eth1"; - # linkConfig = { - # # BitsPerSecond = "2500M"; - # Duplex= "full"; - # AutoNegotiation = false; - # }; - # }; - # "00-lan4" = { - # enable = true; - # matchConfig.Name = "lan4@eth0"; - # linkConfig = { - # # BitsPerSecond = "1000M"; - # Duplex= "full"; - # AutoNegotiation = false; - # }; - # }; - }; - netdevs = - let - router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - - router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}"; - - router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - in - { - # Create the bridge interface - "20-${bridgeInterfaceName}" = { - netdevConfig = { - Kind = "bridge"; - Name = bridgeInterfaceName; - }; - - extraConfig = '' - [Bridge] - STP=yes - VLANFiltering=yes - VLANProtocol=802.1q - DefaultPVID=0 - ''; - }; - - wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - FirewallMark = 100; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - - # # alternatively, specific destinations could be allowed - - # # remote peer wg addr - # "10.0.0.0/32" - - # "1.1.1.1/32" - # # ifconfig.co. 
- # "172.67.168.106" - # "104.21.54.91" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-ifog_wg0Endpoint; - } - ]; - }; - - wg1 = { - enable = true; - netdevConfig = { - Name = "wg1"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - FirewallMark = 101; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-ifog_wg1Endpoint; - } - ]; - }; - - wg2 = { - enable = true; - netdevConfig = { - Name = "wg2"; - Kind = "wireguard"; - }; - wireguardConfig = { - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - FirewallMark = 102; - }; - wireguardPeers = [ - { - AllowedIPs = [ - # this allows all traffic to be routed through this interface - "0.0.0.0/0" - - # # alternatively, specific destinations could be allowed - - # # remote peer wg addr - # "10.0.0.0/32" - - # "1.1.1.1/32" - # # ifconfig.co. - # "172.67.168.106" - # "104.21.54.91" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; - Endpoint = router0-hosthatch_wg0Endpoint; - } - ]; - }; - } - # generate the vlan devices. 
these will be tagged on the main bridge - // builtins.foldl' (acc: cur: acc // cur) { } ( - builtins.map - ( - { vlanid, vlanid' }: - { - "20-${mkInterfaceName { inherit vlanid; }}" = { - netdevConfig = { - Kind = "vlan"; - Name = "${mkInterfaceName { inherit vlanid; }}"; - }; - vlanConfig.Id = vlanid; - }; - } - ) - ( - builtins.map (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) vlanRange - ) - ); - networks = - let - commonWanOptions = { - networkConfig = { - # start a DHCP Client for IPv4/6 Addressing/Routing - DHCP = true; - DNSOverTLS = true; - DNSSEC = true; - - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - IPv6PrivacyExtensions = false; - DHCPPrefixDelegation = true; - }; - dhcpV4Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - }; - dhcpV6Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - PrefixDelegationHint = "::/56"; - UseDelegatedPrefix = true; - WithoutRA = "solicit"; - }; - ipv6AcceptRAConfig = { - UseDNS = false; - UseDomains = false; - }; - - # TODO: enable these somehow - # extraConfig = '' - # [IPv6AcceptRA] - # # FIXME: supported in nixos-24.11 - # DHCPv6Client=solicit - - # # FIXME: not supported at all yet - # UsePREF64=true - # ''; - }; - in - { - # places options here that should always exist - "lo" = { - matchConfig.Name = "lo"; - - # these are roughly equivalent to: - # ip rule add fwmark 100 priority 0 table 100 - # ip rule add fwmark 100 priority 1 prohibit - # ip rule add fwmark 101 priority 0 table 101 - # ip rule add fwmark 101 priority 1 prohibit - routingPolicyRules = [ - { - FirewallMark = 100; - Priority = 30000; - Table = 100; - } - { - FirewallMark = 100; - Priority = 30001; - Table = 100; - Type = "prohibit"; - } - { - FirewallMark = 101; - Priority = 30000; - Table = 101; - } - { - FirewallMark = 101; - Priority = 30001; - Table = 101; - Type = "prohibit"; - } - { - FirewallMark = 102; - Priority = 
30000; - Table = 102; - } - { - FirewallMark = 102; - Priority = 30001; - Table = 102; - Type = "prohibit"; - } - ]; - }; - # use lan0 as secondary WAN interface - "10-lan0-wan" = lib.attrsets.recursiveUpdate commonWanOptions { - matchConfig.Name = "lan0"; - # make routing on this interface a dependency for network-online.target - # linkConfig.RequiredForOnline = "routable"; - linkConfig.RequiredForOnline = "no"; - - dhcpV4Config = { - RouteMetric = 2000; - }; - - # similar to - # ip route add default via 172.16.0.1 table 101 - routes = [ - { - Gateway = "_dhcp4"; - Table = 101; - } - ]; - }; - "10-wan" = lib.attrsets.recursiveUpdate commonWanOptions { - matchConfig.Name = "wan"; - # make routing on this interface a dependency for network-online.target - # linkConfig.RequiredForOnline = "routable"; - linkConfig.RequiredForOnline = "no"; - - dhcpV4Config = { - RouteMetric = 1000; - }; - - # similar to - # ip route add default via 192.168.0.1 table 100 - routes = [ - { - Gateway = "_dhcp4"; - Table = 100; - } - { - Gateway = "_dhcp4"; - Table = 102; - } - ]; - }; - - # Connect the bridge ports to the bridge - "30-lan1" = { - matchConfig.Name = "lan1"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.dmz.id; - PVID = vlansByName.dmz.id; - EgressUntagged = vlansByName.dmz.id; - } - ]; - }; - - "30-lan2" = { - matchConfig.Name = "lan2"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.office.id; - PVID = vlansByName.office.id; - EgressUntagged = vlansByName.office.id; - } - ]; - }; - - "30-lan3" = { - matchConfig.Name = "lan3"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = "${toString 
vlanRangeStart}-${toString vlanRangeEnd}"; - } - ]; - }; - "30-lan4" = { - matchConfig.Name = "lan4"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.office.id; - PVID = vlansByName.office.id; - EgressUntagged = vlansByName.office.id; - } - ]; - }; - "30-eth1" = { - matchConfig.Name = "eth1"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "enslaved"; - - bridgeVLANs = [ - { - VLAN = vlansByName.dmz.id; - PVID = vlansByName.dmz.id; - EgressUntagged = vlansByName.dmz.id; - } - ]; - }; - # Configure the bridge for its desired function - "40-${bridgeInterfaceName}" = { - matchConfig.Name = bridgeInterfaceName; - bridgeConfig = { }; - address = [ - (mkVlanIpv4HostAddr { - vlanid = 0; - host = 1; - }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; - } - ]; - - vlan = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; - }; - - "50-wg0" = { - enable = true; - matchConfig.Name = "wg0"; - address = [ "10.0.0.1/31" ]; - - routes = [ - # { - # # test the set uprouting to a specific IP - # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; - # MultiPathRoute = "10.0.0.0 1"; - # } - ]; - }; - "50-wg1" = { - enable = true; - matchConfig.Name = "wg1"; - address = [ "10.0.0.3/31" ]; - routes = [ - # { - # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; - # MultiPathRoute = "10.0.0.2 1"; - # } - ]; - }; - - "50-wg2" = { - enable = true; - matchConfig.Name = "wg2"; - address = [ "10.0.1.1/31" ]; - - routes = [ - # TODO: add a 
testing route here - ]; - }; - } - # configuration for the hostapd dynamic interfaces - # * netdev type vlan - # * host address for vlan - # * vlan config for wlan interface - // builtins.foldl' (acc: cur: acc // cur) { } ( - builtins.map - ( - { vlanid, vlanid' }: - { - # configure the tagged vlan device with an address and vlan filtering. - # dnsmasq is configured to serve the respective /24 range on each tagged device. - # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. - "41-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; - address = [ - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 1; - }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; - - # the client shouldn't be allowed to send us RAs, that would be weird. - IPv6AcceptRA = false; - - DHCPPrefixDelegation = true; - IPv6SendRA = true; - }; - - dhcpPrefixDelegationConfig = { - UplinkInterface = "wan"; - Assign = true; - SubnetId = vlanid; - Announce = true; - }; - - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - VLAN = vlanid; - } - ]; - }; - - # configure the wlan interface as a bridge member that - # * only gets traffic for vid 15 - # * untags traffic after receiving it - # * tags traffic that comes out of it - "41-wlan0.${vlanid'}" = { - matchConfig.Name = "wlan0.${vlanid'}"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - - linkConfig.RequiredForOnline = "no"; - - bridgeVLANs = [ - { - VLAN = vlanid; - PVID = vlanid; - EgressUntagged = vlanid; - } - ]; - }; - - # "50-${mkInterfaceName {inherit vlanid;}}" = { - # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; - # address = [ - # (mkVlanIpv4HostAddr { - # inherit vlanid; - # host = 1; - # }) - # ]; - # networkConfig = { - # ConfigureWithoutCarrier = true; - # }; - # linkConfig.RequiredForOnline = "no"; - # }; - } - ) - ( - 
builtins.map (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) vlanRange - ) - ); - }; - - # wireless access point - services.hostapd = { - enable = true; - # package = nodeFlake.packages.${system}.hostapd_patched; - radios = - let - # generated with https://miniwebtool.com/mac-address-generator/ - mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; - in - { - wlan0 = { - band = "2g"; - # FIXME: apparently setting this could cause bugs, testing disabling it for a while. - # countryCode = "CH"; - channel = 0; # 0 would mean Automatic Channel Selection - - settings = { - # TODO: this would be faster but x13s on windows can't connect when it's enabled. - # ieee80211n = 1; - - # Exclude DFS channels from ACS - # This option can be used to exclude all DFS channels from the ACS channel list - # in cases where the driver supports DFS channels. - acs_exclude_dfs = 0; - }; - - # use 'iw phy#1 info' to determine your VHT capabilities - wifi4 = { - enable = true; - require = false; - capabilities = [ - "HT20" - "HT40+" - "LDPC" - "SHORT-GI-20" - "SHORT-GI-40" - "TX-STBC" - "RX-STBC1" - "MAX-AMSDU-7935" - - "40-INTOLERANT" - - # not supported by BPI-R3 module - # "DELAYED-BA" - # "DSSS_CCK-40" - ]; - }; - - wifi5 = { - enable = false; - require = false; - }; - - wifi6 = { - enable = false; - require = false; - }; - - networks = { - wlan0 = - let - iface = "wlan0"; - in - { - ssid = "mlsia"; - bssid = mkBssid 0; - - # enables debug logging - logLevel = 0; - - authentication.mode = "wpa2-sha256" - # "wpa3-sae-transition" - # "wpa3-sae" - ; - - authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; - - # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do - # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - - # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference - settings = { - # disable syslog because it duplicates stdout - logger_syslog = lib.mkForce 0; - - # bridge 
= bridgeInterfaceName; - - # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; - # not yet supported on hostapd 2.10 - # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - - # resources on vlan tagging - # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging - # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - - dynamic_vlan = 1; - # this option currently requires a patch to hostapd - vlan_no_bridge = 1; - - /* - not used due to the above vlan_no_bridge setting - vlan_tagged_interface = bridgeInterfaceName; - vlan_naming = 1; - vlan_bridge = "br-${iface}."; - */ - - vlan_file = - let - generated = builtins.map ( - vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" - ) vlanRange; - - wildcard = [ - # Optional wildcard entry matching all VLAN IDs. The first # in the interface - # name will be replaced with the VLAN ID. The network interfaces are created - # (and removed) dynamically based on the use. - # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan - "* ${iface}.#" - ]; - - file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard)); - filePath = toString file; - in - filePath; - - wpa_key_mgmt = lib.mkForce ( - builtins.concatStringsSep " " [ - "WPA-PSK" - - # TODO: the printer can't connect when this is on - # "WPA-PSK-SHA256" - - # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them - # "SAE" - ] - ); - - # wpa_psk_radius = 0; - wpa_pairwise = "CCMP"; - wmm_enabled = 1; - - # IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks. 
- # 0 := disabled; 1 := optional; 2 := required - ieee80211w = 1; - # sae_require_mfp = 1; - # sae_groups = "19 20 21"; - - # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) - tls_flags = "[ENABLE-TLSv1.3]"; - - # TODO: debugging for wifi drops happens below here - # Require IEEE 802.1X authorization - ieee8021x = 0; - - # Optionally, hostapd can be configured to use an integrated EAP server - # to process EAP authentication locally without need for an external RADIUS - # server. This functionality can be used both as a local authentication server - # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. - - # Use integrated EAP server instead of external RADIUS authentication - # server. This is also needed if hostapd is configured to act as a RADIUS - # authentication server. - eap_server = 0; - - # Disassociate stations based on excessive transmission failures or other - # indications of connection loss. This depends on the driver capabilities and - # may not be available with all drivers. - disassoc_low_ack = 0; - - skip_inactivity_poll = 1; - - # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. 
- multicast_to_unicast = 0; - }; - }; - }; - }; - }; - }; - - services.resolved.enable = false; - - services.dnsmasq = { - enable = true; - settings = { - domain-needed = true; - bogus-priv = true; - no-resolv = true; - localise-queries = true; - - proxy-dnssec = true; - conntrack = true; - - # enable for debugging - # log-debug = true; - # log-queries = true; - - # disable negative caching - no-negcache = true; - local-ttl = 0; - dhcp-ttl = 0; - - # v6 config - enable-ra = true; - - dhcp-range = - let - mkDhcpRange = - { tag, vlanid }: - builtins.concatStringsSep "," [ - tag - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 100; - cidr = false; - }) - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 199; - cidr = false; - }) - "12h" - # "slaac" - # "ra-stateless" - # "ra-names" - ]; - in - builtins.map ( - vlanid: - mkDhcpRange { - tag = mkInterfaceName { inherit vlanid; }; - inherit vlanid; - } - ) vlanRangeWith0; - - dhcp-host = builtins.concatStringsSep "," [ - dmzExposedHostMACaddr - dmzExposedHostIpv4 - dmzExposedHostFQDN - ]; - - expand-hosts = true; - - # don't use /etc/hosts as this would advertise ${nodeName} as localhost - no-hosts = true; - - server = [ - # upstream DNS servers - - # https://dnsforge.de/ - "176.9.93.198" - "176.9.1.117" - "2a01:4f8:151:34aa::198" - "2a01:4f8:141:316d::117" - - # https://dismail.de/info.html#dns - "116.203.32.217" - "2a01:4f8:1c1b:44aa::1" - "159.69.114.157" - "2a01:4f8:c17:739a::2" - ]; - - domain = - [ "/${getVlanDomain { vlanid = 0; }}/,local" ] - ++ builtins.map ( - vlanid: - "${getVlanDomain { inherit vlanid; }},${ - mkVlanIpv4HostAddr { - inherit vlanid; - host = 0; - cidr = true; - } - },local" - ) vlanRangeWith0; - - # TODO: compare this to using `interface-name` - dynamic-host = builtins.map ( - vlanid: - builtins.concatStringsSep "," [ - # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - "${nodeName}.${getVlanDomain { inherit vlanid; }}" - "0.0.0.1" - (mkInterfaceName { 
inherit vlanid; }) - ] - ) vlanRangeWith0; - - dhcp-option-force = builtins.map ( - vlanid: - "${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}" - ) vlanRangeWith0; - - # auth-server = [ - # (builtins.concatStringsSep "," [ - # "www.stefanjunker.de" - # # (mkInterfaceName { vlanid = vlansByName.dmz.id; }) - # # (mkInterfaceName { vlanid = vlansByName.office.id; }) - # ]) - # ]; - - cname = [ - "mailserver.svc.stefanjunker.de,${dmzExposedHost}" - "www.stefanjunker.de,${dmzExposedHost}" - "hedgedoc.www.stefanjunker.de,${dmzExposedHost}" - "jitsi.www.stefanjunker.de,${dmzExposedHost}" - "lldap.www.stefanjunker.de,${dmzExposedHost}" - "forgejo.www.stefanjunker.de,${dmzExposedHost}" - "kanidm.www.stefanjunker.de,${dmzExposedHost}" - ]; - }; - }; - - system.stateVersion = "24.11"; - - # boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6; - - environment.systemPackages = [ - pkgs.ethtool - pkgs.vim - pkgs.iperf3 - - pkgs.wireguard-tools - pkgs.tshark - pkgs.tmux - - (pkgs.writeShellScriptBin "dbg-ip" '' - echo links: - ip -br -c l - echo - echo addresses: - ip -br -c a - echo - echo vlans: - bridge -c vlan - '') - - (pkgs.writeShellScriptBin "dbg-dnsmasq" '' - # get the rendered in-use config - pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat - '') - ]; -} diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix deleted file mode 100644 index a0520dc..0000000 --- a/nix/os/devices/router0-dmz0/default.nix +++ /dev/null 
@@ -1,41 +0,0 @@
-{
- system ? "aarch64-linux",
- nodeName,
- repoFlake,
- nodeFlake,
- localDomainName ? "internal",
- ...
-}:
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit
- repoFlake
- nodeName
- nodeFlake
- system
- ;
- packages' = repoFlake.packages.${system};
- nodePackages' = nodeFlake.packages.${system};
-
- inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986;
-
- inherit localDomainName;
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = "${nodeName}.${localDomainName}";
- deployment.replaceUnknownProfiles = true;
-
- # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system};
-
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
-
- ./configuration.nix
- ];
-
- networking.hostName = nodeName;
- };
-}
diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock
deleted file mode 100644
index 8f55026..0000000
--- a/nix/os/devices/router0-dmz0/flake.lock
+++ /dev/null
@@ -1,224 +0,0 @@ -{ - "nodes": { - "dependencyDagOfSubmodule": { - "inputs": { - "nixpkgs": [ - "nixos-nftables-firewall", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1656615370, - "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1738148035, - "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", - "owner": "nix-community", - "repo": "disko", - "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "get-flake": { - "locked": { - "lastModified": 1714237590, - "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", - "owner": "ursi", - "repo": "get-flake", - "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1736373539, - "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.11", - "repo": "home-manager", - "type": "github" - } - }, - "hostapd": { - "flake": false, - "locked": { - "lastModified": 1738518662, - "narHash": "sha256-MeE2FTG7Jh4BqchSvevJH7IsqTotjemndLzev8TkiRk=", - "ref": "refs/heads/main", - "rev": "c12fc97e3b59742e0c5743fceae6a87a8b13a576", - "revCount": 20282, - "type": "git", - "url": "git://w1.fi/hostap.git?branch=main" - }, - "original": { - 
"type": "git", - "url": "git://w1.fi/hostap.git?branch=main" - } - }, - "nixos-nftables-firewall": { - "inputs": { - "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "type": "github" - } - }, - "nixos-sbc": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1738254353, - "narHash": "sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0=", - "owner": "nakato", - "repo": "nixos-sbc", - "rev": "21be4ab012197a2eea4bbff8315c40f26f715a18", - "type": "github" - }, - "original": { - "owner": "nakato", - "repo": "nixos-sbc", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1738702386, - "narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1738680400, - "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "799ba5bffed04ced7067a91798353d360788b30d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "openwrt": { - "flake": false, - "locked": { - "lastModified": 1691699580, - "narHash": "sha256-CV+ufXPEr5Nz2O2FBnnuPeHNsFQ7c5s0uW39u/q3cUo=", - "ref": "main", - "rev": "847984c773d819d5579d5abae4b80a4983103ed9", - "revCount": 58166, - "type": "git", - "url": "https://github.com/openwrt/openwrt.git" - }, - "original": { - 
"ref": "main", - "rev": "847984c773d819d5579d5abae4b80a4983103ed9", - "type": "git", - "url": "https://github.com/openwrt/openwrt.git" - } - }, - "root": { - "inputs": { - "disko": "disko", - "get-flake": "get-flake", - "home-manager": "home-manager", - "hostapd": "hostapd", - "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixos-sbc": "nixos-sbc", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "openwrt": "openwrt", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1738198321, - "narHash": "sha256-lhnHBXO9Y8xEn92JqxjancdL8Gh16ONuxZp60iZfmX4=", - "owner": "numtide", - "repo": "srvos", - "rev": "7d5a4aaadac9ff63f9ed4347df95175aceee5079", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix deleted file mode 100644 index d56e72a..0000000 --- a/nix/os/devices/router0-dmz0/flake.nix +++ /dev/null 
@@ -1,107 +0,0 @@
-{
- inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
- nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-
- get-flake.url = "github:ursi/get-flake";
-
- home-manager.url = "github:nix-community/home-manager/release-24.11";
- home-manager.inputs.nixpkgs.follows = "nixpkgs";
-
- disko.url = "github:nix-community/disko";
- disko.inputs.nixpkgs.follows = "nixpkgs";
- srvos.url = "github:numtide/srvos";
- srvos.inputs.nixpkgs.follows = "nixpkgs";
-
- nixos-sbc.url = "github:nakato/nixos-sbc"
- # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.12"
- # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.13"
- # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile"
- # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile"
- # "git+file:///home/steveej/src/others/nakato_nixos-sbc/"
- ;
- nixos-sbc.inputs.nixpkgs.follows = "nixpkgs";
-
- nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
- nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
-
- hostapd.url = "git://w1.fi/hostap.git?branch=main";
- hostapd.flake = false;
-
- openwrt.url = "git+https://github.com/openwrt/openwrt.git?ref=main&rev=847984c773d819d5579d5abae4b80a4983103ed9";
- openwrt.flake = false;
-
- # TODO: would be nice if this worked but it throws an error when using the input as a patch:
- # error: flake input has unsupported input type 'file'
- # hostapd_patch_vlan_no_bridge = {
- # url = "file+https://raw.githubusercontent.com/openwrt/openwrt/847984c773d819d5579d5abae4b80a4983103ed9/package/network/services/hostapd/patches/710-vlan_no_bridge.patch";
- # flake = false;
- # };
-
- # repoFlake.url = "path:../../../..";
- };
-
- outputs =
- {
- self,
- get-flake,
- nixpkgs,
- ...
- }:
- let
- nativeSystem = "aarch64-linux";
- nodeName = "router0-dmz0";
-
- mkNixosConfiguration =
- {
- extraModules ? [ ],
- ...
- }@attrs:
- nixpkgs.lib.nixosSystem (
- nixpkgs.lib.attrsets.recursiveUpdate attrs {
- specialArgs =
- (import ./default.nix {
- system = nativeSystem;
- inherit nodeName;
-
- repoFlake = get-flake ../../../..;
- # repoFlake = get-flake ./.;
- # repoFlake = self.inputs.repoFlake;
- nodeFlake = self;
- }).meta.nodeSpecialArgs.${nodeName};
-
- modules = [
- ./configuration.nix
-
- # flake registry
- {
- nixpkgs.overlays = builtins.attrValues self.overlays;
- nix.registry.nixpkgs.flake = nixpkgs;
- }
- ] ++ extraModules;
- }
- );
- in
- {
- nixosConfigurations = {
- native = mkNixosConfiguration { system = nativeSystem; };
-
- cross = mkNixosConfiguration {
- extraModules = [
- {
- nixpkgs.buildPlatform.system = "x86_64-linux";
- nixpkgs.hostPlatform.system = nativeSystem;
- }
- ];
- };
- };
-
- overlays.default = _final: previous: {
- hostapd = previous.hostapd.overrideDerivation (attrs: {
- patches = attrs.patches ++ [
- "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"
- ];
- });
- };
- };
-}
diff --git a/nix/os/devices/router0-hosthatch/configuration.nix b/nix/os/devices/router0-hosthatch/configuration.nix
deleted file mode 100644
index af02b3d..0000000
--- a/nix/os/devices/router0-hosthatch/configuration.nix
+++ /dev/null
@@ -1,337 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - config, - nodeFlake, - nodeName, - system, - variables, - ... -}: -{ - system.stateVersion = "24.05"; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - nodeFlake.inputs.srvos.nixosModules.mixins-terminfo - - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../snippets/nix-settings.nix - ../../profiles/common/user.nix - - nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - users.commonUsers = { - enable = true; - enableNonRoot = false; - rootPasswordFile = config.sops.secrets.passwords-root.path; - }; - - # sops.age.keyFile = "/etc/age.key"; - # sops.age.sshKeyPaths = []; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - sops.secrets.passwords-root.neededForUsers = true; - } - - # TODO: extract this into single-disk VM BIOS module - { - boot.loader.systemd-boot.enable = false; - boot.loader.grub.efiSupport = false; - - # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; - - disko.devices.disk.vda = { - device = "/dev/vda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - # Subvolume name is different from mountpoint - "/rootfs" = { - mountpoint = "/"; - }; - "/nix" = { - mountOptions = [ "noatime" ]; - mountpoint = "/nix"; - }; - "/boot" = { - mountpoint = "/boot"; - }; - }; - }; - }; - }; - }; - }; - - boot.initrd.kernelModules = [ - "virtio_balloon" - "virtio_scsi" - "virtio_net" - "virtio_pci" - "virtio_ring" - "virtio" - "scsi_mod" - - "virtio_blk" - "virtio_ring" - "ata_piix" - "pata_acpi" - "ata_generic" - ]; - } - ]; - - # 
sops.secrets.ssh_host_ed25519_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_ed25519_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key.pub"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key.pub"; - # mode = "0644"; - # }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - usePredictableInterfaceNames = false; - - interfaces.eth0.ipv4.addresses = [ - { - address = variables.ipv4; - prefixLength = variables.ipv4length; - } - ]; - defaultGateway = { - interface = "eth0"; - address = variables.ipv4gateway; - }; - nameservers = [ variables.ipv4dns ]; - - # these will be configured via nftables - nat.enable = lib.mkForce false; - firewall.enable = lib.mkForce false; - - # Use the nftables firewall instead of the base nixos scripted rules. - # This flake provides a similar utility to the base nixos scripting. 
- # https://github.com/thelegy/nixos-nftables-firewall/tree/main - - nftables = { - enable = true; - - firewall = { - enable = true; - snippets.nnf-common.enable = true; - - zones.wan = { - interfaces = [ "eth0" ]; - }; - - zones.vpn = { - interfaces = [ - "wg0" - "wg1" - ]; - }; - - rules = { - to-fw = { - from = "all"; - to = [ "fw" ]; - verdict = "drop"; - - allowedTCPPorts = [ - 22 - 5201 - ]; - allowedUDPPorts = [ - 22 - 5201 - config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort - config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort - ]; - }; - - vpn-to-wan-nat = { - from = [ "vpn" ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - }; - }; - }; - }; - - sops.secrets.wg0-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg0-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - - systemd.network.enable = true; - systemd.network.netdevs.wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51820; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - AllowedIPs = [ - "10.0.1.1/32" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04="; - }; - } - ]; - }; - systemd.network.netdevs.wg1 = { - enable = true; - netdevConfig = { - Name = "wg1"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51821; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - }; - wireguardPeers = [ - { - 
wireguardPeerConfig = { - AllowedIPs = [ - "10.0.1.3/31" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4="; - }; - } - ]; - }; - systemd.network.networks.wg0 = { - enable = true; - matchConfig.Name = "wg0"; - address = [ "10.0.1.0/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.1.1 1"; - }; - } - ]; - }; - systemd.network.networks.wg1 = { - enable = true; - matchConfig.Name = "wg1"; - address = [ "10.0.1.2/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.1.3 1"; - }; - } - ]; - }; - - environment.systemPackages = [ - pkgs.ethtool - pkgs.neovim - pkgs.tmux - - pkgs.wireguard-tools - pkgs.tshark - - (pkgs.writeShellScriptBin "dbg-ip" '' - echo links: - ip -br -c l - echo - echo addresses: - ip -br -c a - echo - echo vlans: - bridge -c vlan - '') - - (pkgs.writeShellScriptBin "dbg-dnsmasq" '' - # get the rendered in-use config - pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat - '') - ]; -} diff --git a/nix/os/devices/router0-hosthatch/default.nix b/nix/os/devices/router0-hosthatch/default.nix deleted file mode 100644 index fd2c485..0000000 --- a/nix/os/devices/router0-hosthatch/default.nix +++ /dev/null 
@@ -1,38 +0,0 @@
-{
- system ? "x86_64-linux",
- nodeName,
- repoFlake,
- nodeFlake,
- ...
-}:
-let
- variables = import ./variables.crypt.nix;
-in
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit
- repoFlake
- nodeName
- nodeFlake
- system
- variables
- ;
- packages' = repoFlake.packages.${system};
- nodePackages' = nodeFlake.packages.${system};
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = variables.ipv4;
- deployment.replaceUnknownProfiles = true;
-
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
-
- ./configuration.nix
- ];
-
- networking.hostName = nodeName;
- };
-}
diff --git a/nix/os/devices/router0-hosthatch/flake.lock b/nix/os/devices/router0-hosthatch/flake.lock
deleted file mode 100644
index f66687f..0000000
--- a/nix/os/devices/router0-hosthatch/flake.lock
+++ /dev/null
@@ -1,151 +0,0 @@ -{ - "nodes": { - "dependencyDagOfSubmodule": { - "inputs": { - "nixpkgs": [ - "nixos-nftables-firewall", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1656615370, - "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719864345, - "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", - "owner": "nix-community", - "repo": "disko", - "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719827385, - "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixos-nftables-firewall": { - "inputs": { - "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1719838683, - "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "home-manager": "home-manager", - "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719965291, - "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", - "owner": "numtide", - "repo": "srvos", - "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/router0-hosthatch/flake.nix b/nix/os/devices/router0-hosthatch/flake.nix deleted file mode 100644 index 3057b9a..0000000 --- a/nix/os/devices/router0-hosthatch/flake.nix +++ /dev/null 
@@ -1,19 +0,0 @@
-{
- inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
- nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-
- home-manager.url = "github:nix-community/home-manager/release-24.05";
- home-manager.inputs.nixpkgs.follows = "nixpkgs";
-
- disko.url = "github:nix-community/disko";
- disko.inputs.nixpkgs.follows = "nixpkgs";
- srvos.url = "github:numtide/srvos";
- srvos.inputs.nixpkgs.follows = "nixpkgs";
-
- nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
- nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
- };
-
- outputs = _: { };
-}
diff --git a/nix/os/devices/router0-hosthatch/variables.crypt.nix b/nix/os/devices/router0-hosthatch/variables.crypt.nix
deleted file mode 100644
index 38c17df..0000000
Binary files a/nix/os/devices/router0-hosthatch/variables.crypt.nix and /dev/null differ
diff --git a/nix/os/devices/router0-ifog/configuration.nix b/nix/os/devices/router0-ifog/configuration.nix
deleted file mode 100644
index 9bc91ee..0000000
--- a/nix/os/devices/router0-ifog/configuration.nix
+++ /dev/null
@@ -1,337 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - config, - nodeFlake, - nodeName, - system, - variables, - ... -}: -{ - system.stateVersion = "23.11"; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - nodeFlake.inputs.srvos.nixosModules.mixins-terminfo - - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../snippets/nix-settings.nix - ../../profiles/common/user.nix - - nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - users.commonUsers = { - enable = true; - enableNonRoot = false; - rootPasswordFile = config.sops.secrets.passwords-root.path; - }; - - # sops.age.keyFile = "/etc/age.key"; - # sops.age.sshKeyPaths = []; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - sops.secrets.passwords-root.neededForUsers = true; - } - - # TODO: extract this into single-disk VM BIOS module - { - boot.loader.systemd-boot.enable = false; - boot.loader.grub.efiSupport = false; - - # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; - - disko.devices.disk.vda = { - device = "/dev/vda"; - type = "disk"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - root = { - size = "100%"; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition - subvolumes = { - # Subvolume name is different from mountpoint - "/rootfs" = { - mountpoint = "/"; - }; - "/nix" = { - mountOptions = [ "noatime" ]; - mountpoint = "/nix"; - }; - "/boot" = { - mountpoint = "/boot"; - }; - }; - }; - }; - }; - }; - }; - - boot.initrd.kernelModules = [ - "virtio_balloon" - "virtio_scsi" - "virtio_net" - "virtio_pci" - "virtio_ring" - "virtio" - "scsi_mod" - - "virtio_blk" - "virtio_ring" - "ata_piix" - "pata_acpi" - "ata_generic" - ]; - } - ]; - - # 
sops.secrets.ssh_host_ed25519_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_ed25519_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_ed25519_key.pub"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key"; - # mode = "0600"; - # }; - # sops.secrets.ssh_host_rsa_key_pub = { - # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # format = "yaml"; - - # path = "/etc/ssh/ssh_host_rsa_key.pub"; - # mode = "0644"; - # }; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - usePredictableInterfaceNames = false; - - interfaces.eth0.ipv4.addresses = [ - { - address = variables.ipv4; - prefixLength = variables.ipv4length; - } - ]; - defaultGateway = { - interface = "eth0"; - address = variables.ipv4gateway; - }; - nameservers = [ variables.ipv4dns ]; - - # these will be configured via nftables - nat.enable = lib.mkForce false; - firewall.enable = lib.mkForce false; - - # Use the nftables firewall instead of the base nixos scripted rules. - # This flake provides a similar utility to the base nixos scripting. 
- # https://github.com/thelegy/nixos-nftables-firewall/tree/main - - nftables = { - enable = true; - - firewall = { - enable = true; - snippets.nnf-common.enable = true; - - zones.wan = { - interfaces = [ "eth0" ]; - }; - - zones.vpn = { - interfaces = [ - "wg0" - "wg1" - ]; - }; - - rules = { - to-fw = { - from = "all"; - to = [ "fw" ]; - verdict = "drop"; - - allowedTCPPorts = [ - 22 - 5201 - ]; - allowedUDPPorts = [ - 22 - 5201 - config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort - config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort - ]; - }; - - vpn-to-wan-nat = { - from = [ "vpn" ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - }; - }; - }; - }; - - sops.secrets.wg0-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg0-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-privatekey = { - mode = "440"; - group = "systemd-network"; - }; - sops.secrets.wg1-peer0-psk = { - mode = "440"; - group = "systemd-network"; - }; - - systemd.network.enable = true; - systemd.network.netdevs.wg0 = { - enable = true; - netdevConfig = { - Name = "wg0"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51820; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; - }; - wireguardPeers = [ - { - wireguardPeerConfig = { - AllowedIPs = [ - "10.0.0.1/32" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; - PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04="; - }; - } - ]; - }; - systemd.network.netdevs.wg1 = { - enable = true; - netdevConfig = { - Name = "wg1"; - Kind = "wireguard"; - }; - wireguardConfig = { - ListenPort = 51821; - # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM= - PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; - }; - wireguardPeers = [ - { - 
wireguardPeerConfig = { - AllowedIPs = [ - "10.0.0.3/31" - "192.168.0.0/16" - ]; - PersistentKeepalive = 15; - PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; - PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4="; - }; - } - ]; - }; - systemd.network.networks.wg0 = { - enable = true; - matchConfig.Name = "wg0"; - address = [ "10.0.0.0/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.0.1 1"; - }; - } - ]; - }; - systemd.network.networks.wg1 = { - enable = true; - matchConfig.Name = "wg1"; - address = [ "10.0.0.2/31" ]; - - routes = [ - { - routeConfig = { - Destination = "192.168.0.0/16"; - MultiPathRoute = "10.0.0.3 1"; - }; - } - ]; - }; - - environment.systemPackages = [ - pkgs.ethtool - pkgs.neovim - pkgs.tmux - - pkgs.wireguard-tools - pkgs.tshark - - (pkgs.writeShellScriptBin "dbg-ip" '' - echo links: - ip -br -c l - echo - echo addresses: - ip -br -c a - echo - echo vlans: - bridge -c vlan - '') - - (pkgs.writeShellScriptBin "dbg-dnsmasq" '' - # get the rendered in-use config - pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat - '') - ]; -} diff --git a/nix/os/devices/router0-ifog/default.nix b/nix/os/devices/router0-ifog/default.nix deleted file mode 100644 index fd2c485..0000000 --- a/nix/os/devices/router0-ifog/default.nix +++ /dev/null 
@@ -1,38 +0,0 @@
-{
- system ? "x86_64-linux",
- nodeName,
- repoFlake,
- nodeFlake,
- ...
-}:
-let
- variables = import ./variables.crypt.nix;
-in
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit
- repoFlake
- nodeName
- nodeFlake
- system
- variables
- ;
- packages' = repoFlake.packages.${system};
- nodePackages' = nodeFlake.packages.${system};
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = variables.ipv4;
- deployment.replaceUnknownProfiles = true;
-
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
-
- ./configuration.nix
- ];
-
- networking.hostName = nodeName;
- };
-}
diff --git a/nix/os/devices/router0-ifog/flake.lock b/nix/os/devices/router0-ifog/flake.lock
deleted file mode 100644
index f66687f..0000000
--- a/nix/os/devices/router0-ifog/flake.lock
+++ /dev/null
@@ -1,151 +0,0 @@ -{ - "nodes": { - "dependencyDagOfSubmodule": { - "inputs": { - "nixpkgs": [ - "nixos-nftables-firewall", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1656615370, - "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719864345, - "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", - "owner": "nix-community", - "repo": "disko", - "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719827385, - "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixos-nftables-firewall": { - "inputs": { - "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1715521768, - "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1719838683, - "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1719848872, - "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "home-manager": "home-manager", - "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixpkgs": "nixpkgs", - "nixpkgs-unstable": "nixpkgs-unstable", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1719965291, - "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", - "owner": "numtide", - "repo": "srvos", - "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/router0-ifog/flake.nix b/nix/os/devices/router0-ifog/flake.nix deleted file mode 100644 index 3057b9a..0000000 --- a/nix/os/devices/router0-ifog/flake.nix +++ /dev/null 
@@ -1,19 +0,0 @@
-{
- inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
- nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
-
- home-manager.url = "github:nix-community/home-manager/release-24.05";
- home-manager.inputs.nixpkgs.follows = "nixpkgs";
-
- disko.url = "github:nix-community/disko";
- disko.inputs.nixpkgs.follows = "nixpkgs";
- srvos.url = "github:numtide/srvos";
- srvos.inputs.nixpkgs.follows = "nixpkgs";
-
- nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
- nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
- };
-
- outputs = _: { };
-}
diff --git a/nix/os/devices/router0-ifog/variables.crypt.nix b/nix/os/devices/router0-ifog/variables.crypt.nix
deleted file mode 100644
index 1dec120..0000000
Binary files a/nix/os/devices/router0-ifog/variables.crypt.nix and /dev/null differ
diff --git a/nix/os/devices/sj-srv1/README.md b/nix/os/devices/sj-srv1/README.md
deleted file mode 100644
index 394da55..0000000
--- a/nix/os/devices/sj-srv1/README.md
+++ /dev/null
@@ -1 +0,0 @@
-## bootstrapping
diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix
deleted file mode 100644
index 5184bd1..0000000
--- a/nix/os/devices/sj-srv1/configuration.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ nodeName, config, ... }:
-{
- disabledModules = [ ];
- imports = [
- ../../profiles/common/configuration.nix
- {
- users.commonUsers = {
- enable = true;
- enableNonRoot = true;
- rootPasswordFile = config.sops.secrets.passwords-root.path;
- };
-
- sops.secrets.passwords-root = {
- sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
- neededForUsers = true;
- format = "yaml";
- };
- }
-
- ./system.nix
- ./hw.nix
- ];
-}
diff --git a/nix/os/devices/sj-srv1/default.nix b/nix/os/devices/sj-srv1/default.nix
deleted file mode 100644
index c9076b9..0000000
--- a/nix/os/devices/sj-srv1/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- nodeName,
- repoFlake,
- nodeFlake,
- ...
-}:
-let
- system = "x86_64-linux";
-in
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit repoFlake nodeName nodeFlake;
- packages' = repoFlake.packages.${system};
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = "${nodeName}.dmz.internal";
- # deployment.targetHost = "www.stefanjunker.de";
- deployment.replaceUnknownProfiles = false;
-
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
-
- ./configuration.nix
- ];
- };
-}
diff --git a/nix/os/devices/sj-srv1/flake.lock b/nix/os/devices/sj-srv1/flake.lock
deleted file mode 100644
index bb96205..0000000
--- a/nix/os/devices/sj-srv1/flake.lock
+++ /dev/null
@@ -1,100 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1747556831, - "narHash": "sha256-Qb84nbYFFk0DzFeqVoHltS2RodAYY5/HZQKE8WnBDsc=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "d0bbd221482c2713cccb80220f3c9d16a6e20a33", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-25.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1747953325, - "narHash": "sha256-y2ZtlIlNTuVJUZCqzZAhIw5rrKP4DOSklev6c8PyCkQ=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "55d1f923c480dadce40f5231feb472e81b0bab48", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-kanidm": { - "locked": { - "lastModified": 1729071019, - "narHash": "sha256-c4J/ZiMbjMf98FawO5XJaTWqvrvIXpxnIpxu4OV3CGA=", - "owner": "steveej-forks", - "repo": "nixpkgs", - "rev": "984b1d5a286d3a072b840b30ec49d96878d01e64", - "type": "github" - }, - "original": { - "owner": "steveej-forks", - "ref": "kanidm", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1748090750, - "narHash": "sha256-q98rD+6llf/9ABNZc0lbSgGVjqMvkx4QL8LTs1jt+FY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "a9e3bbb8995849e5daa0cf5e03a09c1df63bf933", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1748074755, - "narHash": "sha256-b3SC3Q3cXr4tdCN3WVTFqMP8I9OwaXXcj1aVoSVaygw=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "c3ee76c437067f1ae09d6e530df46a3f80977992", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": 
"nixpkgs", - "nixpkgs-kanidm": "nixpkgs-kanidm", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix deleted file mode 100644 index c13b5ad..0000000 --- a/nix/os/devices/sj-srv1/flake.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; - inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; - inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; - - inputs.nixpkgs-kanidm.url = "github:steveej-forks/nixpkgs/kanidm"; - - inputs.home-manager = { - url = "github:nix-community/home-manager/release-25.05"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix deleted file mode 100644 index ca9158b..0000000 --- a/nix/os/devices/sj-srv1/hw.nix +++ /dev/null @@ -1,55 +0,0 @@ -_: -let - stage1Modules = [ - "virtio_balloon" - "virtio_scsi" - "virtio_net" - "virtio_pci" - "virtio_ring" - "virtio" - "scsi_mod" - - "virtio_blk" - "virtio_ring" - "ata_piix" - "pata_acpi" - "ata_generic" - - "aesni_intel" - "kvm_amd" - "nvme" - "nvme_core" - - "thunderbolt" - "e1000e" - - "usbcore" - "xhci_hcd" - "usbnet" - "snd_usb_audio" - "usbhid" - "snd_usbmidi_lib" - "cdc_mbim" - "cdc_ncm" - "usb_storage" - "cdc_wdm" - "uvcvideo" - "btusb" - "xhci_pci" - "cdc_ether" - "uas" - ]; -in -{ - imports = [ - ../../modules/opinionatedDisk.nix - ]; - hardware.opinionatedDisk = { - enable = true; - encrypted = false; - diskId = "virtio-virtio-paeNi8Fof9Oe"; - earlyDiskIdOverride = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN"; - }; - - boot.initrd.kernelModules = stage1Modules; -} diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix deleted file mode 100644 index c5e4c43..0000000 --- a/nix/os/devices/sj-srv1/system.nix +++ /dev/null 
@@ -1,220 +0,0 @@
-{
- pkgs,
- lib,
- config,
- repoFlake,
- nodeFlake,
- nodeName,
- ...
-}:
-let
- hostBridgeAddress = "192.168.101.1";
-in
-{
- imports = [
- ../../snippets/systemd-resolved.nix
- {
- # make sure it uses the DNS that comes in via DHCP
- networking.nameservers = lib.mkForce [ ];
- services.resolved.enable = true;
-
- # provide DNS to the containers
- services.resolved.extraConfig = ''
- DNSStubListenerExtra=${hostBridgeAddress}
- '';
- networking.firewall.interfaces.br0.allowedTCPPorts = [ 53 ];
- networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 ];
- }
- ];
-
- programs.wireshark.enable = true;
- environment.systemPackages = [ pkgs.dnsutils ];
-
- networking.firewall.enable = true;
- networking.nftables.enable = true;
- networking.nftables.flushRuleset = true;
-
- networking.firewall.allowedTCPPorts = [
- # iperf3
- 5201
- ];
-
- networking.firewall.logRefusedConnections = false;
-
- networking.usePredictableInterfaceNames = false;
-
- networking.useNetworkd = true;
- networking.useDHCP = false;
-
- networking.nat = {
- enable = true;
- internalInterfaces = [ "br0" ];
- externalInterface = "dmz0";
- };
-
- networking.bridges = {
- br0 = {
- interfaces = [ ];
- };
- };
- networking.interfaces = {
- br0 = {
- ipv4.addresses = [
- {
- address = hostBridgeAddress;
- prefixLength = 24;
- }
- ];
- };
- };
-
- systemd.network.netdevs."10-dmz0" = {
- enable = true;
- netdevConfig = {
- Name = "dmz0";
- Kind = "macvlan";
- MACAddress = "1c:69:7a:07:08:6f";
- };
-
- macvlanConfig = {
- Mode = "bridge";
- };
- };
-
- systemd.network.networks."20-eth0" = {
- enable = true;
- matchConfig.Name = "eth0";
-
- linkConfig.RequiredForOnline = "carrier";
- networkConfig.LinkLocalAddressing = "no";
-
- # TODO: i'm not sure if and if so why this is required
- macvlan = [ "dmz0" ];
-
- DHCP = "no";
- };
-
- systemd.network.networks."30-dmz0" = {
- enable = true;
- matchConfig.Name = "dmz0";
- DHCP = "yes";
-
- dhcpV4Config.UseDNS = true;
- dhcpV6Config.UseDNS = true;
- };
-
- boot.kernel.sysctl = {
- "net.ipv4.ip_forward" = 1;
- "net.ipv6.ip_forward" = 1;
- };
-
- # virtualization
- virtualisation = {
- docker.enable = false;
- };
-
- nix.gc = {
- automatic = true;
- };
-
- sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
-
- # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
- services.restic.backups.${nodeName} =
- let
- btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
- in
- {
- initialize = true;
- repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";
-
- paths = [ "/backup" ];
-
- pruneOpts = [
- "--keep-daily 7"
- "--keep-weekly 5"
- "--keep-monthly 12"
- "--keep-yearly 2"
- ];
-
- timerConfig = {
- OnCalendar = lib.mkDefault "daily";
- Persistent = true;
- };
-
- passwordFile = config.sops.secrets.restic-password.path;
-
- backupPrepareCommand = ''
- ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes
- '';
- backupCleanupCommand = ''
- ${btrfs} su delete /backup/container-volumes
- '';
- };
-
- containers = {
- mailserver = import ../../containers/mailserver.nix {
- specialArgs = {
- inherit repoFlake nodeFlake;
- hostAddress = hostBridgeAddress;
- };
-
- autoStart = true;
-
- hostBridge = "br0";
- hostAddress = hostBridgeAddress;
- localAddress = "192.168.101.10/24";
-
- imapsPort = 993;
- sievePort = 4190;
- };
-
- webserver = import ../../containers/webserver.nix {
- specialArgs = {
- inherit repoFlake nodeFlake;
- hostAddress = hostBridgeAddress;
- };
-
- autoStart = true;
-
- hostBridge = "br0";
- hostAddress = hostBridgeAddress;
- localAddress = "192.168.101.11/24";
-
- httpPort = 80;
- httpsPort = 443;
- forgejoSshPort = 2222;
- };
-
- syncthing = import ../../containers/syncthing.nix {
- specialArgs = {
- inherit repoFlake nodeFlake;
- hostAddress = hostBridgeAddress;
- };
- autoStart = true;
-
- hostBridge = "br0";
- hostAddress = hostBridgeAddress;
- localAddress = "192.168.101.12/24";
-
- syncthingPort = 22000;
- };
- };
-
- virtualisation.libvirtd = {
- enable = true;
- onShutdown = "shutdown";
- parallelShutdown = 3;
- };
-
- # VM storage
- # fileSystems."/mnt/8078-532D".device = "/dev/disk/by-uuid/8078-532D";
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "22.11"; # Did you read the comment?
-}
diff --git a/nix/os/devices/sj-vps-htz0/README.md b/nix/os/devices/sj-vps-htz0/README.md
deleted file mode 100644
index 5c32f8e..0000000
--- a/nix/os/devices/sj-vps-htz0/README.md
+++ /dev/null
@@ -1,18 +0,0 @@
-## bootstrapping
-
-```
-systemctl stop dhcpcd
-ip a add 167.233.1.14/29 dev ens18
-ip l set mtu 1400 dev ens18
-ip r add default via 167.233.1.9
-echo "nameserver 1.1.1.1" >> /etc/resolv.conf
-mkdir ~/.ssh
-```
-
-### ssh key
-
-run locally:
-
-```
-ssh-add -L | tr \\n \\r | xdotool selectwindow windowfocus type --delay 50 --window %@ --file -
-```
diff --git a/nix/os/devices/sj-vps-htz0/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix
deleted file mode 100644
index 0f9e008..0000000
--- a/nix/os/devices/sj-vps-htz0/configuration.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ nodeName, config, ... }:
-{
- disabledModules = [ ];
- imports = [
- ../../profiles/common/configuration.nix
- {
- users.commonUsers = {
- enable = true;
- enableNonRoot = true;
- rootPasswordFile = config.sops.secrets.passwords-root.path;
- };
-
- sops.secrets.passwords-root = {
- sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
- neededForUsers = true;
- format = "yaml";
- };
- }
- ../../modules/opinionatedDisk.nix
-
- ./system.nix
- ./hw.nix
- ./boot.nix
- ];
-}
diff --git a/nix/os/devices/sj-vps-htz0/default.nix b/nix/os/devices/sj-vps-htz0/default.nix
deleted file mode 100644
index 7683a53..0000000
--- a/nix/os/devices/sj-vps-htz0/default.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- nodeName,
- repoFlake,
- nodeFlake,
- ...
-}:
-let
- system = "x86_64-linux";
-in
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit repoFlake nodeName nodeFlake;
- packages' = repoFlake.packages.${system};
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = "${nodeName}.infra.stefanjunker.de";
- deployment.replaceUnknownProfiles = false;
-
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
-
- ./configuration.nix
- ];
- };
-}
diff --git a/nix/os/devices/sj-vps-htz0/flake.lock b/nix/os/devices/sj-vps-htz0/flake.lock
deleted file mode 100644
index 56c2d36..0000000
--- a/nix/os/devices/sj-vps-htz0/flake.lock
+++ /dev/null
@@ -1,83 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1700392168, - "narHash": "sha256-v5LprEFx3u4+1vmds9K0/i7sHjT0IYGs7u9v54iz/OA=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "28535c3a34d79071f2ccb68671971ce0c0984d7e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-23.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1700501263, - "narHash": "sha256-M0U063Ba2DKL4lMYI7XW13Rsk5tfUXnIYiAVa39AV/0=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "f741f8a839912e272d7e87ccf4b9dbc6012cdaf9", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1700758842, - "narHash": "sha256-WNpG3F/0dktkYbG6O8Put9GtBw4C4vb1KwtIibfXYEE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "359d577687ea3eb033590cf1259f0355e30b9c6f", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1700641131, - "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/sj-vps-htz0/flake.nix b/nix/os/devices/sj-vps-htz0/flake.nix deleted file mode 100644 index f8ca24f..0000000 --- a/nix/os/devices/sj-vps-htz0/flake.nix +++ /dev/null 
@@ -1,12 +0,0 @@
-{
- inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
- inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
- inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
-
- inputs.home-manager = {
- url = "github:nix-community/home-manager/release-23.05";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
- outputs = _: { };
-}
diff --git a/nix/os/devices/sj-vps-htz0/hw.nix b/nix/os/devices/sj-vps-htz0/hw.nix
deleted file mode 100644
index 080bb40..0000000
--- a/nix/os/devices/sj-vps-htz0/hw.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-_:
-let
- stage1Modules = [
- "virtio_balloon"
- "virtio_scsi"
- "virtio_net"
- "virtio_pci"
- "virtio_ring"
- "virtio"
- "scsi_mod"
-
- "virtio_blk"
- "virtio_ring"
- "ata_piix"
- "pata_acpi"
- "ata_generic"
- ];
-in
-{
- hardware.opinionatedDisk = {
- enable = true;
- encrypted = false;
- diskId = "virtio-virtio-paeNi8Fof9Oe";
- };
-
- boot.initrd.kernelModules = stage1Modules;
-}
diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix
deleted file mode 100644
index 7380a35..0000000
--- a/nix/os/devices/sj-vps-htz0/system.nix
+++ /dev/null
@@ -1,109 +0,0 @@
-{
- pkgs,
- config,
- nodeName,
- ...
-}:
-let
- wireguardPort = 51820;
-in
-{
- imports = [ ../../snippets/systemd-resolved.nix ];
-
- networking.firewall.enable = true;
- networking.nftables.enable = true;
-
- networking.firewall.allowedTCPPorts = [
- # iperf3
- 5201
- ];
- networking.firewall.allowedUDPPorts = [ wireguardPort ];
-
- networking.firewall.logRefusedConnections = false;
-
- networking.usePredictableInterfaceNames = false;
-
- networking.dhcpcd.enable = false;
-
- networking.interfaces.eth0 = {
- mtu = 1400;
- useDHCP = true;
- ipv4.addresses = [
- {
- "address" = "167.233.1.14";
- "prefixLength" = 29;
- }
- ];
- ipv6.addresses = [ ];
- };
-
- networking.defaultGateway = {
- address = "167.233.1.9";
- interface = "eth0";
- };
-
- networking.defaultGateway6 = {
- address = "fe80::1";
- interface = "eth0";
- };
-
- networking.nat = {
- enable = true;
- internalInterfaces = [
- "ve-*"
- "wg*"
- ];
- externalInterface = "eth0";
- };
-
- networking.firewall.filterForward = true;
- networking.firewall.extraForwardRules = ''
- meta nfproto ipv4 tcp flags syn tcp option maxseg size set 1360;
- meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1340;
- '';
-
- sops.secrets.wg0-private.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
- sops.secrets.wg0-psk-steveej-psk.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
-
- networking.wireguard.enable = true;
- networking.wireguard.interfaces.wg0 = {
- # eth0 MTU (1400) - 80
- mtu = 1320;
- ips = [ "192.168.99.1/31" ];
- listenPort = wireguardPort;
- privateKeyFile = config.sops.secrets.wg0-private.path;
- peers = [
- {
- allowedIPs = [ "192.168.99.2/32" ];
- publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0=";
- presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path;
- }
- ];
- };
-
- # virtualization
- virtualisation = {
- docker.enable = false;
- };
-
- services.spice-vdagentd.enable = true;
- services.qemuGuest.enable = true;
-
- nix.gc = {
- automatic = true;
- };
-
- containers = { };
-
- home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
- inherit pkgs;
- };
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "22.11"; # Did you read the comment?
-}
diff --git a/nix/os/devices/srv0-dmz0/README.md b/nix/os/devices/srv0-dmz0/README.md
deleted file mode 100644
index c76c8a0..0000000
--- a/nix/os/devices/srv0-dmz0/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-## bootstrapping
-
-```
-# TODO: generate an SSH host-key and deploy it via --extra-files
-nixos-anywhere --flake .\#srv0-dmz0 root@srv0.dmz0.noosphere.life
-```
diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix
deleted file mode 100644
index 5514edf..0000000
--- a/nix/os/devices/srv0-dmz0/configuration.nix
+++ /dev/null
@@ -1,135 +0,0 @@
-{
- modulesPath,
- repoFlake,
- config,
- ...
-}:
-let
- disk = "/dev/disk/by-id/ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN";
-in
-{
- disabledModules = [ ];
- imports = [
- repoFlake.inputs.disko.nixosModules.disko
- repoFlake.inputs.srvos.nixosModules.server
- (modulesPath + "/profiles/all-hardware.nix")
-
- repoFlake.inputs.srvos.nixosModules.mixins-terminfo
- repoFlake.inputs.srvos.nixosModules.mixins-systemd-boot
-
- repoFlake.inputs.sops-nix.nixosModules.sops
-
- ../../profiles/common/user.nix
- ];
-
- ## bare-metal machines
- srvos.boot.consoles = [ "tty0" ];
- boot.loader.grub.enable = false;
- boot.loader.efi.canTouchEfiVariables = false;
-
- disko.devices.disk.main = {
- device = disk;
- type = "disk";
- content = {
- type = "table";
- format = "gpt";
- partitions = [
- {
- name = "boot";
- start = "0";
- end = "1M";
- part-type = "primary";
- flags = [ "bios_grub" ];
- }
- {
- name = "ESP";
- start = "1M";
- end = "512M";
- bootable = true;
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- }
- {
- name = "root";
- start = "512M";
- end = "100%";
- part-type = "primary";
- bootable = true;
- content = {
- type = "btrfs";
- extraArgs = [ "-f" ]; # Override existing partition
- subvolumes = {
- # Subvolume name is different from mountpoint
- "/rootfs" = {
- mountpoint = "/";
- };
- "/nix" = {
- mountOptions = [ "noatime" ];
- };
- };
- };
- }
- ];
- };
- };
-
- hardware.enableAllFirmware = true;
- nixpkgs.config.allowUnfree = true;
-
- hardware.enableRedistributableFirmware = true;
- hardware.cpu.intel.updateMicrocode = true;
-
- services.openssh.enable = true;
-
- systemd.network.enable = true;
- systemd.network.networks."10-lan" = {
- matchConfig.Name = "eth*";
- networkConfig = {
- # enable DHCP for IPv4 *and* IPv6
- DHCP = "yes";
-
- # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
- IPv6AcceptRA = true;
- };
- };
- networking.dhcpcd.enable = false;
-
- networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [
- 22
-
- # iperf3
- 5201
- ];
- networking.firewall.logRefusedConnections = false;
- networking.usePredictableInterfaceNames = false;
-
- networking.nat = {
- enable = true;
- internalInterfaces = [ "ve-+" ];
- externalInterface = "eth0";
- };
-
- # Kubernetes
- # services.kubernetes.roles = ["master" "node"];
-
- # virtualization
- # virtualisation = {docker.enable = true;};
-
- nix.gc = {
- automatic = true;
- };
-
- containers = { };
-
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "23.11"; # Did you read the comment?
-}
diff --git a/nix/os/devices/srv0-dmz0/default.nix b/nix/os/devices/srv0-dmz0/default.nix
deleted file mode 100644
index 3af624b..0000000
--- a/nix/os/devices/srv0-dmz0/default.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- nodeName,
- repoFlake,
- nodeFlake,
- ...
-}:
-let
- system = "x86_64-linux";
-in
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit repoFlake nodeName nodeFlake;
- packages' = repoFlake.packages.${system};
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = "srv0.dmz0.noosphere.life";
- deployment.replaceUnknownProfiles = false;
-
- imports = [
- nodeFlake.inputs.home-manager.nixosModules.home-manager
-
- ./configuration.nix
- ];
-
- networking.hostName = nodeName;
- };
-}
diff --git a/nix/os/devices/srv0-dmz0/flake.lock b/nix/os/devices/srv0-dmz0/flake.lock
deleted file mode 100644
index 4e1a641..0000000
--- a/nix/os/devices/srv0-dmz0/flake.lock +++ /dev/null @@ -1,83 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1716736833, - "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-24.05", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1717144377, - "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "805a384895c696f802a9bf5bf4720f37385df547", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1717242134, - "narHash": "sha256-2X835ZESUaQ/KZEuG9HkoEB7h0USG5uvkSUmLzFkxAE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "61c1d282153dbfcb5fe413c228d172d0fe7c2a7e", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1717216113, - "narHash": "sha256-DniggN0kphCCBpGlS2WyDPoNqxQoRFlhN2GMk35OHiM=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "21959d8d44197094aebc74ead6ca4a53bcce0adb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/srv0-dmz0/flake.nix b/nix/os/devices/srv0-dmz0/flake.nix deleted file mode 100644 index 2f27989..0000000 
--- a/nix/os/devices/srv0-dmz0/flake.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
- inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
- inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
-
- inputs.home-manager = {
- url = "github:nix-community/home-manager/release-24.05";
- inputs.nixpkgs.follows = "nixpkgs";
- };
-
- outputs = _: { };
-}
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix
deleted file mode 100644
index 9ddbde9..0000000
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix
+++ /dev/null
@@ -1,4 +0,0 @@
-_: {
- boot.loader.grub.efiSupport = true;
- boot.extraModulePackages = [ ];
-}
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix
deleted file mode 100644
index a89e29a..0000000
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-_:
-let
- stage1Modules = [
- "aesni_intel"
- "kvm-intel"
-
- "virtio_balloon"
- "virtio_scsi"
- "virtio_net"
- "virtio_pci"
- "virtio_ring"
- "virtio"
-
- "scsi_mod"
- "uas"
- "usb_storage"
-
- "xhci_hcd"
- "xhci_pci"
- ];
-in
-{
- # TASK: new device
- hardware.opinionatedDisk = {
- enable = true;
- encrypted = false;
- diskId = "usb-JMicron_Generic_0123456789ABCDEF-0:0";
- };
-
- boot.initrd.availableKernelModules = stage1Modules;
- boot.initrd.kernelModules = stage1Modules;
- boot.extraModprobeConfig = "";
-}
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix
deleted file mode 100644
index 607e7f3..0000000
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ config, pkgs, ... }:
-{
- nixpkgs.config.packageOverrides =
- pkgs: with pkgs; {
- inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath;
- };
- home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
- inherit pkgs;
- };
-
- nix.buildMachines = [
- {
- hostName = "localhost";
- system = "x86_64-linux";
- supportedFeatures = [
- "kvm"
- "nixos-test"
- "big-parallel"
- "benchmark"
- ];
- maxJobs = 4;
- }
- ];
-
- # services.hydra = {
- # enable = false;
- # hydraURL = "http://localhost:3000"; # externally visible URL
- # notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service
- # # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines
- # buildMachinesFiles = [];
- # # you will probably also want, otherwise *everything* will be built from scratch
- # useSubstitutes = true;
- # };
-
- # services.gitlab-runner = {
- # enable = false;
-
- # extraPackages = with pkgs; [
- # bash
- # gitlab-runner
- # nix
- # gitFull
- # git-crypt
- # ];
-
- # concurrent = 2;
- # checkInterval = 0;
- # services = {
- # nixRunner = {
- # executor = "shell";
- # runUntagged = true;
- # registrationConfigFile = "/etc/secrets/gitlab-runner/nix-runner.registration";
- # tagList = [ "nix" ];
- # };
- # };
- # };
-}
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix
deleted file mode 100644
index 1bc2086..0000000
--- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix
+++ /dev/null
@@ -1,21 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-22.05"; - rev = "040c6d8374d090f46ab0e99f1f7c27a4529ecffd"; - }; -in -{ - inherit nixpkgs; - "channels-nixos-stable" = nixpkgs; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = "5527a41eb304aa7c77efeefbda0e17ca105a4c8c"; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-22.05"; - rev = "b81e128fc053ab3159d7b464d9b7dedc9d6a6891"; - }; -} diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix deleted file mode 100644 index 5817e21..0000000 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix +++ /dev/null @@ -1,27 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-22.05"; - rev = '' - <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.05 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; -in -{ - inherit nixpkgs; - "channels-nixos-stable" = nixpkgs; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = '' - <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-22.05"; - rev = '' - <% git ls-remote https://github.com/nix-community/home-manager.git release-22.05 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; -} diff --git a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix index d009275..40aeaeb 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix @@ -1,4 +1,5 @@ { ... }: + { imports = [ ../../profiles/common/configuration.nix 
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix
index 76ab1b9..30186d1 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix
@@ -1,4 +1,6 @@
-_: {
+{ ... }:
+
+{
 # TASK: new device
 hardware.encryptedDisk = {
 enable = true;
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix
index efe0db2..8d673ba 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix
@@ -1,7 +1,9 @@
 { pkgs, lib, ... }:
-{
+
+let
+in {
 services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"'';
- users.groups.sgx = { };
+ users.groups.sgx = {};
 networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname.
 boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest;
 }
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix
index e37d392..05a9670 100644
--- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix
+++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix
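Review bot: The `let`/`in {` added to system.nix binds nothing, so the three new lines between `{ pkgs, lib, ... }:` and the attribute set are noise; the `_: {` → `{ ... }:` rewrite in hw.nix on the same line shows the plainer form, `{ pkgs, lib, ... }:` followed directly by `{`. If a binding is about to be added here, a one-line comment saying so would justify keeping the empty block.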
@@ -1,29 +1,20 @@
-{ pkgs, ... }:
+{ config
+, pkgs
+, ... }:
+
 let
+ passwords = import ../../../variables/passwords.crypt.nix;
 keys = import ../../../variables/keys.nix;
- inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser;
-in
-{
+ inherit (import ../../lib/default.nix { }) mkUser;
+
+in {
 users.extraUsers.sjunker = mkUser {
 uid = 1001;
 openssh.authorizedKeys.keys = keys.users.steveej.openssh;
- shell = pkgs.posh {
- image = "quay.io/enarx/fedora";
- run_args = "-v /dev/sgx:/dev/sgx";
- };
+ shell = pkgs.posh { image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; };
 extraGroups = [ "sgx" ];
- subUidRanges = [
- {
- startUid = 100000;
- count = 65536;
- }
- ];
- subGidRanges = [
- {
- startGid = 100000;
- count = 65536;
- }
- ];
+ subUidRanges = [{ startUid = 100000; count = 65536; }];
+ subGidRanges = [{ startGid = 100000; count = 65536; }];
 };
 }
diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix
index 9682eb6..87284bc 100644
--- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix
+++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix
@@ -1,4 +1,5 @@
 { ... }:
+
 {
 imports = [
 ../../profiles/common/configuration.nix
diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix
index 4af1def..1c7f7a3 100644
--- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix
+++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix
@@ -1,4 +1,6 @@
-_: {
+{ ... }:
+
+{
 # TASK: new device
 hardware.encryptedDisk = {
 enable = true;
diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix
index 7f69ec0..4ac0ac9 100644
--- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix
+++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix
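Review bot: `passwords = import ../../../variables/passwords.crypt.nix;` is bound in the new `let` of user.nix but never referenced anywhere in the 20-line file, and the `config` argument added to the pattern is equally unused; a dead import of a `.crypt.nix` file makes a reader assume a credential is consumed here when it is not, so drop the `passwords` line and keep the pattern at `{ pkgs, ... }:`. The `mkUser` import also changes from `{ inherit (pkgs) lib; }` to `{ }`; whether `../../lib/default.nix` supplies a default for `lib` is not visible on this page, so that should be evaluated once before merging.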
@@ -1,3 +1,5 @@
-_: {
+{ ... }:
+
+{
 networking.hostName = "steveej-rmvbl-mmc-SL32G_0x259093f6"; # Define your hostname.
 }
diff --git a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix
index 861a9ea..860f09f 100644
--- a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix
@@ -1,9 +1,9 @@
 { ... }:
+
 {
- nixpkgs.config.packageOverrides =
- pkgs: with pkgs; {
- inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath;
- };
+ nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+ nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
+ };
 imports = [
 ../../profiles/common/configuration.nix
diff --git a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix
index c42f909..34dd81c 100644
--- a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix
@@ -1,6 +1,9 @@
-_: {
+{ ... }:
+
+{
 # TASK: new device
- hardware.opinionatedDisk.diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0";
- hardware.opinionatedDisk.encrypted = true;
- hardware.enableRedistributableFirmware = true;
+ hardware.encryptedDisk = {
+ enable = true;
+ diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0";
+ };
 }
diff --git a/nix/os/devices/steveej-rmvbl-sdep0/system.nix b/nix/os/devices/steveej-rmvbl-sdep0/system.nix
index d409681..4374ff2 100644
--- a/nix/os/devices/steveej-rmvbl-sdep0/system.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/system.nix
@@ -1,4 +1,5 @@
-_: {
+{ ... }:
+
+{
 networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname.
- system.stateVersion = "21.05";
 }
diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix
index 3771f25..90388f6 100644
--- a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix
+++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix
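Review bot: `hardware.enableRedistributableFirmware = true;` is removed from the steveej-rmvbl-sdep0 hw.nix together with the `opinionatedDisk` options, but nothing in the new `hardware.encryptedDisk` block stands in for it, so any firmware this stick's adapters relied on is silently no longer shipped. If the drop is intentional, a comment next to the new block such as `# redistributable firmware intentionally not enabled on this host` keeps it from being re-added; otherwise keep the line. Whether `encryptedDisk.enable = true` covers the old `encrypted = true` depends on `../../modules/encryptedDisk.nix`, which is not on this page.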
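Review bot: `system.stateVersion = "21.05";` is removed from the steveej-rmvbl-sdep0 system.nix and no other line in the hunk sets it, so the value now floats with whatever release the host evaluates against; NixOS uses stateVersion to freeze stateful defaults on an existing installation, and dropping it can silently change them. Unless this device is being reinstalled from scratch, keep `system.stateVersion = "21.05";`, or set it in pkg.nix the way the steveej-t480s-work hunk later on this page does.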
@@ -1,10 +1,11 @@
 let
 nixpkgs = {
 url = "https://github.com/NixOS/nixpkgs/";
- ref = "nixos-22.11";
- rev = ''0040164e473509b4aee6aedb3b923e400d6df10b'';
+ ref = "nixos-20.09";
+ rev = "19db3e5ea2777daa874563b5986288151f502e27";
 };
 in
+
 {
 inherit nixpkgs;
 nixos = nixpkgs // {
@@ -14,21 +15,16 @@ in
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-unstable";
- rev = ''d9f759f2ea8d265d974a6e1259bd510ac5844c5d'';
- };
- "channels-nixos-unstable-small" = {
- url = "https://github.com/NixOS/nixpkgs/";
- ref = "nixos-unstable-small";
- rev = ''9c34c8adba80180608794cce600b10183b048942'';
+ rev = "2247d824fe07f16325596acc7faa286502faffd1";
 };
 "nixpkgs-master" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "master";
- rev = ''f9adb566707a492bd3d17fee1e223695d939b52a'';
+ rev = "8d4af2e08c3d161fa482fe8e14af721e79ae7a09";
 };
 "home-manager-module" = {
 url = "https://github.com/nix-community/home-manager";
- ref = "release-22.11";
- rev = ''d6f3ba090ed090ae664ab5bac329654093aae725'';
+ ref = "release-20.09";
+ rev = "63f299b3347aea183fc5088e4d6c4a193b334a41";
 };
 }
diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix
deleted file mode 100644
index 92abc4a..0000000
--- a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix
+++ /dev/null
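Review bot: Both hunks of versions.nix pin the host to `nixos-20.09` and `release-20.09`, channels that are end-of-life and no longer receive security updates, so nothing in this host's closure will get fixes until the pin moves again. If the downgrade is deliberate for this removable device, say so with a comment next to `ref = "nixos-20.09";` and note when it is meant to move forward. The second hunk also drops the `channels-nixos-unstable-small` attribute; any consumer of that key in `../../../default.nix` would now fail to evaluate, which I cannot confirm from this page.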
@@ -1,44 +0,0 @@ -let - nixpkgs = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-22.11"; - rev = '' - <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; -in -{ - inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; - "channels-nixos-stable" = nixpkgs; - "channels-nixos-unstable" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable"; - rev = '' - <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; - "channels-nixos-unstable-small" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "nixos-unstable-small"; - rev = '' - <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable-small | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; - "nixpkgs-master" = { - url = "https://github.com/NixOS/nixpkgs/"; - ref = "master"; - rev = '' - <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; - "home-manager-module" = { - url = "https://github.com/nix-community/home-manager"; - ref = "release-22.11"; - rev = '' - <% git ls-remote https://github.com/nix-community/home-manager.git release-22.11 | awk '{ print $1 }' | tr -d ' - ' -%>''; - }; -} diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix deleted file mode 100644 index d3ff0b5..0000000 --- a/nix/os/devices/steveej-t14/boot.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ lib, pkgs, ... }: -{ - boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; - boot.loader.efi.canTouchEfiVariables = lib.mkForce false; - boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - - # boot.tmpOnTmpfs = lib.mkForce false; - boot.tmp.tmpfsSize = "100%"; - - # TODO: make this work - # systemd.tmpfiles.rules = lib.mkForce [ "d /tmp 1777 root root 1d" ]; -} 
diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix
deleted file mode 100644
index f5ccca0..0000000
--- a/nix/os/devices/steveej-t14/configuration.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ ... }:
-{
- imports = [
- ../../snippets/home-manager-with-zsh.nix
- ../../snippets/nix-settings-holo-chain.nix
- # TODO: double-check whether this works at all after the most recent changes
- # ../../snippets/radicale.nix
- ../../snippets/sway-desktop.nix
- ../../snippets/timezone.nix
-
- ../../profiles/common/configuration.nix
- ../../profiles/graphical/configuration.nix
- ../../modules/opinionatedDisk.nix
- ../../cachix.nix
-
- ./system.nix
- ./hw.nix
- ./pkg.nix
- ./user.nix
- ./boot.nix
-
- # samba seerver
- (_: {
- # networking.firewall.enable = lib.mkForce false;
- services.samba-wsdd.enable = true; # make shares visible for windows 10 clients
- networking.firewall.allowedTCPPorts = [
- 5357 # wsdd
- ];
- networking.firewall.allowedUDPPorts = [
- 3702 # wsdd
- ];
- services.samba = {
- enable = true;
-
- securityType = "user";
-
- extraConfig = ''
- workgroup = ARBEITSGRUPPE
- server string = steveej-t14
- netbios name = steveej-t14
- security = user
-
- # use sendfile = yes
-
- # for executables on windows
- acl allow execute always = True
-
- # legacy windows quirks
- max protocol = NT1
- min protocol = NT1
- ntlm auth = yes
-
- # client max protocol = SMB1
- # client min protocol = NT1
-
- # note: localhost is the ipv6 localhost ::1
- hosts allow = 192.168. 127.0.0.1 localhost
- hosts deny = 0.0.0.0/0
- guest account = nobody
- map to guest = bad user
- '';
- shares = {
- voodoo = {
- path = "/home/steveej/Desktop/voodoo";
- browseable = "yes";
- "read only" = "no";
- "guest ok" = "no";
- "create mask" = "0644";
- "directory mask" = "0755";
- # "force user" = "steveej";
- # "force group" = "users";
- };
- };
- };
- })
- ];
-}
diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix
deleted file mode 100644
index d7e6d28..0000000
--- a/nix/os/devices/steveej-t14/default.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- nodeName,
- repoFlake,
- repoFlakeWithSystem,
- nodeFlake,
- ...
-}:
-let
- system = "x86_64-linux";
-in
-{
- meta.nodeSpecialArgs.${nodeName} = {
- inherit repoFlake nodeName nodeFlake;
- packages' = repoFlake.packages.${system};
- repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs');
- };
-
- meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
-
- ${nodeName} = {
- deployment.targetHost = nodeName;
- deployment.replaceUnknownProfiles = false;
- deployment.allowLocalDeployment = true;
-
- imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ];
- };
-}
diff --git a/nix/os/devices/steveej-t14/flake.lock b/nix/os/devices/steveej-t14/flake.lock
deleted file mode 100644
index 5960780..0000000
--- a/nix/os/devices/steveej-t14/flake.lock
+++ /dev/null
@@ -1,137 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705273357, - "narHash": "sha256-JAlkxgJbWh7+auiT0rJL3IUXXtkULRqygfxQA6mvLgc=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "924d91e1e4c802fd8e60279a022dbae5acb36f2d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-23.11", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs-2211": { - "locked": { - "lastModified": 1688392541, - "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2305": { - "locked": { - "lastModified": 1704290814, - "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2311": { - "locked": { - "lastModified": 1705183652, - "narHash": "sha256-rnfkyUH0x72oHfiSDhuCHDHg3gFgF+lF8zkkg5Zihsw=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "428544ae95eec077c7f823b422afae5f174dee4b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1705325703, - "narHash": "sha256-ckwq5uZTOg79p6j9Op4tuKUiEIf0gaLskMS5g43MfVI=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "7081bd488c8fd2a1ac54fda9676e22e6f8fb581f", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1705133751, - "narHash": 
"sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable-small": { - "locked": { - "lastModified": 1705249824, - "narHash": "sha256-ZLPa6YWHeX+/yzaxU7uMWq9eMMncffrzkgOXe6AODMU=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "0c741cd9fbdc435b7ca88e17efc371b48e7c23b8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": [ - "nixpkgs-2311" - ], - "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-2305": "nixpkgs-2305", - "nixpkgs-2311": "nixpkgs-2311", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable", - "nixpkgs-unstable-small": "nixpkgs-unstable-small" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/steveej-t14/flake.nix b/nix/os/devices/steveej-t14/flake.nix deleted file mode 100644 index 504ce45..0000000 --- a/nix/os/devices/steveej-t14/flake.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ - inputs.nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; - inputs.nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; - inputs.nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11"; - inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; - - inputs.nixpkgs.follows = "nixpkgs-2311"; - - inputs.home-manager = { - url = "github:nix-community/home-manager/release-23.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix deleted file mode 100644 index 0fa593a..0000000 --- a/nix/os/devices/steveej-t14/hw.nix +++ /dev/null 
@@ -1,143 +0,0 @@
-_: {
- # TASK: new device
- hardware.opinionatedDisk = {
- enable = true;
- encrypted = true;
- diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901";
- earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0";
- };
-
- # boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0";
-
- # see https://linrunner.de/tlp/
- services.tlp = {
- enable = false;
- settings = {
- CPU_DRIVER_OPMODE_ON_AC = "active";
- CPU_DRIVER_OPMODE_ON_BAT = "passive";
-
- CPU_SCALING_GOVERNOR_ON_AC = "performance";
- CPU_SCALING_GOVERNOR_ON_BAT = "powersave";
-
- CPU_ENERGY_PERF_POLICY_ON_AC = "performance";
- CPU_ENERGY_PERF_POLICY_ON_BAT = "power";
-
- CPU_BOOST_ON_AC = "0";
- CPU_BOOST_ON_BAT = "0";
-
- RADEON_DPM_PERF_LEVEL_ON_AC = "low";
- RADEON_DPM_PERF_LEVEL_ON_BAT = "low";
- RADEON_POWER_PROFILE_ON_AC = "low";
- RADEON_POWER_PROFILE_ON_BAT = "low";
- RADEON_DPM_STATE_ON_AC = "battery";
- RADEON_DPM_STATE_ON_BAT = "battery";
-
- # SOUND_POWER_SAVE_ON_AC="1";
- SOUND_POWER_SAVE_ON_BAT = "1";
-
- PLATFORM_PROFILE_ON_AC = "performance";
- PLATFORM_PROFILE_ON_BAT = "low-power";
-
- RUNTIME_PM_ON_AC = "on";
- RUNTIME_PM_ON_BAT = "auto";
-
- PCIE_ASPM_ON_AC = "default";
- PCIE_ASPM_ON_BAT = "powersupersave";
-
- START_CHARGE_THRESH_BAT0 = "80";
- STOP_CHARGE_THRESH_BAT0 = "85";
-
- WOL_DISABLE = "Y";
- # WIFI_PWR_ON_AC="on";
- # WIFI_PWR_ON_BAT = "on";
- DEVICES_TO_DISABLE_ON_STARTUP = "wwan";
- # #DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan";
- # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan";
- # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi";
-
- SATA_LINKPWR_ON_AC = "max_performance";
- SATA_LINKPWR_ON_BAT = "min_power";
- };
- };
-
- # see https://www.kernel.org/doc/html/v6.6/admin-guide/laptops/thinkpad-acpi.html#fan-control-and-monitoring-fan-speed-fan-enable-disable
- services.thinkfan = {
- enable = false;
- levels = [
- # ["level auto" 0 60]
- [
- 0
- 0
- 60
- ]
- [
- 1
- 60
- 65
- ]
- [
- 1
- 65
- 75
- ]
- [
- 2
- 75
- 78
- ]
- [
- 3
- 78
- 80
- ]
- [
- 4
- 80
- 82
- ]
- [
- 5
- 82
- 84
- ]
- [
- 6
- 84
- 86
- ]
- [
- 7
- 86
- 88
- ]
- [
- "level full-speed"
- 88
- 999
- ]
- ];
-
- extraArgs = [
- "-b-3"
- "-s1"
- ];
- };
-
- hardware.enableRedistributableFirmware = true;
- boot.initrd.kernelModules = [
- "aesni_intel"
- "kvm_amd"
- "nvme"
- "nvme_core"
-
- "thunderbolt"
- "e1000e"
-
- "usbcore"
- "xhci_hcd"
- "usbhid"
- "usb_storage"
- "xhci_pci"
- "uas"
- ];
-}
diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix
deleted file mode 100644
index 4e53eaf..0000000
--- a/nix/os/devices/steveej-t14/pkg.nix
+++ /dev/null
@@ -1,103 +0,0 @@
-{ pkgs, ... }:
-{
- system.stateVersion = "23.05";
- home-manager.users.root = _: { home.stateVersion = "22.05"; };
- home-manager.users.steveej = _: {
- home.stateVersion = "22.05";
- imports = [
- ../../../home-manager/configuration/graphical-fullblown.nix
-
- (_: {
- programs.chromium.extensions = [
- # can define host-specific extensions here
- ];
- })
- ];
-
- home.sessionVariables = { };
-
- home.packages = with pkgs; [ ];
- };
-
- # TODO: fix the following errors with regreet
- #
- # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling.
- # amdgpu: amdgpu_cs_ctx_create2 failed. (-13)
- # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling.
- # ERROR: Couldn't create log file '/var/log/regreet/log': Permission denied (os error 13)
- # 2023-05-22T10:31:42.52900769+02:00 WARN regreet::tomlutils: Missing TOML file: /var/cache/regreet/cache.toml
- # 2023-05-22T10:31:42.52902325+02:00 WARN regreet::tomlutils: Missing TOML file: /etc/greetd/regreet.toml
- #
- # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration
- # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling.
- services.greetd =
- let
- # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit"
- swayConfig = pkgs.writeText "greetd-sway-config" ''
- # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet.
- exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit"
- bindsym Mod4+shift+e exec swaynag \
- -t warning \
- -m 'What do you want to do?' \
- -b 'Poweroff' 'systemctl poweroff' \
- -b 'Reboot' 'systemctl reboot'
- '';
- in
- {
- enable = false;
- settings = {
- vt = 1;
- default_session = {
- command = "${pkgs.sway}/bin/sway --config ${swayConfig}";
- };
- };
- };
-
- environment.etc."greetd/environments".text = ''
- sway
- '';
-
- # fonts = let
- # prefs.font = rec {
- # size = 13;
- # default = sans;
-
- # sans = { family = "Noto Sans"; package = pkgs.noto-fonts; };
- # serif = { family = "Noto Serif"; package = pkgs.noto-fonts; };
- # # monospace = { family = "Iosevka Fixed"; package = pkgs.iosevka-bin; };
- # monospace = { family = "Iosevka Comfy Fixed"; package = pkgs.iosevka-comfy.comfy-fixed; };
- # # monospace = { family = "Go Mono"; package = pkgs.go-font; };
- # # monospace = { family = "Jetbrains Mono"; package = pkgs.jetbrains-mono; };
- # fallback = { family = "Font Awesome 5 Free"; package = pkgs.font-awesome; };
- # emoji = { family = "Noto Color Emoji"; package = pkgs.noto-fonts-emoji; };
- #
- # allPackages = (map (p: p.package)
- # [
- # default
- # sans
- # serif
- # monospace
- # fallback
- # emoji
- # ]) ++
- # (with pkgs; [
- # liberation_ttf # free corefonts-metric-compatible replacement
- # ttf_bitstream_vera
- # gelasio # metric-compatible with Georgia
- # powerline-symbols
- # ]);
- # };
- # in {
- # # fonts = prefs.font.allPackages;
-
- # # fontconfig = {
- # # enable = true;
- # # defaultFonts = {
- # # serif = [ prefs.font.serif.family ];
- # # sansSerif = [ prefs.font.sans.family ];
- # # monospace = [ prefs.font.monospace.family ];
- # # emoji = [ prefs.font.emoji.family ];
- # # };
- # # };
- # };
-}
diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix
deleted file mode 100644
index db19a3b..0000000
--- a/nix/os/devices/steveej-t14/system.nix
+++ /dev/null
@@ -1,120 +0,0 @@
-{
- pkgs,
- lib,
- config,
- repoFlake,
- ...
-}:
-let
- localTcpPorts = [
- 22
-
- # syncthing
- 22000
-
- # iperf3
- 5201
- ];
-
- localUdpPorts = [
- # syncthing
- 22000
- 21027
- ];
-in
-{
- nix.settings = {
- substituters = [ ];
- trusted-public-keys = [ ];
- };
-
- nix.distributedBuilds = true;
- nix.buildMachines = [
- {
- hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost;
- # TODO: make this a reference
- sshUser = "nix-remote-builder";
- protocol = "ssh-ng";
- system = "x86_64-linux";
- maxJobs = 32;
- speedFactor = 100;
- supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features;
- }
-
- {
- hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost;
- # TODO: make this a reference
- sshUser = "nix-remote-builder";
- protocol = "ssh-ng";
- system = "aarch64-linux";
- maxJobs = 32;
- speedFactor = 100;
- supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features;
- }
- ];
-
- networking.networkmanager.enable = true;
-
- networking.extraHosts = '''';
-
- networking.bridges."virbr1".interfaces = [ ];
- networking.interfaces."virbr1".ipv4.addresses = [
- {
- address = "10.254.254.254";
- prefixLength = 24;
- }
- ];
-
- # needed to make wireguard managed by networkmanager route all traffic through it
- networking.firewall.checkReversePath = false;
-
- networking.firewall.enable = true;
- services.openssh.openFirewall = false;
-
- # TODO: upstream feature for inverse rule to work: `! --in-interface zt+`
- networking.firewall.interfaces."eth+".allowedTCPPorts = localTcpPorts;
- networking.firewall.interfaces."eth+".allowedUDPPorts = localUdpPorts;
- networking.firewall.interfaces."wlan+".allowedTCPPorts = localTcpPorts;
- networking.firewall.interfaces."wlan+".allowedUDPPorts = localUdpPorts;
-
- networking.firewall.logRefusedConnections = false;
- networking.usePredictableInterfaceNames = false;
-
- services.fwupd.enable = true;
-
- services.fprintd.enable = true;
- security.pam.services = {
- login.fprintAuth = true;
- sudo.fprintAuth = true;
- };
-
- # virtualization
- virtualisation = {
- libvirtd = {
- enable = true;
- };
-
- virtualbox.host = {
- enable = false;
- addNetworkInterface = false;
- };
-
- podman = {
- enable = true;
- dockerCompat = true;
- # defaultNetwork.dnsname.enable = true;
- };
- };
-
- services.samba.extraConfig = ''
- # client min protocol = NT1
- '';
-
- security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
-
- services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ];
-
- hardware.ledger.enable = true;
-
- boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-}
diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix
deleted file mode 100644
index dacf1f4..0000000
--- a/nix/os/devices/steveej-t14/user.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ config, pkgs, ... }:
-let
- keys = import ../../../variables/keys.nix;
- inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser;
-in
-{
- users.users.steveej2 = mkUser {
- uid = 1001;
- openssh.authorizedKeys.keys = keys.users.steveej.openssh;
- hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path;
- };
-
- nix.settings.trusted-users = [ "steveej" ];
-
- security.pam.u2f.enable = true;
- security.pam.services.steveej.u2fAuth = true;
-}
diff --git a/nix/os/devices/elias-e525/configuration.nix b/nix/os/devices/steveej-t480s-work/configuration.nix
similarity index 56%
rename from nix/os/devices/elias-e525/configuration.nix
rename to nix/os/devices/steveej-t480s-work/configuration.nix
index ea92869..3830116 100644
--- a/nix/os/devices/elias-e525/configuration.nix
+++ b/nix/os/devices/steveej-t480s-work/configuration.nix
@@ -1,15 +1,20 @@
 { ... }:
+
 {
+ disabledModules = [
+ "system/boot/initrd-network.nix"
+ ];
+
 imports = [
+ ../../modules/initrd-network.nix
+
 ../../profiles/common/configuration.nix
 ../../profiles/graphical/configuration.nix
- ../../profiles/graphical-gnome-xorg.nix
- ../../modules/opinionatedDisk.nix
+ ../../modules/encryptedDisk.nix
 ./system.nix
 ./hw.nix
 ./pkg.nix
 ./user.nix
- ./boot.nix
 ];
 }
diff --git a/nix/os/devices/steveej-t480s-work/hw.nix b/nix/os/devices/steveej-t480s-work/hw.nix
new file mode 100644
index 0000000..43a91a7
--- /dev/null
+++ b/nix/os/devices/steveej-t480s-work/hw.nix
@@ -0,0 +1,34 @@
+{ ... }:
+
+let
+ stage1Modules = [
+ "aesni_intel"
+ "kvm-intel"
+ "aes_x86_64"
+ "nvme"
+ "nvme_core"
+
+ "pcieport"
+ "thunderbolt"
+ "e1000e"
+ "xhci_pci"
+ "hxci_hcd"
+ ];
+
+in
+{
+ # TASK: new device
+ hardware.encryptedDisk = {
+ enable = true;
+ diskId = "ata-Crucial_CT750MX300SSD1_16161311C7A6";
+ };
+
+ # boot.initrd.availableKernelModules = stage1Modules;
+ boot.initrd.kernelModules = stage1Modules;
+ boot.extraModprobeConfig = ''
+ options kvm-intel nested=1
+ options kvm-intel enable_shadow_vmcs=1
+ options kvm-intel enable_apicv=1
+ options kvm-intel ept=1
+ '';
+}
diff --git a/nix/os/devices/steveej-t480s-work/pkg.nix b/nix/os/devices/steveej-t480s-work/pkg.nix
new file mode 100644
index 0000000..aa7035f
--- /dev/null
+++ b/nix/os/devices/steveej-t480s-work/pkg.nix
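Review bot: `disabledModules = [ "system/boot/initrd-network.nix" ];` in the renamed configuration.nix swaps the upstream initrd-network module for `../../modules/initrd-network.nix` without recording why, which is exactly the kind of override that gets reverted on the next nixpkgs bump; a comment above it along the lines of `# upstream initrd-network replaced by the local module because <reason>` would carry the reason. The rename also drops `./boot.nix` from the imports with no replacement visible on this page; if the new host relies on the common profile for loader settings, that is worth stating in the same comment.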
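Review bot: `"hxci_hcd"` in `stage1Modules` of the new hw.nix looks like a typo for `"xhci_hcd"`, the spelling every other hw.nix on this page uses; the list feeds `boot.initrd.kernelModules`, so a module name that does not exist is at best silently skipped and at worst fails the initrd build, and on a host with `hardware.encryptedDisk` enabled a USB host controller missing from stage 1 likely means no USB keyboard at the unlock prompt. The fix is `"hxci_hcd"` → `"xhci_hcd"`. The commented-out `# boot.initrd.availableKernelModules = stage1Modules;` line can be dropped if it is not coming back.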
@@ -0,0 +1,12 @@
+{ pkgs
+, ...
+}:
+
+{
+ nixpkgs.config.packageOverrides = pkgs: with pkgs; {
+ nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
+ };
+ home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; };
+ services.teamviewer.enable = true;
+ system.stateVersion = "19.09";
+}
diff --git a/nix/os/devices/steveej-t480s-work/system.nix b/nix/os/devices/steveej-t480s-work/system.nix
new file mode 100644
index 0000000..8f17b3c
--- /dev/null
+++ b/nix/os/devices/steveej-t480s-work/system.nix
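Review bot: `with pkgs;` in the `packageOverrides` body of the new pkg.nix is unused — the only attribute is `nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath`, which takes nothing from `pkgs` — so the line can be `nixpkgs.config.packageOverrides = pkgs: {`. `services.teamviewer.enable = true;` starts a system-wide remote-access daemon on a work laptop; a one-line comment on why it is needed would help the next reader judge whether it can be removed. The same unused `with pkgs;` appears in the steveej-rmvbl-sdep0 configuration.nix hunk earlier on this page.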
@@ -0,0 +1,140 @@
+{ pkgs
+, lib
+, config
+, ... }:
+
+let
+ keys = import ../../../variables/keys.nix;
+in {
+
+ # TASK: new device
+ networking.hostName = "steveej-t480s-work"; # Define your hostname.
+
+ # Used for testing local Openshift clusters
+ environment.etc."NetworkManager/dnsmasq.d/openshift.conf".text =
+ let
+ openshiftClusterName = "openshift-steveej";
+ openshiftDomain = "openshift.testing";
+ openshiftSubnetBase = "192.168.126";
+ in ''
+ server=/${openshiftDomain}/${openshiftSubnetBase}.1
+ address=/.apps.${openshiftClusterName}.${openshiftDomain}/${openshiftSubnetBase}.51
+ '';
+ networking.firewall.enable = lib.mkForce false;
+ networking.firewall.checkReversePath = false;
+
+ networking.bridges."virbr1".interfaces = [];
+ networking.interfaces."virbr1".ipv4.addresses = [
+ { address = "10.254.254.254"; prefixLength = 24; }
+ ];
+
+ services.printing = {
+ enable = true;
+ drivers = with pkgs; [
+ hplip
+ mfcl3770cdw.driver
+ mfcl3770cdw.cupswrapper
+ ];
+ };
+
+ services.fprintd.enable = true;
+ security.pam.services = {
+ login.fprintAuth = true;
+ sudo.fprintAuth = true;
+ };
+
+ # Kubernetes
+ # services.kubernetes.roles = ["master" "node"];
+
+ # virtualization
+ virtualisation = {
+ libvirtd = {
+ enable = true;
+ };
+
+ virtualbox.host = {
+ enable = false ;
+ addNetworkInterface = false;
+ };
+
+ docker = {
+ enable = true;
+ extraOptions = "--experimental";
+ };
+ };
+
+
+ boot.initrd.network = {
+ enable = true;
+ useDHCP = true;
+ udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ];
+
+ ssh = {
+ enable = true;
+ authorizedKeys = keys.users.steveej.openssh;
+ hostKeys = [
+ "/etc/secrets/initrd/ssh_host_rsa_key"
+ "/etc/secrets/initrd/ssh_host_ed25519_key"
+ ];
+ };
+ };
+
+ security.pki.certificateFiles = [
+ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ ../../../../certificates/sat-r220-02.lab.eng.rdu2.redhat.com.crt
+ ];
+
+ services.xserver.videoDrivers = [ "modesetting" ];
+ services.xserver.serverFlagsSection = ''
+ Option "BlankTime" "0"
+ Option "StandbyTime" "0"
+ Option "SuspendTime" "0"
+ Option "OffTime" "0"
+ '';
+
+ # the default profile uses linuxPackages_latest
+ # boot.kernelPackages = lib.mkForce pkgs.linuxPackages;
+
+ krb5 = {
+ enable = true;
+ config = let
+ pkinit_crt = pkgs.fetchurl {
+ url = "https://password.corp.redhat.com/ipa.crt";
+ sha256 = "0cflhkb7szzlakjmz2rmw8l8j5jqsyy2rl7ciclmi5fdfjrrx1cd";
+ };
+ in ''
+ [libdefaults]
+ default_realm = IPA.REDHAT.COM
+ dns_lookup_realm = true
+ dns_lookup_kdc = true
+ rdns = false
+ dns_canonicalize_hostname = true
+ ticket_lifetime = 24h
+ forwardable = true
+ udp_preference_limit = 0
+ default_ccache_name = KEYRING:persistent:%{uid}
+
+ [realms]
+ REDHAT.COM = {
+ default_domain = redhat.com
+ dns_lookup_kdc = true
+ master_kdc = kerberos.corp.redhat.com
+ admin_server = kerberos.corp.redhat.com
+ }
+
+ #make sure to save the IPA CA cert
+ #mkdir /etc/ipa && curl -o /etc/ipa/ca.crt https://password.corp.redhat.com/ipa.crt
+ IPA.REDHAT.COM = {
+ pkinit_anchors = FILE:${pkinit_crt}
+ pkinit_pool = FILE:${pkinit_crt}
+ default_domain = ipa.redhat.com
+ dns_lookup_kdc = true
+ # Trust tickets issued by legacy realm on this host
+ auth_to_local = RULE:[1:$1@$0](.*@REDHAT\.COM)s/@.*//
+ auth_to_local = DEFAULT
+ }
+ '';
+ };
+
+ hardware.ledger.enable = true;
+}
diff --git a/nix/os/devices/steveej-t480s-work/user.nix b/nix/os/devices/steveej-t480s-work/user.nix
new file mode 100644
index 0000000..b5f1244
--- /dev/null
+++ b/nix/os/devices/steveej-t480s-work/user.nix
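Review bot: `networking.firewall.enable = lib.mkForce false;` and `networking.firewall.checkReversePath = false;` turn off host filtering on a laptop that, in the same file, runs dockerd with `--experimental`, libvirtd, the `virbr1` bridge and an SSH server inside the initrd; the `# Used for testing local Openshift clusters` comment explains only the dnsmasq entry above it, not the firewall, and `mkForce` also overrides whatever the common profile sets. Prefer keeping the firewall enabled and opening only what the OpenShift testing needs, or at least put the reason next to the override: `# firewall disabled for local OpenShift testing — re-enable when <condition>`. A comment at `security.pki.certificateFiles` is also worth having: the lab certificate is added to the system-wide trust store, so every TLS client on the host trusts it, not only the tooling that talks to that lab machine.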
@@ -0,0 +1,21 @@
+{ config
+, pkgs
+, ... }:
+
+let
+ passwords = import ../../../variables/passwords.crypt.nix;
+ keys = import ../../../variables/keys.nix;
+ inherit (import ../../lib/default.nix { }) mkUser;
+
+in {
+ users.extraUsers.steveej2 = mkUser {
+ uid = 1001;
+ openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+ };
+
+ users.extraUsers.steveej3 = mkUser {
+ uid = 1002;
+ openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+ shell = pkgs.posh { image = "quay.io/enarx/fedora"; };
+ };
+}
diff --git a/nix/os/devices/fwhost1/versions.nix b/nix/os/devices/steveej-t480s-work/versions.nix
similarity index 64%
rename from nix/os/devices/fwhost1/versions.nix
rename to nix/os/devices/steveej-t480s-work/versions.nix
index 276eb87..a8f5a2d 100644
--- a/nix/os/devices/fwhost1/versions.nix
+++ b/nix/os/devices/steveej-t480s-work/versions.nix
@@ -1,30 +1,30 @@
 let
 nixpkgs = {
 url = "https://github.com/NixOS/nixpkgs/";
- ref = "nixos-21.11";
- rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
+ ref = "nixos-20.09";
+ rev = "58f9c4c7d3a42c912362ca68577162e38ea8edfb";
 };
 in
+
 {
 inherit nixpkgs;
 nixos = nixpkgs // {
 suffix = "/nixos";
 };
 "channels-nixos-stable" = nixpkgs;
-
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-unstable";
- rev = "5aaed40d22f0d9376330b6fa413223435ad6fee5";
+ rev = "2deeb58f49480f468adca6b08291322de4dbce6b";
 };
 "nixpkgs-master" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "master";
- rev = "4fa26474495acc710fa2b88e7a3f51d90ad3a530";
+ rev = "c81c3c3daff4a96980da2fce2d80a9e57f9db953";
 };
 "home-manager-module" = {
 url = "https://github.com/nix-community/home-manager";
- ref = "release-21.11";
- rev = "697cc8c68ed6a606296efbbe9614c32537078756";
+ ref = "release-20.09";
+ rev = "63f299b3347aea183fc5088e4d6c4a193b334a41";
 };
 }
diff --git a/nix/os/devices/steveej-t480s-work/versions.tmpl.nix b/nix/os/devices/steveej-t480s-work/versions.tmpl.nix
new file mode 100644
index 0000000..09f95fd
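Review bot: `passwords` (line 6 of the new user.nix) and the `config` argument are bound but never used, which is misleading in a file that imports the encrypted password set; drop them or use them. The `steveej3` login shell `pkgs.posh { image = "quay.io/enarx/fedora"; }` refers to the image by name only, so if posh hands that reference to the container runtime the shell resolves to whatever the registry serves for the default tag at pull time, unlike everything in versions.nix, which is pinned by commit. If posh accepts a digest reference, pin it, e.g. `image = "quay.io/enarx/fedora@sha256:<DIGEST-PLACEHOLDER>";`, and say in a comment where the digest comes from.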
--- /dev/null
+++ b/nix/os/devices/steveej-t480s-work/versions.tmpl.nix
@@ -0,0 +1,30 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.09";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+in
+
+{
+ inherit nixpkgs;
+ nixos = nixpkgs // {
+ suffix = "/nixos";
+ };
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-20.09";
+ rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+}
diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix
index 76a34c8..721d3c6 100644
--- a/nix/os/devices/steveej-utilitepro/configuration.nix
+++ b/nix/os/devices/steveej-utilitepro/configuration.nix
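Review bot: The `rev` entries for nixos-20.09, nixos-unstable and release-20.09 pass a bare branch name to `git ls-remote`, which matches every ref ending in that name (a tag of the same name included), and with `tr -d '\n'` two matches would be concatenated into a single unusable rev; only the master entry guards against this with `head -n1`. Qualify the ref and take the first line consistently, e.g. `rev = "<% git ls-remote https://github.com/nixos/nixpkgs refs/heads/nixos-20.09 | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";`. Since these revs pin the whole system closure, a header comment naming the tool that renders the `<% … %>` blocks into versions.nix, and stating that versions.nix is generated output, would help the next reader.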
@@ -1,228 +1,227 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). + { config, pkgs, ... }: + let passwords = import ../common/passwords.crypt.nix; in { # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "16.03"; - nix.maxJobs = 4; - nix.buildCores = 4; + nix.maxJobs = 4; + nix.buildCores = 4; - nix.extraOptions = '' + nix.extraOptions = '' gc-keep-outputs = true gc-keep-derivations = true - ''; + ''; - nixpkgs.config = { - packageOverrides = super: { + + + nixpkgs.config = { + + packageOverrides = super: let self = super.pkgs; in { linux_4_1 = super.linux_4_1.override { kernelPatches = super.linux_4_1.kernelPatches ++ [ - { - patch = ./patches/utilitepro-kernel-dts.patch; - name = "utilitepro-dts"; - } - { - patch = ./patches/utilitepro-kernel-dts-Makefile.patch; - name = "utilitepro-dts-Makefile"; - } + { patch = ./patches/utilitepro-kernel-dts.patch; name = "utilitepro-dts"; } + { patch = ./patches/utilitepro-kernel-dts-Makefile.patch; name = "utilitepro-dts-Makefile"; } ]; # add "CONFIG_PPP_FILTER y" option to the set of kernel options extraConfig = '' - BTRFS_FS y - BTRFS_FS_POSIX_ACL y - FUSE_FS y - OVERLAY_FS y + BTRFS_FS y + BTRFS_FS_POSIX_ACL y + FUSE_FS y + OVERLAY_FS y - BLK_DEV_DM y - DM_THIN_PROVISIONING y + BLK_DEV_DM y + DM_THIN_PROVISIONING y - NAMESPACES y - NET_NS y - PID_NS y - IPC_NS y - UTS_NS y - DEVPTS_MULTIPLE_INSTANCES y - CGROUPS y - CGROUP_CPUACCT y - CGROUP_DEVICE y - CGROUP_FREEZER y - CGROUP_SCHED y - CPUSETS y - MEMCG y - POSIX_MQUEUE y + NAMESPACES y + NET_NS y + PID_NS y + IPC_NS y + UTS_NS y + DEVPTS_MULTIPLE_INSTANCES y + CGROUPS y + CGROUP_CPUACCT y + CGROUP_DEVICE y + CGROUP_FREEZER y + CGROUP_SCHED y + CPUSETS y + MEMCG y + POSIX_MQUEUE y - MACVLAN m - VETH m - BRIDGE m + MACVLAN m + VETH m + BRIDGE m - NF_TABLES m - 
NETFILTER y - NETFILTER_ADVANCED y - NF_NAT_IPV4 m - IP_NF_FILTER m - IP_NF_TARGET_MASQUERADE m - NETFILTER_XT_MATCH_ADDRTYPE m - NETFILTER_XT_MATCH_CONNTRACK m - NF_NAT m - NF_NAT_NEEDED m - BRIDGE_NETFILTER m - NETFILTER_INGRESS y - NETFILTER_NETLINK m - NETFILTER_NETLINK_ACCT m - NETFILTER_NETLINK_QUEUE m - NETFILTER_NETLINK_LOG m - NETFILTER_SYNPROXY m - NETFILTER_XTABLES m - NETFILTER_XT_MARK m - NETFILTER_XT_CONNMARK m - NETFILTER_XT_SET m - NETFILTER_XT_TARGET_AUDIT m - NETFILTER_XT_TARGET_CHECKSUM m - NETFILTER_XT_TARGET_CLASSIFY m - NETFILTER_XT_TARGET_CONNMARK m - NETFILTER_XT_TARGET_CONNSECMARK m - NETFILTER_XT_TARGET_CT m - NETFILTER_XT_TARGET_DSCP m - NETFILTER_XT_TARGET_HL m - NETFILTER_XT_TARGET_HMARK m - NETFILTER_XT_TARGET_IDLETIMER m - NETFILTER_XT_TARGET_LED m - NETFILTER_XT_TARGET_LOG m - NETFILTER_XT_TARGET_MARK m - NETFILTER_XT_NAT m - NETFILTER_XT_TARGET_NETMAP m - NETFILTER_XT_TARGET_NFLOG m - NETFILTER_XT_TARGET_NFQUEUE m - NETFILTER_XT_TARGET_NOTRACK m - NETFILTER_XT_TARGET_RATEEST m - NETFILTER_XT_TARGET_REDIRECT m - NETFILTER_XT_TARGET_TEE m - NETFILTER_XT_TARGET_TPROXY m - NETFILTER_XT_TARGET_TRACE m - NETFILTER_XT_TARGET_SECMARK m - NETFILTER_XT_TARGET_TCPMSS m - NETFILTER_XT_TARGET_TCPOPTSTRIP m - NETFILTER_XT_MATCH_ADDRTYPE m - NETFILTER_XT_MATCH_BPF m - NETFILTER_XT_MATCH_CGROUP m - NETFILTER_XT_MATCH_CLUSTER m - NETFILTER_XT_MATCH_COMMENT m - NETFILTER_XT_MATCH_CONNBYTES m - NETFILTER_XT_MATCH_CONNLABEL m - NETFILTER_XT_MATCH_CONNLIMIT m - NETFILTER_XT_MATCH_CONNMARK m - NETFILTER_XT_MATCH_CONNTRACK m - NETFILTER_XT_MATCH_CPU m - NETFILTER_XT_MATCH_DCCP m - NETFILTER_XT_MATCH_DEVGROUP m - NETFILTER_XT_MATCH_DSCP m - NETFILTER_XT_MATCH_ECN m - NETFILTER_XT_MATCH_ESP m - NETFILTER_XT_MATCH_HASHLIMIT m - NETFILTER_XT_MATCH_HELPER m - NETFILTER_XT_MATCH_HL m - NETFILTER_XT_MATCH_IPCOMP m - NETFILTER_XT_MATCH_IPRANGE m - NETFILTER_XT_MATCH_IPVS m - NETFILTER_XT_MATCH_L2TP m - NETFILTER_XT_MATCH_LENGTH m - NETFILTER_XT_MATCH_LIMIT m - 
NETFILTER_XT_MATCH_MAC m - NETFILTER_XT_MATCH_MARK m - NETFILTER_XT_MATCH_MULTIPORT m - NETFILTER_XT_MATCH_NFACCT m - NETFILTER_XT_MATCH_OSF m - NETFILTER_XT_MATCH_OWNER m - NETFILTER_XT_MATCH_POLICY m - NETFILTER_XT_MATCH_PHYSDEV m - NETFILTER_XT_MATCH_PKTTYPE m - NETFILTER_XT_MATCH_QUOTA m - NETFILTER_XT_MATCH_RATEEST m - NETFILTER_XT_MATCH_REALM m - NETFILTER_XT_MATCH_RECENT m - NETFILTER_XT_MATCH_SCTP m - NETFILTER_XT_MATCH_SOCKET m - NETFILTER_XT_MATCH_STATE m - NETFILTER_XT_MATCH_STATISTIC m - NETFILTER_XT_MATCH_STRING m - NETFILTER_XT_MATCH_TCPMSS m - NETFILTER_XT_MATCH_TIME m - NETFILTER_XT_MATCH_U32 m + NF_TABLES m + NETFILTER y + NETFILTER_ADVANCED y + NF_NAT_IPV4 m + IP_NF_FILTER m + IP_NF_TARGET_MASQUERADE m + NETFILTER_XT_MATCH_ADDRTYPE m + NETFILTER_XT_MATCH_CONNTRACK m + NF_NAT m + NF_NAT_NEEDED m + BRIDGE_NETFILTER m + NETFILTER_INGRESS y + NETFILTER_NETLINK m + NETFILTER_NETLINK_ACCT m + NETFILTER_NETLINK_QUEUE m + NETFILTER_NETLINK_LOG m + NETFILTER_SYNPROXY m + NETFILTER_XTABLES m + NETFILTER_XT_MARK m + NETFILTER_XT_CONNMARK m + NETFILTER_XT_SET m + NETFILTER_XT_TARGET_AUDIT m + NETFILTER_XT_TARGET_CHECKSUM m + NETFILTER_XT_TARGET_CLASSIFY m + NETFILTER_XT_TARGET_CONNMARK m + NETFILTER_XT_TARGET_CONNSECMARK m + NETFILTER_XT_TARGET_CT m + NETFILTER_XT_TARGET_DSCP m + NETFILTER_XT_TARGET_HL m + NETFILTER_XT_TARGET_HMARK m + NETFILTER_XT_TARGET_IDLETIMER m + NETFILTER_XT_TARGET_LED m + NETFILTER_XT_TARGET_LOG m + NETFILTER_XT_TARGET_MARK m + NETFILTER_XT_NAT m + NETFILTER_XT_TARGET_NETMAP m + NETFILTER_XT_TARGET_NFLOG m + NETFILTER_XT_TARGET_NFQUEUE m + NETFILTER_XT_TARGET_NOTRACK m + NETFILTER_XT_TARGET_RATEEST m + NETFILTER_XT_TARGET_REDIRECT m + NETFILTER_XT_TARGET_TEE m + NETFILTER_XT_TARGET_TPROXY m + NETFILTER_XT_TARGET_TRACE m + NETFILTER_XT_TARGET_SECMARK m + NETFILTER_XT_TARGET_TCPMSS m + NETFILTER_XT_TARGET_TCPOPTSTRIP m + NETFILTER_XT_MATCH_ADDRTYPE m + NETFILTER_XT_MATCH_BPF m + NETFILTER_XT_MATCH_CGROUP m + NETFILTER_XT_MATCH_CLUSTER m 
+ NETFILTER_XT_MATCH_COMMENT m + NETFILTER_XT_MATCH_CONNBYTES m + NETFILTER_XT_MATCH_CONNLABEL m + NETFILTER_XT_MATCH_CONNLIMIT m + NETFILTER_XT_MATCH_CONNMARK m + NETFILTER_XT_MATCH_CONNTRACK m + NETFILTER_XT_MATCH_CPU m + NETFILTER_XT_MATCH_DCCP m + NETFILTER_XT_MATCH_DEVGROUP m + NETFILTER_XT_MATCH_DSCP m + NETFILTER_XT_MATCH_ECN m + NETFILTER_XT_MATCH_ESP m + NETFILTER_XT_MATCH_HASHLIMIT m + NETFILTER_XT_MATCH_HELPER m + NETFILTER_XT_MATCH_HL m + NETFILTER_XT_MATCH_IPCOMP m + NETFILTER_XT_MATCH_IPRANGE m + NETFILTER_XT_MATCH_IPVS m + NETFILTER_XT_MATCH_L2TP m + NETFILTER_XT_MATCH_LENGTH m + NETFILTER_XT_MATCH_LIMIT m + NETFILTER_XT_MATCH_MAC m + NETFILTER_XT_MATCH_MARK m + NETFILTER_XT_MATCH_MULTIPORT m + NETFILTER_XT_MATCH_NFACCT m + NETFILTER_XT_MATCH_OSF m + NETFILTER_XT_MATCH_OWNER m + NETFILTER_XT_MATCH_POLICY m + NETFILTER_XT_MATCH_PHYSDEV m + NETFILTER_XT_MATCH_PKTTYPE m + NETFILTER_XT_MATCH_QUOTA m + NETFILTER_XT_MATCH_RATEEST m + NETFILTER_XT_MATCH_REALM m + NETFILTER_XT_MATCH_RECENT m + NETFILTER_XT_MATCH_SCTP m + NETFILTER_XT_MATCH_SOCKET m + NETFILTER_XT_MATCH_STATE m + NETFILTER_XT_MATCH_STATISTIC m + NETFILTER_XT_MATCH_STRING m + NETFILTER_XT_MATCH_TCPMSS m + NETFILTER_XT_MATCH_TIME m + NETFILTER_XT_MATCH_U32 m - MEMCG_KMEM y - MEMCG_SWAP y - MEMCG_SWAP_ENABLED y - BLK_CGROUP y - IOSCHED_CFQ y - BLK_DEV_THROTTLING y - CGROUP_PERF y - CGROUP_HUGETLB y - NET_CLS_CGROUP y - CGROUP_NET_PRIO y - CFS_BANDWIDTH y - FAIR_GROUP_SCHED y - RT_GROUP_SCHED y - EXT3_FS y - EXT3_FS_XATTR y - EXT3_FS_POSIX_ACL y - EXT3_FS_SECURITY y + MEMCG_KMEM y + MEMCG_SWAP y + MEMCG_SWAP_ENABLED y + BLK_CGROUP y + IOSCHED_CFQ y + BLK_DEV_THROTTLING y + CGROUP_PERF y + CGROUP_HUGETLB y + NET_CLS_CGROUP y + CGROUP_NET_PRIO y + CFS_BANDWIDTH y + FAIR_GROUP_SCHED y + RT_GROUP_SCHED y + EXT3_FS y + EXT3_FS_XATTR y + EXT3_FS_POSIX_ACL y + EXT3_FS_SECURITY y - PPP_FILTER y - HAVE_IMX_ANATOP y - HAVE_IMX_GPC y - HAVE_IMX_MMDC y - HAVE_IMX_SRC y - SOC_IMX6 y - SOC_IMX6Q y - SOC_IMX6SL 
y - PCI_IMX6 y - ARM_IMX6Q_CPUFREQ y - IMX_WEIM y - AHCI_IMX y - SERIAL_IMX y - SERIAL_IMX_CONSOLE y - I2C_IMX y - SPI_IMX y - PINCTRL_IMX y - PINCTRL_IMX6Q y - PINCTRL_IMX6SL y - POWER_RESET_IMX y - IMX_THERMAL y - IMX2_WDT y - IMX_IPUV3_CORE y - DRM_IMX y - DRM_IMX_FB_HELPER y - DRM_IMX_PARALLEL_DISPLAY y - DRM_IMX_TVE y - DRM_IMX_LDB y - DRM_IMX_IPUV3 y - DRM_IMX_HDMI y - MMC_SDHCI_ESDHC_IMX y - IMX_SDMA y - PWM_IMX y - DEBUG_IMX6Q_UART y + PPP_FILTER y + HAVE_IMX_ANATOP y + HAVE_IMX_GPC y + HAVE_IMX_MMDC y + HAVE_IMX_SRC y + SOC_IMX6 y + SOC_IMX6Q y + SOC_IMX6SL y + PCI_IMX6 y + ARM_IMX6Q_CPUFREQ y + IMX_WEIM y + AHCI_IMX y + SERIAL_IMX y + SERIAL_IMX_CONSOLE y + I2C_IMX y + SPI_IMX y + PINCTRL_IMX y + PINCTRL_IMX6Q y + PINCTRL_IMX6SL y + POWER_RESET_IMX y + IMX_THERMAL y + IMX2_WDT y + IMX_IPUV3_CORE y + DRM_IMX y + DRM_IMX_FB_HELPER y + DRM_IMX_PARALLEL_DISPLAY y + DRM_IMX_TVE y + DRM_IMX_LDB y + DRM_IMX_IPUV3 y + DRM_IMX_HDMI y + MMC_SDHCI_ESDHC_IMX y + IMX_SDMA y + PWM_IMX y + DEBUG_IMX6Q_UART y ''; }; - # pkgs.linux_4_2 = "/nix/store/jc1h6mcc6sq420q2i572qba4b0xzw4gm-linux-4.3-armv7l-unknown-linux-gnueabi"; - }; - allowUnfree = true; - }; +# pkgs.linux_4_2 = "/nix/store/jc1h6mcc6sq420q2i572qba4b0xzw4gm-linux-4.3-armv7l-unknown-linux-gnueabi"; + }; + allowUnfree = true; + }; - imports = [ - # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; networking.hostName = "steveej-utilitepro"; # Define your hostname. - #networking.wireless.enable = true; # Enables wireless support viawpa_supplicant. +#networking.wireless.enable = true; # Enables wireless support viawpa_supplicant. - boot.kernelPackages = pkgs.linuxPackages_4_1; + boot.kernelPackages = pkgs.linuxPackages_4_1; boot.extraKernelParams = [ "cm_fx6_v4l_msize=128M" "vmalloc=256M" 
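Review bot: `packageOverrides = super: let self = super.pkgs; in {` introduces `self`, but nothing in the override body references it (the body only uses `super.linux_4_1`), so it is an unused binding that reads like an unfinished fixed-point pattern; drop `let self = super.pkgs; in` or use `self` where it was intended. The rest of the hunk is re-indentation, including moving the `# pkgs.linux_4_2 = "/nix/store/…` comment to column 0, which nixpkgs-fmt or nixfmt would undo again; running one formatter over the file once would keep future diffs of this file reviewable.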
@@ -263,27 +262,18 @@ in
 users.mutableUsers = false;
 users.extraUsers.root = {
- # FIXME: this is deprecated but so is this device probably
 hashedPassword = passwords.users.root;
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"
- ];
+ openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
 };
 users.extraUsers.steveej = {
 uid = 1000;
 isNormalUser = true;
 home = "/home/steveej";
- extraGroups = [
- "wheel"
- "libvirtd"
- ];
- # FIXME: this is deprecated but so is this device probably
+ extraGroups = [ "wheel" "libvirtd" ];
 hashedPassword = passwords.users.steveej;
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"
- ];
- };
+ openssh.authorizedKeys.keys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3niN5KcIYikRhXTYZCSehI1ZQs+vvG/dZ7KxNVHslfsS+p1yTycXcZFtDDn5vtG2fAo3yksxCk+G10/AWQ+NMOcFKuAi5qTOYSLbEcHVlZ4ko8sDUe3fF79vrCqY7IWbKKjZ4DH77Qs6SXk5GIlNaIzxut8Dpv8qHnkPiPuFgrJC4oGk60ZKmCPvOEpgg9twcdI6ykIxD4Fg+hHgG1p07uSEcm9EADli8RsU3UJ1UBhXMohMC6HrKVBkBX9wTo+zY+xqXxxem6xGNnkNiZLACfhCnjXv39zh85pgFuNv7R8SzVZQ9iRoCmax/w3JtWdDjqoTGgLfJyhMMjNdjVHOx steveej@steveej-laptop"];
+ };
 networking.firewall.enable = false;
- networking.useNetworkd = true;
+ networking.useNetworkd = true;
 }
diff --git a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix
index 1d3e463..e5eecc9 100644
--- a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix
+++ b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix
@@ -1,9 +1,12 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ ... }:
+{ config, lib, pkgs, ... }:
+
 {
- imports = [ ];
+ imports =
+ [
+ ];
 boot.initrd.availableKernelModules = [ ];
 boot.kernelModules = [ ];
@@ -11,14 +14,14 @@
 hardware.enableAllFirmware = true;
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/09d1e4a2-d57b-4de8-a42b-671c4c188367";
- fsType = "btrfs";
- options = "subvol=nixos";
- };
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66";
- };
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/09d1e4a2-d57b-4de8-a42b-671c4c188367";
+ fsType = "btrfs";
+ options = "subvol=nixos";
+ };
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66";
+ };
 swapDevices = [ ];
 }
diff --git a/nix/os/devices/steveej-x13s-rmvbl/.gitignore b/nix/os/devices/steveej-x13s-rmvbl/.gitignore
deleted file mode 100644
index b2be92b..0000000
--- a/nix/os/devices/steveej-x13s-rmvbl/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-result
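Review bot: The same RSA public key is pasted inline twice, once for `users.extraUsers.root` and once for `users.extraUsers.steveej`, while the other host in this commit (system.nix and user.nix for steveej-t480s-work) reads it from `keys.users.steveej.openssh`; a key rotation would have to find and edit every copy, and the new single-line form makes a stale copy easier to overlook. Import the shared file next to the existing `passwords` binding, `keys = import ../../../variables/keys.nix;`, and set `openssh.authorizedKeys.keys = keys.users.steveej.openssh;` for both users. Direct root login with that key is a choice this file already makes; if it stays, a comment saying why root needs SSH access when steveej is already in `wheel` would help the next reader. The `let` binding and the enclosing attribute set start outside this hunk.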
diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix deleted file mode 100644 index 39e93de..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ /dev/null 
@@ -1,176 +0,0 @@ -{ - repoFlake, - nodeFlake, - pkgs, - lib, - config, - nodeName, - system, - ... -}: -{ - nixos-x13s = { - enable = true; - # TODO: use hardware address - bluetoothMac = "65:9e:7a:8b:86:28"; - }; - - systemd.services.bluetooth-mac = { - enable = true; - path = [ - pkgs.systemd - pkgs.util-linux - pkgs.bluez5-experimental - pkgs.expect - ]; - script = '' - # TODO: this may not be required - while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do - echo Waiting for bluetooth firmware to complete - echo sleep 1 - done - - ( - # best effort - set +e - rfkill block bluetooth - echo $? - btmgmt public-addr ${config.nixos-x13s.bluetoothMac} - echo $? - rfkill unblock bluetooth - echo $? - ) - ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - - # we need a tty, otherwise btmgmt will hang - StandardInput = "tty"; - TTYPath = "/dev/tty2"; - TTYReset = "yes"; - TTYVHangup = "yes"; - }; - }; - - imports = [ - nodeFlake.inputs.nixos-x13s.nixosModules.default - - repoFlake.inputs.sops-nix.nixosModules.sops - nodeFlake.inputs.disko.nixosModules.disko - ./disko.nix - - ../../snippets/nix-settings.nix - ../../profiles/common/user.nix - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - services.openssh.openFirewall = true; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - users.commonUsers = { - enable = true; - enableNonRoot = true; - }; - } - - ../../snippets/home-manager-with-zsh.nix - ../../snippets/sway-desktop.nix - ../../snippets/bluetooth.nix - ../../snippets/timezone.nix - ../../snippets/radicale.nix - ]; - - networking.hostName = nodeName; - networking.firewall.enable = true; - networking.networkmanager.enable = true; - - nixpkgs.config.allowUnfree = true; - - environment.systemPackages = [ - pkgs.sshfs - pkgs.util-linux - 
pkgs.coreutils - pkgs.vim - - pkgs.git - pkgs.git-crypt - ]; - - system.stateVersion = "23.11"; - home-manager.users.root = _: { home.stateVersion = "23.11"; }; - home-manager.users.steveej = _: { - home.stateVersion = "23.11"; - - imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; - - home.sessionVariables = { }; - - home.packages = with pkgs; [ ]; - - # TODO: currently unsupported - services.gammastep.enable = lib.mkForce false; - # programs.chromium.enable = lib.mkForce false; - }; - - boot = { - loader.systemd-boot.enable = true; - loader.efi.canTouchEfiVariables = lib.mkForce false; - loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ "wwan" ]; - - initrd.kernelModules = [ - "uas" - "usb_storage" - - "phy_qcom_qmp_pcie" - "phy_qcom_qmp_combo" - "phy_qcom_snps_femto_v2" - "phy_qcom_qmp_pcie" - "phy_qcom_qmp_usb" - "xhci-pci-renesas" - - "msm" - ]; - - initrd.extraFiles = { - "firmware/qcom/sc8280xp/LENOVO/21BX/adspr.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/adspua.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/audioreach-tplg.bin".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/battmgr.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/cdspr.jsn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcadsp8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = - nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; - }; - }; - - hardware.firmware = [ - pkgs.linux-firmware - nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware" - ]; - - hardware.enableAllFirmware = true; - - # see 
https://linrunner.de/tlp/ - services.tlp = { - enable = true; - settings = { - START_CHARGE_THRESH_BAT0 = "80"; - STOP_CHARGE_THRESH_BAT0 = "85"; - }; - }; - - # android on linux - virtualisation.waydroid.enable = true; - virtualisation.podman.enable = true; - virtualisation.podman.dockerCompat = true; -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix deleted file mode 100644 index 2ba48d2..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/default.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ - system ? "aarch64-linux", - nodeName, - repoFlake, - repoFlakeWithSystem, - nodeFlake, - localDomainName ? "internal", - ... -}: -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; - packages' = repoFlake.packages.${system}; - nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); - - inherit localDomainName; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "${nodeName}.${localDomainName}"; - deployment.replaceUnknownProfiles = true; - deployment.allowLocalDeployment = true; - - # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - - imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; - }; -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix deleted file mode 100644 index 2eb097a..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/disko.nix +++ /dev/null 
@@ -1,73 +0,0 @@ -{ - disko.devices = { - disk = { - voyager-gtx = { - type = "disk"; - device = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002054"; - content = { - type = "gpt"; - partitions = { - ESP = { - size = "500M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - luks = { - size = "100%"; - content = { - type = "luks"; - name = "x13s-usb-crypt"; - extraOpenArgs = [ ]; - # disable settings.keyFile if you want to use interactive password entry - #passwordFile = "/tmp/secret.key"; # Interactive - settings = { - # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - # keyFile = "/tmp/secret.key"; - allowDiscards = true; - }; - # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/swap" = { - mountpoint = "/.swapvol"; - swap.swapfile.size = "32G"; - }; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.lock b/nix/os/devices/steveej-x13s-rmvbl/flake.lock deleted file mode 100644 index dcc457f..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.lock +++ /dev/null 
@@ -1,194 +0,0 @@ -{ - "nodes": { - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705890365, - "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=", - "owner": "nix-community", - "repo": "disko", - "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9", - "type": "github" - }, - "original": { - "id": "disko", - "type": "indirect" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1704982712, - "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "07f6395285469419cf9d078f59b5b49993198c00", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "get-flake": { - "locked": { - "lastModified": 1694475786, - "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", - "owner": "ursi", - "repo": "get-flake", - "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705659542, - "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-23.11", - "repo": "home-manager", - "type": "github" - } - }, - "mobile-nixos": { - "flake": false, - "locked": { - "lastModified": 1705008488, - "narHash": "sha256-Gj97fDFZaK6gLb3ayZgTTtD+MFE1YjoyYHWkB1TIAe0=", - "owner": "NixOS", - "repo": "mobile-nixos", - "rev": "56e55df7b07b5e5c6d050732d851cec62b41df95", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "mobile-nixos", - "type": "github" - } - }, - "nixos-x13s": { - "inputs": { - "flake-parts": "flake-parts", - 
"nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1706097550, - "narHash": "sha256-rR4HMpUlT7SbVPxQIvWH0DsxaEQcjTLqLrst2xoT1CY=", - "ref": "refs/heads/main", - "rev": "732a0f1549996740bdb06989599a5f0653de5056", - "revCount": 6, - "type": "git", - "url": "https://codeberg.org/steveej/nixos-x13s" - }, - "original": { - "type": "git", - "url": "https://codeberg.org/steveej/nixos-x13s" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1705916986, - "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-2211": { - "locked": { - "lastModified": 1688392541, - "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-lib": { - "locked": { - "dir": "lib", - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", - "type": "github" - }, - "original": { - "dir": "lib", - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable-small": { - "locked": { - "lastModified": 1706022028, - "narHash": "sha256-F8Gv4R4K/AvS3+6pWd8wlnw4Vhgf7bcszy7i8XPbzA0=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "15ff1758e7816331033baa14eebbea68626128f3", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "disko": "disko", - "get-flake": "get-flake", - "home-manager": 
"home-manager", - "mobile-nixos": "mobile-nixos", - "nixos-x13s": "nixos-x13s", - "nixpkgs": "nixpkgs", - "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-unstable-small": "nixpkgs-unstable-small" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix deleted file mode 100644 index 043907d..0000000 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - - # required for home-manager modules - nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; - nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; - - get-flake.url = "github:ursi/get-flake"; - - disko.inputs.nixpkgs.follows = "nixpkgs"; - - mobile-nixos.url = "github:NixOS/mobile-nixos"; - mobile-nixos.flake = false; - - home-manager = { - url = "github:nix-community/home-manager/release-23.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s"; - nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - system = "aarch64-linux"; - buildPlatform = "x86_64-linux"; - repoFlake = get-flake ../../../..; - in - { - lib = { - mkNixosConfiguration = - { - nodeName, - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - inherit system; - inherit nodeName repoFlake; - - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; - - modules = extraModules; - } - ); - }; - - nixosConfigurations = - let - nodeName = "steveej-x13s-rmvbl"; - in - { - native = self.lib.mkNixosConfiguration { - inherit system nodeName; - extraModules = [ - ./configuration.nix - - { users.commonUsers.installPassword = "install"; } - ]; - }; - - cross = self.lib.mkNixosConfiguration { - inherit nodeName; - extraModules = [ - ./configuration.nix - - { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = system; - } - ]; - }; - }; - }; -} diff --git a/nix/os/devices/steveej-x13s/.gitignore b/nix/os/devices/steveej-x13s/.gitignore deleted file mode 100644 index b2be92b..0000000 --- a/nix/os/devices/steveej-x13s/.gitignore +++ /dev/null @@ -1 +0,0 @@ -result 
diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix deleted file mode 100644 index bc2cde1..0000000 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ /dev/null 
@@ -1,288 +0,0 @@ -{ - repoFlake, - nodeFlake, - pkgs, - lib, - config, - nodeName, - system, - ... -}: -{ - nixpkgs.overlays = [ nodeFlake.overlays.default ]; - - nixos-x13s = { - enable = true; - # TODO: use hardware address - bluetoothMac = "65:9e:7a:8b:86:28"; - kernel = "jhovold"; - }; - - services.illum.enable = true; - - # printint and autodiscovery of printers - services.printing.enable = true; - services.printing.drivers = [ pkgs.hplip ]; - services.avahi = { - enable = true; - nssmdns4 = true; - openFirewall = true; - }; - hardware.sane.enable = true; # enables support for SANE scanners - - systemd.services.bluetooth-x13s-mac = lib.mkForce { - enable = true; - path = [ - pkgs.systemd - pkgs.util-linux - pkgs.bluez5-experimental - pkgs.expect - ]; - script = '' - # TODO: this may not be required - while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do - echo Waiting for bluetooth firmware to complete - echo sleep 1 - done - - ( - # best effort - set +e - rfkill block bluetooth - echo $? - btmgmt public-addr ${config.nixos-x13s.bluetoothMac} - echo $? - rfkill unblock bluetooth - echo $? 
- ) - ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - - # we need a tty, otherwise btmgmt will hang - StandardInput = "tty"; - TTYPath = "/dev/tty2"; - TTYReset = "yes"; - TTYVHangup = "yes"; - }; - }; - - imports = [ - nodeFlake.inputs.nixos-x13s.nixosModules.default - - repoFlake.inputs.sops-nix.nixosModules.sops - nodeFlake.inputs.disko.nixosModules.disko - ./disko.nix - - ../../profiles/common/user.nix - - ../../snippets/nix-settings.nix - ../../snippets/nix-settings-holo-chain.nix - ../../snippets/mycelium.nix - - nodeFlake.inputs.extra-container.nixosModules.default - { - networking.nat = { - enable = true; - internalInterfaces = [ "ve-+" ]; - # externalInterface = "enu1u1u2"; - # Lazy IPv6 connectivity for the container - # enableIPv6 = true; - }; - } - - # TODO: broken with: v4l2loopback-0.13.2-6.13.0-rc3.drv - # make: *** [Makefile:53: v4l2loopback.ko] Error 2 - # ../../snippets/obs-studio.nix - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - services.openssh.openFirewall = true; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; - - users.commonUsers = { - enable = true; - enableNonRoot = true; - }; - - sops.secrets.builder-private-key = { }; - nix.distributedBuilds = true; - nix.buildMachines = [ - # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=/run/secrets/builder-private-key' - { - hostName = "buildbot-nix-0.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - protocol = "ssh-ng"; - systems = [ "x86_64-linux" ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 16; - } - - { - hostName = "aarch64-linux-builder-0.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - 
protocol = "ssh-ng"; - systems = [ "aarch64-linux" ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 8; - } - - { - hostName = "x64-linux-dev-01.dev.infra.holochain.org"; - sshUser = "nix-remote-builder"; - sshKey = config.sops.secrets.builder-private-key.path; - protocol = "ssh-ng"; - systems = [ - # "x86_64-linux" - "aarch64-linux" - ]; - supportedFeatures = [ - "big-parallel" - "kvm" - "nixos-test" - ]; - maxJobs = 0; - } - ]; - } - - { - # yubikey / smartcard. only set to `true` for `ykman piv` commands. - services.pcscd.enable = false; - } - - # TODO: create syncthing os snippet - ( - let - tcp = [ 22000 ]; - udp = [ - 22000 - 21027 - ]; - in - { - # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` - networking.firewall.interfaces."en+".allowedTCPPorts = tcp; - networking.firewall.interfaces."en+".allowedUDPPorts = udp; - networking.firewall.interfaces."wl+".allowedTCPPorts = tcp; - networking.firewall.interfaces."wl+".allowedUDPPorts = udp; - - networking.firewall.allowedTCPPorts = [ - # iperf3 - 5201 - ]; - } - ) - - ../../snippets/home-manager-with-zsh.nix - ../../snippets/sway-desktop.nix - ../../snippets/bluetooth.nix - ../../snippets/timezone.nix - ../../snippets/radicale.nix - - ../../snippets/holo-zerotier.nix - - # ../../snippets/k3s-w-nix-snapshotter.nix - ]; - - networking.hostName = nodeName; - networking.firewall.enable = true; - networking.networkmanager.enable = true; - - nixpkgs.config.allowUnfree = true; - - environment.systemPackages = [ - pkgs.sshfs - pkgs.util-linux - pkgs.coreutils - pkgs.vim - - pkgs.git - pkgs.git-crypt - ]; - - system.stateVersion = "23.11"; - home-manager.users.root = _: { home.stateVersion = "23.11"; }; - home-manager.users.steveej = _: { - home.stateVersion = "23.11"; - - imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; - - nixpkgs.overlays = [ nodeFlake.overlays.default ]; - - home.sessionVariables = { }; - - home.packages = with 
pkgs; [ ]; - - # TODO(upstream): currently unsupported on x13s - services.gammastep.enable = true; - }; - - boot = { - loader.systemd-boot.enable = true; - loader.systemd-boot.configurationLimit = 5; - - loader.efi.canTouchEfiVariables = lib.mkForce false; - loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ - "wwan" - # "qcom_soundwire" - # "snd_soc_qcom_sdw" - # "snd_soc_sc8280xp" - ]; - }; - - # TODO: debug this collision: collision between `/nix/store/cb32qlzc4pm6h4arw59kxqyzbvgnmx7g-b43-firmware-6.30.163.46-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' and `/nix/store/niffz3cf0v91y5knz0an29fwvm8amigm-b43-firmware-5.100.138-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' - hardware.firmware = lib.mkBefore [ - (pkgs.runCommand "x13s-ath11k-firmware-before" { } '' - mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - '') - ]; - - # see https://linrunner.de/tlp/ - # TODO: find an equivalent to tlp that supports this machine - services.tlp = { - enable = false; - settings = { - START_CHARGE_THRESH_BAT0 = "80"; - STOP_CHARGE_THRESH_BAT0 = "85"; - }; - }; - - # android on linux - virtualisation.waydroid.enable = true; - hardware.ledger.enable = true; - - virtualisation.containers.enable = true; - virtualisation.podman.enable = true; - - steveej.holo-zerotier = { - enable = true; - autostart = false; - }; - - services.udev.packages = [ pkgs.android-udev-rules ]; - programs.adb.enable = true; - - nix.settings.sandbox = lib.mkForce "relaxed"; - - systemd.user.services.wireplumber.environment.LIBCAMERA_IPA_PROXY_PATH = - "${pkgs.libcamera}/libexec/libcamera"; -} 
diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix deleted file mode 100644 index bb170b2..0000000 --- a/nix/os/devices/steveej-x13s/default.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ - system ? "aarch64-linux", - nodeName, - repoFlake, - repoFlakeWithSystem, - nodeFlake, - localDomainName ? "internal", - ... -}: -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; - packages' = repoFlake.packages.${system}; - nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); - - inherit localDomainName; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = "${nodeName}.${localDomainName}"; - deployment.replaceUnknownProfiles = true; - deployment.allowLocalDeployment = true; - - # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - - imports = [ ./configuration.nix ]; - }; -} diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix deleted file mode 100644 index 40b2118..0000000 --- a/nix/os/devices/steveej-x13s/disko.nix +++ /dev/null 
@@ -1,74 +0,0 @@ -{ - disko.devices = { - disk = { - x13s-nvme = { - type = "disk"; - device = "/dev/disk/by-id/nvme-KBG5AZNT1T02_LA_KIOXIA_52QC84BEEJS6"; - # device = "/dev/disk/by-id/nvme-Corsair_MP600_CORE_MINI_A7SIB33902BQLN"; - content = { - type = "gpt"; - partitions = { - ESP = { - size = "500M"; - type = "EF00"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - mountOptions = [ "defaults" ]; - }; - }; - luks = { - size = "100%"; - content = { - type = "luks"; - name = "x13s-nvme-crypt"; - extraOpenArgs = [ ]; - # disable settings.keyFile if you want to use interactive password entry - #passwordFile = "/tmp/secret.key"; # Interactive - settings = { - # if you want to use the key for interactive login be sure there is no trailing newline - # for example use `echo -n "password" > /tmp/secret.key` - # keyFile = "/tmp/secret.key"; - allowDiscards = true; - }; - # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; - content = { - type = "btrfs"; - extraArgs = [ "-f" ]; - subvolumes = { - "/root" = { - mountpoint = "/"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/home" = { - mountpoint = "/home"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/nix" = { - mountpoint = "/nix"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; - }; - "/swap" = { - mountpoint = "/.swapvol"; - swap.swapfile.size = "32G"; - }; - }; - }; - }; - }; - }; - }; - }; - }; - }; -} diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock deleted file mode 100644 index cef30a8..0000000 --- a/nix/os/devices/steveej-x13s/flake.lock +++ /dev/null 
@@ -1,445 +0,0 @@ -{ - "nodes": { - "ath11k-firmware": { - "flake": false, - "locked": { - "lastModified": 1746643896, - "narHash": "sha256-QXZHcbMNX0f2RQBrCCYRS3dLU1q/02J3HjnWuv8Oaaw=", - "ref": "refs/heads/main", - "rev": "1e7cd757828d414f71da82f480696540473bd475", - "revCount": 174, - "type": "git", - "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" - }, - "original": { - "type": "git", - "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" - } - }, - "crane": { - "locked": { - "lastModified": 1742317686, - "narHash": "sha256-ScJYnUykEDhYeCepoAWBbZWx2fpQ8ottyvOyGry7HqE=", - "owner": "ipetkov", - "repo": "crane", - "rev": "66cb0013f9a99d710b167ad13cbd8cc4e64f2ddb", - "type": "github" - }, - "original": { - "owner": "ipetkov", - "repo": "crane", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1748225455, - "narHash": "sha256-AzlJCKaM4wbEyEpV3I/PUq5mHnib2ryEy32c+qfj6xk=", - "owner": "nix-community", - "repo": "disko", - "rev": "a894f2811e1ee8d10c50560551e50d6ab3c392ba", - "type": "github" - }, - "original": { - "id": "disko", - "type": "indirect" - } - }, - "extra-container": { - "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1734542275, - "narHash": "sha256-wnRkafo4YrIuvJeRsOmfStxIzi7ty2I0OtGMO9chwJc=", - "owner": "erikarvstedt", - "repo": "extra-container", - "rev": "fa723fb67201c1b4610fd3d608681da362f800eb", - "type": "github" - }, - "original": { - "owner": "erikarvstedt", - "repo": "extra-container", - "type": "github" - } - }, - "flake-compat": { - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - 
"flake-compat_2": { - "locked": { - "lastModified": 1733328505, - "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", - "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", - "revCount": 69, - "type": "tarball", - "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" - } - }, - "flake-compat_3": { - "flake": false, - "locked": { - "lastModified": 1696426674, - "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "nix-snapshotter", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { - "inputs": { - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-utils": { - "inputs": { - "systems": "systems" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": 
"numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "id": "flake-utils", - "type": "indirect" - } - }, - "get-flake": { - "inputs": { - "flake-compat": "flake-compat" - }, - "locked": { - "lastModified": 1745945175, - "narHash": "sha256-JGDbJRl5v1snA4JX+yp6m3UA6Mazr59Hrgz+UhhP91M=", - "owner": "ursi", - "repo": "get-flake", - "rev": "38401aa2b3a99c77d0c02727471e99e7de2fc366", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1748455938, - "narHash": "sha256-mQ/iNzPra2WtDQ+x2r5IadcWNr0m3uHvLMzJkXKAG/8=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "02077149e2921014511dac2729ae6dadb4ec50e2", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "master", - "repo": "home-manager", - "type": "github" - } - }, - "linux-jhovold": { - "flake": false, - "locked": { - "lastModified": 1748260494, - "narHash": "sha256-0KTN63q+86g++BVQPOm7MHAVQvj+t3aJFsPwE+wDk2U=", - "owner": "jhovold", - "repo": "linux", - "rev": "ababc24306a694b74995cffc4e9c51aa84b9af8a", - "type": "github" - }, - "original": { - "owner": "jhovold", - "ref": "wip/sc8280xp-6.15", - "repo": "linux", - "type": "github" - } - }, - "mycelium": { - "inputs": { - "crane": "crane", - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_2", - "nix-filter": "nix-filter", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1747734538, - "narHash": "sha256-bFKEPbwffDSvoG6KBDH87ebbnFq1IyqAfLyg2zlwlIY=", - "owner": "threefoldtech", - "repo": "mycelium", - "rev": 
"71cb99dc65f47d4baced0288df1d299bf960505e", - "type": "github" - }, - "original": { - "owner": "threefoldtech", - "repo": "mycelium", - "type": "github" - } - }, - "nix-filter": { - "locked": { - "lastModified": 1731533336, - "narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", - "owner": "numtide", - "repo": "nix-filter", - "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "nix-filter", - "type": "github" - } - }, - "nix-snapshotter": { - "inputs": { - "flake-compat": "flake-compat_3", - "flake-parts": "flake-parts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1717948701, - "narHash": "sha256-G7SXaZ7J4yO4OQEKSZPVWcccfV87uyLech0jEOU350g=", - "owner": "yu-re-ka", - "repo": "nix-snapshotter", - "rev": "c10b066a4b1bb3451507c141636014e3335e579e", - "type": "github" - }, - "original": { - "owner": "yu-re-ka", - "repo": "nix-snapshotter", - "type": "github" - } - }, - "nixos-x13s": { - "inputs": { - "flake-parts": "flake-parts_2", - "linux-jhovold": "linux-jhovold", - "nixpkgs": [ - "nixpkgs" - ], - "x13s-bt-linux-firmware": "x13s-bt-linux-firmware" - }, - "locked": { - "lastModified": 1748459535, - "narHash": "sha256-U7n47n4oIhKKiCVzGBOz0vdoihmjLBJFPvdp+gFapmU=", - "ref": "bump", - "rev": "903961b6ad426a1092d3b05501b8f17bcde3c0ab", - "revCount": 151, - "type": "git", - "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" - }, - "original": { - "ref": "bump", - "type": "git", - "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" - } - }, - "nixpkgs-lib": { - "locked": { - "lastModified": 1733096140, - "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - }, - "original": { - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" - } - }, 
- "nixpkgs-stable": { - "locked": { - "lastModified": 1748037224, - "narHash": "sha256-92vihpZr6dwEMV6g98M5kHZIttrWahb9iRPBm1atcPk=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "f09dede81861f3a83f7f06641ead34f02f37597f", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1748370509, - "narHash": "sha256-QlL8slIgc16W5UaI3w7xHQEP+Qmv/6vSNTpoZrrSlbk=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "4faa5f5321320e49a78ae7848582f684d64783e9", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "ath11k-firmware": "ath11k-firmware", - "disko": "disko", - "extra-container": "extra-container", - "get-flake": "get-flake", - "home-manager": "home-manager", - "mycelium": "mycelium", - "nix-snapshotter": "nix-snapshotter", - "nixos-x13s": "nixos-x13s", - "nixpkgs": [ - "nixpkgs-unstable" - ], - "nixpkgs-stable": "nixpkgs-stable", - "nixpkgs-unstable": "nixpkgs-unstable" - } - }, - "systems": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, - "x13s-bt-linux-firmware": { - "flake": false, - "locked": { - "lastModified": 1733240564, - "narHash": "sha256-348f+wuX7x8xqaBRkraTclupdnRcwL/z2l/1Bs/reXc=", - "ref": 
"refs/heads/main", - "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", - "revCount": 4282, - "type": "git", - "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" - }, - "original": { - "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", - "type": "git", - "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix deleted file mode 100644 index ee2645d..0000000 --- a/nix/os/devices/steveej-x13s/flake.nix +++ /dev/null 
@@ -1,114 +0,0 @@ -{ - inputs = { - nixpkgs.follows = "nixpkgs-unstable"; - nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - # nixpkgs-unstable.url = "github:steveej-forks/nixpkgs/nixos-unstable"; - - get-flake.url = "github:ursi/get-flake"; - - disko.inputs.nixpkgs.follows = "nixpkgs"; - - home-manager = { - # url = "github:steveej-forks/home-manager/master"; - url = "github:nix-community/home-manager/master"; - # url = "github:nix-community/home-manager/release-24.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump" - # 6.13-rc2 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump&rev=c95058f8aa1b361df3874429c5dc0f694f9cba78" - # 6.11.0 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490" - # 6.12.0-rc6 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee" - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630" - #"/home/steveej/src/others/nixos-x13s" - # - ; - # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s"; - # nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; - nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; - - ath11k-firmware = { - url = "git+https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git"; - flake = false; - }; - - mycelium.url = "github:threefoldtech/mycelium"; - mycelium.inputs.nixpkgs.follows = "nixpkgs"; - - nix-snapshotter = { - url = "github:yu-re-ka/nix-snapshotter"; - # url = "github:pdtpartners/nix-snapshotter"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - extra-container = { - url = "github:erikarvstedt/extra-container"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - }; - - outputs = - { - self, - get-flake, 
- nixpkgs, - ... - }: - let - nativeSystem = "aarch64-linux"; - nodeName = "steveej-x13s"; - - repoFlake = get-flake ../../../..; - - mkNixosConfiguration = - { - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; - - inherit repoFlake; - repoFlakeWithSystem = repoFlake.lib.withSystem; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; - - modules = [ - ./configuration.nix - - # flake registry - { nix.registry.nixpkgs.flake = nixpkgs; } - ] ++ extraModules; - } - ); - in - { - lib = { - inherit mkNixosConfiguration; - }; - - overlays.default = _final: _previous: { - }; - - nixosConfigurations = { - native = mkNixosConfiguration { system = nativeSystem; }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; - } - ]; - }; - }; - }; -} diff --git a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix deleted file mode 100644 index b29548c..0000000 --- a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ ... }: -{ - disabledModules = [ ]; - imports = [ - ../../profiles/common/configuration.nix - ../../modules/opinionatedDisk.nix - - ./system.nix - ./hw.nix - ./pkg.nix - ./boot.nix - ]; -} diff --git a/nix/os/devices/vmd102066.contaboserver.net/default.nix b/nix/os/devices/vmd102066.contaboserver.net/default.nix deleted file mode 100644 index 958331e..0000000 --- a/nix/os/devices/vmd102066.contaboserver.net/default.nix +++ /dev/null 
@@ -1,26 +0,0 @@ -{ repoFlake, ... }: -let - nodeName = "vmd102066.contaboserver.net"; - system = "x86_64-linux"; - - nodeFlake = repoFlake.inputs.get-flake ./.; -in -{ - meta.nodeSpecialArgs.${nodeName} = { - inherit nodeName nodeFlake; - packages' = repoFlake.packages.${system}; - }; - - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; - - ${nodeName} = { - deployment.targetHost = nodeName; - deployment.replaceUnknownProfiles = true; - - imports = [ - (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - - nodeFlake.inputs.home-manager.nixosModules.home-manager - ]; - }; -} diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.lock b/nix/os/devices/vmd102066.contaboserver.net/flake.lock deleted file mode 100644 index 2a1267e..0000000 --- a/nix/os/devices/vmd102066.contaboserver.net/flake.lock +++ /dev/null 
@@ -1,99 +0,0 @@ -{ - "nodes": { - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ], - "utils": "utils" - }, - "locked": { - "lastModified": 1681092193, - "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "release-22.11", - "repo": "home-manager", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1681759395, - "narHash": "sha256-7aaRtLxLAy8qFVIA26ulB+Q5nDVzuQ71qi0s0wMjAws=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "cd749f58ba83f7155b7062dd49d08e5e47e44d50", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-master": { - "locked": { - "lastModified": 1681895322, - "narHash": "sha256-dtduardGFljEIh0Whlnhzda7Au0s1WnnSdzh2ZhCu9c=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "57aad37a2eab85fb5522cbc8568fe27872071a1c", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1681770396, - "narHash": "sha256-tq+GZOkRA3uF3I/jIzuBGfnTRQFT4QnnRCWJ8DKSaMg=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "4df48038a44e9f3a3da8e9b42ca182726b743de4", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable-small", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "home-manager": "home-manager", - "nixpkgs": "nixpkgs", - "nixpkgs-master": "nixpkgs-master", - "nixpkgs-unstable": "nixpkgs-unstable" - } - }, - "utils": { - "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", - "type": "github" - }, - 
"original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.nix b/nix/os/devices/vmd102066.contaboserver.net/flake.nix deleted file mode 100644 index 0547466..0000000 --- a/nix/os/devices/vmd102066.contaboserver.net/flake.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; - inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; - inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; - - inputs.home-manager = { - url = "github:nix-community/home-manager/release-22.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = _: { }; -} diff --git a/nix/os/devices/sj-vps-htz0/boot.nix b/nix/os/devices/vmd32387.contaboserver.net/boot.nix similarity index 84% rename from nix/os/devices/sj-vps-htz0/boot.nix rename to nix/os/devices/vmd32387.contaboserver.net/boot.nix index ed21f9c..18fcc13 100644 --- a/nix/os/devices/sj-vps-htz0/boot.nix +++ b/nix/os/devices/vmd32387.contaboserver.net/boot.nix @@ -1,4 +1,7 @@ -{ lib, ... }: +{ lib +, ... +}: + { boot.loader.grub.efiSupport = lib.mkForce false; boot.extraModulePackages = [ ]; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix b/nix/os/devices/vmd32387.contaboserver.net/configuration.nix similarity index 68% rename from nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix rename to nix/os/devices/vmd32387.contaboserver.net/configuration.nix index b29548c..ffce549 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix +++ b/nix/os/devices/vmd32387.contaboserver.net/configuration.nix @@ -1,9 +1,11 @@ { ... }: + { - disabledModules = [ ]; + disabledModules = [ + ]; imports = [ ../../profiles/common/configuration.nix - ../../modules/opinionatedDisk.nix + ../../modules/encryptedDisk.nix ./system.nix ./hw.nix 
diff --git a/nix/os/devices/vmd102066.contaboserver.net/hw.nix b/nix/os/devices/vmd32387.contaboserver.net/hw.nix similarity index 76% rename from nix/os/devices/vmd102066.contaboserver.net/hw.nix rename to nix/os/devices/vmd32387.contaboserver.net/hw.nix index 392bb1b..7a04340 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/hw.nix +++ b/nix/os/devices/vmd32387.contaboserver.net/hw.nix @@ -1,8 +1,10 @@ -_: +{ ... }: + let - stage1Modules = [ + stage1Modules = [ "aesni_intel" "kvm-intel" + "aes_x86_64" "virtio_balloon" "virtio_scsi" @@ -12,16 +14,17 @@ let "virtio" "scsi_mod" ]; + in { # TASK: new device - hardware.opinionatedDisk = { + hardware.encryptedDisk = { enable = true; - encrypted = true; diskId = "scsi-0QEMU_QEMU_HARDDISK_drive-scsi0"; }; boot.initrd.availableKernelModules = stage1Modules; boot.initrd.kernelModules = stage1Modules; - boot.extraModprobeConfig = ""; + boot.extraModprobeConfig = '' + ''; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix b/nix/os/devices/vmd32387.contaboserver.net/pkg.nix similarity index 73% rename from nix/os/devices/vmd102066.contaboserver.net/pkg.nix rename to nix/os/devices/vmd32387.contaboserver.net/pkg.nix index 2857a30..f8ee564 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix +++ b/nix/os/devices/vmd32387.contaboserver.net/pkg.nix 
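Review bot: `"aes_x86_64"` is added to `stage1Modules` in the first hunk, and that list feeds both `boot.initrd.availableKernelModules` and `boot.initrd.kernelModules` in the second; if the kernel this VM boots no longer ships that module (the scalar x86-64 AES assembler implementation was removed from mainline years ago, around v5.4 — verify against the pinned kernel), the initrd build fails on the missing module. `aesni_intel`, already on the list, is the implementation the encrypted disk actually benefits from, so either drop the new entry or justify it with a comment such as `"aes_x86_64" # only exists on older kernels; remove once the pinned kernel lacks it`. Separately, `boot.extraModprobeConfig = '' '';` now yields a string containing a newline rather than the empty `""` it replaces; harmless, but `""` states the intent.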
@@ -1,19 +1,19 @@ -{ config, pkgs, ... }: +{ config +, pkgs +, lib +, ... +}: + { - home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { - inherit pkgs; + nixpkgs.config.packageOverrides = pkgs: with pkgs; { + nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; }; + home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; nix.buildMachines = [ - { - hostName = "localhost"; + { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = [ - "kvm" - "nixos-test" - "big-parallel" - "benchmark" - ]; + supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; maxJobs = 4; } ]; @@ -23,13 +23,13 @@ hydraURL = "http://localhost:3000"; # externally visible URL notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines - buildMachinesFiles = [ ]; + buildMachinesFiles = []; # you will probably also want, otherwise *everything* will be built from scratch useSubstitutes = true; }; services.gitlab-runner = { - enable = false; + enable = true; extraPackages = with pkgs; [ bash @@ -49,5 +49,6 @@ tagList = [ "nix" ]; }; }; + }; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/system.nix b/nix/os/devices/vmd32387.contaboserver.net/system.nix similarity index 64% rename from nix/os/devices/vmd102066.contaboserver.net/system.nix rename to nix/os/devices/vmd32387.contaboserver.net/system.nix index cebed6a..2944e09 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/system.nix +++ b/nix/os/devices/vmd32387.contaboserver.net/system.nix 
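Review bot: `enable = true;` for `services.gitlab-runner` makes this host execute CI jobs, and the same file registers it as a local `nix.buildMachines` entry with `kvm`, `big-parallel` and `benchmark` features and hosts hydra, while the runner's executor and registration settings are outside the hunk, so the privilege boundary for jobs is not visible here. I would document the trust assumption next to the flag, e.g. `# CI jobs execute on this host alongside hydra; only trusted projects may use the "nix" tag`. The `services.gitlab-runner` block continues past the end of the hunk.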
@@ -1,9 +1,16 @@
-{ pkgs, config, ... }:
+{ pkgs
+, lib
+, config
+, ... }:
+
 let
 keys = import ../../../variables/keys.nix;
- passwords = import ../../../variables/passwords.crypt.nix;
-in
-{
+
+in {
+ # TASK: new device
+ networking.hostName = "vmd32387"; # Define your hostname.
+ networking.domain = "contaboserver.net";
+
 networking.firewall.enable = true;
 networking.firewall.allowedTCPPorts = [
 # iperf3
@@ -20,10 +27,7 @@ in
 networking.interfaces.eth0 = {
 useDHCP = true;
 ipv6.addresses = [
- {
- address = "2a02:c206:3010:2066::1";
- prefixLength = 64;
- }
+ { address = "2a02:c207:3003:2387::1"; prefixLength = 64; }
 ];
 };
 networking.defaultGateway6 = {
@@ -57,19 +61,21 @@ in
 '';
 };
 
- # systemd.services.sshd.serviceConfig = {TasksMax = 32;};
+ systemd.services.sshd.serviceConfig = {
+ TasksMax = 32;
+ };
 
- # systemd.timers."sshd-status" = {
- # description = "Timer to trigger sshd-status periodically";
- # enable = true;
- # wantedBy = ["timer.target" "multi-user.target"];
- # timerConfig = {
- # OnActiveSec = "5s";
- # OnUnitActiveSec = "5s";
- # AccuracySec = "1s";
- # Unit = "sshd-status.service";
- # };
- # };
+ systemd.timers."sshd-status" = {
+ description = "Timer to trigger sshd-status periodically";
+ enable = true;
+ wantedBy = [ "timer.target" "multi-user.target" ];
+ timerConfig = {
+ OnActiveSec="5s";
+ OnUnitActiveSec="5s";
+ AccuracySec="1s";
+ Unit = "sshd-status.service";
+ };
+ };
 
 nix.gc = {
 automatic = true;
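Review bot: `wantedBy = [ "timer.target" "multi-user.target" ];` names `timer.target`, which is not a systemd target (the standard one is `timers.target`), so the timer is only pulled in through `multi-user.target` and the first entry is a dangling want. `TasksMax = 32;` on `sshd.service` caps the whole sshd cgroup at a level well below what sshd's default `MaxStartups` lets unauthenticated connections fork, so a few dozen pre-auth connections are likely to make sshd fail to spawn new sessions and lock out administration; a comment explaining the value, or a higher one, is warranted. `sshd-status.service`, referenced in `timerConfig.Unit`, is not defined in this hunk. Style: `OnActiveSec="5s";` and the two lines after it should be spaced as `OnActiveSec = "5s";` like the surrounding attributes.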
@@ -97,26 +103,35 @@ in done ''; - containers = { - backup = import ../../containers/backup.nix { - autoStart = false; + networking.useHostResolvConf = true; + containers = { + mailserver = import ../../containers/mailserver.nix { + hostAddress = "192.168.100.10"; + localAddress = "192.168.100.11"; + + imapsPort = 993; + sievePort = 4190; + }; + + webserver = import ../../containers/webserver.nix { + hostAddress = "192.168.100.12"; + localAddress = "192.168.100.13"; + + httpsPort = 443; + }; + + syncthing = import ../../containers/syncthing.nix { + hostAddress = "192.168.100.14"; + localAddress = "192.168.100.15"; + + syncthingPort = 22000; + }; + + backup = import ../../containers/backup.nix { inherit config; hostAddress = "192.168.100.16"; localAddress = "192.168.100.17"; - subvolumes = [ - "mailserver" - "webserver" - "backup" - "syncthing" - ]; - }; - - bkpTarget = import ../../containers/backup-target.nix { - autoStart = false; - hostAddress = "192.168.100.18"; - localAddress = "192.168.100.19"; - containerBackupCfg = passwords.storage.backupTarget; }; }; @@ -126,5 +141,5 @@ in # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). - system.stateVersion = "22.05"; # Did you read the comment? + system.stateVersion = "20.03"; # Did you read the comment? } diff --git a/nix/os/devices/vmd32387.contaboserver.net/versions.nix b/nix/os/devices/vmd32387.contaboserver.net/versions.nix new file mode 100644 index 0000000..519781a --- /dev/null +++ b/nix/os/devices/vmd32387.contaboserver.net/versions.nix 
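Review bot: `system.stateVersion = "20.03";` moves the value from "22.05" although the comment directly above says it must stay at the release of the first install; the option selects version-dependent defaults of stateful services, so if this host really was first installed on 20.03 that deserves a note, and otherwise the value should not change. `networking.useHostResolvConf = true;` is added to what appears to be the host's own configuration, where the option is documented for containers, so presumably it is a no-op here and was meant for the container definitions below. The `backup` container still receives `inherit config;`, i.e. the complete host configuration, which is worth a one-line comment on what backup.nix actually reads from it.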
@@ -0,0 +1,37 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.09";
+ rev = "51aaa3fa1b69559456f9bd4968bd5b179a784f67";
+ };
+in
+
+{
+ inherit nixpkgs;
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-20.03" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.03";
+ rev = "ff6fda61600cc60404bab5cb6b18b8636785b7bc";
+ };
+ "channels-nixos-19.09" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-19.09";
+ rev = "75f4ba05c63be3f147bcc2f7bd4ba1f029cedcb1";
+ };
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "24c9b05ac53e422f1af81a156f1fd58499eb27fb";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "9b3e35d991ea6a43f256069dcb2e006006730d05";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-20.09";
+ rev = "7339784e07217ed0232e08d1ea33b610c94657d8";
+ };
+}
diff --git a/nix/os/devices/vmd32387.contaboserver.net/versions.tmpl.nix b/nix/os/devices/vmd32387.contaboserver.net/versions.tmpl.nix
new file mode 100644
index 0000000..a19cc09
--- /dev/null
+++ b/nix/os/devices/vmd32387.contaboserver.net/versions.tmpl.nix
@@ -0,0 +1,37 @@
+let
+ nixpkgs = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.09";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+in
+
+{
+ inherit nixpkgs;
+ "channels-nixos-stable" = nixpkgs;
+ "channels-nixos-20.03" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-20.03";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.03 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "channels-nixos-19.09" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-19.09";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-19.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "channels-nixos-unstable" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "nixos-unstable";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "nixpkgs-master" = {
+ url = "https://github.com/NixOS/nixpkgs/";
+ ref = "master";
+ rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+ "home-manager-module" = {
+ url = "https://github.com/nix-community/home-manager";
+ ref = "release-20.09";
+ rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
+ };
+}
diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix
index 206c367..566ccb9 100644
--- a/nix/os/lib/default.nix
+++ b/nix/os/lib/default.nix
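Review bot: only the `nixpkgs-master` entry pipes `git ls-remote` through `head -n1`; for the other five entries a bare ref such as `nixos-20.09` or `release-20.09` can match more than one ref (a branch and a tag of the same name), and `tr -d '\n'` would then glue several hashes into a single invalid `rev`. Use a fully qualified ref everywhere, e.g. `git ls-remote https://github.com/nixos/nixpkgs refs/heads/nixos-20.09 | awk '{ print $1 }' | tr -d '\n'`, or add `head -n1` consistently. Since the rendered versions.nix pins commit hashes only, a header comment should also state that the rendered file, not this template, is what must be committed for the pins to be reproducible.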
@@ -1,52 +1,31 @@
-{ lib, config }:
-let
- keys = import ../../variables/keys.nix;
- deepMergeAttrsets =
- listOfAttrsets: lib.foldl' (acc: cur: lib.recursiveUpdate acc cur) { } listOfAttrsets;
-in
+{ keys ? import ../../variables/keys.nix
+, passwords ? import ../../variables/passwords.crypt.nix
+}:
+
 {
- inherit deepMergeAttrsets;
+ mkRoot = { } @ args: {
+ hashedPassword = passwords.users.root;
+ openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+ } // args;
 
- mkUser =
- args@{ username, ... }:
- {
- users.users.${username} = deepMergeAttrsets [
- {
- isNormalUser = true;
- extraGroups = [
- "docker"
- "podman"
- "wheel"
- "libvirtd"
- "networkmanager"
- "vboxusers"
- "users"
- "input"
- "audio"
- "video"
- "cdrom"
- "adbusers"
- "dialout"
- "cdrom"
- "fuse"
- "adbusers"
- "scanner"
- "lp"
- "kvm"
- ];
- openssh.authorizedKeys.keys = keys.users.steveej.openssh;
-
- # TODO: investigate why this secret cannot be found
- # openssh.authorizedKeys.keyFiles = [
- # config.sops.secrets.sharedSshKeys-steveej.path
- # ];
- }
-
- (builtins.removeAttrs args [ "username" ])
- ];
-
- home-manager.users.${username}.home.username = username;
- };
+ mkUser = {uid, hashedPassword ? passwords.users.steveej, ... } @ args: {
+ inherit uid hashedPassword;
+ isNormalUser = true;
+ extraGroups = [
+ "docker"
+ "wheel"
+ "libvirtd"
+ "networkmanager"
+ "vboxusers"
+ "users"
+ "input"
+ "audio"
+ "video"
+ "cdrom"
+ "adbusers"
+ ];
+ openssh.authorizedKeys.keys = keys.users.steveej.openssh;
+ } // args;
 
 disk = rec {
 # TODO: verify the GPT PARTLABEL cap at 36 chars
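Review bot: `hashedPassword = passwords.users.root;` in `mkRoot`, and the `hashedPassword ? passwords.users.steveej` default in `mkUser`, place password hashes in the evaluated NixOS configuration, which ends up in the world-readable Nix store; `users.users.<name>.hashedPasswordFile` (`passwordFile` on older releases) keeps the hash out of the store. The same applies to the `mkRoot { }` / `mkUser { uid = 1000; }` call sites in profiles/common/user.nix later in this diff. Separately, `mkRoot = { } @ args:` only accepts an empty attribute set, so `// args` can never contribute anything; `{ ... } @ args` was presumably intended. Membership in `docker` and `libvirtd` is root-equivalent on the host, so the default group list deserves a comment such as `# docker/libvirtd membership is root-equivalent`.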
@@ -65,10 +44,9 @@ in # Cannot use the disk ID here because might be different at install vs. runtime. # Example: MMC card which is used in the internal reader vs. USB reader - bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); - bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); - luksName = diskId: (volumeGroup diskId) + "pv"; + bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-"+diskId)); + bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-"+diskId)); + luksName = diskId: (volumeGroup diskId)+"pv"; luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId); - lvmPv = diskId: encrypted: if encrypted then luksPhysicalVolume diskId else bootLuksDevice diskId; }; } diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix deleted file mode 100644 index 622ae62..0000000 --- a/nix/os/modules/ddclient-hetzner.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ lib, ... }: -{ - options.services.ddclient-hetzner = with lib; { - enable = mkEnableOption "Enable ddclient-hetzner"; - zone = mkOption { type = types.str; }; - domains = mkOption { type = types.listOf types.str; }; - passwordFile = mkOption { type = types.path; }; - }; -} diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index 150d688..f7f9893 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix 
@@ -1,7 +1,30 @@
-{ lib, ... }:
-{
+{ lib
+, config
+, ... }:
+
+let
+ cfg = config.services.ddclientovh;
+
+ passwords = import ../../variables/passwords.crypt.nix;
+
+in {
+
 options.services.ddclientovh = with lib; {
 enable = mkEnableOption "Enable ddclient-ovh";
- domain = mkOption { type = types.str; };
+ domain = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ services.ddclient = {
+ enable = true;
+ protocol = "dyndns2";
+ server = "www.ovh.com";
+ ssl = true;
+ domains = [ cfg.domain ];
+ use = "web, web=ifconfig.co";
+ inherit (passwords.dyndns.${cfg.domain}) username password;
+ };
 };
 }
diff --git a/nix/os/modules/encryptedDisk.nix b/nix/os/modules/encryptedDisk.nix
new file mode 100644
index 0000000..b70c7be
--- /dev/null
+++ b/nix/os/modules/encryptedDisk.nix
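Review bot: `inherit (passwords.dyndns.${cfg.domain}) username password;` hands the dyndns credential to `services.ddclient.password`, and the NixOS module renders it into the generated ddclient configuration in the Nix store, which every local user can read; `services.ddclient.passwordFile` keeps it out of the store on releases that provide it. `use = "web, web=ifconfig.co";` delegates IP detection to a third party, so I would add a comment stating whether that lookup happens over TLS, because a spoofed answer is written straight into the DNS record for `cfg.domain`.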
@@ -0,0 +1,58 @@
+{ lib
+, config
+, ... }:
+with lib;
+
+let
+ cfg = config.hardware.encryptedDisk;
+ ownLib = import ../lib/default.nix { };
+in {
+ options.hardware.encryptedDisk = {
+ enable = mkEnableOption "Enable encrypted filesystem layout";
+ diskId = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ fileSystems."/boot" = {
+ device = (ownLib.disk.bootFsDevice cfg.diskId);
+ fsType = "vfat";
+ };
+
+ fileSystems."/" = {
+ device = (ownLib.disk.rootFsDevice cfg.diskId);
+ fsType = "btrfs";
+ options = [ "subvol=nixos" ];
+ };
+
+ fileSystems."/home" = {
+ device = (ownLib.disk.rootFsDevice cfg.diskId);
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ };
+
+ swapDevices = [ { device = (ownLib.disk.swapFsDevice cfg.diskId); } ];
+
+ boot.loader.grub = {
+ device = (ownLib.disk.bootGrubDevice cfg.diskId);
+ enableCryptodisk = true;
+ };
+
+ boot.initrd.luks.devices = builtins.listToAttrs [
+ {
+ name =
+ let
+ splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId);
+ lastelem = (builtins.length splitstring)-1;
+ in
+ builtins.elemAt splitstring lastelem;
+ value = {
+ device = (ownLib.disk.bootLuksDevice cfg.diskId);
+ preLVM = true;
+ allowDiscards = true;
+ };
+ }
+ ];
+ };
+}
diff --git a/nix/os/modules/initrd-network.nix b/nix/os/modules/initrd-network.nix
index 4ca89cf..4c9da89 100644
--- a/nix/os/modules/initrd-network.nix
+++ b/nix/os/modules/initrd-network.nix
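Review bot: `allowDiscards = true;` passes TRIM through the LUKS mapping, which the NixOS option description flags as having security implications because it reveals which blocks of the encrypted volume are in use, and the module hard-codes it with no way for a device to opt out; either add `# TRIM through LUKS exposes block-usage information; accepted for SSD longevity` or expose it as an option alongside `diskId`. The `name` derived from `bootLuksDevice` depends on `builtins.split "/"` yielding the basename as its last element, which holds but is non-obvious and deserves a one-line comment.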
@@ -1,34 +1,37 @@ -{ - config, - lib, - pkgs, - ... -}: +{ config, lib, pkgs, ... }: + with lib; + let + cfg = config.boot.initrd.network; - udhcpcScript = pkgs.writeScript "udhcp-script" '' - #! /bin/sh - if [ "$1" = bound ]; then - ip address add "$ip/$mask" dev "$interface" - if [ -n "$router" ]; then - ip route add "$router" dev "$interface" # just in case if "$router" is not within "$ip/$mask" (e.g. Hetzner Cloud) - ip route add default via "$router" dev "$interface" + udhcpcScript = pkgs.writeScript "udhcp-script" + '' + #! /bin/sh + if [ "$1" = bound ]; then + ip address add "$ip/$mask" dev "$interface" + if [ -n "$router" ]; then + ip route add "$router" dev "$interface" # just in case if "$router" is not within "$ip/$mask" (e.g. Hetzner Cloud) + ip route add default via "$router" dev "$interface" + fi + if [ -n "$dns" ]; then + rm -f /etc/resolv.conf + for i in $dns; do + echo "nameserver $dns" >> /etc/resolv.conf + done + fi fi - if [ -n "$dns" ]; then - rm -f /etc/resolv.conf - for i in $dns; do - echo "nameserver $dns" >> /etc/resolv.conf - done - fi - fi - ''; + ''; udhcpcArgs = toString cfg.udhcpc.extraArgs; + in + { + options = { + boot.initrd.network.enable = mkOption { type = types.bool; default = false; @@ -48,7 +51,7 @@ in }; boot.initrd.network.udhcpc.extraArgs = mkOption { - default = [ ]; + default = []; type = types.listOf types.str; description = '' Additional command-line arguments passed verbatim to udhcpc if @@ -73,9 +76,11 @@ in Whether to enable DHCP for the network interfaces. ''; }; + }; config = mkIf cfg.enable { + warnings = [ "Enabled SSH for stage1" ]; boot.initrd.kernelModules = [ "af_packet" ]; @@ -95,6 +100,7 @@ in esac done '' + # Otherwise, use DHCP. + optionalString cfg.useDHCP '' if [ -z "$hasNetwork" ]; then @@ -110,12 +116,14 @@ in udhcpc --quit --now --script ${udhcpcScript} ${udhcpcArgs} && hasNetwork=1 fi '' + + '' if [ -n "$hasNetwork" ]; then echo "networking is up!" ${cfg.postCommands} fi - '' - ); + ''); + }; + } 
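Review bot: `echo "nameserver $dns" >> /etc/resolv.conf` inside `for i in $dns; do` ignores the loop variable, so with several DHCP-provided servers every line repeats the whole list; it should read `echo "nameserver $i" >> /etc/resolv.conf`. The line is unchanged from the old side, so the commit does not address it. `warnings = [ "Enabled SSH for stage1" ];` is emitted whenever `cfg.enable` is set, regardless of whether an initrd SSH server is configured at all (nothing in this hunk sets one up), so presumably the warning belongs under whichever option actually enables SSH.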
diff --git a/nix/os/modules/natrouter.nix b/nix/os/modules/natrouter.nix
index d853c28..a834cca 100644
--- a/nix/os/modules/natrouter.nix
+++ b/nix/os/modules/natrouter.nix
@@ -1,5 +1,8 @@
-{ lib, ... }:
-with lib;
+{ lib
+, config
+, ... }:
+with lib;
+
 {
 # TODO
 # Provide a NAT/DHCP Router
diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix
deleted file mode 100644
index db2bbbf..0000000
--- a/nix/os/modules/opinionatedDisk.nix
+++ /dev/null
@@ -1,73 +0,0 @@ -{ - lib, - config, - pkgs, - ... -}: -with lib; -let - cfg = config.hardware.opinionatedDisk; - ownLib = pkgs.callPackage ../lib/default.nix { }; - - earlyDiskId = cfg: if cfg.earlyDiskIdOverride != "" then cfg.earlyDiskIdOverride else cfg.diskId; -in -{ - options.hardware.opinionatedDisk = { - enable = mkEnableOption "Enable opinionated filesystem layout"; - diskId = mkOption { type = types.str; }; - encrypted = mkOption { - default = true; - type = types.bool; - }; - - earlyDiskIdOverride = mkOption { - default = ""; - type = types.str; - }; - }; - - config = lib.mkIf cfg.enable { - fileSystems."/boot" = { - device = ownLib.disk.bootFsDevice cfg.diskId; - fsType = "vfat"; - }; - - fileSystems."/" = { - device = ownLib.disk.rootFsDevice cfg.diskId; - fsType = "btrfs"; - options = [ "subvol=nixos" ]; - }; - - fileSystems."/home" = { - device = ownLib.disk.rootFsDevice cfg.diskId; - fsType = "btrfs"; - options = [ "subvol=home" ]; - }; - - swapDevices = [ { device = ownLib.disk.swapFsDevice cfg.diskId; } ]; - - boot.loader.grub = { - device = ownLib.disk.bootGrubDevice (earlyDiskId cfg); - enableCryptodisk = cfg.encrypted; - }; - - boot.initrd.luks.devices = lib.optionalAttrs cfg.encrypted ( - builtins.listToAttrs [ - { - name = - let - splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); - lastelem = (builtins.length splitstring) - 1; - in - builtins.elemAt splitstring lastelem; - value = { - device = ownLib.disk.bootLuksDevice cfg.diskId; - - preLVM = true; - allowDiscards = true; - }; - } - ] - ); - }; -} diff --git a/nix/os/profiles/common/boot.nix b/nix/os/profiles/common/boot.nix new file mode 100644 index 0000000..3d2d00c --- /dev/null +++ b/nix/os/profiles/common/boot.nix 
@@ -0,0 +1,24 @@ +{ pkgs +, ... +}: + +{ + boot.kernelPackages = pkgs.linuxPackages; + boot.loader.grub = { + efiSupport = true; + efiInstallAsRemovable = false; + enable = true; + version = 2; + }; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.tmpOnTmpfs = true; + + # Workaround for nm-pptp to enforce module load + boot.kernelModules = [ + "nf_conntrack_proto_gre" + "nf_conntrack_pptp" + ]; +} + diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index 61b4cb8..361f538 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix @@ -1,40 +1,13 @@ -{ - config, - pkgs, - repoFlake, - ... -}: -{ - imports = [ - repoFlake.inputs.sops-nix.nixosModules.sops +{ ... }: - ../../snippets/nix-settings.nix - ../../snippets/home-manager-with-zsh.nix +{ + nixpkgs.overlays = builtins.attrValues (import ../../../overlays); + imports = [ + ./boot.nix + ./pkg.nix + ./user.nix ./system.nix ./hw.nix - ./user.nix ]; - - boot.kernelPackages = pkgs.linuxPackages; - boot.loader.grub = { - enable = true; - efiSupport = true; - efiInstallAsRemovable = false; - }; - - boot.loader.systemd-boot.enable = false; - boot.loader.efi.canTouchEfiVariables = true; - boot.tmp.useTmpfs = true; - - # Workaround for nm-pptp to enforce module load - boot.kernelModules = [ - "nf_conntrack_proto_gre" - "nf_conntrack_pptp" - ]; - - nixpkgs.config = { - allowBroken = false; - allowUnfree = true; - }; } diff --git a/nix/os/profiles/common/hw.nix b/nix/os/profiles/common/hw.nix index 4d6eb74..885663e 100644 --- a/nix/os/profiles/common/hw.nix +++ b/nix/os/profiles/common/hw.nix @@ -1,4 +1,6 @@ -_: { +{ ... }: + +{ hardware.trackpoint.emulateWheel = true; boot.initrd.availableKernelModules = [ diff --git a/nix/os/profiles/common/pkg.nix b/nix/os/profiles/common/pkg.nix new file mode 100644 index 0000000..df14e0f --- /dev/null +++ b/nix/os/profiles/common/pkg.nix 
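Review bot: `boot.loader.grub.enable = true;` (with `efiSupport = true`) and `boot.loader.systemd-boot.enable = true;` are both set in this new file, so two boot loaders claim the ESP; in my experience that fails evaluation with conflicting definitions of the boot-loader installer, and even where it evaluates, which loader actually boots becomes firmware-dependent. If GRUB is the intended loader (the Contabo boot.nix in this diff forces `efiSupport = false` on it), set `boot.loader.systemd-boot.enable = false;` here, or document why both are wanted. `version = 2;` is the default and has been removed from the grub options in newer releases, so it can be dropped.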
@@ -0,0 +1,41 @@
+{ config
+, pkgs
+, ... }:
+
+{
+ imports = [
+ "${}/nixos"
+ ];
+ home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; };
+
+ nixpkgs.config = {
+ allowBroken = false;
+ allowUnfree = true;
+
+ packageOverrides = pkgs: with pkgs; {
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ elfutils
+ exfat
+ file
+ tree
+ pwgen
+ proot
+
+ parted
+ pv
+ tmux
+ wget
+ curl
+
+ gitFull
+ pastebinit
+ gist
+ mr
+
+ usbutils
+ pciutils
+ ];
+}
diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix
index edf8717..6256dff 100644
--- a/nix/os/profiles/common/system.nix
+++ b/nix/os/profiles/common/system.nix
@@ -1,7 +1,27 @@
-{ pkgs, nodeName, ... }:
+{ config
+, pkgs
+, lib
+, ...
+}:
+
 {
- networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname.
- networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2;
+ nix.binaryCachePublicKeys = [
+ # "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
+ ];
+ nix.binaryCaches = [
+ "https://cache.nixos.org"
+ # "https://hydra.nixos.org"
+ ];
+ nix.trustedBinaryCaches = [
+ "https://cache.nixos.org"
+ # "https://hydra.nixos.org"
+ ];
+
+ nix.daemonNiceLevel = lib.mkDefault 19;
+ nix.daemonIONiceLevel = lib.mkDefault 7;
+ nix.maxJobs = lib.mkDefault "auto";
+ nix.buildCores = lib.mkDefault 0;
+ nix.useSandbox = true;
 
 environment.etc."lvm/lvm.conf".text = ''
 devices {
@@ -9,15 +29,21 @@
 }
 '';
 
+ environment.variables = {
+ NIX_PATH = lib.mkForce pkgs.nixPath;
+ };
+
 # Fonts, I18N, Date ...
- fonts.packages = [ pkgs.corefonts ];
+ fonts.fonts = [
+ pkgs.corefonts
+ ];
 console.font = "lat9w-16";
 
 i18n = {
 defaultLocale = "en_US.UTF-8";
 };
 
- time.timeZone = "Etc/UTC";
+ time.timeZone = "Europe/Berlin";
 
 services.gpm.enable = true;
 services.packagekit.enable = true;
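Review bot: `"${}/nixos"` in `imports` is not valid Nix as rendered (an empty interpolation), so I assume a `<...>` search-path lookup was lost in extraction; if it is a NIX_PATH lookup it resolves against whatever NIX_PATH is in effect at evaluation time, which the versions.nix pins in this diff only govern once `pkgs.nixPath` is actually applied, so a comment naming the expected entry, e.g. `# resolved through NIX_PATH, pinned by the device's versions.nix`, would make that dependency visible. `nixpkgs.config.allowUnfree = true;` is a global opt-in; if only a few packages need it, `allowUnfreePredicate` keeps the list explicit.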
@@ -40,12 +66,14 @@
 # mv -Tf /etc/X11/.sessions /etc/X11/sessions
 # '';
- # TODO: adapt this to be arch agnostic
 system.activationScripts.lib64 = ''
 echo "setting up /lib64..."
 mkdir -p /lib64
- ln -sfT ${pkgs.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2
+ ln -sfT ${pkgs.stdenv.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2
 mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2
 '';
 
- programs.fuse.userAllowOther = true;
+
+ programs.zsh.enable = true;
+ users.defaultUserShell = pkgs.zsh;
+ environment.pathsToLink = [ "/share/zsh" ];
 }
diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix
index d5f64fe..673bc49 100644
--- a/nix/os/profiles/common/user.nix
+++ b/nix/os/profiles/common/user.nix
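Review bot: the `lib64` activation script hard-codes `ld-linux-x86-64.so.2`, so on any non-x86_64 host it leaves a dangling symlink on every activation; wrap it in `lib.optionalString pkgs.stdenv.hostPlatform.isx86_64` (`lib` is in this file's argument set) or keep a comment stating the assumption. `${pkgs.stdenv.glibc}` uses a legacy attribute; `pkgs.stdenv.cc.libc`, or `pkgs.glibc` as on the old side, is the conventional spelling. The script also deliberately lets non-Nix binaries run against the system glibc, which widens what can execute on the host and should be called out in a comment.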
@@ -1,89 +1,18 @@ -{ - config, - lib, - ... -}: +{ config +, pkgs +, ... }: + let - keys = import ../../../variables/keys.nix; - inherit - (import ../../lib/default.nix { - inherit lib config; - }) - mkUser - ; + passwords = import ../../../variables/passwords.crypt.nix; + inherit (import ../../lib/default.nix { }) mkUser mkRoot; +in { + users.mutableUsers = false; - inherit (lib) types; - - cfg = config.users.commonUsers; -in -{ - options.users.commonUsers = { - enable = lib.mkOption { - default = true; - type = types.bool; - }; - - enableNonRoot = lib.mkOption { - default = true; - type = types.bool; - }; - - rootPasswordFile = lib.mkOption { - default = config.sops.secrets.sharedUsers-root.path; - type = types.path; - }; - - # TODO: test if this works - installPassword = lib.mkOption { - default = null; - type = types.nullOr types.str; - }; + users.extraUsers.root = mkRoot { }; + users.extraUsers.steveej = mkUser { + uid = 1000; }; - config = lib.mkIf cfg.enable ( - lib.mkMerge [ - (lib.mkIf (cfg.installPassword == null) { - sops.secrets.sharedUsers-root = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; - sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; - - sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - # neededForUsers = true; - format = "yaml"; - }; - }) - - { - users.mutableUsers = cfg.installPassword != null; - - users.users.root = lib.mkMerge [ - { openssh.authorizedKeys.keys = keys.users.steveej.openssh; } - - (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) - - (lib.mkIf (cfg.installPassword == "") { hashedPasswordFile = cfg.rootPasswordFile; }) - ]; - - } - - (lib.mkIf cfg.enableNonRoot (mkUser { - username = "steveej"; - - uid = 1000; - - password = cfg.installPassword; - 
hashedPasswordFile = lib.mkIf ( - cfg.installPassword == null - ) config.sops.secrets.sharedUsers-steveej.path; - })) - ] - ); + security.pam.u2f.enable = true; + security.pam.services.steveej.u2fAuth = true; } diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix index 40fd3f4..89a5fe4 100644 --- a/nix/os/profiles/containers/configuration.nix +++ b/nix/os/profiles/containers/configuration.nix @@ -1,28 +1,9 @@ +{ ... }: + { - hostAddress, - pkgs, - lib, - ... -}: -{ - networking.useHostResolvConf = false; - - networking.firewall.enable = true; - networking.nftables.enable = true; - networking.nftables.flushRuleset = true; - - networking.nameservers = lib.mkForce [ hostAddress ]; - - environment.systemPackages = [ pkgs.dnsutils ]; + nixpkgs.overlays = builtins.attrValues (import ../../../overlays); imports = [ - { - # keep DNS set up to a minimum: only query the container host - services.resolved.enable = lib.mkForce false; - networking.nameservers = [ hostAddress ]; - } - ../../snippets/nix-settings.nix - # ../../modules/ddclient-ovh.nix - # ../../modules/ddclient-hetzner.nix + ../../modules/ddclient-ovh.nix ]; } diff --git a/nix/os/profiles/graphical-gnome-xorg.nix b/nix/os/profiles/graphical-gnome-xorg.nix deleted file mode 100644 index bc88473..0000000 --- a/nix/os/profiles/graphical-gnome-xorg.nix +++ /dev/null 
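Review bot: `security.pam.services.steveej.u2fAuth = true;` creates a PAM service named after the user, which no program authenticates against, so pam_u2f is attached to nothing; `u2fAuth` has to be set on the services that actually perform logins, e.g. `security.pam.services.login.u2fAuth = true;` and likewise for `sudo`, `sshd` or the display manager as intended. With `security.pam.u2f.enable = true;` and no `security.pam.u2f.authFile`, pam_u2f reads the key mapping from the user's own `~/.config/Yubico/u2f_keys`, so a central mapping file should be considered if the second factor is meant to be administrator-controlled. The user.nix hunk begins on the previous physical line.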
@@ -1,104 +0,0 @@ -{ pkgs, lib, ... }: -{ - services.libinput.enable = true; - services.libinput.touchpad.naturalScrolling = true; - services.xserver = { - enable = true; - - videoDrivers = [ - "qxl" - "modesetting" - "ati" - "cirrus" - "intel" - "vesa" - "vmware" - "modesetting" - ]; - xkb.layout = "us"; - xkb.variant = "altgr-intl"; - xkb.options = "nodeadkeys"; - - desktopManager = { - # FIXME: gnome should be moved to user session - gnome.enable = true; - - xterm.enable = true; - plasma5.enable = false; - }; - - displayManager = { - gdm.enable = true; - gdm.wayland = true; - }; - }; - - # gnome, most of it is disabled and ideally it could live entirely in the user's home config - programs.gpaste.enable = false; - programs.gnome-terminal.enable = false; - # programs.gnome-documents.enable = false; - programs.gnome-disks.enable = false; - - # TODO: fully delegate graphical session to home-manager config - services.gnome = { - games.enable = false; - gnome-remote-desktop.enable = false; - gnome-user-share.enable = false; - rygel.enable = false; - sushi.enable = false; - tinysparql.enable = false; - localsearch.enable = false; - - gnome-browser-connector.enable = false; - gnome-initial-setup.enable = false; - - # FIXME: gnome should be moved to home config - gnome-settings-daemon.enable = true; - core-os-services.enable = true; - at-spi2-core.enable = true; - evolution-data-server.enable = true; - gnome-online-accounts.enable = true; - gnome-keyring.enable = lib.mkForce false; - }; - - # FIXME: gnome should be moved to user session - services.gvfs.enable = true; - programs.seahorse.enable = true; - programs.dconf.enable = true; - - environment.gnome.excludePackages = with pkgs; - [ - orca - gnome-photos - gnome-tour - - snapshot # webcam tool - gnome-music - gnome-terminal - gedit # text editor - epiphany # web browser - geary # email reader - evince # document viewer - gnome-characters - totem # video player - ]; - - services.pipewire = { - audio.enable = true; - 
enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - wireplumber.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - }; - - services.dbus.packages = with pkgs; [ dconf ]; - - # More Services - environment.systemPackages = [ - pkgs.adwaita-icon-theme - pkgs.gnomeExtensions.appindicator - ]; -} diff --git a/nix/os/profiles/graphical/boot.nix b/nix/os/profiles/graphical/boot.nix index 4bf6ca4..e4d35b0 100644 --- a/nix/os/profiles/graphical/boot.nix +++ b/nix/os/profiles/graphical/boot.nix @@ -1,4 +1,7 @@ -{ config, ... }: + +{ lib +, ... +}: + { - boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; } diff --git a/nix/os/profiles/graphical/configuration.nix b/nix/os/profiles/graphical/configuration.nix index 477a93d..1ab66e9 100644 --- a/nix/os/profiles/graphical/configuration.nix +++ b/nix/os/profiles/graphical/configuration.nix @@ -1,4 +1,7 @@ -{ ... }: +{ pkgs +, ... +}: + { imports = [ ./boot.nix diff --git a/nix/os/profiles/graphical/hw.nix b/nix/os/profiles/graphical/hw.nix index 821f5bf..7cc04be 100644 --- a/nix/os/profiles/graphical/hw.nix +++ b/nix/os/profiles/graphical/hw.nix @@ -1 +1,7 @@ -_: { hardware.enableAllFirmware = true; } +{ +... +}: + +{ + hardware.enableAllFirmware = true; +} diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index 00ed2c2..ff3def4 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -1,10 +1,11 @@ -{ pkgs, ... }: -{ - imports = [ ../../snippets/bluetooth.nix ]; +{ pkgs +, ... +}: +{ networking.networkmanager = { enable = true; - dns = "systemd-resolved"; + dns = "dnsmasq"; unmanaged = [ "interface-name:veth*" "interface-name:virbr*" 
@@ -15,12 +16,85 @@ }; networking.usePredictableInterfaceNames = false; - services.resolved.enable = true; + services.resolved.enable = false; # hardware related services + services.illum.enable = true; services.pcscd.enable = true; - hardware.graphics.enable = true; + hardware = { + bluetooth.enable = true; + pulseaudio = { + enable = true; + package = pkgs.pulseaudioFull; + support32Bit = true; + }; + }; + # required for running blueman-applet in user sessions + services.dbus.packages = with pkgs; [ + blueman + ]; + services.blueman.enable = true; + services.xserver = { + enable = true; + libinput.enable = true; + libinput.naturalScrolling = true; + + videoDrivers = [ "qxl" "modesetting" "ati" "cirrus" "intel" "vesa" "vmware" "modesetting" ]; + xkbVariant = "altgr-intl"; + xkbOptions = "nodeadkeys"; + + desktopManager = { + # FIXME: gnome should be moved to user session + gnome3.enable = true; + + xterm.enable = true; + plasma5.enable = false; + }; + + displayManager = { + gdm.enable = false; + + autoLogin = { + enable = true; + user = "steveej"; + }; + + lightdm = { + enable = true; + background = "${pkgs.nixos-artwork.wallpapers.simple-blue}/share/artwork/gnome/nix-wallpaper-simple-blue.png"; + }; + + sessionCommands = '' + ''; + }; + }; + + services.gvfs.enable = true; + programs.seahorse.enable = true; + programs.gpaste.enable = false; + programs.gnome-terminal.enable = false; + programs.gnome-documents.enable = false; + programs.gnome-disks.enable = false; + + services.gnome3 = { + # gnome-online-miners.enable = false; TODO: enable this again + games.enable = false; + gnome-remote-desktop.enable = false; + gnome-user-share.enable = false; + rygel.enable = false; + sushi.enable = false; + tracker.enable = false; + tracker-miners.enable = false; + + # FIXME: gnome should be moved to user session + at-spi2-core.enable = true; + evolution-data-server.enable = true; + gnome-online-accounts.enable = true; + gnome-keyring.enable = true; + }; + + # More Services 
services.udev.packages = [ pkgs.libu2f-host pkgs.yubikey-personalization @@ -35,24 +109,13 @@ SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="011a", GROUP="users", MODE="0777" SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="fffe", GROUP="users", MODE="0777" SUBSYSTEM=="usb", ATTR{idVendor}=="047f", ATTR{idProduct}=="0001", GROUP="users", MODE="0777" - - # Yubikey 4/5 U2F+CCID - SUBSYSTEM=="usb", ATTR{idVendor}=="1050", ATTR{idProduct}=="0406", ENV{ID_SECURITY_TOKEN}="1", GROUP="wheel" ''; - # services.samba.enable = true; - # services.samba.extraConfig = '' - # client max protocol = SMB3 - # # client min protocol = SMB2_10 - # # client min protocol = NT1 - # # ntlm auth = yes - # ''; + + services.samba.enable = true; + services.samba.extraConfig = '' + client max protocol = SMB3 + ''; services.logind.lidSwitchExternalPower = "ignore"; - - services.printing = { - enable = true; - drivers = with pkgs; [ - ]; - }; } diff --git a/nix/os/profiles/install-medium/iso/Justfile b/nix/os/profiles/install-medium/iso/Justfile index 099a8aa..bcd3c66 100644 --- a/nix/os/profiles/install-medium/iso/Justfile +++ b/nix/os/profiles/install-medium/iso/Justfile @@ -1,2 +1,2 @@ build: - nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix + nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix diff --git a/nix/os/profiles/install-medium/iso/iso.nix b/nix/os/profiles/install-medium/iso/iso.nix index a32f3f6..a93f3d9 100644 --- a/nix/os/profiles/install-medium/iso/iso.nix +++ b/nix/os/profiles/install-medium/iso/iso.nix 
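Review bot: `autoLogin = { enable = true; user = "steveej"; };` under lightdm starts a session for that user at boot without any credential, so neither the account password nor the PAM U2F factor configured elsewhere in this change ever gates the console; the LUKS passphrase becomes the only barrier and screen locking after resume has to carry the rest. If unattended boot is intentional, add `# autologin: the local console is unauthenticated by design; disk encryption is the gate` next to it, otherwise drop the block. `sessionCommands = '' '';` is an empty string and can be removed. This hunk starts on the previous physical line.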
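Review bot: `services.samba.enable = true;` starts the smbd/nmbd (and by default winbindd) server daemons on this workstation, while the accompanying `extraConfig` only sets `client max protocol = SMB3`, a client-side parameter; if the goal is to configure smbclient/gvfs mounts, a plain `environment.etc."samba/smb.conf".text` carries that `[global]` setting without starting any daemon, and if a server is intended the note should say so, since `services.samba.openFirewall` defaults to false and the listeners are then only reachable locally. The retained udev rules above grant `MODE="0777"` on the 047f devices, i.e. world read/write on those USB nodes; `GROUP="users", MODE="0660"` gives the same group the access without exposing the devices to every process.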
@@ -1,69 +1,53 @@ # This module defines a small NixOS installation CD. It does not # contain any graphical stuff. -{ - config, - pkgs, - lib, - ... -}: -let - nixos-init-script = '' - #!${pkgs.stdenv.shell} +{config, pkgs, lib, ...}: - export HOME=/root - export PATH=${ - pkgs.lib.makeBinPath [ - config.nix.package - pkgs.systemd - pkgs.gnugrep - pkgs.gnused - config.system.build.nixos-rebuild - config.system.build.nixos-install - pkgs.utillinux - pkgs.e2fsprogs - pkgs.coreutils - pkgs.hdparm - ] - }:$PATH - export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels +let nixos-init-script = '' + #!${pkgs.stdenv.shell} - set -xe + export HOME=/root + export PATH=${pkgs.lib.makeBinPath [ + config.nix.package pkgs.systemd pkgs.gnugrep pkgs.gnused config.system.build.nixos-rebuild + config.system.build.nixos-install pkgs.utillinux pkgs.e2fsprogs pkgs.coreutils pkgs.hdparm + ]}:$PATH + export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels - fdisk -w always -W always /dev/vda < 
@@ -74,14 +58,13 @@ in isoImage.isoName = lib.mkForce "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; boot.loader.timeout = lib.mkForce 0; - boot.postBootCommands = ""; + boot.postBootCommands = '' + ''; - environment.systemPackages = [ ]; + environment.systemPackages = []; users.users.root = { - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4RFtHz0sE5y0AyZZm/tH7bBBgsx55gLPt5tGsl9yZlOzih6n4qbJE/9OOdwnOY2AHRe2lrlTekbW5ewWSBBCbiBE3Vux86sLgy7LM9zoKaNC+E3hmxaoS9SExn0BTkb3kNlOcj2k6UyJhkZWEsqVMV5C21R8EWmMlLY/qm3AxptNjOyzKDwNX2zlHZ5IyjgzO4ZjIxjawmJlUrVEn7/m+M7qK3I1Tyg/ZvDSfmxVJS97sVzseYE0rVwLEWJQOnHh0wnfl27smr2McAB7Cy6sxKyPKvEGyXbNqqb8fqk4okZlRRxhq/XkKlC7IZr+uqYxlL4HN8vjkTRNlgenDUSVT cardno:000604870382" - ]; + openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4RFtHz0sE5y0AyZZm/tH7bBBgsx55gLPt5tGsl9yZlOzih6n4qbJE/9OOdwnOY2AHRe2lrlTekbW5ewWSBBCbiBE3Vux86sLgy7LM9zoKaNC+E3hmxaoS9SExn0BTkb3kNlOcj2k6UyJhkZWEsqVMV5C21R8EWmMlLY/qm3AxptNjOyzKDwNX2zlHZ5IyjgzO4ZjIxjawmJlUrVEn7/m+M7qK3I1Tyg/ZvDSfmxVJS97sVzseYE0rVwLEWJQOnHh0wnfl27smr2McAB7Cy6sxKyPKvEGyXbNqqb8fqk4okZlRRxhq/XkKlC7IZr+uqYxlL4HN8vjkTRNlgenDUSVT cardno:000604870382" ]; }; services.gpm.enable = true; @@ -97,7 +80,7 @@ in wantedBy = [ "multi-user.target" ]; after = [ "multi-user.target" ]; requires = [ "network-online.target" ]; - + restartIfChanged = false; unitConfig.X-StopOnRemoval = false; diff --git a/nix/os/profiles/podman/configuration.nix b/nix/os/profiles/podman/configuration.nix new file mode 100644 index 0000000..d15563e --- /dev/null +++ b/nix/os/profiles/podman/configuration.nix 
@@ -0,0 +1,180 @@ +{ config, pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + podman + runc + conmon + cni + cni-plugins + slirp4netns + ]; + + environment.etc."containers/registries.conf".text = '' + # This is a system-wide configuration file used to + # keep track of registries for various container backends. + # It adheres to TOML format and does not support recursive + # lists of registries. + + [registries.search] + registries = [ 'docker.io' + , 'registry.fedoraproject.org' + , 'registry.access.redhat.com' + , 'quay.io' + ] + + # If you need to access insecure registries, add the registry's fully-qualified name. + # An insecure registry is one that does not have a valid SSL certificate or only does HTTP. + [registries.insecure] + registries = ['localhost:5000'] + ''; + + environment.etc."containers/policy.json".text = '' + { + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": + { + "docker-daemon": + { + "": [{"type":"insecureAcceptAnything"}] + } + } + } + ''; + + environment.etc."cni/net.d/00-loopback.conf".text = '' + { + "cniVersion": "0.3.0", + "type": "loopback" + } + ''; + + environment.etc."cni/net.d/87-podman-bridge.conflist".text = '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ''; + + environment.etc."containers/libpod.conf".text = '' + # libpod.conf is the default configuration file for all tools using libpod to + # manage containers + + # Default transport method for pulling and pushing for images + image_default_transport = "docker://" + + # Paths to search for the Conmon container manager binary + runtime_path = [ + "${pkgs.runc}/bin/runc" + ] + + + # Paths to look for the Conmon container manager binary 
+ conmon_path = [ + "${pkgs.conmon}/bin/conmon" + ] + + + # Environment variables to pass into conmon + conmon_env_vars = [ + # "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + ] + + # CGroup Manager - valid values are "systemd" and "cgroupfs" + cgroup_manager = "systemd" + + # Container init binary + #init_path = "/usr/libexec/podman/catatonit" + + # Directory for persistent libpod files (database, etc) + # By default, this will be configured relative to where containers/storage + # stores containers + # Uncomment to change location from this default + #static_dir = "/var/lib/containers/storage/libpod" + + # Directory for temporary files. Must be tmpfs (wiped after reboot) + tmp_dir = "/var/run/libpod" + + # Maximum size of log files (in bytes) + # -1 is unlimited + max_log_size = -1 + + # Whether to use chroot instead of pivot_root in the runtime + no_pivot_root = false + + # Directory containing CNI plugin configuration files + cni_config_dir = "/etc/cni/net.d/" + + # Directories where the CNI plugin binaries may be located + cni_plugin_dir = [ + "${pkgs.cni-plugins}/bin" + ] + + + # Default CNI network for libpod. + # If multiple CNI network configs are present, libpod will use the network with + # the name given here for containers unless explicitly overridden. + # The default here is set to the name we set in the + # 87-podman-bridge.conflist included in the repository. + # Not setting this, or setting it to the empty string, will use normal CNI + # precedence rules for selecting between multiple networks. + cni_default_network = "podman" + + # Default libpod namespace + # If libpod is joined to a namespace, it will see only containers and pods + # that were created in the same namespace, and will create new containers and + # pods in that namespace. + # The default namespace is "", which corresponds to no namespace. When no + # namespace is set, all containers and pods are visible. 
+ #namespace = "" + + # Default pause image name for pod pause containers + pause_image = "k8s.gcr.io/pause:3.1" + + # Default command to run the pause container + pause_command = "/pause" + + # Determines whether libpod will reserve ports on the host when they are + # forwarded to containers. When enabled, when ports are forwarded to containers, + # they are held open by conmon as long as the container is running, ensuring that + # they cannot be reused by other programs on the host. However, this can cause + # significant memory usage if a container has many ports forwarded to it. + # Disabling this can save memory. + #enable_port_reservation = true + + # Default libpod support for container labeling + # label=true + + # Paths to look for a valid OCI runtime (runc, runv, etc) + # FIXME: this doesn't seem to take effect + [runtimes] + runc = [ + "${pkgs.runc}/bin/runc" + ] +''; +} diff --git a/nix/os/profiles/removable-medium/boot.nix b/nix/os/profiles/removable-medium/boot.nix index 17a1dba..b3939cb 100644 --- a/nix/os/profiles/removable-medium/boot.nix +++ b/nix/os/profiles/removable-medium/boot.nix @@ -1,6 +1,9 @@ -{ lib, ... }: +{ lib +, ... +}: + { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; - boot.loader.efi.canTouchEfiVariables = lib.mkForce false; + boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.extraModulePackages = [ ]; } diff --git a/nix/os/profiles/removable-medium/configuration.nix b/nix/os/profiles/removable-medium/configuration.nix index ad7def0..883c2a4 100644 --- a/nix/os/profiles/removable-medium/configuration.nix +++ b/nix/os/profiles/removable-medium/configuration.nix @@ -1,7 +1,8 @@ { ... }: + { - imports = [ - ../../modules/opinionatedDisk.nix + imports = [ + ../../modules/encryptedDisk.nix ./pkg.nix ./hw.nix diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix index 0f7cbec..99f014f 100644 --- a/nix/os/profiles/removable-medium/hw.nix 
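Review bot: `policy.json` sets `"default": [{"type": "insecureAcceptAnything"}]`, so images from every transport and every registry — not only the four search registries and `localhost:5000` named in `registries.conf` — are accepted with no signature or origin check, and an unqualified `podman pull foo` is resolved through the `docker.io`-first search list, which is exactly where name squatting bites. Tighten the default to `reject` and enumerate the registries actually pulled from under the `docker` transport, as below (add `containers-storage`/`dir` entries if local builds or `podman load` start being rejected); per-registry `signedBy` requirements can then be layered on later. Separately, `max_log_size = -1` in libpod.conf removes the only cap on container log growth, so one chatty container can fill the root filesystem — a finite value is safer. Note that `pause_image = "k8s.gcr.io/pause:3.1"` is pulled under this same policy, so it is covered by whatever allow-list is chosen.
```nix
  # … unchanged: environment.systemPackages and registries.conf …
  environment.etc."containers/policy.json".text = ''
    {
      "default": [ { "type": "reject" } ],
      "transports": {
        "docker": {
          "docker.io": [ { "type": "insecureAcceptAnything" } ],
          "registry.fedoraproject.org": [ { "type": "insecureAcceptAnything" } ],
          "registry.access.redhat.com": [ { "type": "insecureAcceptAnything" } ],
          "quay.io": [ { "type": "insecureAcceptAnything" } ],
          "localhost:5000": [ { "type": "insecureAcceptAnything" } ]
        },
        "docker-daemon": { "": [ { "type": "insecureAcceptAnything" } ] }
      }
    }
  '';
  # … unchanged: CNI network configs and libpod.conf …
```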
+++ b/nix/os/profiles/removable-medium/hw.nix
@@ -1,4 +1,6 @@
-_: {
- hardware.opinionatedDisk.enable = true;
+{ ... }:
+
+{
+ hardware.encryptedDisk.enable = true;
 hardware.enableAllFirmware = true;
 }
diff --git a/nix/os/profiles/removable-medium/pkg.nix b/nix/os/profiles/removable-medium/pkg.nix
index d27081f..7b9ee0e 100644
--- a/nix/os/profiles/removable-medium/pkg.nix
+++ b/nix/os/profiles/removable-medium/pkg.nix
@@ -1,6 +1,7 @@
-{ pkgs, ... }:
+{ pkgs
+, ...
+}:
+
 {
- home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix {
- inherit pkgs;
- };
+ home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix { inherit pkgs; };
 }
diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix
index 243edf7..fccfc9e 100644
--- a/nix/os/profiles/removable-medium/system.nix
+++ b/nix/os/profiles/removable-medium/system.nix
@@ -1,6 +1,9 @@
-_: {
- services.illum.enable = true;
+{ config, lib, pkgs, ... }:
+
+let
+
+in {
 services.printing = {
 enable = false;
 };
 }
diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix
deleted file mode 100644
index 090217e..0000000
--- a/nix/os/snippets/bluetooth.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ pkgs, ... }:
-{
- # required for running blueman-applet in user sessions
- services.dbus.packages = with pkgs; [ blueman ];
- hardware.bluetooth.enable = true;
- services.blueman.enable = true;
-}
diff --git a/nix/os/snippets/holo-zerotier.nix b/nix/os/snippets/holo-zerotier.nix
deleted file mode 100644
index 4371b78..0000000
--- a/nix/os/snippets/holo-zerotier.nix
+++ /dev/null
@@ -1,53 +0,0 @@ -{ config, lib, ... }: -let - cfg = config.steveej.holo-zerotier; -in -{ - options.steveej.holo-zerotier = { - enable = lib.mkEnableOption "Enable holo-zerotier"; - autostart = lib.mkOption { default = false; }; - }; - - config = { - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ]; - - services.zerotierone = { - inherit (cfg) enable; - joinNetworks = [ - # moved to the service below as it's now secret - ]; - }; - - systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); - - systemd.services.zerotieroneSecretNetworks = { - inherit (cfg) enable; - requiredBy = [ "zerotierone.service" ]; - partOf = [ "zerotierone.service" ]; - - serviceConfig.Type = "oneshot"; - serviceConfig.RemainAfterExit = true; - - script = - let - secret = config.sops.secrets.zerotieroneNetworks; - in - '' - # include the secret's hash to trigger a restart on change - # ${builtins.hashString "sha256" (builtins.toJSON secret)} - - ${config.systemd.services.zerotierone.preStart} - - rm -rf /var/lib/zerotier-one/networks.d/*.conf - for network in `grep -v '#' ${secret.path}`; do - touch /var/lib/zerotier-one/networks.d/''${network}.conf - done - ''; - }; - - sops.secrets.zerotieroneNetworks = { - sopsFile = ../../../secrets/work-holo/zerotierone.txt; - format = "binary"; - }; - }; -} diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix deleted file mode 100644 index 47ddd8a..0000000 --- a/nix/os/snippets/home-manager-with-zsh.nix +++ /dev/null 
@@ -1,43 +0,0 @@ -{ - nodeFlake, - repoFlake, - repoFlakeInputs', - packages', - pkgs, - ... -}: -let - # TODO: make this configurable - homeUser = "steveej"; - commonHomeImports = [ - ../../home-manager/profiles/common.nix - ../../home-manager/programs/neovim.nix - ../../home-manager/programs/zsh.nix - ]; -in -{ - imports = [ nodeFlake.inputs.home-manager.nixosModules.home-manager ]; - - # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager - # home-manager.extraSpecialArgs = specialArgs; - # hence, opt for passing the arguments selectively instead - home-manager.extraSpecialArgs = { - inherit - repoFlake - repoFlakeInputs' - packages' - nodeFlake - ; - }; - - home-manager.useGlobalPkgs = false; - home-manager.useUserPackages = true; - - home-manager.users.root = _: { imports = commonHomeImports; }; - - home-manager.users."${homeUser}" = _: { imports = commonHomeImports; }; - - programs.zsh.enable = true; - users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = [ "/share/zsh" ]; -} diff --git a/nix/os/snippets/k3s-w-nix-snapshotter.nix b/nix/os/snippets/k3s-w-nix-snapshotter.nix deleted file mode 100644 index 1774650..0000000 --- a/nix/os/snippets/k3s-w-nix-snapshotter.nix +++ /dev/null 
@@ -1,58 +0,0 @@ -# experiment with k3s, nix-snapshotter, and nixos images -{ - nodeFlake, - pkgs, - lib, - system, - config, - ... -}: -let - cfg = config.steveej.k3s; - -in -# TODO: make this configurable -{ - options.steveej.k3s = { - enable = lib.mkOption { - description = "steveej's k3s distro"; - type = lib.types.bool; - default = true; - }; - }; - - # (1) Import nixos module. - imports = [ nodeFlake.inputs.nix-snapshotter.nixosModules.default ]; - - config = lib.mkIf cfg.enable { - # (2) Add overlay. - nixpkgs.overlays = [ nodeFlake.inputs.nix-snapshotter.overlays.default ]; - - # (3) Enable service. - virtualisation.containerd = { - enable = true; - nixSnapshotterIntegration = true; - - # TODO: understand if this has an influence on the systemd LoadCredential issue - # settings.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = lib.mkForce true; - }; - services.nix-snapshotter = { - enable = true; - }; - - # (4) Add a containerd CLI like nerdctl. - environment.systemPackages = [ - pkgs.nerdctl - nodeFlake.inputs.nix-snapshotter.packages.${system}.default - ]; - - services.k3s = { - enable = false; - setKubeConfig = true; - }; - - # home-manager.users."${homeUser}" = _: { - # home.sessionVariables.CONTAINERD_ADDRESS = "/run/user/1000/containerd/containerd.sock"; - # }; - }; -} diff --git a/nix/os/snippets/mycelium.nix b/nix/os/snippets/mycelium.nix deleted file mode 100644 index 990477e..0000000 --- a/nix/os/snippets/mycelium.nix +++ /dev/null 
@@ -1,32 +0,0 @@ -{ - repoFlake, - nodeName, - config, - lib, - ... -}: -let - cfg.autostart = false; -in -{ - imports = [ ]; - - sops.secrets.mycelium-key = { - format = "binary"; - sopsFile = repoFlake + "/secrets/${nodeName}/mycelium_priv_key.bin.enc"; - }; - - services.mycelium = { - enable = true; - # package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd; - keyFile = config.sops.secrets.mycelium-key.path; - addHostedPublicNodes = true; - peers = [ ]; - - # tunName = "mycelium-pub"; - - extraArgs = [ ]; - }; - - systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); -} diff --git a/nix/os/snippets/nix-settings-holo-chain.nix b/nix/os/snippets/nix-settings-holo-chain.nix deleted file mode 100644 index b660f1c..0000000 --- a/nix/os/snippets/nix-settings-holo-chain.nix +++ /dev/null @@ -1,16 +0,0 @@ -_: { - nix.settings = { - substituters = [ - "https://holochain-ci.cachix.org" - "https://holochain-ci-internal.cachix.org" - # "https://cache.holo.host/" - ]; - - trusted-public-keys = [ - "holochain-ci.cachix.org-1:5IUSkZc0aoRS53rfkvH9Kid40NpyjwCMCzwRTXy+QN8=" - "holochain-ci-internal.cachix.org-1:QvVsSrTiearCjrLTVtNtJOdQCDTseXh7UXUuSMx46NE=" - "cache.holo.host-1:lNXIXtJgS9Iuw4Cu6X0HINLu9sTfcjEntnrgwMQIMcE=" - "cache.holo.host-2:ZJCkX3AUYZ8soxTLfTb60g+F3MkWD7hkH9y8CgqwhDQ=" - ]; - }; -} diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix deleted file mode 100644 index 99d26d4..0000000 --- a/nix/os/snippets/nix-settings.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{ - nodeFlake, - pkgs, - lib, - ... -}: -{ - nix.daemonCPUSchedPolicy = "idle"; - nix.daemonIOSchedClass = "idle"; - nix.settings.max-jobs = lib.mkDefault "auto"; - nix.settings.cores = lib.mkDefault 0; - nix.settings.sandbox = true; - nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - "ca-derivations" - "recursive-nix" - ]; - - nix.settings.system-features = [ - "recursive-nix" - "big-parallel" - "kvm" - "nixos-test" - ]; - - # nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; - nix.registry.nixpkgs.to = { - type = "path"; - path = nodeFlake.inputs.nixpkgs.outPath; - inherit (nodeFlake.inputs.nixpkgs) narHash; - }; - - nix.package = pkgs.nixVersions.latest; -} diff --git a/nix/os/snippets/obs-studio.nix b/nix/os/snippets/obs-studio.nix deleted file mode 100644 index 8a99fcb..0000000 --- a/nix/os/snippets/obs-studio.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, ... }: -let - # TODO: make configurable - homeUser = "steveej"; -in -{ - boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ]; - - # Activate kernel modules (choose from built-ins and extra ones) - boot.kernelModules = [ - # Virtual Camera - "v4l2loopback" - # Virtual Microphone, built-in - "snd-aloop" - ]; - - # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming - # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams - # https://github.com/umlaeute/v4l2loopback - boot.extraModprobeConfig = '' - options v4l2loopback devices=1 video_nr=1 card_label="OBSCam" exclusive_caps=1 - ''; - - security.polkit.enable = true; - - home-manager.users.${homeUser} = _: { imports = [ ../../home-manager/programs/obs-studio.nix ]; }; -} diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix deleted file mode 100644 index 709b601..0000000 --- a/nix/os/snippets/radicale.nix +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - config, - pkgs, - repoFlakeInputs', - ... -}: -let - # TODO: make configurable - homeUser = "steveej"; -in -{ - sops.secrets.radicale_htpasswd = { - sopsFile = ../../../secrets/desktop/radicale_htpasswd; - format = "binary"; - owner = config.users.users."${homeUser}".name; - }; - - home-manager.users.${homeUser} = _: { - imports = [ - # TODO: bump these to latest and make it work - ( - args: - import ../../home-manager/programs/radicale.nix ( - args - // { - osConfig = config; - pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; - } - ) - ) - ]; - }; -} diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix deleted file mode 100644 index df40e2b..0000000 --- a/nix/os/snippets/sway-desktop.nix +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: -let - # TODO: make this configurable - homeUser = "steveej"; -in -{ - services.xserver.serverFlagsSection = '' - Option "BlankTime" "0" - Option "StandbyTime" "0" - Option "SuspendTime" "0" - Option "OffTime" "0" - ''; - - hardware.graphics.enable = true; - - services.gvfs = { - enable = true; - package = lib.mkForce pkgs.gnome.gvfs; - }; - - environment.systemPackages = with pkgs; [ - # provides a default authentification client for policykit - lxqt.lxqt-policykit - ]; - - # required by swaywm - security.polkit.enable = true; - security.pam.services.swaylock = { }; - - # test these on https://mozilla.github.io/webrtc-landing/gum_test.html - xdg.portal = { - enable = true; - # FIXME: `true` breaks xdg-open from alacritty: - # $ xdg-open "https://github.com/" - # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop - xdgOpenUsePortal = false; - - wlr = { - enable = true; - settings = { - screencast = { - chooser_type = "dmenu"; - # display the output as a list in favor of the default mouse selection - chooser_cmd = lib.getExe ( - pkgs.writeShellApplication { - name = "chooser_cmd"; - runtimeInputs = [ - pkgs.sway - pkgs.jq - pkgs.fuzzel - pkgs.gnused - ]; - text = '' - swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//' - ''; - } - ); - max_fps = 30; - }; - }; - }; - - # keep the behaviour in < 1.17, which uses the first portal implementation found in lexicographical order, use the following: - config = { - common = { - default = [ - "wlr" - "gtk" - ]; - }; - }; - - extraPortals = [ - # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr - - pkgs.xdg-desktop-portal-gtk - # (pkgs.xdg-desktop-portal-gtk.override (_: { - # buildPortalsInGnome = false; - # })) - ]; - }; - - # rtkit 
is optional but recommended - security.rtkit.enable = true; - services.pipewire = { - audio.enable = true; - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - wireplumber.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - }; - - security.pam.services.getty.enableGnomeKeyring = true; - security.pam.services."autovt@tty1".enableGnomeKeyring = true; - services.gnome.gnome-keyring.enable = true; - - # autologin steveej on tty1 - # TODO: make user configurable - systemd.services."autovt@tty1".description = "Autologin at the TTY1"; - systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty - systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; - systemd.services."autovt@tty1".serviceConfig = { - ExecStart = [ - "" # override upstream default with an empty ExecStart - "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM" - ]; - Restart = "always"; - Type = "idle"; - }; - - programs = - let - steveejSwayOnTty1 = '' - if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then - exec sway - fi - ''; - in - { - bash.loginShellInit = steveejSwayOnTty1; - # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion - zsh.loginShellInit = steveejSwayOnTty1; - }; - - home-manager.users."${homeUser}" = _: { - imports = [ ../../home-manager/profiles/sway-desktop.nix ]; - }; -} diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix deleted file mode 100644 index f7c2301..0000000 --- a/nix/os/snippets/systemd-resolved.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ lib, ... }: -{ - networking.nameservers = [ - # https://dnsforge.de/ - "176.9.93.198" - "176.9.1.117" - - # TODO: enable IPv6 - # "2a01:4f8:151:34aa::198" - # "2a01:4f8:141:316d::117" - ]; - - services.resolved = { - enable = true; - dnssec = "true"; - domains = [ "~." ]; - - # TODO: figure out why "true" doesn't work - dnsovertls = "opportunistic"; - - fallbackDns = lib.mkForce [ ]; - - # TODO: IPv6 - # extraConfig = '' - # DNSStubListenerExtra=[::1]:53 - # ''; - }; -} diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix deleted file mode 100644 index 67db1e8..0000000 --- a/nix/os/snippets/timezone.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ lib, ... }: -let - passwords = import ../../variables/passwords.crypt.nix; -in -{ - time.timeZone = lib.mkDefault passwords.timeZone.stefan; -} diff --git a/nix/overlays/default.nix b/nix/overlays/default.nix new file mode 100644 index 0000000..e412c8d --- /dev/null +++ b/nix/overlays/default.nix @@ -0,0 +1,5 @@ +{ + overrides = import ./overrides.nix; + pkgs = import ./pkgs.nix; + posh = import ./posh.nix; +} diff --git a/nix/overlays/overrides.nix b/nix/overlays/overrides.nix new file mode 100644 index 0000000..92516fc --- /dev/null +++ b/nix/overlays/overrides.nix 
@@ -0,0 +1,47 @@ +# This overlay is used for overriding upstream packages. + +self: super: + +let + nixpkgs-master = import { inherit (super) config; }; + +in { + inherit nixpkgs-master; + + # alacritty = nixpkgs-master.alacritty; + alacritty = super.stdenv.mkDerivation { + name = "alacritty-custom"; + buildInputs = [ super.makeWrapper ]; + phases = "installPhase"; + installPhase = '' + makeWrapper ${self.nixpkgs-master.alacritty}/bin/alacritty $out/bin/alacritty \ + --set-default WINIT_X11_SCALE_FACTOR 1.4 + ''; + }; + + roxterm = super.stdenv.mkDerivation { + name = "roxterm-custom"; + buildInputs = [ super.makeWrapper ]; + phases = "installPhase"; + installPhase = '' + makeWrapper ${super.roxterm}/bin/roxterm $out/bin/roxterm \ + --add-flags "--separate" + ''; + }; + + # TODO: facetimehd is currfently broken (https://github.com/NixOS/nixpkgs/pull/72804) + facetimehd-firmware = super.hello; + + qtile = self.nixpkgs-master.qtile.overrideAttrs(oldAttrs: { + pythonPath = oldAttrs.pythonPath ++ (with self.python37Packages; [ + psutil + dbus-python + pyxdg + mpd2 + # python-wifi + # iwlib + dateutil + keyring + ]); + }); +} diff --git a/nix/overlays/pkgs.nix b/nix/overlays/pkgs.nix new file mode 100644 index 0000000..b6b57ef --- /dev/null +++ b/nix/overlays/pkgs.nix @@ -0,0 +1,18 @@ +# This overlay includes all packages defined by the top-level default.nix. +# The code is copied from the NUR repository [0]. +# +# [0]: https://github.com/nix-community/nur-packages-template/blob/2610a5b60bd926cea3e6395511da8f0d14c613b9/overlay.nix + +self: super: + +let + + isReserved = n: n == "lib" || n == "overlays" || n == "modules"; + nameValuePair = n: v: { name = n; value = v; }; + nurAttrs = import ../pkgs { pkgs = super; }; + +in + builtins.listToAttrs + (map (n: nameValuePair n nurAttrs.${n}) + (builtins.filter (n: !isReserved n) + (builtins.attrNames nurAttrs))) diff --git a/nix/overlays/posh.nix b/nix/overlays/posh.nix new file mode 100644 index 0000000..6c8905d 
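Review bot: `nixpkgs-master = import { inherit (super) config; }` in overrides.nix (the `<…>` search-path name appears to have been lost in this rendering) evaluates a second, unpinned nixpkgs from whatever NIX_PATH resolves to at evaluation time, and `alacritty` and `qtile` are then built from it; posh.nix below does the same for `podman`, `conmon`, `slirp4netns` and `crun`. Two machines, or one machine on two days, can thus build different code with no hash recorded anywhere, which undoes the pinning the rest of this tree relies on. Pin it with a fixed-output fetch, e.g. `nixpkgs-master = import (builtins.fetchTarball { url = "…/nixpkgs/archive/<rev>.tar.gz"; sha256 = "…"; }) { inherit (super) config; };` with the real rev and hash (or a niv-style json pin), and let posh.nix reuse `self.nixpkgs-master` instead of evaluating nixpkgs a second time. `facetimehd-firmware = super.hello` is a silent stand-in that makes the attribute look present; a comment on that line naming the linked PR and the intent to drop the override once it is fixed would help.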
--- /dev/null +++ b/nix/overlays/posh.nix @@ -0,0 +1,20 @@ +self: super: + +let + nixpkgs-master = import {}; + + inherit (nixpkgs-master) crun; + crun_10_6_0 = crun.overrideAttrs (oldAttrs: rec { + version = "0.10.6"; + src = super.fetchgit { + inherit (crun.src) url; + rev = version; + sha256 = "0v1hrlpnln0c976fb0k2ig4jv11qbyzf95z0wy92fd8r8in16rc1"; + }; + }); + +in { + inherit (nixpkgs-master) podman conmon slirp4netns; + crun = crun_10_6_0; + posh = self.callPackage ../pkgs/posh.nix {}; +} diff --git a/nix/pkgs/browserpass/default.nix b/nix/pkgs/browserpass/default.nix index 34a6977..a98268e 100644 --- a/nix/pkgs/browserpass/default.nix +++ b/nix/pkgs/browserpass/default.nix @@ -1,27 +1,28 @@ -with import { }; +with import {}; + stdenv.mkDerivation rec { - broken = true; + broken = true; - name = "browserpass"; - version = "2.0.9"; + name = "browserpass"; + version = "2.0.9"; - src = fetchzip { - url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; - sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; - stripRoot = false; - }; + src = fetchzip { + url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; + sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; + stripRoot = false; + }; - buildPhase = ":"; + buildPhase = '':''; - libPath = lib.makeLibraryPath [ ]; - installPhase = '' - set -x - patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 + libPath = lib.makeLibraryPath [ ]; + installPhase = '' + set -x + patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 - mkdir -p $out/bin - cp -a * $out/bin/ - # wrapProgram $out/bin/browserpass-linux64 \ - # --prefix LD_LIBRARY_PATH : "${libPath}" - # - ''; + mkdir -p $out/bin + cp -a * $out/bin/ +# wrapProgram $out/bin/browserpass-linux64 \ +# --prefix LD_LIBRARY_PATH : "${libPath}" +# + ''; } 
diff --git a/nix/pkgs/dcpj4110dw/default.nix b/nix/pkgs/dcpj4110dw/default.nix
deleted file mode 100644
index 93f59c7..0000000
--- a/nix/pkgs/dcpj4110dw/default.nix
+++ /dev/null
@@ -1,146 +0,0 @@ -{ - pkgsi686Linux, - stdenv, - fetchurl, - dpkg, - makeWrapper, - coreutils, - ghostscript, - gnugrep, - gnused, - which, - lib, - cups, - a2ps, - gawk, - file, - proot, - bash, -}: -let - model = "dcpj4110dw"; - version = "3.0.1-1"; - src = fetchurl { - url = "https://download.brother.com/welcome/dlf005595/${model}lpr-${version}.i386.deb"; - sha256 = "sha256-ryKDsSkabAD2X3WLmeqjdB3+4DXdJ0qUz3O64DV+ixw="; - }; - reldir = "opt/brother/Printers/${model}/"; -in -rec { - driver = pkgsi686Linux.stdenv.mkDerivation rec { - inherit src version; - name = "${model}drv-${version}"; - - nativeBuildInputs = [ - dpkg - makeWrapper - ]; - - unpackPhase = "dpkg-deb -x $src $out"; - - installPhase = '' - # need to use i686 glibc here, these are 32bit proprietary binaries - patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/${reldir}/lpd/br${model}filter - - mkdir -p $out/lib/cups/filter/ - ln -s $out/${reldir}/lpd/filter${model} $out/lib/cups/filter/brother_lpdwrapper_${model} - - # use proot to bind /opt for the filter - mv $out/${reldir}/lpd/filter${model} $out/${reldir}/lpd/.wrapped_filter${model} - - cat <<-EOF >$out/${reldir}/lpd/.wrapper_inner_filter${model} - export PATH=\$PATH:${ - lib.makeBinPath [ - gawk - file - a2ps - coreutils - ghostscript - gnugrep - gnused - which - ] - } - exec $out/${reldir}/lpd/.wrapped_filter${model} - EOF - chmod +x $out/${reldir}/lpd/.wrapper_inner_filter${model} - - cat <<-EOF >$out/${reldir}/lpd/filter${model} - #!${bash}/bin/bash - exec ${proot}/bin/proot \ - -b /nix/store:/nix/store \ - -b $out/opt:/opt \ - -b ${cups}/share:/usr/share/cups \ - $out/${reldir}/lpd/.wrapper_inner_filter${model} - EOF - chmod +x $out/${reldir}/lpd/filter${model} - ''; - - meta = { - description = "Brother ${lib.strings.toUpper model} driver"; - homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; - # license = lib.licenses.unfree; - platforms = [ - "x86_64-linux" 
- "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; - }; - }; - - cupswrapper = stdenv.mkDerivation rec { - inherit version; - - src = fetchurl { - url = "https://download.brother.com/welcome/dlf005597/${model}cupswrapper-${version}.i386.deb"; - sha256 = "sha256-nwpuuXqBrEh5tye14gFLrezktTz6kq7HtnGqdBbgGkk="; - }; - - name = "${model}cupswrapper-${version}"; - - nativeBuildInputs = [ - dpkg - makeWrapper - ]; - buildInputs = [ - cups - ghostscript - a2ps - gawk - ]; - - unpackPhase = "dpkg-deb -x $src $out"; - - installPhase = '' - wrapProgram $out/${reldir}/cupswrapper/cupswrapper${model} \ - --prefix PATH : ${ - lib.makeBinPath [ - coreutils - ghostscript - gnugrep - gnused - ] - } - - patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/${reldir}/cupswrapper/brcupsconfpt1 - - mkdir -p $out/share/cups/model - ln -s $out/${reldir}/cupswrapper/brother_${model}_printer_en.ppd $out/share/cups/model/ - ''; - - meta = { - description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; - homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; - license = lib.licenses.gpl2; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; - }; - }; -} diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix index 78b37a6..a4c21e9 100644 --- a/nix/pkgs/default.nix +++ b/nix/pkgs/default.nix 
@@ -1,8 +1,112 @@ { pkgs }: -{ - duplicacy = pkgs.callPackage ../pkgs/duplicacy { }; - staruml = pkgs.callPackage ../pkgs/staruml.nix { - inherit (pkgs.gnome2) GConf; - libgcrypt = pkgs.libgcrypt_1_5; +let + +in rec { + nixpkgs-master = import {}; + + linuxPackages_sgx_540rc3 = let + linux_sgx_pkg = { fetchurl, buildLinux, ... } @ args: + + buildLinux (args // rec { + version = "5.4.0-rc3"; + modDirVersion = version; + + src = fetchurl { + url = "https://github.com/jsakkine-intel/linux-sgx/archive/v23.tar.gz"; + sha256 = "11rwlwv7s071ia889dk1dgrxprxiwgi7djhg47vi56dj81jgib20"; + }; + kernelPatches = []; + + extraConfig = '' + INTEL_SGX y + ''; + + extraMeta.branch = "5.4"; + } // (args.argsOverride or {})); + linux_sgx = pkgs.callPackage linux_sgx_pkg {}; + in + pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor linux_sgx); + linuxPackages_sgx_latest = linuxPackages_sgx_540rc3; + + busyboxStatic = pkgs.busybox.override { + enableStatic = true; + extraConfig = '' + CONFIG_STATIC y + CONFIG_INSTALL_APPLET_DONT y + CONFIG_INSTALL_APPLET_SYMLINKS n + ''; }; + dropbearStatic = pkgs.dropbear.override { + enableStatic = true; + }; + + php5 = let + nixpkgsWithPhp5 = pkgs.fetchFromGitHub { + owner = "nixos"; + repo = "nixpkgs-channels"; + rev = "pkgs"; + sha256 = "1qifgc1q2i4g0ivpfjnxp4jl2cc82gfjws08dsllgw7q7kw4b4rb"; + }; + php5 = (pkgs.callPackage "${nixpkgsWithPhp5}/pkgs/development/interpreters/php/default.nix" { + config = (pkgs.lib.attrsets.recursiveUpdate + pkgs.config + { + php = { + imap = false; + openssl = false; + curl = false; + ldap = false; + mcrypt = false; + }; + } + ); + stdenv = pkgs.llvmPackages_6.stdenv; #broken + icu = pkgs.icu60; + }).php56; + in + php5 + .overrideAttrs(attrs: rec { + # See https://secure.php.net/ChangeLog-5.php + version = "5.6.40"; + name = "php-${version}"; + + sha256 = "005s7w167dypl41wlrf51niryvwy1hfv53zxyyr3lm938v9jbl7z"; + src = pkgs.fetchurl { + url = "http://www.php.net/distributions/php-${version}.tar.bz2"; + inherit sha256; + }; + 
+ configureFlags = attrs.configureFlags ++ [ + "--without-fpm-systemd" + ]; + + }); + + duplicacy = pkgs.callPackage ../pkgs/duplicacy {}; + mfcl3770cdw = pkgs.callPackage ../pkgs/mfcl3770cdw.nix {}; + staruml = pkgs.callPackage ../pkgs/staruml.nix { inherit (pkgs.gnome2) GConf; libgcrypt = pkgs.libgcrypt_1_5; }; + + myPython = pkgs.python37Full.withPackages (ps: with ps; [ + pep8 yapf flake8 + # autopep8 (broken) + # pylint (broken) + ipython + llfuse + dugong + defusedxml + wheel + pip + virtualenv + cffi + pyopenssl + urllib3 + mistune + + flask + + pyaml + ] ++ [ + pkgs.pypi2nix + pkgs.libffi + ]); } diff --git a/nix/pkgs/duplicacy/default.nix b/nix/pkgs/duplicacy/default.nix index b961a17..9aed9df 100644 --- a/nix/pkgs/duplicacy/default.nix +++ b/nix/pkgs/duplicacy/default.nix @@ -1,4 +1,7 @@ -{ buildGoPackage, fetchFromGitHub }: +{ buildGoPackage +, fetchFromGitHub +}: + buildGoPackage rec { name = "duplicay-${version}"; version = "2.1.2"; diff --git a/nix/pkgs/duplicacy/deps.nix b/nix/pkgs/duplicacy/deps.nix index 8621cb1..5511b2e 100644 --- a/nix/pkgs/duplicacy/deps.nix +++ b/nix/pkgs/duplicacy/deps.nix 
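Review bot: The new `php5` derivation pins PHP 5.6.40, a branch that stopped receiving security fixes at the end of 2018, and fetches it from `http://www.php.net/distributions/...` over plain HTTP; the fixed `sha256` does make the download tamper-evident, but nothing records why an end-of-life interpreter is being built, so a comment such as `# NOTE: PHP 5.6 is EOL (no security fixes since 2018-12); legacy-app testing only, never expose it` next to `php5 = let` would keep it from being reused casually. `nixpkgsWithPhp5` is fetched with `rev = "pkgs"`, which looks like a branch or tag name rather than a commit; the content is still pinned by its `sha256`, but the build will start failing the first time that ref moves, and a commit hash would make the pin explicit. `nixpkgs-master = import {};` applies `import` to an empty attribute set, which does not evaluate — presumably this was `import <nixpkgs-master> {}` with the angle brackets lost in rendering, but it is worth confirming in the actual file. The `linux_sgx` package builds a 5.4.0-rc3 kernel tree with `INTEL_SGX y` forced on from a GitHub `archive/v23.tar.gz`; that is acceptable for a fixed-output fetch, but `fetchFromGitHub` with the same hash would state owner, repo and ref more clearly.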
@@ -1,336 +1,336 @@ # file generated from Gopkg.lock using dep2nix (https://github.com/nixcloud/dep2nix) [ { - goPackagePath = "cloud.google.com/go"; + goPackagePath = "cloud.google.com/go"; fetch = { type = "git"; url = "https://code.googlesource.com/gocloud"; - rev = "2d3a6656c17a60b0815b7e06ab0be04eacb6e613"; + rev = "2d3a6656c17a60b0815b7e06ab0be04eacb6e613"; sha256 = "0fi3qj9fvc4bxbrwa1m5sxsb8yhvawiwigaddvmmizjykxbq5csq"; }; } { - goPackagePath = "github.com/Azure/azure-sdk-for-go"; + goPackagePath = "github.com/Azure/azure-sdk-for-go"; fetch = { type = "git"; url = "https://github.com/Azure/azure-sdk-for-go"; - rev = "b7fadebe0e7f5c5720986080a01495bd8d27be37"; + rev = "b7fadebe0e7f5c5720986080a01495bd8d27be37"; sha256 = "11zcmd17206byxhgz2a75qascilydlzjbz73l2mrqng3yyr20yk1"; }; } { - goPackagePath = "github.com/Azure/go-autorest"; + goPackagePath = "github.com/Azure/go-autorest"; fetch = { type = "git"; url = "https://github.com/Azure/go-autorest"; - rev = "0ae36a9e544696de46fdadb7b0d5fb38af48c063"; + rev = "0ae36a9e544696de46fdadb7b0d5fb38af48c063"; sha256 = "0f2qcv24l9bx3jys2m9ycyy77vqlx7dbfa3frxlk19wnrwiv3p6g"; }; } { - goPackagePath = "github.com/aryann/difflib"; + goPackagePath = "github.com/aryann/difflib"; fetch = { type = "git"; url = "https://github.com/aryann/difflib"; - rev = "e206f873d14a916d3d26c40ab667bca123f365a3"; + rev = "e206f873d14a916d3d26c40ab667bca123f365a3"; sha256 = "00zb9sx6l6b2zq614x45zlyshl20zjhwfj8r5krw4f9y0mx3n2dm"; }; } { - goPackagePath = "github.com/aws/aws-sdk-go"; + goPackagePath = "github.com/aws/aws-sdk-go"; fetch = { type = "git"; url = "https://github.com/aws/aws-sdk-go"; - rev = "a32b1dcd091264b5dee7b386149b6cc3823395c9"; + rev = "a32b1dcd091264b5dee7b386149b6cc3823395c9"; sha256 = "1yicb7l6m4hs3mi724hz74wn8305qvx6g73mjqafaaqvh6dyn86m"; }; } { - goPackagePath = "github.com/bkaradzic/go-lz4"; + goPackagePath = "github.com/bkaradzic/go-lz4"; fetch = { type = "git"; url = "https://github.com/bkaradzic/go-lz4"; - rev = 
"74ddf82598bc4745b965729e9c6a463bedd33049"; + rev = "74ddf82598bc4745b965729e9c6a463bedd33049"; sha256 = "1vdid8v0c2v2qhrg9rzn3l7ya1h34jirrxfnir7gv7w6s4ivdvc1"; }; } { - goPackagePath = "github.com/dgrijalva/jwt-go"; + goPackagePath = "github.com/dgrijalva/jwt-go"; fetch = { type = "git"; url = "https://github.com/dgrijalva/jwt-go"; - rev = "dbeaa9332f19a944acb5736b4456cfcc02140e29"; + rev = "dbeaa9332f19a944acb5736b4456cfcc02140e29"; sha256 = "0zk6l6kzsjdijfn7c4h0aywdjx5j2hjwi67vy1k6wr46hc8ks2hs"; }; } { - goPackagePath = "github.com/gilbertchen/azure-sdk-for-go"; + goPackagePath = "github.com/gilbertchen/azure-sdk-for-go"; fetch = { type = "git"; url = "https://github.com/gilbertchen/azure-sdk-for-go"; - rev = "bbf89bd4d716c184f158d1e1428c2dbef4a18307"; + rev = "bbf89bd4d716c184f158d1e1428c2dbef4a18307"; sha256 = "14563izc2y05k8s20fmhanvjydbcq8k5adp4cgw91d9bs52qivx7"; }; } { - goPackagePath = "github.com/gilbertchen/cli"; + goPackagePath = "github.com/gilbertchen/cli"; fetch = { type = "git"; url = "https://github.com/gilbertchen/cli"; - rev = "1de0a1836ce9c3ae1bf737a0869c4f04f28a7f98"; + rev = "1de0a1836ce9c3ae1bf737a0869c4f04f28a7f98"; sha256 = "00vbyjsn009cqg24sxcizq10rgicnmrv0f8jg3fa1fw6yp5gqdl5"; }; } { - goPackagePath = "github.com/gilbertchen/go-dropbox"; + goPackagePath = "github.com/gilbertchen/go-dropbox"; fetch = { type = "git"; url = "https://github.com/gilbertchen/go-dropbox"; - rev = "90711b603312b1f973f3a5da3793ac4f1e5c2f2a"; + rev = "90711b603312b1f973f3a5da3793ac4f1e5c2f2a"; sha256 = "0y2ydl3mjbkfbqyygrwq7vqig9hjh7cxvzsn2gxc1851haqp4h19"; }; } { - goPackagePath = "github.com/gilbertchen/go-ole"; + goPackagePath = "github.com/gilbertchen/go-ole"; fetch = { type = "git"; url = "https://github.com/gilbertchen/go-ole"; - rev = "0e87ea779d9deb219633b828a023b32e1244dd57"; + rev = "0e87ea779d9deb219633b828a023b32e1244dd57"; sha256 = "1d937b4i9mrwfgs1s17qhbd78dcd97wwm8zsajkarky8d55rz1bw"; }; } { - goPackagePath = "github.com/gilbertchen/go.dbus"; + 
goPackagePath = "github.com/gilbertchen/go.dbus"; fetch = { type = "git"; url = "https://github.com/gilbertchen/go.dbus"; - rev = "9e442e6378618c083fd3b85b703ffd202721fb17"; + rev = "9e442e6378618c083fd3b85b703ffd202721fb17"; sha256 = "0q8ld38gnr4adzw5287lw5f5l14yp8slxsz1za5ryrkprh04bhkv"; }; } { - goPackagePath = "github.com/gilbertchen/goamz"; + goPackagePath = "github.com/gilbertchen/goamz"; fetch = { type = "git"; url = "https://github.com/gilbertchen/goamz"; - rev = "eada9f4e8cc2a45db775dee08a2c37597ce4760a"; + rev = "eada9f4e8cc2a45db775dee08a2c37597ce4760a"; sha256 = "0v6i4jdly06wixmm58ygxh284hnlbfxczvcwxvywiyy9bp5qyaid"; }; } { - goPackagePath = "github.com/gilbertchen/gopass"; + goPackagePath = "github.com/gilbertchen/gopass"; fetch = { type = "git"; url = "https://github.com/gilbertchen/gopass"; - rev = "bf9dde6d0d2c004a008c27aaee91170c786f6db8"; + rev = "bf9dde6d0d2c004a008c27aaee91170c786f6db8"; sha256 = "1jxzyfnqi0h1fzlsvlkn10bncic803bfhslyijcxk55mgh297g45"; }; } { - goPackagePath = "github.com/gilbertchen/keyring"; + goPackagePath = "github.com/gilbertchen/keyring"; fetch = { type = "git"; url = "https://github.com/gilbertchen/keyring"; - rev = "8855f5632086e51468cd7ce91056f8da69687ef6"; + rev = "8855f5632086e51468cd7ce91056f8da69687ef6"; sha256 = "1ja623dqnhkr1cvynrcai10s8kn2aiq53cvd8yxr47bb8i2a2q1m"; }; } { - goPackagePath = "github.com/gilbertchen/xattr"; + goPackagePath = "github.com/gilbertchen/xattr"; fetch = { type = "git"; url = "https://github.com/gilbertchen/xattr"; - rev = "68e7a6806b0137a396d7d05601d7403ae1abac58"; + rev = "68e7a6806b0137a396d7d05601d7403ae1abac58"; sha256 = "120lq8vasc5yh0ajczsdpi8cfzgi4ymrnphgqdfcar3b9rsvx80b"; }; } { - goPackagePath = "github.com/go-ini/ini"; + goPackagePath = "github.com/go-ini/ini"; fetch = { type = "git"; url = "https://github.com/go-ini/ini"; - rev = "32e4c1e6bc4e7d0d8451aa6b75200d19e37a536a"; + rev = "32e4c1e6bc4e7d0d8451aa6b75200d19e37a536a"; sha256 = 
"0mhgxw5q6b0pryhikx3k4wby7g32rwjjljzihi47lwn34kw5y1qn"; }; } { - goPackagePath = "github.com/golang/protobuf"; + goPackagePath = "github.com/golang/protobuf"; fetch = { type = "git"; url = "https://github.com/golang/protobuf"; - rev = "1e59b77b52bf8e4b449a57e6f79f21226d571845"; + rev = "1e59b77b52bf8e4b449a57e6f79f21226d571845"; sha256 = "19bkh81wnp6njg3931wky6hsnnl2d1ig20vfjxpv450sd3k6yys8"; }; } { - goPackagePath = "github.com/googleapis/gax-go"; + goPackagePath = "github.com/googleapis/gax-go"; fetch = { type = "git"; url = "https://github.com/googleapis/gax-go"; - rev = "317e0006254c44a0ac427cc52a0e083ff0b9622f"; + rev = "317e0006254c44a0ac427cc52a0e083ff0b9622f"; sha256 = "0h92x579vbrv2fka8q2ddy1kq6a63qbqa8zc09ygl6skzn9gw1dh"; }; } { - goPackagePath = "github.com/jmespath/go-jmespath"; + goPackagePath = "github.com/jmespath/go-jmespath"; fetch = { type = "git"; url = "https://github.com/jmespath/go-jmespath"; - rev = "0b12d6b5"; + rev = "0b12d6b5"; sha256 = "1vv6hph8j6xgv7gwl9vvhlsaaqsm22sxxqmgmldi4v11783pc1ld"; }; } { - goPackagePath = "github.com/kr/fs"; + goPackagePath = "github.com/kr/fs"; fetch = { type = "git"; url = "https://github.com/kr/fs"; - rev = "2788f0dbd16903de03cb8186e5c7d97b69ad387b"; + rev = "2788f0dbd16903de03cb8186e5c7d97b69ad387b"; sha256 = "1c0fipl4rsh0v5liq1ska1dl83v3llab4k6lm8mvrx9c4dyp71ly"; }; } { - goPackagePath = "github.com/marstr/guid"; + goPackagePath = "github.com/marstr/guid"; fetch = { type = "git"; url = "https://github.com/marstr/guid"; - rev = "8bd9a64bf37eb297b492a4101fb28e80ac0b290f"; + rev = "8bd9a64bf37eb297b492a4101fb28e80ac0b290f"; sha256 = "081qrar6wwpmb2pq3swv4byh73r9riyhl2dwv0902d8jg3kwricm"; }; } { - goPackagePath = "github.com/minio/blake2b-simd"; + goPackagePath = "github.com/minio/blake2b-simd"; fetch = { type = "git"; url = "https://github.com/minio/blake2b-simd"; - rev = "3f5f724cb5b182a5c278d6d3d55b40e7f8c2efb4"; + rev = "3f5f724cb5b182a5c278d6d3d55b40e7f8c2efb4"; sha256 = 
"0b6jbnj62c0gmmfd4zdmh8xbg01p80f13yygir9xprqkzk6fikmd"; }; } { - goPackagePath = "github.com/ncw/swift"; + goPackagePath = "github.com/ncw/swift"; fetch = { type = "git"; url = "https://github.com/ncw/swift"; - rev = "ae9f0ea1605b9aa6434ed5c731ca35d83ba67c55"; + rev = "ae9f0ea1605b9aa6434ed5c731ca35d83ba67c55"; sha256 = "0a0iwynhgxsl3czabl7ajnxpyw6x0dzbiqz6il8aw7kn10ld1rvl"; }; } { - goPackagePath = "github.com/pkg/errors"; + goPackagePath = "github.com/pkg/errors"; fetch = { type = "git"; url = "https://github.com/pkg/errors"; - rev = "645ef00459ed84a119197bfb8d8205042c6df63d"; + rev = "645ef00459ed84a119197bfb8d8205042c6df63d"; sha256 = "001i6n71ghp2l6kdl3qq1v2vmghcz3kicv9a5wgcihrzigm75pp5"; }; } { - goPackagePath = "github.com/pkg/sftp"; + goPackagePath = "github.com/pkg/sftp"; fetch = { type = "git"; url = "https://github.com/pkg/sftp"; - rev = "98203f5a8333288eb3163b7c667d4260fe1333e9"; + rev = "98203f5a8333288eb3163b7c667d4260fe1333e9"; sha256 = "09wxyrhwwh20rzpzb06vsj8k2bmw52cjlx7j4115zhky27528sx9"; }; } { - goPackagePath = "github.com/satori/go.uuid"; + goPackagePath = "github.com/satori/go.uuid"; fetch = { type = "git"; url = "https://github.com/satori/go.uuid"; - rev = "f58768cc1a7a7e77a3bd49e98cdd21419399b6a3"; + rev = "f58768cc1a7a7e77a3bd49e98cdd21419399b6a3"; sha256 = "1j4s5pfg2ldm35y8ls8jah4dya2grfnx2drb4jcbjsyrp4cm5yfb"; }; } { - goPackagePath = "github.com/vaughan0/go-ini"; + goPackagePath = "github.com/vaughan0/go-ini"; fetch = { type = "git"; url = "https://github.com/vaughan0/go-ini"; - rev = "a98ad7ee00ec53921f08832bc06ecf7fd600e6a1"; + rev = "a98ad7ee00ec53921f08832bc06ecf7fd600e6a1"; sha256 = "1l1isi3czis009d9k5awsj4xdxgbxn4n9yqjc1ac7f724x6jacfa"; }; } { - goPackagePath = "golang.org/x/crypto"; + goPackagePath = "golang.org/x/crypto"; fetch = { type = "git"; url = "https://go.googlesource.com/crypto"; - rev = "9f005a07e0d31d45e6656d241bb5c0f2efd4bc94"; + rev = "9f005a07e0d31d45e6656d241bb5c0f2efd4bc94"; sha256 = 
"1mhmr6ljzl3iafsz4qy8vval7rmr828wh59dlqqqjqx6sqmcs1dv"; }; } { - goPackagePath = "golang.org/x/net"; + goPackagePath = "golang.org/x/net"; fetch = { type = "git"; url = "https://go.googlesource.com/net"; - rev = "9dfe39835686865bff950a07b394c12a98ddc811"; + rev = "9dfe39835686865bff950a07b394c12a98ddc811"; sha256 = "0z8mnl4mi88syafrgqys2ak2gg3yrbna25hpz88y3anl8x4jhg1a"; }; } { - goPackagePath = "golang.org/x/oauth2"; + goPackagePath = "golang.org/x/oauth2"; fetch = { type = "git"; url = "https://go.googlesource.com/oauth2"; - rev = "f95fa95eaa936d9d87489b15d1d18b97c1ba9c28"; + rev = "f95fa95eaa936d9d87489b15d1d18b97c1ba9c28"; sha256 = "0p9kis69wvhv8a2qbcjxvn9ggpdh81cbfjpq5pjga7n8k6d065fh"; }; } { - goPackagePath = "golang.org/x/sys"; + goPackagePath = "golang.org/x/sys"; fetch = { type = "git"; url = "https://go.googlesource.com/sys"; - rev = "82aafbf43bf885069dc71b7e7c2f9d7a614d47da"; + rev = "82aafbf43bf885069dc71b7e7c2f9d7a614d47da"; sha256 = "1jvngpvy0q40f7krkgmwf5bbjzhv449297awcr0y78kzn0cyawi2"; }; } { - goPackagePath = "golang.org/x/text"; + goPackagePath = "golang.org/x/text"; fetch = { type = "git"; url = "https://go.googlesource.com/text"; - rev = "88f656faf3f37f690df1a32515b479415e1a6769"; + rev = "88f656faf3f37f690df1a32515b479415e1a6769"; sha256 = "0zakmgg6dlwnkhignwjajn0dckzqq18zxvnmmg0fq6455x7fs673"; }; } { - goPackagePath = "google.golang.org/api"; + goPackagePath = "google.golang.org/api"; fetch = { type = "git"; url = "https://code.googlesource.com/google-api-go-client"; - rev = "17b5f22a248d6d3913171c1a557552ace0d9c806"; + rev = "17b5f22a248d6d3913171c1a557552ace0d9c806"; sha256 = "0gs78qsxfg89kpiiray1x9jiv6bh328jmjkwd3ghnygf3l98kc8c"; }; } { - goPackagePath = "google.golang.org/appengine"; + goPackagePath = "google.golang.org/appengine"; fetch = { type = "git"; url = "https://github.com/golang/appengine"; - rev = "150dc57a1b433e64154302bdc40b6bb8aefa313a"; + rev = "150dc57a1b433e64154302bdc40b6bb8aefa313a"; sha256 = 
"0w3knznv39k8bm85ri62f83czcrxknql7dv6p9hk1a5jx3xljgxq"; }; } { - goPackagePath = "google.golang.org/genproto"; + goPackagePath = "google.golang.org/genproto"; fetch = { type = "git"; url = "https://github.com/google/go-genproto"; - rev = "891aceb7c239e72692819142dfca057bdcbfcb96"; + rev = "891aceb7c239e72692819142dfca057bdcbfcb96"; sha256 = "1axim84fqzsp6iialk6zl4fsbfpx658vssc6ccakn4yy1xc9h854"; }; } { - goPackagePath = "google.golang.org/grpc"; + goPackagePath = "google.golang.org/grpc"; fetch = { type = "git"; url = "https://github.com/grpc/grpc-go"; - rev = "5a9f7b402fe85096d2e1d0383435ee1876e863d0"; + rev = "5a9f7b402fe85096d2e1d0383435ee1876e863d0"; sha256 = "1hlirgvmzb929jpb1dvh930646ih5ffg3b6pmlilqr7ffdkl5z3j"; }; } -] +] \ No newline at end of file diff --git a/nix/pkgs/duplicacy/shell.nix b/nix/pkgs/duplicacy/shell.nix index 045572c..72c40b1 100644 --- a/nix/pkgs/duplicacy/shell.nix +++ b/nix/pkgs/duplicacy/shell.nix @@ -1,4 +1,4 @@ -with import { }; +with import {}; stdenv.mkDerivation { name = "env"; buildInputs = [ @@ -7,6 +7,6 @@ stdenv.mkDerivation { go2nix dep2nix nix-prefetch-github - (callPackage ./default.nix { }) + (callPackage ./default.nix {}) ]; } diff --git a/nix/pkgs/jay.nix b/nix/pkgs/jay.nix deleted file mode 100644 index 9a7b0e5..0000000 --- a/nix/pkgs/jay.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ - lib, - src, - rustPlatform, - libinput, - libxkbcommon, - mesa, - pango, - udev, -}: -rustPlatform.buildRustPackage rec { - pname = "jay"; - version = src.rev; - - inherit src; - - cargoLock.lockFile = "${src}/Cargo.lock"; - - buildInputs = [ - libxkbcommon - mesa - pango - udev - libinput - ]; - - RUSTC_BOOTSTRAP = 1; - - meta = with lib; { - description = "A Wayland compositor written in Rust"; - homepage = "https://github.com/mahkoh/jay"; - license = licenses.gpl3; - platforms = platforms.linux; - maintainers = with maintainers; [ dit7ya ]; - }; -} 
diff --git a/nix/pkgs/logseq/Containerfile b/nix/pkgs/logseq/Containerfile deleted file mode 100644 index 97464d1..0000000 --- a/nix/pkgs/logseq/Containerfile +++ /dev/null 
@@ -1,57 +0,0 @@ -# NOTE: please keep it in sync with .github pipelines -# NOTE: during testing make sure to change the branch below -# NOTE: before running the build-docker GH action edit -# build-docker.yml and change the release channel from :latest to :testing - -# Builder image -# FROM clojure:temurin-11-tools-deps-1.11.1.1208-bullseye-slim as builder -FROM clojure:temurin-11-tools-deps-bullseye-slim as builder - -ARG DEBIAN_FRONTEND=noninteractive - -# Install reqs -RUN echo 1 -RUN apt-get update && apt-get install -y --no-install-recommends \ - curl \ - ca-certificates \ - apt-transport-https \ - gpg \ - build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev \ - zip - -# install NodeJS & yarn -RUN curl -sL https://deb.nodesource.com/setup_20.x | bash - - -RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /etc/apt/trusted.gpg.d/yarn.gpg && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && apt-get update && apt-get install -y nodejs yarn - -WORKDIR /data - -ENV VERSION=0.10.9 - -# build Logseq static resources -RUN git clone -b ${VERSION} https://github.com/logseq/logseq.git . - -RUN yarn config set network-timeout 240000 -g && yarn install -RUN yarn release-electron - -RUN mkdir /out -RUN mv /data/static/out/make/zip /out/${VERSION}.zip -RUN mv /data/static/out/make/*.AppImage /out/ - -FROM scratch as artifacts -COPY --from=builder /out / -# Logseq-${VERSION}.AppImage -# RUN mv zip /${VERSION}.zip - -# RUN \ -# mkdir -p builds -# # NOTE: save VERSION file to builds directory -# cp static/VERSION ./builds/VERSION -# mv static/out/make/*-*.AppImage ./builds/Logseq-linux-aarch64-${VERSION}.AppImage -# mv static/out/make/zip/linux/x64/*-linux-x64-*.zip ./builds/Logseq-linux-aarch64-${VERSION}.zip - -# # Web App Runner image -# FROM nginx:1.24.0-alpine3.17 -# -# COPY --from=builder /data/static /usr/share/nginx/html -# 
diff --git a/nix/pkgs/logseq/README.md b/nix/pkgs/logseq/README.md deleted file mode 100644 index 0c596b6..0000000 --- a/nix/pkgs/logseq/README.md +++ /dev/null @@ -1,22 +0,0 @@ -# build instructions - -this is pseudocode that serves as a reminder - -1. podman build -f Containerfile -t logseq -2. CONTAINER_ID=$(podman container create logseq) -3. podman unshare -4. podman mount $CONTAINER_ID -5. copy and upload the AppImage. e.g. - ``` - cp /home/steveej/.local/share/containers/storage/overlay/f932ca9f11ea2bfd6b221118eb54775a623bc519bfe38188afcbad51dda2777f/merged/Logseq-0.10.9.AppImage . - exit - scp Logseq-0.10.9.AppImage root@www.stefanjunker.de:/var/lib/container-volumes/webserver/var-www/stefanjunker.de/htdocs/caddy/downloads/ - ``` -6. podman unshare -7. podman unmount - -# resources - -- https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90 -- https://github.com/logseq/logseq/blob/master/Dockerfile -- https://github.com/randomwangran/logseq-nix-flake diff --git a/nix/pkgs/magmawm.nix b/nix/pkgs/magmawm.nix deleted file mode 100644 index c1850c1..0000000 --- a/nix/pkgs/magmawm.nix +++ /dev/null @@ -1,47 +0,0 @@ -{ - lib, - src, - craneLib, - pkg-config, - wayland, - libseat, - libinput, - libxkbcommon, - mesa, - udev, - dbus, - libGL, -}: -craneLib.buildPackage { - inherit src; - pname = "magmawm"; - version = src.rev; - - nativeBuildInputs = [ pkg-config ]; - - buildInputs = [ - wayland - udev - libxkbcommon - libinput - dbus - libseat - mesa - ]; - - preFixup = '' - if [[ -e "$out/bin/magmawm" ]]; then - patchelf \ - --add-needed "${libGL}/lib/libEGL.so.1" \ - $out/bin/magmawm - fi - ''; - - meta = with lib; { - description = "A versatile and customizable Window Manager and Wayland Compositor"; - homepage = "https://github.com/MagmaWM/MagmaWM"; - license = licenses.gpl3; - platforms = platforms.linux; - maintainers = with maintainers; [ ]; - }; -} 
diff --git a/nix/pkgs/mfcl3770cdw.nix b/nix/pkgs/mfcl3770cdw.nix index 142c1c0..9fa1c05 100644 --- a/nix/pkgs/mfcl3770cdw.nix +++ b/nix/pkgs/mfcl3770cdw.nix @@ -1,18 +1,18 @@ -{ - pkgsi686Linux, - stdenv, - fetchurl, - dpkg, - makeWrapper, - coreutils, - ghostscript, - gnugrep, - gnused, - which, - perl, - lib, +{ pkgsi686Linux +, stdenv +, fetchurl +, dpkg +, makeWrapper +, coreutils +, ghostscript +, gnugrep +, gnused +, which +, perl +, lib }: -let + +let model = "mfcl3770cdw"; version = "1.0.2-0"; src = fetchurl { 
@@ -20,49 +20,37 @@ let sha256 = "09fhbzhpjymhkwxqyxzv24b06ybmajr6872yp7pri39595mhrvay"; }; reldir = "opt/brother/Printers/${model}/"; -in -rec { + +in rec { driver = stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [ dpkg makeWrapper ]; unpackPhase = "dpkg-deb -x $src $out"; installPhase = '' - dir="$out/${reldir}" - substituteInPlace $dir/lpd/filter_${model} \ - --replace /usr/bin/perl ${perl}/bin/perl \ - --replace "BR_PRT_PATH =~" "BR_PRT_PATH = \"$dir\"; #" \ - --replace "PRINTER =~" "PRINTER = \"${model}\"; #" - wrapProgram $dir/lpd/filter_${model} \ - --prefix PATH : ${ - lib.makeBinPath [ - coreutils - ghostscript - gnugrep - gnused - which - ] - } - # need to use i686 glibc here, these are 32bit proprietary binaries - interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2 - patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter + dir="$out/${reldir}" + substituteInPlace $dir/lpd/filter_${model} \ + --replace /usr/bin/perl ${perl}/bin/perl \ + --replace "BR_PRT_PATH =~" "BR_PRT_PATH = \"$dir\"; #" \ + --replace "PRINTER =~" "PRINTER = \"${model}\"; #" + wrapProgram $dir/lpd/filter_${model} \ + --prefix PATH : ${stdenv.lib.makeBinPath [ + coreutils ghostscript gnugrep gnused which + ]} + # need to use i686 glibc here, these are 32bit proprietary binaries + interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2 + patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter ''; meta = { description = "Brother ${lib.strings.toUpper model} driver"; - homepage = "http://www.brother.com/"; - license = lib.licenses.unfree; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + homepage = http://www.brother.com/; + license = stdenv.lib.licenses.unfree; + platforms = [ "x86_64-linux" "i686-linux" ]; + maintainers = [ stdenv.lib.maintainers.steveej ]; }; }; 
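Review bot: The new side of this hunk switches `lib.makeBinPath`, `lib.licenses.unfree` and `lib.maintainers.steveej` to `stdenv.lib.*` while `lib` is still a function argument and `lib.strings.toUpper model` on the `description` line still uses it, so the file now mixes the two forms; `stdenv.lib` is a deprecated alias that newer nixpkgs no longer guarantee, and the `lib` argument is the one that keeps working. I would keep `--prefix PATH : ${lib.makeBinPath [ coreutils ghostscript gnugrep gnused which ]}`, `license = lib.licenses.unfree;` and `maintainers = [ lib.maintainers.steveej ];`. `homepage = http://www.brother.com/;` uses the bare-URL literal syntax, which is also deprecated; `homepage = "http://www.brother.com/";` is the quoted form the removed side had. The enclosing `rec { ... }` attribute set opened here continues past the hunk, and the `cupswrapper` derivation in the following hunks makes the same `stdenv.lib` change.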
@@ -70,10 +58,7 @@ rec { inherit version src; name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [ dpkg makeWrapper ]; unpackPhase = "dpkg-deb -x $src $out"; @@ -85,13 +70,7 @@ rec { --replace "basedir =~" "basedir = \"$basedir\"; #" \ --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/cupswrapper/brother_lpdwrapper_${model} \ - --prefix PATH : ${ - lib.makeBinPath [ - coreutils - gnugrep - gnused - ] - } + --prefix PATH : ${stdenv.lib.makeBinPath [ coreutils gnugrep gnused ]} mkdir -p $out/lib/cups/filter mkdir -p $out/share/cups/model ln $dir/cupswrapper/brother_lpdwrapper_${model} $out/lib/cups/filter @@ -100,13 +79,10 @@ rec { meta = { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; - homepage = "http://www.brother.com/"; - license = lib.licenses.gpl2; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + homepage = http://www.brother.com/; + license = stdenv.lib.licenses.gpl2; + platforms = [ "x86_64-linux" "i686-linux" ]; + maintainers = [ stdenv.lib.maintainers.steveej ]; }; }; } diff --git a/nix/pkgs/nomad/default.nix b/nix/pkgs/nomad/default.nix new file mode 100644 index 0000000..4214ce9 --- /dev/null +++ b/nix/pkgs/nomad/default.nix @@ -0,0 +1,29 @@ +with import {}; + +stdenv.mkDerivation rec { + name = "nomad"; + version = "0.1.2"; + filename = "nomad_${version}_linux_amd64.zip"; + + src = fetchurl { + url = "https://releases.hashicorp.com/nomad/${version}/$(unknown)"; + sha256 = "0d3r3n1wwlic1kg3hgghds7f3b0qhh97v8xf36mcmsnmn2ngfd9k"; + }; + + unpackPhase = '' + unzip ${src} + ''; + + + buildInputs = [ makeWrapper unzip ]; + libPath = lib.makeLibraryPath [ ]; + installPhase = '' + patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 ./nomad + + mkdir -p $out/bin + cp ./nomad $out/bin/nomad +# wrapProgram $out/bin/nomad \ +# --prefix LD_LIBRARY_PATH : "${libPath}" +# + ''; +} 
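Review bot: In the new `nix/pkgs/nomad/default.nix` the source URL ends in `/$(unknown)`, which Nix treats as literal text (only `${...}` interpolates), while the `filename = "nomad_${version}_linux_amd64.zip"` attribute declared two lines above is never used; this looks like `${filename}` lost in rendering, but if the file really reads that way the fetch can never succeed and the line should be `url = "https://releases.hashicorp.com/nomad/${version}/${filename}";`. The derivation installs a prebuilt binary whose only integrity check is the pinned `sha256`; HashiCorp publishes a `nomad_<version>_SHA256SUMS` file with a detached GPG signature, and a comment recording that the pinned hash was checked against it, e.g. `# sha256 matches HashiCorp's signed nomad_0.1.2_SHA256SUMS`, would say where the trust comes from. Version 0.1.2 is also a very early Nomad release, so this is presumably pinned deliberately for an experiment rather than for use. `with import {};` at the top has the same missing-brackets look as the URL (`with import <nixpkgs> {};` would be the usual form) and is worth checking at the same time.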
diff --git a/nix/pkgs/nozbe/default.nix b/nix/pkgs/nozbe/default.nix index e5ac519..47bf205 100644 --- a/nix/pkgs/nozbe/default.nix +++ b/nix/pkgs/nozbe/default.nix 
@@ -1,60 +1,61 @@ -with import { }; +with import {}; + stdenv.mkDerivation rec { - name = "nozbe"; - version = "3.6.3"; + name = "nozbe"; + version = "3.6.3"; - src = fetchzip { - url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; - sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; - stripRoot = false; - }; + src = fetchzip { + url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; + sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; + stripRoot = false; + }; - buildInputs = [ makeWrapper ]; + buildInputs = [ makeWrapper ]; - buildPhase = ":"; + buildPhase = '':''; - libPath = lib.makeLibraryPath [ - alsaLib - atk - cairo - cups - dbus - expat - freetype - fontconfig - gnome3.gconf - gcc.cc - gdk_pixbuf - gtk2-x11 - glib - pango - nss - nspr - systemd.lib - xorg.libX11 - xorg.libXcursor - xorg.libXcomposite - xorg.libXext - xorg.libXfixes - xorg.libXdamage - xorg.libXi - xorg.libXrandr - xorg.libXrender - xorg.libXtst - xorg.libXScrnSaver - ]; - installPhase = '' - pushd Nozbe-${version} - ls -lha + libPath = lib.makeLibraryPath [ + alsaLib + atk + cairo + cups + dbus + expat + freetype + fontconfig + gnome3.gconf + gcc.cc + gdk_pixbuf + gtk2-x11 + glib + pango + nss + nspr + systemd.lib + xorg.libX11 + xorg.libXcursor + xorg.libXcomposite + xorg.libXext + xorg.libXfixes + xorg.libXdamage + xorg.libXi + xorg.libXrandr + xorg.libXrender + xorg.libXtst + xorg.libXScrnSaver + ]; + installPhase = '' + pushd Nozbe-${version} + ls -lha - patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe + patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe - mkdir -p $out/bin - cp -a * $out/ + mkdir -p $out/bin + cp -a * $out/ - wrapProgram $out/Nozbe \ - --prefix LD_LIBRARY_PATH : "${libPath}" + wrapProgram $out/Nozbe \ + --prefix LD_LIBRARY_PATH : "${libPath}" - ln -sf ../Nozbe $out/bin/ - ''; + ln -sf ../Nozbe $out/bin/ + ''; } 
diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix index b7ad5cb..488a31e 100644 --- a/nix/pkgs/posh.nix +++ b/nix/pkgs/posh.nix @@ -1,8 +1,8 @@ # posh makes use of podman to run an encapsulated shell session { pkgs, ... }: + let - cniConfigDir = - let + cniConfigDir = let loopback = pkgs.writeText "00-loopback.conf" '' { "cniVersion": "0.3.0", @@ -37,8 +37,7 @@ let ] } ''; - in - pkgs.runCommand "cniConfig" { } '' + in pkgs.runCommand "cniConfig" {} '' set -x mkdir $out; ln -s ${loopback} $out/${loopback.name} @@ -126,14 +125,16 @@ let } } ''; + in -{ - image, - pull ? "always", - global_args ? "", - run_args ? "", - userns ? "keep-id", + +{ image +, pull ? "always" +, global_args ? "" +, run_args ? "" +, userns ? "keep-id" }: + (pkgs.writeScriptBin "posh" '' #! ${pkgs.bash}/bin/bash source /etc/profile @@ -169,16 +170,12 @@ in --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ --rm -i --network host --pull=''${POSH_PULL} \ $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ - ${if userns != null then "--userns=" + userns else ""} \ + ${if userns != null then "--userns="+userns else ""} \ ${run_args} \ ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" -'').overrideAttrs - ( - attrs: - attrs - // { - passthru = { - shellPath = "/bin/posh"; - }; - } - ) +'') +.overrideAttrs(attrs: attrs // { + passthru = { + shellPath = "/bin/posh"; + }; +}) diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix index 5e50ecf..8d456d6 100644 --- a/nix/pkgs/slirp4netns.nix +++ b/nix/pkgs/slirp4netns.nix @@ -1,12 +1,12 @@ -{ - stdenv, - fetchFromGitHub, - autoconf, - automake, - libtool, - gnumake, - gcc, +{ stdenv +, fetchFromGitHub +, autoconf +, automake +, libtool +, gnumake +, gcc }: + stdenv.mkDerivation rec { name = "slirp4netns-${version}"; version = "v0.2.1"; @@ -25,14 +25,14 @@ stdenv.mkDerivation rec { gnumake gcc ]; - + configurePhase = '' ./autogen.sh ./configure --prefix="" ''; buildPhase = '' - make + make ''; installPhase = '' 
@@ -41,7 +41,7 @@ stdenv.mkDerivation rec { meta = with stdenv.lib; { description = "User-mode networking for unprivileged network namespaces"; - homepage = "https://github.com/rootless-containers/slirp4netns"; + homepage = https://github.com/rootless-containers/slirp4netns; license = null; maintainers = [ maintainers.steveej ]; platforms = platforms.all; diff --git a/nix/pkgs/staruml.nix b/nix/pkgs/staruml.nix index 35399ad..7886d1b 100644 --- a/nix/pkgs/staruml.nix +++ b/nix/pkgs/staruml.nix @@ -1,51 +1,25 @@ -{ - stdenv, - fetchurl, - makeWrapper, - dpkg, - patchelf, - gtk2, - glib, - gdk_pixbuf, - alsaLib, - nss, - nspr, - GConf, - cups, - libgcrypt, - dbus, - systemd, +{ stdenv, fetchurl, makeWrapper +, dpkg, patchelf +, gtk2, glib, gdk_pixbuf, alsaLib, nss, nspr, GConf, cups, libgcrypt, dbus, systemd }: + let inherit (stdenv) lib; - LD_LIBRARY_PATH = lib.makeLibraryPath [ - glib - gtk2 - gdk_pixbuf - alsaLib - nss - nspr - GConf - cups - libgcrypt - dbus - ]; + LD_LIBRARY_PATH = lib.makeLibraryPath + [ glib gtk2 gdk_pixbuf alsaLib nss nspr GConf cups libgcrypt dbus ]; in stdenv.mkDerivation rec { version = "2.8.1"; name = "staruml-${version}"; src = - if stdenv.system == "i686-linux" then - fetchurl { - url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; - sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; - } - else - fetchurl { - url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; - sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; - }; + if stdenv.system == "i686-linux" then fetchurl { + url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; + sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; + } else fetchurl { + url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; + sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; + }; buildInputs = [ dpkg ]; 
@@ -76,11 +50,8 @@ stdenv.mkDerivation rec { meta = with stdenv.lib; { description = "A sophisticated software modeler"; - homepage = "http://staruml.io/"; + homepage = http://staruml.io/; license = licenses.unfree; - platforms = [ - "i686-linux" - "x86_64-linux" - ]; + platforms = [ "i686-linux" "x86_64-linux" ]; }; } diff --git a/nix/scripts/pre-eval-fixed.sh b/nix/scripts/pre-eval-fixed.sh index ec7b14e..e6bc4a0 100755 --- a/nix/scripts/pre-eval-fixed.sh +++ b/nix/scripts/pre-eval-fixed.sh @@ -2,8 +2,5 @@ set -xe INFILE="${1:?Please set arg1 to INFILE}" OUTFILE="${2:?Please set arg2 to OUTFILE}" -# sha256-1fm94N2Y9ptXVN6ni0nJyPRK+nsvoeliqBcFyjlaTH4= -# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm -hash=$(nix-build "${INFILE}" --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') - -sed -E "s/0{52}/${hash}/" "${INFILE}" >"${OUTFILE}" +hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*sha256:([0-9a-z]{52})' -r '$1') +sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE} diff --git a/nix/tests/buildvmwithbootloader/build-vm.nix b/nix/tests/buildvmwithbootloader/build-vm.nix index a085713..8347b45 100644 --- a/nix/tests/buildvmwithbootloader/build-vm.nix +++ b/nix/tests/buildvmwithbootloader/build-vm.nix 
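Review bot: The new `nix-build ${INFILE} ...` and `sed ... ${INFILE} > ${OUTFILE}` lines drop the quotes the removed side had, so a path containing whitespace or glob characters is split or expanded before it reaches `nix-build`/`sed`; keep them quoted, `nix-build "${INFILE}" ...` and `sed -E "s/0{52}/${hash}/" "${INFILE}" > "${OUTFILE}"`. The narrowed pattern `'got.*sha256:([0-9a-z]{52})'` only recognises the base32 `sha256:` form, so on a Nix that reports the mismatch as an SRI `sha256-...` hash `rg` matches nothing and exits 1, which `set -xe` should turn into an abort before `OUTFILE` is written — a loud failure, but one worth a comment such as `# expects nix's base32 "got: sha256:..." line; SRI output is not handled`. The commented example hashes that documented both formats were removed in the same hunk, so that knowledge now lives nowhere.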
@@ -1,39 +1,32 @@
-{
- system ? builtins.currentSystem,
- vmPkgsPath,
- buildPkgsPath,
- nixosConfigPath,
+{ system ? builtins.currentSystem
+, vmPkgsPath
+, buildPkgsPath
+, nixosConfigPath
 }:
+
 let
- vmPkgs' = import vmPkgsPath { };
+ buildPkgs = import buildPkgsPath {};
+ vmPkgs'= import vmPkgsPath {};
 vmPkgs = vmPkgs' // {
 runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}";
 };
 importWithPkgs = { path, pkgs }: args: import path (args // { inherit pkgs; });
+
+ nixosConfig = importWithPkgs { path = "${nixosConfigPath}"; pkgs = vmPkgs; };
+ vmConfig = importWithPkgs { path = "${buildPkgsPath}/nixos/modules/virtualisation/qemu-vm.nix"; pkgs = vmPkgs; };
+ evalConfig = importWithPkgs { path = "${vmPkgsPath}/nixos/lib/eval-config.nix"; pkgs = null; };
- nixosConfig = importWithPkgs {
- path = "${nixosConfigPath}";
- pkgs = vmPkgs;
- };
- vmConfig = importWithPkgs {
- path = "${buildPkgsPath}/nixos/modules/virtualisation/qemu-vm.nix";
- pkgs = vmPkgs;
- };
- evalConfig = importWithPkgs {
- path = "${vmPkgsPath}/nixos/lib/eval-config.nix";
- pkgs = null;
- };
+ vmWithBootLoaderConfigMixed = (evalConfig {
+ modules = [
+ nixosConfig
+ vmConfig
+ {
+ virtualisation.useBootLoader = true;
+ }
- vmWithBootLoaderConfigMixed =
- (evalConfig {
- modules = [
- nixosConfig
- vmConfig
- { virtualisation.useBootLoader = true; }
- ];
- }).config;
-in
-{
+ ];
+ }).config;
+in {
 vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm;
 }
diff --git a/nix/tests/buildvmwithbootloader/build-vm.sh b/nix/tests/buildvmwithbootloader/build-vm.sh
index 3ee6ee0..520e0c8 100755
--- a/nix/tests/buildvmwithbootloader/build-vm.sh
+++ b/nix/tests/buildvmwithbootloader/build-vm.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 set -x
-rm ./*.qcow2
+rm *.qcow2
 rm result*
 set -e
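Review bot: `buildPkgs = import buildPkgsPath {};` is added to the `let` block but nothing in the hunk references it — `vmConfig` builds its path from `buildPkgsPath` directly — so it is a dead binding that, being lazy, is never evaluated but suggests an intent the code does not follow. Either drop the line or make `vmConfig` consume it, and say in a comment why the VM modules come from `buildPkgsPath` while `evalConfig` comes from `vmPkgsPath`, since that split is the non-obvious part of this file. `vmPkgs'= import vmPkgsPath {};` also lost the space before `=` that every neighbouring binding keeps.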
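Review bot: `rm *.qcow2` hands whatever the glob expands to straight to `rm`, so an image whose name starts with `-` would be parsed as an option; `rm -- *.qcow2` (and likewise `rm -- result*` on the next line) keeps every match a file operand. Both deletions run before `set -e`, so a pattern with no match still only prints an error and the script goes on, which looks intentional and could be stated in a comment.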
@@ -8,9 +8,9 @@ BUILD_NIXPKGS="${BUILD_NIXPKGS:-${HOME}/src/github/NixOS/nixpkgs.dev}"
 NIXOS_CONFIG="${NIXOS_CONFIG_OVERRIDE:-${PWD}/configuration.nix}"
 nix-build -K --show-trace build-vm.nix \
- --arg vmPkgsPath '' \
- --argstr buildPkgsPath "${BUILD_NIXPKGS}" \
- --argstr nixosConfigPath "${NIXOS_CONFIG}" \
- -A vmWithBootLoaderMixed
+ --arg vmPkgsPath '' \
+ --argstr buildPkgsPath "${BUILD_NIXPKGS}" \
+ --argstr nixosConfigPath "${NIXOS_CONFIG}" \
+ -A vmWithBootLoaderMixed
-"./result/bin/run-*-vm"
+./result/bin/run-*-vm
diff --git a/nix/tests/buildvmwithbootloader/configuration.nix b/nix/tests/buildvmwithbootloader/configuration.nix
index 49dc463..874bea1 100644
--- a/nix/tests/buildvmwithbootloader/configuration.nix
+++ b/nix/tests/buildvmwithbootloader/configuration.nix
@@ -1,4 +1,8 @@
-{ lib, ... }:
+{ pkgs, lib, ... }:
+let
+
+in
+
 {
 boot.loader.grub = {
 enable = true;
@@ -10,8 +14,7 @@
 boot.loader.efi.canTouchEfiVariables = true;
 boot.loader.systemd-boot.enable = true;
- boot.initrd.luks.devices = [
- {
+ boot.initrd.luks.devices = [ {
 name = "crypt";
 device = "/dev/disk/uuid/463d886d-7dfe-421b-8cef-f9af3a3fa09d";
 preLVM = true;
@@ -19,23 +22,17 @@
 }
 ];
 fileSystems."/" = {
- label = "root";
+ label = "root";
 };
 fileSystems."/boot" = {
- label = "boot";
+ label = "boot";
 };
 boot.tmpOnTmpfs = true;
- boot.initrd.availableKernelModules = [
- "xhci_pci"
- "ahci"
- "usb_storage"
- "sd_mod"
- "rtsx_pci_sdmmc"
- ];
-
+ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+
 users.extraUsers.root.initialPassword = lib.mkForce "toorroot";
 users.mutableUsers = false;
 }
diff --git a/nix/tests/buildvmwithbootloader/debug-vm.sh b/nix/tests/buildvmwithbootloader/debug-vm.sh
index 8e3bdce..0d11067 100755
--- a/nix/tests/buildvmwithbootloader/debug-vm.sh
+++ b/nix/tests/buildvmwithbootloader/debug-vm.sh
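Review bot: The new module header `{ pkgs, lib, ... }:` and the `let`/`in` pair below it add nothing: `pkgs` is not referenced in any of the three configuration.nix hunks and the `let` body is empty. Dropping the four added lines (`let`, the blank, `in`, the blank) and keeping the header at what the file uses, `{ lib, ... }:`, leaves the module easier to read; if `pkgs` is reserved for a change still to come, a short comment saying so would stop the next reader from removing it. The attribute set continues past these hunks, so an unseen use of `pkgs` further down is possible.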
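Review bot: `boot.initrd.luks.devices = [ {` keeps the list-of-attribute-sets shape with an inner `name = "crypt";`; with the nixos-20.09 nixpkgs this commit pins elsewhere the option is keyed by name (`boot.initrd.luks.devices.crypt = { device = …; preLVM = true; };`), and I am not certain the list form still evaluates there, so this deserves an evaluation check before relying on the test. The context line `device = "/dev/disk/uuid/463d886d-7dfe-421b-8cef-f9af3a3fa09d";` is pre-existing, but udev publishes UUID symlinks under `/dev/disk/by-uuid/`, so that path is unlikely to resolve in the initrd; `device = "/dev/disk/by-uuid/463d886d-7dfe-421b-8cef-f9af3a3fa09d";` is presumably what was meant.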
@@ -1,5 +1,3 @@
-#!/usr/bin/env bash
-
 # /nix/store/lya9qyl9z5xb4vzdzh4vzcr7gfssk47z-qemu-host-cpu-only-for-vm-tests-2.12.0/bin/qemu-kvm \
 # -cpu \
 # kvm64 \
@@ -26,6 +24,7 @@
 # -drive \
 # index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/nixos.qcow2,cache=writeback,werror=report,if=virtio \
+
 /nix/store/0i6fr8vv559a50w0vipvd22r0kkg1kx1-qemu-host-cpu-only-for-vm-tests-3.0.0/bin/qemu-kvm -cpu kvm64 -name nixos -m 384 -smp 1 -device virtio-rng-pci -net nic,netdev=user.0,model=virtio -netdev user,id=user.0 -virtfs local,path=/nix/store,security_model=none,mount_tag=store -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=xchg -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=shared \
- -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \
- -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio
+ -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \
+ -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio \
diff --git a/nix/tests/buildvmwithbootloader/result b/nix/tests/buildvmwithbootloader/result
new file mode 120000
index 0000000..a5fdbfc
--- /dev/null
+++ b/nix/tests/buildvmwithbootloader/result
@@ -0,0 +1 @@
+/nix/store/xh6p394kh1bncmc3lr6l9fb81284ckhf-nixos-vm
\ No newline at end of file
diff --git a/nix/tests/test-vm.nix b/nix/tests/test-vm.nix
index fc956b6..d647b3c 100644
--- a/nix/tests/test-vm.nix
+++ b/nix/tests/test-vm.nix
@@ -1,5 +1,6 @@
-_: {
- boot.consoleLogLevel = 6;
+{ lib, config, pkgs, fetchgit, ... }:
+{
+ boot.consoleLogLevel=6;
 users.users.root.initialPassword = "root";
 systemd.services."serial-getty@ttyS0".enable = true;
 networking.firewall.enable = false;
diff --git a/nix/variables/keys.nix b/nix/variables/keys.nix
index bd140a9..8eb8229 100644
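Review bot: The file stays mode 100755 but the hunk removes its `#!/usr/bin/env bash` first line, so running `./debug-vm.sh` now depends on the calling shell falling back to `/bin/sh` after an ENOEXEC, and anything that picks an interpreter from the shebang (editors, shellcheck, a direct `execve` from a non-shell) gets nothing. Restoring a first line, `#!/usr/bin/env bash`, or `#!/bin/sh` if the script is meant to stay POSIX, is a one-line fix.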
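Review bot: The new last line ends in ` \`, a continuation with nothing after it; that is harmless at end of file today, but the next line anyone appends, even a comment, becomes part of the `qemu-kvm` command line. Drop the trailing backslash on the `-drive index=0,…,if=virtio` line. The command also hardcodes a `/tmp/nix-vm.BXlbOnli8K/...` exchange directory and an absolute `/home/steveej/...` image path, so it only reproduces on the machine it was captured from; a comment stating that this is a one-off transcript of a VM launch would set expectations for the next reader.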
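Review bot: The new header `{ lib, config, pkgs, fetchgit, ... }:` declares `fetchgit` as a required argument, but NixOS module functions receive `config`, `options`, `lib`, `pkgs` and `modulesPath` (plus whatever `specialArgs` or `_module.args` add), so unless something supplies `fetchgit`, evaluating this module should fail with a missing-argument error. None of the four names is used in the visible lines, so `{ ... }:` is enough; if `fetchgit` is really needed it has to come from `pkgs.fetchgit` inside the body. `boot.consoleLogLevel=6;` also lost the spaces around `=` that the neighbouring bindings keep, and the attribute set may continue past the hunk.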
--- a/nix/variables/keys.nix
+++ b/nix/variables/keys.nix
@@ -3,7 +3,6 @@
 steveej = {
 openssh = [
 # active, current
-"ssh-rsa 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 cardno:17_673_091"
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000608695695"
 "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000605247559"
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix
index 91d2eb6..92f89d2 100644
Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ
diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix
index 6d441a6..4a3e8f4 100644
--- a/nix/variables/versions.nix
+++ b/nix/variables/versions.nix
@@ -1,10 +1,11 @@
 let
 nixpkgs = {
 url = "https://github.com/NixOS/nixpkgs/";
- ref = "nixos-22.11";
- rev = ''5b7cd5c39befee629be284970415b6eb3b0ff000'';
+ ref = "nixos-20.09";
+ rev = "51aaa3fa1b69559456f9bd4968bd5b179a784f67";
 };
 in
+
 {
 inherit nixpkgs;
 nixos = nixpkgs // {
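Review bot: `ref = "nixos-20.09";` together with `rev = "51aaa3fa1b69559456f9bd4968bd5b179a784f67";` pins the whole tree to a NixOS release that reached end of life in 2021, so everything evaluated from it receives no security backports; the `home-manager-module` entry in the next hunk makes the same move with `release-20.09`, and both versions.tmpl.nix hunks template the same branches. If the downgrade is deliberate, for instance to reproduce an old deployment, a comment above `nixpkgs = {` naming the reason would keep the next reader from "fixing" it; otherwise a currently supported release branch should be pinned. None of the pinned revs, including the `nixos-unstable` and `master` ones in the next hunk, record when they were resolved, so a `# pinned on <date>` comment per entry would make the age of these pins visible at a glance.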
@@ -14,16 +15,16 @@ in
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-unstable";
- rev = ''4bb072f0a8b267613c127684e099a70e1f6ff106'';
+ rev = "24c9b05ac53e422f1af81a156f1fd58499eb27fb";
 };
 "nixpkgs-master" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "master";
- rev = ''a8636efe2df64047cd58898010a72f73efd56722'';
+ rev = "3312e1c3ba80506c435876f016d7b3888f297c4e";
 };
 "home-manager-module" = {
 url = "https://github.com/nix-community/home-manager";
- ref = "release-22.11";
- rev = ''83110c259889230b324bb2d35bef78bf5f214a1f'';
+ ref = "release-20.09";
+ rev = "7339784e07217ed0232e08d1ea33b610c94657d8";
 };
 }
diff --git a/nix/variables/versions.tmpl.nix b/nix/variables/versions.tmpl.nix
index 66e90e3..09f95fd 100644
--- a/nix/variables/versions.tmpl.nix
+++ b/nix/variables/versions.tmpl.nix
@@ -1,12 +1,11 @@
 let
 nixpkgs = {
 url = "https://github.com/NixOS/nixpkgs/";
- ref = "nixos-22.11";
- rev = ''
- <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d '
- ' -%>'';
+ ref = "nixos-20.09";
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
 };
 in
+
 {
 inherit nixpkgs;
 nixos = nixpkgs // {
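Review bot: The new `rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";` takes every line `git ls-remote` prints for the pattern; a bare name without a `refs/heads/` prefix can match both a branch and a tag of that name, and `tr -d '\n'` then glues two hashes into one `rev`. The `nixpkgs-master` entry in the next hunk guards this with `head -n1`, while the `nixos-20.09`, `nixos-unstable` and `release-20.09` entries do not; `git ls-remote https://github.com/nixos/nixpkgs refs/heads/nixos-20.09 | head -n1 | awk '{ print $1 }' | tr -d '\n'` (and the same shape for the other three) makes all four deterministic and keeps the generated versions.nix a valid single hash.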
@@ -16,22 +15,16 @@ in
 "channels-nixos-unstable" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "nixos-unstable";
- rev = ''
- <% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '
- ' -%>'';
+ rev = "<% git ls-remote https://github.com/nixos/nixpkgs nixos-unstable | awk '{ print $1 }' | tr -d '\n' -%>";
 };
 "nixpkgs-master" = {
 url = "https://github.com/NixOS/nixpkgs/";
 ref = "master";
- rev = ''
- <% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '
- ' -%>'';
+ rev = "<% git ls-remote https://github.com/NixOS/nixpkgs.git master | head -n1 | awk '{ print $1 }' | tr -d '\n' -%>";
 };
 "home-manager-module" = {
 url = "https://github.com/nix-community/home-manager";
- ref = "release-22.11";
- rev = ''
- <% git ls-remote https://github.com/nix-community/home-manager.git release-22.11 | awk '{ print $1 }' | tr -d '
- ' -%>'';
+ ref = "release-20.09";
+ rev = "<% git ls-remote https://github.com/nix-community/home-manager.git release-20.09 | awk '{ print $1 }' | tr -d '\n' -%>";
 };
 }
diff --git a/oci/user-ubuntu/Containerfile b/oci/user-ubuntu/Containerfile
deleted file mode 100644
index 8afa2ce..0000000
--- a/oci/user-ubuntu/Containerfile
+++ /dev/null
@@ -1,27 +0,0 @@
-FROM ubuntu
-
-ARG USERNAME=user
-ARG USER_UID=1000
-ARG USER_GID=$USER_UID
-
-# Create the user
-RUN groupadd --gid $USER_GID $USERNAME \
- && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \
- #
- # [Optional] Add sudo support. Omit if you don't need to install software after connecting.
- && apt-get update \
- && apt-get install -y sudo \
- && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
- && chmod 0440 /etc/sudoers.d/$USERNAME
-
-# ********************************************************
-# * Anything else you want to do like clean up goes here *
-# ********************************************************
-
-# [Optional] Set the default user. Omit if you want to keep the default as root.
-USER $USERNAME
-
-
-ENV DEBIAN_FRONTEND=noninteractive
-RUN sudo apt install -y curl xz-utils
-RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s - install --init none --no-confirm
diff --git a/scripts/sway-swapoutputworkspaces.sh b/scripts/sway-swapoutputworkspaces.sh
deleted file mode 100755
index 6ed8d64..0000000
--- a/scripts/sway-swapoutputworkspaces.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/usr/bin/env sh
-
-# Get two outputs, visible workspaces and focused workspace
-output1=$(swaymsg -t get_outputs --raw | jq '.[0].name' -r)
-output2=$(swaymsg -t get_outputs --raw | jq '.[1].name' -r)
-workspace1=$(swaymsg -t get_outputs --raw | jq '.[0].current_workspace' -r)
-workspace2=$(swaymsg -t get_outputs --raw | jq '.[1].current_workspace' -r)
-workspace_active=$(swaymsg -t get_workspaces | jq -r '.[] | select(.focused==true).name')
-
-# If any of the outputs doesn't have a workspace, do nothing
-if [ "$workspace1" = null ] || [ "$workspace2" = null ]; then
- exit 0
-else
- # If script is provided with `follow` argument, then follow focused workspace
- if [ "$1" = "follow" ]; then
- if [ "$workspace1" = "$workspace_active" ]; then
- swaymsg move workspace to output "$output2"
- swaymsg workspace "$workspace2"
- swaymsg move workspace to output "$output1"
- swaymsg workspace "$workspace2"
- else
- swaymsg workspace "$workspace1"
- swaymsg move workspace to output "$output2"
- swaymsg workspace "$workspace2"
- swaymsg move workspace to output "$output1"
- fi
- # Else focus stays with focused output
- else
- if [ "$workspace1" = "$workspace_active" ]; then
- swaymsg move workspace to output "$output2"
- swaymsg workspace "$workspace2"
- swaymsg move workspace to output "$output1"
- else
- swaymsg workspace "$workspace1"
- swaymsg move workspace to output "$output2"
- swaymsg workspace "$workspace2"
- swaymsg move workspace to output "$output1"
- swaymsg workspace "$workspace1"
- fi
- fi
-fi
diff --git a/secrets/desktop/radicale_htpasswd b/secrets/desktop/radicale_htpasswd
deleted file mode 100644
index eba3f98..0000000
--- a/secrets/desktop/radicale_htpasswd
+++ /dev/null
@@ -1,30 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:rUTsNj5pW/7JhyfRWiEoOHVT06tmbAHarOEuMkWaP+jz9FX3Qvjtv2S767Be89RwBdZZPTyO5+DcWUH+m2AOoAFKZs8TgT7lmQCuweXE27HZe88y+mNvHYfExWbLaC3fxheHgy8BgZBQNdVMKhZlYr5nLxJBrUY+j2sRP/CuucUcbsCojoHqYmb9hpS03PZ7i6Uf7tImgvFc,iv:pnYzcggEWKAhRxJyOGYaXFrS6kN7uLHic+tO1PeHZmg=,tag:4eXlaWf7hJxcy6zlQC5U8Q==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLNEpQSUdkWStSb0Evbklx\nQXdHK3BtMEh3L1Vtc0VlN1paWm1sMkJhaTJJCmd3eTZyRkdMOVQ1MmwxaU1YYXBK\nb0ZKY0tqTCtEUGNHQzFhSXVBOHpUeVUKLS0tIDJtd2wrbFZNanZ6cGYwcjRNdDdN\nbm9adllGcy9GeitiYU53ZUtRaTgvUWsKuDmxV1BJPaiSyfzFmG7kE9K/GxjCfsI/\nejd+DnLe8FdHxyJyyrqShE/CWzw+CKL1Z9dO5SBmrEQXgZu1Zhdysg==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByVkRhYzVtVVBTcm5abndE\nVEtMODUwNFNaVEtqeVUyVUpuVXBqbDBtL1RZCmYyVUd3N0NBQzBRVWozWVAxczZD\nM1RLbzhYUXVjNm9KdlN4c252YVV6aVkKLS0tIE12WmFtMUxsczFBbEpES0UzZmhl\nRGRyQllzLytja1JpY1RpdXZwSFVwcU0KlNOFmcNo5T7GY6Qma/6w/GRDECR/0XQR\nCDm90Zx4QTDJrjy7ach3poPeHEKmlhW+ZQ4MlB8cuAjsjpVdgzBD3w==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcTV6NmoyekZJU3hmNTVB\nSklnWUczaHFtenpWbWNTNFZqNkV5ODFZSkZBCkc4b3BuYzdnUCt0WkgzL0tKM0Vl\ndEZ0MkZkb2p3T245S1dhenQ4MkQ1ME0KLS0tIEdWRll6VEk2SDdERTNjZG1xMmFJ\nRWJJeXJMZkRnYUxhTWltUHVYeUtlZlUKmpWPDHAdSt2fnqLzrOhwQVFWFJi/wSLA\nbRgCQc8lJIRg4nPvwBLLvvl49NCoNCsci//ZHD4RbsjMDhBLpRab1w==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-01-24T22:45:02Z", - "mac": 
"ENC[AES256_GCM,data:70nJ8FwQqWKUs5tVZTdaUSnFdvzh7h7GG9lJU9IVuSW8GHs9N4srFRJ0DtJbrIYm4YasNsZqNUcWx/ptxzP0DG/IJs8Vpnb4U5SXKw+zN7B5GBM0Xnh6pZZcylAw7lcXevBfI4jw7Ymmj5zBIFyKTCKhietayfmxdIxyoaxNH34=,iv:XJgmRc0tONH9H6AQyfJvDdkfJgP3ugAxOPxMkBqhLMo=,tag:MBN8FJglHqTiS5nLjtMXiA==,type:str]", - "pgp": [ - { - "created_at": "2025-06-05T09:49:10Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ//Y90sdCp0RviD2cAKB1FV+r/kDR/5wMlK5CKljSMr+KpX\nOp4rhWHJ+8im0FbXdEFbCatdgC6gJlwAuZE7OqSofjPoWDUAjS4Mn4HSjHX0rxhx\nSaSsM/6q929WiktwmqCVUuxgs2ZrQraCTg9Cu0gbchYEEIg3ALtaLMMQEBfs7Reb\n6sJYdRGvmJMvw0R1mgSBCpcwX4Q2lO2bFIsfXG13/oVefKKgNDLZ8p5dnrk7OwiL\ntnGh8IBSQTzba2eJdayKGF3mB7pTlCh56yt5Ia37QaJKTrXe+nWBx8HmItlCjrwn\nndRiHUG7+ElC94WxsKVAKqPhsuud8fuRLzcicT/Apd3E1Zy418XHj6qscHn4nYRM\nJeESRBkECrFIlKLjaM6rmL7FZ47RO2tIBdnL7FTT6HxIL7jaBFHdp9DBdpthXUdL\nAhbQg3mT88F2EdgCQCdm1SGiAs3h2/Od0ipIYazlq8XkhsCT8ZCijykxJNTz/2JQ\n0oXAgXRH3yJHcTbAsyrxHv98jHf0qIkLvFaYjigR4Rvv7wEOdhCgXyqCBjOkX6xT\nxqz5bRJ1rgyBT3jyoTtKw56wFWwoOqCAbReFgTtKdoEm+U3Xg+X/FsFiJ2ZrPsz3\nY35v6zsx4oi5Byvf5Jk53BeSKjgbzfu4dKFqNWzEi/UgQwVNgpV5iyhNK2ab01LS\nXAGzbiWT1YbYVLcoK1QW1G+hs4UTUMMyhyPP1fV0kUnxvuhupbvGIepcf4mcvjgs\nQxxNTRLyKt22so06awWrVNc+pltUivW3sFeTDdJBBqc9ILx33pSZiDdt2LTW\n=5gtk\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} diff --git a/secrets/holochain-infra/nomad.yaml b/secrets/holochain-infra/nomad.yaml deleted file mode 100644 index c2a5987..0000000 --- a/secrets/holochain-infra/nomad.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -holochain-nomad-agent-ca: ENC[AES256_GCM,data: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,iv:jojLi4+X6BVLcBiDTgcrwdh/H73sQW9l1n+SrTa8HEE=,tag:2vRZsuWyR0LMlSmzILflwg==,type:str] -holochain-nomad-cli-cert: ENC[AES256_GCM,data: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,iv:1x4/kBIMbsB87MN+a8keJxJMVZZXRJ9WvozckByPLqU=,tag:l2WBaVhcP591TtEoZmIkUA==,type:str] -holochain-nomad-cli-key: ENC[AES256_GCM,data:Kl7EJI1V5HGeE9nogY5rujwe8MQYA6tIc3bLiyGdWHTtIbUGfp5wQ5p5zTyDBzA1IeWfTBIaM5dLyw7W+95KENaahJph+HrNbvLvBK8CXmTp7bRFJOgXIDV7CkxnTTX46Qptd17F3gY/4/HeMYsGJ7cZYmLYjW2UiyT6NmrivcaPJmECnuPPJV8aN3Kofm2gL9jbw089IiG6yksT1Y+AQUt/UQBzjYGpaYPHYaldgPQkb0+yaSb+DhF8/fr9lNsCyUbtnHFVNfiQj64IDw68jBohIMQzCMd44plJI8dcJNoA0TM=,iv:qShNRSKgqIe03a1K3FqTpDxogf4Uc25UsZXpwd6cHT8=,tag:9zr/wfR4umX6JCMslrjQjA==,type:str] -holochain-global-nomad-client-cert: ENC[AES256_GCM,data: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,iv:nSXO+1ALy6Ie5aNIEm1ZZgZwOdJLrHjO+BwKVbbZQ7c=,tag:n4V165c86IQ3QHzYb1ThJA==,type:str] -holochain-global-client-nomad-key: ENC[AES256_GCM,data:9w+1CYOXgm+xvg9iER+cLJBlKLyYmanr93tZ8xTl63ZIKho6DJLqGPCYdjlG4sHWyQUM6/Dpaa490yC4CToLX5MuUnSvqiaSgugcGqPa1DhlRYVsa8j5rdp90EDMoarN7xKe0ShIRW2GTT9S5EEyF2qdZUAFybpDPX2laZZ44UBz1QvlCp7gzs0duO4b95WPTHmlhfaw0BVF7FhFqkAHtH6qg24qEtwB3I4NmW5UsTKR+tbUCEyQcADQr1CrXhIHkQ8yZ52rc42H6gRQXoVrJomJgtiXf28ARY5K1oZMmICLDw==,iv:FSiRHgbqpKEYINVBLYp1A9YgroLT07GMDFqT/k8Vyqs=,tag:XX7oQhllDmrRLCEiMMYsfA==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtYStCU2FnN2oxWWU4aWJR - N1NXQW5oRlZCL3BPVDN0d01sTk8wUy9FNTM0CmEvdTJsZDEvWkhvcFdBSHNWMS9O - WDBYQjhzSE9IeTAzczR1eFlnVXUwRU0KLS0tIGtpTG45Qmh1cHc0ZUpGTUQ5NTF4 - OVJwWGR2TkR1VWtHeVp6Wlk4S3I4Q3cKAeQEBdqh8yeD1jSClUaofdqEPz7RNEaP - /Sk5FUTmjC07s2fyORf+03SK43+HbJRNASyC8EtCrqAMcwKFlti1eg== - -----END AGE ENCRYPTED FILE----- - lastmodified: 
"2023-07-12T09:51:29Z" - mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] - pgp: - - created_at: "2025-06-05T09:49:08Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/7BTbxsFCBhKM6oM1JkRNgR3gHCabXrparjyC3ayfFkFQr - TGWW1S/RkTyAbzMkG6VJmvbd28AqzPUWMBxOHtJB8e/aLJIFchL0pAuSK3w51iGN - Ss20IDUkX8wyljdFSJYhiGF6CNRZGkMAvzghDW0zVHzJlaXlZvAL1sqhOHhykugZ - ++/RZsjnjymVL/chXr/z/VI/6Ovmjjv9mcSG5HvziJfdihZS3pChTbOPCRZhjPzT - Or/AzDBk191cF+PLq7qOSO8dNMoR/mW8gYLLpfi/N3rURpdZWPKsH11hFGo4/Iwx - pNVHER60Q98i8VYXwdvxprOc0TtknPkFRIWA1tvPuMY44992ok7eJITaPpUufB66 - POBoOQzkvjZZIY9sbJK//e3boqvGaUfs0ia+kKSovvGz9d1EefyNEmZfR9kA/Lyt - eGEBlpxwVVA+qGsC/MaCfYKsKRtzUkPshb/vPNV6pfBQ6eTuUdQKSDSIv+PTXoVt - wkIG8HJB3z/L1IlaE4y5o/8anHa/Z3cdI4wzMNoJKCTt49SzAWPONxL/KegWwLYl - KD7RVam47l2Ju4pV8IsYMTjSc2SYyzDxzAJSYNBzYT7Z+U1v08HMJLjH4oDR6mYH - d6kxkSQ77wXAwP9UcMOHbVbTbT+MKqv+UrvWSDMDdZrrymRNfMjlC65KItDBbCXS - XgHkBg6IcSO3VtmH79ceOwkhfNCXwF0rkQzfAn29l/+1MZu22CAxuiW4t0zxN83o - pv3FRQwrbuVQUZNFyy3Iq00mThs3J/Ze0BltrPBSG9mHTE8kHn6sg2uudQr69tU= - =1Ywm - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/secrets/hstk0/mycelium_priv_key.bin.enc b/secrets/hstk0/mycelium_priv_key.bin.enc deleted file mode 100644 index 5592a8f..0000000 --- a/secrets/hstk0/mycelium_priv_key.bin.enc +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:2DcYHv5RCSoM3olKYZhn4BTwEROwC4+JZ/PQxF4SV7I=,iv:B27a2XnhgiHW3HAh/MnTUonmhkWvaZkmG2c2JPWV05A=,tag:TKZ/rFzQH0uvbOFoeas3Ag==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MlpwdVpvNFpqQW9GRlJv\nQmtiK05mMkk3ZEZMNzMzNzRGN1NoWjY2VWdjCkdiOEs4bWFzNjRtNmRuZGxjYTlo\nakQ2bFVqTGE4dkZBSitLb0VjME9TaDQKLS0tIHJocmdZNUp6WjNOTTN1d3pxMENV\nNWxYdmp2ODJKbDEydXpJejBHK3M3aW8KpnFNofmSJZN6NDZ8od+RIf3v0Pa+o+Gw\ntAuyC2TuLb5N6RXyRUmnu0eD6bWLE6D7CvpYBy5GEHcKnbAdX07aJw==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYcWpxa0RySm9tNWM2ekNI\nNVNUT3JCSWUwazZoeGhmNldReXRDTnpjT2djCi8wdEdJZHdaRzFyem1BUVJRUVk5\nNEF6Yms4dDgwWWFmQ2J6c3J3eEdIZFUKLS0tIHVFa0lZRWhGV1BHYjRWdHFWTkJZ\nRFJ5VUpINHdEeXYwdHliWG1ZN0J5bTQKLFZuFWgC9KE3WVbQYqxveFmzMHPE9yvB\n6odS9oKWt2v+5q1K9Bw1Q9MYv9cqPZrnfwJbjXZwLitVXlnlFMnA+g==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-05-17T14:49:38Z", - "mac": "ENC[AES256_GCM,data:HqeOxzTlr6tyDWmSpvAthf/puD1wdv3a3Nv8qdt9GcR2UqmByreFPRktTwRL53NvCW+8QGSrUjah7fB2GWsuSVXowSSkY5h8W5s0O+YkFLXo9K67hhtEk+4QwYKQk5w4ZdlAEFrgDAzCFr27Mron53VLhVo0DA6GesgywTLf/B4=,iv:uV/dpuhxXl39MTzystHafirJH0mVnLsT+0h9jh4Epm8=,tag:s5uRzLtcfyNuWau9RteyvA==,type:str]", - "pgp": [ - { - "created_at": "2025-06-05T09:49:12Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ//fvT0XVvugLgN6/0PduDRIl8MiaAG38eUeEWwIafDkeuN\nuoC7SUZF+xGgmcDD0hUC30Vt/vH3O8s3eOYxvAbt5NMOCI826u2wX85LEW3YvHpT\nbGdSejUMTB9tAQkFa2q9D6ZwzgJxfrxUXoXmXJA9zxEIJ2J5KPDv/Bwy2hczsJNB\nbCzY32OjrdGUhFqRsCFZN7OHkMN6+j0riUHdGMSa3efyR0Ow7LJc/e7pQBZVagVE\nFD6w5erZUzqeRtKCTBJstuALqSseeSpQ0vV/N9ZvhlaZGsaq62+qxR+B+a7gRPJc\nr7Jsd8vYuAytSckll7PnWmZgjk3cT8fXWDWzVUHl4rORtUJgeyNxEz1976Hzrbap\nZWEJeBx3Q3U9QlUncxblraViYM+NLxgbwqx4v2AktS7Dua04AImM6itXEodDVGoG\nH4A/UtRSSoIpcuDyyrqaTfeeoMwnRfJj9O0kT2DYT5G5oBjS5/IXjIDeFYj6fvp7\nsRCnY4Lt0sijH7hQcijfSjMeXdByf4FGhe1goR1dU/COljOZ4hkfgj7lGm6BtQCa\nOG+z5kI/PUzOhzb5PKxuSm4e+QNBFnRK83SWW/P8W3y3AAVtyzIpfdw/9n04wSAK\niVnhiqA3Rp3BzC7hRCpOerag4LEWKMJUxhyn3QOHGuYWFJmdxYFafovhGY/Ms8LS\nXAFS6/No9TYKa4QrFj0iw3/Kx9X6NpdnscnxJ4YelW5+3mjJNGLEfwvVdtXbrpNW\ntmlfYCj3Kg7FP3SWGCz368CU9gjGjfBOVIi+BEJ1a7Nity3fJO3aENhNjkhO\n=REjF\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} diff --git a/secrets/hstk0/secrets.yaml b/secrets/hstk0/secrets.yaml deleted file mode 100644 index c5aa7b5..0000000 --- a/secrets/hstk0/secrets.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -tf-eval-minio-root: ENC[AES256_GCM,data:83SacYkxLHU2fHbHNiLG9owDgakOY/nrZBnlDgltRlQDTSW9HkKejVrKtTaixjbxKCgsy9sgJBv8LZtqwthgZ6MI942YU2pJHL8le1wBsuY=,iv:uXbOw/9ljYjWCdafhupVJA7tIvcL801xszI8lrQnQIA=,tag:yolnZdYD1KZJFnH2gs8zzw==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5MFFBNWJkS3NpWlkrQXZu - dlJHNnlRUXhQOTNEazd6ZDh3dEZ0REtMQUc0CnVhcElHR1JMaG4zWjh0WER5c2tk - OXhuVU5lSTJRdmdlM3p1UStyVUtqdDAKLS0tIDdLT0RubGZPT1F1NWg1SnoxV05z - N2tyUlJwcmdHL2NldmFzR3VWcE5yRkkKzORrAR7iCVY0ifCE/guH5/qTPujU4MAe - tfHCW4j8gdbTDUlwN8fTQC8D2ILp/4ikaGcg76vTDekb8mHVM4nNpw== - -----END AGE ENCRYPTED FILE----- - - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCc1VvYi9kaDA1d2NlcGZJ - RjMvSFZ0b2VCSDc3aXJXY0pTY1VGQnlUZ0IwCit2bVBhejl2VFFBRmUxZVVReXBT - Um1kek1xWTZoMkd0blJ1MnFGdndqMDAKLS0tIDY2QW5uaXl4dHZUb0txZk1lRjVt - RE41R3JJOFpudGtNUDA4bnlEekt3NEEKOrnajH190HxAa+VuAScwWM4BOZvP2Amz - OYH7v+CXvp+74NqX/CT8/2EI1mGayrmEhpl5/iiUilBy0AUjwHQ6xA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-03-08T16:59:30Z" - mac: ENC[AES256_GCM,data:VIA7UaP1c2kli+BuppPl4LH1jiU9qAfqvfejZ0Mv0E8CxQ0eLAMJVkZIzSygLCx00cPbqAkESrniCeLYagyEP4tS/cff2ngplzig4uFbZzniYMXcYF9VIAyBhGgQGEZlZPgh4r4wmBdUFfhc0CPzmYt0obJ1LXElGdAoeM4OcPs=,iv:KPFJX2qJaxMwvrw/R8xrw5Fk5FRyTQdxq7DnszToy88=,tag:/H7iPZlWk2qMrWbwZdeF5w==,type:str] - pgp: - - created_at: "2025-06-05T09:49:12Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ//cOnKq/AUiMJI3gdGqxCA6kLTIjXfPJz8SceFo7QClpdL - XwJYlsvUJSLBLHhb5f1gADRtVAiGGTb80wGw1CGIHykS3+H4WwqdZCWbffg1lQ4v - QrBtZ+RTHNBWekYbyLH89E3bkM5e6DJWo2zjUzpELw9shpr23Bd9C3nLBRSGxhtj - C59HjEpcY+K4aInn1sD7/ocEuQwib+B2a8mMv0fhsrSnkDg2U9R984UbwPfH7c1b - 6XHWJe926aOv9tme0M0gZRKoDd4PWW55ZWpM+uqwi0A+elSNcwq08XdfFvSWXvua - 
DbFAyX/1TGYzcTuatqFuDdp1HvcdK8CxIziQWlwTjA/MCu3300bcdSm8J6G94yoy - EYQWHyore/5ztBFAd7QkuFLwDdQq9A7OSW89FWsEJtExC13Oyo1puqePoGKe8hI/ - +EWvWzZaYsuZhm0sqdhVhfy0jXGrmqjsHkfUD8+/kurl/U+ZhuMHykp0nGcz+xw1 - Aum60NTpl3/PFsxHsXdtRfJCMPNXtLbYvYUb/UUztU09sfcl1uN/eoEljGJDKSZW - TVHxFT1d5KbTQOnfrSlheqA6zJEGdaHRWmGOb6GbW/yMeX496qcAAHt90tkC0XrG - 1Sn/HXjX5ICH0gVjvDi4m/Yw2zaw/wGkaKWPGBdyUUkIYG33bCzJqYd7HtG6FPfS - XAEUgwFsnCWamLyfqUd3iuFLxOYL3IcoQdhkoKBa0Zo5Wjq4qPZWxG8smpwQ5IxL - +l4TGjTydE787lk29+Zi5tk3MGMsPSvUL1ev9o5ZnaUStY/NwdKrOE5wMY5y - =25kh - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/router0-dmz0/secrets.yaml b/secrets/router0-dmz0/secrets.yaml deleted file mode 100644 index e1f528d..0000000 --- a/secrets/router0-dmz0/secrets.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -#ENC[AES256_GCM,data:ZkUrwF6DTQFainYhDA==,iv:VDjRBF4WfPmJdKtUpZYJcOPxoUYT3DUxAC9ct7EvFss=,tag:efllkpv2SxRv6+DyuqRQCQ==,type:comment] -#ENC[AES256_GCM,data:2luPn7XRMTtgNpz0QLXQwF92kbBLdjJoUdFKdayy0A==,iv:dr//F4r/8k9zSzkWXUlVT+81iYLTX2rmXIp+Z9Lt4XY=,tag:RZTSqCqqmRxBvWqHqmF7Gw==,type:comment] -#ENC[AES256_GCM,data:SjwWciLOzMxrq/QV00Q+gt1sNXwl6N/eTHsN9jeFHwFeOQrZ0M7/36WgjSVHpGlVmklzd0LiOB+LhNlzqysM6RI=,iv:vznczLEeyTmCxExlkFiv8ftQy+3z0LyAg8vhcpGT4M8=,tag:+QgSJtX7FFLfMnPLhrgcvQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:BzQYUCGJwyA/mUohN3OkKdjkuHUfOgYFs01W/F1WM7i/UyOXA3HooUjbGe1KVQkn5NGTvWvR6t3CCr2o4Bjvq2pXrH+92a1kpQ==,iv:9PCLNVUyI2R0F5LmLe9spp7q65pwMJ9TUHmT/VtPazM=,tag:apsIgXhOkoZ8Gb0UshKg7g==,type:str] -ssh_host_ed25519_key: ENC[AES256_GCM,data:XQjTqNADLhisxPBIJ7x0bs3qgQk0u4q9HKSDukRbzel7hUiDqc6ELQAvffRqJQUtAS5Cfz9PzVcnyEA4wapvK7RLFavOmaN2MhcnQR24oQks5RVYmlvcems02Qovd15iE07XR4KCDcmQ5/XM5v4/RxW2zYzV5Il67Vzhij2wA9bJ7D3sbKUfyc6pBoIXvURbq6QO8ZMIU6ckAuOqG2230KwXLdz/ld0s3Ir1q/7t+rrrS7BPkeA+SRdYhb5XDOTKtfgFxNvdI6DSETV+q67xAalAkM/cZ2rqHJQd+wgH2VIPyiGqeq6LvPT0vmopFJn0CqQA2HauQAmBNIAtXel8GbK+qA11XilMx+hp6qhVH+BnSWWY3GriGfaGlpUZ0E7uymqRkpRwBcHmZto6E/E/XUxBfISVyJf/2RcTy10RelWLJtNuaXT2eHgXmZ/uAlcTGlCYYirr5g3iAGUoqxYbWlZb9SdqVO/0PLCZo7AkDWxk57wer/lHOG59ZpoiZnanaMIaNqJ7Tsslvvm0JuoP,iv:2U5IpWTRyQ8basBRoYpFe6Ycc5qdeCUAUTwlEHttRJU=,tag:jA0mFsMxWKq7dnkGQWNP9Q==,type:str] -ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str] -ssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str] -ssh_host_rsa_key_pub: 
ENC[AES256_GCM,data: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,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str] -#ENC[AES256_GCM,data:QOMW5ALQD+CIXyqRAUzZfv42HvMfq9qiTho=,iv:/KlPuB6aBBhdMvJ9kYClfFRBMC0bSF16/EKrnH/Ifsk=,tag:Wwfk7YnNvla06I2/ajTd4g==,type:comment] -#ENC[AES256_GCM,data:6/aUsWY875jPKZZiJLL3TWYeZT9VOjoJBDwjRTfjnUHcc/NTTeQRPvb+keJeMt5kfWmAzieYpslvz21UktTKqHO/,iv:+zwyh6nAP7DRhQX48/BmMCbv3W3wKfUiAWCvu8UvS8A=,tag:doc142ZXZO6ajPcuWftdtA==,type:comment] -#ENC[AES256_GCM,data:GG3qBrBJSmJfUun5+0fKkp7J280oW3r5tGGjm9UMolUsZCYYv5E=,iv:gFGxT9Jr/d3fVouWEphJUxW/Hid8dAIvldkxYHb9DvM=,tag:DkgD7SIgIYyk5Ne/lGWcwQ==,type:comment] -wlan0_wpaPskFile: ENC[AES256_GCM,data:yB/1MLibWzQuV+LnM01DoOaImu6aCHB9TMsIDaby9MxjRCQNuI7qxc5dvTQ3RtA1V6at97r3ufw0W2Vwtkf8Mu3l/UL33nWoX8n4RAykF5HkDK+l1hzdW+41wZMZPc+NDE6ZgMSNG3N9gipHSjYQ+vU6KPX9RQwWTUbJiWWYtii+hi9NXMa7sBvjl1WUQtrKdAmc+7flAEFxOY1pOvkj87yOQDybQYdx268Gh2wkfgtacet4zwWvC/VGNrN2p3Eub8S16vHAZZKeW+2rr4U/GiOeS65CSk9srOGwlD6IboTUXSAoSChJmevnm+cgkzZsuOKS7knEZPjQ+l2Z+K4l3FnB8+CVvHw/DlUAG0pFgw49NfBGczGSAFh34b0k,iv:2AkphYXeupcDvB5KXlnuC7QsVJdBZHnR684045DJtfw=,tag:YFNcunSPVJUSLIPTTQ7szA==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:5/5llD0itgdKhZ53IbtkwfhO+qUI+/xBCxnfQOg9yjS7knvUINURY7rl/F8=,iv:86t6XuY4a1rHY3kmC3XB6WwwPZVWAyM2saGqEZaHdJ0=,tag:4xemlclKI4RIxAe60HGuuQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:D/RU+43/bYhg1lRZE9zA52AIWGd2KRF0EQcvteS4CtQN0Yy65vjGqVEkjyk=,iv:BmS0TfUQXRt1tdWBBKIUi+DqXCLTXePzbq4dUYSlQQw=,tag:qglrKjhcSBPtqNd6YCMlPQ==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:859rOfvyaeaH07s06IT2qJZjXcWZiXazQPUImYOMngTj+xNop8UHX0iDegA=,iv:V7cR9mGQrk6aKctY+1egYFhBiveqc0OwrQSJxByk0zk=,tag:WF5via8rVm8Leol5rANPqQ==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:Q3zb6oLhBqW+D063S37O2vZD3PSn3yIYWWkOtZwvpmMmdAMtztGqdrHzXRE=,iv:tIEDtHa3s2/Shg6Kw/8G+xjtixH32fxS3l5KtR2VUIs=,tag:JpKjYmV2pPip9hDkKg8pRQ==,type:str] -wg1-publickey: 
ENC[AES256_GCM,data:7svFjRVdWBmrUt2qzHSmgBo4HPwJR6I6p3rZg2U+h1uVhQwCnUCH6JATVZs=,iv:xWUKpjmmrf/U8T8XmdL4Ox+aqkftnh8oeORCkhtJoBU=,tag:+k+E13X+EbZxfiq0MoGIEg==,type:str] -wg1-peer0-psk: ENC[AES256_GCM,data:egtyccOYD4NAUTunpvVXTJwjtSdJJT8v5O9Wl7NoCKy2eDzrQvrEEK8Zzts=,iv:D7EQkj2Oz2JJIF6slTLq3A4esKN6VfkOA+odHvjSeUE=,tag:z/blOUXX1JOyqtXgMldnlg==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNzRJeDlFdHhYSlRFWjJ4 - dXZtN21CRllTSitTZ2h2VnBNV2l2Wk5hVFNRCjhvVDFBR0ZYc3pkT0ZOMmVNMkRj - MGk5RXJ6UExmTUxoMml1bFgxLytUZjQKLS0tIFhrYS9xYzhHc0NTbHVpNEJEMU5U - UElCL0JIdWxkQ3oyZWJTUTRsYUxJdkkKobP1eWNWnvFCOY9AQRNhGjg9EzAX1MjP - QxhTNYs94CPFLeVsMghSw1v5rHLoXdyQnHc6LJ/rer6qLoSq//mv0A== - -----END AGE ENCRYPTED FILE----- - - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1R1g5OHEyUVFzclNwYXFN - K3N1R2xoYjdyYzF3Y0NNUXNCemJ5Y05uSEJ3CkVNdXNudk13VnlXNGR0MWt2Vm5P - UHI0ZUlVemkyNGJFeklaTmhlRm5KU0EKLS0tIHQyckt0RWNtVDA1aXVLNlVyUklQ - REhSYTUzeCtoUmJhWW5oZlZkVDM0N3cKid4XtaA3rjY89HOcRdv2xivlJAabjj7u - ES/s4YtRx/S1TIaAXlMmtQe1llKv0OIaioFvtgKnkrlpf7+tROZT7Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-05T09:44:59Z" - mac: ENC[AES256_GCM,data:P2bEHq4ZBg2Y8RPmUSuIOxWxJdYTUpTD5nXv3vqAHOU0t5ZlyOjFUPYejGBLdvd++v+plwo4lYG4/JJ3/LFIM/n2f1kFOOPSIt6yox6oYHHzJRly2kBfyIpUz4q+1c/xhMjpcQdAlWEdIQLm80BMUpny9y2KhVYot9TvTNTSkxM=,iv:uso8kcW8gildOD7FF1Xvage2dccQ8GkMI6nDCaUw2qc=,tag:urKtsRoGqwoZzk7DuMCINw==,type:str] - pgp: - - created_at: "2025-06-05T09:49:09Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/9Hx9PkWEL0en32Ji+fk4kCcXwToFf6EOe06bNit/8r5Qw - C3ixd+uOykhbwN77yssvB8uZ52A7NTSdf6iV5E7M+nFx4+mLYMW+mZekF82ICyjW - SW4b0HsI8WwVYn7EWb3BiNa2D3ku1XXqkmaMLtEb8N+LTXW3jCq/gC1xuB6Msdny - 
egz7l7KemiWcOPxXZmh9INKxpEYziXCnkq7p9T+04noi6Yz9hPWBzBRBOw88AfrP - eyFzFIbWPsNpsRhVzRlWNmu4Sx0NtqNy2zHk2wkcndJaldk5EEFO2c4szofuQV0o - lmssfVH+BGwtEUs/37igSxeHwnYxEEhEof3B8qnXReUsqcrLqpvQIgleQgUg4T3s - SCbA9dCSTBfos+rVM1764B6lw5ISOj2JxJyoV5itXu1LNK45fpsT2YgRXOoaziHK - hn4WOsVnRuaadHrd2ULA/0qXlWE+QscetZzrKCIZsuqHCqNumjhNhtIlOlKLFv4U - GVMyalRmSJTCVI5EfewyHzMJpGa+OVtfEoUgM2xm1Jd34dEjjHjyynyqOj0ybB0+ - CgC8IGcWpCQZwijITMMZ/bPyet68nVrApy44pniTENcXN1byQECUuZV3Z+BTWNZg - VOuOPmiTQf26qjQ8I4fEUuRgPpC1Wze4MiDyXkX2jtgU5nbLxAhZLln4z9JA1FfS - XAGEKaPlu9x0WB9vSu3ArEERIw/rmu5Ux23Gzev4IFhzJ21Jzp4tpjZhGQvAIafQ - fStDytk2DOS71x7Z8MzqE10BQJ0oB37donhAxqAgOCpOnAtK1a/IOkT1m9IZ - =xkVg - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.9.1 diff --git a/secrets/router0-hosthatch/secrets.yaml b/secrets/router0-hosthatch/secrets.yaml deleted file mode 100644 index 6939402..0000000 --- a/secrets/router0-hosthatch/secrets.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] -wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] -wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0bW12THJKV1B1Zkw2RG1H - YnpPZE9UTDVFSFZtWDRTWkd2c2pRaHdmRHdvCngyNDlmVSs0Zm5yYkFLbFFFZ2xR - M1FnYWx6UmZIQ0xZcnVtdVhmR1REL3MKLS0tIFA5TTYxSXhFN3JzRUd2UkJnV0tE - dHFiZFZIdkRtUzBSNTIzUWNIb3h4TTAKYThgfHX91UXq27b2U/wtrCyZY8484Yga - 
Ic7FhMQMEgRVC58q6xLOglCmM11USL3YeyOYEFeoLnsvecgobft3Aw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdGZhTThjd290dUM4ME11 - Y2Q3dy9sNks2OFpUNXdQZmdEUFFuVGZRZzFzClhyU0ZxY1hvUkxaa3BLajJGOHlr - M05XQTZtNGlhZ1VaeTN1ZlAwVjZVNW8KLS0tIHk1WUt2UENZaHRaSVhoanY1WEdp - YzZpeDBrM05oRXFjM2E2dTRoZmF3R2sKr9kID48vUng7tbIoc50kzB3X8SM+vIvK - GQi0dHVaYIvrIkdDm7utuqPRFTwOrxb+Fii0HVBKGzeOLTfckqfOnA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-09T14:08:09Z" - mac: ENC[AES256_GCM,data:nCwAca0MktoxUb0W+1B7+4UP5IOG4cuj2BhJBxjDV4gjYBSKYJs5gSdYytjOpu76ePXSUHgyiPH0Joe5ESubaUN4zPIWMLpkEk6WjXnmXRTY8B5ZZ+AVR2lxNi7UtiCyx0yjAVZFxuk33MmKR2yXMLEqE6U/70fccJlY+dbTaVU=,iv:QTafba+auq3Zv/xoBzHmnIMmfDAynqApAcr/T0Uh/2g=,tag:RREUDKF4Kruy0AEFDqSVuw==,type:str] - pgp: - - created_at: "2025-06-05T09:49:11Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfARAAosMhFMHsZ2uXt0AVKf+tbGxyr3oZte7uX45SDv+mWkpa - kGBQiiY2tLU2+GqTnec9MRx5D12r6kBuVjW3UG2FCIhONLMFk+3L80lHEZLYNVID - Og30hKqEGSRrJasnVgQPAo7SXfyfFKGflZyQV56P4jAphWCwSvkFywcXlP9ZZKA6 - SmMZrdQeylM9Qp9/B2DtoVLVv6beeSqV6gu8KBN8qSXky+MTOHadfNePNnyvl0EV - kH9SeH1ch+XbEqHhEMm/EB+RXZSBgXv0yVhHBhtr3sx06o3Jpbw7mDMEscNl76xx - QQtzR4OsBp/VKQEJde3OYUOvKzNyYk1yB5Oocrb+shAjHXrF73Yt0yeq1LiTWYA4 - BLQWzeraCoo14m8tMD9nKo4tEurTBFWOmSITTu85V+kzJ6FRc/F3i2OjB94DUBsM - VNsldqQhc4mDioVywBQ1MaA9phWHTUHprJPflByQmP3jj2bjbure1UHOFVqqzW0W - zAp5yFCJXfUJap6MPKl9ZR5zCTZmpiChJxkipwpmNSQh589uiJrCzgwJ/VQC/yHq - a56PGW6eANzjGC3CkWzEBDELjYsXhxV4jbc6Qfh0owcbWDNe2xV6u6Mp+9DvfJQx - iz06fQaN4YQP8xhfLSBg/utc+H7U8dkd1jr3/GYr4PAf17FNQA4VkF5XhxDkT6zS - XAEFECB086pVQFehiL3SpvoTJUdkJdLySQ3qVYmldA/mQXlg3SEDhGHtJlgkx+US - v0BYfCrlnygbXyuPcKKwN54K8H/uL8OAB90Vq0FFeaVbVE1zn5MJx5wQaxL7 - =v2Ad - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 
diff --git a/secrets/router0-ifog/secrets.yaml b/secrets/router0-ifog/secrets.yaml deleted file mode 100644 index 9a2ca9f..0000000 --- a/secrets/router0-ifog/secrets.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -#ENC[AES256_GCM,data:+I8pZeH8kkkGaeUJ7A==,iv:5Yv2K6pU33CA82oCspb5exjaAPMRszslozTphxvDhbw=,tag:OpKwj8SYXSMcLlusEVX7GA==,type:comment] -age-key: ENC[AES256_GCM,data:8L4IWs31RUXGns25pP6BrhFKVAYvVY7yIOe6MSk4abvgks2eyHnQDTiSKVUQGjTyZFVbQ4mtF9O8CmqqlaK5z4nrUYSUN/Ustc13L98V+PMUOxljka0UL/pOe36aHEQz3Z2MuobEtZHwccPEqWhOlF2v+OgFQ4Kp2Vczw9REf4ahxyqz3fz58ymR8HKfTHD7YBawEAgYU6WVyrLfyA78860pkjlYMwhnjkVBvkP/zd4H+L2JxzjwUeUCqcm0,iv:8RwmmtgKqLsJov+DxNjvtjPk8t8yVmRhRa3k5HdCvgk=,tag:CZoZL3aYucIk1JENWY/mMQ==,type:str] -#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment] -passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str] -wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str] -wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str] -wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str] -wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str] -wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str] -wg1-peer0-psk: 
ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtRHh0S0o2RWh2azFpL0k3 - b3dPNjJmbzZwclkxVkxDdkJ6NWpTRGxycFZVCmtkNWVRZldKUXVTTFA4LzRxZita - QmNJV00wYVBOUGdlOEViVjRqRjFSSE0KLS0tIGtSYzMrQTFUREQ3all3N3VHTXZ1 - M251bnVseUdqcUFwek9SZ1FEbk9XWEEKs7g7qxFzmr5I56jPiLH2K06a4lZ59pxy - qQCXK3AIZZtz8ibLfgo058Om/36SIX7rddOVxab7QnagGwdKF4d6EQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdjE0YUlKNW1WeHJ5YWZl - aGk3N250MHlHRTNaZDN4OExjVmRoaVhReFE0CmRTeDZleHR1RzZBMWJXV2U5YU1L - MklidG5lcm1sWlZIbDV2YzlmU1ZQNEkKLS0tIFZNL2o5RlpRdlhxMnhSV3p1Ukg5 - ZHJyalhzSWJhUk96TkxuM09aUWcwMjAKu6pzq11IDeOLR9C4GEf5VyLk6WJHxxAl - X1JUdl7IFfGLSpGfFRmFN6HJxtiC1IGkEYinCfFWPR6ogx9dTp5H0Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-26T17:23:41Z" - mac: ENC[AES256_GCM,data:Ez/79vUHs+9B/v2qlUiPQeuYHRdvjUg1jJOt3C6xEnncDQ2fH0CUxKEIfjgJR7eatwvZSznprv2wCD8Ik0SKunjRI1UGe5JmrVstqoSDbo+MxpdwrqA8zC5unpRUYenvyo9m8ZW/DnjKz0ArorYjA9vid878MdemkHtSjjZzik8=,iv:2CkmPRjYYt7q7HAdEjIbJHaSUG6Yr92pEkk+Dd3E7LE=,tag:S8LPb0mEjRZQqawX310SOg==,type:str] - pgp: - - created_at: "2025-06-05T09:49:11Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ//fh09erpIbQiOxllj9U47PNkGNHQHiw1mrECpdjXUwVxz - 2KLJ2Sg0KLDcU5tDmr8s4Agm7pKluncJ9xPSNs1RriP6pZ/uJQrX4nc3tSRktgPv - haHBrwVSX+E1WDcxk9mpbS1jfpE2YsgtjLRMsHgequ2zf0JhSJiJJnI7IR3eur2Q - qewY3MfBE3jMGZoqt5r5P0pTFwZZhsdNlSc4UpYxNWKw+mCZd6jL9J1c9l/LkIZc - rn9hxqGTlouRw7pRrCD8HPD3g27PFcWfqRO18CBM+tHlj62q8PTZX+IfkLh7VbCG - Py1ByglXYvfT6y8NgFPjzaIl+ZLMcPuHkMW2sdOFGQ1L2+W3GaVaD0TFYlFUT1dD - 
A47/8yFFXYD/4MzcZK7W2fHdzQt1qtACoAPxgiM38uon237gNOSbuSmamfR66rI2 - L6+v7jlkt364Yt9D0bQCqNJQ6uhtFykaLqN6mLoj1IeoP9yQGaEni2pJzDfW4QYd - EiwigSxviiDnGRGaithMMexrLzcf7UhEZJgGrq+D3d2xPN4mJ9irT9MheFYwYLW4 - M/yDnA50GvwxHA7IzrR1fxneO6P44zi82stX+agFTmbiBKw2aelGJM+wwzCEVGfR - /ksU6xhLbL7aMZLBXkZ1ZV9tf0t5EbizapqNdILxSMgaKfGegJGZHLuvukv55ODS - XAFXaECdhLj92gxmtVAf9Ct/17J7fkD+qLHHmrVBTHJWZ40zDeA+7sw7LUeE0sPl - 0z3QLEk+szBOyo/07ZIVC9xA292Rt5VQJrMSTOIGcGw4g0m1nOzTtT3Q5DLL - =aStS - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/servers/dyndns.yaml b/secrets/servers/dyndns.yaml deleted file mode 100644 index d01380b..0000000 --- a/secrets/servers/dyndns.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -dyndns_www.stefanjunker.de: ENC[AES256_GCM,data:xHpC/V9OWCMpTKs1,iv:gW6f6kQedbdxbz1zJAY6xceoeG/LqPG/Ss3DaBm/Ta0=,tag:v2V/hzRg+xgO8zpwyIBVXA==,type:str] -dyndns_mailserver.svc.stefanjunker.de: ENC[AES256_GCM,data:auVHa5n4335mNXAy,iv:WZMOA+Z7/w+Jsu5193WwERXZrt/5JDiMUKIZo8ieT7w=,tag:YmEDp/0gjgPY2kg9GNKmxQ==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBTE1ZQXpZR2JWNXZyZG10 - NHhwbTZQZEVKQURZOS9BZ1BBbVgwdHpWMUNvCm9RNU1nbk1uT2VLTkVtSkFIQ3lh - OUZQSjZsK1Zvb3ZWVzZoTmVRQXpselkKLS0tIDJlanZpanZ5bDF2TUFLWWxSbytz - cEdYRnBHOERkWjZiWUFVQnZ0VU5EZEEKJD9EdW3iNVs9BdflLBsYgqRAQuJsWkVM - 7OdYSnB+aEULLRYcTpbCH/AJ3U5TDGFemj2ec9nq0H2qgUBCNOvicQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSUxNQ1ZoeVBsR2VTRjNS - a3BJZ0pxU0JSYkgxWjNTdk01UzJ2SUJrUW1nCnczNGxBNVhBY2hLZ2c0UjludlBD - bGl1UFY4Ti9OSnIzK0hRb2dmdUY0T3MKLS0tIE5FT1BDYmsxRThhVXo0SVFjYlZi - TzVhN01zNTZkYk1jL1VYS2YwTkJIejgKLD9zpgrTV8ViOaV+WdXIdZXrd4eyRV20 - iNq3B+DF8Xzpu/cQJ2Id6ZXvuBNPVDvSn8N79FmO+Ad2a5XZl80Png== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-14T20:50:30Z" - mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str] - pgp: - - created_at: "2025-06-05T09:49:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/9EgxX9o0GjO+n1fnAEeYYkhHyx3ITJKT2XQIwMSbAukhA - PgNSmojyAr2FUuScDZ4cZh4ACj4itPFVT1kDNEDyHZaaWmqcDIrx0SKgtUymDAiA - hXnB9IqzPJVqodo6+Eav+p6JEB3IoENQ6p/9BLN0o8P2RDYiKRV6i1pSQfDvHzfs - 
EnsQYHpDBNHSo/L+WwvsVmq60tmywBy7SF35B86JQPfbgYEVr0bxEHCkzfGAdilY - fYY92QH3YoXvc4mE4mF7BnWjOpyHsQ/UKSUrl2223r+dPSGthrGfvCOnpE4CN12o - 5yZ7T7oXZlIgvwNUn3BjQm/KXSYmLVhe1KWmkXA23wZ7NlmGL3WKLj++8P1GjpM9 - TGBHp96CBAl5NsC3tTovqtDLdsEV66nGXnVaF0e1avaeyt9396PCVw9GiEl/phH2 - Mw8UBwgBxJ1jx6WB+tnUdBXvlJRc4/ZLpfxTyUxAkYxDfYfiZ/Wago+sZZc1XBGR - 5BlHsGm4Fsu1DaQt3IrBcvzrladwtFaYv7OcwQccQRHmQ5jXh4qo2HE0qHUSK/PD - Rpjw9D1DhDjolfMVSJID0GgFyjEeya9MaKvzTTkBW0u5Hn7HayzePE7GfDrzDwJg - Ef5DcH+b1YOjtxoaU9dxcPMT0QHGK6f3CO7K+q6EzxMMo7Wx41Vv5K4KGBj3vjDS - XAGUt9b+GwugiS1A6bHnssDH0JVsHc2aitz5Q8N0l3h3J9d6DxVGew6S9+4pkq0B - gB9uwzJWME6Sgpa6xx2a2krlIlbUX9ehfmYB2LIvpp5U25nw13YVwTUjH5Yj - =hMaH - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml deleted file mode 100644 index 2596180..0000000 --- a/secrets/shared-users.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -#ENC[AES256_GCM,data:I4vX/lS1zWiEBbp9wA==,iv:P3tlp4VmVKasE434JuWZsg9H7t5PpP1FxUxPygahtDs=,tag:knVhCKkx25QJfTH/tcx2Ow==,type:comment] -#ENC[AES256_GCM,data:aqlLlXgwwtjBYxytS2H33KbN0z8pHijFXKBAPQyQ7cxE8iO6tDfn/3kEVaEa1YaiYUMXACX2Ow==,iv:uKTUsccWAqrBkdG/ymCZB1pcumRreGv/2rIn6YG8Y7c=,tag:NWDO4dPRA45Ki4ymGblGIg==,type:comment] -sharedUsers-root: ENC[AES256_GCM,data:RhMqzHmMzsPZnskGAKQ5GEagkAmtCqbp3FI4XPWweq6U8WcML+XEOKBfRoemK6yMHpSobBUPEHudNDeVxhGLH1VREmO6+JVZ/3dz44qWudhyuAj2CHiVkVgMlSfOKIbY9FLLxXxfySnEsQ==,iv:EYWeRKI+nFpEkxtBJ57xH6V4arE+hVAHy5ht9v8P1oQ=,tag:I5WA5+FjJ3lF30dth3H2ug==,type:str] -#ENC[AES256_GCM,data:d9jstVxMebNWmJHo79RF0YdurMqwRoDrFzbwjoQ=,iv:UG+qk8hc/WiCviJSCmrUyQZATDD1gBhqiYU6spf7Zo4=,tag:4HNfJQh+3GEP+MHqg1KNHA==,type:comment] -#ENC[AES256_GCM,data:4FjqAy/pZMkBFC7aq6Jqx+TqCtU=,iv:iWxPm8etDkAIuz9op4ck5AgszLuEN9cXXixzO705afc=,tag:MC03p7Kqk0srtDjbov91LA==,type:comment] -sharedUsers-steveej: ENC[AES256_GCM,data:almzynLh7RHcjTFOQWVaGk027uAanFcE+AYVhcbzSs5Xwd9sZR5+Ckbb//YxT/Imz9WKVG7z+bxPuhYPgbzUPCyxUu6/X9ZeCF0gmffyTbXVQHpo2W+71Zcob2Mbt9yMAF1146Dr1Q5R2w==,iv:fHMmtO3U6f/0ZNjxcvm0vOx/W/BYWvpD3WtzLNejGpA=,tag:tsLziHECG323TCKBLO6FzA==,type:str] -sharedSshKeys-steveej: ENC[AES256_GCM,data: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,iv:QeYNlLR97tdC9i5N909GnoNyBwNNiuljF/eVbdhvGXg=,tag:lBWDaaZMQRPX/4Ln+oUQPA==,type:str] -#ENC[AES256_GCM,data:8u2UAE6lXi0e6qKJxB3VP1k7hmfUYRcejXoR7K6NIQ9E7AqOlMiLDyQFw77NBlqpy0G6mPVOnC+XskGAscm3TLFzs7+o+/i0IxH7uDPwoh+U,iv:n4wheHkpPbnKeXb4DTxwks2bph4LO6xQW6LcrlA4jKU=,tag:mgwa7rYvqoubFdQDXJADZQ==,type:comment] -sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3xQz3oR14CqSVy3hjQEkqcezwj/v2ELrLWid2hK+lDtY,iv:TNoJ7Kq3WDkkPBLG3a+N/A8yBZcx7Gc0jaBToYX3Y5M=,tag:VU5P4YtzMv1FVc3ugig8TA==,type:str] -#ENC[AES256_GCM,data:685Grzm+Qw==,iv:sswI1QEvU3nXgQCJcF/O4n3a1z3r6fAVAOSF7W24PZw=,tag:cH/AroGEBfCnnepyqtjt0Q==,type:comment] -sharedUsers-elias: 
ENC[AES256_GCM,data:RsGDCguYkqegKhkO20lr8HjrTABAaNJmDiGK3DhhbX1sOLMweZwDtESvYjCfAOzWpiAaFh0BqevMkuUcEYQTBubSX+X0EZ0dFrdbVxIe7lq7Dosds98SqKLL4zWqe2y2qsphvj+oAz7Utg==,iv:JXIbyqAUt1OcB+bvgK6H2NU6Ip4nWRJ1/Hje75FfHC4=,tag:kPFALVkf1GbRj1J85SZm6Q==,type:str] -sharedUsers-justyna: ENC[AES256_GCM,data:BGVp2QppWWaYHK3rwLlyy7SOWxSqKGsn7lemWe0KUzgiQc6D8ivYvXdGaAhJNvhgVTxlK6BZOacG4NESWf5hi7sN8AkwTT/6pa9WzhQQGNnwZIaVulXeddzFlebbh8pAt0WYV82DRejX3Q==,iv:RMysIp0pMnCLhWogWiGq4IpZA43sd0DPj3jeV0oRkY8=,tag:VvXPzyGAoATlSedvV2prJA==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArejJMdC9Xb1EvMlkvUk9Y - MW5LcnhTdktHVlNoMFpYWG0xUkRjZm1GbVVZCjJaNEN5ZHFSeC9YNVBmM0QxM3VK - c1NJRVlzWDQ0QS9XZFpWeEJwTTV2Q2sKLS0tIEcwZ1JjeHhNdXFId2YwQXMyMk52 - NVMzL2U0eUdISlQrLzYvSTlKQkUzancK2dmrpC6+Bl7DrHtx5mvF+c4BRv0HPzjU - aT6GbjP3uZ0/jrRM1REqfLQe0v/AP9yMIenZNLdkfoSELtXpHIIsNQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKalYrWUlmN1d5WXpDOEtM - Qmd0SXZMdXpJdVdtcW5lcHZoT3hTMGhTZldFCm5XcEJ4WWgrbW9YQ0lrRzFOYndZ - VE1QTzlMUmdEZkRzakRUOHVrcWZ0dWMKLS0tIHVyeEVtekRnTDY2c25idUpTMXhH - ak1jbnQ0dFBFM3c5TVJvcDlkR1VjcTAKUeMBhu4ZFBYLW9jB63JErQwCsAV3YCKG - kxJTfdaoS3X2QWGIp6s+oE/YYCikKiOR6UxoHoBBgklP8tOXG03cPg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCSGpDSGZQVUExL2tXbFQ2 - MldVZGFQNlVULy9BVUYxVXlseTlKL0RhU1F3CnVSUXdoczRjYWJCMnpyWldUMU9R - blJwVXIwdmFRd1JlSURQTEZkTmRkSFkKLS0tIE9VcXRVZytWUTBUV1gzdytrbTla - MjBvNXdWU3Q5ZENraWIrYmlZUmNqRU0KfDDVeBKs9gm1oBufKfSvkNSbdlyjQt3q - is+5wfSgiV7vzvdh7MWqQhyYI3U+JJB2sq2dy8m65GLT5XMJdqm80w== - -----END AGE ENCRYPTED FILE----- - 
- recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SGJ0bTRXN2RSeEprZGtO - NTI5YXRhV3VXWHpsekNWY0N2Rm90WmpVM0JrCmw2dkczbDNwOHViM1B2eVNmMGRS - R2QvMEZIOXhXS2t2RGRDTU9yK3ZJV1EKLS0tIFNwMFJmWFFJMjFPNDVEbk5naGR5 - Q0txMjlPNStWY0RqcEZTS2VBbEF0NWsKS2nLfY2AcTmI3Jkd+xtEw+LCJ0RCXSfW - 9L0EO9VuoMcEXUtPmMBVWnfFRS9e7MuYrrFy66tNO29+088bYGOXvw== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZNnhSai9KMjh1RC83UjBm - K2dPZisvcTA3a0JqNzVwWWJkWmp4Mkt5bFE4Ck91TnpJR1dGcnNzNFk0bWJkZENB - elp5NWpGY2F4K052MXZaTzluUkc1NEkKLS0tIFBvbHBZNWlqNitDbmFwbWt4Y2o4 - OVdhWGJQb0hIYXJkbXNGVUlEanJPclEKkX9L1XTFP8euXXcBESc4vGZycYGRTj2e - 9xQW8ABndvyvz9hWXvjD8US9A26nxDyCAoFYluF/dvpt3M4gg4hhBA== - -----END AGE ENCRYPTED FILE----- - - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzd1U4MWNwYVA1WU51cXlJ - SVNkeTBPaTVJWjFKRFZDRWx4a08venB2MmhrCnJzRzFTR1YxS0hSQmp3T29IcUJW - YWVRQkpIRWsxL1FqaElZNEdDcXpxRUEKLS0tIDljL0FZN3VraE42SXg3V0o4cGFl - eDVCaXE5bGRTcW8yN3hpL3FiaHZaYXMK682pq4hOUq29PXvPyrgWlZnxmXlNLXIX - lP4zA+nOCeTn6Mj4ffCr1uwz6Z+KraNzr8cWne5XRod56E+/uYNddQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhU0EvNmlJaFViNnFrNlJJ - Y1lRajh4cWVnUVRrcDV4QlZITGpqUERLZ2k0CnlOUVhPL2xMdGtMMHo5cExKVEFX - cWlQZGZ0ODRremRINGlFcU5tMUNmZkEKLS0tIHhhU0tHL3NFM1o0Wkw0aE9EanJB - eFAydDVGOTN0b2ZrMHYyMkR0SElHZncKx5oAailIVsgXi1ajrgkYkBIr8AJQtEj8 - YOBoaXBGppSUygMxWHSt4vzdtEBYcC9xaZ7zAKVYQbOODAlSRd58rw== - -----END AGE ENCRYPTED FILE----- - - recipient: 
age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxY1UwdUsvai8rRnd3bzAx - SUhKZ0RHWW1wWXpadWhQOHVYTGRoYXBsbDNJClRjaE5Vai8rbENBaEt2ZE5JNVZL - aUs4ZHVQL3JxTWhibVBmNnVicmM2SjgKLS0tIGkra2kybjRORmlzbUFYcG9zSTVU - MzJrSGdPaldlakloeU1HVHFSdWlUWFkKq2oHlI3o7cIb0NEtOu3q5n9t9jYQmQNe - gfUnJ0BxkE43otBEWU7ZqRsVvsXfJYreq1IRNz4KyLEi0/taTe4QyA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-05T09:27:48Z" - mac: ENC[AES256_GCM,data:XXj7KCnNkL0nX3aVz+20aNhOESyfX2O4fKVKyAA0lOwNLHyMb1K0dXyctUVofLd5YvWA2cRFBm33vodlkYeS3wXDhYapeUGI9RJ9CLgFpNS1J6OPureTfW3/a25XSKj7vVnLn9Ng+LVI94MriQlmjg7lCBdat0sBRKEVYktuQEM=,iv:1ptZZ9QjHhhbLn7qp1MDJMlgxrOxzQZqwR64bEM36dg=,tag:25lCi/KmRAUGx8QHRmlohw==,type:str] - pgp: - - created_at: "2025-06-05T09:49:12Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/9ENt3lsKgc/XZJYMGHKhQa/kRJT7y12VfhvySitKBGOtr - 5eGQTwUo/4WXBwUb3fPDGC/4Y9MIVuARQzSgzULLy3HG5ESkx6UpOjz38NA6OQSb - fTB+ljVzLgxk5uxB3q3/TUp3nK3PFPlpHpBf/9oIMgGDdoRBqCJWjGQIDaVb1tba - I8l05XsjKv69a/Qo6OXhrScfU83dh136D5yrX65z53MlaVIbH7K4tKxQVLIBkbS7 - iW4uCZfL0GpG3AAEFQj8KXKbPb5ptAxsE7zNX+wml17o42Vzfu3Mtf5xY0zxpttu - oJYZHTq9MxaEMFKHE34QTARMTFeb8MgA+19Cc0V0rKa6ZoB+jKiwyIN+Hg5wiodD - xMT8dqYPnN7cEqB8mPQPojcra3yE8UAiQppAebLxFUXTFIi7H1ZyYR9DmpHJ7b+j - y2ao79gyzDa79PSE3Z3AITnUw+aVrdo+Fv/8tvjAa3VEtz/vVPmYHL1CuLd1huiC - ZwxWUoEcCOqjMq8vUkVb3MsU9+N/Unq+r+5hCwUPDzKfHhZgiyTR8fQLzyROol57 - +tS8OXeE6nbKYVIjGqIjkj+q22RThtMVRIzbouK+ByfhTbI5j8FMgGWapgrG92CL - e3TTINTKNDNH9wbtDlz2N+ywdMv33RuIjCHifnLIYloivt20YIeJeKphZN5F1tjS - XAG/8Ir5mJsgenNWB5kxR755VO556zu5jSvaBqoAltmPutmN4Uig8zKfT4Li9NfP - OHpqyIcg/DN5Un16BS8dxhmJYuG8PZTIE/gKjnDJlwVntsiaoxde3hO/mo8T - =JIPa - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.10.2 
diff --git a/secrets/sj-srv1/secrets.yaml b/secrets/sj-srv1/secrets.yaml deleted file mode 100644 index 9c563eb..0000000 --- a/secrets/sj-srv1/secrets.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] -passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] -restic-password: ENC[AES256_GCM,data:0cTVlqHCW/xCk7y3ikh0RtVk/5xFOrcrnQmMbIBtfOd7PYbiTUzwBtYXwOaXO4ob7/+KJUEwhl5TzX/Of1J+y7ML7JbpNPtLr8r0gzDYOvBPY5GlmkDGcorz7QTaomuDprJkoD06lJWme/L893u7rxwamF222D2JvGz5FfTuWfaRWb1PcehBkew89gjdAgqFJJwqlX1vwvQDPg6yj+vnk9ZqR/E967bbQeN/G/qGJ9xfVmeuOPYoZH2IrL0Zgif/FLqZWZtlJ1JnRUBXsVN6FZXfT1Q82euLPOpaUHrFJjAF26PuTwVreIjcBLX3wqc8vhAYWfc+RThS3ITwNdNTSA==,iv:KBqME0cqIIX15xPgKi5mBalk01tswj8xVd8rFETX9zU=,tag:V6KltIGVarWXP1R5lY2FAw==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bjVmWnlmMSsvSlR3N1Js - ODhHc0RzRHFxK2xmbkM3ZFYyZHFOMkEzcFdrCnVVRGNIc3lLWUNPL0owUGZSZVpv - UjJOc1V1djRBUHA4cG83OEVWci9EbTgKLS0tIFFnV2srUGJ0UWlYMlJRdkc3citK - VUVuZkZPUW52ZjhBUXVzTmVINUkrL00K2I8yT9TQAHRnHpAVF2BvldPPXXnkzovu - 5E0+aVGLn59/LwUNKzDaEy+WHkpNvRID3fXWYLK1Uyl8YxuqfRrj6A== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQ2JYaXhMcHhmc3F4dnBF - NWl5ditHeTBrcGJFTGUyM3NKUFNza0RYWFJjCkdkNDdTYmV1b3NNOXNWM3NIMGhB - bi9BVGFqOVgyb2F5dDF1bzI0eDh3VkUKLS0tIHZud2pYNzh5K1BhUHdaSU5jNC9S - ay9vd0dGYXpUUWFEbEtTK245UFV2V00KPXPEAhhL54Hz7m3YSk88hZtPm2WUrY7C - k7fC78uLtALlwnORr6aqj/1+sODaLF1ER/UXfYOGCiIcCZu85C46JQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-19T20:25:37Z" - mac: 
ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str] - pgp: - - created_at: "2025-06-05T09:49:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfARAAmxdorYO1KLI5NpkQ8GF744tb7Pa37zTQ84At57905S8p - kBFKZW6OXEVFZaog5qQAGv8c4/hjWhRkFsGRlZlda7dUD/LomUG7bUSpZ2tXsbTp - tKvX0GFaqgehYI1UuRNcN0W54jeUq0+W5fqsOaQEwnt6x5qQSk2C8m63q8x0zRcf - fDGwXtGuChyqjUus7qBnLiacnq+XObPOEP5cE46y1Zgl7HjGkfv7dCWekgs1Aq4T - W6D1Hz/33vrudbwMhvcqqHVyL3JPtTVhNrip3Z+DCh7KGq54PmXzKwyIM4eK5OFA - es1SNhVplkX7NQv6539ifWv1ZYA2RMyOheK421yrRKqPyV9faq7kJ9ShRsGViUye - V7OXdlVIHWAYl1WWmIHJWoZ8v+MI44w31J3wBNlY6QsLpR+6T5t6y7j25p2Af1/Q - Mc7htobx2J4DwRZoVGewLYBRQPIoz4qLbKln/m/igsWqn1K/i6AUzRd91qXGII+v - 2cDNDLG5QspwXS02N143/gvk/9f2PZhONmoDGsdvqsTyhoQ4YAWEqCXtx4kqcBE2 - KptK/Ox5A9Z7+UkhE+5nJz5pDOQfCG8kCk8xp5qqwwttyDm1Y9iD+mhwNPCHoBhp - GI+WjJ9lD6KSx2vdMXUkgzma5y2SSQSxRAF8uscqCYjv6glX8tfET9gBW65jrW3S - XAFHYiaOZIDpI5g4XILPNbLIwyrngd+/sOb4aQa3/M4ztRGs7VuUpsiBjecsnamU - qx6qvkSh73AwE3MGrUbzyyCl06gwh/nYgV97NN+PXTkFtd0kr65VfX1W2RrJ - =n6yr - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/secrets/sj-vps-htz0/secrets.yaml b/secrets/sj-vps-htz0/secrets.yaml deleted file mode 100644 index a3d5191..0000000 --- a/secrets/sj-vps-htz0/secrets.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] -passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] -wg0-private: ENC[AES256_GCM,data:hiUUUhQ/hi6d51Wgwb0gZ5lBB5TS9+F8gVEGrRUqLauKjGZujyqjZIFix7E=,iv:ISb5cqkOE0UyQqlQCeclyMBof037XF1+7zDFslKStr0=,tag:Ox0S+YOkfXpFCSbNrdSrxQ==,type:str] -wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6cF2DBJig4xYo=,iv:ifaQVHQyoYqcr6a4kJ1Kvd4QBDLT5xNyr75GuogBv5g=,tag:Tl9HpsJ5+LaV81LiLcThkg==,type:str] -wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str] -wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjTjc1QUtRSWRwaGdOdE83 - WWxsVWpWMXZ2cjZ0RzBiMUVSUVp2dmRKb0c0ClRURUZmWXdHdkR3eVF0Y1ZqYWFR - b253TVhRQSswZGVCSjZoNFVldGhPaFkKLS0tIFJRcno4V0RNSlNoUFc4TzRpL2pG - eEpxZXdNTVBxd1FETWlxdGpZQ3BRdU0KJqQLuwyf8V7bPDLMvuryFrYTZoCmxUlR - mzvYKGQTFNaTcY8fvsSiYxTxXx+WXMLXtz0o2y5fX/1Rz4AW7hW0yg== - -----END AGE ENCRYPTED FILE----- - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBURk5aMnE4THNVVW0rSVRC - Z09lbUdzeHZlOEdmYUE3Qy9BckVNUGc2Sng0CnZRM3VTRXdKbXBDQlBxenFXa1FB - 
SXBwK0pvQjg5Z1R4djU1NjE5dUI1VEkKLS0tIFV1U2FpWGFFYk9pcVFFTHdrMzdM - RDM0OEFIUWh4SU5LRzJRSUlwcm5BeU0KA2RW/rYniJbIqRRiQfzE+ZZp+DgNODDg - +5xYpgegsBoBwcIkFemYwVXxKy4pzF57FR3oaf/0Gi1imXiKSAPdVg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-13T17:03:01Z" - mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] - pgp: - - created_at: "2025-06-05T09:49:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfARAApmxc/Ubnhh5F2uwxquqpWb/BBH57dS6+qZJ9KdGMcR86 - engG3qbFHZWK2yzCKXh9Sqs7o2Tw80HWSjzgI1+r7YBp6e0FNwaIRCsuxOzlNtKT - M8yVrtkRxoDJ2OnfaarKubpzGR69Zt9Zcvw3Zy8xDyuoDgAuh09q3n3ctVYeAkuV - E6xNSwAv9kPuOGUvjh+XAfB5ZUpOymmOBfKPoT1mdgZ0Q8Ye3oH27oGjfSfyMavB - BKJn8dQXDvTo/mX+7o7e7TPt9NstLoxmMctaE3MIyBX07nunFrdCSooODY7GqV6X - 5q0IyLI5Sy+hqetWRhLZxeF9nyxRhd3FohII8osf/l9WeqPZ6R5BcDJpsHmlOOEl - EOea4gRPWY8x0jJ3jZ6cVyVNINg8TOe2d5BIE6+INaoT2VpVowIPOI91i/0xNVuq - lWrzYJyDxk/7e4XId3GlM/SuEpjnL5cPQMmQRKqZ1lykwhF0ADQZgqzKp28sW1L3 - baq4hk1Gi19SRqaR2FnCioc7Ybxi6VJ6fesLGGGDvK8RAVCY+J1c1q6nUqazEqj2 - S2288c+mLpMyGlPHIaI3Qdyg8Fb27054EzGve2u/MmQpATAMj9hny65qVqcIsx7K - LQHBbdweDyHOZylO5ApGE9uf+0Q2zZjtX2LXN2S9wc8o2KMOfFYHkNEVjwqD4bLS - XAED066xz2GnHM1VdzaXPDw5Jokpp9wma2j9KxeOy0jOW+HNpO2bth3vhTsUwAcj - Dlq1UbIyf+4+My0LKopdCW5SJ8lhyysk4dMISu3m8XP0PVgJY7PzSC8/haty - =ykfJ - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/secrets/steveej-x13s/mycelium_priv_key.bin.enc b/secrets/steveej-x13s/mycelium_priv_key.bin.enc deleted file mode 100644 index d3ad822..0000000 --- a/secrets/steveej-x13s/mycelium_priv_key.bin.enc +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:ILo+B9hfSEOaNleohfdc+RlzFHOu5y0kS9Ocys5KBKQ=,iv:GNzGem+eBseA99FoFHRSDQbnpo0RS6lRRR6oLV5xajE=,tag:FmBrSBT1qQ+jXhUlAjCRSg==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBocVpZSUxWK25CaC9PYVJY\nK1U2TXo1TWJlRDhJZTI4ZFRLeHE5ODNMZndJCmpmT0p3b294bWs5UE44ZG45TXdD\nbzM1V3ByQkxIQWFacTgwaWozRkZFaHcKLS0tIG90VXdaSXF6NjBnSHEzdTd4d0M1\nTnpiYkNjVTlKQjFKQ1hNYVBIbUp2a0kKsneBNjaJjULUgZ+E5wiPvtpBR22tCtAy\notjS/WOiOvslYRT7H/N6I11rvlTnwZi/orBcMmE18GEfNVRzLUTReA==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MDl1cmt0eTQzNm96M2Z3\nQnNNeGpITzJOb0t5QS9DMGZNNHJ4YmZZV2pvCkhESmMvTndnS3ZoWHIwRnlXdStQ\nNUlsMnRnMmlWNW51Lzk3L3d4SmNDR0UKLS0tIDU0VXdxK3ptQ3JSdUdPS3g1M09r\nQVFrTXFkUSs5MFluVHlmbVpOQWlDYXcKFXtj/r11QoHMDbELo9oHVxwGDneZ2cyz\nQBLMhlZWX5uMqgLes5tLXW1r5xondqbGblEWYMcjj0lzZq+Jml9DoA==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2024-04-19T19:07:46Z", - "mac": "ENC[AES256_GCM,data:e6xOIt73MDaMOnP3d2G/xqjwozdvdkxNkso4ry3Wj5UELoSKtjOXn0oWA1KIApQM72rcytyAMuvuF8nIRzOsU+RjCxyoyFxK+x1ljvXcjJF/mrB8+27QEIKMFbCRYDtDtiax0MnVkW3a4zqAz9ETd2hlBRS2DcVXvgV8GVRZL4o=,iv:jd5Mwf+IUrm5vbHftImsB7iX3AP8O61/2kEf2BpOFRQ=,tag:aXmSU8qPGTKRmzddVz6s8w==,type:str]", - "pgp": [ - { - "created_at": "2025-06-05T09:49:11Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ//QX8Tebm/qWToFViEiMlleF3Xqp5xno3NkrJSc5Bc4MF7\nG/qeh6cEii+m+SzQW+M8S0YDQmxqL9ddJqmrNmFBSMauqBjX99G/7COgCsQwtjYu\n2G/dclkBAE/jrdsw1uEnGQwIWxKcTPFx2x7qCDtXKIvikLbbclyBuo14+lp8SmW/\nTA8hBtisngwz8gH23zgly8NEZBRo8m/szjsiNd2NAujPni3pFQe/9NQgwH63oLkO\nbVlg3yRhaNJdB4e/rzBjMysEXW8vNakfpmw+SfP49aRBHAlj7keMajjBllKO0CRe\nLeqQsU+WogbCUjvPdrazeW8Nv1fN5iz/wXX6ZjI+EqyEywODKDquO9+HipyJcvs4\nlqH5TgkFh1M1eTD8M/Al2511gLKrt0pAbx3x8ldOVZyKd06NAakKXvVVEdDkiSeQ\nSSFvko9aG+qf87iC3gIt+L9KpA8WsA66f8gIP3wQgcr0CqPxZe/zVn6OE2V5vKc6\noIGZ9kwdVW3EB9EKEoYghG8F/32nhOIZ0MUfefJo4BQ9paqUSbcfAqb5QfnRWEZl\nVRSPXqTLNErZp8V1NWmS/ycoz54EaJsHDHKjpmoKo0G07wOb4jxefs9S+mQNVBu7\nX0jnEDjCtWGFiFAXyZ+FVh2mRuRRP6AlrvaPxDbT4v2SNljL4A2r1QEuChxDPyjS\nXAH90Blsv0wX6whS26rXosFNxisgR08NDpbaIzEjTtJKVidfOHWjZyXcuSzUeL9E\ni0zzTY1hR5bc+86KDljO7+AvoEguibUbQiItjECltYs4t2+97pmjqyZnMCX3\n=fYod\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.8.1" - } -} diff --git a/secrets/steveej-x13s/secrets.yaml b/secrets/steveej-x13s/secrets.yaml deleted file mode 100644 index c7566c5..0000000 --- a/secrets/steveej-x13s/secrets.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -builder-private-key: ENC[AES256_GCM,data:KG5V86SDVM5LfFPZI5rjKGvYwqLZInEqpwdIJPAiF7fMdG3rTq3JgNJCQr0eOhfmLwT3KEN2Fv0mHZS4smMGdh0WCkza8CzRn/KFY8gqEWxxdff1Wqj7+2/5lSI8I7Qp2EW+eaAgU53PPOh/M3Cgm/Rraw2ARmIJNIgtuJC8ZeZlsh3sl0tacF9rgSrP8p4xAH3C/QUs1HW+10eL9F3STtAV+ZBruU68lNmCdiyqKjg3O3qdRFsjdGWAwHNHL42cEm3il4PofyS5fDDF4otQktZa5n8832ukF5Aj6RNgJwubrsxB9+1M9s7hD1UQyKo6oQKJr1GXNK+IPyXAvdxckZ8INhsxP4c4v8GzR0zJK4MfESx0r67ciGLOcYulNBDOMSbD57oW+wRvCI2eZlpB3ugBcUm/rsQbgFVEX8q6jD8WipJ+Q3hz1zWq45s66XooFmnwc2nBhT6cRmtGzTJCcDpiovgj5tKXSXrWfwYO7tWr7lYg8T4zhfplZBtQOaqTUrAOhW7IRT5Lo/310cMRcp1h44TSnpWXZN7l,iv:DOUijPr4wHmjNIniF2IRjinXZ6iyg8Z1Nt5EgFfX5Zw=,tag:VWxHpfpyphtu6XLR1yKugg==,type:str] -sops: - age: - - recipient: age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMHdBc2dlNHNMRGNMVjQx - aEk0eFpEZVppMHpCQTJsM0JDNGJIOXdXODNrCmhqTnFCNTM3QWZjQm40YzVTS2pB - V29VY2RhcmN1RGR6bEhVU2FmakVFWUkKLS0tIG1GbENQdWF1S2pHWWtRZnRLL1dC - bXJGVTB1WmRJMVd4TFdtcXZxWnJTVHMKeLAbvyypDNUddigWYxmLSaqBK4jNpQyo - oGX/UnFchExIYIqsuasHEUbUsTOJmMj6JJYIb4reSNCUKfLpF81ONg== - -----END AGE ENCRYPTED FILE----- - - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwbEM3UDV5WU14RE1wZW5x - NFJDbklaeFNjem1oN3Znc3hVVG9PMEJPemlJCjY2aDFiS1d1bzIvSUFJOW42ZnRj - L3o5Tkx6TVFLRldMQzM3TXlJRnhYR3cKLS0tIFZPckwwZ3RXY0w2NXVSK1NMamJB - MFM1dUY2cWFWc3pJNlhNekovUEgwTG8K7XAKzsKqoUinTiGX9zgRtkLo8OD2WPfx - /jH6IECHhOjMLWOowEzyCcUd1Tmi44FzBytVRYUGfxlLESQmEydHzg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-01T16:50:35Z" - mac: 
ENC[AES256_GCM,data:wDnv7wZLks2EME+JqlBtagVaDZEo9ap3d6xFfnBy2/D4wrJhhYlo8vOYM8GFXEhfa0Jek+9ZlkmXYerLNWLMiUMKWIvk0cvHjxBaR2wcxt9FnynPT9W9hSX7UFhM/eTiJviksOESTI7pqNh9X7ggLSZ0c+O5mBxxEh/bcjz8vIU=,iv:vgvmyvUkZBapCpRbPU3cDgmHsc5NwHzCsMzjHvr/Xc0=,tag:FMI0YrwdCPIFe8tnLQr69w==,type:str] - pgp: - - created_at: "2025-06-05T09:49:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw+OdhfgD3wfAQ/9HkWJKy3V5aXqDRgS9O6vFq/AVtCSc5RzBB8SgrKxiSgy - UIGXX6y2k+Iw5sWMwyFanu2Wf+4/36N2HcGlIEDrJG/XvSrBVAteN1dcwYkY1r38 - L8PDrSdP9zBPqnq+R3+Tzp2L0djNA7MYgRD9gm78kRwW7TTSKID5QWhhkQ0X1xuN - mCIeUKVjPQhjJWkV3687QIzyrMGFUwxDz5DbG5lYdAZZXxYmLJpS+Gi88mMfF+bc - ShYLrH6JHYf1zLV0vrHHRUb8C8Nb6eOLX4PKIOC9agMlDdYdi1uH5zSqaxJhWT3j - 7N1APdt2YhODU/P9r+5JtfKML/nAWAlH+ztJy5h5f4uwb0qjlZsEAGEr3VDklC/R - 0Hqos1UQgWPX6KuMTKrtBZbuMg/kvaCjeqYGohhBWdMUOrf0F2uo/z2nUso9mRLF - 0whLeFtMnSdlX2IZG7meyUdD7IVGAbONRLGDAFP7607Bdufn2HXOenXRTebSa4Ei - whaaSVMa7nY57oFIBPW4Itwa6BSslx7PRaZv3ug52m85JZZ++PgBUUcwlz393GTX - Gr3EVKOaZIeeF3BMGApiungfI2sywbcTkUUgX5ULHSuFHNC/zVTOfTeVoTOvScJK - awyceOLGvtl7YuBJTUq2PoSID/RWJ6mj7l88jU3jIXXLmhXMUpCoQl04xJGshtbS - XgFvlmAIic7NjKtNL7lzVm9il+jTe8uqXcxqcgDGNbUdlzPxXfRs3wPoNUW9OOto - Bp8CFmVsnpSy14ss6Rj+qRfvSbZr/R9G/WJXDo5XphPBJJCad8smwGBK2tatwbc= - =O4hn - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/secrets/work-holo/zerotierone.txt b/secrets/work-holo/zerotierone.txt deleted file mode 100644 index 2e5522a..0000000 --- a/secrets/work-holo/zerotierone.txt +++ /dev/null 
@@ -1,26 +0,0 @@
-{
- "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]",
- "sops": {
- "age": [
- {
- "recipient": "age1tkvtkw62xy90xc5xdcq836wgyrwlwmdslh76cete5g98vvvhj34qvwdw0g",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3ZFlVdXhuOW5zZ0FFVS82\nUDM3TVUzUEh5STFMNHlyZGdtNlRManNoOUFjCmxuMERXVUNmdFBxT1F2YUVPa0Ny\ndDBURUZ3dUlVOFF4V3YvMDlHVEZlRU0KLS0tIDRTV0QwL3F4a1VMMnM1TUxPTWIv\nNHVETVZxdTEyM3NrMDN0eDBucVZjTWMKQi66m7gORsxbCUCiIc509a9npsAyExdO\nbHymSiGR9sOsjIse213YL8jmQd+FcUbQ0u5v88IVsNBusOMHLet4kA==\n-----END AGE ENCRYPTED FILE-----\n"
- },
- {
- "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6",
- "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6ZUw1TWR3TVdDQ1hsNWhJ\nek5VVGZYb1NJdk81QmdlZFhwV0w0U0E0aG13CjhTVlIzTWg2K1N1SDhOOGFGdnp4\nSVJHL2tVOE9qNG9jUnkvbFZCVnpDYWcKLS0tIG9wb050NS9wNjhSYnIrVExJNzdP\ncWRCK1JyY01adm1SL25MZjJoVml5VjQKdOgbB+SpvreR6Lc970nIQjBQgCv7ngsl\ndYBnu0TgwgbTPibFaAdV+ndFUy27bbwBvGyPCiuKAZx0T44BZIcSrg==\n-----END AGE ENCRYPTED FILE-----\n"
- }
- ],
- "lastmodified": "2023-07-01T20:19:12Z",
- "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]",
- "pgp": [
- {
- "created_at": "2025-06-05T09:49:11Z",
- "enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAw+OdhfgD3wfAQ/+MEjuddwMdAVWyoXEJJt/YW0sleAVJzvh5XDgg9fQ9nXB\nJaNlt2yWmaa894zh5JYrnkHp17d756lJQz/PgMukUt2xzO5UfjPlZRUaZLRirhpr\nJbv9+A5M52SHuCSG9qH2GYQXzd+5M0CEztMAyX3PMbcW4fNtagnfD54jW4LXt+om\nlIYIHPp5Mpl0/8EdcBMm6HPIKCGm44g7ghENlfPDfDvGH0TQF57hQUyB6h14uU4u\n/ffLgTK8y87tFblaN/Bbv+/3D+PcVNoqblD5fXgXW0LZOnG9BWM6v1tlJ78s0hP+\n81DXuumKNvoxkgsQdZiADMTCC8EDKVwz7mUaCs7j6TOG9t2Nu870mxfuBiIUUwRm\nANnHqgYVLuhgAZnmdrSX1UeN1jaccOTQCsFweyr8/0lL/H+83uRjMLWMNCMtw4Mj\nF17+Tig6lYevF0IXmPvKeyWxuxr2TMBg1Bg7QDfwWpfhT2u3Fqj1W0qQnUNxXHRT\n9mxOEPvxJCE2RkeHFsFQE4vT7cMLoaw9vrWfPKKTJeCir+24QngFmRSS1zxQtkop\nNiNXy4focN4bnZdWirJRsu7z5vLXXbMdWvUQ379DqZy6uepTm5l/gG6h+RciJ9Ux\nKJu+WzLniU092ArWRgcnNnyMvmBmP2iSnpMsLliWwzNLcVxU8F/KByHNbXTCsZ/S\nXAF9rWs6+VmhEqBqtuNWmACdtTjHBQAk+FPTAr/7qIERhCynnh7I3RDssV34HSdH\n7edAn78hfYd+WPpwCMJvrN3puppj7QNhSc9sYSiKgyaGr52DvMVkNu91gkbO\n=FVew\n-----END PGP MESSAGE-----",
- "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B"
- }
- ],
- "unencrypted_suffix": "_unencrypted",
- "version": "3.7.3"
- }
-}
diff --git a/services/home-ch/router-family.lan/Justfile b/services/home-ch/router-family.lan/Justfile
deleted file mode 100644
index c15ed68..0000000
--- a/services/home-ch/router-family.lan/Justfile
+++ /dev/null
@@ -1,12 +0,0 @@
-_run_ssh_cmd cmd:
- ssh root@router-family.lan "{{ cmd }}"
-
-post-setup:
- just -v _run_ssh_cmd "opkg update"
- just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns"
- just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server"
- just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs"
- # multiuser SFTP
- just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server"
- just -v _run_ssh_cmd "opkg install sudo coreutils-readlink"
- just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
diff --git a/services/home-ch/router-family.lan/mlsia.qrcode.png.secret b/services/home-ch/router-family.lan/mlsia.qrcode.png.secret
deleted file mode 100644
index 4c771ef..0000000
Binary files a/services/home-ch/router-family.lan/mlsia.qrcode.png.secret and /dev/null differ
diff --git a/services/home-ch/router-wan.dmz/Justfile b/services/home-ch/router-wan.dmz/Justfile
deleted file mode 100644
index 6f818a8..0000000
--- a/services/home-ch/router-wan.dmz/Justfile
+++ /dev/null
@@ -1,9 +0,0 @@
-_run_ssh_cmd cmd:
- ssh root@router-wan.dmz "{{ cmd }}"
-
-post-setup:
- just -v _run_ssh_cmd "opkg update"
- just -v _run_ssh_cmd "opkg install luci-ssl"
- just -v _run_ssh_cmd "opkg install luci-app-mwan3"
- # multiuser SFTP
- just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
diff --git a/services/home-ch/router-wan.lan/Justfile b/services/home-ch/router-wan.lan/Justfile
new file mode 100644
index 0000000..8792f32
--- /dev/null
+++ b/services/home-ch/router-wan.lan/Justfile
@@ -0,0 +1,9 @@
+_run_ssh_cmd cmd:
+ ssh root@router-wan.lan "{{cmd}}"
+
+post-setup:
+ just -v _run_ssh_cmd "opkg update"
+ just -v _run_ssh_cmd "opkg install luci-ssl"
+ just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server"
+ just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils"
+ just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 0000000..c8557d3
--- /dev/null
+++ b/shell.nix
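Review bot: In the new `router-wan.lan/Justfile`, `_run_ssh_cmd` splices its argument into a double-quoted shell string, `ssh root@router-wan.lan "{{cmd}}"`, so any `$`, backtick or `"` inside `cmd` is expanded by the local shell before ssh sends it and then interpreted a second time by the remote shell. The recipe is only ever called with fixed literals from `post-setup`, so this is a robustness point rather than a live bug, but a single-quoted form survives both hops: `ssh root@router-wan.lan {{ quote(cmd) }}`. The two deleted sibling Justfiles wrote the interpolation as `{{ cmd }}`; the new file drops the inner spaces, which is harmless to just but worth making consistent. A short comment above `_run_ssh_cmd` stating that `cmd` is passed verbatim to the remote root shell would make the contract explicit.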
@@ -0,0 +1,34 @@
+{ ... }:
+
+let
+ channels-nixos-stable-path = (builtins.fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/dbacfa172f9a6399f180bcd0aef7998fdec0d55a.tar.gz);
+ channels-nixos-stable = import channels-nixos-stable-path { overlays = builtins.attrValues (import ./nix/overlays); };
+
+in
+with channels-nixos-stable;
+stdenv.mkDerivation {
+ name = "infra-env";
+ buildInputs = [
+ (with import (channels-nixos-stable-path+"/nixos") { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ])
+ just
+ git-crypt
+ vcsh
+ gnupg
+ git
+
+ vncdo
+ tesseract
+ imagemagick
+
+ esh
+
+ xorg.xwininfo
+ nmap
+ sysstat
+ lshw
+ vim
+ ];
+
+ # Set Environment Variables
+ RUST_BACKTRACE = 1;
+}
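Review bot: `channels-nixos-stable-path` is fetched with the bare-URL form of `builtins.fetchTarball` and no `sha256`, so the tarball that defines this entire shell (and, via `import (channels-nixos-stable-path+"/nixos")`, the nixos-install tooling) is trusted without any integrity check; the commit id in the URL names a revision but does not verify the bytes that arrive. Nix also treats an unhashed fetchTarball as a non-fixed-output fetch, which as far as I recall is re-fetched after the tarball TTL expires rather than being content-addressed, so the same `shell.nix` can silently resolve differently over time. Pinning is a one-line change: `channels-nixos-stable-path = builtins.fetchTarball { url = "https://github.com/NixOS/nixpkgs-channels/archive/dbacfa172f9a6399f180bcd0aef7998fdec0d55a.tar.gz"; sha256 = "<sha256 of the tarball, from nix-prefetch-url --unpack>"; };`. Separately, the nested `with channels-nixos-stable;` / `with import ...;` / `with config.system.build;` chain in `buildInputs` makes it unclear to a reader which scope each name like `just` or `manual.manpages` resolves from; a comment on the `(with import ... )` line naming what is taken from the NixOS build set would help.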