diff --git a/.envrc b/.envrc
index d8f5b3d..90160da 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1,5 @@
-use_flake . --impure
+if ! has nix_direnv_version || ! nix_direnv_version 3.0.6; then
+ source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/3.0.6/direnvrc" "sha256-RYcUJaRMf8oF5LznDrlCXbkOQrywm0HDv1VjYGaJGdM="
+fi
+
+use flake .#develop
diff --git a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg
index 9587742..fd34c43 100644
Binary files a/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg and b/.git-crypt/keys/default/0/6F7069FE6B96E894E60EC45C6EEFA706CB17E89B.gpg differ
diff --git a/.gitignore b/.gitignore
index 92102e5..8c927b6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,8 @@
 .env
 **/result
 .direnv/
+
+# nixago: ignore-linked-files
+/treefmt.toml
+
+/debug-logs
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
deleted file mode 100644
index efb4d91..0000000
--- a/.gitlab-ci.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-stages:
- - build
-
-build:
- stage: build
- tags:
- - nix
- script:
- # Test the nix-shell
- - just run-with-channels 'nix-shell --run "echo OK"'
diff --git a/.sops.yaml b/.sops.yaml
index eb17a55..9e709f9 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -8,68 +8,115 @@ keys: - &steveej 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - &steveej-t14 age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl + - &steveej-x13s age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 - &elias-e525 age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8 - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz - - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86 - - &sj-bm-hostkey0 age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44 + - &router0-dmz0 age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0 + - &router0-ifog age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00 + - &router0-hosthatch age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4 + - &hstk0 age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0 + creation_rules: - path_regex: ^(.+/|)secrets/[^/]+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 - - *elias-e525 - - *justyna-p300 + - pgp: + - *steveej + age: + - *steveej-t14 + - *steveej-x13s + - *elias-e525 + - *justyna-p300 - - *srv0-dmz0 - - *router0-dmz0 + - *srv0-dmz0 + - *router0-dmz0 - - *sj-vps-htz0 - - *sj-bm-hostkey0 + - *sj-vps-htz0 + - *sj-srv1 + - *hstk0 + - *router0-ifog + - *router0-hosthatch - path_regex: ^secrets/steveej-t14/.+$ key_groups: - - pgp: - - *steveej - age: - - *steveej-t14 + - pgp: + - *steveej + age: + - *steveej-t14 + - path_regex: ^secrets/desktop/.+$ + key_groups: + - pgp: + - *steveej + age: + - *steveej-t14 + - *steveej-x13s - path_regex: ^secrets/servers/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 + - pgp: + - *steveej + age: 
+ - *sj-vps-htz0 + - *sj-srv1 - path_regex: ^nix/os/containers/.+_secrets.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 + - pgp: + - *steveej + age: + - *sj-vps-htz0 + - *sj-srv1 - path_regex: ^secrets/holochain-infra/.+$ key_groups: - - pgp: - - *steveej - age: - - *srv0-dmz0 + - pgp: + - *steveej + age: + - *srv0-dmz0 - path_regex: ^secrets/router0-dmz0/.+$ key_groups: - - pgp: - - *steveej - age: - - *router0-dmz0 + - pgp: + - *steveej + age: + - *router0-dmz0 + - path_regex: ^secrets/router0-ifog/.+$ + key_groups: + - pgp: + - *steveej + age: + - *router0-ifog + - path_regex: ^secrets/router0-hosthatch/.+$ + key_groups: + - pgp: + - *steveej + age: + - *router0-hosthatch - path_regex: ^secrets/sj-vps-htz0/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-vps-htz0 - - path_regex: ^secrets/sj-bm-hostkey0/.+$ + - pgp: + - *steveej + age: + - *sj-vps-htz0 + - path_regex: ^secrets/sj-srv1/.+$ key_groups: - - pgp: - - *steveej - age: - - *sj-bm-hostkey0 + - pgp: + - *steveej + age: + - *sj-srv1 + - path_regex: ^secrets/hstk0/.+$ + key_groups: + - pgp: + - *steveej + age: + - *hstk0 + - path_regex: ^secrets/steveej-x13s/.+$ + key_groups: + - pgp: + - *steveej + age: + - *steveej-x13s + - path_regex: ^secrets/work-holo/.+$ + key_groups: + - pgp: + - *steveej + age: + - *steveej-x13s diff --git a/.vscode/settings.json b/.vscode/settings.json index 0691bf9..660429d 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json 
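Review bot: The new `&sj-srv1` anchor carries exactly the same age recipient as `&sj-vps-htz0` (`age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv`), so the added `^secrets/sj-srv1/.+$` rule and every key_group that lists both names encrypt to one key under two labels. If sj-srv1 is a distinct host this looks like a copy-paste placeholder: its secrets would be readable by whoever holds the sj-vps-htz0 key, and sj-srv1 itself could only decrypt them if it has been given that same key; if it is the same machine renamed, keeping a single anchor avoids a stale duplicate surviving a later rotation. Either way a comment on the anchor line would make the intent explicit, e.g. `# sj-srv1 shares the sj-vps-htz0 age key until it is re-keyed`. Note also that dropping `*sj-bm-hostkey0` and the old `*router0-dmz0` key from the recipient lists does not re-encrypt anything by itself; each existing file keeps its old recipients until `sops updatekeys` is run on it.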
@@ -1,6 +1,20 @@ { - "nixEnvSelector.nixFile": "${workspaceRoot}/shell.nix", - "[nix]": { - "editor.defaultFormatter": "jnoortheen.nix-ide" - }, + "editor.defaultFormatter": "ibecker.treefmt-vscode", + "editor.formatOnSave": true, + "nix.enableLanguageServer": true, + "nix.serverPath": "nil", + "nix.serverSettings": { + // settings for 'nil' LSP + "nil": { + "autoArchive": true, + "diagnostics": { + "ignored": ["unused_binding", "unused_with"] + }, + "formatting": { + "command": ["treefmt", "--stdin", ".nil.nix"] + } + } + }, + "treefmt.command": "treefmt", + "treefmt.config": "" } diff --git a/Justfile b/Justfile index 0b3bb36..414e736 100755 --- a/Justfile +++ b/Justfile 
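Review bot: `"autoArchive": true` under `nix.serverSettings.nil` asks the language server to fetch and archive flake inputs on its own when a file is opened, so simply editing a fresh clone triggers network fetches of every input as a side effect; the existing `// settings for 'nil' LSP` comment should say so, e.g. `// autoArchive: nil fetches flake inputs on open (network access)`, so the behaviour is a deliberate choice. As far as I recall nil documents that option nested as `nix.flake.autoArchive` rather than directly under the `nil` object, so it may be silently ignored as written — worth confirming against the nil version in use. `"treefmt.config": ""` is left empty; if that intentionally falls back to config discovery, a short comment saying so saves the next reader a lookup.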
@@ -2,307 +2,320 @@ # echo "{{invocation_directory()}}/nix/variables/versions.tmpl.nix" _usage: - just -l + just -l # Re-render the default versions update-default-versions: - nix flake update + nix flake update _get_nix_path versionsPath: - echo $(set -x; nix-build --no-link --show-trace {{invocation_directory()}}/nix/default.nix -A channelSources --argstr versionsPath {{versionsPath}}) + echo $(set -x; nix-build --no-link --show-trace {{ invocation_directory() }}/nix/default.nix -A channelSources --argstr versionsPath {{ versionsPath }}) _device recipe dir +moreargs="": - #!/usr/bin/env bash - set -ex - unset NIX_PATH - source $(just -v _get_nix_path {{invocation_directory()}}/{{dir}}/versions.nix) - $(set -x; nix-build --no-link --show-trace $(dirname {{dir}})/default.nix -A recipes.{{recipe}} --argstr dir {{dir}} {{moreargs}}) + #!/usr/bin/env bash + set -ex + unset NIX_PATH + source $(just -v _get_nix_path {{ invocation_directory() }}/{{ dir }}/versions.nix) + $(set -x; nix-build --no-link --show-trace $(dirname {{ dir }})/default.nix -A recipes.{{ recipe }} --argstr dir {{ dir }} {{ moreargs }}) _render_templates: - #!/usr/bin/env bash - set -ex - if ! ip route get 1.1.1.1; then - echo No route to WAN. Skipping template rendering... - else - source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) - # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix - fi + #!/usr/bin/env bash + set -ex + if ! ip route get 1.1.1.1; then + echo No route to WAN. Skipping template rendering... 
+ else + source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) + # nix/scripts/pre-eval-fixed.sh nix/home-manager/profiles/dotfiles/vcsh{.tmpl,}.nix + fi rebuild-remote-device device +rebuildargs="dry-activate": - #!/usr/bin/env bash - set -ex - nix run .#colmena -- apply --on {{device}} {{rebuildargs}} + #!/usr/bin/env bash + set -ex + nix run .#colmena -- apply --impure --on {{ device }} {{ rebuildargs }} # Rebuild this device's NixOS rebuild-this-device +rebuildargs="dry-activate": - nix run .#colmena -- apply-local --sudo {{rebuildargs}} + nix run .#colmena -- apply-local --impure --sudo {{ rebuildargs }} # Re-render the versions of a remote device and rebuild its environment update-remote-device devicename +rebuildargs='build': - #!/usr/bin/env bash - set -e + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/{{devicename}} - nix flake update - ) + ( + set -xe + cd nix/os/devices/{{ devicename }} + nix flake update + ) - just -v rebuild-remote-device {{devicename}} {{rebuildargs}} + just -v rebuild-remote-device {{ devicename }} {{ rebuildargs }} - git commit -v nix/os/devices/{{devicename}}/flake.{nix,lock} -m "nix/os/devices/{{devicename}}: bump versions" + git commit -v nix/os/devices/{{ devicename }}/flake.{nix,lock} -m "nix/os/devices/{{ devicename }}: bump versions" # Re-render the versions of the current device and rebuild its environment update-this-device rebuild-mode='switch' +moreargs='': - #!/usr/bin/env bash - set -e + #!/usr/bin/env bash + set -e - ( - set -xe - cd nix/os/devices/$(hostname -s) - nix flake update - ) + ( + set -xe + cd nix/os/devices/$(hostname -s) + nix flake update + ) - just -v rebuild-this-device {{rebuild-mode}} {{moreargs}} + just -v rebuild-this-device {{ rebuild-mode }} {{ moreargs }} - git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m "nix/os/devices/$(hostname -s): bump versions" + git commit -v nix/os/devices/$(hostname -s)/flake.{nix,lock} -m 
"nix/os/devices/$(hostname -s): bump versions" # Rebuild an offline system rebuild-disk device: - #!/usr/bin/env bash - set -xe + #!/usr/bin/env bash + set -xe - just -v disk-mount {{device}} - trap "set +e; just -v disk-umount {{device}}" EXIT - just -v disk-install {{device}} + just -v disk-mount {{ device }} + trap "set +e; just -v disk-umount {{ device }}" EXIT + just -v disk-install {{ device }} # Re-render the versions of the given offline system and reinstall it in offline-mode update-disk dir: - #!/usr/bin/env bash - set -exuo pipefail + #!/usr/bin/env bash + set -exuo pipefail - dir={{dir}} + dir={{ dir }} - template={{dir}}/versions.tmpl.nix - outfile={{dir}}/versions.nix + template={{ dir }}/versions.tmpl.nix + outfile={{ dir }}/versions.nix - if ! test -e ${template}; then - template="$(just _DEFAULT_VERSION_TMPL)" - fi + if ! test -e ${template}; then + template="$(just _DEFAULT_VERSION_TMPL)" + fi - esh -o ${outfile} ${template} - if ! test "$(git diff ${outfile})"; then - echo Already on latest versions - exit 0 - fi + esh -o ${outfile} ${template} + if ! test "$(git diff ${outfile})"; then + echo Already on latest versions + exit 0 + fi - export SYSREBUILD_LOG=.{{dir}}_sysrebuild.log - just -v rebuild-disk {{dir}} || { - echo ERROR: Update of {{dir}} failed, reverting ${outfile}... - exit 1 - } + export SYSREBUILD_LOG=.{{ dir }}_sysrebuild.log + just -v rebuild-disk {{ dir }} || { + echo ERROR: Update of {{ dir }} failed, reverting ${outfile}... + exit 1 + } - git commit -v ${outfile} -m "${dir}: bump versions" + git commit -v ${outfile} -m "${dir}: bump versions" # Iterate on a qtile config by running it inside Xephyr. (un-/grab the mouse with Ctrl + Shift-L) hm-iterate-qtile: - #!/usr/bin/env bash - set -xe - home-manager switch || just -v rebuild-this-device switch - Xephyr -ac -br -resizeable :1 & - XEPHYR_PID=$! - echo ${XEPHYR_PID} - DISPLAY=:1 $(grep qtile ~/.xsession) & - echo "Xephyr started. 
un-/grab the mouse with Ctrl + Shift-L" - wait $! - kill ${XEPHYR_PID} + #!/usr/bin/env bash + set -xe + home-manager switch || just -v rebuild-this-device switch + Xephyr -ac -br -resizeable :1 & + XEPHYR_PID=$! + echo ${XEPHYR_PID} + DISPLAY=:1 $(grep qtile ~/.xsession) & + echo "Xephyr started. un-/grab the mouse with Ctrl + Shift-L" + wait $! + kill ${XEPHYR_PID} # !!! DANGERIOUS !!! This wipes the disk which is configured for the given device. disk-prepare dir: - just -v _device diskPrepare {{dir}} + just -v _device diskPrepare {{ dir }} disk-relabel dir previous: - just -v _device diskRelabel {{dir}} --argstr previousDiskId {{previous}} + just -v _device diskRelabel {{ dir }} --argstr previousDiskId {{ previous }} # Mount the target disk specified by device configuration directory. The 'dir' argument points to a device configuration, e.g. 'nix/os/devices/steveej-live-mmc-SL32G_0x259093f6' disk-mount dir: - just -v _device diskMount {{dir}} + just -v _device diskMount {{ dir }} + # Unmount target disk, specified by device configuration directory disk-umount dir: - just -v _device diskUmount {{dir}} + just -v _device diskUmount {{ dir }} # Perform an offline installation on the mounted target disk, specified by device configuration directory disk-install dir: _render_templates - just -v _device diskInstall {{dir}} - + just -v _device diskInstall {{ dir }} verify-n-unlock sshserver attempts="10": - #!/usr/bin/env bash - set -e - env \ - GETPW="just _get_pass_entry Infrastructure/VPS/{{sshserver}} DRIVE_PW" \ - SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} SSHOPTS)" \ - VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCSOCK)" \ - VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{sshserver}} VNCPW)" \ - \ - just _verify-n-unlock {{sshserver}} {{attempts}} + #!/usr/bin/env bash + set -e + env \ + GETPW="just _get_pass_entry Infrastructure/VPS/{{ sshserver }} DRIVE_PW" \ + SSHOPTS="$(just _get_pass_entry Infrastructure/VPS/{{ 
sshserver }} SSHOPTS)" \ + VNCSOCK="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCSOCK)" \ + VNCPW="$(just _get_pass_entry Infrastructure/VPS/{{ sshserver }} VNCPW)" \ + \ + just _verify-n-unlock {{ sshserver }} {{ attempts }} _verify-n-unlock sshserver attempts: - #!/usr/bin/env bash - set -e - : ${VNCSOCK:?VNCSOCK must be set} - : ${VNCPW:?VNCPW must be set} + #!/usr/bin/env bash + set -e + : ${VNCSOCK:?VNCSOCK must be set} + : ${VNCPW:?VNCPW must be set} - export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" - export TESS_ARGS="-c debug_file=/dev/null --psm 4" + export MAGICK_ARGS="-filter Catrom -density 72 -resample 300 -contrast -normalize -despeckle -type grayscale -sharpen 1 -posterize 3 -negate -gamma 100 -blur 1x65535" + export TESS_ARGS="-c debug_file=/dev/null --psm 4" - function send() { - local what="${1:?need something to send}" - ssh -4 ${SSHOPTS:?need sshopts} root@{{sshserver}} "echo -e ${what}>> /dev/tty0" &>/dev/null - } + function send() { + local what="${1:?need something to send}" + ssh -4 ${SSHOPTS:?need sshopts} root@{{ sshserver }} "echo -e ${what}>> /dev/tty0" &>/dev/null + } - function expect() { - local what="${1:?need something to expect}" - vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp - convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff - tesseract ${TESS_ARGS} screenshot.tiff screenshot - grep --quiet "${what}" screenshot.txt - } + function expect() { + local what="${1:?need something to expect}" + vncdo --server=${VNCSOCK} --password=${VNCPW} --disable-desktop-resizing --nocursor capture $PWD/screenshot.bmp + convert ${MAGICK_ARGS} screenshot.bmp screenshot.tiff + tesseract ${TESS_ARGS} screenshot.tiff screenshot + grep --quiet "${what}" screenshot.txt + } - function send_and_expect() { - local send="${1:?need something to send}" - local 
expect="${2:?need something to expect}" - if ! send "${send}"; then - echo warning: cannot send > /dev/stderr - return -1 - fi - expect "${expect}" - } + function send_and_expect() { + local send="${1:?need something to send}" + local expect="${2:?need something to expect}" + if ! send "${send}"; then + echo warning: cannot send > /dev/stderr + return -1 + fi + expect "${expect}" + } - trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT + trap 'E=$?; set +e; rm screenshot.*; echo Exiting...; kill $(jobs -p | cut -d " " -f 4); exit $E' EXIT - for i in `seq 1 {{attempts}}`; do - echo Attempt $i... - expect="$(pwgen -0 12)" - send="'\0033\0143'${expect}" - if send_and_expect "${send}" "${expect}"; then - pipe=$(mktemp -u) - mkfifo ${pipe} - exec 3<>${pipe} - rm ${pipe} + for i in `seq 1 {{ attempts }}`; do + echo Attempt $i... + expect="$(pwgen -0 12)" + send="'\0033\0143'${expect}" + if send_and_expect "${send}" "${expect}"; then + pipe=$(mktemp -u) + mkfifo ${pipe} + exec 3<>${pipe} + rm ${pipe} - echo Verification succeeded at attempt $i. Unlocking remote drive... - ssh -4 ${SSHOPTS} root@{{sshserver}} "cryptsetup-askpass" <&3 &>/dev/null & - eval ${GETPW} | head -n1 >&3 + echo Verification succeeded at attempt $i. Unlocking remote drive... + ssh -4 ${SSHOPTS} root@{{ sshserver }} "cryptsetup-askpass" <&3 &>/dev/null & + eval ${GETPW} | head -n1 >&3 - for j in `seq 1 120`; do - sleep 0.5 - if expect '— success'; then - echo Unlock successful. - exit 0 - fi - done + for j in `seq 1 120`; do + sleep 0.5 + if expect '— success'; then + echo Unlock successful. + exit 0 + fi + done - echo Unlock failed... - exit 1 - fi - done - echo Verification failed {{attempts}} times. Giving up... - exit 1 + echo Unlock failed... + exit 1 + fi + done + echo Verification failed {{ attempts }} times. Giving up... 
+ exit 1 _get_pass_entry path key: - pass show {{path}}| grep -E "^{{key}}:" | sed -E 's/^[^:]+: *//g' + pass show {{ path }}| grep -E "^{{ key }}:" | sed -E 's/^[^:]+: *//g' run-with-channels +cmds: - #!/usr/bin/env bash - source $(just -v _get_nix_path {{invocation_directory()}}/nix/variables/versions.nix) - {{cmds}} + #!/usr/bin/env bash + source $(just -v _get_nix_path {{ invocation_directory() }}/nix/variables/versions.nix) + {{ cmds }} install-config config root: - sudo just run-with-channels nixos-install -I nixos-config={{invocation_directory()}}/{{config}} --root {{root}} --no-root-passwd + sudo just run-with-channels nixos-install -I nixos-config={{ invocation_directory() }}/{{ config }} --root {{ root }} --no-root-passwd # Switch between gpg-card capable devices which have a copy of the same key -switch-gpg-card: - #!/usr/bin/env bash - # - # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. - # - # Connect the new device and then run this script to make it known to gnupg. - # - set -xe - KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') +switch-gpg-card key-id="6EEFA706CB17E89B": + #!/usr/bin/env bash + # + # Derived from https://github.com/drduh/YubiKey-Guide/issues/19. + # + # Connect the new device and then run this script to make it known to gnupg. 
+ # + set -xe + if [[ -n "{{key-id}}" ]]; then + KEY_ID="{{key-id}}" + else + KEY_ID=$(gpg --card-status | rg sec | rg -o '[0-9A-Z]{16}') + fi - # export pubkey and ownertrust - gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" - # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` - gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust + # export pubkey and ownertrust + gpg2 --output "${KEY_ID}".pubkey --export "${KEY_ID}" + # if this fails the trust in the key is missing and can be fixed with `gpg --edit-key ${KEY_ID}` + gpg2 --export-ownertrust | rg "${KEY_ID}" > "${KEY_ID}".ownertrust - # delete the key - gpg --yes --delete-secret-and-public-keys "${KEY_ID}" + # delete the key + gpg --yes --delete-secret-and-public-keys "${KEY_ID}" - # import pubkey and ownertrust back and cleanup - gpg2 --import "${KEY_ID}".pubkey - gpg2 --import-ownertrust < "${KEY_ID}".ownertrust - rm "${KEY_ID}".{pubkey,ownertrust} + # import pubkey and ownertrust back and cleanup + gpg2 --import "${KEY_ID}".pubkey + gpg2 --import-ownertrust < "${KEY_ID}".ownertrust + rm "${KEY_ID}".{pubkey,ownertrust} - # refresh the gpg agent - gpg-connect-agent "scd serialno" "learn --force" /bye - gpg --card-status + # refresh the gpg agent + gpg-connect-agent "scd serialno" "learn --force" /bye + gpg --card-status # Connect to `remote` UUID, and turn it into a short name uuid-to-device-name remote: - #!/usr/bin/env bash - set -e -o pipefail - ssh {{remote}} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' + #!/usr/bin/env bash + set -e -o pipefail + ssh {{ remote }} 'nix run nixpkgs.dmidecode -c dmidecode -s system-uuid' | xxhsum --quiet -H1 | awk '{print $1}' test-connection: - #! /usr/bin/env nix-shell - #! nix-shell -p curl zsh - #! nix-shell -i zsh - #! nix-shell --pure + #! /usr/bin/env nix-shell + #! nix-shell -p curl zsh + #! nix-shell -i zsh + #! 
nix-shell --pure - while true; do - FAILURE="false" - output=$( - echo "$(date)\n---" - for url in \ - "https://172.16.0.1:65443/0.7/gui/#/login/" \ - "https://192.168.0.1" \ - "http://172.172.171.9" \ - "https://172.172.171.10:65443" \ - "https://172.172.171.11:65443" \ - "https://172.172.171.13:443" \ - "https://172.172.171.14:443" \ - "http://172.172.171.15:22" \ - "http://172.172.171.16:22" \ - "https://crates.io" \ - "https://holo.host" \ - ; \ - do - print "trying ${url}": $( - curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) - # if [ $? -ne 0 ]; then - if [[ "$curl_output" == *timeout* ]]; then - echo failure: $(echo ${curl_output} | tail -n1) - # BUG: outer FAILURE is not set by this - FAILURE="true" - else - echo success - fi - ) - done - ) - clear - echo ${output} + while true; do + FAILURE="false" + output=$( + echo "$(date)\n---" + for url in \ + "https://172.16.0.1:65443/0.7/gui/#/login/" \ + "https://192.168.0.1" \ + "http://172.172.171.9" \ + "https://172.172.171.10:65443" \ + "https://172.172.171.11:65443" \ + "https://172.172.171.13:443" \ + "https://172.172.171.14:443" \ + "http://172.172.171.15:22" \ + "http://172.172.171.16:22" \ + "https://crates.io" \ + "https://holo.host" \ + ; \ + do + print "trying ${url}": $( + curl_output=$(curl --http0.9 -k --head --connect-timeout 0.5 ${url} 2>&1) + # if [ $? 
-ne 0 ]; then + if [[ "$curl_output" == *timeout* ]]; then + echo failure: $(echo ${curl_output} | tail -n1) + # BUG: outer FAILURE is not set by this + FAILURE="true" + else + echo success + fi + ) + done + ) + clear + echo ${output} - if [[ ${FAILURE} == "true" ]]; then - echo something failed - tracepath -m5 -n1 172.16.0.1 - tracepath -m5 -n1 192.168.0.1 - fi + if [[ ${FAILURE} == "true" ]]; then + echo something failed + tracepath -m5 -n1 172.16.0.1 + tracepath -m5 -n1 192.168.0.1 + fi - sleep 5 - done + sleep 5 + done cachix-use name: - nix run nixpkgs/nixos-unstable#cachix -- use {{name}} -m nixos -d nix/os/ + nix run nixpkgs/nixos-unstable#cachix -- use {{ name }} -m nixos -d nix/os/ + +update-sops-keys: + for file in $(egrep -lr '"?sops"?:') secrets; do sops updatekeys -y $file; done + +deploy-router0-dmz0: + NIX_SSHOPTS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o CheckHostIP=no" nixos-rebuild switch --impure --flake .\#router0-dmz0 --target-host root@192.168.20.1 + +ttyusb: + screen -fa /dev/ttyUSB0 115200 diff --git a/README.md b/README.md index d59de56..5d32951 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,5 @@ # steveej's infra + This repository helps me to manage all computer infrastructure. This is mostly achieved with the help of [Nix](https://nixos.org). @@ -19,7 +20,7 @@ In the unlikely case that you actually read this and have any questions please d - [ ] development environments - [x] (Semi-) automatic synchronization of important repositories - [x] Modification strategy - The approach is to use vcsh for the dotfiles + The approach is to use vcsh for the dotfiles - [x] dotfiles - [x] Toplevel Justfile for simple actions - [x] mount/umount disks 
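Review bot: In the new `update-sops-keys` recipe the closing parenthesis sits before `secrets`, so `egrep -lr '"?sops"?:'` runs with no path argument (GNU grep then recurses from the current directory, .git included) and the literal word `secrets` becomes an extra loop item, making the loop also run `sops updatekeys -y secrets` on the directory itself; the path belongs inside the substitution: `for file in $(egrep -lr '"?sops"?:' secrets); do sops updatekeys -y "$file"; done`. The new `deploy-router0-dmz0` recipe sets `StrictHostKeyChecking=no` together with `UserKnownHostsFile=/dev/null`, which activates a system as root on 192.168.20.1 without any host identity check; a dedicated known_hosts file holding the router's key (`-o UserKnownHostsFile=<path-to-router0-known_hosts>`) keeps the convenience without the blind trust. In `switch-gpg-card`, the default `key-id="6EEFA706CB17E89B"` is non-empty, so the `gpg --card-status` fallback in the `else` branch is only reached when the caller passes an empty string explicitly; a one-line comment above the `if`, or an empty default, would make that visible.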
@@ -39,39 +40,46 @@ In the unlikely case that you actually read this and have any questions please d - [x] sj-pve0 - [x] use an existing secret management framework - [x] adapt (or abandon?) _just_ recipes - - [x] `rebuild-this-device` - - [x] `update-this-device` - - [x] `rebuild-remote-device` - - [x] `update-remote-device` - evaluate, and understand a path to using these tools in a pull-based fashion: + - [x] `rebuild-this-device` + - [x] `update-this-device` + - [x] `rebuild-remote-device` + - [x] `update-remote-device` + + evaluate, and understand a path to using these tools in a pull-based fashion: + - [x] [colmena](https://github.com/zhaofengli/colmena) - * bootstrapping: https://github.com/zhaofengli/colmena/issues/68 + - bootstrapping: https://github.com/zhaofengli/colmena/issues/68 - [ ] deploy-rs -- [x] 🚧 find a better alternative for the qtile-desktop - current issues: - - floating windows often get lost in the background - - plugging in-/out- screen crashes the desktop - evaluate: - - [x] ~~🚧 gnome3 + pop-shell~~ - - [x] ~~leftwm + eww (+ wayland?)~~ +- [x] 🚧 find a better alternative for the qtile-desktop + current issues: + + - floating windows often get lost in the background + - plugging in-/out- screen crashes the desktop + + evaluate: + + - [x] ~~🚧 gnome3 + pop-shell~~ + - [x] ~~leftwm + eww (+ wayland?)~~ + - [ ] (Re-)document bootstrap process - [ ] `apt install sudo cryptsetup` as a requirements on a deb admin machine - [ ] a new machine - [ ] an install media - [ ] Design disaster recovery - [ ] Automatic synchronization of other state files - see https://gitlab.com/steveeJ/nix-expressions/issues/2 -- [ ] Recycle *\_archived* +- [ ] Recycle _\_archived_ - [ ] container migrations - [ ] ensure DDNS is updated _before_ the containers are started - ## Bugs + - [ ] home-manager leaves ~/.gnupg at 0755 ## Usage -*(These are reminders for my future self)* + +_(These are reminders for my future self)_ ``` just --list 
@@ -80,15 +88,17 @@ just --list ## Bootstrap ### A new machine -* ensure the dotfiles repo has a branch with the new machine's hostname -* boot with an install media and go through setup +- ensure the dotfiles repo has a branch with the new machine's hostname + +- boot with an install media and go through setup #### Post-Install Setup -* `chmod --recursive g-rwx,o-rwx ~/.gnupg` -* `gpg2 --edit-card; fetch` -* clone password-manager and infra repositories -* gpg2: ultimately trust my own key + +- `chmod --recursive g-rwx,o-rwx ~/.gnupg` +- `gpg2 --edit-card; fetch` +- clone password-manager and infra repositories +- gpg2: ultimately trust my own key ## Swapping out a disk diff --git a/_archive/environments/dev/cross.nix b/_archive/environments/dev/cross.nix deleted file mode 100644 index 65e6c09..0000000 --- a/_archive/environments/dev/cross.nix +++ /dev/null 
@@ -1,90 +0,0 @@ -import /home/steveej/src/github/NixOS/nixpkgs/default.nix { - crossSystem = rec { - config = "armv7l-unknown-linux-gnueabi"; - bigEndian = false; - arch = "arm"; - float = "hard"; - fpu = "vfpv3-d16"; - withTLS = true; - libc = "glibc"; - platform = { - name = "armv7l-hf-multiplatform"; - gcc = { - arch = "armv7-a"; - fpu = "neon"; - float = "hard"; - }; - kernelMajor = "2.6"; # Using "2.6" enables 2.6 kernel syscalls in glibc. - kernelHeadersBaseConfig = "multi_v7_defconfig"; - kernelBaseConfig = "multi_v7_defconfig"; - kernelArch = "arm"; - kernelDTB = true; - kernelAutoModules = false; - kernelExtraConfig = '' - NAMESPACES y - BTRFS_FS y - BTRFS_FS_POSIX_ACL y - OVERLAY_FS y - FUSE_FS y - ''; - kernelTarget = "zImage"; - uboot = null; - }; - openssl.system = "linux-generic32"; - gcc = { - arch = "armv7-a"; - fpu = "neon"; - float = "hard"; - }; - }; -} -# pkgs.config = { -# packageOverrides = super: let self = super.pkgs; in { -# linux_4_0 = super.linux_3_18.override { -# kernelPatches = super.linux_3_18.kernelPatches ++ [ -# # we'll also add one of our own patches -# { patch = ./dts.patch; name = "dts-fix"; } -# ]; -# -# # add "CONFIG_PPP_FILTER y" option to the set of kernel options -# extraConfig = '' -# HAVE_IMX_ANATOP y -# HAVE_IMX_GPC y -# HAVE_IMX_MMDC y -# HAVE_IMX_SRC y -# SOC_IMX6 y -# SOC_IMX6Q y -# SOC_IMX6SL y -# PCI_IMX6 y -# ARM_IMX6Q_CPUFREQ y -# IMX_WEIM y -# AHCI_IMX y -# SERIAL_IMX y -# SERIAL_IMX_CONSOLE y -# I2C_IMX y -# SPI_IMX y -# PINCTRL_IMX y -# PINCTRL_IMX6Q y -# PINCTRL_IMX6SL y -# POWER_RESET_IMX y -# IMX_THERMAL y -# IMX2_WDT y -# IMX_IPUV3_CORE y -# DRM_IMX y -# DRM_IMX_FB_HELPER y -# DRM_IMX_PARALLEL_DISPLAY y -# DRM_IMX_TVE y -# DRM_IMX_LDB y -# DRM_IMX_IPUV3 y -# DRM_IMX_HDMI y -# MMC_SDHCI_ESDHC_IMX y -# IMX_SDMA y -# PWM_IMX y -# DEBUG_IMX6Q_UART y -# -# PPP_FILTER y -# ''; -# }; -# }; -# }; - 
diff --git a/_archive/environments/dev/go/default.nix b/_archive/environments/dev/go/default.nix deleted file mode 100644 index c92aa9d..0000000 --- a/_archive/environments/dev/go/default.nix +++ /dev/null 
@@ -1,89 +0,0 @@ -{ - gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, - pkgs ? gitpkgs, - name ? "generic", - version, - extraBuildInputs ? [], - extraShellHook ? "", -}: let - go = builtins.getAttr "go_${version}" pkgs; - commonVimRC = '' - let g:tagbar_type_go = { - \ 'ctagstype' : 'go', - \ 'kinds' : [ - \ 'p:package', - \ 'i:imports:1', - \ 'c:constants', - \ 'v:variables', - \ 't:types', - \ 'n:interfaces', - \ 'w:fields', - \ 'e:embedded', - \ 'm:methods', - \ 'r:constructor', - \ 'f:functions' - \ ], - \ 'sro' : '.', - \ 'kind2scope' : { - \ 't' : 'ctype', - \ 'n' : 'ntype' - \ }, - \ 'scope2kind' : { - \ 'ctype' : 't', - \ 'ntype' : 'n' - \ }, - \ 'ctagsbin' : 'gotags', - \ 'ctagsargs' : '-sort -silent' - \ } - - " vim-go { - let g:go_highlight_functions = 1 - let g:go_highlight_methods = 1 - let g:go_highlight_structs = 1 - let g:go_highlight_interfaces = 1 - let g:go_highlight_operators = 1 - let g:go_highlight_build_constraints = 1 - let g:go_fmt_command = 'gofmt' - let g:go_fmt_options= '-s' - let g:go_def_mode = 'godef' - let g:go_def_reuse_buffer = 0 - - au FileType go nmap gds (go-def-split) - au FileType go nmap gdv (go-def-vertical) - au FileType go nmap gdt (go-def-tab) - au FileType go nmap gi (go-imports) - " } - ''; - buildInputs = with pkgs; [ - glibc.out - glibc.static - - go - gotools - #gotools.bin - #gocode.bin - #godef godef.bin - godep - #godep.bin - gox.bin - #ginkgo ginkgo.bin - #gomega - # ( import ./vim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) - # ( import ./neovim-go.nix { pkgs=gitpkgs; commonRC=commonVimRC; } ) - ]; -in - pkgs.stdenv.mkDerivation { - inherit name; - buildInputs = extraBuildInputs ++ buildInputs; - shellHook = '' - goname=${go.version}_$name - # FIXME: setPS1 $goname - export GOROOT=${go}/share/go - export GOPATH="$HOME/.gopath_$goname" - export PATH="$HOME/.gopath_$goname/bin:$PATH" - unset name - unset SSL_CERT_FILE - - ${extraShellHook} - ''; - } 
diff --git a/_archive/environments/dev/go/neovim-go.nix b/_archive/environments/dev/go/neovim-go.nix deleted file mode 100644 index 1bbc4dc..0000000 --- a/_archive/environments/dev/go/neovim-go.nix +++ /dev/null @@ -1,12 +0,0 @@ -{commonRC, ...} @ args: (import ../../pkg-configuration/vim-derivates/neovim.nix args - // { - additionalRC = - commonRC - + '' - " deoplete { - let g:deoplete#enable_at_startup = 1 - let g:deoplete#enable_smart_case = 1 - " } - ''; - additionalPlugins = ["deoplete-go" "deoplete-nvim" "vim-go"]; - }) diff --git a/_archive/environments/dev/pandoc.nix b/_archive/environments/dev/pandoc.nix deleted file mode 100644 index fc4a298..0000000 --- a/_archive/environments/dev/pandoc.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ - gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, - pkgs ? gitpkgs, - name ? "generic", - version ? "Stable", - extraBuildInputs ? [], -}: let - commonVimRC = ""; -in - pkgs.stdenv.mkDerivation { - inherit name; - buildInputs = with pkgs; - [ - (import ./vim-pandoc.nix { - pkgs = gitpkgs; - commonRC = commonVimRC; - }) - pandoc - texlive.combined.scheme-medium - python27Packages.pandocfilters - python27Packages.htmltreediff - python27Packages.html5lib - python27Packages.dbus-python - ] - ++ extraBuildInputs; - shellHook = '' - pandocname=pandoc_${pkgs.pandoc.version} - setPS1 $pandocname - unset name - ''; - } diff --git a/_archive/environments/dev/rkt.nix b/_archive/environments/dev/rkt.nix deleted file mode 100644 index aa01935..0000000 --- a/_archive/environments/dev/rkt.nix +++ /dev/null 
@@ -1,71 +0,0 @@ -{ - pkgs ? import /home/steveej/src/github/NixOS/nixpkgs {}, - mkGoEnv ? import ./go.nix, - rktPath, -}: let - rktBasebuildInputs = with pkgs; [ - glibc.out - glibc.static - autoreconfHook - gnupg1 - squashfsTools - cpio - tree - intltool - libtool - pkgconfig - libgcrypt - gperf - libcap - libseccomp - libzip - eject - iptables - bc - acl - trousers - systemd - ]; - extraShellHook = '' - TARGET=$GOPATH/src/github.com/coreos/rkt - if [[ -e ${rktPath}/rkt/rkt.go ]]; then - pushd ${rktPath} - else - echo rktPath must be run the rkt repository clone, but got '${rktPath}' - exit 1 - fi - if ! [[ -e $TARGET/rkt/rkt.go ]]; then - mkdir -p $TARGET - echo $PWD - sudo -E mount -o bind $PWD $TARGET - fi - pushd $TARGET - ''; -in { - go15 = mkGoEnv { - inherit pkgs; - - name = "rktGo15"; - version = "1_5"; - extraBuildInputs = rktBasebuildInputs; - inherit extraShellHook; - }; - - go16 = mkGoEnv { - inherit pkgs; - - name = "rktGo16"; - version = "1_6"; - extraBuildInputs = rktBasebuildInputs; - inherit extraShellHook; - }; - - go17 = mkGoEnv { - inherit pkgs; - - name = "rktGo17"; - version = "1_7"; - extraBuildInputs = rktBasebuildInputs; - inherit extraShellHook; - }; -} diff --git a/_archive/environments/dev/rust/.envrc b/_archive/environments/dev/rust/.envrc deleted file mode 100644 index 051d09d..0000000 --- a/_archive/environments/dev/rust/.envrc +++ /dev/null @@ -1 +0,0 @@ -eval "$(lorri direnv)" diff --git a/_archive/environments/dev/rust/default.nix b/_archive/environments/dev/rust/default.nix deleted file mode 100644 index 11caffa..0000000 --- a/_archive/environments/dev/rust/default.nix +++ /dev/null 
@@ -1,39 +0,0 @@
-{
- gitpkgs ? import /home/steveej/src/github/NixOS/nixpkgs {},
- pkgs ? gitpkgs,
- name ? "generic",
- version ? "Stable",
- extraBuildInputs ? [],
-}: let
- rustPackages = builtins.getAttr "rust${version}" pkgs;
- rustc = rustPackages.rustc;
- rustShellHook = {
- rustc,
- name,
- }: ''
- rustname=rust_${rustc.version}_${name}
- setPS1 $rustname
- unset name
- '';
- commonVimRC = "";
-in
- pkgs.stdenv.mkDerivation {
- inherit name;
- buildInputs = with rustPackages;
- [
- (import ./vim-rust.nix {
- pkgs = gitpkgs;
- commonRC = commonVimRC;
- inherit rustc;
- racerd = pkgs.rustracerd;
- })
- rustc
- cargo
- ]
- ++ [pkgs.rustfmt]
- ++ extraBuildInputs;
- shellHook = rustShellHook {
- inherit name;
- inherit rustc;
- };
- }
diff --git a/_archive/environments/dev/vim-go.nix b/_archive/environments/dev/vim-go.nix
deleted file mode 100644
index 6eacc45..0000000
--- a/_archive/environments/dev/vim-go.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{commonRC, ...} @ args:
-import ../../pkg-configuration/vim-derivates/vim.nix (args
- // {
- name = "vim-for-go";
- additionalRC =
- commonRC
- + ''
- " Disable AutoComplPop.
- let g:acp_enableAtStartup = 0
- " Use neocomplete.
- let g:neocomplete#enable_at_startup = 1
- " Use smartcase.
- let g:neocomplete#enable_smart_case = 1
- if !exists('g:neocomplete#sources#omni#input_patterns')
- let g:neocomplete#sources#omni#input_patterns = {}
- endif
- '';
- additionalPlugins = ["neocomplete" "vim-go"];
- })
diff --git a/_archive/environments/dev/vim-pandoc.nix b/_archive/environments/dev/vim-pandoc.nix
deleted file mode 100644
index 7fc03f2..0000000
--- a/_archive/environments/dev/vim-pandoc.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{commonRC, ...} @ args:
-import ../../pkg-configuration/vim-derivates/vim.nix (args
- // {
- name = "vim-for-pandoc";
- additionalRC =
- commonRC
- + ''
- set statusline+=%#warningmsg#
- set statusline+=%{SyntasticStatuslineFlag()}
- set statusline+=%*
-
- let g:syntastic_always_populate_loc_list = 1
- let g:syntastic_auto_loc_list = 1
- let g:syntastic_check_on_open = 1
- let g:syntastic_check_on_wq = 0
- '';
- additionalPlugins = ["vim-pandoc" "vim-pandoc-syntax" "vimpreviewpandoc"];
- })
diff --git a/_archive/environments/dev/vim-rust.nix b/_archive/environments/dev/vim-rust.nix
deleted file mode 100644
index 56e3c7d..0000000
--- a/_archive/environments/dev/vim-rust.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{
- commonRC,
- rustc,
- racerd,
- ...
-} @ args:
-import ../../pkg-configuration/vim-derivates/vim.nix (args
- // {
- name = "vim-for-rust";
- additionalRC =
- commonRC
- + ''
- set statusline+=%#warningmsg#
- set statusline+=%{SyntasticStatuslineFlag()}
- set statusline+=%*
-
- let g:syntastic_always_populate_loc_list = 1
- let g:syntastic_auto_loc_list = 1
- let g:syntastic_check_on_open = 1
- let g:syntastic_check_on_wq = 0
-
- " tagbar
- let g:tagbar_type_rust = {
- \ 'ctagstype' : 'rust',
- \ 'kinds' : [
- \'T:types,type definitions',
- \'f:functions,function definitions',
- \'g:enum,enumeration names',
- \'s:structure names',
- \'m:modules,module names',
- \'c:consts,static constants',
- \'t:traits,traits',
- \'i:impls,trait implementations',
- \]
- \}
-
- let g:syntastic_rust_checkers = ["rustc"]
-
- "rustfmt
- let g:rustfmt_autosave = 1
-
- let g:ycm_auto_trigger = 1
- let g:ycm_rust_src_path = '${rustc.src}/src'
- let g:ycm_racerd_binary_path = '${racerd.out}/bin/racerd'
-
- '';
- additionalPlugins = ["rust-vim"];
- })
diff --git a/_archive/environments/fhs/android.nix b/_archive/environments/fhs/android.nix
deleted file mode 100644
index 074469e..0000000
--- a/_archive/environments/fhs/android.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{pkgs ? import {}}:
-(pkgs.buildFHSUserEnv {
- name = "devfhs";
- multiPkgs = pkgs: (with pkgs; [
- android-udev-rules
- sudo
- gawk
- bzip2
- file
- gcc
- getopt
- git
- gnumake
- ncurses
- openssl
- patch
- perl
- pkgconfig
- python
- openssh
- subversion
- unzip
- wget
- which
- vim
- zlib
- libusb
- libusb1
- systemd
- strace
- swt
- xorg.libXtst
- glib
- gtk2
- gnome.gtk
- ]);
- profile = ''
- export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/lib:/lib64:/lib32:/usr/lib32:/usr/lib64:${pkgs.xorg.libXtst}/lib:${pkgs.glib}/lib:${pkgs.gtk2}/lib
- '';
- runScript = "bash";
-})
-.env
diff --git a/_archive/environments/fhs/vscode.nix b/_archive/environments/fhs/vscode.nix
deleted file mode 100644
index da08700..0000000
--- a/_archive/environments/fhs/vscode.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{pkgs ? import {}}:
-(pkgs.buildFHSUserEnv {
- name = "everydayFHS";
- targetPkgs = pkgs: (with pkgs; [
- which
- gitFull
- zsh
- file
- direnv
-
- xdg_utils
- xsel
-
- vscode
-
- # vscode live share
- gnome3.gcr
- libgnome_keyring3
- liburcu
- libunwind
- lttng-ust
- curl
- openssl
- libkrb5
- libuuid
- icu
- zlib
- libsecret
- ]);
- multiPkgs = pkgs: (with pkgs; []);
- profile = ''
- export SHELL=/bin/zsh
- '';
- # FIXME runScript = "$SHELL";
-})
-.env
diff --git a/default.nix b/default.nix
index 75e1dbb..6aba02e 100644
--- a/default.nix
+++ b/default.nix
@@ -4,6 +4,9 @@
 # Having pkgs default to is fine though, and it lets you use short
 # commands such as:
 # nix-build -A mypackage
-{pkgs ? import {}}: {
- pkgs = import ./nix/pkgs {inherit pkgs;};
+{
+ pkgs ? import { },
+}:
+{
+ pkgs = import ./nix/pkgs { inherit pkgs; };
 }
diff --git a/flake-sandbox/flake.lock b/flake-sandbox/flake.lock
deleted file mode 100644
index b600a49..0000000
--- a/flake-sandbox/flake.lock
+++ /dev/null
@@ -1,27 +0,0 @@ -{ - "nodes": { - "nixpkgs": { - "locked": { - "lastModified": 1681091990, - "narHash": "sha256-ifIzhksUBZKp5WgCuoVhDY32qaEplXp7khzrB6zkaFc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "ea96b4af6148114421fda90df33cf236ff5ecf1d", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-22.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "nixpkgs": "nixpkgs" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/flake-sandbox/flake.nix b/flake-sandbox/flake.nix deleted file mode 100644 index 112447e..0000000 --- a/flake-sandbox/flake.nix +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-22.11"; - }; - outputs = { - self, - nixpkgs, - }: let - system = "x86_64-linux"; - pkgs = import nixpkgs {inherit system;}; - in { - devShells."${system}".default = pkgs.mkShell { - packages = with pkgs; - with pkgs.gnome; [ - hexchat - audacity - proot - yubikey-manager-qt - cheese - remmina - exiv2 - wireshark-qt - seahorse - kotatogram-desktop - usbutils - networkmanagerapplet - sshfs-fuse - pavucontrol - libwebcam - just - eog - git-crypt - espanso - unetbootin - vcsh - skypeforlinux - du-dust - bind - teamviewer - gparted - neovim - inkscape - rustdesk - gnome-themes-extra - pass - xdg-user-dirs - cbatticon - yubikey-personalization-gui - zoom - signal-desktop - xorg.xbacklight - vscode - ripgrep - lightdm - nixpkgs-fmt - git-lfs - qtpass - gimp - lxappearance - flameshot - thunderbird - fprintd - chromium - evtest - alejandra - vlc - pastebinit - evolution - zbar - libreoffice - brave - pidgin - direnv - xorg.xhost - lorri - firefox - logseq - x11_ssh_askpass - xsel - feh - htop - openvpn - syncthing - ncdu - rofi-pass - testdisk - vanilla-dmz - wireguard-tools - xarchive - gnome-icon-theme - wget - nix-index - mr - passff-host - browserpass - xorg.xcursorthemes - gitRepo - gitSVN - androidenv.androidPkgs_9_0.platform-tools - - # introduces python - (qtile.passthru.unwrapped.overrideAttrs (oldAttrs: { - propagatedBuildInputs = - [] - # ++ oldAttrs.passthru.unwrapped.propagatedBuildInputs - # ++ (with pkgs.python3Packages; [ - # # python-wifi - # # iwlib - # keyring - # ]) - ; - - makeWrapperArgs = - oldAttrs.makeWrapperArgs - ++ [ - "--prefix PATH : ${pkgs.lib.makeBinPath oldAttrs.propagatedBuildInputs}" - ]; - })) - - # gi-docgen - # yelp-tools - # scons - # autorandr - # arandr - # meson - # mercurial - # unrar-wrapper - # orca - # radicale - # criu - # gnome-music - # gnome-browser-connector - # radicale - # hplip - # qtile - # gtk-doc - # asciidoc - # meson - ]; - }; - }; -} 
diff --git a/flake.lock b/flake.lock index af15232..595341f 100644 --- a/flake.lock +++ b/flake.lock @@ -3,11 +3,11 @@ "aphorme_launcher": { "flake": false, "locked": { - "lastModified": 1699523648, - "narHash": "sha256-OmeelrddWuPQL84W/1Fi3FczKfrR+XdosRfKofc2o6w=", + "lastModified": 1719922896, + "narHash": "sha256-mOtCz42NFQn+0xPF3gBX4WHfo5UEClSsJ/tF8RdFQkY=", "owner": "Iaphetes", "repo": "aphorme_launcher", - "rev": "3404dd1ac0c448d517efc0a20f554da0f1d5550c", + "rev": "c7c7ce9f91a31cced181fa501a2cad3c68035def", "type": "github" }, "original": { @@ -21,17 +21,18 @@ "inputs": { "flake-compat": "flake-compat", "flake-utils": "flake-utils", + "nix-github-actions": "nix-github-actions", "nixpkgs": [ "nixpkgs" ], "stable": "stable" }, "locked": { - "lastModified": 1699171528, - "narHash": "sha256-ZsN6y+tgN5w84oAqRQpMhIvQM39ZNSZoZvn2AK0QYr4=", + "lastModified": 1731527002, + "narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=", "owner": "zhaofengli", "repo": "colmena", - "rev": "665603956a1c3040d756987bc7a810ffe86a3b15", + "rev": "e3ad42138015fcdf2524518dd564a13145c72ea1", "type": "github" }, "original": { @@ -41,17 +42,12 @@ } }, "crane": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, "locked": { - "lastModified": 1703439018, - "narHash": "sha256-VT+06ft/x3eMZ1MJxWzQP3zXFGcrxGo5VR2rB7t88hs=", + "lastModified": 1733286231, + "narHash": "sha256-mlIDSv1/jqWnH8JTiOV7GMUNPCXL25+6jmD+7hdxx5o=", "owner": "ipetkov", "repo": "crane", - "rev": "afdcd41180e3dfe4dac46b5ee396e3b12ccc967a", + "rev": "af1556ecda8bcf305820f68ec2f9d77b41d9cc80", "type": "github" }, "original": { 
@@ -60,6 +56,27 @@ "type": "github" } }, + "devshell": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1728330715, + "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=", + "owner": "numtide", + "repo": "devshell", + "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, "disko": { "inputs": { "nixpkgs": [ @@ -68,11 +85,11 @@ ] }, "locked": { - "lastModified": 1701905325, - "narHash": "sha256-lda63LmEIlDMeCgWfjr3/wb487XPllBByfrGRieyEk4=", + "lastModified": 1727359191, + "narHash": "sha256-5PltTychnExFwzpEnY3WhOywaMV/M6NxYI/y3oXuUtw=", "owner": "nix-community", "repo": "disko", - "rev": "1144887c6f4d2dcbb2316a24364ef53e25b0fcfe", + "rev": "67dc29be3036cc888f0b9d4f0a788ee0f6768700", "type": "github" }, "original": { @@ -82,6 +99,23 @@ "type": "github" } }, + "espanso": { + "flake": false, + "locked": { + "lastModified": 1711840403, + "narHash": "sha256-4y5yHFfA8SmtSJVC2YleoHCUXkgqee+k9A2pRUzqzDo=", + "owner": "espanso", + "repo": "espanso", + "rev": "db97658d1d80697a635b57801696c594eacf057b", + "type": "github" + }, + "original": { + "owner": "espanso", + "repo": "espanso", + "rev": "db97658d1d80697a635b57801696c594eacf057b", + "type": "github" + } + }, "fenix": { "inputs": { "nixpkgs": [ @@ -90,11 +124,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1704176544, - "narHash": "sha256-A6PfA1DB6cF3cQerysGK8zIumGTrXucdHoFRU+8H7Lc=", + "lastModified": 1733380458, + "narHash": "sha256-H+IQB6cJ7ji/YD537pcSUWlwGGJ49RoYylBonyNW9hk=", "owner": "nix-community", "repo": "fenix", - "rev": "54df821cae7bd492a049ef213336810247128110", + "rev": "08c9e4e29865b60cb81189f8e4de0dccaf297865", "type": "github" }, "original": { 
@@ -120,12 +154,28 @@ } }, "flake-compat_2": { + "flake": false, "locked": { - "lastModified": 1688025799, - "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { + "locked": { + "lastModified": 1717312683, + "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", "owner": "nix-community", "repo": "flake-compat", - "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", + "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", "type": "github" }, "original": { @@ -134,16 +184,30 @@ "type": "github" } }, + "flake-compat_4": { + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "revCount": 57, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1704152458, - "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", "type": "github" }, "original": { 
@@ -160,11 +224,11 @@ ] }, "locked": { - "lastModified": 1701473968, - "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", + "lastModified": 1726153070, + "narHash": "sha256-HO4zgY0ekfwO5bX0QH/3kJ/h4KvUDFZg8YpkNwIbg1U=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", + "rev": "bcef6817a8b2aa20a5a6dbb19b43e63c5bf8619a", "type": "github" }, "original": { @@ -182,11 +246,53 @@ ] }, "locked": { - "lastModified": 1701473968, - "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_4": { + "inputs": { + "nixpkgs-lib": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1730504689, + "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "506278e768c2a08bec68eb62932193e341f55c90", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-parts_5": { + "inputs": { + "nixpkgs-lib": [ + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", "type": "github" }, "original": { 
@@ -210,16 +316,34 @@ "type": "github" } }, + "flake-utils_10": { + "inputs": { + "systems": "systems_5" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "flake-utils_2": { "inputs": { "systems": "systems" }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { 
@@ -230,11 +354,107 @@ }, "flake-utils_3": { "locked": { - "lastModified": 1667395993, - "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_6": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_7": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_8": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + 
"lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_9": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { @@ -245,11 +465,11 @@ }, "get-flake": { "locked": { - "lastModified": 1694475786, - "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", + "lastModified": 1714237590, + "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", "owner": "ursi", "repo": "get-flake", - "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", + "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", "type": "github" }, "original": { 
@@ -258,14 +478,115 @@ "type": "github" } }, + "git-hooks": { + "inputs": { + "flake-compat": [ + "nixvim", + "flake-compat" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ], + "nixpkgs-stable": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1732021966, + "narHash": "sha256-mnTbjpdqF0luOkou8ZFi2asa1N3AA2CchR/RqCNmsGE=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "3308484d1a443fc5bc92012435d79e80458fe43c", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "nixvim", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733175814, + "narHash": "sha256-zFOtOaqjzZfPMsm1mwu98syv3y+jziAq5DfWygaMtLg=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "bf23fe41082aa0289c209169302afd3397092f22", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "ixx": { + "inputs": { + "flake-utils": [ + "nixvim", + "nuschtosSearch", + "flake-utils" + ], + "nixpkgs": [ + "nixvim", + "nuschtosSearch", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729958008, + "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=", + "owner": "NuschtOS", + "repo": "ixx", + "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "ref": "v0.0.6", + "repo": "ixx", + "type": "github" + } + }, "jay": { "flake": false, "locked": { - "lastModified": 
1698077919, - "narHash": "sha256-X4bMOBS2WFcbiOiynvSId1XoWgQW3wbO7/atJ9V7buk=", + "lastModified": 1732789238, + "narHash": "sha256-Yc87dku8r8m7YeVT9VBwfXYPdEfQbb8JKWbOMts6VqY=", "owner": "mahkoh", "repo": "jay", - "rev": "b4d73064d9c112c69ff16200231145ccffcb3e81", + "rev": "558fe3d3cef435108c7d31f9b3503263a14d38b0", "type": "github" }, "original": { @@ -276,15 +597,15 @@ }, "lib-aggregate": { "inputs": { - "flake-utils": "flake-utils_2", + "flake-utils": "flake-utils_8", "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1704024543, - "narHash": "sha256-hmKcKSuTqVK47l2G0PkLAinZN1oCOb6XdPPJhNCQ2rg=", + "lastModified": 1733055216, + "narHash": "sha256-yB2y7tGJxDI/SDQ0D7b6ocRtLTPm93u8ybdIKQGXRDE=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "4608880f02f8f868e1b7f85c60abdfc5cb0cf9ec", + "rev": "f67bf0781c69a46bf3a1469f83c98518aa3054c3", "type": "github" }, "original": { 
@@ -293,35 +614,40 @@ "type": "github" } }, - "magmawm": { - "flake": false, + "nix-darwin": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, "locked": { - "lastModified": 1703542178, - "narHash": "sha256-HuCAz+B+cg7HoEEL67heaYRc8zmQCnPBR+DgmuiIZBk=", - "owner": "MagmaWM", - "repo": "MagmaWM", - "rev": "24dc21f228efb034cd0237fb5ff9a8310f1929b7", + "lastModified": 1733105089, + "narHash": "sha256-Qs3YmoLYUJ8g4RkFj2rMrzrP91e4ShAioC9s+vG6ENM=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "c6b65d946097baf3915dd51373251de98199280d", "type": "github" }, "original": { - "owner": "MagmaWM", - "repo": "MagmaWM", + "owner": "lnl7", + "repo": "nix-darwin", "type": "github" } }, "nix-eval-jobs": { "inputs": { "flake-parts": "flake-parts_3", - "nix-github-actions": "nix-github-actions", - "nixpkgs": "nixpkgs", + "nix-github-actions": "nix-github-actions_2", + "nixpkgs": "nixpkgs_4", "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1703466376, - "narHash": "sha256-Wy8iF8u5KSzrTxg1hStTBmUjzzKdKyCyMOg8b/eTvVQ=", + "lastModified": 1732631228, + "narHash": "sha256-/7Wyhp00yecUMPNz79gGZpjos8OLHqOfdiWWIQfZA1M=", "owner": "nix-community", "repo": "nix-eval-jobs", - "rev": "64104a3c55593c903af78af86a4c9d2e5487a2d7", + "rev": "8f56354b794624689851b2d86c2ce0209cc8f0cf", "type": "github" }, "original": { @@ -331,6 +657,27 @@ } }, "nix-github-actions": { + "inputs": { + "nixpkgs": [ + "colmena", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1729742964, + "narHash": "sha256-B4mzTcQ0FZHdpeWcpDYPERtyjJd/NIuaQ9+BV1h+MpA=", + "owner": "nix-community", + "repo": "nix-github-actions", + "rev": "e04df33f62cdcf93d73e9a04142464753a16db67", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-github-actions", + "type": "github" + } + }, + "nix-github-actions_2": { "inputs": { "nixpkgs": [ "nixpkgs-wayland", 
@@ -339,11 +686,11 @@ ] }, "locked": { - "lastModified": 1701208414, - "narHash": "sha256-xrQ0FyhwTZK6BwKhahIkUVZhMNk21IEI1nUcWSONtpo=", + "lastModified": 1731952509, + "narHash": "sha256-p4gB3Rhw8R6Ak4eMl8pqjCPOLCZRqaehZxdZ/mbFClM=", "owner": "nix-community", "repo": "nix-github-actions", - "rev": "93e39cc1a087d65bcf7a132e75a650c44dd2b734", + "rev": "7b5f051df789b6b20d259924d349a9ba3319b226", "type": "github" }, "original": { 
@@ -352,6 +699,166 @@ "type": "github" } }, + "nix-vscode-extensions": { + "inputs": { + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1740852064, + "narHash": "sha256-A2zUu1n8Bg505s/GUIYUSQFLmYJAvx/01A2OkGAkevk=", + "owner": "nix-community", + "repo": "nix-vscode-extensions", + "rev": "1b34da949d188b205b4132c2b726415fa19d5086", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-vscode-extensions", + "type": "github" + } + }, + "nix4vscode": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "rust-overlay": "rust-overlay", + "systems": "systems_2" + }, + "locked": { + "lastModified": 1733089477, + "narHash": "sha256-G08QoIxpJlnP9PiUdo2ypmKOrgodwVD6pWEa/8CaDOE=", + "owner": "nix-community", + "repo": "nix4vscode", + "rev": "60f266d2584461611a9e91ad44bbda5c1b0f91f8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix4vscode", + "type": "github" + } + }, + "nixago": { + "inputs": { + "flake-utils": "flake-utils_3", + "nixago-exts": "nixago-exts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1714086354, + "narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", + "owner": "jmgilman", + "repo": "nixago", + "rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", + "type": "github" + }, + "original": { + "owner": "jmgilman", + "repo": "nixago", + "type": "github" + } + }, + "nixago-exts": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixago": "nixago_2", + "nixpkgs": [ + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070308, + "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago-exts_2": { + "inputs": { + "flake-utils": 
"flake-utils_6", + "nixago": "nixago_3", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655508669, + "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", + "owner": "nix-community", + "repo": "nixago-extensions", + "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago-extensions", + "type": "github" + } + }, + "nixago_2": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixago-exts": "nixago-exts_2", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1676070010, + "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", + "owner": "nix-community", + "repo": "nixago", + "rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "rename-config-data", + "repo": "nixago", + "type": "github" + } + }, + "nixago_3": { + "inputs": { + "flake-utils": "flake-utils_7", + "nixpkgs": [ + "nixago", + "nixago-exts", + "nixago", + "nixago-exts", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1655405483, + "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", + "owner": "nix-community", + "repo": "nixago", + "rev": "e6a9566c18063db5b120e69e048d3627414e327d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago", + "type": "github" + } + }, "nixos-anywhere": { "inputs": { "disko": "disko", @@ -364,11 +871,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1704071157, - "narHash": "sha256-p8KFWE16nu8ltY17psLU4KTcxXTpjvc1fCzMVPel080=", + "lastModified": 1733093391, + "narHash": "sha256-tktgkyaBCJDJs0qVyREpETTcpDY7FZbnDurTAM9jIOE=", "owner": "numtide", "repo": "nixos-anywhere", - "rev": "d2911784c30a6c94d3a581bc99c94d3ce0deba0b", + "rev": "9ba099b2ead073e0801b863c880be03a981f2dd1", "type": "github" }, "original": { 
@@ -380,7 +887,7 @@ }, "nixos-images": { "inputs": { - "nixos-2311": [ + "nixos-stable": [ "nixos-anywhere", "nixos-stable" ], @@ -390,11 +897,11 @@ ] }, "locked": { - "lastModified": 1702375325, - "narHash": "sha256-kEdrh6IB7xh7YDwZ0ZVCngCs+uoS9gx4ydEoJRnM1Is=", + "lastModified": 1727367213, + "narHash": "sha256-7O4pi8MmcJpA0nYUQkdolvKGyu6zNjf2gFYD1Q0xppc=", "owner": "nix-community", "repo": "nixos-images", - "rev": "d655cc02fcb9ecdcca4f3fb307e291a4b5be1339", + "rev": "3e7978bab153f39f3fc329ad346d35a8871420f7", "type": "github" }, "original": { @@ -405,43 +912,27 @@ }, "nixos-stable": { "locked": { - "lastModified": 1702233072, - "narHash": "sha256-H5G2wgbim2Ku6G6w+NSaQaauv6B6DlPhY9fMvArKqRo=", + "lastModified": 1727264057, + "narHash": "sha256-KQPI8CTTnB9CrJ7LrmLC4VWbKZfljEPBXOFGZFRpxao=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "781e2a9797ecf0f146e81425c822dca69fe4a348", + "rev": "759537f06e6999e141588ff1c9be7f3a5c060106", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixos-stable_2": { - "locked": { - "lastModified": 1703900474, - "narHash": "sha256-Zu+chYVYG2cQ4FCbhyo6rc5Lu0ktZCjRbSPE0fDgukI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9dd7699928e26c3c00d5d46811f1358524081062", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1703134684, - "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=", + "lastModified": 1740547748, + "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523", + "rev": "3a05eebede89661660945da1f151959900903b6a", "type": "github" }, "original": { 
@@ -467,63 +958,57 @@ "type": "github" } }, - "nixpkgs-2305": { + "nixpkgs-2411": { "locked": { - "lastModified": 1704018918, - "narHash": "sha256-erjg/HrpC9liEfm7oLqb8GXCqsxaFwIIPqCsknW5aFY=", + "lastModified": 1733261153, + "narHash": "sha256-eq51hyiaIwtWo19fPEeE0Zr2s83DYMKJoukNLgGGpek=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2c9c58e98243930f8cb70387934daa4bc8b00373", + "rev": "b681065d0919f7eb5309a93cea2cfa84dec9aa88", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.05", + "ref": "nixos-24.11", "repo": "nixpkgs", "type": "github" } }, - "nixpkgs-2311": { + "nixpkgs-gimp": { "locked": { - "lastModified": 1704018918, - "narHash": "sha256-erjg/HrpC9liEfm7oLqb8GXCqsxaFwIIPqCsknW5aFY=", - "owner": "nixos", + "lastModified": 1735507908, + "narHash": "sha256-VA+khC0S0di6w5Yv1kBNRpAihnt2prT/ehQzsKMhEoA=", + "owner": "jtojnar", "repo": "nixpkgs", - "rev": "2c9c58e98243930f8cb70387934daa4bc8b00373", + "rev": "771cf18187fefcfaababd35834917c621447fee8", "type": "github" }, "original": { - "owner": "nixos", - "ref": "nixos-23.05", + "owner": "jtojnar", + "ref": "gimp-meson", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-lib": { "locked": { - "dir": "lib", - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", - "type": "github" + "lastModified": 1733096140, + "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" }, "original": { - "dir": "lib", - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" } }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1703983607, - "narHash": 
"sha256-YECXW8P0bqFM5e65Mu2fL4wZlonNWCuNEk7UQPsuJZ0=", + "lastModified": 1733015484, + "narHash": "sha256-qiyO0GrTvbp869U4VGX5GhAZ00fSiPXszvosY1AgKQ8=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a6c99b57d2e58f7fc6d52a08b0ba40160e75f738", + "rev": "0e4fdd4a0ab733276b6d2274ff84ae353f17129e", "type": "github" }, "original": { @@ -532,29 +1017,13 @@ "type": "github" } }, - "nixpkgs-stable": { - "locked": { - "lastModified": 1703950681, - "narHash": "sha256-veU5bE4eLOmi7aOzhE7LfZXcSOONRMay0BKv01WHojo=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "0aad9113182747452dbfc68b93c86e168811fa6c", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "release-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs-unstable": { "locked": { - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "lastModified": 1739446958, + "narHash": "sha256-+/bYK3DbPxMIvSL4zArkMX0LQvS7rzBKXnDXLfKyRVc=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "rev": "2ff53fe64443980e139eaa286017f53f88336dd0", "type": "github" }, "original": { 
@@ -564,35 +1033,35 @@ "type": "github" } }, - "nixpkgs-unstable-small": { + "nixpkgs-vscodium": { "locked": { - "lastModified": 1704177376, - "narHash": "sha256-6AV8TWX/juwV8delRDtlbUzi1X8irrtCfrtcYByVhCs=", + "lastModified": 1733212471, + "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", "owner": "nixos", "repo": "nixpkgs", - "rev": "e2e36d8af3b7c465311f11913b7dedd209633c84", + "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable-small", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-wayland": { "inputs": { - "flake-compat": "flake-compat_2", + "flake-compat": "flake-compat_3", "lib-aggregate": "lib-aggregate", "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs_5" }, "locked": { - "lastModified": 1704201485, - "narHash": "sha256-pFDUR45wmq1HehY3WlJOJydFkLOzKC2pWqvMykLj2Qk=", + "lastModified": 1733388169, + "narHash": "sha256-WCfVVHIuxnz4O7O9BY76apUkA//ujG7rqkjAWCw0ujY=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "b0c06873775fe978bd9384ab14c24903bde92e74", + "rev": "fe88399ae2d22a5381c65a51f8e5a0e4f2e7a38b", "type": "github" }, "original": { @@ -603,11 +1072,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1703961334, - "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "lastModified": 1722421184, + "narHash": "sha256-/DJBI6trCeVnasdjUo9pbnodCLZcFqnVZiLUfqLH4jA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "rev": "9f918d616c5321ad374ae6cb5ea89c9e04bf3e58", "type": "github" }, "original": { 
@@ -617,14 +1086,135 @@ "type": "github" } }, + "nixpkgs_3": { + "locked": { + "lastModified": 1722415718, + "narHash": "sha256-5US0/pgxbMksF92k1+eOa8arJTJiPvsdZj9Dl+vJkM4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c3392ad349a5227f4a3464dce87bcc5046692fce", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1732238832, + "narHash": "sha256-sQxuJm8rHY20xq6Ah+GwIUkF95tWjGRd1X8xF+Pkk38=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8edf06bea5bcbee082df1b7369ff973b91618b8d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { + "locked": { + "lastModified": 1733212471, + "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixvim": { + "inputs": { + "devshell": "devshell", + "flake-compat": "flake-compat_4", + "flake-parts": "flake-parts_4", + "git-hooks": "git-hooks", + "home-manager": "home-manager", + "nix-darwin": "nix-darwin", + "nixpkgs": [ + "nixpkgs" + ], + "nuschtosSearch": "nuschtosSearch", + "treefmt-nix": "treefmt-nix_3" + }, + "locked": { + "lastModified": 1733355056, + "narHash": "sha256-EOldkOLdgUVIa8ZJiHkqjD6yaW+AZiZwd94aBqfZERY=", + "owner": "nix-community", + "repo": "nixvim", + "rev": "277dbeb607210f6a6db656ac7eee9eef3143070c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixvim", + "type": "github" + } + }, + "nur": { + "inputs": { + "flake-parts": "flake-parts_5", + "nixpkgs": [ + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix_4" + }, + "locked": { + "lastModified": 1737225765, + "narHash": 
"sha256-wyJcROV/d6POpZRlfk79EWsRHZH0iP6aC5uhmM1cH98=", + "owner": "nix-community", + "repo": "NUR", + "rev": "7c2500d3cc3a1d4f51493ba208721ea7c2a4380f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NUR", + "type": "github" + } + }, + "nuschtosSearch": { + "inputs": { + "flake-utils": "flake-utils_9", + "ixx": "ixx", + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733006402, + "narHash": "sha256-BC1CecAQISV5Q4LZK72Gx0+faemOwaChiD9rMVfDPoA=", + "owner": "NuschtOS", + "repo": "search", + "rev": "16307548b7a1247291c84ae6a12c0aacb07dfba2", + "type": "github" + }, + "original": { + "owner": "NuschtOS", + "repo": "search", + "type": "github" + } + }, "ofi-pass": { "flake": false, "locked": { - "lastModified": 1691863924, - "narHash": "sha256-Vkm3QXjkLIu0RnM0w+upzAF9M7atKBPYqiV7f+eBKJY=", + "lastModified": 1723412133, + "narHash": "sha256-rOVbz4v1+DHPJMvRtxdOFWdOHlaxI7G2vm0bgEV/0Cg=", "owner": "sereinity", "repo": "ofi-pass", - "rev": "b20bd3440686429b113821c51a68b799675d5bb0", + "rev": "2b6aa6a3fc0504e63df4ac3449e0065a1a4d19d0", "type": "github" }, "original": { 
@@ -633,20 +1223,37 @@ "type": "github" } }, + "openvscode-server": { + "flake": false, + "locked": { + "lastModified": 1714076069, + "narHash": "sha256-Yc16L13Z8AmsGoSFbvy+4+KBdHxvqLMwZLeU2/dAQVU=", + "owner": "gitpod-io", + "repo": "openvscode-server", + "rev": "7920868fc0c6f4e584cca7791c71d300f2bc3a56", + "type": "github" + }, + "original": { + "owner": "gitpod-io", + "ref": "openvscode-server-v1.88.1", + "repo": "openvscode-server", + "type": "github" + } + }, "prs": { "flake": false, "locked": { - "lastModified": 1692545676, - "narHash": "sha256-jA97WxXBgWtttXnTBxfb4lPEEFqRMflL1BYfDCYeVfo=", + "lastModified": 1719086486, + "narHash": "sha256-YQYiN1T7YHYQYv6GoRNdi7Jq93+U+ydoF64tZxuVW+0=", "owner": "timvisee", "repo": "prs", - "rev": "308e753f769e5ddcda14d13eeeb7b40c5887e0ca", + "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", "type": "gitlab" }, "original": { "owner": "timvisee", - "ref": "master", "repo": "prs", + "rev": "07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973", "type": "gitlab" } }, 
@@ -659,37 +1266,63 @@ "nixos-anywhere", "disko" ], + "espanso": "espanso", "fenix": "fenix", "flake-parts": "flake-parts", "get-flake": "get-flake", "jay": "jay", - "magmawm": "magmawm", + "nix-vscode-extensions": "nix-vscode-extensions", + "nix4vscode": "nix4vscode", + "nixago": "nixago", "nixos-anywhere": "nixos-anywhere", "nixpkgs": [ - "nixpkgs-2311" + "nixpkgs-2411" ], "nixpkgs-2211": "nixpkgs-2211", - "nixpkgs-2305": "nixpkgs-2305", - "nixpkgs-2311": "nixpkgs-2311", + "nixpkgs-2411": "nixpkgs-2411", + "nixpkgs-gimp": "nixpkgs-gimp", "nixpkgs-unstable": "nixpkgs-unstable", - "nixpkgs-unstable-small": "nixpkgs-unstable-small", + "nixpkgs-vscodium": "nixpkgs-vscodium", "nixpkgs-wayland": "nixpkgs-wayland", + "nixvim": "nixvim", + "nur": "nur", "ofi-pass": "ofi-pass", + "openvscode-server": "openvscode-server", "prs": "prs", - "salut": "salut", + "radicalePkgs": [ + "nixpkgs-2211" + ], + "rperf": "rperf", "sops-nix": "sops-nix", "srvos": "srvos", + "treefmt-nix": "treefmt-nix_5", "yofi": "yofi" } }, + "rperf": { + "flake": false, + "locked": { + "lastModified": 1712257145, + "narHash": "sha256-IMHpJWGja69nTwF9JJOaOZeC5zxzXGanSShompQfBJE=", + "owner": "steveej-forks", + "repo": "rperf", + "rev": "ec7e1fb3a776fce09ca7c497e1d1962c56ef3785", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "repo": "rperf", + "type": "github" + } + }, "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1704114818, - "narHash": "sha256-/0gMZ32JaUTQ0THA/S9rcQSAmEKfL3hGorX5En8lG98=", + "lastModified": 1733330394, + "narHash": "sha256-1jwtAQYtErSsfkEQFvZJ9wJBrLGltzlvZKZzPXhpfpE=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "a8d935eedc80df8b453d90539cbe78b7e2c75e3c", + "rev": "f499faf72bcd2abbfbf3d7171e5191100547a3df", "type": "github" }, "original": { 
@@ -699,35 +1332,36 @@ "type": "github" } }, - "salut": { - "flake": false, + "rust-overlay": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, "locked": { - "lastModified": 1671283721, - "narHash": "sha256-W0lhhImSXtYJDeMbxyEioYu/Bh7ZclwR1/5DzNbxM8o=", - "owner": "snakedye", - "repo": "salut", - "rev": "aa57c4d190812908a9c32cd49cff14390c6dfdcb", - "type": "gitlab" + "lastModified": 1722565199, + "narHash": "sha256-2eek4vZKsYg8jip2WQWvAOGMMboQ40DIrllpsI6AlU4=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "a9cd2009fb2eeacfea785b45bdbbc33612bba1f1", + "type": "github" }, "original": { - "owner": "snakedye", - "repo": "salut", - "type": "gitlab" + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" } }, "sops-nix": { "inputs": { "nixpkgs": [ "nixpkgs" - ], - "nixpkgs-stable": "nixpkgs-stable" + ] }, "locked": { - "lastModified": 1703991717, - "narHash": "sha256-XfBg2dmDJXPQEB8EdNBnzybvnhswaiAkUeeDj7fa/hQ=", + "lastModified": 1733128155, + "narHash": "sha256-m6/qwJAJYcidGMEdLqjKzRIjapK4nUfMq7rDCTmZajc=", "owner": "Mic92", "repo": "sops-nix", - "rev": "cfdbaf68d00bc2f9e071f17ae77be4b27ff72fa6", + "rev": "c6134b6fff6bda95a1ac872a2a9d5f32e3c37856", "type": "github" }, "original": { @@ -738,17 +1372,16 @@ }, "srvos": { "inputs": { - "nixos-stable": "nixos-stable_2", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1704204620, - "narHash": "sha256-u7C59X3s706W9ptqfYHLlZlropun5Fzr9eYaKAsEuN8=", + "lastModified": 1733365027, + "narHash": "sha256-Vl0pOGckECuFoMbiotwj65jjoFE8Mc2yUXNIllttxkI=", "owner": "numtide", "repo": "srvos", - "rev": "e5eecdf21bdf048cef7cb9e52bf573fdf959d491", + "rev": "6047d415ca8dc7eae73dd17c832f7dc08ad544f4", "type": "github" }, "original": { 
@@ -759,16 +1392,16 @@ }, "stable": { "locked": { - "lastModified": 1696039360, - "narHash": "sha256-g7nIUV4uq1TOVeVIDEZLb005suTWCUjSY0zYOlSBsyE=", + "lastModified": 1730883749, + "narHash": "sha256-mwrFF0vElHJP8X3pFCByJR365Q2463ATp2qGIrDUdlE=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "32dcb45f66c0487e92db8303a798ebc548cadedc", + "rev": "dba414932936fde69f0606b4f1d87c5bc0003ede", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.05", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } @@ -788,6 +1421,66 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "treefmt-nix": { "inputs": { "nixpkgs": [ 
@@ -796,11 +1489,11 @@ ] }, "locked": { - "lastModified": 1702376629, - "narHash": "sha256-9uAY8a7JN4DvLe/g4OoldqPbcNZ09YOVXID+CkIqL70=", + "lastModified": 1727252110, + "narHash": "sha256-3O7RWiXpvqBcCl84Mvqa8dXudZ1Bol1ubNdSmQt7nF4=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "390018a9398f9763bfc05ffe6443ce0622cb9ba6", + "rev": "1bff2ba6ec22bc90e9ad3f7e94cca0d37870afa3", "type": "github" }, "original": { 
@@ -818,11 +1511,73 @@ ] }, "locked": { - "lastModified": 1702979157, - "narHash": "sha256-RnFBbLbpqtn4AoJGXKevQMCGhra4h6G2MPcuTSZZQ+g=", + "lastModified": 1723303070, + "narHash": "sha256-krGNVA30yptyRonohQ+i9cnK+CfCpedg6z3qzqVJcTs=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "2961375283668d867e64129c22af532de8e77734", + "rev": "14c092e0326de759e16b37535161b3cb9770cea3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_3": { + "inputs": { + "nixpkgs": [ + "nixvim", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1732894027, + "narHash": "sha256-2qbdorpq0TXHBWbVXaTqKoikN4bqAtAplTwGuII+oAc=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "6209c381904cab55796c5d7350e89681d3b2a8ef", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_4": { + "inputs": { + "nixpkgs": [ + "nur", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1733222881, + "narHash": "sha256-JIPcz1PrpXUCbaccEnrcUS8jjEb/1vJbZz5KkobyFdM=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "49717b5af6f80172275d47a418c9719a31a78b53", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_5": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738953846, + "narHash": "sha256-yrK3Hjcr8F7qS/j2F+r7C7o010eVWWlm4T1PrbKBOxQ=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "4f09b473c936d41582dd744e19f34ec27592c5fd", "type": "github" }, "original": { 
@@ -833,17 +1588,17 @@ }, "yofi": { "inputs": { - "flake-utils": "flake-utils_3", + "flake-utils": "flake-utils_10", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1702939607, - "narHash": "sha256-nPIt1JIQ3g6lBE7+qI8gV1cmJ+uA55aAzho2dGOIFik=", + "lastModified": 1725018627, + "narHash": "sha256-uBEU/aKl9jlJ8vIK556TaqSBEHx6/t6AE4fbt/AoRfA=", "owner": "l4l", "repo": "yofi", - "rev": "c0ca3365a702e7a2852a801ca357df5eb87d0cf9", + "rev": "09901e75cbdf2147553ab888adde480e57baa0d1", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 9400ed8..832b535 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,24 +1,36 @@
 # flake.nix
 {
 inputs = {
+ # TODO: where has this been used?
+ # dotfiles = {
+ # url = "git+https://forgejo.www.stefanjunker.de/steveej/dotfiles.git";
+ # flake = false;
+ # };
+
+ # flake and infra basics
 nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11";
- nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05";
- nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.05";
+ radicalePkgs.follows = "nixpkgs-2211";
+ nixpkgs-2411.url = "github:nixos/nixpkgs/nixos-24.11";
 nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
- nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small";
- nixpkgs.follows = "nixpkgs-2311";
+ nixpkgs.follows = "nixpkgs-2411";
 flake-parts.url = "github:hercules-ci/flake-parts";
 get-flake.url = "github:ursi/get-flake";
 srvos.url = "github:numtide/srvos";
 srvos.inputs.nixpkgs.follows = "nixpkgs";
- nixos-anywhere.url = github:numtide/nixos-anywhere/main;
+ nixos-anywhere.url = "github:numtide/nixos-anywhere/main";
 nixos-anywhere.inputs.nixpkgs.follows = "nixpkgs";
 disko.follows = "nixos-anywhere/disko";
 nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
+ nix-vscode-extensions.url = "github:nix-community/nix-vscode-extensions";
+ nixpkgs-vscodium.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ # needs to be in sync with `vscodium --version` from `nixpkgs-vscodium`
+ openvscode-server.url = "github:gitpod-io/openvscode-server/openvscode-server-v1.88.1";
+ openvscode-server.flake = false;
+
 colmena = {
 url = "github:zhaofengli/colmena";
 inputs.nixpkgs.follows = "nixpkgs";
@@ -29,14 +41,13 @@ url = "github:nix-community/fenix"; inputs.nixpkgs.follows = "nixpkgs"; }; - crane = { - url = "github:ipetkov/crane"; + crane.url = "github:ipetkov/crane"; + + sops-nix = { + url = "github:Mic92/sops-nix"; inputs.nixpkgs.follows = "nixpkgs"; }; - sops-nix.url = "github:Mic92/sops-nix"; - sops-nix.inputs.nixpkgs.follows = "nixpkgs"; - # applications aphorme_launcher = { url = "github:Iaphetes/aphorme_launcher/main"; @@ -59,27 +70,56 @@ flake = false; }; - magmawm = { - url = "github:MagmaWM/MagmaWM"; - flake = false; - }; - - salut = { - url = "gitlab:snakedye/salut"; - flake = false; - }; - prs = { - url = "gitlab:timvisee/prs/master"; + # url = "gitlab:timvisee/prs/v0.5.2"; + url = "gitlab:timvisee/prs/07f17a93d19fb6bc92c9c7f3ae3f5cc750b1f973"; flake = false; }; + + rperf = { + url = "github:steveej-forks/rperf"; + flake = false; + }; + + # nixpkgs-logseq.url = "github:steveej-forks/nixpkgs/logseq-linux-arm64-selfbuilt-appimage"; + + espanso = { + flake = false; + url = "github:espanso/espanso/db97658d1d80697a635b57801696c594eacf057b"; + }; + + nix4vscode = { + url = "github:nix-community/nix4vscode"; + # inputs.nixpkgs.follows = "nixpkgs"; + }; + nixvim = { + # TODO: pin to nixos-24.11 once available + url = "github:nix-community/nixvim"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + treefmt-nix = { + url = "github:numtide/treefmt-nix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nixago = { + url = "github:jmgilman/nixago"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nur = { + url = "github:nix-community/NUR"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixpkgs-gimp.url = "github:jtojnar/nixpkgs/gimp-meson"; }; outputs = - inputs @ { self - , flake-parts - , nixpkgs - , ... + inputs@{ + self, + flake-parts, + nixpkgs, + ... }: let inherit (nixpkgs) lib; 
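Review bot: `nix4vscode` declares no `inputs.nixpkgs.follows` (the line is left commented out), so it pins its own nixpkgs tree; the lock in this commit does gain extra `nixpkgs_3`/`nixpkgs_4` entries, which plausibly come from here, meaning a second nixpkgs is fetched and evaluated. If that is deliberate, a comment on the commented line saying why would help; otherwise enable `inputs.nixpkgs.follows = "nixpkgs";`. `prs` and `espanso` are pinned to full commit hashes while `nur`, `rperf`, `nixvim`, `treefmt-nix` and `nixago` track branch heads and rely on flake.lock, which is fine as long as lock bumps are reviewed like any other third-party source update; for `nur`, whose packages are not subject to nixpkgs review, a comment naming which packages are consumed from it would make that review easier. The `outputs` function continues past the hunk.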
@@ -89,163 +129,176 @@ "aarch64-linux" ]; in - flake-parts.lib.mkFlake { inherit inputs; } - ({ withSystem, ... }: { + flake-parts.lib.mkFlake { inherit inputs; } ( + { withSystem, ... }: + { flake.colmena = lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) - { - meta.nixpkgs = import inputs.nixpkgs.outPath { - system = builtins.elemAt systems 0; - }; - } + { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 - (builtins.map - (nodeName: - import ./nix/os/devices/${nodeName} { - inherit nodeName; - repoFlake = self; - repoFlakeWithSystem = withSystem; - nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; - }) [ - "steveej-t14" - # "elias-e525" - # "justyna-p300" + ( + builtins.map + ( + nodeName: + import ./nix/os/devices/${nodeName} { + inherit nodeName; + repoFlake = self; + repoFlakeWithSystem = withSystem; + nodeFlake = self.inputs.get-flake (self + "/nix/os/devices/${nodeName}"); + } + ) + [ + "steveej-t14" + "steveej-x13s" + "steveej-x13s-rmvbl" + # "elias-e525" + # "justyna-p300" - # "srv0-dmz0" - # # "router0-dmz0" + # "srv0-dmz0" + # "router0-dmz0" + "router0-ifog" + "router0-hosthatch" - # "sj-vps-htz0" - "sj-bm-hostkey0" + "sj-srv1" + ] + ); - # "retro" - ]); + flake.lib = { + inherit withSystem; + }; # this makes nixos-anywhere work flake.nixosConfigurations = - (inputs.colmena.lib.makeHive self.outputs.colmena).nodes - // ( - let - router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; - steveej-x13s = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations; - retro = (inputs.get-flake ./nix/os/devices/retro).nixosConfigurations; - in - { - router0-dmz0 = router0-dmz0.native; + let + colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; + router0-dmz0 = 
(inputs.get-flake (self + "/nix/os/devices/router0-dmz0")).nixosConfigurations; + in + colmenaHive + // { + router0-dmz0 = router0-dmz0.native; - # for now deploy directly with: - # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 - router0-dmz0_cross = router0-dmz0.cross; + # for now deploy directly with: + # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 + router0-dmz0_cross = router0-dmz0.cross; - # nixos-install --flake .\#retro_cross - retro_cross = retro.cross; - - steveej-x13s_cross = steveej-x13s.cross; - } - ); + steveej-x13s_cross = + (inputs.get-flake (self + "./nix/os/devices/steveej-x13s")).nixosConfigurations.cross; + steveej-x13s-rmvbl_cross = + (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; + }; inherit systems; perSystem = - { inputs' - , system - , config - , lib - , pkgs - , ... - }: rec { - imports = [ - ./nix/modules/flake-parts/perSystem/default.nix - ]; + { + self', + inputs', + system, + config, + lib, + pkgs, + ... + }: + { + imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; packages = let dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { }; - craneLib = - inputs.crane.lib.${system}.overrideToolchain - inputs'.fenix.packages.stable.toolchain; + craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; - craneLibOfiPass = - inputs.crane.lib.${system}.overrideToolchain - ( - inputs'.fenix.packages.stable.toolchain - # .override { - # date = "1.60.0"; - # } - ); + craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; + + _prsPackage = + { + lib, + rustPlatform, + installShellFiles, + pkg-config, + python3, + glib, + gpgme, + gtk3, + stdenv, + cargoHash ? 
"sha256-T57RqIzurpYLHyeFhvqxmC+DoB6zUf+iTu1YkMmwtp8=", + src, + version, + makeWrapper, + skim, + }: + + rustPlatform.buildRustPackage rec { + pname = "prs"; + + inherit src version cargoHash; + + nativeBuildInputs = [ + gpgme + installShellFiles + pkg-config + python3 + makeWrapper + ]; + + cargoBuildFlags = [ + "--no-default-features" + "--features=alias,backend-gpgme,clipboard,notify,select-fzf-bin,select-skim-bin,tomb,totp" + ]; + + buildInputs = [ + glib + gpgme + gtk3 + ]; + + postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) '' + for shell in bash fish zsh; do + installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) + done + ''; + + postFixup = '' + wrapProgram $out/bin/prs \ + --prefix PATH : ${lib.makeBinPath [ skim ]} + ''; + + meta = with lib; { + description = "Secure, fast & convenient password manager CLI using GPG and git to sync"; + homepage = "https://gitlab.com/timvisee/prs"; + changelog = "https://gitlab.com/timvisee/prs/-/blob/v${version}/CHANGELOG.md"; + license = with licenses; [ + lgpl3Only # lib + gpl3Only # everything else + ]; + maintainers = with maintainers; [ dotlambda ]; + mainProgram = "prs"; + }; + }; + + local-xwayland = pkgs.writeShellScriptBin "local-xwayland" '' + set -x + ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ + --wayland-display=wayland-3 \ + --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ + --x-display=0 \ + # --x-unscale=3 \ + --verbose + ''; in { dcpj4110dwDriver = dcpj4110dw.driver; dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - # broken as of 2023-04-27 because it doesn't load without a config - # aphorme_launcher = craneLib.buildPackage {src = inputs.aphorme_launcher;}; - # yofi = inputs'.yofi.packages.default; - # ofi-pass = craneLibOfiPass.buildPackage {src = inputs.ofi-pass;}; - inherit (inputs'.colmena.packages) colmena; - # jay = pkgs.callPackage (self + /nix/pkgs/jay.nix) { - # src = inputs.jay; - # rustPlatform = 
pkgs.makeRustPlatform { - # cargo = inputs'.fenix.packages.stable.toolchain; - # rustc = inputs'.fenix.packages.stable.toolchain; - # }; - # }; - - # magmawm = pkgs.callPackage (self + /nix/pkgs/magmawm.nix) { - # inherit craneLib; - # src = inputs.magmawm; - # }; - - salut = craneLib.buildPackage { - src = inputs.salut; - nativeBuildInputs = [ - pkgs.pkg-config - ]; - buildInputs = [ - pkgs.libxkbcommon - pkgs.fontconfig - ]; + prs = pkgs.callPackage _prsPackage { + src = inputs.prs; + version = inputs.prs.shortRev; + cargoHash = "sha256-oXuAKOHIfwUvcS0qXDTe68DN+MUNS4TAKV986vxdeh8="; }; - prs = pkgs.callPackage - ({ pkgs - , dbus - , glib - , gpgme - , gtk3 - , libxcb - , libxkbcommon - , installShellFiles - , pkg-config - , python3 - }: craneLib.buildPackage { - pname = "prs"; - version = inputs.prs.shortRev; - src = inputs.prs; - nativeBuildInputs = [ gpgme installShellFiles pkg-config python3 ]; - - buildInputs = [ - dbus - glib - gpgme - gtk3 - libxcb - libxkbcommon - ]; - - cargoExtraArgs = "--features backend-gpgme"; - - postInstall = '' - for shell in bash fish zsh; do - installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) - done - ''; - }) - { }; - nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' 
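Review bot: `steveej-x13s_cross` builds its get-flake argument as `self + "./nix/os/devices/steveej-x13s"`; path-plus-string concatenation in Nix does not resolve the leading `./`, so this points at `<self>./nix/os/...` instead of `<self>/nix/os/...`, unlike the `router0-dmz0` line just above that uses `"/nix/os/devices/router0-dmz0"`. Change it to `(inputs.get-flake (self + "/nix/os/devices/steveej-x13s")).nixosConfigurations.cross;`. In `local-xwayland` the commented `# --x-unscale=3 \` line sits inside a backslash-continued command, so the preceding `\` joins it onto the proxy invocation, the comment swallows its own `\`, and `--verbose` is then executed as a separate command after the proxy exits; drop the commented line or move it above the `${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \` line. In `_prsPackage`, `meta.changelog` interpolates `v${version}` while the call site passes `version = inputs.prs.shortRev`, so the link names a tag that does not exist; either pass a release version or drop the `changelog` attribute. The enclosing `perSystem` function continues past the hunk.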
@@ -274,13 +327,102 @@ syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 ''; + + rperf = craneLib.buildPackage { + src = inputs.rperf; + nativeBuildInputs = [ pkgs.pkg-config ]; + buildInputs = [ ]; + }; + + inherit local-xwayland; + + inherit (inputs'.nixpkgs-gimp.legacyPackages) gimp; + }; - formatter = pkgs.alejandra; - devShells.default = import ./nix/devShells.nix { - inherit inputs' pkgs; - packages' = packages; - }; + formatter = + let + settingsNix = { + projectRootFile = ".git/config"; + + package = inputs'.nixpkgs-unstable.legacyPackages.treefmt2; + + programs = { + nixfmt.enable = true; + deadnix.enable = true; + statix.enable = true; + + shfmt.enable = true; + shellcheck.enable = true; + + prettier.enable = true; + just = { + enable = true; + includes = [ + "*/Justfile" + "Justfile" + ]; + }; + } // pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; }; + + settings = { + global.excludes = [ + "LICENSE" + "secrets/" + ".git-crypt/" + + # unsupported extensions + "*.{enc,gif,png,svg,tape,mts,lock,mod,sum,toml,env,envrc,gitignore}" + ]; + + formatter = { + deadnix = { + priority = 1; + options = [ "--no-underscore" ]; + }; + + nixfmt = { + priority = 2; + }; + + statix = { + priority = 3; + }; + + prettier = { + options = [ + "--tab-width" + "2" + ]; + includes = [ "*.{css,html,js,json,jsx,md,mdx,scss,ts,yaml}" ]; + }; + }; + }; + }; + eval = inputs.treefmt-nix.lib.evalModule pkgs settingsNix; + in + eval.config.build.wrapper.overrideAttrs (_: { + passthru = { + inherit (eval.config) package settings; + }; + }); + + devShells = + let + all = import ./nix/devShells.nix { + inherit + self + self' + inputs' + pkgs + ; + }; + in + all + // { + default = all.develop; + }; }; - }); + } + ); } 
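Review bot: `shellcheck.enable = true;` is set unconditionally inside `programs` and again in the `pkgs.lib.optionalAttrs (pkgs.system != "riscv64-linux") { shellcheck.enable = true; }` merged onto it, so the platform condition has no effect; if shellcheck is meant to be skipped on riscv64, remove the unconditional line and keep only the guarded one. The `global.excludes` entries `secrets/` and `.git-crypt/` deserve a one-line comment, e.g. `# keep formatters away from encrypted and secret material`, since nothing else signals why those paths are listed. The enclosing `perSystem` function starts outside the hunk.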
diff --git a/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw
new file mode 100644
index 0000000..ea5b5b8
Binary files /dev/null and b/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw differ
diff --git a/nix/container-images/build.sh b/nix/container-images/build.sh
index 6cfab1a..1025cb4 100755
--- a/nix/container-images/build.sh
+++ b/nix/container-images/build.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -xe
-[ ! -z "$NAME" ]
+[ -n "$NAME" ]
 nix-build . --show-trace -A "$NAME"
-docker image rm "$NAME":latest --force
+docker image rm "$NAME":latest --force
 docker load -i result
diff --git a/nix/container-images/default.nix b/nix/container-images/default.nix
index 7dcab2a..67f516d 100644
--- a/nix/container-images/default.nix
+++ b/nix/container-images/default.nix
@@ -1,6 +1,10 @@
-{pkgs ? import {}}: let
- baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
-in rec {
+{
+ pkgs ? import { },
+}:
+let
+ baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ];
+in
+rec {
 base = pkgs.dockerTools.buildImage rec {
 name = "base";
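Review bot: `[ -n "$NAME" ]` relies on `set -e` to abort and prints nothing, so a missing `NAME` only shows up as a silent exit in the `-x` trace. `: "${NAME:?NAME must name an attribute of default.nix}"` fails with an explicit message and leaves the rest of the script unchanged.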
@@ -21,59 +25,70 @@ in rec { interactive_base = pkgs.dockerTools.buildImage { name = "interactive_base"; fromImage = base; - contents = with pkgs; [procps zsh coreutils neovim]; + contents = with pkgs; [ + procps + zsh + coreutils + neovim + ]; - config = {Cmd = ["/bin/zsh"];}; + config = { + Cmd = [ "/bin/zsh" ]; + }; }; - s3ql = let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} + s3ql = + let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} - if [ -z "$S3QL_BUCKET" ]; then - echo S3QL_BUCKET not set - exit 1 - fi + if [ -z "$S3QL_BUCKET" ]; then + echo S3QL_BUCKET not set + exit 1 + fi - if [ -z "$S3QL_STORAGE_URL" ]; then - echo S3QL_STORAGE_URL not set - exit 1 - fi + if [ -z "$S3QL_STORAGE_URL" ]; then + echo S3QL_STORAGE_URL not set + exit 1 + fi - if [ -z "$S3QL_CACHESIZE" ]; then - echo S3QL_CACHESIZE not set - exit 1 - fi + if [ -z "$S3QL_CACHESIZE" ]; then + echo S3QL_CACHESIZE not set + exit 1 + fi - set -x + set -x - if [ "$S3QL_SKIP_FSCK" != "1" ]; then - fsck.s3ql \ - --authfile $S3QL_AUTHINFO2 \ + if [ "$S3QL_SKIP_FSCK" != "1" ]; then + fsck.s3ql \ + --authfile $S3QL_AUTHINFO2 \ + --log none \ + --cachedir $S3QL_CACHE_DIR \ + $S3QL_STORAGE_URL + fi + + exec mount.s3ql \ + --cachedir "$S3QL_CACHE_DIR" \ + --authfile "$S3QL_AUTHINFO2" \ + --cachesize "$S3QL_CACHESIZE" \ + --fg \ + --compress lzma-6 \ + --threads 4 \ --log none \ - --cachedir $S3QL_CACHE_DIR \ - $S3QL_STORAGE_URL - fi + --allow-root \ + "$S3QL_STORAGE_URL" \ + /bucket - exec mount.s3ql \ - --cachedir "$S3QL_CACHE_DIR" \ - --authfile "$S3QL_AUTHINFO2" \ - --cachesize "$S3QL_CACHESIZE" \ - --fg \ - --compress lzma-6 \ - --threads 4 \ - --log none \ - --allow-root \ - "$S3QL_STORAGE_URL" \ - /bucket - - # FIXME: touch .isbucket after mount - ''; - in + # FIXME: touch .isbucket after mount + ''; + in pkgs.dockerTools.buildImage { name = "s3ql"; fromImage = interactive_base; - contents = [pkgs.s3ql pkgs.fuse]; + contents = [ + pkgs.s3ql + 
pkgs.fuse + ]; runAsRoot = '' #!${pkgs.stdenv.shell} 
@@ -84,57 +99,58 @@ in rec { ''; config = { - Env = - baseEnv - ++ [ - "HOME=/home/s3ql" - "S3QL_CACHE_DIR=/var/cache/s3ql" - "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" - "CONTAINER_ENTRYPOINT=${entrypoint}" - ]; - Cmd = [entrypoint]; + Env = baseEnv ++ [ + "HOME=/home/s3ql" + "S3QL_CACHE_DIR=/var/cache/s3ql" + "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" + "CONTAINER_ENTRYPOINT=${entrypoint}" + ]; + Cmd = [ entrypoint ]; Volumes = { - "/var/cache/s3ql" = {}; - "/etc/s3ql/authinfo2" = {}; - "/buckets" = {}; - "/tmp" = {}; + "/var/cache/s3ql" = { }; + "/etc/s3ql/authinfo2" = { }; + "/buckets" = { }; + "/tmp" = { }; }; }; }; - syncthing = let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} - set -x - if [ ! -e /data/.isbucket ]; then - echo ERROR: Bucket not mounted at /data - exit 1 - fi + syncthing = + let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} + set -x + if [ ! -e /data/.isbucket ]; then + echo ERROR: Bucket not mounted at /data + exit 1 + fi - if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then - echo ERROR: SYNCTHING_GUI_ADDRESS is not set - exit 1 - fi + if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then + echo ERROR: SYNCTHING_GUI_ADDRESS is not set + exit 1 + fi - if [ ! -w "$SYNCTHING_HOME" ]; then - echo ERROR : SYNCTHING_HOME is not writable - fi + if [ ! -w "$SYNCTHING_HOME" ]; then + echo ERROR : SYNCTHING_HOME is not writable + fi - exec syncthing \ - -home $SYNCTHING_HOME \ - -gui-address=$SYNCTHING_GUI_ADDRESS \ - -no-browser - ''; - in + exec syncthing \ + -home $SYNCTHING_HOME \ + -gui-address=$SYNCTHING_GUI_ADDRESS \ + -no-browser + ''; + in pkgs.dockerTools.buildImage { name = "syncthing"; fromImage = interactive_base; contents = pkgs.syncthing; config = { - Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"]; - Cmd = [entrypoint]; - Volumes = {"/data" = {};}; + Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; + Cmd = [ entrypoint ]; + Volumes = { + "/data" = { }; + }; }; }; } 
diff --git a/nix/default.nix b/nix/default.nix index 888a4e9..f8947e0 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -1,26 +1,34 @@ -{versionsPath}: let +{ versionsPath }: +let channelVersions = import versionsPath; - mkChannelSource = name: let - channelVersion = builtins.getAttr name channelVersions; - in + mkChannelSource = + name: + let + channelVersion = builtins.getAttr name channelVersions; + in builtins.fetchGit { # Descriptive name to make the store path easier to identify inherit name; inherit (channelVersion) url ref rev; }; - nixPath = builtins.concatStringsSep ":" (builtins.map - (elemName: let - elem = builtins.getAttr elemName channelVersions; - elemPath = mkChannelSource elemName; - suffix = - if builtins.hasAttr "suffix" elem - then elem.suffix - else ""; - in - builtins.concatStringsSep "=" [elemName elemPath] + suffix) - (builtins.attrNames channelVersions)); - pkgs = import (mkChannelSource "nixpkgs") {}; -in { + nixPath = builtins.concatStringsSep ":" ( + builtins.map ( + elemName: + let + elem = builtins.getAttr elemName channelVersions; + elemPath = mkChannelSource elemName; + suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; + in + builtins.concatStringsSep "=" [ + elemName + elemPath + ] + + suffix + ) (builtins.attrNames channelVersions) + ); + pkgs = import (mkChannelSource "nixpkgs") { }; +in +{ inherit nixPath; channelSources = pkgs.writeText "channels.rc" '' export NIX_PATH=${nixPath} diff --git a/nix/devShells.nix b/nix/devShells.nix index 3f59c5b..aa4eda5 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix 
@@ -1,72 +1,73 @@ { + self, + self', inputs', - packages', pkgs, }: -pkgs.stdenv.mkDerivation { - name = "infra-env"; - buildInputs = - [ - (with pkgs.callPackage (pkgs.path + "/nixos") {configuration = {};}; - with config.system.build; [ - nixos-generate-config - nixos-install - nixos-enter - manual.manpages - ]) - ] - ++ (with pkgs; [ - inputs'.colmena.packages.colmena +{ + install = pkgs.mkShell { + name = "infra-install"; + packages = with pkgs; [ nixos-install-tools + inputs'.disko.packages.disko + just + git + git-crypt + gnupg + ]; + }; + + develop = pkgs.mkShell { + name = "infra-develop"; + inputsFrom = [ self'.devShells.install ]; + packages = with pkgs; [ + self'.formatter # .package + inputs'.colmena.packages.colmena dconf2nix inputs'.nixos-anywhere.packages.nixos-anywhere nurl - - just - git-crypt vcsh - gnupg - git ripgrep - lm_sensors - pass - fuzzel - wofi + # pass age age-plugin-yubikey ssh-to-age yubico-piv-tool inputs'.sops-nix.packages.default sops + nil + nix-index apacheHttpd - vncdo - tesseract - imagemagick + # vncdo + # tesseract + # imagemagick - nmap - sysstat - lshw - xxHash - linssid - wavemon - wirelesstools + # lm_sensors - zathura - xorg.xwininfo - glxinfo - autorandr - arandr - playerctl - x11docker - fwupd + # nmap + # sysstat + # lshw + # xxHash + # linssid + # wavemon + # wirelesstools - ntfy + # zathura + # xorg.xwininfo + # glxinfo + # autorandr + # arandr + # playerctl + # x11docker + # fwupd - hedgedoc-cli + # ntfy + # hedgedoc-cli xwayland + pulsemixer (pkgs.writeShellScriptBin "rflk" '' exec nix run nixpkgs#$@ 
@@ -76,8 +77,27 @@ pkgs.stdenv.mkDerivation { exec env NIXOS_OZONE_WL="" WAYLAND_DISPLAY="" $@ '') - ]); + jq + yq + wireguard-tools - # Set Environment Variables - RUST_BACKTRACE = 1; + screen + + inputs'.nixpkgs-unstable.legacyPackages.kanidm + ]; + + # Set Environment Variables + RUST_BACKTRACE = 1; + + KANIDM_URL = + self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin; + + shellHook = builtins.concatStringsSep "\n" [ + # (self.inputs.nixago.lib.${pkgs.system}.make { + # data = self'.formatter.settings; + # output = "treefmt.toml"; + # format = "toml"; + # }).shellHook + ]; + }; } diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 8ef7cc4..921c4dc 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -1,25 +1,25 @@ { pkgs, + lib, config, # these come in via home-manager.extraSpecialArgs and are specific to each node nodeFlake, - packages', - # repoFlake, - # repoFlakeInputs', + repoFlake, ... -}: let - # pkgsMaster = nodeFlake.inputs.nixpkgs-master.legacyPackages.${pkgs.system}; - pkgsUnstableSmall = import nodeFlake.inputs.nixpkgs-unstable-small {inherit (pkgs) system config;}; - pkgs2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; -in { +}: +let + pkgsUnstable = + pkgs.pkgsUnstable + or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; }); +in +{ imports = [ ../profiles/common.nix - ../profiles/dotfiles.nix + # ../profiles/dotfiles.nix # FIXME: fix homeshick when no WAN connection is available # ../programs/homeshick.nix # ../profiles/gnome-desktop.nix - ../profiles/sway-desktop.nix # ../profiles/experimental-desktop.nix ../programs/redshift.nix 
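Review bot: `KANIDM_URL` is obtained by evaluating `self.nixosConfigurations.sj-srv1` down to the kanidm container's `serverSettings.origin`, so entering the `develop` shell now forces an evaluation of that whole host configuration and the shell stops working whenever that configuration fails to evaluate or the host/container is renamed. Lifting the origin into a small shared value that both the host config and the shell read, or at least a comment above the line explaining why the dev shell depends on sj-srv1, would make the coupling visible. The `shellHook` below is `builtins.concatStringsSep "\n" [ ]` with only commented-out content, i.e. an empty string; either drop it or keep just the intent as a comment, `# TODO: generate treefmt.toml via nixago here (see .gitignore ignore-linked-files)`.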
@@ -35,40 +35,55 @@ in { ../programs/libreoffice.nix ../programs/neovim.nix ../programs/vscode - - # TODO: bump these to 23.05 and make it work - (args: import ../programs/radicale.nix (args // {pkgs = pkgs2211;})) - # (args: import ../programs/espanso.nix (args // {pkgs = pkgs2211;})) + { home.packages = [ pkgsUnstable.markdown-oxide ]; } ]; home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.GOPATH = "$HOME/src/go"; - home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; - - nixpkgs.config.permittedInsecurePackages = [ - "electron-24.8.6" - "electron-25.9.0" + home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ + "$HOME/.local/bin" + "$PATH" ]; + nixpkgs.config.allowInsecurePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "electron-28.3.3" + "electron-27.3.11" + ]; + + nixpkgs.config.permittedInsecurePackages = [ + "electron-28.3.3" + "electron-27.3.11" + ]; + + nixpkgs.config.allowUnfree = [ + "electron-28.3.3" + "electron-27.3.11" + ]; + + # nixpkgs.config.allowUnfreePredicate = pkg: + # builtins.elem (lib.getName pkg) [ + # "smartgithg" + # "electron-27.3.11" + # ]; + home.packages = - [] - ++ (with pkgs; [ + (with pkgs; [ # Authentication - cacert - fprintd - openssl - mkpasswd + # cacert + # fprintd + # openssl + # mkpasswd # Nix package related tools patchelf - nix-index + # nix-index nix-prefetch-scripts - # nix-prefetch-github nix-tree # Version Control Systems gitFull - pijul # gitless gitRepo git-lfs @@ -90,14 +105,13 @@ in { # Password Management gnupg - # yubikey-manager - yubikey-manager-qt + yubikey-manager yubikey-personalization yubikey-personalization-gui # gnome.gnome-keyring gcr - gnome.seahorse + seahorse # Language Support hunspellDicts.en-us 
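Review bot: `nixpkgs.config.allowUnfree = [ "electron-28.3.3" "electron-27.3.11" ]` assigns a list to an option that nixpkgs, as far as I know, declares as a boolean and that `profiles/common.nix` sets to `true`, so depending on how this module's `pkgs` is built it is either an evaluation error or a silent conflict with the boolean; the commented-out `allowUnfreePredicate` block right below looks like the intended home for that list. The new `allowInsecurePredicate` compares `lib.getName pkg` — which strips the version and yields `electron` — against versioned strings, so I would expect it never to match, and once a predicate is set nixpkgs' check-meta no longer consults `permittedInsecurePackages`, leaving the duplicated list below inert; the `common.nix` hunk of this commit has the same predicate/list duplication. Keeping only `permittedInsecurePackages = [ "electron-28.3.3" "electron-27.3.11" ];` with the exact name-version strings expresses the allow-list once. A comment naming which package still needs these insecure Electron releases (presumably `pkgs.logseq`, added further down) would make it easier to drop the exception once that package updates.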
@@ -106,129 +120,58 @@ in { # Messaging/Communication # pidgin # hexchat - # schildichat-desktop # insecure as of 2023-12-16 + pkgsUnstable.element-desktop aspellDicts.en aspellDicts.de # skypeforlinux # pkgsUnstable.jitsi-meet-electron - thunderbird - evolution # gnome4.glib_networking + thunderbird-128 + # betterbird # FIXME: depends on insecure openssl 1.1.1t # kotatogram-desktop - tdesktop - pkgsUnstableSmall.signal-desktop - #(let - # version = "6.20.0-beta.1"; - #in - # pkgsUnstableSmall.signal-desktop-beta.overrideAttrs (old: { - # # inherit version; - # # src = builtins.fetchurl { - # # url = "https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop-beta/signal-desktop-beta_${version}_amd64.deb"; - # # sha256 = "0xkagnldagfxnpv4c23yd9w0kz1y719m1sj9vqn8mnr1zfn7j62a"; - # # }; - # preFixup = - # old.preFixup - # + '' - # gappsWrapperArgs+=( - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}" - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" - # ) - # ''; - # })) - - pkgsUnstableSmall.session-desktop - # --add-flags "--enable-features=UseOzonePlatform" - # --add-flags "--ozone-platform=wayland" - # (pkgsUnstableSmall.session-desktop.overrideAttrs (old: { - # nativeBuildInputs = - # old.nativeBuildInputs - # ++ [ - # pkgs.wrapGAppsHook - # ]; - - # preFixup = - # (old.preFixup or "") - # + '' - # gappsWrapperArgs+=( - # --add-flags "--enable-features=UseOzonePlatform" - # --add-flags "--ozone-platform=wayland" - # # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto}}" - # # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=WaylandWindowDecorations}}" - # # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" - # ) - # ''; - # })) - - #(pkgsUnstableSmall.session-desktop.overrideAttrs(old: { - # nativeBuildInputs = old.nativeBuildInputs ++ [ - # pkgs.wrapGAppsHook - # ]; - 
# - # preFixup = (old.preFixup or "") + '' - # gappsWrapperArgs+=( - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform=wayland}}" - # --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--enable-features=UseOzonePlatform}}" - # ) - # ''; - # })) - - thunderbird - # gnome.cheese - discord + pkgsUnstable.tdesktop + pkgsUnstable.signal-desktop-source # Virtualization - # virtmanager + virt-manager # Remote Control Tools remmina - freerdp - teamviewer - pkgsUnstableSmall.rustdesk + # freerdp # Audio/Video Players - ffmpeg + # ffmpeg vlc - v4l-utils - audacity - spotify + # v4l-utils + # audacity + # spotify yt-dlp (writeShellScriptBin "youtube-dl-audio" "${yt-dlp}/bin/yt-dlp --extract-audio --audio-format best --audio-quality 9 \${@:?}") libwebcam + libcamera + snapshot # Network Tools - openvpn tcpdump iftop iperf bind socat - # 2019-03-05: broken on 19.03 linssid - iptraf-ng - ipmitool - - iptables - nftables - wireshark - wireguard-tools + nethogs # Code Editing and Programming - xclip - xsel - pkgsUnstableSmall.lapce - pkgsUnstableSmall.helix - pkgsUnstableSmall.nil + # TODO(remove or use): pkgsUnstable.lapce + # TODO(remve or use): pkgsUnstable.helix # Image/Graphic/Design Tools - gnome.eog - gimp - imagemagick - exiv2 - graphviz - inkscape - qrencode - zbar - feh + eog + # gimp + # imagemagick + # exiv2 + # graphviz + # inkscape + # qrencode # TODO: remove or move these: Modelling Tools # plantuml 
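Review bot: `thunderbird-128` pins the ESR line explicitly where the old side used the unversioned `thunderbird`, so security updates stop when nixpkgs drops that attribute at the end of the 128 ESR cycle instead of following the current release; if the pin is deliberate, a comment stating the reason and when to revisit it would help, `thunderbird-128 # pinned: <reason>, revisit when 128 ESR is EOL`. The `pkgsUnstable.*` entries (element-desktop, tdesktop, signal-desktop-source) mixed into an otherwise stable list mean these messengers float with the unstable input's lock; that is reasonable for fast-moving clients but worth a one-line comment saying it is intentional. The enclosing `home.packages` list starts in the previous hunk and continues past this one.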
@@ -239,61 +182,46 @@ in { # astah-community # Misc Development Tools - qrcode - jq - cdrtools + # qrcode + # jq + # cdrtools # Document Processing and Management - gnome.nautilus - xfce.thunar + nautilus pcmanfm # mendeley evince - (runCommand "logseq-wrapper" { - nativeBuildInputs = [ makeWrapper ]; - } '' - makeWrapper ${logseq}/bin/logseq $out/bin/logseq \ - --set NIXOS_OZONE_WL "" - '') - # (logseq.override({ electron_25 = electron_26; })) + xournalpp # File Synchronzation maestral - maestral-gui rsync # Filesystem Tools - ntfs3g - ddrescue - ncdu - unetbootin - hdparm - testdisk + # ntfs3g + # ddrescue + # ncdu + # hdparm # binwalk - gptfdisk - gparted - smartmontools - - ## Android - androidenv.androidPkgs_9_0.platform-tools + # gptfdisk + # gparted + # smartmontools ## Python - packages'.myPython + # packages'.myPython # Misc Desktop Tools - ltunify + # ltunify # dex - xorg.xbacklight coreutils lsof - xdotool - xdg_utils + xdg-utils xdg-user-dirs dconf picocom glib.dev # contains gdbus tool alacritty - wally-cli + # wally-cli man-pages # Screen recording 
@@ -303,70 +231,45 @@ in { # shutter # kazam # doesn't start # xvidcap # doesn't keep the recording rectangle - # obs-studio # shotcut # openshot-qt # introduces python: screenkey # avidemux # broken - handbrake + # handbrake - pkgsUnstableSmall.ledger-live-desktop - - (banana-accounting.overrideDerivation (attrs: - with inputs'.nixpkgs-2211.legacyPackages; { - # dontWrapGApps = true; - - srcs = builtins.fetchurl { - # hosted via https://web3.storage - url = "https://bafybeiabi4m2i4izummipbl5wzhwxjyjt2rylgsrahhkh7i63piwd37n4u.ipfs.w3s.link/mfpcksczayaqqx8fdacp0627zm36c001-bananaplus.tgz"; - - sha256 = "09666iqzqdw2526pf6bg5kd0hfw0wblw8ag636ki72dsiw6bmbf1"; - }; - - # nativeBuildInputs = - # attrs.nativeBuildInputs - # ++ [ - # qt5.qtbase - # qt5.wrapQtAppsHook - # ]; - - # buildInputs = - # attrs.buildInputs - # ++ [ - # qt5.qtwayland - # ]; - - # preFixup = - # (attrs.preFixup or "") - # + '' - # qtWrapperArgs+=("''${gappsWrapperArgs[@]}") - # ''; - })) - - - snes9x - snes9x-gtk + # snes9x + # snes9x-gtk # this is a displaymanager! 
# libretro.snes9x2010 # retroarchFull + + # pkgs.logseq-bin + pkgs.logseq + # (pkgs.callPackage "${repoFlake.inputs.nixpkgs-logseq}/pkgs/by-name/lo/logseq-bin/package.nix" { }) + ]) + ++ (with repoFlake.packages.${pkgs.system}; [ gimp ]) + ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ + pkgsUnstable.ledger-live-desktop + + # unsupported on aarch64-linux + pkgs.androidenv.androidPkgs_9_0.platform-tools + pkgs.teamviewer + pkgs.discord + pkgsUnstable.session-desktop + pkgsUnstable.rustdesk ]); systemd.user.startServices = true; + services.syncthing.enable = true; services.udiskie = { enable = true; - automount = true; + automount = false; notify = true; }; - # FIXME: doesn't work as the service can't seem to control its started PID - services.dropbox = { - enable = false; - path = "${config.home.homeDirectory}/Dropbox-Hm"; - }; - # TODO: uncomment this when it's in stable home-manger # programs.joshuto = { # enable = true; diff --git a/nix/home-manager/configuration/graphical-gnome3.nix b/nix/home-manager/configuration/graphical-gnome3.nix index 12e1948..5eaebd1 100644 --- a/nix/home-manager/configuration/graphical-gnome3.nix +++ b/nix/home-manager/configuration/graphical-gnome3.nix @@ -1,13 +1,8 @@ +{ pkgs, ... }: { - pkgs, - config, - ... -}: { - home.packages = - [] - ++ (with pkgs; [ - gnome.gnome-tweaks - gnome.gnome-keyring - gnome.seahorse - ]); + home.packages = with pkgs; [ + gnome.gnome-tweaks + gnome.gnome-keyring + gnome.seahorse + ]; } diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index faac0d5..d6296a2 100644 --- a/nix/home-manager/configuration/graphical-removable.nix +++ b/nix/home-manager/configuration/graphical-removable.nix @@ -1,8 +1,5 @@ +{ pkgs, ... }: { - pkgs, - config, - ... -}: { imports = [ ../profiles/common.nix ../profiles/qtile-desktop.nix 
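Review bot: The platform guard `lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64)` should test `hostPlatform`, the platform these packages will run on; `targetPlatform` only differs from `hostPlatform` for compilers and is the wrong axis for deciding which desktop applications to install, so the line to change is `++ (lib.lists.optionals (!pkgs.stdenv.hostPlatform.isAarch64) [`. `services.syncthing.enable = true` is new here and starts a user-level Syncthing, presumably with its default local GUI listener; a comment pointing at where the device and folder configuration lives (or noting that it is managed by hand) would help the next reader. The `home.packages` list this hunk closes starts in an earlier hunk.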
@@ -16,89 +13,87 @@ ../programs/pass.nix ]; - home.packages = - [] - ++ (with pkgs; [ - # Nix package related tools - patchelf - nix-index - nix-prefetch-scripts + home.packages = with pkgs; [ + # Nix package related tools + patchelf + nix-index + nix-prefetch-scripts - # Version Control Systems - gitless + # Version Control Systems + gitless - # Process/System Administration - htop - gnome.gnome-tweaks - xorg.xhost - dmidecode - evtest + # Process/System Administration + htop + gnome.gnome-tweaks + xorg.xhost + dmidecode + evtest - # Archive Managers - sshfs-fuse - xarchive - p7zip - zip - unzip - gzip - lzop + # Archive Managers + sshfs-fuse + xarchive + p7zip + zip + unzip + gzip + lzop - # Password Management - gnome.gnome-keyring - gnome.seahorse + # Password Management + gnome.gnome-keyring + gnome.seahorse - # Remote Control Tools - remmina - freerdp + # Remote Control Tools + remmina + freerdp - # Network Tools - openvpn - tcpdump - iftop - iperf - bind - socat + # Network Tools + openvpn + tcpdump + iftop + iperf + bind + socat - # samba - iptables - nftables - wireshark + # samba + iptables + nftables + wireshark - # Code Editors - xclip - xsel + # Code Editors + xclip + xsel - # Image/Graphic/Design Tools - gnome.eog - gimp - inkscape + # Image/Graphic/Design Tools + gnome.eog + gimp + inkscape - # Misc Development Tools - qrcode - jq - cdrtools + # Misc Development Tools + qrcode + jq + cdrtools - # Document Processing and Management - zathura + # Document Processing and Management + zathura - # File Synchronzation - rsync + # File Synchronzation + rsync - # Filesystem Tools - ntfs3g - ddrescue - ncdu - woeusb - unetbootin - pcmanfm - hdparm - testdisk - binwalk - gptfdisk + # Filesystem Tools + ntfs3g + ddrescue + ncdu + woeusb + unetbootin + pcmanfm + hdparm + testdisk + binwalk + gptfdisk - packages'.myPython + packages'.myPython - # Virtualization - virtmanager - ]); + # Virtualization + virtmanager + ]; } 
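Review bot: `packages'.myPython` near the end of the reformatted list refers to a name that the file's argument set `{ pkgs, ... }` (first hunk of this file) does not bind, so this configuration fails with an undefined-variable error as soon as it is imported; the commit reindents the line but leaves the reference. Either add `packages'` to the argument set the way other modules do, or comment the line out as `graphical-fullblown.nix` does (`# packages'.myPython`). If the file is intentionally unused, a header comment saying so would keep the next reformatting pass from tripping over it.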
diff --git a/nix/home-manager/configuration/text-minimal.nix b/nix/home-manager/configuration/text-minimal.nix deleted file mode 100644 index 4566af7..0000000 --- a/nix/home-manager/configuration/text-minimal.nix +++ /dev/null @@ -1,12 +0,0 @@ -{pkgs, ...}: { - imports = [ - ../profiles/common.nix - ../programs/neovim.nix - ]; - - home.packages = with pkgs; [ - iperf3 - inetutils - speedtest-cli - ]; -} diff --git a/nix/home-manager/lib.nix b/nix/home-manager/lib.nix index b731c1d..7436034 100644 --- a/nix/home-manager/lib.nix +++ b/nix/home-manager/lib.nix @@ -1,14 +1,19 @@ -{}: let -in { - mkSimpleTrayService = {execStart}: { - Unit = { - Description = ""; - After = ["graphical-session-pre.target"]; - PartOf = ["graphical-session.target"]; +_: { + mkSimpleTrayService = + { execStart }: + { + Unit = { + Description = ""; + After = [ "graphical-session-pre.target" ]; + PartOf = [ "graphical-session.target" ]; + }; + + Install = { + WantedBy = [ "graphical-session.target" ]; + }; + + Service = { + ExecStart = execStart; + }; }; - - Install = {WantedBy = ["graphical-session.target"];}; - - Service = {ExecStart = execStart;}; - }; } diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index 20a17e3..77f6e57 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix 
@@ -1,22 +1,38 @@ -{pkgs, ...}: { +{ pkgs, lib, ... }: +{ + home.stateVersion = lib.mkDefault "23.11"; + # TODO: re-enable this with the appropriate version? # programs.home-manager.enable = true; # programs.home-manager.path = https://github.com/rycee/home-manager/archive/445c0b1482c38172a9f8294ee16a7ca7462388e5.tar.gz; - imports = [ - ../programs/zsh.nix - ]; - + # TODO: move this to an OS snippet? nixpkgs.config = { allowBroken = false; allowUnfree = true; + allowUnsupportedSystem = true; - permittedInsecurePackages = []; + allowInsecurePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "electron-32.3.3" + "electron" + ]; + + permittedInsecurePackages = [ + "electron-32.3.3" + "electron" + ]; + + allowUnfreePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "obsidian" + "vivaldi" + "aspell-dict-en-science" + ]; }; - nix.settings.experimental-features = ["nix-command" "flakes" "impure-derivations" "ca-derivations" "recursive-nix"]; - nix.settings.sandbox = "relaxed"; - home.keyboard = { layout = "us"; variant = "altgr-intl"; 
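Review bot: The bare `"electron"` entry in `allowInsecurePredicate` is compared against `lib.getName pkg`, which strips the version, so it admits every Electron release nixpkgs marks insecure — now and in the future — rather than just the `electron-32.3.3` build the list also names, and a profile imported by every home is the widest possible scope for such an exception. Restricting the allow-list to exact versions and keeping it in the profile that actually installs the Electron app would make the exposure reviewable, e.g. `permittedInsecurePackages = [ "electron-32.3.3" ]; # needed by <consumer>`. `allowUnsupportedSystem = true` in the same attrset likewise disables a guard globally; a comment naming the system or package that needs it would help. `home.stateVersion = lib.mkDefault "23.11"` replaces the `"22.05"` that the next hunk removes; stateVersion is meant to stay at the value the home was first created with, so bumping it for existing homes may change stateful defaults and deserves a comment if intentional.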
@@ -30,53 +46,52 @@ xdg.enable = true; programs.direnv.enable = true; - services.lorri.enable = true; - home.sessionVariables.NIXPKGS_ALLOW_UNFREE = "1"; # Don't create .pyc files. home.sessionVariables.PYTHONDONTWRITEBYTECODE = "1"; programs.command-not-found.enable = true; programs.fzf.enable = true; - home.packages = - [] - ++ (with pkgs; [ - htop - vcsh + home.packages = with pkgs; [ + coreutils - # Authentication - cacert - openssl - mkpasswd + vcsh - just - ripgrep - du-dust + htop + iperf3 + nethogs - elfutils - exfat - file - tree - pwgen - proot + # Authentication + cacert + openssl + mkpasswd - parted - pv - tmux - wget - curl + just + ripgrep + du-dust - # git helpers - git-crypt - gitFull - pastebinit - gist - mr + elfutils + exfat + file + tree + pwgen + proot - usbutils - pciutils - ]); + parted + pv + tmux + wget + curl - home.stateVersion = "22.05"; + # git helpers + git-crypt + gitFull + pastebinit + gist + mr + + usbutils + pciutils + ]; } diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index 95b5248..a7bddd9 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix @@ -1,10 +1,4 @@ -{ - pkgs, - config, - ... -}: let - vcshActivationScript = pkgs.callPackage ./dotfiles/vcsh.nix {}; -in { +_: { # TODO: fix the dotfiles # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # $DRY_RUN_CMD ${vcshActivationScript} diff --git a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix index 84d629f..2a866f2 100644 --- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix +++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix 
@@ -3,38 +3,40 @@ repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", ... -}: let +}: +let repoBareLocal = pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } + '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; in - pkgs.writeScript "activation-script" '' - export HOST=$(hostname -s) +pkgs.writeScript "activation-script" '' + export HOST=$(hostname -s) - function set_remotes { - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 - ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 - } + function set_remotes { + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1 + ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2 + } - if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then - echo Cloning dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles - set_remotes ${repoHttps} ${repoSsh} - else - set_remotes ${repoBareLocal} ${repoSsh} - echo Updating dotfiles for $HOST... - ${pkgs.vcsh}/bin/vcsh pull $HOST || true - set_remotes ${repoHttps} ${repoSsh} - fi - '' + if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then + echo Cloning dotfiles for $HOST... 
+ ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles + set_remotes ${repoHttps} ${repoSsh} + else + set_remotes ${repoBareLocal} ${repoSsh} + echo Updating dotfiles for $HOST... + ${pkgs.vcsh}/bin/vcsh pull $HOST || true + set_remotes ${repoHttps} ${repoSsh} + fi +'' diff --git a/nix/home-manager/profiles/experimental-desktop.nix b/nix/home-manager/profiles/experimental-desktop.nix index 13d87d7..d57a051 100644 --- a/nix/home-manager/profiles/experimental-desktop.nix +++ b/nix/home-manager/profiles/experimental-desktop.nix @@ -1,16 +1,6 @@ +{ packages', ... }: { - pkgs, - config, - lib, - nodeFlake, - packages', - ... -}: let - pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {}; -in { - imports = [ - ../profiles/wayland-desktop.nix - ]; + imports = [ ../profiles/wayland-desktop.nix ]; home.packages = [ # experimental WMs diff --git a/nix/home-manager/profiles/gnome-desktop.nix b/nix/home-manager/profiles/gnome-desktop.nix index b0a7a7b..5051205 100644 --- a/nix/home-manager/profiles/gnome-desktop.nix +++ b/nix/home-manager/profiles/gnome-desktop.nix @@ -1,13 +1,6 @@ +{ pkgs, ... }: { - pkgs, - config, - lib, - ... -}: let -in { - imports = [ - ../profiles/wayland-desktop.nix - ]; + imports = [ ../profiles/wayland-desktop.nix ]; services = { gnome-keyring.enable = false; 
@@ -23,87 +16,85 @@ in { # Hidden=true # ''; - services.gpg-agent.pinentryFlavor = "gnome3"; + services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; - dconf.settings = let - manualKeybindings = [ - { - binding = "Print"; - command = "flameshot gui"; - name = "flameshot"; - } + dconf.settings = + let + manualKeybindings = [ + { + binding = "Print"; + command = "flameshot gui"; + name = "flameshot"; + } - { - binding = "t"; - command = "alacritty"; - name = "alacritty"; - } - ]; + { + binding = "t"; + command = "alacritty"; + name = "alacritty"; + } + ]; - numWorkspaces = 10; - customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; - customKeybindingsNames = - builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") - ( - (builtins.length manualKeybindings) - + numWorkspaces # for sending to the workspace + numWorkspaces = 10; + customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom"; + customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") ( + (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace ); - workspacesKeyBindingsOffset = builtins.length manualKeybindings; + workspacesKeyBindingsOffset = builtins.length manualKeybindings; - # with this we can make use of all number keys [0-9] - mapToNumber = i: - if i < 10 - then i - else if i == 10 - then 0 - else throw "i exceeds 10: ${i}"; - in + # with this we can make use of all number keys [0-9] + mapToNumber = + i: + if i < 10 then + i + else if i == 10 then + 0 + else + throw "i exceeds 10: ${i}"; + in { "org/gnome/settings-daemon/plugins/media-keys" = { custom-keybindings = customKeybindingsNames; screenreader = "@as []"; - screensaver = ["l"]; + screensaver = [ "l" ]; }; # disable the builtin [1-9] functionality - "org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList - (i: { - name = "switch-to-application-${toString (i + 1)}"; 
- value = []; - }) - numWorkspaces) + "org/gnome/shell/keybindings" = builtins.listToAttrs ( + (builtins.genList (i: { + name = "switch-to-application-${toString (i + 1)}"; + value = [ ]; + }) numWorkspaces) ++ [ { name = "toggle-overview"; - value = []; + value = [ ]; } - ]); + ] + ); # remap it to switching to the workspaces - "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList - (i: { + "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs ( + builtins.genList (i: { name = "switch-to-workspace-${toString (i + 1)}"; - value = [ - "${toString (mapToNumber (i + 1))}" - ]; - }) - numWorkspaces); + value = [ "${toString (mapToNumber (i + 1))}" ]; + }) numWorkspaces + ); } - // builtins.listToAttrs (builtins.genList - (i: { + // builtins.listToAttrs ( + builtins.genList (i: { name = "${customKeybindingBaseName}${toString i}"; value = builtins.elemAt manualKeybindings i; - }) - (builtins.length manualKeybindings)) - // builtins.listToAttrs (builtins.genList - (i: { + }) (builtins.length manualKeybindings) + ) + // builtins.listToAttrs ( + builtins.genList (i: { name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}"; value = { binding = "${toString (mapToNumber (i + 1))}"; command = "wmctrl -r :ACTIVE: -t ${toString i}"; name = "Send to workspace ${toString (i + 1)}"; }; - }) - numWorkspaces); + }) numWorkspaces + ); } diff --git a/nix/home-manager/profiles/nix-channels.nix b/nix/home-manager/profiles/nix-channels.nix index 68f21c7..fc52ec6 100644 --- a/nix/home-manager/profiles/nix-channels.nix +++ b/nix/home-manager/profiles/nix-channels.nix 
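Review bot: `throw "i exceeds 10: ${i}"` in `mapToNumber` interpolates an integer, which Nix cannot coerce to a string, so the error branch fails with a coercion error instead of the intended message; use `throw "i exceeds 10: ${toString i}"`. This is pre-existing code the hunk only reindents, and with `numWorkspaces = 10` the branch is unreachable, but the fix is cheap while touching the file. The `wmctrl -r :ACTIVE: -t ${toString i}` keybinding commands rely on `wmctrl` being on the session PATH, and nothing in this hunk adds it; a comment noting where it comes from would help if it is provided elsewhere.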
@@ -1,28 +1,22 @@ +{ pkgs, config, ... }: { - pkgs, - config, - ... -}: let -in { home.file.".nix-channels".text = ""; - home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] '' - $DRY_RUN_CMD ${ - pkgs.writeScript "activation-script" '' - set -ex - if test -f $HOME/.nix-channels; then - echo Uninstalling available channels... - if test -f $HOME/.nix-channel; then - while read url channel; do - nix-channel --remove $channel - done < $HOME/.nix-channel - fi - echo Moving existing file away... - touch $HOME/.nix-channels.dummy - mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels - rm $HOME/.nix-channels + home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] '' + $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' + set -ex + if test -f $HOME/.nix-channels; then + echo Uninstalling available channels... + if test -f $HOME/.nix-channel; then + while read url channel; do + nix-channel --remove $channel + done < $HOME/.nix-channel fi - '' - }; + echo Moving existing file away... + touch $HOME/.nix-channels.dummy + mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels + rm $HOME/.nix-channels + fi + ''}; ''; } diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix index da12f62..84d9c21 100644 --- a/nix/home-manager/profiles/qtile-desktop.nix +++ b/nix/home-manager/profiles/qtile-desktop.nix @@ -1,14 +1,14 @@ -{ - pkgs, - config, - ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +{ pkgs, ... }: +let audio = pkgs.writeShellScript "audio" '' export PATH=${ with pkgs; - lib.makeBinPath [pulseaudio findutils gnugrep] + lib.makeBinPath [ + pulseaudio + findutils + gnugrep + ] }:$PATH export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute 
@@ -33,7 +33,7 @@ terminalCommand = "${pkgs.alacritty}/bin/alacritty"; dpmsScript = pkgs.writeShellScript "dpmsScript" '' - export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH set -xe @@ -56,7 +56,7 @@ ''; screenLockCommand = pkgs.writeShellScript "screenLock" '' - export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH + export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH revert() { ${dpmsScript} default @@ -251,7 +251,8 @@ def print_new_window(window): print("new window: ", window) ''; -in { +in +{ services = { gnome-keyring.enable = true; blueman-applet.enable = true; @@ -286,7 +287,7 @@ in { networkmanagerapplet gnome-icon-theme gnome.gnome-themes-extra - gnome.adwaita-icon-theme + adwaita-icon-theme lxappearance xorg.xcursorthemes pavucontrol diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix index b11550a..c6b1e1f 100644 --- a/nix/home-manager/profiles/sway-desktop.nix +++ b/nix/home-manager/profiles/sway-desktop.nix 
@@ -1,80 +1,64 @@ +/* + TODO: create helper scripts for sharing of a screen portion + ``` + + # this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged. + swaymsg create_output + + # find the name and the workspace number + swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)' + + swaymsg output HEADLESS-1 mode 1920@108060Hz + + # mirror the headless workspace on the current one + nix run nixpkgs\#wl-mirror -- HEADLESS-1 + + # shift windows to the workspace and switch the focus to it +*/ { pkgs, config, lib, # packages', - repoFlakeInputs', ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +}: +let lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'"; displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'"; displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'"; swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh; -in { +in +{ imports = [ ../profiles/wayland-desktop.nix ../programs/waybar.nix - # ../programs/salut.nix ]; - # TODO: autostart - # environment.loginShellInit = '' - # if [[ "$(tty)" == /dev/tty1 ]]; then - # echo starting sway.. 
- # exec sway - # fi - # ''; - - services = { - # TODO: doesn't work with 2 screens - # flameshot.enable = true; - }; - services.dunst = { enable = true; }; - services.gpg-agent.pinentryFlavor = "gnome3"; - - nixpkgs.overlays = [ - (final: prev: { - # xdg-desktop-portal-wlr' = repoFlakeInputs'.nixpkgs-wayland.packages.xdg-desktop-portal-wlr; - # xdg-desktop-portal-wlr-gtk' = repoFlakeInputs'.nixpkgs-wayland.packages.xdg-desktop-portal-wlr-gtk; - # sway-unwrapped = let - # fixed_wlroots = prev.wlroots_0_16.overrideAttrs (old: { - # patches = [ - # (builtins.fetchurl { - # sha256 = "05h9xzicz3fccskg2hbqnw2qh4bm7mwi70c4m00y87w5yhj9gxps"; - # url = "https://gist.githubusercontent.com/steveej/1d8c96ed2fdb3d9ddd0344ca5136073f/raw/d6a097a452b950865b554587db606e718d99c572/fix-wlroots.patch"; - # }) - # ]; - # }); - # in - # prev.sway-unwrapped.override {wlroots_0_16 = fixed_wlroots;}; - }) - ]; + services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3; home.packages = [ pkgs.swayidle pkgs.swaylock ## themes - pkgs.gnome.adwaita-icon-theme + pkgs.adwaita-icon-theme pkgs.hicolor-icon-theme pkgs.gnome-icon-theme ## fonts + # pkgs.nerd-fonts # TODO: reinstall selected ones pkgs.dejavu_fonts # just a basic good fond pkgs.font-awesome_5 # needed by i3status-rust - pkgs.nerdfonts pkgs.font-awesome pkgs.roboto pkgs.ttf_bitstream_vera pkgs.noto-fonts - pkgs.noto-fonts-cjk pkgs.noto-fonts-cjk-sans pkgs.noto-fonts-cjk-serif pkgs.noto-fonts-emoji 
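Review bot: The new header comment opens a fenced block with ``` but never closes it, and `swaymsg output HEADLESS-1 mode 1920@108060Hz` looks like a garbled mode string (presumably `1920x1080@60Hz`), so anyone copying the recipe would get a parse error from swaymsg; the last step, "shift windows to the workspace and switch the focus to it", also has no command. Since it is a TODO, trimming it to the commands known to work and closing the fence keeps it from being mistaken for a tested procedure.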
@@ -89,117 +73,146 @@ in { pkgs.dina-font pkgs.monoid pkgs.hermit - # found on colemickens' repo + ### found on colemickens' repo pkgs.gelasio # metric-compatible with Georgia pkgs.powerline-symbols pkgs.iosevka-comfy.comfy-fixed - # experimental stuff + ## experimental stuff pkgs.fuzzel ]; + # TODO: configure kanshi to always set the 5K resolution + # DP-1 "Philips Consumer Electronics Company PHL 499P9 AU02419010010 (DP-1 via DP)" + # Make: Philips Consumer Electronics Company + # Model: PHL 499P9 + # Serial: AU02419010010 + # Physical size: 1190x340 mm + # Enabled: yes + # Modes: + # 3840x1080 px, 59.967999 Hz (preferred) + # 5120x1440 px, 59.977001 Hz (current) + wayland.windowManager.sway = { enable = true; systemd.enable = true; - xwayland = true; + xwayland = false; - config = let - modifier = "Mod4"; - inherit (config.wayland.windowManager.sway.config) left right up down; - in { - inherit modifier; - bars = []; + config = + let + modifier = "Mod4"; + inherit (config.wayland.windowManager.sway.config) + left + right + up + down + ; + in + { + inherit modifier; + bars = [ ]; - input = { - "type:keyboard" = - { - xkb_layout = config.home.keyboard.layout; - xkb_variant = config.home.keyboard.variant; - } - // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) { - xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + input = { + "type:keyboard" = + { + xkb_layout = config.home.keyboard.layout; + xkb_variant = config.home.keyboard.variant; + } + // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) { + xkb_options = builtins.concatStringsSep "," config.home.keyboard.options; + }; + + "type:touchpad" = { + natural_scroll = "enabled"; }; - "type:touchpad" = { - natural_scroll = "enabled"; + # alternatively run this command + # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative" + # and then switch to a different VT (alt+ctrl+f2) and back + 
"1386:914:Wacom_Intuos_Pro_S_Pen" = { + tool_mode = "* relative"; + }; }; + + keybindings = lib.mkOptionDefault { + # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi + # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; + "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; + + # only 1-9 exist on the default config + "${modifier}+0" = "workspace number 0"; + "${modifier}+Shift+0" = "move container to workspace number 0"; + + # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it + "${modifier}+b" = "nop"; + "${modifier}+v" = "nop"; + + # move workspace to output + "${modifier}+Control+Shift+${left}" = "move workspace to output left"; + "${modifier}+Control+Shift+${right}" = "move workspace to output right"; + "${modifier}+Control+Shift+${up}" = "move workspace to output up"; + "${modifier}+Control+Shift+${down}" = "move workspace to output down"; + # move workspace to output with arrow keys + "${modifier}+Control+Shift+Left" = "move workspace to output left"; + "${modifier}+Control+Shift+Right" = "move workspace to output right"; + "${modifier}+Control+Shift+Up" = "move workspace to output up"; + "${modifier}+Control+Shift+Down" = "move workspace to output down"; + + # TODO: i've been hitting this one accidentally way too often. find a better place. 
+ # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; + "${modifier}+q" = "kill"; + "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; + + "${modifier}+x" = "exec ${swapOutputWorkspaces}"; + + "${modifier}+Ctrl+l" = "exec ${lockCmd}"; + + "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; + "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; + "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; + + "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; + "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; + "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; + + "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; + }; + + terminal = "alacritty"; + startup = + [ + { + command = builtins.toString ( + pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target + ) & + '' + ); + } + ] + ++ lib.optionals config.services.swayidle.enable [ + { + command = builtins.toString ( + pkgs.writeShellScript "ensure-graphical-session" '' + ( + ${pkgs.coreutils}/bin/sleep 0.2 + ${pkgs.systemd}/bin/systemctl --user restart swayidle + ) & + '' + ); + } + ]; + + colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; }; + + window.titlebar = false; + window.border = 4; + + # this maps to focus_on_window_activation + focus.newWindow = "urgent"; }; - - keybindings = lib.mkOptionDefault { - # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi - # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps"; - "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions"; - - # only 1-9 exist on the default config - "${modifier}+0" = 
"workspace number 0"; - "${modifier}+Shift+0" = "move container to workspace number 0"; - - # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it - "${modifier}+b" = "nop"; - "${modifier}+v" = "nop"; - - # move workspace to output - "${modifier}+Control+Shift+${left}" = "move workspace to output left"; - "${modifier}+Control+Shift+${right}" = "move workspace to output right"; - "${modifier}+Control+Shift+${up}" = "move workspace to output up"; - "${modifier}+Control+Shift+${down}" = "move workspace to output down"; - # move workspace to output with arrow keys - "${modifier}+Control+Shift+Left" = "move workspace to output left"; - "${modifier}+Control+Shift+Right" = "move workspace to output right"; - "${modifier}+Control+Shift+Up" = "move workspace to output up"; - "${modifier}+Control+Shift+Down" = "move workspace to output down"; - - "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit"; - "${modifier}+q" = "kill"; - "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9"; - - "${modifier}+x" = "exec ${swapOutputWorkspaces}"; - - "${modifier}+Ctrl+l" = "exec ${lockCmd}"; - - "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause"; - "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous"; - "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next"; - - "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5"; - "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5"; - "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute"; - - "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region"; - }; - - terminal = "alacritty"; - startup = - [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - 
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target - ) & - ''); - } - ] - ++ lib.optionals config.services.swayidle.enable [ - { - command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" '' - ( - ${pkgs.coreutils}/bin/sleep 0.2 - ${pkgs.systemd}/bin/systemctl --user restart swayidle - ) & - ''); - } - ]; - - colors.focused = lib.mkOptionDefault { - childBorder = lib.mkForce "#ffa500"; - }; - - window.border = 4; - - # this maps to focus_on_window_activation - focus.newWindow = "urgent"; - }; }; services.swayidle = { diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix index 6c4d820..2f0d2ee 100644 --- a/nix/home-manager/profiles/wayland-desktop.nix +++ b/nix/home-manager/profiles/wayland-desktop.nix @@ -1,19 +1,14 @@ { pkgs, - config, lib, repoFlake, - nodeFlake, ... -}: let - inherit (import ../lib.nix {}) mkSimpleTrayService; +}: +let - nixpkgs-2211 = nodeFlake.inputs.nixpkgs-2211.legacyPackages.${pkgs.system}; - nixpkgs-unstable-small = nodeFlake.inputs.nixpkgs-unstable-small.legacyPackages.${pkgs.system}; nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}; - - wayprompt = nixpkgs-wayland'.wayprompt; -in { +in +{ fonts.fontconfig.enable = true; # services.gpg-agent.pinentryFlavor = lib.mkForce null; 
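Review bot: In the `"${modifier}+Shift+q"` binding, jq's `select(.focused).pid` prints `null` whenever the focused node carries no `pid` (an empty workspace or a container node can be the focused node), so `xargs -L1 kill -9` then runs `kill -9 null` and fails; `select(.focused) | .pid // empty` turns that case into a no-op. The two startup entries both call `pkgs.writeShellScript "ensure-graphical-session"` although the second one restarts `swayidle`, so naming it `"restart-swayidle"` makes the store path and any log line self-describing. With the `${modifier}+Shift+e` exit binding now only a comment, the only way out of the session is `swaymsg exit` from a terminal, which is worth stating in that TODO so the intent is not lost.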
@@ -29,45 +24,57 @@ in { systemd.user.targets.tray = { Unit = { Description = "Home Manager System Tray"; - Requires = ["graphical-session-pre.target"]; + Requires = [ "graphical-session-pre.target" ]; }; }; - home.packages = with pkgs; [ - # required by network-manager-applet - pkgs.networkmanagerapplet + home.packages = + with pkgs; + [ + # required by network-manager-applet + networkmanagerapplet - wlr-randr - wayout - wl-clipboard - wmctrl + wlr-randr + wayout + wl-clipboard + wmctrl - wayprompt - nixpkgs-wayland'.shotman + nixpkgs-wayland'.shotman - # identifies key input syms - wev + # identifies key input syms + wev - # TODO: whwat's this for? - # wltype + # TODO: whwat's this for? + # wltype - pavucontrol - playerctl - pasystray - qt5.qtwayland - qt6.qtwayland - # libsForQt5.qt5.qtwayland - # libsForQt6.qt6.qtwayland + qt5.qtwayland + qt6.qtwayland + # libsForQt5.qt5.qtwayland + # libsForQt6.qt6.qtwayland - # probably required by flameshot - # xdg-desktop-portal xdg-desktop-portal-wlr - # grim - ]; + # audio + playerctl + helvum + pasystray + sonusmix + pwvucontrol + + # probably required by flameshot + # xdg-desktop-portal xdg-desktop-portal-wlr + # grim + + waypipe + ] + ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) + # TODO: broken on aarch64 + [ ] + ); home.sessionVariables = { XDG_SESSION_TYPE = "wayland"; NIXOS_OZONE_WL = "1"; MOZ_ENABLE_WAYLAND = "1"; + WLR_NO_HARDWARE_CURSORS = "1"; }; home.pointerCursor = { diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix index c2240b9..aa3f531 100644 --- a/nix/home-manager/programs/chromium.nix +++ b/nix/home-manager/programs/chromium.nix 
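Review bot: The `++ (lib.lists.optionals (!pkgs.stdenv.isAarch64) [ ])` tail appends an empty list, so the aarch64 guard currently gates nothing and the `TODO: broken on aarch64` does not say which packages were dropped; either name them in that list/comment or remove the branch until there is something to gate. `WLR_NO_HARDWARE_CURSORS = "1"` is a session-wide workaround that, if I remember right, newer wlroots releases no longer read, so a comment naming the GPU or driver it works around (and the date) would let it be retired later. `waypipe` is a new network-facing tool in the session set; fine to have, but a one-word comment on its intended use (e.g. over ssh only) would help keep it from being exposed unintentionally.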
@@ -1,15 +1,17 @@ { name, lib, + pkgs, ... -}: let +}: +let extensions = [ #undetectable adblocker - {id = "gcfcpohokifjldeandkfjoboemihipmb";} + { id = "gcfcpohokifjldeandkfjoboemihipmb"; } # ublock origin - {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} + { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # # YT ad block # {id = "cmedhionkhpnakcndndgjdbohmhepckk";} @@ -18,15 +20,15 @@ # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";} # Cookie Notice Blocker - {id = "odhmfmnoejhihkmfebnolljiibpnednn";} + { id = "odhmfmnoejhihkmfebnolljiibpnednn"; } # i don't care about cookies - {id = "fihnjjcciajhdojfnbdddfaoknhalnja";} + { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; } # NopeCHA - {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";} + { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; } # h264ify - {id = "aleakchihdccplidncghkekgioiakgal";} + { id = "aleakchihdccplidncghkekgioiakgal"; } # clippy # {id = "honbeilkanbghjimjoniipnnehlmhggk"} 
@@ -37,25 +39,43 @@ } # cookie autodelete - {id = "fhcgjolkccmbidfldomjliifgaodjagh";} + { id = "fhcgjolkccmbidfldomjliifgaodjagh"; } # unhook - { id = "khncfooichmfjbepaaaebmommgaepoid";} + { id = "khncfooichmfjbepaaaebmommgaepoid"; } ] ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [ + # polkadotjs + { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; } + + # rabby wallet + { id = "acmacodkjbdgmoleebolmdjonilkdbch"; } + + # phantom wallet + { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; } + # Vimium C - {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";} + { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; } + + # TODO: this causes scrolling the tab bar all the way to the end. look for a different one or report + # always right + { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; } + + # shazam music + { id = "mmioliijnhnoblpgimnlajmefafdfilb"; } ]); -in { +in +{ programs.chromium = { enable = true; inherit extensions; + # TODO: extensions currently don't work with ungoogled-chromium + package = pkgs.chromium; }; programs.brave = { - enable = true; + # TODO: enable this on aarch64-linux + enable = true && !pkgs.stdenv.targetPlatform.isAarch64; inherit extensions; }; - - programs.browserpass = {browsers = ["chromium" "brave"];}; } diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix index 23f727a..8297183 100644 --- a/nix/home-manager/programs/espanso.nix +++ b/nix/home-manager/programs/espanso.nix 
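Review bot: The three wallet extensions added under the `steveej` gate (the comments name them polkadotjs, rabby and phantom) are installed by Web Store id only, so whatever version the store serves is force-installed and auto-updated with no pin or hash, and they share a profile with extensions that typically require broad page access (the CAPTCHA solver and the adblockers listed above). For wallets that is the classic extension supply-chain exposure; if the home-manager option supports it, pinning via `{ id = ...; version = ...; crxPath = ...; updateUrl = ...; }` against a self-hosted crx, or keeping the wallets in a dedicated profile, would narrow it, and at minimum a comment should record that they are unpinned on purpose. Separately, `enable = true && !pkgs.stdenv.targetPlatform.isAarch64;` reads more plainly as `enable = !pkgs.stdenv.targetPlatform.isAarch64;` with the aarch64 TODO kept above it.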
@@ -1,73 +1,82 @@ -{pkgs, ...}: { +{ pkgs, ... }: +{ services.espanso = { - # package = pkgs.espanso.overrideAttrs(_: { - # # src = - # }) - enable = true; + package = pkgs.espanso-wayland; + # package = pkgs.espanso-wayland.overrideAttrs (_: { + # src = repoFlake.inputs.espanso; + + # cargoLock = { + # # lockFile = "${repoFlake.inputs.espanso.outPath}/Cargo.lock"; + # lockFile = repoFlake.inputs.espanso + "/Cargo.lock"; + # outputHashes = { + # "yaml-rust-0.4.6" = "sha256-wXFy0/s4y6wB3UO19jsLwBdzMy7CGX4JoUt5V6cU7LU="; + # }; + # }; + # }); + + enable = false; configs = { default = { # backend = "Inject"; # backend = "Clipboard"; }; }; - matches = let - playerctl = '' - ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; - in { - default = { - matches = [ - { - trigger = ":vpos"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeScript "espanso" '' - #! ${pkgs.python3}/bin/python - import subprocess, os, math, datetime + matches = + let + playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl''; + in + { + default = { + matches = [ + { + trigger = ":vpos"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ + (pkgs.writeScript "espanso" '' + #! 
${pkgs.python3}/bin/python + import subprocess, os, math, datetime - id=str(os.getuid()) - result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) - result.check_returncode() + id=str(os.getuid()) + result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True) + result.check_returncode() - position_secs = math.trunc(float(result.stdout)) - position_human = datetime.timedelta(seconds=position_secs) - print("%s - %s" % (position_human, position_secs)) - '') - ]; - }; - } - ]; - } - { - trigger = ":vtit"; - replace = "{{output}}"; - vars = [ - { - name = "output"; - type = "script"; - params = { - args = [ - (pkgs.writeShellScript "espanso" - "${playerctl} metadata title") - ]; - }; - } - ]; - } - { - trigger = ":dunno"; - replace = "¯\\_(ツ)_/¯"; - } - { - trigger = ":shrug"; - replace = "¯\\_(ツ)_/¯"; - } - ]; + position_secs = math.trunc(float(result.stdout)) + position_human = datetime.timedelta(seconds=position_secs) + print("%s - %s" % (position_human, position_secs)) + '') + ]; + }; + } + ]; + } + { + trigger = ":vtit"; + replace = "{{output}}"; + vars = [ + { + name = "output"; + type = "script"; + params = { + args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ]; + }; + } + ]; + } + { + trigger = ":dunno"; + replace = "¯\\_(ツ)_/¯"; + } + { + trigger = ":shrug"; + replace = "¯\\_(ツ)_/¯"; + } + ]; + }; }; - }; }; } diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix index 05beab4..51c7a93 100644 --- a/nix/home-manager/programs/firefox.nix +++ b/nix/home-manager/programs/firefox.nix 
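Review bot: `enable = false;` now sits directly under a freshly set `package = pkgs.espanso-wayland;` and a commented-out source override, and nothing says whether the service is off because the Wayland build is broken, because the override is unfinished, or by choice; a one-line `# disabled: <reason, date>` next to `enable = false;` would keep the next reader from re-enabling it blindly. The `:vpos` and `:vtit` scripts are unchanged apart from indentation, but they still run `playerctl` with a hand-built `DBUS_SESSION_BUS_ADDRESS`, so they only work where the user bus lives at `/run/user/<uid>/bus`; a comment to that effect would help if espanso is ever turned back on.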
@@ -1,6 +1,417 @@ -{pkgs, ...}: { - programs.librewolf = {enable = true;}; - programs.firefox = {enable = true;}; +{ + repoFlake, + pkgs, + config, + lib, + ... +}: +let + # Search extension names with below command: + # nix flake show --json "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons" --all-systems | jq -r '.packages."x86_64-linux" | keys[]' | rg QUERY + ryceeAddons = with pkgs.nur.repos.rycee.firefox-addons; [ + ublock-origin - # home.file.".mozilla/native-messaging-hosts/passff.json".source = "${pkgs.passff-host}/share/passff-host/passff.json"; + # bypass-paywalls-clean (can't use, was creating popups) + consent-o-matic + terms-of-service-didnt-read + + auto-tab-discard + + # redirector # For nixos wiki + # darkreader + + facebook-container + control-panel-for-twitter + # containerise + facebook-tracking-removal + vimium + cookie-autodelete + auto-tab-discard + istilldontcareaboutcookies + + youtube-recommended-videos + + display-_anchors + ]; + + customAddons = [ + + ]; + + search = { + force = true; + default = "DuckDuckGo"; + privateDefault = "DuckDuckGo"; + }; + + mkProfile = + override: + lib.recursiveUpdate { + extensions = ryceeAddons ++ customAddons; + inherit search; + + settings = { + # automatically enable extensions + "extensions.autoDisableScopes" = 0; + + "middlemouse.paste" = false; + + "browser.download.useDownloadDir" = false; + "browser.tabs.insertAfterCurrent" = true; + "browser.tabs.warnOnClose" = true; + "browser.toolbars.bookmarks.visibility" = "never"; + "browser.quitShortcut.disabled" = false; + + # restore the previous session automatically + "browser.startup.page" = 3; + "browser.sessionstore.resume_from_crash" = true; + "browser.sessionstore.restore_pinned_tabs_on_demand" = true; + "browser.sessionstore.restore_on_demand" = true; + + "browser.urlbar.suggest.bookmark" = true; + "browser.urlbar.suggest.engines" = true; + "browser.urlbar.suggest.history" = true; + "browser.urlbar.suggest.openpage" = true; + 
"browser.urlbar.suggest.topsites" = false; + "browser.urlbar.trimHttps" = true; + + "sidebar.position_start" = false; + "findbar.highlightAll" = true; + + "browser.tabs.hoverPreview.enabled" = true; + + # Disable fx accounts + "identity.fxaccounts.enabled" = false; + # Disable "save password" prompt + "signon.rememberSignons" = false; + # Harden + "privacy.trackingprotection.enabled" = true; + "dom.security.https_only_mode" = true; + + # Disable irritating first-run stuff + "browser.disableResetPrompt" = true; + "browser.download.panel.shown" = true; + "browser.feeds.showFirstRunUI" = false; + "browser.messaging-system.whatsNewPanel.enabled" = false; + "browser.rights.3.shown" = true; + "browser.shell.checkDefaultBrowser" = false; + "browser.shell.defaultBrowserCheckCount" = 1; + "browser.startup.homepage_override.mstone" = "ignore"; + "browser.uitour.enabled" = false; + "startup.homepage_override_url" = ""; + "trailhead.firstrun.didSeeAboutWelcome" = true; + "browser.bookmarks.restore_default_bookmarks" = false; + "browser.bookmarks.addedImportButton" = true; + + # Disable "Save to Pocket" or Pocket entirely + "extensions.pocket.enabled" = false; + + # Disable telemetry + "toolkit.telemetry.enabled" = false; + "toolkit.telemetry.unified" = false; + "toolkit.telemetry.archive.enabled" = false; + "datareporting.healthreport.uploadEnabled" = false; + "app.shield.optoutstudies.enabled" = false; + "browser.discovery.enabled" = false; + "browser.newtabpage.activity-stream.feeds.telemetry" = false; + "browser.newtabpage.activity-stream.telemetry" = false; + "browser.ping-centre.telemetry" = false; + "datareporting.healthreport.service.enabled" = false; + "datareporting.policy.dataSubmissionEnabled" = false; + "datareporting.sessions.current.clean" = true; + "devtools.onboarding.telemetry.logged" = false; + "toolkit.telemetry.bhrPing.enabled" = false; + "toolkit.telemetry.firstShutdownPing.enabled" = false; + "toolkit.telemetry.hybridContent.enabled" = false; + 
"toolkit.telemetry.newProfilePing.enabled" = false; + "toolkit.telemetry.prompted" = 2; + "toolkit.telemetry.rejected" = true; + "toolkit.telemetry.reportingpolicy.firstRun" = false; + "toolkit.telemetry.server" = ""; + "toolkit.telemetry.shutdownPingSender.enabled" = false; + "toolkit.telemetry.unifiedIsOptIn" = false; + "toolkit.telemetry.updatePing.enabled" = false; + + # Disable any feeds on the new tab page + "browser.newtabpage.activity-stream.showTopSites" = false; + "browser.newtabpage.activity-stream.default.sites" = lib.mkForce [ ]; + "browser.newtabpage.activity-stream.discoverystream.enabled" = false; + "browser.newtabpage.activity-stream.feeds.topsites" = false; + "browser.newtabpage.activity-stream.showSponsoredTopSites" = false; + "browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts" = false; + "browser.newtabpage.blocked" = lib.genAttrs [ + # Youtube + "26UbzFJ7qT9/4DhodHKA1Q==" + # Facebook + "4gPpjkxgZzXPVtuEoAL9Ig==" + # Wikipedia + "eV8/WsSLxHadrTL1gAxhug==" + # Reddit + "gLv0ja2RYVgxKdp0I5qwvA==" + # Amazon + "K00ILysCaEq8+bEqV/3nuw==" + # Twitter + "T9nJot5PurhJSy8n038xGA==" + ] (_: 1); + "browser.topsites.blockedSponsors" = [ + "adidas" + "temuaffiliateprogram.pxf" + "s.click.aliexpress" + ]; + + # enable userChrome + "toolkit.legacyUserProfileCustomizations.stylesheets" = true; + "devtools.chrome.enabled" = true; + "devtools.debugger.remote-enabled" = true; + + # disable translations for some languages + "browser.translations.neverTranslateLanguages" = [ + "en" + "de" + ]; + "browser.translations.automaticallyPopup" = false; + + # enable pipewire (and libcamera) sources + "media.webrtc.camera.allow-pipewire" = true; + }; + + userChrome = + let + name = override.color or colors.grey; + value = colorValues."${name}".normal; + valueBright = colorValues."${name}".highlight; + valueDark = colorValues."${name}".inactive; + in + '' + @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* only needed 
once */ + + #nav-bar { + background-color: ${value} !important; + color: black !important; + } + + /* don't show close button on background tabs */ + #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):not([hover]) .tab-close-button { + display: none !important; + } + + /* show close button on hover */ + #tabbrowser-tabs[closebuttons="activetab"] .tabbrowser-tab:not([selected]):not([pinned]):hover .tab-close-button { + display: -moz-inline-box !important; + } + + + /* default */ + #TabsToolbar { + background: ${valueDark} !important; + } + + /* default tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab .tab-content { + background: ${value} !important; + opacity: 0.8 + } + + /* selected tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[selected] .tab-content { + background: ${valueBright} !important; + box-shadow: 0 8px 16px 0 rgba(0,0,0,0.2), 0 6px 20px 0 rgba(0,0,0,0.19); + } + + /* hovered tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab:hover:not([selected]) .tab-content { + background: ${valueBright} !important; + } + + /* unloaded/pending tab */ + #TabsToolbar #tabbrowser-tabs .tabbrowser-tab[pending] .tab-content { + background: ${valueDark} !important; + } + ''; + + # /* new tab */ + # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button .toolbarbutton-icon { + # background: unset !important; + # } + + # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button { + # /* background: var(--default_tabs_bg_newtab) !important; + # } + + # /* hovered new tab */ + # #TabsToolbar #tabbrowser-tabs #tabs-newtab-button:hover { + # background: var(--default_tabs_bg_newtab_hovered) !important; + # } + + } (builtins.removeAttrs override [ "color" ]); + + # TODO: insert the id automatically + mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs; + + colors = builtins.mapAttrs (name: _: name) colorValues; + + colorValues = { + blue = { + normal = "#49b1fc"; + highlight = "#05a9fc"; # Brighter blue + inactive = "#1f81c6"; # Darker 
blue + }; + green = { + normal = "#51cd00"; + highlight = "#5ae200"; # Brighter green + inactive = "#45ad00"; # Darker green + }; + orange = { + normal = "#ff9800"; + highlight = "#ffb74d"; # Brighter orange + inactive = "#c76a00"; # Darker orange + }; + red = { + normal = "#f6685e"; + highlight = "#ff4336"; # Brighter red + inactive = "#aa463f"; # Darker red + }; + yellow = { + normal = "#fced4b"; + highlight = "#fce705"; # Brighter yellow + inactive = "#dbbe00"; # Darker yellow + }; + purple = { + normal = "#9c27b0"; + highlight = "#ab47bc"; # Brighter purple + inactive = "#7b1fa2"; # Darker purple + }; + pink = { + normal = "#e91e63"; + highlight = "#ff6090"; # Brighter pink + inactive = "#c2185b"; # Darker pink + }; + brown = { + normal = "#795548"; + highlight = "#a88b6f"; # Brighter brown + inactive = "#4e3b30"; # Darker brown + }; + grey = { + normal = "#9e9e9e"; + highlight = "#bdbdbd"; # Brighter grey + inactive = "#757575"; # Darker grey + }; + teal = { + normal = "#009688"; + highlight = "#26c6da"; # Brighter teal + inactive = "#00796b"; # Darker teal + }; + }; + +in +{ + nixpkgs.overlays = [ + repoFlake.inputs.nur.overlays.default + ]; + + nixpkgs.config.allowUnfreePredicate = + pkg: + builtins.elem (lib.getName pkg) [ + "youtube-recommended-videos" + ]; + + programs.librewolf = { + enable = false; + }; + programs.firefox = { + enable = true; + package = pkgs.firefox-esr; + + profiles = mkProfiles { + "personal" = mkProfile { + id = 0; + isDefault = true; + color = colors.blue; + }; + "comms" = mkProfile { + id = 1; + color = colors.blue; + }; + "admin" = mkProfile { + id = 2; + color = colors.blue; + }; + "infra" = mkProfile { + id = 3; + color = colors.blue; + }; + "finance" = mkProfile { + id = 4; + color = colors.yellow; + }; + "business-admin" = mkProfile { + id = 5; + color = colors.teal; + }; + "business-comms" = mkProfile { + id = 6; + color = colors.teal; + }; + "business-dev" = mkProfile { + id = 7; + color = colors.teal; + }; + "holo-dev" = 
mkProfile { + id = 8; + color = colors.green; + }; + "holo-infra" = mkProfile { + id = 9; + color = colors.green; + }; + "holo-comms" = mkProfile { + id = 10; + color = colors.green; + }; + "justyna" = mkProfile { + id = 11; + color = colors.pink; + }; + "justyna-office" = mkProfile { + id = 12; + color = colors.pink; + }; + }; + + }; + + # create one desktop entry for each profile + xdg.desktopEntries = lib.mapAttrs' ( + k: _v: + lib.nameValuePair "firefox-profile-${k}" { + categories = [ + "Network" + "WebBrowser" + ]; + exec = "${lib.getExe config.programs.firefox.package} -P ${k}"; + genericName = "Web Browser"; + icon = + builtins.replaceStrings [ ".desktop" ] [ "" ] + config.programs.firefox.package.desktopItem.name; + mimeType = [ + "text/html" + "text/xml" + "application/xhtml+xml" + "application/vnd.mozilla.xul+xml" + "x-scheme-handler/http" + "x-scheme-handler/https" + ]; + name = "Firefox: ${k}"; + startupNotify = true; + settings.StartupWMClass = + # To group windows of different profiles. + # Set WM_CLASS on Xorg using --class, set app-id on Wayland using --name. + #if profile.name == "default" + #then "firefox" + #else "firefox-${profile.name}"; + "firefox"; + terminal = false; + type = "Application"; + } + ) config.programs.firefox.profiles; } diff --git a/nix/home-manager/programs/gpg-agent.nix b/nix/home-manager/programs/gpg-agent.nix index 5fff979..b81c150 100644 --- a/nix/home-manager/programs/gpg-agent.nix +++ b/nix/home-manager/programs/gpg-agent.nix 
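Review bot: `"extensions.autoDisableScopes" = 0;` does more than `automatically enable extensions`: it tells Firefox to enable add-ons installed in every scope (profile, user, system and application directories) without asking, so anything dropped into one of those directories by another package or process is activated silently across all thirteen profiles. If the goal is only the add-ons home-manager places in the profile, the narrower value that keeps the other scopes auto-disabled is, if I read the bitmask right, `14`; either way the comment should say which scopes are being opened and why. `"devtools.debugger.remote-enabled" = true;` likewise widens the surface beyond what `userChrome` editing needs; if it is there for the Browser Toolbox, pair it with `"devtools.debugger.prompt-connection" = true;` and a comment, otherwise drop it. Also `mkProfiles = attrs: builtins.mapAttrs (_k: v: v) attrs;` is an identity function, so the `TODO: insert the id automatically` could be implemented there (e.g. with `lib.imap0` over a list) or the helper removed until it does something.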
@@ -1,29 +1,17 @@ +{ lib, pkgs, osConfig, ... }: { - lib, - pkgs, - config, - ... -}: { - home.packages = - [ - pkgs.gcr - ] - ++ ( - if config.services.gpg-agent.pinentryFlavor == "gtk2" - then [pkgs.pinentry-gtk2] - else if config.services.gpg-agent.pinentryFlavor == "gnome3" - then [pkgs.pinentry-gnome] - else [] - ); + home.packages = [ pkgs.gcr ]; programs.gpg.enable = true; services.gpg-agent = { enable = true; - enableScDaemon = true; + enableScDaemon = !osConfig.services.pcscd.enable; enableSshSupport = true; grabKeyboardAndMouse = true; - pinentryFlavor = lib.mkDefault "gtk2"; - extraConfig = ""; + pinentryPackage = lib.mkDefault pkgs.pinentry-gtk2; + extraConfig = '' + no-allow-external-cache + ''; defaultCacheTtl = 0; maxCacheTtl = 0; diff --git a/nix/home-manager/programs/homeshick.nix b/nix/home-manager/programs/homeshick.nix index cbd4964..4ba0dfe 100644 --- a/nix/home-manager/programs/homeshick.nix +++ b/nix/home-manager/programs/homeshick.nix 
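Review bot: `enableScDaemon = !osConfig.services.pcscd.enable;` disables scdaemon entirely (home-manager emits `disable-scdaemon`) on every host that runs pcscd, which also removes gpg's own smartcard/OpenPGP-card support there rather than just avoiding the CCID-vs-pcscd contention. If the intent is to coexist with pcscd, the usual form is to keep scdaemon and add `disable-ccid` to `scdaemon.conf` (in home-manager, `programs.gpg.scdaemonSettings = { disable-ccid = true; };` if that option is available on your version) so it reaches the card through pcscd; if gpg is genuinely not meant to touch cards on those hosts, a comment saying so next to the line would prevent someone re-enabling it. `no-allow-external-cache` in `extraConfig` is a good addition and deserves a `# keep passphrases out of pinentry/external keyring caches` note so it survives future cleanups.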
@@ -1,32 +1,25 @@ +{ pkgs, config, ... }: { - pkgs, - config, - ... -}: let - # TODO: clean up the impurity in here -in { home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}"; - home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] '' - $DRY_RUN_CMD ${ - pkgs.writeScript "activation-script" '' - set -e - echo home-manager path is ${config.home.path} - echo home is $HOME + home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] '' + $DRY_RUN_CMD ${pkgs.writeScript "activation-script" '' + set -e + echo home-manager path is ${config.home.path} + echo home is $HOME - source ${pkgs.homeshick}/homeshick.sh - type homeshick + source ${pkgs.homeshick}/homeshick.sh + type homeshick - # echo Updating homeshick - # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick - # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick - '' - }; + # echo Updating homeshick + # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick + # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick + ''}; ''; nixpkgs.config = { - packageOverrides = pkgs: - with pkgs; { + packageOverrides = + pkgs: with pkgs; { homeshick = builtins.fetchGit { url = "https://github.com/andsens/homeshick.git"; ref = "master"; diff --git a/nix/home-manager/programs/libreoffice.nix b/nix/home-manager/programs/libreoffice.nix index f5921e2..2091dc8 100644 --- a/nix/home-manager/programs/libreoffice.nix +++ b/nix/home-manager/programs/libreoffice.nix @@ -1,3 +1,8 @@ -{pkgs, ...}: { - home.packages = with pkgs; [libreoffice-fresh]; +{ pkgs, nodeFlake, ... }: + +let + pkgsStable = nodeFlake.inputs.nixpkgs-stable.legacyPackages.${pkgs.system}; +in +{ + home.packages = [ pkgsStable.libreoffice ]; } diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix index e169eea..d5f60dc 100644 --- a/nix/home-manager/programs/neovim.nix +++ b/nix/home-manager/programs/neovim.nix 
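Review bot: Pulling `libreoffice` from `nodeFlake.inputs.nixpkgs-stable` instead of `libreoffice-fresh` on the default nixpkgs is a deliberate channel split that nothing in the file explains; add `# from nixpkgs-stable: <reason, date>` above `pkgsStable` so it can be reverted once the reason (build breakage, closure size, ...) no longer applies, and note that security fixes for this package then arrive on the stable input's update cadence. `pkgs.system` is the legacy spelling; `pkgs.stdenv.hostPlatform.system` is the more precise one if this is ever cross-built, but that is a nit.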
@@ -1,131 +1,161 @@ +{ repoFlake, pkgs, ... }: { - pkgs, - lib, - ... -}: let -in { - # FIXME: this doesn't work - home.sessionVariables.EDITOR = "nvim"; + imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ]; - programs.neovim = { + programs.nixvim = { enable = true; + defaultEditor = true; + vimdiffAlias = true; + vimAlias = true; - extraPython3Packages = ps: with ps; []; + extraPython3Packages = ps: with ps; [ ]; - extraConfig = builtins.readFile ./neovim/vimrc; + # extraConfigVim = builtins.readFile ./neovim/vimrc; - plugins = with pkgs; - [ - # yaml-folds - { - plugin = vimUtils.buildVimPlugin { - name = "vim-yaml-folds"; - src = fetchFromGitHub { - owner = "pedrohdz"; - repo = "vim-yaml-folds"; - rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; - sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; - }; - buildInputs = [zip vim]; - }; - } + clipboard = { + register = "unnamedplus"; + providers.wl-copy.enable = true; + }; - { - plugin = vimUtils.buildVimPlugin { - name = "vim-yaml"; - src = fetchFromGitHub { - owner = "stephpy"; - repo = "vim-yaml"; - rev = "e97e063b16eba4e593d620676a0a15fa98613979"; - sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; - }; - }; - } + plugins = { + airline = { + enable = true; + settings = { + powerline_fonts = 1; + skip_empty_sections = 1; + theme = "papercolor"; + }; + }; + fugitive.enable = true; + gitblame.enable = true; + lsp = { + enable = true; + }; - # broken 2021-06-08 - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-markdown-toc"; - # src = fetchFromGitHub { - # owner = "mzlogin"; - # repo = "vim-markdown-toc"; - # rev = "b7bb6c37033d3a6c93906af48dc0e689bd948638"; - # sha256 = "026xf2gid4qivwawh7if3nfk7zja9di0flhdzdx82lvil9x48lyz"; - # }; - # }; - # } + nix.enable = true; - # broken 2021-06-08 - # { - # plugin = vimUtils.buildVimPlugin { - # name = "vim-perl"; - # src = fetchFromGitHub { - # owner = "vim-perl"; - # repo = "vim-perl"; - # rev = 
"f330b5d474c44e6cfae22ba50868093dea3e9adb"; - # sha256 = "1dy40ixgixj0536c5ggra51b4yd1lbw4j6l0j5zc3diasb7m2gvr"; - # }; - # }; - # } + # TODO: enable in next release + # numbertoggle.enable = true; - { - plugin = vimUtils.buildVimPlugin { - name = "git-blame"; - src = fetchFromGitHub { - "owner" = "zivyangll"; - "repo" = "git-blame.vim"; - "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; - "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; - }; - }; - } - ] - ++ (with pkgs.vimPlugins; [ - delimitMate - vim-airline - vim-airline-themes - ctrlp - vim-css-color - rainbow_parentheses - vim-colorschemes - vim-colorstepper - vim-signify - fugitive - vim-indent-guides - UltiSnips - fzfWrapper + # successfor to ctrlp and fzf + telescope.enable = true; - ncm2 - ncm2-bufword - ncm2-path - ncm2-tmux - ncm2-ultisnips - nvim-yarp + todo-comments.enable = true; - LanguageClient-neovim + toggleterm.enable = true; - Improved-AnsiEsc - tabular + treesitter = { + enable = true; - # Nix - vim-addon-nix - tlib - vim-addon-vim2nix + grammarPackages = with pkgs.vimPlugins.nvim-treesitter.builtGrammars; [ + bash + json + lua + make + markdown + nix + regex + toml + vim + vimdoc + xml + yaml + ]; + }; - # LaTeX - vim-latex-live-preview - vimtex + treesitter-context.enable = true; + treesitter-refactor.enable = true; - # YAML - vim-yaml + # This plugin trims trailing whitespace and lines. 
+ trim.enable = true; + }; - # markdown - vim-markdown - vim-markdown-toc + # plugins = with pkgs; + # [ + # # yaml-folds + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-yaml-folds"; + # src = fetchFromGitHub { + # owner = "pedrohdz"; + # repo = "vim-yaml-folds"; + # rev = "890ccd8e5370808d569e96dbb06cbeca2cf5993a"; + # sha256 = "018z6xcwrq58q6lj6gwhrifjaxkmrlkkg0n86s6mjjlwkbs2qa4m"; + # }; + # buildInputs = [zip vim]; + # }; + # } - # misc syntax support - vim-bazel - maktaba - ]); + # { + # plugin = vimUtils.buildVimPlugin { + # name = "vim-yaml"; + # src = fetchFromGitHub { + # owner = "stephpy"; + # repo = "vim-yaml"; + # rev = "e97e063b16eba4e593d620676a0a15fa98613979"; + # sha256 = "0vqahbrnr43lxanpziyrmzaqqb3cmyny8ry1xvmy2xyd1larzfrk"; + # }; + # }; + # } + + # { + # plugin = vimUtils.buildVimPlugin { + # name = "git-blame"; + # src = fetchFromGitHub { + # "owner" = "zivyangll"; + # "repo" = "git-blame.vim"; + # "rev" = "9d144b7bed5d8f1c9259551768b7f3b3d1294917"; + # "sha256" = "06zb5xcc59k25rpwl46j82fcqckiznmj97v6i0mwlb8jhqqrhy9j"; + # }; + # }; + # } + # ] + # ++ (with pkgs.vimPlugins; [ + # delimitMate + # vim-airline + # vim-airline-themes + # ctrlp + # vim-css-color + # rainbow_parentheses + # vim-colorschemes + # vim-colorstepper + # vim-signify + # fugitive + # vim-indent-guides + # UltiSnips + # fzfWrapper + + # ncm2 + # ncm2-bufword + # ncm2-path + # ncm2-tmux + # ncm2-ultisnips + # nvim-yarp + + # LanguageClient-neovim + + # Improved-AnsiEsc + # tabular + + # # Nix + # vim-addon-nix + # tlib + # vim-addon-vim2nix + + # # LaTeX + # vim-latex-live-preview + # vimtex + + # # YAML + # vim-yaml + + # # markdown + # vim-markdown + # vim-markdown-toc + + # # misc syntax support + # vim-bazel + # maktaba + # ]); }; } diff --git a/nix/home-manager/programs/neovim/vimrc b/nix/home-manager/programs/neovim/vimrc index c002c2b..f3cb42b 100644 --- a/nix/home-manager/programs/neovim/vimrc +++ b/nix/home-manager/programs/neovim/vimrc 
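Review bot: Roughly a hundred lines of the old `plugins` list survive as commented-out code at the end of `programs.nixvim`, and `# extraConfigVim = builtins.readFile ./neovim/vimrc;` is commented out too, so the vimrc that the next hunk still edits is no longer loaded by anything. If the old list is meant as a reference, a one-line pointer to the pre-nixvim revision in git history is clearer than dead code that will silently rot. Typo in the new comment: `# successfor to ctrlp and fzf` should read `# successor to ctrlp and fzf`.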
@@ -49,8 +49,8 @@ let g:ctrlp_custom_ignore = {
 \ 'dir': '\v[\/]\.(git|hg|svn)$$',
 \ 'file': '\v\.(exe|so|dll)$$',
 \ }
-let g:ctrlp_max_files=0
-let g:ctrlp_max_depth=1000
+"let g:ctrlp_max_files=0
+"let g:ctrlp_max_depth=1000
 "let g:ctrlp_match_func = { 'match': 'pymatcher#PyMatch' }
 "let g:pydiction_location = '~/.vim/bundle/pydiction/complete-dict'
diff --git a/nix/home-manager/programs/obs-studio.nix b/nix/home-manager/programs/obs-studio.nix
new file mode 100644
index 0000000..d99747d
--- /dev/null
+++ b/nix/home-manager/programs/obs-studio.nix
@@ -0,0 +1,25 @@
+{ pkgs, lib, ... }:
+{
+ programs.obs-studio = {
+ enable = true;
+ plugins =
+ builtins.map
+ (
+ plugin:
+ (plugin.overrideAttrs (attrs: {
+ meta = lib.mkMerge [
+ { inherit (attrs) meta; }
+ { meta.platforms = [ pkgs.stdenv.system ]; }
+ ];
+ }))
+ )
+ (
+ with pkgs.obs-studio-plugins;
+ [
+ # wlrobs
+ obs-backgroundremoval
+ obs-pipewire-audio-capture
+ ]
+ );
+ };
+}
diff --git a/nix/home-manager/programs/openvscode-server.nix b/nix/home-manager/programs/openvscode-server.nix
new file mode 100644
index 0000000..4b01360
--- /dev/null
+++ b/nix/home-manager/programs/openvscode-server.nix
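Review bot: The `meta` override inside `plugin.overrideAttrs` does not appear to set what it intends: `lib.mkMerge` is a module-system marker that outside `evalModules` just yields `{ _type = "merge"; contents = [ … ]; }`, and `{ inherit (attrs) meta; }` nests the original attribute under `meta.meta`, so `platforms` never lands on the plugin's actual meta. A plain attribute update expresses the intent and needs no module machinery: `meta = attrs.meta // { platforms = [ pkgs.stdenv.hostPlatform.system ]; };`. A comment on why platforms is forced at all (presumably the plugins do not list this platform as supported) would also save the next reader a search.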
@@ -0,0 +1,37 @@ +{ pkgs, repoFlake, ... }: +let + pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; +in +{ + home.packages = [ + pkgs.nil + pkgs.nixd + pkgs.nixfmt-rfc-style + + # TODO: automate linking this + # 1. get the commit with: `codium --version` + # 2. create the binary directory: `mkdir -p /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/` + # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/ + + /* + e.g.: + ``` + ( + set -e + export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$') + ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/" + ) + ``` + */ + + (pkgsVscodium.openvscode-server.overrideAttrs (attrs: { + src = repoFlake.inputs.openvscode-server; + version = "1.94.2"; + yarnCache = attrs.yarnCache.overrideAttrs (_: { + outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt="; + }); + })) + + pkgs.waypipe + ]; +} diff --git a/nix/home-manager/programs/pass.nix b/nix/home-manager/programs/pass.nix index a17e9a0..056d08d 100644 --- a/nix/home-manager/programs/pass.nix +++ b/nix/home-manager/programs/pass.nix @@ -1,4 +1,5 @@ -{repoFlake, pkgs, ...}: { +{ repoFlake, pkgs, ... }: +{ # required by pass-otp # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions"; # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true"; @@ -6,7 +7,6 @@ home.packages = with pkgs; [ gnupg - pass # broken on wayland # rofi-pass diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix index a8e4eef..be31268 100644 
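Review bot: In the `openvscode-server.overrideAttrs` call, `src`, `version = "1.94.2"` and the `yarnCache` `outputHash` have to move together, but nothing says so: the yarn cache is a fixed-output derivation and fails closed with a hash mismatch when the `openvscode-server` flake input is bumped, while `version` is an independent literal that silently drifts from the source it labels. Suggest a comment on the override, e.g. `# bump version and yarnCache.outputHash together with the openvscode-server flake input`. The comment block above it documents a manual remote install procedure that the `TODO: automate linking this` line admits is unfinished; marking the commit hash inside it as an example value would avoid it being read as current.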
--- a/nix/home-manager/programs/radicale.nix
+++ b/nix/home-manager/programs/radicale.nix
@@ -4,7 +4,8 @@
 pkgs,
 osConfig,
 ...
-}: let
+}:
+let
 libdecsync = pkgs.python3Packages.buildPythonPackage rec {
 pname = "libdecsync";
 version = "2.2.1";
@@ -38,50 +39,51 @@ # pkgs.libxcrypt ]; - propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; + propagatedBuildInputs = [ + libdecsync + pkgs.python3Packages.setuptools + ]; }; radicale-decsync = pkgs.radicale.overrideAttrs (old: { - propagatedBuildInputs = - old.propagatedBuildInputs - ++ [radicale-storage-decsync]; + propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; }); - mkRadicaleService = { - suffix, - port, - }: let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} + mkRadicaleService = + { suffix, port }: + let + radicale-config = pkgs.writeText "radicale-config-${suffix}" '' + [server] + hosts = localhost:${builtins.toString port} - [auth] - type = htpasswd - htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt + [auth] + type = htpasswd + htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} + htpasswd_encryption = bcrypt - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync-${suffix} - ''; - in { - systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} + ''; + in + { + systemd.user.services."radicale-${suffix}" = { + Unit.Description = "Radicale with DecSync (${suffix})"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart = "on-failure"; + }; + Install.WantedBy = [ "default.target" ]; }; - Install.WantedBy = ["default.target"]; }; - }; in - builtins.foldl' (sum: cur: lib.recursiveUpdate sum 
(mkRadicaleService cur)) {} [ - { - suffix = "personal"; - port = 5232; - } - { - suffix = "family"; - port = 5233; - } - ] +builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 5233; + } +] diff --git a/nix/home-manager/programs/redshift.nix b/nix/home-manager/programs/redshift.nix index 0946b2e..9e45594 100644 --- a/nix/home-manager/programs/redshift.nix +++ b/nix/home-manager/programs/redshift.nix @@ -1,21 +1,26 @@ -{ - pkgs, - config, - ... -}: let +_: +let passwords = import ../../variables/passwords.crypt.nix; -in { +in +{ services.gammastep = { enable = true; + provider = "manual"; + enableVerboseLogging = true; inherit (passwords.location.stefan) longitude latitude; temperature = { - day = 6700; + # day = 6700; + day = 3000; night = 3000; }; tray = true; settings = { + general = { + adjustment-method = "wayland"; + }; gammastep = { - brightness-day = 1.0; + # brightness-day = 1.0; + brightness-day = 0.5; brightness-night = 0.5; }; }; diff --git a/nix/home-manager/programs/salut.nix b/nix/home-manager/programs/salut.nix index 6a2894d..415e3be 100644 --- a/nix/home-manager/programs/salut.nix +++ b/nix/home-manager/programs/salut.nix @@ -1,18 +1,11 @@ -{ - pkgs, - config, - lib, - packages', - ... -}: +{ pkgs, packages', ... }: # useful testing command: # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done let - inherit (import ../lib.nix {}) mkSimpleTrayService; -in { - home.packages = [ - packages'.salut - ]; + inherit (import ../lib.nix { }) mkSimpleTrayService; +in +{ + home.packages = [ packages'.salut ]; xdg.configFile."salut/config.ini" = { enable = true; 
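Review bot: `filesystem_folder` and `decsync_dir` move from `${config.xdg.dataHome}/radicale-${suffix}` and `decsync-${suffix}` to `${config.xdg.dataHome}/radicale/radicale-${suffix}` and `decsync/decsync-${suffix}`, and nothing in the hunk migrates the existing directories, so on a host that already has data the `radicale-personal`/`radicale-family` user services will come up against empty storage. Either perform the move as part of the change (a one-shot `ExecStartPre` that relocates the old directory if present, or a documented manual `mv`) or at least record the rename in a comment next to the two paths. The enclosing `let` starts before this hunk.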
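Review bot: `enableVerboseLogging = true;` together with day and night now being identical (`day = 3000` equals `night`, `brightness-day = 0.5` equals `brightness-night`) reads like a debugging session left in place, and keeping the old values only as `# day = 6700;` / `# brightness-day = 1.0;` does not tell the reader which state is intended. Either drop the commented-out values and say why the day/night split is disabled, e.g. `# keep the display warm and dim all day; the day/night schedule is intentionally flat`, or mark the block as temporary so the verbose journal logging gets turned off again.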
@@ -34,7 +27,5 @@ in {
 onChange = "${pkgs.systemd}/bin/systemctl --user restart salut";
 };
- systemd.user.services.salut = mkSimpleTrayService {
- execStart = "${packages'.salut}/bin/salut";
- };
+ systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; };
 }
diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix
index b7a6a3d..df72028 100644
--- a/nix/home-manager/programs/vscode/default.nix
+++ b/nix/home-manager/programs/vscode/default.nix
@@ -1,24 +1,132 @@ -{pkgs, ...}: let - marketPlaceExtensions = - pkgs.vscode-utils.extensionsFromVscodeMarketplace [ - ]; -in { +{ + config, + pkgs, + repoFlake, + lib, + ... +}: +let + pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; +in +{ programs.vscode = { enable = true; - # package = pkgs.vscodium; - extensions = with pkgs.vscode-extensions; + package = pkgsVscodium.vscodium; + extensions = + with pkgsVscodium.vscode-extensions; [ - ms-vscode-remote.remote-ssh + eamodio.gitlens + mkhl.direnv + tomoki1207.pdf + vscodevim.vim + # bbenoist.nix - # vscodevim.vim - # rust-lang.rust-analyzer - # mkhl.direnv + jnoortheen.nix-ide + + ms-vscode.theme-tomorrowkit + nonylene.dark-molokai-theme + + ms-python.vscode-pylance + + # TODO: these are not in nixpkgs + + # fredwangwang.vscode-hcl-format + # hashicorp.hcl + # mindaro-dev.file-downloader + # ms-vscode.remote-explorer + + # TODO: not compatible with vscodium + # ms-vscode-remote.remote-ssh ] - ++ marketPlaceExtensions; + ++ ( + let + extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; + in + with extensions.vscode-marketplace; + with extensions.vscode-marketplace-release; + [ + + serayuzgur.crates + rust-lang.rust-analyzer + swellaby.vscode-rust-test-adapter + + tamasfe.even-better-toml + golang.go + jeff-hykin.better-go-syntax + blueglassblock.better-json5 + nefrob.vscode-just-syntax + # fabianlauer.vs-code-xml-format + + bierner.emojisense + ] + ) + ++ ( + let + nix4vscodeToml = pkgs.writeText "nix4vscode.toml" '' + vscode_version = "${config.programs.vscode.package.version}" + + [[extensions]] + publisher_name = "FelixZeller" + extension_name = "markdown-oxide" + + [[extensions]] + publisher_name = "ibecker" + extension_name = "treefmt-vscode" + + [[extensions]] + publisher_name = "AntiAntiSepticeye" + extension_name = "vscode-color-picker" + + # [[extensions]] + # publisher_name = "nefrob" + # extension_name = "vscode-just-syntax" + + 
[[extensions]] + publisher_name = "fabianlauer" + extension_name = "vs-code-xml-format" + ''; + + nix4vscodeNix = + pkgs.runCommand "nix4vscode.nix" + { + # nix4vscode needs internet access + __noChroot = true; + requiredSystemFeatures = [ "recursive-nix" ]; + buildInputs = [ + pkgs.nix + pkgs.cacert + (pkgs.callPackage "${repoFlake.inputs.nix4vscode.outPath}/nix/package.nix" { }) + # pkgs.strace + ]; + # outputHashAlgo = "sha256"; + # outputHashMode = "recursive"; + # outputHash = lib.fakeSha256; + } + '' + # set -x + # export RUST_BACKTRACE=full + # export RUST_LOG=trace + export HOME=$(mktemp -d) + # strace -ffZyyY + nix4vscode ${nix4vscodeToml} > $out + ''; + nix4vscodeExtensions = builtins.removeAttrs (pkgs.callPackage nix4vscodeNix { }) [ + "override" + "overrideDerivation" + ]; + nix4vscodeExtensions' = lib.attrsets.mapAttrsToList ( + _: v: builtins.head (builtins.attrValues v) + ) nix4vscodeExtensions; + in + nix4vscodeExtensions' + ); mutableExtensionsDir = true; }; - home.packages = [pkgs.nixpkgs-fmt pkgs.alejandra]; + home.packages = [ + pkgs.nil + pkgs.nixfmt-rfc-style + ]; } # TODO: automate ### original list: @@ -94,4 +202,3 @@ in { # xyz.plsql-language # yzane.markdown-pdf # zxh404.vscode-proto3 - diff --git a/nix/home-manager/programs/waybar.css b/nix/home-manager/programs/waybar.css index 60eff50..664a47f 100644 --- a/nix/home-manager/programs/waybar.css +++ b/nix/home-manager/programs/waybar.css @@ -1,6 +1,5 @@ - #custom-cputemp { - padding: 0 10px; - background-color: #f0932b; - color: #ffffff; + padding: 0 10px; + background-color: #f0932b; + color: #ffffff; } diff --git a/nix/home-manager/programs/waybar.nix b/nix/home-manager/programs/waybar.nix index 05392c5..a559dfc 100644 --- a/nix/home-manager/programs/waybar.nix +++ b/nix/home-manager/programs/waybar.nix @@ -1,9 +1,5 @@ +{ pkgs, repoFlake, ... }: { - pkgs, - config, - repoFlake, - ... -}: { home.packages = [ # required by any bar that has a tray plugin pkgs.libappindicator-gtk3 
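Review bot: `nix4vscodeNix` is a `runCommand` with `__noChroot = true` and `recursive-nix` but no `outputHash`, so every build fetches marketplace metadata over the network and the result — a Nix expression — is then imported and evaluated via `pkgs.callPackage nix4vscodeNix { }` with nothing pinning what came back. Two builds of the same commit can therefore resolve to different extension versions (and presumably different download hashes inside the generated file), and every builder that evaluates this configuration has to run with a relaxed sandbox. Re-enabling the commented-out `outputHashAlgo = "sha256"; outputHashMode = "recursive"; outputHash = "<sha256 of the generated nix4vscode.nix>";` (placeholder) makes it a fixed-output derivation that fails closed on drift; alternatively check the generated file into the repo and drop the import-from-derivation altogether. The `# nix4vscode needs internet access` comment should also name the builder requirement (`sandbox = relaxed`) so the failure mode on a strict builder is recognisable.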
@@ -12,17 +8,18 @@ programs.waybar = { enable = true; - package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; - style = - pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" - + pkgs.lib.readFile ./waybar.css; + package = + repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; + style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; systemd.enable = true; settings = { mainBar = { layer = "top"; position = "bottom"; height = 30; - output = ["*"]; + output = + # hide the bar on HEADDLESS displays as i use them only for screensharing + (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ]; # output = [ # "eDP-1" # "DP-*" diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 0d3085d..333d3d7 100644 --- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix @@ -3,27 +3,29 @@ lib, pkgs, ... -}: let - just-plugin = let - plugin_file = pkgs.writeText "_just" '' - #compdef just - #autload +}: +let + just-plugin = + let + plugin_file = pkgs.writeText "_just" '' + #compdef just + #autload - alias justl="\just --list" - alias juste="\just --evaluate" + alias justl="\just --list" + alias juste="\just --evaluate" - local subcmds=() + local subcmds=() - while read -r line ; do - if [[ ! $line == Available* ]] ; - then - subcmds+=(''${line/[[:space:]]*\#/:}) - fi - done < <(just --list) + while read -r line ; do + if [[ ! $line == Available* ]] ; + then + subcmds+=(''${line/[[:space:]]*\#/:}) + fi + done < <(just --list) - _describe 'command' subcmds - ''; - in + _describe 'command' subcmds + ''; + in pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; @@ -35,7 +37,8 @@ chmod --recursive a-w $out ''; }; -in { +in +{ programs.zsh = { enable = true; 
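Review bot: `style` still reads `resources/style.css` from `pkgs.waybar.src` while `package` is taken from `repoFlake.inputs.nixpkgs-wayland`, so the base stylesheet and the binary can come from two different waybar versions; binding the chosen package once in a `let` and reading `"${waybar.src}/resources/style.css"` from it keeps the two in step (`config` was removed from the module arguments in the previous hunk, so `config.programs.waybar.package` is not available without re-adding it). In the new `output` expression the comment says `HEADDLESS` where the pattern is `HEADLESS`, and the `99` bound deserves a word, e.g. `# hide the bar on HEADLESS-0..98 outputs, which exist only for screensharing`.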
@@ -46,47 +49,59 @@ in { # will be called again by oh-my-zsh enableCompletion = false; enableAutosuggestions = true; - initExtra = let - inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; - in '' - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" + initExtra = + let + inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; + in + '' + if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then + unset TMPDIR + fi - # Automatic rehash - zstyle ':completion:*' rehash true + if test ! -n "$TMP" -a -z "$TMP"; then + unset TMP + fi - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi - ${ - if builtins.hasAttr "homeshick" pkgs - then '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' - else "" - } + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" - # Disable intercepting of ctrl-s and ctrl-q as flow control. - stty stop ''' -ixoff -ixon + # Automatic rehash + zstyle ':completion:*' rehash true - # don't cd into directories when executed - unsetopt AUTO_CD + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . $HOME/.shrc.d/sh_aliases + fi - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" + ${ + if builtins.hasAttr "homeshick" pkgs then + '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' + else + "" + } - ${lib.optionalString config.services.gpg-agent.enable '' - export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" - ''} + # Disable intercepting of ctrl-s and ctrl-q as flow control. 
+ stty stop ''' -ixoff -ixon - ${lib.optionalString config.programs.neovim.enable '' - export EDITOR="nvim" - ''} - ''; + # don't cd into directories when executed + unsetopt AUTO_CD + + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" + + ${lib.optionalString config.services.gpg-agent.enable '' + export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" + ''} + + ${lib.optionalString config.programs.neovim.enable '' + export EDITOR="nvim" + ''} + ''; plugins = [ { @@ -119,7 +134,10 @@ in { oh-my-zsh = { enable = true; theme = "tjkirch"; - plugins = ["git" "sudo"]; + plugins = [ + "git" + "sudo" + ]; }; }; } diff --git a/nix/modules/flake-parts/colmena.nix b/nix/modules/flake-parts/colmena.nix index ee885cf..136a5a1 100644 --- a/nix/modules/flake-parts/colmena.nix +++ b/nix/modules/flake-parts/colmena.nix @@ -1,7 +1,8 @@ -{lib, ...}: { +{ lib, ... }: +{ options.flake.colmena = lib.mkOption { # type = lib.types.attrsOf lib.types.unspecified; type = lib.types.raw; - default = {}; + default = { }; }; } diff --git a/nix/modules/flake-parts/perSystem/default.nix b/nix/modules/flake-parts/perSystem/default.nix index a752173..da1e42a 100644 --- a/nix/modules/flake-parts/perSystem/default.nix +++ b/nix/modules/flake-parts/perSystem/default.nix 
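Review bot: `if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then unset TMPDIR; fi` tests the same condition twice (`! -n` is `-z`), and the `TMP` block repeats the pattern; both collapse to `[[ -z $TMPDIR ]] && unset TMPDIR` and `[[ -z $TMP ]] && unset TMP`. Since this is the first thing every interactive shell does, the intent deserves a comment, e.g. `# a set-but-empty TMPDIR/TMP defeats ${TMPDIR-/tmp}-style defaults; unset them instead`. The rest of the hunk is re-indentation of existing code; the hard-coded `SSH_AUTH_SOCK` path rather than `gpgconf --list-dirs agent-ssh-socket` predates this commit.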
@@ -1,38 +1,37 @@
+{ pkgs, ... }:
 {
- inputs',
- system,
- config,
- lib,
- pkgs,
- ...
-}: {
 packages = {
- myPython = pkgs.python310.withPackages (ps:
+ myPython = pkgs.python310.withPackages (
+ ps:
 with ps;
- [
- pep8
- yapf
- flake8
- # autopep8 (broken)
- # pylint (broken)
- ipython
- llfuse
- dugong
- defusedxml
- wheel
- pip
- virtualenv
- cffi
- # pyopenssl
- urllib3
- # mistune (insecure)
- sympy
+ [
+ pep8
+ yapf
+ flake8
+ # autopep8 (broken)
+ # pylint (broken)
+ ipython
+ llfuse
+ dugong
+ defusedxml
+ wheel
+ pip
+ virtualenv
+ cffi
+ # pyopenssl
+ urllib3
+ # mistune (insecure)
+ sympy
- flask
+ flask
- pyaml
- requests
- ]
- ++ [pkgs.pypi2nix pkgs.libffi]);
+ pyaml
+ requests
+ ]
+ ++ [
+ pkgs.pypi2nix
+ pkgs.libffi
+ ]
+ );
 };
 }
diff --git a/nix/os/cachix.nix b/nix/os/cachix.nix
index d888840..0d14a2f 100644
--- a/nix/os/cachix.nix
+++ b/nix/os/cachix.nix
@@ -1,14 +1,12 @@
 # WARN: this file will get overwritten by $ cachix use
-{
- pkgs,
- lib,
- ...
-}: let
+{ lib, ... }:
+let
 folder = ./cachix;
- toImport = name: value: folder + ("/" + name);
+ toImport = name: _value: folder + ("/" + name);
 filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
 imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
-in {
+in
+{
 inherit imports;
- nix.settings.substituters = ["https://cache.nixos.org/"];
+ nix.settings.substituters = [ "https://cache.nixos.org/" ];
 }
diff --git a/nix/os/cachix/nixpkgs-wayland.nix b/nix/os/cachix/nixpkgs-wayland.nix
index 499e6e0..1c0cca7 100644
--- a/nix/os/cachix/nixpkgs-wayland.nix
+++ b/nix/os/cachix/nixpkgs-wayland.nix
@@ -1,8 +1,6 @@
 {
 nix = {
- settings.substituters = [
- "https://nixpkgs-wayland.cachix.org"
- ];
+ settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ];
 settings.trusted-public-keys = [
 "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
 ];
diff --git a/nix/os/containers/backup-target.nix b/nix/os/containers/backup-target.nix deleted file mode 100644 index 608ac47..0000000 --- a/nix/os/containers/backup-target.nix +++ /dev/null @@ -1,87 +0,0 @@ -{ - hostAddress, - localAddress, - containerBackupCfg, - sshPort ? containerBackupCfg.portInt, - autoStart ? false, -}: { - config = { - config, - pkgs, - lib, - ... - }: { - system.stateVersion = "22.05"; # Did you read the comment? - - imports = [../profiles/containers/configuration.nix]; - - networking.firewall.enable = false; - - # services.ddclientovh = { - # enable = true; - # domain = containerBackupCfg.addr; - # }; - - services.openssh.enable = true; - - users.extraUsers."${containerBackupCfg.user}" = { - uid = 2000; - group = containerBackupCfg.group; - shell = pkgs.bashInteractive; - home = "/${containerBackupCfg.targetPath}"; - openssh.authorizedKeys.keys = [ - "ssh-rsa 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 bkp" - ]; - - packages = with pkgs; [btrfs-progs]; - - isSystemUser = true; - }; - - security.sudo = { - enable = true; - extraRules = [ - { - users = ["bkp"]; - commands = [ - { - command = "/etc/profiles/per-user/bkp/bin/btrfs"; - options = ["NOPASSWD"]; - } - { - command = "/run/current-system/sw/bin/readlink"; - options = ["NOPASSWD"]; - } - { - command = "/run/current-system/sw/bin/test"; - options = ["NOPASSWD"]; - } - ]; - } - ]; - }; - }; - - inherit autoStart; - - bindMounts = { - "/${containerBackupCfg.targetPath}" = { - hostPath = "/var/lib/container-volumes/backup-target"; - isReadOnly = false; - }; - }; - - extraFlags = ["--resolv-conf=bind-host"]; - - privateNetwork = true; - forwardPorts = [ - { - # ssh - containerPort = 22; - hostPort = sshPort; - protocol = "tcp"; - } - ]; - - inherit hostAddress localAddress; -} diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix index 864aa20..2c2c171 100644 --- a/nix/os/containers/backup.nix +++ b/nix/os/containers/backup.nix 
@@ -5,88 +5,107 @@ subvolumes, targetPathSuffix ? "", autoStart ? false, -}: let +}: +let passwords = import ../../variables/passwords.crypt.nix; subvolumeParentDir = "/var/lib/container-volumes"; -in { - config = {pkgs, ...}: { - system.stateVersion = "20.03"; # Did you read the comment? +in +{ + config = + { pkgs, ... }: + { + system.stateVersion = "20.03"; # Did you read the comment? - imports = [../profiles/containers/configuration.nix]; + imports = [ ../profiles/containers/configuration.nix ]; - environment.systemPackages = with pkgs; [btrfs-progs btrbk]; + environment.systemPackages = with pkgs; [ + btrfs-progs + btrbk + ]; - networking.firewall.enable = true; + networking.firewall.enable = true; - systemd.services."bkp-sync" = { - enable = true; - description = "bkp-sync service"; + systemd.services."bkp-sync" = { + enable = true; + description = "bkp-sync service"; - serviceConfig = {Type = "oneshot";}; + serviceConfig = { + Type = "oneshot"; + }; - after = ["bkp-run.service"]; + after = [ "bkp-run.service" ]; - requires = ["bkp-run.service"]; + requires = [ "bkp-run.service" ]; - path = with pkgs; [utillinux]; - script = '' - set -x - true - ''; - }; - - systemd.services."bkp-run" = { - enable = true; - description = "bkp-run"; - - serviceConfig = {Type = "oneshot";}; - - partOf = ["bkp-sync.service"]; - - path = with pkgs; [btrfs-progs btrbk coreutils]; - - script = let - btrbkConf = pkgs.writeText "cfg" '' - timestamp_format long - ssh_identity ${passwords.storage.backupTarget.keyPath} - ssh_user ${passwords.storage.backupTarget.user} - ssh_compression no - backend_remote btrfs-progs-sudo - compat_remote busybox - btrfs_commit_delete each - snapshot_create onchange - snapshot_preserve_min latest - snapshot_preserve 7d 4w - target_preserve_min latest - target_preserve 7d 4w 12m *y - - volume ${subvolumeParentDir} - target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} - ${builtins.foldl' (sum: elem: sum + " subvolume " + 
elem + "\n") "" - subvolumes} + path = with pkgs; [ utillinux ]; + script = '' + set -x + true ''; - in '' - #! ${pkgs.bash}/bin/bash - set -Eeuxo pipefail + }; - btrbk -c ${btrbkConf} --progress ''${@:-run} - ''; - }; + systemd.services."bkp-run" = { + enable = true; + description = "bkp-run"; - systemd.timers."bkp" = { - description = "Timer to trigger bkp periodically"; - enable = true; - wantedBy = ["timer.target" "multi-user.target"]; - timerConfig = { - # Obtained using `systemd-analyze calendar "Wed 23:00"` - # OnCalendar = "Wed *-*-* 23:00:00"; - OnStartupSec = "1m"; - Unit = "bkp-sync.service"; - OnUnitInactiveSec = "2h"; - Persistent = "true"; + serviceConfig = { + Type = "oneshot"; + }; + + partOf = [ "bkp-sync.service" ]; + + path = with pkgs; [ + btrfs-progs + btrbk + coreutils + ]; + + script = + let + btrbkConf = pkgs.writeText "cfg" '' + timestamp_format long + ssh_identity ${passwords.storage.backupTarget.keyPath} + ssh_user ${passwords.storage.backupTarget.user} + ssh_compression no + backend_remote btrfs-progs-sudo + compat_remote busybox + btrfs_commit_delete each + snapshot_create onchange + snapshot_preserve_min latest + snapshot_preserve 7d 4w + target_preserve_min latest + target_preserve 7d 4w 12m *y + + volume ${subvolumeParentDir} + target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} + ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} + ''; + in + '' + #! ${pkgs.bash}/bin/bash + set -Eeuxo pipefail + + btrbk -c ${btrbkConf} --progress ''${@:-run} + ''; + }; + + systemd.timers."bkp" = { + description = "Timer to trigger bkp periodically"; + enable = true; + wantedBy = [ + "timer.target" + "multi-user.target" + ]; + timerConfig = { + # Obtained using `systemd-analyze calendar "Wed 23:00"` + # OnCalendar = "Wed *-*-* 23:00:00"; + OnStartupSec = "1m"; + Unit = "bkp-sync.service"; + OnUnitInactiveSec = "2h"; + Persistent = "true"; + }; }; }; - }; inherit autoStart; 
@@ -114,10 +133,10 @@ in {
 }
 ];
- extraFlags = ["--resolv-conf=bind-host"];
+ extraFlags = [ "--resolv-conf=bind-host" ];
 privateNetwork = true;
- forwardPorts = [];
+ forwardPorts = [ ];
 inherit hostAddress localAddress;
 }
diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix
index d113925..0be078c 100644
--- a/nix/os/containers/mailserver.nix
+++ b/nix/os/containers/mailserver.nix
@@ -1,195 +1,211 @@ { - repoFlake, + specialArgs, + hostBridge, hostAddress, localAddress, imapsPort ? 993, sievePort ? 4190, autoStart ? false, -}: { - config = { - pkgs, - config, - lib, - ... - }: { - system.stateVersion = "21.11"; # Did you read the comment? +}: +{ + inherit specialArgs; + config = + { + pkgs, + config, + repoFlake, + ... + }: + { + system.stateVersion = "22.05"; # Did you read the comment? - imports = [ - ../profiles/containers/configuration.nix + imports = [ + ../profiles/containers/configuration.nix - repoFlake.inputs.sops-nix.nixosModules.sops - ../profiles/common/user.nix - ]; + repoFlake.inputs.sops-nix.nixosModules.sops + ../profiles/common/user.nix + ]; - # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately - # sops.defaultSopsFile = ./mailserver_secrets.yaml; + networking.firewall.allowedTCPPorts = [ + imapsPort + sievePort + ]; - sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; - sops.secrets.email_mailStefanjunkerDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_mailStefanjunkerDeHetzner = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_schtifATwebDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_dovecot_steveej = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; + # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately + # sops.defaultSopsFile = ./mailserver_secrets.yaml; - # TODO: switch to something other than ddclient as it's no longer maintained + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.email_mailStefanjunkerDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_mailStefanjunkerDeHetzner = { + sopsFile 
= ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_schtifATwebDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_dovecot_steveej = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; - # TODO: switch to a let's encrypt certificate - sops.secrets.dovecotSslServerCert = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - sops.secrets.dovecotSslServerKey = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - services.dovecot2 = { - enable = true; + # TODO: switch to something other than ddclient as it's no longer maintained - modules = [pkgs.dovecot_pigeonhole]; - protocols = ["sieve"]; + # TODO: switch to a let's encrypt certificate + sops.secrets.dovecotSslServerCert = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + sops.secrets.dovecotSslServerKey = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + services.dovecot2 = { + enable = true; - enableImap = true; - enableLmtp = true; - enablePAM = true; - showPAMFailure = true; - mailLocation = "maildir:~/.maildir"; - sslServerCert = config.sops.secrets.dovecotSslServerCert.path; - sslServerKey = config.sops.secrets.dovecotSslServerKey.path; + modules = [ pkgs.dovecot_pigeonhole ]; + protocols = [ "sieve" ]; - #configFile = "/etc/dovecot/dovecot2_manual.conf"; - extraConfig = '' - auth_mechanisms = cram-md5 digest-md5 - auth_verbose = yes + enableImap = true; + enableLmtp = true; + enablePAM = true; + showPAMFailure = true; + mailLocation = "maildir:~/.maildir"; + sslServerCert = config.sops.secrets.dovecotSslServerCert.path; + sslServerKey = config.sops.secrets.dovecotSslServerKey.path; - passdb { - driver = passwd-file - args = scheme=CRYPT username_format=%u /etc/dovecot/users - } + #configFile = 
"/etc/dovecot/dovecot2_manual.conf"; + extraConfig = '' + auth_mechanisms = cram-md5 digest-md5 + auth_verbose = yes - protocol lda { - postmaster_address = "mail@stefanjunker.de" - mail_plugins = $mail_plugins sieve - } + passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users + } - protocol imap { - mail_max_userip_connections = 64 - } - ''; - }; + protocol lda { + postmaster_address = "mail@stefanjunker.de" + mail_plugins = $mail_plugins sieve + } - environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; - - systemd.services.steveej-getmail-stefanjunker = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 600; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [pkgs.getmail6]; - script = let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = ssl0.ovh.net - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + protocol imap { + mail_max_userip_connections = 64 + } ''; - in '' - getmail --idle=INBOX --rcfile=${rc} - ''; + }; + + environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; + + systemd.services.steveej-getmail-stefanjunker = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 600; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + script = + let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 1 + 
read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = ssl0.ovh.net + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in + '' + getmail --idle=INBOX --rcfile=${rc} + ''; + }; + + systemd.services.steveej-getmail-stefanjunker-hetzner = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 60; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + script = + let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 2 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = mail.your-server.de + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in + '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + + systemd.services.steveej-getmail-webde = { + enable = true; + wantedBy = [ "multi-user.target" ]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + description = "Getmail service"; + path = [ pkgs.getmail6 ]; + serviceConfig.RestartSec = 1000; + serviceConfig.Restart = "always"; + script = + let + rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = imap.web.de + port = 993 + username = schtif + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") + mailboxes = ('INBOX',) + + 
[destination] + type = Maildir + path = ~/.maildir/ + ''; + in + '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; }; - systemd.services.steveej-getmail-stefanjunker-hetzner = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 60; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [pkgs.getmail6]; - script = let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 2 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = mail.your-server.de - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - - systemd.services.steveej-getmail-webde = { - enable = true; - wantedBy = ["multi-user.target"]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - description = "Getmail service"; - path = [pkgs.getmail6]; - serviceConfig.RestartSec = 1000; - serviceConfig.Restart = "always"; - script = let - rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = imap.web.de - port = 993 - username = schtif - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = Maildir - path = ~/.maildir/ - ''; - in '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - }; - inherit autoStart; bindMounts = { @@ -203,8 +219,6 @@ }; }; - # extraFlags = ["--resolv-conf=bind-host"]; - privateNetwork = true; forwardPorts = [ { 
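Review bot: `enablePAM = true` and `showPAMFailure = true` are carried into the new `services.dovecot2` block while `extraConfig` pins `auth_mechanisms = cram-md5 digest-md5`; the PAM passdb that `enablePAM` adds can only verify plaintext mechanisms (PLAIN/LOGIN), so as written it can never authenticate anyone and only leaves a second passdb to reason about. Either drop the two PAM lines or add `plain` to the mechanism list (Dovecot still refuses plaintext auth without TLS under its default `disable_plaintext_auth = yes`, which is the intended behaviour here). The `passwd-file` passdb's default `scheme=CRYPT` is likewise not usable by CRAM-MD5/DIGEST-MD5 unless each entry in the sops-provided `/etc/dovecot/users` carries its own `{CRAM-MD5}`-style scheme prefix, so a one-line comment on the `passdb` block saying which scheme the entries actually use would save the next reader a round trip. The container attrset continues past the hunk (`bindMounts`, `forwardPorts`).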
@@ -222,5 +236,5 @@ } ]; - inherit hostAddress localAddress; + inherit hostBridge hostAddress localAddress; } diff --git a/nix/os/containers/mailserver_secrets.yaml b/nix/os/containers/mailserver_secrets.yaml index ffb595a..f519b36 100644 --- a/nix/os/containers/mailserver_secrets.yaml +++ b/nix/os/containers/mailserver_secrets.yaml 
@@ -7,37 +7,37 @@ dovecotSslServerCert: ENC[AES256_GCM,data:ylK0IIj2vdY0mXOqSgA5zYmFYGote/uMtDWy2r dovecotSslServerKey: ENC[AES256_GCM,data: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,iv:XxnAsh6yx9gICi3N6oTttpGXvguGZImWNIMp9srDJLM=,tag:M9gFSD5PNIfoCLet6Vy6QA==,type:str] hetznerDnsApiToken: ENC[AES256_GCM,data:JfL4Xg9TZu4Og35g0SwfrI1uxiqgdFa7p5AQcfiPwLY=,iv:yOak3uXX7CNglu8O2UW/1sOI7BGZxpRQAFJCvRbzU0Y=,tag:6orkQIy7BxACziLWpYoS5Q==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn - R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 - dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj - bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl - T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-17T12:01:21Z" - mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] - pgp: - - created_at: "2023-07-02T20:30:30Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWaE9nNytUbXhWeWZYWndn + R3pMV3N1NjJPK2gzUDl2YitxWEU4NUFPRUJ3Cm1tMGhGcU56bSs5SUIzRmhqVHN2 + dXIzYlkvS1JnWnladGdXTnRKMXNOWncKLS0tIGhyRFhFV1VRVXVYN1pJWjNFd1Rj + bENCWmVNUEJyZFBpRmYwbWVndFJGcUEKzvkGz3WycSrU4qPcBhs4cSCn/9TQ62sl + T6TuDra97qJJ1Pg9VZGHT/OoSleLA4s0qpNlAxnAnNaO0conTsREZQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2023-07-17T12:01:21Z" + mac: ENC[AES256_GCM,data:003nzaNWdXLscJy9XZcwAb93M9Eo3Bdg9s5MHHiv4/TitaaZE7VghWHKv5DrcoA0GGdN9SnIVqHd+o6OPVER91XLVxoiX7ixtlu1RIRfqdama3RRPtSki5wP5wPz6qF4vRBIKfrTpZK7thXLYs2NhCB9HJYljNhcgLtzEG5bWgY=,iv:tEP530Pij3bt3hc5PCYGjFFyPiKgo34dHm23Xtmrxt8=,tag:macr/U8R5+wktTBJ9OqI/w==,type:str] + pgp: + - created_at: "2023-07-02T20:30:30Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds - 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf - SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb - 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc - Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc - RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx - 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 - uGcEfsNiUXPngkNrh/Nvhh9w - =yHDZ - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAli6PQTNwh9N5Oo1LJvHysQNdxdZAq4QbfcwcIfpJIDds + 0TQs28EeSttv47P2ga4Nb1O5dVUnlvwbP+uV9RbioYF4LfZ2/uNlS1lSGwsLbPcf + SsY+U2WvpJgyo3EWQRusR/OXLFg0EdqDPDseH1w1u8tGALDrewre5oBjrMa0GRbb + 5F8lK/FVxSJxz70UkHgE7c6pSqPpznlgVduUwoOWnlhTw4aet7lLik+/C9K7LBDc + Q04sW1W2yqYr2882xPAUwfBhgfZQ1Uld5aDwqwPH+1Ttx26e7JrGSFaIX8GTVVpc + RJqN6uman5at3lOaEKXS1qf7T9ZI003CvdFwHS1G89JRAemdeK4bur5wS3VXBhDx + 44fHgmDcOohHilTahwmyXCT70KjjHbd9665vAhsl0N9aOrOBdOgq0HmLjNzAQkz5 + uGcEfsNiUXPngkNrh/Nvhh9w + =yHDZ + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/nix/os/containers/mycelium/flake.lock b/nix/os/containers/mycelium/flake.lock new file mode 100644 index 0000000..0a7597d --- /dev/null +++ b/nix/os/containers/mycelium/flake.lock 
@@ -0,0 +1,124 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nix-snapshotter", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1704152458, + "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "nix-snapshotter": { + "inputs": { + "flake-compat": "flake-compat", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1723875769, + "narHash": "sha256-66GofByLJ+S4ZZphIC+vJKeL9VJ2bzH2VbcJ3OqteMM=", + "owner": "pdtpartners", + "repo": "nix-snapshotter", + "rev": "6eaadfd8f89e5e7d79b2013626bbd36e388159da", + "type": "github" + }, + "original": { + "owner": "pdtpartners", + "repo": "nix-snapshotter", + "type": "github" + } + }, + "nixlib": { + "locked": { + "lastModified": 1728781282, + "narHash": "sha256-hUP9oxmnOmNnKcDOf5Y55HQ+NnoT0+bLWHLQWLLw9Ks=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "16340f605f4e8e5cf07fd74dcbe692eee2d4f51b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1728867876, + "narHash": "sha256-NCyOA8WZNoojmXH+kBDrQj3LwvakYNzSc0h+LTXkmPE=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "fdf142111597f6c6283cf5ffe092b6293a3911d0", + "type": 
"github" + }, + "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1728897630, + "narHash": "sha256-0utJPs4o2Mody8GDwo4hnGuxc8dJqju4u9lLJY4d/Lw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c9f0b4a395289ce18727e2a8e43cae6796693ccc", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nix-snapshotter": "nix-snapshotter", + "nixos-generators": "nixos-generators", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/containers/mycelium/flake.nix b/nix/os/containers/mycelium/flake.nix new file mode 100644 index 0000000..1527acf --- /dev/null +++ b/nix/os/containers/mycelium/flake.nix 
@@ -0,0 +1,371 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small"; + # nixpkgs-systemd256.url = "github:NixOS/nixpkgs/962cf03fb8c782c5e00f465397e03dc84284acc9"; + nixos-generators = { + url = "github:nix-community/nixos-generators"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + nix-snapshotter = { + url = "github:pdtpartners/nix-snapshotter"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + outputs = + { self, nixpkgs, ... }: + let + systems = [ + "aarch64-linux" + "x86_64-linux" + ]; + forAllSystems = nixpkgs.lib.genAttrs systems; + in + { + nixosConfigurations.default = nixpkgs.lib.nixosSystem { + system = "aarch64-linux"; + + specialArgs = { }; + + modules = [ + ( + { + config, + modulesPath, + pkgs, + lib, + ... + }: + { + nixpkgs.overlays = [ + (_final: _previous: { + # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; + # systemd = + # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { + # src = /home/steveej/src/others/systemd; + + # withAppArmor = false; + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; + # withMachined = false; + # withLogTrace = true; + # withArchive = false; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # }) + # pkgs.systemdMinimal.override { + # # getting errors with these disabled + # withCoredump = true; + # withCompression = true; + # withLogind = true; + # withSysusers = true; + # withUserDb = true; + # } + # pkgs.systemdMinimal + # pkgs.systemd.override { + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # 
withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; + # withMachined = false; + # withLogTrace = true; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # } + # ; + }) + ]; + + imports = [ (modulesPath + "/profiles/minimal.nix") ]; + system.stateVersion = "24.11"; + + # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix + boot.isContainer = true; + # boot.tmp.useTmpfs = true; + boot.loader.grub.enable = lib.mkForce false; + boot.loader.systemd-boot.enable = lib.mkForce false; + services.journald.console = "/dev/console"; + services.journald.storage = "none"; + # boot.specialFileSystems = lib.mkForce {}; + + services.nscd.enable = false; + system.nssModules = lib.mkForce [ ]; + systemd.services.systemd-logind.enable = false; + systemd.services.console-getty.enable = false; + + systemd.sockets.nix-daemon.enable = false; + systemd.services.nix-daemon.enable = false; + systemd.oomd.enable = false; + networking.useDHCP = false; + networking.firewall.enable = false; + + # system.build.earlyMountScript = + # lib.mkForce '' + # ''; + # system.activationScripts.specialfs = + # lib.mkForce '' + # ''; + boot.postBootCommands = '' + ls -lha /run + mkdir -p /run/wrappers + ''; + + boot.kernelParams = [ "systemd.log_level=debug" ]; + + # services.udev.enable = false; + + # TODO: this is only needed because `/run/current-system` is missing + # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; + + systemd.mounts = lib.mkForce [ ]; + fileSystems = lib.mkForce { }; + + services.mycelium.enable = false; + services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; + systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; + 
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; + systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce ( + pkgs.writeShellScript "mycelium" '' + while true; do + ls -lha $CREDENTIALS_DIRECTORY + sleep 5 + done + '' + ); + + systemd.services.testing-credentials = { + wantedBy = [ "multi-user.target" ]; + path = [ pkgs.coreutils ]; + + serviceConfig = { + # SyslogIdentifier = "testing-credentials"; + # StateDirectory = "testing-credentials"; + # DynamicUser = true; + # User = "tc"; + # ProtectHome = true; + # ProtectSystem = true; + # LoadCredential = [ + # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" + # "hosts:/etc/hosts" + # ]; + SetCredential = "mycelium-keyfile:not secret string"; + ExecStart = lib.mkForce ( + pkgs.writeShellScript "mycelium" '' + cd $STATE_DIRECTORY + pwd + env + while true; do + ls -lha $CREDENTIALS_DIRECTORY + sleep 5 + done + '' + ); + }; + }; + + services.caddy = { + enable = true; + globalConfig = '' + auto_https off + ''; + virtualHosts.":80" = { + extraConfig = '' + respond "hello from ${config.networking.hostName}" + ''; + }; + }; + } + ) + ]; + }; + packages = forAllSystems ( + system: + let + name = "mycelium"; + inherit (self.inputs) nix-snapshotter; + + config = { + entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; + # port = 2379; + args = [ ]; + # nodePort = 30001; + }; + + myceliumPorts = { + tcp = [ 9651 ]; + udp = [ + 9650 + 9651 + ]; + }; + + inherit (config) + entrypoint + # port + + args + # nodePort + + ; + + pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; }; + + image = pkgs.nix-snapshotter.buildImage { + inherit name; + resolvedByNix = true; + config = { + entrypoint = [ entrypoint ]; + env = [ + # this is read by the `/init` script and prevents various incompatible commands like mount, etc. + # the value of this doesn't seem to matter as long as it's not an empty string. 
+ "container=nerd" + "SYSTEMD_LOG_LEVEL=debug" + ]; + volumes = { + # "/var/lib/private/mycelium/key.bin" = {}; + # "/run" = {}; + # "/tmp" = {}; + # "/etc" = {}; + }; + copyToRoot = [ + # self.nixosConfigurations.default.config.system.build.toplevel + ]; + }; + }; + in + { + k8s = + let + pod = pkgs.writeText "${name}-pod.json" ( + builtins.toJSON { + apiVersion = "v1"; + kind = "Pod"; + metadata = { + inherit name; + labels = { + inherit name; + }; + }; + spec.containers = [ + { + inherit name args; + image = "nix:0${image}"; + ports = [ + { + name = "mycelium-tcp-0"; + containerPort = builtins.elemAt myceliumPorts.tcp 0; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 0; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 1; + } + ]; + } + ]; + } + ); + + service = pkgs.writeText "${name}-service.json" ( + builtins.toJSON { + apiVersion = "v1"; + kind = "Service"; + metadata.name = "${name}-service"; + spec = { + type = "NodePort"; + selector = { + inherit name; + }; + ports = [ + { + name = "mycelium-tcp-0"; + port = builtins.elemAt myceliumPorts.tcp 0 + 50000; + targetPort = "mycelium-tcp-0"; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 0 + 50000; + targetPort = "mycelium-udp-0"; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 1 + 50000; + targetPort = "mycelium-udp-1"; + } + ]; + }; + } + ); + in + pkgs.runCommand "declarative-k8s" { } '' + mkdir -p $out/share/k8s + cp ${pod} $out/share/k8s/ + cp ${service} $out/share/k8s/ + ''; + + inherit image; + + start = pkgs.writeShellApplication { + name = "start"; + text = '' + set -x + rm -rf ./result + nix build --impure .#image + sudo nix2container load ./result + sudo -E nerdctl run --name ${name} --privileged -dt \ + --cgroup-manager cgroupfs \ + --volume 
"$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ + "nix:0$(readlink result):latest" + ''; + }; + + stop = pkgs.writeShellApplication { + name = "stop"; + text = '' + set +e + sudo -E nerdctl stop -t 60 ${name} + sudo -E nerdctl rm --force ${name} + sudo -E nerdctl system prune --all --force + sudo systemctl stop nix-snapshotter + sudo systemctl stop containerd + mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l + sudo systemctl start containerd + sudo systemctl start nix-snapshotter + ''; + + # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) + + # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap + }; + } + ); + }; +} diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix index 72aaab8..921662f 100644 --- a/nix/os/containers/syncthing.nix +++ b/nix/os/containers/syncthing.nix 
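Review bot: Nothing in this new flake says it is a debugging scaffold, yet the `mycelium` unit is forced to `User = "root"` with `DynamicUser` disabled, `testing-credentials` runs `env` (dumping its whole environment to the journal) with a `SetCredential` placeholder, the kernel boots with `systemd.log_level=debug`, the container firewall is off, and the `start` script launches the container with `--privileged`. A header comment at the top of `outputs` such as `# EXPERIMENTAL: scratch setup for running a NixOS toplevel under nerdctl/nix-snapshotter; the root user, debug logging, disabled firewall and --privileged are for debugging only and must not be copied into a real mycelium deployment.` would stop these settings from being mistaken for a hardened baseline. The `stop` script's `mount | rg … | xargs sudo umount -l` also lazily unmounts everything under `/var/lib/container` and `/tmp/initial`, which I would expect to take down unrelated containerd mounts on a shared host; a note naming the mounts it is meant to clean up, or a filter on `${name}`, would make the intent explicit.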
@@ -1,31 +1,81 @@ { + specialArgs, + hostBridge, hostAddress, localAddress, syncthingPort ? 22000, syncthingLocalAnnouncePort ? 21027, + smbTcpPort ? 445, autoStart ? false, -}: { - config = { - config, - pkgs, - ... - }: { - system.stateVersion = "20.05"; # Did you read the comment? +}: +{ + inherit specialArgs; + config = + { ... }: + { + system.stateVersion = "20.05"; # Did you read the comment? - imports = [../profiles/containers/configuration.nix]; + imports = [ ../profiles/containers/configuration.nix ]; - networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ - # syncthing gui - 8384 - ]; + networking.firewall.allowedTCPPorts = [ + # syncthing gui + 8384 + ]; - services.syncthing = { - enable = true; - openDefaultPorts = true; - guiAddress = "0.0.0.0:8384"; + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; + }; + + services.samba = { + enable = true; + securityType = "user"; + openFirewall = true; + settings = { + global = { + "workgroup" = "DMZ"; + "server string" = "syncthing"; + "netbios name" = "syncthing"; + "security" = "user"; + #"use sendfile" = "yes"; + #"max protocol" = "smb2"; + # note: localhost is the ipv6 localhost ::1 + "hosts allow" = "192.168.23. 127.0.0.1 localhost"; + "hosts deny" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "bad user"; + }; + "scan-stefan" = { + "path" = "/var/lib/syncthing/Sync/Home::Scan::Stefan"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "syncthing"; + "force group" = "syncthing"; + }; + + "scan-justyna" = { + "path" = "/var/lib/syncthing/Sync/Home::Scan::Justyna"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + "force user" = "syncthing"; + "force group" = "syncthing"; + }; + }; + }; + + + # TODO: find out if smbpasswd file is still used and set it here. 
or find an alternative + # sops.secrets.smbpasswd = { + # }; + # environment.etc."samba/smbpasswd".source = config.sops.secrets.smbpasswd.text; }; - }; inherit autoStart; @@ -36,8 +86,6 @@ }; }; - extraFlags = ["--resolv-conf=bind-host"]; - privateNetwork = true; forwardPorts = [ { @@ -55,7 +103,12 @@ hostPort = syncthingLocalAnnouncePort; protocol = "udp"; } + { + containerPort = 445; + hostPort = smbTcpPort; + protocol = "tcp"; + } ]; - inherit hostAddress localAddress; + inherit hostBridge hostAddress localAddress; } diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix index df3c445..6389cc5 100644 --- a/nix/os/containers/webserver.nix +++ b/nix/os/containers/webserver.nix 
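Review bot: `services.samba.openFirewall = true` opens every Samba port inside the container (TCP 139/445 and, with nmbd left at its default, UDP 137/138), while only 445 is forwarded by the new `forwardPorts` entry in the `@@ -55,7 +103,12 @@` hunk; the file already lists firewall ports explicitly for the Syncthing GUI, so `networking.firewall.allowedTCPPorts = [ 8384 445 ];` in place of `openFirewall = true` (plus `services.samba.enableNmbd = false;` if NetBIOS name service is not wanted on the DMZ) keeps the exposed surface to what is actually routed. `"map to guest" = "bad user"` gives unknown usernames an anonymous session that can enumerate shares even though both shares set `"guest ok" = "no"`; `"map to guest" = "never"` is the stricter choice unless browsing by guests is intended. With no Samba user provisioned (the `TODO` on `smbpasswd`), neither share is reachable yet, so a comment on `"hosts allow"` noting that it is the only control until the password file is wired through sops would help whoever picks this up. The container attrset continues past the hunk (`bindMounts`, `forwardPorts`).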
@@ -1,226 +1,426 @@ { - repoFlake, + specialArgs, + hostBridge, hostAddress, localAddress, - httpPort ? 80, - httpsPort ? 443, + httpPort, + httpsPort, + forgejoSshPort, autoStart ? false, -}: let +}: +let domain = "www.stefanjunker.de"; -in { - config = { - config, - pkgs, - lib, - ... - }: { - system.stateVersion = "22.05"; # Did you read the comment? +in +{ + inherit specialArgs; + config = + { + config, + pkgs, + lib, + repoFlake, + nodeFlake, + system, + ... + }: + let + nixpkgs-kanidm = nodeFlake.inputs.nixpkgs-unstable; + in + { + system.stateVersion = "22.05"; # Did you read the comment? - imports = [ - ../profiles/containers/configuration.nix + disabledModules = [ + "services/misc/forgejo.nix" + "services/security/kanidm.nix" + ]; - repoFlake.inputs.sops-nix.nixosModules.sops - ]; + imports = [ + "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" + "${nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" - networking.firewall.enable = false; + ../profiles/containers/configuration.nix - sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; - sops.secrets.hedgedoc_environment_file = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.hedgedoc.name; - }; + repoFlake.inputs.sops-nix.nixosModules.sops + ]; - services.caddy = { - enable = true; - virtualHosts."${domain}" = { - extraConfig = let - port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}"; - path = "${config.services.authelia.instances.default.settings.server.path}"; - in '' - redir /hedgedoc* https://hedgedoc.${domain} + sops.defaultSopsFile = ./webserver_secrets.yaml; - file_server /*/* { - browse - root /var/www/stefanjunker.de/htdocs/caddy - pass_thru - } + networking.firewall.allowedTCPPorts = [ + httpPort + httpsPort + forgejoSshPort + ]; - # respond "Hi" - # respond (not /*/*) "Hi" + sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + sops.secrets.hedgedoc_environment_file = { + sopsFile = 
./webserver_secrets.yaml; + owner = config.users.users.hedgedoc.name; + }; + + services.caddy = { + enable = true; + logFormat = '' + level ERROR ''; - }; + virtualHosts."${domain}" = { + extraConfig = '' + redir /hedgedoc* https://hedgedoc.${domain} - virtualHosts."hedgedoc.${domain}" = { - extraConfig = '' - reverse_proxy http://[::1]:3000 - ''; - }; + file_server /*/* { + browse + root /var/www/stefanjunker.de/htdocs/caddy + pass_thru + } - virtualHosts."authelia.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} - ''; - }; - - virtualHosts."lldap.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} - ''; - }; - }; - - services.hedgedoc = { - enable = true; - settings = { - domain = "hedgedoc.${domain}"; - urlPath = ""; - protocolUseSSL = true; - db = { - dialect = "sqlite"; - storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + # respond "Hi" + # respond (not /*/*) "Hi" + ''; }; - allowAnonymous = false; - allowAnonymousEdits = false; - allowGravatar = false; - allowFreeURL = false; - defaultPermission = "private"; - - allowEmailRegister = false; - email = false; - - ldap = { - url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; - bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; - # these are set via the `environmentFile` - bindCredentials = "$LDAP_ADMIN_PASSWORD"; - searchBase = "ou=people,dc=stefanjunker,dc=de"; - searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; - useridField = "uid"; + virtualHosts."hedgedoc.${domain}" = { + extraConfig = '' + reverse_proxy http://[::1]:3000 + ''; }; - uploadsPath = "/var/lib/hedgedoc/uploads"; - }; - - environmentFile = config.sops.secrets.hedgedoc_environment_file.path; - }; - - services.jitsi-meet = { - enable = false; - hostName = "meet.${domain}"; - config = { - 
prejoinPageEnabled = true; - }; - caddy.enable = true; - nginx.enable = false; - }; - - sops.secrets.authelia_storageEncryptionKey = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - sops.secrets.authelia_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - services.authelia.instances.default = let - baseDir = "/var/lib/authelia-default"; - in { - enable = true; - secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; - secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; - settings = { - theme = "auto"; - default_2fa_method = "totp"; - log.level = "debug"; - - server = { - disable_healthcheck = true; - host = "127.0.0.1"; - port = 9091; - # path = "authelia"; + virtualHosts."authelia.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} + ''; }; - storage = { - local.path = "${baseDir}/authelia.sqlite"; + virtualHosts."lldap.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} + ''; }; - authentication_backend = { - file.path = "${baseDir}/first_factor.yaml"; - file.search.email = true; - file.search.case_insensitive = false; + virtualHosts."forgejo.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} + ''; }; - access_control = { - default_policy = "one_factor"; - }; - - session.domain = "stefanjunker.de"; - - notifier = { - disable_startup_check = true; - filesystem.filename = "${baseDir}/notification.txt"; + virtualHosts."kanidm.${domain}" = { + extraConfig = '' + reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } 
+ } + ''; }; }; - }; - users.groups.lldap = {}; - users.users.lldap = { - isSystemUser = true; - group = "lldap"; - }; + services.hedgedoc = { + enable = true; + settings = { + domain = "hedgedoc.${domain}"; + urlPath = ""; + protocolUseSSL = true; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + }; - sops.secrets.lldap_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; + allowAnonymous = false; + allowAnonymousEdits = false; + allowGravatar = false; + allowFreeURL = false; + defaultPermission = "private"; - sops.secrets.lldap_adminPassword = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; + allowEmailRegister = false; + email = false; - sops.secrets.lldap_environmentFile = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; + ldap = { + url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; + bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; + # these are set via the `environmentFile` + # bindCredentials = "$LDAP_ADMIN_PASSWORD"; + searchBase = "ou=people,dc=stefanjunker,dc=de"; + searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; + useridField = "uid"; + }; - services.lldap = { - enable = true; - environment = { - LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; - LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; - }; - environmentFile = config.sops.secrets.lldap_environmentFile.path; + oauth2 = + let + originURL = config.services.kanidm.serverSettings.origin; + in + { + providerName = "kanidm (${originURL})"; - settings = { - verbose = true; + authorizationURL = "${originURL}/ui/oauth2"; + tokenURL = "${originURL}/oauth2/token"; + userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; - ldap_base_dn = "dc=stefanjunker,dc=de"; - http_url = "https://lldap.${domain}"; + scope = 
"openid email profile"; + # rolesClaim = "roles"; + # accessRole = "role/hedgedoc"; - ## Options to configure SMTP parameters, to send password reset emails. - ## To set these options from environment variables, use the following format - ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD - smtp_options = { - ## Whether to enabled password reset via email, from LLDAP. - enable_password_reset = true; + userProfileUsernameAttr = "name"; + userProfileDisplayNameAttr = "displayname"; + userProfileEmailAttr = "email"; - # port = 465; - ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". - # smtp_encryption = "TLS"; + clientID = "hedgedoc"; + # set via the `environmentFile` + # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; + }; + + uploadsPath = "/var/lib/hedgedoc/uploads"; }; - # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; + environmentFile = config.sops.secrets.hedgedoc_environment_file.path; }; - }; - systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; - systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; - systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; - }; + services.jitsi-meet = { + enable = false; + hostName = "meet.${domain}"; + config = { + prejoinPageEnabled = true; + }; + caddy.enable = true; + nginx.enable = false; + }; + + sops.secrets.authelia_storageEncryptionKey = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + sops.secrets.authelia_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + services.authelia.instances.default = + let + baseDir = "/var/lib/authelia-default"; + in + { + enable = true; + secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; + secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; + settings = { + theme = "auto"; + default_2fa_method = 
"totp"; + log.level = "debug"; + + server = { + disable_healthcheck = true; + host = "127.0.0.1"; + port = 9091; + # path = "authelia"; + }; + + storage = { + local.path = "${baseDir}/authelia.sqlite"; + }; + + authentication_backend = { + file.path = "${baseDir}/first_factor.yaml"; + file.search.email = true; + file.search.case_insensitive = false; + }; + + access_control = { + default_policy = "one_factor"; + }; + + session.domain = "stefanjunker.de"; + + notifier = { + disable_startup_check = true; + filesystem.filename = "${baseDir}/notification.txt"; + }; + }; + }; + + users.groups.lldap = { }; + users.users.lldap = { + isSystemUser = true; + group = "lldap"; + }; + + sops.secrets.lldap_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_adminPassword = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_environmentFile = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + services.lldap = { + enable = true; + environment = { + LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; + LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; + }; + environmentFile = config.sops.secrets.lldap_environmentFile.path; + + settings = { + verbose = true; + + ldap_base_dn = "dc=stefanjunker,dc=de"; + http_url = "https://lldap.${domain}"; + + ## Options to configure SMTP parameters, to send password reset emails. + ## To set these options from environment variables, use the following format + ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD + smtp_options = { + ## Whether to enabled password reset via email, from LLDAP. + enable_password_reset = true; + + # port = 465; + ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". 
+ # smtp_encryption = "TLS"; + }; + + # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; + }; + }; + + sops.secrets.FORGEJO_JWT_SECRET = { }; + sops.secrets.FORGEJO_INTERNAL_TOKEN = { }; + sops.secrets.FORGEJO_SECRET_KEY = { }; + + services.forgejo = { + enable = true; + package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; + settings = { + service.DISABLE_REGISTRATION = true; + server.HTTP_ADDR = "127.0.0.1"; + server.START_SSH_SERVER = true; + server.SSH_PORT = forgejoSshPort; + server.ROOT_URL = "https://forgejo.${domain}"; + server.HTTP_PORT = 3001; + + # TODO: how do i get a 3072 length SSH key with the yubikey? + "ssh.minimum_key_sizes".RSA = 2048; + }; + secrets = { + oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; + security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; + security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; + }; + }; + + systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; + systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; + systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; + + # combine a path watcher with a service that transfers the certs by caddy to kanidm + # TODO: had an issue where the certificate in kanidm was expired, despite caddy having a refreshed certificate + systemd.paths.kanidm-tls-watch = { + enable = true; + requiredBy = [ "kanidm.service" ]; + pathConfig = { + PathChanged = [ + "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + ]; + Unit = "kanidm-tls-update.service"; + 
}; + }; + systemd.services.kanidm-tls-update = + let + dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; + in + { + enable = true; + requiredBy = [ "kanidm.service" ]; + unitConfig = { + # ConditionPathExists = [ + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + # ]; + }; + serviceConfig.Type = "oneshot"; + script = + let + tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key; + in + '' + set -xe + + cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key + cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain + + chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} + chmod 400 tls.{key,chain} + + # create the kanidm directory in case it's missing + if [[ ! -d ${tlsDir} ]]; then + mkdir -p ${tlsDir} + chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} + chmod 700 ${tlsDir} + fi + + mv tls.key ${config.services.kanidm.serverSettings.tls_key} + mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} + + if [[ ! 
-d ${dbDir} ]]; then + mkdir -p ${dbDir} + chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} + chmod 700 ${dbDir} + fi + ''; + }; + + systemd.services.kanidm.serviceConfig = + let + dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; + in + # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; + { + # ExecStartPre = '' + # mkdir -p ${dbDir} + # ''; + BindPaths = [ + dbDir + # stateDir + ]; + }; + + services.kanidm = + let + dataDir = "/var/lib/kanidm"; + in + { + package = nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; + + enablePam = false; + enableClient = false; + + enableServer = true; + serverSettings = { + role = "WriteReplica"; + log_level = "debug"; + + domain = "kanidm.${domain}"; + origin = "https://kanidm.${domain}"; + + + bindaddress = "127.0.0.1:8444"; + + # don't expose ldap + # ldapbindaddress = "[::1]:6636"; + + tls_key = "${dataDir}/tls/tls.key"; + tls_chain = "${dataDir}/tls/tls.chain"; + + online_backup = { + schedule = "00 06 * * *"; + }; + }; + }; + }; inherit autoStart; @@ -253,10 +453,17 @@ in { hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap"; isReadOnly = false; }; - }; - # extraFlags = ["--resolv-conf=bind-host"]; - # networking.useHostResolvConf = true; + "/var/lib/forgejo" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-forgejo"; + isReadOnly = false; + }; + + "/var/lib/kanidm" = { + hostPath = "/var/lib/container-volumes/webserver/var-lib-kanidm"; + isReadOnly = false; + }; + }; privateNetwork = true; forwardPorts = [ @@ -272,7 +479,14 @@ in { hostPort = httpsPort; protocol = "tcp"; } + + { + # forgejo ssh + containerPort = forgejoSshPort; + hostPort = forgejoSshPort; + protocol = "tcp"; + } ]; - inherit hostAddress localAddress; + inherit hostBridge hostAddress localAddress; } 
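Review bot: In the new `kanidm-tls-update` script the private key is first written with `cat … > tls.key` into the unit's working directory (`/` unless set) under the service's default umask and only afterwards `chown`ed and `chmod 400`ed, so there is a short window in which the copied key is readable by other local users; adding `umask 077` directly after `set -xe`, or copying with `install -m 0400 -o … -g …` instead of `cat`, closes it. The "certificate in kanidm was expired" TODO above the path unit is plausibly explained by the unit itself: `PathChanged` re-runs the oneshot when caddy renews, but nothing restarts `kanidm.service` afterwards, so kanidm presumably keeps serving the certificate it loaded at startup — a restart after the copy (guarded so the `requiredBy` relation does not loop) or a kanidm-side reload would address that. The new `serverSettings.log_level = "debug"` on an identity provider tends to log request details; `"info"` is the safer default once the setup is stable.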
diff --git a/nix/os/containers/webserver_secrets.yaml b/nix/os/containers/webserver_secrets.yaml index 29bb119..62dc6e8 100644 --- a/nix/os/containers/webserver_secrets.yaml +++ b/nix/os/containers/webserver_secrets.yaml 
@@ -1,41 +1,45 @@ -hedgedoc_environment_file: ENC[AES256_GCM,data:uBaATOTIkCkboAfaB7d6G2G4AfKszipQe+mc0XPJHik30wLppCKpEc61ELLbiZ1xGaOEWKUSMHc0GyBapykrgEe0UUYJ0Ukpq9bj9/J2VC7BLu1ABbr+pWpJR68+IOKY2GWlioSDIL6JwaGIjLV5sLrUjJgtwzAYrqAU13VS5RVHtGtz+7TgwHIJADoec+jSRhkh82g198eaAUbKyAFB9yhXFWgq6ozh8RgtkYKAP7LXIuyJt9BYJoNQ,iv:MCMJph0W1PC0n9h7xhPMxtJINQP+QRBf2anzXEzydwc=,tag:zj2o+/JpBRTYgYpSMJedPw==,type:str] +hedgedoc_environment_file: ENC[AES256_GCM,data:gPTokPMGBAN/lGGeUs95vg45yVrrSmFCKWTjlMV4V+YnflcqiaZvifX9+0fe3DELwNL4kY4st4N0MadhLkTiSieyp46fP8Dujk4Prhi7JWweBDsN4WtxcwJfAdowgh5LTzqM3zggC/J9NGR/zgJGLYraOqsFueXycxDxntE+8MlepYFGsND4WbFHNRvsVd7xUWerZZD+JFhws2sjwC9DqoJ+mBX4u9J2faSrL3okBGwRpEZlJhe6/8pT0l1aVxI0b/9UsLUL/him/vVqY8ygMP8O95gzuDEaCtwSXw08ylhb3g3YHdMh9ZOe9dPNVocVFrB15HfxeY4KzRCVfvgmBsSiUrgUAZQ8aav2ZWHPKQ==,iv:AVtx/43MK5KVxP59olEmbkUzLhd0cBjPpVeiAJGELfM=,tag:Hd3edeUzLgHnwAwPiMGp4A==,type:str] authelia_storageEncryptionKey: ENC[AES256_GCM,data:BLj2+w0jUOiiqljd4WcYt90I1Y/tm6vYRn9IPvv7k+ykjeWeafDcb9LpAbYZ82iAbCDZ6cDnTIJSH50TYFM1Bw==,iv:DfrFuTMS6rzWS1F7hIloD7Eb9N6LV6MDsPGEidTCIkM=,tag:4TxiUuWj8LLCAe+3SQWthA==,type:str] authelia_jwtSecret: ENC[AES256_GCM,data:CtvhPJDlM8kZDh3MWI6jBEIK5P/Rc0ZY3JfQ/1qn2FyZ0kOE9CMznRQdzi125Mlh+LgfhS00aeY/esuSJ1YKnw==,iv:o29+Ja4E4USpxD5Bgg4nGpj1WdK+uJJeuyqa3c92Pys=,tag:Ko/6PqIM7FyvqMJAepTNKw==,type:str] lldap_jwtSecret: ENC[AES256_GCM,data:Jd05K5zZZcdFY9P+PM1ycpl4eKr7THXzlEC2gxhfq0kZ0c7NrmqpnxLFyMOoq0oZwFXQ3aE29N+dYYCbWgEs0g==,iv:k9Y4XZcFSUaaOvooMzH1AlHaI/RiZZ0cpSqTU6jzsUU=,tag:EHwIMQ00Z+IrXAKgugMbmQ==,type:str] lldap_adminPassword: ENC[AES256_GCM,data:qZviC+/V25iHWS2d5KKrMfCLmmWKAkXoiLW3NJyZWIvMRbFPtfJGv/5e++idcKNLdPHRgvGpdeTpOdZNK7ETSQ==,iv:jX8bzgYVXZfMQ8Qxa7WaUiQFE/mBmQWZ3o000njeEC8=,tag:4Rd3WVGIw1rBLKND4xPbMg==,type:str] lldap_environmentFile: ENC[AES256_GCM,data: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,iv:U94CNFxQ8kyIYdH0EyqQIJ3s7QKaLlMa+5coO0dQnto=,tag:KZEizL99W5BtcaXSnYXFhg==,type:str] 
+#ENC[AES256_GCM,data:uNqahO8WF6QFNkbPnQq2UDKn/gFt0H56keUb,iv:CDVKC3ER5rsKoMmBi2g5g+F3ZfKc3+Rs8bjxFhgSPZ4=,tag:oGPl6TB/nghGwWvVBLFlGQ==,type:comment] +FORGEJO_JWT_SECRET: ENC[AES256_GCM,data:nVz9x7+K+rBIZxuQP7o0WNFHUz89eR9cwBjfSAx9/WH5PF+/aWazZOJpVg==,iv:4qpHo143fe/sVhKfYDwxr+YiBZ2q/WWViYSwoxz0i/k=,tag:smSsJsqa6uZKarcoOMUjwQ==,type:str] +FORGEJO_INTERNAL_TOKEN: ENC[AES256_GCM,data:EIono9HSyvp1nQM0ij3ln3IUXO4moFbRgVddeV0BZBXmZG05jdjZ1SIXo/BxoSmRKnjllR7P00CpajNM5zORldlsBId5oAYL5GZtY3/nmxeXucJidknuow22G7Z8wRJJGBdishbgQhmc,iv:1D93gTUF1+DUR8qLJgML+oUhvSslhxEjGnbBC/PWHXw=,tag:NZB+mwba4TzLcUANZLDRTw==,type:str] +FORGEJO_SECRET_KEY: ENC[AES256_GCM,data:CewYFZtcXKUD5/oSM0Q32rhw+urdA0eQhdYp8EFHUXxEtL6f5NWK6IOwIlMuEv1/FjtTWlqxWekOZpmxBRzwnw==,iv:qLyVB7Nc+rDbBoO5g82/vPdykwOATHCSDLhvS+fK9PM=,tag:4NMhUvKmrRd6qrcQq3R8wA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh - U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh - YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP - eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc - KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-17T11:48:04Z" - mac: ENC[AES256_GCM,data:Bgmm5+IrFdnTG907cZe0cnSmbWLyNDVYyABFj5eRuGsYCthclRM9WEKktvJg2RVYcND39IEH/FiFR/Hxf5YgrUcU7HKEXKzn7U4AGcREh2tb5EVTELjAJ4e00omNoD1gmFOklRS9AWce1g03AGzfbzM68enpDUkxWWTU2FOPei8=,iv:A9V4EsMAIoEs7j/eWy06Y9RExz+N/PT70TBNSViswKc=,tag:287n8ygaEj/40vh1x2IQig==,type:str] - pgp: - - created_at: "2023-07-09T17:51:27Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SkxFSkJQb29UeVRnZnFh + U3BJeGZ1NUVzMk0ycXBvWExyZDcveXZrd2pJCmpCeS80VE5McWVHQnZpaHFERmNh + YWZIMHRtQkd5Vm54MWR3bkhUUDRvejQKLS0tIG9NSkpCSkEyZFRyOXorWE1KLytP + eWdXVHg5MTlQQU9GeElPeUZXUlBlaTgKceDu3tLbQM/DxY0tJYJTPy2Dl/SBYaoc + KfMZOkc322/NvgWu/3Ke0hV1/eMk8EICwXbSwHhXr5a0+cwPZ9xV4A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-16T12:28:51Z" + mac: ENC[AES256_GCM,data:nrd2czzJlBcFfwn6lzh4qqco+/XsU2J6BqvQqMtskh3mL4Xx25IAzxiCno0KlNGr6o4YsuZP5anOX9RvrDq76Us3JQ7pDi3iQGPhmg+SE9u3Rwqn1/3YConvdfPV2DNB+tuyG3UVoRqpA4d+HdcYjN9n1UKk54R6UdSm9UrA+zc=,iv:Juupyet09zUAMu7bmVxq+/Q0bXJAzR0wAyt6vKNns3w=,tag:owdUWuXrQcDdiWi+1geY9A==,type:str] + pgp: + - created_at: "2023-07-09T17:51:27Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD - gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO - 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ - XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w - YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku - bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI - F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i - g+ZF+9NNqOTKsBzEnuGsZRnI - =iXfo - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAs92CvegZAcuyNllIp9zHUp7jFqfXhuoAOKKmOZvN4TBD + gQM7jKAXXwbMy90gGWF9EkdMzeBqG4S9ZM8gPAYcZkt98F0PGu6wBSvvYnUdDOcO + 8tvhEhBSE19xCIR7BeG9bhooEJ1V3LSZzrwyikeHUHAqDQLrwM7jrPOef22PIzH+ + XPtwWMVwVzwRJTZ/uV11vIV60b0zfnB8ZJzv7RbXsob8octy4LRe6Vb0BUd5ON3w + YULnyMlFFGekiqAPBk0K5Xib35qBu6mtnmxWzVUqT4pgiShoZsRQs3At1Onm7Cku + bqIDMoCYTvSzwDCOYp2+ni/ZOIuDvBiRCPoNuLjkD9JRAcCbjuxA6w0eaJKFTzoI + F1olIecBtQOQQn+iXya/rx69wDtR9965gecWRMbRg6tYncumpdQB//MWALhVmr6i + g+ZF+9NNqOTKsBzEnuGsZRnI + =iXfo + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + 
unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index bc8e0ad..02b0212 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix @@ -1,20 +1,25 @@ { dir, - pkgs ? import {}, - ownLib ? import ../lib/default.nix {inherit (pkgs) lib;}, + pkgs ? import { }, + ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, gitRoot ? "$(git rev-parse --show-toplevel)", # FIXME: why do these need explicit mentioning? moreargs ? "", rebuildarg ? "", ... -} @ args: let - rebuildargsSudo = ["switch" "boot"]; - rebuild = { - gitRoot, - rebuildarg ? "dry-activate", - moreargs ? "", - ... - }: +}@args: +let + rebuildargsSudo = [ + "switch" + "boot" + ]; + rebuild = + { + gitRoot, + rebuildarg ? "dry-activate", + moreargs ? "", + ... + }: pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe @@ -30,25 +35,24 @@ ${ if - (builtins.elem rebuildarg rebuildargsSudo) - && (builtins.match ".*--target-host.*" moreargs) == null - then "sudo -E \\" - else "" + (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null + then + "sudo -E \\" + else + "" } nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} ''; -in { - recipes = - { - rebuild = - rebuild { - inherit gitRoot; - inherit moreargs; - inherit rebuildarg; - } - # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } - # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } - ; +in +{ + recipes = { + rebuild = rebuild { + inherit gitRoot; + inherit moreargs; + inherit rebuildarg; } - // (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;})); + # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } + # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } + ; + } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); } 
diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index f62c6a9..f639344 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix @@ -3,40 +3,29 @@ ownLib, dir, gitRoot, - diskId ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") - {}) - .hardware - .opinionatedDisk - .diskId, + diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, encrypted ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") - {}) - .hardware - .opinionatedDisk - .encrypted, + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, previousDiskId ? "", ... -}: let +}: +let mntRootVol = "/mnt/${diskId}-root"; -in rec { +in +rec { diskMount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe echo Mounting ${diskId} ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} ''} sleep 1 sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo mkdir -p /mnt sudo mkdir ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} - sudo mount ${ - ownLib.disk.rootFsDevice diskId - } ${mntRootVol}/nixos/home -o subvol=home + sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot ''; @@ -73,9 +62,7 @@ in rec { #!/usr/bin/env bash set -xe - read -p "Continue to format ${ - ownLib.disk.bootGrubDevice diskId - } (YES/n)? " choice + read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; 
@@ -122,15 +109,11 @@ in rec { ${pkgs.lib.strings.optionalString encrypted '' # Encrypt sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} ''} # LVM - sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ - ownLib.disk.lvmPv diskId encrypted - } + sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted} sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root @@ -154,9 +137,7 @@ in rec { #!/usr/bin/env bash set -xe - read -p "Continue to relabel ${ - ownLib.disk.bootGrubDevice diskId - } (YES/n)?" choice + read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; @@ -187,13 +168,9 @@ in rec { if test "${previousDiskId}"; then - ${ - pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ - ownLib.disk.luksName diskId - } - '' - } + ${pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + ''} sync sleep 1 if sudo vgs ${previousDiskId}; then diff --git a/nix/os/devices/elias-e525/boot.nix b/nix/os/devices/elias-e525/boot.nix index ab6c098..6698046 100644 --- a/nix/os/devices/elias-e525/boot.nix +++ b/nix/os/devices/elias-e525/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiSupport = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/elias-e525/configuration.nix b/nix/os/devices/elias-e525/configuration.nix index d39da6f..ea92869 100644 --- a/nix/os/devices/elias-e525/configuration.nix 
+++ b/nix/os/devices/elias-e525/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/elias-e525/default.nix b/nix/os/devices/elias-e525/default.nix index 4b4d676..ba02693 100644 --- a/nix/os/devices/elias-e525/default.nix +++ b/nix/os/devices/elias-e525/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "elias-e525.lan"; diff --git a/nix/os/devices/elias-e525/flake.nix b/nix/os/devices/elias-e525/flake.nix index 3f73b91..d5bd2c5 100644 --- a/nix/os/devices/elias-e525/flake.nix +++ b/nix/os/devices/elias-e525/flake.nix @@ -6,5 +6,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/elias-e525/hw.nix b/nix/os/devices/elias-e525/hw.nix index 269281c..23d4edb 100644 --- a/nix/os/devices/elias-e525/hw.nix +++ b/nix/os/devices/elias-e525/hw.nix @@ -1,4 +1,4 @@ -{...}: { +_: { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/elias-e525/pkg.nix b/nix/os/devices/elias-e525/pkg.nix index e119032..57d813e 100644 --- a/nix/os/devices/elias-e525/pkg.nix +++ b/nix/os/devices/elias-e525/pkg.nix @@ -1,8 +1,5 @@ -{ - pkgs, - lib, - ... -}: let +{ pkgs, lib, ... }: +let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix 
@@ -22,26 +19,27 @@ rustdesk ]; }; -in { - services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { +in +{ + services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; home-manager.users.steveej = homeEnv { layout = "en"; - options = ["nodeadkey"]; + options = [ "nodeadkey" ]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; home-manager.users.justyna = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; diff --git a/nix/os/devices/elias-e525/system.nix b/nix/os/devices/elias-e525/system.nix index 6763062..d2a3efe 100644 --- a/nix/os/devices/elias-e525/system.nix +++ b/nix/os/devices/elias-e525/system.nix @@ -1,10 +1,5 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - config, - ... -}: let -in { # TASK: new device networking.hostName = "elias-e525"; # Define your hostname. @@ -38,11 +33,13 @@ in { # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; } diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix index 196c96a..c4690cf 100644 --- a/nix/os/devices/elias-e525/user.nix +++ b/nix/os/devices/elias-e525/user.nix 
@@ -1,12 +1,9 @@ -{ - config, - pkgs, - lib, - ... -}: let +{ config, pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; -in { + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/fwhost1/boot.nix b/nix/os/devices/fwhost1/boot.nix index 4d8c1d1..639698f 100644 --- a/nix/os/devices/fwhost1/boot.nix +++ b/nix/os/devices/fwhost1/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost1/configuration.nix b/nix/os/devices/fwhost1/configuration.nix index ed238cb..fbdc4c0 100644 --- a/nix/os/devices/fwhost1/configuration.nix +++ b/nix/os/devices/fwhost1/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/fwhost1/hw.nix b/nix/os/devices/fwhost1/hw.nix index 6c1aaaf..43334ed 100644 --- a/nix/os/devices/fwhost1/hw.nix +++ b/nix/os/devices/fwhost1/hw.nix @@ -1,5 +1,4 @@ -{...}: let -in { +_: { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost1/pkg.nix b/nix/os/devices/fwhost1/pkg.nix index 6650ad9..aacf501 100644 --- a/nix/os/devices/fwhost1/pkg.nix +++ b/nix/os/devices/fwhost1/pkg.nix 
@@ -1,17 +1,17 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [iw wirelesstools]; + environment.systemPackages = with pkgs; [ + iw + wirelesstools + ]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost1/system.nix b/nix/os/devices/fwhost1/system.nix index abe1717..548caec 100644 --- a/nix/os/devices/fwhost1/system.nix +++ b/nix/os/devices/fwhost1/system.nix @@ -1,12 +1,8 @@ -{ - pkgs, - lib, - config, - ... -}: let - keys = import ../../../variables/keys.nix; +{ pkgs, lib, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ # TASK: new device networking.hostName = "fwhost1"; # Define your hostname. @@ -21,11 +17,14 @@ in { networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = ["eth0" "eth1"]; + networking.bridges.breth.interfaces = [ + "eth0" + "eth1" + ]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = ["172.172.171.10"]; + networking.nameservers = [ "172.172.171.10" ]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost1/user.nix b/nix/os/devices/fwhost1/user.nix index 98f59ba..958608a 100644 --- a/nix/os/devices/fwhost1/user.nix +++ b/nix/os/devices/fwhost1/user.nix 
@@ -1,9 +1 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {}) mkUser; -in {} +_: { } diff --git a/nix/os/devices/fwhost1/versions.nix b/nix/os/devices/fwhost1/versions.nix index c6dac79..276eb87 100644 --- a/nix/os/devices/fwhost1/versions.nix +++ b/nix/os/devices/fwhost1/versions.nix @@ -4,9 +4,12 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost1/versions.tmpl.nix b/nix/os/devices/fwhost1/versions.tmpl.nix index c9dc8a9..d3d0c19 100644 --- a/nix/os/devices/fwhost1/versions.tmpl.nix +++ b/nix/os/devices/fwhost1/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/boot.nix b/nix/os/devices/fwhost2/boot.nix index 4d8c1d1..639698f 100644 --- a/nix/os/devices/fwhost2/boot.nix +++ b/nix/os/devices/fwhost2/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost2/configuration.nix b/nix/os/devices/fwhost2/configuration.nix index ed238cb..fbdc4c0 100644 --- a/nix/os/devices/fwhost2/configuration.nix +++ b/nix/os/devices/fwhost2/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix 
diff --git a/nix/os/devices/fwhost2/hw.nix b/nix/os/devices/fwhost2/hw.nix index c207b8c..a8891e3 100644 --- a/nix/os/devices/fwhost2/hw.nix +++ b/nix/os/devices/fwhost2/hw.nix @@ -1,5 +1,4 @@ -{...}: let -in { +_: { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost2/pkg.nix b/nix/os/devices/fwhost2/pkg.nix index 6650ad9..aacf501 100644 --- a/nix/os/devices/fwhost2/pkg.nix +++ b/nix/os/devices/fwhost2/pkg.nix @@ -1,17 +1,17 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [iw wirelesstools]; + environment.systemPackages = with pkgs; [ + iw + wirelesstools + ]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost2/system.nix b/nix/os/devices/fwhost2/system.nix index 54da0ba..652347f 100644 --- a/nix/os/devices/fwhost2/system.nix +++ b/nix/os/devices/fwhost2/system.nix @@ -1,13 +1,8 @@ -{ - pkgs, - lib, - config, - utils, - ... -}: let - keys = import ../../../variables/keys.nix; +{ pkgs, lib, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ # TASK: new device networking.hostName = "fwhost2"; # Define your hostname. 
@@ -22,11 +17,14 @@ in { networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = ["eth0" "eth1"]; + networking.bridges.breth.interfaces = [ + "eth0" + "eth1" + ]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = ["172.172.171.10"]; + networking.nameservers = [ "172.172.171.10" ]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix index d7dc0dc..47efa02 100644 --- a/nix/os/devices/fwhost2/user.nix +++ b/nix/os/devices/fwhost2/user.nix @@ -1,12 +1,4 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; - keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; -in { +_: { # users.extraUsers.steveej2 = mkUser { # uid = 1001; # openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/fwhost2/versions.nix b/nix/os/devices/fwhost2/versions.nix index c6dac79..276eb87 100644 --- a/nix/os/devices/fwhost2/versions.nix +++ b/nix/os/devices/fwhost2/versions.nix @@ -4,9 +4,12 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/versions.tmpl.nix b/nix/os/devices/fwhost2/versions.tmpl.nix index c9dc8a9..d3d0c19 100644 --- a/nix/os/devices/fwhost2/versions.tmpl.nix +++ b/nix/os/devices/fwhost2/versions.tmpl.nix 
@@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/sj-bm-hostkey0/.gitignore b/nix/os/devices/hstk0/.gitignore similarity index 100% rename from nix/os/devices/sj-bm-hostkey0/.gitignore rename to nix/os/devices/hstk0/.gitignore diff --git a/nix/os/devices/sj-bm-hostkey0/README.md b/nix/os/devices/hstk0/README.md similarity index 98% rename from nix/os/devices/sj-bm-hostkey0/README.md rename to nix/os/devices/hstk0/README.md index d70e379..60ee180 100644 --- a/nix/os/devices/sj-bm-hostkey0/README.md +++ b/nix/os/devices/hstk0/README.md @@ -1,7 +1,6 @@ ## bootstrapping ``` -# TODO: generate an SSH host-key and deploy it via --extra-files +# TODO: generate an SSH host-key and deploy it via --extra-files nixos-anywhere --flake .\#sj-bm-hostkey0 root@185.130.227.252 ``` - diff --git a/nix/os/devices/hstk0/configuration.nix b/nix/os/devices/hstk0/configuration.nix new file mode 100644 index 0000000..32fad43 --- /dev/null +++ b/nix/os/devices/hstk0/configuration.nix 
@@ -0,0 +1,146 @@ +{ + repoFlake, + pkgs, + lib, + nodeFlake, + nodeName, + system, + ... +}: +{ + disabledModules = [ ]; + + imports = [ + nodeFlake.inputs.disko.nixosModules.disko + repoFlake.inputs.sops-nix.nixosModules.sops + + nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder + { + roles.nix-remote-builder.schedulerPublicKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINQ22z5rDdCLYH+MEoEt+tXJXTJqoeZNqvJl2n4aB+Kn steveej@steveej-x13s" + + # TODO: make this a reference to the private key's secret + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14" + ]; + } + + ../../snippets/nix-settings.nix + { nix.settings.sandbox = lib.mkForce "relaxed"; } + + ../../snippets/mycelium.nix + + # user config + ../../profiles/common/user.nix + { + users.commonUsers = { + enable = true; + enableNonRoot = true; + }; + } + + ../../snippets/home-manager-with-zsh.nix + # { + # home-manager.users.steveej = {pkgs, ...}: { + # imports = [ + # ../../../home-manager/programs/pass.nix + # ../../../home-manager/programs/openvscode-server.nix + # ]; + # }; + # } + ]; + + services.openssh = { + enable = true; + openFirewall = true; + settings.PermitRootLogin = "yes"; + extraConfig = '' + StreamLocalBindUnlink yes + ''; + }; + + boot = { + kernel = { + sysctl = { + "net.ipv4.conf.all.forwarding" = true; + "net.ipv6.conf.all.forwarding" = true; + }; + }; + }; + + networking = { + hostName = nodeName; + useNetworkd = true; + useDHCP = true; + + nat.enable = true; + firewall.enable = true; + + firewall.allowedTCPPorts = [ 5201 ]; + firewall.allowedUDPPorts = [ 5201 ]; + }; + + disko.devices = + let + disk = id: { + type = "disk"; + device = "/dev/${id}"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + mdadm = { + size = "100%"; + content = { + type = "mdraid"; + name = "raid0"; + }; + }; + }; + }; + }; + in + { + disk = { + sda = disk "sda"; + sdb = disk "sdb"; + }; + mdadm 
= { + raid0 = { + type = "mdadm"; + level = 0; + content = { + type = "gpt"; + partitions = { + primary = { + size = "100%"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; + }; + }; + }; + }; + }; + }; + }; + + system.stateVersion = "24.05"; + + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.initrd.includeDefaultModules = true; + boot.initrd.kernelModules = [ + "dm-raid" + "dm-integrity" + "xhci_pci_renesas" + ]; + + hardware.enableRedistributableFirmware = true; + + virtualisation.libvirtd.enable = true; + + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; +} diff --git a/nix/os/devices/sj-bm-hostkey0/default.nix b/nix/os/devices/hstk0/default.nix similarity index 73% rename from nix/os/devices/sj-bm-hostkey0/default.nix rename to nix/os/devices/hstk0/default.nix index 86b5f1a..62e6cc1 100644 --- a/nix/os/devices/sj-bm-hostkey0/default.nix +++ b/nix/os/devices/hstk0/default.nix @@ -3,19 +3,22 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system; + inherit + repoFlake + nodeName + nodeFlake + system + ; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "185.130.224.33"; diff --git a/nix/os/devices/sj-bm-hostkey0/flake.lock b/nix/os/devices/hstk0/flake.lock similarity index 60% rename from nix/os/devices/sj-bm-hostkey0/flake.lock rename to nix/os/devices/hstk0/flake.lock index 7b84218..8389a6a 100644 --- a/nix/os/devices/sj-bm-hostkey0/flake.lock +++ b/nix/os/devices/hstk0/flake.lock 
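Review bot: `services.openssh.settings.PermitRootLogin = "yes"` combined with `openFirewall = true` exposes root SSH on a host whose `deployment.targetHost` in default.nix below is a public address, and nothing in this file disables password or keyboard-interactive authentication; unless the srvos remote-builder role does so (not visible here), a root password login is reachable from the internet. Since access is already meant to go through the scheduler public keys listed in `roles.nix-remote-builder.schedulerPublicKeys`, tighten this to `settings.PermitRootLogin = "prohibit-password";`, `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;`. Separately, `nix.settings.sandbox = lib.mkForce "relaxed"` on a machine that accepts builds from remote schedulers lets any derivation setting `__noChroot = true` run outside the build sandbox as the build user; if that is intentional it deserves a comment stating why, e.g. `# relaxed: scheduled builds may set __noChroot; this trusts the scheduler keys above`. The 5201 TCP/UDP openings look like iperf3 test ports and probably should not stay permanently open on a public host.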
@@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1704318910, - "narHash": "sha256-wOIJwAsnZhM0NlFRwYJRgO4Lldh8j9viyzwQXtrbNtM=", + "lastModified": 1719401812, + "narHash": "sha256-QONBQ/arBsKZNJuSd3sMIkSYFlBoRJpvf1jGlMfcOuI=", "owner": "nix-community", "repo": "disko", - "rev": "aef9a509db64a081186af2dc185654d78dc8e344", + "rev": "b6a1262796b2990ec3cc60bb2ec23583f35b2f43", "type": "github" }, "original": { @@ -22,11 +22,11 @@ }, "get-flake": { "locked": { - "lastModified": 1694475786, - "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", + "lastModified": 1714237590, + "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", "owner": "ursi", "repo": "get-flake", - "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", + "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", "type": "github" }, "original": { 
@@ -42,48 +42,48 @@ ] }, "locked": { - "lastModified": 1704383912, - "narHash": "sha256-Be7O73qoOj/z+4ZCgizdLlu+5BkVvO2KO299goZ9cW8=", + "lastModified": 1718530513, + "narHash": "sha256-BmO8d0r+BVlwWtMLQEYnwmngqdXIuyFzMwvmTcLMee8=", "owner": "nix-community", "repo": "home-manager", - "rev": "26b8adb300e50efceb51fff6859a1a6ba1ade4f7", + "rev": "a1fddf0967c33754271761d91a3d921772b30d0e", "type": "github" }, "original": { "owner": "nix-community", - "ref": "master", + "ref": "release-24.05", "repo": "home-manager", "type": "github" } }, - "nixos-stable": { - "locked": { - "lastModified": 1703992652, - "narHash": "sha256-C0o8AUyu8xYgJ36kOxJfXIroy9if/G6aJbNOpA5W0+M=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "32f63574c85fbc80e4ba1fbb932cde9619bad25e", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1704295289, - "narHash": "sha256-9WZDRfpMqCYL6g/HNWVvXF0hxdaAgwgIGeLYiOhmes8=", + "lastModified": 1719253556, + "narHash": "sha256-A/76RFUVxZ/7Y8+OMVL1Lc8LRhBxZ8ZE2bpMnvZ1VpY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "b0b2c5445c64191fd8d0b31f2b1a34e45a64547d", + "rev": "fc07dc3bdf2956ddd64f24612ea7fc894933eb2e", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.11", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1719254875, + "narHash": "sha256-ECni+IkwXjusHsm9Sexdtq8weAq/yUyt1TWIemXt3Ko=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "2893f56de08021cffd9b6b6dfc70fd9ccd51eb60", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } 
@@ -94,22 +94,22 @@ "get-flake": "get-flake", "home-manager": "home-manager", "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", "srvos": "srvos" } }, "srvos": { "inputs": { - "nixos-stable": "nixos-stable", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1704357296, - "narHash": "sha256-npRcwAqeoLRdilyn4yOG9qShTRJ3sXL/xpyVOi+j7nw=", + "lastModified": 1719189969, + "narHash": "sha256-6MSZrWvXSvUKIr0iC9eSbQ09NSm+j1Oh4o9Gentu1CU=", "owner": "numtide", "repo": "srvos", - "rev": "341c142aad6609161b6b74cfc2d288f0ead01585", + "rev": "4f314be1307c8d5f1fb3d882a67e09dbdf285850", "type": "github" }, "original": { diff --git a/nix/os/devices/hstk0/flake.nix b/nix/os/devices/hstk0/flake.nix new file mode 100644 index 0000000..6c9b22f --- /dev/null +++ b/nix/os/devices/hstk0/flake.nix @@ -0,0 +1,52 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + + get-flake.url = "github:ursi/get-flake"; + + home-manager.url = "github:nix-community/home-manager/release-24.05"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + srvos.url = "github:numtide/srvos"; + srvos.inputs.nixpkgs.follows = "nixpkgs"; + }; + + # outputs = _: {}; + + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + system = "x86_64-linux"; + nodeName = "hostkey-0"; + + mkNixosConfiguration = + { + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = { + nodeFlake = self; + repoFlake = get-flake ../../../..; + inherit nodeName; + }; + + modules = [ ./configuration.nix ] ++ extraModules; + } + ); + in + { + nixosConfigurations = { + native = mkNixosConfiguration { inherit system; }; + }; + }; +} diff --git a/nix/os/devices/hydra.json b/nix/os/devices/hydra.json index 3723c24..a0204bc 100644 --- a/nix/os/devices/hydra.json 
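Review bot: `nodeName = "hostkey-0"` does not match the device directory `hstk0` this flake lives in, nor the `.#sj-bm-hostkey0` attribute the renamed README still tells the operator to pass to nixos-anywhere, and configuration.nix sets `networking.hostName = nodeName`, so the machine would identify itself under yet another name. Pick one identifier and use it everywhere; if `hstk0` is the intended name, change this to `nodeName = "hstk0";` and update the README command to match. A short comment above `nixosConfigurations` naming the expected invocation (presumably via the repository flake through `get-flake`, which is not visible here) would also save the next person from guessing.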
+++ b/nix/os/devices/hydra.json @@ -1,16 +1,24 @@ { - "enabled": 1, - "hidden": false, - "description": "Jobsets", - "nixexprinput": "src", - "nixexprpath": "default.nix", - "checkinterval": 300, - "schedulingshares": 100, - "enableemail": false, - "emailoverride": "", - "keepnr": 3, - "inputs": { - "src": { "type": "git", "value": "git://github.com/shlevy/declarative-hydra-example.git", "emailresponsible": false }, - "nixpkgs": { "type": "git", "value": "git://github.com/NixOS/nixpkgs.git release-16.03", "emailresponsible": false } + "enabled": 1, + "hidden": false, + "description": "Jobsets", + "nixexprinput": "src", + "nixexprpath": "default.nix", + "checkinterval": 300, + "schedulingshares": 100, + "enableemail": false, + "emailoverride": "", + "keepnr": 3, + "inputs": { + "src": { + "type": "git", + "value": "git://github.com/shlevy/declarative-hydra-example.git", + "emailresponsible": false + }, + "nixpkgs": { + "type": "git", + "value": "git://github.com/NixOS/nixpkgs.git release-16.03", + "emailresponsible": false } + } } diff --git a/nix/os/devices/justyna-p300/boot.nix b/nix/os/devices/justyna-p300/boot.nix index 85006ed..9d6bbe7 100644 --- a/nix/os/devices/justyna-p300/boot.nix +++ b/nix/os/devices/justyna-p300/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.grub.efiSupport = lib.mkForce false; diff --git a/nix/os/devices/justyna-p300/configuration.nix b/nix/os/devices/justyna-p300/configuration.nix index f2cb3f7..e636106 100644 --- a/nix/os/devices/justyna-p300/configuration.nix +++ b/nix/os/devices/justyna-p300/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/justyna-p300/default.nix b/nix/os/devices/justyna-p300/default.nix index 907e60b..427ce7e 100644 
--- a/nix/os/devices/justyna-p300/default.nix +++ b/nix/os/devices/justyna-p300/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/justyna-p300/flake.nix b/nix/os/devices/justyna-p300/flake.nix index 3e68abe..9b8b8ed 100644 --- a/nix/os/devices/justyna-p300/flake.nix +++ b/nix/os/devices/justyna-p300/flake.nix @@ -6,8 +6,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - inputs.disko.url = github:nix-community/disko; + inputs.disko.url = "github:nix-community/disko"; inputs.disko.inputs.nixpkgs.follows = "nixpkgs"; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/justyna-p300/hw.nix b/nix/os/devices/justyna-p300/hw.nix index 0924dd2..b68e082 100644 --- a/nix/os/devices/justyna-p300/hw.nix +++ b/nix/os/devices/justyna-p300/hw.nix @@ -1,12 +1,6 @@ +{ nodeFlake, ... }: { - repoFlake, - nodeFlake, - lib, - ... -}: { - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - ]; + imports = [ nodeFlake.inputs.disko.nixosModules.disko ]; disko.devices.disk.sda = { device = "/dev/sda"; @@ -20,7 +14,7 @@ start = "0"; end = "1M"; part-type = "primary"; - flags = ["bios_grub"]; + flags = [ "bios_grub" ]; } { name = "root"; @@ -30,14 +24,14 @@ bootable = true; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; }; }; }; 
diff --git a/nix/os/devices/justyna-p300/pkg.nix b/nix/os/devices/justyna-p300/pkg.nix index 2b9ebf0..d23cfb0 100644 --- a/nix/os/devices/justyna-p300/pkg.nix +++ b/nix/os/devices/justyna-p300/pkg.nix @@ -3,7 +3,8 @@ lib, packages', ... -}: let +}: +let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix @@ -23,15 +24,19 @@ rustdesk ]; }; -in { - services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { +in +{ + services.gnome = builtins.mapAttrs (_attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; - services.printing.drivers = lib.mkForce (with packages'; [ - dcpj4110dwDriver - dcpj4110dwCupswrapper - ]); + services.printing.drivers = lib.mkForce ( + with packages'; + [ + dcpj4110dwDriver + dcpj4110dwCupswrapper + ] + ); services.printing.extraConf = '' LogLevel debug @@ -39,29 +44,29 @@ in { home-manager.users.steveej = homeEnv { layout = "en"; - options = ["nodeadkey"]; + options = [ "nodeadkey" ]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = []; + options = [ ]; variant = ""; }; home-manager.users.justyna = - lib.attrsets.recursiveUpdate (homeEnv { - layout = "de"; - options = []; - variant = ""; - }) { - services.syncthing.enable = true; - services.syncthing.tray = true; + lib.attrsets.recursiveUpdate + (homeEnv { + layout = "de"; + options = [ ]; + variant = ""; + }) + { + services.syncthing.enable = true; + services.syncthing.tray = true; - home.packages = with pkgs; [ - session-desktop - ]; - }; + home.packages = with pkgs; [ session-desktop ]; + }; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/justyna-p300/system.nix b/nix/os/devices/justyna-p300/system.nix index 44c3db9..82a7b02 100644 --- a/nix/os/devices/justyna-p300/system.nix +++ b/nix/os/devices/justyna-p300/system.nix 
@@ -1,11 +1,8 @@ -{ - pkgs, - lib, - config, - ... -}: let +{ pkgs, lib, ... }: +let passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -39,11 +36,13 @@ in { # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; } diff --git a/nix/os/devices/justyna-p300/user.nix b/nix/os/devices/justyna-p300/user.nix index 6d86c59..c4690cf 100644 --- a/nix/os/devices/justyna-p300/user.nix +++ b/nix/os/devices/justyna-p300/user.nix @@ -1,11 +1,9 @@ -{ - config, - pkgs, - ... -}: let +{ config, pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; -in { + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 75ca38f..07c6b1c 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix @@ -1,3 +1,4 @@ +# TODO: don't pull in bluez (or any bluetooth components) { repoFlake, pkgs, 
@@ -8,29 +9,33 @@ localDomainName, system, ... -}: let - inherit - (nodeFlake.inputs) - bpir3 - nixos-nftables-firewall - ; +}: +let + inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc; vlanRangeStart = builtins.head vlanRange; - vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange)-1); + vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); vlanRangeWith0 = [ 0 ] ++ vlanRange; - mkVlanIpv4HostAddr = { vlanid, host, thirdIpv4SegmentMin ? 20, cidr ? true }: let - # reserve the first subnet for vlanid == 0 - # number the other subnets continously from there - offset = - if vlanid == 0 - then thirdIpv4SegmentMin - else thirdIpv4SegmentMin + 1 - vlanRangeStart; - - in - builtins.concatStringsSep "." - [ "192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}" ]; + mkVlanIpv4HostAddr = + { + vlanid, + host, + thirdIpv4SegmentMin ? 20, + cidr ? true, + }: + let + # reserve the first subnet for vlanid == 0 + # number the other subnets continously from there + offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart; + in + builtins.concatStringsSep "." [ + "192" + "168" + (toString (vlanid + offset)) + "${toString host}${lib.strings.optionalString cidr "/24"}" + ]; defaultVlan = { name = "${localDomainName}"; 
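Review bot: `vlanRangeStart = builtins.head vlanRange` relies on `builtins.attrNames` ordering, which is lexicographic, and `vlanRange` is never sorted numerically; the moment the VLAN IDs span different digit counts (e.g. "5" and "10"), the head becomes 10 rather than the minimum and `mkVlanIpv4HostAddr` computes offsets that collide or go negative for the lower IDs. Sort once where the range is built: `vlanRange = lib.sort lib.lessThan (builtins.map lib.strings.toInt (builtins.attrNames vlans));`. `mkVlanIpv4HostAddr` also accepts any `host`, so an out-of-range value only shows up as a broken address at runtime; an eval-time guard such as `assert host >= 1 && host <= 254 && vlanid + offset <= 255;` in its `let` would catch misconfiguration when the ruleset is built. This `let` block continues past the end of the hunk.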
@@ -38,69 +43,68 @@ }; vlans = { - "10".name = "mgmt"; - "10".packet_priority = 0; + "2".name = "dmz"; + "2".packet_priority = -5; - "11".name = "dmz"; - "11".packet_priority = -5; + "3".name = "iot"; + "3".packet_priority = -5; - "12".name = "iot"; - "12".packet_priority = -5; + "4".name = "office"; + "4".packet_priority = -10; - "13".name = "office"; - "13".packet_priority = -10; - - "14".name = "guests"; - "14".packet_priority = 10; - - "15".name = "iot2"; - "15".packet_priority = -10; + "5".name = "guests"; + "5".packet_priority = 10; }; - vlansByName = lib.attrsets.mapAttrs' (vlanid': attrs: - lib.attrsets.nameValuePair - attrs.name - (attrs // { id = lib.strings.toInt vlanid'; id' = vlanid';}) + vlansByName = lib.attrsets.mapAttrs' ( + vlanid': attrs: + lib.attrsets.nameValuePair attrs.name ( + attrs + // { + id = lib.strings.toInt vlanid'; + id' = vlanid'; + } + ) ) vlans; - getVlanDomain = { vlanid }: - if vlanid == 0 - then - defaultVlan.name - else - vlans."${toString vlanid}".name + "." + defaultVlan.name - ; + getVlanDomain = + { vlanid }: + if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." 
+ defaultVlan.name; bridgeInterfaceName = "br-lan"; - mkInterfaceName = { vlanid }: - if vlanid == 0 - then bridgeInterfaceName - else "${bridgeInterfaceName}.${toString vlanid}" - ; -in { + mkInterfaceName = + { vlanid }: + if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}"; + + dmzExposedHost = "sj-srv1"; + dmzExposedHostDomain = "dmz.internal"; + dmzExposedHostFQDN = "${dmzExposedHost}.${dmzExposedHostDomain}"; + dmzExposedHostIpv4 = mkVlanIpv4HostAddr { + vlanid = vlansByName.dmz.id; + host = 99; + cidr = false; + }; + + dmzExposedHostMACaddr = + repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; +in +{ imports = [ + nixos-sbc.nixosModules.default + nixos-sbc.nixosModules.boards.bananapi.bpir3 + { + sbc.version = "0.2"; + sbc.bootstrap.rootFilesystem = "btrfs"; + sbc.wireless.wifi.acceptRegulatoryResponsibility = true; + } + repoFlake.inputs.sops-nix.nixosModules.sops ../../profiles/common/user.nix - - "${bpir3}/lib/sd-image-mt7986.nix" + ../../snippets/nix-settings.nix nixos-nftables-firewall.nixosModules.default - { - nix.nixPath = [ - "nixpkgs=${pkgs.path}" - ]; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - ]; - - nix.settings.max-jobs = lib.mkDefault "auto"; - nix.settings.cores = lib.mkDefault 0; - } - { services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "yes"; @@ -116,7 +120,7 @@ in { sops.secrets.passwords-root.neededForUsers = true; - sops.secrets.wlan0_saePasswordsFile = { }; + # sops.secrets.wlan0_saePasswordsFile = {}; sops.secrets.wlan0_wpaPskFile = { }; } ]; 
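Review bot: `dmzExposedHostDomain = "dmz.internal"` hard-codes what `getVlanDomain` already derives from `vlans."2".name` and `defaultVlan.name` (i.e. `localDomainName`), so if `localDomainName` is ever anything other than "internal" the exposed host's FQDN silently diverges from the zone the router actually serves. Derive it instead: `dmzExposedHostDomain = getVlanDomain { vlanid = vlansByName.dmz.id; };`. `host = 99` is a hand-picked static address while `dmzExposedHostMACaddr` is pulled from the other node's `10-dmz0` netdev, presumably for a DHCP reservation elsewhere; a comment tying the two together, e.g. `# static lease for sj-srv1's dmz0 MAC -> .99; keep in sync with the DHCP reservation`, would make the coupling visible. The `imports` list this hunk opens continues past the end of the hunk.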
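Review bot: Commenting out `sops.secrets.wlan0_saePasswordsFile` while keeping `wlan0_wpaPskFile` leaves the reason undocumented, and if the hostapd configuration outside this hunk still references `config.sops.secrets.wlan0_saePasswordsFile.path` the evaluation will fail. If SAE (WPA3) was deliberately dropped, that is a downgrade to WPA2-PSK only and should be stated next to the line, e.g. `# SAE disabled: <reason, e.g. client compatibility>; WPA2-PSK only until <condition>`, rather than left as a bare commented-out option. If it is temporary, gating both the secret and the hostapd SAE settings on a single boolean via `lib.mkIf` keeps them from drifting apart.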
@@ -173,606 +177,962 @@ in { # https://github.com/thelegy/nixos-nftables-firewall/tree/main # TODO: configure packet_priority for VLANs (see https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority, https://wiki.nftables.org/wiki-nftables/index.php/Setting_packet_metainformation#packet_priority) - nftables = - { + nftables = { enable = true; - stopRuleset = ""; + stopRuleset = ""; chains = { prerouting = { - "redirectweb" = { - after = ["hook"]; - rules = let - wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; - exposedHost = "srv0-dmz0.dmz.internal"; - in [ - "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" - # TODO: if this hostname doesn't resolve it'll break the whole ruleset - # "iifname { ${wanInterfaces} } dnat ip to ${exposedHost}" - ]; + "exposeHost" = { + after = [ "hook" ]; + rules = + let + wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; + in + [ + "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" + "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" + ]; }; }; }; firewall = { enable = true; - zones = { - lan.interfaces = [ (mkInterfaceName {vlanid = 0;}) ]; - vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; - # lan.ipv4Addresses = ["192.168.0.0/16"]; - wan.interfaces = ["wan" "lan0"]; - } // + snippets.nnf-common.enable = true; + # included in the above + # snippets.nnf-conntrack.enable = true; + zones = + { + lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; + vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; + # lan.ipv4Addresses = ["192.168.0.0/16"]; + wan.interfaces = [ + "wan" + "lan0" + ]; + vpn.interfaces = [ + "wg0" + "wg1" + "wg2" + ]; + } + // # generate a zone for each vlan - lib.attrsets.mapAttrs (key: value: { + lib.attrsets.mapAttrs (_key: value: { interfaces = [ (mkInterfaceName { 
vlanid = value.id; }) ]; - }) - vlansByName - ; - rules = let - ipv6IcmpTypes = [ - "destination-unreachable" "echo-reply" "echo-request" - "packet-too-big" "parameter-problem" "time-exceeded" + }) vlansByName; + rules = + let + ipv6IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "packet-too-big" + "parameter-problem" + "time-exceeded" # Without the nd-* ones ipv6 will not work. - "nd-neighbor-solicit" "nd-router-advert" "nd-neighbor-advert" + "nd-neighbor-solicit" + "nd-router-advert" + "nd-neighbor-advert" ]; - ipv4IcmpTypes = [ - "destination-unreachable" "echo-reply" "echo-request" "source-quench" "time-exceeded" - "router-advertisement" - ]; - allowIcmpLines = [ - "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" - "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" - ]; - in { - fw = { - from = ["fw"]; - verdict = "accept"; - }; - - office-to-dmz = { - from = ["office"]; - to = ["dmz"]; - verdict = "accept"; - }; - - lan-to-fw = { - from = ["lan"]; - to = ["fw" "lan"]; - verdict = "accept"; - }; - - lan-to-wan = { - from = ["lan"]; - to = ["wan"]; - verdict = "accept"; - }; - - vlan-to-wan = { - from = ["vlan"]; - to = ["wan"]; - verdict = "accept"; - }; - - vlan-to-fw = { - allowedUDPPortRanges = [ - { from = 67; to = 68; } - { from = 53; to = 53; } + ipv4IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "source-quench" + "time-exceeded" + "router-advertisement" ]; - allowedTCPPortRanges = [ - { from = 22; to = 22; } - { from = 53; to = 53; } - { from = 5201; to = 5201; } + allowIcmpLines = [ + "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" + "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" ]; - from = ["vlan"]; - to = ["fw"]; - extraLines = allowIcmpLines ++ [ - "drop" - ]; - }; + in + { + fw = { + from = [ "fw" ]; + verdict = "accept"; + }; - 
to-wan-nat = { - from = ["lan" "vlan"]; - to = ["wan"]; - masquerade = true; - verdict = "accept"; - }; + office-to-dmz = { + from = [ "office" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; - wan-to-dmz = { - from = ["wan"]; - to = ["dmz"]; - verdict = "accept"; - }; + lan-to-fw = { + from = [ "lan" ]; + to = [ + "fw" + "lan" + ]; + verdict = "accept"; + }; - wan-to-fw = { - from = ["wan"]; - to = ["fw"]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - ]; - extraLines = allowIcmpLines ++ [ - "drop" - ]; + lan-to-wan = { + from = [ "lan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; + + vlan-to-wan = { + from = [ "vlan" ]; + to = [ "wan" ]; + verdict = "accept"; + }; + + vlan-to-fw = { + allowedUDPPortRanges = [ + { + from = 53; + to = 53; + } + { + from = 67; + to = 68; + } + { + from = 5201; + to = 5201; + } + ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + { + from = 53; + to = 53; + } + { + from = 5201; + to = 5201; + } + ]; + from = [ "vlan" ]; + to = [ "fw" ]; + extraLines = allowIcmpLines ++ [ "drop" ]; + }; + + to-wan-nat = { + from = [ + "lan" + "vlan" + ]; + to = [ "wan" ]; + masquerade = true; + verdict = "accept"; + }; + + wan-to-dmz = { + from = [ "wan" ]; + to = [ "dmz" ]; + verdict = "accept"; + }; + + wan-to-fw = { + from = [ "wan" ]; + to = [ "fw" ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + ]; + extraLines = allowIcmpLines ++ [ "drop" ]; + }; + + to-vpn-nat = { + from = [ + "lan" + "vlan" + ]; + to = [ "vpn" ]; + masquerade = false; + verdict = "accept"; + }; }; - }; }; }; }; + sops.secrets.wg0-privatekey = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg1-privatekey = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg0-peer0-psk = { + mode = "440"; + group = "systemd-network"; + }; + sops.secrets.wg1-peer0-psk = { + mode = "440"; + group = "systemd-network"; + }; + + # TODO: this shouldn't be necessary _at all_ + systemd.services.sfp-quirk = { + enable = 
true; + wantedBy = [ + "network.target" + "multi-user.target" + ]; + + requires = [ + "sys-subsystem-net-devices-lan4.device" + "sys-subsystem-net-devices-eth1.device" + ]; + + after = [ + "sys-subsystem-net-devices-lan4.device" + "sys-subsystem-net-devices-eth1.device" + ]; + + path = [ + pkgs.ethtool + pkgs.iproute2 + pkgs.coreutils + ]; + + script = '' + set -xeE + + ip l set dev lan4 down + ip l set dev eth1 down + + sleep 0.5 + + ethtool -s lan4 duplex full autoneg off + ethtool -s eth1 duplex full autoneg off + + sleep 0.5 + + ip l set dev lan4 up + ip l set dev eth1 up + + echo quirk applied, fingers crossed. + ''; + }; + systemd.network = { wait-online.anyInterface = true; - netdevs = { - # Create the bridge interface - "20-${bridgeInterfaceName}" = { - netdevConfig = { - Kind = "bridge"; - Name = bridgeInterfaceName; - }; + config.networkConfig = { + IPv4Forwarding = true; + IPv6Forwarding = true; + }; + links = { + # TODO: this doesn't work, thus shoving it into a quirk service. however, there's a proper solution beyond any of this. 
+ # "00-eth1" = { + # enable = true; + # matchConfig.Name = "eth1"; + # linkConfig = { + # # BitsPerSecond = "2500M"; + # Duplex= "full"; + # AutoNegotiation = false; + # }; + # }; + # "00-lan4" = { + # enable = true; + # matchConfig.Name = "lan4@eth0"; + # linkConfig = { + # # BitsPerSecond = "1000M"; + # Duplex= "full"; + # AutoNegotiation = false; + # }; + # }; + }; + netdevs = + let + router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - extraConfig = '' - [Bridge] - STP=yes - VLANFiltering=yes - VLANProtocol=802.1q - DefaultPVID=0 - ''; - }; + router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}"; - } - # generate the vlan devices. these will be tagged on the main bridge - // builtins.foldl' - (acc: cur: acc // cur) - {} - (builtins.map - ({ vlanid, vlanid' }: { - "20-${mkInterfaceName { inherit vlanid; }}" = { - netdevConfig = { - Kind = "vlan"; - Name = "${mkInterfaceName { inherit vlanid; }}"; - }; - vlanConfig.Id = vlanid; + router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; + in + { + # Create the bridge interface + "20-${bridgeInterfaceName}" = { + netdevConfig = { + Kind = "bridge"; + Name = bridgeInterfaceName; }; - }) - (builtins.map - (vlanid: { inherit vlanid; vlanid' = builtins.toString vlanid; }) - vlanRange - ) - ) - ; - networks = { - # use lan0 as secondary WAN interface - "10-lan0-wan" = { - matchConfig.Name = "lan0"; - networkConfig = { - # start a DHCP Client for IPv4 Addressing/Routing - DHCP = "ipv4"; - # accept Router Advertisements for Stateless IPv6 
Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - DNSOverTLS = true; - DNSSEC = true; - IPv6PrivacyExtensions = false; - IPForward = true; - }; - # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min - linkConfig.RequiredForOnline = "no"; - }; - "10-wan" = { - matchConfig.Name = "wan"; - networkConfig = { - # start a DHCP Client for IPv4 Addressing/Routing - DHCP = "ipv4"; - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - DNSOverTLS = true; - DNSSEC = true; - IPv6PrivacyExtensions = false; - IPForward = true; - }; - # make routing on this interface a dependency for network-online.target - linkConfig.RequiredForOnline = "routable"; - }; - # Connect the bridge ports to the bridge - "30-lan1" = { - matchConfig.Name = "lan1"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; + extraConfig = '' + [Bridge] + STP=yes + VLANFiltering=yes + VLANProtocol=802.1q + DefaultPVID=0 + ''; }; - linkConfig.RequiredForOnline = "enslaved"; - bridgeVLANs = [ - { - bridgeVLANConfig = { + wg0 = { + enable = true; + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; + FirewallMark = 100; + }; + wireguardPeers = [ + { + AllowedIPs = [ + # this allows all traffic to be routed through this interface + "0.0.0.0/0" + + # # alternatively, specific destinations could be allowed + + # # remote peer wg addr + # "10.0.0.0/32" + + # "1.1.1.1/32" + # # ifconfig.co. 
+ # "172.67.168.106" + # "104.21.54.91" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; + PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; + Endpoint = router0-ifog_wg0Endpoint; + } + ]; + }; + + wg1 = { + enable = true; + netdevConfig = { + Name = "wg1"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path; + FirewallMark = 101; + }; + wireguardPeers = [ + { + AllowedIPs = [ + # this allows all traffic to be routed through this interface + "0.0.0.0/0" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path; + PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; + Endpoint = router0-ifog_wg1Endpoint; + } + ]; + }; + + wg2 = { + enable = true; + netdevConfig = { + Name = "wg2"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path; + FirewallMark = 102; + }; + wireguardPeers = [ + { + AllowedIPs = [ + # this allows all traffic to be routed through this interface + "0.0.0.0/0" + + # # alternatively, specific destinations could be allowed + + # # remote peer wg addr + # "10.0.0.0/32" + + # "1.1.1.1/32" + # # ifconfig.co. + # "172.67.168.106" + # "104.21.54.91" + ]; + PersistentKeepalive = 15; + PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path; + PublicKey = "/RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM="; + Endpoint = router0-hosthatch_wg0Endpoint; + } + ]; + }; + } + # generate the vlan devices. 
these will be tagged on the main bridge + // builtins.foldl' (acc: cur: acc // cur) { } ( + builtins.map + ( + { vlanid, vlanid' }: + { + "20-${mkInterfaceName { inherit vlanid; }}" = { + netdevConfig = { + Kind = "vlan"; + Name = "${mkInterfaceName { inherit vlanid; }}"; + }; + vlanConfig.Id = vlanid; + }; + } + ) + ( + builtins.map (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange + ) + ); + networks = + let + commonWanOptions = { + networkConfig = { + # start a DHCP Client for IPv4/6 Addressing/Routing + DHCP = true; + DNSOverTLS = true; + DNSSEC = true; + + # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + IPv6PrivacyExtensions = false; + DHCPPrefixDelegation = true; + }; + dhcpV4Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + }; + dhcpV6Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + PrefixDelegationHint = "::/56"; + UseDelegatedPrefix = true; + WithoutRA = "solicit"; + }; + ipv6AcceptRAConfig = { + UseDNS = false; + UseDomains = false; + }; + + # TODO: enable these somehow + # extraConfig = '' + # [IPv6AcceptRA] + # # FIXME: supported in nixos-24.11 + # DHCPv6Client=solicit + + # # FIXME: not supported at all yet + # UsePREF64=true + # ''; + }; + in + { + # places options here that should always exist + "lo" = { + matchConfig.Name = "lo"; + + # these are roughly equivalent to: + # ip rule add fwmark 100 priority 0 table 100 + # ip rule add fwmark 100 priority 1 prohibit + # ip rule add fwmark 101 priority 0 table 101 + # ip rule add fwmark 101 priority 1 prohibit + routingPolicyRules = [ + { + FirewallMark = 100; + Priority = 30000; + Table = 100; + } + { + FirewallMark = 100; + Priority = 30001; + Table = 100; + Type = "prohibit"; + } + { + FirewallMark = 101; + Priority = 30000; + Table = 101; + } + { + FirewallMark = 101; + Priority = 30001; + Table = 101; + Type = "prohibit"; + } + { + FirewallMark = 102; + Priority = 
30000; + Table = 102; + } + { + FirewallMark = 102; + Priority = 30001; + Table = 102; + Type = "prohibit"; + } + ]; + }; + # use lan0 as secondary WAN interface + "10-lan0-wan" = lib.attrsets.recursiveUpdate commonWanOptions { + matchConfig.Name = "lan0"; + # make routing on this interface a dependency for network-online.target + # linkConfig.RequiredForOnline = "routable"; + linkConfig.RequiredForOnline = "no"; + + dhcpV4Config = { + RouteMetric = 2000; + }; + + # similar to + # ip route add default via 172.16.0.1 table 101 + routes = [ + { + Gateway = "_dhcp4"; + Table = 101; + } + ]; + }; + "10-wan" = lib.attrsets.recursiveUpdate commonWanOptions { + matchConfig.Name = "wan"; + # make routing on this interface a dependency for network-online.target + # linkConfig.RequiredForOnline = "routable"; + linkConfig.RequiredForOnline = "no"; + + dhcpV4Config = { + RouteMetric = 1000; + }; + + # similar to + # ip route add default via 192.168.0.1 table 100 + routes = [ + { + Gateway = "_dhcp4"; + Table = 100; + } + { + Gateway = "_dhcp4"; + Table = 102; + } + ]; + }; + + # Connect the bridge ports to the bridge + "30-lan1" = { + matchConfig.Name = "lan1"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { VLAN = vlansByName.dmz.id; PVID = vlansByName.dmz.id; EgressUntagged = vlansByName.dmz.id; - }; - } - ]; - }; - - "30-lan2" = { - matchConfig.Name = "lan2"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; + } + ]; }; - linkConfig.RequiredForOnline = "enslaved"; - bridgeVLANs = [ - { - bridgeVLANConfig = { + "30-lan2" = { + matchConfig.Name = "lan2"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { VLAN = vlansByName.office.id; PVID = vlansByName.office.id; EgressUntagged = vlansByName.office.id; - }; - } - ]; - }; - 
- "30-lan3" = { - matchConfig.Name = "lan3"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; + } + ]; }; - linkConfig.RequiredForOnline = "enslaved"; - bridgeVLANs = [ - { - bridgeVLANConfig = { + "30-lan3" = { + matchConfig.Name = "lan3"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; - }; - } - ]; - }; - # Configure the bridge for its desired function - "40-${bridgeInterfaceName}" = { - matchConfig.Name = bridgeInterfaceName; - bridgeConfig = {}; - address = [ - (mkVlanIpv4HostAddr { vlanid = 0; host = 1;}) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; + } + ]; }; - # Don't wait for it as it also would wait for wlan and DFS which takes around 5 min - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; + "30-lan4" = { + matchConfig.Name = "lan4"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; - bridgeVLANs = [ - { - bridgeVLANConfig = { + bridgeVLANs = [ + { + VLAN = vlansByName.office.id; + PVID = vlansByName.office.id; + EgressUntagged = vlansByName.office.id; + } + ]; + }; + "30-eth1" = { + matchConfig.Name = "eth1"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + linkConfig.RequiredForOnline = "enslaved"; + + bridgeVLANs = [ + { + VLAN = vlansByName.dmz.id; + PVID = vlansByName.dmz.id; + EgressUntagged = vlansByName.dmz.id; + } + ]; + }; + # Configure the bridge for its desired function + "40-${bridgeInterfaceName}" = { + matchConfig.Name = bridgeInterfaceName; + bridgeConfig = { }; + address = [ + (mkVlanIpv4HostAddr { + vlanid = 0; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + }; + # Don't wait for it as it also would wait for wlan and DFS 
which takes around 5 min + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; + + bridgeVLANs = [ + { VLAN = "${toString vlanRangeStart}-${toString vlanRangeEnd}"; - }; - } - ]; + } + ]; - vlan = (builtins.map - (vlanid: (mkInterfaceName { inherit vlanid; })) - vlanRange - ); - }; - - } - - # configuration for the hostapd dynamic interfaces - # * netdev type vlan - # * host address for vlan - # * vlan config for wlan interface - // - builtins.foldl' - (acc: cur: acc // cur) - {} - (builtins.map ({ vlanid, vlanid' }: { - # configure the tagged vlan device with an address and vlan filtering. - # dnsmasq is configured to serve the respective /24 range on each tagged device. - # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. - "41-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; - address = [ - (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; + vlan = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; }; - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; + "50-wg0" = { + enable = true; + matchConfig.Name = "wg0"; + address = [ "10.0.0.1/31" ]; - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; - }; - } - ]; - }; - - # configure the wlan interface as a bridge member that - # * only gets traffic for vid 15 - # * untags traffic after receiving it - # * tags traffic that comes out of it - "41-wlan0.${vlanid'}" = { - matchConfig.Name = "wlan0.${vlanid'}"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; + routes = [ + # { + # # test the set uprouting to a specific IP + # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; + # MultiPathRoute = "10.0.0.0 1"; + # } + ]; + }; + "50-wg1" = { + enable = true; + matchConfig.Name = "wg1"; + address = [ 
"10.0.0.3/31" ]; + routes = [ + # { + # Destination = "${repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost}/32"; + # MultiPathRoute = "10.0.0.2 1"; + # } + ]; }; - linkConfig.RequiredForOnline = "no"; + "50-wg2" = { + enable = true; + matchConfig.Name = "wg2"; + address = [ "10.0.1.1/31" ]; - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; - PVID = vlanid; - EgressUntagged = vlanid; - }; - } - ]; - }; - - "50-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; - address = [ - (mkVlanIpv4HostAddr { inherit vlanid; host = 1; }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; + routes = [ + # TODO: add a testing route here + ]; }; - linkConfig.RequiredForOnline = "no"; - }; - }) - (builtins.map - (vlanid: { inherit vlanid; vlanid' = builtins.toString vlanid; }) - vlanRange - )) - ; + } + # configuration for the hostapd dynamic interfaces + # * netdev type vlan + # * host address for vlan + # * vlan config for wlan interface + // builtins.foldl' (acc: cur: acc // cur) { } ( + builtins.map + ( + { vlanid, vlanid' }: + { + # configure the tagged vlan device with an address and vlan filtering. + # dnsmasq is configured to serve the respective /24 range on each tagged device. + # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. + "41-${mkInterfaceName { inherit vlanid; }}" = { + matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; + address = [ + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; + + # the client shouldn't be allowed to send us RAs, that would be weird. 
+ IPv6AcceptRA = false; + + DHCPPrefixDelegation = true; + IPv6SendRA = true; + }; + + dhcpPrefixDelegationConfig = { + UplinkInterface = "wan"; + Assign = true; + SubnetId = vlanid; + Announce = true; + }; + + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; + + bridgeVLANs = [ + { + VLAN = vlanid; + } + ]; + }; + + # configure the wlan interface as a bridge member that + # * only gets traffic for vid 15 + # * untags traffic after receiving it + # * tags traffic that comes out of it + "41-wlan0.${vlanid'}" = { + matchConfig.Name = "wlan0.${vlanid'}"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + + linkConfig.RequiredForOnline = "no"; + + bridgeVLANs = [ + { + VLAN = vlanid; + PVID = vlanid; + EgressUntagged = vlanid; + } + ]; + }; + + # "50-${mkInterfaceName {inherit vlanid;}}" = { + # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; + # address = [ + # (mkVlanIpv4HostAddr { + # inherit vlanid; + # host = 1; + # }) + # ]; + # networkConfig = { + # ConfigureWithoutCarrier = true; + # }; + # linkConfig.RequiredForOnline = "no"; + # }; + } + ) + ( + builtins.map (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) vlanRange + ) + ); }; # wireless access point services.hostapd = { enable = true; - package = nodeFlake.packages.${system}.hostapd_patched; - radios = let - # generated with https://miniwebtool.com/mac-address-generator/ - mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; - in { - wlan0 = { - band = "2g"; - countryCode = "CH"; - channel = 0; # ACS + # package = nodeFlake.packages.${system}.hostapd_patched; + radios = + let + # generated with https://miniwebtool.com/mac-address-generator/ + mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; + in + { + wlan0 = { + band = "2g"; + # FIXME: apparently setting this could cause bugs, testing disabling it for a while. 
+ # countryCode = "CH"; + channel = 0; # 0 would mean Automatic Channel Selection - # use 'iw phy#1 info' to determine your VHT capabilities - wifi4 = { - enable = true; - capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; - }; - networks = { - wlan0 = let - iface = "wlan0"; - in { - ssid = "mlsia"; - bssid = mkBssid 0; + settings = { + # TODO: this would be faster but x13s on windows can't connect when it's enabled. + # ieee80211n = 1; - # authentication.mode = "wpa3-sae"; - authentication.mode = "wpa3-sae-transition"; - - authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; - authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; - - # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference - settings = { - # bridge = bridgeInterfaceName; - - # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; - # not yet supported on hostapd 2.10 - # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; - - # enables debug logging - logger_stdout_level= lib.mkForce 0; - logger_stdout = -1; - # logger_syslog_level= lib.mkForce 0; - - # resources on vlan tagging - # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging - # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 - - dynamic_vlan = 1; - - # this option currently requires a patch to hostapd - vlan_no_bridge = 1; - - /* not used due to the above vlan_no_bridge setting - vlan_tagged_interface = bridgeInterfaceName; - vlan_naming = 1; - vlan_bridge = "br-${iface}."; - */ - - vlan_file = let - generated = builtins.map (vlanid: - "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" - ) vlanRange - ; - - wildcard = [ - # Optional wildcard entry matching all VLAN IDs. The first # in the interface - # name will be replaced with the VLAN ID. 
The network interfaces are created - # (and removed) dynamically based on the use. - # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan - "* ${iface}.#" - ]; - - file = pkgs.writeText "hostapd.vlan" - (builtins.concatStringsSep "\n" (generated ++ wildcard)); - filePath = toString file; - in filePath; - - wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ - "WPA-PSK" - - # TODO: the printer can't connect when this is on - # "WPA-PSK-SHA256" - - # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them - # "SAE" - ]); - - # wpa_psk_radius = 0; - wpa_pairwise = "CCMP"; - wmm_enabled = 1; - - # IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks - ieee80211w = 1; - sae_require_mfp = 1; - sae_groups = "19 20 21"; - - # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) - tls_flags= "[ENABLE-TLSv1.3]"; - - ieee8021x=0; - eap_server=0; - }; + # Exclude DFS channels from ACS + # This option can be used to exclude all DFS channels from the ACS channel list + # in cases where the driver supports DFS channels. 
+ acs_exclude_dfs = 0; }; - # wlan0-1 = { - # ssid = "mlsia-testing"; - # authentication = { - # mode = "wpa3-sae-transition"; - # }; + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + require = false; + capabilities = [ + "HT20" + "HT40+" + "LDPC" + "SHORT-GI-20" + "SHORT-GI-40" + "TX-STBC" + "RX-STBC1" + "MAX-AMSDU-7935" - # bssid = mkBssid 1; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; + "40-INTOLERANT" - # wlan0-1 = { - # ssid = "justtestingwifi-wpa3"; - # authentication = { - # mode = "wpa3-sae"; - # saePasswordsFile = config.sops.secrets.wlan0_1_saePasswordFile.path; - # }; + # not supported by BPI-R3 module + # "DELAYED-BA" + # "DSSS_CCK-40" + ]; + }; - # bssid = mkBssid 1; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; + wifi5 = { + enable = false; + require = false; + }; - # Uncomment when needed otherwise remove - # wlan0-1 = { - # ssid = "koteczkowo3"; - # authentication = { - # mode = "none"; # this is overriden by settings - # }; - # managementFrameProtection = "optional"; - # bssid = "e6:02:43:07:00:00"; - # settings = { - # bridge = bridgeInterfaceName; - # wpa = lib.mkForce 2; - # wpa_key_mgmt = "WPA-PSK"; - # wpa_pairwise = "CCMP"; - # wpa_psk_file = config.sops.secrets.legacyWifiPassword.path; - # }; - # }; + wifi6 = { + enable = false; + require = false; + }; + + networks = { + wlan0 = + let + iface = "wlan0"; + in + { + ssid = "mlsia"; + bssid = mkBssid 0; + + # enables debug logging + logLevel = 0; + + authentication.mode = "wpa2-sha256" + # "wpa3-sae-transition" + # "wpa3-sae" + ; + + authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; + + # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do + # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; + + # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference + settings = { + # disable syslog because it duplicates stdout + 
logger_syslog = lib.mkForce 0; + + # bridge = bridgeInterfaceName; + + # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; + # not yet supported on hostapd 2.10 + # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; + + # resources on vlan tagging + # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging + # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 + + dynamic_vlan = 1; + # this option currently requires a patch to hostapd + vlan_no_bridge = 1; + + /* + not used due to the above vlan_no_bridge setting + vlan_tagged_interface = bridgeInterfaceName; + vlan_naming = 1; + vlan_bridge = "br-${iface}."; + */ + + vlan_file = + let + generated = builtins.map ( + vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" + ) vlanRange; + + wildcard = [ + # Optional wildcard entry matching all VLAN IDs. The first # in the interface + # name will be replaced with the VLAN ID. The network interfaces are created + # (and removed) dynamically based on the use. + # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan + "* ${iface}.#" + ]; + + file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard)); + filePath = toString file; + in + filePath; + + wpa_key_mgmt = lib.mkForce ( + builtins.concatStringsSep " " [ + "WPA-PSK" + + # TODO: the printer can't connect when this is on + # "WPA-PSK-SHA256" + + # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them + # "SAE" + ] + ); + + # wpa_psk_radius = 0; + wpa_pairwise = "CCMP"; + wmm_enabled = 1; + + # IEEE 802.11i (authentication) related configuration + # Encrypt management frames to protect against deauthentication and similar attacks. 
+ # 0 := disabled; 1 := optional; 2 := required + ieee80211w = 1; + # sae_require_mfp = 1; + # sae_groups = "19 20 21"; + + # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) + tls_flags = "[ENABLE-TLSv1.3]"; + + # TODO: debugging for wifi drops happens below here + # Require IEEE 802.1X authorization + ieee8021x = 0; + + # Optionally, hostapd can be configured to use an integrated EAP server + # to process EAP authentication locally without need for an external RADIUS + # server. This functionality can be used both as a local authentication server + # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. + + # Use integrated EAP server instead of external RADIUS authentication + # server. This is also needed if hostapd is configured to act as a RADIUS + # authentication server. + eap_server = 0; + + # Disassociate stations based on excessive transmission failures or other + # indications of connection loss. This depends on the driver capabilities and + # may not be available with all drivers. + disassoc_low_ack = 0; + + skip_inactivity_poll = 1; + + # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. 
+ multicast_to_unicast = 0; + }; + }; + }; }; }; - - # wlan1 = { - # band = "5g"; - # # channels with 160 MHz width in Poland: 36, 52, 100 i 116 - # channel = 0; # ACS - # countryCode = "PL"; - - # # use 'iw phy#1 info' to determine your VHT capabilities - # wifi4 = { - # enable = true; - # capabilities = ["HT40+" "LDPC" "SHORT-GI-20" "SHORT-GI-40" "TX-STBC" "RX-STBC1" "MAX-AMSDU-7935"]; - # }; - # wifi5 = { - # enable = true; - # operatingChannelWidth = "160"; - # capabilities = ["RXLDPC" "SHORT-GI-80" "SHORT-GI-160" "TX-STBC-2BY1" "SU-BEAMFORMER" "SU-BEAMFORMEE" "MU-BEAMFORMER" "MU-BEAMFORMEE" "RX-ANTENNA-PATTERN" "TX-ANTENNA-PATTERN" "RX-STBC-1" "SOUNDING-DIMENSION-4" "BF-ANTENNA-4" "VHT160" "MAX-MPDU-11454" "MAX-A-MPDU-LEN-EXP7"]; - # }; - # wifi6 = { - # enable = true; - # singleUserBeamformer = true; - # singleUserBeamformee = true; - # multiUserBeamformer = true; - # operatingChannelWidth = "160"; - # }; - # settings = { - # # these two are mandatory for wifi 5 & 6 to work - # vht_oper_centr_freq_seg0_idx = 50; - # he_oper_centr_freq_seg0_idx = 50; - - # # The "tx_queue_data2_burst" parameter in Linux refers to the burst size for - # # transmitting data packets from the second data queue of a network interface. - # # It determines the number of packets that can be sent in a burst. - # # Adjusting this parameter can impact network throughput and latency. - # tx_queue_data2_burst = 2; - - # # The "he_bss_color" parameter in Wi-Fi 6 (802.11ax) refers to the BSS Color field in the HE (High Efficiency) MAC header. - # # BSS Color is a mechanism introduced in Wi-Fi 6 to mitigate interference and improve network efficiency in dense deployment scenarios. - # # It allows multiple overlapping Basic Service Sets (BSS) to differentiate and coexist in the same area without causing excessive interference. 
- # he_bss_color = 63; # was set to 128 by openwrt but range of possible values in 2.10 is 1-63 - - # # Magic values that were set by openwrt but I didn't bother inspecting every single one - # he_spr_sr_control = 3; - # he_default_pe_duration = 4; - # he_rts_threshold = 1023; - - # he_mu_edca_qos_info_param_count = 0; - # he_mu_edca_qos_info_q_ack = 0; - # he_mu_edca_qos_info_queue_request = 0; - # he_mu_edca_qos_info_txop_request = 0; - - # # he_mu_edca_ac_be_aci=0; missing in 2.10 - # he_mu_edca_ac_be_aifsn = 8; - # he_mu_edca_ac_be_ecwmin = 9; - # he_mu_edca_ac_be_ecwmax = 10; - # he_mu_edca_ac_be_timer = 255; - - # he_mu_edca_ac_bk_aifsn = 15; - # he_mu_edca_ac_bk_aci = 1; - # he_mu_edca_ac_bk_ecwmin = 9; - # he_mu_edca_ac_bk_ecwmax = 10; - # he_mu_edca_ac_bk_timer = 255; - - # he_mu_edca_ac_vi_ecwmin = 5; - # he_mu_edca_ac_vi_ecwmax = 7; - # he_mu_edca_ac_vi_aifsn = 5; - # he_mu_edca_ac_vi_aci = 2; - # he_mu_edca_ac_vi_timer = 255; - - # he_mu_edca_ac_vo_aifsn = 5; - # he_mu_edca_ac_vo_aci = 3; - # he_mu_edca_ac_vo_ecwmin = 5; - # he_mu_edca_ac_vo_ecwmax = 7; - # he_mu_edca_ac_vo_timer = 255; - # }; - # networks = { - # wlan1 = { - # ssid = "koteczkowo5"; - # authentication = { - # mode = "wpa3-sae"; - # saePasswordsFile = config.sops.secrets.wifiPassword.path; # Use saePasswordsFile if possible. - # }; - # bssid = "36:b9:02:21:08:a2"; - # settings = { - # bridge = bridgeInterfaceName; - # }; - # }; - # }; - # }; - }; }; services.resolved.enable = false; 
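Review bot: The new `"iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}"` rule in the `exposeHost` prerouting chain carries no protocol or port match, so every new inbound flow on the WAN interfaces (any TCP/UDP port, ICMP, anything else) is translated to sj-srv1 and then accepted by the `wan-to-dmz` rule, turning the host into a fully exposed DMZ target rather than a set of published services. As far as I can tell it also captures port 22 on the router's own WAN address (assuming this is the nat-type prerouting chain that `redirect`/`dnat` require), which leaves the `wan-to-fw` port-22 allowance reachable only through the `220 -> 22` redirect on the line above. I would limit it to the ports sj-srv1 actually serves, e.g. `"iifname { ${wanInterfaces} } tcp dport { <exposed ports> } dnat ip to ${dmzExposedHostIpv4}"`, with a comment naming why each port is exposed. Separately, `wg2` targets router0-hosthatch yet reuses `wg0-privatekey`, `wg0-peer0-psk` and the identical peer `PublicKey` of the router0-ifog tunnels, so one key pair and PSK now authenticate two independent remote hosts; if that is not intentional, give wg2 its own secrets so compromise of one endpoint does not expose the other. The module's attribute set continues outside this hunk.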
@@ -797,35 +1157,50 @@ in { local-ttl = 0; dhcp-ttl = 0; - dhcp-range = let - mkDhcpRange = { tag, vlanid }: builtins.concatStringsSep "," [ - tag - (mkVlanIpv4HostAddr { inherit vlanid; host = 100; cidr = false; }) - (mkVlanIpv4HostAddr { inherit vlanid; host = 199; cidr = false; }) - "12h" - ]; - in - builtins.map - (vlanid: - mkDhcpRange { tag = mkInterfaceName {inherit vlanid;}; inherit vlanid; } - ) - vlanRangeWith0 - ; + # v6 config + enable-ra = true; - # interface = bridgeInterfaceName; - # bind-interfaces = true; - # dhcp-host = "192.168.10.1"; + dhcp-range = + let + mkDhcpRange = + { tag, vlanid }: + builtins.concatStringsSep "," [ + tag + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 100; + cidr = false; + }) + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 199; + cidr = false; + }) + "12h" + # "slaac" + # "ra-stateless" + # "ra-names" + ]; + in + builtins.map ( + vlanid: + mkDhcpRange { + tag = mkInterfaceName { inherit vlanid; }; + inherit vlanid; + } + ) vlanRangeWith0; + + dhcp-host = builtins.concatStringsSep "," [ + dmzExposedHostMACaddr + dmzExposedHostIpv4 + dmzExposedHostFQDN + ]; - # local domains - # local = "/${getVlanDomain {vlanid = 0;}/"; - # domain = getVlanDomain {vlanid = 0;}; expand-hosts = true; # don't use /etc/hosts as this would advertise ${nodeName} as localhost no-hosts = true; - - # address = "/${nodeName}.lan/${fwLanHostAddr}"; server = [ # upstream DNS servers 
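Review bot: `enable-ra = true` under `# v6 config` has nothing to act on: every entry built by `mkDhcpRange` is still an IPv4 start/end/lease triple and the `# "slaac"`, `# "ra-stateless"`, `# "ra-names"` keywords that would make a range advertise are left commented out. dnsmasq sends router advertisements only for interfaces that have an IPv6 `dhcp-range`, so as far as this hunk shows the flag is inert and the config reads as if IPv6 were already served. Either add a per-VLAN IPv6 range entry next to the IPv4 one (with the `ra-stateless`/`slaac` mode you settle on) or hold `enable-ra` back until then, and say which in a comment, e.g. `# v6 config: RAs are only emitted once an IPv6 dhcp-range exists below`. The `dhcp-host` static lease for the DMZ host looks fine; the enclosing `settings` block starts outside the hunk.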
@@ -835,107 +1210,74 @@ in { "2a01:4f8:151:34aa::198" "2a01:4f8:141:316d::117" - # cloudflare and google - # "9.9.9.9" "8.8.8.8" "1.1.1.1" + # https://dismail.de/info.html#dns + "116.203.32.217" + "2a01:4f8:1c1b:44aa::1" + "159.69.114.157" + "2a01:4f8:c17:739a::2" ]; - domain = [ - "/${getVlanDomain {vlanid = 0;}}/,local" - ] ++ builtins.map - (vlanid: - "${getVlanDomain {inherit vlanid;}},${mkVlanIpv4HostAddr { inherit vlanid; host = 0; cidr = true; }},local" - ) - vlanRangeWith0 - ; + domain = + [ "/${getVlanDomain { vlanid = 0; }}/,local" ] + ++ builtins.map ( + vlanid: + "${getVlanDomain { inherit vlanid; }},${ + mkVlanIpv4HostAddr { + inherit vlanid; + host = 0; + cidr = true; + } + },local" + ) vlanRangeWith0; # TODO: compare this to using `interface-name` - dynamic-host = [ - ] ++ builtins.map - (vlanid: - builtins.concatStringsSep "," [ - # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - "${nodeName}.${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - ] - ) - vlanRangeWith0 - ; + dynamic-host = builtins.map ( + vlanid: + builtins.concatStringsSep "," [ + # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) + "${nodeName}.${getVlanDomain { inherit vlanid; }}" + "0.0.0.1" + (mkInterfaceName { inherit vlanid; }) + ] + ) vlanRangeWith0; - dhcp-option-force = builtins.map - (vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain{inherit vlanid;}}") - vlanRangeWith0 - ; + dhcp-option-force = builtins.map ( + vlanid: + "${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}" + ) vlanRangeWith0; + + # auth-server = [ + # (builtins.concatStringsSep "," [ + # "www.stefanjunker.de" + # # (mkInterfaceName { vlanid = vlansByName.dmz.id; }) + # # (mkInterfaceName { vlanid = vlansByName.office.id; }) + # ]) + # ]; + + cname = [ + "mailserver.svc.stefanjunker.de,${dmzExposedHost}" + 
"www.stefanjunker.de,${dmzExposedHost}" + "hedgedoc.www.stefanjunker.de,${dmzExposedHost}" + "jitsi.www.stefanjunker.de,${dmzExposedHost}" + "lldap.www.stefanjunker.de,${dmzExposedHost}" + "forgejo.www.stefanjunker.de,${dmzExposedHost}" + "kanidm.www.stefanjunker.de,${dmzExposedHost}" + ]; }; }; - # The service irqbalance is useful as it assigns certain IRQ calls to specific CPUs instead of letting the first CPU core to handle everything. This is supposed to increase performance by hitting CPU cache more often. - # disable for now as i think it causes wifi issues - services.irqbalance.enable = false; + system.stateVersion = "24.11"; - system.stateVersion = "23.05"; - - boot.kernelPackages = pkgs.linuxPackages_bpir3_latest; - # We exclude a number of modules included in the default list. A non-insignificant amount do - # not apply to embedded hardware like this, so simply skip the defaults. - # - # Custom kernel is required as a lot of MTK components misbehave when built as modules. - # They fail to load properly, leaving the system without working ethernet, they'll oops on - # remove. MTK-DSA parts and PCIe were observed to do this. - boot.initrd.includeDefaultModules = false; - boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"]; - boot.initrd.availableKernelModules = ["nvme"]; - - boot.kernelParams = ["console=ttyS0,115200"]; - hardware.enableRedistributableFirmware = true; - # Wireless hardware exists, regulatory database is essential. - hardware.wirelessRegulatoryDatabase = true; - - # Extlinux compatible with custom uboot patches in this repo, which also provide unique - # MAC addresses instead of the non-unique one that gets used by a lot of MTK devices... - boot.loader.grub.enable = false; - boot.loader.generic-extlinux-compatible.enable = true; - # Known to work with u-boot; bz2, lzma, and lz4 should be safe too, need to test. 
- boot.initrd.compressor = "gzip"; - hardware.deviceTree.filter = "mt7986a-bananapi-bpi-r3.dtb"; - - hardware.deviceTree.overlays = [ - { - name = "bpir3-sd-enable"; - dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-sd.dts"; - } - { - name = "bpir3-nand-enable"; - dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-nand.dts"; - } - { - name = "bpi-r3 wifi training data"; - dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-wirless.dts"; - } - { - name = "reset button disable"; - dtsFile = "${bpir3}/bpir3-dts/mt7986a-bananapi-bpi-r3-pcie-button.dts"; - } - { - name = "mt7986a efuses"; - dtsFile = "${bpir3}/bpir3-dts/mt7986a-efuse-device-tree-node.dts"; - } - ]; - - boot.initrd.preDeviceCommands = '' - if [ ! -d /sys/bus/pci/devices/0000:01:00.0 ]; then - if [ -d /sys/bus/pci/devices/0000:00:00.0 ]; then - # Remove PCI bridge, then rescan. NVMe init crashes if PCI bridge not removed first - echo 1 > /sys/bus/pci/devices/0000:00:00.0/remove - # Rescan brings PCI root back and brings the NVMe device in. - echo 1 > /sys/bus/pci/rescan - else - info "PCIe bridge missing" - fi - fi - ''; + # boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6; environment.systemPackages = [ pkgs.ethtool - pkgs.neovim + pkgs.vim + pkgs.iperf3 + + pkgs.wireguard-tools + pkgs.tshark + pkgs.tmux (pkgs.writeShellScriptBin "dbg-ip" '' echo links: diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix index 9dd8d5e..a0520dc 100644 --- a/nix/os/devices/router0-dmz0/default.nix +++ b/nix/os/devices/router0-dmz0/default.nix 
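Review bot: `system.stateVersion` is bumped from "23.05" to "24.11", but stateVersion is meant to stay at the release the host was first installed with; changing it on a box that was not reinstalled silently switches stateful defaults (service data layouts, database formats) and is the one option NixOS documents as not to be touched. If the board was reinstalled from scratch as part of the move from the bpir3 input to nixos-sbc, record that next to the line, e.g. `system.stateVersion = "24.11"; # fresh install on <DATE> after the nixos-sbc migration` (placeholder date); otherwise revert it. Separately, `hardware.wirelessRegulatoryDatabase = true` and `hardware.enableRedistributableFirmware = true` vanish with the removed boot section while the hostapd AP config stays — unless nixos-sbc sets them (not visible here), the mt7915 firmware and the regdb the removed comment called essential are no longer pulled in. The commented `# boot.kernelPackages = pkgs.linuxPackages_bpir3_6_6;` is not a replacement for the removed kernel/initrd/extlinux setup, so a short comment naming where the kernel now comes from would help; the enclosing module continues outside the hunk.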
@@ -5,25 +5,24 @@ nodeFlake, localDomainName ? "internal", ... -}: { +}: +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system; + inherit + repoFlake + nodeName + nodeFlake + system + ; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - inherit - (nodeFlake.inputs.bpir3.packages.${system}) - armTrustedFirmwareMT7986 - ; + inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986; inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; diff --git a/nix/os/devices/router0-dmz0/flake.lock b/nix/os/devices/router0-dmz0/flake.lock index 089ad5e..8f55026 100644 --- a/nix/os/devices/router0-dmz0/flake.lock +++ b/nix/os/devices/router0-dmz0/flake.lock @@ -1,26 +1,5 @@ { "nodes": { - "bpir3": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1703603768, - "narHash": "sha256-ZViXHNt7ClqNtlRO9iot+LxiSbBvZi/RR+/6Q7W6UV8=", - "owner": "steveej-forks", - "repo": "nixos-bpir3", - "rev": "47cb545b92c136d1482a66b940c4719c40eb5fe3", - "type": "github" - }, - "original": { - "owner": "steveej-forks", - "ref": "linux-6.6", - "repo": "nixos-bpir3", - "type": "github" - } - }, "dependencyDagOfSubmodule": { "inputs": { "nixpkgs": [ @@ -49,11 +28,11 @@ ] }, "locked": { - "lastModified": 1703532766, - "narHash": "sha256-ojjW3cuNmqL5uqDWohwLoO8dYpheM5+AfgsNmGIMwG8=", + "lastModified": 1738148035, + "narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=", "owner": "nix-community", "repo": "disko", - "rev": "1b191113874dee97796749bb21eac3d84735c70a", + "rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54", "type": "github" }, "original": { 
@@ -64,11 +43,11 @@ }, "get-flake": { "locked": { - "lastModified": 1694475786, - "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", + "lastModified": 1714237590, + "narHash": "sha256-9gtHdGbzFHaR20xORN8IYd67ROWS+1nqQ5CsPf9MD8I=", "owner": "ursi", "repo": "get-flake", - "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", + "rev": "a6c57417d1b857b8be53aba4095869a0f438c502", "type": "github" }, "original": { @@ -84,16 +63,16 @@ ] }, "locked": { - "lastModified": 1703527373, - "narHash": "sha256-AjypRssRtS6F3xkf7rE3/bXkIF2WJOZLbTIspjcE1zM=", + "lastModified": 1736373539, + "narHash": "sha256-dinzAqCjenWDxuy+MqUQq0I4zUSfaCvN9rzuCmgMZJY=", "owner": "nix-community", "repo": "home-manager", - "rev": "80679ea5074ab7190c4cce478c600057cfb5edae", + "rev": "bd65bc3cde04c16755955630b344bc9e35272c56", "type": "github" }, "original": { "owner": "nix-community", - "ref": "master", + "ref": "release-24.11", "repo": "home-manager", "type": "github" } @@ -101,11 +80,11 @@ "hostapd": { "flake": false, "locked": { - "lastModified": 1703346062, - "narHash": "sha256-SHSBKIgKc5zEGhKDT2v+yGERTJHf8pe+9ZPUwJBTJKQ=", + "lastModified": 1738518662, + "narHash": "sha256-MeE2FTG7Jh4BqchSvevJH7IsqTotjemndLzev8TkiRk=", "ref": "refs/heads/main", - "rev": "196d6c83b9cb7d298fdc92684dc37115348b159e", - "revCount": 19119, + "rev": "c12fc97e3b59742e0c5743fceae6a87a8b13a576", + "revCount": 20282, "type": "git", "url": "git://w1.fi/hostap.git?branch=main" }, @@ -122,11 +101,11 @@ ] }, "locked": { - "lastModified": 1703279052, - "narHash": "sha256-0rbG/9SwaWtXT7ZuifMq+7wvfxDpZrjr0zdMcM4KK+E=", + "lastModified": 1715521768, + "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", "owner": "thelegy", "repo": "nixos-nftables-firewall", - "rev": "3bf23aeb346e772d157816e6b72a742a6c97db80", + "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", "type": "github" }, "original": { 
@@ -135,29 +114,49 @@ "type": "github" } }, - "nixos-stable": { + "nixos-sbc": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, "locked": { - "lastModified": 1703068421, - "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f", + "lastModified": 1738254353, + "narHash": "sha256-SYpvOn0v/wi8lrgEBhobjKFvFWPlJ3gP7SZPfyw9td0=", + "owner": "nakato", + "repo": "nixos-sbc", + "rev": "21be4ab012197a2eea4bbff8315c40f26f715a18", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixos-23.11", - "repo": "nixpkgs", + "owner": "nakato", + "repo": "nixos-sbc", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1703255338, - "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=", + "lastModified": 1738702386, + "narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04", + "rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1738680400, + "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "799ba5bffed04ced7067a91798353d360788b30d", "type": "github" }, "original": { 
@@ -187,30 +186,30 @@ }, "root": { "inputs": { - "bpir3": "bpir3", "disko": "disko", "get-flake": "get-flake", "home-manager": "home-manager", "hostapd": "hostapd", "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixos-sbc": "nixos-sbc", "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", "openwrt": "openwrt", "srvos": "srvos" } }, "srvos": { "inputs": { - "nixos-stable": "nixos-stable", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1703469109, - "narHash": "sha256-hTQJ9uV43Vt8UXwervEj9mbDoQSN1mD3lwwPChG8jy8=", + "lastModified": 1738198321, + "narHash": "sha256-lhnHBXO9Y8xEn92JqxjancdL8Gh16ONuxZp60iZfmX4=", "owner": "numtide", "repo": "srvos", - "rev": "52d07db520046c4775f1047e68a05dcb53bba9ec", + "rev": "7d5a4aaadac9ff63f9ed4347df95175aceee5079", "type": "github" }, "original": { diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix index 494551e..d56e72a 100644 --- a/nix/os/devices/router0-dmz0/flake.nix +++ b/nix/os/devices/router0-dmz0/flake.nix @@ -1,10 +1,11 @@ { inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; get-flake.url = "github:ursi/get-flake"; - home-manager.url = "github:nix-community/home-manager/master"; + home-manager.url = "github:nix-community/home-manager/release-24.11"; home-manager.inputs.nixpkgs.follows = "nixpkgs"; disko.url = "github:nix-community/disko"; 
@@ -12,13 +13,14 @@ srvos.url = "github:numtide/srvos"; srvos.inputs.nixpkgs.follows = "nixpkgs"; - bpir3.url = - "github:steveej-forks/nixos-bpir3/linux-6.6" - # "/home/steveej/src/steveej/nixos-bpir3" - ; - - bpir3.inputs.nixpkgs.follows = "nixpkgs"; - + nixos-sbc.url = "github:nakato/nixos-sbc" + # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.12" + # "github:steveej-forks/nakato_nixos-sbc//bpi-r3_kernel-6.13" + # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile" + # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile" + # "git+file:///home/steveej/src/others/nakato_nixos-sbc/" + ; + nixos-sbc.inputs.nixpkgs.follows = "nixpkgs"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; 
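Review bot: `nixos-sbc.url = "github:nakato/nixos-sbc"` carries no branch or tag, whereas the `bpir3` input it replaces pinned `linux-6.6`; the rev is frozen in flake.lock, but every `nix flake update` will then follow whatever the default branch holds, and this input supplies the router's kernel and board support. Consider pinning a ref in the URL (the commented alternatives show the kernel-specific branches being chosen between) so a routine lock update cannot silently move to a different kernel line. The `inputs` attrset continues outside this hunk.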
@@ -35,96 +37,71 @@ # url = "file+https://raw.githubusercontent.com/openwrt/openwrt/847984c773d819d5579d5abae4b80a4983103ed9/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"; # flake = false; # }; + + # repoFlake.url = "path:../../../.."; }; - outputs = { - self, - get-flake, - nixpkgs, - bpir3, - ... - }: let - nativeSystem = "aarch64-linux"; - nodeName = "router0-dmz0"; + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + nativeSystem = "aarch64-linux"; + nodeName = "router0-dmz0"; - pkgs = nixpkgs.legacyPackages.${nativeSystem}; - pkgsCross = import self.inputs.nixpkgs { - system = "x86_64-linux"; - crossSystem = { - config = "aarch64-unknown-linux-gnu"; - }; - }; - - mkNixosConfiguration = {extraModules ? [], ...} @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs + mkNixosConfiguration = { - specialArgs = (import ./default.nix { - system = nativeSystem; - inherit nodeName; + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; - repoFlake = get-flake ../../../..; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; + repoFlake = get-flake ../../../..; + # repoFlake = get-flake ./.; + # repoFlake = self.inputs.repoFlake; + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; - modules = - [ + modules = [ ./configuration.nix # flake registry { + nixpkgs.overlays = builtins.attrValues self.overlays; nix.registry.nixpkgs.flake = nixpkgs; } - - { - nixpkgs.overlays = [ - (final: previous: let - bpir3Pkgs = previous.callPackage "${bpir3}/pkgs" {}; - in { - inherit - (bpir3Pkgs) - linuxPackages_bpir3 - linuxPackages_bpir3_latest - ; - }) - - ]; - } - ] - ++ extraModules; - } - ); - in { - nixosConfigurations = { - native = mkNixosConfiguration { - system = nativeSystem; - }; - - cross = mkNixosConfiguration { - extraModules = [ - { - 
nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; + ] ++ extraModules; } - ]; + ); + in + { + nixosConfigurations = { + native = mkNixosConfiguration { system = nativeSystem; }; + + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; + } + ]; + }; + }; + + overlays.default = _final: previous: { + hostapd = previous.hostapd.overrideDerivation (attrs: { + patches = attrs.patches ++ [ + "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" + ]; + }); }; }; - - packages = let - mkPatchedHostapd = pkgs: pkgs.hostapd.overrideDerivation(attrs: { - patches = attrs.patches ++ [ - "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" - ]; - }); - in { - "${nativeSystem}" = { - hostapd_patched = mkPatchedHostapd pkgs; - }; - - cross = { - hostapd_patched = mkPatchedHostapd pkgsCross; - }; - }; - }; } diff --git a/nix/os/devices/router0-hosthatch/configuration.nix b/nix/os/devices/router0-hosthatch/configuration.nix new file mode 100644 index 0000000..af02b3d --- /dev/null +++ b/nix/os/devices/router0-hosthatch/configuration.nix 
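Review bot: The `packages` output (hostapd_patched for the native and cross builds) is removed, but `default.nix` still defines `nodePackages' = nodeFlake.packages.${system}` (a context line in its hunk earlier in this diff), so that special arg now points at a missing attribute; Nix's laziness means it only fails — with `attribute 'packages' missing` — the first time a module reads `nodePackages'`. Either drop `nodePackages'` from `meta.nodeSpecialArgs` in default.nix or keep a `packages.${nativeSystem}` output that exposes the overlay's hostapd. Minor: `overrideDerivation` in `overlays.default` is the legacy form; `previous.hostapd.overrideAttrs (attrs: { patches = attrs.patches ++ [ ... ]; })` is the current idiom with the same result. The `outputs` function starts in the hunk above this one.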
@@ -0,0 +1,337 @@
+{
+ repoFlake,
+ pkgs,
+ lib,
+ config,
+ nodeFlake,
+ nodeName,
+ system,
+ variables,
+ ...
+}:
+{
+ system.stateVersion = "24.05";
+
+ imports = [
+ nodeFlake.inputs.disko.nixosModules.disko
+ nodeFlake.inputs.srvos.nixosModules.mixins-terminfo
+
+ repoFlake.inputs.sops-nix.nixosModules.sops
+
+ ../../snippets/nix-settings.nix
+ ../../profiles/common/user.nix
+
+ nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default
+
+ {
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "yes";
+
+ users.commonUsers = {
+ enable = true;
+ enableNonRoot = false;
+ rootPasswordFile = config.sops.secrets.passwords-root.path;
+ };
+
+ # sops.age.keyFile = "/etc/age.key";
+ # sops.age.sshKeyPaths = [];
+
+ sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ sops.secrets.passwords-root.neededForUsers = true;
+ }
+
+ # TODO: extract this into single-disk VM BIOS module
+ {
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.grub.efiSupport = false;
+
+ # forcing seems required or else there's an error about duplicated devices
+ boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ];
+
+ disko.devices.disk.vda = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ]; # Override existing partition
+ subvolumes = {
+ # Subvolume name is different from mountpoint
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ "/nix" = {
+ mountOptions = [ "noatime" ];
+ mountpoint = "/nix";
+ };
+ "/boot" = {
+ mountpoint = "/boot";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ boot.initrd.kernelModules = [
+ "virtio_balloon"
+ "virtio_scsi"
+ "virtio_net"
+ "virtio_pci"
+ "virtio_ring"
+ "virtio"
+ "scsi_mod"
+
+ "virtio_blk"
+ "virtio_ring"
+ "ata_piix"
+ "pata_acpi"
+ "ata_generic"
+ ];
+ }
+ ];
+
+ # sops.secrets.ssh_host_ed25519_key = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_ed25519_key";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_ed25519_key_pub = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_ed25519_key.pub";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_rsa_key = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_rsa_key";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_rsa_key_pub = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_rsa_key.pub";
+ # mode = "0644";
+ # };
+
+ boot = {
+ kernel = {
+ sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+ };
+ };
+
+ networking = {
+ hostName = nodeName;
+ useNetworkd = true;
+ useDHCP = true;
+ usePredictableInterfaceNames = false;
+
+ interfaces.eth0.ipv4.addresses = [
+ {
+ address = variables.ipv4;
+ prefixLength = variables.ipv4length;
+ }
+ ];
+ defaultGateway = {
+ interface = "eth0";
+ address = variables.ipv4gateway;
+ };
+ nameservers = [ variables.ipv4dns ];
+
+ # these will be configured via nftables
+ nat.enable = lib.mkForce false;
+ firewall.enable = lib.mkForce false;
+
+ # Use the nftables firewall instead of the base nixos scripted rules.
+ # This flake provides a similar utility to the base nixos scripting.
+ # https://github.com/thelegy/nixos-nftables-firewall/tree/main
+
+ nftables = {
+ enable = true;
+
+ firewall = {
+ enable = true;
+ snippets.nnf-common.enable = true;
+
+ zones.wan = {
+ interfaces = [ "eth0" ];
+ };
+
+ zones.vpn = {
+ interfaces = [
+ "wg0"
+ "wg1"
+ ];
+ };
+
+ rules = {
+ to-fw = {
+ from = "all";
+ to = [ "fw" ];
+ verdict = "drop";
+
+ allowedTCPPorts = [
+ 22
+ 5201
+ ];
+ allowedUDPPorts = [
+ 22
+ 5201
+ config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
+ config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
+ ];
+ };
+
+ vpn-to-wan-nat = {
+ from = [ "vpn" ];
+ to = [ "wan" ];
+ masquerade = true;
+ verdict = "accept";
+ };
+ };
+ };
+ };
+ };
+
+ sops.secrets.wg0-privatekey = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg0-peer0-psk = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg1-privatekey = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg1-peer0-psk = {
+ mode = "440";
+ group = "systemd-network";
+ };
+
+ systemd.network.enable = true;
+ systemd.network.netdevs.wg0 = {
+ enable = true;
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
+ PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [
+ "10.0.1.1/32"
+ "192.168.0.0/16"
+ ];
+ PersistentKeepalive = 15;
+ PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
+ PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
+ };
+ }
+ ];
+ };
+ systemd.network.netdevs.wg1 = {
+ enable = true;
+ netdevConfig = {
+ Name = "wg1";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 51821;
+ # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
+ PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [
+ "10.0.1.3/31"
+ "192.168.0.0/16"
+ ];
+ PersistentKeepalive = 15;
+ PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
+ PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
+ };
+ }
+ ];
+ };
+ systemd.network.networks.wg0 = {
+ enable = true;
+ matchConfig.Name = "wg0";
+ address = [ "10.0.1.0/31" ];
+
+ routes = [
+ {
+ routeConfig = {
+ Destination = "192.168.0.0/16";
+ MultiPathRoute = "10.0.1.1 1";
+ };
+ }
+ ];
+ };
+ systemd.network.networks.wg1 = {
+ enable = true;
+ matchConfig.Name = "wg1";
+ address = [ "10.0.1.2/31" ];
+
+ routes = [
+ {
+ routeConfig = {
+ Destination = "192.168.0.0/16";
+ MultiPathRoute = "10.0.1.3 1";
+ };
+ }
+ ];
+ };
+
+ environment.systemPackages = [
+ pkgs.ethtool
+ pkgs.neovim
+ pkgs.tmux
+
+ pkgs.wireguard-tools
+ pkgs.tshark
+
+ (pkgs.writeShellScriptBin "dbg-ip" ''
+ echo links:
+ ip -br -c l
+ echo
+ echo addresses:
+ ip -br -c a
+ echo
+ echo vlans:
+ bridge -c vlan
+ '')
+
+ (pkgs.writeShellScriptBin "dbg-dnsmasq" ''
+ # get the rendered in-use config
+ pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat
+ '')
+ ];
+}
diff --git a/nix/os/devices/router0-hosthatch/default.nix b/nix/os/devices/router0-hosthatch/default.nix
new file mode 100644
index 0000000..fd2c485
--- /dev/null
+++ b/nix/os/devices/router0-hosthatch/default.nix
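Review bot: `services.openssh.settings.PermitRootLogin = "yes"`, combined with the sops-provisioned root password (`rootPasswordFile`) and the `to-fw` rule that accepts TCP 22 from `all` zones, `wan` included, lets root log in with a password from the internet; use `services.openssh.settings.PermitRootLogin = "prohibit-password";` (the NixOS default) and `services.openssh.settings.PasswordAuthentication = false;` so the root password stays a console/recovery credential and SSH is key-only (assuming `users.commonUsers` installs authorized keys — not visible here). The same lines recur in `router0-ifog/configuration.nix`, whose hunk continues past this view. `5201` (iperf3) is opened on TCP and UDP toward the firewall from every zone; a permanent benchmarking port facing the WAN should be limited to `vpn` or removed after testing, and UDP 22 has no service behind it. Pulling the WireGuard `ListenPort`s from `config.systemd.network.netdevs.*` keeps the firewall and netdev config in sync, which is good.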
@@ -0,0 +1,38 @@
+{
+ system ? "x86_64-linux",
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}:
+let
+ variables = import ./variables.crypt.nix;
+in
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit
+ repoFlake
+ nodeName
+ nodeFlake
+ system
+ variables
+ ;
+ packages' = repoFlake.packages.${system};
+ nodePackages' = nodeFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = variables.ipv4;
+ deployment.replaceUnknownProfiles = true;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+
+ networking.hostName = nodeName;
+ };
+}
diff --git a/nix/os/devices/router0-hosthatch/flake.lock b/nix/os/devices/router0-hosthatch/flake.lock
new file mode 100644
index 0000000..f66687f
--- /dev/null
+++ b/nix/os/devices/router0-hosthatch/flake.lock
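Review bot: `nodePackages' = nodeFlake.packages.${system}` refers to an output that `router0-hosthatch/flake.nix`, added in this same commit, does not define — its outputs are `_: { }` — so the attribute can never resolve; it is lazy, so the failure only surfaces as `attribute 'packages' missing` the first time a module uses it. Drop the line, or give the flake a `packages` output if something is meant to live there. `variables = import ./variables.crypt.nix;` imports a file the diff shows as binary, presumably git-crypt encrypted; on a checkout that is not unlocked the import fails with a Nix parse error rather than a useful message, so a comment such as `# git-crypt encrypted; unlock the repo before evaluating` would spare the next reader a confusing failure.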
@@ -0,0 +1,151 @@ +{ + "nodes": { + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nixos-nftables-firewall", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719864345, + "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", + "owner": "nix-community", + "repo": "disko", + "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719827385, + "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715521768, + "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1719838683, + "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1719848872, + "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "home-manager": "home-manager", + "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719965291, + "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", + "owner": "numtide", + "repo": "srvos", + "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/router0-hosthatch/flake.nix b/nix/os/devices/router0-hosthatch/flake.nix new file mode 100644 index 0000000..3057b9a --- /dev/null +++ b/nix/os/devices/router0-hosthatch/flake.nix 
@@ -0,0 +1,19 @@
+{
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+
+ home-manager.url = "github:nix-community/home-manager/release-24.05";
+ home-manager.inputs.nixpkgs.follows = "nixpkgs";
+
+ disko.url = "github:nix-community/disko";
+ disko.inputs.nixpkgs.follows = "nixpkgs";
+ srvos.url = "github:numtide/srvos";
+ srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+ nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall";
+ nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ outputs = _: { };
+}
diff --git a/nix/os/devices/router0-hosthatch/variables.crypt.nix b/nix/os/devices/router0-hosthatch/variables.crypt.nix
new file mode 100644
index 0000000..38c17df
Binary files /dev/null and b/nix/os/devices/router0-hosthatch/variables.crypt.nix differ
diff --git a/nix/os/devices/router0-ifog/configuration.nix b/nix/os/devices/router0-ifog/configuration.nix
new file mode 100644
index 0000000..9bc91ee
--- /dev/null
+++ b/nix/os/devices/router0-ifog/configuration.nix
@@ -0,0 +1,337 @@
+{
+ repoFlake,
+ pkgs,
+ lib,
+ config,
+ nodeFlake,
+ nodeName,
+ system,
+ variables,
+ ...
+}:
+{
+ system.stateVersion = "23.11";
+
+ imports = [
+ nodeFlake.inputs.disko.nixosModules.disko
+ nodeFlake.inputs.srvos.nixosModules.mixins-terminfo
+
+ repoFlake.inputs.sops-nix.nixosModules.sops
+
+ ../../snippets/nix-settings.nix
+ ../../profiles/common/user.nix
+
+ nodeFlake.inputs.nixos-nftables-firewall.nixosModules.default
+
+ {
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "yes";
+
+ users.commonUsers = {
+ enable = true;
+ enableNonRoot = false;
+ rootPasswordFile = config.sops.secrets.passwords-root.path;
+ };
+
+ # sops.age.keyFile = "/etc/age.key";
+ # sops.age.sshKeyPaths = [];
+
+ sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ sops.defaultSopsFormat = "yaml";
+
+ sops.secrets.passwords-root.neededForUsers = true;
+ }
+
+ # TODO: extract this into single-disk VM BIOS module
+ {
+ boot.loader.systemd-boot.enable = false;
+ boot.loader.grub.efiSupport = false;
+
+ # forcing seems required or else there's an error about duplicated devices
+ boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ];
+
+ disko.devices.disk.vda = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02"; # for grub MBR
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ]; # Override existing partition
+ subvolumes = {
+ # Subvolume name is different from mountpoint
+ "/rootfs" = {
+ mountpoint = "/";
+ };
+ "/nix" = {
+ mountOptions = [ "noatime" ];
+ mountpoint = "/nix";
+ };
+ "/boot" = {
+ mountpoint = "/boot";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ boot.initrd.kernelModules = [
+ "virtio_balloon"
+ "virtio_scsi"
+ "virtio_net"
+ "virtio_pci"
+ "virtio_ring"
+ "virtio"
+ "scsi_mod"
+
+ "virtio_blk"
+ "virtio_ring"
+ "ata_piix"
+ "pata_acpi"
+ "ata_generic"
+ ];
+ }
+ ];
+
+ # sops.secrets.ssh_host_ed25519_key = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_ed25519_key";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_ed25519_key_pub = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_ed25519_key.pub";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_rsa_key = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_rsa_key";
+ # mode = "0600";
+ # };
+ # sops.secrets.ssh_host_rsa_key_pub = {
+ # sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ # format = "yaml";
+
+ # path = "/etc/ssh/ssh_host_rsa_key.pub";
+ # mode = "0644";
+ # };
+
+ boot = {
+ kernel = {
+ sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ "net.ipv6.conf.all.forwarding" = true;
+ };
+ };
+ };
+
+ networking = {
+ hostName = nodeName;
+ useNetworkd = true;
+ useDHCP = true;
+ usePredictableInterfaceNames = false;
+
+ interfaces.eth0.ipv4.addresses = [
+ {
+ address = variables.ipv4;
+ prefixLength = variables.ipv4length;
+ }
+ ];
+ defaultGateway = {
+ interface = "eth0";
+ address = variables.ipv4gateway;
+ };
+ nameservers = [ variables.ipv4dns ];
+
+ # these will be configured via nftables
+ nat.enable = lib.mkForce false;
+ firewall.enable = lib.mkForce false;
+
+ # Use the nftables firewall instead of the base nixos scripted rules.
+ # This flake provides a similar utility to the base nixos scripting.
+ # https://github.com/thelegy/nixos-nftables-firewall/tree/main
+
+ nftables = {
+ enable = true;
+
+ firewall = {
+ enable = true;
+ snippets.nnf-common.enable = true;
+
+ zones.wan = {
+ interfaces = [ "eth0" ];
+ };
+
+ zones.vpn = {
+ interfaces = [
+ "wg0"
+ "wg1"
+ ];
+ };
+
+ rules = {
+ to-fw = {
+ from = "all";
+ to = [ "fw" ];
+ verdict = "drop";
+
+ allowedTCPPorts = [
+ 22
+ 5201
+ ];
+ allowedUDPPorts = [
+ 22
+ 5201
+ config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort
+ config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort
+ ];
+ };
+
+ vpn-to-wan-nat = {
+ from = [ "vpn" ];
+ to = [ "wan" ];
+ masquerade = true;
+ verdict = "accept";
+ };
+ };
+ };
+ };
+ };
+
+ sops.secrets.wg0-privatekey = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg0-peer0-psk = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg1-privatekey = {
+ mode = "440";
+ group = "systemd-network";
+ };
+ sops.secrets.wg1-peer0-psk = {
+ mode = "440";
+ group = "systemd-network";
+ };
+
+ systemd.network.enable = true;
+ systemd.network.netdevs.wg0 = {
+ enable = true;
+ netdevConfig = {
+ Name = "wg0";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 51820;
+ # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
+ PrivateKeyFile = builtins.toString config.sops.secrets.wg0-privatekey.path;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [
+ "10.0.0.1/32"
+ "192.168.0.0/16"
+ ];
+ PersistentKeepalive = 15;
+ PresharedKeyFile = builtins.toString config.sops.secrets.wg0-peer0-psk.path;
+ PublicKey = "hsjIenUFV/FBqplIKxSL/Zn2zDAfojlIKHMxPA6RC04=";
+ };
+ }
+ ];
+ };
+ systemd.network.netdevs.wg1 = {
+ enable = true;
+ netdevConfig = {
+ Name = "wg1";
+ Kind = "wireguard";
+ };
+ wireguardConfig = {
+ ListenPort = 51821;
+ # PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=
+ PrivateKeyFile = builtins.toString config.sops.secrets.wg1-privatekey.path;
+ };
+ wireguardPeers = [
+ {
+ wireguardPeerConfig = {
+ AllowedIPs = [
+ "10.0.0.3/31"
+ "192.168.0.0/16"
+ ];
+ PersistentKeepalive = 15;
+ PresharedKeyFile = builtins.toString config.sops.secrets.wg1-peer0-psk.path;
+ PublicKey = "Ha5hsarCRO8LX9SrkopUeP14ebLdFgxXUC0ezrobax4=";
+ };
+ }
+ ];
+ };
+ systemd.network.networks.wg0 = {
+ enable = true;
+ matchConfig.Name = "wg0";
+ address = [ "10.0.0.0/31" ];
+
+ routes = [
+ {
+ routeConfig = {
+ Destination = "192.168.0.0/16";
+ MultiPathRoute = "10.0.0.1 1";
+ };
+ }
+ ];
+ };
+ systemd.network.networks.wg1 = {
+ enable = true;
+ matchConfig.Name = "wg1";
+ address = [ "10.0.0.2/31" ];
+
+ routes = [
+ {
+ routeConfig = {
+ Destination = "192.168.0.0/16";
+ MultiPathRoute = "10.0.0.3 1";
+ };
+ }
+ ];
+ };
+
+ environment.systemPackages = [
+ pkgs.ethtool
+ pkgs.neovim
+ pkgs.tmux
+
+ pkgs.wireguard-tools
+ pkgs.tshark
+
+ (pkgs.writeShellScriptBin "dbg-ip" ''
+ echo links:
+ ip -br -c l
+ echo
+ echo addresses:
+ ip -br -c a
+ echo
+ echo vlans:
+ bridge -c vlan
+ '')
+
+ (pkgs.writeShellScriptBin "dbg-dnsmasq" ''
+ # get the rendered in-use config
+ pgrep -a dnsmasq | grep -Eo '[^ ]*conf' | xargs cat | grep -Eo '[^=]*conf' | xargs cat
+ '')
+ ];
+}
diff --git a/nix/os/devices/router0-ifog/default.nix b/nix/os/devices/router0-ifog/default.nix
new file mode 100644
index 0000000..fd2c485
--- /dev/null
+++ b/nix/os/devices/router0-ifog/default.nix
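Review bot: `services.openssh.settings.PermitRootLogin = "yes"` together with `rootPasswordFile` from sops and the `to-fw` rule admitting TCP 22 from `"all"` zones means root password authentication over SSH is reachable from the wan zone; unless password logins are needed for bootstrapping, `services.openssh.settings.PermitRootLogin = "prohibit-password";` keeps root key-only without changing anything else. In the same rule, `allowedUDPPorts` lists 22 next to the WireGuard listen ports; SSH is TCP-only, so the UDP 22 entry looks copied from the TCP list and can be dropped (iperf3 does use UDP 5201 on request, so that one is legitimate). The `# PublicKey /RPDdqPzr9iRc7zR0bRkt9aS2QCt+b2K3WbsNg8XamM=` comment above wg1's `PrivateKeyFile` is a verbatim repeat of wg0's although wg1 has its own private-key secret, so one of the two comments is presumably stale — confirm which, since that comment is what the peer operator will read. Minor: `boot.initrd.kernelModules` lists `"virtio_ring"` twice.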
@@ -0,0 +1,38 @@
+{
+ system ? "x86_64-linux",
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}:
+let
+ variables = import ./variables.crypt.nix;
+in
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit
+ repoFlake
+ nodeName
+ nodeFlake
+ system
+ variables
+ ;
+ packages' = repoFlake.packages.${system};
+ nodePackages' = nodeFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = variables.ipv4;
+ deployment.replaceUnknownProfiles = true;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+
+ networking.hostName = nodeName;
+ };
+}
diff --git a/nix/os/devices/router0-ifog/flake.lock b/nix/os/devices/router0-ifog/flake.lock
new file mode 100644
index 0000000..f66687f
--- /dev/null
+++ b/nix/os/devices/router0-ifog/flake.lock
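Review bot: `variables = import ./variables.crypt.nix` is evaluated unconditionally, and the neighbouring diff entry shows that file is committed as ciphertext (`Binary files /dev/null and b/.../variables.crypt.nix differ`), so on a checkout without the git-crypt key this module fails at parse time with an error that never mentions git-crypt; a comment on that line, `# git-crypt encrypted: evaluation needs an unlocked checkout`, saves the next person a confusing failure. `deployment.replaceUnknownProfiles = true` here is the opposite of the `false` in nix/os/devices/sj-srv1/default.nix added by the same commit — if the router really should let the deploy tool overwrite a system profile it did not create, a one-line why-comment next to it would record that decision.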
@@ -0,0 +1,151 @@ +{ + "nodes": { + "dependencyDagOfSubmodule": { + "inputs": { + "nixpkgs": [ + "nixos-nftables-firewall", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1656615370, + "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nix-dependencyDagOfSubmodule", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719864345, + "narHash": "sha256-e4Pw+30vFAxuvkSTaTypd9zYemB/QlWcH186dsGT+Ms=", + "owner": "nix-community", + "repo": "disko", + "rev": "544a80a69d6e2da04e4df7ec8210a858de8c7533", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719827385, + "narHash": "sha256-qs+nU20Sm8czHg3bhGCqiH+8e13BJyRrKONW34g3i50=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "391ca6e950c2525b4f853cbe29922452c14eda82", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixos-nftables-firewall": { + "inputs": { + "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1715521768, + "narHash": "sha256-BQkkBqDemoPRd2a4G94I9w9fNE0IxWtVsQ9SalnNqCQ=", + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "rev": "2c5a19966b4dfc5ca92df7eb250c68f90be653c8", + "type": "github" + }, + "original": { + "owner": "thelegy", + "repo": "nixos-nftables-firewall", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1719838683, + "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": 
"d032c1a6dfad4eedec7e35e91986becc699d7d69", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1719848872, + "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "home-manager": "home-manager", + "nixos-nftables-firewall": "nixos-nftables-firewall", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable", + "srvos": "srvos" + } + }, + "srvos": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719965291, + "narHash": "sha256-IQiO6VNESSmgxQkpI1q86pqxRw0SZ45iSeM1jsmBpSw=", + "owner": "numtide", + "repo": "srvos", + "rev": "1844f1a15ef530c963bb07c3846172fccbfb9f74", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/router0-ifog/flake.nix b/nix/os/devices/router0-ifog/flake.nix new file mode 100644 index 0000000..3057b9a --- /dev/null +++ b/nix/os/devices/router0-ifog/flake.nix @@ -0,0 +1,19 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + + home-manager.url = "github:nix-community/home-manager/release-24.05"; + home-manager.inputs.nixpkgs.follows = "nixpkgs"; + + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + srvos.url = "github:numtide/srvos"; + srvos.inputs.nixpkgs.follows = "nixpkgs"; + + nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; + nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = _: { }; +} 
diff --git a/nix/os/devices/router0-ifog/variables.crypt.nix b/nix/os/devices/router0-ifog/variables.crypt.nix new file mode 100644 index 0000000..1dec120 Binary files /dev/null and b/nix/os/devices/router0-ifog/variables.crypt.nix differ diff --git a/nix/os/devices/sj-bm-hostkey0/configuration.nix b/nix/os/devices/sj-bm-hostkey0/configuration.nix deleted file mode 100644 index 76ddb97..0000000 --- a/nix/os/devices/sj-bm-hostkey0/configuration.nix +++ /dev/null 
@@ -1,169 +0,0 @@ -{ - modulesPath, - repoFlake, - packages', - pkgs, - lib, - config, - nodeFlake, - nodeName, - system, - ... -}: { - disabledModules = [ - ]; - - imports = [ - nodeFlake.inputs.disko.nixosModules.disko - nodeFlake.inputs.srvos.nixosModules.roles-nix-remote-builder - repoFlake.inputs.sops-nix.nixosModules.sops - - ../../profiles/common/user.nix - ../../snippets/nix-settings-holo-chain.nix - - # TODO - # ./network.nix - # ./monitoring.nix - - # user config - { - users.commonUsers = { - enable = true; - enableNonRoot = true; - }; - home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix { - inherit pkgs; - }; - - home-manager.users.steveej = { pkgs, ... }: { - imports = [ - ../../../home-manager/configuration/text-minimal.nix - ]; - - home.packages = [ - pkgs.nil - pkgs.rnix-lsp - pkgs.nixd - pkgs.nixpkgs-fmt - pkgs.alejandra - pkgs.nixfmt - ]; - }; - - programs.zsh.enable = true; - users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = ["/share/zsh"]; - } - ]; - - roles.nix-remote-builder.schedulerPublicKeys = [ - # TODO: make this a reference to the private key's secret - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC8FHuK0k86iBWq41+NAhVwJqH1ZpGJe+q01m7iLviz6 root@steveej-t14" - ]; - - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - boot = { - kernel = { - sysctl = { - "net.ipv4.conf.all.forwarding" = true; - "net.ipv6.conf.all.forwarding" = true; - }; - }; - }; - - networking = { - hostName = nodeName; - useNetworkd = true; - useDHCP = true; - - # No local firewall. 
- nat.enable = true; - firewall.enable = false; - }; - - disko.devices = let - disk = id: { - type = "disk"; - device = "/dev/${id}"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - mdadm = { - size = "100%"; - content = { - type = "mdraid"; - name = "raid0"; - }; - }; - }; - }; - }; - in { - disk = { - sda = disk "sda"; - sdb = disk "sdb"; - }; - mdadm = { - raid0 = { - type = "mdadm"; - level = 0; - content = { - type = "gpt"; - partitions = { - primary = { - size = "100%"; - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; - }; - }; - }; - }; - }; - }; - }; - - system.stateVersion = "23.11"; - - boot.kernelPackages = pkgs.linuxPackages_latest; - boot.initrd.includeDefaultModules = true; - boot.initrd.kernelModules = [ - "dm-raid" - "dm-integrity" - "xhci_pci_renesas" - ]; - - hardware.enableRedistributableFirmware = true; - - environment.systemPackages = [ - pkgs.hdparm - ]; - - # home-manager.users.steveej = _: { - # imports = [ - # ../../../home-manager/configuration/text-minimal.nix - # ]; - - # home.sessionVariables = { - # }; - - # home.packages = with pkgs; [ - # ]; - # }; - - virtualisation.libvirtd.enable = true; - - boot.binfmt.emulatedSystems = [ - "aarch64-linux" - "i686-linux" - # "i386-linux" - # "i586-linux" - ]; -} diff --git a/nix/os/devices/sj-bm-hostkey0/flake.nix b/nix/os/devices/sj-bm-hostkey0/flake.nix deleted file mode 100644 index 3b4ed54..0000000 --- a/nix/os/devices/sj-bm-hostkey0/flake.nix +++ /dev/null 
@@ -1,64 +0,0 @@
-{
- inputs = {
- nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
-
- get-flake.url = "github:ursi/get-flake";
-
- home-manager.url = "github:nix-community/home-manager/master";
- home-manager.inputs.nixpkgs.follows = "nixpkgs";
-
- disko.url = "github:nix-community/disko";
- disko.inputs.nixpkgs.follows = "nixpkgs";
- srvos.url = "github:numtide/srvos";
- srvos.inputs.nixpkgs.follows = "nixpkgs";
- };
-
- # outputs = _: {};
-
- outputs = {
- self,
- get-flake,
- nixpkgs,
- ...
- } @ attrs: let
- system = "x86_64-linux";
- nodeName = "sj-bm-hostkey0";
-
- mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
- nixpkgs.lib.nixosSystem (
- nixpkgs.lib.attrsets.recursiveUpdate
- attrs
- {
- specialArgs = {
- nodeFlake = self;
- repoFlake = get-flake ../../../..;
- inherit nodeName;
- };
-
- modules =
- [
- ./configuration.nix
-
- # flake registry
- {
- nix.registry.nixpkgs.flake = nixpkgs;
- }
-
- {
- nixpkgs.overlays = [
- (final: previous: {
- })
- ];
- }
- ]
- ++ extraModules;
- }
- );
- in {
- nixosConfigurations = {
- native = mkNixosConfiguration {
- inherit system;
- };
- };
- };
-}
diff --git a/nix/os/devices/sj-srv1/README.md b/nix/os/devices/sj-srv1/README.md
new file mode 100644
index 0000000..394da55
--- /dev/null
+++ b/nix/os/devices/sj-srv1/README.md
@@ -0,0 +1 @@
+## bootstrapping
diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix
new file mode 100644
index 0000000..5184bd1
--- /dev/null
+++ b/nix/os/devices/sj-srv1/configuration.nix
@@ -0,0 +1,23 @@
+{ nodeName, config, ... }:
+{
+ disabledModules = [ ];
+ imports = [
+ ../../profiles/common/configuration.nix
+ {
+ users.commonUsers = {
+ enable = true;
+ enableNonRoot = true;
+ rootPasswordFile = config.sops.secrets.passwords-root.path;
+ };
+
+ sops.secrets.passwords-root = {
+ sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+ neededForUsers = true;
+ format = "yaml";
+ };
+ }
+
+ ./system.nix
+ ./hw.nix
+ ];
+}
diff --git a/nix/os/devices/sj-srv1/default.nix b/nix/os/devices/sj-srv1/default.nix
new file mode 100644
index 0000000..6ec896d
--- /dev/null
+++ b/nix/os/devices/sj-srv1/default.nix
@@ -0,0 +1,28 @@
+{
+ nodeName,
+ repoFlake,
+ nodeFlake,
+ ...
+}:
+let
+ system = "x86_64-linux";
+in
+{
+ meta.nodeSpecialArgs.${nodeName} = {
+ inherit repoFlake nodeName nodeFlake;
+ packages' = repoFlake.packages.${system};
+ };
+
+ meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
+
+ ${nodeName} = {
+ deployment.targetHost = "${nodeName}.dmz.internal";
+ deployment.replaceUnknownProfiles = false;
+
+ imports = [
+ nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+ ./configuration.nix
+ ];
+ };
+}
diff --git a/nix/os/devices/sj-srv1/flake.lock b/nix/os/devices/sj-srv1/flake.lock
new file mode 100644
index 0000000..05230e2
--- /dev/null
+++ b/nix/os/devices/sj-srv1/flake.lock
@@ -0,0 +1,100 @@ +{ + "nodes": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1747020534, + "narHash": "sha256-D/6rkiC6w2p+4SwRiVKrWIeYzun8FBg7NlMKMwQMxO0=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "b4bbdc6fde16fc2051fcde232f6e288cd22007ca", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-24.11", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1746957726, + "narHash": "sha256-k9ut1LSfHCr0AW82ttEQzXVCqmyWVA5+SHJkS5ID/Jo=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "a39ed32a651fdee6842ec930761e31d1f242cb94", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-kanidm": { + "locked": { + "lastModified": 1729071019, + "narHash": "sha256-c4J/ZiMbjMf98FawO5XJaTWqvrvIXpxnIpxu4OV3CGA=", + "owner": "steveej-forks", + "repo": "nixpkgs", + "rev": "984b1d5a286d3a072b840b30ec49d96878d01e64", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "ref": "kanidm", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-master": { + "locked": { + "lastModified": 1747142919, + "narHash": "sha256-84jJ5uDXws7EYch+4fxmfoCCTWRWZCXCCVM0Dh65ZH8=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "60bdd7db9e890967224c2244be45beecd7d6e448", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "master", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1747114929, + "narHash": "sha256-GnQGiZiOnGfxM9oVhgqOJk0Qv1aZ11p5Aloac2tdoKY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "fab95ba4b9523f310644e6e6087c0014535c8e02", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "home-manager": "home-manager", + "nixpkgs": 
"nixpkgs", + "nixpkgs-kanidm": "nixpkgs-kanidm", + "nixpkgs-master": "nixpkgs-master", + "nixpkgs-unstable": "nixpkgs-unstable" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix new file mode 100644 index 0000000..213d325 --- /dev/null +++ b/nix/os/devices/sj-srv1/flake.nix @@ -0,0 +1,14 @@ +{ + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; + inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; + inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; + + inputs.nixpkgs-kanidm.url = "github:steveej-forks/nixpkgs/kanidm"; + + inputs.home-manager = { + url = "github:nix-community/home-manager/release-24.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = _: { }; +} diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix new file mode 100644 index 0000000..ca9158b --- /dev/null +++ b/nix/os/devices/sj-srv1/hw.nix @@ -0,0 +1,55 @@ +_: +let + stage1Modules = [ + "virtio_balloon" + "virtio_scsi" + "virtio_net" + "virtio_pci" + "virtio_ring" + "virtio" + "scsi_mod" + + "virtio_blk" + "virtio_ring" + "ata_piix" + "pata_acpi" + "ata_generic" + + "aesni_intel" + "kvm_amd" + "nvme" + "nvme_core" + + "thunderbolt" + "e1000e" + + "usbcore" + "xhci_hcd" + "usbnet" + "snd_usb_audio" + "usbhid" + "snd_usbmidi_lib" + "cdc_mbim" + "cdc_ncm" + "usb_storage" + "cdc_wdm" + "uvcvideo" + "btusb" + "xhci_pci" + "cdc_ether" + "uas" + ]; +in +{ + imports = [ + ../../modules/opinionatedDisk.nix + ]; + hardware.opinionatedDisk = { + enable = true; + encrypted = false; + diskId = "virtio-virtio-paeNi8Fof9Oe"; + earlyDiskIdOverride = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN"; + }; + + boot.initrd.kernelModules = stage1Modules; +} diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix new file mode 100644 index 0000000..c5e4c43 --- /dev/null +++ b/nix/os/devices/sj-srv1/system.nix 
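Review bot: In hw.nix, `hardware.opinionatedDisk` pairs `diskId = "virtio-virtio-paeNi8Fof9Oe"` with `earlyDiskIdOverride = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN"`, i.e. a virtio disk and a bare-metal SATA SSD for the same host; if that is intentional (the id differing between the installer environment and the running system, for instance) a comment saying which stage sees which id would prevent a later "fix" that breaks boot, and if it is carried over from another device's hw.nix it should be corrected. With `encrypted = false` the container volumes that system.nix snapshots and backs up live in clear on this disk — possibly the intended trade-off for a hosted VM, but worth recording in a comment next to the option. `stage1Modules` also lists `"virtio_ring"` twice and pulls in a broad USB/audio/video set (`snd_usb_audio`, `uvcvideo`, `btusb`) that reads as inherited from a laptop profile; a note on why a server initrd needs them, or trimming the list, would help.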
@@ -0,0 +1,220 @@
+{
+ pkgs,
+ lib,
+ config,
+ repoFlake,
+ nodeFlake,
+ nodeName,
+ ...
+}:
+let
+ hostBridgeAddress = "192.168.101.1";
+in
+{
+ imports = [
+ ../../snippets/systemd-resolved.nix
+ {
+ # make sure it uses the DNS that comes in via DHCP
+ networking.nameservers = lib.mkForce [ ];
+ services.resolved.enable = true;
+
+ # provide DNS to the containers
+ services.resolved.extraConfig = ''
+ DNSStubListenerExtra=${hostBridgeAddress}
+ '';
+ networking.firewall.interfaces.br0.allowedTCPPorts = [ 53 ];
+ networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 ];
+ }
+ ];
+
+ programs.wireshark.enable = true;
+ environment.systemPackages = [ pkgs.dnsutils ];
+
+ networking.firewall.enable = true;
+ networking.nftables.enable = true;
+ networking.nftables.flushRuleset = true;
+
+ networking.firewall.allowedTCPPorts = [
+ # iperf3
+ 5201
+ ];
+
+ networking.firewall.logRefusedConnections = false;
+
+ networking.usePredictableInterfaceNames = false;
+
+ networking.useNetworkd = true;
+ networking.useDHCP = false;
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "br0" ];
+ externalInterface = "dmz0";
+ };
+
+ networking.bridges = {
+ br0 = {
+ interfaces = [ ];
+ };
+ };
+ networking.interfaces = {
+ br0 = {
+ ipv4.addresses = [
+ {
+ address = hostBridgeAddress;
+ prefixLength = 24;
+ }
+ ];
+ };
+ };
+
+ systemd.network.netdevs."10-dmz0" = {
+ enable = true;
+ netdevConfig = {
+ Name = "dmz0";
+ Kind = "macvlan";
+ MACAddress = "1c:69:7a:07:08:6f";
+ };
+
+ macvlanConfig = {
+ Mode = "bridge";
+ };
+ };
+
+ systemd.network.networks."20-eth0" = {
+ enable = true;
+ matchConfig.Name = "eth0";
+
+ linkConfig.RequiredForOnline = "carrier";
+ networkConfig.LinkLocalAddressing = "no";
+
+ # TODO: i'm not sure if and if so why this is required
+ macvlan = [ "dmz0" ];
+
+ DHCP = "no";
+ };
+
+ systemd.network.networks."30-dmz0" = {
+ enable = true;
+ matchConfig.Name = "dmz0";
+ DHCP = "yes";
+
+ dhcpV4Config.UseDNS = true;
+ dhcpV6Config.UseDNS = true;
+ };
+
+ boot.kernel.sysctl = {
+ "net.ipv4.ip_forward" = 1;
+ "net.ipv6.ip_forward" = 1;
+ };
+
+ # virtualization
+ virtualisation = {
+ docker.enable = false;
+ };
+
+ nix.gc = {
+ automatic = true;
+ };
+
+ sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+
+ # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
+ services.restic.backups.${nodeName} =
+ let
+ btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
+ in
+ {
+ initialize = true;
+ repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";
+
+ paths = [ "/backup" ];
+
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 12"
+ "--keep-yearly 2"
+ ];
+
+ timerConfig = {
+ OnCalendar = lib.mkDefault "daily";
+ Persistent = true;
+ };
+
+ passwordFile = config.sops.secrets.restic-password.path;
+
+ backupPrepareCommand = ''
+ ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes
+ '';
+ backupCleanupCommand = ''
+ ${btrfs} su delete /backup/container-volumes
+ '';
+ };
+
+ containers = {
+ mailserver = import ../../containers/mailserver.nix {
+ specialArgs = {
+ inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
+ };
+
+ autoStart = true;
+
+ hostBridge = "br0";
+ hostAddress = hostBridgeAddress;
+ localAddress = "192.168.101.10/24";
+
+ imapsPort = 993;
+ sievePort = 4190;
+ };
+
+ webserver = import ../../containers/webserver.nix {
+ specialArgs = {
+ inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
+ };
+
+ autoStart = true;
+
+ hostBridge = "br0";
+ hostAddress = hostBridgeAddress;
+ localAddress = "192.168.101.11/24";
+
+ httpPort = 80;
+ httpsPort = 443;
+ forgejoSshPort = 2222;
+ };
+
+ syncthing = import ../../containers/syncthing.nix {
+ specialArgs = {
+ inherit repoFlake nodeFlake;
+ hostAddress = hostBridgeAddress;
+ };
+ autoStart = true;
+
+ hostBridge = "br0";
+ hostAddress = hostBridgeAddress;
+ localAddress = "192.168.101.12/24";
+
+ syncthingPort = 22000;
+ };
+ };
+
+ virtualisation.libvirtd = {
+ enable = true;
+ onShutdown = "shutdown";
+ parallelShutdown = 3;
+ };
+
+ # VM storage
+ # fileSystems."/mnt/8078-532D".device = "/dev/disk/by-uuid/8078-532D";
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "22.11"; # Did you read the comment?
+}
diff --git a/nix/os/devices/sj-vps-htz0/boot.nix b/nix/os/devices/sj-vps-htz0/boot.nix
index 5713789..ed21f9c 100644
--- a/nix/os/devices/sj-vps-htz0/boot.nix
+++ b/nix/os/devices/sj-vps-htz0/boot.nix
@@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; }
diff --git a/nix/os/devices/sj-vps-htz0/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix
index b734123..0f9e008 100644
--- a/nix/os/devices/sj-vps-htz0/configuration.nix
+++ b/nix/os/devices/sj-vps-htz0/configuration.nix
@@ -1,10 +1,6 @@ +{ nodeName, config, ... }: { - nodeName, - config, - pkgs, - ... -}: { - disabledModules = []; + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix {
diff --git a/nix/os/devices/sj-vps-htz0/default.nix b/nix/os/devices/sj-vps-htz0/default.nix
index 12e0271..7683a53 100644
--- a/nix/os/devices/sj-vps-htz0/default.nix
+++ b/nix/os/devices/sj-vps-htz0/default.nix
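Review bot: `backupPrepareCommand` does not tolerate a snapshot left behind by an interrupted earlier run: if `/backup/container-volumes` still exists, `btrfs su snapshot -r` creates the new snapshot inside that directory instead of replacing it, and the job then ships stale data; removing a leftover first makes the job self-healing, e.g. `[ -e /backup/container-volumes ] && ${btrfs} su delete /backup/container-volumes` as the line before the snapshot command. The `sftp://…your-storagebox.de:23/…` repository is reached through the system ssh client and nothing in this file pins the storage box's host key, so the first run either fails non-interactively or, depending on the ssh defaults in effect for the service, trusts whatever key it sees; a `programs.ssh.knownHosts` entry for that host, with the fingerprint taken from the provider rather than from a first connection, closes that gap. `networking.firewall.allowedTCPPorts = [ 5201 ]` opens iperf3 on every interface including dmz0, whereas the DNS ports above are scoped with `networking.firewall.interfaces.br0`; if iperf3 is only for internal testing, scope it the same way. `system.stateVersion = "22.11"` on a newly added host is only right if this machine was first installed from 22.11 — confirm, since the comment above it says not to change it afterwards.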
@@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "${nodeName}.infra.stefanjunker.de"; diff --git a/nix/os/devices/sj-vps-htz0/flake.nix b/nix/os/devices/sj-vps-htz0/flake.nix index c315b8e..f8ca24f 100644 --- a/nix/os/devices/sj-vps-htz0/flake.nix +++ b/nix/os/devices/sj-vps-htz0/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/sj-vps-htz0/hw.nix b/nix/os/devices/sj-vps-htz0/hw.nix index 7566a02..080bb40 100644 --- a/nix/os/devices/sj-vps-htz0/hw.nix +++ b/nix/os/devices/sj-vps-htz0/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "virtio_balloon" "virtio_scsi" @@ -14,7 +15,8 @@ "pata_acpi" "ata_generic" ]; -in { +in +{ hardware.opinionatedDisk = { enable = true; encrypted = false; diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix index 0657935..7380a35 100644 --- a/nix/os/devices/sj-vps-htz0/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -1,17 +1,14 @@ -{ pkgs -, lib -, config -, repoFlake -, nodeName -, ... +{ + pkgs, + config, + nodeName, + ... }: let wireguardPort = 51820; in { - imports = [ - ../../snippets/systemd-resolved.nix - ]; + imports = [ ../../snippets/systemd-resolved.nix ]; networking.firewall.enable = true; networking.nftables.enable = true; @@ -20,9 +17,7 @@ in # iperf3 5201 ]; - networking.firewall.allowedUDPPorts = [ - wireguardPort - ]; + networking.firewall.allowedUDPPorts = [ wireguardPort ]; networking.firewall.logRefusedConnections = false; 
@@ -54,7 +49,10 @@ in networking.nat = { enable = true; - internalInterfaces = [ "ve-*" "wg*" ]; + internalInterfaces = [ + "ve-*" + "wg*" + ]; externalInterface = "eth0"; }; @@ -71,11 +69,8 @@ in networking.wireguard.interfaces.wg0 = { # eth0 MTU (1400) - 80 mtu = 1320; - ips = [ - "192.168.99.1/31" - ]; - listenPort = - wireguardPort; + ips = [ "192.168.99.1/31" ]; + listenPort = wireguardPort; privateKeyFile = config.sops.secrets.wg0-private.path; peers = [ { @@ -87,50 +82,19 @@ in }; # virtualization - virtualisation = { docker.enable = false; }; + virtualisation = { + docker.enable = false; + }; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; - nix.gc = { automatic = true; }; - - containers = { - mailserver = import ../../containers/mailserver.nix { - inherit repoFlake; - - autoStart = true; - - hostAddress = "192.168.100.10"; - localAddress = "192.168.100.11"; - - imapsPort = 993; - sievePort = 4190; - }; - - webserver = - import ../../containers/webserver.nix - { - inherit repoFlake; - - autoStart = true; - - hostAddress = "192.168.100.12"; - localAddress = "192.168.100.13"; - - httpPort = 80; - httpsPort = 443; - }; - - syncthing = import ../../containers/syncthing.nix { - autoStart = true; - - hostAddress = "192.168.100.14"; - localAddress = "192.168.100.15"; - - syncthingPort = 22000; - }; + nix.gc = { + automatic = true; }; + containers = { }; + home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; diff --git a/nix/os/devices/srv0-dmz0/README.md b/nix/os/devices/srv0-dmz0/README.md index 92893b6..c76c8a0 100644 --- a/nix/os/devices/srv0-dmz0/README.md +++ b/nix/os/devices/srv0-dmz0/README.md @@ -1,7 +1,6 @@ ## bootstrapping ``` -# TODO: generate an SSH host-key and deploy it via --extra-files +# TODO: generate an SSH host-key and deploy it via --extra-files nixos-anywhere --flake .\#srv0-dmz0 root@srv0.dmz0.noosphere.life ``` - 
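Review bot: After the `@@ -87,50 +82,19 @@` hunk reduces the node to `containers = { };`, the `networking.nat.internalInterfaces` list in the `@@ -54,7 +49,10 @@` hunk of the same file still carries `"ve-*"`, so NAT keeps a masquerade match for container veths that no longer exist on this host; trimming it to `internalInterfaces = [ "wg*" ];` keeps the rule set honest, and the same leftover (`"ve-+"` next to `containers = { }`) appears in nix/os/devices/srv0-dmz0/configuration.nix further down. The first hunk of this file drops `lib` and `repoFlake` from the module arguments; the parts of system.nix outside these hunks are not visible here, so it is worth confirming that nothing below still references `lib` before this is deployed.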
diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix index c1983d2..5514edf 100644 --- a/nix/os/devices/srv0-dmz0/configuration.nix +++ b/nix/os/devices/srv0-dmz0/configuration.nix @@ -1,14 +1,14 @@ { modulesPath, repoFlake, - packages', - pkgs, config, ... -}: let +}: +let disk = "/dev/disk/by-id/ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN"; -in { - disabledModules = []; +in +{ + disabledModules = [ ]; imports = [ repoFlake.inputs.disko.nixosModules.disko repoFlake.inputs.srvos.nixosModules.server @@ -23,7 +23,7 @@ in { ]; ## bare-metal machines - srvos.boot.consoles = ["tty0"]; + srvos.boot.consoles = [ "tty0" ]; boot.loader.grub.enable = false; boot.loader.efi.canTouchEfiVariables = false; @@ -39,7 +39,7 @@ in { start = "0"; end = "1M"; part-type = "primary"; - flags = ["bios_grub"]; + flags = [ "bios_grub" ]; } { name = "ESP"; @@ -60,14 +60,14 @@ in { bootable = true; content = { type = "btrfs"; - extraArgs = ["-f"]; # Override existing partition + extraArgs = [ "-f" ]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = ["noatime"]; + mountOptions = [ "noatime" ]; }; }; }; @@ -109,7 +109,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; 
@@ -119,95 +119,11 @@ in { # virtualization # virtualisation = {docker.enable = true;}; - nix.gc = {automatic = true;}; - - containers = { + nix.gc = { + automatic = true; }; - # sops.secrets.holochain-nomad-agent-ca = { - # sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; - # owner = config.users.extraUsers.nomad.name; - # group = config.users.groups.nomad.name; - # }; - # sops.secrets.holochain-global-nomad-client-cert = { - # sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; - # owner = config.users.extraUsers.nomad.name; - # group = config.users.groups.nomad.name; - # }; - # sops.secrets.holochain-global-client-nomad-key = { - # sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; - # owner = config.users.extraUsers.nomad.name; - # group = config.users.groups.nomad.name; - # }; - - # services.nomad = { - # enable = true; - # package = packages'.nomad; - # enableDocker = false; - # dropPrivileges = false; - - # extraPackages = [ - # pkgs.coreutils - # pkgs.nix - # pkgs.bash - # pkgs.gitFull - # pkgs.cacert - # ]; - - # settings = { - # server.enabled = false; - - # client = { - # enabled = true; - # server_join = { - # retry_join = [ - # "infra.holochain.org" - # ]; - # retry_interval = "60s"; - # }; - - # node_class = "testing"; - - # meta = { - # inherit (pkgs.targetPlatform) system; - - # features = builtins.concatStringsSep "," [ - # "poc-1" - # "poc-2" - # "ipv4-nat" - # "nix" - # "nixos" - # "holoport" - # ]; - - # machine_type = "baremetal"; - # }; - # }; - - # tls = { - # http = true; - # rpc = true; - # ca_file = config.sops.secrets.holochain-nomad-agent-ca.path; - # cert_file = config.sops.secrets.holochain-global-nomad-client-cert.path; - # key_file = config.sops.secrets.holochain-global-client-nomad-key.path; - - # verify_server_hostname = true; - # verify_https_client = true; - # }; - - # plugin.raw_exec.config.enabled = true; - # }; - # }; - - # users.extraUsers.nomad.isNormalUser = true; - # 
users.extraUsers.nomad.isSystemUser = false; - # users.extraUsers.nomad.group = "nomad"; - # users.extraUsers.nomad.home = config.services.nomad.settings.data_dir; - # users.extraUsers.nomad.createHome = true; - # users.groups.nomad.members = ["nomad"]; - - # systemd.services.nomad.serviceConfig.User = "nomad"; - # systemd.services.nomad.serviceConfig.Group = "nomad"; + containers = { }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nix/os/devices/srv0-dmz0/default.nix b/nix/os/devices/srv0-dmz0/default.nix index 5c0b7bb..3af624b 100644 --- a/nix/os/devices/srv0-dmz0/default.nix +++ b/nix/os/devices/srv0-dmz0/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: let +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "srv0.dmz0.noosphere.life"; diff --git a/nix/os/devices/srv0-dmz0/flake.lock b/nix/os/devices/srv0-dmz0/flake.lock index 5008566..4e1a641 100644 --- a/nix/os/devices/srv0-dmz0/flake.lock +++ b/nix/os/devices/srv0-dmz0/flake.lock 
@@ -7,43 +7,43 @@ ] }, "locked": { - "lastModified": 1703367386, - "narHash": "sha256-FMbm48UGrBfOWGt8+opuS+uLBLQlRfhiYXhHNcYMS5k=", + "lastModified": 1716736833, + "narHash": "sha256-rNObca6dm7Qs524O4st8VJH6pZ/Xe1gxl+Rx6mcWYo0=", "owner": "nix-community", "repo": "home-manager", - "rev": "d5824a76bc6bb93d1dce9ebbbcb09a9b6abcc224", + "rev": "a631666f5ec18271e86a5cde998cba68c33d9ac6", "type": "github" }, "original": { "owner": "nix-community", - "ref": "release-23.11", + "ref": "release-24.05", "repo": "home-manager", "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1703467016, - "narHash": "sha256-/5A/dNPhbQx/Oa2d+Get174eNI3LERQ7u6WTWOlR1eQ=", + "lastModified": 1717144377, + "narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "d02d818f22c777aa4e854efc3242ec451e5d462a", + "rev": "805a384895c696f802a9bf5bf4720f37385df547", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-23.11", + "ref": "nixos-24.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-master": { "locked": { - "lastModified": 1703766384, - "narHash": "sha256-PN7mpVqo/Rf/XIIJv7Kuc4MVvF349F9hBipcGjr4HNg=", + "lastModified": 1717242134, + "narHash": "sha256-2X835ZESUaQ/KZEuG9HkoEB7h0USG5uvkSUmLzFkxAE=", "owner": "nixos", "repo": "nixpkgs", - "rev": "05d50dc97a11f0382514bb062ce470ce7da20dfd", + "rev": "61c1d282153dbfcb5fe413c228d172d0fe7c2a7e", "type": "github" }, "original": { @@ -55,11 +55,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1703643441, - "narHash": "sha256-UsAtbIwxBuciNfiwY9g+jiLDyvYIaO5jai8avtAK+EE=", + "lastModified": 1717216113, + "narHash": "sha256-DniggN0kphCCBpGlS2WyDPoNqxQoRFlhN2GMk35OHiM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f930306a698f1ae7045cf3265693b7ebc9512f23", + "rev": "21959d8d44197094aebc74ead6ca4a53bcce0adb", "type": "github" }, "original": { diff --git a/nix/os/devices/srv0-dmz0/flake.nix b/nix/os/devices/srv0-dmz0/flake.nix index 991b38a..2f27989 100644 
--- a/nix/os/devices/srv0-dmz0/flake.nix +++ b/nix/os/devices/srv0-dmz0/flake.nix @@ -1,12 +1,12 @@ { - inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05"; inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small"; inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; inputs.home-manager = { - url = "github:nix-community/home-manager/release-23.11"; + url = "github:nix-community/home-manager/release-24.05"; inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix index fe0b621..9ddbde9 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix @@ -1,4 +1,4 @@ -{lib, ...}: { +_: { boot.loader.grub.efiSupport = true; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix index 28a63fb..b29548c 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix @@ -1,5 +1,6 @@ -{...}: { - disabledModules = []; +{ ... }: +{ + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix index 8815036..a89e29a 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -17,7 +18,8 @@ "xhci_hcd" "xhci_pci" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; 
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix index b6c8038..607e7f3 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix @@ -1,16 +1,8 @@ +{ config, pkgs, ... }: { - config, - pkgs, - lib, - ... -}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; @@ -20,7 +12,12 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; maxJobs = 4; } ]; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix index e677958..84bb74d 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix @@ -1,11 +1,4 @@ -{ - pkgs, - lib, - config, - ... -}: let - keys = import ../../../variables/keys.nix; -in { +_: { # TASK: new device networking.hostName = "srv0"; # Define your hostname. # networking.domain = "home-ch.stefanjunker.de"; @@ -37,7 +30,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; 
@@ -45,14 +38,20 @@ in { # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = {docker.enable = true;}; + virtualisation = { + docker.enable = true; + }; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; networking.useHostResolvConf = false; - services.resolved = {enable = true;}; + services.resolved = { + enable = true; + }; - containers = {}; + containers = { }; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix index bb546e6..1bc2086 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix @@ -4,7 +4,8 @@ let ref = "nixos-22.05"; rev = "040c6d8374d090f46ab0e99f1f7c27a4529ecffd"; }; -in { +in +{ inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix index 511138c..5817e21 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix @@ -6,7 +6,8 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.05 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix index a15e1aa..d009275 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix 
diff --git a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix index 6d8eadd..76ab1b9 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix @@ -1,4 +1,4 @@ -{...}: { +_: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix index 73d39d9..efe0db2 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix @@ -1,11 +1,7 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: let -in { services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"''; - users.groups.sgx = {}; + users.groups.sgx = { }; networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname. boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest; } diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix index 2b72309..e37d392 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix @@ -1,12 +1,9 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; +{ pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; -in { + inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; +in +{ users.extraUsers.sjunker = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; @@ -14,7 +11,7 @@ in { image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; }; - extraGroups = ["sgx"]; + extraGroups = [ "sgx" ]; subUidRanges = [ { diff --git a/nix/os/devices/steveej-pa600/boot.nix b/nix/os/devices/steveej-pa600/boot.nix index 4d8c1d1..639698f 100644 --- a/nix/os/devices/steveej-pa600/boot.nix +++ b/nix/os/devices/steveej-pa600/boot.nix 
@@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/steveej-pa600/configuration.nix b/nix/os/devices/steveej-pa600/configuration.nix index 37f4c61..68ad190 100644 --- a/nix/os/devices/steveej-pa600/configuration.nix +++ b/nix/os/devices/steveej-pa600/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-pa600/hw.nix b/nix/os/devices/steveej-pa600/hw.nix index a563c1a..651a6e2 100644 --- a/nix/os/devices/steveej-pa600/hw.nix +++ b/nix/os/devices/steveej-pa600/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -7,7 +8,8 @@ "xhci_pci" "hxci_hcd" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/steveej-pa600/pkg.nix b/nix/os/devices/steveej-pa600/pkg.nix index 1db742a..360c17b 100644 --- a/nix/os/devices/steveej-pa600/pkg.nix +++ b/nix/os/devices/steveej-pa600/pkg.nix @@ -1,11 +1,8 @@ -{pkgs, ...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ pkgs, ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; diff --git a/nix/os/devices/steveej-pa600/system.nix b/nix/os/devices/steveej-pa600/system.nix index 02256d8..2a4551a 100644 --- a/nix/os/devices/steveej-pa600/system.nix +++ b/nix/os/devices/steveej-pa600/system.nix 
@@ -1,11 +1,5 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - config, - ... -}: let - keys = import ../../../variables/keys.nix; -in { # TASK: new device networking.hostName = "steveej-pa600"; # Define your hostname. @@ -20,7 +14,11 @@ in { services.printing = { enable = true; - drivers = with pkgs; [hplip mfcl3770cdw.driver mfcl3770cdw.cupswrapper]; + drivers = with pkgs; [ + hplip + mfcl3770cdw.driver + mfcl3770cdw.cupswrapper + ]; }; services.fprintd.enable = true; @@ -29,9 +27,9 @@ in { sudo.fprintAuth = true; }; - security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; + security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; - services.xserver.videoDrivers = ["modesetting"]; + services.xserver.videoDrivers = [ "modesetting" ]; services.xserver.serverFlagsSection = '' Option "BlankTime" "0" Option "StandbyTime" "0" diff --git a/nix/os/devices/steveej-pa600/user.nix b/nix/os/devices/steveej-pa600/user.nix index 4b85fea..bb94098 100644 --- a/nix/os/devices/steveej-pa600/user.nix +++ b/nix/os/devices/steveej-pa600/user.nix @@ -1,12 +1,9 @@ -{ - config, - pkgs, - ... -}: let - passwords = import ../../../variables/passwords.crypt.nix; +{ pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; -in { + inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; +in +{ users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/steveej-pa600/versions.nix b/nix/os/devices/steveej-pa600/versions.nix index ce6b116..e7d4567 100644 --- a/nix/os/devices/steveej-pa600/versions.nix +++ b/nix/os/devices/steveej-pa600/versions.nix 
@@ -4,9 +4,12 @@ let ref = "nixos-20.09"; rev = "e065200fc90175a8f6e50e76ef10a48786126e1c"; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-pa600/versions.tmpl.nix b/nix/os/devices/steveej-pa600/versions.tmpl.nix index 96f7be3..08f1a43 100644 --- a/nix/os/devices/steveej-pa600/versions.tmpl.nix +++ b/nix/os/devices/steveej-pa600/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix index b32a198..9682eb6 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix index 14df96a..4af1def 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix @@ -1,4 +1,4 @@ -{...}: { +_: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix index 4329e5c..7f69ec0 100644 
--- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix @@ -1,3 +1,3 @@ -{...}: { +_: { networking.hostName = "steveej-rmvbl-mmc-SL32G_0x259093f6"; # Define your hostname. } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix index d49dbd3..861a9ea 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix @@ -1,11 +1,8 @@ -{...}: { - nixpkgs.config.packageOverrides = pkgs: - with pkgs; { - nixPath = - (import ../../../default.nix { - versionsPath = ./versions.nix; - }) - .nixPath; +{ ... }: +{ + nixpkgs.config.packageOverrides = + pkgs: with pkgs; { + inherit ((import ../../../default.nix { versionsPath = ./versions.nix; })) nixPath; }; imports = [ diff --git a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix index 408b2a9..c42f909 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix @@ -1,4 +1,4 @@ -{...}: { +_: { # TASK: new device hardware.opinionatedDisk.diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0"; hardware.opinionatedDisk.encrypted = true; diff --git a/nix/os/devices/steveej-rmvbl-sdep0/system.nix b/nix/os/devices/steveej-rmvbl-sdep0/system.nix index 5bad73f..d409681 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/system.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/system.nix @@ -1,4 +1,4 @@ -{...}: { +_: { networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname. system.stateVersion = "21.05"; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix index f8759b8..3771f25 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix 
@@ -2,35 +2,33 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-22.11"; - rev = '' - 0040164e473509b4aee6aedb3b923e400d6df10b''; + rev = ''0040164e473509b4aee6aedb3b923e400d6df10b''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = '' - d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; + rev = ''d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; }; "channels-nixos-unstable-small" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable-small"; - rev = '' - 9c34c8adba80180608794cce600b10183b048942''; + rev = ''9c34c8adba80180608794cce600b10183b048942''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = '' - f9adb566707a492bd3d17fee1e223695d939b52a''; + rev = ''f9adb566707a492bd3d17fee1e223695d939b52a''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; ref = "release-22.11"; - rev = '' - d6f3ba090ed090ae664ab5bac329654093aae725''; + rev = ''d6f3ba090ed090ae664ab5bac329654093aae725''; }; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix index a0fa34a..92abc4a 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix index 281d09e..d3ff0b5 100644 
--- a/nix/os/devices/steveej-t14/boot.nix +++ b/nix/os/devices/steveej-t14/boot.nix @@ -1,8 +1,5 @@ +{ lib, pkgs, ... }: { - lib, - pkgs, - ... -}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index 2a655c5..f5ccca0 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -1,5 +1,13 @@ -{...}: { +{ ... }: +{ imports = [ + ../../snippets/home-manager-with-zsh.nix + ../../snippets/nix-settings-holo-chain.nix + # TODO: double-check whether this works at all after the most recent changes + # ../../snippets/radicale.nix + ../../snippets/sway-desktop.nix + ../../snippets/timezone.nix + ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix ../../modules/opinionatedDisk.nix @@ -10,11 +18,9 @@ ./pkg.nix ./user.nix ./boot.nix - ./secrets.nix # samba seerver - ({ lib, ... }: { - + (_: { # networking.firewall.enable = lib.mkForce false; services.samba-wsdd.enable = true; # make shares visible for windows 10 clients networking.firewall.allowedTCPPorts = [ diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix index 15b7745..d7e6d28 100644 --- a/nix/os/devices/steveej-t14/default.nix +++ b/nix/os/devices/steveej-t14/default.nix 
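Review bot: The `# TODO: double-check whether this works at all ...` above the commented-out `../../snippets/radicale.nix` import should record that `./secrets.nix`, which declared the `radicale_htpasswd` sops secret, is removed from `imports` in the second hunk of this file and deleted in this commit, so re-enabling the snippet also means re-declaring that secret; e.g. `# TODO: radicale needs its htpasswd sops secret (former ./secrets.nix) re-declared before this import works again`. The `# samba seerver` typo in the context line is pre-existing but could be fixed while the module header below it is being rewritten to `(_: {`.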
@@ -3,33 +3,25 @@ repoFlake, repoFlakeWithSystem, nodeFlake, -}: let + ... +}: +let system = "x86_64-linux"; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - overlays = [ - (final: prev: { - # FIXME: why are these not effective in for the configuration.nix below? - }) - ]; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = nodeName; deployment.replaceUnknownProfiles = false; deployment.allowLocalDeployment = true; - imports = [ - (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") - - nodeFlake.inputs.home-manager.nixosModules.home-manager - ]; + imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; }; } diff --git a/nix/os/devices/steveej-t14/flake.nix b/nix/os/devices/steveej-t14/flake.nix index 357ecab..504ce45 100644 --- a/nix/os/devices/steveej-t14/flake.nix +++ b/nix/os/devices/steveej-t14/flake.nix @@ -3,7 +3,6 @@ inputs.nixpkgs-2305.url = "github:nixos/nixpkgs/nixos-23.05"; inputs.nixpkgs-2311.url = "github:nixos/nixpkgs/nixos-23.11"; inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; - inputs.nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master"; inputs.nixpkgs.follows = "nixpkgs-2311"; @@ -13,5 +12,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index 5c8c9b4..0fa593a 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix 
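Review bot: Dropping `nodeFlake.inputs.home-manager.nixosModules.home-manager` from `imports` leaves nothing visible in this file that provides the `home-manager.users.*` options that pkg.nix still sets; presumably `../../snippets/home-manager-with-zsh.nix`, added to configuration.nix in this commit, imports the module, but that should be stated here, e.g. `# home-manager's NixOS module is imported via snippets/home-manager-with-zsh.nix`. If the snippet imports the module from a different flake input than `nodeFlake.inputs.home-manager`, the home-manager revision pinned for this node silently changes; worth confirming against the snippet.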
@@ -1,43 +1,17 @@ -{lib, ...}: let - stage1Modules = [ - "aesni_intel" - "kvm_amd" - "nvme" - "nvme_core" - - "thunderbolt" - "e1000e" - - "usbcore" - "xhci_hcd" - "usbnet" - "snd_usb_audio" - "usbhid" - "snd_usbmidi_lib" - "cdc_mbim" - "cdc_ncm" - "usb_storage" - "cdc_wdm" - "uvcvideo" - "btusb" - "xhci_pci" - "cdc_ether" - "uas" - ]; -in { +_: { # TASK: new device hardware.opinionatedDisk = { enable = true; encrypted = true; diskId = "nvme-WD_BLACK_SN850X_4000GB_2227DT443901"; - earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0"; + earlyDiskIdOverride = "usb-JMicron_Generic_0123456789ABCDEF-0:0"; }; # boot.loader.grub.device = lib.mkForce "/dev/disk/by-id/usb-JMicron_Generic_0123456789ABCDEF-0:0"; # see https://linrunner.de/tlp/ services.tlp = { - enable = true; + enable = false; settings = { CPU_DRIVER_OPMODE_ON_AC = "active"; CPU_DRIVER_OPMODE_ON_BAT = "passive"; @@ -81,26 +55,66 @@ in { # #DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"; # #DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"; - SATA_LINKPWR_ON_AC = "maax_performance"; + SATA_LINKPWR_ON_AC = "max_performance"; SATA_LINKPWR_ON_BAT = "min_power"; }; }; # see https://www.kernel.org/doc/html/v6.6/admin-guide/laptops/thinkpad-acpi.html#fan-control-and-monitoring-fan-speed-fan-enable-disable services.thinkfan = { - enable = true; + enable = false; levels = [ # ["level auto" 0 60] - [0 0 60] - [1 60 65] - [1 65 75] - [2 75 78] - [3 78 80] - [4 80 82] - [5 82 84] - [6 84 86] - [7 86 88] - ["level full-speed" 88 999] + [ + 0 + 0 + 60 + ] + [ + 1 + 60 + 65 + ] + [ + 1 + 65 + 75 + ] + [ + 2 + 75 + 78 + ] + [ + 3 + 78 + 80 + ] + [ + 4 + 80 + 82 + ] + [ + 5 + 82 + 84 + ] + [ + 6 + 84 + 86 + ] + [ + 7 + 86 + 88 + ] + [ + "level full-speed" + 88 + 999 + ] ]; extraArgs = [ 
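Review bot: `services.tlp.enable` is flipped to `false` while the whole `settings` block (including the `SATA_LINKPWR_ON_AC` typo fix) is kept, and `services.thinkfan.enable` is flipped to `false` in the next hunk with its `levels` table expanded rather than removed; neither change says why power management and fan control are being turned off. A one-line comment such as `# disabled: <reason — placeholder>` on each `enable = false;` would stop the next reader from re-enabling them, or the now-dead settings should go. If the thinkfan levels table is being kept as the record of a tested fan curve, saying so next to it would also be useful.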
@@ -110,6 +124,20 @@ in { }; hardware.enableRedistributableFirmware = true; - # boot.initrd.availableKernelModules = stage1Modules; - boot.initrd.kernelModules = stage1Modules; + boot.initrd.kernelModules = [ + "aesni_intel" + "kvm_amd" + "nvme" + "nvme_core" + + "thunderbolt" + "e1000e" + + "usbcore" + "xhci_hcd" + "usbhid" + "usb_storage" + "xhci_pci" + "uas" + ]; } diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix index 1ff1a59..4e53eaf 100644 --- a/nix/os/devices/steveej-t14/pkg.nix +++ b/nix/os/devices/steveej-t14/pkg.nix @@ -1,11 +1,9 @@ +{ pkgs, ... }: { - pkgs, - lib, - repoFlake, - nodeFlake, - ... -}: { + system.stateVersion = "23.05"; + home-manager.users.root = _: { home.stateVersion = "22.05"; }; home-manager.users.steveej = _: { + home.stateVersion = "22.05"; imports = [ ../../../home-manager/configuration/graphical-fullblown.nix @@ -16,11 +14,9 @@ }) ]; - home.sessionVariables = { - }; + home.sessionVariables = { }; - home.packages = with pkgs; [ - ]; + home.packages = with pkgs; [ ]; }; # TODO: fix the following errors with regreet 
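Review bot: The inlined `boot.initrd.kernelModules` list forces every listed module to load in stage 1, whereas the removed `# boot.initrd.availableKernelModules = stage1Modules;` line shows the probe-on-demand variant was considered; the USB storage modules are plausibly required because the encrypted disk is unlocked via the USB device named by `earlyDiskIdOverride` in the first hunk of this file, but that reasoning is not recorded. A comment like `# forced rather than availableKernelModules: the early disk is the USB device in earlyDiskIdOverride, so USB storage must be up before unlock` would make the list self-explaining. Dropping `usbnet`, `snd_usb_audio`, `snd_usbmidi_lib`, `cdc_*`, `uvcvideo` and `btusb` from the old `stage1Modules` looks right, since none of them are needed to reach the root disk.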
@@ -34,50 +30,33 @@ # # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. - services.greetd = let - # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" - swayConfig = pkgs.writeText "greetd-sway-config" '' - # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. - exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" - bindsym Mod4+shift+e exec swaynag \ - -t warning \ - -m 'What do you want to do?' \ - -b 'Poweroff' 'systemctl poweroff' \ - -b 'Reboot' 'systemctl reboot' - ''; - in { - enable = false; - settings = { - vt = 1; - default_session = { - command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; + services.greetd = + let + # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" + swayConfig = pkgs.writeText "greetd-sway-config" '' + # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. + exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" + bindsym Mod4+shift+e exec swaynag \ + -t warning \ + -m 'What do you want to do?' 
\ + -b 'Poweroff' 'systemctl poweroff' \ + -b 'Reboot' 'systemctl reboot' + ''; + in + { + enable = false; + settings = { + vt = 1; + default_session = { + command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; + }; }; }; - }; environment.etc."greetd/environments".text = '' sway ''; - - # autologin steveej on tty1 - systemd.services."autovt@tty1".description = "Autologin at the TTY1"; - systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty - systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; - systemd.services."autovt@tty1".serviceConfig = - { ExecStart = [ - "" # override upstream default with an empty ExecStart - "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM" - ]; - Restart = "always"; - Type = "idle"; - }; - programs.zsh.loginShellInit = '' - if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then - exec sway - fi - ''; - # fonts = let # prefs.font = rec { # size = 13; 
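Review bot: With the `autovt@tty1` autologin unit and the `programs.zsh.loginShellInit` `exec sway` removed here and `services.greetd` left at `enable = false`, this file no longer shows any path that starts a session; presumably `../../snippets/sway-desktop.nix`, imported in configuration.nix in this commit, now owns it, but a reader of pkg.nix cannot tell. Either delete the dead greetd block or annotate it, e.g. `# greetd kept for reference; login and session start are handled by snippets/sway-desktop.nix`. Removing the passwordless `--autologin steveej` on tty1 is itself a welcome change.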
@@ -121,43 +100,4 @@ # # }; # # }; # }; - - security.pam.services.getty.enableGnomeKeyring = true; - services.gnome.gnome-keyring.enable = true; - - # rtkit is optional but recommended - security.rtkit.enable = true; - services.pipewire = { - audio.enable = true; - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - # If you want to use JACK applications, uncomment this - #jack.enable = true; - }; - - # required by swaywm - security.polkit.enable = true; - security.pam.services.swaylock = {}; - - # test these on https://mozilla.github.io/webrtc-landing/gum_test.html - xdg.portal = { - enable = true; - # FIXME: `true` breaks xdg-open from alacritty: - # $ xdg-open "https://github.com/" - # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop - xdgOpenUsePortal = false; - extraPortals = [ - pkgs.xdg-desktop-portal-wlr - pkgs.xdg-desktop-portal-gtk - - # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr - # (pkgs.xdg-desktop-portal-gtk.override (_: { - # buildPortalsInGnome = false; - # })) - ]; - }; - - system.stateVersion = "23.05"; } diff --git a/nix/os/devices/steveej-t14/secrets.nix b/nix/os/devices/steveej-t14/secrets.nix deleted file mode 100644 index a97d67d..0000000 --- a/nix/os/devices/steveej-t14/secrets.nix +++ /dev/null @@ -1,7 +0,0 @@ -{config, ...}: { - sops.secrets.radicale_htpasswd = { - sopsFile = ../../../../secrets/steveej-t14/radicale_htpasswd; - format = "binary"; - owner = config.users.users.steveej.name; - }; -} diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index 3e35163..db19a3b 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix 
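Review bot: `security.pam.services.swaylock = {}` is removed together with polkit, pipewire, gnome-keyring and the xdg portal configuration; if the new sway-desktop snippet does not re-declare the swaylock PAM service, swaylock cannot authenticate and the lock screen can no longer be unlocked, which is the one removal here that fails closed rather than open. Worth confirming the snippet carries that line and `security.polkit.enable`, and noting the move in this file, e.g. `# desktop services (pipewire, polkit, swaylock PAM, portals) are declared in snippets/sway-desktop.nix`. `system.stateVersion = "23.05"` is moved to the top of this file in the first hunk rather than dropped, so that one is fine.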
@@ -1,13 +1,11 @@ -{ pkgs -, lib -, config -, nodeName -, repoFlake -, ... +{ + pkgs, + lib, + config, + repoFlake, + ... }: let - passwords = import ../../../variables/passwords.crypt.nix; - localTcpPorts = [ 22 @@ -23,18 +21,11 @@ let 22000 21027 ]; - in { - imports = [ - ../../snippets/nix-settings-holo-chain.nix - ]; - nix.settings = { - substituters = [ - ]; - trusted-public-keys = [ - ]; + substituters = [ ]; + trusted-public-keys = [ ]; }; nix.distributedBuilds = true; @@ -47,12 +38,24 @@ in system = "x86_64-linux"; maxJobs = 32; speedFactor = 100; - supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [ ]; + supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features; + } + + { + hostName = repoFlake.colmena.sj-bm-hostkey0.deployment.targetHost; + # TODO: make this a reference + sshUser = "nix-remote-builder"; + protocol = "ssh-ng"; + system = "aarch64-linux"; + maxJobs = 32; + speedFactor = 100; + supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features; } ]; - networking.extraHosts = '' - ''; + networking.networkmanager.enable = true; + + networking.extraHosts = ''''; networking.bridges."virbr1".interfaces = [ ]; networking.interfaces."virbr1".ipv4.addresses = [ @@ -87,7 +90,9 @@ in # virtualization virtualisation = { - libvirtd = { enable = true; }; + libvirtd = { + enable = true; + }; virtualbox.host = { enable = false; 
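Review bot: In the @@ -47,12 +38,24 @@ hunk the new sj-bm-hostkey0 build machine takes `supportedFeatures` from `repoFlake.nixosConfigurations.router0-dmz0`, so the feature list advertised for this builder describes a different host; `supportedFeatures = repoFlake.nixosConfigurations.sj-bm-hostkey0.config.nix.settings.system-features;` would keep it tied to the machine it targets, the same way the preceding entry was just switched to its own configuration (assuming that nixosConfiguration exists, which this file does not show). The entry also sets neither `sshKey` nor `publicHostKey`, so the daemon falls back to root's SSH configuration and known_hosts for a builder whose returned outputs Nix trusts as-is; pinning the builder via `publicHostKey` (as the first entry's TODO hints at for sshUser) would make that trust explicit and reviewable. The enclosing `nix.buildMachines` list starts outside the hunk.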
@@ -104,64 +109,12 @@ in services.samba.extraConfig = '' # client min protocol = NT1 ''; - services.gvfs = { - enable = true; - package = lib.mkForce pkgs.gnome3.gvfs; - }; - environment.systemPackages = with pkgs; [ lxqt.lxqt-policykit ]; # provides a default authentification client for policykit security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; - services.xserver.serverFlagsSection = '' - Option "BlankTime" "0" - Option "StandbyTime" "0" - Option "SuspendTime" "0" - Option "OffTime" "0" - ''; - - time.timeZone = lib.mkForce passwords.timeZone.stefan; hardware.ledger.enable = true; - # services.zerotierone = { - # enable = false; - # joinNetworks = [ - # # moved to the service below as it's now secret - # ]; - # }; - - # systemd.services.zerotieroneSecretNetworks = { - # enable = false; - # requiredBy = [ "zerotierone.service" ]; - # partOf = [ "zerotierone.service" ]; - - # serviceConfig.Type = "oneshot"; - # serviceConfig.RemainAfterExit = true; - - # script = - # let - # secret = config.sops.secrets.zerotieroneNetworks; - # in - # '' - # # include the secret's hash to trigger a restart on change - # # ${builtins.hashString "sha256" (builtins.toJSON secret)} - - # ${config.systemd.services.zerotierone.preStart} - - # rm -rf /var/lib/zerotier-one/networks.d/*.conf - # for network in `grep -v '#' ${secret.path}`; do - # touch /var/lib/zerotier-one/networks.d/''${network}.conf - # done - # ''; - # }; - - sops.secrets.zerotieroneNetworks = { - sopsFile = ../../../../secrets/zerotierone.txt; - format = "binary"; - }; - - boot.binfmt.emulatedSystems = [ - "aarch64-linux" - ]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; } diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index ece9cec..dacf1f4 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix 
@@ -1,19 +1,16 @@ -{ - config, - pkgs, - lib, - ... -}: let +{ config, pkgs, ... }: +let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; -in { - users.extraUsers.steveej2 = mkUser { + inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; +in +{ + users.users.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; - passwordFile = config.sops.secrets.sharedUsers-steveej.path; + hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; }; - nix.settings.trusted-users = ["steveej"]; + nix.settings.trusted-users = [ "steveej" ]; security.pam.u2f.enable = true; security.pam.services.steveej.u2fAuth = true; diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix index 06cc7d1..76a34c8 100644 --- a/nix/os/devices/steveej-utilitepro/configuration.nix +++ b/nix/os/devices/steveej-utilitepro/configuration.nix @@ -1,13 +1,11 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ - config, - pkgs, - ... -}: let +{ config, pkgs, ... }: +let passwords = import ../common/passwords.crypt.nix; -in { +in +{ # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "16.03"; nix.maxJobs = 4; 
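Review bot: `hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path;` only yields a usable password if the sops secret is available when users are created during activation, which for sops-nix means the secret must be declared with `neededForUsers = true`; that declaration is not in this file, so it is worth confirming where `sharedUsers-steveej` is defined. If it is missing, a fresh activation creates steveej2 without a password hash and the u2f PAM settings below are the only thing standing in for it. The utilitepro configuration.nix hunk that shares this line is formatting only.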
@@ -19,22 +17,18 @@ in { ''; nixpkgs.config = { - packageOverrides = super: let - self = super.pkgs; - in { + packageOverrides = super: { linux_4_1 = super.linux_4_1.override { - kernelPatches = - super.linux_4_1.kernelPatches - ++ [ - { - patch = ./patches/utilitepro-kernel-dts.patch; - name = "utilitepro-dts"; - } - { - patch = ./patches/utilitepro-kernel-dts-Makefile.patch; - name = "utilitepro-dts-Makefile"; - } - ]; + kernelPatches = super.linux_4_1.kernelPatches ++ [ + { + patch = ./patches/utilitepro-kernel-dts.patch; + name = "utilitepro-dts"; + } + { + patch = ./patches/utilitepro-kernel-dts-Makefile.patch; + name = "utilitepro-dts-Makefile"; + } + ]; # add "CONFIG_PPP_FILTER y" option to the set of kernel options extraConfig = '' BTRFS_FS y @@ -279,7 +273,10 @@ in { uid = 1000; isNormalUser = true; home = "/home/steveej"; - extraGroups = ["wheel" "libvirtd"]; + extraGroups = [ + "wheel" + "libvirtd" + ]; # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.steveej; openssh.authorizedKeys.keys = [ diff --git a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix index a325b30..1d3e463 100644 --- a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix +++ b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix @@ -1,17 +1,13 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. +{ ... }: { - config, - lib, - pkgs, - ... -}: { - imports = []; + imports = [ ]; - boot.initrd.availableKernelModules = []; - boot.kernelModules = []; - boot.extraModulePackages = []; + boot.initrd.availableKernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; hardware.enableAllFirmware = true; 
@@ -24,5 +20,5 @@ device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66"; }; - swapDevices = []; + swapDevices = [ ]; } diff --git a/nix/os/devices/voodoo/.gitignore b/nix/os/devices/steveej-x13s-rmvbl/.gitignore similarity index 100% rename from nix/os/devices/voodoo/.gitignore rename to nix/os/devices/steveej-x13s-rmvbl/.gitignore diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix new file mode 100644 index 0000000..39e93de --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix 
@@ -0,0 +1,176 @@ +{ + repoFlake, + nodeFlake, + pkgs, + lib, + config, + nodeName, + system, + ... +}: +{ + nixos-x13s = { + enable = true; + # TODO: use hardware address + bluetoothMac = "65:9e:7a:8b:86:28"; + }; + + systemd.services.bluetooth-mac = { + enable = true; + path = [ + pkgs.systemd + pkgs.util-linux + pkgs.bluez5-experimental + pkgs.expect + ]; + script = '' + # TODO: this may not be required + while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do + echo Waiting for bluetooth firmware to complete + echo sleep 1 + done + + ( + # best effort + set +e + rfkill block bluetooth + echo $? + btmgmt public-addr ${config.nixos-x13s.bluetoothMac} + echo $? + rfkill unblock bluetooth + echo $? + ) + ''; + requiredBy = [ "bluetooth.service" ]; + before = [ "bluetooth.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + + # we need a tty, otherwise btmgmt will hang + StandardInput = "tty"; + TTYPath = "/dev/tty2"; + TTYReset = "yes"; + TTYVHangup = "yes"; + }; + }; + + imports = [ + nodeFlake.inputs.nixos-x13s.nixosModules.default + + repoFlake.inputs.sops-nix.nixosModules.sops + nodeFlake.inputs.disko.nixosModules.disko + ./disko.nix + + ../../snippets/nix-settings.nix + ../../profiles/common/user.nix + + { + services.openssh.enable = true; + services.openssh.settings.PermitRootLogin = "yes"; + services.openssh.openFirewall = true; + + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; + + users.commonUsers = { + enable = true; + enableNonRoot = true; + }; + } + + ../../snippets/home-manager-with-zsh.nix + ../../snippets/sway-desktop.nix + ../../snippets/bluetooth.nix + ../../snippets/timezone.nix + ../../snippets/radicale.nix + ]; + + networking.hostName = nodeName; + networking.firewall.enable = true; + networking.networkmanager.enable = true; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = [ + pkgs.sshfs + pkgs.util-linux + 
pkgs.coreutils + pkgs.vim + + pkgs.git + pkgs.git-crypt + ]; + + system.stateVersion = "23.11"; + home-manager.users.root = _: { home.stateVersion = "23.11"; }; + home-manager.users.steveej = _: { + home.stateVersion = "23.11"; + + imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; + + home.sessionVariables = { }; + + home.packages = with pkgs; [ ]; + + # TODO: currently unsupported + services.gammastep.enable = lib.mkForce false; + # programs.chromium.enable = lib.mkForce false; + }; + + boot = { + loader.systemd-boot.enable = true; + loader.efi.canTouchEfiVariables = lib.mkForce false; + loader.efi.efiSysMountPoint = "/boot"; + blacklistedKernelModules = [ "wwan" ]; + + initrd.kernelModules = [ + "uas" + "usb_storage" + + "phy_qcom_qmp_pcie" + "phy_qcom_qmp_combo" + "phy_qcom_snps_femto_v2" + "phy_qcom_qmp_pcie" + "phy_qcom_qmp_usb" + "xhci-pci-renesas" + + "msm" + ]; + + initrd.extraFiles = { + "firmware/qcom/sc8280xp/LENOVO/21BX/adspr.jsn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/adspua.jsn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/audioreach-tplg.bin".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/battmgr.jsn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/cdspr.jsn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/qcadsp8280.mbn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware; + "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = + nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; + }; + }; + + hardware.firmware = [ + pkgs.linux-firmware + nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware" + ]; + + hardware.enableAllFirmware = true; + + # see 
https://linrunner.de/tlp/ + services.tlp = { + enable = true; + settings = { + START_CHARGE_THRESH_BAT0 = "80"; + STOP_CHARGE_THRESH_BAT0 = "85"; + }; + }; + + # android on linux + virtualisation.waydroid.enable = true; + virtualisation.podman.enable = true; + virtualisation.podman.dockerCompat = true; +} diff --git a/nix/os/devices/voodoo/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix similarity index 51% rename from nix/os/devices/voodoo/default.nix rename to nix/os/devices/steveej-x13s-rmvbl/default.nix index e43dbc4..2ba48d2 100644 --- a/nix/os/devices/voodoo/default.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/default.nix @@ -1,35 +1,36 @@ { - system ? "i586-linux", + system ? "aarch64-linux", nodeName, repoFlake, + repoFlakeWithSystem, nodeFlake, localDomainName ? "internal", ... -}: { +}: +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system; + inherit + repoFlake + nodeName + nodeFlake + system + ; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; deployment.replaceUnknownProfiles = true; + deployment.allowLocalDeployment = true; # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - imports = [ - ./configuration.nix - ]; - - networking.hostName = nodeName; + imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; }; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix new file mode 100644 index 0000000..2eb097a --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/disko.nix 
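Review bot: In the `bluetooth-mac` service script, `echo sleep 1` inside the `while ! (journalctl -b0 | grep ...)` loop prints the words instead of pausing, so until the firmware message shows up the unit spins running journalctl and grep back to back; the line should read `sleep 1` (optionally keeping the "Waiting for bluetooth firmware" echo above it). The identical script is introduced as `systemd.services.bluetooth-x13s-mac` in the steveej-x13s/configuration.nix hunk and needs the same change. The hard-coded `bluetoothMac` already carries a TODO; a short comment stating that the value is a placeholder rather than the device's real address would keep it from being copied to further hosts as-is.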
@@ -0,0 +1,73 @@ +{ + disko.devices = { + disk = { + voyager-gtx = { + type = "disk"; + device = "/dev/disk/by-id/ata-Corsair_Voyager_GTX_21488170000126002054"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "x13s-usb-crypt"; + extraOpenArgs = [ ]; + # disable settings.keyFile if you want to use interactive password entry + #passwordFile = "/tmp/secret.key"; # Interactive + settings = { + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + # keyFile = "/tmp/secret.key"; + allowDiscards = true; + }; + # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "32G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.lock b/nix/os/devices/steveej-x13s-rmvbl/flake.lock new file mode 100644 index 0000000..dcc457f --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.lock 
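Review bot: `allowDiscards = true` on the LUKS container passes TRIM through to the Corsair USB drive, which exposes which blocks are in use (and hence filesystem size and layout) to anyone inspecting the raw device; that is the usual flash-wear trade-off, but on a removable drive it deserves a one-line comment such as `# discards reveal block-usage patterns through the encryption; accepted for flash wear`. The same setting appears in the steveej-x13s/disko.nix hunk. The surrounding `keyFile`/`passwordFile` comments describe options that are not used here, so trimming them to the interactive-passphrase case would make the intent clearer.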
@@ -0,0 +1,194 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705890365, + "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=", + "owner": "nix-community", + "repo": "disko", + "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9", + "type": "github" + }, + "original": { + "id": "disko", + "type": "indirect" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1704982712, + "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "get-flake": { + "locked": { + "lastModified": 1694475786, + "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", + "owner": "ursi", + "repo": "get-flake", + "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", + "type": "github" + }, + "original": { + "owner": "ursi", + "repo": "get-flake", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1705659542, + "narHash": "sha256-WA3xVfAk1AYmFdwghT7mt/erYpsU6JPu9mdTEP/e9HQ=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "10cd9c53115061aa6a0a90aad0b0dde6a999cdb9", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-23.11", + "repo": "home-manager", + "type": "github" + } + }, + "mobile-nixos": { + "flake": false, + "locked": { + "lastModified": 1705008488, + "narHash": "sha256-Gj97fDFZaK6gLb3ayZgTTtD+MFE1YjoyYHWkB1TIAe0=", + "owner": "NixOS", + "repo": "mobile-nixos", + "rev": "56e55df7b07b5e5c6d050732d851cec62b41df95", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "mobile-nixos", + "type": "github" + } + }, + "nixos-x13s": { + "inputs": { + "flake-parts": "flake-parts", + 
"nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1706097550, + "narHash": "sha256-rR4HMpUlT7SbVPxQIvWH0DsxaEQcjTLqLrst2xoT1CY=", + "ref": "refs/heads/main", + "rev": "732a0f1549996740bdb06989599a5f0653de5056", + "revCount": 6, + "type": "git", + "url": "https://codeberg.org/steveej/nixos-x13s" + }, + "original": { + "type": "git", + "url": "https://codeberg.org/steveej/nixos-x13s" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1705916986, + "narHash": "sha256-iBpfltu6QvN4xMpen6jGGEb6jOqmmVQKUrXdOJ32u8w=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "d7f206b723e42edb09d9d753020a84b3061a79d8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-2211": { + "locked": { + "lastModified": 1688392541, + "narHash": "sha256-lHrKvEkCPTUO+7tPfjIcb7Trk6k31rz18vkyqmkeJfY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ea4c80b39be4c09702b0cb3b42eab59e2ba4f24b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1703961334, + "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", + "type": "github" + }, + "original": { + "dir": "lib", + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable-small": { + "locked": { + "lastModified": 1706022028, + "narHash": "sha256-F8Gv4R4K/AvS3+6pWd8wlnw4Vhgf7bcszy7i8XPbzA0=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "15ff1758e7816331033baa14eebbea68626128f3", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "get-flake": "get-flake", + "home-manager": 
"home-manager", + "mobile-nixos": "mobile-nixos", + "nixos-x13s": "nixos-x13s", + "nixpkgs": "nixpkgs", + "nixpkgs-2211": "nixpkgs-2211", + "nixpkgs-unstable-small": "nixpkgs-unstable-small" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix new file mode 100644 index 0000000..043907d --- /dev/null +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix 
@@ -0,0 +1,87 @@ +{ + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; + + # required for home-manager modules + nixpkgs-unstable-small.url = "github:nixos/nixpkgs/nixos-unstable-small"; + nixpkgs-2211.url = "github:nixos/nixpkgs/nixos-22.11"; + + get-flake.url = "github:ursi/get-flake"; + + disko.inputs.nixpkgs.follows = "nixpkgs"; + + mobile-nixos.url = "github:NixOS/mobile-nixos"; + mobile-nixos.flake = false; + + home-manager = { + url = "github:nix-community/home-manager/release-23.11"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + nixos-x13s.url = "git+https://codeberg.org/steveej/nixos-x13s"; + nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + }; + + outputs = + { + self, + get-flake, + nixpkgs, + ... + }: + let + system = "aarch64-linux"; + buildPlatform = "x86_64-linux"; + repoFlake = get-flake ../../../..; + in + { + lib = { + mkNixosConfiguration = + { + nodeName, + extraModules ? [ ], + ... + }@attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + inherit system; + inherit nodeName repoFlake; + + nodeFlake = self; + }).meta.nodeSpecialArgs.${nodeName}; + + modules = extraModules; + } + ); + }; + + nixosConfigurations = + let + nodeName = "steveej-x13s-rmvbl"; + in + { + native = self.lib.mkNixosConfiguration { + inherit system nodeName; + extraModules = [ + ./configuration.nix + + { users.commonUsers.installPassword = "install"; } + ]; + }; + + cross = self.lib.mkNixosConfiguration { + inherit nodeName; + extraModules = [ + ./configuration.nix + + { + nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = system; + } + ]; + }; + }; + }; +} diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index 8bbc5c9..d5c9475 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix 
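Review bot: The `native` configuration bakes `{ users.commonUsers.installPassword = "install"; }` into the flake, while the configuration.nix it imports sets `services.openssh.settings.PermitRootLogin = "yes"` with `openFirewall = true` and NetworkManager enabled; if installPassword does what its name suggests, a system built from `native` accepts password SSH logins with a value committed in plain text. Consider moving that line into an install-time-only module that is not part of the deployed configuration, or pairing it with `services.openssh.settings.PermitRootLogin = "prohibit-password";` so the fixed password only works on the console. The `cross` variant does not set the password, so the two configurations differ in a way a short comment should call out.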
@@ -1,82 +1,287 @@ -{ repoFlake -, pkgs -, lib -, config -, nodeFlake -, nodeName -, localDomainName -, system -, ... -}: - { + repoFlake, + nodeFlake, + pkgs, + lib, + config, + nodeName, + system, + ... +}: +{ + nixpkgs.overlays = [ nodeFlake.overlays.default ]; + + nixos-x13s = { + enable = true; + # TODO: use hardware address + bluetoothMac = "65:9e:7a:8b:86:28"; + kernel = "jhovold"; + }; + + services.illum.enable = true; + + # printint and autodiscovery of printers + services.printing.enable = true; + services.printing.drivers = [ pkgs.hplip ]; + services.avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; + hardware.sane.enable = true; # enables support for SANE scanners + + systemd.services.bluetooth-x13s-mac = lib.mkForce { + enable = true; + path = [ + pkgs.systemd + pkgs.util-linux + pkgs.bluez5-experimental + pkgs.expect + ]; + script = '' + # TODO: this may not be required + while ! (journalctl -b0 | grep 'Bluetooth: hci0: QCA setup on UART is completed'); do + echo Waiting for bluetooth firmware to complete + echo sleep 1 + done + + ( + # best effort + set +e + rfkill block bluetooth + echo $? + btmgmt public-addr ${config.nixos-x13s.bluetoothMac} + echo $? + rfkill unblock bluetooth + echo $? 
+ ) + ''; + requiredBy = [ "bluetooth.service" ]; + before = [ "bluetooth.service" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + + # we need a tty, otherwise btmgmt will hang + StandardInput = "tty"; + TTYPath = "/dev/tty2"; + TTYReset = "yes"; + TTYVHangup = "yes"; + }; + }; + imports = [ - # repoFlake.inputs.sops-nix.nixosModules.sops + nodeFlake.inputs.nixos-x13s.nixosModules.default - # ../../profiles/common/user.nix + repoFlake.inputs.sops-nix.nixosModules.sops + nodeFlake.inputs.disko.nixosModules.disko + ./disko.nix + ../../profiles/common/user.nix + + ../../snippets/nix-settings.nix + ../../snippets/nix-settings-holo-chain.nix + ../../snippets/mycelium.nix + + nodeFlake.inputs.extra-container.nixosModules.default { - nix.nixPath = [ - "nixpkgs=${pkgs.path}" - ]; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - ]; - - nix.settings.max-jobs = lib.mkDefault "auto"; - nix.settings.cores = lib.mkDefault 0; + networking.nat = { + enable = true; + internalInterfaces = ["ve-+"]; + # externalInterface = "enu1u1u2"; + # Lazy IPv6 connectivity for the container + # enableIPv6 = true; + }; } + # TODO: broken with: v4l2loopback-0.13.2-6.13.0-rc3.drv + # make: *** [Makefile:53: v4l2loopback.ko] Error 2 + # ../../snippets/obs-studio.nix { services.openssh.enable = true; services.openssh.settings.PermitRootLogin = "yes"; + services.openssh.openFirewall = true; - # users.commonUsers = { - # enable = true; - # enableNonRoot = false; - # rootPasswordFile = config.sops.secrets.passwords-root.path; - # }; + sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; + sops.defaultSopsFormat = "yaml"; - users.users.root.password = "install"; + users.commonUsers = { + enable = true; + enableNonRoot = true; + }; - # sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # sops.defaultSopsFormat = "yaml"; + sops.secrets.builder-private-key = { }; + nix.distributedBuilds = true; + nix.buildMachines = [ + # test 
these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=/run/secrets/builder-private-key' + { + hostName = "buildbot-nix-0.infra.holochain.org"; + sshUser = "nix-remote-builder"; + sshKey = config.sops.secrets.builder-private-key.path; + protocol = "ssh-ng"; + systems = [ "x86_64-linux" ]; + supportedFeatures = [ + "big-parallel" + "kvm" + "nixos-test" + ]; + maxJobs = 16; + } - # sops.secrets.passwords-root.neededForUsers = true; + { + hostName = "aarch64-linux-builder-0.infra.holochain.org"; + sshUser = "nix-remote-builder"; + sshKey = config.sops.secrets.builder-private-key.path; + protocol = "ssh-ng"; + systems = [ "aarch64-linux" ]; + supportedFeatures = [ + "big-parallel" + "kvm" + "nixos-test" + ]; + maxJobs = 8; + } + + { + hostName = "x64-linux-dev-01.dev.infra.holochain.org"; + sshUser = "nix-remote-builder"; + sshKey = config.sops.secrets.builder-private-key.path; + protocol = "ssh-ng"; + systems = [ + # "x86_64-linux" + "aarch64-linux" + ]; + supportedFeatures = [ + "big-parallel" + "kvm" + "nixos-test" + ]; + maxJobs = 0; + } + ]; } + + { + # yubikey / smartcard. only set to `true` for `ykman piv` commands. + services.pcscd.enable = false; + } + + # TODO: create syncthing os snippet + ( + let + tcp = [ 22000 ]; + udp = [ + 22000 + 21027 + ]; + in + { + # TODO: upstream feature for inverse rule to work: `! 
--in-interface zt+` + networking.firewall.interfaces."en+".allowedTCPPorts = tcp; + networking.firewall.interfaces."en+".allowedUDPPorts = udp; + networking.firewall.interfaces."wl+".allowedTCPPorts = tcp; + networking.firewall.interfaces."wl+".allowedUDPPorts = udp; + + networking.firewall.allowedTCPPorts = [ + # iperf3 + 5201 + ]; + } + ) + + ../../snippets/home-manager-with-zsh.nix + ../../snippets/sway-desktop.nix + ../../snippets/bluetooth.nix + ../../snippets/timezone.nix + ../../snippets/radicale.nix + + ../../snippets/holo-zerotier.nix + + # ../../snippets/k3s-w-nix-snapshotter.nix ]; - networking = { - hostName = nodeName; - useNetworkd = false; - - networkmanager.enable = false; - - firewall.enable = false; - }; - - system.stateVersion = "23.11"; - - # We exclude a number of modules included in the default list. A non-insignificant amount do - # not apply to embedded hardware like this, so simply skip the defaults. - # - # Custom kernel is required as a lot of MTK components misbehave when built as modules. - # They fail to load properly, leaving the system without working ethernet, they'll oops on - # remove. MTK-DSA parts and PCIe were observed to do this. 
- - # boot.initrd.includeDefaultModules = false; - # boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"]; - # boot.initrd.availableKernelModules = ["nvme"]; + networking.hostName = nodeName; + networking.firewall.enable = true; + networking.networkmanager.enable = true; nixpkgs.config.allowUnfree = true; - # hardware.enableRedistributableFirmware = true; - environment.systemPackages = [ - pkgs.busybox + pkgs.sshfs + pkgs.util-linux + pkgs.coreutils + pkgs.vim + + pkgs.git + pkgs.git-crypt ]; - fileSystems."/".label = "x13s_root"; + system.stateVersion = "23.11"; + home-manager.users.root = _: { home.stateVersion = "23.11"; }; + home-manager.users.steveej = _: { + home.stateVersion = "23.11"; + + imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; + + nixpkgs.overlays = [ nodeFlake.overlays.default ]; + + home.sessionVariables = { }; + + home.packages = with pkgs; [ ]; + + # TODO(upstream): currently unsupported on x13s + services.gammastep.enable = true; + }; + + boot = { + loader.systemd-boot.enable = true; + loader.systemd-boot.configurationLimit = 5; + + loader.efi.canTouchEfiVariables = lib.mkForce false; + loader.efi.efiSysMountPoint = "/boot"; + blacklistedKernelModules = [ + "wwan" + # "qcom_soundwire" + # "snd_soc_qcom_sdw" + # "snd_soc_sc8280xp" + ]; + }; + + # TODO: debug this collision: collision between `/nix/store/cb32qlzc4pm6h4arw59kxqyzbvgnmx7g-b43-firmware-6.30.163.46-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' and `/nix/store/niffz3cf0v91y5knz0an29fwvm8amigm-b43-firmware-5.100.138-zstd/lib/firmware/b43/a0g0bsinitvals5.fw.zst' + hardware.firmware = lib.mkBefore [ + (pkgs.runCommand "x13s-ath11k-firmware-before" { } '' + mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${nodeFlake.inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin 
$out/lib/firmware/ath11k/WCN6855/hw2.1/ + '') + ]; + + # see https://linrunner.de/tlp/ + # TODO: find an equivalent to tlp that supports this machine + services.tlp = { + enable = false; + settings = { + START_CHARGE_THRESH_BAT0 = "80"; + STOP_CHARGE_THRESH_BAT0 = "85"; + }; + }; + + # android on linux + virtualisation.waydroid.enable = true; + hardware.ledger.enable = true; + + virtualisation.containers.enable = true; + virtualisation.podman.enable = true; + + steveej.holo-zerotier = { + enable = true; + autostart = false; + }; + + services.udev.packages = [ pkgs.android-udev-rules ]; + programs.adb.enable = true; + + nix.settings.sandbox = lib.mkForce "relaxed"; + + systemd.user.services.wireplumber.environment.LIBCAMERA_IPA_PROXY_PATH = "${pkgs.libcamera}/libexec/libcamera"; } diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix index 3961f0b..bb170b2 100644 --- a/nix/os/devices/steveej-x13s/default.nix +++ b/nix/os/devices/steveej-x13s/default.nix 
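Review bot: `nix.settings.sandbox = lib.mkForce "relaxed";` lets derivations that set `__noChroot = true` build outside the sandbox with full access to the host, which weakens the build isolation this host otherwise relies on; if a specific package needs it, a comment naming that package and a TODO to revert, e.g. `# relaxed only for <package>; revert once it builds sandboxed`, would stop the setting from outliving its reason. In `home-manager.users.steveej` the comment `# TODO(upstream): currently unsupported on x13s` sits above `services.gammastep.enable = true;`, whereas the steveej-x13s-rmvbl configuration forces the same option to false, so either the comment or the value looks stale. The `sops.secrets.builder-private-key` used by the three holochain builders is declared with no `publicHostKey` on any entry, the same gap noted on the steveej-t14 system.nix hunk.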
@@ -2,34 +2,35 @@ system ? "aarch64-linux", nodeName, repoFlake, + repoFlakeWithSystem, nodeFlake, localDomainName ? "internal", ... -}: { +}: +{ meta.nodeSpecialArgs.${nodeName} = { - inherit repoFlake nodeName nodeFlake system; + inherit + repoFlake + nodeName + nodeFlake + system + ; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; + repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = - import nodeFlake.inputs.nixpkgs.outPath - { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; deployment.replaceUnknownProfiles = true; + deployment.allowLocalDeployment = true; # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - imports = [ - ./configuration.nix - ]; - - networking.hostName = nodeName; + imports = [ ./configuration.nix ]; }; } diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix new file mode 100644 index 0000000..40b2118 --- /dev/null +++ b/nix/os/devices/steveej-x13s/disko.nix 
@@ -0,0 +1,74 @@ +{ + disko.devices = { + disk = { + x13s-nvme = { + type = "disk"; + device = "/dev/disk/by-id/nvme-KBG5AZNT1T02_LA_KIOXIA_52QC84BEEJS6"; + # device = "/dev/disk/by-id/nvme-Corsair_MP600_CORE_MINI_A7SIB33902BQLN"; + content = { + type = "gpt"; + partitions = { + ESP = { + size = "500M"; + type = "EF00"; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + mountOptions = [ "defaults" ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "x13s-nvme-crypt"; + extraOpenArgs = [ ]; + # disable settings.keyFile if you want to use interactive password entry + #passwordFile = "/tmp/secret.key"; # Interactive + settings = { + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + # keyFile = "/tmp/secret.key"; + allowDiscards = true; + }; + # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "/root" = { + mountpoint = "/"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/home" = { + mountpoint = "/home"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/nix" = { + mountpoint = "/nix"; + mountOptions = [ + "compress=zstd" + "noatime" + ]; + }; + "/swap" = { + mountpoint = "/.swapvol"; + swap.swapfile.size = "32G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nix/os/devices/steveej-x13s/flake.lock b/nix/os/devices/steveej-x13s/flake.lock index be88708..8ee318a 100644 --- a/nix/os/devices/steveej-x13s/flake.lock +++ b/nix/os/devices/steveej-x13s/flake.lock 
@@ -1,19 +1,33 @@ { "nodes": { - "brainwart_x13s-nixos": { + "ath11k-firmware": { "flake": false, "locked": { - "lastModified": 1701822673, - "narHash": "sha256-F2LBV8tqGPhEAvmn5Frxj79RPWgPGUYxJRYz8Pn9uj0=", - "owner": "BrainWart", - "repo": "x13s-nixos", - "rev": "ba245df7a72a78ec93aa500ba1a0cb29f0f65f37", + "lastModified": 1741293326, + "narHash": "sha256-Ew0d2h1pHqJB8SC0pEYezU5lMknvlcYazVVYCtjW3OY=", + "ref": "refs/heads/main", + "rev": "bc6359cb7ad38b7bc4de6580b7a3c70851c0cafb", + "revCount": 173, + "type": "git", + "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" + }, + "original": { + "type": "git", + "url": "https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git" + } + }, + "crane": { + "locked": { + "lastModified": 1742317686, + "narHash": "sha256-ScJYnUykEDhYeCepoAWBbZWx2fpQ8ottyvOyGry7HqE=", + "owner": "ipetkov", + "repo": "crane", + "rev": "66cb0013f9a99d710b167ad13cbd8cc4e64f2ddb", "type": "github" }, "original": { - "owner": "BrainWart", - "ref": "main", - "repo": "x13s-nixos", + "owner": "ipetkov", + "repo": "crane", "type": "github" } }, @@ -24,11 +38,11 @@ ] }, "locked": { - "lastModified": 1705348229, - "narHash": "sha256-CssPema1sBxZkrT95KFuKCNNiqxNe1lnf2QNeXk88Xk=", + "lastModified": 1745812220, + "narHash": "sha256-hotBG0EJ9VmAHJYF0yhWuTVZpENHvwcJ2SxvIPrXm+g=", "owner": "nix-community", "repo": "disko", - "rev": "d0b4408eaf782a1ada0a9133bb1cecefdd59c696", + "rev": "d0c543d740fad42fe2c035b43c9d41127e073c78", "type": "github" }, "original": { 
@@ -36,19 +50,85 @@ "type": "indirect" } }, - "flake-parts": { + "extra-container": { "inputs": { - "nixpkgs-lib": [ - "srvos", + "flake-utils": "flake-utils", + "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1704982712, - "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=", + "lastModified": 1734542275, + "narHash": "sha256-wnRkafo4YrIuvJeRsOmfStxIzi7ty2I0OtGMO9chwJc=", + "owner": "erikarvstedt", + "repo": "extra-container", + "rev": "fa723fb67201c1b4610fd3d608681da362f800eb", + "type": "github" + }, + "original": { + "owner": "erikarvstedt", + "repo": "extra-container", + "type": "github" + } + }, + "flake-compat": { + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "locked": { + "lastModified": 1733328505, + "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "revCount": 69, + "type": "tarball", + "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz" + } + }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nix-snapshotter", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1704152458, + "narHash": 
"sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "07f6395285469419cf9d078f59b5b49993198c00", + "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", "type": "github" }, "original": { @@ -57,13 +137,69 @@ "type": "github" } }, + "flake-parts_2": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1733312601, + "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "id": "flake-utils", + "type": "indirect" + } + }, "get-flake": { + "inputs": { + "flake-compat": "flake-compat" + }, "locked": { - "lastModified": 1694475786, - "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", + "lastModified": 1745945175, + "narHash": "sha256-JGDbJRl5v1snA4JX+yp6m3UA6Mazr59Hrgz+UhhP91M=", "owner": "ursi", "repo": "get-flake", - "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", + "rev": "38401aa2b3a99c77d0c02727471e99e7de2fc366", "type": "github" }, "original": { 
@@ -72,46 +208,164 @@ "type": "github" } }, - "linux_x13s": { + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1737233786, + "narHash": "sha256-WO6owkCecetn7bbu/ofy8aftO3rPCHUeq5GlVLsfS4M=", + "owner": "steveej-forks", + "repo": "home-manager", + "rev": "40ecdf4fc8bb698b8cbdb2ddb0ed5b1868e43c1a", + "type": "github" + }, + "original": { + "owner": "steveej-forks", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "linux-jhovold": { "flake": false, "locked": { - "lastModified": 1705487080, - "narHash": "sha256-DTOPiUGaeH5Ey+AZaO1c1n/QFikIXmvo2tTzgFtJ70k=", + "lastModified": 1745847827, + "narHash": "sha256-ewM7Rpd6On6ys3OkcWOtR7TNWSRZRLZpRP7L9syhn6s=", "owner": "jhovold", "repo": "linux", - "rev": "dd209a8fb4840e48ca4963bb23057f38b1066a6d", + "rev": "1786db28b335abb5a0fa1e8a27e9950a73f64acf", "type": "github" }, "original": { "owner": "jhovold", - "ref": "wip/sc8280xp-v6.7", + "ref": "wip/sc8280xp-6.15-rc4", "repo": "linux", "type": "github" } }, - "mobile-nixos": { - "flake": false, + "mycelium": { + "inputs": { + "crane": "crane", + "flake-compat": "flake-compat_2", + "flake-utils": "flake-utils_2", + "nix-filter": "nix-filter", + "nixpkgs": [ + "nixpkgs" + ] + }, "locked": { - "lastModified": 1705008488, - "narHash": "sha256-Gj97fDFZaK6gLb3ayZgTTtD+MFE1YjoyYHWkB1TIAe0=", - "owner": "NixOS", - "repo": "mobile-nixos", - "rev": "56e55df7b07b5e5c6d050732d851cec62b41df95", + "lastModified": 1745920427, + "narHash": "sha256-E5uUuKv7Mn0/EfmffRQZpSeATcSzJFVeYVF6Cn7KbJc=", + "owner": "threefoldtech", + "repo": "mycelium", + "rev": "1eec5651bf5f194b7f7875ec2483582ccebf1cc1", "type": "github" }, "original": { - "owner": "NixOS", - "repo": "mobile-nixos", + "owner": "threefoldtech", + "repo": "mycelium", "type": "github" } }, - "nixpkgs": { + "nix-filter": { "locked": { - "lastModified": 1705316053, - "narHash": "sha256-J2Ey5mPFT8gdfL2XC0JTZvKaBw/b2pnyudEXFvl+dQM=", + "lastModified": 1731533336, + 
"narHash": "sha256-oRam5PS1vcrr5UPgALW0eo1m/5/pls27Z/pabHNy2Ms=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "f7653272fd234696ae94229839a99b73c9ab7de0", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, + "nix-snapshotter": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1717948701, + "narHash": "sha256-G7SXaZ7J4yO4OQEKSZPVWcccfV87uyLech0jEOU350g=", + "owner": "yu-re-ka", + "repo": "nix-snapshotter", + "rev": "c10b066a4b1bb3451507c141636014e3335e579e", + "type": "github" + }, + "original": { + "owner": "yu-re-ka", + "repo": "nix-snapshotter", + "type": "github" + } + }, + "nixos-x13s": { + "inputs": { + "flake-parts": "flake-parts_2", + "linux-jhovold": "linux-jhovold", + "nixpkgs": [ + "nixpkgs" + ], + "x13s-bt-linux-firmware": "x13s-bt-linux-firmware" + }, + "locked": { + "lastModified": 1745914252, + "narHash": "sha256-u8hbsI+oW+cO+omdGeY6Q+Z/NvVZaHIZS70f1mq1gac=", + "ref": "bump", + "rev": "8bd7972c74b12b45aee190ce2ddd6960a0771af6", + "revCount": 147, + "type": "git", + "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" + }, + "original": { + "ref": "bump", + "type": "git", + "url": "https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git" + } + }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1733096140, + "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1746055187, + "narHash": "sha256-3dqArYSMP9hM7Qpy5YWhnSjiqniSaT2uc5h2Po7tmg0=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c3e128f3c0ecc1fb04aef9f72b3dcc2f6cecf370", + 
"rev": "3e362ce63e16b9572d8c2297c04f7c19ab6725a5", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1745930157, + "narHash": "sha256-y3h3NLnzRSiUkYpnfvnS669zWZLoqqI6NprtLQ+5dck=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "46e634be05ce9dc6d4db8e664515ba10b78151ae", "type": "github" }, "original": { 
@@ -123,35 +377,88 @@ }, "root": { "inputs": { - "brainwart_x13s-nixos": "brainwart_x13s-nixos", + "ath11k-firmware": "ath11k-firmware", "disko": "disko", + "extra-container": "extra-container", "get-flake": "get-flake", - "linux_x13s": "linux_x13s", - "mobile-nixos": "mobile-nixos", - "nixpkgs": "nixpkgs", - "srvos": "srvos" + "home-manager": "home-manager", + "mycelium": "mycelium", + "nix-snapshotter": "nix-snapshotter", + "nixos-x13s": "nixos-x13s", + "nixpkgs": [ + "nixpkgs-unstable" + ], + "nixpkgs-stable": "nixpkgs-stable", + "nixpkgs-unstable": "nixpkgs-unstable", + "signal-desktop": "signal-desktop" } }, - "srvos": { + "signal-desktop": { "inputs": { - "flake-parts": "flake-parts", "nixpkgs": [ "nixpkgs" ] }, "locked": { - "lastModified": 1705346686, - "narHash": "sha256-lTf1b2I6wwNDhV5eEKIAMT5DOa43bK5KaPqDWH2yfek=", - "owner": "numtide", - "repo": "srvos", - "rev": "8e03bea707212a7225b0ab02a8186af8b1e98e0a", + "lastModified": 1745037528, + "narHash": "sha256-twzHVBNEX6daUCFwtjn3X7WaJnwRqHeAxX0MB7kosHo=", + "owner": "youwen5", + "repo": "signal-desktop-flake", + "rev": "1b41af6489574da6ba1e0186235c87acbf57163f", "type": "github" }, "original": { - "owner": "numtide", - "repo": "srvos", + "owner": "youwen5", + "repo": "signal-desktop-flake", "type": "github" } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + 
"x13s-bt-linux-firmware": { + "flake": false, + "locked": { + "lastModified": 1733240564, + "narHash": "sha256-348f+wuX7x8xqaBRkraTclupdnRcwL/z2l/1Bs/reXc=", + "ref": "refs/heads/main", + "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", + "revCount": 4282, + "type": "git", + "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" + }, + "original": { + "rev": "06aea4d8bfd5ca3624b56162b24339d7b0449913", + "type": "git", + "url": "git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" + } } }, "root": "root", diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix index 05b3765..ffd00f9 100644 --- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s/flake.nix 
@@ -1,270 +1,121 @@ { - inputs = - { - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + inputs = { + nixpkgs.follows = "nixpkgs-unstable"; + nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11"; + nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; + # nixpkgs-unstable.url = "github:steveej-forks/nixpkgs/nixos-unstable"; - get-flake.url = "github:ursi/get-flake"; + get-flake.url = "github:ursi/get-flake"; - disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; + disko.inputs.nixpkgs.follows = "nixpkgs"; - mobile-nixos.url = "github:NixOS/mobile-nixos"; - mobile-nixos.flake = false; - - # see https://github.com/jhovold/linux/wiki/X13s for status updates - linux_x13s.url = "github:jhovold/linux/wip/sc8280xp-v6.7"; - linux_x13s.flake = false; - - brainwart_x13s-nixos = { - url = "github:BrainWart/x13s-nixos/main"; - flake = false; - }; + home-manager = { + url = "github:steveej-forks/home-manager/master"; + # url = "github:nix-community/home-manager/master"; + # url = "github:nix-community/home-manager/release-24.11"; + inputs.nixpkgs.follows = "nixpkgs"; }; + nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump" + # 6.13-rc2 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump&rev=c95058f8aa1b361df3874429c5dc0f694f9cba78" + # 6.11.0 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490" + # 6.12.0-rc6 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee" + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630" + #"/home/steveej/src/others/nixos-x13s" + # + ; + # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s"; + # nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + 
nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; + + ath11k-firmware = { + url = "git+https://git.codelinaro.org/clo/ath-firmware/ath11k-firmware.git"; + flake = false; + }; + + mycelium.url = "github:threefoldtech/mycelium"; + mycelium.inputs.nixpkgs.follows = "nixpkgs"; + + nix-snapshotter = { + url = "github:yu-re-ka/nix-snapshotter"; + # url = "github:pdtpartners/nix-snapshotter"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + extra-container = { + url = "github:erikarvstedt/extra-container"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + + signal-desktop = { + url = "github:youwen5/signal-desktop-flake"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + }; + outputs = - { self - , get-flake - , nixpkgs - , ... + { + self, + get-flake, + nixpkgs, + ... }: let - targetPlatform = "aarch64-linux"; - buildPlatform = "x86_64-linux"; + nativeSystem = "aarch64-linux"; nodeName = "steveej-x13s"; - pkgs = nixpkgs.legacyPackages.${targetPlatform}; - pkgsCross = import self.inputs.nixpkgs { - system = buildPlatform; - crossSystem = { - config = "pentium2-unknown-linux-gnu"; - }; - }; + repoFlake = get-flake ../../../..; - mkNixosConfiguration = { extraModules ? [ ], ... } @ attrs: + mkNixosConfiguration = + { + extraModules ? [ ], + ... 
+ }@attrs: nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs - { - specialArgs = (import ./default.nix { - system = targetPlatform; + nixpkgs.lib.attrsets.recursiveUpdate attrs { + specialArgs = + (import ./default.nix { + system = nativeSystem; inherit nodeName; - repoFlake = get-flake ../../../..; + inherit repoFlake; + repoFlakeWithSystem = repoFlake.lib.withSystem; nodeFlake = self; }).meta.nodeSpecialArgs.${nodeName}; - modules = - [ - self.nixosModules.hardware-x13s + modules = [ + ./configuration.nix - ./configuration.nix - - # flake registry - { - nix.registry.nixpkgs.flake = nixpkgs; - } - - { - nixpkgs.overlays = [ - (final: prev: - { - qrtr = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/qrtr.nix" { }; - qmic = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/qmic.nix" { }; - rmtfs = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/rmtfs.nix" { }; - pd-mapper = final.callPackage "${self.inputs.mobile-nixos}/overlay/qrtr/pd-mapper.nix" { - inherit (final) qrtr; - }; - compressFirmwareXz = prev.lib.id; #this leaves all firmware uncompressed :) for pd-mapper - }) - ]; - } - ] - ++ extraModules; - } + # flake registry + { nix.registry.nixpkgs.flake = nixpkgs; } + ] ++ extraModules; + } ); in { - nixosConfigurations = { - native = mkNixosConfiguration { - system = targetPlatform; + lib = { + inherit mkNixosConfiguration; + }; + + overlays.default = + _final: _previous: + { }; + nixosConfigurations = { + native = mkNixosConfiguration { system = nativeSystem; }; + cross = mkNixosConfiguration { extraModules = [ { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = targetPlatform; + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; } ]; }; }; - - nixosModules.hardware-x13s = { pkgs, config, lib, options, ... 
}: - let - # TODO: introduce options for these - kernelPdMapper = true; - in - { - config = - let - inherit (config.boot.loader) efi; - kp = [ - { - name = "x13s-cfg"; - patch = null; - extraStructuredConfig = with lib.kernel; { - EFI_ARMSTUB_DTB_LOADER = lib.mkForce yes; - OF_OVERLAY = lib.mkForce yes; - BTRFS_FS = lib.mkForce yes; - BTRFS_FS_POSIX_ACL = lib.mkForce yes; - MEDIA_CONTROLLER = lib.mkForce yes; - SND_USB_AUDIO_USE_MEDIA_CONTROLLER = lib.mkForce yes; - SND_USB = lib.mkForce yes; - SND_USB_AUDIO = lib.mkForce module; - USB_XHCI_PCI = lib.mkForce module; - NO_HZ_FULL = lib.mkForce yes; - HZ_100 = lib.mkForce yes; - HZ_250 = lib.mkForce no; - DRM_AMDGPU = lib.mkForce no; - DRM_NOUVEAU = lib.mkForce no; - QCOM_TSENS = lib.mkForce yes; - NVMEM_QCOM_QFPROM = lib.mkForce yes; - ARM_QCOM_CPUFREQ_NVMEM = lib.mkForce yes; - } // lib.optionalAttrs kernelPdMapper { - QCOM_PD_MAPPER = lib.mkForce yes; - QRTR = lib.mkForce yes; - }; - } - ]; - - # We can't quite move to mainline linux - linux_x13s_pkg = { buildLinux, ... 
} @ args: - buildLinux (args // rec { - version = "6.7.0"; - modDirVersion = lib.versions.pad 3 version; - extraMeta.branch = lib.versions.majorMinor version; - - src = self.inputs.linux_x13s; - kernelPatches = (args.kernelPatches or [ ]) ++ kp; - } // (args.argsOverride or { })); - - # we add additional configuration on top of te normal configuration above - # using the extraStructuredConfig option on the kernel patch - linux_x13s = pkgs.callPackage linux_x13s_pkg { - defconfig = "johan_defconfig"; - }; - - uncompressed-fw = pkgs.callPackage - ({ lib, runCommand, buildEnv, firmwareFilesList }: - runCommand "qcom-modem-uncompressed-firmware-share" - { - firmwareFiles = buildEnv { - name = "qcom-modem-uncompressed-firmware"; - paths = firmwareFilesList; - pathsToLink = [ - "/lib/firmware/rmtfs" - "/lib/firmware/qcom" - ]; - }; - } '' - PS4=" $ " - ( - set -x - mkdir -p $out/share/ - ln -s $firmwareFiles/lib/firmware/ $out/share/uncompressed-firmware - ) - '') - { - firmwareFilesList = lib.flatten options.hardware.firmware.definitions; - }; - - linuxPackages_x13s = pkgs.linuxPackagesFor linux_x13s; - dtb = "${linuxPackages_x13s.kernel}/dtbs/qcom/sc8280xp-lenovo-thinkpad-x13s.dtb"; - - dtbName = "x13s63rc4.dtb"; - in - { - boot = { - loader.systemd-boot.enable = true; - loader.systemd-boot.extraFiles = { - "${dtbName}" = dtb; - }; - loader.efi.canTouchEfiVariables = true; - loader.efi.efiSysMountPoint = "/boot"; - - kernelPackages = linuxPackages_x13s; - - kernelParams = [ - "boot.shell_on_fail" - "clk_ignore_unused" - "pd_ignore_unused" - "arm64.nopauth" - "cma=128M" - "nvme.noacpi=1" - "iommu.strict=0" - "dtb=${dtbName}" - ]; - initrd = { - includeDefaultModules = false; - availableKernelModules = [ - "i2c_hid" - "i2c_hid_of" - "i2c_qcom_geni" - "leds_qcom_lpg" - "pwm_bl" - "qrtr" - "pmic_glink_altmode" - "gpio_sbu_mux" - "phy_qcom_qmp_combo" - "panel-edp" - "msm" - "phy_qcom_edp" - "i2c-core" - "i2c-hid" - "i2c-hid-of" - "i2c-qcom-geni" - "pcie-qcom" - 
"phy-qcom-qmp-combo" - "phy-qcom-qmp-pcie" - "phy-qcom-qmp-usb" - "phy-qcom-snps-femto-v2" - "phy-qcom-usb-hs" - "nvme" - ]; - }; - }; - - # power management, etc. - environment.systemPackages = with pkgs; [ - qrtr - qmic - rmtfs - pd-mapper - uncompressed-fw - ]; - environment.pathsToLink = [ "share/uncompressed-firmware" ]; - - # ensure the x13s' dtb file is in the boot partition - system.activationScripts.x13s-dtb = '' - in_package="${dtb}" - esp_tool_folder="${efi.efiSysMountPoint}/" - in_esp="''${esp_tool_folder}${dtbName}" - >&2 echo "Ensuring $in_esp in EFI System Partition" - if ! ${pkgs.diffutils}/bin/cmp --silent "$in_package" "$in_esp"; then - >&2 echo "Copying $in_package -> $in_esp" - mkdir -p "$esp_tool_folder" - cp "$in_package" "$in_esp" - sync - fi - ''; - - hardware.enableAllFirmware = true; - hardware.firmware = [ - pkgs.linux-firmware - (pkgs.callPackage "${self.inputs.brainwart_x13s-nixos}/pkgs/x13s-firmware.nix" { }) - ]; - }; - }; }; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/boot.nix b/nix/os/devices/vmd102066.contaboserver.net/boot.nix index 5713789..ed21f9c 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/boot.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/boot.nix @@ -1,4 +1,5 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix index 28a63fb..b29548c 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix @@ -1,5 +1,6 @@ -{...}: { - disabledModules = []; +{ ... }: +{ + disabledModules = [ ]; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix 
diff --git a/nix/os/devices/vmd102066.contaboserver.net/default.nix b/nix/os/devices/vmd102066.contaboserver.net/default.nix index db025f1..958331e 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/default.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/default.nix @@ -1,17 +1,17 @@ -{repoFlake, ...}: let +{ repoFlake, ... }: +let nodeName = "vmd102066.contaboserver.net"; system = "x86_64-linux"; nodeFlake = repoFlake.inputs.get-flake ./.; -in { +in +{ meta.nodeSpecialArgs.${nodeName} = { inherit nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { - inherit system; - }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.nix b/nix/os/devices/vmd102066.contaboserver.net/flake.nix index d432f24..0547466 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/flake.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: {}; + outputs = _: { }; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/hw.nix b/nix/os/devices/vmd102066.contaboserver.net/hw.nix index e09b10e..392bb1b 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/hw.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/hw.nix @@ -1,4 +1,5 @@ -{...}: let +_: +let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -11,7 +12,8 @@ "virtio" "scsi_mod" ]; -in { +in +{ # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix index 96cfc55..2857a30 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix 
@@ -1,9 +1,5 @@ +{ config, pkgs, ... }: { - config, - pkgs, - lib, - ... -}: { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; @@ -12,7 +8,12 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; + supportedFeatures = [ + "kvm" + "nixos-test" + "big-parallel" + "benchmark" + ]; maxJobs = 4; } ]; @@ -22,7 +23,7 @@ hydraURL = "http://localhost:3000"; # externally visible URL notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines - buildMachinesFiles = []; + buildMachinesFiles = [ ]; # you will probably also want, otherwise *everything* will be built from scratch useSubstitutes = true; }; @@ -30,7 +31,13 @@ services.gitlab-runner = { enable = false; - extraPackages = with pkgs; [bash gitlab-runner nix gitFull git-crypt]; + extraPackages = with pkgs; [ + bash + gitlab-runner + nix + gitFull + git-crypt + ]; concurrent = 2; checkInterval = 0; @@ -39,7 +46,7 @@ executor = "shell"; runUntagged = true; registrationConfigFile = "/etc/secrets/gitlab-runner/nix-runner.registration"; - tagList = ["nix"]; + tagList = [ "nix" ]; }; }; }; diff --git a/nix/os/devices/vmd102066.contaboserver.net/system.nix b/nix/os/devices/vmd102066.contaboserver.net/system.nix index 45c6b0c..cebed6a 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/system.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/system.nix @@ -1,13 +1,9 @@ -{ - pkgs, - lib, - config, - nodeName, - ... -}: let +{ pkgs, config, ... }: +let keys = import ../../../variables/keys.nix; passwords = import ../../../variables/passwords.crypt.nix; -in { +in +{ networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 
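Review bot: pkg.nix drops `lib` from its argument set and system.nix drops `lib` and `nodeName`, but both files continue past the hunks shown, so the removal is only safe if no later line references those names; in Nix that surfaces as an undefined-variable error at evaluation time, not when formatting. If this came from a dead-code linter it is presumably verified, but a dry build of `vmd102066.contaboserver.net` in this commit would confirm, and a one-line commit-message mention of the tool used would document why these arguments went away alongside the reformatting.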
@@ -37,7 +33,7 @@ in { networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "eth0"; }; @@ -45,7 +41,9 @@ in { # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = {docker.enable = true;}; + virtualisation = { + docker.enable = true; + }; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; @@ -53,7 +51,7 @@ in { systemd.services."sshd-status" = { enable = true; description = "sshd-status service"; - path = [pkgs.systemd]; + path = [ pkgs.systemd ]; script = '' systemctl status sshd | grep -i tasks ''; @@ -73,11 +71,13 @@ in { # }; # }; - nix.gc = {automatic = true;}; + nix.gc = { + automatic = true; + }; boot.initrd.network = { enable = true; - udhcpc.extraArgs = ["-x hostname:${config.networking.hostName}"]; + udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; ssh = { enable = true; @@ -104,7 +104,12 @@ in { inherit config; hostAddress = "192.168.100.16"; localAddress = "192.168.100.17"; - subvolumes = ["mailserver" "webserver" "backup" "syncthing"]; + subvolumes = [ + "mailserver" + "webserver" + "backup" + "syncthing" + ]; }; bkpTarget = import ../../containers/backup-target.nix { diff --git a/nix/os/devices/voodoo/configuration.nix b/nix/os/devices/voodoo/configuration.nix deleted file mode 100644 index d6ae93c..0000000 --- a/nix/os/devices/voodoo/configuration.nix +++ /dev/null 
@@ -1,85 +0,0 @@ -{ - repoFlake, - pkgs, - lib, - config, - nodeFlake, - nodeName, - localDomainName, - system, - ... -}: let -in { - imports = [ - # repoFlake.inputs.sops-nix.nixosModules.sops - - # ../../profiles/common/user.nix - - { - nix.nixPath = [ - "nixpkgs=${pkgs.path}" - ]; - - nix.settings.experimental-features = [ - "nix-command" - "flakes" - ]; - - nix.settings.max-jobs = lib.mkDefault "auto"; - nix.settings.cores = lib.mkDefault 0; - } - - { - services.openssh.enable = true; - services.openssh.settings.PermitRootLogin = "yes"; - - # users.commonUsers = { - # enable = true; - # enableNonRoot = false; - # rootPasswordFile = config.sops.secrets.passwords-root.path; - # }; - - users.users.root.password = "voodoo"; - - # sops.defaultSopsFile = ../../../../secrets/${nodeName}/secrets.yaml; - # sops.defaultSopsFormat = "yaml"; - - # sops.secrets.passwords-root.neededForUsers = true; - } - ]; - - networking = { - hostName = nodeName; - useNetworkd = false; - useDHCP = true; - firewall.enable = false; - }; - - system.stateVersion = "23.11"; - - # We exclude a number of modules included in the default list. A non-insignificant amount do - # not apply to embedded hardware like this, so simply skip the defaults. - # - # Custom kernel is required as a lot of MTK components misbehave when built as modules. - # They fail to load properly, leaving the system without working ethernet, they'll oops on - # remove. MTK-DSA parts and PCIe were observed to do this. - - # boot.initrd.includeDefaultModules = false; - # boot.initrd.kernelModules = ["rfkill" "cfg80211" "mt7915e"]; - # boot.initrd.availableKernelModules = ["nvme"]; - - hardware.enableRedistributableFirmware = false; - - # Extlinux compatible with custom uboot patches in this repo, which also provide unique - # MAC addresses instead of the non-unique one that gets used by a lot of MTK devices... 
- boot.loader.grub.enable = true; - - environment.systemPackages = [ - # pkgs.pciutils - ]; - - fileSystems."/".label = "voodoo_root"; - boot.loader.grub.devices = [ - "/dev/disk/by-id/usb-ST313640_A_20171021-0" - ]; -} diff --git a/nix/os/devices/voodoo/flake.lock b/nix/os/devices/voodoo/flake.lock deleted file mode 100644 index 089ad5e..0000000 --- a/nix/os/devices/voodoo/flake.lock +++ /dev/null 
@@ -1,225 +0,0 @@ -{ - "nodes": { - "bpir3": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1703603768, - "narHash": "sha256-ZViXHNt7ClqNtlRO9iot+LxiSbBvZi/RR+/6Q7W6UV8=", - "owner": "steveej-forks", - "repo": "nixos-bpir3", - "rev": "47cb545b92c136d1482a66b940c4719c40eb5fe3", - "type": "github" - }, - "original": { - "owner": "steveej-forks", - "ref": "linux-6.6", - "repo": "nixos-bpir3", - "type": "github" - } - }, - "dependencyDagOfSubmodule": { - "inputs": { - "nixpkgs": [ - "nixos-nftables-firewall", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1656615370, - "narHash": "sha256-IZDqz1aSySoqf1qtVQg+oJMHfC4IlT55Zoa7EkjvPug=", - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "rev": "98eb563d80b35acafbfc1abb9ccee569c1efb19c", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nix-dependencyDagOfSubmodule", - "type": "github" - } - }, - "disko": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1703532766, - "narHash": "sha256-ojjW3cuNmqL5uqDWohwLoO8dYpheM5+AfgsNmGIMwG8=", - "owner": "nix-community", - "repo": "disko", - "rev": "1b191113874dee97796749bb21eac3d84735c70a", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "disko", - "type": "github" - } - }, - "get-flake": { - "locked": { - "lastModified": 1694475786, - "narHash": "sha256-s5wDmPooMUNIAAsxxCMMh9g68AueGg63DYk2hVZJbc8=", - "owner": "ursi", - "repo": "get-flake", - "rev": "ac54750e3b95dab6ec0726d77f440efe6045bec1", - "type": "github" - }, - "original": { - "owner": "ursi", - "repo": "get-flake", - "type": "github" - } - }, - "home-manager": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1703527373, - "narHash": "sha256-AjypRssRtS6F3xkf7rE3/bXkIF2WJOZLbTIspjcE1zM=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "80679ea5074ab7190c4cce478c600057cfb5edae", - "type": "github" - }, - "original": { - "owner": 
"nix-community", - "ref": "master", - "repo": "home-manager", - "type": "github" - } - }, - "hostapd": { - "flake": false, - "locked": { - "lastModified": 1703346062, - "narHash": "sha256-SHSBKIgKc5zEGhKDT2v+yGERTJHf8pe+9ZPUwJBTJKQ=", - "ref": "refs/heads/main", - "rev": "196d6c83b9cb7d298fdc92684dc37115348b159e", - "revCount": 19119, - "type": "git", - "url": "git://w1.fi/hostap.git?branch=main" - }, - "original": { - "type": "git", - "url": "git://w1.fi/hostap.git?branch=main" - } - }, - "nixos-nftables-firewall": { - "inputs": { - "dependencyDagOfSubmodule": "dependencyDagOfSubmodule", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1703279052, - "narHash": "sha256-0rbG/9SwaWtXT7ZuifMq+7wvfxDpZrjr0zdMcM4KK+E=", - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "rev": "3bf23aeb346e772d157816e6b72a742a6c97db80", - "type": "github" - }, - "original": { - "owner": "thelegy", - "repo": "nixos-nftables-firewall", - "type": "github" - } - }, - "nixos-stable": { - "locked": { - "lastModified": 1703068421, - "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.11", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1703255338, - "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "openwrt": { - "flake": false, - "locked": { - "lastModified": 1691699580, - "narHash": "sha256-CV+ufXPEr5Nz2O2FBnnuPeHNsFQ7c5s0uW39u/q3cUo=", - "ref": "main", - "rev": "847984c773d819d5579d5abae4b80a4983103ed9", - "revCount": 58166, - "type": "git", - "url": 
"https://github.com/openwrt/openwrt.git" - }, - "original": { - "ref": "main", - "rev": "847984c773d819d5579d5abae4b80a4983103ed9", - "type": "git", - "url": "https://github.com/openwrt/openwrt.git" - } - }, - "root": { - "inputs": { - "bpir3": "bpir3", - "disko": "disko", - "get-flake": "get-flake", - "home-manager": "home-manager", - "hostapd": "hostapd", - "nixos-nftables-firewall": "nixos-nftables-firewall", - "nixpkgs": "nixpkgs", - "openwrt": "openwrt", - "srvos": "srvos" - } - }, - "srvos": { - "inputs": { - "nixos-stable": "nixos-stable", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1703469109, - "narHash": "sha256-hTQJ9uV43Vt8UXwervEj9mbDoQSN1mD3lwwPChG8jy8=", - "owner": "numtide", - "repo": "srvos", - "rev": "52d07db520046c4775f1047e68a05dcb53bba9ec", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "srvos", - "type": "github" - } - } - }, - "root": "root", - "version": 7 -} diff --git a/nix/os/devices/voodoo/flake.nix b/nix/os/devices/voodoo/flake.nix deleted file mode 100644 index 6282785..0000000 --- a/nix/os/devices/voodoo/flake.nix +++ /dev/null 
@@ -1,80 +0,0 @@ -{ - inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11"; - - get-flake.url = "github:ursi/get-flake"; - - disko.inputs.nixpkgs.follows = "nixpkgs"; - srvos.url = "github:numtide/srvos"; - srvos.inputs.nixpkgs.follows = "nixpkgs"; - }; - - outputs = { - self, - get-flake, - nixpkgs, - ... - }: let - targetPlatform = "i686-linux"; - buildPlatform = "x86_64-linux"; - nodeName = "voodoo"; - - pkgs = nixpkgs.legacyPackages.${targetPlatform}; - pkgsCross = import self.inputs.nixpkgs { - system = buildPlatform; - crossSystem = { - config = "pentium2-unknown-linux-gnu"; - }; - }; - - mkNixosConfiguration = {extraModules ? [], ...} @ attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate - attrs - { - specialArgs = (import ./default.nix { - system = targetPlatform; - inherit nodeName; - - repoFlake = get-flake ../../../..; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; - - modules = - [ - ./configuration.nix - - # flake registry - { - nix.registry.nixpkgs.flake = nixpkgs; - } - - { - nixpkgs.overlays = [ - (final: previous: - { - }) - - ]; - } - ] - ++ extraModules; - } - ); - in { - nixosConfigurations = { - native = mkNixosConfiguration { - system = targetPlatform; - }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = targetPlatform; - } - ]; - }; - }; - }; -} diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index 9871d3b..b4f4dcc 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix 
@@ -1,36 +1,43 @@ -{ - lib, - config, -}: let +{ lib, config }: +let keys = import ../../variables/keys.nix; -in { - mkUser = args: ( - lib.attrsets.recursiveUpdate { - isNormalUser = true; - extraGroups = [ - "docker" - "wheel" - "libvirtd" - "networkmanager" - "vboxusers" - "users" - "input" - "audio" - "video" - "cdrom" - "adbusers" - "dialout" - "cdrom" - ]; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; +in +{ + mkUser = + args: + lib.mkMerge [ + { + isNormalUser = true; + extraGroups = [ + "docker" + "podman" + "wheel" + "libvirtd" + "networkmanager" + "vboxusers" + "users" + "input" + "audio" + "video" + "cdrom" + "adbusers" + "dialout" + "cdrom" + "fuse" + "adbusers" + "scanner" + "lp" + "kvm" + ]; + openssh.authorizedKeys.keys = keys.users.steveej.openssh; - # TODO: investigate why this secret cannot be found - # openssh.authorizedKeys.keyFiles = [ - # config.sops.secrets.sharedSshKeys-steveej.path - # ]; - } - args - ); + # TODO: investigate why this secret cannot be found + # openssh.authorizedKeys.keyFiles = [ + # config.sops.secrets.sharedSshKeys-steveej.path + # ]; + } + args + ]; disk = rec { # TODO: verify the GPT PARTLABEL cap at 36 chars @@ -38,7 +45,7 @@ in { # LVM doesn't allow most characters in VG names # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+] - volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId; + volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId; # This is important at install-time bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId; 
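Review bot: The `extraGroups` list in the rewritten `mkUser` contains duplicates — `"cdrom"` twice (carried over) and now `"adbusers"` twice — so drop the repeated entries. Switching from `lib.attrsets.recursiveUpdate` to `lib.mkMerge` also changes the semantics for list-valued attributes: `recursiveUpdate` let `args.extraGroups` replace the defaults, whereas `mkMerge` concatenates them, so a caller can no longer opt a user out of a default group such as `docker` (membership there is root-equivalent); if every user is meant to get the full set, say so with a comment on `mkUser`, e.g. `# args are merged with (not substituted for) these defaults`. The `config` argument is now referenced only from the commented-out `keyFiles` block. The `disk` attrset that follows continues outside this hunk.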
@@ -49,15 +56,10 @@ in { # Cannot use the disk ID here because might be different at install vs. runtime. # Example: MMC card which is used in the internal reader vs. USB reader - bootFsDevice = diskId: - "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); - bootLuksDevice = diskId: - "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); + bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); + bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); luksName = diskId: (volumeGroup diskId) + "pv"; luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId); - lvmPv = diskId: encrypted: - if encrypted == true - then luksPhysicalVolume diskId - else bootLuksDevice diskId; + lvmPv = diskId: encrypted: if encrypted then luksPhysicalVolume diskId else bootLuksDevice diskId; }; } diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix index 893620a..622ae62 100644 --- a/nix/os/modules/ddclient-hetzner.nix +++ b/nix/os/modules/ddclient-hetzner.nix @@ -1,14 +1,9 @@ +{ lib, ... }: { - lib, - config, - ... -}: let - cfg = config.services.ddclient-hetzner; -in { options.services.ddclient-hetzner = with lib; { enable = mkEnableOption "Enable ddclient-hetzner"; - zone = mkOption {type = types.str;}; - domains = mkOption {type = types.listOf types.str;}; - passwordFile = mkOption {type = types.path;}; + zone = mkOption { type = types.str; }; + domains = mkOption { type = types.listOf types.str; }; + passwordFile = mkOption { type = types.path; }; }; } diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index 9b0321d..150d688 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix 
@@ -1,12 +1,7 @@ +{ lib, ... }: { - lib, - config, - ... -}: let - cfg = config.services.ddclientovh; -in { options.services.ddclientovh = with lib; { enable = mkEnableOption "Enable ddclient-ovh"; - domain = mkOption {type = types.str;}; + domain = mkOption { type = types.str; }; }; } diff --git a/nix/os/modules/initrd-network.nix b/nix/os/modules/initrd-network.nix index e517d62..4ca89cf 100644 --- a/nix/os/modules/initrd-network.nix +++ b/nix/os/modules/initrd-network.nix @@ -4,7 +4,8 @@ pkgs, ... }: -with lib; let +with lib; +let cfg = config.boot.initrd.network; udhcpcScript = pkgs.writeScript "udhcp-script" '' @@ -25,7 +26,8 @@ with lib; let ''; udhcpcArgs = toString cfg.udhcpc.extraArgs; -in { +in +{ options = { boot.initrd.network.enable = mkOption { type = types.bool; @@ -46,7 +48,7 @@ in { }; boot.initrd.network.udhcpc.extraArgs = mkOption { - default = []; + default = [ ]; type = types.listOf types.str; description = '' Additional command-line arguments passed verbatim to udhcpc if @@ -74,9 +76,9 @@ in { }; config = mkIf cfg.enable { - warnings = ["Enabled SSH for stage1"]; + warnings = [ "Enabled SSH for stage1" ]; - boot.initrd.kernelModules = ["af_packet"]; + boot.initrd.kernelModules = [ "af_packet" ]; boot.initrd.extraUtilsCommands = '' copy_bin_and_libs ${pkgs.mkinitcpio-nfs-utils}/bin/ipconfig diff --git a/nix/os/modules/natrouter.nix b/nix/os/modules/natrouter.nix index 62af2a8..d853c28 100644 --- a/nix/os/modules/natrouter.nix +++ b/nix/os/modules/natrouter.nix @@ -1,9 +1,6 @@ +{ lib, ... }: +with lib; { - lib, - config, - ... -}: -with lib; { # TODO # Provide a NAT/DHCP Router # diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix index 399eb43..db2bbbf 100644 --- a/nix/os/modules/opinionatedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix 
@@ -4,19 +4,17 @@ pkgs, ... }: -with lib; let +with lib; +let cfg = config.hardware.opinionatedDisk; - ownLib = pkgs.callPackage ../lib/default.nix {}; + ownLib = pkgs.callPackage ../lib/default.nix { }; - earlyDiskId = cfg: - if cfg.earlyDiskIdOverride != "" - then cfg.earlyDiskIdOverride - else cfg.diskId - ; -in { + earlyDiskId = cfg: if cfg.earlyDiskIdOverride != "" then cfg.earlyDiskIdOverride else cfg.diskId; +in +{ options.hardware.opinionatedDisk = { enable = mkEnableOption "Enable opinionated filesystem layout"; - diskId = mkOption {type = types.str;}; + diskId = mkOption { type = types.str; }; encrypted = mkOption { default = true; type = types.bool; @@ -24,7 +22,7 @@ in { earlyDiskIdOverride = mkOption { default = ""; - type = types.string; + type = types.str; }; }; @@ -37,31 +35,30 @@ in { fileSystems."/" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = ["subvol=nixos"]; + options = [ "subvol=nixos" ]; }; fileSystems."/home" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = ["subvol=home"]; + options = [ "subvol=home" ]; }; - swapDevices = [{device = ownLib.disk.swapFsDevice cfg.diskId;}]; + swapDevices = [ { device = ownLib.disk.swapFsDevice cfg.diskId; } ]; boot.loader.grub = { device = ownLib.disk.bootGrubDevice (earlyDiskId cfg); enableCryptodisk = cfg.encrypted; }; - boot.initrd.luks.devices = - lib.optionalAttrs cfg.encrypted - (builtins.listToAttrs [ + boot.initrd.luks.devices = lib.optionalAttrs cfg.encrypted ( + builtins.listToAttrs [ { - name = let - splitstring = - builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); - lastelem = (builtins.length splitstring) - 1; - in + name = + let + splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); + lastelem = (builtins.length splitstring) - 1; + in builtins.elemAt splitstring lastelem; value = { device = ownLib.disk.bootLuksDevice cfg.diskId; @@ -70,6 +67,7 @@ in { allowDiscards = true; }; } - ]); + ] + ); }; } 
diff --git a/nix/os/profiles/common/boot.nix b/nix/os/profiles/common/boot.nix deleted file mode 100644 index 21fa70c..0000000 --- a/nix/os/profiles/common/boot.nix +++ /dev/null @@ -1,15 +0,0 @@ -{pkgs, ...}: { - boot.kernelPackages = pkgs.linuxPackages; - boot.loader.grub = { - enable = true; - efiSupport = true; - efiInstallAsRemovable = false; - }; - - boot.loader.systemd-boot.enable = false; - boot.loader.efi.canTouchEfiVariables = true; - boot.tmp.useTmpfs = true; - - # Workaround for nm-pptp to enforce module load - boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"]; -} diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index 0590e79..61b4cb8 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix @@ -3,16 +3,38 @@ pkgs, repoFlake, ... -}: { +}: +{ imports = [ - ./boot.nix - ./pkg.nix - ./system.nix - ../../snippets/nix-settings.nix - ./hw.nix - - ./user.nix - repoFlake.inputs.sops-nix.nixosModules.sops + + ../../snippets/nix-settings.nix + ../../snippets/home-manager-with-zsh.nix + + ./system.nix + ./hw.nix + ./user.nix ]; + + boot.kernelPackages = pkgs.linuxPackages; + boot.loader.grub = { + enable = true; + efiSupport = true; + efiInstallAsRemovable = false; + }; + + boot.loader.systemd-boot.enable = false; + boot.loader.efi.canTouchEfiVariables = true; + boot.tmp.useTmpfs = true; + + # Workaround for nm-pptp to enforce module load + boot.kernelModules = [ + "nf_conntrack_proto_gre" + "nf_conntrack_pptp" + ]; + + nixpkgs.config = { + allowBroken = false; + allowUnfree = true; + }; } diff --git a/nix/os/profiles/common/hw.nix b/nix/os/profiles/common/hw.nix index 80bdc31..4d6eb74 100644 --- a/nix/os/profiles/common/hw.nix +++ b/nix/os/profiles/common/hw.nix 
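Review bot: One setting from the deleted `pkg.nix` does not reappear in the additions: `nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs;` is in neither this hunk nor the new `home-manager-with-zsh.nix` snippet, so unless `../../snippets/nix-settings.nix` (whose hunk is cut off at the end of this view) now carries it, the system flake registry presumably falls back to the default `nixpkgs` entry instead of the node's pinned input. Please confirm and re-add it here or in the nix-settings snippet. `nixpkgs.config.allowUnfree = true;` also moves from the package profile into the common profile, so every consumer of `common/configuration.nix` now inherits unfree packages; a one-line comment stating that this is a deliberate profile-wide default would help readers.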
@@ -1,5 +1,12 @@ -{...}: { +_: { hardware.trackpoint.emulateWheel = true; - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "cryptd"]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + "cryptd" + ]; } diff --git a/nix/os/profiles/common/pkg.nix b/nix/os/profiles/common/pkg.nix deleted file mode 100644 index 7cd1dfb..0000000 --- a/nix/os/profiles/common/pkg.nix +++ /dev/null @@ -1,37 +0,0 @@ -{ - config, - pkgs, - # these come in via nodeSpecialArgs and are expected to be defined for every node - repoFlake, - repoFlakeInputs', - nodeFlake, - packages', - ... -}: { - imports = [ - ]; - - nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; - home-manager.useGlobalPkgs = false; - home-manager.useUserPackages = true; - home-manager.users.root = import ../../../home-manager/configuration/text-minimal.nix; - - # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager - # home-manager.extraSpecialArgs = specialArgs; - # hence, opt for passing the arguments selectively instead - home-manager.extraSpecialArgs = { - inherit - repoFlake - repoFlakeInputs' - packages' - nodeFlake - ; - - osConfig = config; - }; - - nixpkgs.config = { - allowBroken = false; - allowUnfree = true; - }; -} diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index 4039a9e..edf8717 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix @@ -1,10 +1,5 @@ +{ pkgs, nodeName, ... }: { - config, - pkgs, - lib, - nodeName, - ... -}: { networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname. networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2; 
@@ -15,11 +10,13 @@ ''; # Fonts, I18N, Date ... - fonts.fonts = [pkgs.corefonts]; + fonts.packages = [ pkgs.corefonts ]; console.font = "lat9w-16"; - i18n = {defaultLocale = "en_US.UTF-8";}; + i18n = { + defaultLocale = "en_US.UTF-8"; + }; time.timeZone = "Etc/UTC"; services.gpm.enable = true; @@ -43,15 +40,12 @@ # mv -Tf /etc/X11/.sessions /etc/X11/sessions # ''; + # TODO: adapt this to be arch agnostic system.activationScripts.lib64 = '' echo "setting up /lib64..." mkdir -p /lib64 ln -sfT ${pkgs.glibc}/lib/ld-linux-x86-64.so.2 /lib64/.ld-linux-x86-64.so.2 mv -Tf /lib64/.ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2 ''; - - programs.zsh.enable = true; - users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = ["/share/zsh"]; programs.fuse.userAllowOther = true; } diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index b21cd4e..6c799c9 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix @@ -3,7 +3,8 @@ pkgs, lib, ... -}: let +}: +let keys = import ../../../variables/keys.nix; inherit (import ../../lib/default.nix { @@ -16,7 +17,8 @@ inherit (lib) types; cfg = config.users.commonUsers; -in { +in +{ options.users.commonUsers = { enable = lib.mkOption { default = true; 
@@ -32,41 +34,60 @@ in { default = config.sops.secrets.sharedUsers-root.path; type = types.path; }; + + # TODO: test if this works + installPassword = lib.mkOption { + default = ""; + type = types.str; + }; }; - config = lib.mkIf cfg.enable { - sops.secrets.sharedUsers-root = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + config = lib.mkIf cfg.enable ( + lib.mkMerge [ + (lib.mkIf (cfg.installPassword == "") { + sops.secrets.sharedUsers-root = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - # neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + # neededForUsers = true; + format = "yaml"; + }; + }) - users.mutableUsers = lib.mkForce false; + { + users.mutableUsers = cfg.installPassword != ""; - users.extraUsers.root = { - passwordFile = cfg.rootPasswordFile; - openssh.authorizedKeys.keys = keys.users.steveej.openssh; + users.users.root = lib.mkMerge [ + { openssh.authorizedKeys.keys = keys.users.steveej.openssh; } - # TODO: investigate why this secret cannot be found - # openssh.authorizedKeys.keyFiles = [ - # config.sops.secrets.sharedSshKeys-steveej.path - # ]; - }; + (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) - users.extraUsers.steveej = lib.mkIf cfg.enableNonRoot (mkUser { - uid = 1000; - passwordFile = config.sops.secrets.sharedUsers-steveej.path; - }); - }; 
+ (lib.mkIf (cfg.installPassword == "") { hashedPasswordFile = cfg.rootPasswordFile; }) + ]; + + users.users.steveej = lib.mkIf cfg.enableNonRoot ( + mkUser ( + lib.mkMerge [ + { uid = 1000; } + + (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) + + (lib.mkIf (cfg.installPassword == "") { + hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; + }) + ] + ) + ); + } + ] + ); } diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix index 7462c08..40fd3f4 100644 --- a/nix/os/profiles/containers/configuration.nix +++ b/nix/os/profiles/containers/configuration.nix @@ -1,8 +1,27 @@ -{...}: { +{ + hostAddress, + pkgs, + lib, + ... +}: +{ networking.useHostResolvConf = false; + networking.firewall.enable = true; + networking.nftables.enable = true; + networking.nftables.flushRuleset = true; + + networking.nameservers = lib.mkForce [ hostAddress ]; + + environment.systemPackages = [ pkgs.dnsutils ]; + imports = [ - ../../snippets/systemd-resolved.nix + { + # keep DNS set up to a minimum: only query the container host + services.resolved.enable = lib.mkForce false; + networking.nameservers = [ hostAddress ]; + } + ../../snippets/nix-settings.nix # ../../modules/ddclient-ovh.nix # ../../modules/ddclient-hetzner.nix ]; diff --git a/nix/os/profiles/graphical-gnome-xorg.nix b/nix/os/profiles/graphical-gnome-xorg.nix index bfd4036..a13dd07 100644 --- a/nix/os/profiles/graphical-gnome-xorg.nix +++ b/nix/os/profiles/graphical-gnome-xorg.nix @@ -1,8 +1,5 @@ +{ pkgs, lib, ... }: { - pkgs, - lib, - ... -}: { services.xserver = { enable = true; libinput.enable = true; 
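Review bot: `installPassword` is a plain `types.str` whose value is assigned to `users.users.root.password` and to the `steveej` user's `password`; NixOS stores `users.users.<name>.password` in clear text in the world-readable Nix store, so the string is readable by every local user and travels with every copy of the closure. That is acceptable for a throwaway install medium, but the option says nothing about it — add `description = "Clear-text bootstrap password for install media only; it is written to the world-readable Nix store.";`. Consider `initialPassword` instead of `password`: with `users.mutableUsers = true` (which this hunk now sets whenever `installPassword` is non-empty) a `password` definition is presumably re-applied on every activation and undoes any later `passwd`, whereas `initialPassword` only applies when the account is created. The `# TODO: test if this works` above the option suggests this branch is untested; a short comment on the `config` block explaining the two modes (sops-managed hashes vs. bootstrap password) would also help.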
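Review bot: `networking.nameservers` is defined twice in the new code — once at top level with `lib.mkForce [ hostAddress ]` and again inside the inline module under `imports`; the `mkForce` wins, so the second definition is dead. Keep one, preferably the inline module since its comment explains the intent, and move the force there: `networking.nameservers = lib.mkForce [ hostAddress ];`. Enabling `networking.firewall` together with `networking.nftables.flushRuleset = true` is a sound default for containers; a one-line comment stating that containers start with a closed firewall and the host as their only resolver would make that policy explicit.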
@@ -98,8 +95,11 @@ support32Bit = true; }; - services.dbus.packages = with pkgs; [dconf]; + services.dbus.packages = with pkgs; [ dconf ]; # More Services - environment.systemPackages = [pkgs.gnome.adwaita-icon-theme pkgs.gnomeExtensions.appindicator]; + environment.systemPackages = [ + pkgs.gnome.adwaita-icon-theme + pkgs.gnomeExtensions.appindicator + ]; } diff --git a/nix/os/profiles/graphical/boot.nix b/nix/os/profiles/graphical/boot.nix index 91b4ae9..4bf6ca4 100644 --- a/nix/os/profiles/graphical/boot.nix +++ b/nix/os/profiles/graphical/boot.nix @@ -1,5 +1,4 @@ -{config, ...}: { - boot.extraModulePackages = [ - config.boot.kernelPackages.v4l2loopback - ]; +{ config, ... }: +{ + boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; } diff --git a/nix/os/profiles/graphical/configuration.nix b/nix/os/profiles/graphical/configuration.nix index b9cf53e..477a93d 100644 --- a/nix/os/profiles/graphical/configuration.nix +++ b/nix/os/profiles/graphical/configuration.nix @@ -1,3 +1,8 @@ -{pkgs, ...}: { - imports = [./boot.nix ./system.nix ./hw.nix]; +{ ... }: +{ + imports = [ + ./boot.nix + ./system.nix + ./hw.nix + ]; } diff --git a/nix/os/profiles/graphical/hw.nix b/nix/os/profiles/graphical/hw.nix index abb1e68..821f5bf 100644 --- a/nix/os/profiles/graphical/hw.nix +++ b/nix/os/profiles/graphical/hw.nix @@ -1,3 +1 @@ -{...}: { - hardware.enableAllFirmware = true; -} +_: { hardware.enableAllFirmware = true; } diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index 1eb2d07..42eccfb 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -1,8 +1,7 @@ +{ pkgs, ... }: { - pkgs, - lib, - ... -}: { + imports = [ ../../snippets/bluetooth.nix ]; + networking.networkmanager = { enable = true; dns = "systemd-resolved"; 
@@ -19,15 +18,14 @@ services.resolved.enable = true; # hardware related services - services.illum.enable = true; services.pcscd.enable = true; hardware.opengl.enable = true; - hardware.bluetooth.enable = true; - # required for running blueman-applet in user sessions - services.dbus.packages = with pkgs; [blueman]; - services.blueman.enable = true; - services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules]; + services.udev.packages = [ + pkgs.libu2f-host + pkgs.yubikey-personalization + pkgs.android-udev-rules + ]; services.udev.extraRules = '' # OnePlusOne ATTR{idVendor}=="05c6", ATTR{idProduct}=="6764", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess" @@ -54,6 +52,9 @@ services.printing = { enable = true; - drivers = with pkgs; [mfcl3770cdwlpr mfcl3770cdwcupswrapper]; + drivers = with pkgs; [ + mfcl3770cdwlpr + mfcl3770cdwcupswrapper + ]; }; } diff --git a/nix/os/profiles/install-medium/iso/Justfile b/nix/os/profiles/install-medium/iso/Justfile index bcd3c66..099a8aa 100644 --- a/nix/os/profiles/install-medium/iso/Justfile +++ b/nix/os/profiles/install-medium/iso/Justfile @@ -1,2 +1,2 @@ build: - nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix + nix-build '' -A config.system.build.isoImage -I nixos-config=iso.nix diff --git a/nix/os/profiles/install-medium/iso/iso.nix b/nix/os/profiles/install-medium/iso/iso.nix index 394aece..a32f3f6 100644 --- a/nix/os/profiles/install-medium/iso/iso.nix +++ b/nix/os/profiles/install-medium/iso/iso.nix 
@@ -5,25 +5,26 @@ pkgs, lib, ... -}: let +}: +let nixos-init-script = '' #!${pkgs.stdenv.shell} export HOME=/root export PATH=${ - pkgs.lib.makeBinPath [ - config.nix.package - pkgs.systemd - pkgs.gnugrep - pkgs.gnused - config.system.build.nixos-rebuild - config.system.build.nixos-install - pkgs.utillinux - pkgs.e2fsprogs - pkgs.coreutils - pkgs.hdparm - ] - }:$PATH + pkgs.lib.makeBinPath [ + config.nix.package + pkgs.systemd + pkgs.gnugrep + pkgs.gnused + config.system.build.nixos-rebuild + config.system.build.nixos-install + pkgs.utillinux + pkgs.e2fsprogs + pkgs.coreutils + pkgs.hdparm + ] + }:$PATH export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels set -xe @@ -61,7 +62,8 @@ nixos-install reboot ''; -in { +in +{ imports = [ @@ -70,13 +72,11 @@ in { # ]; - isoImage.isoName = - lib.mkForce - "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; + isoImage.isoName = lib.mkForce "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; boot.loader.timeout = lib.mkForce 0; boot.postBootCommands = ""; - environment.systemPackages = []; + environment.systemPackages = [ ]; users.users.root = { openssh.authorizedKeys.keys = [ @@ -85,18 +85,18 @@ in { }; services.gpm.enable = true; - systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"]; + systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ]; systemd.services.nixos-init = { script = nixos-init-script; - path = with pkgs; []; + path = with pkgs; [ ]; description = "Initialize /dev/vda from configuration.nix found at /dev/vdb"; enable = true; - wantedBy = ["multi-user.target"]; - after = ["multi-user.target"]; - requires = ["network-online.target"]; + wantedBy = [ "multi-user.target" ]; + after = [ "multi-user.target" ]; + requires = [ "network-online.target" ]; restartIfChanged = false; unitConfig.X-StopOnRemoval = false; 
diff --git a/nix/os/profiles/removable-medium/boot.nix b/nix/os/profiles/removable-medium/boot.nix index e0938bd..17a1dba 100644 --- a/nix/os/profiles/removable-medium/boot.nix +++ b/nix/os/profiles/removable-medium/boot.nix @@ -1,5 +1,6 @@ -{lib, ...}: { +{ lib, ... }: +{ boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; - boot.extraModulePackages = []; + boot.extraModulePackages = [ ]; } diff --git a/nix/os/profiles/removable-medium/configuration.nix b/nix/os/profiles/removable-medium/configuration.nix index 95ca049..ad7def0 100644 --- a/nix/os/profiles/removable-medium/configuration.nix +++ b/nix/os/profiles/removable-medium/configuration.nix @@ -1,4 +1,5 @@ -{...}: { +{ ... }: +{ imports = [ ../../modules/opinionatedDisk.nix diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix index 17c16b0..0f7cbec 100644 --- a/nix/os/profiles/removable-medium/hw.nix +++ b/nix/os/profiles/removable-medium/hw.nix @@ -1,4 +1,4 @@ -{...}: { +_: { hardware.opinionatedDisk.enable = true; hardware.enableAllFirmware = true; } diff --git a/nix/os/profiles/removable-medium/pkg.nix b/nix/os/profiles/removable-medium/pkg.nix index 5a54115..d27081f 100644 --- a/nix/os/profiles/removable-medium/pkg.nix +++ b/nix/os/profiles/removable-medium/pkg.nix @@ -1,4 +1,5 @@ -{pkgs, ...}: { +{ pkgs, ... }: +{ home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix { inherit pkgs; }; diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix index 10a18ef..243edf7 100644 --- a/nix/os/profiles/removable-medium/system.nix +++ b/nix/os/profiles/removable-medium/system.nix 
@@ -1,11 +1,9 @@ -{ - config, - lib, - pkgs, - ... -}: let -in { - services.printing = {enable = false;}; +_: { + services.illum.enable = true; + + services.printing = { + enable = false; + }; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix new file mode 100644 index 0000000..090217e --- /dev/null +++ b/nix/os/snippets/bluetooth.nix @@ -0,0 +1,7 @@ +{ pkgs, ... }: +{ + # required for running blueman-applet in user sessions + services.dbus.packages = with pkgs; [ blueman ]; + hardware.bluetooth.enable = true; + services.blueman.enable = true; +} diff --git a/nix/os/snippets/holo-zerotier.nix b/nix/os/snippets/holo-zerotier.nix new file mode 100644 index 0000000..4371b78 --- /dev/null +++ b/nix/os/snippets/holo-zerotier.nix 
@@ -0,0 +1,53 @@
+{ config, lib, ... }:
+let
+ cfg = config.steveej.holo-zerotier;
+in
+{
+ options.steveej.holo-zerotier = {
+ enable = lib.mkEnableOption "Enable holo-zerotier";
+ autostart = lib.mkOption { default = false; };
+ };
+
+ config = {
+ nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ];
+
+ services.zerotierone = {
+ inherit (cfg) enable;
+ joinNetworks = [
+ # moved to the service below as it's now secret
+ ];
+ };
+
+ systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]);
+
+ systemd.services.zerotieroneSecretNetworks = {
+ inherit (cfg) enable;
+ requiredBy = [ "zerotierone.service" ];
+ partOf = [ "zerotierone.service" ];
+
+ serviceConfig.Type = "oneshot";
+ serviceConfig.RemainAfterExit = true;
+
+ script =
+ let
+ secret = config.sops.secrets.zerotieroneNetworks;
+ in
+ ''
+ # include the secret's hash to trigger a restart on change
+ # ${builtins.hashString "sha256" (builtins.toJSON secret)}
+
+ ${config.systemd.services.zerotierone.preStart}
+
+ rm -rf /var/lib/zerotier-one/networks.d/*.conf
+ for network in `grep -v '#' ${secret.path}`; do
+ touch /var/lib/zerotier-one/networks.d/''${network}.conf
+ done
+ '';
+ };
+
+ sops.secrets.zerotieroneNetworks = {
+ sopsFile = ../../../secrets/work-holo/zerotierone.txt;
+ format = "binary";
+ };
+ };
+}
diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix
new file mode 100644
index 0000000..47ddd8a
--- /dev/null
+++ b/nix/os/snippets/home-manager-with-zsh.nix
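Review bot: The network list is parsed with `grep -v '#' ${secret.path}` and each token is then used unchecked in `touch /var/lib/zerotier-one/networks.d/''${network}.conf`, so a malformed line in the secret (a stray word, a token containing `/`, or a line that merely contains `#` mid-way and is silently dropped) produces wrong files without any error. ZeroTier network IDs are 16 hex digits, so `grep -Eo '^[0-9a-f]{16}$' ${secret.path}` both skips comments and rejects anything that is not an ID. The `rm -rf .../*.conf` before the loop also drops any network joined interactively, which is presumably intended because the secret is the single source of truth — a comment saying so would help. `builtins.hashString "sha256" (builtins.toJSON secret)` hashes the option definition (presumably including the store path of the encrypted `sopsFile`), not the decrypted content; that still changes when the encrypted file changes, but the comment `include the secret's hash` overstates it — say `# hash of the secret's definition (incl. the encrypted file's store path) so the unit restarts on change`.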
@@ -0,0 +1,43 @@
+{
+ nodeFlake,
+ repoFlake,
+ repoFlakeInputs',
+ packages',
+ pkgs,
+ ...
+}:
+let
+ # TODO: make this configurable
+ homeUser = "steveej";
+ commonHomeImports = [
+ ../../home-manager/profiles/common.nix
+ ../../home-manager/programs/neovim.nix
+ ../../home-manager/programs/zsh.nix
+ ];
+in
+{
+ imports = [ nodeFlake.inputs.home-manager.nixosModules.home-manager ];
+
+ # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager
+ # home-manager.extraSpecialArgs = specialArgs;
+ # hence, opt for passing the arguments selectively instead
+ home-manager.extraSpecialArgs = {
+ inherit
+ repoFlake
+ repoFlakeInputs'
+ packages'
+ nodeFlake
+ ;
+ };
+
+ home-manager.useGlobalPkgs = false;
+ home-manager.useUserPackages = true;
+
+ home-manager.users.root = _: { imports = commonHomeImports; };
+
+ home-manager.users."${homeUser}" = _: { imports = commonHomeImports; };
+
+ programs.zsh.enable = true;
+ users.defaultUserShell = pkgs.zsh;
+ environment.pathsToLink = [ "/share/zsh" ];
+}
diff --git a/nix/os/snippets/k3s-w-nix-snapshotter.nix b/nix/os/snippets/k3s-w-nix-snapshotter.nix
new file mode 100644
index 0000000..1774650
--- /dev/null
+++ b/nix/os/snippets/k3s-w-nix-snapshotter.nix
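Review bot: `home-manager.users."${homeUser}"` is declared unconditionally, while the `steveej` account itself is only created when `users.commonUsers.enableNonRoot` is true (see `user.nix` earlier in this diff); a node that imports this snippet with non-root users disabled would presumably end up with a home-manager activation for a user that does not exist. Guard it, e.g. `home-manager.users = lib.mkIf config.users.commonUsers.enableNonRoot { ${homeUser} = _: { imports = commonHomeImports; }; };` (adding `config` and `lib` to the module arguments), or document why the snippet may assume the user exists. The quotes in `"${homeUser}"` are redundant in an attribute path; `home-manager.users.${homeUser}` reads cleaner.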
@@ -0,0 +1,58 @@ +# experiment with k3s, nix-snapshotter, and nixos images +{ + nodeFlake, + pkgs, + lib, + system, + config, + ... +}: +let + cfg = config.steveej.k3s; + +in +# TODO: make this configurable +{ + options.steveej.k3s = { + enable = lib.mkOption { + description = "steveej's k3s distro"; + type = lib.types.bool; + default = true; + }; + }; + + # (1) Import nixos module. + imports = [ nodeFlake.inputs.nix-snapshotter.nixosModules.default ]; + + config = lib.mkIf cfg.enable { + # (2) Add overlay. + nixpkgs.overlays = [ nodeFlake.inputs.nix-snapshotter.overlays.default ]; + + # (3) Enable service. + virtualisation.containerd = { + enable = true; + nixSnapshotterIntegration = true; + + # TODO: understand if this has an influence on the systemd LoadCredential issue + # settings.plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options.SystemdCgroup = lib.mkForce true; + }; + services.nix-snapshotter = { + enable = true; + }; + + # (4) Add a containerd CLI like nerdctl. + environment.systemPackages = [ + pkgs.nerdctl + nodeFlake.inputs.nix-snapshotter.packages.${system}.default + ]; + + services.k3s = { + enable = false; + setKubeConfig = true; + }; + + # home-manager.users."${homeUser}" = _: { + # home.sessionVariables.CONTAINERD_ADDRESS = "/run/user/1000/containerd/containerd.sock"; + # }; + }; +} diff --git a/nix/os/snippets/mycelium.nix b/nix/os/snippets/mycelium.nix new file mode 100644 index 0000000..990477e --- /dev/null +++ b/nix/os/snippets/mycelium.nix 
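Review bot: `options.steveej.k3s.enable` defaults to `true` for what the header comment calls an experiment, so merely importing this snippet adds the nix-snapshotter overlay, enables containerd and installs nerdctl on every host that includes it. An opt-in default is the safer shape: `enable = lib.mkEnableOption "steveej's k3s distro";` (which defaults to false), or keep the explicit `mkOption` and set `default = false;`. `services.k3s.enable = false;` under the `mkIf` also reads oddly inside an option named k3s; if only containerd and the snapshotter are meant to be exercised for now, a comment such as `# k3s itself stays off; only containerd + nix-snapshotter are exercised` would make that intent explicit.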
@@ -0,0 +1,32 @@ +{ + repoFlake, + nodeName, + config, + lib, + ... +}: +let + cfg.autostart = false; +in +{ + imports = [ ]; + + sops.secrets.mycelium-key = { + format = "binary"; + sopsFile = repoFlake + "/secrets/${nodeName}/mycelium_priv_key.bin.enc"; + }; + + services.mycelium = { + enable = true; + # package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd; + keyFile = config.sops.secrets.mycelium-key.path; + addHostedPublicNodes = true; + peers = [ ]; + + # tunName = "mycelium-pub"; + + extraArgs = [ ]; + }; + + systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); +} diff --git a/nix/os/snippets/nix-settings-holo-chain.nix b/nix/os/snippets/nix-settings-holo-chain.nix index 660695c..b660f1c 100644 --- a/nix/os/snippets/nix-settings-holo-chain.nix +++ b/nix/os/snippets/nix-settings-holo-chain.nix @@ -1,9 +1,9 @@ -{pkgs, ...}: { +_: { nix.settings = { substituters = [ "https://holochain-ci.cachix.org" "https://holochain-ci-internal.cachix.org" - "https://cache.holo.host/" + # "https://cache.holo.host/" ]; trusted-public-keys = [ diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix index 36db65e..6340977 100644 --- a/nix/os/snippets/nix-settings.nix +++ b/nix/os/snippets/nix-settings.nix @@ -1,24 +1,25 @@ { nodeFlake, - pkgs, lib, ... -}: { +}: +let + pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; }; +in +{ nix.daemonCPUSchedPolicy = "idle"; nix.daemonIOSchedClass = "idle"; nix.settings.max-jobs = lib.mkDefault "auto"; nix.settings.cores = lib.mkDefault 0; nix.settings.sandbox = true; - nix.nixPath = [ - "nixpkgs=${pkgs.path}" - ]; + nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; nix.settings.experimental-features = [ "nix-command" "flakes" "ca-derivations" - "impure-derivations" + "recursive-nix" ]; nix.settings.system-features = [ 
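Review bot: `cfg.autostart = false` in the `let` is a hard-coded local rather than a module option, so unlike the `autostart` option declared in the holo-zerotier snippet it cannot be overridden per host, and the `lib.mkIf (!cfg.autostart)` branch is always taken — the service is always removed from `multi-user.target`. Declaring it as an option keeps the two snippets consistent: `options.steveej.mycelium.autostart = lib.mkOption { type = lib.types.bool; default = false; };` with `cfg = config.steveej.mycelium;`, which also makes the empty `imports = [ ]` unnecessary. The module also combines `addHostedPublicNodes = true` with `peers = [ ]`, so connectivity depends entirely on the project's hosted public nodes; a one-line comment recording that this is intended would help the next reader.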
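Review bot: Commenting out the `https://cache.holo.host/` substituter leaves whatever entry belongs to it in `trusted-public-keys` (the list starts at the end of the hunk; its contents are outside it and presumably still hold the matching key), and Nix trusts a key for any path regardless of which substituter serves it, so the retired cache's signing key keeps signing authority over this host's store. If the cache is no longer used, drop its key from `trusted-public-keys` in the same change, or comment it out alongside the substituter with a note on why it must stay.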
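Review bot: `pkgs` is removed from the module's argument set (`- pkgs,`) but is still referenced twice on the new side — `inherit (pkgs) system config` in the `pkgsUnstable` binding and `"nixpkgs=${pkgs.path}"` in `nix.nixPath` — and `...` only tolerates extra arguments, it does not bind them, so evaluation will fail with an undefined variable `pkgs`. Either keep `pkgs,` in the argument set or derive `system`/`config` from `nodeFlake` and drop the `pkgs.path` reference. The same `pkgsUnstable` binding feeds `nix.package = pkgsUnstable.nixVersions.latest` in the following hunk (`@@ -28,5 +29,12 @@`), so that hunk is affected as well.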
@@ -28,5 +29,12 @@ "nixos-test" ]; - nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; + # nix.registry.nixpkgs.flake = nodeFlake.inputs.nixpkgs; + nix.registry.nixpkgs.to = { + type = "path"; + path = nodeFlake.inputs.nixpkgs.outPath; + inherit (nodeFlake.inputs.nixpkgs) narHash; + }; + + nix.package = pkgsUnstable.nixVersions.latest; } diff --git a/nix/os/snippets/obs-studio.nix b/nix/os/snippets/obs-studio.nix new file mode 100644 index 0000000..8a99fcb --- /dev/null +++ b/nix/os/snippets/obs-studio.nix @@ -0,0 +1,27 @@ +{ config, ... }: +let + # TODO: make configurable + homeUser = "steveej"; +in +{ + boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ]; + + # Activate kernel modules (choose from built-ins and extra ones) + boot.kernelModules = [ + # Virtual Camera + "v4l2loopback" + # Virtual Microphone, built-in + "snd-aloop" + ]; + + # exclusive_caps: Skype, Zoom, Teams etc. will only show device when actually streaming + # card_label: Name of virtual camera, how it'll show up in Skype, Zoom, Teams + # https://github.com/umlaeute/v4l2loopback + boot.extraModprobeConfig = '' + options v4l2loopback devices=1 video_nr=1 card_label="OBSCam" exclusive_caps=1 + ''; + + security.polkit.enable = true; + + home-manager.users.${homeUser} = _: { imports = [ ../../home-manager/programs/obs-studio.nix ]; }; +} diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix new file mode 100644 index 0000000..709b601 --- /dev/null +++ b/nix/os/snippets/radicale.nix 
@@ -0,0 +1,33 @@ +{ + config, + pkgs, + repoFlakeInputs', + ... +}: +let + # TODO: make configurable + homeUser = "steveej"; +in +{ + sops.secrets.radicale_htpasswd = { + sopsFile = ../../../secrets/desktop/radicale_htpasswd; + format = "binary"; + owner = config.users.users."${homeUser}".name; + }; + + home-manager.users.${homeUser} = _: { + imports = [ + # TODO: bump these to latest and make it work + ( + args: + import ../../home-manager/programs/radicale.nix ( + args + // { + osConfig = config; + pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; + } + ) + ) + ]; + }; +} diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix new file mode 100644 index 0000000..a40eb85 --- /dev/null +++ b/nix/os/snippets/sway-desktop.nix 
@@ -0,0 +1,136 @@ +{ + pkgs, + lib, + config, + ... +}: +let + # TODO: make this configurable + homeUser = "steveej"; +in +{ + services.xserver.serverFlagsSection = '' + Option "BlankTime" "0" + Option "StandbyTime" "0" + Option "SuspendTime" "0" + Option "OffTime" "0" + ''; + + hardware.opengl.enable = true; + + services.gvfs = { + enable = true; + package = lib.mkForce pkgs.gnome.gvfs; + }; + + environment.systemPackages = with pkgs; [ + # provides a default authentification client for policykit + lxqt.lxqt-policykit + ]; + + # required by swaywm + security.polkit.enable = true; + security.pam.services.swaylock = { }; + + # test these on https://mozilla.github.io/webrtc-landing/gum_test.html + xdg.portal = { + enable = true; + # FIXME: `true` breaks xdg-open from alacritty: + # $ xdg-open "https://github.com/" + # Error: GDBus.Error:org.freedesktop.DBus.Error.UnknownMethod: No such interface “org.freedesktop.portal.OpenURI” on object at path /org/freedesktop/portal/desktop + xdgOpenUsePortal = false; + + wlr = { + enable = true; + settings = { + screencast = { + chooser_type = "dmenu"; + # display the output as a list in favor of the default mouse selection + chooser_cmd = lib.getExe ( + pkgs.writeShellApplication { + name = "chooser_cmd"; + runtimeInputs = [ + pkgs.sway + pkgs.jq + pkgs.fuzzel + pkgs.gnused + ]; + text = '' + swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//' + ''; + } + ); + max_fps = 30; + }; + }; + }; + + # keep the behaviour in < 1.17, which uses the first portal implementation found in lexicographical order, use the following: + config = { + common = { + default = [ + "wlr" + "gtk" + ]; + }; + }; + + extraPortals = [ + # repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system}.xdg-desktop-portal-wlr + + pkgs.xdg-desktop-portal-gtk + # (pkgs.xdg-desktop-portal-gtk.override (_: { + # buildPortalsInGnome = false; + # })) + ]; + }; + + # rtkit is 
optional but recommended + security.rtkit.enable = true; + services.pipewire = { + audio.enable = true; + enable = true; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + wireplumber.enable = true; + # If you want to use JACK applications, uncomment this + #jack.enable = true; + }; + + security.pam.services.getty.enableGnomeKeyring = true; + security.pam.services."autovt@tty1".enableGnomeKeyring = true; + services.gnome.gnome-keyring.enable = true; + + # autologin steveej on tty1 + # TODO: make user configurable + systemd.services."autovt@tty1".description = "Autologin at the TTY1"; + systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty + systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; + systemd.services."autovt@tty1".serviceConfig = { + ExecStart = [ + "" # override upstream default with an empty ExecStart + "@${pkgs.utillinux}/sbin/agetty agetty --login-program ${pkgs.shadow}/bin/login --autologin steveej --noclear %I $TERM" + ]; + Restart = "always"; + Type = "idle"; + }; + + programs = + let + steveejSwayOnTty1 = '' + if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then + exec sway + fi + ''; + in + { + bash.loginShellInit = steveejSwayOnTty1; + # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion + zsh.loginShellInit = steveejSwayOnTty1; + }; + + home-manager.users."${homeUser}" = _: { + imports = [ ../../home-manager/profiles/sway-desktop.nix ]; + }; +} diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix index 57dfb86..f7c2301 100644 --- a/nix/os/snippets/systemd-resolved.nix +++ b/nix/os/snippets/systemd-resolved.nix @@ -1,3 +1,4 @@ +{ lib, ... }: { networking.nameservers = [ # https://dnsforge.de/ 
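Review bot: The autologin and login-shell logic hard-codes `steveej` (`--autologin steveej` in the `autovt@tty1` ExecStart and `id --user steveej` in `steveejSwayOnTty1`) even though the file already defines `homeUser` for the home-manager import, so the TODO about making the user configurable can be closed by interpolating `${homeUser}` in those two strings. Since the autologin unit removes the password prompt on tty1 for that user, physical console access equals a full session; a short comment stating that this is accepted for this desktop profile would help later readers. The comparison `test $(id --user steveej) = $(id -u)` is unquoted; `test "$(id --user ${homeUser})" = "$(id -u)"` is more robust if either substitution is ever empty. The hunk begins on the previous line of this page.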
@@ -12,10 +13,16 @@
 services.resolved = {
 enable = true;
 dnssec = "true";
- domains = ["~."];
- extraConfig = ''
- # TODO: figure out why "true" doesn't work
- DNSOverTLS=opportunistic
- '';
+ domains = [ "~." ];
+
+ # TODO: figure out why "true" doesn't work
+ dnsovertls = "opportunistic";
+
+ fallbackDns = lib.mkForce [ ];
+
+ # TODO: IPv6
+ # extraConfig = ''
+ # DNSStubListenerExtra=[::1]:53
+ # '';
 };
 }
diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix
new file mode 100644
index 0000000..67db1e8
--- /dev/null
+++ b/nix/os/snippets/timezone.nix
@@ -0,0 +1,7 @@
+{ lib, ... }:
+let
+ passwords = import ../../variables/passwords.crypt.nix;
+in
+{
+ time.timeZone = lib.mkDefault passwords.timeZone.stefan;
+}
diff --git a/nix/pkgs/browserpass/default.nix b/nix/pkgs/browserpass/default.nix
index 5b13732..34a6977 100644
--- a/nix/pkgs/browserpass/default.nix
+++ b/nix/pkgs/browserpass/default.nix
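Review bot: `dnsovertls = "opportunistic"` makes systemd-resolved fall back to plaintext DNS whenever TLS fails and skips server certificate validation, so it defends against passive observation only, not an active resolver impersonation; `dnssec = "true"` covers record authenticity but not the transport. Strict mode presumably fails because resolved needs a server name to validate the certificate against; `networking.nameservers` entries can carry it as `ip#hostname` (the `dnsforge.de` list is outside this hunk), after which `dnsovertls = "true"` should work. Until then a comment spelling out the trade-off would help: `# opportunistic: falls back to plaintext and skips cert validation; strict mode needs ip#hostname entries in networking.nameservers`. `fallbackDns = lib.mkForce [ ]` is a good hardening step, since it stops resolved from quietly using the compiled-in public fallback resolvers.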
@@ -1,27 +1,27 @@ -with import {}; - stdenv.mkDerivation rec { - broken = true; +with import { }; +stdenv.mkDerivation rec { + broken = true; - name = "browserpass"; - version = "2.0.9"; + name = "browserpass"; + version = "2.0.9"; - src = fetchzip { - url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; - sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; - stripRoot = false; - }; + src = fetchzip { + url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; + sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; + stripRoot = false; + }; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath []; - installPhase = '' - set -x - patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 + libPath = lib.makeLibraryPath [ ]; + installPhase = '' + set -x + patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 - mkdir -p $out/bin - cp -a * $out/bin/ - # wrapProgram $out/bin/browserpass-linux64 \ - # --prefix LD_LIBRARY_PATH : "${libPath}" - # - ''; - } + mkdir -p $out/bin + cp -a * $out/bin/ + # wrapProgram $out/bin/browserpass-linux64 \ + # --prefix LD_LIBRARY_PATH : "${libPath}" + # + ''; +} diff --git a/nix/pkgs/dcpj4110dw/default.nix b/nix/pkgs/dcpj4110dw/default.nix index 8a4f6a6..93f59c7 100644 --- a/nix/pkgs/dcpj4110dw/default.nix +++ b/nix/pkgs/dcpj4110dw/default.nix @@ -16,7 +16,8 @@ file, proot, bash, -}: let +}: +let model = "dcpj4110dw"; version = "3.0.1-1"; src = fetchurl { @@ -24,12 +25,16 @@ sha256 = "sha256-ryKDsSkabAD2X3WLmeqjdB3+4DXdJ0qUz3O64DV+ixw="; }; reldir = "opt/brother/Printers/${model}/"; -in rec { +in +rec { driver = pkgsi686Linux.stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; unpackPhase = "dpkg-deb -x $src $out"; 
@@ -45,7 +50,18 @@ in rec { mv $out/${reldir}/lpd/filter${model} $out/${reldir}/lpd/.wrapped_filter${model} cat <<-EOF >$out/${reldir}/lpd/.wrapper_inner_filter${model} - export PATH=\$PATH:${lib.makeBinPath [gawk file a2ps coreutils ghostscript gnugrep gnused which]} + export PATH=\$PATH:${ + lib.makeBinPath [ + gawk + file + a2ps + coreutils + ghostscript + gnugrep + gnused + which + ] + } exec $out/${reldir}/lpd/.wrapped_filter${model} EOF chmod +x $out/${reldir}/lpd/.wrapper_inner_filter${model} @@ -64,10 +80,13 @@ in rec { meta = { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; + sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; # license = lib.licenses.unfree; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; @@ -81,14 +100,29 @@ in rec { name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; - buildInputs = [cups ghostscript a2ps gawk]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; + buildInputs = [ + cups + ghostscript + a2ps + gawk + ]; unpackPhase = "dpkg-deb -x $src $out"; installPhase = '' wrapProgram $out/${reldir}/cupswrapper/cupswrapper${model} \ - --prefix PATH : ${lib.makeBinPath [coreutils ghostscript gnugrep gnused]} + --prefix PATH : ${ + lib.makeBinPath [ + coreutils + ghostscript + gnugrep + gnused + ] + } patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ $out/${reldir}/cupswrapper/brcupsconfpt1 
@@ -100,10 +134,13 @@ in rec { meta = { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; + sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; license = lib.licenses.gpl2; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; } diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix index 6f114b2..78b37a6 100644 --- a/nix/pkgs/default.nix +++ b/nix/pkgs/default.nix @@ -1,5 +1,6 @@ -{pkgs}: { - duplicacy = pkgs.callPackage ../pkgs/duplicacy {}; +{ pkgs }: +{ + duplicacy = pkgs.callPackage ../pkgs/duplicacy { }; staruml = pkgs.callPackage ../pkgs/staruml.nix { inherit (pkgs.gnome2) GConf; libgcrypt = pkgs.libgcrypt_1_5; diff --git a/nix/pkgs/duplicacy/default.nix b/nix/pkgs/duplicacy/default.nix index 7a3fc19..b961a17 100644 --- a/nix/pkgs/duplicacy/default.nix +++ b/nix/pkgs/duplicacy/default.nix @@ -1,7 +1,4 @@ -{ - buildGoPackage, - fetchFromGitHub, -}: +{ buildGoPackage, fetchFromGitHub }: buildGoPackage rec { name = "duplicay-${version}"; version = "2.1.2"; diff --git a/nix/pkgs/duplicacy/shell.nix b/nix/pkgs/duplicacy/shell.nix index 051e832..045572c 100644 --- a/nix/pkgs/duplicacy/shell.nix +++ b/nix/pkgs/duplicacy/shell.nix @@ -1,12 +1,12 @@ -with import {}; - stdenv.mkDerivation { - name = "env"; - buildInputs = [ - zsh - go - go2nix - dep2nix - nix-prefetch-github - (callPackage ./default.nix {}) - ]; - } +with import { }; +stdenv.mkDerivation { + name = "env"; + buildInputs = [ + zsh + go + go2nix + dep2nix + nix-prefetch-github + (callPackage ./default.nix { }) + ]; +} diff --git a/nix/pkgs/jay.nix b/nix/pkgs/jay.nix index a4c2db4..9a7b0e5 100644 --- a/nix/pkgs/jay.nix +++ b/nix/pkgs/jay.nix 
@@ -31,6 +31,6 @@ rustPlatform.buildRustPackage rec {
 homepage = "https://github.com/mahkoh/jay";
 license = licenses.gpl3;
 platforms = platforms.linux;
- maintainers = with maintainers; [dit7ya];
+ maintainers = with maintainers; [ dit7ya ];
 };
 }
diff --git a/nix/pkgs/logseq/Containerfile b/nix/pkgs/logseq/Containerfile
new file mode 100644
index 0000000..97464d1
--- /dev/null
+++ b/nix/pkgs/logseq/Containerfile
@@ -0,0 +1,57 @@ +# NOTE: please keep it in sync with .github pipelines +# NOTE: during testing make sure to change the branch below +# NOTE: before running the build-docker GH action edit +# build-docker.yml and change the release channel from :latest to :testing + +# Builder image +# FROM clojure:temurin-11-tools-deps-1.11.1.1208-bullseye-slim as builder +FROM clojure:temurin-11-tools-deps-bullseye-slim as builder + +ARG DEBIAN_FRONTEND=noninteractive + +# Install reqs +RUN echo 1 +RUN apt-get update && apt-get install -y --no-install-recommends \ + curl \ + ca-certificates \ + apt-transport-https \ + gpg \ + build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev \ + zip + +# install NodeJS & yarn +RUN curl -sL https://deb.nodesource.com/setup_20.x | bash - + +RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | tee /etc/apt/trusted.gpg.d/yarn.gpg && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && apt-get update && apt-get install -y nodejs yarn + +WORKDIR /data + +ENV VERSION=0.10.9 + +# build Logseq static resources +RUN git clone -b ${VERSION} https://github.com/logseq/logseq.git . + +RUN yarn config set network-timeout 240000 -g && yarn install +RUN yarn release-electron + +RUN mkdir /out +RUN mv /data/static/out/make/zip /out/${VERSION}.zip +RUN mv /data/static/out/make/*.AppImage /out/ + +FROM scratch as artifacts +COPY --from=builder /out / +# Logseq-${VERSION}.AppImage +# RUN mv zip /${VERSION}.zip + +# RUN \ +# mkdir -p builds +# # NOTE: save VERSION file to builds directory +# cp static/VERSION ./builds/VERSION +# mv static/out/make/*-*.AppImage ./builds/Logseq-linux-aarch64-${VERSION}.AppImage +# mv static/out/make/zip/linux/x64/*-linux-x64-*.zip ./builds/Logseq-linux-aarch64-${VERSION}.zip + +# # Web App Runner image +# FROM nginx:1.24.0-alpine3.17 +# +# COPY --from=builder /data/static /usr/share/nginx/html +# 
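Review bot: `RUN mv /data/static/out/make/zip /out/${VERSION}.zip` renames a directory, not an archive — the commented-out block further down refers to `static/out/make/zip/linux/x64/*-linux-x64-*.zip`, so `/out/0.10.9.zip` would be a directory containing the real zip; `mv /data/static/out/make/zip/linux/x64/*-linux-x64-*.zip /out/${VERSION}.zip` is presumably what was meant. The NodeJS setup pipes a remote script straight into a root shell (`curl -sL https://deb.nodesource.com/setup_20.x | bash -`) and the yarn key is dropped into `trusted.gpg.d`, which trusts it for every apt source; verifying the script against a known checksum before running it and using `signed-by=` on the yarn source line would narrow the supply-chain exposure. `git clone -b ${VERSION}` checks out a mutable tag, so recording the release's commit hash in a comment (an obviously labelled placeholder until it is filled in) and checking that out makes the build verifiable. The apt list also does not install `git`; the base image presumably ships it, but a comment saying so avoids a surprise when the base image changes.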
diff --git a/nix/pkgs/logseq/README.md b/nix/pkgs/logseq/README.md new file mode 100644 index 0000000..0c596b6 --- /dev/null +++ b/nix/pkgs/logseq/README.md @@ -0,0 +1,22 @@ +# build instructions + +this is pseudocode that serves as a reminder + +1. podman build -f Containerfile -t logseq +2. CONTAINER_ID=$(podman container create logseq) +3. podman unshare +4. podman mount $CONTAINER_ID +5. copy and upload the AppImage. e.g. + ``` + cp /home/steveej/.local/share/containers/storage/overlay/f932ca9f11ea2bfd6b221118eb54775a623bc519bfe38188afcbad51dda2777f/merged/Logseq-0.10.9.AppImage . + exit + scp Logseq-0.10.9.AppImage root@www.stefanjunker.de:/var/lib/container-volumes/webserver/var-www/stefanjunker.de/htdocs/caddy/downloads/ + ``` +6. podman unshare +7. podman unmount + +# resources + +- https://github.com/logseq/logseq/blob/dc5127b48a7874627bd9ab63696f7ddf821b90a7/docs/develop-logseq.md?plain=1#L90 +- https://github.com/logseq/logseq/blob/master/Dockerfile +- https://github.com/randomwangran/logseq-nix-flake diff --git a/nix/pkgs/magmawm.nix b/nix/pkgs/magmawm.nix index 2d4c335..c1850c1 100644 --- a/nix/pkgs/magmawm.nix +++ b/nix/pkgs/magmawm.nix @@ -8,7 +8,6 @@ libinput, libxkbcommon, mesa, - pango, udev, dbus, libGL, @@ -18,9 +17,7 @@ craneLib.buildPackage { pname = "magmawm"; version = src.rev; - nativeBuildInputs = [ - pkg-config - ]; + nativeBuildInputs = [ pkg-config ]; buildInputs = [ wayland @@ -45,6 +42,6 @@ craneLib.buildPackage { homepage = "https://github.com/MagmaWM/MagmaWM"; license = licenses.gpl3; platforms = platforms.linux; - maintainers = with maintainers; []; + maintainers = with maintainers; [ ]; }; } diff --git a/nix/pkgs/mfcl3770cdw.nix b/nix/pkgs/mfcl3770cdw.nix index 5c04cbf..142c1c0 100644 --- a/nix/pkgs/mfcl3770cdw.nix +++ b/nix/pkgs/mfcl3770cdw.nix @@ -11,7 +11,8 @@ which, perl, lib, -}: let +}: +let model = "mfcl3770cdw"; version = "1.0.2-0"; src = fetchurl { 
@@ -19,12 +20,16 @@ sha256 = "09fhbzhpjymhkwxqyxzv24b06ybmajr6872yp7pri39595mhrvay"; }; reldir = "opt/brother/Printers/${model}/"; -in rec { +in +rec { driver = stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; unpackPhase = "dpkg-deb -x $src $out"; @@ -36,8 +41,14 @@ in rec { --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/lpd/filter_${model} \ --prefix PATH : ${ - lib.makeBinPath [coreutils ghostscript gnugrep gnused which] - } + lib.makeBinPath [ + coreutils + ghostscript + gnugrep + gnused + which + ] + } # need to use i686 glibc here, these are 32bit proprietary binaries interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2 patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter @@ -47,8 +58,11 @@ in rec { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; license = lib.licenses.unfree; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; @@ -56,7 +70,10 @@ in rec { inherit version src; name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [dpkg makeWrapper]; + nativeBuildInputs = [ + dpkg + makeWrapper + ]; unpackPhase = "dpkg-deb -x $src $out"; @@ -68,7 +85,13 @@ in rec { --replace "basedir =~" "basedir = \"$basedir\"; #" \ --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/cupswrapper/brother_lpdwrapper_${model} \ - --prefix PATH : ${lib.makeBinPath [coreutils gnugrep gnused]} + --prefix PATH : ${ + lib.makeBinPath [ + coreutils + gnugrep + gnused + ] + } mkdir -p $out/lib/cups/filter mkdir -p $out/share/cups/model ln $dir/cupswrapper/brother_lpdwrapper_${model} $out/lib/cups/filter 
@@ -79,8 +102,11 @@ in rec { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; license = lib.licenses.gpl2; - platforms = ["x86_64-linux" "i686-linux"]; - maintainers = [lib.maintainers.steveej]; + platforms = [ + "x86_64-linux" + "i686-linux" + ]; + maintainers = [ lib.maintainers.steveej ]; }; }; } diff --git a/nix/pkgs/nozbe/default.nix b/nix/pkgs/nozbe/default.nix index 368add8..e5ac519 100644 --- a/nix/pkgs/nozbe/default.nix +++ b/nix/pkgs/nozbe/default.nix 
@@ -1,60 +1,60 @@ -with import {}; - stdenv.mkDerivation rec { - name = "nozbe"; - version = "3.6.3"; +with import { }; +stdenv.mkDerivation rec { + name = "nozbe"; + version = "3.6.3"; - src = fetchzip { - url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; - sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; - stripRoot = false; - }; + src = fetchzip { + url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; + sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; + stripRoot = false; + }; - buildInputs = [makeWrapper]; + buildInputs = [ makeWrapper ]; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ - alsaLib - atk - cairo - cups - dbus - expat - freetype - fontconfig - gnome3.gconf - gcc.cc - gdk_pixbuf - gtk2-x11 - glib - pango - nss - nspr - systemd.lib - xorg.libX11 - xorg.libXcursor - xorg.libXcomposite - xorg.libXext - xorg.libXfixes - xorg.libXdamage - xorg.libXi - xorg.libXrandr - xorg.libXrender - xorg.libXtst - xorg.libXScrnSaver - ]; - installPhase = '' - pushd Nozbe-${version} - ls -lha + libPath = lib.makeLibraryPath [ + alsaLib + atk + cairo + cups + dbus + expat + freetype + fontconfig + gnome3.gconf + gcc.cc + gdk_pixbuf + gtk2-x11 + glib + pango + nss + nspr + systemd.lib + xorg.libX11 + xorg.libXcursor + xorg.libXcomposite + xorg.libXext + xorg.libXfixes + xorg.libXdamage + xorg.libXi + xorg.libXrandr + xorg.libXrender + xorg.libXtst + xorg.libXScrnSaver + ]; + installPhase = '' + pushd Nozbe-${version} + ls -lha - patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe + patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe - mkdir -p $out/bin - cp -a * $out/ + mkdir -p $out/bin + cp -a * $out/ - wrapProgram $out/Nozbe \ - --prefix LD_LIBRARY_PATH : "${libPath}" + wrapProgram $out/Nozbe \ + --prefix LD_LIBRARY_PATH : "${libPath}" - ln -sf ../Nozbe $out/bin/ - ''; - } + ln -sf ../Nozbe $out/bin/ + ''; +} 
diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix index 4d993ba..b7ad5cb 100644 --- a/nix/pkgs/posh.nix +++ b/nix/pkgs/posh.nix @@ -1,42 +1,44 @@ # posh makes use of podman to run an encapsulated shell session -{pkgs, ...}: let - cniConfigDir = let - loopback = pkgs.writeText "00-loopback.conf" '' - { - "cniVersion": "0.3.0", - "type": "loopback" - } - ''; - - podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' - { +{ pkgs, ... }: +let + cniConfigDir = + let + loopback = pkgs.writeText "00-loopback.conf" '' + { "cniVersion": "0.3.0", - "name": "podman", - "plugins": [ - { - "type": "bridge", - "bridge": "cni0", - "isGateway": true, - "ipMasq": true, - "ipam": { - "type": "host-local", - "subnet": "10.88.0.0/16", - "routes": [ - { "dst": "0.0.0.0/0" } - ] + "type": "loopback" + } + ''; + + podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } - } - ] - } - ''; - in - pkgs.runCommand "cniConfig" {} '' + ] + } + ''; + in + pkgs.runCommand "cniConfig" { } '' set -x mkdir $out; ln -s ${loopback} $out/${loopback.name} 
@@ -125,54 +127,58 @@ } ''; in - { - image, - pull ? "always", - global_args ? "", - run_args ? "", - userns ? "keep-id", - }: - (pkgs.writeScriptBin "posh" '' - #! ${pkgs.bash}/bin/bash - source /etc/profile +{ + image, + pull ? "always", + global_args ? "", + run_args ? "", + userns ? "keep-id", +}: +(pkgs.writeScriptBin "posh" '' + #! ${pkgs.bash}/bin/bash + source /etc/profile - test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" - tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" + test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" + tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" - # define these as variables so we can override them at runtime - POSH_IMAGE=${image} - POSH_PULL=${pull} + # define these as variables so we can override them at runtime + POSH_IMAGE=${image} + POSH_PULL=${pull} - if [ "$1" == "-c" ]; then - # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string - shift - # TODO parse the beginning of the command for POSH_* overrides - fi + if [ "$1" == "-c" ]; then + # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string + shift + # TODO parse the beginning of the command for POSH_* overrides + fi - test "$@" && cmd=( -c "$@") + test "$@" && cmd=( -c "$@") - HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" - HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" - test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR - ln -sf ${policy-json} $HOME_POLICY_JSON + HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" + HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" + test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR + ln -sf ${policy-json} $HOME_POLICY_JSON - set -x - exec ${pkgs.podman}/bin/podman \ - --cgroup-manager=cgroupfs \ - ${global_args} \ - run \ - 
--annotation=io.crun.keep_original_groups=1 \ - --config ${podmanConfig} \ - --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ - --rm -i --network host --pull=''${POSH_PULL} \ - $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ - ${ - if userns != null - then "--userns=" + userns - else "" - } \ - ${run_args} \ - ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" - '') - .overrideAttrs (attrs: attrs // {passthru = {shellPath = "/bin/posh";};}) + set -x + exec ${pkgs.podman}/bin/podman \ + --cgroup-manager=cgroupfs \ + ${global_args} \ + run \ + --annotation=io.crun.keep_original_groups=1 \ + --config ${podmanConfig} \ + --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ + --rm -i --network host --pull=''${POSH_PULL} \ + $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ + ${if userns != null then "--userns=" + userns else ""} \ + ${run_args} \ + ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" +'').overrideAttrs + ( + attrs: + attrs + // { + passthru = { + shellPath = "/bin/posh"; + }; + } + ) diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix index ffcc730..5e50ecf 100644 --- a/nix/pkgs/slirp4netns.nix +++ b/nix/pkgs/slirp4netns.nix @@ -18,7 +18,13 @@ stdenv.mkDerivation rec { sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4"; }; - buildInputs = [autoconf automake libtool gnumake gcc]; + buildInputs = [ + autoconf + automake + libtool + gnumake + gcc + ]; configurePhase = '' ./autogen.sh @@ -37,7 +43,7 @@ stdenv.mkDerivation rec { description = "User-mode networking for unprivileged network namespaces"; homepage = "https://github.com/rootless-containers/slirp4netns"; license = null; - maintainers = [maintainers.steveej]; + maintainers = [ maintainers.steveej ]; platforms = platforms.all; }; } diff --git a/nix/pkgs/staruml.nix b/nix/pkgs/staruml.nix index a0e9d90..35399ad 100644 --- a/nix/pkgs/staruml.nix +++ b/nix/pkgs/staruml.nix 
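Review bot: `HOME_CONTAINERS_CONFIGIDR` on the `test -d ... || mkdir ...` line is a typo for `HOME_CONTAINERS_CONFIGDIR`, so the variable is empty, `mkdir` runs without an operand, and the following `ln -sf ${policy-json} $HOME_POLICY_JSON` fails whenever `~/.config/containers` does not exist yet; because the script has no `set -e`, podman then starts with whatever signature policy it finds instead of the one this package pins. The line should read `test -d "$HOME_CONTAINERS_CONFIGDIR" || mkdir -p "$HOME_CONTAINERS_CONFIGDIR"`. This hunk only re-indents the script, but the typo is carried over onto the new side, and the hunk starts on the previous line of this page.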
@@ -15,7 +15,8 @@ libgcrypt, dbus, systemd, -}: let +}: +let inherit (stdenv) lib; LD_LIBRARY_PATH = lib.makeLibraryPath [ glib 
@@ -30,55 +31,56 @@ dbus ]; in - stdenv.mkDerivation rec { - version = "2.8.1"; - name = "staruml-${version}"; +stdenv.mkDerivation rec { + version = "2.8.1"; + name = "staruml-${version}"; - src = - if stdenv.system == "i686-linux" - then - fetchurl - { - url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; - sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; - } - else - fetchurl { - url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; - sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; - }; + src = + if stdenv.system == "i686-linux" then + fetchurl { + url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; + sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; + } + else + fetchurl { + url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; + sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; + }; - buildInputs = [dpkg]; + buildInputs = [ dpkg ]; - nativeBuildInputs = [makeWrapper]; + nativeBuildInputs = [ makeWrapper ]; - unpackPhase = '' - mkdir pkg - dpkg-deb -x $src pkg - sourceRoot=pkg - ''; + unpackPhase = '' + mkdir pkg + dpkg-deb -x $src pkg + sourceRoot=pkg + ''; - installPhase = '' - mkdir $out - mv opt/staruml $out/bin + installPhase = '' + mkdir $out + mv opt/staruml $out/bin - mkdir -p $out/lib - ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ - ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 + mkdir -p $out/lib + ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ + ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 - for binary in StarUML Brackets-node; do - ${patchelf}/bin/patchelf \ - --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/bin/$binary - wrapProgram $out/bin/$binary \ - --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} - done - ''; + for binary in StarUML Brackets-node; do + 
${patchelf}/bin/patchelf \ + --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ + $out/bin/$binary + wrapProgram $out/bin/$binary \ + --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} + done + ''; - meta = with stdenv.lib; { - description = "A sophisticated software modeler"; - homepage = "http://staruml.io/"; - license = licenses.unfree; - platforms = ["i686-linux" "x86_64-linux"]; - }; - } + meta = with stdenv.lib; { + description = "A sophisticated software modeler"; + homepage = "http://staruml.io/"; + license = licenses.unfree; + platforms = [ + "i686-linux" + "x86_64-linux" + ]; + }; +} diff --git a/nix/scripts/pre-eval-fixed.sh b/nix/scripts/pre-eval-fixed.sh index 25a3e36..ec7b14e 100755 --- a/nix/scripts/pre-eval-fixed.sh +++ b/nix/scripts/pre-eval-fixed.sh @@ -3,7 +3,7 @@ set -xe INFILE="${1:?Please set arg1 to INFILE}" OUTFILE="${2:?Please set arg2 to OUTFILE}" # sha256-1fm94N2Y9ptXVN6ni0nJyPRK+nsvoeliqBcFyjlaTH4= -# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm -hash=$(nix-build ${INFILE} --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') +# sha256:0zjcb8wwl18pm1ifk89gggx4mx68r54qp9yyaibrpxlqvphbvyfm +hash=$(nix-build "${INFILE}" --arg pkgs 'import {}' --arg config 'null' 2>&1 | rg -o 'got.*(sha256[:-].+)$' -r '$1') -sed -E "s/0{52}/${hash}/" ${INFILE} > ${OUTFILE} +sed -E "s/0{52}/${hash}/" "${INFILE}" >"${OUTFILE}" diff --git a/nix/sources.json b/nix/sources.json deleted file mode 100644 index 49bfd31..0000000 --- a/nix/sources.json +++ /dev/null 
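Review bot: The last added line, `sed -E "s/0{52}/${hash}/" "${INFILE}" >"${OUTFILE}"`, uses `/` as the sed delimiter while `hash` is captured from the fetcher's `got` output as a base64-style value (`sha256-…=`), and base64 may contain `/`, which would turn the substitution into a sed syntax error for such hashes; a delimiter outside the base64 alphabet avoids this, e.g. `sed -E "s|0{52}|${hash}|" "${INFILE}" >"${OUTFILE}"`. It is also worth stating in a comment that the value written into OUTFILE is whatever the fetch returned, not a hash checked against an independent source, for example `# NOTE: trust-on-first-use — the hash is taken from the fetcher's own output; cross-check it against upstream before committing`. The lines before `set -xe` are outside the hunk.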
@@ -1,14 +0,0 @@ -{ - "nixpkgs": { - "branch": "release-22.05", - "description": "Nix Packages collection", - "homepage": "https://github.com/NixOS/nixpkgs", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "26fe7618c7efbbfe28db9a52a21fb87e67ebaf06", - "sha256": "0wi8l10zn808psf0i7ka3ifpx46vdv2fkq3hcb9d5m72fv64vznr", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/26fe7618c7efbbfe28db9a52a21fb87e67ebaf06.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - } -} diff --git a/nix/sources.nix b/nix/sources.nix deleted file mode 100644 index 87a7093..0000000 --- a/nix/sources.nix +++ /dev/null 
@@ -1,260 +0,0 @@ -# This file has been generated by Niv. -let - # - # The fetchers. fetch_ fetches specs of type . - # - fetch_file = pkgs: name: spec: let - name' = sanitizeName name + "-src"; - in - if spec.builtin or true - then - builtins_fetchurl - { - inherit (spec) url sha256; - name = name'; - } - else - pkgs.fetchurl { - inherit (spec) url sha256; - name = name'; - }; - - fetch_tarball = pkgs: name: spec: let - name' = sanitizeName name + "-src"; - in - if spec.builtin or true - then - builtins_fetchTarball - { - name = name'; - inherit (spec) url sha256; - } - else - pkgs.fetchzip { - name = name'; - inherit (spec) url sha256; - }; - - fetch_git = name: spec: let - ref = - if spec ? ref - then spec.ref - else if spec ? branch - then "refs/heads/${spec.branch}" - else if spec ? tag - then "refs/tags/${spec.tag}" - else - abort - "In git source '${name}': Please specify `ref`, `tag` or `branch`!"; - submodules = - if spec ? submodules - then spec.submodules - else false; - submoduleArg = let - nixSupportsSubmodules = - builtins.compareVersions builtins.nixVersion "2.4" >= 0; - emptyArgWithWarning = - if submodules == true - then - builtins.trace - (''The niv input "${name}" uses submodules '' - + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " - + "does not support them") - {} - else {}; - in - if nixSupportsSubmodules - then { - inherit submodules; - } - else emptyArgWithWarning; - in - builtins.fetchGit ({ - url = spec.repo; - inherit (spec) rev; - inherit ref; - } - // submoduleArg); - - fetch_local = spec: spec.path; - - fetch_builtin-tarball = name: - throw '' - [${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. - $ niv modify ${name} -a type=tarball -a builtin=true''; - - fetch_builtin-url = name: - throw '' - [${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. 
- $ niv modify ${name} -a type=file -a builtin=true''; - - # - # Various helpers - # - - # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 - sanitizeName = name: (concatMapStrings (s: - if builtins.isList s - then "-" - else s) - (builtins.split "[^[:alnum:]+._?=-]+" - ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name))); - - # The set of packages used when specs are fetched using non-builtins. - mkPkgs = sources: system: let - sourcesNixpkgs = - import - (builtins_fetchTarball {inherit (sources.nixpkgs) url sha256;}) - { - inherit system; - }; - hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; - hasThisAsNixpkgsPath = == ./.; - in - if builtins.hasAttr "nixpkgs" sources - then sourcesNixpkgs - else if hasNixpkgsPath && !hasThisAsNixpkgsPath - then import {} - else - abort '' - Please specify either (through -I or NIX_PATH=nixpkgs=...) or - add a package called "nixpkgs" to your sources.json. - ''; - - # The actual fetching function. - fetch = pkgs: name: spec: - if !builtins.hasAttr "type" spec - then abort "ERROR: niv spec ${name} does not have a 'type' attribute" - else if spec.type == "file" - then fetch_file pkgs name spec - else if spec.type == "tarball" - then fetch_tarball pkgs name spec - else if spec.type == "git" - then fetch_git name spec - else if spec.type == "local" - then fetch_local spec - else if spec.type == "builtin-tarball" - then fetch_builtin-tarball name - else if spec.type == "builtin-url" - then fetch_builtin-url name - else - abort - "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; - - # If the environment variable NIV_OVERRIDE_${name} is set, then use - # the path directly as opposed to the fetched source. 
- replace = name: drv: let - saneName = - stringAsChars - (c: - if isNull (builtins.match "[a-zA-Z0-9]" c) - then "_" - else c) - name; - ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; - in - if ersatz == "" - then drv - else - # this turns the string into an actual Nix path (for both absolute and - # relative paths) - if builtins.substring 0 1 ersatz == "/" - then /. + ersatz - else /. + builtins.getEnv "PWD" + "/${ersatz}"; - - # Ports of functions for older nix versions - - # a Nix version of mapAttrs if the built-in doesn't exist - mapAttrs = - builtins.mapAttrs - or (f: set: - with builtins; - listToAttrs (map (attr: { - name = attr; - value = f attr set.${attr}; - }) (attrNames set))); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 - range = first: last: - if first > last - then [] - else builtins.genList (n: first + n) (last - first + 1); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 - stringToCharacters = s: - map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 - stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); - concatMapStrings = f: list: concatStrings (map f list); - concatStrings = builtins.concatStringsSep ""; - - # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 - optionalAttrs = cond: as: - if cond - then as - else {}; - - # fetchTarball version that is compatible between all the versions of Nix - builtins_fetchTarball = { - url, - name ? 
null, - sha256, - } @ attrs: let - inherit (builtins) lessThan nixVersion fetchTarball; - in - if lessThan nixVersion "1.12" - then - fetchTarball - ({inherit url;} // (optionalAttrs (!isNull name) {inherit name;})) - else fetchTarball attrs; - - # fetchurl version that is compatible between all the versions of Nix - builtins_fetchurl = { - url, - name ? null, - sha256, - } @ attrs: let - inherit (builtins) lessThan nixVersion fetchurl; - in - if lessThan nixVersion "1.12" - then - fetchurl - ({inherit url;} // (optionalAttrs (!isNull name) {inherit name;})) - else fetchurl attrs; - - # Create the final "sources" from the config - mkSources = config: - mapAttrs - (name: spec: - if builtins.hasAttr "outPath" spec - then - abort - "The values in sources.json should not have an 'outPath' attribute" - else spec // {outPath = replace name (fetch config.pkgs name spec);}) - config.sources; - - # The "config" used by the fetchers - mkConfig = { - sourcesFile ? - if builtins.pathExists ./sources.json - then ./sources.json - else null, - sources ? - if isNull sourcesFile - then {} - else builtins.fromJSON (builtins.readFile sourcesFile), - system ? builtins.currentSystem, - pkgs ? mkPkgs sources system, - }: rec { - # The sources, i.e. the attribute set of spec name to spec - inherit sources; - - # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers - inherit pkgs; - }; -in - mkSources (mkConfig {}) - // { - __functor = _: settings: mkSources (mkConfig settings); - } diff --git a/nix/tests/buildvmwithbootloader/build-vm.nix b/nix/tests/buildvmwithbootloader/build-vm.nix index be819b6..a085713 100644 --- a/nix/tests/buildvmwithbootloader/build-vm.nix +++ b/nix/tests/buildvmwithbootloader/build-vm.nix 
@@ -3,20 +3,14 @@ vmPkgsPath, buildPkgsPath, nixosConfigPath, -}: let - buildPkgs = import buildPkgsPath {}; - vmPkgs' = import vmPkgsPath {}; - vmPkgs = - vmPkgs' - // { - runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; - }; +}: +let + vmPkgs' = import vmPkgsPath { }; + vmPkgs = vmPkgs' // { + runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; + }; - importWithPkgs = { - path, - pkgs, - }: args: - import path (args // {inherit pkgs;}); + importWithPkgs = { path, pkgs }: args: import path (args // { inherit pkgs; }); nixosConfig = importWithPkgs { path = "${nixosConfigPath}"; @@ -36,8 +30,10 @@ modules = [ nixosConfig vmConfig - {virtualisation.useBootLoader = true;} + { virtualisation.useBootLoader = true; } ]; - }) - .config; -in {vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm;} + }).config; +in +{ + vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm; +} diff --git a/nix/tests/buildvmwithbootloader/build-vm.sh b/nix/tests/buildvmwithbootloader/build-vm.sh index 520e0c8..3ee6ee0 100755 --- a/nix/tests/buildvmwithbootloader/build-vm.sh +++ b/nix/tests/buildvmwithbootloader/build-vm.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash set -x -rm *.qcow2 +rm ./*.qcow2 rm result* set -e @@ -8,9 +8,9 @@ BUILD_NIXPKGS="${BUILD_NIXPKGS:-${HOME}/src/github/NixOS/nixpkgs.dev}" NIXOS_CONFIG="${NIXOS_CONFIG_OVERRIDE:-${PWD}/configuration.nix}" nix-build -K --show-trace build-vm.nix \ - --arg vmPkgsPath '' \ - --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ - --argstr nixosConfigPath "${NIXOS_CONFIG}" \ - -A vmWithBootLoaderMixed + --arg vmPkgsPath '' \ + --argstr buildPkgsPath "${BUILD_NIXPKGS}" \ + --argstr nixosConfigPath "${NIXOS_CONFIG}" \ + -A vmWithBootLoaderMixed -./result/bin/run-*-vm +"./result/bin/run-*-vm" diff --git a/nix/tests/buildvmwithbootloader/configuration.nix b/nix/tests/buildvmwithbootloader/configuration.nix index 92072fe..49dc463 100644 --- a/nix/tests/buildvmwithbootloader/configuration.nix 
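Review bot: In the first hunk of build-vm.nix the only visible use of `buildPkgsPath`, `buildPkgs = import buildPkgsPath {};`, is removed while `buildPkgsPath,` stays in the argument set, so the parameter looks dead unless something below the hunk still reads it; if nothing does, dropping it from the argument set (and the matching `--argstr buildPkgsPath` in build-vm.sh) keeps the interface honest, otherwise a one-line comment on the parameter saying where it is consumed would help. The rest of the let-block is outside this hunk, so this is inferred from what is visible.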
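Review bot: Quoting the glob in the second build-vm.sh hunk, `"./result/bin/run-*-vm"`, disables pathname expansion, so the script now tries to execute a file literally named `run-*-vm` and fails under `set -e` where the previous unquoted form found the generated runner. If the quoting was added to satisfy a lint, expand the glob first and then quote the result: `run_vm=(./result/bin/run-*-vm)` followed by `"${run_vm[0]}"`. The first hunk gets this right by leaving `rm ./*.qcow2` unquoted.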
+++ b/nix/tests/buildvmwithbootloader/configuration.nix @@ -1,9 +1,5 @@ +{ lib, ... }: { - pkgs, - lib, - ... -}: let -in { boot.loader.grub = { enable = true; version = 2; @@ -22,13 +18,23 @@ in { allowDiscards = true; } ]; - fileSystems."/" = {label = "root";}; + fileSystems."/" = { + label = "root"; + }; - fileSystems."/boot" = {label = "boot";}; + fileSystems."/boot" = { + label = "boot"; + }; boot.tmpOnTmpfs = true; - boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"]; + boot.initrd.availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "rtsx_pci_sdmmc" + ]; users.extraUsers.root.initialPassword = lib.mkForce "toorroot"; users.mutableUsers = false; diff --git a/nix/tests/buildvmwithbootloader/debug-vm.sh b/nix/tests/buildvmwithbootloader/debug-vm.sh index 0d11067..8e3bdce 100755 --- a/nix/tests/buildvmwithbootloader/debug-vm.sh +++ b/nix/tests/buildvmwithbootloader/debug-vm.sh @@ -1,3 +1,5 @@ +#!/usr/bin/env bash + # /nix/store/lya9qyl9z5xb4vzdzh4vzcr7gfssk47z-qemu-host-cpu-only-for-vm-tests-2.12.0/bin/qemu-kvm \ # -cpu \ # kvm64 \ 
@@ -24,7 +26,6 @@ # -drive \ # index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/nixos.qcow2,cache=writeback,werror=report,if=virtio \ - /nix/store/0i6fr8vv559a50w0vipvd22r0kkg1kx1-qemu-host-cpu-only-for-vm-tests-3.0.0/bin/qemu-kvm -cpu kvm64 -name nixos -m 384 -smp 1 -device virtio-rng-pci -net nic,netdev=user.0,model=virtio -netdev user,id=user.0 -virtfs local,path=/nix/store,security_model=none,mount_tag=store -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=xchg -virtfs local,path=/tmp/nix-vm.BXlbOnli8K/xchg,security_model=none,mount_tag=shared \ - -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ - -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio \ + -drive index=1,id=drive2,file=/tmp/nix-vm.BXlbOnli8K/disk.img,media=disk,if=virtio \ + -drive index=0,id=drive1,file=/home/steveej/src/steveej/nix-expressions/tests/nixos.qcow2,cache=writeback,werror=report,if=virtio diff --git a/nix/tests/test-vm.nix b/nix/tests/test-vm.nix index 55053e2..fc956b6 100644 --- a/nix/tests/test-vm.nix +++ b/nix/tests/test-vm.nix @@ -1,10 +1,4 @@ -{ - lib, - config, - pkgs, - fetchgit, - ... -}: { +_: { boot.consoleLogLevel = 6; users.users.root.initialPassword = "root"; systemd.services."serial-getty@ttyS0".enable = true; diff --git a/nix/variables/keys.nix b/nix/variables/keys.nix index 8eb8229..bd140a9 100644 --- a/nix/variables/keys.nix +++ b/nix/variables/keys.nix 
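Review bot: On the new side of the `@@ -24,7 +26,6 @@` hunk the `/nix/store/…/bin/qemu-kvm … \` invocation line is removed while its two `-drive …` continuation lines are kept, so — as far as the collapsed hunk can be read — the script now ends with `-drive index=1,…` and `-drive index=0,…` that continue no command and would be executed as a command named `-drive`. If the invocation was meant to go, the two `-drive` lines should go with it; if it was meant to stay, its removal looks accidental. The hard-coded store path and the `/tmp/nix-vm.BXlbOnli8K/xchg` directories are specific to one past run and will not exist elsewhere, which the now shebang-bearing script could say in a header comment such as `# Captured from a single VM run; store and /tmp paths are not stable.`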
@@ -3,6 +3,7 @@ steveej = { openssh = [ # active, current + "ssh-rsa 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 cardno:17_673_091" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000608695695" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAIODJoJ7Chi8jPTGmKQ5MlB7+TgNGznreeRW/K34v1ey23/FlnIxP9XyyLkzojKALTfAQYgqzrQV3HDSRwhd1rXB7YLq1/CiVWRJvDMTkJiOCV515eiUJGXu1G8e12d/USPNBMEzMJGvqBCIGYen5OxXkyIHIREfePNi5k337G5z9fiuiggxJl9ty6qZ4XIRgFQj9jAoShixP/+99I7XrGWeFQ1BmLZWzi20SQGKvogYnOszDZFqBAHGFnCFYHaTz2jOXXCtQsa27gr8D2iLRFaxvhB7XMK+VbpDcZGjmfRJ701XxFv15GFnFAV71hTaYqj/Ebpw9Vs02+gUp3+tt cardno:000605247559" diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix index ce2f0fc..91d2eb6 100644 Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix index 535d7d3..6d441a6 100644 --- a/nix/variables/versions.nix +++ b/nix/variables/versions.nix 
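Review bot: The two `ssh-rsa` context entries below the added key appear on this page to carry byte-identical key material and differ only in their `cardno:` comments, so the list authorizes the same key twice; when the newly added key becomes the one in use, removing a single stale entry would not actually revoke that key. Either prune one of the duplicates or, if the same key really is provisioned on two cards, record that so rotation removes both, e.g. `# same key on two cards — remove both lines together when retiring it`. Whether the older entries are still meant to be authorized is not visible here; the added key's material is elided on this page, so nothing is claimed about it.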
@@ -2,29 +2,28 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-22.11"; - rev = '' - 5b7cd5c39befee629be284970415b6eb3b0ff000''; + rev = ''5b7cd5c39befee629be284970415b6eb3b0ff000''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = '' - 4bb072f0a8b267613c127684e099a70e1f6ff106''; + rev = ''4bb072f0a8b267613c127684e099a70e1f6ff106''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = '' - a8636efe2df64047cd58898010a72f73efd56722''; + rev = ''a8636efe2df64047cd58898010a72f73efd56722''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; ref = "release-22.11"; - rev = '' - 83110c259889230b324bb2d35bef78bf5f214a1f''; + rev = ''83110c259889230b324bb2d35bef78bf5f214a1f''; }; } diff --git a/nix/variables/versions.tmpl.nix b/nix/variables/versions.tmpl.nix index e0734f1..66e90e3 100644 --- a/nix/variables/versions.tmpl.nix +++ b/nix/variables/versions.tmpl.nix @@ -6,9 +6,12 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in { +in +{ inherit nixpkgs; - nixos = nixpkgs // {suffix = "/nixos";}; + nixos = nixpkgs // { + suffix = "/nixos"; + }; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/oci/user-ubuntu/Containerfile b/oci/user-ubuntu/Containerfile new file mode 100644 index 0000000..8afa2ce --- /dev/null +++ b/oci/user-ubuntu/Containerfile 
@@ -0,0 +1,27 @@
+FROM ubuntu
+
+ARG USERNAME=user
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
+# Create the user
+RUN groupadd --gid $USER_GID $USERNAME \
+ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME \
+ #
+ # [Optional] Add sudo support. Omit if you don't need to install software after connecting.
+ && apt-get update \
+ && apt-get install -y sudo \
+ && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
+ && chmod 0440 /etc/sudoers.d/$USERNAME
+
+# ********************************************************
+# * Anything else you want to do like clean up goes here *
+# ********************************************************
+
+# [Optional] Set the default user. Omit if you want to keep the default as root.
+USER $USERNAME
+
+
+ENV DEBIAN_FRONTEND=noninteractive
+RUN sudo apt install -y curl xz-utils
+RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s - install --init none --no-confirm
diff --git a/scripts/sway-swapoutputworkspaces.sh b/scripts/sway-swapoutputworkspaces.sh
index 9f8f637..6ed8d64 100755
--- a/scripts/sway-swapoutputworkspaces.sh
+++ b/scripts/sway-swapoutputworkspaces.sh
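Review bot: `FROM ubuntu` on the first line is unpinned, so each rebuild may resolve to a different base image; pinning it as `FROM ubuntu:<TAG>@sha256:<DIGEST>` (placeholders) makes the image reproducible and lets the base be audited. The final `RUN` pipes a remotely fetched installer straight into `sh`; downloading it to a file, checking it against a known checksum or a pinned release, and executing it only then gives the same result from a verifiable input. The `NOPASSWD:ALL` sudoers entry makes the unprivileged `USER` root-equivalent inside the container, which is reasonable for a dev shell but should be stated, e.g. `# dev container: $USERNAME has passwordless root via sudo`. `RUN sudo apt install -y curl xz-utils` runs in a later layer than `apt-get update`; using `apt-get` and combining `update`, `install` and `rm -rf /var/lib/apt/lists/*` in one `RUN` avoids stale package lists and keeps the layer small.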
@@ -9,33 +9,33 @@ workspace_active=$(swaymsg -t get_workspaces | jq -r '.[] | select(.focused==tru # If any of the outputs doesn't have a workspace, do nothing if [ "$workspace1" = null ] || [ "$workspace2" = null ]; then - exit 0 + exit 0 else - # If script is provided with `follow` argument, then follow focused workspace - if [ "$1" = "follow" ]; then - if [ "$workspace1" = "$workspace_active" ]; then - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - swaymsg workspace "$workspace2" - else - swaymsg workspace "$workspace1" - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - fi - # Else focus stays with focused output + # If script is provided with `follow` argument, then follow focused workspace + if [ "$1" = "follow" ]; then + if [ "$workspace1" = "$workspace_active" ]; then + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + swaymsg workspace "$workspace2" else - if [ "$workspace1" = "$workspace_active" ]; then - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - else - swaymsg workspace "$workspace1" - swaymsg move workspace to output "$output2" - swaymsg workspace "$workspace2" - swaymsg move workspace to output "$output1" - swaymsg workspace "$workspace1" - fi + swaymsg workspace "$workspace1" + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" fi + # Else focus stays with focused output + else + if [ "$workspace1" = "$workspace_active" ]; then + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" + swaymsg move workspace to output "$output1" + else + swaymsg workspace "$workspace1" + swaymsg move workspace to output "$output2" + swaymsg workspace "$workspace2" 
+ swaymsg move workspace to output "$output1" + swaymsg workspace "$workspace1" + fi + fi fi diff --git a/secrets/desktop/radicale_htpasswd b/secrets/desktop/radicale_htpasswd new file mode 100644 index 0000000..5b0f6b6 --- /dev/null +++ b/secrets/desktop/radicale_htpasswd 
@@ -0,0 +1,30 @@ +{ + "data": "ENC[AES256_GCM,data:rUTsNj5pW/7JhyfRWiEoOHVT06tmbAHarOEuMkWaP+jz9FX3Qvjtv2S767Be89RwBdZZPTyO5+DcWUH+m2AOoAFKZs8TgT7lmQCuweXE27HZe88y+mNvHYfExWbLaC3fxheHgy8BgZBQNdVMKhZlYr5nLxJBrUY+j2sRP/CuucUcbsCojoHqYmb9hpS03PZ7i6Uf7tImgvFc,iv:pnYzcggEWKAhRxJyOGYaXFrS6kN7uLHic+tO1PeHZmg=,tag:4eXlaWf7hJxcy6zlQC5U8Q==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsRG1PWnJpTjRCOFVXS21h\nTUxFb1ZsS1piTUxtdmRSVGFmNGlzZmZqWXo4CnhMY3hBZU93bE45MFBJSG9Nd3Zh\nNi9DQjZlb2FzQXplZXovOENBOWRUQ0kKLS0tIFJsNklCUWFZdzhNaXlFQ2lFTGd5\nREp5VFZaNFlZeWVTUXlJSWpUOXA0OEEKEO5EEvjKL2BdBd+eHxvicl3IhGV/WNRS\ni5065sFhraZ+6MAg91eHUcwcfwjhx0tr06v9xARtKzgEEpgxHLT6BQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvWHZjdERBT0hHTVVnMzJJ\nSURhU0NrelB4b0FuTmM1VFIvRFRpQS9sMEQwClJsWGVTUE1hN0Y5c3dETUcyUllX\nSmIzR2ZhMDJDa1hsY0xBaGJrNXkrMUUKLS0tIHAwenJOOHZOSksrQ2dacVhKQVg5\ndEl6QVdkTHdGbG81OUUzOFprZHVRUm8KVYgQ5wUkCDZa9SUbmJgtpWY/LWruAg2t\nZFVYJUZ7B/Pd6rzvtOVjU8mEOaMbtq1cYkiAcuzhIdoTxu1TX11OPA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-01-24T22:45:02Z", + "mac": "ENC[AES256_GCM,data:70nJ8FwQqWKUs5tVZTdaUSnFdvzh7h7GG9lJU9IVuSW8GHs9N4srFRJ0DtJbrIYm4YasNsZqNUcWx/ptxzP0DG/IJs8Vpnb4U5SXKw+zN7B5GBM0Xnh6pZZcylAw7lcXevBfI4jw7Ymmj5zBIFyKTCKhietayfmxdIxyoaxNH34=,iv:XJgmRc0tONH9H6AQyfJvDdkfJgP3ugAxOPxMkBqhLMo=,tag:MBN8FJglHqTiS5nLjtMXiA==,type:str]", + "pgp": [ + { + "created_at": "2024-01-24T22:48:30Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQEMA0SHG/zF3227AQgAl7wj8pgA42CyZ+b0ykAVMIzfVsX5zfyLTL3fKRC78kGH\n7D6Lp6Fesp3dZ8c7awWEM3b1WEFOS8Yklo6bfZCnioJoqZhMtYhyTCi+KEBXdw7g\n+KAquXkrD6mYOVBXoKHUqUBoDjFjU/stfV2Pdnl5I7SGYFHtyv8jwdJXbBInDNI6\nmtVzpKoM7pCFHH0Vz+A1D1X4k+96znbSnjHVBgOFLjyZ2KGPKBKud4nM0idAO/tO\nH77ApV1qRBU7weI5yTbK7GeuUxFYrolxkqOCPUH6E5Z2eVQ8ACUFpvgX4ET91jeP\nYTbTuq9cfm/gPsFIGtZLgWSq7cCZHe12nPHT//ajK9JcASNmmTiJFvK19WmN7spg\nbfDJLZud80PNu6MVXthwRGJ50/yRSrO8e/5tCjVz7UlkOmVG5ClsGDfRCH5gJDqS\nMJ+UdOHZjqcZu6TkBmSNX+9fRS1hgCiGxOjT2mU=\n=q3es\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/secrets/holochain-infra/nomad.yaml b/secrets/holochain-infra/nomad.yaml index 89bcb33..f0fe5cd 100644 --- a/secrets/holochain-infra/nomad.yaml +++ b/secrets/holochain-infra/nomad.yaml 
@@ -4,37 +4,37 @@ holochain-nomad-cli-key: ENC[AES256_GCM,data:Kl7EJI1V5HGeE9nogY5rujwe8MQYA6tIc3b holochain-global-nomad-client-cert: ENC[AES256_GCM,data:eiPqZA5kCi5HPa5AlCTKmOD9r0uU5DlSClNTvg6asWybYZcipiQ6Md+cXxMl3VnemwBbxS8KxjuPg6k63SA+gypEW+XZP7VtCdHl4d65MOfIT6CpzTDVi0FUj58z2v7W6XfgAu33uDxTy+e4+SX69duUmmKicwe+CLK2ckfR3U32s39GKBDKYBZ8DTsAJmex45hf17rwcKsaMM142zgBcn2wbuNF46US8iWf4pKXJ4827pgD1HZ2Ry/IgFcRdSXGdsuAU9FcsuwTNfVftOtf/XGxrIJsvCoC7t/SalQSH4eg5s1N9N68vruKlV6AfVNIiQwfwdJ9ldeTOT3of/Fmu0ftiLaq5ZZ97zxd9Bean49EmJw5VEf63+cWKPonLxls1CV02dy1ua9zrjyX37Jz4dQiS02lZF/ljfcaGL+5TOQaX0oEIAA5tl7uaR/UIV7lqfFMZDUtQMHkYAkPkV/VF8wgyE8mD88KqKU+AdsL2yEyKo7VBAe/pYtGWsbyYhemmmpfPnUkt3wz+YQc7zs+MzaI/Z36BIGtY6ObNUfg++4dYXdoMrHufeRbihsLJ69m/bjF0qYtGCjrEPqTwF7WuWSz28to/ZOVrUKZgH8MOMoKKedzZ+kbzs9+hPDawCHs9VtiFo4d/roHBKMquDZVc6+VYtCjj8xjG8TJoJVWlKQogKa3zoWA0ZPwywwWb2V2ehocOk7MRxFZcek4gjvIJ7Ud6aom7dq3HIJJJYxwdVh7pJO9tJhW1T5R/n9g8zrANzXUvMyt55zUZytjF3pPFfaE7en+9LCf4h7AUocI1gOToUC9hlv/uhTOLCYU5S1xAtrlvvX4QSkmTyBTHe9XeOIZbI7LjzINRuO/XFKN/4dqz5/q195OprOBxg2fv1ETPJUwSN66PFYGh6VqhZZf/NokW1qYyrC0kW8lP/EZN6YGhQTyDRrSn3Y+U3nJuVEcydAKTSwzafR4pO4V6U02/CnBH8IqMsNMIhPPPwC1Wntqne3Rabdbx6ZWOxHQuv3cEPEronKGeeU4ADLBPSWnvGcVZuwgxzVpvVwCWtF59Aiew4pmWd8sqLnTOKrxY9BsV9nwRv0ZGE8l0NwiRGw2YIGWaXup0kwl6UVkSOgSuKqvIff09t3XXRINcwIh13jSAipsDpDjqT59qE0Uoc6/lV63eQKkqYs0wFTwc/XXZ2RJusNX+PDDCRW8xykmu4HC+rX7EMeF53xfDEi4wJGoSCySn3idt33A/QotnjDOl385/lkXwgVz4RjCiiCY016fje+78j7RBH3q,iv:nSXO+1ALy6Ie5aNIEm1ZZgZwOdJLrHjO+BwKVbbZQ7c=,tag:n4V165c86IQ3QHzYb1ThJA==,type:str] holochain-global-client-nomad-key: ENC[AES256_GCM,data:9w+1CYOXgm+xvg9iER+cLJBlKLyYmanr93tZ8xTl63ZIKho6DJLqGPCYdjlG4sHWyQUM6/Dpaa490yC4CToLX5MuUnSvqiaSgugcGqPa1DhlRYVsa8j5rdp90EDMoarN7xKe0ShIRW2GTT9S5EEyF2qdZUAFybpDPX2laZZ44UBz1QvlCp7gzs0duO4b95WPTHmlhfaw0BVF7FhFqkAHtH6qg24qEtwB3I4NmW5UsTKR+tbUCEyQcADQr1CrXhIHkQ8yZ52rc42H6gRQXoVrJomJgtiXf28ARY5K1oZMmICLDw==,iv:FSiRHgbqpKEYINVBLYp1A9YgroLT07GMDFqT/k8Vyqs=,tag:XX7oQhllDmrRLCEiMMYsfA==,type:str] sops: - kms: [] - 
gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmFtWk8vSHYydmt5OW5I - Z2JCVFJ0MHRoWkU1QXpzY1NGOFU5NHF1SkNzCkN6SEVXUlhnRHZKVXcrVStYRHFL - R2g5WG5tbExSVkVYMFlFL2tnWHlCNW8KLS0tIG5CaURNSjQ3QkRUS1FkdjljbmNB - YUwvY0hIZkhJcEZLUkFMWXBjMW1VSFUKBDDoDAbVaex00VRjuWKifbTrtKaHz7m8 - M3nrwfIcjsJiMs9vJXWh5J/dhRTWQp0kEZRaCtxN6gDz+dDE3TVAiw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-07-12T09:51:29Z" - mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] - pgp: - - created_at: "2023-07-12T10:09:31Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQmFtWk8vSHYydmt5OW5I + Z2JCVFJ0MHRoWkU1QXpzY1NGOFU5NHF1SkNzCkN6SEVXUlhnRHZKVXcrVStYRHFL + R2g5WG5tbExSVkVYMFlFL2tnWHlCNW8KLS0tIG5CaURNSjQ3QkRUS1FkdjljbmNB + YUwvY0hIZkhJcEZLUkFMWXBjMW1VSFUKBDDoDAbVaex00VRjuWKifbTrtKaHz7m8 + M3nrwfIcjsJiMs9vJXWh5J/dhRTWQp0kEZRaCtxN6gDz+dDE3TVAiw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-12T09:51:29Z" + mac: ENC[AES256_GCM,data:Eq/hdaWf9+CG2jLQsL2Sw+IHy0vef7cC0IR5xL3jooYbmilRYS2Lj+lRckVcLKTRHjLBlJmnY20wbL/iNwlyTsY3MkCTEMAg1aY2GVPq3/gL0Gl0/Em4pktfVLZGVTZLt6mKzAJMWM9RdTapW5sRlywZ4/fa1YQwoQQ3tFVWm4U=,iv:+Oy+dBT0B5k5eItscLlXrRzbPO1u8eQNBwoDLnZC06I=,tag:hVwJwd6m6oCOlQ0jC8H+Ew==,type:str] + pgp: + - created_at: "2023-07-12T10:09:31Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQgAlXTAMih9lsxCEvh3UyK8vxuhnmnlluf22D+oz/e0JabE - 
DirPEM4FUlCV+8j+Hia5mKpgWJFDcMK0FqxIQvUwTj/I9AnIB740kcr5TVPcOWOU - 9TPmhjLT8RRhQWu8/URUnjdiF1YypOHYfUItSw/agTJa89T4ZJFsaA9IjNdZBUq8 - e0eTF+7Ha0wfll+V+veOPfL53uYuuIoDXoi5wwAjYa2433QsdLwUTKrRi4dNrQyo - dYnYltYRAe/4w/sFCkMlLRpo47J5m7SEggXrM8wni8QpTOJzOIqCP7XTm8MX3MKE - pU25kh0iCsBaNfwD34NF2Ti5l9aUuRWmy0EI+wcTKtJRAaMojKInR/TB8Tj4OD2O - p2IVFwZlPGgOOwZUTn5wyWWSuZD8JRJHxrYETpejXtPIGtnSkiVgphYlD/bagPA5 - eHRQH6uDdKM+/6FXnNMiu50G - =itdA - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQgAlXTAMih9lsxCEvh3UyK8vxuhnmnlluf22D+oz/e0JabE + DirPEM4FUlCV+8j+Hia5mKpgWJFDcMK0FqxIQvUwTj/I9AnIB740kcr5TVPcOWOU + 9TPmhjLT8RRhQWu8/URUnjdiF1YypOHYfUItSw/agTJa89T4ZJFsaA9IjNdZBUq8 + e0eTF+7Ha0wfll+V+veOPfL53uYuuIoDXoi5wwAjYa2433QsdLwUTKrRi4dNrQyo + dYnYltYRAe/4w/sFCkMlLRpo47J5m7SEggXrM8wni8QpTOJzOIqCP7XTm8MX3MKE + pU25kh0iCsBaNfwD34NF2Ti5l9aUuRWmy0EI+wcTKtJRAaMojKInR/TB8Tj4OD2O + p2IVFwZlPGgOOwZUTn5wyWWSuZD8JRJHxrYETpejXtPIGtnSkiVgphYlD/bagPA5 + eHRQH6uDdKM+/6FXnNMiu50G + =itdA + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/hstk0/mycelium_priv_key.bin.enc b/secrets/hstk0/mycelium_priv_key.bin.enc new file mode 100644 index 0000000..49f69ca --- /dev/null +++ b/secrets/hstk0/mycelium_priv_key.bin.enc 
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:2DcYHv5RCSoM3olKYZhn4BTwEROwC4+JZ/PQxF4SV7I=,iv:B27a2XnhgiHW3HAh/MnTUonmhkWvaZkmG2c2JPWV05A=,tag:TKZ/rFzQH0uvbOFoeas3Ag==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": [
+ {
+ "recipient": "age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwKzZsYytMYkd0WTF1TW5a\nZGpQcUYyUjYzY2UrQVp2bHhJTHRSR013Z1h3CmtjSEFaOGE5WDNDZElkM0c2N0Nh\nQTFRU2hvdlpGYlhsUlZoUGZSaWg1UTgKLS0tIHNNWUw0YytRTm5pRTFXTndBamVL\nbTJUNGNSdTloZXM4OWhrN1dlVFpHUGcKq+owmJktDTqpOgtD/makczGkRTphCtb/\nKnL1ig8xdnG+DdyhVCDmtjC7tAFgSUJBZnQi8ervh+yXOXvTJfGglg==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2024-05-17T14:49:38Z",
+ "mac": "ENC[AES256_GCM,data:HqeOxzTlr6tyDWmSpvAthf/puD1wdv3a3Nv8qdt9GcR2UqmByreFPRktTwRL53NvCW+8QGSrUjah7fB2GWsuSVXowSSkY5h8W5s0O+YkFLXo9K67hhtEk+4QwYKQk5w4ZdlAEFrgDAzCFr27Mron53VLhVo0DA6GesgywTLf/B4=,iv:uV/dpuhxXl39MTzystHafirJH0mVnLsT+0h9jh4Epm8=,tag:s5uRzLtcfyNuWau9RteyvA==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2024-06-26T19:27:08Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf+NduNIJaTv/DNmY3dGucui5Ud/ONikEdt/8q3M/iSNeQy\njdHjDbHu0UDBwKqD0Pmhs3StWSv2cs4UDvxPtaPV2sN8/WjeAUZJ1Sf2+k1Duy3n\ns40TpaHAf66JuDRkkFaYt5114AE1ypbMp29S0nv9OTpvAFy7FWtw1dsgKskQOWxW\nTnkxfttpaMoCVoUTjPZFbfPE3WJrp+r20QzwzelX5xl3SGmYvdPVDCPp1S54q+gY\n4l3b5R2wvGv3IAA0l7tKtmFe6XqzYlATOSUaP3+qHTKnXFmT1GAr3o+mLRJOG5/R\ny2CJS0wR9JKowAk23ubc1gYxcc/gIUzi5BGMvM4GlNJcAb3Q/nBs5WtjnHrk7zPK\nzzhV758th72GKhzJko6qUFwcfjaIB6h3o0NQAAlVCMXKUWk4KFY1TCgpLbd0Z6Gm\nv8tE1CFUViT/8Ys+2x7UYeWqN53ZWsioGzrk2F4=\n=sXbx\n-----END PGP MESSAGE-----",
+ "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.8.1"
+ }
+}
\ No newline at end of file
diff --git a/secrets/hstk0/secrets.yaml b/secrets/hstk0/secrets.yaml
new file mode 100644
index 0000000..044372c
--- /dev/null
+++ b/secrets/hstk0/secrets.yaml
@@ -0,0 +1,36 @@
+tf-eval-minio-root: ENC[AES256_GCM,data:83SacYkxLHU2fHbHNiLG9owDgakOY/nrZBnlDgltRlQDTSW9HkKejVrKtTaixjbxKCgsy9sgJBv8LZtqwthgZ6MI942YU2pJHL8le1wBsuY=,iv:uXbOw/9ljYjWCdafhupVJA7tIvcL801xszI8lrQnQIA=,tag:yolnZdYD1KZJFnH2gs8zzw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVXBDSTgwVWtpN01ldjdv
+ UWIxNEZFVVowbFk4bnRNSEl6M1pHcUdIelFFClVHK211enBkODljWHVYNmFYM0gx
+ L01hVFFSeExtQmFXbytzSEMrbVMxYTAKLS0tIG9lMnBTMXJMMUZUcTRFcThrd1Ny
+ bEhlUzFqU2hkbXBZaldzeTdCbnhOdTgKsCcLlqcl+fnvZ8EGKNWlbSbLQvzx099E
+ fC/QlagRvdmVfsFpOQnd0cFzQ1X0EDAx6XcGF8mHBrAKqCS9GCAIyA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-03-08T16:59:30Z"
+ mac: ENC[AES256_GCM,data:VIA7UaP1c2kli+BuppPl4LH1jiU9qAfqvfejZ0Mv0E8CxQ0eLAMJVkZIzSygLCx00cPbqAkESrniCeLYagyEP4tS/cff2ngplzig4uFbZzniYMXcYF9VIAyBhGgQGEZlZPgh4r4wmBdUFfhc0CPzmYt0obJ1LXElGdAoeM4OcPs=,iv:KPFJX2qJaxMwvrw/R8xrw5Fk5FRyTQdxq7DnszToy88=,tag:/H7iPZlWk2qMrWbwZdeF5w==,type:str]
+ pgp:
+ - created_at: "2024-06-26T19:27:08Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA0SHG/zF3227AQgA1qnWMAoXFJsx0A9dX2qFhRUHOlO+VKOi678pGQu4Pwld
+ wUdqAylrtaLDsr+kFwLvsGUKKHzfvaQH/EfEChQb2L9njzQjwNwmgZPAq6NqZAmB
+ EhudaY7R12Lb507Fsh/k7dgOFTuH0/ceKtW+QKF3SVVa+DwgOx8VRP3LJwGW4PQq
+ mRmPkyjnuFmepziTULe0ZPvO6PaH8FvLISBvMkBH+IGXat98OVgqGFzxHkpA3pey
+ 8w7mKDEi6i6g72GrrjuWFuh5JjSSb3og1ziO4O8XQ7mHqbUYwc4NfeVTYD7thdyh
+ OsijkXHvvHkRidTjTn4ZEzxFaNgTvzRB0V7r/jEu3tJcASfyDt4sXkKv84xu29Pp
+ BYZLj9xUrS30bmI8NOP77sy/3++ppX96oKhi91S7F0HZcznJPOhS+YtomXCCGvS9
+ qaN8kkDXt5k5dkLd2+eft7CCF8+lwf6XX/qEjPw=
+ =+0h1
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/secrets/router0-dmz0/secrets.yaml b/secrets/router0-dmz0/secrets.yaml
index 56e013e..b797baa 100644
--- a/secrets/router0-dmz0/secrets.yaml
+++ b/secrets/router0-dmz0/secrets.yaml
@@ -1,43 +1,53 @@
-#ENC[AES256_GCM,data:QydWKuMH8uixprFup1rEwvPkKAMw0yat9MOOK1DleeCJ5tqRqrPh9NiOpJs6nve8Rmji3WyrHAkUaK9zT/f8VKk=,iv:I6OHO6sLTtFBV6CYGmLh5owCrNjzS/LBjOjW9VovGlE=,tag:Vg0IZSFbYa7UQvuPpmMVKw==,type:comment]
-passwords-root: ENC[AES256_GCM,data:+8IcZ4pbJ1qIjRCK7oycmgOVWy6hzc2oDISYMMqE9SmgRE//PQ5ABwtBtpaghrhZTXrUV2l3qsvTHD9UdYRNMB1VBlM6vn4Iug==,iv:2eUIa46QNby++yLK9dax/SD7Ajtj+U0ptheRuKV9r+g=,tag:5tA5rhm1eztDh7Q4d+C1BQ==,type:str]
+#ENC[AES256_GCM,data:ZkUrwF6DTQFainYhDA==,iv:VDjRBF4WfPmJdKtUpZYJcOPxoUYT3DUxAC9ct7EvFss=,tag:efllkpv2SxRv6+DyuqRQCQ==,type:comment]
+#ENC[AES256_GCM,data:2luPn7XRMTtgNpz0QLXQwF92kbBLdjJoUdFKdayy0A==,iv:dr//F4r/8k9zSzkWXUlVT+81iYLTX2rmXIp+Z9Lt4XY=,tag:RZTSqCqqmRxBvWqHqmF7Gw==,type:comment]
+#ENC[AES256_GCM,data:SjwWciLOzMxrq/QV00Q+gt1sNXwl6N/eTHsN9jeFHwFeOQrZ0M7/36WgjSVHpGlVmklzd0LiOB+LhNlzqysM6RI=,iv:vznczLEeyTmCxExlkFiv8ftQy+3z0LyAg8vhcpGT4M8=,tag:+QgSJtX7FFLfMnPLhrgcvQ==,type:comment]
+passwords-root: ENC[AES256_GCM,data:BzQYUCGJwyA/mUohN3OkKdjkuHUfOgYFs01W/F1WM7i/UyOXA3HooUjbGe1KVQkn5NGTvWvR6t3CCr2o4Bjvq2pXrH+92a1kpQ==,iv:9PCLNVUyI2R0F5LmLe9spp7q65pwMJ9TUHmT/VtPazM=,tag:apsIgXhOkoZ8Gb0UshKg7g==,type:str]
ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:2U5IpWTRyQ8basBRoYpFe6Ycc5qdeCUAUTwlEHttRJU=,tag:jA0mFsMxWKq7dnkGQWNP9Q==,type:str]
ssh_host_ed25519_key_pub: ENC[AES256_GCM,data:MQ0q/I6clKNz6uzoztGA06vOjIbpK6Dsf3WbgddRA0B8nEJ4EUmRBT0KkX3o+LZmQPhmURHWWFtOSqvAzkyoxAoBZEh98H3IDsLE5PgcNbxK3dAh36+AAMPLzVFnHLyaWLQW,iv:9XIw29PkSHCeU7C2GuSJ+J+mBrwOrbSMmm7kOtCkiyI=,tag:x3JqFF08f2eVfOrrQ1gzYw==,type:str]
ssh_host_rsa_key: ENC[AES256_GCM,data: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,iv:mXE8xpXFBYSJce9pg+g3OedMS9+ZHOHHwydCY0NbGRQ=,tag:cEqbUu9Y1PFKXwaeqioXWA==,type:str]
ssh_host_rsa_key_pub: ENC[AES256_GCM,data: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,iv:8c3hDcJ8wzTugmJ3Mhzx/qEXnnlpFefBmRTG/MqyeEg=,tag:uSz6+CYu9uQa0C2DXnHPUA==,type:str]
-wlan0_saePasswordsFile: ENC[AES256_GCM,data:ylY1LwMYlHdvYIVPIIr65BuxkW/BHCikkbGO5nNSU9WVekWiDXNIt2EQ2sYcdqnvZMGvcG0G4SQvCwpNO8ihh/RqcLYpTxldI8zwSqAwvATu7prV8l2bCvBQ+NXZ3yAW,iv:L6ncjd0u316gF/3InI7cuqO1kDpH7ahWGcsssYfb2YU=,tag:IAqt8vSDjW3OasOTJ44PeQ==,type:str]
-wlan0_wpaPskFile: ENC[AES256_GCM,data:I/30uOrCPoWqnNq4WelPsDMevrmO+TuzmNrjMtPeCLS5MncX7BnX20YV5LxLsLCJS0NmCEqE58pgpeQEaUUcR0YRejCdO0yZnpMRbla6IR/irNSR/xctDQmMV6HYe6IKWE2d2LA/qWTkj+uBGJ0NtAsPIRLknuCwT8SLjClzF4/WCdoqHvxhBCESxhd3OTYr9op9uxk94iRxKsFfUBuNnckIeT/tQKqOQIHlkpperGBNRtTZ9q+Glb6lqFO1o/BJ8tAGpw0qyNO48jrRAtiIG3sauMH+UPWp86AYPhwQjwA6iDReFoH5KhZsohJSTX4vwoj46yycOTPu/loHrxySBSrYuRyOuIv7mwpRVZgJP+c3ZcngVncE3YQhLA==,iv:AlQIFKqcFSnyH1LrRN/XaTTocsMjZM20YHWcz7S3gCE=,tag:octNvum5lOOUOS6ALJ0x4g==,type:str]
+#ENC[AES256_GCM,data:QOMW5ALQD+CIXyqRAUzZfv42HvMfq9qiTho=,iv:/KlPuB6aBBhdMvJ9kYClfFRBMC0bSF16/EKrnH/Ifsk=,tag:Wwfk7YnNvla06I2/ajTd4g==,type:comment]
+#ENC[AES256_GCM,data:6/aUsWY875jPKZZiJLL3TWYeZT9VOjoJBDwjRTfjnUHcc/NTTeQRPvb+keJeMt5kfWmAzieYpslvz21UktTKqHO/,iv:+zwyh6nAP7DRhQX48/BmMCbv3W3wKfUiAWCvu8UvS8A=,tag:doc142ZXZO6ajPcuWftdtA==,type:comment]
+#ENC[AES256_GCM,data:GG3qBrBJSmJfUun5+0fKkp7J280oW3r5tGGjm9UMolUsZCYYv5E=,iv:gFGxT9Jr/d3fVouWEphJUxW/Hid8dAIvldkxYHb9DvM=,tag:DkgD7SIgIYyk5Ne/lGWcwQ==,type:comment]
+wlan0_wpaPskFile: ENC[AES256_GCM,data:yB/1MLibWzQuV+LnM01DoOaImu6aCHB9TMsIDaby9MxjRCQNuI7qxc5dvTQ3RtA1V6at97r3ufw0W2Vwtkf8Mu3l/UL33nWoX8n4RAykF5HkDK+l1hzdW+41wZMZPc+NDE6ZgMSNG3N9gipHSjYQ+vU6KPX9RQwWTUbJiWWYtii+hi9NXMa7sBvjl1WUQtrKdAmc+7flAEFxOY1pOvkj87yOQDybQYdx268Gh2wkfgtacet4zwWvC/VGNrN2p3Eub8S16vHAZZKeW+2rr4U/GiOeS65CSk9srOGwlD6IboTUXSAoSChJmevnm+cgkzZsuOKS7knEZPjQ+l2Z+K4l3FnB8+CVvHw/DlUAG0pFgw49NfBGczGSAFh34b0k,iv:2AkphYXeupcDvB5KXlnuC7QsVJdBZHnR684045DJtfw=,tag:YFNcunSPVJUSLIPTTQ7szA==,type:str]
+wg0-privatekey: ENC[AES256_GCM,data:5/5llD0itgdKhZ53IbtkwfhO+qUI+/xBCxnfQOg9yjS7knvUINURY7rl/F8=,iv:86t6XuY4a1rHY3kmC3XB6WwwPZVWAyM2saGqEZaHdJ0=,tag:4xemlclKI4RIxAe60HGuuQ==,type:str]
+wg0-publickey: ENC[AES256_GCM,data:D/RU+43/bYhg1lRZE9zA52AIWGd2KRF0EQcvteS4CtQN0Yy65vjGqVEkjyk=,iv:BmS0TfUQXRt1tdWBBKIUi+DqXCLTXePzbq4dUYSlQQw=,tag:qglrKjhcSBPtqNd6YCMlPQ==,type:str]
+wg0-peer0-psk: ENC[AES256_GCM,data:859rOfvyaeaH07s06IT2qJZjXcWZiXazQPUImYOMngTj+xNop8UHX0iDegA=,iv:V7cR9mGQrk6aKctY+1egYFhBiveqc0OwrQSJxByk0zk=,tag:WF5via8rVm8Leol5rANPqQ==,type:str]
+wg1-privatekey: ENC[AES256_GCM,data:Q3zb6oLhBqW+D063S37O2vZD3PSn3yIYWWkOtZwvpmMmdAMtztGqdrHzXRE=,iv:tIEDtHa3s2/Shg6Kw/8G+xjtixH32fxS3l5KtR2VUIs=,tag:JpKjYmV2pPip9hDkKg8pRQ==,type:str]
+wg1-publickey: ENC[AES256_GCM,data:7svFjRVdWBmrUt2qzHSmgBo4HPwJR6I6p3rZg2U+h1uVhQwCnUCH6JATVZs=,iv:xWUKpjmmrf/U8T8XmdL4Ox+aqkftnh8oeORCkhtJoBU=,tag:+k+E13X+EbZxfiq0MoGIEg==,type:str]
+wg1-peer0-psk: ENC[AES256_GCM,data:egtyccOYD4NAUTunpvVXTJwjtSdJJT8v5O9Wl7NoCKy2eDzrQvrEEK8Zzts=,iv:D7EQkj2Oz2JJIF6slTLq3A4esKN6VfkOA+odHvjSeUE=,tag:z/blOUXX1JOyqtXgMldnlg==,type:str]
sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6NDRCejdyRzY4Q3RwY3Nk
- REV5RklTUWluQzVZZ3V0VUdKTnF3TFRzTUVFCnZxUXRaRlJXSWRqVWZwNG55OW5P
- T1RHT0xXaDc0bkFCNHZQdW53aWpZMHcKLS0tIDVIWTM4VjN0UXdxK3ptOEtMWG1r
- THRNR0tEUzhPdFFhWWxvZlpKYmZKM2MKxc5s1jsci8jPOrvZAoofVNvHT4o9P6yv
- J8rALQQXgql6obK51Q/Doyzvo1RJ0T7epiWEAZm5B3vDrf6KqbWBYw==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-12-25T21:25:35Z"
- mac: ENC[AES256_GCM,data:Sk3eyBaxhL7cX78YprYsv75oO+auEoxxGHCk1MRYGcAkat3vrc2vXjmKn6SsVQC8SWvu2YR2dOGU85Z7FCUUmmnwKeh+1PKMsurwfrNkB4umADXjaESNUWNevzAK9LR4pI1I6rGzl7mFEFYGEPd948JMOfkIfwNm1KMmETGkkI0=,iv:UzfDF94UFjPuEgRkpkRyLxSwZGymZclboHYQ/HxulJQ=,tag:MIBhvegV4NaZF+nGShotPw==,type:str]
- pgp:
- - created_at: "2023-08-11T16:15:11Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRNE9VK05aYlRKcXRBak1h
+ Sk5GS08zUE93U2VSL2FYTTllS3Fjb2I5R1ZZCjFtL1RZUWVvbzdlcnBCN1NJbE5S
+ QW9paVFDaldhSVh2eitoaStpZU94T2MKLS0tIHV4ajZFdEl0TjFNNXhhTlFBaGMz
+ S0Y0WjA5eXovc2pUUzdUY0ZEZVN1dkUKNuvEcQ5lmVUNan4fj0tfwXc3JUfV8opV
+ KCBiiPEIBRwryWg7CLo7qgFU9nRTnA7Wjjo2vnh9nLLnIjNSmc/ECQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-02-05T09:44:59Z"
+ mac: ENC[AES256_GCM,data:P2bEHq4ZBg2Y8RPmUSuIOxWxJdYTUpTD5nXv3vqAHOU0t5ZlyOjFUPYejGBLdvd++v+plwo4lYG4/JJ3/LFIM/n2f1kFOOPSIt6yox6oYHHzJRly2kBfyIpUz4q+1c/xhMjpcQdAlWEdIQLm80BMUpny9y2KhVYot9TvTNTSkxM=,iv:uso8kcW8gildOD7FF1Xvage2dccQ8GkMI6nDCaUw2qc=,tag:urKtsRoGqwoZzk7DuMCINw==,type:str]
+ pgp:
+ - created_at: "2024-12-24T19:36:20Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
- wcBMA0SHG/zF3227AQf+LuGZY70bnoWRAzpxCJnxtf0UfoYkIQoVGeHdnjJ5DTx+
- NXtGN+gYTfuCUIf1lQRnd8FdQbDUSuHFmaDKFFts3SJR24ZO3N761Ye429FycMp3
- pyx5RYs1qXYMilN/RLSnEqrsjOpnO21VpxuAxbe9HY5Wp0jLDGdUvpdk2mQqqhx8
- ZYFbEs9ZZHq568k9ELpJcudlNnvkZPoecMsFiAWP1oh7V0cSacfSUJiqXA2/Ug1a
- 8vweej2pwJ6kaoLIFqjD6qI2rKNtSC+woHD517kldLr6BMetNNc/gEiyat2zOGRB
- 596SIBBf3eCvXCHSMJDtOWsT977CUO2pz+DPTmdqMtJRAbbz9Ks22jtPViAFZDzY
- pyDwCuX2hTJ2c7r3KA0o7lG4pfvfLkOqXXcV3SnSBvYy4fuhLp2Id+1GWCOD0o1O
- v5QlxcXSMuOeGygclwHdxzs+
- =NQjH
- -----END PGP MESSAGE-----
- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
- unencrypted_suffix: _unencrypted
- version: 3.7.3
+ hQEMA0SHG/zF3227AQf/RIzNBL+pVy3msNL8iuGdPXywQhS4JPgP9QqiYu8hqTsw
+ ja/jx8ShJmLjC5i7D8nwwbUyY1DJTSdHcRblcsROgo4DgthdtuprJlSQIPZhaW5Q
+ Rbo52yT1LkzypUcSQFIDY2QFpPw2zL3ZmPyIwg7YCI3seNQckv93nZQzpLx2Ifad
+ hLU0+C8tU94z+sgqLq0OVryZb6taQP/h41niFKHZtemnykA03JIbCmyl1HZDEtRJ
+ 1xSFpAKAtfzdhR5SfrGYtSBj7FysanfSEi4Gxxp7VcfqBVYTHAOsDLFnFCEwr13H
+ sopUdgCeZdZTBFgzS+AVb0zcHti/YJ9xUNrIKJXwAdJcAS9w3Y4MqcbEdcFp/CD5
+ W8w7WZjHm8ly0qm2DgyQmd3040V64mt5cDe7+8YRqu5cZILyKpRGwUx3ES0eJ+g3
+ g2P8+l5NEvzTX3ldXHObOUVebLouZrxd6UjWvUo=
+ =mYf/
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/secrets/router0-hosthatch/secrets.yaml b/secrets/router0-hosthatch/secrets.yaml
new file mode 100644
index 0000000..c0606da
--- /dev/null
+++ b/secrets/router0-hosthatch/secrets.yaml
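Review bot: The file's age recipient is swapped from `age1k7cejd9…` to `age1qju6ms…`, but the data key underneath does not appear to have been rotated: the four `ssh_host_*` entries survive as unchanged context lines with their original `iv`/`tag` values, which sops keeps only while the same data key is in use. Whoever holds the retired recipient key could already unwrap that data key and can therefore decrypt the newly added `wg0-privatekey`, `wg1-privatekey` and both `*-peer0-psk` values as well. If the old key was retired because the host was rebuilt or the identity exposed, re-encrypt under a fresh data key (`sops --rotate -i secrets/router0-dmz0/secrets.yaml`) and generate new WireGuard keys and PSKs rather than carrying the current ones forward. A one-line encrypted comment above the `wg*` entries stating when the data key was last rotated would make this auditable in later diffs.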
@@ -0,0 +1,43 @@
+#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment]
+passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str]
+wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str]
+wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str]
+wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str]
+wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str]
+wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str]
+wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRzJxaGJVclFwZE9ZT3BP
+ OHNEaVg5ZVl0Nm9YTWo3Q1lmSEw5dnRoRVY0CkpCeWxXU0RybU45Y3RvVkxJYkEv
+ TjJsb3AyNVR6QmJVbnJsZzE3S0VmQjgKLS0tIHVHSTZVOHc4R0E1TWNETWNlWEty
+ czc2YUdudGdnVlZteXBmaHZaV1NWbGcK6jWSkOEBYN+1HQ+IZdBKknYo96Aydp/s
+ +hK8V6qEyCkAqWLYEnZ5ErMEc8OcOyYCQnYyCb10SWJvye+uyX8SZg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-09T14:08:09Z"
+ mac: ENC[AES256_GCM,data:nCwAca0MktoxUb0W+1B7+4UP5IOG4cuj2BhJBxjDV4gjYBSKYJs5gSdYytjOpu76ePXSUHgyiPH0Joe5ESubaUN4zPIWMLpkEk6WjXnmXRTY8B5ZZ+AVR2lxNi7UtiCyx0yjAVZFxuk33MmKR2yXMLEqE6U/70fccJlY+dbTaVU=,iv:QTafba+auq3Zv/xoBzHmnIMmfDAynqApAcr/T0Uh/2g=,tag:RREUDKF4Kruy0AEFDqSVuw==,type:str]
+ pgp:
+ - created_at: "2024-06-09T14:07:43Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA0SHG/zF3227AQgAkYv+dSMKF647ApqeslZpv22LmhdphDTSQjaRJdIK4gM4
+ kv4aJ4L0K/fDqKtsbszbAnuratJnOxnhGaydTX5Ob9tb5QbFfmC2C4OED6hB/enu
+ hsP9BpsA945Keqf27NyXgxnLDVr6OXcpZqWZbYqHmWDx+BHrw500hgFb91ejzf3c
+ 6KF2Rrp4PsUl58D6LcSFxfqcna7l2+Ptx+k2vfInSkyPit/5tjry8SyBbUFWPwz2
+ gVj9MN0bLCMqhToFh532GSDmnxNd8d1Sb8G1riJ4JaTHStV3s6KebF90ws3FtC5n
+ y0f/BbjkSqEqNIKFplPZ4Cx6O7WsXbH1hU1Dgba9G9JeAYVAFyi+OnCV49ugZ93p
+ uwGhpXmP6RbGVT6JB/beAdUToTdP0EfdVE4LlxkssEFd8HHzO8kD2u7k7glkDEq7
+ Ox1QlDrMuz0zRE6D5B4DwXrWvAOw/TjvydWjyS6HCg==
+ =5YRC
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/secrets/router0-ifog/secrets.yaml b/secrets/router0-ifog/secrets.yaml
new file mode 100644
index 0000000..0566d57
--- /dev/null
+++ b/secrets/router0-ifog/secrets.yaml
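Review bot: Every secret in this new file — `passwords-root`, `wg0-privatekey`, `wg0-publickey`, `wg0-peer0-psk`, `wg1-privatekey`, `wg1-publickey`, `wg1-peer0-psk` and the leading encrypted comment — carries exactly the same `data`/`iv`/`tag` triple as the corresponding entry in the `secrets/router0-ifog/secrets.yaml` hunk that follows. Identical AES-GCM ciphertext under an identical IV can only come from the same sops data key applied to the same plaintext, so the two routers share one root password, one set of WireGuard private keys and the same pre-shared keys, and the age identity of either host unwraps a data key that decrypts the other host's file. Only the `age` recipient, `mac` and `lastmodified` differ, which is what copying one file and running `sops updatekeys` would produce (the ifog file's `lastmodified` is the earlier of the two, so presumably it was the source). Generate distinct secrets for the second router and encrypt them fresh, or at minimum `sops --rotate -i` each file after replacing the values, so that compromise of one router does not hand over the other's keys.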
@@ -0,0 +1,45 @@
+#ENC[AES256_GCM,data:+I8pZeH8kkkGaeUJ7A==,iv:5Yv2K6pU33CA82oCspb5exjaAPMRszslozTphxvDhbw=,tag:OpKwj8SYXSMcLlusEVX7GA==,type:comment]
+age-key: ENC[AES256_GCM,data:8L4IWs31RUXGns25pP6BrhFKVAYvVY7yIOe6MSk4abvgks2eyHnQDTiSKVUQGjTyZFVbQ4mtF9O8CmqqlaK5z4nrUYSUN/Ustc13L98V+PMUOxljka0UL/pOe36aHEQz3Z2MuobEtZHwccPEqWhOlF2v+OgFQ4Kp2Vczw9REf4ahxyqz3fz58ymR8HKfTHD7YBawEAgYU6WVyrLfyA78860pkjlYMwhnjkVBvkP/zd4H+L2JxzjwUeUCqcm0,iv:8RwmmtgKqLsJov+DxNjvtjPk8t8yVmRhRa3k5HdCvgk=,tag:CZoZL3aYucIk1JENWY/mMQ==,type:str]
+#ENC[AES256_GCM,data:62US77UkclVlR3klMH6P/oYC006vFa6DEVgvmemMFh6INuw95NyRwJaiMs4EGaNFuX+jkfBbtlm0MQK73rXfGxg=,iv:UALT0vebke8KDPdroZnC3rSUCB0CmlX9dfbLqNAlJ7Y=,tag:iKxAWDTdUZDBD0PWfomeWQ==,type:comment]
+passwords-root: ENC[AES256_GCM,data:ummvEe+5HipUvVEyHLA6NULuWJuPyv2VqlXEZFp/UdybLU+1t/VRo+KPLYRPpXQBbsBaHVa/XOiOqLK9dPDHuVZBavnTTMC3Yg==,iv:pqjtzPH+T8CLJsJusi5CpVklPUAnioIoTjBXAR3y620=,tag:vrGzZlRX1TJ5b6Wxt29V+Q==,type:str]
+wg0-privatekey: ENC[AES256_GCM,data:6BR3zB5oDPu5XyM5pgrdXoYKvwf+rAK7ngDzLcIQZnr4JH2YXH9UWERjVpg=,iv:2Z3yG+fWC4diGANCurCEpA5ybEpMdE1t/rviRJtUE0Q=,tag:4sqnLfAnxQOAci37RCY6jQ==,type:str]
+wg0-publickey: ENC[AES256_GCM,data:7QLstpkyVDFU5oxgRdVYdBOZB1tjKMbzxgZtCYp3G1+AO85ir6kNXo8P65U=,iv:XRnPg93nnSR3h+R/K2rh1QYgmdJTE6i17ZomMf0BJ9k=,tag:fhyySGI0y5swGp3ot+q3pA==,type:str]
+wg0-peer0-psk: ENC[AES256_GCM,data:p5V/8fFEmozG6nFCpHNcWNdunYlHxnsnW+YjTAIEXlm2ku4yEL45H9t9/Sw=,iv:jDZMhrZIJwaDWm+s6aXVWovdo116q2D5cUyHzMdWCIU=,tag:M5IebfGfeL6VW+OOgtARpA==,type:str]
+wg1-privatekey: ENC[AES256_GCM,data:dcD5isfYT+diae7tS6OSEQiqEkrpUxw0io8EqaSUaaFxKf2RAqSqxEXkhzU=,iv:HVB+uJG0SwxH3gbSpyZJZnzadVK2MYWvaZ3t7vPXn3E=,tag:/q7hgBA45Hq3446w83ConA==,type:str]
+wg1-publickey: ENC[AES256_GCM,data:08fRjmGysmgGwXgwGqtMmO4iMWNIOucRnD7l4qaCh1hVWAk2BbO3OcHw010=,iv:PfKUVRyjEVT2BBUCmruR026n/P2kT2Papq46DOFq3rE=,tag:AhyI1yHdEucmQEo6iHnznQ==,type:str]
+wg1-peer0-psk: ENC[AES256_GCM,data:zlQv7B2Xm+QUzevsYDD2ckIp3PdEAOSEPv6UKYLKRUGWXKE9eLhC1dNq5t8=,iv:kehiDKfew68S2pfRFq5OyTm+Ixo05uiAiHDg30xhP4Y=,tag:0GSr1d26ALehewMF5b6woQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNmRsNDJRbHZmS3JmOVht
+ c1kyKzBXdGxkQXErQlhXUzBmMm12eXNCVlVVCm9KUCtZeWJWYWVJUFhYRUlLVDdD
+ Nk9Wdk5WeXl2ZGNybGxnZWtGR2thTDgKLS0tIEovQnU0bzRCdEp6RnVvZCtUTlFL
+ dFBOcE9leDQrYzVQNUpLZzJBYlBYaE0KyKVh0VDpbA2eIh9d+KhCYKjbl4fHPt07
+ fVbbDEz67bWNjaH6Yg6xlNQIhv9prUK2isckVizpUANmOKxPJ2ia2Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-26T17:23:41Z"
+ mac: ENC[AES256_GCM,data:Ez/79vUHs+9B/v2qlUiPQeuYHRdvjUg1jJOt3C6xEnncDQ2fH0CUxKEIfjgJR7eatwvZSznprv2wCD8Ik0SKunjRI1UGe5JmrVstqoSDbo+MxpdwrqA8zC5unpRUYenvyo9m8ZW/DnjKz0ArorYjA9vid878MdemkHtSjjZzik8=,iv:2CkmPRjYYt7q7HAdEjIbJHaSUG6Yr92pEkk+Dd3E7LE=,tag:S8LPb0mEjRZQqawX310SOg==,type:str]
+ pgp:
+ - created_at: "2024-06-08T18:36:55Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQEMA0SHG/zF3227AQf/VntYsys2fb7NslwBbEwQ4VYh8OOWtCGhqbVw045QflFD
+ 2hS1cT85MDNTwPnnDW4NYbf3UEIq12eXVDFR8+4S4mMun68OmxEf3UhSB6k2cDgh
+ iwM6HdAh13cC4UfYBpEq/NTr9omdoXPrcjQNYxqm8OBRNf1126L5XmQ4NT2Lg8Yw
+ 2HcDIxrl9vX1X8OYd7fwc7TIJpVYCmG2UhVrz+gS4q51s1hi1t1BZdeUhU9RpSdZ
+ Mu2HlB68t597wAXOB88K+zJG4+uUQrpz9V2Xd/lfzFIeQtwLcA/NdoZs+AMEQE+j
+ wa5FPI08uF68KbwzXYCq2NEPKA4SX9UzlirJjdAukdJeAfqO5woWkuDHmDj+nDDS
+ fSwL7mVNd43h9uO3PXi7j8kj32dwLcBSjkeuN1+gaTBLixzzp0drLTD1DkeY8kBS
+ ROvWaNhXsrm+uB9d8aaznqfWS9C+3PE5fY9untPIUA==
+ =f2HS
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/secrets/servers/dyndns.yaml b/secrets/servers/dyndns.yaml
index 94768bd..b93a80f 100644
--- a/secrets/servers/dyndns.yaml
+++ b/secrets/servers/dyndns.yaml
@@ -1,37 +1,37 @@
dyndns_www.stefanjunker.de: ENC[AES256_GCM,data:xHpC/V9OWCMpTKs1,iv:gW6f6kQedbdxbz1zJAY6xceoeG/LqPG/Ss3DaBm/Ta0=,tag:v2V/hzRg+xgO8zpwyIBVXA==,type:str]
dyndns_mailserver.svc.stefanjunker.de: ENC[AES256_GCM,data:auVHa5n4335mNXAy,iv:WZMOA+Z7/w+Jsu5193WwERXZrt/5JDiMUKIZo8ieT7w=,tag:YmEDp/0gjgPY2kg9GNKmxQ==,type:str]
sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWFR1cWJkWFl3SHphNVlt
- NmI0eDFJanVLVlFKeWcydDNaclp0VlQveVJnCnRBc0JTUzZkV0l6cWdaNko3YUNM
- bWZRaGpYMHZWWkRPMjY4SEF3S200YlUKLS0tIExrWGhjM01YdS85U000Q2o1TjUw
- VFpZb0dEL2w5NWErR245MUplZE9xN28KiGaqrH9wYZ2goHKYygLgPZIZmUCosHc0
- RNaMVrIv7I9dPMiqlKdSl1Xp/ePa9gxUhVCpsFIZmlrlhHxv0TLtkQ==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-14T20:50:30Z"
- mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str]
- pgp:
- - created_at: "2023-11-23T12:05:35Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnWFR1cWJkWFl3SHphNVlt
+ NmI0eDFJanVLVlFKeWcydDNaclp0VlQveVJnCnRBc0JTUzZkV0l6cWdaNko3YUNM
+ bWZRaGpYMHZWWkRPMjY4SEF3S200YlUKLS0tIExrWGhjM01YdS85U000Q2o1TjUw
+ VFpZb0dEL2w5NWErR245MUplZE9xN28KiGaqrH9wYZ2goHKYygLgPZIZmUCosHc0
+ RNaMVrIv7I9dPMiqlKdSl1Xp/ePa9gxUhVCpsFIZmlrlhHxv0TLtkQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-07-14T20:50:30Z"
+ mac: ENC[AES256_GCM,data:09EAhiFSNroQKelSHF0YdJl8INdYVcjK4BfiOktY+Nx1GK2BA6T8grvIHGB1UZaDvS/AzjcSIq+5ZnyfBU13Ks8zH5oQ11La48FheE3bL38KS+JNgqw3F53w/NUVFkYFp2YRuCqkg8/OBmT3OONLggF7ziuQEByW5NlOUdLejkA=,iv:qe4kBBxxpFdKNszbvZlIXjA2Ybc+NAU2GkMcSviZczE=,tag:98ABbbVh5qPnAzo0xkZ81w==,type:str]
+ pgp:
+ - created_at: "2023-11-23T12:05:35Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
- wcBMA0SHG/zF3227AQgAjfBO/8RSFW5aIhchSLLvhNzhIF+p2f4KZTAiT0uhB5u6
- T10j8i0q5IV9XVDdRXxYZwBn6LDFOJ6WJ7hIv61Ri+jCGZ8N8Mr6OA7HyB+6zQmg
- 3PON+5qJC8FHFHiW+bB7NEULdlILS5Q6E3atjGmgOHKYq2O5L+IZgxp5Udt/oXuF
- CqIW22M/9ftEipgG2b2Txgq1PTNFWI8gYRVacuSU5UD687EacH4fTDyIdXk01FMW
- LmIh9h64kA5b6VALma1C2ztP0uvCUOSfVsvKJEILOb/kTb0qCdSkEM44onXTCHM+
- fBo140l54Cy1aIxFPsU8J/KkVbQ9Q6dOxIxrpaEQP9JRAUrBpLwbVLpWww2WFwG3
- nTplRw3DzGTGoV7CgdzRRhjv7fkb+h5eWLpFqSj6r2MG5PnEjnnDiBaa611sDN//
- ijdeSDMnCT93t6BEeNKvmTPS
- =60WW
- -----END PGP MESSAGE-----
- fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
- unencrypted_suffix: _unencrypted
- version: 3.7.3
+ wcBMA0SHG/zF3227AQgAjfBO/8RSFW5aIhchSLLvhNzhIF+p2f4KZTAiT0uhB5u6
+ T10j8i0q5IV9XVDdRXxYZwBn6LDFOJ6WJ7hIv61Ri+jCGZ8N8Mr6OA7HyB+6zQmg
+ 3PON+5qJC8FHFHiW+bB7NEULdlILS5Q6E3atjGmgOHKYq2O5L+IZgxp5Udt/oXuF
+ CqIW22M/9ftEipgG2b2Txgq1PTNFWI8gYRVacuSU5UD687EacH4fTDyIdXk01FMW
+ LmIh9h64kA5b6VALma1C2ztP0uvCUOSfVsvKJEILOb/kTb0qCdSkEM44onXTCHM+
+ fBo140l54Cy1aIxFPsU8J/KkVbQ9Q6dOxIxrpaEQP9JRAUrBpLwbVLpWww2WFwG3
+ nTplRw3DzGTGoV7CgdzRRhjv7fkb+h5eWLpFqSj6r2MG5PnEjnnDiBaa611sDN//
+ ijdeSDMnCT93t6BEeNKvmTPS
+ =60WW
+ -----END PGP MESSAGE-----
+ fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/secrets/shared-users.yaml b/secrets/shared-users.yaml
index c081ae5..428b745 100644
--- a/secrets/shared-users.yaml
+++ b/secrets/shared-users.yaml
@@ -1,6 +1,8 @@
#ENC[AES256_GCM,data:aqlLlXgwwtjBYxytS2H33KbN0z8pHijFXKBAPQyQ7cxE8iO6tDfn/3kEVaEa1YaiYUMXACX2Ow==,iv:uKTUsccWAqrBkdG/ymCZB1pcumRreGv/2rIn6YG8Y7c=,tag:NWDO4dPRA45Ki4ymGblGIg==,type:comment]
sharedUsers-root: ENC[AES256_GCM,data:RhMqzHmMzsPZnskGAKQ5GEagkAmtCqbp3FI4XPWweq6U8WcML+XEOKBfRoemK6yMHpSobBUPEHudNDeVxhGLH1VREmO6+JVZ/3dz44qWudhyuAj2CHiVkVgMlSfOKIbY9FLLxXxfySnEsQ==,iv:EYWeRKI+nFpEkxtBJ57xH6V4arE+hVAHy5ht9v8P1oQ=,tag:I5WA5+FjJ3lF30dth3H2ug==,type:str]
-sharedUsers-steveej: ENC[AES256_GCM,data:vuvklQJFb0kziB/qr7LNiTB30T/1UmZUV3YE3fFpKLZSlxqwYR7e8pnj94hFMhCtPquw3qdtB8vFAIQSb2LxXUgsfNo1bmkGJU86vz3Vy9Js7oua7KlLyZjoFNpMBgbD7swyXns=,iv:nsymZS1wQ7QSL5ZqoVx/ygaP4UR/e0cYIXHg+UyhbYs=,tag:+/N1QRESOUUK/XJXgiyFfg==,type:str]
+#ENC[AES256_GCM,data:d9jstVxMebNWmJHo79RF0YdurMqwRoDrFzbwjoQ=,iv:UG+qk8hc/WiCviJSCmrUyQZATDD1gBhqiYU6spf7Zo4=,tag:4HNfJQh+3GEP+MHqg1KNHA==,type:comment]
+#ENC[AES256_GCM,data:4FjqAy/pZMkBFC7aq6Jqx+TqCtU=,iv:iWxPm8etDkAIuz9op4ck5AgszLuEN9cXXixzO705afc=,tag:MC03p7Kqk0srtDjbov91LA==,type:comment]
+sharedUsers-steveej: ENC[AES256_GCM,data:almzynLh7RHcjTFOQWVaGk027uAanFcE+AYVhcbzSs5Xwd9sZR5+Ckbb//YxT/Imz9WKVG7z+bxPuhYPgbzUPCyxUu6/X9ZeCF0gmffyTbXVQHpo2W+71Zcob2Mbt9yMAF1146Dr1Q5R2w==,iv:fHMmtO3U6f/0ZNjxcvm0vOx/W/BYWvpD3WtzLNejGpA=,tag:tsLziHECG323TCKBLO6FzA==,type:str]
sharedSshKeys-steveej: ENC[AES256_GCM,data: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,iv:QeYNlLR97tdC9i5N909GnoNyBwNNiuljF/eVbdhvGXg=,tag:lBWDaaZMQRPX/4Ln+oUQPA==,type:str]
#ENC[AES256_GCM,data:8u2UAE6lXi0e6qKJxB3VP1k7hmfUYRcejXoR7K6NIQ9E7AqOlMiLDyQFw77NBlqpy0G6mPVOnC+XskGAscm3TLFzs7+o+/i0IxH7uDPwoh+U,iv:n4wheHkpPbnKeXb4DTxwks2bph4LO6xQW6LcrlA4jKU=,tag:mgwa7rYvqoubFdQDXJADZQ==,type:comment]
sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3xQz3oR14CqSVy3hjQEkqcezwj/v2ELrLWid2hK+lDtY,iv:TNoJ7Kq3WDkkPBLG3a+N/A8yBZcx7Gc0jaBToYX3Y5M=,tag:VU5P4YtzMv1FVc3ugig8TA==,type:str]
@@ -8,91 +10,118 @@ sharedUsers-radicale: ENC[AES256_GCM,data:Mn1QIwQDX0ZnZ0Jbk1RYY60k+XbbGPYYf+NG3x
sharedUsers-elias: ENC[AES256_GCM,data:RsGDCguYkqegKhkO20lr8HjrTABAaNJmDiGK3DhhbX1sOLMweZwDtESvYjCfAOzWpiAaFh0BqevMkuUcEYQTBubSX+X0EZ0dFrdbVxIe7lq7Dosds98SqKLL4zWqe2y2qsphvj+oAz7Utg==,iv:JXIbyqAUt1OcB+bvgK6H2NU6Ip4nWRJ1/Hje75FfHC4=,tag:kPFALVkf1GbRj1J85SZm6Q==,type:str]
sharedUsers-justyna: ENC[AES256_GCM,data:BGVp2QppWWaYHK3rwLlyy7SOWxSqKGsn7lemWe0KUzgiQc6D8ivYvXdGaAhJNvhgVTxlK6BZOacG4NESWf5hi7sN8AkwTT/6pa9WzhQQGNnwZIaVulXeddzFlebbh8pAt0WYV82DRejX3Q==,iv:RMysIp0pMnCLhWogWiGq4IpZA43sd0DPj3jeV0oRkY8=,tag:VvXPzyGAoATlSedvV2prJA==,type:str]
sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbG5RWWVBZ2JZOXlENDVr
- M3lCdEc4RnVwWlZJZXY5RGJ5aEFmcmlmK0hFCnNFSHliMHZyWTBLZG5ub2hPSy93
- dDNoWmgvTEhQdUdWL1dEbDZpRnBacFUKLS0tIFpjdVZBZjhRdll2TGdKdFVQTzVp
- UDV5bXpzWXNzMTQwTkZPVjc0ckNUUFEKwYIl0ErBjh83ogRau2mYzkivxruLKQXj
- eEQgNMf/xdWZ76OAKDwCF/7zmCSeT2UYoJFCfYtnMw7OxwOCyvPIOg==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAramZoZmdSOFdoWEttNndT
- RHVWUC9RekVVL21iQVA5Z3JvajliSVZVNVNFCjhiMkdGOXNTa2FnVStUTVRVZm1s
- Y1ZVdGFnZ0I2VGYxTW1Wakt5Znd3NXcKLS0tIERvVjFySDJDU3lRNGlpL3pYRWwy
- UU0ybTRsSVlBaFV2d2xqVTc5Q1lNQWcKUti+W3HLneDzq/VI5yPBsTPyDUAUYL6U
- tO1SMC8xBVbgzlFQtM84gYCE8ATxvwOJV+8wNrcHdWXQ8AJLF9UwPA==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ZXpGREZxdzREU0tSV1Nu
- ZnVONGdxU0VBb3RXY21pTEJVWUw3aUV1UG5ZCmZYcXVzdUgzalFvdXR1Q0FESENF
- Q0VDSmlqbGRxemlGYVRQN2NQcGU3VEEKLS0tIFp1N2V6V3dkeWVpRGtrTzhyNUFE
- TUdFcXpEbnpmdTlWM1I3UTBYSFo5UnMKJm4gkNDHnCujMk+i46hGEMoQWEs9IBRM
- /Lb1BpHA+5BB0LB6yL1VkXttSBNp69s5LN/EgdvTnZ7qL4/KqhwvMg==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxSk9GbVpxaHJPUGY4U3hu
- K3hpbzhkMWVJNHIrNWVPRUphcjkvY0h1cWpnCkxYTmtiWjk2QktxSHJON01XRGJD
- MDZZZlB3dU9NbXN4RHRMc2ZRTHdERE0KLS0tIFJpdUhWdm1INFU3eU96NFN3OFk1
- Z2dMQ2xGOTJCcXdCU0FFdVJjQVIwK1EKHLo6YIsfKAwQ/yBQvS1icIAS6W7AwABw
- d5hD2G0KVJK66HnYWuQALQbuWh2i0OA2fNAywcKe4R5ACN5M8TKHew==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3dEttcnphWlVpbTdET1pY
- L2RxWkx2VWVxZ21URE53MFg1cVFpTkwxN1N3CmJSRk1DY2JkZk5DMlUvZFp5RXNw
- YWh0Q1FxTUJwTWNVY09NTTdSRHEzM1UKLS0tIEREeGY4M2J1QWZUTThhTWxoOUVX
- QVJSemJ4eldSbGU4dWZtU1hRNi9VQk0KhT8lL2mk8J/uZ0dECGbi14Se2cC7l6AK
- yWgNHggdrPcSvHH/A2u1yUdfQCU36yEvoxAwa8y/uQW3lgU35iVT+g==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuT29LTzAxcHZPd0VFa2pG
- ZVJ6K2tiT2V3MDJlakpjZ1puczFWZEdORFJNCitNRzViZHU4ZTRXMmJZYUZqRHJ2
- aDZtRlAyMDdOUHoxbWJ1c0JHaURXSlEKLS0tIHpnRitqc1BmV3FyUjZQcGtZZUtG
- dXRPaEJna0duZDVLZVRpODM2enpiUmcKWLmGdJzLZ6UMcGRAzCb/UmsHl1Q+FQgk
- IPTiCyyun+1JjWMSXC/z7rf2LFuvWvPPxHOChnYivBD60BYMgHJ8Sg==
- -----END AGE ENCRYPTED FILE-----
- - recipient: age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXN1hoQWdERDRTN0lJM0pI
- RWcvZXVPN3ljd0h0QTA1SmN6dlorVi9vWjNNCmhscXhNTmhBVlZZN3VzdzFnRWNt
- VTlTUGk0RnRIaHF2bnBPeFpOVHY4RGsKLS0tIDA5MjVFZnU3bTE3bHZZSzJJQmpD
- NEJkTStUaWVzZTNpKzZNTnRmR0tJUGsKBsVqJ0Xg8qWHGb2IDJXrEq4k4LgQFhQS
- HrVF7MAwE/WSnGRhh/V8osej3QHW4vLg37IjaT6v+hCcBOiJeCqg5g==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-06T20:14:22Z"
- mac: ENC[AES256_GCM,data:GPWu5DjjJ1ki+HRuedGdDCt+2V0RPbOsD/yWJxPIkgu5923vnF8y9y4V6e6+ZsTqHv4hsKeCjKtUnh2Ldn+xadwJmqrIxyJ8NzH5TOvcBxAab9cJCp/yKENw0O1WMUTlDPelvQKMDwbgiebaVVfxbQPUEfJGOgkHkyXrgqN94FU=,iv:h9YALYahUl7mRJmZKjArEfaMrfW9YZkVYd2CEooF13Q=,tag:wotqxup/ouG/bEVOZCs19w==,type:str]
- pgp:
- - created_at: "2023-11-23T20:47:07Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6T2hmV3BOU0M1MTloWktK
+ YTRXS3lTcERncjNpaFlhRlljNWlJQURmdW1FCmQzNEFFZ2VxTmdmZ21idzZEUHVZ
+ clFMZU1tTG9kWkNFVzdXK0NYQjVMMnMKLS0tIHVwRzlpR2VwcXlCdUxUbTN4YWcy
+ Y3dqOXlTeDZRU3YycUtqTXpKcWt4bk0KT71rTNU/kZci9u3NahgR3/fL6IHHxVdu
+ unIWav0e6cZVQXKw29Pji966zuB5Rv0vb+5LAYsXzC0E6vtiC7kwzA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxM0NiZ1RIekpsY2pDVEh0
+ MldzL0Zna045QVY5TnAwYU1rTitQMkxOZ1M4Ck80a2dnTlFxYkZyKzE3emFTa29R
+ THNTblJuU1g0Zlg1RlhMV0JsY3ZpR0UKLS0tIGhLWFZOcS9za0Riak9QUVZ1dGhZ
+ SnVNUTJFWnVHTDZKZzFBME5ZZzFBWE0K6jMchwT9eJOqyBhSiyg0XS69KxWc2Xx1
+ SJS0acLF+Lcrw0xEr856846P/bH+l/SY4Ii7Mv0b38GOb5KPGra3cA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1pmznn2tjpelpmxjxqef48rse5ujggf9kcr8x5vewuadqcw03aavqwy54zm
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBENVQ5MHZ3VXBMbUdBTHFN
+ Z09QTDdyWFpHUG9LWGdqZXhBRm90ZnBsNFhJClJpaTFCaSt6Q0E1UlR0WEljWjVv
+ UE1LUDZ1by9zYmhibGJHRGpKT2RhbzQKLS0tIEhKYTlTcmw2NDBDVGluc1N0Y2Rl
+ d2dsU0ZnMFVlYnJtai9UWDJROG9JTWcKeCVOvRWUJutoFOhDLni2CpgKUUvxTFUS
+ NNozeDy27P+ZZFDHxBGPoJhJmAKt7Vs4FpdAYJM1xeZWd4BgakdUZw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIMWxSQ3ovamNoaFovcDRi
+ NGVRRGNZZDJoVWdhMDBhRU9VZHNzMUkzV1RFCjgzQ1FDdSsyMWYrZC9iZXBDa1NJ
+ dThoNms4aW5iQVBzK21URXkrQjFQR3cKLS0tIDFmR2o4OEpxZnJheGJTWHRMNDBV
+ djkrN0xTR25zeEVjYnpMbllZRHcySGsKvPzezvh4MF5TvrqEAg5z/nDRw8iviIx0
+ wcnO7RQZGSZ71Cv0T11dIpAixUE90l5b6xHKdaeS8vtYFTKdw8FjKg==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZW9HdjNSTE5xWlVWY01R
+ bXAyWVZhcjlkbFVneXhaVnZOQkQ5amszeDJJCjVWa3lLSWhBUDYyd1N1QlZ3T2Fs
+ QkN2MDViUGwyV0w4NGJiZHhaQ0VjcW8KLS0tIFNkZnNJbXpFOVZsdjREbWFwQ1RB
+ RTVML1czWWk1QkYzMlVwOWVXNVRwancKKngA02rNH1ZN2jvJ4QZcN07djYzzqoPo
+ OFeFoOHOKNz3Obwlxv6eW1bd0AP/MT7VR+cTDdaAxwNf8I1gEC9bjw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1qju6ms625tlgcjwc9p447seu2p8gu0cr63e5gv5y0wx9mvgmre9slxzzs0
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdG5NWlVURFA0TDhWak5u
+ R0tmR3JiMThtNnpqM05yQWZTdVAxZTQ4TEcwCndjSlYvMTg1NlRvSHhmdmNMRzhS
+ MjgwMU5ZcnVnWVplY1lOc1JQNFkxMDQKLS0tIHhHenE2SmdFcC95ampNbmdOSDJX
+ ZnJLR0RKZ3FrOUxRSU11dlh5ZzBidmcK7PsJYwMJpv9YoaYiN+U20HA2opK2IUnF
+ elU57b01ZOZM5nfpnyZBdqZO6VRDAZC2h81z+BCNXUQus4SSNQi0aw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyN5UxOSB2bzBRSi9qOEsxR0Z4RTNt
+ U0VKT0o3b3I0dXJxSHRSVnFiR3BWOUNTR2ljCmlHWWZnTGJKeWNhTWxKaEVrbWdG
+ M2twejZqaFU2RU8wemVxWHlpQVJYZWcKLS0tIDA5Y1Q0RWJvbUlGUHpKN1BIMGM2
+ cGU2bXpEaVNRcko4TVlBMG9KdnJibjQK86rJ3S+JQhD8+gCkr748z1oVy55ukOMv
+ c408QBFGToOuzvaRbOIb8lhci4ImuSJJE7TZUzgYsADEAaeudDKVtw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age10xwq7a4y256yhv02j0u80te0vt4krgfjc68r0uw07t96z7ggmpwqtv38a0
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5WHJjQThud1IzSHk2Z0Zn
+ L2NybEJyMVdoRWszb0lZTlcyN1ppa1BOSmdzCitZa2thNkJyWWxKU0IxdnhrVXNI
+ Q2dXL1BST1hzMy9PZWpVcU1lckcvdVkKLS0tIDd1VXBGRmdkdnV6UHdzbU1UMjVB
+ WjB5akxEeUd2eS95ZnZHSUFXSmNXWncK3VXZqfKo8jat4gbn/5YSL/cV5qILqV5b
+ E/OBRFStWmfhuCZJzCDhU9a0QJocW+UkkI4XRzDDaN66gEmZe+u7mA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1dktk5glcuu34u9t6kp3g2vqyj7dy0elray38t8n75mwa6l0s0vdst2cy00
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2cE5lLy9ZNXdXb0owcnZk
+ S0JRSkc4Q2p4bGxPSG14VjlKZ3NMMUpEd2drClBGU0FyaGJ1WCtHVHRzYTFqRXpz
+ VWJvTlBEcXg4TVVLZzV4djE2bUhIRVEKLS0tICtSTCtNS2dON0pIMHNzWmE5Q253
+ c3loYWpFd0h6N3FpdkdpZGdHZjU0aE0K2zsQNBl1jdhLWf1PeGVo+deCc6BwnTo4
+ tUg59pWQ5BvwMQx0kjhEoa29S1QUU4Or4erPPoHS5teK4Llv0s2gRQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1v458x2q70yt0a6m6cq5ehemphtrzfzyhmeg3r872vsyyf65asgwstmqqk4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNHNvaU5sUDEvd3JGWUFa
+ VjZDbm9VMXpjQWhCYTRxbUlEREErT0tDUXpRCnN4YXhVVW8zTi9ZZmVUYWwwRHhH
+ dXd0dnB5WE9sTDZ2R3d4MlFiWlFZcmsKLS0tIENJSTNvNWV3SlVwRk15RDRpNllQ
+ YmZuei9iVFMvcytqS3podTZZb2g3S0kK+qGQ8LkLO6v8T718dyD5j5CTC+UwBaCn
+ 9dxkh9MWkKknRL89MHbV9gVG/StiOa+USGqulXEGbapiZ9q1JYCa7A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-11-16T19:17:41Z"
+ mac: ENC[AES256_GCM,data:WWOWqwrUtpJWY7o7M6Aac7B9O6tw91yNiL74Fg0TKq4OH/0TGHI7YJK4c9swXs95jctFvFL9qQPTNEENgnqhJyZJGuc2qTsSaKERsSReaV4gURNEm2J2R52EQkyZXRbrn0oSoDazORqRXQo1KvULV75fyIPtsE1OcU/1/TPkWHY=,iv:XwyR6rM+0eTmKg4+vpQx26iKgKm0NL6siKxLoF3MufM=,tag:ks777fUl7uUgn7W48zBoMg==,type:str]
+ pgp:
+ - created_at: "2024-12-24T19:36:21Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf/Y907bW+LYWHAT8FPF12f8+GvUy744+9sMZe3oSX1ML9F - JOEjxSOs9OCWM79qBIMI6Nets3lV1eEoR8eG74jcIwNPQMfQn/U4hHtJM9Nq4yI7 - 1FLQEfGZcuSMUk2/1c/9lEi+Sye9W+9ZYGUIcvBu1ksPmZpJT/BVOaNc8xWe1hzY - FmEzwaWAPaxSH1EM3KnPhxezzn76DxjDKc4iMNi+5UoAIT2cssbdckf5uDaTa3CE - 6GrfR9//5ldsPqineM2MHeEMHgn+mlVYmpiXNBCfcMfEi81o6l5nmNjy1qjABEKC - 254kSW+vMFOhdH6AZvJ/21z/3aUTwMM2mFEti/nh4dJRAWNWEymviIC1o2esJ9K6 - 77xHv4pEIEahuBcHLBbeBK3AYYqJxcZr5BhIqGAir8OlCOaXzRsN5ElzmVS+Hoib - t04nfgpuRfKyso0zrndvLwDn - =lmD0 - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + hQEMA0SHG/zF3227AQgAqL1QC5kKDaMVQQp9Lboe3krFMW6MxBjilO3BvGYoXHKu + kKP4hJomuF8wqkKzwsXZihIoXmc767/lKG7AIIMnMJjShGgIjSU668l0guuxlGdT + r58W+JvA1Hu6LadQ6iPS5dVJgW0MJj5YGG0+EPljHVjFIXOKJff+09jBv2648kDh + SuuDVwFueX88qgKLnGNw/JWsmG6TRb8WPpbtK0zd30Y/guTRdx57+W4GcLz6zs98 + kkU/VwAKy8ghkXlDyG/TBWipgj+xPGvOIRYiddZc6FBE14e5Miyuw4vgtLaYIWpS + aDB0BUbjmCaiVyZ3PF8nzJcUj3thAepkGyGIgPAgCNJcAW0hIzLoYdU9Dt5kxmGf + tCH3/l3nOuqFZ2EFe6xlBuYEfkjCDLMnDD6W4gvJTkOjfYDWuF0TldyfXeGken+J + BYeYA3OGTslhrVlXSPQeY1OqITnbqbPgwLkd7D0= + =Nc6x + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/sj-bm-hostkey0/secrets.yaml b/secrets/sj-bm-hostkey0/secrets.yaml deleted file mode 100644 index 7d9cdc0..0000000 --- a/secrets/sj-bm-hostkey0/secrets.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -unused-secret: ENC[AES256_GCM,data:rKIjC2Ri,iv:PIs3Xuv9zEMhawvMyxwN0CI4Xzr1lTpg1o2scsosizs=,tag:++t0A80KDxctiXwxW5Vd2Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1dw43sxtdxptzgyhsxhrj36x5gn7376gqk45t7wtyt3s97v7ux39sdmdd44 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBa2YwTDAyWUZqRjFPWnc3 - R2FySXZ4d2RxRjlLTkZFblZIOUNPUS9kM1EwCjUrNTE2cmx6bGVTOXljZVllQzJG - clBPa1BjcC9GQ3Z6N0xYSFMvZ0J2c0EKLS0tIFQzQ2NHdmJBTFdNck53NVVyejRN - Y0xhYnI3MlhnbjhTS1dFMUdNZFdnSjgK4cl3R943LNMxA3dODf8nsSdmINkKIjB+ - fgp2whfSacWQchsWgpzdiayQoZ9XlWoklmTAX+yN0J8Q3j3CBb3S5g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-23T11:45:17Z" - mac: ENC[AES256_GCM,data:VFEtWuEoqlU3wW8SwgWjlnnuv8aJw5Az9j82gc9YfexwR6lNyyQHY5EdZfqPdO4ZRNLen60Xq98kotTYiY7GJ9x3ZR8KPW3puRvqeD8qZf1NMwvkzQliZ+078HCBHmBTeoouWLuvWdP9uv3XOQWdR7/ZfMB/eC4bWS+Acq+tVZ4=,iv:5CRupDm9jNslcn96kUrhQdT5zadEqyKtrKbv+BtcYW0=,tag:ukHLjRdZCTRliB+LXGBHWQ==,type:str] - pgp: - - created_at: "2023-11-23T20:47:08Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - wcBMA0SHG/zF3227AQf/VZ3eNZsb6emw7b5N9rgkRqTW3QvHe/w2QJcjCjp4Hk2M - Es2jYS6EaMLvduiSf6Xl5qHoQNS+HfM3GBKyRdgP/AcrjXXqj5CzmmbMYk5MY2oU - qseV4VFvvk9i9gbHaGbbntixYHBDeBSEHb/k7jWfUxz4wPhSWxpsEW/UQ1UabDgU - C54m3l9NoJw8oseDHOW7gTPW1mm1KFVBqaJ9zeZX5FHSJ0OBDj015wuGwTxkR7pv - /NL1Xg3wtpYHEhRKh1qxqwijW6EkTK9aAJFutkkYE9nI4x48cLCHjDg1GbXgYQkn - 5rPRZPPmWhJPJIyCZIX1RkrVSXSIkI2Vjr3iKpEfltJRAY1KD6PSI3rWRHPDbM7B - oFIdVwLKvV1tBrdVk+3M+nDrXwEshBJUt7r9GTdsWVxjdFgCteTkgkSnzM2y5mbG - AUodj6a/Fvni4sYQka1QbRLn - =YLrT - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/secrets/sj-srv1/secrets.yaml b/secrets/sj-srv1/secrets.yaml new file mode 100644 index 0000000..40a927b --- /dev/null +++ b/secrets/sj-srv1/secrets.yaml 
@@ -0,0 +1,38 @@ +#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment] +passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str] +restic-password: ENC[AES256_GCM,data:0cTVlqHCW/xCk7y3ikh0RtVk/5xFOrcrnQmMbIBtfOd7PYbiTUzwBtYXwOaXO4ob7/+KJUEwhl5TzX/Of1J+y7ML7JbpNPtLr8r0gzDYOvBPY5GlmkDGcorz7QTaomuDprJkoD06lJWme/L893u7rxwamF222D2JvGz5FfTuWfaRWb1PcehBkew89gjdAgqFJJwqlX1vwvQDPg6yj+vnk9ZqR/E967bbQeN/G/qGJ9xfVmeuOPYoZH2IrL0Zgif/FLqZWZtlJ1JnRUBXsVN6FZXfT1Q82euLPOpaUHrFJjAF26PuTwVreIjcBLX3wqc8vhAYWfc+RThS3ITwNdNTSA==,iv:KBqME0cqIIX15xPgKi5mBalk01tswj8xVd8rFETX9zU=,tag:V6KltIGVarWXP1R5lY2FAw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v + ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL + dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 + czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 + iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-19T20:25:37Z" + mac: ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str] + pgp: + - created_at: "2023-08-11T16:31:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n + 
TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 + R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ + JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP + kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy + 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT + eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 + C5Jot9exml6467YZkApBm0eM + =HulH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/sj-vps-htz0/secrets.yaml b/secrets/sj-vps-htz0/secrets.yaml index 5eba76e..09a13a2 100644 --- a/secrets/sj-vps-htz0/secrets.yaml +++ b/secrets/sj-vps-htz0/secrets.yaml 
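Review bot: The age and PGP key-wrap stanzas of the new secrets/sj-srv1/secrets.yaml are byte-identical to those of secrets/sj-vps-htz0/secrets.yaml in the next hunk (same `age18dmqd7r…` recipient, same base64 blob, same PGP message ending `=HulH`, same `created_at`), so the two files share one data encryption key. Presumably the file was produced by copying the sj-vps-htz0 file and editing it, which sops allows, but it means whoever can unwrap one host's key can also read this file's `passwords-root` and `restic-password`. If sj-srv1 is a distinct host, give it its own age recipient in the creation rules and rotate the data key, e.g. `sops -r -i secrets/sj-srv1/secrets.yaml`; if it is a rename of sj-vps-htz0, retiring the old file would make that explicit. A rotation would also bring the stale `version: 3.7.3` in line with the other new files at 3.8.1.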
@@ -5,37 +5,37 @@ wg0-public: ENC[AES256_GCM,data:AnEK0wlEIlVrz0nubLWr3lv7R1ddzA/RPjP0CosyEJzCJU6c wg0-psk-steveej-psk: ENC[AES256_GCM,data:Z5txIdXKVshlqMBLEnW/ulFiQSmMKj6m1vLE8fuL+zl+tJxh9EX/XvjLaC4=,iv:h4ypudvQAKPM7+5vQNAb69JntdZPNa8Km6wd14ovCHc=,tag:t7ZbbcpRCTAF7zP8vKPpJw==,type:str] wg0-psk-steveej-public: ENC[AES256_GCM,data:KU6aRVK06RkyvvYFzFZaCplz1HyirSfpjW+jjvHP+eTMs3hfhFUnPSZRCN4=,iv:2A019CQD2vjcOmX6PFpDaDCo8yN9oA9kdKxiW1e3Dss=,tag:kfRENOJY7RnwWGN1eOeEhQ==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v - ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL - dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 - czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 - iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-13T17:03:01Z" - mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] - pgp: - - created_at: "2023-08-11T16:31:41Z" - enc: |- - -----BEGIN PGP MESSAGE----- + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v + ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL + dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2 + czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0 + iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q== + -----END AGE ENCRYPTED FILE----- + 
lastmodified: "2023-08-13T17:03:01Z" + mac: ENC[AES256_GCM,data:AtD2QZsLpOLQB7Jcb0Cn+zGUK/fMzuVhQ2r5f4jL3dttqfaDa4k+bUMP7wQ9RW6cUXm5ps+s1t9TkRUi2P7bkQjtEuyiTGAUiM8OnkJQ26npITWWs8giekKq01m2DlZufWRcrZrQU43EgVNDqRTVlMK1IoVS4zqNwqt4tXG6YWk=,iv:F+BbR5aGg+6/0LBxpC+AoNT4dLutvkgeUJszkMrV5xk=,tag:4Cvd4nG+h1+hXg/NzH0wRg==,type:str] + pgp: + - created_at: "2023-08-11T16:31:41Z" + enc: |- + -----BEGIN PGP MESSAGE----- - wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n - TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 - R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ - JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP - kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy - 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT - eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 - C5Jot9exml6467YZkApBm0eM - =HulH - -----END PGP MESSAGE----- - fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B - unencrypted_suffix: _unencrypted - version: 3.7.3 + wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n + TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7 + R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ + JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP + kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy + 0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT + eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7 + C5Jot9exml6467YZkApBm0eM + =HulH + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/secrets/steveej-t14/radicale_htpasswd b/secrets/steveej-t14/radicale_htpasswd deleted file mode 100644 index 0ab6e33..0000000 --- a/secrets/steveej-t14/radicale_htpasswd +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:4Oo7a4iL9ry9qFnzd/uwllP8UZ1re+RglnvkEO11XvSqqGhGOCUX0k0kOVD/CYbdLNq7jqVI8h5Fw5grSb6SCDzlknV0bJ70mmBQ9wEhRA82P1M/T50KH6V6XIVR7IlVhjMKkdW6YH0XAyrqaVh3fJUbOk9hJVvrylLvPF4vpc9+aYdzUCvn5jbecpywYY7NRKLI7H7xUmnW,iv:vvyS08x5yXTmlZo1A+Z2zsW9Mj6JrIkNt+CvB7VZJ38=,tag:MrjYVpS+SyYLUAbin85fkw==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmTVMxdkpjQllIZlRpQjEr\nc0RqNzNnOGplcDR6by9aL0JQY0ZmZjV3OUhrCm1sbHEvQ3hFZVg1YU5wOU5kaGpI\nK25zckJNaXhWd21kUHIyTm8yVW0reWsKLS0tIHVvbDhYZjRSbVRjOWZNaWkwcm1z\neVJyTTRNNTJBeVYxdDFCL1ozQjhQUkUK09k0LVNUugbxtZJB1JEXWmB2Q35mK1MW\nY12rpx4QwFUf1uhZDGmHMU0mrmaZRhkiTXTW+MtbHHtiGCxI8JrgLQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-07-01T17:49:07Z", - "mac": "ENC[AES256_GCM,data:DLKp0oBRgqoC1vm7Gt8IgTXQZBVhFMzRlP2CeWUHCi0PhOFFDCQCbJMJ4GnLeVAMgn1PTQXxDBJsqx1dd99oR3xXOqV6s9RUrg7BNql6G1PRnROnvGavVq+K8Oqyc6K3RDMK95Fwd20Svvyplc7fvvJVYA7XE8oVyPCj7adgIzA=,iv:0T60zdgBXTNEUyzWNH2gRJsH7D/mofiBQKD4XpaTdf4=,tag:9s0g5W0fu7PrKybYNQMfxA==,type:str]", - "pgp": [ - { - "created_at": "2023-07-01T17:45:58Z", - "enc": "-----BEGIN PGP MESSAGE-----\n\nwcBMA0SHG/zF3227AQf/e3rEGHYLdAQ3t5Ye7EY8HGj3zplmEm6yX/OD6atnIH56\n1n+buBEsCnj6OMJ8IPBI1KMlR3agvrTcP1U428VaJKEqMAfAbmTxHvuYv17r4z3c\nuxtvnK4BUC0BIgf3b9FP1uQBvmwSR3bIV1JuD1or88j9iY3dO7KbwbAEF+HMqj9/\nz+NM9ZGi/mpdFHLCKp52FgKi+eiNyGiJS1a8VSda/X8GwcmQYUzSkUxOcjGVTmYr\nBzie319eutOq6zf9+8WGO+Jd8XDlFdmucXyb5kkJkKv0kUeEMKePktpxjh/SUH2E\nVWLDa3rLPEZWvvLtDeOgAWdxNVBsvAhFwyUl7hJ+INJRAbgK7jJpGJuNUmN48P/Y\nKj1/x5hKlBOQpqWyoB751Sq2hAITS/UyvpIEL7cH9ASq369SVa7tI6KL0Ut5wSDb\n1681kueTerz2szUe6DPcAC4U\n=Bu6s\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - 
"version": "3.7.3" - } -} \ No newline at end of file diff --git a/secrets/steveej-x13s/mycelium_priv_key.bin.enc b/secrets/steveej-x13s/mycelium_priv_key.bin.enc new file mode 100644 index 0000000..d1693e7 --- /dev/null +++ b/secrets/steveej-x13s/mycelium_priv_key.bin.enc 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:ILo+B9hfSEOaNleohfdc+RlzFHOu5y0kS9Ocys5KBKQ=,iv:GNzGem+eBseA99FoFHRSDQbnpo0RS6lRRR6oLV5xajE=,tag:FmBrSBT1qQ+jXhUlAjCRSg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvOHM2dFdaSmRjVXRGOWdM\nc3NySkxDWjl3bXl0VHpRUURINlRWNTJhM1JNCmQzV2xUTUlEb0l2Q0FZUDMrOVVF\neTNEWG1kV1hlY3dWaDVubzdBMUpjdjgKLS0tIGtzeUF5TCtoSk92aDZkdkhqMjZm\nellNZk84ckRXZW5LYlA0Zjc0MXFVMFUKkbgJvketPLkiRtiM2ot/o2q0roCyMcNB\nDjvUDLeExvpz11T12pFETaeSGKMH/R6HfDt37T/K2cpCNvOXHU8MpQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-04-19T19:07:46Z", + "mac": "ENC[AES256_GCM,data:e6xOIt73MDaMOnP3d2G/xqjwozdvdkxNkso4ry3Wj5UELoSKtjOXn0oWA1KIApQM72rcytyAMuvuF8nIRzOsU+RjCxyoyFxK+x1ljvXcjJF/mrB8+27QEIKMFbCRYDtDtiax0MnVkW3a4zqAz9ETd2hlBRS2DcVXvgV8GVRZL4o=,iv:jd5Mwf+IUrm5vbHftImsB7iX3AP8O61/2kEf2BpOFRQ=,tag:aXmSU8qPGTKRmzddVz6s8w==,type:str]", + "pgp": [ + { + "created_at": "2024-04-19T19:07:46Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQf/UWVXKoYna+QMRhlTcMeEYBYD1twGiU2M+Qov7lMwCVd0\nyLd/TW0E3l7nNp+8pVeQb2a84F3W6kitWSv6sSEQuz74vMGtAHJs63NRaRP+apdV\nKE9kada00clOgd8gDAwEZUUMaTuCxZalsLHOLmKa/5UJVCaYuHcS1wyKWqhK7l9j\nYuELlmM0DcJixWved7t0UL9O1s15b6aFGjc029OIEXwIGuh9Fe01lDjqC/NM+bZC\neL8osDcyTvz2AJB7IjlKQ9EQ9SGxhKXdcoJ0iGvZn5UJx4Dmvw7U2egHN511WDR7\nE4UGux7u7D+DfvOmeCxd/6iCzMdOZUUk3E+yb05YxNJcAZNG/2HLxs2eIs/W81Uk\nLM4UVDBrrrH9hAAyE5sSHsZOIxoqbNol9FSU3iTKEdCq9giU1C8P5mjKymr1hhro\nbYiCYZXhSV0X+bEm27NH8KqEg7wYv6FWMwiYVVY=\n=Itgp\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file 
diff --git a/secrets/steveej-x13s/secrets.yaml b/secrets/steveej-x13s/secrets.yaml new file mode 100644 index 0000000..a76e0dc --- /dev/null +++ b/secrets/steveej-x13s/secrets.yaml 
@@ -0,0 +1,36 @@ +builder-private-key: ENC[AES256_GCM,data:KG5V86SDVM5LfFPZI5rjKGvYwqLZInEqpwdIJPAiF7fMdG3rTq3JgNJCQr0eOhfmLwT3KEN2Fv0mHZS4smMGdh0WCkza8CzRn/KFY8gqEWxxdff1Wqj7+2/5lSI8I7Qp2EW+eaAgU53PPOh/M3Cgm/Rraw2ARmIJNIgtuJC8ZeZlsh3sl0tacF9rgSrP8p4xAH3C/QUs1HW+10eL9F3STtAV+ZBruU68lNmCdiyqKjg3O3qdRFsjdGWAwHNHL42cEm3il4PofyS5fDDF4otQktZa5n8832ukF5Aj6RNgJwubrsxB9+1M9s7hD1UQyKo6oQKJr1GXNK+IPyXAvdxckZ8INhsxP4c4v8GzR0zJK4MfESx0r67ciGLOcYulNBDOMSbD57oW+wRvCI2eZlpB3ugBcUm/rsQbgFVEX8q6jD8WipJ+Q3hz1zWq45s66XooFmnwc2nBhT6cRmtGzTJCcDpiovgj5tKXSXrWfwYO7tWr7lYg8T4zhfplZBtQOaqTUrAOhW7IRT5Lo/310cMRcp1h44TSnpWXZN7l,iv:DOUijPr4wHmjNIniF2IRjinXZ6iyg8Z1Nt5EgFfX5Zw=,tag:VWxHpfpyphtu6XLR1yKugg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByZWRvaWFlU25sYkdTejg3 + YXRrVHhHaDN2anR0WWJmcDdCZDNLUFhiU2hrCmZSNWNFbVd3Wm95SU9iNmhqaVE1 + TlFuYzFNOVFEekYvWjlQWEpqbzZCU1UKLS0tIFczTHlsN2lNdlh3clI2VEI4Y0lI + dUQ5ZE9keUtxVU5mMklGODRjSld0TnMKGWu7m6/q6PhS1R8N9YBsxDs9O76U6Bta + wr8Tqr/1JLWoSLbPapltKH8+hKAb84LeILezVS1SrL+mjf2KYa3WQQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-01T16:50:35Z" + mac: ENC[AES256_GCM,data:wDnv7wZLks2EME+JqlBtagVaDZEo9ap3d6xFfnBy2/D4wrJhhYlo8vOYM8GFXEhfa0Jek+9ZlkmXYerLNWLMiUMKWIvk0cvHjxBaR2wcxt9FnynPT9W9hSX7UFhM/eTiJviksOESTI7pqNh9X7ggLSZ0c+O5mBxxEh/bcjz8vIU=,iv:vgvmyvUkZBapCpRbPU3cDgmHsc5NwHzCsMzjHvr/Xc0=,tag:FMI0YrwdCPIFe8tnLQr69w==,type:str] + pgp: + - created_at: "2024-04-04T18:26:01Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMA0SHG/zF3227AQgAn6CqJhclheA82nJm39h/52Ir/gVGRZz1ViK157MxRVs3 + NSrNZCPW+x9vGExPWJ8wnT3KZ7jeo7jEbJ260WSp4xwQtCuUrDR6Oyp0mrtN6SMo + 4hHZo+OwLb3brQGHOng43Hedk6E74ZRMyUr5mmRKLTC1l9GeKtf3HoSvNq+bS7B8 + SrmkemzsS2SrXYE7Qslzhi8QKwby8nsjN2pE5hk12wZKefT4XP3q+lf7n2QeboG0 + 8d4u+706BO4DoxtnXPs1Gop3sJ3TZdAXTdfjnuv+LDMOmIDoVp1tgXRPiAvCfMPV + 
9YiFS/WYMD5OA69SPBjCWIMPMw8PIU8OuHjy71eXlNJeAXeVLp70pGQOiPOZSvtl + vmfiPWOZnX+6jSpsSfmEa8FxAZYLgHUayF8YMtHi3kdz3x0kWMx3Pzvjvs4BfIyd + pp7PTfMycrk67Y3lcokNswt/fle0tN6xuqP4Uv4zWw== + =y1Sk + -----END PGP MESSAGE----- + fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/work-holo/zerotierone.txt b/secrets/work-holo/zerotierone.txt new file mode 100644 index 0000000..38a76e4 --- /dev/null +++ b/secrets/work-holo/zerotierone.txt 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1y9urllccdcemlv7g5z4peuzeh5ah0a8nu6cnkvym8v2vfhqjd5jql483c6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByYWNzWm5ZQVFRNWRSQ3I2\nckQ0YVc0NlJPYVFvYi9Zd2ZNaVh3UG91T2xNClVDaGtvcHlvUnZTOVgyV242OHhy\nWW84NW9LZ242Nk5RalBWUUFITmEvaVEKLS0tIEtOemlTWHYwU3RTVUFoQU8yNU9N\nMlJnL2ZjWVh1RWJwMEpXUjZQZDIxb0kKKbe3H99dII7ni0NQv/QcotAQ4OdrV87/\nro5JVYotk/m0NtS76nJ0NuNpkz4/r4D0XE1r/y3eRH/q+JHyjHFX1w==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-07-01T20:19:12Z", + "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", + "pgp": [ + { + "created_at": "2024-06-26T19:27:08Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhQEMA0SHG/zF3227AQgAgxxDv/vq2N5Hn37enDmLSjOegRW+IbDE/M3zbEvaKh9R\n+UdPf2+9oBjMLX42fOdSihGIHbrQtfG37nFLcJb/W1+Kay205INSDLSWIyUlyNvT\nwtPSVBZdgCbH5rW8yoX5xaS6Fdm1ANCof+hYyQxNtC7LgcgHLKvubhPrsckEoul1\nVuL0g9DGFysxnb4MCOZyFmziucwTKvLFzkaIb68PAYigPJG+wWVx5G/CvoC7Mzxp\nVYApk/6OnHR8TZOhtpnD9Q7Uj5g2ZGAJWE/B2z6xY2m9NJNC8UEL0QypVOnqBaSq\nyDDwrfOdTHqm3u0huJ4mV3cXzzb6RtRw89AuXS+6O9JcATtlFBazwos44yV/WAKz\nT3ZOZ4oD6elvqnvj9J7oOIwuPylaXd802YQSzPrfWQSqMUYds0gt3gklfIx+/SRm\nqBvQqStPmm3njU1TEPU3xrTywDSWGDKXCklnkVM=\n=CPPt\n-----END PGP MESSAGE-----", + "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file 
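Review bot: The `data` ciphertext, `iv`, `tag`, `mac` and `lastmodified` of the new secrets/work-holo/zerotierone.txt are identical to those of the deleted secrets/zerotierone.txt in the next hunk, so the move re-wrapped the existing data key for `age1y9urll…` without rotating it. The two recipients dropped from the age list (`age17jxph…` and `age18dmqd…`) still hold a wrapping of that same key in git history, so removing them from the file does not revoke their ability to decrypt this value. If the intent is that only the x13s key can read this secret, rotate with `sops -r -i secrets/work-holo/zerotierone.txt`, which re-encrypts the value under a fresh data key; the same applies to any recipient removal in this repository, since the old wrapped key stays recoverable from history until a rotation or a change of the secret itself.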
diff --git a/secrets/zerotierone.txt b/secrets/zerotierone.txt deleted file mode 100644 index 347b737..0000000 --- a/secrets/zerotierone.txt +++ /dev/null 
@@ -1,30 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data:D6xhJ8RgtO3wuNQF0N9V4TlYcKahT8Rv3rHPeZH5F2Wk+V1GhZ+Bhl+D75ersKPv3vmNWlKD2lHb46LaM3Cz7gKAgcQ=,iv:BsnB+Tt+83QVdfive5+s824f3MBZSy6N3g+/raqWgGA=,tag:foQL/RYGfovt1feSlE5GAg==,type:str]", - "sops": { - "kms": null, - "gcp_kms": null, - "azure_kv": null, - "hc_vault": null, - "age": [ - { - "recipient": "age17jxphuql70wjkd84azn62ltx9ky69hyvkac23lm8f2j92lznf9hseqq0vl", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAybUlwMVhVSTlxWjk0aXV1\nRkFKN0d2TWdTNGxFK1o3QitpTG5JN1FUNEVFCmRZdVYrSlJYbVF2NFlkRHBQNFgx\nM2dGOE5yaWl0VnJVU1MzNGJ1VUZYK1kKLS0tIEh4dkI2Vk9yUStHRlNzVUVPeWVB\nVmw0V0MxWWdudE1ONkszRSs5MEtUT28KkIW7Y+9AfxbPu1V0YoL5Brdv+2AaTAn0\nXmJmn8qwOtuyWRR3sJfDfkR2eW85mrMmhJnNa1aHg5lDQUGA/eqinQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOGdQN0xOVzYvOFdzbUgy\ncStsYXdxUkY4OEJ5TGhVWitoQnpsSGYxS1VjCkhaYmxOOEh6eS8yeGViZjJZZ3o5\nUVBSYXFOSkJHQnB3aHVTeEk1VWNhblEKLS0tIG9NRTFpZFJlRUVYeHpVN2ljVngv\nRzJNZnZMRlJsL0F0eVIzcnhEbSszSGsKnK0SfJe7hQKyslklwvvFlBX9GjGWf6md\nl7AZLivBP67A0GbD2DztUaiS8NsPtlV899xqIH4/YUIIUGG9M2XHew==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2023-07-01T20:19:12Z", - "mac": "ENC[AES256_GCM,data:aIizzl+WFLI8rwp9r9p3kJIsbAISp8vRnSUQKKRIY8V8WdjBNuR+ebSlMf8kBg4e+D9hpTGEY0byv8bpgx/1m5MMEXIDBiBb8GHBk8qwB/3JWsBMyCHOyylw9AAgteyCDEKMCHgU/ZBvExW9n5gnuvkngKK8X1imrNG2ySL9cIo=,iv:UFacq8BdavyiHGRAcKq9obdAD7ZsW8wqugkvtbpi8pw=,tag:fkoaJKrA54tNlTLbAwRsug==,type:str]", - "pgp": [ - { - "created_at": "2023-07-01T20:50:27Z", - "enc": "-----BEGIN PGP 
MESSAGE-----\n\nwcBMA0SHG/zF3227AQf+JijZCf20beuFsUX5Qjt9IVmeA1VG+iRiSncX6Q9NQWqc\nRlxZP3gZz9a/SQDaG3v7S0v5FBmbCScan2xrHSrJne6ljVkxlsiE4SE9Mq1wczF7\n0gdt1pnmjKMjhVVeG2jzNqL3bPGlhIBIIBB+Sv3FHftiXwfBYP5OJh9MTaokwj5/\ntd2x9LxBi6seH+RShrFk33wKJ3gMA2cF9aFEsbvmdXPHs91glwLD1NHN3vp0lGNX\nm4otFLZ0e36aqSVyAiwpoIgLwInZxtx6nnMWVk25s0fj+fKfgnHE3RNh9BntQ19d\nZDpQn7b2DqrKozUnycwpPRojPkmaqpom5XmbuurrA9JRAQYWSmeOuJXUBfZclzLJ\nERYPWDJIN7bmYPFoMkZ2YdV/GCin6lwFfl6u74VAkpU+AMgB+0c51nEHZcO5UaWT\nLRcMPADwjmk35oiltQYOvOpm\n=CGsu\n-----END PGP MESSAGE-----", - "fp": "6F7069FE6B96E894E60EC45C6EEFA706CB17E89B" - } - ], - "unencrypted_suffix": "_unencrypted", - "version": "3.7.3" - } -} \ No newline at end of file diff --git a/services/home-ch/router-family.lan/Justfile b/services/home-ch/router-family.lan/Justfile index c599600..c15ed68 100644 --- a/services/home-ch/router-family.lan/Justfile +++ b/services/home-ch/router-family.lan/Justfile 
@@ -1,12 +1,12 @@ _run_ssh_cmd cmd: - ssh root@router-family.lan "{{cmd}}" + ssh root@router-family.lan "{{ cmd }}" post-setup: - just -v _run_ssh_cmd "opkg update" - just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns" - just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server" - just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs" - # multiuser SFTP - just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server" - just -v _run_ssh_cmd "opkg install sudo coreutils-readlink" - just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" + just -v _run_ssh_cmd "opkg update" + just -v _run_ssh_cmd "opkg install luci-ssl luci-app-ddns" + just -v _run_ssh_cmd "opkg install luci-app-samba samba36-server" + just -v _run_ssh_cmd "opkg install block-mount blockd kmod-fs-vfat kmod-usb-storage usbutils kmod-usb-storage-uas kmod-fs-btrfs btrfs-progs" + # multiuser SFTP + just -v _run_ssh_cmd "opkg install openssh-server openssh-sftp-server" + just -v _run_ssh_cmd "opkg install sudo coreutils-readlink" + just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" diff --git a/services/home-ch/router-wan.dmz/Justfile b/services/home-ch/router-wan.dmz/Justfile index 921adb4..6f818a8 100644 --- a/services/home-ch/router-wan.dmz/Justfile +++ b/services/home-ch/router-wan.dmz/Justfile @@ -1,9 +1,9 @@ _run_ssh_cmd cmd: - ssh root@router-wan.dmz "{{cmd}}" + ssh root@router-wan.dmz "{{ cmd }}" post-setup: - just -v _run_ssh_cmd "opkg update" - just -v _run_ssh_cmd "opkg install luci-ssl" - just -v _run_ssh_cmd "opkg install luci-app-mwan3" - # multiuser SFTP - just -v _run_ssh_cmd "/etc/init.d/uhttpd restart" + just -v _run_ssh_cmd "opkg update" + just -v _run_ssh_cmd "opkg install luci-ssl" + just -v _run_ssh_cmd "opkg install luci-app-mwan3" + # multiuser SFTP + just -v _run_ssh_cmd "/etc/init.d/uhttpd restart"