diff --git a/.gitignore b/.gitignore index fbfe182..92102e5 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,3 @@ .env **/result .direnv/ - -# nixago: ignore-linked-files -/treefmt.toml \ No newline at end of file diff --git a/.vscode/settings.json b/.vscode/settings.json index 3e061dc..8ace7b1 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,9 +1,4 @@ { - "editor.defaultFormatter": "ibecker.treefmt-vscode", - "treefmt.command": "treefmt", - "editor.formatOnSave": true, - "nix.enableLanguageServer": true, - "nix.serverPath": "nil", "nix.serverSettings": { // settings for 'nil' LSP "nil": { @@ -14,14 +9,11 @@ "unused_with" ] }, - // TODO: this doesn't work because treefmt-nix wants the output path as an argument - // "formatting": { - // "command": [ - // "treefmt-nix", - // "--stdin", - // "/dev/stdout" - // ] - // } + "formatting": { + "command": [ + "alejandra", + ] + } } }, } diff --git a/default.nix b/default.nix index 6aba02e..75e1dbb 100644 --- a/default.nix +++ b/default.nix @@ -4,9 +4,6 @@ # Having pkgs default to is fine though, and it lets you use short # commands such as: # nix-build -A mypackage -{ - pkgs ? import { }, -}: -{ - pkgs = import ./nix/pkgs { inherit pkgs; }; +{pkgs ? import {}}: { + pkgs = import ./nix/pkgs {inherit pkgs;}; } diff --git a/flake.lock b/flake.lock index ca784f0..785838f 100644 --- a/flake.lock +++ b/flake.lock 
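Review bot: The new `"formatting"."command"` array in the `.vscode/settings.json` hunk ends with a trailing comma (`"alejandra", ]`); VS Code's JSONC reader tolerates it, but any strict JSON consumer of this file will fail to parse it, so write `"command": ["alejandra"]`. The same hunk drops `"nix.enableLanguageServer": true` and `"nix.serverPath": "nil"`, and the surviving `nix.serverSettings.nil` block — this formatter command included — presumably only has an effect while the nil server is still enabled by some other mechanism; either confirm that or keep the two removed keys.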
@@ -346,81 +346,6 @@ } }, "flake-utils_3": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_5": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_6": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_7": { - "locked": { - "lastModified": 1653893745, - "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_8": { "inputs": { "systems": "systems_3" }, @@ -438,7 +363,7 @@ "type": "github" } }, - "flake-utils_9": { + "flake-utils_4": { "inputs": { "systems": "systems_4" }, 
@@ -560,7 +485,7 @@ }, "lib-aggregate": { "inputs": { - "flake-utils": "flake-utils_8", + "flake-utils": "flake-utils_3", "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { 
@@ -714,126 +639,6 @@ "type": "github" } }, - "nixago": { - "inputs": { - "flake-utils": "flake-utils_3", - "nixago-exts": "nixago-exts", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1714086354, - "narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=", - "owner": "jmgilman", - "repo": "nixago", - "rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d", - "type": "github" - }, - "original": { - "owner": "jmgilman", - "repo": "nixago", - "type": "github" - } - }, - "nixago-exts": { - "inputs": { - "flake-utils": "flake-utils_4", - "nixago": "nixago_2", - "nixpkgs": [ - "nixago", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1676070308, - "narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=", - "owner": "nix-community", - "repo": "nixago-extensions", - "rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago-extensions", - "type": "github" - } - }, - "nixago-exts_2": { - "inputs": { - "flake-utils": "flake-utils_6", - "nixago": "nixago_3", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixago", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1655508669, - "narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=", - "owner": "nix-community", - "repo": "nixago-extensions", - "rev": "3022a932ce109258482ecc6568c163e8d0b426aa", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago-extensions", - "type": "github" - } - }, - "nixago_2": { - "inputs": { - "flake-utils": "flake-utils_5", - "nixago-exts": "nixago-exts_2", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1676070010, - "narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=", - "owner": "nix-community", - "repo": "nixago", - "rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e", - "type": "github" - }, - "original": { - "owner": "nix-community", - "ref": "rename-config-data", - "repo": "nixago", 
- "type": "github" - } - }, - "nixago_3": { - "inputs": { - "flake-utils": "flake-utils_7", - "nixpkgs": [ - "nixago", - "nixago-exts", - "nixago", - "nixago-exts", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1655405483, - "narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=", - "owner": "nix-community", - "repo": "nixago", - "rev": "e6a9566c18063db5b120e69e048d3627414e327d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixago", - "type": "github" - } - }, "nixos-anywhere": { "inputs": { "disko": "disko", @@ -1253,7 +1058,6 @@ "logseq_0_10_9_aarch64_appimage": "logseq_0_10_9_aarch64_appimage", "nix-vscode-extensions": "nix-vscode-extensions", "nix4vscode": "nix4vscode", - "nixago": "nixago", "nixos-anywhere": "nixos-anywhere", "nixpkgs": [ "nixpkgs-2405" @@ -1276,7 +1080,6 @@ "rperf": "rperf", "sops-nix": "sops-nix", "srvos": "srvos", - "treefmt-nix": "treefmt-nix_4", "x13s-bt-firmware": "x13s-bt-firmware", "yofi": "yofi" } @@ -1513,26 +1316,6 @@ "type": "github" } }, - "treefmt-nix_4": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1730321837, - "narHash": "sha256-vK+a09qq19QNu2MlLcvN4qcRctJbqWkX7ahgPZ/+maI=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "746901bb8dba96d154b66492a29f5db0693dbfcc", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, "x13s-bt-firmware": { "flake": false, "locked": { @@ -1547,7 +1330,7 @@ }, "yofi": { "inputs": { - "flake-utils": "flake-utils_9", + "flake-utils": "flake-utils_4", "nixpkgs": [ "nixpkgs" ] diff --git a/flake.nix b/flake.nix index 655ead0..1a53f44 100644 --- a/flake.nix +++ b/flake.nix 
@@ -125,246 +125,218 @@ url = "github:nix-community/nixvim/nixos-24.05"; inputs.nixpkgs.follows = "nixpkgs"; }; - treefmt-nix = { - url = "github:numtide/treefmt-nix"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixago.url = "github:jmgilman/nixago"; - nixago.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = - inputs@{ - self, - flake-parts, - nixpkgs, - ... - }: - let - inherit (nixpkgs) lib; + outputs = inputs @ { + self, + flake-parts, + nixpkgs, + ... + }: let + inherit (nixpkgs) lib; - systems = [ - "x86_64-linux" - "aarch64-linux" - ]; - in - flake-parts.lib.mkFlake { inherit inputs; } ( - { withSystem, ... }: - { - flake.colmena = - lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) - { meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; } - # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import - # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 + systems = [ + "x86_64-linux" + "aarch64-linux" + ]; + in + flake-parts.lib.mkFlake {inherit inputs;} + ({withSystem, ...}: { + flake.colmena = + lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur) + { + meta.nixpkgs = import inputs.nixpkgs.outPath { + system = builtins.elemAt systems 0; + }; + } + # FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import + # try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861 + (builtins.map + (nodeName: + import ./nix/os/devices/${nodeName} { + inherit nodeName; + repoFlake = self; + repoFlakeWithSystem = withSystem; + nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; + }) [ + "steveej-t14" + "steveej-x13s" + "steveej-x13s-rmvbl" + # "elias-e525" + # "justyna-p300" + + # "srv0-dmz0" + # "router0-dmz0" + "router0-ifog" + "router0-hosthatch" + + "sj-srv1" + + "hstk0" + ]); + + flake.lib = { + inherit withSystem; + }; + + # this makes nixos-anywhere work + 
flake.nixosConfigurations = let + colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; + router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; + in ( + colmenaHive + // { + router0-dmz0 = router0-dmz0.native; + + # for now deploy directly with: + # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 + router0-dmz0_cross = router0-dmz0.cross; + + steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross; + steveej-x13s-rmvbl_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; + } + ); + + inherit systems; + + perSystem = { + self', + inputs', + system, + config, + lib, + pkgs, + ... + }: { + imports = [ + ./nix/modules/flake-parts/perSystem/default.nix + ]; + + packages = let + dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {}; + + craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; + + craneLib = + craneLibFn + inputs'.fenix.packages.stable.toolchain; + + craneLibOfiPass = + craneLibFn ( - builtins.map - ( - nodeName: - import ./nix/os/devices/${nodeName} { - inherit nodeName; - repoFlake = self; - repoFlakeWithSystem = withSystem; - nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName}; - } - ) - [ - "steveej-t14" - "steveej-x13s" - "steveej-x13s-rmvbl" - # "elias-e525" - # "justyna-p300" - - # "srv0-dmz0" - # "router0-dmz0" - "router0-ifog" - "router0-hosthatch" - - "sj-srv1" - - "hstk0" - ] + inputs'.fenix.packages.stable.toolchain + # .override { + # date = "1.60.0"; + # } ); + in { + dcpj4110dwDriver = dcpj4110dw.driver; + dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - flake.lib = { - inherit withSystem; + inherit (inputs'.colmena.packages) colmena; - treefmtEval = - pkgs: - let - settingsNix = { - # Used to find the project root - projectRootFile = ".git/config"; - programs.nixfmt.enable = true; - }; - in - 
inputs.treefmt-nix.lib.evalModule pkgs settingsNix; + prs = + pkgs.callPackage + ({ + pkgs, + dbus, + glib, + gpgme, + gtk3, + libxcb, + libxkbcommon, + installShellFiles, + pkg-config, + python3, + }: + craneLib.buildPackage { + pname = "prs"; + version = inputs.prs.shortRev; + src = inputs.prs; + nativeBuildInputs = [gpgme installShellFiles pkg-config python3]; - treefmtSettings = pkgs: (self.lib.treefmtEval pkgs).config.settings; + buildInputs = [ + dbus + glib + gpgme + gtk3 + libxcb + libxkbcommon + ]; + + cargoExtraArgs = "--features backend-gpgme"; + + postInstall = '' + for shell in bash fish zsh; do + installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) + done + ''; + }) + {}; + + nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; + + ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' + set -x + pkill -9 wayland-proxy-v + export NIXOS_OZONE_WL="" + ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ + --wayland-display=wayland-3 \ + --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ + --x-display=3 \ + & + # --x-unscale=3 \ + #--verbose \ + + export PROXYPID="$!" 
+ + trap "kill -9 \$PROXYPID" EXIT + # trap "pkill -9 wayland-proxy-v" EXIT + + env \ + WAYLAND_DISPLAY=wayland-3 \ + DISPLAY=:3 \ + ledger-live-desktop + ''; + + syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' + ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 + ''; + + rperf = craneLib.buildPackage { + src = inputs.rperf; + nativeBuildInputs = [ + pkgs.pkg-config + ]; + buildInputs = [ + ]; + }; + + x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" {} '' + mkdir -p $out/lib/firmware/qca + cp -v ${self}/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw $out/lib/firmware/qca/hpnv21.bin + cp -v ${inputs.x13s-bt-firmware} $out/lib/firmware/qca//hpbtfw21.tlv + ''; + + x13s-ath11k-firmware = pkgs.runCommand "x13s-ath11k-firmware-before" {} '' + mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ + cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ + ''; }; - # this makes nixos-anywhere work - flake.nixosConfigurations = - let - colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes; - router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations; - in - ( - colmenaHive - // { - router0-dmz0 = router0-dmz0.native; + formatter = pkgs.alejandra; - # for now deploy directly with: - # nixos-rebuild switch --flake .\#router0-dmz0_cross --build-host localhost --target-host root@192.168.10.1 - router0-dmz0_cross = router0-dmz0.cross; - - steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross; - steveej-x13s-rmvbl_cross = - (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross; - } - ); - - inherit systems; - - perSystem = - { - self', - inputs', - system, - config, - 
lib, - pkgs, - ... - }: - { - imports = [ ./nix/modules/flake-parts/perSystem/default.nix ]; - - packages = - let - dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) { }; - - craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain; - - craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain; - - craneLibOfiPass = craneLibFn ( - inputs'.fenix.packages.stable.toolchain - # .override { - # date = "1.60.0"; - # } - ); - in - { - dcpj4110dwDriver = dcpj4110dw.driver; - dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper; - - inherit (inputs'.colmena.packages) colmena; - - prs = pkgs.callPackage ( - { - pkgs, - dbus, - glib, - gpgme, - gtk3, - libxcb, - libxkbcommon, - installShellFiles, - pkg-config, - python3, - }: - craneLib.buildPackage { - pname = "prs"; - version = inputs.prs.shortRev; - src = inputs.prs; - nativeBuildInputs = [ - gpgme - installShellFiles - pkg-config - python3 - ]; - - buildInputs = [ - dbus - glib - gpgme - gtk3 - libxcb - libxkbcommon - ]; - - cargoExtraArgs = "--features backend-gpgme"; - - postInstall = '' - for shell in bash fish zsh; do - installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout) - done - ''; - } - ) { }; - - nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6; - - ledger-live-desktop-wrapped = pkgs.writeShellScriptBin "ledger-live-desktop-wrapped" '' - set -x - pkill -9 wayland-proxy-v - export NIXOS_OZONE_WL="" - ${pkgs.wayland-proxy-virtwl}/bin/wayland-proxy-virtwl \ - --wayland-display=wayland-3 \ - --xwayland-binary=${pkgs.xwayland}/bin/Xwayland \ - --x-display=3 \ - & - # --x-unscale=3 \ - #--verbose \ - - export PROXYPID="$!" 
- - trap "kill -9 \$PROXYPID" EXIT - # trap "pkill -9 wayland-proxy-v" EXIT - - env \ - WAYLAND_DISPLAY=wayland-3 \ - DISPLAY=:3 \ - ledger-live-desktop - ''; - - syncthing-container-webui = pkgs.writeShellScriptBin "reverse-port-forward-syncthing-container" '' - ssh root@${self.colmena.sj-vps-htz0.deployment.targetHost} -L 8385:syncthing.containers:8384 - ''; - - rperf = craneLib.buildPackage { - src = inputs.rperf; - nativeBuildInputs = [ pkgs.pkg-config ]; - buildInputs = [ ]; - }; - - x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" { } '' - mkdir -p $out/lib/firmware/qca - cp -v ${self}/misc/x13s_bt_firmware/hpnv21g.b8c.crypt.fw $out/lib/firmware/qca/hpnv21.bin - cp -v ${inputs.x13s-bt-firmware} $out/lib/firmware/qca//hpbtfw21.tlv - ''; - - x13s-ath11k-firmware = pkgs.runCommand "x13s-ath11k-firmware-before" { } '' - mkdir -p $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/{board-2,regdb}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - cp -v ${inputs.ath11k-firmware}/WCN6855/hw2.1/1.1/WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41/{amss,m3}.bin $out/lib/firmware/ath11k/WCN6855/hw2.1/ - ''; - }; - - formatter = (self.lib.treefmtEval pkgs).config.build.wrapper; - - devShells = - let - all = import ./nix/devShells.nix { - inherit - self - self' - inputs' - pkgs - ; - }; - in - (all // { default = all.develop; }); + devShells = let + all = import ./nix/devShells.nix { + inherit + self + self' + inputs' + pkgs + ; }; - } - ); + in (all // {default = all.develop;}); + }; + }); } diff --git a/nix/container-images/default.nix b/nix/container-images/default.nix index 67f516d..7dcab2a 100644 --- a/nix/container-images/default.nix +++ b/nix/container-images/default.nix 
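Review bot: `syncthing-container-webui` (new side, near the end of `packages`) opens an interactive root shell on `${self.colmena.sj-vps-htz0.deployment.targetHost}` just to hold a tunnel: `ssh root@… -L 8385:syncthing.containers:8384` without `-N` hands the caller a root login as a side effect of "open the web UI". Pass `-N` so the session only forwards, e.g. `ssh -N -L 8385:syncthing.containers:8384 root@${self.colmena.sj-vps-htz0.deployment.targetHost}`, and consider a dedicated unprivileged forwarding account, since a `-L` forward needs no root on the remote side. The installed binary is also named `reverse-port-forward-syncthing-container` while the attribute is `syncthing-container-webui` and `-L` is a local, not a reverse, forward — aligning the names would avoid confusion. The `outputs` function is complete within this hunk, but the enclosing flake attrset and its `inputs` begin above it.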
@@ -1,10 +1,6 @@ -{ - pkgs ? import { }, -}: -let - baseEnv = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; -in -rec { +{pkgs ? import {}}: let + baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; +in rec { base = pkgs.dockerTools.buildImage rec { name = "base"; 
@@ -25,70 +21,59 @@ rec { interactive_base = pkgs.dockerTools.buildImage { name = "interactive_base"; fromImage = base; - contents = with pkgs; [ - procps - zsh - coreutils - neovim - ]; + contents = with pkgs; [procps zsh coreutils neovim]; - config = { - Cmd = [ "/bin/zsh" ]; - }; + config = {Cmd = ["/bin/zsh"];}; }; - s3ql = - let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} + s3ql = let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} - if [ -z "$S3QL_BUCKET" ]; then - echo S3QL_BUCKET not set - exit 1 - fi + if [ -z "$S3QL_BUCKET" ]; then + echo S3QL_BUCKET not set + exit 1 + fi - if [ -z "$S3QL_STORAGE_URL" ]; then - echo S3QL_STORAGE_URL not set - exit 1 - fi + if [ -z "$S3QL_STORAGE_URL" ]; then + echo S3QL_STORAGE_URL not set + exit 1 + fi - if [ -z "$S3QL_CACHESIZE" ]; then - echo S3QL_CACHESIZE not set - exit 1 - fi + if [ -z "$S3QL_CACHESIZE" ]; then + echo S3QL_CACHESIZE not set + exit 1 + fi - set -x + set -x - if [ "$S3QL_SKIP_FSCK" != "1" ]; then - fsck.s3ql \ - --authfile $S3QL_AUTHINFO2 \ - --log none \ - --cachedir $S3QL_CACHE_DIR \ - $S3QL_STORAGE_URL - fi - - exec mount.s3ql \ - --cachedir "$S3QL_CACHE_DIR" \ - --authfile "$S3QL_AUTHINFO2" \ - --cachesize "$S3QL_CACHESIZE" \ - --fg \ - --compress lzma-6 \ - --threads 4 \ + if [ "$S3QL_SKIP_FSCK" != "1" ]; then + fsck.s3ql \ + --authfile $S3QL_AUTHINFO2 \ --log none \ - --allow-root \ - "$S3QL_STORAGE_URL" \ - /bucket + --cachedir $S3QL_CACHE_DIR \ + $S3QL_STORAGE_URL + fi - # FIXME: touch .isbucket after mount - ''; - in + exec mount.s3ql \ + --cachedir "$S3QL_CACHE_DIR" \ + --authfile "$S3QL_AUTHINFO2" \ + --cachesize "$S3QL_CACHESIZE" \ + --fg \ + --compress lzma-6 \ + --threads 4 \ + --log none \ + --allow-root \ + "$S3QL_STORAGE_URL" \ + /bucket + + # FIXME: touch .isbucket after mount + ''; + in pkgs.dockerTools.buildImage { name = "s3ql"; fromImage = interactive_base; - contents = [ - pkgs.s3ql - pkgs.fuse - ]; + contents = [pkgs.s3ql 
pkgs.fuse]; runAsRoot = '' #!${pkgs.stdenv.shell} 
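Review bot: In the `s3ql` entrypoint the `fsck.s3ql` call expands `$S3QL_AUTHINFO2`, `$S3QL_CACHE_DIR` and `$S3QL_STORAGE_URL` unquoted, while the `mount.s3ql` call directly below quotes the same three variables — a value containing whitespace or glob characters would be word-split for fsck but not for mount, so the two commands could operate on different arguments. Quote them the same way: `--authfile "$S3QL_AUTHINFO2" \`, `--cachedir "$S3QL_CACHE_DIR" \`, `"$S3QL_STORAGE_URL"`. The script also refuses to start without `S3QL_BUCKET`, yet the visible body never reads it after the check and the mount target is hard-coded to `/bucket`, whereas the following hunk declares a `/buckets` volume — either use the variable for the mount point or drop the check. The `buildImage` call for `s3ql` continues into `runAsRoot` and its `config` outside this hunk.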
@@ -99,58 +84,57 @@ rec { ''; config = { - Env = baseEnv ++ [ - "HOME=/home/s3ql" - "S3QL_CACHE_DIR=/var/cache/s3ql" - "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" - "CONTAINER_ENTRYPOINT=${entrypoint}" - ]; - Cmd = [ entrypoint ]; + Env = + baseEnv + ++ [ + "HOME=/home/s3ql" + "S3QL_CACHE_DIR=/var/cache/s3ql" + "S3QL_AUTHINFO2=/etc/s3ql/authinfo2" + "CONTAINER_ENTRYPOINT=${entrypoint}" + ]; + Cmd = [entrypoint]; Volumes = { - "/var/cache/s3ql" = { }; - "/etc/s3ql/authinfo2" = { }; - "/buckets" = { }; - "/tmp" = { }; + "/var/cache/s3ql" = {}; + "/etc/s3ql/authinfo2" = {}; + "/buckets" = {}; + "/tmp" = {}; }; }; }; - syncthing = - let - entrypoint = pkgs.writeScript "entrypoint" '' - #!${pkgs.stdenv.shell} - set -x - if [ ! -e /data/.isbucket ]; then - echo ERROR: Bucket not mounted at /data - exit 1 - fi + syncthing = let + entrypoint = pkgs.writeScript "entrypoint" '' + #!${pkgs.stdenv.shell} + set -x + if [ ! -e /data/.isbucket ]; then + echo ERROR: Bucket not mounted at /data + exit 1 + fi - if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then - echo ERROR: SYNCTHING_GUI_ADDRESS is not set - exit 1 - fi + if [ -z "$SYNCTHING_GUI_ADDRESS" ]; then + echo ERROR: SYNCTHING_GUI_ADDRESS is not set + exit 1 + fi - if [ ! -w "$SYNCTHING_HOME" ]; then - echo ERROR : SYNCTHING_HOME is not writable - fi + if [ ! -w "$SYNCTHING_HOME" ]; then + echo ERROR : SYNCTHING_HOME is not writable + fi - exec syncthing \ - -home $SYNCTHING_HOME \ - -gui-address=$SYNCTHING_GUI_ADDRESS \ - -no-browser - ''; - in + exec syncthing \ + -home $SYNCTHING_HOME \ + -gui-address=$SYNCTHING_GUI_ADDRESS \ + -no-browser + ''; + in pkgs.dockerTools.buildImage { name = "syncthing"; fromImage = interactive_base; contents = pkgs.syncthing; config = { - Env = baseEnv ++ [ "SYNCTHING_HOME=/home/syncthing" ]; - Cmd = [ entrypoint ]; - Volumes = { - "/data" = { }; - }; + Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"]; + Cmd = [entrypoint]; + Volumes = {"/data" = {};}; }; }; } 
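Review bot: The `SYNCTHING_HOME` writability check in the `syncthing` entrypoint only prints `ERROR : SYNCTHING_HOME is not writable` and then falls through to `exec syncthing`, unlike the two checks before it which `exit 1`; add `exit 1` after the echo (and the stray space before the colon can go: `echo ERROR: SYNCTHING_HOME is not writable`). `-home $SYNCTHING_HOME` and `-gui-address=$SYNCTHING_GUI_ADDRESS` are also passed unquoted; `"$SYNCTHING_HOME"` and `"$SYNCTHING_GUI_ADDRESS"` keep a value with spaces from being split into extra arguments.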
diff --git a/nix/default.nix b/nix/default.nix index f8947e0..888a4e9 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -1,34 +1,26 @@ -{ versionsPath }: -let +{versionsPath}: let channelVersions = import versionsPath; - mkChannelSource = - name: - let - channelVersion = builtins.getAttr name channelVersions; - in + mkChannelSource = name: let + channelVersion = builtins.getAttr name channelVersions; + in builtins.fetchGit { # Descriptive name to make the store path easier to identify inherit name; inherit (channelVersion) url ref rev; }; - nixPath = builtins.concatStringsSep ":" ( - builtins.map ( - elemName: - let - elem = builtins.getAttr elemName channelVersions; - elemPath = mkChannelSource elemName; - suffix = if builtins.hasAttr "suffix" elem then elem.suffix else ""; - in - builtins.concatStringsSep "=" [ - elemName - elemPath - ] - + suffix - ) (builtins.attrNames channelVersions) - ); - pkgs = import (mkChannelSource "nixpkgs") { }; -in -{ + nixPath = builtins.concatStringsSep ":" (builtins.map + (elemName: let + elem = builtins.getAttr elemName channelVersions; + elemPath = mkChannelSource elemName; + suffix = + if builtins.hasAttr "suffix" elem + then elem.suffix + else ""; + in + builtins.concatStringsSep "=" [elemName elemPath] + suffix) + (builtins.attrNames channelVersions)); + pkgs = import (mkChannelSource "nixpkgs") {}; +in { inherit nixPath; channelSources = pkgs.writeText "channels.rc" '' export NIX_PATH=${nixPath} diff --git a/nix/devShells.nix b/nix/devShells.nix index 232f59a..fabf520 100644 --- a/nix/devShells.nix +++ b/nix/devShells.nix @@ -3,11 +3,9 @@ self', inputs', pkgs, -}: -let +}: let pkgsUnstable = inputs'.nixpkgs-unstable.legacyPackages; -in -{ +in { install = pkgs.mkShell { name = "infra-install"; packages = with pkgs; [ 
@@ -22,9 +20,10 @@ in develop = pkgs.mkShell { name = "infra-develop"; - inputsFrom = [ self'.devShells.install ]; + inputsFrom = [ + self'.devShells.install + ]; packages = with pkgs; [ - pkgs.treefmt inputs'.colmena.packages.colmena dconf2nix inputs'.nixos-anywhere.packages.nixos-anywhere @@ -92,15 +91,6 @@ in # Set Environment Variables RUST_BACKTRACE = 1; - KANIDM_URL = - self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin; - - shellHook = - (self.inputs.nixago.lib.${pkgs.stdenv.system}.make { - data = self.lib.treefmtSettings pkgs; - output = "treefmt.toml"; - format = "toml"; - }).shellHook; - + KANIDM_URL = self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin; }; } diff --git a/nix/home-manager/configuration/graphical-fullblown.nix b/nix/home-manager/configuration/graphical-fullblown.nix index 135dd22..ac0914d 100644 --- a/nix/home-manager/configuration/graphical-fullblown.nix +++ b/nix/home-manager/configuration/graphical-fullblown.nix @@ -7,13 +7,11 @@ repoFlake, packages', ... -}: -let +}: let pkgsUnstable = pkgs.pkgsUnstable - or (import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config overlays; }); -in -{ + or (import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config overlays;}); +in { imports = [ ../profiles/common.nix # ../profiles/dotfiles.nix 
@@ -36,18 +34,18 @@ in ../programs/libreoffice.nix ../programs/neovim.nix ../programs/vscode - { home.packages = [ pkgsUnstable.markdown-oxide ]; } + { + home.packages = [ + pkgsUnstable.markdown-oxide + ]; + } ]; home.sessionVariables.HM_CONFIG = "graphical-fullblown"; home.sessionVariables.GOPATH = "$HOME/src/go"; - home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [ - "$HOME/.local/bin" - "$PATH" - ]; + home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"]; - nixpkgs.config.allowInsecurePredicate = - pkg: + nixpkgs.config.allowInsecurePredicate = pkg: builtins.elem (lib.getName pkg) [ "electron-28.3.3" "electron-27.3.11" @@ -70,7 +68,7 @@ in # ]; home.packages = - [ ] + [] ++ (with pkgs; [ # Authentication # cacert @@ -248,15 +246,19 @@ in # libretro.snes9x2010 # retroarchFull - (pkgs.logseq.overrideAttrs ( - attrs: - lib.attrsets.recursiveUpdate attrs ( - lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { - src = repoFlake.inputs.logseq_0_10_9_aarch64_appimage; - meta.platforms = [ "aarch64-linux" ]; - } + ( + pkgs.logseq.overrideAttrs ( + attrs: + lib.attrsets.recursiveUpdate + attrs + ( + lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 { + src = repoFlake.inputs.logseq_0_10_9_aarch64_appimage; + meta.platforms = ["aarch64-linux"]; + } + ) ) - )) + ) # ( # pkgsUnstable.callPackage (repoFlake + "/nix/pkgs/logseq") @@ -265,7 +267,8 @@ in # }) # ) ]) - ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ]) + ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ + ]) ++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ pkgsUnstable.ledger-live-desktop diff --git a/nix/home-manager/configuration/graphical-gnome3.nix b/nix/home-manager/configuration/graphical-gnome3.nix index 320f102..12e1948 100644 --- a/nix/home-manager/configuration/graphical-gnome3.nix +++ b/nix/home-manager/configuration/graphical-gnome3.nix 
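Review bot: `nixpkgs.config.allowInsecurePredicate` on the new side compares `lib.getName pkg` against versioned strings such as `"electron-28.3.3"`, but `lib.getName` returns the package's `pname` (the name with the version stripped), so those entries can never match and the list does not actually pin which insecure electron releases are accepted; the rest of the list runs past the hunk, and if it contains a bare `"electron"` that entry alone waives the known-vulnerabilities check for every electron version. Compare the full name-version instead, `builtins.elem "${lib.getName pkg}-${lib.getVersion pkg}" [`, or move the versioned entries to `nixpkgs.config.permittedInsecurePackages`, which nixpkgs matches on name-version. The surrounding module attrset continues below the hunk.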
@@ -1,7 +1,10 @@ -{ pkgs, config, ... }: { + pkgs, + config, + ... +}: { home.packages = - [ ] + [] ++ (with pkgs; [ gnome.gnome-tweaks gnome.gnome-keyring diff --git a/nix/home-manager/configuration/graphical-removable.nix b/nix/home-manager/configuration/graphical-removable.nix index 28dc3e2..faac0d5 100644 --- a/nix/home-manager/configuration/graphical-removable.nix +++ b/nix/home-manager/configuration/graphical-removable.nix @@ -1,5 +1,8 @@ -{ pkgs, config, ... }: { + pkgs, + config, + ... +}: { imports = [ ../profiles/common.nix ../profiles/qtile-desktop.nix @@ -14,7 +17,7 @@ ]; home.packages = - [ ] + [] ++ (with pkgs; [ # Nix package related tools patchelf diff --git a/nix/home-manager/lib.nix b/nix/home-manager/lib.nix index 3a5c59e..b731c1d 100644 --- a/nix/home-manager/lib.nix +++ b/nix/home-manager/lib.nix @@ -1,22 +1,14 @@ -{ }: -let -in -{ - mkSimpleTrayService = - { execStart }: - { - Unit = { - Description = ""; - After = [ "graphical-session-pre.target" ]; - PartOf = [ "graphical-session.target" ]; - }; - - Install = { - WantedBy = [ "graphical-session.target" ]; - }; - - Service = { - ExecStart = execStart; - }; +{}: let +in { + mkSimpleTrayService = {execStart}: { + Unit = { + Description = ""; + After = ["graphical-session-pre.target"]; + PartOf = ["graphical-session.target"]; }; + + Install = {WantedBy = ["graphical-session.target"];}; + + Service = {ExecStart = execStart;}; + }; } diff --git a/nix/home-manager/profiles/common.nix b/nix/home-manager/profiles/common.nix index 9243634..d5b0c7e 100644 --- a/nix/home-manager/profiles/common.nix +++ b/nix/home-manager/profiles/common.nix @@ -1,5 +1,8 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + ... +}: { home.stateVersion = lib.mkDefault "23.11"; # TODO: re-enable this with the appropriate version? @@ -12,8 +15,7 @@ allowUnfree = true; allowUnsupportedSystem = true; - allowInsecurePredicate = - pkg: + allowInsecurePredicate = pkg: builtins.elem (lib.getName pkg) [ "electron-28.3.3" "electron-27.3.11" 
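Review bot: `allowInsecurePredicate` in `common.nix` matches `lib.getName pkg`, which is the version-less `pname`, against `"electron-28.3.3"` and `"electron-27.3.11"`; those entries are dead, and the list continues into the next hunk of this file, where a bare `"electron"` entry is visible as context — that single entry is what actually fires, and it accepts every electron build nixpkgs has marked with `knownVulnerabilities`, not just the two listed versions. Switch to `builtins.elem "${lib.getName pkg}-${lib.getVersion pkg}" [` (after which the bare `"electron"` entry stops matching and each accepted release has to be listed explicitly), or use `nixpkgs.config.permittedInsecurePackages`. The `nixpkgs.config` attrset starts above this hunk (`allowUnfree`/`allowUnsupportedSystem` are its context lines) and ends below it.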
@@ -26,8 +28,7 @@ "electron" ]; - allowUnfreePredicate = - pkg: + allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "obsidian" "vivaldi" @@ -56,7 +57,7 @@ programs.fzf.enable = true; home.packages = - [ ] + [] ++ (with pkgs; [ coreutils diff --git a/nix/home-manager/profiles/dotfiles.nix b/nix/home-manager/profiles/dotfiles.nix index 066d0b7..670ea75 100644 --- a/nix/home-manager/profiles/dotfiles.nix +++ b/nix/home-manager/profiles/dotfiles.nix @@ -5,23 +5,21 @@ repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git", repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git", ... -}: -let +}: let repoBareLocal = pkgs.runCommand "fetchbare" - { - outputHashMode = "recursive"; - outputHashAlgo = "sha256"; - outputHash = "0000000000000000000000000000000000000000000000000000"; - } - '' - ( - set -xe - export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt - ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out - ) - ''; + { + outputHashMode = "recursive"; + outputHashAlgo = "sha256"; + outputHash = "0000000000000000000000000000000000000000000000000000"; + } '' + ( + set -xe + export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt + ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out + ) + ''; vcshActivationScript = pkgs.writeScript "activation-script" '' export HOST=$(hostname -s) @@ -41,8 +39,7 @@ let set_remotes ${repoHttps} ${repoSsh} fi ''; -in -{ +in { # TODO: fix the dotfiles # home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] '' # $DRY_RUN_CMD ${vcshActivationScript} diff --git a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix index 2a866f2..84d629f 100644 --- a/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix +++ b/nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix 
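Review bot: `repoBareLocal` in `dotfiles.nix` is a fixed-output derivation whose `outputHash` is the 52-zero placeholder (the value of `pkgs.lib.fakeSha256`), so the `git clone --mirror` can only ever fail with a hash mismatch; that is fail-closed, but it also means `vcshActivationScript` is unbuildable. Make the intent explicit instead of leaving a magic string: `outputHash = pkgs.lib.fakeSha256; # placeholder: replace with the hash reported by the first build`, and bear in mind that a mirror of a moving branch stays reproducible only if the hash is bumped whenever the upstream repository changes. The second hunk of this file shows the `home.activation.vcsh` hook still commented out under `# TODO: fix the dotfiles`, so the derivation is currently dead code.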
@@ -3,40 +3,38 @@
 repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
 repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
 ...
-}:
-let
+}: let
 repoBareLocal =
 pkgs.runCommand "fetchbare"
- {
- outputHashMode = "recursive";
- outputHashAlgo = "sha256";
- outputHash = "0000000000000000000000000000000000000000000000000000";
- }
- ''
- (
- set -xe
- export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
- export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
- ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
- )
- '';
+ {
+ outputHashMode = "recursive";
+ outputHashAlgo = "sha256";
+ outputHash = "0000000000000000000000000000000000000000000000000000";
+ } ''
+ (
+ set -xe
+ export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+ export SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
+ ${pkgs.git}/bin/git clone --mirror ${repoHttps} $out
+ )
+ '';
 in
-pkgs.writeScript "activation-script" ''
- export HOST=$(hostname -s)
+ pkgs.writeScript "activation-script" ''
+ export HOST=$(hostname -s)
- function set_remotes {
- ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
- ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
- }
+ function set_remotes {
+ ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url origin $1
+ ${pkgs.vcsh}/bin/vcsh dotfiles remote set-url --push origin $2
+ }
- if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
- echo Cloning dotfiles for $HOST...
- ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
- set_remotes ${repoHttps} ${repoSsh}
- else
- set_remotes ${repoBareLocal} ${repoSsh}
- echo Updating dotfiles for $HOST...
- ${pkgs.vcsh}/bin/vcsh pull $HOST || true
- set_remotes ${repoHttps} ${repoSsh}
- fi
-''
+ if ! test -d $HOME/.config/vcsh/repo.d/dotfiles.git; then
+ echo Cloning dotfiles for $HOST...
+ ${pkgs.vcsh}/bin/vcsh clone -b $HOST ${repoBareLocal} dotfiles
+ set_remotes ${repoHttps} ${repoSsh}
+ else
+ set_remotes ${repoBareLocal} ${repoSsh}
+ echo Updating dotfiles for $HOST...
+ ${pkgs.vcsh}/bin/vcsh pull $HOST || true
+ set_remotes ${repoHttps} ${repoSsh}
+ fi
+ ''
diff --git a/nix/home-manager/profiles/experimental-desktop.nix b/nix/home-manager/profiles/experimental-desktop.nix
index 404ed2a..13d87d7 100644
--- a/nix/home-manager/profiles/experimental-desktop.nix
+++ b/nix/home-manager/profiles/experimental-desktop.nix
@@ -5,12 +5,12 @@
 nodeFlake,
 packages',
 ...
-}:
-let
- pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath { };
-in
-{
- imports = [ ../profiles/wayland-desktop.nix ];
+}: let
+ pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {};
+in {
+ imports = [
+ ../profiles/wayland-desktop.nix
+ ];
 home.packages = [
 # experimental WMs
diff --git a/nix/home-manager/profiles/gnome-desktop.nix b/nix/home-manager/profiles/gnome-desktop.nix
index b8435ba..b803ea5 100644
--- a/nix/home-manager/profiles/gnome-desktop.nix
+++ b/nix/home-manager/profiles/gnome-desktop.nix
@@ -3,11 +3,11 @@
 config,
 lib,
 ...
-}:
-let
-in
-{
- imports = [ ../profiles/wayland-desktop.nix ];
+}: let
+in {
+ imports = [
+ ../profiles/wayland-desktop.nix
+ ];
 services = {
 gnome-keyring.enable = false;
@@ -25,83 +25,85 @@ in
 services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
- dconf.settings =
- let
- manualKeybindings = [
- {
- binding = "Print";
- command = "flameshot gui";
- name = "flameshot";
- }
+ dconf.settings = let
+ manualKeybindings = [
+ {
+ binding = "Print";
+ command = "flameshot gui";
+ name = "flameshot";
+ }
- {
- binding = "t";
- command = "alacritty";
- name = "alacritty";
- }
- ];
+ {
+ binding = "t";
+ command = "alacritty";
+ name = "alacritty";
+ }
+ ];
- numWorkspaces = 10;
- customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
- customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") (
- (builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace
+ numWorkspaces = 10;
+ customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
+ customKeybindingsNames =
+ builtins.genList (i: "/${customKeybindingBaseName}${toString i}/")
+ (
+ (builtins.length manualKeybindings)
+ + numWorkspaces # for sending to the workspace
 );
- workspacesKeyBindingsOffset = builtins.length manualKeybindings;
+ workspacesKeyBindingsOffset = builtins.length manualKeybindings;
- # with this we can make use of all number keys [0-9]
- mapToNumber =
- i:
- if i < 10 then
- i
- else if i == 10 then
- 0
- else
- throw "i exceeds 10: ${i}";
- in
+ # with this we can make use of all number keys [0-9]
+ mapToNumber = i:
+ if i < 10
+ then i
+ else if i == 10
+ then 0
+ else throw "i exceeds 10: ${i}";
+ in
 {
 "org/gnome/settings-daemon/plugins/media-keys" = {
 custom-keybindings = customKeybindingsNames;
 screenreader = "@as []";
- screensaver = [ "l" ];
+ screensaver = ["l"];
 };
 # disable the builtin [1-9] functionality
- "org/gnome/shell/keybindings" = builtins.listToAttrs (
- (builtins.genList (i: {
- name = "switch-to-application-${toString (i + 1)}";
- value = [ ];
- }) numWorkspaces)
+ "org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList
+ (i: {
+ name = "switch-to-application-${toString (i + 1)}";
+ value = [];
+ })
+ numWorkspaces)
 ++ [
 {
 name = "toggle-overview";
- value = [ ];
+ value = [];
 }
- ]
- );
+ ]);
 # remap it to switching to the workspaces
- "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (
- builtins.genList (i: {
+ "org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList
+ (i: {
 name = "switch-to-workspace-${toString (i + 1)}";
- value = [ "${toString (mapToNumber (i + 1))}" ];
- }) numWorkspaces
- );
+ value = [
+ "${toString (mapToNumber (i + 1))}"
+ ];
+ })
+ numWorkspaces);
 }
- // builtins.listToAttrs (
- builtins.genList (i: {
+ // builtins.listToAttrs (builtins.genList
+ (i: {
 name = "${customKeybindingBaseName}${toString i}";
 value = builtins.elemAt manualKeybindings i;
- }) (builtins.length manualKeybindings)
- )
- // builtins.listToAttrs (
- builtins.genList (i: {
+ })
+ (builtins.length manualKeybindings))
+ // builtins.listToAttrs (builtins.genList
+ (i: {
 name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}";
 value = {
 binding = "${toString (mapToNumber (i + 1))}";
 command = "wmctrl -r :ACTIVE: -t ${toString i}";
 name = "Send to workspace ${toString (i + 1)}";
 };
- }) numWorkspaces
- );
+ })
+ numWorkspaces);
 }
diff --git a/nix/home-manager/profiles/nix-channels.nix b/nix/home-manager/profiles/nix-channels.nix
index 226e624..68f21c7 100644
--- a/nix/home-manager/profiles/nix-channels.nix
+++ b/nix/home-manager/profiles/nix-channels.nix
@@ -1,24 +1,28 @@
-{ pkgs, config, ... }:
-let
-in
 {
+ pkgs,
+ config,
+ ...
+}: let
+in {
 home.file.".nix-channels".text = "";
- home.activation.removeExistingNixChannels = config.lib.dag.entryBefore [ "checkLinkTargets" ] ''
- $DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
- set -ex
- if test -f $HOME/.nix-channels; then
- echo Uninstalling available channels...
- if test -f $HOME/.nix-channel; then
- while read url channel; do
- nix-channel --remove $channel
- done < $HOME/.nix-channel
+ home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] ''
+ $DRY_RUN_CMD ${
+ pkgs.writeScript "activation-script" ''
+ set -ex
+ if test -f $HOME/.nix-channels; then
+ echo Uninstalling available channels...
+ if test -f $HOME/.nix-channel; then
+ while read url channel; do
+ nix-channel --remove $channel
+ done < $HOME/.nix-channel
+ fi
+ echo Moving existing file away...
+ touch $HOME/.nix-channels.dummy
+ mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
+ rm $HOME/.nix-channels
 fi
- echo Moving existing file away...
- touch $HOME/.nix-channels.dummy
- mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
- rm $HOME/.nix-channels
- fi
- ''};
+ ''
+ };
 '';
 }
diff --git a/nix/home-manager/profiles/qtile-desktop.nix b/nix/home-manager/profiles/qtile-desktop.nix
index 759aaa4..da12f62 100644
--- a/nix/home-manager/profiles/qtile-desktop.nix
+++ b/nix/home-manager/profiles/qtile-desktop.nix
@@ -1,15 +1,14 @@
-{ pkgs, config, ... }:
-let
- inherit (import ../lib.nix { }) mkSimpleTrayService;
+{
+ pkgs,
+ config,
+ ...
+}: let
+ inherit (import ../lib.nix {}) mkSimpleTrayService;
 audio = pkgs.writeShellScript "audio" ''
 export PATH=${
 with pkgs;
- lib.makeBinPath [
- pulseaudio
- findutils
- gnugrep
- ]
+ lib.makeBinPath [pulseaudio findutils gnugrep]
 }:$PATH
 export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute
@@ -34,7 +33,7 @@ let
 terminalCommand = "${pkgs.alacritty}/bin/alacritty";
 dpmsScript = pkgs.writeShellScript "dpmsScript" ''
- export PATH=${with pkgs; lib.makeBinPath [ xorg.xset ]}:$PATH
+ export PATH=${with pkgs; lib.makeBinPath [xorg.xset]}:$PATH
 set -xe
@@ -57,7 +56,7 @@ let
 '';
 screenLockCommand = pkgs.writeShellScript "screenLock" ''
- export PATH=${with pkgs; lib.makeBinPath [ i3lock ]}:$PATH
+ export PATH=${with pkgs; lib.makeBinPath [i3lock]}:$PATH
 revert() {
 ${dpmsScript} default
@@ -252,8 +251,7 @@ let
 def print_new_window(window):
 print("new window: ", window)
 '';
-in
-{
+in {
 services = {
 gnome-keyring.enable = true;
 blueman-applet.enable = true;
diff --git a/nix/home-manager/profiles/sway-desktop.nix b/nix/home-manager/profiles/sway-desktop.nix
index 0fefe08..8cfe85a 100644
--- a/nix/home-manager/profiles/sway-desktop.nix
+++ b/nix/home-manager/profiles/sway-desktop.nix
@@ -1,19 +1,19 @@
 /*
- TODO: create helper scripts for sharing of a screen portion
- ```
+TODO: create helper scripts for sharing of a screen portion
+```
- # this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged.
- swaymsg create_output
+# this will create a new output named HEADLESS-. increments by 1 with each invocation even if the output is `unplug`ged.
+swaymsg create_output
- # find the name and the workspace number
- swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)'
+# find the name and the workspace number
+swaymsg -t get_outputs | jq '.[] | select(.name | test("HEADLESS-.*")) | (.name, .current_workspace)'
- swaymsg output HEADLESS-1 mode 1920@108060Hz
+swaymsg output HEADLESS-1 mode 1920@108060Hz
- # mirror the headless workspace on the current one
- nix run nixpkgs\#wl-mirror -- HEADLESS-1
+# mirror the headless workspace on the current one
+nix run nixpkgs\#wl-mirror -- HEADLESS-1
- # shift windows to the workspace and switch the focus to it
+# shift windows to the workspace and switch the focus to it
 */
 {
 pkgs,
@@ -22,16 +22,14 @@
 # packages',
 repoFlakeInputs',
 ...
-}:
-let
- inherit (import ../lib.nix { }) mkSimpleTrayService;
+}: let
+ inherit (import ../lib.nix {}) mkSimpleTrayService;
 lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'";
 displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
 displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
 swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
-in
-{
+in {
 imports = [
 ../profiles/wayland-desktop.nix
 ../programs/waybar.nix
@@ -100,121 +98,112 @@ in
 systemd.enable = true;
 xwayland = false;
- config =
- let
- modifier = "Mod4";
- inherit (config.wayland.windowManager.sway.config)
- left
- right
- up
- down
- ;
- in
- {
- inherit modifier;
- bars = [ ];
+ config = let
+ modifier = "Mod4";
+ inherit (config.wayland.windowManager.sway.config) left right up down;
+ in {
+ inherit modifier;
+ bars = [];
- input = {
- "type:keyboard" =
- {
- xkb_layout = config.home.keyboard.layout;
- xkb_variant = config.home.keyboard.variant;
- }
- // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or [ ]) > 0) {
- xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
- };
-
- "type:touchpad" = {
- natural_scroll = "enabled";
+ input = {
+ "type:keyboard" =
+ {
+ xkb_layout = config.home.keyboard.layout;
+ xkb_variant = config.home.keyboard.variant;
+ }
+ // lib.attrsets.optionalAttrs (builtins.length (config.home.keyboard.options or []) > 0) {
+ xkb_options = builtins.concatStringsSep "," config.home.keyboard.options;
 };
- # alternatively run this command
- # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative"
- # and then switch to a different VT (alt+ctrl+f2) and back
- "1386:914:Wacom_Intuos_Pro_S_Pen" = {
- tool_mode = "* relative";
- };
+ "type:touchpad" = {
+ natural_scroll = "enabled";
 };
- keybindings = lib.mkOptionDefault {
- # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
- # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
- "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
-
- # only 1-9 exist on the default config
- "${modifier}+0" = "workspace number 0";
- "${modifier}+Shift+0" = "move container to workspace number 0";
-
- # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it
- "${modifier}+b" = "nop";
- "${modifier}+v" = "nop";
-
- # move workspace to output
- "${modifier}+Control+Shift+${left}" = "move workspace to output left";
- "${modifier}+Control+Shift+${right}" = "move workspace to output right";
- "${modifier}+Control+Shift+${up}" = "move workspace to output up";
- "${modifier}+Control+Shift+${down}" = "move workspace to output down";
- # move workspace to output with arrow keys
- "${modifier}+Control+Shift+Left" = "move workspace to output left";
- "${modifier}+Control+Shift+Right" = "move workspace to output right";
- "${modifier}+Control+Shift+Up" = "move workspace to output up";
- "${modifier}+Control+Shift+Down" = "move workspace to output down";
-
- # TODO: i've been hitting this one accidentally way too often. find a better place.
- # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
- "${modifier}+q" = "kill";
- "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
-
- "${modifier}+x" = "exec ${swapOutputWorkspaces}";
-
- "${modifier}+Ctrl+l" = "exec ${lockCmd}";
-
- "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
- "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
- "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
-
- "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
- "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
- "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
-
- "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
+ # alternatively run this command
+ # swaymsg input "1386:914:Wacom_Intuos_Pro_S_Pen" tool_mode "* relative"
+ # and then switch to a different VT (alt+ctrl+f2) and back
+ "1386:914:Wacom_Intuos_Pro_S_Pen" = {
+ tool_mode = "* relative";
 };
-
- terminal = "alacritty";
- startup =
- [
- {
- command = builtins.toString (
- pkgs.writeShellScript "ensure-graphical-session" ''
- (
- ${pkgs.coreutils}/bin/sleep 0.2
- ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
- ) &
- ''
- );
- }
- ]
- ++ lib.optionals config.services.swayidle.enable [
- {
- command = builtins.toString (
- pkgs.writeShellScript "ensure-graphical-session" ''
- (
- ${pkgs.coreutils}/bin/sleep 0.2
- ${pkgs.systemd}/bin/systemctl --user restart swayidle
- ) &
- ''
- );
- }
- ];
-
- colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; };
-
- window.titlebar = false;
- window.border = 4;
-
- # this maps to focus_on_window_activation
- focus.newWindow = "urgent";
 };
+
+ keybindings = lib.mkOptionDefault {
+ # as of 2023-05-21 the `!!` arg parsing mode was broken for me on yofi
+ # "${modifier}+d" = "exec ${packages'.yofi}/bin/yofi binapps";
+ "${modifier}+d" = "exec ${pkgs.fuzzel}/bin/fuzzel --show-actions";
+
+ # only 1-9 exist on the default config
+ "${modifier}+0" = "workspace number 0";
+ "${modifier}+Shift+0" = "move container to workspace number 0";
+
+ # disable splitting for now as i sometimes trigger it accidentally and then get stuck with it
+ "${modifier}+b" = "nop";
+ "${modifier}+v" = "nop";
+
+ # move workspace to output
+ "${modifier}+Control+Shift+${left}" = "move workspace to output left";
+ "${modifier}+Control+Shift+${right}" = "move workspace to output right";
+ "${modifier}+Control+Shift+${up}" = "move workspace to output up";
+ "${modifier}+Control+Shift+${down}" = "move workspace to output down";
+ # move workspace to output with arrow keys
+ "${modifier}+Control+Shift+Left" = "move workspace to output left";
+ "${modifier}+Control+Shift+Right" = "move workspace to output right";
+ "${modifier}+Control+Shift+Up" = "move workspace to output up";
+ "${modifier}+Control+Shift+Down" = "move workspace to output down";
+
+ # TODO: i've been hitting this one accidentally way too often. find a better place.
+ # "${modifier}+Shift+e" = "exec ${pkgs.sway}/bin/swaymsg exit";
+ "${modifier}+q" = "kill";
+ "${modifier}+Shift+q" = "exec ${pkgs.sway}/bin/swaymsg -t get_tree | ${pkgs.jq}/bin/jq 'recurse(.nodes[], .floating_nodes[]) | select(.focused).pid' | ${pkgs.findutils}/bin/xargs -L1 kill -9";
+
+ "${modifier}+x" = "exec ${swapOutputWorkspaces}";
+
+ "${modifier}+Ctrl+l" = "exec ${lockCmd}";
+
+ "--locked XF86AudioPlay" = "exec ${pkgs.playerctl}/bin/playerctl play-pause";
+ "XF86AudioPrev" = "exec ${pkgs.playerctl}/bin/playerctl previous";
+ "XF86AudioNext" = "exec ${pkgs.playerctl}/bin/playerctl next";
+
+ "XF86AudioRaiseVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume +5";
+ "XF86AudioLowerVolume" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --change-volume -5";
+ "--locked XF86AudioMute" = "exec ${pkgs.pulsemixer}/bin/pulsemixer --toggle-mute";
+
+ "Print" = "exec ${pkgs.shotman}/bin/shotman --capture region";
+ };
+
+ terminal = "alacritty";
+ startup =
+ [
+ {
+ command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
+ (
+ ${pkgs.coreutils}/bin/sleep 0.2
+ ${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
+ ) &
+ '');
+ }
+ ]
+ ++ lib.optionals config.services.swayidle.enable [
+ {
+ command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
+ (
+ ${pkgs.coreutils}/bin/sleep 0.2
+ ${pkgs.systemd}/bin/systemctl --user restart swayidle
+ ) &
+ '');
+ }
+ ];
+
+ colors.focused = lib.mkOptionDefault {
+ childBorder = lib.mkForce "#ffa500";
+ };
+
+ window.titlebar = false;
+ window.border = 4;
+
+ # this maps to focus_on_window_activation
+ focus.newWindow = "urgent";
+ };
 };
 services.swayidle = {
diff --git a/nix/home-manager/profiles/wayland-desktop.nix b/nix/home-manager/profiles/wayland-desktop.nix
index 9117de7..73fc23a 100644
--- a/nix/home-manager/profiles/wayland-desktop.nix
+++ b/nix/home-manager/profiles/wayland-desktop.nix
@@ -5,14 +5,12 @@
 repoFlake,
 nodeFlake,
 ...
-}:
-let
- inherit (import ../lib.nix { }) mkSimpleTrayService;
+}: let
+ inherit (import ../lib.nix {}) mkSimpleTrayService;
 nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
 wayprompt = nixpkgs-wayland'.wayprompt;
-in
-{
+in {
 fonts.fontconfig.enable = true;
 # services.gpg-agent.pinentryFlavor = lib.mkForce null;
@@ -28,12 +26,11 @@ in
 systemd.user.targets.tray = {
 Unit = {
 Description = "Home Manager System Tray";
- Requires = [ "graphical-session-pre.target" ];
+ Requires = ["graphical-session-pre.target"];
 };
 };
- home.packages =
- with pkgs;
+ home.packages = with pkgs;
 [
 # required by network-manager-applet
 networkmanagerapplet
@@ -65,9 +62,11 @@ in
 waypipe
 ]
- ++ (lib.lists.optionals (!pkgs.stdenv.isAarch64)
+ ++ (
+ lib.lists.optionals (!pkgs.stdenv.isAarch64)
 # TODO: broken on aarch64
- [ ]
+ [
+ ]
 );
 home.sessionVariables = {
diff --git a/nix/home-manager/programs/chromium.nix b/nix/home-manager/programs/chromium.nix
index 8d12110..712eb42 100644
--- a/nix/home-manager/programs/chromium.nix
+++ b/nix/home-manager/programs/chromium.nix
@@ -3,15 +3,14 @@
 lib,
 pkgs,
 ...
-}:
-let
+}: let
 extensions = [
 #undetectable adblocker
- { id = "gcfcpohokifjldeandkfjoboemihipmb"; }
+ {id = "gcfcpohokifjldeandkfjoboemihipmb";}
 # ublock origin
- { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; }
+ {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";}
 # # YT ad block
 # {id = "cmedhionkhpnakcndndgjdbohmhepckk";}
@@ -20,15 +19,15 @@ let
 # {id = "cfhdojbkjhnklbpkdaibdccddilifddb";}
 # Cookie Notice Blocker
- { id = "odhmfmnoejhihkmfebnolljiibpnednn"; }
+ {id = "odhmfmnoejhihkmfebnolljiibpnednn";}
 # i don't care about cookies
- { id = "fihnjjcciajhdojfnbdddfaoknhalnja"; }
+ {id = "fihnjjcciajhdojfnbdddfaoknhalnja";}
 # NopeCHA
- { id = "dknlfmjaanfblgfdfebhijalfmhmjjjo"; }
+ {id = "dknlfmjaanfblgfdfebhijalfmhmjjjo";}
 # h264ify
- { id = "aleakchihdccplidncghkekgioiakgal"; }
+ {id = "aleakchihdccplidncghkekgioiakgal";}
 # clippy
 # {id = "honbeilkanbghjimjoniipnnehlmhggk"}
@@ -39,32 +38,31 @@ let
 }
 # cookie autodelete
- { id = "fhcgjolkccmbidfldomjliifgaodjagh"; }
+ {id = "fhcgjolkccmbidfldomjliifgaodjagh";}
 # unhook
- { id = "khncfooichmfjbepaaaebmommgaepoid"; }
+ {id = "khncfooichmfjbepaaaebmommgaepoid";}
 ]
 ++ (lib.lists.optionals ((builtins.match "^steveej.*" name) != null) [
 # polkadotjs
- { id = "mopnmbcafieddcagagdcbnhejhlodfdd"; }
+ {id = "mopnmbcafieddcagagdcbnhejhlodfdd";}
 # rabby wallet
- { id = "acmacodkjbdgmoleebolmdjonilkdbch"; }
+ {id = "acmacodkjbdgmoleebolmdjonilkdbch";}
 # phantom wallet
- { id = "bfnaelmomeimhlpmgjnjophhpkkoljpa"; }
+ {id = "bfnaelmomeimhlpmgjnjophhpkkoljpa";}
 # Vimium C
- { id = "hfjbmagddngcpeloejdejnfgbamkjaeg"; }
+ {id = "hfjbmagddngcpeloejdejnfgbamkjaeg";}
 # always right
- { id = "npjpaghfnndnnmjiliibnkmdfgbojokj"; }
+ {id = "npjpaghfnndnnmjiliibnkmdfgbojokj";}
 # shazam music
- { id = "mmioliijnhnoblpgimnlajmefafdfilb"; }
+ {id = "mmioliijnhnoblpgimnlajmefafdfilb";}
 ]);
-in
-{
+in {
 programs.chromium = {
 enable = true;
 inherit extensions;
@@ -74,7 +72,9 @@ in
 programs.brave = {
 # TODO: enable this on aarch64-linux
- enable = true && !pkgs.stdenv.targetPlatform.isAarch64;
+ enable =
+ true
+ && !pkgs.stdenv.targetPlatform.isAarch64;
 inherit extensions;
 };
 }
diff --git a/nix/home-manager/programs/espanso.nix b/nix/home-manager/programs/espanso.nix
index 38522b4..86d6371 100644
--- a/nix/home-manager/programs/espanso.nix
+++ b/nix/home-manager/programs/espanso.nix
@@ -1,5 +1,8 @@
-{ pkgs, repoFlake, ... }:
 {
+ pkgs,
+ repoFlake,
+ ...
+}: {
 services.espanso = {
 package = pkgs.espanso-wayland;
 # package = pkgs.espanso-wayland.overrideAttrs (_: {
@@ -21,62 +24,64 @@
 # backend = "Clipboard";
 };
 };
- matches =
- let
- playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
- in
- {
- default = {
- matches = [
- {
- trigger = ":vpos";
- replace = "{{output}}";
- vars = [
- {
- name = "output";
- type = "script";
- params = {
- args = [
- (pkgs.writeScript "espanso" ''
- #! ${pkgs.python3}/bin/python
- import subprocess, os, math, datetime
+ matches = let
+ playerctl = ''
+ ${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
+ in {
+ default = {
+ matches = [
+ {
+ trigger = ":vpos";
+ replace = "{{output}}";
+ vars = [
+ {
+ name = "output";
+ type = "script";
+ params = {
+ args = [
+ (pkgs.writeScript "espanso" ''
+ #! ${pkgs.python3}/bin/python
+ import subprocess, os, math, datetime
- id=str(os.getuid())
- result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True)
- result.check_returncode()
+ id=str(os.getuid())
+ result=subprocess.run(args=["${pkgs.playerctl}/bin/playerctl", "position"], env={"DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/"+id+"/bus"},capture_output=True)
+ result.check_returncode()
- position_secs = math.trunc(float(result.stdout))
- position_human = datetime.timedelta(seconds=position_secs)
- print("%s - %s" % (position_human, position_secs))
- '')
- ];
- };
- }
- ];
- }
- {
- trigger = ":vtit";
- replace = "{{output}}";
- vars = [
- {
- name = "output";
- type = "script";
- params = {
- args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ];
- };
- }
- ];
- }
- {
- trigger = ":dunno";
- replace = "¯\\_(ツ)_/¯";
- }
- {
- trigger = ":shrug";
- replace = "¯\\_(ツ)_/¯";
- }
- ];
- };
+ position_secs = math.trunc(float(result.stdout))
+ position_human = datetime.timedelta(seconds=position_secs)
+ print("%s - %s" % (position_human, position_secs))
+ '')
+ ];
+ };
+ }
+ ];
+ }
+ {
+ trigger = ":vtit";
+ replace = "{{output}}";
+ vars = [
+ {
+ name = "output";
+ type = "script";
+ params = {
+ args = [
+ (pkgs.writeShellScript "espanso"
+ "${playerctl} metadata title")
+ ];
+ };
+ }
+ ];
+ }
+ {
+ trigger = ":dunno";
+ replace = "¯\\_(ツ)_/¯";
+ }
+ {
+ trigger = ":shrug";
+ replace = "¯\\_(ツ)_/¯";
+ }
+ ];
 };
+ };
 };
 }
diff --git a/nix/home-manager/programs/firefox.nix b/nix/home-manager/programs/firefox.nix
index d07f3aa..993cbc4 100644
--- a/nix/home-manager/programs/firefox.nix
+++ b/nix/home-manager/programs/firefox.nix
@@ -1,8 +1,5 @@
-{ pkgs, ... }:
-{
- programs.librewolf = {
- enable = false;
- };
+{pkgs, ...}: {
+ programs.librewolf = {enable = false;};
 programs.firefox = {
 enable = true;
 package = pkgs.firefox-esr-128;
diff --git a/nix/home-manager/programs/gpg-agent.nix b/nix/home-manager/programs/gpg-agent.nix
index ac35d80..069c7ca 100644
--- a/nix/home-manager/programs/gpg-agent.nix
+++ b/nix/home-manager/programs/gpg-agent.nix
@@ -3,9 +3,10 @@
 pkgs,
 config,
 ...
-}:
-{
- home.packages = [ pkgs.gcr ];
+}: {
+ home.packages = [
+ pkgs.gcr
+ ];
 programs.gpg.enable = true;
 services.gpg-agent = {
diff --git a/nix/home-manager/programs/homeshick.nix b/nix/home-manager/programs/homeshick.nix
index c12cf00..cbd4964 100644
--- a/nix/home-manager/programs/homeshick.nix
+++ b/nix/home-manager/programs/homeshick.nix
@@ -1,28 +1,32 @@
-{ pkgs, config, ... }:
-let
-in
-# TODO: clean up the impurity in here
 {
+ pkgs,
+ config,
+ ...
+}: let
+ # TODO: clean up the impurity in here
+in {
 home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}";
- home.activation.bootstrapRepos = config.lib.dag.entryAfter [ "writeBoundary" ] ''
- $DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
- set -e
- echo home-manager path is ${config.home.path}
- echo home is $HOME
+ home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] ''
+ $DRY_RUN_CMD ${
+ pkgs.writeScript "activation-script" ''
+ set -e
+ echo home-manager path is ${config.home.path}
+ echo home is $HOME
- source ${pkgs.homeshick}/homeshick.sh
- type homeshick
+ source ${pkgs.homeshick}/homeshick.sh
+ type homeshick
- # echo Updating homeshick
- # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
- # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
- ''};
+ # echo Updating homeshick
+ # ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
+ # mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
+ ''
+ };
 '';
 nixpkgs.config = {
- packageOverrides =
- pkgs: with pkgs; {
+ packageOverrides = pkgs:
+ with pkgs; {
 homeshick = builtins.fetchGit {
 url = "https://github.com/andsens/homeshick.git";
 ref = "master";
diff --git a/nix/home-manager/programs/libreoffice.nix b/nix/home-manager/programs/libreoffice.nix
index 1e846d4..17d0a24 100644
--- a/nix/home-manager/programs/libreoffice.nix
+++ b/nix/home-manager/programs/libreoffice.nix
@@ -1,4 +1,3 @@
-{ pkgs, ... }:
-{
- home.packages = [ pkgs.libreoffice ];
+{pkgs, ...}: {
+ home.packages = [pkgs.libreoffice];
 }
diff --git a/nix/home-manager/programs/neovim.nix b/nix/home-manager/programs/neovim.nix
index f8a3655..be7e02b 100644
--- a/nix/home-manager/programs/neovim.nix
+++ b/nix/home-manager/programs/neovim.nix
@@ -3,9 +3,10 @@
 pkgs,
 lib,
 ...
-}:
-{
- imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ];
+}: {
+ imports = [
+ repoFlake.inputs.nixvim.homeManagerModules.nixvim
+ ];
 programs.nixvim = {
 enable = true;
@@ -13,7 +14,7 @@
 vimdiffAlias = true;
 vimAlias = true;
- extraPython3Packages = ps: with ps; [ ];
+ extraPython3Packages = ps: with ps; [];
 # extraConfigVim = builtins.readFile ./neovim/vimrc;
diff --git a/nix/home-manager/programs/obs-studio.nix b/nix/home-manager/programs/obs-studio.nix
index d99747d..b053e24 100644
--- a/nix/home-manager/programs/obs-studio.nix
+++ b/nix/home-manager/programs/obs-studio.nix
@@ -1,25 +1,21 @@
-{ pkgs, lib, ... }:
 {
+ pkgs,
+ lib,
+ ...
+}: {
 programs.obs-studio = {
 enable = true;
 plugins =
- builtins.map
- (
- plugin:
- (plugin.overrideAttrs (attrs: {
- meta = lib.mkMerge [
- { inherit (attrs) meta; }
- { meta.platforms = [ pkgs.stdenv.system ]; }
- ];
- }))
- )
- (
- with pkgs.obs-studio-plugins;
- [
- # wlrobs
- obs-backgroundremoval
- obs-pipewire-audio-capture
- ]
- );
+ builtins.map (plugin: (plugin.overrideAttrs (attrs: {
+ meta = lib.mkMerge [
+ {inherit (attrs) meta;}
+ {meta.platforms = [pkgs.stdenv.system];}
+ ];
+ })))
+ (with pkgs.obs-studio-plugins; [
+ # wlrobs
+ obs-backgroundremoval
+ obs-pipewire-audio-capture
+ ]);
 };
 }
diff --git a/nix/home-manager/programs/openvscode-server.nix b/nix/home-manager/programs/openvscode-server.nix
index 8341600..6e74406 100644
--- a/nix/home-manager/programs/openvscode-server.nix
+++ b/nix/home-manager/programs/openvscode-server.nix
@@ -3,12 +3,10 @@
 nodeFlake,
 repoFlake,
 ...
-}:
-let
- pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; };
- pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; };
-in
-{
+}: let
+ pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;};
+ pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};
+in {
 home.packages = [
 pkgs.nil
 pkgs.nixd
@@ -22,22 +20,20 @@ in
 # 3. link the binary. this relies on the client-side setting `"remote.SSH.experimental.serverBinaryName": "openvscode-server"` : ln -s $(which openvscode-server) /home/steveej/.vscodium-server/bin/c8ce3ba4bc6b30b3b10edc61481cb85b1d2396bc/bin/
 /*
- e.g.:
- ```
- (
- set -e
- export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
- ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
- )
- ```
+ e.g.:
+ ```
+ (
+ set -e
+ export COMMIT=$(codium --version | rg '^[0-9a-f]{40}$')
+ ssh bm-hostkey0 "pkill -9 openvscode; rm -rf /home/steveej/.vscodium-server/bin/$COMMIT; mkdir -p /home/steveej/.vscodium-server/bin/$COMMIT/bin/; ln -s \$(which openvscode-server) /home/steveej/.vscodium-server/bin/$COMMIT/bin/"
+ )
+ ```
 */
 (pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
 src = repoFlake.inputs.openvscode-server;
 version = "1.94.2";
- yarnCache = attrs.yarnCache.overrideAttrs (_: {
- outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";
- });
+ yarnCache = attrs.yarnCache.overrideAttrs (_: {outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";});
 }))
 pkgs.waypipe
diff --git a/nix/home-manager/programs/pass.nix b/nix/home-manager/programs/pass.nix
index 056d08d..2d533c9 100644
--- a/nix/home-manager/programs/pass.nix
+++ b/nix/home-manager/programs/pass.nix
@@ -1,5 +1,8 @@
-{ repoFlake, pkgs, ... }:
 {
+ repoFlake,
+ pkgs,
+ ...
+}: {
 # required by pass-otp
 # home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
 # home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true";
diff --git a/nix/home-manager/programs/radicale.nix b/nix/home-manager/programs/radicale.nix
index be31268..207b9e6 100644
--- a/nix/home-manager/programs/radicale.nix
+++ b/nix/home-manager/programs/radicale.nix
@@ -4,8 +4,7 @@
 pkgs,
 osConfig,
 ...
-}:
-let
+}: let
 libdecsync = pkgs.python3Packages.buildPythonPackage rec {
 pname = "libdecsync";
 version = "2.2.1";
@@ -39,51 +38,50 @@ let # pkgs.libxcrypt ]; - propagatedBuildInputs = [ - libdecsync - pkgs.python3Packages.setuptools - ]; + propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools]; }; radicale-decsync = pkgs.radicale.overrideAttrs (old: { - propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ]; + propagatedBuildInputs = + old.propagatedBuildInputs + ++ [radicale-storage-decsync]; }); - mkRadicaleService = - { suffix, port }: - let - radicale-config = pkgs.writeText "radicale-config-${suffix}" '' - [server] - hosts = localhost:${builtins.toString port} + mkRadicaleService = { + suffix, + port, + }: let + radicale-config = pkgs.writeText "radicale-config-${suffix}" '' + [server] + hosts = localhost:${builtins.toString port} - [auth] - type = htpasswd - htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} - htpasswd_encryption = bcrypt + [auth] + type = htpasswd + htpasswd_filename = ${osConfig.sops.secrets.radicale_htpasswd.path} + htpasswd_encryption = bcrypt - [storage] - type = radicale_storage_decsync - filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} - decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} - ''; - in - { - systemd.user.services."radicale-${suffix}" = { - Unit.Description = "Radicale with DecSync (${suffix})"; - Service = { - ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; - Restart = "on-failure"; - }; - Install.WantedBy = [ "default.target" ]; + [storage] + type = radicale_storage_decsync + filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix} + decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix} + ''; + in { + systemd.user.services."radicale-${suffix}" = { + Unit.Description = "Radicale with DecSync (${suffix})"; + Service = { + ExecStart = "${radicale-decsync}/bin/radicale -C ${radicale-config}"; + Restart = "on-failure"; }; + Install.WantedBy = ["default.target"]; }; + }; in -builtins.foldl' (sum: cur: 
lib.recursiveUpdate sum (mkRadicaleService cur)) { } [ - { - suffix = "personal"; - port = 5232; - } - { - suffix = "family"; - port = 5233; - } -] + builtins.foldl' (sum: cur: lib.recursiveUpdate sum (mkRadicaleService cur)) {} [ + { + suffix = "personal"; + port = 5232; + } + { + suffix = "family"; + port = 5233; + } + ] diff --git a/nix/home-manager/programs/redshift.nix b/nix/home-manager/programs/redshift.nix index 474b650..6fb73d0 100644 --- a/nix/home-manager/programs/redshift.nix +++ b/nix/home-manager/programs/redshift.nix @@ -1,8 +1,10 @@ -{ pkgs, config, ... }: -let - passwords = import ../../variables/passwords.crypt.nix; -in { + pkgs, + config, + ... +}: let + passwords = import ../../variables/passwords.crypt.nix; +in { services.gammastep = { enable = true; provider = "manual"; diff --git a/nix/home-manager/programs/salut.nix b/nix/home-manager/programs/salut.nix index c23032e..6a2894d 100644 --- a/nix/home-manager/programs/salut.nix +++ b/nix/home-manager/programs/salut.nix @@ -8,10 +8,11 @@ # useful testing command: # for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done let - inherit (import ../lib.nix { }) mkSimpleTrayService; -in -{ - home.packages = [ packages'.salut ]; + inherit (import ../lib.nix {}) mkSimpleTrayService; +in { + home.packages = [ + packages'.salut + ]; xdg.configFile."salut/config.ini" = { enable = true; @@ -33,5 +34,7 @@ in onChange = "${pkgs.systemd}/bin/systemctl --user restart salut"; }; - systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; }; + systemd.user.services.salut = mkSimpleTrayService { + execStart = "${packages'.salut}/bin/salut"; + }; } diff --git a/nix/home-manager/programs/vscode/default.nix b/nix/home-manager/programs/vscode/default.nix index 5380200..2746fcb 100644 --- a/nix/home-manager/programs/vscode/default.nix +++ b/nix/home-manager/programs/vscode/default.nix 
@@ -3,11 +3,9 @@ nodeFlake, repoFlake, ... -}: -let - pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium { inherit (pkgs) system config; }; -in -{ +}: let + pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;}; +in { programs.vscode = { enable = true; package = pkgsVscodium.vscodium; @@ -20,16 +18,16 @@ in # sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2"; # }) ] - ++ ( - with pkgsVscodium.vscode-extensions; + ++ (with pkgsVscodium.vscode-extensions; [ eamodio.gitlens mkhl.direnv tomoki1207.pdf vscodevim.vim - # bbenoist.nix + bbenoist.nix jnoortheen.nix-ide + # kamadorueda.alejandra ms-vscode.theme-tomorrowkit nonylene.dark-molokai-theme 
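Review bot: `bbenoist.nix` is re-enabled directly above `jnoortheen.nix-ide` with no note on why both are wanted; as far as I know both extensions register the `nix` language contribution, so one may shadow the other's grammar or interfere with nix-ide's LSP/formatter wiring, and the previous commenting-out suggests this had been a deliberate choice. A one-line reason would save the next reader from rediscovering it, e.g. `bbenoist.nix # syntax/snippets only; LSP and formatting come from nix-ide`. The new `# kamadorueda.alejandra` line likewise reads as a placeholder — state whether it is intentionally disabled because formatting is handled elsewhere. The extension list continues past the end of this hunk.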
@@ -46,41 +44,38 @@ in # TODO: not compatible with vscodium # ms-vscode-remote.remote-ssh ] - ++ ( - let - extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; - in - ( - with extensions.vscode-marketplace; - with extensions.vscode-marketplace-release; - [ - tamasfe.even-better-toml + ++ (let + extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system}; + in ( + with extensions.vscode-marketplace; + with extensions.vscode-marketplace-release; [ + tamasfe.even-better-toml - serayuzgur.crates - rust-lang.rust-analyzer - swellaby.vscode-rust-test-adapter + serayuzgur.crates + rust-lang.rust-analyzer + swellaby.vscode-rust-test-adapter - golang.go - jeff-hykin.better-go-syntax + golang.go + jeff-hykin.better-go-syntax - ibecker.treefmt-vscode - ] - ) - ) - ) + ibecker.treefmt-vscode + ] + ))) ++ [ - (pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace { - name = "markdown-oxide"; - publisher = "felixzeller"; - version = "1.1.0"; - sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3"; - }) + (pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace + { + name = "markdown-oxide"; + publisher = "felixzeller"; + version = "1.1.0"; + sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3"; + }) ]; mutableExtensionsDir = true; }; home.packages = [ pkgs.nixpkgs-fmt + pkgs.alejandra pkgs.nil ]; } @@ -158,3 +153,4 @@ in # xyz.plsql-language # yzane.markdown-pdf # zxh404.vscode-proto3 + diff --git a/nix/home-manager/programs/vscode/nix4vscode/default.nix b/nix/home-manager/programs/vscode/nix4vscode/default.nix deleted file mode 100644 index 14bacca..0000000 --- a/nix/home-manager/programs/vscode/nix4vscode/default.nix +++ /dev/null 
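Review bot: In the new `with extensions.vscode-marketplace; with extensions.vscode-marketplace-release; [ … ]` block it is not visible which of the two sets each extension comes from; under Nix's `with` scoping the inner `with` (`vscode-marketplace-release`) should win for any name present in both, while a name only in `vscode-marketplace` falls through to that set, which I believe can carry pre-release versions — worth a comment such as `# inner with wins: release channel preferred, vscode-marketplace as fallback`, or resolving each entry explicitly (`extensions.vscode-marketplace-release.rust-lang.rust-analyzer`) so the provenance of a binary extension is fixed. With `ibecker.treefmt-vscode` now sourced this way, the per-arch `sha256` pins the deleted `nix4vscode/default.nix` carried are replaced by whatever the `nix-vscode-extensions` input pins, so the lock revision of that input is now the only thing fixing those archives. `pkgs.nixpkgs-fmt` is kept next to the newly added `pkgs.alejandra`; if alejandra is the formatter now, drop the other or note why both stay. `mutableExtensionsDir = true` (unchanged context) lets VSCodium update these extensions outside Nix, which undercuts the pinning — consider `false` if reproducibility is the goal.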
@@ -1,72 +0,0 @@ -{ pkgs, lib }: -let - inherit (pkgs.stdenv) - isDarwin - isLinux - isi686 - isx86_64 - isAarch32 - isAarch64 - ; - vscode-utils = pkgs.vscode-utils; - merge = lib.attrsets.recursiveUpdate; -in -merge - (merge - (merge - (merge - { - "felixzeller"."markdown-oxide" = vscode-utils.extensionFromVscodeMarketplace { - name = "markdown-oxide"; - publisher = "felixzeller"; - version = "1.1.0"; - sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3"; - }; - } - ( - lib.attrsets.optionalAttrs (isLinux && (isi686 || isx86_64)) { - "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { - name = "treefmt-vscode"; - publisher = "ibecker"; - version = "2.1.0"; - sha256 = "1r17wjpw8xiha5r9h3146facxghpcp416zf8551sw93cmam9ky6j"; - arch = "linux-x64"; - }; - } - ) - ) - ( - lib.attrsets.optionalAttrs (isLinux && (isAarch32 || isAarch64)) { - "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { - name = "treefmt-vscode"; - publisher = "ibecker"; - version = "2.1.0"; - sha256 = "0swvl7fkjcwp43grnrhnmy60a5m3hfwawk204byi8hhbczy131li"; - arch = "linux-arm64"; - }; - } - ) - ) - ( - lib.attrsets.optionalAttrs (isDarwin && (isi686 || isx86_64)) { - "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { - name = "treefmt-vscode"; - publisher = "ibecker"; - version = "2.1.0"; - sha256 = "1swq9hy6a9nzkrn07j21g59pyk2m7aqsfi1pphl9l9y8p4zwiaqm"; - arch = "darwin-x64"; - }; - } - ) - ) - ( - lib.attrsets.optionalAttrs (isDarwin && (isAarch32 || isAarch64)) { - "ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace { - name = "treefmt-vscode"; - publisher = "ibecker"; - version = "2.1.0"; - sha256 = "1xg3wnn3f1kvsz5a09l0cjpzfm3l9va73cahbvl14mx3n6734r2m"; - arch = "darwin-arm64"; - }; - } - ) diff --git a/nix/home-manager/programs/waybar.nix b/nix/home-manager/programs/waybar.nix index 0d90e23..b6137e1 100644 --- a/nix/home-manager/programs/waybar.nix +++ b/nix/home-manager/programs/waybar.nix 
@@ -3,8 +3,7 @@ config, repoFlake, ... -}: -{ +}: { home.packages = [ # required by any bar that has a tray plugin pkgs.libappindicator-gtk3 @@ -13,9 +12,10 @@ programs.waybar = { enable = true; - package = - repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; - style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css; + package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar; + style = + pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + + pkgs.lib.readFile ./waybar.css; systemd.enable = true; settings = { mainBar = { @@ -24,7 +24,12 @@ height = 30; output = # hide the bar on HEADDLESS displays as i use them only for screensharing - (builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ]; + ( + builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99 + ) + ++ [ + "*" + ]; # output = [ # "eDP-1" # "DP-*" diff --git a/nix/home-manager/programs/zsh.nix b/nix/home-manager/programs/zsh.nix index 333d3d7..40e603d 100644 --- a/nix/home-manager/programs/zsh.nix +++ b/nix/home-manager/programs/zsh.nix @@ -3,29 +3,27 @@ lib, pkgs, ... -}: -let - just-plugin = - let - plugin_file = pkgs.writeText "_just" '' - #compdef just - #autload +}: let + just-plugin = let + plugin_file = pkgs.writeText "_just" '' + #compdef just + #autload - alias justl="\just --list" - alias juste="\just --evaluate" + alias justl="\just --list" + alias juste="\just --evaluate" - local subcmds=() + local subcmds=() - while read -r line ; do - if [[ ! $line == Available* ]] ; - then - subcmds+=(''${line/[[:space:]]*\#/:}) - fi - done < <(just --list) + while read -r line ; do + if [[ ! $line == Available* ]] ; + then + subcmds+=(''${line/[[:space:]]*\#/:}) + fi + done < <(just --list) - _describe 'command' subcmds - ''; - in + _describe 'command' subcmds + ''; + in pkgs.stdenv.mkDerivation { name = "just-completions"; version = "0.1.0"; 
@@ -37,8 +35,7 @@ let chmod --recursive a-w $out ''; }; -in -{ +in { programs.zsh = { enable = true; 
@@ -49,59 +46,56 @@ in # will be called again by oh-my-zsh enableCompletion = false; enableAutosuggestions = true; - initExtra = - let - inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; - in - '' - if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then - unset TMPDIR - fi + initExtra = let + inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")''; + in '' + if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then + unset TMPDIR + fi - if test ! -n "$TMP" -a -z "$TMP"; then - unset TMP - fi + if test ! -n "$TMP" -a -z "$TMP"; then + unset TMP + fi - PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' - RPROMPT="" + PROMPT='%F{%(!.red.green)}%n%f@%m %(?.%F{green}✓%f.%F{red}✗ ($?%))%f %F{blue}%~%f${inNixShell}%F{magenta}$(git_prompt_info)%f$prompt_newline%_%F{%(!.red.green)}$(prompt_char)%f ' + RPROMPT="" - # Automatic rehash - zstyle ':completion:*' rehash true + # Automatic rehash + zstyle ':completion:*' rehash true - if [ -f $HOME/.shrc.d/sh_aliases ]; then - . $HOME/.shrc.d/sh_aliases - fi + if [ -f $HOME/.shrc.d/sh_aliases ]; then + . $HOME/.shrc.d/sh_aliases + fi - ${ - if builtins.hasAttr "homeshick" pkgs then - '' - source ${pkgs.homeshick}/homeshick.sh - fpath=(${pkgs.homeshick}/completions $fpath) - '' - else - "" - } + ${ + if builtins.hasAttr "homeshick" pkgs + then '' + source ${pkgs.homeshick}/homeshick.sh + fpath=(${pkgs.homeshick}/completions $fpath) + '' + else "" + } - # Disable intercepting of ctrl-s and ctrl-q as flow control. - stty stop ''' -ixoff -ixon + # Disable intercepting of ctrl-s and ctrl-q as flow control. 
+ stty stop ''' -ixoff -ixon - # don't cd into directories when executed - unsetopt AUTO_CD + # don't cd into directories when executed + unsetopt AUTO_CD - # print lines without termination - setopt PROMPT_CR - setopt PROMPT_SP - export PROMPT_EOL_MARK="" + # print lines without termination + setopt PROMPT_CR + setopt PROMPT_SP + export PROMPT_EOL_MARK="" - ${lib.optionalString config.services.gpg-agent.enable '' - export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" - ''} + ${lib.optionalString config.services.gpg-agent.enable '' + export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/gnupg/S.gpg-agent.ssh" + ''} - ${lib.optionalString config.programs.neovim.enable '' - export EDITOR="nvim" - ''} - ''; + ${lib.optionalString config.programs.neovim.enable '' + export EDITOR="nvim" + ''} + ''; plugins = [ { @@ -134,10 +128,7 @@ in oh-my-zsh = { enable = true; theme = "tjkirch"; - plugins = [ - "git" - "sudo" - ]; + plugins = ["git" "sudo"]; }; }; } diff --git a/nix/modules/flake-parts/colmena.nix b/nix/modules/flake-parts/colmena.nix index 136a5a1..ee885cf 100644 --- a/nix/modules/flake-parts/colmena.nix +++ b/nix/modules/flake-parts/colmena.nix @@ -1,8 +1,7 @@ -{ lib, ... }: -{ +{lib, ...}: { options.flake.colmena = lib.mkOption { # type = lib.types.attrsOf lib.types.unspecified; type = lib.types.raw; - default = { }; + default = {}; }; } diff --git a/nix/modules/flake-parts/perSystem/default.nix b/nix/modules/flake-parts/perSystem/default.nix index c3ad3e0..a752173 100644 --- a/nix/modules/flake-parts/perSystem/default.nix +++ b/nix/modules/flake-parts/perSystem/default.nix 
@@ -5,40 +5,34 @@ lib, pkgs, ... -}: -{ +}: { packages = { - myPython = pkgs.python310.withPackages ( - ps: + myPython = pkgs.python310.withPackages (ps: with ps; - [ - pep8 - yapf - flake8 - # autopep8 (broken) - # pylint (broken) - ipython - llfuse - dugong - defusedxml - wheel - pip - virtualenv - cffi - # pyopenssl - urllib3 - # mistune (insecure) - sympy + [ + pep8 + yapf + flake8 + # autopep8 (broken) + # pylint (broken) + ipython + llfuse + dugong + defusedxml + wheel + pip + virtualenv + cffi + # pyopenssl + urllib3 + # mistune (insecure) + sympy - flask + flask - pyaml - requests - ] - ++ [ - pkgs.pypi2nix - pkgs.libffi - ] - ); + pyaml + requests + ] + ++ [pkgs.pypi2nix pkgs.libffi]); }; } diff --git a/nix/os/cachix.nix b/nix/os/cachix.nix index d5742c0..d888840 100644 --- a/nix/os/cachix.nix +++ b/nix/os/cachix.nix @@ -1,12 +1,14 @@ # WARN: this file will get overwritten by $ cachix use -{ pkgs, lib, ... }: -let +{ + pkgs, + lib, + ... +}: let folder = ./cachix; toImport = name: value: folder + ("/" + name); filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key; imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder)); -in -{ +in { inherit imports; - nix.settings.substituters = [ "https://cache.nixos.org/" ]; + nix.settings.substituters = ["https://cache.nixos.org/"]; } diff --git a/nix/os/cachix/nixpkgs-wayland.nix b/nix/os/cachix/nixpkgs-wayland.nix index 1c0cca7..499e6e0 100644 --- a/nix/os/cachix/nixpkgs-wayland.nix +++ b/nix/os/cachix/nixpkgs-wayland.nix @@ -1,6 +1,8 @@ { nix = { - settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ]; + settings.substituters = [ + "https://nixpkgs-wayland.cachix.org" + ]; settings.trusted-public-keys = [ "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" ]; diff --git a/nix/os/containers/backup.nix b/nix/os/containers/backup.nix index 2c2c171..864aa20 100644 --- a/nix/os/containers/backup.nix 
+++ b/nix/os/containers/backup.nix 
@@ -5,107 +5,88 @@ subvolumes, targetPathSuffix ? "", autoStart ? false, -}: -let +}: let passwords = import ../../variables/passwords.crypt.nix; subvolumeParentDir = "/var/lib/container-volumes"; -in -{ - config = - { pkgs, ... }: - { - system.stateVersion = "20.03"; # Did you read the comment? +in { + config = {pkgs, ...}: { + system.stateVersion = "20.03"; # Did you read the comment? - imports = [ ../profiles/containers/configuration.nix ]; + imports = [../profiles/containers/configuration.nix]; - environment.systemPackages = with pkgs; [ - btrfs-progs - btrbk - ]; + environment.systemPackages = with pkgs; [btrfs-progs btrbk]; - networking.firewall.enable = true; + networking.firewall.enable = true; - systemd.services."bkp-sync" = { - enable = true; - description = "bkp-sync service"; + systemd.services."bkp-sync" = { + enable = true; + description = "bkp-sync service"; - serviceConfig = { - Type = "oneshot"; - }; + serviceConfig = {Type = "oneshot";}; - after = [ "bkp-run.service" ]; + after = ["bkp-run.service"]; - requires = [ "bkp-run.service" ]; + requires = ["bkp-run.service"]; - path = with pkgs; [ utillinux ]; - script = '' - set -x - true + path = with pkgs; [utillinux]; + script = '' + set -x + true + ''; + }; + + systemd.services."bkp-run" = { + enable = true; + description = "bkp-run"; + + serviceConfig = {Type = "oneshot";}; + + partOf = ["bkp-sync.service"]; + + path = with pkgs; [btrfs-progs btrbk coreutils]; + + script = let + btrbkConf = pkgs.writeText "cfg" '' + timestamp_format long + ssh_identity ${passwords.storage.backupTarget.keyPath} + ssh_user ${passwords.storage.backupTarget.user} + ssh_compression no + backend_remote btrfs-progs-sudo + compat_remote busybox + btrfs_commit_delete each + snapshot_create onchange + snapshot_preserve_min latest + snapshot_preserve 7d 4w + target_preserve_min latest + target_preserve 7d 4w 12m *y + + volume ${subvolumeParentDir} + target 
${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} + ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" + subvolumes} ''; - }; + in '' + #! ${pkgs.bash}/bin/bash + set -Eeuxo pipefail - systemd.services."bkp-run" = { - enable = true; - description = "bkp-run"; + btrbk -c ${btrbkConf} --progress ''${@:-run} + ''; + }; - serviceConfig = { - Type = "oneshot"; - }; - - partOf = [ "bkp-sync.service" ]; - - path = with pkgs; [ - btrfs-progs - btrbk - coreutils - ]; - - script = - let - btrbkConf = pkgs.writeText "cfg" '' - timestamp_format long - ssh_identity ${passwords.storage.backupTarget.keyPath} - ssh_user ${passwords.storage.backupTarget.user} - ssh_compression no - backend_remote btrfs-progs-sudo - compat_remote busybox - btrfs_commit_delete each - snapshot_create onchange - snapshot_preserve_min latest - snapshot_preserve 7d 4w - target_preserve_min latest - target_preserve 7d 4w 12m *y - - volume ${subvolumeParentDir} - target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix} - ${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes} - ''; - in - '' - #! 
${pkgs.bash}/bin/bash - set -Eeuxo pipefail - - btrbk -c ${btrbkConf} --progress ''${@:-run} - ''; - }; - - systemd.timers."bkp" = { - description = "Timer to trigger bkp periodically"; - enable = true; - wantedBy = [ - "timer.target" - "multi-user.target" - ]; - timerConfig = { - # Obtained using `systemd-analyze calendar "Wed 23:00"` - # OnCalendar = "Wed *-*-* 23:00:00"; - OnStartupSec = "1m"; - Unit = "bkp-sync.service"; - OnUnitInactiveSec = "2h"; - Persistent = "true"; - }; + systemd.timers."bkp" = { + description = "Timer to trigger bkp periodically"; + enable = true; + wantedBy = ["timer.target" "multi-user.target"]; + timerConfig = { + # Obtained using `systemd-analyze calendar "Wed 23:00"` + # OnCalendar = "Wed *-*-* 23:00:00"; + OnStartupSec = "1m"; + Unit = "bkp-sync.service"; + OnUnitInactiveSec = "2h"; + Persistent = "true"; }; }; + }; inherit autoStart; @@ -133,10 +114,10 @@ in } ]; - extraFlags = [ "--resolv-conf=bind-host" ]; + extraFlags = ["--resolv-conf=bind-host"]; privateNetwork = true; - forwardPorts = [ ]; + forwardPorts = []; inherit hostAddress localAddress; } diff --git a/nix/os/containers/mailserver.nix b/nix/os/containers/mailserver.nix index 2ac146e..c821bf4 100644 --- a/nix/os/containers/mailserver.nix +++ b/nix/os/containers/mailserver.nix 
@@ -6,206 +6,197 @@ imapsPort ? 993, sievePort ? 4190, autoStart ? false, -}: -{ +}: { inherit specialArgs; - config = - { - pkgs, - config, - lib, - repoFlake, - ... - }: - { - system.stateVersion = "22.05"; # Did you read the comment? + config = { + pkgs, + config, + lib, + repoFlake, + ... + }: { + system.stateVersion = "22.05"; # Did you read the comment? - imports = [ - ../profiles/containers/configuration.nix + imports = [ + ../profiles/containers/configuration.nix - repoFlake.inputs.sops-nix.nixosModules.sops - ../profiles/common/user.nix - ]; + repoFlake.inputs.sops-nix.nixosModules.sops + ../profiles/common/user.nix + ]; - networking.firewall.allowedTCPPorts = [ - imapsPort - sievePort - ]; + networking.firewall.allowedTCPPorts = [ + imapsPort + sievePort + ]; - # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately - # sops.defaultSopsFile = ./mailserver_secrets.yaml; + # FIXME: find out how to use the `defaultSopsFile` so i don't have to specify each secret separately + # sops.defaultSopsFile = ./mailserver_secrets.yaml; - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.secrets.email_mailStefanjunkerDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_mailStefanjunkerDeHetzner = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_schtifATwebDe = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.steveej.name; - }; - sops.secrets.email_dovecot_steveej = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - - # TODO: switch to something other than ddclient as it's no longer maintained - - # TODO: switch to a let's encrypt certificate - sops.secrets.dovecotSslServerCert = { - sopsFile = ./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - sops.secrets.dovecotSslServerKey = { - sopsFile = 
./mailserver_secrets.yaml; - owner = config.users.users.dovecot2.name; - }; - services.dovecot2 = { - enable = true; - - modules = [ pkgs.dovecot_pigeonhole ]; - protocols = [ "sieve" ]; - - enableImap = true; - enableLmtp = true; - enablePAM = true; - showPAMFailure = true; - mailLocation = "maildir:~/.maildir"; - sslServerCert = config.sops.secrets.dovecotSslServerCert.path; - sslServerKey = config.sops.secrets.dovecotSslServerKey.path; - - #configFile = "/etc/dovecot/dovecot2_manual.conf"; - extraConfig = '' - auth_mechanisms = cram-md5 digest-md5 - auth_verbose = yes - - passdb { - driver = passwd-file - args = scheme=CRYPT username_format=%u /etc/dovecot/users - } - - protocol lda { - postmaster_address = "mail@stefanjunker.de" - mail_plugins = $mail_plugins sieve - } - - protocol imap { - mail_max_userip_connections = 64 - } - ''; - }; - - environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; - - systemd.services.steveej-getmail-stefanjunker = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - serviceConfig.RestartSec = 600; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - script = - let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = ssl0.ovh.net - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in - '' - getmail --idle=INBOX --rcfile=${rc} - ''; - }; - - systemd.services.steveej-getmail-stefanjunker-hetzner = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - 
serviceConfig.RestartSec = 60; - serviceConfig.Restart = "always"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - script = - let - rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' - [options] - verbose = 2 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = mail.your-server.de - port = 993 - username = mail@stefanjunker.de - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") - mailboxes = ('INBOX',) - - [destination] - type = MDA_external - path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda - ''; - in - '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; - - systemd.services.steveej-getmail-webde = { - enable = true; - wantedBy = [ "multi-user.target" ]; - serviceConfig.User = "steveej"; - serviceConfig.Group = "dovecot2"; - description = "Getmail service"; - path = [ pkgs.getmail6 ]; - serviceConfig.RestartSec = 1000; - serviceConfig.Restart = "always"; - script = - let - rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' - [options] - verbose = 1 - read_all = 0 - delete_after = 30 - - [retriever] - type = SimpleIMAPSSLRetriever - server = imap.web.de - port = 993 - username = schtif - password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") - mailboxes = ('INBOX',) - - [destination] - type = Maildir - path = ~/.maildir/ - ''; - in - '' - getmail --rcfile=${rc} --idle=INBOX - ''; - }; + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + sops.secrets.email_mailStefanjunkerDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; }; + sops.secrets.email_mailStefanjunkerDeHetzner = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_schtifATwebDe = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.steveej.name; + }; + sops.secrets.email_dovecot_steveej = { + sopsFile = 
./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + + # TODO: switch to something other than ddclient as it's no longer maintained + + # TODO: switch to a let's encrypt certificate + sops.secrets.dovecotSslServerCert = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + sops.secrets.dovecotSslServerKey = { + sopsFile = ./mailserver_secrets.yaml; + owner = config.users.users.dovecot2.name; + }; + services.dovecot2 = { + enable = true; + + modules = [pkgs.dovecot_pigeonhole]; + protocols = ["sieve"]; + + enableImap = true; + enableLmtp = true; + enablePAM = true; + showPAMFailure = true; + mailLocation = "maildir:~/.maildir"; + sslServerCert = config.sops.secrets.dovecotSslServerCert.path; + sslServerKey = config.sops.secrets.dovecotSslServerKey.path; + + #configFile = "/etc/dovecot/dovecot2_manual.conf"; + extraConfig = '' + auth_mechanisms = cram-md5 digest-md5 + auth_verbose = yes + + passdb { + driver = passwd-file + args = scheme=CRYPT username_format=%u /etc/dovecot/users + } + + protocol lda { + postmaster_address = "mail@stefanjunker.de" + mail_plugins = $mail_plugins sieve + } + + protocol imap { + mail_max_userip_connections = 64 + } + ''; + }; + + environment.etc."dovecot/users".source = config.sops.secrets.email_dovecot_steveej.path; + + systemd.services.steveej-getmail-stefanjunker = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 600; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [pkgs.getmail6]; + script = let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = ssl0.ovh.net + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", 
"${config.sops.secrets.email_mailStefanjunkerDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in '' + getmail --idle=INBOX --rcfile=${rc} + ''; + }; + + systemd.services.steveej-getmail-stefanjunker-hetzner = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + serviceConfig.RestartSec = 60; + serviceConfig.Restart = "always"; + description = "Getmail service"; + path = [pkgs.getmail6]; + script = let + rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" '' + [options] + verbose = 2 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = mail.your-server.de + port = 993 + username = mail@stefanjunker.de + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_mailStefanjunkerDeHetzner.path}") + mailboxes = ('INBOX',) + + [destination] + type = MDA_external + path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda + ''; + in '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + + systemd.services.steveej-getmail-webde = { + enable = true; + wantedBy = ["multi-user.target"]; + serviceConfig.User = "steveej"; + serviceConfig.Group = "dovecot2"; + description = "Getmail service"; + path = [pkgs.getmail6]; + serviceConfig.RestartSec = 1000; + serviceConfig.Restart = "always"; + script = let + rc = pkgs.writeText "schtifATweb.de.getmail.rc" '' + [options] + verbose = 1 + read_all = 0 + delete_after = 30 + + [retriever] + type = SimpleIMAPSSLRetriever + server = imap.web.de + port = 993 + username = schtif + password_command = ("${pkgs.coreutils}/bin/cat", "${config.sops.secrets.email_schtifATwebDe.path}") + mailboxes = ('INBOX',) + + [destination] + type = Maildir + path = ~/.maildir/ + ''; + in '' + getmail --rcfile=${rc} --idle=INBOX + ''; + }; + }; inherit autoStart; 
diff --git a/nix/os/containers/mycelium/flake.nix b/nix/os/containers/mycelium/flake.nix index 68e11e8..fa8340a 100644 --- a/nix/os/containers/mycelium/flake.nix +++ b/nix/os/containers/mycelium/flake.nix 
@@ -11,366 +11,350 @@ inputs.nixpkgs.follows = "nixpkgs"; }; }; - outputs = - { - self, - nixpkgs, - nixos-generators, - ... - }: - let - systems = [ - "aarch64-linux" - "x86_64-linux" - ]; - forAllSystems = nixpkgs.lib.genAttrs systems; - in - { - nixosConfigurations.default = nixpkgs.lib.nixosSystem { + outputs = { + self, + nixpkgs, + nixos-generators, + ... + }: let + systems = [ + "aarch64-linux" + "x86_64-linux" + ]; + forAllSystems = nixpkgs.lib.genAttrs systems; + in { + nixosConfigurations.default = + nixpkgs.lib.nixosSystem + { system = "aarch64-linux"; - specialArgs = { }; + specialArgs = {}; modules = [ - ( - { - config, - modulesPath, - pkgs, - lib, - ... - }: - { - nixpkgs.overlays = [ - (final: previous: { - # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; - # systemd = - # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { - # src = /home/steveej/src/others/systemd; + ({ + config, + modulesPath, + pkgs, + lib, + ... 
+ }: { + nixpkgs.overlays = [ + (final: previous: { + # inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal; + # systemd = + # self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}.systemd.overrideAttrs (prevAttrs: { + # src = /home/steveej/src/others/systemd; - # withAppArmor = false; - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # withArchive = false; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # }) - # pkgs.systemdMinimal.override { - # # getting errors with these disabled - # withCoredump = true; - # withCompression = true; - # withLogind = true; - # withSysusers = true; - # withUserDb = true; - # } - # pkgs.systemdMinimal - # pkgs.systemd.override { - # withRepart = false; - # withHomed = false; - # withAcl = false; - # withEfi = false; - # withBootloader = false; - # withCryptsetup = false; - # withLibBPF = false; - # withOomd = false; - # withFido2 = false; - # withApparmor = false; - # withDocumentation = false; - # withUtmp = false; - # withQrencode = false; - # withVmspawn = false; - # withMachined = false; - # withLogTrace = true; - # # don't need these but cause errors for exampel files not found - # # withLogind = false; - # } - # ; - }) - ]; + # withAppArmor = false; + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; + # 
withMachined = false; + # withLogTrace = true; + # withArchive = false; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # }) + # pkgs.systemdMinimal.override { + # # getting errors with these disabled + # withCoredump = true; + # withCompression = true; + # withLogind = true; + # withSysusers = true; + # withUserDb = true; + # } + # pkgs.systemdMinimal + # pkgs.systemd.override { + # withRepart = false; + # withHomed = false; + # withAcl = false; + # withEfi = false; + # withBootloader = false; + # withCryptsetup = false; + # withLibBPF = false; + # withOomd = false; + # withFido2 = false; + # withApparmor = false; + # withDocumentation = false; + # withUtmp = false; + # withQrencode = false; + # withVmspawn = false; + # withMachined = false; + # withLogTrace = true; + # # don't need these but cause errors for exampel files not found + # # withLogind = false; + # } + # ; + }) + ]; - imports = [ (modulesPath + "/profiles/minimal.nix") ]; - system.stateVersion = "24.11"; + imports = [ + (modulesPath + "/profiles/minimal.nix") + ]; + system.stateVersion = "24.11"; - # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix - boot.isContainer = true; - # boot.tmp.useTmpfs = true; - boot.loader.grub.enable = lib.mkForce false; - boot.loader.systemd-boot.enable = lib.mkForce false; - services.journald.console = "/dev/console"; - services.journald.storage = "none"; - # boot.specialFileSystems = lib.mkForce {}; + # https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix + boot.isContainer = true; + # boot.tmp.useTmpfs = true; + boot.loader.grub.enable = lib.mkForce false; + boot.loader.systemd-boot.enable = lib.mkForce false; + services.journald.console = "/dev/console"; + services.journald.storage = "none"; + # boot.specialFileSystems = lib.mkForce {}; - services.nscd.enable = false; - 
system.nssModules = lib.mkForce [ ]; - systemd.services.systemd-logind.enable = false; - systemd.services.console-getty.enable = false; + services.nscd.enable = false; + system.nssModules = lib.mkForce []; + systemd.services.systemd-logind.enable = false; + systemd.services.console-getty.enable = false; - systemd.sockets.nix-daemon.enable = false; - systemd.services.nix-daemon.enable = false; - systemd.oomd.enable = false; - networking.useDHCP = false; - networking.firewall.enable = false; + systemd.sockets.nix-daemon.enable = false; + systemd.services.nix-daemon.enable = false; + systemd.oomd.enable = false; + networking.useDHCP = false; + networking.firewall.enable = false; - # system.build.earlyMountScript = - # lib.mkForce '' - # ''; - # system.activationScripts.specialfs = - # lib.mkForce '' - # ''; - boot.postBootCommands = '' - ls -lha /run - mkdir -p /run/wrappers - ''; + # system.build.earlyMountScript = + # lib.mkForce '' + # ''; + # system.activationScripts.specialfs = + # lib.mkForce '' + # ''; + boot.postBootCommands = '' + ls -lha /run + mkdir -p /run/wrappers + ''; - boot.kernelParams = [ "systemd.log_level=debug" ]; + boot.kernelParams = [ + "systemd.log_level=debug" + ]; - # services.udev.enable = false; + # services.udev.enable = false; - # TODO: this is only needed because `/run/current-system` is missing - # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; + # TODO: this is only needed because `/run/current-system` is missing + # environment.variables.PATH = "${lib.makeBinPath config.environment.systemPackages}:$PATH"; - systemd.mounts = lib.mkForce [ ]; - fileSystems = lib.mkForce { }; + systemd.mounts = lib.mkForce []; + fileSystems = lib.mkForce {}; - services.mycelium.enable = false; - services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; - systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; - systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; - 
systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce ( - pkgs.writeShellScript "mycelium" '' + services.mycelium.enable = false; + services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile"; + systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false; + systemd.services.mycelium.serviceConfig.User = lib.mkForce "root"; + systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" '' + while true; do + ls -lha $CREDENTIALS_DIRECTORY + sleep 5 + done + ''); + + systemd.services.testing-credentials = { + wantedBy = ["multi-user.target"]; + path = [pkgs.coreutils]; + + serviceConfig = { + # SyslogIdentifier = "testing-credentials"; + # StateDirectory = "testing-credentials"; + # DynamicUser = true; + # User = "tc"; + # ProtectHome = true; + # ProtectSystem = true; + # LoadCredential = [ + # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" + # "hosts:/etc/hosts" + # ]; + SetCredential = "mycelium-keyfile:not secret string"; + ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" '' + cd $STATE_DIRECTORY + pwd + env while true; do ls -lha $CREDENTIALS_DIRECTORY sleep 5 done - '' - ); - - systemd.services.testing-credentials = { - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.coreutils ]; - - serviceConfig = { - # SyslogIdentifier = "testing-credentials"; - # StateDirectory = "testing-credentials"; - # DynamicUser = true; - # User = "tc"; - # ProtectHome = true; - # ProtectSystem = true; - # LoadCredential = [ - # "mycelium-keyfile:${self.nixosConfigurations.default.config.services.mycelium.keyFile}" - # "hosts:/etc/hosts" - # ]; - SetCredential = "mycelium-keyfile:not secret string"; - ExecStart = lib.mkForce ( - pkgs.writeShellScript "mycelium" '' - cd $STATE_DIRECTORY - pwd - env - while true; do - ls -lha $CREDENTIALS_DIRECTORY - sleep 5 - done - '' - ); - }; + ''); }; + }; - services.caddy = { - enable = true; - globalConfig = '' - auto_https off + 
services.caddy = { + enable = true; + globalConfig = '' + auto_https off + ''; + virtualHosts.":80" = { + extraConfig = '' + respond "hello from ${config.networking.hostName}" ''; - virtualHosts.":80" = { - extraConfig = '' - respond "hello from ${config.networking.hostName}" - ''; - }; }; - } - ) + }; + }) ]; }; - packages = forAllSystems ( - system: - let - name = "mycelium"; - inherit (self.inputs) nix-snapshotter; + packages = forAllSystems (system: let + name = "mycelium"; + inherit (self.inputs) nix-snapshotter; - config = { - entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; - # port = 2379; - args = [ ]; - # nodePort = 30001; + config = { + entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init"; + # port = 2379; + args = [ + ]; + # nodePort = 30001; + }; + + myceliumPorts = { + tcp = [9651]; + udp = [9650 9651]; + }; + + inherit + (config) + entrypoint + # port + + args + # nodePort + + ; + + pkgs = import nixpkgs { + overlays = [nix-snapshotter.overlays.default]; + }; + + image = pkgs.nix-snapshotter.buildImage { + inherit name; + resolvedByNix = true; + config = { + entrypoint = [entrypoint]; + env = [ + # this is read by the `/init` script and prevents various incompatible commands like mount, etc. + # the value of this doesn't seem to matter as long as it's not an empty string. 
+ "container=nerd" + "SYSTEMD_LOG_LEVEL=debug" + ]; + volumes = { + # "/var/lib/private/mycelium/key.bin" = {}; + # "/run" = {}; + # "/tmp" = {}; + # "/etc" = {}; }; + copyToRoot = [ + # self.nixosConfigurations.default.config.system.build.toplevel + ]; + }; + }; + in { + k8s = let + pod = pkgs.writeText "${name}-pod.json" (builtins.toJSON { + apiVersion = "v1"; + kind = "Pod"; + metadata = { + inherit name; + labels = {inherit name;}; + }; + spec.containers = [ + { + inherit name args; + image = "nix:0${image}"; + ports = [ + { + name = "mycelium-tcp-0"; + containerPort = builtins.elemAt myceliumPorts.tcp 0; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 0; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + containerPort = builtins.elemAt myceliumPorts.udp 1; + } + ]; + } + ]; + }); - myceliumPorts = { - tcp = [ 9651 ]; - udp = [ - 9650 - 9651 + service = pkgs.writeText "${name}-service.json" (builtins.toJSON { + apiVersion = "v1"; + kind = "Service"; + metadata.name = "${name}-service"; + spec = { + type = "NodePort"; + selector = {inherit name;}; + ports = [ + { + name = "mycelium-tcp-0"; + port = builtins.elemAt myceliumPorts.tcp 0 + 50000; + targetPort = "mycelium-tcp-0"; + } + { + name = "mycelium-udp-0"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 0 + 50000; + targetPort = "mycelium-udp-0"; + } + { + name = "mycelium-udp-1"; + protocol = "UDP"; + port = builtins.elemAt myceliumPorts.udp 1 + 50000; + targetPort = "mycelium-udp-1"; + } ]; }; + }); + in + pkgs.runCommand "declarative-k8s" {} '' + mkdir -p $out/share/k8s + cp ${pod} $out/share/k8s/ + cp ${service} $out/share/k8s/ + ''; - inherit (config) - entrypoint - # port + inherit image; - args - # nodePort + start = pkgs.writeShellApplication { + name = "start"; + text = '' + set -x + rm -rf ./result + nix build --impure .#image + sudo nix2container load ./result + sudo -E nerdctl run --name ${name} --privileged -dt \ + 
--cgroup-manager cgroupfs \ + --volume "$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ + "nix:0$(readlink result):latest" + ''; + }; - ; + stop = pkgs.writeShellApplication { + name = "stop"; + text = '' + set +e + sudo -E nerdctl stop -t 60 ${name} + sudo -E nerdctl rm --force ${name} + sudo -E nerdctl system prune --all --force + sudo systemctl stop nix-snapshotter + sudo systemctl stop containerd + mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l + sudo systemctl start containerd + sudo systemctl start nix-snapshotter + ''; - pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; }; + # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) - image = pkgs.nix-snapshotter.buildImage { - inherit name; - resolvedByNix = true; - config = { - entrypoint = [ entrypoint ]; - env = [ - # this is read by the `/init` script and prevents various incompatible commands like mount, etc. - # the value of this doesn't seem to matter as long as it's not an empty string. 
- "container=nerd" - "SYSTEMD_LOG_LEVEL=debug" - ]; - volumes = { - # "/var/lib/private/mycelium/key.bin" = {}; - # "/run" = {}; - # "/tmp" = {}; - # "/etc" = {}; - }; - copyToRoot = [ - # self.nixosConfigurations.default.config.system.build.toplevel - ]; - }; - }; - in - { - k8s = - let - pod = pkgs.writeText "${name}-pod.json" ( - builtins.toJSON { - apiVersion = "v1"; - kind = "Pod"; - metadata = { - inherit name; - labels = { - inherit name; - }; - }; - spec.containers = [ - { - inherit name args; - image = "nix:0${image}"; - ports = [ - { - name = "mycelium-tcp-0"; - containerPort = builtins.elemAt myceliumPorts.tcp 0; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 0; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - containerPort = builtins.elemAt myceliumPorts.udp 1; - } - ]; - } - ]; - } - ); - - service = pkgs.writeText "${name}-service.json" ( - builtins.toJSON { - apiVersion = "v1"; - kind = "Service"; - metadata.name = "${name}-service"; - spec = { - type = "NodePort"; - selector = { - inherit name; - }; - ports = [ - { - name = "mycelium-tcp-0"; - port = builtins.elemAt myceliumPorts.tcp 0 + 50000; - targetPort = "mycelium-tcp-0"; - } - { - name = "mycelium-udp-0"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 0 + 50000; - targetPort = "mycelium-udp-0"; - } - { - name = "mycelium-udp-1"; - protocol = "UDP"; - port = builtins.elemAt myceliumPorts.udp 1 + 50000; - targetPort = "mycelium-udp-1"; - } - ]; - }; - } - ); - in - pkgs.runCommand "declarative-k8s" { } '' - mkdir -p $out/share/k8s - cp ${pod} $out/share/k8s/ - cp ${service} $out/share/k8s/ - ''; - - inherit image; - - start = pkgs.writeShellApplication { - name = "start"; - text = '' - set -x - rm -rf ./result - nix build --impure .#image - sudo nix2container load ./result - sudo -E nerdctl run --name ${name} --privileged -dt \ - --cgroup-manager cgroupfs \ - --volume 
"$PWD/key.bin.crypt:${self.nixosConfigurations.default.config.services.mycelium.keyFile}:ro" \ - "nix:0$(readlink result):latest" - ''; - }; - - stop = pkgs.writeShellApplication { - name = "stop"; - text = '' - set +e - sudo -E nerdctl stop -t 60 ${name} - sudo -E nerdctl rm --force ${name} - sudo -E nerdctl system prune --all --force - sudo systemctl stop nix-snapshotter - sudo systemctl stop containerd - mount | rg -No '(/var/lib/container|/tmp/initial)[^ ]+' | tac | xargs sudo umount -l - sudo systemctl start containerd - sudo systemctl start nix-snapshotter - ''; - - # tmpfs on /run/credentials/mycelium.service type tmpfs (ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap) - - # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap - }; - } - ); - }; + # mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap + }; + }); + }; } diff --git a/nix/os/containers/syncthing.nix b/nix/os/containers/syncthing.nix index 0375102..8c0ba82 100644 --- a/nix/os/containers/syncthing.nix +++ b/nix/os/containers/syncthing.nix 
@@ -6,27 +6,28 @@ syncthingPort ? 22000, syncthingLocalAnnouncePort ? 21027, autoStart ? false, -}: -{ +}: { inherit specialArgs; - config = - { config, pkgs, ... }: - { - system.stateVersion = "20.05"; # Did you read the comment? + config = { + config, + pkgs, + ... + }: { + system.stateVersion = "20.05"; # Did you read the comment? - imports = [ ../profiles/containers/configuration.nix ]; + imports = [../profiles/containers/configuration.nix]; - networking.firewall.allowedTCPPorts = [ - # syncthing gui - 8384 - ]; + networking.firewall.allowedTCPPorts = [ + # syncthing gui + 8384 + ]; - services.syncthing = { - enable = true; - openDefaultPorts = true; - guiAddress = "0.0.0.0:8384"; - }; + services.syncthing = { + enable = true; + openDefaultPorts = true; + guiAddress = "0.0.0.0:8384"; }; + }; inherit autoStart;
diff --git a/nix/os/containers/webserver.nix b/nix/os/containers/webserver.nix
index b20fa28..456ef59 100644
--- a/nix/os/containers/webserver.nix
+++ b/nix/os/containers/webserver.nix
@@ -7,418 +7,406 @@ httpsPort, forgejoSshPort, autoStart ? false, -}: -let +}: let domain = "www.stefanjunker.de"; -in -{ +in { inherit specialArgs; - config = - { - config, - pkgs, - lib, - repoFlake, - nodeFlake, - system, - ... - }: - { - system.stateVersion = "22.05"; # Did you read the comment? - - disabledModules = [ - "services/misc/forgejo.nix" - "services/security/kanidm.nix" - ]; - - imports = [ - "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" - "${repoFlake.inputs.nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" - - ../profiles/containers/configuration.nix - - repoFlake.inputs.sops-nix.nixosModules.sops - ]; - - sops.defaultSopsFile = ./webserver_secrets.yaml; - - networking.firewall.allowedTCPPorts = [ - httpPort - httpsPort - forgejoSshPort - ]; - - sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - sops.secrets.hedgedoc_environment_file = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.hedgedoc.name; - }; - - services.caddy = { - enable = true; - logFormat = '' - level ERROR - ''; - virtualHosts."${domain}" = { - extraConfig = '' - redir /hedgedoc* https://hedgedoc.${domain} - - file_server /*/* { - browse - root /var/www/stefanjunker.de/htdocs/caddy - pass_thru - } - - # respond "Hi" - # respond (not /*/*) "Hi" - ''; - }; - - virtualHosts."hedgedoc.${domain}" = { - extraConfig = '' - reverse_proxy http://[::1]:3000 - ''; - }; - - virtualHosts."authelia.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} - ''; - }; - - virtualHosts."lldap.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} - ''; - }; - - virtualHosts."forgejo.${domain}" = { - extraConfig = '' - reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} - ''; - }; - - 
virtualHosts."kanidm.${domain}" = { - extraConfig = '' - reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} - } - } - ''; - }; - }; - - services.hedgedoc = { - enable = true; - settings = { - domain = "hedgedoc.${domain}"; - urlPath = ""; - protocolUseSSL = true; - db = { - dialect = "sqlite"; - storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; - }; - - allowAnonymous = false; - allowAnonymousEdits = false; - allowGravatar = false; - allowFreeURL = false; - defaultPermission = "private"; - - allowEmailRegister = false; - email = false; - - ldap = { - url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; - bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; - # these are set via the `environmentFile` - # bindCredentials = "$LDAP_ADMIN_PASSWORD"; - searchBase = "ou=people,dc=stefanjunker,dc=de"; - searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; - useridField = "uid"; - }; - - oauth2 = - let - originURL = config.services.kanidm.serverSettings.origin; - in - { - providerName = "kanidm (${originURL})"; - - authorizationURL = "${originURL}/ui/oauth2"; - tokenURL = "${originURL}/oauth2/token"; - userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; - - scope = "openid email profile"; - # rolesClaim = "roles"; - # accessRole = "role/hedgedoc"; - - userProfileUsernameAttr = "name"; - userProfileDisplayNameAttr = "displayname"; - userProfileEmailAttr = "email"; - - clientID = "hedgedoc"; - # set via the `environmentFile` - # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; - }; - - uploadsPath = "/var/lib/hedgedoc/uploads"; - }; - - environmentFile = config.sops.secrets.hedgedoc_environment_file.path; - }; - - services.jitsi-meet = { - enable = false; - hostName = "meet.${domain}"; - config = { - prejoinPageEnabled = true; - }; - caddy.enable = true; - 
nginx.enable = false; - }; - - sops.secrets.authelia_storageEncryptionKey = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - sops.secrets.authelia_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.authelia-default.name; - }; - - services.authelia.instances.default = - let - baseDir = "/var/lib/authelia-default"; - in - { - enable = true; - secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; - secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; - settings = { - theme = "auto"; - default_2fa_method = "totp"; - log.level = "debug"; - - server = { - disable_healthcheck = true; - host = "127.0.0.1"; - port = 9091; - # path = "authelia"; - }; - - storage = { - local.path = "${baseDir}/authelia.sqlite"; - }; - - authentication_backend = { - file.path = "${baseDir}/first_factor.yaml"; - file.search.email = true; - file.search.case_insensitive = false; - }; - - access_control = { - default_policy = "one_factor"; - }; - - session.domain = "stefanjunker.de"; - - notifier = { - disable_startup_check = true; - filesystem.filename = "${baseDir}/notification.txt"; - }; - }; - }; - - users.groups.lldap = { }; - users.users.lldap = { - isSystemUser = true; - group = "lldap"; - }; - - sops.secrets.lldap_jwtSecret = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_adminPassword = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - sops.secrets.lldap_environmentFile = { - sopsFile = ./webserver_secrets.yaml; - owner = config.users.users.lldap.name; - }; - - services.lldap = { - enable = true; - environment = { - LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; - LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; - }; - environmentFile = config.sops.secrets.lldap_environmentFile.path; - - settings = { - 
verbose = true; - - ldap_base_dn = "dc=stefanjunker,dc=de"; - http_url = "https://lldap.${domain}"; - - ## Options to configure SMTP parameters, to send password reset emails. - ## To set these options from environment variables, use the following format - ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD - smtp_options = { - ## Whether to enabled password reset via email, from LLDAP. - enable_password_reset = true; - - # port = 465; - ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". - # smtp_encryption = "TLS"; - }; - - # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; - }; - }; - - sops.secrets.FORGEJO_JWT_SECRET = { }; - sops.secrets.FORGEJO_INTERNAL_TOKEN = { }; - sops.secrets.FORGEJO_SECRET_KEY = { }; - - services.forgejo = { - enable = true; - package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; - settings = { - service.DISABLE_REGISTRATION = true; - server.HTTP_ADDR = "127.0.0.1"; - server.START_SSH_SERVER = true; - server.SSH_PORT = forgejoSshPort; - server.ROOT_URL = "https://forgejo.${domain}"; - server.HTTP_PORT = 3001; - - # TODO: how do i get a 3072 length SSH key with the yubikey? 
- "ssh.minimum_key_sizes".RSA = 2048; - }; - secrets = { - oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; - security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; - security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; - }; - }; - - systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; - systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; - systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; - - # combine a path watcher with a service that transfers the certs by caddy to kanidm - systemd.paths.kanidm-tls-watch = { - enable = true; - requiredBy = [ "kanidm.service" ]; - pathConfig = { - PathChanged = [ - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - ]; - Unit = "kanidm-tls-update.service"; - }; - }; - systemd.services.kanidm-tls-update = - let - dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; - in - { - enable = true; - requiredBy = [ "kanidm.service" ]; - unitConfig = { - # ConditionPathExists = [ - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" - # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" - # ]; - }; - serviceConfig.Type = "oneshot"; - script = - let - tlsDir = builtins.dirOf 
config.services.kanidm.serverSettings.tls_key; - in - '' - set -xe - - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key - cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain - - chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} - chmod 400 tls.{key,chain} - - # create the kanidm directory in case it's missing - if [[ ! -d ${tlsDir} ]]; then - mkdir -p ${tlsDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} - chmod 700 ${tlsDir} - fi - - mv tls.key ${config.services.kanidm.serverSettings.tls_key} - mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} - - if [[ ! 
-d ${dbDir} ]]; then - mkdir -p ${dbDir} - chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} - chmod 700 ${dbDir} - fi - ''; - }; - - systemd.services.kanidm.serviceConfig = - let - dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path; - in - # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; - { - # ExecStartPre = '' - # mkdir -p ${dbDir} - # ''; - BindPaths = [ - dbDir - # stateDir - ]; - }; - - services.kanidm = - let - dataDir = "/var/lib/kanidm"; - in - { - package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; - - enablePam = false; - enableClient = false; - - enableServer = true; - serverSettings = { - role = "WriteReplica"; - log_level = "debug"; - - domain = "kanidm.${domain}"; - origin = "https://kanidm.${domain}"; - - db_path = "${dataDir}/db/kanidm.db"; - - bindaddress = "127.0.0.1:8444"; - - # don't expose ldap - # ldapbindaddress = "[::1]:6636"; - - tls_key = "${dataDir}/tls/tls.key"; - tls_chain = "${dataDir}/tls/tls.chain"; - - online_backup = { - schedule = "00 06 * * *"; - }; - }; - }; + config = { + config, + pkgs, + lib, + repoFlake, + nodeFlake, + system, + ... + }: { + system.stateVersion = "22.05"; # Did you read the comment? 
+ + disabledModules = [ + "services/misc/forgejo.nix" + "services/security/kanidm.nix" + ]; + + imports = [ + "${nodeFlake.inputs.nixpkgs-unstable}/nixos/modules/services/misc/forgejo.nix" + "${repoFlake.inputs.nixpkgs-kanidm}/nixos/modules/services/security/kanidm.nix" + + ../profiles/containers/configuration.nix + + repoFlake.inputs.sops-nix.nixosModules.sops + ]; + + sops.defaultSopsFile = ./webserver_secrets.yaml; + + networking.firewall.allowedTCPPorts = [ + httpPort + httpsPort + forgejoSshPort + ]; + + sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"]; + sops.secrets.hedgedoc_environment_file = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.hedgedoc.name; }; + services.caddy = { + enable = true; + logFormat = '' + level ERROR + ''; + virtualHosts."${domain}" = { + extraConfig = '' + redir /hedgedoc* https://hedgedoc.${domain} + + file_server /*/* { + browse + root /var/www/stefanjunker.de/htdocs/caddy + pass_thru + } + + # respond "Hi" + # respond (not /*/*) "Hi" + ''; + }; + + virtualHosts."hedgedoc.${domain}" = { + extraConfig = '' + reverse_proxy http://[::1]:3000 + ''; + }; + + virtualHosts."authelia.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port} + ''; + }; + + virtualHosts."lldap.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port} + ''; + }; + + virtualHosts."forgejo.${domain}" = { + extraConfig = '' + reverse_proxy http://127.0.0.1:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT} + ''; + }; + + virtualHosts."kanidm.${domain}" = { + extraConfig = '' + reverse_proxy https://${builtins.toString config.services.kanidm.serverSettings.bindaddress} { + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + } + ''; + }; + }; + + services.hedgedoc = { + enable = true; + settings = { + domain = 
"hedgedoc.${domain}"; + urlPath = ""; + protocolUseSSL = true; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; + }; + + allowAnonymous = false; + allowAnonymousEdits = false; + allowGravatar = false; + allowFreeURL = false; + defaultPermission = "private"; + + allowEmailRegister = false; + email = false; + + ldap = { + url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}"; + bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de"; + # these are set via the `environmentFile` + # bindCredentials = "$LDAP_ADMIN_PASSWORD"; + searchBase = "ou=people,dc=stefanjunker,dc=de"; + searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))"; + useridField = "uid"; + }; + + oauth2 = let + originURL = config.services.kanidm.serverSettings.origin; + in { + providerName = "kanidm (${originURL})"; + + authorizationURL = "${originURL}/ui/oauth2"; + tokenURL = "${originURL}/oauth2/token"; + userProfileURL = "${originURL}/oauth2/openid/hedgedoc/userinfo"; + + scope = "openid email profile"; + # rolesClaim = "roles"; + # accessRole = "role/hedgedoc"; + + userProfileUsernameAttr = "name"; + userProfileDisplayNameAttr = "displayname"; + userProfileEmailAttr = "email"; + + clientID = "hedgedoc"; + # set via the `environmentFile` + # clientSecret = "$CMD_OAUTH2_CLIENT_SECRET"; + }; + + uploadsPath = "/var/lib/hedgedoc/uploads"; + }; + + environmentFile = config.sops.secrets.hedgedoc_environment_file.path; + }; + + services.jitsi-meet = { + enable = false; + hostName = "meet.${domain}"; + config = { + prejoinPageEnabled = true; + }; + caddy.enable = true; + nginx.enable = false; + }; + + sops.secrets.authelia_storageEncryptionKey = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + sops.secrets.authelia_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.authelia-default.name; + }; + + 
services.authelia.instances.default = let + baseDir = "/var/lib/authelia-default"; + in { + enable = true; + secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path; + secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path; + settings = { + theme = "auto"; + default_2fa_method = "totp"; + log.level = "debug"; + + server = { + disable_healthcheck = true; + host = "127.0.0.1"; + port = 9091; + # path = "authelia"; + }; + + storage = { + local.path = "${baseDir}/authelia.sqlite"; + }; + + authentication_backend = { + file.path = "${baseDir}/first_factor.yaml"; + file.search.email = true; + file.search.case_insensitive = false; + }; + + access_control = { + default_policy = "one_factor"; + }; + + session.domain = "stefanjunker.de"; + + notifier = { + disable_startup_check = true; + filesystem.filename = "${baseDir}/notification.txt"; + }; + }; + }; + + users.groups.lldap = {}; + users.users.lldap = { + isSystemUser = true; + group = "lldap"; + }; + + sops.secrets.lldap_jwtSecret = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_adminPassword = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + sops.secrets.lldap_environmentFile = { + sopsFile = ./webserver_secrets.yaml; + owner = config.users.users.lldap.name; + }; + + services.lldap = { + enable = true; + environment = { + LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path; + LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path; + }; + environmentFile = config.sops.secrets.lldap_environmentFile.path; + + settings = { + verbose = true; + + ldap_base_dn = "dc=stefanjunker,dc=de"; + http_url = "https://lldap.${domain}"; + + ## Options to configure SMTP parameters, to send password reset emails. 
+ ## To set these options from environment variables, use the following format + ## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD + smtp_options = { + ## Whether to enabled password reset via email, from LLDAP. + enable_password_reset = true; + + # port = 465; + ## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS". + # smtp_encryption = "TLS"; + }; + + # database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc"; + }; + }; + + sops.secrets.FORGEJO_JWT_SECRET = {}; + sops.secrets.FORGEJO_INTERNAL_TOKEN = {}; + sops.secrets.FORGEJO_SECRET_KEY = {}; + + services.forgejo = { + enable = true; + package = nodeFlake.inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.forgejo; + settings = { + service.DISABLE_REGISTRATION = true; + server.HTTP_ADDR = "127.0.0.1"; + server.START_SSH_SERVER = true; + server.SSH_PORT = forgejoSshPort; + server.ROOT_URL = "https://forgejo.${domain}"; + server.HTTP_PORT = 3001; + + # TODO: how do i get a 3072 length SSH key with the yubikey? 
+ "ssh.minimum_key_sizes".RSA = 2048; + }; + secrets = { + oauth2.JWT_SECRET = lib.mkForce config.sops.secrets.FORGEJO_JWT_SECRET.path; + security.INTERNAL_TOKEN = lib.mkForce config.sops.secrets.FORGEJO_INTERNAL_TOKEN.path; + security.SECRET_KEY = lib.mkForce config.sops.secrets.FORGEJO_SECRET_KEY.path; + }; + }; + + systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name; + systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name; + systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false; + + # combine a path watcher with a service that transfers the certs by caddy to kanidm + systemd.paths.kanidm-tls-watch = { + enable = true; + requiredBy = ["kanidm.service"]; + pathConfig = { + PathChanged = [ + "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + ]; + Unit = "kanidm-tls-update.service"; + }; + }; + systemd.services.kanidm-tls-update = let + dbDir = + builtins.dirOf + config.services.kanidm.serverSettings.db_path; + in { + enable = true; + requiredBy = ["kanidm.service"]; + unitConfig = { + # ConditionPathExists = [ + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" + # "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" + # ]; + }; + serviceConfig.Type = "oneshot"; + script = let + tlsDir = builtins.dirOf 
config.services.kanidm.serverSettings.tls_key; + in '' + set -xe + + cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key + cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.crt" > tls.chain + + chown ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} tls.{key,chain} + chmod 400 tls.{key,chain} + + # create the kanidm directory in case it's missing + if [[ ! -d ${tlsDir} ]]; then + mkdir -p ${tlsDir} + chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${tlsDir} + chmod 700 ${tlsDir} + fi + + mv tls.key ${config.services.kanidm.serverSettings.tls_key} + mv tls.chain ${config.services.kanidm.serverSettings.tls_chain} + + if [[ ! 
-d ${dbDir} ]]; then + mkdir -p ${dbDir} + chown -R ${config.systemd.services.kanidm.serviceConfig.User}:${config.systemd.services.kanidm.serviceConfig.Group} ${dbDir} + chmod 700 ${dbDir} + fi + ''; + }; + + systemd.services.kanidm.serviceConfig = let + dbDir = + builtins.dirOf + config.services.kanidm.serverSettings.db_path; + # stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}"; + in { + # ExecStartPre = '' + # mkdir -p ${dbDir} + # ''; + BindPaths = [ + dbDir + # stateDir + ]; + }; + + services.kanidm = let + dataDir = "/var/lib/kanidm"; + in { + package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm; + + enablePam = false; + enableClient = false; + + enableServer = true; + serverSettings = { + role = "WriteReplica"; + log_level = "debug"; + + domain = "kanidm.${domain}"; + origin = "https://kanidm.${domain}"; + + db_path = "${dataDir}/db/kanidm.db"; + + bindaddress = "127.0.0.1:8444"; + + # don't expose ldap + # ldapbindaddress = "[::1]:6636"; + + tls_key = "${dataDir}/tls/tls.key"; + tls_chain = "${dataDir}/tls/tls.chain"; + + online_backup = { + schedule = "00 06 * * *"; + }; + }; + }; + }; + inherit autoStart; bindMounts = { diff --git a/nix/os/devices/default.nix b/nix/os/devices/default.nix index 02b0212..bc8e0ad 100644 --- a/nix/os/devices/default.nix +++ b/nix/os/devices/default.nix 
@@ -1,25 +1,20 @@ { dir, - pkgs ? import { }, - ownLib ? import ../lib/default.nix { inherit (pkgs) lib; }, + pkgs ? import {}, + ownLib ? import ../lib/default.nix {inherit (pkgs) lib;}, gitRoot ? "$(git rev-parse --show-toplevel)", # FIXME: why do these need explicit mentioning? moreargs ? "", rebuildarg ? "", ... -}@args: -let - rebuildargsSudo = [ - "switch" - "boot" - ]; - rebuild = - { - gitRoot, - rebuildarg ? "dry-activate", - moreargs ? "", - ... - }: +} @ args: let + rebuildargsSudo = ["switch" "boot"]; + rebuild = { + gitRoot, + rebuildarg ? "dry-activate", + moreargs ? "", + ... + }: pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe @@ -35,24 +30,25 @@ let ${ if - (builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null - then - "sudo -E \\" - else - "" + (builtins.elem rebuildarg rebuildargsSudo) + && (builtins.match ".*--target-host.*" moreargs) == null + then "sudo -E \\" + else "" } nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs} ''; -in -{ - recipes = { - rebuild = rebuild { - inherit gitRoot; - inherit moreargs; - inherit rebuildarg; +in { + recipes = + { + rebuild = + rebuild { + inherit gitRoot; + inherit moreargs; + inherit rebuildarg; + } + # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } + # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } + ; } - # // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; } - # // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; } - ; - } // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; })); + // (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;})); } diff --git a/nix/os/devices/disk.nix b/nix/os/devices/disk.nix index f639344..f62c6a9 100644 --- a/nix/os/devices/disk.nix +++ b/nix/os/devices/disk.nix 
@@ -3,29 +3,40 @@ ownLib, dir, gitRoot, - diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId, + diskId ? + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") + {}) + .hardware + .opinionatedDisk + .diskId, encrypted ? - (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted, + (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") + {}) + .hardware + .opinionatedDisk + .encrypted, previousDiskId ? "", ... -}: -let +}: let mntRootVol = "/mnt/${diskId}-root"; -in -rec { +in rec { diskMount = pkgs.writeScript "script" '' #!/usr/bin/env bash set -xe echo Mounting ${diskId} ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ + ownLib.disk.luksName diskId + } ''} sleep 1 sudo vgchange -ay ${ownLib.disk.volumeGroup diskId} sudo mkdir -p /mnt sudo mkdir ${mntRootVol} sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol} - sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home + sudo mount ${ + ownLib.disk.rootFsDevice diskId + } ${mntRootVol}/nixos/home -o subvol=home sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot ''; @@ -62,7 +73,9 @@ rec { #!/usr/bin/env bash set -xe - read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice + read -p "Continue to format ${ + ownLib.disk.bootGrubDevice diskId + } (YES/n)? " choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; 
@@ -109,11 +122,15 @@ rec { ${pkgs.lib.strings.optionalString encrypted '' # Encrypt sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} - - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ + ownLib.disk.luksName diskId + } ''} # LVM - sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted} + sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ + ownLib.disk.lvmPv diskId encrypted + } sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root @@ -137,7 +154,9 @@ rec { #!/usr/bin/env bash set -xe - read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice + read -p "Continue to relabel ${ + ownLib.disk.bootGrubDevice diskId + } (YES/n)?" choice case "$choice" in YES ) echo "Continuing in 3 seconds..."; sleep 3;; n|N ) echo "Exiting..."; exit 0;; @@ -168,9 +187,13 @@ rec { if test "${previousDiskId}"; then - ${pkgs.lib.strings.optionalString encrypted '' - sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId} - ''} + ${ + pkgs.lib.strings.optionalString encrypted '' + sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ + ownLib.disk.luksName diskId + } + '' + } sync sleep 1 if sudo vgs ${previousDiskId}; then diff --git a/nix/os/devices/elias-e525/boot.nix b/nix/os/devices/elias-e525/boot.nix index 6698046..ab6c098 100644 --- a/nix/os/devices/elias-e525/boot.nix +++ b/nix/os/devices/elias-e525/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiSupport = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/elias-e525/configuration.nix b/nix/os/devices/elias-e525/configuration.nix index ea92869..d39da6f 100644 --- a/nix/os/devices/elias-e525/configuration.nix 
+++ b/nix/os/devices/elias-e525/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/elias-e525/default.nix b/nix/os/devices/elias-e525/default.nix index ba02693..4b4d676 100644 --- a/nix/os/devices/elias-e525/default.nix +++ b/nix/os/devices/elias-e525/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = "elias-e525.lan"; diff --git a/nix/os/devices/elias-e525/flake.nix b/nix/os/devices/elias-e525/flake.nix index d5bd2c5..3f73b91 100644 --- a/nix/os/devices/elias-e525/flake.nix +++ b/nix/os/devices/elias-e525/flake.nix @@ -6,5 +6,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/elias-e525/hw.nix b/nix/os/devices/elias-e525/hw.nix index 0a67e1e..269281c 100644 --- a/nix/os/devices/elias-e525/hw.nix +++ b/nix/os/devices/elias-e525/hw.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/elias-e525/pkg.nix b/nix/os/devices/elias-e525/pkg.nix index a9483b2..e119032 100644 --- a/nix/os/devices/elias-e525/pkg.nix +++ b/nix/os/devices/elias-e525/pkg.nix @@ -1,5 +1,8 @@ -{ pkgs, lib, ... }: -let +{ + pkgs, + lib, + ... +}: let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix 
@@ -19,27 +22,26 @@ let rustdesk ]; }; -in -{ +in { services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; home-manager.users.steveej = homeEnv { layout = "en"; - options = [ "nodeadkey" ]; + options = ["nodeadkey"]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = [ ]; + options = []; variant = ""; }; home-manager.users.justyna = homeEnv { layout = "de"; - options = [ ]; + options = []; variant = ""; }; diff --git a/nix/os/devices/elias-e525/system.nix b/nix/os/devices/elias-e525/system.nix index b9a20df..6763062 100644 --- a/nix/os/devices/elias-e525/system.nix +++ b/nix/os/devices/elias-e525/system.nix @@ -3,10 +3,8 @@ lib, config, ... -}: -let -in -{ +}: let +in { # TASK: new device networking.hostName = "elias-e525"; # Define your hostname. @@ -40,13 +38,11 @@ in # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = [ "modesetting" ]; + services.xserver.videoDrivers = ["modesetting"]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; } diff --git a/nix/os/devices/elias-e525/user.nix b/nix/os/devices/elias-e525/user.nix index d80024f..196c96a 100644 --- a/nix/os/devices/elias-e525/user.nix +++ b/nix/os/devices/elias-e525/user.nix @@ -3,12 +3,10 @@ pkgs, lib, ... -}: -let +}: let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; -in -{ + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; +in { sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/fwhost1/boot.nix b/nix/os/devices/fwhost1/boot.nix index 639698f..4d8c1d1 100644 
--- a/nix/os/devices/fwhost1/boot.nix +++ b/nix/os/devices/fwhost1/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost1/configuration.nix b/nix/os/devices/fwhost1/configuration.nix index fbdc4c0..ed238cb 100644 --- a/nix/os/devices/fwhost1/configuration.nix +++ b/nix/os/devices/fwhost1/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/fwhost1/hw.nix b/nix/os/devices/fwhost1/hw.nix index 15fd266..6c1aaaf 100644 --- a/nix/os/devices/fwhost1/hw.nix +++ b/nix/os/devices/fwhost1/hw.nix @@ -1,7 +1,5 @@ -{ ... }: -let -in -{ +{...}: let +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost1/pkg.nix b/nix/os/devices/fwhost1/pkg.nix index 99120aa..6650ad9 100644 --- a/nix/os/devices/fwhost1/pkg.nix +++ b/nix/os/devices/fwhost1/pkg.nix @@ -1,17 +1,17 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [ - iw - wirelesstools - ]; + environment.systemPackages = with pkgs; [iw wirelesstools]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost1/system.nix b/nix/os/devices/fwhost1/system.nix index 22bc1e9..abe1717 100644 --- a/nix/os/devices/fwhost1/system.nix +++ b/nix/os/devices/fwhost1/system.nix 
@@ -3,12 +3,10 @@ lib, config, ... -}: -let +}: let keys = import ../../../variables/keys.nix; passwords = import ../../../variables/passwords.crypt.nix; -in -{ +in { # TASK: new device networking.hostName = "fwhost1"; # Define your hostname. @@ -23,14 +21,11 @@ in networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = [ - "eth0" - "eth1" - ]; + networking.bridges.breth.interfaces = ["eth0" "eth1"]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = [ "172.172.171.10" ]; + networking.nameservers = ["172.172.171.10"]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost1/user.nix b/nix/os/devices/fwhost1/user.nix index 9fd85fb..98f59ba 100644 --- a/nix/os/devices/fwhost1/user.nix +++ b/nix/os/devices/fwhost1/user.nix @@ -1,7 +1,9 @@ -{ config, pkgs, ... }: -let +{ + config, + pkgs, + ... +}: let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { }) mkUser; -in -{ } + inherit (import ../../lib/default.nix {}) mkUser; +in {} diff --git a/nix/os/devices/fwhost1/versions.nix b/nix/os/devices/fwhost1/versions.nix index 276eb87..c6dac79 100644 --- a/nix/os/devices/fwhost1/versions.nix +++ b/nix/os/devices/fwhost1/versions.nix @@ -4,12 +4,9 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost1/versions.tmpl.nix b/nix/os/devices/fwhost1/versions.tmpl.nix index d3d0c19..c9dc8a9 100644 --- a/nix/os/devices/fwhost1/versions.tmpl.nix +++ b/nix/os/devices/fwhost1/versions.tmpl.nix 
@@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/boot.nix b/nix/os/devices/fwhost2/boot.nix index 639698f..4d8c1d1 100644 --- a/nix/os/devices/fwhost2/boot.nix +++ b/nix/os/devices/fwhost2/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/fwhost2/configuration.nix b/nix/os/devices/fwhost2/configuration.nix index fbdc4c0..ed238cb 100644 --- a/nix/os/devices/fwhost2/configuration.nix +++ b/nix/os/devices/fwhost2/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/fwhost2/hw.nix b/nix/os/devices/fwhost2/hw.nix index a1b9b21..c207b8c 100644 --- a/nix/os/devices/fwhost2/hw.nix +++ b/nix/os/devices/fwhost2/hw.nix @@ -1,7 +1,5 @@ -{ ... }: -let -in -{ +{...}: let +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/fwhost2/pkg.nix b/nix/os/devices/fwhost2/pkg.nix index 99120aa..6650ad9 100644 --- a/nix/os/devices/fwhost2/pkg.nix +++ b/nix/os/devices/fwhost2/pkg.nix 
@@ -1,17 +1,17 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; - environment.systemPackages = with pkgs; [ - iw - wirelesstools - ]; + environment.systemPackages = with pkgs; [iw wirelesstools]; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/fwhost2/system.nix b/nix/os/devices/fwhost2/system.nix index d923e14..54da0ba 100644 --- a/nix/os/devices/fwhost2/system.nix +++ b/nix/os/devices/fwhost2/system.nix @@ -4,12 +4,10 @@ config, utils, ... -}: -let +}: let keys = import ../../../variables/keys.nix; passwords = import ../../../variables/passwords.crypt.nix; -in -{ +in { # TASK: new device networking.hostName = "fwhost2"; # Define your hostname. @@ -24,14 +22,11 @@ in networking.firewall.logRefusedConnections = false; networking.usePredictableInterfaceNames = false; - networking.bridges.breth.interfaces = [ - "eth0" - "eth1" - ]; + networking.bridges.breth.interfaces = ["eth0" "eth1"]; networking.bridges.breth.rstp = true; networking.defaultGateway.address = "172.172.171.10"; - networking.nameservers = [ "172.172.171.10" ]; + networking.nameservers = ["172.172.171.10"]; # WAN interfaces, currently unused because the OPNsense guest acts as a router. networking.vlans.wan1.id = 3; diff --git a/nix/os/devices/fwhost2/user.nix b/nix/os/devices/fwhost2/user.nix index 78ca58d..d7dc0dc 100644 --- a/nix/os/devices/fwhost2/user.nix +++ b/nix/os/devices/fwhost2/user.nix 
@@ -1,10 +1,12 @@ -{ config, pkgs, ... }: -let +{ + config, + pkgs, + ... +}: let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; -in -{ + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; +in { # users.extraUsers.steveej2 = mkUser { # uid = 1001; # openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/fwhost2/versions.nix b/nix/os/devices/fwhost2/versions.nix index 276eb87..c6dac79 100644 --- a/nix/os/devices/fwhost2/versions.nix +++ b/nix/os/devices/fwhost2/versions.nix @@ -4,12 +4,9 @@ let ref = "nixos-21.11"; rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb"; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/fwhost2/versions.tmpl.nix b/nix/os/devices/fwhost2/versions.tmpl.nix index d3d0c19..c9dc8a9 100644 --- a/nix/os/devices/fwhost2/versions.tmpl.nix +++ b/nix/os/devices/fwhost2/versions.tmpl.nix @@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { diff --git a/nix/os/devices/hstk0/configuration.nix b/nix/os/devices/hstk0/configuration.nix index b844805..ea3c795 100644 --- a/nix/os/devices/hstk0/configuration.nix +++ b/nix/os/devices/hstk0/configuration.nix @@ -9,9 +9,9 @@ nodeName, system, ... -}: -{ - disabledModules = [ ]; +}: { + disabledModules = [ + ]; imports = [ nodeFlake.inputs.disko.nixosModules.disko 
@@ -28,7 +28,9 @@ } ../../snippets/nix-settings.nix - { nix.settings.sandbox = lib.mkForce "relaxed"; } + { + nix.settings.sandbox = lib.mkForce "relaxed"; + } ../../snippets/mycelium.nix @@ -78,58 +80,60 @@ nat.enable = true; firewall.enable = true; - firewall.allowedTCPPorts = [ 5201 ]; - firewall.allowedUDPPorts = [ 5201 ]; + firewall.allowedTCPPorts = [ + 5201 + ]; + firewall.allowedUDPPorts = [ + 5201 + ]; }; - disko.devices = - let - disk = id: { - type = "disk"; - device = "/dev/${id}"; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; # for grub MBR - }; - mdadm = { - size = "100%"; - content = { - type = "mdraid"; - name = "raid0"; - }; + disko.devices = let + disk = id: { + type = "disk"; + device = "/dev/${id}"; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + mdadm = { + size = "100%"; + content = { + type = "mdraid"; + name = "raid0"; }; }; }; }; - in - { - disk = { - sda = disk "sda"; - sdb = disk "sdb"; - }; - mdadm = { - raid0 = { - type = "mdadm"; - level = 0; - content = { - type = "gpt"; - partitions = { - primary = { - size = "100%"; - content = { - type = "filesystem"; - format = "btrfs"; - mountpoint = "/"; - }; + }; + in { + disk = { + sda = disk "sda"; + sdb = disk "sdb"; + }; + mdadm = { + raid0 = { + type = "mdadm"; + level = 0; + content = { + type = "gpt"; + partitions = { + primary = { + size = "100%"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/"; }; }; }; }; }; }; + }; system.stateVersion = "24.05"; @@ -145,5 +149,7 @@ virtualisation.libvirtd.enable = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + boot.binfmt.emulatedSystems = [ + "aarch64-linux" + ]; } diff --git a/nix/os/devices/hstk0/default.nix b/nix/os/devices/hstk0/default.nix index 62e6cc1..86b5f1a 100644 --- a/nix/os/devices/hstk0/default.nix +++ b/nix/os/devices/hstk0/default.nix 
@@ -3,22 +3,19 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; + inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; ${nodeName} = { deployment.targetHost = "185.130.224.33"; diff --git a/nix/os/devices/hstk0/flake.nix b/nix/os/devices/hstk0/flake.nix index 721927c..8f0a7f4 100644 --- a/nix/os/devices/hstk0/flake.nix +++ b/nix/os/devices/hstk0/flake.nix @@ -16,37 +16,38 @@ # outputs = _: {}; - outputs = - { - self, - get-flake, - nixpkgs, - ... - }@attrs: - let - system = "x86_64-linux"; - nodeName = "hostkey-0"; + outputs = { + self, + get-flake, + nixpkgs, + ... + } @ attrs: let + system = "x86_64-linux"; + nodeName = "hostkey-0"; - mkNixosConfiguration = + mkNixosConfiguration = {extraModules ? [], ...} @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs { - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = { - nodeFlake = self; - repoFlake = get-flake ../../../..; - inherit nodeName; - }; + specialArgs = { + nodeFlake = self; + repoFlake = get-flake ../../../..; + inherit nodeName; + }; - modules = [ ./configuration.nix ] ++ extraModules; - } - ); - in - { - nixosConfigurations = { - native = mkNixosConfiguration { inherit system; }; + modules = + [ + ./configuration.nix + ] + ++ extraModules; + } + ); + in { + nixosConfigurations = { + native = mkNixosConfiguration { + inherit system; }; }; + }; } diff --git a/nix/os/devices/justyna-p300/boot.nix b/nix/os/devices/justyna-p300/boot.nix index 9d6bbe7..85006ed 100644 --- a/nix/os/devices/justyna-p300/boot.nix 
+++ b/nix/os/devices/justyna-p300/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce false; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.loader.grub.efiSupport = lib.mkForce false; diff --git a/nix/os/devices/justyna-p300/configuration.nix b/nix/os/devices/justyna-p300/configuration.nix index e636106..f2cb3f7 100644 --- a/nix/os/devices/justyna-p300/configuration.nix +++ b/nix/os/devices/justyna-p300/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/justyna-p300/default.nix b/nix/os/devices/justyna-p300/default.nix index 427ce7e..907e60b 100644 --- a/nix/os/devices/justyna-p300/default.nix +++ b/nix/os/devices/justyna-p300/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/justyna-p300/flake.nix b/nix/os/devices/justyna-p300/flake.nix index 9b8b8ed..3e68abe 100644 --- a/nix/os/devices/justyna-p300/flake.nix +++ b/nix/os/devices/justyna-p300/flake.nix @@ -6,8 +6,8 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - inputs.disko.url = "github:nix-community/disko"; + inputs.disko.url = github:nix-community/disko; inputs.disko.inputs.nixpkgs.follows = "nixpkgs"; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/justyna-p300/hw.nix b/nix/os/devices/justyna-p300/hw.nix index 4cf258f..0924dd2 100644 --- a/nix/os/devices/justyna-p300/hw.nix +++ b/nix/os/devices/justyna-p300/hw.nix 
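Review bot: In the `nix/os/devices/justyna-p300/flake.nix` hunk, `inputs.disko.url = github:nix-community/disko;` drops the quotes and turns the value into a Nix URL literal, whereas the neighbouring input in the same block stays a quoted string. URL literals are deprecated Nix syntax (RFC 45) and, as far as I can tell, newer Nix versions only accept them behind a deprecated-features switch, so this line can start failing to evaluate independently of the rest of the flake. Since the commit is otherwise a pure reformat, the unquoting looks unintended rather than a deliberate change. Keep the string form: `inputs.disko.url = "github:nix-community/disko";`.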
@@ -3,9 +3,10 @@ nodeFlake, lib, ... -}: -{ - imports = [ nodeFlake.inputs.disko.nixosModules.disko ]; +}: { + imports = [ + nodeFlake.inputs.disko.nixosModules.disko + ]; disko.devices.disk.sda = { device = "/dev/sda"; @@ -19,7 +20,7 @@ start = "0"; end = "1M"; part-type = "primary"; - flags = [ "bios_grub" ]; + flags = ["bios_grub"]; } { name = "root"; @@ -29,14 +30,14 @@ bootable = true; content = { type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition + extraArgs = ["-f"]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = [ "noatime" ]; + mountOptions = ["noatime"]; }; }; }; diff --git a/nix/os/devices/justyna-p300/pkg.nix b/nix/os/devices/justyna-p300/pkg.nix index 9982952..e780b7e 100644 --- a/nix/os/devices/justyna-p300/pkg.nix +++ b/nix/os/devices/justyna-p300/pkg.nix @@ -3,8 +3,7 @@ lib, packages', ... -}: -let +}: let homeEnv = keyboard: { imports = [ ../../../home-manager/profiles/common.nix @@ -24,19 +23,15 @@ let rustdesk ]; }; -in -{ +in { services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) { gnome-remote-desktop.enable = true; }; - services.printing.drivers = lib.mkForce ( - with packages'; - [ - dcpj4110dwDriver - dcpj4110dwCupswrapper - ] - ); + services.printing.drivers = lib.mkForce (with packages'; [ + dcpj4110dwDriver + dcpj4110dwCupswrapper + ]); services.printing.extraConf = '' LogLevel debug 
@@ -44,29 +39,31 @@ in home-manager.users.steveej = homeEnv { layout = "en"; - options = [ "nodeadkey" ]; + options = ["nodeadkey"]; variant = "altgr-intl"; }; home-manager.users.elias = homeEnv { layout = "de"; - options = [ ]; + options = []; variant = ""; }; home-manager.users.justyna = lib.attrsets.recursiveUpdate - (homeEnv { - layout = "de"; - options = [ ]; - variant = ""; - }) - { - services.syncthing.enable = true; - services.syncthing.tray = true; + (homeEnv { + layout = "de"; + options = []; + variant = ""; + }) + { + services.syncthing.enable = true; + services.syncthing.tray = true; - home.packages = with pkgs; [ session-desktop ]; - }; + home.packages = with pkgs; [ + session-desktop + ]; + }; system.stateVersion = "21.11"; } diff --git a/nix/os/devices/justyna-p300/system.nix b/nix/os/devices/justyna-p300/system.nix index 19ce3df..44c3db9 100644 --- a/nix/os/devices/justyna-p300/system.nix +++ b/nix/os/devices/justyna-p300/system.nix @@ -3,11 +3,9 @@ lib, config, ... -}: -let +}: let passwords = import ../../../variables/passwords.crypt.nix; -in -{ +in { networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -41,13 +39,11 @@ in # udev.packages = [ pkgs.gnome3.gnome-settings-daemon ]; }; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = [ "modesetting" ]; + services.xserver.videoDrivers = ["modesetting"]; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; } diff --git a/nix/os/devices/justyna-p300/user.nix b/nix/os/devices/justyna-p300/user.nix index c4690cf..6d86c59 100644 --- a/nix/os/devices/justyna-p300/user.nix +++ b/nix/os/devices/justyna-p300/user.nix 
@@ -1,9 +1,11 @@ -{ config, pkgs, ... }: -let - keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; -in { + config, + pkgs, + ... +}: let + keys = import ../../../variables/keys.nix; + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; +in { sops.secrets.sharedUsers-elias = { sopsFile = ../../../../secrets/shared-users.yaml; neededForUsers = true; diff --git a/nix/os/devices/router0-dmz0/configuration.nix b/nix/os/devices/router0-dmz0/configuration.nix index 6336562..8507ade 100644 --- a/nix/os/devices/router0-dmz0/configuration.nix +++ b/nix/os/devices/router0-dmz0/configuration.nix 
@@ -9,33 +9,33 @@ localDomainName, system, ... -}: -let - inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc; +}: let + inherit + (nodeFlake.inputs) + nixos-nftables-firewall + nixos-sbc + ; vlanRangeStart = builtins.head vlanRange; vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1); vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans); - vlanRangeWith0 = [ 0 ] ++ vlanRange; + vlanRangeWith0 = [0] ++ vlanRange; - mkVlanIpv4HostAddr = - { - vlanid, - host, - thirdIpv4SegmentMin ? 20, - cidr ? true, - }: - let - # reserve the first subnet for vlanid == 0 - # number the other subnets continously from there - offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart; - in - builtins.concatStringsSep "." [ - "192" - "168" - (toString (vlanid + offset)) - "${toString host}${lib.strings.optionalString cidr "/24"}" - ]; + mkVlanIpv4HostAddr = { + vlanid, + host, + thirdIpv4SegmentMin ? 20, + cidr ? true, + }: let + # reserve the first subnet for vlanid == 0 + # number the other subnets continously from there + offset = + if vlanid == 0 + then thirdIpv4SegmentMin + else thirdIpv4SegmentMin + 1 - vlanRangeStart; + in + builtins.concatStringsSep "." + ["192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}"]; defaultVlan = { name = "${localDomainName}"; 
@@ -62,25 +62,30 @@ let "15".packet_priority = -10; }; - vlansByName = lib.attrsets.mapAttrs' ( - vlanid': attrs: - lib.attrsets.nameValuePair attrs.name ( - attrs - // { - id = lib.strings.toInt vlanid'; - id' = vlanid'; - } + vlansByName = + lib.attrsets.mapAttrs' + ( + vlanid': attrs: + lib.attrsets.nameValuePair + attrs.name + (attrs + // { + id = lib.strings.toInt vlanid'; + id' = vlanid'; + }) ) - ) vlans; + vlans; - getVlanDomain = - { vlanid }: - if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." + defaultVlan.name; + getVlanDomain = {vlanid}: + if vlanid == 0 + then defaultVlan.name + else vlans."${toString vlanid}".name + "." + defaultVlan.name; bridgeInterfaceName = "br-lan"; - mkInterfaceName = - { vlanid }: - if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}"; + mkInterfaceName = {vlanid}: + if vlanid == 0 + then bridgeInterfaceName + else "${bridgeInterfaceName}.${toString vlanid}"; dmzExposedHost = "sj-srv1"; dmzExposedHostDomain = "dmz.internal"; @@ -91,10 +96,8 @@ let cidr = false; }; - dmzExposedHostMACaddr = - repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; -in -{ + dmzExposedHostMACaddr = repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress; +in { imports = [ nixos-sbc.nixosModules.default nixos-sbc.nixosModules.boards.bananapi.bpir3 @@ -127,7 +130,7 @@ in sops.secrets.passwords-root.neededForUsers = true; # sops.secrets.wlan0_saePasswordsFile = {}; - sops.secrets.wlan0_wpaPskFile = { }; + sops.secrets.wlan0_wpaPskFile = {}; } ]; 
@@ -190,15 +193,13 @@ in chains = { prerouting = { "exposeHost" = { - after = [ "hook" ]; - rules = - let - wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; - in - [ - "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" - "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" - ]; + after = ["hook"]; + rules = let + wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces; + in [ + "iifname { ${wanInterfaces} } tcp dport 220 redirect to 22" + "iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}" + ]; }; }; }; 
@@ -210,157 +211,149 @@ in # snippets.nnf-conntrack.enable = true; zones = { - lan.interfaces = [ (mkInterfaceName { vlanid = 0; }) ]; - vlan.interfaces = builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange; + lan.interfaces = [(mkInterfaceName {vlanid = 0;})]; + vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange; # lan.ipv4Addresses = ["192.168.0.0/16"]; - wan.interfaces = [ - "wan" - "lan0" - ]; - vpn.interfaces = [ - "wg0" - "wg1" - "wg2" - ]; + wan.interfaces = ["wan" "lan0"]; + vpn.interfaces = ["wg0" "wg1" "wg2"]; } // # generate a zone for each vlan - lib.attrsets.mapAttrs (key: value: { - interfaces = [ (mkInterfaceName { vlanid = value.id; }) ]; - }) vlansByName; - rules = - let - ipv6IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "packet-too-big" - "parameter-problem" - "time-exceeded" + lib.attrsets.mapAttrs + (key: value: { + interfaces = [(mkInterfaceName {vlanid = value.id;})]; + }) + vlansByName; + rules = let + ipv6IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "packet-too-big" + "parameter-problem" + "time-exceeded" - # Without the nd-* ones ipv6 will not work. 
- "nd-neighbor-solicit" - "nd-router-advert" - "nd-neighbor-advert" - ]; - ipv4IcmpTypes = [ - "destination-unreachable" - "echo-reply" - "echo-request" - "source-quench" - "time-exceeded" - "router-advertisement" - ]; - allowIcmpLines = [ - "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" - "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" - ]; - in - { - fw = { - from = [ "fw" ]; - verdict = "accept"; - }; - - office-to-dmz = { - from = [ "office" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - lan-to-fw = { - from = [ "lan" ]; - to = [ - "fw" - "lan" - ]; - verdict = "accept"; - }; - - lan-to-wan = { - from = [ "lan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-wan = { - from = [ "vlan" ]; - to = [ "wan" ]; - verdict = "accept"; - }; - - vlan-to-fw = { - allowedUDPPortRanges = [ - { - from = 53; - to = 53; - } - { - from = 67; - to = 68; - } - { - from = 5201; - to = 5201; - } - ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - { - from = 53; - to = 53; - } - { - from = 5201; - to = 5201; - } - ]; - from = [ "vlan" ]; - to = [ "fw" ]; - extraLines = allowIcmpLines ++ [ "drop" ]; - }; - - to-wan-nat = { - from = [ - "lan" - "vlan" - ]; - to = [ "wan" ]; - masquerade = true; - verdict = "accept"; - }; - - wan-to-dmz = { - from = [ "wan" ]; - to = [ "dmz" ]; - verdict = "accept"; - }; - - wan-to-fw = { - from = [ "wan" ]; - to = [ "fw" ]; - allowedTCPPortRanges = [ - { - from = 22; - to = 22; - } - ]; - extraLines = allowIcmpLines ++ [ "drop" ]; - }; - - to-vpn-nat = { - from = [ - "lan" - "vlan" - ]; - to = [ "vpn" ]; - masquerade = false; - verdict = "accept"; - }; + # Without the nd-* ones ipv6 will not work. 
+ "nd-neighbor-solicit" + "nd-router-advert" + "nd-neighbor-advert" + ]; + ipv4IcmpTypes = [ + "destination-unreachable" + "echo-reply" + "echo-request" + "source-quench" + "time-exceeded" + "router-advertisement" + ]; + allowIcmpLines = [ + "ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept" + "ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept" + ]; + in { + fw = { + from = ["fw"]; + verdict = "accept"; }; + + office-to-dmz = { + from = ["office"]; + to = ["dmz"]; + verdict = "accept"; + }; + + lan-to-fw = { + from = ["lan"]; + to = ["fw" "lan"]; + verdict = "accept"; + }; + + lan-to-wan = { + from = ["lan"]; + to = ["wan"]; + verdict = "accept"; + }; + + vlan-to-wan = { + from = ["vlan"]; + to = ["wan"]; + verdict = "accept"; + }; + + vlan-to-fw = { + allowedUDPPortRanges = [ + { + from = 53; + to = 53; + } + { + from = 67; + to = 68; + } + { + from = 5201; + to = 5201; + } + ]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + { + from = 53; + to = 53; + } + { + from = 5201; + to = 5201; + } + ]; + from = ["vlan"]; + to = ["fw"]; + extraLines = + allowIcmpLines + ++ [ + "drop" + ]; + }; + + to-wan-nat = { + from = ["lan" "vlan"]; + to = ["wan"]; + masquerade = true; + verdict = "accept"; + }; + + wan-to-dmz = { + from = ["wan"]; + to = ["dmz"]; + verdict = "accept"; + }; + + wan-to-fw = { + from = ["wan"]; + to = ["fw"]; + allowedTCPPortRanges = [ + { + from = 22; + to = 22; + } + ]; + extraLines = + allowIcmpLines + ++ [ + "drop" + ]; + }; + + to-vpn-nat = { + from = ["lan" "vlan"]; + to = ["vpn"]; + masquerade = false; + verdict = "accept"; + }; + }; }; }; }; 
@@ -384,14 +377,49 @@ in systemd.network = { wait-online.anyInterface = true; - netdevs = - let - router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; + netdevs = let + router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${ + builtins.toString + repoFlake + .nixosConfigurations + .router0-ifog + .config + .systemd + .network + .netdevs + .wg0 + .wireguardConfig + .ListenPort + }"; - router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}"; + router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${ + builtins.toString + repoFlake + .nixosConfigurations + .router0-ifog + .config + .systemd + .network + .netdevs + .wg1 + .wireguardConfig + .ListenPort + }"; - router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}"; - in + router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${ + builtins.toString + repoFlake + .nixosConfigurations + .router0-hosthatch + .config + .systemd + .network + .netdevs + .wg0 + .wireguardConfig + .ListenPort + }"; + in { # Create the bridge interface "20-${bridgeInterfaceName}" = { 
@@ -508,71 +536,75 @@ in }; } # generate the vlan devices. these will be tagged on the main bridge - // builtins.foldl' (acc: cur: acc // cur) { } ( + // builtins.foldl' + (acc: cur: acc // cur) + {} + ( builtins.map - ( - { vlanid, vlanid' }: - { - "20-${mkInterfaceName { inherit vlanid; }}" = { - netdevConfig = { - Kind = "vlan"; - Name = "${mkInterfaceName { inherit vlanid; }}"; - }; - vlanConfig.Id = vlanid; - }; - } - ) - ( - builtins.map (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) vlanRange - ) + ({ + vlanid, + vlanid', + }: { + "20-${mkInterfaceName {inherit vlanid;}}" = { + netdevConfig = { + Kind = "vlan"; + Name = "${mkInterfaceName {inherit vlanid;}}"; + }; + vlanConfig.Id = vlanid; + }; + }) + ( + builtins.map + (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) + vlanRange + ) ); - networks = - let - commonWanOptions = { - networkConfig = { - # start a DHCP Client for IPv4/6 Addressing/Routing - DHCP = true; - DNSOverTLS = true; - DNSSEC = true; - IPForward = true; + networks = let + commonWanOptions = { + networkConfig = { + # start a DHCP Client for IPv4/6 Addressing/Routing + DHCP = true; + DNSOverTLS = true; + DNSSEC = true; + IPForward = true; - # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC) - IPv6AcceptRA = true; - IPv6PrivacyExtensions = false; - DHCPPrefixDelegation = true; - }; - dhcpV4Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - }; - dhcpV6Config = { - UseDNS = false; - UseDomains = false; - UseHostname = false; - PrefixDelegationHint = "::/56"; - UseDelegatedPrefix = true; - WithoutRA = "solicit"; - }; - ipv6AcceptRAConfig = { - UseDNS = false; - UseDomains = false; - }; - - # TODO: enable these somehow - # extraConfig = '' - # [IPv6AcceptRA] - # # FIXME: supported in nixos-24.11 - # DHCPv6Client=solicit - - # # FIXME: not supported at all yet - # UsePREF64=true - # ''; + # accept Router Advertisements for Stateless IPv6 
Autoconfiguraton (SLAAC) + IPv6AcceptRA = true; + IPv6PrivacyExtensions = false; + DHCPPrefixDelegation = true; }; - in + dhcpV4Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + }; + dhcpV6Config = { + UseDNS = false; + UseDomains = false; + UseHostname = false; + PrefixDelegationHint = "::/56"; + UseDelegatedPrefix = true; + WithoutRA = "solicit"; + }; + ipv6AcceptRAConfig = { + UseDNS = false; + UseDomains = false; + }; + + # TODO: enable these somehow + # extraConfig = '' + # [IPv6AcceptRA] + # # FIXME: supported in nixos-24.11 + # DHCPv6Client=solicit + + # # FIXME: not supported at all yet + # UsePREF64=true + # ''; + }; + in { # places options here that should always exist "lo" = { @@ -739,7 +771,7 @@ in # Configure the bridge for its desired function "40-${bridgeInterfaceName}" = { matchConfig.Name = bridgeInterfaceName; - bridgeConfig = { }; + bridgeConfig = {}; address = [ (mkVlanIpv4HostAddr { vlanid = 0; @@ -761,13 +793,19 @@ in } ]; - vlan = (builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange); + vlan = ( + builtins.map + (vlanid: (mkInterfaceName {inherit vlanid;})) + vlanRange + ); }; "50-wg0" = { enable = true; matchConfig.Name = "wg0"; - address = [ "10.0.0.1/31" ]; + address = [ + "10.0.0.1/31" + ]; routes = [ # { @@ -782,7 +820,9 @@ in "50-wg1" = { enable = true; matchConfig.Name = "wg1"; - address = [ "10.0.0.3/31" ]; + address = [ + "10.0.0.3/31" + ]; routes = [ # { # routeConfig = { @@ -796,7 +836,9 @@ in "50-wg2" = { enable = true; matchConfig.Name = "wg2"; - address = [ "10.0.1.1/31" ]; + address = [ + "10.0.1.1/31" + ]; routes = [ # TODO: add a testing route here 
@@ -807,278 +849,280 @@ in # * netdev type vlan # * host address for vlan # * vlan config for wlan interface - // builtins.foldl' (acc: cur: acc // cur) { } ( - builtins.map - ( - { vlanid, vlanid' }: - { - # configure the tagged vlan device with an address and vlan filtering. - # dnsmasq is configured to serve the respective /24 range on each tagged device. - # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. - "41-${mkInterfaceName { inherit vlanid; }}" = { - matchConfig.Name = "${mkInterfaceName { inherit vlanid; }}"; - address = [ - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 1; - }) - ]; - networkConfig = { - ConfigureWithoutCarrier = true; + // builtins.foldl' + (acc: cur: acc // cur) + {} + (builtins.map + ({ + vlanid, + vlanid', + }: { + # configure the tagged vlan device with an address and vlan filtering. + # dnsmasq is configured to serve the respective /24 range on each tagged device. + # this device only receives traffic for the given vlanid and sends tagged traffic to the bridge. + "41-${mkInterfaceName {inherit vlanid;}}" = { + matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; + address = [ + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 1; + }) + ]; + networkConfig = { + ConfigureWithoutCarrier = true; - # the client shouldn't be allowed to send us RAs, that would be weird. - IPv6AcceptRA = false; + # the client shouldn't be allowed to send us RAs, that would be weird. 
+ IPv6AcceptRA = false; - DHCPPrefixDelegation = true; - IPv6SendRA = true; + DHCPPrefixDelegation = true; + IPv6SendRA = true; + }; + + dhcpPrefixDelegationConfig = { + UplinkInterface = "wan"; + Assign = true; + SubnetId = vlanid; + Announce = true; + }; + + linkConfig.RequiredForOnline = "no"; + linkConfig.ActivationPolicy = "always-up"; + + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; }; + } + ]; + }; - dhcpPrefixDelegationConfig = { - UplinkInterface = "wan"; - Assign = true; - SubnetId = vlanid; - Announce = true; + # configure the wlan interface as a bridge member that + # * only gets traffic for vid 15 + # * untags traffic after receiving it + # * tags traffic that comes out of it + "41-wlan0.${vlanid'}" = { + matchConfig.Name = "wlan0.${vlanid'}"; + networkConfig = { + Bridge = bridgeInterfaceName; + ConfigureWithoutCarrier = true; + }; + + linkConfig.RequiredForOnline = "no"; + + bridgeVLANs = [ + { + bridgeVLANConfig = { + VLAN = vlanid; + PVID = vlanid; + EgressUntagged = vlanid; }; + } + ]; + }; - linkConfig.RequiredForOnline = "no"; - linkConfig.ActivationPolicy = "always-up"; - - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; - }; - } - ]; - }; - - # configure the wlan interface as a bridge member that - # * only gets traffic for vid 15 - # * untags traffic after receiving it - # * tags traffic that comes out of it - "41-wlan0.${vlanid'}" = { - matchConfig.Name = "wlan0.${vlanid'}"; - networkConfig = { - Bridge = bridgeInterfaceName; - ConfigureWithoutCarrier = true; - }; - - linkConfig.RequiredForOnline = "no"; - - bridgeVLANs = [ - { - bridgeVLANConfig = { - VLAN = vlanid; - PVID = vlanid; - EgressUntagged = vlanid; - }; - } - ]; - }; - - # "50-${mkInterfaceName {inherit vlanid;}}" = { - # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; - # address = [ - # (mkVlanIpv4HostAddr { - # inherit vlanid; - # host = 1; - # }) - # ]; - # networkConfig = { - # ConfigureWithoutCarrier = true; - # }; - # 
linkConfig.RequiredForOnline = "no"; - # }; - } - ) - ( - builtins.map (vlanid: { - inherit vlanid; - vlanid' = builtins.toString vlanid; - }) vlanRange - ) - ); + # "50-${mkInterfaceName {inherit vlanid;}}" = { + # matchConfig.Name = "${mkInterfaceName {inherit vlanid;}}"; + # address = [ + # (mkVlanIpv4HostAddr { + # inherit vlanid; + # host = 1; + # }) + # ]; + # networkConfig = { + # ConfigureWithoutCarrier = true; + # }; + # linkConfig.RequiredForOnline = "no"; + # }; + }) + ( + builtins.map + (vlanid: { + inherit vlanid; + vlanid' = builtins.toString vlanid; + }) + vlanRange + )); }; # wireless access point services.hostapd = { enable = true; # package = nodeFlake.packages.${system}.hostapd_patched; - radios = - let - # generated with https://miniwebtool.com/mac-address-generator/ - mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; - in - { - wlan0 = { - band = "2g"; - # FIXME: apparently setting this could cause bugs, testing disabling it for a while. - # countryCode = "CH"; - channel = 0; # 0 would mean Automatic Channel Selection + radios = let + # generated with https://miniwebtool.com/mac-address-generator/ + mkBssid = i: "34:56:ce:0f:ed:4${toString i}"; + in { + wlan0 = { + band = "2g"; + # FIXME: apparently setting this could cause bugs, testing disabling it for a while. + # countryCode = "CH"; + channel = 0; # 0 would mean Automatic Channel Selection - settings = { - # TODO: this would be faster but x13s on windows can't connect when it's enabled. - # ieee80211n = 1; + settings = { + # TODO: this would be faster but x13s on windows can't connect when it's enabled. + # ieee80211n = 1; - # Exclude DFS channels from ACS - # This option can be used to exclude all DFS channels from the ACS channel list - # in cases where the driver supports DFS channels. - acs_exclude_dfs = 0; - }; + # Exclude DFS channels from ACS + # This option can be used to exclude all DFS channels from the ACS channel list + # in cases where the driver supports DFS channels. 
+ acs_exclude_dfs = 0; + }; - # use 'iw phy#1 info' to determine your VHT capabilities - wifi4 = { - enable = true; - require = false; - capabilities = [ - "HT20" - "HT40+" - "LDPC" - "SHORT-GI-20" - "SHORT-GI-40" - "TX-STBC" - "RX-STBC1" - "MAX-AMSDU-7935" + # use 'iw phy#1 info' to determine your VHT capabilities + wifi4 = { + enable = true; + require = false; + capabilities = [ + "HT20" + "HT40+" + "LDPC" + "SHORT-GI-20" + "SHORT-GI-40" + "TX-STBC" + "RX-STBC1" + "MAX-AMSDU-7935" - "40-INTOLERANT" + "40-INTOLERANT" - # not supported by BPI-R3 module - # "DELAYED-BA" - # "DSSS_CCK-40" - ]; - }; + # not supported by BPI-R3 module + # "DELAYED-BA" + # "DSSS_CCK-40" + ]; + }; - wifi5 = { - enable = false; - require = false; - }; + wifi5 = { + enable = false; + require = false; + }; - wifi6 = { - enable = false; - require = false; - }; + wifi6 = { + enable = false; + require = false; + }; - networks = { - wlan0 = - let - iface = "wlan0"; + networks = { + wlan0 = let + iface = "wlan0"; + in { + ssid = "mlsia"; + bssid = mkBssid 0; + + # enables debug logging + logLevel = 0; + + authentication.mode = + "wpa2-sha256" + # "wpa3-sae-transition" + # "wpa3-sae" + ; + + authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; + + # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do + # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; + + # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference + settings = { + # disable syslog because it duplicates stdout + logger_syslog = lib.mkForce 0; + + # bridge = bridgeInterfaceName; + + # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; + # not yet supported on hostapd 2.10 + # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; + + # resources on vlan tagging + # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging + # 
https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 + + dynamic_vlan = 1; + # this option currently requires a patch to hostapd + vlan_no_bridge = 1; + + /* + not used due to the above vlan_no_bridge setting + vlan_tagged_interface = bridgeInterfaceName; + vlan_naming = 1; + vlan_bridge = "br-${iface}."; + */ + + vlan_file = let + generated = + builtins.map + ( + vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" + ) + vlanRange; + + wildcard = [ + # Optional wildcard entry matching all VLAN IDs. The first # in the interface + # name will be replaced with the VLAN ID. The network interfaces are created + # (and removed) dynamically based on the use. + # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan + "* ${iface}.#" + ]; + + file = + pkgs.writeText "hostapd.vlan" + (builtins.concatStringsSep "\n" (generated ++ wildcard)); + filePath = toString file; in - { - ssid = "mlsia"; - bssid = mkBssid 0; + filePath; - # enables debug logging - logLevel = 0; + wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [ + "WPA-PSK" - authentication.mode = "wpa2-sha256" - # "wpa3-sae-transition" - # "wpa3-sae" - ; + # TODO: the printer can't connect when this is on + # "WPA-PSK-SHA256" - authentication.wpaPskFile = config.sops.secrets."${iface}_wpaPskFile".path; + # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them + # "SAE" + ]); - # TODO: unfortunately SAE passwords don't work per VLAN like PSKs do - # authentication.saePasswordsFile = config.sops.secrets."${iface}_saePasswordsFile".path; + # wpa_psk_radius = 0; + wpa_pairwise = "CCMP"; + wmm_enabled = 1; - # see https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for reference - settings = { - # disable syslog because it duplicates stdout - logger_syslog = lib.mkForce 0; + # IEEE 802.11i (authentication) related configuration + # Encrypt management frames to protect against deauthentication and similar 
attacks. + # 0 := disabled; 1 := optional; 2 := required + ieee80211w = 1; + # sae_require_mfp = 1; + # sae_groups = "19 20 21"; - # bridge = bridgeInterfaceName; + # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) + tls_flags = "[ENABLE-TLSv1.3]"; - # wpa_psk_file = config.sops.secrets.wlan0_wpaPskFile.path; - # not yet supported on hostapd 2.10 - # sae_password_file = config.sops.secrets.wlan0_saePasswordsFile.path; + # TODO: debugging for wifi drops happens below here + # Require IEEE 802.1X authorization + ieee8021x = 0; - # resources on vlan tagging - # https://wireless.wiki.kernel.org/en/users/Documentation/hostapd#dynamic_vlan_tagging - # https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/4 + # Optionally, hostapd can be configured to use an integrated EAP server + # to process EAP authentication locally without need for an external RADIUS + # server. This functionality can be used both as a local authentication server + # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. - dynamic_vlan = 1; - # this option currently requires a patch to hostapd - vlan_no_bridge = 1; + # Use integrated EAP server instead of external RADIUS authentication + # server. This is also needed if hostapd is configured to act as a RADIUS + # authentication server. + eap_server = 0; - /* - not used due to the above vlan_no_bridge setting - vlan_tagged_interface = bridgeInterfaceName; - vlan_naming = 1; - vlan_bridge = "br-${iface}."; - */ + # Disassociate stations based on excessive transmission failures or other + # indications of connection loss. This depends on the driver capabilities and + # may not be available with all drivers. + disassoc_low_ack = 0; - vlan_file = - let - generated = builtins.map ( - vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}" - ) vlanRange; + skip_inactivity_poll = 1; - wildcard = [ - # Optional wildcard entry matching all VLAN IDs. 
The first # in the interface - # name will be replaced with the VLAN ID. The network interfaces are created - # (and removed) dynamically based on the use. - # see https://w1.fi/cgit/hostap/tree/hostapd/hostapd.vlan - "* ${iface}.#" - ]; - - file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard)); - filePath = toString file; - in - filePath; - - wpa_key_mgmt = lib.mkForce ( - builtins.concatStringsSep " " [ - "WPA-PSK" - - # TODO: the printer can't connect when this is on - # "WPA-PSK-SHA256" - - # unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them - # "SAE" - ] - ); - - # wpa_psk_radius = 0; - wpa_pairwise = "CCMP"; - wmm_enabled = 1; - - # IEEE 802.11i (authentication) related configuration - # Encrypt management frames to protect against deauthentication and similar attacks. - # 0 := disabled; 1 := optional; 2 := required - ieee80211w = 1; - # sae_require_mfp = 1; - # sae_groups = "19 20 21"; - - # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) - tls_flags = "[ENABLE-TLSv1.3]"; - - # TODO: debugging for wifi drops happens below here - # Require IEEE 802.1X authorization - ieee8021x = 0; - - # Optionally, hostapd can be configured to use an integrated EAP server - # to process EAP authentication locally without need for an external RADIUS - # server. This functionality can be used both as a local authentication server - # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. - - # Use integrated EAP server instead of external RADIUS authentication - # server. This is also needed if hostapd is configured to act as a RADIUS - # authentication server. - eap_server = 0; - - # Disassociate stations based on excessive transmission failures or other - # indications of connection loss. This depends on the driver capabilities and - # may not be available with all drivers. - disassoc_low_ack = 0; - - skip_inactivity_poll = 1; - - # TODO: check if this is required. 
multicast can be more efficient so it'd be nice to disable this. - multicast_to_unicast = 0; - }; - }; + # TODO: check if this is required. multicast can be more efficient so it'd be nice to disable this. + multicast_to_unicast = 0; + }; }; }; }; + }; }; services.resolved.enable = false; @@ -1106,35 +1150,38 @@ in # v6 config enable-ra = true; - dhcp-range = - let - mkDhcpRange = - { tag, vlanid }: - builtins.concatStringsSep "," [ - tag - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 100; - cidr = false; - }) - (mkVlanIpv4HostAddr { - inherit vlanid; - host = 199; - cidr = false; - }) - "12h" - # "slaac" - # "ra-stateless" - # "ra-names" - ]; - in - builtins.map ( + dhcp-range = let + mkDhcpRange = { + tag, + vlanid, + }: + builtins.concatStringsSep "," [ + tag + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 100; + cidr = false; + }) + (mkVlanIpv4HostAddr { + inherit vlanid; + host = 199; + cidr = false; + }) + "12h" + # "slaac" + # "ra-stateless" + # "ra-names" + ]; + in + builtins.map + ( vlanid: - mkDhcpRange { - tag = mkInterfaceName { inherit vlanid; }; - inherit vlanid; - } - ) vlanRangeWith0; + mkDhcpRange { + tag = mkInterfaceName {inherit vlanid;}; + inherit vlanid; + } + ) + vlanRangeWith0; dhcp-host = builtins.concatStringsSep "," [ dmzExposedHostMACaddr 
@@ -1164,35 +1211,39 @@ in ]; domain = - [ "/${getVlanDomain { vlanid = 0; }}/,local" ] - ++ builtins.map ( - vlanid: - "${getVlanDomain { inherit vlanid; }},${ - mkVlanIpv4HostAddr { - inherit vlanid; - host = 0; - cidr = true; - } - },local" - ) vlanRangeWith0; + [ + "/${getVlanDomain {vlanid = 0;}}/,local" + ] + ++ builtins.map + ( + vlanid: "${getVlanDomain {inherit vlanid;}},${mkVlanIpv4HostAddr { + inherit vlanid; + host = 0; + cidr = true; + }},local" + ) + vlanRangeWith0; # TODO: compare this to using `interface-name` dynamic-host = - [ ] - ++ builtins.map ( + [ + ] + ++ builtins.map + ( vlanid: - builtins.concatStringsSep "," [ - # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) - "${nodeName}.${getVlanDomain { inherit vlanid; }}" - "0.0.0.1" - (mkInterfaceName { inherit vlanid; }) - ] - ) vlanRangeWith0; + builtins.concatStringsSep "," [ + # "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;}) + "${nodeName}.${getVlanDomain {inherit vlanid;}}" + "0.0.0.1" + (mkInterfaceName {inherit vlanid;}) + ] + ) + vlanRangeWith0; - dhcp-option-force = builtins.map ( - vlanid: - "${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}" - ) vlanRangeWith0; + dhcp-option-force = + builtins.map + (vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain {inherit vlanid;}}") + vlanRangeWith0; # auth-server = [ # (builtins.concatStringsSep "," [ diff --git a/nix/os/devices/router0-dmz0/default.nix b/nix/os/devices/router0-dmz0/default.nix index a0520dc..9dd8d5e 100644 --- a/nix/os/devices/router0-dmz0/default.nix +++ b/nix/os/devices/router0-dmz0/default.nix 
@@ -5,24 +5,25 @@ nodeFlake, localDomainName ? "internal", ... -}: -{ +}: { meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; + inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986; + inherit + (nodeFlake.inputs.bpir3.packages.${system}) + armTrustedFirmwareMT7986 + ; inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; diff --git a/nix/os/devices/router0-dmz0/flake.nix b/nix/os/devices/router0-dmz0/flake.nix index d222d2b..41f2f35 100644 --- a/nix/os/devices/router0-dmz0/flake.nix +++ b/nix/os/devices/router0-dmz0/flake.nix @@ -18,8 +18,8 @@ # "github:steveej-forks/nakato_nixos-sbc/kernel-6.9_and_cross-compile" # "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile" "github:steveej-forks/nakato_nixos-sbc/kernel-6.10_and_cross-compile_mtkbump" - # "git+file:///home/steveej/src/others/nakato_nixos-sbc/" - ; + # "git+file:///home/steveej/src/others/nakato_nixos-sbc/" + ; nixos-sbc.inputs.nixpkgs.follows = "nixpkgs"; nixos-nftables-firewall.url = "github:thelegy/nixos-nftables-firewall"; 
@@ -39,43 +39,43 @@ # }; }; - outputs = - { - self, - get-flake, - nixpkgs, - nixos-sbc, - ... - }: - let - nativeSystem = "aarch64-linux"; - nodeName = "router0-dmz0"; + outputs = { + self, + get-flake, + nixpkgs, + nixos-sbc, + ... + }: let + nativeSystem = "aarch64-linux"; + nodeName = "router0-dmz0"; - pkgs = nixpkgs.legacyPackages.${nativeSystem}; - pkgsCross = import self.inputs.nixpkgs { - system = "x86_64-linux"; - crossSystem = { - config = "aarch64-unknown-linux-gnu"; - }; + pkgs = nixpkgs.legacyPackages.${nativeSystem}; + pkgsCross = import self.inputs.nixpkgs { + system = "x86_64-linux"; + crossSystem = { + config = "aarch64-unknown-linux-gnu"; }; + }; - mkNixosConfiguration = + mkNixosConfiguration = {extraModules ? [], ...} @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs { - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; - repoFlake = get-flake ../../../..; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; + repoFlake = get-flake ../../../..; + nodeFlake = self; + }) + .meta + .nodeSpecialArgs + .${nodeName}; - modules = [ + modules = + [ ./configuration.nix # flake registry 
@@ -83,30 +83,34 @@ nixpkgs.overlays = builtins.attrValues self.overlays; nix.registry.nixpkgs.flake = nixpkgs; } - ] ++ extraModules; - } - ); - in - { - nixosConfigurations = { - native = mkNixosConfiguration { system = nativeSystem; }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; - } - ]; - }; + ] + ++ extraModules; + } + ); + in { + nixosConfigurations = { + native = mkNixosConfiguration { + system = nativeSystem; }; - overlays.default = final: previous: { - hostapd = previous.hostapd.overrideDerivation (attrs: { - patches = attrs.patches ++ [ - "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" - ]; - }); + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; + } + ]; }; }; + + overlays.default = final: previous: { + hostapd = previous.hostapd.overrideDerivation (attrs: { + patches = + attrs.patches + ++ [ + "${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch" + ]; + }); + }; + }; } diff --git a/nix/os/devices/router0-hosthatch/configuration.nix b/nix/os/devices/router0-hosthatch/configuration.nix index eaad322..b6b2146 100644 --- a/nix/os/devices/router0-hosthatch/configuration.nix +++ b/nix/os/devices/router0-hosthatch/configuration.nix @@ -9,8 +9,7 @@ system, variables, ... -}: -{ +}: { system.stateVersion = "24.05"; imports = [ @@ -49,7 +48,7 @@ boot.loader.grub.efiSupport = false; # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; + boot.loader.grub.devices = lib.mkForce ["/dev/vda"]; disko.devices.disk.vda = { device = "/dev/vda"; 
@@ -65,14 +64,14 @@ size = "100%"; content = { type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition + extraArgs = ["-f"]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = [ "noatime" ]; + mountOptions = ["noatime"]; mountpoint = "/nix"; }; "/boot" = { @@ -157,7 +156,9 @@ interface = "eth0"; address = variables.ipv4gateway; }; - nameservers = [ variables.ipv4dns ]; + nameservers = [ + variables.ipv4dns + ]; # these will be configured via nftables nat.enable = lib.mkForce false; @@ -175,20 +176,17 @@ snippets.nnf-common.enable = true; zones.wan = { - interfaces = [ "eth0" ]; + interfaces = ["eth0"]; }; zones.vpn = { - interfaces = [ - "wg0" - "wg1" - ]; + interfaces = ["wg0" "wg1"]; }; rules = { to-fw = { from = "all"; - to = [ "fw" ]; + to = ["fw"]; verdict = "drop"; allowedTCPPorts = [ @@ -204,8 +202,8 @@ }; vpn-to-wan-nat = { - from = [ "vpn" ]; - to = [ "wan" ]; + from = ["vpn"]; + to = ["wan"]; masquerade = true; verdict = "accept"; }; @@ -285,7 +283,9 @@ systemd.network.networks.wg0 = { enable = true; matchConfig.Name = "wg0"; - address = [ "10.0.1.0/31" ]; + address = [ + "10.0.1.0/31" + ]; routes = [ { @@ -299,7 +299,9 @@ systemd.network.networks.wg1 = { enable = true; matchConfig.Name = "wg1"; - address = [ "10.0.1.2/31" ]; + address = [ + "10.0.1.2/31" + ]; routes = [ { diff --git a/nix/os/devices/router0-hosthatch/default.nix b/nix/os/devices/router0-hosthatch/default.nix index fd2c485..202e206 100644 --- a/nix/os/devices/router0-hosthatch/default.nix +++ b/nix/os/devices/router0-hosthatch/default.nix 
@@ -4,24 +4,20 @@ repoFlake, nodeFlake, ... -}: -let +}: let variables = import ./variables.crypt.nix; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - variables - ; + inherit repoFlake nodeName nodeFlake system variables; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; ${nodeName} = { deployment.targetHost = variables.ipv4; diff --git a/nix/os/devices/router0-hosthatch/flake.nix b/nix/os/devices/router0-hosthatch/flake.nix index 3057b9a..6e7501b 100644 --- a/nix/os/devices/router0-hosthatch/flake.nix +++ b/nix/os/devices/router0-hosthatch/flake.nix @@ -15,5 +15,5 @@ nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/router0-ifog/configuration.nix b/nix/os/devices/router0-ifog/configuration.nix index a449e43..6aadabb 100644 --- a/nix/os/devices/router0-ifog/configuration.nix +++ b/nix/os/devices/router0-ifog/configuration.nix @@ -9,8 +9,7 @@ system, variables, ... -}: -{ +}: { system.stateVersion = "23.11"; imports = [ @@ -49,7 +48,7 @@ boot.loader.grub.efiSupport = false; # forcing seems required or else there's an error about duplicated devices - boot.loader.grub.devices = lib.mkForce [ "/dev/vda" ]; + boot.loader.grub.devices = lib.mkForce ["/dev/vda"]; disko.devices.disk.vda = { device = "/dev/vda"; @@ -65,14 +64,14 @@ size = "100%"; content = { type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition + extraArgs = ["-f"]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = [ "noatime" ]; + mountOptions = ["noatime"]; mountpoint = "/nix"; }; "/boot" = { 
@@ -157,7 +156,9 @@ interface = "eth0"; address = variables.ipv4gateway; }; - nameservers = [ variables.ipv4dns ]; + nameservers = [ + variables.ipv4dns + ]; # these will be configured via nftables nat.enable = lib.mkForce false; @@ -175,20 +176,17 @@ snippets.nnf-common.enable = true; zones.wan = { - interfaces = [ "eth0" ]; + interfaces = ["eth0"]; }; zones.vpn = { - interfaces = [ - "wg0" - "wg1" - ]; + interfaces = ["wg0" "wg1"]; }; rules = { to-fw = { from = "all"; - to = [ "fw" ]; + to = ["fw"]; verdict = "drop"; allowedTCPPorts = [ @@ -204,8 +202,8 @@ }; vpn-to-wan-nat = { - from = [ "vpn" ]; - to = [ "wan" ]; + from = ["vpn"]; + to = ["wan"]; masquerade = true; verdict = "accept"; }; @@ -285,7 +283,9 @@ systemd.network.networks.wg0 = { enable = true; matchConfig.Name = "wg0"; - address = [ "10.0.0.0/31" ]; + address = [ + "10.0.0.0/31" + ]; routes = [ { @@ -299,7 +299,9 @@ systemd.network.networks.wg1 = { enable = true; matchConfig.Name = "wg1"; - address = [ "10.0.0.2/31" ]; + address = [ + "10.0.0.2/31" + ]; routes = [ { diff --git a/nix/os/devices/router0-ifog/default.nix b/nix/os/devices/router0-ifog/default.nix index fd2c485..202e206 100644 --- a/nix/os/devices/router0-ifog/default.nix +++ b/nix/os/devices/router0-ifog/default.nix @@ -4,24 +4,20 @@ repoFlake, nodeFlake, ... -}: -let +}: let variables = import ./variables.crypt.nix; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - variables - ; + inherit repoFlake nodeName nodeFlake system variables; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; ${nodeName} = { deployment.targetHost = variables.ipv4; 
diff --git a/nix/os/devices/router0-ifog/flake.nix b/nix/os/devices/router0-ifog/flake.nix index 3057b9a..6e7501b 100644 --- a/nix/os/devices/router0-ifog/flake.nix +++ b/nix/os/devices/router0-ifog/flake.nix @@ -15,5 +15,5 @@ nixos-nftables-firewall.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/sj-srv1/boot.nix b/nix/os/devices/sj-srv1/boot.nix index 6a7ae06..59a5051 100644 --- a/nix/os/devices/sj-srv1/boot.nix +++ b/nix/os/devices/sj-srv1/boot.nix @@ -1,4 +1,3 @@ -{ lib, ... }: -{ - boot.extraModulePackages = [ ]; +{lib, ...}: { + boot.extraModulePackages = []; } diff --git a/nix/os/devices/sj-srv1/configuration.nix b/nix/os/devices/sj-srv1/configuration.nix index 4975dde..bada0c3 100644 --- a/nix/os/devices/sj-srv1/configuration.nix +++ b/nix/os/devices/sj-srv1/configuration.nix @@ -3,9 +3,8 @@ config, pkgs, ... -}: -{ - disabledModules = [ ]; +}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix { diff --git a/nix/os/devices/sj-srv1/default.nix b/nix/os/devices/sj-srv1/default.nix index 6ec896d..94458cb 100644 --- a/nix/os/devices/sj-srv1/default.nix +++ b/nix/os/devices/sj-srv1/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.dmz.internal"; diff --git a/nix/os/devices/sj-srv1/flake.nix b/nix/os/devices/sj-srv1/flake.nix index 20a919c..5d25964 100644 --- a/nix/os/devices/sj-srv1/flake.nix +++ b/nix/os/devices/sj-srv1/flake.nix 
@@ -12,5 +12,5 @@ inputs.nixpkgs_forgejo.url = "github:NixOS/nixpkgs/af4ac075a3e97cb239078e187112afdf380cd47b"; # nixpkgs_forgejo.url = "github:steveej-forks/nixpkgs/9c3519ab3beb11b8d997281f8922330f707df419"; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/sj-srv1/hw.nix b/nix/os/devices/sj-srv1/hw.nix index 22f021a..65a001d 100644 --- a/nix/os/devices/sj-srv1/hw.nix +++ b/nix/os/devices/sj-srv1/hw.nix @@ -1,5 +1,4 @@ -{ ... }: -let +{...}: let stage1Modules = [ "virtio_balloon" "virtio_scsi" @@ -39,8 +38,7 @@ let "cdc_ether" "uas" ]; -in -{ +in { hardware.opinionatedDisk = { enable = true; encrypted = false; diff --git a/nix/os/devices/sj-srv1/system.nix b/nix/os/devices/sj-srv1/system.nix index 5aea904..978ce76 100644 --- a/nix/os/devices/sj-srv1/system.nix +++ b/nix/os/devices/sj-srv1/system.nix @@ -6,29 +6,29 @@ nodeFlake, nodeName, ... -}: -let +}: let hostBridgeAddress = "192.168.101.1"; -in -{ +in { imports = [ ../../snippets/systemd-resolved.nix { # make sure it uses the DNS that comes in via DHCP - networking.nameservers = lib.mkForce [ ]; + networking.nameservers = lib.mkForce []; services.resolved.enable = true; # provide DNS to the containers services.resolved.extraConfig = '' DNSStubListenerExtra=${hostBridgeAddress} ''; - networking.firewall.interfaces.br0.allowedTCPPorts = [ 53 ]; - networking.firewall.interfaces.br0.allowedUDPPorts = [ 53 ]; + networking.firewall.interfaces.br0.allowedTCPPorts = [53]; + networking.firewall.interfaces.br0.allowedUDPPorts = [53]; } ]; programs.wireshark.enable = true; - environment.systemPackages = [ pkgs.dnsutils ]; + environment.systemPackages = [ + pkgs.dnsutils + ]; networking.firewall.enable = true; networking.nftables.enable = true; @@ -48,13 +48,13 @@ in networking.nat = { enable = true; - internalInterfaces = [ "br0" ]; + internalInterfaces = ["br0"]; externalInterface = "dmz0"; }; networking.bridges = { br0 = { - interfaces = [ ]; + interfaces = []; }; }; networking.interfaces = { 
@@ -89,7 +89,9 @@ in networkConfig.LinkLocalAddressing = "no"; # TODO: i'm not sure if and if so why this is required - macvlan = [ "dmz0" ]; + macvlan = [ + "dmz0" + ]; DHCP = "no"; }; 
@@ -109,49 +111,45 @@ in }; # virtualization - virtualisation = { - docker.enable = false; - }; + virtualisation = {docker.enable = false;}; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml; # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix - services.restic.backups.${nodeName} = - let - btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; - in - { - initialize = true; - repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; + services.restic.backups.${nodeName} = let + btrfs = "${pkgs.btrfs-progs}/bin/btrfs"; + in { + initialize = true; + repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}"; - paths = [ "/backup" ]; + paths = [ + "/backup" + ]; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 5" - "--keep-monthly 12" - "--keep-yearly 2" - ]; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 2" + ]; - timerConfig = { - OnCalendar = lib.mkDefault "daily"; - Persistent = true; - }; - - passwordFile = config.sops.secrets.restic-password.path; - - backupPrepareCommand = '' - ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes - ''; - backupCleanupCommand = '' - ${btrfs} su delete /backup/container-volumes - ''; + timerConfig = { + OnCalendar = lib.mkDefault "daily"; + Persistent = true; }; + passwordFile = config.sops.secrets.restic-password.path; + + backupPrepareCommand = '' + ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes + ''; + backupCleanupCommand = '' + ${btrfs} su delete /backup/container-volumes + ''; + }; + containers = { mailserver = import ../../containers/mailserver.nix { specialArgs = { 
@@ -169,23 +167,25 @@ in sievePort = 4190; }; - webserver = import ../../containers/webserver.nix { - specialArgs = { - inherit repoFlake nodeFlake; + webserver = + import ../../containers/webserver.nix + { + specialArgs = { + inherit repoFlake nodeFlake; + hostAddress = hostBridgeAddress; + }; + + autoStart = true; + + hostBridge = "br0"; hostAddress = hostBridgeAddress; + localAddress = "192.168.101.11/24"; + + httpPort = 80; + httpsPort = 443; + forgejoSshPort = 2222; }; - autoStart = true; - - hostBridge = "br0"; - hostAddress = hostBridgeAddress; - localAddress = "192.168.101.11/24"; - - httpPort = 80; - httpsPort = 443; - forgejoSshPort = 2222; - }; - syncthing = import ../../containers/syncthing.nix { specialArgs = { inherit repoFlake nodeFlake; diff --git a/nix/os/devices/sj-vps-htz0/boot.nix b/nix/os/devices/sj-vps-htz0/boot.nix index ed21f9c..5713789 100644 --- a/nix/os/devices/sj-vps-htz0/boot.nix +++ b/nix/os/devices/sj-vps-htz0/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/devices/sj-vps-htz0/configuration.nix b/nix/os/devices/sj-vps-htz0/configuration.nix index 5ef0c25..b734123 100644 --- a/nix/os/devices/sj-vps-htz0/configuration.nix +++ b/nix/os/devices/sj-vps-htz0/configuration.nix @@ -3,9 +3,8 @@ config, pkgs, ... -}: -{ - disabledModules = [ ]; +}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix { diff --git a/nix/os/devices/sj-vps-htz0/default.nix b/nix/os/devices/sj-vps-htz0/default.nix index 7683a53..12e0271 100644 --- a/nix/os/devices/sj-vps-htz0/default.nix +++ b/nix/os/devices/sj-vps-htz0/default.nix 
@@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.infra.stefanjunker.de"; diff --git a/nix/os/devices/sj-vps-htz0/flake.nix b/nix/os/devices/sj-vps-htz0/flake.nix index f8ca24f..c315b8e 100644 --- a/nix/os/devices/sj-vps-htz0/flake.nix +++ b/nix/os/devices/sj-vps-htz0/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/sj-vps-htz0/hw.nix b/nix/os/devices/sj-vps-htz0/hw.nix index 9eb01fc..7566a02 100644 --- a/nix/os/devices/sj-vps-htz0/hw.nix +++ b/nix/os/devices/sj-vps-htz0/hw.nix @@ -1,5 +1,4 @@ -{ ... }: -let +{...}: let stage1Modules = [ "virtio_balloon" "virtio_scsi" @@ -15,8 +14,7 @@ let "pata_acpi" "ata_generic" ]; -in -{ +in { hardware.opinionatedDisk = { enable = true; encrypted = false; diff --git a/nix/os/devices/sj-vps-htz0/system.nix b/nix/os/devices/sj-vps-htz0/system.nix index 322c790..7efcbbd 100644 --- a/nix/os/devices/sj-vps-htz0/system.nix +++ b/nix/os/devices/sj-vps-htz0/system.nix @@ -5,12 +5,12 @@ repoFlake, nodeName, ... -}: -let +}: let wireguardPort = 51820; -in -{ - imports = [ ../../snippets/systemd-resolved.nix ]; +in { + imports = [ + ../../snippets/systemd-resolved.nix + ]; networking.firewall.enable = true; networking.nftables.enable = true; @@ -19,7 +19,9 @@ in # iperf3 5201 ]; - networking.firewall.allowedUDPPorts = [ wireguardPort ]; + networking.firewall.allowedUDPPorts = [ + wireguardPort + ]; networking.firewall.logRefusedConnections = false; 
@@ -36,7 +38,7 @@ in "prefixLength" = 29; } ]; - ipv6.addresses = [ ]; + ipv6.addresses = []; }; networking.defaultGateway = { @@ -51,10 +53,7 @@ in networking.nat = { enable = true; - internalInterfaces = [ - "ve-*" - "wg*" - ]; + internalInterfaces = ["ve-*" "wg*"]; externalInterface = "eth0"; }; @@ -71,12 +70,15 @@ in networking.wireguard.interfaces.wg0 = { # eth0 MTU (1400) - 80 mtu = 1320; - ips = [ "192.168.99.1/31" ]; - listenPort = wireguardPort; + ips = [ + "192.168.99.1/31" + ]; + listenPort = + wireguardPort; privateKeyFile = config.sops.secrets.wg0-private.path; peers = [ { - allowedIPs = [ "192.168.99.2/32" ]; + allowedIPs = ["192.168.99.2/32"]; publicKey = "O3k4jEdX6jkV1fHP/J8KSH5tvi+n1VvnBTD5na6Naw0="; presharedKeyFile = config.sops.secrets.wg0-psk-steveej-psk.path; } @@ -84,18 +86,14 @@ in }; # virtualization - virtualisation = { - docker.enable = false; - }; + virtualisation = {docker.enable = false;}; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; - containers = { }; + containers = {}; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; diff --git a/nix/os/devices/srv0-dmz0/configuration.nix b/nix/os/devices/srv0-dmz0/configuration.nix index 49c79de..b59afac 100644 --- a/nix/os/devices/srv0-dmz0/configuration.nix +++ b/nix/os/devices/srv0-dmz0/configuration.nix @@ -5,12 +5,10 @@ pkgs, config, ... -}: -let +}: let disk = "/dev/disk/by-id/ata-INTEL_SSDSC2BW240A4_PHDA435602332403GN"; -in -{ - disabledModules = [ ]; +in { + disabledModules = []; imports = [ repoFlake.inputs.disko.nixosModules.disko repoFlake.inputs.srvos.nixosModules.server @@ -25,7 +23,7 @@ in ]; ## bare-metal machines - srvos.boot.consoles = [ "tty0" ]; + srvos.boot.consoles = ["tty0"]; boot.loader.grub.enable = false; boot.loader.efi.canTouchEfiVariables = false; 
@@ -41,7 +39,7 @@ in start = "0"; end = "1M"; part-type = "primary"; - flags = [ "bios_grub" ]; + flags = ["bios_grub"]; } { name = "ESP"; @@ -62,14 +60,14 @@ in bootable = true; content = { type = "btrfs"; - extraArgs = [ "-f" ]; # Override existing partition + extraArgs = ["-f"]; # Override existing partition subvolumes = { # Subvolume name is different from mountpoint "/rootfs" = { mountpoint = "/"; }; "/nix" = { - mountOptions = [ "noatime" ]; + mountOptions = ["noatime"]; }; }; }; @@ -111,7 +109,7 @@ in networking.nat = { enable = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = ["ve-+"]; externalInterface = "eth0"; }; @@ -121,11 +119,9 @@ in # virtualization # virtualisation = {docker.enable = true;}; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; - containers = { }; + containers = {}; # sops.secrets.holochain-nomad-agent-ca = { # sopsFile = ../../../../secrets/holochain-infra/nomad.yaml; diff --git a/nix/os/devices/srv0-dmz0/default.nix b/nix/os/devices/srv0-dmz0/default.nix index 3af624b..5c0b7bb 100644 --- a/nix/os/devices/srv0-dmz0/default.nix +++ b/nix/os/devices/srv0-dmz0/default.nix @@ -3,17 +3,17 @@ repoFlake, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = "srv0.dmz0.noosphere.life"; diff --git a/nix/os/devices/srv0-dmz0/flake.nix b/nix/os/devices/srv0-dmz0/flake.nix index 2f27989..f2af929 100644 --- a/nix/os/devices/srv0-dmz0/flake.nix +++ b/nix/os/devices/srv0-dmz0/flake.nix @@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } 
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix index 2e02970..fe0b621 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiSupport = true; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix index b29548c..28a63fb 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/configuration.nix @@ -1,6 +1,5 @@ -{ ... }: -{ - disabledModules = [ ]; +{...}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix index b092ef6..8815036 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/hw.nix @@ -1,5 +1,4 @@ -{ ... }: -let +{...}: let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -18,8 +17,7 @@ let "xhci_hcd" "xhci_pci" ]; -in -{ +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix index 1f5de15..b6c8038 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/pkg.nix 
@@ -3,11 +3,14 @@ pkgs, lib, ... -}: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; +}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; @@ -17,12 +20,7 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = [ - "kvm" - "nixos-test" - "big-parallel" - "benchmark" - ]; + supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; maxJobs = 4; } ]; diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix index 743cee7..e677958 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/system.nix @@ -3,11 +3,9 @@ lib, config, ... -}: -let +}: let keys = import ../../../variables/keys.nix; -in -{ +in { # TASK: new device networking.hostName = "srv0"; # Define your hostname. # networking.domain = "home-ch.stefanjunker.de"; @@ -39,7 +37,7 @@ in networking.nat = { enable = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = ["ve-+"]; externalInterface = "eth0"; }; @@ -47,20 +45,14 @@ in # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = { - docker.enable = true; - }; + virtualisation = {docker.enable = true;}; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; networking.useHostResolvConf = false; - services.resolved = { - enable = true; - }; + services.resolved = {enable = true;}; - containers = { }; + containers = {}; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions 
diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix index 1bc2086..bb546e6 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.nix @@ -4,8 +4,7 @@ let ref = "nixos-22.05"; rev = "040c6d8374d090f46ab0e99f1f7c27a4529ecffd"; }; -in -{ +in { inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix index 5817e21..511138c 100644 --- a/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix +++ b/nix/os/devices/srv0.home-ch.stefanjunker.de/versions.tmpl.nix @@ -6,8 +6,7 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.05 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; "channels-nixos-stable" = nixpkgs; "nixpkgs-master" = { diff --git a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix index d009275..a15e1aa 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix index ac9e009..6d8eadd 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/hw.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/hw.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-nuc7pjyh-work/system.nix b/nix/os/devices/steveej-nuc7pjyh-work/system.nix index 94eeae2..73d39d9 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/system.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/system.nix 
@@ -1,9 +1,11 @@ -{ pkgs, lib, ... }: -let -in { + pkgs, + lib, + ... +}: let +in { services.udev.extraRules = ''SUBSYSTEM=="sgx", MODE="0660", GROUP="sgx"''; - users.groups.sgx = { }; + users.groups.sgx = {}; networking.hostName = "steveej-nuc7pjyh-work"; # Define your hostname. boot.kernelPackages = lib.mkForce pkgs.linuxPackages_sgx_latest; } diff --git a/nix/os/devices/steveej-nuc7pjyh-work/user.nix b/nix/os/devices/steveej-nuc7pjyh-work/user.nix index 8549047..2b72309 100644 --- a/nix/os/devices/steveej-nuc7pjyh-work/user.nix +++ b/nix/os/devices/steveej-nuc7pjyh-work/user.nix @@ -1,10 +1,12 @@ -{ config, pkgs, ... }: -let +{ + config, + pkgs, + ... +}: let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; -in -{ + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; +in { users.extraUsers.sjunker = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; @@ -12,7 +14,7 @@ in image = "quay.io/enarx/fedora"; run_args = "-v /dev/sgx:/dev/sgx"; }; - extraGroups = [ "sgx" ]; + extraGroups = ["sgx"]; subUidRanges = [ { diff --git a/nix/os/devices/steveej-pa600/boot.nix b/nix/os/devices/steveej-pa600/boot.nix index 639698f..4d8c1d1 100644 --- a/nix/os/devices/steveej-pa600/boot.nix +++ b/nix/os/devices/steveej-pa600/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; } diff --git a/nix/os/devices/steveej-pa600/configuration.nix b/nix/os/devices/steveej-pa600/configuration.nix index 68ad190..37f4c61 100644 --- a/nix/os/devices/steveej-pa600/configuration.nix +++ b/nix/os/devices/steveej-pa600/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix 
diff --git a/nix/os/devices/steveej-pa600/hw.nix b/nix/os/devices/steveej-pa600/hw.nix index d5c1402..a563c1a 100644 --- a/nix/os/devices/steveej-pa600/hw.nix +++ b/nix/os/devices/steveej-pa600/hw.nix @@ -1,5 +1,4 @@ -{ ... }: -let +{...}: let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -8,8 +7,7 @@ let "xhci_pci" "hxci_hcd" ]; -in -{ +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/steveej-pa600/pkg.nix b/nix/os/devices/steveej-pa600/pkg.nix index 8e23ab6..1db742a 100644 --- a/nix/os/devices/steveej-pa600/pkg.nix +++ b/nix/os/devices/steveej-pa600/pkg.nix @@ -1,8 +1,11 @@ -{ pkgs, ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; +{pkgs, ...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; home-manager.users.steveej = import ../../../home-manager/configuration/graphical-fullblown.nix { inherit pkgs; diff --git a/nix/os/devices/steveej-pa600/system.nix b/nix/os/devices/steveej-pa600/system.nix index a1d8fdd..02256d8 100644 --- a/nix/os/devices/steveej-pa600/system.nix +++ b/nix/os/devices/steveej-pa600/system.nix @@ -3,11 +3,9 @@ lib, config, ... -}: -let +}: let keys = import ../../../variables/keys.nix; -in -{ +in { # TASK: new device networking.hostName = "steveej-pa600"; # Define your hostname. @@ -22,11 +20,7 @@ in services.printing = { enable = true; - drivers = with pkgs; [ - hplip - mfcl3770cdw.driver - mfcl3770cdw.cupswrapper - ]; + drivers = with pkgs; [hplip mfcl3770cdw.driver mfcl3770cdw.cupswrapper]; }; services.fprintd.enable = true; 
@@ -35,9 +29,9 @@ in sudo.fprintAuth = true; }; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = [ "modesetting" ]; + services.xserver.videoDrivers = ["modesetting"]; services.xserver.serverFlagsSection = '' Option "BlankTime" "0" Option "StandbyTime" "0" diff --git a/nix/os/devices/steveej-pa600/user.nix b/nix/os/devices/steveej-pa600/user.nix index ccea56e..4b85fea 100644 --- a/nix/os/devices/steveej-pa600/user.nix +++ b/nix/os/devices/steveej-pa600/user.nix @@ -1,10 +1,12 @@ -{ config, pkgs, ... }: -let +{ + config, + pkgs, + ... +}: let passwords = import ../../../variables/passwords.crypt.nix; keys = import ../../../variables/keys.nix; - inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser; -in -{ + inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser; +in { users.extraUsers.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; diff --git a/nix/os/devices/steveej-pa600/versions.nix b/nix/os/devices/steveej-pa600/versions.nix index e7d4567..ce6b116 100644 --- a/nix/os/devices/steveej-pa600/versions.nix +++ b/nix/os/devices/steveej-pa600/versions.nix @@ -4,12 +4,9 @@ let ref = "nixos-20.09"; rev = "e065200fc90175a8f6e50e76ef10a48786126e1c"; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-pa600/versions.tmpl.nix b/nix/os/devices/steveej-pa600/versions.tmpl.nix index 08f1a43..96f7be3 100644 --- a/nix/os/devices/steveej-pa600/versions.tmpl.nix +++ b/nix/os/devices/steveej-pa600/versions.tmpl.nix 
@@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-20.09 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix index 9682eb6..b32a198 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../profiles/common/configuration.nix ../../profiles/graphical/configuration.nix diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix index 6e9151e..14df96a 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/hw.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { # TASK: new device hardware.encryptedDisk = { enable = true; diff --git a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix index fb919e7..4329e5c 100644 --- a/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix +++ b/nix/os/devices/steveej-rmvbl-mmc-SL32G_0x259093f6/system.nix @@ -1,4 +1,3 @@ -{ ... }: -{ +{...}: { networking.hostName = "steveej-rmvbl-mmc-SL32G_0x259093f6"; # Define your hostname. } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix index c08504e..d49dbd3 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/configuration.nix 
@@ -1,8 +1,11 @@ -{ ... }: -{ - nixpkgs.config.packageOverrides = - pkgs: with pkgs; { - nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath; +{...}: { + nixpkgs.config.packageOverrides = pkgs: + with pkgs; { + nixPath = + (import ../../../default.nix { + versionsPath = ./versions.nix; + }) + .nixPath; }; imports = [ diff --git a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix index 21b47b9..408b2a9 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/hw.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/hw.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { # TASK: new device hardware.opinionatedDisk.diskId = "usb-SanDisk_Extreme_Pro_12345978EC62-0:0"; hardware.opinionatedDisk.encrypted = true; diff --git a/nix/os/devices/steveej-rmvbl-sdep0/system.nix b/nix/os/devices/steveej-rmvbl-sdep0/system.nix index cdad21b..5bad73f 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/system.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/system.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { networking.hostName = "steveej-rmvbl-sdep0"; # Define your hostname. system.stateVersion = "21.05"; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix index 3771f25..f8759b8 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.nix 
@@ -2,33 +2,35 @@ let nixpkgs = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-22.11"; - rev = ''0040164e473509b4aee6aedb3b923e400d6df10b''; + rev = '' + 0040164e473509b4aee6aedb3b923e400d6df10b''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable"; - rev = ''d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; + rev = '' + d9f759f2ea8d265d974a6e1259bd510ac5844c5d''; }; "channels-nixos-unstable-small" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "nixos-unstable-small"; - rev = ''9c34c8adba80180608794cce600b10183b048942''; + rev = '' + 9c34c8adba80180608794cce600b10183b048942''; }; "nixpkgs-master" = { url = "https://github.com/NixOS/nixpkgs/"; ref = "master"; - rev = ''f9adb566707a492bd3d17fee1e223695d939b52a''; + rev = '' + f9adb566707a492bd3d17fee1e223695d939b52a''; }; "home-manager-module" = { url = "https://github.com/nix-community/home-manager"; ref = "release-22.11"; - rev = ''d6f3ba090ed090ae664ab5bac329654093aae725''; + rev = '' + d6f3ba090ed090ae664ab5bac329654093aae725''; }; } diff --git a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix index 92abc4a..a0fa34a 100644 --- a/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix +++ b/nix/os/devices/steveej-rmvbl-sdep0/versions.tmpl.nix @@ -6,12 +6,9 @@ let <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>''; }; -in -{ +in { inherit nixpkgs; - nixos = nixpkgs // { - suffix = "/nixos"; - }; + nixos = nixpkgs // {suffix = "/nixos";}; "channels-nixos-stable" = nixpkgs; "channels-nixos-unstable" = { url = "https://github.com/NixOS/nixpkgs/"; diff --git a/nix/os/devices/steveej-t14/boot.nix b/nix/os/devices/steveej-t14/boot.nix index d3ff0b5..281d09e 100644 
--- a/nix/os/devices/steveej-t14/boot.nix +++ b/nix/os/devices/steveej-t14/boot.nix @@ -1,5 +1,8 @@ -{ lib, pkgs, ... }: { + lib, + pkgs, + ... +}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest; diff --git a/nix/os/devices/steveej-t14/configuration.nix b/nix/os/devices/steveej-t14/configuration.nix index d4221ca..a094278 100644 --- a/nix/os/devices/steveej-t14/configuration.nix +++ b/nix/os/devices/steveej-t14/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../snippets/home-manager-with-zsh.nix ../../snippets/nix-settings-holo-chain.nix 
@@ -20,61 +19,58 @@ ./boot.nix # samba seerver - ( - { lib, ... }: - { - # networking.firewall.enable = lib.mkForce false; - services.samba-wsdd.enable = true; # make shares visible for windows 10 clients - networking.firewall.allowedTCPPorts = [ - 5357 # wsdd - ]; - networking.firewall.allowedUDPPorts = [ - 3702 # wsdd - ]; - services.samba = { - enable = true; + ({lib, ...}: { + # networking.firewall.enable = lib.mkForce false; + services.samba-wsdd.enable = true; # make shares visible for windows 10 clients + networking.firewall.allowedTCPPorts = [ + 5357 # wsdd + ]; + networking.firewall.allowedUDPPorts = [ + 3702 # wsdd + ]; + services.samba = { + enable = true; - securityType = "user"; + securityType = "user"; - extraConfig = '' - workgroup = ARBEITSGRUPPE - server string = steveej-t14 - netbios name = steveej-t14 - security = user + extraConfig = '' + workgroup = ARBEITSGRUPPE + server string = steveej-t14 + netbios name = steveej-t14 + security = user - # use sendfile = yes + # use sendfile = yes - # for executables on windows - acl allow execute always = True + # for executables on windows + acl allow execute always = True - # legacy windows quirks - max protocol = NT1 - min protocol = NT1 - ntlm auth = yes + # legacy windows quirks + max protocol = NT1 + min protocol = NT1 + ntlm auth = yes - # client max protocol = SMB1 - # client min protocol = NT1 + # client max protocol = SMB1 + # client min protocol = NT1 - # note: localhost is the ipv6 localhost ::1 - hosts allow = 192.168. 127.0.0.1 localhost - hosts deny = 0.0.0.0/0 - guest account = nobody - map to guest = bad user - ''; - shares = { - voodoo = { - path = "/home/steveej/Desktop/voodoo"; - browseable = "yes"; - "read only" = "no"; - "guest ok" = "no"; - "create mask" = "0644"; - "directory mask" = "0755"; - # "force user" = "steveej"; - # "force group" = "users"; - }; + # note: localhost is the ipv6 localhost ::1 + hosts allow = 192.168. 
127.0.0.1 localhost + hosts deny = 0.0.0.0/0 + guest account = nobody + map to guest = bad user + ''; + shares = { + voodoo = { + path = "/home/steveej/Desktop/voodoo"; + browseable = "yes"; + "read only" = "no"; + "guest ok" = "no"; + "create mask" = "0644"; + "directory mask" = "0755"; + # "force user" = "steveej"; + # "force group" = "users"; }; }; - } - ) + }; + }) ]; } diff --git a/nix/os/devices/steveej-t14/default.nix b/nix/os/devices/steveej-t14/default.nix index d7e6d28..bcb5e94 100644 --- a/nix/os/devices/steveej-t14/default.nix +++ b/nix/os/devices/steveej-t14/default.nix @@ -4,24 +4,26 @@ repoFlakeWithSystem, nodeFlake, ... -}: -let +}: let system = "x86_64-linux"; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit repoFlake nodeName nodeFlake; packages' = repoFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = nodeName; deployment.replaceUnknownProfiles = false; deployment.allowLocalDeployment = true; - imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; + imports = [ + (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") + ]; }; } diff --git a/nix/os/devices/steveej-t14/flake.nix b/nix/os/devices/steveej-t14/flake.nix index 504ce45..d2a549b 100644 --- a/nix/os/devices/steveej-t14/flake.nix +++ b/nix/os/devices/steveej-t14/flake.nix @@ -12,5 +12,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/steveej-t14/hw.nix b/nix/os/devices/steveej-t14/hw.nix index a76e451..1b905e0 100644 --- a/nix/os/devices/steveej-t14/hw.nix +++ b/nix/os/devices/steveej-t14/hw.nix 
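Review bot: The re-indented `extraConfig` for `services.samba` in steveej-t14/configuration.nix still carries `max protocol = NT1`, `min protocol = NT1` and `ntlm auth = yes`, which pins every client of the `voodoo` share to SMB1 with NTLM and rules out SMB signing or transport encryption; a formatting commit is not the place to change that, but the bare `# legacy windows quirks` comment should record which client still needs it so the pin can be retired, e.g. `# legacy windows quirks: SMB1/NTLM kept for <client, TODO name it>; raise to min protocol = SMB2 once it is gone`. Note also that `hosts allow = 192.168.` is a prefix match over the whole 192.168.0.0/16, so `hosts deny = 0.0.0.0/0` only excludes non-RFC1918 sources; narrowing it to the actual LAN subnet would be the cheaper hardening. The enclosing `imports` list begins before the hunk.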
@@ -1,7 +1,5 @@ -{ lib, ... }: -let -in -{ +{lib, ...}: let +in { # TASK: new device hardware.opinionatedDisk = { enable = true; @@ -68,56 +66,16 @@ in enable = false; levels = [ # ["level auto" 0 60] - [ - 0 - 0 - 60 - ] - [ - 1 - 60 - 65 - ] - [ - 1 - 65 - 75 - ] - [ - 2 - 75 - 78 - ] - [ - 3 - 78 - 80 - ] - [ - 4 - 80 - 82 - ] - [ - 5 - 82 - 84 - ] - [ - 6 - 84 - 86 - ] - [ - 7 - 86 - 88 - ] - [ - "level full-speed" - 88 - 999 - ] + [0 0 60] + [1 60 65] + [1 65 75] + [2 75 78] + [3 78 80] + [4 80 82] + [5 82 84] + [6 84 86] + [7 86 88] + ["level full-speed" 88 999] ]; extraArgs = [ diff --git a/nix/os/devices/steveej-t14/pkg.nix b/nix/os/devices/steveej-t14/pkg.nix index 7cf98a0..0cc3c04 100644 --- a/nix/os/devices/steveej-t14/pkg.nix +++ b/nix/os/devices/steveej-t14/pkg.nix @@ -4,10 +4,11 @@ repoFlake, nodeFlake, ... -}: -{ +}: { system.stateVersion = "23.05"; - home-manager.users.root = _: { home.stateVersion = "22.05"; }; + home-manager.users.root = _: { + home.stateVersion = "22.05"; + }; home-manager.users.steveej = _: { home.stateVersion = "22.05"; imports = [ @@ -20,9 +21,10 @@ }) ]; - home.sessionVariables = { }; + home.sessionVariables = {}; - home.packages = with pkgs; [ ]; + home.packages = with pkgs; [ + ]; }; # TODO: fix the following errors with regreet 
@@ -36,28 +38,26 @@ # # (regreet:505614): Gtk-WARNING **: 10:31:42.532: Theme parser warning: :6:17-18: Empty declaration # Failed to create /var/empty/.cache for shader cache (Operation not permitted)---disabling. - services.greetd = - let - # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" - swayConfig = pkgs.writeText "greetd-sway-config" '' - # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. - exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" - bindsym Mod4+shift+e exec swaynag \ - -t warning \ - -m 'What do you want to do?' \ - -b 'Poweroff' 'systemctl poweroff' \ - -b 'Reboot' 'systemctl reboot' - ''; - in - { - enable = false; - settings = { - vt = 1; - default_session = { - command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; - }; + services.greetd = let + # exec "${pkgs.greetd.gtkgreet}/bin/gtkgreet -l; swaymsg exit" + swayConfig = pkgs.writeText "greetd-sway-config" '' + # `-l` activates layer-shell mode. Notice that `swaymsg exit` will run after gtkgreet. + exec "dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK; ${pkgs.greetd.regreet}/bin/regreet; swaymsg exit" + bindsym Mod4+shift+e exec swaynag \ + -t warning \ + -m 'What do you want to do?' \ + -b 'Poweroff' 'systemctl poweroff' \ + -b 'Reboot' 'systemctl reboot' + ''; + in { + enable = false; + settings = { + vt = 1; + default_session = { + command = "${pkgs.sway}/bin/sway --config ${swayConfig}"; }; }; + }; environment.etc."greetd/environments".text = '' sway diff --git a/nix/os/devices/steveej-t14/system.nix b/nix/os/devices/steveej-t14/system.nix index a551d45..04fb60a 100644 --- a/nix/os/devices/steveej-t14/system.nix +++ b/nix/os/devices/steveej-t14/system.nix @@ -5,8 +5,7 @@ nodeName, repoFlake, ... -}: -let +}: let localTcpPorts = [ 22 
@@ -22,11 +21,12 @@ let 22000 21027 ]; -in -{ +in { nix.settings = { - substituters = [ ]; - trusted-public-keys = [ ]; + substituters = [ + ]; + trusted-public-keys = [ + ]; }; nix.distributedBuilds = true; @@ -39,8 +39,7 @@ in system = "x86_64-linux"; maxJobs = 32; speedFactor = 100; - supportedFeatures = - repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features ++ [ ]; + supportedFeatures = repoFlake.nixosConfigurations.steveej-t14.config.nix.settings.system-features ++ []; } { @@ -51,16 +50,16 @@ in system = "aarch64-linux"; maxJobs = 32; speedFactor = 100; - supportedFeatures = - repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ [ ]; + supportedFeatures = repoFlake.nixosConfigurations.router0-dmz0.config.nix.settings.system-features ++ []; } ]; networking.networkmanager.enable = true; - networking.extraHosts = ''''; + networking.extraHosts = '' + ''; - networking.bridges."virbr1".interfaces = [ ]; + networking.bridges."virbr1".interfaces = []; networking.interfaces."virbr1".ipv4.addresses = [ { address = "10.254.254.254"; @@ -93,9 +92,7 @@ in # virtualization virtualisation = { - libvirtd = { - enable = true; - }; + libvirtd = {enable = true;}; virtualbox.host = { enable = false; @@ -113,11 +110,13 @@ in # client min protocol = NT1 ''; - security.pki.certificateFiles = [ "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" ]; + security.pki.certificateFiles = ["${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"]; - services.xserver.videoDrivers = lib.mkForce [ "amdgpu" ]; + services.xserver.videoDrivers = lib.mkForce ["amdgpu"]; hardware.ledger.enable = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + boot.binfmt.emulatedSystems = [ + "aarch64-linux" + ]; } diff --git a/nix/os/devices/steveej-t14/user.nix b/nix/os/devices/steveej-t14/user.nix index dc9102b..6068f93 100644 --- a/nix/os/devices/steveej-t14/user.nix +++ b/nix/os/devices/steveej-t14/user.nix 
@@ -3,19 +3,17 @@ pkgs, lib, ... -}: -let +}: let keys = import ../../../variables/keys.nix; - inherit (pkgs.callPackage ../../lib/default.nix { }) mkUser; -in -{ + inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser; +in { users.users.steveej2 = mkUser { uid = 1001; openssh.authorizedKeys.keys = keys.users.steveej.openssh; hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; }; - nix.settings.trusted-users = [ "steveej" ]; + nix.settings.trusted-users = ["steveej"]; security.pam.u2f.enable = true; security.pam.services.steveej.u2fAuth = true; diff --git a/nix/os/devices/steveej-utilitepro/configuration.nix b/nix/os/devices/steveej-utilitepro/configuration.nix index 2770114..06cc7d1 100644 --- a/nix/os/devices/steveej-utilitepro/configuration.nix +++ b/nix/os/devices/steveej-utilitepro/configuration.nix @@ -1,11 +1,13 @@ # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, ... }: -let - passwords = import ../common/passwords.crypt.nix; -in { + config, + pkgs, + ... +}: let + passwords = import ../common/passwords.crypt.nix; +in { # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "16.03"; nix.maxJobs = 4; @@ -17,14 +19,13 @@ in ''; nixpkgs.config = { - packageOverrides = - super: - let - self = super.pkgs; - in - { - linux_4_1 = super.linux_4_1.override { - kernelPatches = super.linux_4_1.kernelPatches ++ [ + packageOverrides = super: let + self = super.pkgs; + in { + linux_4_1 = super.linux_4_1.override { + kernelPatches = + super.linux_4_1.kernelPatches + ++ [ { patch = ./patches/utilitepro-kernel-dts.patch; name = "utilitepro-dts"; 
@@ -34,188 +35,188 @@ in name = "utilitepro-dts-Makefile"; } ]; - # add "CONFIG_PPP_FILTER y" option to the set of kernel options - extraConfig = '' - BTRFS_FS y - BTRFS_FS_POSIX_ACL y - FUSE_FS y - OVERLAY_FS y + # add "CONFIG_PPP_FILTER y" option to the set of kernel options + extraConfig = '' + BTRFS_FS y + BTRFS_FS_POSIX_ACL y + FUSE_FS y + OVERLAY_FS y - BLK_DEV_DM y - DM_THIN_PROVISIONING y + BLK_DEV_DM y + DM_THIN_PROVISIONING y - NAMESPACES y - NET_NS y - PID_NS y - IPC_NS y - UTS_NS y - DEVPTS_MULTIPLE_INSTANCES y - CGROUPS y - CGROUP_CPUACCT y - CGROUP_DEVICE y - CGROUP_FREEZER y - CGROUP_SCHED y - CPUSETS y - MEMCG y - POSIX_MQUEUE y + NAMESPACES y + NET_NS y + PID_NS y + IPC_NS y + UTS_NS y + DEVPTS_MULTIPLE_INSTANCES y + CGROUPS y + CGROUP_CPUACCT y + CGROUP_DEVICE y + CGROUP_FREEZER y + CGROUP_SCHED y + CPUSETS y + MEMCG y + POSIX_MQUEUE y - MACVLAN m - VETH m - BRIDGE m + MACVLAN m + VETH m + BRIDGE m - NF_TABLES m - NETFILTER y - NETFILTER_ADVANCED y - NF_NAT_IPV4 m - IP_NF_FILTER m - IP_NF_TARGET_MASQUERADE m - NETFILTER_XT_MATCH_ADDRTYPE m - NETFILTER_XT_MATCH_CONNTRACK m - NF_NAT m - NF_NAT_NEEDED m - BRIDGE_NETFILTER m - NETFILTER_INGRESS y - NETFILTER_NETLINK m - NETFILTER_NETLINK_ACCT m - NETFILTER_NETLINK_QUEUE m - NETFILTER_NETLINK_LOG m - NETFILTER_SYNPROXY m - NETFILTER_XTABLES m - NETFILTER_XT_MARK m - NETFILTER_XT_CONNMARK m - NETFILTER_XT_SET m - NETFILTER_XT_TARGET_AUDIT m - NETFILTER_XT_TARGET_CHECKSUM m - NETFILTER_XT_TARGET_CLASSIFY m - NETFILTER_XT_TARGET_CONNMARK m - NETFILTER_XT_TARGET_CONNSECMARK m - NETFILTER_XT_TARGET_CT m - NETFILTER_XT_TARGET_DSCP m - NETFILTER_XT_TARGET_HL m - NETFILTER_XT_TARGET_HMARK m - NETFILTER_XT_TARGET_IDLETIMER m - NETFILTER_XT_TARGET_LED m - NETFILTER_XT_TARGET_LOG m - NETFILTER_XT_TARGET_MARK m - NETFILTER_XT_NAT m - NETFILTER_XT_TARGET_NETMAP m - NETFILTER_XT_TARGET_NFLOG m - NETFILTER_XT_TARGET_NFQUEUE m - NETFILTER_XT_TARGET_NOTRACK m - NETFILTER_XT_TARGET_RATEEST m - 
NETFILTER_XT_TARGET_REDIRECT m - NETFILTER_XT_TARGET_TEE m - NETFILTER_XT_TARGET_TPROXY m - NETFILTER_XT_TARGET_TRACE m - NETFILTER_XT_TARGET_SECMARK m - NETFILTER_XT_TARGET_TCPMSS m - NETFILTER_XT_TARGET_TCPOPTSTRIP m - NETFILTER_XT_MATCH_ADDRTYPE m - NETFILTER_XT_MATCH_BPF m - NETFILTER_XT_MATCH_CGROUP m - NETFILTER_XT_MATCH_CLUSTER m - NETFILTER_XT_MATCH_COMMENT m - NETFILTER_XT_MATCH_CONNBYTES m - NETFILTER_XT_MATCH_CONNLABEL m - NETFILTER_XT_MATCH_CONNLIMIT m - NETFILTER_XT_MATCH_CONNMARK m - NETFILTER_XT_MATCH_CONNTRACK m - NETFILTER_XT_MATCH_CPU m - NETFILTER_XT_MATCH_DCCP m - NETFILTER_XT_MATCH_DEVGROUP m - NETFILTER_XT_MATCH_DSCP m - NETFILTER_XT_MATCH_ECN m - NETFILTER_XT_MATCH_ESP m - NETFILTER_XT_MATCH_HASHLIMIT m - NETFILTER_XT_MATCH_HELPER m - NETFILTER_XT_MATCH_HL m - NETFILTER_XT_MATCH_IPCOMP m - NETFILTER_XT_MATCH_IPRANGE m - NETFILTER_XT_MATCH_IPVS m - NETFILTER_XT_MATCH_L2TP m - NETFILTER_XT_MATCH_LENGTH m - NETFILTER_XT_MATCH_LIMIT m - NETFILTER_XT_MATCH_MAC m - NETFILTER_XT_MATCH_MARK m - NETFILTER_XT_MATCH_MULTIPORT m - NETFILTER_XT_MATCH_NFACCT m - NETFILTER_XT_MATCH_OSF m - NETFILTER_XT_MATCH_OWNER m - NETFILTER_XT_MATCH_POLICY m - NETFILTER_XT_MATCH_PHYSDEV m - NETFILTER_XT_MATCH_PKTTYPE m - NETFILTER_XT_MATCH_QUOTA m - NETFILTER_XT_MATCH_RATEEST m - NETFILTER_XT_MATCH_REALM m - NETFILTER_XT_MATCH_RECENT m - NETFILTER_XT_MATCH_SCTP m - NETFILTER_XT_MATCH_SOCKET m - NETFILTER_XT_MATCH_STATE m - NETFILTER_XT_MATCH_STATISTIC m - NETFILTER_XT_MATCH_STRING m - NETFILTER_XT_MATCH_TCPMSS m - NETFILTER_XT_MATCH_TIME m - NETFILTER_XT_MATCH_U32 m + NF_TABLES m + NETFILTER y + NETFILTER_ADVANCED y + NF_NAT_IPV4 m + IP_NF_FILTER m + IP_NF_TARGET_MASQUERADE m + NETFILTER_XT_MATCH_ADDRTYPE m + NETFILTER_XT_MATCH_CONNTRACK m + NF_NAT m + NF_NAT_NEEDED m + BRIDGE_NETFILTER m + NETFILTER_INGRESS y + NETFILTER_NETLINK m + NETFILTER_NETLINK_ACCT m + NETFILTER_NETLINK_QUEUE m + NETFILTER_NETLINK_LOG m + NETFILTER_SYNPROXY m + NETFILTER_XTABLES m + 
NETFILTER_XT_MARK m + NETFILTER_XT_CONNMARK m + NETFILTER_XT_SET m + NETFILTER_XT_TARGET_AUDIT m + NETFILTER_XT_TARGET_CHECKSUM m + NETFILTER_XT_TARGET_CLASSIFY m + NETFILTER_XT_TARGET_CONNMARK m + NETFILTER_XT_TARGET_CONNSECMARK m + NETFILTER_XT_TARGET_CT m + NETFILTER_XT_TARGET_DSCP m + NETFILTER_XT_TARGET_HL m + NETFILTER_XT_TARGET_HMARK m + NETFILTER_XT_TARGET_IDLETIMER m + NETFILTER_XT_TARGET_LED m + NETFILTER_XT_TARGET_LOG m + NETFILTER_XT_TARGET_MARK m + NETFILTER_XT_NAT m + NETFILTER_XT_TARGET_NETMAP m + NETFILTER_XT_TARGET_NFLOG m + NETFILTER_XT_TARGET_NFQUEUE m + NETFILTER_XT_TARGET_NOTRACK m + NETFILTER_XT_TARGET_RATEEST m + NETFILTER_XT_TARGET_REDIRECT m + NETFILTER_XT_TARGET_TEE m + NETFILTER_XT_TARGET_TPROXY m + NETFILTER_XT_TARGET_TRACE m + NETFILTER_XT_TARGET_SECMARK m + NETFILTER_XT_TARGET_TCPMSS m + NETFILTER_XT_TARGET_TCPOPTSTRIP m + NETFILTER_XT_MATCH_ADDRTYPE m + NETFILTER_XT_MATCH_BPF m + NETFILTER_XT_MATCH_CGROUP m + NETFILTER_XT_MATCH_CLUSTER m + NETFILTER_XT_MATCH_COMMENT m + NETFILTER_XT_MATCH_CONNBYTES m + NETFILTER_XT_MATCH_CONNLABEL m + NETFILTER_XT_MATCH_CONNLIMIT m + NETFILTER_XT_MATCH_CONNMARK m + NETFILTER_XT_MATCH_CONNTRACK m + NETFILTER_XT_MATCH_CPU m + NETFILTER_XT_MATCH_DCCP m + NETFILTER_XT_MATCH_DEVGROUP m + NETFILTER_XT_MATCH_DSCP m + NETFILTER_XT_MATCH_ECN m + NETFILTER_XT_MATCH_ESP m + NETFILTER_XT_MATCH_HASHLIMIT m + NETFILTER_XT_MATCH_HELPER m + NETFILTER_XT_MATCH_HL m + NETFILTER_XT_MATCH_IPCOMP m + NETFILTER_XT_MATCH_IPRANGE m + NETFILTER_XT_MATCH_IPVS m + NETFILTER_XT_MATCH_L2TP m + NETFILTER_XT_MATCH_LENGTH m + NETFILTER_XT_MATCH_LIMIT m + NETFILTER_XT_MATCH_MAC m + NETFILTER_XT_MATCH_MARK m + NETFILTER_XT_MATCH_MULTIPORT m + NETFILTER_XT_MATCH_NFACCT m + NETFILTER_XT_MATCH_OSF m + NETFILTER_XT_MATCH_OWNER m + NETFILTER_XT_MATCH_POLICY m + NETFILTER_XT_MATCH_PHYSDEV m + NETFILTER_XT_MATCH_PKTTYPE m + NETFILTER_XT_MATCH_QUOTA m + NETFILTER_XT_MATCH_RATEEST m + NETFILTER_XT_MATCH_REALM m + NETFILTER_XT_MATCH_RECENT m + 
NETFILTER_XT_MATCH_SCTP m + NETFILTER_XT_MATCH_SOCKET m + NETFILTER_XT_MATCH_STATE m + NETFILTER_XT_MATCH_STATISTIC m + NETFILTER_XT_MATCH_STRING m + NETFILTER_XT_MATCH_TCPMSS m + NETFILTER_XT_MATCH_TIME m + NETFILTER_XT_MATCH_U32 m - MEMCG_KMEM y - MEMCG_SWAP y - MEMCG_SWAP_ENABLED y - BLK_CGROUP y - IOSCHED_CFQ y - BLK_DEV_THROTTLING y - CGROUP_PERF y - CGROUP_HUGETLB y - NET_CLS_CGROUP y - CGROUP_NET_PRIO y - CFS_BANDWIDTH y - FAIR_GROUP_SCHED y - RT_GROUP_SCHED y - EXT3_FS y - EXT3_FS_XATTR y - EXT3_FS_POSIX_ACL y - EXT3_FS_SECURITY y + MEMCG_KMEM y + MEMCG_SWAP y + MEMCG_SWAP_ENABLED y + BLK_CGROUP y + IOSCHED_CFQ y + BLK_DEV_THROTTLING y + CGROUP_PERF y + CGROUP_HUGETLB y + NET_CLS_CGROUP y + CGROUP_NET_PRIO y + CFS_BANDWIDTH y + FAIR_GROUP_SCHED y + RT_GROUP_SCHED y + EXT3_FS y + EXT3_FS_XATTR y + EXT3_FS_POSIX_ACL y + EXT3_FS_SECURITY y - PPP_FILTER y - HAVE_IMX_ANATOP y - HAVE_IMX_GPC y - HAVE_IMX_MMDC y - HAVE_IMX_SRC y - SOC_IMX6 y - SOC_IMX6Q y - SOC_IMX6SL y - PCI_IMX6 y - ARM_IMX6Q_CPUFREQ y - IMX_WEIM y - AHCI_IMX y - SERIAL_IMX y - SERIAL_IMX_CONSOLE y - I2C_IMX y - SPI_IMX y - PINCTRL_IMX y - PINCTRL_IMX6Q y - PINCTRL_IMX6SL y - POWER_RESET_IMX y - IMX_THERMAL y - IMX2_WDT y - IMX_IPUV3_CORE y - DRM_IMX y - DRM_IMX_FB_HELPER y - DRM_IMX_PARALLEL_DISPLAY y - DRM_IMX_TVE y - DRM_IMX_LDB y - DRM_IMX_IPUV3 y - DRM_IMX_HDMI y - MMC_SDHCI_ESDHC_IMX y - IMX_SDMA y - PWM_IMX y - DEBUG_IMX6Q_UART y + PPP_FILTER y + HAVE_IMX_ANATOP y + HAVE_IMX_GPC y + HAVE_IMX_MMDC y + HAVE_IMX_SRC y + SOC_IMX6 y + SOC_IMX6Q y + SOC_IMX6SL y + PCI_IMX6 y + ARM_IMX6Q_CPUFREQ y + IMX_WEIM y + AHCI_IMX y + SERIAL_IMX y + SERIAL_IMX_CONSOLE y + I2C_IMX y + SPI_IMX y + PINCTRL_IMX y + PINCTRL_IMX6Q y + PINCTRL_IMX6SL y + POWER_RESET_IMX y + IMX_THERMAL y + IMX2_WDT y + IMX_IPUV3_CORE y + DRM_IMX y + DRM_IMX_FB_HELPER y + DRM_IMX_PARALLEL_DISPLAY y + DRM_IMX_TVE y + DRM_IMX_LDB y + DRM_IMX_IPUV3 y + DRM_IMX_HDMI y + MMC_SDHCI_ESDHC_IMX y + IMX_SDMA y + PWM_IMX y + 
DEBUG_IMX6Q_UART y - ''; - }; - # pkgs.linux_4_2 = "/nix/store/jc1h6mcc6sq420q2i572qba4b0xzw4gm-linux-4.3-armv7l-unknown-linux-gnueabi"; + ''; }; + # pkgs.linux_4_2 = "/nix/store/jc1h6mcc6sq420q2i572qba4b0xzw4gm-linux-4.3-armv7l-unknown-linux-gnueabi"; + }; allowUnfree = true; }; @@ -278,10 +279,7 @@ in uid = 1000; isNormalUser = true; home = "/home/steveej"; - extraGroups = [ - "wheel" - "libvirtd" - ]; + extraGroups = ["wheel" "libvirtd"]; # FIXME: this is deprecated but so is this device probably hashedPassword = passwords.users.steveej; openssh.authorizedKeys.keys = [ diff --git a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix index 0bbf318..a325b30 100644 --- a/nix/os/devices/steveej-utilitepro/hardware-configuration.nix +++ b/nix/os/devices/steveej-utilitepro/hardware-configuration.nix @@ -6,13 +6,12 @@ lib, pkgs, ... -}: -{ - imports = [ ]; +}: { + imports = []; - boot.initrd.availableKernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; + boot.initrd.availableKernelModules = []; + boot.kernelModules = []; + boot.extraModulePackages = []; hardware.enableAllFirmware = true; @@ -25,5 +24,5 @@ device = "/dev/disk/by-uuid/f1e7e913-93a0-4258-88f9-f65041d91d66"; }; - swapDevices = [ ]; + swapDevices = []; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix index 518fc1b..9aec1e2 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/configuration.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/configuration.nix @@ -8,8 +8,7 @@ localDomainName, system, ... -}: -{ +}: { nixos-x13s = { enable = true; # TODO: use hardware address @@ -42,8 +41,8 @@ echo $? ) ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; + requiredBy = ["bluetooth.service"]; + before = ["bluetooth.service"]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; 
@@ -104,15 +103,20 @@ ]; system.stateVersion = "23.11"; - home-manager.users.root = _: { home.stateVersion = "23.11"; }; + home-manager.users.root = _: { + home.stateVersion = "23.11"; + }; home-manager.users.steveej = _: { home.stateVersion = "23.11"; - imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; + imports = [ + ../../../home-manager/configuration/graphical-fullblown.nix + ]; - home.sessionVariables = { }; + home.sessionVariables = {}; - home.packages = with pkgs; [ ]; + home.packages = with pkgs; [ + ]; # TODO: currently unsupported services.gammastep.enable = lib.mkForce false; @@ -123,7 +127,7 @@ loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = lib.mkForce false; loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ "wwan" ]; + blacklistedKernelModules = ["wwan"]; initrd.kernelModules = [ "uas" @@ -149,8 +153,7 @@ "firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn".source = pkgs.linux-firmware; "firmware/qcom/sc8280xp/LENOVO/21BX/qcdxkmsuc8280.mbn".source = pkgs.linux-firmware; "firmware/qcom/sc8280xp/LENOVO/21BX/qcslpi8280.mbn".source = pkgs.linux-firmware; - "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = - nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; + "firmware/qcom/sc8280xp/LENOVO/21BX/qcvss8280.mbn".source = nodeFlake.inputs.nixos-x13s.packages.${system}."x13s/extra-firmware"; }; }; diff --git a/nix/os/devices/steveej-x13s-rmvbl/default.nix b/nix/os/devices/steveej-x13s-rmvbl/default.nix index 2ba48d2..fa66cf4 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/default.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/default.nix 
@@ -6,23 +6,21 @@ nodeFlake, localDomainName ? "internal", ... -}: -{ +}: { meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; + inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; @@ -31,6 +29,8 @@ # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - imports = [ (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") ]; + imports = [ + (repoFlake + "/nix/os/devices/${nodeName}/configuration.nix") + ]; }; } diff --git a/nix/os/devices/steveej-x13s-rmvbl/disko.nix b/nix/os/devices/steveej-x13s-rmvbl/disko.nix index 2eb097a..e56b0d1 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/disko.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/disko.nix @@ -14,7 +14,9 @@ type = "filesystem"; format = "vfat"; mountpoint = "/boot"; - mountOptions = [ "defaults" ]; + mountOptions = [ + "defaults" + ]; }; }; luks = { @@ -22,7 +24,7 @@ content = { type = "luks"; name = "x13s-usb-crypt"; - extraOpenArgs = [ ]; + extraOpenArgs = []; # disable settings.keyFile if you want to use interactive password entry #passwordFile = "/tmp/secret.key"; # Interactive settings = { 
@@ -34,28 +36,19 @@ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; content = { type = "btrfs"; - extraArgs = [ "-f" ]; + extraArgs = ["-f"]; subvolumes = { "/root" = { mountpoint = "/"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/home" = { mountpoint = "/home"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/nix" = { mountpoint = "/nix"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/swap" = { mountpoint = "/.swapvol"; diff --git a/nix/os/devices/steveej-x13s-rmvbl/flake.nix b/nix/os/devices/steveej-x13s-rmvbl/flake.nix index 39a915e..bcc82bb 100644 --- a/nix/os/devices/steveej-x13s-rmvbl/flake.nix +++ b/nix/os/devices/steveej-x13s-rmvbl/flake.nix 
@@ -22,68 +22,71 @@ nixos-x13s.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - system = "aarch64-linux"; - buildPlatform = "x86_64-linux"; - repoFlake = get-flake ../../../..; - in - { - lib = { - mkNixosConfiguration = + outputs = { + self, + get-flake, + nixpkgs, + ... + }: let + system = "aarch64-linux"; + buildPlatform = "x86_64-linux"; + repoFlake = get-flake ../../../..; + in { + lib = { + mkNixosConfiguration = { + nodeName, + extraModules ? [], + ... + } @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs { - nodeName, - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - inherit system; - inherit nodeName repoFlake; + specialArgs = + (import ./default.nix { + inherit system; + inherit nodeName repoFlake; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; + nodeFlake = self; + }) + .meta + .nodeSpecialArgs + .${nodeName}; - modules = [ + modules = + [ # repoFlake.nixosModules.hardware-x13s - ] ++ extraModules; - } - ); + ] + ++ extraModules; + } + ); + }; + + nixosConfigurations = let + nodeName = "steveej-x13s-rmvbl"; + in { + native = self.lib.mkNixosConfiguration { + inherit system nodeName; + extraModules = [ + ./configuration.nix + + { + users.commonUsers.installPassword = "install"; + } + ]; }; - nixosConfigurations = - let - nodeName = "steveej-x13s-rmvbl"; - in - { - native = self.lib.mkNixosConfiguration { - inherit system nodeName; - extraModules = [ - ./configuration.nix + cross = self.lib.mkNixosConfiguration { + inherit nodeName; + extraModules = [ + ./configuration.nix - { users.commonUsers.installPassword = "install"; } - ]; - }; - - cross = self.lib.mkNixosConfiguration { - inherit nodeName; - extraModules = [ - ./configuration.nix - - { - nixpkgs.buildPlatform.system = buildPlatform; - nixpkgs.hostPlatform.system = system; - } - ]; - }; - }; 
+ { + nixpkgs.buildPlatform.system = buildPlatform; + nixpkgs.hostPlatform.system = system; + } + ]; + }; }; + }; } diff --git a/nix/os/devices/steveej-x13s/configuration.nix b/nix/os/devices/steveej-x13s/configuration.nix index cd508db..831f1f0 100644 --- a/nix/os/devices/steveej-x13s/configuration.nix +++ b/nix/os/devices/steveej-x13s/configuration.nix @@ -9,9 +9,8 @@ system, packages', ... -}: -{ - nixpkgs.overlays = [ nodeFlake.overlays.default ]; +}: { + nixpkgs.overlays = [nodeFlake.overlays.default]; nixos-x13s = { enable = true; @@ -24,7 +23,7 @@ # printint and autodiscovery of printers services.printing.enable = true; - services.printing.drivers = [ pkgs.hplip ]; + services.printing.drivers = [pkgs.hplip]; services.avahi = { enable = true; nssmdns4 = true; @@ -58,8 +57,8 @@ echo $? ) ''; - requiredBy = [ "bluetooth.service" ]; - before = [ "bluetooth.service" ]; + requiredBy = ["bluetooth.service"]; + before = ["bluetooth.service"]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; @@ -99,7 +98,7 @@ enableNonRoot = true; }; - sops.secrets.builder-private-key = { }; + sops.secrets.builder-private-key = {}; nix.distributedBuilds = true; nix.buildMachines = [ # test these with: sudo nix store ping --store 'ssh-ng://nix-remote-builder@?ssh-key=/run/secrets/builder-private-key' @@ -108,7 +107,9 @@ sshUser = "nix-remote-builder"; sshKey = config.sops.secrets.builder-private-key.path; protocol = "ssh-ng"; - systems = [ "x86_64-linux" ]; + systems = [ + "x86_64-linux" + ]; supportedFeatures = [ "big-parallel" "kvm" @@ -122,7 +123,9 @@ sshUser = "nix-remote-builder"; sshKey = config.sops.secrets.builder-private-key.path; protocol = "ssh-ng"; - systems = [ "aarch64-linux" ]; + systems = [ + "aarch64-linux" + ]; supportedFeatures = [ "big-parallel" "kvm" 
@@ -151,27 +154,24 @@ } # TODO: create syncthing os snippet - ( - let - tcp = [ 22000 ]; - udp = [ - 22000 - 21027 - ]; - in - { - # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` - networking.firewall.interfaces."en+".allowedTCPPorts = tcp; - networking.firewall.interfaces."en+".allowedUDPPorts = udp; - networking.firewall.interfaces."wl+".allowedTCPPorts = tcp; - networking.firewall.interfaces."wl+".allowedUDPPorts = udp; + (let + tcp = [22000]; + udp = [ + 22000 + 21027 + ]; + in { + # TODO: upstream feature for inverse rule to work: `! --in-interface zt+` + networking.firewall.interfaces."en+".allowedTCPPorts = tcp; + networking.firewall.interfaces."en+".allowedUDPPorts = udp; + networking.firewall.interfaces."wl+".allowedTCPPorts = tcp; + networking.firewall.interfaces."wl+".allowedUDPPorts = udp; - networking.firewall.allowedTCPPorts = [ - # iperf3 - 5201 - ]; - } - ) + networking.firewall.allowedTCPPorts = [ + # iperf3 + 5201 + ]; + }) ../../snippets/home-manager-with-zsh.nix ../../snippets/sway-desktop.nix @@ -201,17 +201,22 @@ ]; system.stateVersion = "23.11"; - home-manager.users.root = _: { home.stateVersion = "23.11"; }; + home-manager.users.root = _: { + home.stateVersion = "23.11"; + }; home-manager.users.steveej = _: { home.stateVersion = "23.11"; - imports = [ ../../../home-manager/configuration/graphical-fullblown.nix ]; + imports = [ + ../../../home-manager/configuration/graphical-fullblown.nix + ]; - nixpkgs.overlays = [ nodeFlake.overlays.default ]; + nixpkgs.overlays = [nodeFlake.overlays.default]; - home.sessionVariables = { }; + home.sessionVariables = {}; - home.packages = with pkgs; [ ]; + home.packages = with pkgs; [ + ]; # TODO(upstream): currently unsupported on x13s services.gammastep.enable = true; 
@@ -223,7 +228,7 @@ loader.efi.canTouchEfiVariables = lib.mkForce false; loader.efi.efiSysMountPoint = "/boot"; - blacklistedKernelModules = [ "wwan" ]; + blacklistedKernelModules = ["wwan"]; }; hardware.firmware = lib.mkBefore [ @@ -253,7 +258,9 @@ autostart = false; }; - services.udev.packages = [ pkgs.android-udev-rules ]; + services.udev.packages = [ + pkgs.android-udev-rules + ]; programs.adb.enable = true; nix.settings.sandbox = lib.mkForce "relaxed"; diff --git a/nix/os/devices/steveej-x13s/default.nix b/nix/os/devices/steveej-x13s/default.nix index bb170b2..e6d8ece 100644 --- a/nix/os/devices/steveej-x13s/default.nix +++ b/nix/os/devices/steveej-x13s/default.nix @@ -6,23 +6,21 @@ nodeFlake, localDomainName ? "internal", ... -}: -{ +}: { meta.nodeSpecialArgs.${nodeName} = { - inherit - repoFlake - nodeName - nodeFlake - system - ; + inherit repoFlake nodeName nodeFlake system; packages' = repoFlake.packages.${system}; nodePackages' = nodeFlake.packages.${system}; - repoFlakeInputs' = repoFlakeWithSystem system ({ inputs', ... }: inputs'); + repoFlakeInputs' = repoFlakeWithSystem system ({inputs', ...}: inputs'); inherit localDomainName; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = + import nodeFlake.inputs.nixpkgs.outPath + { + inherit system; + }; ${nodeName} = { deployment.targetHost = "${nodeName}.${localDomainName}"; @@ -31,6 +29,8 @@ # nixpkgs.pkgs = nodeFlake.inputs.nixpkgs.legacyPackages.${system}; - imports = [ ./configuration.nix ]; + imports = [ + ./configuration.nix + ]; }; } diff --git a/nix/os/devices/steveej-x13s/disko.nix b/nix/os/devices/steveej-x13s/disko.nix index 40b2118..89f6dd8 100644 --- a/nix/os/devices/steveej-x13s/disko.nix +++ b/nix/os/devices/steveej-x13s/disko.nix @@ -15,7 +15,9 @@ type = "filesystem"; format = "vfat"; mountpoint = "/boot"; - mountOptions = [ "defaults" ]; + mountOptions = [ + "defaults" + ]; }; }; luks = { 
@@ -23,7 +25,7 @@ content = { type = "luks"; name = "x13s-nvme-crypt"; - extraOpenArgs = [ ]; + extraOpenArgs = []; # disable settings.keyFile if you want to use interactive password entry #passwordFile = "/tmp/secret.key"; # Interactive settings = { @@ -35,28 +37,19 @@ # additionalKeyFiles = [ "/tmp/additionalSecret.key" ]; content = { type = "btrfs"; - extraArgs = [ "-f" ]; + extraArgs = ["-f"]; subvolumes = { "/root" = { mountpoint = "/"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/home" = { mountpoint = "/home"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/nix" = { mountpoint = "/nix"; - mountOptions = [ - "compress=zstd" - "noatime" - ]; + mountOptions = ["compress=zstd" "noatime"]; }; "/swap" = { mountpoint = "/.swapvol"; diff --git a/nix/os/devices/steveej-x13s/flake.nix b/nix/os/devices/steveej-x13s/flake.nix index f809c1e..09b27a1 100644 --- a/nix/os/devices/steveej-x13s/flake.nix +++ b/nix/os/devices/steveej-x13s/flake.nix 
@@ -14,15 +14,16 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - nixos-x13s.url = "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump" - # 6.11.0 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490" - # 6.12.0-rc6 - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee" - # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630" - #"/home/steveej/src/others/nixos-x13s" - # - ; + nixos-x13s.url = + "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?ref=bump" + # 6.11.0 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=6b9efe77ca80653354981c720af3c4241ac71490" + # 6.12.0-rc6 + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=bd580ee9c35fcb8a720122d5bb2f903f1b7395ee" + # "git+https://forgejo.www.stefanjunker.de/steveej/nixos-x13s.git?branch=remaintain&rev=1286d20be2321a1a2d27f5d09257ebaf54ce0630" + #"/home/steveej/src/others/nixos-x13s" + # + ; # nixos-x13s.url = "git+https://codeberg.org/adamcstephens/nixos-x13s?ref=refs/tags/2024-02-28"; # nixos-x13s.url = "path:/home/steveej/src/others/nixos-x13s"; 
@@ -38,125 +39,127 @@ }; }; - outputs = - { - self, - get-flake, - nixpkgs, - ... - }: - let - nativeSystem = "aarch64-linux"; - nodeName = "steveej-x13s"; + outputs = { + self, + get-flake, + nixpkgs, + ... + }: let + nativeSystem = "aarch64-linux"; + nodeName = "steveej-x13s"; - repoFlake = get-flake ../../../..; + repoFlake = get-flake ../../../..; - mkNixosConfiguration = + mkNixosConfiguration = {extraModules ? [], ...} @ attrs: + nixpkgs.lib.nixosSystem ( + nixpkgs.lib.attrsets.recursiveUpdate + attrs { - extraModules ? [ ], - ... - }@attrs: - nixpkgs.lib.nixosSystem ( - nixpkgs.lib.attrsets.recursiveUpdate attrs { - specialArgs = - (import ./default.nix { - system = nativeSystem; - inherit nodeName; + specialArgs = + (import ./default.nix { + system = nativeSystem; + inherit nodeName; - inherit repoFlake; - repoFlakeWithSystem = repoFlake.lib.withSystem; - nodeFlake = self; - }).meta.nodeSpecialArgs.${nodeName}; + inherit repoFlake; + repoFlakeWithSystem = repoFlake.lib.withSystem; + nodeFlake = self; + }) + .meta + .nodeSpecialArgs + .${nodeName}; - modules = [ + modules = + [ ./configuration.nix # flake registry - { nix.registry.nixpkgs.flake = nixpkgs; } - ] ++ extraModules; - } - ); - in - { - lib = { - inherit mkNixosConfiguration; + { + nix.registry.nixpkgs.flake = nixpkgs; + } + ] + ++ extraModules; + } + ); + in { + lib = { + inherit mkNixosConfiguration; + }; + + overlays.libcamera = final: previous: let + webkitgtkPreConfigure = '' + export NIX_BUILD_CORES="$((NIX_BUILD_CORES > 2 ? 
2 : NIX_BUILD_CORES))" + export NUMBER_OF_PROCESSORS="$NIX_BUILD_CORES" + ''; + in { + wireplumber = previous.wireplumber.overrideAttrs (_: { + version = "git"; + src = previous.fetchFromGitLab { + domain = "gitlab.freedesktop.org"; + owner = "pipewire"; + repo = "wireplumber"; + rev = "71f868233792f10848644319dbdc97a4f147d554"; + hash = "sha256-VX3OFsBK9AbISm/XTx8p05ak+z/VcKXfUXhB9aI9ev8="; + }; + }); + + libcamera = previous.libcamera.overrideAttrs (_: { + postFixup = '' + ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so + ''; + }); + + libcamera-qcam = previous.libcamera-qcam.overrideAttrs (_: { + postFixup = '' + ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so + ''; + }); + + webkitgtk = previous.webkitgtk.overrideAttrs (attrs: { + preConfigure = + attrs.preConfigure + webkitgtkPreConfigure; + }); + + webkitgtk_4_1 = previous.webkitgtk_4_1.overrideAttrs (attrs: { + preConfigure = + attrs.preConfigure + webkitgtkPreConfigure; + }); + + webkitgtk_6_0 = previous.webkitgtk_6_0.overrideAttrs (attrs: { + preConfigure = + attrs.preConfigure + webkitgtkPreConfigure; + }); + }; + + overlays.default = final: previous: let + inherit (previous.stdenv) system; + pkgsUnstable = import self.inputs.nixpkgs-unstable.outPath { + inherit system; + overlays = [self.overlays.libcamera]; + }; + in { + inherit pkgsUnstable; + inherit + (pkgsUnstable) + libcamera + webkitgtk + webkitgtk_4_1 + webkitgtk_6_0 + ; + }; + + nixosConfigurations = { + native = mkNixosConfiguration { + system = nativeSystem; }; - overlays.libcamera = - final: previous: - let - webkitgtkPreConfigure = '' - export NIX_BUILD_CORES="$((NIX_BUILD_CORES > 2 ? 
2 : NIX_BUILD_CORES))" - export NUMBER_OF_PROCESSORS="$NIX_BUILD_CORES" - ''; - in - { - wireplumber = previous.wireplumber.overrideAttrs (_: { - version = "git"; - src = previous.fetchFromGitLab { - domain = "gitlab.freedesktop.org"; - owner = "pipewire"; - repo = "wireplumber"; - rev = "71f868233792f10848644319dbdc97a4f147d554"; - hash = "sha256-VX3OFsBK9AbISm/XTx8p05ak+z/VcKXfUXhB9aI9ev8="; - }; - }); - - libcamera = previous.libcamera.overrideAttrs (_: { - postFixup = '' - ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so - ''; - }); - - libcamera-qcam = previous.libcamera-qcam.overrideAttrs (_: { - postFixup = '' - ../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so - ''; - }); - - webkitgtk = previous.webkitgtk.overrideAttrs (attrs: { - preConfigure = attrs.preConfigure + webkitgtkPreConfigure; - }); - - webkitgtk_4_1 = previous.webkitgtk_4_1.overrideAttrs (attrs: { - preConfigure = attrs.preConfigure + webkitgtkPreConfigure; - }); - - webkitgtk_6_0 = previous.webkitgtk_6_0.overrideAttrs (attrs: { - preConfigure = attrs.preConfigure + webkitgtkPreConfigure; - }); - }; - - overlays.default = - final: previous: - let - inherit (previous.stdenv) system; - pkgsUnstable = import self.inputs.nixpkgs-unstable.outPath { - inherit system; - overlays = [ self.overlays.libcamera ]; - }; - in - { - inherit pkgsUnstable; - inherit (pkgsUnstable) - libcamera - webkitgtk - webkitgtk_4_1 - webkitgtk_6_0 - ; - }; - - nixosConfigurations = { - native = mkNixosConfiguration { system = nativeSystem; }; - - cross = mkNixosConfiguration { - extraModules = [ - { - nixpkgs.buildPlatform.system = "x86_64-linux"; - nixpkgs.hostPlatform.system = nativeSystem; - } - ]; - }; + cross = mkNixosConfiguration { + extraModules = [ + { + nixpkgs.buildPlatform.system = "x86_64-linux"; + nixpkgs.hostPlatform.system = nativeSystem; + } + ]; }; }; + }; } 
diff --git a/nix/os/devices/vmd102066.contaboserver.net/boot.nix b/nix/os/devices/vmd102066.contaboserver.net/boot.nix index ed21f9c..5713789 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/boot.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/boot.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiSupport = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix index b29548c..28a63fb 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/configuration.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/configuration.nix @@ -1,6 +1,5 @@ -{ ... }: -{ - disabledModules = [ ]; +{...}: { + disabledModules = []; imports = [ ../../profiles/common/configuration.nix ../../modules/opinionatedDisk.nix diff --git a/nix/os/devices/vmd102066.contaboserver.net/default.nix b/nix/os/devices/vmd102066.contaboserver.net/default.nix index 958331e..db025f1 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/default.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/default.nix @@ -1,17 +1,17 @@ -{ repoFlake, ... }: -let +{repoFlake, ...}: let nodeName = "vmd102066.contaboserver.net"; system = "x86_64-linux"; nodeFlake = repoFlake.inputs.get-flake ./.; -in -{ +in { meta.nodeSpecialArgs.${nodeName} = { inherit nodeName nodeFlake; packages' = repoFlake.packages.${system}; }; - meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; }; + meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { + inherit system; + }; ${nodeName} = { deployment.targetHost = nodeName; diff --git a/nix/os/devices/vmd102066.contaboserver.net/flake.nix b/nix/os/devices/vmd102066.contaboserver.net/flake.nix index 0547466..d432f24 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/flake.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/flake.nix 
@@ -8,5 +8,5 @@ inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = _: { }; + outputs = _: {}; } diff --git a/nix/os/devices/vmd102066.contaboserver.net/hw.nix b/nix/os/devices/vmd102066.contaboserver.net/hw.nix index 9f1ce04..e09b10e 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/hw.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/hw.nix @@ -1,5 +1,4 @@ -{ ... }: -let +{...}: let stage1Modules = [ "aesni_intel" "kvm-intel" @@ -12,8 +11,7 @@ let "virtio" "scsi_mod" ]; -in -{ +in { # TASK: new device hardware.opinionatedDisk = { enable = true; diff --git a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix index e0c96b0..96cfc55 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/pkg.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/pkg.nix @@ -3,8 +3,7 @@ pkgs, lib, ... -}: -{ +}: { home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix { inherit pkgs; }; @@ -13,12 +12,7 @@ { hostName = "localhost"; system = "x86_64-linux"; - supportedFeatures = [ - "kvm" - "nixos-test" - "big-parallel" - "benchmark" - ]; + supportedFeatures = ["kvm" "nixos-test" "big-parallel" "benchmark"]; maxJobs = 4; } ]; @@ -28,7 +22,7 @@ hydraURL = "http://localhost:3000"; # externally visible URL notificationSender = "hydra@${config.networking.hostName}.stefanjunker.de"; # e-mail of hydra service # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/machines - buildMachinesFiles = [ ]; + buildMachinesFiles = []; # you will probably also want, otherwise *everything* will be built from scratch useSubstitutes = true; }; @@ -36,13 +30,7 @@ services.gitlab-runner = { enable = false; - extraPackages = with pkgs; [ - bash - gitlab-runner - nix - gitFull - git-crypt - ]; + extraPackages = with pkgs; [bash gitlab-runner nix gitFull git-crypt]; concurrent = 2; checkInterval = 0; 
@@ -51,7 +39,7 @@ executor = "shell"; runUntagged = true; registrationConfigFile = "/etc/secrets/gitlab-runner/nix-runner.registration"; - tagList = [ "nix" ]; + tagList = ["nix"]; }; }; }; diff --git a/nix/os/devices/vmd102066.contaboserver.net/system.nix b/nix/os/devices/vmd102066.contaboserver.net/system.nix index f3ee31c..45c6b0c 100644 --- a/nix/os/devices/vmd102066.contaboserver.net/system.nix +++ b/nix/os/devices/vmd102066.contaboserver.net/system.nix @@ -4,12 +4,10 @@ config, nodeName, ... -}: -let +}: let keys = import ../../../variables/keys.nix; passwords = import ../../../variables/passwords.crypt.nix; -in -{ +in { networking.firewall.enable = true; networking.firewall.allowedTCPPorts = [ # iperf3 @@ -39,7 +37,7 @@ in networking.nat = { enable = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = ["ve-+"]; externalInterface = "eth0"; }; @@ -47,9 +45,7 @@ in # services.kubernetes.roles = ["master" "node"]; # virtualization - virtualisation = { - docker.enable = true; - }; + virtualisation = {docker.enable = true;}; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; @@ -57,7 +53,7 @@ in systemd.services."sshd-status" = { enable = true; description = "sshd-status service"; - path = [ pkgs.systemd ]; + path = [pkgs.systemd]; script = '' systemctl status sshd | grep -i tasks ''; @@ -77,13 +73,11 @@ in # }; # }; - nix.gc = { - automatic = true; - }; + nix.gc = {automatic = true;}; boot.initrd.network = { enable = true; - udhcpc.extraArgs = [ "-x hostname:${config.networking.hostName}" ]; + udhcpc.extraArgs = ["-x hostname:${config.networking.hostName}"]; ssh = { enable = true; @@ -110,12 +104,7 @@ in inherit config; hostAddress = "192.168.100.16"; localAddress = "192.168.100.17"; - subvolumes = [ - "mailserver" - "webserver" - "backup" - "syncthing" - ]; + subvolumes = ["mailserver" "webserver" "backup" "syncthing"]; }; bkpTarget = import ../../containers/backup-target.nix { 
diff --git a/nix/os/lib/default.nix b/nix/os/lib/default.nix index e8a0933..03bf5e7 100644 --- a/nix/os/lib/default.nix +++ b/nix/os/lib/default.nix @@ -1,10 +1,10 @@ -{ lib, config }: -let - keys = import ../../variables/keys.nix; -in { - mkUser = - args: + lib, + config, +}: let + keys = import ../../variables/keys.nix; +in { + mkUser = args: lib.mkMerge [ { isNormalUser = true; @@ -45,7 +45,7 @@ in # LVM doesn't allow most characters in VG names # TODO: replace this with a whitelist for: [a-zA-Z0-9.-_+] - volumeGroup = diskId: builtins.replaceStrings [ ":" ] [ "" ] diskId; + volumeGroup = diskId: builtins.replaceStrings [":"] [""] diskId; # This is important at install-time bootGrubDevice = diskId: "/dev/disk/by-id/" + diskId; @@ -56,11 +56,15 @@ in # Cannot use the disk ID here because might be different at install vs. runtime. # Example: MMC card which is used in the internal reader vs. USB reader - bootFsDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); - bootLuksDevice = diskId: "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); + bootFsDevice = diskId: + "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("2-" + diskId)); + bootLuksDevice = diskId: + "/dev/disk/by-partlabel/" + (shortenGptPartlabel ("3-" + diskId)); luksName = diskId: (volumeGroup diskId) + "pv"; luksPhysicalVolume = diskId: "/dev/mapper/" + (luksName diskId); - lvmPv = - diskId: encrypted: if encrypted == true then luksPhysicalVolume diskId else bootLuksDevice diskId; + lvmPv = diskId: encrypted: + if encrypted == true + then luksPhysicalVolume diskId + else bootLuksDevice diskId; }; } diff --git a/nix/os/modules/ddclient-hetzner.nix b/nix/os/modules/ddclient-hetzner.nix index f9685e2..893620a 100644 --- a/nix/os/modules/ddclient-hetzner.nix +++ b/nix/os/modules/ddclient-hetzner.nix 
@@ -1,12 +1,14 @@ -{ lib, config, ... }: -let - cfg = config.services.ddclient-hetzner; -in { + lib, + config, + ... +}: let + cfg = config.services.ddclient-hetzner; +in { options.services.ddclient-hetzner = with lib; { enable = mkEnableOption "Enable ddclient-hetzner"; - zone = mkOption { type = types.str; }; - domains = mkOption { type = types.listOf types.str; }; - passwordFile = mkOption { type = types.path; }; + zone = mkOption {type = types.str;}; + domains = mkOption {type = types.listOf types.str;}; + passwordFile = mkOption {type = types.path;}; }; } diff --git a/nix/os/modules/ddclient-ovh.nix b/nix/os/modules/ddclient-ovh.nix index 260cd86..9b0321d 100644 --- a/nix/os/modules/ddclient-ovh.nix +++ b/nix/os/modules/ddclient-ovh.nix @@ -1,10 +1,12 @@ -{ lib, config, ... }: -let - cfg = config.services.ddclientovh; -in { + lib, + config, + ... +}: let + cfg = config.services.ddclientovh; +in { options.services.ddclientovh = with lib; { enable = mkEnableOption "Enable ddclient-ovh"; - domain = mkOption { type = types.str; }; + domain = mkOption {type = types.str;}; }; } diff --git a/nix/os/modules/initrd-network.nix b/nix/os/modules/initrd-network.nix index 4ca89cf..e517d62 100644 --- a/nix/os/modules/initrd-network.nix +++ b/nix/os/modules/initrd-network.nix @@ -4,8 +4,7 @@ pkgs, ... }: -with lib; -let +with lib; let cfg = config.boot.initrd.network; udhcpcScript = pkgs.writeScript "udhcp-script" '' @@ -26,8 +25,7 @@ let ''; udhcpcArgs = toString cfg.udhcpc.extraArgs; -in -{ +in { options = { boot.initrd.network.enable = mkOption { type = types.bool; @@ -48,7 +46,7 @@ in }; boot.initrd.network.udhcpc.extraArgs = mkOption { - default = [ ]; + default = []; type = types.listOf types.str; description = '' Additional command-line arguments passed verbatim to udhcpc if 
@@ -76,9 +74,9 @@ in }; config = mkIf cfg.enable { - warnings = [ "Enabled SSH for stage1" ]; + warnings = ["Enabled SSH for stage1"]; - boot.initrd.kernelModules = [ "af_packet" ]; + boot.initrd.kernelModules = ["af_packet"]; boot.initrd.extraUtilsCommands = '' copy_bin_and_libs ${pkgs.mkinitcpio-nfs-utils}/bin/ipconfig diff --git a/nix/os/modules/natrouter.nix b/nix/os/modules/natrouter.nix index ed2c3bd..62af2a8 100644 --- a/nix/os/modules/natrouter.nix +++ b/nix/os/modules/natrouter.nix @@ -1,6 +1,9 @@ -{ lib, config, ... }: -with lib; { + lib, + config, + ... +}: +with lib; { # TODO # Provide a NAT/DHCP Router # diff --git a/nix/os/modules/opinionatedDisk.nix b/nix/os/modules/opinionatedDisk.nix index db2bbbf..dbe449b 100644 --- a/nix/os/modules/opinionatedDisk.nix +++ b/nix/os/modules/opinionatedDisk.nix @@ -4,17 +4,18 @@ pkgs, ... }: -with lib; -let +with lib; let cfg = config.hardware.opinionatedDisk; - ownLib = pkgs.callPackage ../lib/default.nix { }; + ownLib = pkgs.callPackage ../lib/default.nix {}; - earlyDiskId = cfg: if cfg.earlyDiskIdOverride != "" then cfg.earlyDiskIdOverride else cfg.diskId; -in -{ + earlyDiskId = cfg: + if cfg.earlyDiskIdOverride != "" + then cfg.earlyDiskIdOverride + else cfg.diskId; +in { options.hardware.opinionatedDisk = { enable = mkEnableOption "Enable opinionated filesystem layout"; - diskId = mkOption { type = types.str; }; + diskId = mkOption {type = types.str;}; encrypted = mkOption { default = true; type = types.bool; 
@@ -35,30 +36,31 @@ in fileSystems."/" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = [ "subvol=nixos" ]; + options = ["subvol=nixos"]; }; fileSystems."/home" = { device = ownLib.disk.rootFsDevice cfg.diskId; fsType = "btrfs"; - options = [ "subvol=home" ]; + options = ["subvol=home"]; }; - swapDevices = [ { device = ownLib.disk.swapFsDevice cfg.diskId; } ]; + swapDevices = [{device = ownLib.disk.swapFsDevice cfg.diskId;}]; boot.loader.grub = { device = ownLib.disk.bootGrubDevice (earlyDiskId cfg); enableCryptodisk = cfg.encrypted; }; - boot.initrd.luks.devices = lib.optionalAttrs cfg.encrypted ( - builtins.listToAttrs [ + boot.initrd.luks.devices = + lib.optionalAttrs cfg.encrypted + (builtins.listToAttrs [ { - name = - let - splitstring = builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); - lastelem = (builtins.length splitstring) - 1; - in + name = let + splitstring = + builtins.split "/" (ownLib.disk.bootLuksDevice cfg.diskId); + lastelem = (builtins.length splitstring) - 1; + in builtins.elemAt splitstring lastelem; value = { device = ownLib.disk.bootLuksDevice cfg.diskId; @@ -67,7 +69,6 @@ in allowDiscards = true; }; } - ] - ); + ]); }; } diff --git a/nix/os/profiles/common/configuration.nix b/nix/os/profiles/common/configuration.nix index 9a404e5..7c1f786 100644 --- a/nix/os/profiles/common/configuration.nix +++ b/nix/os/profiles/common/configuration.nix @@ -6,8 +6,7 @@ repoFlakeInputs', packages', ... -}: -{ +}: { imports = [ repoFlake.inputs.sops-nix.nixosModules.sops @@ -31,10 +30,7 @@ boot.tmp.useTmpfs = true; # Workaround for nm-pptp to enforce module load - boot.kernelModules = [ - "nf_conntrack_proto_gre" - "nf_conntrack_pptp" - ]; + boot.kernelModules = ["nf_conntrack_proto_gre" "nf_conntrack_pptp"]; nixpkgs.config = { allowBroken = false; diff --git a/nix/os/profiles/common/hw.nix b/nix/os/profiles/common/hw.nix index 7e5fb14..80bdc31 100644 --- a/nix/os/profiles/common/hw.nix 
+++ b/nix/os/profiles/common/hw.nix @@ -1,13 +1,5 @@ -{ ... }: -{ +{...}: { hardware.trackpoint.emulateWheel = true; - boot.initrd.availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "rtsx_pci_sdmmc" - "cryptd" - ]; + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" "cryptd"]; } diff --git a/nix/os/profiles/common/system.nix b/nix/os/profiles/common/system.nix index f38e9aa..f576a28 100644 --- a/nix/os/profiles/common/system.nix +++ b/nix/os/profiles/common/system.nix @@ -4,8 +4,7 @@ lib, nodeName, ... -}: -{ +}: { networking.hostName = builtins.elemAt (builtins.split "\\." nodeName) 0; # Define your hostname. networking.domain = builtins.elemAt (builtins.split "(^[^\\.]+\.)" nodeName) 2; @@ -16,13 +15,11 @@ ''; # Fonts, I18N, Date ... - fonts.packages = [ pkgs.corefonts ]; + fonts.packages = [pkgs.corefonts]; console.font = "lat9w-16"; - i18n = { - defaultLocale = "en_US.UTF-8"; - }; + i18n = {defaultLocale = "en_US.UTF-8";}; time.timeZone = "Etc/UTC"; services.gpm.enable = true; diff --git a/nix/os/profiles/common/user.nix b/nix/os/profiles/common/user.nix index 6c799c9..27b7427 100644 --- a/nix/os/profiles/common/user.nix +++ b/nix/os/profiles/common/user.nix @@ -3,8 +3,7 @@ pkgs, lib, ... -}: -let +}: let keys = import ../../../variables/keys.nix; inherit (import ../../lib/default.nix { @@ -17,8 +16,7 @@ let inherit (lib) types; cfg = config.users.commonUsers; -in -{ +in { options.users.commonUsers = { enable = lib.mkOption { default = true; 
@@ -41,53 +39,57 @@ in type = types.str; }; }; - config = lib.mkIf cfg.enable ( - lib.mkMerge [ - (lib.mkIf (cfg.installPassword == "") { - sops.secrets.sharedUsers-root = { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + config = lib.mkIf cfg.enable (lib.mkMerge [ + (lib.mkIf (cfg.installPassword == "") { + sops.secrets.sharedUsers-root = { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - neededForUsers = true; - format = "yaml"; - }; + sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + neededForUsers = true; + format = "yaml"; + }; - sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { - sopsFile = ../../../../secrets/shared-users.yaml; - # neededForUsers = true; - format = "yaml"; - }; - }) + sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot { + sopsFile = ../../../../secrets/shared-users.yaml; + # neededForUsers = true; + format = "yaml"; + }; + }) - { - users.mutableUsers = cfg.installPassword != ""; + { + users.mutableUsers = cfg.installPassword != ""; - users.users.root = lib.mkMerge [ - { openssh.authorizedKeys.keys = keys.users.steveej.openssh; } + users.users.root = lib.mkMerge [ + { + openssh.authorizedKeys.keys = keys.users.steveej.openssh; + } - (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) + (lib.mkIf (cfg.installPassword != "") { + password = cfg.installPassword; + }) - (lib.mkIf (cfg.installPassword == "") { hashedPasswordFile = cfg.rootPasswordFile; }) - ]; + (lib.mkIf (cfg.installPassword == "") { + hashedPasswordFile = cfg.rootPasswordFile; + }) + ]; - users.users.steveej = lib.mkIf cfg.enableNonRoot ( - mkUser ( - lib.mkMerge [ - { uid = 1000; } + users.users.steveej = lib.mkIf cfg.enableNonRoot 
(mkUser (lib.mkMerge [ + { + uid = 1000; + } - (lib.mkIf (cfg.installPassword != "") { password = cfg.installPassword; }) + (lib.mkIf (cfg.installPassword != "") { + password = cfg.installPassword; + }) - (lib.mkIf (cfg.installPassword == "") { - hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; - }) - ] - ) - ); - } - ] - ); + (lib.mkIf (cfg.installPassword == "") { + hashedPasswordFile = config.sops.secrets.sharedUsers-steveej.path; + }) + ])); + } + ]); } diff --git a/nix/os/profiles/containers/configuration.nix b/nix/os/profiles/containers/configuration.nix index 40fd3f4..28ebb64 100644 --- a/nix/os/profiles/containers/configuration.nix +++ b/nix/os/profiles/containers/configuration.nix @@ -3,23 +3,26 @@ pkgs, lib, ... -}: -{ +}: { networking.useHostResolvConf = false; networking.firewall.enable = true; networking.nftables.enable = true; networking.nftables.flushRuleset = true; - networking.nameservers = lib.mkForce [ hostAddress ]; + networking.nameservers = lib.mkForce [hostAddress]; - environment.systemPackages = [ pkgs.dnsutils ]; + environment.systemPackages = [ + pkgs.dnsutils + ]; imports = [ { # keep DNS set up to a minimum: only query the container host services.resolved.enable = lib.mkForce false; - networking.nameservers = [ hostAddress ]; + networking.nameservers = [ + hostAddress + ]; } ../../snippets/nix-settings.nix # ../../modules/ddclient-ovh.nix diff --git a/nix/os/profiles/graphical-gnome-xorg.nix b/nix/os/profiles/graphical-gnome-xorg.nix index a13dd07..bfd4036 100644 --- a/nix/os/profiles/graphical-gnome-xorg.nix +++ b/nix/os/profiles/graphical-gnome-xorg.nix @@ -1,5 +1,8 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + ... +}: { services.xserver = { enable = true; libinput.enable = true; 
@@ -95,11 +98,8 @@ support32Bit = true; }; - services.dbus.packages = with pkgs; [ dconf ]; + services.dbus.packages = with pkgs; [dconf]; # More Services - environment.systemPackages = [ - pkgs.gnome.adwaita-icon-theme - pkgs.gnomeExtensions.appindicator - ]; + environment.systemPackages = [pkgs.gnome.adwaita-icon-theme pkgs.gnomeExtensions.appindicator]; } diff --git a/nix/os/profiles/graphical/boot.nix b/nix/os/profiles/graphical/boot.nix index 4bf6ca4..91b4ae9 100644 --- a/nix/os/profiles/graphical/boot.nix +++ b/nix/os/profiles/graphical/boot.nix @@ -1,4 +1,5 @@ -{ config, ... }: -{ - boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback ]; +{config, ...}: { + boot.extraModulePackages = [ + config.boot.kernelPackages.v4l2loopback + ]; } diff --git a/nix/os/profiles/graphical/configuration.nix b/nix/os/profiles/graphical/configuration.nix index bc955f4..b9cf53e 100644 --- a/nix/os/profiles/graphical/configuration.nix +++ b/nix/os/profiles/graphical/configuration.nix @@ -1,8 +1,3 @@ -{ pkgs, ... }: -{ - imports = [ - ./boot.nix - ./system.nix - ./hw.nix - ]; +{pkgs, ...}: { + imports = [./boot.nix ./system.nix ./hw.nix]; } diff --git a/nix/os/profiles/graphical/hw.nix b/nix/os/profiles/graphical/hw.nix index 76ceacf..abb1e68 100644 --- a/nix/os/profiles/graphical/hw.nix +++ b/nix/os/profiles/graphical/hw.nix @@ -1,4 +1,3 @@ -{ ... }: -{ +{...}: { hardware.enableAllFirmware = true; } diff --git a/nix/os/profiles/graphical/system.nix b/nix/os/profiles/graphical/system.nix index 28e4504..ce49500 100644 --- a/nix/os/profiles/graphical/system.nix +++ b/nix/os/profiles/graphical/system.nix @@ -1,6 +1,11 @@ -{ pkgs, lib, ... }: { - imports = [ ../../snippets/bluetooth.nix ]; + pkgs, + lib, + ... +}: { + imports = [ + ../../snippets/bluetooth.nix + ]; networking.networkmanager = { enable = true; 
@@ -21,11 +26,7 @@ services.pcscd.enable = true; hardware.opengl.enable = true; - services.udev.packages = [ - pkgs.libu2f-host - pkgs.yubikey-personalization - pkgs.android-udev-rules - ]; + services.udev.packages = [pkgs.libu2f-host pkgs.yubikey-personalization pkgs.android-udev-rules]; services.udev.extraRules = '' # OnePlusOne ATTR{idVendor}=="05c6", ATTR{idProduct}=="6764", SYMLINK+="libmtp-%k", MODE="660", GROUP="audio", ENV{ID_MTP_DEVICE}="1", ENV{ID_MEDIA_PLAYER}="1", TAG+="uaccess" @@ -52,9 +53,6 @@ services.printing = { enable = true; - drivers = with pkgs; [ - mfcl3770cdwlpr - mfcl3770cdwcupswrapper - ]; + drivers = with pkgs; [mfcl3770cdwlpr mfcl3770cdwcupswrapper]; }; } diff --git a/nix/os/profiles/install-medium/iso/iso.nix b/nix/os/profiles/install-medium/iso/iso.nix index a32f3f6..394aece 100644 --- a/nix/os/profiles/install-medium/iso/iso.nix +++ b/nix/os/profiles/install-medium/iso/iso.nix @@ -5,26 +5,25 @@ pkgs, lib, ... -}: -let +}: let nixos-init-script = '' #!${pkgs.stdenv.shell} export HOME=/root export PATH=${ - pkgs.lib.makeBinPath [ - config.nix.package - pkgs.systemd - pkgs.gnugrep - pkgs.gnused - config.system.build.nixos-rebuild - config.system.build.nixos-install - pkgs.utillinux - pkgs.e2fsprogs - pkgs.coreutils - pkgs.hdparm - ] - }:$PATH + pkgs.lib.makeBinPath [ + config.nix.package + pkgs.systemd + pkgs.gnugrep + pkgs.gnused + config.system.build.nixos-rebuild + config.system.build.nixos-install + pkgs.utillinux + pkgs.e2fsprogs + pkgs.coreutils + pkgs.hdparm + ] + }:$PATH export NIX_PATH=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix:/nix/var/nix/profiles/per-user/root/channels set -xe @@ -62,8 +61,7 @@ let nixos-install reboot ''; -in -{ +in { imports = [ 
@@ -72,11 +70,13 @@ in # ]; - isoImage.isoName = lib.mkForce "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; + isoImage.isoName = + lib.mkForce + "${config.isoImage.isoBaseName}-${pkgs.stdenv.hostPlatform.system}.iso"; boot.loader.timeout = lib.mkForce 0; boot.postBootCommands = ""; - environment.systemPackages = [ ]; + environment.systemPackages = []; users.users.root = { openssh.authorizedKeys.keys = [ @@ -85,18 +85,18 @@ in }; services.gpm.enable = true; - systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ]; + systemd.services.sshd.wantedBy = lib.mkForce ["multi-user.target"]; systemd.services.nixos-init = { script = nixos-init-script; - path = with pkgs; [ ]; + path = with pkgs; []; description = "Initialize /dev/vda from configuration.nix found at /dev/vdb"; enable = true; - wantedBy = [ "multi-user.target" ]; - after = [ "multi-user.target" ]; - requires = [ "network-online.target" ]; + wantedBy = ["multi-user.target"]; + after = ["multi-user.target"]; + requires = ["network-online.target"]; restartIfChanged = false; unitConfig.X-StopOnRemoval = false; diff --git a/nix/os/profiles/removable-medium/boot.nix b/nix/os/profiles/removable-medium/boot.nix index 17a1dba..e0938bd 100644 --- a/nix/os/profiles/removable-medium/boot.nix +++ b/nix/os/profiles/removable-medium/boot.nix @@ -1,6 +1,5 @@ -{ lib, ... }: -{ +{lib, ...}: { boot.loader.grub.efiInstallAsRemovable = lib.mkForce true; boot.loader.efi.canTouchEfiVariables = lib.mkForce false; - boot.extraModulePackages = [ ]; + boot.extraModulePackages = []; } diff --git a/nix/os/profiles/removable-medium/configuration.nix b/nix/os/profiles/removable-medium/configuration.nix index ad7def0..95ca049 100644 --- a/nix/os/profiles/removable-medium/configuration.nix +++ b/nix/os/profiles/removable-medium/configuration.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { imports = [ ../../modules/opinionatedDisk.nix 
diff --git a/nix/os/profiles/removable-medium/hw.nix b/nix/os/profiles/removable-medium/hw.nix index c689541..17c16b0 100644 --- a/nix/os/profiles/removable-medium/hw.nix +++ b/nix/os/profiles/removable-medium/hw.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +{...}: { hardware.opinionatedDisk.enable = true; hardware.enableAllFirmware = true; } diff --git a/nix/os/profiles/removable-medium/pkg.nix b/nix/os/profiles/removable-medium/pkg.nix index d27081f..5a54115 100644 --- a/nix/os/profiles/removable-medium/pkg.nix +++ b/nix/os/profiles/removable-medium/pkg.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{pkgs, ...}: { home-manager.users.steveej = import ../../../home-manager/configuration/graphical-removable.nix { inherit pkgs; }; diff --git a/nix/os/profiles/removable-medium/system.nix b/nix/os/profiles/removable-medium/system.nix index 147ebec..7586a85 100644 --- a/nix/os/profiles/removable-medium/system.nix +++ b/nix/os/profiles/removable-medium/system.nix @@ -3,15 +3,11 @@ lib, pkgs, ... -}: -let -in -{ +}: let +in { services.illum.enable = true; - services.printing = { - enable = false; - }; + services.printing = {enable = false;}; services.spice-vdagentd.enable = true; services.qemuGuest.enable = true; diff --git a/nix/os/snippets/bluetooth.nix b/nix/os/snippets/bluetooth.nix index 754995f..a4cfeca 100644 --- a/nix/os/snippets/bluetooth.nix +++ b/nix/os/snippets/bluetooth.nix @@ -1,7 +1,10 @@ -{ pkgs, lib, ... }: { + pkgs, + lib, + ... +}: { # required for running blueman-applet in user sessions - services.dbus.packages = with pkgs; [ blueman ]; + services.dbus.packages = with pkgs; [blueman]; hardware.bluetooth.enable = true; services.blueman.enable = true; } diff --git a/nix/os/snippets/holo-zerotier.nix b/nix/os/snippets/holo-zerotier.nix index 24abf73..8ea2be5 100644 --- a/nix/os/snippets/holo-zerotier.nix +++ b/nix/os/snippets/holo-zerotier.nix 
@@ -1,15 +1,17 @@ -{ config, lib, ... }: -let - cfg = config.steveej.holo-zerotier; -in { + config, + lib, + ... +}: let + cfg = config.steveej.holo-zerotier; +in { options.steveej.holo-zerotier = { enable = lib.mkEnableOption "Enable holo-zerotier"; - autostart = lib.mkOption { default = false; }; + autostart = lib.mkOption {default = false;}; }; config = { - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "zerotierone" ]; + nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) ["zerotierone"]; services.zerotierone = { enable = cfg.enable; @@ -18,31 +20,29 @@ in ]; }; - systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); + systemd.services.zerotierone.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce []); systemd.services.zerotieroneSecretNetworks = { enable = cfg.enable; - requiredBy = [ "zerotierone.service" ]; - partOf = [ "zerotierone.service" ]; + requiredBy = ["zerotierone.service"]; + partOf = ["zerotierone.service"]; serviceConfig.Type = "oneshot"; serviceConfig.RemainAfterExit = true; - script = - let - secret = config.sops.secrets.zerotieroneNetworks; - in - '' - # include the secret's hash to trigger a restart on change - # ${builtins.hashString "sha256" (builtins.toJSON secret)} + script = let + secret = config.sops.secrets.zerotieroneNetworks; + in '' + # include the secret's hash to trigger a restart on change + # ${builtins.hashString "sha256" (builtins.toJSON secret)} - ${config.systemd.services.zerotierone.preStart} + ${config.systemd.services.zerotierone.preStart} - rm -rf /var/lib/zerotier-one/networks.d/*.conf - for network in `grep -v '#' ${secret.path}`; do - touch /var/lib/zerotier-one/networks.d/''${network}.conf - done - ''; + rm -rf /var/lib/zerotier-one/networks.d/*.conf + for network in `grep -v '#' ${secret.path}`; do + touch /var/lib/zerotier-one/networks.d/''${network}.conf + done + ''; }; sops.secrets.zerotieroneNetworks = { 
diff --git a/nix/os/snippets/home-manager-with-zsh.nix b/nix/os/snippets/home-manager-with-zsh.nix index 2b4646d..266a125 100644 --- a/nix/os/snippets/home-manager-with-zsh.nix +++ b/nix/os/snippets/home-manager-with-zsh.nix @@ -6,8 +6,7 @@ pkgs, lib, ... -}: -let +}: let # TODO: make this configurable homeUser = "steveej"; commonHomeImports = [ @@ -15,9 +14,10 @@ let ../../home-manager/programs/neovim.nix ../../home-manager/programs/zsh.nix ]; -in -{ - imports = [ nodeFlake.inputs.home-manager.nixosModules.home-manager ]; +in { + imports = [ + nodeFlake.inputs.home-manager.nixosModules.home-manager + ]; # TODO: investigate an issue with the "name" arg contained here, which causes problems with home-manager # home-manager.extraSpecialArgs = specialArgs; @@ -34,11 +34,15 @@ in home-manager.useGlobalPkgs = false; home-manager.useUserPackages = true; - home-manager.users.root = _: { imports = commonHomeImports; }; + home-manager.users.root = _: { + imports = commonHomeImports; + }; - home-manager.users."${homeUser}" = _: { imports = commonHomeImports; }; + home-manager.users."${homeUser}" = _: { + imports = commonHomeImports; + }; programs.zsh.enable = true; users.defaultUserShell = pkgs.zsh; - environment.pathsToLink = [ "/share/zsh" ]; + environment.pathsToLink = ["/share/zsh"]; } diff --git a/nix/os/snippets/k3s-w-nix-snapshotter.nix b/nix/os/snippets/k3s-w-nix-snapshotter.nix index f208ba7..d6f1279 100644 --- a/nix/os/snippets/k3s-w-nix-snapshotter.nix +++ b/nix/os/snippets/k3s-w-nix-snapshotter.nix @@ -7,14 +7,12 @@ system, config, ... -}: -let +}: let cfg = config.steveej.k3s; # TODO: make this configurable homeUser = "steveej"; -in -{ +in { options.steveej.k3s = { enable = lib.mkOption { description = "steveej's k3s distro"; 
@@ -24,11 +22,13 @@ in }; # (1) Import nixos module. - imports = [ nodeFlake.inputs.nix-snapshotter.nixosModules.default ]; + imports = [ + nodeFlake.inputs.nix-snapshotter.nixosModules.default + ]; config = lib.mkIf cfg.enable { # (2) Add overlay. - nixpkgs.overlays = [ nodeFlake.inputs.nix-snapshotter.overlays.default ]; + nixpkgs.overlays = [nodeFlake.inputs.nix-snapshotter.overlays.default]; # (3) Enable service. virtualisation.containerd = { diff --git a/nix/os/snippets/mycelium.nix b/nix/os/snippets/mycelium.nix index b3da3a2..6d211cf 100644 --- a/nix/os/snippets/mycelium.nix +++ b/nix/os/snippets/mycelium.nix @@ -6,12 +6,11 @@ system, lib, ... -}: -let +}: let cfg.autostart = false; -in -{ - imports = [ ]; +in { + imports = [ + ]; sops.secrets.mycelium-key = { format = "binary"; @@ -23,12 +22,14 @@ in # package = nodeFlake.inputs.mycelium.packages.${system}.myceliumd; keyFile = config.sops.secrets.mycelium-key.path; addHostedPublicNodes = true; - peers = [ ]; + peers = [ + ]; # tunName = "mycelium-pub"; - extraArgs = [ ]; + extraArgs = [ + ]; }; - systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce [ ]); + systemd.services.mycelium.wantedBy = lib.mkIf (!cfg.autostart) (lib.mkForce []); } diff --git a/nix/os/snippets/nix-settings-holo-chain.nix b/nix/os/snippets/nix-settings-holo-chain.nix index 32bdf73..d975cea 100644 --- a/nix/os/snippets/nix-settings-holo-chain.nix +++ b/nix/os/snippets/nix-settings-holo-chain.nix @@ -1,5 +1,4 @@ -{ pkgs, ... }: -{ +{pkgs, ...}: { nix.settings = { substituters = [ "https://holochain-ci.cachix.org" diff --git a/nix/os/snippets/nix-settings.nix b/nix/os/snippets/nix-settings.nix index 947e03b..4b7104e 100644 --- a/nix/os/snippets/nix-settings.nix +++ b/nix/os/snippets/nix-settings.nix 
@@ -3,17 +3,17 @@ pkgs, lib, ... -}: -let - pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable { inherit (pkgs) system config; }; -in -{ +}: let + pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;}; +in { nix.daemonCPUSchedPolicy = "idle"; nix.daemonIOSchedClass = "idle"; nix.settings.max-jobs = lib.mkDefault "auto"; nix.settings.cores = lib.mkDefault 0; nix.settings.sandbox = true; - nix.nixPath = [ "nixpkgs=${pkgs.path}" ]; + nix.nixPath = [ + "nixpkgs=${pkgs.path}" + ]; nix.settings.experimental-features = [ "nix-command" diff --git a/nix/os/snippets/obs-studio.nix b/nix/os/snippets/obs-studio.nix index 8a99fcb..c46305e 100644 --- a/nix/os/snippets/obs-studio.nix +++ b/nix/os/snippets/obs-studio.nix @@ -1,10 +1,10 @@ -{ config, ... }: -let +{config, ...}: let # TODO: make configurable homeUser = "steveej"; -in -{ - boot.extraModulePackages = [ config.boot.kernelPackages.v4l2loopback.out ]; +in { + boot.extraModulePackages = [ + config.boot.kernelPackages.v4l2loopback.out + ]; # Activate kernel modules (choose from built-ins and extra ones) boot.kernelModules = [ @@ -23,5 +23,9 @@ in security.polkit.enable = true; - home-manager.users.${homeUser} = _: { imports = [ ../../home-manager/programs/obs-studio.nix ]; }; + home-manager.users.${homeUser} = _: { + imports = [ + ../../home-manager/programs/obs-studio.nix + ]; + }; } diff --git a/nix/os/snippets/radicale.nix b/nix/os/snippets/radicale.nix index 48cd869..69628bf 100644 --- a/nix/os/snippets/radicale.nix +++ b/nix/os/snippets/radicale.nix @@ -4,12 +4,10 @@ pkgs, repoFlakeInputs', ... -}: -let +}: let # TODO: make configurable homeUser = "steveej"; -in -{ +in { sops.secrets.radicale_htpasswd = { sopsFile = ../../../secrets/desktop/radicale_htpasswd; format = "binary"; 
@@ -21,13 +19,11 @@ in # TODO: bump these to latest and make it work ( args: - import ../../home-manager/programs/radicale.nix ( - args - // { - osConfig = config; - pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; - } - ) + import ../../home-manager/programs/radicale.nix (args + // { + osConfig = config; + pkgs = repoFlakeInputs'.radicalePkgs.legacyPackages; + }) ) ]; }; diff --git a/nix/os/snippets/sway-desktop.nix b/nix/os/snippets/sway-desktop.nix index a40eb85..f8d21b0 100644 --- a/nix/os/snippets/sway-desktop.nix +++ b/nix/os/snippets/sway-desktop.nix @@ -3,12 +3,10 @@ lib, config, ... -}: -let +}: let # TODO: make this configurable homeUser = "steveej"; -in -{ +in { services.xserver.serverFlagsSection = '' Option "BlankTime" "0" Option "StandbyTime" "0" @@ -30,7 +28,7 @@ in # required by swaywm security.polkit.enable = true; - security.pam.services.swaylock = { }; + security.pam.services.swaylock = {}; # test these on https://mozilla.github.io/webrtc-landing/gum_test.html xdg.portal = { @@ -46,20 +44,18 @@ in screencast = { chooser_type = "dmenu"; # display the output as a list in favor of the default mouse selection - chooser_cmd = lib.getExe ( - pkgs.writeShellApplication { - name = "chooser_cmd"; - runtimeInputs = [ - pkgs.sway - pkgs.jq - pkgs.fuzzel - pkgs.gnused - ]; - text = '' - swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//' - ''; - } - ); + chooser_cmd = lib.getExe (pkgs.writeShellApplication { + name = "chooser_cmd"; + runtimeInputs = [ + pkgs.sway + pkgs.jq + pkgs.fuzzel + pkgs.gnused + ]; + text = '' + swaymsg -t get_outputs | jq '.[] | "\(.name)@\(.current_mode.width)x\(.current_mode.height) on \(.model)"' | sed 's/"//g' | fuzzel -d | sed 's/@.*//' + ''; + }); max_fps = 30; }; }; 
@@ -105,8 +101,8 @@ in # autologin steveej on tty1 # TODO: make user configurable systemd.services."autovt@tty1".description = "Autologin at the TTY1"; - systemd.services."autovt@tty1".after = [ "systemd-logind.service" ]; # without it user session not started and xorg can't be run from this tty - systemd.services."autovt@tty1".wantedBy = [ "multi-user.target" ]; + systemd.services."autovt@tty1".after = ["systemd-logind.service"]; # without it user session not started and xorg can't be run from this tty + systemd.services."autovt@tty1".wantedBy = ["multi-user.target"]; systemd.services."autovt@tty1".serviceConfig = { ExecStart = [ "" # override upstream default with an empty ExecStart @@ -116,21 +112,21 @@ in Type = "idle"; }; - programs = - let - steveejSwayOnTty1 = '' - if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then - exec sway - fi - ''; - in - { - bash.loginShellInit = steveejSwayOnTty1; - # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion - zsh.loginShellInit = steveejSwayOnTty1; - }; + programs = let + steveejSwayOnTty1 = '' + if test $(id --user steveej) = $(id -u) && test $(tty) = "/dev/tty1"; then + exec sway + fi + ''; + in { + bash.loginShellInit = steveejSwayOnTty1; + # TODO: only do this when zsh is enabled. first naiv attempt lead infinite recursion + zsh.loginShellInit = steveejSwayOnTty1; + }; home-manager.users."${homeUser}" = _: { - imports = [ ../../home-manager/profiles/sway-desktop.nix ]; + imports = [ + ../../home-manager/profiles/sway-desktop.nix + ]; }; } diff --git a/nix/os/snippets/systemd-resolved.nix b/nix/os/snippets/systemd-resolved.nix index f7c2301..3b8c145 100644 --- a/nix/os/snippets/systemd-resolved.nix +++ b/nix/os/snippets/systemd-resolved.nix @@ -1,5 +1,4 @@ -{ lib, ... }: -{ +{lib, ...}: { networking.nameservers = [ # https://dnsforge.de/ "176.9.93.198" 
@@ -13,12 +12,12 @@ services.resolved = { enable = true; dnssec = "true"; - domains = [ "~." ]; + domains = ["~."]; # TODO: figure out why "true" doesn't work dnsovertls = "opportunistic"; - fallbackDns = lib.mkForce [ ]; + fallbackDns = lib.mkForce []; # TODO: IPv6 # extraConfig = '' diff --git a/nix/os/snippets/timezone.nix b/nix/os/snippets/timezone.nix index 67db1e8..25aee48 100644 --- a/nix/os/snippets/timezone.nix +++ b/nix/os/snippets/timezone.nix @@ -1,7 +1,5 @@ -{ lib, ... }: -let +{lib, ...}: let passwords = import ../../variables/passwords.crypt.nix; -in -{ +in { time.timeZone = lib.mkDefault passwords.timeZone.stefan; } diff --git a/nix/pkgs/browserpass/default.nix b/nix/pkgs/browserpass/default.nix index 34a6977..5b13732 100644 --- a/nix/pkgs/browserpass/default.nix +++ b/nix/pkgs/browserpass/default.nix 
@@ -1,27 +1,27 @@ -with import { }; -stdenv.mkDerivation rec { - broken = true; +with import {}; + stdenv.mkDerivation rec { + broken = true; - name = "browserpass"; - version = "2.0.9"; + name = "browserpass"; + version = "2.0.9"; - src = fetchzip { - url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; - sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; - stripRoot = false; - }; + src = fetchzip { + url = "https://github.com/dannyvankooten/browserpass/releases/download/${version}/${name}-linux64.zip"; + sha256 = "1nygcfjhyrcvbdmz4hjphcnmr4lm9y24lpdkdcjix6vbsjs0hipw"; + stripRoot = false; + }; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ ]; - installPhase = '' - set -x - patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 + libPath = lib.makeLibraryPath []; + installPhase = '' + set -x + patchelf --set-interpreter ${glibc}/lib/ld-linux-x86-64.so.2 browserpass-linux64 - mkdir -p $out/bin - cp -a * $out/bin/ - # wrapProgram $out/bin/browserpass-linux64 \ - # --prefix LD_LIBRARY_PATH : "${libPath}" - # - ''; -} + mkdir -p $out/bin + cp -a * $out/bin/ + # wrapProgram $out/bin/browserpass-linux64 \ + # --prefix LD_LIBRARY_PATH : "${libPath}" + # + ''; + } diff --git a/nix/pkgs/dcpj4110dw/default.nix b/nix/pkgs/dcpj4110dw/default.nix index 93f59c7..8a4f6a6 100644 --- a/nix/pkgs/dcpj4110dw/default.nix +++ b/nix/pkgs/dcpj4110dw/default.nix @@ -16,8 +16,7 @@ file, proot, bash, -}: -let +}: let model = "dcpj4110dw"; version = "3.0.1-1"; src = fetchurl { @@ -25,16 +24,12 @@ let sha256 = "sha256-ryKDsSkabAD2X3WLmeqjdB3+4DXdJ0qUz3O64DV+ixw="; }; reldir = "opt/brother/Printers/${model}/"; -in -rec { +in rec { driver = pkgsi686Linux.stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [dpkg makeWrapper]; unpackPhase = "dpkg-deb -x $src $out"; 
@@ -50,18 +45,7 @@ rec { mv $out/${reldir}/lpd/filter${model} $out/${reldir}/lpd/.wrapped_filter${model} cat <<-EOF >$out/${reldir}/lpd/.wrapper_inner_filter${model} - export PATH=\$PATH:${ - lib.makeBinPath [ - gawk - file - a2ps - coreutils - ghostscript - gnugrep - gnused - which - ] - } + export PATH=\$PATH:${lib.makeBinPath [gawk file a2ps coreutils ghostscript gnugrep gnused which]} exec $out/${reldir}/lpd/.wrapped_filter${model} EOF chmod +x $out/${reldir}/lpd/.wrapper_inner_filter${model} @@ -80,13 +64,10 @@ rec { meta = { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; + sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; # license = lib.licenses.unfree; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; @@ -100,29 +81,14 @@ rec { name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; - buildInputs = [ - cups - ghostscript - a2ps - gawk - ]; + nativeBuildInputs = [dpkg makeWrapper]; + buildInputs = [cups ghostscript a2ps gawk]; unpackPhase = "dpkg-deb -x $src $out"; installPhase = '' wrapProgram $out/${reldir}/cupswrapper/cupswrapper${model} \ - --prefix PATH : ${ - lib.makeBinPath [ - coreutils - ghostscript - gnugrep - gnused - ] - } + --prefix PATH : ${lib.makeBinPath [coreutils ghostscript gnugrep gnused]} patchelf --set-interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ $out/${reldir}/cupswrapper/brcupsconfpt1 
@@ -134,13 +100,10 @@ rec { meta = { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; - sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; + sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; license = lib.licenses.gpl2; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; } diff --git a/nix/pkgs/default.nix b/nix/pkgs/default.nix index 78b37a6..6f114b2 100644 --- a/nix/pkgs/default.nix +++ b/nix/pkgs/default.nix @@ -1,6 +1,5 @@ -{ pkgs }: -{ - duplicacy = pkgs.callPackage ../pkgs/duplicacy { }; +{pkgs}: { + duplicacy = pkgs.callPackage ../pkgs/duplicacy {}; staruml = pkgs.callPackage ../pkgs/staruml.nix { inherit (pkgs.gnome2) GConf; libgcrypt = pkgs.libgcrypt_1_5; diff --git a/nix/pkgs/duplicacy/default.nix b/nix/pkgs/duplicacy/default.nix index b961a17..7a3fc19 100644 --- a/nix/pkgs/duplicacy/default.nix +++ b/nix/pkgs/duplicacy/default.nix @@ -1,4 +1,7 @@ -{ buildGoPackage, fetchFromGitHub }: +{ + buildGoPackage, + fetchFromGitHub, +}: buildGoPackage rec { name = "duplicay-${version}"; version = "2.1.2"; diff --git a/nix/pkgs/duplicacy/shell.nix b/nix/pkgs/duplicacy/shell.nix index 045572c..051e832 100644 --- a/nix/pkgs/duplicacy/shell.nix +++ b/nix/pkgs/duplicacy/shell.nix @@ -1,12 +1,12 @@ -with import { }; -stdenv.mkDerivation { - name = "env"; - buildInputs = [ - zsh - go - go2nix - dep2nix - nix-prefetch-github - (callPackage ./default.nix { }) - ]; -} +with import {}; + stdenv.mkDerivation { + name = "env"; + buildInputs = [ + zsh + go + go2nix + dep2nix + nix-prefetch-github + (callPackage ./default.nix {}) + ]; + } diff --git a/nix/pkgs/jay.nix b/nix/pkgs/jay.nix index 9a7b0e5..a4c2db4 100644 --- a/nix/pkgs/jay.nix +++ b/nix/pkgs/jay.nix 
@@ -31,6 +31,6 @@ rustPlatform.buildRustPackage rec { homepage = "https://github.com/mahkoh/jay"; license = licenses.gpl3; platforms = platforms.linux; - maintainers = with maintainers; [ dit7ya ]; + maintainers = with maintainers; [dit7ya]; }; } diff --git a/nix/pkgs/logseq/default.nix b/nix/pkgs/logseq/default.nix index b8176f3..159d03b 100644 --- a/nix/pkgs/logseq/default.nix +++ b/nix/pkgs/logseq/default.nix 
@@ -14,98 +14,85 @@ nix-update-script, overrideSrc ? null, }: -stdenv.mkDerivation ( - finalAttrs: - let - inherit (finalAttrs) - pname - version - src - appimageContents - ; - in - { - pname = "logseq"; - version = "0.10.9"; +stdenv.mkDerivation (finalAttrs: let + inherit (finalAttrs) pname version src appimageContents; +in { + pname = "logseq"; + version = "0.10.9"; - src = - if overrideSrc != null then - overrideSrc - else - (fetchurl { - url = "https://github.com/logseq/logseq/releases/download/${version}/logseq-linux-x64-${version}.AppImage"; - hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBe="; - name = "${pname}-${version}.AppImage"; - }); + src = + if overrideSrc != null + then overrideSrc + else + (fetchurl { + url = "https://github.com/logseq/logseq/releases/download/${version}/logseq-linux-x64-${version}.AppImage"; + hash = "sha256-F3YbqgvL04P0nXaIVkJlCq/z8hUE0M0UutkBs2omuBe="; + name = "${pname}-${version}.AppImage"; + }); - nativeBuildInputs = - [ makeWrapper ] - ++ lib.optionals stdenv.hostPlatform.isLinux [ autoPatchelfHook ] - ++ lib.optionals stdenv.hostPlatform.isDarwin [ unzip ]; - buildInputs = [ stdenv.cc.cc.lib ]; + nativeBuildInputs = + [makeWrapper] + ++ lib.optionals stdenv.hostPlatform.isLinux [autoPatchelfHook] + ++ lib.optionals stdenv.hostPlatform.isDarwin [unzip]; + buildInputs = [stdenv.cc.cc.lib]; - dontUnpack = stdenv.hostPlatform.isLinux; - dontConfigure = true; - dontBuild = true; + dontUnpack = stdenv.hostPlatform.isLinux; + dontConfigure = true; + dontBuild = true; - installPhase = + installPhase = + '' + runHook preInstall + '' + + lib.optionalString stdenv.hostPlatform.isLinux ( + let + appimageContents = appimageTools.extract {inherit pname src version;}; + in '' + mkdir -p $out/bin $out/share/logseq $out/share/applications + cp -a ${appimageContents}/{locales,resources} $out/share/logseq + cp -a ${appimageContents}/Logseq.desktop $out/share/applications/logseq.desktop + + # remove the `git` in `dugite` because we 
want the `git` in `nixpkgs` + chmod +w -R $out/share/logseq/resources/app/node_modules/dugite/git + chmod +w $out/share/logseq/resources/app/node_modules/dugite + rm -rf $out/share/logseq/resources/app/node_modules/dugite/git + chmod -w $out/share/logseq/resources/app/node_modules/dugite + + mkdir -p $out/share/pixmaps + ln -s $out/share/logseq/resources/app/icons/logseq.png $out/share/pixmaps/logseq.png + + substituteInPlace $out/share/applications/logseq.desktop \ + --replace Exec=Logseq Exec=logseq \ + --replace Icon=Logseq Icon=logseq '' - runHook preInstall - '' - + lib.optionalString stdenv.hostPlatform.isLinux ( - let - appimageContents = appimageTools.extract { inherit pname src version; }; - in - '' - mkdir -p $out/bin $out/share/logseq $out/share/applications - cp -a ${appimageContents}/{locales,resources} $out/share/logseq - cp -a ${appimageContents}/Logseq.desktop $out/share/applications/logseq.desktop - - # remove the `git` in `dugite` because we want the `git` in `nixpkgs` - chmod +w -R $out/share/logseq/resources/app/node_modules/dugite/git - chmod +w $out/share/logseq/resources/app/node_modules/dugite - rm -rf $out/share/logseq/resources/app/node_modules/dugite/git - chmod -w $out/share/logseq/resources/app/node_modules/dugite - - mkdir -p $out/share/pixmaps - ln -s $out/share/logseq/resources/app/icons/logseq.png $out/share/pixmaps/logseq.png - - substituteInPlace $out/share/applications/logseq.desktop \ - --replace Exec=Logseq Exec=logseq \ - --replace Icon=Logseq Icon=logseq - '' - ) - + lib.optionalString stdenv.hostPlatform.isDarwin '' - mkdir -p $out/{Applications/Logseq.app,bin} - cp -R . 
$out/Applications/Logseq.app - makeWrapper $out/Applications/Logseq.app/Contents/MacOS/Logseq $out/bin/logseq - '' - + '' - runHook postInstall - ''; - - postFixup = lib.optionalString stdenv.hostPlatform.isLinux '' - # set the env "LOCAL_GIT_DIRECTORY" for dugite so that we can use the git in nixpkgs - makeWrapper ${electron_27}/bin/electron $out/bin/logseq \ - --set "LOCAL_GIT_DIRECTORY" ${git} \ - --add-flags $out/share/logseq/resources/app \ - --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" + ) + + lib.optionalString stdenv.hostPlatform.isDarwin '' + mkdir -p $out/{Applications/Logseq.app,bin} + cp -R . $out/Applications/Logseq.app + makeWrapper $out/Applications/Logseq.app/Contents/MacOS/Logseq $out/bin/logseq + '' + + '' + runHook postInstall ''; - passthru.updateScript = nix-update-script { }; + postFixup = lib.optionalString stdenv.hostPlatform.isLinux '' + # set the env "LOCAL_GIT_DIRECTORY" for dugite so that we can use the git in nixpkgs + makeWrapper ${electron_27}/bin/electron $out/bin/logseq \ + --set "LOCAL_GIT_DIRECTORY" ${git} \ + --add-flags $out/share/logseq/resources/app \ + --add-flags "\''${NIXOS_OZONE_WL:+\''${WAYLAND_DISPLAY:+--ozone-platform-hint=auto --enable-features=WaylandWindowDecorations}}" + ''; - meta = { - description = "Local-first, non-linear, outliner notebook for organizing and sharing your personal knowledge base"; - homepage = "https://github.com/logseq/logseq"; - changelog = "https://github.com/logseq/logseq/releases/tag/${version}"; - license = lib.licenses.agpl3Plus; - sourceProvenance = with lib.sourceTypes; [ binaryNativeCode ]; - maintainers = with lib.maintainers; [ cheeseecake ]; - platforms = [ - "x86_64-linux" - "aarch64-linux" - ] ++ lib.platforms.darwin; - mainProgram = "logseq"; - }; - } -) + passthru.updateScript = nix-update-script {}; + + meta = { + description = "Local-first, non-linear, outliner notebook for organizing and 
sharing your personal knowledge base"; + homepage = "https://github.com/logseq/logseq"; + changelog = "https://github.com/logseq/logseq/releases/tag/${version}"; + license = lib.licenses.agpl3Plus; + sourceProvenance = with lib.sourceTypes; [binaryNativeCode]; + maintainers = with lib.maintainers; [cheeseecake]; + platforms = ["x86_64-linux" "aarch64-linux"] ++ lib.platforms.darwin; + mainProgram = "logseq"; + }; +}) diff --git a/nix/pkgs/magmawm.nix b/nix/pkgs/magmawm.nix index 2676b77..2d4c335 100644 --- a/nix/pkgs/magmawm.nix +++ b/nix/pkgs/magmawm.nix @@ -18,7 +18,9 @@ craneLib.buildPackage { pname = "magmawm"; version = src.rev; - nativeBuildInputs = [ pkg-config ]; + nativeBuildInputs = [ + pkg-config + ]; buildInputs = [ wayland @@ -43,6 +45,6 @@ craneLib.buildPackage { homepage = "https://github.com/MagmaWM/MagmaWM"; license = licenses.gpl3; platforms = platforms.linux; - maintainers = with maintainers; [ ]; + maintainers = with maintainers; []; }; } diff --git a/nix/pkgs/mfcl3770cdw.nix b/nix/pkgs/mfcl3770cdw.nix index 142c1c0..5c04cbf 100644 --- a/nix/pkgs/mfcl3770cdw.nix +++ b/nix/pkgs/mfcl3770cdw.nix @@ -11,8 +11,7 @@ which, perl, lib, -}: -let +}: let model = "mfcl3770cdw"; version = "1.0.2-0"; src = fetchurl { @@ -20,16 +19,12 @@ let sha256 = "09fhbzhpjymhkwxqyxzv24b06ybmajr6872yp7pri39595mhrvay"; }; reldir = "opt/brother/Printers/${model}/"; -in -rec { +in rec { driver = stdenv.mkDerivation rec { inherit src version; name = "${model}drv-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [dpkg makeWrapper]; unpackPhase = "dpkg-deb -x $src $out"; 
@@ -41,14 +36,8 @@ rec { --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/lpd/filter_${model} \ --prefix PATH : ${ - lib.makeBinPath [ - coreutils - ghostscript - gnugrep - gnused - which - ] - } + lib.makeBinPath [coreutils ghostscript gnugrep gnused which] + } # need to use i686 glibc here, these are 32bit proprietary binaries interpreter=${pkgsi686Linux.glibc}/lib/ld-linux.so.2 patchelf --set-interpreter "$interpreter" $dir/lpd/brmfcl3770cdwfilter @@ -58,11 +47,8 @@ rec { description = "Brother ${lib.strings.toUpper model} driver"; homepage = "http://www.brother.com/"; license = lib.licenses.unfree; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; @@ -70,10 +56,7 @@ rec { inherit version src; name = "${model}cupswrapper-${version}"; - nativeBuildInputs = [ - dpkg - makeWrapper - ]; + nativeBuildInputs = [dpkg makeWrapper]; unpackPhase = "dpkg-deb -x $src $out"; @@ -85,13 +68,7 @@ rec { --replace "basedir =~" "basedir = \"$basedir\"; #" \ --replace "PRINTER =~" "PRINTER = \"${model}\"; #" wrapProgram $dir/cupswrapper/brother_lpdwrapper_${model} \ - --prefix PATH : ${ - lib.makeBinPath [ - coreutils - gnugrep - gnused - ] - } + --prefix PATH : ${lib.makeBinPath [coreutils gnugrep gnused]} mkdir -p $out/lib/cups/filter mkdir -p $out/share/cups/model ln $dir/cupswrapper/brother_lpdwrapper_${model} $out/lib/cups/filter @@ -102,11 +79,8 @@ rec { description = "Brother ${lib.strings.toUpper model} CUPS wrapper driver"; homepage = "http://www.brother.com/"; license = lib.licenses.gpl2; - platforms = [ - "x86_64-linux" - "i686-linux" - ]; - maintainers = [ lib.maintainers.steveej ]; + platforms = ["x86_64-linux" "i686-linux"]; + maintainers = [lib.maintainers.steveej]; }; }; } diff --git a/nix/pkgs/nozbe/default.nix b/nix/pkgs/nozbe/default.nix index e5ac519..368add8 100644 --- a/nix/pkgs/nozbe/default.nix 
+++ b/nix/pkgs/nozbe/default.nix @@ -1,60 +1,60 @@ -with import { }; -stdenv.mkDerivation rec { - name = "nozbe"; - version = "3.6.3"; +with import {}; + stdenv.mkDerivation rec { + name = "nozbe"; + version = "3.6.3"; - src = fetchzip { - url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; - sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; - stripRoot = false; - }; + src = fetchzip { + url = "https://files.nozbe.com/linux/linux64_newest.tar.gz"; + sha256 = "08hag0kv23psqa1pl9kardz90scgk21rsr5xxfg8jvmnxy2nc858"; + stripRoot = false; + }; - buildInputs = [ makeWrapper ]; + buildInputs = [makeWrapper]; - buildPhase = ":"; + buildPhase = ":"; - libPath = lib.makeLibraryPath [ - alsaLib - atk - cairo - cups - dbus - expat - freetype - fontconfig - gnome3.gconf - gcc.cc - gdk_pixbuf - gtk2-x11 - glib - pango - nss - nspr - systemd.lib - xorg.libX11 - xorg.libXcursor - xorg.libXcomposite - xorg.libXext - xorg.libXfixes - xorg.libXdamage - xorg.libXi - xorg.libXrandr - xorg.libXrender - xorg.libXtst - xorg.libXScrnSaver - ]; - installPhase = '' - pushd Nozbe-${version} - ls -lha + libPath = lib.makeLibraryPath [ + alsaLib + atk + cairo + cups + dbus + expat + freetype + fontconfig + gnome3.gconf + gcc.cc + gdk_pixbuf + gtk2-x11 + glib + pango + nss + nspr + systemd.lib + xorg.libX11 + xorg.libXcursor + xorg.libXcomposite + xorg.libXext + xorg.libXfixes + xorg.libXdamage + xorg.libXi + xorg.libXrandr + xorg.libXrender + xorg.libXtst + xorg.libXScrnSaver + ]; + installPhase = '' + pushd Nozbe-${version} + ls -lha - patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe + patchelf --set-interpreter ${stdenv.glibc}/lib/ld-linux-x86-64.so.2 Nozbe - mkdir -p $out/bin - cp -a * $out/ + mkdir -p $out/bin + cp -a * $out/ - wrapProgram $out/Nozbe \ - --prefix LD_LIBRARY_PATH : "${libPath}" + wrapProgram $out/Nozbe \ + --prefix LD_LIBRARY_PATH : "${libPath}" - ln -sf ../Nozbe $out/bin/ - ''; -} + ln -sf ../Nozbe $out/bin/ + ''; + } 
diff --git a/nix/pkgs/posh.nix b/nix/pkgs/posh.nix index b7ad5cb..4d993ba 100644 --- a/nix/pkgs/posh.nix +++ b/nix/pkgs/posh.nix @@ -1,44 +1,42 @@ # posh makes use of podman to run an encapsulated shell session -{ pkgs, ... }: -let - cniConfigDir = - let - loopback = pkgs.writeText "00-loopback.conf" '' - { - "cniVersion": "0.3.0", - "type": "loopback" - } - ''; +{pkgs, ...}: let + cniConfigDir = let + loopback = pkgs.writeText "00-loopback.conf" '' + { + "cniVersion": "0.3.0", + "type": "loopback" + } + ''; - podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' - { - "cniVersion": "0.3.0", - "name": "podman", - "plugins": [ - { - "type": "bridge", - "bridge": "cni0", - "isGateway": true, - "ipMasq": true, - "ipam": { - "type": "host-local", - "subnet": "10.88.0.0/16", - "routes": [ - { "dst": "0.0.0.0/0" } - ] - } - }, - { - "type": "portmap", - "capabilities": { - "portMappings": true - } + podman-bridge = pkgs.writeText "87-podman-bridge.conflist" '' + { + "cniVersion": "0.3.0", + "name": "podman", + "plugins": [ + { + "type": "bridge", + "bridge": "cni0", + "isGateway": true, + "ipMasq": true, + "ipam": { + "type": "host-local", + "subnet": "10.88.0.0/16", + "routes": [ + { "dst": "0.0.0.0/0" } + ] } - ] - } - ''; - in - pkgs.runCommand "cniConfig" { } '' + }, + { + "type": "portmap", + "capabilities": { + "portMappings": true + } + } + ] + } + ''; + in + pkgs.runCommand "cniConfig" {} '' set -x mkdir $out; ln -s ${loopback} $out/${loopback.name} 
@@ -127,58 +125,54 @@ let } ''; in -{ - image, - pull ? "always", - global_args ? "", - run_args ? "", - userns ? "keep-id", -}: -(pkgs.writeScriptBin "posh" '' - #! ${pkgs.bash}/bin/bash - source /etc/profile + { + image, + pull ? "always", + global_args ? "", + run_args ? "", + userns ? "keep-id", + }: + (pkgs.writeScriptBin "posh" '' + #! ${pkgs.bash}/bin/bash + source /etc/profile - test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" - tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" + test -S "$SSH_AUTH_SOCK" && ssh="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK" + tty -s && tty="-t" entrypoint=--entrypoint='["/usr/bin/env","bash","-il"]' || quiet="-q" - # define these as variables so we can override them at runtime - POSH_IMAGE=${image} - POSH_PULL=${pull} + # define these as variables so we can override them at runtime + POSH_IMAGE=${image} + POSH_PULL=${pull} - if [ "$1" == "-c" ]; then - # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string - shift - # TODO parse the beginning of the command for POSH_* overrides - fi + if [ "$1" == "-c" ]; then + # We've most likely been spawned by sshd and are interested in $2 whitch contains the command string + shift + # TODO parse the beginning of the command for POSH_* overrides + fi - test "$@" && cmd=( -c "$@") + test "$@" && cmd=( -c "$@") - HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" - HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" - test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR - ln -sf ${policy-json} $HOME_POLICY_JSON + HOME_CONTAINERS_CONFIGDIR="$HOME/.config/containers" + HOME_POLICY_JSON="$HOME_CONTAINERS_CONFIGDIR/policy.json" + test -d $HOME_CONTAINERS_CONFIGIDR || mkdir $HOME_CONTAINERS_CONFIGIDR + ln -sf ${policy-json} $HOME_POLICY_JSON - set -x - exec ${pkgs.podman}/bin/podman \ - --cgroup-manager=cgroupfs \ - ${global_args} \ - run \ - 
--annotation=io.crun.keep_original_groups=1 \ - --config ${podmanConfig} \ - --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ - --rm -i --network host --pull=''${POSH_PULL} \ - $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ - ${if userns != null then "--userns=" + userns else ""} \ - ${run_args} \ - ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" -'').overrideAttrs - ( - attrs: - attrs - // { - passthru = { - shellPath = "/bin/posh"; - }; - } - ) + set -x + exec ${pkgs.podman}/bin/podman \ + --cgroup-manager=cgroupfs \ + ${global_args} \ + run \ + --annotation=io.crun.keep_original_groups=1 \ + --config ${podmanConfig} \ + --conmon ${pkgs.conmon}/bin/conmon --runtime ${pkgs.crun}/bin/crun \ + --rm -i --network host --pull=''${POSH_PULL} \ + $tty $ssh -e HOME -v $HOME:$HOME -w $HOME \ + ${ + if userns != null + then "--userns=" + userns + else "" + } \ + ${run_args} \ + ''${POSH_IMAGE} /usr/bin/env bash -l "''${cmd[@]}" + '') + .overrideAttrs (attrs: attrs // {passthru = {shellPath = "/bin/posh";};}) diff --git a/nix/pkgs/slirp4netns.nix b/nix/pkgs/slirp4netns.nix index 5e50ecf..ffcc730 100644 --- a/nix/pkgs/slirp4netns.nix +++ b/nix/pkgs/slirp4netns.nix @@ -18,13 +18,7 @@ stdenv.mkDerivation rec { sha256 = "0kqncza4kgqkqiki569j7ym9pvp7879i6q2z0djvda9y0i6b80w4"; }; - buildInputs = [ - autoconf - automake - libtool - gnumake - gcc - ]; + buildInputs = [autoconf automake libtool gnumake gcc]; configurePhase = '' ./autogen.sh @@ -43,7 +37,7 @@ stdenv.mkDerivation rec { description = "User-mode networking for unprivileged network namespaces"; homepage = "https://github.com/rootless-containers/slirp4netns"; license = null; - maintainers = [ maintainers.steveej ]; + maintainers = [maintainers.steveej]; platforms = platforms.all; }; } diff --git a/nix/pkgs/staruml.nix b/nix/pkgs/staruml.nix index 35399ad..a0e9d90 100644 --- a/nix/pkgs/staruml.nix +++ b/nix/pkgs/staruml.nix 
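Review bot: The reformatted script still reads an undefined variable on its new side: `HOME_CONTAINERS_CONFIGDIR` is assigned, but the next line tests and creates `$HOME_CONTAINERS_CONFIGIDR` (misspelled), so `test -d ""` fails, `mkdir ""` errors out, and when `~/.config/containers` does not already exist the following `ln -sf ${policy-json} $HOME_POLICY_JSON` fails too. As far as the hunk shows the script never enables `set -e`, so podman is then exec'd anyway with whatever `policy.json` it finds elsewhere rather than the one this package pins, which defeats the purpose of linking it. I would change the line to `test -d "$HOME_CONTAINERS_CONFIGDIR" || mkdir -p "$HOME_CONTAINERS_CONFIGDIR"` and quote the target in `ln -sf ${policy-json} "$HOME_POLICY_JSON"`. While touching it, the comment typo `whitch` should read `which`.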
@@ -15,8 +15,7 @@ libgcrypt, dbus, systemd, -}: -let +}: let inherit (stdenv) lib; LD_LIBRARY_PATH = lib.makeLibraryPath [ glib 
@@ -31,56 +30,55 @@ let dbus ]; in -stdenv.mkDerivation rec { - version = "2.8.1"; - name = "staruml-${version}"; + stdenv.mkDerivation rec { + version = "2.8.1"; + name = "staruml-${version}"; - src = - if stdenv.system == "i686-linux" then - fetchurl { - url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; - sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; - } - else - fetchurl { - url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; - sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; - }; + src = + if stdenv.system == "i686-linux" + then + fetchurl + { + url = "http://staruml.io/download/release/v${version}/StarUML-v${version}-32-bit.deb"; + sha256 = "0vb3k9m3l6pmsid4shlk0xdjsriq3gxzm8q7l04didsppg0vvq1n"; + } + else + fetchurl { + url = "https://s3.amazonaws.com/staruml-bucket/releases-v2/StarUML-v${version}-64-bit.deb"; + sha256 = "05gzrnlssjkhyh0wv019d4r7p40lxnsa1sghazll6f233yrqmxb0"; + }; - buildInputs = [ dpkg ]; + buildInputs = [dpkg]; - nativeBuildInputs = [ makeWrapper ]; + nativeBuildInputs = [makeWrapper]; - unpackPhase = '' - mkdir pkg - dpkg-deb -x $src pkg - sourceRoot=pkg - ''; + unpackPhase = '' + mkdir pkg + dpkg-deb -x $src pkg + sourceRoot=pkg + ''; - installPhase = '' - mkdir $out - mv opt/staruml $out/bin + installPhase = '' + mkdir $out + mv opt/staruml $out/bin - mkdir -p $out/lib - ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ - ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 + mkdir -p $out/lib + ln -s ${stdenv.cc.cc.lib}/lib/libstdc++.so.6 $out/lib/ + ln -s ${systemd.lib}/lib/libudev.so.1 $out/lib/libudev.so.0 - for binary in StarUML Brackets-node; do - ${patchelf}/bin/patchelf \ - --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - $out/bin/$binary - wrapProgram $out/bin/$binary \ - --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} - done - ''; + for binary in StarUML Brackets-node; do + 
${patchelf}/bin/patchelf \ + --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ + $out/bin/$binary + wrapProgram $out/bin/$binary \ + --prefix LD_LIBRARY_PATH : $out/lib:${LD_LIBRARY_PATH} + done + ''; - meta = with stdenv.lib; { - description = "A sophisticated software modeler"; - homepage = "http://staruml.io/"; - license = licenses.unfree; - platforms = [ - "i686-linux" - "x86_64-linux" - ]; - }; -} + meta = with stdenv.lib; { + description = "A sophisticated software modeler"; + homepage = "http://staruml.io/"; + license = licenses.unfree; + platforms = ["i686-linux" "x86_64-linux"]; + }; + } diff --git a/nix/home-manager/programs/vscode/nix4vscode/config.toml b/nix/scripts/nix4vscode/config.toml similarity index 58% rename from nix/home-manager/programs/vscode/nix4vscode/config.toml rename to nix/scripts/nix4vscode/config.toml index 38f9978..55c54da 100644 --- a/nix/home-manager/programs/vscode/nix4vscode/config.toml +++ b/nix/scripts/nix4vscode/config.toml @@ -3,7 +3,3 @@ vscode_version = "1.94.2" [[extensions]] publisher_name = "FelixZeller" extension_name = "markdown-oxide" - -[[extensions]] -publisher_name = "ibecker" -extension_name = "treefmt-vscode" diff --git a/nix/tests/buildvmwithbootloader/build-vm.nix b/nix/tests/buildvmwithbootloader/build-vm.nix index 62dc948..be819b6 100644 --- a/nix/tests/buildvmwithbootloader/build-vm.nix +++ b/nix/tests/buildvmwithbootloader/build-vm.nix 
@@ -3,15 +3,20 @@ vmPkgsPath, buildPkgsPath, nixosConfigPath, -}: -let - buildPkgs = import buildPkgsPath { }; - vmPkgs' = import vmPkgsPath { }; - vmPkgs = vmPkgs' // { - runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; - }; +}: let + buildPkgs = import buildPkgsPath {}; + vmPkgs' = import vmPkgsPath {}; + vmPkgs = + vmPkgs' + // { + runtimeShell = "${vmPkgs'.bash}/${vmPkgs'.bash.shellPath}"; + }; - importWithPkgs = { path, pkgs }: args: import path (args // { inherit pkgs; }); + importWithPkgs = { + path, + pkgs, + }: args: + import path (args // {inherit pkgs;}); nixosConfig = importWithPkgs { path = "${nixosConfigPath}"; @@ -31,10 +36,8 @@ let modules = [ nixosConfig vmConfig - { virtualisation.useBootLoader = true; } + {virtualisation.useBootLoader = true;} ]; - }).config; -in -{ - vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm; -} + }) + .config; +in {vmWithBootLoaderMixed = vmWithBootLoaderConfigMixed.system.build.vm;} diff --git a/nix/tests/buildvmwithbootloader/configuration.nix b/nix/tests/buildvmwithbootloader/configuration.nix index bf197d0..92072fe 100644 --- a/nix/tests/buildvmwithbootloader/configuration.nix +++ b/nix/tests/buildvmwithbootloader/configuration.nix @@ -1,7 +1,9 @@ -{ pkgs, lib, ... }: -let -in { + pkgs, + lib, + ... +}: let +in { boot.loader.grub = { enable = true; version = 2; @@ -20,23 +22,13 @@ in allowDiscards = true; } ]; - fileSystems."/" = { - label = "root"; - }; + fileSystems."/" = {label = "root";}; - fileSystems."/boot" = { - label = "boot"; - }; + fileSystems."/boot" = {label = "boot";}; boot.tmpOnTmpfs = true; - boot.initrd.availableKernelModules = [ - "xhci_pci" - "ahci" - "usb_storage" - "sd_mod" - "rtsx_pci_sdmmc" - ]; + boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc"]; users.extraUsers.root.initialPassword = lib.mkForce "toorroot"; users.mutableUsers = false; 
diff --git a/nix/tests/test-vm.nix b/nix/tests/test-vm.nix
index ebbdb46..55053e2 100644
--- a/nix/tests/test-vm.nix
+++ b/nix/tests/test-vm.nix
@@ -4,8 +4,7 @@
   pkgs,
   fetchgit,
   ...
-}:
-{
+}: {
   boot.consoleLogLevel = 6;
   users.users.root.initialPassword = "root";
   systemd.services."serial-getty@ttyS0".enable = true;
diff --git a/nix/variables/passwords.crypt.nix b/nix/variables/passwords.crypt.nix
index 91d2eb6..3edf90a 100644
Binary files a/nix/variables/passwords.crypt.nix and b/nix/variables/passwords.crypt.nix differ
diff --git a/nix/variables/versions.nix b/nix/variables/versions.nix
index 6d441a6..535d7d3 100644
--- a/nix/variables/versions.nix
+++ b/nix/variables/versions.nix
@@ -2,28 +2,29 @@ let
   nixpkgs = {
     url = "https://github.com/NixOS/nixpkgs/";
     ref = "nixos-22.11";
-    rev = ''5b7cd5c39befee629be284970415b6eb3b0ff000'';
+    rev = ''
+      5b7cd5c39befee629be284970415b6eb3b0ff000'';
   };
-in
-{
+in {
   inherit nixpkgs;
-  nixos = nixpkgs // {
-    suffix = "/nixos";
-  };
+  nixos = nixpkgs // {suffix = "/nixos";};
   "channels-nixos-stable" = nixpkgs;
   "channels-nixos-unstable" = {
     url = "https://github.com/NixOS/nixpkgs/";
     ref = "nixos-unstable";
-    rev = ''4bb072f0a8b267613c127684e099a70e1f6ff106'';
+    rev = ''
+      4bb072f0a8b267613c127684e099a70e1f6ff106'';
   };
   "nixpkgs-master" = {
     url = "https://github.com/NixOS/nixpkgs/";
     ref = "master";
-    rev = ''a8636efe2df64047cd58898010a72f73efd56722'';
+    rev = ''
+      a8636efe2df64047cd58898010a72f73efd56722'';
   };
   "home-manager-module" = {
     url = "https://github.com/nix-community/home-manager";
     ref = "release-22.11";
-    rev = ''83110c259889230b324bb2d35bef78bf5f214a1f'';
+    rev = ''
+      83110c259889230b324bb2d35bef78bf5f214a1f'';
   };
 }
diff --git a/nix/variables/versions.tmpl.nix b/nix/variables/versions.tmpl.nix
index 66e90e3..e0734f1 100644
--- a/nix/variables/versions.tmpl.nix
+++ b/nix/variables/versions.tmpl.nix
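Review bot: Splitting each pinned `rev` into a two-line indented string (`rev = ''` followed by the hash on its own line) is fragile for a value that selects which nixpkgs and home-manager revisions get fetched: the result is only still the bare hash because Nix drops the leading newline and strips common indentation from `''` strings, and a reader or a later formatter pass can easily introduce a trailing newline or stray whitespace that changes what is fetched without any visible error in this file. A plain double-quoted string makes the intent unambiguous, e.g. `rev = "5b7cd5c39befee629be284970415b6eb3b0ff000";`, and the same applies to the other three `rev` entries in the hunk. The file also appears to be generated from `versions.tmpl.nix` (the `git ls-remote ... | tr -d ' '` template in the next hunk), so unless the template is changed to emit the same shape, the next regeneration will undo this formatting; it may be simpler to exclude the generated file from the formatter.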
@@ -6,12 +6,9 @@ let
     <% git ls-remote https://github.com/nixos/nixpkgs nixos-22.11 | awk '{ print $1 }' | tr -d ' ' -%>'';
   };
-in
-{
+in {
   inherit nixpkgs;
-  nixos = nixpkgs // {
-    suffix = "/nixos";
-  };
+  nixos = nixpkgs // {suffix = "/nixos";};
   "channels-nixos-stable" = nixpkgs;
   "channels-nixos-unstable" = {
     url = "https://github.com/NixOS/nixpkgs/";