From a825e8eea90e7cf87473d6e8ca29fdcf9983d47b Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 18 Jan 2024 21:06:45 +0000 Subject: [PATCH 01/42] sj-srv1 --- .sops.yaml | 10 +++ flake.nix | 2 +- nix/os/devices/sj-srv1/README.md | 1 + nix/os/devices/sj-srv1/boot.nix | 3 + nix/os/devices/sj-srv1/configuration.nix | 29 ++++++++ nix/os/devices/sj-srv1/default.nix | 28 ++++++++ nix/os/devices/sj-srv1/flake.lock | 83 ++++++++++++++++++++++ nix/os/devices/sj-srv1/flake.nix | 12 ++++ nix/os/devices/sj-srv1/hw.nix | 50 ++++++++++++++ nix/os/devices/sj-srv1/system.nix | 88 ++++++++++++++++++++++++ nix/os/devices/sj-vps-htz0/system.nix | 33 --------- secrets/sj-srv1/secrets.yaml | 41 +++++++++++ 12 files changed, 346 insertions(+), 34 deletions(-) create mode 100644 nix/os/devices/sj-srv1/README.md create mode 100644 nix/os/devices/sj-srv1/boot.nix create mode 100644 nix/os/devices/sj-srv1/configuration.nix create mode 100644 nix/os/devices/sj-srv1/default.nix create mode 100644 nix/os/devices/sj-srv1/flake.lock create mode 100644 nix/os/devices/sj-srv1/flake.nix create mode 100644 nix/os/devices/sj-srv1/hw.nix create mode 100644 nix/os/devices/sj-srv1/system.nix create mode 100644 secrets/sj-srv1/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index eb17a55..7f5c5ec 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -12,6 +12,7 @@ keys: - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 @@ -30,6 +31,7 @@ creation_rules: - *router0-dmz0 - *sj-vps-htz0 + - *sj-srv1 - *sj-bm-hostkey0 - path_regex: ^secrets/steveej-t14/.+$ key_groups: 
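Review bot: The new `&sj-srv1` anchor in the `keys:` hunk carries the same age public key as `&sj-vps-htz0` (`age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv`), so to sops the two hosts are one identity: everything under the new `^secrets/sj-srv1/.+$` rule is decryptable by sj-vps-htz0 and vice versa, and the extra anchor adds no separation. If sj-srv1 is a distinct machine, generate its own host age key, use it here and in every `age:` list this commit extends, and re-key the affected files with `sops updatekeys`. The new secrets/sj-srv1/secrets.yaml is encrypted to that same recipient and carries `lastmodified: "2023-08-13T17:03:01Z"`, months before this commit, which suggests it was copied from another host's file; if the `wg0-private` entry came along with the copy it should be regenerated rather than shared between hosts.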
@@ -43,12 +45,14 @@ creation_rules: - *steveej age: - *sj-vps-htz0 + - *sj-srv1 - path_regex: ^nix/os/containers/.+_secrets.+$ key_groups: - pgp: - *steveej age: - *sj-vps-htz0 + - *sj-srv1 - path_regex: ^secrets/holochain-infra/.+$ key_groups: - pgp: @@ -67,6 +71,12 @@ creation_rules: - *steveej age: - *sj-vps-htz0 + - path_regex: ^secrets/sj-srv1/.+$ + key_groups: + - pgp: + - *steveej + age: + - *sj-srv1 - path_regex: ^secrets/sj-bm-hostkey0/.+$ key_groups: - pgp: diff --git a/flake.nix b/flake.nix index 9400ed8..ba852b7 100644 --- a/flake.nix +++ b/flake.nix @@ -115,7 +115,7 @@ # "srv0-dmz0" # # "router0-dmz0" - # "sj-vps-htz0" + "sj-srv1" "sj-bm-hostkey0" # "retro" diff --git a/nix/os/devices/sj-srv1/README.md b/nix/os/devices/sj-srv1/README.md new file mode 100644 index 0000000..394da55 --- /dev/null +++ b/nix/os/devices/sj-srv1/README.md @@ -0,0 +1 @@ +## bootstrapping diff --git a/nix/os/devices/sj-srv1/boot.nix b/nix/os/devices/sj-srv1/boot.nix new file mode 100644 index 0000000..59a5051 --- /dev/null +++ b/nix/os/devices/sj-srv1/boot.nix @@ -0,0 +1,3 @@ +{lib, ...}: { + boot.extraModulePackages = []; +} diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix new file mode 100644 index 0000000..b734123 --- /dev/null +++ b/nix/os/devices/sj-srv1/configuration.nix @@ -0,0 +1,29 @@ +{ + nodeName, + config, + pkgs, + ... +}: { + disabledModules = []; + imports = [ + ../../profiles/common/configuration.nix + { + users.commonUsers = { + enable = true; + enableNonRoot = true; + rootPasswordFile = config.sops.secrets.passwords-root.path; + }; + + sops.secrets.passwords-root = { + sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + neededForUsers = true; + format = "yaml"; + }; + } + ../../modules/opinionatedDisk.nix + + ./system.nix + ./hw.nix + ./boot.nix + ]; +} diff --git a/nix/os/devices/sj-srv1/default.nix b/nix/os/devices/sj-srv1/default.nix new file mode 100644 index 0000000..94458cb --- /dev/null 
+++ b/nix/os/devices/sj-srv1/default.nix
@@ -0,0 +1,28 @@
+{
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}: let
+ system = "x86_64-linux";
+in {
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit repoFlake nodeName nodeFlake;
+ packages' = repoFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
+ inherit system;
+ };
+
+ ${nodeName} = {
+ deployment.targetHost = "${nodeName}.dmz.internal";
+ deployment.replaceUnknownProfiles = false;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+ };
+}
diff --git a/nix/os/devices/sj-srv1/flake.lock b/nix/os/devices/sj-srv1/flake.lock
new file mode 100644
index 0000000..56c2d36
--- /dev/null
+++ b/nix/os/devices/sj-srv1/flake.lock
@@ -0,0 +1,83 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700392168, + "narHash": "sha256-v5LprEFx3u4+1vmds9K0/i7sHjT0IYGs7u9v54iz/OA=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "28535c3a34d79071f2ccb68671971ce0c0984d7e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1700501263, + "narHash": "sha256-M0U063Ba2DKL4lMYI7XW13Rsk5tfUXnIYiAVa39AV/0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "f741f8a839912e272d7e87ccf4b9dbc6012cdaf9", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1700758842, + "narHash": "sha256-WNpG3F/0dktkYbG6O8Put9GtBw4C4vb1KwtIibfXYEE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "359d577687ea3eb033590cf1259f0355e30b9c6f", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1700641131, + "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "nixpkgs-master": "nixpkgs-master", + "nixpkgs-unstable": "nixpkgs-unstable" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix new file mode 100644 index 0000000..c315b8e --- /dev/null +++ b/nix/os/devices/sj-srv1/flake.nix 
@@ -0,0 +1,12 @@
+{
+ inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+ inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
+ inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
+
+ inputs.home-manager = {
+ url = "github:nix-community/home-manager/release-23.05";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = _: {};
+}
diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix
new file mode 100644
index 0000000..226275c
--- /dev/null
+++ b/nix/os/devices/sj-srv1/hw.nix
@@ -0,0 +1,50 @@
+{...}: let
+ stage1Modules = [
+ "virtio_balloon"
+ "virtio_scsi"
+ "virtio_net"
+ "virtio_pci"
+ "virtio_ring"
+ "virtio"
+ "scsi_mod"
+
+ "virtio_blk"
+ "virtio_ring"
+ "ata_piix"
+ "pata_acpi"
+ "ata_generic"
+
+ "aesni_intel"
+ "kvm_amd"
+ "nvme"
+ "nvme_core"
+
+ "thunderbolt"
+ "e1000e"
+
+ "usbcore"
+ "xhci_hcd"
+ "usbnet"
+ "snd_usb_audio"
+ "usbhid"
+ "snd_usbmidi_lib"
+ "cdc_mbim"
+ "cdc_ncm"
+ "usb_storage"
+ "cdc_wdm"
+ "uvcvideo"
+ "btusb"
+ "xhci_pci"
+ "cdc_ether"
+ "uas"
+ ];
+in {
+ hardware.opinionatedDisk = {
+ enable = true;
+ encrypted = false;
+ diskId = "virtio-virtio-paeNi8Fof9Oe";
+ earlyDiskIdOverride = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN";
+ };
+
+ boot.initrd.kernelModules = stage1Modules;
+}
diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix
new file mode 100644
index 0000000..cd68496
--- /dev/null
+++ b/nix/os/devices/sj-srv1/system.nix
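Review bot: `encrypted = false;` in `hardware.opinionatedDisk` disables the module's disk encryption, while configuration.nix and secrets/sj-srv1/secrets.yaml show this host decrypting a root password hash and WireGuard keys through sops; whatever key unlocks those (presumably the host's age/SSH key — verify which) therefore rests in cleartext on disk. If that is an accepted trade-off for a VM without a remote-unlock path, record it, e.g. `encrypted = false; # VM without remote unlock; host key at rest is unprotected — accepted`. Separately, `stage1Modules` pulls desktop/USB drivers (`snd_usb_audio`, `uvcvideo`, `btusb`, `cdc_*`) into the initrd of what `diskId` identifies as a virtio guest; unless the `earlyDiskIdOverride` SSD is really passed through, trimming the list to the virtio/ata/nvme entries shrinks the initrd and its attack surface.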
@@ -0,0 +1,88 @@
+{ pkgs
+, lib
+, config
+, repoFlake
+, nodeName
+, ...
+}:
+
+{
+ imports = [
+ ../../snippets/systemd-resolved.nix
+ ];
+
+ networking.firewall.enable = true;
+ networking.nftables.enable = true;
+
+ networking.firewall.allowedTCPPorts = [
+ # iperf3
+ 5201
+ ];
+
+ networking.firewall.logRefusedConnections = false;
+
+ networking.usePredictableInterfaceNames = false;
+
+ networking.useNetworkd = true;
+ networking.useDHCP = true;
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "ve-*" ];
+ externalInterface = "eth0";
+ };
+
+ # virtualization
+ virtualisation = { docker.enable = false; };
+
+ nix.gc = { automatic = true; };
+
+ containers = {
+ mailserver = import ../../containers/mailserver.nix {
+ inherit repoFlake;
+
+ autoStart = true;
+
+ hostAddress = "192.168.100.10";
+ localAddress = "192.168.100.11";
+
+ imapsPort = 993;
+ sievePort = 4190;
+ };
+
+ webserver =
+ import ../../containers/webserver.nix
+ {
+ inherit repoFlake;
+
+ autoStart = true;
+
+ hostAddress = "192.168.100.12";
+ localAddress = "192.168.100.13";
+
+ httpPort = 80;
+ httpsPort = 443;
+ };
+
+ syncthing = import ../../containers/syncthing.nix {
+ autoStart = true;
+
+ hostAddress = "192.168.100.14";
+ localAddress = "192.168.100.15";
+
+ syncthingPort = 22000;
+ };
+ };
+
+ home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
+ inherit pkgs;
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
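Review bot: `networking.firewall.allowedTCPPorts = [ 5201 ]` leaves the iperf3 port open permanently, and once the router's new `dnat ip to sj-srv1.dmz.internal` rule (patch 02) forwards unsolicited WAN traffic to this host, that diagnostic listener is reachable from the internet whenever iperf3 is running. Unless a standing measurement endpoint is wanted, drop the entry and open the port ad hoc, or restrict it to local sources; at minimum the comment should say why it stays, e.g. `# iperf3 — intentionally reachable from WAN for link tests`. `networking.firewall.logRefusedConnections = false` on the same exposed host removes the only local record of the probes the router passes through, so consider keeping it on here and rate-limiting the log at the router instead. `system.stateVersion = "22.11"` in a freshly created file with 23.05 inputs looks copied from an older host (sj-vps-htz0's containers move here in this commit); if this machine's state was not migrated from there, the value should be the release of its first install.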
diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix index 0657935..43eca83 100644 --- a/nix/os/devices/sj-vps-htz0/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -95,40 +95,7 @@ in nix.gc = { automatic = true; }; containers = { - mailserver = import ../../containers/mailserver.nix { - inherit repoFlake; - autoStart = true; - - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.11"; - - imapsPort = 993; - sievePort = 4190; - }; - - webserver = - import ../../containers/webserver.nix - { - inherit repoFlake; - - autoStart = true; - - hostAddress = "192.168.100.12"; - localAddress = "192.168.100.13"; - - httpPort = 80; - httpsPort = 443; - }; - - syncthing = import ../../containers/syncthing.nix { - autoStart = true; - - hostAddress = "192.168.100.14"; - localAddress = "192.168.100.15"; - - syncthingPort = 22000; - }; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { diff --git a/secrets/sj-srv1/secrets.yaml b/secrets/sj-srv1/secrets.yaml new file mode 100644 index 0000000..5eba76e --- /dev/null +++ b/secrets/sj-srv1/secrets.yaml 
@@ -0,0 +1,41 @@ +#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] +passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] +wg0-private: ENC[AES256_GCM,data:hiUUUhQ/hi6d51Wgwb0gZ5lBB5TS9+F8gVEGrRUqLauKjGZujyqjZIFix7E=,iv:ISb5cqkOE0UyQqlQCeclyMBof037XF1+7zDFslKStr0=,tag:Ox0S+YOkfXpFCSbNrdSrxQ==,type:str] +wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6cF2DBJig4xYo=,iv:ifaQVHQyoYqcr6a4kJ1Kvd4QBDLT5xNyr75GuogBv5g=,tag:Tl9HpsJ5+LaV81LiLcThkg==,type:str] +wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str] +wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v + ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL + dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 + czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 + iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-13T17:03:01Z" + mac: 
ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] + pgp: + - created_at: "2023-08-11T16:31:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n + TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 + R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ + JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP + kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy + 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT + eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 + C5Jot9exml6467YZkApBm0eM + =HulH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 From a7e2bc2c3bfdaf5eaa8b5b6883994a5f42906232 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 18 Jan 2024 23:35:54 +0100 Subject: [PATCH 02/42] router0-dmz0: lots of formattign and exposed host fixes --- nix/os/devices/router0-dmz0/configuration.nix | 911 +++++++++--------- nix/os/devices/steveej-t14/hw.nix | 41 +- 2 files changed, 491 insertions(+), 461 deletions(-) diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 75ca38f..434e3a7 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix @@ -1,14 +1,14 @@ -{ - repoFlake, - pkgs, - lib, - config, - nodeFlake, - nodeName, - localDomainName, - system, - ... -}: let +{ repoFlake +, pkgs +, lib +, config +, nodeFlake +, nodeName +, localDomainName +, system +, ... +}: +let inherit (nodeFlake.inputs) bpir3 
@@ -16,21 +16,22 @@ ; vlanRangeStart = builtins.head vlanRange; - vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange)-1); + vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); vlanRangeWith0 = [ 0 ] ++ vlanRange; - mkVlanIpv4HostAddr = { vlanid, host, thirdIpv4SegmentMin ? 20, cidr ? true }: let - # reserve the first subnet for vlanid == 0 - # number the other subnets continously from there - offset = - if vlanid == 0 - then thirdIpv4SegmentMin - else thirdIpv4SegmentMin + 1 - vlanRangeStart; + mkVlanIpv4HostAddr = { vlanid, host, thirdIpv4SegmentMin ? 20, cidr ? true }: + let + # reserve the first subnet for vlanid == 0 + # number the other subnets continously from there + offset = + if vlanid == 0 + then thirdIpv4SegmentMin + else thirdIpv4SegmentMin + 1 - vlanRangeStart; - in + in builtins.concatStringsSep "." - [ "192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}" ]; + [ "192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}" ]; defaultVlan = { name = "${localDomainName}"; @@ -57,11 +58,13 @@ "15".packet_priority = -10; }; - vlansByName = lib.attrsets.mapAttrs' (vlanid': attrs: - lib.attrsets.nameValuePair - attrs.name - (attrs // { id = lib.strings.toInt vlanid'; id' = vlanid';}) - ) vlans; + vlansByName = lib.attrsets.mapAttrs' + (vlanid': attrs: + lib.attrsets.nameValuePair + attrs.name + (attrs // { id = lib.strings.toInt vlanid'; id' = vlanid'; }) + ) + vlans; getVlanDomain = { vlanid }: if vlanid == 0 
@@ -69,15 +72,18 @@ defaultVlan.name else vlans."${toString vlanid}".name + "." + defaultVlan.name - ; + ; bridgeInterfaceName = "br-lan"; mkInterfaceName = { vlanid }: if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}" - ; -in { + ; + + exposedHost = "sj-srv1.dmz.internal"; +in +{ imports = [ repoFlake.inputs.sops-nix.nixosModules.sops 
@@ -174,132 +180,146 @@ in { # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) nftables = - { - enable = true; - stopRuleset = ""; - - chains = { - prerouting = { - "redirectweb" = { - after = ["hook"]; - rules = let - wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; - exposedHost = "srv0-dmz0.dmz.internal"; - in [ - "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" - # TODO: if this hostname doesn't resolve it'll break the whole ruleset - # "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}" - ]; - }; - }; - }; - - firewall = { + { enable = true; - zones = { - lan.interfaces = [ (mkInterfaceName {vlanid = 0;}) ]; - vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; - # lan.ipv4Addresses = ["192.168.0.0/16"]; - wan.interfaces = ["wan" "lan0"]; - } // - # generate a zone for each vlan - lib.attrsets.mapAttrs (key: value: { - interfaces = [ (mkInterfaceName { vlanid = value.id; }) ]; - }) - vlansByName - ; - rules = let - ipv6IcmpTypes = [ - "destination-unreachable" "echo-reply" "echo-request" - "packet-too-big" "parameter-problem" "time-exceeded" + stopRuleset = ""; - # Without the nd-* ones ipv6 will not work. 
- "nd-neighbor-solicit" "nd-router-advert" "nd-neighbor-advert" - ]; - ipv4IcmpTypes = [ - "destination-unreachable" "echo-reply" "echo-request" "source-quench" "time-exceeded" - "router-advertisement" - ]; - allowIcmpLines = [ - "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" - "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" - ]; - in { - fw = { - from = ["fw"]; - verdict = "accept"; - }; - - office-to-dmz = { - from = ["office"]; - to = ["dmz"]; - verdict = "accept"; - }; - - lan-to-fw = { - from = ["lan"]; - to = ["fw" "lan"]; - verdict = "accept"; - }; - - lan-to-wan = { - from = ["lan"]; - to = ["wan"]; - verdict = "accept"; - }; - - vlan-to-wan = { - from = ["vlan"]; - to = ["wan"]; - verdict = "accept"; - }; - - vlan-to-fw = { - allowedUDPPortRanges = [ - { from = 67; to = 68; } - { from = 53; to = 53; } - ]; - allowedTCPPortRanges = [ - { from = 22; to = 22; } - { from = 53; to = 53; } - { from = 5201; to = 5201; } - ]; - from = ["vlan"]; - to = ["fw"]; - extraLines = allowIcmpLines ++ [ - "drop" - ]; - }; - - to-wan-nat = { - from = ["lan" "vlan"]; - to = ["wan"]; - masquerade = true; - verdict = "accept"; - }; - - wan-to-dmz = { - from = ["wan"]; - to = ["dmz"]; - verdict = "accept"; - }; - - wan-to-fw = { - from = ["wan"]; - to = ["fw"]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - ]; - extraLines = allowIcmpLines ++ [ - "drop" - ]; + chains = { + prerouting = { + "exposeHost" = { + after = [ "hook" ]; + rules = + let + wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; + in + # TODO: if this hostname doesn't resolve it'll break the whole ruleset + [ + "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" + "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}" + ]; + }; }; }; + + firewall = { + enable = true; + zones = { + lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; + 
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; + # lan.ipv4Addresses = ["192.168.0.0/16"]; + wan.interfaces = [ "wan" "lan0" ]; + } // + # generate a zone for each vlan + lib.attrsets.mapAttrs + (key: value: { + interfaces = [ (mkInterfaceName { vlanid = value.id; }) ]; + }) + vlansByName + ; + rules = + let + ipv6IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "packet-too-big" + "parameter-problem" + "time-exceeded" + + # Without the nd-* ones ipv6 will not work. + "nd-neighbor-solicit" + "nd-router-advert" + "nd-neighbor-advert" + ]; + ipv4IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "source-quench" + "time-exceeded" + "router-advertisement" + ]; + allowIcmpLines = [ + "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" + "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" + ]; + in + { + fw = { + from = [ "fw" ]; + verdict = "accept"; + }; + + office-to-dmz = { + from = [ "office" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + lan-to-fw = { + from = [ "lan" ]; + to = [ "fw" "lan" ]; + verdict = "accept"; + }; + + lan-to-wan = { + from = [ "lan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; + + vlan-to-wan = { + from = [ "vlan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; + + vlan-to-fw = { + allowedUDPPortRanges = [ + { from = 67; to = 68; } + { from = 53; to = 53; } + ]; + allowedTCPPortRanges = [ + { from = 22; to = 22; } + { from = 53; to = 53; } + { from = 5201; to = 5201; } + ]; + from = [ "vlan" ]; + to = [ "fw" ]; + extraLines = allowIcmpLines ++ [ + "drop" + ]; + }; + + to-wan-nat = { + from = [ "lan" "vlan" ]; + to = [ "wan" ]; + masquerade = true; + verdict = "accept"; + }; + + wan-to-dmz = { + from = [ "wan" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + wan-to-fw = { + from = [ "wan" ]; + to = [ "fw" ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } 
+ ]; + extraLines = allowIcmpLines ++ [ + "drop" + ]; + }; + }; + }; }; - }; }; systemd.network = { @@ -322,10 +342,10 @@ in { }; } - # generate the vlan devices. these will be tagged on the main bridge - // builtins.foldl' + # generate the vlan devices. these will be tagged on the main bridge + // builtins.foldl' (acc: cur: acc // cur) - {} + { } (builtins.map ({ vlanid, vlanid' }: { "20-${mkInterfaceName { inherit vlanid; }}" = { @@ -433,9 +453,9 @@ in { # Configure the bridge for its desired function "40-${bridgeInterfaceName}" = { matchConfig.Name = bridgeInterfaceName; - bridgeConfig = {}; + bridgeConfig = { }; address = [ - (mkVlanIpv4HostAddr { vlanid = 0; host = 1;}) + (mkVlanIpv4HostAddr { vlanid = 0; host = 1; }) ]; networkConfig = { ConfigureWithoutCarrier = true; 
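Review bot: The `exposeHost` chain's second rule, `iifname { ${wanInterfaces} } dnat ip to ${exposedHost}`, has no protocol or port match, so every inbound IPv4 WAN packet not caught by the port-220 redirect is forwarded to sj-srv1, and the `wan-to-dmz` rule below then accepts it unconditionally — the exposed host's own firewall becomes the sole control. If only the services defined in nix/os/devices/sj-srv1/system.nix need to be reachable, qualify the rule, e.g. `"iifname { ${wanInterfaces} } tcp dport { 80, 443, 993, 4190, 22000 } dnat ip to ${exposedHost}"`, or state in a comment that whole-host exposure is intended. The TODO kept above the list still holds: the name is resolved when nft loads the ruleset and, as the TODO says, a lookup failure breaks the whole ruleset, so a boot or reload without working DNS risks leaving the router without its firewall (how a failed load interacts with `stopRuleset = ""` should be confirmed); pinning `exposedHost` to a static address removes that dependency. Note also that `dnat ip` rewrites IPv4 only, which is fine if intended but worth recording next to the rule.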
@@ -466,72 +486,73 @@ in { # * vlan config for wlan interface // builtins.foldl' - (acc: cur: acc // cur) - {} - (builtins.map ({ vlanid, vlanid' }: { - # configure the tagged vlan device with an address and vlan filtering. - # dnsmasq is configured to serve the respective /24 range on each tagged device. - # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. - "41-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; - address = [ - (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; + (acc: cur: acc // cur) + { } + (builtins.map + ({ vlanid, vlanid' }: { + # configure the tagged vlan device with an address and vlan filtering. + # dnsmasq is configured to serve the respective /24 range on each tagged device. + # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. 
+ "41-${mkInterfaceName { inherit vlanid; }}" = { + matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; + address = [ + (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; }; - } - ]; - }; - # configure the wlan interface as a bridge member that - # * only gets traffic for vid 15 - # * untags traffic after receiving it - # * tags traffic that comes out of it - "41-wlan0.${vlanid'}" = { - matchConfig.Name = "wlan0.${vlanid'}"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; - linkConfig.RequiredForOnline = "no"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; + }; + } + ]; + }; - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; - PVID = vlanid; - EgressUntagged = vlanid; + # configure the wlan interface as a bridge member that + # * only gets traffic for vid 15 + # * untags traffic after receiving it + # * tags traffic that comes out of it + "41-wlan0.${vlanid'}" = { + matchConfig.Name = "wlan0.${vlanid'}"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; }; - } - ]; - }; - "50-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; - address = [ - (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; - }; - linkConfig.RequiredForOnline = "no"; - }; - }) - (builtins.map - (vlanid: { inherit vlanid; vlanid' = builtins.toString vlanid; }) - vlanRange - )) + linkConfig.RequiredForOnline = "no"; + + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; + PVID = vlanid; + EgressUntagged = vlanid; + }; + } + ]; + }; + + "50-${mkInterfaceName { inherit vlanid; }}" = { + matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; + address = [ + (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) + ]; + 
networkConfig = { + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "no"; + }; + }) + (builtins.map + (vlanid: { inherit vlanid; vlanid' = builtins.toString vlanid; }) + vlanRange + )) ; }; 
@@ -539,240 +560,248 @@ in { services.hostapd = { enable = true; package = nodeFlake.packages.${system}.hostapd_patched; - radios = let - # generated with https://miniwebtool.com/mac-address-generator/ - mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; - in { - wlan0 = { - band = "2g"; - countryCode = "CH"; - channel = 0; # ACS + radios = + let + # generated with https://miniwebtool.com/mac-address-generator/ + mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; + in + { + wlan0 = { + band = "2g"; + countryCode = "CH"; + channel = 0; # ACS - # use 'iw phy#1 info' to determine your VHT capabilities - wifi4 = { - enable = true; - capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; - }; - networks = { - wlan0 = let - iface = "wlan0"; - in { - ssid = "mlsia"; - bssid = mkBssid 0; + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + capabilities = [ "HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" ]; + }; + networks = { + wlan0 = + let + iface = "wlan0"; + in + { + ssid = "mlsia"; + bssid = mkBssid 0; - # authentication.mode = "wpa3-sae"; - authentication.mode = "wpa3-sae-transition"; + # authentication.mode = "wpa3-sae"; + authentication.mode = "wpa3-sae-transition"; - authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; - authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; + authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; + authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference - settings = { - # bridge = bridgeInterfaceName; + # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference + settings = { + # bridge = bridgeInterfaceName; - # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; - # not yet supported on hostapd 2.10 - # sae_password_file = 
config.sops.secrets.wlan0_saePasswordsFile.path; + # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; + # not yet supported on hostapd 2.10 + # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - # enables debug logging - logger_stdout_level= lib.mkForce 0; - logger_stdout = -1; - # logger_syslog_level= lib.mkForce 0; + # enables debug logging + logger_stdout_level = lib.mkForce 0; + logger_stdout = -1; + # logger_syslog_level= lib.mkForce 0; - # resources on vlan tagging - # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging - # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 + # resources on vlan tagging + # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging + # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - dynamic_vlan = 1; + dynamic_vlan = 1; - # this option currently requires a patch to hostapd - vlan_no_bridge = 1; + # this option currently requires a patch to hostapd + vlan_no_bridge = 1; - /* not used due to the above vlan_no_bridge setting + /* not used due to the above vlan_no_bridge setting vlan_tagged_interface = bridgeInterfaceName; vlan_naming = 1; vlan_bridge = "br-${iface}."; - */ + */ - vlan_file = let - generated = builtins.map (vlanid: - "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" - ) vlanRange - ; + vlan_file = + let + generated = builtins.map + (vlanid: + "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" + ) + vlanRange + ; - wildcard = [ - # Optional wildcard entry matching all VLAN IDs. The first # in the interface - # name will be replaced with the VLAN ID. The network interfaces are created - # (and removed) dynamically based on the use. 
- # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan - "* ${iface}.#" - ]; + wildcard = [ + # Optional wildcard entry matching all VLAN IDs. The first # in the interface + # name will be replaced with the VLAN ID. The network interfaces are created + # (and removed) dynamically based on the use. + # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan + "* ${iface}.#" + ]; - file = pkgs.writeText "hostapd.vlan" - (builtins.concatStringsSep "\n" (generated ++ wildcard)); - filePath = toString file; - in filePath; + file = pkgs.writeText "hostapd.vlan" + (builtins.concatStringsSep "\n" (generated ++ wildcard)); + filePath = toString file; + in + filePath; - wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ - "WPA-PSK" + wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ + "WPA-PSK" - # TODO: the printer can't connect when this is on - # "WPA-PSK-SHA256" + # TODO: the printer can't connect when this is on + # "WPA-PSK-SHA256" - # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them - # "SAE" - ]); + # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them + # "SAE" + ]); - # wpa_psk_radius = 0; - wpa_pairwise = "CCMP"; - wmm_enabled = 1; + # wpa_psk_radius = 0; + wpa_pairwise = "CCMP"; + wmm_enabled = 1; - # IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks - ieee80211w = 1; - sae_require_mfp = 1; - sae_groups = "19 20 21"; + # IEEE 802.11i (authentication) related configuration + # Encrypt management frames to protect against deauthentication and similar attacks + ieee80211w = 1; + sae_require_mfp = 1; + sae_groups = "19 20 21"; - # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) - tls_flags= "[ENABLE-TLSv1.3]"; + # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) + tls_flags = "[ENABLE-TLSv1.3]"; - ieee8021x=0; - eap_server=0; - }; + ieee8021x = 0; + 
eap_server = 0; + }; + }; + + # wlan0-1 = { + # ssid = "mlsia-testing"; + # authentication = { + # mode = "wpa3-sae-transition"; + # }; + + # bssid = mkBssid 1; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + + # wlan0-1 = { + # ssid = "justtestingwifi-wpa3"; + # authentication = { + # mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wlan0_1_saePasswordFile.path; + # }; + + # bssid = mkBssid 1; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + + # Uncomment when needed otherwise remove + # wlan0-1 = { + # ssid = "koteczkowo3"; + # authentication = { + # mode = "none"; # this is overriden by settings + # }; + # managementFrameProtection = "optional"; + # bssid = "e6:02:43:07:00:00"; + # settings = { + # bridge = bridgeInterfaceName; + # wpa = lib.mkForce 2; + # wpa_key_mgmt = "WPA-PSK"; + # wpa_pairwise = "CCMP"; + # wpa_psk_file = config.sops.secrets.legacyWifiPassword.path; + # }; + # }; }; - - # wlan0-1 = { - # ssid = "mlsia-testing"; - # authentication = { - # mode = "wpa3-sae-transition"; - # }; - - # bssid = mkBssid 1; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; - - # wlan0-1 = { - # ssid = "justtestingwifi-wpa3"; - # authentication = { - # mode = "wpa3-sae"; - # saePasswordsFile = config.sops.secrets.wlan0_1_saePasswordFile.path; - # }; - - # bssid = mkBssid 1; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; - - # Uncomment when needed otherwise remove - # wlan0-1 = { - # ssid = "koteczkowo3"; - # authentication = { - # mode = "none"; # this is overriden by settings - # }; - # managementFrameProtection = "optional"; - # bssid = "e6:02:43:07:00:00"; - # settings = { - # bridge = bridgeInterfaceName; - # wpa = lib.mkForce 2; - # wpa_key_mgmt = "WPA-PSK"; - # wpa_pairwise = "CCMP"; - # wpa_psk_file = config.sops.secrets.legacyWifiPassword.path; - # }; - # }; }; + + # wlan1 = { + # band = "5g"; + # # channels with 160 MHz width in Poland: 36, 52, 100 i 116 + # channel = 0; # 
ACS + # countryCode = "PL"; + + # # use 'iw phy#1 info' to determine your VHT capabilities + # wifi4 = { + # enable = true; + # capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + # }; + # wifi5 = { + # enable = true; + # operatingChannelWidth = "160"; + # capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; + # }; + # wifi6 = { + # enable = true; + # singleUserBeamformer = true; + # singleUserBeamformee = true; + # multiUserBeamformer = true; + # operatingChannelWidth = "160"; + # }; + # settings = { + # # these two are mandatory for wifi 5 & 6 to work + # vht_oper_centr_freq_seg0_idx = 50; + # he_oper_centr_freq_seg0_idx = 50; + + # # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for + # # transmitting data packets from the second data queue of a network interface. + # # It determines the number of packets that can be sent in a burst. + # # Adjusting this parameter can impact network throughput and latency. + # tx_queue_data2_burst = 2; + + # # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header. + # # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios. + # # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference. 
+ # he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63 + + # # Magic values that were set by openwrt but I didn't bother inspecting every single one + # he_spr_sr_control = 3; + # he_default_pe_duration = 4; + # he_rts_threshold = 1023; + + # he_mu_edca_qos_info_param_count = 0; + # he_mu_edca_qos_info_q_ack = 0; + # he_mu_edca_qos_info_queue_request = 0; + # he_mu_edca_qos_info_txop_request = 0; + + # # he_mu_edca_ac_be_aci=0; missing in 2.10 + # he_mu_edca_ac_be_aifsn = 8; + # he_mu_edca_ac_be_ecwmin = 9; + # he_mu_edca_ac_be_ecwmax = 10; + # he_mu_edca_ac_be_timer = 255; + + # he_mu_edca_ac_bk_aifsn = 15; + # he_mu_edca_ac_bk_aci = 1; + # he_mu_edca_ac_bk_ecwmin = 9; + # he_mu_edca_ac_bk_ecwmax = 10; + # he_mu_edca_ac_bk_timer = 255; + + # he_mu_edca_ac_vi_ecwmin = 5; + # he_mu_edca_ac_vi_ecwmax = 7; + # he_mu_edca_ac_vi_aifsn = 5; + # he_mu_edca_ac_vi_aci = 2; + # he_mu_edca_ac_vi_timer = 255; + + # he_mu_edca_ac_vo_aifsn = 5; + # he_mu_edca_ac_vo_aci = 3; + # he_mu_edca_ac_vo_ecwmin = 5; + # he_mu_edca_ac_vo_ecwmax = 7; + # he_mu_edca_ac_vo_timer = 255; + # }; + # networks = { + # wlan1 = { + # ssid = "koteczkowo5"; + # authentication = { + # mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible. 
+ # }; + # bssid = "36:b9:02:21:08:a2"; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + # }; + # }; }; - - # wlan1 = { - # band = "5g"; - # # channels with 160 MHz width in Poland: 36, 52, 100 i 116 - # channel = 0; # ACS - # countryCode = "PL"; - - # # use 'iw phy#1 info' to determine your VHT capabilities - # wifi4 = { - # enable = true; - # capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; - # }; - # wifi5 = { - # enable = true; - # operatingChannelWidth = "160"; - # capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; - # }; - # wifi6 = { - # enable = true; - # singleUserBeamformer = true; - # singleUserBeamformee = true; - # multiUserBeamformer = true; - # operatingChannelWidth = "160"; - # }; - # settings = { - # # these two are mandatory for wifi 5 & 6 to work - # vht_oper_centr_freq_seg0_idx = 50; - # he_oper_centr_freq_seg0_idx = 50; - - # # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for - # # transmitting data packets from the second data queue of a network interface. - # # It determines the number of packets that can be sent in a burst. - # # Adjusting this parameter can impact network throughput and latency. - # tx_queue_data2_burst = 2; - - # # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header. - # # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios. - # # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference. 
- # he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63 - - # # Magic values that were set by openwrt but I didn't bother inspecting every single one - # he_spr_sr_control = 3; - # he_default_pe_duration = 4; - # he_rts_threshold = 1023; - - # he_mu_edca_qos_info_param_count = 0; - # he_mu_edca_qos_info_q_ack = 0; - # he_mu_edca_qos_info_queue_request = 0; - # he_mu_edca_qos_info_txop_request = 0; - - # # he_mu_edca_ac_be_aci=0; missing in 2.10 - # he_mu_edca_ac_be_aifsn = 8; - # he_mu_edca_ac_be_ecwmin = 9; - # he_mu_edca_ac_be_ecwmax = 10; - # he_mu_edca_ac_be_timer = 255; - - # he_mu_edca_ac_bk_aifsn = 15; - # he_mu_edca_ac_bk_aci = 1; - # he_mu_edca_ac_bk_ecwmin = 9; - # he_mu_edca_ac_bk_ecwmax = 10; - # he_mu_edca_ac_bk_timer = 255; - - # he_mu_edca_ac_vi_ecwmin = 5; - # he_mu_edca_ac_vi_ecwmax = 7; - # he_mu_edca_ac_vi_aifsn = 5; - # he_mu_edca_ac_vi_aci = 2; - # he_mu_edca_ac_vi_timer = 255; - - # he_mu_edca_ac_vo_aifsn = 5; - # he_mu_edca_ac_vo_aci = 3; - # he_mu_edca_ac_vo_ecwmin = 5; - # he_mu_edca_ac_vo_ecwmax = 7; - # he_mu_edca_ac_vo_timer = 255; - # }; - # networks = { - # wlan1 = { - # ssid = "koteczkowo5"; - # authentication = { - # mode = "wpa3-sae"; - # saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible. - # }; - # bssid = "36:b9:02:21:08:a2"; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; - # }; - # }; - }; }; services.resolved.enable = false; 
@@ -797,20 +826,21 @@ in { local-ttl = 0; dhcp-ttl = 0; - dhcp-range = let - mkDhcpRange = { tag, vlanid }: builtins.concatStringsSep "," [ - tag - (mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; }) - (mkVlanIpv4HostAddr { inherit vlanid; host = 199; cidr = false; }) - "12h" - ]; - in + dhcp-range = + let + mkDhcpRange = { tag, vlanid }: builtins.concatStringsSep "," [ + tag + (mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; }) + (mkVlanIpv4HostAddr { inherit vlanid; host = 199; cidr = false; }) + "12h" + ]; + in builtins.map (vlanid: - mkDhcpRange { tag = mkInterfaceName {inherit vlanid;}; inherit vlanid; } + mkDhcpRange { tag = mkInterfaceName { inherit vlanid; }; inherit vlanid; } ) vlanRangeWith0 - ; + ; # interface = bridgeInterfaceName; # bind-interfaces = true; @@ -854,7 +884,9 @@ in { (vlanid: builtins.concatStringsSep "," [ # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - "${nodeName}.${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) + "${nodeName}.${getVlanDomain{inherit vlanid;}}" + "0.0.0.1" + (mkInterfaceName { inherit vlanid; }) ] ) vlanRangeWith0 @@ -864,6 +896,11 @@ in { (vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain{inherit vlanid;}}") vlanRangeWith0 ; + + cname = [ + "mailserver.svc.stefanjunker.de,${exposedHost}" + "www.stefanjunker.de,${exposedHost}" + ]; }; }; 
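Review bot: The two `cname` entries added in the `@@ -864,6 +896,11 @@` hunk point at `${exposedHost}`, and dnsmasq's `--cname` only honours a target it can answer itself (a `/etc/hosts` entry, a DHCP lease, `host-record`, `interface-name` or another cname); depending on the dnsmasq version a target it does not know locally is either dropped entirely or forwarded upstream, so check what `exposedHost` resolves to — its binding is outside this hunk. The option also takes a bare hostname only, so the value must not carry a scheme or port. A short comment next to the list, e.g. `# cname targets must be names dnsmasq serves locally, see --cname in dnsmasq(8)`, would record that constraint for the next edit.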
@@ -881,10 +918,10 @@ in { # They fail to load properly, leaving the system without working ethernet, they'll oops on # remove. MTK-DSA parts and PCIe were observed to do this. boot.initrd.includeDefaultModules = false; - boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"]; - boot.initrd.availableKernelModules = ["nvme"]; + boot.initrd.kernelModules = [ "rfkill" "cfg80211" "mt7915e" ]; + boot.initrd.availableKernelModules = [ "nvme" ]; - boot.kernelParams = ["console=ttyS0,115200"]; + boot.kernelParams = [ "console=ttyS0,115200" ]; hardware.enableRedistributableFirmware = true; # Wireless hardware exists, regulatory database is essential. hardware.wirelessRegulatoryDatabase = true; diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index 5c8c9b4..f60324f 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix @@ -1,4 +1,5 @@ -{lib, ...}: let +{ lib, ... }: +let stage1Modules = [ "aesni_intel" "kvm_amd" @@ -10,34 +11,26 @@ "usbcore" "xhci_hcd" - "usbnet" - "snd_usb_audio" "usbhid" - "snd_usbmidi_lib" - "cdc_mbim" - "cdc_ncm" "usb_storage" - "cdc_wdm" - "uvcvideo" - "btusb" "xhci_pci" - "cdc_ether" "uas" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; encrypted = true; diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901"; - earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0"; + earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0"; }; # boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0"; # see https://linrunner.de/tlp/ services.tlp = { - enable = true; + enable = false; settings = { CPU_DRIVER_OPMODE_ON_AC = "active"; CPU_DRIVER_OPMODE_ON_BAT = "passive"; @@ -81,7 +74,7 @@ in { # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; - SATA_LINKPWR_ON_AC = "maax_performance"; + SATA_LINKPWR_ON_AC = "max_performance"; SATA_LINKPWR_ON_BAT = "min_power"; }; }; 
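Review bot: `enable = false;` for `services.tlp` in the `@@ -10,34 +11,26 @@` hunk of steveej-t14/hw.nix, together with the removed stage-1 modules, is a behavioural change buried in what is otherwise whitespace reformatting, and neither the diff nor the config records why TLP is now off while its whole `settings` block is kept. A one-line reason next to the flag, e.g. `enable = false; # disabled: <reason placeholder>`, or a separate commit for the functional part, would keep the reformat reviewable. The `SATA_LINKPWR_ON_AC` correction from `maax_performance` to `max_performance` in the following hunk is a real fix that is equally easy to miss here.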
@@ -91,16 +84,16 @@ in { enable = true; levels = [ # ["level auto" 0 60] - [0 0 60] - [1 60 65] - [1 65 75] - [2 75 78] - [3 78 80] - [4 80 82] - [5 82 84] - [6 84 86] - [7 86 88] - ["level full-speed" 88 999] + [ 0 0 60 ] + [ 1 60 65 ] + [ 1 65 75 ] + [ 2 75 78 ] + [ 3 78 80 ] + [ 4 80 82 ] + [ 5 82 84 ] + [ 6 84 86 ] + [ 7 86 88 ] + [ "level full-speed" 88 999 ] ]; extraArgs = [ From 93282cdf6e9a1dee2ade4b26adc6422fd2f7036f Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 19 Jan 2024 11:49:33 +0100 Subject: [PATCH 03/42] lib/default: format --- nix/os/lib/default.nix | 63 ++++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 30 deletions(-) diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 9871d3b..c74ccd0 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix @@ -1,35 +1,38 @@ -{ - lib, - config, -}: let +{ lib +, config +, +}: +let keys = import ../../variables/keys.nix; -in { +in +{ mkUser = args: ( - lib.attrsets.recursiveUpdate { - isNormalUser = true; - extraGroups = [ - "docker" - "wheel" - "libvirtd" - "networkmanager" - "vboxusers" - "users" - "input" - "audio" - "video" - "cdrom" - "adbusers" - "dialout" - "cdrom" - ]; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; + lib.attrsets.recursiveUpdate + { + isNormalUser = true; + extraGroups = [ + "docker" + "wheel" + "libvirtd" + "networkmanager" + "vboxusers" + "users" + "input" + "audio" + "video" + "cdrom" + "adbusers" + "dialout" + "cdrom" + ]; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; - # TODO: investigate why this secret cannot be found - # openssh.authorizedKeys.keyFiles = [ - # config.sops.secrets.sharedSshKeys-steveej.path - # ]; - } - args + # TODO: investigate why this secret cannot be found + # openssh.authorizedKeys.keyFiles = [ + # config.sops.secrets.sharedSshKeys-steveej.path + # ]; + } + args ); disk = rec { 
@@ -38,7 +41,7 @@ in { # LVM doesn't allow most characters in VG names # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+] - volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId; + volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId; # This is important at install-time bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId; From 2ab49e3de9b6f9b583a1f918dc51ad108197090a Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 19 Jan 2024 11:49:49 +0100 Subject: [PATCH 04/42] lib/default: add fuse to default groups --- nix/os/lib/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index c74ccd0..252989e 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix @@ -24,6 +24,7 @@ in "adbusers" "dialout" "cdrom" + "fuse" ]; openssh.authorizedKeys.keys = keys.users.steveej.openssh; From d46eb4f3abe9aa18fa6c654a09290f80d601379a Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 19 Jan 2024 13:56:20 +0100 Subject: [PATCH 05/42] router0-dmz0: remove cname as it's not needed --- nix/os/devices/router0-dmz0/configuration.nix | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 434e3a7..9256425 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix 
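Review bot: `"fuse"` is appended to the default `extraGroups` of `mkUser`, but nothing visible declares a `users.groups.fuse`; on NixOS a group named in `extraGroups` that does not exist is, as far as I recall, reported as a warning by the user activation script and the membership silently dropped, and `/dev/fuse` is normally world-accessible via udev there, so the entry may have no effect — confirm the group is defined elsewhere in the configuration. While in this list: every account created through `mkUser` also receives `docker`, `libvirtd` and `wheel` by default, each of which is commonly treated as root-equivalent (docker socket, system libvirt session, sudo), so privileged groups would be safer as an opt-in through `args` than as a baseline, with a note such as `# NOTE: docker/libvirtd/wheel grant root-equivalent access; override extraGroups for unprivileged accounts`. The `mkUser` definition starts outside this hunk.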
@@ -897,10 +897,20 @@ in vlanRangeWith0 ; - cname = [ - "mailserver.svc.stefanjunker.de,${exposedHost}" - "www.stefanjunker.de,${exposedHost}" - ]; + # auth-server = [ + # (builtins.concatStringsSep "," [ + # "www.stefanjunker.de" + # # (mkInterfaceName { vlanid = vlansByName.dmz.id; }) + # # (mkInterfaceName { vlanid = vlansByName.office.id; }) + # ]) + # ]; + + # cname = [ + # "mailserver.svc.stefanjunker.de,${exposedHost}" + # "www.stefanjunker.de,${exposedHost}" + # "hedgedoc.www.stefanjunker.de,${exposedHost}" + # "jitsi.www.stefanjunker.de,${exposedHost}" + # ]; }; }; From 411896973a9f519845b82acb5da30fe86f26ae05 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 19 Jan 2024 13:56:34 +0100 Subject: [PATCH 06/42] t14: disable thinkfan --- nix/os/devices/steveej-t14/hw.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index f60324f..419399b 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix @@ -81,7 +81,7 @@ in # see https://www.kernel.org/doc/html/v6.6/admin-guide/laptops/thinkpad-acpi.html#fan-control-and-monitoring-fan-speed-fan-enable-disable services.thinkfan = { - enable = true; + enable = false; levels = [ # ["level auto" 0 60] [ 0 0 60 ] From 93778b1f21d99e03afe90a915d5593db3f391b5b Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Fri, 19 Jan 2024 22:21:14 +0100 Subject: [PATCH 07/42] sj-srv1: set up restic backup --- nix/os/devices/sj-srv1/configuration.nix | 12 ++++---- nix/os/devices/sj-srv1/system.nix | 37 ++++++++++++++++++++++++ secrets/sj-srv1/secrets.yaml | 9 ++---- 3 files changed, 46 insertions(+), 12 deletions(-) diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix index b734123..ff7d0a1 100644 --- a/nix/os/devices/sj-srv1/configuration.nix +++ b/nix/os/devices/sj-srv1/configuration.nix 
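Review bot: The commit message says the `cname` entries are removed as not needed, but the hunk keeps them as commented-out code and adds further commented-out entries (`hedgedoc.`, `jitsi.`, an `auth-server` block) that never existed before, so the file now carries dead configuration with no indication of when it should come back. Either delete the block outright (git history keeps it) or replace it with a single comment stating the condition for re-adding it, e.g. `# dnsmasq cname/auth-server records deliberately unset here: <reason placeholder>`. The surrounding dnsmasq `settings` attrset starts and ends outside this hunk.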
@@ -1,10 +1,9 @@ -{ - nodeName, - config, - pkgs, - ... +{ nodeName +, config +, pkgs +, ... }: { - disabledModules = []; + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix { @@ -20,6 +19,7 @@ format = "yaml"; }; } + ../../modules/opinionatedDisk.nix ./system.nix diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix index cd68496..d1f9774 100644 --- a/nix/os/devices/sj-srv1/system.nix +++ b/nix/os/devices/sj-srv1/system.nix @@ -37,6 +37,43 @@ nix.gc = { automatic = true; }; + sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + + # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix + services.restic.backups.${nodeName} = + let + btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; + in + { + initialize = true; + repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; + + paths = [ + "/backup" + ]; + + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 2" + ]; + + timerConfig = { + OnCalendar = lib.mkDefault "daily"; + Persistent = true; + }; + + passwordFile = config.sops.secrets.restic-password.path; + + backupPrepareCommand = '' + ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes + ''; + backupCleanupCommand = '' + ${btrfs} su delete /backup/container-volumes + ''; + }; + containers = { mailserver = import ../../containers/mailserver.nix { inherit repoFlake; diff --git a/secrets/sj-srv1/secrets.yaml b/secrets/sj-srv1/secrets.yaml index 5eba76e..2303d41 100644 --- a/secrets/sj-srv1/secrets.yaml +++ b/secrets/sj-srv1/secrets.yaml 
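Review bot: `backupPrepareCommand` in the sj-srv1/system.nix hunk is not idempotent: if a run fails after the snapshot is taken and before `backupCleanupCommand` runs, `/backup/container-volumes` still exists and the next `btrfs su snapshot -r` either fails or tries to create a nested snapshot inside the stale read-only one, so every later backup breaks until someone cleans up by hand. Deleting a leftover first makes the job self-healing, e.g. `[ -e /backup/container-volumes ] && ${btrfs} su delete /backup/container-volumes; ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes` (plus `mkdir -p /backup` if that directory is not otherwise guaranteed). Two things the hunk does not show should be confirmed: the restic service runs as root by default and the sftp backend needs the storage box's SSH host key pinned (e.g. `programs.ssh.knownHosts`) or the non-interactive timer job will fail, and because this host holds full delete rights on the repository and runs `pruneOpts`, a compromise of sj-srv1 can erase its own backup history — a second copy in an append-only repository (restic-server `--append-only`, or a credential without delete) limits that. The enclosing module attrset starts outside this hunk.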
@@ -1,9 +1,6 @@ #ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] -wg0-private: ENC[AES256_GCM,data:hiUUUhQ/hi6d51Wgwb0gZ5lBB5TS9+F8gVEGrRUqLauKjGZujyqjZIFix7E=,iv:ISb5cqkOE0UyQqlQCeclyMBof037XF1+7zDFslKStr0=,tag:Ox0S+YOkfXpFCSbNrdSrxQ==,type:str] -wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6cF2DBJig4xYo=,iv:ifaQVHQyoYqcr6a4kJ1Kvd4QBDLT5xNyr75GuogBv5g=,tag:Tl9HpsJ5+LaV81LiLcThkg==,type:str] -wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str] -wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str] +restic-password: ENC[AES256_GCM,data:0cTVlqHCW/xCk7y3ikh0RtVk/5xFOrcrnQmMbIBtfOd7PYbiTUzwBtYXwOaXO4ob7/+KJUEwhl5TzX/Of1J+y7ML7JbpNPtLr8r0gzDYOvBPY5GlmkDGcorz7QTaomuDprJkoD06lJWme/L893u7rxwamF222D2JvGz5FfTuWfaRWb1PcehBkew89gjdAgqFJJwqlX1vwvQDPg6yj+vnk9ZqR/E967bbQeN/G/qGJ9xfVmeuOPYoZH2IrL0Zgif/FLqZWZtlJ1JnRUBXsVN6FZXfT1Q82euLPOpaUHrFJjAF26PuTwVreIjcBLX3wqc8vhAYWfc+RThS3ITwNdNTSA==,iv:KBqME0cqIIX15xPgKi5mBalk01tswj8xVd8rFETX9zU=,tag:V6KltIGVarWXP1R5lY2FAw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -19,8 +16,8 @@ sops: czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-13T17:03:01Z" - mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] + lastmodified: "2024-01-19T20:25:37Z" + mac: ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str] pgp: - created_at: "2023-08-11T16:31:41Z" enc: |- From 5af42df5a9a63991ba5024e89c54df046116a029 Mon Sep 17 00:00:00 2001 
From: Stefan Junker Date: Sun, 21 Jan 2024 21:08:01 +0100 Subject: [PATCH 08/42] steveej-x13s-rmvbl: init with minimal setup this configures a standalone USB device that doesn't need configuration of the firmware's EFI variables. --- .sops.yaml | 8 + flake.lock | 17 -- flake.nix | 15 +- nix/devShells.nix | 24 +-- .../devices/sj-bm-hostkey0/configuration.nix | 100 +++++---- nix/os/devices/steveej-t14/hw.nix | 34 ++-- nix/os/devices/steveej-t14/system.nix | 11 + .../.gitignore | 0 .../steveej-x13s-rmvbl/configuration.nix | 66 ++++++ .../default.nix | 0 nix/os/devices/steveej-x13s-rmvbl/disko.nix | 66 ++++++ .../flake.lock | 108 +++++----- .../flake.nix | 190 ++++++++++-------- nix/os/devices/steveej-x13s/configuration.nix | 82 -------- secrets/shared-users.yaml | 108 +++++----- secrets/steveej-x13s-rmvbl/secrets.yaml | 46 +++++ 16 files changed, 501 insertions(+), 374 deletions(-) rename nix/os/devices/{steveej-x13s => steveej-x13s-rmvbl}/.gitignore (100%) create mode 100644 nix/os/devices/steveej-x13s-rmvbl/configuration.nix rename nix/os/devices/{steveej-x13s => steveej-x13s-rmvbl}/default.nix (100%) create mode 100644 nix/os/devices/steveej-x13s-rmvbl/disko.nix rename nix/os/devices/{steveej-x13s => steveej-x13s-rmvbl}/flake.lock (58%) rename nix/os/devices/{steveej-x13s => steveej-x13s-rmvbl}/flake.nix (61%) delete mode 100644 nix/os/devices/steveej-x13s/configuration.nix create mode 100644 secrets/steveej-x13s-rmvbl/secrets.yaml diff --git a/.sops.yaml b/.sops.yaml index 7f5c5ec..4ac1cea 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -8,6 +8,7 @@ keys: - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl + - &steveej-x13s-rmvbl age1hkta9w0yawwwwchapemkygzxkrv7vx759vrafgrjhm63spckwstque8x97 - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 
@@ -24,6 +25,7 @@ creation_rules: - *steveej age: - *steveej-t14 + - *steveej-x13s-rmvbl - *elias-e525 - *justyna-p300 @@ -83,3 +85,9 @@ creation_rules: - *steveej age: - *sj-bm-hostkey0 + - path_regex: ^secrets/steveej-x13s-rmvbl/.+$ + key_groups: + - pgp: + - *steveej + age: + - *steveej-x13s-rmvbl diff --git a/flake.lock b/flake.lock index af15232..86a3f52 100644 --- a/flake.lock +++ b/flake.lock @@ -293,22 +293,6 @@ "type": "github" } }, - "magmawm": { - "flake": false, - "locked": { - "lastModified": 1703542178, - "narHash": "sha256-HuCAz+B+cg7HoEEL67heaYRc8zmQCnPBR+DgmuiIZBk=", - "owner": "MagmaWM", - "repo": "MagmaWM", - "rev": "24dc21f228efb034cd0237fb5ff9a8310f1929b7", - "type": "github" - }, - "original": { - "owner": "MagmaWM", - "repo": "MagmaWM", - "type": "github" - } - }, "nix-eval-jobs": { "inputs": { "flake-parts": "flake-parts_3", @@ -663,7 +647,6 @@ "flake-parts": "flake-parts", "get-flake": "get-flake", "jay": "jay", - "magmawm": "magmawm", "nixos-anywhere": "nixos-anywhere", "nixpkgs": [ "nixpkgs-2311" diff --git a/flake.nix b/flake.nix index ba852b7..691edf1 100644 --- a/flake.nix +++ b/flake.nix @@ -59,11 +59,6 @@ flake = false; }; - magmawm = { - url = "github:MagmaWM/MagmaWM"; - flake = false; - }; - salut = { url = "gitlab:snakedye/salut"; flake = false; @@ -127,7 +122,7 @@ // ( let router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; - steveej-x13s = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations; + steveej-x13s-rmvbl = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations; retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations; in { @@ -140,7 +135,8 @@ # nixos-install --flake .\#retro_cross retro_cross = retro.cross; - steveej-x13s_cross = steveej-x13s.cross; + steveej-x13s-rmvbl = steveej-x13s-rmvbl.native; + steveej-x13s-rmvbl_cross = steveej-x13s-rmvbl.cross; } ); 
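Review bot: `*steveej-x13s-rmvbl` is added as an age recipient to an existing shared creation rule in `.sops.yaml` (its path_regex is outside the hunk; the diffstat's re-encryption of secrets/shared-users.yaml suggests it is the shared-users rule) as well as to its own `^secrets/steveej-x13s-rmvbl/.+$` rule. Per the commit message this is a standalone USB device, so the private half of that age key lives on removable media, and unless disko.nix places it on an encrypted volume the loss of the stick exposes every secret encrypted under the shared rule, not just the device's own. Worth confirming how the key is stored and recording the consequence next to the key entry, e.g. `# removable device: if the stick is lost, drop this recipient, run sops updatekeys and rotate the shared secrets`, since removing a recipient later only protects future re-encryptions.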
@@ -194,11 +190,6 @@ # }; # }; - # magmawm = pkgs.callPackage (self + /nix/pkgs/magmawm.nix) { - # inherit craneLib; - # src = inputs.magmawm; - # }; - salut = craneLib.buildPackage { src = inputs.salut; nativeBuildInputs = [ diff --git a/nix/devShells.nix b/nix/devShells.nix index 3f59c5b..d4d5c07 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix @@ -1,27 +1,27 @@ -{ - inputs', - packages', - pkgs, +{ inputs' +, packages' +, pkgs +, }: pkgs.stdenv.mkDerivation { name = "infra-env"; buildInputs = [ - (with pkgs.callPackage (pkgs.path + "/nixos") {configuration = {};}; - with config.system.build; [ - nixos-generate-config - nixos-install - nixos-enter - manual.manpages - ]) + (with pkgs.callPackage (pkgs.path + "/nixos") { configuration = { }; }; + with config.system.build; [ + nixos-generate-config + nixos-install + nixos-enter + manual.manpages + ]) ] ++ (with pkgs; [ inputs'.colmena.packages.colmena nixos-install-tools dconf2nix inputs'.nixos-anywhere.packages.nixos-anywhere + inputs'.disko.packages.default nurl - just git-crypt vcsh diff --git a/nix/os/devices/sj-bm-hostkey0/configuration.nix b/nix/os/devices/sj-bm-hostkey0/configuration.nix index 76ddb97..f2dd56d 100644 --- a/nix/os/devices/sj-bm-hostkey0/configuration.nix +++ b/nix/os/devices/sj-bm-hostkey0/configuration.nix @@ -1,14 +1,13 @@ -{ - modulesPath, - repoFlake, - packages', - pkgs, - lib, - config, - nodeFlake, - nodeName, - system, - ... +{ modulesPath +, repoFlake +, packages' +, pkgs +, lib +, config +, nodeFlake +, nodeName +, system +, ... }: { disabledModules = [ ]; @@ -52,7 +51,7 @@ programs.zsh.enable = true; users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = ["/share/zsh"]; + environment.pathsToLink = [ "/share/zsh" ]; } ]; 
@@ -83,52 +82,54 @@ firewall.enable = false; }; - disko.devices = let - disk = id: { - type = "disk"; - device = "/dev/${id}"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - mdadm = { - size = "100%"; - content = { - type = "mdraid"; - name = "raid0"; + disko.devices = + let + disk = id: { + type = "disk"; + device = "/dev/${id}"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + mdadm = { + size = "100%"; + content = { + type = "mdraid"; + name = "raid0"; + }; }; }; }; }; - }; - in { - disk = { - sda = disk "sda"; - sdb = disk "sdb"; - }; - mdadm = { - raid0 = { - type = "mdadm"; - level = 0; - content = { - type = "gpt"; - partitions = { - primary = { - size = "100%"; - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; + in + { + disk = { + sda = disk "sda"; + sdb = disk "sdb"; + }; + mdadm = { + raid0 = { + type = "mdadm"; + level = 0; + content = { + type = "gpt"; + partitions = { + primary = { + size = "100%"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; + }; }; }; }; }; }; }; - }; system.stateVersion = "23.11"; @@ -162,8 +163,5 @@ boot.binfmt.emulatedSystems = [ "aarch64-linux" - "i686-linux" - # "i386-linux" - # "i586-linux" ]; } diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index 419399b..ea1352c 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix @@ -1,21 +1,5 @@ { lib, ... }: let - stage1Modules = [ - "aesni_intel" - "kvm_amd" - "nvme" - "nvme_core" - - "thunderbolt" - "e1000e" - - "usbcore" - "xhci_hcd" - "usbhid" - "usb_storage" - "xhci_pci" - "uas" - ]; in { # TASK: new device 
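Review bot: Deleting `stage1Modules` leaves the `let … in` at the top of steveej-t14/hw.nix with no bindings, since `let` and `in {` survive as context around the removed list. An empty `let` evaluates fine but reads as leftover scaffolding; collapse the header to `{ lib, ... }: {` (whether `lib` itself is still used cannot be seen from this hunk). The module body continues past the hunk.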
@@ -103,6 +87,20 @@ in }; hardware.enableRedistributableFirmware = true; - # boot.initrd.availableKernelModules = stage1Modules; - boot.initrd.kernelModules = stage1Modules; + boot.initrd.kernelModules = [ + "aesni_intel" + "kvm_amd" + "nvme" + "nvme_core" + + "thunderbolt" + "e1000e" + + "usbcore" + "xhci_hcd" + "usbhid" + "usb_storage" + "xhci_pci" + "uas" + ]; } diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index 3e35163..11a2690 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -47,6 +47,17 @@ in system = "x86_64-linux"; maxJobs = 32; speedFactor = 100; + supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features ++ [ ]; + } + + { + hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost; + # TODO: make this a reference + sshUser = "nix-remote-builder"; + protocol = "ssh-ng"; + system = "aarch64-linux"; + maxJobs = 32; + speedFactor = 100; supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [ ]; } ]; diff --git a/nix/os/devices/steveej-x13s/.gitignore b/nix/os/devices/steveej-x13s-rmvbl/.gitignore similarity index 100% rename from nix/os/devices/steveej-x13s/.gitignore rename to nix/os/devices/steveej-x13s-rmvbl/.gitignore diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix new file mode 100644 index 0000000..6ecdbb8 --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix 
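Review bot: The new aarch64-linux build-machine entry in steveej-t14/system.nix points `hostName` at `sj-bm-hostkey0` but advertises `supportedFeatures` taken from `repoFlake.nixosConfigurations.router0-dmz0`; unless router0-dmz0 is deliberately used as a stand-in, the features a builder may claim should come from the host that actually runs the builds, i.e. `repoFlake.nixosConfigurations.sj-bm-hostkey0.config.nix.settings.system-features ++ [ ]`. Both entries also repeat the literal `sshUser = "nix-remote-builder";` under a `# TODO: make this a reference`, so a single `let` binding would remove the duplication. The `buildMachines` list continues outside the hunk.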
@@ -0,0 +1,66 @@ +{ repoFlake +, pkgs +, lib +, config +, nodeFlake +, nodeName +, localDomainName +, system +, ... +}: + +{ + imports = [ + repoFlake.inputs.sops-nix.nixosModules.sops + nodeFlake.inputs.disko.nixosModules.disko + ./disko.nix + + ../../profiles/common/user.nix + + { + nix.nixPath = [ + "nixpkgs=${pkgs.path}" + ]; + + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; + + nix.settings.max-jobs = lib.mkDefault "auto"; + } + + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + services.openssh.openFirewall = true; + + users.commonUsers = { + enable = true; + enableNonRoot = true; + }; + + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + } + ]; + + networking = { + hostName = nodeName; + + firewall.enable = true; + + useNetworkd = true; + networkmanager.enable = false; + }; + + system.stateVersion = "23.11"; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = [ + pkgs.util-linux + pkgs.coreutils + pkgs.vim + ]; +} diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix similarity index 100% rename from nix/os/devices/steveej-x13s/default.nix rename to nix/os/devices/steveej-x13s-rmvbl/default.nix diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix new file mode 100644 index 0000000..e7e0391 --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/disko.nix 
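Review bot: `services.openssh.settings.PermitRootLogin = "yes"` combined with `services.openssh.openFirewall = true` permits password-based root logins from whatever network this removable install happens to be booted on, and nothing in the file shows what the root credential is. Prefer `services.openssh.settings.PermitRootLogin = "prohibit-password";` together with `services.openssh.settings.PasswordAuthentication = false;`, and deliver the root authorized key through the sops file the module already sets as `sops.defaultSopsFile`. If the permissive setting is only for bootstrapping, a comment saying so and when it is to be reverted would make that explicit.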
@@ -0,0 +1,66 @@ +{ + disko.devices = { + disk = { + voyager-gtx = { + type = "disk"; + device = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002054"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "x13s-usb-crypt"; + extraOpenArgs = [ ]; + # disable settings.keyFile if you want to use interactive password entry + #passwordFile = "/tmp/secret.key"; # Interactive + settings = { + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + # keyFile = "/tmp/secret.key"; + allowDiscards = true; + }; + # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "32G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s-rmvbl/flake.lock similarity index 58% rename from nix/os/devices/steveej-x13s/flake.lock rename to nix/os/devices/steveej-x13s-rmvbl/flake.lock index be88708..71d8fc6 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.lock 
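Review bot: `allowDiscards = true` in the LUKS `settings` passes TRIM through the encrypted container, so anyone reading the raw device can tell which sectors are unused and infer filesystem layout; that is an accepted trade-off for flash wear on many installs, but it should be a recorded decision, e.g. `allowDiscards = true; # TRIM passthrough: exposes free-space layout to the raw device, accepted for flash longevity`. The surrounding `passwordFile` / `keyFile` / `additionalKeyFiles` comments are the disko example template and describe options this configuration does not set; dropping them makes it clearer that the volume is unlocked interactively.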
@@ -1,18 +1,51 @@ { "nodes": { + "acamcstephens_stop-export": { + "flake": false, + "locked": { + "lastModified": 1705858695, + "narHash": "sha256-iTIwMsw/cjacCkSzzCwb+nEkpOK/PoPenPHOysWCBSk=", + "ref": "refs/heads/main", + "rev": "8b61e53b83caf55bd374f4ce2b20f1e8012ce2ec", + "revCount": 13, + "type": "git", + "url": "https://codeberg.org/adamcstephens/stop-export.git" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/adamcstephens/stop-export.git" + } + }, + "alsa-ucm-conf": { + "flake": false, + "locked": { + "lastModified": 1705501566, + "narHash": "sha256-Nyr7tjH5VBjocvaKaHCiK+zsjThYBtcr936aRWCBBpM=", + "owner": "alsa-project", + "repo": "alsa-ucm-conf", + "rev": "e87dde51d68950537f92af955ad0633437cc419a", + "type": "github" + }, + "original": { + "owner": "alsa-project", + "repo": "alsa-ucm-conf", + "rev": "e87dde51d68950537f92af955ad0633437cc419a", + "type": "github" + } + }, "brainwart_x13s-nixos": { "flake": false, "locked": { - "lastModified": 1701822673, - "narHash": "sha256-F2LBV8tqGPhEAvmn5Frxj79RPWgPGUYxJRYz8Pn9uj0=", + "lastModified": 1705565623, + "narHash": "sha256-sisr/dFIz8p3/Y7mz+arWxjeiBmUTQkMqkF9j3c2dWE=", "owner": "BrainWart", "repo": "x13s-nixos", - "rev": "ba245df7a72a78ec93aa500ba1a0cb29f0f65f37", + "rev": "29002122d86a1009ba70e7a4ca3063e5404c77a2", "type": "github" }, "original": { "owner": "BrainWart", - "ref": "main", + "ref": "flake", "repo": "x13s-nixos", "type": "github" } @@ -24,11 +57,11 @@ ] }, "locked": { - "lastModified": 1705348229, - "narHash": "sha256-CssPema1sBxZkrT95KFuKCNNiqxNe1lnf2QNeXk88Xk=", + "lastModified": 1705540973, + "narHash": "sha256-kNt/qAEy7ueV7NKbVc8YMHWiQAAgrir02MROYNI8fV0=", "owner": "nix-community", "repo": "disko", - "rev": "d0b4408eaf782a1ada0a9133bb1cecefdd59c696", + "rev": "0033adc6e3f1ed076f3ed1c637ef1dfe6bef6733", "type": "github" }, "original": { 
@@ -36,27 +69,6 @@ "type": "indirect" } }, - "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "srvos", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1704982712, - "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "07f6395285469419cf9d078f59b5b49993198c00", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, "get-flake": { "locked": { "lastModified": 1694475786, @@ -75,11 +87,11 @@ "linux_x13s": { "flake": false, "locked": { - "lastModified": 1705487080, - "narHash": "sha256-DTOPiUGaeH5Ey+AZaO1c1n/QFikIXmvo2tTzgFtJ70k=", + "lastModified": 1705680516, + "narHash": "sha256-NjCuPYjYHBJcoJR1ZaWQ9sRh0VpY2Y0hawkbUBRfCvk=", "owner": "jhovold", "repo": "linux", - "rev": "dd209a8fb4840e48ca4963bb23057f38b1066a6d", + "rev": "bac95eabe6577faa2773cbe7e91c34fd17ab79a0", "type": "github" }, "original": { 
@@ -107,50 +119,30 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705316053, - "narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=", + "lastModified": 1705641746, + "narHash": "sha256-D6c2aH8HQbWc7ZWSV0BUpFpd94ImFyCP8jFIsKQ4Slg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370", + "rev": "d2003f2223cbb8cd95134e4a0541beea215c1073", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } }, "root": { "inputs": { + "acamcstephens_stop-export": "acamcstephens_stop-export", + "alsa-ucm-conf": "alsa-ucm-conf", "brainwart_x13s-nixos": "brainwart_x13s-nixos", "disko": "disko", "get-flake": "get-flake", "linux_x13s": "linux_x13s", "mobile-nixos": "mobile-nixos", - "nixpkgs": "nixpkgs", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "flake-parts": "flake-parts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705346686, - "narHash": "sha256-lTf1b2I6wwNDhV5eEKIAMT5DOa43bK5KaPqDWH2yfek=", - "owner": "numtide", - "repo": "srvos", - "rev": "8e03bea707212a7225b0ab02a8186af8b1e98e0a", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" + "nixpkgs": "nixpkgs" } } }, diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix similarity index 61% rename from nix/os/devices/steveej-x13s/flake.nix rename to nix/os/devices/steveej-x13s-rmvbl/flake.nix index 05b3765..d5eceb3 100644 --- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix 
@@ -1,13 +1,11 @@ { inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; get-flake.url = "github:ursi/get-flake"; disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; mobile-nixos.url = "github:NixOS/mobile-nixos"; mobile-nixos.flake = false; @@ -17,9 +15,20 @@ linux_x13s.flake = false; brainwart_x13s-nixos = { - url = "github:BrainWart/x13s-nixos/main"; + url = "github:BrainWart/x13s-nixos/flake"; flake = false; }; + + acamcstephens_stop-export = { + flake = false; + url = "git+https://codeberg.org/adamcstephens/stop-export.git"; + }; + + + alsa-ucm-conf = { + flake = false; + url = "github:alsa-project/alsa-ucm-conf/e87dde51d68950537f92af955ad0633437cc419a"; + }; }; outputs = @@ -31,15 +40,7 @@ let targetPlatform = "aarch64-linux"; buildPlatform = "x86_64-linux"; - nodeName = "steveej-x13s"; - - pkgs = nixpkgs.legacyPackages.${targetPlatform}; - pkgsCross = import self.inputs.nixpkgs { - system = buildPlatform; - crossSystem = { - config = "pentium2-unknown-linux-gnu"; - }; - }; + nodeName = "steveej-x13s-rmvbl"; mkNixosConfiguration = { extraModules ? [ ], ... } @ attrs: nixpkgs.lib.nixosSystem ( @@ -64,21 +65,6 @@ { nix.registry.nixpkgs.flake = nixpkgs; } - - { - nixpkgs.overlays = [ - (final: prev: - { - qrtr = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/qrtr.nix" { }; - qmic = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/qmic.nix" { }; - rmtfs = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/rmtfs.nix" { }; - pd-mapper = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/pd-mapper.nix" { - inherit (final) qrtr; - }; - compressFirmwareXz = prev.lib.id; #this leaves all firmware uncompressed :) for pd-mapper - }) - ]; - } ] ++ extraModules; } 
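Review bot: The new `acamcstephens_stop-export` input in the `@@ -17,9 +15,20 @@` hunk tracks the repository's default branch (`git+https://codeberg.org/adamcstephens/stop-export.git` with no `ref` or `rev`), unlike `alsa-ucm-conf` right below it, which is pinned to a commit. The derivations taken from that input later end up as firmware and the qrtr/pd-mapper daemons, so a `nix flake update` silently builds whatever the upstream branch holds at that moment. Pin it the same way, `url = "git+https://codeberg.org/adamcstephens/stop-export.git?rev=<commit>";` (placeholder), so the lock file records an intentional choice.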
@@ -155,56 +141,76 @@ defconfig = "johan_defconfig"; }; - uncompressed-fw = pkgs.callPackage - ({ lib, runCommand, buildEnv, firmwareFilesList }: - runCommand "qcom-modem-uncompressed-firmware-share" - { - firmwareFiles = buildEnv { - name = "qcom-modem-uncompressed-firmware"; - paths = firmwareFilesList; - pathsToLink = [ - "/lib/firmware/rmtfs" - "/lib/firmware/qcom" - ]; - }; - } '' - PS4=" $ " - ( - set -x - mkdir -p $out/share/ - ln -s $firmwareFiles/lib/firmware/ $out/share/uncompressed-firmware - ) - '') - { - firmwareFilesList = lib.flatten options.hardware.firmware.definitions; - }; - linuxPackages_x13s = pkgs.linuxPackagesFor linux_x13s; dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/sc8280xp-lenovo-thinkpad-x13s.dtb"; dtbName = "x13s63rc4.dtb"; + + x13_firmware = { stdenvNoCC, fetchFromGitHub }: + stdenvNoCC.mkDerivation { + pname = "x13s-extra-firmware"; + version = "1.0.0"; + + src = fetchFromGitHub { + owner = "ironrobin"; + repo = "x13s-alarm"; + rev = "efa51c3b519f75b3983aef67855b1561d9828771"; + sha256 = "sha256-weETbWXz9aL2pDQDKk7fkb1ecQH0qrhUYDs2E5EiJcI="; + }; + + dontFixup = true; + dontBuild = true; + + installPhase = '' + mkdir -p $out/lib/firmware/qcom/sc8280xp/LENOVO/21BX + cp x13s-firmware/qcvss8280.mbn $out/lib/firmware/qcom/sc8280xp/LENOVO/21BX/ + ''; + }; + in { + nixpkgs.overlays = [ + (final: prev: + { + qrtr = final.callPackage "${self.inputs.acamcstephens_stop-export}/hardware/x13s/qrtr/qrtr.nix" { }; + pd-mapper = final.callPackage "${self.inputs.acamcstephens_stop-export}/hardware/x13s/qrtr/pd-mapper.nix" { + inherit (final) qrtr; + }; + + x13s_alsa-ucm-conf = prev.alsa-ucm-conf.overrideAttrs (prev: { + src = self.inputs.alsa-ucm-conf; + }); + } + ) + ]; + boot = { loader.systemd-boot.enable = true; loader.systemd-boot.extraFiles = { "${dtbName}" = dtb; }; - loader.efi.canTouchEfiVariables = true; + loader.efi.canTouchEfiVariables = false; loader.efi.efiSysMountPoint = "/boot"; + blacklistedKernelModules = [ "wwan" ]; + 
kernelPackages = linuxPackages_x13s; kernelParams = [ + "dtb=${dtbName}" + "boot.shell_on_fail" + + # jhovold recommended + "efi=noruntime" "clk_ignore_unused" "pd_ignore_unused" "arm64.nopauth" - "cma=128M" - "nvme.noacpi=1" - "iommu.strict=0" - "dtb=${dtbName}" + + # blacklist graphics in initrd so the firmware can load from disk + "rd.driver.blacklist=msm" ]; + initrd = { includeDefaultModules = false; availableKernelModules = [ 
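Review bot: `"boot.shell_on_fail"` in `kernelParams` drops into the stage-1 rescue shell whenever early boot fails, which is handy while the x13s kernel and initrd are being worked out but should not stay on a device that travels; mark it as temporary, `"boot.shell_on_fail" # TODO: remove once the kernel/initrd stabilise`. In the overlay, `prev.alsa-ucm-conf.overrideAttrs (prev: { … })` shadows the overlay's own `prev` with the `overrideAttrs` argument; naming the inner one `old` avoids confusing the two. The `boot` attribute set continues into the next hunk.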
@@ -231,39 +237,65 @@ "phy-qcom-snps-femto-v2" "phy-qcom-usb-hs" "nvme" + + "usbcore" + "xhci_hcd" + "usbhid" + "usb_storage" + # "xhci_pci" + "uas" ]; }; }; - # power management, etc. - environment.systemPackages = with pkgs; [ - qrtr - qmic - rmtfs - pd-mapper - uncompressed-fw - ]; - environment.pathsToLink = [ "share/uncompressed-firmware" ]; - # ensure the x13s' dtb file is in the boot partition - system.activationScripts.x13s-dtb = '' - in_package="${dtb}" - esp_tool_folder="${efi.efiSysMountPoint}/" - in_esp="''${esp_tool_folder}${dtbName}" - >&2 echo "Ensuring $in_esp in EFI System Partition" - if ! ${pkgs.diffutils}/bin/cmp --silent "$in_package" "$in_esp"; then - >&2 echo "Copying $in_package -> $in_esp" - mkdir -p "$esp_tool_folder" - cp "$in_package" "$in_esp" - sync - fi - ''; + # default is performance + powerManagement.cpuFreqGovernor = "ondemand"; hardware.enableAllFirmware = true; hardware.firmware = [ pkgs.linux-firmware + + (pkgs.callPackage x13_firmware { }) (pkgs.callPackage "${self.inputs.brainwart_x13s-nixos}/pkgs/x13s-firmware.nix" { }) ]; + + systemd.services.pd-mapper = { + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "${lib.getExe pkgs.pd-mapper}"; + Restart = "always"; + }; + }; + + # bind mount over existing alsa-ucm-conf + # this is just config, but is in the critical path for lots of packages + # systemd.services.x13s-alsa-conf = { + # wantedBy = [ "multi-user.target" ]; + + # serviceConfig = { + # Type = "oneshot"; + # RemainAfterExit = true; + + # ExecStart = "${pkgs.util-linux.mount}/bin/mount -o bind ${pkgs.x13s_alsa-ucm-conf}/share/alsa ${pkgs.alsa-ucm-conf}/share/alsa"; + # ExecStop = "${pkgs.util-linux.mount}/bin/umount ${pkgs.alsa-ucm-conf}/share/alsa"; + # }; + # }; + + systemd.services.bluetooth = { + serviceConfig = { + # disabled because btmgmt call hangs + # ExecStartPre = [ + # "" + # "${pkgs.util-linux}/bin/rfkill block bluetooth" + # "${pkgs.bluez5-experimental}/bin/btmgmt public-addr 
${cfg.bluetoothMac}" + # "${pkgs.util-linux}/bin/rfkill unblock bluetooth" + # ]; + RestartSec = 5; + Restart = "on-failure"; + }; + }; }; }; }; diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix deleted file mode 100644 index 8bbc5c9..0000000 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ /dev/null 
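Review bot: `systemd.services.pd-mapper` sets only `ExecStart` and `Restart = "always"`, so if the daemon exits quickly after boot (for example before the qrtr firmware is up) the default restart interval will trip systemd's start-rate limit and the unit stays failed; add `RestartSec = 2;` alongside `Restart`. The unit also runs with no `User`/`DynamicUser` or sandboxing — pd-mapper may genuinely need root for the qrtr sockets, but a comment stating that would save the next reader from guessing. The enclosing `config` attribute set continues past the hunk.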
@@ -1,82 +0,0 @@ -{ repoFlake -, pkgs -, lib -, config -, nodeFlake -, nodeName -, localDomainName -, system -, ... -}: - -{ - imports = [ - # repoFlake.inputs.sops-nix.nixosModules.sops - - # ../../profiles/common/user.nix - - { - nix.nixPath = [ - "nixpkgs=${pkgs.path}" - ]; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - ]; - - nix.settings.max-jobs = lib.mkDefault "auto"; - nix.settings.cores = lib.mkDefault 0; - } - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - # users.commonUsers = { - # enable = true; - # enableNonRoot = false; - # rootPasswordFile = config.sops.secrets.passwords-root.path; - # }; - - users.users.root.password = "install"; - - # sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # sops.defaultSopsFormat = "yaml"; - - # sops.secrets.passwords-root.neededForUsers = true; - } - ]; - - networking = { - hostName = nodeName; - useNetworkd = false; - - networkmanager.enable = false; - - firewall.enable = false; - }; - - system.stateVersion = "23.11"; - - # We exclude a number of modules included in the default list. A non-insignificant amount do - # not apply to embedded hardware like this, so simply skip the defaults. - # - # Custom kernel is required as a lot of MTK components misbehave when built as modules. - # They fail to load properly, leaving the system without working ethernet, they'll oops on - # remove. MTK-DSA parts and PCIe were observed to do this. - - # boot.initrd.includeDefaultModules = false; - # boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"]; - # boot.initrd.availableKernelModules = ["nvme"]; - - nixpkgs.config.allowUnfree = true; - - # hardware.enableRedistributableFirmware = true; - - environment.systemPackages = [ - pkgs.busybox - ]; - - fileSystems."/".label = "x13s_root"; -} diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml index c081ae5..e423eb6 100644 --- a/secrets/shared-users.yaml 
+++ b/secrets/shared-users.yaml 
@@ -16,82 +16,100 @@ sops: - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbG5RWWVBZ2JZOXlENDVr - M3lCdEc4RnVwWlZJZXY5RGJ5aEFmcmlmK0hFCnNFSHliMHZyWTBLZG5ub2hPSy93 - dDNoWmgvTEhQdUdWL1dEbDZpRnBacFUKLS0tIFpjdVZBZjhRdll2TGdKdFVQTzVp - UDV5bXpzWXNzMTQwTkZPVjc0ckNUUFEKwYIl0ErBjh83ogRau2mYzkivxruLKQXj - eEQgNMf/xdWZ76OAKDwCF/7zmCSeT2UYoJFCfYtnMw7OxwOCyvPIOg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlanJ3b29Ed2Q3Y2I3SWRt + TlpTRFpMT3FhOUl0dGZGMW1lU3pQNW95bkZjCjY0bXV4Q2dBQjd6emZRdlczQ0F6 + V3RvbklucGhzbGpPUzJ4K3FrNzJ2SVEKLS0tIFRlWWRBNk1HdllsZzNQZDIwa2N6 + bUpjR0ZzNVd5dEpEZUJCSnVUWVJtSzAKb2dEX133nceasBIwgd8q6x6WWPCQ0Ukg + Rmsbi5u1SYrZr3544sVoo0PvkU7gT9Fh4/LOy9oPpJSEcTXf5DMzjQ== -----END AGE ENCRYPTED FILE----- - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAramZoZmdSOFdoWEttNndT - RHVWUC9RekVVL21iQVA5Z3JvajliSVZVNVNFCjhiMkdGOXNTa2FnVStUTVRVZm1s - Y1ZVdGFnZ0I2VGYxTW1Wakt5Znd3NXcKLS0tIERvVjFySDJDU3lRNGlpL3pYRWwy - UU0ybTRsSVlBaFV2d2xqVTc5Q1lNQWcKUti+W3HLneDzq/VI5yPBsTPyDUAUYL6U - tO1SMC8xBVbgzlFQtM84gYCE8ATxvwOJV+8wNrcHdWXQ8AJLF9UwPA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRjBHQ2lDYmhsei84STdk + eUVOdWZGOTJMR1JwbHB2ek5mRzVVdkJuU0ZjCmk2NUttVjgwTk42OUtxVStVMEFK + VFo0RFRyR3RJa2VJSm95NVV3dm5YL3MKLS0tIExGQUlhS3RDMjRHejRaZ01BQWZ1 + U0pZR3BzakVmUW1QNGhsQkNQMk1NY00KR3ZP/WB3sMNoWi13mjMqgnZuM8tnIjty + QHgwav0qOkcQqdYSfOY/DxmPgTG0CKroqRXY8Hk72Y/UH2HpyIptnQ== -----END AGE ENCRYPTED FILE----- - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZXpGREZxdzREU0tSV1Nu - ZnVONGdxU0VBb3RXY21pTEJVWUw3aUV1UG5ZCmZYcXVzdUgzalFvdXR1Q0FESENF - Q0VDSmlqbGRxemlGYVRQN2NQcGU3VEEKLS0tIFp1N2V6V3dkeWVpRGtrTzhyNUFE - 
TUdFcXpEbnpmdTlWM1I3UTBYSFo5UnMKJm4gkNDHnCujMk+i46hGEMoQWEs9IBRM - /Lb1BpHA+5BB0LB6yL1VkXttSBNp69s5LN/EgdvTnZ7qL4/KqhwvMg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UUs4dTFIcXVvZ285N1A1 + MmhleE50YXVGaDg0QlZsUWZNam4wYjRwL1FVClNBUm9GcWNvUitYSnBla1dIeDFl + SmZKMzBQTWpSdGRPcDVlTmRjQzZxNWcKLS0tIFh2UGJtMHdZTXo1N2lzckM3YXRl + NmZpcGRLVmZsYjkwZkJ2NEk5dzlmY0EKtxNY7qvh5ErrAhRcQHVnDc1orsYlLGCS + 8uLSOapuC8W6EH6w6aewQiggKBjDmECpNo7VyXfbURfaOk4o8uqg3A== -----END AGE ENCRYPTED FILE----- - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSk9GbVpxaHJPUGY4U3hu - K3hpbzhkMWVJNHIrNWVPRUphcjkvY0h1cWpnCkxYTmtiWjk2QktxSHJON01XRGJD - MDZZZlB3dU9NbXN4RHRMc2ZRTHdERE0KLS0tIFJpdUhWdm1INFU3eU96NFN3OFk1 - Z2dMQ2xGOTJCcXdCU0FFdVJjQVIwK1EKHLo6YIsfKAwQ/yBQvS1icIAS6W7AwABw - d5hD2G0KVJK66HnYWuQALQbuWh2i0OA2fNAywcKe4R5ACN5M8TKHew== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUEFIb3VmZVE2Q1NheGEx + YmdscFdEYThQa29jTEdzdjZlK1U2WFlUY3dVCm1CUmlMY21pMXRGTXY4RDZ3cE1p + UUxNMEozQndUaTNGUlVrK0pKWC9WODAKLS0tIG1wSnNEZVUvakkxZS8yaklpWlNH + MFZkc2Z4M1FNdWZkdmwvQVpiRDFtbTQKbnNBlKnsNiL6BeSC9AoGx6IVeOyvB5IH + mP6aBQHyOBMgGql2+WHLdjBS5qEeR43jZbWNKiTnt8lnnfj7GVgiPA== -----END AGE ENCRYPTED FILE----- - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3dEttcnphWlVpbTdET1pY - L2RxWkx2VWVxZ21URE53MFg1cVFpTkwxN1N3CmJSRk1DY2JkZk5DMlUvZFp5RXNw - YWh0Q1FxTUJwTWNVY09NTTdSRHEzM1UKLS0tIEREeGY4M2J1QWZUTThhTWxoOUVX - QVJSemJ4eldSbGU4dWZtU1hRNi9VQk0KhT8lL2mk8J/uZ0dECGbi14Se2cC7l6AK - yWgNHggdrPcSvHH/A2u1yUdfQCU36yEvoxAwa8y/uQW3lgU35iVT+g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1NTlhSXRFN1ZrYjZGdXlG + dDBlVUxJd0FlQnpETkJSbHppNGlncEp1emhRCjRLMkEvbXRkampwcWxvNnhRRVhY + dWlQWWI5YXJQMmR3cWxOVUtneWRDRFkKLS0tICt6ZEF3cHg0SUxES243TzdFcnVS + 
bkgrWklIbFFrRHdHZGdvMGlHTGNXUkEKUuT35aX71q+KBXozpoGWcHeSs0g70kyY + yo5uuD6Ay4QlNtdfeOYmsyg8iikOrpw5Mer2vsSTWGbszy8p1+93Pw== -----END AGE ENCRYPTED FILE----- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuT29LTzAxcHZPd0VFa2pG - ZVJ6K2tiT2V3MDJlakpjZ1puczFWZEdORFJNCitNRzViZHU4ZTRXMmJZYUZqRHJ2 - aDZtRlAyMDdOUHoxbWJ1c0JHaURXSlEKLS0tIHpnRitqc1BmV3FyUjZQcGtZZUtG - dXRPaEJna0duZDVLZVRpODM2enpiUmcKWLmGdJzLZ6UMcGRAzCb/UmsHl1Q+FQgk - IPTiCyyun+1JjWMSXC/z7rf2LFuvWvPPxHOChnYivBD60BYMgHJ8Sg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSzR0SFJPSjBVQVlCcFBT + ajMwNUFzZWwzMDkzTHh0anJETnVicWdiVFJJClRSVi9MbjdKcUUvRVFyby9RSVdk + VHpxbnBuQll3QzQwUERCNXdQOCtZSE0KLS0tIDBhbW1YU2c5YVpwUVMwY2EwVjRD + dk1uTzNZN1hnT2NHU29EN2FsQ1pUQVEK+cpcftNnD8HhLimsrp+YDLwurUZqENkQ + HX45h7tC7J6R0+w8A/1nfY1gsST/asgJhSGjroB+EdsP2aGUCUiNyA== + -----END AGE ENCRYPTED FILE----- + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bXZsYnYzMC8wQnhMUGpu + TVFKWkFTU1U0VTFDeUlaR2dzZzN6WG9ueFQ4CnFYMWpoUGFPbkZRTUtSN2ZnelFJ + Nk1CdjVTbnY3aG1FNVZrY3hQYmRGalEKLS0tIERsd2xvaStod1N4eHg3eTIxSlUy + NERKTEZpSkV3N2wxWTlVazhNdFk2NDQKt+omfSoPJQvohV4aED0HYMXwFKMq25lB + 9+gB0BJDYe7btIUuFr861EDWx+D32gBtbpRsyAitNJKc9NlZ4VLWuw== -----END AGE ENCRYPTED FILE----- - recipient: age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXN1hoQWdERDRTN0lJM0pI - RWcvZXVPN3ljd0h0QTA1SmN6dlorVi9vWjNNCmhscXhNTmhBVlZZN3VzdzFnRWNt - VTlTUGk0RnRIaHF2bnBPeFpOVHY4RGsKLS0tIDA5MjVFZnU3bTE3bHZZSzJJQmpD - NEJkTStUaWVzZTNpKzZNTnRmR0tJUGsKBsVqJ0Xg8qWHGb2IDJXrEq4k4LgQFhQS - HrVF7MAwE/WSnGRhh/V8osej3QHW4vLg37IjaT6v+hCcBOiJeCqg5g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXc0dETndkQVFwa2FwUUtj + 
aHNNaG5rS2VvamRtVDR1Rm1ubXFaR2NWa0RzCmdLbTFFUzlrZ01KWTY5Uk9uWTAy + Ym1kRXp4bWM1QUs2d1BwcE1WTEsyY3cKLS0tIG5qVm84WGlGVDlDWUVHWGNrcXJQ + NHR6S3pPRFhWemNWM0FMSjZpbXkzN0UKoTE6GuckP7QwuCQ8gZgitmW0URtG57u6 + VuWmt7vpSuutHJmccODDpFg4iJKC8SKIeUoQANKsnBJf/uZhDaG42Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1hkta9w0yawwwwchapemkygzxkrv7vx759vrafgrjhm63spckwstque8x97 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsM2ptZVl5R0tybkU1bHJp + ams0OENxU21FZDJjNkZNQUlteDF3RHBoOWpZCjFNUXhzMzhXR1FhUmxnSFAzcnVK + NVZONlNkVVdGcUNtZyszT1liOVdtOVUKLS0tIDZIR2NMWGVJclhqeitqN1V3endv + Z0wzT0hweEVML2plRTkzaFZsWHJHY2MKTcX84PLdHpuGzUn2v7r5gJLp9ZBhgLu6 + WI1KWIwbYj91hsoHjUH4lW0Xv7/mVLrON9wOQuOuyuVeDfP7GQ73qA== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-06T20:14:22Z" mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str] pgp: - - created_at: "2023-11-23T20:47:07Z" + - created_at: "2024-01-22T09:16:19Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf/Y907bW+LYWHAT8FPF12f8+GvUy744+9sMZe3oSX1ML9F - JOEjxSOs9OCWM79qBIMI6Nets3lV1eEoR8eG74jcIwNPQMfQn/U4hHtJM9Nq4yI7 - 1FLQEfGZcuSMUk2/1c/9lEi+Sye9W+9ZYGUIcvBu1ksPmZpJT/BVOaNc8xWe1hzY - FmEzwaWAPaxSH1EM3KnPhxezzn76DxjDKc4iMNi+5UoAIT2cssbdckf5uDaTa3CE - 6GrfR9//5ldsPqineM2MHeEMHgn+mlVYmpiXNBCfcMfEi81o6l5nmNjy1qjABEKC - 254kSW+vMFOhdH6AZvJ/21z/3aUTwMM2mFEti/nh4dJRAWNWEymviIC1o2esJ9K6 - 77xHv4pEIEahuBcHLBbeBK3AYYqJxcZr5BhIqGAir8OlCOaXzRsN5ElzmVS+Hoib - t04nfgpuRfKyso0zrndvLwDn - =lmD0 + wcBMA0SHG/zF3227AQf/WsDFXBatZSxOmQWVGXw0MOeC2QOKaUo5if7C4Z0d+cMg + AyEmUMFcU3KkTFTqjqSqjA/9k/AJiqJxQkXqcSVHT4z3vNdGzrWVsJI4fimmumFZ + Hcc7hIgkBK1THkTkoOr3G3WRHJ/J4nZmABycWSt1kF1FdnHnXo8bXh25Sk+Ellt2 + +SlaC8NAZtd2P6L3ZxQYFUud3mc6/uUV5GTkZ7RisjMnAEVF5BbvzSAlAj7fh4Ph + 
ZJxMLzVnqQHrN+U/0WuFtL8KJaCF9zecxQxzaM/Zf/Sa5x4fsoqsjmMPhtwQMvC5 + ehiXSoVYETuJylSQF+N44V46/lrO6qqnIi+5NqqC2NJRAXH01P/bMQfW5M6AqQgJ + muPztPFjBL46D3wVo6Hg0JL6ag5DV4/mjTOpEiiGUHKxTDxFwlNYRQQX2EHnBHFb + Otf7rnrSdA+I9GqEpCNkzdbi + =pR8T -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B unencrypted_suffix: _unencrypted diff --git a/secrets/steveej-x13s-rmvbl/secrets.yaml b/secrets/steveej-x13s-rmvbl/secrets.yaml new file mode 100644 index 0000000..7b2d3ec --- /dev/null +++ b/secrets/steveej-x13s-rmvbl/secrets.yaml 
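Review bot: The rekeyed recipient list now carries `age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv` twice, once in the pre-existing stanza and once in a stanza this hunk adds. sops will write two key-wrap entries for the same public key without complaint, but the duplicate usually means one age identity has been registered under two host anchors in `.sops.yaml`; if two machines really share a private key, either can decrypt everything meant for the other, so the newer host should get its own key and the file should be rekeyed. The only other recipient added here is `age1hkta9w0yawwwwchapemkygzxkrv7vx759vrafgrjhm63spckwstque8x97`.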
@@ -0,0 +1,46 @@ +hello: ENC[AES256_GCM,data:9dO0Gd4YDDxWHHBYtdomfK8BJnBZC+SQYfUvTAkCq9sOO/ZH/bFhN0Fl/NvLzQ==,iv:m1TZ9PGjsoMo7NA9EHrLb0tCtIl98E3OEN1bkpZZxXY=,tag:Gup/pACLIXGXu8KEyzmfWg==,type:str] +example_key: ENC[AES256_GCM,data:EQ+uewu8+17QhrbIHg==,iv:N9i1tCT5IHz5WYbqyF0AIqCq/c67uPMiavUxt0Eb2Oc=,tag:UwOrM3cOLYMxIe80GenljA==,type:str] +#ENC[AES256_GCM,data:qZzxU9ai1z/5f3gxHrR5Dq56,iv:ccvxVS693K9Jjp/YIesWo8kemtkCSFWHJlJposcmXt0=,tag:FQUUPO+ydScUVZWH89vEew==,type:comment] +#ENC[AES256_GCM,data:Il5rKFCgUQERmLqSEOnzoQ==,iv:ALxNqdu/MgDdPyiEsq0Qgb/5bOBS3OgIWf0ZOUbGLJg=,tag:u4vJ7Y6iwa1Na5FIebrVow==,type:comment] +example_array: + - ENC[AES256_GCM,data:yMM0kfvv4WI/reWLuM8=,iv:51XoWYOFLAbhIzejbWBwIpi2JVhQZIivLt4HVJtXPpA=,tag:J9C7NwdVOoocGKWUvUAOSQ==,type:str] + - ENC[AES256_GCM,data:Tg1bRwtydMuaLvnvTDc=,iv:8c44EM1U5tqD8Mn8Fg37MyASi+xv78BB+8AjG59tzXE=,tag:OvxU9x0pZbjW9j/DQMahFg==,type:str] +example_number: ENC[AES256_GCM,data:DhzIPdpqm/p1pQ==,iv:ZWkBTeuyaXVzffEVGuw1xxi+ekiSGyspE9PeBNRRm1k=,tag:Qq1/Wo3XY+Y2u5luxxxTeA==,type:float] +example_booleans: + - ENC[AES256_GCM,data:ZA6WIQ==,iv:gkQnXrVZiP6Yj4SVdtM09Jmpebb11998tv3y/P5pvqE=,tag:ujwkH9l6/+1W4IeDu3HBFw==,type:bool] + - ENC[AES256_GCM,data:YcDPFAc=,iv:r9gBG5YIq5Sgs6/HWRWjBJZ8TrlXDxnAZN1PRBVIq8k=,tag:TTP0tsiPsPsd6BjkScCRbQ==,type:bool] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hkta9w0yawwwwchapemkygzxkrv7vx759vrafgrjhm63spckwstque8x97 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWk1LS3A0NENRZk1HZm8x + dW1PNkxZV1ZWdStzb2M5MzRRNmJmUXcvakJJCnpwVlZRV3FHVDNUbURSMWZXY3k2 + NUliMUpNT3kreEZITjR3dDdrU2MvVkEKLS0tIFp5U2tCa3V5NWhqWHgzdDR5RG9D + SmxNVk45UklhUjRYc2pTVy9FWFBhQUUK1QMqDCIZnyyzJhUb0TBgheW2P6lAUTQe + KLhYqTRuo5/zS5C2uANa028CNGWJVOoEgKEw3xjHz0pvSkT5JkI8WQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-22T09:20:19Z" + mac: 
ENC[AES256_GCM,data:Mmo5XJaMIDZ0sqKyn7oK+l6XdrTyA0NuF8tueLEKSdSCFxr2TJjroyojsybrYKehp5rrW1rT8cWWld2wXEEr+txsMCzIrlDqyerkcsu7ioMJb7ihRyXATBzdBOfUTq/8iLLc9gE9uRaMbeNOrglF0nxS+VtwOmst/z6fl7wC0+Q=,iv:t+dSzeBBhVfPo2efHM4iWIE/DHTDAm917kZrV1UxV0I=,tag:+CPkO6bbWqMzWBs16HT8GA==,type:str] + pgp: + - created_at: "2024-01-22T09:20:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQgApMVbQc+4BUc/7ima51XMJzIBA93SOLOCmyn2J9tLG/V/ + ZM6fmWyiLvCRowA0nLt19DYnaRrEXTcRlvBPs/RIx6Fmq4260ZvyPN7Fea6ltVOL + EhG5IJHaweUhXMi6UV2/6vuTBbQsLzWK8xl6bZNCVFWB/JiLrHzukWpE4ACeqD0Y + P/428L4XCW05DkltQdfQrn2bIlf/6c/itvepRr1tHFr8ABuBM/g4hSg/nFyHlrH3 + CtrdPSQBopZxhVv4MoHPWSQ6jGjrmqumc6gyNGa1Ugry3FmuFmdlMAoUsQtG/cU1 + ORM/CvKwxLZU+qifm8QU4BO+0Gw/nhLrYfX0/EWsmtJRAQJt51PK3t/nXUTE47sT + lz+zPgpT/Sz9E/wKH3yAq9RuXKKtwc7oRJS+NHuv10YPIkhVejSjvmsGEKezU1ed + 6BsZrcVnaQt+SdmUOEuP/iRF + =8elR + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 From 2ff952b3a3ab4b248e260feaae1aafb944b55f02 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 22 Jan 2024 14:51:46 +0100 Subject: [PATCH 09/42] x13s: fiddle with modules because of screen blanking issues --- .../steveej-x13s-rmvbl/configuration.nix | 11 ++ nix/os/devices/steveej-x13s-rmvbl/flake.lock | 14 +- nix/os/devices/steveej-x13s-rmvbl/flake.nix | 171 ++++++++++-------- 3 files changed, 118 insertions(+), 78 deletions(-) diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix index 6ecdbb8..14d206e 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix @@ -45,6 +45,13 @@ } ]; + hardware.thinkpad-x13s = { + enable = true; + + # TODO: use hardware address + bluetoothMac = "65:9e:7a:8b:86:28"; + }; + networking = { hostName = nodeName; 
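Review bot: The new `secrets/steveej-x13s-rmvbl/secrets.yaml` still holds the sops sample payload (`hello`, `example_key`, `example_array`, `example_number`, `example_booleans`) rather than anything the node reads, although `configuration.nix` already points `sops.defaultSopsFile` at it. Replace the sample entries with the secrets the host actually consumes, or leave the file out until there is something to store, so a reader does not mistake placeholder material for provisioned credentials.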
@@ -59,8 +66,12 @@ nixpkgs.config.allowUnfree = true; environment.systemPackages = [ + pkgs.sshfs pkgs.util-linux pkgs.coreutils pkgs.vim + + pkgs.git + pkgs.git-crypt ]; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.lock b/nix/os/devices/steveej-x13s-rmvbl/flake.lock index 71d8fc6..385f8dd 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.lock +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.lock @@ -1,13 +1,13 @@ { "nodes": { - "acamcstephens_stop-export": { + "adamcstephens_stop-export": { "flake": false, "locked": { - "lastModified": 1705858695, - "narHash": "sha256-iTIwMsw/cjacCkSzzCwb+nEkpOK/PoPenPHOysWCBSk=", + "lastModified": 1705876512, + "narHash": "sha256-nvBqLyi8dMQf3xnROwEcUv4iqV55Mr8S8OGYepu14i4=", "ref": "refs/heads/main", - "rev": "8b61e53b83caf55bd374f4ce2b20f1e8012ce2ec", - "revCount": 13, + "rev": "388684db5b529bbd6f3e948cf175df089eb09766", + "revCount": 14, "type": "git", "url": "https://codeberg.org/adamcstephens/stop-export.git" }, @@ -28,8 +28,8 @@ }, "original": { "owner": "alsa-project", + "ref": "master", "repo": "alsa-ucm-conf", - "rev": "e87dde51d68950537f92af955ad0633437cc419a", "type": "github" } }, @@ -135,7 +135,7 @@ }, "root": { "inputs": { - "acamcstephens_stop-export": "acamcstephens_stop-export", + "adamcstephens_stop-export": "adamcstephens_stop-export", "alsa-ucm-conf": "alsa-ucm-conf", "brainwart_x13s-nixos": "brainwart_x13s-nixos", "disko": "disko", diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix index d5eceb3..a60ced8 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix @@ -19,7 +19,7 @@ flake = false; }; - acamcstephens_stop-export = { + adamcstephens_stop-export = { flake = false; url = "git+https://codeberg.org/adamcstephens/stop-export.git"; }; 
@@ -27,7 +27,7 @@ alsa-ucm-conf = { flake = false; - url = "github:alsa-project/alsa-ucm-conf/e87dde51d68950537f92af955ad0633437cc419a"; + url = "github:alsa-project/alsa-ucm-conf/master"; }; }; @@ -90,8 +90,24 @@ let # TODO: introduce options for these kernelPdMapper = true; + cfg = config.hardware.thinkpad-x13s; in { + options.hardware.thinkpad-x13s = { + # TODO: respect this + enable = lib.mkEnableOption "x13s hardware support"; + + bluetoothMac = lib.mkOption { + type = lib.types.str; + description = "mac address to set on boot"; + }; + + bluetoothMacAddr = lib.mkOption { + default = "00:00:00:00:00"; + type = lib.types.str; + }; + + }; config = let inherit (config.boot.loader) efi; @@ -117,13 +133,18 @@ QCOM_TSENS = lib.mkForce yes; NVMEM_QCOM_QFPROM = lib.mkForce yes; ARM_QCOM_CPUFREQ_NVMEM = lib.mkForce yes; - } // lib.optionalAttrs kernelPdMapper { - QCOM_PD_MAPPER = lib.mkForce yes; - QRTR = lib.mkForce yes; + VIRTIO_PCI = lib.mkForce module; + # forthcoming kernel work: QCOM_PD_MAPPER = lib.mkForce module; }; } ]; + qrtr = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/qrtr.nix" { }; + pd-mapper = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/pd-mapper.nix" { + inherit qrtr; + }; + + # We can't quite move to mainline linux linux_x13s_pkg = { buildLinux, ... } @ args: buildLinux (args // rec { 
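Review bot: The `alsa-ucm-conf` input in the `@@ -27,7 +27,7 @@` hunk moves from a pinned commit (`e87dde51…`) to the moving `master` branch, and the flake.lock hunk `@@ -28,8 +28,8 @@` drops `rev` from the `original` entry to match. Reproducibility now rests solely on `locked.rev` in flake.lock, so every `nix flake update` will silently pull whatever `master` holds at that moment into a package whose files end up in the audio stack; the same pattern is introduced for the repo-level inputs in the `[PATCH 12/42]` flake.nix hunk `@@ -68,6 +69,31 @@` (`wip/sc8280xp-v6.7`, `flake`, `master`, and an unpinned codeberg URL whose Nix files are evaluated via `callPackage`). If tracking upstream is intended, say so on the line, e.g. `# intentionally unpinned: tracks upstream master; review the diff on every flake update`; otherwise keep the commit hash in the url.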
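Review bot: `bluetoothMacAddr` in the `@@ -90,8 +90,24 @@` hunk defaults to `"00:00:00:00:00"`, which is five octets rather than the six a MAC address has, and nothing visible reads it; `bluetoothMac` next to it is the option actually consumed (`btmgmt public-addr ${cfg.bluetoothMac}` in the `@@ -254,44 +294,33 @@` hunk). Both are `lib.types.str`, so any string — including whitespace or quotes that systemd's `ExecStartPre` parser would split into extra arguments — passes evaluation. Suggest dropping the unused option and constraining the used one: `type = lib.types.strMatching "^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$";`. Judging by the `# TODO: respect this` on `enable`, the module's config is applied regardless of the option's value; wrapping the config block in `lib.mkIf cfg.enable` would close that gap.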
@@ -142,48 +163,43 @@ }; linuxPackages_x13s = pkgs.linuxPackagesFor linux_x13s; - dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/sc8280xp-lenovo-thinkpad-x13s.dtb"; + dtbName = "sc8280xp-lenovo-thinkpad-x13s.dtb"; + dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/${dtbName}"; - dtbName = "x13s63rc4.dtb"; - - x13_firmware = { stdenvNoCC, fetchFromGitHub }: - stdenvNoCC.mkDerivation { - pname = "x13s-extra-firmware"; - version = "1.0.0"; - - src = fetchFromGitHub { - owner = "ironrobin"; - repo = "x13s-alarm"; - rev = "efa51c3b519f75b3983aef67855b1561d9828771"; - sha256 = "sha256-weETbWXz9aL2pDQDKk7fkb1ecQH0qrhUYDs2E5EiJcI="; - }; - - dontFixup = true; - dontBuild = true; - - installPhase = '' - mkdir -p $out/lib/firmware/qcom/sc8280xp/LENOVO/21BX - cp x13s-firmware/qcvss8280.mbn $out/lib/firmware/qcom/sc8280xp/LENOVO/21BX/ - ''; - }; + x13s_alsa-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs (prev: { + src = self.inputs.alsa-ucm-conf; + }); + alsa-ucm-conf-env.ALSA_CONFIG_UCM2 = "${x13s_alsa-ucm-conf}/share/alsa/ucm2"; in { nixpkgs.overlays = [ (final: prev: { - qrtr = final.callPackage "${self.inputs.acamcstephens_stop-export}/hardware/x13s/qrtr/qrtr.nix" { }; - pd-mapper = final.callPackage "${self.inputs.acamcstephens_stop-export}/hardware/x13s/qrtr/pd-mapper.nix" { - inherit (final) qrtr; - }; + x13s_extra-firmware = pkgs.callPackage + "${self.inputs.adamcstephens_stop-export}/hardware/x13s/extra-firmware.nix" + { }; - x13s_alsa-ucm-conf = prev.alsa-ucm-conf.overrideAttrs (prev: { - src = self.inputs.alsa-ucm-conf; - }); + inherit qrtr pd-mapper; } ) ]; + # ensure the x13s' dtb file is in the boot partition + # TODO:: is this needed for the VT display somehow? + system.activationScripts.x13s-dtb = '' + in_package="${dtb}" + esp_tool_folder="${efi.efiSysMountPoint}/" + in_esp="''${esp_tool_folder}${dtbName}" + >&2 echo "Ensuring $in_esp in EFI System Partition" + if ! 
${pkgs.diffutils}/bin/cmp --silent "$in_package" "$in_esp"; then + >&2 echo "Copying $in_package -> $in_esp" + mkdir -p "$esp_tool_folder" + cp "$in_package" "$in_esp" + sync + fi + ''; + boot = { loader.systemd-boot.enable = true; loader.systemd-boot.extraFiles = { @@ -213,6 +229,31 @@ initrd = { includeDefaultModules = false; + + # kernelModules = [ + # "nvme" + # "phy_qcom_qmp_pcie" + # "pcie_qcom" + + # "i2c_core" + # "i2c_hid" + # "i2c_hid_of" + # "i2c_qcom_geni" + + # "leds_qcom_lpg" + # "pwm_bl" + # "qrtr" + # "pmic_glink_altmode" + # "gpio_sbu_mux" + # "phy_qcom_qmp_combo" + # "gpucc_sc8280xp" + # "dispcc_sc8280xp" + # "phy_qcom_edp" + # "panel_edp" + # # "msm" + + # ]; + availableKernelModules = [ "i2c_hid" "i2c_hid_of" @@ -223,26 +264,25 @@ "pmic_glink_altmode" "gpio_sbu_mux" "phy_qcom_qmp_combo" - "panel-edp" - "msm" + "panel_edp" + # "msm" "phy_qcom_edp" - "i2c-core" - "i2c-hid" - "i2c-hid-of" - "i2c-qcom-geni" - "pcie-qcom" - "phy-qcom-qmp-combo" - "phy-qcom-qmp-pcie" - "phy-qcom-qmp-usb" - "phy-qcom-snps-femto-v2" - "phy-qcom-usb-hs" + "i2c_core" + "i2c_hid" + "i2c_hid_of" + "i2c_qcom_geni" + "pcie_qcom" + "phy_qcom_qmp_combo" + "phy_qcom_qmp_pcie" + "phy_qcom_qmp_usb" + "phy_qcom_snps_femto_v2" + "phy_qcom_usb_hs" "nvme" "usbcore" "xhci_hcd" "usbhid" "usb_storage" - # "xhci_pci" "uas" ]; }; 
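Review bot: The `x13s-dtb` activation script in the `@@ -142,48 +163,43 @@` hunk runs `mkdir -p "$esp_tool_folder"` and `cp` without checking that `efi.efiSysMountPoint` is actually mounted, so on a boot where the ESP failed to mount it creates a directory on the root filesystem, copies the dtb there, reports success, and the bootloader never sees the file. A guard before the `cmp`, e.g. `${pkgs.util-linux}/bin/mountpoint -q "$esp_tool_folder" || { >&2 echo "ESP not mounted at $esp_tool_folder, refusing to copy dtb"; exit 1; }`, turns that silent miss into a visible failure. The overlay in the same hunk also switches from `final.callPackage` (removed lines) to `pkgs.callPackage` for `x13s_extra-firmware`; using `final` keeps other overlay changes visible to that package. The enclosing `config = let … in { … }` block starts before this hunk.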
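Review bot: After the dash-to-underscore rename in the `@@ -223,26 +264,25 @@` hunk, `i2c_hid`, `i2c_hid_of` and `phy_qcom_qmp_combo` each appear twice in `availableKernelModules` — once among the leading entries (visible as context in the `@@ -213,6 +229,31 @@` hunk) and again in the renamed block. Duplicates are harmless to the initrd, but they hide which group is the intended one; dedupe the list, or mark the second group with a comment such as `# former dash-named entries, renamed to module names`.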
@@ -254,44 +294,33 @@ hardware.enableAllFirmware = true; hardware.firmware = [ - pkgs.linux-firmware + # pkgs.linux-firmware - (pkgs.callPackage x13_firmware { }) - (pkgs.callPackage "${self.inputs.brainwart_x13s-nixos}/pkgs/x13s-firmware.nix" { }) + pkgs.x13s_extra-firmware ]; systemd.services.pd-mapper = { wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${lib.getExe pkgs.pd-mapper}"; + ExecStart = "${lib.getExe pd-mapper}"; Restart = "always"; }; }; - # bind mount over existing alsa-ucm-conf - # this is just config, but is in the critical path for lots of packages - # systemd.services.x13s-alsa-conf = { - # wantedBy = [ "multi-user.target" ]; - - # serviceConfig = { - # Type = "oneshot"; - # RemainAfterExit = true; - - # ExecStart = "${pkgs.util-linux.mount}/bin/mount -o bind ${pkgs.x13s_alsa-ucm-conf}/share/alsa ${pkgs.alsa-ucm-conf}/share/alsa"; - # ExecStop = "${pkgs.util-linux.mount}/bin/umount ${pkgs.alsa-ucm-conf}/share/alsa"; - # }; - # }; + environment.sessionVariables = alsa-ucm-conf-env; + systemd.user.services.pipewire.environment = alsa-ucm-conf-env; + systemd.user.services.wireplumber.environment = alsa-ucm-conf-env; systemd.services.bluetooth = { serviceConfig = { # disabled because btmgmt call hangs - # ExecStartPre = [ - # "" - # "${pkgs.util-linux}/bin/rfkill block bluetooth" - # "${pkgs.bluez5-experimental}/bin/btmgmt public-addr ${cfg.bluetoothMac}" - # "${pkgs.util-linux}/bin/rfkill unblock bluetooth" - # ]; + ExecStartPre = [ + "" + "${pkgs.util-linux}/bin/rfkill block bluetooth" + "${pkgs.bluez5-experimental}/bin/btmgmt public-addr ${cfg.bluetoothMac}" + "${pkgs.util-linux}/bin/rfkill unblock bluetooth" + ]; RestartSec = 5; Restart = "on-failure"; }; From 69b17e91f26842642e1ca187b07b5efda93ac500 Mon Sep 17 00:00:00 2001 
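Review bot: The comment `# disabled because btmgmt call hangs` in the `@@ -254,44 +294,33 @@` hunk is now stale: the `ExecStartPre` list directly under it is uncommented and active, so the next reader is told the opposite of what the unit does. Either remove the comment or state why it is safe now, e.g. `# btmgmt previously hung here; re-enabled with the module changes in this commit — revert if bluetooth.service stops starting`. The hunk also comments out `pkgs.linux-firmware` in `hardware.firmware` while `hardware.enableAllFirmware = true` stays in context; in the nixpkgs versions I know that option already pulls linux-firmware in, so the removal looks cosmetic, but a one-line comment saying which is intended would save the next reader the check.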
From: Stefan Junker Date: Mon, 22 Jan 2024 15:01:36 +0100 Subject: [PATCH 10/42] fmt --- .../configuration/graphical-fullblown.nix | 38 ++++++++++--------- 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 8ef7cc4..0333dad 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -1,17 +1,18 @@ -{ - pkgs, - config, - # these come in via home-manager.extraSpecialArgs and are specific to each node - nodeFlake, - packages', - # repoFlake, +{ pkgs +, config +, # these come in via home-manager.extraSpecialArgs and are specific to each node + nodeFlake +, packages' +, # repoFlake, # repoFlakeInputs', ... -}: let +}: +let # pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system}; - pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small {inherit (pkgs) system config;}; + pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small { inherit (pkgs) system config; }; pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; -in { +in +{ imports = [ ../profiles/common.nix ../profiles/dotfiles.nix @@ -37,13 +38,13 @@ in { ../programs/vscode # TODO: bump these to 23.05 and make it work - (args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;})) + (args: import ../programs/radicale.nix (args // { pkgs = pkgs2211; })) # (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;})) ]; home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.GOPATH = "$HOME/src/go"; - home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; + home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ "$HOME/.local/bin" "$PATH" ]; nixpkgs.config.permittedInsecurePackages = [ "electron-24.8.6" 
@@ -51,7 +52,7 @@ in { ]; home.packages = - [] + [ ] ++ (with pkgs; [ # Authentication cacert @@ -249,11 +250,12 @@ in { pcmanfm # mendeley evince - (runCommand "logseq-wrapper" { - nativeBuildInputs = [ makeWrapper ]; - } '' - makeWrapper ${logseq}/bin/logseq $out/bin/logseq \ - --set NIXOS_OZONE_WL "" + (runCommand "logseq-wrapper" + { + nativeBuildInputs = [ makeWrapper ]; + } '' + makeWrapper ${logseq}/bin/logseq $out/bin/logseq \ + --set NIXOS_OZONE_WL "" '') # (logseq.override({ electron_25 = electron_26; })) From 0d070589effe6f4fe8db6e7dde02a49d2fa320e1 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 22 Jan 2024 19:02:32 +0100 Subject: [PATCH 11/42] fmt --- nix/home-manager/profiles/wayland-desktop.nix | 23 ++-- nix/os/devices/steveej-t14/secrets.nix | 7 -- nix/os/snippets/radicale.nix | 101 ++++++++++++++++++ .../radicale_htpasswd | 0 4 files changed, 113 insertions(+), 18 deletions(-) delete mode 100644 nix/os/devices/steveej-t14/secrets.nix create mode 100644 nix/os/snippets/radicale.nix rename secrets/{steveej-t14 => desktop}/radicale_htpasswd (100%) diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix index 6c4d820..ffab825 100644 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ b/nix/home-manager/profiles/wayland-desktop.nix @@ -1,19 +1,20 @@ -{ - pkgs, - config, - lib, - repoFlake, - nodeFlake, - ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +{ pkgs +, config +, lib +, repoFlake +, nodeFlake +, ... +}: +let + inherit (import ../lib.nix { }) mkSimpleTrayService; nixpkgs-2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; nixpkgs-unstable-small = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system}; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; wayprompt = nixpkgs-wayland'.wayprompt; -in { +in +{ fonts.fontconfig.enable = true; # services.gpg-agent.pinentryFlavor = lib.mkForce null; 
@@ -29,7 +30,7 @@ in { systemd.user.targets.tray = { Unit = { Description = "Home Manager System Tray"; - Requires = ["graphical-session-pre.target"]; + Requires = [ "graphical-session-pre.target" ]; }; }; diff --git a/nix/os/devices/steveej-t14/secrets.nix b/nix/os/devices/steveej-t14/secrets.nix deleted file mode 100644 index a97d67d..0000000 --- a/nix/os/devices/steveej-t14/secrets.nix +++ /dev/null @@ -1,7 +0,0 @@ -{config, ...}: { - sops.secrets.radicale_htpasswd = { - sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd; - format = "binary"; - owner = config.users.users.steveej.name; - }; -} diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix new file mode 100644 index 0000000..97f4fdc --- /dev/null +++ b/nix/os/snippets/radicale.nix 
@@ -0,0 +1,101 @@ +{ config +, lib +, pkgs +, repoFlake + # TODO: make configurable +, homeUser ? "steveej" +, ... +}: + +let + radicalePkgs = repoFlake.inputs.radicale-nixpkgs.legacyPackages.${pkgs.system}; + + libdecsync = pkgs.python3Packages.buildPythonPackage rec { + pname = "libdecsync"; + version = "2.2.1"; + + src = pkgs.python3Packages.fetchPypi { + inherit pname version; + hash = "sha256-Mukjzjumv9VL+A0maU0K/SliWrgeRjAeiEdN5a83G0I="; + }; + + propagatedBuildInputs = [ + # pkgs.libxcrypt-legacy + ]; + }; + radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec { + pname = "radicale_storage_decsync"; + version = "2.1.0"; + + src = pkgs.python3Packages.fetchPypi { + inherit pname version; + hash = "sha256-X+0MT5o2PjsKxca5EDI+rYyQDmUtbRoELDr6e4YXKCg="; + }; + + buildInputs = [ + pkgs.radicale + # pkgs.libxcrypt-legacy + # pkgs.libxcrypt + ]; + + nativeCheckInputs = [ + # pkgs.libxcrypt-legacy + # pkgs.libxcrypt + ]; + + propagatedBuildInputs = [ libdecsync pkgs.python3Packages.setuptools ]; + }; + radicale-decsync = pkgs.radicale.overrideAttrs (old: { + propagatedBuildInputs = + old.propagatedBuildInputs + ++ [ radicale-storage-decsync ]; + }); + + mkRadicaleService = + { suffix + , port + , + }: + let + radicale-config = pkgs.writeText "radicale-config-${suffix}" '' + [server] + hosts = localhost:${builtins.toString port} + + [auth] + type = htpasswd + htpasswd_filename = ${config.sops.secrets.radicale_htpasswd.path} + htpasswd_encryption = bcrypt + + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync-${suffix} + ''; + in + { + home-manager.users.${homeUser}.systemd.user.services."radicale-${suffix}" = { + Unit.Description = "Radicale with DecSync (${suffix})"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart = "on-failure"; + }; + Install.WantedBy = [ "default.target" ]; + }; + }; +in +{ + 
sops.secrets.radicale_htpasswd = { + sopsFile = ../../../../secrets/desktop/radicale_htpasswd; + format = "binary"; + owner = config.users.users.${homeUser}.name; + }; +} // (builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 5233; + } +]) diff --git a/secrets/steveej-t14/radicale_htpasswd b/secrets/desktop/radicale_htpasswd similarity index 100% rename from secrets/steveej-t14/radicale_htpasswd rename to secrets/desktop/radicale_htpasswd From ea13703ea0d18d6c5b7761e7ab94dd30cdde855f Mon Sep 17 00:00:00 2001 
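Review bot: `filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix}` and the `decsync_dir` line in the new `nix/os/snippets/radicale.nix` read `config.xdg.dataHome`, but `config` in this NixOS snippet is the system configuration (the same file uses it for `config.sops.secrets` and `config.users.users`), where I know of no `xdg.dataHome` option; the home-manager copy in `nix/home-manager/programs/radicale.nix` evaluates it against the user config, where it exists. Unless the `[PATCH 12/42]` rewrite of this file fixes it, the path should come from the home-manager side, e.g. `config.home-manager.users.${homeUser}.xdg.dataHome`. `radicalePkgs` is bound at the top of the file and never used. `hosts = localhost:…` and `htpasswd_encryption = bcrypt` keep the service loopback-only with hashed credentials; a comment above `[server]` such as `# loopback only by design; clients reach it via DecSync, not over the network` would record that as a deliberate choice.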
From: Stefan Junker Date: Mon, 22 Jan 2024 22:50:51 +0100 Subject: [PATCH 12/42] WIP: x13s: install to nvme, refactor into module --- .sops.yaml | 7 + flake.lock | 74 +++++ flake.nix | 39 ++- .../configuration/graphical-fullblown.nix | 224 +++++++-------- nix/home-manager/profiles/common.nix | 14 +- nix/home-manager/profiles/wayland-desktop.nix | 10 +- nix/home-manager/programs/chromium.nix | 37 +-- nix/home-manager/programs/radicale.nix | 89 +++--- nix/home-manager/programs/zsh.nix | 118 ++++---- nix/os/devices/steveej-t14/configuration.nix | 3 +- nix/os/devices/steveej-t14/pkg.nix | 108 ++----- nix/os/devices/steveej-t14/system.nix | 13 +- .../steveej-x13s-rmvbl/configuration.nix | 35 ++- nix/os/devices/steveej-x13s-rmvbl/default.nix | 25 +- nix/os/devices/steveej-x13s-rmvbl/flake.lock | 70 ++++- nix/os/devices/steveej-x13s-rmvbl/flake.nix | 272 +----------------- nix/os/devices/steveej-x13s/.gitignore | 1 + nix/os/devices/steveej-x13s/configuration.nix | 107 +++++++ nix/os/devices/steveej-x13s/default.nix | 40 +++ nix/os/devices/steveej-x13s/disko.nix | 66 +++++ nix/os/devices/steveej-x13s/flake.lock | 207 +++++++++++++ nix/os/devices/steveej-x13s/flake.nix | 73 +++++ nix/os/modules/hardware.thinkpad-x13s.nix | 242 ++++++++++++++++ nix/os/modules/opinionatedDisk.nix | 2 +- nix/os/profiles/common/pkg.nix | 19 +- nix/os/snippets/radicale.nix | 107 ++----- nix/os/snippets/sway-desktop.nix | 90 ++++++ secrets/desktop/radicale_htpasswd | 6 +- 28 files changed, 1361 insertions(+), 737 deletions(-) create mode 100644 nix/os/devices/steveej-x13s/.gitignore create mode 100644 nix/os/devices/steveej-x13s/configuration.nix create mode 100644 nix/os/devices/steveej-x13s/default.nix create mode 100644 nix/os/devices/steveej-x13s/disko.nix create mode 100644 nix/os/devices/steveej-x13s/flake.lock create mode 100644 nix/os/devices/steveej-x13s/flake.nix create mode 100644 nix/os/modules/hardware.thinkpad-x13s.nix create mode 100644 nix/os/snippets/sway-desktop.nix 
diff --git a/.sops.yaml b/.sops.yaml index 4ac1cea..895ce81 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -41,6 +41,13 @@ creation_rules: - *steveej age: - *steveej-t14 + - path_regex: ^secrets/desktop/.+$ + key_groups: + - pgp: + - *steveej + age: + - *steveej-t14 + - *steveej-x13s-rmvbl - path_regex: ^secrets/servers/.+$ key_groups: - pgp: diff --git a/flake.lock b/flake.lock index 86a3f52..825f580 100644 --- a/flake.lock +++ b/flake.lock @@ -1,5 +1,38 @@ { "nodes": { + "adamcstephens_stop-export": { + "flake": false, + "locked": { + "lastModified": 1705876512, + "narHash": "sha256-nvBqLyi8dMQf3xnROwEcUv4iqV55Mr8S8OGYepu14i4=", + "ref": "refs/heads/main", + "rev": "388684db5b529bbd6f3e948cf175df089eb09766", + "revCount": 14, + "type": "git", + "url": "https://codeberg.org/adamcstephens/stop-export.git" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/adamcstephens/stop-export.git" + } + }, + "alsa-ucm-conf": { + "flake": false, + "locked": { + "lastModified": 1705501566, + "narHash": "sha256-Nyr7tjH5VBjocvaKaHCiK+zsjThYBtcr936aRWCBBpM=", + "owner": "alsa-project", + "repo": "alsa-ucm-conf", + "rev": "e87dde51d68950537f92af955ad0633437cc419a", + "type": "github" + }, + "original": { + "owner": "alsa-project", + "ref": "master", + "repo": "alsa-ucm-conf", + "type": "github" + } + }, "aphorme_launcher": { "flake": false, "locked": { @@ -17,6 +50,23 @@ "type": "github" } }, + "brainwart_x13s-nixos": { + "flake": false, + "locked": { + "lastModified": 1705565623, + "narHash": "sha256-sisr/dFIz8p3/Y7mz+arWxjeiBmUTQkMqkF9j3c2dWE=", + "owner": "BrainWart", + "repo": "x13s-nixos", + "rev": "29002122d86a1009ba70e7a4ca3063e5404c77a2", + "type": "github" + }, + "original": { + "owner": "BrainWart", + "ref": "flake", + "repo": "x13s-nixos", + "type": "github" + } + }, "colmena": { "inputs": { "flake-compat": "flake-compat", 
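Review bot: The new `^secrets/desktop/.+$` rule in the `@@ -41,6 +41,13 @@` hunk lists `*steveej-x13s-rmvbl` as a recipient, while the same commit replaces the `steveej-x13s-rmvbl` nixosConfiguration with `steveej-x13s` (flake.nix hunks `@@ -122,7 +149,7 @@` and `@@ -135,8 +162,7 @@`); if the new host has its own age key, `secrets/desktop/radicale_htpasswd` will not be decryptable on it, and the retired host's key remains a recipient. Moving the htpasswd from `secrets/steveej-t14/` to `secrets/desktop/` (PATCH 11) also turns a per-host secret into one every key in this rule can read, which is reasonable for a shared credential but worth stating on the rule, e.g. `# shared across desktop hosts; run sops updatekeys when a host key is added, rotated or retired`.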
@@ -293,6 +343,23 @@ "type": "github" } }, + "linux_x13s": { + "flake": false, + "locked": { + "lastModified": 1705680516, + "narHash": "sha256-NjCuPYjYHBJcoJR1ZaWQ9sRh0VpY2Y0hawkbUBRfCvk=", + "owner": "jhovold", + "repo": "linux", + "rev": "bac95eabe6577faa2773cbe7e91c34fd17ab79a0", + "type": "github" + }, + "original": { + "owner": "jhovold", + "ref": "wip/sc8280xp-v6.7", + "repo": "linux", + "type": "github" + } + }, "nix-eval-jobs": { "inputs": { "flake-parts": "flake-parts_3", @@ -636,7 +703,10 @@ }, "root": { "inputs": { + "adamcstephens_stop-export": "adamcstephens_stop-export", + "alsa-ucm-conf": "alsa-ucm-conf", "aphorme_launcher": "aphorme_launcher", + "brainwart_x13s-nixos": "brainwart_x13s-nixos", "colmena": "colmena", "crane": "crane", "disko": [ @@ -647,6 +717,7 @@ "flake-parts": "flake-parts", "get-flake": "get-flake", "jay": "jay", + "linux_x13s": "linux_x13s", "nixos-anywhere": "nixos-anywhere", "nixpkgs": [ "nixpkgs-2311" @@ -659,6 +730,9 @@ "nixpkgs-wayland": "nixpkgs-wayland", "ofi-pass": "ofi-pass", "prs": "prs", + "radicalePkgs": [ + "nixpkgs-2211" + ], "salut": "salut", "sops-nix": "sops-nix", "srvos": "srvos", diff --git a/flake.nix b/flake.nix index 691edf1..3191f4c 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,7 @@ inputs = { # flake and infra basics nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; + radicalePkgs.follows = "nixpkgs-2211"; nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; @@ -13,7 +14,7 @@ srvos.url = "github:numtide/srvos"; srvos.inputs.nixpkgs.follows = "nixpkgs"; - nixos-anywhere.url = github:numtide/nixos-anywhere/main; + nixos-anywhere.url = "github:numtide/nixos-anywhere/main"; nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs"; disko.follows = "nixos-anywhere/disko"; 
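Review bot: The context line `nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.05";` directly under the added `radicalePkgs.follows` line in the `@@ -3,6 +3,7 @@` hunk points an input named after 23.11 at the 23.05 branch, and the lock hunk `@@ -647,6 +717,7 @@` shows `nixpkgs` following `nixpkgs-2311`, so every host built from this flake tracks nixos-23.05; that release stopped receiving security updates at the end of 2023, before this commit's date. The line is pre-existing, but this hunk edits the input block and is the natural place to fix it: `nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11";`, followed by a lock update and rebuilds. If staying on 23.05 is deliberate, a comment on that line saying so would keep the name from misleading the next reader.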
@@ -68,6 +69,31 @@ url = "gitlab:timvisee/prs/master"; flake = false; }; + + + ### inputs for thinkpad x13s + # see https://github.com/jhovold/linux/wiki/X13s for status updates + linux_x13s.url = "github:jhovold/linux/wip/sc8280xp-v6.7"; + linux_x13s.flake = false; + + brainwart_x13s-nixos = { + url = "github:BrainWart/x13s-nixos/flake"; + flake = false; + }; + + adamcstephens_stop-export = { + flake = false; + url = "git+https://codeberg.org/adamcstephens/stop-export.git"; + }; + + + alsa-ucm-conf = { + flake = false; + url = "github:alsa-project/alsa-ucm-conf/master"; + }; + + + ### }; outputs = @@ -104,6 +130,7 @@ nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; }) [ "steveej-t14" + "steveej-x13s" # "elias-e525" # "justyna-p300" @@ -122,7 +149,7 @@ // ( let router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; - steveej-x13s-rmvbl = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations; + steveej-x13s = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations; retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations; in { @@ -135,8 +162,7 @@ # nixos-install --flake .\#retro_cross retro_cross = retro.cross; - steveej-x13s-rmvbl = steveej-x13s-rmvbl.native; - steveej-x13s-rmvbl_cross = steveej-x13s-rmvbl.cross; + steveej-x13s_cross = steveej-x13s.cross; } ); @@ -272,6 +298,11 @@ inherit inputs' pkgs; packages' = packages; }; + }; + + flake.nixosModules = { + thinkpad-x13s = { pkgs, config, lib, options, ... } @ args: (import ./nix/os/modules/hardware.thinkpad-x13s.nix (args // { inherit self; })); + }; }); } diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 0333dad..aa8f6e7 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix 
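Review bot: In the `@@ -272,6 +298,11 @@` hunk the `thinkpad-x13s` wrapper destructures `{ pkgs, config, lib, options, ... } @ args` but only ever uses `args`, so the four named bindings are dead and will trip any unused-binding check. `thinkpad-x13s = args: import ./nix/os/modules/hardware.thinkpad-x13s.nix (args // { inherit self; });` is equivalent. A comment above it, e.g. `# passes the repo flake in as self, presumably so the module can reach self.inputs.* the way the device flake did`, would explain why the module is wrapped rather than imported directly; the module file itself is not in this view, so that reason is inferred.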
@@ -1,26 +1,23 @@ { pkgs +, lib , config , # these come in via home-manager.extraSpecialArgs and are specific to each node nodeFlake , packages' -, # repoFlake, - # repoFlakeInputs', - ... +, ... }: let # pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system}; pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small { inherit (pkgs) system config; }; - pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; in { imports = [ ../profiles/common.nix - ../profiles/dotfiles.nix + # ../profiles/dotfiles.nix # FIXME: fix homeshick when no WAN connection is available # ../programs/homeshick.nix # ../profiles/gnome-desktop.nix - ../profiles/sway-desktop.nix # ../profiles/experimental-desktop.nix ../programs/redshift.nix @@ -28,7 +25,7 @@ in ../programs/gpg-agent.nix ../programs/pass.nix - ../programs/espanso.nix + # ../programs/espanso.nix ../programs/firefox.nix ../programs/chromium.nix @@ -36,10 +33,6 @@ in ../programs/libreoffice.nix ../programs/neovim.nix ../programs/vscode - - # TODO: bump these to 23.05 and make it work - (args: import ../programs/radicale.nix (args // { pkgs = pkgs2211; })) - # (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;})) ]; home.sessionVariables.HM_CONFIG = "graphical-fullblown"; @@ -55,21 +48,19 @@ in [ ] ++ (with pkgs; [ # Authentication - cacert - fprintd - openssl - mkpasswd + # cacert + # fprintd + # openssl + # mkpasswd # Nix package related tools patchelf - nix-index + # nix-index nix-prefetch-scripts - # nix-prefetch-github nix-tree # Version Control Systems gitFull - pijul # gitless gitRepo git-lfs @@ -118,7 +109,9 @@ in # FIXME: depends on insecure openssl 1.1.1t # kotatogram-desktop tdesktop + pkgsUnstableSmall.signal-desktop + #(let # version = "6.20.0-beta.1"; #in 
@@ -138,7 +131,6 @@ in # ''; # })) - pkgsUnstableSmall.session-desktop # --add-flags "--enable-features=UseOzonePlatform" # --add-flags "--ozone-platform=wayland" # (pkgsUnstableSmall.session-desktop.overrideAttrs (old: { @@ -175,61 +167,51 @@ in # })) thunderbird + # gnome.cheese - discord + + # Virtualization # virtmanager # Remote Control Tools remmina - freerdp - teamviewer - pkgsUnstableSmall.rustdesk + # freerdp + + # Audio/Video Players ffmpeg vlc - v4l-utils - audacity - spotify + # v4l-utils + # audacity + # spotify yt-dlp (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") libwebcam # Network Tools - openvpn tcpdump iftop iperf bind socat - # 2019-03-05: broken on 19.03 linssid - iptraf-ng - ipmitool - - iptables - nftables - wireshark - wireguard-tools + nethogs # Code Editing and Programming - xclip - xsel - pkgsUnstableSmall.lapce - pkgsUnstableSmall.helix - pkgsUnstableSmall.nil + # pkgsUnstableSmall.lapce + # pkgsUnstableSmall.helix + # pkgsUnstableSmall.nil # Image/Graphic/Design Tools gnome.eog - gimp - imagemagick - exiv2 - graphviz - inkscape - qrencode - zbar - feh + # gimp + # imagemagick + # exiv2 + # graphviz + # inkscape + # qrencode # TODO: remove or move these: Modelling Tools # plantuml 
@@ -240,62 +222,47 @@ in # astah-community # Misc Development Tools - qrcode - jq - cdrtools + # qrcode + # jq + # cdrtools # Document Processing and Management gnome.nautilus - xfce.thunar pcmanfm # mendeley evince - (runCommand "logseq-wrapper" - { - nativeBuildInputs = [ makeWrapper ]; - } '' - makeWrapper ${logseq}/bin/logseq $out/bin/logseq \ - --set NIXOS_OZONE_WL "" - '') - # (logseq.override({ electron_25 = electron_26; })) + # File Synchronzation maestral - maestral-gui rsync # Filesystem Tools - ntfs3g - ddrescue - ncdu - unetbootin - hdparm - testdisk + # ntfs3g + # ddrescue + # ncdu + # hdparm # binwalk - gptfdisk - gparted - smartmontools + # gptfdisk + # gparted + # smartmontools - ## Android - androidenv.androidPkgs_9_0.platform-tools ## Python - packages'.myPython + # packages'.myPython # Misc Desktop Tools - ltunify + # ltunify # dex - xorg.xbacklight coreutils lsof - xdotool xdg_utils xdg-user-dirs dconf picocom glib.dev # contains gdbus tool alacritty - wally-cli + # wally-cli man-pages # Screen recording 
@@ -311,64 +278,77 @@ in # introduces python: screenkey # avidemux # broken - handbrake + # handbrake - pkgsUnstableSmall.ledger-live-desktop - - (banana-accounting.overrideDerivation (attrs: - with inputs'.nixpkgs-2211.legacyPackages; { - # dontWrapGApps = true; - - srcs = builtins.fetchurl { - # hosted via https://web3.storage - url = "https://bafybeiabi4m2i4izummipbl5wzhwxjyjt2rylgsrahhkh7i63piwd37n4u.ipfs.w3s.link/mfpcksczayaqqx8fdacp0627zm36c001-bananaplus.tgz"; - - sha256 = "09666iqzqdw2526pf6bg5kd0hfw0wblw8ag636ki72dsiw6bmbf1"; - }; - - # nativeBuildInputs = - # attrs.nativeBuildInputs - # ++ [ - # qt5.qtbase - # qt5.wrapQtAppsHook - # ]; - - # buildInputs = - # attrs.buildInputs - # ++ [ - # qt5.qtwayland - # ]; - - # preFixup = - # (attrs.preFixup or "") - # + '' - # qtWrapperArgs+=("''${gappsWrapperArgs[@]}") - # ''; - })) - - - snes9x - snes9x-gtk + # snes9x + # snes9x-gtk # this is a displaymanager! # libretro.snes9x2010 # retroarchFull - ]); + ]) + ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ + (pkgs.banana-accounting.overrideDerivation + (attrs: + with nodeFlake.inputs'.nixpkgs-2211.legacyPackages; { + # dontWrapGApps = true; + + srcs = builtins.fetchurl { + # hosted via https://web3.storage + url = "https://bafybeiabi4m2i4izummipbl5wzhwxjyjt2rylgsrahhkh7i63piwd37n4u.ipfs.w3s.link/mfpcksczayaqqx8fdacp0627zm36c001-bananaplus.tgz"; + + sha256 = "09666iqzqdw2526pf6bg5kd0hfw0wblw8ag636ki72dsiw6bmbf1"; + }; + + # nativeBuildInputs = + # attrs.nativeBuildInputs + # ++ [ + # qt5.qtbase + # qt5.wrapQtAppsHook + # ]; + + # buildInputs = + # attrs.buildInputs + # ++ [ + # qt5.qtwayland + # ]; + + # preFixup = + # (attrs.preFixup or "") + # + '' + # qtWrapperArgs+=("''${gappsWrapperArgs[@]}") + # ''; + }) + ) + + pkgsUnstableSmall.ledger-live-desktop + + (pkgs.runCommand "logseq-wrapper" + { + nativeBuildInputs = [ pkgs.makeWrapper ]; + } '' + makeWrapper ${pkgs.logseq}/bin/logseq $out/bin/logseq \ + --set NIXOS_OZONE_WL "" + '') + # 
(logseq.override({ electron_25 = electron_26; })) + + # unsupported on aarch64-linux + pkgs.androidenv.androidPkgs_9_0.platform-tools + pkgs.teamviewer + pkgs.discord + pkgsUnstableSmall.session-desktop + pkgsUnstableSmall.rustdesk + ]) + ; systemd.user.startServices = true; services.syncthing.enable = true; services.udiskie = { enable = true; - automount = true; + automount = false; notify = true; }; - # FIXME: doesn't work as the service can't seem to control its started PID - services.dropbox = { - enable = false; - path = "${config.home.homeDirectory}/Dropbox-Hm"; - }; - # TODO: uncomment this when it's in stable home-manger # programs.joshuto = { # enable = true; diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index 20a17e3..9c76c30 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix @@ -1,4 +1,4 @@ -{pkgs, ...}: { +{ pkgs, ... }: { # TODO: re-enable this with the appropriate version? # programs.home-manager.enable = true; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; @@ -11,10 +11,16 @@ allowBroken = false; allowUnfree = true; - permittedInsecurePackages = []; + permittedInsecurePackages = [ ]; }; - nix.settings.experimental-features = ["nix-command" "flakes" "impure-derivations" "ca-derivations" "recursive-nix"]; + nix.settings.experimental-features = [ + "nix-command" + "flakes" + "impure-derivations" + "ca-derivations" + "recursive-nix" + ]; nix.settings.sandbox = "relaxed"; home.keyboard = { @@ -40,7 +46,7 @@ programs.fzf.enable = true; home.packages = - [] + [ ] ++ (with pkgs; [ htop vcsh diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix index ffab825..298aaf5 100644 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ b/nix/home-manager/profiles/wayland-desktop.nix 
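Review bot: The platform guard in the `@@ -311,64 +278,77 @@` hunk tests `pkgs.stdenv.targetPlatform.isAarch64`; for a home-manager package list the relevant machine is the one the packages run on, which is `hostPlatform` (`targetPlatform` only differs for compilers), so `lib.lists.optionals (!pkgs.stdenv.hostPlatform.isAarch64)` is the conventional form. The chromium.nix hunk `@@ -37,25 +38,27 @@` repeats the `targetPlatform` check (and `true && …`, where the `true &&` is a no-op), while the wayland-desktop.nix hunk `@@ -63,7 +59,11 @@` uses `pkgs.stdenv.isAarch64`; one spelling across the three would help. The moved `builtins.fetchurl` of the banana-accounting tarball remains pinned by `sha256`, so the IPFS gateway is only a transport; a comment next to the URL saying `# content-addressed via sha256 below; the gateway is not trusted` would make that explicit.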
@@ -8,10 +8,7 @@ let inherit (import ../lib.nix { }) mkSimpleTrayService; - nixpkgs-2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; - nixpkgs-unstable-small = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system}; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; - wayprompt = nixpkgs-wayland'.wayprompt; in { @@ -43,7 +40,6 @@ in wl-clipboard wmctrl - wayprompt nixpkgs-wayland'.shotman # identifies key input syms @@ -63,7 +59,11 @@ in # probably required by flameshot # xdg-desktop-portal xdg-desktop-portal-wlr # grim - ]; + ] ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) + # TODO: broken on aarch64 + [ + ] + ); home.sessionVariables = { XDG_SESSION_TYPE = "wayland"; diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index c2240b9..81383c9 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix @@ -1,15 +1,16 @@ -{ - name, - lib, - ... -}: let +{ name +, lib +, pkgs +, ... +}: +let extensions = [ #undetectable adblocker - {id = "gcfcpohokifjldeandkfjoboemihipmb";} + { id = "gcfcpohokifjldeandkfjoboemihipmb"; } # ublock origin - {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} + { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # # YT ad block # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} @@ -18,15 +19,15 @@ # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} # Cookie Notice Blocker - {id = "odhmfmnoejhihkmfebnolljiibpnednn";} + { id = "odhmfmnoejhihkmfebnolljiibpnednn"; } # i don't care about cookies - {id = "fihnjjcciajhdojfnbdddfaoknhalnja";} + { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } # NopeCHA - {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";} + { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } # h264ify - {id = "aleakchihdccplidncghkekgioiakgal";} + { id = "aleakchihdccplidncghkekgioiakgal"; } # clippy # {id = "honbeilkanbghjimjoniipnnehlmhggk"} 
@@ -37,25 +38,27 @@ } # cookie autodelete - {id = "fhcgjolkccmbidfldomjliifgaodjagh";} + { id = "fhcgjolkccmbidfldomjliifgaodjagh"; } # unhook - { id = "khncfooichmfjbepaaaebmommgaepoid";} + { id = "khncfooichmfjbepaaaebmommgaepoid"; } ] ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ # Vimium C - {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";} + { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } ]); -in { +in +{ programs.chromium = { enable = true; inherit extensions; }; programs.brave = { - enable = true; + # TODO: enable this on aarch64-linux + enable = true && !pkgs.stdenv.targetPlatform.isAarch64; inherit extensions; }; - programs.browserpass = {browsers = ["chromium" "brave"];}; + programs.browserpass = { browsers = [ "chromium" "brave" ]; }; } diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix index a8e4eef..bcedd41 100644 --- a/nix/home-manager/programs/radicale.nix +++ b/nix/home-manager/programs/radicale.nix @@ -1,10 +1,10 @@ -{ - config, - lib, - pkgs, - osConfig, - ... -}: let +{ config +, lib +, pkgs +, osConfig +, ... +}: +let libdecsync = pkgs.python3Packages.buildPythonPackage rec { pname = "libdecsync"; version = "2.2.1"; 
@@ -38,50 +38,53 @@ # pkgs.libxcrypt ]; - propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; + propagatedBuildInputs = [ libdecsync pkgs.python3Packages.setuptools ]; }; radicale-decsync = pkgs.radicale.overrideAttrs (old: { propagatedBuildInputs = old.propagatedBuildInputs - ++ [radicale-storage-decsync]; + ++ [ radicale-storage-decsync ]; }); - mkRadicaleService = { - suffix, - port, - }: let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} + mkRadicaleService = + { suffix + , port + , + }: + let + radicale-config = pkgs.writeText "radicale-config-${suffix}" '' + [server] + hosts = localhost:${builtins.toString port} - [auth] - type = htpasswd - htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt + [auth] + type = htpasswd + htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} + htpasswd_encryption = bcrypt - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync-${suffix} - ''; - in { - systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync-${suffix} + ''; + in + { + systemd.user.services."radicale-${suffix}" = { + Unit.Description = "Radicale with DecSync (${suffix})"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart = "on-failure"; + }; + Install.WantedBy = [ "default.target" ]; }; - Install.WantedBy = ["default.target"]; }; - }; in - builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [ - { - suffix = "personal"; - port = 
5232; - } - { - suffix = "family"; - port = 5233; - } - ] +builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 5233; + } +] diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 0d3085d..8d2596a 100644 --- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix @@ -1,29 +1,30 @@ -{ - config, - lib, - pkgs, - ... -}: let - just-plugin = let - plugin_file = pkgs.writeText "_just" '' - #compdef just - #autload +{ config +, lib +, pkgs +, ... +}: +let + just-plugin = + let + plugin_file = pkgs.writeText "_just" '' + #compdef just + #autload - alias justl="\just --list" - alias juste="\just --evaluate" + alias justl="\just --list" + alias juste="\just --evaluate" - local subcmds=() + local subcmds=() - while read -r line ; do - if [[ ! $line == Available* ]] ; - then - subcmds+=(''${line/[[:space:]]*\#/:}) - fi - done < <(just --list) + while read -r line ; do + if [[ ! $line == Available* ]] ; + then + subcmds+=(''${line/[[:space:]]*\#/:}) + fi + done < <(just --list) - _describe 'command' subcmds - ''; - in + _describe 'command' subcmds + ''; + in pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; @@ -35,7 +36,8 @@ chmod --recursive a-w $out ''; }; -in { +in +{ programs.zsh = { enable = true; 
@@ -46,47 +48,49 @@ in { # will be called again by oh-my-zsh enableCompletion = false; enableAutosuggestions = true; - initExtra = let - inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; - in '' - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" + initExtra = + let + inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; + in + '' + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" - # Automatic rehash - zstyle ':completion:*' rehash true + # Automatic rehash + zstyle ':completion:*' rehash true - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . $HOME/.shrc.d/sh_aliases + fi - ${ - if builtins.hasAttr "homeshick" pkgs - then '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' - else "" - } + ${ + if builtins.hasAttr "homeshick" pkgs + then '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' + else "" + } - # Disable intercepting of ctrl-s and ctrl-q as flow control. - stty stop ''' -ixoff -ixon + # Disable intercepting of ctrl-s and ctrl-q as flow control. 
+ stty stop ''' -ixoff -ixon - # don't cd into directories when executed - unsetopt AUTO_CD + # don't cd into directories when executed + unsetopt AUTO_CD - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" - ${lib.optionalString config.services.gpg-agent.enable '' - export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" - ''} + ${lib.optionalString config.services.gpg-agent.enable '' + export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" + ''} - ${lib.optionalString config.programs.neovim.enable '' - export EDITOR="nvim" - ''} - ''; + ${lib.optionalString config.programs.neovim.enable '' + export EDITOR="nvim" + ''} + ''; plugins = [ { @@ -119,7 +123,7 @@ in { oh-my-zsh = { enable = true; theme = "tjkirch"; - plugins = ["git" "sudo"]; + plugins = [ "git" "sudo" ]; }; }; } diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index 2a655c5..fc3d209 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -1,4 +1,4 @@ -{...}: { +{ ... }: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix @@ -10,7 +10,6 @@ ./pkg.nix ./user.nix ./boot.nix - ./secrets.nix # samba seerver ({ lib, ... }: { diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix index 1ff1a59..25c15c5 100644 --- a/nix/os/devices/steveej-t14/pkg.nix +++ b/nix/os/devices/steveej-t14/pkg.nix @@ -1,9 +1,8 @@ -{ - pkgs, - lib, - repoFlake, - nodeFlake, - ... +{ pkgs +, lib +, repoFlake +, nodeFlake +, ... }: { home-manager.users.steveej = _: { imports = [ @@ -16,8 +15,7 @@ }) ]; - home.sessionVariables = { - }; + home.sessionVariables = { }; home.packages = with pkgs; [ ]; 
@@ -34,50 +32,33 @@ # # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. - services.greetd = let - # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" - swayConfig = pkgs.writeText "greetd-sway-config" '' - # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. - exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" - bindsym Mod4+shift+e exec swaynag \ - -t warning \ - -m 'What do you want to do?' \ - -b 'Poweroff' 'systemctl poweroff' \ - -b 'Reboot' 'systemctl reboot' - ''; - in { - enable = false; - settings = { - vt = 1; - default_session = { - command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; + services.greetd = + let + # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" + swayConfig = pkgs.writeText "greetd-sway-config" '' + # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. + exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" + bindsym Mod4+shift+e exec swaynag \ + -t warning \ + -m 'What do you want to do?' 
\ + -b 'Poweroff' 'systemctl poweroff' \ + -b 'Reboot' 'systemctl reboot' + ''; + in + { + enable = false; + settings = { + vt = 1; + default_session = { + command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; + }; }; }; - }; environment.etc."greetd/environments".text = '' sway ''; - - # autologin steveej on tty1 - systemd.services."autovt@tty1".description = "Autologin at the TTY1"; - systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty - systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; - systemd.services."autovt@tty1".serviceConfig = - { ExecStart = [ - "" # override upstream default with an empty ExecStart - "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM" - ]; - Restart = "always"; - Type = "idle"; - }; - programs.zsh.loginShellInit = '' - if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then - exec sway - fi - ''; - # fonts = let # prefs.font = rec { # size = 13; 
@@ -122,42 +103,5 @@ # # }; # }; - security.pam.services.getty.enableGnomeKeyring = true; - services.gnome.gnome-keyring.enable = true; - - # rtkit is optional but recommended - security.rtkit.enable = true; - services.pipewire = { - audio.enable = true; - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - }; - - # required by swaywm - security.polkit.enable = true; - security.pam.services.swaylock = {}; - - # test these on https://mozilla.github.io/webrtc-landing/gum_test.html - xdg.portal = { - enable = true; - # FIXME: `true` breaks xdg-open from alacritty: - # $ xdg-open "https://github.com/" - # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop - xdgOpenUsePortal = false; - extraPortals = [ - pkgs.xdg-desktop-portal-wlr - pkgs.xdg-desktop-portal-gtk - - # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr - # (pkgs.xdg-desktop-portal-gtk.override (_: { - # buildPortalsInGnome = false; - # })) - ]; - }; - system.stateVersion = "23.05"; } diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index 11a2690..c5604f8 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -28,6 +28,8 @@ in { imports = [ ../../snippets/nix-settings-holo-chain.nix + ../../snippets/radicale.nix + ../../snippets/sway-desktop.nix ]; nix.settings = { 
@@ -115,21 +117,10 @@ in services.samba.extraConfig = '' # client min protocol = NT1 ''; - services.gvfs = { - enable = true; - package = lib.mkForce pkgs.gnome3.gvfs; - }; - environment.systemPackages = with pkgs; [ lxqt.lxqt-policykit ]; # provides a default authentification client for policykit security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; - services.xserver.serverFlagsSection = '' - Option "BlankTime" "0" - Option "StandbyTime" "0" - Option "SuspendTime" "0" - Option "OffTime" "0" - ''; time.timeZone = lib.mkForce passwords.timeZone.stefan; diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix index 14d206e..7e39af7 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix @@ -1,8 +1,8 @@ { repoFlake +, nodeFlake , pkgs , lib , config -, nodeFlake , nodeName , localDomainName , system @@ -16,8 +16,15 @@ ./disko.nix ../../profiles/common/user.nix + ../../profiles/common/pkg.nix + { + # nixpkgs.config.allowUnsupportedSystem = true; + + # flake registry + nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; + nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; @@ -43,6 +50,11 @@ sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; sops.defaultSopsFormat = "yaml"; } + + nodeFlake.inputs.home-manager.nixosModules.home-manager + + ../../snippets/sway-desktop.nix + ../../snippets/radicale.nix ]; hardware.thinkpad-x13s = { @@ -57,8 +69,8 @@ firewall.enable = true; - useNetworkd = true; - networkmanager.enable = false; + # useNetworkd = true; + networkmanager.enable = true; }; system.stateVersion = "23.11"; 
@@ -74,4 +86,21 @@ pkgs.git pkgs.git-crypt ]; + + home-manager.users.steveej = _: { + imports = [ + ../../../home-manager/configuration/graphical-fullblown.nix + + (_: { + programs.chromium.extensions = [ + # can define host-specific extensions here + ]; + }) + ]; + + home.sessionVariables = { }; + + home.packages = with pkgs; [ + ]; + }; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix index 3961f0b..0ccb5dc 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/default.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/default.nix @@ -1,10 +1,9 @@ -{ - system ? "aarch64-linux", - nodeName, - repoFlake, - nodeFlake, - localDomainName ? "internal", - ... +{ system ? "aarch64-linux" +, nodeName +, repoFlake +, nodeFlake +, localDomainName ? "internal" +, ... }: { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake system; @@ -16,18 +15,22 @@ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + { + inherit system; + }; ${nodeName} = { + deployment.targetHost = "${nodeName}.${localDomainName}"; deployment.replaceUnknownProfiles = true; + deployment.allowLocalDeployment = true; # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; imports = [ - ./configuration.nix + (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") + + nodeFlake.inputs.home-manager.nixosModules.home-manager ]; networking.hostName = nodeName; diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.lock b/nix/os/devices/steveej-x13s-rmvbl/flake.lock index 385f8dd..f7008e1 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.lock +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.lock 
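Review bot: The `@@ -16,18 +15,22 @@` hunk in `default.nix` adds `nodeFlake.inputs.home-manager.nixosModules.home-manager` to the node's `imports` while the `configuration.nix` hunk just before it adds the same import; if the attribute resolves to a path the module system deduplicates it by key, otherwise the module body is evaluated twice. Importing it once, in configuration.nix (which both the colmena path here and the standalone flake evaluation load), is enough: `imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ];`. The same doubled import appears in the new `steveej-x13s/default.nix` and `steveej-x13s/configuration.nix` later in this patch.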
@@ -57,11 +57,11 @@
 ]
 },
 "locked": {
- "lastModified": 1705540973,
- "narHash": "sha256-kNt/qAEy7ueV7NKbVc8YMHWiQAAgrir02MROYNI8fV0=",
+ "lastModified": 1705890365,
+ "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "0033adc6e3f1ed076f3ed1c637ef1dfe6bef6733",
+ "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9",
 "type": "github"
 },
 "original": {
@@ -84,6 +84,27 @@
 "type": "github"
 }
 },
+ "home-manager": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1705659542,
+ "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "ref": "release-23.11",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
 "linux_x13s": {
 "flake": false,
 "locked": {
@@ -119,11 +140,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1705641746,
- "narHash": "sha256-D6c2aH8HQbWc7ZWSV0BUpFpd94ImFyCP8jFIsKQ4Slg=",
+ "lastModified": 1705774713,
+ "narHash": "sha256-j6ADaDH9XiumUzkTPlFyCBcoWYhO83lfgiSqEJF2zcs=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "d2003f2223cbb8cd95134e4a0541beea215c1073",
+ "rev": "1b64fc1287991a9cce717a01c1973ef86cb1af0b",
 "type": "github"
 },
 "original": {
@@ -133,6 +154,38 @@
 "type": "github"
 }
 },
+ "nixpkgs-2211": {
+ "locked": {
+ "lastModified": 1688392541,
+ "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-22.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-unstable-small": {
+ "locked": {
+ "lastModified": 1705891108,
+ "narHash": "sha256-PQ0Df5BzByg+0gPE1goa9WYVXSoEP6gtjblrbYC8WOI=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "8cccce637e19577815de54c5ecc3132dff965aee",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable-small",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "root": {
 "inputs": {
 "adamcstephens_stop-export": "adamcstephens_stop-export",
@@ -140,9 +193,12 @@
 "brainwart_x13s-nixos": "brainwart_x13s-nixos",
 "disko": "disko",
 "get-flake": "get-flake",
+ "home-manager": "home-manager",
 "linux_x13s": "linux_x13s",
 "mobile-nixos": "mobile-nixos",
- "nixpkgs": "nixpkgs"
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-2211": "nixpkgs-2211",
+ "nixpkgs-unstable-small": "nixpkgs-unstable-small"
 }
 }
 },
diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix
index a60ced8..d9cc53c 100644
--- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix
+++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix
@@ -3,6 +3,10 @@
 {
 nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
 
+ # requires for home-manager modules
+ nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small";
+ nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
+
 get-flake.url = "github:ursi/get-flake";
 
 disko.inputs.nixpkgs.follows = "nixpkgs";
@@ -10,24 +14,9 @@ mobile-nixos.url = "github:NixOS/mobile-nixos"; mobile-nixos.flake = false; - # see https://github.com/jhovold/linux/wiki/X13s for status updates - linux_x13s.url = "github:jhovold/linux/wip/sc8280xp-v6.7"; - linux_x13s.flake = false; - - brainwart_x13s-nixos = { - url = "github:BrainWart/x13s-nixos/flake"; - flake = false; - }; - - adamcstephens_stop-export = { - flake = false; - url = "git+https://codeberg.org/adamcstephens/stop-export.git"; - }; - - - alsa-ucm-conf = { - flake = false; - url = "github:alsa-project/alsa-ucm-conf/master"; + home-manager = { + url = "github:nix-community/home-manager/release-23.11"; + inputs.nixpkgs.follows = "nixpkgs"; }; }; @@ -60,11 +49,6 @@ self.nixosModules.hardware-x13s ./configuration.nix - - # flake registry - { - nix.registry.nixpkgs.flake = nixpkgs; - } ] ++ extraModules; } 
@@ -85,247 +69,5 @@ ]; }; }; - - nixosModules.hardware-x13s = { pkgs, config, lib, options, ... }: - let - # TODO: introduce options for these - kernelPdMapper = true; - cfg = config.hardware.thinkpad-x13s; - in - { - options.hardware.thinkpad-x13s = { - # TODO: respect this - enable = lib.mkEnableOption "x13s hardware support"; - - bluetoothMac = lib.mkOption { - type = lib.types.str; - description = "mac address to set on boot"; - }; - - bluetoothMacAddr = lib.mkOption { - default = "00:00:00:00:00"; - type = lib.types.str; - }; - - }; - config = - let - inherit (config.boot.loader) efi; - kp = [ - { - name = "x13s-cfg"; - patch = null; - extraStructuredConfig = with lib.kernel; { - EFI_ARMSTUB_DTB_LOADER = lib.mkForce yes; - OF_OVERLAY = lib.mkForce yes; - BTRFS_FS = lib.mkForce yes; - BTRFS_FS_POSIX_ACL = lib.mkForce yes; - MEDIA_CONTROLLER = lib.mkForce yes; - SND_USB_AUDIO_USE_MEDIA_CONTROLLER = lib.mkForce yes; - SND_USB = lib.mkForce yes; - SND_USB_AUDIO = lib.mkForce module; - USB_XHCI_PCI = lib.mkForce module; - NO_HZ_FULL = lib.mkForce yes; - HZ_100 = lib.mkForce yes; - HZ_250 = lib.mkForce no; - DRM_AMDGPU = lib.mkForce no; - DRM_NOUVEAU = lib.mkForce no; - QCOM_TSENS = lib.mkForce yes; - NVMEM_QCOM_QFPROM = lib.mkForce yes; - ARM_QCOM_CPUFREQ_NVMEM = lib.mkForce yes; - VIRTIO_PCI = lib.mkForce module; - # forthcoming kernel work: QCOM_PD_MAPPER = lib.mkForce module; - }; - } - ]; - - qrtr = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/qrtr.nix" { }; - pd-mapper = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/pd-mapper.nix" { - inherit qrtr; - }; - - - # We can't quite move to mainline linux - linux_x13s_pkg = { buildLinux, ... 
} @ args: - buildLinux (args // rec { - version = "6.7.0"; - modDirVersion = lib.versions.pad 3 version; - extraMeta.branch = lib.versions.majorMinor version; - - src = self.inputs.linux_x13s; - kernelPatches = (args.kernelPatches or [ ]) ++ kp; - } // (args.argsOverride or { })); - - # we add additional configuration on top of te normal configuration above - # using the extraStructuredConfig option on the kernel patch - linux_x13s = pkgs.callPackage linux_x13s_pkg { - defconfig = "johan_defconfig"; - }; - - linuxPackages_x13s = pkgs.linuxPackagesFor linux_x13s; - dtbName = "sc8280xp-lenovo-thinkpad-x13s.dtb"; - dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/${dtbName}"; - - x13s_alsa-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs (prev: { - src = self.inputs.alsa-ucm-conf; - }); - alsa-ucm-conf-env.ALSA_CONFIG_UCM2 = "${x13s_alsa-ucm-conf}/share/alsa/ucm2"; - - in - { - nixpkgs.overlays = [ - (final: prev: - { - x13s_extra-firmware = pkgs.callPackage - "${self.inputs.adamcstephens_stop-export}/hardware/x13s/extra-firmware.nix" - { }; - - inherit qrtr pd-mapper; - } - ) - ]; - - # ensure the x13s' dtb file is in the boot partition - # TODO:: is this needed for the VT display somehow? - system.activationScripts.x13s-dtb = '' - in_package="${dtb}" - esp_tool_folder="${efi.efiSysMountPoint}/" - in_esp="''${esp_tool_folder}${dtbName}" - >&2 echo "Ensuring $in_esp in EFI System Partition" - if ! 
${pkgs.diffutils}/bin/cmp --silent "$in_package" "$in_esp"; then - >&2 echo "Copying $in_package -> $in_esp" - mkdir -p "$esp_tool_folder" - cp "$in_package" "$in_esp" - sync - fi - ''; - - boot = { - loader.systemd-boot.enable = true; - loader.systemd-boot.extraFiles = { - "${dtbName}" = dtb; - }; - loader.efi.canTouchEfiVariables = false; - loader.efi.efiSysMountPoint = "/boot"; - - blacklistedKernelModules = [ "wwan" ]; - - kernelPackages = linuxPackages_x13s; - - kernelParams = [ - "dtb=${dtbName}" - - "boot.shell_on_fail" - - # jhovold recommended - "efi=noruntime" - "clk_ignore_unused" - "pd_ignore_unused" - "arm64.nopauth" - - # blacklist graphics in initrd so the firmware can load from disk - "rd.driver.blacklist=msm" - ]; - - initrd = { - includeDefaultModules = false; - - # kernelModules = [ - # "nvme" - # "phy_qcom_qmp_pcie" - # "pcie_qcom" - - # "i2c_core" - # "i2c_hid" - # "i2c_hid_of" - # "i2c_qcom_geni" - - # "leds_qcom_lpg" - # "pwm_bl" - # "qrtr" - # "pmic_glink_altmode" - # "gpio_sbu_mux" - # "phy_qcom_qmp_combo" - # "gpucc_sc8280xp" - # "dispcc_sc8280xp" - # "phy_qcom_edp" - # "panel_edp" - # # "msm" - - # ]; - - availableKernelModules = [ - "i2c_hid" - "i2c_hid_of" - "i2c_qcom_geni" - "leds_qcom_lpg" - "pwm_bl" - "qrtr" - "pmic_glink_altmode" - "gpio_sbu_mux" - "phy_qcom_qmp_combo" - "panel_edp" - # "msm" - "phy_qcom_edp" - "i2c_core" - "i2c_hid" - "i2c_hid_of" - "i2c_qcom_geni" - "pcie_qcom" - "phy_qcom_qmp_combo" - "phy_qcom_qmp_pcie" - "phy_qcom_qmp_usb" - "phy_qcom_snps_femto_v2" - "phy_qcom_usb_hs" - "nvme" - - "usbcore" - "xhci_hcd" - "usbhid" - "usb_storage" - "uas" - ]; - }; - }; - - - # default is performance - powerManagement.cpuFreqGovernor = "ondemand"; - - hardware.enableAllFirmware = true; - hardware.firmware = [ - # pkgs.linux-firmware - - pkgs.x13s_extra-firmware - ]; - - systemd.services.pd-mapper = { - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - ExecStart = "${lib.getExe pd-mapper}"; - Restart = "always"; - }; - 
}; - - environment.sessionVariables = alsa-ucm-conf-env; - systemd.user.services.pipewire.environment = alsa-ucm-conf-env; - systemd.user.services.wireplumber.environment = alsa-ucm-conf-env; - - systemd.services.bluetooth = { - serviceConfig = { - # disabled because btmgmt call hangs - ExecStartPre = [ - "" - "${pkgs.util-linux}/bin/rfkill block bluetooth" - "${pkgs.bluez5-experimental}/bin/btmgmt public-addr ${cfg.bluetoothMac}" - "${pkgs.util-linux}/bin/rfkill unblock bluetooth" - ]; - RestartSec = 5; - Restart = "on-failure"; - }; - }; - }; - }; }; } diff --git a/nix/os/devices/steveej-x13s/.gitignore b/nix/os/devices/steveej-x13s/.gitignore new file mode 100644 index 0000000..b2be92b --- /dev/null +++ b/nix/os/devices/steveej-x13s/.gitignore @@ -0,0 +1 @@ +result diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix new file mode 100644 index 0000000..72edd99 --- /dev/null +++ b/nix/os/devices/steveej-x13s/configuration.nix 
@@ -0,0 +1,107 @@
+{ repoFlake
+, nodeFlake
+, pkgs
+, lib
+, config
+, nodeName
+, localDomainName
+, system
+, ...
+}:
+
+{
+ imports = [
+ # repoFlake.inputs.sops-nix.nixosModules.sops
+ nodeFlake.inputs.disko.nixosModules.disko
+ ./disko.nix
+
+ repoFlake.nixosModules.thinkpad-x13s
+
+ ../../profiles/common/pkg.nix
+
+
+ {
+ # nixpkgs.config.allowUnsupportedSystem = true;
+
+ # flake registry
+ nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs;
+
+ nix.nixPath = [
+ "nixpkgs=${pkgs.path}"
+ ];
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+
+ nix.settings.max-jobs = lib.mkDefault "auto";
+ }
+
+ # ../../profiles/common/user.nix
+
+ {
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "yes";
+ services.openssh.openFirewall = true;
+
+
+ # sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # sops.defaultSopsFormat = "yaml";
+
+ # users.commonUsers = {
+ # enable = true;
+ # enableNonRoot = true;
+ # };
+
+ users.users.root.initialPassword = "install";
+ }
+
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ # ../../snippets/sway-desktop.nix
+ # ../../snippets/radicale.nix
+ ];
+
+ hardware.thinkpad-x13s = {
+ enable = true;
+
+ # TODO: use hardware address
+ bluetoothMac = "65:9e:7a:8b:86:28";
+ };
+
+ networking = {
+ hostName = nodeName;
+
+ firewall.enable = true;
+
+ # useNetworkd = true;
+ };
+
+ system.stateVersion = "23.11";
+
+ nixpkgs.config.allowUnfree = true;
+
+ environment.systemPackages = [
+ pkgs.sshfs
+ pkgs.util-linux
+ pkgs.coreutils
+ pkgs.vim
+
+ pkgs.git
+ pkgs.git-crypt
+ ];
+
+ # home-manager.users.steveej = _: {
+ # home.stateVersion = "23.11";
+
+ # imports = [
+ # ../../../home-manager/configuration/graphical-fullblown.nix
+ # ];
+
+ # home.sessionVariables = { };
+
+ # home.packages = with pkgs; [
+ # ];
+ # };
+}
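Review bot: The inline module inside `imports` combines `services.openssh.settings.PermitRootLogin = "yes"`, `services.openssh.openFirewall = true` and `users.users.root.initialPassword = "install"`, so the host comes up with a root account whose password is fixed in the repository and accepted over SSH from anywhere the firewall lets port 22 through. Even for install-time scaffolding (the sops and `users.commonUsers` lines next to it are commented out), narrowing root access to keys is cheap: `services.openssh.settings.PermitRootLogin = "prohibit-password";` plus `services.openssh.settings.PasswordAuthentication = false;`, with the bootstrap key in `users.users.root.openssh.authorizedKeys.keys`. `initialPassword` is only applied when the user is first created, so it is not a dependable recovery path across rebuilds either; drop it, or source the root password from sops as the commented `sops.defaultSopsFile` lines already sketch. A one-line comment at the top of that module stating that it is bootstrap-only and meant to be replaced by `../../profiles/common/user.nix` would tell the next reader why it differs from the other devices.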
diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix new file mode 100644 index 0000000..51d487b --- /dev/null +++ b/nix/os/devices/steveej-x13s/default.nix @@ -0,0 +1,40 @@ +{ system ? "aarch64-linux" +, nodeName +, repoFlake +, repoFlakeWithSystem +, nodeFlake +, localDomainName ? "internal" +, ... +}: { + meta.nodeSpecialArgs.${nodeName} = { + inherit repoFlake nodeName nodeFlake system; + packages' = repoFlake.packages.${system}; + nodePackages' = nodeFlake.packages.${system}; + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + + inherit localDomainName; + }; + + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; + + ${nodeName} = { + + deployment.targetHost = "${nodeName}.${localDomainName}"; + deployment.replaceUnknownProfiles = true; + deployment.allowLocalDeployment = true; + + # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; + + imports = [ + (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") + + nodeFlake.inputs.home-manager.nixosModules.home-manager + ]; + + networking.hostName = nodeName; + }; +} diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix new file mode 100644 index 0000000..5abf297 --- /dev/null +++ b/nix/os/devices/steveej-x13s/disko.nix 
@@ -0,0 +1,66 @@ +{ + disko.devices = { + disk = { + x13s-nvme = { + type = "disk"; + device = "/dev/disk/by-id/nvme-KBG5AZNT1T02_LA_KIOXIA_52QC84BEEJS6"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "x13s-usb-crypt"; + extraOpenArgs = [ ]; + # disable settings.keyFile if you want to use interactive password entry + #passwordFile = "/tmp/secret.key"; # Interactive + settings = { + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + # keyFile = "/tmp/secret.key"; + allowDiscards = true; + }; + # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ "compress=zstd" "noatime" ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "32G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock new file mode 100644 index 0000000..f7008e1 --- /dev/null +++ b/nix/os/devices/steveej-x13s/flake.lock 
@@ -0,0 +1,207 @@ +{ + "nodes": { + "adamcstephens_stop-export": { + "flake": false, + "locked": { + "lastModified": 1705876512, + "narHash": "sha256-nvBqLyi8dMQf3xnROwEcUv4iqV55Mr8S8OGYepu14i4=", + "ref": "refs/heads/main", + "rev": "388684db5b529bbd6f3e948cf175df089eb09766", + "revCount": 14, + "type": "git", + "url": "https://codeberg.org/adamcstephens/stop-export.git" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/adamcstephens/stop-export.git" + } + }, + "alsa-ucm-conf": { + "flake": false, + "locked": { + "lastModified": 1705501566, + "narHash": "sha256-Nyr7tjH5VBjocvaKaHCiK+zsjThYBtcr936aRWCBBpM=", + "owner": "alsa-project", + "repo": "alsa-ucm-conf", + "rev": "e87dde51d68950537f92af955ad0633437cc419a", + "type": "github" + }, + "original": { + "owner": "alsa-project", + "ref": "master", + "repo": "alsa-ucm-conf", + "type": "github" + } + }, + "brainwart_x13s-nixos": { + "flake": false, + "locked": { + "lastModified": 1705565623, + "narHash": "sha256-sisr/dFIz8p3/Y7mz+arWxjeiBmUTQkMqkF9j3c2dWE=", + "owner": "BrainWart", + "repo": "x13s-nixos", + "rev": "29002122d86a1009ba70e7a4ca3063e5404c77a2", + "type": "github" + }, + "original": { + "owner": "BrainWart", + "ref": "flake", + "repo": "x13s-nixos", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705890365, + "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=", + "owner": "nix-community", + "repo": "disko", + "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9", + "type": "github" + }, + "original": { + "id": "disko", + "type": "indirect" + } + }, + "get-flake": { + "locked": { + "lastModified": 1694475786, + "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", + "owner": "ursi", + "repo": "get-flake", + "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + 
"inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705659542, + "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.11", + "repo": "home-manager", + "type": "github" + } + }, + "linux_x13s": { + "flake": false, + "locked": { + "lastModified": 1705680516, + "narHash": "sha256-NjCuPYjYHBJcoJR1ZaWQ9sRh0VpY2Y0hawkbUBRfCvk=", + "owner": "jhovold", + "repo": "linux", + "rev": "bac95eabe6577faa2773cbe7e91c34fd17ab79a0", + "type": "github" + }, + "original": { + "owner": "jhovold", + "ref": "wip/sc8280xp-v6.7", + "repo": "linux", + "type": "github" + } + }, + "mobile-nixos": { + "flake": false, + "locked": { + "lastModified": 1705008488, + "narHash": "sha256-Gj97fDFZaK6gLb3ayZgTTtD+MFE1YjoyYHWkB1TIAe0=", + "owner": "NixOS", + "repo": "mobile-nixos", + "rev": "56e55df7b07b5e5c6d050732d851cec62b41df95", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "mobile-nixos", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1705774713, + "narHash": "sha256-j6ADaDH9XiumUzkTPlFyCBcoWYhO83lfgiSqEJF2zcs=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "1b64fc1287991a9cce717a01c1973ef86cb1af0b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2211": { + "locked": { + "lastModified": 1688392541, + "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable-small": { + "locked": { + "lastModified": 1705891108, + "narHash": 
"sha256-PQ0Df5BzByg+0gPE1goa9WYVXSoEP6gtjblrbYC8WOI=",
+ "owner": "nixos",
+ "repo": "nixpkgs",
+ "rev": "8cccce637e19577815de54c5ecc3132dff965aee",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nixos",
+ "ref": "nixos-unstable-small",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "adamcstephens_stop-export": "adamcstephens_stop-export",
+ "alsa-ucm-conf": "alsa-ucm-conf",
+ "brainwart_x13s-nixos": "brainwart_x13s-nixos",
+ "disko": "disko",
+ "get-flake": "get-flake",
+ "home-manager": "home-manager",
+ "linux_x13s": "linux_x13s",
+ "mobile-nixos": "mobile-nixos",
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-2211": "nixpkgs-2211",
+ "nixpkgs-unstable-small": "nixpkgs-unstable-small"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix
new file mode 100644
index 0000000..8ee5695
--- /dev/null
+++ b/nix/os/devices/steveej-x13s/flake.nix
@@ -0,0 +1,73 @@ +{ + inputs = + { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + + # requires for home-manager modules + nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; + + get-flake.url = "github:ursi/get-flake"; + + disko.inputs.nixpkgs.follows = "nixpkgs"; + + mobile-nixos.url = "github:NixOS/mobile-nixos"; + mobile-nixos.flake = false; + + home-manager = { + url = "github:nix-community/home-manager/release-23.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + + outputs = + { self + , get-flake + , nixpkgs + , ... + }: + let + targetPlatform = "aarch64-linux"; + buildPlatform = "x86_64-linux"; + nodeName = "steveej-x13s"; + + mkNixosConfiguration = { extraModules ? [ ], ... } @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs + { + specialArgs = (import ./default.nix { + system = targetPlatform; + inherit nodeName; + + repoFlake = get-flake ../../../..; + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; + + modules = + [ + ({ repoFlake, ... }: repoFlake.nixosModules.hardware-x13s) + + ./configuration.nix + ] + ++ extraModules; + } + ); + in + { + nixosConfigurations = { + native = mkNixosConfiguration { + system = targetPlatform; + }; + + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = targetPlatform; + } + ]; + }; + }; + }; +} diff --git a/nix/os/modules/hardware.thinkpad-x13s.nix b/nix/os/modules/hardware.thinkpad-x13s.nix new file mode 100644 index 0000000..a1c6682 --- /dev/null +++ b/nix/os/modules/hardware.thinkpad-x13s.nix 
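Review bot: `disko` is declared only through `disko.inputs.nixpkgs.follows = "nixpkgs";` with no `disko.url`, so the input appears to be resolved as an indirect reference through the flake registry rather than from a pinned source; the lock file keeps it reproducible once generated, but a fresh `nix flake update` on another machine then depends on that machine's registry. An explicit `disko.url = "github:nix-community/disko";` next to the `follows` line removes that dependency and matches how the other inputs in this file are declared. The comment `# requires for home-manager modules` should read `# required for home-manager modules`, and it would help to say which modules need `nixpkgs-unstable-small` and `nixpkgs-2211`, since neither is referenced in this file.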
@@ -0,0 +1,242 @@ +{ self, pkgs, config, lib, options, ... }: +let + # TODO: introduce options for these + kernelPdMapper = true; + cfg = config.hardware.thinkpad-x13s; +in +{ + options.hardware.thinkpad-x13s = { + # TODO: respect this + enable = lib.mkEnableOption "x13s hardware support"; + + bluetoothMac = lib.mkOption { + type = lib.types.str; + description = "mac address to set on boot"; + }; + + bluetoothMacAddr = lib.mkOption { + default = "00:00:00:00:00"; + type = lib.types.str; + }; + + }; + config = + let + inherit (config.boot.loader) efi; + kp = [ + { + name = "x13s-cfg"; + patch = null; + extraStructuredConfig = with lib.kernel; { + EFI_ARMSTUB_DTB_LOADER = lib.mkForce yes; + OF_OVERLAY = lib.mkForce yes; + BTRFS_FS = lib.mkForce yes; + BTRFS_FS_POSIX_ACL = lib.mkForce yes; + MEDIA_CONTROLLER = lib.mkForce yes; + SND_USB_AUDIO_USE_MEDIA_CONTROLLER = lib.mkForce yes; + SND_USB = lib.mkForce yes; + SND_USB_AUDIO = lib.mkForce module; + USB_XHCI_PCI = lib.mkForce module; + NO_HZ_FULL = lib.mkForce yes; + HZ_100 = lib.mkForce yes; + HZ_250 = lib.mkForce no; + DRM_AMDGPU = lib.mkForce no; + DRM_NOUVEAU = lib.mkForce no; + QCOM_TSENS = lib.mkForce yes; + NVMEM_QCOM_QFPROM = lib.mkForce yes; + ARM_QCOM_CPUFREQ_NVMEM = lib.mkForce yes; + VIRTIO_PCI = lib.mkForce module; + # forthcoming kernel work: QCOM_PD_MAPPER = lib.mkForce module; + }; + } + ]; + + qrtr = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/qrtr.nix" { }; + pd-mapper = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/pd-mapper.nix" { + inherit qrtr; + }; + + + # We can't quite move to mainline linux + linux_x13s_pkg = { buildLinux, ... 
} @ args: + buildLinux (args // rec { + version = "6.7.0"; + modDirVersion = lib.versions.pad 3 version; + extraMeta.branch = lib.versions.majorMinor version; + + src = self.inputs.linux_x13s; + kernelPatches = (args.kernelPatches or [ ]) ++ kp; + } // (args.argsOverride or { })); + + # we add additional configuration on top of te normal configuration above + # using the extraStructuredConfig option on the kernel patch + linux_x13s = pkgs.callPackage linux_x13s_pkg { + defconfig = "johan_defconfig"; + }; + + linuxPackages_x13s = pkgs.linuxPackagesFor linux_x13s; + dtbName = "sc8280xp-lenovo-thinkpad-x13s.dtb"; + dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/${dtbName}"; + + x13s_alsa-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs (prev: { + src = self.inputs.alsa-ucm-conf; + }); + alsa-ucm-conf-env.ALSA_CONFIG_UCM2 = "${x13s_alsa-ucm-conf}/share/alsa/ucm2"; + + in + lib.mkIf cfg.enable + { + nixpkgs.overlays = [ + (final: prev: + { + x13s_extra-firmware = pkgs.callPackage + "${self.inputs.adamcstephens_stop-export}/hardware/x13s/extra-firmware.nix" + { }; + + inherit qrtr pd-mapper; + } + ) + ]; + + # ensure the x13s' dtb file is in the boot partition + # TODO:: is this needed for the VT display somehow? + system.activationScripts.x13s-dtb = '' + in_package="${dtb}" + esp_tool_folder="${efi.efiSysMountPoint}/" + in_esp="''${esp_tool_folder}${dtbName}" + >&2 echo "Ensuring $in_esp in EFI System Partition" + if ! 
${pkgs.diffutils}/bin/cmp --silent "$in_package" "$in_esp"; then + >&2 echo "Copying $in_package -> $in_esp" + mkdir -p "$esp_tool_folder" + cp "$in_package" "$in_esp" + sync + fi + ''; + + boot = { + loader.systemd-boot.enable = true; + loader.systemd-boot.extraFiles = { + "${dtbName}" = dtb; + }; + loader.efi.canTouchEfiVariables = false; + loader.efi.efiSysMountPoint = "/boot"; + + blacklistedKernelModules = [ "wwan" ]; + + kernelPackages = linuxPackages_x13s; + + kernelParams = [ + "dtb=${dtbName}" + + "boot.shell_on_fail" + + # jhovold recommended + "efi=noruntime" + "clk_ignore_unused" + "pd_ignore_unused" + "arm64.nopauth" + + # blacklist graphics in initrd so the firmware can load from disk + "rd.driver.blacklist=msm" + ]; + + initrd = { + includeDefaultModules = false; + + # kernelModules = [ + # "nvme" + # "phy_qcom_qmp_pcie" + # "pcie_qcom" + + # "i2c_core" + # "i2c_hid" + # "i2c_hid_of" + # "i2c_qcom_geni" + + # "leds_qcom_lpg" + # "pwm_bl" + # "qrtr" + # "pmic_glink_altmode" + # "gpio_sbu_mux" + # "phy_qcom_qmp_combo" + # "gpucc_sc8280xp" + # "dispcc_sc8280xp" + # "phy_qcom_edp" + # "panel_edp" + # # "msm" + + # ]; + + availableKernelModules = [ + "i2c_hid" + "i2c_hid_of" + "i2c_qcom_geni" + "leds_qcom_lpg" + "pwm_bl" + "qrtr" + "pmic_glink_altmode" + "gpio_sbu_mux" + "phy_qcom_qmp_combo" + "panel_edp" + # "msm" + "phy_qcom_edp" + "i2c_core" + "i2c_hid" + "i2c_hid_of" + "i2c_qcom_geni" + "pcie_qcom" + "phy_qcom_qmp_combo" + "phy_qcom_qmp_pcie" + "phy_qcom_qmp_usb" + "phy_qcom_snps_femto_v2" + "phy_qcom_usb_hs" + "nvme" + + "usbcore" + "xhci_hcd" + "usbhid" + "usb_storage" + "uas" + ]; + }; + }; + + + # default is performance + powerManagement.cpuFreqGovernor = "ondemand"; + + hardware.enableAllFirmware = true; + hardware.firmware = [ + # pkgs.linux-firmware + + pkgs.x13s_extra-firmware + ]; + + systemd.services.pd-mapper = { + wantedBy = [ "multi-user.target" ]; + + serviceConfig = { + ExecStart = "${lib.getExe pd-mapper}"; + Restart = "always"; + }; + 
}; + + environment.sessionVariables = alsa-ucm-conf-env; + systemd.user.services.pipewire.environment = alsa-ucm-conf-env; + systemd.user.services.wireplumber.environment = alsa-ucm-conf-env; + + systemd.services.bluetooth = { + serviceConfig = { + # disabled because btmgmt call hangs + ExecStartPre = [ + "" + "${pkgs.util-linux}/bin/rfkill block bluetooth" + "${pkgs.bluez5-experimental}/bin/btmgmt public-addr ${cfg.bluetoothMac}" + "${pkgs.util-linux}/bin/rfkill unblock bluetooth" + ]; + RestartSec = 5; + Restart = "on-failure"; + }; + }; + }; +} diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix index 399eb43..5dea719 100644 --- a/nix/os/modules/opinionatedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix @@ -24,7 +24,7 @@ in { earlyDiskIdOverride = mkOption { default = ""; - type = types.string; + type = types.str; }; }; diff --git a/nix/os/profiles/common/pkg.nix b/nix/os/profiles/common/pkg.nix index 7cd1dfb..74e987b 100644 --- a/nix/os/profiles/common/pkg.nix +++ b/nix/os/profiles/common/pkg.nix @@ -1,12 +1,11 @@ -{ - config, - pkgs, - # these come in via nodeSpecialArgs and are expected to be defined for every node - repoFlake, - repoFlakeInputs', - nodeFlake, - packages', - ... +{ config +, pkgs +, # these come in via nodeSpecialArgs and are expected to be defined for every node + repoFlake +, repoFlakeInputs' +, nodeFlake +, packages' +, ... }: { imports = [ ]; @@ -26,8 +25,6 @@ packages' nodeFlake ; - - osConfig = config; }; nixpkgs.config = { diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix index 97f4fdc..74edd68 100644 --- a/nix/os/snippets/radicale.nix +++ b/nix/os/snippets/radicale.nix 
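Review bot: The comment `# disabled because btmgmt call hangs` above `ExecStartPre` in `systemd.services.bluetooth` contradicts the code below it, which actively runs the `rfkill block` / `btmgmt public-addr` / `rfkill unblock` sequence; either the comment is stale or the list should be emptied, and the next reader cannot tell which. The `bluetoothMacAddr` option is declared with default `"00:00:00:00:00"` (five octets, a MAC address has six) and is never read — the service uses `cfg.bluetoothMac` — so it should be dropped or given a description, and `kernelPdMapper = true` in the `let` is likewise not referenced anywhere in the hunk. The kernel parameters `arm64.nopauth` and `boot.shell_on_fail` respectively disable pointer authentication and drop to a stage-1 rescue shell when boot fails; a comment such as `# arm64.nopauth disables PAC (jhovold workaround); boot.shell_on_fail gives an unauthenticated stage-1 shell on failure — keep in mind for non-lab deployments` would make that trade-off visible where the parameters are set.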
@@ -1,101 +1,30 @@ { config , lib , pkgs -, repoFlake - # TODO: make configurable -, homeUser ? "steveej" +, repoFlakeInputs' , ... }: let - radicalePkgs = repoFlake.inputs.radicale-nixpkgs.legacyPackages.${pkgs.system}; - - libdecsync = pkgs.python3Packages.buildPythonPackage rec { - pname = "libdecsync"; - version = "2.2.1"; - - src = pkgs.python3Packages.fetchPypi { - inherit pname version; - hash = "sha256-Mukjzjumv9VL+A0maU0K/SliWrgeRjAeiEdN5a83G0I="; - }; - - propagatedBuildInputs = [ - # pkgs.libxcrypt-legacy - ]; - }; - radicale-storage-decsync = pkgs.python3Packages.buildPythonPackage rec { - pname = "radicale_storage_decsync"; - version = "2.1.0"; - - src = pkgs.python3Packages.fetchPypi { - inherit pname version; - hash = "sha256-X+0MT5o2PjsKxca5EDI+rYyQDmUtbRoELDr6e4YXKCg="; - }; - - buildInputs = [ - pkgs.radicale - # pkgs.libxcrypt-legacy - # pkgs.libxcrypt - ]; - - nativeCheckInputs = [ - # pkgs.libxcrypt-legacy - # pkgs.libxcrypt - ]; - - propagatedBuildInputs = [ libdecsync pkgs.python3Packages.setuptools ]; - }; - radicale-decsync = pkgs.radicale.overrideAttrs (old: { - propagatedBuildInputs = - old.propagatedBuildInputs - ++ [ radicale-storage-decsync ]; - }); - - mkRadicaleService = - { suffix - , port - , - }: - let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} - - [auth] - type = htpasswd - htpasswd_filename = ${config.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt - - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync-${suffix} - ''; - in - { - home-manager.users.${homeUser}.systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; - }; - Install.WantedBy = [ "default.target" ]; - }; - }; 
+ # TODO: make configurable + homeUser = "steveej"; in { sops.secrets.radicale_htpasswd = { - sopsFile = ../../../../secrets/desktop/radicale_htpasswd; + sopsFile = ../../../secrets/desktop/radicale_htpasswd; format = "binary"; - owner = config.users.users.${homeUser}.name; + owner = config.users.users."${homeUser}".name; }; -} // (builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ - { - suffix = "personal"; - port = 5232; - } - { - suffix = "family"; - port = 5233; - } -]) + + home-manager.users.${homeUser} = _: { + imports = [ + # TODO: bump these to latest and make it work + (args: + import ../../home-manager/programs/radicale.nix (args // { + osConfig = config; + pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; + }) + ) + ]; + }; +} diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix new file mode 100644 index 0000000..8f8bf23 --- /dev/null +++ b/nix/os/snippets/sway-desktop.nix 
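Review bot: `owner = config.users.users."${homeUser}".name;` quotes the interpolation while `home-manager.users.${homeUser}` a few lines below does not; both are valid Nix, but the file should use one form. The new wrapper passes `osConfig = config` into the imported module, which looks like the replacement for the `osConfig = config;` line removed from an attrset in the `pkg.nix` hunk earlier in this patch; a comment such as `# osConfig is no longer injected globally; pass it per module` would make that dependency traceable. `sops.secrets.radicale_htpasswd` is still declared here but no longer referenced in this file, so its consumer is presumably `../../home-manager/programs/radicale.nix`, which is outside this diff.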
@@ -0,0 +1,90 @@ +{ pkgs, lib, ... }: + +let + # TODO: make this configurable + homeUser = "steveej"; +in +{ + services.xserver.serverFlagsSection = '' + Option "BlankTime" "0" + Option "StandbyTime" "0" + Option "SuspendTime" "0" + Option "OffTime" "0" + ''; + + hardware.opengl.enable = true; + + services.gvfs = { + enable = true; + package = lib.mkForce pkgs.gnome3.gvfs; + }; + + environment.systemPackages = with pkgs; [ + # provides a default authentification client for policykit + lxqt.lxqt-policykit + ]; + + # required by swaywm + security.polkit.enable = true; + security.pam.services.swaylock = { }; + + # test these on https://mozilla.github.io/webrtc-landing/gum_test.html + xdg.portal = { + enable = true; + # FIXME: `true` breaks xdg-open from alacritty: + # $ xdg-open "https://github.com/" + # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop + xdgOpenUsePortal = false; + extraPortals = [ + pkgs.xdg-desktop-portal-wlr + pkgs.xdg-desktop-portal-gtk + + # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr + # (pkgs.xdg-desktop-portal-gtk.override (_: { + # buildPortalsInGnome = false; + # })) + ]; + }; + + + # rtkit is optional but recommended + security.rtkit.enable = true; + services.pipewire = { + audio.enable = true; + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + }; + + networkmanager.enable = false; + + security.pam.services.getty.enableGnomeKeyring = true; + services.gnome.gnome-keyring.enable = true; + # autologin steveej on tty1 + systemd.services."autovt@tty1".description = "Autologin at the TTY1"; + systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty + systemd.services."autovt@tty1".wantedBy = [ 
"multi-user.target" ]; + systemd.services."autovt@tty1".serviceConfig = + { + ExecStart = [ + "" # override upstream default with an empty ExecStart + "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM" + ]; + Restart = "always"; + Type = "idle"; + }; + programs.zsh.loginShellInit = '' + if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then + exec sway + fi + ''; + + home-manager.users.${homeUser} = _: { + imports = [ + ../../home-manager/profiles/sway-desktop.nix + ]; + }; +} diff --git a/secrets/desktop/radicale_htpasswd b/secrets/desktop/radicale_htpasswd index 0ab6e33..10cda96 100644 --- a/secrets/desktop/radicale_htpasswd +++ b/secrets/desktop/radicale_htpasswd @@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:4Oo7a4iL9ry9qFnzd/uwllP8UZ1re+RglnvkEO11XvSqqGhGOCUX0k0kOVD/CYbdLNq7jqVI8h5Fw5grSb6SCDzlknV0bJ70mmBQ9wEhRA82P1M/T50KH6V6XIVR7IlVhjMKkdW6YH0XAyrqaVh3fJUbOk9hJVvrylLvPF4vpc9+aYdzUCvn5jbecpywYY7NRKLI7H7xUmnW,iv:vvyS08x5yXTmlZo1A+Z2zsW9Mj6JrIkNt+CvB7VZJ38=,tag:MrjYVpS+SyYLUAbin85fkw==,type:str]", + "data": "ENC[AES256_GCM,data:4Sfp4HqBQ/gsdK1iIwVisHxXHB9ryuTcsxqa4pJMYPBkn0C/Z43TuvZnUpZyACAIL00h7sPMEqQbdvmiHoo2CVizl5hB0wT6QdBwjuSjjuNDwqqJTvistCNBGsTQrb8fdsmTMGEyQmC0yQ6eF3STIT2PP/M1NPZ30zqxQInscv0Mem3n1yT0S3xamwvXkJq+WQvEhJpggsp8,iv:B+KVrsWRHYhvNCkwWhHOF6CFTpF4/tI5wOD05aMf2JI=,tag:srnaV+etedgReXLZ9QBPCw==,type:str]", "sops": { "kms": null, "gcp_kms": null, 
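Review bot: The autologin setup hard-codes `steveej` in the agetty `ExecStart`, in the `loginShellInit` test (`id --user steveej`) and in the `# autologin steveej on tty1` comment, although the file introduces `homeUser = "steveej"` with a `# TODO: make this configurable` note; using `${homeUser}` in all three places lets the TODO be resolved at one spot. Unattended login on tty1 means whoever reaches the console gets the user's session without a password, so the snippet should state what it relies on, e.g. `# tty1 autologin: console access == user session; relies on disk encryption and swaylock/idle locking`. `pkgs.utillinux` in the agetty line is the legacy alias of `pkgs.util-linux`, which the hardware module added in this same patch already uses.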
@@ -11,8 +11,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTVMxdkpjQllIZlRpQjEr\nc0RqNzNnOGplcDR6by9aL0JQY0ZmZjV3OUhrCm1sbHEvQ3hFZVg1YU5wOU5kaGpI\nK25zckJNaXhWd21kUHIyTm8yVW0reWsKLS0tIHVvbDhYZjRSbVRjOWZNaWkwcm1z\neVJyTTRNNTJBeVYxdDFCL1ozQjhQUkUK09k0LVNUugbxtZJB1JEXWmB2Q35mK1MW\nY12rpx4QwFUf1uhZDGmHMU0mrmaZRhkiTXTW+MtbHHtiGCxI8JrgLQ==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2023-07-01T17:49:07Z", - "mac": "ENC[AES256_GCM,data:DLKp0oBRgqoC1vm7Gt8IgTXQZBVhFMzRlP2CeWUHCi0PhOFFDCQCbJMJ4GnLeVAMgn1PTQXxDBJsqx1dd99oR3xXOqV6s9RUrg7BNql6G1PRnROnvGavVq+K8Oqyc6K3RDMK95Fwd20Svvyplc7fvvJVYA7XE8oVyPCj7adgIzA=,iv:0T60zdgBXTNEUyzWNH2gRJsH7D/mofiBQKD4XpaTdf4=,tag:9s0g5W0fu7PrKybYNQMfxA==,type:str]", + "lastmodified": "2024-01-22T17:03:08Z", + "mac": "ENC[AES256_GCM,data:BS4BPjzA663knjD53QWjjDKmYmT6GcOVJru0XBWDQakVvgZwrPnRSZWSuC+ubtTBiG+EMK8Zx7nY3i8S/T0AkO9FmxBR476m8oopkNvCQIIEOkOK0F5I2gd6W/SDqKBC8Wzb6qWxGYDeZBmnvjpapcyW+VvJvaXhjSJpOgff+LQ=,iv:mwa9p6YJPLDWUcPxgGErZUSd5afCdg3YmY3fL1/f6do=,tag:MQN6KPB0NwVakSps9/sLzw==,type:str]", "pgp": [ { "created_at": "2023-07-01T17:45:58Z", From 255ca68af57f9e1b3ec25b40130b77864d8b3ca7 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 22 Jan 2024 23:05:23 +0100 Subject: [PATCH 13/42] fixup! WIP: x13s: install to nvme, refactor into module --- nix/os/devices/steveej-x13s/configuration.nix | 30 ++++++++----------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index 72edd99..9a082d1 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix @@ -11,7 +11,7 @@ { imports = [ - # repoFlake.inputs.sops-nix.nixosModules.sops + repoFlake.inputs.sops-nix.nixosModules.sops nodeFlake.inputs.disko.nixosModules.disko ./disko.nix 
@@ -19,10 +19,7 @@ ../../profiles/common/pkg.nix - { - # nixpkgs.config.allowUnsupportedSystem = true; - # flake registry nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; @@ -38,14 +35,13 @@ nix.settings.max-jobs = lib.mkDefault "auto"; } - # ../../profiles/common/user.nix + ../../profiles/common/user.nix { services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "yes"; services.openssh.openFirewall = true; - # sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; # sops.defaultSopsFormat = "yaml"; @@ -59,7 +55,7 @@ nodeFlake.inputs.home-manager.nixosModules.home-manager - # ../../snippets/sway-desktop.nix + ../../snippets/sway-desktop.nix # ../../snippets/radicale.nix ]; @@ -78,7 +74,6 @@ # useNetworkd = true; }; - system.stateVersion = "23.11"; nixpkgs.config.allowUnfree = true; @@ -92,16 +87,17 @@ pkgs.git-crypt ]; - # home-manager.users.steveej = _: { - # home.stateVersion = "23.11"; + system.stateVersion = "23.11"; + home-manager.users.steveej = _: { + home.stateVersion = "23.11"; - # imports = [ - # ../../../home-manager/configuration/graphical-fullblown.nix - # ]; + imports = [ + ../../../home-manager/configuration/graphical-fullblown.nix + ]; - # home.sessionVariables = { }; + home.sessionVariables = { }; - # home.packages = with pkgs; [ - # ]; - # }; + home.packages = with pkgs; [ + ]; + }; } From ed4768a7953f1a7422eb9e584c6645c74f15c7b7 Mon Sep 17 00:00:00 2001 
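Review bot: Uncommenting `../../profiles/common/user.nix` in the `@@ -38,14 +35,13 @@` hunk activates the shared user profile on this host while the surrounding context keeps `services.openssh.settings.PermitRootLogin = "yes"` together with `openFirewall = true`; that profile (see its `user.nix` hunk in the next patch) sets `openssh.authorizedKeys.keys` for root, so `services.openssh.settings.PermitRootLogin = "prohibit-password";` would keep key-based root access while closing the password path, which NixOS leaves enabled by default. The `imports` list this hunk edits starts in the `@@ -11,7 +11,7 @@` hunk above. The `# sops.defaultSopsFile` / `# sops.defaultSopsFormat` lines remain commented-out code now that the sops module is imported; either enable them or delete them. In the last hunk `home.packages = with pkgs; [ ];` is an empty `with` scope and can be written as `home.packages = [ ];` until something is added.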
From: Stefan Junker Date: Mon, 22 Jan 2024 22:45:42 +0000 Subject: [PATCH 14/42] update commonUsers and refactor system config --- nix/os/devices/steveej-t14/system.nix | 7 +- nix/os/devices/steveej-t14/user.nix | 21 ++-- nix/os/devices/steveej-x13s/configuration.nix | 22 ++--- nix/os/lib/default.nix | 55 +++++------ nix/os/profiles/common/system.nix | 17 ++-- nix/os/profiles/common/user.nix | 98 ++++++++++++------- nix/os/snippets/sway-desktop.nix | 6 +- nix/os/snippets/timezone.nix | 9 ++ 8 files changed, 131 insertions(+), 104 deletions(-) create mode 100644 nix/os/snippets/timezone.nix diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index c5604f8..a0d5395 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -6,8 +6,6 @@ , ... }: let - passwords = import ../../../variables/passwords.crypt.nix; - localTcpPorts = [ 22 @@ -30,6 +28,7 @@ in ../../snippets/nix-settings-holo-chain.nix ../../snippets/radicale.nix ../../snippets/sway-desktop.nix + ../../snippets/timezone.nix ]; nix.settings = { @@ -64,6 +63,8 @@ in } ]; + networking.networkmanager.enable = true; + networking.extraHosts = '' ''; @@ -122,8 +123,6 @@ in services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; - time.timeZone = lib.mkForce passwords.timeZone.stefan; - hardware.ledger.enable = true; # services.zerotierone = { diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index ece9cec..f9201cd 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix 
@@ -1,19 +1,20 @@ -{ - config, - pkgs, - lib, - ... -}: let +{ config +, pkgs +, lib +, ... +}: +let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; -in { + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - passwordFile = config.sops.secrets.sharedUsers-steveej.path; + hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; }; - nix.settings.trusted-users = ["steveej"]; + nix.settings.trusted-users = [ "steveej" ]; security.pam.u2f.enable = true; security.pam.services.steveej.u2fAuth = true; diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index 9a082d1..cd2f9f2 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix @@ -45,12 +45,11 @@ # sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; # sops.defaultSopsFormat = "yaml"; - # users.commonUsers = { - # enable = true; - # enableNonRoot = true; - # }; - - users.users.root.initialPassword = "install"; + users.commonUsers = { + enable = true; + enableNonRoot = true; + installPassword = "install"; + }; } nodeFlake.inputs.home-manager.nixosModules.home-manager @@ -66,14 +65,9 @@ bluetoothMac = "65:9e:7a:8b:86:28"; }; - networking = { - hostName = nodeName; - - firewall.enable = true; - - # useNetworkd = true; - }; - + networking.hostName = nodeName; + networking.firewall.enable = true; + networking.networkmanager.enable = true; nixpkgs.config.allowUnfree = true; diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 252989e..38930fe 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix 
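Review bot: `installPassword = "install";` in the new `users.commonUsers` block of `steveej-x13s/configuration.nix` gives root and the non-root user a fixed, guessable password on a host whose configuration (context in the previous patch) also enables OpenSSH with `PermitRootLogin = "yes"` and opens the firewall, so the machine is reachable with a well-known root password for as long as this line is deployed. If it is only meant for the first boot from install media, say so and make it obvious, e.g. `installPassword = "install"; # FIRST BOOT ONLY: remove once sops secrets are available`, or move it into a separate bootstrap module that the flake's default configuration does not import. The value is also a literal in a git-tracked file, so it stays in history after removal; treating it as disposable is the only sensible reading. The `passwordFile` → `hashedPasswordFile` rename in `steveej-t14/user.nix` is consistent with the shared profile's change later in this patch.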
@@ -6,35 +6,34 @@ let keys = import ../../variables/keys.nix; in { - mkUser = args: ( - lib.attrsets.recursiveUpdate - { - isNormalUser = true; - extraGroups = [ - "docker" - "wheel" - "libvirtd" - "networkmanager" - "vboxusers" - "users" - "input" - "audio" - "video" - "cdrom" - "adbusers" - "dialout" - "cdrom" - "fuse" - ]; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; + mkUser = args: lib.mkMerge [ + { + isNormalUser = true; + extraGroups = [ + "docker" + "wheel" + "libvirtd" + "networkmanager" + "vboxusers" + "users" + "input" + "audio" + "video" + "cdrom" + "adbusers" + "dialout" + "cdrom" + "fuse" + ]; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; - # TODO: investigate why this secret cannot be found - # openssh.authorizedKeys.keyFiles = [ - # config.sops.secrets.sharedSshKeys-steveej.path - # ]; - } - args - ); + # TODO: investigate why this secret cannot be found + # openssh.authorizedKeys.keyFiles = [ + # config.sops.secrets.sharedSshKeys-steveej.path + # ]; + } + args + ]; disk = rec { # TODO: verify the GPT PARTLABEL cap at 36 chars diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index 4039a9e..7fa2c2d 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix @@ -1,9 +1,8 @@ -{ - config, - pkgs, - lib, - nodeName, - ... +{ config +, pkgs +, lib +, nodeName +, ... }: { networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname. networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2; @@ -15,11 +14,11 @@ ''; # Fonts, I18N, Date ... - fonts.fonts = [pkgs.corefonts]; + fonts.packages = [ pkgs.corefonts ]; console.font = "lat9w-16"; - i18n = {defaultLocale = "en_US.UTF-8";}; + i18n = { defaultLocale = "en_US.UTF-8"; }; time.timeZone = "Etc/UTC"; services.gpm.enable = true; 
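Review bot: Switching `mkUser` from `lib.attrsets.recursiveUpdate` to `lib.mkMerge [ {...} args ]` changes how `extraGroups` behaves: with `recursiveUpdate` a caller's `extraGroups` replaced the default list, whereas the module system merges list options by concatenation, so a caller can no longer drop defaults such as `docker` and `wheel` (both root-equivalent) without `lib.mkForce`. That is a deliberate choice worth recording above the definition, e.g. `# mkMerge: caller attrs are merged into the defaults; extraGroups concatenates, use lib.mkForce to replace`. Independently, `"cdrom"` appears twice in the default `extraGroups` list.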
@@ -52,6 +51,6 @@ programs.zsh.enable = true; users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = ["/share/zsh"]; + environment.pathsToLink = [ "/share/zsh" ]; programs.fuse.userAllowOther = true; } diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index b21cd4e..0df5e5f 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix @@ -1,9 +1,9 @@ -{ - config, - pkgs, - lib, - ... -}: let +{ config +, pkgs +, lib +, ... +}: +let keys = import ../../../variables/keys.nix; inherit (import ../../lib/default.nix { @@ -16,7 +16,8 @@ inherit (lib) types; cfg = config.users.commonUsers; -in { +in +{ options.users.commonUsers = { enable = lib.mkOption { default = true; 
@@ -32,41 +33,64 @@ in { default = config.sops.secrets.sharedUsers-root.path; type = types.path; }; + + installPassword = lib.mkOption { + default = ""; + type = types.str; + }; }; - config = lib.mkIf cfg.enable { - sops.secrets.sharedUsers-root = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + config = lib.mkIf cfg.enable (lib.mkMerge [ + (lib.mkIf (cfg.installPassword == "") { + sops.secrets.sharedUsers-root = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - # neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + # neededForUsers = true; + format = "yaml"; + }; + }) - users.mutableUsers = lib.mkForce false; + { + users.mutableUsers = lib.mkForce false; - users.extraUsers.root = { - passwordFile = cfg.rootPasswordFile; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; + users.users.root = lib.mkMerge [ + { + openssh.authorizedKeys.keys = keys.users.steveej.openssh; + } - # TODO: investigate why this secret cannot be found - # openssh.authorizedKeys.keyFiles = [ - # config.sops.secrets.sharedSshKeys-steveej.path - # ]; - }; + (lib.mkIf (cfg.installPassword != "") { + password = cfg.installPassword; + }) - users.extraUsers.steveej = lib.mkIf cfg.enableNonRoot (mkUser { - uid = 1000; - passwordFile = config.sops.secrets.sharedUsers-steveej.path; - }); - }; + (lib.mkIf (cfg.installPassword 
== "") { + hashedPasswordFile = cfg.rootPasswordFile; + }) + ]; + + + users.users.steveej = lib.mkIf cfg.enableNonRoot (mkUser (lib.mkMerge [ + { + uid = 1000; + } + + (lib.mkIf (cfg.installPassword != "") { + password = cfg.installPassword; + }) + + (lib.mkIf (cfg.installPassword == "") { + hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; + }) + ])); + } + ]); } diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix index 8f8bf23..e032d26 100644 --- a/nix/os/snippets/sway-desktop.nix +++ b/nix/os/snippets/sway-desktop.nix @@ -35,6 +35,10 @@ in # $ xdg-open "https://github.com/" # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop xdgOpenUsePortal = false; + + # keep the behaviour in < 1.17, which uses the first portal implementation found in lexicographical order, use the following: + config.common.default = "*"; + extraPortals = [ pkgs.xdg-desktop-portal-wlr pkgs.xdg-desktop-portal-gtk @@ -59,8 +63,6 @@ in #jack.enable = true; }; - networkmanager.enable = false; - security.pam.services.getty.enableGnomeKeyring = true; services.gnome.gnome-keyring.enable = true; # autologin steveej on tty1 diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix new file mode 100644 index 0000000..9ed1dea --- /dev/null +++ b/nix/os/snippets/timezone.nix @@ -0,0 +1,9 @@ +{ lib, ... }: + +let + passwords = import ../../../variables/passwords.crypt.nix; + +in +{ + time.timeZone = lib.mkDefault passwords.timeZone.stefan; +} From 82362958dbfa1f4597c0e673dc7eb6e0cbb9c0aa Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 22 Jan 2024 23:47:36 +0000 Subject: [PATCH 15/42] refactor flaken.nix hive handling --- flake.nix | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/flake.nix b/flake.nix index 3191f4c..c6bbc6b 100644 --- a/flake.nix +++ b/flake.nix 
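Review bot: `password = cfg.installPassword;` in the new `users.users.root` and `users.users.steveej` merges sets `users.users.<name>.password`, which NixOS documents as ending up in cleartext in the world-readable Nix store; the option is therefore only acceptable for throwaway bootstrap systems, and `installPassword` should say so in a description, e.g. `description = "Cleartext bootstrap password for root and the non-root user; stored in the Nix store, first boot only.";`. Both accounts receive the same password when it is set, and nothing checks that the value is empty once sops secrets are available, so an `assertions` entry (or at least `lib.warnIf (cfg.installPassword != "") "users.commonUsers.installPassword is set"`) would catch a value that survives into a deployed configuration. The `""` default doubles as the sentinel for "use the sops-managed hashes", which is fine but should be stated in the same description. The enclosing `config = lib.mkIf cfg.enable (lib.mkMerge [` opens in the first part of this hunk, above this line.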
@@ -145,13 +145,14 @@ # this makes nixos-anywhere work flake.nixosConfigurations = - (inputs.colmena.lib.makeHive self.outputs.colmena).nodes - // ( - let - router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; - steveej-x13s = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations; - retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations; - in + let + colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; + router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; + retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations; + in + ( + colmenaHive // + { router0-dmz0 = router0-dmz0.native; @@ -162,7 +163,7 @@ # nixos-install --flake .\#retro_cross retro_cross = retro.cross; - steveej-x13s_cross = steveej-x13s.cross; + steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross; } ); From d26e64452d3dbaa8bedf24d3b8414489445bebbb Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Mon, 22 Jan 2024 23:47:48 +0000 Subject: [PATCH 16/42] mostly fix up stateVersions --- nix/home-manager/profiles/common.nix | 4 +- nix/home-manager/profiles/sway-desktop.nix | 210 +++++++++--------- nix/os/devices/steveej-t14/pkg.nix | 6 +- nix/os/devices/steveej-t14/user.nix | 2 +- nix/os/devices/steveej-x13s/configuration.nix | 7 + nix/os/devices/steveej-x13s/flake.nix | 6 +- nix/os/snippets/sway-desktop.nix | 21 +- nix/os/snippets/timezone.nix | 2 +- 8 files changed, 136 insertions(+), 122 deletions(-) diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index 9c76c30..4356534 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix 
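Review bot: `steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross;` inlines the `get-flake` call while `router0-dmz0` and `retro` keep their `let`-bound `.nixosConfigurations` form in the same expression; restoring `steveej-x13s = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations;` in the `let` and using `steveej-x13s.cross` keeps one pattern for all three. The trailing `colmenaHive //` at line end reads awkwardly next to the leading-operator style used elsewhere in the refactor.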
@@ -1,4 +1,4 @@ -{ pkgs, ... }: { +{ pkgs, lib, ... }: { # TODO: re-enable this with the appropriate version? # programs.home-manager.enable = true; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; @@ -83,6 +83,4 @@ usbutils pciutils ]); - - home.stateVersion = "22.05"; } diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix index b11550a..f2bde47 100644 --- a/nix/home-manager/profiles/sway-desktop.nix +++ b/nix/home-manager/profiles/sway-desktop.nix @@ -1,18 +1,19 @@ -{ - pkgs, - config, - lib, - # packages', - repoFlakeInputs', - ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +{ pkgs +, config +, lib +, # packages', + repoFlakeInputs' +, ... +}: +let + inherit (import ../lib.nix { }) mkSimpleTrayService; lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; -in { +in +{ imports = [ ../profiles/wayland-desktop.nix ../programs/waybar.nix 
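Review bot: `lib` is added to the module arguments of `common.nix` in the `@@ -1,4 +1,4 @@` hunk, but nothing in the visible hunks uses it; if no later part of the file needs it, the parameter is dead. Removing `home.stateVersion = "22.05";` means every consumer of this profile must now set `home.stateVersion` itself, since home-manager provides no default; the x13s configuration in an earlier patch does, while the t14 side is presumably handled by the `steveej-t14/user.nix` change listed in this patch's diffstat but outside this diff. A comment at the top of the profile such as `# home.stateVersion is intentionally not set here; each host sets its own` would stop someone from re-adding it.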
@@ -103,103 +104,106 @@ in { systemd.enable = true; xwayland = true; - config = let - modifier = "Mod4"; - inherit (config.wayland.windowManager.sway.config) left right up down; - in { - inherit modifier; - bars = []; + config = + let + modifier = "Mod4"; + inherit (config.wayland.windowManager.sway.config) left right up down; + in + { + inherit modifier; + bars = [ ]; - input = { - "type:keyboard" = - { - xkb_layout = config.home.keyboard.layout; - xkb_variant = config.home.keyboard.variant; - } - // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) { - xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + input = { + "type:keyboard" = + { + xkb_layout = config.home.keyboard.layout; + xkb_variant = config.home.keyboard.variant; + } + // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { + xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + }; + + "type:touchpad" = { + natural_scroll = "enabled"; }; - - "type:touchpad" = { - natural_scroll = "enabled"; }; + + keybindings = lib.mkOptionDefault { + # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi + # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; + "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; + + # only 1-9 exist on the default config + "${modifier}+0" = "workspace number 0"; + "${modifier}+Shift+0" = "move container to workspace number 0"; + + # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it + "${modifier}+b" = "nop"; + "${modifier}+v" = "nop"; + + # move workspace to output + "${modifier}+Control+Shift+${left}" = "move workspace to output left"; + "${modifier}+Control+Shift+${right}" = "move workspace to output right"; + "${modifier}+Control+Shift+${up}" = "move workspace to output up"; + "${modifier}+Control+Shift+${down}" = "move workspace to output down"; + # move workspace to output with 
arrow keys + "${modifier}+Control+Shift+Left" = "move workspace to output left"; + "${modifier}+Control+Shift+Right" = "move workspace to output right"; + "${modifier}+Control+Shift+Up" = "move workspace to output up"; + "${modifier}+Control+Shift+Down" = "move workspace to output down"; + + "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; + "${modifier}+q" = "kill"; + "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; + + "${modifier}+x" = "exec ${swapOutputWorkspaces}"; + + "${modifier}+Ctrl+l" = "exec ${lockCmd}"; + + "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; + "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; + "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; + + "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; + "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; + "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; + + "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; + }; + + terminal = "alacritty"; + startup = + [ + { + command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target + ) & + ''); + } + ] + ++ lib.optionals config.services.swayidle.enable [ + { + command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart swayidle + ) & + ''); + } + ]; + + colors.focused = lib.mkOptionDefault { + childBorder = lib.mkForce "#ffa500"; + }; + + window.titlebar = false; + window.border = 4; + + # this maps to focus_on_window_activation + focus.newWindow = "urgent"; }; - - keybindings = 
lib.mkOptionDefault { - # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi - # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; - "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; - - # only 1-9 exist on the default config - "${modifier}+0" = "workspace number 0"; - "${modifier}+Shift+0" = "move container to workspace number 0"; - - # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it - "${modifier}+b" = "nop"; - "${modifier}+v" = "nop"; - - # move workspace to output - "${modifier}+Control+Shift+${left}" = "move workspace to output left"; - "${modifier}+Control+Shift+${right}" = "move workspace to output right"; - "${modifier}+Control+Shift+${up}" = "move workspace to output up"; - "${modifier}+Control+Shift+${down}" = "move workspace to output down"; - # move workspace to output with arrow keys - "${modifier}+Control+Shift+Left" = "move workspace to output left"; - "${modifier}+Control+Shift+Right" = "move workspace to output right"; - "${modifier}+Control+Shift+Up" = "move workspace to output up"; - "${modifier}+Control+Shift+Down" = "move workspace to output down"; - - "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; - "${modifier}+q" = "kill"; - "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; - - "${modifier}+x" = "exec ${swapOutputWorkspaces}"; - - "${modifier}+Ctrl+l" = "exec ${lockCmd}"; - - "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; - "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; - "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; - - "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; - "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; - "--locked XF86AudioMute" = "exec 
${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; - - "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; - }; - - terminal = "alacritty"; - startup = - [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target - ) & - ''); - } - ] - ++ lib.optionals config.services.swayidle.enable [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart swayidle - ) & - ''); - } - ]; - - colors.focused = lib.mkOptionDefault { - childBorder = lib.mkForce "#ffa500"; - }; - - window.border = 4; - - # this maps to focus_on_window_activation - focus.newWindow = "urgent"; - }; }; services.swayidle = { diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix index 25c15c5..806de3c 100644 --- a/nix/os/devices/steveej-t14/pkg.nix +++ b/nix/os/devices/steveej-t14/pkg.nix @@ -4,7 +4,12 @@ , nodeFlake , ... }: { + system.stateVersion = "23.05"; + home-manager.users.root = _: { + home.stateVersion = "22.05"; + }; home-manager.users.steveej = _: { + home.stateVersion = "22.05"; imports = [ ../../../home-manager/configuration/graphical-fullblown.nix @@ -103,5 +108,4 @@ # # }; # }; - system.stateVersion = "23.05"; } diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index f9201cd..2a83802 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix @@ -8,7 +8,7 @@ let inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; in { - users.extraUsers.steveej2 = mkUser { + users.users.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; 
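Review bot: This hunk re-indents nix/home-manager/profiles/sway-desktop.nix into leading-comma, nested-`let` style (the first hunk of the file does the same to its header) while the only behavioural addition is `window.titlebar = false;`, yet the flake still declares `formatter = pkgs.alejandra;` (visible as context in the PATCH 17 flake.nix hunk), so a later `nix fmt` would likely reflow all of this back. Either the formatter should change in the same series (e.g. `formatter = pkgs.nixpkgs-fmt;`) or the layout should be left alone; the nix/os/snippets/sway-desktop.nix hunk in this patch has the same issue. Because the whitespace churn hides the functional line, a comment such as `window.titlebar = false; # border alone marks focus` would make the change findable.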
diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index cd2f9f2..0da079a 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix @@ -55,6 +55,7 @@ nodeFlake.inputs.home-manager.nixosModules.home-manager ../../snippets/sway-desktop.nix + ../../snippets/timezone.nix # ../../snippets/radicale.nix ]; @@ -82,6 +83,9 @@ ]; system.stateVersion = "23.11"; + home-manager.users.root = _: { + home.stateVersion = "23.11"; + }; home-manager.users.steveej = _: { home.stateVersion = "23.11"; @@ -89,6 +93,9 @@ ../../../home-manager/configuration/graphical-fullblown.nix ]; + # seems to be broke on install + programs.chromium.enable = lib.mkForce false; + home.sessionVariables = { }; home.packages = with pkgs; [ diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix index 8ee5695..cb1fed8 100644 --- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s/flake.nix @@ -30,6 +30,7 @@ targetPlatform = "aarch64-linux"; buildPlatform = "x86_64-linux"; nodeName = "steveej-x13s"; + repoFlake = get-flake ../../../..; mkNixosConfiguration = { extraModules ? [ ], ... } @ attrs: nixpkgs.lib.nixosSystem ( @@ -38,15 +39,14 @@ { specialArgs = (import ./default.nix { system = targetPlatform; - inherit nodeName; + inherit nodeName repoFlake; - repoFlake = get-flake ../../../..; nodeFlake = self; }).meta.nodeSpecialArgs.${nodeName}; modules = [ - ({ repoFlake, ... }: repoFlake.nixosModules.hardware-x13s) + repoFlake.nixosModules.hardware-x13s ./configuration.nix ] diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix index e032d26..2ede0f6 100644 --- a/nix/os/snippets/sway-desktop.nix +++ b/nix/os/snippets/sway-desktop.nix 
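Review bot: `programs.chromium.enable = lib.mkForce false;` in the third hunk of nix/os/devices/steveej-x13s/configuration.nix sits inside `home-manager.users.steveej = _: { … }`, a module that takes no arguments, so `lib` must come from the enclosing NixOS module's argument set; that header is outside the hunk, so confirm it binds `lib`, or bind it locally with `home-manager.users.steveej = { lib, ... }: {`. The comment `# seems to be broke on install` would be more useful stating what fails and when the override can go, e.g. `# TODO: chromium breaks the install on this host; force-disabled until the cause is found`.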
@@ -65,26 +65,27 @@ in security.pam.services.getty.enableGnomeKeyring = true; services.gnome.gnome-keyring.enable = true; + # autologin steveej on tty1 + # TODO: make user configurable systemd.services."autovt@tty1".description = "Autologin at the TTY1"; systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; - systemd.services."autovt@tty1".serviceConfig = - { - ExecStart = [ - "" # override upstream default with an empty ExecStart - "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM" - ]; - Restart = "always"; - Type = "idle"; - }; + systemd.services."autovt@tty1".serviceConfig = { + ExecStart = [ + "" # override upstream default with an empty ExecStart + "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM" + ]; + Restart = "always"; + Type = "idle"; + }; programs.zsh.loginShellInit = '' if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then exec sway fi ''; - home-manager.users.${homeUser} = _: { + home-manager.users."${homeUser}" = _: { imports = [ ../../home-manager/profiles/sway-desktop.nix ]; diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix index 9ed1dea..a3ebd92 100644 --- a/nix/os/snippets/timezone.nix +++ b/nix/os/snippets/timezone.nix @@ -1,7 +1,7 @@ { lib, ... }: let - passwords = import ../../../variables/passwords.crypt.nix; + passwords = import ../../variables/passwords.crypt.nix; in { From bcaadcfb3db33f4e40cc1b85cb9dd2e552f572bf Mon Sep 17 00:00:00 2001 
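Review bot: The rewritten `serviceConfig` block still hardcodes `steveej` in `--autologin steveej`, and the context `programs.zsh.loginShellInit` does the same in `id --user steveej`, although `homeUser` is in scope in this file — it is used a few lines later in `home-manager.users."${homeUser}"`. Using `--autologin ${homeUser}` and `id --user ${homeUser}` would resolve the `# TODO: make user configurable` comment this hunk adds instead of deferring it. Since `--autologin` grants a session on tty1 without a password prompt, the same comment could also record why that is acceptable on this device, so the trade-off is visible to whoever reuses the snippet. The module header, presumably where `homeUser` is bound, is outside the hunk.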
From: Stefan Junker Date: Tue, 23 Jan 2024 09:39:43 +0000 Subject: [PATCH 17/42] direnv,devShells: split into develop and install --- .envrc | 2 +- flake.nix | 18 +++- nix/devShells.nix | 99 +++++++++---------- .../secrets.yaml | 0 4 files changed, 63 insertions(+), 56 deletions(-) rename secrets/{steveej-x13s-rmvbl => steveej-x13s}/secrets.yaml (100%) diff --git a/.envrc b/.envrc index d8f5b3d..697ced8 100644 --- a/.envrc +++ b/.envrc @@ -1 +1 @@ -use_flake . --impure +use_flake .#develop --impure diff --git a/flake.nix b/flake.nix index c6bbc6b..5c9e433 100644 --- a/flake.nix +++ b/flake.nix @@ -170,7 +170,8 @@ inherit systems; perSystem = - { inputs' + { self' + , inputs' , system , config , lib @@ -295,11 +296,18 @@ }; formatter = pkgs.alejandra; - devShells.default = import ./nix/devShells.nix { - inherit inputs' pkgs; - packages' = packages; - }; + devShells = + let + all = import ./nix/devShells.nix { + inherit + self' + inputs' + pkgs + ; + }; + in + (all // { default = all.develop; }); }; flake.nixosModules = { diff --git a/nix/devShells.nix b/nix/devShells.nix index d4d5c07..ebd879b 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix 
@@ -1,70 +1,69 @@ -{ inputs' -, packages' +{ self' +, inputs' , pkgs -, }: -pkgs.stdenv.mkDerivation { - name = "infra-env"; - buildInputs = - [ - (with pkgs.callPackage (pkgs.path + "/nixos") { configuration = { }; }; - with config.system.build; [ - nixos-generate-config - nixos-install - nixos-enter - manual.manpages - ]) - ] - ++ (with pkgs; [ - inputs'.colmena.packages.colmena + +{ + install = pkgs.mkShell { + name = "infra-install"; + packages = with pkgs; [ nixos-install-tools + inputs'.disko.packages.disko + just + git + git-crypt + gnupg + ]; + }; + + develop = pkgs.mkShell { + name = "infra-develop"; + inputsFrom = [ + self'.devShells.install + ]; + packages = with pkgs; [ + inputs'.colmena.packages.colmena dconf2nix inputs'.nixos-anywhere.packages.nixos-anywhere - inputs'.disko.packages.default nurl - just - git-crypt vcsh - gnupg - git ripgrep - lm_sensors - pass - fuzzel - wofi + # pass age age-plugin-yubikey ssh-to-age yubico-piv-tool inputs'.sops-nix.packages.default sops + nil apacheHttpd - vncdo - tesseract - imagemagick + # vncdo + # tesseract + # imagemagick - nmap - sysstat - lshw - xxHash - linssid - wavemon - wirelesstools + # lm_sensors - zathura - xorg.xwininfo - glxinfo - autorandr - arandr - playerctl - x11docker - fwupd + # nmap + # sysstat + # lshw + # xxHash + # linssid + # wavemon + # wirelesstools - ntfy + # zathura + # xorg.xwininfo + # glxinfo + # autorandr + # arandr + # playerctl + # x11docker + # fwupd - hedgedoc-cli + # ntfy + # hedgedoc-cli xwayland @@ -75,9 +74,9 @@ pkgs.stdenv.mkDerivation { (pkgs.writeShellScriptBin "r11" '' exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@ '') + ]; - ]); - - # Set Environment Variables - RUST_BACKTRACE = 1; + # Set Environment Variables + RUST_BACKTRACE = 1; + }; } diff --git a/secrets/steveej-x13s-rmvbl/secrets.yaml b/secrets/steveej-x13s/secrets.yaml similarity index 100% rename from secrets/steveej-x13s-rmvbl/secrets.yaml rename to secrets/steveej-x13s/secrets.yaml 
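Review bot: The new `develop` shell keeps roughly twenty packages as commented-out lines (`# vncdo` through `# hedgedoc-cli`) instead of removing them; since the split into `install`/`develop` is the point of this change, deleting them (git keeps the history) or moving them into a third shell would be cleaner than a block of dead list entries. `inputsFrom = [ self'.devShells.install ];` reaches back through `self'` into the very output this file produces; that should work given lazy evaluation, but `let install = pkgs.mkShell { … }; in { inherit install; develop = pkgs.mkShell { inputsFrom = [ install ]; … }; }` avoids the self-reference and the dependency on how the flake wires `self'`. In the second hunk `RUST_BACKTRACE = 1;` now applies only to `develop`; if it was also wanted in the install shell it needs adding there.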
From 13dcb13bacb363b058030fdad72b54f29d8fe1dc Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Tue, 23 Jan 2024 09:40:21 +0000 Subject: [PATCH 18/42] secrets: rename steveej-x13s{-rmvbl} and update key --- .sops.yaml | 10 +- .../configuration/graphical-fullblown.nix | 1 - secrets/shared-users.yaml | 118 +++++++++--------- secrets/steveej-x13s/secrets.yaml | 32 ++--- 4 files changed, 80 insertions(+), 81 deletions(-) diff --git a/.sops.yaml b/.sops.yaml index 895ce81..d003e1b 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -8,7 +8,7 @@ keys: - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl - - &steveej-x13s-rmvbl age1hkta9w0yawwwwchapemkygzxkrv7vx759vrafgrjhm63spckwstque8x97 + - &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 @@ -25,7 +25,7 @@ creation_rules: - *steveej age: - *steveej-t14 - - *steveej-x13s-rmvbl + - *steveej-x13s - *elias-e525 - *justyna-p300 @@ -47,7 +47,7 @@ creation_rules: - *steveej age: - *steveej-t14 - - *steveej-x13s-rmvbl + - *steveej-x13s - path_regex: ^secrets/servers/.+$ key_groups: - pgp: @@ -92,9 +92,9 @@ creation_rules: - *steveej age: - *sj-bm-hostkey0 - - path_regex: ^secrets/steveej-x13s-rmvbl/.+$ + - path_regex: ^secrets/steveej-x13s/.+$ key_groups: - pgp: - *steveej age: - - *steveej-x13s-rmvbl + - *steveej-x13s diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index aa8f6e7..b46e96c 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -202,7 +202,6 @@ in # Code Editing and Programming # pkgsUnstableSmall.lapce # pkgsUnstableSmall.helix - # pkgsUnstableSmall.nil # Image/Graphic/Design Tools gnome.eog 
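Review bot: Swapping the `steveej-x13s-rmvbl` alias for the new `steveej-x13s` key in `.sops.yaml` only changes who future encryptions target; the ciphertexts already in git history remain decryptable by the retired key `age1hkta9w0…`, and this patch re-encrypts `secrets/shared-users.yaml` and `secrets/steveej-x13s/secrets.yaml` but no other file matched by the two earlier creation rules that also listed the old alias. If the old key was merely lost that is fine; if it may be exposed, the secrets themselves (not just the key grant) need rotating. Running `sops updatekeys` across every file those rules match would confirm nothing is still encrypted to the retired key, and a one-line comment next to the new alias, e.g. `# rotated 2024-01-23, replaces the rmvbl key`, would tell the next reader why the key changed.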
diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml index e423eb6..66305f1 100644 --- a/secrets/shared-users.yaml +++ b/secrets/shared-users.yaml 
@@ -16,100 +16,100 @@ sops: - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlanJ3b29Ed2Q3Y2I3SWRt - TlpTRFpMT3FhOUl0dGZGMW1lU3pQNW95bkZjCjY0bXV4Q2dBQjd6emZRdlczQ0F6 - V3RvbklucGhzbGpPUzJ4K3FrNzJ2SVEKLS0tIFRlWWRBNk1HdllsZzNQZDIwa2N6 - bUpjR0ZzNVd5dEpEZUJCSnVUWVJtSzAKb2dEX133nceasBIwgd8q6x6WWPCQ0Ukg - Rmsbi5u1SYrZr3544sVoo0PvkU7gT9Fh4/LOy9oPpJSEcTXf5DMzjQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzWFp1QUNPeEJDci9ibTg2 + ZUNkMVNld1ZxNkVmUk9jMld3L01ndWVtakZ3ClQ1V2crS3hITG8rSmx4OWE3RU96 + SC9xb0VybDZDN0FwU0JTTHJPRDB0QkUKLS0tIEU5cmh3bW1iWHJ4RDdrUUF0VG5M + MUhWRm5qdnpCUFZ2N3FvL1FITDhNMmsK1TKbM1jrJMvy16yhZwLGcqOan5RTiKYu + jVaSgPaxJLPhtWReAH5RM2JOmrET1DdI7q8vFD7eaJIzKdBxAIwhQg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6K2x0c0swK1lHb2VCZi9v + RUo5VkRPayt2V0RyRVVhSlRGME5TMm9KZFRFCnY0NTdEb1FqK1JUaUdmQ09mOGha + SCtMVnRWYUpmYkM5OUY4TlJQd3MrdE0KLS0tIGdiZFpuZnFiNloxMTNFOWhoM2hV + TlovVmMrVHdDdmQ0dnRhZWxRZHJkMmMKpYOiZy2BVhddpSNiXasycmDaD9lA8irk + ThkO0iaLu2fG7RhT9A9VfXu6eE3ZHN6vr4hv/ItzAbP+T8Ro+Yvwfg== -----END AGE ENCRYPTED FILE----- - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRjBHQ2lDYmhsei84STdk - eUVOdWZGOTJMR1JwbHB2ek5mRzVVdkJuU0ZjCmk2NUttVjgwTk42OUtxVStVMEFK - VFo0RFRyR3RJa2VJSm95NVV3dm5YL3MKLS0tIExGQUlhS3RDMjRHejRaZ01BQWZ1 - U0pZR3BzakVmUW1QNGhsQkNQMk1NY00KR3ZP/WB3sMNoWi13mjMqgnZuM8tnIjty - QHgwav0qOkcQqdYSfOY/DxmPgTG0CKroqRXY8Hk72Y/UH2HpyIptnQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuS0FVR3N3YnRlMXBwMVpj + elZ6dVlyMWRoSUx1UlVmYThBcWFFdmxEWTNRCkhFZEVDUGpsS1ZmelBSQVpZUWVC + ZlNqcm9EVXF3U3hLYThpbGVSeVFDNDQKLS0tIGV0bkI2aVNmbnJmR2lqSFVLMGNr + 
aVZFd091T1U4QVdVcWtSbnppd3BEODAKPzj/phV8BijdFewcwBV+loKk4o1tBJ6t + CP8kwiIb03/lCd9HmyLgAUt0PlMJFbT4FJNEjwBstMErUdvClXO3dg== -----END AGE ENCRYPTED FILE----- - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3UUs4dTFIcXVvZ285N1A1 - MmhleE50YXVGaDg0QlZsUWZNam4wYjRwL1FVClNBUm9GcWNvUitYSnBla1dIeDFl - SmZKMzBQTWpSdGRPcDVlTmRjQzZxNWcKLS0tIFh2UGJtMHdZTXo1N2lzckM3YXRl - NmZpcGRLVmZsYjkwZkJ2NEk5dzlmY0EKtxNY7qvh5ErrAhRcQHVnDc1orsYlLGCS - 8uLSOapuC8W6EH6w6aewQiggKBjDmECpNo7VyXfbURfaOk4o8uqg3A== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOEZ0V2pOcStDb2YwclZG + U0t2RklFMkJQdE82cTVDK1NGMUt5R2R0c0VFCmV4Q2Rob2E2REVMUlRkeS8xTVVu + U296N2FFRHpmRnJPQjRBUmRaMEpnL2cKLS0tIFBseEpvSTJ0azBRUEVRa1dqT1RK + bFVpbVY5RU01R3pEcWFsQ0pkQWkwYlEKIW1AmTBR1UIjD9n3o2QyWb/FfUUa8qQz + b0GtaaQkY17GyoBzrBh0G4D2yziPy8N9AwOTaaDJ7l5VZq9ydKbTrA== -----END AGE ENCRYPTED FILE----- - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUEFIb3VmZVE2Q1NheGEx - YmdscFdEYThQa29jTEdzdjZlK1U2WFlUY3dVCm1CUmlMY21pMXRGTXY4RDZ3cE1p - UUxNMEozQndUaTNGUlVrK0pKWC9WODAKLS0tIG1wSnNEZVUvakkxZS8yaklpWlNH - MFZkc2Z4M1FNdWZkdmwvQVpiRDFtbTQKbnNBlKnsNiL6BeSC9AoGx6IVeOyvB5IH - mP6aBQHyOBMgGql2+WHLdjBS5qEeR43jZbWNKiTnt8lnnfj7GVgiPA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2YTZGb1pXSWZVNk95aFVp + UTFDUHlweGVUQmV1KyttSXpjeng0WFd5d1ZFClJwL2xGVmhlTlJzNVhhaElmbnl2 + K2RmUlR0SzNkMWhmb1lOTTMyVUt4Rk0KLS0tIElFV0hCZVRwWTNJYldmR2ZYU2Rm + dHRuVThQRm9NT05HdzdHOWh6R2dLYnMKvrsQXgfRyHOl2aN64JHPXEdlvcHynEss + I4dCLuvKuPh5WjcFZ16zidGzffNKZTHsXPv/WKFUsy20lONByRuRbA== -----END AGE ENCRYPTED FILE----- - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1NTlhSXRFN1ZrYjZGdXlG - 
dDBlVUxJd0FlQnpETkJSbHppNGlncEp1emhRCjRLMkEvbXRkampwcWxvNnhRRVhY - dWlQWWI5YXJQMmR3cWxOVUtneWRDRFkKLS0tICt6ZEF3cHg0SUxES243TzdFcnVS - bkgrWklIbFFrRHdHZGdvMGlHTGNXUkEKUuT35aX71q+KBXozpoGWcHeSs0g70kyY - yo5uuD6Ay4QlNtdfeOYmsyg8iikOrpw5Mer2vsSTWGbszy8p1+93Pw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WndIcHhndkVjazRKV3Rq + U2JjYTZyYUhheG5pSlI0VE9tZ2w0SlRBM0JBCm1YSWxFa0RjVUhFb2xHMnMxbGZy + S1V1b1RMVExFRW0rUU03YXNjejJ3enMKLS0tIHlwdHNNRHNYL2xyeFFCcHdIVFRi + MDZaQjREbWw5aG82NG1Ea0J2d0tTMWMKCodGBDTKbq5qcmtrAh0HrdZ7fmEx8VhH + InCa5SXSRo7cVQe6VRBczF3RC/Mc2u+xzEDd1XbyGviqt1CkI1UPRQ== -----END AGE ENCRYPTED FILE----- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUSzR0SFJPSjBVQVlCcFBT - ajMwNUFzZWwzMDkzTHh0anJETnVicWdiVFJJClRSVi9MbjdKcUUvRVFyby9RSVdk - VHpxbnBuQll3QzQwUERCNXdQOCtZSE0KLS0tIDBhbW1YU2c5YVpwUVMwY2EwVjRD - dk1uTzNZN1hnT2NHU29EN2FsQ1pUQVEK+cpcftNnD8HhLimsrp+YDLwurUZqENkQ - HX45h7tC7J6R0+w8A/1nfY1gsST/asgJhSGjroB+EdsP2aGUCUiNyA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDa2YzeTBEOXlIcUJlZlVl + NUdCTGRYcUhOa0dkRjR2RHJNZ3VWclJWd3hjCmFZY0dEVTlwb3lNajE2emFCZmZ2 + SkhTejc3cFA1Yjc0ZHF2TjRYZ1Qvc1kKLS0tIGxDbWNjaXlvU2ttbDR4NW9UYThr + OWRZb1d5dkxETCt1RThQK0Z4cmJSb28KGrAeCR7Q37WwyEzHT5CvaMVmVUoyv1s3 + dDbEu8mtNhDBi9LYMwfbXiZHAlPWQ1Ogveot8vc4kMOAlvWMR4FwdA== -----END AGE ENCRYPTED FILE----- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6bXZsYnYzMC8wQnhMUGpu - TVFKWkFTU1U0VTFDeUlaR2dzZzN6WG9ueFQ4CnFYMWpoUGFPbkZRTUtSN2ZnelFJ - Nk1CdjVTbnY3aG1FNVZrY3hQYmRGalEKLS0tIERsd2xvaStod1N4eHg3eTIxSlUy - NERKTEZpSkV3N2wxWTlVazhNdFk2NDQKt+omfSoPJQvohV4aED0HYMXwFKMq25lB - 9+gB0BJDYe7btIUuFr861EDWx+D32gBtbpRsyAitNJKc9NlZ4VLWuw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT2dIMGFEbUErU1pYUXRR + 
Yk1tUmx2R3BmUXVhK1JMd3J6WVNwOGVmRkUwCnZBSGxvcFd4Y1dGbkg4UEF2RUxE + TUdpVGV1ZEpFQmNWN1ZKei8rSWJtaVEKLS0tIGRLd013RVB2eHhXeHpXbWoyaktu + OExualc3eWk1UGgvZDlNbWZydXBXWkUK0vhwGhegmrQASWqFQYpZgJungzt7vtfC + sBna05p6lnSEdtclUa1MZ/a9wlqAtmrA2fUarLnc6/bs0K8Oz9HRPA== -----END AGE ENCRYPTED FILE----- - recipient: age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXc0dETndkQVFwa2FwUUtj - aHNNaG5rS2VvamRtVDR1Rm1ubXFaR2NWa0RzCmdLbTFFUzlrZ01KWTY5Uk9uWTAy - Ym1kRXp4bWM1QUs2d1BwcE1WTEsyY3cKLS0tIG5qVm84WGlGVDlDWUVHWGNrcXJQ - NHR6S3pPRFhWemNWM0FMSjZpbXkzN0UKoTE6GuckP7QwuCQ8gZgitmW0URtG57u6 - VuWmt7vpSuutHJmccODDpFg4iJKC8SKIeUoQANKsnBJf/uZhDaG42Q== - -----END AGE ENCRYPTED FILE----- - - recipient: age1hkta9w0yawwwwchapemkygzxkrv7vx759vrafgrjhm63spckwstque8x97 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsM2ptZVl5R0tybkU1bHJp - ams0OENxU21FZDJjNkZNQUlteDF3RHBoOWpZCjFNUXhzMzhXR1FhUmxnSFAzcnVK - NVZONlNkVVdGcUNtZyszT1liOVdtOVUKLS0tIDZIR2NMWGVJclhqeitqN1V3endv - Z0wzT0hweEVML2plRTkzaFZsWHJHY2MKTcX84PLdHpuGzUn2v7r5gJLp9ZBhgLu6 - WI1KWIwbYj91hsoHjUH4lW0Xv7/mVLrON9wOQuOuyuVeDfP7GQ73qA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsSFIvcUEwbnZ6Qm95V3hT + SlBiSS9ycE4xTmpRR1l0SDZKYkFNVmtXUG00ClBKYzBMSmNOMmdCSktGV29WbFBE + U0x1K2dsU2FoVVBPSWthZ0hmRkdTKzAKLS0tIGhZaU9kQU54ZzNWVnhLNEozWXZN + Z3MvRnRGSUlVNlJVdzVEMjcxNE4xbWcKkS3GagirASPe/XnJgwBIZ9cCdyeOi9Uy + mcD5Pa6AU7itXL9pHtDcMUsDlKkKYWSUtouW8wAESWdXfFBd2Q+Vgg== -----END AGE ENCRYPTED FILE----- lastmodified: "2023-07-06T20:14:22Z" mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str] pgp: - - created_at: "2024-01-22T09:16:19Z" + - created_at: "2024-01-23T09:01:13Z" enc: |- 
-----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf/WsDFXBatZSxOmQWVGXw0MOeC2QOKaUo5if7C4Z0d+cMg - AyEmUMFcU3KkTFTqjqSqjA/9k/AJiqJxQkXqcSVHT4z3vNdGzrWVsJI4fimmumFZ - Hcc7hIgkBK1THkTkoOr3G3WRHJ/J4nZmABycWSt1kF1FdnHnXo8bXh25Sk+Ellt2 - +SlaC8NAZtd2P6L3ZxQYFUud3mc6/uUV5GTkZ7RisjMnAEVF5BbvzSAlAj7fh4Ph - ZJxMLzVnqQHrN+U/0WuFtL8KJaCF9zecxQxzaM/Zf/Sa5x4fsoqsjmMPhtwQMvC5 - ehiXSoVYETuJylSQF+N44V46/lrO6qqnIi+5NqqC2NJRAXH01P/bMQfW5M6AqQgJ - muPztPFjBL46D3wVo6Hg0JL6ag5DV4/mjTOpEiiGUHKxTDxFwlNYRQQX2EHnBHFb - Otf7rnrSdA+I9GqEpCNkzdbi - =pR8T + wcBMA0SHG/zF3227AQf+Oo8GZF91ry7FhASb7USKTxKYFfdlJPWDxLFtBNSFkqdV + U7tOgAB3WJTSlED8Cs+6gyNNr3n7Y6p2KaOLYjft05T/Ms9pDuJAV1S8Ogfo5zys + W7Ss4hkCMZqIXZXTQ03yZner+8o8v/F/f0SPNji8znT2qZmLZbhwa2IPjmORo3L7 + y4F38IVie8keQNWObSFqd7qVqKynHHg+ur5NmVgUAVO/wMg6TytV3Wa11Hfq50tc + EenVAyBW1GUOtsBCH8MOCgH4paZcrzkBPU2dK9UppUWzB5RxayIZT34Qf4mNHwdL + sa83I2MwMp0fuTW66YvJPR1vjcYgY/wOxxZw28biidJRAWpiGsPhGKg+AHmHNp/T + NjN/7MVxZMUX/DHm2LmF6sjSp99wqCl8yvEIrXcGXSSY218XZ0QgXQRhhErwCEaT + JM145ZTHicA2qi4NqMkfsvjf + =6arN -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B unencrypted_suffix: _unencrypted diff --git a/secrets/steveej-x13s/secrets.yaml b/secrets/steveej-x13s/secrets.yaml index 7b2d3ec..a7306d2 100644 --- a/secrets/steveej-x13s/secrets.yaml +++ b/secrets/steveej-x13s/secrets.yaml 
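Review bot: After re-encryption secrets/shared-users.yaml still lists `recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv` twice (both are context lines in this hunk), i.e. the same age public key is granted under two entries, which suggests two `.sops.yaml` aliases resolve to one key. That is harmless for decryption but defeats per-host revocation: removing one alias from a creation rule changes nothing while the other alias still grants the same key, so each host should carry its own key and the duplicate entry should disappear on the next `sops updatekeys`. The hunk header is at the start of this section and the file's remaining `sops:` metadata ends within it.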
@@ -15,31 +15,31 @@ sops: azure_kv: [] hc_vault: [] age: - - recipient: age1hkta9w0yawwwwchapemkygzxkrv7vx759vrafgrjhm63spckwstque8x97 + - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWk1LS3A0NENRZk1HZm8x - dW1PNkxZV1ZWdStzb2M5MzRRNmJmUXcvakJJCnpwVlZRV3FHVDNUbURSMWZXY3k2 - NUliMUpNT3kreEZITjR3dDdrU2MvVkEKLS0tIFp5U2tCa3V5NWhqWHgzdDR5RG9D - SmxNVk45UklhUjRYc2pTVy9FWFBhQUUK1QMqDCIZnyyzJhUb0TBgheW2P6lAUTQe - KLhYqTRuo5/zS5C2uANa028CNGWJVOoEgKEw3xjHz0pvSkT5JkI8WQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjU3VmRjNmYzhPT1A5WFpB + S2ZBeE0xWGkyR0pJVm9vVnc2ZzNWWHNkY2tvCnhHUlh6d3F2cDdHZWpvMGJ6ajhw + WHgyd21RZWQrSHA4bllsWVExRksrcm8KLS0tIGVvNVF1TkJ0MDBxMzRFZE01VVVz + Q1FmbW9BL3E1emwwWFhJTTZoRlhVdFEKCkpvkW65v0+fuh2bXZVNVbnwsl1Aca/O + 9tkIMNLFhD/Rn8MFmkhIZmWYWB4IUwW/UNSxrmkt7cyFJNlpAH0+YA== -----END AGE ENCRYPTED FILE----- lastmodified: "2024-01-22T09:20:19Z" mac: ENC[AES256_GCM,data:Mmo5XJaMIDZ0sqKyn7oK+l6XdrTyA0NuF8tueLEKSdSCFxr2TJjroyojsybrYKehp5rrW1rT8cWWld2wXEEr+txsMCzIrlDqyerkcsu7ioMJb7ihRyXATBzdBOfUTq/8iLLc9gE9uRaMbeNOrglF0nxS+VtwOmst/z6fl7wC0+Q=,iv:t+dSzeBBhVfPo2efHM4iWIE/DHTDAm917kZrV1UxV0I=,tag:+CPkO6bbWqMzWBs16HT8GA==,type:str] pgp: - - created_at: "2024-01-22T09:20:12Z" + - created_at: "2024-01-23T09:01:14Z" enc: |- -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgApMVbQc+4BUc/7ima51XMJzIBA93SOLOCmyn2J9tLG/V/ - ZM6fmWyiLvCRowA0nLt19DYnaRrEXTcRlvBPs/RIx6Fmq4260ZvyPN7Fea6ltVOL - EhG5IJHaweUhXMi6UV2/6vuTBbQsLzWK8xl6bZNCVFWB/JiLrHzukWpE4ACeqD0Y - P/428L4XCW05DkltQdfQrn2bIlf/6c/itvepRr1tHFr8ABuBM/g4hSg/nFyHlrH3 - CtrdPSQBopZxhVv4MoHPWSQ6jGjrmqumc6gyNGa1Ugry3FmuFmdlMAoUsQtG/cU1 - ORM/CvKwxLZU+qifm8QU4BO+0Gw/nhLrYfX0/EWsmtJRAQJt51PK3t/nXUTE47sT - lz+zPgpT/Sz9E/wKH3yAq9RuXKKtwc7oRJS+NHuv10YPIkhVejSjvmsGEKezU1ed - 6BsZrcVnaQt+SdmUOEuP/iRF - =8elR + wcBMA0SHG/zF3227AQgAp6QdUiZPpktzBQ4kG3QctoiCJ6NwiYEtPJAftgbbBCDb + 
WdtjiLmp0+XFf4TvihdaFy7kDQh2wvMSj3dOLANV/V3BSJwk4WjtJoEEG+B8ZVEN + T0B2SauM7FcgN4eRe3jx0R9xoQGsE8vXdDbyU/rRpf1LZ6HuEjFC1Boe98mtWsAD + MRxYbBfmIsh0DBF9GZyaKR62PyHu7+doRHzxxDJXhItaGW96cKdydw4GhXBvqiXn + 9SUxxXhg+FpIMXysncB4+yWKSV8FoCkmqPeNlONgk5hwDNpkeXEDND8mHbhZFN5n + ElUTO2ild4Cxh8E1U3A4IQ8ARMcmyag7wnCUmcxnTdJRAa11NhS+6h2PVNqRt53E + p2UKvgbpMgMYj3pWlP9dSuege0+YhynTGRpjTbbUqNJVGFAKfwvPa0zY0hc0hG6G + 7Y5zpcqR+/NlVgerPZwLNFib + =0kQe -----END PGP MESSAGE----- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B unencrypted_suffix: _unencrypted From faf0818e0035747dc7f83e04d05924833d114856 Mon Sep 17 00:00:00 2001 
From: Stefan Junker Date: Wed, 24 Jan 2024 00:24:04 +0000 Subject: [PATCH 19/42] clean up and refactor more into OS snippets; bluetooth works on x13s --- flake.lock | 17 +++ flake.nix | 6 + .../configuration/text-minimal.nix | 12 -- nix/home-manager/profiles/common.nix | 23 +-- nix/home-manager/profiles/dotfiles.nix | 49 +++++- nix/home-manager/profiles/sway-desktop.nix | 18 --- nix/os/devices/steveej-t14/configuration.nix | 6 + nix/os/devices/steveej-t14/default.nix | 25 ++-- nix/os/devices/steveej-t14/system.nix | 7 - .../steveej-x13s-rmvbl/configuration.nix | 86 +---------- nix/os/devices/steveej-x13s-rmvbl/flake.lock | 83 +---------- nix/os/devices/steveej-x13s-rmvbl/flake.nix | 10 +- nix/os/devices/steveej-x13s/configuration.nix | 101 ++++++++----- nix/os/devices/steveej-x13s/default.nix | 2 - nix/os/devices/steveej-x13s/flake.lock | 141 ++++++++---------- nix/os/devices/steveej-x13s/flake.nix | 6 +- nix/os/modules/hardware.thinkpad-x13s.nix | 6 - nix/os/profiles/common/boot.nix | 15 -- nix/os/profiles/common/configuration.nix | 46 ++++-- nix/os/profiles/common/pkg.nix | 34 ----- nix/os/profiles/common/system.nix | 5 +- nix/os/profiles/graphical/system.nix | 19 ++- nix/os/snippets/bluetooth.nix | 9 ++ nix/os/snippets/home-manager-with-zsh.nix | 49 ++++++ nix/os/snippets/nix-settings.nix | 13 +- nix/os/snippets/sway-desktop.nix | 26 +++- secrets/steveej-x13s/secrets.yaml | 14 +- 27 files changed, 367 insertions(+), 461 deletions(-) delete mode 100644 nix/home-manager/configuration/text-minimal.nix delete mode 100644 nix/os/profiles/common/boot.nix delete mode 100644 nix/os/profiles/common/pkg.nix create mode 100644 nix/os/snippets/bluetooth.nix create mode 100644 nix/os/snippets/home-manager-with-zsh.nix diff --git a/flake.lock b/flake.lock index 825f580..4926126 100644 --- a/flake.lock +++ b/flake.lock 
@@ -132,6 +132,22 @@ "type": "github" } }, + "dotfiles": { + "flake": false, + "locked": { + "lastModified": 1541334338, + "narHash": "sha256-9QAq7bjITpaO8A8qD8IVoa+89Bg13CEwxf771d9S/Ag=", + "owner": "steveeJ", + "repo": "dotfiles", + "rev": "9a8484f7094edc1b533bad3be71c511ba8ff45eb", + "type": "gitlab" + }, + "original": { + "owner": "steveeJ", + "repo": "dotfiles", + "type": "gitlab" + } + }, "fenix": { "inputs": { "nixpkgs": [ @@ -713,6 +729,7 @@ "nixos-anywhere", "disko" ], + "dotfiles": "dotfiles", "fenix": "fenix", "flake-parts": "flake-parts", "get-flake": "get-flake", diff --git a/flake.nix b/flake.nix index 5c9e433..a0bdcc8 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,11 @@ # flake.nix { inputs = { + dotfiles = { + url = "gitlab:steveeJ/dotfiles"; + flake = false; + }; + # flake and infra basics nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; radicalePkgs.follows = "nixpkgs-2211"; @@ -164,6 +169,7 @@ retro_cross = retro.cross; steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross; + steveej-x13s-rmvbl_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; } ); diff --git a/nix/home-manager/configuration/text-minimal.nix b/nix/home-manager/configuration/text-minimal.nix deleted file mode 100644 index 4566af7..0000000 --- a/nix/home-manager/configuration/text-minimal.nix +++ /dev/null @@ -1,12 +0,0 @@ -{pkgs, ...}: { - imports = [ - ../profiles/common.nix - ../programs/neovim.nix - ]; - - home.packages = with pkgs; [ - iperf3 - inetutils - speedtest-cli - ]; -} diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index 4356534..4ea2e6c 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix 
@@ -3,10 +3,7 @@ # programs.home-manager.enable = true; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; - imports = [ - ../programs/zsh.nix - ]; - + # TODO: move this to an OS snippet? nixpkgs.config = { allowBroken = false; allowUnfree = true; @@ -14,15 +11,6 @@ permittedInsecurePackages = [ ]; }; - nix.settings.experimental-features = [ - "nix-command" - "flakes" - "impure-derivations" - "ca-derivations" - "recursive-nix" - ]; - nix.settings.sandbox = "relaxed"; - home.keyboard = { layout = "us"; variant = "altgr-intl"; @@ -36,9 +24,7 @@ xdg.enable = true; programs.direnv.enable = true; - services.lorri.enable = true; - home.sessionVariables.NIXPKGS_ALLOW_UNFREE = "1"; # Don't create .pyc files. home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1"; @@ -48,9 +34,14 @@ home.packages = [ ] ++ (with pkgs; [ - htop + coreutils + vcsh + htop + iperf3 + nethogs + # Authentication cacert openssl diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index 95b5248..c702f82 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix 
@@ -1,10 +1,47 @@ +{ repoFlake +, pkgs +, config +, repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git" +, repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git" +, ... +}: +let + repoBareLocal = + pkgs.runCommand "fetchbare" + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; + vcshActivationScript = pkgs.writeScript "activation-script" '' + export HOST=$(hostname -s) + + function set_remotes { + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 + } + + if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then + echo Cloning dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles + set_remotes ${repoHttps} ${repoSsh} + else + set_remotes ${repoBareLocal} ${repoSsh} + echo Updating dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh pull $HOST || true + set_remotes ${repoHttps} ${repoSsh} + fi + ''; + +in { - pkgs, - config, - ... -}: let - vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {}; -in { # TODO: fix the dotfiles # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # $DRY_RUN_CMD ${vcshActivationScript} diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix index f2bde47..a30fb64 100644 --- a/nix/home-manager/profiles/sway-desktop.nix +++ b/nix/home-manager/profiles/sway-desktop.nix 
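Review bot: `repoBareLocal` is a fixed-output derivation with the all-zero placeholder `outputHash`, mirroring a moving `${repoHttps}` with no revision pinned, so once the commented-out `home.activation.vcsh` hook is re-enabled the build fails on a hash mismatch, and the usual fix of pasting the "got" hash records whatever the server served at that moment and breaks again on the next push to the dotfiles repo. The same commit locks `dotfiles` as a flake input with a specific `rev`, and this file now accepts `repoFlake` without using it; pinning the clone to that locked revision (`repoFlake.inputs.dotfiles.rev`, if the gitlab input exposes it as non-flake inputs usually do) would tie the activation source to the lock file instead of to a hash that has to be re-derived by hand. In `vcshActivationScript`, `vcsh pull $HOST || true` discards every failure, including TLS or authentication errors, so a silently broken update is indistinguishable from success; prefer `${pkgs.vcsh}/bin/vcsh pull $HOST || echo "dotfiles pull for $HOST failed" >&2`.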
@@ -39,24 +39,6 @@ in services.gpg-agent.pinentryFlavor = "gnome3"; - nixpkgs.overlays = [ - (final: prev: { - # xdg-desktop-portal-wlr' = repoFlakeInputs'.nixpkgs-wayland.packages.xdg-desktop-portal-wlr; - # xdg-desktop-portal-wlr-gtk' = repoFlakeInputs'.nixpkgs-wayland.packages.xdg-desktop-portal-wlr-gtk; - # sway-unwrapped = let - # fixed_wlroots = prev.wlroots_0_16.overrideAttrs (old: { - # patches = [ - # (builtins.fetchurl { - # sha256 = "05h9xzicz3fccskg2hbqnw2qh4bm7mwi70c4m00y87w5yhj9gxps"; - # url = "https://gist.githubusercontent.com/steveej/1d8c96ed2fdb3d9ddd0344ca5136073f/raw/d6a097a452b950865b554587db606e718d99c572/fix-wlroots.patch"; - # }) - # ]; - # }); - # in - # prev.sway-unwrapped.override {wlroots_0_16 = fixed_wlroots;}; - }) - ]; - home.packages = [ pkgs.swayidle pkgs.swaylock diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index fc3d209..fab73d5 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -1,5 +1,11 @@ { ... }: { imports = [ + ../../snippets/home-manager-with-zsh.nix + ../../snippets/nix-settings-holo-chain.nix + ../../snippets/radicale.nix + ../../snippets/sway-desktop.nix + ../../snippets/timezone.nix + ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix index 15b7745..430b017 100644 --- a/nix/os/devices/steveej-t14/default.nix +++ b/nix/os/devices/steveej-t14/default.nix 
@@ -1,24 +1,21 @@ -{ - nodeName, - repoFlake, - repoFlakeWithSystem, - nodeFlake, -}: let +{ nodeName +, repoFlake +, repoFlakeWithSystem +, nodeFlake +, ... +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); }; meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; - overlays = [ - (final: prev: { - # FIXME: why are these not effective in for the configuration.nix below? - }) - ]; }; ${nodeName} = { @@ -28,8 +25,6 @@ in { imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - - nodeFlake.inputs.home-manager.nixosModules.home-manager ]; }; } diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index a0d5395..9dc6590 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -24,13 +24,6 @@ let in { - imports = [ - ../../snippets/nix-settings-holo-chain.nix - ../../snippets/radicale.nix - ../../snippets/sway-desktop.nix - ../../snippets/timezone.nix - ]; - nix.settings = { substituters = [ ]; diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix index 7e39af7..cfbf501 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix 
@@ -11,96 +11,12 @@ { imports = [ - repoFlake.inputs.sops-nix.nixosModules.sops - nodeFlake.inputs.disko.nixosModules.disko - ./disko.nix - - ../../profiles/common/user.nix - ../../profiles/common/pkg.nix - - { - # nixpkgs.config.allowUnsupportedSystem = true; - - # flake registry - nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; - - nix.nixPath = [ - "nixpkgs=${pkgs.path}" - ]; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - ]; - - nix.settings.max-jobs = lib.mkDefault "auto"; - } - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - services.openssh.openFirewall = true; - users.commonUsers = { enable = true; enableNonRoot = true; + installPassword = "install"; }; - - sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - sops.defaultSopsFormat = "yaml"; } - - nodeFlake.inputs.home-manager.nixosModules.home-manager - - ../../snippets/sway-desktop.nix - ../../snippets/radicale.nix ]; - - hardware.thinkpad-x13s = { - enable = true; - - # TODO: use hardware address - bluetoothMac = "65:9e:7a:8b:86:28"; - }; - - networking = { - hostName = nodeName; - - firewall.enable = true; - - # useNetworkd = true; - networkmanager.enable = true; - }; - - system.stateVersion = "23.11"; - - nixpkgs.config.allowUnfree = true; - - environment.systemPackages = [ - pkgs.sshfs - pkgs.util-linux - pkgs.coreutils - pkgs.vim - - pkgs.git - pkgs.git-crypt - ]; - - home-manager.users.steveej = _: { - imports = [ - ../../../home-manager/configuration/graphical-fullblown.nix - - (_: { - programs.chromium.extensions = [ - # can define host-specific extensions here - ]; - }) - ]; - - home.sessionVariables = { }; - - home.packages = with pkgs; [ - ]; - }; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.lock b/nix/os/devices/steveej-x13s-rmvbl/flake.lock index f7008e1..6fc6701 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.lock +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.lock 
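Review bot: `installPassword = "install"` hard-codes a well-known password into the removable-media profile at the same time as this node starts importing `../steveej-x13s/configuration.nix` (per the rmvbl flake.nix change in this series), whose visible settings keep `services.openssh.settings.PermitRootLogin = "yes"` and `services.openssh.openFirewall = true`. If `users.commonUsers.installPassword` seeds the root or user password as its name suggests (the module itself is not in this diff), a booted stick accepts root SSH logins with `install` from any network it joins. Suggest keeping the install image key-only, e.g. `services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";` together with a key in `users.users.root.openssh.authorizedKeys.keys` (the file's argument set is above this hunk; add `lib` if it is not already there), or at least a comment on the `installPassword` line stating that this image is for offline bootstrapping and must be rebuilt before use on an untrusted network.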
@@ -1,55 +1,5 @@ { "nodes": { - "adamcstephens_stop-export": { - "flake": false, - "locked": { - "lastModified": 1705876512, - "narHash": "sha256-nvBqLyi8dMQf3xnROwEcUv4iqV55Mr8S8OGYepu14i4=", - "ref": "refs/heads/main", - "rev": "388684db5b529bbd6f3e948cf175df089eb09766", - "revCount": 14, - "type": "git", - "url": "https://codeberg.org/adamcstephens/stop-export.git" - }, - "original": { - "type": "git", - "url": "https://codeberg.org/adamcstephens/stop-export.git" - } - }, - "alsa-ucm-conf": { - "flake": false, - "locked": { - "lastModified": 1705501566, - "narHash": "sha256-Nyr7tjH5VBjocvaKaHCiK+zsjThYBtcr936aRWCBBpM=", - "owner": "alsa-project", - "repo": "alsa-ucm-conf", - "rev": "e87dde51d68950537f92af955ad0633437cc419a", - "type": "github" - }, - "original": { - "owner": "alsa-project", - "ref": "master", - "repo": "alsa-ucm-conf", - "type": "github" - } - }, - "brainwart_x13s-nixos": { - "flake": false, - "locked": { - "lastModified": 1705565623, - "narHash": "sha256-sisr/dFIz8p3/Y7mz+arWxjeiBmUTQkMqkF9j3c2dWE=", - "owner": "BrainWart", - "repo": "x13s-nixos", - "rev": "29002122d86a1009ba70e7a4ca3063e5404c77a2", - "type": "github" - }, - "original": { - "owner": "BrainWart", - "ref": "flake", - "repo": "x13s-nixos", - "type": "github" - } - }, "disko": { "inputs": { "nixpkgs": [ @@ -105,23 +55,6 @@ "type": "github" } }, - "linux_x13s": { - "flake": false, - "locked": { - "lastModified": 1705680516, - "narHash": "sha256-NjCuPYjYHBJcoJR1ZaWQ9sRh0VpY2Y0hawkbUBRfCvk=", - "owner": "jhovold", - "repo": "linux", - "rev": "bac95eabe6577faa2773cbe7e91c34fd17ab79a0", - "type": "github" - }, - "original": { - "owner": "jhovold", - "ref": "wip/sc8280xp-v6.7", - "repo": "linux", - "type": "github" - } - }, "mobile-nixos": { "flake": false, "locked": { 
@@ -140,11 +73,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705774713, - "narHash": "sha256-j6ADaDH9XiumUzkTPlFyCBcoWYhO83lfgiSqEJF2zcs=", + "lastModified": 1705916986, + "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1b64fc1287991a9cce717a01c1973ef86cb1af0b", + "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", "type": "github" }, "original": { @@ -172,11 +105,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1705891108, - "narHash": "sha256-PQ0Df5BzByg+0gPE1goa9WYVXSoEP6gtjblrbYC8WOI=", + "lastModified": 1706022028, + "narHash": "sha256-F8Gv4R4K/AvS3+6pWd8wlnw4Vhgf7bcszy7i8XPbzA0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8cccce637e19577815de54c5ecc3132dff965aee", + "rev": "15ff1758e7816331033baa14eebbea68626128f3", "type": "github" }, "original": { @@ -188,13 +121,9 @@ }, "root": { "inputs": { - "adamcstephens_stop-export": "adamcstephens_stop-export", - "alsa-ucm-conf": "alsa-ucm-conf", - "brainwart_x13s-nixos": "brainwart_x13s-nixos", "disko": "disko", "get-flake": "get-flake", "home-manager": "home-manager", - "linux_x13s": "linux_x13s", "mobile-nixos": "mobile-nixos", "nixpkgs": "nixpkgs", "nixpkgs-2211": "nixpkgs-2211", diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix index d9cc53c..9a6bcba 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix @@ -31,6 +31,8 @@ buildPlatform = "x86_64-linux"; nodeName = "steveej-x13s-rmvbl"; + x13s-flake = get-flake ../steveej-x13s; + mkNixosConfiguration = { extraModules ? [ ], ... } @ attrs: nixpkgs.lib.nixosSystem ( nixpkgs.lib.attrsets.recursiveUpdate 
@@ -41,13 +43,15 @@ inherit nodeName; repoFlake = get-flake ../../../..; - nodeFlake = self; + + # TODO: double-check if this hack doesn't have negative side-effects + # the reason for it is so that `nodeFlake.inputs.nixos-x13s.nixosModules.default` in the module is found + nodeFlake = x13s-flake; }).meta.nodeSpecialArgs.${nodeName}; modules = [ - self.nixosModules.hardware-x13s - + ../steveej-x13s/configuration.nix ./configuration.nix ] ++ extraModules; diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index 0da079a..204aa33 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix 
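Review bot: with `nodeFlake = x13s-flake`, everything the modules read through `nodeFlake.inputs.*` — the `nix.registry.nixpkgs` pin, the home-manager and disko modules and `nixos-x13s` — now resolves via `../steveej-x13s/flake.lock`, while the system is still built by `nixpkgs.lib.nixosSystem` from this flake's own lock, so the two lock files can drift apart and ship home-manager/disko modules built against a different nixpkgs than the one they run on (both happen to pin `d7f206b` in this series). `get-flake ../steveej-x13s` also bypasses the flake-input mechanism, so this dependency and its lock are not recorded anywhere the outer flake's lock would show. The TODO already flags a possible side effect; I would state the consequence at that line, e.g. `# NOTE: nodeFlake.inputs now resolve via ../steveej-x13s/flake.lock, not ./flake.lock — keep both nixpkgs pins in sync`, and longer term add `nixos-x13s` as an input of this flake so `self` can be passed again.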
@@ -10,31 +10,60 @@ }: { + nixos-x13s = { + enable = true; + # TODO: use hardware address + bluetoothMac = "65:9e:7a:8b:86:28"; + }; + + systemd.services.bluetooth-mac = { + enable = true; + path = [ + pkgs.systemd + pkgs.util-linux + pkgs.bluez5-experimental + pkgs.expect + ]; + script = '' + # TODO: this may not be required + while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do + echo Waiting for bluetooth firmware to complete + echo sleep 1 + done + + ( + # best effort + set +e + rfkill block bluetooth + echo $? + btmgmt public-addr ${config.nixos-x13s.bluetoothMac} + echo $? + rfkill unblock bluetooth + echo $? + ) + ''; + requiredBy = [ "bluetooth.service" ]; + before = [ "bluetooth.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + + # we need a tty, otherwise btmgmt will hang + StandardInput = "tty"; + TTYPath = "/dev/tty2"; + TTYReset = "yes"; + TTYVHangup = "yes"; + }; + }; + imports = [ + nodeFlake.inputs.nixos-x13s.nixosModules.default + repoFlake.inputs.sops-nix.nixosModules.sops nodeFlake.inputs.disko.nixosModules.disko ./disko.nix - repoFlake.nixosModules.thinkpad-x13s - - ../../profiles/common/pkg.nix - - { - # flake registry - nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; - - nix.nixPath = [ - "nixpkgs=${pkgs.path}" - ]; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - ]; - - nix.settings.max-jobs = lib.mkDefault "auto"; - } - + ../../snippets/nix-settings.nix ../../profiles/common/user.nix { 
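Review bot: the wait loop in `bluetooth-mac` never sleeps — `echo sleep 1` prints the words instead of running `sleep 1` — so until the `QCA setup on UART is completed` line appears the service spins re-reading the whole journal, and because the unit is `Type = "oneshot"` (which has no start timeout unless one is set) and is `requiredBy`/`before` `bluetooth.service`, a firmware message that never shows up (other kernel, reworded log line) blocks Bluetooth for the entire boot. Drop the stray `echo` and bound the loop: `sleep 1` in the body plus `serviceConfig.TimeoutStartSec = "60s";`, so a missing message fails the unit instead of hanging it. The `StandardInput = "tty"` / `TTYPath = "/dev/tty2"` / `TTYVHangup = "yes"` combination also hangs up whatever session is on tty2 at that moment and lets keystrokes typed there reach `btmgmt`; a comment on why `btmgmt` needs a controlling tty (the existing comment says it hangs otherwise) and a less-used VT would make that trade-off explicit.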
@@ -42,30 +71,23 @@ services.openssh.settings.PermitRootLogin = "yes"; services.openssh.openFirewall = true; - # sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # sops.defaultSopsFormat = "yaml"; + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; users.commonUsers = { enable = true; enableNonRoot = true; - installPassword = "install"; }; } - nodeFlake.inputs.home-manager.nixosModules.home-manager + ../../snippets/home-manager-with-zsh.nix ../../snippets/sway-desktop.nix + ../../snippets/bluetooth.nix ../../snippets/timezone.nix # ../../snippets/radicale.nix ]; - hardware.thinkpad-x13s = { - enable = true; - - # TODO: use hardware address - bluetoothMac = "65:9e:7a:8b:86:28"; - }; - networking.hostName = nodeName; networking.firewall.enable = true; networking.networkmanager.enable = true; @@ -93,12 +115,23 @@ ../../../home-manager/configuration/graphical-fullblown.nix ]; - # seems to be broke on install - programs.chromium.enable = lib.mkForce false; - home.sessionVariables = { }; home.packages = with pkgs; [ ]; + + # TODO: currently unsupported + services.gammastep.enable = lib.mkForce false; + # programs.chromium.enable = lib.mkForce false; + }; + + boot = { + kernelParams = [ + "dtb=sc8280xp-lenovo-thinkpad-x13s.dtb" + ]; + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = lib.mkForce false; + loader.efi.efiSysMountPoint = "/boot"; + blacklistedKernelModules = [ "wwan" ]; }; } diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix index 51d487b..545dde3 100644 --- a/nix/os/devices/steveej-x13s/default.nix +++ b/nix/os/devices/steveej-x13s/default.nix @@ -31,8 +31,6 @@ imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - - nodeFlake.inputs.home-manager.nixosModules.home-manager ]; networking.hostName = nodeName; 
diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock index f7008e1..5e95546 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s/flake.lock @@ -1,55 +1,5 @@ { "nodes": { - "adamcstephens_stop-export": { - "flake": false, - "locked": { - "lastModified": 1705876512, - "narHash": "sha256-nvBqLyi8dMQf3xnROwEcUv4iqV55Mr8S8OGYepu14i4=", - "ref": "refs/heads/main", - "rev": "388684db5b529bbd6f3e948cf175df089eb09766", - "revCount": 14, - "type": "git", - "url": "https://codeberg.org/adamcstephens/stop-export.git" - }, - "original": { - "type": "git", - "url": "https://codeberg.org/adamcstephens/stop-export.git" - } - }, - "alsa-ucm-conf": { - "flake": false, - "locked": { - "lastModified": 1705501566, - "narHash": "sha256-Nyr7tjH5VBjocvaKaHCiK+zsjThYBtcr936aRWCBBpM=", - "owner": "alsa-project", - "repo": "alsa-ucm-conf", - "rev": "e87dde51d68950537f92af955ad0633437cc419a", - "type": "github" - }, - "original": { - "owner": "alsa-project", - "ref": "master", - "repo": "alsa-ucm-conf", - "type": "github" - } - }, - "brainwart_x13s-nixos": { - "flake": false, - "locked": { - "lastModified": 1705565623, - "narHash": "sha256-sisr/dFIz8p3/Y7mz+arWxjeiBmUTQkMqkF9j3c2dWE=", - "owner": "BrainWart", - "repo": "x13s-nixos", - "rev": "29002122d86a1009ba70e7a4ca3063e5404c77a2", - "type": "github" - }, - "original": { - "owner": "BrainWart", - "ref": "flake", - "repo": "x13s-nixos", - "type": "github" - } - }, "disko": { "inputs": { "nixpkgs": [ 
@@ -69,6 +19,24 @@ "type": "indirect" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1704982712, + "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "get-flake": { "locked": { "lastModified": 1694475786, @@ -105,23 +73,6 @@ "type": "github" } }, - "linux_x13s": { - "flake": false, - "locked": { - "lastModified": 1705680516, - "narHash": "sha256-NjCuPYjYHBJcoJR1ZaWQ9sRh0VpY2Y0hawkbUBRfCvk=", - "owner": "jhovold", - "repo": "linux", - "rev": "bac95eabe6577faa2773cbe7e91c34fd17ab79a0", - "type": "github" - }, - "original": { - "owner": "jhovold", - "ref": "wip/sc8280xp-v6.7", - "repo": "linux", - "type": "github" - } - }, "mobile-nixos": { "flake": false, "locked": { @@ -138,13 +89,34 @@ "type": "github" } }, + "nixos-x13s": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705945811, + "narHash": "sha256-eDqgRYGMzRfpfWvSVj6IhHAWOMJC3xiwKaClbe79Gro=", + "ref": "refs/heads/main", + "rev": "9320defc4b8f381e5b7887d212d8d2babc41f2f2", + "revCount": 2, + "type": "git", + "url": "https://codeberg.org/adamcstephens/nixos-x13s" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/adamcstephens/nixos-x13s" + } + }, "nixpkgs": { "locked": { - "lastModified": 1705774713, - "narHash": "sha256-j6ADaDH9XiumUzkTPlFyCBcoWYhO83lfgiSqEJF2zcs=", + "lastModified": 1705916986, + "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "1b64fc1287991a9cce717a01c1973ef86cb1af0b", + "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", "type": "github" }, "original": { 
@@ -170,13 +142,31 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1703961334, + "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1705891108, - "narHash": "sha256-PQ0Df5BzByg+0gPE1goa9WYVXSoEP6gtjblrbYC8WOI=", + "lastModified": 1706022028, + "narHash": "sha256-F8Gv4R4K/AvS3+6pWd8wlnw4Vhgf7bcszy7i8XPbzA0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8cccce637e19577815de54c5ecc3132dff965aee", + "rev": "15ff1758e7816331033baa14eebbea68626128f3", "type": "github" }, "original": { @@ -188,14 +178,11 @@ }, "root": { "inputs": { - "adamcstephens_stop-export": "adamcstephens_stop-export", - "alsa-ucm-conf": "alsa-ucm-conf", - "brainwart_x13s-nixos": "brainwart_x13s-nixos", "disko": "disko", "get-flake": "get-flake", "home-manager": "home-manager", - "linux_x13s": "linux_x13s", "mobile-nixos": "mobile-nixos", + "nixos-x13s": "nixos-x13s", "nixpkgs": "nixpkgs", "nixpkgs-2211": "nixpkgs-2211", "nixpkgs-unstable-small": "nixpkgs-unstable-small" diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix index cb1fed8..7ff3529 100644 --- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s/flake.nix @@ -18,6 +18,9 @@ url = "github:nix-community/home-manager/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; }; + + nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s"; + nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = @@ -46,7 +49,8 @@ modules = [ - repoFlake.nixosModules.hardware-x13s + # repoFlake.nixosModules.hardware-x13s + ./configuration.nix ] 
diff --git a/nix/os/modules/hardware.thinkpad-x13s.nix b/nix/os/modules/hardware.thinkpad-x13s.nix index a1c6682..df69d6c 100644 --- a/nix/os/modules/hardware.thinkpad-x13s.nix +++ b/nix/os/modules/hardware.thinkpad-x13s.nix @@ -13,12 +13,6 @@ in type = lib.types.str; description = "mac address to set on boot"; }; - - bluetoothMacAddr = lib.mkOption { - default = "00:00:00:00:00"; - type = lib.types.str; - }; - }; config = let diff --git a/nix/os/profiles/common/boot.nix b/nix/os/profiles/common/boot.nix deleted file mode 100644 index 21fa70c..0000000 --- a/nix/os/profiles/common/boot.nix +++ /dev/null @@ -1,15 +0,0 @@ -{pkgs, ...}: { - boot.kernelPackages = pkgs.linuxPackages; - boot.loader.grub = { - enable = true; - efiSupport = true; - efiInstallAsRemovable = false; - }; - - boot.loader.systemd-boot.enable = false; - boot.loader.efi.canTouchEfiVariables = true; - boot.tmp.useTmpfs = true; - - # Workaround for nm-pptp to enforce module load - boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"]; -} diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index 0590e79..c6ed9fb 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix 
@@ -1,18 +1,38 @@ -{ - config, - pkgs, - repoFlake, - ... +{ config +, pkgs +, repoFlake +, nodeFlake +, repoFlakeInputs' +, packages' +, ... }: { imports = [ - ./boot.nix - ./pkg.nix - ./system.nix - ../../snippets/nix-settings.nix - ./hw.nix - - ./user.nix - repoFlake.inputs.sops-nix.nixosModules.sops + + ../../snippets/nix-settings.nix + ../../snippets/home-manager-with-zsh.nix + + ./system.nix + ./hw.nix + ./user.nix ]; + + boot.kernelPackages = pkgs.linuxPackages; + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = false; + }; + + boot.loader.systemd-boot.enable = false; + boot.loader.efi.canTouchEfiVariables = true; + boot.tmp.useTmpfs = true; + + # Workaround for nm-pptp to enforce module load + boot.kernelModules = [ "nf_conntrack_proto_gre" "nf_conntrack_pptp" ]; + + nixpkgs.config = { + allowBroken = false; + allowUnfree = true; + }; } diff --git a/nix/os/profiles/common/pkg.nix b/nix/os/profiles/common/pkg.nix deleted file mode 100644 index 74e987b..0000000 --- a/nix/os/profiles/common/pkg.nix +++ /dev/null @@ -1,34 +0,0 @@ -{ config -, pkgs -, # these come in via nodeSpecialArgs and are expected to be defined for every node - repoFlake -, repoFlakeInputs' -, nodeFlake -, packages' -, ... -}: { - imports = [ - ]; - - nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; - home-manager.useGlobalPkgs = false; - home-manager.useUserPackages = true; - home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix; - - # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager - # home-manager.extraSpecialArgs = specialArgs; - # hence, opt for passing the arguments selectively instead - home-manager.extraSpecialArgs = { - inherit - repoFlake - repoFlakeInputs' - packages' - nodeFlake - ; - }; - - nixpkgs.config = { - allowBroken = false; - allowUnfree = true; - }; -} 
diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index 7fa2c2d..9c25dbc 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix @@ -42,15 +42,12 @@ # mv -Tf /etc/X11/.sessions /etc/X11/sessions # ''; + # TODO: adapt this to be arch agnostic system.activationScripts.lib64 = '' echo "setting up /lib64..." mkdir -p /lib64 ln -sfT ${pkgs.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2 mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 ''; - - programs.zsh.enable = true; - users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = [ "/share/zsh" ]; programs.fuse.userAllowOther = true; } diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index 1eb2d07..4e68144 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -1,8 +1,11 @@ -{ - pkgs, - lib, - ... +{ pkgs +, lib +, ... }: { + imports = [ + ../../snippets/bluetooth.nix + ]; + networking.networkmanager = { enable = true; dns = "systemd-resolved"; @@ -22,12 +25,8 @@ services.illum.enable = true; services.pcscd.enable = true; hardware.opengl.enable = true; - hardware.bluetooth.enable = true; - # required for running blueman-applet in user sessions - services.dbus.packages = with pkgs; [blueman]; - services.blueman.enable = true; - services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules]; + services.udev.packages = [ pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules ]; services.udev.extraRules = '' # OnePlusOne ATTR{idVendor}=="05c6", ATTR{idProduct}=="6764", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess" @@ -54,6 +53,6 @@ services.printing = { enable = true; - drivers = with pkgs; [mfcl3770cdwlpr mfcl3770cdwcupswrapper]; + drivers = with pkgs; [ mfcl3770cdwlpr mfcl3770cdwcupswrapper ]; }; } 
diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix new file mode 100644 index 0000000..47c5ab5 --- /dev/null +++ b/nix/os/snippets/bluetooth.nix @@ -0,0 +1,9 @@ +{ pkgs +, lib +, ... +}: { + # required for running blueman-applet in user sessions + services.dbus.packages = with pkgs; [ blueman ]; + hardware.bluetooth.enable = true; + services.blueman.enable = true; +} diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix new file mode 100644 index 0000000..5bbb1e5 --- /dev/null +++ b/nix/os/snippets/home-manager-with-zsh.nix @@ -0,0 +1,49 @@ +{ nodeFlake +, repoFlake +, repoFlakeInputs' +, packages' +, pkgs +, ... +}: + +let + # TODO: make this configurable + homeUser = "steveej"; + commonHomeImports = [ + ../../home-manager/profiles/common.nix + ../../home-manager/programs/neovim.nix + ../../home-manager/programs/zsh.nix + ]; +in +{ + imports = [ + nodeFlake.inputs.home-manager.nixosModules.home-manager + ]; + + # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager + # home-manager.extraSpecialArgs = specialArgs; + # hence, opt for passing the arguments selectively instead + home-manager.extraSpecialArgs = { + inherit + repoFlake + repoFlakeInputs' + packages' + nodeFlake + ; + }; + + home-manager.useGlobalPkgs = false; + home-manager.useUserPackages = true; + + home-manager.users.root = _: { + imports = commonHomeImports; + }; + + home-manager.users."${homeUser}" = _: { + imports = commonHomeImports; + }; + + programs.zsh.enable = true; + users.defaultUserShell = pkgs.zsh; + environment.pathsToLink = [ "/share/zsh" ]; +} diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix index 36db65e..f3f577b 100644 --- a/nix/os/snippets/nix-settings.nix +++ b/nix/os/snippets/nix-settings.nix 
@@ -1,9 +1,7 @@ -{ - nodeFlake, - - pkgs, - lib, - ... +{ nodeFlake +, pkgs +, lib +, ... }: { nix.daemonCPUSchedPolicy = "idle"; nix.daemonIOSchedClass = "idle"; @@ -17,8 +15,6 @@ nix.settings.experimental-features = [ "nix-command" "flakes" - "ca-derivations" - "impure-derivations" ]; nix.settings.system-features = [ @@ -29,4 +25,5 @@ ]; nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; + } diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix index 2ede0f6..4c51002 100644 --- a/nix/os/snippets/sway-desktop.nix +++ b/nix/os/snippets/sway-desktop.nix @@ -1,4 +1,8 @@ -{ pkgs, lib, ... }: +{ pkgs +, lib +, config +, ... +}: let # TODO: make this configurable @@ -64,6 +68,7 @@ in }; security.pam.services.getty.enableGnomeKeyring = true; + security.pam.services."autovt@tty1".enableGnomeKeyring = true; services.gnome.gnome-keyring.enable = true; # autologin steveej on tty1 @@ -79,11 +84,20 @@ in Restart = "always"; Type = "idle"; }; - programs.zsh.loginShellInit = '' - if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then - exec sway - fi - ''; + + programs = + let + steveejSwayOnTty1 = '' + if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then + exec sway + fi + ''; + in + { + bash.loginShellInit = steveejSwayOnTty1; + # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion + zsh.loginShellInit = steveejSwayOnTty1; + }; home-manager.users."${homeUser}" = _: { imports = [ diff --git a/secrets/steveej-x13s/secrets.yaml b/secrets/steveej-x13s/secrets.yaml index a7306d2..f8c2741 100644 --- a/secrets/steveej-x13s/secrets.yaml +++ b/secrets/steveej-x13s/secrets.yaml 
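Review bot: `security.pam.services."autovt@tty1".enableGnomeKeyring = true` targets the autologin getty on tty1 (the surrounding context auto-logs `steveej` in there), but `pam_gnome_keyring` unlocks the login keyring with the password typed at login — with autologin there is none, so the keyring either stays locked until an application prompts, or someone sets its password to empty, which leaves its contents unencrypted at rest. A comment on that line stating which outcome is intended, e.g. `# autologin: PAM cannot unlock the keyring here; expect a prompt on first use (do not blank the keyring password)`, would prevent the second option being chosen as a "fix". The `steveejSwayOnTty1` snippet shared by `bash.loginShellInit` and `zsh.loginShellInit` hard-codes the user while this file already binds `homeUser`; `if test $(id --user ${homeUser}) = $(id -u) && test $(tty) = "/dev/tty1"; then` keeps the autologin user and the sway launch in sync.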
@@ -1,14 +1,4 @@ hello: ENC[AES256_GCM,data:9dO0Gd4YDDxWHHBYtdomfK8BJnBZC+SQYfUvTAkCq9sOO/ZH/bFhN0Fl/NvLzQ==,iv:m1TZ9PGjsoMo7NA9EHrLb0tCtIl98E3OEN1bkpZZxXY=,tag:Gup/pACLIXGXu8KEyzmfWg==,type:str] -example_key: ENC[AES256_GCM,data:EQ+uewu8+17QhrbIHg==,iv:N9i1tCT5IHz5WYbqyF0AIqCq/c67uPMiavUxt0Eb2Oc=,tag:UwOrM3cOLYMxIe80GenljA==,type:str] -#ENC[AES256_GCM,data:qZzxU9ai1z/5f3gxHrR5Dq56,iv:ccvxVS693K9Jjp/YIesWo8kemtkCSFWHJlJposcmXt0=,tag:FQUUPO+ydScUVZWH89vEew==,type:comment] -#ENC[AES256_GCM,data:Il5rKFCgUQERmLqSEOnzoQ==,iv:ALxNqdu/MgDdPyiEsq0Qgb/5bOBS3OgIWf0ZOUbGLJg=,tag:u4vJ7Y6iwa1Na5FIebrVow==,type:comment] -example_array: - - ENC[AES256_GCM,data:yMM0kfvv4WI/reWLuM8=,iv:51XoWYOFLAbhIzejbWBwIpi2JVhQZIivLt4HVJtXPpA=,tag:J9C7NwdVOoocGKWUvUAOSQ==,type:str] - - ENC[AES256_GCM,data:Tg1bRwtydMuaLvnvTDc=,iv:8c44EM1U5tqD8Mn8Fg37MyASi+xv78BB+8AjG59tzXE=,tag:OvxU9x0pZbjW9j/DQMahFg==,type:str] -example_number: ENC[AES256_GCM,data:DhzIPdpqm/p1pQ==,iv:ZWkBTeuyaXVzffEVGuw1xxi+ekiSGyspE9PeBNRRm1k=,tag:Qq1/Wo3XY+Y2u5luxxxTeA==,type:float] -example_booleans: - - ENC[AES256_GCM,data:ZA6WIQ==,iv:gkQnXrVZiP6Yj4SVdtM09Jmpebb11998tv3y/P5pvqE=,tag:ujwkH9l6/+1W4IeDu3HBFw==,type:bool] - - ENC[AES256_GCM,data:YcDPFAc=,iv:r9gBG5YIq5Sgs6/HWRWjBJZ8TrlXDxnAZN1PRBVIq8k=,tag:TTP0tsiPsPsd6BjkScCRbQ==,type:bool] sops: kms: [] gcp_kms: [] 
@@ -24,8 +14,8 @@ sops: Q1FmbW9BL3E1emwwWFhJTTZoRlhVdFEKCkpvkW65v0+fuh2bXZVNVbnwsl1Aca/O 9tkIMNLFhD/Rn8MFmkhIZmWYWB4IUwW/UNSxrmkt7cyFJNlpAH0+YA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-22T09:20:19Z" - mac: ENC[AES256_GCM,data:Mmo5XJaMIDZ0sqKyn7oK+l6XdrTyA0NuF8tueLEKSdSCFxr2TJjroyojsybrYKehp5rrW1rT8cWWld2wXEEr+txsMCzIrlDqyerkcsu7ioMJb7ihRyXATBzdBOfUTq/8iLLc9gE9uRaMbeNOrglF0nxS+VtwOmst/z6fl7wC0+Q=,iv:t+dSzeBBhVfPo2efHM4iWIE/DHTDAm917kZrV1UxV0I=,tag:+CPkO6bbWqMzWBs16HT8GA==,type:str] + lastmodified: "2024-01-23T09:41:31Z" + mac: ENC[AES256_GCM,data:xGspZnqqcwoxM0otV3m6RJdwp4laYC+b6DSOEhzbQDeS6hslD6BddQ2g+tS7l3QTtItOjmB6pLb1JJkyhaG3PDWaDu89GNlvUyTyTUxfZWzTfiB6LWJS7eDTwb6OvzDklzCRltoH+8bWTjedWkeWIOtYbjJPo6zwUAiXgiKOj2s=,iv:MSgm5HXlb/NtvqHvVmDdwzX5ebipf7UJnmPNFUV9Nzs=,tag:XT4Evu+Sn+t/+EPb+dZ61Q==,type:str] pgp: - created_at: "2024-01-23T09:01:14Z" enc: |- From eadfa1a28c364d9d1a97edc904319e562f8a6f9d Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 25 Jan 2024 00:09:06 +0100 Subject: [PATCH 20/42] radicale path updates and updatekey command --- Justfile | 3 + nix/home-manager/programs/radicale.nix | 4 +- nix/pkgs/logseq/Containerfile | 59 +++++++++++++++++++ nix/pkgs/logseq/README.md | 6 ++ nix/pkgs/logseq/default.nix | 80 ++++++++++++++++++++++++++ nix/pkgs/logseq/flake.nix | 18 ++++++ secrets/desktop/radicale_htpasswd | 18 +++--- 7 files changed, 179 insertions(+), 9 deletions(-) create mode 100644 nix/pkgs/logseq/Containerfile create mode 100644 nix/pkgs/logseq/README.md create mode 100644 nix/pkgs/logseq/default.nix create mode 100644 nix/pkgs/logseq/flake.nix diff --git a/Justfile b/Justfile index 0b3bb36..1633cba 100755 --- a/Justfile +++ b/Justfile @@ -306,3 +306,6 @@ test-connection: cachix-use name: nix run nixpkgs/nixos-unstable#cachix -- use {{name}} -m nixos -d nix/os/ + +update-sops-keys: + for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done 
diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix index bcedd41..1a89d95 100644 --- a/nix/home-manager/programs/radicale.nix +++ b/nix/home-manager/programs/radicale.nix @@ -63,8 +63,8 @@ let [storage] type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync-${suffix} + filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} ''; in { diff --git a/nix/pkgs/logseq/Containerfile b/nix/pkgs/logseq/Containerfile new file mode 100644 index 0000000..e61e2b9 --- /dev/null +++ b/nix/pkgs/logseq/Containerfile 
@@ -0,0 +1,59 @@
+# NOTE: please keep it in sync with .github pipelines
+# NOTE: during testing make sure to change the branch below
+# NOTE: before running the build-docker GH action edit
+# build-docker.yml and change the release channel from :latest to :testing
+
+# Builder image
+FROM clojure:temurin-11-tools-deps-1.11.1.1208-bullseye-slim as builder
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+# Install reqs
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ curl \
+ ca-certificates \
+ apt-transport-https \
+ gpg \
+ build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev \
+ zip
+
+# install NodeJS & yarn
+RUN curl -sL https://deb.nodesource.com/setup_18.x | bash -
+
+RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | \
+ tee /etc/apt/trusted.gpg.d/yarn.gpg && \
+ echo "deb https://dl.yarnpkg.com/debian/ stable main" | \
+ tee /etc/apt/sources.list.d/yarn.list && \
+ apt-get update && apt-get install -y nodejs yarn
+
+WORKDIR /data
+
+ENV VERSION=0.10.5
+
+# build Logseq static resources
+RUN git clone -b ${VERSION} https://github.com/logseq/logseq.git .
+
+RUN yarn config set network-timeout 240000 -g && yarn install
+RUN yarn release-electron
+
+RUN mkdir /out
+RUN mv /data/static/out/make/zip /out/${VERSION}.zip
+RUN mv /data/static/out/make/*.AppImage /out/
+
+FROM scratch as artifacts
+COPY --from=builder /out /
+# Logseq-${VERSION}.AppImage
+# RUN mv zip /${VERSION}.zip
+
+# RUN \
+# mkdir -p builds
+# # NOTE: save VERSION file to builds directory
+# cp static/VERSION ./builds/VERSION
+# mv static/out/make/*-*.AppImage ./builds/Logseq-linux-aarch64-${VERSION}.AppImage
+# mv static/out/make/zip/linux/x64/*-linux-x64-*.zip ./builds/Logseq-linux-aarch64-${VERSION}.zip
+
+# # Web App Runner image
+# FROM nginx:1.24.0-alpine3.17
+#
+# COPY --from=builder /data/static /usr/share/nginx/html
+#
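Review bot: `RUN curl -sL https://deb.nodesource.com/setup_18.x | bash -` executes an unpinned remote script as root inside the builder, which is the weakest link in a pipeline whose output AppImage is later wrapped by the logseq package and installed on the desktop. The yarn block directly below already shows the safer pattern — fetch the repository signing key, dearmor it into a keyring, add the apt source — and doing the same for the NodeSource repository (with a `signed-by=` keyring instead of `/etc/apt/trusted.gpg.d`) removes the script execution entirely. `git clone -b ${VERSION}` checks out a tag, which upstream can move; recording the commit and checking it out explicitly (`git checkout <sha>`) makes the artifact reproducible, and the base image could be pinned by `@sha256:` digest for the same reason. `git` is not in the `apt-get install` list, so it is presumably provided by the base image — worth confirming so the build does not depend on that detail silently.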
diff --git a/nix/pkgs/logseq/README.md b/nix/pkgs/logseq/README.md
new file mode 100644
index 0000000..1ae1756
--- /dev/null
+++ b/nix/pkgs/logseq/README.md
@@ -0,0 +1,6 @@
+this is pseudocode that serves as a reminder
+
+1. podman build -f Containerfile
+2. podman unshare
+3. podman mount $CONTAINER_ID
+4. upload the AppImaeg
diff --git a/nix/pkgs/logseq/default.nix b/nix/pkgs/logseq/default.nix
new file mode 100644
index 0000000..f93efb0
--- /dev/null
+++ b/nix/pkgs/logseq/default.nix
@@ -0,0 +1,80 @@ +{ lib +, pname ? "logseq" +, version ? "0.10.5" +, src ? fetchurl { + url = "https://github.com/logseq/logseq/releases/download/${ version}/logseq-linux-x64-${ version}.AppImage"; + hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBE="; + name = "${ pname}-${ version}.AppImage"; + } +, stdenv +, fetchurl +, appimageTools +, makeWrapper + # graphs will not sync without matching upstream's major electron version +, electron_27 +, git +, nix-update-script +}: + +stdenv.mkDerivation + (finalAttrs: + let + inherit (finalAttrs) pname version src appimageContents; + + in + { + inherit version pname src; + + appimageContents = appimageTools.extract { + inherit pname src version; + }; + + dontUnpack = true; + dontConfigure = true; + dontBuild = true; + + nativeBuildInputs = [ makeWrapper ]; + + installPhase = '' + runHook preInstall + + mkdir -p $out/bin $out/share/${pname} $out/share/applications + cp -a ${appimageContents}/{locales,resources} $out/share/${pname} + cp -a ${appimageContents}/Logseq.desktop $out/share/applications/${pname}.desktop + + # remove the `git` in `dugite` because we want the `git` in `nixpkgs` + chmod +w -R $out/share/${pname}/resources/app/node_modules/dugite/git + chmod +w $out/share/${pname}/resources/app/node_modules/dugite + rm -rf $out/share/${pname}/resources/app/node_modules/dugite/git + chmod -w $out/share/${pname}/resources/app/node_modules/dugite + + mkdir -p $out/share/pixmaps + ln -s $out/share/${pname}/resources/app/icons/logseq.png $out/share/pixmaps/${pname}.png + + substituteInPlace $out/share/applications/${pname}.desktop \ + --replace Exec=Logseq Exec=${pname} \ + --replace Icon=Logseq Icon=${pname} + + runHook postInstall + ''; + + postFixup = '' + # set the env "LOCAL_GIT_DIRECTORY" for dugite so that we can use the git in nixpkgs + makeWrapper ${electron_27}/bin/electron $out/bin/${pname} \ + --set "LOCAL_GIT_DIRECTORY" ${git} \ + --add-flags $out/share/${pname}/resources/app \ + --add-flags 
"\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \ + --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc.lib ]}" + ''; + + passthru.updateScript = nix-update-script { }; + + meta = { + description = "A local-first, non-linear, outliner notebook for organizing and sharing your personal knowledge base"; + homepage = "https://github.com/logseq/logseq"; + changelog = "https://github.com/logseq/logseq/releases/tag/${version}"; + license = lib.licenses.agpl3Plus; + maintainers = with lib.maintainers; [ ]; + platforms = [ "x86_64-linux" ]; + }; + }) diff --git a/nix/pkgs/logseq/flake.nix b/nix/pkgs/logseq/flake.nix new file mode 100644 index 0000000..0ddb02e --- /dev/null +++ b/nix/pkgs/logseq/flake.nix @@ -0,0 +1,18 @@ +{ + inputs = { + utils.url = "github:numtide/flake-utils"; + # clj2nix.url = "github:hlolli/clj2nix"; + logseq.url = "github:logseq/logseq/0.5.9"; + }; + + outputs = { nixpkgs, self, utils }: utils.lib.eachDefaultSystem (system: + let + pkgs = import nixpkgs { inherit system; }; + # clj2nixBin = clj2nix.defaultPackage.${system}; + in + { + packages = pkgs.callPackage ./default.nix { inherit self; }; + nixpkgs = pkgs; + }); + +} diff --git a/secrets/desktop/radicale_htpasswd b/secrets/desktop/radicale_htpasswd index 10cda96..5b0f6b6 100644 --- a/secrets/desktop/radicale_htpasswd +++ b/secrets/desktop/radicale_htpasswd 
@@ -1,5 +1,5 @@ { - "data": "ENC[AES256_GCM,data:4Sfp4HqBQ/gsdK1iIwVisHxXHB9ryuTcsxqa4pJMYPBkn0C/Z43TuvZnUpZyACAIL00h7sPMEqQbdvmiHoo2CVizl5hB0wT6QdBwjuSjjuNDwqqJTvistCNBGsTQrb8fdsmTMGEyQmC0yQ6eF3STIT2PP/M1NPZ30zqxQInscv0Mem3n1yT0S3xamwvXkJq+WQvEhJpggsp8,iv:B+KVrsWRHYhvNCkwWhHOF6CFTpF4/tI5wOD05aMf2JI=,tag:srnaV+etedgReXLZ9QBPCw==,type:str]", + "data": "ENC[AES256_GCM,data:rUTsNj5pW/7JhyfRWiEoOHVT06tmbAHarOEuMkWaP+jz9FX3Qvjtv2S767Be89RwBdZZPTyO5+DcWUH+m2AOoAFKZs8TgT7lmQCuweXE27HZe88y+mNvHYfExWbLaC3fxheHgy8BgZBQNdVMKhZlYr5nLxJBrUY+j2sRP/CuucUcbsCojoHqYmb9hpS03PZ7i6Uf7tImgvFc,iv:pnYzcggEWKAhRxJyOGYaXFrS6kN7uLHic+tO1PeHZmg=,tag:4eXlaWf7hJxcy6zlQC5U8Q==,type:str]", "sops": { "kms": null, "gcp_kms": null, 
@@ -8,19 +8,23 @@ "age": [ { "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTVMxdkpjQllIZlRpQjEr\nc0RqNzNnOGplcDR6by9aL0JQY0ZmZjV3OUhrCm1sbHEvQ3hFZVg1YU5wOU5kaGpI\nK25zckJNaXhWd21kUHIyTm8yVW0reWsKLS0tIHVvbDhYZjRSbVRjOWZNaWkwcm1z\neVJyTTRNNTJBeVYxdDFCL1ozQjhQUkUK09k0LVNUugbxtZJB1JEXWmB2Q35mK1MW\nY12rpx4QwFUf1uhZDGmHMU0mrmaZRhkiTXTW+MtbHHtiGCxI8JrgLQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsRG1PWnJpTjRCOFVXS21h\nTUxFb1ZsS1piTUxtdmRSVGFmNGlzZmZqWXo4CnhMY3hBZU93bE45MFBJSG9Nd3Zh\nNi9DQjZlb2FzQXplZXovOENBOWRUQ0kKLS0tIFJsNklCUWFZdzhNaXlFQ2lFTGd5\nREp5VFZaNFlZeWVTUXlJSWpUOXA0OEEKEO5EEvjKL2BdBd+eHxvicl3IhGV/WNRS\ni5065sFhraZ+6MAg91eHUcwcfwjhx0tr06v9xARtKzgEEpgxHLT6BQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvWHZjdERBT0hHTVVnMzJJ\nSURhU0NrelB4b0FuTmM1VFIvRFRpQS9sMEQwClJsWGVTUE1hN0Y5c3dETUcyUllX\nSmIzR2ZhMDJDa1hsY0xBaGJrNXkrMUUKLS0tIHAwenJOOHZOSksrQ2dacVhKQVg5\ndEl6QVdkTHdGbG81OUUzOFprZHVRUm8KVYgQ5wUkCDZa9SUbmJgtpWY/LWruAg2t\nZFVYJUZ7B/Pd6rzvtOVjU8mEOaMbtq1cYkiAcuzhIdoTxu1TX11OPA==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2024-01-22T17:03:08Z", - "mac": "ENC[AES256_GCM,data:BS4BPjzA663knjD53QWjjDKmYmT6GcOVJru0XBWDQakVvgZwrPnRSZWSuC+ubtTBiG+EMK8Zx7nY3i8S/T0AkO9FmxBR476m8oopkNvCQIIEOkOK0F5I2gd6W/SDqKBC8Wzb6qWxGYDeZBmnvjpapcyW+VvJvaXhjSJpOgff+LQ=,iv:mwa9p6YJPLDWUcPxgGErZUSd5afCdg3YmY3fL1/f6do=,tag:MQN6KPB0NwVakSps9/sLzw==,type:str]", + "lastmodified": "2024-01-24T22:45:02Z", + "mac": 
"ENC[AES256_GCM,data:70nJ8FwQqWKUs5tVZTdaUSnFdvzh7h7GG9lJU9IVuSW8GHs9N4srFRJ0DtJbrIYm4YasNsZqNUcWx/ptxzP0DG/IJs8Vpnb4U5SXKw+zN7B5GBM0Xnh6pZZcylAw7lcXevBfI4jw7Ymmj5zBIFyKTCKhietayfmxdIxyoaxNH34=,iv:XJgmRc0tONH9H6AQyfJvDdkfJgP3ugAxOPxMkBqhLMo=,tag:MBN8FJglHqTiS5nLjtMXiA==,type:str]", "pgp": [ { - "created_at": "2023-07-01T17:45:58Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf/e3rEGHYLdAQ3t5Ye7EY8HGj3zplmEm6yX/OD6atnIH56\n1n+buBEsCnj6OMJ8IPBI1KMlR3agvrTcP1U428VaJKEqMAfAbmTxHvuYv17r4z3c\nuxtvnK4BUC0BIgf3b9FP1uQBvmwSR3bIV1JuD1or88j9iY3dO7KbwbAEF+HMqj9/\nz+NM9ZGi/mpdFHLCKp52FgKi+eiNyGiJS1a8VSda/X8GwcmQYUzSkUxOcjGVTmYr\nBzie319eutOq6zf9+8WGO+Jd8XDlFdmucXyb5kkJkKv0kUeEMKePktpxjh/SUH2E\nVWLDa3rLPEZWvvLtDeOgAWdxNVBsvAhFwyUl7hJ+INJRAbgK7jJpGJuNUmN48P/Y\nKj1/x5hKlBOQpqWyoB751Sq2hAITS/UyvpIEL7cH9ASq369SVa7tI6KL0Ut5wSDb\n1681kueTerz2szUe6DPcAC4U\n=Bu6s\n-----END PGP MESSAGE-----", + "created_at": "2024-01-24T22:48:30Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQgAl7wj8pgA42CyZ+b0ykAVMIzfVsX5zfyLTL3fKRC78kGH\n7D6Lp6Fesp3dZ8c7awWEM3b1WEFOS8Yklo6bfZCnioJoqZhMtYhyTCi+KEBXdw7g\n+KAquXkrD6mYOVBXoKHUqUBoDjFjU/stfV2Pdnl5I7SGYFHtyv8jwdJXbBInDNI6\nmtVzpKoM7pCFHH0Vz+A1D1X4k+96znbSnjHVBgOFLjyZ2KGPKBKud4nM0idAO/tO\nH77ApV1qRBU7weI5yTbK7GeuUxFYrolxkqOCPUH6E5Z2eVQ8ACUFpvgX4ET91jeP\nYTbTuq9cfm/gPsFIGtZLgWSq7cCZHe12nPHT//ajK9JcASNmmTiJFvK19WmN7spg\nbfDJLZud80PNu6MVXthwRGJ50/yRSrO8e/5tCjVz7UlkOmVG5ClsGDfRCH5gJDqS\nMJ+UdOHZjqcZu6TkBmSNX+9fRS1hgCiGxOjT2mU=\n=q3es\n-----END PGP MESSAGE-----", "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" } ], "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" + "version": "3.8.1" } } \ No newline at end of file From a138ac20acaa94400e74aae1370d4dd8235e268c Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 24 Jan 2024 23:20:45 +0000 Subject: [PATCH 21/42] steveej-t14: disable radicale --- nix/os/devices/steveej-t14/configuration.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index fab73d5..0b199cc 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -2,7 +2,8 @@ imports = [ ../../snippets/home-manager-with-zsh.nix ../../snippets/nix-settings-holo-chain.nix - ../../snippets/radicale.nix + # TODO: double-check whether this works at all after the most recent changes + # ../../snippets/radicale.nix ../../snippets/sway-desktop.nix ../../snippets/timezone.nix From f243e0c2dc580ebe5079e85ede3a96caac1b8534 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 25 Jan 2024 00:32:37 +0100 Subject: [PATCH 22/42] logseq on arm64, latest signal on arm, waydroid, radicale, vscode --- flake.lock | 47 ++++---- flake.nix | 16 ++- .../configuration/graphical-fullblown.nix | 94 +++++---------- nix/home-manager/programs/chromium.nix | 3 + nix/home-manager/programs/vscode/default.nix | 16 ++- nix/os/devices/steveej-x13s/configuration.nix | 19 +++- nix/os/devices/steveej-x13s/flake.lock | 12 +- nix/os/devices/steveej-x13s/flake.nix | 2 +- nix/pkgs/logseq/README.md | 8 ++ nix/pkgs/logseq/default.nix | 107 +++++++++--------- nix/pkgs/logseq/flake.nix | 18 --- secrets/zerotierone.txt | 36 +++++- 12 files changed, 196 insertions(+), 182 deletions(-) delete mode 100644 nix/pkgs/logseq/flake.nix diff --git a/flake.lock b/flake.lock index 4926126..4cd0d25 100644 --- a/flake.lock +++ b/flake.lock @@ -376,6 +376,18 @@ "type": "github" } }, + "logseq_0_10_5_aarch64_appimage": { + "flake": false, + "locked": { + "narHash": "sha256-5uHRJpNcAzVRqyF5eR2sY0u/Q9rHXWh/g36/sehmSys=", + "type": "file", + "url": "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage" + }, + "original": { + "type": "file", + "url": "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage" + } + }, "nix-eval-jobs": { "inputs": { "flake-parts": "flake-parts_3", 
@@ -552,16 +564,16 @@ }, "nixpkgs-2311": { "locked": { - "lastModified": 1704018918, - "narHash": "sha256-erjg/HrpC9liEfm7oLqb8GXCqsxaFwIIPqCsknW5aFY=", + "lastModified": 1705916986, + "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2c9c58e98243930f8cb70387934daa4bc8b00373", + "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-23.11", "repo": "nixpkgs", "type": "github" } @@ -615,29 +627,13 @@ "type": "github" } }, - "nixpkgs-unstable": { - "locked": { - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1704177376, - "narHash": "sha256-6AV8TWX/juwV8delRDtlbUzi1X8irrtCfrtcYByVhCs=", + "lastModified": 1706112902, + "narHash": "sha256-GKPwSY0fBShj0FfaPqA4gg5oHGhpya/m2DVb+3m+Uzs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e2e36d8af3b7c465311f11913b7dedd209633c84", + "rev": "5cd2baa57a9ff2d84f2615700434fa04f3067fdb", "type": "github" }, "original": { @@ -735,6 +731,7 @@ "get-flake": "get-flake", "jay": "jay", "linux_x13s": "linux_x13s", + "logseq_0_10_5_aarch64_appimage": "logseq_0_10_5_aarch64_appimage", "nixos-anywhere": "nixos-anywhere", "nixpkgs": [ "nixpkgs-2311" @@ -742,7 +739,9 @@ "nixpkgs-2211": "nixpkgs-2211", "nixpkgs-2305": "nixpkgs-2305", "nixpkgs-2311": "nixpkgs-2311", - "nixpkgs-unstable": "nixpkgs-unstable", + "nixpkgs-unstable": [ + "nixpkgs-unstable-small" + ], "nixpkgs-unstable-small": "nixpkgs-unstable-small", "nixpkgs-wayland": "nixpkgs-wayland", "ofi-pass": "ofi-pass", diff --git a/flake.nix b/flake.nix index a0bdcc8..0931bc3 100644 --- a/flake.nix 
+++ b/flake.nix @@ -10,9 +10,9 @@ nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; radicalePkgs.follows = "nixpkgs-2211"; nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; - nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.05"; - nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11"; nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-unstable.follows = "nixpkgs-unstable-small"; nixpkgs.follows = "nixpkgs-2311"; flake-parts.url = "github:hercules-ci/flake-parts"; get-flake.url = "github:ursi/get-flake"; @@ -98,7 +98,10 @@ }; - ### + logseq_0_10_5_aarch64_appimage = { + flake = false; + url = "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage"; + }; }; outputs = @@ -271,7 +274,7 @@ }) { }; - nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; + nomad = inputs'.nixpkgs-unstable-small.legacyPackages.nomad_1_6; ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' set -x @@ -299,6 +302,11 @@ syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 ''; + + logseq = pkgs.callPackage ./nix/pkgs/logseq + (lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { + overrideSrc = self.inputs.logseq_0_10_5_aarch64_appimage; + }); }; formatter = pkgs.alejandra; diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index b46e96c..7564c35 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix 
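Review bot: The new `logseq_0_10_5_aarch64_appimage` input is a `flake = false` file fetched from a personal web host, so its integrity rests solely on the `narHash` recorded in flake.lock, and a routine `nix flake update` would accept whatever that URL serves next. Since `./nix/pkgs/logseq` takes `overrideSrc` (per the `logseq = pkgs.callPackage …` hunk), passing `overrideSrc = pkgs.fetchurl { url = "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage"; hash = "sha256-…"; };` instead puts the expected hash next to the code where it is reviewed with version bumps, and the flake input can be dropped. If the input is kept, a comment such as `# self-built from nix/pkgs/logseq/Containerfile; integrity pinned only by flake.lock narHash` would at least record the provenance for the next reader.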
@@ -110,68 +110,30 @@ in # kotatogram-desktop tdesktop - pkgsUnstableSmall.signal-desktop - - #(let - # version = "6.20.0-beta.1"; - #in - # pkgsUnstableSmall.signal-desktop-beta.overrideAttrs (old: { - # # inherit version; - # # src = builtins.fetchurl { - # # url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb"; - # # sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a"; - # # }; - # preFixup = - # old.preFixup - # + '' - # gappsWrapperArgs+=( - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}" - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" - # ) - # ''; - # })) - - # --add-flags "--enable-features=UseOzonePlatform" - # --add-flags "--ozone-platform=wayland" - # (pkgsUnstableSmall.session-desktop.overrideAttrs (old: { - # nativeBuildInputs = - # old.nativeBuildInputs - # ++ [ - # pkgs.wrapGAppsHook - # ]; - - # preFixup = - # (old.preFixup or "") - # + '' - # gappsWrapperArgs+=( - # --add-flags "--enable-features=UseOzonePlatform" - # --add-flags "--ozone-platform=wayland" - # # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}" - # # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=WaylandWindowDecorations}}" - # # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" - # ) - # ''; - # })) - - #(pkgsUnstableSmall.session-desktop.overrideAttrs(old: { - # nativeBuildInputs = old.nativeBuildInputs ++ [ - # pkgs.wrapGAppsHook - # ]; - # - # preFixup = (old.preFixup or "") + '' - # gappsWrapperArgs+=( - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}" - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" - # ) - # ''; - # })) + ( + let + version = "6.44.0"; + in + pkgsUnstableSmall.signal-desktop.overrideAttrs (old: + 
lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { + inherit version; + src = builtins.fetchurl + { + url = "https://github.com/0mniteck/Signal-Desktop-Mobian/raw/master/builds/release/signal-desktop_${version}_arm64.deb"; + sha256 = + # lib.fakeSha256 + "sha256:0svb5vz08n3j4lx4kdjmx5lw9619kvvxg981rs6chh83qz5y519k" + ; + } + ; + }) + ) thunderbird # gnome.cheese - # Virtualization # virtmanager @@ -284,6 +246,17 @@ in # this is a displaymanager! # libretro.snes9x2010 # retroarchFull + + packages'.logseq + # (pkgs.runCommand "logseq-wrapper" + # { + # nativeBuildInputs = [ pkgs.makeWrapper ]; + # } '' + # makeWrapper ${pkgs.logseq}/bin/logseq $out/bin/logseq \ + # --set NIXOS_OZONE_WL "" + # '') + ]) + ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ]) ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ (pkgs.banana-accounting.overrideDerivation @@ -321,15 +294,6 @@ in pkgsUnstableSmall.ledger-live-desktop - (pkgs.runCommand "logseq-wrapper" - { - nativeBuildInputs = [ pkgs.makeWrapper ]; - } '' - makeWrapper ${pkgs.logseq}/bin/logseq $out/bin/logseq \ - --set NIXOS_OZONE_WL "" - '') - # (logseq.override({ electron_25 = electron_26; })) - # unsupported on aarch64-linux pkgs.androidenv.androidPkgs_9_0.platform-tools pkgs.teamviewer diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index 81383c9..1119653 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix @@ -46,6 +46,9 @@ let ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ # Vimium C { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } + + # always right + { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; } ]); in { diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index b7a6a3d..6213e55 100644 --- a/nix/home-manager/programs/vscode/default.nix +++ b/nix/home-manager/programs/vscode/default.nix 
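Review bot: On aarch64 the `signal-desktop` override swaps the official build for a third-party `.deb` from `0mniteck/Signal-Desktop-Mobian`, fetched through the moving `raw/master/…` path. The `sha256` stops the derivation from consuming a changed file, but the URL should reference a commit (`raw/<commit-sha>/builds/release/…`) so the pin and the URL agree and the build does not break on the next push to that repository; the commented `# lib.fakeSha256` scaffolding can go at the same time. For a messaging client a one-line comment on why this source is trusted over the nixpkgs build, and what to verify when bumping `version`, is warranted. Note that only `version` and `src` are replaced while the rest of `old` — including whatever `.deb` unpacking and wrapping the nixpkgs expression does — is kept, so a layout difference in the unofficial package would only surface at build or run time.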
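Review bot: The hunk adds `++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ])` immediately before the pre-existing line with the same condition and the real list, so the new line only appends an empty list; it reads like a leftover from moving the logseq wrapper and should be dropped. The commented-out `logseq-wrapper` block below `packages'.logseq` duplicates the one removed further down in the same file; keeping one copy (or none, now that `packages'.logseq` is used) avoids two stale references to `pkgs.logseq`.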
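Review bot: The new extension entry `{ id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; }` is documented only as `# always right`, which does not let a later reader verify what is being installed; extensions added by ID get page access and auto-update, so the comment should name the extension and link its Web Store page, e.g. `# <extension name> — <store URL>; <one-line purpose>`, the way the `# Vimium C` entry above at least names its extension.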
@@ -9,10 +9,18 @@ in { extensions = with pkgs.vscode-extensions; [ ms-vscode-remote.remote-ssh - # bbenoist.nix - # vscodevim.vim - # rust-lang.rust-analyzer - # mkhl.direnv + bbenoist.nix + eamodio.gitlens + mkhl.direnv + jnoortheen.nix-ide + tomoki1207.pdf + vscodevim.vim + + # TODO: these are not in nixpkgs + # fredwangwang.vscode-hcl-format + # hashicorp.hcl + # mindaro-dev.file-downloader + # ms-vscode.remote-explorer ] ++ marketPlaceExtensions; mutableExtensionsDir = true; diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index 204aa33..6e902e6 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix @@ -85,7 +85,7 @@ ../../snippets/sway-desktop.nix ../../snippets/bluetooth.nix ../../snippets/timezone.nix - # ../../snippets/radicale.nix + ../../snippets/radicale.nix ]; networking.hostName = nodeName; @@ -126,12 +126,23 @@ }; boot = { - kernelParams = [ - "dtb=sc8280xp-lenovo-thinkpad-x13s.dtb" - ]; loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = lib.mkForce false; loader.efi.efiSysMountPoint = "/boot"; blacklistedKernelModules = [ "wwan" ]; }; + + # see https://linrunner.de/tlp/ + services.tlp = { + enable = true; + settings = { + START_CHARGE_THRESH_BAT0 = "80"; + STOP_CHARGE_THRESH_BAT0 = "85"; + }; + }; + + # android on linux + virtualisation.waydroid.enable = true; + virtualisation.podman.enable = true; + virtualisation.podman.dockerCompat = true; } diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock index 5e95546..dcc457f 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s/flake.lock 
@@ -97,17 +97,17 @@ ] }, "locked": { - "lastModified": 1705945811, - "narHash": "sha256-eDqgRYGMzRfpfWvSVj6IhHAWOMJC3xiwKaClbe79Gro=", + "lastModified": 1706097550, + "narHash": "sha256-rR4HMpUlT7SbVPxQIvWH0DsxaEQcjTLqLrst2xoT1CY=", "ref": "refs/heads/main", - "rev": "9320defc4b8f381e5b7887d212d8d2babc41f2f2", - "revCount": 2, + "rev": "732a0f1549996740bdb06989599a5f0653de5056", + "revCount": 6, "type": "git", - "url": "https://codeberg.org/adamcstephens/nixos-x13s" + "url": "https://codeberg.org/steveej/nixos-x13s" }, "original": { "type": "git", - "url": "https://codeberg.org/adamcstephens/nixos-x13s" + "url": "https://codeberg.org/steveej/nixos-x13s" } }, "nixpkgs": { diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix index 7ff3529..9f10331 100644 --- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s/flake.nix @@ -19,7 +19,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s"; + nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s"; nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; }; diff --git a/nix/pkgs/logseq/README.md b/nix/pkgs/logseq/README.md index 1ae1756..e7be282 100644 --- a/nix/pkgs/logseq/README.md +++ b/nix/pkgs/logseq/README.md @@ -1,6 +1,14 @@ +# build instructions + this is pseudocode that serves as a reminder 1. podman build -f Containerfile 2. podman unshare 3. podman mount $CONTAINER_ID 4. upload the AppImaeg + +# resources + +* https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90 +* https://github.com/logseq/logseq/blob/master/Dockerfile +* https://github.com/randomwangran/logseq-nix-flake diff --git a/nix/pkgs/logseq/default.nix b/nix/pkgs/logseq/default.nix index f93efb0..40cc9cd 100644 --- a/nix/pkgs/logseq/default.nix +++ b/nix/pkgs/logseq/default.nix 
@@ -1,11 +1,4 @@ { lib -, pname ? "logseq" -, version ? "0.10.5" -, src ? fetchurl { - url = "https://github.com/logseq/logseq/releases/download/${ version}/logseq-linux-x64-${ version}.AppImage"; - hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBE="; - name = "${ pname}-${ version}.AppImage"; - } , stdenv , fetchurl , appimageTools 
@@ -14,67 +7,77 @@ , electron_27 , git , nix-update-script +, overrideSrc ? null }: -stdenv.mkDerivation - (finalAttrs: - let - inherit (finalAttrs) pname version src appimageContents; +stdenv.mkDerivation (finalAttrs: +let + inherit (finalAttrs) pname version src appimageContents; - in - { - inherit version pname src; +in +{ + pname = "logseq"; + version = "0.10.5"; - appimageContents = appimageTools.extract { - inherit pname src version; - }; + src = if overrideSrc != null then overrideSrc else + (fetchurl { + url = "https://github.com/logseq/logseq/releases/download/${version}/logseq-linux-x64-${version}.AppImage"; + hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBE="; + name = "${pname}-${version}.AppImage"; + }); - dontUnpack = true; - dontConfigure = true; - dontBuild = true; + appimageContents = appimageTools.extract { + inherit pname src version; + }; - nativeBuildInputs = [ makeWrapper ]; + dontUnpack = true; + dontConfigure = true; + dontBuild = true; - installPhase = '' - runHook preInstall + nativeBuildInputs = [ makeWrapper ]; - mkdir -p $out/bin $out/share/${pname} $out/share/applications - cp -a ${appimageContents}/{locales,resources} $out/share/${pname} - cp -a ${appimageContents}/Logseq.desktop $out/share/applications/${pname}.desktop + installPhase = '' + runHook preInstall - # remove the `git` in `dugite` because we want the `git` in `nixpkgs` + mkdir -p $out/bin $out/share/${pname} $out/share/applications + cp -a ${appimageContents}/{locales,resources} $out/share/${pname} + cp -a ${appimageContents}/Logseq.desktop $out/share/applications/${pname}.desktop + + # remove the `git` in `dugite` because we want the `git` in `nixpkgs` + if test -e $out/share/${pname}/resources/app/node_modules/dugite/git; then chmod +w -R $out/share/${pname}/resources/app/node_modules/dugite/git chmod +w $out/share/${pname}/resources/app/node_modules/dugite rm -rf $out/share/${pname}/resources/app/node_modules/dugite/git chmod -w 
$out/share/${pname}/resources/app/node_modules/dugite + fi - mkdir -p $out/share/pixmaps - ln -s $out/share/${pname}/resources/app/icons/logseq.png $out/share/pixmaps/${pname}.png + mkdir -p $out/share/pixmaps + ln -s $out/share/${pname}/resources/app/icons/logseq.png $out/share/pixmaps/${pname}.png - substituteInPlace $out/share/applications/${pname}.desktop \ - --replace Exec=Logseq Exec=${pname} \ - --replace Icon=Logseq Icon=${pname} + substituteInPlace $out/share/applications/${pname}.desktop \ + --replace Exec=Logseq Exec=${pname} \ + --replace Icon=Logseq Icon=${pname} - runHook postInstall - ''; + runHook postInstall + ''; - postFixup = '' - # set the env "LOCAL_GIT_DIRECTORY" for dugite so that we can use the git in nixpkgs - makeWrapper ${electron_27}/bin/electron $out/bin/${pname} \ - --set "LOCAL_GIT_DIRECTORY" ${git} \ - --add-flags $out/share/${pname}/resources/app \ - --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \ - --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc.lib ]}" - ''; + postFixup = '' + # set the env "LOCAL_GIT_DIRECTORY" for dugite so that we can use the git in nixpkgs + makeWrapper ${electron_27}/bin/electron $out/bin/${pname} \ + --set "LOCAL_GIT_DIRECTORY" ${git} \ + --add-flags $out/share/${pname}/resources/app \ + --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \ + --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc.lib ]}" + ''; - passthru.updateScript = nix-update-script { }; + passthru.updateScript = nix-update-script { }; - meta = { - description = "A local-first, non-linear, outliner notebook for organizing and sharing your personal knowledge base"; - homepage = "https://github.com/logseq/logseq"; - changelog = "https://github.com/logseq/logseq/releases/tag/${version}"; - license = lib.licenses.agpl3Plus; - maintainers = with 
lib.maintainers; [ ]; - platforms = [ "x86_64-linux" ]; - }; - }) + meta = { + description = "A local-first, non-linear, outliner notebook for organizing and sharing your personal knowledge base"; + homepage = "https://github.com/logseq/logseq"; + changelog = "https://github.com/logseq/logseq/releases/tag/${version}"; + license = lib.licenses.agpl3Plus; + maintainers = with lib.maintainers; [ ]; + platforms = [ "x86_64-linux" "aarch64-linux" ]; + }; +}) diff --git a/nix/pkgs/logseq/flake.nix b/nix/pkgs/logseq/flake.nix deleted file mode 100644 index 0ddb02e..0000000 --- a/nix/pkgs/logseq/flake.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ - inputs = { - utils.url = "github:numtide/flake-utils"; - # clj2nix.url = "github:hlolli/clj2nix"; - logseq.url = "github:logseq/logseq/0.5.9"; - }; - - outputs = { nixpkgs, self, utils }: utils.lib.eachDefaultSystem (system: - let - pkgs = import nixpkgs { inherit system; }; - # clj2nixBin = clj2nix.defaultPackage.${system}; - in - { - packages = pkgs.callPackage ./default.nix { inherit self; }; - nixpkgs = pkgs; - }); - -} diff --git a/secrets/zerotierone.txt b/secrets/zerotierone.txt index 347b737..9059ac3 100644 --- a/secrets/zerotierone.txt +++ b/secrets/zerotierone.txt 
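Review bot: `meta.platforms` now includes `aarch64-linux`, but when `overrideSrc` is null the `src` is still the x86_64 AppImage from the GitHub release, so an aarch64 evaluation without the override wraps an x86_64 payload with an aarch64 `electron_27` and only fails at run time. Either tie the platform list to the source — `platforms = [ "x86_64-linux" ] ++ lib.optional (overrideSrc != null) "aarch64-linux";` — or assert it in the fallback branch, `else assert stdenv.hostPlatform.isx86_64; fetchurl { … }`. Separately, `overrideSrc` bypasses the `hash` on the fetched AppImage entirely, so its declaration deserves a comment like `# caller must supply a fixed-output (hash-pinned) path; no integrity check happens here`. The derivation is spread over two hunks; the first one (`@@ -1,11 +1,4 @@`) only removes the old defaulted arguments.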
@@ -8,19 +8,47 @@ "age": [ { "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybUlwMVhVSTlxWjk0aXV1\nRkFKN0d2TWdTNGxFK1o3QitpTG5JN1FUNEVFCmRZdVYrSlJYbVF2NFlkRHBQNFgx\nM2dGOE5yaWl0VnJVU1MzNGJ1VUZYK1kKLS0tIEh4dkI2Vk9yUStHRlNzVUVPeWVB\nVmw0V0MxWWdudE1ONkszRSs5MEtUT28KkIW7Y+9AfxbPu1V0YoL5Brdv+2AaTAn0\nXmJmn8qwOtuyWRR3sJfDfkR2eW85mrMmhJnNa1aHg5lDQUGA/eqinQ==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva2lYMFY1V1piNlBpUURv\naWh3dHpaQXdqdzRCU2JIcHExbkhwZzhXd0JnCkFTMG5wVDNQVzNVUmo1cUh1TWtF\naHVTcGRpSDNxa1NHVDZvZWFpREdOcVEKLS0tIFVJSTdiZFBwTlJEMFowYnJqdjFr\nWDdKM2FGM0dQS1NZOTlZUGlOa2srV2cKr/EwcrbOw9vjmFp7OsEF6y0KxACs8NPM\nRYMKhnzd/6VFY5aK79V6JuMSOLaMT+AbQODg+R/iA3TNLev22Jfcvw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkOWsvenhWdC9ENVlXTXZi\ndWtJWWZUZGMyTzduMzFvK2M1NmFLZ1JwVFNFCkpTMDh6eWhwV0Fya0syRDhuWDlK\nV1lBbGNDbXUvNHB5MGMrS3R0b043YnMKLS0tIExXNXlsaUhsTUxGZGY5U2VRNXJr\nNjZmTU80QVZ1blFKd2dGandsVm42blEK/3uqLhxS16HU67wA0T0Y9uqb2WJI6dII\ndCktjLZcKKyGB+UXNyzDiRgMR4OKIvB0MjLIql2SZKt53OpkpytAbQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWlErYU5pUHJRdXlCRmZS\nNWlWalFDb0xFZFlrbkdXMG0zYXl1UjhmNUQwCmNCcWZPME8yOGcycnVRWXJxeFo3\nTHFuWHY5aXRxZERNU3duSzRsaFIreWMKLS0tIDRyWmFzeGN2YU9LNW9IWUZNWkVJ\nOTlYTlNteEU0REhmd3ovbGQ4Z09FakkKliCyJsTqsUD5t2vOfTigqA7WObfNCcsd\nt1Fs8vf/1tReWqF8V0f97lD2APgfqgg0hqWFcKkiGYBRWEJvBAj8Lw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8", + 
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRT0xzWEtNRHl3bFBZRGl2\nTlkyaWRGTHcxcDVqa012VUk1ZUVjREF2bGlJCmRBNkdzRmsxT2dFemJ6NFAxV1g5\nV2p2c09VKzNVSTJ0V2lheWNwMFlMdk0KLS0tIDZWMTBtaWZjcmRYMnhjY3VudlUz\nem10U1FzZ3p2VzZrRXZyRDFUTy92dkUKcM0Nh1/rQ/aoXHJ16QjZ0daxyaOIyzyx\nXbWDj0opTiYweKrL93P8MSQr8V5i2zVcxP7Gw/fZsWlCs26nBeK1xQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1ZVdzS2lONzg0eGJUei9X\nem9Nc1FhTm5XampHVjJieHJjOUczR09VNTFjCjBkejNlY0I3dEhYbzYvaTBsMDd5\ndjc0alpKNWF6YTVOczltTFRueWZBYXcKLS0tIFJTSThncVdhajhaNmdZTjRNQVFB\nTi93ejQ2bUsrVXl0eDRkbFE5UlhKUzQKg/cJKYzhq1YIBvvNx/N4F258WUnrmNMs\n2MnxrLk9a67AGciCynEMO02dpUXPWxgUkTSqOjRkkcA20x5Rpn4e6w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRUliYTB2MG1zUVU0ZWFM\nNUNEMUdha3ZSZ2dkYmZuVk96VjlUTVpWNkI0ClIyUFBZWFppTzJwbHhJaFhXWTBM\nT0pvVklqbE00aW9GMG4wWnFkZkNoQVkKLS0tIExoeTBBcjlsUkZyQkNrUW1zdXU2\nUytDNk9YOXNtU3hLUzdFQnlzQ1lJSjgK+64AJTx4ZjT4njl0Gr4Hk3ykljRTgaqO\nuOjLz/9Qy2rM3BcJzajhCU1pU4f1A0qDQRjoYj5+M9qW/NMbZt6Ujw==\n-----END AGE ENCRYPTED FILE-----\n" }, { "recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOGdQN0xOVzYvOFdzbUgy\ncStsYXdxUkY4OEJ5TGhVWitoQnpsSGYxS1VjCkhaYmxOOEh6eS8yeGViZjJZZ3o5\nUVBSYXFOSkJHQnB3aHVTeEk1VWNhblEKLS0tIG9NRTFpZFJlRUVYeHpVN2ljVngv\nRzJNZnZMRlJsL0F0eVIzcnhEbSszSGsKnK0SfJe7hQKyslklwvvFlBX9GjGWf6md\nl7AZLivBP67A0GbD2DztUaiS8NsPtlV899xqIH4/YUIIUGG9M2XHew==\n-----END AGE ENCRYPTED FILE-----\n" + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoWjJsQVpGQXhLdkh0UGtp\nUkZKa0hRblFHaHpVZm9MNnA2SnBIYVdLUDE4Cmkvbmx1aVBVMVFjdlBjU2JTNlVa\nYTQwdUF0ZHhzRGFIY2RUS1JmOVhCWE0KLS0tIGd0eHNOUmJ3T21jQ0QvRHlnOWRw\ndXBIVFdRQld3RmR3VWhpRS9XLy93ZzgKIcCl3r4Q+p1GqeMQmTQFDOhGDN1KE1Fl\npdx6QOkhZSVAux3YcbWNex7nDju5Meqhyhfe5l4YLJKnM5gs3efFcQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArazhNT3QzWFpXNTFmWVkr\nTklLei9RN1M1R0pVVTBZTUJkTDVvbzdWbG5zCmx0RVgwbG5IZXNvZUFkaWNzRW10\nKzdNTDZyaGZVNDg0MXR6aGpVQ3FOSEUKLS0tIHB2WnNHZStodXZJTElBV0ljWExy\nbFo2Q3RMRm5BNm1zcnNhdzRYbk5CcWMKsdK8OIVKidayA0LU1NF2pjHjTirVQ/MA\nS4yGouebH4YbFkHDpHbttv572Iw1mbZK0EVIbiJuYoGudb1w60ROIA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUU090RWZqSnpSaGFWcmVM\nQlRWckdLMk5Kd2E0dFVnSzZEcXBPNmkyTkVZCnNtekhvcUhYZG1RS0ZINVBNMU9L\nSHFqNlMxODdRbm5MOEw3UG9VM2NlVUUKLS0tIE5acnhENFNwR3JMc0s3N2g4dFBs\nR0FuSi94d3RUNFVWQ01uM3UyZW1tRDAKfIVF6+PE2iMC3m81wPoqH9LqL3MsK1WV\nslE4l1m04UL315vdAyPm3k9b+vkTGD4Fmeywsto7Am92/JCanlT7+g==\n-----END AGE ENCRYPTED FILE-----\n" } ], "lastmodified": "2023-07-01T20:19:12Z", "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", "pgp": [ { - "created_at": "2023-07-01T20:50:27Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nwcBMA0SHG/zF3227AQf+JijZCf20beuFsUX5Qjt9IVmeA1VG+iRiSncX6Q9NQWqc\nRlxZP3gZz9a/SQDaG3v7S0v5FBmbCScan2xrHSrJne6ljVkxlsiE4SE9Mq1wczF7\n0gdt1pnmjKMjhVVeG2jzNqL3bPGlhIBIIBB+Sv3FHftiXwfBYP5OJh9MTaokwj5/\ntd2x9LxBi6seH+RShrFk33wKJ3gMA2cF9aFEsbvmdXPHs91glwLD1NHN3vp0lGNX\nm4otFLZ0e36aqSVyAiwpoIgLwInZxtx6nnMWVk25s0fj+fKfgnHE3RNh9BntQ19d\nZDpQn7b2DqrKozUnycwpPRojPkmaqpom5XmbuurrA9JRAQYWSmeOuJXUBfZclzLJ\nERYPWDJIN7bmYPFoMkZ2YdV/GCin6lwFfl6u74VAkpU+AMgB+0c51nEHZcO5UaWT\nLRcMPADwjmk35oiltQYOvOpm\n=CGsu\n-----END PGP MESSAGE-----", + "created_at": "2024-01-24T22:48:30Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf9H8VPhApFkYZi72afxgtHIqclNN4BPuSEhYQYR0m2tvm+\nj0sa3ehI6frkH8KxCtgXgaVB+74yWe+JeVnWRZUk1nIm+q0kuN+0Kn5+YQW0iYuv\n3z34VCw938Gebz57BLaWZTcns3xur+Ug3a+fjyjsKW7w90aP2Q7V2qp9AgxxsN1U\nl9Z1RXHlIUS1CGqA8py2mIkgvlK0WHiYRXsqdRvJh1jdUvzkJjYSpgz4Kj7pyyte\nvXIB4HckW6Fjn6Nlfeyzt6Ka9NziX7EAFlBs/8U8QvkX8AizCxuTwwB9n5rbRxb3\nDjXbgckkkKHc2nEx3xSRe7vh1cfQhTU/TNTuZI3GcNJeAVD89dwR7hhkqFzkanw+\n3hVV1mbDNIDA2fCfxiDLvBDYq8jhaMosAIrwO5TcXEm1PeEuRx1mDEjHsthwmOad\nEJNSBWKGzd13r23WlPRjdeCUF0YSnNFbhM0rwLlLdA==\n=5GJ1\n-----END PGP MESSAGE-----", "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" } ], From a384026025d8576b50f693617f5ce8a7e41c4566 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 28 Jan 2024 17:49:13 +0100 Subject: [PATCH 23/42] home-manager(vscode): use OSS vscodium --- nix/home-manager/programs/vscode/default.nix | 30 +++++++++++++------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index 6213e55..417db07 100644 --- a/nix/home-manager/programs/vscode/default.nix +++ b/nix/home-manager/programs/vscode/default.nix 
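Review bot: The age recipient `age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv` now appears twice in the `age` list: the existing entry is re-encrypted and an identical recipient is appended as a new entry, so the new host is being granted the same decryption identity as a host that already had access instead of a key of its own. A shared age identity means the secret cannot be rotated away from one host without the other, and a compromise of either host exposes everything encrypted to that key. Generate a distinct identity for the new host, point the sops creation rules at it, and run `sops updatekeys` so the file carries one entry per host. The `pgp` block is otherwise updated consistently with the new `created_at`.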
@@ -1,14 +1,17 @@ -{pkgs, ...}: let - marketPlaceExtensions = - pkgs.vscode-utils.extensionsFromVscodeMarketplace [ - ]; -in { +{ pkgs, nodeFlake, ... }: +{ programs.vscode = { enable = true; - # package = pkgs.vscodium; - extensions = with pkgs.vscode-extensions; + package = pkgs.vscodium; + extensions = [ + # TODO: how can i install (this) vsix(s) directly? + # (builtins.fetchurl { + # # https://open-vsx.org/extension/jeanp413/open-remote-ssh + # url = "https://open-vsx.org/api/jeanp413/open-remote-ssh/0.0.45/file/jeanp413.open-remote-ssh-0.0.45.vsix"; + # sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2"; + # }) + ] ++ (with pkgs.vscode-extensions; [ - ms-vscode-remote.remote-ssh bbenoist.nix eamodio.gitlens mkhl.direnv @@ -16,17 +19,22 @@ in { tomoki1207.pdf vscodevim.vim + ms-vscode.theme-tomorrowkit + nonylene.dark-molokai-theme + # TODO: these are not in nixpkgs # fredwangwang.vscode-hcl-format # hashicorp.hcl # mindaro-dev.file-downloader # ms-vscode.remote-explorer - ] - ++ marketPlaceExtensions; + + # TODO: not compatible with vscodium + # ms-vscode-remote.remote-ssh + ]); mutableExtensionsDir = true; }; - home.packages = [pkgs.nixpkgs-fmt pkgs.alejandra]; + home.packages = [ pkgs.nixpkgs-fmt pkgs.alejandra ]; } # TODO: automate ### original list: From 438793db87609a68c0d6dc84e54185eeee1e556a Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 28 Jan 2024 18:17:43 +0100 Subject: [PATCH 24/42] fix duplicate luks name between x13s and x13s-rmvbl --- nix/os/devices/steveej-x13s-rmvbl/configuration.nix | 10 +++------- nix/os/devices/steveej-x13s-rmvbl/default.nix | 5 ----- nix/os/devices/steveej-x13s/default.nix | 3 --- nix/os/devices/steveej-x13s/disko.nix | 2 +- 4 files changed, 4 insertions(+), 16 deletions(-) diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix index cfbf501..fd8e1c1 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix 
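Review bot: `nodeFlake` is added to the module argument set on the first line of this hunk (`{ pkgs, nodeFlake, ... }:`) but neither hunk of the file references it; if the remainder of the file does not use it either, the binding is dead surface that implies a dependency the module does not have, and the line should read `{ pkgs, ... }:`. The commented-out `builtins.fetchurl` block for the open-vsx vsix keeps a fixed `sha256`, which is the right shape should it ever be re-enabled.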
+++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix @@ -11,12 +11,8 @@ { imports = [ - { - users.commonUsers = { - enable = true; - enableNonRoot = true; - installPassword = "install"; - }; - } + ../steveej-x13s/configuration.nix ]; + + users.commonUsers.installPassword = "install"; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix index 0ccb5dc..e7a5794 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/default.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/default.nix @@ -20,17 +20,12 @@ }; ${nodeName} = { - deployment.targetHost = "${nodeName}.${localDomainName}"; deployment.replaceUnknownProfiles = true; deployment.allowLocalDeployment = true; - # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - - nodeFlake.inputs.home-manager.nixosModules.home-manager ]; networking.hostName = nodeName; diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix index 545dde3..fc3933e 100644 --- a/nix/os/devices/steveej-x13s/default.nix +++ b/nix/os/devices/steveej-x13s/default.nix @@ -22,7 +22,6 @@ }; ${nodeName} = { - deployment.targetHost = "${nodeName}.${localDomainName}"; deployment.replaceUnknownProfiles = true; deployment.allowLocalDeployment = true; @@ -32,7 +31,5 @@ imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; - - networking.hostName = nodeName; }; } diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix index 5abf297..39eb9e1 100644 --- a/nix/os/devices/steveej-x13s/disko.nix +++ b/nix/os/devices/steveej-x13s/disko.nix @@ -23,7 +23,7 @@ size = "100%"; content = { type = "luks"; - name = "x13s-usb-crypt"; + name = "x13s-nvme-crypt"; extraOpenArgs = [ ]; # disable settings.keyFile if you want to use interactive password entry #passwordFile = "/tmp/secret.key"; # Interactive 
From d97da5b9ac056b11e1592e1e517c9bc5810e67f9 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 28 Jan 2024 21:18:08 +0100 Subject: [PATCH 25/42] steveej-x13s-rmvbl: boring setup with copying the whole x13s flake --- flake.nix | 3 +- .../steveej-x13s-rmvbl/configuration.nix | 134 +++++++++++++++++- nix/os/devices/steveej-x13s-rmvbl/default.nix | 6 +- nix/os/devices/steveej-x13s-rmvbl/flake.lock | 58 ++++++++ nix/os/devices/steveej-x13s-rmvbl/flake.nix | 96 +++++++------ nix/os/devices/steveej-x13s/flake.nix | 49 ++++--- nix/os/profiles/common/user.nix | 2 +- 7 files changed, 281 insertions(+), 67 deletions(-) diff --git a/flake.nix b/flake.nix index 0931bc3..46ae21a 100644 --- a/flake.nix +++ b/flake.nix @@ -139,6 +139,7 @@ }) [ "steveej-t14" "steveej-x13s" + "steveej-x13s-rmvbl" # "elias-e525" # "justyna-p300" @@ -186,7 +187,7 @@ , lib , pkgs , ... - }: rec { + }: { imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix index fd8e1c1..6e902e6 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix 
@@ -10,9 +10,139 @@ }: { + nixos-x13s = { + enable = true; + # TODO: use hardware address + bluetoothMac = "65:9e:7a:8b:86:28"; + }; + + systemd.services.bluetooth-mac = { + enable = true; + path = [ + pkgs.systemd + pkgs.util-linux + pkgs.bluez5-experimental + pkgs.expect + ]; + script = '' + # TODO: this may not be required + while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do + echo Waiting for bluetooth firmware to complete + echo sleep 1 + done + + ( + # best effort + set +e + rfkill block bluetooth + echo $? + btmgmt public-addr ${config.nixos-x13s.bluetoothMac} + echo $? + rfkill unblock bluetooth + echo $? + ) + ''; + requiredBy = [ "bluetooth.service" ]; + before = [ "bluetooth.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + + # we need a tty, otherwise btmgmt will hang + StandardInput = "tty"; + TTYPath = "/dev/tty2"; + TTYReset = "yes"; + TTYVHangup = "yes"; + }; + }; + imports = [ - ../steveej-x13s/configuration.nix + nodeFlake.inputs.nixos-x13s.nixosModules.default + + repoFlake.inputs.sops-nix.nixosModules.sops + nodeFlake.inputs.disko.nixosModules.disko + ./disko.nix + + ../../snippets/nix-settings.nix + ../../profiles/common/user.nix + + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + services.openssh.openFirewall = true; + + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + users.commonUsers = { + enable = true; + enableNonRoot = true; + }; + } + + + ../../snippets/home-manager-with-zsh.nix + ../../snippets/sway-desktop.nix + ../../snippets/bluetooth.nix + ../../snippets/timezone.nix + ../../snippets/radicale.nix ]; - users.commonUsers.installPassword = "install"; + networking.hostName = nodeName; + networking.firewall.enable = true; + networking.networkmanager.enable = true; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = [ + pkgs.sshfs + pkgs.util-linux + 
pkgs.coreutils + pkgs.vim + + pkgs.git + pkgs.git-crypt + ]; + + system.stateVersion = "23.11"; + home-manager.users.root = _: { + home.stateVersion = "23.11"; + }; + home-manager.users.steveej = _: { + home.stateVersion = "23.11"; + + imports = [ + ../../../home-manager/configuration/graphical-fullblown.nix + ]; + + home.sessionVariables = { }; + + home.packages = with pkgs; [ + ]; + + # TODO: currently unsupported + services.gammastep.enable = lib.mkForce false; + # programs.chromium.enable = lib.mkForce false; + }; + + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = lib.mkForce false; + loader.efi.efiSysMountPoint = "/boot"; + blacklistedKernelModules = [ "wwan" ]; + }; + + # see https://linrunner.de/tlp/ + services.tlp = { + enable = true; + settings = { + START_CHARGE_THRESH_BAT0 = "80"; + STOP_CHARGE_THRESH_BAT0 = "85"; + }; + }; + + # android on linux + virtualisation.waydroid.enable = true; + virtualisation.podman.enable = true; + virtualisation.podman.dockerCompat = true; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix index e7a5794..fc3933e 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/default.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/default.nix @@ -1,6 +1,7 @@ { system ? "aarch64-linux" , nodeName , repoFlake +, repoFlakeWithSystem , nodeFlake , localDomainName ? "internal" , ... @@ -9,6 +10,7 @@ inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); inherit localDomainName; }; @@ -24,10 +26,10 @@ deployment.replaceUnknownProfiles = true; deployment.allowLocalDeployment = true; + # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; + imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; - - networking.hostName = nodeName; }; } 
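Review bot: The inline module in `imports` sets `services.openssh.settings.PermitRootLogin = "yes"` next to `services.openssh.openFirewall = true`, which permits password-based root logins over SSH on every interface, and this node's flake sets `users.commonUsers.installPassword = "install"` for its `native` output, so the removable image boots with a published password and sshd reachable; at minimum use `services.openssh.settings.PermitRootLogin = "prohibit-password";` and `services.openssh.settings.PasswordAuthentication = false;`, confining any exception to the install-only module. Whether `installPassword` also applies to root is decided in `user.nix`, outside this hunk. Separately, the `bluetooth-mac` wait loop runs `echo sleep 1` rather than `sleep 1`, so until the journal line appears it re-runs `journalctl -b0 | grep` without any pause; the line should read `sleep 1`. The enclosing attribute set starts before this hunk.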
diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.lock b/nix/os/devices/steveej-x13s-rmvbl/flake.lock index 6fc6701..dcc457f 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.lock +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.lock @@ -19,6 +19,24 @@ "type": "indirect" } }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1704982712, + "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "get-flake": { "locked": { "lastModified": 1694475786, @@ -71,6 +89,27 @@ "type": "github" } }, + "nixos-x13s": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1706097550, + "narHash": "sha256-rR4HMpUlT7SbVPxQIvWH0DsxaEQcjTLqLrst2xoT1CY=", + "ref": "refs/heads/main", + "rev": "732a0f1549996740bdb06989599a5f0653de5056", + "revCount": 6, + "type": "git", + "url": "https://codeberg.org/steveej/nixos-x13s" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/steveej/nixos-x13s" + } + }, "nixpkgs": { "locked": { "lastModified": 1705916986, @@ -103,6 +142,24 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1703961334, + "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-unstable-small": { "locked": { "lastModified": 1706022028, 
@@ -125,6 +182,7 @@ "get-flake": "get-flake", "home-manager": "home-manager", "mobile-nixos": "mobile-nixos", + "nixos-x13s": "nixos-x13s", "nixpkgs": "nixpkgs", "nixpkgs-2211": "nixpkgs-2211", "nixpkgs-unstable-small": "nixpkgs-unstable-small" diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix index 9a6bcba..cf5a06e 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix @@ -3,7 +3,7 @@ { nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - # requires for home-manager modules + # required for home-manager modules nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; @@ -18,6 +18,9 @@ url = "github:nix-community/home-manager/release-23.11"; inputs.nixpkgs.follows = "nixpkgs"; }; + + nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s"; + nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; }; outputs = 
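Review bot: `nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s";` tracks the default branch of an input that supplies the hardware module and the firmware this host loads into its initrd (`nixosModules.default` and `packages.${system}."x13s/extra-firmware"` in configuration.nix), and nothing but the lock file pins what that URL resolves to, so a routine `nix flake update` silently moves it to whatever is on `main`. Pin it with an explicit `?rev=` query so a change of that input is a reviewed diff to flake.nix rather than a lock-file side effect; the later commit in this series that repoints the URL at a different owner's fork is exactly the kind of trust-root change that should surface that way. The lock entry added in the previous hunk records `rev` and `narHash`, so builds remain reproducible in the meantime.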
@@ -27,51 +30,60 @@ , ... }: let - targetPlatform = "aarch64-linux"; + system = "aarch64-linux"; buildPlatform = "x86_64-linux"; - nodeName = "steveej-x13s-rmvbl"; - - x13s-flake = get-flake ../steveej-x13s; - - mkNixosConfiguration = { extraModules ? [ ], ... } @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs - { - specialArgs = (import ./default.nix { - system = targetPlatform; - inherit nodeName; - - repoFlake = get-flake ../../../..; - - # TODO: double-check if this hack doesn't have negative side-effects - # the reason for it is so that `nodeFlake.inputs.nixos-x13s.nixosModules.default` in the module is found - nodeFlake = x13s-flake; - }).meta.nodeSpecialArgs.${nodeName}; - - modules = - [ - ../steveej-x13s/configuration.nix - ./configuration.nix - ] - ++ extraModules; - } - ); + repoFlake = get-flake ../../../..; in { - nixosConfigurations = { - native = mkNixosConfiguration { - system = targetPlatform; - }; + lib = { + mkNixosConfiguration = { nodeName, extraModules ? [ ], ... 
} @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs + { + specialArgs = (import ./default.nix { + inherit system; + inherit nodeName repoFlake; - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = targetPlatform; - } - ]; - }; + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; + + modules = + [ + # repoFlake.nixosModules.hardware-x13s + ] + ++ extraModules; + } + ); }; + + nixosConfigurations = + let + nodeName = "steveej-x13s-rmvbl"; + in + { + native = self.lib.mkNixosConfiguration { + inherit system nodeName; + extraModules = [ + ./configuration.nix + + { + users.commonUsers.installPassword = "install"; + } + ]; + }; + + cross = self.lib.mkNixosConfiguration { + inherit nodeName; + extraModules = [ + ./configuration.nix + + { + nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = system; + } + ]; + }; + }; }; } diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix index 9f10331..6220ebb 100644 --- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s/flake.nix @@ -3,7 +3,7 @@ { nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - # requires for home-manager modules + # required for home-manager modules nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; @@ -32,10 +32,9 @@ let targetPlatform = "aarch64-linux"; buildPlatform = "x86_64-linux"; - nodeName = "steveej-x13s"; repoFlake = get-flake ../../../..; - mkNixosConfiguration = { extraModules ? [ ], ... } @ attrs: + mkNixosConfiguration = { nodeName, extraModules ? [ ], ... } @ attrs: nixpkgs.lib.nixosSystem ( nixpkgs.lib.attrsets.recursiveUpdate attrs 
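Review bot: `users.commonUsers.installPassword = "install";` is set only in the `native` configuration, while `cross` builds the same `./configuration.nix` without it, so the two outputs for one node differ in whether a well-known password (and, via `user.nix`, mutable users) ends up on the image. If the asymmetry is intentional it deserves a comment beside the `native` block; if not, the setting belongs in both `extraModules` lists or in neither. The enclosing `outputs` function starts before this hunk.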
@@ -50,28 +49,40 @@ modules = [ # repoFlake.nixosModules.hardware-x13s - - - ./configuration.nix ] ++ extraModules; } ); in { - nixosConfigurations = { - native = mkNixosConfiguration { - system = targetPlatform; - }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = targetPlatform; - } - ]; - }; + lib = { + inherit mkNixosConfiguration; }; + + nixosConfigurations = + let + nodeName = "steveej-x13s"; + in + { + native = mkNixosConfiguration { + inherit nodeName; + system = targetPlatform; + extraModules = [ + ./configuration.nix + ]; + }; + + cross = mkNixosConfiguration { + inherit nodeName; + extraModules = [ + ./configuration.nix + + { + nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = targetPlatform; + } + ]; + }; + }; }; } diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index 0df5e5f..1b6afbd 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix @@ -61,7 +61,7 @@ in }) { - users.mutableUsers = lib.mkForce false; + users.mutableUsers = cfg.installPassword != ""; users.users.root = lib.mkMerge [ { From 80863e1bdf981f61bc4303ae31f5f0747e5d1d28 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Sun, 28 Jan 2024 21:54:43 +0100 Subject: [PATCH 26/42] x13s-rmvbl: attempt to load msm with firmware --- nix/os/devices/steveej-x13s-rmvbl/configuration.nix | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix index 6e902e6..eae1137 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix 
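Review bot: `users.mutableUsers = cfg.installPassword != "";` drops the `lib.mkForce` the removed line carried, so the definition now has ordinary priority and any other module that defines `users.mutableUsers` will conflict with or override it instead of yielding to this profile; if the profile is still meant to be authoritative, write `users.mutableUsers = lib.mkForce (cfg.installPassword != "");`. With an install password set this also makes users mutable, which in NixOS turns declared passwords into initial values only, so a note at this line stating that the mutable mode is intended solely for install media would help the next reader. The enclosing attribute set starts before this hunk.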
@@ -130,6 +130,17 @@ loader.efi.canTouchEfiVariables = lib.mkForce false; loader.efi.efiSysMountPoint = "/boot"; blacklistedKernelModules = [ "wwan" ]; + + initrd.kernelModules = [ + "phy_qcom_qmp_usb" + "uas" + + "msm" + ]; + + initrd.extraFiles = { + "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; + }; }; # see https://linrunner.de/tlp/ From b3434c5ebbe834a7bbe9686da62b796f4f34845c Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Tue, 30 Jan 2024 10:11:09 +0100 Subject: [PATCH 27/42] nix/os/devices/steveej-x13s: bump versions --- nix/os/devices/steveej-x13s/flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock index dcc457f..235cad5 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1705890365, - "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=", + "lastModified": 1706491084, + "narHash": "sha256-eaEv+orTmr2arXpoE4aFZQMVPOYXCBEbLgK22kOtkhs=", "owner": "nix-community", "repo": "disko", - "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9", + "rev": "f67ba6552845ea5d7f596a24d57c33a8a9dc8de9", "type": "github" }, "original": { @@ -112,11 +112,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705916986, - "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", + "lastModified": 1706373441, + "narHash": "sha256-S1hbgNbVYhuY2L05OANWqmRzj4cElcbLuIkXTb69xkk=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", + "rev": "56911ef3403a9318b7621ce745f5452fb9ef6867", "type": "github" }, "original": { 
@@ -162,11 +162,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1706022028, - "narHash": "sha256-F8Gv4R4K/AvS3+6pWd8wlnw4Vhgf7bcszy7i8XPbzA0=", + "lastModified": 1706547092, + "narHash": "sha256-Gs3RWi83YRmQFnEKDI2vK5XWTOpUK21uDHH/GEMWIio=", "owner": "nixos", "repo": "nixpkgs", - "rev": "15ff1758e7816331033baa14eebbea68626128f3", + "rev": "8131c739ff0b40820a7d7888666dbf6e43809233", "type": "github" }, "original": { From 9a9c912b777d29c7538f350f8bd673cd8a8deb2d Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Tue, 30 Jan 2024 14:14:49 +0100 Subject: [PATCH 28/42] steveej-x13s: switch to adamcstephens' repo --- nix/os/devices/steveej-x13s/flake.lock | 12 ++++++------ nix/os/devices/steveej-x13s/flake.nix | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock index 235cad5..ca29fcd 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s/flake.lock @@ -97,17 +97,17 @@ ] }, "locked": { - "lastModified": 1706097550, - "narHash": "sha256-rR4HMpUlT7SbVPxQIvWH0DsxaEQcjTLqLrst2xoT1CY=", + "lastModified": 1706542645, + "narHash": "sha256-XIxV5qw9cfAfRZfuw6J/GBhJxiSCQ37fnu7ZaF3Vk58=", "ref": "refs/heads/main", - "rev": "732a0f1549996740bdb06989599a5f0653de5056", - "revCount": 6, + "rev": "769c31de6af3ddc9853e388b31af8faba01709b7", + "revCount": 9, "type": "git", - "url": "https://codeberg.org/steveej/nixos-x13s" + "url": "https://codeberg.org/adamcstephens/nixos-x13s" }, "original": { "type": "git", - "url": "https://codeberg.org/steveej/nixos-x13s" + "url": "https://codeberg.org/adamcstephens/nixos-x13s" } }, "nixpkgs": { diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix index 6220ebb..941ddd6 100644 --- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s/flake.nix 
@@ -19,7 +19,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s"; + nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s"; nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; }; From ff8798830331a74c7a92de5fdde4ea76c7d8e093 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 31 Jan 2024 08:28:54 +0100 Subject: [PATCH 29/42] nix/os/devices/steveej-x13s: bump versions --- nix/os/devices/steveej-x13s/flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock index ca29fcd..2be1c5a 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s/flake.lock @@ -112,11 +112,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706373441, - "narHash": "sha256-S1hbgNbVYhuY2L05OANWqmRzj4cElcbLuIkXTb69xkk=", + "lastModified": 1706515015, + "narHash": "sha256-eFfY5A7wlYy3jD/75lx6IJRueg4noE+jowl0a8lIlVo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "56911ef3403a9318b7621ce745f5452fb9ef6867", + "rev": "f4a8d6d5324c327dcc2d863eb7f3cc06ad630df4", "type": "github" }, "original": { @@ -162,11 +162,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1706547092, - "narHash": "sha256-Gs3RWi83YRmQFnEKDI2vK5XWTOpUK21uDHH/GEMWIio=", + "lastModified": 1706631780, + "narHash": "sha256-prq+Rk/1drYmoG5Xm/ttzyYux2NNn5ZGX0Lt3j69VBo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8131c739ff0b40820a7d7888666dbf6e43809233", + "rev": "d3c09ae008dbb08a238aadfad70d5a168bc63e29", "type": "github" }, "original": { From 7f1d80176ed91d1e6ae3b950019a1c3d86452e2c Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 31 Jan 2024 09:42:16 +0100 Subject: [PATCH 30/42] fmt(espanso) --- nix/home-manager/programs/espanso.nix | 116 +++++++++++++------------- 1 file changed, 59 insertions(+), 57 deletions(-) 
diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix index 23f727a..439ced1 100644 --- a/nix/home-manager/programs/espanso.nix +++ b/nix/home-manager/programs/espanso.nix @@ -1,4 +1,4 @@ -{pkgs, ...}: { +{ pkgs, ... }: { services.espanso = { # package = pkgs.espanso.overrideAttrs(_: { # # src = 
@@ -10,64 +10,66 @@ # backend = "Clipboard"; }; }; - matches = let - playerctl = '' - ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; - in { - default = { - matches = [ - { - trigger = ":vpos"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeScript "espanso" '' - #! ${pkgs.python3}/bin/python - import subprocess, os, math, datetime + matches = + let + playerctl = '' + ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; + in + { + default = { + matches = [ + { + trigger = ":vpos"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeScript "espanso" '' + #! ${pkgs.python3}/bin/python + import subprocess, os, math, datetime - id=str(os.getuid()) - result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) - result.check_returncode() + id=str(os.getuid()) + result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) + result.check_returncode() - position_secs = math.trunc(float(result.stdout)) - position_human = datetime.timedelta(seconds=position_secs) - print("%s - %s" % (position_human, position_secs)) - '') - ]; - }; - } - ]; - } - { - trigger = ":vtit"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeShellScript "espanso" - "${playerctl} metadata title") - ]; - }; - } - ]; - } - { - trigger = ":dunno"; - replace = "¯\\_(ツ)_/¯"; - } - { - trigger = ":shrug"; - replace = "¯\\_(ツ)_/¯"; - } - ]; + position_secs = math.trunc(float(result.stdout)) + position_human = 
datetime.timedelta(seconds=position_secs) + print("%s - %s" % (position_human, position_secs)) + '') + ]; + }; + } + ]; + } + { + trigger = ":vtit"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeShellScript "espanso" + "${playerctl} metadata title") + ]; + }; + } + ]; + } + { + trigger = ":dunno"; + replace = "¯\\_(ツ)_/¯"; + } + { + trigger = ":shrug"; + replace = "¯\\_(ツ)_/¯"; + } + ]; + }; }; - }; }; } From 8d23a787f17872d14b74b4e16d3f4f089dc79c12 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 31 Jan 2024 09:42:30 +0100 Subject: [PATCH 31/42] graphical-fullblown: enable espanso --- nix/home-manager/configuration/graphical-fullblown.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 7564c35..750140a 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -25,7 +25,7 @@ in ../programs/gpg-agent.nix ../programs/pass.nix - # ../programs/espanso.nix + ../programs/espanso.nix ../programs/firefox.nix ../programs/chromium.nix From 4716db6785f8918462b88883b74faa1171bb0748 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 1 Feb 2024 15:50:46 +0100 Subject: [PATCH 32/42] nix/os/devices/steveej-x13s: bump versions --- nix/os/devices/steveej-x13s/flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock index 2be1c5a..de39467 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s/flake.lock 
@@ -162,11 +162,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1706631780, - "narHash": "sha256-prq+Rk/1drYmoG5Xm/ttzyYux2NNn5ZGX0Lt3j69VBo=", + "lastModified": 1706672657, + "narHash": "sha256-API05c0SDZrmzz1wpqt/K3iCwlaOqDeDfZGp0YGQnek=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d3c09ae008dbb08a238aadfad70d5a168bc63e29", + "rev": "632751bf0ceeefc74af7a9d2335ea923ad9c831a", "type": "github" }, "original": { From 40a165d54183615fd82a06b9c09241505cdf5f48 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 1 Feb 2024 21:46:57 +0100 Subject: [PATCH 33/42] nix/os/devices/steveej-x13s: bump versions --- nix/os/devices/steveej-x13s/flake.lock | 12 ++++++------ nix/os/devices/steveej-x13s/flake.nix | 1 + 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock index de39467..493b409 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s/flake.lock @@ -112,11 +112,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1706515015, - "narHash": "sha256-eFfY5A7wlYy3jD/75lx6IJRueg4noE+jowl0a8lIlVo=", + "lastModified": 1706718339, + "narHash": "sha256-S+S97c/HzkO2A/YsU7ZmNF9w2s7Xk6P8dzmfDdckzLs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f4a8d6d5324c327dcc2d863eb7f3cc06ad630df4", + "rev": "53fbe41cf76b6a685004194e38e889bc8857e8c2", "type": "github" }, "original": { @@ -162,11 +162,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1706672657, - "narHash": "sha256-API05c0SDZrmzz1wpqt/K3iCwlaOqDeDfZGp0YGQnek=", + "lastModified": 1706768163, + "narHash": "sha256-mSQ/t2+AriQCxsHHDJ/2uJGMnUzjZLKFVYImln05JPs=", "owner": "nixos", "repo": "nixpkgs", - "rev": "632751bf0ceeefc74af7a9d2335ea923ad9c831a", + "rev": "32cf02a2607143d94c565c068b73fe45fd57c3a0", "type": "github" }, "original": { diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix index 941ddd6..0201bb9 100644 
--- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s/flake.nix @@ -19,6 +19,7 @@ inputs.nixpkgs.follows = "nixpkgs"; }; + # nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s?rev=5044811f7804e7cf83923908d1b35322f34fb3fc"; # 6.7.0-1 nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s"; nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; }; From 9e251bed9e55e156752f72ee1fc59a47b91140a0 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 7 Feb 2024 11:08:26 +0100 Subject: [PATCH 34/42] update toplevel and nixos-x13s --- flake.lock | 197 ++++++++++++------------- flake.nix | 10 +- nix/os/devices/steveej-x13s/flake.lock | 20 +-- 3 files changed, 107 insertions(+), 120 deletions(-) diff --git a/flake.lock b/flake.lock index 4cd0d25..08892be 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "adamcstephens_stop-export": { "flake": false, "locked": { - "lastModified": 1705876512, - "narHash": "sha256-nvBqLyi8dMQf3xnROwEcUv4iqV55Mr8S8OGYepu14i4=", + "lastModified": 1706405938, + "narHash": "sha256-L+MeX7m78uM09h/7b0jtyGOlgJC1ETQHCBphcJRa5V0=", "ref": "refs/heads/main", - "rev": "388684db5b529bbd6f3e948cf175df089eb09766", - "revCount": 14, + "rev": "823b14873da7cc0a8a6bf37eaab71d10863272d3", + "revCount": 16, "type": "git", "url": "https://codeberg.org/adamcstephens/stop-export.git" }, @@ -16,23 +16,6 @@ "url": "https://codeberg.org/adamcstephens/stop-export.git" } }, - "alsa-ucm-conf": { - "flake": false, - "locked": { - "lastModified": 1705501566, - "narHash": "sha256-Nyr7tjH5VBjocvaKaHCiK+zsjThYBtcr936aRWCBBpM=", - "owner": "alsa-project", - "repo": "alsa-ucm-conf", - "rev": "e87dde51d68950537f92af955ad0633437cc419a", - "type": "github" - }, - "original": { - "owner": "alsa-project", - "ref": "master", - "repo": "alsa-ucm-conf", - "type": "github" - } - }, "aphorme_launcher": { "flake": false, "locked": { 
@@ -77,11 +60,11 @@ "stable": "stable" }, "locked": { - "lastModified": 1699171528, - "narHash": "sha256-ZsN6y+tgN5w84oAqRQpMhIvQM39ZNSZoZvn2AK0QYr4=", + "lastModified": 1706509311, + "narHash": "sha256-QQKQ6r3CID8aXn2ZXZ79ZJxdCOeVP+JTnOctDALErOw=", "owner": "zhaofengli", "repo": "colmena", - "rev": "665603956a1c3040d756987bc7a810ffe86a3b15", + "rev": "c84ccd0a7a712475e861c2b111574472b1a8d0cd", "type": "github" }, "original": { @@ -97,11 +80,11 @@ ] }, "locked": { - "lastModified": 1703439018, - "narHash": "sha256-VT+06ft/x3eMZ1MJxWzQP3zXFGcrxGo5VR2rB7t88hs=", + "lastModified": 1707075082, + "narHash": "sha256-PUplk5F5jlIyofxqn/xEDN9pbjrd0tnkd0pDsZ52db0=", "owner": "ipetkov", "repo": "crane", - "rev": "afdcd41180e3dfe4dac46b5ee396e3b12ccc967a", + "rev": "7d5b46c17d857ee9ddb2e8d88185729a3e5637b6", "type": "github" }, "original": { @@ -156,11 +139,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1704176544, - "narHash": "sha256-A6PfA1DB6cF3cQerysGK8zIumGTrXucdHoFRU+8H7Lc=", + "lastModified": 1706941198, + "narHash": "sha256-t6/qloMYdknVJ9a3QzjylQIZnQfgefJ5kMim50B7dwA=", "owner": "nix-community", "repo": "fenix", - "rev": "54df821cae7bd492a049ef213336810247128110", + "rev": "28dbd8b43ea328ee708f7da538c63e03d5ed93c8", "type": "github" }, "original": { @@ -205,11 +188,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", "type": "github" }, "original": { 
@@ -261,6 +244,27 @@ "type": "github" } }, + "flake-parts_4": { + "inputs": { + "nixpkgs-lib": [ + "srvos", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1659877975, @@ -281,11 +285,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1705309234, + "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", "type": "github" }, "original": { @@ -327,11 +331,11 @@ "jay": { "flake": false, "locked": { - "lastModified": 1698077919, - "narHash": "sha256-X4bMOBS2WFcbiOiynvSId1XoWgQW3wbO7/atJ9V7buk=", + "lastModified": 1707233644, + "narHash": "sha256-VMbqnbhmevlWjVaabBgwB62CKQay6LrTyQ7XvDv/lC0=", "owner": "mahkoh", "repo": "jay", - "rev": "b4d73064d9c112c69ff16200231145ccffcb3e81", + "rev": "e7709f695f3cfcf9bb9e857cb488f0c7f269d719", "type": "github" }, "original": { @@ -346,11 +350,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1704024543, - "narHash": "sha256-hmKcKSuTqVK47l2G0PkLAinZN1oCOb6XdPPJhNCQ2rg=", + "lastModified": 1707048513, + "narHash": "sha256-gZh1mHkjtOmXrlgWWdl6G27NlKuNuruz1lOnhgmg1Nk=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "4608880f02f8f868e1b7f85c60abdfc5cb0cf9ec", + "rev": "83a014ca34f5cf6ef441b760e12d503856f20b35", "type": "github" }, "original": { 
@@ -362,11 +366,11 @@ "linux_x13s": { "flake": false, "locked": { - "lastModified": 1705680516, - "narHash": "sha256-NjCuPYjYHBJcoJR1ZaWQ9sRh0VpY2Y0hawkbUBRfCvk=", + "lastModified": 1706261399, + "narHash": "sha256-NJSN4j2VbFIPerb/bFqmaYbcHjxF3u6lijuXpC0USYo=", "owner": "jhovold", "repo": "linux", - "rev": "bac95eabe6577faa2773cbe7e91c34fd17ab79a0", + "rev": "b929f8eed9ad1f156cae932dea741bc4383e6367", "type": "github" }, "original": { @@ -396,11 +400,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1703466376, - "narHash": "sha256-Wy8iF8u5KSzrTxg1hStTBmUjzzKdKyCyMOg8b/eTvVQ=", + "lastModified": 1705242886, + "narHash": "sha256-TLj334vRwFtSym3m+NnKcNCnKKPNoTC/TDZL40vmOso=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "64104a3c55593c903af78af86a4c9d2e5487a2d7", + "rev": "6b03a93296faf174b97546fd573c8b379f523a8d", "type": "github" }, "original": { @@ -443,11 +447,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1704071157, - "narHash": "sha256-p8KFWE16nu8ltY17psLU4KTcxXTpjvc1fCzMVPel080=", + "lastModified": 1704629536, + "narHash": "sha256-hCMBZ61Kpj54JD/miAhhoSHWMyP6NWrOmYOSHd0rB4E=", "owner": "numtide", "repo": "nixos-anywhere", - "rev": "d2911784c30a6c94d3a581bc99c94d3ce0deba0b", + "rev": "4c94cecf3dd551adf1359fb06aa926330f44e5a6", "type": "github" }, "original": { @@ -498,22 +502,6 @@ "type": "github" } }, - "nixos-stable_2": { - "locked": { - "lastModified": 1703900474, - "narHash": "sha256-Zu+chYVYG2cQ4FCbhyo6rc5Lu0ktZCjRbSPE0fDgukI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9dd7699928e26c3c00d5d46811f1358524081062", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs": { "locked": { "lastModified": 1703134684, 
@@ -548,11 +536,11 @@ }, "nixpkgs-2305": { "locked": { - "lastModified": 1704018918, - "narHash": "sha256-erjg/HrpC9liEfm7oLqb8GXCqsxaFwIIPqCsknW5aFY=", + "lastModified": 1704290814, + "narHash": "sha256-LWvKHp7kGxk/GEtlrGYV68qIvPHkU9iToomNFGagixU=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2c9c58e98243930f8cb70387934daa4bc8b00373", + "rev": "70bdadeb94ffc8806c0570eb5c2695ad29f0e421", "type": "github" }, "original": { @@ -564,11 +552,11 @@ }, "nixpkgs-2311": { "locked": { - "lastModified": 1705916986, - "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", + "lastModified": 1707091808, + "narHash": "sha256-LahKBAfGbY836gtpVNnWwBTIzN7yf/uYM/S0g393r0Y=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", + "rev": "9f2ee8c91ac42da3ae6c6a1d21555f283458247e", "type": "github" }, "original": { @@ -581,11 +569,11 @@ "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", "type": "github" }, "original": { @@ -598,11 +586,11 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1703983607, - "narHash": "sha256-YECXW8P0bqFM5e65Mu2fL4wZlonNWCuNEk7UQPsuJZ0=", + "lastModified": 1707007541, + "narHash": "sha256-fuFppCuZO4wJAfodUkiWhtSxTb+pkBW+lJP2S51jRNU=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a6c99b57d2e58f7fc6d52a08b0ba40160e75f738", + "rev": "948ff77600f9fff8c904d1e1ffb87a60773991af", "type": "github" }, "original": { 
@@ -613,11 +601,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1703950681, - "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=", + "lastModified": 1705957679, + "narHash": "sha256-Q8LJaVZGJ9wo33wBafvZSzapYsjOaNjP/pOnSiKVGHY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0aad9113182747452dbfc68b93c86e168811fa6c", + "rev": "9a333eaa80901efe01df07eade2c16d183761fa3", "type": "github" }, "original": { @@ -629,11 +617,11 @@ }, "nixpkgs-unstable-small": { "locked": { - "lastModified": 1706112902, - "narHash": "sha256-GKPwSY0fBShj0FfaPqA4gg5oHGhpya/m2DVb+3m+Uzs=", + "lastModified": 1707217908, + "narHash": "sha256-5Dauh04xrEZqlokpYWftfVmDrljORnA48tGrRp+TURM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "5cd2baa57a9ff2d84f2615700434fa04f3067fdb", + "rev": "3b0709da3eeed918323399c68b1fe4309b2ac483", "type": "github" }, "original": { @@ -651,11 +639,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1704201485, - "narHash": "sha256-pFDUR45wmq1HehY3WlJOJydFkLOzKC2pWqvMykLj2Qk=", + "lastModified": 1707290091, + "narHash": "sha256-QX1lZCenEuNe/yFnPUuxEA5B3QJx3D5UEeLvWQ4QK1w=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "b0c06873775fe978bd9384ab14c24903bde92e74", + "rev": "2a54a12e504659a36b20bfce96522b403fa73fdd", "type": "github" }, "original": { @@ -666,11 +654,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "lastModified": 1707092692, + "narHash": "sha256-ZbHsm+mGk/izkWtT4xwwqz38fdlwu7nUUKXTOmm4SyE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "rev": "faf912b086576fd1a15fca610166c98d47bc667e", "type": "github" }, "original": { @@ -716,7 +704,6 @@ "root": { "inputs": { "adamcstephens_stop-export": "adamcstephens_stop-export", - "alsa-ucm-conf": "alsa-ucm-conf", "aphorme_launcher": "aphorme_launcher", "brainwart_x13s-nixos": "brainwart_x13s-nixos", "colmena": "colmena", 
@@ -758,11 +745,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1704114818, - "narHash": "sha256-/0gMZ32JaUTQ0THA/S9rcQSAmEKfL3hGorX5En8lG98=", + "lastModified": 1706875368, + "narHash": "sha256-KOBXxNurIU2lEmO6lR2A5El32X9x8ITt25McxKZ/Ew0=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "a8d935eedc80df8b453d90539cbe78b7e2c75e3c", + "rev": "8f6a72871ec87ed53cfe43a09fb284168a284e7e", "type": "github" }, "original": { @@ -796,11 +783,11 @@ "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1703991717, - "narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=", + "lastModified": 1707015547, + "narHash": "sha256-YZr0OrqWPdbwBhxpBu69D32ngJZw8AMgZtJeaJn0e94=", "owner": "Mic92", "repo": "sops-nix", - "rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6", + "rev": "23f61b897c00b66855074db471ba016e0cda20dd", "type": "github" }, "original": { @@ -811,17 +798,17 @@ }, "srvos": { "inputs": { - "nixos-stable": "nixos-stable_2", + "flake-parts": "flake-parts_4", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1704204620, - "narHash": "sha256-u7C59X3s706W9ptqfYHLlZlropun5Fzr9eYaKAsEuN8=", + "lastModified": 1707160670, + "narHash": "sha256-svt/yQB8l/edU9yhYB78lIGKiaO7mXzUQvu/uJLZAVs=", "owner": "numtide", "repo": "srvos", - "rev": "e5eecdf21bdf048cef7cb9e52bf573fdf959d491", + "rev": "977371a151fc3c96d6fac923b3032d07000e9490", "type": "github" }, "original": { @@ -912,11 +899,11 @@ ] }, "locked": { - "lastModified": 1702939607, - "narHash": "sha256-nPIt1JIQ3g6lBE7+qI8gV1cmJ+uA55aAzho2dGOIFik=", + "lastModified": 1707043587, + "narHash": "sha256-bSuJX5BNN31XMFPinZhteeJO0M8ZHaSoXQXXwZ5MR1c=", "owner": "l4l", "repo": "yofi", - "rev": "c0ca3365a702e7a2852a801ca357df5eb87d0cf9", + "rev": "5b67f8db1ee9bd1e09b3bf3354d08bd5e89f596e", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 46ae21a..96acff4 100644 --- a/flake.nix +++ b/flake.nix 
@@ -92,10 +92,10 @@ }; - alsa-ucm-conf = { - flake = false; - url = "github:alsa-project/alsa-ucm-conf/master"; - }; + # alsa-ucm-conf = { + # flake = false; + # url = "github:alsa-project/alsa-ucm-conf/master"; + # }; logseq_0_10_5_aarch64_appimage = { @@ -326,7 +326,7 @@ }; flake.nixosModules = { - thinkpad-x13s = { pkgs, config, lib, options, ... } @ args: (import ./nix/os/modules/hardware.thinkpad-x13s.nix (args // { inherit self; })); + # thinkpad-x13s = { pkgs, config, lib, options, ... } @ args: (import ./nix/os/modules/hardware.thinkpad-x13s.nix (args // { inherit self; })); }; }); } diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock index 493b409..3d547b2 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s/flake.lock @@ -24,11 +24,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1704982712, - "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", "type": "github" }, "original": { @@ -97,11 +97,11 @@ ] }, "locked": { - "lastModified": 1706542645, - "narHash": "sha256-XIxV5qw9cfAfRZfuw6J/GBhJxiSCQ37fnu7ZaF3Vk58=", + "lastModified": 1707142515, + "narHash": "sha256-qTiDyZP7JvTyITRwmAGo9KGMJx0lj7ibhYqe65/Gypc=", "ref": "refs/heads/main", - "rev": "769c31de6af3ddc9853e388b31af8faba01709b7", - "revCount": 9, + "rev": "66bc91c89daf8a14769e1f403004578463578138", + "revCount": 12, "type": "git", "url": "https://codeberg.org/adamcstephens/nixos-x13s" }, 
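Review bot: The `alsa-ucm-conf` input and the `thinkpad-x13s` entry in `flake.nixosModules` are commented out rather than removed, which leaves dead text that git history already preserves; the lockfile side of this commit drops the `alsa-ucm-conf` node, so the input is gone regardless. I would delete both commented blocks and either drop `flake.nixosModules` entirely or leave it as `flake.nixosModules = { };` with a one-line comment saying why the x13s module is no longer exported. `nix/os/modules/hardware.thinkpad-x13s.nix` still appears in the later formatting diffstat on this page, so if nothing else imports it the file itself now looks unreferenced — worth confirming before removing it as well.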
@@ -145,11 +145,11 @@ "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", "type": "github" }, "original": { From 9b62708d32f3c5a2bc4a0507dee7504c849870aa Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 7 Feb 2024 11:08:46 +0100 Subject: [PATCH 35/42] x13s: enable ledger hw support --- nix/os/devices/steveej-x13s/configuration.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index 6e902e6..d0a9982 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix @@ -145,4 +145,6 @@ virtualisation.waydroid.enable = true; virtualisation.podman.enable = true; virtualisation.podman.dockerCompat = true; + + hardware.ledger.enable = true; } From cbd73c74669fadc7fc192f71df91788acc29ed17 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Wed, 7 Feb 2024 11:15:16 +0100 Subject: [PATCH 36/42] shift illum serivce around and enable on x13s --- nix/os/devices/steveej-x13s/configuration.nix | 5 ++++- nix/os/profiles/graphical/system.nix | 1 - nix/os/profiles/removable-medium/system.nix | 2 ++ 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index d0a9982..e45fc83 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix @@ -16,6 +16,8 @@ bluetoothMac = "65:9e:7a:8b:86:28"; }; + services.illum.enable = true; + systemd.services.bluetooth-mac = { enable = true; path = [ 
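Review bot: `hardware.ledger.enable = true;` is added with no comment on why it is needed or what it pulls in; the option name alone does not tell a reader that this is hardware-wallet support. Presumably it installs udev rules that make the Ledger USB device reachable by the logged-in desktop user without root — confirm against the NixOS module before relying on that. I would add `# Ledger hardware-wallet support (udev rules so the desktop user can reach the device)` above the line so the access grant is visible to whoever audits this host later.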
@@ -133,8 +135,9 @@ }; # see https://linrunner.de/tlp/ + # TODO: find an equivalent to tlp that supports this machine services.tlp = { - enable = true; + enable = false; settings = { START_CHARGE_THRESH_BAT0 = "80"; STOP_CHARGE_THRESH_BAT0 = "85"; diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index 4e68144..a90c1e8 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -22,7 +22,6 @@ services.resolved.enable = true; # hardware related services - services.illum.enable = true; services.pcscd.enable = true; hardware.opengl.enable = true; diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix index 10a18ef..7586a85 100644 --- a/nix/os/profiles/removable-medium/system.nix +++ b/nix/os/profiles/removable-medium/system.nix @@ -5,6 +5,8 @@ ... }: let in { + services.illum.enable = true; + services.printing = {enable = false;}; services.spice-vdagentd.enable = true; From 028c57b0db5ebde520b8e65048d730011797523a Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 8 Feb 2024 13:58:05 +0100 Subject: [PATCH 37/42] zsh: unset empty TMP and TMPDIR this is a safety mechanism so that `/` is never used --- nix/home-manager/programs/zsh.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 8d2596a..abe7a5c 100644 --- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix @@ -53,6 +53,15 @@ in inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; in '' + if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then + unset TMPDIR + fi + + if test ! -n "$TMP" -a -z "$TMP"; then + unset TMP + fi + + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' RPROMPT="" From b6d97d058144dec4facf82cae811c40bab8ded0d Mon Sep 17 00:00:00 2001 
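Review bot: The new guard `if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then` is redundant: `! -n X` and `-z X` are the same test, so the conjunction reduces to `-z "$TMPDIR"`, and the same holds for the `$TMP` block. The binary `-a` operator is also marked obsolescent in POSIX `test`; zsh's `[[ ]]` avoids it, so `if [[ -z "$TMPDIR" ]]; then unset TMPDIR; fi` and `if [[ -z "$TMP" ]]; then unset TMP; fi` say the same thing more plainly. The rationale from the commit message — an empty value makes `$TMPDIR/foo` resolve to `/foo` — belongs in a comment above the guards, since an `unset` of an empty variable looks pointless on its own. Note that this only protects interactive zsh sessions; processes started by other means (services, launchers) still see the empty value, which is worth stating in the same comment.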
From: Stefan Junker Date: Thu, 8 Feb 2024 20:53:22 +0100 Subject: [PATCH 38/42] nix fmt --- flake.nix | 419 +++--- nix/devShells.nix | 9 +- .../configuration/graphical-fullblown.nix | 65 +- nix/home-manager/profiles/common.nix | 10 +- nix/home-manager/profiles/dotfiles.nix | 30 +- nix/home-manager/profiles/sway-desktop.nix | 211 ++- nix/home-manager/profiles/wayland-desktop.nix | 88 +- nix/home-manager/programs/chromium.nix | 37 +- nix/home-manager/programs/espanso.nix | 116 +- nix/home-manager/programs/pass.nix | 6 +- nix/home-manager/programs/radicale.nix | 89 +- nix/home-manager/programs/vscode/default.nix | 24 +- nix/home-manager/programs/zsh.nix | 130 +- nix/os/devices/router0-dmz0/configuration.nix | 1206 +++++++++-------- nix/os/devices/router0-dmz0/flake.nix | 43 +- .../devices/sj-bm-hostkey0/configuration.nix | 99 +- nix/os/devices/sj-srv1/configuration.nix | 11 +- nix/os/devices/sj-srv1/hw.nix | 2 +- nix/os/devices/sj-srv1/system.nix | 93 +- nix/os/devices/sj-vps-htz0/system.nix | 30 +- nix/os/devices/steveej-t14/configuration.nix | 5 +- nix/os/devices/steveej-t14/default.nix | 19 +- nix/os/devices/steveej-t14/hw.nix | 26 +- nix/os/devices/steveej-t14/pkg.nix | 52 +- nix/os/devices/steveej-t14/system.nix | 32 +- nix/os/devices/steveej-t14/user.nix | 19 +- .../steveej-x13s-rmvbl/configuration.nix | 30 +- nix/os/devices/steveej-x13s-rmvbl/default.nix | 23 +- nix/os/devices/steveej-x13s-rmvbl/disko.nix | 10 +- nix/os/devices/steveej-x13s-rmvbl/flake.nix | 151 ++- nix/os/devices/steveej-x13s/configuration.nix | 30 +- nix/os/devices/steveej-x13s/default.nix | 23 +- nix/os/devices/steveej-x13s/disko.nix | 10 +- nix/os/devices/steveej-x13s/flake.nix | 151 ++- nix/os/devices/voodoo/flake.nix | 20 +- nix/os/lib/default.nix | 69 +- nix/os/modules/hardware.thinkpad-x13s.nix | 404 +++--- nix/os/modules/opinionatedDisk.nix | 3 +- nix/os/profiles/common/configuration.nix | 17 +- nix/os/profiles/common/system.nix | 15 +- nix/os/profiles/common/user.nix | 16 +- 
nix/os/profiles/graphical/system.nix | 11 +- nix/os/snippets/bluetooth.nix | 9 +- nix/os/snippets/home-manager-with-zsh.nix | 22 +- nix/os/snippets/nix-settings.nix | 10 +- nix/os/snippets/radicale.nix | 30 +- nix/os/snippets/sway-desktop.nix | 47 +- nix/os/snippets/timezone.nix | 8 +- nix/pkgs/logseq/default.nix | 56 +- 49 files changed, 2034 insertions(+), 2002 deletions(-) diff --git a/flake.nix b/flake.nix index 96acff4..2538a15 100644 --- a/flake.nix +++ b/flake.nix @@ -75,7 +75,6 @@ flake = false; }; - ### inputs for thinkpad x13s # see https://github.com/jhovold/linux/wiki/X13s for status updates linux_x13s.url = "github:jhovold/linux/wip/sc8280xp-v6.7"; 
@@ -91,242 +90,236 @@ url = "git+https://codeberg.org/adamcstephens/stop-export.git"; }; - # alsa-ucm-conf = { # flake = false; # url = "github:alsa-project/alsa-ucm-conf/master"; # }; - logseq_0_10_5_aarch64_appimage = { flake = false; url = "https://www.stefanjunker.de/downloads/Logseq-0.10.5.AppImage"; }; }; - outputs = - inputs @ { self - , flake-parts - , nixpkgs - , ... - }: - let - inherit (nixpkgs) lib; + outputs = inputs @ { + self, + flake-parts, + nixpkgs, + ... + }: let + inherit (nixpkgs) lib; - systems = [ - "x86_64-linux" - "aarch64-linux" - ]; - in - flake-parts.lib.mkFlake { inherit inputs; } - ({ withSystem, ... }: { - flake.colmena = - lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) - { - meta.nixpkgs = import inputs.nixpkgs.outPath { - system = builtins.elemAt systems 0; - }; - } - # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import - # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 - (builtins.map - (nodeName: - import ./nix/os/devices/${nodeName} { - inherit nodeName; - repoFlake = self; - repoFlakeWithSystem = withSystem; - nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; - }) [ - "steveej-t14" - "steveej-x13s" - "steveej-x13s-rmvbl" - # "elias-e525" - # "justyna-p300" + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + in + flake-parts.lib.mkFlake {inherit inputs;} + ({withSystem, ...}: { + flake.colmena = + lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) + { + meta.nixpkgs = import inputs.nixpkgs.outPath { + system = builtins.elemAt systems 0; + }; + } + # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import + # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 + (builtins.map + (nodeName: + import ./nix/os/devices/${nodeName} { + inherit nodeName; + repoFlake = self; + repoFlakeWithSystem = withSystem; + nodeFlake = self.inputs.get-flake 
./nix/os/devices/${nodeName}; + }) [ + "steveej-t14" + "steveej-x13s" + "steveej-x13s-rmvbl" + # "elias-e525" + # "justyna-p300" - # "srv0-dmz0" - # # "router0-dmz0" + # "srv0-dmz0" + # # "router0-dmz0" - "sj-srv1" - "sj-bm-hostkey0" + "sj-srv1" + "sj-bm-hostkey0" - # "retro" - ]); + # "retro" + ]); - # this makes nixos-anywhere work - flake.nixosConfigurations = - let - colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; - router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; - retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations; - in - ( - colmenaHive // + # this makes nixos-anywhere work + flake.nixosConfigurations = let + colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; + router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; + retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations; + in ( + colmenaHive + // { + router0-dmz0 = router0-dmz0.native; - { - router0-dmz0 = router0-dmz0.native; + # for now deploy directly with: + # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 + router0-dmz0_cross = router0-dmz0.cross; - # for now deploy directly with: - # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 - router0-dmz0_cross = router0-dmz0.cross; + # nixos-install --flake .\#retro_cross + retro_cross = retro.cross; - # nixos-install --flake .\#retro_cross - retro_cross = retro.cross; + steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross; + steveej-x13s-rmvbl_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; + } + ); - steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross; - steveej-x13s-rmvbl_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; - } - ); + 
inherit systems; - inherit systems; + perSystem = { + self', + inputs', + system, + config, + lib, + pkgs, + ... + }: { + imports = [ + ./nix/modules/flake-parts/perSystem/default.nix + ]; - perSystem = - { self' - , inputs' - , system - , config - , lib - , pkgs - , ... - }: { - imports = [ - ./nix/modules/flake-parts/perSystem/default.nix + packages = let + dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {}; + + craneLib = + inputs.crane.lib.${system}.overrideToolchain + inputs'.fenix.packages.stable.toolchain; + + craneLibOfiPass = + inputs.crane.lib.${system}.overrideToolchain + ( + inputs'.fenix.packages.stable.toolchain + # .override { + # date = "1.60.0"; + # } + ); + in { + dcpj4110dwDriver = dcpj4110dw.driver; + dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; + + # broken as of 2023-04-27 because it doesn't load without a config + # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;}; + # yofi = inputs'.yofi.packages.default; + # ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;}; + + inherit (inputs'.colmena.packages) colmena; + + # jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) { + # src = inputs.jay; + # rustPlatform = pkgs.makeRustPlatform { + # cargo = inputs'.fenix.packages.stable.toolchain; + # rustc = inputs'.fenix.packages.stable.toolchain; + # }; + # }; + + salut = craneLib.buildPackage { + src = inputs.salut; + nativeBuildInputs = [ + pkgs.pkg-config + ]; + buildInputs = [ + pkgs.libxkbcommon + pkgs.fontconfig ]; - - packages = - let - dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { }; - - craneLib = - inputs.crane.lib.${system}.overrideToolchain - inputs'.fenix.packages.stable.toolchain; - - craneLibOfiPass = - inputs.crane.lib.${system}.overrideToolchain - ( - inputs'.fenix.packages.stable.toolchain - # .override { - # date = "1.60.0"; - # } - ); - in - { - dcpj4110dwDriver = dcpj4110dw.driver; - dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - - # broken as of 2023-04-27 
because it doesn't load without a config - # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;}; - # yofi = inputs'.yofi.packages.default; - # ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;}; - - inherit (inputs'.colmena.packages) colmena; - - # jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) { - # src = inputs.jay; - # rustPlatform = pkgs.makeRustPlatform { - # cargo = inputs'.fenix.packages.stable.toolchain; - # rustc = inputs'.fenix.packages.stable.toolchain; - # }; - # }; - - salut = craneLib.buildPackage { - src = inputs.salut; - nativeBuildInputs = [ - pkgs.pkg-config - ]; - buildInputs = [ - pkgs.libxkbcommon - pkgs.fontconfig - ]; - }; - - prs = pkgs.callPackage - ({ pkgs - , dbus - , glib - , gpgme - , gtk3 - , libxcb - , libxkbcommon - , installShellFiles - , pkg-config - , python3 - }: craneLib.buildPackage { - pname = "prs"; - version = inputs.prs.shortRev; - src = inputs.prs; - nativeBuildInputs = [ gpgme installShellFiles pkg-config python3 ]; - - buildInputs = [ - dbus - glib - gpgme - gtk3 - libxcb - libxkbcommon - ]; - - cargoExtraArgs = "--features backend-gpgme"; - - postInstall = '' - for shell in bash fish zsh; do - installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) - done - ''; - }) - { }; - - nomad = inputs'.nixpkgs-unstable-small.legacyPackages.nomad_1_6; - - ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' - set -x - pkill -9 wayland-proxy-v - export NIXOS_OZONE_WL="" - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=3 \ - & - # --x-unscale=3 \ - #--verbose \ - - export PROXYPID="$!" 
- - trap "kill -9 \$PROXYPID" EXIT - # trap "pkill -9 wayland-proxy-v" EXIT - - env \ - WAYLAND_DISPLAY=wayland-3 \ - DISPLAY=:3 \ - ledger-live-desktop - ''; - - syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' - ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 - ''; - - logseq = pkgs.callPackage ./nix/pkgs/logseq - (lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { - overrideSrc = self.inputs.logseq_0_10_5_aarch64_appimage; - }); - }; - - formatter = pkgs.alejandra; - - devShells = - let - all = import ./nix/devShells.nix { - inherit - self' - inputs' - pkgs - ; - }; - in - (all // { default = all.develop; }); }; - flake.nixosModules = { - # thinkpad-x13s = { pkgs, config, lib, options, ... } @ args: (import ./nix/os/modules/hardware.thinkpad-x13s.nix (args // { inherit self; })); + prs = + pkgs.callPackage + ({ + pkgs, + dbus, + glib, + gpgme, + gtk3, + libxcb, + libxkbcommon, + installShellFiles, + pkg-config, + python3, + }: + craneLib.buildPackage { + pname = "prs"; + version = inputs.prs.shortRev; + src = inputs.prs; + nativeBuildInputs = [gpgme installShellFiles pkg-config python3]; + + buildInputs = [ + dbus + glib + gpgme + gtk3 + libxcb + libxkbcommon + ]; + + cargoExtraArgs = "--features backend-gpgme"; + + postInstall = '' + for shell in bash fish zsh; do + installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) + done + ''; + }) + {}; + + nomad = inputs'.nixpkgs-unstable-small.legacyPackages.nomad_1_6; + + ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' + set -x + pkill -9 wayland-proxy-v + export NIXOS_OZONE_WL="" + ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ + --wayland-display=wayland-3 \ + --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ + --x-display=3 \ + & + # --x-unscale=3 \ + #--verbose \ + + export PROXYPID="$!" 
+ + trap "kill -9 \$PROXYPID" EXIT + # trap "pkill -9 wayland-proxy-v" EXIT + + env \ + WAYLAND_DISPLAY=wayland-3 \ + DISPLAY=:3 \ + ledger-live-desktop + ''; + + syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' + ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 + ''; + + logseq = + pkgs.callPackage ./nix/pkgs/logseq + (lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { + overrideSrc = self.inputs.logseq_0_10_5_aarch64_appimage; + }); }; - }); + + formatter = pkgs.alejandra; + + devShells = let + all = import ./nix/devShells.nix { + inherit + self' + inputs' + pkgs + ; + }; + in (all // {default = all.develop;}); + }; + + flake.nixosModules = { + # thinkpad-x13s = { pkgs, config, lib, options, ... } @ args: (import ./nix/os/modules/hardware.thinkpad-x13s.nix (args // { inherit self; })); + }; + }); } diff --git a/nix/devShells.nix b/nix/devShells.nix index ebd879b..4cac540 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix @@ -1,9 +1,8 @@ -{ self' -, inputs' -, pkgs -}: - { + self', + inputs', + pkgs, +}: { install = pkgs.mkShell { name = "infra-install"; packages = with pkgs; [ diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 750140a..632cf0f 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix 
@@ -1,16 +1,15 @@ -{ pkgs -, lib -, config -, # these come in via home-manager.extraSpecialArgs and are specific to each node - nodeFlake -, packages' -, ... -}: -let - # pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system}; - pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small { inherit (pkgs) system config; }; -in { + pkgs, + lib, + config, + # these come in via home-manager.extraSpecialArgs and are specific to each node + nodeFlake, + packages', + ... +}: let + # pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system}; + pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small {inherit (pkgs) system config;}; +in { imports = [ ../profiles/common.nix # ../profiles/dotfiles.nix @@ -37,7 +36,7 @@ in home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.GOPATH = "$HOME/src/go"; - home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ "$HOME/.local/bin" "$PATH" ]; + home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; nixpkgs.config.permittedInsecurePackages = [ "electron-24.8.6" @@ -45,7 +44,7 @@ in ]; home.packages = - [ ] + [] ++ (with pkgs; [ # Authentication # cacert 
@@ -114,26 +113,24 @@ in let version = "6.44.0"; in - pkgsUnstableSmall.signal-desktop.overrideAttrs (old: - lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { - inherit version; - src = builtins.fetchurl - { - url = "https://github.com/0mniteck/Signal-Desktop-Mobian/raw/master/builds/release/signal-desktop_${version}_arm64.deb"; - sha256 = - # lib.fakeSha256 - "sha256:0svb5vz08n3j4lx4kdjmx5lw9619kvvxg981rs6chh83qz5y519k" - ; - } - ; - }) + pkgsUnstableSmall.signal-desktop.overrideAttrs (old: + lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { + inherit version; + src = + builtins.fetchurl + { + url = "https://github.com/0mniteck/Signal-Desktop-Mobian/raw/master/builds/release/signal-desktop_${version}_arm64.deb"; + sha256 = + # lib.fakeSha256 + "sha256:0svb5vz08n3j4lx4kdjmx5lw9619kvvxg981rs6chh83qz5y519k"; + }; + }) ) thunderbird # gnome.cheese - # Virtualization # virtmanager @@ -141,8 +138,6 @@ in remmina # freerdp - - # Audio/Video Players ffmpeg vlc @@ -193,7 +188,6 @@ in # mendeley evince - # File Synchronzation maestral rsync @@ -208,7 +202,6 @@ in # gparted # smartmontools - ## Python # packages'.myPython @@ -257,9 +250,10 @@ in # '') ]) ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ - ]) + ]) ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ - (pkgs.banana-accounting.overrideDerivation + ( + pkgs.banana-accounting.overrideDerivation (attrs: with nodeFlake.inputs'.nixpkgs-2211.legacyPackages; { # dontWrapGApps = true; @@ -300,8 +294,7 @@ in pkgs.discord pkgsUnstableSmall.session-desktop pkgsUnstableSmall.rustdesk - ]) - ; + ]); systemd.user.startServices = true; services.syncthing.enable = true; diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index 4ea2e6c..9df371b 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix 
@@ -1,4 +1,8 @@ -{ pkgs, lib, ... }: { +{ + pkgs, + lib, + ... +}: { # TODO: re-enable this with the appropriate version? # programs.home-manager.enable = true; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; @@ -8,7 +12,7 @@ allowBroken = false; allowUnfree = true; - permittedInsecurePackages = [ ]; + permittedInsecurePackages = []; }; home.keyboard = { @@ -32,7 +36,7 @@ programs.fzf.enable = true; home.packages = - [ ] + [] ++ (with pkgs; [ coreutils diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index c702f82..670ea75 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix @@ -1,18 +1,18 @@ -{ repoFlake -, pkgs -, config -, repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git" -, repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git" -, ... -}: -let +{ + repoFlake, + pkgs, + config, + repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", + repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", + ... +}: let repoBareLocal = pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } '' + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } '' ( set -xe export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt @@ -39,9 +39,7 @@ let set_remotes ${repoHttps} ${repoSsh} fi ''; - -in -{ +in { # TODO: fix the dotfiles # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # $DRY_RUN_CMD ${vcshActivationScript} diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix index a30fb64..284a8a1 100644 --- a/nix/home-manager/profiles/sway-desktop.nix +++ b/nix/home-manager/profiles/sway-desktop.nix 
@@ -1,19 +1,18 @@ -{ pkgs -, config -, lib -, # packages', - repoFlakeInputs' -, ... -}: -let - inherit (import ../lib.nix { }) mkSimpleTrayService; +{ + pkgs, + config, + lib, + # packages', + repoFlakeInputs', + ... +}: let + inherit (import ../lib.nix {}) mkSimpleTrayService; lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; -in -{ +in { imports = [ ../profiles/wayland-desktop.nix ../programs/waybar.nix 
@@ -86,106 +85,104 @@ in systemd.enable = true; xwayland = true; - config = - let - modifier = "Mod4"; - inherit (config.wayland.windowManager.sway.config) left right up down; - in - { - inherit modifier; - bars = [ ]; + config = let + modifier = "Mod4"; + inherit (config.wayland.windowManager.sway.config) left right up down; + in { + inherit modifier; + bars = []; - input = { - "type:keyboard" = - { - xkb_layout = config.home.keyboard.layout; - xkb_variant = config.home.keyboard.variant; - } - // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { - xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; - }; - - "type:touchpad" = { - natural_scroll = "enabled"; + input = { + "type:keyboard" = + { + xkb_layout = config.home.keyboard.layout; + xkb_variant = config.home.keyboard.variant; + } + // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) { + xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; }; + + "type:touchpad" = { + natural_scroll = "enabled"; }; - - keybindings = lib.mkOptionDefault { - # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi - # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; - "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; - - # only 1-9 exist on the default config - "${modifier}+0" = "workspace number 0"; - "${modifier}+Shift+0" = "move container to workspace number 0"; - - # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it - "${modifier}+b" = "nop"; - "${modifier}+v" = "nop"; - - # move workspace to output - "${modifier}+Control+Shift+${left}" = "move workspace to output left"; - "${modifier}+Control+Shift+${right}" = "move workspace to output right"; - "${modifier}+Control+Shift+${up}" = "move workspace to output up"; - "${modifier}+Control+Shift+${down}" = "move workspace to output down"; - # move workspace to output with arrow 
keys - "${modifier}+Control+Shift+Left" = "move workspace to output left"; - "${modifier}+Control+Shift+Right" = "move workspace to output right"; - "${modifier}+Control+Shift+Up" = "move workspace to output up"; - "${modifier}+Control+Shift+Down" = "move workspace to output down"; - - "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; - "${modifier}+q" = "kill"; - "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; - - "${modifier}+x" = "exec ${swapOutputWorkspaces}"; - - "${modifier}+Ctrl+l" = "exec ${lockCmd}"; - - "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; - "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; - "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; - - "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; - "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; - "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; - - "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; - }; - - terminal = "alacritty"; - startup = - [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target - ) & - ''); - } - ] - ++ lib.optionals config.services.swayidle.enable [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart swayidle - ) & - ''); - } - ]; - - colors.focused = lib.mkOptionDefault { - childBorder = lib.mkForce "#ffa500"; - }; - - window.titlebar = false; - window.border = 4; - - # this maps to focus_on_window_activation - focus.newWindow = "urgent"; }; + + keybindings = lib.mkOptionDefault { + 
# as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi + # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; + "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; + + # only 1-9 exist on the default config + "${modifier}+0" = "workspace number 0"; + "${modifier}+Shift+0" = "move container to workspace number 0"; + + # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it + "${modifier}+b" = "nop"; + "${modifier}+v" = "nop"; + + # move workspace to output + "${modifier}+Control+Shift+${left}" = "move workspace to output left"; + "${modifier}+Control+Shift+${right}" = "move workspace to output right"; + "${modifier}+Control+Shift+${up}" = "move workspace to output up"; + "${modifier}+Control+Shift+${down}" = "move workspace to output down"; + # move workspace to output with arrow keys + "${modifier}+Control+Shift+Left" = "move workspace to output left"; + "${modifier}+Control+Shift+Right" = "move workspace to output right"; + "${modifier}+Control+Shift+Up" = "move workspace to output up"; + "${modifier}+Control+Shift+Down" = "move workspace to output down"; + + "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; + "${modifier}+q" = "kill"; + "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; + + "${modifier}+x" = "exec ${swapOutputWorkspaces}"; + + "${modifier}+Ctrl+l" = "exec ${lockCmd}"; + + "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; + "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; + "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; + + "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; + "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; + "--locked XF86AudioMute" = "exec 
${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; + + "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; + }; + + terminal = "alacritty"; + startup = + [ + { + command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target + ) & + ''); + } + ] + ++ lib.optionals config.services.swayidle.enable [ + { + command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart swayidle + ) & + ''); + } + ]; + + colors.focused = lib.mkOptionDefault { + childBorder = lib.mkForce "#ffa500"; + }; + + window.titlebar = false; + window.border = 4; + + # this maps to focus_on_window_activation + focus.newWindow = "urgent"; + }; }; services.swayidle = { diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix index 298aaf5..cf77c15 100644 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ b/nix/home-manager/profiles/wayland-desktop.nix @@ -1,17 +1,16 @@ -{ pkgs -, config -, lib -, repoFlake -, nodeFlake -, ... -}: -let - inherit (import ../lib.nix { }) mkSimpleTrayService; +{ + pkgs, + config, + lib, + repoFlake, + nodeFlake, + ... +}: let + inherit (import ../lib.nix {}) mkSimpleTrayService; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; wayprompt = nixpkgs-wayland'.wayprompt; -in -{ +in { fonts.fontconfig.enable = true; # services.gpg-agent.pinentryFlavor = lib.mkForce null; 
@@ -27,43 +26,46 @@ in systemd.user.targets.tray = { Unit = { Description = "Home Manager System Tray"; - Requires = [ "graphical-session-pre.target" ]; + Requires = ["graphical-session-pre.target"]; }; }; - home.packages = with pkgs; [ - # required by network-manager-applet - pkgs.networkmanagerapplet - - wlr-randr - wayout - wl-clipboard - wmctrl - - nixpkgs-wayland'.shotman - - # identifies key input syms - wev - - # TODO: whwat's this for? - # wltype - - pavucontrol - playerctl - pasystray - qt5.qtwayland - qt6.qtwayland - # libsForQt5.qt5.qtwayland - # libsForQt6.qt6.qtwayland - - # probably required by flameshot - # xdg-desktop-portal xdg-desktop-portal-wlr - # grim - ] ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) - # TODO: broken on aarch64 + home.packages = with pkgs; [ + # required by network-manager-applet + pkgs.networkmanagerapplet + + wlr-randr + wayout + wl-clipboard + wmctrl + + nixpkgs-wayland'.shotman + + # identifies key input syms + wev + + # TODO: whwat's this for? + # wltype + + pavucontrol + playerctl + pasystray + qt5.qtwayland + qt6.qtwayland + # libsForQt5.qt5.qtwayland + # libsForQt6.qt6.qtwayland + + # probably required by flameshot + # xdg-desktop-portal xdg-desktop-portal-wlr + # grim ] - ); + ++ ( + lib.lists.optionals (!pkgs.stdenv.isAarch64) + # TODO: broken on aarch64 + [ + ] + ); home.sessionVariables = { XDG_SESSION_TYPE = "wayland"; diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index 1119653..3552e7b 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix 
@@ -1,16 +1,16 @@ -{ name -, lib -, pkgs -, ... -}: -let +{ + name, + lib, + pkgs, + ... +}: let extensions = [ #undetectable adblocker - { id = "gcfcpohokifjldeandkfjoboemihipmb"; } + {id = "gcfcpohokifjldeandkfjoboemihipmb";} # ublock origin - { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } + {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} # # YT ad block # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} @@ -19,15 +19,15 @@ let # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} # Cookie Notice Blocker - { id = "odhmfmnoejhihkmfebnolljiibpnednn"; } + {id = "odhmfmnoejhihkmfebnolljiibpnednn";} # i don't care about cookies - { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } + {id = "fihnjjcciajhdojfnbdddfaoknhalnja";} # NopeCHA - { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } + {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";} # h264ify - { id = "aleakchihdccplidncghkekgioiakgal"; } + {id = "aleakchihdccplidncghkekgioiakgal";} # clippy # {id = "honbeilkanbghjimjoniipnnehlmhggk"} @@ -38,20 +38,19 @@ let } # cookie autodelete - { id = "fhcgjolkccmbidfldomjliifgaodjagh"; } + {id = "fhcgjolkccmbidfldomjliifgaodjagh";} # unhook - { id = "khncfooichmfjbepaaaebmommgaepoid"; } + {id = "khncfooichmfjbepaaaebmommgaepoid";} ] ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ # Vimium C - { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } + {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";} # always right - { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; } + {id = "npjpaghfnndnnmjiliibnkmdfgbojokj";} ]); -in -{ +in { programs.chromium = { enable = true; inherit extensions; @@ -63,5 +62,5 @@ in inherit extensions; }; - programs.browserpass = { browsers = [ "chromium" "brave" ]; }; + programs.browserpass = {browsers = ["chromium" "brave"];}; } diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix index 439ced1..23f727a 100644 --- a/nix/home-manager/programs/espanso.nix +++ b/nix/home-manager/programs/espanso.nix 
@@ -1,4 +1,4 @@ -{ pkgs, ... }: { +{pkgs, ...}: { services.espanso = { # package = pkgs.espanso.overrideAttrs(_: { # # src = 
@@ -10,66 +10,64 @@ # backend = "Clipboard"; }; }; - matches = - let - playerctl = '' - ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; - in - { - default = { - matches = [ - { - trigger = ":vpos"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeScript "espanso" '' - #! ${pkgs.python3}/bin/python - import subprocess, os, math, datetime + matches = let + playerctl = '' + ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; + in { + default = { + matches = [ + { + trigger = ":vpos"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeScript "espanso" '' + #! ${pkgs.python3}/bin/python + import subprocess, os, math, datetime - id=str(os.getuid()) - result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) - result.check_returncode() + id=str(os.getuid()) + result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) + result.check_returncode() - position_secs = math.trunc(float(result.stdout)) - position_human = datetime.timedelta(seconds=position_secs) - print("%s - %s" % (position_human, position_secs)) - '') - ]; - }; - } - ]; - } - { - trigger = ":vtit"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeShellScript "espanso" - "${playerctl} metadata title") - ]; - }; - } - ]; - } - { - trigger = ":dunno"; - replace = "¯\\_(ツ)_/¯"; - } - { - trigger = ":shrug"; - replace = "¯\\_(ツ)_/¯"; - } - ]; - }; + position_secs = math.trunc(float(result.stdout)) + position_human = 
datetime.timedelta(seconds=position_secs) + print("%s - %s" % (position_human, position_secs)) + '') + ]; + }; + } + ]; + } + { + trigger = ":vtit"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeShellScript "espanso" + "${playerctl} metadata title") + ]; + }; + } + ]; + } + { + trigger = ":dunno"; + replace = "¯\\_(ツ)_/¯"; + } + { + trigger = ":shrug"; + replace = "¯\\_(ツ)_/¯"; + } + ]; }; + }; }; } diff --git a/nix/home-manager/programs/pass.nix b/nix/home-manager/programs/pass.nix index a17e9a0..7c1f221 100644 --- a/nix/home-manager/programs/pass.nix +++ b/nix/home-manager/programs/pass.nix @@ -1,4 +1,8 @@ -{repoFlake, pkgs, ...}: { +{ + repoFlake, + pkgs, + ... +}: { # required by pass-otp # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix index 1a89d95..207b9e6 100644 --- a/nix/home-manager/programs/radicale.nix +++ b/nix/home-manager/programs/radicale.nix @@ -1,10 +1,10 @@ -{ config -, lib -, pkgs -, osConfig -, ... -}: -let +{ + config, + lib, + pkgs, + osConfig, + ... +}: let libdecsync = pkgs.python3Packages.buildPythonPackage rec { pname = "libdecsync"; version = "2.2.1"; 
@@ -38,53 +38,50 @@ let # pkgs.libxcrypt ]; - propagatedBuildInputs = [ libdecsync pkgs.python3Packages.setuptools ]; + propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; }; radicale-decsync = pkgs.radicale.overrideAttrs (old: { propagatedBuildInputs = old.propagatedBuildInputs - ++ [ radicale-storage-decsync ]; + ++ [radicale-storage-decsync]; }); - mkRadicaleService = - { suffix - , port - , - }: - let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} + mkRadicaleService = { + suffix, + port, + }: let + radicale-config = pkgs.writeText "radicale-config-${suffix}" '' + [server] + hosts = localhost:${builtins.toString port} - [auth] - type = htpasswd - htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt + [auth] + type = htpasswd + htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} + htpasswd_encryption = bcrypt - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} - ''; - in - { - systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; - }; - Install.WantedBy = [ "default.target" ]; + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} + ''; + in { + systemd.user.services."radicale-${suffix}" = { + Unit.Description = "Radicale with DecSync (${suffix})"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart = "on-failure"; }; + Install.WantedBy = ["default.target"]; }; + }; in -builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ 
- { - suffix = "personal"; - port = 5232; - } - { - suffix = "family"; - port = 5233; - } -] + builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 5233; + } + ] diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index 417db07..a0c0d76 100644 --- a/nix/home-manager/programs/vscode/default.nix +++ b/nix/home-manager/programs/vscode/default.nix @@ -1,17 +1,21 @@ -{ pkgs, nodeFlake, ... }: { + pkgs, + nodeFlake, + ... +}: { programs.vscode = { enable = true; package = pkgs.vscodium; - extensions = [ - # TODO: how can i install (this) vsix(s) directly? - # (builtins.fetchurl { - # # https://open-vsx.org/extension/jeanp413/open-remote-ssh - # url = "https://open-vsx.org/api/jeanp413/open-remote-ssh/0.0.45/file/jeanp413.open-remote-ssh-0.0.45.vsix"; - # sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2"; - # }) - ] ++ (with pkgs.vscode-extensions; + extensions = [ + # TODO: how can i install (this) vsix(s) directly? + # (builtins.fetchurl { + # # https://open-vsx.org/extension/jeanp413/open-remote-ssh + # url = "https://open-vsx.org/api/jeanp413/open-remote-ssh/0.0.45/file/jeanp413.open-remote-ssh-0.0.45.vsix"; + # sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2"; + # }) + ] + ++ (with pkgs.vscode-extensions; [ bbenoist.nix eamodio.gitlens mkhl.direnv @@ -34,7 +38,7 @@ mutableExtensionsDir = true; }; - home.packages = [ pkgs.nixpkgs-fmt pkgs.alejandra ]; + home.packages = [pkgs.nixpkgs-fmt pkgs.alejandra]; } # TODO: automate ### original list: diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index abe7a5c..40e603d 100644 --- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix 
@@ -1,30 +1,29 @@ -{ config -, lib -, pkgs -, ... -}: -let - just-plugin = - let - plugin_file = pkgs.writeText "_just" '' - #compdef just - #autload +{ + config, + lib, + pkgs, + ... +}: let + just-plugin = let + plugin_file = pkgs.writeText "_just" '' + #compdef just + #autload - alias justl="\just --list" - alias juste="\just --evaluate" + alias justl="\just --list" + alias juste="\just --evaluate" - local subcmds=() + local subcmds=() - while read -r line ; do - if [[ ! $line == Available* ]] ; - then - subcmds+=(''${line/[[:space:]]*\#/:}) - fi - done < <(just --list) + while read -r line ; do + if [[ ! $line == Available* ]] ; + then + subcmds+=(''${line/[[:space:]]*\#/:}) + fi + done < <(just --list) - _describe 'command' subcmds - ''; - in + _describe 'command' subcmds + ''; + in pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; @@ -36,8 +35,7 @@ let chmod --recursive a-w $out ''; }; -in -{ +in { programs.zsh = { enable = true; 
@@ -48,58 +46,56 @@ in # will be called again by oh-my-zsh enableCompletion = false; enableAutosuggestions = true; - initExtra = - let - inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; - in - '' - if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then - unset TMPDIR - fi + initExtra = let + inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; + in '' + if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then + unset TMPDIR + fi - if test ! -n "$TMP" -a -z "$TMP"; then - unset TMP - fi + if test ! -n "$TMP" -a -z "$TMP"; then + unset TMP + fi - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" - # Automatic rehash - zstyle ':completion:*' rehash true + # Automatic rehash + zstyle ':completion:*' rehash true - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . $HOME/.shrc.d/sh_aliases + fi - ${ - if builtins.hasAttr "homeshick" pkgs - then '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' - else "" - } + ${ + if builtins.hasAttr "homeshick" pkgs + then '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' + else "" + } - # Disable intercepting of ctrl-s and ctrl-q as flow control. - stty stop ''' -ixoff -ixon + # Disable intercepting of ctrl-s and ctrl-q as flow control. 
+ stty stop ''' -ixoff -ixon - # don't cd into directories when executed - unsetopt AUTO_CD + # don't cd into directories when executed + unsetopt AUTO_CD - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" - ${lib.optionalString config.services.gpg-agent.enable '' - export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" - ''} + ${lib.optionalString config.services.gpg-agent.enable '' + export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" + ''} - ${lib.optionalString config.programs.neovim.enable '' - export EDITOR="nvim" - ''} - ''; + ${lib.optionalString config.programs.neovim.enable '' + export EDITOR="nvim" + ''} + ''; plugins = [ { @@ -132,7 +128,7 @@ in oh-my-zsh = { enable = true; theme = "tjkirch"; - plugins = [ "git" "sudo" ]; + plugins = ["git" "sudo"]; }; }; } diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 9256425..366c640 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix @@ -1,14 +1,14 @@ -{ repoFlake -, pkgs -, lib -, config -, nodeFlake -, nodeName -, localDomainName -, system -, ... -}: -let +{ + repoFlake, + pkgs, + lib, + config, + nodeFlake, + nodeName, + localDomainName, + system, + ... +}: let inherit (nodeFlake.inputs) bpir3 
@@ -18,20 +18,23 @@ let vlanRangeStart = builtins.head vlanRange; vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); - vlanRangeWith0 = [ 0 ] ++ vlanRange; + vlanRangeWith0 = [0] ++ vlanRange; - mkVlanIpv4HostAddr = { vlanid, host, thirdIpv4SegmentMin ? 20, cidr ? true }: - let - # reserve the first subnet for vlanid == 0 - # number the other subnets continously from there - offset = - if vlanid == 0 - then thirdIpv4SegmentMin - else thirdIpv4SegmentMin + 1 - vlanRangeStart; - - in + mkVlanIpv4HostAddr = { + vlanid, + host, + thirdIpv4SegmentMin ? 20, + cidr ? true, + }: let + # reserve the first subnet for vlanid == 0 + # number the other subnets continously from there + offset = + if vlanid == 0 + then thirdIpv4SegmentMin + else thirdIpv4SegmentMin + 1 - vlanRangeStart; + in builtins.concatStringsSep "." - [ "192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}" ]; + ["192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}"]; defaultVlan = { name = "${localDomainName}"; 
@@ -58,32 +61,33 @@ let "15".packet_priority = -10; }; - vlansByName = lib.attrsets.mapAttrs' - (vlanid': attrs: - lib.attrsets.nameValuePair + vlansByName = + lib.attrsets.mapAttrs' + ( + vlanid': attrs: + lib.attrsets.nameValuePair attrs.name - (attrs // { id = lib.strings.toInt vlanid'; id' = vlanid'; }) + (attrs + // { + id = lib.strings.toInt vlanid'; + id' = vlanid'; + }) ) vlans; - getVlanDomain = { vlanid }: + getVlanDomain = {vlanid}: if vlanid == 0 - then - defaultVlan.name - else - vlans."${toString vlanid}".name + "." + defaultVlan.name - ; + then defaultVlan.name + else vlans."${toString vlanid}".name + "." + defaultVlan.name; bridgeInterfaceName = "br-lan"; - mkInterfaceName = { vlanid }: + mkInterfaceName = {vlanid}: if vlanid == 0 then bridgeInterfaceName - else "${bridgeInterfaceName}.${toString vlanid}" - ; + else "${bridgeInterfaceName}.${toString vlanid}"; exposedHost = "sj-srv1.dmz.internal"; -in -{ +in { imports = [ repoFlake.inputs.sops-nix.nixosModules.sops @@ -122,8 +126,8 @@ in sops.secrets.passwords-root.neededForUsers = true; - sops.secrets.wlan0_saePasswordsFile = { }; - sops.secrets.wlan0_wpaPskFile = { }; + sops.secrets.wlan0_saePasswordsFile = {}; + sops.secrets.wlan0_wpaPskFile = {}; } ]; 
@@ -179,324 +183,355 @@ in # https://github.com/thelegy/nixos-nftables-firewall/tree/main # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) - nftables = - { - enable = true; - stopRuleset = ""; + nftables = { + enable = true; + stopRuleset = ""; - chains = { - prerouting = { - "exposeHost" = { - after = [ "hook" ]; - rules = - let - wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; - in - # TODO: if this hostname doesn't resolve it'll break the whole ruleset - [ - "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" - "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}" - ]; - }; + chains = { + prerouting = { + "exposeHost" = { + after = ["hook"]; + rules = let + wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; + in + # TODO: if this hostname doesn't resolve it'll break the whole ruleset + [ + "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" + "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}" + ]; }; }; + }; - firewall = { - enable = true; - zones = { - lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; - vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; + firewall = { + enable = true; + zones = + { + lan.interfaces = [(mkInterfaceName {vlanid = 0;})]; + vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; # lan.ipv4Addresses = ["192.168.0.0/16"]; - wan.interfaces = [ "wan" "lan0" ]; - } // + wan.interfaces = ["wan" "lan0"]; + } + // # generate a zone for each vlan lib.attrsets.mapAttrs - (key: value: { - interfaces = [ (mkInterfaceName { vlanid = value.id; }) ]; - }) - vlansByName - ; - rules = - let - ipv6IcmpTypes = [ - "destination-unreachable" - "echo-reply" - 
"echo-request" - "packet-too-big" - "parameter-problem" - "time-exceeded" + (key: value: { + interfaces = [(mkInterfaceName {vlanid = value.id;})]; + }) + vlansByName; + rules = let + ipv6IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "packet-too-big" + "parameter-problem" + "time-exceeded" - # Without the nd-* ones ipv6 will not work. - "nd-neighbor-solicit" - "nd-router-advert" - "nd-neighbor-advert" + # Without the nd-* ones ipv6 will not work. + "nd-neighbor-solicit" + "nd-router-advert" + "nd-neighbor-advert" + ]; + ipv4IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "source-quench" + "time-exceeded" + "router-advertisement" + ]; + allowIcmpLines = [ + "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" + "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" + ]; + in { + fw = { + from = ["fw"]; + verdict = "accept"; + }; + + office-to-dmz = { + from = ["office"]; + to = ["dmz"]; + verdict = "accept"; + }; + + lan-to-fw = { + from = ["lan"]; + to = ["fw" "lan"]; + verdict = "accept"; + }; + + lan-to-wan = { + from = ["lan"]; + to = ["wan"]; + verdict = "accept"; + }; + + vlan-to-wan = { + from = ["vlan"]; + to = ["wan"]; + verdict = "accept"; + }; + + vlan-to-fw = { + allowedUDPPortRanges = [ + { + from = 67; + to = 68; + } + { + from = 53; + to = 53; + } + ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + { + from = 53; + to = 53; + } + { + from = 5201; + to = 5201; + } + ]; + from = ["vlan"]; + to = ["fw"]; + extraLines = + allowIcmpLines + ++ [ + "drop" ]; - ipv4IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "source-quench" - "time-exceeded" - "router-advertisement" + }; + + to-wan-nat = { + from = ["lan" "vlan"]; + to = ["wan"]; + masquerade = true; + verdict = "accept"; + }; + + wan-to-dmz = { + from = ["wan"]; + to = ["dmz"]; + verdict = "accept"; + }; + + wan-to-fw = { + from = 
["wan"]; + to = ["fw"]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + ]; + extraLines = + allowIcmpLines + ++ [ + "drop" ]; - allowIcmpLines = [ - "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" - "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" - ]; - in - { - fw = { - from = [ "fw" ]; - verdict = "accept"; - }; - - office-to-dmz = { - from = [ "office" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - lan-to-fw = { - from = [ "lan" ]; - to = [ "fw" "lan" ]; - verdict = "accept"; - }; - - lan-to-wan = { - from = [ "lan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-wan = { - from = [ "vlan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-fw = { - allowedUDPPortRanges = [ - { from = 67; to = 68; } - { from = 53; to = 53; } - ]; - allowedTCPPortRanges = [ - { from = 22; to = 22; } - { from = 53; to = 53; } - { from = 5201; to = 5201; } - ]; - from = [ "vlan" ]; - to = [ "fw" ]; - extraLines = allowIcmpLines ++ [ - "drop" - ]; - }; - - to-wan-nat = { - from = [ "lan" "vlan" ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - - wan-to-dmz = { - from = [ "wan" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - wan-to-fw = { - from = [ "wan" ]; - to = [ "fw" ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - ]; - extraLines = allowIcmpLines ++ [ - "drop" - ]; - }; - }; + }; }; }; + }; }; systemd.network = { wait-online.anyInterface = true; - netdevs = { - # Create the bridge interface - "20-${bridgeInterfaceName}" = { - netdevConfig = { - Kind = "bridge"; - Name = bridgeInterfaceName; + netdevs = + { + # Create the bridge interface + "20-${bridgeInterfaceName}" = { + netdevConfig = { + Kind = "bridge"; + Name = bridgeInterfaceName; + }; + + extraConfig = '' + [Bridge] + STP=yes + VLANFiltering=yes + VLANProtocol=802.1q + DefaultPVID=0 + ''; }; - - extraConfig = '' - [Bridge] - STP=yes - VLANFiltering=yes - 
VLANProtocol=802.1q - DefaultPVID=0 - ''; - }; - - } - # generate the vlan devices. these will be tagged on the main bridge - // builtins.foldl' + } + # generate the vlan devices. these will be tagged on the main bridge + // builtins.foldl' (acc: cur: acc // cur) - { } - (builtins.map - ({ vlanid, vlanid' }: { - "20-${mkInterfaceName { inherit vlanid; }}" = { + {} + ( + builtins.map + ({ + vlanid, + vlanid', + }: { + "20-${mkInterfaceName {inherit vlanid;}}" = { netdevConfig = { Kind = "vlan"; - Name = "${mkInterfaceName { inherit vlanid; }}"; + Name = "${mkInterfaceName {inherit vlanid;}}"; }; vlanConfig.Id = vlanid; }; }) - (builtins.map - (vlanid: { inherit vlanid; vlanid' = builtins.toString vlanid; }) + ( + builtins.map + (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange ) - ) - ; - networks = { - # use lan0 as secondary WAN interface - "10-lan0-wan" = { - matchConfig.Name = "lan0"; - networkConfig = { - # start a DHCP Client for IPv4 Addressing/Routing - DHCP = "ipv4"; - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - DNSOverTLS = true; - DNSSEC = true; - IPv6PrivacyExtensions = false; - IPForward = true; + ); + networks = + { + # use lan0 as secondary WAN interface + "10-lan0-wan" = { + matchConfig.Name = "lan0"; + networkConfig = { + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + DNSOverTLS = true; + DNSSEC = true; + IPv6PrivacyExtensions = false; + IPForward = true; + }; + # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min + linkConfig.RequiredForOnline = "no"; }; - # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min - linkConfig.RequiredForOnline = "no"; - }; - "10-wan" = { - matchConfig.Name = "wan"; - networkConfig = { - # start a DHCP Client for IPv4 Addressing/Routing - DHCP = "ipv4"; 
- # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - DNSOverTLS = true; - DNSSEC = true; - IPv6PrivacyExtensions = false; - IPForward = true; + "10-wan" = { + matchConfig.Name = "wan"; + networkConfig = { + # start a DHCP Client for IPv4 Addressing/Routing + DHCP = "ipv4"; + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + DNSOverTLS = true; + DNSSEC = true; + IPv6PrivacyExtensions = false; + IPForward = true; + }; + # make routing on this interface a dependency for network-online.target + linkConfig.RequiredForOnline = "routable"; }; - # make routing on this interface a dependency for network-online.target - linkConfig.RequiredForOnline = "routable"; - }; - # Connect the bridge ports to the bridge - "30-lan1" = { - matchConfig.Name = "lan1"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; + # Connect the bridge ports to the bridge + "30-lan1" = { + matchConfig.Name = "lan1"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlansByName.dmz.id; + PVID = vlansByName.dmz.id; + EgressUntagged = vlansByName.dmz.id; + }; + } + ]; }; - linkConfig.RequiredForOnline = "enslaved"; - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlansByName.dmz.id; - PVID = vlansByName.dmz.id; - EgressUntagged = vlansByName.dmz.id; - }; - } - ]; - }; + "30-lan2" = { + matchConfig.Name = "lan2"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; - "30-lan2" = { - matchConfig.Name = "lan2"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlansByName.office.id; + PVID = vlansByName.office.id; + EgressUntagged = vlansByName.office.id; + }; + 
} + ]; }; - linkConfig.RequiredForOnline = "enslaved"; - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlansByName.office.id; - PVID = vlansByName.office.id; - EgressUntagged = vlansByName.office.id; - }; - } - ]; - }; + "30-lan3" = { + matchConfig.Name = "lan3"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; - "30-lan3" = { - matchConfig.Name = "lan3"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; + }; + } + ]; }; - linkConfig.RequiredForOnline = "enslaved"; + # Configure the bridge for its desired function + "40-${bridgeInterfaceName}" = { + matchConfig.Name = bridgeInterfaceName; + bridgeConfig = {}; + address = [ + (mkVlanIpv4HostAddr { + vlanid = 0; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; - }; - } - ]; - }; - # Configure the bridge for its desired function - "40-${bridgeInterfaceName}" = { - matchConfig.Name = bridgeInterfaceName; - bridgeConfig = { }; - address = [ - (mkVlanIpv4HostAddr { vlanid = 0; host = 1; }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; + }; + } + ]; + + vlan = ( + builtins.map + (vlanid: (mkInterfaceName {inherit vlanid;})) + vlanRange + ); }; - # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN 
= "${toString vlanRangeStart}-${toString vlanRangeEnd}"; - }; - } - ]; - - vlan = (builtins.map - (vlanid: (mkInterfaceName { inherit vlanid; })) - vlanRange - ); - }; - - } - - # configuration for the hostapd dynamic interfaces - # * netdev type vlan - # * host address for vlan - # * vlan config for wlan interface - // - builtins.foldl' + } + # configuration for the hostapd dynamic interfaces + # * netdev type vlan + # * host address for vlan + # * vlan config for wlan interface + // builtins.foldl' (acc: cur: acc // cur) - { } + {} (builtins.map - ({ vlanid, vlanid' }: { + ({ + vlanid, + vlanid', + }: { # configure the tagged vlan device with an address and vlan filtering. # dnsmasq is configured to serve the respective /24 range on each tagged device. # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. - "41-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; + "41-${mkInterfaceName {inherit vlanid;}}" = { + matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; address = [ - (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 1; + }) ]; networkConfig = { ConfigureWithoutCarrier = true; @@ -538,10 +573,13 @@ in ]; }; - "50-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; + "50-${mkInterfaceName {inherit vlanid;}}" = { + matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; address = [ - (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 1; + }) ]; networkConfig = { ConfigureWithoutCarrier = true; 
@@ -549,259 +587,259 @@ in linkConfig.RequiredForOnline = "no"; }; }) - (builtins.map - (vlanid: { inherit vlanid; vlanid' = builtins.toString vlanid; }) + ( + builtins.map + (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange - )) - ; + )); }; # wireless access point services.hostapd = { enable = true; package = nodeFlake.packages.${system}.hostapd_patched; - radios = - let - # generated with https://miniwebtool.com/mac-address-generator/ - mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; - in - { - wlan0 = { - band = "2g"; - countryCode = "CH"; - channel = 0; # ACS + radios = let + # generated with https://miniwebtool.com/mac-address-generator/ + mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; + in { + wlan0 = { + band = "2g"; + countryCode = "CH"; + channel = 0; # ACS - # use 'iw phy#1 info' to determine your VHT capabilities - wifi4 = { - enable = true; - capabilities = [ "HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935" ]; - }; - networks = { - wlan0 = - let - iface = "wlan0"; - in - { - ssid = "mlsia"; - bssid = mkBssid 0; + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + }; + networks = { + wlan0 = let + iface = "wlan0"; + in { + ssid = "mlsia"; + bssid = mkBssid 0; - # authentication.mode = "wpa3-sae"; - authentication.mode = "wpa3-sae-transition"; + # authentication.mode = "wpa3-sae"; + authentication.mode = "wpa3-sae-transition"; - authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; - authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; + authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; + authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference - settings = { - # bridge = 
bridgeInterfaceName; + # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference + settings = { + # bridge = bridgeInterfaceName; - # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; - # not yet supported on hostapd 2.10 - # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; + # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; + # not yet supported on hostapd 2.10 + # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - # enables debug logging - logger_stdout_level = lib.mkForce 0; - logger_stdout = -1; - # logger_syslog_level= lib.mkForce 0; + # enables debug logging + logger_stdout_level = lib.mkForce 0; + logger_stdout = -1; + # logger_syslog_level= lib.mkForce 0; - # resources on vlan tagging - # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging - # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 + # resources on vlan tagging + # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging + # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - dynamic_vlan = 1; + dynamic_vlan = 1; - # this option currently requires a patch to hostapd - vlan_no_bridge = 1; + # this option currently requires a patch to hostapd + vlan_no_bridge = 1; - /* not used due to the above vlan_no_bridge setting + /* + not used due to the above vlan_no_bridge setting vlan_tagged_interface = bridgeInterfaceName; vlan_naming = 1; vlan_bridge = "br-${iface}."; - */ + */ - vlan_file = - let - generated = builtins.map - (vlanid: - "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" - ) - vlanRange - ; + vlan_file = let + generated = + builtins.map + ( + vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" + ) + vlanRange; - wildcard = [ - # Optional wildcard entry matching all VLAN IDs. 
The first # in the interface - # name will be replaced with the VLAN ID. The network interfaces are created - # (and removed) dynamically based on the use. - # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan - "* ${iface}.#" - ]; + wildcard = [ + # Optional wildcard entry matching all VLAN IDs. The first # in the interface + # name will be replaced with the VLAN ID. The network interfaces are created + # (and removed) dynamically based on the use. + # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan + "* ${iface}.#" + ]; - file = pkgs.writeText "hostapd.vlan" - (builtins.concatStringsSep "\n" (generated ++ wildcard)); - filePath = toString file; - in - filePath; + file = + pkgs.writeText "hostapd.vlan" + (builtins.concatStringsSep "\n" (generated ++ wildcard)); + filePath = toString file; + in + filePath; - wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ - "WPA-PSK" + wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ + "WPA-PSK" - # TODO: the printer can't connect when this is on - # "WPA-PSK-SHA256" + # TODO: the printer can't connect when this is on + # "WPA-PSK-SHA256" - # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them - # "SAE" - ]); + # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them + # "SAE" + ]); - # wpa_psk_radius = 0; - wpa_pairwise = "CCMP"; - wmm_enabled = 1; + # wpa_psk_radius = 0; + wpa_pairwise = "CCMP"; + wmm_enabled = 1; - # IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks - ieee80211w = 1; - sae_require_mfp = 1; - sae_groups = "19 20 21"; + # IEEE 802.11i (authentication) related configuration + # Encrypt management frames to protect against deauthentication and similar attacks + ieee80211w = 1; + sae_require_mfp = 1; + sae_groups = "19 20 21"; - # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) - tls_flags = "[ENABLE-TLSv1.3]"; + # 
[ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) + tls_flags = "[ENABLE-TLSv1.3]"; - ieee8021x = 0; - eap_server = 0; - }; - }; - - # wlan0-1 = { - # ssid = "mlsia-testing"; - # authentication = { - # mode = "wpa3-sae-transition"; - # }; - - # bssid = mkBssid 1; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; - - # wlan0-1 = { - # ssid = "justtestingwifi-wpa3"; - # authentication = { - # mode = "wpa3-sae"; - # saePasswordsFile = config.sops.secrets.wlan0_1_saePasswordFile.path; - # }; - - # bssid = mkBssid 1; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; - - # Uncomment when needed otherwise remove - # wlan0-1 = { - # ssid = "koteczkowo3"; - # authentication = { - # mode = "none"; # this is overriden by settings - # }; - # managementFrameProtection = "optional"; - # bssid = "e6:02:43:07:00:00"; - # settings = { - # bridge = bridgeInterfaceName; - # wpa = lib.mkForce 2; - # wpa_key_mgmt = "WPA-PSK"; - # wpa_pairwise = "CCMP"; - # wpa_psk_file = config.sops.secrets.legacyWifiPassword.path; - # }; - # }; + ieee8021x = 0; + eap_server = 0; + }; }; + + # wlan0-1 = { + # ssid = "mlsia-testing"; + # authentication = { + # mode = "wpa3-sae-transition"; + # }; + + # bssid = mkBssid 1; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + + # wlan0-1 = { + # ssid = "justtestingwifi-wpa3"; + # authentication = { + # mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wlan0_1_saePasswordFile.path; + # }; + + # bssid = mkBssid 1; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + + # Uncomment when needed otherwise remove + # wlan0-1 = { + # ssid = "koteczkowo3"; + # authentication = { + # mode = "none"; # this is overriden by settings + # }; + # managementFrameProtection = "optional"; + # bssid = "e6:02:43:07:00:00"; + # settings = { + # bridge = bridgeInterfaceName; + # wpa = lib.mkForce 2; + # wpa_key_mgmt = "WPA-PSK"; + # wpa_pairwise = "CCMP"; + # wpa_psk_file = 
config.sops.secrets.legacyWifiPassword.path; + # }; + # }; }; - - # wlan1 = { - # band = "5g"; - # # channels with 160 MHz width in Poland: 36, 52, 100 i 116 - # channel = 0; # ACS - # countryCode = "PL"; - - # # use 'iw phy#1 info' to determine your VHT capabilities - # wifi4 = { - # enable = true; - # capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; - # }; - # wifi5 = { - # enable = true; - # operatingChannelWidth = "160"; - # capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; - # }; - # wifi6 = { - # enable = true; - # singleUserBeamformer = true; - # singleUserBeamformee = true; - # multiUserBeamformer = true; - # operatingChannelWidth = "160"; - # }; - # settings = { - # # these two are mandatory for wifi 5 & 6 to work - # vht_oper_centr_freq_seg0_idx = 50; - # he_oper_centr_freq_seg0_idx = 50; - - # # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for - # # transmitting data packets from the second data queue of a network interface. - # # It determines the number of packets that can be sent in a burst. - # # Adjusting this parameter can impact network throughput and latency. - # tx_queue_data2_burst = 2; - - # # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header. - # # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios. - # # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference. 
- # he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63 - - # # Magic values that were set by openwrt but I didn't bother inspecting every single one - # he_spr_sr_control = 3; - # he_default_pe_duration = 4; - # he_rts_threshold = 1023; - - # he_mu_edca_qos_info_param_count = 0; - # he_mu_edca_qos_info_q_ack = 0; - # he_mu_edca_qos_info_queue_request = 0; - # he_mu_edca_qos_info_txop_request = 0; - - # # he_mu_edca_ac_be_aci=0; missing in 2.10 - # he_mu_edca_ac_be_aifsn = 8; - # he_mu_edca_ac_be_ecwmin = 9; - # he_mu_edca_ac_be_ecwmax = 10; - # he_mu_edca_ac_be_timer = 255; - - # he_mu_edca_ac_bk_aifsn = 15; - # he_mu_edca_ac_bk_aci = 1; - # he_mu_edca_ac_bk_ecwmin = 9; - # he_mu_edca_ac_bk_ecwmax = 10; - # he_mu_edca_ac_bk_timer = 255; - - # he_mu_edca_ac_vi_ecwmin = 5; - # he_mu_edca_ac_vi_ecwmax = 7; - # he_mu_edca_ac_vi_aifsn = 5; - # he_mu_edca_ac_vi_aci = 2; - # he_mu_edca_ac_vi_timer = 255; - - # he_mu_edca_ac_vo_aifsn = 5; - # he_mu_edca_ac_vo_aci = 3; - # he_mu_edca_ac_vo_ecwmin = 5; - # he_mu_edca_ac_vo_ecwmax = 7; - # he_mu_edca_ac_vo_timer = 255; - # }; - # networks = { - # wlan1 = { - # ssid = "koteczkowo5"; - # authentication = { - # mode = "wpa3-sae"; - # saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible. 
- # }; - # bssid = "36:b9:02:21:08:a2"; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; - # }; - # }; }; + + # wlan1 = { + # band = "5g"; + # # channels with 160 MHz width in Poland: 36, 52, 100 i 116 + # channel = 0; # ACS + # countryCode = "PL"; + + # # use 'iw phy#1 info' to determine your VHT capabilities + # wifi4 = { + # enable = true; + # capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; + # }; + # wifi5 = { + # enable = true; + # operatingChannelWidth = "160"; + # capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; + # }; + # wifi6 = { + # enable = true; + # singleUserBeamformer = true; + # singleUserBeamformee = true; + # multiUserBeamformer = true; + # operatingChannelWidth = "160"; + # }; + # settings = { + # # these two are mandatory for wifi 5 & 6 to work + # vht_oper_centr_freq_seg0_idx = 50; + # he_oper_centr_freq_seg0_idx = 50; + + # # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for + # # transmitting data packets from the second data queue of a network interface. + # # It determines the number of packets that can be sent in a burst. + # # Adjusting this parameter can impact network throughput and latency. + # tx_queue_data2_burst = 2; + + # # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header. + # # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios. + # # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference. 
+ # he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63 + + # # Magic values that were set by openwrt but I didn't bother inspecting every single one + # he_spr_sr_control = 3; + # he_default_pe_duration = 4; + # he_rts_threshold = 1023; + + # he_mu_edca_qos_info_param_count = 0; + # he_mu_edca_qos_info_q_ack = 0; + # he_mu_edca_qos_info_queue_request = 0; + # he_mu_edca_qos_info_txop_request = 0; + + # # he_mu_edca_ac_be_aci=0; missing in 2.10 + # he_mu_edca_ac_be_aifsn = 8; + # he_mu_edca_ac_be_ecwmin = 9; + # he_mu_edca_ac_be_ecwmax = 10; + # he_mu_edca_ac_be_timer = 255; + + # he_mu_edca_ac_bk_aifsn = 15; + # he_mu_edca_ac_bk_aci = 1; + # he_mu_edca_ac_bk_ecwmin = 9; + # he_mu_edca_ac_bk_ecwmax = 10; + # he_mu_edca_ac_bk_timer = 255; + + # he_mu_edca_ac_vi_ecwmin = 5; + # he_mu_edca_ac_vi_ecwmax = 7; + # he_mu_edca_ac_vi_aifsn = 5; + # he_mu_edca_ac_vi_aci = 2; + # he_mu_edca_ac_vi_timer = 255; + + # he_mu_edca_ac_vo_aifsn = 5; + # he_mu_edca_ac_vo_aci = 3; + # he_mu_edca_ac_vo_ecwmin = 5; + # he_mu_edca_ac_vo_ecwmax = 7; + # he_mu_edca_ac_vo_timer = 255; + # }; + # networks = { + # wlan1 = { + # ssid = "koteczkowo5"; + # authentication = { + # mode = "wpa3-sae"; + # saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible. + # }; + # bssid = "36:b9:02:21:08:a2"; + # settings = { + # bridge = bridgeInterfaceName; + # }; + # }; + # }; + # }; + }; }; services.resolved.enable = false; 
@@ -826,21 +864,35 @@ in
 local-ttl = 0;
 dhcp-ttl = 0;
 
- dhcp-range =
- let
- mkDhcpRange = { tag, vlanid }: builtins.concatStringsSep "," [
+ dhcp-range = let
+ mkDhcpRange = {
+ tag,
+ vlanid,
+ }:
+ builtins.concatStringsSep "," [
 tag
- (mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; })
- (mkVlanIpv4HostAddr { inherit vlanid; host = 199; cidr = false; })
+ (mkVlanIpv4HostAddr {
+ inherit vlanid;
+ host = 100;
+ cidr = false;
+ })
+ (mkVlanIpv4HostAddr {
+ inherit vlanid;
+ host = 199;
+ cidr = false;
+ })
 "12h"
 ];
- in
+ in
 builtins.map
- (vlanid:
- mkDhcpRange { tag = mkInterfaceName { inherit vlanid; }; inherit vlanid; }
- )
- vlanRangeWith0
- ;
+ (
+ vlanid:
+ mkDhcpRange {
+ tag = mkInterfaceName {inherit vlanid;};
+ inherit vlanid;
+ }
+ )
+ vlanRangeWith0;
 
 # interface = bridgeInterfaceName;
 # bind-interfaces = true;
@@ -854,7 +906,6 @@ in
 # don't use /etc/hosts as this would advertise ${nodeName} as localhost
 no-hosts = true;
 
- # address = "/${nodeName}.lan/${fwLanHostAddr}";
 
 server = [
 # upstream DNS servers
@@ -869,33 +920,40 @@ in # "9.9.9.9" "8.8.8.8" "1.1.1.1" ]; - domain = [ - "/${getVlanDomain {vlanid = 0;}}/,local" - ] ++ builtins.map - (vlanid: - "${getVlanDomain {inherit vlanid;}},${mkVlanIpv4HostAddr { inherit vlanid; host = 0; cidr = true; }},local" + domain = + [ + "/${getVlanDomain {vlanid = 0;}}/,local" + ] + ++ builtins.map + ( + vlanid: "${getVlanDomain {inherit vlanid;}},${mkVlanIpv4HostAddr { + inherit vlanid; + host = 0; + cidr = true; + }},local" ) - vlanRangeWith0 - ; + vlanRangeWith0; # TODO: compare this to using `interface-name` - dynamic-host = [ - ] ++ builtins.map - (vlanid: - builtins.concatStringsSep "," [ - # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - "${nodeName}.${getVlanDomain{inherit vlanid;}}" - "0.0.0.1" - (mkInterfaceName { inherit vlanid; }) - ] + dynamic-host = + [ + ] + ++ builtins.map + ( + vlanid: + builtins.concatStringsSep "," [ + # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) + "${nodeName}.${getVlanDomain {inherit vlanid;}}" + "0.0.0.1" + (mkInterfaceName {inherit vlanid;}) + ] ) - vlanRangeWith0 - ; + vlanRangeWith0; - dhcp-option-force = builtins.map - (vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain{inherit vlanid;}}") - vlanRangeWith0 - ; + dhcp-option-force = + builtins.map + (vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain {inherit vlanid;}}") + vlanRangeWith0; # auth-server = [ # (builtins.concatStringsSep "," [ 
@@ -928,10 +986,10 @@ in # They fail to load properly, leaving the system without working ethernet, they'll oops on # remove. MTK-DSA parts and PCIe were observed to do this. boot.initrd.includeDefaultModules = false; - boot.initrd.kernelModules = [ "rfkill" "cfg80211" "mt7915e" ]; - boot.initrd.availableKernelModules = [ "nvme" ]; + boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"]; + boot.initrd.availableKernelModules = ["nvme"]; - boot.kernelParams = [ "console=ttyS0,115200" ]; + boot.kernelParams = ["console=ttyS0,115200"]; hardware.enableRedistributableFirmware = true; # Wireless hardware exists, regulatory database is essential. hardware.wirelessRegulatoryDatabase = true; diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix index 494551e..22c71ae 100644 --- a/nix/os/devices/router0-dmz0/flake.nix +++ b/nix/os/devices/router0-dmz0/flake.nix @@ -19,7 +19,6 @@ bpir3.inputs.nixpkgs.follows = "nixpkgs"; - nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; @@ -60,13 +59,17 @@ nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = (import ./default.nix { - system = nativeSystem; - inherit nodeName; + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; - repoFlake = get-flake ../../../..; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; + repoFlake = get-flake ../../../..; + nodeFlake = self; + }) + .meta + .nodeSpecialArgs + .${nodeName}; modules = [ @@ -88,7 +91,6 @@ linuxPackages_bpir3_latest ; }) - ]; } ] 
@@ -112,19 +114,22 @@ }; packages = let - mkPatchedHostapd = pkgs: pkgs.hostapd.overrideDerivation(attrs: { - patches = attrs.patches ++ [ - "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" - ]; - }); + mkPatchedHostapd = pkgs: + pkgs.hostapd.overrideDerivation (attrs: { + patches = + attrs.patches + ++ [ + "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" + ]; + }); in { - "${nativeSystem}" = { - hostapd_patched = mkPatchedHostapd pkgs; - }; + "${nativeSystem}" = { + hostapd_patched = mkPatchedHostapd pkgs; + }; - cross = { - hostapd_patched = mkPatchedHostapd pkgsCross; - }; + cross = { + hostapd_patched = mkPatchedHostapd pkgsCross; + }; }; }; } diff --git a/nix/os/devices/sj-bm-hostkey0/configuration.nix b/nix/os/devices/sj-bm-hostkey0/configuration.nix index f2dd56d..5c32ea3 100644 --- a/nix/os/devices/sj-bm-hostkey0/configuration.nix +++ b/nix/os/devices/sj-bm-hostkey0/configuration.nix @@ -1,13 +1,14 @@ -{ modulesPath -, repoFlake -, packages' -, pkgs -, lib -, config -, nodeFlake -, nodeName -, system -, ... +{ + modulesPath, + repoFlake, + packages', + pkgs, + lib, + config, + nodeFlake, + nodeName, + system, + ... }: { disabledModules = [ ]; @@ -34,7 +35,7 @@ inherit pkgs; }; - home-manager.users.steveej = { pkgs, ... }: { + home-manager.users.steveej = {pkgs, ...}: { imports = [ ../../../home-manager/configuration/text-minimal.nix ]; @@ -51,7 +52,7 @@ programs.zsh.enable = true; users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = [ "/share/zsh" ]; + environment.pathsToLink = ["/share/zsh"]; } ]; 
@@ -82,54 +83,52 @@ firewall.enable = false; }; - disko.devices = - let - disk = id: { - type = "disk"; - device = "/dev/${id}"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - mdadm = { - size = "100%"; - content = { - type = "mdraid"; - name = "raid0"; - }; + disko.devices = let + disk = id: { + type = "disk"; + device = "/dev/${id}"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + mdadm = { + size = "100%"; + content = { + type = "mdraid"; + name = "raid0"; }; }; }; }; - in - { - disk = { - sda = disk "sda"; - sdb = disk "sdb"; - }; - mdadm = { - raid0 = { - type = "mdadm"; - level = 0; - content = { - type = "gpt"; - partitions = { - primary = { - size = "100%"; - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; - }; + }; + in { + disk = { + sda = disk "sda"; + sdb = disk "sdb"; + }; + mdadm = { + raid0 = { + type = "mdadm"; + level = 0; + content = { + type = "gpt"; + partitions = { + primary = { + size = "100%"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; }; }; }; }; }; }; + }; system.stateVersion = "23.11"; diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix index ff7d0a1..bada0c3 100644 --- a/nix/os/devices/sj-srv1/configuration.nix +++ b/nix/os/devices/sj-srv1/configuration.nix @@ -1,9 +1,10 @@ -{ nodeName -, config -, pkgs -, ... +{ + nodeName, + config, + pkgs, + ... }: { - disabledModules = [ ]; + disabledModules = []; imports = [ ../../profiles/common/configuration.nix { diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix index 226275c..65a001d 100644 --- a/nix/os/devices/sj-srv1/hw.nix +++ b/nix/os/devices/sj-srv1/hw.nix 
@@ -43,7 +43,7 @@ in { enable = true; encrypted = false; diskId = "virtio-virtio-paeNi8Fof9Oe"; - earlyDiskIdOverride = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN"; + earlyDiskIdOverride = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN"; }; boot.initrd.kernelModules = stage1Modules; diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix index d1f9774..c481d5d 100644 --- a/nix/os/devices/sj-srv1/system.nix +++ b/nix/os/devices/sj-srv1/system.nix @@ -1,12 +1,11 @@ -{ pkgs -, lib -, config -, repoFlake -, nodeName -, ... -}: - { + pkgs, + lib, + config, + repoFlake, + nodeName, + ... +}: { imports = [ ../../snippets/systemd-resolved.nix ]; 
@@ -28,52 +27,50 @@ networking.nat = { enable = true; - internalInterfaces = [ "ve-*" ]; + internalInterfaces = ["ve-*"]; externalInterface = "eth0"; }; # virtualization - virtualisation = { docker.enable = false; }; + virtualisation = {docker.enable = false;}; - nix.gc = { automatic = true; }; + nix.gc = {automatic = true;}; sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix - services.restic.backups.${nodeName} = - let - btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; - in - { - initialize = true; - repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; + services.restic.backups.${nodeName} = let + btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; + in { + initialize = true; + repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; - paths = [ - "/backup" - ]; + paths = [ + "/backup" + ]; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 5" - "--keep-monthly 12" - "--keep-yearly 2" - ]; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 2" + ]; - timerConfig = { - OnCalendar = lib.mkDefault "daily"; - Persistent = true; - }; - - passwordFile = config.sops.secrets.restic-password.path; - - backupPrepareCommand = '' - ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes - ''; - backupCleanupCommand = '' - ${btrfs} su delete /backup/container-volumes - ''; + timerConfig = { + OnCalendar = lib.mkDefault "daily"; + Persistent = true; }; + passwordFile = config.sops.secrets.restic-password.path; + + backupPrepareCommand = '' + ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes + ''; + backupCleanupCommand = '' + ${btrfs} su delete /backup/container-volumes + ''; + }; + containers = { mailserver = import ../../containers/mailserver.nix { inherit repoFlake; 
@@ -89,17 +86,17 @@ webserver = import ../../containers/webserver.nix - { - inherit repoFlake; + { + inherit repoFlake; - autoStart = true; + autoStart = true; - hostAddress = "192.168.100.12"; - localAddress = "192.168.100.13"; + hostAddress = "192.168.100.12"; + localAddress = "192.168.100.13"; - httpPort = 80; - httpsPort = 443; - }; + httpPort = 80; + httpsPort = 443; + }; syncthing = import ../../containers/syncthing.nix { autoStart = true; diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix index 43eca83..2bb6048 100644 --- a/nix/os/devices/sj-vps-htz0/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -1,14 +1,13 @@ -{ pkgs -, lib -, config -, repoFlake -, nodeName -, ... -}: -let - wireguardPort = 51820; -in { + pkgs, + lib, + config, + repoFlake, + nodeName, + ... +}: let + wireguardPort = 51820; +in { imports = [ ../../snippets/systemd-resolved.nix ]; @@ -39,7 +38,7 @@ in "prefixLength" = 29; } ]; - ipv6.addresses = [ ]; + ipv6.addresses = []; }; networking.defaultGateway = { @@ -54,7 +53,7 @@ in networking.nat = { enable = true; - internalInterfaces = [ "ve-*" "wg*" ]; + internalInterfaces = ["ve-*" "wg*"]; externalInterface = "eth0"; }; @@ -79,7 +78,7 @@ in privateKeyFile = config.sops.secrets.wg0-private.path; peers = [ { - allowedIPs = [ "192.168.99.2/32" ]; + allowedIPs = ["192.168.99.2/32"]; publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0="; presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path; } @@ -87,15 +86,14 @@ in }; # virtualization - virtualisation = { docker.enable = false; }; + virtualisation = {docker.enable = false;}; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; - nix.gc = { automatic = true; }; + nix.gc = {automatic = true;}; containers = { - }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { 
diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index 0b199cc..a094278 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -1,4 +1,4 @@ -{ ... }: { +{...}: { imports = [ ../../snippets/home-manager-with-zsh.nix ../../snippets/nix-settings-holo-chain.nix @@ -19,8 +19,7 @@ ./boot.nix # samba seerver - ({ lib, ... }: { - + ({lib, ...}: { # networking.firewall.enable = lib.mkForce false; services.samba-wsdd.enable = true; # make shares visible for windows 10 clients networking.firewall.allowedTCPPorts = [ diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix index 430b017..bcb5e94 100644 --- a/nix/os/devices/steveej-t14/default.nix +++ b/nix/os/devices/steveej-t14/default.nix @@ -1,17 +1,16 @@ -{ nodeName -, repoFlake -, repoFlakeWithSystem -, nodeFlake -, ... -}: -let - system = "x86_64-linux"; -in { + nodeName, + repoFlake, + repoFlakeWithSystem, + nodeFlake, + ... +}: let + system = "x86_64-linux"; +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); }; meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index ea1352c..1b905e0 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix @@ -1,7 +1,5 @@ -{ lib, ... }: -let -in -{ +{lib, ...}: let +in { # TASK: new device hardware.opinionatedDisk = { enable = true; 
@@ -68,16 +66,16 @@ in enable = false; levels = [ # ["level auto" 0 60] - [ 0 0 60 ] - [ 1 60 65 ] - [ 1 65 75 ] - [ 2 75 78 ] - [ 3 78 80 ] - [ 4 80 82 ] - [ 5 82 84 ] - [ 6 84 86 ] - [ 7 86 88 ] - [ "level full-speed" 88 999 ] + [0 0 60] + [1 60 65] + [1 65 75] + [2 75 78] + [3 78 80] + [4 80 82] + [5 82 84] + [6 84 86] + [7 86 88] + ["level full-speed" 88 999] ]; extraArgs = [ diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix index 806de3c..0cc3c04 100644 --- a/nix/os/devices/steveej-t14/pkg.nix +++ b/nix/os/devices/steveej-t14/pkg.nix @@ -1,8 +1,9 @@ -{ pkgs -, lib -, repoFlake -, nodeFlake -, ... +{ + pkgs, + lib, + repoFlake, + nodeFlake, + ... }: { system.stateVersion = "23.05"; home-manager.users.root = _: { @@ -20,7 +21,7 @@ }) ]; - home.sessionVariables = { }; + home.sessionVariables = {}; home.packages = with pkgs; [ ]; 
@@ -37,28 +38,26 @@ # # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. - services.greetd = - let - # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" - swayConfig = pkgs.writeText "greetd-sway-config" '' - # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. - exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" - bindsym Mod4+shift+e exec swaynag \ - -t warning \ - -m 'What do you want to do?' \ - -b 'Poweroff' 'systemctl poweroff' \ - -b 'Reboot' 'systemctl reboot' - ''; - in - { - enable = false; - settings = { - vt = 1; - default_session = { - command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; - }; + services.greetd = let + # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" + swayConfig = pkgs.writeText "greetd-sway-config" '' + # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. + exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" + bindsym Mod4+shift+e exec swaynag \ + -t warning \ + -m 'What do you want to do?' \ + -b 'Poweroff' 'systemctl poweroff' \ + -b 'Reboot' 'systemctl reboot' + ''; + in { + enable = false; + settings = { + vt = 1; + default_session = { + command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; }; }; + }; environment.etc."greetd/environments".text = '' sway @@ -107,5 +106,4 @@ # # }; # # }; # }; - } diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index 9dc6590..4d43885 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix 
@@ -1,11 +1,11 @@ -{ pkgs -, lib -, config -, nodeName -, repoFlake -, ... -}: -let +{ + pkgs, + lib, + config, + nodeName, + repoFlake, + ... +}: let localTcpPorts = [ 22 @@ -21,9 +21,7 @@ let 22000 21027 ]; - -in -{ +in { nix.settings = { substituters = [ ]; @@ -41,7 +39,7 @@ in system = "x86_64-linux"; maxJobs = 32; speedFactor = 100; - supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features ++ [ ]; + supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features ++ []; } { @@ -52,7 +50,7 @@ in system = "aarch64-linux"; maxJobs = 32; speedFactor = 100; - supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [ ]; + supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ []; } ]; @@ -61,7 +59,7 @@ in networking.extraHosts = '' ''; - networking.bridges."virbr1".interfaces = [ ]; + networking.bridges."virbr1".interfaces = []; networking.interfaces."virbr1".ipv4.addresses = [ { address = "10.254.254.254"; @@ -94,7 +92,7 @@ in # virtualization virtualisation = { - libvirtd = { enable = true; }; + libvirtd = {enable = true;}; virtualbox.host = { enable = false; @@ -112,9 +110,9 @@ in # client min protocol = NT1 ''; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; + services.xserver.videoDrivers = lib.mkForce ["amdgpu"]; hardware.ledger.enable = true; diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index 2a83802..6068f93 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix 
@@ -1,20 +1,19 @@ -{ config -, pkgs -, lib -, ... -}: -let - keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; -in { + config, + pkgs, + lib, + ... +}: let + keys = import ../../../variables/keys.nix; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; +in { users.users.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; }; - nix.settings.trusted-users = [ "steveej" ]; + nix.settings.trusted-users = ["steveej"]; security.pam.u2f.enable = true; security.pam.services.steveej.u2fAuth = true; diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix index eae1137..6f31bc9 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix @@ -1,15 +1,14 @@ -{ repoFlake -, nodeFlake -, pkgs -, lib -, config -, nodeName -, localDomainName -, system -, ... -}: - { + repoFlake, + nodeFlake, + pkgs, + lib, + config, + nodeName, + localDomainName, + system, + ... +}: { nixos-x13s = { enable = true; # TODO: use hardware address @@ -42,8 +41,8 @@ echo $? ) ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; + requiredBy = ["bluetooth.service"]; + before = ["bluetooth.service"]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -80,7 +79,6 @@ }; } - ../../snippets/home-manager-with-zsh.nix ../../snippets/sway-desktop.nix ../../snippets/bluetooth.nix @@ -115,7 +113,7 @@ ../../../home-manager/configuration/graphical-fullblown.nix ]; - home.sessionVariables = { }; + home.sessionVariables = {}; home.packages = with pkgs; [ ]; 
@@ -129,7 +127,7 @@ loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = lib.mkForce false; loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ "wwan" ]; + blacklistedKernelModules = ["wwan"]; initrd.kernelModules = [ "phy_qcom_qmp_usb" diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix index fc3933e..fa66cf4 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/default.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/default.nix @@ -1,25 +1,26 @@ -{ system ? "aarch64-linux" -, nodeName -, repoFlake -, repoFlakeWithSystem -, nodeFlake -, localDomainName ? "internal" -, ... +{ + system ? "aarch64-linux", + nodeName, + repoFlake, + repoFlakeWithSystem, + nodeFlake, + localDomainName ? "internal", + ... }: { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); inherit localDomainName; }; meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix index e7e0391..e56b0d1 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/disko.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/disko.nix @@ -24,7 +24,7 @@ content = { type = "luks"; name = "x13s-usb-crypt"; - extraOpenArgs = [ ]; + extraOpenArgs = []; # disable settings.keyFile if you want to use interactive password entry #passwordFile = "/tmp/secret.key"; # Interactive settings = { 
@@ -36,19 +36,19 @@ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; content = { type = "btrfs"; - extraArgs = [ "-f" ]; + extraArgs = ["-f"]; subvolumes = { "/root" = { mountpoint = "/"; - mountOptions = [ "compress=zstd" "noatime" ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/home" = { mountpoint = "/home"; - mountOptions = [ "compress=zstd" "noatime" ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/nix" = { mountpoint = "/nix"; - mountOptions = [ "compress=zstd" "noatime" ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/swap" = { mountpoint = "/.swapvol"; diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix index cf5a06e..bcc82bb 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix 
@@ -1,89 +1,92 @@ { - inputs = - { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - # required for home-manager modules - nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; - nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; + # required for home-manager modules + nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; - get-flake.url = "github:ursi/get-flake"; + get-flake.url = "github:ursi/get-flake"; - disko.inputs.nixpkgs.follows = "nixpkgs"; + disko.inputs.nixpkgs.follows = "nixpkgs"; - mobile-nixos.url = "github:NixOS/mobile-nixos"; - mobile-nixos.flake = false; + mobile-nixos.url = "github:NixOS/mobile-nixos"; + mobile-nixos.flake = false; - home-manager = { - url = "github:nix-community/home-manager/release-23.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s"; - nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + home-manager = { + url = "github:nix-community/home-manager/release-23.11"; + inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = - { self - , get-flake - , nixpkgs - , ... - }: - let - system = "aarch64-linux"; - buildPlatform = "x86_64-linux"; - repoFlake = get-flake ../../../..; - in - { - lib = { - mkNixosConfiguration = { nodeName, extraModules ? [ ], ... } @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs - { - specialArgs = (import ./default.nix { - inherit system; - inherit nodeName repoFlake; + nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s"; + nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + }; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; + outputs = { + self, + get-flake, + nixpkgs, + ... 
+ }: let + system = "aarch64-linux"; + buildPlatform = "x86_64-linux"; + repoFlake = get-flake ../../../..; + in { + lib = { + mkNixosConfiguration = { + nodeName, + extraModules ? [], + ... + } @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs + { + specialArgs = + (import ./default.nix { + inherit system; + inherit nodeName repoFlake; - modules = - [ - # repoFlake.nixosModules.hardware-x13s - ] - ++ extraModules; - } - ); + nodeFlake = self; + }) + .meta + .nodeSpecialArgs + .${nodeName}; + + modules = + [ + # repoFlake.nixosModules.hardware-x13s + ] + ++ extraModules; + } + ); + }; + + nixosConfigurations = let + nodeName = "steveej-x13s-rmvbl"; + in { + native = self.lib.mkNixosConfiguration { + inherit system nodeName; + extraModules = [ + ./configuration.nix + + { + users.commonUsers.installPassword = "install"; + } + ]; }; - nixosConfigurations = - let - nodeName = "steveej-x13s-rmvbl"; - in - { - native = self.lib.mkNixosConfiguration { - inherit system nodeName; - extraModules = [ - ./configuration.nix + cross = self.lib.mkNixosConfiguration { + inherit nodeName; + extraModules = [ + ./configuration.nix - { - users.commonUsers.installPassword = "install"; - } - ]; - }; - - cross = self.lib.mkNixosConfiguration { - inherit nodeName; - extraModules = [ - ./configuration.nix - - { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = system; - } - ]; - }; - }; + { + nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = system; + } + ]; + }; }; + }; } diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index e45fc83..6d90f3d 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix 
@@ -1,15 +1,14 @@ -{ repoFlake -, nodeFlake -, pkgs -, lib -, config -, nodeName -, localDomainName -, system -, ... -}: - { + repoFlake, + nodeFlake, + pkgs, + lib, + config, + nodeName, + localDomainName, + system, + ... +}: { nixos-x13s = { enable = true; # TODO: use hardware address @@ -44,8 +43,8 @@ echo $? ) ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; + requiredBy = ["bluetooth.service"]; + before = ["bluetooth.service"]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -82,7 +81,6 @@ }; } - ../../snippets/home-manager-with-zsh.nix ../../snippets/sway-desktop.nix ../../snippets/bluetooth.nix @@ -117,7 +115,7 @@ ../../../home-manager/configuration/graphical-fullblown.nix ]; - home.sessionVariables = { }; + home.sessionVariables = {}; home.packages = with pkgs; [ ]; @@ -131,7 +129,7 @@ loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = lib.mkForce false; loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ "wwan" ]; + blacklistedKernelModules = ["wwan"]; }; # see https://linrunner.de/tlp/ diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix index fc3933e..fa66cf4 100644 --- a/nix/os/devices/steveej-x13s/default.nix +++ b/nix/os/devices/steveej-x13s/default.nix 
@@ -1,25 +1,26 @@ -{ system ? "aarch64-linux" -, nodeName -, repoFlake -, repoFlakeWithSystem -, nodeFlake -, localDomainName ? "internal" -, ... +{ + system ? "aarch64-linux", + nodeName, + repoFlake, + repoFlakeWithSystem, + nodeFlake, + localDomainName ? "internal", + ... }: { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); inherit localDomainName; }; meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix index 39eb9e1..973c2a4 100644 --- a/nix/os/devices/steveej-x13s/disko.nix +++ b/nix/os/devices/steveej-x13s/disko.nix @@ -24,7 +24,7 @@ content = { type = "luks"; name = "x13s-nvme-crypt"; - extraOpenArgs = [ ]; + extraOpenArgs = []; # disable settings.keyFile if you want to use interactive password entry #passwordFile = "/tmp/secret.key"; # Interactive settings = { @@ -36,19 +36,19 @@ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; content = { type = "btrfs"; - extraArgs = [ "-f" ]; + extraArgs = ["-f"]; subvolumes = { "/root" = { mountpoint = "/"; - mountOptions = [ "compress=zstd" "noatime" ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/home" = { mountpoint = "/home"; - mountOptions = [ "compress=zstd" "noatime" ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/nix" = { mountpoint = "/nix"; - mountOptions = [ "compress=zstd" "noatime" ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/swap" = { mountpoint = "/.swapvol"; 
diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix index 0201bb9..b0cdc09 100644 --- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s/flake.nix 
@@ -1,89 +1,92 @@ { - inputs = - { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - # required for home-manager modules - nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; - nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; + # required for home-manager modules + nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; - get-flake.url = "github:ursi/get-flake"; + get-flake.url = "github:ursi/get-flake"; - disko.inputs.nixpkgs.follows = "nixpkgs"; + disko.inputs.nixpkgs.follows = "nixpkgs"; - mobile-nixos.url = "github:NixOS/mobile-nixos"; - mobile-nixos.flake = false; + mobile-nixos.url = "github:NixOS/mobile-nixos"; + mobile-nixos.flake = false; - home-manager = { - url = "github:nix-community/home-manager/release-23.11"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - - # nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s?rev=5044811f7804e7cf83923908d1b35322f34fb3fc"; # 6.7.0-1 - nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s"; - nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + home-manager = { + url = "github:nix-community/home-manager/release-23.11"; + inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = - { self - , get-flake - , nixpkgs - , ... - }: - let - targetPlatform = "aarch64-linux"; - buildPlatform = "x86_64-linux"; - repoFlake = get-flake ../../../..; + # nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s?rev=5044811f7804e7cf83923908d1b35322f34fb3fc"; # 6.7.0-1 + nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s"; + nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + }; - mkNixosConfiguration = { nodeName, extraModules ? [ ], ... 
} @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs - { - specialArgs = (import ./default.nix { - system = targetPlatform; - inherit nodeName repoFlake; + outputs = { + self, + get-flake, + nixpkgs, + ... + }: let + targetPlatform = "aarch64-linux"; + buildPlatform = "x86_64-linux"; + repoFlake = get-flake ../../../..; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; - - modules = - [ - # repoFlake.nixosModules.hardware-x13s - ] - ++ extraModules; - } - ); - in - { - lib = { - inherit mkNixosConfiguration; - }; - - nixosConfigurations = - let - nodeName = "steveej-x13s"; - in + mkNixosConfiguration = { + nodeName, + extraModules ? [], + ... + } @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs { - native = mkNixosConfiguration { - inherit nodeName; - system = targetPlatform; - extraModules = [ - ./configuration.nix - ]; - }; + specialArgs = + (import ./default.nix { + system = targetPlatform; + inherit nodeName repoFlake; - cross = mkNixosConfiguration { - inherit nodeName; - extraModules = [ - ./configuration.nix + nodeFlake = self; + }) + .meta + .nodeSpecialArgs + .${nodeName}; - { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = targetPlatform; - } - ]; - }; - }; + modules = + [ + # repoFlake.nixosModules.hardware-x13s + ] + ++ extraModules; + } + ); + in { + lib = { + inherit mkNixosConfiguration; }; + + nixosConfigurations = let + nodeName = "steveej-x13s"; + in { + native = mkNixosConfiguration { + inherit nodeName; + system = targetPlatform; + extraModules = [ + ./configuration.nix + ]; + }; + + cross = mkNixosConfiguration { + inherit nodeName; + extraModules = [ + ./configuration.nix + + { + nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = targetPlatform; + } + ]; + }; + }; + }; } diff --git a/nix/os/devices/voodoo/flake.nix b/nix/os/devices/voodoo/flake.nix index 6282785..a926349 100644 
--- a/nix/os/devices/voodoo/flake.nix +++ b/nix/os/devices/voodoo/flake.nix @@ -32,13 +32,17 @@ nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = (import ./default.nix { - system = targetPlatform; - inherit nodeName; + specialArgs = + (import ./default.nix { + system = targetPlatform; + inherit nodeName; - repoFlake = get-flake ../../../..; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; + repoFlake = get-flake ../../../..; + nodeFlake = self; + }) + .meta + .nodeSpecialArgs + .${nodeName}; modules = [ @@ -51,10 +55,8 @@ { nixpkgs.overlays = [ - (final: previous: - { + (final: previous: { }) - ]; } ] diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 38930fe..a4dbcff 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix @@ -1,39 +1,38 @@ -{ lib -, config -, -}: -let - keys = import ../../variables/keys.nix; -in { - mkUser = args: lib.mkMerge [ - { - isNormalUser = true; - extraGroups = [ - "docker" - "wheel" - "libvirtd" - "networkmanager" - "vboxusers" - "users" - "input" - "audio" - "video" - "cdrom" - "adbusers" - "dialout" - "cdrom" - "fuse" - ]; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; + lib, + config, +}: let + keys = import ../../variables/keys.nix; +in { + mkUser = args: + lib.mkMerge [ + { + isNormalUser = true; + extraGroups = [ + "docker" + "wheel" + "libvirtd" + "networkmanager" + "vboxusers" + "users" + "input" + "audio" + "video" + "cdrom" + "adbusers" + "dialout" + "cdrom" + "fuse" + ]; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; - # TODO: investigate why this secret cannot be found - # openssh.authorizedKeys.keyFiles = [ - # config.sops.secrets.sharedSshKeys-steveej.path - # ]; - } - args - ]; + # TODO: investigate why this secret cannot be found + # openssh.authorizedKeys.keyFiles = [ + # config.sops.secrets.sharedSshKeys-steveej.path + # ]; + } + args + ]; disk = rec { # TODO: verify the GPT PARTLABEL cap at 36 chars 
@@ -41,7 +40,7 @@ in # LVM doesn't allow most characters in VG names # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+] - volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId; + volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId; # This is important at install-time bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId; diff --git a/nix/os/modules/hardware.thinkpad-x13s.nix b/nix/os/modules/hardware.thinkpad-x13s.nix index df69d6c..1e7223d 100644 --- a/nix/os/modules/hardware.thinkpad-x13s.nix +++ b/nix/os/modules/hardware.thinkpad-x13s.nix @@ -1,10 +1,15 @@ -{ self, pkgs, config, lib, options, ... }: -let +{ + self, + pkgs, + config, + lib, + options, + ... +}: let # TODO: introduce options for these kernelPdMapper = true; cfg = config.hardware.thinkpad-x13s; -in -{ +in { options.hardware.thinkpad-x13s = { # TODO: respect this enable = lib.mkEnableOption "x13s hardware support"; 
@@ -14,223 +19,222 @@ in description = "mac address to set on boot"; }; }; - config = - let - inherit (config.boot.loader) efi; - kp = [ - { - name = "x13s-cfg"; - patch = null; - extraStructuredConfig = with lib.kernel; { - EFI_ARMSTUB_DTB_LOADER = lib.mkForce yes; - OF_OVERLAY = lib.mkForce yes; - BTRFS_FS = lib.mkForce yes; - BTRFS_FS_POSIX_ACL = lib.mkForce yes; - MEDIA_CONTROLLER = lib.mkForce yes; - SND_USB_AUDIO_USE_MEDIA_CONTROLLER = lib.mkForce yes; - SND_USB = lib.mkForce yes; - SND_USB_AUDIO = lib.mkForce module; - USB_XHCI_PCI = lib.mkForce module; - NO_HZ_FULL = lib.mkForce yes; - HZ_100 = lib.mkForce yes; - HZ_250 = lib.mkForce no; - DRM_AMDGPU = lib.mkForce no; - DRM_NOUVEAU = lib.mkForce no; - QCOM_TSENS = lib.mkForce yes; - NVMEM_QCOM_QFPROM = lib.mkForce yes; - ARM_QCOM_CPUFREQ_NVMEM = lib.mkForce yes; - VIRTIO_PCI = lib.mkForce module; - # forthcoming kernel work: QCOM_PD_MAPPER = lib.mkForce module; - }; - } - ]; + config = let + inherit (config.boot.loader) efi; + kp = [ + { + name = "x13s-cfg"; + patch = null; + extraStructuredConfig = with lib.kernel; { + EFI_ARMSTUB_DTB_LOADER = lib.mkForce yes; + OF_OVERLAY = lib.mkForce yes; + BTRFS_FS = lib.mkForce yes; + BTRFS_FS_POSIX_ACL = lib.mkForce yes; + MEDIA_CONTROLLER = lib.mkForce yes; + SND_USB_AUDIO_USE_MEDIA_CONTROLLER = lib.mkForce yes; + SND_USB = lib.mkForce yes; + SND_USB_AUDIO = lib.mkForce module; + USB_XHCI_PCI = lib.mkForce module; + NO_HZ_FULL = lib.mkForce yes; + HZ_100 = lib.mkForce yes; + HZ_250 = lib.mkForce no; + DRM_AMDGPU = lib.mkForce no; + DRM_NOUVEAU = lib.mkForce no; + QCOM_TSENS = lib.mkForce yes; + NVMEM_QCOM_QFPROM = lib.mkForce yes; + ARM_QCOM_CPUFREQ_NVMEM = lib.mkForce yes; + VIRTIO_PCI = lib.mkForce module; + # forthcoming kernel work: QCOM_PD_MAPPER = lib.mkForce module; + }; + } + ]; - qrtr = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/qrtr.nix" { }; - pd-mapper = pkgs.callPackage 
"${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/pd-mapper.nix" { - inherit qrtr; - }; + qrtr = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/qrtr.nix" {}; + pd-mapper = pkgs.callPackage "${self.inputs.adamcstephens_stop-export}/hardware/x13s/qrtr/pd-mapper.nix" { + inherit qrtr; + }; - - # We can't quite move to mainline linux - linux_x13s_pkg = { buildLinux, ... } @ args: - buildLinux (args // rec { + # We can't quite move to mainline linux + linux_x13s_pkg = {buildLinux, ...} @ args: + buildLinux (args + // rec { version = "6.7.0"; modDirVersion = lib.versions.pad 3 version; extraMeta.branch = lib.versions.majorMinor version; src = self.inputs.linux_x13s; - kernelPatches = (args.kernelPatches or [ ]) ++ kp; - } // (args.argsOverride or { })); + kernelPatches = (args.kernelPatches or []) ++ kp; + } + // (args.argsOverride or {})); - # we add additional configuration on top of te normal configuration above - # using the extraStructuredConfig option on the kernel patch - linux_x13s = pkgs.callPackage linux_x13s_pkg { - defconfig = "johan_defconfig"; - }; + # we add additional configuration on top of te normal configuration above + # using the extraStructuredConfig option on the kernel patch + linux_x13s = pkgs.callPackage linux_x13s_pkg { + defconfig = "johan_defconfig"; + }; - linuxPackages_x13s = pkgs.linuxPackagesFor linux_x13s; - dtbName = "sc8280xp-lenovo-thinkpad-x13s.dtb"; - dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/${dtbName}"; + linuxPackages_x13s = pkgs.linuxPackagesFor linux_x13s; + dtbName = "sc8280xp-lenovo-thinkpad-x13s.dtb"; + dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/${dtbName}"; - x13s_alsa-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs (prev: { - src = self.inputs.alsa-ucm-conf; - }); - alsa-ucm-conf-env.ALSA_CONFIG_UCM2 = "${x13s_alsa-ucm-conf}/share/alsa/ucm2"; - - in + x13s_alsa-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs (prev: { + src = self.inputs.alsa-ucm-conf; + }); + 
alsa-ucm-conf-env.ALSA_CONFIG_UCM2 = "${x13s_alsa-ucm-conf}/share/alsa/ucm2"; + in lib.mkIf cfg.enable - { - nixpkgs.overlays = [ - (final: prev: - { - x13s_extra-firmware = pkgs.callPackage - "${self.inputs.adamcstephens_stop-export}/hardware/x13s/extra-firmware.nix" - { }; + { + nixpkgs.overlays = [ + ( + final: prev: { + x13s_extra-firmware = + pkgs.callPackage + "${self.inputs.adamcstephens_stop-export}/hardware/x13s/extra-firmware.nix" + {}; - inherit qrtr pd-mapper; - } - ) + inherit qrtr pd-mapper; + } + ) + ]; + + # ensure the x13s' dtb file is in the boot partition + # TODO:: is this needed for the VT display somehow? + system.activationScripts.x13s-dtb = '' + in_package="${dtb}" + esp_tool_folder="${efi.efiSysMountPoint}/" + in_esp="''${esp_tool_folder}${dtbName}" + >&2 echo "Ensuring $in_esp in EFI System Partition" + if ! ${pkgs.diffutils}/bin/cmp --silent "$in_package" "$in_esp"; then + >&2 echo "Copying $in_package -> $in_esp" + mkdir -p "$esp_tool_folder" + cp "$in_package" "$in_esp" + sync + fi + ''; + + boot = { + loader.systemd-boot.enable = true; + loader.systemd-boot.extraFiles = { + "${dtbName}" = dtb; + }; + loader.efi.canTouchEfiVariables = false; + loader.efi.efiSysMountPoint = "/boot"; + + blacklistedKernelModules = ["wwan"]; + + kernelPackages = linuxPackages_x13s; + + kernelParams = [ + "dtb=${dtbName}" + + "boot.shell_on_fail" + + # jhovold recommended + "efi=noruntime" + "clk_ignore_unused" + "pd_ignore_unused" + "arm64.nopauth" + + # blacklist graphics in initrd so the firmware can load from disk + "rd.driver.blacklist=msm" ]; - # ensure the x13s' dtb file is in the boot partition - # TODO:: is this needed for the VT display somehow? - system.activationScripts.x13s-dtb = '' - in_package="${dtb}" - esp_tool_folder="${efi.efiSysMountPoint}/" - in_esp="''${esp_tool_folder}${dtbName}" - >&2 echo "Ensuring $in_esp in EFI System Partition" - if ! 
${pkgs.diffutils}/bin/cmp --silent "$in_package" "$in_esp"; then - >&2 echo "Copying $in_package -> $in_esp" - mkdir -p "$esp_tool_folder" - cp "$in_package" "$in_esp" - sync - fi - ''; + initrd = { + includeDefaultModules = false; - boot = { - loader.systemd-boot.enable = true; - loader.systemd-boot.extraFiles = { - "${dtbName}" = dtb; - }; - loader.efi.canTouchEfiVariables = false; - loader.efi.efiSysMountPoint = "/boot"; + # kernelModules = [ + # "nvme" + # "phy_qcom_qmp_pcie" + # "pcie_qcom" - blacklistedKernelModules = [ "wwan" ]; + # "i2c_core" + # "i2c_hid" + # "i2c_hid_of" + # "i2c_qcom_geni" - kernelPackages = linuxPackages_x13s; + # "leds_qcom_lpg" + # "pwm_bl" + # "qrtr" + # "pmic_glink_altmode" + # "gpio_sbu_mux" + # "phy_qcom_qmp_combo" + # "gpucc_sc8280xp" + # "dispcc_sc8280xp" + # "phy_qcom_edp" + # "panel_edp" + # # "msm" - kernelParams = [ - "dtb=${dtbName}" + # ]; - "boot.shell_on_fail" + availableKernelModules = [ + "i2c_hid" + "i2c_hid_of" + "i2c_qcom_geni" + "leds_qcom_lpg" + "pwm_bl" + "qrtr" + "pmic_glink_altmode" + "gpio_sbu_mux" + "phy_qcom_qmp_combo" + "panel_edp" + # "msm" + "phy_qcom_edp" + "i2c_core" + "i2c_hid" + "i2c_hid_of" + "i2c_qcom_geni" + "pcie_qcom" + "phy_qcom_qmp_combo" + "phy_qcom_qmp_pcie" + "phy_qcom_qmp_usb" + "phy_qcom_snps_femto_v2" + "phy_qcom_usb_hs" + "nvme" - # jhovold recommended - "efi=noruntime" - "clk_ignore_unused" - "pd_ignore_unused" - "arm64.nopauth" - - # blacklist graphics in initrd so the firmware can load from disk - "rd.driver.blacklist=msm" + "usbcore" + "xhci_hcd" + "usbhid" + "usb_storage" + "uas" ]; - - initrd = { - includeDefaultModules = false; - - # kernelModules = [ - # "nvme" - # "phy_qcom_qmp_pcie" - # "pcie_qcom" - - # "i2c_core" - # "i2c_hid" - # "i2c_hid_of" - # "i2c_qcom_geni" - - # "leds_qcom_lpg" - # "pwm_bl" - # "qrtr" - # "pmic_glink_altmode" - # "gpio_sbu_mux" - # "phy_qcom_qmp_combo" - # "gpucc_sc8280xp" - # "dispcc_sc8280xp" - # "phy_qcom_edp" - # "panel_edp" - # # "msm" - - # ]; - 
- availableKernelModules = [ - "i2c_hid" - "i2c_hid_of" - "i2c_qcom_geni" - "leds_qcom_lpg" - "pwm_bl" - "qrtr" - "pmic_glink_altmode" - "gpio_sbu_mux" - "phy_qcom_qmp_combo" - "panel_edp" - # "msm" - "phy_qcom_edp" - "i2c_core" - "i2c_hid" - "i2c_hid_of" - "i2c_qcom_geni" - "pcie_qcom" - "phy_qcom_qmp_combo" - "phy_qcom_qmp_pcie" - "phy_qcom_qmp_usb" - "phy_qcom_snps_femto_v2" - "phy_qcom_usb_hs" - "nvme" - - "usbcore" - "xhci_hcd" - "usbhid" - "usb_storage" - "uas" - ]; - }; - }; - - - # default is performance - powerManagement.cpuFreqGovernor = "ondemand"; - - hardware.enableAllFirmware = true; - hardware.firmware = [ - # pkgs.linux-firmware - - pkgs.x13s_extra-firmware - ]; - - systemd.services.pd-mapper = { - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - ExecStart = "${lib.getExe pd-mapper}"; - Restart = "always"; - }; - }; - - environment.sessionVariables = alsa-ucm-conf-env; - systemd.user.services.pipewire.environment = alsa-ucm-conf-env; - systemd.user.services.wireplumber.environment = alsa-ucm-conf-env; - - systemd.services.bluetooth = { - serviceConfig = { - # disabled because btmgmt call hangs - ExecStartPre = [ - "" - "${pkgs.util-linux}/bin/rfkill block bluetooth" - "${pkgs.bluez5-experimental}/bin/btmgmt public-addr ${cfg.bluetoothMac}" - "${pkgs.util-linux}/bin/rfkill unblock bluetooth" - ]; - RestartSec = 5; - Restart = "on-failure"; - }; }; }; + + # default is performance + powerManagement.cpuFreqGovernor = "ondemand"; + + hardware.enableAllFirmware = true; + hardware.firmware = [ + # pkgs.linux-firmware + + pkgs.x13s_extra-firmware + ]; + + systemd.services.pd-mapper = { + wantedBy = ["multi-user.target"]; + + serviceConfig = { + ExecStart = "${lib.getExe pd-mapper}"; + Restart = "always"; + }; + }; + + environment.sessionVariables = alsa-ucm-conf-env; + systemd.user.services.pipewire.environment = alsa-ucm-conf-env; + systemd.user.services.wireplumber.environment = alsa-ucm-conf-env; + + systemd.services.bluetooth = { + 
serviceConfig = { + # disabled because btmgmt call hangs + ExecStartPre = [ + "" + "${pkgs.util-linux}/bin/rfkill block bluetooth" + "${pkgs.bluez5-experimental}/bin/btmgmt public-addr ${cfg.bluetoothMac}" + "${pkgs.util-linux}/bin/rfkill unblock bluetooth" + ]; + RestartSec = 5; + Restart = "on-failure"; + }; + }; + }; } diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix index 5dea719..dbe449b 100644 --- a/nix/os/modules/opinionatedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix @@ -11,8 +11,7 @@ with lib; let earlyDiskId = cfg: if cfg.earlyDiskIdOverride != "" then cfg.earlyDiskIdOverride - else cfg.diskId - ; + else cfg.diskId; in { options.hardware.opinionatedDisk = { enable = mkEnableOption "Enable opinionated filesystem layout"; diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index c6ed9fb..7c1f786 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix @@ -1,10 +1,11 @@ -{ config -, pkgs -, repoFlake -, nodeFlake -, repoFlakeInputs' -, packages' -, ... +{ + config, + pkgs, + repoFlake, + nodeFlake, + repoFlakeInputs', + packages', + ... }: { imports = [ repoFlake.inputs.sops-nix.nixosModules.sops @@ -29,7 +30,7 @@ boot.tmp.useTmpfs = true; # Workaround for nm-pptp to enforce module load - boot.kernelModules = [ "nf_conntrack_proto_gre" "nf_conntrack_pptp" ]; + boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"]; nixpkgs.config = { allowBroken = false; diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index 9c25dbc..f576a28 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix 
@@ -1,8 +1,9 @@ -{ config -, pkgs -, lib -, nodeName -, ... +{ + config, + pkgs, + lib, + nodeName, + ... }: { networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname. networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2; @@ -14,11 +15,11 @@ ''; # Fonts, I18N, Date ... - fonts.packages = [ pkgs.corefonts ]; + fonts.packages = [pkgs.corefonts]; console.font = "lat9w-16"; - i18n = { defaultLocale = "en_US.UTF-8"; }; + i18n = {defaultLocale = "en_US.UTF-8";}; time.timeZone = "Etc/UTC"; services.gpm.enable = true; diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index 1b6afbd..3d74166 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix @@ -1,9 +1,9 @@ -{ config -, pkgs -, lib -, ... -}: -let +{ + config, + pkgs, + lib, + ... +}: let keys = import ../../../variables/keys.nix; inherit (import ../../lib/default.nix { @@ -16,8 +16,7 @@ let inherit (lib) types; cfg = config.users.commonUsers; -in -{ +in { options.users.commonUsers = { enable = lib.mkOption { default = true; @@ -77,7 +76,6 @@ in }) ]; - users.users.steveej = lib.mkIf cfg.enableNonRoot (mkUser (lib.mkMerge [ { uid = 1000; diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index a90c1e8..ce49500 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -1,6 +1,7 @@ -{ pkgs -, lib -, ... +{ + pkgs, + lib, + ... }: { imports = [ ../../snippets/bluetooth.nix 
@@ -25,7 +26,7 @@ services.pcscd.enable = true; hardware.opengl.enable = true; - services.udev.packages = [ pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules ]; + services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules]; services.udev.extraRules = '' # OnePlusOne ATTR{idVendor}=="05c6", ATTR{idProduct}=="6764", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess" @@ -52,6 +53,6 @@ services.printing = { enable = true; - drivers = with pkgs; [ mfcl3770cdwlpr mfcl3770cdwcupswrapper ]; + drivers = with pkgs; [mfcl3770cdwlpr mfcl3770cdwcupswrapper]; }; } diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix index 47c5ab5..a4cfeca 100644 --- a/nix/os/snippets/bluetooth.nix +++ b/nix/os/snippets/bluetooth.nix @@ -1,9 +1,10 @@ -{ pkgs -, lib -, ... +{ + pkgs, + lib, + ... }: { # required for running blueman-applet in user sessions - services.dbus.packages = with pkgs; [ blueman ]; + services.dbus.packages = with pkgs; [blueman]; hardware.bluetooth.enable = true; services.blueman.enable = true; } diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix index 5bbb1e5..63f4962 100644 --- a/nix/os/snippets/home-manager-with-zsh.nix +++ b/nix/os/snippets/home-manager-with-zsh.nix @@ -1,12 +1,11 @@ -{ nodeFlake -, repoFlake -, repoFlakeInputs' -, packages' -, pkgs -, ... -}: - -let +{ + nodeFlake, + repoFlake, + repoFlakeInputs', + packages', + pkgs, + ... +}: let # TODO: make this configurable homeUser = "steveej"; commonHomeImports = [ @@ -14,8 +13,7 @@ let ../../home-manager/programs/neovim.nix ../../home-manager/programs/zsh.nix ]; -in -{ +in { imports = [ nodeFlake.inputs.home-manager.nixosModules.home-manager ]; @@ -45,5 +43,5 @@ in programs.zsh.enable = true; users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = [ "/share/zsh" ]; + environment.pathsToLink = ["/share/zsh"]; } 
diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix index f3f577b..704d69a 100644 --- a/nix/os/snippets/nix-settings.nix +++ b/nix/os/snippets/nix-settings.nix @@ -1,7 +1,8 @@ -{ nodeFlake -, pkgs -, lib -, ... +{ + nodeFlake, + pkgs, + lib, + ... }: { nix.daemonCPUSchedPolicy = "idle"; nix.daemonIOSchedClass = "idle"; @@ -25,5 +26,4 @@ ]; nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; - } diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix index 74edd68..69628bf 100644 --- a/nix/os/snippets/radicale.nix +++ b/nix/os/snippets/radicale.nix @@ -1,15 +1,13 @@ -{ config -, lib -, pkgs -, repoFlakeInputs' -, ... -}: - -let +{ + config, + lib, + pkgs, + repoFlakeInputs', + ... +}: let # TODO: make configurable homeUser = "steveej"; -in -{ +in { sops.secrets.radicale_htpasswd = { sopsFile = ../../../secrets/desktop/radicale_htpasswd; format = "binary"; @@ -19,11 +17,13 @@ in home-manager.users.${homeUser} = _: { imports = [ # TODO: bump these to latest and make it work - (args: - import ../../home-manager/programs/radicale.nix (args // { - osConfig = config; - pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; - }) + ( + args: + import ../../home-manager/programs/radicale.nix (args + // { + osConfig = config; + pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; + }) ) ]; }; diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix index 4c51002..46c2bc0 100644 --- a/nix/os/snippets/sway-desktop.nix +++ b/nix/os/snippets/sway-desktop.nix @@ -1,14 +1,12 @@ -{ pkgs -, lib -, config -, ... -}: - -let +{ + pkgs, + lib, + config, + ... +}: let # TODO: make this configurable homeUser = "steveej"; -in -{ +in { services.xserver.serverFlagsSection = '' Option "BlankTime" "0" Option "StandbyTime" "0" 
@@ -30,7 +28,7 @@ in # required by swaywm security.polkit.enable = true; - security.pam.services.swaylock = { }; + security.pam.services.swaylock = {}; # test these on https://mozilla.github.io/webrtc-landing/gum_test.html xdg.portal = { @@ -54,7 +52,6 @@ in ]; }; - # rtkit is optional but recommended security.rtkit.enable = true; services.pipewire = { @@ -74,8 +71,8 @@ in # autologin steveej on tty1 # TODO: make user configurable systemd.services."autovt@tty1".description = "Autologin at the TTY1"; - systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty - systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; + systemd.services."autovt@tty1".after = ["systemd-logind.service"]; # without it user session not started and xorg can't be run from this tty + systemd.services."autovt@tty1".wantedBy = ["multi-user.target"]; systemd.services."autovt@tty1".serviceConfig = { ExecStart = [ "" # override upstream default with an empty ExecStart @@ -85,19 +82,17 @@ in Type = "idle"; }; - programs = - let - steveejSwayOnTty1 = '' - if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then - exec sway - fi - ''; - in - { - bash.loginShellInit = steveejSwayOnTty1; - # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion - zsh.loginShellInit = steveejSwayOnTty1; - }; + programs = let + steveejSwayOnTty1 = '' + if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then + exec sway + fi + ''; + in { + bash.loginShellInit = steveejSwayOnTty1; + # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion + zsh.loginShellInit = steveejSwayOnTty1; + }; home-manager.users."${homeUser}" = _: { imports = [ diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix index a3ebd92..25aee48 100644 --- a/nix/os/snippets/timezone.nix +++ b/nix/os/snippets/timezone.nix 
@@ -1,9 +1,5 @@ -{ lib, ... }: - -let +{lib, ...}: let passwords = import ../../variables/passwords.crypt.nix; - -in -{ +in { time.timeZone = lib.mkDefault passwords.timeZone.stefan; } diff --git a/nix/pkgs/logseq/default.nix b/nix/pkgs/logseq/default.nix index 40cc9cd..c1dffd0 100644 --- a/nix/pkgs/logseq/default.nix +++ b/nix/pkgs/logseq/default.nix @@ -1,30 +1,30 @@ -{ lib -, stdenv -, fetchurl -, appimageTools -, makeWrapper - # graphs will not sync without matching upstream's major electron version -, electron_27 -, git -, nix-update-script -, overrideSrc ? null -}: - -stdenv.mkDerivation (finalAttrs: -let - inherit (finalAttrs) pname version src appimageContents; - -in { + lib, + stdenv, + fetchurl, + appimageTools, + makeWrapper, + # graphs will not sync without matching upstream's major electron version + electron_27, + git, + nix-update-script, + overrideSrc ? null, +}: +stdenv.mkDerivation (finalAttrs: let + inherit (finalAttrs) pname version src appimageContents; +in { pname = "logseq"; version = "0.10.5"; - src = if overrideSrc != null then overrideSrc else - (fetchurl { - url = "https://github.com/logseq/logseq/releases/download/${version}/logseq-linux-x64-${version}.AppImage"; - hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBE="; - name = "${pname}-${version}.AppImage"; - }); + src = + if overrideSrc != null + then overrideSrc + else + (fetchurl { + url = "https://github.com/logseq/logseq/releases/download/${version}/logseq-linux-x64-${version}.AppImage"; + hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBE="; + name = "${pname}-${version}.AppImage"; + }); appimageContents = appimageTools.extract { inherit pname src version; @@ -34,7 +34,7 @@ in dontConfigure = true; dontBuild = true; - nativeBuildInputs = [ makeWrapper ]; + nativeBuildInputs = [makeWrapper]; installPhase = '' runHook preInstall 
@@ -67,17 +67,17 @@ in --set "LOCAL_GIT_DIRECTORY" ${git} \ --add-flags $out/share/${pname}/resources/app \ --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" \ - --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc.lib ]}" + --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [stdenv.cc.cc.lib]}" ''; - passthru.updateScript = nix-update-script { }; + passthru.updateScript = nix-update-script {}; meta = { description = "A local-first, non-linear, outliner notebook for organizing and sharing your personal knowledge base"; homepage = "https://github.com/logseq/logseq"; changelog = "https://github.com/logseq/logseq/releases/tag/${version}"; license = lib.licenses.agpl3Plus; - maintainers = with lib.maintainers; [ ]; - platforms = [ "x86_64-linux" "aarch64-linux" ]; + maintainers = with lib.maintainers; []; + platforms = ["x86_64-linux" "aarch64-linux"]; }; }) From 8280b538651ccddaa0f55c7e6dd11c464a771aef Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 8 Feb 2024 20:57:55 +0100 Subject: [PATCH 39/42] remove obsolete nix/sources.* --- nix/sources.json | 14 --- nix/sources.nix | 260 ----------------------------------------------- 2 files changed, 274 deletions(-) delete mode 100644 nix/sources.json delete mode 100644 nix/sources.nix diff --git a/nix/sources.json b/nix/sources.json deleted file mode 100644 index 49bfd31..0000000 --- a/nix/sources.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "nixpkgs": { - "branch": "release-22.05", - "description": "Nix Packages collection", - "homepage": "https://github.com/NixOS/nixpkgs", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "26fe7618c7efbbfe28db9a52a21fb87e67ebaf06", - "sha256": "0wi8l10zn808psf0i7ka3ifpx46vdv2fkq3hcb9d5m72fv64vznr", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/26fe7618c7efbbfe28db9a52a21fb87e67ebaf06.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - } -} 
diff --git a/nix/sources.nix b/nix/sources.nix
deleted file mode 100644
index 87a7093..0000000
--- a/nix/sources.nix
+++ /dev/null
@@ -1,260 +0,0 @@ -# This file has been generated by Niv. -let - # - # The fetchers. fetch_ fetches specs of type . - # - fetch_file = pkgs: name: spec: let - name' = sanitizeName name + "-src"; - in - if spec.builtin or true - then - builtins_fetchurl - { - inherit (spec) url sha256; - name = name'; - } - else - pkgs.fetchurl { - inherit (spec) url sha256; - name = name'; - }; - - fetch_tarball = pkgs: name: spec: let - name' = sanitizeName name + "-src"; - in - if spec.builtin or true - then - builtins_fetchTarball - { - name = name'; - inherit (spec) url sha256; - } - else - pkgs.fetchzip { - name = name'; - inherit (spec) url sha256; - }; - - fetch_git = name: spec: let - ref = - if spec ? ref - then spec.ref - else if spec ? branch - then "refs/heads/${spec.branch}" - else if spec ? tag - then "refs/tags/${spec.tag}" - else - abort - "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; - submodules = - if spec ? submodules - then spec.submodules - else false; - submoduleArg = let - nixSupportsSubmodules = - builtins.compareVersions builtins.nixVersion "2.4" >= 0; - emptyArgWithWarning = - if submodules == true - then - builtins.trace - (''The niv input "${name}" uses submodules '' - + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " - + "does not support them") - {} - else {}; - in - if nixSupportsSubmodules - then { - inherit submodules; - } - else emptyArgWithWarning; - in - builtins.fetchGit ({ - url = spec.repo; - inherit (spec) rev; - inherit ref; - } - // submoduleArg); - - fetch_local = spec: spec.path; - - fetch_builtin-tarball = name: - throw '' - [${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. - $ niv modify ${name} -a type=tarball -a builtin=true''; - - fetch_builtin-url = name: - throw '' - [${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. 
- $ niv modify ${name} -a type=file -a builtin=true''; - - # - # Various helpers - # - - # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 - sanitizeName = name: (concatMapStrings (s: - if builtins.isList s - then "-" - else s) - (builtins.split "[^[:alnum:]+._?=-]+" - ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name))); - - # The set of packages used when specs are fetched using non-builtins. - mkPkgs = sources: system: let - sourcesNixpkgs = - import - (builtins_fetchTarball {inherit (sources.nixpkgs) url sha256;}) - { - inherit system; - }; - hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; - hasThisAsNixpkgsPath = == ./.; - in - if builtins.hasAttr "nixpkgs" sources - then sourcesNixpkgs - else if hasNixpkgsPath && !hasThisAsNixpkgsPath - then import {} - else - abort '' - Please specify either (through -I or NIX_PATH=nixpkgs=...) or - add a package called "nixpkgs" to your sources.json. - ''; - - # The actual fetching function. - fetch = pkgs: name: spec: - if !builtins.hasAttr "type" spec - then abort "ERROR: niv spec ${name} does not have a 'type' attribute" - else if spec.type == "file" - then fetch_file pkgs name spec - else if spec.type == "tarball" - then fetch_tarball pkgs name spec - else if spec.type == "git" - then fetch_git name spec - else if spec.type == "local" - then fetch_local spec - else if spec.type == "builtin-tarball" - then fetch_builtin-tarball name - else if spec.type == "builtin-url" - then fetch_builtin-url name - else - abort - "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; - - # If the environment variable NIV_OVERRIDE_${name} is set, then use - # the path directly as opposed to the fetched source. 
- replace = name: drv: let - saneName = - stringAsChars - (c: - if isNull (builtins.match "[a-zA-Z0-9]" c) - then "_" - else c) - name; - ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; - in - if ersatz == "" - then drv - else - # this turns the string into an actual Nix path (for both absolute and - # relative paths) - if builtins.substring 0 1 ersatz == "/" - then /. + ersatz - else /. + builtins.getEnv "PWD" + "/${ersatz}"; - - # Ports of functions for older nix versions - - # a Nix version of mapAttrs if the built-in doesn't exist - mapAttrs = - builtins.mapAttrs - or (f: set: - with builtins; - listToAttrs (map (attr: { - name = attr; - value = f attr set.${attr}; - }) (attrNames set))); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 - range = first: last: - if first > last - then [] - else builtins.genList (n: first + n) (last - first + 1); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 - stringToCharacters = s: - map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 - stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); - concatMapStrings = f: list: concatStrings (map f list); - concatStrings = builtins.concatStringsSep ""; - - # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 - optionalAttrs = cond: as: - if cond - then as - else {}; - - # fetchTarball version that is compatible between all the versions of Nix - builtins_fetchTarball = { - url, - name ? 
null, - sha256, - } @ attrs: let - inherit (builtins) lessThan nixVersion fetchTarball; - in - if lessThan nixVersion "1.12" - then - fetchTarball - ({inherit url;} // (optionalAttrs (!isNull name) {inherit name;})) - else fetchTarball attrs; - - # fetchurl version that is compatible between all the versions of Nix - builtins_fetchurl = { - url, - name ? null, - sha256, - } @ attrs: let - inherit (builtins) lessThan nixVersion fetchurl; - in - if lessThan nixVersion "1.12" - then - fetchurl - ({inherit url;} // (optionalAttrs (!isNull name) {inherit name;})) - else fetchurl attrs; - - # Create the final "sources" from the config - mkSources = config: - mapAttrs - (name: spec: - if builtins.hasAttr "outPath" spec - then - abort - "The values in sources.json should not have an 'outPath' attribute" - else spec // {outPath = replace name (fetch config.pkgs name spec);}) - config.sources; - - # The "config" used by the fetchers - mkConfig = { - sourcesFile ? - if builtins.pathExists ./sources.json - then ./sources.json - else null, - sources ? - if isNull sourcesFile - then {} - else builtins.fromJSON (builtins.readFile sourcesFile), - system ? builtins.currentSystem, - pkgs ? mkPkgs sources system, - }: rec { - # The sources, i.e. the attribute set of spec name to spec - inherit sources; - - # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers - inherit pkgs; - }; -in - mkSources (mkConfig {}) - // { - __functor = _: settings: mkSources (mkConfig settings); - } From 751bb82daf1c722d945aca5212223acf8483a6f0 Mon Sep 17 00:00:00 2001 From: Stefan Junker Date: Thu, 8 Feb 2024 20:59:08 +0100 Subject: [PATCH 40/42] update x13s --- .../configuration/graphical-fullblown.nix | 1 - nix/os/devices/steveej-x13s/flake.lock | 32 +++++++++---------- nix/os/devices/steveej-x13s/flake.nix | 2 +- 3 files changed, 17 insertions(+), 18 deletions(-) 
diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 632cf0f..56f7820 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -39,7 +39,6 @@ in { home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; nixpkgs.config.permittedInsecurePackages = [ - "electron-24.8.6" "electron-25.9.0" ]; diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock index 3d547b2..9a78061 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1706491084, - "narHash": "sha256-eaEv+orTmr2arXpoE4aFZQMVPOYXCBEbLgK22kOtkhs=", + "lastModified": 1707354935, + "narHash": "sha256-COv13Awbwut8Q8h8WxWpbVGHsUlZ6Yb+6YiWyWUV+yY=", "owner": "nix-community", "repo": "disko", - "rev": "f67ba6552845ea5d7f596a24d57c33a8a9dc8de9", + "rev": "c49bb95ac852841b9015fb56a503a36ebdb46a59", "type": "github" }, "original": { @@ -59,11 +59,11 @@ ] }, "locked": { - "lastModified": 1705659542, - "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=", + "lastModified": 1706981411, + "narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", "owner": "nix-community", "repo": "home-manager", - "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9", + "rev": "652fda4ca6dafeb090943422c34ae9145787af37", "type": "github" }, "original": { @@ -97,11 +97,11 @@ ] }, "locked": { - "lastModified": 1707142515, - "narHash": "sha256-qTiDyZP7JvTyITRwmAGo9KGMJx0lj7ibhYqe65/Gypc=", + "lastModified": 1707341322, + "narHash": "sha256-hfJDFRAFrdLDY0ebNy7BpaKBmj3BwR/WTbQswlrpU1Y=", "ref": "refs/heads/main", - "rev": "66bc91c89daf8a14769e1f403004578463578138", - "revCount": 12, + "rev": "e612b7c968318bcd7f6ae5a4eaf930e21baa644d", + "revCount": 14, "type": "git", "url": "https://codeberg.org/adamcstephens/nixos-x13s" }, 
@@ -112,11 +112,11 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1706718339,
- "narHash": "sha256-S+S97c/HzkO2A/YsU7ZmNF9w2s7Xk6P8dzmfDdckzLs=",
+ "lastModified": 1707238373,
+ "narHash": "sha256-WKxT0yLzWbFZwYi92lI0yWJpYtRaFSWHGX8QXzejapw=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "53fbe41cf76b6a685004194e38e889bc8857e8c2",
+ "rev": "fb0c047e30b69696acc42e669d02452ca1b55755",
"type": "github"
},
"original": {
@@ -162,11 +162,11 @@
},
"nixpkgs-unstable-small": {
"locked": {
- "lastModified": 1706768163,
- "narHash": "sha256-mSQ/t2+AriQCxsHHDJ/2uJGMnUzjZLKFVYImln05JPs=",
+ "lastModified": 1707347693,
+ "narHash": "sha256-/MxX1WUwKui2dWtKghN+8qIKf8X7hHPD1KCeDXoApEI=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "32cf02a2607143d94c565c068b73fe45fd57c3a0",
+ "rev": "9a113b42b3b15eafa91a027bd9fb9fd69fa6ed96",
"type": "github"
},
"original": {
diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix
index b0cdc09..4c632c8 100644
--- a/nix/os/devices/steveej-x13s/flake.nix
+++ b/nix/os/devices/steveej-x13s/flake.nix
@@ -18,8 +18,8 @@
inputs.nixpkgs.follows = "nixpkgs";
};
- # nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s?rev=5044811f7804e7cf83923908d1b35322f34fb3fc"; # 6.7.0-1
nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s";
+ # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s";
nixos-x13s.inputs.nixpkgs.follows = "nixpkgs";
};
From 45a283c7bde339af4b92e35cbf8c534b5b054837 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Thu, 8 Feb 2024 20:59:31 +0100
Subject: [PATCH 41/42] formatting
---
nix/home-manager/programs/chromium.nix | 4 +++-
nix/os/devices/justyna-p300/pkg.nix | 6 ++++--
nix/os/devices/sj-bm-hostkey0/flake.nix | 3 +--
nix/os/devices/sj-vps-htz0/system.nix | 3 +--
nix/os/devices/srv0-dmz0/configuration.nix | 3 +--
nix/os/devices/voodoo/flake.nix | 3 +--
6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix
index 3552e7b..2d9070d 100644
--- a/nix/home-manager/programs/chromium.nix
+++ b/nix/home-manager/programs/chromium.nix
@@ -58,7 +58,9 @@ in {
programs.brave = {
# TODO: enable this on aarch64-linux
- enable = true && !pkgs.stdenv.targetPlatform.isAarch64;
+ enable =
+ true
+ && !pkgs.stdenv.targetPlatform.isAarch64;
inherit extensions;
};
diff --git a/nix/os/devices/justyna-p300/pkg.nix b/nix/os/devices/justyna-p300/pkg.nix
index 2b9ebf0..e780b7e 100644
--- a/nix/os/devices/justyna-p300/pkg.nix
+++ b/nix/os/devices/justyna-p300/pkg.nix
@@ -50,11 +50,13 @@ in {
};
home-manager.users.justyna =
- lib.attrsets.recursiveUpdate (homeEnv {
+ lib.attrsets.recursiveUpdate
+ (homeEnv {
layout = "de";
options = [];
variant = "";
- }) {
+ })
+ {
services.syncthing.enable = true;
services.syncthing.tray = true;
diff --git a/nix/os/devices/sj-bm-hostkey0/flake.nix b/nix/os/devices/sj-bm-hostkey0/flake.nix
index 3b4ed54..74478dd 100644
--- a/nix/os/devices/sj-bm-hostkey0/flake.nix
+++ b/nix/os/devices/sj-bm-hostkey0/flake.nix
@@ -46,8 +46,7 @@
{
nixpkgs.overlays = [
- (final: previous: {
- })
+ (final: previous: {})
];
}
]
diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix
index 2bb6048..7efcbbd 100644
--- a/nix/os/devices/sj-vps-htz0/system.nix
+++ b/nix/os/devices/sj-vps-htz0/system.nix
@@ -93,8 +93,7 @@ in {
nix.gc = {automatic = true;};
- containers = {
- };
+ containers = {};
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs;
diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix
index c1983d2..b59afac 100644
--- a/nix/os/devices/srv0-dmz0/configuration.nix
+++ b/nix/os/devices/srv0-dmz0/configuration.nix
@@ -121,8 +121,7 @@ in {
nix.gc = {automatic = true;};
- containers = {
- };
+ containers = {};
# sops.secrets.holochain-nomad-agent-ca = {
# sopsFile = ../../../../secrets/holochain-infra/nomad.yaml;
diff --git a/nix/os/devices/voodoo/flake.nix b/nix/os/devices/voodoo/flake.nix
index a926349..7e94241 100644
--- a/nix/os/devices/voodoo/flake.nix
+++ b/nix/os/devices/voodoo/flake.nix
@@ -55,8 +55,7 @@
{
nixpkgs.overlays = [
- (final: previous: {
- })
+ (final: previous: {})
];
}
]
From a1306114f77d9e189f387c421119e73825aca545 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Thu, 8 Feb 2024 20:59:47 +0100
Subject: [PATCH 42/42] WIP: x13s-rmvbl supposedly this will boot from USB
---
.../steveej-x13s-rmvbl/configuration.nix | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix
index 6f31bc9..9aec1e2 100644
--- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix
+++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix
@@ -130,17 +130,40 @@
blacklistedKernelModules = ["wwan"];
initrd.kernelModules = [
- "phy_qcom_qmp_usb"
"uas"
+ "usb_storage"
+
+ "phy_qcom_qmp_pcie"
+ "phy_qcom_qmp_combo"
+ "phy_qcom_snps_femto_v2"
+ "phy_qcom_qmp_pcie"
+ "phy_qcom_qmp_usb"
+
+ "xhci-pci-renesas"
"msm"
];
initrd.extraFiles = {
+ "firmware/qcom/sc8280xp/LENOVO/21BX/adspr.jsn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/adspua.jsn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/audioreach-tplg.bin".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/battmgr.jsn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/cdspr.jsn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/qcadsp8280.mbn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware;
+ "firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware;
"firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware";
};
};
hardware.firmware = [
pkgs.linux-firmware
nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"
];
hardware.enableAllFirmware = true;
# see https://linrunner.de/tlp/
services.tlp = {
enable = true;
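Review bot: The nine added `initrd.extraFiles` entries set `.source = pkgs.linux-firmware`, i.e. the package root, while each attribute name refers to a single blob, so the initrd entry named `adspr.jsn` presumably ends up pointing at the whole linux-firmware tree (dragging its full closure into the initrd) rather than the one file; unless `boot.initrd.extraFiles` is known to handle a directory source this way, point each entry at the file, e.g. `"firmware/qcom/sc8280xp/LENOVO/21BX/adspr.jsn".source = "${pkgs.linux-firmware}/lib/firmware/qcom/sc8280xp/LENOVO/21BX/adspr.jsn";` (or a small derivation copying just that file if the option's package type rejects a sub-path), and likewise for the other eight. `"phy_qcom_qmp_pcie"` appears twice in `initrd.kernelModules`; drop one occurrence. `hardware.enableAllFirmware = true` goes beyond the `pkgs.linux-firmware` the hunk already adds to `hardware.firmware`: it also pulls non-redistributable blobs into the closure and requires `nixpkgs.config.allowUnfree`, so `hardware.enableRedistributableFirmware = true` (or just the explicit `hardware.firmware` list) keeps the set of unauditable binaries on the box to what the board needs. The enclosing attribute set starts before the hunk, and the `services.tlp = {` block at its end continues outside it.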