steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: steveej:5d5282a914dae64cee17f70d2f9b0541cb3e0711
Branches Tags
steveej:master
steveej:WIP-router0-nfmnk-tunnels
steveej:wip
steveej:wip-bpir3
steveej:pr_htz0
steveej:evolution_decsync
steveej:t14_relabel
steveej:t14_new_drive
steveej:srv0_drivechange
steveej:staging-steveej
steveej:pa600-unused
steveej:pr/odroidh2p-0
..
compare: steveej:b60a4e2b535cf0bdf3731ed497700c013db35f52
Branches Tags
steveej:master
steveej:WIP-router0-nfmnk-tunnels
steveej:wip
steveej:wip-bpir3
steveej:pr_htz0
steveej:evolution_decsync
steveej:t14_relabel
steveej:t14_new_drive
steveej:srv0_drivechange
steveej:staging-steveej
steveej:pa600-unused
steveej:pr/odroidh2p-0

No commits in common. "5d5282a914dae64cee17f70d2f9b0541cb3e0711" and "b60a4e2b535cf0bdf3731ed497700c013db35f52" have entirely different histories.
5d5282a914 ... b60a4e2b53

214 changed files with 4425 additions and 5053 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitignore vendored
View file

@ -4,6 +4,3 @@
.env
**/result
.direnv/
# nixago: ignore-linked-files
/treefmt.toml

18
.vscode/settings.json vendored
View file

@ -1,9 +1,4 @@
{
"editor.defaultFormatter": "ibecker.treefmt-vscode",
"treefmt.command": "treefmt",
"editor.formatOnSave": true,
"nix.enableLanguageServer": true,
"nix.serverPath": "nil",
"nix.serverSettings": {
// settings for 'nil' LSP
"nil": {
@ -14,14 +9,11 @@
"unused_with"
]
},
// TODO: this doesn't work because treefmt-nix wants the output path as an argument
// "formatting": {
// "command": [
// "treefmt-nix",
// "--stdin",
// "/dev/stdout"
// ]
// }
"formatting": {
"command": [
"alejandra",
]
}
}
},
}

5
default.nix
View file

@ -4,9 +4,6 @@
# Having pkgs default to <nixpkgs> is fine though, and it lets you use short
# commands such as:
# nix-build -A mypackage
{
pkgs ? import <nixpkgs> { },
}:
{
{pkgs ? import <nixpkgs> {}}: {
pkgs = import ./nix/pkgs {inherit pkgs;};
}

223
flake.lock generated
View file

@ -346,81 +346,6 @@
}
},
"flake-utils_3": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_6": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_7": {
"locked": {
"lastModified": 1653893745,
"narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_8": {
"inputs": {
"systems": "systems_3"
},
@ -438,7 +363,7 @@
"type": "github"
}
},
"flake-utils_9": {
"flake-utils_4": {
"inputs": {
"systems": "systems_4"
},
@ -560,7 +485,7 @@
},
"lib-aggregate": {
"inputs": {
"flake-utils": "flake-utils_8",
"flake-utils": "flake-utils_3",
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
@ -714,126 +639,6 @@
"type": "github"
}
},
"nixago": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixago-exts": "nixago-exts",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1714086354,
"narHash": "sha256-yKVQMxL9p7zCWUhnGhDzRVT8sDgHoI3V595lBK0C2YA=",
"owner": "jmgilman",
"repo": "nixago",
"rev": "5133633e9fe6b144c8e00e3b212cdbd5a173b63d",
"type": "github"
},
"original": {
"owner": "jmgilman",
"repo": "nixago",
"type": "github"
}
},
"nixago-exts": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixago": "nixago_2",
"nixpkgs": [
"nixago",
"nixpkgs"
]
},
"locked": {
"lastModified": 1676070308,
"narHash": "sha256-QaJ65oc2l8iwQIGWUJ0EKjCeSuuCM/LqR8RauxZUUkc=",
"owner": "nix-community",
"repo": "nixago-extensions",
"rev": "e5380cb0456f4ea3c86cf94e3039eb856bf07d0b",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago-extensions",
"type": "github"
}
},
"nixago-exts_2": {
"inputs": {
"flake-utils": "flake-utils_6",
"nixago": "nixago_3",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixago",
"nixpkgs"
]
},
"locked": {
"lastModified": 1655508669,
"narHash": "sha256-BDDdo5dZQMmwNH/GNacy33nPBnCpSIydWFPZs0kkj/g=",
"owner": "nix-community",
"repo": "nixago-extensions",
"rev": "3022a932ce109258482ecc6568c163e8d0b426aa",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago-extensions",
"type": "github"
}
},
"nixago_2": {
"inputs": {
"flake-utils": "flake-utils_5",
"nixago-exts": "nixago-exts_2",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixpkgs"
]
},
"locked": {
"lastModified": 1676070010,
"narHash": "sha256-iYzJIWptE1EUD8VINAg66AAMUajizg8JUYN3oBmb8no=",
"owner": "nix-community",
"repo": "nixago",
"rev": "d480ba6c0c16e2c5c0bd2122852d6a0c9ad1ed0e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "rename-config-data",
"repo": "nixago",
"type": "github"
}
},
"nixago_3": {
"inputs": {
"flake-utils": "flake-utils_7",
"nixpkgs": [
"nixago",
"nixago-exts",
"nixago",
"nixago-exts",
"nixpkgs"
]
},
"locked": {
"lastModified": 1655405483,
"narHash": "sha256-Crd49aZWNrpczlRTOwWGfwBMsTUoG9vlHDKQC7cx264=",
"owner": "nix-community",
"repo": "nixago",
"rev": "e6a9566c18063db5b120e69e048d3627414e327d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nixago",
"type": "github"
}
},
"nixos-anywhere": {
"inputs": {
"disko": "disko",
@ -1253,7 +1058,6 @@
"logseq_0_10_9_aarch64_appimage": "logseq_0_10_9_aarch64_appimage",
"nix-vscode-extensions": "nix-vscode-extensions",
"nix4vscode": "nix4vscode",
"nixago": "nixago",
"nixos-anywhere": "nixos-anywhere",
"nixpkgs": [
"nixpkgs-2405"
@ -1276,7 +1080,6 @@
"rperf": "rperf",
"sops-nix": "sops-nix",
"srvos": "srvos",
"treefmt-nix": "treefmt-nix_4",
"x13s-bt-firmware": "x13s-bt-firmware",
"yofi": "yofi"
}
@ -1513,26 +1316,6 @@
"type": "github"
}
},
"treefmt-nix_4": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1730321837,
"narHash": "sha256-vK+a09qq19QNu2MlLcvN4qcRctJbqWkX7ahgPZ/+maI=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "746901bb8dba96d154b66492a29f5db0693dbfcc",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"x13s-bt-firmware": {
"flake": false,
"locked": {
@ -1547,7 +1330,7 @@
},
"yofi": {
"inputs": {
"flake-utils": "flake-utils_9",
"flake-utils": "flake-utils_4",
"nixpkgs": [
"nixpkgs"
]

116
flake.nix
View file

@ -125,22 +125,14 @@
url = "github:nix-community/nixvim/nixos-24.05";
inputs.nixpkgs.follows = "nixpkgs";
};
treefmt-nix = {
url = "github:numtide/treefmt-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nixago.url = "github:jmgilman/nixago";
nixago.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
inputs@{
outputs = inputs @ {
self,
flake-parts,
nixpkgs,
...
}:
let
}: let
inherit (nixpkgs) lib;
systems = [
@ -148,26 +140,25 @@
"aarch64-linux"
];
in
flake-parts.lib.mkFlake { inherit inputs; } (
{ withSystem, ... }:
{
flake-parts.lib.mkFlake {inherit inputs;}
({withSystem, ...}: {
flake.colmena =
lib.lists.foldl (sum: cur: lib.attrsets.recursiveUpdate sum cur)
{ meta.nixpkgs = import inputs.nixpkgs.outPath { system = builtins.elemAt systems 0; }; }
{
meta.nixpkgs = import inputs.nixpkgs.outPath {
system = builtins.elemAt systems 0;
};
}
# FIXME: this doesn't seem to work to apply overlays into a node's nixpkgs import
# try this instead: https://github.com/zhaofengli/colmena/issues/60#issuecomment-1510496861
(
builtins.map
(
nodeName:
(builtins.map
(nodeName:
import ./nix/os/devices/${nodeName} {
inherit nodeName;
repoFlake = self;
repoFlakeWithSystem = withSystem;
nodeFlake = self.inputs.get-flake ./nix/os/devices/${nodeName};
}
)
[
}) [
"steveej-t14"
"steveej-x13s"
"steveej-x13s-rmvbl"
@ -182,33 +173,17 @@
"sj-srv1"
"hstk0"
]
);
]);
flake.lib = {
inherit withSystem;
treefmtEval =
pkgs:
let
settingsNix = {
# Used to find the project root
projectRootFile = ".git/config";
programs.nixfmt.enable = true;
};
in
inputs.treefmt-nix.lib.evalModule pkgs settingsNix;
treefmtSettings = pkgs: (self.lib.treefmtEval pkgs).config.settings;
};
# this makes nixos-anywhere work
flake.nixosConfigurations =
let
flake.nixosConfigurations = let
colmenaHive = (inputs.colmena.lib.makeHive self.outputs.colmena).nodes;
router0-dmz0 = (inputs.get-flake ./nix/os/devices/router0-dmz0).nixosConfigurations;
in
(
in (
colmenaHive
// {
router0-dmz0 = router0-dmz0.native;
@ -218,15 +193,13 @@
router0-dmz0_cross = router0-dmz0.cross;
steveej-x13s_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s).nixosConfigurations.cross;
steveej-x13s-rmvbl_cross =
(inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
steveej-x13s-rmvbl_cross = (inputs.get-flake ./nix/os/devices/steveej-x13s-rmvbl).nixosConfigurations.cross;
}
);
inherit systems;
perSystem =
{
perSystem = {
self',
inputs',
system,
@ -234,33 +207,37 @@
lib,
pkgs,
...
}:
{
imports = [ ./nix/modules/flake-parts/perSystem/default.nix ];
}: {
imports = [
./nix/modules/flake-parts/perSystem/default.nix
];
packages =
let
packages = let
dcpj4110dw = pkgs.callPackage (self + /nix/pkgs/dcpj4110dw) {};
craneLibFn = (inputs.crane.mkLib inputs.nixpkgs.legacyPackages.${system}).overrideToolchain;
craneLib = craneLibFn inputs'.fenix.packages.stable.toolchain;
craneLib =
craneLibFn
inputs'.fenix.packages.stable.toolchain;
craneLibOfiPass = craneLibFn (
craneLibOfiPass =
craneLibFn
(
inputs'.fenix.packages.stable.toolchain
# .override {
# date = "1.60.0";
# }
);
in
{
in {
dcpj4110dwDriver = dcpj4110dw.driver;
dcpj4110dwCupswrapper = dcpj4110dw.cupswrapper;
inherit (inputs'.colmena.packages) colmena;
prs = pkgs.callPackage (
{
prs =
pkgs.callPackage
({
pkgs,
dbus,
glib,
@ -276,12 +253,7 @@
pname = "prs";
version = inputs.prs.shortRev;
src = inputs.prs;
nativeBuildInputs = [
gpgme
installShellFiles
pkg-config
python3
];
nativeBuildInputs = [gpgme installShellFiles pkg-config python3];
buildInputs = [
dbus
@ -299,8 +271,8 @@
installShellCompletion --cmd prs --$shell <($out/bin/prs internal completions $shell --stdout)
done
'';
}
) { };
})
{};
nomad = inputs'.nixpkgs-unstable.legacyPackages.nomad_1_6;
@ -333,8 +305,11 @@
rperf = craneLib.buildPackage {
src = inputs.rperf;
nativeBuildInputs = [ pkgs.pkg-config ];
buildInputs = [ ];
nativeBuildInputs = [
pkgs.pkg-config
];
buildInputs = [
];
};
x13s-bt-firmware = pkgs.runCommand "x13s-bt-firmware" {} ''
@ -350,10 +325,9 @@
'';
};
formatter = (self.lib.treefmtEval pkgs).config.build.wrapper;
formatter = pkgs.alejandra;
devShells =
let
devShells = let
all = import ./nix/devShells.nix {
inherit
self
@ -362,9 +336,7 @@
pkgs
;
};
in
(all // { default = all.develop; });
in (all // {default = all.develop;});
};
}
);
});
}

38
nix/container-images/default.nix
View file

@ -1,10 +1,6 @@
{
pkgs ? import <nixpkgs> { },
}:
let
{pkgs ? import <nixpkgs> {}}: let
baseEnv = ["SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"];
in
rec {
in rec {
base = pkgs.dockerTools.buildImage rec {
name = "base";
@ -25,20 +21,12 @@ rec {
interactive_base = pkgs.dockerTools.buildImage {
name = "interactive_base";
fromImage = base;
contents = with pkgs; [
procps
zsh
coreutils
neovim
];
contents = with pkgs; [procps zsh coreutils neovim];
config = {
Cmd = [ "/bin/zsh" ];
};
config = {Cmd = ["/bin/zsh"];};
};
s3ql =
let
s3ql = let
entrypoint = pkgs.writeScript "entrypoint" ''
#!${pkgs.stdenv.shell}
@ -85,10 +73,7 @@ rec {
pkgs.dockerTools.buildImage {
name = "s3ql";
fromImage = interactive_base;
contents = [
pkgs.s3ql
pkgs.fuse
];
contents = [pkgs.s3ql pkgs.fuse];
runAsRoot = ''
#!${pkgs.stdenv.shell}
@ -99,7 +84,9 @@ rec {
'';
config = {
Env = baseEnv ++ [
Env =
baseEnv
++ [
"HOME=/home/s3ql"
"S3QL_CACHE_DIR=/var/cache/s3ql"
"S3QL_AUTHINFO2=/etc/s3ql/authinfo2"
@ -115,8 +102,7 @@ rec {
};
};
syncthing =
let
syncthing = let
entrypoint = pkgs.writeScript "entrypoint" ''
#!${pkgs.stdenv.shell}
set -x
@ -148,9 +134,7 @@ rec {
config = {
Env = baseEnv ++ ["SYNCTHING_HOME=/home/syncthing"];
Cmd = [entrypoint];
Volumes = {
"/data" = { };
};
Volumes = {"/data" = {};};
};
};
}

30
nix/default.nix
View file

@ -1,9 +1,6 @@
{ versionsPath }:
let
{versionsPath}: let
channelVersions = import versionsPath;
mkChannelSource =
name:
let
mkChannelSource = name: let
channelVersion = builtins.getAttr name channelVersions;
in
builtins.fetchGit {
@ -11,24 +8,19 @@ let
inherit name;
inherit (channelVersion) url ref rev;
};
nixPath = builtins.concatStringsSep ":" (
builtins.map (
elemName:
let
nixPath = builtins.concatStringsSep ":" (builtins.map
(elemName: let
elem = builtins.getAttr elemName channelVersions;
elemPath = mkChannelSource elemName;
suffix = if builtins.hasAttr "suffix" elem then elem.suffix else "";
suffix =
if builtins.hasAttr "suffix" elem
then elem.suffix
else "";
in
builtins.concatStringsSep "=" [
elemName
elemPath
]
+ suffix
) (builtins.attrNames channelVersions)
);
builtins.concatStringsSep "=" [elemName elemPath] + suffix)
(builtins.attrNames channelVersions));
pkgs = import (mkChannelSource "nixpkgs") {};
in
{
in {
inherit nixPath;
channelSources = pkgs.writeText "channels.rc" ''
export NIX_PATH=${nixPath}

22
nix/devShells.nix
View file

@ -3,11 +3,9 @@
self',
inputs',
pkgs,
}:
let
}: let
pkgsUnstable = inputs'.nixpkgs-unstable.legacyPackages;
in
{
in {
install = pkgs.mkShell {
name = "infra-install";
packages = with pkgs; [
@ -22,9 +20,10 @@ in
develop = pkgs.mkShell {
name = "infra-develop";
inputsFrom = [ self'.devShells.install ];
inputsFrom = [
self'.devShells.install
];
packages = with pkgs; [
pkgs.treefmt
inputs'.colmena.packages.colmena
dconf2nix
inputs'.nixos-anywhere.packages.nixos-anywhere
@ -92,15 +91,6 @@ in
# Set Environment Variables
RUST_BACKTRACE = 1;
KANIDM_URL =
self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
shellHook =
(self.inputs.nixago.lib.${pkgs.stdenv.system}.make {
data = self.lib.treefmtSettings pkgs;
output = "treefmt.toml";
format = "toml";
}).shellHook;
KANIDM_URL = self.nixosConfigurations.sj-srv1.config.containers.webserver.config.services.kanidm.serverSettings.origin;
};
}

33
nix/home-manager/configuration/graphical-fullblown.nix
View file

@ -7,13 +7,11 @@
repoFlake,
packages',
...
}:
let
}: let
pkgsUnstable =
pkgs.pkgsUnstable
or (import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config overlays;});
in
{
in {
imports = [
../profiles/common.nix
# ../profiles/dotfiles.nix
@ -36,18 +34,18 @@ in
../programs/libreoffice.nix
../programs/neovim.nix
../programs/vscode
{ home.packages = [ pkgsUnstable.markdown-oxide ]; }
{
home.packages = [
pkgsUnstable.markdown-oxide
];
}
];
home.sessionVariables.HM_CONFIG = "graphical-fullblown";
home.sessionVariables.GOPATH = "$HOME/src/go";
home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" [
"$HOME/.local/bin"
"$PATH"
];
home.sessionVariables.PATH = pkgs.lib.concatStringsSep ":" ["$HOME/.local/bin" "$PATH"];
nixpkgs.config.allowInsecurePredicate =
pkg:
nixpkgs.config.allowInsecurePredicate = pkg:
builtins.elem (lib.getName pkg) [
"electron-28.3.3"
"electron-27.3.11"
@ -248,15 +246,19 @@ in
# libretro.snes9x2010
# retroarchFull
(pkgs.logseq.overrideAttrs (
(
pkgs.logseq.overrideAttrs (
attrs:
lib.attrsets.recursiveUpdate attrs (
lib.attrsets.recursiveUpdate
attrs
(
lib.attrsets.optionalAttrs pkgs.stdenv.isAarch64 {
src = repoFlake.inputs.logseq_0_10_9_aarch64_appimage;
meta.platforms = ["aarch64-linux"];
}
)
))
)
)
# (
# pkgsUnstable.callPackage (repoFlake + "/nix/pkgs/logseq")
@ -265,7 +267,8 @@ in
# })
# )
])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [ ])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
])
++ (lib.lists.optionals (!pkgs.stdenv.targetPlatform.isAarch64) [
pkgsUnstable.ledger-live-desktop

5
nix/home-manager/configuration/graphical-gnome3.nix
View file

@ -1,5 +1,8 @@
{ pkgs, config, ... }:
{
pkgs,
config,
...
}: {
home.packages =
[]
++ (with pkgs; [

5
nix/home-manager/configuration/graphical-removable.nix
View file

@ -1,5 +1,8 @@
{ pkgs, config, ... }:
{
pkgs,
config,
...
}: {
imports = [
../profiles/common.nix
../profiles/qtile-desktop.nix

18
nix/home-manager/lib.nix
View file

@ -1,22 +1,14 @@
{ }:
let
in
{
mkSimpleTrayService =
{ execStart }:
{
{}: let
in {
mkSimpleTrayService = {execStart}: {
Unit = {
Description = "";
After = ["graphical-session-pre.target"];
PartOf = ["graphical-session.target"];
};
Install = {
WantedBy = [ "graphical-session.target" ];
};
Install = {WantedBy = ["graphical-session.target"];};
Service = {
ExecStart = execStart;
};
Service = {ExecStart = execStart;};
};
}

11
nix/home-manager/profiles/common.nix
View file

@ -1,5 +1,8 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
...
}: {
home.stateVersion = lib.mkDefault "23.11";
# TODO: re-enable this with the appropriate version?
@ -12,8 +15,7 @@
allowUnfree = true;
allowUnsupportedSystem = true;
allowInsecurePredicate =
pkg:
allowInsecurePredicate = pkg:
builtins.elem (lib.getName pkg) [
"electron-28.3.3"
"electron-27.3.11"
@ -26,8 +28,7 @@
"electron"
];
allowUnfreePredicate =
pkg:
allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [
"obsidian"
"vivaldi"

9
nix/home-manager/profiles/dotfiles.nix
View file

@ -5,16 +5,14 @@
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
...
}:
let
}: let
repoBareLocal =
pkgs.runCommand "fetchbare"
{
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000";
}
''
} ''
(
set -xe
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
@ -41,8 +39,7 @@ let
set_remotes ${repoHttps} ${repoSsh}
fi
'';
in
{
in {
# TODO: fix the dotfiles
# home.activation.vcsh = config.lib.dag.entryAfter["linkGeneration"] ''
# $DRY_RUN_CMD ${vcshActivationScript}

6
nix/home-manager/profiles/dotfiles/vcsh.tmpl.nix
View file

@ -3,16 +3,14 @@
repoHttps ? "https://gitlab.com/steveeJ/dotfiles.git",
repoSsh ? "git@gitlab.com:/steveeJ/dotfiles.git",
...
}:
let
}: let
repoBareLocal =
pkgs.runCommand "fetchbare"
{
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "0000000000000000000000000000000000000000000000000000";
}
''
} ''
(
set -xe
export GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt

10
nix/home-manager/profiles/experimental-desktop.nix
View file

@ -5,12 +5,12 @@
nodeFlake,
packages',
...
}:
let
}: let
pkgsUnstable = pkgs.callPackage nodeFlake.inputs.nixpkgs-unstable.outPath {};
in
{
imports = [ ../profiles/wayland-desktop.nix ];
in {
imports = [
../profiles/wayland-desktop.nix
];
home.packages = [
# experimental WMs

72
nix/home-manager/profiles/gnome-desktop.nix
View file

@ -3,11 +3,11 @@
config,
lib,
...
}:
let
in
{
imports = [ ../profiles/wayland-desktop.nix ];
}: let
in {
imports = [
../profiles/wayland-desktop.nix
];
services = {
gnome-keyring.enable = false;
@ -25,8 +25,7 @@ in
services.gpg-agent.pinentryPackage = pkgs.pinentry-gnome3;
dconf.settings =
let
dconf.settings = let
manualKeybindings = [
{
binding = "Print";
@ -43,21 +42,22 @@ in
numWorkspaces = 10;
customKeybindingBaseName = "org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom";
customKeybindingsNames = builtins.genList (i: "/${customKeybindingBaseName}${toString i}/") (
(builtins.length manualKeybindings) + numWorkspaces # for sending to the workspace
customKeybindingsNames =
builtins.genList (i: "/${customKeybindingBaseName}${toString i}/")
(
(builtins.length manualKeybindings)
+ numWorkspaces # for sending to the workspace
);
workspacesKeyBindingsOffset = builtins.length manualKeybindings;
# with this we can make use of all number keys [0-9]
mapToNumber =
i:
if i < 10 then
i
else if i == 10 then
0
else
throw "i exceeds 10: ${i}";
mapToNumber = i:
if i < 10
then i
else if i == 10
then 0
else throw "i exceeds 10: ${i}";
in
{
"org/gnome/settings-daemon/plugins/media-keys" = {
@ -67,41 +67,43 @@ in
};
# disable the builtin <Super>[1-9] functionality
"org/gnome/shell/keybindings" = builtins.listToAttrs (
(builtins.genList (i: {
"org/gnome/shell/keybindings" = builtins.listToAttrs ((builtins.genList
(i: {
name = "switch-to-application-${toString (i + 1)}";
value = [];
}) numWorkspaces)
})
numWorkspaces)
++ [
{
name = "toggle-overview";
value = [];
}
]
);
]);
# remap it to switching to the workspaces
"org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (
builtins.genList (i: {
"org/gnome/desktop/wm/keybindings" = builtins.listToAttrs (builtins.genList
(i: {
name = "switch-to-workspace-${toString (i + 1)}";
value = [ "<Super>${toString (mapToNumber (i + 1))}" ];
}) numWorkspaces
);
value = [
"<Super>${toString (mapToNumber (i + 1))}"
];
})
numWorkspaces);
}
// builtins.listToAttrs (
builtins.genList (i: {
// builtins.listToAttrs (builtins.genList
(i: {
name = "${customKeybindingBaseName}${toString i}";
value = builtins.elemAt manualKeybindings i;
}) (builtins.length manualKeybindings)
)
// builtins.listToAttrs (
builtins.genList (i: {
})
(builtins.length manualKeybindings))
// builtins.listToAttrs (builtins.genList
(i: {
name = "${customKeybindingBaseName}${toString (workspacesKeyBindingsOffset + i)}";
value = {
binding = "<Control><Super>${toString (mapToNumber (i + 1))}";
command = "wmctrl -r :ACTIVE: -t ${toString i}";
name = "Send to workspace ${toString (i + 1)}";
};
}) numWorkspaces
);
})
numWorkspaces);
}

14
nix/home-manager/profiles/nix-channels.nix
View file

@ -1,11 +1,14 @@
{ pkgs, config, ... }:
let
in
{
pkgs,
config,
...
}: let
in {
home.file.".nix-channels".text = "";
home.activation.removeExistingNixChannels = config.lib.dag.entryBefore ["checkLinkTargets"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
$DRY_RUN_CMD ${
pkgs.writeScript "activation-script" ''
set -ex
if test -f $HOME/.nix-channels; then
echo Uninstalling available channels...
@ -19,6 +22,7 @@ in
mv --backup=numbered $HOME/.nix-channels.dummy $HOME/.nix-channels
rm $HOME/.nix-channels
fi
''};
''
};
'';
}

16
nix/home-manager/profiles/qtile-desktop.nix
View file

@ -1,15 +1,14 @@
{ pkgs, config, ... }:
let
{
pkgs,
config,
...
}: let
inherit (import ../lib.nix {}) mkSimpleTrayService;
audio = pkgs.writeShellScript "audio" ''
export PATH=${
with pkgs;
lib.makeBinPath [
pulseaudio
findutils
gnugrep
]
lib.makeBinPath [pulseaudio findutils gnugrep]
}:$PATH
export MUTEFILE=''${TEMPDIR:-/tmp}/.qtilemute
@ -252,8 +251,7 @@ let
def print_new_window(window):
print("new window: ", window)
'';
in
{
in {
services = {
gnome-keyring.enable = true;
blueman-applet.enable = true;

35
nix/home-manager/profiles/sway-desktop.nix
View file

@ -22,16 +22,14 @@
# packages',
repoFlakeInputs',
...
}:
let
}: let
inherit (import ../lib.nix {}) mkSimpleTrayService;
lockCmd = "${pkgs.swaylock}/bin/swaylock -efF --color '#000000'";
displayOffCmd = "${pkgs.sway}/bin/swaymsg 'output * power off'";
displayOnCmd = "${pkgs.sway}/bin/swaymsg 'output * power on'";
swapOutputWorkspaces = ../../../scripts/sway-swapoutputworkspaces.sh;
in
{
in {
imports = [
../profiles/wayland-desktop.nix
../programs/waybar.nix
@ -100,17 +98,10 @@ in
systemd.enable = true;
xwayland = false;
config =
let
config = let
modifier = "Mod4";
inherit (config.wayland.windowManager.sway.config)
left
right
up
down
;
in
{
inherit (config.wayland.windowManager.sway.config) left right up down;
in {
inherit modifier;
bars = [];
@ -184,30 +175,28 @@ in
startup =
[
{
command = builtins.toString (
pkgs.writeShellScript "ensure-graphical-session" ''
command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart graphical-session.target
) &
''
);
'');
}
]
++ lib.optionals config.services.swayidle.enable [
{
command = builtins.toString (
pkgs.writeShellScript "ensure-graphical-session" ''
command = builtins.toString (pkgs.writeShellScript "ensure-graphical-session" ''
(
${pkgs.coreutils}/bin/sleep 0.2
${pkgs.systemd}/bin/systemctl --user restart swayidle
) &
''
);
'');
}
];
colors.focused = lib.mkOptionDefault { childBorder = lib.mkForce "#ffa500"; };
colors.focused = lib.mkOptionDefault {
childBorder = lib.mkForce "#ffa500";
};
window.titlebar = false;
window.border = 4;

15
nix/home-manager/profiles/wayland-desktop.nix
View file

@ -5,14 +5,12 @@
repoFlake,
nodeFlake,
...
}:
let
}: let
inherit (import ../lib.nix {}) mkSimpleTrayService;
nixpkgs-wayland' = repoFlake.inputs.nixpkgs-wayland.packages.${pkgs.system};
wayprompt = nixpkgs-wayland'.wayprompt;
in
{
in {
fonts.fontconfig.enable = true;
# services.gpg-agent.pinentryFlavor = lib.mkForce null;
@ -32,8 +30,7 @@ in
};
};
home.packages =
with pkgs;
home.packages = with pkgs;
[
# required by network-manager-applet
networkmanagerapplet
@ -65,9 +62,11 @@ in
waypipe
]
++ (lib.lists.optionals (!pkgs.stdenv.isAarch64)
++ (
lib.lists.optionals (!pkgs.stdenv.isAarch64)
# TODO: broken on aarch64
[ ]
[
]
);
home.sessionVariables = {

10
nix/home-manager/programs/chromium.nix
View file

@ -3,8 +3,7 @@
lib,
pkgs,
...
}:
let
}: let
extensions =
[
#undetectable adblocker
@ -63,8 +62,7 @@ let
# shazam music
{id = "mmioliijnhnoblpgimnlajmefafdfilb";}
]);
in
{
in {
programs.chromium = {
enable = true;
inherit extensions;
@ -74,7 +72,9 @@ in
programs.brave = {
# TODO: enable this on aarch64-linux
enable = true && !pkgs.stdenv.targetPlatform.isAarch64;
enable =
true
&& !pkgs.stdenv.targetPlatform.isAarch64;
inherit extensions;
};
}

19
nix/home-manager/programs/espanso.nix
View file

@ -1,5 +1,8 @@
{ pkgs, repoFlake, ... }:
{
pkgs,
repoFlake,
...
}: {
services.espanso = {
package = pkgs.espanso-wayland;
# package = pkgs.espanso-wayland.overrideAttrs (_: {
@ -21,11 +24,10 @@
# backend = "Clipboard";
};
};
matches =
let
playerctl = ''${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
in
{
matches = let
playerctl = ''
${pkgs.coreutils}/bin/env DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(${pkgs.coreutils}/bin/id -u)/bus" ${pkgs.playerctl}/bin/playerctl'';
in {
default = {
matches = [
{
@ -62,7 +64,10 @@
name = "output";
type = "script";
params = {
args = [ (pkgs.writeShellScript "espanso" "${playerctl} metadata title") ];
args = [
(pkgs.writeShellScript "espanso"
"${playerctl} metadata title")
];
};
}
];

7
nix/home-manager/programs/firefox.nix
View file

@ -1,8 +1,5 @@
{ pkgs, ... }:
{
programs.librewolf = {
enable = false;
};
{pkgs, ...}: {
programs.librewolf = {enable = false;};
programs.firefox = {
enable = true;
package = pkgs.firefox-esr-128;

7
nix/home-manager/programs/gpg-agent.nix
View file

@ -3,9 +3,10 @@
pkgs,
config,
...
}:
{
home.packages = [ pkgs.gcr ];
}: {
home.packages = [
pkgs.gcr
];
programs.gpg.enable = true;
services.gpg-agent = {

20
nix/home-manager/programs/homeshick.nix
View file

@ -1,12 +1,15 @@
{ pkgs, config, ... }:
let
in
# TODO: clean up the impurity in here
{
pkgs,
config,
...
}: let
# TODO: clean up the impurity in here
in {
home.sessionVariables.HOMESHICK_DIR = "${pkgs.homeshick}";
home.activation.bootstrapRepos = config.lib.dag.entryAfter ["writeBoundary"] ''
$DRY_RUN_CMD ${pkgs.writeScript "activation-script" ''
$DRY_RUN_CMD ${
pkgs.writeScript "activation-script" ''
set -e
echo home-manager path is ${config.home.path}
echo home is $HOME
@ -17,12 +20,13 @@ in
# echo Updating homeshick
# ln -sfT ${pkgs.homeshick} "$HOMESICK_REPOS"/.homeshick
# mv -Tf "$HOMESICK_REPOS"/{.,}homeshick
''};
''
};
'';
nixpkgs.config = {
packageOverrides =
pkgs: with pkgs; {
packageOverrides = pkgs:
with pkgs; {
homeshick = builtins.fetchGit {
url = "https://github.com/andsens/homeshick.git";
ref = "master";

3
nix/home-manager/programs/libreoffice.nix
View file

@ -1,4 +1,3 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
home.packages = [pkgs.libreoffice];
}

7
nix/home-manager/programs/neovim.nix
View file

@ -3,9 +3,10 @@
pkgs,
lib,
...
}:
{
imports = [ repoFlake.inputs.nixvim.homeManagerModules.nixvim ];
}: {
imports = [
repoFlake.inputs.nixvim.homeManagerModules.nixvim
];
programs.nixvim = {
enable = true;

20
nix/home-manager/programs/obs-studio.nix
View file

@ -1,25 +1,21 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
...
}: {
programs.obs-studio = {
enable = true;
plugins =
builtins.map
(
plugin:
(plugin.overrideAttrs (attrs: {
builtins.map (plugin: (plugin.overrideAttrs (attrs: {
meta = lib.mkMerge [
{inherit (attrs) meta;}
{meta.platforms = [pkgs.stdenv.system];}
];
}))
)
(
with pkgs.obs-studio-plugins;
[
})))
(with pkgs.obs-studio-plugins; [
# wlrobs
obs-backgroundremoval
obs-pipewire-audio-capture
]
);
]);
};
}

10
nix/home-manager/programs/openvscode-server.nix
View file

@ -3,12 +3,10 @@
nodeFlake,
repoFlake,
...
}:
let
}: let
pkgsUnstable = import nodeFlake.inputs.nixpkgs-unstable {inherit (pkgs) system config;};
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};
in
{
in {
home.packages = [
pkgs.nil
pkgs.nixd
@ -35,9 +33,7 @@ in
(pkgsVscodium.openvscode-server.overrideAttrs (attrs: {
src = repoFlake.inputs.openvscode-server;
version = "1.94.2";
yarnCache = attrs.yarnCache.overrideAttrs (_: {
outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";
});
yarnCache = attrs.yarnCache.overrideAttrs (_: {outputHash = "sha256-89c6GYLT2RzHqwxBKegYqB6g5rEJ6/nH53cnfV7b0Tt=";});
}))
pkgs.waypipe

5
nix/home-manager/programs/pass.nix
View file

@ -1,5 +1,8 @@
{ repoFlake, pkgs, ... }:
{
repoFlake,
pkgs,
...
}: {
# required by pass-otp
# home.sessionVariables.PASSWORD_STORE_EXTENSIONS_DIR = "$HOME/.nix-profile/lib/password-store/extensions";
# home.sessionVariables.PASSWORD_STORE_ENABLE_EXTENSIONS = "true";

22
nix/home-manager/programs/radicale.nix
View file

@ -4,8 +4,7 @@
pkgs,
osConfig,
...
}:
let
}: let
libdecsync = pkgs.python3Packages.buildPythonPackage rec {
pname = "libdecsync";
version = "2.2.1";
@ -39,18 +38,18 @@ let
# pkgs.libxcrypt
];
propagatedBuildInputs = [
libdecsync
pkgs.python3Packages.setuptools
];
propagatedBuildInputs = [libdecsync pkgs.python3Packages.setuptools];
};
radicale-decsync = pkgs.radicale.overrideAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs ++ [ radicale-storage-decsync ];
propagatedBuildInputs =
old.propagatedBuildInputs
++ [radicale-storage-decsync];
});
mkRadicaleService =
{ suffix, port }:
let
mkRadicaleService = {
suffix,
port,
}: let
radicale-config = pkgs.writeText "radicale-config-${suffix}" ''
[server]
hosts = localhost:${builtins.toString port}
@ -65,8 +64,7 @@ let
filesystem_folder = ${config.xdg.dataHome}/radicale/radicale-${suffix}
decsync_dir = ${config.xdg.dataHome}/decsync/decsync-${suffix}
'';
in
{
in {
systemd.user.services."radicale-${suffix}" = {
Unit.Description = "Radicale with DecSync (${suffix})";
Service = {

10
nix/home-manager/programs/redshift.nix
View file

@ -1,8 +1,10 @@
{ pkgs, config, ... }:
let
passwords = import ../../variables/passwords.crypt.nix;
in
{
pkgs,
config,
...
}: let
passwords = import ../../variables/passwords.crypt.nix;
in {
services.gammastep = {
enable = true;
provider = "manual";

11
nix/home-manager/programs/salut.nix
View file

@ -9,9 +9,10 @@
# for i in `seq 0 10`; do nix shell nixpkgs#libnotify --command notify-send notifiiiiiii "$i"; sleep 1; done
let
inherit (import ../lib.nix {}) mkSimpleTrayService;
in
{
home.packages = [ packages'.salut ];
in {
home.packages = [
packages'.salut
];
xdg.configFile."salut/config.ini" = {
enable = true;
@ -33,5 +34,7 @@ in
onChange = "${pkgs.systemd}/bin/systemctl --user restart salut";
};
systemd.user.services.salut = mkSimpleTrayService { execStart = "${packages'.salut}/bin/salut"; };
systemd.user.services.salut = mkSimpleTrayService {
execStart = "${packages'.salut}/bin/salut";
};
}

30
nix/home-manager/programs/vscode/default.nix
View file

@ -3,11 +3,9 @@
nodeFlake,
repoFlake,
...
}:
let
}: let
pkgsVscodium = import repoFlake.inputs.nixpkgs-vscodium {inherit (pkgs) system config;};
in
{
in {
programs.vscode = {
enable = true;
package = pkgsVscodium.vscodium;
@ -20,16 +18,16 @@ in
# sha256 = "1qc1qsahfx1nvznq4adplx63w5d94xhafngv76vnqjjbzhv991v2";
# })
]
++ (
with pkgsVscodium.vscode-extensions;
++ (with pkgsVscodium.vscode-extensions;
[
eamodio.gitlens
mkhl.direnv
tomoki1207.pdf
vscodevim.vim
# bbenoist.nix
bbenoist.nix
jnoortheen.nix-ide
# kamadorueda.alejandra
ms-vscode.theme-tomorrowkit
nonylene.dark-molokai-theme
@ -46,14 +44,11 @@ in
# TODO: not compatible with vscodium
# ms-vscode-remote.remote-ssh
]
++ (
let
++ (let
extensions = repoFlake.inputs.nix-vscode-extensions.extensions.${pkgs.system};
in
(
in (
with extensions.vscode-marketplace;
with extensions.vscode-marketplace-release;
[
with extensions.vscode-marketplace-release; [
tamasfe.even-better-toml
serayuzgur.crates
@ -65,11 +60,10 @@ in
ibecker.treefmt-vscode
]
)
)
)
)))
++ [
(pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace {
(pkgsVscodium.vscode-utils.extensionFromVscodeMarketplace
{
name = "markdown-oxide";
publisher = "felixzeller";
version = "1.1.0";
@ -81,6 +75,7 @@ in
home.packages = [
pkgs.nixpkgs-fmt
pkgs.alejandra
pkgs.nil
];
}
@ -158,3 +153,4 @@ in
# xyz.plsql-language
# yzane.markdown-pdf
# zxh404.vscode-proto3

72
nix/home-manager/programs/vscode/nix4vscode/default.nix
View file

@ -1,72 +0,0 @@
{ pkgs, lib }:
let
inherit (pkgs.stdenv)
isDarwin
isLinux
isi686
isx86_64
isAarch32
isAarch64
;
vscode-utils = pkgs.vscode-utils;
merge = lib.attrsets.recursiveUpdate;
in
merge
(merge
(merge
(merge
{
"felixzeller"."markdown-oxide" = vscode-utils.extensionFromVscodeMarketplace {
name = "markdown-oxide";
publisher = "felixzeller";
version = "1.1.0";
sha256 = "07l37hkg106m3nl9530l7i39iw1kibckv1zi4n23gbp7srdrwbs3";
};
}
(
lib.attrsets.optionalAttrs (isLinux && (isi686 || isx86_64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode";
publisher = "ibecker";
version = "2.1.0";
sha256 = "1r17wjpw8xiha5r9h3146facxghpcp416zf8551sw93cmam9ky6j";
arch = "linux-x64";
};
}
)
)
(
lib.attrsets.optionalAttrs (isLinux && (isAarch32 || isAarch64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode";
publisher = "ibecker";
version = "2.1.0";
sha256 = "0swvl7fkjcwp43grnrhnmy60a5m3hfwawk204byi8hhbczy131li";
arch = "linux-arm64";
};
}
)
)
(
lib.attrsets.optionalAttrs (isDarwin && (isi686 || isx86_64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode";
publisher = "ibecker";
version = "2.1.0";
sha256 = "1swq9hy6a9nzkrn07j21g59pyk2m7aqsfi1pphl9l9y8p4zwiaqm";
arch = "darwin-x64";
};
}
)
)
(
lib.attrsets.optionalAttrs (isDarwin && (isAarch32 || isAarch64)) {
"ibecker"."treefmt-vscode" = vscode-utils.extensionFromVscodeMarketplace {
name = "treefmt-vscode";
publisher = "ibecker";
version = "2.1.0";
sha256 = "1xg3wnn3f1kvsz5a09l0cjpzfm3l9va73cahbvl14mx3n6734r2m";
arch = "darwin-arm64";
};
}
)

17
nix/home-manager/programs/waybar.nix
View file

@ -3,8 +3,7 @@
config,
repoFlake,
...
}:
{
}: {
home.packages = [
# required by any bar that has a tray plugin
pkgs.libappindicator-gtk3
@ -13,9 +12,10 @@
programs.waybar = {
enable = true;
package =
repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
style = pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css" + pkgs.lib.readFile ./waybar.css;
package = repoFlake.inputs.nixpkgs-wayland.outputs.packages.${pkgs.stdenv.hostPlatform.system}.waybar;
style =
pkgs.lib.readFile "${pkgs.waybar.src}/resources/style.css"
+ pkgs.lib.readFile ./waybar.css;
systemd.enable = true;
settings = {
mainBar = {
@ -24,7 +24,12 @@
height = 30;
output =
# hide the bar on HEADDLESS displays as i use them only for screensharing
(builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99) ++ [ "*" ];
(
builtins.genList (i: "!HEADLESS-${builtins.toString i}") 99
)
++ [
"*"
];
# output = [
# "eDP-1"
# "DP-*"

27
nix/home-manager/programs/zsh.nix
View file

@ -3,10 +3,8 @@
lib,
pkgs,
...
}:
let
just-plugin =
let
}: let
just-plugin = let
plugin_file = pkgs.writeText "_just" ''
#compdef just
#autload
@ -37,8 +35,7 @@ let
chmod --recursive a-w $out
'';
};
in
{
in {
programs.zsh = {
enable = true;
@ -49,11 +46,9 @@ in
# will be called again by oh-my-zsh
enableCompletion = false;
enableAutosuggestions = true;
initExtra =
let
initExtra = let
inNixShell = ''$([[ -n "$IN_NIX_SHELL" ]] && printf " 🐚")'';
in
''
in ''
if test ! -n "$TMPDIR" -a -z "$TMPDIR"; then
unset TMPDIR
fi
@ -74,13 +69,12 @@ in
fi
${
if builtins.hasAttr "homeshick" pkgs then
''
if builtins.hasAttr "homeshick" pkgs
then ''
source ${pkgs.homeshick}/homeshick.sh
fpath=(${pkgs.homeshick}/completions $fpath)
''
else
""
else ""
}
# Disable intercepting of ctrl-s and ctrl-q as flow control.
@ -134,10 +128,7 @@ in
oh-my-zsh = {
enable = true;
theme = "tjkirch";
plugins = [
"git"
"sudo"
];
plugins = ["git" "sudo"];
};
};
}

3
nix/modules/flake-parts/colmena.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }:
{
{lib, ...}: {
options.flake.colmena = lib.mkOption {
# type = lib.types.attrsOf lib.types.unspecified;
type = lib.types.raw;

12
nix/modules/flake-parts/perSystem/default.nix
View file

@ -5,11 +5,9 @@
lib,
pkgs,
...
}:
{
}: {
packages = {
myPython = pkgs.python310.withPackages (
ps:
myPython = pkgs.python310.withPackages (ps:
with ps;
[
pep8
@ -35,10 +33,6 @@
pyaml
requests
]
++ [
pkgs.pypi2nix
pkgs.libffi
]
);
++ [pkgs.pypi2nix pkgs.libffi]);
};
}

10
nix/os/cachix.nix
View file

@ -1,12 +1,14 @@
# WARN: this file will get overwritten by $ cachix use <name>
{ pkgs, lib, ... }:
let
{
pkgs,
lib,
...
}: let
folder = ./cachix;
toImport = name: value: folder + ("/" + name);
filterCaches = key: value: value == "regular" && lib.hasSuffix ".nix" key;
imports = lib.mapAttrsToList toImport (lib.filterAttrs filterCaches (builtins.readDir folder));
in
{
in {
inherit imports;
nix.settings.substituters = ["https://cache.nixos.org/"];
}

4
nix/os/cachix/nixpkgs-wayland.nix
View file

@ -1,6 +1,8 @@
{
nix = {
settings.substituters = [ "https://nixpkgs-wayland.cachix.org" ];
settings.substituters = [
"https://nixpkgs-wayland.cachix.org"
];
settings.trusted-public-keys = [
"nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
];

43
nix/os/containers/backup.nix
View file

@ -5,23 +5,16 @@
subvolumes,
targetPathSuffix ? "",
autoStart ? false,
}:
let
}: let
passwords = import ../../variables/passwords.crypt.nix;
subvolumeParentDir = "/var/lib/container-volumes";
in
{
config =
{ pkgs, ... }:
{
in {
config = {pkgs, ...}: {
system.stateVersion = "20.03"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix];
environment.systemPackages = with pkgs; [
btrfs-progs
btrbk
];
environment.systemPackages = with pkgs; [btrfs-progs btrbk];
networking.firewall.enable = true;
@ -29,9 +22,7 @@ in
enable = true;
description = "bkp-sync service";
serviceConfig = {
Type = "oneshot";
};
serviceConfig = {Type = "oneshot";};
after = ["bkp-run.service"];
@ -48,20 +39,13 @@ in
enable = true;
description = "bkp-run";
serviceConfig = {
Type = "oneshot";
};
serviceConfig = {Type = "oneshot";};
partOf = ["bkp-sync.service"];
path = with pkgs; [
btrfs-progs
btrbk
coreutils
];
path = with pkgs; [btrfs-progs btrbk coreutils];
script =
let
script = let
btrbkConf = pkgs.writeText "cfg" ''
timestamp_format long
ssh_identity ${passwords.storage.backupTarget.keyPath}
@ -78,10 +62,10 @@ in
volume ${subvolumeParentDir}
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes}
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") ""
subvolumes}
'';
in
''
in ''
#! ${pkgs.bash}/bin/bash
set -Eeuxo pipefail
@ -92,10 +76,7 @@ in
systemd.timers."bkp" = {
description = "Timer to trigger bkp periodically";
enable = true;
wantedBy = [
"timer.target"
"multi-user.target"
];
wantedBy = ["timer.target" "multi-user.target"];
timerConfig = {
# Obtained using `systemd-analyze calendar "Wed 23:00"`
# OnCalendar = "Wed *-*-* 23:00:00";

27
nix/os/containers/mailserver.nix
View file

@ -6,18 +6,15 @@
imapsPort ? 993,
sievePort ? 4190,
autoStart ? false,
}:
{
}: {
inherit specialArgs;
config =
{
config = {
pkgs,
config,
lib,
repoFlake,
...
}:
{
}: {
system.stateVersion = "22.05"; # Did you read the comment?
imports = [
@ -110,8 +107,7 @@
serviceConfig.Restart = "always";
description = "Getmail service";
path = [pkgs.getmail6];
script =
let
script = let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 1
@ -130,8 +126,7 @@
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in
''
in ''
getmail --idle=INBOX --rcfile=${rc}
'';
};
@ -145,8 +140,7 @@
serviceConfig.Restart = "always";
description = "Getmail service";
path = [pkgs.getmail6];
script =
let
script = let
rc = pkgs.writeText "mailATstefanjunker.de.getmail.rc" ''
[options]
verbose = 2
@ -165,8 +159,7 @@
type = MDA_external
path = ${pkgs.dovecot}/libexec/dovecot/dovecot-lda
'';
in
''
in ''
getmail --rcfile=${rc} --idle=INBOX
'';
};
@ -180,8 +173,7 @@
path = [pkgs.getmail6];
serviceConfig.RestartSec = 1000;
serviceConfig.Restart = "always";
script =
let
script = let
rc = pkgs.writeText "schtifATweb.de.getmail.rc" ''
[options]
verbose = 1
@ -200,8 +192,7 @@
type = Maildir
path = ~/.maildir/
'';
in
''
in ''
getmail --rcfile=${rc} --idle=INBOX
'';
};

88
nix/os/containers/mycelium/flake.nix
View file

@ -11,36 +11,33 @@
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{
outputs = {
self,
nixpkgs,
nixos-generators,
...
}:
let
}: let
systems = [
"aarch64-linux"
"x86_64-linux"
];
forAllSystems = nixpkgs.lib.genAttrs systems;
in
in {
nixosConfigurations.default =
nixpkgs.lib.nixosSystem
{
nixosConfigurations.default = nixpkgs.lib.nixosSystem {
system = "aarch64-linux";
specialArgs = {};
modules = [
(
{
({
config,
modulesPath,
pkgs,
lib,
...
}:
{
}: {
nixpkgs.overlays = [
(final: previous: {
# inherit (self.inputs.nixpkgs-systemd256.legacyPackages.${pkgs.system}) systemd systemdMinimal;
@ -102,7 +99,9 @@
})
];
imports = [ (modulesPath + "/profiles/minimal.nix") ];
imports = [
(modulesPath + "/profiles/minimal.nix")
];
system.stateVersion = "24.11";
# https://github.com/hercules-ci/arion/blob/c24c185e67f093298a081900b49ca18716077dec/src/nix/modules/nixos/container-systemd.nix
@ -136,7 +135,9 @@
mkdir -p /run/wrappers
'';
boot.kernelParams = [ "systemd.log_level=debug" ];
boot.kernelParams = [
"systemd.log_level=debug"
];
# services.udev.enable = false;
@ -150,14 +151,12 @@
services.mycelium.keyFile = "/var/lib/secrets/mycelium-keyfile";
systemd.services.mycelium.serviceConfig.DynamicUser = lib.mkForce false;
systemd.services.mycelium.serviceConfig.User = lib.mkForce "root";
systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
systemd.services.mycelium.serviceConfig.ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" ''
while true; do
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
''
);
'');
systemd.services.testing-credentials = {
wantedBy = ["multi-user.target"];
@ -175,8 +174,7 @@
# "hosts:/etc/hosts"
# ];
SetCredential = "mycelium-keyfile:not secret string";
ExecStart = lib.mkForce (
pkgs.writeShellScript "mycelium" ''
ExecStart = lib.mkForce (pkgs.writeShellScript "mycelium" ''
cd $STATE_DIRECTORY
pwd
env
@ -184,8 +182,7 @@
ls -lha $CREDENTIALS_DIRECTORY
sleep 5
done
''
);
'');
};
};
@ -200,32 +197,28 @@
'';
};
};
}
)
})
];
};
packages = forAllSystems (
system:
let
packages = forAllSystems (system: let
name = "mycelium";
inherit (self.inputs) nix-snapshotter;
config = {
entrypoint = "${self.nixosConfigurations.default.config.system.build.toplevel}/init";
# port = 2379;
args = [ ];
args = [
];
# nodePort = 30001;
};
myceliumPorts = {
tcp = [9651];
udp = [
9650
9651
];
udp = [9650 9651];
};
inherit (config)
inherit
(config)
entrypoint
# port
@ -234,7 +227,9 @@
;
pkgs = import nixpkgs { overlays = [ nix-snapshotter.overlays.default ]; };
pkgs = import nixpkgs {
overlays = [nix-snapshotter.overlays.default];
};
image = pkgs.nix-snapshotter.buildImage {
inherit name;
@ -258,19 +253,14 @@
];
};
};
in
{
k8s =
let
pod = pkgs.writeText "${name}-pod.json" (
builtins.toJSON {
in {
k8s = let
pod = pkgs.writeText "${name}-pod.json" (builtins.toJSON {
apiVersion = "v1";
kind = "Pod";
metadata = {
inherit name;
labels = {
inherit name;
};
labels = {inherit name;};
};
spec.containers = [
{
@ -294,19 +284,15 @@
];
}
];
}
);
});
service = pkgs.writeText "${name}-service.json" (
builtins.toJSON {
service = pkgs.writeText "${name}-service.json" (builtins.toJSON {
apiVersion = "v1";
kind = "Service";
metadata.name = "${name}-service";
spec = {
type = "NodePort";
selector = {
inherit name;
};
selector = {inherit name;};
ports = [
{
name = "mycelium-tcp-0";
@ -327,8 +313,7 @@
}
];
};
}
);
});
in
pkgs.runCommand "declarative-k8s" {} ''
mkdir -p $out/share/k8s
@ -370,7 +355,6 @@
# mount -t tmpfs tmpfs /run/credentials/mycelium.service -o ro,nosuid,nodev,noexec,relatime,nosymfollow,size=1024k,nr_inodes=1024,mode=700,noswap
};
}
);
});
};
}

11
nix/os/containers/syncthing.nix
View file

@ -6,12 +6,13 @@
syncthingPort ? 22000,
syncthingLocalAnnouncePort ? 21027,
autoStart ? false,
}:
{
}: {
inherit specialArgs;
config =
{ config, pkgs, ... }:
{
config = {
config,
pkgs,
...
}: {
system.stateVersion = "20.05"; # Did you read the comment?
imports = [../profiles/containers/configuration.nix];

56
nix/os/containers/webserver.nix
View file

@ -7,14 +7,11 @@
httpsPort,
forgejoSshPort,
autoStart ? false,
}:
let
}: let
domain = "www.stefanjunker.de";
in
{
in {
inherit specialArgs;
config =
{
config = {
config,
pkgs,
lib,
@ -22,8 +19,7 @@ in
nodeFlake,
system,
...
}:
{
}: {
system.stateVersion = "22.05"; # Did you read the comment?
disabledModules = [
@ -139,11 +135,9 @@ in
useridField = "uid";
};
oauth2 =
let
oauth2 = let
originURL = config.services.kanidm.serverSettings.origin;
in
{
in {
providerName = "kanidm (${originURL})";
authorizationURL = "${originURL}/ui/oauth2";
@ -189,11 +183,9 @@ in
owner = config.users.users.authelia-default.name;
};
services.authelia.instances.default =
let
services.authelia.instances.default = let
baseDir = "/var/lib/authelia-default";
in
{
in {
enable = true;
secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
@ -324,11 +316,11 @@ in
Unit = "kanidm-tls-update.service";
};
};
systemd.services.kanidm-tls-update =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
{
systemd.services.kanidm-tls-update = let
dbDir =
builtins.dirOf
config.services.kanidm.serverSettings.db_path;
in {
enable = true;
requiredBy = ["kanidm.service"];
unitConfig = {
@ -338,11 +330,9 @@ in
# ];
};
serviceConfig.Type = "oneshot";
script =
let
script = let
tlsDir = builtins.dirOf config.services.kanidm.serverSettings.tls_key;
in
''
in ''
set -xe
cat "${config.services.caddy.dataDir}/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${config.services.kanidm.serverSettings.domain}/${config.services.kanidm.serverSettings.domain}.key" > tls.key
@ -369,12 +359,12 @@ in
'';
};
systemd.services.kanidm.serviceConfig =
let
dbDir = builtins.dirOf config.services.kanidm.serverSettings.db_path;
in
systemd.services.kanidm.serviceConfig = let
dbDir =
builtins.dirOf
config.services.kanidm.serverSettings.db_path;
# stateDir = "/var/lib/${config.systemd.services.kanidm.serviceConfig.StateDirectory}";
{
in {
# ExecStartPre = ''
# mkdir -p ${dbDir}
# '';
@ -384,11 +374,9 @@ in
];
};
services.kanidm =
let
services.kanidm = let
dataDir = "/var/lib/kanidm";
in
{
in {
package = repoFlake.inputs.nixpkgs-kanidm.legacyPackages.${pkgs.system}.kanidm;
enablePam = false;

30
nix/os/devices/default.nix
View file

@ -7,14 +7,9 @@
moreargs ? "",
rebuildarg ? "",
...
}@args:
let
rebuildargsSudo = [
"switch"
"boot"
];
rebuild =
{
} @ args: let
rebuildargsSudo = ["switch" "boot"];
rebuild = {
gitRoot,
rebuildarg ? "dry-activate",
moreargs ? "",
@ -35,18 +30,18 @@ let
${
if
(builtins.elem rebuildarg rebuildargsSudo) && (builtins.match ".*--target-host.*" moreargs) == null
then
"sudo -E \\"
else
""
(builtins.elem rebuildarg rebuildargsSudo)
&& (builtins.match ".*--target-host.*" moreargs) == null
then "sudo -E \\"
else ""
}
nixos-rebuild --show-trace -I nixos-config=''${NIXOS_CONFIG} ${rebuildarg} ${moreargs}
'';
in
in {
recipes =
{
recipes = {
rebuild = rebuild {
rebuild =
rebuild {
inherit gitRoot;
inherit moreargs;
inherit rebuildarg;
@ -54,5 +49,6 @@ in
# // pkgs.lib.attrsets.optionalAttrs (moreargs != "") { inherit moreargs; }
# // pkgs.lib.attrsets.optionalAttrs (rebuildarg != "") { inherit rebuildarg; }
;
} // (import ./disk.nix (args // { inherit pkgs ownLib gitRoot; }));
}
// (import ./disk.nix (args // {inherit pkgs ownLib gitRoot;}));
}

53
nix/os/devices/disk.nix
View file

@ -3,29 +3,40 @@
ownLib,
dir,
gitRoot,
diskId ? (import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.diskId,
diskId ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.diskId,
encrypted ?
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix") { }).hardware.opinionatedDisk.encrypted,
(import ((builtins.getEnv "PWD") + "/${dir}/hw.nix")
{})
.hardware
.opinionatedDisk
.encrypted,
previousDiskId ? "",
...
}:
let
}: let
mntRootVol = "/mnt/${diskId}-root";
in
rec {
in rec {
diskMount = pkgs.writeScript "script" ''
#!/usr/bin/env bash
set -xe
echo Mounting ${diskId}
${pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''}
sleep 1
sudo vgchange -ay ${ownLib.disk.volumeGroup diskId}
sudo mkdir -p /mnt
sudo mkdir ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}
sudo mount ${ownLib.disk.rootFsDevice diskId} ${mntRootVol}/nixos/home -o subvol=home
sudo mount ${
ownLib.disk.rootFsDevice diskId
} ${mntRootVol}/nixos/home -o subvol=home
sudo mount ${ownLib.disk.bootFsDevice diskId} ${mntRootVol}/nixos/boot
'';
@ -62,7 +73,9 @@ rec {
#!/usr/bin/env bash
set -xe
read -p "Continue to format ${ownLib.disk.bootGrubDevice diskId} (YES/n)? " choice
read -p "Continue to format ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)? " choice
case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;;
@ -109,11 +122,15 @@ rec {
${pkgs.lib.strings.optionalString encrypted ''
# Encrypt
sudo cryptsetup luksFormat ${ownLib.disk.bootLuksDevice diskId} -
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''}
# LVM
sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${ownLib.disk.lvmPv diskId encrypted}
sudo vgcreate ${ownLib.disk.volumeGroup diskId} ${
ownLib.disk.lvmPv diskId encrypted
}
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -L 2G -n swap
sudo lvcreate ${ownLib.disk.volumeGroup diskId} -l 100%FREE -n root
@ -137,7 +154,9 @@ rec {
#!/usr/bin/env bash
set -xe
read -p "Continue to relabel ${ownLib.disk.bootGrubDevice diskId} (YES/n)?" choice
read -p "Continue to relabel ${
ownLib.disk.bootGrubDevice diskId
} (YES/n)?" choice
case "$choice" in
YES ) echo "Continuing in 3 seconds..."; sleep 3;;
n|N ) echo "Exiting..."; exit 0;;
@ -168,9 +187,13 @@ rec {
if test "${previousDiskId}"; then
${pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${ownLib.disk.luksName diskId}
''}
${
pkgs.lib.strings.optionalString encrypted ''
sudo cryptsetup luksOpen ${ownLib.disk.bootLuksDevice diskId} ${
ownLib.disk.luksName diskId
}
''
}
sync
sleep 1
if sudo vgs ${previousDiskId}; then

3
nix/os/devices/elias-e525/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }:
{
{lib, ...}: {
boot.loader.grub.efiSupport = lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
}

3
nix/os/devices/elias-e525/configuration.nix
View file

@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
imports = [
../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix

10
nix/os/devices/elias-e525/default.nix
View file

@ -3,17 +3,17 @@
repoFlake,
nodeFlake,
...
}:
let
}: let
system = "x86_64-linux";
in
{
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system;
};
${nodeName} = {
deployment.targetHost = "elias-e525.lan";

3
nix/os/devices/elias-e525/hw.nix
View file

@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
# TASK: new device
hardware.opinionatedDisk = {
enable = true;

10
nix/os/devices/elias-e525/pkg.nix
View file

@ -1,5 +1,8 @@
{ pkgs, lib, ... }:
let
{
pkgs,
lib,
...
}: let
homeEnv = keyboard: {
imports = [
../../../home-manager/profiles/common.nix
@ -19,8 +22,7 @@ let
rustdesk
];
};
in
{
in {
services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) {
gnome-remote-desktop.enable = true;
};

10
nix/os/devices/elias-e525/system.nix
View file

@ -3,10 +3,8 @@
lib,
config,
...
}:
let
in
{
}: let
in {
# TASK: new device
networking.hostName = "elias-e525"; # Define your hostname.
@ -46,7 +44,5 @@ in
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = {
automatic = true;
};
nix.gc = {automatic = true;};
}

6
nix/os/devices/elias-e525/user.nix
View file

@ -3,12 +3,10 @@
pkgs,
lib,
...
}:
let
}: let
keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
in
{
in {
sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;

3
nix/os/devices/fwhost1/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }:
{
{lib, ...}: {
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
}

3
nix/os/devices/fwhost1/configuration.nix
View file

@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
imports = [
../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix

6
nix/os/devices/fwhost1/hw.nix
View file

@ -1,7 +1,5 @@
{ ... }:
let
in
{
{...}: let
in {
# TASK: new device
hardware.opinionatedDisk = {
enable = true;

18
nix/os/devices/fwhost1/pkg.nix
View file

@ -1,17 +1,17 @@
{ pkgs, ... }:
{
nixpkgs.config.packageOverrides =
pkgs: with pkgs; {
nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
{pkgs, ...}: {
nixpkgs.config.packageOverrides = pkgs:
with pkgs; {
nixPath =
(import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
};
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs;
};
environment.systemPackages = with pkgs; [
iw
wirelesstools
];
environment.systemPackages = with pkgs; [iw wirelesstools];
system.stateVersion = "21.11";
}

11
nix/os/devices/fwhost1/system.nix
View file

@ -3,12 +3,10 @@
lib,
config,
...
}:
let
}: let
keys = import ../../../variables/keys.nix;
passwords = import ../../../variables/passwords.crypt.nix;
in
{
in {
# TASK: new device
networking.hostName = "fwhost1"; # Define your hostname.
@ -23,10 +21,7 @@ in
networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = [
"eth0"
"eth1"
];
networking.bridges.breth.interfaces = ["eth0" "eth1"];
networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10";

10
nix/os/devices/fwhost1/user.nix
View file

@ -1,7 +1,9 @@
{ config, pkgs, ... }:
let
{
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {}) mkUser;
in
{ }
in {}

7
nix/os/devices/fwhost1/versions.nix
View file

@ -4,12 +4,9 @@ let
ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
};
in
{
in {
inherit nixpkgs;
nixos = nixpkgs // {
suffix = "/nixos";
};
nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {

7
nix/os/devices/fwhost1/versions.tmpl.nix
View file

@ -6,12 +6,9 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>'';
};
in
{
in {
inherit nixpkgs;
nixos = nixpkgs // {
suffix = "/nixos";
};
nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {

3
nix/os/devices/fwhost2/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }:
{
{lib, ...}: {
boot.loader.grub.efiInstallAsRemovable = lib.mkForce true;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
}

3
nix/os/devices/fwhost2/configuration.nix
View file

@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
imports = [
../../profiles/common/configuration.nix
../../modules/opinionatedDisk.nix

6
nix/os/devices/fwhost2/hw.nix
View file

@ -1,7 +1,5 @@
{ ... }:
let
in
{
{...}: let
in {
# TASK: new device
hardware.opinionatedDisk = {
enable = true;

18
nix/os/devices/fwhost2/pkg.nix
View file

@ -1,17 +1,17 @@
{ pkgs, ... }:
{
nixpkgs.config.packageOverrides =
pkgs: with pkgs; {
nixPath = (import ../../../default.nix { versionsPath = ./versions.nix; }).nixPath;
{pkgs, ...}: {
nixpkgs.config.packageOverrides = pkgs:
with pkgs; {
nixPath =
(import ../../../default.nix {
versionsPath = ./versions.nix;
})
.nixPath;
};
home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
inherit pkgs;
};
environment.systemPackages = with pkgs; [
iw
wirelesstools
];
environment.systemPackages = with pkgs; [iw wirelesstools];
system.stateVersion = "21.11";
}

11
nix/os/devices/fwhost2/system.nix
View file

@ -4,12 +4,10 @@
config,
utils,
...
}:
let
}: let
keys = import ../../../variables/keys.nix;
passwords = import ../../../variables/passwords.crypt.nix;
in
{
in {
# TASK: new device
networking.hostName = "fwhost2"; # Define your hostname.
@ -24,10 +22,7 @@ in
networking.firewall.logRefusedConnections = false;
networking.usePredictableInterfaceNames = false;
networking.bridges.breth.interfaces = [
"eth0"
"eth1"
];
networking.bridges.breth.interfaces = ["eth0" "eth1"];
networking.bridges.breth.rstp = true;
networking.defaultGateway.address = "172.172.171.10";

10
nix/os/devices/fwhost2/user.nix
View file

@ -1,10 +1,12 @@
{ config, pkgs, ... }:
let
{
config,
pkgs,
...
}: let
passwords = import ../../../variables/passwords.crypt.nix;
keys = import ../../../variables/keys.nix;
inherit (import ../../lib/default.nix {inherit (pkgs) lib;}) mkUser;
in
{
in {
# users.extraUsers.steveej2 = mkUser {
# uid = 1001;
# openssh.authorizedKeys.keys = keys.users.steveej.openssh;

7
nix/os/devices/fwhost2/versions.nix
View file

@ -4,12 +4,9 @@ let
ref = "nixos-21.11";
rev = "386234e2a61e1e8acf94dfa3a3d3ca19a6776efb";
};
in
{
in {
inherit nixpkgs;
nixos = nixpkgs // {
suffix = "/nixos";
};
nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {

7
nix/os/devices/fwhost2/versions.tmpl.nix
View file

@ -6,12 +6,9 @@ let
<% git ls-remote https://github.com/nixos/nixpkgs nixos-21.11 | awk '{ print $1 }' | tr -d '
' -%>'';
};
in
{
in {
inherit nixpkgs;
nixos = nixpkgs // {
suffix = "/nixos";
};
nixos = nixpkgs // {suffix = "/nixos";};
"channels-nixos-stable" = nixpkgs;
"channels-nixos-unstable" = {

28
nix/os/devices/hstk0/configuration.nix
View file

@ -9,9 +9,9 @@
nodeName,
system,
...
}:
{
disabledModules = [ ];
}: {
disabledModules = [
];
imports = [
nodeFlake.inputs.disko.nixosModules.disko
@ -28,7 +28,9 @@
}
../../snippets/nix-settings.nix
{ nix.settings.sandbox = lib.mkForce "relaxed"; }
{
nix.settings.sandbox = lib.mkForce "relaxed";
}
../../snippets/mycelium.nix
@ -78,12 +80,15 @@
nat.enable = true;
firewall.enable = true;
firewall.allowedTCPPorts = [ 5201 ];
firewall.allowedUDPPorts = [ 5201 ];
firewall.allowedTCPPorts = [
5201
];
firewall.allowedUDPPorts = [
5201
];
};
disko.devices =
let
disko.devices = let
disk = id: {
type = "disk";
device = "/dev/${id}";
@ -104,8 +109,7 @@
};
};
};
in
{
in {
disk = {
sda = disk "sda";
sdb = disk "sdb";
@ -145,5 +149,7 @@
virtualisation.libvirtd.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.binfmt.emulatedSystems = [
"aarch64-linux"
];
}

19
nix/os/devices/hstk0/default.nix
View file

@ -3,22 +3,19 @@
repoFlake,
nodeFlake,
...
}:
let
}: let
system = "x86_64-linux";
in
{
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit
repoFlake
nodeName
nodeFlake
system
;
inherit repoFlake nodeName nodeFlake system;
packages' = repoFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = {
deployment.targetHost = "185.130.224.33";

29
nix/os/devices/hstk0/flake.nix
View file

@ -16,37 +16,38 @@
# outputs = _: {};
outputs =
{
outputs = {
self,
get-flake,
nixpkgs,
...
}@attrs:
let
} @ attrs: let
system = "x86_64-linux";
nodeName = "hostkey-0";
mkNixosConfiguration =
{
extraModules ? [ ],
...
}@attrs:
mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate attrs {
nixpkgs.lib.attrsets.recursiveUpdate
attrs
{
specialArgs = {
nodeFlake = self;
repoFlake = get-flake ../../../..;
inherit nodeName;
};
modules = [ ./configuration.nix ] ++ extraModules;
modules =
[
./configuration.nix
]
++ extraModules;
}
);
in
{
in {
nixosConfigurations = {
native = mkNixosConfiguration { inherit system; };
native = mkNixosConfiguration {
inherit system;
};
};
};
}

3
nix/os/devices/justyna-p300/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }:
{
{lib, ...}: {
boot.loader.grub.efiInstallAsRemovable = lib.mkForce false;
boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
boot.loader.grub.efiSupport = lib.mkForce false;

3
nix/os/devices/justyna-p300/configuration.nix
View file

@ -1,5 +1,4 @@
{ ... }:
{
{...}: {
imports = [
../../profiles/common/configuration.nix
../../profiles/graphical/configuration.nix

10
nix/os/devices/justyna-p300/default.nix
View file

@ -3,17 +3,17 @@
repoFlake,
nodeFlake,
...
}:
let
}: let
system = "x86_64-linux";
in
{
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system;
};
${nodeName} = {
deployment.targetHost = nodeName;

2
nix/os/devices/justyna-p300/flake.nix
View file

@ -6,7 +6,7 @@
inputs.nixpkgs.follows = "nixpkgs";
};
inputs.disko.url = "github:nix-community/disko";
inputs.disko.url = github:nix-community/disko;
inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
outputs = _: {};

7
nix/os/devices/justyna-p300/hw.nix
View file

@ -3,9 +3,10 @@
nodeFlake,
lib,
...
}:
{
imports = [ nodeFlake.inputs.disko.nixosModules.disko ];
}: {
imports = [
nodeFlake.inputs.disko.nixosModules.disko
];
disko.devices.disk.sda = {
device = "/dev/sda";

17
nix/os/devices/justyna-p300/pkg.nix
View file

@ -3,8 +3,7 @@
lib,
packages',
...
}:
let
}: let
homeEnv = keyboard: {
imports = [
../../../home-manager/profiles/common.nix
@ -24,19 +23,15 @@ let
rustdesk
];
};
in
{
in {
services.gnome = builtins.mapAttrs (attr: value: lib.mkForce value) {
gnome-remote-desktop.enable = true;
};
services.printing.drivers = lib.mkForce (
with packages';
[
services.printing.drivers = lib.mkForce (with packages'; [
dcpj4110dwDriver
dcpj4110dwCupswrapper
]
);
]);
services.printing.extraConf = ''
LogLevel debug
@ -65,7 +60,9 @@ in
services.syncthing.enable = true;
services.syncthing.tray = true;
home.packages = with pkgs; [ session-desktop ];
home.packages = with pkgs; [
session-desktop
];
};
system.stateVersion = "21.11";

10
nix/os/devices/justyna-p300/system.nix
View file

@ -3,11 +3,9 @@
lib,
config,
...
}:
let
}: let
passwords = import ../../../variables/passwords.crypt.nix;
in
{
in {
networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [
# iperf3
@ -47,7 +45,5 @@ in
boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
nix.gc = {
automatic = true;
};
nix.gc = {automatic = true;};
}

10
nix/os/devices/justyna-p300/user.nix
View file

@ -1,9 +1,11 @@
{ config, pkgs, ... }:
let
{
config,
pkgs,
...
}: let
keys = import ../../../variables/keys.nix;
inherit (pkgs.callPackage ../../lib/default.nix {}) mkUser;
in
{
in {
sops.secrets.sharedUsers-elias = {
sopsFile = ../../../../secrets/shared-users.yaml;
neededForUsers = true;

313
nix/os/devices/router0-dmz0/configuration.nix
View file

@ -9,33 +9,33 @@
localDomainName,
system,
...
}:
let
inherit (nodeFlake.inputs) nixos-nftables-firewall nixos-sbc;
}: let
inherit
(nodeFlake.inputs)
nixos-nftables-firewall
nixos-sbc
;
vlanRangeStart = builtins.head vlanRange;
vlanRangeEnd = builtins.elemAt vlanRange ((builtins.length vlanRange) - 1);
vlanRange = builtins.map (vlanid: (lib.strings.toInt vlanid)) (builtins.attrNames vlans);
vlanRangeWith0 = [0] ++ vlanRange;
mkVlanIpv4HostAddr =
{
mkVlanIpv4HostAddr = {
vlanid,
host,
thirdIpv4SegmentMin ? 20,
cidr ? true,
}:
let
}: let
# reserve the first subnet for vlanid == 0
# number the other subnets continously from there
offset = if vlanid == 0 then thirdIpv4SegmentMin else thirdIpv4SegmentMin + 1 - vlanRangeStart;
offset =
if vlanid == 0
then thirdIpv4SegmentMin
else thirdIpv4SegmentMin + 1 - vlanRangeStart;
in
builtins.concatStringsSep "." [
"192"
"168"
(toString (vlanid + offset))
"${toString host}${lib.strings.optionalString cidr "/24"}"
];
builtins.concatStringsSep "."
["192" "168" (toString (vlanid + offset)) "${toString host}${lib.strings.optionalString cidr "/24"}"];
defaultVlan = {
name = "${localDomainName}";
@ -62,25 +62,30 @@ let
"15".packet_priority = -10;
};
vlansByName = lib.attrsets.mapAttrs' (
vlansByName =
lib.attrsets.mapAttrs'
(
vlanid': attrs:
lib.attrsets.nameValuePair attrs.name (
attrs
lib.attrsets.nameValuePair
attrs.name
(attrs
// {
id = lib.strings.toInt vlanid';
id' = vlanid';
}
})
)
) vlans;
vlans;
getVlanDomain =
{ vlanid }:
if vlanid == 0 then defaultVlan.name else vlans."${toString vlanid}".name + "." + defaultVlan.name;
getVlanDomain = {vlanid}:
if vlanid == 0
then defaultVlan.name
else vlans."${toString vlanid}".name + "." + defaultVlan.name;
bridgeInterfaceName = "br-lan";
mkInterfaceName =
{ vlanid }:
if vlanid == 0 then bridgeInterfaceName else "${bridgeInterfaceName}.${toString vlanid}";
mkInterfaceName = {vlanid}:
if vlanid == 0
then bridgeInterfaceName
else "${bridgeInterfaceName}.${toString vlanid}";
dmzExposedHost = "sj-srv1";
dmzExposedHostDomain = "dmz.internal";
@ -91,10 +96,8 @@ let
cidr = false;
};
dmzExposedHostMACaddr =
repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress;
in
{
dmzExposedHostMACaddr = repoFlake.nixosConfigurations.${dmzExposedHost}.config.systemd.network.netdevs."10-dmz0".netdevConfig.MACAddress;
in {
imports = [
nixos-sbc.nixosModules.default
nixos-sbc.nixosModules.boards.bananapi.bpir3
@ -191,11 +194,9 @@ in
prerouting = {
"exposeHost" = {
after = ["hook"];
rules =
let
rules = let
wanInterfaces = builtins.concatStringsSep ", " config.networking.nftables.firewall.zones.wan.interfaces;
in
[
in [
"iifname { ${wanInterfaces} } tcp dport 220 redirect to 22"
"iifname { ${wanInterfaces} } dnat ip to ${dmzExposedHostIpv4}"
];
@ -213,23 +214,17 @@ in
lan.interfaces = [(mkInterfaceName {vlanid = 0;})];
vlan.interfaces = builtins.map (vlanid: (mkInterfaceName {inherit vlanid;})) vlanRange;
# lan.ipv4Addresses = ["192.168.0.0/16"];
wan.interfaces = [
"wan"
"lan0"
];
vpn.interfaces = [
"wg0"
"wg1"
"wg2"
];
wan.interfaces = ["wan" "lan0"];
vpn.interfaces = ["wg0" "wg1" "wg2"];
}
//
# generate a zone for each vlan
lib.attrsets.mapAttrs (key: value: {
lib.attrsets.mapAttrs
(key: value: {
interfaces = [(mkInterfaceName {vlanid = value.id;})];
}) vlansByName;
rules =
let
})
vlansByName;
rules = let
ipv6IcmpTypes = [
"destination-unreachable"
"echo-reply"
@ -255,8 +250,7 @@ in
"ip protocol icmp icmp type { ${builtins.concatStringsSep ", " ipv4IcmpTypes} } accept"
"ip6 nexthdr icmpv6 icmpv6 type { ${builtins.concatStringsSep ", " ipv6IcmpTypes} } accept"
];
in
{
in {
fw = {
from = ["fw"];
verdict = "accept";
@ -270,10 +264,7 @@ in
lan-to-fw = {
from = ["lan"];
to = [
"fw"
"lan"
];
to = ["fw" "lan"];
verdict = "accept";
};
@ -320,14 +311,15 @@ in
];
from = ["vlan"];
to = ["fw"];
extraLines = allowIcmpLines ++ [ "drop" ];
extraLines =
allowIcmpLines
++ [
"drop"
];
};
to-wan-nat = {
from = [
"lan"
"vlan"
];
from = ["lan" "vlan"];
to = ["wan"];
masquerade = true;
verdict = "accept";
@ -348,14 +340,15 @@ in
to = 22;
}
];
extraLines = allowIcmpLines ++ [ "drop" ];
extraLines =
allowIcmpLines
++ [
"drop"
];
};
to-vpn-nat = {
from = [
"lan"
"vlan"
];
from = ["lan" "vlan"];
to = ["vpn"];
masquerade = false;
verdict = "accept";
@ -384,13 +377,48 @@ in
systemd.network = {
wait-online.anyInterface = true;
netdevs =
let
router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}";
netdevs = let
router0-ifog_wg0Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${
builtins.toString
repoFlake
.nixosConfigurations
.router0-ifog
.config
.systemd
.network
.netdevs
.wg0
.wireguardConfig
.ListenPort
}";
router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-ifog.config.systemd.network.netdevs.wg1.wireguardConfig.ListenPort}";
router0-ifog_wg1Endpoint = "${repoFlake.colmena.router0-ifog.deployment.targetHost}:${
builtins.toString
repoFlake
.nixosConfigurations
.router0-ifog
.config
.systemd
.network
.netdevs
.wg1
.wireguardConfig
.ListenPort
}";
router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${builtins.toString repoFlake.nixosConfigurations.router0-hosthatch.config.systemd.network.netdevs.wg0.wireguardConfig.ListenPort}";
router0-hosthatch_wg0Endpoint = "${repoFlake.colmena.router0-hosthatch.deployment.targetHost}:${
builtins.toString
repoFlake
.nixosConfigurations
.router0-hosthatch
.config
.systemd
.network
.netdevs
.wg0
.wireguardConfig
.ListenPort
}";
in
{
# Create the bridge interface
@ -508,11 +536,15 @@ in
};
}
# generate the vlan devices. these will be tagged on the main bridge
// builtins.foldl' (acc: cur: acc // cur) { } (
builtins.map
// builtins.foldl'
(acc: cur: acc // cur)
{}
(
{ vlanid, vlanid' }:
{
builtins.map
({
vlanid,
vlanid',
}: {
"20-${mkInterfaceName {inherit vlanid;}}" = {
netdevConfig = {
Kind = "vlan";
@ -520,17 +552,17 @@ in
};
vlanConfig.Id = vlanid;
};
}
)
})
(
builtins.map (vlanid: {
builtins.map
(vlanid: {
inherit vlanid;
vlanid' = builtins.toString vlanid;
}) vlanRange
})
vlanRange
)
);
networks =
let
networks = let
commonWanOptions = {
networkConfig = {
# start a DHCP Client for IPv4/6 Addressing/Routing
@ -761,13 +793,19 @@ in
}
];
vlan = (builtins.map (vlanid: (mkInterfaceName { inherit vlanid; })) vlanRange);
vlan = (
builtins.map
(vlanid: (mkInterfaceName {inherit vlanid;}))
vlanRange
);
};
"50-wg0" = {
enable = true;
matchConfig.Name = "wg0";
address = [ "10.0.0.1/31" ];
address = [
"10.0.0.1/31"
];
routes = [
# {
@ -782,7 +820,9 @@ in
"50-wg1" = {
enable = true;
matchConfig.Name = "wg1";
address = [ "10.0.0.3/31" ];
address = [
"10.0.0.3/31"
];
routes = [
# {
# routeConfig = {
@ -796,7 +836,9 @@ in
"50-wg2" = {
enable = true;
matchConfig.Name = "wg2";
address = [ "10.0.1.1/31" ];
address = [
"10.0.1.1/31"
];
routes = [
# TODO: add a testing route here
@ -807,11 +849,14 @@ in
# * netdev type vlan
# * host address for vlan
# * vlan config for wlan interface
// builtins.foldl' (acc: cur: acc // cur) { } (
builtins.map
(
{ vlanid, vlanid' }:
{
// builtins.foldl'
(acc: cur: acc // cur)
{}
(builtins.map
({
vlanid,
vlanid',
}: {
# configure the tagged vlan device with an address and vlan filtering.
# dnsmasq is configured to serve the respective /24 range on each tagged device.
# this device only receives traffic for the given vlanid and sends tagged traffic to the bridge.
@ -889,27 +934,25 @@ in
# };
# linkConfig.RequiredForOnline = "no";
# };
}
)
})
(
builtins.map (vlanid: {
builtins.map
(vlanid: {
inherit vlanid;
vlanid' = builtins.toString vlanid;
}) vlanRange
)
);
})
vlanRange
));
};
# wireless access point
services.hostapd = {
enable = true;
# package = nodeFlake.packages.${system}.hostapd_patched;
radios =
let
radios = let
# generated with https://miniwebtool.com/mac-address-generator/
mkBssid = i: "34:56:ce:0f:ed:4${toString i}";
in
{
in {
wlan0 = {
band = "2g";
# FIXME: apparently setting this could cause bugs, testing disabling it for a while.
@ -959,18 +1002,17 @@ in
};
networks = {
wlan0 =
let
wlan0 = let
iface = "wlan0";
in
{
in {
ssid = "mlsia";
bssid = mkBssid 0;
# enables debug logging
logLevel = 0;
authentication.mode = "wpa2-sha256"
authentication.mode =
"wpa2-sha256"
# "wpa3-sae-transition"
# "wpa3-sae"
;
@ -1006,11 +1048,13 @@ in
vlan_bridge = "br-${iface}.";
*/
vlan_file =
let
generated = builtins.map (
vlan_file = let
generated =
builtins.map
(
vlanid: "${builtins.toString vlanid} ${iface}.${builtins.toString vlanid}"
) vlanRange;
)
vlanRange;
wildcard = [
# Optional wildcard entry matching all VLAN IDs. The first # in the interface
@ -1020,13 +1064,14 @@ in
"* ${iface}.#"
];
file = pkgs.writeText "hostapd.vlan" (builtins.concatStringsSep "\n" (generated ++ wildcard));
file =
pkgs.writeText "hostapd.vlan"
(builtins.concatStringsSep "\n" (generated ++ wildcard));
filePath = toString file;
in
filePath;
wpa_key_mgmt = lib.mkForce (
builtins.concatStringsSep " " [
wpa_key_mgmt = lib.mkForce (builtins.concatStringsSep " " [
"WPA-PSK"
# TODO: the printer can't connect when this is on
@ -1034,8 +1079,7 @@ in
# unfortunately SAE doesn't support VLAN passwords in the way i'd like to use them
# "SAE"
]
);
]);
# wpa_psk_radius = 0;
wpa_pairwise = "CCMP";
@ -1106,10 +1150,11 @@ in
# v6 config
enable-ra = true;
dhcp-range =
let
mkDhcpRange =
{ tag, vlanid }:
dhcp-range = let
mkDhcpRange = {
tag,
vlanid,
}:
builtins.concatStringsSep "," [
tag
(mkVlanIpv4HostAddr {
@ -1128,13 +1173,15 @@ in
# "ra-names"
];
in
builtins.map (
builtins.map
(
vlanid:
mkDhcpRange {
tag = mkInterfaceName {inherit vlanid;};
inherit vlanid;
}
) vlanRangeWith0;
)
vlanRangeWith0;
dhcp-host = builtins.concatStringsSep "," [
dmzExposedHostMACaddr
@ -1164,22 +1211,25 @@ in
];
domain =
[ "/${getVlanDomain { vlanid = 0; }}/,local" ]
++ builtins.map (
vlanid:
"${getVlanDomain { inherit vlanid; }},${
mkVlanIpv4HostAddr {
[
"/${getVlanDomain {vlanid = 0;}}/,local"
]
++ builtins.map
(
vlanid: "${getVlanDomain {inherit vlanid;}},${mkVlanIpv4HostAddr {
inherit vlanid;
host = 0;
cidr = true;
}
},local"
) vlanRangeWith0;
}},local"
)
vlanRangeWith0;
# TODO: compare this to using `interface-name`
dynamic-host =
[ ]
++ builtins.map (
[
]
++ builtins.map
(
vlanid:
builtins.concatStringsSep "," [
# "${getVlanDomain{inherit vlanid;}}" "0.0.0.1" (mkInterfaceName {inherit vlanid;})
@ -1187,12 +1237,13 @@ in
"0.0.0.1"
(mkInterfaceName {inherit vlanid;})
]
) vlanRangeWith0;
)
vlanRangeWith0;
dhcp-option-force = builtins.map (
vlanid:
"${mkInterfaceName { inherit vlanid; }},option:domain-search,${getVlanDomain { inherit vlanid; }}"
) vlanRangeWith0;
dhcp-option-force =
builtins.map
(vlanid: "${mkInterfaceName {inherit vlanid;}},option:domain-search,${getVlanDomain {inherit vlanid;}}")
vlanRangeWith0;
# auth-server = [
# (builtins.concatStringsSep "," [

21
nix/os/devices/router0-dmz0/default.nix
View file

@ -5,24 +5,25 @@
nodeFlake,
localDomainName ? "internal",
...
}:
{
}: {
meta.nodeSpecialArgs.${nodeName} = {
inherit
repoFlake
nodeName
nodeFlake
system
;
inherit repoFlake nodeName nodeFlake system;
packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system};
inherit (nodeFlake.inputs.bpir3.packages.${system}) armTrustedFirmwareMT7986;
inherit
(nodeFlake.inputs.bpir3.packages.${system})
armTrustedFirmwareMT7986
;
inherit localDomainName;
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = {
deployment.targetHost = "${nodeName}.${localDomainName}";

38
nix/os/devices/router0-dmz0/flake.nix
View file

@ -39,15 +39,13 @@
# };
};
outputs =
{
outputs = {
self,
get-flake,
nixpkgs,
nixos-sbc,
...
}:
let
}: let
nativeSystem = "aarch64-linux";
nodeName = "router0-dmz0";
@ -59,13 +57,11 @@
};
};
mkNixosConfiguration =
{
extraModules ? [ ],
...
}@attrs:
mkNixosConfiguration = {extraModules ? [], ...} @ attrs:
nixpkgs.lib.nixosSystem (
nixpkgs.lib.attrsets.recursiveUpdate attrs {
nixpkgs.lib.attrsets.recursiveUpdate
attrs
{
specialArgs =
(import ./default.nix {
system = nativeSystem;
@ -73,9 +69,13 @@
repoFlake = get-flake ../../../..;
nodeFlake = self;
}).meta.nodeSpecialArgs.${nodeName};
})
.meta
.nodeSpecialArgs
.${nodeName};
modules = [
modules =
[
./configuration.nix
# flake registry
@ -83,13 +83,15 @@
nixpkgs.overlays = builtins.attrValues self.overlays;
nix.registry.nixpkgs.flake = nixpkgs;
}
] ++ extraModules;
]
++ extraModules;
}
);
in
{
in {
nixosConfigurations = {
native = mkNixosConfiguration { system = nativeSystem; };
native = mkNixosConfiguration {
system = nativeSystem;
};
cross = mkNixosConfiguration {
extraModules = [
@ -103,7 +105,9 @@
overlays.default = final: previous: {
hostapd = previous.hostapd.overrideDerivation (attrs: {
patches = attrs.patches ++ [
patches =
attrs.patches
++ [
"${self.inputs.openwrt}/package/network/services/hostapd/patches/710-vlan_no_bridge.patch"
];
});

20
nix/os/devices/router0-hosthatch/configuration.nix
View file

@ -9,8 +9,7 @@
system,
variables,
...
}:
{
}: {
system.stateVersion = "24.05";
imports = [
@ -157,7 +156,9 @@
interface = "eth0";
address = variables.ipv4gateway;
};
nameservers = [ variables.ipv4dns ];
nameservers = [
variables.ipv4dns
];
# these will be configured via nftables
nat.enable = lib.mkForce false;
@ -179,10 +180,7 @@
};
zones.vpn = {
interfaces = [
"wg0"
"wg1"
];
interfaces = ["wg0" "wg1"];
};
rules = {
@ -285,7 +283,9 @@
systemd.network.networks.wg0 = {
enable = true;
matchConfig.Name = "wg0";
address = [ "10.0.1.0/31" ];
address = [
"10.0.1.0/31"
];
routes = [
{
@ -299,7 +299,9 @@
systemd.network.networks.wg1 = {
enable = true;
matchConfig.Name = "wg1";
address = [ "10.0.1.2/31" ];
address = [
"10.0.1.2/31"
];
routes = [
{

20
nix/os/devices/router0-hosthatch/default.nix
View file

@ -4,24 +4,20 @@
repoFlake,
nodeFlake,
...
}:
let
}: let
variables = import ./variables.crypt.nix;
in
{
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit
repoFlake
nodeName
nodeFlake
system
variables
;
inherit repoFlake nodeName nodeFlake system variables;
packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = {
deployment.targetHost = variables.ipv4;

20
nix/os/devices/router0-ifog/configuration.nix
View file

@ -9,8 +9,7 @@
system,
variables,
...
}:
{
}: {
system.stateVersion = "23.11";
imports = [
@ -157,7 +156,9 @@
interface = "eth0";
address = variables.ipv4gateway;
};
nameservers = [ variables.ipv4dns ];
nameservers = [
variables.ipv4dns
];
# these will be configured via nftables
nat.enable = lib.mkForce false;
@ -179,10 +180,7 @@
};
zones.vpn = {
interfaces = [
"wg0"
"wg1"
];
interfaces = ["wg0" "wg1"];
};
rules = {
@ -285,7 +283,9 @@
systemd.network.networks.wg0 = {
enable = true;
matchConfig.Name = "wg0";
address = [ "10.0.0.0/31" ];
address = [
"10.0.0.0/31"
];
routes = [
{
@ -299,7 +299,9 @@
systemd.network.networks.wg1 = {
enable = true;
matchConfig.Name = "wg1";
address = [ "10.0.0.2/31" ];
address = [
"10.0.0.2/31"
];
routes = [
{

20
nix/os/devices/router0-ifog/default.nix
View file

@ -4,24 +4,20 @@
repoFlake,
nodeFlake,
...
}:
let
}: let
variables = import ./variables.crypt.nix;
in
{
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit
repoFlake
nodeName
nodeFlake
system
variables
;
inherit repoFlake nodeName nodeFlake system variables;
packages' = repoFlake.packages.${system};
nodePackages' = nodeFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
meta.nodeNixpkgs.${nodeName} =
import nodeFlake.inputs.nixpkgs.outPath
{
inherit system;
};
${nodeName} = {
deployment.targetHost = variables.ipv4;

3
nix/os/devices/sj-srv1/boot.nix
View file

@ -1,4 +1,3 @@
{ lib, ... }:
{
{lib, ...}: {
boot.extraModulePackages = [];
}

3
nix/os/devices/sj-srv1/configuration.nix
View file

@ -3,8 +3,7 @@
config,
pkgs,
...
}:
{
}: {
disabledModules = [];
imports = [
../../profiles/common/configuration.nix

10
nix/os/devices/sj-srv1/default.nix
View file

@ -3,17 +3,17 @@
repoFlake,
nodeFlake,
...
}:
let
}: let
system = "x86_64-linux";
in
{
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system;
};
${nodeName} = {
deployment.targetHost = "${nodeName}.dmz.internal";

6
nix/os/devices/sj-srv1/hw.nix
View file

@ -1,5 +1,4 @@
{ ... }:
let
{...}: let
stage1Modules = [
"virtio_balloon"
"virtio_scsi"
@ -39,8 +38,7 @@ let
"cdc_ether"
"uas"
];
in
{
in {
hardware.opinionatedDisk = {
enable = true;
encrypted = false;

36
nix/os/devices/sj-srv1/system.nix
View file

@ -6,11 +6,9 @@
nodeFlake,
nodeName,
...
}:
let
}: let
hostBridgeAddress = "192.168.101.1";
in
{
in {
imports = [
../../snippets/systemd-resolved.nix
{
@ -28,7 +26,9 @@ in
];
programs.wireshark.enable = true;
environment.systemPackages = [ pkgs.dnsutils ];
environment.systemPackages = [
pkgs.dnsutils
];
networking.firewall.enable = true;
networking.nftables.enable = true;
@ -89,7 +89,9 @@ in
networkConfig.LinkLocalAddressing = "no";
# TODO: i'm not sure if and if so why this is required
macvlan = [ "dmz0" ];
macvlan = [
"dmz0"
];
DHCP = "no";
};
@ -109,26 +111,22 @@ in
};
# virtualization
virtualisation = {
docker.enable = false;
};
virtualisation = {docker.enable = false;};
nix.gc = {
automatic = true;
};
nix.gc = {automatic = true;};
sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
# adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
services.restic.backups.${nodeName} =
let
services.restic.backups.${nodeName} = let
btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
in
{
in {
initialize = true;
repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";
paths = [ "/backup" ];
paths = [
"/backup"
];
pruneOpts = [
"--keep-daily 7"
@ -169,7 +167,9 @@ in
sievePort = 4190;
};
webserver = import ../../containers/webserver.nix {
webserver =
import ../../containers/webserver.nix
{
specialArgs = {
inherit repoFlake nodeFlake;
hostAddress = hostBridgeAddress;

3
nix/os/devices/sj-vps-htz0/boot.nix
View file

@ -1,5 +1,4 @@
{ lib, ... }:
{
{lib, ...}: {
boot.loader.grub.efiSupport = lib.mkForce false;
boot.extraModulePackages = [];
}

3
nix/os/devices/sj-vps-htz0/configuration.nix
View file

@ -3,8 +3,7 @@
config,
pkgs,
...
}:
{
}: {
disabledModules = [];
imports = [
../../profiles/common/configuration.nix

10
nix/os/devices/sj-vps-htz0/default.nix
View file

@ -3,17 +3,17 @@
repoFlake,
nodeFlake,
...
}:
let
}: let
system = "x86_64-linux";
in
{
in {
meta.nodeSpecialArgs.${nodeName} = {
inherit repoFlake nodeName nodeFlake;
packages' = repoFlake.packages.${system};
};
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath { inherit system; };
meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
inherit system;
};
${nodeName} = {
deployment.targetHost = "${nodeName}.infra.stefanjunker.de";

6
nix/os/devices/sj-vps-htz0/hw.nix
View file

@ -1,5 +1,4 @@
{ ... }:
let
{...}: let
stage1Modules = [
"virtio_balloon"
"virtio_scsi"
@ -15,8 +14,7 @@ let
"pata_acpi"
"ata_generic"
];
in
{
in {
hardware.opinionatedDisk = {
enable = true;
encrypted = false;

34
nix/os/devices/sj-vps-htz0/system.nix
View file

@ -5,12 +5,12 @@
repoFlake,
nodeName,
...
}:
let
}: let
wireguardPort = 51820;
in
{
imports = [ ../../snippets/systemd-resolved.nix ];
in {
imports = [
../../snippets/systemd-resolved.nix
];
networking.firewall.enable = true;
networking.nftables.enable = true;
@ -19,7 +19,9 @@ in
# iperf3
5201
];
networking.firewall.allowedUDPPorts = [ wireguardPort ];
networking.firewall.allowedUDPPorts = [
wireguardPort
];
networking.firewall.logRefusedConnections = false;
@ -51,10 +53,7 @@ in
networking.nat = {
enable = true;
internalInterfaces = [
"ve-*"
"wg*"
];
internalInterfaces = ["ve-*" "wg*"];
externalInterface = "eth0";
};
@ -71,8 +70,11 @@ in
networking.wireguard.interfaces.wg0 = {
# eth0 MTU (1400) - 80
mtu = 1320;
ips = [ "192.168.99.1/31" ];
listenPort = wireguardPort;
ips = [
"192.168.99.1/31"
];
listenPort =
wireguardPort;
privateKeyFile = config.sops.secrets.wg0-private.path;
peers = [
{
@ -84,16 +86,12 @@ in
};
# virtualization
virtualisation = {
docker.enable = false;
};
virtualisation = {docker.enable = false;};
services.spice-vdagentd.enable = true;
services.qemuGuest.enable = true;
nix.gc = {
automatic = true;
};
nix.gc = {automatic = true;};
containers = {};

Some files were not shown because too many files have changed in this diff Show more